How to use multiplexing to speed up the SSH login process
Read via "Security on TechRepublic".
Improve the speed SSH can run commands on remote servers with the help of multiplexing.
Researchers hack VR worlds
Read via "Naked Security".
Hackers just infiltrated virtual reality, enabling them to manipulate users' immersive 3D worlds.
British Airways hit with £183M GDPR fine—could your business be next?
Read via "Security on TechRepublic".
GDPR fines are finally coming down, and companies must be prepared to comply with the regulations or pay up.
Post-Data Breach, British Airways Slapped With Record $230M Fine
Read via "Threatpost".
A proposed $230 million fine on British Airways after a data breach would be the biggest GDPR penalty yet.
Why Apple should follow Microsoft's move to get rid of passwords
Read via "Security on TechRepublic".
Apple is testing biometric authentication as a new way of signing in to iCloud.com.
Smash-and-Grab Crime Threatens Enterprise Security
Read via "Dark Reading".
Getting your company smartphone or laptop stolen from your car isn't just a hassle; it can have large regulatory ramifications, too. Visibility is the answer.
ATTENTION! New - CVE-2018-11563
Read via "National Vulnerability Database".
An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7. A carefully constructed email could be used to inject and execute arbitrary stylesheet or JavaScript code in a logged-in customer's browser in the context of the OTRS customer panel application.
Apple Patches iMessage Bug That Bricks iPhones with Out-of-Date Software
Read via "Threatpost".
Google Project Zero finds Apple iMessage bug that bricks iPhones running older versions of the company's iOS software.
Broadcom Moves Forward on Symantec Acquisition
Read via "Dark Reading".
Reports indicate a deal could be made by mid-July as Broadcom secures financing for the purchase.
ATTENTION! New - CVE-2017-8408 (dcs-1130_firmware)
Read via "National Vulnerability Database".
An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of setting an SMB folder for the video clippings recorded by the device. It seems that the GET parameters passed in this request (to test if SMB credentials and hostname sent to the device work properly) result in being passed as commands to a "system" API in the function and thus result in command injection on the device. If the firmware version is dissected using the binwalk tool, we obtain a cramfs-root archive which contains the filesystem set up on the device that contains all the binaries. The binary "cgibox" is the one that has the vulnerable function "sub_7EAFC" that receives the values sent by the GET request. If we open this binary in IDA Pro we will notice that this follows an ARM little-endian format. The function sub_7EAFC in IDA Pro is identified to be receiving the values sent in the GET request, and the value set in GET parameter "user" is extracted in function sub_7E49C, which is then passed to the vulnerable system API call.
GoBotKR Targets Pirate Torrents to Build a DDoS Botnet
Read via "Threatpost".
The authors have tweaked a known piece of malware to specifically target Korean TV fans.
NIST Sets Draft Guidelines for Government AI
Read via "Dark Reading".
This is the first formal step in writing the standards that will guide the implementation of AI technologies within the federal government.
Britain Looks to Levy Record GDPR Fine Against British Airways
Read via "Dark Reading".
The penalty is a sign of things to come, say experts.
Rules-Based Policy Approaches Need to Go
Read via "Threatpost".
A zero-trust model is the only way to keep up with today's digital complexities.
ATTENTION! New - CVE-2017-8417 (dcs-1100_firmware, dcs-1130_firmware)
Read via "National Vulnerability Database".
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device requires that a user logging into the device provide a username and password. However, the device allows D-Link apps on mobile devices and the desktop to communicate with the device without any authentication. As a part of that communication, the device uses a custom version of base64 encoding to pass data back and forth between the apps and the device. However, the same form of communication can be initiated by any process, including an attacker process on the mobile phone or the desktop, and this allows a third party to retrieve the device's password without any authentication by sending just 1 UDP packet with custom base64 encoding. The severity of this attack is enlarged by the fact that there are more than 100,000 D-Link devices out there.
ATTENTION! New - CVE-2017-8404 (dcs-1130_firmware)
Read via "National Vulnerability Database".
An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of setting an SMB folder for the video clippings recorded by the device. It seems that the POST parameters passed in this request (to test if email credentials and hostname sent to the device work properly) result in being passed as commands to a "system" API in the function and thus result in command injection on the device. If the firmware version is dissected using the binwalk tool, we obtain a cramfs-root archive which contains the filesystem set up on the device that contains all the binaries. The library "libmailutils.so" is the one that has the vulnerable function "sub_1FC4" that receives the values sent by the POST request. If we open this binary in IDA Pro we will notice that this follows an ARM little-endian format. The function sub_1FC4 in IDA Pro is identified to be receiving the values sent in the POST request, and the value set in POST parameter "receiver1" is extracted in function "sub_15AC", which is then passed to the vulnerable system API call. The vulnerable library function is accessed in the "cgibox" binary at address 0x0008F598, which calls the "mailLoginTest" function in the "libmailutils.so" binary as shown below, which results in the vulnerable POST parameter being passed to the library and thus in the command injection issue.
GE Aviation Passwords, Source Code Exposed in Open Jenkins Server
Read via "Threatpost".
A DNS misconfiguration resulted in an open Jenkins server being available to all.
Airline Facing Record Breaking $229 Million GDPR Fine
Read via "Subscriber Blog RSS Feed" (Digital Guardian).
The fine would be the largest against a company post-GDPR and roughly 1.5 percent of the company's annual revenue.
Android App Publishers Won't Take 'No' for an Answer on Personal Data
Read via "Dark Reading".
Researchers find more than 1,000 apps in the Google Play store that gather personal data even when the user has denied permission.
Researchers Poke Holes in Siemens Simatic S7 PLCs
Read via "Dark Reading".
Black Hat USA session will reveal how they reverse-engineered the proprietary cryptographic protocol to attack the popular programmable logic controller.
Apple aims privacy billboard at Google's controversial smart-city
Read via "Naked Security".
It's outside of Sidewalk Labs HQ in Toronto, where Google's sister company is working on stuffing the city with data-collecting sensors.