Dump these routers, says Cisco, because we won’t patch them

Cisco patched three security vulnerabilities in its products this week, and said it will leave unpatched a VPN-hijacking flaw that affects four small business routers. Those small-biz routers – the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router – have reached their end-of-life (EoL) and the […]

iOS Mobile banking apps put 300,000 digital fingerprints at risk using hardcoded AWS credentials

Massive amounts of private data – including more than 300,000 biometric digital fingerprints used by five mobile banking apps – have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers. Symantec’s Threat Hunter Team said it discovered 1,859 publicly available apps, both Android and iOS, containing baked-in […]

Genshin Impact installs “anti cheat” rootkit signed by Microsoft which is exploited in the wild. Stop allowing spyware rootkits, Microsoft!

An MMORPG with cute anime-style characters and maybe a bit too much inspiration taken from another classic Nintendo franchise, Genshin Impact is a relatively popular game across the PlayStation, iOS, Android, and PC platforms. That last one has already generated a bit of controversy, since the PC version of the game includes an anti-cheat kernel driver that […]

How bad the problem with John Deere Tractors really is, how not being open leads to incredibly bad security

Last Saturday, I sat in a crowded ballroom at Caesar’s Forum in Las Vegas and watched Sickcodes jailbreak a John Deere tractor’s control unit live, before an audience of cheering Defcon 30 attendees (and, possibly, a few undercover Deere execs, who often attend Sickcodes’s talks). The presentation was significant because Deere – along with Apple […]

A New Jailbreak for John Deere Tractors wants Right-to-Repair insecure and outdated tech in them

Farmers around the world have turned to tractor hacking so they can bypass the digital locks that manufacturers impose on their vehicles. Like insulin pump “looping” and iPhone jailbreaking, this allows farmers to modify and repair the expensive equipment that’s vital to their work, the way they could with analog tractors. At the DefCon security […]

Open Cybersecurity Schema Framework released

The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion and normalization, so that […]

VMware patches critical admin authentication bypass bug

VMware has fixed a critical authentication bypass vulnerability that hits 9.8 out of 10 on the CVSS severity scale and is present in multiple products. That flaw is tracked as CVE-2022-31656, and affects VMware’s Workspace ONE Access, Identity Manager, and vRealize Automation. It was addressed along with nine other security holes in this patch batch, […]

Atlassian reveals critical flaws in most of their products

Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security. The company’s July security advisories detail “Servlet Filter dispatcher vulnerabilities.” One of the flaws – CVE-2022-26136 – is described as an arbitrary Servlet Filter bypass that means an attacker could send a […]

Lenovo fixes trio of UEFI vulnerabilities – fortunately not for Thinkpads though

[…] “The vulnerabilities,” explained the ESET Research team, “can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features.” “It’s a typical UEFI ‘double GetVariable’ vulnerability,” the team added, before giving a hat tip […]

X.Org Server Hit By New Local Privilege Escalation, Remote Code Execution Vulnerabilities

[…] CVE-2022-2319 and CVE-2022-2320 were made public this morning and both deal with the X.Org Server’s Xkb keyboard extension not properly validating input that could lead to out-of-bounds memory writes. Hopefully though in 2022 you aren’t relying on your xorg-server running as root. Fixes for these XKB vulnerabilities have been patched in X.Org Server Git […]

FBI and MI5 bosses speak out together: China hacks and steals at massive scale

The directors of the UK Military Intelligence, Section 5 (MI5) and the US Federal Bureau of Investigation on Wednesday shared a public platform for the first time and warned of China’s increased espionage activity on UK and US intellectual property. Speaking to an audience of business and academic leaders, MI5 director general Ken McCallum and […]

Security flaws in internet-connected hot tubs exposed owners’ personal data

[…] Jacuzzi’s SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app. Marketed as a “personal hot tub assistant,” users can make use of the app to control water temperature, switch on and off jets, and change the lights. But as […]

FBI warns crooks are using deepfake videos in job interviews

The US FBI issued a warning on Tuesday that it has received increasing numbers of complaints relating to the use of deepfake videos during interviews for tech jobs that involve access to sensitive systems and information. The deepfake videos include a video image or recording convincingly manipulated to misrepresent someone as the “applicant” for […]

Time to throw out those older, vulnerable Cisco SMB routers – they’re not gonna fix critical bugs for you

[…] Cisco has just released fixes for seven flaws, two of which are not great. First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it’s not going to fix. In other words, junk your […]

GitHub saved plaintext passwords of npm users in log files

GitHub has revealed it stored a “number of plaintext user credentials for the npm registry” in internal logs following the integration of the JavaScript package registry into GitHub’s logging systems. The information came to light when the company today published the results of its investigation into April’s unrelated OAuth token theft attack, where it described […]

EU governments, lawmakers agree on tougher cybersecurity rules for key sectors

EU countries and lawmakers agreed on Friday to tougher cybersecurity rules for large energy, transport and financial firms, digital providers and medical device makers amid concerns about cyber attacks by state actors and other malicious players. The European Commission two years ago proposed rules on the cybersecurity of network and information systems called NIS 2 […]

BIG-IP iControl REST vulnerability offers root commands

This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only. Security Advisory Status: F5 Product Development has assigned […]

ESET uncovers 3 vulnerabilities in Lenovo laptops

Three vulnerabilities were reported today: CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. The latter two are particularly embarrassing since they are related to UEFI firmware drivers used in the manufacturing process and can be used to disable SPI flash protections or the UEFI Secure Boot feature. “UEFI threats can be extremely stealthy and dangerous,” said ESET researcher Martin […]

GitLab issues security fix for hardcoded password flaw in OmniAuth

The cloud-hosted software version control service released versions 14.9.2, 14.8.5, and 14.7.7 of its self-hosted CE and EE software, fixing one “critical” security vulnerability (CVE-2022-1162), as well as two rated “high,” nine rated “medium,” and four rated “low.” “A hard-coded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in […]

High-Severity DoS Vulnerability Patched in OpenSSL

The flaw, tracked as CVE-2022-0778, was reported to the OpenSSL Project by Google vulnerability researcher Tavis Ormandy. The security hole affects OpenSSL versions 1.0.2, 1.1.1 and 3.0, and it has been fixed with the release of versions 1.0.2zd (for premium support customers), 1.1.1n and 3.0.2. Version 1.1.0 is also impacted, but it’s no longer supported […]

Kubernetes container runtime CRI-O has make-me-root flaw

A vulnerability in the container runtime engine CRI-O can be exploited by a rogue user to gain root-level access on a host. In a Kubernetes environment powered by CRI-O, the security hole can be used by a miscreant to move through a cluster as an administrator, install malware, and cause other chaos. CrowdStrike’s threat research […]

NSA report: This is how you should be securing your network

The National Security Agency (NSA) has released a new report that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks. NSA’s report ‘Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance’ is available freely for all network admins and CIOs to bolster their networks from state-sponsored and criminal […]