This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only. Security Advisory Status F5 Product Development has assigned Read more about BIG-IP iControl REST vulnerability offers root commands[…]

Three vulnerabilities were reported today: CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. The latter two are particularly embarrassing since they are related to UEFI firmware drivers used in the manufacturing process and can be used to disable SPI flash protections or the UEFI Secure Boot feature. “UEFI threats can be extremely stealthy and dangerous,” said ESET researcher Martin Read more about ESET uncovers 3 vulnerabilities in Lenovo laptops[…]

The cloud-hosted software version control service released versions 14.9.2, 14.8.5, and 14.7.7 of its self-hosted CE and EE software, fixing one “critical” security vulnerability (CVE-2022-1162), as well as two rated “high,” nine rated “medium,” and four rated “low.” “A hard-coded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in Read more about GitLab issues security fix for hardcoded password flaw in OmniAuth[…]

This article explores a phishing technique that simulates a browser window within the browser to spoof a legitimate domain. Introduction For security professionals, the URL is usually the most trusted aspect of a domain. Yes there’s attacks like IDN Homograph and DNS Hijacking that may degrade the reliability of URLs but not to an extent Read more about Browser In The Browser (BITB) Attack[…]

The flaw, tracked as CVE-2022-0778, was reported to the OpenSSL Project by Google vulnerability researcher Tavis Ormandy. The security hole affects OpenSSL versions 1.0.2, 1.1.1 and 3.0, and it has been fixed with the release of versions 1.0.2zd (for premium support customers), 1.1.1n and 3.0.2. Version 1.1.0 is also impacted, but it’s no longer supported Read more about High-Severity DoS Vulnerability Patched in OpenSSL[…]

A vulnerability in the container runtime engine CRI-O can be exploited by a rogue user to gain root-level access on a host. In a Kubernetes environment powered by CRI-O, the security hole can be used by a miscreant to move through a cluster as an administrator, install malware, and cause other chaos. CrowdStrike’s threat research Read more about Kubernetes container runtime CRI-O has make-me-root flaw[…]

The 2022 update to our famous Hive Systems Password Table that’s been shared across the internet, social media, the news, and organizations worldwide. So what’s new, and what’s our methodology behind it? Keep reading! Looking for a high resolution version to download? Download the table now It’s been two years since we first shared our Read more about How safe are your passwords in 2022?[…]

The National Security Agency (NSA) has released a new report that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks. NSA’s report ‘Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance‘ is available freely for all network admins and CIOs to bolster their networks from state-sponsored and criminal Read more about NSA report: This is how you should be securing your network[…]

Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year’s Galaxy S21. Researchers at Tel Aviv University found what they called “severe” cryptographic design flaws that could have let attackers siphon the devices’ hardware-based cryptographic keys: keys that unlock the treasure trove Read more about Samsung Screwed Up Encryption on 100M Phones[…]

Ireland’s Health Services Executive has published a fresh summary of the devastating ransomware attack that hit the country’s healthcare sector in the summer of 2021 — on the back of a detailed public post-incident report by consultancy PwC. The HSE is Ireland’s largest public sector employer, with 130,000+ staff manning 70,000+ IT devices across 4,000 Read more about PwC’s HSE hack post-incident report should be a textbook for leaders[…]

[…]Polkit, previously known as PolicyKit, is a tool for setting up policies governing how unprivileged processes interact with privileged ones. The vulnerability resides within polkit’s pkexec, a SUID-root program that’s installed by default on all major Linux distributions. Designated CVE-2021-4034, the vulnerability has been given a CVSS score of 7.8. Bharat Jogi, director of vulnerability Read more about polkit has been allowing root for 12+ years[…]

A new type of malware takes a decidedly more stealthy and hard-to-remove path into your OS — it hides in your BIOS chip and thus remains even after you reinstall your OS or format your hard drive. Kaspersky has observed the growth of Unified Extensible Firmware Interface (UEFI) firmware malware threats since 2019, with most Read more about MoonBounce Malware Hides In Your BIOS Chip, Persists After Drive Formats[…]

An improperly implemented API that stores data on browsers has caused a vulnerability in Safari 15 that leaks user internet activity and personal identifiers. The vulnerability was discovered by fraud detection service Fingerprint JS, which has contacted the WebKit maintainers and provided a public source code repository. As of 28 November last year, the issue Read more about Safari 15 could leak Google account info to malicious sites[…]

An app that visitors to the 2022 Olympics Games in Beijing are obligated to download is also a cybersecurity nightmare that threatens to expose much of the data that it collects, according to a new report. MY2022, the mandatory app for visitors at this year’s Winter Games, offers a variety of services—including tourism recommendations, Covid-related Read more about Security Holes Found in My2022 App for Beijing Winter Olympics[…]

Have you immortalized your beloved dog, Charlie, in all of your online passwords? While he may be tasked to protect your home (or at least his food bowl), your heartfelt dedication might actually be compromising your digital safety. Many passwords believed to be deeply personal to you are, in fact, quite common – making them Read more about The Worst Passwords in the Last Decade (And New Ones You Shouldn’t Use)[…]

A team of researchers at France’s Research Institute of Computer Science and Random Systems created an anti-malware system centered around a Raspberry Pi that scans devices for electromagnetic waves. As reported by Tom’s Hardware, the security device uses an oscilloscope (Picoscope 6407) and H-Field probe connected to a Raspberry Pi 2B to pick up abnormalities Read more about Raspberry Pi Can Detect Malware By Scanning for EM Waves[…]

Dutch athletes competing in next month’s Beijing Winter Olympics will need to leave their phones and laptops at home in an unprecedented move to avoid Chinese espionage, Dutch newspaper De Volkskrant reported on Tuesday. The urgent advice to athletes and supporting staff to not bring any personal devices to China was part of a set Read more about Dutch Athletes Warned To Keep Phones and Laptops Out of China[…]

While many of the groups that took part in last year’s siege on the U.S. Capitol turned to Facebook and Telegram groups to plan their part in the attack, the Oath Keepers—a far-right org that’s best described as somewhere between a militia and a rag-tag group of wannabe vigilantes—are alleged to be bigger fans of Read more about DOJ Say Evidence Against Oath Keepers Came From Signal Chats[…]

The Apache Software Foundation (ASF) has revealed a third bug in its Log4 Java-based open-source logging library Log4j. CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is version 2.17.0 of Log4j. That’s the third new version of the tool in the last ten days. In Read more about Bad things come in threes: Apache reveals another Log4J bug[…]

UK online used goods bazaar Gumtree exposed its users’ home addresses in the source code of its webpages, and then tried to squirm out of a bug bounty after infosec bods alerted it to the flaw. British company Pen Test Partners (PTP) spotted the data leakage, which meant anyone could view a Gumtree user’s name Read more about Gumtree users’ locations were visible by pressing F12, wouldn’t pay bug bounty to finder[…]

Smartphone payment provider LINE Pay announced yesterday that around 133,000 users’ payment details were mistakenly published on GitHub between September and November of this year. Files detailing participants in a LINE Pay promotional program staged between late December 2020 and April 2021 were accidentally uploaded to the collaborative coding crèche by a research group employee. Read more about LINE Pay leaks around 133,000 users’ data to GitHub[…]

Tricking users into visiting a malicious webpage could allow malicious people to compromise 150 models of HP multi-function printers, according to F-Secure researchers. The Finland-headquartered infosec firm said it had found “exploitable” flaws in the HP printers that allowed attackers to “seize control of vulnerable devices, steal information, and further infiltrate networks in pursuit of Read more about 150 HP multi-function printer types vulnerable to exploit[…]

UK lawmakers are sick and tired of shitty internet of things passwords and are whipping out legislation with steep penalties and bans to prove it. The new legislation, introduced to the UK Parliament this week, would ban universal default passwords and work to create what supporters are calling a “firewall around everyday tech.” Specifically, the Read more about The UK Just Banned Default Passwords and We Should Too[…]