#vulnerability
Call for papers Vulnerable Societies — Migrants, Minorities, Risks and Responses, Swiss Sociological Association Conference, Basel/Muttenz, 9–11 September 2024. #sociology #migration #c4p #vulnerability @sociology
Deadline: 15 August 2023
Well this is new and scary. When a vendor tells you to remove their hardware, you know it's serious... #Barracuda: Immediately rip out and replace our security hardware https://grahamcluley.com/barracuda-immediately-rip-out-and-replace-our-security-hardware/ #CyberSecurity #InfoSec #vulnerability
Barracuda: Immediately rip out and replace our security hardware https://grahamcluley.com/barracuda-immediately-rip-out-and-replace-our-security-hardware/ #Securitythreats #emailappliance #Vulnerability #vulnerability #Barracuda #Malware
Barracuda: Immediately rip out and replace our security hardware
(They filed it under "Legal" on their website)
https://grahamcluley.com/barracuda-immediately-rip-out-and-replace-our-security-hardware/

A new research report has revealed that the notorious Clop #ransomware group has likely been silently "experimenting with ways to exploit" the recently disclosed critical MOVEit Transfer application #vulnerability (CVE-2023-34362) since 2021.
https://thehackernews.com/2023/06/clop-ransomware-gang-likely-exploiting.html
Hold on tight! Researchers have released details and PoC exploit for a recently disclosed Windows #vulnerability (CVE-2023-29336) that was under active exploitation and allowed threat actors to gain SYSTEM privileges.
https://thehackernews.com/2023/06/experts-unveil-poc-exploit-for-recent.html
The detection of a critical #vulnerability in MOVEit Transfer software has alerted users of this technology. The S.T.A².R.S. Team details the keys to the incident and the steps to mitigate it 📷
https://www.tarlogic.com/blog/cve-2023-34362-moveit-transfer-vulnerability/
For two decades, I've heard security professionals urging organizations to "just patch your stuff" as though they don't already know that and/or it's as simple as saying those words. This is where real data and "thought leaders" differ. The data acknowledges that things aren’t so simple in the real world because vulnerability remediation is a moving target (new vulns are found as old ones are fixed).
We measured the remediation capacity of hundreds of organizations over a 12-month period. To do this, we calculated the total number of open (unremediated) vulnerabilities in the environment and the total number closed each month. We then averaged that over the active timeframe to get a monthly open-to-closed ratio for each organization and created a log-log regression model. The results are recorded in the figure below, where each organization is plotted along the grid. And those results are INSANE!
The R² statistic for this log-log regression model is 0.93, meaning that it’s very strong and captures most of the variability around vulnerability closure rates. You can see this visually in the figure because all the points—which represent the remediation capacity for each firm—fit tightly along the regression line.
Strong models are great, but there’s something else we learned that’s greater still. Notice first that each axis is presented on a log scale, increasing by multiples of 10. Now, follow the regression line from the bottom left to upper right. See how every tenfold increase in open vulnerabilities is met with a roughly tenfold increase in closed vulnerabilities?
That, in a nutshell, is why it feels like your vulnerability management program always struggles to keep up. And why "just patch it, stupid" is ignorant and unhelpful advice. A typical organization will have the capacity to remediate about one out of every 10 vulnerabilities in their environment within a given month. That seems to hold true for firms large, small, and anywhere in between.
So is there no hope? Are vulnerability management programs destined to slowly drown in a quagmire of their own making? No! We did observe organizations that managed to drive down risky vulns in their environment over time...but that's another story for another post. Follow / stay tuned for their secret (hint: it doesn't require buying a product).
***
This chart comes from Prediction to Prioritization, Volume 3 - a joint study published 4 years ago between @cyentiainst and Kenna Security (now Cisco). You can view it for free here: https://learn-cloudsecurity.cisco.com/vulnerability-management-resources/vmc/prioritization-to-prediction-volume-3
#vulnerabilitymanagement #vulnerabilities #secops #cybersecurity #infosec #informationsecurity
#vulnerability

Cisco patches critical vulnerability in Express and TelePresence products
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/cisco-patches-critical-vulnerability-in-express-and-telepresence-products-b-g-3-j-e/gD2P6Ple2L
On the things you should be checking if they are vulnerable in your environment this morning list. #Cisco fixes #privilegeescalation bug in Cisco Secure Client https://securityaffairs.com/147217/security/cisco-secure-client-privilege-escalation.html #CyberSecurity #InfoSec #CSNB #vulnerability
Cisco fixes AnyConnect Windows bug exposing SYSTEM privileges
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/cisco-fixes-anyconnect-windows-bug-exposing-system-privileges-0-c-4-o-v/gD2P6Ple2L
A new #vulnerability has just been discovered in the #Windows version of #itunes, which would allow attackers to escalate privileges on a machine to become local administrator. The S.T.A².R.S Team details how to protect against it 👇
https://www.tarlogic.com/blog/cve-2023-32353-itunes-vulnerability/
June 2023 Security Update for Android fixes bug used by spyware
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/june-2023-security-update-for-android-fixes-bug-used-by-spyware-j-u-8-1-g/gD2P6Ple2L
Smashing Security podcast #325: Rick Astley and the little birdie scam https://grahamcluley.com/smashing-security-podcast-325/ #SmashingSecurity #Vulnerability #IslamicState #Afghanistan #Law&order #australia #Malware #Podcast #Taliban #Mobile #iraq #Scam
How can I tell if an issue has been resolved via backporting? #apt #backport #vulnerability
I have bad luck regarding electronic payments. Today I've accidentally #DoS-ed a vending machine in the company by not putting the card to the reader quickly enough. And I think I've got a scenario. What should I do? How do I report a #vulnerability for a vending machine?
VMware patches critical vulnerability in vRealize tool
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/cisco-patches-critical-vulnerability-in-vrealize-tool-v-l-e-0-n/gD2P6Ple2L
Cl0p gang tells MOVEit hack victims to contact it before June 14, or else… https://grahamcluley.com/cl0p-gang-tells-moveit-hack-victims-to-contact-it-before-june-14-or-else/ #Vulnerability #vulnerability #Ransomware #databreach #extortion #Dataloss #Cl0p
Understanding security through potential code vulnerabilities:
https://www.youtube.com/watch?v=HTp3cW1Sfq8
#security #java #vulnerability #exploit #video #tutorial #learntocode

Cl0p gang tells MOVEit hack victims to contact it before June 14, or else…
https://grahamcluley.com/cl0p-gang-tells-moveit-hack-victims-to-contact-it-before-june-14-or-else/
#cybersecurity #databreach #moveit #vulnerability #ransomware
There is another issue with Ring security cameras which apparently allows attackers to take them offline with not much effort.
#security #privacy #ring #camera #vulnerability #amazon #mozilla https://foundation.mozilla.org/en/blog/mozilla-publishes-ring-doorbell-vulnerability-following-amazons-apathy/
Get Real - How Community Informs Reality
#community #connection #Vulnerability
https://muz4now.com/2023/get-real-how-community-informs-reality/

Do I need to say it?
Update Chrome now—yet another nasty exploit is out in the wild https://www.pcworld.com/article/1944324/update-chrome-now-yet-another-nasty-exploit-is-out-in-the-wild.html
#Google #GoogleChrome #Exploit #InfoSec #Security #Vulnerability #TechNews

Critical Vulnerabilities Discovered in Game Dev Tool RenderDoc
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-vulnerabilities-discovered-in-game-dev-tool-renderdoc-s-x-e-8-a/gD2P6Ple2L
"Progress MOVEit vulnerability (CVE-2023-34362)"
#Google #Chrome 114 updated to patch the third #0day #vulnerability exploited in the wild this year. Update as soon as possible. https://www.techhelpkb.com/update-google-chrome/?utm_source=mastodon&utm_medium=toot&utm_campaign=chrome
As more organizations grapple with the #MOVEit #vulnerability, we want to reiterate that isolating Internet-facing #MOVEIt servers is critical. Steven Adair recently spoke to @dangoodin about what @volexity observed and how orgs are impacted.
Third Chrome Zero-Day Patch this Year - Patch now!
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/third-chrome-zero-day-patch-this-year-patch-now-5-j-m-j-y/gD2P6Ple2L
"A #vulnerability was found in #ImageMagick. This security flaw causes a shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding."
https://github.com/ImageMagick/ImageMagick/issues/6338
"As authorities plan for a future with more intense disasters, they must not forget housing.
Many communities will become more vulnerable, from towns next to a river to cities surrounded by forest. #Governments have a responsibility to develop #disaster #preparedness and resilience – particularly around #housing.
What we’re seeing now with post-disaster housing #vulnerability is an unintended consequence of leaving housing to the #market system.
Recent catastrophic climate-linked disasters are etched into our communal psyche.
Climate-related disasters leave behind trauma and worse mental health."
https://theconversation.com/climate-related-disasters-leave-behind-trauma-and-worse-mental-health-housing-uncertainty-is-a-major-reason-why-206861
#FossilFuel DIY #Disaster #Droughts #Bushfires #Storms #Floods #Heatwaves #OneHealth #Climate #Shelter
ZyXel NAS devices can be targeted by dangerous malware exploit
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/zyxel-nas-devices-can-be-targeted-by-dangerous-malware-exploit-5-v-z-4-9/gD2P6Ple2L
BBC staffers warned of payroll data breach. Other firms also affected by MOVEit vulnerability https://grahamcluley.com/bbc-staffers-warned-of-payroll-data-breach-other-firms-affected-by-moveit-vulnerability/ #BritishAirways #Vulnerability #vulnerability #Ransomware #databreach #ransomware #Dataloss #Malware #payroll #Boots #BBC
BBC staffers warned of payroll data breach, other firms affected by MOVEit vulnerability.
#cybersecurity #databreach #bbc #vulnerability #ransomware #payroll

New #macOS #vulnerability, Migraine, could bypass System Integrity Protection
🍎 New macOS vulnerability, Migraine, could bypass System Integrity Protection
➥ Microsoft Security Blog
"A new vulnerability, which we refer to as “Migraine” for its involvement with macOS migration, could allow an attacker with root access to automatically bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device."
#macOS #Vulnerability #CyberSecurity https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/
Another #opensource #vulnerability scanner for #webservers and #cgi is #nikto. It scans for dangerous files, outdated server software and performs other checks against security #threats.

This #vulnerability was addressed on the *opening day* of the 2022 conference where it was presented. The #NoScript extension bundled with @torproject’s #TorBrowser protects against it, and #Tor #Browser users would have received it as an automatic update.
I don’t understand why #Wired is tweeting this old article. Unless a person pays attention to the publication date they might think this is a current threat.
#InfoSec #security #privacy https://press.coop/@WIRED/110483827162431610
Decade-old critical vulnerability in Jetpack patched on millions of WordPress websites https://www.tripwire.com/state-of-security/decade-old-critical-vulnerability-jetpack-patched-millions-wordpress-websites #Securitythreats #Vulnerability #vulnerability #Automattic #Guestblog #Wordpress #Jetpack
Decade-old critical vulnerability in Jetpack patched on millions of WordPress websites.
Read more in my article on the Tripwire blog:

Contrary to common advice I talk about my negative #imposter thoughts. Because spelling them out loud:
1. makes them sound silly to you too
2. reduces the #shame element
3. allows trusted others you’re telling to give you positive feedback which we all need
4. normalises #vulnerability
The #OverlayFS #vulnerability CVE-2023-0386: Overview, detection, and remediation
https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/
Nice work!
As a reminder, Britton White and I had written an explainer for the public about Redline and infostealers, so if anyone needs help educating their relatives, you can download a free copy of our article: "Redline: Storing Passwords in your Browser Can Ruin Your Life (But Will Make Criminals VERY Happy!)" at
https://www.pogowasright.org/wp-content/uploads/Redline.pdf
Britton continues to post examples of login creds he finds for entities that have had breaches. Whether those creds were used to gain access is unknown, but the risk was there. If you follow him on LinkedIn, you can read all the sad examples.
#infostealer #redline #vulnerability #passwords #creds #login #browser #Infosec #cybersecurity
#DPAs focus on #vulnerability as part of their work (complaints, guidelines etc). #EDPS Strategy also contains the concept of vulnerability in data protection. However, we have to decide if we express ourselves on the general level or specific context @W_Wiewiorowski@twitter.com
The panel discusses the relationship between #vulnerability and #dataprotection. Power imbalance generates human vulnerability; data protection plays a key role in enabling vulnerable people’s fundamental rights.
New episode of the School Ahead #podcast now available! Thoughts on #vulnerability in #education and #leadership in public #schools. Search and subscribe in your favorite podcast service, or visit below. #school #k12 #teaching #teacher #teachers #students @edutooter @edutooters https://schoolahead.buzzsprout.com/
Prompt Injection: An AI-Targeted Attack - For a brief window of time in the mid-2010s, a fairly common joke was to send voic... - https://hackaday.com/2023/05/19/prompt-injection-an-ai-targeted-attack/ #artificialintelligence #injectionattack #promptinjection #vulnerability #security #chatgpt #youtube #gpt #ai
From the "the 's' in #IoT stands for 'security'" department: Belkin Wemo Mini Smart Plug V2 has a remote code execution #vulnerability (CVE-2023-27217) that will **NOT** be patched because the product is EOL:
https://thehackernews.com/2023/05/serious-unpatched-vulnerability.html
⚠️PSA for anyone with #WordPress v6.2.1. WP core team removed shortcodes support in templates to fix a #vulnerability. Many plugins & websites are broken now. You should check your website if you use shortcodes.
Trac ticket:
https://core.trac.wordpress.org/ticket/58333
#cms #php #opensource #foss #wp #webdev #infosec #security #classicpress
Uh oh... Time to switch to #Matrix and #XMPP full time? If you're on a #Mac you could be in danger, other platforms are fine, but it doesn't change the fact that #Telegram is kinda spooky.
#CIA #Vulnerability #Glowies #BigTech #SurveillanceCapitalism


#Vulnerability in #Telegram allows hackers to spy on users through the webcam in #macOS
https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/
I'm very happy to share with you all my latest research #blogpost along with my awesome teammate Reuven Yakar. Reuven and I found a critical vulnerability in the popular Wemo smart electrical socket by Belkin. This research had all the fun stuff - software AND hardware hacking and reverse engineering - and I'm super excited to finally be able to share it. Note that Belkin WILL NOT be releasing a patch for this vulnerability:
https://sternumiot.com/iot-blog/mini-smart-plug-v2-vulnerability-buffer-overflow/
#iot #security #securityresearch #belkin #wemo #vulnerability #cve
Disaster research events in London, UK:
22 June
Risk Without Borders
https://www.ucl.ac.uk/risk-disaster-reduction/events/2023/jun/irdr-annual-conference-2023-risk-without-borders
21 June
Humanitarian Summit: Doing even more with even less?
https://www.ucl.ac.uk/risk-disaster-reduction/events/2023/jun/ucl-humanitarian-summit-2023-doing-even-more-even-less
11-13 Sept
Creating Effective Warnings For All
https://www.ucl.ac.uk/sts/warning-research-centre/creating-effective-warnings-all-conference
#DRR #DisastersAreNotNatural #NoNaturalDisasters (so we avoid the phrases #NaturalDisaster #NaturalDisasters) #vulnerability #resilience #DisasterRisk #DisasterRiskReduction #disaster #disasters #DisasterResearch #DisasterStudies
🪲 0-click vulnerability in Outlook (new bypass by @akamai_research) to steal NTLM credentials
👉 Unauthenticated attacker could coerce an #outlook client to connect to an attacker-controlled server
👉 No user interaction
https://www.akamai.com/blog/security-research/important-outlook-vulnerability-bypass-windows-api
I have been *dying* to talk about this and finally can.
Remember that 0-click Outlook vulnerability with a custom sound leading to NTLM theft? The one that MSFT themselves stated it originated and was being actively used by Russian actors?
@nachoskrnl found a way to bypass the patch to it. By adding one singular slash.
Write-up 👇
https://www.akamai.com/blog/security-research/important-outlook-vulnerability-bypass-windows-api
„Presents versus privacy“
Zerforschung doing a great job again at researching a startup promise and finding a simple but bad vulnerability.
#security #research #vulnerability #data #privacy #session #cookies https://zerforschung.org/posts/throne-en/
#WordPress: Advanced Custom Fields Plugins Contain #Vulnerability, 2+ Million Sites Affected
Clever exploitation of a cool bug by trellix…
The Art of Information Disclosure: A Deep Dive into CVE-2022-37985, a Unique Information Disclosure #Vulnerability in #Windows Graphics Component
https://www.trellix.com/en-us/about/newsroom/stories/research/the-art-of-information-disclosure.html
Some thoughts on #vulnerability for #school #leaders and #educators … #education @edutooter@a.gup.pe @edutooter@chirp.social https://write.as/jeffmoore/vulnerability
WordPress plugin vulnerability puts two million websites at risk.
https://grahamcluley.com/wordpress-plugin-vulnerability-puts-two-million-websites-at-risk/
Patch now! The Mirai IoT botnet is exploiting TP-Link routers.
Read more in my article on the Tripwire blog: https://www.tripwire.com/state-of-security/patch-now-mirai-iot-botnet-exploiting-tp-link-routers
#cybersecurity #vulnerability #mirai #botnet #ddos #denialofservice #iot
Let me get this straight… Still ZERO details about the Rapid Security Response from May 1, which presumably fixes at least one actively exploited #vulnerability.
But #Apple releases details for two random firmware updates, one from >3 weeks ago, for a #Bluetooth pairing issue⁉️🤨
A new study has highlighted under-prepared regions across the world most at risk of the devastating effects of scorching temperatures. #climate #GlobalWarming #heatwave #vulnerability https://news.exeter.ac.uk/faculty-of-environment-science-and-economy/research-reveals-countries-where-record-breaking-heatwaves-are-likely-to-cause-most-harm/
Argh! Found a #vulnerability in a big #OpenSource product.
No security.txt
No private issues on GitHub
No bug bounty listed
So I guess I can either raise a public issue on GitHub or email their tech support team.
Any other ideas?
Own a Nexx “smart” alarm or garage door opener? Get rid of it, or regret it.
https://grahamcluley.com/nexx-smart-alarm-garage-door-vulnerability/