Make DNS a Cornerstone of Your Cyber Security Arsenal

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database
CVE-2019-7617 (PUBLISHED: 2019-08-22): When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing.
CVE-2019-14751 (PUBLISHED: 2019-08-22): NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers…

August 22, 2019

Endgame Boosts Apple Security to Be Commensurate with Windows Security

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database
CVE-2018-18573 (PUBLISHED: 2019-08-22): osCommerce 2.3.4.1 has an incomplete ‘.htaccess’ for blacklist filtering in the "product" page. Remote authenticated administrators can upload new ‘.htaccess’ files (e.g., omitting .php) and subsequently achieve arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&ac…
CVE-2019-11013 (PUBLISHED: 2019-08-22): Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system to access files or…

August 22, 2019

LinkedIn Details Features of Fight Against Fakes

A recent blog post explains how the social network is fighting to protect its users from interactions with fake accounts. Fake accounts — those created by bots or malicious actors — are problems for every social network. In a recent blog post, professional community LinkedIn discussed what it has done, and is doing, to fight the fakes. According to the post, LinkedIn took action on more than 21 million fake…

August 22, 2019

Texas Towns Recover, But Local Governments Have Little Hope For Respite from Ransomware

Their struggles underscore the difficulties for small towns in dealing with cyberattacks. Twenty-two Texas towns and local government organizations have begun to recover from a coordinated ransomware attack on their information systems, though many continue to struggle with outages and disruptions to their municipal services. The city of Kaufman, Texas, for example, announced on Monday in a post on Facebook that its systems had been “severely affected by an outside…

August 22, 2019

5 Identity Challenges Facing Today’s IT Teams

To take control over your company’s security, identify and understand the biggest identity and access management challenges facing IT teams today and start addressing them. The business landscape is transforming, along with a workforce that is increasingly modernizing where and how they want to work. Employees expect access to the tools they need anytime, from any device. As a result, IT teams are increasingly challenged to manage remote employees, give…

August 22, 2019

Asset Management Becomes the New Security Model

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database
CVE-2019-15314 (PUBLISHED: 2019-08-22): tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tiki/tiki-download_file.php?display&fileId= URI.
CVE-2019-15317 (PUBLISHED: 2019-08-22): The give plugin before 2.4.7 for WordPress has XSS via a donor name.
CVE-2019-15318 (PUBLISHED: 2019-08-22): The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for WordPress has code injection via the admin input field.
CVE-2016-10921 (PUBLISHED: 2019-08-22): The gallery-photo-gallery plugin before 1.0.1 for WordPress has SQL…

August 22, 2019

Which Security Metrics Should I Use?

Figuring that out actually begins with a broader question. Question: I’m updating my security metrics program. Are there any old security metrics that I should definitely leave behind? Stacey Halota, vice president, information security and privacy, at Graham Holdings: That depends. The best question to ask yourself as you update (or create) a metrics program is, “Why am I measuring this?” When you examine your metrics, are they driving desired change in…

August 22, 2019

New FISMA Report Shows Progress, Gaps in Federal Cybersecurity

No major incidents mixed with continuing gaps in implementation paint an improving, but still muddy, picture of cybersecurity in the federal government. Each year, the Office of Management and Budget (OMB) is required to report to Congress on the state of federal cybersecurity, as per the Federal Information Security Modernization Act of 2014 (FISMA). The latest version of the report, for fiscal 2018, is mostly filled with the sort of…

August 22, 2019

Splunk Buys SignalFx for $1.05 Billion

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database
CVE-2019-1896 (PUBLISHED: 2019-08-21): A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject arbitrary commands and obtain root privileges. The vulnerability is due to insufficient validation of user-supplied input in the Certificate S…
CVE-2019-1900 (PUBLISHED: 2019-08-21): A vulnerability in the web server of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to…

August 22, 2019

MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online

Thousands of customers’ credit card numbers, MoviePass card numbers, and sensitive data were left in an unprotected database. MoviePass, a struggling film subscription service, has another problem on its plate: Security researchers discovered an unsecured company database exposing thousands of customers’ personal and payment information. The database has since been taken offline. Compromised data includes names, email addresses, credit card numbers, expiration dates, billing information, and mailing addresses. Many exposed…

August 22, 2019