$0.99 Kindle Books Security Vulnerabilities

apple

About the security content of iOS 13.1 and iPadOS 13.1

About the security content of iOS 13.1 and iPadOS 13.1 This document describes the security content of iOS 13.1 and iPadOS 13.1. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches...

9.8CVSS

0.4AI Score

0.43EPSS

2019-09-24 12:00 AM
16
threatpost

News Wrap: Emotet's Return, U.S. Vs. Snowden, Physical Pen Testers Arrested

From the re-emergence of an infamous malware, to a new lawsuit against Edward Snowden, Threatpost editors Lindsey O’Donnell and Tara Seals break down this week’s top news. Top stories include: Emotet, the notorious banking trojan, is back after a summer hiatus. The U.S. sued Edward Snowden over...

-0.8AI Score

2019-09-20 01:54 PM
100
threatpost

Edward Snowden Sued by U.S. Over New Memoir

The U.S. has sued whistleblower Edward Snowden over his new memoir, alleging he published the book in violation of non-disclosure agreements signed with both the CIA and NSA. Edward Snowden, a former employee of the Central Intelligence Agency and contractor for the National Security Agency (NSA),....

-0.1AI Score

2019-09-18 02:00 PM
48
osv

CVE-2019-16239

process_http_response in OpenConnect before 8.05 has a Buffer Overflow when a malicious server uses HTTP chunked encoding with crafted chunk...

9.8CVSS

6.7AI Score

0.007EPSS

2019-09-17 12:15 PM
2
apple

About the security content of iOS 12.1 - Apple Support

About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page. For more information about security, see....

7.8CVSS

0.4AI Score

0.867EPSS

2019-09-17 10:50 AM
25
threatpost

iPhone iOS 13 Lockscreen Bypass Flaw Exposes Contacts

An iPhone lock screen bypass has been discovered that could enable an attacker to access victims’ address books, including their contacts’ names, email addresses, phone numbers, mailing addresses and more. The hack was first discovered by researcher Jose Rodriguez, an Apple enthusiast based in...

-0.5AI Score

0.002EPSS

2019-09-13 07:15 PM
163
mskb

September 10, 2019—KB4515384 (OS Build 18362.356)

September 10, 2019—KB4515384 (OS Build 18362.356) Note Follow @WindowsUpdate to find out when new content is published to the release information dashboard. Note This release also contains updates for Microsoft HoloLens (OS Build 18362.1031) released September 10, 2019. Microsoft will release an...

7.5AI Score

0.279EPSS

2019-09-10 07:00 AM
109
schneier

The Doghouse: Crown Sterling

A decade ago, the Doghouse was a regular feature in both my email newsletter Crypto-Gram and my blog. In it, I would call out particularly egregious -- and amusing -- examples of cryptographic "snake oil." I dropped it both because it stopped being fun and because almost everyone converged on...

-0.2AI Score

2019-09-05 10:58 AM
44
pentestit

UPDATE: Nmap 7.80

PenTestIT RSS Feed Good news guys! The Nmap 7.80 update is now available and this is the Defcon release. We've had to wait for such a long time since the guys behind Nmap were extremely busy improving the Npcap raw packet capturing/sending driver. It now uses modern APIs and is more performant as.....

0.1AI Score

0.023EPSS

2019-08-12 09:59 PM
123
trendmicroblog

Cyberattack Lateral Movement Explained

[Lightly edited transcript of the video above] Hi there, Mark Nunnikhoven from Trend Micro Research, I want to talk to you about the concept of lateral movement. And the reason why I want to tackle this today is because I've had some conversations in the last few days that have really kind of hit.....

-0.7AI Score

2019-08-12 03:11 PM
37
threatpost

Critical Bug in Android Antivirus Exposes Address Books

A slew of popular free Android antivirus apps in recent testing proved to have security holes and privacy issues – including a critical vulnerability that exposes user’s address books, and another serious flaw that enables attackers to turn off antivirus protection entirely. According to an...

-0.2AI Score

2019-08-02 05:37 PM
33
schneier

How Privacy Laws Hurt Defendants

Rebecca Wexler has an interesting op-ed about an inadvertent harm that privacy laws can cause: while law enforcement can often access third-party data to aid in prosecution, the accused don't have the same level of access to aid in their defense: The proposed privacy laws would make this...

1.3AI Score

2019-08-02 11:04 AM
38
osv

CVE-2019-5454

SQL Injection in the Nextcloud Android app prior to version 3.0.0 allows to destroy a local cache when a harmful query is executed requiring to resetup the...

9.8CVSS

7.7AI Score

0.001EPSS

2019-07-30 09:15 PM
4
wired

New York's Revenge Porn Law Is a Flawed Step Forward

All but four states in the US now have a revenge porn law on the books. But advocates say precious few get it...

0.4AI Score

2019-07-24 09:10 PM
78
osv

CVE-2019-1010084

Dancer::Plugin::SimpleCRUD 1.14 and earlier is affected by: Incorrect Access Control. The impact is: Potential for unauthorised access to data. The component is: Incorrect calls to _ensure_auth() wrapper result in authentication-checking not being applied to al...

6.5CVSS

6.9AI Score

0.001EPSS

2019-07-17 02:15 PM
1
schneier

Clickable Endnotes to Click Here to Kill Everybody

In Click Here to Kill Everybody, I promised clickable endnotes. They're finally...

2.4AI Score

2019-07-12 07:16 PM
176
schneier

Applied Cryptography is Banned in Oregon Prisons

My Applied Cryptography is on a list of books banned in Oregon prisons. It's not me -- and it's not cryptography -- it's that the prisons ban books that teach people to code. The subtitle is "Algorithms, Protocols, and Source Code in C" -- and that's the reason. My more recent Cryptography...

2.6AI Score

2019-07-05 06:52 PM
195
threatpost

Mac Malware Pushed via Google Search Results, Masquerades as Flash Installer

Never-before-seen Mac malware, dubbed OSX/CrescentCore, has been discovered in the wild. The trojan, spotted on various websites masquerading as an Adobe Flash Player installer, drops malicious applications and browser extensions on victims’ systems when downloaded. OSX/CrescentCore is spread via.....

0.2AI Score

2019-07-02 03:22 PM
95
taosecurity

Happy Birthday TaoSecurity.com

Nineteen years ago this week I registered the domain taosecurity.com: Creation Date: 2000-07-04T02:20:16Z This was 2 1/2 years before I started blogging, so I don't have much information from that era. I did create the first taosecurity.com Web site shortly thereafter. I first started hosting it...

-0.8AI Score

2019-07-01 02:00 PM
27
taosecurity

Reference: TaoSecurity Press

I started appearing in media reports in 2000. I used to provide this information on my Web site, but since I don't keep that page up-to-date anymore, I decided to publish it here. As of 2017, Mr. Bejtlich generally declines press inquiries on cybersecurity matters, including those on...

7AI Score

2019-07-01 12:00 PM
48
packetstorm

-0.4AI Score

0.01EPSS

2019-07-01 12:00 AM
207
hackread

How I Discovered My First Vulnerability

By David Balaban I have read a couple of books recently about different vulnerabilities in order to be able to better protect my projects/websites. Today, I want to share a story about how I managed to use this knowledge in practice. Disclaimer This material is posted for educational purposes...

3.1AI Score

2019-06-17 10:14 PM
77
kitploit

PhoneInfoga - Advanced Information Gathering & OSINT Tool For Phone Numbers

PhoneInfoga is one of the most advanced tools to scan phone numbers using only free resources. The goal is to first gather standard information such as country, area, carrier and line type on any international phone numbers with very good accuracy. Then search for footprints on search engines to...

7.2AI Score

2019-06-13 01:08 PM
590
securelist

What kids get up to online

Today's children navigate the Internet better than adults. They are not afraid to try out new technology, and are quick to grasp new trends and sometimes invent their own. New social networks, mobile games, music, and gadgets are all part and parcel of their daily lives. But just because they feel....

-0.1AI Score

2019-06-12 10:00 AM
108
malwarebytes

Video game portrayals of hacking: NITE Team 4

Note: The developers of NITE Team 4 granted the blog author access to the game plus DLC content. A little while ago, an online acquaintance of mine asked if a new video game based on hacking called NITE Team 4 was in any way realistic, or “doable” in terms of the types of hacking it portrayed...

-0.3AI Score

2019-06-07 04:52 PM
157
kitploit

P4wnP1 A.L.O.A. - Framework Which Turns A Raspberry Pi Zero W Into A Flexible, Low-Cost Platform For Pentesting, Red Teaming And Physical Engagements

P4wnP1 A.L.O.A. by MaMe82 is a framework which turns a Raspberry Pi Zero W into a flexible, low-cost platform for pentesting, red teaming and physical engagements ... or into "A Little Offensive Appliance". 0. How to install The latest image could be found under release tab. The easiest way to...

7AI Score

2019-05-27 09:47 PM
550
impervablog

Build Bikes and Go Fast: Why Building Bikes is Critical to Imperva’s Success

In May 2019, seventy members of Imperva’s global leadership team gathered in one location to share insights, to develop and commit to our future strategy, and to build bikes. That’s right, to build bikes. Of course, that bit about developing and committing to our future strategy is undeniably...

AI Score

2019-05-24 04:00 PM
67
packetstorm

0.5AI Score

2019-05-21 12:00 AM
510
nessus

EulerOS Virtualization 3.0.1.0 : libpng (EulerOS-SA-2019-1421)

According to the versions of the libpng package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x...

0.9AI Score

0.832EPSS

2019-05-14 12:00 AM
13
mssecure

Safeguard your most sensitive data with Microsoft 365

I am Security Operations’ (SecOps) worst nightmare. Or at least I used to be. As an industrious product marketer, I often share intellectual property (think: details of new product capabilities) or spreadsheets that contain customer personal identifying information (PII) with colleagues and...

1AI Score

2019-05-09 04:00 PM
57
carbonblack

“There Are No Hackers, There Are Only Spies”

In December 2015, I opened a letter from the Office of Personnel Management. The OPM oversees healthcare and insurance programs, administers retirement and benefit services, and assists federal agencies in hiring new employees and providing federal investigative services for background checks....

-0.3AI Score

2019-05-08 04:35 PM
66
openvas

Fedora Update for remmina FEDORA-2019-e3b2885a25

The remote host is missing an update for...

9.8CVSS

8.3AI Score

0.037EPSS

2019-05-07 12:00 AM
61
openvas

Fedora Update for php-horde-turba FEDORA-2019-6119518602

The remote host is missing an update for...

7.5AI Score

2019-05-07 12:00 AM
49
openvas

Fedora Update for php-horde-turba FEDORA-2019-e29ba2d34a

The remote host is missing an update for...

7.5AI Score

2019-05-07 12:00 AM
62
mssecure

Get security beyond Microsoft products with Microsoft 365

Over time, organizations and individuals acquire stuff. Things we love and things we need. Things we don’t need but can’t seem to get rid of. I was confronted with this challenge when we bought a 1908 craftsman home. How could I make my beloved modern furniture and mandatory kid-friendly gear...

-0.1AI Score

2019-05-02 04:00 PM
25
fedora

[SECURITY] Fedora 29 Update: php-horde-turba-4.2.24-1.fc29

Turba is the Horde contact management application. Leveraging the Horde framework to provide seamless integration with IMP and other Horde applications, it supports storing contacts in SQL, LDAP, Kolab, and IMSP address...

1.2AI Score

2019-05-02 03:06 AM
5
fedora

[SECURITY] Fedora 28 Update: php-horde-turba-4.2.24-1.fc28

Turba is the Horde contact management application. Leveraging the Horde framework to provide seamless integration with IMP and other Horde applications, it supports storing contacts in SQL, LDAP, Kolab, and IMSP address...

1.2AI Score

2019-05-02 01:07 AM
6
nessus

Fedora 30 : 1:gnome-bluetooth / at-spi2-core / atomix / bijiben / containers / etc (2019-ac2a21ff07)

This update fixes a bug in the Meson build system which caused binaries and libraries to incorrectly be marked as requiring an executable stack. This makes them more vulnerable to security issues, and also can result in errors caused by SELinux denials. This update also provides rebuilds of all...

-0.6AI Score

2019-05-02 12:00 AM
7
openvas

Fedora Update for php-horde-turba FEDORA-2019-146df522df

The remote host is missing an update for...

7.5AI Score

2019-05-02 12:00 AM
11
fedora

[SECURITY] Fedora 30 Update: php-horde-turba-4.2.24-1.fc30

Turba is the Horde contact management application. Leveraging the Horde framework to provide seamless integration with IMP and other Horde applications, it supports storing contacts in SQL, LDAP, Kolab, and IMSP address...

1.2AI Score

2019-05-01 12:41 AM
7
kitploit

Flerken - Obfuscated Command Detection Tool

Command line obfuscation has been proved to be a non-negligible factor in fileless malware or malicious actors that are "living off the land". To bypass signature-based detection, dedicated obfuscation techniques are shown to be used by red-team penetrations and even APT activities. Meanwhile,...

7.6AI Score

2019-04-30 12:24 PM
27
mssecure

Understand and improve your security posture with Microsoft 365

I kickstarted 2019 with a “dry,” keto January. And, as so often happens, I found a parallel between my personal life and my chosen industry, cybersecurity. In this case, it was measurement. How do you know if you’re healthy? There are clear indicators when you’re not healthy, such as a sore throat....

0.1AI Score

2019-04-29 04:00 PM
31
osv

CVE-2019-11490

An issue was discovered in Npcap 0.992. Sending a malformed .pcap file with the loopback adapter using either pcap_sendqueue_queue() or pcap_sendqueue_transmit() results in kernel pool corruption. This could lead to arbitrary code executing inside the Windows kernel and allow escalation of...

7.8CVSS

7.5AI Score

0.001EPSS

2019-04-24 03:29 AM
3
osv

clamav - security update

Bulletin has no...

7.5CVSS

6.2AI Score

0.15EPSS

2019-04-22 12:00 AM
5
talosblog

Threat Roundup for April 12 to April 19

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 12 and April 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral...

7.6AI Score

2019-04-19 08:15 AM
30
fedora

[SECURITY] Fedora 30 Update: gnome-books-3.32.0-3.fc30

Books is a simple application to access and organize your e-books on GNOME. It is meant to be a simple and elegant replacement for using a file manager to deal with...

2.2AI Score

2019-04-17 04:05 PM
15
mssecure

Defend your digital landscape with Microsoft 365

What is it about the middle of the night that brings our fears to the surface? For me, it’s the unknown dangers that may confront my young daughter and how I will protect her. Fear of the unknown can also disrupt the sleep of a chief information security officer (CISO) who worries about the...

AI Score

2019-04-17 04:00 PM
29
schneier

A "Department of Cybersecurity"

Presidential candidate John Delaney has announced a plan to create a Department of Cybersecurity. I have long been in favor of a new federal agency to deal with Internet -- and especially Internet of Things -- security. The devil is in the details, of course, and it's really easy to get this...

2.5AI Score

2019-04-17 12:57 PM
18
mssecure

Discover and manage shadow IT with Microsoft 365

While IT teams methodically plan corporate adoption of cloud services, the rest of us have dived in headfirst. Ten years ago, a vendor shared a video file with me via Dropbox because it was too big to email. It was my first experience with a cloud file sharing service, and when I realized I could.....

-0.2AI Score

2019-04-15 04:00 PM
47
pentestpartners

Cobalt Strike. Walkthrough for Red Teamers

What is Cobalt Strike? Raphael Mudge is the creator of Cobalt Strike (CS), around 2010 he released a tool titled Armitage, which is described by wikipedia as a graphical cyber-attack management for the Metasploit Project, to put this more bluntly, Armitage is a gui that allows you to easily...

7.2AI Score

2019-04-15 06:59 AM
460
Total number of security vulnerabilities: 2571