
680 matches found

IBM Security Bulletins
added 2018/06/15 7:5 a.m. | 20 views

Security Bulletin: Multiple vulnerabilities in IBM WebSphere eXtreme Scale Client could expose sensitive information (CVE-2016-2861, CVE-2016-0400)

Summary Multiple vulnerabilities in IBM WebSphere eXtreme Scale Client could expose sensitive information. Vulnerability Details CVEID: CVE-2016-2861 DESCRIPTION: IBM WebSphere eXtreme Scale uses weaker than expected security to encrypt data which could allow an attacker that is able to capture...

CVSS: 6.1 | AI score: 0.6 | EPSS: 0.03486
Exploits: 2 | Affected Software: 1

The Hacker News
added 2018/06/05 6:5 p.m. | 83 views

MyHeritage Says Over 92 Million User Accounts Have Been Compromised

MyHeritage, the Israel-based DNA testing service designed to investigate family history, has disclosed that the company website was breached last year by unknown attackers, who stole login credentials of its more than 92 million customers. The company learned about the breach on June 4, 2018, aft...

AI score: 0.1
Exploits: 0

Prion
added 2018/05/18 1:29 p.m. | 12 views

Design/Logic Flaw

Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programmer, all versions, and 8870 N'Vision removable Application Card, all versions does not encrypt PII and PHI while at rest...

CVSS: 2.1 | AI score: 5.2 | EPSS: 0.00083
Exploits: 0 | References: 3

Akamai Blog
added 2018/05/02 2:27 p.m. | 16 views

How to Make Your Demo Environment Easy, Accessible...AND Secure

A common misconception I've heard in the field is that a tradeoff exists between easy access for applications and network security. For example, companies want to allow their sales team, partners, and prospects access into demo environments. With traditional access solutions, there is a question ...

AI score: 0.6
Exploits: 0

Drupal
added 2018/04/25 12:0 a.m. | 5 views

DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022

This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard. The modules DRD and DRD Agent encrypt the data which is exchanged between them but in order to do so, they use the PHP serialize/unserialize...

AI score: 7.4
Exploits: 0 | References: 3

Amazon
added 2018/04/19 12:0 a.m. | 18 views

Medium: stunnel, amazon-efs-utils

Issue Overview: This update adds the checkHost option to stunnel, which verifies the host of the peer certificate subject. Certificates are accepted if no checkHost option was specified, or the host name of the peer certificate matches any of the hosts specified with checkHost. This update adds t...

AI score: 6.7
Exploits: 0

Amazon
added 2018/04/19 12:0 a.m. | 41 views

Medium: stunnel, amazon-efs-utils

Issue Overview: This update adds the checkHost option to stunnel, which verifies the host of the peer certificate subject. Certificates are accepted if no checkHost option was specified, or the host name of the peer certificate matches any of the hosts specified with checkHost. This update adds t...

AI score: 6.8
Exploits: 0

ThreatPost
added 2018/03/30 11:58 a.m. | 12 views

Under Armour Reports Massive Breach of 150 Million MyFitnessPal Accounts

UPDATE Fitness apparel firm Under Armour said 150 million users of its MyFitnessPal app are victims in a breach exposing user names, email addresses and hashed passwords. The company said personal identifiable information such as credit card numbers and social security numbers were not part of th...

AI score: 0.4
Exploits: 0 | References: 4

Prion
added 2018/03/28 5:29 p.m. | 13 views

Code injection

In Philips Alice 6 System version R8.0.2 or prior, the lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys...

CVSS: 5 | AI score: 9.5 | EPSS: 0.00087
Exploits: 0 | References: 2 | Affected Software: 1

NVD
added 2018/03/28 5:29 p.m. | 16 views

CVE-2018-7498

In Philips Alice 6 System version R8.0.2 or prior, the lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys...

CVSS: 9.8 | AI score: 9.6 | EPSS: 0.00087
Exploits: 0 | References: 2

Cvelist
added 2018/03/28 5:0 p.m. | 20 views

CVE-2018-7498

In Philips Alice 6 System version R8.0.2 or prior, the lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys...

AI score: 9.5 | EPSS: 0.00087
Exploits: 0 | References: 2

CVE
added 2018/03/28 5:0 p.m. | 38 views

CVE-2018-7498

Philips Alice 6 System (R8.0.3 or prior) is affected by CVE-2018-7498 due to missing encryption of sensitive data (CWE-311), impacting confidentiality/integrity not properly protected. Update to R8.0.4 to remediate; apply network security controls and follow ICS-CERT guidance for defense-in-depth.

CVSS: 9.8 | AI score: 9.4 | EPSS: 0.00087
Exploits: 0 | References: 2 | Affected Software: 1

CNVD
added 2018/03/28 12:0 a.m. | 2 views

Philips Alice 6 Missing Encryption Sensitive Data Vulnerability

The Philips Alice 6 is a polysomnographic monitoring system PSG designed to record, display and print physiologic information for clinicians/physicians. The Philips Alice 6 suffers from a lack of encryption of sensitive data vulnerability that stems from a lack of proper data encryption that woul...

CVSS: 9.8 | AI score: 6.6 | EPSS: 0.00087
Exploits: 0 | References: 1

Imperva Blog
added 2018/03/07 3:0 p.m. | 20 views

2018 Cyberthreat Defense Report: Where IT Security Is Going

What keeps you awake at night? We asked IT security professionals the same question and found that these issues are top of mind: malware and spear phishing, securing mobile devices, employee security awareness and new technologies that detect threats capable of bypassing traditional signature-bas...

AI score: 6.8
Exploits: 0

RedHat Linux
added 2018/03/07 10:33 a.m. | 4 views

OpenJDK: insufficient strength of key agreement (JCE, 8185292)

It was discovered that the key agreement implementations in the JCE component of OpenJDK did not guarantee sufficient strength of used keys to adequately protect generated shared secret. This could make it easier to break data encryption by attacking key agreement rather than the encryption using...

CVSS: 5.9 | AI score: 7.3 | EPSS: 0.0016
Exploits: 0 | References: 4

Carbon Black Blog
added 2018/03/02 5:17 p.m. | 48 views

The Sixth Question(s) Today’s CEOs Should Ask (& Know the Answers To)

In a previous blog, we discussed Commander’s Intent for CEOs and introduced 10 questions CEOs should be asking their teams. In this blog series, I am going to take a deeper dive into each question and break them down one at a time. We will discuss why CEOs should care about each question and the...

AI score: 6.5
Exploits: 0

Trend Micro Simply Security
added 2018/01/30 8:0 p.m. | 43 views

How your enterprise applications could be putting your company at risk

The typical company, large or small, depends on a number of different enterprise applications in order to ensure that employees can complete critical, daily tasks. Apps like those for enterprise resource planning, customer relationship management, screen and file sharing have become commonplace i...

AI score: 7.1
Exploits: 0

Cvelist
added 2018/01/26 1:0 a.m. | 15 views

CVE-2017-3762

Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the...

AI score: 7.5 | EPSS: 0.00171
Exploits: 0 | References: 5

CVE
added 2018/01/26 1:0 a.m. | 52 views

CVE-2017-3762

Lenovo Fingerprint Manager Pro (Windows 7/8/8.1) versions 8.01.86 and earlier store sensitive data (Windows logon credentials, fingerprint data) with weak encryption and a hard-coded password, accessible to all local non-administrative users. This CVE-2017-3762 entry is addressed by Lenovo’s advi...

CVSS: 7.8 | AI score: 7.4 | EPSS: 0.00171
Exploits: 0 | References: 5 | Affected Software: 1

Microsoft Malware Protection
added 2018/01/23 5:0 p.m. | 32 views

Overview of rapid cyberattacks

Rapid cyberattacks like Petya and WannaCrypt have reset our expectations on the speed and scope of damage that a cyberattack can inflict. The Microsoft Enterprise Cybersecurity Group Detection and Response team worked extensively to help customers respond to and recover from these kinds of attack...

AI score: 7.6
Exploits: 0