Over 14 Million Verizon Customers' Data Exposed On Unprotected AWS Server
Verizon, the major telecommunications provider, has suffered a data security breach with over 14 million US customers' personal details exposed on the Internet after NICE Systems, a third-party vendor, mistakenly left the sensitive users’ details open on a server. Chris Vickery, researcher and...
DNI Wants Research into Secure Multiparty Computation
The Intelligence Advanced Research Projects Activity (IARPA) is soliciting proposals for research projects in secure multiparty computation. Specifically of interest is computing on data belonging to different -- potentially mutually distrusting -- parties, which are unwilling or unable (e.g., due t...
Challenges of Insider Threat Detection – Whiteboard Wednesday [Video]
Insider threat detection and containment of insider threats requires an expert understanding of both users and how they use and access enterprise data. In our first Whiteboard Wednesday, Drew Schuil, Vice President of Global Product Strategy at Imperva, talks about the challenges of insider threa...
CVE-2017-2295
Versions of Puppet prior to 4.10.1 will deserialize data off the wire from the agent to the server, in this case with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of...
CVE-2017-10803
Vulnerability summary: CVE-2017-10803 affects Odoo 8.0, Odoo Community Edition 9.0/10.0, and Odoo Enterprise Edition 9.0/10.0. The issue resides in the Database Anonymization module, where insecure handling of anonymization data uses Python’s pickle/unpickle, enabling arbitrary Python code execut...
Trump's Cybersecurity Executive Order Under Fire
NEW YORK–President Donald Trump’s Cybersecurity Executive Order needs an overhaul, specifically a shift from planning and proposals to the pragmatic. According to Ed Amoroso, former AT&T CSO, there are dire consequences to the U.S. critical infrastructure if the U.S. government pursues its curren...
GDPR Readiness – Calculate Your Return on Security Investment (ROSI)
What is the cost of a data breach? Assuming annual revenue of £30M, a single fine could be as much as a whopping £1.2M—the maximum 4%—when the European Union's General Data Protection Regulation (GDPR) becomes effective in May 2018. Compare that to a database control cost factor of £750K, the cost ...
Credit Card Breach at Kmart Stores. Again.
For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems. Last week I began hearing from smaller banks and credit unions who said they strongly suspected another card breach at Kmart. Some of those...
Uber platform authentication vulnerability: exploiting the flaw can reset any account's password (vulnerability warning, Black Bar Safety Net)
Italian security expert Vincenzo C. Aka found authentication vulnerabilities in the Uber platform; the password of any account can be reset using this vulnerability, and the discovery was officially announced yesterday. In fact, the initiator of the "authentication crisis", the vulnerability, is in the seven months...
Weblate: Information Disclosure on demo.weblate.org
Description The demo instance, located at https://demo.weblate.org, is leaking users' IP addresses in the Activity log. F185728 Impact An authenticated user can disclose valid IP addresses of other users through the Activity log. The feature works as it should, so no changes should be made on the GitHub...
CVE-2017-4895
CVE-2017-4895 affects Airwatch Agent for Android, enabling bypass of root detection. The vulnerability could let an enrolled device circumvent local Airwatch security controls and access data. VMware’s advisory (VMSA-2017-0001) confirms a root-detection bypass and notes that updates address the i...
Transforming the Cyber Health of Small HCOs Across the US
When we talk about healthcare breaches, there are some big-name incidents. Yet in reality there’s a huge number of smaller providers who are in the hackers’ sights and maybe don’t have the resources or expertise to adequately defend themselves. With ransomware threatening to shut down systems and...
Website Flaw Let True Health Diagnostics Users View All Medical Records
Over the past two weeks readers have pointed KrebsOnSecurity to no fewer than three different healthcare providers that failed to provide the most basic care to protect their patients' records online. Only one of the three companies -- the subject of today's story -- required users to be logged o...
Auto Lender Exposes Loan Data For Up To 1 Million Applicants
A California auto loan company left the names, addresses, credit scores and partial Social Security numbers of up to 1 million people exposed on an insecure online database. The company behind the database is Alliance Direct Lending Corporation, according to Kromtech Security Research Center, whi...
Path Traversal
list-n-stream is vulnerable to path traversal attacks. The vulnerability is possible because it fails to sanitize the URL request and prevent access to sensitive files and data on the server. Attackers can leak passwords if they request the /api/v1/fs/..%2f..%2fetc/passwd URL...
Shortening Your DCAP Short List: Five Critical Things to Consider for a Data-Centric Audit and Protection Solution
Exponential data growth. You’ve heard it many times before, but it’s still the most accurate way to describe the enormous and growing amount of data that businesses generate and collect today. It’s this growth that is driving today’s enterprises to revisit their strategies for data security and...
Netflix's HTTPS Update Can't Combat Passive Traffic Analysis Attacks
Academics argue that Netflix’s recent upgrade to HTTPS is doing little to protect its users from a passive traffic analysis attack. According to Andrew Reed and Michael Kranch, researchers with the U.S. Military Academy at West Point, it wouldn’t take much work for an attacker to capture traffic...
siciliaferie.no XSS vulnerability
Open Bug Bounty ID: OBB-221893

| Description | Value |
|---|---|
| Affected Website: | siciliaferie.no |
| Open Bug Bounty Program: | Create your bounty program now. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | XSS Cross Site Scripting / CWE-79 |
| CVSSv3 Score: | 6.1... |
Senator Demands Answers About CloudPets Breach
A U.S. senator has called Spiral Toys onto the carpet for its data security practices in light of the recent CloudPets breach. Sen. Bill Nelson (D-FL), a ranking member of the Committee on Commerce, Science and Transportation and backer of a 2016 report on security and privacy concerns related to...
LocalTapiola: HTML Injection in email from http://www.lahitapiola.fi/henkilo/sivut/tonttutesti
Basic report information Summary: HTML Injection in email from http://www.lahitapiola.fi/henkilo/sivut/tonttutesti Description: Tonttutesti's "kutsu kaverisi" (invite your friend) feature sends an email to a friend with a link to LocalTapiola's tonttutesti site. The fields "Nimesi" and "Kaverisi nimi" seem to be vulnerable...