Today — December 12th 2018

CUPS Weak Session Cookie Generation

CUPS generates session cookies using srandom(time(NULL)) and random() on Linux.
  • December 12th 2018 at 04:46

Logitech Options Craft WebSocket Server Missing Authentication

The Logitech "Options" craft websocket server has no authentication.
  • December 12th 2018 at 04:44

Ubuntu Security Notice USN-3844-1

Ubuntu Security Notice 3844-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, bypass same-origin restrictions, or execute arbitrary code. Multiple security issues were discovered in WebExtensions. If a user were tricked into installing a specially crafted extension, an attacker could potentially exploit these to open privileged pages, or bypass other security restrictions. Various other issues were also addressed.
  • December 12th 2018 at 04:41

Microsoft Security Bulletin CVE Revision Increment For December, 2018

This Microsoft bulletin summary lists CVEs that have undergone a major revision increment.
  • December 12th 2018 at 04:39

Microsoft Security Update Summary For December 11, 2018

This Microsoft summary lists Microsoft security updates released for December 11, 2018.
  • December 12th 2018 at 04:38

Firefox 64 released with a Windows-like task manager

Firefox 64 also comes with support for multi-tab selections and final distrust of all Symantec SSL certificates.
  • December 12th 2018 at 01:45

Microsoft Security Advisory Updates For December 11, 2018

This Microsoft advisory notification includes advisories released or updated on December 11, 2018.
  • December 12th 2018 at 01:20

It's December of 2018 and, to hell with it, just patch your stuff

Windows, Office, Acrobat, SAP... you know the deal

Microsoft, Adobe, and SAP are finishing up the year with a flurry of activity, combining to patch more than 140 CVE-listed security flaws between them.…

  • December 12th 2018 at 01:15

US border agents aren't deleting travelers' data after device searches

In addition, CBP agents also didn't carry out any software-assisted searches for more than seven months because a manager forgot to renew a license agreement.
  • December 12th 2018 at 00:11

Binary Exploitation

By /u/johnhammond010

Ubuntu Security Notice USN-3843-1

Ubuntu Security Notice 3843-1 - It was discovered that pixman incorrectly handled the general_composite_rect function. A remote attacker could use this issue to cause pixman to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • December 11th 2018 at 23:01

Ubuntu Security Notice USN-3843-2

Ubuntu Security Notice 3843-2 - USN-3843-1 fixed a vulnerability in pixman. This update provides the corresponding update for Ubuntu 12.04 ESM. It was discovered that pixman incorrectly handled the general_composite_rect function. A remote attacker could use this issue to cause pixman to crash, resulting in a denial of service, or possibly execute arbitrary code. Various other issues were also addressed.
  • December 11th 2018 at 23:01

Facebook Fined $11.3M for Privacy Violations

By Tara Seals
Italy's regulator found the social giant guilty of misleading consumers as to what it does with their data.

Hack Naked News #200 - December 11, 2018
This week, Google+ flaw leads Chocolate Factory to shut down early, 40,000 credentials for government portals found online, one tweak that can save you from NotPetya, ESET discovers 21 new Linux malware variants, and how this Phishing Scam group built a list of 50,000 execs to target! Jason Wood from Paladin Security joins us for expert commentary on how Microsoft is calling for facial recognition tech regulation!
Visit https://www.activecountermeasures/hnn to sign up for a demo or buy our AI Hunter!
  • December 11th 2018 at 21:57

A Quick Introduction to the MITRE ATT&CK Framework

By Robert Leong

If you’re an avid reader of threat trends or a fan of red team exercises, you’ve probably come across a reference to the MITRE ATT&CK framework in the last few months. If you have ever wondered what it was all about or if you’ve never heard of it but are interested in how you can improve your security posture, this blog is for you.

To start with, let’s explain what MITRE is. MITRE is a nonprofit organization founded in 1958 (and funded with federal tax dollars) that works on projects for a variety of U.S. government agencies, including the IRS, Department of Defense (DOD), Federal Aviation Administration (FAA), and National Institute of Standards and Technology (NIST). It is not a professional third-party cybersecurity testing agency, which is a common misconception. Its focus is to provide U.S. government agencies with essential deliverables—such as models, technologies and intellectual property—related to U.S. national security, including cybersecurity, healthcare, tax policy, etc. In the cybersecurity landscape, MITRE is mostly known for managing Common Vulnerabilities and Exposures (CVEs) for software vulnerabilities. Note that CVEs are pre-exploitation/defense, whereas the MITRE ATT&CK model is focused on post-exploitation only.

Your next question is probably around what MITRE ATT&CK is and what makes it a model or a framework. The name stands for: Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). It is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target. The tactics and techniques described in the model are used to classify adversary actions from both the offensive and defensive perspective, relating each action to specific ways of defending against it. What began as an idea in 2010 during an experiment has since grown into a set of evolving resources that cybersecurity experts contribute to and apply for red teaming, threat hunting, and other tasks. Security practitioners can harden their endpoint defenses and accurately assess themselves by using the model and its tools to determine how well they are doing at detecting documented adversary behavior.

If you’ve been in the security realm for a while, this may remind you somewhat of Lockheed Martin’s Cyber Kill Chain. It stated that attacks occur in stages and can be disrupted through controls established at each stage. It was also used to reveal the stages of a cyberattack. To understand the overlap of the two models, take a look at this figure:

In the figure above we see that the MITRE ATT&CK matrix model is essentially a subset of the Cyber Kill Chain, but it goes in depth when describing the techniques used between the Deliver and Maintain stages. The Cyber Kill Chain, including the MITRE ATT&CK model, might look like a linear process, but it actually isn’t. It’s rather a branching and looping chain, but we have shown it in a linear fashion to make it easier to understand.

At McAfee, we embrace the MITRE model as a fabulous and detailed way to think about adversarial activity, especially APTs post-compromise, and are applying it to different levels and purposes in our organization. Specifically, we are engineering our endpoint products using the insights gained from MITRE ATT&CK to significantly enhance our fileless threat defense capabilities. Additionally, we are using it to inform our roadmaps and are actively contributing to the model by sharing newly discovered techniques used by adversaries. We are partnering with MITRE and were recently a core sponsor of the inaugural MITRE ATT&CKcon in the Washington, D.C. area.

Over the next few weeks, I’ll continue to go deeper into how MITRE ATT&CK matrix testing works, how you can use it, how it’s different from other testing methods, and how McAfee is investing in it.

The post A Quick Introduction to the MITRE ATT&CK Framework appeared first on McAfee Blogs.

Patch Tuesday, December 2018 Edition

By BrianKrebs

Adobe and Microsoft each released updates today to tackle critical security weaknesses in their software. Microsoft’s December patch batch is relatively light, addressing more than three dozen vulnerabilities in Windows and related applications. Adobe has issued security fixes for its Acrobat and PDF Reader products, and has a patch for yet another zero-day flaw in Flash Player that is already being exploited in the wild.

At least nine of the bugs in the Microsoft patches address flaws the company deems “critical,” meaning they can be exploited by malware or ne’er-do-wells to install malicious software with little or no help from users, save for perhaps browsing to a hacked or booby-trapped site.

Microsoft patched a zero-day flaw that is already being exploited (CVE-2018-8611) and allows an attacker to elevate his privileges on a host system. The weakness, which is present on all supported versions of Windows, is tagged with the less severe “important” rating by Microsoft mainly because it requires an attacker to be logged on to the system first.

According to security firm Rapid7, other notable vulnerabilities this month are in Internet Explorer (CVE-2018-8631) and Edge (CVE-2018-8624), both of which Microsoft considers most likely to be exploited. Similarly, CVE-2018-8628 is a flaw in all supported versions of PowerPoint which is also likely to be used by attackers.

It generally can’t hurt for Windows users to wait a day or two after Microsoft releases monthly security updates before installing the fixes; occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out. Also, it’s a good idea to get in the habit of backing up your data before installing Windows updates.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

For its part, Adobe’s got new versions of Adobe Reader and Adobe Acrobat that plug dozens of security holes in the programs. Also, last week Adobe issued an emergency patch to fix a zero-day flaw in Flash Player that bad guys are now using in active attacks.

Fortunately, the most popular Web browser by a long shot — Google Chrome — auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it (Microsoft also bundles Flash with IE/Edge and updates it whenever Windows systems install monthly updates). By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it.

Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Further reading:

Ask Woody’s summary.

Ghacks writeup on December 2018 Patch Tuesday.

Qualys’s take.

Ivanti Patch Tuesday Webinar, 11 a.m. ET, Dec. 12.

Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory

'Entirely preventable' theft down to traffic-monitoring certificate left expired for 19 months

Updated: A US Congressional report outlining the breakdowns that led to the 2017 theft of 148 million personal records from Equifax has revealed a stunning catalog of failure.…

  • December 11th 2018 at 20:37

For the fourth month in a row, Microsoft patches Windows zero-day used in the wild

Microsoft also fixes 38 other security bugs, 9 of which are rated "Critical."
  • December 11th 2018 at 19:54

25% of NHS trusts have zilch, zip, zero staff who are versed in security

Not like there's been a major incident recently to kick them into gear or anything

A quarter of NHS trusts in the UK responding to a Freedom of Information request have no staff with security qualifications, despite some employing up to 16,000 people.…

  • December 11th 2018 at 19:16

Debian Security Advisory 4353-1

Debian Linux Security Advisory 4353-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language: denial of service/information disclosure when parsing malformed images, cross-site scripting in the Apache module via the request body, and insufficient input validation which can result in the execution of arbitrary shell commands in the imap_open() function and denial of service in the imap_mail() function.
  • December 11th 2018 at 19:15

Ubuntu Security Notice USN-3837-2

Ubuntu Security Notice 3837-2 - USN-3837-1 fixed vulnerabilities in poppler. A regression was reported regarding the previous update. This update fixes the problem. It was discovered that poppler incorrectly handled certain PDF files. An attacker could possibly use this issue to cause a denial of service. Various other issues were also addressed.
  • December 11th 2018 at 19:15

Data Privacy Issues Trigger Soul Searching in Tech Industry

By Lindsey O'Donnell
Consumers are growing angry when it comes to data misuse - but the real change will need to come from the tech industry's culture when it comes to privacy.

Jailbreaking RouterOS & misc GNU inetutils <= 1.9.4 vulnerabilities.

By /u/hackerfantastic

Here are steps to jailbreak Mikrotik routers using arbitrary file creation vulnerabilities through telnet

Here are heap and stack overflows in the GNU inetutils <= 1.9.4 telnet.c client in the handling of environment variables. A stack overflow is present in the TELOPT_XDISPLOC option

These issues can be found all over embedded devices and in mainstream Linux distributions like Arch Linux due to the proliferation of GNU code re-use.


Zoho ManageEngine OpManager 12.3 before Build 123237 has XSS via the domainController API.

Posted by Murat Aydemir on Dec 11

20/11/18 Vulnerability discovered
20/11/18 Vendor contacted
06/12/2018 OpManager replied that they fixed it

  • December 11th 2018 at 18:33

VMware AirWatch feature

Posted by Jacek Lipkowski on Dec 11

There is a non-bug, works-as-designed feature in products which expose some internal company resources, such as webmail, to the internet (bad practice, but this is often done) and use internal authentication. A few bad logins can lock out internal accounts (usually 3 bad logins per standard AD policy).

This is obvious and I would ask you a question: how to classify this problem? Security bug? Reliability bug? Bad design? Any other comments?...
  • December 11th 2018 at 18:32

Dynamic Loader Oriented Programming - Wiedergaenger PoC (Proof of Concept) on Ubuntu 16.04.5 LTS - 2018

Posted by Marcin Kozlowski on Dec 11

Hi all,

This is a great technique to reliably escalate unbounded array access vulnerabilities.

Full article/writeup of my experiences with screenshots is available at:

or here as PDF:

Repo URL, with samples, is at:
  • December 11th 2018 at 18:32

[CFP] Security BSides Ljubljana 0x7E3 | March 16, 2019

Posted by Andraz Sraka on Dec 11

  • December 11th 2018 at 18:30

Cryptomining: A sheep or a wolf?

By Marc Blackmer
One of, if not the, most prominent motivators for threat actors is money. Whether it’s botnet owners renting out their services for DDoS attacks, tech support scammers cold-calling people to...

12 Days of Hack-mas

By Radhika Sarang

2018 was a wild ride when it came to cybersecurity. While some hackers worked to source financial data, others garnered personal information to personalize cyberattacks. Some worked to get us to download malware in order to help them mine cryptocurrency or harness our devices to join their botnets.

And the ways in which they exact their attacks are becoming more sophisticated and harder to detect. 2019 shows no sign of slowing down when it comes to attacks. Between the apps and websites we use every day, in addition to the numerous connected devices we continue to add to our homes, there are a lot of ways in which our cybersecurity can be compromised. Let’s take a look at 12 common, connected devices that are vulnerable to attacks –most of which our friends at the “Hackable?” podcast have demonstrated– and what we can do to protect what matters. This way, as we move into the new year, security is top of mind.

Connected Baby Monitors

When you have a child, security and safety fuels the majority of your thoughts. That’s why it’s terrifying to think that a baby monitor, meant to give you peace of mind, could get hacked. Our own “Hackable?” team illustrated exactly how easy it is. They performed a “man-in-the-middle” attack to intercept data from an IoT baby monitor. But the team didn’t stop there; next they overloaded the device with commands and completely crashed the system without warning a parent, potentially putting a baby in danger. If you’re a parent looking to bring baby tech into your home, always be on the lookout for updates, avoid knockoffs or brands you’re not familiar with, and change your passwords regularly.

Smart TVs

With a click of a button or by the sound of our voice, our favorite shows will play, pause, rewind ten seconds, and more – all thanks to smart TVs and streaming devices. But is there a sinister side? Turns out, there is. Some smart TVs can be controlled by cybercriminals by exploiting easy-to-find security flaws. By infecting a computer or mobile device with malware, a cybercriminal could gain control of your smart TV if your devices are using the same Wi-Fi. To prevent an attack, consider purchasing devices from mainstream brands that keep security in mind, and update associated software and apps regularly.

Home Wi-Fi Routers

Wi-Fi is the lifeblood of the 21st century; it’s become a necessity rather than a luxury. But your router is also a cybercriminal’s window into your home. Especially if you have numerous IoT devices hooked up to the same Wi-Fi, a hacker that successfully cracks into your network can get ahold of passwords and personal information, all of which can be used to gain access to your accounts, and launch spear phishing attacks against you to steal your identity or worse. Cybercriminals do this by exploiting weaknesses in your home network. To stay secure, consider a comprehensive security solution like McAfee® Secure Home Platform.

Health Devices and Apps

Digital health is set to dominate the consumer market in the next few years. Ranging from apps to hardware, the ways in which our health is being digitized vary, and so do the types of attacks that can be orchestrated. For example, on physical devices like pacemakers, malware can be implanted directly on the device, enabling a hacker to control it remotely and inflict real harm on patients. When it comes to apps like pedometers, a hacker could source information like your physical location or regular routines. Each of these far from benign scenarios highlights the importance of cybersecurity as the health market becomes increasingly reliant on technology and connectivity.

Smart Speakers

It seems like everyone nowadays has at least one smart speaker in their home. However, these speakers are always listening in, and if hacked, could be exploited by cybercriminals through spear phishing attacks. This can be done by spoofing actual websites which trick users into thinking that they are receiving a message from an official source. But once the user clicks on the email, they’ve just given a cybercriminal access to their home network, and by extension, all devices connected to that network too, smart speakers and all. To stay secure, start with protection on your router that extends to your network, change default passwords, and check for built-in security features.

Voice Assistants

Like smart speakers, voice assistants are always listening and, if hacked, could gain a wealth of information about you. But voice assistants are also often used as a central command hub, connecting other devices to them (including other smart speakers, smart lights or smart locks). Some people opt to connect accounts like food delivery, driver services, and shopping lists that use credit cards. If hacked, someone could gain access to your financial information or even access to your home. To keep cybercriminals out, consider a comprehensive security system, know which apps you can trust, and always keep your software up to date.

Connected Cars

Today, cars are essentially computers on wheels. Between backup cameras, video screens, GPS systems, and Wi-Fi networks, they have more electronics stacked in them than ever. The technology makes the experience smoother, but if it has a digital heartbeat, it’s hackable. In fact, an attacker can take control of your car in a couple of ways; either by physically implanting a tiny device that grants access to your car through a phone, or by leveraging a black box tool and your car’s diagnostic port completely remotely. Hacks can range anywhere from cranking the radio up to cutting the transmission or disabling the brakes. To stay secure, limit connectivity between your mobile devices and a car when possible, as phones are exposed to risks every day, and any time you connect one to your car, you put the car at risk, too.

Smart Thermostats

A smart thermostat can regulate your home’s temperature and save you money by learning your preferences. But what if your friendly temperature regulator turned against you? If you don’t change your default, factory-set password and login information, a hacker could take control of your device and make it join a botnet

Connected Doorbells

When we think high-tech, the first thing that comes to mind is most likely not a doorbell. But connected doorbells are becoming more popular, especially as IoT devices are more widely adopted in our homes. So how can these devices be hacked, exactly? In one demonstration, hackers sent an official-looking email requesting that the device owner download the doorbell’s app, and the user unwittingly gave full access to the unwelcome guest. From there, the hackers could access call logs, the number of devices available, and even video files from past calls. Take heed from this hack; when setting up a new device, watch out for phishing emails and always make sure that an app is legitimate before you download it.

Smart Pet Cameras

We all love our furry friends, and it’s hard to leave them behind as we head out the door. It’s comforting to know that we can keep an eye on them, even give them the occasional treat, through pet cameras. But this pet-nology can be hacked by cybercriminals to get an inside look at your home, as proven by the “Hackable?” crew. Through a device’s app, a white-hat hacker was able to access the product’s database and download photos and videos of other device owners. Talk about creepy. To keep prying eyes out of your private photos, get a comprehensive security solution for your home network and devices, avoid checking on your pet from unsecured Wi-Fi, and do your research on smart products you purchase for your pets.

Cell Phones

Mobile phones are one of the most vulnerable devices simply because they go everywhere you go. They essentially operate as a personal remote control to your digital life. In any given day, we access financial accounts, confirm doctor’s appointments and communicate with family and friends. That’s why it is shocking to know how surprisingly easy it is for cybercriminals to access the treasure trove of personal data on your cell phone. Phones can be compromised in a variety of ways; here are a few: accessing your personal information by way of public Wi-Fi (say, while you’re at an airport), implanting a bug, leveraging a flaw in the operating system, or infecting your device with malware by way of a bad link while surfing the web or browsing email. Luckily, you can help secure your device by using comprehensive security such as McAfee Total Protection, or by leveraging a VPN (virtual private network) if you find yourself needing to use public Wi-Fi.

Virtual Reality Headsets

Once something out of science fiction, virtual reality (VR) is now a high-tech reality for many. Surprisingly, despite being built on state of the art technology, VR is quite hackable. As an example, through common and easy-to-execute tactics like phishing to prompt someone to download malware, white-hat hackers were able to infect a linked computer and execute a command and control interface that manipulated the VR experience and disorientated the user. While this attack isn’t common yet, it could certainly start to gain traction as more VR headsets make their way into homes. To stay secure, be picky and only download software from reputable sources.

This is only the tip of the iceberg when it comes to hackable, everyday items. And while there’s absolutely no doubt that IoT devices certainly make life easier, what it all comes down to is control versus convenience. As we look toward 2019, we should ask ourselves, “what do we value more?”

Stay up-to-date on the latest trends by subscribing to our podcast, “Hackable?” and follow us on Twitter or Facebook.

The post 12 Days of Hack-mas appeared first on McAfee Blogs.

Android malware steals money from PayPal accounts while users watch helpless

Android trojan waits for users to enter PayPal credentials and two-factor security code before triggering money transfers.
  • December 11th 2018 at 16:29

Faraday 3.4

Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.
  • December 11th 2018 at 16:26

Red Hat Security Advisory 2018-3817-01

Red Hat Security Advisory 2018-3817-01 - Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. See the download link given in the references section below. Security fix: Issues addressed include a cross site scripting vulnerability.
  • December 11th 2018 at 16:24

Super Micro says external security audit found no evidence of backdoor chips

Super Micro sends a letter to customers with the results of a third-party security audit.
  • December 11th 2018 at 14:55

Red Team Assessment Phases: Target Identification

By Howard Poston

The third phase of a red team assessment is target identification. In this phase, the red team moves from general information collected about the target to detailed information and potential plans for gaining access to the target environment and preparing to achieve operational objectives. Scoping the Phase In the reconnaissance phase of the assessment, the […]

The post Red Team Assessment Phases: Target Identification appeared first on InfoSec Resources.

Red Team Assessment Phases: Target Identification was first posted on December 11, 2018 at 8:21 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at

Roles and Responsibilities of Information Security Auditor

By Graeme Messina

Most people break out into cold sweats at the thought of conducting an audit, and for good reason. Auditing the information systems of an organization requires attention to detail and thoroughness on a scale that most people cannot appreciate. There are system checks, log audits, security procedure checks and much more that needs to be […]

The post Roles and Responsibilities of Information Security Auditor appeared first on InfoSec Resources.

Roles and Responsibilities of Information Security Auditor was first posted on December 11, 2018 at 8:06 am.

Know Your Boundaries To Know your Strategy

By Robert Albach
Where are the boundaries for threats to your operational systems? Has your organization initiated a risk assessment and created a threat model that would have covered some of the following...

[papers] PHP Source Code Analysis

  • December 11th 2018 at 00:00

[webapps] HotelDruid 2.3.0 - 'id_utente_mod' SQL Injection

  • December 11th 2018 at 00:00

[webapps] TP-Link wireless router Archer C1200 - Cross-Site Scripting

  • December 11th 2018 at 00:00

[webapps] Adobe ColdFusion 2018 - Arbitrary File Upload

  • December 11th 2018 at 00:00