The Register - That critical VMware vuln allowed anyone on your network to create new admin users, no creds needed -
A critical vulnerability in VMware's vCenter management product allowed any old bod on the same network to remotely create an admin-level user, research by Guardicore Labs has revealed.
The astonishing vuln (CVE-2020-3952), details of which were quite spare when VMWare issued a patch last week, was rated by VMware itself as CVSS v3 10.0, the highest level.Medium - Security Engineering Needs a P&I Diagram -
Thinking like an engineer means thinking in models
Probably there is not the one and only answer for each engineering domain; each domain may have multiple popular models that help engineers think.
But: They all have such like models, and they are wide-spread. There is no engineer who has not come across them at school. In fact, engineers learn that if they are to solve a problem, first thing they do is to strip the problem down to a model — and for good reason. Models help to channel thinking. They de-clutter a problem from all irrelevant aspects and show the world from the perspective out of which the problem becomes the clearest.
An engineer uses a model to distill a problem and all its relevant boundary conditions in a single sheet of paper, and then she begins to work with that model, expands, molds and kneads it, until it contains a solution.
In the end, the model showcases a solution, printable onto a sheet of paper that can be handed on to a fellow engineer to help him understand problem as well as solution, and also catalyses discussions.Naked Security - US offers up to $5m reward for information on North Korean hackers -
The US on Wednesday said that it’s got up to $5 million in Rewards for Justice money if you cough up useful details, which you can do here.
The FBI and the Departments of State, Treasury, and Homeland Security (DHS) put out an advisory about the persistent threat from cybercriminals sponsored by the Democratic People’s Republic of Korea (DPRK).
Wednesday’s advisory is a 12-page list of resources and summary of the many cyber operations that have been traced to North Korea.
The advisory was based on a report, prepared for the United Nations Security Council last year, that claimed that North Korea has launched increasingly sophisticated cyberattacks targeting the financial industry, including banks and cryptocurrency exchanges.Medium - Silicon Valley Abandons the Culture That Made It the Envy of the World -
AnnaLee Saxenian, a professor at the UC Berkeley School of Information, literally wrote the book on what differentiated the Valley from other centers of technology (particularly New England’s Route 128). The key words were decentralized and fluid. You worked for Silicon Valley, and working for Silicon Valley often meant striking out on your own, not only to make your name, but because innovation itself required small firms with new visions. That’s how disruption happened, no?
Then the post-dot-com generation of companies became the most ubiquitous and valuable corporations in the world, and Silicon Valley’s rhetoric began to change. Over time, the leaders of Facebook and Google, specifically, began to argue a new line: The most innovative, competitive companies are not small and nimble, but big and rich with user data. The real game isn’t among American internet companies; it’s global, and pits American giants against Chinese corporations, governments, and values. In competition with such power, small will lose, or so the executives warn when facing down antitrust action.Wired - The Pentagon Hasn't Fixed Basic Cybersecurity Blind Spots -
(A) new report from the Government Accountability Office is highlighting systemic shortcomings in the Pentagon's efforts to prioritize cybersecurity at every level and making seven recommendations for shoring up DoD's digital defenses.
The report isn't a checklist of what DoD should be doing to improve cybersecurity awareness in the abstract. Instead, GAO looked at three DoD-designed initiatives to see whether the Pentagon is following through on its own goals. In a majority of cases, DoD has not completed the cybersecurity training and awareness tasks it set out to. The status of various efforts is simply unknown because no one has tracked their progress. While an assessment of "cybersecurity hygiene" like this doesn't directly analyze a network's hardware and software vulnerabilities, it does underscore the need for people who use digital systems to interact with them in secure ways. Especially when those people work on national defense.ZDNet - Academics steal data from air-gapped systems using PC fan vibrations -
Academics from an Israeli university have proven the feasibility of using fans installed inside a computer to create controlled vibrations that can be used to steal data from air-gapped systems.
The technique, codenamed AiR-ViBeR, is the latest in a long list of wacky data exfiltration techniques devised by Mordechai Guri, the head of R&D at the Ben-Gurion University of the Negev in Israel.SC Magazine - The three-sphere circus of compliance -
The horror of cybersecurity compliance can be viewed as two or three rotating spheres, each orbiting around another.
The first sphere represents the rules, the constantly morphing set of geographical and vertical compliance requirements from around the globe. Sometimes these rules and regulations can contradict one another, adding an additional layer of headaches and challenges for the CISO.
The second sphere is the enterprise itself with its own compliance landscape changing weekly. Changes might come as the company launches new products, changes its business practices, or moves into and out of different geographical areas and verticals (perhaps through mergers, acquisitions, and division sales), which itself can change the compliance rules that its CISO must address.
The third sphere, which applies to a smaller percentage of companies, includes a company’s customers as they move in and out of different verticals and locales and what data they choose to store with you. For example, if a retail market chain client of a hosting company were to acquire a drug store that held customers’ personal health information and started storing that data on the host’s site, that hosting service would be required to meet a variety of different compliance requirements that it previously might not have been required to meet. If the client does not inform the hosting provider of the new data stored on its servers, the provider could be out of compliance and vulnerable to lawsuits.ZDNet - Clipboard hijacking malware found in 725 Ruby libraries -
Security researchers from ReversingLabs say they've discovered 725 Ruby libraries uploaded on the official RubyGems repository that contained malware meant to hijack users' clipboards.
...
Installing each of the malicious libraries triggered an infection chain that looked like this:
- The PE file dropped a Ruby script called aaa.rb containing the Ruby interpreter and all the required dependencies to run.
- The Ruby script then dropped a Visual Basic script called oh.vbs
- This script then set up an autorun registry key
- The autorun key then executed a second Visual Basic script every time a computer ran/rebooted
- This second script would capture data sent to the clipboard, look for text patterns that looked like cryptocurrency addresses and then replace the text with the attacker's address
No comments:
Post a Comment