Cybersecurity Vulnerabilities news & analysis | SC Media

Vulnerabilities News and Analysis

Cylance Protect AV vulnerability patched

Carnegie Mellon Software Engineering Institute’s CERT Coordination Center issued a patch for a recently disclosed vulnerability in Cylance Protect. The vulnerability note, VU#489481, said that, prior to a July 21, 2019, update, Protect contained flaws that allow an adversary to craft malicious files that the AV product would likely mistake for benign files.…

Monzo updates apps after incorrectly storing banking customer PINs

The U.K.-based digital bank Monzo Sunday disclosed that it has fixed an error that caused certain customers’ PIN codes to be stored in a less secure area of its internal systems. In an Aug. 4 company blog post, the mobile-only banking services provider acknowledged that it mistakenly had recorded some customers’ PINs in encrypted log…

Cisco pays $8.6 million to settle False Claims Act litigation

Eleven years after a whistleblower first reported to the government that Cisco had sold defective video surveillance software to federal and state agencies, the company agreed to pay $8.6 million to settle the issue. This settlement is the first whistleblower case successfully litigated under the False Claims Act, which imposes liability on persons and companies…

Autonomous vehicle sensors tricked by “invisible” drone projections of road signs

A group of researchers developed an attack to trick “Level 0” autonomous vehicle sensors by using drones that project images too quickly for humans to see but slowly enough for the vehicle’s sensors. Level 0 autonomy systems advise human drivers but don’t directly operate the vehicle, and Ben Gurion University security researchers performed the experiment…

Visa contactless hack takes a million units of any foreign currency

Flaws in Visa contactless cards allow for bypass of anti-fraud checks, researchers warn

Researchers say they discovered a technique for exploiting Visa contactless cards that could allow attackers to bypass a pair of anti-fraud “payment checks” that normally require a purchaser’s verification. Positive Technologies researchers Leigh-Anne Galloway and Tim Yunusov successfully tested the exploit on five major banks in the U.K., according to a company blog post…

DHS warns small aircraft are vulnerable to cyberattacks from those with physical access

The Department of Homeland Security (DHS) issued a warning that small aircraft can easily be hacked by threat actors who have physical access to the vehicles. By hacking into the aircrafts’ CAN bus system, threat actors can take control of key navigation systems and easily manipulate telemetry data potentially resulting in loss of control of…

BlueKeep built into exploitation tool, sparks fear of WannaCry-style infections

Security firm Immunity has developed a working BlueKeep exploit module and added it to an automated exploitation platform, raising concerns that threat actors may be able to use the tool to recreate WannaCry-scale attacks. The product is available for what some are describing as an “expensive” monthly rate and was released because “it’s important…

Google researchers discover six iPhone vulnerabilities, one unpatched

Google Project Zero researchers discovered six iPhone security vulnerabilities, one of which remains unpatched, and four of which could lead to the execution of malicious code. All of the vulnerabilities are “interaction-less,” meaning they can be run without any interaction from a user and can be exploited via SMS, MMS, Visual Voicemail, iMessage and Mail, according…

Over 200M devices affected by critical flaws found in real-time operating system

VxWorks, a real-time operating system (RTOS) that runs on more than 2 billion devices — many in industrial, health-care and enterprise environments — has been found to contain 11 vulnerabilities, six of which are critical flaws that enable remote code execution. Around 200 million devices are running the vulnerable versions of the RTOS, according to…

Multiple advisories for various VPN providers

The Cybersecurity and Infrastructure Security Agency (CISA) is warning users of multiple vulnerabilities in Virtual Private Network (VPN) applications. The vulnerabilities are in the Palo Alto GlobalProtect portal and GlobalProtect Gateway interface products, FortiGuard FortiOS system product, and Pulse Security Pulse Connect Secure / Pulse Policy Secure products and could allow threat actors to take…
