- 1. 10 Exploits Cybersecurity Professionals are Concerned About
Not one open-source vulnerability on the list, not a bad list, but I am concerned about SSH, Exim and Kernel vulns.
- 2. New Hires Speak Out about Cybersecurity Job Expectations – Security Boulevard
This: “One of the issues we discuss in the report is job descriptions and understanding, as an organization, which skills are needed for which roles,” said Clar Rosso, CEO for (ISC)2, in an email interview. For example, many introductory positions want applicants to hold industry certifications. However, said Rosso, it’s unrealistic to ask entry-level job seekers to hold a CISSP certification—a common certification listed for these jobs—since someone looking for an entry-level position is unlikely to have the requisite five years of experience the certification requires."
- 3. WeSteal, a shameless commodity cryptocurrency stealer available for sale
"A new cryptocurrency stealer dubbed WeSteal is available on the cybercrime underground, unlike other commodity cryptocurrency stealers, its author doesn’t masquerade its purpose and promises “the leading way to make money in 2021.” WeSteal is a Python-based malware that uses regular expressions to search for strings related to wallet addresses that victims have copied to their clipboard. "
- 4. Calculating CVSS
So much room for interpretation!
- 5. Critical Patch Out for Critical Pulse Secure VPN 0-Day Under Attack
- 6. Raspberry Pi Zero Password Thief
Neat: "The idea of pulling credentials from a locked computer isn’t new. There are commercial products that can do this like the USB Armory and the LAN Turtle. They do, however, cost quite a bit more than a Pi Zero and a USB board. There are trade offs; commercial devices may cost more but definitely look less suspicious, for example."
- 7. Experian API Leaks Most Americans’ Credit Scores
"“Shame on you Experian!” Nayyar said. “The credit-score data exposed as well as risk factors can be very successfully used to socially engineer money from people’s accounts. This data is personal and highly sensitive — just the sort of data cybercriminals use to gain credibility and sound convincing in their tactics. And all this due to an insecure API?”"
- 8. Apple Fixes Zero?Days Under Active Attack
"A critical memory-corruption issue in the Safari WebKit engine where “processing maliciously crafted web content may lead to arbitrary code execution” was addressed with improved state management." - Webkit, yea, seems similar to Chrome and Firefox in terms of vulnerabilities.
- 9. How to apply a Zero Trust approach to your IoT solutions – Microsoft Security
"Strong identity to authenticate devices. Register devices, issue renewable credentials, employ passwordless authentication, and use a hardware root of trust to ensure you can trust its identity before making decisions." - I mean or you can just build backdoor credentials into your device right?
- 10. Working with Webhooks: Security
"In the code above, we extract the X-Shopify-Hmac-SHA256 HTTP header from the request, create a hash based on the Hmac-SHA256 algorithm from the request body then compare both hashes. Lastly, go ahead and create a constant called secret which would hold the value of the secret Shopify returned to you when created a new webhook connection. You would want to store that as an environmental variable to ensure it is safe." - Better to use a secrets manager, but this is better than one validating or encrypting webhooks (and the traffic via HTTPS).
- 11. Quick and dirty Python: masscan
"Just recently I discovered there is a Python module for both masscan and nmap. So far I have only spent time on the masscan module. Suppose you needed a script which will find all the web servers (port 80, 443) in an address range. It took me about 5 minutes to code up scan_web.py."
- 12. New Attacks Slaughter All Spectre Defenses
"The vulnerability in question is called Spectre because it’s built into modern processors that perform branch prediction. It’s a technique that makes modern chips as speedy as they are by performing what’s called “speculative execution,” where the processor predicts instructions it might end up executing and prepares by following the predicted path to pull the instructions out of memory. If the processor stumbles down the wrong path, the technique can leave traces that may make private data detectable to attackers. One example is when data accesses memory: if the speculative execution relies on private data, the data cache gets turned into a side channel that can be squeezed for the private data through use of a timing attack. The new line of attacks exploits the micro-op cache: an on-chip structure that speeds up computing by storing simple commands and allowing the processor to fetch them quickly and early in the speculative execution process, as the team explains in a writeup from the University of Virginia. Even though the processor quickly realizes its mistake and does a U-turn to go down the right path, attackers can get at the private data while the processor is still heading in the wrong direction."
- 13. CVE-2021-21551- Hundreds Of Millions Of Dell Computers At Risk Due to Multiple BIOS Driver Privilege Escalation Flaws – SentinelLabs
"The high severity flaws could allow any user on the computer, even without privileges, to escalate their privileges and run code in kernel mode. Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products. An attacker with access to an organization’s network may also gain access to execute code on unpatched Dell systems and use this vulnerability to gain local elevation of privilege. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement."
- 14. Then a Hacker Began Posting Patients’ Deepest Secrets Online
"At around 4 pm, Jere checked Snapchat. An email notification popped up on his screen. His hands began to shake. The subject line included his full name, his social security number, and the name of a clinic where he’d gotten mental health treatment as a teenager: Vastaamo. He didn’t recognize the sender, but he knew what the email said before he opened it."
- 15. Python Lists are not good?
A case for arrays: "Python has a built-in module named ‘array‘ which is similar to arrays in C or C++. In this container, the data is stored in a contiguous block of memory. Just like arrays in C or C++, these arrays only support one data type at a time, therefore it’s not heterogenous like Python lists. The indexing is similar to lists. The type of the array has to be specified using the typecode provided in the official documentation"
- 16. HackListX
A good list: "This is a list of Hacking Streamers derived from the original Hacklists here and here. While I continue to maintain those, there is a collaborative version here that motivated me to create this version while and learn new skills."
- 17. Python also impacted by critical IP address validation vulnerability
"The Python standard library ipaddress also suffers from the critical IP address validation vulnerability identical to the flaw that was reported in the "netmask" library earlier this year."
- 18. Github Exploits and malware policy updates
"Our existing language qualified on “active malware and exploits”, which was too broad in practice. Our intent is to narrow scope to “malware and exploits that are directly supporting unlawful activity”. " - So like, you can carry a knife, but don't like stab anyone or something. Legit software is used for unlawful activity too. Regulating content it hard.