Day: September 27, 2021

Story of the creds-leaking Exchange Autodiscover flaw – the one Microsoft wouldn’t fix even after 5 years

Microsoft Exchange clients like Outlook have been supplying unprotected user credentials if you ask in a particular way since at least 2016. Though aware of this, Microsoft’s advice continues to be that customers should communicate only with servers they trust. On August 10, 2016, Marco van Beek, managing director at UK-based IT consultancy Supporting Role, …


ManageEngine recognized in the 2021 Gartner® Magic Quadrant™ for IT Service Management Tools

ManageEngine has been recognized as a Niche Player in the 2021 Gartner® Magic Quadrant™ for IT Service Management (ITSM) Tools for the second consecutive year. The Magic Quadrant for ITSM tools is a resource …


Storybooks for children app FarFaria exposed data of 3M users

According to FarFaria, its apps are “created for children ages 2-9”, meaning that the incident exposed children to cybercriminals. Another day, another data leak incident involving a misconfigured and exposed MongoDB database – this time it is FarFaria, a San Francisco, CA-based company that offers a storybook service for children through Android and iOS apps. It all happened …


Pichai keeps silent that Chrome collects data in Incognito mode

Sundar Pichai, CEO of Google, is said to have deliberately concealed that the Incognito mode of the Chrome web browser collects data from users. Lorraine Twohill, head of marketing at Google, is said to have advised the CEO to avoid the term “private” because it could lead to misconceptions. Pichai disregarded her warning, wanting to prevent the …


New secure payment feature in upcoming versions of Google Chrome

As part of the latest beta version of Chrome 95, Google announced the inclusion of a feature for secure payment, basing its operation on connecting to the web authentication API in order to implement an additional web-based layer of security. The feature adds a new “payment” extension to such an API, allowing institutions such as …


Recap: Virtual Boston Globe Summit

Veracode CEO Sam King had the opportunity to speak at this year’s inaugural virtual Boston Globe Summit, “The Great Recovery.” Sam was invited to join the panel, How Boston is Tackling the Biggest Cyber Threats Facing Society, moderated by Gregory T. Huang, Business Editor at the Boston Globe, with guests Greg Dracon of .406 Ventures and Christopher Ahlberg of Recorded Future. The …


Microsoft Adds Emergency Threat Mitigation to its Exchange Server Software

Microsoft has baked a new threat mitigation feature into Exchange Server that will roll out this week as part of its September 2021 cumulative update to the software platform. The new Emergency Mitigation (EM) software component allows Microsoft to create and execute vulnerability mitigations for its customers’ Exchange Servers automatically. The EM service checks for mitigations hourly via …


CVE-2020-17148: Critical remote execution vulnerability in Visual Studio Code’s Remote Development extension

Cybersecurity specialists report the detection of a remote code execution (RCE) vulnerability in Visual Studio Code Remote Development, a platform that allows users to adopt a container, virtual machine or Windows Subsystem for Linux (WSL) as a full-featured development environment. The report, prepared by the cybersecurity firm Shielder, notes that version 1.50 of this software …


Ransomware Patch or Perish: Attackers Exploit ColdFusion

Cring Ransomware Unleashed After Attackers Exploit Unpatched Flaw From 2009

For combating ransomware, doing the security basics is essential, including keeping systems updated and patched. Don’t follow in the footsteps of one technology firm, which Sophos found got hit by Cring ransomware after attackers exploited ColdFusion software that hadn’t been patched in 11 years.

US Commerce Officials Seek Comment on IaaS Executive Order

Trump-Era Mandate Calls for Verifying IDs of Foreign IaaS Account Holders

The U.S. Department of Commerce is soliciting input on a Trump administration cybersecurity executive order that requires cloud providers to verify the identities of certain users – particularly cyber actors potentially operating abroad and leveraging U.S. cloud technologies.

Critical Flaw May Affect Millions of Hikvision Devices

Video Security Tech Firm Releases Firmware Update to Fix Vulnerability

A security researcher who goes by the alias Watchful_IP has discovered a command injection vulnerability that could potentially affect millions of Hikvision’s IoT devices. The video security solutions provider says it has fixed the flaw and rolled out a firmware update for its end users. …


Ninth Circuit Narrowly Defines “Public Injunctive Relief” in Privacy Case, Limiting Plaintiffs’ Ability to Circumvent Arbitration Agreements.

In putative privacy class action Hodges v. Comcast Cable Communications, LLC, involving Comcast’s privacy and data-collection practices, Comcast moved to compel arbitration based on its subscriber agreement. The district court denied the motion based on California’s McGill rule, which may invalidate arbitration agreements that purport to waive the right to seek public injunctive relief in …


BrandPost: Three Surefire Ways to Boost the Digital Banking Experience

The year 2020 disrupted just about every industry, including retail banking. Locked down at home, consumers were abruptly forced to do all their banking over the internet. The sudden transition profoundly impacted banks and created unprecedented demands on online infrastructure. Some banking sites were overwhelmed by traffic and slowed to a crawl. Some sites crashed …


Project HERMITS Robots Mimic Crabs With Mechanical Shells

Hermit crabs are famous for being small critters that, from time to time throughout their lives, abandon one shell carried on their back to pick up a new one. Project HERMITS by [Ken Nakagaki] is inspired by this very concept, and involves table-top robots that dock with a variety of modules with different mechanical mechanisms. …


NIST Requesting Comments on Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector

Date Published: September 23, 2021
Comments Due: November 7, 2021
Email Comments to: manufacturing_nccoe [at] nist.gov (Subject: Comments on Draft SP 1800-10)
Author(s): Michael Powell (NIST), Joseph Brule (NSA), Michael Pease (NIST), Keith Stouffer (NIST), CheeYee Tang (NIST), Timothy Zimmerman (NIST), Chelsea Deane (MITRE), John Hoyt (MITRE), Mary Raguso (MITRE), Aslam Sherule (MITRE), Kangmin Zheng (MITRE), Matthew Zopf (Strativia)

Announcement: Draft NIST SP 1800-10 provides a practical example solution to help manufacturers protect their Industrial …


CISA notifies of critical flaw in VMware vCenter Server that can harm critical infrastructure firms

The Cybersecurity and Infrastructure Security Agency (CISA) alerted critical infrastructure entities and other organizations of a security vulnerability on VMware vCenter Server that was recently patched. CISA has now reported that VMware has confirmed reports that the vulnerability is being exploited in the wild. To reduce their risk exposure, these firms have been advised to …


Best Practices for Gathering and Analyzing Key Messaging Data

Thursday, 26 October; 3 sessions available: 14:00 Singapore (SGT), 14:00 London (BST), 14:00 New York (EDT). Duration: 1 hour.

After collecting it, analyzing the volume of data found on devices can be overwhelming. Investigators need the ability to gather insights across a variety of data sources, especially third-party application data, chat conversations, location data, emails stored …
