From Security Weekly Wiki
Jump to navigationJump to search
885 bytes added ,  17:29, 10 December 2019
no edit summary
#[ Linux Bug Opens Most VPNs to Hijacking] - ''According to researchers at University of New Mexico and Breakpointing Bad, the bug (CVE-2019-14899), “allows…an attacker to determine if…a user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.” In an advisory released this week, they noted that once a proof-of-concept exploit allowed them to determine a VPN client’s virtual IP address and make inferences about active connections, they were then able to use encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of connections. These allowed them to hijack TCP sessions and inject data into the TCP stream.''
#[ Hardware-based Password Managers Store Credentials in Plaintext]
#[ Microsoft to end updates to Windows 7's free AV software, Security Essentials]- Let's face it, if you're still on Windows 7 you need something better than the built-in A/V from Microsoft: ''"No, your Windows 7 computer is not protected by MSE ((Microsoft Security Essentials)) after January 14, 2020," the company said in a support document mainly concerned about the Extended Security Updates (ESU) being shilled to enterprises. "MSE is unique to Windows 7 and follows the same lifecycle dates for support." Security Essentials, a free antivirus (AV) program that launched in 2008, was originally limited to consumers. However, in 2010, Microsoft expanded the licensing to small businesses, defined as those with 10 or fewer PCs. Two years after that, MSE was replaced by Windows Defender with the launch of Windows 8. Since then, Defender has been baked into each follow-up version of the OS, including Windows 10. Windows 7, though, has been stuck with MSE.''
#[ New Office 365 Feature Provides Detailed Information on Email Attack Campaigns]
#[ Snatch ransomware pwns security using sneaky safe mode reboot] - We covered this technique on [ Paul's Security Weekly Episode 482] with researchers from Cyberark Labs in September 2016.
#[ Google Confirms Critical Android 8, 9 And 10 Permanent Denial Of Service Threat]


Navigation menu