From Security Weekly Wiki
Revision as of 20:21, 22 October 2020 by Paul Asadoorian (talk | contribs)
  1. 5 things you can do to secure your home office without hiring an expert | WeLiveSecurity
  2. Why Would You Use POST Instead of GET for a Read Operation?
  3. Cyber Security Threats in the Cannabis Industry - Latest Hacking News
  4. IoT Security Foundation unveils online platform to help IoT vendors report and manage vulnerabilities - Help Net Security
  5. Serious Vulnerability in GitHub Enterprise Earns Researcher $20,000 | SecurityWeek.Com
  6. Security Testing Company NSS Labs Ceases Operations | SecurityWeek.Com - “Due to Covid-related impacts, NSS Labs ceased operations on October 15th,” a message on the company’s website reads.
  7. Apache Struts 2 Remote Code Execution - Exploitalert - Was this post showing an example of a live target! https://seclists.org/fulldisclosure/2013/Oct/96
  8. Hackers are targeting CVE-2020-3118 flaw in Cisco devices
  9. Multiple Vulnerabilities In Discord Desktop App Could Allow RCE Attacks - If the contextIsolation is disabled, a web page’s JavaScript can affect the execution of Electron’s internal JavaScript code on the renderer, and preload scripts… This behavior is dangerous because Electron allows the JavaScript code outside web pages to use the Node.js features regardless of the nodeIntegration option, and by interfering with them from the function overridden in the web page, it could be possible to achieve RCE even if the nodeIntegration is set to false.
  10. Tiki Wiki CMS Groupware 21.1 Authentication Bypass - Keep brute-forcing until the admin password gets set to blank: https://github.com/S1lkys/CVE-2020-15906 (And I can't make heads or tails of this: http://dev.tiki.org/Login-documentation LOL)
  11. Ransomware group donates $20,000 in BTC to 2 charities
  12. Google patches Chrome zeroday under attack | WeLiveSecurity - Details about the zero-day remain sparse, although Google did disclose that the memory-corruption flaw causes heap buffer overflow in FreeType.
  13. WordPress sites receive update to security plugin after vulnerability discovered - Oops: Loginizer, a popular plugin for protecting WordPress blogs from brute force attacks, has been found to contain its own severe vulnerabilities that could be exploited by hackers. The flaw, discovered by vulnerability researcher Slavco Mihajloski, opened up opportunities for cybercriminals to completely compromise WordPress sites. The flaw can be exploited if a user attempts to log into a Loginizer-protected website with a carefully-crafted username. Vulnerable versions of Loginizer did not properly validate and sanitise the username to prevent SQL injection and Cross-Site Scripting (XSS) attacks. Researcher's post: https://wpdeeply.com/loginizer-before-1-6-4-sqli-injection/
  14. Snowden Granted Permanent Residency in Russia | SecurityWeek.Com - Hrm: Kucherena said it was "natural" that Snowden wanted to return to the United States but will only do so when the case against him is closed. Earlier this year, US President Donald Trump said he would "take a look" at pardoning Snowden but has not made further comment on the matter. A 2015 petition calling on then president Barack Obama to pardon the whistleblower and privacy advocate was rejected by the White House.
  15. FDA Approves Use of New Tool for Medical Device Vulnerability Scoring | SecurityWeek.Com - Ahh, I get it now: “[The vulnerability] was not scored as high severity because you could not execute remote code, or remotely access information, just remotely alter limited specific functionality,” Luz explained. “The problem is — when you look at the medical aspect of this — those remote functions altered might just be the most severe thing to compromise on this device, so this must be expressed for anyone doing a risk assessment for it.”
  16. Cyberattacks against machine learning systems are more common than you think - Microsoft Security - Interesting: https://github.com/mitre/advmlthreatmatrix/blob/master/pages/adversarial-ml-threat-matrix.md#adversarial-ml-threat-matrix
  17. 8 New and Hot Cybersecurity Certifications for 2020 - I think there is a place for this, and also not a place for this: "For example, if I need a new security engineer to work on vulnerabilities or cloud security, I look for certifications or years of experience operating solutions in those disciplines. I find the empirical knowledge of how to use tools better than a paper certification."