Search results for: vulnerability
A code injection vulnerability (CVE-2020-3956) affecting VMware vCloud Director could be exploited to take over the infrastructure of cloud services, Citadelo researchers have discovered. About VMware vCloud Director and CVE-2020-3956 VMware Cloud Director (formerly known as vCloud Director) is a cloud service delivery platform used by public and private cloud providers to operate and manage cloud infrastructure. CVE-2020-3956 was discovered by Citadelo penetration testers during a security audit of a customer’s VMWare Cloud Director-based cloud … More →
The number of vulnerabilities disclosed in Q1 2020 has decreased by 19.8% compared to Q1 2019, making this likely the only true dip observed within the last 10 years, Risk Based Security reveals. Vulnerabilities of interest disclosed in Q1 2020 Vulnerabilities disclosed in Q1 2020: What happened? Many factors have been identified as potential contributors to this decline, including the COVID-19 pandemic, though its precise impact may not be known for another year. “Although the … More →
Qualys researchers have found a way to exploit an previously known (and very old) vulnerability in Qmail, a secure mail transport agent, to achieve both remote code execution (RCE) and local code execution. The Qmail RCE flaw and other vulnerabilities In 2005, security researcher Georgi Guninski unearthed three vulnerabilities in Qmail, which – due to its simplicity, mutually untrusting modules and other specific development choices made by its creator Daniel J. Bernstein – is still … More →
If you’re using vBulletin to power your online forum(s), you should implement the newest security patches offered by the developers as soon as possible. The patches fix CVE-2020-12720, a vulnerability affecting versions 5.5.6, 5.6.0 and 5.6.1 with could be exploited without previous authentication. About CVE-2020-12720 CVE-2020-12720 has been defined as an incorrect access control issue, but no additional information has been shared. Charles Fol, a security engineer at Ambionics Security, discovered and reported the “critical” … More →
The Forum of Incident Response and Security Teams (FIRST) has released an updated set of coordination principles – Guidelines for Multi-Party Vulnerability Coordination and Disclosure version 1.1. Stakeholder roles and communication paths The purpose The purpose of the Guidelines is to improve coordination and communication across different stakeholders during a vulnerability disclosure and provide best practices, policy and processes for reporting any issues across multiple vendors. It is targeted at vulnerabilities that have the potential … More →
Qualys, a pioneer and leading provider of cloud-based security and compliance solutions, announced that Qualys Container Security is immediately available and Qualys Vulnerability Management will be available within a month in Microsoft Azure Security Center. This solution leverages the embedded Qualys Cloud Agent and Qualys Container Sensors to build Vulnerability Management automation into the CI/CD pipeline as well as real-time visibility into running virtual instances. The solution automatically analyzes virtual machines and container images in … More →
Field Programmable Gate Arrays, FPGAs for short, are flexibly programmable computer chips that are considered very secure components in many applications. Starbleed vulnerability In a joint research project, scientists have now discovered that a critical vulnerability is hidden in these chips. They called the security bug Starbleed. Attackers can gain complete control over the chips and their functionalities via the vulnerability. Since the bug is integrated into the hardware, the security risk can only be … More →
NeuVector, the leader in Full Lifecyle Container Security, announced the NeuVector platform includes new features – purpose-built for enterprise DevOps and security teams – focused on automated end-to-end vulnerability management and protection, expanded registry scanning, and host protection in production environments. The platform additions include the new Vulnerability and Compliance Explorer for quickly investigating, prioritizing, reporting, and mitigating potentially damaging vulnerability and compliance issues. High performance large-registry scanning and enhanced host (node) security processes have … More →
Corporations and public sector organizations can now assess their workforce’s exposure to dangerous phishing attacks, which are escalating as social distancing requires most employees to work from home. Managers can now characterize the weaknesses in their staff’s ability to defend against phishing and online social engineering scams, thanks to “Can We Be Phished?”, a new, freely available online assessment from Click Armor, the Continuous Cybersecurity Awareness Platform. Phishing is the practice of sending malicious emails, … More →
vFeed is a truly exciting company and we had to include them in our list of the 10 hot industry newcomers to watch at RSA Conference 2020. In this podcast, Rachid Harrando, Advisory Board Member at vFeed, talks about how their correlation algorithm analyzes a large plethora of scattered advisories and third-party sources, and then standardizes the content with respect to security industry open standards. Here’s a transcript of the podcast for your convenience. Hello, … More →
Cybersecurity is one of the most daunting challenges enterprises will face in 2020. According to IBM’s 2019 Cost of a Data Breach report, the average cost of a data breach in the U.S. is $8.19 million, with companies averaging 206 days to identify breaches before even attempting to address them (a task that averages another 38 days). These stats and hundreds of others on cybercrime are quite sobering. Cyberattacks are beginning to seem like an … More →
Despite often repeated advice of using unique passwords for online accounts – or at least the most critical ones – password reuse continues to be rampant. And, according to breach discovery firm SpyCloud, employees of the Fortune 1000 are just as bad about reusing passwords as the rest of us. Compromised credentials The company has combed through their database of breach data for data tied to Fortune 1000 companies, analyzed it and found that employees … More →
