High risk vulnerability discovered in Sauter CASE Suite building automation software

Applied Risk researcher, Gjoko Krstic, has identified a security vulnerability in the Sauter CASE Suite, a software package used to handle building automation projects with energy-efficient strategies and methods. The Sauter CASE Suite is a building management software that is used for project engineering and control functions of building management systems within both office and industrial environments. The application suffers from an XML External Entity (XXE) vulnerability, which can be used to cause a Denial … More

Businesses unprepared for Windows 10 migration, fear vulnerability to cyber threats

A new WinMagic study has found that organisations are largely unprepared for when support of older versions of Microsoft’s Windows OS will be withdrawn in January 2020. When questioned about their lack of readiness for the obligatory migration to Windows 10, respondents cited IT security and fears of being exposed to a cyber security vulnerability as two areas of concern. The study was carried out at IP Expo in London in October 2018. One hundred … More

Week in review: First-ever UEFI rootkit, Apple DEP vulnerability, new tactics subvert traditional security measures

Here’s an overview of some of last week’s most interesting news and articles: What do you mean by storage encryption? Depending on the threat context and how you define “storage encryption,” it can be a highly effective control or a complete waste of resources. Phorpiex bots target remote access servers to deliver ransomware Threat actors are brute-forcing their way into enterprise endpoints running server-side remote access applications and attempting to spread the GandCrab ransomware onto … More

Apple DEP vulnerability lets attackers access orgs’ resources, info

An authentication weakness in Apple’s ​Device Enrollment Program​ (DEP) may allow attackers to enroll any device into an organization’s Mobile Device Management server and, consequently, to obtain privileged access to the private resources of an organization or even full VPN access to internal systems. In addition to this, the provided DEP profile may contain information about the organization (email addresses, phone numbers) that could be used to mount successful social engineering attacks against company employees. … More

Crowdfense launches Vulnerability Research Hub for top security researchers

Crowdfense officially launched the Vulnerability Research Hub out of beta. After being internally developed and fine-tuned for several months, Crowdfense opened their process-oriented platform to a wider audience of researchers and brokers interested in trading 0day cyber capabilities, which can be both within the scope of Crowdfense public Bug Bounty Program or freely proposed (for a specific set of key targets). “This is our next step in standardizing and supporting the development of what has … More

Incorporating sensitive asset data into your vulnerability and compliance program

In this podcast recorded at Black Hat USA 2018, Tim White, Director of Product Management, Policy Compliance at Qualys, talks about the importance of incorporating inaccessible or sensitive asset data into your overall vulnerability and compliance program. Here’s a transcript of the podcast for your convenience. Hello, my name is Tim White. I’m director of product management for compliance at Qualys, and today I’m going to talk to you a little bit about the importance … More

Critical vulnerability in Oracle Database, patch without delay!

Oracle is urging users to patch their Oracle Database installations to plug a critical security issue that can result in complete compromise of the Oracle Database and shell access to the underlying server. About the vulnerability (CVE-2018-3110) The vulnerability (CVE-2018-3110) affects Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows and is apparently easy to exploit, but can only be exploited remotely by an authenticated attacker. The vulnerability is in the Java Virtual Machine component of … More

Kryptowire introduces the mobile phone firmware vulnerability feed

Kryptowire discovered vulnerabilities in mobile device firmware and pre-installed mobile apps that pose a risk for the mobile phone supply chain because they can expose consumer and enterprise data on purchase. This means that the vulnerabilities are present, and the user is exposed to attacks even before she performs any activity such as using wireless communications or installing third-party apps. Firmware exploits bypass all existing defenses including commercial Mobile Threat Detection (MTD), or mobile anti-virus, … More

WhiteSource unveils free open source Vulnerability Checker

WhiteSource announced the release of its Vulnerability Checker, a free tool that provides companies with immediate, real-time alerts on the 50 most critical open source vulnerabilities published in the open source community. The new standalone CLI tool is free to use and available for anyone to download as a desktop application directly from the WhiteSource website. Once downloaded, the Vulnerability Checker offers users the opportunity to import and scan any library and run a quick … More

Bluetooth vulnerability allows snooping of traffic between paired devices

Researchers Eli Biham and Lior Neumann have discovered a vulnerability in two Bluetooth features that could be exploited by attackers to gain a man-in-the-middle position and to monitor and fiddle with the traffic between two devices connected via that wireless technology. “Both Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software and BR/EDR implementations of Secure Simple Pairing in device firmware may be affected,” the Carnegie-Mellon CERT notes. The vulnerability (CVE-2018-5383) … More