Archive for the ‘Access Control’ Category

Flaws in Lenovo laptops allow escalating to admin privileges

The ImControllerService service of Lenovo laptops is affected by a privilege elevation bug that can allow attackers to execute commands with admin privileges. Lenovo laptops, including the ThinkPad and Yoga families, are affected by a privilege elevation issue that resides in the ImControllerService service, allowing attackers to execute commands with admin privileges. The vulnerabilities, tracked as CVE-2021-3922 and CVE-2021-3969, […]

Cybercrime underground flooded with offers for initial access to shipping and logistics orgs

Experts warn of the availability in the cybercrime underground of offers for initial access to networks of players in global supply chains. Researchers from threat intelligence firm Intel 471 published an analysis of current cybercrime underground trends online, warning that initial access brokers are offering credentials or other forms of access to shipping and logistics organizations. These organizations […]

Adopting Zero-Trust for API Security

Why Use Zero-Trust for API Security: Think of APIs as the new network; interconnected in complex ways and with API interactions happening both within and outside of the organization. “Public-facing APIs—for example, consumer banking—are usually a key area of focus when it comes to zero-trust,” said Dunne. “This is due to the obvious risk exposure […]

Fortinet FortiWeb OS Command Injection allows takeover servers remotely

Fortinet addresses a command injection vulnerability that can allow attackers to take complete control of servers running vulnerable FortiWeb WAF installs. An authenticated attacker could execute arbitrary commands as the root user on the underlying system via the SAML server configuration page. Experts pointed out that the flaw could be chained with an authentication bypass flaw that […]

RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries

What seems to be the largest password collection of all time has been leaked on a popular hacker forum. A forum user posted a massive 100GB TXT file that contains 8.4 billion entries of passwords, which have presumably been combined from previous data leaks and breaches. According to the post author, all passwords included in […]

THE FULL STORY OF THE 2011 RSA HACK CAN FINALLY BE TOLD

THE FULL STORY OF THE 2011 RSA HACK CAN FINALLY BE TOLD – Wired

“Those aren’t my kids!” – Eufy camera owners report video mixups

This isn’t the first time we’ve heard of a SNAFU like this, where virtual wires got crossed inside a video surveillance company’s own back end, causing customers not only to lose track of their own video cameras but also to gain access to someone else’s. In one case, three years ago, a user of a […]

OpenSSL Project released 1.1.1k version to fix two High-severity flaws

Using IAM Solutions to Beat Deepfakes and Fraud

AI and ML technologies have made great strides in helping organizations with cybersecurity, as well as with other tasks like chatbots that help with customer service. Cybercriminals have also made great strides in using AI and ML for fraud. “Today, fraud can happen without stealing someone else’s identity because fraudsters can create ‘synthetic identities’ with […]

External Remote Services

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote […]

Credential stuffing attack hit RIPE NCC: Members have to enable 2FA

RIPE NCC announced that it suffered a credential stuffing attack attempting to gain access to single sign-on (SSO) accounts. The RIPE NCC is a not-for-profit membership association, a Regional Internet Registry and the secretariat for the RIPE community supporting the Internet through technical coordination. It has over 20,000 members from over 75 countries who act as Local […]

Cisco engineer resigns then nukes 16k WebEx accounts, 456 VMs

A former Cisco employee pleaded guilty to accessing the company’s cloud infrastructure in 2018, five months after resigning, to deploy code that led to the shutdown of more than 16,000 WebEx Teams accounts and the deletion of 456 virtual machines. According to a plea agreement filed on July 30, 2020, 30-year-old Sudhish Kasaba Ramesh accessed […]

Tech firms suspend use of ‘biased’ facial recognition technology

Amazon, IBM and now Microsoft ban the sale of facial recognition technology to police departments and are urging federal laws to regulate its use. […]

Live and let live InfoSec

User vs Security: The average person’s take on security control: they have real jobs to do, and security isn’t one of them. So remember ‘usability vs bypass security control’ when designing a new control. Please feel free to share your opinion on this. Funny business meeting illustrating how hard it […]

Facial ID payment

Secure File Sharing from any device

Easy Desktop Access to Cloud Files. Ditch Email Attachments. With your files in the cloud, you can easily share them with anyone — even if they’re outside your company firewall — with a simple link via email or straight from Box. Keep Everybody on the Same Page. Easily share files and folders, and add, move or edit […]

Why You Should Be Using a Password Manager

Password managers such as LastPass offer a simple service: They will store all your annoying passwords (and help you generate new ones if needed) and then give them out to whatever service you’re logging into through the use of browser add-ons and apps. They’re much like the password tools already built into your browser itself—the […]

What to Log for Authentication and Access Control

Authentication and access control play a critical role in web application security. For logging purposes, all authentication and access control events should be logged, including but not limited to successes and failures. If we log only the successful events, someone may brute-force the passwords without any detection or notice. On the […]

Compartmentalizing and Segmenting Privileged Passwords

By Liberman Software @ Identity Week: If you’re a fan of old war movies – and especially if you’re a child of the Cold War – then you no doubt recall watching scenes where prior to launching a nuclear missile, two operators will turn their launch keys simultaneously in order to initiate the launch. The […]

Looking for a secure USB stick with hardware encryption

CESG Approved USB Stick. CESG is the UK Government’s National Technical Authority for Information Assurance. Over 1 million SafeSticks are now in use in the NHS, helping to keep patient data and other confidential data secure! Buy your SafeStick today! SafeStick is a secure USB stick with AES 256 bit hardware encryption and is FIPS […]
