Security Pros Value Disclosure … Sometimes

Security professionals will coordinate disclosure with researchers but may keep their self-discovered vulnerabilities secret, a new study shows.
Source: DarkReading

MITRE Names 2019's Most Dangerous Software Errors

Eight years ago, a list of the world’s most dangerous software errors was published by problem-solving nonprofit the MITRE Corporation. Yesterday saw the long-awaited release of an updated version of this rag-tag grouping of cyber-crime’s most wanted.



The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors list (CWE Top 25) is a roundup of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software.



What makes these bad boys so lethal is that they are often easy to find and exploit. And once attackers have gotten their grappling hooks into the errors, they are frequently able to completely take over execution of software, steal data, or prevent the software from working.



Each error was given a threat score to communicate its level of prevalence and the danger it presents. Topping the table of treachery with a threat score of 75.56 and leading by a huge margin is “improper restriction of operations within the bounds of a memory buffer.”



The second-most lethal error was determined to be “improper neutralization of input during web page generation,” also known as cross-site scripting, which had a threat score of 45.69. 



In 2011, a subjective approach based on interviews and surveys of industry experts was used to create the list. In 2019, the list’s compilers took a data-driven approach, leveraging National Vulnerability Database (NVD) data from the years 2017 and 2018, which consisted of approximately 25,000 CVEs. 



MITRE’s goal is to release an updated list each year based on data from that specific year. Asked why the gap between the first two lists was so long, a MITRE spokesperson answered: “Based on the previous methodology employed for the 2011 CWE Top 25 List, it was clear that there was no basis upon which to credibly change the list. 



“As new methodologies were explored, and upon selection of the current data-driven approach, it became valuable to produce a new list because it would validate whether or not the new data-driven methodology would result in a different list. And, since it did result in a different list, community stakeholders now have a new list to consume that is evidence-based and different from the 2011 list.”



The lists are indeed different, but both include some of the same offenders. Explaining why, the spokesperson said: “Significant work remains in the community to educate developers, improve analysis tools, and for consumers of software products to understand that weaknesses exist, and that they have the ultimate leverage with respect to evaluating products and selecting those products that deliberately work weaknesses out. 



“Effective security can exist only if a broad number of stakeholders demand that it does. The 2019 CWE Top 25 List is a tool that different stakeholders can use to understand what the most prevalent weaknesses are and how to orient themselves toward defending against them.”


Source: Infosecurity

Deconstructing an iPhone Spearphishing Attack

How criminals today bypass smartphone anti-theft protection and harvest AppleID and passwords taken from fake Apple servers.
Source: DarkReading

CVE-2019-15032

Pydio 6.0.8 mishandles error reporting when a directory allows unauthenticated uploads, and the remote-upload option is used with the http://localhost:22 URL. The attacker can obtain sensitive information such as the name of the user who created that directory and other internal server information.
Source: NIST

CVE-2019-15033

Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring.
Source: NIST

Vacationers Hit by Skimming Attack

People using mobile apps to book hotel rooms for their vacations have been targeted by a skimming attack. 



Research by cybersecurity company Trend Micro discovered that a series of incidents took place earlier this month in which the booking websites of two well-known hotel chains were hit by credit card–skimming malware known as Magecart. 



Both websites affected were developed by Spanish company Roomleader. One of the impacted brands has 73 hotels in 14 countries and is comparable in size and geographical distribution to Exe Hotels. The other undisclosed chain has 107 hotels in 14 countries and is comparable in size and geographical distribution to Eurostars Hotels. Exe and Eurostars both have websites powered by Roomleader.  



Attackers were able to pilfer data by replacing the original credit card form on the booking page of each website with a fake one, then stealing the data entered into the imposter form by the user. In this case, the thieves made off with users’ names, email addresses, telephone numbers, credit card details, and hotel room preferences.



The researchers theorized that the reason why the attackers went to the trouble of creating a fake form may have been that the original form didn’t ask users to fill in their credit card’s card verification number, known as a CSC, CVV, or CV2.



To make the switch appear more legitimate, the digital bandits even prepared credit card forms in the eight different languages supported by the targeted hotel websites. 



Trend Micro’s findings follow the discovery of another Magecart-using group by the company back in May of this year. That group, known as Mirrorthief, compromised an e-commerce service provider used by American and Canadian universities.



Roger Grimes, data-driven defense evangelist at KnowBe4, commented: “There are companies and services, which any website or service can buy, that will not only monitor what is going on within any particular website, but proactively look for signs of maliciousness and notify website owners when something is amiss. Website and service owners don’t have to be surprised by things like this. They can proactively fight it. They just have to care enough to put the right controls in place.”


Source: Infosecurity

CVE-2019-16511

An issue was discovered in DTF in FireGiant WiX Toolset before 3.11.2. Microsoft.Deployment.Compression.Cab.dll and Microsoft.Deployment.Compression.Zip.dll allow directory traversal during CAB or ZIP archive extraction, because the full name of an archive file (even with a ../ sequence) is concatenated with the destination path.
Source: NIST
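As an added illustration (not code from the advisory or from the WiX Toolset), the Python below reproduces the pattern the entry describes, an archive member's full name joined to the destination directory without checking where the result resolves, and the containment check that closes it. The archive is a constructed sample built in memory; the `demo` helper and all paths are assumptions for the example.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and one whose name climbs out of dest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../escaped.txt", "must never land outside dest")
    return buf.getvalue()

def safe_target(dest: Path, entry_name: str) -> Optional[Path]:
    """Resolve dest + entry name and require the result to stay strictly inside dest.

    The advisory's bug is the unchecked join (dest / entry_name): with an entry named
    '../escaped.txt' that lands in dest's parent. Resolving first collapses the '..'."""
    dest = dest.resolve()
    candidate = (dest / entry_name).resolve()
    if candidate == dest or dest not in candidate.parents:
        return None  # '..' escapes and absolute names end up here
    return candidate

def extract_checked(archive: bytes, dest: Path) -> dict:
    """Extract only entries that stay within dest; report what was skipped."""
    dest = dest.resolve()
    written, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = safe_target(dest, info.filename)
            if target is None:
                skipped.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target.relative_to(dest).as_posix())
    return {"written": written, "skipped": skipped}

def demo() -> dict:
    """Extract the sample into a fresh temp dir and record whether anything escaped."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "out"
        dest.mkdir()
        result = extract_checked(build_sample_archive(), dest)
        result["escaped_file_exists"] = (Path(tmp) / "escaped.txt").exists()
    return result
```

The same containment check applies to CAB members or any other archive format: the test is on the resolved output path, not on whether the member name happens to contain `../`.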

CVE-2019-16412 (n301_firmware)

In goform/setSysTools on Tenda N301 wireless routers, attackers can trigger a device crash via a zero wanMTU value. (Prohibition of this zero value is only enforced within the GUI.)
Source: NIST

CVE-2019-16510 (libiec61850)

libIEC61850 through 1.3.3 has a use-after-free in MmsServer_waitReady in mms/iso_mms/server/mms_server.c, as demonstrated by server_example_goose.
Source: NIST

Ping Identity Prices IPO at $15 per Share

The identity management company plans to sell 12.5 million shares, raising $187.5 million in its initial public offering.
Source: DarkReading