Amtrak Breach Rolls Over Frequent Travelers

The breach exposed usernames and passwords of an undisclosed number of program members.
Source: DarkReading

European Cybersecurity Blogger Award Winners Announced


The winners of the annual European Cybersecurity Blogger Awards have been announced.



With over 1,000 names put forward, the shortlists for the 12 awards were put to a public vote, and the winners were announced via video conference. The awards were organized by Eskenzi PR and sponsored by Qualys. Yvonne Eskenzi said: “The European Cybersecurity Blogger Awards celebrate the brilliant bloggers, vloggers and podcasters that inform and educate our industry.



“In the true spirit of the event, we didn’t let COVID-19 stop us this year; and thanks to the headline sponsor, Qualys, we were able to deliver a fun, virtual event complete with a cocktail making experience. Congratulations to all the very deserving winners!”


Anne Lenoir, corporate communications and events director EMEA at Qualys, said: “The security sector relies on information sharing to keep ahead of attacks, ensure that new vulnerabilities are understood properly, and that we can all help organizations keep their IT operations protected. There’s a great community of bloggers and podcasters in the security sector that help this process, sharing their expertise and insight to help people in their roles.


“Whether it’s about sharing experiences around the personal issues and skills side, or deep technical knowledge on new problems, the security community helps everyone keep improving. We are really happy to be sponsoring this year’s Cybersecurity Bloggers Awards and support that community development.”




The winners were announced as follows:

Best New Cybersecurity Podcast: Weegiecast

Best New, Up-and-Coming Cybersecurity Blog: Security Queens

Best Corporate Blog: Sophos Naked Security

Best Corporate Twitter: Infosecurity Magazine @InfosecMag

Best Podcast: Darknet Diaries

Best Cybersecurity Video or Cybersecurity Video Blog: Troy Hunt’s Weekly Update
Special Mention: IT Security Guru Rant of the Week, featuring Quentyn Taylor

Best Personal Security Blog: ZeroSec
Special Mention: Andy Gill

Most Entertaining Blog: Thom Langford – the Lost CISO

Most Educational Blog for User Awareness: Jenny Radcliffe Human Factor
Special Mention: KnowBe4

Best Technical Blog: Security Affairs
Special Mention: ObjectiveSee

Best Personal Twitter: Kevin Beaumont @GossitheDog

Legends of Cybersecurity (Best Overall Blog): Sophos Naked Security


Source: Infosecurity

Risk Assessment & the Human Condition

Five lessons the coronavirus pandemic can teach security professionals to better assess, monitor, manage, and mitigate organizational risk.
Source: DarkReading

CVE-2020-5410

Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
Source: NIST
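The advisory above describes a directory traversal reached through a crafted URL. As an added example (not code from the NIST entry or from the Spring Cloud Config project), the following Python shows the class of check a configuration server needs before serving a client-named file: decode, normalise, resolve and confirm the result is still under the configured root. `BASE_DIR`, the function names and the sample requests are constructed for this illustration.

```python
"""Added example, not from the NIST entry or the Spring Cloud Config
project: confining a client-supplied configuration file name to a base
directory, the kind of check a path-traversal bug such as CVE-2020-5410
calls for. BASE_DIR is a hypothetical configuration root."""
from pathlib import Path
from urllib.parse import unquote

BASE_DIR = "/srv/config"  # hypothetical location of served config files


class PathTraversalError(ValueError):
    """Raised when a requested path would leave the base directory."""


def resolve_config_path(base: str, requested: str) -> Path:
    """Map `requested` (as received from a URL) to a file under `base`.

    The check decodes percent-encoding twice (catching double-encoded
    sequences such as %252e), rejects NUL bytes and absolute paths,
    treats backslashes as separators, then resolves the candidate
    path and confirms it is still inside the resolved base.
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        raise PathTraversalError("absolute paths are not allowed")
    base_resolved = Path(base).resolve()
    candidate = (base_resolved / decoded).resolve()
    try:
        candidate.relative_to(base_resolved)
    except ValueError:
        raise PathTraversalError(f"escapes base directory: {requested!r}") from None
    return candidate


def is_safe_config_path(base: str, requested: str) -> bool:
    """Boolean wrapper around resolve_config_path for logging or filtering."""
    try:
        resolve_config_path(base, requested)
    except PathTraversalError:
        return False
    return True


# Constructed sample requests (not taken from the advisory) covering
# plain, encoded, double-encoded, backslash and absolute variants.
SAMPLE_REQUESTS = [
    "application.yml",
    "app/../application.yml",
    "../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "%252e%252e%2fetc%2fpasswd",
    "..\\..\\windows\\win.ini",
    "/etc/passwd",
]


def audit_requests(base: str = BASE_DIR) -> dict:
    """Return {request: allowed?} for the constructed sample requests."""
    return {req: is_safe_config_path(base, req) for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, ok in audit_requests().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {req}")
```

The decision is made on the resolved absolute path rather than on the presence of `..` in the string, so encoded, double-encoded and backslash variants are all handled by the same comparison; `relative_to` on the resolved base is what actually enforces the boundary.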

CVE-2019-11843

The MailPoet plugin before 3.23.2 for WordPress allows remote attackers to inject arbitrary web script or HTML using extra parameters in the URL (Reflective Server-Side XSS).
Source: NIST

CVE-2018-18624

Grafana 5.3.1 has XSS via a column style on the “Dashboard > Table Panel” screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Source: NIST

CVE-2018-18625

Grafana 5.3.1 has XSS via a link on the “Dashboard > All Panels > General” screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Source: NIST

CVE-2018-18623

Grafana 5.3.1 has XSS via the “Dashboard > Text Panel” screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Source: NIST
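The four XSS entries above (MailPoet reflecting extra URL parameters; Grafana accepting a column style, a panel link and text-panel content) share one mitigation: encode or validate every user-controlled value for the exact HTML context it lands in. The Python below is an added example, not code from the NIST entries or from the MailPoet or Grafana projects; the `render_*` functions, the allow-list of URL schemes and the sample inputs are constructed for this illustration.

```python
"""Added example, not from the NIST entries or the MailPoet/Grafana
projects: contextual output encoding for values that end up in HTML
text, attributes, style values and link targets, the mitigation class
for reflected XSS via URL parameters and stored XSS via links/styles.
The render_* functions and sample inputs are constructed."""
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Only these schemes are allowed in href values; anything else
# (javascript:, data:, vbscript:, ...) is replaced by a harmless anchor.
SAFE_URL_SCHEMES = {"http", "https", "mailto"}

# A colour setting is accepted only as a plain hex literal.
HEX_COLOUR = re.compile(r"#[0-9a-fA-F]{3,6}")


def escape_html(value: str) -> str:
    """Escape &, <, >, " and ' so the value is inert in text and
    double-quoted attribute contexts."""
    return html.escape(value, quote=True)


def sanitize_href(url: str) -> str:
    """Return an escaped href, or '#' if the scheme is not allow-listed.
    Tabs and newlines are removed first because browsers ignore them
    inside a scheme, which would otherwise let a split scheme name
    through the check."""
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return "#"
    return escape_html(cleaned)


def render_link(text: str, href: str) -> str:
    """A panel link whose text and target both come from user input."""
    return f'<a href="{sanitize_href(href)}">{escape_html(text)}</a>'


def render_cell_with_style(value: str, colour: str) -> str:
    """A table cell whose colour setting is user-controlled: the setting
    is validated against a strict pattern rather than escaped, so no
    CSS or markup can ride in on the style attribute."""
    if not HEX_COLOUR.fullmatch(colour):
        colour = "inherit"
    return f'<td style="color:{colour}">{escape_html(value)}</td>'


def render_reflected_params(query_string: str) -> str:
    """Reflect every query parameter back into the page, escaped."""
    items = parse_qsl(query_string, keep_blank_values=True)
    rows = "".join(
        f"<li>{escape_html(k)}: {escape_html(v)}</li>" for k, v in items
    )
    return f"<ul>{rows}</ul>"


if __name__ == "__main__":
    # Constructed inputs showing each context being neutralised.
    print(render_reflected_params("q=<script>alert(1)</script>"))
    print(render_link('x" onmouseover="alert(1)', "https://example.com"))
    print(render_link("docs", "javascript:alert(1)"))
    print(render_cell_with_style("ok", "red;background:url(x)"))
```

Three different rules appear here because three different contexts appear in the advisories: text and attribute values are escaped, link targets are checked against a scheme allow-list before escaping, and a style value is validated against a narrow grammar, since escaping alone does nothing useful inside CSS.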

#Infosec20: Resilience Required to Survive #COVID19 Pandemic, Says UBER CIO


Resilience and adaptability are key to organizations coming through the COVID-19 crisis, according to Uber CIO, Shobhana Ahluwalia, speaking at the Infosec Europe 20 Virtual Conference. She described to the audience how the company has had to display perseverance and agility on a number of occasions during the last five years in order to be successful, and must continue this mindset in regard to the current crisis, which has caused unprecedented levels of damage to the business.


In the first phase of Uber’s recent journey, the company had to respond to its rapid growth across the world, for example in terms of technological capacity; in the second, it responded to and survived frequent criticism of the company’s culture, ensuring the business adapted and continued despite this negativity. In the third, the brand evolved to meet a changing environment, for instance in regulations around the world; the fourth is the current COVID-19 crisis. Ahluwalia acknowledged that the last of these is the toughest challenge of all, resulting in a large decline in revenue and the enforced laying off of 20-25% of its staff.


She emphasised how the soft skills of resilience and perseverance are traits that trump all others at a time such as this: “Understanding, and coming to terms with instability, unfairness, and change being a constant in life no matter your station – that flexibility is key,” Ahluwalia noted.


In response to an audience question, Ahluwalia went on to describe the status and importance of cybersecurity personnel to Uber’s success: “In tech, security is the new noble job because you have to succeed every time at locking – you have to have a 100% success rate to protect the company and IP, as the attackers have to get through just once to succeed,” she said.


She also outlined her belief that a collaborative approach to security is one that needs to be employed across the sector: “Our teams have a lot of relationships in the industry where they work with several different organizations, which help us be secure. I believe security is one of those areas where we are stronger when we are together,” she stated.


Finally, Ahluwalia strongly recommended mentorship for those working in the cybersecurity industry as they progress in their careers. In particular, she highlighted the female CIO group that she is part of.


She commented: “We meet every quarter and we have certain rituals like talking about something personal we are struggling with and something professional we are struggling with and there is so much outpouring of support from people who are doing the same thing or who might have struggled with it in the past.”


Source: Infosecurity

NYC Cybersecurity Bootcamp Offers Free Training Nationwide


New York City’s cybersecurity bootcamp partner is offering free introductory training courses to all American citizens.



Fullstack Cyber Bootcamp hopes that the initiative will encourage some of the 41 million Americans currently claiming state or federal unemployment benefits to forge a new career in cybersecurity.



As a result of lockdown measures introduced to slow the spread of COVID-19, over 30 million Americans have been left without work. 



According to (ISC)², there were 500,000 open cybersecurity jobs nationally before COVID-19, with more than 29,000 open positions in New York City (CyberSeek).



The free training program was originally scheduled to become available in late 2020 to specifically support under-served New York City residents. However, Fullstack brought the launch forward to today and expanded the program nationwide to help people across the US recover from the economic impacts of the novel coronavirus pandemic.



“Cybersecurity is one of the fastest growing sectors in New York City,” said James Patchett, president and CEO of the New York City Economic Development Corporation (NYCEDC). 



“Fullstack’s free training courses will introduce New Yorkers to a field that provides good-paying jobs. As the city faces a long economic recovery, programs like this, which offer an opportunity to learn in-demand skills and a path to a new or better job, are key.”  



Fullstack’s program gives Americans the chance to participate in nearly 40 hours of entry-level cybersecurity training courses free of charge.



Those who take advantage of the opportunity can take a self-paced Hacking 101 course online, complete a Linux Command Line for Beginners course, and take part in a live 3-hour practical hacking workshop online.



Those who wish to continue their education can enroll in the full Fullstack Cyber Bootcamp, where they can learn the skills necessary to become an employable cybersecurity professional in 17 weeks.



“Fullstack Cyber Bootcamp has already become a national leader in cybersecurity training since opening its first campus in New York City last year,” said Nimit Maru, co-founder and co-CEO of Fullstack Academy. 



“Our partnership with NYCEDC enables us to support the country’s economic recovery, introducing Americans to new careers, while also filling the significant skills gap in the cybersecurity industry.” 


Source: Infosecurity