Archive for March, 2019

CVE-2019-10646

Wolf CMS v0.8.3.1 is affected by cross site scripting (XSS) in the module Add Snippet (/?/admin/snippet/add). This allows an attacker to insert arbitrary JavaScript as user input, which will be executed whenever the affected snippet is loaded.
Source: NIST
CVE-2019-10646

CVE-2018-18766

An elevation of privilege vulnerability exists in the Call Dispatcher in Provisio SiteKiosk before 9.7.4905.
Source: NIST
CVE-2018-18766

CVE-2018-19201

A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the ‘username’ parameter.
Source: NIST
CVE-2018-19201

CVE-2018-15840

TP-Link TL-WR840N devices allow remote attackers to cause a denial of service (networking outage) via fragmented packets, as demonstrated by an “nmap -f” command.
Source: NIST
CVE-2018-15840

Android Security & Privacy Year in Review 2018: Keeping two billion users, and their data, safe and sound


We’re excited to release today the 2018 Android Security and Privacy Year in Review. This year’s report highlights the advancements we made in Android throughout the year, and how we’ve worked to keep the overall ecosystem secure.
Our goal is to be open and transparent in everything we do. We want to make sure we keep our users, partners, enterprise customers, and developers up to date on the latest security and privacy enhancements in as close to real-time as possible. To that end, in 2018 we prioritized regularly providing updates through our blogs and our new Transparency Reports, which give a quarterly ecosystem overview. In this year-in-review, you’ll see fewer words and more links to relevant articles from the previous year. Check out our Android Security Center to get the latest on these advancements.
In this year’s report, some of our top highlights include:

  • New features in Google Play Protect
  • Ecosystem and Potentially Harmful Application family highlights
  • Updates on our vulnerability rewards program
  • Platform security enhancements

We’re also excited to have Dave Kleidermacher, Vice President of Android Security and Privacy, give you a rundown of the highlights from this report. Watch his video below to learn more.


Source: Google
Android Security & Privacy Year in Review 2018: Keeping two billion users, and their data, safe and sound

NDSU Offers Nation's First Ph.D. in Cybersecurity Education

The new program focuses on training university-level educators in cybersecurity.
Source: DarkReading
NDSU Offers Nation’s First Ph.D. in Cybersecurity Education

Toyota Customer Information Exposed in Data Breach

The attackers hit dealer sales systems in Japan, according to the automaker.
Source: DarkReading
Toyota Customer Information Exposed in Data Breach

7 Malware Families Ready to Ruin Your IoT's Day

This latest list of Internet of Things miscreants doesn’t limit itself to botnets, like Mirai.
Source: DarkReading
7 Malware Families Ready to Ruin Your IoT’s Day

Toyota Japan Hacked, Vietnam Office Suspects Breach

After a security incident in February at its Australian subsidiary, Toyota Motor Corp. has suffered its second security breach in the last five weeks, with today’s breach announced by the company’s main offices in Japan.


“On March 29, 2019, it was announced in Japan that Toyota Motor Corporation (TMC) learned it had possibly been the victim of a cyberattack targeting Toyota Tokyo Sales Holdings Inc., a TMC sales subsidiary, and its affiliated enterprises. Additionally, three other independent dealers in Japan are possibly involved. Toyota Motor North America (TMNA) is monitoring the situation closely and is currently unaware of any compromise of TMNA systems associated with this incident or evidence that Toyota or Lexus dealers in the United States have been targeted,” Toyota Motor North America said in a statement.


The company reportedly said hackers breached its systems, gaining unauthorized access to data belonging to several sales subsidiaries, all based in Tokyo. Toyota said the servers that hackers accessed stored sales information on up to 3.1 million customers that included names and dates of birth but no credit card information, though the investigation remains ongoing.


In addition, Toyota Vietnam said that it is possible the company was also hacked, according to Tinmoi. “Toyota Vietnam Motor Company (TMV) has discovered that the Company is likely to have been attacked by the network and some customer data may have been accessed. So far we do not have any concrete evidence and details about the lost data, and are currently in the process of investigation. We will share as soon as information is available,” TMV said according to a translation of a statement shared with Tinmoi.


“In light of the Toyota security breach, it’s clear that automotive manufacturers need to be aware that as their technology continues to evolve there are more responsibilities involved to protect the consumer,” said Amir Einav, VP of marketing at Karamba Security. “As car manufacturers are set to collect more data than ever before on drivers and vehicle behavior there is more personal information at stake. Following Toyota’s second breach in the last five weeks, there is a greater sense of urgency in the automotive industry around the need to take preventive cybersecurity measures, from the cloud to the in-vehicle technology.”



Source: Infosecurity
Toyota Japan Hacked, Vietnam Office Suspects Breach

Magento Warns E-Commerce of SQL Injection Risk

After researchers discovered an SQL injection vulnerability in Magento’s code, the company issued a security release covering more than 30 vulnerabilities in its software. The SQL injection flaw alone reportedly put more than 300,000 e-commerce sites at risk of card-skimming attacks.


Online businesses have been strongly urged to apply the latest fix, with the warning that Magento versions prior to 2.3.1 are vulnerable and that the flaw is being exploited in the wild.


According to the March 26 Magento advisory, “Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.3.1. To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can.”


With a Common Vulnerability Scoring System (CVSS) severity rating of 9.8, PRODSECBUG-2192 would allow “an authenticated user with privileges to create newsletter or email templates that can execute arbitrary code through crafted newsletter or email template code.”


No proof of concept yet exists, but exploitation is relatively easy, according to Satnam Narang, senior research engineer, Tenable. “Magento site owners should upgrade to these patched versions as soon as possible. Magento e-commerce websites have been a popular target for cybercriminals for years, so the existence of an unauthenticated remote code execution bug certainly won’t go unnoticed.”


Instead of credential dumps, criminals are using stolen credit card dumps that can result in immediate financial losses for consumers and fraud losses for merchants, said Ameya Talwalkar, co-founder and CPO, Cequence. “This is a unique case of an application vulnerability being exploited for business logic abuse. We’ve detected and blocked similar attacks to this that have targeted our own retail customers. This particular attack is very similar to credential checking attacks on login applications using malicious automation or bots.”


“Normally retail applications do not allow for $0 transactions, but due to the newly discovered vulnerability in Magento, it allows these $0 transactions and opens the door for checking stolen credit and gift cards for validation.”
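The $0 card-validation pattern described in the two quotes above is observable on the merchant side in payment authorization logs, independent of which application flaw let the attacker reach checkout. The following is an added example, not Magento code and not from the Infosecurity article: it runs a sliding-window rule over a constructed sample of authorization records (timestamp, client IP, amount, card BIN, gateway result; the record format, field names and thresholds are assumptions for this example) and flags clients that push many low-value authorizations across many distinct card BINs in a short window, while leaving an ordinary shopper retrying one card alone.

```python
"""Card-testing detection over authorization logs (added example).

Not Magento code. The log format, field names and thresholds below are
assumptions chosen for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple

# Constructed sample log: "<iso8601 ts> <client_ip> <amount> <card_bin> <result>".
# 198.51.100.7 cycles ten different BINs through $0 authorizations in ten
# seconds (the validation pattern); 203.0.113.9 is a shopper retrying one card.
SAMPLE_LOG = """\
2019-03-29T10:00:01Z 198.51.100.7 0.00 411111 declined
2019-03-29T10:00:02Z 198.51.100.7 0.00 424242 approved
2019-03-29T10:00:03Z 198.51.100.7 0.00 400000 declined
2019-03-29T10:00:04Z 198.51.100.7 0.00 520000 approved
2019-03-29T10:00:05Z 198.51.100.7 0.00 555555 declined
2019-03-29T10:00:06Z 198.51.100.7 0.00 601100 approved
2019-03-29T10:00:07Z 198.51.100.7 0.00 378282 declined
2019-03-29T10:00:08Z 198.51.100.7 0.00 371449 declined
2019-03-29T10:00:09Z 198.51.100.7 0.00 222100 approved
2019-03-29T10:00:10Z 198.51.100.7 0.00 510510 declined
2019-03-29T10:05:00Z 203.0.113.9 149.99 424242 approved
2019-03-29T10:06:00Z 203.0.113.9 149.99 424242 declined
2019-03-29T10:06:30Z 203.0.113.9 149.99 424242 approved
"""

# Assumed thresholds: a client that sends at least MIN_ATTEMPTS authorizations
# of LOW_AMOUNT or less, spanning MIN_DISTINCT_BINS card BINs, inside
# WINDOW_SECONDS is treated as testing stolen cards rather than shopping.
WINDOW_SECONDS = 120
MIN_ATTEMPTS = 8
MIN_DISTINCT_BINS = 5
LOW_AMOUNT = 1.00


class AuthEvent(NamedTuple):
    ts: datetime
    client_ip: str
    amount: float
    card_bin: str
    result: str


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the assumed whitespace-separated record format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, amount, card_bin, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(when, ip, float(amount), card_bin, result))
    return events


def detect_card_testing(events: List[AuthEvent],
                        window: int = WINDOW_SECONDS,
                        min_attempts: int = MIN_ATTEMPTS,
                        min_bins: int = MIN_DISTINCT_BINS,
                        low_amount: float = LOW_AMOUNT) -> Dict[str, Dict[str, int]]:
    """Return, per offending client IP, counts for the largest matching window."""
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.client_ip].append(e)

    findings: Dict[str, Dict[str, int]] = {}
    for ip, evs in by_ip.items():
        recent: deque = deque()  # events from this client inside the window
        for e in evs:
            recent.append(e)
            while (e.ts - recent[0].ts).total_seconds() > window:
                recent.popleft()
            low = [x for x in recent if x.amount <= low_amount]
            bins = {x.card_bin for x in low}
            if len(low) < min_attempts or len(bins) < min_bins:
                continue
            # Keep the largest window seen so the report reflects the full burst.
            if len(low) >= findings.get(ip, {}).get("attempts", 0):
                findings[ip] = {
                    "attempts": len(low),
                    "distinct_bins": len(bins),
                    "zero_amount": sum(1 for x in low if x.amount == 0),
                    "declined": sum(1 for x in low if x.result == "declined"),
                }
    return findings


if __name__ == "__main__":
    for ip, stats in detect_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"card testing suspected from {ip}: {stats}")
```

Distinct BINs, not distinct card numbers, are the signal here: a tester works through a dump of many cards, while a legitimate customer retrying a declined card reuses the same one, which is why 203.0.113.9 is not reported. A mix of approved and declined results in the flagged burst is itself the point of the attack, since the approvals tell the attacker which stolen cards are still live.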


Source: Infosecurity
Magento Warns E-Commerce of SQL Injection Risk