Archive for the ‘Uncategorized’ Category

Researchers Uncover Unsophisticated – But Creative – Watering-Hole Attack

Holy Water campaign is targeting users of a specific religious and ethnic group in Asia, Kaspersky says.
Source: DarkReading

Why Third-Party Risk Management Has Never Been More Important

Given today’s coronavirus pandemic, the need for companies to collect cybersecurity data about their business partners is more critical than ever. Here’s how to start.
Source: DarkReading

Latest Security News & Commentary about COVID-19

Check out Dark Reading’s updated, exclusive news and commentary surrounding the coronavirus pandemic.
Source: DarkReading

Data from 5.2M Marriott Loyalty Program Members Hit by Breach

The data was breached through the credentials of two franchisee employees.
Source: DarkReading

Patching Poses Security Problems with Move to More Remote Work

Security teams were not ready for the wholesale move to remote work and the sudden expansion of the attack surface area, experts say.
Source: DarkReading

CVE-2020-11441

phpMyAdmin 5.0.2 allows CRLF injection, as demonstrated by %0D%0Astring%0D%0A inputs to login form fields causing CRLF sequences to be reflected on an error page.
Source: NIST

CVE-2019-14905

A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.
Source: NIST

CVE-2020-1712

A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.
Source: NIST

CVE-2019-10180

A vulnerability was found in all pki-core 10.x.x versions, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.
Source: NIST

OIG Lacks Confidence in FBI's Adherence to Woods Procedures

The Office of the Inspector General (OIG) has said it lacks confidence that the Federal Bureau of Investigation is executing its Woods Procedures in line with FBI policy when applying for court permission to surveil people in the United States.

The FBI implemented its Woods Procedures in 2001 following errors in numerous Foreign Intelligence Surveillance Act (FISA) applications submitted to the Foreign Intelligence Surveillance Court (FISC) in FBI counterterrorism investigations. The procedures, named for FBI agent Michael Woods, who helped devise them, require that every fact submitted in support of a wiretap application must be verified.

FBI policy requires case agents who will be requesting the FISA application to create and maintain a “Woods File” that contains supporting documentation for every factual assertion contained in the application, together with the results of required database searches and other verifications.

A report published by the OIG on March 30 states that a recent audit of the FBI found that in some FISA applications, Woods Files had gone missing or may never have existed.

Over the past two months, auditors visited 8 FBI field offices and reviewed a judgmentally selected sample of 29 applications relating to US persons and involving both counterintelligence and counterterrorism investigations.

The OIG report states that “we could not review original Woods Files for 4 of the 29 selected FISA applications because the FBI has not been able to locate them and, in 3 of these instances, did not know if they ever existed.”

In all 25 of the FISA applications the OIG was able to review, auditors identified errors or inadequately supported facts.

The OIG said: “For all 25 FISA applications with Woods Files that we have reviewed to date, we identified facts stated in the FISA application that were: (a) not supported by any documentation in the Woods File, (b) not clearly corroborated by the supporting documentation in the Woods File, or (c) inconsistent with the supporting documentation in the Woods File.”

The auditors’ findings led the OIG to conclude that the FBI’s FISA applications were not as accurate as they should be.

“We believe that a deficiency in the FBI’s efforts to support the factual statements in FISA applications through its Woods Procedures undermines the FBI’s ability to achieve its ‘scrupulously accurate’ standard for FISA applications,” stated the OIG.

Source: Infosecurity