BuzzSec

A pair of unpatched security vulnerabilities can allow unauthenticated cyberattackers to turn off window, door and motion-sensor monitoring. from Threatpost https://threatpost.com/fortress-home-security-remote-disarmament/169069/

Cream is latest DeFi platform to get fleeced in rash of attacks. from Threatpost https://threatpost.com/cream-finance-defi-29m/169077/

Services that let consumers resell their bandwidth for money are ripe for abuse, researchers warn. from Threatpost https://threatpost.com/abuse-of-proxyware-services/169068/

One of the most common mantras in security awareness training is “Examine the URL to determine if it points to the legitimate vendor or not!” from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/when-the-url-domain-is-not-enough-to-avoid-a-phish

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/live-demo-ridiculously-easy-security-awareness-training-and-phishing

On August 10, 2021, the U.S. Senate passed the Infrastructure Investment and Jobs Act of 2021 ( H.R.3684 ). The bill comes in at 2,700+ pages, provides for $1.2T in spending, and includes several cybersecurity items. We expect this legislation to become law around late September and do not expect significant changes to the content. This post provides highlights on cybersecurity from the legislation. (Check out our joint letter calling for cybersecurity in infrastructure legislation here .) Cybersecurity is a priority — that’s progress Cybersecurity is essential to ensure modern infrastructure is safe, and Rapid7 commends Congress and the Administration for including cybersecurity in the Infrastructure Investment and Jobs Act. Rapid7 led industry calls to include cybersecurity in the bill, and we are encouraged that several priorities identified by industry are reflected in the text, such as cybersecurity-specific funding for state and local governments and the electrical grid. On

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/current-activity/2021/08/31/fbi-cisa-advisory-ransomware-awareness-holidays-and-weekends

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/alerts/aa21-243a

The popular Dynamic Pricing and Discounts plugin from Envato can be exploited by unauthenticated attackers. from Threatpost https://threatpost.com/woocommerce-plugin-malicious/169063/

Editor’s Note : The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF. Executive Summary This report examines trends in malware use, distribution, and development, and high-risk vulnerabilities disclosed by major hardware and software vendors between January 1 and June 30, 2021. Data was assembled from the Recorded Future® Platform, open-source intelligence (OSINT), and public reporting on NVD data. This report will assist threat hunters and security operations center (SOC) teams in strengthening their security posture by prioritizing hunting techniques and detection methods based on this research and data along with vulnerability teams looking for ways to prioritize patching and identify trends in vulnerability targeting. Trends within vulnerability exploitation and malware attacks often intersect, as threat groups will target these flaws to deliver, distribute, and execute their malicious code onto vulnerable s

The NAS maker issued two security advisories about the RCE and DoS flaws, adding to a flurry of advisories from the vast array of companies whose products use OpenSSL. from Threatpost https://threatpost.com/qnap-openssl-bugs/169054/

Jason Kent, hacker-in-residence at Cequence, talks about how cybercriminals target apps and how to thwart them. from Threatpost https://threatpost.com/top-3-api-vulnerabilities-cyberattackers/169048/

from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cyberheistnews-vol-11-34-heads-up-a-tricky-new-covid-19-phishing-caper

Rapid7 researcher Arvind Vishwakarma discovered multiple vulnerabilities in the Fortress S03 WiFi Home Security System. These vulnerabilities could result in unauthorized access to control or modify system behavior, and access to unencrypted information in storage or in transit. CVE-2021-39276 describes an instance of CWE-287 ; specifically, it describes an insecure cloud API deployment which allows unauthenticated users to trivially learn a secret that can then be used to alter the system's functionality remotely. It has an initial CVSS score of 5.3 (medium). CVE-2021-39277 describes an instance of CWE-294 , a vulnerability where anyone within Radio Frequency (RF) signal range could capture and replay RF signals to alter systems behavior, and has an initial CVSS score of 5.7 . Product Description The Fortress S03 WiFi Home Security System is a do it yourself (DIY) consumer grade home security system which leverages WiFi and RF communication to monitor doors, windows, and motio

Late last year, the NSA declassified and released a redacted version of Lambros D. Callimahos’s Military Cryptanalytics, Part III . We just got most of the index . It’s hard to believe that there are any real secrets left in this 44-year-old volume. from Schneier on Security https://www.schneier.com/blog/archives/2021/08/more-military-cryptanalytics-part-iii.html

Researchers from Sophos discovered the emerging threat in July, which exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to attack systems. from Threatpost https://threatpost.com/lockfile-ransomware-avoid-detection/169042/

HPE joins Apple in warning customers of a high-severity Sudo vulnerability. from Threatpost https://threatpost.com/hpe-sudo-bug-aruba-platform/169038/

Army looking for AI to layer over daycare CCTV to boost ‘family quality of life.’ from Threatpost https://threatpost.com/army-facial-recognition-child-care/169036/

In part one of a two-part series, Akamai's director of security technology and strategy, Tony Lauro, lays out what orgs need to know to defend against account takeover attacks. from Threatpost https://threatpost.com/underground-economy-account-takeovers/169032/

The bug (CVE-2021-33766) is an information-disclosure issue that could reveal victims' personal information, sensitive company data and more. from Threatpost https://threatpost.com/microsoft-exchange-proxytoken-email/169030/

Scholars and researchers from the think tank New America recently released an education policy initiative titled, Teaching Cyber Citizenship — Bridging Education and National Security to Build Resilience to New Online Threats. The report outlines challenges facing educators when it comes to preparing students for the online world, describes the broad spectrum of reasons why it’s important that they are properly prepared, and provides resources and potential solutions for communities and school systems to adopt. Joining us this week are two of the report’s coauthors, Lisa Guernsey, director of New America’s Teaching, Learning and Tech Program, and Peter W. Singer, strategist and senior fellow.   This podcast was produced in partnership with the CyberWire . The post Cyber Citizenship Education is Essential appeared first on Recorded Future . from Recorded Future https://www.recordedfuture.com/podcast-episode-223/

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/bulletins/sb21-242

The airline announced the breach on Thursday, and the ransomware gang started a countdown clock the next day. from Threatpost https://threatpost.com/lockbit-bangkok-airways-breach/169019/

     In The Wild - CyberSecurity Newsletter Welcome to the 238 th    issue of In The Wild, SBS' weekly CyberSecurity newsletter. The objective of this newsletter is to share threat intelligence, news articles that are relevant, new and updated guidance, and other information to help you make better cybersecurity decisions. Below, you will find some of the latest-and-greatest news stories, articles, videos, and links from the past week in cybersecurity. Some of the following stories have been shared by consultants, others by the SBS Institute, and others yet simply been found in the far corners of the internet. We hope you find the following stories relevant, interesting, and – most of all – useful. Enjoy. Follow SBS CyberSecurity on Social Media for more articles, stories, news, and resources!            #askSBS: Cyber Insurance SBS Educational Resources Question: What should I know about cyber insurance? Is it worth it? Read Here »     Clear and present danger: Why business leade