In July 2020 the Court of Justice of the European Union passed a judgement that is still sending shockwaves through the privacy and data protection industry in the UK, EU and USA. In case you have never heard of Max Schrems and the Schrems II judgement, this is what you need to know and howRead more
Blog
An innovative American insurance company, Corvus, has reported a drop of 65% in ransomware claims after they started insisting on vulnerability scans of the client’s network before providing cyber-insurance. Lauren Winchester of Corvus states in a recent blog post: Our automated scan locates threats like unprotected RDP upon quoting for new business and we notifyRead more
A critical vulnerability in Microsoft Netlogon was patched in the August patch cycle – but was so dangerous that details were not made public until September when (hopefully) many systems would have been patched. If you have not applied the August patch bundle to your domain controllers stop reading and go do it now. ReallyRead more
Return-Oriented Programming is a security exploit technique used by attackers to execute code on their target system. By obtaining control of the call stack, the attacker can control the flow of existing trusted software running on the computer and manipulate it to their own ends. New research published this month has demonstrated how SPECTRE style vulnerabilitiesRead more
The UK National Cyber-Security Centre has published a toolkit to help organisations setup a vulnerability disclosure programme. A vulnerability disclosure programme makes it easy for someone to provide your organisation with information if they notice a vulnerability that could impact your security. Without such a programme in place, concerned clients or researchers have to resortRead more
By Mark Faithfull | Vulnerabilities | 18 September, 2020 | 0
The September 2020 patch Tuesday contain fixes for 23 Critical vulnerabilities in Microsoft products and 129 fixes in total – including a Microsoft Exchange vulnerability that can allow remote code execution simply by sending a specially crafted email to the server. A large patch bundle is a double edged sword – it’s reassuring that theRead more
The Common Weaknesses Enumeration project has released their 2020 list of the 25 most dangerous software vulnerabilities. The list describes the types of vulnerabilities that have resulted in CVE being issued over the last two years. The project describes itself as: The 2020 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE TopRead more
A new vector for pass-the-hash attacks has been discovered targeting Windows 10 personalisation themes. A security researcher has published details of a potential issue with the design of Windows 10 themes that can be exploited to harvest Windows and Microsoft Account login credentials. A Windows 10 theme is a collection of customisation settings for WindowsRead more
Details emerged this week of a failed multi-million dollar ransomware attack against Tesla which attempted to bribe an employee to hand deliver the malware. According to the legal case files, a Russian named Egor Igorevich Kriuchkov travelled to Nevada in order to contact and then recruit a Tesla employee and offered him $1million in orderRead more
Southern Water found itself in hot water last week when a security researcher discovered a server side request forgery exploit in their customer service system. The (quickly rectified) mistake on the Southern Water customer self-service portal allowed the URL to be manipulated in order to display the details of another arbitrary customer account. The targetRead more
