Security News

Vuln: Oracle Integrated Lights Out Manager CVE-2015-5600 Remote Security Vulnerability

Security Focus Vulnerabilities - 31 July, 2016 - 23:00
Oracle Integrated Lights Out Manager CVE-2015-5600 Remote Security Vulnerability

Re: Dailydave Digest, Vol 56, Issue 10

Daily Dave - 31 July, 2016 - 13:05

Posted by Dave Aitel on Jul 31

In my head I equate using computer and network operations (CNO) inside an
organization to enable information operations (IO) to getting exploitation
primitives and enabling a "Weird Machine
<http://www.slideshare.net/scovetta/fundamentals-of-exploitationrevisited>".
IO has a long history, but it's a completely different thing once CNE gets
involved. You get a feedback loop. It's like having a debugger, versus
blindly...

Re: "Clickbait policy-making"

Daily Dave - 31 July, 2016 - 12:57

Posted by Konrads Smelkovs on Jul 31

[..]

That's because cyber is much more about infowar than death and
destruction as with NBC. And Daily Mail is an amplifier and outlet of
propaganda regardless of whoever served it, so studying in and citing
as an example of infowar penultimate stage (the ultimate being
change in someone's mindset) is legitimate.

Re: hacking ideology

Daily Dave - 31 July, 2016 - 12:47

Posted by J.M. Porup on Jul 31

Isn't "hacking ideology" precisely the sort of speech the First
Amendment was designed to protect?

jmp

Multiple vulnerabilities in All In One WP Security & Firewall plugin login CAPTCHA

Full Disclosure - 31 July, 2016 - 07:40

Posted by Summer of Pwnage on Jul 31

------------------------------------------------------------------------
Multiple vulnerabilities in All In One WP Security & Firewall plugin
login CAPTCHA
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The login CAPTCHA provided by the...

Stored Cross-Site Scripting vulnerability in Easy Testimonials WordPress Plugin

Full Disclosure - 31 July, 2016 - 07:39

Posted by Summer of Pwnage on Jul 31

------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in Easy Testimonials WordPress
Plugin
------------------------------------------------------------------------
Bente Schopman, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Multiple stored Cross-Site Scripting...

Insert PHP WordPress Plugin allows authenticated user to execute arbitrary PHP

Full Disclosure - 31 July, 2016 - 07:38

Posted by Summer of Pwnage on Jul 31

------------------------------------------------------------------------
Insert PHP WordPress Plugin allows authenticated user to execute
arbitrary PHP
------------------------------------------------------------------------
Marcel Vermeulen <vermeulen.mc.at.gmail.com> & Ed van der Vlies
<ecvdvlies.at.gmail.com>, July 2016

------------------------------------------------------------------------
Abstract...

Re: "Clickbait policy-making"

Daily Dave - 29 July, 2016 - 14:43

Posted by Mara Tam on Jul 29

Dave’s not wrong about this. Cyber policy suffers horribly from the fact that it is disproportionately informed by
popular press (i.e. clickbait).

The American Academy of Arts and Sciences recently published a collection titled ‘Governance of Dual-Use Technologies:
Theory and Practice’.[1] This collection covers nuclear technologies, biological technologies, and IT / ‘cyber
weapons'. If you read all three sections, it becomes...

[SECURITY] [DSA 3635-1] libdbd-mysql-perl security update

Bug Traq - 29 July, 2016 - 13:55

Posted by Salvatore Bonaccorso on Jul 29

-------------------------------------------------------------------------
Debian Security Advisory DSA-3635-1                    security () debian org
https://www.debian.org/security/                        Salvatore Bonaccorso
July 29, 2016                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libdbd-mysql-perl
CVE ID : CVE-2014-9906...

CVE-2016-5672: Intel Crosswalk SSL Prompt Issue

Bug Traq - 29 July, 2016 - 13:44

Posted by research on Jul 29

[Original at: https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue/]

Summary

The Intel Crosswalk Project library for cross-platform mobile
development did not properly handle SSL errors. This behaviour could
subject applications developed using this library to SSL MITM attacks.

Vulnerability Details

The Crosswalk Project, created by Intel’s Open Source Technology
Center, allows mobile developers to...
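The excerpt above says only that Crosswalk "did not properly handle SSL errors" and that the result is exposure to MITM. The program below is an added example, not Crosswalk's, Intel's or Nightwatch's code, and it uses Go's standard library rather than any Crosswalk API: it shows the failure mode in its generic form. A client that swallows certificate verification errors happily talks to a server whose certificate nobody trusts, a client with default verification refuses it, and a client that pins the single certificate it expects accepts that one and nothing else. The loopback server, its self-signed certificate and the "secret" response body are all constructed by the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Result summarises one connection attempt under a given TLS policy.
type Result struct {
	Body    string // response body, if the handshake and request succeeded
	CertErr bool   // the attempt failed because the certificate did not verify
	Err     error
}

// fetch performs one GET against url with cfg as the client's TLS policy.
func fetch(url string, cfg *tls.Config) Result {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		isCert := errors.As(err, &unknownCA) || strings.Contains(err.Error(), "certificate")
		return Result{CertErr: isCert, Err: err}
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return Result{Body: string(body), Err: err}
}

// Outcome holds the three policies side by side.
type Outcome struct {
	Insecure Result // verification errors swallowed: the bug class in the advisory
	Strict   Result // default roots: an unknown or forged certificate is refused
	Pinned   Result // exactly one expected certificate is trusted
}

// Demo stands up a loopback HTTPS server whose certificate is self-signed by
// the test helper. No trust store on this machine knows it, which is what a
// client sees when an attacker on the path presents a forged certificate.
func Demo() Outcome {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "secret")
	}))
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // hide the expected handshake failure
	srv.StartTLS()
	defer srv.Close()

	// 1. Ignore the SSL error: every certificate is accepted, including an
	//    attacker's, so the "secret" crosses an attacker-controlled channel.
	insecure := fetch(srv.URL, &tls.Config{InsecureSkipVerify: true})

	// 2. Default verification: the chain ends at no trusted root, the handshake
	//    fails, and the application receives an error it must not suppress.
	strict := fetch(srv.URL, nil)

	// 3. Right answer for a legitimately self-signed endpoint: trust that one
	//    certificate (pinning) instead of turning verification off.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinned := fetch(srv.URL, &tls.Config{RootCAs: pool})

	return Outcome{Insecure: insecure, Strict: strict, Pinned: pinned}
}

func main() {
	o := Demo()
	fmt.Printf("verification off:   body=%q err=%v\n", o.Insecure.Body, o.Insecure.Err)
	fmt.Printf("default roots:      body=%q certErr=%v\n", o.Strict.Body, o.Strict.CertErr)
	fmt.Printf("pinned certificate: body=%q err=%v\n", o.Pinned.Body, o.Pinned.Err)
}
```

The point for a WebView-style library is the second case: a certificate error surfaced by the TLS stack is the only signal the application gets that the peer may be an attacker, so the handler must fail closed (cancel the load) rather than proceed, and if an app really needs to talk to a self-signed endpoint, the third pattern, trusting that specific certificate, is the fix, not a blanket accept.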

[SYSS-2016-038] CHERRY B.UNLIMITED AES - Keystroke Injection Vulnerability

Bug Traq - 29 July, 2016 - 13:34

Posted by matthias . deeg on Jul 29

Advisory ID: SYSS-2016-038
Product: CHERRY B.UNLIMITED AES
Manufacturer: Cherry GmbH
Affected Version(s): JD-0400EU-2/01
Tested Version(s): JD-0400EU-2/01
Vulnerability Type: Cryptographic Issues (CWE-310)
Keystroke Injection Vulnerability
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2016-05-04
Solution Date: -
Public Disclosure: 2016-07-29
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg...

[SYSS-2016-032] CHERRY B.UNLIMITED AES - Insufficient Protection of Code (Firmware) and Data (Cryptographic Key)

Bug Traq - 29 July, 2016 - 13:25

Posted by matthias . deeg on Jul 29

Advisory ID: SYSS-2016-032
Product: CHERRY B.UNLIMITED AES
Manufacturer: Cherry GmbH
Affected Version(s): JD-0400EU-2/01
Tested Version(s): JD-0400EU-2/01
Vulnerability Type: Insufficient Protection of Code (Firmware) and
Data (Cryptographic Key)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-04-22
Solution Date: -
Public Disclosure: 2016-07-29
CVE Reference: Not yet assigned
Authors of Advisory:...

[SYSS-2016-031] CHERRY B.UNLIMITED AES - Missing Protection against Replay Attacks

Bug Traq - 29 July, 2016 - 13:14

Posted by matthias . deeg on Jul 29

Advisory ID: SYSS-2016-031
Product: CHERRY B.UNLIMITED AES
Manufacturer: Cherry GmbH
Affected Version(s): JD-0400EU-2/01
Tested Version(s): JD-0400EU-2/01
Vulnerability Type: Cryptographic Issues (CWE-310)
Missing Protection against Replay Attacks
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-04-11
Solution Date: -
Public Disclosure: 2016-06-29
CVE Reference: Not yet assigned
Authors of Advisory:...
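SYSS-2016-031 is titled "Missing Protection against Replay Attacks" and the excerpt carries no protocol details. The program below is an added example, not SySS's or Cherry's code and not a model of the B.UNLIMITED AES radio protocol: it contrasts a constructed encrypted keyboard link that carries no freshness information with one that uses AES-GCM and a monotonically increasing counter the receiver enforces, and mounts the same attack (sniff one keystroke packet, resend it) against both. The report layout, key, counter format and packet framing are all assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// One keystroke report: a HID-style 8-byte report padded to one AES block.
// The layout is constructed for this example, not taken from Cherry.
const reportSize = 16

// naiveLink: static key, raw AES of one block per report, no freshness.
type naiveLink struct{ blk cipher.Block }

// send encrypts one report; the same keystroke always yields the same packet.
func (l *naiveLink) send(report []byte) []byte {
	out := make([]byte, reportSize)
	l.blk.Encrypt(out, report)
	return out
}

// receive decrypts whatever arrives. Nothing ties a packet to a moment in
// time, so a sniffed packet is accepted again every time it is resent.
func (l *naiveLink) receive(pkt []byte) []byte {
	out := make([]byte, reportSize)
	l.blk.Decrypt(out, pkt[:reportSize])
	return out
}

// aeadLink: AES-GCM plus a monotonic counter that the receiver enforces.
type aeadLink struct {
	aead     cipher.AEAD
	sendCtr  uint64 // sender: last counter used (must survive power cycles)
	lastSeen uint64 // receiver: highest counter accepted so far
}

var errReplay = errors.New("replayed or stale packet")

// Packet: 8-byte big-endian counter || GCM ciphertext || 16-byte tag. The
// counter is the nonce (zero-padded to 12 bytes) and is authenticated as
// associated data, so neither it nor the report can be altered in flight.
func (l *aeadLink) send(report []byte) []byte {
	l.sendCtr++
	ctr := make([]byte, 8)
	binary.BigEndian.PutUint64(ctr, l.sendCtr)
	nonce := append(make([]byte, 4), ctr...)
	return append(ctr, l.aead.Seal(nil, nonce, report, ctr)...)
}

func (l *aeadLink) receive(pkt []byte) ([]byte, error) {
	if len(pkt) != 8+reportSize+l.aead.Overhead() {
		return nil, errors.New("bad packet length")
	}
	ctr := pkt[:8]
	n := binary.BigEndian.Uint64(ctr)
	if n <= l.lastSeen { // freshness first: not strictly newer means replay
		return nil, errReplay
	}
	nonce := append(make([]byte, 4), ctr...)
	report, err := l.aead.Open(nil, nonce, pkt[8:], ctr)
	if err != nil {
		return nil, err // forged or corrupted: the tag did not verify
	}
	l.lastSeen = n // advance only once the packet has authenticated
	return report, nil
}

// Outcome records how each link treats a sniffed packet that is resent.
type Outcome struct {
	NaiveReplayAccepted bool  // the replayed keystroke is typed again
	AEADFirstDelivered  bool  // the genuine packet still goes through
	AEADReplayErr       error // expected: errReplay
}

// Demo mounts the same attack on both links: sniff one 'a' keystroke, then
// resend it. Key and report are constructed for the example.
func Demo() (Outcome, error) {
	var o Outcome
	key := []byte("0123456789abcdef") // 128-bit key shared by both ends
	report := make([]byte, reportSize)
	report[2] = 0x04 // HID usage 0x04 in the first key slot: the letter 'a'
	blk, err := aes.NewCipher(key)
	if err != nil {
		return o, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return o, err
	}
	nl, al := &naiveLink{blk}, &aeadLink{aead: gcm}
	captured := nl.send(report)
	nl.receive(captured) // legitimate delivery
	o.NaiveReplayAccepted = bytes.Equal(nl.receive(captured), report) // resend
	captured = al.send(report)
	got, err := al.receive(captured)
	o.AEADFirstDelivered = err == nil && bytes.Equal(got, report)
	_, o.AEADReplayErr = al.receive(captured) // the same packet, again
	return o, nil
}
```

Two caveats a firmware implementer would add: a strictly increasing counter drops legitimately reordered or lost packets, so real links usually accept a bounded sliding window (as IPsec and DTLS anti-replay do) rather than exactly "last + 1"; and because the counter doubles as the GCM nonce, it must never repeat under the same key, which means persisting it across power cycles or re-keying on every pairing.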

Re: Dailydave Digest, Vol 56, Issue 10

Daily Dave - 29 July, 2016 - 12:45

Posted by Paul Erling on Jul 29

I could agree that the damage cyberwar does is mostly to ideology, but then what is the difference between cyberwar and
propaganda or even marketing? Isn't it just the fact that you have retrieved some difficult to obtain evidence? Does
that make the propaganda/marketing more believable and so effective?

- Paul

-----Original Message-----
From: dailydave-bounces () lists immunityinc com [mailto:dailydave-bounces () lists immunityinc...

Re: "Nitro Zeus" whatever whatever.

Daily Dave - 29 July, 2016 - 09:28

Posted by Ejovi Nuwere on Jul 29

This article in the New Yorker seems to align well with your explanation of cyberwar as a systemic disruption of
ideology.

http://www.newyorker.com/news/news-desk/the-real-paranoia-inducing-purpose-of-russian-hacks

Sent from my iPhone

[SYSS-2016-038] CHERRY B.UNLIMITED AES - Keystroke Injection Vulnerability

Bug Traq - 29 July, 2016 - 08:54

Posted by matthias . deeg on Jul 29

Advisory ID: SYSS-2016-038
Product: CHERRY B.UNLIMITED AES
Manufacturer: Cherry GmbH
Affected Version(s): JD-0400EU-2/01
Tested Version(s): JD-0400EU-2/01
Vulnerability Type: Cryptographic Issues (CWE-310)
Keystroke Injection Vulnerability
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2016-05-04
Solution Date: -
Public Disclosure: 2016-07-29
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg...

SAINTCON Security Conference

Daily Dave - 29 July, 2016 - 08:26

Posted by Troy Jessup on Jul 29

SAINTCON 2016

SAINTCON is the Intermountain-West premier Cybersecurity conference held in Provo, Utah. This conference is
dedicated to all things security and focuses on security discussions and trainings. If you live or work in the west,
this is your security con!

https://www.saintcon.org

ZMS v3.2 CMS - Multiple Client Side Cross Site Scripting Web Vulnerabilities

Full Disclosure - 29 July, 2016 - 05:11

Posted by Vulnerability Lab on Jul 29

Document Title:
===============
ZMS v3.2 CMS - Multiple Client Side Cross Site Scripting Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1890

Release Date:
=============
2016-07-28

Vulnerability Laboratory ID (VL-ID):
====================================
1890

Common Vulnerability Scoring System:
====================================
3.3

Product & Service Introduction:...

"Nitro Zeus" whatever whatever.

Daily Dave - 28 July, 2016 - 17:37

Posted by dave aitel on Jul 28

<nitrozeus>

https://www.youtube.com/watch?v=GiV6am2lNTQ. You'll notice in this
Usenix talk from 2012 I inadvertently blow Nitro Zeus, which came out in
that ZeroDays movie recently. I honestly don't write my talks all by
myself, but you'll notice "we" call out Wikileaks as being a cyber
weapon as opposed to everyone else's seeming fascination with
HackingTeam or whatever the boogieman of the day is.

People...

"Clickbait policy-making"

Daily Dave - 28 July, 2016 - 17:02

Posted by dave aitel on Jul 28

https://na-production.s3.amazonaws.com/documents/Bugs-in-the-System-Final.pdf

Look, I'm sure these (Andi Wilson, Ross Schulman, Kevin Bankston, Trey
Herr) are all good people:<image about authors went here>

But I want to point out that you cannot make good policy recommendations
based on clickbait news articles you've happened to have read over the
years on a subject that is under a ton of covert protection, especially
when none...