"I'm interested in all kinds of astronomy."
CVE-2024-38856, an incorrect authorization vulnerability affecting all but the latest version of Apache OFBiz, may be exploited by remote, unauthenticated attackers to execute arbitrary code on vulnerable systems.

https://www.helpnetsecurity.com/2024/08/05/cve-2024-38856/

@screaminggoat Are these ancient CVEs added retroactively, or have some companies fallen behind this badly?
CISA: CISA Adds One Known Exploited Vulnerability to Catalog
Hot off the press! CISA adds CVE-2018-0824 (7.5 high, disclosed 08 May 2018 by Microsoft) Microsoft COM for Windows Remote Code Execution Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog! See parent toot above for evidence of exploitation.
We break down the cryptography services offered within Google Cloud Platform (Cloud KMS, Secret Manager, and Confidential Computing), helping you decide which tools are right for your project. https://buff.ly/3WQB69S

We have this Deposit Return System freshly implemented, and of course the IT backend broke after a few weeks.

The important thing to notice is that the operator just won't take *any* responsibility/SLA for the IT system, because IT just breaks y'know.

This rhymes pretty much with CrowdStrike's narrative about some random vendor taking out 8M computers is _just inevitable_. (see also: https://risky.biz/WWC4/ )

I'd also bet the reason they can't even tell when they will be able to restore transaction processing is that their backend is some unnecessarily complex k8s and/or cloud-native monstrosity... (see also: https://blog.thinkst.com/2024/07/unfashionably-secure-why-we-use-isolated-vms.html )

(Report in Hungarian: https://hvg.hu/gazdasag/20240805_A-Mohu-Repont-app-kotelezo-visszavaltas-ebx )
Elastic: Dismantling Smart App Control
Elastic claims that Windows Smart App Control and SmartScreen have several design weaknesses that allow attackers to gain initial access with no security warnings or popups. A bug in the handling of LNK files can also bypass these security controls. They research bypasses for reputation-based systems and develop detections to identify indicators of attack. No CVE IDs associated.
See related The Hacker News reporting: Researchers Uncover Flaws in Windows Smart App Control and SmartScreen

University student phished others so he could steal their grants. Article in Hungarian:

https://hvg.hu/itthon/20240805_Feltorte-a-Neptun-rendszert-es-maganak-utalta-el-a-diakok-osztondijat-a-csalo-ebx

I'd like to note that in my time we wouldn't think of stealing from broke-ass students like ourselves... we also had proper RCEs :P

#Hungary #Neptun
[RSS] Pnut: A Self-Compiling C Transpiler Targeting Human-Readable POSIX Shell

https://hackaday.com/2024/07/25/pnut-a-self-compiling-c-transpiler-targeting-human-readable-posix-shell/
[RSS] [Blog] Teaching the Old .NET Remoting New Exploitation Tricks

https://code-white.com/blog/teaching-the-old-net-remoting-new-exploitation-tricks/
[RSS] Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 3

https://www.thezdi.com/blog/2024/7/31/breaking-barriers-and-assumptions-techniques-for-privilege-escalation-on-windows-part-3
[RSS] Extending Burp Suite for fun and profit – The Montoya way – Part 6

https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-6/
[RSS] Heap exploitation, glibc internals and nifty tricks.

http://blog.quarkslab.com/heap-exploitation-glibc-internals-and-nifty-tricks.html
Why Google’s “Dear Sydney” Ad Makes Me Want to Scream - by Shelly Palmer

https://shellypalmer.com/2024/07/why-googles-dear-sydney-ad-makes-me-want-to-scream/

(The ad was revoked, but this is still a great piece about the fundamental problems it represented)
“Crowdstrike has made intentional architectural engineering and QA decisions that made this happen. They were negligent in their engineering decisions and their QA decisions.”

@alexstamos starts off strong on his latest @riskybiz episode.

Note to sec company CTOs/CISOs:

If u put in the work to engage with the community on topics that don’t directly affect what u are selling, it buys u some leeway when u have to discuss products that do..

Many would be flamed for taking this stance openly. He pulls it off.

https://pca.st/episode/17c7a25f-faee-479a-b653-53f62679cc02

Fifteen years ago today, a group of hackers and security pros got together and made a little thing happen, the first ever BSides @SecurityBSidesGlobal, @BSidesLV

Things took off from there.

The next BSides on the event calendar is BSides Las Vegas, and it will be event number 1002.

Afk brb!
⚠️ Confirmed: Network data show disruptions to multiple internet providers amid reports of a fibre sabotage campaign targeting telecoms infrastructure during the Paris 2024 Olympics 📉
