ZDI releases second Top 5 bug of 2017. This one gets remote code execution in Apache Groovy.
http://ift.tt/2yYo0sM

Submitted December 19, 2017 at 09:05PM by RedmondSecGnome
via reddit http://ift.tt/2D4ew2F

Hex-Men: Chinese campaign targeting SQL Server & MySQLs DBs
http://ift.tt/2klvlyb

Submitted December 19, 2017 at 09:58PM by ribr
via reddit http://ift.tt/2BfNS9J

Dispelling Cybersecurity Myths - Recorded Future podcast episode 36
http://ift.tt/2kHSk5V

Submitted December 19, 2017 at 09:56PM by volci
via reddit http://ift.tt/2CEtuv8

GUI Tool for crafting ROP chains (WIP)
http://ift.tt/2D35Jhn

Submitted December 19, 2017 at 09:41PM by chillingswordfish
via reddit http://ift.tt/2D69liw

"Public Wi-Fi Attacks - Starbucks"
http://ift.tt/2yXVeIV

Submitted December 19, 2017 at 10:13PM by volci
via reddit http://ift.tt/2BddiVg

Top 25 passwords of 2017
http://ift.tt/2D4rYnb

Submitted December 19, 2017 at 10:10PM by kidbytheclouds
via reddit http://ift.tt/2yYWefG

Dispelling Cybersecurity Myths
http://ift.tt/2kHSk5V

Submitted December 19, 2017 at 09:30PM by volci
via reddit http://ift.tt/2kksrtk

Thoughts/Advice
I'm currently going through a vetting exercise on a new vendor/solution for my business.The vendor is offshore, but is touting that they are compliant with a litany of things (NIST, HIPAA, PCI, ISO, etc) as well as saying that the employ a zero-trust policy with everything they do. That's all well and good. That should be a pretty basic standard when you're providing this kind of service.Here's where it gets interesting. As part of the review that my team performs, we ask how vulnerabilities are remediated. Here's the answer that we've gotten:"<software/application that they've written internally> maintains a clear separation between various systems. The policy is enforced realtime and on a continual basis. It is simply impossible to access any internal systems without first authenticating, authorizing role, and providing an intent. <Vendor> follows a zero trust policy for cybersecurity."This seems really off to me. First, I would never, in the history of ever, say that something was impossible to access. Further, the vendor has peppered throughout their entire vetting their tool and how it employs passphrase technology and no user IDs to make their solution "impossible to hack".Thoughts?

Submitted December 19, 2017 at 09:27PM by OldFennecFox
via reddit http://ift.tt/2klgLqw

Kaspersky Lab Sues U.S. Government Over Software Ban
http://ift.tt/2yWuDvG

Submitted December 19, 2017 at 09:21PM by volci
via reddit http://ift.tt/2kMh1ht

CSE Statement on the Attribution of WannaCry Malware
http://ift.tt/2yZm03K

Submitted December 19, 2017 at 09:17PM by julian88888888
via reddit http://ift.tt/2kl0pOp

Annual Security Awareness Training is a Complete Waste of Time
http://ift.tt/2yYSdYJ

Submitted December 19, 2017 at 09:15PM by CurriculaAware
via reddit http://ift.tt/2kMsOfN

Keeping a list of passwords safe..?
Hi there, Our small business has the need for several passwords (bank accounts, visas, third party software, etc etc..). We've been running into the problem of losing our passwords, I think due to the lack of organization. Losing these passwords is a HUGE pain, i'm spending more time than I should on getting passwords reset. These are the two options I can think of, comments/questions/concerns are greatly appreciated! 1- a small book of accounts/passwords kept in a small safe. 2- online password keepers**one of our team members had voiced concern over keeping the accounts/passwords on an online service. Are there any trustworthy companies where this is not a concern? Recommendations?Cheers

Submitted December 19, 2017 at 11:02PM by elifast
via reddit http://ift.tt/2oLX8g0

All you need to know about Buffer Overflow Attacks :)
http://ift.tt/2CEq5MK

Submitted December 19, 2017 at 11:28PM by drhydrogen1
via reddit http://ift.tt/2oNhZiW

Multiple vulnerabilities in Trend Micro Smart Protection Server
http://ift.tt/2CDAl7S

Submitted December 19, 2017 at 11:23PM by pepit0r
via reddit http://ift.tt/2BfrZHE

New Study: Many Consumers Lack Understanding of Basic Cyber Hygiene
http://ift.tt/2CZVlXK

Submitted December 20, 2017 at 12:22AM by speckz
via reddit http://ift.tt/2kMWpWB

Changing IP & MAC on iPhone
Is it possible to change your IP & MAC address on iPhone the same way you can on Mac?

Submitted December 20, 2017 at 01:53AM by ALEXA-Music
via reddit http://ift.tt/2BA16eg

RCE vulnerability found in ruby's NET::Ftp which allows command injection in filenames
http://ift.tt/2BKLUxl

Submitted December 20, 2017 at 02:36AM by tylerg777
via reddit http://ift.tt/2B0nv37

Yeelight, the Bluetooth LED Bedside Lamp from Xiaomi that Spies on You, Part One
http://ift.tt/2CFxviJ

Submitted December 20, 2017 at 02:38AM by petermal67
via reddit http://ift.tt/2B0NGGY

Noob question- How do p2p botnets get stolen data to the attacker without a centralized server?
There were many well known p2p botnets like Zeus, ZeroAccess, Storm and Agobot over the years. The way I understand it, there are some victim nodes that contact a bunch of other computers and that forms the botnet.I just don't know how the attacker is to get the data. If the data is stored on the node, what if it goes offline? Then wouldn't they miss out on a bunch of stolen data.Perhaps it has nothing to do with being stored on the victim, and the malware just sends it to a dropzone or email or something?Any explanation would be greatly appreciated.EDIT: an example would help me understand. How would Zeus, for example, get stolen credit card data to an attacker?

Submitted December 20, 2017 at 05:56AM by fredfredburger88
via reddit http://ift.tt/2z0uUOp

WannaCry: End of Year Retrospective
http://ift.tt/2kmU9pC

Submitted December 20, 2017 at 06:53AM by not_2sec4u
via reddit http://ift.tt/2BzPesz

Every Single American Household Exposed in Massive Leak - Infosecurity Magazine
http://ift.tt/2BzF4bz

Submitted December 20, 2017 at 06:53AM by artTho
via reddit http://ift.tt/2kmWqRv