The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities. An attacker could exploit some of these vulnerabilities to take control of an affected system.
The Federal Bureau of Investigation (FBI) has released an article on their Think Before You Post campaign, designed to educate students on the use of social media and how to avoid making poor choices when posting, texting, or emailing thoughts or grievances that could lead to disruptive behavior, including threats. The FBI article stresses that this type of online behavior could result in serious consequences to the individual as well as the community.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the FBI article for information about the Think Before You Post campaign. CISA also recommends users review the CISA Tip on Identifying Hoaxes and Urban Legends for information on the potential dangers of viral emails. CISA encourages users to report suspicious activity to their local FBI field office and to FBI CyWatch at [email protected]
Cisco has released security updates to address vulnerabilities affecting Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco Advisories and apply the necessary updates:
- Webex Teams Logging Feature Command Execution Vulnerability cisco-sa-20190904-webex-teams
- Industrial Network Director Configuration Data Information Disclosure Vulnerability cisco-sa-20190904-ind
- Unified Contact Center Express Request Processing Server-Side Request Forgery Vulnerability cisco-sa-20190904-unified-ccx-ssrf
- Content Security Management Appliance Information Disclosure Vulnerability cisco-sa-20190904-sma-info-dis
- Jabber Client Framework for Mac Code Execution Vulnerability cisco-sa-20190904-jcf-codx
- Identity Services Engine Cross-Site Scripting Vulnerability cisco-sa-20190904-ise-xss
- Finesse Request Processing Server-Side Request Forgery Vulnerability cisco-sa-20190904-finesse-ssrf
An estimated 600,000 GPS trackers for monitoring the location of kids, seniors, and pets contain vulnerabilities that open users up to a host of creepy attacks, researchers from security firm Avast have found.
The $25 to $50 devices are small enough to wear on a necklace or stash in a pocket or car dash compartment. Many also include cameras and microphones. They’re marketed on Amazon and other online stores as inexpensive ways to help keep kids, seniors, and pets safe. Ignoring the ethics of attaching a spying device to the people we love, there’s another reason for skepticism. Vulnerabilities in the T8 Mini GPS Tracker Locator and almost 30 similar model brands from the same manufacturer, Shenzhen i365 Tech, make users vulnerable to eavesdropping, spying, and spoofing attacks that falsify users’ true location.
Researchers at Avast Threat Labs found that ID numbers assigned to each device were based on its International Mobile Equipment Identity, or IMEI. Even worse, during manufacturing, devices were assigned precisely the same default password of 123456. The design allowed the researchers to find more than 600,000 devices actively being used in the wild with that password. As if that wasn’t bad enough, the devices transmitted all data in plaintext using commands that were easy to reverse engineer.