Security News

Most state CIOs see innovation as a major part of their job - 83% said innovation is an important or very important part of their day-to-day leadership responsibilities - while only 14% reported extensive innovation initiatives within their organizations, Accenture and the National Association of State Chief Information Officers reveal. Previously, NASCIO had highlighted innovation as a top ten current issue facing state CIOs.

Citrix has quickened its rollout of patches for a critical vulnerability in the Citrix Application Delivery Controller and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts. While Citrix originally said some versions would get a patch Jan. 31, it has now also shortened that timeframe, saying fixes are forthcoming on Jan 24.

Citrix has started rolling out security patches for the recently revealed Citrix Application Delivery Controller and Citrix Gateway vulnerability. The issue impacts versions 13.0, 12.1, 12.0, 11.1, and 10.5 of both Citrix ADC and Gateway.

Some of the markets we are planning to expand into are rail transport and Building Automation Systems markets. Starting only one or two years ago, we saw the entire industry kind of look around and say "Safety is job one, and cybersecurity is essential to safety. Oh rats!" And we saw a lot of operators start looking seriously at cybersecurity.

Citrix has finally started rolling out security patches for a critical vulnerability in ADC and Gateway software that attackers started exploiting in the wild earlier this month after the company announced the existence of the issue without releasing any permanent fix. As explained earlier on The Hacker News, the vulnerability, tracked as CVE-2019-19781, is a path traversal issue that could allow unauthenticated remote attackers to execute arbitrary code on several versions of Citrix ADC and Gateway products, as well as on the two older versions of Citrix SD-WAN WANOP. Rated critical with CVSS v3.1 base score 9.8, the issue was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, who responsibly reported it to Citrix in early December.

Proof-of-concept exploit code has been published for critical flaws impacting the Cisco Data Center Network Manager tool for managing network platforms and switches. The three critical vulnerabilities in question impact DCNM, a platform for managing Cisco data centers that run Cisco's NX-OS - the network operating system used by Cisco's Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches.

Two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from the same critical authorization bypass bug that allows adversaries to access a site's backend with no password. All an attacker needs is the admin username for the WordPress plugins and they are in, according to researchers from WebArx who created proof-of-concept attacks to exploit the vulnerability.

Q4: What role does a 'private key' play here anyway, if not that in Q3? Q5: If one doesn't simply learn the original private key off of knowing the public key, is one simply able to create a new digital certificate this way, as opposed to, having learned the private key of an existing digital certificate? Did I understand this more correctly now? Q6: Could the fake private key, simply be a number like 1, something that can be guessed by anyone? Or, equally bad, any other number, that you then can use to decipher data because someone would ofc know the private key?

The CryptoAPI cryptographic bug that Microsoft reported in its Patch Tuesday release yesterday was so big that it warranted its own story. Among the most serious bugs were remote code execution flaws affecting the Windows Remote Desktop Gateway, which is a Microsoft service that lets authorised remote users connect to resources on a network via the Remote Desktop Connection client.

In light of recent ransomware and other cyberattacks against vendors serving numerous healthcare organizations, it's critical to develop and deploy comprehensive vendor risk management programs, says John Farley managing director of the cyber practice at Arthur J. Gallagher & Co., a provider of cyber insurance and risk management consulting. "It's very common that it's the vendor that gets hacked, and therefore you're going down. You're not the direct target of the cyberattack; it's your vendor," Farley says in an interview with Information Security Media Group.