fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

U.S. Department of Defense Discloses Critical And High Severity Bugs

U.S. Department of Defense Discloses Critical And High Severity Bugs

The U.S. Department of Defense has disclosed today details about four security vulnerabilities on its infrastructure. Two of them have a severity high severity rating while the other two received a critical score.

The flaws were reported in August and July. They could allow attackers to hijack a subdomain, execute arbitrary code remotely, or view files on the affected machine.

Unclaimed bucket, unpatched server

All issues were reported through the Department’s vulnerability disclosure on the HackerOne bug bounty platform by distinct ethical hackers.

One of the critical vulnerabilities is a subdomain takeover because of an unclaimed Amazon S3 bucket. Ethical hacker chron0x who found the issue says it could be exploited to host malicious content on a legitimate domain.

Visitors of the website could then be targeted with phishing and cross-site scripting attacks. The flaw would also allow an attacker to bypass domain security and to steal sensitive user data.

The second glitch with a critical severity rating was reported by Hzllaga on August 19. It is a remote code execution on a DoD server running Apache Solr that had been left unpatched since August 2019.

The server was vulnerable to CVE-2019-0192 and CVE-2019-0193, but only the latter was enough for the hacker to get a shell on the server. Exploit code for both of them is available.

Also read: What Is A Governance Framework? The Importance And How It Works

High-severity bugs

Another flaw stemming from unpatched software, discovered by IT security analyst Dan (U.S. Navy and Coast Guard veteran), is a read-only path traversal that could have given an attacker access to arbitrary sensitive files on the system; it’s in a Cisco product, described in detail here.

The second less severe bug, but an obvious risk, nonetheless, is a code injection on a DoD host that may lead to arbitrary code execution, according to the report from e3xpl0it, a penetration tester at cybersecurity company Positive Technologies.

Although the nature of the bugs is no secret for the DoD, some information has been redacted in the bug reports.

In all cases, the DoD was quick to validate and fix the reported problems. According to statistics from the HackerOne platform, the Department takes about eight hours on average to triage the bugs and deals with all of them.

Since the DoD started the vulnerability disclosure program on HackerOne in November 2016, it addressed 9555 security issues. An interesting detail is that the Department dealt with more than a third of them in the past three months.

Also read: Data Centre Regulations Singapore: Does It Help To Progress?

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us