Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11997PUBLISHED: 2021-01-19
Apache Guacamole 1.2.0 and earlier do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that co...
CVE-2020-27266PUBLISHED: 2021-01-19In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, a client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass user authentication checks via Bluetooth Low Energy.
CVE-2020-27268PUBLISHED: 2021-01-19In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, a client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass checks for default PINs via Bluetooth Low Energy.
CVE-2020-27269PUBLISHED: 2021-01-19
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, the communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications lacks replay protection measures, which allows unauthenticated, physically proximate attackers to replay communication sequences vi...
CVE-2020-28707PUBLISHED: 2021-01-19
The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdio_chart_historical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage() event is not validated. The stockdio_eventer function listens fo...
User Rank: Apprentice
3/15/2013 | 4:46:32 AM
Lately, I've been asking myself whether the lack of 'success' achieved by DiD is due entirely to the factors already mentioned by many of those who responded to this article or if in fact its our 'thinking' about such strategies that is really the issue. Reading the quotes in this article, I was reminded of that line from Samuel Beckett's play, 'Waiting for Godot" .. -á-áThereGÇÖs man all over for you, blaming on his boots the faults of his feet".-á
It's my view that while there is ample evidence that the DiD strategy, when executed incorrectly, does not-áyield-áthe expected results; it can also be argued that successful, ongoing-áexecution of the strategy relies too heavily on factors and resources not readily available to most users (knowledge, skills, etc.)
It also is apparent that our 'adversaries' have the-áadvantage-áof fighting a-águerrilla-style-áwar against security professionals in which the very tools we use to blunt their attacks are being turned against us. I've noticed an inherently,-áasymmetrical aspect to each battle-ásecurity professionals fight; -áthe advantage is our adversaries' learn more about our defenses,-áadapt-áfaster, and with greater agility of deployment than we obtain from our analysis of their attacks. The evidence cited by the article about the continuing increase in security breaches despite greater security spend suggests that we defenders are missing something-áfundamental in our attempts to build better security systems and controls.-á
So in what new direction should we be looking to find a way to turn the tide of this war in our favor? I've taken a closer look at the fundamental underpinnings of my own approach to thinking about security strategy and I found a few insightful and thought-provoking ideas in the work done by-áJames A. Dewar of the RAND Corporation on Assumption-Based Planning (ABP) and that of Prof. Richard Heeks of the University of Manchester's, "design reality gap" model. I hope to have a paper submitted to ISACA by the end of the summer which discusses how one might apply these ideas to develop a new-áapproach in-ábuilding security infrastructure.-á