Cybersecurity

Siemens RUGGEDCOM ROS (ICSA-19-344-03)

CISA has published an advisory on improper restriction of operations within the bounds of a memory buffer and resource management error vulnerabilities in Siemens RUGGEDCOM ROS. All versions of multiple products are affected. Successful exploitation of these vulnerabilities could allow a denial-of-service condition or arbitrary code execution. Siemens has identified specific workarounds and mitigations users can apply to reduce the risk. CISA also recommends a series of measures to mitigate the vulnerabilities.

Siemens SiNVR 3 (ICSA-19-344-02)

CISA has published an advisory on cleartext storage of sensitive information in GUI, improper authentication, relative path traversal, missing authentication for critical function, weak cryptography for passwords, and exposed dangerous method or function vulnerabilities in Siemens SiNVR. All versions of SiNVR Central Control Server and Video Server are affected.

Siemens SCALANCE W700 and W1700 (ICSA-19-344-01) – Product Used in the Water and Wastewater and Energy Sectors

CISA has published an advisory on an improper enforcement of message integrity during transmission in a communication channel vulnerability in Siemens SCALANCE W700 and W1700. For SCALANCE W700, versions 6.3 and prior are affected. For SCALANCE W1700, versions 1.0 and prior are affected. Successful exploitation of this vulnerability could allow an attacker to access confidential data. Siemens recommends installing the following software updates to address this vulnerability. CISA also recommends a series of measures to mitigate the vulnerability.

44 Million Microsoft Users Reused their Compromised Passwords

Earlier this year, a Microsoft team scanned all customer accounts and found that 44 million users were employing usernames and passwords that leaked online following security breaches at other online services. Microsoft said it scanned user accounts using a database of over three billion leaked credentials, which it obtained from multiple sources, such as law enforcement and public databases. The 44 million total included Microsoft Services Accounts (regular user accounts), but also Azure AD accounts. "For the leaked credentials for which we found a match, we force a password reset.

No Link between Cyber Attack and Navy Base Attack, according to FBI

The FBI said it has found no signs of any link between a cyber attack on the computer systems of the city of Pensacola, Florida and the attack at the local Naval Air Station in which three sailors were killed and eight others were wounded. The city became aware of the cyber attack early Saturday, just hours after the shooting at the Pensacola Naval Air Station, which occurred on Friday. City officials expressed uncertainty over whether the incidents were related but reached out to federal authorities as a precaution.

Click2Gov – The Breach that Keeps on Breaching: More Utilities Impacted by Click2Gov Breach (including at least one WaterISAC member)

WaterISAC has previously posted about the woes regarding Click2Gov on several occasions; see the Security & Resilience Update for November 21, 2019 for a listing of the three other posts. Likewise, a quick Google search reveals many more impacted municipalities and utilities, some having been affected more than once. With this recent spate of disclosures, WaterISAC is aware of at least one member who has been negatively impacted.

New NIST Publication – Developing Cyber Resilient Systems

The National Institute of Standards and Technology (NIST) has just published Special Publication (SP) 800-160 Volume 2, Developing Cyber Resilient Systems: A Systems Engineering Approach. It is the first in a series of specialty publications developed to support NIST SP 800-160 Volume 1, the flagship systems security engineering guideline. Volume 2 addresses cyber resiliency considerations for two important yet distinct communities of interest:
