Remote Code Execution Deserialization Vulnerability Blocked by Contrast

On May 20, 2020, the National Vulnerability Database (NVD) published a new CVE—CVE-2020-9484. The vulnerability associated with CVE-2020-9484 allows any anonymous attacker with internet access to submit a malicious request to a Tomcat Server that has PersistentManager enabled using FileStore. This is not the default setup, but it can be configured by administrators in this way. Red Timmy Security wrote in detail about the vulnerability and exploit.

Securing Success: Reporting PAM “Wins” Back to the Business

The director of Identity and Access Management (IAM) is fundamentally responsible for ensuring controls are in place to protect access to sensitive assets within the organization. This includes all aspects of identity, access and authentication for the entire workforce and also applies to Privileged Access Management (PAM) – which is what we’ll be focusing on in this blog. Specific accountabilities within this role typically include setting strategy, defining a PAM-based risk framework, designing and implementing appropriate access controls and providing monitoring, reporting and mitigation strategies around overall risk.

Sodinokibi ransomware gang auctions off stolen data

Is it legal to buy stolen data from criminals? In most countries the answer would be no. But will it lead to a penalty or a fine? That is a different question and I’m afraid some companies and organizations will be inclined to seriously consider the last question even when they know the answer to the first one. Maybe we can at least agree that it is not ethical or recommended.

Six Step Guide to Email Security Best Practice
The popularity of email as a collaboration tool shows no sign of abating. In fact, research group Radicati predicts that in 2020 the number of emails sent and received per day will exceed 306 billion. Also, with so many employees now working from home, organizations have never been so reliant on email to keep communication and productivity flowing.

Theft From Online Shopping Carts – Past and Present
Circa 2007, during a penetration test, I encountered an online shopping cart that exposed a variable containing a product’s price and it allowed for manipulation to lower the cart’s total. In early 2008, research was conducted to answer the question – just how many carts are vulnerable to such a trivial hack? At the time, PayPal had a Solutions Directory that listed online shopping carts that integrated with them for payment. Since this was an easy way to identify a large number of carts, a list of 136 carts was made and research began.

Half of Enterprises Have No Dedicated Staff, Processes or Policies for IoT Security

Global enterprises report greater efficiency and productivity, better product/service quality, and improved customer retention and experience, all thanks to recent deployments of Internet of Things (IoT) solutions. But business leaders are also concerned about their next steps. As IoT deployments greatly expand the attack surface for cybercriminals, half of businesses banking on IoT are doing so unprepared to combat cyber risks associated with these purchases.