Insights

If you have Window 10 or Windows Server 2016/2019 installed, like most of the planet, you need to patch now!  NSA recently released a notification along with Microsoft that a critical vulnerability exists in how the mentioned platforms validate Elliptic Curve Cryptography (ECC) certificates. It was discovered by security researchers at NSA, before Microsoft learned of the vulnerability.  It is considered to have been in the wild before discovery. A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and…

As many of you have heard by now a major vulnerability to the Citrix Netscaler platform was announced before the holidays. At that time the vulnerability was not widely known or for that matter understood. Since that time we have seen bad actors using several tools to bypass corporate security mechanisms. From what we’ve seen at Critical Path Security this breach has the potential to affect every Citrix customer with a Citrix Netscaler gateway deployed. The fact that Citrix has been very quiet on this vulnerability considering they were hacked last year and suffered a significant data breach, is very disconcerting to say the least. Even at this moment, we have not heard how this breach at Citrix occurred or if it is somehow related to the Netscaler gateway vulnerability. The vulnerability is a path traversal bug that can be easily exploited over the internet by an attacker. The attacker…

Printing Impressions published a recent article in which Patrick Kelley was quoted. Kelley states, “A significant problem with IoT devices, like printers, is that customers are not educated on security risks. Companies and consumers need to understand the risks they are accepting with IoT devices and to ensure that their third-party vendors are advocates for what's best for them. Choose your vendors carefully, making sure that they are trustworthy and that you are the priority.” Read the article  

Holidays are fast approaching, which means online shopping and scams are going to be on the rise. Here are a few ways to stay as safe as possible. 1.  Know the red flags. The most common types of scams will target you through fake emails (a technique known as phishing), text messages (SMSishing or smishing) voice calls (vishing), letters or even someone who shows up at your front door unexpectedly. No matter which technique the criminal uses these are the common things they try: Pressure you to send money Threaten you with law enforcement action Tell you to purchase gift cards and provide codes as a form of payment Ask you to cash a check for them or send money via wire transfer Ask you to deposit a check that overpays for something you're selling, and then send the difference elsewhere 2. Don’t provide account or personal information via email…