Despite some companies making strides with ARM, for the most part, the desktop and laptop space is still dominated by x86 machines. For all their advantages, they have a glaring flaw for anyone concerned with privacy or security in the form of a hardware backdoor that can access virtually any part of the computer even Read more about Disabling Intel and AMD’s Backdoors On Modern computers[…]
[…] On Tuesday, Google – which has answered the government’s call to secure the software supply chain with initiatives like the Open Source Vulnerabilities (OSV) database and Software Bills of Materials (SBOMs) – announced an open source software vetting service, its deps.dev API. The API, accessible in a more limited form via the web, aims Read more about Google debuts deps.dev API to check security status of dependencies[…]
About a year ago, Google announced its Assured Open Source Software (Assured OSS) service, a service that helps developers defend against supply chain security attacks by regularly scanning and analyzing for vulnerabilities some of the world’s most popular software libraries. Today, Google is launching Assured OSS into general availability with support for well over a Read more about Google’s free Assured Open Source Software service hits GA[…]
Google unveiled a new open source security project on Thursday centered around software supply chain management. Given the acronym GUAC – which stands for Graph for Understanding Artifact Composition – the project is focused on creating sets of data about a software’s build, security and dependency. Google worked with Purdue University, Citibank and supply chain Read more about Google announces GUAC open source project on software supply chains[…]
[…] with Microsoft’s unveiling of the new Security Copilot AI at its inaugural Microsoft Secure event. The automated enterprise-grade security system is powered by OpenAI’s GPT-4, runs on the Azure infrastructure and promises admins the ability “to move at the speed and scale of AI.” Security Copilot is similar to the large language model (LLM) Read more about Microsoft’s new Security Copilot will help network admins respond to threats in minutes, not day[…]
GitHub has rotated its private SSH key for GitHub.com after the secret was was accidentally published in a public GitHub repository. The software development and version control service says, the private RSA key was only “briefly” exposed, but that it took action out of “an abundance of caution.” Unclear window of exposure In a succinct blog post published today, GitHub acknowledged discovering this Read more about GitHub.com rotates its exposed private SSH key[…]
[…] We show how a malicious learner can plant an undetectable backdoor into a classifier. On the surface, such a backdoored classifier behaves normally, but in reality, the learner maintains a mechanism for changing the classification of any input, with only a slight perturbation. Importantly, without the appropriate “backdoor key,” the mechanism is hidden and Read more about Planting Undetectable Backdoors in Machine Learning Models[…]
[…] It is, in fact, possible to uncrop images and documents across a variety of work-related computer apps. Among the suites that include the ability are Google Workspace, Microsoft Office, and Adobe Acrobat. Being able to uncrop images and documents poses risks for sources who may be under the impression that cropped materials don’t contain Read more about Whistleblowers Take Note: Don’t Trust Cropping Tools – you can often uncrop them[…]
A prominent DNA testing firm has settled a pair of lawsuits with the attorney generals of Pennsylvania and Ohio after a 2021 episode that saw cybercriminals steal data on 2.1 million people, including the social security numbers of 45,000 customers from both states. As a result of the lawsuits, the company in question, DNA Diagnostics Center Read more about DNA Diagnostics Center DCC Forgot About 2.1m Clients’ Data, Leaked It[…]
Last November, The Verge discovered that Anker, the maker of popular USB chargers and the Eufy line of “smart” cameras, had a bit of a security issue. Despite the fact the company advertised its Eufy cameras as having “end-to-end” military-grade encryption, security researcher Paul Moore and a hacker named Wasabi found it was pretty easy to intercept Read more about It Took Months For Anker To Finally Admit Its Eufy Cameras Weren’t Really Secure[…]
European police arrested 42 suspects and seized guns, drugs and millions in cash, after cracking another encrypted online messaging service used by criminals, Dutch law enforcement said Friday. Police launched raids on 79 premises in Belgium, Germany and the Netherlands following an investigation that started back in September 2020 and led to the shutting down Read more about European Police Arrest 42 After Cracking another Covert comms App: Exclu[…]
Officials are still trying to figure out exactly what led to the Federal Aviation Administration system outage on Wednesday but have traced it to a corrupt file, which was first reported by CNN. In a statement late Wednesday, the FAA said it was continuing to investigate the outage and “take all needed steps to prevent Read more about Corrupt NOTAM database file and backup led to the FAA ground stoppage.[…]
Citizen, the provocative crime-reporting app formerly known as Vigilante, is in the news again for all the wrong reasons. On Thursday evening, it doxxed singer Billie Eilish, publishing her address to thousands of people after an alleged burglary at her home. Shortly after the break-in, the app notified users of a break-in in Los Angeles’ Read more about Citizen’s volunteer ‘safety’ app accidentally doxxes singer Billie Eilish[…]
Multiple bugs affecting millions of vehicles from almost all major car brands could allow miscreants to perform any manner of mischief — in some cases including full takeovers — by exploiting vulnerabilities in the vehicles’ telematic systems, automotive APIs and supporting infrastructure, according to security researchers. Specifically, the vulnerabilities affect Mercedes-Benz, BMW, Rolls Royce, Ferrari, Read more about Connected car security is very poor – fortunately they do actually take it seriously, fix bugs quickly[…]
[…] According to the class action complaint filed in a Massachusetts court, names, usernames, billing addresses, email addresses, telephone numbers, and even the IP addresses used to access the service were all made available to wrongdoers. The final straw in the hat could have been the leak of customers’ unencrypted vault data, which includes all Read more about LastPass is being sued following major cyberattack[…]
The FBI is warning the public that cyber criminals are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information. […] Cyber criminals purchase advertisements that appear within internet search results using a domain that is similar to an actual Read more about FBI warns of fake shopping sites – recommends to use an ad blocker[…]
In keeping with our commitment to transparency, I wanted to inform you of a security incident that our team is currently investigating. We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, Read more about LastPass breached again[…]
[…] Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose. By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. This poses Read more about Token tactics: How to prevent, detect, and respond to cloud token theft[…]
[…] If an attacker inserts their own SIM into a target’s Android, then enters the wrong SIM PIN three times, they can enter their SIM’s PUK to be able to create a new SIM PIN. Once they do, they bypass the lock screen entirely and access the phone. You can watch the hypothetical attack play Read more about Fix the Android Security Flaw That Lets Anyone Unlock Your Phone[…]
Today we are excited to release Shufflecake, a tool aimed at helping people whose freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, and activists for human rights in oppressive regimes. Shufflecake is FLOSS (Free/Libre, Open Source Software). Source code in C is available and released under Read more about Introducing Shufflecake: plausible deniability for multiple hidden filesystems on Linux[…]
More than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI secure-boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned on Wednesday. At the same time that researchers from security firm ESET disclosed the vulnerabilities, the notebook maker released security updates Read more about Lenovo driver goof poses security risk for users of 25 notebook models[…]
Western security advisers are warning delegates at the COP27 climate summit not to download the host Egyptian government’s official smartphone app, amid fears it could be used to hack their private emails, texts and even voice conversations. […] The potential vulnerability from the Android app, which has been downloaded thousands of times and provides a Read more about Egypt’s COP27 summit app can read your emails and encrypted messages, scan your device, send your location[…]
Pharmaceutical giant AstraZeneca has blamed “user error” for leaving a list of credentials online for more than a year that exposed access to sensitive patient data. Mossab Hussein, chief security officer at cybersecurity startup SpiderSilk, told TechCrunch that a developer left the credentials for an AstraZeneca internal server on code sharing site GitHub in 2021. Read more about AstraZeneca puts username and password on Github, exposes patient data in test environment for a year[…]
We present Wi-Peep – a new location-revealing privacy attack on non-cooperative Wi-Fi devices. Wi-Peep exploits loopholes in the 802.11 protocol to elicit responses from Wi-Fi devices on a network that we do not have access to. It then uses a novel time-of-flight measurement scheme to locate these devices. Wi-Peep works without any hardware or software Read more about Wi-Peep drone locates all your wifi devices and maps them in your home, can tell if your watch is moving around[…]
The United Kingdom’s National Cyber Security Centre (NCSC), the government agency that leads the country’s cyber security mission, is now scanning all Internet-exposed devices hosted in the UK for vulnerabilities. The goal is to assess UK’s vulnerability to cyber-attacks and to help the owners of Internet-connected systems understand their security posture. “These activities cover any Read more about British govt is scanning all Internet devices hosted in UK[…]