🗓️ GoCD bug chain provides second springboard to supply chain attacks 🗓️
📖 Read
via "The Daily Swig".
Follow-up to recent GoCD disclosure provides additional path to infiltrating build environments📖 Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
GoCD bug chain provides second springboard for supply chain attacks
Follow-up to recent GoCD disclosure provides additional path to infiltrating build environments
⚠ S3 Ep58: Faces on Facebook, scams that pose as complaints, and a Kaseya bust [Podcast] ⚠
📖 Read
via "Naked Security".
Latest epsiode - listen now!📖 Read
via "Naked Security".
Naked Security
S3 Ep58: Faces on Facebook, scams that pose as complaints, and a Kaseya bust [Podcast]
Latest epsiode – listen now!
🕴 Third-Party Software Risks Grow, but So Do Solutions 🕴
📖 Read
via "Dark Reading".
Enterprises are more dependent than ever on open source software and need to manage the risk posed by vulnerabilities in components and third-party vendors.📖 Read
via "Dark Reading".
Dark Reading
Third-Party Software Risks Grow, but So Do Solutions
Enterprises are more dependent than ever on open source software and need to manage the risk posed by vulnerabilities in components and third-party vendors.
🕴 Insider IP Theft Is Surging — and Most Can't Stop It 🕴
📖 Read
via "Dark Reading".
The Great Resignation is upon us, and insider IP theft is surging as a result. But it is a solvable problem.📖 Read
via "Dark Reading".
Dark Reading
Insider IP Theft Is Surging — and Most Can't Stop It
The Great Resignation is upon us, and insider IP theft is surging as a result. But it is a solvable problem.
❌ Congress Mulls Ban on Big Ransom Payouts ❌
📖 Read
via "Threat Post".
A bill introduced this week would regulate ransomware response by the country's critical financial sector.📖 Read
via "Threat Post".
Threat Post
Congress Mulls Ban on Big Ransom Payouts Unless Victims Get Official Say-So
A bill introduced this week would regulate ransomware response by the country's critical financial sector.
🦿 Research: Supply chain and COVID-19 challenges forces companies to shift their security strategies 🦿
📖 Read
via "Tech Republic".
64% of survey respondents reported that their companies have concerns about security risks for supply chains.📖 Read
via "Tech Republic".
TechRepublic
Research: Supply chain and COVID-19 challenges forces companies to shift their security strategies
64% of survey respondents reported that their companies have concerns about security risks for supply chains.
🕴 What Happens If Time Gets Hacked 🕴
📖 Read
via "Dark Reading".
Renowned hardware security expert raises alarm on the risk and dangers of cyberattackers targeting the current time-synchronization infrastructure.📖 Read
via "Dark Reading".
Dark Reading
What Happens If Time Gets Hacked
Renowned hardware security expert raises alarm on the risk and dangers of cyberattackers targeting the current time-synchronization infrastructure.
🕴 Cloud Attack Analysis Unearths Lessons for Security Pros 🕴
📖 Read
via "Dark Reading".
Researchers detail their investigation of a cryptomining campaign stealing AWS credentials and how attackers have evolved their techniques.📖 Read
via "Dark Reading".
Dark Reading
Cloud Attack Analysis Unearths Lessons for Security Pros
Researchers detail their investigation of a cryptomining campaign stealing AWS credentials and how attackers have evolved their techniques.
❌ Cyber-Mercenary Group Void Balaur Attacks High-Profile Targets for Cash ❌
📖 Read
via "Threat Post".
A Russian-language threat group is available for hire, to steal data on journalists, political leaders, activists and from organizations in every sector.📖 Read
via "Threat Post".
Threat Post
Cyber-Mercenary Group Void Balaur Attacks High-Profile Targets for Cash
A Russian-language threat group is available for hire, to steal data on journalists, political leaders, activists and from organizations in every sector.
❌ Back-to-Back PlayStation 5 Hacks Hit on the Same Day ❌
📖 Read
via "Threat Post".
Cyberattackers stole PS5 root keys and exploited the kernel, revealing rampant insecurity in gaming devices.📖 Read
via "Threat Post".
Threat Post
Back-to-Back PlayStation 5 Hacks Hit on the Same Day
Cyberattackers stole PS5 root keys and exploited the kernel, revealing rampant insecurity in gaming devices.
❌ Invest in These 3 Key Security Technologies to Fight Ransomware ❌
📖 Read
via "Threat Post".
Ransomware volumes are up 1000%. Aamir Lakhani, cybersecurity researcher and practitioner at FortiGuard Labs , discusses secure email, network segmentation and sandboxing for defense.📖 Read
via "Threat Post".
Threat Post
Invest in These 3 Key Security Technologies to Fight Ransomware
Aamir Lakhani is a cybersecurity researcher and practitioner at FortiGuard Labs .
🦿 Learn how to become an ethical hacker for only $21 during this pre-Black Friday sale 🦿
📖 Read
via "Tech Republic".
You don't need to break the bank to get the training required for an exciting new career, especially when you've got the right coupon code.📖 Read
via "Tech Republic".
TechRepublic
Learn how to become an ethical hacker for only $21 during this pre-Black Friday sale
You don't need to break the bank to get the training required for an exciting new career, especially when you've got the right coupon code.
‼ CVE-2002-20001 ‼
📖 Read
via "National Vulnerability Database".
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.📖 Read
via "National Vulnerability Database".
🕴 How Do I Know It's Time to Consider a SASE Migration? 🕴
📖 Read
via "Dark Reading".
The rapid shift to a hybrid workplace and accelerated adoption of new technologies means it's time to rethink networking security approaches.📖 Read
via "Dark Reading".
Dark Reading
How Do I Know It's Time to Consider a SASE Migration?
The rapid shift to a hybrid workplace and accelerated adoption of new technologies means it's time to rethink networking security approaches.
‼ CVE-2021-3908 ‼
📖 Read
via "National Vulnerability Database".
OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3909 ‼
📖 Read
via "National Vulnerability Database".
OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3910 ‼
📖 Read
via "National Vulnerability Database".
OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character).📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3907 ‼
📖 Read
via "National Vulnerability Database".
OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3912 ‼
📖 Read
via "National Vulnerability Database".
OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3911 ‼
📖 Read
via "National Vulnerability Database".
If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash.📖 Read
via "National Vulnerability Database".
🕴 Google Open Sources ClusterFuzzLite 🕴
📖 Read
via "Dark Reading".
ClusterFuzzLite is a stripped-down version of continuous fuzzing tool ClusterFuzz that integrates CI tools.📖 Read
via "Dark Reading".
Dark Reading
Google Open Sources ClusterFuzzLite
ClusterFuzzLite is a stripped-down version of continuous fuzzing tool ClusterFuzz that integrates CI tools.