
A vulnerability in Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers allows threat actors to change any user’s password. Cisco has addressed a critical vulnerability, tracked as CVE-2024-20419 (CVSS score of 10.0), in Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers that allows attackers to change any user’s password. The issue […]


Complicated, costly, time-consuming – pick three

Cybersecurity workers review major updates to software applications only 54 percent of the time, according to a poll of tech managers.…


Joseph Cox / 404 Media: Leaked docs show Cellebrite couldn't forcibly unlock any iPhone running iOS 17.4 or newer as of April 2024; most of the listed Android devices could be unlocked — The leaked April 2024 documents, obtained and verified by 404 Media, show Cellebrite could not unlock a large chunk of modern iPhones.


Severity: Medium. A high severity vulnerability could allow an attacker to execute arbitrary code via SQL injection on an affected system. Updated: 17 Jul 2024


Most GitHub Actions are susceptible to exploitation; they are overly privileged or have risky dependencies, according to Legit Security.

GitHub Actions security flaws pose major risks

The report found the GitHub Actions marketplace's security posture to be especially concerning, with most custom Actions not verified, maintained by one developer, or generating low security scores based on OpenSSF Scorecard. GitHub Actions security is an important aspect of open-source security. Insecure GitHub Actions could allow attackers to compromise …

The post Most GitHub Actions workflows are insecure in some way appeared first on Help Net Security.


A threat actor has released over 15 million email addresses associated with Trello accounts that were collected using an unsecured API in January. [...]


The knowledge gap, identified in a Linux Foundation report, comes as malicious hackers increasingly target critical vulnerabilities.

Jailbreaking RabbitOS (The Hard Way) (www.da.vidbuchanan.co.uk)



While previous Olympic games have faced cybersecurity threats, the Games of the XXXIII Olympiad, also known as Paris 2024, will see the largest number of threats, the most complex threat landscape, the largest ecosystem of threat actors, and the highest degree of ease for threat actors to execute attacks, according to IDC. To defend against these attacks and avoid significant disruptions, IDC estimates that revenue from cybersecurity services in France will increase by $94 million …

The post Paris 2024 Olympics to face complex cyber threats appeared first on Help Net Security.


This article provides an overview of the major data breaches we covered in 2024 so far, highlighting incidents involving Trello, AnyDesk, France Travail, Nissan, MITRE, Dropbox, BBC Pension Scheme, TeamViewer, Advance Auto Parts, and AT&T. Find out what led to the breaches and how they affected the breached organizations. The information in this recap might help your organization strengthen its cybersecurity posture.

Trello

January 2024

In January 2024, Trello encountered an incident in which user …

The post Major data breaches that have rocked organizations in 2024 appeared first on Help Net Security.


Mainframes are the unseen workhorses that carry the load for many services we use on a daily basis: withdrawing money from an ATM, credit card payments, and airline reservations, to name just a few of the high-volume workloads that are primarily handled by mainframes. For those who like to see figures to support this … Continue reading Punch Card Hacking – Exploring a Mainframe Attack Vector


Samuel Stolton / Bloomberg: Sources: Google offered CISPE ~€455M worth of Google cloud licenses and €14M in cash in a deal for CISPE to maintain its antitrust complaint against Microsoft — Firm's deal offer aimed at continuing EU case against rival — Cloud group CISPE eventually reached settlement with Microsoft


It’s been less than 18 months since the public introduction of ChatGPT, which gained 100 million users in less than two months. Given the hype, you would expect enterprise adoption of generative AI to be significant, but it’s been slower than many expected. A recent survey by Telstra and MIT Review showed that while 75% of enterprises tested GenAI last year, only 9% deployed it widely. The primary obstacle? Data privacy and compliance. This rings …

The post ChatGPTriage: How can CISOs see and control employees’ AI use? appeared first on Help Net Security.


A malicious Telegram bot is the key to a veritable flourishing garden of nefarious cybercriminal activity, which was discovered via a series of Python packages.


Files available on the open source NPM repository underscore a growing sophistication.


Lawsuit: One user's IP address was identified in 4,450 infringement notices.


A while ago I already looked into Avast Secure Browser. Back then it didn’t end well for Avast: I found critical vulnerabilities allowing arbitrary websites to infect users’ computers. Worse yet, much of it was due to neglect of secure coding practices; existing security mechanisms were disabled for no good reason. I didn’t finish that investigation because I discovered that the browser was essentially spyware, collecting your browsing history and selling it via Avast’s Jumpshot subsidiary. But that was almost five years ago. After an initial phase of denial, Avast decided to apologize and to wind down Jumpshot. It was certainly a mere coincidence that Avast was subsequently sold to NortonLifeLock, called Gen Digital today. Yes, Avast is truly reformed and paying for their crimes in Europe and the US. According to the European decision, Avast still argues, despite knowing better, that their data collection was fully anonymized and completely privacy-conformant, but… well, old habits are hard to get rid of. Either way, it’s time to take a look at Avast Secure Browser again. Because… all right, because of the name. That was a truly ingenious idea to name their browser like that, nerd-sniping security professionals into giving them free security audits. By now they certainly would have addressed the issues raised in my original article and made everything much more secure, right?

Note: This article does not present any actual security vulnerabilities.[...]


Hacktivists claim they have stolen 1.2 TB of data from Disney's developer Slack channels.


Authors/Presenters: Nian Xue, Yashaswi Malla, Zihang Xia, Christina Pöpper, Mathy Vanhoef

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 presenters’ content, and for the organization’s strong commitment to Open Access. The recording originates from the conference’s events at the Anaheim Marriott and is published via the organization’s YouTube channel. The post USENIX Security ’23 – Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables appeared first on Security Boulevard.


Alderon Games, the maker of dinosaur MMO Path of Titans, says it's swapping out its Intel 13th and 14th Gen-based servers for AMD and urges others hosting the game’s servers to do the same. The developer has had “significant” instability issues that none of the fixes so far have reversed, wrote Alderon founder Matthew Cassells in a blog post last week. Cassells wrote that Alderon has recorded “thousands of crashes” on gamers’ CPUs using its crash reporting tools and says the processors can also corrupt SSDs and memory. He added that in his team’s experience, 100 percent of the affected CPUs “deteriorate over time, eventually failing.” On the contrary, Unreal Engine decompression tool maker RAD Game Tools, which Cassells cites in the...


Cryptography ain’t easy. Seemingly small details like how many times a computationally intensive loop runs can give the game away. [Lord Feistel] gives us a demo of how this could …


Google parent Alphabet Inc. is in advanced talks to buy cybersecurity startup Wiz in a deal that could fetch $23 billion, the Wall Street Journal reported, citing people with knowledge of the matter.


A security researcher who assisted with the deal says he believes the only copy of the complete dataset of call and text records of “nearly all” AT&T customers has been wiped—but some risks may remain.


A hacker who claims to have stolen sensitive call and text logs from AT&T Inc. said they were paid about $400,000 to erase the data trove.

Images of UTM SE from its App Store listing. (Screenshots: UTM SE)

Apple has approved UTM SE, an app for emulating a computer to run classic software and games, weeks after the company rejected it and barred it from being notarized for third-party app stores in the European Union. The app is now available for free for iOS, iPadOS, and visionOS. After Apple rejected the app in June, the developer said it wasn’t going to keep trying because the app was “a subpar experience.” Today, UTM thanked the AltStore team for helping it and credited another developer “whose QEMU TCTI implementation was pivotal for this JIT-less build.”

UTM SE doesn’t include any virtual machines, but does help you find them. (Screenshot: UTM SE)

As with other emulators on the App Store, you can’t do much...


Pulse of Truth

320 readers

Cyber security news and links to cyber security stories that could make you go hmmm. The content is exactly as it is consumed through RSS feeds and won't be edited (except for the occasional encoding errors).

This community is automagically fed by an instance of Dittybopper.

founded 11 months ago