How EU lawmakers can make mandatory vulnerability disclosure responsible
There is a standard playbook and best practice for when an organization discovers or is notified about a software vulnerability: The organization works quickly to fix the problem and, once a fix is available, discloses that vulnerability for the bene.....
Week in review: Exploited Citrix Bleed vulnerability, Atlassian patches critical Confluence bug
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: AI threat landscape: Model theft and inference attacks emerge as top concerns In this Help Net Security interview, Guy Guzner, CEO at Savvy, discuss.....
Securing data at the intersection of the CISO and CDO
Two groups in particular play a key and critical role in ensuring data governance and security: the CISO and the CDO. CISOs are responsible for identifying and managing risks associated with data security, while CDOs are responsible for ensuring data.....
Atlassian Confluence data-wiping vulnerability exploited
Threat actors are trying to exploit CVE-2023-22518, a critical Atlassian Confluence flaw that allows unauthenticated attackers to reset vulnerable instances’ database, GreyNoise is observing. The Shadowserver Foundation has also seen 30+ IP add.....
Week in review: VMware patches critical vulnerability, 1Password affected by Okta breach
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: GOAD: Vulnerable Active Directory environment for practicing attack techniques Game of Active Directory (GOAD) is a free pentesting lab. It provides.....
Apple's private Wi-Fi MAC addresses were security theater until iOS 17.1
Apple introduced a feature that would hide a user's permanent MAC address in 2020, but it's been virtually useless until iOS 17.1 thanks to a now-patched vulnerability. Private Wi-Fi address: When a device connects to a network, it performs a necessary.....
Google loses fight to hide 2021 money pit: $26B in default contracts
CEO Sundar Pichai testifies Monday, as Google mounts its defense. Prabhakar Raghavan, a senior vice president at Google (where he is responsible for Google Search, Assistant, Geo, Ads, Commerce, and Payments products),.....
Raven: Open-source CI/CD pipeline security scanner
Raven (Risk Analysis and Vulnerability Enumeration for CI/CD) is an open-source CI/CD pipeline security scanner that makes hidden risks visible by connecting the dots across vulnerabilities woven throughout the pipeline that, when viewed collectively.....
iLeakage flaw could force iPhones and Macs to divulge passwords and more
A vulnerability in A-series and M-series chips could force iPhones, Macs, and iPads to divulge passwords and other sensitive information to an attacker. Security researchers have dubbed the flaw – which affects Safari on the Mac, and any browser on.....
GOAD: Vulnerable Active Directory environment for practicing attack techniques
Game of Active Directory (GOAD) is a free pentesting lab. It provides a vulnerable Active Directory environment for pen testers to practice common attack methods. GOAD-Light: 3 VMs, 1 forest, 2 domains “When the Zerologon vulnerability surfaced.....
Pro-Russia hackers target inboxes with 0-day in webmail app used by millions
Previously unknown XSS in Roundcube let Winter Vivern steal government emails. A relentless team of pro-Russia hackers has been exploiting a zero-day vulnerability in widely used webmail so.....
Roundcube webmail zero-day exploited to spy on government entities (CVE-2023-5631)
The Winter Vivern APT group has been exploiting a zero-day vulnerability (CVE-2023-5631) in Roundcube webmail servers to spy on email communications of European governmental entities and a think tank, according to ESET researchers. “Exploitatio.....
Experiments show molecules, not substrates, are mostly responsible for chirality-induced spin selectivity
A team of chemists at Northwestern University, working with a pair of colleagues from Università di Parma, reports that the chirality-induced spin selectivity (CISS) effect is caused by the molecules involved, not a substrate, when quantum spin is t.....
VMware patches critical vulnerability in vCenter Server (CVE-2023-34048)
VMware has fixed a critical out-of-bounds write vulnerability (CVE-2023-34048) and a moderate-severity information disclosure flaw (CVE-2023-34056) in vCenter Server, its popular server management software. About CVE-2023-34048 and CVE-2023-34056 CVE.....
What is operational risk and why should you care? Assessing SEC rule readiness for OT and IoT
The newly released Securities and Exchange Commission (SEC) cyber incident disclosure rules have been met with mixed reviews. Of particular concern is whether public companies who own and operate industrial control systems and connected IoT infrastruct.....
Researchers discover genes responsible for low and ultra-low glycemic index in rice
The International Rice Research Institute (IRRI) announced they achieved a scientific milestone with the discovery of the genes responsible for low and ultra-low glycemic index (GI) in rice.....
The latest high-severity Citrix vulnerability under attack isn’t easy to fix
If you run a NetScaler ADC or Gateway, assume it's compromised and take action ... fast. A critical vulnerability that hackers have exploited since August, which allows them to bypass multi.....
Urgent action needed to address climate change threats to coastal areas
Global coastal adaptations are "incremental in scale," short-sighted and inadequate to address the root causes of vulnerability to climate change, according to an international team of researchers.....
Citrix NetScaler bug exploited in the wild since August (CVE-2023-4966)
A recently patched Citrix NetScaler ADC/Gateway information disclosure vulnerability (CVE-2023-4966) has been exploited by attackers in the wild since late August 2023, Mandiant researchers have revealed. About CVE-2023-4966 Citrix’s security a.....
State-sponsored APTs are leveraging WinRAR bug
A number of government-backed APTs are exploiting CVE-2023-38831, a file extension spoofing vulnerability in WinRAR, a widely used file archiver utility for Windows. CVE-2023-38831 was patched in August 2023, along with another high-severity RCE.....
“Cisco buried the lede.” >10,000 network devices backdoored through unpatched 0-day
An unknown threat actor is exploiting the vulnerability to create admin accounts. On Monday, Cisco reported that a critical zero-day vulnerability in.....