US, Australia Issue Warning Over Access Control Vulnerabilities in Web Applications

New guidance from the Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) warns developers, vendors, and organizations of access control vulnerabilities in web applications. Described as insecure direct object reference (IDOR) issues, they allow threat actors to read or tamper with sensitive data via application programming interface (API) requests that include the identifier of a valid user. These requests are successful because the authentication or…

In Other News: Data Breach Cost Rises, Russia Targets Diplomats, Tracker Alerts in Android 

SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under the radar. We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape. Each week, we will curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and…

Exploitation of Recent Citrix ShareFile RCE Vulnerability Begins

Threat intelligence company GreyNoise says it has observed the first attempts to exploit a recent critical remote code execution (RCE) vulnerability in Citrix ShareFile. A popular cloud-based file-sharing and collaboration solution, ShareFile allows users to store files in their own data centers via a storage zones controller (or storage center), a .NET web application running under Internet Information Services (IIS). The vulnerability, tracked as CVE-2023-24489 (CVSS score of 9.1), was the result of errors leading…

S3 Ep145: Bugs With Impressive Names!

by Paul Ducklin. ONE WEEK, TWO BWAINS. Apple patches two zero-days, one for a second time. How a 30-year-old cryptosystem got cracked. All your secret are belong to Zenbleed. Remembering those dodgy PC/Mac ads. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify and anywhere that good podcasts are found. Or…

US Senator Wyden Accuses Microsoft of ‘Cybersecurity Negligence’

Oregon senator Ron Wyden wants the U.S. government to hold Microsoft responsible for what he describes as “negligent cybersecurity practices” that enabled “a successful Chinese espionage campaign against the United States government.” In a strongly worded letter to Attorney General Merrick Garland and the heads of CISA and the FTC, Wyden said the software giant “bears significant responsibility” for the M365 cloud hack that started with the theft of a Microsoft encryption key. “Since the…

Zenbleed: How the quest for CPU performance could put your passwords at risk

by Paul Ducklin Remember Heartbleed? That was the bug, back in 2014, that introduced the suffix -bleed for vulnerabilities that leak data in a haphazard way that neither the attacker nor the victim can reliably control. In other words, a crook can’t use a bleed-style bug for a precision attack, such as “Find the shadow password file in the /etc directory and upload it to me,” or “Search backwards in memory until the first run…

Russia Sends Cybersecurity CEO to Jail for 14 Years

The Russian government today handed down a treason conviction and 14-year prison sentence on Ilya Sachkov, the former founder and CEO of one of Russia’s largest cybersecurity firms. Sachkov, 37, has been detained for nearly two years under charges that the Kremlin has kept classified and hidden from public view, and he joins a growing roster of former Russian cybercrime fighters who are now serving hard time for farcical treason convictions. …

Ex-NSA Official Harry Coker Tapped for National Cyber Director Job

Former Navy commander and senior official in the NSA and CIA Harry Coker has been formally tapped to replace the retired Chris Inglis as the U.S. government’s National Cyber Director. Coker’s nomination, announced by the Biden administration on Wednesday, puts him in line to lead the implementation of the government’s newly formed national cybersecurity strategy and manage the tricky relationship between the federal government and big-tech vendors struggling to cope with nonstop malicious hacker attacks.…