News

Researchers at French offensive hacking shop Synacktiv have demonstrated a pair of successful exploit chains against Tesla’s newest electric car to take top billing at the annual Pwn2Own software exploitation contest. Pwn2Own organizers confirmed the successful hacks exploited flaws in the Tesla-Gateway and Tesla-Infotainment sub-systems to “fully compromise” a new Tesla Model 3 vehicle. The first Tesla hack, described as a TOCTOU (time-of-check to time-of-use) race condition, earned the hackers a $100,000 cash prize and…

Read More

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) this week announced new guidance for identity and access management (IAM) administrators. A framework for the management of digital identities, IAM covers the business processes, policies, and technologies that ensure user access to data. The basis for proper IAM involves inventorying, auditing, and tracking user identities and access, which represent daunting but necessary operations, especially with state-sponsored groups successfully exploiting vulnerabilities in…

Read More

Looking to grab a slice of the lucrative enterprise AppSec market, Backslash Security emerged from stealth Wednesday with $8 million in seed-stage capital and new technology to identify and mitigate “toxic code flows” in cloud-native applications.  The Israeli startup said the financing was provided by StageOne Ventures, First Rays Venture Partners, D. E. Shaw & Co.  A roster of prominent security practitioners and entrepreneurs also joined the round.  Based in Tel Aviv, Backslash is building…

Read More

Security startup 443ID, which previously focused on bringing open source intelligence (OSINT) to access management, is now refocusing its solution to tackle account fraud detection and prevention, and has changed its name to Verosint to better describe its new focus. It is launching what is technically version 2 of 443ID’s IAM platform, but is effectively version 1 of Verosint’s account fraud solution. “The previous product was focused on measuring the likelihood of risk to enable…

Read More

Cryptocurrency ATM manufacturer General Bytes over the weekend disclosed a security incident that resulted in the theft of millions of dollars’ worth of funds. The attackers, the company says, exploited a vulnerability in the master service interface that Bitcoin ATMs use to upload videos, which allowed them to upload a JavaScript script and execute it with batm user privileges. “The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services…

Read More

Chinese technology giant Huawei has replaced thousands of product components banned by the United States with homegrown versions, its founder has said, according to a transcript of a recent speech released by a Shanghai university. A leading supplier of telecom gear, smartphones and other advanced equipment, Huawei has been repeatedly targeted by Washington in recent years over cybersecurity and espionage concerns. The administration of former president Donald Trump effectively barred American companies from doing business…

Read More

The Federal Bureau of Investigation (FBI), the Cybersecurity and Information Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) this week issued an alert on the LockBit 3.0 ransomware operation. Since January 2020, LockBit has functioned based on the ransomware-as-a-service (RaaS) model, targeting a broad range of businesses and critical infrastructure entities and using a variety of tactics, techniques, and procedures (TTPs). Also referred to as LockBit Black, LockBit 3.0 has a…

Read More

Facebook parent Meta has officially unveiled a ten-phase kill chain model that it believes will be more inclusive and more effective than the existing range of kill chain models. Cybersecurity theorists have long sought to understand the stages of an attack. The idea is simple: if you can recognize a stage in the attack process, you will be more able to disrupt the attack and protect your assets. This has led to the development of…

Read More

The US Justice Department on Tuesday announced charges against two men from New York and Rhode Island over their alleged roles in a doxing operation that involved hacking into a law enforcement portal and a police official’s email account. The suspects, 19-year-old Sagar Steven Singh (aka Weep) and 25-year-old Nicholas Ceraolo (aka Convict and Ominous), have been charged with conspiracy to commit computer intrusions, for which they face up to five years in prison. Ceraolo…

Read More