We’re sure you’ve heard of OpenSSL, and even if you aren’t a coder yourself, you’ve almost certainly used it. OpenSSL is one of the most popular open-source cryptography libraries out there, and lots of well-known products rely on it, especially on Linux, which doesn’t have a standard, built-in encryption toolkit of its own. Even on Windows […]

Google has demonstrated exploiting the Spectre CPU attack remotely over the web: Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector. We […]

On March 2nd, Microsoft has released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions that are actively exploited in the wild. The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email […]

Apple has released out-of-band security patches to address a critical iOS, macOS, watchOS, and Safari web browser to address a security flaw tracked as CVE-2021-1844. The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research. The flaw could be exploited by remote attackers to run […]

We know what you’re thinking: “I bet you this is what they call a supply chain attack.” And you’d be right. The “one man” in the headline is cybersecurity researcher Alex Birsan, and his paper Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies, which came out last week, will tell you […]

Google last week announced the OSV (Open Source Vulnerabilities), a vulnerability database and triage infrastructure for open source projects. The database aims at helping both open source maintainers and consumers of open source projects. The archive could allow users and maintainers of open-source software to find the vulnerabilities that affect them, providing detailed info about […]

Microsoft doesn’t feel the bugs are important enough to fix immediately, although one researcher disagrees Several purported security flaws in Skype have been disclosed publicly, but Microsoft claims they do not need “immediate security servicing”. On February 2, researcher “mr.d0x,” also known as “TheCyberSecurityTutor”, publicly disclosed a “plague” of spoofing vulnerabilities in the Microsoft-owned remote […]

GitHub has analyzed over 45,000 active directories and found that open source vulnerabilities often go undetected for more than four years. Source: Open source vulnerabilities go undetected for over four years – Help Net Security The State of Open Source Security Vulnerabilities Resources for Searching and Analyzing Online Information Advanced Sciences and Technologies for Security […]

A researcher disclosed technical details of an unpatched vulnerability in Apple’s Safari web browser that can be exploited to steal files from the targeted system. Source: Expert discloses unpatched Safari flaw that allows stealing local files Download a Security Risk Assessment Steps paper! Security Risk assessment Quiz – Find Out How Your security risk assessment […]

Mozilla has expanded its bug bounty program including rewards for bypass methods for the exploit mitigations and security features in Firefox. Source: Mozilla offers rewards for Bypassing Firefox Exploit Mitigations Why Firefox is the best browser for privacy and how to configure things properly

Manufactured by Thales, the EHS8 module family has security flaws that could allow attackers to take total control over internet-connected industrial machines. Source: IBM finds vulnerability in IoT chips present in billions of devices   Download a Security Risk Assessment Steps paper! Security Risk assessment Quiz – Find Out How Your security risk assessment Stands […]

Researchers spotted a new sophisticated peer-to-peer (P2P) botnet, dubbed FritzFrog, that has been actively targeting SSH servers since January 2020. Source: FritzFrog cryptocurrency P2P botnet targets Linux servers over SSH   Download a Security Risk Assessment Steps paper! Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up! DISC InfoSec 🔒 […]

Google Chrome will warn users when submitting insecure forms that deliver information via HTTP connections on HTTPS websites starting with version 86. Source: Google Chrome will warn users when submitting insecure forms   Download a Security Risk Assessment Steps paper! Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up! DISC InfoSec […]

Security researchers have discovered a PoC code and exploit available online that can be used to trigger unpatched security flaws in Apache Struts 2. Security researchers have discovered a PoC code and exploit available on GitHub that that can be used to trigger the security vulnerabilities in Apache Struts 2. The Proof-of-concept exploit code was released last […]

Full details of security vuln plus proof-of-concept exploits revealed This critical-severity bug – scoring 9.9 out of 10 on the CVSS v3 meter – can be exploited by a rogue authenticated user, or someone whose access has been hijacked, to inject arbitrary code into an application server. This means they can run malicious commands they […]

FYI: Someone’s scanning gateways, looking for those security holes Citrix told you not to worry too much about Hackers hit honeypots hours after CISO downplays risk, proof-of-concept exploit code emerges. Source: FYI: Someone’s scanning gateways, looking for those security holes Citrix told you not to worry too much about Explore the subject of Cyber Attack […]

Google says Tsunami is an extensible network scanner for detecting high-severity vulnerabilities with as little false-positives as possible. Source: Google open-sources Tsunami vulnerability scanner | ZDNet The scanner has been used internally at Google and has been made available on GitHub Google Tsunami Security Scanner – Quick install an example run InfoSec Threats, Books and Training […]

Three ways that security teams can improve processes and collaboration, all while creating the common ground needed to sustain them. Source: Good Cyber Hygiene in a Post-Pandemic World Starts with Us Cyber ‘hygiene’ could resolve 90% of cyber attacks | FT Business Notebook Download a Security Risk Assessment steps paper! Download a vCISO template Subscribe […]

Researchers discovered multiple flaws in more than 40 drivers from at least 20 different vendors that could to install a persistent backdoor on Windows PCs. Source: Flaws in device drivers from 20 vendors allow hackers to install a persistent backdoor The security flaw in more than 40 Device Drivers from 20 hardware vendors Subscribe to […]