-
15 votes
-
Disclosure of a vulnerability in AI Dungeon that enabled accessing all users' private adventures, scenarios, and posts via its GraphQL API
16 votes -
An update on the UMN affair
10 votes -
After decades of not using them, the Pentagon has given control of millions of IP addresses to a previously unknown company in an effort to identify possible cyber vulnerabilities and threats
17 votes -
5G: The outsourced elephant in the room
12 votes -
A "worst nightmare" cyberattack: The story of the SolarWinds hack
7 votes -
Team Navalny apologizes after database of email addresses registered for planned protest leaks online
7 votes -
Introduction to SQL Injection - SQLi for Beginners
10 votes -
US intelligence community publishes Global Trends 2040: A More Contested World
17 votes -
Rust in the Android platform
7 votes -
Iran and China sign economic and security agreement, challenging US pressure on the state
8 votes -
I now own the Coinhive domain. Here's how I'm fighting cryptojacking and doing good things with content security policies.
15 votes -
The "S" in "IoT" is for Security
29 votes -
Whistleblower alleges Ubiquiti massively downplayed a “catastrophic” incident to minimize the hit to its stock price
18 votes -
Engineer reports data leak to nonprofit, hears from the police
11 votes -
WireGuard bounces off FreeBSD—for now
7 votes -
Tracing paper - A brief history of the secret plan to track every printed page
6 votes -
Norway prevents sale of Rolls-Royce subsidiary Bergen Engines to Russia – government has blocked the sale on the grounds of national security
8 votes -
A comparative analysis of security, privacy, and censorship issues in TikTok and Douyin, both developed by ByteDance
5 votes -
Finding and fixing a rare race-condition in GitHub's session handling
6 votes -
Can we stop pretending SMS is secure now?
17 votes -
Exploiting machine learning models distributed as Python pickle files, and introducing Fickling: a new tool for analyzing and modifying pickle bytecode
3 votes -
Introduction to Malware Analysis — Malware Explained
4 votes -
Hackers break into thousands of security cameras, exposing Tesla, jails, hospitals
16 votes -
New technique reveals centuries of secrets in locked letters
4 votes -
The lead developer of curl analyzed its known security vulnerabilities and determined that half of them are related to it being written in C
12 votes -
HTTP is fundamental to modern development. But like any widespread mature standard, it's got some funky skeletons in the closet.
9 votes -
At least 30,000 US organizations newly hacked via holes in Microsoft’s email software
19 votes -
Friday Security Briefing
Friday Security Briefing Hello there! I hope you're all looking forward to something this weekend. Today's briefing will cover a captivating tale of scheming against financial centers, woes of...
Friday Security Briefing
Hello there! I hope you're all looking forward to something this weekend. Today's briefing will cover a captivating tale of scheming against financial centers, woes of virtual networking, and the possibility of Russia behaving quite unnecessarily.
"Listen, or your tongue will make you deaf." ~ Unattributed proverb
Wall Street targeted by new Capital Call investment email scammers
The tactic of exploiting enterprise email systems remains a successful and active attack vector for bad actors. The emerging development is the use of "capital call" style scam, wherein scammers pretend to have investor or insurance business with the business.
"In an example shared by the researchers, the scam email attached a Capital Call Notice for US $970,357.00 to be deposited into a bank account under the fraudsters’ control."
"If the targeted investor was duped into wiring the funds, then it is likely that money would be quickly moved into other accounts and withdrawn by mules to prevent the payment from being returned to the victim."
The flexibility that cryptocurrencies provide to discreetly rearrange money may actually be disadvantageous for banks in certain situations.
Source: Tripwire, Wall Street targeted by new Capital Call investment email scammers
High severity Linux network security holes found, fixed
(CVE-2021-26708) Alexander Popov of London has discovered five security holes in the Linux kernel's virtual socket implementation. This is concerning, my personal use of virtual networking systems could be a lot more thought out. I do tend to keep my use of libvirt to a minimum but ideally I would be running my virtualization workstation on a separate box optimized for safe practices.
"These holes entered Linux when virtual socket multi-transport support was added. This networking transport facilitates communication between virtual machines (VM) and their host. It's commonly used by guest agents and hypervisor services that need a communications channel that is independent of the VM network configuration. As such, people who are running VMs on the cloud, which is pretty much everyone these days, are especially vulnerable."
Source: ZDNet, High severity Linux network security holes found, fixed
Ukraine: DDoS attacks on govt sites originated from Russia
Ukraine is proposing that information on the threat actors responsible for a DDoS on Ukrainian government websites originated from Russian domains.
However, they did not claim that the threat actors were affiliated with the Russian state.
I am curious about the motivations if this was sanctioned by Russia. Are they testing their capabilities against a softer target in order to learn from the European and American Cyber-Defense response? Perhaps this was a way for Russia to demonstrate it's competency at cyber warfare.
"The National Coordination Center for Cybersecurity (NCCC) at the NSDC states that these DDoS attacks have been massive and have targeted government websites in the defense and security sector."
Possible retaliation?
"Last week, news leaked that Ukrainian law enforcement, in cooperation with the US and French police, arrested alleged Egregor ransomware operation members.
Three days later, the Security Service of Ukraine (SBU) issued a press release about the Egregor arrests and seizing the ransomware group's equipment."
Source: Bleeping Computer, Ukraine: DDoS attacks on govt sites originated from Russia
8 votes -
Bitsquatting windows.com with fourteen domains that are one bitflip away
18 votes -
Gab removes their public Git repository after it reveals their developers adding (and struggling to fix) basic security issues that led to a 70GB data leak
12 votes -
What are security, privacy, and anonymity?
6 votes -
The Great Suspender and the problem of malware being introduced into open-source browser extensions
15 votes -
Researcher hacks over 35 tech firms via package/dependency managers
13 votes -
Firefox 85 cracks down on supercookies
18 votes -
List of emails SponsorBlock's creator has received about inserting malware into the extension
17 votes -
A detailed look into the Stack Exchange network's May 2019 security incident
9 votes -
ADT employee covertly accessed about 200 security cameras he installed to spy on people having sex
9 votes -
Finding vulnerabilities in the calling state machines of video/audio messaging platforms
3 votes -
Becoming physically immune to brute-force attacks
11 votes -
Overthewire: Learn Hacking By Playing Games
9 votes -
Declassification of secret document reveals US strategy in the Indo-Pacific
7 votes -
SolarWinds: New findings from our investigation of SUNBURST
6 votes -
70TB of Parler users’ messages, videos, and posts leaked by security researchers
42 votes -
Steam's login method is kinda interesting
27 votes -
New side-channel attack can recover encryption keys from hardware security keys
5 votes -
I'm thinking of getting a password manager. How does it work and any advice on transitioning to one?
The reason why is to make more accounts for reddit, YouTube (one for entertainment and Portuguese content each) news sites where signing up is an alternative to pass a paywall and other sites with...
The reason why is to make more accounts for reddit, YouTube (one for entertainment and Portuguese content each) news sites where signing up is an alternative to pass a paywall and other sites with comment sections.
Bad euphemism bro.Also some sense of "praxis" in order to gain privacy.Edit: And also getting anxious at the idea of remembering all my passwords, and putting them in a note in my old phone, which I am not bringing into my new phone and want to use this to delete.
According to these two articles, I can save my old passwords I had before and maybe even still make new ones after, and put them in a folder behind one true (master) password, which is the one you will truly care about, and they will be saved in a way in which the managing company won't know your password?
There's also figuring out which provider to use (and probably a similar post for alt-mail providers.) This is overwhelmingly for mobile (Android). No real space constraints for apps, only price, because I'm not working age.
27 votes -
Standard Notes completes penetration test and cryptography audit
14 votes -
JetBrains' continuous integration server TeamCity may have been compromised as part of the wide-reaching Russian hack of the US federal government
13 votes -
Neofeudalism and the digital manor
14 votes