Enlarge (credit: Aurich Lawson | Getty Images) Researchers on Wednesday announced a major cybersecurity find—the world’s first-known instance of real-world malware that can hijack a computer’s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows. Dubbed …
The field of machine learning (ML) security—and corresponding adversarial ML—is rapidly advancing as researchers develop sophisticated techniques to perturb, disrupt, or steal the ML model or data. It’s a heady time; because we know so little about the security of these systems, there are many opportunities …
A group of Swiss researchers have published an impressive security analysis of Threema. We provide an extensive cryptographic analysis of Threema, a Swiss-based encrypted messaging application with more than 10 million users and 7000 corporate customers. We present seven different attacks against the protocol in three different threat models …
This group has found a ton of remote vulnerabilities in all sorts of automobiles. It’s enough to make you want to buy a car that is not Internet-connected. Unfortunately, that seems to be impossible. [...]
A critical code-execution vulnerability in Microsoft Windows was patched in September. It seems that researchers just realized how serious it was (and is): Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning …
Security researchers found a software bug in the KmsdBot cryptomining botnet: With no error-checking built in, sending KmsdBot a malformed command—like its controllers did one day while Akamai was watching—created a panic crash with an “index out of range” error. Because there’s no persistence, the bot …
Eufy cameras claim to be local only, but upload data to the cloud. The company is basically lying to reporters, despite being shown evidence to the contrary. The company’s behavior is so egregious that ReviewGeek is no longer recommending them. This will be interesting to watch. If Eufy …
This is new : Newly revealed research shows that a number of major car brands, including Honda, Nissan, Infiniti, and Acura, were affected by a previously undisclosed security bug that would have allowed a savvy hacker to hijack vehicles and steal user data. According to researchers, the bug was in …
Enlarge (credit: Getty Images) As Elon Musk critics flee from Twitter, Mastodon seems to be the most common replacement. In the last month, the number of monthly active users on Mastodon has rocketed more than threefold, from about 1 million to 3.5 million, while total number of users …
Twitter is having intermittent problems with its two-factor authentication system: Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. But users have been …
There are no details yet, but it’s really important that you patch Open SSL 3.x when the new version comes out on Tuesday. How bad is “Critical”? According to OpenSSL, an issue of critical severity affects common configurations and is also likely exploitable. It’s likely to …
Nice work : Radio relay attacks are technically complicated to execute, but conceptually easy to understand: attackers simply extend the range of your existing key using what is essentially a high-tech walkie-talkie. One thief stands near you while you’re in the grocery store, intercepting your key’s transmitted signal …
Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software. Why can’t the cryptocurrency industry solve the problem the way the software and hardware industries do, by patching and updating security as flaws are found? Two reasons: First, many customers don’t have …
Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group. [...]
Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed. [...]
CISA is warning that Palo Alto Networks’ PAN-OS is under active attack and needs to be patched ASAP. [...]
Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack. [...]
An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack. [...]
This vulnerability was reported to Zoom last December: The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their …
Mobile transactions could’ve been disabled, created and signed by attackers. [...]
‘Summer Camp’ for hackers features a compromised satellite, a homecoming for hackers and cyberwarfare warnings. [...]
The CISA has seen a resurgence of the malware targeting a range of verticals and critical infrastructure organizations by exploiting RDP, firewall vulnerabilities. [...]
August Patch Tuesday tackles 121 CVEs, 17 critical bugs and one zero-day bug exploited in the wild. [...]
Separate phishing campaigns targeting thousands of victims impersonate FedEx and Microsoft, among others, to trick victims. [...]
Vulnerability—for which a proof-of-concept is forthcoming—is one of a string of flaws the company fixed that could lead to an attack chain. [...]