Category: AI in news
Aug 16, 2024Ravie LakshmananCyber Attack / Malware Chinese-speaking users are the target of an ongoing campaign that distributes malware known as ValleyRAT. “ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage,” Fortinet FortiGuard Labs researchers Eduardo Altares and Joie Salvio said.…
Read More
SaaS applications have become indispensable for organizations aiming to enhance productivity and streamline operations. However, the convenience and efficiency these applications offer come with inherent security risks, often leaving hidden gaps that can be exploited. Conducting thorough due diligence on SaaS apps is essential to identify and mitigate these risks, ensuring the protection of your…
Read MoreNew Windows IPv6 Zero-Click Vulnerability The press is reporting a critical Windows vulnerability affecting IPv6. As Microsoft explained in its Tuesday advisory, unauthenticated attackers can exploit the flaw remotely in low-complexity attacks by repeatedly sending IPv6 packets that include specially crafted packets. Microsoft also shared its exploitability assessment for this critical vulnerability, tagging it with…
Read More
Aug 16, 2024Ravie LakshmananMobile Security / Software Security A large percentage of Google’s own Pixel devices shipped globally since September 2017 included dormant software that could be used to stage nefarious attacks and deliver various kinds of malware. The issue manifests in the form of a pre-installed Android app called “Showcase.apk” that comes with excessive…
Read More
AI start-up Anthropic launches bug reporting scheme Artificial intelligence startup Anthropic launched a vulnerability disclosure program (VDP), managed by HackerOne, in August with bounty rewards up to $15,000 for novel, universal jailbreak attacks that could expose vulnerabilities in critical, high-risk domains such as CBRN (chemical, biological, radiological, and nuclear) and cybersecurity. A jailbreak attack in…
Read More
An analysis of build artifacts generated by GitHub Actions workflows inside open-source repositories belonging to major companies revealed sensitive access tokens to third-party cloud services, as well as GitHub itself. In addition, a change made this year in the GitHub artifacts feature has introduced a race condition that attackers can exploit to abuse previously unusable…
Read More
A great many readers this month reported receiving alerts that their Social Security Number, name, address and other personal information were exposed in a breach at a little-known but aptly-named consumer data broker called NationalPublicData.com. This post examines what we know about a breach that has exposed hundreds of millions of consumer records. We’ll also…
Read More
How does this lead to misconfigurations? Let’s assume an administrator creates a CRT with “No Permissions Required.” In adding custom fields, he wants some fields to be readable by unauthenticated users, so he sets their Default Access Level to View; other fields that should not be readable, he sets Default Access Level to None, assuming…
Read More
However, researchers noted in the FAQ that the Repository does have several limitations, including being limited to risks from the 43 taxonomies, so it “may be missing emerging, domain-specific risks, and unpublished risks, and has potential for errors and subject bias; we used a single expert reviewer for extraction and coding.” Despite those shortcomings, the…
Read MoreNIST Releases First Post-Quantum Encryption Algorithms From the Federal Register: After three rounds of evaluation and analysis, NIST selected four algorithms it will standardize as a result of the PQC Standardization Process. The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes: CRYSTALS-Dilithium, FALCON, and SPHINCS+. These algorithms are part of three…
Read More