An analysis of build artifacts generated by GitHub Actions workflows inside open-source repositories belonging to major companies revealed sensitive access tokens to third-party cloud services, as well as GitHub itself. In addition, a change made this year in the GitHub artifacts feature has introduced a race condition that attackers can exploit to abuse previously unusable…
Read MoreA great many readers this month reported receiving alerts that their Social Security Number, name, address and other personal information were exposed in a breach at a little-known but aptly-named consumer data broker called NationalPublicData.com. This post examines what we know about a breach that has exposed hundreds of millions of consumer records. We’ll also…
Read More‘Now more clearly than ever, we are seeing that public AI alone cannot address the increasing needs of either individuals or enterprises,’ Lenovo CEO Yuanqing Yang said in announcing first quarter earnings on Thursday. ‘Hybrid AI, which is formed by personal AI, enterprise AI, together with public AI, is indeed the way forward.’ Lenovo said…
Read MoreMicrosoft removed today an arbitrary 32GB size limit for FAT32 partitions in the latest Windows 11 Canary build, now allowing for a maximum size of 2TB. “When formatting disks from the command line using the format command, we’ve increased the FAT32 size limit from 32GB to 2TB,” the Windows Insider team said today. Previously, despite…
Read MoreHow does this lead to misconfigurations? Let’s assume an administrator creates a CRT with “No Permissions Required.” In adding custom fields, he wants some fields to be readable by unauthenticated users, so he sets their Default Access Level to View; other fields that should not be readable, he sets Default Access Level to None, assuming…
Read MoreCISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-28986 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk…
Read MoreRansomHub ransomware operators are now deploying new malware to disable Endpoint Detection and Response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks. Named EDRKillShifter by Sophos security researchers who discovered it during a May 2024 ransomware investigation, the malware deploys a legitimate, vulnerable driver on targeted devices to escalate privileges, disable security…
Read MoreWhen tech companies look for ways to optimize operations, respond to changing market conditions, re-adjust priorities, or even shut down their operation, the impact on employee livelihood can be big. CRN looks at 10 of the most significant tech layoffs that have made their mark so far in 2024. IT Sector Layoffs Still Happening In…
Read MoreHowever, researchers noted in the FAQ that the Repository does have several limitations, including being limited to risks from the 43 taxonomies, so it “may be missing emerging, domain-specific risks, and unpublished risks, and has potential for errors and subject bias; we used a single expert reviewer for extraction and coding.” Despite those shortcomings, the…
Read MoreNIST Releases First Post-Quantum Encryption Algorithms From the Federal Register: After three rounds of evaluation and analysis, NIST selected four algorithms it will standardize as a result of the PQC Standardization Process. The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes: CRYSTALS-Dilithium, FALCON, and SPHINCS+. These algorithms are part of three…
Read More