The CSRB’s recommendations cover many areas, starting with implementing modern control mechanisms and baseline practices across digital identity and credential systems. The report also stresses the importance of establishing a minimum standard for default audit logging in cloud services. “CSPs should maintain sufficient forensics to detect exfiltration of those data, including logging all access to…
Read MoreWelcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cyber security and this bi-weekly publication is your gateway to the latest news. In this week’s edition of the roundup, we will…
Read More10web — photogallery The current_url parameter of the AJAX call to the GalleryBox action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the current_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. No authentication is required to exploit this issue.…
Read MoreApr 03, 2024NewsroomMobile Security / Zero Day Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies. The high-severity zero-day vulnerabilities are as follows – CVE-2024-29745 – An information disclosure flaw in the bootloader component CVE-2024-29748 – A privilege escalation flaw in the firmware…
Read MoreApr 03, 2024NewsroomData Breach / Incident Response The U.S. Cyber Safety Review Board (CSRB) has criticized Microsoft for a series of security lapses that led to the breach of nearly two dozen companies across Europe and the U.S. by a China-based nation-state group called Storm-0558 last year. The findings, released by the Department of Homeland…
Read MoreApr 03, 2024NewsroomBrowser Security / Session Hijacking Google on Tuesday said it’s piloting a new feature in Chrome called Device Bound Session Credentials (DBSC) to help protect users against session cookie theft by malware. The prototype – currently tested against “some” Google Account users running Chrome Beta – is built with an aim to make…
Read MoreRoughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called “The Manipulaters,” a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research…
Read MoreWhile using public AI tools, fewer than half (47%) have an AI Acceptable Use Policy, opening them to risks of losing intellectual property and competitive advantage. This is despite a high (60% use ChatGPT and 40% use Gemini) usage of such tools. Additionally, among the 80% organizations that believed their data was ready for AI,…
Read MoreApr 03, 2024The Hacker NewsCybersecurity / Penetration Testing Attack surface management (ASM) and vulnerability management (VM) are often confused, and while they overlap, they’re not the same. The main difference between attack surface management and vulnerability management is in their scope: vulnerability management checks a list of known assets, while attack surface management assumes you…
Read MoreClass-Action Lawsuit against Google’s Incognito Mode The lawsuit has been settled: Google has agreed to delete “billions of data records” the company collected while users browsed the web using Incognito mode, according to documents filed in federal court in San Francisco on Monday. The agreement, part of a settlement in a class action lawsuit filed…
Read More