There are a lot of resources out there on Twitter, Reddit, and YouTube about this epic vulnerability. I wanted to create this post to summarize the main things I learned, ways to test it as a pentester, and the mitigation controls that help prevent the exploitation of this vulnerability.
A Romanian vulnerability researcher has discovered more than 70 flaws in combinations of cloud applications and content delivery networks (CDNs) that could be used to poison the CDN caches and result in denial-of-service (DoS) attacks on the applications.
One could argue that the last few years have highlighted some of the most pressing semiconductor industry issues but there are challenges on the horizon well beyond current supply chain and silicon manufacturing bottlenecks.
In light of recent incidents that impacted both information technology (IT) and operational technology (OT) environments, organizations are increasingly evaluating the risks associated with growing IT/OT convergence.
On the surface, ISO 27701 and GDPR are entirely different. The GDPR is a mandatory regulation for companies handling European data, and ISO 27701 is an extension of an optional certification, ISO 27001. Despite their differences, they contemplate many of the same considerations.
The Graviton family of Arm server chips designed by the Annapurna Labs division of Amazon Web Services is arguably the highest-volume line of Arm server chips in the datacenter market today, and they have precisely one – and only one – customer. Well, direct customer.
If you look at the past, patch management was not a cybersecurity issue; rather, it was an IT issue. And it wasn’t until the emergence of Code Red in 2001 that Microsoft started issuing patches to plug security vulnerabilities in its software.
Verizon and AT&T said on Monday that they have voluntarily agreed to further delay the rollout of their next-generation 5G wireless technology at the request of U.S. Transportation Secretary Pete Buttigieg.
During our 2021 Financial Institution Cyber Drill, 204 security professionals in 38 teams were given the task to act as ‘Incident Handlers’ and identify, investigate and provide recommendations to resolve these issues from the artifacts provided by BGD e-GOV CIRT.
Cybersecurity researchers have detailed a high severity flaw in KCodes NetUSB component that’s integrated into millions of end-user router devices from Netgear, TP-Link, Tenda, EDiMAX, D-Link, and Western Digital, among others.
Proving that whenever you buy something new, a better thing immediately comes out, the PCI-SIG announced the release of PCIe 6.0 on Tuesday, which will double the raw data rates of the PCIe 5.0 technology that only just debuted in Intel’s 12th-gen ‘Alder Lake’ Core processors.
Not every manufacturing node comes out perfectly and not every one comes out on time, but in the past decade and a half, Taiwan Semiconductor Manufacturing Co, the world’s largest and most technologically advanced etcher of chips, has done far better than any of its few remaining peers to push the chip manufacturing envelope while also maintaining consistent and profitable production of older nodes.
The first half of the year saw massive ransomware attacks that affected parts of critical infrastructure all around the world, as well as a vulnerability in IT management software. This vulnerability targeted the public sector, credit unions, schools, and other essential services.
Satellite broadband made the news again recently when the Chinese government said it had to adjust the orbits of the Chinese space station to avoid collisions with Starlink satellites. China claims it had to make adjustments in July and October of last year.
Exploit code has been released for a serious code-execution vulnerability in Log4j, an open source logging utility that’s used in countless apps, including those used by large enterprise organizations, several websites reported last Thursday.
The Tuesday outage at an Amazon Web Services data center affected services from several collaboration software vendors, highlighting how reliant companies have become on cloud providers for a variety of workplace tools.
Cybersecurity researchers have demonstrated a new attack technique that makes it possible to leverage a device’s Bluetooth component to directly extract network passwords and manipulate traffic on a Wi-Fi chip, putting billions of electronic devices at risk of stealthy attacks.
In late 2021, the term Web3 began to increasingly appear in mainstream media outlets. This does not refer, however, to a sudden increase in interest in the Semantic Web as defined by Tim Berners-Lee, but rather to something entirely different.
It also found affected hospitals had tens of thousands of outdated Windows 7 systems, and that the health system’s IT administrators failed to respond to multiple warning signs that a massive attack was imminent.
At 10:30 p.m. PST on Oct. 6, Twitch released the following statement on its corporate blog: “We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.”
In a highly anticipated decision, a judge of the United States International Trade Commission ruled in August that Google infringed five patents owned by speaker maker Sonos. The case charged Google with copying Sonos’ patented technology in its Google Home smart speakers.
Americans, and not just Americans, are well aware of how deep the dysfunction of the ruling factions runs. Many older ones remember the abuses of the Intelligence Community and the warnings against the Military-Industrial Complex; they have lived long enough to see the political resistance to the Community and the Complex shift, under pressure of deliberate policies, from the Left to the Right.
The rumors spread like wildfire: Muslims were secretly lacing a Sri Lankan village’s food with sterilization drugs. Soon, a video circulated that appeared to show a Muslim shopkeeper admitting to drugging his customers — he had misunderstood the question that was angrily put to him.
Antitrust has not had its moment since the 1911 breakup of Standard Oil. But this past year, policymakers and government leaders around the globe have been taking a hard look at the technology markets.
For well over a decade, I have been arguing that governments should create IT accident investigation boards for the exact same reasons they have done so for ships, railroads, planes, and in many cases, automobiles.
Yet risks remain, and once the genie is out of the bottle, they are often difficult to manage and contain—they range from unintended consequences and side effects to threats to privacy and loss or misdirection of control.
How can we change the field of computing so that ethics is as central a concern as growth, efficiency, and innovation? There is no one intervention to change an entire field: instead, broad change will take a combination of guidelines, governance, and advocacy.
The dominant regime of the electric age—“democracy” mediated and managed by corporate journalists, academics, experts—is being slowly eaten by a new cybernetic order, mediated by algorithm and increasingly not managed at all.
The metaverse is, as they say, happening. Mark Zuckerberg announced last month that Facebook’s parent company, now called Meta, will take the lead in building out an immersive, interactive, and ubiquitous network of virtual environments that he envisions as the next phase of the Internet.
When Google introduced Manifest V3 in 2019, web extension developers were alarmed at the amount of functionality that would be taken away for features they provide users. Especially features like blocking trackers and providing secure connections.
In preventing people like me from accessing Twitter despite plainly qualifying under their own terms of service — and in failing to provide the kind of communication Dorsey testified under oath occurs in situations like mine — Twitter is arguably engaging in fraud, telling the public one thing while engaging in the opposite.
Privacy law is manifested in practice as a litany of “Agree” buttons to consent to data collection and a series of long, convoluted statements of data collection practices that are supposed to give users enough notice about what companies do with our data to enable us to make informed decisions.
It’s been 24 hours since Jack’s resignation, and while I’m not really interested in the evolving loser drama surrounding the new CEO’s decade-old tweets, it is worth noting that Twitter has already updated its content policy in a manner that effectively makes citizen journalism impossible.
In one of the more unusual cybersecurity policing stories of the past year, the FBI announced in June that it had created its own company, called ANOM, to sell devices with a pre-installed encrypted messaging app to criminals.
In its response to Stossel’s defamation claim, Facebook responds on Page 2, Line 8 in the court document (download it below) that Facebook cannot be sued for defamation (which is making a false and harmful assertion) because its ‘fact checks’ are mere statements of opinion rather than factual assertions.
It is refreshing to find instances in the IT sector where competing groups with their own agendas work together for the common good and the improvement of systems everywhere. So it is with the absorption of the Gen-Z Consortium by the CXL Consortium.
From the recent writeup of the DNS work at the IETF it’s clear that a large amount of attention is being focused on the DNS. It’s not just an IETF conversation, or a DNS OARC conversation, but a conversation that involves a considerable amount of research activity as well.
It seems like Antarctica’s McMurdo Station could be getting high-speed internet—a modern-day luxury feature that could connect its remote laboratories (and seasonal tourist hub) to the rest of the world. The station is located on an island just off the northwestern part of the continent and is the largest US research hub in Antarctica.
Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in acquiring remote access credentials — such as usernames and passwords needed to remotely connect to the target’s network.
Let’s say you’re tasked with selecting a strong authentication solution for your organisation. Where do you begin? This article is the first of a series that will explore authentication and authorisation technologies in the context of recent exploits and developing trends.
At the University of California, Riverside, we found the current design and implementation of modern OSes can lead to side-channel-based DNS cache poisoning attacks, namely SAD DNS (Side-channel AttackeD DNS).
If you’re looking for a rugged case for your phone or tablet, you’ve probably seen the terms MIL-SPEC or MIL-STD. But what do they mean? It’s a simple standard, but its appearance on product packaging is a complex topic.
Web 1.0 was from 1991 to 2004 when web users were consumers of content, and the web was a series of static websites. Web 2.0 emerged in 2004 as user-created content overtook static content. The big winners in this era have been the huge social media platforms that became some of the biggest companies on the planet.
Manifest V3, Google Chrome’s soon-to-be definitive basket of changes to the world of web browser extensions, has been framed by its authors as “a step in the direction of privacy, security, and performance.”
Threat actors are increasingly banking on the technique of HTML smuggling in phishing campaigns as a means to gain initial access and deploy an array of threats, including banking malware, remote administration trojans (RATs), and ransomware payloads.
As telehealth and digital platforms cement their role in the post-pandemic future, it’s imperative for the digital health ecosystem to find ways of enhancing support networks, marking the transition from telehealth to tele-wellbeing.
One of the more common ways cybercriminals cash out access to bank accounts involves draining the victim’s funds via Zelle, a “peer-to-peer” (P2P) payment service used by many financial institutions that allows customers to quickly send cash to friends and family.
Speculative execution attacks present an enormous security threat, capable of reading arbitrary program data under malicious speculation, and later exfiltrating that data over microarchitectural covert channels. This paper proposes speculative taint tracking (STT), a high security and high performance hardware mechanism to block these attacks.
Researchers have demonstrated yet another variant of the SAD DNS cache poisoning attack that leaves about 38% of the domain name resolvers vulnerable, enabling attackers to redirect traffic originally destined to legitimate websites to a server under their control.
Networking equipment company Netgear has released yet another round of patches to remediate a high-severity remote code execution vulnerability affecting multiple routers that could be exploited by remote attackers to take control of an affected system.
A new analysis of website fingerprinting (WF) attacks aimed at the Tor web browser has revealed that it’s possible for an adversary to glean a website frequented by a victim, but only in scenarios where the threat actor is interested in a specific subset of the websites visited by users.
No fewer than 1,220 Man-in-the-Middle (MitM) phishing websites have been discovered as targeting popular online services like Instagram, Google, PayPal, Apple, Twitter, and LinkedIn with the goal of hijacking users’ credentials and carrying out further follow-on attacks.
Kaspersky today publishes its Distributed Denial of Service (DDoS) Q3 2021 report, which found that, compared with Q3 2020, the total number of DDoS attacks increased by nearly 24%, while the total number of smart attacks (advanced DDoS attacks that are often targeted) increased by 31% over the same period.
If you’ve been perusing cryptocurrency forums or video-game news recently—or spying everything from New York Times job listings to zany Twitter threads claiming that the traditional job interview is about to be replaced by blockchain-based “quests, adventures and courses to prove your worth”—you might have run into the term “Web3.”
When Facebook announced last month that it was rebranding as Meta, CEO Mark Zuckerberg enthusiastically described the metaverse his company would soon build, promising it would be a world “as detailed and convincing as this one” where “you’re going to be able to do almost anything you can imagine.”
In a previous blog, we shared how Paragon™ Pathfinder plays an important role in closed-loop automation by tuning the paths of RSVP or Segment-Routed Traffic Engineered LSPs according to changing conditions that it observes in the live network.
Smishing messages usually include a link to a site that spoofs a popular bank and tries to siphon personal information. But increasingly, phishers are turning to a hybrid form of smishing — blasting out linkless text messages about suspicious bank transfers as a pretext for immediately calling and scamming anyone who responds via text.
A state-sponsored threat actor allegedly affiliated with Iran has been linked to a series of targeted attacks aimed at internet service providers (ISPs) and telecommunication operators in Israel, Morocco, Tunisia, and Saudi Arabia, as well as a ministry of foreign affairs (MFA) in Africa, new findings reveal.
As many as 13 security vulnerabilities have been discovered in the Nucleus TCP/IP stack, a software library now maintained by Siemens and used in three billion operational technology and IoT devices that could allow for remote code execution, denial-of-service (DoS), and information leak.
A few months ago, Proofpoint, a leading vendor of data loss prevention software, filed a lawsuit against a former employee for stealing confidential sales-enablement data prior to leaving for Abnormal Security, a market rival.
We’ve had too many face-palm-worthy incidents of organizations hearing “hey, I found your data in a world readable S3 bucket” or finding a supposedly “test” server exposed that had production data in it.
Virtually all compilers — programs that transform human-readable source code into computer-executable machine code — are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns.
In the 2021 Domain Security Report, we analyzed the trend of domain security adoption with respect to the type of domain registrar used, and found that 57% of Global 2000 organizations use consumer-grade registrars with limited protection against domain and DNS hijacking, distributed denial of service (DDoS), man-in-the-middle attacks (MitM), or DNS cache poisoning.
When it comes to cybersecurity, risks are omnipresent. Whether it is a bank dealing with financial transactions or medical providers handling the personal data of patients, cybersecurity threats are unavoidable. The only way to efficiently combat these threats is to understand them.
A new multistage phishing campaign spoofs Amazon’s order notification page and includes a phony customer service voice number where the attackers request the victim’s credit card details to correct the errant “order.”
Traditional security gives value to where the user is coming from. It uses a lot of trust because the user’s location or IP address (perimeter model) is used to define the user to the system. In a zero-trust model, we assume zero units of trust before we grant you access to anything and verify a lot of other information before granting access.
Two senators have introduced bipartisan legislation that would make it harder for online tech giants to make acquisitions that “harm competition and eliminate consumer choice,” according to the office of Sen. Amy Klobuchar (D-Minn.), one of the bill’s co-sponsors.
A team of tech companies including Google, Salesforce, Slack, and Okta recently released the Minimum Viable Secure Product (MVSP) checklist, a vendor-neutral security baseline listing minimum acceptable security requirements for B2B software and business process outsourcing suppliers.