Weekend Reads 082021

Cross Site Scripting is the second most prevalent issue in the Open Source Foundation for Application Security (OWASP) top 10 – it’s found in roughly 2/3 of all applications.

Unidentified threat actors are actively exploiting a critical authentication bypass vulnerability to hijack home routers as part of an effort to co-opt them to a Mirai-variant botnet used for carrying out DDoS attacks, merely two days after its public disclosure.

Big O notation is an important tools for computer scientists to analyze the cost of an algorithm. Most software engineers should have an understanding of it.

Cybersecurity researchers have disclosed a new class of vulnerabilities impacting major DNS-as-a-Service (DNSaaS) providers that could allow attackers to exfiltrate sensitive information from corporate networks.

In his keynote, Tait, former information security specialist for the UK’s GCHQ and more recently a member of Google’s Project Zero team, outlined what he considers the three main factors that drove high-profile cyberattacks on Colonial Pipeline, Kaseya, Exchange Server, SolarWinds, and Codecov, as well as North Korea’s targeting of security researchers and the NSO Pegasus Project iOS hacks.

The two researchers reported the issues to Apple and many of them have been fixed. However, the security weaknesses are not just Apple’s problem but also represent issues that third-party software makers need to fix, said Offensive Security’s Fitzl during the presentation at Black Hat USA.

Advanced persistent threat (APT) groups have long sought credentials to access, move laterally throughout, and persist in target networks. Defenders have attempted to mitigate the risk with multifactor authentication (MFA), which, while effective in most cases, can fall short of protecting the most lucrative data.

Social media platforms are excellent hunting grounds for scammers. This is where we connect with our friends or people who we have something in common with. This is precisely what scammers exploit—our connections and the trust that is afforded between friends or acquaintances.

Among the problems stemming from our systemic failure with cybersecurity, which ranges from decades-old software-development practices to Chinese and Russian cyber-attacks, one problem gets far less attention than it should—the insider threat.

And let’s say an attacker manages to intercept the machine. Can the attacker use it to hack your network?

DuckDuckGo is positioning itself as a Google Search alternative, standing between online trackers and your personal information. Here’s how it works.

Apple’s new program for scanning images sent on iMessage steps back from the company’s prior support for the privacy and security of encrypted messages.

Global IT consultancy giant Accenture has become the latest company to be hit by the LockBit ransomware gang, according to a post made by the operators on their dark web portal, likely filling a void left in the wake of DarkSide and REvil shutdown.

Forty years ago this week, the iconic IBM PC made its debut, cementing the personal computer as a mainstream product category to be reckoned with. Within a few years, America — and the world — went computer wild, with home computers suddenly the province of ordinary people.

The promise of quantum computing is incredible, allowing huge leaps in the speed and efficiency of computation. However, even though the idea has been around for decades, putting the concept into practice is a massive engineering challenge.

Security researchers have disclosed as many as 40 different vulnerabilities associated with an opportunistic encryption mechanism in mail clients and servers that could open the door to targeted man-in-the-middle (MitM) attacks, permitting an intruder to forge mailbox content and steal credentials.