Security Headlines

Tag: #auth

Feds to Microsoft: Clean Up Your Cloud Security Act Now

A federal review board demanded that the tech giant prioritize its "inadequate" security posture, putting the blame solely on the company for last year's Microsoft 365 breach that allowed China's Storm-0558 to hack the email accounts of key government officials.

DARKReading #microsoft #cisco #auth

Aembit Selected as Finalist for RSA Conference 2024 Innovation Sandbox Contest

By CyberNewsWire. Silver Spring, Maryland, United States, April 3rd, 2024: The Leading Company for Securing Access Between Workloads… (via HackRead.com)

Aembit Finalist for RSA Conference 2024 Innovation Sandbox

By CyberNewsWire. The Leading Company for Securing Access Between Workloads Recognized for the Aembit Workload IAM Platform. (via HackRead.com)

GHSA-2q59-h24c-w6fg: Voilà Local file inclusion

### Impact

Any deployment of the voilà dashboard allows local file inclusion: any file on the filesystem that is readable by the user running the voilà dashboard server can be downloaded by anyone with network access to the server. Whether this still requires authentication depends on how voilà is deployed.

### Patches

This is patched in 0.2.17+, 0.3.8+, 0.4.4+, 0.5.6+.

### Workarounds

None.

### References

CWE-73: External Control of File Name or Path

### Original report

I have found a local file inclusion vulnerability in one of your subprojects, voila (https://github.com/voila-dashboards/voila). The vulnerability exists in the "/static" route, and can be exploited by simply making a request such as this:

```
$ curl localhost:8866/static/etc/passwd
```

...or by using a web browser to download the file. I dug into the source code, and I think the offending line is here: https://github.com/voila-dashboards/voila/blob/8419cc7d79c0bb1dabfbd9ec49cb957740609d4d/voi...

Why Cybersecurity Is a Whole-of-Society Issue

Working together and integrating cybersecurity as part of our corporate and individual thinking can make life harder for hackers and safer for ourselves.

The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind

The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code.

‘The Manipulaters’ Improve Phishing, Still Fail at Opsec

Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called "The Manipulaters," a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities.

Google Chrome Beta Tests New DBSC Protection Against Cookie-Stealing Attacks

Google on Tuesday said it's piloting a new feature in Chrome called Device Bound Session Credentials (DBSC) to help protect users against session cookie theft by malware. The prototype – currently tested against "some" Google Account users running Chrome Beta – is built with an aim to make it an open web standard, the tech giant's Chromium team said. "By binding authentication sessions to the

'Unfaking' News: How to Counter Disinformation Campaigns in Global Elections

What cybersecurity professionals around the world can do to defend against the scourge of online disinformation in this year's election cycle.

Ransomware, Junk Bank Accounts: Cyber Threats Proliferate in Vietnam

An economic success story in Asia, Vietnam is seeing more manufacturing and more business investment. But with that comes a significant uptick in cybercrime as well.