Pulse of Truth


Cyber Security news and links to cyber security stories that could make you go hmmm. The content is exactly as it is consumed through RSS feeds and won't be edited (except for the occasional encoding errors).

This community is automagically fed by an instance of Dittybopper.


Move to reduce reliance on contractors


The proliferation of non-human identities and the complexity of modern application architectures have created significant security challenges, particularly in managing sensitive credentials, according to GitGuardian. Based on a survey of 1,000 IT decision-makers in organizations with over 500 employees across the US, UK, Germany, and France, the report reveals a significant rise in awareness and concern regarding the risks associated with secrets sprawl. Secrets leaks are on the rise: 79% of respondents reported having experienced … More → The post AI learning mechanisms may lead to increase in codebase leaks appeared first on Help Net Security.


The open-source software (OSS) industry is developing the core software for the global infrastructure, to the point that even some proprietary software giants adopt Linux servers for their cloud services. Still, it has never been able to get organized by creating representative bodies capable of giving an organic response to issues such as those raised at the European level by the Cyber Resilience Act. I have been advocating for years the need to transform a … More → The post Open-source software: A first attempt at organization after CRA appeared first on Help Net Security.


The Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation assert that C, C++, and other memory-unsafe languages contribute to potential security breaches.


A US district court sentenced a Nigerian man for an elaborate ‘man-in-the-middle’ phishing campaign, which resulted in $12m in losses from real-estate transactions.


A new phishing campaign dubbed 'CRON#TRAP' infects Windows with a Linux virtual machine that contains a built-in backdoor to give stealthy access to corporate networks. [...]


UK's National Cyber Security Centre (NCSC) has published an analysis of a Linux malware named "Pigmy Goat" created to backdoor Sophos XG firewall devices as part of recently disclosed attacks by Chinese threat actors. [...]


Schneider Electric has confirmed a developer platform was breached after a threat actor claimed to steal 40GB of data from the company's JIRA server. [...]

A research tool by the company found a vulnerability in the SQLite open source database, demonstrating the "defensive potential" for using LLMs to find vulnerabilities in applications before they're publicly released.


If you searched for your bank's login page via Bing recently, you may have visited a fraudulent website enabling criminals to get your credentials and even your two-factor security code.


In June 2024, almost 10M user records from Z-lib were discovered exposed online. Now defunct, Z-lib was a malicious clone of Z-Library, a well-known shadow online platform for pirating books and academic papers. The exposed data included usernames, email addresses, countries of residence, Bitcoin and Monero cryptocurrency wallet addresses, purchases and bcrypt password hashes.


Researchers have shown that it's possible to abuse OpenAI's real-time voice API for ChatGPT-4o, an advanced LLM chatbot, to conduct financial scams with low to moderate success rates. [...]

This, but blasting demons. | Photo by Chris Welch / The Verge

What do John Deere tractors, Ikea smart bulbs, Lego bricks, and the MacBook Pro Touch Bar have in common? They can all run Doom, and naturally, so can Nintendo’s adorable Alarmo alarm clock. It was only a matter of time before someone pulled that off, but what I didn’t expect was that when it happened, it would be playable. That’s exactly what hacker GaryOberNicht, who recently figured out how to run custom firmware on the Alarmo, did in a video posted to Mastodon and their X account yesterday. In it, they play by turning or pressing the mushroom-shaped blob on top of the Alarmo to move and pressing the other buttons to shoot or open doors. Here, have a look:

Gary said it’s “possible to load the shareware version of Doom entirely from...

Calls for improvements will soon turn into demands when new rules come into force

The UK's finance regulator is urging all institutions under its remit to better prepare for IT meltdowns like that of CrowdStrike in July.…


A recently disclosed Microsoft SharePoint remote code execution (RCE) vulnerability tracked as CVE-2024-38094 is being exploited to gain initial access to corporate networks. [...]


The headline is pretty scary: “China’s Quantum Computer Scientists Crack Military-Grade Encryption.” No, it’s not true. This debunking saved me the trouble of writing one. It all seems to have come from this news article, which wasn’t bad but was taken widely out of proportion. Cryptography is safe, and will be for a long time.


The botnet is being skillfully used to launch "highly evasive" password-spraying attacks.


Thousands of Dublin residents were misled by an AI chum website promoting events that aren't real.

Illustration by Cath Virginia / The Verge | Photo from Getty Images

On Friday evening, Okta posted an odd update to its list of security advisories. The latest entry reveals that under specific circumstances, someone could’ve logged in by entering anything for a password, but only if the account’s username had over 52 characters. According to the note people reported receiving, other requirements to exploit the vulnerability included Okta checking the cache from a previous successful login, and that an organization’s authentication policy didn’t add extra conditions like requiring multi-factor authentication (MFA). Here are the details that are currently available:

On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was...

A disgruntled former Disney worker stands accused of illegally hacking the company’s systems and harassing its workers.


"The goal is to complete the password updates by this evening," government says.


The large-scale operation took advantage of open repositories, hardcoded credentials in source code, and other cloud oversights.


The Dstat.cc DDoS review platform has been seized by law enforcement, and two suspects have been arrested after the service helped fuel distributed denial-of-service attacks for years. [...]


As organizations centralize IT security, the risk of espionage is silently becoming a more profitable threat.
