
784 matches found

CISA
added 2023/10/16 12:0 p.m., 5 views

CISA, NSA, FBI, and International Partners Release Updated Secure by Design Guidance

Today, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) released an update to Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default with the following...

AI score: 7
Exploits: 0, References: 5
Schneier on Security
added 2023/09/15 7:12 p.m., 16 views

LLM Summary of My Book Beyond Fear

Claude (Anthropic's LLM) was given this prompt: Please summarize the themes and arguments of Bruce Schneier's book Beyond Fear. I'm particularly interested in a taxonomy of his ethical arguments--please expand on that. Then lay out the most salient criticisms of the book. Claude's reply: Here's a brief...

AI score: 7
Exploits: 0
Kitploit
added 2023/09/11 11:30 a.m., 20 views

Moniorg - Tool That Leverages Crt.Sh Website To Monitor Domains Of A Target

By looking through CT logs an attacker can gather a lot of information about an organization's infrastructure, i.e. internal domains, email addresses, in a completely passive manner. moniorg leverages certificate transparency logs to monitor for newly issued domains based on organization field in their S...

AI score: 6.8
Exploits: 0, References: 3
MSRC
added 2023/09/06 7:0 a.m., 32 views

Results of Major Technical Investigations for Storm-0558 Key Acquisition

March 12, 2024 update As part of our continued commitment to transparency and trust outlined in Microsoft’s Secure Future Initiative, we are providing further information as it relates to our ongoing investigation. This new information does not change the customer guidance we previously shared, n...

AI score: 7
Exploits: 0
Japan Vulnerability Notes
added 2023/09/06 5:33 a.m., 2 views

"direct" Desktop App for macOS fails to restrict access permissions

Overview "direct" Desktop App for macOS provided by L is B Corp. fails to restrict access permissions (CWE-284). The access control mechanism provided by macOS "TCC (Transparency, Consent, and Control)" may be bypassed. Koh M. Nakagawa of FFRI Security, Inc. reported this vulnerability to IPA. JPCERT/C...

CVSS: 5.5, AI score: 6.5, EPSS: 0.00163
Exploits: 0, References: 5
Wired Threat Level
added 2023/08/20 12:0 p.m., 18 views

Google's New Feature Ensures Your Pixel Phone Hasn't Been Hacked. Here’s How It Works

Pixel Binary Transparency is the latest security benefit for Pixel owners...

AI score: 7.1
Exploits: 0
Kitploit
added 2023/08/12 12:30 p.m., 43 views

Columbus-Server - API first subdomain discovery service, blazingly fast subdomain enumeration service with advanced features

Columbus Project is an API first subdomain discovery service, blazingly fast subdomain enumeration service with advanced features. Columbus returned 638 subdomains of tesla.com in 0.231 sec. Usage By default Columbus returns only the subdomains in a JSON string array: curl...

AI score: 7.2
Exploits: 0, References: 1
Malwarebytes
added 2023/08/11 9:30 a.m., 17 views

YouTube makes sweeping changes to tackle spam on Shorts videos

YouTube is rolling out unclickable links. Video portals like YouTube have had to deal with spam comments and bogus links for many years. With new additions to a platform come new places for scammers to go about their business. YouTube is now cracking down on links posted to the comments section o...

AI score: 7
Exploits: 0
The Hacker News
added 2023/08/05 7:38 a.m., 32 views

Microsoft Addresses Critical Power Platform Flaw After Delays and Criticism

Microsoft on Friday disclosed that it has addressed a critical security flaw impacting Power Platform, but not before it came under criticism for its failure to swiftly act on it. "The vulnerability could lead to unauthorized access to Custom Code functions used for Power Platform custom...

AI score: 6.7
Exploits: 0
Hacker One
added 2023/08/04 9:51 a.m., 38 views

HackerOne: Staff and Triage can modify the initial post of a report, including of already disclosed reports

The initial post of a report on HackerOne could be modified by program members and Triage, allowing them to change the information and potentially manipulate the narrative of the report...

AI score: 6.8
Exploits: 0
The Hacker News
added 2023/07/27 11:25 a.m., 31 views

The 4 Keys to Building Cloud Security Programs That Can Actually Shift Left

As cloud applications are built, tested and updated, they wind their way through an ever-complex series of different tools and teams. Across hundreds or even thousands of technologies that make up the patchwork quilt of development and cloud environments, security processes are all too often...

AI score: 7.1
Exploits: 0
The Hacker News
added 2023/07/27 6:49 a.m., 35 views

New SEC Rules Require U.S. Companies to Reveal Cyber Attacks Within 4 Days

The U.S. Securities and Exchange Commission (SEC) on Wednesday approved new rules that require publicly traded companies to publicize details of a cyber attack within four days of identifying that it has a "material" impact on their finances, marking a major shift in how computer breaches are...

AI score: 6.9
Exploits: 0
Vulnrichment
added 2023/07/14 5:4 p.m., 15 views

CVE-2023-36834 Junos OS: SRX 4600 and SRX 5000 Series: The receipt of specific genuine packets by SRXes configured for L2 transparency will cause a DoS

An Incomplete Internal State Distinction vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX 4600 and SRX 5000 Series allows an adjacent attacker to cause a Denial of Service (DoS). If an SRX is configured in L2 transparent mode the receipt of a specific genuine...

CVSS: 6.5, AI score: 7, EPSS: 0.00271
Exploits: 0, References: 1
Cvelist
added 2023/07/14 5:4 p.m., 27 views

CVE-2023-36834 Junos OS: SRX 4600 and SRX 5000 Series: The receipt of specific genuine packets by SRXes configured for L2 transparency will cause a DoS

An Incomplete Internal State Distinction vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX 4600 and SRX 5000 Series allows an adjacent attacker to cause a Denial of Service (DoS). If an SRX is configured in L2 transparent mode the receipt of a specific genuine...

CVSS: 6.5, AI score: 6.5, EPSS: 0.00271
Exploits: 0, References: 1
Code423n4
added 2023/07/13 12:0 a.m., 6 views

Admin user has an absolute power to withdraw all contract balance, which may raise red flags for investors

Lines of code Vulnerability details Impact Having rug-pull related code is always considered as a red flag for new investors. An admin, who's a single point of failure has access to withdraw function, which allows to withdraw the whole contract balance. Even if the owner is genuine the rug pull...

AI score: 7.2
Exploits: 0
Schneier on Security
added 2023/07/11 11:57 a.m., 16 views

Privacy of Printing Services

The Washington Post has an article about popular printing services, and whether or not they read your documents and mine the data when you use them for printing: Ideally, printing services should avoid storing the content of your files, or at least delete daily. Print services should also...

AI score: 6.7
Exploits: 0
Openbugbounty
added 2023/07/10 3:39 p.m., 13 views

transparencia.delmirogouveia.al.gov.br Cross Site Scripting vulnerability OBB-3499827

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score: 6.1
Exploits: 0
Malwarebytes
added 2023/05/23 12:0 p.m., 12 views

Google to pay $40m for "deceptive and unfair" location tracking practices

Google is going to pay $39.9 million to Washington State to put to rest a lawsuit about its location tracking practices which has been in play since last year. Google was accused of "misleading consumers" by State Attorney General Bob Ferguson. From the AG press release: Attorney General Bob...

AI score: 6.5
Exploits: 0
Malwarebytes
added 2023/05/15 1:45 p.m., 12 views

Why we should be more open about ransomware attacks

The UK's National Cyber Security Centre (NCSC) has published an article that reflects on why it's so concerning when cyberattacks go unreported, saying: ...we are increasingly concerned about what happens behind the scenes of the attacks we don't hear about, particularly the ransomware ones. One of th...

AI score: 7
Exploits: 0
Schneier on Security
added 2023/05/11 11:17 a.m., 15 views

Building Trustworthy AI

We will all soon get into the habit of using AI tools for help with everyday problems and tasks. We should get in the habit of questioning the motives, incentives, and capabilities behind them, too. Imagine you're using an AI chatbot to plan a vacation. Did it suggest a particular resort because i...

AI score: 6.6
Exploits: 0