#vulnerability

anonymiss@despora.de

#CVE-2024-20356: #Jailbreaking a #Cisco appliance to run #DOOM

In this adventure, the Cisco #C195 device family was jailbroken in order to run unintended code. This includes the discovery of a vulnerability in the #CIMC body management controller which affects a range of different devices, whereby an authenticated high privilege user can obtain underlying root access to the server’s #BMC (CVE-2024-20356) which in itself has high-level access to various other components in the system. The end goal was to run DOOM – if a smart fridge can do it, why not Cisco?

source: https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/

#software #security #bug #network #game #news #vulnerability #exploit #hack #hacker

anonymiss@despora.de

Hackers exploited #Windows 0-day for 6 months after #Microsoft knew of it

Source: https://arstechnica.com/security/2024/03/hackers-exploited-windows-0-day-for-6-months-after-microsoft-knew-of-it/

Even after Microsoft patched the #vulnerability last month, the company made no mention that the North Korean threat group #Lazarus had been using the vulnerability since at least August to install a stealthy #rootkit on vulnerable computers. The vulnerability provided an easy and stealthy means for #malware that had already gained administrative system rights to interact with the Windows #kernel. Lazarus used the vulnerability for just that. Even so, Microsoft has long said that such admin-to-kernel elevations don’t represent the crossing of a security boundary, a possible explanation for the time Microsoft took to fix the vulnerability.

#software #news #security #cybercrime #bug #exploit #0day #fail #economy #problem #politics #hack #Hackers #trust #risk

anonymiss@despora.de

#Anycubic users say their #3D printers were hacked to warn of a #security flaw

source: https://techcrunch.com/2024/02/28/anycubic-users-3d-printers-hacked-warning/?guccounter=1

Ouyang said in an email to TechCrunch: “We are investigating very carefully. There will be an official announcement very soon,” but did not comment further.

“Disconnect your printer from the internet until anycubic patches this issue,” the text file reads.

#news #3dprinter #hack #hacker #warning #software #problem #technology #vulnerability

danie10@squeet.me

An old Bluetooth vulnerability shows why it is vital that all OS’s get updated regularly

Bluetooth vulnerability exposes Android, Linux, MacOS, and iOS devices. Hackers can access your device without special hardware and run commands without your consent.

Security fix for Android 11 through 14 available, but older versions remain vulnerable. ChromeOS has been patched, but Linux-based OSs are still prone to hacking.

Some OS’s update better, or are supported longer, than others. This is where Android especially suffers, as many phones only got two years of OEM updates.

If you have an Android, in particular, a bad actor could access your device if Bluetooth is simply enabled. The hack is possible on Linux if Bluetooth is discoverable, and iOS and MacOS devices that have Bluetooth enabled with a paired Magic Keyboard are vulnerable as well.

It requires nearby access, though, so this may not be very high risk unless you regularly attend conferences and spend a day sitting in such a place.

One also wants to choose new purchases to also include the consideration around how long a device will get updates in future.

See https://www.androidpolice.com/android-ios-linux-macos-bluetooth-vulnerability/
#Blog, #bluetooth, #security, #technology, #vulnerability

anonymiss@despora.de

#BLUFFS: #Bluetooth Forward and Future Secrecy Attacks and Defenses

Source: https://francozappa.github.io/post/2023/bluffs-ccs23/

TL;DR: If you are within range of a Bluetooth connection, you can force both devices into an insecure #encryption which can be cracked using brute force. The #workaround is to reject weak encryption via #software. Since there are never #updates for devices that have already been sold, any Bluetooth #connection with an old device must be considered insecure. Bluetooth can be monitored up to 100 meters with special antennas.

#bug #fail #security #hack #warning #danger #problem #update #news #CVE-2023-24023 #smartphone #vulnerability

california@diaspora.permutationsofchaos.com

Let me tell you that more source code always means more #vulnerability and is therefore always counterproductive for #security.

The #internet has become a bloated mess. Huge #JavaScript libraries, countless client-side queries and overly complex frontend frameworks are par for the course these days.

When popular websites like The New York Times are multiple MB in size (nearly 50% of which is JavaScript!), you know there’s a problem. Why does any site need to be that huge? It’s #crazy.

But we can make a difference - all it takes is some #optimisation. Do you really need that extra piece of JavaScript? Does your #WordPress site need a #theme that adds lots of functionality you’re never going to use? Are those huge custom fonts really needed? Are your images optimised for the web?

read more here: https://512kb.club

#frontend #browser #web #danger #framework #software #problem #performance

anonymiss@despora.de

If you use #Confluence instead of an #OpenSource #wiki then you are not real hackers!

The setup of #DokuWiki is quick and easy even for bloody noobs: https://www.dokuwiki.org

Background: https://www.bleepingcomputer.com/news/security/ukrainian-activists-hack-trigona-ransomware-gang-wipe-servers/

Ukrainian #Cyber Alliance hackers gained access to #Trigona #ransomware’s infrastructure by using a public #exploit for CVE-2023-22515, a critical #vulnerability in Confluence Data Center and Server that can be leveraged remotely to escalate privileges.

#news #software #fail #hack #hacker #cybercrime #problem #security #privacy #knowledge

tord_dellsen@diasp.eu

#MikiKashtan on #Tenderness, #Vulnerability, #Mourning

"So what can I do, as an individual?"

In my classes, in conversations with friends, and on the many free calls I conduct these days, some version of this question keeps showing up. It's a way that people express how hungry they are to move past the separation, scarcity, and powerlessness that have become the soundtrack of modern living. The longing for a world that works for all is more and more present everywhere I go. It's powerful, insistent, and forward moving. In the context of more consciously taking on patriarchy as the root cause of where we are in our world -- the foundation on which more commonly named systems such as white supremacy or capitalism were erected -- I am ever more eager to find a response to the question.

Beyond just an answer, I want to find ways to step outside of the patriarchal norms within which we have become accustomed to live and which we use to evaluate everything, including our actions to transform patriarchy itself.

On the recent Overcoming Patriarchy call, the third since I started them in May, a direction shaped itself which I now want to share with those of you reading this newsletter. Once we noticed, together, that patriarchy rests on an incessant drive to control that of which we are afraid, it became clear that one clear step forward, in any circumstance, with anyone we're with, and with full embracing of the consequences that we may not like, including risks to our very life, is to embrace the triple path of tenderness, vulnerability, and mourning.

What the three have in common is that they sidestep any attempt to control or be "strong" in ways defined by patriarchy. They are antidotes to separation, cruelty, shaming, and fighting.

Tenderness, towards self and other, allows us to metabolize our own and others' failures to live up to our values and to recognize our embeddedness within systems that dramatically constrain our options and capacity for choice.

Vulnerability breaks down the cycle of escalation that responds to harshness with erecting protection and distancing. Sharing our vulnerability in the face of distance and judgment breaks down barriers and allows the magic of connection to surface again.

Mourning is the gift that allows us to combine parts of ourselves and even to come together in community when separation, breakdown, and even harm happen. We can mourn instead of fight, punish, or shame ourselves and each other.

I am now adopting this triplet as one of my core principles for responding to difficult times, and I invite you to join me. In this context, I want to highlight the brave and unusual work of Edwin Rutsch and invite you, on his behalf, to participate in the Empathy Tent. Edwin and a small group of individuals have gone to demonstrations and zones of conflict and invited people on both sides of political divides to participate in in-person or online empathy dialogues. He's now been featured on Fox News and Breitbart, and continues to show up with empathy in response to sarcastic and actively nasty attempts to discredit what he stands for and to make fun of him.

However far he manages to get with these efforts, it's an example of bringing tenderness and vulnerability to a zone of conflict rife with posturing and put-downs. What would be your way of responding to life around you in this way? How would you approach your legislators differently, if you do that kind of activism, if you took seriously the idea of bringing tenderness, vulnerability, and mourning to your efforts?

In my recent blog post I am inviting you to consider another aspect of this path forward. In my endless quest to find ways to engage with and move beyond the separation of privilege, I offer you a way to move towards more responsibility if you are in a position of privilege. The only way I know to embrace more responsibility from a position of privilege, perhaps from any position, is to increase and increase our capacity for self-warmth and acceptance, precisely what tenderness and mourning can provide. This is how the practice of vulnerability has made me so much stronger rather than weaker, as common norms assume.

More and more of us are recognizing that the times we live in are not "normal". As someone people turn to often to seek inspiration, I take my role seriously. When I imagine more of us embracing the soft qualities of tenderness and subverting the hard-edged qualities of our times, I have much more faith in the chances of surviving these times and finding again our place within the web of life that sustains us all.

in peace and hope,
Miki

Source: https://myemail.constantcontact.com/Tenderness--Vulnerability--and-Mourning-in-Response-to-the-Legacy-of-Patriarchy.html?soid=1011233438572&aid=ZqJivjacGyY

anonymiss@despora.de

Easy-to-exploit local privilege escalation vulnerabilities in #Ubuntu #Linux affect 40% of Ubuntu cloud workloads

source: https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability

CVE-2023-2640 and CVE-2023-32629 were found in the #OverlayFS module in Ubuntu, which is a widely used Linux #filesystem that became highly popular with the rise of containers as its features enable the deployment of dynamic filesystems based on pre-built images. OverlayFS serves as an attractive attack surface as it has a history of numerous logical vulnerabilities that were easy to exploit. This makes the newly discovered vulnerabilities especially risky given the exploits for the past OverlayFS vulnerabilities work out of the box without any changes.

#security #os #software #update #bug #problem #news #exploit #hack #hacker #server #vulnerability

danie10@squeet.me

European radio standard TETRA has had a baked in vulnerability known for years by the vendors: Open standards are a better way to go

For more than 25 years, a technology used for critical data and voice radio communications around the world has been shrouded in secrecy to prevent anyone from closely scrutinizing its security properties for vulnerabilities. But now it’s finally getting a public airing thanks to a small group of researchers in the Netherlands who got their hands on its viscera and found serious flaws, including a deliberate backdoor.

The backdoor, known for years by vendors that sold the technology but not necessarily by customers, exists in an encryption algorithm baked into radios sold for commercial use in critical infrastructure. It’s used to transmit encrypted data and commands in pipelines, railways, the electric grid, mass transit, and freight trains. It would allow someone to snoop on communications to learn how a system works, then potentially send commands to the radios that could trigger blackouts, halt gas pipeline flows, or re-route trains.

Researchers found a second vulnerability in a different part of the same radio technology that is used in more specialized systems sold exclusively to police forces, prison personnel, military, intelligence agencies, and emergency services, such as the C2000 communication system used by Dutch police, fire brigades, ambulance services, and Ministry of Defense for mission-critical voice and data communications. The flaw would let someone decrypt encrypted voice and data communications and send fraudulent messages to spread misinformation or redirect personnel and forces during critical times.

Three Dutch security analysts discovered the vulnerabilities—five in total—in a European radio standard called TETRA (Terrestrial Trunked Radio), which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radios since the ’90s, but the flaws remained unknown because encryption algorithms used in TETRA were kept secret until now.

While the TEA1 weakness has been withheld from the public, it’s apparently widely known in the industry and governments. The issue really is that these proprietary algorithms are not subjected to the scrutiny that the open standards ones are. With a proprietary algorithm you are placing all your trust in only that vendor, and if they know about a vulnerability for years without telling you, you’re just not going to know. But as we’ve seen many times, that does not mean someone else has not found it, and may be quietly exploiting it for a long time already.

As we also see in this very linked article, governments are no more trustworthy, as they will deliberately sell something with vulnerabilities to another country, which they think they can maybe later exploit if the need arises.

An open standard is interrogated publicly to find potential weaknesses. It is why so many researchers say it is better to adopt open standards encryption algorithms which are proven, rather than to try to be clever and develop your own one.

TETRA is also used widely in South Africa by emergency personnel. It is anyway always better to assume someone is listening in on your radio messages, than to think it is 100% secure. The advice to TETRA radio users is to check with their vendors where any patch or mitigation is available.

See https://www.wired.com/story/tetra-radio-encryption-backdoor/
#Blog, #radio, #security, #technology, #TETRA, #vulnerability