Cybersecurity
Week Summary
Technology
  • Earth has captured a temporary 'second moon,' a small asteroid named 2024 PT5, which will orbit until November 2024.
  • Research indicates that larger AI chatbots are increasingly prone to generating incorrect answers, raising concerns about their reliability.
  • Meta's Chief Technical Officer discussed advancements in AR and VR technologies, particularly focusing on the Orion AR glasses.
  • The author reflects on their experience with Rust, proposing several changes to improve the language's usability and safety features.
  • The Tor Project and Tails OS have merged to enhance their efforts in promoting online anonymity and privacy.
  • OpenAI is undergoing leadership changes, with key executives departing amid discussions about restructuring and the company's future direction.
  • Git-absorb
  • The concept of critical mass explains how significant changes occur when a threshold of acceptance is reached, impacting technology and society.
  • WordPress.org has banned WP Engine from accessing its resources due to ongoing legal disputes, raising concerns about security for WP Engine customers.
  • PostgreSQL 17
  • Hotwire Native is a web-first framework that simplifies mobile app development, allowing developers to reuse HTML and CSS across platforms.
  • Radian Aerospace is progressing on a reusable space plane, completing ground tests and aiming for full-scale flights by 2028.
  • A groundbreaking diabetes treatment using reprogrammed stem cells has enabled a patient to produce insulin independently for over a year.
  • Apple is developing a new home accessory that combines features of the iPad, Apple TV, and HomePod, expected to launch in 2025.
  • SpaceX's Starlink service is set to surpass 4 million subscribers, reflecting rapid growth and significant revenue projections.
  • TinyJS is a lightweight JavaScript library that simplifies dynamic HTML element creation and DOM manipulation for developers.
  • Backdoor in xz package could have compromised Linux systems.

    A supply-chain attack involving obfuscated malicious code in the xz package was discovered by a developer at Microsoft who noticed a small 600ms delay with SSH processes when doing some routine micro-benchmarking. The account that made the offending commits seemingly played the long game, slowly gaining the trust of xz's developer before injecting the attack. The attack allows for the interception and modification of data used with the library, allowing malicious actors to break sshd authentication and gain access to affected systems. The situation is developing and more vulnerabilities could be discovered.

    Hi Impact
    Linux
    Cybersecurity
    Monday, April 1, 2024
  • Malware analysis tools risk exposing sensitive data through stored private links.

    Popular malware analysis tools often store sensitive private links due to misconfigured tools and users mistakenly submitting private content. These links can expose confidential files, smart home recordings, corporate communications, and more. Users should be aware of this issue and ensure scans are marked 'private' when sensitive data is involved.

    Hi Impact
    Cybersecurity
    Friday, March 8, 2024
  • Google advocates for memory-safe languages for better security.

    Google has published a whitepaper that outlines its "Secure by Design" approach, which advocates for the adoption of languages like Java, Go, and Rust to achieve high-assurance memory safety. Google has a massive C++ codebase. It will gradually adopt memory-safe languages for new code while seeking safety improvements for existing C++.

    Hi Impact
    Google
    Cybersecurity
  • Passkeys offer a user-friendly, phishing-resistant alternative to passwords, with potential security concerns due to device-stored private keys.

    Passkeys are an alternative to traditional passwords designed to be phishing-resistant and user-friendly. Unlike hardware security keys, passkeys can be backed up and synced across devices. However, because a passkey's private key is held in software on the device (and, when synced, in the provider's cloud) rather than in dedicated tamper-resistant hardware, passkeys can be less secure than hardware keys, and more so where the private keys are exportable.

    Hi Impact
    Cybersecurity
  • A guide on creating a PostgreSQL server impersonator in Python to understand its protocol and attack patterns.

    This walkthrough teaches readers how to build a simple PostgreSQL server impersonator in Python. It’s a useful exercise in understanding the PostgreSQL protocol and studying attack patterns. The server mimics the initial PostgreSQL handshake sequence, including authentication, and successfully fools the psql client into thinking it's a PostgreSQL server.

    Md Impact
    PostgreSQL
    Cybersecurity
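    The handshake the walkthrough above mimics, written out as an added example (not the article's code): a few dozen lines of the PostgreSQL v3 wire protocol are enough to answer psql's SSLRequest, read its StartupMessage, demand a cleartext password, and report ReadyForQuery, which is exactly what a credential-harvesting impersonator needs. The fake server parameters (server_version, the BackendKeyData pid/secret) are arbitrary values chosen here.

```python
"""A tiny PostgreSQL server impersonator: enough of the v3 wire protocol to walk
psql through SSLRequest, StartupMessage and cleartext-password authentication,
then report ReadyForQuery. Added example, not the article's code."""
import socket
import struct

PROTOCOL_V3 = 3 << 16                                  # 196608: protocol version 3.0
SSL_REQUEST = 80877103                                 # pseudo-version psql sends to ask for TLS
SSL_REQUEST_MESSAGE = struct.pack("!II", 8, SSL_REQUEST)


def msg(tag: bytes, body: bytes) -> bytes:
    """Frame a backend message: tag byte, int32 length (counting itself), body."""
    return tag + struct.pack("!I", 4 + len(body)) + body


def build_startup_message(params: dict) -> bytes:
    """Client side (used for testing): int32 length, int32 version, key\\0value\\0 ..., \\0."""
    body = b"".join(k.encode() + b"\x00" + v.encode() + b"\x00" for k, v in params.items()) + b"\x00"
    return struct.pack("!II", 8 + len(body), PROTOCOL_V3) + body


def parse_startup_message(data: bytes) -> dict:
    """Server side: recover user, database and any other parameters the client offers."""
    length, version = struct.unpack("!II", data[:8])
    if version != PROTOCOL_V3:
        raise ValueError(f"unexpected protocol version {version}")
    fields = data[8:length].split(b"\x00")[:-2]        # drop final terminator and empty tail
    return {k.decode(): v.decode() for k, v in zip(fields[0::2], fields[1::2])}


def build_password_message(password: str) -> bytes:
    """Client side (used for testing): 'p', int32 length, password, NUL."""
    return msg(b"p", password.encode() + b"\x00")


def parse_password_message(data: bytes) -> str:
    if data[:1] != b"p":
        raise ValueError("expected PasswordMessage")
    (length,) = struct.unpack("!I", data[1:5])
    return data[5:length].decode()                     # body minus its trailing NUL


def handle_handshake(recv, send) -> dict:
    """Drive one client to ReadyForQuery and return everything it told us."""
    first = recv()
    if first == SSL_REQUEST_MESSAGE:
        send(b"N")                                     # refuse TLS; psql continues in plaintext
        first = recv()
    params = parse_startup_message(first)
    send(msg(b"R", struct.pack("!I", 3)))             # AuthenticationCleartextPassword
    params["password"] = parse_password_message(recv())
    send(msg(b"R", struct.pack("!I", 0)))             # AuthenticationOk
    for name, value in (("server_version", "16.4"), ("client_encoding", "UTF8")):
        send(msg(b"S", name.encode() + b"\x00" + value.encode() + b"\x00"))   # ParameterStatus
    send(msg(b"K", struct.pack("!II", 4242, 0x5EED)))  # BackendKeyData: fake pid and secret
    send(msg(b"Z", b"I"))                              # ReadyForQuery, transaction state idle
    return params


def serve(host: str = "127.0.0.1", port: int = 5432) -> None:
    """Accept clients forever and print the credentials each one hands over."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, addr = srv.accept()
            with conn:
                print(addr, handle_handshake(lambda: conn.recv(65536), conn.sendall))


if __name__ == "__main__":
    serve()
```

    Run it and connect with `psql "postgres://alice@127.0.0.1:5432/prod?sslmode=disable"`: psql prompts for a password, the impersonator prints the user, database, client parameters and password, then stops answering because nothing after ReadyForQuery is implemented. With the default sslmode=prefer psql first sends the SSLRequest, receives the `N`, and carries on unencrypted on the same connection, which the handler also accepts.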
  • Detailed timeline of the xz open source attack.

    A detailed timeline of the xz open source attack from October 2021 to March 2024.

    Hi Impact
    Cybersecurity
    xz
  • AI-generated fake software packages pose security risks.

    Researchers found that AI bots often invent fake software packages when asked for coding help. This is a security risk as a bad actor could create malware with the same invented package name, then trick developers relying on the AI's generated code into downloading and installing it.

    Hi Impact
    AI
    Cybersecurity
  • Google Public DNS combats cache poisoning attacks.

    DNS cache poisoning attacks exploit weaknesses in DNS to redirect users to malicious sites. Google Public DNS protects against these attacks using a few techniques. It randomizes the case of the letters in the queried domain name (0x20 encoding); an authoritative server copies the question back verbatim, so a forged answer that does not reproduce the exact casing is discarded. This protects over 90% of Google Public DNS traffic. Google also uses Authoritative DNS over TLS (ADoT) to encrypt communications with authoritative nameservers that support it.

    Hi Impact
    Google
    Google Public DNS
    Cybersecurity
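    The case-randomization check in miniature, as an added example rather than Google's code: a resolver builds a query with randomized letter case, an honest authoritative server echoes the question section byte for byte, and a spoofer who guessed the transaction ID but not the case pattern is rejected. Names, addresses and transaction IDs below are constructed.

```python
"""DNS 0x20 case randomization as a cache-poisoning defence: the resolver
randomizes letter case in the query name and accepts a reply only if the
echoed question matches byte for byte, so a spoofer who never saw the query
must also guess one extra bit per letter. Added example, not Google's code."""
import random
import struct


def randomize_case(qname: str, rng: random.Random) -> str:
    """Flip each letter of the name to upper or lower case at random."""
    return "".join(ch.upper() if ch.isalpha() and rng.getrandbits(1) else ch.lower() for ch in qname)


def case_entropy_bits(qname: str) -> int:
    """Extra guesswork forced on a spoofer on top of the 16-bit TXID: one bit per letter."""
    return sum(ch.isalpha() for ch in qname)


def encode_name(qname: str) -> bytes:
    """Wire-format name: length-prefixed labels, case preserved, root terminator."""
    return b"".join(bytes([len(label)]) + label.encode() for label in qname.rstrip(".").split(".")) + b"\x00"


def build_query(txid: int, qname: str) -> bytes:
    """Standard recursive A query: 12-byte header plus one question (QTYPE=A, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def decode_question_name(pkt: bytes) -> str:
    """Read the question name starting at offset 12, keeping its case."""
    pos, labels = 12, []
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels) + "."


def authoritative_reply(query: bytes, ip: str) -> bytes:
    """An honest server copies the question section verbatim and appends one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, ip.split(".")))
    return header + query[12:] + rr


def spoofed_reply(txid: int, qname_guess: str, ip: str) -> bytes:
    """An attacker who learned (or brute-forced) the TXID but can only guess the case."""
    return authoritative_reply(build_query(txid, qname_guess), ip)


def accept_reply(query: bytes, reply: bytes) -> bool:
    """Resolver check: TXID must match and the echoed name must match case-sensitively."""
    return query[:2] == reply[:2] and decode_question_name(query) == decode_question_name(reply)


def demo(seed: int = 1) -> dict:
    rng = random.Random(seed)                          # seeded only so the demo is repeatable
    name = randomize_case("www.example.com.", rng)
    query = build_query(rng.getrandbits(16), name)
    txid = struct.unpack("!H", query[:2])[0]
    return {
        "randomized_name": name,
        "honest_accepted": accept_reply(query, authoritative_reply(query, "93.184.216.34")),
        "spoof_accepted": accept_reply(query, spoofed_reply(txid, "www.example.com.", "6.6.6.6")),
    }
```

    For `www.example.com` the name carries 13 letters, so a blind spoofer's odds per forged packet drop from 1 in 2^16 (TXID alone) to roughly 1 in 2^29, and the defence needs nothing from the authoritative side beyond the standard behaviour of echoing the question unchanged. The exactly-one-in-8192 case where the random pattern happens to be all lowercase is why the demo's spoof result is not guaranteed false; the explicit mixed-case test below is.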
  • Rising vulnerabilities in AI and ML applications.

    The number of vulnerabilities in AI and ML applications is increasing rapidly. In April 2024 so far, 48 vulnerabilities were discovered in popular open-source projects, which is a 220% increase since November 2023.

    Hi Impact
    Cybersecurity
  • Malware distribution through GitHub comments disguised as files from Microsoft repositories.

    GitHub's comment file upload feature is being used to distribute malware disguised as legitimate files from trusted Microsoft repositories.

    Hi Impact
    GitHub
    Microsoft
    Cybersecurity
  • Socket Security offers advanced protection against hidden malware in open source code.

    Socket Security protects applications from hidden malware in open source code. It goes beyond traditional scanners to find new threats and integrates with GitHub for developer fixes.

    Hi Impact
    Socket Security
    Cybersecurity
  • Reconsidering the practice of redirecting API calls from HTTP to HTTPS for security.

    The common practice of redirecting API calls from HTTP to HTTPS should be reconsidered. Many programmatic API clients don't keep browser-like state such as HSTS headers they have seen, so a redirect teaches them nothing: the plaintext request, credentials included, has already left the client by the time the 301 arrives. The usability-security tradeoff argument doesn't apply, as APIs are mostly consumed by other software. HTTP interfaces should be disabled entirely or return clear error responses for unencrypted requests. API credentials sent over unencrypted connections should be considered compromised and revoked.

    Hi Impact
    Cybersecurity
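    What "return a clear error instead of redirecting" looks like in practice, as an added example that is not from the article: a WSGI middleware that answers plaintext requests with a 403 and a machine-readable explanation, and hands any credential that arrived in the clear to a revocation hook. It assumes (an assumption of this example) that a TLS-terminating proxy sets X-Forwarded-Proto and that the app is not reachable around that proxy; if the header can be spoofed by clients, trust only wsgi.url_scheme.

```python
"""WSGI middleware that refuses plaintext API requests with an explicit error
instead of redirecting them to HTTPS, and treats any credential that travelled
unencrypted as burned. Added example, not the article's code. Assumes a
TLS-terminating proxy sets X-Forwarded-Proto (an assumption)."""
import json
from wsgiref.simple_server import make_server


def reject_plaintext(app, revoke_hook=None):
    """Wrap `app`; call `revoke_hook(credential)` for every Authorization header seen over HTTP."""
    def middleware(environ, start_response):
        scheme = (environ.get("HTTP_X_FORWARDED_PROTO") or environ.get("wsgi.url_scheme", "http")).lower()
        if scheme == "https":
            return app(environ, start_response)
        credential = environ.get("HTTP_AUTHORIZATION")
        if credential and revoke_hook:
            revoke_hook(credential)            # it has been on the wire in the clear: revoke it
        body = json.dumps({
            "error": "plaintext_not_supported",
            "detail": "This API is HTTPS-only; requests over HTTP are rejected, not redirected. "
                      "Any credential sent with this request must be treated as compromised and rotated.",
        }).encode()
        start_response("403 Forbidden", [("Content-Type", "application/json"),
                                         ("Content-Length", str(len(body)))])
        return [body]
    return middleware


def hello_app(environ, start_response):
    """Stand-in for the real API."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def invoke(app, environ):
    """Call a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    revoked = []
    with make_server("127.0.0.1", 8080, reject_plaintext(hello_app, revoked.append)) as httpd:
        httpd.serve_forever()
```

    The better option the article names, not listening on port 80 at all, needs no code; this middleware is for the case where a plaintext listener must exist (shared ingress, legacy health checks) and should fail loudly rather than silently upgrade. Nothing here sets Strict-Transport-Security because browsers ignore HSTS received over plaintext and API clients ignore it anyway.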
  • Polyfill.io domain compromised, used to infect websites with malware.

    Polyfill.io is being used to infect websites with malware. Websites running any JavaScript code from the domain are advised to remove it immediately. The site previously offered code that added functionality to older browsers. A Chinese organization bought the domain earlier this year. Some popular CDN providers have created mirrors of the domain so sites can continue to use it without having to load the malicious code.

    Hi Impact
    Polyfill.io
    Cybersecurity
  • Critical OpenSSH vulnerability, RegreSSHion, exposes Linux systems.

    RegreSSHion (CVE-2024-6387) is a signal handler race condition in the OpenSSH server (sshd) that allows unauthenticated remote code execution as root on glibc-based Linux systems.

    Hi Impact
    OpenSSH
    Cybersecurity
  • Cloudflare introduces feature to block AI web-scraping bots.

    Cloudflare is now offering its customers a way to block AI bots from scraping website content and using the data without permission to train machine learning models. It is able to recognize bot activity even when operators lie about their user agent. The bot detection approach relies on digital fingerprinting. With a network that sees an average of 57 million requests per second, Cloudflare has ample data to determine which fingerprints can be trusted.

    Hi Impact
    Cloudflare
    Cybersecurity
  • Chaining messaging APIs in browser extensions can lead to 'universal code execution', posing significant security risks.

    By chaining various messaging APIs in browsers and browser extensions, it's possible to achieve 'universal code execution', breaking the same-origin policy and the browser sandbox. The chain lets a malicious web page communicate with an extension's content script, which relays messages to the extension's background script, which in turn can talk to a native application on the host operating system via native messaging. The result is that a web page can execute arbitrary code on the victim's machine.

    Hi Impact
    Cybersecurity
  • Cloudflare's report highlights that nearly 7% of internet traffic is malicious, predominantly due to DDoS attacks.

    Cloudflare's latest report reveals that nearly 7% of internet traffic is malicious, driven by events like wars and elections, with DDoS attacks being the primary weapon of choice.

    Hi Impact
    Cloudflare
    Cybersecurity
  • CrowdStrike's update causes global IT outages, fix implementation challenging.

    A fault with an update issued by CrowdStrike led to worldwide outages on Friday. CrowdStrike is a cybersecurity vendor that develops software to help companies detect and block hacks. It uses cloud technology to apply cyber protections to internet-connected devices. The software requires deep access to systems to scan for threats. A fix has been issued, but it could be hard to implement: engineers have to reach each affected Windows machine and apply the fix by hand (booting into Safe Mode or the recovery environment to remove the faulty file), entering BitLocker recovery keys manually on encrypted machines.

    Hi Impact
    CrowdStrike
    Cybersecurity
  • Microsoft's insights on the CrowdStrike outage and best practices for Windows security.

    This blog post discusses the recent CrowdStrike outage, which was caused by a memory safety error (an out-of-bounds read) in the CSagent kernel driver, and provides technical insights into the root cause. Windows usually has safeguards for the quality of third-party security products. Microsoft discourages the use of kernel drivers by security solutions, but it is obliged to allow them due to regulation, which is one of the reasons why the CrowdStrike outage could happen.

    Hi Impact
    Microsoft
    Windows Security
    Cybersecurity
  • Exploring SAML for secure single sign-on solutions.

    SAML is a standard for exchanging security-related messages between different entities, most commonly used for single sign-on (SSO). In SSO, users authenticate with a centralized identity provider (IDP) and then access multiple applications without having to log in to each one individually. The service provider (SP) and IDP communicate via the user's browser, exchanging SAML requests and responses. SAML responses contain assertions about the user's identity, which are digitally signed by the IDP to ensure authenticity and integrity.

    Md Impact
    SAML
    Cybersecurity
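    The SP side of the exchange described above, as an added example that is not the article's code: building an AuthnRequest and encoding it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), then the checks an SP must make on the returned assertion before trusting it. XML-DSig verification needs a real library (xmlsec or python3-saml), so it is represented by a `signature_ok` flag the caller supplies; every other check (InResponseTo, status, validity window, audience) is implemented. The entity IDs, URLs and the sample response are constructed.

```python
"""Service-provider side of SAML SSO: encode an AuthnRequest for the HTTP-Redirect
binding and validate the conditions an SP must check on an IdP response. Added
example, not the article's code; XML-DSig verification is delegated to a proper
library and represented by the caller-supplied signature_ok flag."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, urlsplit, parse_qs

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ID, ACS, IDP_SSO = "https://sp.example.com/metadata", "https://sp.example.com/acs", "https://idp.example.org/sso"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, issue_instant):
    """Return (request ID, XML). The SP must remember the ID to check InResponseTo later."""
    req_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{issue_instant}" Destination="{idp_sso_url}" '
           f'AssertionConsumerServiceURL="{acs_url}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    return req_id, xml


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state="/"):
    """HTTP-Redirect binding: raw DEFLATE (zlib header and trailer stripped), base64, URL query."""
    raw_deflate = zlib.compress(authn_request_xml.encode())[2:-4]
    return idp_sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(raw_deflate).decode(), "RelayState": relay_state})


def decode_saml_request(url):
    """What the IdP does on arrival: undo the redirect-binding encoding."""
    b64 = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(response_xml, *, sp_entity_id, expected_request_id, now, signature_ok):
    """Return the subject NameID if every check passes; raise ValueError otherwise."""
    if not signature_ok:
        raise ValueError("IdP signature did not verify; nothing below can be trusted")
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-success status")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("response carries no assertion with Conditions")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion was issued for a different service provider")
    return assertion.find("saml:Subject/saml:NameID", NS).text


# Constructed sample response, as an IdP would POST it to the ACS (signature omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
  IssueInstant="2024-09-01T12:00:05Z" InResponseTo="_req123" Destination="{ACS}">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-09-01T12:00:05Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-09-01T12:00:00Z" NotOnOrAfter="2024-09-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Exercise the request encoding round trip and the accept/reject cases."""
    now = datetime(2024, 9, 1, 12, 0, 30, tzinfo=timezone.utc)
    out = {"name_id": validate_response(SAMPLE_RESPONSE, sp_entity_id=SP_ID, expected_request_id="_req123", now=now, signature_ok=True)}
    cases = {
        "wrong_audience": dict(sp_entity_id="https://evil.example.net", expected_request_id="_req123", now=now, signature_ok=True),
        "expired": dict(sp_entity_id=SP_ID, expected_request_id="_req123", now=now.replace(minute=10), signature_ok=True),
        "replayed": dict(sp_entity_id=SP_ID, expected_request_id="_req999", now=now, signature_ok=True),
        "unsigned": dict(sp_entity_id=SP_ID, expected_request_id="_req123", now=now, signature_ok=False),
    }
    for label, kwargs in cases.items():
        try:
            validate_response(SAMPLE_RESPONSE, **kwargs)
            out[label] = "accepted"
        except ValueError:
            out[label] = "rejected"
    _, xml = build_authn_request(SP_ID, ACS, IDP_SSO, "2024-09-01T12:00:00Z")
    out["roundtrip_ok"] = decode_saml_request(redirect_binding_url(IDP_SSO, xml)) == xml
    return out
```

    Two caveats a practitioner would add: parse untrusted SAML with defusedxml rather than the stdlib parser, and verify the signature over the exact element you then read (response or assertion), since validating one and consuming attributes from another is how signature-wrapping attacks work.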
  • Malware delivery via Cloudflare Tunnels increases, involving RATs and evolving tactics to bypass detection.

    Proofpoint observed an increase in malware delivery through the abuse of Cloudflare Tunnels, particularly with the TryCloudflare feature. The campaign delivers remote access trojans (RATs) and has been evolving to bypass detection. It involves sending malicious emails with URLs or attachments, leading to the download and installation of malware like Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos.

    Hi Impact
    Cloudflare
    Cybersecurity
  • Adobe evolves its bug bounty program, offering monetary rewards for finding vulnerabilities.

    Adobe's bug bounty programs have evolved to enhance digital security through global collaboration with security researchers. People can earn monetary rewards for finding vulnerabilities in various Adobe products, including Adobe Firefly, Photoshop Web, and Magento. In 2024, Adobe has seen increased engagement and efficiency in its private program, paying over $200,000 in bounties and further enhancing the vulnerability disclosure experience.

    Hi Impact
    Adobe
    Adobe Firefly, Photoshop Web, Magento
    Cybersecurity
  • A buffer overflow vulnerability in Tony Hawk's Pro Skater games allows code execution on multiple consoles.

    A buffer overflow vulnerability was found in the "Create-A-Park" feature of various Tony Hawk's Pro Skater games. The vulnerability, dubbed "Tony Hawk's Pro Strcpy", allows attackers to gain code execution on multiple gaming consoles, including the original Xbox, PlayStation 2, GameCube, and even the Xbox 360 (on a specific older kernel version). This article explores the various methods used to exploit the bug, ranging from simple save game hacks to intricate ROP chains and network-based attacks.

    Hi Impact
    Tony Hawk's Pro Skater
    Cybersecurity
  • Guide on securing frontend and backend systems, inspired by a fast-food chain app hack.

    A notorious hack of a fast-food chain's mobile app exposed a loophole that allowed users to generate unlimited free meal vouchers. This incident shows the importance of securing both frontend and backend systems against vulnerabilities like XSS, CSRF, and IDOR. Proper input validation, content security policies, and secure handling of environment variables are important for security.

    Hi Impact
    Cybersecurity
  • McDonald's Instagram hacked to promote Solana-based token scam.

    The McDonald's Instagram account was recently hacked and used to promote a scam involving a Solana-based token, which quickly led to a rug pull.

    Hi Impact
    McDonald's
    Instagram
    Cybersecurity
  • Bloomberg integrates Polymarket, details on Trump's DeFi project, and FBI warns of North Korean hackers.

    Bloomberg Integrates Polymarket 📈, Details on Trump’s DeFi Project 📝, FBI Warns of North Korean Hackers 🥷

    Hi Impact
    Bloomberg
    Polymarket
    Donald Trump
    North Korea
    Cybersecurity
  • Hackers leak Disney's financial and strategic data, but the company expects minimal impact.

    Hackers recently leaked a trove of data from Disney that included financial and strategy information on the entertainment giant's operations. It also included personally identifiable information of some staff and consumers and granular details about revenue generated by Disney products, park pricing offers that the company has modeled, and login credentials for some of Disney's cloud infrastructure. Disney says that it doesn't expect the incident to have a material impact on its operations or financial performance. This article provides an overview of the leaked data.

    Hi Impact
    Disney
    Cybersecurity
  • A guide to identifying and securing misconfigured AWS S3 buckets against hacking.

    Misconfigured AWS S3 buckets can be found and exploited in various ways, such as examining HTTP responses, using search engines, and bruteforcing common bucket-name keywords. Developers can test for misconfigurations by checking list, read, write, and download permissions, examining Access Control Lists (ACLs), and checking for missing file type restrictions and S3 versioning. Knowing how to do this is important for actually securing S3 buckets against unknown attackers.

    Hi Impact
    AWS
    S3 Buckets
    Cybersecurity
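    The defender's half of the guide above, as an added example that is not the article's code: a small audit over the three places a bucket becomes public. It takes the JSON shapes returned by `aws s3api get-bucket-policy` (whose Policy field is a JSON string, so json.loads it first), `get-bucket-acl` and `get-public-access-block` (which raises NoSuchPublicAccessBlockConfiguration when nothing is set; pass None here). The bucket name, resource ARNs, VPC endpoint ID and canonical user IDs in the samples are constructed.

```python
"""Audit the three places an S3 bucket can be made public: its bucket policy, its
ACL, and its Public Access Block settings, using the JSON shapes the s3api
get-bucket-policy / get-bucket-acl / get-public-access-block calls return. Added
example, not the article's code; the sample documents below are constructed."""

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """'*' or {"AWS": "*"} (possibly inside a list) means anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _is_write(action):
    return action in ("*", "s3:*") or action.startswith(("s3:Put", "s3:Delete"))


def policy_findings(policy):
    """One finding per Allow statement whose principal is the public."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_public_principal(st.get("Principal")):
            continue
        sid = st.get("Sid", f"#{i}")
        actions = sorted(_as_list(st.get("Action", [])))
        if "Condition" in st:
            # Public principal narrowed by a condition (VPC endpoint, source IP, ...): not open, but review it.
            findings.append(f"policy {sid}: public principal limited only by Condition {sorted(st['Condition'])}; verify it")
            continue
        kind = "WRITE" if any(_is_write(a) for a in actions) else "READ"
        findings.append(f"policy {sid}: public {kind} via {actions} on {_as_list(st.get('Resource'))}")
    return findings


def acl_findings(acl):
    """Legacy ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [f"ACL grants {g['Permission']} to {PUBLIC_GROUPS[g['Grantee']['URI']]}"
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]


def public_access_block_findings(pab):
    """Any of the four flags being off lets a public policy or ACL take effect."""
    if not pab:
        return ["no PublicAccessBlock configured: public ACLs and policies take effect"]
    cfg = pab.get("PublicAccessBlockConfiguration", pab)
    return [f"PublicAccessBlock {flag} is off" for flag in PAB_FLAGS if not cfg.get(flag)]


def audit(policy, acl, pab):
    return policy_findings(policy) + acl_findings(acl) + public_access_block_findings(pab)


# Constructed samples in the shapes the s3api calls return.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": "arn:aws:s3:::example-assets/uploads/*"},
    {"Sid": "CloudFrontOnly", "Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-assets", "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
]}
SAMPLE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                                 "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}

if __name__ == "__main__":
    for line in audit(SAMPLE_POLICY, SAMPLE_ACL, SAMPLE_PAB):
        print(line)
```

    The sample deliberately includes a statement that is not a finding (a cloudfront.amazonaws.com service principal) and one that is public only behind a VPC-endpoint condition, because a linter that flags every `"Principal": "*"` without reading the Condition gets tuned out by the people who have to act on it. The fix for the real findings is the one AWS recommends: turn all four Public Access Block flags on at the account level and grant access through IAM or CloudFront origin access instead.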
  • Researchers accidentally gain admin control of the .MOBI TLD, impacting the CA process.

    The researchers inadvertently became the administrators of the .MOBI TLD's WHOIS service after registering the expired domain that had previously hosted its WHOIS server. Because certificate authorities still queried that server for domain-contact addresses during domain validation, this allowed them to undermine the CA process for the entire .mobi TLD.

    Hi Impact
    Cybersecurity
  • The article argues against the use of RSA due to its inherent vulnerabilities and complexities.

    RSA is a widely used public-key cryptosystem which is arguably fundamentally flawed and should be abandoned. Its security relies on carefully chosen parameters, which developers often fail to select properly, leading to vulnerabilities. These vulnerabilities stem from subtle mathematical properties that average developers are unlikely to grasp, making RSA inherently fragile and prone to attacks.

    Hi Impact
    Cybersecurity
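    One concrete instance of the "carefully chosen parameters" argument, as an added example that is not the article's code: textbook RSA with a small public exponent and no padding. With e = 3 and a plaintext short enough that m³ < n, the "ciphertext" is just m³ over the integers and an integer cube root recovers m with no private key; and because RSA is multiplicative, anyone can turn Enc(m) into Enc(2m). The key is generated here with a small Miller-Rabin test purely for illustration; the sample plaintext is constructed.

```python
"""Why 'textbook' RSA with carelessly chosen parameters fails: with e = 3 and no
padding, a message with m**3 < n is 'encrypted' to exactly m**3 over the integers,
so an integer cube root recovers it without the private key, and any ciphertext
can be turned into Enc(2m) by multiplication. Added example, not the article's
code; the key is generated here with a small Miller-Rabin test for illustration."""
import random


def is_probable_prime(n, rng, rounds=32):
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, e, rng):
    """Random prime of exactly `bits` bits with gcd(e, p - 1) == 1 (e is prime here)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (p - 1) % e and is_probable_prime(p, rng):
            return p


def gen_rsa(bits, e, rng):
    """Return (n, e, d) for a `bits`-bit modulus."""
    p = gen_prime(bits // 2, e, rng)
    q = gen_prime(bits // 2, e, rng)
    while q == p:
        q = gen_prime(bits // 2, e, rng)
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)              # d = e^-1 mod phi (Python 3.8+)


def int_root(x, k):
    """Exact integer k-th root of x, or None if x is not a perfect k-th power."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** k == x else None


def textbook_encrypt(m, n, e):
    """No padding: this is the mistake. c = m^e mod n, and if m^e < n the mod does nothing."""
    return pow(m, e, n)


def recover_short_message(c, e):
    """Attacker with only c and e: works whenever m**e < n."""
    return int_root(c, e)


def demo(seed=2024):
    rng = random.Random(seed)                 # seeded only so the demo is repeatable
    n, e, d = gen_rsa(1024, 3, rng)
    m = int.from_bytes(b"PIN=4921 token=0x5f3a", "big")   # constructed 168-bit secret, far below 1024/3
    c = textbook_encrypt(m, n, e)
    c_doubled = (c * pow(2, e, n)) % n        # attacker has only c and the public key
    return {
        "recovered_without_key": recover_short_message(c, e) == m,
        "legit_decrypt_ok": pow(c, d, n) == m,
        "malleable_to_2m": pow(c_doubled, d, n) == (2 * m) % n,
    }
```

    Both properties disappear with RSA-OAEP, which randomizes and pads the plaintext to the full modulus size; the point the article makes is that nothing in the primitive itself stops a developer from leaving that out, whereas a modern KEM or authenticated-encryption API has no unpadded mode to misuse.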
Month Summary
Technology
  • OpenAI is considering a new subscription model for its upcoming AI product, Strawberry, while also restructuring for better financial backing.
  • Telegram founder
  • The startup landscape is shifting towards more tech-intensive ventures, with a focus on specialized research and higher capital requirements.
  • Boom Supersonic's XB-1 demonstrator aircraft successfully completed its second flight, testing new systems for future supersonic travel.
  • announced the uncrewed return of Boeing's Starliner, with future crewed missions planned for 2025.
  • OpenAI's SearchGPT aims to compete with Google Search by providing AI-driven information retrieval, though it currently faces accuracy issues.
  • Tesla is preparing to unveil its autonomous robotaxi technology at an event in Los Angeles, indicating ongoing challenges in achieving full autonomy.
  • The US Department of Justice is investigating Nvidia for potential antitrust violations related to its AI chip market dominance.
  • Apple plans to use OLED screens in all iPhone 16 models, moving away from Japanese suppliers and introducing new AI features.
  • Amazon S3 has introduced conditional writes to prevent overwriting existing objects, simplifying data updates for developers.
  • Chinese scientists have developed a hydrogel that shows promise in treating osteoarthritis by restoring cartilage lubrication.
  • Nvidia's CEO is working to position the Nvidia as a comprehensive provider for data center needs, amidst growing competition from AMD and Intel.
  • OpenAI
  • Nvidia Blackwell
  • Amazon is set to release a revamped Alexa voice assistant in October, powered by AI models from Anthropic's Claude, and will be offered as a paid subscription service.