Italy government proposes tougher jail terms for cybercriminals

Reuters reports: Italy’s government is set to propose tougher jail terms for cybercrime and stricter disclosure rules for public bodies that come under attack from hackers, according to a draft law seen by Reuters on Wednesday. The bill, set for … Continue reading Italy government proposes tougher jail terms for cybercriminals

Microsoft Executives Hacked

Microsoft is reporting that a Russian intelligence agency—the same one responsible for SolarWinds—accessed the email system of the company’s executives.

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. …

Continue reading Microsoft Executives Hacked

Hypothetical Discovery: Security Concerns in Airline Booking Systems – Seeking Guidance on Responsible Reporting [duplicate]

I recently had a peculiar experience where a vase, courtesy of my mischievous cat, took an unexpected detour onto my head. In the aftermath, I couldn’t help but wonder about the security of an Airline booking system used by various airline… Continue reading Hypothetical Discovery: Security Concerns in Airline Booking Systems – Seeking Guidance on Responsible Reporting [duplicate]

Ransomware Gang Files SEC Complaint

A ransomware gang, annoyed at not being paid, filed an SEC complaint against its victim for not disclosing its security breach within the required four days.

This is over the top, but is just another example of the extreme pressure ransomware gangs put on companies after seizing their data. Gangs are now going through the data, looking for particularly important or embarrassing pieces of data to threaten executives with exposing. I have heard stories of executives’ families being threatened, of consensual porn being identified (people regularly mix work and personal email) and exposed, and of victims’ customers and partners being directly contacted. Ransoms are in the millions, and gangs do their best to ensure that the pressure to pay is intense…

Continue reading Ransomware Gang Files SEC Complaint

New SEC Rules around Cybersecurity Incident Disclosures

The US Securities and Exchange Commission adopted final rules around the disclosure of cybersecurity incidents. There are two basic rules:

  1. Public companies must “disclose any cybersecurity incident they determine to be material” within four days, with potential delays if there is a national security risk.
  2. Public companies must “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats” in their annual filings.

The rules go into effect this December.

In an email newsletter, Melissa Hathaway wrote:…

Continue reading New SEC Rules around Cybersecurity Incident Disclosures

Is a responsible disclosure for hardware-based vulnerabilities even possible?

In the last decade side-channel attacks like fault injection attacks (e.g., voltage glitching attacks) have been used to bypass JTAG locks or read-out memory protections. Such vulnerabilities might not be easy to prevent. They can be cause… Continue reading Is a responsible disclosure for hardware-based vulnerabilities even possible?

How to inform the owner of a site about a vulnerability if there is no feedback form? [closed]

Recently, I noticed several resources that may be in danger, but I did not find a feedback form or email or another way to contact the owner and warn. How can I notify the owners?
DoS seems to me a noticeable, but in a very rude way to pay… Continue reading How to inform the owner of a site about a vulnerability if there is no feedback form? [closed]