Italy government proposes tougher jail terms for cybercriminals

Reuters reports: Italy’s government is set to propose tougher jail terms for cybercrime and stricter disclosure rules for public bodies that come under attack from hackers, according to a draft law seen by Reuters on Wednesday. The bill, set for …

Microsoft Executives Hacked

Microsoft is reporting that a Russian intelligence agency—the same one responsible for SolarWinds—accessed the email system of the company’s executives.

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. …

Hypothetical Discovery: Security Concerns in Airline Booking Systems – Seeking Guidance on Responsible Reporting [duplicate]

I recently had a peculiar experience where a vase, courtesy of my mischievous cat, took an unexpected detour onto my head. In the aftermath, I couldn’t help but wonder about the security of an airline booking system used by various airline…

Ransomware Gang Files SEC Complaint

A ransomware gang, annoyed at not being paid, filed an SEC complaint against its victim for not disclosing its security breach within the required four days.

This is over the top, but is just another example of the extreme pressure ransomware gangs put on companies after seizing their data. Gangs are now going through the data, looking for particularly important or embarrassing pieces of data to threaten executives with exposing. I have heard stories of executives’ families being threatened, of consensual porn being identified (people regularly mix work and personal email) and exposed, and of victims’ customers and partners being directly contacted. Ransoms are in the millions, and gangs do their best to ensure that the pressure to pay is intense…

New SEC Rules around Cybersecurity Incident Disclosures

The US Securities and Exchange Commission adopted final rules around the disclosure of cybersecurity incidents. There are two basic rules:

  1. Public companies must “disclose any cybersecurity incident they determine to be material” within four days, with potential delays if there is a national security risk.
  2. Public companies must “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats” in their annual filings.

The rules go into effect this December.

In an email newsletter, Melissa Hathaway wrote:…

Is a responsible disclosure for hardware-based vulnerabilities even possible?

In the last decade, side-channel attacks such as fault injection attacks (e.g., voltage glitching attacks) have been used to bypass JTAG locks or read-out memory protections. Such vulnerabilities might not be easy to prevent. They can be cause…

How to inform the owner of a site about a vulnerability if there is no feedback form? [closed]

Recently, I noticed several resources that may be in danger, but I did not find a feedback form, email, or another way to contact the owner and warn them. How can I notify the owners?
DoS seems to me a noticeable, but very rude, way to pay…

I found a way to remove controls on a school Chromebook. How should I tell the school? [duplicate]

Our school uses LanSchool Air and content keeper. I found a way to disable both.
I have already gotten my Chromebook taken away for "abusing Chromebook privileges". I think this is a major flaw that should be fixed.
How should I t…

Responsible Disclosure for Cryptocurrency Security

Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software.

Why can’t the cryptocurrency industry solve the problem the way the software and hardware industries do, by patching and updating security as flaws are found? Two reasons: First, many customers don’t have an ongoing relationship with the hardware and software providers that protect their funds—nor do they have an incentive to update security on a regular basis. Turning to a new security provider or using updated software creates risks; leaving everything the way it was feels safer. So users won’t be rushing to pay for and install new security patches…