Dumping Encrypted-At-Rest Firmware Of Xiaomi Smart Kettle

The microcontroller described in the article, on the PCB taken out of the kettle

[aleaksah] got himself a Mi Smart Kettle Pro, a kettle with Bluetooth connectivity, and a smartphone app to go with it. Despite all the smarts, it couldn’t be turned on …

Java Cryptography Implementation Mistake Allows Digital-Signature Forgeries

Interesting implementation mistake:

The vulnerability, which Oracle patched on Tuesday, affects the company’s implementation of the Elliptic Curve Digital Signature Algorithm in Java versions 15 and above. ECDSA is an algorithm that uses the principles of elliptic curve cryptography to authenticate messages digitally.

[…]

ECDSA signatures rely on a pseudo-random number, typically notated as K, that’s used to derive two additional numbers, R and S. To verify a signature as valid, a party must check the equation involving R and S, the signer’s public key, and a cryptographic hash of the message. When both sides of the equation are equal, the signature is valid. …


Microsoft fixes actively exploited zero-day reported by the NSA (CVE-2022-24521)

On this April 2022 Patch Tuesday, Microsoft has released patches for 128 CVE-numbered vulnerabilities, including one zero-day exploited in the wild (CVE-2022-24521) and another (CVE-2022-26904) for which there’s already a PoC and a Metasploit mod…

Windows Autopatch: Managed enterprise patching for Windows and Office

While IT administrators are mentally preparing themselves for yet another Patch Tuesday, Microsoft has announced Windows Autopatch: a new service that aims to make the second Tuesday of every month “just another Tuesday.” About Windows Autopat…

Log4Shell exploitation: Which applications may be targeted next?

Spring4Shell (CVE-2022-22965) has dominated the information security news these last six days, but Log4Shell (CVE-2021-44228) continues to demand attention and action from enterprise defenders as diverse vulnerable applications are being targeted in at…

Organizations taking nearly two months to remediate critical risk vulnerabilities

Edgescan announces the findings of a report which offers a comprehensive view of the state of vulnerability management globally. This year’s report takes a more granular look at the trends by industry, and provides details on which of the known, …

We have a very secure system setup and want to know if someone would be able to hack into our PC and steal sensitive files given our IT setup? [closed]

Our single PC is in a data centre in a co-location “locked” rack, so no person has physical access to my PC except for myself, which means no person can insert a USB stick into the PC and steal my sensitive files that way.
Via our Cisco hard…