How Can Businesses Defend Themselves Against Common Cyberthreats?

TechRepublic consolidated expert advice on how businesses can defend themselves against the most common cyberthreats, including zero-days, ransomware and deepfakes. Continue reading How Can Businesses Defend Themselves Against Common Cyberthreats?

Assessing the Y, and How, of the XZ Utils incident

In this article we analyze social engineering aspects of the XZ backdoor incident. Namely pressuring the XZ maintainer to pass on the project to Jia Cheong Tan, and then urging major downstream maintainers to commit the backdoored code to their projects. Continue reading Assessing the Y, and How, of the XZ Utils incident

GenAI can enhance security awareness training

One of the biggest concerns over generative AI is its ability to manipulate us, which makes it ideal for orchestrating social engineering attacks. From mining someone’s digital footprint to crafting highly convincing spear phishing emails, to voice cap… Continue reading GenAI can enhance security awareness training

Using Legitimate GitHub URLs for Malware

Interesting social-engineering attack vector:

McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the “C++ Library Manager for Windows, Linux, and MacOS,” known as vcpkg.

The attacker is exploiting a property of GitHub: comments to a particular repo can contain files, and those files will be associated with the project in the URL.

What this means is that someone can upload malware and “attach” it to a legitimate and trusted project.

As the file’s URL contains the name of the repository the comment was created in, and as almost every software company uses GitHub, this flaw can allow threat actors to develop extraordinarily crafty and trustworthy lures…

Continue reading Using Legitimate GitHub URLs for Malware

Other Attempts to Take Over Open Source Projects

After the XZ Utils discovery, people have been examining other open-source projects. Surprising no one, the incident is not unique:

The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor…

Continue reading Other Attempts to Take Over Open Source Projects

Cisco Duo provider breached, SMS MFA logs compromised

Hackers have managed to compromise a telephony provider for Duo, the Cisco-owned company providing secure access solutions, and steal MFA (multi-factor authentication) SMS message logs of Duo customers. About the attack The unnamed provider – one… Continue reading Cisco Duo provider breached, SMS MFA logs compromised

New open-source project takeover attacks spotted, stymied

The OpenJS Foundation has headed off a “credible takeover attempt” similar to the one that resulted in a backdoor getting included in the open-source XZ Utils package by someone who called themselves “Jia Tan”. This malicious ma… Continue reading New open-source project takeover attacks spotted, stymied

OpenSSF Warns of Fake Maintainers Targeting JavaScript Projects

By Deeba Ahmed
Alarming social engineering attacks target critical open-source projects! Learn how to protect your project and the open-source community from takeovers.
This is a post from HackRead.com Read the original post: OpenSSF Warns of Fake Main… Continue reading OpenSSF Warns of Fake Maintainers Targeting JavaScript Projects

Texting Secrets: How Messenger Apps Guard Your Chats

By Uzair Amir
Worried about prying eyes? We explain how messenger apps keep your chats confidential with features like encryption & multi-factor authentication. Learn about security risks & emerging technologies for a safer digital future.
T… Continue reading Texting Secrets: How Messenger Apps Guard Your Chats