German Law Could Protect Researchers Reporting Vulns

November 6, 2024 at 04:36PM. Germany’s draft legislation aims to protect security researchers from criminal liability when they report vulnerabilities. It amends existing law to define criteria for legitimate security research and proposes penalties for malicious acts, with the intent of encouraging the reporting of flaws rather than punishing those who find them.

Germany drafts law to protect researchers who find security flaws

November 6, 2024 at 10:19AM. Germany’s Federal Ministry of Justice has proposed a law to protect security researchers from criminal liability when they report vulnerabilities. The draft amends the Criminal Code, providing a legal safe harbour in defined circumstances and imposing stricter penalties for serious data crimes. Feedback is due by December 13, 2024, before the bill goes to parliament.

Hackers Could Have Remotely Controlled Kia Cars Using Only License Plates

September 26, 2024 at 12:06PM. Researchers disclosed vulnerabilities in Kia vehicles that allowed remote control and access to sensitive information by abusing the dealership infrastructure, starting from nothing more than a license plate. On vehicles made after 2013, attackers could add themselves as “invisible” users and then track the vehicle and send it commands without the owner noticing. Kia patched the flaws in August 2024 following responsible …

Hacker Conversations: Joe Grand – Mischiefmaker, Troublemaker, Teacher

September 25, 2024 at 10:42AM. Joe Grand grew from a curious child into a seasoned hacker, channelling his early mischief into ethical hacking. His membership of the L0pht hacker collective played a pivotal role in that transformation. Today, as founder of Grand Idea Studio, he passes his knowledge and experience on to organizations, advocating …

Unpatched Vulnerabilities Expose Riello UPSs to Hacking: Security Firm

September 24, 2024 at 09:36AM. Riello UPS devices are exposed to attack through unpatched vulnerabilities, according to Austria-based security firm CyberDanube. The flaws in the NetMan 204 network communications card let attackers take control of the UPS, a risk that is most acute for units whose management card is reachable directly from the internet. Riello has yet to address these …

Ivanti fixes maximum severity RCE bug in Endpoint Management software

September 10, 2024 at 03:37PM. Ivanti has patched a maximum-severity vulnerability (CVE-2024-29847) in its Endpoint Management software that could allow unauthenticated attackers to execute code remotely on the core server. The company also addressed almost two dozen other high- and critical-severity flaws across its products. Ivanti has seen a rise in fixed flaws …

Assume Breach When Building AI Apps

August 19, 2024 at 11:13AM. The author highlights the growing role of AI in security analysis, acknowledging its efficiency while cautioning about the difficulty of preventing jailbreaks. They discuss conflicting views on disclosure and argue for assuming that jailbreaking an AI model is trivial, recommending that teams focus on monitoring and rapid response rather than trying to build an unbreakable system.

Experts Uncover Severe AWS Flaws Leading to RCE, Data Theft, and Full-Service Takeovers

August 9, 2024 at 06:39PM. Cloud security researchers discovered critical flaws in Amazon Web Services (AWS) that could lead to remote code execution, user takeover, data exposure, and denial of service. The “Bucket Monopoly” issue lets an attacker obtain covert access to S3 buckets, potentially enabling data theft, privilege escalation, and execution of malicious code. AWS …

Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform

July 25, 2024 at 06:10AM. Researchers have identified a privilege escalation vulnerability, named ConfusedFunction, in Google Cloud Platform’s Cloud Functions service that enables unauthorized access to other services and sensitive data. The issue, which stems from the permissions of the Cloud Build service account and was disclosed by Tenable, has been addressed by Google, although existing instances are not covered by the fix. Other cloud providers have …

Researcher Uncovers Flaws in Cox Modems, Potentially Impacting Millions

June 3, 2024 at 06:30AM. Security researcher Sam Curry identified authorization bypass issues in Cox modems that could allow unauthorized access and the execution of malicious commands. Following responsible disclosure, the U.S. broadband provider promptly addressed the vulnerabilities. Curry’s analysis showed that an attacker could reach sensitive customer data and modify device settings, posing …