Critical Unpatched Flaws Disclosed in Popular Gogs Open-Source Git Service

July 8, 2024 at 04:37AM Four critical security flaws have been identified in the Gogs open-source Git service, allowing attackers to execute arbitrary commands, steal source code, and plant backdoors. The vulnerabilities, disclosed by SonarSource researchers, require authentication for exploitation. The project maintainers have not implemented fixes, and users are advised to take precautions while …

In Other News: Microsoft Details ICS Flaws, Smart Grill Hacking, Predator Spyware Activity

July 5, 2024 at 07:52AM This week’s cybersecurity news roundup includes an Australian man charged for creating ‘evil twin’ Wi-Fi networks, dozens of vulnerabilities found in Sharp and Toshiba printers, a data breach at the Egyptian Health Department, and hacking of smart grills. Also covered are a Pakistan-linked Android spyware targeting gamers and weapons enthusiasts, …

CISO Corner: The NYSE & the SEC; Ransomware Negotiation Tips

June 28, 2024 at 04:15PM Wireless providers prioritize uptime and lag time at the expense of security, leaving users vulnerable to attacks. At Black Hat 2024, Penn State researchers will reveal how hackers can exploit 5G to intercept Internet traffic, leading to spying and phishing. The researchers have reported vulnerabilities to 5G vendors, but a …

Legal Defense Fund Covers Crypto Research

June 21, 2024 at 03:44PM Cryptocurrency theft prompts Security Alliance, formed by industry giants, to address cyber resilience with initiatives like Seal 911 and Whitehat Legal Defense Fund. The latter offers legal aid to ethical researchers facing expenses, emphasizing good-faith hacking and public safety commitment. Accused bad-faith actor complicates the issue for Kraken. From the …

Bug Bounty Programs, Hacking Contests Power China’s Cyber Offense

June 17, 2024 at 09:07PM Chinese cybersecurity experts have dramatically improved over the past decade, growing from hesitant participants to dominant players in global hack competitions and bug bounty programs. The Chinese government leverages its civilian hackers to strengthen its cyber-offensive capabilities. China’s cyber pipeline, focusing on practical cybersecurity and vulnerability disclosure, has significantly benefited …

French Bug Bounty Platform YesWeHack Raises $28 Million

June 14, 2024 at 03:00AM YesWeHack, a French bug bounty and vulnerability disclosure policy company, has raised €26 million in a Series C funding round, bringing its total raised to over $52 million. The investment was led by Wendel, with additional capital from other partners. YesWeHack plans to use the funds to invest in AI, …

Vulnerabilities Patched in Kiuwan Code Security Products After Long Disclosure Process

June 6, 2024 at 08:18AM Kiuwan, a code security firm owned by US-based Idera, took almost two years to patch critical vulnerabilities in its SAST and Local Analyzer products. Discovered by SEC Consult, the flaws included XSS, XXE injection, privilege escalation, and IDOR issues, posing significant security risks to users. Despite extensive coordination, Kiuwan’s response …

Exploit for critical Progress Telerik auth bypass released, patch now

June 3, 2024 at 02:01PM Researchers have demonstrated a chained remote code execution vulnerability on Progress Telerik Report Servers. The exploit, developed by Sina Kheirkhah with assistance from Soroush Dalili, involves an authentication bypass and deserialization issue. Urgent updates (Telerik Report Server 2024 Q2 10.1.24.514 or later) are recommended. Progress Software’s history warrants prompt action …

An Argument for Coordinated Disclosure of New Exploits

May 30, 2024 at 10:06AM In 2023, over 23,000 vulnerabilities were disclosed, leading to a race to release exploits. Coordinated disclosure involves alerting vendors and waiting to publicly release findings. Full disclosure argues for immediate transparency to prompt patches. Responsible disclosure is crucial due to the potential exploitation of vulnerabilities. Publicly releasing exploit research can …

TP-Link Gaming Router Vulnerability Exposes Users to Remote Code Attacks

May 28, 2024 at 02:45AM A critical security flaw, CVE-2024-5035, with a 10.0 CVSS score, was discovered in TP-Link Archer C5400X router, allowing remote code execution. The flaw, patched in version 1_1.1.7, arises from a binary related to radio frequency testing, exposing a network listener. TP-Link’s fix blocks commands with special characters. Other undisclosed vulnerabilities …