Yandex Source Code Online Leaked, Company Denies Hack
By Waqas. The threat actor has dumped a whopping 44.7 GB worth of Yandex data, including its source code repository, on a popular hacker forum. This is a post from HackRead.com. Read the original post: Yandex Source Code Online Leaked, Company Denies Hack
https://www.hackread.com/yandex-source-code-hacked-leaked/
Share: LinkedIn / Twitter / Facebook / View / View (lite)

Yesterday's news

Microsoft Urges Customers to Secure On-Premises Exchange Servers
Microsoft is urging customers to keep their Exchange servers updated as well as take steps to bolster the environment, such as enabling Windows Extended Protection and configuring certificate-based signing of PowerShell serialization payloads. "Attackers looking to exploit unpatched Exchange servers are not going to go away," the tech giant's Exchange Team said in a post. "There are too many
https://thehackernews.com/2023/01/microsoft-urges-customers-to-secure-on.html

Eliminating SaaS Shadow IT is Now Available via a Self-Service Product, Free of Charge
The use of software as a service (SaaS) is experiencing rapid growth and shows no signs of slowing down. Its decentralized and easy-to-use nature is beneficial for increasing employee productivity, but it also poses many security and IT challenges. Keeping track of all the SaaS applications that have been granted access to an organization's data is a difficult task. Understanding the risks that
https://thehackernews.com/2023/01/eliminating-saas-shadow-it-is-now.html

ISC Releases Security Patches for New BIND DNS Software Vulnerabilities
The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could lead to a denial-of-service (DoS) condition. "A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions and system failures," the U.S. Cybersecurity
https://thehackernews.com/2023/01/isc-releases-security-patches-for-new.html

Ukraine Hit with New Golang-based 'SwiftSlicer' Wiper Malware in Latest Cyber Attack
Ukraine has come under a fresh cyber onslaught from Russia that involved the deployment of a previously undocumented Golang-based data wiper dubbed SwiftSlicer. ESET attributed the attack to Sandworm, a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). "Once executed it deletes shadow
https://thehackernews.com/2023/01/ukraine-hit-with-new-golang-based.html

Researchers to release VMware vRealize Log RCE exploit, patch now
Security researchers with Horizon3's Attack Team will release next week an exploit targeting a vulnerability chain for gaining remote code execution on unpatched VMware vRealize Log Insight appliances. [...]
https://www.bleepingcomputer.com/news/security/researchers-to-release-vmware-vrealize-log-rce-exploit-patch-now/

Hackers use new SwiftSlicer wiper to destroy Windows domains
Security researchers have identified a new data-wiping malware they named SwiftSlicer that aims to overwrite crucial files used by the Windows operating system. [...]
https://www.bleepingcomputer.com/news/security/hackers-use-new-swiftslicer-wiper-to-destroy-windows-domains/

The Week in Ransomware - January 27th 2023 - 'We hacked the hackers'
For the most part, this week has been relatively quiet regarding ransomware attacks and research — that is, until the FBI announced the disruption of the Hive ransomware operation. [...]
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-27th-2023-we-hacked-the-hackers/

Copycat Criminals mimicking Lockbit gang in northern Europe
Recent reports of Lockbit locker-based attacks against North European SMBs indicate that local crooks started using Lockbit locker variants. Executive Summary / Incident Insights: Recently, there has been a significant increase in ransomware attacks targeting companies in northern Europe. These attacks are being carried out using the LockBit locker, which is known to be in use […] The post Copycat Criminals mimicking Lockbit gang in northern Europe appeared first on Security Affairs.
https://securityaffairs.com/141491/cyber-crime/crooks-mimicking-lockbit-gang.html

Sandworm APT targets Ukraine with new SwiftSlicer wiper
Russia-linked Sandworm APT group is behind a new Golang-based wiper, tracked as SwiftSlicer, that hit Ukraine, ESET reports. Researchers from ESET discovered a new Golang-based wiper, dubbed SwiftSlicer, that was used in attacks aimed at Ukraine. The experts believe that the Russia-linked APT group Sandworm (aka BlackEnergy and TeleBots) is behind the wiper attacks. The Sandworm group has been […] The post Sandworm APT targets Ukraine with new SwiftSlicer wiper appeared first on Security Affairs.
https://securityaffairs.com/141473/apt/sandworm-targets-ukraine-swiftslicer.html

ISC fixed high-severity flaws in DNS software suite BIND
The latest BIND updates patch multiple remotely exploitable vulnerabilities that could lead to denial-of-service (DoS). BIND is a suite of software for interacting with the Domain Name System (DNS) maintained by the Internet Systems Consortium (ISC). The ISC released security patches to address multiple high-severity denial-of-service (DoS) vulnerabilities in the DNS software suite. Threat actors can exploit […] The post ISC fixed high-severity flaws in DNS software suite BIND appeared first on Security Affairs.
https://securityaffairs.com/141465/security/isc-fixed-bind-flaws.html

SSTImap - Automatic SSTI Detection Tool With Interactive Interface
SSTImap is a penetration testing tool that checks websites for Code Injection and Server-Side Template Injection (SSTI) vulnerabilities and exploits them, giving access to the operating system itself. It was developed as an interactive penetration testing tool for SSTI detection and exploitation, which allows more advanced exploitation.

Sandbox break-out techniques came from:
- James Kettle's "Server-Side Template Injection: RCE For The Modern Web App"
- Other public research [1] [2]
- Contributions to Tplmap [3] [4]

This tool is capable of exploiting some code context escapes and blind injection scenarios. It also supports eval()-like code injections in Python, Ruby, PHP, Java and generic unsandboxed template engines.

Differences with Tplmap
Even though this software is based on Tplmap's code, backwards compatibility is not provided.
- Interactive mode (-i) allowing for easier exploitation and detection
- Base language eval()-like shell (-x) or single command (-X) execution
- Added new payload for Smarty without enabled {php}{/php}. Old payload is available as Smarty_unsecure.
- User-Agent can be randomly selected from a list of desktop browser agents using -A
- SSL verification can now be enabled using -V
- Short versions added to all arguments
- Some old command line arguments were changed, check -h for help
- Code is changed to use newer Python features
- Burp Suite extension temporarily removed, as Jython doesn't support Python3

Server-Side Template Injection
This is an example of a simple website written in Python using the Flask framework and the Jinja2 template engine. It integrates the user-supplied variable name in an unsafe way, as it is concatenated to the template string before rendering.

    from flask import Flask, request, render_template_string
    import os

    app = Flask(__name__)

    @app.route("/page")
    def page():
        name = request.args.get('name', 'World')
        # SSTI VULNERABILITY: user input becomes part of the template source
        template = f"Hello, {name}!<br>\n" \
                   "OS type: {{os}}"
        return render_template_string(template, os=os.name)

    if __name__ == "__main__":
        app.run(host='0.0.0.0', port=80)

Not only does this way of using templates create an XSS vulnerability, it also allows the attacker to inject template code that will be executed on the server, leading to SSTI.

    $ curl -g 'https://www.target.com/page?name=John'
    Hello John!<br>OS type: posix
    $ curl -g 'https://www.target.com/page?name={{7*7}}'
    Hello 49!<br>OS type: posix

User-supplied input should be introduced in a safe way through the rendering context:

    from flask import Flask, request, render_template_string
    import os

    app = Flask(__name__)

    @app.route("/page")
    def page():
        name = request.args.get('name', 'World')
        # the template source is constant; the value is passed as context data
        template = "Hello, {{name}}!<br>\n" \
                   "OS type: {{os}}"
        return render_template_string(template, name=name, os=os.name)

    if __name__ == "__main__":
        app.run(host='0.0.0.0', port=80)

Predetermined mode
SSTImap in predetermined mode is very similar to Tplmap. It is capable of detecting and exploiting SSTI vulnerabilities in multiple different templates. After the exploitation, SSTImap can provide access to code evaluation, OS command execution and file system manipulations. To check the URL, you can use the -u argument:

    $ ./sstimap.py -u https://example.com/page?name=John

    (SSTImap ASCII-art banner)
    [*] Version: 1.0
    [*] Author: @vladko312
    [*] Based on Tplmap
    [!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal.
        It is the end user's responsibility to obey all applicable local, state and federal laws.
        Developers assume no liability and are not responsible for any misuse or damage caused by this program

    [*] Testing if GET parameter 'name' is injectable
    [*] Smarty plugin is testing rendering with tag '*'
    ...
    [*] Jinja2 plugin is testing rendering with tag '{{*}}'
    [+] Jinja2 plugin has confirmed injection with tag '{{*}}'
    [+] SSTImap identified the following injection point:

      GET parameter: name
      Engine: Jinja2
      Injection: {{*}}
      Context: text
      OS: posix-linux
      Technique: render
      Capabilities:
        Shell command execution: ok
        Bind and reverse shell: ok
        File write: ok
        File read: ok
        Code evaluation: ok, python code

    [+] Rerun SSTImap providing one of the following options:
        --os-shell                   Prompt for an interactive operating system shell
        --os-cmd                     Execute an operating system command.
        --eval-shell                 Prompt for an interactive shell on the template engine base language.
        --eval-cmd                   Evaluate code in the template engine base language.
        --tpl-shell                  Prompt for an interactive shell on the template engine.
        --tpl-cmd                    Inject code in the template engine.
        --bind-shell PORT            Connect to a shell bind to a target port
        --reverse-shell HOST PORT    Send a shell back to the attacker's port
        --upload LOCAL REMOTE        Upload files to the server
        --download REMOTE LOCAL      Download remote files

Use the --os-shell option to launch a pseudo-terminal on the target.

    $ ./sstimap.py -u https://example.com/page?name=John --os-shell

    (SSTImap ASCII-art banner)
    [*] Version: 0.6#dev
    [*] Author: @vladko312
    [*] Based on Tplmap
    [!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal.
        It is the end user's responsibility to obey all applicable local, state and federal laws.
        Developers assume no liability and are not responsible for any misuse or damage caused by this program

    (same detection output as above)

    [+] Run commands on the operating system.
    posix-linux $ whoami
    root
    posix-linux $ cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin

To get a full list of options, use the --help argument.

Interactive mode
In interactive mode, commands are used to interact with SSTImap. To enter interactive mode, you can use the -i argument. All other arguments, except for the ones regarding exploitation payloads, will be used as initial values for settings. Some commands are used to alter settings between test runs. To run a test, the target URL must be supplied via the initial -u argument or the url command. After that, you can use the run command to check the URL for SSTI. If SSTI was found, commands can be used to start the exploitation. You get the same exploitation capabilities as in predetermined mode, but you can use Ctrl+C to abort them without stopping the program. Test results are valid until the target URL is changed, so you can easily switch between exploitation methods without running the detection test every time. To get a full list of interactive commands, use the command help in interactive mode.

Supported template engines
SSTImap supports multiple template engines and eval()-like injections. New payloads are welcome in PRs.

    Engine                           RCE  Blind  Code evaluation  File read  File write
    Mako                             ✓    ✓      Python           ✓          ✓
    Jinja2                           ✓    ✓      Python           ✓          ✓
    Python (code eval)               ✓    ✓      Python           ✓          ✓
    Tornado                          ✓    ✓      Python           ✓          ✓
    Nunjucks                         ✓    ✓      JavaScript       ✓          ✓
    Pug                              ✓    ✓      JavaScript       ✓          ✓
    doT                              ✓    ✓      JavaScript       ✓          ✓
    Marko                            ✓    ✓      JavaScript       ✓          ✓
    JavaScript (code eval)           ✓    ✓      JavaScript       ✓          ✓
    Dust (<= dustjs-helpers@1.5.0)   ✓    ✓      JavaScript       ✓          ✓
    EJS                              ✓    ✓      JavaScript       ✓          ✓
    Ruby (code eval)                 ✓    ✓      Ruby             ✓          ✓
    Slim                             ✓    ✓      Ruby             ✓          ✓
    ERB                              ✓    ✓      Ruby             ✓          ✓
    Smarty (unsecured)               ✓    ✓      PHP              ✓          ✓
    Smarty (secured)                 ✓    ✓      PHP              ✓          ✓
    PHP (code eval)                  ✓    ✓      PHP              ✓          ✓
    Twig (<=1.19)                    ✓    ✓      PHP              ✓          ✓
    Freemarker                       ✓    ✓      Java             ✓          ✓
    Velocity                         ✓    ✓      Java             ✓          ✓
    Twig (>1.19)                     ×    ×      ×                ×          ×
    Dust (> dustjs-helpers@1.5.0)    ×    ×      ×                ×          ×

Burp Suite Plugin
Currently, Burp Suite only works with Jython as a way to execute python2. Python3 functionality is not provided.

Future plans
If you plan to contribute something big from this list, inform me to avoid working on the same thing as me or other contributors.
- Make template and base language evaluation functionality more uniform
- Add more payloads for different engines
- Short arguments as interactive commands?
- Automatic languages and engines import
- Engine plugins as objects of Plugin class?
- JSON/plaintext API modes for scripting integrations?
- Argument to remove escape codes?
- Spider/crawler automation
- Better integration for Python scripts
- More POST data types support
- Payload processing scripts

Download SSTImap
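The two Flask snippets in the SSTImap write-up above show the unsafe and the safe pattern, but not what the difference looks like on concrete inputs. The following is an added example (it is not part of SSTImap or of the README, and it assumes the jinja2 package is installed): it renders the same template both ways with Jinja2 directly, so it runs offline without Flask, and adds a small request-parameter check a defender can use to log template-syntax probes such as the {{7*7}} test described above. The probe patterns are a constructed list, not anything SSTImap ships.

```python
"""Concatenated template source vs. render context, plus a probe detector.
Added example; assumes `pip install jinja2`. Mirrors the README's template."""
import os
import re
from jinja2 import Environment

# autoescape=True is what Flask's render_template_string applies to this template
_env = Environment(autoescape=True)


def render_unsafe(name: str, os_name: str = os.name) -> str:
    # VULNERABLE (kept for illustration): the user value is spliced into the
    # template *source*, so Jinja2 parses and evaluates whatever it contains,
    # and autoescaping never sees it because it is not a context value.
    template_src = "Hello, " + name + "!<br>\nOS type: {{ os }}"
    return _env.from_string(template_src).render(os=os_name)


def render_safe(name: str, os_name: str = os.name) -> str:
    # SAFE: the template source is a constant; the value arrives through the
    # render context, is treated as data, and is HTML-escaped on output.
    template_src = "Hello, {{ name }}!<br>\nOS type: {{ os }}"
    return _env.from_string(template_src).render(name=name, os=os_name)


# Expression-opening syntax of common engines. A request parameter carrying
# one of these is worth logging as a probable SSTI probe. Constructed list.
_PROBE_PATTERNS = [
    r"\{\{.*?\}\}",            # Jinja2, Twig, Nunjucks, Tornado
    r"\{%.*?%\}",              # Jinja2/Twig statements
    r"\$\{.*?\}",              # Freemarker, Mako, Groovy
    r"<%.*?%>",                # ERB, EJS, JSP
    r"#\{.*?\}",               # Ruby/Slim interpolation, Spring EL
    r"\{\d+\s*[*+]\s*\d+\}",   # Smarty-style arithmetic probe such as {7*7}
]
_PROBE_RE = re.compile("|".join(_PROBE_PATTERNS), re.DOTALL)


def is_ssti_probe(value: str) -> bool:
    """True when a request value contains template-expression syntax."""
    return _PROBE_RE.search(value) is not None


def flag_suspicious_params(params: dict) -> list:
    """Names of the query parameters whose values look like SSTI probes."""
    return [key for key, value in params.items() if is_ssti_probe(value)]


if __name__ == "__main__":
    for probe in ("John", "{{7*7}}", "<b>hi</b>"):
        print(repr(probe), "unsafe ->", repr(render_unsafe(probe, "posix")))
        print(repr(probe), "safe   ->", repr(render_safe(probe, "posix")))
    # constructed query string: the `name` parameter carries the classic probe
    print(flag_suspicious_params({"name": "{{7*7}}", "page": "2"}))
```

The unsafe renderer turns {{7*7}} into 49 and passes HTML tags through untouched, while the safe renderer returns the probe literally and escapes the tags; the probe check is a logging aid for the web tier, not a substitute for fixing the rendering, since engine syntax varies and legitimate input can contain braces.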
http://www.kitploit.com/2023/01/sstimap-automatic-ssti-detection-tool.html

FBI Hacks Back Hive Ransomware Gang's Infrastructure – Website Seized
As a result of an international law enforcement operation, the sites utilized by the Hive ransomware operation for both payments and data leaks on the Tor network were successfully taken over, following the FBI’s infiltration of the group’s infrastructure in July. An international law enforcement operation, led by the US Department of Justice and Europol, […] The post FBI Hacks Back Hive Ransomware Gang’s Infrastructure – Website Seized appeared first on GBHackers - Latest Cyber Security News | Hacker News.
https://gbhackers.com/fbi-hacks-back-hive-ransomware/

Extradited Alleged ShinyHunters Hacker Pleads Not Guilty in US Court
By Habiba Rashid. The alleged member of the ShinyHunters group, Sebastian Raoult, is a French citizen who was arrested in Morocco in 2022 and extradited to the U.S. this week. This is a post from HackRead.com. Read the original post: Extradited Alleged ShinyHunters Hacker Pleads Not Guilty in US Court
https://www.hackread.com/shinyhunters-hacker-pleads-not-guilty/

News from two days ago

Compliance Auditing for Data Security Posture Management
The introduction of cloud computing has significantly changed how online businesses function. Working with data… Compliance Auditing for Data Security Posture Management on Latest Hacking News | Cyber Security News, Hacking Tools and Penetration Testing Courses.
https://latesthackingnews.com/2023/01/27/compliance-auditing-for-data-security-posture-management/

Experts Uncover the Identity of Mastermind Behind Golden Chickens Malware Service
Cybersecurity researchers have discovered the real-world identity of the threat actor behind Golden Chickens malware-as-a-service, who goes by the online persona "badbullzvenom." eSentire's Threat Response Unit (TRU), in an exhaustive report published following a 16-month-long investigation, said it "found multiple mentions of the badbullzvenom account being shared between two people." The
https://thehackernews.com/2023/01/experts-uncover-identity-of-mastermind.html

Researchers Discover New PlugX Malware Variant Spreading via Removable USB Devices
Cybersecurity researchers have uncovered a PlugX sample that employs sneaky methods to infect attached removable USB media devices in order to propagate the malware to additional systems. "This PlugX variant is wormable and infects USB devices in such a way that it conceals itself from the Windows operating file system," Palo Alto Networks Unit 42 researchers Mike Harbison and Jen Miller-Osborn
https://thehackernews.com/2023/01/researchers-discover-new-plugx-malware.html

3 Lifehacks While Analyzing Orcus RAT in a Malware Sandbox
Orcus is a Remote Access Trojan with some distinctive characteristics. The RAT allows attackers to create plugins and offers a robust core feature set that makes it quite a dangerous malicious program in its class. RAT is quite a stable type that always makes it to the top. [Figure: ANY.RUN's top malware types in 2022] That's why you'll definitely come across this type in your practice, and the Orcus
https://thehackernews.com/2023/01/3-lifehacks-while-analyzing-orcus-rat.html

British Cyber Agency Warns of Russian and Iranian Hackers Targeting Key Industries
The U.K. National Cyber Security Centre (NCSC) on Thursday warned of spear-phishing attacks mounted by Russian and Iranian state-sponsored actors for information-gathering operations. "The attacks are not aimed at the general public but targets in specified sectors, including academia, defense, government organizations, NGOs, think tanks, as well as politicians, journalists and activists," the
https://thehackernews.com/2023/01/british-cyber-agency-warns-of-russian.html

Massive Microsoft 365 outage caused by WAN router IP change
Microsoft says this week's five-hour-long Microsoft 365 worldwide outage was caused by a router IP address change that led to packet forwarding issues between all other routers in its Wide Area Network (WAN). [...]
https://www.bleepingcomputer.com/news/microsoft/massive-microsoft-365-outage-caused-by-wan-router-ip-change/

Ukraine: Sandworm hackers hit news agency with 5 data wipers
The Ukrainian Computer Emergency Response Team (CERT-UA) found a cocktail of five different data-wiping malware strains deployed on the network of the country's national news agency (Ukrinform) on January 17th. [...]
https://www.bleepingcomputer.com/news/security/ukraine-sandworm-hackers-hit-news-agency-with-5-data-wipers/

Microsoft fixes Windows 11 issue behind Remote Desktop freezes
Microsoft has addressed a known issue causing Remote Desktop app freezes on Windows 11 systems after installing the Windows 11 2022 Update. [...]
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-11-issue-behind-remote-desktop-freezes/

PlugX malware hides on USB devices to infect new Windows hosts
Security researchers have analyzed a variant of the PlugX malware that can hide malicious files on removable USB devices and then infect the Windows hosts they connect to. [...]
https://www.bleepingcomputer.com/news/security/plugx-malware-hides-on-usb-devices-to-infect-new-windows-hosts/

Microsoft starts force upgrading Windows 11 21H2 devices
Microsoft has started the forced rollout of Windows 11 22H2 to systems running Windows 11 21H2 that are approaching their end-of-support (EOS) date on October 10, 2023. [...]
https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-force-upgrading-windows-11-21h2-devices/

Windows 11 KB5022360 preview update released with 15 improvements
Microsoft has released the Windows 11 22H2 KB5022360 preview cumulative update with fifteen fixes or improvements. [...]
https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5022360-preview-update-released-with-15-improvements/

Patch management is crucial to protect Exchange servers, Microsoft warns
Microsoft warns customers to patch their Exchange servers because attackers always look to exploit unpatched installs. Microsoft published a post to urge its customers to protect their Exchange servers because threat actors actively attempt to exploit vulnerabilities in unpatched installs. The IT giant recommends installing the latest available Cumulative Update (CU) and Security Update (SU) […] The post Patch management is crucial to protect Exchange servers, Microsoft warns appeared first on Security Affairs.
https://securityaffairs.com/141451/security/microsoft-exchange-servers-patch.html

Hacker accused of having stolen personal data of all Austrians and more
A Dutch hacker who was arrested at the end of last year claims to have stolen the personal data of almost all Austrians. At the end of November 2022, the Amsterdam police arrested a 25-year-old man from Almere who is suspected of having stolen or traded the personal data of tens of millions of people […] The post Hacker accused of having stolen personal data of all Austrians and more appeared first on Security Affairs.
https://securityaffairs.com/141439/cyber-crime/hacker-stole-personal-data-austrians.html

CVE-2023-23560 flaw exposes 100 Lexmark printer models to hack
Lexmark released a security firmware update to fix a remote code execution flaw, tracked as CVE-2023-23560, that impacts more than 100 printer models. Lexmark has released a security firmware update to address a remote code execution vulnerability, tracked as CVE-2023-23560, that impacts more than 100 printer models. The CVE-2023-23560 flaw is a server-side request forgery […] The post CVE-2023-23560 flaw exposes 100 Lexmark printer models to hack appeared first on Security Affairs.
https://securityaffairs.com/141428/hacking/lexmark-cve-2023-23560-rce.html

BlackCat Ransomware gang stole secret military data from an industrial explosives manufacturer
The BlackCat Ransomware group claims to have hacked SOLAR INDUSTRIES INDIA and to have stolen 2TB of “secret military data.” The BlackCat Ransomware gang added SOLAR INDUSTRIES INDIA to the list of victims published on its Tor leak site. The company is a globally recognised industrial explosives manufacturer; it provides complete blasting solutions, including packaged, […] The post BlackCat Ransomware gang stole secret military data from an industrial explosives manufacturer appeared first on Security Affairs.
https://securityaffairs.com/141409/data-breach/blackcat-ransomware-solar-industries-india.html

A DevOps Security Tutorial for Digital Business Leaders (Clone)
DevOps is a great approach to improve the speed and efficiency of software development, but there is an even better way to approach the process with security in mind. Find out what approach works best for digital business leaders and how to implement these changes in your organization.
https://www.legitsecurity.com/blog/a-devops-security-tutorial-for-digital-business-leaders-0

Deserialized web security roundup: 'Catastrophic cyber events', another T-Mobile breach, more LastPass problems
Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news
https://portswigger.net/daily-swig/deserialized-web-security-roundup-catastrophic-cyber-events-another-t-mobile-breach-more-lastpass-problems

Facebook two-factor authentication bypass issue patched
Security vulnerability was one of Meta's top bugs of 2022
https://portswigger.net/daily-swig/facebook-two-factor-authentication-bypass-issue-patched

Are you in control of your personal data? – Week in security with Tony Anscombe
Data Privacy Week is a reminder to protect your data – all year round. Here are three privacy-boosting habits you can start today. The post Are you in control of your personal data? – Week in security with Tony Anscombe appeared first on WeLiveSecurity
https://www.welivesecurity.com/videos/control-your-personal-information-week-security-tony-anscombe/

SwiftSlicer: New destructive wiper malware strikes Ukraine
Sandworm continues to conduct attacks against carefully chosen targets in the war-torn country The post SwiftSlicer: New destructive wiper malware strikes Ukraine appeared first on WeLiveSecurity
https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/

BlueHound - Tool That Helps Blue Teams Pinpoint The Security Issues That Actually Matter
BlueHound is an open-source tool that helps blue teams pinpoint the security issues that actually matter. By combining information about user permissions, network access and unpatched vulnerabilities, BlueHound reveals the paths attackers would take if they were inside your network. It is a fork of NeoDash, reimagined to make it suitable for defensive security purposes.

To get started with BlueHound, check out our introductory video, blog post and Nodes22 conference talk.

BlueHound supports presenting your data as tables, graphs, bar charts, line charts, maps and more. It contains a Cypher editor to directly write the Cypher queries that populate the reports. You can save dashboards to your database, and share them with others.

Main Features
- Full Automation: The entire cycle of collection, analysis and reporting is basically done with a click of a button.
- Community Driven: BlueHound configuration can be exported and imported by others. Sharing of knowledge, best practices, collection methodologies and more is built into the tool itself.
- Easy Reporting: Creating a customized report can be done intuitively, without the need to write any code.
- Easy Customization: Any custom collection method can be added into BlueHound. Users can even add their own custom parameters or custom icons for their graphs.

Getting Started
ROST ISO
BlueHound can be used as part of the ROST image, which comes pre-configured with everything you need (BlueHound, Neo4j, BloodHound, and a sample dataset). To load ROST, create a new virtual machine, and install it from the ISO like you would for a new Windows host.

BlueHound Binary
If you already have a Neo4j instance running, you can download a pre-compiled version of BlueHound from our release page. Just download the zip file suitable to your OS version, extract it, and run the binary.

Using BlueHound
1. Connect to your Neo4j server.
2. Download SharpHound, ShotHound and the Vulnerability Scanner report parser.
3. Use the Data Import section to collect & import data into your Neo4j database.
4. Once you have data loaded, you can use the Configurations tab to set up the basic information that is used by the queries (e.g. Domain Admins group, crown jewels servers).
5. Finally, the Queries section can be used to prepare the reports.

BlueHound How-To
Data Collection
The Data Import Tools section can be used to collect data in a click of a button. By default, BlueHound comes preconfigured with SharpHound, ShotHound, and the Vulnerability Scanners script. Additional tools can be added for more data collection. To get started:
1. Download the relevant tools using the globe icon.
2. Configure the tool path & arguments for each tool.
3. Run the tools.
The built-in tools can be configured to automatically upload the results to your Neo4j instance.

Running & Viewing Queries
To get results for a chart, either use the Refresh icon to run a specific query, or use the Query Runner section to run queries in batches. The results will be cached even after closing BlueHound, and can be run again to get updated results. Some charts have an Info icon which explains the query and/or provides links to additional information.

Adding & Editing Queries
You can edit the query for new and/or existing charts by using the Settings icon on the top right section of the chart. Here you can use any parameters configured with a Param Select chart, and any Edge Filtering string (see section below).

Edge Filtering
Using the Edge Filtering section, you can filter out specific relationship types for all queries that use the relevant string in their query. For example, ":FILTERED_EDGES" can be used to filter by all the selection filters. You can also filter by a specific category (see the Info icon) or even define your own custom edge filters.

Import & Export Config
The Export Config and Import Config sections can be used to save & load your dashboard and configurations as a backup, and even share them between users to collaborate and contribute insightful queries to the security community. Don't worry, your credentials and data won't be exported. Note: any arguments for data import tools are also exported, so make sure you remove any secrets before sharing your configuration.

Settings
The Settings section allows you to set some global limits on query execution – maximum query time and a limit for returned results.

Technical Info
BlueHound is a fork of NeoDash, built with React and use-neo4j. It uses charts to power some of the visualizations. You can also extend NeoDash with your own visualizations. Check out the developer guide in the project repository.

Developer Guide
Run & Build using npm
BlueHound is built with React. You'll need npm installed to run the web app. Use a recent version of npm and node to build BlueHound. The application has been tested with npm 8.3.1 & node v17.4.0.

To run the application in development mode:
1. Clone this repository.
2. Open a terminal and navigate to the directory you just cloned.
3. Execute npm install to install the necessary dependencies.
4. Execute npm run dev to run the app in development mode.
5. The application should be available at http://localhost:3000.

To build the app for production:
1. Follow the steps above to clone the repository and install dependencies.
2. Execute npm run build. This will create a build folder in your project directory.
3. Deploy the contents of the build folder to a web server. You should then be able to run the web app.

Questions / Suggestions
We are always open to ideas, comments, and suggestions regarding future versions of BlueHound, so if you have ideas, don't hesitate to reach out to us at support@zeronetworks.com or open an issue/pull request on GitHub.

Download BlueHound
http://www.kitploit.com/2023/01/bluehound-tool-that-helps-blue-teams.html

Yandex Denies Hack – Source Code Leaked on Popular Hacking Forum
The source code of Yandex, the largest IT company in Russia and commonly referred to as the Russian Google, was hacked by attackers. On a well-known hacker site, a Yandex source code repository purportedly stolen by a former employee of the Russian technology giant was leaked as a torrent. Specifics of the Yandex Data Leak […] The post Yandex Denies Hack – Source Code Leaked on Popular Hacking Forum appeared first on GBHackers - Latest Cyber Security News | Hacker News.
https://gbhackers.com/yandex-data-leak/

Hackers Abuse Legitimate Remote Monitoring Tools to Steal Banking Data
A joint Cybersecurity Advisory (CSA) from the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) has been released to alert network defenders to malicious use of legitimate remote monitoring and management (RMM) software. In October 2022, CISA discovered a massive cyberattack that made use of malicious RMM […] The post Hackers Abuse Legitimate Remote Monitoring Tools to Steal Banking Data appeared first on GBHackers - Latest Cyber Security News | Hacker News.
https://gbhackers.com/hackers-abuse-remote-monitoring-tools/

PlugX Malware Sneaks Onto Windows PCs Through USB Devices
By Deeba Ahmed The new variant stood out among other malware because it can infect any attached removable USB device, e.g., floppy, flash, thumb drives, and any system the removable device is plugged into later. This is a post from HackRead.com Read the original post: PlugX Malware Sneaks Onto Windows PCs Through USB Devices
https://www.hackread.com/plugx-malware-usb-windows-pcs/

Hive Ransomware Gang Disrupted; Servers and Dark Web Site Seized
By Waqas The FBI and Europol have obtained decryption keys for the Hive ransomware, which they have already shared with victims. This is a post from HackRead.com Read the original post: Hive Ransomware Gang Disrupted; Servers and Dark Web Site Seized
https://www.hackread.com/hive-ransomware-gang-disrupted-site-seized/

News from previous days

Using Artificial Intelligence to Retain Tax Compliance – The Benefits
Tax compliance refers to the process of meeting tax regulations and filing taxes in a… Using Artificial Intelligence to Retain Tax Compliance – The Benefits on Latest Hacking News | Cyber Security News, Hacking Tools and Penetration Testing Courses.
https://latesthackingnews.com/2023/01/26/using-artificial-intelligence-to-retain-tax-compliance-the-benefits/

TROJANPUZZLE Attack Compels AI Assistants To Suggest Rogue Codes
Researchers have devised a novel attack strategy against AI assistants. Dubbed “TrojanPuzzle,” the data poisoning… TROJANPUZZLE Attack Compels AI Assistants To Suggest Rogue Codes on Latest Hacking News | Cyber Security News, Hacking Tools and Penetration Testing Courses.
https://latesthackingnews.com/2023/01/23/trojanpuzzle-attack-compels-ai-assistants-to-suggest-rogue-codes/

Multiple Vulnerabilities Found In Samsung Galaxy App Store App
Researchers discovered numerous security vulnerabilities in Samsung's Galaxy App Store application that threatened Samsung users.… Multiple Vulnerabilities Found In Samsung Galaxy App Store App on Latest Hacking News | Cyber Security News, Hacking Tools and Penetration Testing Courses.
https://latesthackingnews.com/2023/01/23/multiple-vulnerabilities-found-in-samsung-galaxy-app-store-app/

Role of Plaid developers in the fintech industry
Plaid-Fintech relationship You may not have heard of Plaid developers, but you probably use one… Role of Plaid developers in the fintech industry on Latest Hacking News | Cyber Security News, Hacking Tools and Penetration Testing Courses.
https://latesthackingnews.com/2023/01/23/role-of-plaid-developers-in-the-fintech-industry/

4 Ways to Prevent Leaking Your Location on the Web
Protecting your privacy when using the internet is crucial in today’s world. This includes ensuring… 4 Ways to Prevent Leaking Your Location on the Web on Latest Hacking News | Cyber Security News, Hacking Tools and Penetration Testing Courses.
https://latesthackingnews.com/2023/01/23/4-ways-to-prevent-leaking-your-location-on-the-web/

5 Data Privacy Tips for Small Businesses
Data privacy violation is a serious problem facing small businesses that are often unaware of… 5 Data Privacy Tips for Small Businesses on Latest Hacking News | Cyber Security News, Hacking Tools and Penetration Testing Courses.
https://latesthackingnews.com/2023/01/19/5-data-privacy-tips-for-small-businesses/

The state of software supply chain security heading into 2023
Technology is advancing at a rapid rate. It seems that the next new development is… The state of software supply chain security heading into 2023 on Latest Hacking News | Cyber Security News, Hacking Tools and Penetration Testing Courses.
https://latesthackingnews.com/2023/01/19/the-state-of-software-supply-chain-security-heading-into-2023/

What Programmers Need to Learn About Supply and Demand
Supply and demand are economic forces mostly studied by professional economists and financial experts. But… What Programmers Need to Learn About Supply and Demand on Latest Hacking News | Cyber Security News, Hacking Tools and Penetration Testing Courses.
https://latesthackingnews.com/2023/01/19/what-programmers-need-to-learn-about-supply-and-demand/

Researcher Finds Class Pollution – A Prototype Pollution Variant Affecting Python
A security researcher found a serious prototype pollution vulnerability in Python programming language. Exploiting the… Researcher Finds Class Pollution – A Prototype Pollution Variant Affecting Python on Latest Hacking News | Cyber Security News, Hacking Tools and Penetration Testing Courses.
https://latesthackingnews.com/2023/01/17/researcher-finds-class-pollution-a-prototype-pollution-variant-affecting-python/

Hive Ransomware Infrastructure Seized in Joint International Law Enforcement Effort
In what's a case of hacking the hackers, the darknet infrastructure associated with the Hive ransomware-as-a-service (RaaS) operation has been seized as part of a coordinated law enforcement effort involving 13 countries. "Law enforcement identified the decryption keys and shared them with many of the victims, helping them regain access to their data without paying the cybercriminals," Europol
https://thehackernews.com/2023/01/hive-ransomware-infrastructure-seized.html

Google Takes Down 50,000 Instances of Pro-Chinese DRAGONBRIDGE Influence Operation
Google on Thursday disclosed it took steps to dismantle over 50,000 instances of activity orchestrated by a pro-Chinese influence operation known as DRAGONBRIDGE in 2022. "Most DRAGONBRIDGE activity is low quality content without a political message, populated across many channels and blogs," the company's Threat Analysis Group (TAG) said in a report shared with The Hacker News. "However, a
https://thehackernews.com/2023/01/google-takes-down-50000-instances-of.html

Researchers Release PoC Exploit for Windows CryptoAPI Bug Discovered by NSA
Proof-of-concept (PoC) code has been released for a now-patched high-severity security flaw in the Windows CryptoAPI that the U.S. National Security Agency (NSA) and the U.K. National Cyber Security Centre (NCSC) reported to Microsoft last year. Tracked as CVE-2022-34689 (CVSS score: 7.5), the spoofing vulnerability was addressed by the tech giant as part of Patch Tuesday updates released in
https://thehackernews.com/2023/01/researchers-release-poc-exploit-for.html

Researchers Uncover Connection b/w Moses Staff and Emerging Abraham's Ax Hacktivists Group
New research has linked the operations of a politically motivated hacktivist group known as Moses Staff to another nascent threat actor named Abraham's Ax that emerged in November 2022. This is based on "several commonalities across the iconography, videography, and leak sites used by the groups, suggesting they are likely operated by the same entity," Secureworks Counter Threat Unit (CTU) said
https://thehackernews.com/2023/01/researchers-uncover-connection-bw-moses.html

Is Once-Yearly Pen Testing Enough for Your Organization?
Any organization that handles sensitive data must be diligent in its security efforts, which include regular pen testing. Even a small data breach can result in significant damage to an organization's reputation and bottom line. There are two main reasons why regular pen testing is necessary for secure web application development: Security: Web applications are constantly evolving, and new
https://thehackernews.com/2023/01/is-once-yearly-pen-testing-enough-for.html

PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration
Cybersecurity researchers have unearthed a new attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022. "This malware is unique in its utilization of WebSockets to avoid detection and for both command-and-control (C2) communication and exfiltration," Securonix said in a report shared with The Hacker News. The
https://thehackernews.com/2023/01/pyration-new-python-based-rat-utilizes.html

U.S. Federal Agencies Fall Victim to Cyber Attack Utilizing Legitimate RMM Software
At least two federal agencies in the U.S. fell victim to a "widespread cyber campaign" that involved the use of legitimate remote monitoring and management (RMM) software to perpetuate a phishing scam. "Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software – ScreenConnect (now ConnectWise Control) and AnyDesk – which the actors used in a
https://thehackernews.com/2023/01/us-federal-agencies-fall-victim-to.html

Over 4,500 WordPress Sites Hacked to Redirect Visitors to Sketchy Ad Pages
A massive campaign has infected over 4,500 WordPress websites as part of a long-running operation that's been believed to be active since at least 2017. According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain named "track[.]violetlovelines[.]com" that's designed to redirect visitors to undesirable sites. The latest operation
https://thehackernews.com/2023/01/over-4500-wordpress-sites-hacked-to.html

The Definitive Browser Security Checklist
Security stakeholders have come to realize that the prominent role the browser has in the modern corporate environment requires a re-evaluation of how it is managed and protected. While not long-ago web-borne risks were still addressed by a patchwork of endpoint, network, and cloud solutions, it is now clear that the partial protection these solutions provided is no longer sufficient. Therefore,
https://thehackernews.com/2023/01/the-definitive-browser-security.html

North Korean Hackers Turn to Credential Harvesting in Latest Wave of Cyberattacks
A North Korean nation-state group notorious for crypto heists has been attributed to a new wave of malicious email attacks as part of a "sprawling" credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy. The state-aligned threat actor is being tracked by Proofpoint under the name TA444, and by the larger cybersecurity community as
https://thehackernews.com/2023/01/north-korean-hackers-turn-to-credential.html

LastPass Parent Company GoTo Suffers Data Breach, Customers' Backups Compromised
LastPass-owner GoTo (formerly LogMeIn) on Tuesday disclosed that unidentified threat actors were able to steal encrypted backups of some customers' data along with an encryption key for some of those backups in a November 2022 incident. The breach, which targeted a third-party cloud storage service, impacted Central, Pro, join.me, Hamachi, and RemotelyAnywhere products, the company said. "The
https://thehackernews.com/2023/01/lastpass-parent-company-goto-suffers.html

VMware Releases Patches for Critical vRealize Log Insight Software Vulnerabilities
VMware on Tuesday released software to remediate four security vulnerabilities affecting vRealize Log Insight (aka Aria Operations for Logs) that could expose users to remote code execution attacks. Two of the flaws are critical, carrying a severity rating of 9.8 out of a maximum of 10, the virtualization services provider noted in its first security bulletin for 2023. Tracked as CVE-2022-31706
https://thehackernews.com/2023/01/vmware-releases-patches-for-critical.html

Chinese Hackers Utilize Golang Malware in DragonSpark Attacks to Evade Detection
Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed DragonSpark while employing uncommon tactics to go past security layers. "The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation," SentinelOne said in an analysis published today. A striking
https://thehackernews.com/2023/01/chinese-hackers-utilize-golang-malware.html

FBI Says North Korean Hackers Behind 0 Million Horizon Bridge Crypto Theft
The U.S. Federal Bureau of Investigation (FBI) on Monday confirmed that North Korean threat actors were responsible for the theft of 0 million in cryptocurrency assets from Harmony Horizon Bridge in June 2022. The law enforcement agency attributed the hack to the Lazarus Group and APT38 (aka BlueNoroff, Copernicium, and Stardust Chollima), the latter of which is a North Korean state-sponsored
https://thehackernews.com/2023/01/fbi-says-north-korean-hackers-behind.html

Security Navigator Research: Some Vulnerabilities Date Back to the Last Millennium
Vulnerability analysis results in Orange Cyberdefense's Security Navigator show that some vulnerabilities first discovered in 1999 are still found in networks today. This is concerning. Age of VOC findings: our vulnerability scans are performed on a recurring basis, which provides us the opportunity to examine the difference between when a scan was performed on an asset, and when a given finding
https://thehackernews.com/2023/01/security-navigator-research-some.html

Emotet Malware Makes a Comeback with New Evasion Techniques
The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Emotet, which officially reemerged in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via
https://thehackernews.com/2023/01/emotet-malware-makes-comeback-with-new.html

Apple Issues Updates for Older Devices to Fix Actively Exploited Vulnerability
Apple has backported fixes for a recently disclosed critical security flaw affecting older devices, citing evidence of active exploitation. The issue, tracked as CVE-2022-42856, is a type confusion vulnerability in the WebKit browser engine that could result in arbitrary code execution when processing maliciously crafted web content. While it was originally addressed by the company on November
https://thehackernews.com/2023/01/apple-issues-updates-for-older-devices.html

Facebook Introduces New Features for End-to-End Encrypted Messenger App
Meta Platforms on Monday announced that it has started to expand global testing of end-to-end encryption (E2EE) in Messenger chats by default. "Over the next few months, more people will continue to see some of their chats gradually being upgraded with an extra layer of protection provided by end-to-end encryption," Meta's Melissa Miranda said. The social media behemoth said it intends to notify
https://thehackernews.com/2023/01/facebook-introduces-new-features-for.html

Samsung Galaxy Store App Found Vulnerable to Sneaky App Installs and Fraud
Two security flaws have been disclosed in Samsung's Galaxy Store app for Android that could be exploited by a local attacker to stealthily install arbitrary apps or direct prospective victims to fraudulent landing pages on the web. The issues, tracked as CVE-2023-21433 and CVE-2023-21434, were discovered by NCC Group and notified to the South Korean chaebol in November and December 2022. Samsung
https://thehackernews.com/2023/01/samsung-galaxy-store-app-found.html

SaaS Security Posture Management (SSPM) as a Layer in Your Identity Fabric
The move to SaaS and other cloud tools has put an emphasis on Identity & Access Management (IAM). After all, user identity is one of the only barriers standing between sensitive corporate data and any unauthorized access.  The tools used to define IAM make up its identity fabric. The stronger the fabric, the more resistant identities are to pressure from threat actors. However, those pressures
https://thehackernews.com/2023/01/saas-security-posture-management-sspm.html

Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks
The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit. The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week. Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation
https://thehackernews.com/2023/01/threat-actors-turn-to-sliver-as-open.html

Massive Ad Fraud Scheme Targeted Over 11 Million Devices with 1,700 Spoofed Apps
Researchers have shut down an "expansive" ad fraud scheme that spoofed more than 1,700 applications from 120 publishers and impacted roughly 11 million devices.  "VASTFLUX was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views," fraud prevention firm
https://thehackernews.com/2023/01/massive-ad-fraud-scheme-targeted-over.html

Roaming Mantis Spreading Mobile Malware That Hijacks Wi-Fi Routers' DNS Settings
Threat actors associated with the Roaming Mantis attack campaign have been observed delivering an updated variant of their patent mobile malware known as Wroba to infiltrate Wi-Fi routers and undertake Domain Name System (DNS) hijacking. Kaspersky, which carried out an analysis of the malicious artifact, said the feature is designed to target specific Wi-Fi routers located in South Korea.
https://thehackernews.com/2023/01/roaming-mantis-spreading-mobile-malware.html

Gamaredon Group Launches Cyberattacks Against Ukraine Using Telegram
The Russian state-sponsored cyber espionage group known as Gamaredon has continued its digital onslaught against Ukraine, with recent attacks leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country. "The Gamaredon group's network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location,
https://thehackernews.com/2023/01/gamaredon-group-launches-cyberattacks.html

WhatsApp Hit with €5.5 Million Fine for Violating Data Protection Laws
The Irish Data Protection Commission (DPC) on Thursday imposed fresh fines of €5.5 million against Meta's WhatsApp for violating data protection laws when processing users' personal information. At the heart of the ruling is an update to the messaging platform's Terms of Service that was imposed in the days leading to the enforcement of the General Data Protection Regulation (GDPR) in May 2018,
https://thehackernews.com/2023/01/whatsapp-hit-with-55-million-fine-for.html

Chinese Hackers Exploited Recent Fortinet Flaw as 0-Day to Drop Malware
A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa. Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were
https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html

New Microsoft Azure Vulnerability Uncovered — EmojiDeploy for RCE Attacks
A new critical remote code execution (RCE) flaw discovered impacting multiple services related to Microsoft Azure could be exploited by a malicious actor to completely take control of a targeted application. "The vulnerability is achieved through CSRF (cross-site request forgery) on the ubiquitous SCM service Kudu," Ermetic researcher Liv Matan said in a report shared with The Hacker News. "By
https://thehackernews.com/2023/01/new-microsoft-azure-vulnerability.html

Android Users Beware: New Hook Malware with RAT Capabilities Emerges
The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook that introduces new capabilities to access files stored in the devices and create a remote interactive session. ThreatFabric, in a report shared with The Hacker News, characterized Hook as a novel ERMAC fork that's advertised for sale for ,000 per month while featuring
https://thehackernews.com/2023/01/android-users-beware-new-hook-malware.html

New Research Delves into the World of Malicious LNK Files and Hackers Behind Them
Cybercriminals are increasingly leveraging malicious LNK files as an initial access method to download and execute payloads such as Bumblebee, IcedID, and Qakbot. A recent study by cybersecurity experts has shown that it is possible to identify relationships between different threat actors by analyzing the metadata of malicious LNK files, uncovering information such as the specific tools and
https://thehackernews.com/2023/01/new-research-delves-into-world-of.html

6 Types of Risk Assessment Methodologies + How to Choose
An organization's sensitive information is under constant threat. Identifying those security risks is critical to protecting that information. But some risks are bigger than others. Some mitigation options are more expensive than others. How do you make the right decision? Adopting a formal risk assessment process gives you the information you need to set priorities. There are many ways to
https://thehackernews.com/2023/01/6-types-of-risk-assessment.html

Bitzlato Crypto Exchange Founder Arrested for Aiding Cybercriminals
The U.S. Department of Justice (DoJ) on Wednesday announced the arrest of Anatoly Legkodymov (aka Gandalf and Tolik), the cofounder of Hong Kong-registered cryptocurrency exchange Bitzlato, for allegedly processing 0 million in illicit funds. The 40-year-old Russian national, who was arrested in Miami, was charged in a U.S. federal court with "conducting a money transmitting business that
https://thehackernews.com/2023/01/bitzlato-crypto-exchange-founder.html

Mailchimp Suffers Another Security Breach Compromising Some Customers' Information
Popular email marketing and newsletter service Mailchimp has disclosed yet another security breach that enabled threat actors to access an internal support and account admin tool to obtain information about 133 customers. "The unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee
https://thehackernews.com/2023/01/mailchimp-suffers-another-security.html

Earth Bogle Campaign Unleashes NjRAT Trojan on Middle East and North Africa
An ongoing campaign dubbed Earth Bogle is leveraging geopolitical-themed lures to deliver the NjRAT remote access trojan to victims across the Middle East and North Africa. "The threat actor uses public cloud storage services such as files[.]fm and failiem[.]lv to host malware, while compromised web servers distribute NjRAT," Trend Micro said in a report published Wednesday. Phishing emails,
https://thehackernews.com/2023/01/earth-bogle-campaign-unleashes-njrat.html

Iranian Government Entities Under Attack by New Wave of BackdoorDiplomacy Attacks
The threat actor known as BackdoorDiplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022. Palo Alto Networks Unit 42, which is tracking the activity under its constellation-themed moniker Playful Taurus, said it observed the government domains attempting to connect to malware infrastructure previously identified as associated
https://thehackernews.com/2023/01/iranian-government-entities-under.html

Guide: How MSSPs and vCISOs can extend their services into compliance readiness without increasing cost
Compliance services are emerging as one of the hottest areas of cybersecurity.  While compliance used to be mainly the province of large enterprises, times have changed, and it is now a day-to-day concern for a growing number of small and medium businesses.  Even when these organizations are not regulated, SMEs often aim to follow compliance and/or security frameworks either for their own risk
https://thehackernews.com/2023/01/guide-how-mssps-and-vcisos-can-extend.html

Critical Security Vulnerabilities Discovered in Netcomm and TP-Link Routers
Security vulnerabilities have been disclosed in Netcomm and TP-Link routers, some of which could be weaponized to achieve remote code execution. The flaws, tracked as CVE-2022-4873 and CVE-2022-4874, concern a case of stack-based buffer overflow and authentication bypass and impact Netcomm router models NF20MESH, NF20, and NL1902 running firmware versions earlier than R6B035. "The two
https://thehackernews.com/2023/01/critical-security-vulnerabilities.html

Git Users Urged to Update Software to Prevent Remote Code Execution Attacks
The maintainers of the Git source code version control system have released updates to remediate two critical vulnerabilities that could be exploited by a malicious actor to achieve remote code execution. The flaws, tracked as CVE-2022-23521 and CVE-2022-41903, impact the following versions of Git: v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39.0.
https://thehackernews.com/2023/01/git-users-urged-to-update-software-to.html

CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec. The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9)
https://thehackernews.com/2023/01/cisa-warns-of-flaws-in-siemens-ge.html

Microsoft Azure Services Flaws Could've Exposed Cloud Resources to Unauthorized Access
Four different Microsoft Azure services have been found vulnerable to server-side request forgery (SSRF) attacks that could be exploited to gain unauthorized access to cloud resources. The security issues, which were discovered by Orca between October 8, 2022 and December 2, 2022 in Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins, have since been addressed
https://thehackernews.com/2023/01/microsoft-azure-services-flaws-couldve.html

Hackers Can Abuse Legitimate GitHub Codespaces Feature to Deliver Malware
New research has found that it is possible for threat actors to abuse a legitimate feature in GitHub Codespaces to deliver malware to victim systems. GitHub Codespaces is a cloud-based configurable development environment that allows users to debug, maintain, and commit changes to a given codebase from a web browser or via an integration in Visual Studio Code. It also comes with a port
https://thehackernews.com/2023/01/hackers-can-abuse-legitimate-github.html

4 Places to Supercharge Your SOC with Automation
It's no secret that the job of SOC teams continues to become increasingly difficult. Increased volume and sophistication of attacks are plaguing under-resourced teams with false positives and analyst burnout. However, like many other industries, cybersecurity is now beginning to lean on and benefit from advancements in automation to not only maintain the status quo, but to attain better security
https://thehackernews.com/2023/01/4-places-to-supercharge-your-soc-with.html

Zoho ManageEngine PoC Exploit to be Released Soon - Patch Before It's Too Late!
Users of Zoho ManageEngine are being urged to patch their instances against a critical security vulnerability ahead of the release of a proof-of-concept (PoC) exploit code. The issue in question is CVE-2022-47966, an unauthenticated remote code execution vulnerability affecting several products due to the use of an outdated third-party dependency, Apache Santuario. "This vulnerability allows an
https://thehackernews.com/2023/01/zoho-manageengine-poc-exploit-to-be.html

Microsoft urges admins to patch on-premises Exchange servers
Microsoft urged customers today to keep their on-premises Exchange servers patched by applying the latest supported Cumulative Update (CU) to have them always ready to deploy an emergency security update. [...]
https://www.bleepingcomputer.com/news/security/microsoft-urges-admins-to-patch-on-premises-exchange-servers/

Bitwarden password vaults targeted in Google ads phishing attack
Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users' password vault credentials. [...]
https://www.bleepingcomputer.com/news/security/bitwarden-password-vaults-targeted-in-google-ads-phishing-attack/

US offers $10M bounty for Hive ransomware links to foreign governments
The U.S. Department of State today offered up to $10 million for information that could help link the Hive ransomware group (or other threat actors) with foreign governments. [...]
https://www.bleepingcomputer.com/news/security/us-offers-10m-bounty-for-hive-ransomware-links-to-foreign-governments/

New Mimic ransomware abuses ‘Everything' Windows search tool
A new ransomware family named 'Mimic' has been spotted in the wild abusing the APIs of a legitimate Windows file search tool called 'Everything' to achieve file enumeration. [...]
https://www.bleepingcomputer.com/news/security/new-mimic-ransomware-abuses-everything-windows-search-tool/

UK NCSC warns of spear-phishing attacks from Russia-linked and Iran-linked groups
The U.K. National Cyber Security Centre (NCSC) warns of a surge in the number of attacks from Russian and Iranian nation-state actors. The U.K. National Cyber Security Centre (NCSC) is warning of targeted phishing attacks conducted by threat actors based in Russia and Iran. They are increasingly targeting organizations and individuals. The UK agency reported ongoing spear-phishing […]
https://securityaffairs.com/141393/apt/ncsc-warns-seaborgium-ta453-attacks.html

An unfaithful employee leaked Yandex source code repositories
A source code repository allegedly stolen by a former employee of the Russian tech giant Yandex has been leaked online. A Yandex source code repository allegedly stolen by a former employee of the Russian IT giant has been leaked on a popular cybercrime forum. The announcement published on BreachForums includes a magnet link to the alleged […]
https://securityaffairs.com/141382/data-breach/yandex-code-repositories-leaked.html

Hive Ransomware Tor leak site apparently seized by law enforcement
The leak site of the Hive ransomware gang was seized due to an international operation conducted by law enforcement in ten countries. The Tor leak site used by Hive ransomware operators has been seized as part of an international operation conducted by law enforcement in 10 countries. “The Federal Bureau of Investigation seized this site […]
https://securityaffairs.com/141374/cyber-crime/hive-ransomware-leak-site-seized.html

Legitify adds support for GitLab and GitHub Enterprise Server
We encounter security incidents on a weekly basis with prospective customers that involve pipeline manipulation, code theft, and sensitive data exposure - many of which result from bad source code management (SCM) system configurations. Legitify, the open-source security tool we recently announced, is rapidly gaining popularity because it helps users analyze and remediate the security configuration of their SCM resources. 
https://www.legitsecurity.com/blog/legitify-adds-support-for-gitlab-and-github-enterprise-server

What are the Five Elements of the NIST Cybersecurity Framework?
A cybersecurity framework is a group of documents outlining guidelines, security-related standards, and best practices to help organizations manage and protect their assets from cybersecurity threats. Any InfoSec framework aims to prepare organizations and minimize the potential risk of vulnerabilities by identifying and remediating them. Example cybersecurity frameworks include the NIST cybersecurity framework, the ISO 27001 framework, the Cybersecurity Maturity Model Certification (CMMC) developed by the US Department of Defense (DoD), as well as the Payment Card Industry Data Security Standard (PCI DSS). Legit Security has aggregated many of these frameworks together into best practices that can reduce software supply chain risk dramatically.
https://www.legitsecurity.com/blog/five-elements-of-the-nist-cybersecurity-framework

Exposing Secrets Via SDLC Tools: The SonarQube Case
Secrets are any data that is sensitive to an organization or person and should not be exposed publicly. It can be a password, an access key, an API token, a credit card number, and more. You can read more about the dangers of secrets getting exposed via your source code management (SCM) systems here. But SCMs are not the only services from which secrets can get leaked. Essentially, any service you're using as part of your software development lifecycle (SDLC) in which data is being stored may be the source of secrets leakage. Our research team investigated how sensitive information can get exposed via AppSec tools that you may use as part of your development pipeline, and in this blog post we will demonstrate the SonarQube case study.

When your code scanner becomes your code exposer

SonarQube is an open-source SAST platform for managing code quality, providing continuous code inspection and code analysis to identify bugs, vulnerabilities, and code smells (characteristics or indicators that may point to a deeper problem) in source code written in various programming languages. It does so by integrating with your SCM and scanning your entire code base. Ironically, when misconfigured, this kind of code scanner can turn from an application security tool into a risk-imposing tool that attackers can use to harvest sensitive information. Publicly exposed SonarQube instances that don't restrict anonymous access are insecure because they allow anyone with an internet connection to access the instance, including private code, detected issues, and other sensitive information.

This could potentially lead to several security risks, such as data breaches, code theft, and, most notably, leaked secrets in code, eventually leading to a broader supply chain attack on the organization. Additionally, the mere fact that a SonarQube instance is publicly accessible, even if it doesn't allow anonymous access to all its resources, makes it vulnerable to various known CVEs and zero-day vulnerabilities, including authentication bypass and remote code execution attacks, which in turn result in its resources getting exposed. It requires the user to constantly patch the system for CVEs as soon as they are discovered. It's important to note that we think SonarQube is a great tool. We have no problem with SonarQube itself. The problem is with the way it is being set up, and our goal is to help its users understand the risk of doing it wrong.
https://www.legitsecurity.com/blog/exposing-secrets-via-sdlc-tools-the-sonarqube-case

The MarkdownTime Vulnerability: How to Avoid This DoS Attack on Business Critical Services
Everybody is familiar with downtime in major services. It can be very frustrating when a platform your organization depends upon becomes unavailable. And when it comes to a critical part of your software supply chain, downtime means your production pipeline stops working, and basically, your entire software factory is down. The damage can be very expensive. Now, imagine what would happen if a bad actor finds a vulnerability that allows an unauthenticated user to take down business critical infrastructure with one line of code... In this article, we will explore "MarkDownTime" - a vulnerability we found in a very popular implementation of the markdown engine and the Denial-of-Service (DoS) attack that it could cause on dependent projects, such as GitHub and GitLab. Software supply chains can contain multiple looming threats and vulnerable dependencies. When a popular library is vulnerable to an easy-to-exploit attack, it will potentially cause millions of organizations to be vulnerable. Many commercial products might use libraries such as the ones we'll discuss, so users can be exposed to threats without even knowing. This is a call for action – all vendors using Markdown need to check if they are using a vulnerable implementation, as described below, and take the necessary actions to avoid being attacked.
https://www.legitsecurity.com/blog/dos-via-software-supply-chain-innumerable-projects-exposed-to-a-markdown-library-vulnerability

2023 Predictions for Modern Application Security
Software dominates the world and remains a big and accessible attack surface. In 2022, an estimated B was invested in Application Security, with that number expected to reach .5B in 2023. Within AppSec, software supply chain security entered the spotlight two years ago and represents AppSec's fastest growing attack category with major headlines of breaches and exploits happening on a regular basis. Within this backdrop, a few related mega trends are apparent for the near future of Application Security. First is the growing complexity of development pipelines and dependencies on third-parties in pre-production development environments. Second is the growing synergy between application security and cloud security. Both trends define future security challenges and our predictions for modern application security.
https://www.legitsecurity.com/blog/predictions-for-modern-application-security

How to Continuously Detect Vulnerable Jenkins Plugins to Avoid a Software Supply Chain Attack
Jenkins is an open-source automation and build platform that allows for automated tests, integrations, builds, and much more. However, Jenkins also has vulnerabilities that make it susceptible to software supply chain attacks. See how attackers used compromised Jenkins plugins to launch cyberattacks and how to detect vulnerable Jenkins plugins at scale.
https://www.legitsecurity.com/blog/how-to-continuously-detect-vulnerable-jenkins-plugins-to-avoid-a-software-supply-chain-attack

A DevOps Security Tutorial for Digital Business Leaders
DevOps is a great approach to improve the speed and efficiency of software development, but there is an even better way to approach the process with security in mind. Find out what approach works best for digital business leaders and how to implement these changes in your organization.
https://www.legitsecurity.com/blog/a-devops-security-tutorial-for-digital-business-leaders

Modern AppSec Requires Extending Beyond SCA and SAST
Once upon a time in Application Security, times were simpler. Not long ago security and development teams could simply scan their code for vulnerabilities and feel confident that their next software release would be secure. But no longer.
https://www.legitsecurity.com/blog/modern-appsec-requires-extending-beyond-sca-and-sast

Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable
The Legit Security Research Team discovered a new class of software supply chain vulnerabilities that leverages artifact poisoning and attacks the underlying software development pipelines for projects using GitHub Actions. In this fourth blog covering vulnerable GitHub Actions, we will explore this new technique of artifact poisoning and describe who could be vulnerable, including how we found this vulnerability in the Rust programming language and assisted in its remediation.
https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust

Ruby on Rails apps vulnerable to data theft through Ransack search
Several applications were vulnerable to brute-force attacks; hundreds more could be at risk
https://portswigger.net/daily-swig/ruby-on-rails-apps-vulnerable-to-data-theft-through-ransack-search

Trellix automates tackling open source vulnerabilities at scale
More than 61,000 vulnerabilities patched and counting
https://portswigger.net/daily-swig/trellix-automates-tackling-open-source-vulnerabilities-at-scale

Yellowfin tackles auth bypass bug trio that opened door to RCE
Pre- and post-auth path to pwnage
https://portswigger.net/daily-swig/yellowfin-tackles-auth-bypass-bug-trio-that-opened-door-to-rce

Bitwarden responds to encryption design flaw criticism
Password vault vendor accused of making a hash of encryption
https://portswigger.net/daily-swig/bitwarden-responds-to-encryption-design-flaw-criticism

IoT vendors faulted for slow progress in setting up vulnerability disclosure programs
Manufacturer complacency ‘translates into an unacceptable risk for consumers', warns security expert
https://portswigger.net/daily-swig/iot-vendors-faulted-for-slow-progress-in-setting-up-vulnerability-disclosure-programs

AWS patches bypass bug in CloudTrail API monitoring tool
Threat actors poking around AWS environments and API calls could stay under the radar
https://portswigger.net/daily-swig/aws-patches-bypass-bug-in-cloudtrail-api-monitoring-tool

Tell us what you think: The Daily Swig reader survey 2023
Have your say to be in with the chance to win Burp Suite swag…
https://portswigger.net/daily-swig/tell-us-what-you-think-the-daily-swig-reader-survey

Git security audit reveals critical overflow bugs
Uncovered vulnerabilities include several high, medium, and low-security issues
https://portswigger.net/daily-swig/git-security-audit-reveals-critical-overflow-bugs

Popular password managers auto-filled credentials on untrusted websites
Dashlane, Bitwarden, and Safari all cited by Google researchers
https://portswigger.net/daily-swig/popular-password-managers-auto-filled-credentials-on-untrusted-websites

Google pays hacker duo $22k in bug bounties for flaws in multiple cloud projects
Six payouts issued for bugs uncovered in Theia, Vertex AI, Compute Engine, and Cloud Workstations
https://portswigger.net/daily-swig/google-pays-hacker-duo-22k-in-bug-bounties-for-flaws-in-multiple-cloud-projects

WAGO fixes config export flaw threatening data leak from industrial devices
Severity somewhat blunted by reboot-related caveat
https://portswigger.net/daily-swig/wago-fixes-config-export-flaw-threatening-data-leak-from-industrial-devices

US government announces third Hack The Pentagon challenge
Ethical hackers and bug bounty hunters invited to test Department of Defense assets
https://portswigger.net/daily-swig/us-government-announces-third-hack-the-pentagon-challenge

Squaring the CircleCI: DevOps platform publishes post-mortem on recent breach
How the build pipeline was compromised
https://portswigger.net/daily-swig/squaring-the-circleci-devops-platform-publishes-post-mortem-on-recent-breach

Deserialized web security roundup – Slack and Okta breaches, lax US government passwords report, and more 
Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news
https://portswigger.net/daily-swig/deserialized-web-security-roundup-slack-and-okta-breaches-lax-us-government-passwords-report-and-more-nbsp

New tool protects against vulnerabilities in popular file converter ImageMagick
Library has somewhat of an image problem given history of serious bugs
https://portswigger.net/daily-swig/new-tool-protects-against-vulnerabilities-in-popular-file-converter-imagemagick

Threema disputes crypto flaws disclosure, prompts security flap
‘Condescending' response to vulnerability disclosure angers infosec community
https://portswigger.net/daily-swig/threema-disputes-crypto-flaws-disclosure-prompts-security-flap

Prototype pollution-like bug variant discovered in Python
‘Class pollution' flaw similar to dangerous vulnerability type found in JavaScript and similar languages
https://portswigger.net/daily-swig/prototype-pollution-like-bug-variant-discovered-in-python

Meet teler-waf: Security-focused HTTP middleware for the Go framework
Protection against XSS, SQLi, and more web attacks for Go-based web applications
https://portswigger.net/daily-swig/meet-teler-waf-security-focused-http-middleware-for-the-go-framework

Exploit drops for remote code execution bug in Control Web Panel
Vendor patched the vulnerability in October after a red team alert
https://portswigger.net/daily-swig/exploit-drops-for-remote-code-execution-bug-in-control-web-panel

Tesla tackles CORS misconfigurations that left internal networks vulnerable
Typosquatting ploy successfully bypassed firewalls of multiple organizations
https://portswigger.net/daily-swig/tesla-tackles-cors-misconfigurations-that-left-internal-networks-vulnerable

Devs urged to rotate secrets after CircleCI suffers security breach
DevOps platform advises customers to revoke API tokens
https://portswigger.net/daily-swig/devs-urged-to-rotate-secrets-after-circleci-suffers-security-breach

Car companies massively exposed to web vulnerabilities
Grand hack auto
https://portswigger.net/daily-swig/car-companies-massively-exposed-to-web-vulnerabilities

Bug Bounty Radar // The latest bug bounty programs for January 2023
New web targets for the discerning hacker
https://portswigger.net/daily-swig/bug-bounty-radar-the-latest-bug-bounty-programs-for-january-2023

Security done right – infosec wins of 2022
The toasts, triumphs, and biggest security wins of the year
https://portswigger.net/daily-swig/security-done-right-infosec-wins-of-2022

Stupid security 2022 – this year's infosec fails
Epic web security fails and salutary lessons from another inevitably eventful year in infosec
https://portswigger.net/daily-swig/stupid-security-2022-this-years-infosec-fails

Finding the next Log4j – OpenSSF's Brian Behlendorf on pivoting to a ‘risk-centred view' of open source development
Apache pioneer says ‘use at your own risk' model no longer tenable as OpenSSF ramps up end user engagement
https://portswigger.net/daily-swig/finding-nbsp-the-next-log4j-nbsp-openssfs-brian-behlendorf-on-pivoting-to-a-risk-centred-view-of-open-source-development

Lean, green coding machine: How sustainable computing drive can reduce attack surfaces
Less is often more when it comes to both infosec and eco-friendly computing practices
https://portswigger.net/daily-swig/lean-green-coding-machine-how-sustainable-computing-drive-can-reduce-attack-surfaces

Zoom Whiteboard patches XSS bug
Video conferencing platform fixes cross-site scripting vulnerability
https://portswigger.net/daily-swig/zoom-whiteboard-patches-xss-bug

Password theft bug chain patched in Passwordstate credential manager
Flaws could be combined to grab passwords in cleartext
https://portswigger.net/daily-swig/password-theft-bug-chain-patched-in-passwordstate-credential-manager

How to become a penetration tester: Part 2 – ‘Mr Hacking' John Jackson on the virtue of ‘endless curiosity'
Marine Corps engineer-turned offensive security expert offers careers advice and his best and worst experiences
https://portswigger.net/daily-swig/how-to-become-a-penetration-tester-part-2-mr-hacking-john-jackson-on-the-virtue-of-endless-curiosity

Akamai wrestles with AWS S3 web cache poisoning bug
Definitive solution is ‘non-trivial' since behavior arises from customers processing non-RFC compliant requests
https://portswigger.net/daily-swig/akamai-wrestles-with-aws-s3-web-cache-poisoning-bug

Safeurl HTTP library brings SSRF protection to Go applications
Prizes offered to anyone who can bypass the library and capture the flag
https://portswigger.net/daily-swig/safeurl-http-library-brings-ssrf-protection-to-go-applications

Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat
Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news
https://portswigger.net/daily-swig/deserialized-web-security-roundup-fortinet-citrix-bugs-another-uber-breach-hacking-nfts-at-black-hat

Critical IP spoofing bug patched in Cacti
‘Not that hard to execute if attacker has access to a monitoring platform running Cacti'
https://portswigger.net/daily-swig/critical-ip-spoofing-bug-patched-in-cacti

Akamai WAF bypassed via Spring Boot to trigger RCE
Akamai issued an update to resolve the flaw several months ago
https://portswigger.net/daily-swig/akamai-waf-bypassed-via-spring-boot-to-trigger-rce

Cloud flaws brought to the fore as bug bounty vulnerabilities hit 65k in 2022 – HackerOne
Impact of cloud migration and shift to remote work evident in new report
https://portswigger.net/daily-swig/cloud-flaws-brought-to-the-fore-as-bug-bounty-vulnerabilities-hit-65k-in-2022-hackerone

Black Hat Europe redux: The top web hacking talks for 2022
Catch up on the highlights of last week's cybersecurity conference
https://portswigger.net/daily-swig/black-hat-europe-redux-the-top-web-hacking-talks-for-2022

Black Hat Europe 2022: Hacking tools showcased at annual security conference
Aids and techniques demonstrated at this year's arsenal track
https://portswigger.net/daily-swig/black-hat-europe-2022-hacking-tools-showcased-at-annual-security-conference

Why your data is more valuable than you may realize
The data trail you leave behind whenever you're online is bigger – and more revealing – than you may think
https://www.welivesecurity.com/2023/01/26/data-more-valuable-you-realize/

Mastodon vs. Twitter: Know the differences
Looking for an alternative to Twitter and thinking about joining the folks flocking to Mastodon? Here's how the two platforms compare to each other.
https://www.welivesecurity.com/2023/01/25/mastodon-twitter-differences/

5 valuable skills your children can learn by playing video games
Gaming can help your children build and sharpen a range of life skills that will stand them in good stead in the future
https://www.welivesecurity.com/2023/01/24/5-valuable-skills-children-learn-playing-video-games/

Hybrid play: Leveling the playing field in online video gaming and beyond
Does VALORANT's approach to cheating signal a turning point in how we deal with the continued hacks afflicting our hybrid world of work and play?
https://www.welivesecurity.com/2023/01/23/hybrid-play-leveling-playing-field-online-video-gaming-beyond/

Ransomware payments down 40% in 2022 – Week in security with Tony Anscombe
Ransomware revenue plunges to 6 million in 2022 as more victims refuse to pay up. Here's what to make of the trend.
https://www.welivesecurity.com/videos/whats-behind-drop-ransomware-payments-week-security-tony-anscombe/

Tech support scammers are still at it: Here's what to look out for in 2023
Hello, is it me you're looking for? Fraudsters still want to help you 'fix' a computer problem you never had in the first place.
https://www.welivesecurity.com/2023/01/19/tech-support-scammers-still-at-it-what-look-out-for/

Top 10 Venmo scams: Don't fall for these common tricks
Here's what to know about some of the most common ploys that scammers use on the payment app
https://www.welivesecurity.com/2023/01/17/venmo-scams-how-stay-safe/

Hybrid commerce: Blurring the lines between business and pleasure
It is now acceptable to find a job on a dating app!
https://www.welivesecurity.com/2023/01/16/hybrid-commerce-blurring-lines-business-pleasure/

APT group trojanizes Telegram app – Week in security with Tony Anscombe
StrongPity's backdoor is fitted with various spying features and can record phone calls, collect texts, and gather call logs and contact lists
https://www.welivesecurity.com/videos/strongpity-apt-telegram-shagle-week-security-tony-anscombe/

Introducing IPyIDA: A Python plugin for your reverse‑engineering toolkit
ESET Research announces IPyIDA 2.0, a Python plugin integrating IPython and Jupyter Notebook into IDA
https://www.welivesecurity.com/2023/01/12/introducing-ipyida-python-plugin-reverse-engineering-toolkit/

Now you can legally repair your tech – sort of
A new law portends a future where (we hope) it will be easier for us all to repair, fix, upgrade, and just tinker with things we already own
https://www.welivesecurity.com/2023/01/11/now-you-can-legally-repair-tech-sort-of/

StrongPity espionage campaign targeting Android users
ESET researchers identified an active StrongPity campaign distributing a trojanized version of the Android Telegram app, presented as the Shagle app – a video-chat service that has no app version
https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/

Cracked it! Highlights from KringleCon 5: Golden Rings
Learning meets fun at the 2022 SANS Holiday Hack Challenge – strap yourself in for a crackerjack ride at the North Pole as I foil Grinchum's foul plan and recover the five golden rings
https://www.welivesecurity.com/2023/01/09/cracked-it-highlights-kringlecon-5-golden-rings/

Hybrid work: Turning business platforms into preferred social spaces
Hybrid work and hybrid play now merge into hybrid living, but where is the line between the two? Is there one?
https://www.welivesecurity.com/2023/01/09/hybrid-work-turning-business-platforms-preferred-social-spaces/

Ransomware target list – Week in security with Tony Anscombe
Why schools, hospitals, local governments and other public sector organizations are in a sweet spot for ransomware attacks
https://www.welivesecurity.com/videos/ransomware-target-list-week-security-tony-anscombe/

The doctor will see you now … virtually: Tips for a safe telehealth visit
Are your virtual doctor visits private and secure? Here's what to know about, and how to prepare for, connecting with a doctor from the comfort of your home.
https://www.welivesecurity.com/2023/01/04/doctor-see-you-now-virtually-tips-safe-telehealth-visit/

Gaming: How much is too much for our children?
With many children spending a little too much time playing video games, learn to spot the signs that things may be spinning out of control.
https://www.welivesecurity.com/2023/01/03/gaming-how-much-too-much-children/

The world's most common passwords: What to do if yours is on the list
Do you use any of these extremely popular – and eminently hackable – passwords? If so, we have a New Year's resolution for you.
https://www.welivesecurity.com/2023/01/02/most-common-passwords-what-do-if-yours-list/

Cybersecurity trends and challenges to look out for in 2023
What are some of the key cybersecurity trends and themes that organizations should have on their radars in 2023?
https://www.welivesecurity.com/videos/cybersecurity-trends-challenges-look-out-2023/

2022 in review: 10 of the year's biggest cyberattacks
The past year has seen no shortage of disruptive cyberattacks – here's a round-up of some of the worst hacks and breaches that have impacted a variety of targets around the world in 2022.
https://www.welivesecurity.com/2022/12/27/2022-review-10-biggest-cyberattacks/

‘Tis the season for gaming: Keeping children safe (and parents sane)
It's all fun and games over the holidays, but is your young gamer safe from the darker side of the action?
https://www.welivesecurity.com/2022/12/21/tis-season-gaming-keeping-children-safe-parents-sane/

How to set up parental controls on your child's new smartphone
Give yourself peace of mind and help create a safe online space for your child using Android or iOS parental controls.
https://www.welivesecurity.com/2022/12/19/how-set-up-parental-controls-childs-new-smartphone/

MirrorFace aims for high‑value targets in Japan – Week in security with Tony Anscombe
The group's proprietary backdoor LODEINFO delivers additional malware, exfiltrates credentials, and steals documents and emails.
https://www.welivesecurity.com/videos/mirrorface-aims-high-value-targets-japan-week-security-tony-anscombe/

Help! My kid has asked Santa for a smartphone
The time has come for your child to receive their first smartphone. Before handing it over, however, make sure to help them use their new gadget safely and responsibly.
https://www.welivesecurity.com/2022/12/16/help-my-kid-asked-santa-smartphone/

Traveling for the holidays? Stay cyber‑safe with these tips
Holiday travel is back with a vengeance this year. Set yourself up for a cyber-safe and hassle-free trip with our checklist.
https://www.welivesecurity.com/2022/12/15/traveling-holidays-stay-cyber-safe-tips/

Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities
ESET researchers discovered a spearphishing campaign targeting Japanese political entities a few weeks before the House of Councillors elections, and in the process uncovered a previously undescribed MirrorFace credential stealer.
https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/

Top tips for security‑ and privacy‑enhancing holiday gifts
Think outside the (gift) box. Here are a few ideas for security and privacy gifts to get for your relatives – or even for yourself. Some don't cost a penny!
https://www.welivesecurity.com/2022/12/13/top-tips-security-privacy-enhancing-holiday-gifts/

Cybersecurity Trends 2023: Securing our hybrid lives
ESET experts offer their reflections on what the continued blurring of boundaries between different spheres of life means for our human and social experience – and especially our cybersecurity and privacy.
https://www.welivesecurity.com/2022/12/12/cybersecurity-trends-2023-securing-our-hybrid-lives/

Diamond industry under attack – Week in security with Tony Anscombe
ESET researchers uncover a new wiper and its execution tool, both attributed to the Iran-aligned Agrius APT group.
https://www.welivesecurity.com/videos/diamond-industry-attack-week-security-tony-anscombe/

Xenomorph: What to know about this Android banking trojan
Xenomorph pilfers victims' login credentials for banking, payment, social media, cryptocurrency and other apps with valuable data.
https://www.welivesecurity.com/videos/xenomorph-what-know-android-banking-trojan/

Fantasy – a new Agrius wiper deployed through a supply‑chain attack
ESET researchers analyzed a supply-chain attack abusing an Israeli software developer to deploy Fantasy, Agrius's new wiper, with victims including the diamond industry.
https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/

Tractors vs. threat actors: How to hack a farm
Forget pests for a minute. Modern farms also face another – and more insidious – breed of threat.
https://www.welivesecurity.com/2022/12/05/tractors-threat-actors-how-hack-farm/

ScarCruft updates its toolset – Week in security with Tony Anscombe
Deployed against carefully selected targets, the new backdoor combs through the drives of compromised systems for files of interest before exfiltrating them to Google Drive.
https://www.welivesecurity.com/videos/scarcruft-updates-its-toolset-week-in-security-with-tony-anscombe/

Top tips to save energy used by your electronic devices
With the rapidly rising energy prices putting a strain on many households, what are some quick wins to help reduce the power consumption of your gadgets?
https://www.welivesecurity.com/2022/12/01/top-tips-save-energy-electronic-devices/

Who's swimming in South Korean waters? Meet ScarCruft's Dolphin
ESET researchers uncover Dolphin, a sophisticated backdoor extending the arsenal of the ScarCruft APT group.
https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/

RansomBoggs: New ransomware targeting Ukraine
ESET researchers spot a new ransomware campaign that goes after Ukrainian organizations and has Sandworm's fingerprints all over it.
https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine/

Spyware posing as VPN apps – Week in security with Tony Anscombe
The Bahamut APT group distributes at least eight malicious apps that pilfer victims' data and monitor their messages and conversations.
https://www.welivesecurity.com/videos/spyware-posing-vpn-apps-week-security-tony-anscombe/

Know your payment options: How to shop and pay safely this holiday season
'Tis the season for shopping and if you too are scouting for bargains, make sure to keep your money safe when snapping up those deals.
https://www.welivesecurity.com/2022/11/25/know-payment-options-how-shop-pay-safely-holiday-season/

10 tips to avoid Black Friday and Cyber Monday scams
It pays not to let your guard down during the shopping bonanza – watch out for some of the most common scams doing the rounds this holiday shopping season.
https://www.welivesecurity.com/2022/11/24/10-tips-avoid-black-friday-cyber-monday-scams/

Bahamut cybermercenary group targets Android users with fake VPN apps
Malicious apps used in this active campaign exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as Signal, Viber, and Telegram.
https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/

Security fatigue is real: Here's how to overcome it
Do your employees take more risks with valuable data because they've become desensitized to security guidance? Spot the symptoms before it's too late.
https://www.welivesecurity.com/2022/11/22/security-fatigue-real-how-overcome-it/

Latest insights on APT activity – Week in security with Tony Anscombe
What have some of the world's most notorious APT groups been up to lately? A new ESET report released this week has the answers.
https://www.welivesecurity.com/videos/insights-apt-activity-week-security-tony-anscombe/

Tor vs. VPN: Which should you choose?
Both Tor and a VPN can greatly help you keep prying eyes away from your online life, but they're also two very different beasts. Which suits your needs better?
https://www.welivesecurity.com/2022/11/18/tor-vs-vpn-which-choose/

Open banking: Tell me what you buy, and I'll tell you who you are
The convenience with which you manage all your financial wants and needs may come at a cost.
https://www.welivesecurity.com/2022/11/16/open-banking-tell-me-what-you-buy-ill-tell-you-who-you-are/

ESET APT Activity Report T2 2022
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in T2 2022.
https://www.welivesecurity.com/2022/11/14/eset-apt-activity-report-t2-2022/

Security challenges facing SMBs – Week in security with Tony Anscombe
A new ESET report details the mindset of SMBs on digital security and shows why many of them are underprepared to defend themselves against attacks.
https://www.welivesecurity.com/videos/security-challenges-smbs-week-security-tony-anscombe/

FIFA World Cup 2022 scams: Beware of fake lotteries, ticket fraud and other cons
When in doubt, kick it out, plus other tips for hardening your cyber-defenses against World Cup-themed phishing and other scams.
https://www.welivesecurity.com/2022/11/11/fifa-world-cup-2022-scams-fake-lotteries-ticket-fraud/

Toward the cutting edge: SMBs contemplating enterprise security
Survey finds SMBs, weary of security failures, curious about detection and response.
https://www.welivesecurity.com/2022/11/10/toward-cutting-edge-smbs-contemplating-enterprise-security/

Hacker AFK: InsiderPhD

https://www.hackerone.com/hackerone-community-blog/hacker-afk-insiderphd

HackerOne Named a Leader in Penetration Testing as a Service (PTaaS) GigaOm Radar Report

https://www.hackerone.com/penetration-testing/hackerone-named-leader-penetration-testing-service-ptaas-gigaom-radar-report

H1 Hackers Walk the Streets of Barcelona at H1-3493!

https://www.hackerone.com/hackerone-community-blog/h1-hackers-walk-streets-barcelona-h1-3493

How Human Security Testing Helps the U.S. Government's Zero Trust Mandate

https://www.hackerone.com/security-compliance/how-human-security-testing-helps-us-governments-zero-trust-mandate

Brand Ambassador Announcement

https://www.hackerone.com/hackerone-community-blog/brand-ambassador-announcement

Changes to Disclosure Assistance

https://www.hackerone.com/hackerone-community-blog/changes-disclosure-assistance

Visualizing Live Hacking Events: Hackers Break Records at H1-702

https://www.hackerone.com/hackerone-community-blog/visualizing-live-hacking-events-hackers-break-records-h1-702

Hacker AFK: Jason Haddix

https://www.hackerone.com/hackerone-community-blog/hacker-afk-jason-haddix

Ambassador Spotlight: DrSniper

https://www.hackerone.com/hackerone-community-blog/ambassador-spotlight-drsniper

How Human Testers Improve Application Security

https://www.hackerone.com/application-security/how-human-testers-improve-application-security

Ambassador Spotlight: Emperor

https://www.hackerone.com/hackerone-community-blog/ambassador-spotlight-emperor

Creating a CTF: The Success of Flag Hunt Bangladesh

https://www.hackerone.com/hackerone-community-blog/creating-ctf-success-flag-hunt-bangladesh

Introducing Program Levels: Hacker-friendly Practices that Improve Program Results
The ethical hacker community is one of the most powerful security resources available to any organization. We've worked with this community firsthand for the last decade and have witnessed their effectiveness and ingenuity. We've also learned a lot while helping organizations engage the world's largest community of ethical hackers. Today, we're pleased to announce a new tool to align your program with the state-of-the-art and signal your program maturity: Program Levels, a structured framework that lets programs level up by publicly committing to certain best practices.
https://www.hackerone.com/company-news/introducing-program-levels-hacker-friendly-practices-improve-program-results

How OneWeb is Safeguarding its Assets with the Hacker Community
HackerOne sat down with Wendy Ng, Principal Cloud Security Architect at OneWeb, to talk about their experience with their private HackerOne bug bounty program.
https://www.hackerone.com/customer-stories/how-oneweb-safeguarding-its-assets-hacker-community

Hacker Appreciation Month: Badge Awards

https://www.hackerone.com/hackerone-community-blog/hacker-appreciation-month-badge-awards

Hacker AFK: the_arch_angel

https://www.hackerone.com/hackerone-community-blog/hacker-afk-thearchangel

Hacker Success Managers

https://www.hackerone.com/hackerone-community-blog/hacker-success-managers

Making Things Right

https://www.hackerone.com/hackerone-community-blog/making-things-right

Meeting the Mediation Team at H1-702

https://www.hackerone.com/hackerone-community-blog/meeting-mediation-team-h1-702

Introducing HackerOne Assets
Understanding where the critical flaws lie within your organization's attack surface is critical—but complicated. After all, your attack surface includes your infrastructure, network, software, applications, devices, and the extended supply chain. But it doesn't stop there. Digital transformation, cloud adoption, the shift to remote work, mergers and acquisitions (M&A), and shadow IT further muddy the waters for today's security leaders.
https://www.hackerone.com/vulnerability-management/introducing-hackerone-assets

Corb3nik Introduces His Tool: Caido

https://www.hackerone.com/hackerone-community-blog/corb3nik-introduces-his-tool-caido

A Thank You to the Hacker Community, From HackerOne
When I joined HackerOne last year, the vitality of the hacker community drew me to this organization. And as Chief Hacking Officer, I see the impact this community makes daily. Together, we've identified nearly 300,000 vulnerabilities through our programs — 300,000 fewer ways cybercriminals can harm society. That's why I'm here to say thank you on behalf of our customers and everyone at HackerOne.
https://www.hackerone.com/ethical-hacker/thank-you-hacker-community-hackerone

TikTok Celebrates Two Years of Bug Bounty
TikTok, a social media giant with more than 1 billion active monthly users, understands the importance of a global community, be that community TikTokers or ethical hackers! In 2020, TikTok launched its public bug bounty program on HackerOne. In the two years since, they've taken many steps to maintain a partnership with the global hacker community that's rewarding and inviting.
https://www.hackerone.com/bounty/tiktok-celebrates-two-years-bug-bounty

Let's Celebrate the Hacker Community

https://www.hackerone.com/hackerone-community-blog/lets-celebrate-hacker-community

Announcing the Results of Hack U.S.
On July 4th, 2022, Chief Digital and Artificial Intelligence Office (CDAO), Directorate for Digital Services (DDS), DoD Cyber Crime Center (DC3), and HackerOne publicly launched the “Hack U.S.” bug bounty challenge, allowing ethical hackers from around the globe to earn monetary rewards for reporting of critical and high vulnerabilities from within the DoD Vulnerability Disclosure Program (VDP) published scope.
https://www.hackerone.com/bounty/announcing-results-hack-us

Use Hackerone's Enhanced Pentest as a Service to Streamline Security Testing

https://www.hackerone.com/pentests/use-hackerones-enhanced-pentest-service-streamline-security-testing

Rise of Internet Bug Bounty

https://www.hackerone.com/hackerone-community-blog/rise-internet-bug-bounty

Introducing Unified HackerOne Scope Management with Burp Suite Support

https://www.hackerone.com/application-security/introducing-unified-hackerone-scope-management-burp-suite-support

Hacker AFK: rez0

https://www.hackerone.com/hackerone-community-blog/hacker-afk-rez0

Ambassador Spotlight: Adnan Malik

https://www.hackerone.com/hackerone-community-blog/ambassador-spotlight-adnan-malik

Hacking in Sun and Snow H1-303 Colorado

https://www.hackerone.com/hackerone-community-blog/hacking-sun-and-snow-h1-303-colorado

H1-702 Las Vegas Day 3: Switching Up Scopes

https://www.hackerone.com/community-blog/h1-702-las-vegas-day-3-switching-scopes

H1-702 Las Vegas Day 2: Hacking with Zoom

https://www.hackerone.com/community-blog/h1-702-las-vegas-day-2-hacking-zoom

H1-702 Las Vegas Day 1: H@cktivitycon

https://www.hackerone.com/community-blog/h1-702-las-vegas-day-1-hcktivitycon

H1-702 Las Vegas Day 0: Setup

https://www.hackerone.com/community-blog/h1-702-las-vegas-day-0-setup

PayPal's Third LHE Brings Top Global Hackers to the Virtual Stage
After ten years of partnering with hackers, PayPal is a leader in cybersecurity and hacker relationship building. We were thrilled to work with PayPal once again to uncover new ways to reduce their risk and build proactive security practices.
https://www.hackerone.com/community-blog/paypals-third-lhe-brings-top-global-hackers-virtual-stage

Benchmark Analysis: Annual Pentest and Code Review Coverage

https://www.hackerone.com/penetration-testing/benchmark-analysis-annual-pentest-and-code-review-coverage

5 Articles to Get You Up-to-Speed on Bug Bounty Programs
Many organizations use bug bounty programs to help them protect their ever-expanding attack surface and achieve attack resistance. Bug bounties, with ethical hackers at the helm, uncover critical and severe vulnerabilities before bad actors and deliver better protection against cyberattacks. But what is a bug bounty, and should your organization have one?
https://www.hackerone.com/vulnerability-management/5-articles-get-you-speed-bug-bounty-programs

Ten Rules to be Successful in Your Bug Bounty Career

https://www.hackerone.com/hackerone-community-blog/ten-rules-be-successful-your-bug-bounty-career

Security Highlights: New CWE Rankings, Software Supply Chains, and Side-Channel Attacks

https://www.hackerone.com/application-security/security-highlights-new-cwe-rankings-software-supply-chains-and-side-channel

5 Security Stages of the DevSecOps Pipeline
DevSecOps builds on modern DevOps practices by incorporating security processes and automation into the development pipeline. This enables development teams to continue the rapid and continuous delivery trend while improving software assets' security. The DevSecOps pipeline follows the familiar DevOps “infinity loop” structure while incorporating some extra steps to ensure code security before, during, and after it's pushed to production.
https://www.hackerone.com/application-security/5-security-stages-devsecops-pipeline

Hacker's Health: Adverse Effects of Doomscrolling

https://www.hackerone.com/community-blog/hackers-health-adverse-effects-doomscrolling

The Most Overlooked Server Permission Checks

https://www.hackerone.com/application-security/most-overlooked-server-permission-checks

DevSecOps vs DevOps: What is the Difference?
DevSecOps can dramatically reduce cyber risk for organizations—particularly those that rely on internal development for a competitive advantage.
https://www.hackerone.com/application-security/devsecops-vs-devops-what-difference

HackerOne's In-Depth Approach to Vulnerability Triage and Validation

https://www.hackerone.com/hackerones-depth-approach-vulnerability-triage-and-validation

How Bug Bounty Uncovered A 5-Year-Old Vulnerability In Hours

https://www.hackerone.com/ethical-hacker/how-bug-bounty-uncovered-5-year-old-vulnerability-hours

Live Hacking Event Invitations - 2022 Guide

https://www.hackerone.com/community-blog/live-hacking-event-invitations-2022-guide

CISOs: Do You Know the Security Risks of Your Organization's Next M&A?
An ever-expanding attack surface is a global concern for most organizations and complicates an M&A, especially for CISOs. The M&A prospect may have a partially unprotected attack surface, thus increasing security risk coming in the form of a gap between the attack surface they can and do protect and the attack surface (and accompanying assets) they need to defend. This gap is what many M&A prospects bring to the table. And while an M&A may have undisputed business and strategic value, CISOs must still address the security risks involved in acquiring another organization's assets and its current attack surface, fully protected or not.
https://www.hackerone.com/vulnerability-management/cisos-do-you-know-security-risks-your-organizations-next-ma

H1 Community Team: Your Hacker Allies

https://www.hackerone.com/community-blog/h1-community-team-your-hacker-allies

Community at HackerOne: What's to Come

https://www.hackerone.com/community-blog/community-hackerone-whats-come

The Top 5 Most Common Security Issues I Discover When Reviewing Code

https://www.hackerone.com/top-5-most-common-security-issues-i-discover-when-reviewing-code

How to Catch Injection Security Vulnerabilities in Code Review
Injection vulnerabilities result from insecure handling of user inputs. They are relatively simple to fix once the underlying issues that cause them are understood, and are frequently found by experienced reviewers who know what to look for. The prevalence of injection vulnerabilities today is one of the best arguments for continuing to perform code review in many organizations—this type of vulnerability is most frequently caught through human inspection of the offending code.
https://www.hackerone.com/vulnerability-management/how-catch-injection-security-vulnerabilities-code-review

Severe Confluence Vulnerability is an Active Threat (CVE-2022-26134)

https://www.hackerone.com/application-security/severe-confluence-vulnerability-active-threat-cve-2022-26134

How Critical Infrastructure Can be Protected from Threats
Accessing a major critical infrastructure network is very appealing to cybercriminals, as they can maximize societal impact and demand large ransom sums to fix tampered systems. With recent high-profile attacks, including that against the Colonial Pipeline in March 2021, it has become clear that the organizations handling critical infrastructure networks are now in the firing line. Critical infrastructure is vulnerable to both threat groups that are evolving their tactics and public scrutiny if they do not remain transparent when an attack occurs.
https://www.hackerone.com/vulnerability-management/how-critical-infrastructure-can-be-protected-threats

Ethical Hackers Help Beiersdorf Minimize Risk and Protect Their Attack Surface
After a year of running a private Vulnerability Disclosure Program (VDP), Beiersdorf is announcing the launch of its public VDP. HackerOne met with Kai Widua, Chief Information Security Officer (CISO) at Beiersdorf, to learn about the challenges they face in retail security.
https://www.hackerone.com/customer-stories/ethical-hackers-help-beiersdorf-minimize-risk-and-protect-their-attack-surface

What Is a Security.txt File and How Can It Help Your Program?

https://www.hackerone.com/security-compliance/what-securitytxt-file-and-how-can-it-help-your-program

5 Ways I Provide Value as a PullRequest Reviewer When I Start Reviewing a New Project
Important reviewer traits for providing a great code review include prior knowledge and experience, expertise, background context, attention to detail, and written communication skills. As a reviewer on PullRequest, I need to quickly gain context when I'm reviewing a project for the first time. But as is the case for any engineer new to a team, some context is gained over time.
https://www.hackerone.com/application-security/5-ways-i-provide-value-pullrequest-reviewer-when-i-start-reviewing-new-project

HackerOne Announces a New Customer Pentest Setup that's More Efficient and Speeds Time to Launch

https://www.hackerone.com/assessments/hackerone-announces-new-customer-pentest-setup-thats-more-efficient-and-speeds-time

Understanding Public and Private Bug Bounties and Vulnerability Disclosure Programs

https://www.hackerone.com/vulnerability-management/understanding-public-and-private-bug-bounties-and-vulnerability-disclosure

Introducing HackerOne Assets
A Security Survey on How to Close Your Organization's Attack Resistance Gap
https://www.hackerone.com/vulnerability-management/introducing-hackerone-assets-0

Why HackerOne Acquired Pull Request and What It Means to Our Customers

https://www.hackerone.com/company-news/why-hackerone-acquired-pull-request-and-what-it-means-our-customers

Announcing the Results of the 12-month DIB-VDP Pilot

https://www.hackerone.com/vulnerability-disclosure/announcing-results-12-month-dib-vdp-pilot

How Wix Improves Their Security Posture with Ethical Hackers
Reducing risk is fundamental to Wix's approach to cybersecurity, and as the threat landscape evolves, they turn to HackerOne Bounty to protect their security posture. Since 2018, Wix has invited tens of thousands of ethical hackers worldwide to ensure new and existing features are secure. We recently met with two Wix security team members to learn how they leverage ethical hackers to detect risks before they become threats and how vulnerability insights help strengthen their security posture.
https://www.hackerone.com/customer-stories/how-wix-improves-their-security-posture-ethical-hackers

Announcing the HackerOne 2022 Attack Resistance Report: A Security Survey—How to Close Your Organization's Attack Resistance Gap
Today, HackerOne published The 2022 Attack Resistance Report: A HackerOne Security Survey. Our research revealed an increasing gap—the attack resistance gap—between what organizations can defend and what they need to defend. The gap is the result of four components prevalent across organizations.
https://www.hackerone.com/company-news/announcing-hackerone-2022-attack-resistance-report-security-survey-how-close-your

How Ethical Hackers Help A.S. Watson Address Digital Risk
We recently met with A.S. Watson's Chief Information Security Officer (CISO), Feliks Voskoboynik, to learn how ethical hackers have helped with digital transformation and enabled his team to harden their attack surface. Read on to learn Feliks' advice on including a bug bounty program as part of a security strategy, the lessons ethical hackers have provided, and what best practices he can share with other CISOs.
https://www.hackerone.com/customer-stories/how-ethical-hackers-help-watson-address-digital-risk

Preventing Compromised Password Reuse on HackerOne.com

https://www.hackerone.com/best-practices/preventing-compromised-password-reuse-hackeronecom

Shifting Left with Ethical Hackers: A Q&A with GitLab
Secure applications start with secure code. As organizations deploy code faster than ever, implementing continuous security across the software development lifecycle (SDLC) is critical to building secure products. As a long-time HackerOne Bounty customer, GitLab knows the importance of identifying and addressing bugs as early as possible in the SDLC. We wanted to hear what they had to say about leveraging the human intelligence of ethical hackers to broadly test their attack surface and increase their ability to resist potential threats.
https://www.hackerone.com/bounty/shifting-left-ethical-hackers-qa-gitlab

Donating Bounties to Humanitarian Efforts in Ukraine

https://www.hackerone.com/donating-bounties-humanitarian-efforts-ukraine

Securing Digital Transformation with Vulnerability Disclosure: A Q&A with John Deere CISO, James Johnson
To help fortify security defenses for their customers, dealers, suppliers, and employees, John Deere recently launched a public Vulnerability Disclosure Program (VDP) with HackerOne. HackerOne recently met with James Johnson, CISO at John Deere, to learn why his security team works with ethical hackers to help identify security gaps and increase their product and data security.
https://www.hackerone.com/vulnerability-disclosure/securing-digital-transformation-vulnerability-disclosure-qa-john-deere

The Only Solution That Scales With the Cybersecurity Challenge

https://www.hackerone.com/ceo/only-solution-scales-cybersecurity-challenge

Nine Months into the DIB-VDP Pilot, Nearly 1,000 Valid Vulnerabilities Have Been Identified
With three months left in the 12-month pilot with the Department of Defense's Defense Industrial Base Vulnerability Disclosure Pilot (DOD DIB-VDP Pilot), HackerOne sat down with DC3 to discuss why new DIB companies are joining the pilot and hear why hackers are a critical partner for the DOD.
https://www.hackerone.com/customer-stories/nine-months-dib-vdp-pilot-nearly-1000-valid-vulnerabilities-have-been-identified

The HackerOne Global Top 10—Hacker Expertise, Industry Data, and Up-to-Date Vulnerabilities

https://www.hackerone.com/vulnerability-management/hackerone-global-top-10-hacker-expertise-industry-data-and-date

Log4Shell: Attack Evolution
HackerOne has unique visibility into the global response to Log4Shell, seeing in real time how organizations responded and remediated. Last week HackerOne's CISO Chris Evans and Co-founder Jobert Abma shared findings from our platform.
https://www.hackerone.com/vulnerability-management/log4shell-attack-evolution

Top 5 Takeaways from the 2021 Hacker-Powered Security Report: Industry Insights

https://www.hackerone.com/hacker-powered-security-report/top-5-takeaways-2021-hacker-powered-security-report-industry

CWE (Common Weakness Enumeration) and the CWE Top 25 Explained
Are you wondering about CWE? We explain CWE (Common Weakness Enumeration) and why this community-based initiative is essential in cybersecurity
https://www.hackerone.com/vulnerability-management/cwe-common-weakness-enumeration-and-cwe-top-25-explained

Log4j Vulnerability Activity on the HackerOne Platform
This post is about the severe and widespread Log4j vulnerability. It gives a technical overview of the vulnerability, mitigations HackerOne has put in place to protect our platform and customers, and the related vulnerability submission activity HackerOne is seeing on its platform.
https://www.hackerone.com/vulnerability-management/log4j-vulnerability-activity-hackerone-platform

What Is The Common Vulnerability Scoring System (CVSS)
Were you wondering about the Common Vulnerability Scoring System (CVSS)? We explain what CVSS is, why it is important, and show how to prioritize vulnerabilities based on their score.
https://www.hackerone.com/vulnerability-management/what-common-vulnerability-scoring-system-cvss

How Hackers Help Organizations Face New Attack Vectors and Build Stronger Security Programs
The risk of cyberattacks grows every day. But there is an essential defensive step that organizations can take: hacker-powered security programs.
https://www.hackerone.com/security-event/how-hackers-help-organizations-face-new-attack-vectors-and-build-stronger-security

Vulnerability Management | A Complete Guide and Best Practices
We explain what vulnerability management is and why it matters, and we give a step-by-step guide to implementing a vulnerability management process.
https://www.hackerone.com/vulnerability-management/vulnerability-management-complete-guide-and-best-practices

Securing the Supply Chain by Working With Ethical Hackers
Software supply chain attacks increasingly create concern among cybersecurity experts as these exploits are becoming more common. But solving the problem has left organizations scrambling for an answer because supply-chain security management is inherently complex.
https://www.hackerone.com/vulnerability-management/securing-supply-chain-working-ethical-hackers

TikTok Celebrates One Year of Bug Bounty
As part of an ongoing commitment to proactive cybersecurity, TikTok celebrated its one-year anniversary of HackerOne bug bounty by thanking (via video, of course!) 150+ hackers from around the globe who have helped them identify and resolve more than 225 vulnerabilities. They also share insights into assets in scope, their commitment to transparency, and their best-in-class payout and response time metrics.
https://www.hackerone.com/customer-stories/tiktok-celebrates-one-year-bug-bounty

Bug Bounty Platforms [Best Choices For a Bug Bounty Program]
Are you wondering about bug bounty platforms? We explain what a bug bounty platform is and how it can help you run a successful bug bounty program.
https://www.hackerone.com/vulnerability-management/bug-bounty-platforms-best-choices-bug-bounty-program

How Elastic Attracts and Retains Top Hackers Without Offering the Highest Bounties
Skilled hackers are the foundation of an effective bug bounty program. But how can you ensure your program attracts top hackers and keeps them engaged?
https://www.hackerone.com/how-elastic-attracts-and-retains-top-hackers-without-offering-highest-bounties

How Hackers Can Strengthen Cloud Security for Applications
In this session at our 5th annual global cybersecurity conference, HackerOne's Tim Matthews sat down with Josh Bressers, Tech Lead of Product Security at Elastic, to discuss cloud security for applications. They focused on the challenges around cloud security and the role of hacker-powered defensive efforts. Josh's organization, Elastic, is the leading enterprise search company with expertise in building self-managed services for search, logging, security, and analytics use cases.
https://www.hackerone.com/ethical-hacker/how-hackers-can-strengthen-cloud-security-applications

What Is a Bug Bounty? Should You Offer One? And How To Do It

https://www.hackerone.com/vulnerability-management/what-bug-bounty-should-you-offer-one-and-how-do-it

Bug Bounty vs. VDP | Which Program Is Right for You?
We explain bug bounty programs and Vulnerability Disclosure Programs (VDPs), their pros and cons, and how each can help your organization.
https://www.hackerone.com/vulnerability-management/bug-bounty-vs-vdp-which-program-right-you

How to Use Bug Bounty Program Data to Improve Security and Development
Bug bounty program data tells a story—but which story? Tracking program metrics can help organizations identify issues, spot opportunities, and take corrective actions. To do this, stakeholders must know which metrics to track and how to interpret the results.
https://www.hackerone.com/vulnerability-management/how-use-bug-bounty-program-data-improve-security-and-development

DOD's DIB-VDP Pilot Hits Six Month Milestone
Six months into the 12-month pilot with the Department of Defense's Defense Industrial Base Vulnerability Disclosure Pilot (DOD DIB-VDP Pilot), HackerOne sat down with key stakeholders from the DIB-VDP Pilot to discuss the program's success to date, the Federal Government's strategy for working with hackers, and to hear about some of the most impactful vulnerabilities discovered to date.
https://www.hackerone.com/customer-stories/dods-dib-vdp-pilot-hits-six-month-milestone

Vulnerability Disclosure | What's the Responsible Solution?
Curious about vulnerability disclosure? We explain what it is, why there may be friction between the researcher and the organization, and possible solutions.
https://www.hackerone.com/vulnerability-disclosure/vulnerability-disclosure-whats-responsible-solution

Jedox's Journey with HackerOne: A Q&A with CTO, Vladislav Maličević
Jedox secures their cloud - and their customers - with HackerOne Assessments and HackerOne Bounty. Read this blog to learn how they're creating a best-in-class cybersecurity program thanks to ethical hackers.
https://www.hackerone.com/best-practices/jedoxs-journey-hackerone-qa-cto-vladislav-malicevic

DevSecOps: Bridging the Gap Between Security and Development
Organizations that rely on developing secure, functional products understand the value of increased collaboration between security and development teams. Tighter partnerships between the two teams can allow organizations to deliver better, safer products faster, but how can this work in the real world?
https://www.hackerone.com/security-event/devsecops-bridging-gap-between-security-and-development

How Trustpilot Manages Risk by Working with Ethical Hackers
At our 2021 Security@ conference, we spoke with Stu Hirst, CISO at consumer review site Trustpilot. Trustpilot's mission is to create an independent currency of trust between consumers and businesses, and cybersecurity plays a central role.
https://www.hackerone.com/bounty/how-trustpilot-manages-risk-working-ethical-hackers

What's a Vulnerability Disclosure Program & Do You Need One?
Are you wondering about Vulnerability Disclosure Programs (VDPs)? Here's why you need one, and instructions on starting one or improving your current process.
https://www.hackerone.com/vulnerability-disclosure/whats-vulnerability-disclosure-program-do-you-need-one

Bug Bounty Benefits | Why You Need a Bug Bounty Program
We explain how a bug bounty program identifies vulnerabilities, discuss the program's benefits, and detail its challenges.
https://www.hackerone.com/bounty/bug-bounty-benefits-why-you-need-bug-bounty-program

Navigating a Safe, Successful Return to Office: 5 Tips for Security Leaders
Security leaders have a lot on their plates in these later stages of the continuing COVID-19 pandemic. In a 2021 survey by Gartner, over three-quarters (76%) of respondents reported increased demand for new digital products or services during the pandemic — and 83% expected this demand to continue to increase. This imperative for transformation has been coming straight from the top: 69% of boards report accelerating digital business initiatives in response to COVID-19.
https://www.hackerone.com/company-news/navigating-safe-successful-return-office-5-tips-security-leaders

Vulnerability Remediation | A Step-by-Step Guide
Are you wondering about vulnerability remediation? We give you a step-by-step guide to addressing vulnerabilities in your system.
https://www.hackerone.com/vulnerability-remediation-step-step-guide

How Hackers—the Best Kept Secret in Cybersecurity—Can Help Your Organization Protect its Assets and Improve Security
Last week, HackerOne held its fifth annual one-of-a-kind global Security@ conference featuring the best-kept secret in cybersecurity—hackers.
https://www.hackerone.com/ethical-hacker/how-hackers-best-kept-secret-cybersecurity-can-help-your-organization-protect-its

The Top 5 Cloud Security Risks: How Hacker-Powered Security Can Help
Widespread digital transformation means increased cloud security risk. Learn how human intelligence—hacker-powered security—can help your organization defend against new attack vectors, mitigate risk, and improve cloud security.
https://www.hackerone.com/application-security/top-5-cloud-security-risks-how-hacker-powered-security-can-help

Time to Issue Your Own Cyber Executive Order

https://www.hackerone.com/from-the-ceo/time-issue-your-own-cyber-executive-order

Vulnerability Testing | Best Techniques for Assessing Risks
Curious about vulnerability testing techniques? We explain processes such as vulnerability assessments, vulnerability scanning, and penetration testing.
https://www.hackerone.com/vulnerability-management/vulnerability-testing-best-techniques-assessing-risks

How Hacker-Powered Security Can Help Security Teams Become More Data-Driven

https://www.hackerone.com/vulnerability-management/how-hacker-powered-security-can-help-security-teams-become-more-data

Vulnerability Assessment Tools [Top Tools & What They Do]
Are you curious about the best vulnerability assessment tools? We detail some of the popular tools, what they do, and their pros and cons.
https://www.hackerone.com/vulnerability-management/vulnerability-assessment-tools-top-tools-what-they-do

Hacker-Powered Security and DeFi: How Human Intelligence Improves Cryptocurrency Security
Over the last year, DeFi has grown significantly with billions of dollars of cryptocurrency locked into blockchain contracts. With this growth comes increased risk and DeFi funds are lucrative targets for malicious actors. Learn how a HackerOne hacker helps protect DeFi funds and mitigate this risk.
https://www.hackerone.com/ethical-hacker/hacker-powered-security-and-defi-how-human-intelligence-improves-cryptocurrency

HackerOne Announces Hacker-Powered Cloud Security Capabilities for AWS Customers
HackerOne announces new capabilities for AWS customers looking to improve security in their cloud applications. These include vulnerability pentests specific to AWS environments, an AWS Security Hub integration for fast, effective security actions, and AWS Certified hackers. AWS customers can now identify and fix vulnerabilities quickly and develop a better understanding of their cloud application security profile.
https://www.hackerone.com/penetration-testing/hackerone-announces-hacker-powered-cloud-security-capabilities-aws-customers

How a New HackerOne Integration with AWS Security Hub Accelerates Vulnerability Remediation Time
HackerOne announced an integration with AWS Security Hub that exchanges vulnerability findings and streamlines workflows to accelerate security actions. The integration consolidates and routes vulnerability intelligence from HackerOne to AWS Security Hub, delivering greater visibility into crucial gaps that could lead to a cyberattack.
https://www.hackerone.com/company-news/how-new-hackerone-integration-aws-security-hub-accelerates-vulnerability-remediation

The DOD Improves Their Security Posture Through the DIB-VDP
One of the primary missions of the Defense Counterintelligence and Security Agency (DCSA) is to provide critical technology protection to the Defense Industrial Base (DIB). Given the recent increase in cyber incidents affecting the DIB, DCSA views the DIB-VDP Pilot as a promising way to identify and stop attempts at stealing our Nation's secrets.
https://www.hackerone.com/vulnerability-disclosure/dod-improves-their-security-posture-through-dib-vdp

Hyatt's Bug Bounty Program Update: Q&A with Senior Analyst Robert Lowery
Hyatt's three-year-old bug bounty program has reached a significant milestone: 0,000 in bounties paid to hackers. As the first organization in the hospitality industry to embrace hacker-powered security, Hyatt's milestone today demonstrates its long-term commitment to setting the highest standard for cybersecurity. We sat down with Robert Lowery, Senior Analyst at Hyatt, to learn more about the history of Hyatt's bug bounty program and their most recent 0,000 milestone. Read on to see what Robert shared on how the knowledge of the global security researcher community helps Hyatt reduce risk, enable security improvements, and ultimately, deliver on their promise to care for employees, guests, and shareholders alike so they can be their best.
https://www.hackerone.com/bounty/hyatts-bug-bounty-program-update-qa-senior-analyst-robert-lowery

Why security transparency makes for good corporate governance

https://www.hackerone.com/resources/wistia-webinars/blackhat-marten-mickos

One Month of Learnings from Flo Health's Bug Bounty Program: A Q&A with CISO, Leo Cunningham

https://www.hackerone.com/vulnerability-management/one-month-learnings-flo-healths-bug-bounty-program-qa-ciso-leo-cunningham

Vulnerability Assessment | A Complete Guide

https://www.hackerone.com/vulnerability-management/vulnerability-assessment-i-complete-guide

What We Can Learn From Recent Ransomware Attacks

https://www.hackerone.com/vulnerability-management/what-we-can-learn-recent-ransomware-attacks

How to Use HackerOne and PagerDuty to Identify When Vulnerabilities Need Action

https://www.hackerone.com/vulnerability-management/how-use-hackerone-and-pagerduty-identify-when-vulnerabilities-need-action

What Are Bug Bounties? How Do They Work? [With Examples]

https://www.hackerone.com/vulnerability-management/what-are-bug-bounties-how-do-they-work-examples

How the Industry's First Hacker-Powered API Helps Hackers Automate Workflows

https://www.hackerone.com/application-security/how-industrys-first-hacker-powered-api-helps-hackers-automate-workflows

How HackerOne Positively Influences Zebra's Software Development Life Cycle

https://www.hackerone.com/vulnerability-management/zebra-secure-development-lifecycle

Bug Bounty vs. CTF [Understanding Differences & Benefits]
Trying to understand the difference between a bug bounty vs. CTF? We explain the differences, the similarities, and the benefits of each.
https://www.hackerone.com/community-blog/bug-bounty-vs-ctf-understanding-differences-benefits

Bug Bounty vs. Penetration Testing: Differences Explained

https://www.hackerone.com/penetration-testing/bug-bounty-vs-penetration-testing-differences-explained

HackerOne in DevSecOps

https://www.hackerone.com/vulnerability-disclosure/hackerone-devsecops

What is Vulnerability Scanning? [And How to Do It Right]

https://www.hackerone.com/vulnerability-management/what-vulnerability-scanning-and-how-do-it-right

How HackerOne and GitHub Now Work Better Together

https://www.hackerone.com/vulnerability-management/how-hackerone-and-github-now-work-better-together

Citrix's Hacker-Powered Security Growth Plan: Q&A with Abhijith Chandrashekar

https://www.hackerone.com/vulnerability-management/citrixs-hacker-powered-security-growth-plan-qa-abhijith-chandrashekar

How Hackers Can Help Reduce Your Organization's Application Risk on AWS

https://www.hackerone.com/vulnerability-management/how-hackers-can-help-reduce-your-organizations-application-risk-aws

What Is Penetration Testing? How Does It Work Step-by-Step?

https://www.hackerone.com/penetration-testing/what-penetration-testing-how-does-it-work-step-step

60 Days of Insights from the DOD's Defense Industrial Base Vulnerability Disclosure Program Pilot

https://www.hackerone.com/vulnerability-management/60-days-insights-dods-defense-industrial-base-vulnerability-disclosure

Announcing Hack the Army 3.0 Results: A Conversation with Defense Digital Service, U.S. Army, and Hack the Army 3.0's Top Hacker

https://www.hackerone.com/blog/announcing-hack-army-30-results-conversation-defense-digital-service-us-army-and-hack-army

Build a Resilient Security Posture with Vulnerability Intelligence and Cybersecurity Ratings

https://www.hackerone.com/vulnerability-management/build-resilient-security-posture-vulnerability-intelligence-and

Hack Hard. Have Fun. Increase Security

https://www.hackerone.com/community-blog/hack-hard-have-fun-increase-security

How Digital Transformation Changes an Organization's Security Challenges

https://www.hackerone.com/vulnerability-management/how-digital-transformation-changes-organizations-security-challenges

Microsoft Says: Russian SolarWinds Hackers Hit U.S. Government Agencies Again

https://www.hackerone.com/vulnerability-management/microsoft-says-russian-solarwinds-hackers-hit-us-government-agencies-again

Spotlight on the Server-Side
Server-side request forgery (or SSRF) vulnerabilities are particularly dangerous because they can lead to total system compromise. Discover where they're most common, explore real-world examples, and learn prevention tips from hackers.
https://www.hackerone.com/application-security/spotlight-server-side
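The standard SSRF prevention advice, an allowlist of schemes plus a check that the target does not resolve to a loopback, private, link-local or cloud-metadata address, is easy to get subtly wrong (IPv6 loopback, IPv4-mapped IPv6, a hostname with one public and one private answer). The guard below is an added example written for this page, not the article's or HackerOne's code; it takes the resolver as a parameter so the constructed fake DNS table lets it run offline, and the hostnames in that table are placeholders.

```python
"""SSRF guard: validate the scheme and every resolved address of an outbound URL before fetching it (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # no file:, gopher:, ftp:, dict: etc.


def resolve_with_system_dns(host):
    """Production resolver: every A/AAAA answer for host (assumption: the fetcher may use either family)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed fake DNS table so the example runs offline; none of these names or answers are real.
FAKE_DNS = {
    "api.example.com": {"93.184.216.34"},
    "internal.example.com": {"10.0.0.5"},
    "rebind.example.com": {"93.184.216.34", "127.0.0.1"},   # split answer: one public, one loopback
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return FAKE_DNS[host]


def ssrf_problems(url, resolve=resolve_with_system_dns):
    """Return the reasons the URL must not be fetched; an empty list means it passed."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        problems.append(f"scheme not allowed: {parts.scheme or '(none)'}")
    if parts.username or parts.password:
        problems.append("credentials in URL (user@host parsing confusion)")
    host = parts.hostname
    if not host:
        problems.append("no host")
        return problems
    try:
        addresses = {ipaddress.ip_address(host)}   # literal IPv4/IPv6 (brackets already stripped)
    except ValueError:
        try:
            addresses = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError) as exc:
            return problems + [f"unresolvable host {host}: {exc}"]
    for addr in addresses:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped    # ::ffff:10.0.0.5 is really 10.0.0.5
        if not addr.is_global or addr.is_multicast or addr.is_reserved:
            problems.append(f"{host} resolves to non-public address {addr}")
    return problems


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/status",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://rebind.example.com/",
                      "http://[::ffff:10.0.0.5]/admin"):
        print(candidate, ssrf_problems(candidate, fake_resolve))
```

Two caveats the check alone does not cover: the HTTP client will resolve the name again when it connects, so a DNS-rebinding attacker can pass validation with a public answer and serve a private one a moment later (connect to the address you validated and send the Host header yourself), and every redirect is a fresh URL that must go through the same check.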

5 Secrets of a Mature Vulnerability Management Program from Costa Coffee and Priceline
During HackerOne's recent series of webinars, we caught up with Matt Southworth, CISO of Priceline, and Matt Adams, Global Security Architect at Costa Coffee, to learn their 5 secrets to building a highly effective vulnerability management program.
https://www.hackerone.com/vulnerability-management/5-secrets-mature-vulnerability-management-program

A Security Engineer and Hacker Share Their Experiences with Security Assessments
A few weeks ago, HackerOne and PortSwigger teamed up to shine a light on the innovative ways that customers and security analysts are scaling risk assessments. Read on for key learnings.
https://www.hackerone.com/ethical-hacker/security-engineer-and-hacker-share-their-experiences-security-assessments

Saxo Bank Celebrates One Year of Bug Bounties: Q&A with CISO Mads Syska Hasling

https://www.hackerone.com/vulnerability-management/saxo-bank-celebrates-one-year-bug-bounties-qa-ciso-mads-syska-hasling

How HackerOne Helps the Vulnerability Management Process
HackerOne sees vulnerability management as a process combining software tools and security analyst actions to reduce risk. In many cases, successful vulnerability management requires a joint effort between security operations, who find vulnerabilities, and IT operations, who are responsible for fixing, or patching, them.
https://www.hackerone.com/vulnerability-management/how-hackerone-helps-vulnerability-management-process

Reddit's Bug Bounty Program Kicks Off: Q&A with Reddit's Allison Miller and Spencer Koch, and Top Program Hacker @RENEKROKA
HackerOne sat down with Reddit's CISO and VP of Trust, resident Security Wizard, and top hacker to discover the secrets to Reddit's bug bounty success, explore their goals and key results, delve into how they use hackers to scale security across software development, and gain a unique perspective about what it's like to hack one of the world's leading social networks.
https://www.hackerone.com/application-security/reddits-bug-bounty-program-kicks-qa-reddits-allison-miller-and-spencer-koch

Security@ 2021 Call for Speakers is Open
HackerOne's global hacker-powered security conference, Security@, is back for its fifth year. This year's virtual event will take place September 20, 2021. The call for speakers is now open! You have until May 15, 2021, to submit your talk.
https://www.hackerone.com/company-news/security-2021-call-speakers-open

The Rise of IDOR
Insecure Direct Object Reference (IDOR) is a simple bug that packs a punch. Discover where IDORs are most common, explore real-world examples, and learn prevention tips from hackers.
https://www.hackerone.com/company-news/rise-idor
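An IDOR is an authenticated endpoint that looks an object up by a client-supplied identifier without checking that the caller is allowed to see that particular object. The example below, added for this page and not taken from the article or from HackerOne, shows the vulnerable handler beside the fixed one and an access-matrix test that flags every (user, object) pair the handler grants but the policy denies, which is how such gaps are caught before a hacker reports them. The users, invoices and amounts are constructed.

```python
"""IDOR: vulnerable lookup beside an owner-checked one, plus an access-matrix test that finds the gap (added example)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Invoice:
    id: str
    owner: str
    shared_with: set = field(default_factory=set)
    total: int = 0


class NotFound(Exception):
    """Maps to HTTP 404. The fixed handler uses it for 'forbidden' too, so existence is not leaked."""


# Constructed sample data. Sequential ids make guessing trivial, which is exactly what IDOR exploits.
INVOICES = {
    "1001": Invoice("1001", "alice", total=120),
    "1002": Invoice("1002", "bob", {"carol"}, total=75),
    "1003": Invoice("1003", "carol", total=310),
}


def get_invoice_vulnerable(user, invoice_id):
    """Requires a logged-in user but never asks whether *this* user may read *this* invoice."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice_fixed(user, invoice_id):
    """Object-level authorization: the owner or an explicitly shared-with user, nobody else."""
    inv = INVOICES.get(invoice_id)
    if inv is None or (user != inv.owner and user not in inv.shared_with):
        raise NotFound(invoice_id)   # same response for missing and forbidden
    return inv


def expected_access(user, inv):
    """The policy the handlers are supposed to enforce."""
    return user == inv.owner or user in inv.shared_with


def find_idor(handler, users):
    """Access-matrix test: every (user, invoice id) the handler grants that the policy denies."""
    leaks = []
    for user in users:
        for inv in INVOICES.values():
            try:
                handler(user, inv.id)
                granted = True
            except NotFound:
                granted = False
            if granted and not expected_access(user, inv):
                leaks.append((user, inv.id))
    return leaks


def new_invoice_id():
    """Unguessable id: defence in depth only, never a substitute for the authorization check."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    users = ["alice", "bob", "carol", "mallory"]
    print("vulnerable handler leaks:", find_idor(get_invoice_vulnerable, users))
    print("fixed handler leaks:", find_idor(get_invoice_fixed, users))
```

The matrix test is cheap to keep in the test suite for every object type, and it is the same exercise a hacker performs by hand with two accounts and a proxy.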

PayPal is our Virtual Pal
HackerOne and event partner PayPal share their experiences from HackerOne's second virtual live hacking event.
https://www.hackerone.com/vulnerability-management/paypal-our-virtual-pal

Commerce Giant Shopify Kicks Off 2021 with HackerOne (Virtual) Live Hacking Event: h1-2102
HackerOne's first virtual live hacking event of the year kicked off with Shopify in January 2021. Read this blog post to learn more about how Shopify builds relationships with hackers through live events like h1-2102, and find out who the award winners are.
https://www.hackerone.com/community-blog/commerce-giant-shopify-kicks-2021-hackerone-virtual-live-hacking-event-h1-2102
The Rise of Misconfiguration and Supply Chain Vulnerabilities
The vulnerability of supply chains has been top of mind since the SolarWinds attack, which still dominates headlines, but last week's Singtel breach also reflects the rise of breaches triggered by misconfiguration vulnerabilities.
https://www.hackerone.com/vulnerability-management/rise-misconfiguration-and-supply-chain-vulnerabilities
2020 Hacker Community Year in Review
From CTFs to virtual live hacking events and more, check out this recap of the initiatives HackerOne hosted for the hacker community in 2020.
https://www.hackerone.com/community-blog/2020-hacker-community-year-review
Announcing The Hacker of The Hill

https://www.hackerone.com/ethical-hacker/announcing-hacker-hill
5 Learnings From A Conversation With OP Financial Group's CISO And @mrtuxracer
On 20 January, HackerOne's CEO, Marten Mickos, sat down for a chat with European hacker, Julien Ahrens a.k.a @mrtuxracer, and Teemu Ylhäisi, CISO at OP Financial Group. The discussion ranged from the recent SolarWinds attacks to the best way to prevent phishing. Here are our top takeaways from the webinar.
https://www.hackerone.com/application-security/5-learnings-conversation-op-financial-groups-ciso-and-mrtuxracer
LINE on Securing the Application Development Lifecycle with Bug Bounties
HackerOne has a large hacker community and the platform necessary to operate LINE's bug bounty program. By using HackerOne's platform and welcoming the community, LINE can increase operational efficiency. Through the partnership with HackerOne, we can share new bugs and learn from the vulnerability trends on the Platform while also getting a guide that helps us create a successful bug bounty program.
https://www.hackerone.com/application-security/line-securing-application-development-lifecycle-bug-bounties
What Years of AWS Hacking Tells Us About Building Secure Apps
Years of AWS bug bounties have exposed SSRF vulnerabilities, misconfigurations, and dangling DNS records. What can we learn from these vulnerabilities about mitigating risk?
https://www.hackerone.com/application-security/what-years-aws-hacking-tells-us-about-building-secure-apps
Grab Celebrates 5 Years on HackerOne
"Just five years ago, leading rideshare, food delivery, and payments company Grab became one of the first companies in Southeast Asia to implement a hacker-powered security program. In just three years Grab became one of the Top 20 bug bounty programs on HackerOne worldwide."
https://www.hackerone.com/company-news/grab-celebrates-5-years-hackerone
HackerOne Policies Update
HackerOne's Policies Received Updates - check them out now!
https://www.hackerone.com/company-news/hackerone-policies-update
The World's Largest Live Hacking Event
HackerOne and The Paranoids partnered to bring you the largest live hacking event in the world
https://www.hackerone.com/community-blog/worlds-largest-live-hacking-event
Quantifying Risk: How do you measure success in security?
When your job is all about avoiding costly incidents and mistakes, it's hard to put a dollar value on your work. At HackerOne's recent Security@ conference, Slack and Hyatt's CISOs sat down for a chat about their challenges and the hacks they use to quantify risk:
https://www.hackerone.com/application-security/quantifying-risk-how-do-you-measure-success-security
12 Days of Hacky Holidays CTF

https://www.hackerone.com/ethical-hacker/12-days-hacky-holidays-ctf
VDPs are at the Heart of the Australian Cyber Security Centre's Recommendations

https://www.hackerone.com/vulnerability-management/vdps-are-heart-australian-cyber-security-centres-recommendations
HackerOne Joins AWS Marketplace as Cloud Vulnerabilities Rise
HackerOne reveals the most common and critical vulnerabilities found in cloud infrastructure and announces its debut in AWS Marketplace.
https://www.hackerone.com/application-security/hackerone-joins-aws-marketplace-cloud-vulnerabilities-rise
Announcing the HackerOne Brand Ambassadors
Announcing the first group of Hacker Brand Ambassadors who will lead hackers in their local area.
https://www.hackerone.com/community-blog/announcing-hackerone-brand-ambassadors
US Government Mandates Vulnerability Disclosure for IoT

https://www.hackerone.com/vulnerability-management/us-government-mandates-vulnerability-disclosure-iot
Announcing new leaderboards: More ways to engage, compete and win

https://www.hackerone.com/ethical-hacker/announcing-new-leaderboards-more-ways-engage-compete-and-win
HackerOne is Excited to Launch Triage Ratings for Customers and Hackers

https://www.hackerone.com/application-security/hackerone-excited-launch-triage-ratings-customers-and-hackers
NIST Overhauls “Security and Privacy Controls” and Emphasizes VDP as a Best Practice

https://www.hackerone.com/security-compliance/nist-overhauls-security-and-privacy-controls-and-emphasizes-vdp-best-practice
Snap's Security Team on Nearly 6 Years of Collaborating with Hackers

https://www.hackerone.com/vulnerability-management/snaps-security-team-nearly-6-years-collaborating-hackers
Organizations Paid Hackers $23.5 Million for These 10 Vulnerabilities in One Year
HackerOne report reveals cross-site scripting, improper access control, and information disclosure top list of most common and impactful vulnerabilities
https://www.hackerone.com/ethical-hacker/organizations-paid-hackers-235-million-these-10-vulnerabilities-one-year
HackerOne Expands Integrations Ecosystem to Connect and Defend Customers

https://www.hackerone.com/vulnerability-management/hackerone-expands-integrations-ecosystem-connect-and-defend-customers
HackerOne Integrates with ServiceNow to Streamline Vulnerability Lifecycle Management
We're excited to announce our integration with ServiceNow Incident Management. This integration allows customers to escalate vulnerability reports with ServiceNow incidents and synchronize any updates in the vulnerability workflow that happen in ServiceNow or HackerOne.
https://www.hackerone.com/vulnerability-management/hackerone-integrates-servicenow-streamline-vulnerability-lifecycle
AT&T Celebrates $1 Million Awarded to Hackers in One Year
AT&T recently celebrated its first anniversary on HackerOne, passing $1 million in payouts to more than 850 researchers worldwide. Read on to learn more about their program and successes over the last year.
https://www.hackerone.com/ethical-hacker/att-celebrates-1-million-awarded-hackers-one-year
Introducing the 4th Annual Hacker-Powered Security Report

https://www.hackerone.com/ethical-hacker/introducing-4th-annual-hacker-powered-security-report
H1-2010 FAQ's
FAQs from HackerOne's biggest virtual live hacking event with The Paranoids from Verizon Media, H1-2010.
https://www.hackerone.com/company-news/h1-2010-faqs
Vulnerability Disclosure is Now Mandatory for Federal Agencies - Here's How to Make it Happen

https://www.hackerone.com/vulnerability-management/vulnerability-disclosure-now-mandatory-federal-agencies-heres-how-make-it
Smartsheet Celebrates One Year with HackerOne
To mark Smartsheet's one-year anniversary with HackerOne, we sat down with Nolan Gibb, Information Security Engineer at Smartsheet, to discuss how bug bounties enable his team to scale and collaborate with software developers to create more secure products.
https://www.hackerone.com/vulnerability-management/smartsheet-celebrates-one-year-hackerone
HackerOne Rolls Out Pentest Review System for Customers and Pentesters

https://www.hackerone.com/penetration-testing/hackerone-rolls-out-pentest-review-system-customers-and-pentesters
Are Election Hacking Fears Driving Voters To The Polls?
If people fear that the American electoral infrastructure could be hacked, will they withhold their votes in November? Not according to research commissioned by HackerOne.
https://www.hackerone.com/company-news/are-election-hacking-fears-driving-voters-polls
Become a HackerOne Brand Ambassador
Announcing the Hacker Brand Ambassador Program: lead hackers in your city, get exclusive perks, further your career.
https://www.hackerone.com/company-news/become-hackerone-brand-ambassador
National University of Singapore Taps Students to Hack for Good
In an inaugural InterUni Bug Bounty Challenge jointly organized by the National University of Singapore (NUS) and Singapore Management University (SMU) from 12 August to 9 September 2020, students and staff from the two universities will get to hone their hacking skills by looking for vulnerabilities (or 'bugs') across the digital assets of their respective universities in exchange for monetary rewards, or bounties. To kick off the InterUni Bug Bounty Challenge, we sat down with NUS Chief Information Technology Officer Tommy Hor to learn more about the Challenge, why cybersecurity is so important to educational institutions like NUS, and more.
https://www.hackerone.com/ethical-hacker/national-university-singapore-taps-students-hack-good
Recap of h@cktivitycon 2020
HackerOne's first-ever hacker conference, h@cktivitycon, streamed on Twitch from Friday, July 31 to August 1, 2020, and is recapped in this blog post.
https://www.hackerone.com/ethical-hacker/recap-hcktivitycon-2020
Adobe and HackerOne Celebrate Five Years of Continued Collaboration
To celebrate five years with HackerOne, we sat down with Adobe's Senior Security Program Manager Pieter Ockers to discuss how their program has evolved over the last five years and the role that hacker-powered security, both bug bounties and response programs, plays into their overall security strategy. 
https://www.hackerone.com/company-news/adobe-and-hackerone-celebrate-five-years-continued-collaboration
COVID Confessions of a CISO
The COVID-19 crisis has shifted life online. As companies rush to meet remote work requirements and customer demands for digital services, attack surfaces have dramatically expanded, leaving security teams stretched thin and not staffed to cope. HackerOne dug into this concept to identify COVID-19 impacts on security and business. Read on for our findings.
https://www.hackerone.com/company-news/covid-confessions-ciso
Human vs. Machine: Three-Part Virtual Series on the Human Element of AppSec

https://www.hackerone.com/ethical-hacker/human-vs-machine-three-part-virtual-series-human-element-appsec
Securing video streaming in sub-Saharan Africa
Maintaining a video streaming service across the whole of Africa is challenge enough, without the added pressure of potential security issues. Showmax turns to hackers to secure their customer data and protect the security of their shows and movies.
https://www.hackerone.com/application-security/securing-video-streaming-sub-saharan-africa
Security@ 2020 Call for Speakers is Open
HackerOne's global hacker-powered security conference, Security@, is back for its fourth year. This year's virtual event will take place October 20-22, 2020. The call for speakers is now open! You have until August 21, 2020, to submit your talk.
https://www.hackerone.com/company-news/security-2020-call-speakers-open
Costa Coffee prepares for global expansion with bug bounty program
As the coffee chain prepares for global expansion, Costa Coffee joins the likes of Hyatt, Deliveroo, and Zomato in launching its first private bug bounty program. Costa Coffee will shore up its digital defenses using the combined expertise and experience of HackerOne's hacker community.
https://www.hackerone.com/application-security/costa-coffee-prepares-global-expansion-bug-bounty-program
A Warm Welcome To Our New SVP of Customer Success
We are delighted to announce that Amanda Berger — former Chief Customer Officer at Lucidworks — has joined HackerOne as our new SVP of Customer Success. In this article, Amanda introduces herself and shares what she hopes to achieve at HackerOne.
https://www.hackerone.com/company-news/warm-welcome-our-new-svp-customer-success
Pentesting basics video series launched on Hacker101
Learn the basics of pentesting to further your career and develop core competencies required in one of the hottest job markets in cybersecurity: Penetration testing.
https://www.hackerone.com/ethical-hacker/pentesting-basics-video-series-launched-hacker101