No news

Yesterday's news

Protection Tips: How to Prevent Phone Hacking
Your phone is your life. It has your contacts, your social media, your banking information,… Protection Tips: How to Prevent Phone Hacking on Latest Hacking News.
https://latesthackingnews.com/2022/05/23/protection-tips-how-to-prevent-phone-hacking/

Multiple Vulnerabilities Found In Jupiter WordPress Theme
Researchers discovered multiple security vulnerabilities in the Jupiter WordPress theme. While vendors have patched the… Multiple Vulnerabilities Found In Jupiter WordPress Theme on Latest Hacking News.
https://latesthackingnews.com/2022/05/23/multiple-vulnerabilities-found-in-jupiter-wordpress-theme/

Top 5 Data Integration Challenges and Ways to Navigate them
Recent developments in the digital business ecosystem have transformed customers' expectations and business models. It… Top 5 Data Integration Challenges and Ways to Navigate them on Latest Hacking News.
https://latesthackingnews.com/2022/05/23/top-5-data-integration-challenges-and-ways-to-navigate-them/

Yes, Containers Are Terrific, But Watch the Security Risks
Containers revolutionized the development process, acting as a cornerstone for DevOps initiatives, but containers bring complex security risks that are not always obvious. Organizations that don't mitigate these risks are vulnerable to attack.  In this article, we outline how containers contributed to agile development, which unique security risks containers bring into the picture – and what
https://thehackernews.com/2022/05/yes-containers-are-terrific-but-watch.html

Fronton: Russian IoT Botnet Designed to Run Social Media Disinformation Campaigns
Fronton, a distributed denial-of-service (DDoS) botnet that came to light in March 2020, is much more powerful than previously thought, per the latest research. "Fronton is a system developed for coordinated inauthentic behavior on a massive scale," threat intelligence firm Nisos said in a report published last week. "This system includes a web-based dashboard known as SANA that enables a user
https://thehackernews.com/2022/05/fronton-russian-iot-botnet-designed-to.html

New Unpatched Bug Could Let Attackers Steal Money from PayPal Users
A security researcher claims to have discovered an unpatched vulnerability in PayPal's money transfer service that could allow attackers to trick victims into unknowingly completing attacker-directed transactions with a single click. Clickjacking, also called UI redressing, refers to a technique wherein an unwitting user is tricked into clicking seemingly innocuous webpage elements like buttons
https://thehackernews.com/2022/05/paypal-pays-hacker-200000-for.html

Chinese "Twisted Panda" Hackers Caught Spying on Russian Defense Institutes
At least two research institutes located in Russia and a third likely target in Belarus have been at the receiving end of an espionage attack by a Chinese nation-state advanced persistent threat (APT). The attacks, codenamed "Twisted Panda," come in the backdrop of Russia's military invasion of Ukraine, prompting a wide range of threat actors to swiftly adapt their campaigns on the ongoing
https://thehackernews.com/2022/05/chinese-twisted-panda-hackers-caught.html

GM credential stuffing attack exposed car owners' personal info
US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed customer information and allowed hackers to redeem rewards points for gift cards. [...]
https://www.bleepingcomputer.com/news/security/gm-credential-stuffing-attack-exposed-car-owners-personal-info/

Fake Windows exploits target infosec community with Cobalt Strike
A threat actor targeted security researchers with fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor. [...]
https://www.bleepingcomputer.com/news/security/fake-windows-exploits-target-infosec-community-with-cobalt-strike/

Photos of abused victims used in new ID verification scam
Scammers are now leveraging dating apps like Tinder and Grindr to pose as former victims of physical abuse in order to gain your trust and sympathy and sell you "ID verification" services. BleepingComputer came across multiple instances of users on online dating apps being approached by these catfishing profiles. [...]
https://www.bleepingcomputer.com/news/security/photos-of-abused-victims-used-in-new-id-verification-scam/

Hackers can hack your online accounts before you even register them
Security researchers have revealed that hackers can hijack your online accounts before you even register them by exploiting flaws that have already been fixed on popular websites, including Instagram, LinkedIn, Zoom, WordPress, and Dropbox. [...]
https://www.bleepingcomputer.com/news/security/hackers-can-hack-your-online-accounts-before-you-even-register-them/

New RansomHouse group sets up extortion market, adds first victims
Yet another data-extortion cybercrime operation has appeared on the darknet named 'RansomHouse' where threat actors publish evidence of stolen files and leak data of organizations that refuse to make a ransom payment. [...]
https://www.bleepingcomputer.com/news/security/new-ransomhouse-group-sets-up-extortion-market-adds-first-victims/

Russian hackers perform reconnaissance against Austria, Estonia
In a new reconnaissance campaign, the Russian state-sponsored hacking group Turla was observed targeting the Austrian Economic Chamber, a NATO platform, and the Baltic Defense College. [...]
https://www.bleepingcomputer.com/news/security/russian-hackers-perform-reconnaissance-against-austria-estonia/

Russia-linked Fronton botnet could run disinformation campaigns
Researchers warn that the Fronton botnet was used by Russia-linked threat actors for coordinated disinformation campaigns. Fronton is a distributed denial-of-service (DDoS) botnet that was used by Russia-linked threat actors for coordinated disinformation campaigns. In March 2020, the collective of hacktivists called “Digital Revolution” claimed to have hacked a subcontractor to the Russian FSB. The […] The post Russia-linked Fronton botnet could run disinformation campaigns appeared first on Security Affairs.
https://securityaffairs.co/wordpress/131574/cyber-warfare-2/fronton-botnet-disinformation.html

A flaw in PayPal can allow attackers to steal money from users' account
A security researcher announced the discovery of an unpatched flaw in PayPal that could allow attackers to steal money from users. TheHackerNews first reported that a security researcher (that goes online with the moniker h4x0r_dz) has discovered an unpatched flaw in PayPal that could allow attackers to trick users into completing transactions controlled by the […] The post A flaw in PayPal can allow attackers to steal money from users’ account appeared first on Security Affairs.
https://securityaffairs.co/wordpress/131569/hacking/paypal-clickjacking-attack.html

Cytrox's Predator spyware used zero-day exploits in 3 campaigns
Google’s Threat Analysis Group (TAG) uncovered campaigns targeting Android users with five zero-day vulnerabilities. Google’s Threat Analysis Group (TAG) researchers discovered three campaigns, between August and October 2021, targeting Android users with five zero-day vulnerabilities. The attacks aimed at installing the surveillance spyware Predator, developed by the North Macedonian firm Cytrox. The five 0-day vulnerabilities […] The post Cytrox’s Predator spyware used zero-day exploits in 3 campaigns appeared first on Security Affairs.
https://securityaffairs.co/wordpress/131561/hacking/predator-spyware-zero-day-exploits.html

Threat actors target the infoSec community with fake PoC exploits
Researchers uncovered a malware campaign targeting the infosec community with a fake proof of concept to deliver a Cobalt Strike beacon. Researchers from threat intelligence firm Cyble uncovered a malware campaign targeting the infosec community. The experts discovered a post in which a researcher was sharing fake proof-of-concept (PoC) exploit code for an RPC Runtime Library […] The post Threat actors target the infoSec community with fake PoC exploits appeared first on Security Affairs.
https://securityaffairs.co/wordpress/131553/intelligence/fake-poc-exploits-attacks.html

Pwn2Own Vancouver: 15th annual hacking event pays out $1.2m for high-impact security bugs
Tesla, Microsoft, and others targeted in hacking competition that saw Star Labs crowned 'Masters of Pwn'
https://portswigger.net/daily-swig/pwn2own-vancouver-15th-annual-hacking-event-pays-out-1-2m-for-high-impact-security-bugs

Chicago Public Schools data breach blamed on ransomware attack on supplier
Cybercrooks compromised server containing student course information and assessment data
https://portswigger.net/daily-swig/chicago-public-schools-data-breach-blamed-on-ransomware-attack-on-supplier

Yik Yak fixes information disclosure bug that leaked users' GPS location
Hairy MitM exploit independently discovered by two security researchers
https://portswigger.net/daily-swig/yik-yak-fixes-information-disclosure-bug-that-leaked-users-gps-location

Blockchain bridge Wormhole pays record $10m bug bounty reward
Critical security flaw patched on the same day it was submitted
https://portswigger.net/daily-swig/blockchain-bridge-wormhole-pays-record-10m-bug-bounty-reward

Frelatage - The Python Fuzzer That The World Deserves
    pip3 install frelatage

Current release: 0.0.7

Frelatage is a coverage-based Python fuzzing library which can be used to fuzz Python code. The development of Frelatage was inspired by various other fuzzers, including AFL/AFL++, Atheris and PythonFuzz. The main purpose of the project is to take advantage of the best features of these fuzzers and gather them together into a new tool in order to efficiently fuzz Python applications.

DISCLAIMER: This project is at the alpha stage and can still cause many unexpected behaviors. Frelatage should not be used in a production environment at this time.

Requirements
- Python 3

Installation

Install with pip (recommended):

    pip3 install frelatage

Or build from source (recommended for developers). The script below automatically clones the main branch from the Frelatage repo and installs from source:

    # Automatically clone the Frelatage repository and install Frelatage from source
    bash <(wget -q https://raw.githubusercontent.com/Rog3rSm1th/Frelatage/main/scripts/autoinstall.sh -O -)

How it works

The idea behind the design of Frelatage is the use of a genetic algorithm to generate mutations that will cover as much code as possible. The functioning of a fuzzing cycle can be roughly summarized with this diagram (Mermaid syntax):

    graph TB
    m1(Mutation 1) --> |input| function(Fuzzed function)
    m2(Mutation 2) --> |input| function(Fuzzed function)
    mplus(Mutation ...) --> |input| function(Fuzzed function)
    mn(Mutation n) --> |input| function(Fuzzed function)
    function --> generate_reports(Generate reports)
    generate_reports --> rank_reports(Rank reports)
    rank_reports --> select(Select n best reports)
    select --> |mutate| nm1(Mutation 1) & nm2(Mutation 2) & nmplus(Mutation ...) & nmn(Mutation n)
    subgraph Cycle mutations
    direction LR
    m1
    m2
    mplus
    mn
    end
    subgraph Next cycle mutations
    direction LR
    nm1
    nm2
    nmplus
    nmn
    end
    style function fill:#5388e8,stroke:white,stroke-width:4px

Features
- Fuzzing different argument types: String, Int, Float, List, Tuple, Dictionary
- File fuzzing: Frelatage allows you to fuzz a function by passing a file as input.
- Fuzzer efficiency: Corpus, Dictionary

Use Frelatage

Fuzz a classical parameter:

    import frelatage
    import my_vulnerable_library

    def MyFunctionFuzz(data):
        my_vulnerable_library.parse(data)

    input = frelatage.Input(value="initial_value")
    f = frelatage.Fuzzer(MyFunctionFuzz, [[input]])
    f.fuzz()

Fuzz a file parameter

Frelatage gives you the possibility to fuzz file-type input parameters. To initialize the value of these files, you must create files in the input folder (./in by default). If we want to initialize the value of a file used to fuzz, we can do it like this:

    echo "initial value" > ./in/input.txt

And then run the fuzzer:

    import frelatage
    import my_vulnerable_library

    def MyFunctionFuzz(data):
        my_vulnerable_library.load_file(data)

    input = frelatage.Input(file=True, value="input.txt")
    f = frelatage.Fuzzer(MyFunctionFuzz, [[input]])
    f.fuzz()

Load several files to a corpus at once

If you need to load several files into a corpus at once (useful if you use a large corpus), you can use the built-in Frelatage function load_corpus. This function returns a list of inputs.

    load_corpus(directory: str, file_extensions: list) -> list[Input]

- directory: subdirectory of the input directory (relative path), e.g. ./, ./images
- file_extensions: list of file extensions to include in the corpus entries, e.g. ["jpeg", "gif"], ["pdf"]

    import frelatage
    import my_vulnerable_library

    # The fuzzed function receives one argument per corpus passed to the Fuzzer
    def MyFunctionFuzz(data, data2):
        my_vulnerable_library.load_file(data)
        my_vulnerable_library.load_file(data2)

    # Load every file in the ./in directory
    corpus_1 = frelatage.load_corpus(directory="./")
    # Load every .gif/.jpeg file in the ./in/images subdirectory
    corpus_2 = frelatage.load_corpus(directory="./images", file_extensions=["gif", "jpeg"])
    f = frelatage.Fuzzer(MyFunctionFuzz, [corpus_1, corpus_2])
    f.fuzz()

Fuzz with a dictionary

You can copy one or more dictionaries located here into the directory dedicated to dictionaries (./dict by default).

Differential fuzzing

Differential fuzzing is a popular software testing technique that attempts to detect bugs by providing the same input to multiple libraries/programs and observing differences in their behaviors. You will find here an example of differential fuzzing with Frelatage using the json and ujson libraries.

Examples

You can find more examples of fuzzers and corpora in the examples directory.
- Fuzzing Pillow with Frelatage to find bugs and vulnerabilities

Reports

Each crash is saved in the output folder (./out by default), in a folder named id:<crash ID>,err:<error type>,err_pos:<error>,err_file:<error file>. The report directory has the following form:

    ├── out
    │   ├── id:<crash ID>,err:<error type>,err_file:<error file>,err_pos:<err_pos>
    │   │   ├── input
    │   │   ├── 0
    │   │   │   ├── <inputfile1>
    │   │   │   ├── ...
    │   ├── ...

Read a crash report

Inputs passed to a function are serialized using the pickle module before being saved in the <report_folder>/input file. It is therefore necessary to deserialize it to be able to read the contents of the file. This action can be performed with this script:

    ./read_report.py input

Configuration

There are two ways to set up Frelatage.

Using the environment variables:

    ENV Variable                           | Description                                                                                                   | Possible Values                                   | Default Value
    FRELATAGE_DICTIONARY_ENABLE            | Enable the use of mutations based on dictionary elements                                                      | 1 to enable, 0 otherwise                          | 1
    FRELATAGE_TIMEOUT_DELAY                | Delay in seconds after which a function will return a TimeoutError                                            | 1 - 20                                            | 2
    FRELATAGE_INPUT_FILE_TMP_DIR           | Temporary folder where input files are stored                                                                 | absolute path to a folder, e.g. /tmp/custom_dir   | /tmp/frelatage
    FRELATAGE_INPUT_MAX_LEN                | Maximum size of an input variable in bytes                                                                    | 4 - 1000000                                       | 4094
    FRELATAGE_MAX_THREADS                  | Maximum number of simultaneous threads                                                                        | 8 - 50                                            | 8
    FRELATAGE_MAX_CYCLES_WITHOUT_NEW_PATHS | Number of cycles without new paths found after which we go to the next stage                                  | 10 - 50000                                        | 5000
    FRELATAGE_INPUT_DIR                    | Directory containing the initial input files. It needs to be a relative path (to the path of the fuzzing file) | relative path to a folder, e.g. ./in              | ./in
    FRELATAGE_DICTIONARY_DIR               | Default directory for dictionaries. It needs to be a relative path (to the path of the fuzzing file)          | relative path to a folder, e.g. ./dict            | ./dict
    FRELATAGE_DEBUG_MODE                   | Enable the debug mode (show the error when Frelatage crashes)                                                 | 1 to enable, 0 otherwise                          | 1

A configuration example:

    export FRELATAGE_DICTIONARY_ENABLE=1 &&
    export FRELATAGE_TIMEOUT_DELAY=2 &&
    export FRELATAGE_INPUT_FILE_TMP_DIR="/tmp/frelatage" &&
    export FRELATAGE_INPUT_MAX_LEN=4096 &&
    export FRELATAGE_MAX_THREADS=8 &&
    export FRELATAGE_MAX_CYCLES_WITHOUT_NEW_PATHS=5000 &&
    export FRELATAGE_INPUT_DIR="./in" &&
    export FRELATAGE_DICTIONARY_DIR="./dict" &&
    python3 fuzzer.py

Passing arguments to the fuzzer:

    import frelatage

    def myfunction(input1_string, input2_int):
        pass

    input1 = frelatage.Input(value="initial_value")
    input2 = frelatage.Input(value=2)
    f = frelatage.Fuzzer(
        # The method you want to fuzz
        method=myfunction,
        # Corpus: one list of inputs per fuzzed argument
        corpus=[[input1], [input2]],
        # Number of threads
        threads_count=8,
        # Exceptions that will be taken into account (a tuple, hence the trailing comma)
        exceptions_whitelist=(OSError,),
        # Exceptions that will not be taken into account
        exceptions_blacklist=(),
        # Directory where the error reports will be stored
        output_directory="./out",
        # Enable or disable silent mode
        silent=False
    )
    f.fuzz()

Risks

Please keep in mind that, similarly to many other computationally intensive tasks, fuzzing may put strain on your hardware and on the OS. In particular:
- Your CPU will run hot and will need adequate cooling. In most cases, if cooling is insufficient or stops working properly, CPU speeds will be automatically throttled. That said, especially when fuzzing on less suitable hardware (laptops, smartphones, etc.), it's not entirely impossible for something to blow up.
- Targeted programs may end up erratically grabbing gigabytes of memory or filling up disk space with junk files. Frelatage tries to enforce basic memory limits, but can't prevent each and every possible mishap. The bottom line is that you shouldn't be fuzzing on systems where the prospect of data loss is not an acceptable risk.
- Fuzzing involves billions of reads and writes to the filesystem. On modern systems, this will usually be heavily cached, resulting in fairly modest "physical" I/O, but there are many factors that may alter this equation. It is your responsibility to monitor for potential trouble; with very heavy I/O, the lifespan of many HDDs and SSDs may be reduced. A good way to monitor disk I/O on Linux is the 'iostat' command:

    $ iostat -d 3 -x -k [...optional disk ID...]

About Me/Hire me

I am Rog3rSm1th, I am 21 years old and I'm a French computer and cybersecurity enthusiast. I like developing tools (OSINT, Fuzzing...) and playing CTFs/Wargames. To learn more about me and my projects, just click here.

➜ If you want to hire me for one of your projects (Programming, cybersecurity...), just contact me at r0g3r5@protonmail.com and we will assess your needs together.

Contact

For any remark, suggestion, bug report, or if you found a bug using Frelatage, you can contact me at r0g3r5@protonmail.com or on Twitter @Rog3rSm1th.

Download Frelatage
http://www.kitploit.com/2022/05/frelatage-python-fuzzer-that-world.html

Findwall - Check If Your Provider Is Blocking You!
FindWall is a Python script that lets you check whether your network provider is limiting your access to the Internet by blocking any TCP/UDP port. In order to perform this check, FindWall needs to connect to a public VPS that you own. FindWall performs the following actions:
- Connects to the VPS via SSH
- Opens a port in listening mode
- Tries to connect to that port from the local machine
- Closes the port

How do you use it?

To use FindWall you just need an account on a public VPS. The account must have root access if you want to test ports in the range 1-1024. The root account is also required to automatically install the tool nc to open ports.

    $ pip install -r requirements
    $ python findwall.py --help
    [FindWall ASCII-art banner]
    usage: findwall.py [-h] --ssh-host SSH_HOST [--ssh-port SSH_PORT] --ssh-username SSH_USERNAME [--ssh-password SSH_PASSWORD] [--ssh-key SSH_KEY] --ports PORTS [--udp] [--threads THREADS]

    Check if someone is blocking you!

    optional arguments:
      -h, --help                    show this help message and exit
      --ssh-host SSH_HOST           Remote host
      --ssh-port SSH_PORT           Remote SSH port
      --ssh-username SSH_USERNAME   Remote SSH username
      --ssh-password SSH_PASSWORD   Remote SSH password
      --ssh-key SSH_KEY             SSH Private key
      --ports PORTS                 Port range to scan (default: 1-1024)
      --udp                         Scan in UDP
      --threads THREADS             Number of threads

As an example:

    $ python findwall.py --ssh-host 172.17.0.2 --ssh-port 22 --ssh-username test --ssh-password test --ports 8000-8010 --threads 3

Download Findwall
http://www.kitploit.com/2022/05/findwall-check-if-your-provider-is.html

Hackers Distribute Vidar Malware By Tricking Users with Fake Windows 11 Downloads
Hackers are tricking users with fake Windows 11 installers loaded with the Vidar info stealer, spreading through newly registered phishing domains. The cybersecurity analysts at security firm Zscaler have detected that malicious ISO files were hosted on the spoofed websites to enable the downloading and installation of the Vidar info-stealer malware on the target computers. […] The post Hackers Distribute Vidar Malware By Tricking Users with Fake Windows 11 Downloads appeared first on GBHackers On Security.
https://gbhackers.com/hackers-distribute-vidar-malware/

How to Optimize Your Database Storage in MySQL
By ghostadmin SQL (structured query language) is a unique programming language for storing, manipulating, and retrieving data from a database.… This is a post from HackRead.com Read the original post: How to Optimize Your Database Storage in MySQL
https://www.hackread.com/how-to-optimize-your-database-storage-in-mysql/

Anonymous Declares Cyber War Against Pro-Russia Hacker Group Killnet
By Waqas The Pro-Russia Hacker Group Killnet recently targeted European institutions, while Anonymous hackers are already claiming to have leaked… This is a post from HackRead.com Read the original post: Anonymous Declares Cyber War Against Pro-Russia Hacker Group Killnet
https://www.hackread.com/anonymous-cyber-warfare-pro-russia-hacker-group-killnet/

Predator Spyware Using Zero-day to Target Android Devices
By Deeba Ahmed Spyware developer firm Cytrox is under Google’s radar for developing exploits against five 0-day flaws in Android and… This is a post from HackRead.com Read the original post: Predator Spyware Using Zero-day to Target Android Devices
https://www.hackread.com/predator-spyware-zero-days-target-android-devices/

ISaPWN – research on the security of ISaGRAF Runtime
This report includes an analysis of the ISaGRAF framework, its architecture, the IXL and SNCP protocols and the description of several vulnerabilities the Kaspersky ICS CERT team had identified.
https://securelist.com/isapwn-research-on-the-security-of-isagraf-runtime/106521/

News from two days ago

Elon Musk deep fakes promote new BitVex cryptocurrency scam
Cryptocurrency scammers are using deep fake videos of Elon Musk and other prominent cryptocurrency advocates to promote a BitVex trading platform scam that steals deposited currency. [...]
https://www.bleepingcomputer.com/news/security/elon-musk-deep-fakes-promote-new-bitvex-cryptocurrency-scam/

PDF smuggles Microsoft Word doc to drop Snake Keylogger malware
Threat analysts have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware. [...]
https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/

Microsoft tests new Windows 11 Desktop search that only works with Edge
Microsoft is testing a new feature in the latest Windows 11 preview build that displays an Internet search box directly on the desktop. The problem is that it does not honor your default browser and only uses Bing and Microsoft Edge instead. [...]
https://www.bleepingcomputer.com/news/microsoft/microsoft-tests-new-windows-11-desktop-search-that-only-works-with-edge/

Google: Predator spyware infected Android devices using zero-days
Google's Threat Analysis Group (TAG) says that state-backed threat actors used five zero-day vulnerabilities to install Predator spyware developed by commercial surveillance developer Cytrox. [...]
https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/

Security Affairs newsletter Round 366 by Pierluigi Paganini
A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs for free in your email box. If you want to also receive for free the newsletter with the international press subscribe here. Asian media company Nikkei suffered a ransomware attack Russia-linked Sandworm continues to conduct attacks against […] The post Security Affairs newsletter Round 366 by Pierluigi Paganini appeared first on Security Affairs.
https://securityaffairs.co/wordpress/131549/breaking-news/security-affairs-newsletter-round-366-by-pierluigi-paganini.html

North Korea-linked Lazarus APT uses Log4J to target VMware servers
North Korea-linked Lazarus APT is exploiting the Log4J remote code execution (RCE) vulnerability in attacks aimed at VMware Horizon servers. North Korea-linked group Lazarus is exploiting the Log4J RCE vulnerability (CVE-2021-44228) to compromise VMware Horizon servers. Multiple threat actors have been exploiting this flaw since January; in January VMware urged customers to patch critical Log4j security vulnerabilities impacting Internet-exposed […] The post North Korea-linked Lazarus APT uses Log4J to target VMware servers appeared first on Security Affairs.
https://securityaffairs.co/wordpress/131483/apt/lazarus-apt-log4j-vmware-servers.html

The Pwn2Own Vancouver 2022: Trend Micro and ZDI awarded $1,155,000
The Pwn2Own Vancouver 2022 hacking contest has ended; Trend Micro and ZDI awarded a total of $1,155,000 for successful attempts! During the third day of the Pwn2Own Vancouver 2022 hacking competition, white hat hackers demonstrated a working exploit against the Microsoft Windows 11 OS. nghiadt12 from Viettel Cyber Security demonstrated an exploit for an escalation of privilege via Integer […] The post The Pwn2Own Vancouver 2022: Trend Micro and ZDI awarded $1,155,000 appeared first on Security Affairs.
https://securityaffairs.co/wordpress/131539/hacking/pwn2own-vancouver-2022-d3.html

RedTeam-Physical-Tools - Red Team Toolkit - A Curated List Of Tools That Are Commonly Used In The Field For Physical Security, Red Teaming, And Tactical Covert Entry
Commonly used tools for Red Teaming Engagements, Physical Security Assessments, and Tactical Covert Entry. In this list I decided to share most of the tools I utilize in authorized engagements, along with my personal ranking of their value based on their usage, for you to consider whether they should be in your toolkit, including where to find some of them; in some cases I also include other alternatives. My goal with this list is to help fellow Red Teamers with a 'checklist' for whenever they might be missing a tool, and to use this list as a reference.

Each entry lists: Tool / Purpose / Usage rating / Where to find / Alternative.

1. Camera with high zoom
   Purpose: Reconnaissance. When gathering intel on your target, and for reporting purposes for your client, you will want to use a reliable camera. With a long-zoom camera, you may be able to check for cameras surrounding the building of your target, spot the location of security guards, and possibly gather info on the locks and perimeter, reducing the odds of being detected.
   Rating: 7/10
   Recommended: Panasonic Lumix FZ-80 60x Camera
   Alternative: If not the Panasonic, you can use others. There are many other good cameras on the market. Try to get one with a decent zoom; any camera with over 30x optical zoom should work just fine.

1.1 Polarized Camera Filters
   Purpose: Reconnaissance. These are a camera's best friend when doing recon. A polarized filter helps remove glare and reflection from things in view, such as windows or a vehicle windshield, allowing the camera to see clearly through them.
   Rating: 10/10
   Recommended: Any polarized filter that fits the lens of your camera.
   Alternatives: N/A.

2. Body Worn Action Camera
   Purpose: Reconnaissance as well as for your own security, in case something happens to you. With all engagements, you need to report everything to your clients. This is where the bodycam helps, by letting you view and replay the engagement and infiltration, as well as allowing you to demonstrate to your clients how the infiltration was performed.
   Rating: 10/10
   Recommended: GoPro cameras or the DJI Osmo Action camera
   Alternatives: There are other cheaper alternative action cameras that can be used; however, the videos may not have the highest quality or best image stabilization, which can make the footage seem wobbly or too dark.

3. Drone with Camera
   Purpose: Mostly reconnaissance. It can be used for scoping the perimeter of a building, seeing its surrounding area, checking for cameras, blind spots, and possible fire escape areas that could potentially be used as an entry point.
   Rating: 1/10. It's not a "must have", but can really come in handy sometimes. It may be of further use if you utilize a "dropping mechanism" to drop malicious USBs or other devices into the target's premises without having to set foot on site.
   Recommended: DJI Mavic Mini 2 or any other drone that fits your budget.
   Alternatives: N/A

4. Two-Way Radios or Walkie Talkies
   Purpose: Communication and intel gathering. You need to be able to communicate efficiently with other members of your team when performing an engagement; plus, using a radio gives you the possibility of listening in on any channels being used by staff or security on the premises, and listening for any valuable information or whether any of your team members has been spotted.
   Rating: 9/10
   Recommended: BaoFeng UV-5R
   Alternatives: An alternative would be to just use cellphones, Bluetooth headsets and a live call; however, with this option you will not be able to listen to local radio chatter. A cell phone serves the purpose of being able to communicate with the client in case of emergency.

5. Reliable flashlight
   Purpose: Self explanatory.
   Rating: 8/10
   Where to find: Amazon, eBay, local hardware store
   Alternatives: If you want to save some money, you can always use the flashlight of your cellphone; however, some phones can't decrease the brightness intensity.

6. Borescope / Endoscope
   Purpose: To perform reconnaissance from under or over the door, take a peek inside and see what is on the other side of the door. It helps to prevent spending time trying to open a door which has nothing important on the other side, or to check for any security measures in place and avoid tripping any of them by accident.
   Rating: 7/10
   Recommended: USB Endoscope Camera
   Alternatives: There are a few other alternatives, varying in price, size, and connectivity.

7. RFID Frequency Detector
   Purpose: This tool is utilized for recon, to determine the frequency of RFID badge readers and what your target is using. Knowing whether it's high or low frequency can help you configure your Proxmark to scan and clone badges. Another benefit of these tools is that they do not trigger any alerts.
   Rating: 6/10
   Recommended: One good benefit of the Dangerous Things RFID Diagnostics Card is that it's the size of a credit card, so it fits perfectly in your wallet for EDC use.
   Alternative: The RFID LF / HF Detector can be used as a keychain.

8. A reliable screwdriver with changeable bits
   Purpose: In some scenarios you may need to modify some of your tools, fix something, or disassemble something.
   Rating: 8/10
   Recommended: Wera Kraftform
   Alternative: Any other screwdriver set will work just fine, ideally a portable kit with different bits.

9. A reliable plier multitool
   Purpose: Same as with the screwdriver set; in some scenarios you may need to modify a tool or fix something.
   Rating: 8/10
   Recommended: Gerber Plier Multitool
   Alternatives: Any reliable multitool of your preference.

10. Gaffer Tape
   Purpose: Self explanatory. You never know when you need to modify a tool on the spot.
   Rating: 8/10
   Recommended (because of its portability): Red Team Tools Gaffer Tape
   Alternatives: There are many other options on Amazon, but they are all larger in size.

11. A reliable 0.025 thin lockpick set
   Purpose: Self explanatory. Can't pick locks without a lockpick set.
   Rating: 10/10
   Recommended: Get a well-known brand with a good reputation and quality products. Some of those are: TOOOL, Sparrows, Southord, Covert Instruments.
   Alternatives: N/A. You do not want a pick breaking inside of a client's lock. Avoid sets of unknown brands from eBay.

12. A reliable 0.018 thin lockpick set
   Purpose: This is very similar to the 0.025 set, but you may also want to carry a thinner 0.018 or 0.015 lockpick set for those locks that have very narrow or thin keyways, so that you are able to insert the picks.
   Rating: 8/10
   Recommended: Get a well-known brand with a good reputation and quality products. Some of those are: TOOOL, Sparrows, Southord, Covert Instruments.
   Alternatives: N/A.

13. Tension bars
   Purpose: One of the most important things for a lockpicker. A good picker knows the value of using good and comfortable tension bars.
   Rating: 10/10
   Recommended: Covert Instruments Ergo Turner Set or Sparrows Flatbars
   Alternatives: There are many other alternatives, varying in sizes and lengths. I strongly recommend having them in varying widths.

14. Warded picks
   Purpose: These are used for picking warded locks.
   Rating: 5/10
   Recommended: Red Team Tools Warded Lock Picks
   Alternative: Sparrows Warded Pick Set

15. Comb picks
   Purpose: These are very useful to open many different Master Locks, as if you were using the key itself.
   Rating: 5/10
   Recommended: Sparrows Comb .45
   Alternatives: Red Team Tools Comb Picks and the Covert Instruments Quad Comb Set

16. Wafer picks
   Purpose: Self explanatory. These are commonly used to pick or rake open wafer locks, which are often seen in office environments.
   Rating: 6/10
   Recommended: Red Team Tools Wafer Picks
   Alternatives: Sparrows Wafer Picks

17. Jigglers
   Purpose: Self explanatory. Jigglers can be used to "jiggle" your way into opening a variety of pin tumbler and wafer locks.
   Rating: 6/10
   Recommended: Red Team Tools Jiggler
   Alternatives: Sparrows Coffin Keys

18. Dimple lockpicks
   Purpose: Self explanatory. For picking dimple locks.
   Rating: 5/10
   Recommended: Sparrows Black Flag
   Alternatives: There are other cheaper, lower-quality brands that can get the job done. Search online for 'klom' or 'goso' dimple picks.

19.
Tubular lockpicks Self explanatory. Its for picking tubular locks. 4/10 Recommended: Red Team Tools Tubular Lockpick Alternative: If you are very skilled at picking, you can go the manual route of tensioning and single pin picking, but it will take a lot longer to open the lock. With the Sparrows Goat Wrench you are able to do so. 20. Disk Pick Self explanatory. For picking disk locks. 4/10 Recommended: Sparrows Disk Pick N/A 21. Lock Lubricant Sometimes you will encounter locks that are a bit difficult to manipulate due to weather and age. Nothing some lock lube couldnt help with. 9/10 Some powdered Graphite gets the job done. N/A 22. Plug spinner This is used in those scenarios where you try to pick open a lock, but you had to spin the core in the opposite direction. This avoids the need of having to pick the lock all over again. 4/10 You can find a plug spinner on Red Team Tools Plug Spinner There are other alternatives from some other brands, which you can find with a few online searches 23. Hinge Pin Removal Tool Well, with some locks its just easier to remove the door. 3/10 Recommended: Red Team Tools Hammerless Hinge Pin Tool Here are some other alternatives: Covert Instruments Hinge Pin Removal Tools 24. PadLock Shims Used for shimming padlocks. 6/10 Recommended: Red Team Tools Padlock Shims 5-Pack Alternative: Sparrows padlock shims 20-pack 25. Combination lock decoders These are used for decoding combination locks. 7/10 Recommended: Covert Instruments Decoder Bundle Alternative: Sparrows Ultra Decoder 26. Commercial door hook or Adams Rite These tools are used to bypass commercial door locks. 4/10 Recommended: Covert Instruments Commercial Door Hook Alternative: Red Team Tools Adams Rite or the Sparrows Adams Rite Tool 27. Lishi Picks IYKYK. 10/10 N/A N/A 28. American Lock Bypass Driver Self explanatory. For Bypassing American Padlocks. 4/10 Recommended: Red Team Tools American Lock Bypass N/A 29. Abus Lock Bypass Driver Self explanatory. 
For Bypassing Abus Padlocks. 4/10 Recommended: Sparrows Abus Lock Bypass N/A 30. Alfa AWUS036ACS 802.11ac One of the smallest USB wifi adapters which allows packet injection. 10/10 Recommended: Alfa AWUS036ACS N/A 41. CANtenna Antenna made out of cans for long range WiFi hacking. 3/10 N/A Yagi Antennas also work the same way. 31. Travelers hook These handy tools are used to manipulate the latches of unproperly installed locks on doors. 10/10 Both Red Team Tools Travelers Hook and Covert Instruments Travelers Hook have it available. N/A 32. Under Door Tool "UDT" One of the best tools for quick covert entry. This is used by slipping it under the door, and pulling down on the locked lever from the inside and opening the door. 10/10 Recommended: Sparrows UDT Alternative: Red Team Tools UDT 33. Camera film Sometimes you dont have enough gap under the door to use a UDT, but you have enough gap over the door. 10/10 Recommended: Red Team Tools Film Canister N/A 34. Loider tool This is similar to the Traveler's Hook tool, but will usually fit in more narrow gaps. 10/10 Recommended: Sparrows Quick Jim Alternative: Red Team Tools Rescue Jim 35. Crash bar tool "DDT" Self explanatory. Fire exits. Crash bar. You know. 7/10 Recommended: Sparrows DDT Alternative: Serepick DDT 36. Deadbolt Thumb Turn tool Tool for turning thumb locks. 7/10 Recommended: Both Covert Instruments J tool and Red Team Tools have it available. N/A 37. Door Latch shims Similar to the Travelers Hook, and the Jim, but for even narrower gaps. 10/10 Recommended: Red Team Tools Door Shims Alternative: Covert Instruments Door Shims 38. Strong Magnet If you've seen the videos of LPL using Magnets, you know what I'm talking about. 6/10 Recommended: Sparrows The Magneto There is also the MagSwitches. Quick search online and you will find them. 39. Bump Keys Self explanatory. 
(I gave it a lower rating than others would, since bumping locks is very loud and I prefer picking) 3/10 Recommended: Sparrows Bump Keys N/A 40. Seattle RAT "SEA-RAT" This is quite heavy, and intended for first responders, and used to break things, but the long blade works as a loider tool for those doors that have a large cover plate. 8/10 Recommended: Seattle Rapid Access Tool Alternative: I've heard of the use of piano wire in these cases, but I have not used it myself. 41. Air Wedge Its used for assistance with creating gap space in door frames, to use with the Travelers hook. 7/10 Recommended: Covert Instruments Air Wedge N/A 42. Can of Compressed Air Used to bypass 'Request To Exit' sensors 10/10 These can be picked up in many local places. N/A 43. Proxmark3 RDV4 One of the best tools to clone and attack RFID. 8/10 Recommended: Red Team Tools Proxmark RDV4 Alternative: Hacker Warehouse Proxmark3 RDV4 44. Devious, Troublesome, Hooligan! This is a set of 'keyed alike' keys, which are used in many things that we encounter on a daily basis. 10/10 Recommended: Hooligan Keys - Devious, Troublesome, Hooligan! N/A 45. Alarm, Panel, other keys Self explanatory. 10/10 Recommended: Ebay - PenTesting Keys N/A 46. Elevator Keys Avoid these unless you know what you are doing. 10/10 Recommended: Sparrows Fire Service Elevator Key Set N/A 47. Rubber Ducky or Bash Bunny These USB devices are used for keystroke injection and payload delivery. 9/10 Recommended: HAK5 USB Rubber Ducky and the HAK5 Bash Bunny Alternatives: The Digispark. 48. DigiSpark Its a cheaper alternative to the Rubber Ducky or the Bash Bunny.Read more. 9/10 No recommended links at the moment, but often found on overseas online sellers. N/A 49. Lan Turtle USB/Ethernet device used for stealth remote attacks. 9/10 HAK5 Lan Turtle N/A 50. Shark Jack Found a Ethernet jack in the wall? Quick Portscan? No problem. 6/10 Recommended: HAK5 Shark Jack N/A 51. Key Croc One of the best keyloggers in the market. 
10/10 Recommended: HAK5 Key Croc N/A 52. Wi-Fi Pineapple Tool used for WiFi security assessments and attacks. 10/10 Recommended: HAK5 WiFi Pineapple N/A 53. O.MG Plug USB implant for attacks over WiFi 9/10 Recommended: HAK5 O.MG Plug N/A 54. ESPKey Used as an RFID implant, for RFID cloning and WiFi attacks. 7/10 Recommended: Red Team Tools ESPKey N/A 55. Pwnagotchi Your EDC WiFi hacking friend. 5/10 Recommended to build. Pwnagotchi Website. N/A 56. Covert Belt This is useful to conceal an extra lockpick set. 6/10 Recommended: Security Travel Money Belt N/A 57. Bogota LockPicks Who hasn't heard of Bogota picks? 10/10 Recommended for EDC: Bogota PI N/A 58. Dog Tag Entry Tool set EDC Bogota dog tag. 1/10 Recommended: Black Scout Survival Dog Tag N/A 59. Sparrows Wallet EDC Kit This is a combination of multiple Sparrows EDC wallet items. 4/10 Recommended: Sparrows Chaos Card; Sparrows Chaos Card: Wary Edition; Sparrows Shimmy Card; Sparrows Flex Pass; Sparrows Orion Card N/A 60. Southord Jackknife Keychain lockpick set. 5/10 Recommended: Southord Jackknife Alternative: The Covert Instruments - Covert Companion 61. Covert Companion A comprehensive kit with multiple tools for multiple needs. 10/10 Recommended: Covert Instruments - Covert Companion N/A 62. Covert Companion Turning Tools Great addition to your Covert Companion, so you do not have to carry or improvise with other tension wrenches. 10/10 Recommended: Covert Instruments - Turning Tools N/A RedTeam-Physical-Tools
http://www.kitploit.com/2022/05/redteam-physical-tools-red-team-toolkit.html

Fb_Friend_List_Scraper - OSINT Tool To Scrape Names And Usernames From Large Friend Lists On Facebook, Without Being Rate Limited
OSINT tool to scrape names and usernames from large friend lists on Facebook, without being rate limited.
Getting started: Install using pip: python -m pip install fb-friend-list-scraper
The script is now installed as fbfriendlistscraper. Run with -h or --help to show usage information.
Usage:
usage: fbfriendlistscraper [-h] -e EMAIL [-p PASSWORD] -u USERNAME [-o OUTFILE] [-w] [-q] [-x] [-s SLEEPMULTIPLIER] [-i PROXY] [-c CMD]
Tool to scrape names and usernames from large friend lists on Facebook, without being rate limited
options:
  -h, --help            show this help message and exit
  -e EMAIL, --email EMAIL
                        Email address or phone number to login with.
  -p PASSWORD, --password PASSWORD
                        Password to login with. If not supplied you will be prompted. You really shouldn't use this for security reasons.
  -u USERNAME, --username USERNAME
                        Username of the user to scrape.
  -o OUTFILE, --outfile OUTFILE
                        Path of the output file. (Default: ./scraped_friends.txt)
  -w, --headless        Run webdriver in headless mode.
  -q, --quiet           Do not print scraped users to screen.
  -x, --onlyusernames   Only the usernames/IDs will be written to the output file.
  -s SLEEPMULTIPLIER, --sleepmultiplier SLEEPMULTIPLIER
                        Multiply sleep time between each page scrape by n. Useful when being easily rate-limited.
  -i PROXY, --proxy PROXY
                        Proxy server to use for connecting. Username/password can be supplied like: socks5://user:pass@host:port
  -c CMD, --cmd CMD     Shell command to run after each page scrape. Useful for changing proxy/VPN exit.
examples:
  fbfriendlistscraper -e your@email.com -p YourPassword123 -u someusername.123 -o my_file.txt
  fbfriendlistscraper --email your@email.com --username another.user --headless -s 2 -x
  fbfriendlistscraper -e your@email.com -u username.johnson -w --proxy socks5://127.0.0.1:9050
  fbfriendlistscraper -e your@email.com -u xxuserxx --headless --cmd "mullvad relay set provider Quadranet"
  fbfriendlistscraper -e your@email.com -u markzuckerburger -w -o ./test.txt --cmd "killall -HUP tor"
NOTE: Facebook changes the markup of its pages regularly, so the script might break from time to time. Please open an issue if something doesn't work and I'll take a look at it. Pull requests are welcome as well.
TODO: Make the script check for followers if the friend list isn't public. Add more error handling. Add proxy rotation.
Download Fb_Friend_List_Scraper
http://www.kitploit.com/2022/05/fbfriendlistscraper-osint-tool-to.html

Ubuntu Desktop & Windows 11 Hacked – Pwn2Own Day 3
After the first and second days, on day 3, three more zero-day exploits were successfully used by security researchers to hack Microsoft's Windows 11 OS on the third and last day of the 2022 Pwn2Own Vancouver hacking contest. Team DoubleDragon's first attempt of the day to exploit Microsoft Teams failed because they […] The post Ubuntu Desktop & Windows 11 Hacked – Pwn2Own Day 3 appeared first on GBHackers On Security.
https://gbhackers.com/ubuntu-desktop-windows-11-hacked-pwn2own-day-3/

News from previous days

Impersonate Local Microsoft Users with msImpersonate
What is msImpersonate? What’s up nerds! Captain AMayorica hooked us up again with another Microsoft… Impersonate Local Microsoft Users with msImpersonate on Latest Hacking News.
https://latesthackingnews.com/2022/05/21/impersonate-local-microsoft-users-with-msimpersonate/

Microsoft Warns About New Sysrv Botnet Variant Attacks Web Servers
Microsoft has once again alerted users about a new Sysrv botnet variant that targets web… Microsoft Warns About New Sysrv Botnet Variant Attacks Web Servers on Latest Hacking News.
https://latesthackingnews.com/2022/05/21/microsoft-warns-about-new-sysrv-botnet-variant-attacks-web-servers/

Serious Command Injection Vulnerability Found In Zyxel Firewalls
Heads up, Zyxel customers! A severe security vulnerability riddled Zyxel firewalls, allowing remote command injection.… Serious Command Injection Vulnerability Found In Zyxel Firewalls on Latest Hacking News.
https://latesthackingnews.com/2022/05/19/serious-command-injection-vulnerability-found-in-zyxel-firewalls/

Reasons Why Everyone Should Use A VPN
If you have ever connected to a public Wi-Fi network but were concerned about your… Reasons Why Everyone Should Use A VPN on Latest Hacking News.
https://latesthackingnews.com/2022/05/19/reasons-why-everyone-should-use-a-vpn/

New Exploit Emerges For A Previously Patched SharePoint Vulnerability
Months after Microsoft patched a remote code execution vulnerability in SharePoint, a new way to… New Exploit Emerges For A Previously Patched SharePoint Vulnerability on Latest Hacking News.
https://latesthackingnews.com/2022/05/19/new-exploit-emerges-for-a-previously-patched-sharepoint-vulnerability/

New Phishing Attack Targets Windows Systems With Three Infostealers
Researchers have found a new phishing campaign in the wild where three different infostealers attack… New Phishing Attack Targets Windows Systems With Three Infostealers on Latest Hacking News.
https://latesthackingnews.com/2022/05/19/new-phishing-attack-targets-windows-systems-with-three-infostealers/

Crypto Trading Safety Tips To Keep In Mind
When searching for the best crypto trading tips, there is always a paragraph to answer… Crypto Trading Safety Tips To Keep In Mind on Latest Hacking News.
https://latesthackingnews.com/2022/05/18/crypto-trading-safety-tips-to-keep-in-mind/

Researchers Find Backdoor in School Management Plugin for WordPress
Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites. The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier CVE-2022-1609 and is rated 10 out of 10 for severity. The backdoor, which is believed to have existed since version 8.9, enables "an
https://thehackernews.com/2022/05/researchers-find-backdoor-in-school.html

Cisco Issues Patch for New IOS XR Zero-Day Vulnerability Exploited in the Wild
Cisco on Friday rolled out fixes for a medium-severity vulnerability affecting IOS XR Software that it said has been exploited in real-world attacks. Tracked as CVE-2022-20821 (CVSS score: 6.5), the issue relates to an open port vulnerability that could be abused by an unauthenticated, remote attacker to connect to a Redis instance and achieve code execution. "A successful exploit could allow
https://thehackernews.com/2022/05/cisco-issues-patches-for-new-ios-xr.html

Microsoft Warns Rise in XorDdos Malware Targeting Linux Devices
A Linux botnet malware known as XorDdos has witnessed a 254% surge in activity over the last six months, according to latest research from Microsoft. The trojan, so named for carrying out denial-of-service attacks on Linux systems and its use of XOR-based encryption for communications with its command-and-control (C2) server, is known to have been active since at least 2014. "XorDdos' modular
https://thehackernews.com/2022/05/microsoft-warns-rise-in-xorddos-malware.html

Cytrox's Predator Spyware Targeted Android Users with Zero-Day Exploits
Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users. "The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched
https://thehackernews.com/2022/05/cytroxs-predator-spyware-target-android.html

Researchers Uncover Rust Supply Chain Attack Targeting Cloud CI Pipelines
A case of software supply chain attack has been observed in the Rust programming language's crate registry that leveraged typosquatting techniques to publish a rogue library containing malware. Cybersecurity firm SentinelOne dubbed the attack "CrateDepression." Typosquatting attacks take place when an adversary mimics the name of a popular package on a public registry in hopes that developers
https://thehackernews.com/2022/05/researchers-uncover-rust-supply-chain.html

Hackers Exploiting VMware Horizon to Target South Korea with NukeSped Backdoor
The North Korea-backed Lazarus Group has been observed leveraging the Log4Shell vulnerability in VMware Horizon servers to deploy the NukeSped (aka Manuscrypt) implant against targets located in its southern counterpart. "The attacker used the Log4j vulnerability on VMware Horizon products that were not applied with the security patch," AhnLab Security Emergency Response Center (ASEC) said in a
https://thehackernews.com/2022/05/hackers-exploiting-vmware-horizon-to.html

Hackers Trick Users with Fake Windows 11 Downloads to Distribute Vidar Malware
Fraudulent domains masquerading as Microsoft's Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware. "The spoofed sites were created to distribute malicious ISO files which lead to a Vidar info-stealer infection on the endpoint," Zscaler said in a report. "These variants of Vidar malware
https://thehackernews.com/2022/05/hackers-trick-users-with-fake-windows.html

QNAP Urges Users to Update NAS Devices to Prevent Deadbolt Ransomware Attacks
Taiwanese network-attached storage (NAS) devices maker QNAP on Thursday warned its customers of a fresh wave of DeadBolt ransomware attacks. The intrusions are said to have targeted TS-x51 series and TS-x53 series appliances running on QTS 4.3.6 and QTS 4.4.1, according to its product security incident response team.  "QNAP urges all NAS users to check and update QTS to the latest version as
https://thehackernews.com/2022/05/qnap-urges-users-to-update-nas-devices.html

New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars
A novel Bluetooth relay attack can let cybercriminals more easily than ever remotely unlock and operate cars, break open residential smart locks, and breach secure areas. The vulnerability has to do with weaknesses in the current implementation of Bluetooth Low Energy (BLE), a wireless technology used for authenticating Bluetooth devices that are physically located within a close range.
https://thehackernews.com/2022/05/new-bluetooth-hack-could-let-attackers.html

7 Key Findings from the 2022 SaaS Security Survey Report
The 2022 SaaS Security Survey Report, in collaboration with CSA, examines the state of SaaS security as seen in the eyes of CISOs and security professionals in today's enterprises. The report gathers anonymous responses from 340 CSA members to examine not only the growing risks in SaaS security but also how different organizations are currently working to secure themselves. Demographics The
https://thehackernews.com/2022/05/7-key-findings-from-2022-saas-security.html

High-Severity Bug Reported in Google's OAuth Client Library for Java
Google last month addressed a high-severity flaw in its OAuth client library for Java that could be abused by a malicious actor with a compromised token to deploy arbitrary payloads. Tracked as CVE-2021-22573, the vulnerability is rated 8.7 out of 10 for severity and relates to an authentication bypass in the library that stems from an improper verification of the cryptographic signature.
https://thehackernews.com/2022/05/high-severity-bug-reported-in-googles.html

Web Trackers Caught Intercepting Online Forms Even Before Users Hit Submit
A new research published by academics from KU Leuven, Radboud University, and the University of Lausanne has revealed that users' email addresses are exfiltrated to tracking, marketing, and analytics domains before such information is submitted and without prior consent. The study involved crawling 2.8 million pages from the top 100 websites, and found that as many as 1,844 websites allowed
https://thehackernews.com/2022/05/web-trackers-caught-intercepting-online.html

VMware Releases Patches for New Vulnerabilities Affecting Multiple Products
VMware has issued patches to contain two security flaws impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks. The first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior
https://thehackernews.com/2022/05/vmware-releases-patches-for-new.html

How to Protect Your Data When Ransomware Strikes
Ransomware is not a new attack vector. In fact, the first malware of its kind appeared more than 30 years ago and was distributed via 5.25-inch floppy disks. To pay the ransom, the victim had to mail money to a P.O. Box in Panama. Fast forward to today, affordable ransomware-as-a-service (RaaS) kits are available on the dark web for anyone to purchase and deploy and attackers have an infinite
https://thehackernews.com/2022/05/how-to-protect-your-data-when.html

Researchers Expose Inner Workings of Billion-Dollar Wizard Spider Cybercrime Gang
The inner workings of a cybercriminal group known as the Wizard Spider have been exposed, shedding light on its organizational structure and motivations. "Most of Wizard Spider's efforts go into hacking European and U.S. businesses, with a special cracking tool used by some of their attackers to breach high-value targets," Swiss cybersecurity company PRODAFT said in a new report shared with The
https://thehackernews.com/2022/05/researchers-expose-inner-working-of.html

Hackers Gain Fileless Persistence on Targeted SQL Servers Using a Built-in Utility
Microsoft on Tuesday warned that it recently spotted a malicious campaign targeting SQL Servers that leverages a built-in PowerShell binary to achieve persistence on compromised systems. The intrusions, which leverage brute-force attacks as an initial compromise vector, stand out for their use of the utility "sqlps.exe," the tech giant said in a series of tweets. The ultimate goals of the
https://thehackernews.com/2022/05/hackers-gain-fileless-persistence-on.html

[eBook] Your 90-Day MSSP Plan: How to Improve Margins and Scale-Up Service Delivery
To cash in on a thriving market, a managed security service provider (MSSP) must navigate unprecedented competition and complex challenges. The good news is that demand is through the roof. 69% of organizations plan to boost spending on cybersecurity in 2022.  The bad news is that everyone wants a piece of the pie. MSSPs must outshine each other while fending off encroachments by traditional IT
https://thehackernews.com/2022/05/ebook-your-90-day-mssp-plan-how-to.html

U.S. Warns Against North Korean Hackers Posing as IT Freelancers
Highly skilled software and mobile app developers from the Democratic People's Republic of Korea (DPRK) are posing as "non-DPRK nationals" in hopes of landing freelance employment in an attempt to enable the regime's malicious cyber intrusions. That's according to a joint advisory from the U.S. Department of State, the Department of the Treasury, and the Federal Bureau of Investigation (FBI)
https://thehackernews.com/2022/05/us-warns-against-north-korean-hackers.html

Microsoft Warns of "Cryware" Info-Stealing Malware Targeting Crypto Wallets
Microsoft is warning of an emerging threat targeting internet-connected cryptocurrency wallets, signaling a departure in the use of digital coins in cyberattacks. The tech giant dubbed the new threat "cryware," with the attacks resulting in the irreversible theft of virtual currencies by means of fraudulent transfers to an adversary-controlled wallet. "Cryware are information stealers that
https://thehackernews.com/2022/05/microsoft-warns-of-cryware-info.html

Russian Conti Ransomware Gang Threatens to Overthrow New Costa Rican Government
The notorious Conti ransomware gang, which last month staged an attack on Costa Rican administrative systems, has threatened to "overthrow" the new government of the country. "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power," the group said on its official website. "We have our insiders in your government. We are also
https://thehackernews.com/2022/05/russian-conti-ransomware-gang-threatens.html

UpdateAgent Returns with New macOS Malware Dropper Written in Swift
A new variant of the macOS malware tracked as UpdateAgent has been spotted in the wild, indicating ongoing attempts on the part of its authors to upgrade its functionalities. "Perhaps one of the most identifiable features of the malware is that it relies on the AWS infrastructure to host its various payloads and perform its infection status updates to the server," researchers from Jamf Threat
https://thehackernews.com/2022/05/updateagent-returns-with-new-macos.html

Domain Persistence: Silver Ticket Attack
Introduction Benjamin Delpy (the creator of mimikatz) introduced the silver ticket attack in Blackhat 2014 in his abusing Kerberos session. Silver tickets are forged service The post Domain Persistence: Silver Ticket Attack appeared first on Hacking Articles.
https://www.hackingarticles.in/domain-persistence-silver-ticket-attack/

A Detailed Guide on Rubeus
Introduction Rubeus is a C# toolkit for Kerberos interaction and abuses. Kerberos, as we all know, is a ticket-based network authentication protocol and is used The post A Detailed Guide on Rubeus appeared first on Hacking Articles.
https://www.hackingarticles.in/a-detailed-guide-on-rubeus/

Process Herpaderping (Mitre:T1055)
Introduction Johnny Shaw demonstrated a defense evasion technique known as process herpaderping in which an attacker is able to inject malicious code into the mapped The post Process Herpaderping (Mitre:T1055) appeared first on Hacking Articles.
https://www.hackingarticles.in/process-herpaderping-mitret1055/

A Detailed Guide on Hydra
Hello! Pentesters, this article is about a brute-forcing tool Hydra. Hydra is one of the favourite tools of security researchers and consultants. Being an excellent The post A Detailed Guide on Hydra appeared first on Hacking Articles.
https://www.hackingarticles.in/a-detailed-guide-on-hydra/

A Detailed Guide on HTML Smuggling
Introduction HTML Smuggling is an evasive payload delivery method that helps an attacker smuggle payload past content filters and firewalls by hiding malicious payloads inside The post A Detailed Guide on HTML Smuggling appeared first on Hacking Articles.
https://www.hackingarticles.in/a-detailed-guide-on-html-smuggling/
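The delivery pattern the guide above describes (payload embedded in the page, reassembled client-side into a Blob and handed to the browser as a download) leaves a recognisable fingerprint in inline scripts. The detector below is an added example written for this digest, not code from the Hacking Articles post or from any product; it looks for that reassembly pattern, decodes the embedded base64 blob and hashes it for triage. The two sample pages, the `PAYLOAD` bytes and the indicator names are constructed for the example.

```python
"""Flag HTML-smuggling pages and recover the embedded payload.

Added example, not code from the page or from the Hacking Articles post.
The technique hides the payload in the page itself (typically a base64
string) and has the browser reassemble it with JavaScript, so no
executable crosses the wire as a download. This detector looks for that
reassembly pattern in inline scripts and decodes the blob for hashing.
Sample pages and payload are constructed.
"""
import base64
import binascii
import hashlib
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")

# Each indicator alone is legitimate; it is the combination that matters.
INDICATORS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "download": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}


def scan_html(html: str) -> dict:
    """Classify a page and, when a base64 blob is present, decode and hash it."""
    body = "\n".join(SCRIPT_RE.findall(html))
    hits = {name: bool(rx.search(body)) for name, rx in INDICATORS.items()}
    literal = max(B64_LITERAL_RE.findall(body), key=len, default=None)
    payload = None
    if literal is not None:
        try:
            payload = base64.b64decode(literal, validate=True)
        except binascii.Error:
            payload = None
    handoff = hits["object_url"] or hits["ms_save_blob"]
    decodes = hits["atob"] or payload is not None
    if hits["blob_ctor"] and handoff and hits["download"] and decodes:
        verdict = "html-smuggling"
    elif hits["blob_ctor"] and handoff and hits["download"]:
        verdict = "blob-download"  # client-side export pattern: review, do not block outright
    else:
        verdict = "none"
    return {
        "verdict": verdict,
        "indicators": sorted(k for k, v in hits.items() if v),
        "payload_size": len(payload) if payload else None,
        "payload_sha256": hashlib.sha256(payload).hexdigest() if payload else None,
        "payload_head": payload[:8] if payload else None,
    }


# Constructed stand-in for a dropped executable: fake DOS header plus filler.
PAYLOAD = b"MZ" + b"\x90" * 62 + b"constructed payload for the detector example\n" * 10
PAYLOAD_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()

# Constructed smuggling page: base64 blob -> atob -> Blob -> object URL -> forced download.
SMUGGLING_HTML = """<html><body><p>Your invoice is being prepared...</p>
<script>
  var b64 = "__B64__";
  var bin = atob(b64);
  var bytes = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  var blob = new Blob([bytes], {type: "application/octet-stream"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.exe";
  document.body.appendChild(a);
  a.click();
</script></body></html>""".replace("__B64__", base64.b64encode(PAYLOAD).decode("ascii"))

# Constructed legitimate CSV export: same Blob/download handoff, no embedded payload.
EXPORT_HTML = """<html><body><button id="csv">Export</button>
<script>
  document.getElementById("csv").onclick = function () {
    var csv = "id,total\\n1,42\\n";
    var blob = new Blob([csv], {type: "text/csv"});
    var a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    a.download = "report.csv";
    a.click();
  };
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("smuggling", SMUGGLING_HTML), ("export", EXPORT_HTML)):
        print(label, scan_html(page))
```

The verdict deliberately separates "html-smuggling" (blob handoff plus an embedded or decoded payload) from "blob-download" (the same handoff with no payload in the page), because client-side CSV and PDF exports use identical APIs; blocking on the Blob pattern alone would break them. Real campaigns also split or XOR the payload across several literals, so treat the base64 regex as one signal, not the only one.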

A Detailed Guide on Medusa
Medusa is intended to be a speedy, parallel and modular login brute-forcer. The goal of…
https://www.hackingarticles.in/a-detailed-guide-on-medusa/

Process Doppelganging (Mitre:T1055.013)
Eugene Kogan and Tal Liberman presented a defense evasion technique called "Process Doppelganging" at Black Hat Europe 2017, and…
https://www.hackingarticles.in/process-doppelganging-mitret1055-013/

Process Hollowing (Mitre:T1055.012)
In July 2011, John Leitch of autosectools.com described a technique he called process hollowing in a whitepaper. Ever since then, many malware…
https://www.hackingarticles.in/process-hollowing-mitret1055-012/

A Detailed Guide on AMSI Bypass
Microsoft developed the Antimalware Scan Interface (AMSI), a standard that lets a developer integrate malware defense into an application. AMSI allows an application to…
https://www.hackingarticles.in/a-detailed-guide-on-amsi-bypass/

A Detailed Guide on Responder (LLMNR Poisoning)
Responder is a widely used tool in penetration test scenarios and can be used by red teamers for lateral movement across the network. The…
https://www.hackingarticles.in/a-detailed-guide-on-responder-llmnr-poisoning/
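A poisoner of the kind the guide above covers answers LLMNR queries for names nobody owns, so asking the link-local multicast group for a random name and receiving an answer is strong evidence that something is spoofing responses. The canary probe below is an added example written for this digest, not code from Hacking Articles or from the Responder project. It builds an RFC 4795 query, parses any reply and decides whether the reply is a forgery; `build_poisoned_answer` is a constructed stand-in for a poisoner's reply so the logic can be checked offline, and `probe()` is the live version. The canary name prefix and the sample IP are assumptions.

```python
"""Detect an LLMNR poisoner with a canary query.

Added example, not code from the page or from the Responder project.
Packet layout follows RFC 4795 (DNS-style header and records sent over
UDP to 224.0.0.252:5355). The forged answer used in the self-test is
constructed here; probe() sends a real canary on the local link.
"""
import socket
import struct
import uuid

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.split(".")) + b"\x00"


def read_name(buf: bytes, off: int):
    """Decode a DNS-style name at `off`, following compression pointers."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # pointer into the packet
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(txid: int, name: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QR=0, C=0, T=0
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_poisoned_answer(query: bytes, attacker_ip: str) -> bytes:
    """Constructed reply of the kind a poisoner sends: echoes the question, adds one A record."""
    (txid,) = struct.unpack("!H", query[:2])
    _, qend = read_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)  # QR=1
    rr = struct.pack("!H", 0xC00C) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 30, 4)
    return header + question + rr + socket.inet_aton(attacker_ip)


def parse_packet(buf: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(buf, off)
        questions.append(name)
        off += 4  # QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def is_poisoned(canary: str, packet: bytes, txid: int) -> bool:
    """True when `packet` is a response to our canary query carrying an A record for it."""
    try:
        p = parse_packet(packet)
    except (struct.error, IndexError, UnicodeDecodeError):
        return False
    if p["id"] != txid or not p["is_response"]:
        return False
    return any(name.lower() == canary.lower() for name, _ in p["answers"])


def probe(timeout: float = 2.0):
    """Send a canary LLMNR query on the local link and collect spoofed answers (live)."""
    canary = "canary-" + uuid.uuid4().hex[:10]  # nobody legitimately owns this name
    txid = uuid.uuid4().int & 0xFFFF
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
        s.settimeout(timeout)
        s.sendto(build_query(txid, canary), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (src, _port) = s.recvfrom(1024)
                if is_poisoned(canary, data, txid):
                    hits.append((src, parse_packet(data)["answers"]))
        except socket.timeout:
            pass
    return canary, hits


if __name__ == "__main__":
    name, responders = probe()
    print("canary", name, "->", responders or "no poisoner answered")
```

Run `probe()` from a host on the segment under test; a legitimate Windows host only answers for its own name, so any answer to the canary is worth an alert with the source address. The same canary idea applies to NBT-NS (UDP 137), which the page's tool also poisons, but the packet format differs and is not covered here.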

Ransomware attack exposes data of 500,000 Chicago students
The Chicago Public Schools has suffered a massive data breach that exposed the data of almost 500,000 students and 60,000 employees after their vendor, Battelle for Kids, suffered a ransomware attack in December. [...]
https://www.bleepingcomputer.com/news/security/ransomware-attack-exposes-data-of-500-000-chicago-students/

Malicious PyPI package opens backdoors on Windows, Linux, and Macs
Yet another malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems. [...]
https://www.bleepingcomputer.com/news/security/malicious-pypi-package-opens-backdoors-on-windows-linux-and-macs/

Windows 11 hacked three more times on last day of Pwn2Own contest
On the third and last day of the 2022 Pwn2Own Vancouver hacking contest, security researchers successfully hacked Microsoft's Windows 11 operating system three more times using zero-day exploits. [...]
https://www.bleepingcomputer.com/news/security/windows-11-hacked-three-more-times-on-last-day-of-pwn2own-contest/

Asian media company Nikkei suffered a ransomware attack
The media company Nikkei has disclosed a ransomware attack and revealed that the incident might have impacted customer data. Nikkei, based in Japan, focuses on business and financial news and publishes the world's largest financial newspaper. This week the company disclosed a security breach: ransomware infected one of its servers at a […]
https://securityaffairs.co/wordpress/131533/data-breach/nikkei-data-breach.html

Russia-linked Sandworm continues to conduct attacks against Ukraine
Security researchers from ESET report that the Russia-linked cyberespionage group Sandworm continues to launch attacks against entities in Ukraine. Sandworm (aka BlackEnergy and TeleBots) has been active since 2000 and operates under the control of Unit 74455 of the Russian GRU's Main Center for […]
https://securityaffairs.co/wordpress/131523/apt/sandworm-attacks-against-ukraine.html

Cisco fixes an IOS XR flaw actively exploited in the wild
Cisco released security updates for a medium-severity vulnerability in IOS XR Software, tracked as CVE-2022-20821 (CVSS score 6.5), that threat actors are actively exploiting in the wild. The flaw resides in […]
https://securityaffairs.co/wordpress/131516/security/cisco-ios-xr-flaw.html

WordPress theme Jupiter patches critical privilege escalation flaw
Users urged to update systems amid reports of active exploitation
https://portswigger.net/daily-swig/wordpress-theme-jupiter-patches-critical-privilege-escalation-flaw

Widespread Swagger-UI library vulnerability leads to DOM XSS attacks
Dozens of bugs reported with a backlog containing hundreds more
https://portswigger.net/daily-swig/widespread-swagger-ui-library-vulnerability-leads-to-dom-xss-attacks

US revises policy regarding Computer Fraud and Abuse Act, will not prosecute good faith research
DoJ makes long-anticipated changes to policy
https://portswigger.net/daily-swig/us-revises-policy-regarding-computer-fraud-and-abuse-act-will-not-prosecute-good-faith-research

Active attacks against VMware flaws prompts emergency update directive
CISA orders US federal agencies to implement patches ASAP
https://portswigger.net/daily-swig/active-attacks-against-vmware-flaws-prompts-emergency-update-directive

Encrypted email service CTemplar announces closure
Privacy-focused service to shut down by the end of the month
https://portswigger.net/daily-swig/encrypted-email-service-ctemplar-announces-closure

Rogue cloud users could sabotage fellow off-prem tenants via critical Flux flaw
Mischief-makers could 'disrupt the availability, integrity and confidentiality' of other tenants
https://portswigger.net/daily-swig/rogue-cloud-users-could-sabotage-fellow-off-prem-tenants-via-critical-flux-flaw

Popular websites leaking user email data to web tracking domains
Data harvested without consent and before forms are submitted in many cases, researchers claim
https://portswigger.net/daily-swig/popular-websites-leaking-user-email-data-to-web-tracking-domains

DevSecOps and cybersecurity skills are top priorities for enterprise IT – report
Transparency and inter-team collaboration key amid escalating threats and compliance requirements
https://portswigger.net/daily-swig/devsecops-and-cybersecurity-skills-are-top-priorities-for-enterprise-it-report

Facebook account takeover: Researcher scoops $40k bug bounty for chained exploit
Youssef Sammouda returns with more Facebook hacks – this time leveraging stolen Google authentication tokens to gain access to social media accounts
https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit

'Eternity malware' offers Swiss Army knife of cybercrime tools
A one-stop shop for data and crypto kleptomaniacs
https://portswigger.net/daily-swig/eternity-malware-offers-swiss-army-knife-of-cybercrime-tools

Medical doctor charged with creating the Thanos ransomware builder
Venezuelan cardiologist allegedly tied to cybercrime scams through multiple OpSec mistakes
https://portswigger.net/daily-swig/medical-doctor-charged-with-creating-the-thanos-ransomware-builder

Firefox debuts improved process isolation to reduce browser attack surface
The goal was Win32k Lockdown – a serious step up in Windows security
https://portswigger.net/daily-swig/firefox-debuts-improved-process-isolation-to-reduce-browser-attack-surface

UK government sits out bug bounty boom but welcomes vulnerability disclosure
Budget constraints limit any immediate ambitions
https://portswigger.net/daily-swig/uk-government-sits-out-bug-bounty-boom-but-welcomes-vulnerability-disclosure

SharePoint RCE bug resurfaces three months after being patched by Microsoft
Deserialization vulnerabilities are hard to fix
https://portswigger.net/daily-swig/sharepoint-rce-bug-resurfaces-three-months-after-being-patched-by-microsoft

Parker Hannifin reveals cyber-attack exposed sensitive data of 119,000 individuals
Data breach involves Social Security numbers and health insurance data, among other information
https://portswigger.net/daily-swig/parker-hannifin-reveals-cyber-attack-exposed-sensitive-data-of-119-000-individuals

Black Hat Asia: 'If democracy is to survive, technology will have to be tamed'
Indian tech policy expert Samir Saran says it's not too late to 'course-correct' after a 'challenging decade' for liberal democracies
https://portswigger.net/daily-swig/black-hat-asia-nbsp-if-democracy-is-to-survive-technology-will-have-to-be-tamed

Brace of Icinga web vulnerabilities 'easily chained' to hack IT monitoring software
Open source IT monitoring system gets patched
https://portswigger.net/daily-swig/brace-of-icinga-web-vulnerabilities-easily-chained-to-hack-it-monitoring-software

Ukrainian hacker jailed for selling account credentials on the dark web
Botnet operator had thousands of hacked credential listings, according to the DoJ
https://portswigger.net/daily-swig/ukrainian-hacker-jailed-for-selling-account-credentials-on-the-dark-web

Marcus Hutchins on halting the WannaCry ransomware attack – 'Still to this day it feels like it was all a weird dream'
Five years since WannaCry exploded onto the scene, ransomware still tops global threat lists
https://portswigger.net/daily-swig/marcus-hutchins-on-halting-the-wannacry-ransomware-attack-still-to-this-day-it-feels-like-it-was-all-a-weird-dream

Researcher stops REvil ransomware in its tracks with DLL-hijacking exploit
Conti, Lockbit, and other prolific ransomware strains apparently have similar vulnerabilities
https://portswigger.net/daily-swig/researcher-stops-revil-ransomware-in-its-tracks-with-dll-hijacking-exploit

Box, Zoom, Google Docs offer phishing boost with 'vanity URL' flaws
Attack technique bypasses email filters and burnishes credibility of phishing links
https://portswigger.net/daily-swig/box-zoom-google-docs-offer-phishing-boost-with-vanity-url-flaws

CyberUK 2022: Global power conflicts creating 'balkanization' of cybersecurity tech
Technology interoperability at risk from wider conflict between China and the West
https://portswigger.net/daily-swig/cyberuk-2022-global-power-conflicts-creating-balkinization-of-cybersecurity-tech

RuTube hack: Russian video platform denies loss of source code following cyber-attack
The 'Russian alternative to YouTube' has been offline since Monday
https://portswigger.net/daily-swig/rutube-hack-russian-video-platform-denies-loss-of-source-code-following-cyber-attack

NIST refreshes software supply chain risk management guidance
'A comprehensive tool that can take you from crawl to walk to run'
https://portswigger.net/daily-swig/nist-refreshes-software-supply-chain-risk-management-guidance

UK government blocked four times as many cyber-scams in 2021 than previous year, CyberUK delegates told
War in Ukraine and ransomware trends top the agenda at this year's NCSC conference
https://portswigger.net/daily-swig/uk-government-blocked-four-times-as-many-cyber-scams-in-2021-than-previous-year-cyberuk-delegates-told

Russia behind cyber-attack on satellite internet network KA-SAT that disrupted Ukrainian infrastructure – EU
Attack took place one hour before Russia invaded Ukraine
https://portswigger.net/daily-swig/russia-behind-cyber-attack-on-satellite-internet-network-ka-sat-that-disrupted-ukrainian-infrastructure-eu

EU targets standardization as key to bloc-wide cyber-resilience
Threat landscape's increasing complexity adds impetus to drive for consistency across 27 member states
https://portswigger.net/daily-swig/eu-targets-standardization-as-key-to-bloc-wide-cyber-resilience

Quantum leap: Biden administration commits to ensuring US leadership in emerging tech
Government sets out plan for post-quantum encryption
https://portswigger.net/daily-swig/quantum-leap-biden-administration-commits-to-ensuring-us-leadership-in-emerging-tech

BIG-IP: Proof-of-concept released for RCE vulnerability in F5 network management tool
Users should patch immediately
https://portswigger.net/daily-swig/big-ip-proof-of-concept-released-for-rce-vulnerability-in-f5-network-management-tool

WordPress sites getting hacked 'within seconds' of TLS certificates being issued
Attackers pounce before site owners can activate the installation wizard
https://portswigger.net/daily-swig/wordpress-sites-getting-hacked-within-seconds-of-tls-certificates-being-issued

UK government calls for tougher protections against malicious mobile apps
NCSC proposes new code of conduct for app stores
https://portswigger.net/daily-swig/uk-government-calls-for-tougher-protections-against-malicious-mobile-apps

Heroku resets user passwords after concluding April cyber-attack ran deep
Hack investigation blames compromised token for breach
https://portswigger.net/daily-swig/heroku-resets-user-passwords-after-concluding-april-cyber-attack-ran-deep

India to introduce six-hour data breach notification rule
Reporting window is 66 hours shorter than that stipulated under the EU's GDPR
https://portswigger.net/daily-swig/india-to-introduce-six-hour-data-breach-notification-rule

Serious Snipe-IT bug exploitable to send password reset email traps
Attackers could use the flaw to steal credentials with no authentication required
https://portswigger.net/daily-swig/serious-snipe-it-bug-exploitable-to-send-password-reset-email-traps

Zero-day bug in uClibc library could leave IoT devices vulnerable to DNS poisoning attacks
Unpatched flaw caused by the predictability of transaction IDs
https://portswigger.net/daily-swig/zero-day-bug-in-uclibc-library-could-leave-iot-devices-vulnerable-to-dns-poisoning-attacks

State Bar of Georgia reels from cyber-attack
Bar suspends website after mystery assault
https://portswigger.net/daily-swig/state-bar-of-georgia-reels-from-cyber-attack

Cryptocurrency: secure or not? – Week in security with Tony Anscombe
When you hear the term 'cryptocurrency', does 'secure' also spring to mind? Here are some implications of the lack of sound security practices in the world of crypto.
https://www.welivesecurity.com/videos/cryptocurrency-secure-not-week-security-tony-anscombe-173/

Sandworm uses a new version of ArguePatch to attack targets in Ukraine
ESET researchers spot an updated version of the malware loader used in the Industroyer2 and CaddyWiper attacks
https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader/

The flip side of the coin: Why crypto is catnip for criminals
Cybercriminals continue to mine for opportunities in the crypto space – here's what you should know about coin-mining hacks and crypto theft
https://www.welivesecurity.com/2022/05/19/flip-side-coin-why-crypto-catnip-criminals/

Fake news – why do people believe it?
In the age of the perpetual news cycle and digital media, the risks that stem from the fake news problem are all too real
https://www.welivesecurity.com/2022/05/18/fake-news-why-people-believe-it/

The downside of 'debugging' ransomware
The decision to release a ransomware decryptor involves a delicate balancing act between helping victims recover their data and alerting criminals to errors in their code
https://www.welivesecurity.com/2022/05/16/downside-debugging-ransomware/

How to spot and avoid a phishing attack – Week in security with Tony Anscombe
Can you spot the tell-tale signs of a phishing attempt and check if an email that has landed in your inbox is legit?
https://www.welivesecurity.com/videos/week-security-tony-anscombe-172/

10 reasons why we fall for scams
The 'it won't happen to me' mindset leaves you unprepared – here are some common factors that put any of us at risk of online fraud
https://www.welivesecurity.com/2022/05/12/10-reasons-why-we-fall-scams/

Opportunity out of crisis: Tapping the Great Resignation to close the cybersecurity skills gap
What can organizations do to capitalize on the current fluidity in the job market in order to bring fresh cybersecurity talent into the fold?
https://www.welivesecurity.com/2022/05/11/opportunity-crisis-tapping-great-resignation-cybersecurity-skills-gap/

Common LinkedIn scams: Beware of phishing attacks and fake job offers
LinkedIn scammers attack when we may be at our most vulnerable – here's what to look out for and how to avoid falling victim to fraud when using the platform
https://www.welivesecurity.com/2022/05/09/common-linkedin-scams-phishing-attacks-fake-job-offers/

Defending against APT attacks – Week in security with Tony Anscombe
The conflict in Ukraine has highlighted the risks of cyberespionage attacks that typically involve Advanced Persistent Threat groups and often target organizations' most valuable data
https://www.welivesecurity.com/videos/week-security-tony-anscombe-171/

There's no sugarcoating it: That online sugar daddy may be a scammer
The bitter truth about how fraudsters dupe online daters in this new twist on romance fraud
https://www.welivesecurity.com/2022/05/05/no-sugarcoating-it-online-sugar-daddy-scammer/

3 most dangerous types of Android malware
Here's what you should know about some of the nastiest mobile malware around – from malicious software that takes phones and data hostage to RATs that allow hackers to control devices remotely
https://www.welivesecurity.com/2022/05/04/3-most-dangerous-types-android-malware/

What's behind the record‑high number of zero days?
Organizations need to get better at mitigating threats from unknown vulnerabilities, especially as both state-backed operatives and financially motivated cybercriminals are increasing their activity
https://www.welivesecurity.com/2022/05/03/whats-behind-the-record-high-number-of-zero-days/

TA410 under the microscope – Week in security with Tony Anscombe
Here's what you should know about FlowingFrog, LookingFrog and JollyFrog, the three teams making up the TA410 espionage umbrella group
https://www.welivesecurity.com/videos/week-security-tony-anscombe-170/

A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity
ESET researchers reveal a detailed profile of TA410: we believe this cyberespionage umbrella group consists of three different teams using different toolsets, including a new version of the FlowCloud espionage backdoor discovered by ESET.
https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/

The trouble with BEC: How to stop the costliest internet scam
BEC fraud generated more losses for victims than any other type of cybercrime in 2021. It's long past time that organizations got a handle on these scams.
https://www.welivesecurity.com/2022/04/26/trouble-bec-how-stop-costliest-scam/

Webcam hacking: How to know if someone may be spying on you through your webcam
Camfecting doesn't 'just' invade your privacy – it could seriously impact your mental health and wellbeing. Here's how to keep an eye on your laptop camera.
https://www.welivesecurity.com/2022/04/25/webcam-hacking-how-know-someone-spying/

Cybersecurity threats to critical infrastructure – Week in security with Tony Anscombe
As the Five Eyes nations warn of attacks against critical infrastructure, we look at the potentially cascading effects of such attacks and how essential systems and services can ramp up their defense
https://www.welivesecurity.com/videos/week-security-tony-anscombe-169/

Critical infrastructure: Under cyberattack for longer than you might think
Lessons from history and recent attacks on critical infrastructure throw into sharp relief the need to better safeguard our essential systems and services
https://www.welivesecurity.com/2022/04/21/critical-infrastructure-cyberattack-longer-think/

Is your Lenovo laptop vulnerable to cyberattack?
Here's what to know about vulnerabilities in more than 100 Lenovo consumer laptop models and what you can do right away to stay safe – all in under three minutes
https://www.welivesecurity.com/videos/is-your-lenovo-laptop-vulnerable-cyberattack/

How can we support young people in harnessing technology for progress?
Young people are not passive victims of technology or helpless addicts. They are technology creators and agents with diverse backgrounds and interests.
https://www.welivesecurity.com/2022/04/20/how-can-we-support-young-people-harnessing-technology-progress/

When “secure” isn't secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops
ESET researchers discover multiple vulnerabilities in various Lenovo laptop models that allow an attacker with admin privileges to expose the user to firmware-level malware
https://www.welivesecurity.com/2022/04/19/when-secure-isnt-secure-uefi-vulnerabilities-lenovo-consumer-laptops/

Week in security with Tony Anscombe
Ukrainian energy provider targeted by Industroyer2 – ESET helps disrupt Zloader botnets – Where do new ideas come from and how are they spread?
https://www.welivesecurity.com/videos/week-security-tony-anscombe-168/

ESET takes part in global operation to disrupt Zloader botnets
ESET researchers provided technical analysis, statistical information, and known command and control server domain names and IP addresses
https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/

Innovation and the Roots of Progress
If you look back at the long arc of history, it's clear that one of the most crucial drivers of real progress in society is innovation
https://www.welivesecurity.com/2022/04/13/innovation-roots-progress/

Industroyer2: Industroyer reloaded
This ICS-capable malware targets a Ukrainian energy company
https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Week in security with Tony Anscombe
Fake e-shops & Android malware – A journey into the dark recesses of the world wide web – Keeping your cloud resources safe
https://www.welivesecurity.com/videos/week-security-tony-anscombe-167/

How secure is your cloud storage? Mitigating data security risks in the cloud
As cloud systems are increasingly the bedrock on which digital transformation is built, keeping a close eye on how they are secured is an essential cybersecurity best practice
https://www.welivesecurity.com/2022/04/07/how-secure-cloud-storage-mitigating-data-security-risks/

Fake e‑shops on the prowl for banking credentials using Android malware
ESET researchers analyzed three malicious applications targeting customers of eight Malaysian banks
https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/

We're going on Tor
If better privacy and anonymity sound like music to your ears, you may not need to look much further than Tor Browser. Here's what it's like to surf the dark web using the browser.
https://www.welivesecurity.com/2022/04/05/were-going-on-tor/

Week in security with Tony Anscombe
Under the hood of Wslink's VM – The energy sector & cyber-risk – SMB cybersecurity survival tips
https://www.welivesecurity.com/videos/week-security-tony-anscombe-166/

Cybersecurity survival tips for small businesses: 2022 edition
How can businesses that lack the resources and technological expertise of large organizations hold the line against cybercriminals?
https://www.welivesecurity.com/2022/04/01/cybersecurity-survival-tips-small-businesses-2022-edition/

Women in tech: Unique insights from a lifelong pursuit of innovation
Leading Slovak computer scientist Mária Bieliková shares her experience working as a woman driving technological innovation and reflects on how to inspire the next generation of talent in tech.
https://www.welivesecurity.com/2022/03/30/women-tech-unique-insights-pursuit-innovation/

Europe's quest for energy independence – and how cyber‑risks come into play
Soaring energy prices and increased geopolitical tensions amid the Russian invasion of Ukraine bring a sharp focus on European energy security.
https://www.welivesecurity.com/2022/03/29/europe-quest-energy-independence-cyber-risks/

Under the hood of Wslink's multilayered virtual machine
ESET researchers describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through its obfuscation techniques.
https://www.welivesecurity.com/2022/03/28/under-hood-wslink-multilayered-virtual-machine/

Week in security with Tony Anscombe
ESET discovers Mustang Panda's Hodur trojan – Crypto malware targeting Android and iOS users alike – Nation-state digital deterrent
https://www.welivesecurity.com/videos/week-security-tony-anscombe-165/

Is a nation‑state digital deterrent scenario so far‑fetched?
Why has the conflict in Ukraine not caused the much anticipated global cyber-meltdown?
https://www.welivesecurity.com/2022/03/24/is-nation-state-digital-deterrent-scenario-so-far-fetched/

Crypto malware in patched wallets targeting Android and iOS devices
ESET Research uncovers a sophisticated scheme that distributes trojanized Android and iOS apps posing as popular cryptocurrency wallets.
https://www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices/

Mustang Panda's Hodur: Old tricks, new Korplug variant
ESET researchers have discovered Hodur, a previously undocumented Korplug variant spread by Mustang Panda, that uses phishing lures referencing current events in Europe, including the invasion of Ukraine.
https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/

Sandworm: A tale of disruption told anew
As the war rages, the APT group with a long résumé of disruptive cyberattacks enters the spotlight again.
https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-anew/

Week in security with Tony Anscombe
ESET Research finds another data wiper in Ukraine – Securing data centers against threats – A cultural divide between the military and Silicon Valley
https://www.welivesecurity.com/videos/week-security-tony-anscombe-164/

Defending the data center: The time to act is now
Cyberattacks against data centers may ultimately be everyone's problem – how prepared are their operators for the heightened risk of cyber-assaults?
https://www.welivesecurity.com/2022/03/18/defending-the-data-center-the-time-to-act-is-now/

US military vs. Silicon Valley – a cultural divide
The US military knows it needs to speed up technology adoption through optimization, something at the heart of Silicon Valley culture.
https://www.welivesecurity.com/2022/03/16/us-military-vs-silicon-valley-cultural-divide/

CaddyWiper: New wiper malware discovered in Ukraine
This is the third time in as many weeks that ESET researchers have spotted previously unknown data wiping malware taking aim at Ukrainian organizations.
https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/

A first look at threat intelligence and threat hunting tools
An overview of some of the most popular open-source tools for threat intelligence and threat hunting.
https://www.welivesecurity.com/2022/03/14/first-look-threat-intelligence-threat-hunting-tools/

Week in security with Tony Anscombe
Gray zone conflicts in cyberspace – Can you identify fake news? – Top cybersecurity threats for the healthcare sector
https://www.welivesecurity.com/videos/week-security-tony-anscombe-163/

ESET Research webinar: How APT groups have turned Ukraine into a cyber‑battlefield
Ukraine has been under cyber-fire for years now – here's what you should know about various disruptive cyberattacks that have hit the country since 2014.
https://www.welivesecurity.com/2022/03/11/eset-research-webinar-apt-groups-ukraine-cyber-battlefield/

True or false? How to spot – and stop – fake news
How can you tell fact from fiction and avoid falling for and spreading falsehoods about the war in Ukraine?
https://www.welivesecurity.com/2022/03/10/true-false-spot-stop-fake-news/

Securing healthcare: An IT health check on the state of the sector
No sector or organization is immune to rapidly escalating threats, but when it comes to healthcare, the stakes couldn't be higher.
https://www.welivesecurity.com/2022/03/09/securing-healthcare-it-health-check-state-sector/

Cyber‑readiness in the face of an escalated gray zone conflict
Organizations worldwide should remain on high alert for cyberattacks as the risk of major cyber-spillover from the crisis in Ukraine continues to loom large.
https://www.welivesecurity.com/2022/03/07/cyber-readiness-face-escalated-gray-zone-conflict/

HackerOne Announces a New Customer Pentest Setup that's More Efficient and Speeds Time to Launch

https://www.hackerone.com/assessments/hackerone-announces-new-customer-pentest-setup-thats-more-efficient-and-speeds-time

Understanding Public and Private Bug Bounties and Vulnerability Disclosure Programs

https://www.hackerone.com/vulnerability-management/understanding-public-and-private-bug-bounties-and-vulnerability-disclosure

What is Attack Resistance Management?
A Security Survey on How to Close Your Organization's Attack Resistance Gap
https://www.hackerone.com/company-news/what-attack-resistance-management

Why HackerOne Acquired Pull Request and What It Means to Our Customers

https://www.hackerone.com/company-news/why-hackerone-acquired-pull-request-and-what-it-means-our-customers

Announcing the Results of the 12-month DIB-VDP Pilot

https://www.hackerone.com/vulnerability-disclosure/announcing-results-12-month-dib-vdp-pilot

How Wix Improves Their Security Posture with Ethical Hackers
Reducing risk is fundamental to Wix's approach to cybersecurity, and as the threat landscape evolves, they turn to HackerOne Bounty to protect their security posture. Since 2018, Wix has invited tens of thousands of ethical hackers worldwide to ensure new and existing features are secure. We recently met with two Wix security team members to learn how they leverage ethical hackers to detect risks before they become threats and how vulnerability insights help strengthen their security posture.
https://www.hackerone.com/customer-stories/how-wix-improves-their-security-posture-ethical-hackers

Announcing the HackerOne 2022 Attack Resistance Report: A Security Survey—How to Close Your Organization's Attack Resistance Gap
Today, HackerOne published The 2022 Attack Resistance Report: A HackerOne Security Survey. Our research revealed an increasing gap—the attack resistance gap—between what organizations can defend and what they need to defend. The gap is the result of four components prevalent across organizations.
https://www.hackerone.com/company-news/announcing-hackerone-2022-attack-resistance-report-security-survey-how-close-your

How Ethical Hackers Help A.S. Watson Address Digital Risk
We recently met with A.S. Watson's Chief Information Security Officer (CISO), Feliks Voskoboynik, to learn how ethical hackers have helped with digital transformation and enabled his team to harden their attack surface. Read on to learn Feliks' advice on including a bug bounty program as part of a security strategy, the lessons ethical hackers have provided, and what best practices he can share with other CISOs.
https://www.hackerone.com/customer-stories/how-ethical-hackers-help-watson-address-digital-risk

Preventing Compromised Password Reuse on HackerOne.com

https://www.hackerone.com/best-practices/preventing-compromised-password-reuse-hackeronecom

Shifting Left with Ethical Hackers: A Q&A with GitLab
Secure applications start with secure code. As organizations deploy code faster than ever, implementing continuous security across the software development lifecycle (SDLC) is critical to building secure products. As a long-time HackerOne Bounty customer, GitLab knows the importance of identifying and addressing bugs as early as possible in the SDLC. We wanted to hear what they had to say about leveraging the human intelligence of ethical hackers to broadly test their attack surface and increase their ability to resist potential threats.
https://www.hackerone.com/bounty/shifting-left-ethical-hackers-qa-gitlab

Donating Bounties to Humanitarian Efforts in Ukraine

https://www.hackerone.com/donating-bounties-humanitarian-efforts-ukraine

Securing Digital Transformation with Vulnerability Disclosure: A Q&A with John Deere CISO, James Johnson
To help fortify security defenses for their customers, dealers, suppliers, and employees, John Deere recently launched a public Vulnerability Disclosure Program (VDP) with HackerOne. HackerOne recently met with James Johnson, CISO at John Deere, to learn why his security team works with ethical hackers to help identify security gaps and increase their product and data security.
https://www.hackerone.com/vulnerability-disclosure/securing-digital-transformation-vulnerability-disclosure-qa-john-deere

The Only Solution That Scales With the Cybersecurity Challenge

https://www.hackerone.com/ceo/only-solution-scales-cybersecurity-challenge

Nine Months into the DIB-VDP Pilot, Nearly 1,000 Valid Vulnerabilities Have Been Identified
With three months left in the 12-month pilot with the Department of Defense's Defense Industrial Base Vulnerability Disclosure Pilot (DOD DIB-VDP Pilot), HackerOne sat down with DC3 to discuss why new DIB companies are joining the pilot and hear why hackers are a critical partner for the DOD.
https://www.hackerone.com/customer-stories/nine-months-dib-vdp-pilot-nearly-1000-valid-vulnerabilities-have-been-identified

The HackerOne Global Top 10—Hacker Expertise, Industry Data, and Up-to-Date Vulnerabilities

https://www.hackerone.com/vulnerability-management/hackerone-global-top-10-hacker-expertise-industry-data-and-date

Log4Shell: Attack Evolution
HackerOne has unique visibility into the global response to Log4Shell, seeing in real time how organizations responded and remediated. Last week HackerOne's CISO Chris Evans and Co-founder Jobert Abma shared findings from our platform.
https://www.hackerone.com/vulnerability-management/log4shell-attack-evolution

Top 5 Takeaways from the 2021 Hacker-Powered Security Report: Industry Insights

https://www.hackerone.com/hacker-powered-security-report/top-5-takeaways-2021-hacker-powered-security-report-industry

CWE [Common Weakness Enumeration] | Why It Is Important
Are you wondering about CWE? We explain CWE (Common Weakness Enumeration) and why this community-based initiative is essential in cybersecurity
https://www.hackerone.com/vulnerability-management/cwe-common-weakness-enumeration-why-it-important

Log4j Vulnerability Activity on the HackerOne Platform
This post is about the severe and widespread Log4j vulnerability. It gives a technical overview of the vulnerability, mitigations HackerOne has put in place to protect our platform and customers, and the related vulnerability submission activity HackerOne is seeing on its platform.
https://www.hackerone.com/vulnerability-management/log4j-vulnerability-activity-hackerone-platform

Common Vulnerability Scoring System [CVSS] | A Complete Explanation
Were you wondering about the Common Vulnerability Scoring System (CVSS)? We explain what CVSS is, why it is important, and show how to prioritize vulnerabilities based on their score.
https://www.hackerone.com/vulnerability-management/common-vulnerability-scoring-system-cvss-complete-explanation

How Hackers Help Organizations Face New Attack Vectors and Build Stronger Security Programs
The risk of cyberattacks grows every day. But there is an essential defensive step that organizations can take: hacker-powered security programs.
https://www.hackerone.com/security-event/how-hackers-help-organizations-face-new-attack-vectors-and-build-stronger-security

Vulnerability Management | A Complete Guide and Best Practices
We explain what vulnerability management is and why it matters, and we give a step-by-step guide to implementing a vulnerability management process.
https://www.hackerone.com/vulnerability-management/vulnerability-management-complete-guide-and-best-practices

Securing the Supply Chain by Working With Ethical Hackers
Software supply chain attacks increasingly create concern among cybersecurity experts as these exploits are becoming more common. But solving the problem has left organizations scrambling for an answer because supply-chain security management is inherently complex.
https://www.hackerone.com/vulnerability-management/securing-supply-chain-working-ethical-hackers

TikTok Celebrates One Year of Bug Bounty
As part of an ongoing commitment to proactive cybersecurity, TikTok celebrated its one-year anniversary of HackerOne bug bounty by thanking (via video, of course!) 150+ hackers from around the globe who have helped them identify and resolve more than 225 vulnerabilities. They also share insights into assets in scope, their commitment to transparency, and their best-in-class payout and response time metrics.
https://www.hackerone.com/customer-stories/tiktok-celebrates-one-year-bug-bounty

Bug Bounty Platforms [Best Choices For a Bug Bounty Program]
Are you wondering about bug bounty platforms? We explain what a bug bounty platform is and how it can help you run a successful bug bounty program.
https://www.hackerone.com/vulnerability-management/bug-bounty-platforms-best-choices-bug-bounty-program

How Elastic Attracts and Retains Top Hackers Without Offering the Highest Bounties
Skilled hackers are the foundation of an effective bug bounty program. But how can you ensure your program attracts top hackers and keeps them engaged?
https://www.hackerone.com/how-elastic-attracts-and-retains-top-hackers-without-offering-highest-bounties

How Hackers Can Strengthen Cloud Security for Applications
In this session at our 5th annual global cybersecurity conference, HackerOne's Tim Matthews sat down with Josh Bressers, Tech Lead of Product Security at Elastic, to discuss cloud security for applications. They focused on the challenges around cloud security and the role of hacker-powered defensive efforts. Josh's organization, Elastic, is the leading enterprise search company with expertise in building self-managed services for search, logging, security, and analytics use cases.
https://www.hackerone.com/ethical-hacker/how-hackers-can-strengthen-cloud-security-applications

What Is a Bug Bounty? Should You Offer One? And How To Do It

https://www.hackerone.com/vulnerability-management/what-bug-bounty-should-you-offer-one-and-how-do-it

Bug Bounty vs. VDP | Which Program Is Right for You?
We explain bug bounty programs and Vulnerability Disclosure Programs (VDPs), their pros and cons, and how each can help your organization.
https://www.hackerone.com/vulnerability-management/bug-bounty-vs-vdp-which-program-right-you

How to Use Bug Bounty Program Data to Improve Security and Development
Bug bounty program data tells a story—but which story? Tracking program metrics can help organizations identify issues, spot opportunities, and take corrective actions. To do this, stakeholders must know which metrics to track and how to interpret the results.
https://www.hackerone.com/vulnerability-management/how-use-bug-bounty-program-data-improve-security-and-development

DOD's DIB-VDP Pilot Hits Six Month Milestone
Six months into the 12-month pilot with the Department of Defense's Defense Industrial Base Vulnerability Disclosure Pilot (DOD DIB-VDP Pilot), HackerOne sat down with key stakeholders from the DIB-VDP Pilot to discuss the program's success to date, the Federal Government's strategy for working with hackers, and to hear about some of the most impactful vulnerabilities discovered to date.
https://www.hackerone.com/customer-stories/dods-dib-vdp-pilot-hits-six-month-milestone

Vulnerability Disclosure | What's the Responsible Solution?
Curious about vulnerability disclosure? We explain what it is, why there may be friction between the researcher and the organization, and possible solutions.
https://www.hackerone.com/vulnerability-disclosure/vulnerability-disclosure-whats-responsible-solution

Jedox's Journey with HackerOne: A Q&A with CTO, Vladislav Maličević
Jedox secures their cloud - and their customers - with HackerOne Assessments and HackerOne Bounty. Read this blog to learn how they're creating a best-in-class cybersecurity program thanks to ethical hackers.
https://www.hackerone.com/best-practices/jedoxs-journey-hackerone-qa-cto-vladislav-malicevic

DevSecOps: Bridging the Gap Between Security and Development
Organizations that rely on developing secure, functional products understand the value of increased collaboration between security and development teams. Tighter partnerships between the two teams can allow organizations to deliver better, safer products faster, but how can this work in the real world?
https://www.hackerone.com/security-event/devsecops-bridging-gap-between-security-and-development

What's a Vulnerability Disclosure Program & Do You Need One?
Are you wondering about Vulnerability Disclosure Programs (VDPs)? Here's why you need one, and instructions on starting one or improving your current process.
https://www.hackerone.com/vulnerability-disclosure/whats-vulnerability-disclosure-program-do-you-need-one

How Trustpilot Manages Risk by Working with Ethical Hackers
At our 2021 Security@ conference, we spoke with Stu Hirst, CISO at consumer review site Trustpilot. Trustpilot's mission is to create an independent currency of trust between consumers and businesses, and cybersecurity plays a central role.
https://www.hackerone.com/bounty/how-trustpilot-manages-risk-working-ethical-hackers

Bug Bounty Benefits | Why You Need a Bug Bounty Program
We explain how a bug bounty program identifies vulnerabilities, discuss the program's benefits, and detail its challenges.
https://www.hackerone.com/bounty/bug-bounty-benefits-why-you-need-bug-bounty-program

Navigating a Safe, Successful Return to Office: 5 Tips for Security Leaders
Security leaders have a lot on their plates in these later stages of the continuing COVID-19 pandemic. In a 2021 survey by Gartner, over three-quarters (76%) of respondents reported increased demand for new digital products or services during the pandemic — and 83% expected this demand to continue to increase. This imperative for transformation has been coming straight from the top: 69% of boards report accelerating digital business initiatives in response to COVID-19.
https://www.hackerone.com/company-news/navigating-safe-successful-return-office-5-tips-security-leaders

Vulnerability Remediation | A Step-by-Step Guide
Are you wondering about vulnerability remediation? We give you a step-by-step guide to addressing vulnerabilities in your system.
https://www.hackerone.com/vulnerability-remediation-step-step-guide

How Hackers—the Best Kept Secret in Cybersecurity—Can Help Your Organization Protect its Assets and Improve Security
Last week, HackerOne held its fifth annual one-of-a-kind global Security@ conference featuring the best-kept secret in cybersecurity—hackers.
https://www.hackerone.com/ethical-hacker/how-hackers-best-kept-secret-cybersecurity-can-help-your-organization-protect-its

The Top 5 Cloud Security Risks: How Hacker-Powered Security Can Help
Widespread digital transformation means increased cloud security risk. Learn how human intelligence—hacker-powered security—can help your organization defend against new attack vectors, mitigate risk, and improve cloud security.
https://www.hackerone.com/application-security/top-5-cloud-security-risks-how-hacker-powered-security-can-help

Time to Issue Your Own Cyber Executive Order

https://www.hackerone.com/from-the-ceo/time-issue-your-own-cyber-executive-order

Vulnerability Testing | Best Techniques for Assessing Risks
Curious about vulnerability testing techniques? We explain processes such as vulnerability assessments, vulnerability scanning, and penetration testing.
https://www.hackerone.com/vulnerability-management/vulnerability-testing-best-techniques-assessing-risks

How Hacker-Powered Security Can Help Security Teams Become More Data-Driven

https://www.hackerone.com/vulnerability-management/how-hacker-powered-security-can-help-security-teams-become-more-data

Vulnerability Assessment Tools [Top Tools & What They Do]
Are you curious about the best vulnerability assessment tools? We detail some of the popular tools, what they do, and their pros and cons.
https://www.hackerone.com/vulnerability-management/vulnerability-assessment-tools-top-tools-what-they-do

Hacker-Powered Security and DeFi: How Human Intelligence Improves Cryptocurrency Security
Over the last year, DeFi has grown significantly with billions of dollars of cryptocurrency locked into blockchain contracts. With this growth comes increased risk and DeFi funds are lucrative targets for malicious actors. Learn how a HackerOne hacker helps protect DeFi funds and mitigate this risk.
https://www.hackerone.com/ethical-hacker/hacker-powered-security-and-defi-how-human-intelligence-improves-cryptocurrency

HackerOne Announces Hacker-Powered Cloud Security Capabilities for AWS Customers
HackerOne announces new capabilities for AWS customers looking to improve security in their cloud applications. These include vulnerability pentests specific to AWS environments, an AWS Security Hub integration for fast, effective security actions, and AWS Certified hackers. AWS customers can now identify and fix vulnerabilities quickly and develop a better understanding of their cloud application security profile.
https://www.hackerone.com/penetration-testing/hackerone-announces-hacker-powered-cloud-security-capabilities-aws-customers

How a New HackerOne Integration with AWS Security Hub Accelerates Vulnerability Remediation Time
HackerOne announced an integration with AWS Security Hub that exchanges vulnerability findings and streamlines workflows to accelerate security actions. The integration consolidates and routes vulnerability intelligence from HackerOne to AWS Security Hub, delivering greater visibility into crucial gaps that could lead to a cyberattack.
https://www.hackerone.com/company-news/how-new-hackerone-integration-aws-security-hub-accelerates-vulnerability-remediation

The DOD Improves Their Security Posture Through the DIB-VDP
One of the primary missions of the Defense Counterintelligence and Security Agency (DCSA) is to provide critical technology protection to the Defense Industrial Base (DIB). Given the recent increase in cyber incidents affecting the DIB, DCSA views the DIB-VDP Pilot as a promising way to identify and stop attempts at stealing our Nation's secrets.
https://www.hackerone.com/vulnerability-disclosure/dod-improves-their-security-posture-through-dib-vdp

Hyatt's Bug Bounty Program Update: Q&A with Senior Analyst Robert Lowery
Hyatt's three-year-old bug bounty program has reached a significant milestone: 0,000 in bounties paid to hackers. As the first organization in the hospitality industry to embrace hacker-powered security, Hyatt's milestone today demonstrates its long-term commitment to setting the highest standard for cybersecurity. We sat down with Robert Lowery, Senior Analyst at Hyatt, to learn more about the history of Hyatt's bug bounty program and their most recent 0,000 milestone. Read on to see what Robert shared on how the knowledge of the global security researcher community helps Hyatt reduce risk, enable security improvements, and ultimately, deliver on their promise to care for employees, guests, and shareholders alike so they can be their best.
https://www.hackerone.com/bounty/hyatts-bug-bounty-program-update-qa-senior-analyst-robert-lowery

Why security transparency makes for good corporate governance

https://www.hackerone.com/resources/wistia-webinars/blackhat-marten-mickos

One Month of Learnings from Flo Health's Bug Bounty Program: A Q&A with CISO, Leo Cunningham

https://www.hackerone.com/vulnerability-management/one-month-learnings-flo-healths-bug-bounty-program-qa-ciso-leo-cunningham

Vulnerability Assessment | A Complete Guide

https://www.hackerone.com/vulnerability-management/vulnerability-assessment-i-complete-guide

What We Can Learn From Recent Ransomware Attacks

https://www.hackerone.com/vulnerability-management/what-we-can-learn-recent-ransomware-attacks

How to Use HackerOne and PagerDuty to Identify When Vulnerabilities Need Action

https://www.hackerone.com/vulnerability-management/how-use-hackerone-and-pagerduty-identify-when-vulnerabilities-need-action

What Are Bug Bounties? How Do They Work? [With Examples]

https://www.hackerone.com/vulnerability-management/what-are-bug-bounties-how-do-they-work-examples

How the Industry's First Hacker-Powered API Helps Hackers Automate Workflows

https://www.hackerone.com/application-security/how-industrys-first-hacker-powered-api-helps-hackers-automate-workflows

How HackerOne Positively Influences Zebra's Software Development Life Cycle

https://www.hackerone.com/vulnerability-management/zebra-secure-development-lifecycle

Bug Bounty vs. CTF [Understanding Differences & Benefits]
Trying to understand the difference between a bug bounty vs. CTF? We explain the differences, the similarities, and the benefits of each.
https://www.hackerone.com/community-blog/bug-bounty-vs-ctf-understanding-differences-benefits

Bug Bounty vs. Penetration Testing: Differences Explained

https://www.hackerone.com/penetration-testing/bug-bounty-vs-penetration-testing-differences-explained

HackerOne in DevSecOps

https://www.hackerone.com/vulnerability-disclosure/hackerone-devsecops

What is Vulnerability Scanning? [And How to Do It Right]

https://www.hackerone.com/vulnerability-management/what-vulnerability-scanning-and-how-do-it-right

How HackerOne and GitHub Now Work Better Together

https://www.hackerone.com/vulnerability-management/how-hackerone-and-github-now-work-better-together

Citrix's Hacker-Powered Security Growth Plan: Q&A with Abhijith Chandrashekar

https://www.hackerone.com/vulnerability-management/citrixs-hacker-powered-security-growth-plan-qa-abhijith-chandrashekar

How Hackers Can Help Reduce Your Organization's Application Risk on AWS

https://www.hackerone.com/vulnerability-management/how-hackers-can-help-reduce-your-organizations-application-risk-aws

What Is Penetration Testing? How Does It Work Step-by-Step?

https://www.hackerone.com/penetration-testing/what-penetration-testing-how-does-it-work-step-step

60 Days of Insights from the DOD's Defense Industrial Base Vulnerability Disclosure Program Pilot

https://www.hackerone.com/vulnerability-management/60-days-insights-dods-defense-industrial-base-vulnerability-disclosure

Announcing Hack the Army 3.0 Results: A Conversation with Defense Digital Service, U.S. Army, and Hack the Army 3.0's Top Hacker

https://www.hackerone.com/blog/announcing-hack-army-30-results-conversation-defense-digital-service-us-army-and-hack-army

Build a Resilient Security Posture with Vulnerability Intelligence and Cybersecurity Ratings

https://www.hackerone.com/vulnerability-management/build-resilient-security-posture-vulnerability-intelligence-and

Hack Hard. Have Fun. Increase Security

https://www.hackerone.com/community-blog/hack-hard-have-fun-increase-security

How Digital Transformation Changes an Organization's Security Challenges

https://www.hackerone.com/vulnerability-management/how-digital-transformation-changes-organizations-security-challenges

Microsoft Says: Russian SolarWinds Hackers Hit U.S. Government Agencies Again

https://www.hackerone.com/vulnerability-management/microsoft-says-russian-solarwinds-hackers-hit-us-government-agencies-again

Spotlight on the Server-Side
Server-side request forgery (or SSRF) vulnerabilities are particularly dangerous because they can lead to total system compromise. Discover where they're most common, explore real-world examples, and learn prevention tips from hackers.
https://www.hackerone.com/application-security/spotlight-server-side

5 Secrets of a Mature Vulnerability Management Program from Costa Coffee and Priceline
During HackerOne's recent series of webinars, we caught up with Matt Southworth, CISO of Priceline, and Matt Adams, Global Security Architect at Costa Coffee, to learn their 5 secrets to building a highly effective vulnerability management program.
https://www.hackerone.com/vulnerability-management/5-secrets-mature-vulnerability-management-program

A Security Engineer and Hacker Share Their Experiences with Security Assessments
A few weeks ago, HackerOne and PortSwigger teamed up to shine a light on the innovative ways that customers and security analysts are scaling risk assessments. Read on for key learnings.
https://www.hackerone.com/ethical-hacker/security-engineer-and-hacker-share-their-experiences-security-assessments

Saxo Bank Celebrates One Year of Bug Bounties: Q&A with CISO Mads Syska Hasling

https://www.hackerone.com/vulnerability-management/saxo-bank-celebrates-one-year-bug-bounties-qa-ciso-mads-syska-hasling

How HackerOne Helps the Vulnerability Management Process
HackerOne sees vulnerability management as a process combining software tools and security analyst actions to reduce risk. In many cases, successful vulnerability management requires a joint effort between security operations, who find vulnerabilities, and IT operations, who are responsible for fixing, or patching, them.
https://www.hackerone.com/vulnerability-management/how-hackerone-helps-vulnerability-management-process

Reddit's Bug Bounty Program Kicks Off: Q&A with Reddit's Allison Miller and Spencer Koch, and Top Program Hacker @RENEKROKA
HackerOne sat down with Reddit's CISO and VP of Trust, resident Security Wizard, and top hacker to discover the secrets to Reddit's bug bounty success, explore their goals and key results, delve into how they use hackers to scale security across software development, and gain a unique perspective about what it's like to hack one of the world's leading social networks.
https://www.hackerone.com/application-security/reddits-bug-bounty-program-kicks-qa-reddits-allison-miller-and-spencer-koch

Security@ 2021 Call for Speakers is Open
HackerOne's global hacker-powered security conference, Security@, is back for its fifth year. This year's virtual event will take place September 20, 2021. The call for speakers is now open! You have until May 15, 2021, to submit your talk.
https://www.hackerone.com/company-news/security-2021-call-speakers-open

The Rise of IDOR
Insecure Direct Object References (or IDOR) is a simple bug that packs a punch. Discover where they're most common, explore real-world examples, and learn prevention tips from hackers.
https://www.hackerone.com/company-news/rise-idor
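The IDOR teaser above names the bug class but not the check that closes it. What follows is an added example, not code from the HackerOne post or from any program it mentions: a hypothetical invoice endpoint with the missing ownership check beside the fixed version, plus the id-walking probe a tester uses to show the difference. The invoice store, user names and function names are all constructed for this example.

```python
"""Added example (not from the linked HackerOne post): an IDOR in a small
invoice endpoint, and the object-level authorization check that closes it.
The data store, user names and handler names are constructed."""

# Constructed sample data: invoice id -> record. Ids are sequential, so a
# user who sees their own id can guess their neighbours' ids.
INVOICES = {
    101: {"owner": "alice", "amount": 120},
    102: {"owner": "bob", "amount": 75},
    103: {"owner": "carol", "amount": 310},
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_invoice_vulnerable(user, invoice_id):
    """IDOR: the record is fetched by the client-supplied id alone.

    Authentication tells us who `user` is, but nothing ties the lookup to
    them, so any logged-in user can read any invoice by changing the id.
    """
    return INVOICES[invoice_id]


def get_invoice_fixed(user, invoice_id):
    """Same lookup with an authorization check bound to the object.

    One exception covers both "does not exist" and "not yours", so the
    endpoint cannot be used to enumerate which ids are valid.
    """
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != user:
        raise Forbidden(f"invoice {invoice_id} is not readable by {user}")
    return record


def can_read(handler, user, invoice_id):
    """True if `handler` returns the record to `user`, False if it refuses."""
    try:
        handler(user, invoice_id)
        return True
    except (KeyError, Forbidden):
        return False


def readable_owners(handler, user, candidate_ids):
    """Walk a range of ids as one user and report whose data came back.

    This is the probe that proves an IDOR: with the vulnerable handler every
    owner shows up; with the fixed handler only the caller's own records do.
    """
    owners = set()
    for invoice_id in candidate_ids:
        if can_read(handler, user, invoice_id):
            owners.add(handler(user, invoice_id)["owner"])
    return owners


if __name__ == "__main__":
    ids = range(100, 106)
    print("vulnerable:", sorted(readable_owners(get_invoice_vulnerable, "alice", ids)))
    print("fixed:     ", sorted(readable_owners(get_invoice_fixed, "alice", ids)))
```

The fix lives in the data access path rather than in a route-level role check, because the question an IDOR asks is not "may this user call this endpoint" but "may this user see this particular object".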

PayPal is our Virtual Pal
A recap of HackerOne's second virtual live hacking event, held with event partner PayPal, sharing experiences from the event.
https://www.hackerone.com/vulnerability-management/paypal-our-virtual-pal

Commerce Giant Shopify Kicks Off 2021 with HackerOne (Virtual) Live Hacking Event: h1-2102
HackerOne's first virtual live hacking event of the year kicked off with Shopify in January 2021. Read this blog post to learn more about how Shopify builds relationships with hackers through live events like h1-2102, and find out who the award winners are.
https://www.hackerone.com/community-blog/commerce-giant-shopify-kicks-2021-hackerone-virtual-live-hacking-event-h1-2102

The Rise of Misconfiguration and Supply Chain Vulnerabilities
The vulnerability of supply chains has been top of mind since the SolarWinds attack, which still dominates headlines, but last week's Singtel breach also reflects the rise of breaches triggered by misconfiguration vulnerabilities.
https://www.hackerone.com/vulnerability-management/rise-misconfiguration-and-supply-chain-vulnerabilities

2020 Hacker Community Year in Review
From CTFs to virtual live hacking events and more, check out this recap of the initiatives HackerOne hosted for the hacker community in 2020.
https://www.hackerone.com/community-blog/2020-hacker-community-year-review

Announcing The Hacker of The Hill

https://www.hackerone.com/ethical-hacker/announcing-hacker-hill

5 Learnings From A Conversation With OP Financial Group's CISO And @mrtuxracer
On 20 January, HackerOne's CEO, Marten Mickos, sat down for a chat with European hacker Julien Ahrens, a.k.a. @mrtuxracer, and Teemu Ylhäisi, CISO at OP Financial Group. The discussion ranged from the recent SolarWinds attacks to the best way to prevent phishing. Here are our top takeaways from the webinar.
https://www.hackerone.com/application-security/5-learnings-conversation-op-financial-groups-ciso-and-mrtuxracer

LINE on Securing the Application Development Lifecycle with Bug Bounties
HackerOne has a large hacker community and the platform necessary to operate LINE's bug bounty program. By using HackerOne's platform and welcoming the community, LINE can increase operational efficiency. Through the partnership with HackerOne, we can share new bugs and learn from the vulnerability trends on the Platform while also getting a guide that helps us create a successful bug bounty program.
https://www.hackerone.com/application-security/line-securing-application-development-lifecycle-bug-bounties

What Years of AWS Hacking Tells Us About Building Secure Apps
Years of AWS bug bounties have exposed SSRF vulnerabilities, misconfigurations, and dangling DNS records. What can we learn from these vulnerabilities about mitigating risk?
https://www.hackerone.com/application-security/what-years-aws-hacking-tells-us-about-building-secure-apps
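Both the "Spotlight on the Server-Side" entry above and this AWS entry point at SSRF without showing a defence. What follows is an added example that is not code from either HackerOne post or from AWS: a fail-closed validator for URLs an application fetches on a user's behalf, which rejects the 169.254.169.254 instance-metadata endpoint and every other non-public address whether it appears as a literal IP in the URL or behind a hostname. The DNS table, hostnames and function names are constructed so the example runs offline.

```python
"""Added example (not from the linked HackerOne posts): a fail-closed check
for user-supplied URLs that a server will fetch. The resolver table and
hostnames are constructed stand-ins so the code runs without network."""
import ipaddress
from urllib.parse import urlparse

# Constructed resolver table standing in for socket.getaddrinfo().
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],   # a name pointing at the metadata IP
    "intranet.example": ["10.0.0.5"],           # RFC 1918 space
}

ALLOWED_SCHEMES = {"http", "https"}


def fake_resolve(hostname):
    """Offline stand-in for DNS: returns every address a name maps to."""
    return FAKE_DNS.get(hostname.lower(), [])


def is_public_address(addr):
    """True only for addresses routable on the public internet.

    Rejects RFC 1918 space, loopback, link-local (which covers the
    169.254.169.254 instance-metadata endpoint), multicast, reserved and
    unspecified addresses, for both IPv4 and IPv6.
    """
    ip = ipaddress.ip_address(addr)
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def validate_fetch_url(url, resolve=fake_resolve):
    """Return (True, ip) if `url` may be fetched, else (False, reason).

    Every address the host maps to must be public, and a host that does not
    resolve is rejected rather than passed through to the HTTP client.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname          # lower-cased, IPv6 brackets stripped
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        addrs = resolve(host)      # a name: check every address it maps to
    if not addrs:
        return False, f"{host!r} did not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host!r} maps to non-public address {addr}"
    return True, addrs[0]


if __name__ == "__main__":
    for candidate in (
        "https://example.com/report",
        "http://169.254.169.254/latest/meta-data/",
        "http://metadata.internal/",
        "http://[::1]/",
        "ftp://example.com/",
    ):
        print(candidate, "->", validate_fetch_url(candidate))
```

In production the resolver is socket.getaddrinfo, and the address that was checked must be the address the HTTP client actually connects to (resolve once and connect by IP with the Host header set, or pin the client's resolver), because a name that passes validation can be re-pointed at an internal address between the check and the fetch. Redirects need the same check on every hop, and IMDSv2's token requirement is a second layer on the AWS side, not a substitute for this one.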

Grab Celebrates 5 Years on HackerOne
"Just five years ago, leading rideshare, food delivery, and payments company Grab became one of the first companies in Southeast Asia to implement a hacker-powered security program. In just three years Grab became one of the Top 20 bug bounty programs on HackerOne worldwide."
https://www.hackerone.com/company-news/grab-celebrates-5-years-hackerone

HackerOne Policies Update
HackerOne's Policies Received Updates - check them out now!
https://www.hackerone.com/company-news/hackerone-policies-update

The World's Largest Live Hacking Event
HackerOne and The Paranoids partnered to bring you the largest live hacking event in the world
https://www.hackerone.com/community-blog/worlds-largest-live-hacking-event

Quantifying Risk: How do you measure success in security?
When your job is all about avoiding costly incidents and mistakes, it's hard to put a dollar value on your work. At HackerOne's recent Security@ conference, Slack and Hyatt's CISOs sat down for a chat about their challenges and the hacks they use to quantify risk:
https://www.hackerone.com/application-security/quantifying-risk-how-do-you-measure-success-security

12 Days of Hacky Holidays CTF

https://www.hackerone.com/ethical-hacker/12-days-hacky-holidays-ctf

VDPs are at the Heart of the Australian Cyber Security Centre's Recommendations

https://www.hackerone.com/vulnerability-management/vdps-are-heart-australian-cyber-security-centres-recommendations

HackerOne Joins AWS Marketplace as Cloud Vulnerabilities Rise
HackerOne reveals the most common and critical vulnerabilities found in cloud infrastructure and announces its debut in AWS Marketplace.
https://www.hackerone.com/application-security/hackerone-joins-aws-marketplace-cloud-vulnerabilities-rise

Announcing the HackerOne Brand Ambassadors
Announcing the first group of Hacker Brand Ambassadors who will lead hackers in their local area.
https://www.hackerone.com/community-blog/announcing-hackerone-brand-ambassadors

US Government Mandates Vulnerability Disclosure for IoT

https://www.hackerone.com/vulnerability-management/us-government-mandates-vulnerability-disclosure-iot

Announcing new leaderboards: More ways to engage, compete and win

https://www.hackerone.com/ethical-hacker/announcing-new-leaderboards-more-ways-engage-compete-and-win

HackerOne is Excited to Launch Triage Ratings for Customers and Hackers

https://www.hackerone.com/application-security/hackerone-excited-launch-triage-ratings-customers-and-hackers

NIST Overhauls “Security and Privacy Controls” and Emphasizes VDP as a Best Practice

https://www.hackerone.com/security-compliance/nist-overhauls-security-and-privacy-controls-and-emphasizes-vdp-best-practice

Snap's Security Team on Nearly 6 Years of Collaborating with Hackers

https://www.hackerone.com/vulnerability-management/snaps-security-team-nearly-6-years-collaborating-hackers

Organizations Paid Hackers $23.5 Million for These 10 Vulnerabilities in One Year
HackerOne report reveals cross-site scripting, improper access control, and information disclosure top list of most common and impactful vulnerabilities
https://www.hackerone.com/ethical-hacker/organizations-paid-hackers-235-million-these-10-vulnerabilities-one-year

HackerOne Expands Integrations Ecosystem to Connect and Defend Customers

https://www.hackerone.com/vulnerability-management/hackerone-expands-integrations-ecosystem-connect-and-defend-customers

HackerOne Integrates with ServiceNow to Streamline Vulnerability Lifecycle Management
We're excited to announce our integration with ServiceNow Incident Management. This integration allows customers to escalate vulnerability reports with ServiceNow incidents and synchronize any updates in the vulnerability workflow that happen in ServiceNow or HackerOne.
https://www.hackerone.com/vulnerability-management/hackerone-integrates-servicenow-streamline-vulnerability-lifecycle

AT&T Celebrates $1 Million Awarded to Hackers in One Year
AT&T recently celebrated its first anniversary on HackerOne, passing $1 million in payouts to more than 850 researchers worldwide. Read on to learn more about their program and successes over the last year.
https://www.hackerone.com/ethical-hacker/att-celebrates-1-million-awarded-hackers-one-year

Introducing the 4th Annual Hacker-Powered Security Report

https://www.hackerone.com/ethical-hacker/introducing-4th-annual-hacker-powered-security-report

H1-2010 FAQs
FAQs from HackerOne's biggest virtual live hacking event with The Paranoids from Verizon Media, H1-2010.
https://www.hackerone.com/company-news/h1-2010-faqs

Vulnerability Disclosure is Now Mandatory for Federal Agencies - Here's How to Make it Happen

https://www.hackerone.com/vulnerability-management/vulnerability-disclosure-now-mandatory-federal-agencies-heres-how-make-it

Smartsheet Celebrates One Year with HackerOne
To mark Smartsheet's one-year anniversary with HackerOne, we sat down with Nolan Gibb, Information Security Engineer at Smartsheet, to discuss how bug bounties enable his team to scale and collaborate with software developers to create more secure products.
https://www.hackerone.com/vulnerability-management/smartsheet-celebrates-one-year-hackerone

HackerOne Rolls Out Pentest Review System for Customers and Pentesters

https://www.hackerone.com/penetration-testing/hackerone-rolls-out-pentest-review-system-customers-and-pentesters

Are Election Hacking Fears Driving Voters To The Polls?
If people fear that the American electoral infrastructure could be hacked, will they withhold their votes in November? Not according to research commissioned by HackerOne.
https://www.hackerone.com/company-news/are-election-hacking-fears-driving-voters-polls

Become a HackerOne Brand Ambassador
Announcing the Hacker Brand Ambassador Program: lead hackers in your city, get exclusive perks, further your career.
https://www.hackerone.com/company-news/become-hackerone-brand-ambassador

National University of Singapore Taps Students to Hack for Good
In an inaugural InterUni Bug Bounty Challenge jointly organized by the National University of Singapore (NUS) and Singapore Management University (SMU) from 12 August to 9 September 2020, students and staff from the two universities will get to hone their hacking skills by looking for vulnerabilities (or 'bugs') across the digital assets of their respective universities in exchange for monetary rewards, or bounties. To kick off the InterUni Bug Bounty Challenge, we sat down with NUS Chief Information Technology Officer Tommy Hor to learn more about the Challenge, why cybersecurity is so important to educational institutions like NUS, and more.
https://www.hackerone.com/ethical-hacker/national-university-singapore-taps-students-hack-good

Recap of h@cktivitycon 2020
HackerOne's first-ever hacker conference, h@cktivitycon, streamed on Twitch from Friday, July 31st to August 1st, 2020, is recapped in this blog post.
https://www.hackerone.com/ethical-hacker/recap-hcktivitycon-2020

Adobe and HackerOne Celebrate Five Years of Continued Collaboration
To celebrate five years with HackerOne, we sat down with Adobe's Senior Security Program Manager Pieter Ockers to discuss how their program has evolved over the last five years and the role that hacker-powered security, both bug bounties and response programs, plays in their overall security strategy.
https://www.hackerone.com/company-news/adobe-and-hackerone-celebrate-five-years-continued-collaboration

COVID Confessions of a CISO
The COVID-19 crisis has shifted life online. As companies rush to meet remote work requirements and customer demands for digital services, attack surfaces have dramatically expanded, leaving security teams stretched thin and not staffed to cope. HackerOne dug into this concept to identify COVID-19 impacts on security and business. Read on for our findings.
https://www.hackerone.com/company-news/covid-confessions-ciso

Human vs. Machine: Three-Part Virtual Series on the Human Element of AppSec

https://www.hackerone.com/ethical-hacker/human-vs-machine-three-part-virtual-series-human-element-appsec

Securing video streaming in sub-Saharan Africa
Maintaining a video streaming service across the whole of Africa is challenge enough, without the added pressure of potential security issues. Showmax turns to hackers to secure their customer data and protect the security of their shows and movies.
https://www.hackerone.com/application-security/securing-video-streaming-sub-saharan-africa

Security@ 2020 Call for Speakers is Open
HackerOne's global hacker-powered security conference, Security@, is back for its fourth year. This year's virtual event will take place October 20-22, 2020. The call for speakers is now open! You have until August 21, 2020, to submit your talk.
https://www.hackerone.com/company-news/security-2020-call-speakers-open

Costa Coffee prepares for global expansion with bug bounty program
As the coffee chain prepares for global expansion, Costa Coffee joins the likes of Hyatt, Deliveroo, and Zomato in launching its first private bug bounty program. Costa Coffee will shore up its digital defenses using the combined expertise and experience of HackerOne's hacker community.
https://www.hackerone.com/application-security/costa-coffee-prepares-global-expansion-bug-bounty-program

A Warm Welcome To Our New SVP of Customer Success
We are delighted to announce that Amanda Berger — former Chief Customer Officer at Lucidworks — has joined HackerOne as our new SVP of Customer Success. In this article, Amanda introduces herself and shares what she hopes to achieve at HackerOne.
https://www.hackerone.com/company-news/warm-welcome-our-new-svp-customer-success

Pentesting basics video series launched on Hacker101
Learn the basics of pentesting to further your career and develop core competencies required in one of the hottest job markets in cybersecurity: Penetration testing.
https://www.hackerone.com/ethical-hacker/pentesting-basics-video-series-launched-hacker101

Cybersecurity Vendor Consolidation: Securing More with Less
Discover how hacker-powered security solutions can help identify the gaps and consolidate point-solution tools into a single platform for easier management and measured ROI.
https://www.hackerone.com/company-news/cybersecurity-vendor-consolidation-securing-more-less

Visma's Ioana Piroska on Securing the Development Lifecycle Through Bug Bounties
Having recently taken their bug bounty program public, we caught up with Visma Security Analyst Ioana Piroska about the program's results so far and Visma's plans for the future.
https://www.hackerone.com/application-security/vismas-ioana-piroska-securing-development-lifecycle-through-bug-bounties

Pentesting Beyond Compliance: A Tool to Improve Your Security Posture

https://www.hackerone.com/penetration-testing/pentesting-beyond-compliance-tool-improve-your-security-posture

What Juneteenth Means at HackerOne

https://www.hackerone.com/company-news/what-juneteenth-means-hackerone

Reputation, Signal & Impact Calculation Enhancements
Reputation, Signal and Impact changes and how this will affect hacker stats going forward.
https://www.hackerone.com/ethical-hacker/reputation-signal-impact-calculation-enhancements

Mail.ru Group pays out over $1 million in bounties

https://www.hackerone.com/ethical-hacker/mailru-group-pays-out-over-1-million-bounties

Mayonaise Joins The Ranks of The Seven-Figure-Earning Hackers
Congratulations to @mayonaise, the ninth hacker to earn $1 Million hacking for good on the HackerOne platform! Read on for more about his unique approach, focus, and journey to being one of the top hackers in the world.
https://www.hackerone.com/ethical-hacker/mayonaise-joins-ranks-seven-figure-earning-hackers

Celebrating Pride at HackerOne

https://www.hackerone.com/company-news/celebrating-pride-hackerone

Announcing the PlayStation Bug Bounty Program
Today, PlayStation launched a public bug bounty program on HackerOne because the security of their products is a fundamental part of creating amazing experiences for the PlayStation community. Read on to learn more about their program, bounties, and more.
https://www.hackerone.com/application-security/announcing-playstation-bug-bounty-program

What to Look For in a Penetration Testing Company
Penetration testing is one of the most widely used techniques to comply with security regulations and protect network and computing systems and users. Hacker-powered penetration tests are emerging as a more cost-effective way to harden applications. With HackerOne Challenge, selected hackers from our community are invited to find vulnerabilities in your systems, and you only pay for the verified vulnerabilities found.
https://www.hackerone.com/vulnerability-management/what-look-penetration-testing-company

Juneteenth: HackerOne's Day for Action

https://www.hackerone.com/company-news/juneteenth-hackerones-day-action

Scaling & Prioritizing Product Security with Zendesk
In a recent virtual roundtable, we sat down with Scott Reed, Senior Manager of Product Security at Zendesk, to discuss how they incorporate bug bounties throughout their product security strategy and scaling security at a high-growth organization. Take a look at some of the highlights of our conversation below.
https://www.hackerone.com/application-security/scaling-prioritizing-product-security-zendesk

How does Pentesting fit into your overall security strategy?
As digital technologies and data transform the way business gets done, a cybersecurity strategy is fundamental in helping your company save time and money while protecting your brand. How should organizations think about penetration testing within their overall security strategy?
https://www.hackerone.com/penetration-testing/how-does-pentesting-fit-your-overall-security-strategy

h1-2006 CTF
h1-2006 CTF Winner Announcement
https://www.hackerone.com/ethical-hacker/h1-2006-ctf

Crowdsourcing Racial Justice and Equality

https://www.hackerone.com/company-news/crowdsourcing-racial-justice-and-equality

There is no room for racism or inequality here.
At HackerOne we say No to racism. We are here to democratize opportunity across the world. We believe in the aspirations and possibilities of every human being. Hacker-powered security is proof that by working together across all boundaries we accomplish what otherwise would remain unachievable.
https://www.hackerone.com/ceo/there-no-room-racism-or-inequality-here

100 Hacking Tools and Resources
As part of our $100 Million in bounties celebration, we want to share a list of 100 tools and resources that will help hackers continue hacking!
https://www.hackerone.com/ethical-hacker/100-hacking-tools-and-resources

The Journey in Data: HackerOne Hits $100 Million in Bounties
Yesterday, hackers on HackerOne hit a major milestone: they have earned a total of $100 million in bounties over the past 8 years, with nearly half in the past year alone! Let's take a look at some of the numbers that have taken us to the $100 million milestone.
https://www.hackerone.com/ethical-hacker/journey-data-hackerone-hits-100-million-dollars-bounties

Thanks For Being Part Of The Journey to $100 Million in Bounties!
Reaching $100 Million in bounties is a reason to celebrate what this community has achieved. It also gave us a chance to reflect on the journey to this point and the enduring values that will get us to the next milestone.
https://www.hackerone.com/ethical-hacker/thanks-being-part-journey-100-million-bounties

$100 Million Paid - One Billion in Sight for Hackers
Today we celebrate with all our hackers the phenomenal milestone of a hundred million dollars in bounties. Hack for Good! Yet we should know that we are only getting going. The digital world is not safe and secure yet. Much more work awaits us. We have one hundred million more bugs to find.
https://www.hackerone.com/ceo/100-million-paid-one-billion-sight-hackers

10 Ways to Hack Your “New Normal” Workweek
As a company inspired by hackers, HackerOne is taking this unique time to hack our programs to provide our people with additional support to ensure the wellbeing of all Hackeronies and their families. Here's a peek at the fun programs and perks we've implemented at HackerOne based on input from our people.
https://www.hackerone.com/company-news/10-ways-hack-your-new-normal-workweek

How Federal Agencies Use Vulnerability Disclosure Policies to Level Up Security

https://www.hackerone.com/vulnerability-management/how-federal-agencies-use-vulnerability-disclosure-policies-level-security

Security by the People: Announcing HackerOne's FedRAMP Authorization
Since 2016, we've been proud to help secure critical U.S. Department of Defense and GSA applications. As we achieve FedRAMP Tailored Authorization, we are excited to expand this important work.
https://www.hackerone.com/vulnerability-management/security-people-announcing-hackerones-fedramp-authorization

Stay Ahead of Threats With Hacker-Powered Retesting
Introducing Hacker-Powered Retesting! Retesting is designed to scale with capabilities to keep your critical assets safe from increasingly sophisticated attacks.
https://www.hackerone.com/vulnerability-management/stay-ahead-threats-hacker-powered-retesting

PayPal on Creating Strong Relationships with Security Researchers

https://www.hackerone.com/application-security/paypal-creating-strong-relationships-security-researchers

Hackers take on San Francisco for the 4th Year in a Row
HackerOne hosted its first flagship event of the year with Verizon Media in San Francisco.
https://www.hackerone.com/ethical-hacker/hackers-take-san-francisco-4th-year-row

Shopify Celebrates 5 Years on HackerOne

https://www.hackerone.com/vulnerability-management/shopify-celebrates-5-years-hackerone

Hackweek: An insider's look at HackerOne culture

https://www.hackerone.com/ethical-hacker/hackweek-insiders-look-hackerone-culture

Slack Increases Bounty Minimums For the Next 90 Days

https://www.hackerone.com/application-security/slack-increases-bounty-minimums-next-90-days

Live Hacking Goes Virtual

https://www.hackerone.com/ethical-hacker/live-hacking-goes-virtual

Hack for Good: Easily Donate Bounties to WHO's COVID-19 Response Fund
Collaboration and bounty splitting have been possible for years, and now you can easily donate bounties by adding the user “hackforgood” as a collaborator to a report submission on HackerOne.
https://www.hackerone.com/ethical-hacker/hack-good-easily-donate-bounties-whos-covid-19-response-fund

Six years of the GitHub Security Bug Bounty program

https://www.hackerone.com/application-security/six-years-github-security-bug-bounty-program

Live hacking the U.S. Air Force, UK Ministry of Defence and Verizon Media in Los Angeles at h1-213
HackerOne hosted its final flagship live hacking event of 2019 in Los Angeles, CA.
https://www.hackerone.com/ethical-hacker/live-hacking-us-air-force-uk-ministry-defence-and-verizon-media-los-angeles-h1-213

My Career Just Got Hacked: Rana Robillard Joins HackerOne

https://www.hackerone.com/my-career-just-got-hacked-rana-robillard-joins-hackerone

Live Hacking Events | 2019 Recap and the Road Ahead
A look at where we've been and where we're going in 2020...
https://www.hackerone.com/ethical-hacker/live-hacking-events-2019-recap-and-road-ahead

Confessions of European CISOs
Ever wondered what's been keeping your CISO up at night? Well, wonder no more. We did some research to find out what worries European CISOs who are tasked with shoring up their digital infrastructure.
https://www.hackerone.com/company-news/confessions-european-cisos

LINE Security Bug Bounty Program Report 2019

https://www.hackerone.com/application-security/line-security-bug-bounty-program-report-2019

Congratulations, Cosmin! The world's seventh million-dollar bug bounty hacker
The ranks of seven-figure-earning hackers have now risen to eight. Meet @inhibitor181 — the world's seventh million-dollar bug bounty hacker.
https://www.hackerone.com/ethical-hacker/congratulations-cosmin-worlds-seventh-million-dollar-bug-bounty-hacker

Dropbox bug bounty program has paid out over $1,000,000

https://www.hackerone.com/ethical-hacker/dropbox-bug-bounty-program-has-paid-out-over-1000000

Hyatt Celebrates its First Anniversary on HackerOne

https://www.hackerone.com/vulnerability-management/hyatt-celebrates-its-first-anniversary-hackerone

#AndroidHackingMonth: Introduction to Android Hacking by @0xteknogeek

https://www.hackerone.com/ethical-hacker/androidhackingmonth-intro-to-android-hacking

Guess what's coming!? #AndroidHackingMonth on @Hacker0x01
February is Android Hacking Month! That means new resources, new CTFs, and, of course, swag. Learn more about how to get involved.
https://www.hackerone.com/ethical-hacker/AndroidHackingMonth

h1-415 CTF Winners Announced!
Thanks to all who participated in our #h1415 CTF, and congratulations to our winners @p4fg and @manoelt! Here's how it went down.
https://www.hackerone.com/ethical-hacker/h1-415-ctf-winners-announced

InnoGames Models Avatar After Top Ethical Hacker
Kevin Heseler, Security Engineer at InnoGames, tells us how InnoGames leverages its bug bounty program to secure its games, and the unique approach it has taken to rewarding its most valuable hacker with their very own avatar in the "Forge of Empires" game.
https://www.hackerone.com/ethical-hacker/innogames-models-avatar-after-top-ethical-hacker

Why Every Federal Agency Needs a VDP

https://www.hackerone.com/vulnerability-management/why-every-federal-agency-needs-vdp

GitLab Celebrates Awarding $1 Million in Bounties to Hackers on HackerOne
Today, GitLab announced that they have awarded $1 million in bounties to hackers on HackerOne. To learn more about the open-source tool's security strategy and commitment to transparency, we sat down with security managers James Ritchey and Ethan Strike. Read on for a glimpse into our conversation.
https://www.hackerone.com/vulnerability-management/gitlab-celebrates-awarding-1-million-bounties-hackers-hackerone

HackerOne Launches Bug Bounty Program for Kubernetes
The Cloud Native Computing Foundation (CNCF) today launched the Kubernetes bug bounty program on HackerOne. The Kubernetes bug bounty program is yet another layer of security assurance that will reward researchers who find vulnerabilities in the container orchestration system. Bounties will range from 0 to ,000. All reports will be thoroughly investigated by the Kubernetes Product Security Committee, a set of security-minded Kubernetes community volunteers.
https://www.hackerone.com/application-security/hackerone-launches-bug-bounty-program-kubernetes

Hacking for Good

https://www.hackerone.com/ceo/hacking-good

This Season, Give the Gift of Data-Driven Insight

https://www.hackerone.com/company-news/season-give-gift-data-driven-insight

Using Bug Bounty Talent Pools to Attract and Maintain Top Talent

https://www.hackerone.com/vulnerability-management/using-bug-bounty-talent-pools-attract-and-maintain-top-talent

Transparency Builds Trust
Someone called it a “breach,” and the world took notice. Here is the story.
https://www.hackerone.com/vulnerability-management/transparency-builds-trust

How Bug Bounties Help You Shift Left

https://www.hackerone.com/application-security/how-bug-bounties-help-you-shift-left

HackerOne is a 2019 Cyber Catalyst Designated Cybersecurity Solution

https://www.hackerone.com/application-security/hackerone-2019-cyber-catalyst-designated-cybersecurity-solution

8 High-impact Bugs and How HackerOne Customers Avoided a Breach: SQL Injection

https://www.hackerone.com/security-compliance/8-high-impact-bugs-and-how-hackerone-customers-avoided-breach-sql-injection

How the Risk-Averse DoD Learned to Stop Worrying and Love the Hackers

https://www.hackerone.com/vulnerability-management/how-risk-averse-dod-learned-stop-worrying-and-love-hackers

The World's Elite Hackers Share Tips and Insights

https://www.hackerone.com/ethical-hacker/worlds-elite-hackers-share-tips-and-insights

LINE Launches Public Bug Bounty Program: Q&A with Security Engineer Robin Lunde
Today, after three successful years running an independent bug bounty program, LINE launched a public bug bounty program on HackerOne. To learn more about the popular messaging app's security strategy and commitment to the hacker community, we sat down with security engineers Robin Lunde, Koh You Liang and Keitaro Yamazaki. Read on for a glimpse into our conversation.
https://www.hackerone.com/application-security/line-launches-public-bug-bounty-program-qa-security-engineer-robin-lunde

Supporting the Source: Why HackerOne is Upgrading its Free Tools for Open Source
Open source software powers HackerOne. As part of our mission to make the internet safer, we want to make it easier for your open source project to remain secure, so we're joining GitHub Security Lab. Read on for more on why we're joining, new free offerings for open source projects from HackerOne, and new open source targets for hackers from GitHub and HackerOne.
https://www.hackerone.com/vulnerability-management/supporting-source-why-hackerone-upgrading-its-free-tools-open-source

Announcing Program Audit Log
As our customers' security teams grow, it's important for us to sustain their growth with new features. Today we're announcing the Program Audit Log. It enables customers to audit important actions that were taken in their program, such as permission updates, new members, bounty rewards, and program settings. Read on for more!
https://www.hackerone.com/vulnerability-management/announcing-program-audit-log

Reducing Risk With a Bug Bounty Program

https://www.hackerone.com/application-security/reducing-risk-bug-bounty-program

U.S. Department of Defense VDP Wins Prestigious 2019 DoD Chief Information Officer Award
On Nov. 3, 2019 in the Pentagon Auditorium, the DoD Cyber Crime Center (DC3) Vulnerability Disclosure Program (VDP) was awarded the 2019 DoD Chief Information Officer (CIO) award for Cybersecurity. Over the past three years, the VDP on HackerOne has processed more than 11,000 vulnerabilities discovered by researchers within DoD's public facing websites.
https://www.hackerone.com/vulnerability-management/us-department-defense-vdp-wins-prestigious-2019-dod-chief-information

8 High-Impact Bugs and How HackerOne Customers Avoided a Breach: Information Disclosure

https://www.hackerone.com/security-compliance/8-high-impact-bugs-and-how-hackerone-customers-avoided-breach-information

Scaling Security: From Startup to Unicorn

https://www.hackerone.com/application-security/scaling-security-startup-unicorn

Why Laurie Mercer Became a Security Engineer at HackerOne

https://www.hackerone.com/company-news/why-laurie-mercer-became-security-engineer-hackerone

Security@ Fireside Chat: Insights from Phil Venables of Goldman Sachs

https://www.hackerone.com/vulnerability-management/security-fireside-chat-insights-phil-venables-goldman-sachs

Keynote with Phil Venables of Goldman Sachs

https://www.hackerone.com/vulnerability-management/keynote-phil-venables-goldman-sachs

Q&A with HackerOne's New Vice President, APAC, Attley Ng

https://www.hackerone.com/company-news/qa-hackerones-new-vice-president-apac-attley-ng

Lowering Your Pentesting Fees with HackerOne

https://www.hackerone.com/penetration-testing/lowering-your-pentesting-fees-hackerone

Slack Increases Minimum Bounties for High and Critical Bugs for 30 Days
Over the past five years, Slack and HackerOne have established a partnership and commitment to ensure Slack's platform is secure for its over 12 million daily active users. To build on this momentum and engage top researchers from the HackerOne community, Slack is increasing its minimum bounties for High and Critical findings to 00 and 00 respectively for a limited time. Read on to learn more!
https://www.hackerone.com/application-security/slack-increases-minimum-bounties-high-and-critical-bugs-30-days

8 High-Impact Bugs and How HackerOne Customers Avoided a Breach: Privilege Escalation

https://www.hackerone.com/security-compliance/8-high-impact-bugs-and-how-hackerone-customers-avoided-breach-privilege

HackerOne Congratulates the Department of Defense on 11K Vulnerability Reports

https://www.hackerone.com/vulnerability-management/hackerone-congratulates-department-defense-11k-vulnerability-reports

Through a Hacker's Eyes: Recapping h1-604
For the first time ever, a hacker writes a live hacking recap blog, highlighting what it is like to attend a live event. Katie (@InsiderPhD) gives a first-person narrative of h1-604. From seeing a bear for the first time to collaborating closely with peers, Katie covers all the adventures of heading to Vancouver, Canada to hunt bugs.
https://www.hackerone.com/ethical-hacker/through-hackers-eyes-recapping-h1-604

Tell Your Hacker Story with the Redesigned Profile Pages

https://www.hackerone.com/ethical-hacker/tell-your-hacker-story-redesigned-profile-pages

3 Ways Hacker-Powered Security Helps the Agile CISO

https://www.hackerone.com/3-ways-hacker-powered-security-helps-agile-ciso

More Than Bounty: Beating Burnout with Hacker-Powered Security

https://www.hackerone.com/more-bounty-beating-burnout-hacker-powered-security

Breaking Down the Benefits of Hacker-Powered Pentests

https://www.hackerone.com/breaking-down-benefits-hacker-powered-pentests

PayPal Celebrates Its First Anniversary on HackerOne
It's been a year since PayPal transitioned its Bug Bounty program to HackerOne. During that time, PayPal has paid out more than .5 million in bounties to the hacker community. In this post Ray Duran, manager of PayPal's Bug Bounty team, reflects on PayPal's journey, shares some exciting changes to the program and discusses what's to come.
https://www.hackerone.com/vulnerability-management/paypal-celebrates-its-first-anniversary-hackerone

GitLab: Reducing the time to payout and a bug bounty anniversary contest
In just nine months since going public, GitLab's bug bounty program has seen substantial contributions from the HackerOne community. Since going public, researchers have submitted 1016 reports and GitLab has paid out 5,000 in bounties. Leading up to the one-year anniversary of GitLab's public program, they've changed their bounty payout timeline based on hacker feedback, are spotlighting some of their top contributors, and have launched a contest open to all! Check it out.
https://www.hackerone.com/vulnerability-management/gitlab-reducing-time-payout-and-bug-bounty-anniversary-contest

Announcing the Security@ San Francisco 2019 Agenda
The agenda for the third annual hacker-powered security conference, Security@ San Francisco, is live! Security@ is the only conference dedicated to the booming hacker-powered security industry, where hackers and leaders come together to build a safer internet. The conference takes place on October 15, 2019 at the Palace of Fine Arts and will include talks by security leaders from some of the most innovative security teams. In addition, hackers from all over the world will discuss lessons learned from defending the front lines, scaling security teams, and addressing the talent gap. 2019 promises to be our largest event yet!
https://www.hackerone.com/company-news/announcing-security-san-francisco-2019-agenda

How HackerOne Fits into the Dev Tools You Know and Love

https://www.hackerone.com/vulnerability-management/how-hackerone-fits-dev-tools-you-know-and-love