Slashdot
2024-05-05
The blog It's FOSS has 15,000 followers for its Mastodon account — which they think is causing problems: When you share a link on Mastodon, a link preview is generated for it, right? With Mastodon being a federated platform (a part of the Fediverse), the request to generate a link preview is not generated by just one Mastodon instance. There are many instances connected to it who also initiate requests for the content almost immediately. And, this "fediverse effect" increases the load on the website's server in a big way. Sure, some websites may not get overwhelmed with the requests, but Mastodon does generate numerous hits, increasing the load on the server. Especially, if the link reaches a profile with more followers (and a broader network of instances)... We tried it on our Mastodon profile, and every time we shared a link, we were able to successfully make our website unresponsive or slow to load. Slashdot reader nunojsilva is skeptical that "blurbs with a thumbnail and description" could create the issue (rather than, say, poorly-optimized web content). But the It's FOSS blog says they found three GitHub issues about the same problem — one from 2017, and two more from 2023. And other blogs also reported the same issue over a year ago — including software developer Michael Nordmeyer and legendary Netscape programmer Jamie Zawinski. And back in 2022, security engineer Chris Partridge wrote: [A] single roughly ~3KB POST to Mastodon caused servers to pull a bit of HTML and... an image. In total, 114.7 MB of data was requested from my site in just under five minutes — making for a traffic amplification of 36704:1. [Not counting the image.] It's FOSS reports Mastodon's official position that the issue has been "moved as a milestone for a future 4.4.0 release. As things stand now, the 4.4.0 release could take a year or more (who knows?)." They also state their opinion that the issue "should have been prioritized for a faster fix... Don't you think as a community-powered, open-source project, it should be possible to attend to a long-standing bug, as serious as this one?" Read more of this story at Slashdot.
https://tech.slashdot.org/story/24/05/05/0241211/is-mastodons-link-previewing-overloading-servers?utm_source=rss1.0mainlinkanon&utm_medium=feed
An anonymous reader shared this report from the Guardian: Newly deciphered passages from a papyrus scroll that was buried beneath layers of volcanic ash after the AD79 eruption of Mount Vesuvius may have shed light on the final hours of Plato, a key figure in the history of western philosophy. In a groundbreaking discovery, the ancient scroll was found to contain a previously unknown narrative detailing how the Greek philosopher spent his last evening, describing how he listened to music played on a flute by a Thracian slave girl. Despite battling a fever and being on the brink of death, Plato — who was known as a disciple of Socrates and a mentor to Aristotle, and who died in Athens around 348BC — retained enough lucidity to critique the musician for her lack of rhythm, the account suggests.... In a presentation of the research findings at the National Library of Naples, Prof Graziano Ranocchia, of the University of Pisa, who spearheaded the team responsible for unearthing the carbonised scroll, described the discovery as an "extraordinary outcome that enriches our understanding of ancient history". He said: "Thanks to the most advanced imaging diagnostic techniques, we are finally able to read and decipher new sections of texts that previously seemed inaccessible... For the first time, we have been able to read sequences of hidden letters from the papyri that were enfolded within multiple layers, stuck to each other over the centuries, through an unrolling process using a mechanical technique that disrupted whole fragments of text." Read more of this story at Slashdot.
https://science.slashdot.org/story/24/05/05/0314231/platos-final-hours-recounted-in-scroll-found-in-vesuvius-ash?utm_source=rss1.0mainlinkanon&utm_medium=feed
"A leap in our ability to see the chemistry of matter in three-dimensions at the nanoscale was achieved, allowing scientists to understand how nanomaterials are chemically arranged," writes Slashdot reader Hovden: Traditionally, seeing matter at the smallest sizes requires too many high-energy electrons for 3D chemical imaging. The high beam exposure destroys the specimen before an experiment is completed. Even larger doses are required to achieve high resolution. Thus, chemical mapping in 3D has been unachievable except at lower resolution with the most radiation-hard materials. High-resolution 3D chemical imaging is now achievable near or below one-nanometer resolution. A team from Dow Chemical and the University of Michigan used a newly introduced method, called multi-modal data fusion, high-resolution chemical tomography, that provides 99% less dose by linking information encoded within both elastic and inelastic scattered signals. The researchers showed sub-nanometer 3D resolution of chemistry is measurable for a broad class of geometrically and compositionally complex materials. "Here are the pretty pictures," adds long-time Slashdot reader thoper. Phys.org also has this quote from Robert Hovden, an associate professor of materials science and engineering at the University of Michigan and corresponding author on the study published in Nature Communications. "Seeing invisible worlds, far smaller than the wavelengths of light, is absolutely critical to understanding the matter we are engineering at the nanoscale, not just in 2D but in 3D as well." Read more of this story at Slashdot.
https://science.slashdot.org/story/24/05/04/2350234/breakthrough-achieved-in-nanometer-resolution-imaging-of-3d-chemistry?utm_source=rss1.0mainlinkanon&utm_medium=feed
Thursday the Verge reported that a new report from Microsoft "outlines the steps the company took to release responsible AI platforms last year." Microsoft says in the report that it created 30 responsible AI tools in the past year, grew its responsible AI team, and required teams making generative AI applications to measure and map risks throughout the development cycle. The company notes that it added Content Credentials to its image generation platforms, which puts a watermark on a photo, tagging it as made by an AI model. The company says it's given Azure AI customers access to tools that detect problematic content like hate speech, sexual content, and self-harm, as well as tools to evaluate security risks. This includes new jailbreak detection methods, which were expanded in March this year to include indirect prompt injections where the malicious instructions are part of data ingested by the AI model. It's also expanding its red-teaming efforts, including both in-house red teams that deliberately try to bypass safety features in its AI models as well as red-teaming applications to allow third-party testing before releasing new models. Microsoft's chief Responsible AI officer told the Washington Post this week that "We work with our engineering teams from the earliest stages of conceiving of new features that they are building." "The first step in our processes is to do an impact assessment, where we're asking the team to think deeply about the benefits and the potential harms of the system. And that sets them on a course to appropriately measure and manage those risks downstream. And the process by which we review the systems has checkpoints along the way as the teams are moving through different stages of their release cycles... "When we do have situations where people work around our guardrails, we've already built the systems in a way that we can understand that that is happening and respond to that very quickly. 
So taking those learnings from a system like Bing Image Creator and building them into our overall approach is core to the governance systems that we're focused on in this report." They also said " it would be very constructive to make sure that there were clear rules about the disclosure of when content is synthetically generated," and "there's an urgent need for privacy legislation as a foundational element of AI regulatory infrastructure." Read more of this story at Slashdot.
https://slashdot.org/story/24/05/05/0521206/microsoft-details-how-its-developing-ai-responsibly?utm_source=rss1.0mainlinkanon&utm_medium=feed
Come 2029, all cars sold in the U.S. "must be able to stop and avoid contact with a vehicle in front of them at speeds up to 62 mph," reports Car and Driver. "Additionally, the system must be able to detect pedestrians in both daylight and darkness. As a final parameter, the federal standard will require the system to apply the brakes automatically up to 90 mph when a collision is imminent, and up to 45 mph when a pedestrian is detected." Notably, the federal standardization of automated emergency braking systems includes pedestrian-identifying emergency braking, too. Once implemented, the NHTSA projects that this standard will save at least 360 lives a year and prevent at least 24,000 injuries annually. Specifically, the federal agency claims that rear-end collisions and pedestrian injuries will both go down significantly... "Automatic emergency braking is proven to save lives and reduce serious injuries from frontal crashes, and this technology is now mature enough to require it in all new cars and light trucks. In fact, this technology is now so advanced that we're requiring these systems to be even more effective at higher speeds and to detect pedestrians," said NHTSA deputy administrator Sophie Shulman. Thanks to long-time Slashdot reader sinij for sharing the article. Read more of this story at Slashdot.
https://yro.slashdot.org/story/24/05/04/2250221/the-us-just-mandated-automated-emergency-braking-systems-by-2029?utm_source=rss1.0mainlinkanon&utm_medium=feed
In 2016, an online "swarm intelligence" platform generated a correct prediction for the Kentucky Derby — naming all four top finishers, in order. (But the next year their predictions weren't even close, with TechRepublic suggesting 2016's race had an unusual cluster of just a few top racehorses.) So this year Decrypt.co tried crafting their own system "that can be called up when the next Kentucky Derby draws near. There are a variety of ways to enlist artificial intelligence in horse racing. You could process reams of data based on your own methodology, trust a third-party pre-trained model, or even build a bespoke solution from the ground up. We decided to build a GPT we named HorseGPT to crunch the numbers and make the picks for us... We carefully curated prompts to instill HorseGPT with expertise in data science specific to horse racing: how weather affects times, the role of jockeys and riding styles, the importance of post positions, and so on. We then fed it a mix of research papers and blogs covering the theoretical aspects of wagering, and layered on practical knowledge: how to read racing forms, what the statistics mean, which factors are most predictive, expert betting strategies, and more. Finally, we gave HorseGPT a wealth of historical Kentucky Derby data, arming it with the raw information needed to put its freshly imparted skills to use. We unleashed HorseGPT on official racing forms for this year's Derby. We asked HorseGPT to carefully analyze each race's form, identify the top contenders, and recommend wager types and strategies based on deep background knowledge derived from race statistics. So how did it do? HorseGPT picked two horses to win — both of which failed to do so. (Sierra Leone did finish second — in a rare three-way photo finish. But Fierceness finished... 15th.) It also recommended the same two horses if you were trying to pick the top two finishers in the correct order — a losing bet, since, again, Fierceness finished 15th. 
But even worse, HorseGPT recommended betting on Just a Touch to finish in either first or second place. When the race was over, that horse finished dead last. (And when asked to pick the top three finishers in correct order, HorseGPT stuck with its choices for the top two — which finished #2 and #15 — and, again, Just a Touch, who came in last.) When Google Gemini was asked to pick the winner by The Athletic, it first chose Catching Freedom (who finished 4th). But it then gave an entirely different answer when asked to predict the winner "with an Italian accent." "The winner of the Kentucky Derby will be... Just a Touch! Si, that's-a right, the underdog! There will be much-a celebrating in the piazzas, thatta-a I guarantee!" Again, Just a Touch came in last. Decrypt noticed the same thing. "Interestingly enough, our HorseGPT AI agent and the other out-of-the-box chatbots seemed to agree with each other," the site notes, adding that HorseGPT also seemed to agree "with many expert analysts cited by the official Kentucky Derby website." But there was one glimmer of insight into the 20-horse race. When asked to choose the top four finishers in order, HorseGPT repeated those same losing picks — which finished #2, #15, and #20. But then it added two more underdogs for fourth place finishers, "based on their potential to outperform expectations under muddy conditions." One of those two horses — Domestic Product — finished in 13th place. But the other of the two horses was Mystik Dan — who came in first. Mystik Dan appeared in only one of the six "Top 10 Finishers" lists (created by humans) at the official Kentucky Derby site... in the #10 position. Read more of this story at Slashdot.
https://idle.slashdot.org/story/24/05/05/0037217/ai-powered-horsegpt-fails-to-predict-this-years-kentucky-derby-winner?utm_source=rss1.0mainlinkanon&utm_medium=feed
An anonymous reader shared this report from the New York Times: American officials are trying to increase international pressure on Russia not to deploy an antisatellite nuclear weapon in space, and have obtained information that undermines Moscow's explanation that the device it is developing is for peaceful scientific purposes, a senior State Department official said on Friday... On Friday, Mallory Stewart, the assistant secretary of state for arms control, said that while the United States had been aware of Russia's pursuit of such a device for years, "only recently have we been able to make a more precise assessment of their progress." Ms. Stewart, speaking at the nonpartisan Center for Strategic and International Studies in Washington, said the orbit the Russian satellite would occupy is in a high-radiation region not used by other satellites, information that undercuts Russia's defense that it is not developing a weapon. Read more of this story at Slashdot.
https://science.slashdot.org/story/24/05/04/225252/us-seeks-to-build-world-pressure-on-russia-over-space-nuclear-weapon?utm_source=rss1.0mainlinkanon&utm_medium=feed
CircleID reports that multinational internet service provider Cogent recently announced that it was offering $206 million in secured notes (a corporate bond backed by assets). "The unusual part is what it's using as security: some of its IPv4 addresses and the leases on those IPv4 addresses." All internet service providers (ISPs) give IP addresses to their users, but Cogent was among the first to lease those addresses independently of internet access. (Internet access customers normally require a unique address as part of their service.) Sources are hard to find, but prevailing wisdom is that they have over 10M addresses leased for about $0.30 per month, or $36M per year in revenue. The notes are expected to be repaid in five years. Thanks to long-time Slashdot reader penciling_in for sharing the article. Read more of this story at Slashdot.
https://tech.slashdot.org/story/24/05/04/2122251/multinational-isp-offers-206m-in-secured-notes-backed-by-ipv4-addresses?utm_source=rss1.0mainlinkanon&utm_medium=feed
The blog It's FOSS is "pissed at the casual arrogance of Ubuntu and its parent company Canonical.... The sheer audacity of not caring for its users reeks of Microsoft-esque arrogance." If you download a .deb package of some software, you cannot install it using the official graphical software center on Ubuntu anymore. When you double-click on the downloaded deb package, you'll see this error, "there is no app installed for Debian package files". If you right-click and choose to open it with Software Center, you are in for another annoyance. The software center will go into eternal loading. It may look as if it is doing something, but it will go on forever. I could even livestream the loading app store on YouTube, and it would continue for the 12 years of its long-term support period. Canonical software engineer Dennis Loose actually created an issue ticket for the problem himself — back in September of 2023. And two weeks ago he returned to the discussion to announce that a fix "will be a priority for the next cycle". (Though "unfortunately we didn't have the capacity to work on this for 24.04...") But It's FOSS accused Canonical of "cleverly booting out deb in favor of Snap, one baby step at a time" (noting the problem started with Ubuntu 23.10): There is also the issue of replacing deb packages with Snap, even with the apt command line tool. You use 'sudo apt install chromium', you get a Snap package of Chromium instead of Debian. The venerable Linux magazine argues that Canonical "has secretly forced Snap installation on users." [I]t looks as if the Software app defaults to Snap packages for everything now. I combed through various apps and found this to be the case.... As far as the auto-installation of downloaded .deb files, you'll have to install something like gdebi to bring back this feature. Read more of this story at Slashdot.
https://news.slashdot.org/story/24/05/04/202207/ubuntu-criticized-for-bug-blocking-installation-of-deb-packages?utm_source=rss1.0mainlinkanon&utm_medium=feed
An anonymous reader shared this report from the Washington Post: The heat shield of the Orion spacecraft intended one day to carry astronauts to the moon under NASA's Artemis program suffered unexpected damage in more than 100 places as the spacecraft returned to Earth during an uncrewed test flight in 2022, according to a watchdog report released late Wednesday. While the capsule withstood the fiery tumult of reentry, when temperatures reached 5,000 degrees Fahrenheit as it plunged through the atmosphere at nearly 25,000 mph, the damage the heat shield suffered was far greater than NASA engineers had expected and more severe than NASA had revealed previously. Photos of the heat shield in the report showed gouges that look like small potholes. "Should the same issue occur on future Artemis missions, it could lead to the loss of the vehicle or crew," the report, by NASA's inspector general, concluded... The IG report provides the most detailed description of the issue to date. It also highlighted other problems with the spacecraft that could create significant challenges for the space agency as it seeks to return humans to the lunar surface for the first time in more than 50 years. Portions of the heat shield "wore away differently than NASA engineers predicted, cracking and breaking off the spacecraft in fragments that created a trail of debris rather than melting away as designed," according to the report. That, in turn, "could have caused enough structural damage to cause one of Orion's parachutes to fail...." In addition to the heat shield erosion on Orion, which is manufactured by Lockheed Martin, the IG said several bolts on the crew module "experienced an exposed gap that allowed for increased heating to the bolt interior and greater than expected melting and erosion." Earlier this year, NASA announced the next flight for its moon program — sending a crew of four around the moon — would be delayed, according to the article. 
The moon-orbiting mission would now occur "no earlier than September 2025, largely because officials wanted to study the heat shield issue further and understand why it eroded as it did." The article adds that this new report "casts doubt on both NASA's rosy original assessment of the test flight" — as well as the likelihood that a lunar landing will occur by late 2026. Read more of this story at Slashdot.
https://science.slashdot.org/story/24/05/04/054256/nasas-moon-capsule-suffered-extensive-damage-during-2022s-test-flight?utm_source=rss1.0mainlinkanon&utm_medium=feed
The Washington Post reports that wind turbines "only take up five percent of the land where they've been built, new research shows." The rest of the space can be used for other purposes, such as agriculture, according to a study published recently in the peer-reviewed journal Environmental Science and Technology. This means developers could fit turbines in places that are often perceived as unsuitable for a wind farm. The new study highlights that turbines and existing human development, such as agriculture, cannot only share the same area, but also that building wind farms where there are already roads and other infrastructure could help reduce impacts on the land. "Clever siting, use of existing infrastructure, multiple use of landscapes — all these things ... can really contribute to solutions in areas where wind power is acceptable to the local people," said Sarah Jordaan, the study's principal investigator. Historically, planning studies for wind farms have often assumed that turbines would disturb all the land at the site and leave the area unusable for anything else, said Jordaan, an associate professor in the department of civil engineering at McGill University. The study's findings provide a more accurate accounting of how much land is needed for wind farms, she added. Read more of this story at Slashdot.
https://hardware.slashdot.org/story/24/05/04/0435251/finding-land-for-us-wind-farms-might-be-easier-than-we-thought?utm_source=rss1.0mainlinkanon&utm_medium=feed
An anonymous reader shared this report from the blog Bitcoinist: Jack Dorsey's financial services and digital payments company, Block Inc., announced it will begin investing 10% of its monthly Bitcoin-related gross profits into BTC purchases. This announcement was made following the release of Block's first-quarter earnings for 2024, which demonstrated substantial profits from its Bitcoin operations. Block reported Bitcoin-related gross profits amounting to $80 million in the first quarter alone. If this trend continues, the implementation of the new dollar cost averaging (DCA) program could see the company investing approximately $24 million in Bitcoin within one year... Dorsey also shared a detailed document [PDF] titled "Bitcoin Blueprint For Corporate Balance Sheets," which serves as a comprehensive guide for other corporations interested in integrating BTC into their financial strategies. According to the document, Block, formerly known as Square, began its substantial acquisitions in October 2020, purchasing 4,709 BTC at an aggregate price of $50 million. The company later bought an additional 3,318 BTC in February 2021 for $170 million. As of March 31, 2024, Block holds approximately 8,038 BTC, representing about 9% of its total cash and marketable securities. Read more of this story at Slashdot.
https://slashdot.org/story/24/05/04/0356205/jack-dorseys-block-is-investing-10-of-its-bitcoin-profits-into-monthly-bitcoin-purchases?utm_source=rss1.0mainlinkanon&utm_medium=feed
Markos Moulitsas is the poll-watching founder of the political blog Daily Kos. Thursday he wrote that in 2021, future third-party presidential candidate RFK Jr. had sued their web site. "Things are not going well for him." Back in 2021, Robert F. Kennedy Jr. sued Daily Kos to unmask the identity of a community member who posted a critical story about his dalliance with neo-Nazis at a Berlin rally. I updated the story here, here, here, here, and here. To briefly summarize, Kennedy wanted us to doxx our community member, and we stridently refused. The site and the politician then continued fighting for more than three years. "Daily Kos lost the first legal round in court," Moulitsas posted in 2021, "thanks to a judge who is apparently unconcerned with First Amendment ramifications given the chilling effect of her ruling." But even then, Moulitsas was clear on his rights: Because of Section 230 of the Communications Decency Act, [Kennedy] cannot sue Daily Kos — the site itself — for defamation. We are protected by the so-called safe harbor. That's why he's demanding we reveal what we know about "DowneastDem" so they can sue her or him directly. Moulitsas also stressed that his own 2021 blog post was "reiterating everything that community member wrote, and expanding on it. And so instead of going after a pseudonymous community writer/diarist on this site, maybe Kennedy will drop that pointless lawsuit and go after me... consider this an escalation." (Among other things, the post cited a German-language news account saying Kennedy "sounded the alarm concerning the 5G mobile network and Microsoft founder Bill Gates..." Moulitsas also noted an Irish Times article which confirmed that at the rally Kennedy spoke at, "Noticeable numbers of neo-Nazis, kitted out with historic Reich flags and other extremist accessories, mixed in with the crowd.") So what happened? 
Moulitsas posted an update Thursday: Shockingly, Kennedy got a trial court judge in New York to agree with him, and a subpoena was issued to Daily Kos to turn over any information we might have on the account. However, we are based in California, not New York, so once I received the subpoena at home, we had a California court not just quash the subpoena, but essentially signal that if New York didn't do the right thing on appeal, California could very well take care of it. It's been a while since I updated, and given a favorable court ruling Thursday, it's way past time to catch everyone up. New York is one of the U.S. states that doesn't have a strict "Dendrite standard" law protecting anonymous speech. But soon the blog founder discovered he had allies: The issues at hand are so important that The New York Times, the E.W.Scripps Company, the First Amendment Coalition, New York Public Radio, and seven other New York media companies joined the appeals effort with their own joint amicus brief. What started as a dispute over a Daily Kos diarist has become a meaningful First Amendment battle, with major repercussions given New York's role as a major news media and distribution center. After reportedly spending over $1 million on legal fees, Kennedy somehow discovered the identity of our community member sometime last year and promptly filed a defamation suit in New Hampshire in what seemed a clumsy attempt at forum shopping, or the practice of choosing where to file suit based on the belief you'll be granted a favorable outcome. The community member lives in Maine, Kennedy lives in California, and Daily Kos doesn't publish specifically in New Hampshire. A perplexed court threw out the case this past February on those obvious jurisdictional grounds.... Then, last week, the judge threw out the appeal of that decision because Kennedy's lawyer didn't file in time — and blamed the delay on bad Wi-Fi... 
Kennedy tried to dismiss the original case, the one awaiting an appellate decision in New York, claiming it was now moot. His legal team had sued to get the community member's identity, and now that they had it, they argued that there was no reason for the case to continue. We disagreed, arguing that there were important issues to resolve (i.e., Dendrite), and we also wanted lawyer fees for their unconstitutional assault on our First Amendment rights... On Thursday, in a unanimous decision, a four-judge New York Supreme Court appellate panel ordered the case to continue, keeping the Dendrite issue alive and also allowing us to proceed in seeking damages based on New York's anti-SLAPP law, which prohibits "strategic lawsuits against public participation." Thursday's blog post concludes with this summation. "Kennedy opened up a can of worms and has spent millions fighting this stupid battle. Despite his losses, we aren't letting him weasel out of this." Read more of this story at Slashdot.
https://yro.slashdot.org/story/24/05/04/0316216/when-a-politician-sues-a-blog-to-unmask-its-anonymous-commenter?utm_source=rss1.0mainlinkanon&utm_medium=feed
The world's highest astronomical site is officially open for business after being in the works for 26 years. Space.com reports: The Japanese University of Tokyo Atacama Observatory, or TAO, which was first conceptualized 26 years ago to study the evolution of galaxies and exoplanets, is perched on top of a tall mountain in the Chilean Andes at 5,640 meters (18,500 feet) above sea level. The facility's altitude surpasses even the Atacama Large Millimeter Array, which is at an elevation of 5,050 meters (16,570 feet). TAO is located on the summit of Atacama's Cerro Chajnantor mountain, whose name means "place of departure" in the now-extinct Kunza language of the indigenous Likan Antai community. The region's high altitude, sparse atmosphere and perennially arid climate is deadly to humans, but makes an excellent spot for infrared telescopes like TAO as their observational accuracies rely on low moisture levels, which render Earth's atmosphere transparent in infrared wavelengths. TAO's 6.5-meter telescope consists of two science instruments designed to observe the universe in infrared, which is electromagnetic radiation with a wavelength longer than visible light but shorter than microwaves. One of the instruments, named SWIMS, will image galaxies from the very early universe to understand how they coalesced out of pristine dust and gas, a process whose specifics remain murky despite decades of research. The second, named MIMIZUKU, will aid the overarching science goal by studying primordial disks of dust within which stars and galaxies are known to form, according to the mission plan. Constructing the telescope on the summit of Mt. Chajnantor "was an incredible challenge, not just technically, but politically too," Yuzuru Yoshii, a professor at the University of Tokyo in Japan who spearheaded TAO since 1998, said in a statement. 
"I have liaised with Indigenous peoples to ensure their rights and views are considered, the Chilean government to secure permission, local universities for technical collaboration, and even the Chilean Health Ministry to make sure people can work at that altitude in a safe manner." "Thanks to all involved, research I've only ever dreamed about can soon become a reality, and I couldn't be happier," he added. Read more of this story at Slashdot.
https://science.slashdot.org/story/24/05/03/233253/the-highest-observatory-on-earth-is-now-open?utm_source=rss1.0mainlinkanon&utm_medium=feed
This year's Free Comic Book Day coincided with Star Wars Day. So there are two new free Star Wars titles being handed out today in comic shops around the world. They're among several geek-friendly titles among the 48 free comics that fans will get to choose from during this once-a-year event, including:
- Street Fighter vs Final Fight
- Jonny Quest
- Teenage Mutant Ninja Turtles
- Conan the Barbarian
- Flash Gordon
And, of course, four from Marvel Comics. More details from IGN: DC is about to kick off Absolute Power, a major crossover event that involves Amanda Waller teaming with Batman's rogue android Failsafe and the Brainiac Queen to drain the world's heroes of their power. This prologue issue serves as a primer for the event... Alongside their Conan issue, Titan is also releasing a new Doctor Who comic that has the distinction of being the first story to feature Ncuti Gatwa's Fifteenth Doctor... Robert Kirkman's Skybound has been busy establishing a new shared Energon Universe, one which comprises Kirkman and Lorenzo De Felici's Void Rivals as well as the Transformers and G.I. Joe franchises... This issue features new stories for all three series and is designed to be an easy gateway into this rapidly growing comic book line. There's a Stranger Things story, an Archie Horror comic, and the story of how Popeye lost his eye. The event is designed to help the industry by attracting comic book readers to independent comic book stores -- and in 2017 NPR offered this advice for visiting comics fans. "While you're there, buy something... The comics shops still have to pay for the 'free' FCBD books they stock, and they're counting on the increased foot traffic to lift sales." Read more of this story at Slashdot.
https://entertainment.slashdot.org/story/24/05/03/1928201/geek-friendly-free-comic-book-day-titles-include-two-star-wars-books-for-may-the-fourth?utm_source=rss1.0mainlinkanon&utm_medium=feed
Security Magazine
Fri, 03 May 2024 12:00:00 -0400
The 2024 Data Breach Investigations Report reveals the role that the human element plays in cyber threats, and security leaders are weighing in.
https://www.securitymagazine.com/articles/100629-verizon-2024-data-breach-report-shows-the-risk-of-the-human-element
AI can analyze and utilize customers’ personally identifiable information (PII) in ways that could infringe on an individual’s privacy.
https://www.securitymagazine.com/articles/100628-ai-enabled-data-collection-and-the-regulatory-landscape
Organizations are utilizing data to promote innovation; however, less than 2% can access sensitive data within a week’s time.
https://www.securitymagazine.com/articles/100627-report-the-cost-and-complexity-of-data-compliance-impedes-innovation
Cybersecurity is now a business enabler, impacting the bottom line with emerging regulations and making it more of a priority for organizations.
https://www.securitymagazine.com/articles/100626-cisos-arent-scapegoats-fostering-a-security-first-culture
Governance, risk, and compliance is often treated as a separate entity from security. But experts know that the two are hopelessly intertwined.
https://www.securitymagazine.com/articles/100625-leveraging-holistic-grc-for-compliance-and-audit-preparation
A new report shows that within the last 12 months, a majority of organizations reworked cybersecurity strategies.
https://www.securitymagazine.com/articles/100624-95-of-organizations-adjusted-cybersecurity-strategies-this-past-year
Security leaders discuss how collaborative partnerships enhance security and business operations.
https://www.securitymagazine.com/articles/100623-the-power-of-partnerships
New data analyzing ransomware group activities has found that activity from the ransomware gang RAGroup has risen by 300% since December.
https://www.securitymagazine.com/articles/100619-ransomware-gang-ragroup-activities-increased-by-more-than-300
In this edition of Security’s Top 5 from Security magazine, we showcase the top stories and new developments from across the security industry throughout March.
https://www.securitymagazine.com/articles/100622-securitys-top-5-march-2024
In the realm of global technology regulation, businesses are tasked with fostering innovation while navigating an increasingly intricate regulatory environment.
https://www.securitymagazine.com/articles/100620-navigate-the-new-european-ai-act-and-possible-global-standardization
An evaluation of nearly 4,900 ransomware attacks reveals information about malicious actors and their new techniques, their evolving operations and their global impact.
https://www.securitymagazine.com/articles/100618-there-was-an-81-year-over-year-increase-in-ransomware-attacks
Many organizations are vulnerable to risk, yet a majority of cyber leaders express confidence that their organization can manage risk.
https://www.securitymagazine.com/articles/100617-poor-cyber-hygiene-and-budgets-leave-organizations-ill-prepared
MITRE Corporation announced that it was the target of a nation-state cyberattack, and security leaders are sharing their insights.
https://www.securitymagazine.com/articles/100616-experts-weigh-in-on-the-mitre-nation-state-cyberattack
Felipe Fernandez, Chief Technology Officer at Fortinet Federal, discusses the challenges and opportunities for enterprise security professionals in the scope of national security.
https://www.securitymagazine.com/articles/100611-emerging-national-security-threats
Omni Hotels & Resorts was the recent target of a ransomware attack by the Daixin Team ransomware group.
https://www.securitymagazine.com/articles/100605-experts-weigh-in-on-omni-hotel-ransomware-incident
LabHost, a notable phishing-as-a-service platform, was disrupted by international investigations. Security leaders respond.
https://www.securitymagazine.com/articles/100606-security-leaders-respond-to-disruption-of-labhost-a-fraud-website
A new report surveyed more than 400 CISOs from the United States and the United Kingdom to gauge their challenges, priorities and initiatives.
https://www.securitymagazine.com/articles/100615-72-of-cisos-believe-ai-solutions-may-lead-to-security-breaches
Security leaders predict that AI will become a more prevalent tool in the tool kit of cybercriminals, potentially powering a range of cyberattacks.
https://www.securitymagazine.com/articles/100613-93-of-security-leaders-anticipate-daily-ai-attacks-by-2025
Legislators and others in favor of banning TikTok often cite data security issues, but it’s an invalid argument that will do little in terms of data security protections.
https://www.securitymagazine.com/articles/100612-why-banning-tiktok-will-not-solve-data-security-challenges
In episode 22 of the Cybersecurity & Geopolitical Discussion, our trio of hosts debate the geopolitical and security dimensions of the current global space industry.
https://www.securitymagazine.com/articles/100594-the-real-space-race-inside-geopolitics-and-security-of-a-18t-industry
The FTC issues refunds after a settlement with Ring over charges the company allowed employees and contractors to access consumers’ private videos.
https://www.securitymagazine.com/articles/100607-ftc-issues-refunds-to-ring-customers-following-privacy-settlement
For executives and leaders in IT, security and business operations, the widening cybersecurity skills gap poses an urgent dilemma.
https://www.securitymagazine.com/articles/100608-bridging-the-widening-cybersecurity-skills-gap
Many small and medium-sized enterprises lack the resources and abilities to properly handle the large volume of security alerts they receive.
https://www.securitymagazine.com/articles/100610-73-of-security-professionals-failed-to-act-upon-security-alerts
According to a recent study, 80% of cybersecurity decision makers say accelerating AI adoption is critical to their organization’s resilience.
https://www.securitymagazine.com/articles/100603-40-of-organizations-have-ai-policies-for-critical-infrastructure
As technology evolves, manufacturers can leverage new tools to reduce costs while improving accuracy, visibility and customer satisfaction.
https://www.securitymagazine.com/articles/100601-automating-a-more-resilient-supply-chain
Research has discovered a vulnerability in an Apache project that could lead to remote code execution inside of the production environment.
https://www.securitymagazine.com/articles/100599-new-research-discovers-vulnerability-in-an-archived-apache-project
According to a recent cybersecurity priorities report, security analysts maintain that up to 57% of their daily tasks could be automated.
https://www.securitymagazine.com/articles/100602-88-of-respondents-will-focus-security-investments-on-cloud-security
AI can become the foundation for a future where agencies can proactively identify, understand and address cyber threats before it’s too late.
https://www.securitymagazine.com/articles/100598-harnessing-ai-to-bolster-public-sector-cybersecurity
With threats looming, here are three considerations for consumers and businesses to protect data privacy in the age of AI.
https://www.securitymagazine.com/blogs/14-security-blog/post/100597-security-isnt-convenient-and-thats-a-big-problem-in-the-age-of-ai
In a recent report, two-thirds of IT leaders express a lack of confidence in the United States government's ability to defend against cyberwarfare.
https://www.securitymagazine.com/articles/100593-66-of-it-leaders-doubt-the-government-can-defend-against-cyberwarfare
theHackerNews
Sat, 04 May 2024 14:08:00 +0530
Czechia and Germany on Friday revealed that they were the target of a long-term cyber espionage campaign conducted by the Russia-linked nation-state actor known as APT28, drawing condemnation from the European Union (E.U.), the North Atlantic Treaty Organization (NATO), the U.K., and the U.S. The Czech Republic's Ministry of Foreign Affairs (MFA), in a statement, said some unnamed
https://thehackernews.com/2024/05/microsoft-outlook-flaw-exploited-by.html
In today's rapidly evolving digital landscape, the threat of Distributed Denial of Service (DDoS) attacks looms more significant than ever. As these cyber threats grow in sophistication, understanding and countering them becomes crucial for any business seeking to protect its online presence. To address this urgent need, we are thrilled to announce our upcoming webinar, "Uncovering Contemporary
https://thehackernews.com/2024/05/expert-led-webinar-learn-latest-ddos.html
Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection. This is done to "facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.
https://thehackernews.com/2024/05/hackers-increasingly-abusing-microsoft.html
SaaS applications are dominating the corporate landscape. Their increased use enables organizations to push the boundaries of technology and business. At the same time, these applications also pose a new security risk that security leaders need to address, since the existing security stack does not enable complete control or comprehensive monitoring of their usage.
https://thehackernews.com/2024/05/new-guide-explains-how-to-eliminate.html
The U.S. government on Thursday published a new cybersecurity advisory warning of North Korean threat actors' attempts to send emails in a manner that makes them appear like they are from legitimate and trusted parties. The joint bulletin was published by the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Department of State. "The
https://thehackernews.com/2024/05/nsa-fbi-alert-on-n-korean-hackers.html
Google on Thursday announced that passkeys are being used by over 400 million Google accounts, authenticating users more than 1 billion times over the past two years. "Passkeys are easy to use and phishing resistant, only relying on a fingerprint, face scan or a pin making them 50% faster than passwords," Heather Adkins, vice president of security engineering at Google, said.
https://thehackernews.com/2024/05/google-announces-passkeys-adopted-by.html
HPE Aruba Networking (formerly Aruba Networks) has released security updates to address critical flaws impacting ArubaOS that could result in remote code execution (RCE) on affected systems. Of the 10 security defects, four are rated critical in severity - CVE-2024-26304 (CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via
https://thehackernews.com/2024/05/four-critical-vulnerabilities-expose.html
Several popular Android applications available in Google Play Store are susceptible to a path traversal-affiliated vulnerability codenamed the Dirty Stream attack that could be exploited by a malicious app to overwrite arbitrary files in the vulnerable app's home directory. "The implications of this vulnerability pattern include arbitrary code execution and token theft,
https://thehackernews.com/2024/05/popular-android-apps-like-xiaomi-wps.html
A Ukrainian national has been sentenced to more than 13 years in prison and ordered to pay $16 million in restitution for carrying out thousands of ransomware attacks and extorting victims. Yaroslav Vasinskyi (aka Rabotnik), 24, along with his co-conspirators in the REvil ransomware group, orchestrated more than 2,500 ransomware attacks and demanded ransom payments in
https://thehackernews.com/2024/05/ukrainian-revil-hacker-sentenced-to-13.html
Like antivirus software, vulnerability scans rely on a database of known weaknesses. That’s why websites like VirusTotal exist, to give cyber practitioners a chance to see whether a malware sample is detected by multiple virus scanning engines, but this concept hasn’t existed in the vulnerability management space.
The benefits of using multiple scanning engines
Generally speaking
https://thehackernews.com/2024/05/when-is-one-vulnerability-scanner-not.html
Cloud storage services provider Dropbox on Wednesday disclosed that Dropbox Sign (formerly HelloSign) was breached by unidentified threat actors, who accessed emails, usernames, and general account settings associated with all users of the digital signature product. The company, in a filing with the U.S. Securities and Exchange Commission (SEC), said it became aware of the "
https://thehackernews.com/2024/05/dropbox-discloses-breach-of-digital.html
A never-before-seen botnet called Goldoon has been observed targeting D-Link routers with a nearly decade-old critical security flaw with the goal of using the compromised devices for further attacks. The vulnerability in question is CVE-2015-2051 (CVSS score: 9.8), which affects D-Link DIR-645 routers and allows remote attackers to execute arbitrary
https://thehackernews.com/2024/05/new-goldoon-botnet-targets-d-link.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild. Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email
https://thehackernews.com/2024/05/cisa-warns-of-active-exploitation-of.html
A new malware called Cuttlefish is targeting small office and home office (SOHO) routers with the goal of stealthily monitoring all traffic through the devices and gathering authentication data from HTTP GET and POST requests. "This malware is modular, designed primarily to steal authentication material found in web requests that transit the router from the adjacent
https://thehackernews.com/2024/05/new-cuttlefish-malware-hijacks-router.html
A forensic analysis of a graph dataset containing transactions on the Bitcoin blockchain has revealed clusters associated with illicit activity and money laundering, including detecting criminal proceeds sent to a crypto exchange and previously unknown wallets belonging to a Russian darknet market. The findings come from Elliptic in collaboration with researchers from the
https://thehackernews.com/2024/05/bitcoin-forensic-analysis-uncovers.html
Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers for detection evasion. The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to secure its C2 communications. "Wpeeper is a typical backdoor Trojan for Android
https://thehackernews.com/2024/05/android-malware-wpeeper-uses.html
There’s a natural human desire to avoid threatening scenarios. The irony, of course, is that if you hope to attain any semblance of security, you’ve got to remain prepared to confront those very same threats. As a decision-maker for your organization, you know this well. But no matter how many experts or trusted cybersecurity tools your organization has standing guard,
https://thehackernews.com/2024/05/everyones-expert-how-to-empower-your.html
The authors behind the resurfaced ZLoader malware have added a feature that was originally present in the Zeus banking trojan that it's based on, indicating that it's being actively developed. "The latest version, 2.4.1.0, introduces a feature to prevent execution on machines that differ from the original infection," Zscaler ThreatLabz researcher Santiago
https://thehackernews.com/2024/05/zloader-malware-evolves-with-anti.html
A former employee of the U.S. National Security Agency (NSA) has been sentenced to nearly 22 years (262 months) in prison for attempting to transfer classified documents to Russia. "This sentence should serve as a stark warning to all those entrusted with protecting national defense information that there are consequences to betraying that trust," said FBI Director Christopher Wray.
https://thehackernews.com/2024/05/ex-nsa-employee-sentenced-to-22-years.html
Cybersecurity researchers have discovered multiple campaigns targeting Docker Hub by planting millions of malicious "imageless" containers over the past five years, once again underscoring how open-source registries could pave the way for supply chain attacks. "Over four million of the repositories in Docker Hub are imageless and have no content except for the repository
https://thehackernews.com/2024/04/millions-of-malicious-imageless.html
The U.S. government has unveiled new security guidelines aimed at bolstering critical infrastructure against artificial intelligence (AI)-related threats. "These guidelines are informed by the whole-of-government effort to assess AI risks across all sixteen critical infrastructure sectors, and address threats both to and from, and involving AI systems," the Department of Homeland Security (DHS)
https://thehackernews.com/2024/04/us-government-releases-new-ai-security.html
Operational Technology (OT) refers to the hardware and software used to change, monitor, or control the enterprise's physical devices, processes, and events. Unlike traditional Information Technology (IT) systems, OT systems directly impact the physical world. This unique characteristic of OT brings additional cybersecurity considerations not typically present in conventional IT security
https://thehackernews.com/2024/04/considerations-for-operational.html
The U.K. National Cyber Security Centre (NCSC) is calling on manufacturers of smart devices to comply with new legislation that prohibits them from using default passwords, effective April 29, 2024. "The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will help consumers to choose smart devices that have been designed to
https://thehackernews.com/2024/04/new-uk-law-bans-default-passwords-on.html
Google on Monday revealed that almost 200,000 app submissions to its Play Store for Android were either rejected or remediated to address issues with access to sensitive data such as location or SMS messages over the past year. The tech giant also said it blocked 333,000 bad accounts from the app storefront in 2023 for attempting to distribute malware or for repeated policy violations. "In 2023,
https://thehackernews.com/2024/04/google-prevented-228-million-malicious.html
A previously undocumented cyber threat dubbed Muddling Meerkat has been observed undertaking sophisticated domain name system (DNS) activities in a likely effort to evade security measures and conduct reconnaissance of networks across the world since October 2019. Cloud security firm Infoblox described the threat actor as likely affiliated with the
https://thehackernews.com/2024/04/china-linked-muddling-meerkat-hijacks.html
It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many
https://thehackernews.com/2024/04/navigating-threat-landscape.html
A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced. The flaw, assigned the CVE identifier CVE-2024-27322 (CVSS score: 8.8), "involves the use of promise objects and lazy evaluation in R," AI application
https://thehackernews.com/2024/04/new-r-programming-vulnerability-exposes.html
Multiple critical security flaws have been disclosed in the Judge0 open-source online code execution system that could be exploited to obtain code execution on the target system. The three flaws, all critical in nature, allow an "adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine," Australian
https://thehackernews.com/2024/04/sandbox-escape-vulnerabilities-in.html
Identity and access management (IAM) services provider Okta has warned of a spike in the "frequency and scale" of credential stuffing attacks aimed at online services. These unprecedented attacks, observed over the last month, are said to be facilitated by "the broad availability of residential proxy services, lists of previously stolen credentials ('combo lists'), and scripting tools," the
https://thehackernews.com/2024/04/okta-warns-of-unprecedented-surge-in.html
Cybersecurity researchers have discovered a targeted operation against Ukraine that has been found leveraging a nearly seven-year-old flaw in Microsoft Office to deliver Cobalt Strike on compromised systems. The attack chain, which took place at the end of 2023 according to Deep Instinct, employs a PowerPoint slideshow file ("signal-2023-12-20-160512.ppsx") as the starting point, with
https://thehackernews.com/2024/04/ukraine-targeted-in-cyberattack.html
An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor. Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER, linking it to North Korean threat actors. "During these fraudulent interviews, the developers are often asked
https://thehackernews.com/2024/04/bogus-npm-packages-used-to-trick.html
Several security vulnerabilities disclosed in the Brocade SANnav storage area network (SAN) management application could be exploited to compromise susceptible appliances. The 18 flaws impact all versions up to and including 2.3.0, according to independent security researcher Pierre Barre, who discovered and reported them. The issues range from incorrect firewall rules,
https://thehackernews.com/2024/04/severe-flaws-disclosed-in-brocade.html
In today's digital world, where connectivity rules all, endpoints serve as the gateway to a business’s digital kingdom. And because of this, endpoints are one of hackers' favorite targets. According to the IDC, 70% of successful breaches start at the endpoint. Unprotected endpoints provide vulnerable entry points to launch devastating cyberattacks. With IT
https://thehackernews.com/2024/04/10-critical-endpoint-security-tips-you.html
Fake browser updates are being used to push a previously undocumented Android malware called Brokewell. "Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware," Dutch security firm ThreatFabric said in an analysis published Thursday. The malware is said to be in active development,
https://thehackernews.com/2024/04/new-brokewell-android-malware-spread.html
Palo Alto Networks has shared remediation guidance for a recently disclosed critical security flaw impacting PAN-OS that has come under active exploitation. The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be weaponized to obtain unauthenticated remote shell command execution on susceptible devices. It has been addressed in
https://thehackernews.com/2024/04/palo-alto-networks-outlines-remediation.html
Threat actors are attempting to actively exploit a critical security flaw in the ValvePress Automatic plugin for WordPress that could allow site takeovers. The shortcoming, tracked as CVE-2024-27956, carries a CVSS score of 9.9 out of a maximum of 10. It impacts all versions of the plugin prior to 3.92.0. The issue has been resolved in version 3.92.1 released on February 27, 2024,
https://thehackernews.com/2024/04/hackers-exploiting-wp-automatic-plugin.html
The North Korea-linked threat actor known as Lazarus Group employed its time-tested fabricated job lures to deliver a new remote access trojan called Kaolin RAT as part of attacks targeting specific individuals in the Asia region in summer 2023. The malware could, "aside from standard RAT functionality, change the last write timestamp of a selected file and load any received DLL
https://thehackernews.com/2024/04/north-koreas-lazarus-group-deploys-new.html
Follow this real-life network attack simulation, covering 6 steps from Initial Access to Data Exfiltration. See how attackers remain undetected with the simplest tools and why you need multiple choke points in your defense strategy. Surprisingly, most network attacks are not exceptionally sophisticated, technologically advanced, or reliant on zero-day tools that exploit
https://thehackernews.com/2024/04/network-threats-step-by-step-attack.html
The U.S. Department of Justice (DoJ) on Wednesday announced the arrest of two co-founders of a cryptocurrency mixer called Samourai and seized the service for allegedly facilitating over $2 billion in illegal transactions and for laundering more than $100 million in criminal proceeds. To that end, Keonne Rodriguez, 35, and William Lonergan Hill, 65, have been charged
https://thehackernews.com/2024/04/doj-arrests-founders-of-crypto-mixer.html
Google has once again pushed its plans to deprecate third-party tracking cookies in its Chrome web browser as it works to address outstanding competition concerns from U.K. regulators over its Privacy Sandbox initiative. The tech giant said it's working closely with the U.K. Competition and Markets Authority (CMA) and hopes to achieve an agreement by the end of the year. As part of the
https://thehackernews.com/2024/04/google-postpones-third-party-cookie.html
A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments. Cisco Talos, which dubbed the activity ArcaneDoor, attributed it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft). "UAT4356
https://thehackernews.com/2024/04/state-sponsored-hackers-exploit-two.html
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Monday sanctioned two firms and four individuals for their involvement in malicious cyber activities on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) from at least 2016 to April 2021. This includes the front companies Mehrsam Andisheh Saz Nik (MASN) and Dadeh
https://thehackernews.com/2024/04/us-treasury-sanctions-iranian-firms-and.html
Cybersecurity researchers have discovered an ongoing attack campaign that's leveraging phishing emails to deliver a malware called SSLoad. The campaign, codenamed FROZEN#SHADOW by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software. "SSLoad is designed to stealthily infiltrate systems, gather sensitive
https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html
Security vulnerabilities uncovered in cloud-based pinyin keyboard apps could be exploited to reveal users' keystrokes to nefarious actors. The findings come from the Citizen Lab, which discovered weaknesses in eight of nine apps from vendors like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The only vendor whose keyboard app did not have any security
https://thehackernews.com/2024/04/major-security-flaws-expose-keystrokes.html
Compliance requirements are meant to increase cybersecurity transparency and accountability. As cyber threats increase, so do the number of compliance frameworks and the specificity of the security controls, policies, and activities they include. For CISOs and their teams, that means compliance is a time-consuming, high-stakes process that demands strong organizational and
https://thehackernews.com/2024/04/ciso-perspectives-on-complying-with.html
A new malware campaign has been exploiting the updating mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners like XMRig through a long-standing threat codenamed GuptiMiner targeting large corporate networks. Cybersecurity firm Avast said the activity is the work of a threat actor with possible connections to a North Korean hacking group dubbed
https://thehackernews.com/2024/04/escan-antivirus-update-mechanism.html
A new ongoing malware campaign has been observed distributing three different stealers, CryptBot, LummaC2, and Rhadamanthys, hosted on Content Delivery Network (CDN) cache domains since at least February 2024. Cisco Talos has attributed the activity with moderate confidence to a threat actor tracked as CoralRaider, a suspected Vietnamese-origin
https://thehackernews.com/2024/04/coralraider-malware-campaign-exploits.html
Researchers have identified a dependency confusion vulnerability impacting an archived Apache project called Cordova App Harness. Dependency confusion attacks take place owing to the fact that package managers check the public repositories before private registries, thus allowing a threat actor to publish a malicious package with the same name to a public package repository. This
https://thehackernews.com/2024/04/apache-cordova-app-harness-targeted-in.html
In the high-stakes world of cybersecurity, the battleground has shifted. Supply chain attacks have emerged as a potent threat, exploiting the intricate web of interconnected systems and third-party dependencies to breach even the most formidable defenses. But what if you could turn the tables and proactively hunt these threats before they wreak havoc? We invite you to join us for an
https://thehackernews.com/2024/04/webinar-learn-proactive-supply-chain.html
European Police Chiefs said that the complementary partnership between law enforcement agencies and the technology industry is at risk due to end-to-end encryption (E2EE). They called on the industry and governments to take urgent action to ensure public safety across social media platforms. "Privacy measures currently being rolled out, such as end-to-end encryption, will stop tech companies
https://thehackernews.com/2024/04/police-chiefs-call-for-solutions-to.html
Cyber Defense Magazine
Sun, 05 May 2024 15:00:20 +0000
Adversarial Cyber Exercises Are The New Mandate By Stephen Gates, Principal SME, Horizon3.ai After observing the cyber threat landscape in 2023, in the coming year we’re going to see a […] The post Offensive Awakening: The 2024 Shift from Defensive to Proactive Security appeared first on Cyber Defense Magazine.
https://www.cyberdefensemagazine.com/offensive-awakening-the-2024-shift-from-defensive-to-proactive-security/
Harnessing the Power of AI for Advanced Cyber Threat Intelligence and Prevention By Bryan Kissinger, Senior Vice President of Security Solutions and Chief Information Security Officer, Trace3 The digital environment […] The post Navigating the Digital Age: AI’s Crucial Role in Cybersecurity Reinforcement appeared first on Cyber Defense Magazine.
https://www.cyberdefensemagazine.com/navigating-the-digital-age-ais-crucial-role-in-cybersecurity-reinforcement/
By Jyoti Bansal, CEO and Co-Founder, Traceable AI In the dynamic world of digital transformation, I’ve observed a paradigm shift that is reshaping the very fabric of cybersecurity: the monumental […] The post Navigating the API Security Landscape: A CEO’s Perspective on Embedding Zero Trust Principles appeared first on Cyber Defense Magazine.
https://www.cyberdefensemagazine.com/navigating-the-api-security-landscape-a-ceos-perspective-on-embedding-zero-trust-principles/
By Milica D. Djekic There are plenty of methods to determine someone’s identity, and the most convenient cases are through fingerprint, iris detection, DNA and so on, while some […] The post Identity Management Challenges appeared first on Cyber Defense Magazine.
https://www.cyberdefensemagazine.com/identity-management-challenges/
By Ken Westin, Field CISO, Panther Labs This week at the World Economic Forum, there was a panel titled “Are Banks Ready for the Future?” with an esteemed panel of […] The post Hyperbole, Misinformation, and CyberMonsters Under the Bed appeared first on Cyber Defense Magazine.
https://www.cyberdefensemagazine.com/hyperbole-misinformation-and-cybermonsters-under-the-bed/
Evaluate your needs and prioritize solutions that offer open integration and independence from the single-vendor trend, ensuring robust IGA that aligns with evolving security demands and regulatory requirements By Thomas […] The post How SaaS-Based Identity Governance Can Help Future-Proof Your Security appeared first on Cyber Defense Magazine.
https://www.cyberdefensemagazine.com/how-saas-based-identity-governance-can-help-future-proof-your-security/
Trends to Look Out for in 2024 By Yashin Manraj, CEO, Pvotal Technologies For cybersecurity professionals, remaining effective requires staying on top of a constantly evolving arsenal of attack strategies […] The post Hacking and Cybersecurity appeared first on Cyber Defense Magazine.
https://www.cyberdefensemagazine.com/hacking-and-cybersecurity/
By Sagie Dulce, VP Research, Zero Networks A Brief History of Identity Management For as long as there have been identities, there have been solutions trying to manage them so […] The post Stop Managing Identities, Segment them Instead appeared first on Cyber Defense Magazine.
https://www.cyberdefensemagazine.com/stop-managing-identities-segment-them-instead/
By Craig Burland, CISO, Inversion6 In the dynamic and unpredictable realm of cybersecurity, striving for perfect solutions can be a futile and counterproductive pursuit. There are too many threats to […] The post Good Security Is About Iteration, Not Perfection. appeared first on Cyber Defense Magazine.
https://www.cyberdefensemagazine.com/good-security-is-about-iteration-not-perfection/
By Dwayne McDaniel, GitGuardian Developer and Security Advocate, GitGuardian The modern world of DevOps means relying on our code connecting to outside services and components imported at run time. All […] The post GitGuardian Researchers Find Thousands of Leaked Secrets in PyPI (Python Package Index) Packages appeared first on Cyber Defense Magazine.
https://www.cyberdefensemagazine.com/gitguardian-researchers-find-thousands-of-leaked-secrets-in-pypi-python-package-index-packages/
Securityweek
Sat, 04 May 2024 11:06:55 +0000
Vincent Strubel, who heads France’s national cybersecurity agency, called the level of cyberthreats facing the Olympic Games unprecedented. The post French Cyberwarriors Ready to Test Their Defense Against Hackers and Malware During the Olympics appeared first on SecurityWeek.
https://www.securityweek.com/french-cyberwarriors-ready-to-test-their-defense-against-hackers-and-malware-during-the-olympics/
Germany accused Russian military agents of hacking the top echelons of Chancellor Olaf Scholz’s party and other government and industrial targets. The post German Foreign Minister Says Russia will Face Consequences for Monthslong Cyber Espionage appeared first on SecurityWeek.
https://www.securityweek.com/german-foreign-minister-says-russia-will-face-consequences-for-monthslong-cyber-espionage/
Microsoft security chief Charlie Bell pledges significant reforms and a strategic shift to prioritize security above all other product features. The post Microsoft Overhauls Cybersecurity Strategy After Scathing CSRB Report appeared first on SecurityWeek.
https://www.securityweek.com/microsoft-overhauls-cybersecurity-strategy-after-scathing-csrb-report/
Israeli startup LayerX Security banks $25 million in new financing as investors continue to pour money into secure web browsing technologies. The post LayerX Raises $26 Million for Browser Security Platform appeared first on SecurityWeek.
https://www.securityweek.com/layerx-raises-26-million-for-browser-security-platform/
The US government warns of a North Korean threat actor abusing weak email DMARC settings to hide spear-phishing attacks. The post US Says North Korean Hackers Exploiting Weak DMARC Settings appeared first on SecurityWeek.
https://www.securityweek.com/us-says-north-korean-hackers-exploiting-weak-dmarc-settings/
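The weak DMARC setting that lets a spoofed message reach the inbox is usually a monitor-only policy (p=none), a policy applied to only a fraction of failing mail (pct below 100), or an enforced organisational domain whose subdomains are left open (sp=none). The following is an added example, not code from SecurityWeek or from the advisory it summarizes: it parses a DMARC TXT record and reports which of those settings are present. The record strings and domain names are constructed for illustration; a real check would first fetch the TXT record at _dmarc.<domain>.

```python
"""Assess whether a published DMARC record actually enforces a policy.

Added example; not code from SecurityWeek or the US advisory it summarizes.
The sample records below are constructed, and a real check would fetch the
TXT record at _dmarc.<domain> before calling assess_dmarc().
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    policy: Optional[str]            # value of the p= tag, None if no usable record
    subdomain_policy: Optional[str]  # sp= tag, defaulting to p= as RFC 7489 specifies
    pct: int                         # pct= tag, defaulting to 100
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only if failing mail is quarantined or rejected for all mail and all subdomains."""
        return not self.findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a dict keyed by lower-cased tag name."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Flag the settings that let a spoofed message through even though a record exists."""
    if record is None:
        result = DmarcAssessment(None, None, 0)
        result.findings.append("no DMARC record published: receivers apply no policy at all")
        return result

    tags = parse_dmarc(record)
    policy = tags.get("p")
    if tags.get("v", "").upper() != "DMARC1" or policy is None:
        # Receivers treat a record without v=DMARC1 or without p= as if none existed.
        result = DmarcAssessment(None, None, 0)
        result.findings.append("malformed record (missing v=DMARC1 or p=): treated as no policy")
        return result

    policy = policy.lower()
    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # an unparsable pct is ignored by receivers, so the default applies

    result = DmarcAssessment(policy, subdomain_policy, pct)
    if policy == "none":
        result.findings.append("p=none: failures are only reported, never quarantined or rejected")
    if subdomain_policy == "none" and policy != "none":
        result.findings.append("sp=none: any subdomain can be spoofed although the org domain is enforced")
    if pct < 100:
        result.findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing messages")
    return result


# Constructed sample records: one per weakness, plus one sound configuration.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=20; rua=mailto:dmarc@partial.example",
    "subdomains-open.example": "v=DMARC1; p=quarantine; sp=none",
    "no-record.example": None,
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
}


def assess_samples() -> Dict[str, DmarcAssessment]:
    """Run the assessment over every constructed sample record."""
    return {domain: assess_dmarc(rec) for domain, rec in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for domain, assessment in assess_samples().items():
        verdict = "enforcing" if assessment.enforcing else "WEAK"
        print(f"{domain:<24} {verdict:<10} {'; '.join(assessment.findings)}")
```

Only the last sample passes: p=none, a partial pct and an open subdomain policy each leave a path for a spoofed sender, and a missing or malformed record is equivalent to no policy at all.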
Noteworthy stories that might have slipped under the radar: 4,000 take part in Locked Shields 2024 exercise, Qantas and JP Morgan hit by data exposure bugs, NVIDIA patches critical flaw. The post In Other News: Locked Shields 2024, Data Exposure Bugs, NVIDIA Patches appeared first on SecurityWeek.
https://www.securityweek.com/in-other-news-locked-shields-2024-data-exposure-bugs-nvidia-patches/
A botnet dismantled in January and used by Russia-linked APT28 consisted of more than just Ubiquiti Edge OS routers. The post Botnet Disrupted by FBI Still Used by Russian Spies, Cybercriminals appeared first on SecurityWeek.
https://www.securityweek.com/botnet-disrupted-by-fbi-still-used-by-russian-spies-cybercriminals/
CISA and the FBI warn of threat actors abusing path traversal software vulnerabilities in attacks targeting critical infrastructure. The post CISA, FBI Urge Organizations to Eliminate Path Traversal Vulnerabilities appeared first on SecurityWeek.
https://www.securityweek.com/cisa-fbi-urge-organizations-to-eliminate-path-traversal-vulnerabilities/
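The traversal pattern the advisory asks developers to eliminate is a file path built from attacker-controlled input without checking that the result stays inside the intended directory. The following is an added example, not code from CISA, the FBI or SecurityWeek: it puts the buggy join beside a contained resolver and runs a handful of requests through both. The directory layout is created in a temporary location by demo() and is constructed purely for illustration.

```python
"""Path traversal: the join that lets '../' escape the document root, beside a contained version.

Added example; not code from CISA, the FBI or SecurityWeek. The directory
layout is created in a temporary location by demo() and is constructed for
this example only.
"""
import os
import tempfile
from typing import Dict, Optional, Tuple


def unsafe_join(root: str, user_path: str) -> str:
    """The classic bug: normalising collapses '../' segments but never checks that the
    result is still under root, and os.path.join discards root when user_path is absolute."""
    return os.path.normpath(os.path.join(root, user_path))


def resolve_under_root(root: str, user_path: str) -> Optional[str]:
    """Return the resolved absolute path if it lies inside root, otherwise None.

    realpath() resolves both '..' and symlinks, so a symlink inside root that
    points outside is rejected too; commonpath() avoids the prefix pitfall where
    '/srv/files2' would pass a naive startswith('/srv/files') test.
    """
    root_real = os.path.realpath(root)
    # Drop a leading separator so an absolute user path cannot replace root.
    relative = user_path.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root_real, relative))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # different drives on Windows: cannot be inside root
        inside = False
    return candidate if inside else None


def demo() -> Tuple[str, Dict[str, Optional[str]]]:
    """Build a throwaway layout (constructed for this example) and run requests through the safe resolver."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="docroot_"))
    outside = os.path.realpath(tempfile.mkdtemp(prefix="outside_"))
    os.makedirs(os.path.join(root, "reports"))
    with open(os.path.join(root, "reports", "q1.txt"), "w", encoding="utf-8") as fh:
        fh.write("quarterly report\n")
    with open(os.path.join(outside, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("not for the web\n")
    attempts = [
        "reports/q1.txt",              # legitimate request
        "reports/../reports/q1.txt",   # harmless '..' that stays inside root
        "../../etc/passwd",            # classic traversal
        "/etc/passwd",                 # absolute path; replaces root in os.path.join
        "reports/../../outside",       # climbs out of root
    ]
    try:
        os.symlink(outside, os.path.join(root, "link"))
        attempts.append("link/secret.txt")  # symlink escape, caught by realpath()
    except OSError:
        pass  # platforms without symlink support simply skip this case
    return root, {path: resolve_under_root(root, path) for path in attempts}


if __name__ == "__main__":
    print("unsafe_join('/srv/files', '../../etc/passwd') ->", unsafe_join("/srv/files", "../../etc/passwd"))
    print("unsafe_join('/srv/files', '/etc/passwd')      ->", unsafe_join("/srv/files", "/etc/passwd"))
    root, results = demo()
    for request, resolved in results.items():
        print(f"{request:<28} -> {resolved if resolved else 'REJECTED'}")
```

The containment check is done on the fully resolved path rather than on the raw input: filtering the string for "../" misses URL-encoded, double-encoded and symlink variants, whereas comparing realpath() output against the root catches all of them at once.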
An analysis of IoCs suggests that a Chinese threat group may be behind the recent ArcaneDoor espionage campaign targeting Cisco firewalls. The post ArcaneDoor Espionage Campaign Targeting Cisco Firewalls Linked to China appeared first on SecurityWeek.
https://www.securityweek.com/arcanedoor-espionage-campaign-targeting-cisco-firewalls-linked-to-china/
SaaS-based, AI-assisted penetration service allows proactive defensive action against exploitation of new vulnerabilities. The post Horizon3.ai Introduces AI-Assisted Service to Prioritize and Patch Vulnerabilities Faster appeared first on SecurityWeek.
https://www.securityweek.com/horizon3-ai-introduces-ai-assisted-service-to-prioritize-and-patch-vulnerabilities-faster/
Techrepublic
Fri, 03 May 2024 16:52:14 +0000
According to the M-Trends report, the average time it takes for an organisation to detect an attacker in their environment has decreased from 16 days in 2022 to 10 days in 2023.
https://www.techrepublic.com/article/cyber-security-trends-google-report/
The U.K.'s National Cyber Security Centre, along with U.S. and Canadian cyber authorities, has identified a rise in attacks against OT operators since 2022.
https://www.techrepublic.com/article/pro-russia-hacktivists-target-operational-technology/
The year 2024 is bringing a return to stable tech salary growth in APAC, with AI and data jobs leading the way. This follows downward salary pressure in 2023, after steep increases in previous years.
https://www.techrepublic.com/article/tech-jobs-salaries-apac/
TechRepublic identified the top four trends emerging in IoT that businesses in the U.K. should be aware of.
https://www.techrepublic.com/article/iot-trends-uk/
A great way to stay current with the latest technology trends and innovations is by attending conferences. Read and bookmark our 2024 tech events guide.
https://www.techrepublic.com/article/top-tech-conferences-events/
Explore the top password managers that offer secure and efficient password management solutions for teams.
https://www.techrepublic.com/article/password-managers-built-teams/
Save on tech services or switch to a lucrative new tech career by training at your own pace to develop high-demand cybersecurity skills.
https://www.techrepublic.com/article/the-2023-complete-cyber-security-ethical-hacking-certification-bundle/
Security researchers can earn up to $10,000 for critical vulnerabilities in the generative AI products.
https://www.techrepublic.com/article/adobe-ai-bug-bounty/
Are virtual private networks legal to use? Discover if VPNs are legal, restricted or banned in your geolocation and what activities are legal vs. illegal when using a VPN.
https://www.techrepublic.com/article/are-vpns-legal/
TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.
https://www.techrepublic.com/article/techrepublic-premium-editorial-calendar-it-policies-checklists-toolkits-and-research-for-download/
Securelist.com
Tue, 30 Apr 2024 09:00:40 +0000
The report covers the tactics, techniques and tools most commonly deployed by threat actors, the nature of incidents detected and their distribution among MDR customers.
https://securelist.com/kaspersky-mdr-report-2023/112411/
In this article we analyze the social engineering aspects of the XZ backdoor incident: namely, pressuring the XZ maintainer to pass the project on to Jia Cheong Tan, and then urging major downstream maintainers to commit the backdoored code to their projects.
https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/
We continue to report on the APT group ToddyCat. This time, we’ll talk about traffic tunneling, constant access to a target infrastructure and data extraction from hosts.
https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/
New unattributed DuneQuixote campaign targeting entities in the Middle East employs droppers disguised as a Total Commander installer and the CR4T backdoor, implemented in C and Go.
https://securelist.com/dunequixote/112425/
We review the new mobile Trojan banker SoumniBot, which exploits bugs in the Android manifest parser to dodge analysis and detection.
https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/
Kaspersky researchers revisit the leaked LockBit 3.0 builder and share insights into a real-life incident involving a custom targeted ransomware variant created with this builder.
https://securelist.com/lockbit-3-0-based-custom-targeted-ransomware/112375/
Kaspersky’s analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in the OpenSSH server process.
https://securelist.com/xz-backdoor-story-part-1/112354/
In this article, we share our analysis of a recent version of the DinodasRAT implant for Linux, which may have been active since 2022.
https://securelist.com/dinodasrat-linux-implant/112284/
In this report, we share our latest Android malware findings: the Tambir spyware, Dwphon downloader and Gigabud banking Trojan.
https://securelist.com/crimeware-report-android-malware/112121/
Kaspersky ICS CERT shares industrial threat statistics for H2 2023: most commonly detected malicious objects, threat sources, threat landscape by industry and region.
https://securelist.com/threat-landscape-for-industrial-automation-systems-h2-2023/112153/