Andy's News Roundup
Thousands of Citrix Servers Still Unpatched for Critical Vulnerabilities
#Cybersecurity
Dec 29, 2022 | Ravie Lakshmanan | Server Security / Citrix
Thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain vulnerable to two critical security flaws disclosed by the company over the last few months. The issues in question are CVE-2022-27510 and CVE-2022-27518 (CVSS scores: 9.8), which were addressed by the virtualization services provider on November 8 and December 13, 2022, respectively. While CVE-2022-27510 relates to an authentication bypass that could be exploited to gain unauthorized access to Gateway user capabilities, CVE-2022-27518 concerns a remote code execution bug that could enable the takeover of affected systems. Citrix and...
LastPass Data Breach: It’s Time to Ditch This Password Manager
#Technology
You've heard it again and again: You need to use a password manager to generate strong, unique passwords and keep track of them for you. And if you finally took the plunge with a free and mainstream option, particularly during the 2010s, it was probably LastPass. For the security service's 25.6 million users, though, the company made a worrying announcement last week: A security incident the firm previously reported on November 30 was actually a massive and concerning data breach that exposed encrypted password vaults—the crown jewels of any password manager—along with other user data. The details LastPass provided about...
The UK Data Protection Reforms from an EU perspective
#Cybersecurity
Political turmoil in the UK has slowed down the Government plans to reform data protection: since the Data Protection and Digital Information Bill was tabled in Parliament this June, two Prime Ministers were quickly ousted and, six months after the Bill was published, a parliamentary debate around the Bill has yet to be scheduled. In the meanwhile, a delegation from the European Parliament visited London and left with some rather scathing opinions about the UK data protection reform, but UK Ministers have been denying that there is any issue with their proposals. At the Westminster eForum Conference, the deputy director...
Probing Weaponized Chat Applications Abused in Supply-Chain Attacks
#Cybersecurity
This report examines the infection chain and the pieces of malware used by malicious actors in supply-chain attacks that leveraged trojanized installers of chat-based customer engagement platforms.
By: Jaromir Horejsi, Joseph C Chen | December 14, 2022 ...