Securing Open Source

Malicious PyPI Package ‘Pytoileur’ Targets Windows and Leverages Stack Overflow for Distribution

Steven J. Vaughan-Nichols | May 29, 2024 | Malware, PyPI, python, Sonatype, windows malware

Another day, another PyPI malware package. But this one has a new way to (try to) sneak into your computer ...

Security Boulevard

GitHub Issues Patch for Critical Exploit in Enterprise Server

Nathan Eddy | May 23, 2024 | Authentication, CVE-2024-4985, ghes, GitHub, SAML SSO, single sign on

The vulnerability affects all GHES versions prior to 3.13.0 and achieves the highest possible CVSS score of 10. Instances with SAML SSO authentication are at risk ...

Security Boulevard

North Korea IT Worker Scam Brings Malware and Funds Nukes

Richi Jennings | May 17, 2024 | DPRK, Korea, Korean military, Korean ransomware, North Korea, North Korean Hacking, North Korean Threat Actors, northkorea, Noth Korea, SB Blogwatch

WTH? DPRK IT WFH: Justice Department says N. Korean hackers are getting remote IT jobs, posing as Americans ...

Security Boulevard

VFCFinder Highlights Security Patches in Open Source Software

Nathan Eddy | May 16, 2024 | north Carolina state university, open source, security patches, software dependencies, vfc, vfcfinder, vulnerability, Vulnerability Fixing Commits

VFCFinder analyzes commit histories to pinpoint the most likely commits associated with vulnerability fixes ...

Security Boulevard

Dell Hell Redux — More Personal Info Stolen by ‘Menelik’

Phish Ahoy! Hacker took advantage of Dell’s lack of anti-scraping defense ...

Security Boulevard

GitLab ‘Perfect 10’ Bug Gets a CISA Warning: PATCH NOW

Password reset FAILURE: The U.S. Cybersecurity and Infrastructure Security Agency warns GitLab users of a 100-day-old, maximum severity vulnerability ...

Security Boulevard

UK, apple, ‘Union Jack’ bunting in Balham after the Queen’s Platinum Jubilee celebrations, June 2022

Brits Ban Bad Passwords — and Other IoT Stupid Stuff

Richi Jennings | April 30, 2024 | bad passwords, blank password, Consumer IoT, gchq, gov.uk, Internet of things, Internet of Things (IoT), Internet of Things (IoT) Security, iot, National Cyber Security Centre, NCSC, Product Security and Telecommunications Infrastructure act (PSTI), SB Blogwatch, The ‘S’ in IoT stands for Security, uk, United Kingdom

Nice Cup of IoTea? The UK’s Product Security and Telecommunications Infrastructure Act aims to improve the security of net-connected consumer gear ...

Security Boulevard

CISA, cyber threats, Seal of the Cybersecurity & Infrastructure Security Agency

Sisense Hacked: CISA Warns Customers at Risk

Richi Jennings | April 12, 2024 | Amazon Web Services (AWS), aws, AWS access keys, AWS bucket, cisa, CISA Advisories, CISA Advisory, CISA Alert, CISA warning, CISA.gov, depth, NSA/CISA, Sangram Dash, SB Blogwatch, Sisense

A hard-coded credential catastrophe: The analytics firm kept big companies’ secrets in an insecure AWS bucket. Government says victims include the “critical infrastructure sector.” ...

Security Boulevard

An old-school telephone, the like of which Millenials have never seen. Also: Get off my lawn.

FCC: Phone Network Bugs Must Be Fixed — But are SS7/Diameter Beyond Repair?

Fast enough for government work: The Federal Communications Commission is finally minded to do something about decades-old vulnerabilities ...

Security Boulevard

David Boies, founding partner and chairman of Boies Schiller Flexner, LLP

Chrome’s Incognito Mode Isn’t as Private as You Think — but Google’s Not Sorry

Short term gain for long term pain? Class action attorney David Boies asked for $5,000 per user, but got nothing—except some assurances Google will delete data it no longer needs ...

Security Boulevard