nerdculture.de is one of the many independent Mastodon servers you can use to participate in the fediverse.

#itsec

9 posts · 6 participants · 0 posts today

#Microsoft used its #AI-powered #SecurityCopilot to discover 20 previously unknown vulnerabilities in the #GRUB2, #UBoot, and #Barebox #opensource #bootloaders.
GRUB2 (GRand Unified Bootloader) is the default boot loader for most #Linux distributions, including Ubuntu, while U-Boot and Barebox are commonly used in embedded and #IoT devices.
bleepingcomputer.com/news/secu #ITSec

»Gmail Gets End-To-End Encryption From Google As 21st Birthday Present:
[…] Google Claims To Have Invented An Entirely New Type Of Encryption For Gmail Users […]«

This is not an April joke and yes Google offers OpenPGP for Gmail Accounts. This is not difficult to set up but too many people are too lazy in my opinion.

📧 forbes.com/sites/daveywinder/2

Forbes · Gmail Gets End-To-End Encryption From Google As 21st Birthday Present: As Gmail turns 21, Google has announced it is bringing end-to-end encryption to the email party. Here's what you need to know.
#e2ee #openpgp #email

»Uncertainty – US cutback frenzy endangers open-source projects important for the Internet:
The new US government is withdrawing funding from the Open Technology Fund (OTF). Among others, @letsencrypt, @torproject and @fdroidorg depend on it financially. The OTF has filed a lawsuit«

Very delicate, and it affects, even if "only" indirectly, every person on Earth. The egoism of one madman can affect us all!

👉 derstandard.at/story/300000026

DER STANDARD · Trump's cutback frenzy endangers open-source projects important for the Internet: The new US government is withdrawing funding from the Open Technology Fund. Among others, Let’s Encrypt, Tor and F-Droid depend on it financially. The OTF has filed a lawsuit
#trump #uspol #tor

»Cybercrime - Swisspass account hacked: a free ride for the fraudsters:
Hackers change the login and order train tickets worth almost 900 francs at a student's expense. This is not an isolated case.«

I am glad that I still often use analog things, and do so deliberately. What upsets me more is that many digital and online services do not really care about the security of their customers.

🔊 [CH-DE] srf.ch/sendungen/kassensturz-e

Schweizer Radio und Fernsehen (SRF) · Swisspass account hacked: student falls victim to fraudsters: Hackers change the login and order train tickets worth almost 900 francs at a student's expense. Not an isolated case.
#sbb #bahn #ticket

Apple ID Hack — New Warning For 2 Billion Users

Apple has long since had an air of invulnerability about it as far as users have been concerned; be they iPhone, iPad or Mac fans, the ecosystem has been thought of as pretty darn secure. Like most security assumptions, however, it is wrong. […]

🍎 forbes.com/sites/daveywinder/2

Forbes · Apple ID Hack—New Warning For 2 Billion Users: As hackers turn their attention from Windows to iOS and macOS, beware these new Apple ID attacks—here’s what you need to know.

Replied in thread

@dzwiedziu @fj @signalapp not really, as the #Metadata #FUD cited by #Signal is mitigable with proper measures.

  • You can't even run Signal over @torproject and even if that point is moot when you're forced to quasi-#KYC by virtue of a #PhoneNumber aka. #PII they have neither legitimate interest nor technical reason to demand in the first place!

Every claim that things like #ITsec, #InfoSec, #OpSec & #ComSec can be solved with "Just use Signal!" is "#TechPopulism" at best if not being a "#UsefulIdiot"!

What is BLAKE3?

Even though I am a big fan of using BLAKE3 for hashing, it is not possible to use it to great advantage everywhere. What kind of thing is always what you have to question as a programmer. In the case of a product, the following conditions are met.

🔏 academy.bit2me.com/en/que-es-b

Bit2Me Academy · What is BLAKE3? Meet BLAKE3, one of the fastest, most secure and efficient hashing algorithms in the computing and blockchain world.

Replied in thread

@Andromxda @mollyim no it's not bs and fanboying @signalapp isn't going to change that.

If #Signal was secure it would be the #1 comms tool of organized crime...

Real professionals use #SelfHosting capable, fully #FLOSS'd solutions like #PGP/MIME & #XMPP+#OMEMO.

It's just me reading the room: Cuz #ComSec isn't done with "JuSt UsE sIgNaL!" and everyone who claims so without pointing out #OpSec, #InfoSec & #ITsec is BSing hard.

  • The cold hard truth is that #TechLiteracy is irreplaceable and the only solution to it is to actually teach normies how to "get gud" with stuff like PGP.

Fortunately, @thunderbird and @tails_live / @tails / #Tails and many other tools make that easier than ever before.

sqlmap: Automatic SQL injection and database takeover tool

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. […]

🔎 darkwebinformer.com/sqlmap-aut

Dark Web Informer - Cyber Threat Intelligence · sqlmap: Automatic SQL injection and database takeover tool
#sql #check #database