Friday, 2 June 2023

Russia Says NSA Hacked iOS With Apple’s Help — we Triangulate Kaspersky’s Research - Security Boulevard

Tit-For-Tat #Triangulation Trojan Talk:

Thursday, 1 June 2023

Dev Jobs are Dead: ‘Everyone’s a Programmer’ With AI ¦ Intel VPUs - DevOps.com

The moral of the story: Too many of us are not living our dreams because we are living our fears

Wednesday, 31 May 2023

‘Extinction risk’: Could AI wipe out humans via software backdoors? - ReversingLabs

Generative, schmenerative:

Tuesday, 30 May 2023

‘Predator’ — Nasty Android Spyware Revealed - Security Boulevard

‘Alien’ Technology:

Friday, 26 May 2023

COSMICENERGY: ‘Russian’ Threat to Power Grids ICS/OT - Security Boulevard

IEC 60870-5-104 ‘insecure by design’:

Thursday, 25 May 2023

US DoJ Makes PyPI Give Up User Data ¦ Tape Storage: Not Dead - DevOps.com

The moral of the story: The report of my death has been grossly exaggerated

Wednesday, 24 May 2023

‘BrutePrint’ Unlocks Android Phones — Chinese Researchers - Security Boulevard

SPI/TEE MITM FAIL:

Tuesday, 23 May 2023

PyPI paused as automated attack overwhelms admins - ReversingLabs

Python team needs a rest:

Monday, 22 May 2023

Facebook Fined $1.3B — Zuckerberg Furious in GDPR Fight - Security Boulevard

GDPR Move for Mark’s Money: No legal way to move Europeans’ data to the US since 2015. Cloud industry better take note.

Friday, 19 May 2023

Google Chrome 3rd Party Cookies Crumbling — Finally! - Security Boulevard

Om Nom Nom Nom Nom: #PrivacySandbox inching towards reality. But concerns remain.

Thursday, 18 May 2023

OpenAI to go Open Source — Elon Musk was a ‘Huge Idiot’ ¦ Mojo Risin’ - DevOps.com

The moral of the story: If they say I never loved you, you know they are a liar

Wednesday, 17 May 2023

MSI UEFI key breach: How safe are YOUR secrets?

OEM OMG: No HSM

Tuesday, 16 May 2023

TSA Facial Recognition Pilot Flies Solo at U.S. Airports - Security Boulevard

Your Tinfoil Hat is Under Your Seat: Prepare to have your face scanned at airport security.

Wednesday, 10 May 2023

Microservices Sucks — Amazon Goes Back to Basics - DevOps.com

The moral of the story: Life shrinks or expands in proportion to one’s courage

Tuesday, 9 May 2023

Red teamers take on AI at DEF CON 31 - ReversingLabs

Near the Tannhäuser Gate:

Monday, 8 May 2023

Knives Out for TikTok as Journo Reveals her Spy Story - Security Boulevard

Clock Ticking for U.S. Ban: FT’s Criddle claims ByteDance spied on her—because she wrote damaging stories about TikTok.

Friday, 5 May 2023

Dallas Reels from Royal Ransomware Raid - Security Boulevard

Royal, née Zeon, born of Conti: Police, 911, courts and other city services staggering to recover

Thursday, 4 May 2023

FIDO/WebAuthn Passkeys is Inevitable: Get on the Train ¦ IBM CEO Hates WFH - DevOps.com

The moral of the story: The two most important days in your life are the day you are born and the day you find out why

Wednesday, 3 May 2023

SolarWinds hack: Did DoJ know 6 months earlier? - ReversingLabs

DoJ on down-low for half a year:

Tuesday, 2 May 2023

New Apple ‘Rapid’ Update is Slow, Messy FAIL - Security Boulevard

PATCH NOW! Oh, wait, you can’t: “You are no longer connected to the internet,” it sneers.

Friday, 28 April 2023

Rust in Windows — it’s Official — Safe and Fast - Security Boulevard

40-year-old code: Starting with ancient, vulnerable legacy, Redmond team is rewriting chunks in the trendy secure language.

Thursday, 27 April 2023

Linux 6.3: What’s New ¦ AWS Layoffs are a Worry - DevOps.com

The moral of the story: Every strike brings me closer to the next home run

Wednesday, 26 April 2023

#RSAC is bustling — AI + security is huge: #StrongerTogether? - ReversingLabs

#RSAC #AI snacks #StrongerTogether:

Tuesday, 25 April 2023

FINALLY! Google Makes 2FA App Useable — BUT There’s a Catch - Security Boulevard

2FA OTP ASAP?

Monday, 24 April 2023

Governments Try to Ban Encryption (Yet Again) - Security Boulevard

CSAM: Déjà Vu

Tuesday, 18 April 2023

EU cyber laws ‘will’ make FOSS devs liable - ReversingLabs

The Python Software Foundation is very, very unhappy with the draft Cyber Resilience Act (CRA) and Product Liability Act (PLA).

European lawmakers want all software makers to be liable for security holes. Even non-profit or hobbyist developers could be sued for negligence.

The EU’s draft Cyber Resilience Act (CRA) and Product Liability Act (PLA) would “create a chilling effect” and do “irreparable harm,” according to the organization behind Python and PyPI. When replicated across other parts of the software supply chain ecosystem, we risk the whole house of cards crashing down — as devs race to limit their liability.

The goal might be laudable, but some aspects need a major rethink. In this week’s Secure Software Blogwatch, we fear unintended consequences.

Monday, 17 April 2023

Drop Everything: Update Chrome NOW — 0-Day Exploit in Wild - Security Boulevard

It’s Help|About time:

Friday, 14 April 2023

Western Digital Redux: My Cloud Alive Again, Ransom is $10M+ - Security Boulevard

Your Cloud — But For How Long?

Thursday, 13 April 2023

Can ChatGPT Fix Bugs? ‘Wolverine’ Dev Says YES - DevOps.com

The moral of the story: Life’s tragedy is that we get old too soon and wise too late

Wednesday, 12 April 2023

‘But His Emails!’ — Ukrainian Hackers Hack Hillary Hacker - Security Boulevard

Beware Fancy Bears Bearing Gifts:

Tuesday, 11 April 2023

Has public USB ‘juice jacking’ made it into the wild? - ReversingLabs

Déjà vu, but carry protection:

Monday, 10 April 2023

Yes, You CAN Steal This Car — by Opening the Fender - Security Boulevard

Car Makers: CAN You Not?
Thieves are prising open the front fenders of cars, just below the headlight. The idea is to get at the car’s data bus, known as CAN.

Friday, 7 April 2023

Tesla Staff Shared Saucy Snaps of Customers (Sources Say) - Security Boulevard

I guess I’m banned from Twitter now: Tesla employees mocked and memeified private photos and videos. Firm’s message boards were full of the stuff.

Thursday, 6 April 2023

Android Apps Must Let Users Delete Data ¦ RISC-V in the Data Center - DevOps.com

The moral of the story: Live in the sunshine, swim the sea, drink the wild air

Wednesday, 5 April 2023

With Twitter code in the wild, DevSecOps doubts surface - ReversingLabs

Blue bird b0rked:

Tuesday, 4 April 2023

TikTok Abused Kids’ Data — UK Fines it $16 Million - Security Boulevard

This is Fine: $8.50 per Child
UK regulator punishes TikTok at 5.5% of revenue. Says app illegally tracked children.

Monday, 3 April 2023

Western Digital Hacked: ‘My Cloud’ Data Dead (Even Local Storage!) - Security Boulevard

Déjà Vu: Not Your Cloud
Hack of WD systems leads to My Cloud service outage. Owners unable to access files.

Friday, 31 March 2023

npm is Scam-Spam Cesspool ¦ Google in Microsoft Antitrust Thrust - DevOps.com

The moral of the story: Life would be tragic if it weren’t funny

Thursday, 30 March 2023

Brits Slap Wrists of DDoS Kids, via NCA’s Fake Booter Sites - Security Boulevard

UK NCA: No Way
UK National Crime Agency nips it in the bud: Aims to scare straight naughty DDoS kiddies.

Wednesday, 29 March 2023

Do you trust AI to find app sec holes while you sleep? - ReversingLabs

Purr-fect? Or cat-astrophe?
Microsoft has turned OpenAI’s LLM onto cybersecurity. “Security Copilot” is its name for conversational, ChatGPT security analysis and monitoring.

Friday, 17 March 2023

FINALLY! FCC Acts on SMS Scam-Spam — But Will It Work?

NARRATOR: It didn’t
Federal Communications Commission rules to block illegal text messages. What took you so long?

Thursday, 16 March 2023

Scams Lost US $10 BILLION in 2022 — Crypto Fraud Grows Fast - Security Boulevard

Ben is disappointed: FBI reports huge rise in cryptocurrency investment scams. Why am I not surprised?

Tuesday, 14 March 2023

SVB: When Silly Valley Sneezes, DevOps Catches a Cold - DevOps.com

The moral of the story: Good friends, good books and a sleepy conscience: This is the ideal life

Monday, 13 March 2023

White House to Regulate Cloud Security: Good Luck With That - Security Boulevard

Be careful what you wish for: Biden administration wants new regulations for cloud providers. But we’re not sure it’ll help.

Friday, 10 March 2023

‘Extraordinary, Egregious’ Data Breach at House and Senate - Security Boulevard

Capitol Trouble: Senators, representatives and staffers suffer PII leak: Could it finally kickstart some action?

Thursday, 9 March 2023

Ban TikTok, say FBI, CIA, NSA, DNI, GOP, DNC, POTUS (but not ACLU) - Security Boulevard

R.E.S.P.E.C.T. RESTRICT
The White House and both sides of the Senate agree: TikTok needs to be stopped—or at least RESTRICT’ed. A bipartisan bill seeks to make that happen.

Wednesday, 8 March 2023

Linux Tweak Brings Big Speedup ¦ DCs in SPAAACE (Redux) ¦ Atlassian Fires 500 - DevOps.com

The moral of the story: You have brains in your head. You have feet in your shoes. You can steer yourself any direction you choose.

Tuesday, 7 March 2023

White House cyber strategy: A love/hate story - ReversingLabs

A thin line: The Biden administration’s new cybersecurity strategy will, among other things, punish big software developers for failing to follow best practices. And, for the first time, it will make them liable.

Monday, 6 March 2023

Voice-Clone AI Scams — it’s NOT ME on the Phone, Grandma - Security Boulevard

“Wolfie’s fine, honey”
Voice AI tech being misused by scammers: Scrotes fake your voice and call your grandparents.

Friday, 3 March 2023

Microsoft FAIL: ‘BlackLotus’ Bootkit Breaks Secure Boot - Security Boulevard

UEFI DBX Ignored for 13 Months: BlackLotus malware targets UEFI Secure Boot. For a mere $5000, you too can own it.

Thursday, 2 March 2023

LinkedIn Job Scams: Out of Hand ¦ 4-Day Workweek: Let’s Get Serious - DevOps.com

The moral of the story: Life is 10% what happens to you and 90% how you respond to it

Wednesday, 1 March 2023

LastPass revelations: BIG lessons for DevSecOps teams - ReversingLabs

Yearnings for learnings: LastPass has revealed a little more about the vault breach that occurred during August last year. And there are big, big lessons to be learned for Dev(Sec)Ops.

Tuesday, 28 February 2023

US Marshals Ransomware Hack is ‘Major Incident’ - Security Boulevard

Useless USMS?
The U.S. Marshals Service (USMS) has been hacked (again). Scrotes stole sensitive stuff (supposedly).

Friday, 24 February 2023

‘See No Evil’ — Mozilla SLAMS Google’s App Privacy Labels - Security Boulevard

Google’s not Looking, so You’re Blind: Google doesn’t want you to know what your Android apps do with your data. That seems to be the conclusion from a Mozilla study into Google’s app store.

Thursday, 23 February 2023

WTH? WFH is 6× Pre-Covid ¦ Plus: Agile Sucks (Redux) - DevOps.com

The moral of the story: Life is like a coin—you can spend it any way you wish, but you only spend it once

Wednesday, 22 February 2023

Surprise! US DoD Server Had no Password — 3TB of Sensitive Data Leaked - Security Boulevard

I’m Sorry, Dave: Sensitive military data found on unprotected Microsoft Azure server. Defense Department email store left insecure for at least 11 days.

Tuesday, 21 February 2023

Lesson from Core-JS: Beware hidden dependencies from indebted Russian devs - ReversingLabs

This is not a drill: Denis Pushkarev has big debts — and his code is EVERYWHERE.
The core-js project is absolutely huge. Perhaps your project has a dependency on it? The likelihood is you’d never know.

Monday, 20 February 2023

GoDaddy Hosting Hacked — for FOURTH Time in 4 Years - Security Boulevard

4th Time’s a Charm: GoDaddy’s web hosting service breached yet again. This time, the perps were redirecting legit websites to malware.

Friday, 17 February 2023

‘Serious’ Ransomware Emergency in Oakland, Calif. — Legacy FAIL - Security Boulevard

Transparency: We’ve Heard of It
Oakland is still reeling from last week’s ransomware attack. San Francisco’s poorer neighbor is asking for help.

Thursday, 16 February 2023

Dev of core-js Will Flip Table ¦ Another 451 PyPI Maldeps - DevOps.com

The moral of the story: The healthiest response to life is joy

Wednesday, 15 February 2023

Lessons from ChatGPT, Bing AI, Bard and Copilot: Chatty AI is just a toy - ReversingLabs

Beep, boop; hope, hype: Generative AI isn't ready for prime time. So don't play games with your software development. After the uncritical, hyperbolic stories last week, here comes the fable: The innocent child inconveniently points at Microsoft’s Bing AI demo as if it was a naked emperor.

Tuesday, 14 February 2023

Your Mental Health Data for Sale or Rent — 20¢ - Security Boulevard

US GDPR ASAP: Data brokers are selling PII about mental health conditions—such as depression, anxiety, bipolar disorder, PTSD and OCD.

Friday, 10 February 2023

Reddit Hacked — 2FA is no Phishing Phix - Security Boulevard

Snoo Boo Boo: Reddit got hacked with a “sophisticated” spear phishing attack. The individual victim was an employee who clicked the wrong email link.

Thursday, 9 February 2023

Amazing Fast Crypto for IoT — US NIST Fingers ASCON - Security Boulevard

CAESAR Winner Wins Again: Implementing modern cryptography standards on tiny IoT devices is hard. They’re underpowered, need to sip battery charge and something like AES is often overkill.

Wednesday, 8 February 2023

Voice.ai ‘Stole’ Code ¦ AWS Gets Filthier - DevOps.com

The moral of the story: Life is a succession of lessons which must be lived to be understood

Tuesday, 7 February 2023

C-SCRM: We’re from the government — and we’re here to help with software supply chain security - ReversingLabs

CISA and FASC and NIST — oh my!
A whole alphabet soup of agencies, offices and councils are springing up in D.C. and beyond. They’re trying to help us with the software supply chain security problem.

Monday, 6 February 2023

Dutch Cops Bust ‘Exclu’ Messaging Service, Arrest 42 - Security Boulevard

Exclu Sieve: Crims are Dim
Police in the Netherlands broke open alleged drugs gangs by hacking an encrypted messenger service, Exclu. Lives were saved and alleged perps arrested.

Friday, 3 February 2023

Anker’s Eufy Admits ‘Lie’ After TWO Months — Still no Apology - Security Boulevard

Euf***ed Up — Again: Anker said its Eufy cameras never send unencrypted video. But a couple of months ago, researchers discovered they did. Despite the clear evidence, Anker denied, delayed and deflected.

Thursday, 2 February 2023

OpenAI Hires 1,000 Low Wage Coders to Retrain Copilot | Netflix Blocks Password Sharing - DevOps.com

The moral of the story: Life is like riding a bicycle: To keep your balance, you must keep moving

Wednesday, 1 February 2023

‘Finish Him!’ US Kills Huawei With Final Tech Ban - Security Boulevard

“Splendid Achievement”
The federal government has cut off Huawei’s last sources of technology. Export licenses for chips and other tech components are finished.

Tuesday, 31 January 2023

Google's open source team layoffs: Your software supply chain security is at risk - ReversingLabs

Don’t be evil: Google has laid off many leading lights of the open source world. This will have a profound effect on software supply chain security.

Another Password Manager Leak Bug: But KeePass Denies CVE - Security Boulevard

‘Nihilistic; Dismissive’
Two researchers report vulnerability in KeePass. But lead developer Dominik Reichl says it’s not a problem—and refuses to fix the flaw.

Friday, 27 January 2023

‘Hive’ Russian Ransomware Gang Shut Down by FBI, DoJ, Europol, Bundeskriminalamt, et al - Security Boulevard

Site Seized; Russians Riled: The ransomware scrotes known as Hive got pwned this week. Their servers are no more.

Wednesday, 25 January 2023

Microsoft Outage Outrage: Was it BGP or DNS? - DevOps.com

The moral of the story: Life imposes things on you that you can’t control, but you still have the choice of how you’re going to live through this

Tuesday, 24 January 2023

Move over, npm: Trust VS Code extensions at your own risk, dev teams - ReversingLabs

VSC Marketplace FAIL: It’s super easy to spoof Visual Studio Code extensions. And it’s incredibly hard to detect.

Monday, 23 January 2023

US No-Fly List Leaked via Airline Dev Server by @_nyancrimew - Security Boulevard

FBI TSC CSV on AWS S3: CommuteAir, a United Airlines puddle-jumper affiliate, leaked the federal government’s No-Fly and “Selectee” lists. Or, at least, a snapshot from 2019—totaling more than 1.8 million entries.

Friday, 20 January 2023

T-Mobile’s SIXTH Breach in 5 years: 37M Users’ PII Leaks - Security Boulevard

Magenta Maladministration: T-Mobile US has been hacked yet again. In case you’re not keeping score, that’s the sixth time since 2018.

Thursday, 19 January 2023

8-Bit Floating Point for AI/ML? | Amazon and Microsoft Shed Tech Jobs - DevOps.com

The moral of the story: You never really learn much from hearing yourself speak

GitHub Copilot’s ML ‘Code Brushes’: Ready for a Bob Ross ‘happy little accident’? - ReversingLabs

Good thing, or bad?
GitHub launches Code Brushes — a fascinating new “usable prototype” toolbox in the Copilot Labs Visual Studio Code extension. In theory, it can make your code more secure, easier to understand and more.

Monday, 16 January 2023

Another Password Manager Breach: NortonLifeLock Apes LastPass - Security Boulevard

Monkey123 See — Monkey123 Do: NortonLifeLock is warning customers their passwords are loose. First LastPass, now this?

Friday, 13 January 2023

Yikes, Control Web Panel has Critical RCE — Patch NOW - Security Boulevard

CWP RCE CVE POC BBQ: Linanto’s popular web hosting control panel, CWP, has a nasty flaw. It’s easily exploitable—in fact, it’s being exploited right now.

Thursday, 12 January 2023

FAA Ground Stop due to Technical Debt? | Don’t Do DIY Crypto! - DevOps.com

The moral of the story: Don’t settle for what life gives you—make life better and build something

Wednesday, 11 January 2023

If you don't love me now: JsonWebToken breaks the software supply chain (again) - ReversingLabs

JWT type confusion: Yes, here’s another example of the risks in uncontrolled software supply chains. This npm library is relied upon by countless apps and services — perhaps yours.

Tuesday, 10 January 2023

Digital License Plates: Stupid, Pointless, Insecure - Security Boulevard

The ‘S’ in IoT is for Security: Reviver’s Rplate digital license plates are inherently insecure. Their design seems riddled with privacy holes, and what little API security exists is easily defeated.

Monday, 9 January 2023

CES 2023 FAIL: Worst in Show for Security and Privacy - Security Boulevard

This Happened in Vegas — it Should Stay in Vegas: The Consumer Electronics Show wrapped up yesterday. But some vendors faced stiff criticism over their privacy and security stances.

Thursday, 5 January 2023

Southwest Airlines: ‘Shameful’ Technical Debt Bites Back - DevOps.com

The moral of the story: I like criticism. It makes you strong.