Security and Windows TCO
-
Security Week ☛ iMessage Zero-Click Attacks Suspected in Targeting of High-Value Individuals
iVerify links iPhone crashes to sophisticated zero-click attacks via iMessage targeting individuals involved in politics in the EU and US.
-
Security Week ☛ Chinese Hackers and User Lapses Turn Smartphones Into a ‘Mobile Security Crisis’
Foreign hackers have increasingly identified smartphones, other mobile devices and the apps they use as a weak link in U.S. cyberdefenses.
-
Confidentiality
-
UnixBSDShell ☛ TOR Installation And Configuration On FreeBSD Server
Tor is a free, open-source utility and open network that enables anonymous communication. When combined, these two components help defend against various forms of traffic analysis and network surveillance. Trying to explain Tor comprehensively again is beyond the scope of this article; you can read about it through the literature provided by the project website and The Electronic Frontier Foundation (EFF) before installing it.
-
-
Canonical/Ubuntu Family
-
Ubuntu ☛ Apache Spark security: start with a solid foundation
Securing Spark is key to maintaining enterprise business continuity, safeguarding data in memory as well as at rest, and defending against emerging vulnerabilities unique to distributed, in-memory processing platforms. Unfortunately, securing Spark is far from a trivial task; in this blog we’ll take a closer look at what makes it so challenging, and the steps that enterprises can take to protect their big data platforms.
-
-
Windows TCO / Windows Bot Nets
-
Security Week ☛ React Native Aria Packages Backdoored in Supply Chain Attack [Ed: NPM, so Microsoft is the issue; it transmits malware again]
A threat actor published backdoored versions of 17 NPM packages from GlueStack in a fresh supply chain attack.
-
Security Week ☛ Malicious NPM Packages Disguised as Express Utilities Allow Attackers to Wipe Systems [Ed: Windows TCO, or Microsoft TCO; Microsoft is the spreader of malware]
Two malicious NPM packages contain code that would delete production systems when triggered with the right credentials.
-
Krebs On Security ☛ Patch Tuesday, June 2025 Edition
Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public.
-
Security Week ☛ Sensitive Information Stolen in Sensata Ransomware Attack
Sensata said at the time that it had detected the intrusion on April 6, when ransomware started encrypting files stored on its systems. It also found evidence that the attackers had stolen some data.
-
Cyble Inc ☛ Software Supply Chain Attacks Have Surged In Recent Months
“Damage from a single successful exploit in those areas can be widespread, as happened with the hundreds of CL0P ransomware victims from a single vulnerability,” Cyble said. Those CL0P victims helped make February a record month for ransomware attacks.
-
-
Integrity/Availability/Authenticity
-
Security Week ☛ Nigerian Involved in Hacking US Tax Preparation Firms Sentenced to Prison
Kingsley Uchelue Utulu has been sentenced to more than 5 years in prison for his role in a scheme that involved hacking, fraud and identity theft.
-
A targeted attack mimics communication from company CEO to steal funds
Over the last few weeks, Kaspersky detected a series of sophisticated attack attempts aimed at deceiving an organisation’s finance team into paying fraudulent invoices. Emails mimicking correspondence between the organisation’s CEO and contractor companies were sent to the organisation’s finance department to persuade them into paying urgent “invoices” for alleged “consulting services”.
-
The Register UK ☛ Trump EO axes digital IDs, blames 'illegal aliens' for fraud
Eliminating this digital ID requirement "in the name of preventing fraud, waste, and abuse is like claiming we need safer roads while removing guardrails from bridges," Center for Democracy and Technology CEO Alexandra Reeve Givens said in an email to The Register. She added that the Biden order did not mandate government-issued digital IDs for undocumented immigrants: "That's simply not true," she said.
-
The Register UK ☛ Google brute-force attack exposes phone numbers in minutes
They explained in the post that "after looking through random Google products, I found out that I could create a Looker Studio document, transfer ownership of it to the victim, and the victim's display name would leak on the home page, with 0 interaction required from the victim."
The researcher also found an old-school username recovery form that worked without JavaScript, which allowed them to check if a recovery email or phone number was associated with a specific display name using 2 HTTP requests.
-
University of Toronto ☛ Potential issues in running your own identity provider
The hardcore option is to rely on no outside services at all, not even for multi-factor authentication. This pretty much reduces your choices for MFA down to TOTP and perhaps WebAuthn, either with devices or with hardware keys. And of course you're going to have to manage all aspects of your MFA yourself. I'm not sure if there's capable open source software here that will let people enroll multiple second factors, handle invalidating one, and so on.
-