Cybersecurity information flow

有新的漏洞组件被发现啦,组件ID:Apache
Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of nodes of InLong. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick [1] to solve it. [1] https://cveprocess.apache.org/cve5/[1]%C2%A0https://github.com/apache/inlong/pull/7891 https://github.com/apache/inlong/pull/7891 https://github.com/apache/inlong/pull/7891

近日，一张由AI生成的假照片在推特上疯传，照片上显示的是华盛顿五角大楼发生剧烈爆炸的画面。这个事件暴露出了马斯克的Twitter Blue付费认证的真正问题。 周一上午晚些时候，这张假照片在社交信息平台上一经发布后不久就在网上疯传，直到美国政府官员出面，证实并谴责该照片只是个骗局才得以平息。 俄罗斯国家媒体和一个虚假的彭博新闻账户的个人资料名称旁边出现了蓝色对勾认证标记，此事备受争议。 美国东部时间上午10点左右，一张五角大楼草坪上熊熊燃烧的照片开始被大量转发，并快速传播，该照片的标题为“华盛顿特区五角大楼附近发生大爆炸的初步报告”。 据《福布斯》报道，美国国防部发言人已经声明这张照片是个“错误信息”。 到美国东部时间上午10点27分，阿灵顿消防和急救中心也在推特上谴责这是张假照片。该部门的推特账号发布内容称：@PFPAOfficial和ACFD注意到网上流传的有关五角大楼附近发生爆炸的社交媒体报道，但在五角大楼保留区或附近并未发生任何爆炸事件，对公众不会造成直接的危险或危害。 OSINT专家在几分钟内就对图像进行了全面检查，并指出了差异，证明图像确实是由AI生成的假图像。 Bellingcat的数字调查员Nick Walters表示，想伪造这样一个事件非常困难，甚至可以说根本不可能。这通过观察图像中的建筑物的正面，以及围栏融入人群屏障的方式就能轻松判断真伪。 Nick Walters称，对于这样一个重大的新闻报道，没有其他第一手目击者的照片或视频发布在网上就没那么可信。 此外，Nick Walters还在推特上写道：人口稠密地区发生的大多数极端物理事件(爆炸、恐怖袭击、大规模打斗)都会产生可识别的数字涟漪。 虚假的人工智能图像虽然对创作者和观众来说很有趣，但自去年11月ChatGPT发布以来，这一直是治理实体和人工智能专家关注的最大问题之一。 本月早些时候，一名男子因利用深度技术在网上传播虚假新闻而在中国被捕，面临最高10年的监禁。这名男子被指控使用ChatGPT制作了一个虚假的人工智能新闻视频，该视频描述了一场致命的火车相撞事故，然后将其发布在多个社交媒体网站上。 专家表示，随着人工智能模型近年来不断发展，社交媒体上的虚假信息非常令人担忧，尤其是在2024年美国总统大选周期刚刚开始的情况下。 《赫芬顿邮报》的高级编辑Andy Campbell提到了去年秋天，推特首席执行官马斯克接管该公司时，他与推特用户就其T

Sysco, the global food distribution giant, disclosed a data breach, the compromised data includes customer and employee data. Sysco Corporation is an American multinational corporation involved in marketing and distributing food products, smallwares, kitchen equipment and tabletop items. BleepingComputer, who has seen an internal memo sent to employees on May 3, first reported that threat actors may have […]
The post The global food distribution giant Sysco discloses a data breach appeared first on Security Affairs.

A few days ago I had a fun chat with Ange Albertini about secure design of file formats – a topic Ange has been passionately researching for some time now. One of the specific problems that we discussed were overlarge fields and how to approach them in a file format or communication protocol design in a way that makes certain that their handling is safe and secure by default. In this blogpost I wanted to discuss two of my ideas (neither of which is perfect) and related observations on this topic.
What is an overlarge field?
It's best to explain this using one of my favorite examples – same one I've used in my "How to find vulnerabilities?" blog post and in several talks.
In the GIF image format specification there is a field called LZW code size which holds the initial LZW compression code size in bits.
7 6 5 4 3 2 1 0 +---------------+ | LZW code size | +---------------+
What exactly the value entails isn't really important for this discussion. What is however important is that said value must be between 3 a

Linux支持多种不同格式的可执行程序

A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
[GitHub]CVE-2023-1671-POC, based on dnslog platform

There is a cybersecurity risk inherent to the human being that we will not be able to eliminate completely and it is the implicit need to “click” on links that come to us, especially through email, which may be the prelude to the materialization of a cyber attack through an APT.
Article Link: https://isc.sans.edu/diary/rss/29768
1 post - 1 participant
Read full topic

NVIDIA DGX-2 SBIOS contains a vulnerability in Bds, where a user with high privileges can cause a write beyond the bounds of an indexable resource, which may lead to code execution, denial of service, compromised integrity, and information disclosure.

HSM可以为不同的应用提供安全服务，如加密、解密、签名、认证、密钥生成、密钥管理等。

无法提供摘要。这是一篇受保护的文章。

This Metasploit module exploits an authentication bypass vulnerability in the Linux version of udadmin_server, which is an RPC service that comes with the Rocket Software UniData server. This affects versions of UniData prior to 8.2.4 build 3003. This service typically runs as root. It accepts a username of ":local:" and a password in the form of "::", where username and uid must be a valid account, but gid can be anything except 0. This exploit takes advantage of this login account to authenticate as a chosen user and run an arbitrary command (using the built-in OsCommand message).

域信息收集工具

Mitel MiCollab AWV 8.1.2.4 / 9.1.3 Directory Traversal / LFI

Introduction The topic of this blog post is not directly related to red teaming (which is my usual go-to), but something I find important personally. Last month, I gave an info session at a local elementary school to highlight the risks of public sharing of children’s pictures at school. They decided that instead of their … Continue reading An Innocent Picture? How the rise of AI makes it easier to abuse photos online. →

移动安全101，如何设置您的 Android 环境

随着信息技术和汽车技术的发展，车辆网络（Vehicle Network）作为一种新型的交通信息系统，逐渐发展起来。

Tax season is a busy time of year for taxpayers and threat actors. Consumers and businesses focus on filing their taxes and getting excited over possible refunds, while cybercriminals roll out both their tried-and-true tax scams along with implementing new efforts.

Gold Digger 是一种工具，可扫描文件夹和文件以查找 gold.json 文件中的内容匹配项，并生成包含扫描结果的日志文件。该工具已被证明可以在处理数千个文件时提高工作效率

泄漏后Twitter迅速向在线协作平台GitHub发送侵犯版权通知，要求其删除泄露的代码。 GitHub删除了泄漏的代码。本次泄漏的来源不排除是前雇员

The creator of a Remote Access Trojan (RAT), responsible for compromising more than 10,000 computers, has been arrested by law enforcement in Ukraine.
At the time of the arrest, the developer still had real-time access to 600 PCs. According to the announcement, the RAT could tell infected devices to:
Download and upload files
Install and uninstall programs
Take screenshots
Capture sound from microphones
Capture video from cameras
Once data was harvested by the RAT, some of it was put to further use: Account theft and withdrawal of electronic funds contained in compromised balances are both mentioned in the police release.
Unfortunately, the release makes no mention as to how the file was distributed other than as “applications for computer games”. Bleeping Computer suggests that the campaign resembles malware distribution involving bogus YouTube videos promoting game cheats and modifications.
With this in mind, what can you do to try and avoid rogue files such as these?
Steering clear of bogus applications
Be

GPT长文本批处理工具，Batch Processing tools for GPT