Security
Headlines
HeadlinesLatestCVEs

Tag

#ssl

PARSIQ’s Reactive Network Provides Solution for DeFi Exchange Vulnerabilities

Over the past few years, decentralised finance (DeFi) has revolutionised the financial sector. DeFi introduced transparent, permissionless and…

HackRead
Open in Source
#vulnerability#oracle#ssl
Tunneling Flaws Put VPNs, CDNs and Routers at Risk Globally

Millions of devices, including home routers, VPN servers, and CDNs are vulnerable to exploitation due to critical flaws…

Belsen Group Leaks 15,000+ FortiGate Firewall Configurations

FortiGate firewall leak exposes 15,000+ configurations, impacting organizations globally. The actor behind the leak is Belsen Group. Learn…

GHSA-v4mq-x674-ff73: AWS Cloud Development Kit (AWS CDK) IAM OIDC custom resource allows connection to unauthorized OIDC provider

### Impact Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow, https://github.com/aws/aws-cdk/blob/d16482fc8a4a3e1f62751f481b770c09034df7d2/packages/%40aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts#L34. However, the current `tls.connect` method will always set `rejectUnauthorized: false` which is a potential security concern. CDK should follow the best practice and set `rejectUnauthorized: true`. However, this could be a breaking change for existing CDK applications and we should fix this with a feature flag. Note that this is marked as low severity Security advisory because the issuer url is provided by CDK users who define the CDK application. If they insist on connecting to a unauthorized OIDC provider, CDK should not disallow this. Additionally, the code block is run in a Lambda environment which mitigate the MITM attack. As a best practice, CDK should still fix this issue under a...

15K Fortinet Device Configs Leaked to the Dark Web

The stolen firewall data is thorough but more than 2 years old now, meaning that most organizations following even basic security practices face minimal risk, hopefully.

Chinese Innovations Spawn Wave of Toll Phishing Via SMS

Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road operators in multiple U.S. states.

Attackers Hijack Google Advertiser Accounts to Spread Malware

It's an especially brazen form of malvertising, researchers say, striking at the heart of Google's business; the tech giant says it's aware of the issue and is working quickly to address the problem.

OWASP's New LLM Top 10 Shows Emerging AI Threats

Ultimately, there is no replacement for an intuitive, security-focused developer working with the critical thinking required to drive down the risk of both AI and human error.

Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks

An ongoing campaign targeting FortiGate devices with management interfaces exposed on the public Internet is leading to unauthorized administrative logins and configuration changes, creating new accounts, and performing SSL VPN authentication.