Aggregator

A vulnerability was found in Gradio up to 4.x. It has been classified as problematic. Affected is an unknown function. The manipulation leads to insufficient verification of data authenticity. This vulnerability is traded as CVE-2024-47867. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in VMware Workstation and Player on Windows. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to improper access controls. This vulnerability is known as CVE-2016-2077. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

The Dutch police have announced the takedown of Bohemia and Cannabia, which has been described as the world's largest and longest-running dark web market for illegal goods, drugs, and cybercrime services. The takedown is the result of a collaborative investigation with Ireland, the United Kingdom, and the United States that began towards the end of 2022, the Politie said. The marketplace

A vulnerability was found in webges iMig 2012 1.0.0 and classified as critical. Affected by this issue is some unknown functionality of the component X.509 Certificate Handler. The manipulation leads to cryptographic issues. This vulnerability is handled as CVE-2014-7567. Access to the local network is required for this attack to succeed. There is no exploit available.

图片来源：安全内参 一名安全研究人员透露，数千个机器学习工具已暴露在开放的互联网中，其中一些还属于大型科技公司。任何人都能访问这些工具，并存在敏感数据泄露的潜在风险。 这则消息表明，尽管公司和研究人员在人工智能研究上突飞猛进，但保护这些工具，仍需要依赖适用于其他类型账号的通用账号安全和身份验证最佳实践。 Reddit的安全研究人员兼首席安全工程师Charan Akiri在其研究报告中指出：“除了机器学习（ML）模型本身，暴露的数据还可能包括训练数据集、超参数，甚至有时是用于构建模型的原始数据。” 暴露的工具包括MLflow、Kubeflow和TensorBoard实例。这些工具通常用于帮助企业在云端训练和部署生成式AI模型，或可视化其结果。 Akiri在研究报告中写道：“这种配置错误使得未经授权的人员能够访问、下载，甚至运行敏感的机器学习模型和数据集。这类暴露事件本不应发生，因为这些平台应该仅限于内部使用。” Akiri指出，他们已经能够识别出部分暴露实例的所有者，但他强调，“这只是整体暴露的一小部分，实际上可能还有许多公司尚未被我们识别出来。” 其中一家公司是日本的半导体制造商瑞萨电子（Renesas Electronics）。Akiri表示，通过控制面板证书中的线索，他们确认了一个机器学习工具属于瑞萨电子。外媒404 Media联系瑞萨电子请求对此事发表评论后，瑞萨电子立即撤下了暴露的控制面板，Akiri也通知了该公司这一问题。然而，瑞萨电子最终未对评论请求作出回应。 404 Media在访问几个可以通过开放互联网找到的MLFlow实例时，发现控制面板提供了创建“新运行”的选项。用户还能查看之前的实验记录，通常还能够执行与原用户相同或类似的任务。Akiri表示，他们发现了大约5000个暴露的MLFlow实例。 参考资料：https://www.404media.co/thousands-of-internal-ai-training-datasets-tools-exposed-to-anyone-on-the-internet/     转自安全内参，原文链接：https://www.secrss.com/articles/71040 封面来源于网络，如有侵权请联系删除

A vulnerability, which was classified as critical, was found in libbsd up to 0.8.1. This affects the function fgetwln. The manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-2016-2090. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as very critical was found in Oracle Siebel CRM 8.5.1.0 - 8.5.1.7/8.6.0/8.6.1. Affected by this vulnerability is an unknown functionality of the component Oracle Knowledge. The manipulation leads to improper access controls. This vulnerability is known as CVE-2016-2141. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

Ensuring seamless operations in even the harshest environments is a necessity today. For organizations operating within the Department of Defense (DoD) space, identity resilience and continuity are essentially non-negotiable — as the stakes are high and often involve life-and-death scenarios. Missions demand resilient systems capable of functioning even in the most extreme conditions. Military environments...

The post Resilience in extreme conditions: Why DDIL environments need continuous identity access appeared first on Strata.io.

The post Resilience in extreme conditions: Why DDIL environments need continuous identity access appeared first on Security Boulevard.

92% of healthcare organizations experienced at least one cyber attack in the past 12 months, an increase from 88% in 2023, with 69% reporting disruption to patient care as a result, according to Proofpoint. Healthcare organizations struggle to mitigate risks from cyberattacks Among the organizations that suffered the four most common types of attacks – cloud compromise, ransomware, supply chain, and business email compromise (BEC) – 56% reported poor patient outcomes due to delays in … More →

The post Data loss incidents impact patient care appeared first on Help Net Security.

A vulnerability classified as very critical was found in JGroups up to 3.x. Affected by this vulnerability is an unknown functionality of the component Node Join Handler. The manipulation leads to improper access controls. This vulnerability is known as CVE-2016-2141. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in Spring AMQP up to 1.5.4. This affects the function org.springframework.core.serializer.DefaultDeserializer of the component Deserialize Handler. The manipulation leads to improper input validation. This vulnerability is uniquely identified as CVE-2016-2173. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

发表在《Entertainment Computing》上的一项研究根据 Steam 用户评论和玩家数量估计游戏收入，发现一旦游戏使用的 DRM 被破解，会给发行商带来 19% 的平均收入损失。北卡罗来纳大学的 William Volckmann 分析了 2014 - 2022 年间 Steam 上使用 Denuvo DRM 的 86 款游戏，发现如果游戏上市第一周就被破解，那么发行商的收入会损失 20%，如果六周后被破解那么收入损失减少到 5%。但下载破解版本的玩家即使没有破解他们也不太可能花钱买游戏，他们不是游戏的目标客户。

Apache Subversion中发现了一个关键的安全漏洞，CVE-2024-45720，该漏洞主要影响Windows平台。

A vulnerability has been found in Abtei-neuburg Stift Neuburg 1.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the component X.509 Certificate Handler. The manipulation leads to cryptographic issues. This vulnerability is known as CVE-2014-7566. Access to the local network is required for this attack. There is no exploit available.

国庆长假期间，一系列利用AI技术克隆小米公司创始人雷军声音的恶搞视频在社交媒体平台上迅速传播。这些视频在短时间 […]

新闻速览 •在办公环境中开启iPhone  镜像功能或存在严重的隐私和法律违规风险 •法国游戏公司育 […]

A vulnerability, which was classified as critical, was found in Gmt-editions Rando Noeux 1.0.0. Affected is an unknown function of the component X.509 Certificate Handler. The manipulation leads to cryptographic issues. This vulnerability is traded as CVE-2014-7565. The attack needs to be initiated within the local network. There is no exploit available.

The frequency, sophistication, and impact of cyber-attacks on financial institutions have been rising. Given the economic system’s interconnected nature, disruptions in one institution can have cascading effects on the broader financial market, leading to systemic risks. Regulators have responded with increasingly stringent requirements. One of the most significant regulatory developments in this context is the European Union’s Digital Operational Resilience Act (DORA), which will come into force on January 17th, 2025. Dimitri Chichlo, CISO at … More →

The post DORA regulation’s nuts and bolts appeared first on Help Net Security.

Executive SummaryIn July 2024, researchers from Palo Alto Networks discovered a su

生活案例举例教你搞定难懂的Kerberos认证过程