Qilin
"A New Simulation-Driven Paradigm for Side-Channel Attacks: Turning CPU Consumption into an X-Ray Machine for Cryptographic Security" explores an innovative side-channel attack idea: using CPU utilization, a software-level metric, in place of traditional hardware power traces to break cryptographic algorithms. The researchers built a complete simulation environment covering multiple cryptographic algorithms and attack models, and ran extensive experiments to test the correlation between various intermediate values and CPU utilization. The results show that although strong correlations appear with small sample sizes, the correlation drops sharply as the number of traces grows, demonstrating that CPU utilization cannot reliably reflect key-dependent microarchitectural state. Although the work did not reach its intended goal, it provides valuable simulation tooling and empirical analysis for side-channel research and opens a new direction for exploring software-based side-channel analysis.
Sweet Security announced an extension of its Runtime CNAPP sensor to include Windows environments. With this launch, organizations can secure Windows workloads and applications in the cloud. The new capability brings the same visibility, real-time detection, risk prioritization, and automated investigation that power Sweet’s Runtime CNAPP for Linux to one of the most complex and widely used operating systems in the enterprise cloud. Protecting cloud workloads running on the Windows operating system has long been … More →
The post Sweet Security brings Runtime CNAPP visibility and protection to Windows environments appeared first on Help Net Security.
"Dangerous Game: Frontline Offense and Defense in Intelligent Driving" systematically lays out the multi-layered security threats facing smart vehicles. Starting from hardware acquisition and the domain-controller architecture, the report analyzes the network attack surface of components such as the T-Box, the gateway, and the autonomous driving controller, and uses real cases to show how component vulnerabilities (such as an un-updated Secure OAD key) allowed privilege escalation from the body CAN network into the powertrain domain and remote control of the vehicle. The research also examines the encryption mechanisms of intelligent driving models, the difficulties of TensorRT simulation, and chip TEE security, and dissects message leakage and spoofing risks in V2X protocols, comprehensively demonstrating the fragility of intelligent driving systems at the supply chain, network, algorithm, and hardware levels.
"Have You Done Your Best? Asking Again 25 Years Later" reviews the author's in-depth research in Apple system security from the combined perspectives of system architect, software engineer, quality assurance expert, and security researcher. Through case studies of a series of kernel vulnerabilities in IOMobileFrameBuffer, IOBluetooth, and AppleBCMWLAN (such as CVE-2020-9928 and CVE-2022-26762), the report identifies root causes such as concurrency races, missing bounds checks, and unvalidated user input, and presents the complete attack chain formed by chaining these vulnerabilities. The article not only reflects on blind spots in the development process but also asks itself "have I truly done my best", calling for continually pushing technical limits across the whole software lifecycle and holding on to the original aspiration and passion for security research.
Discover the security risks in vibe-coded applications as we uncover over 2,000 vulnerabilities, exposed secrets, and PII
The post Methodology: How we discovered over 2k high-impact vulnerabilities in apps built with vibe coding platforms appeared first on Security Boulevard.
Obsidian Security says it is creating a working group of security leaders to pressure SaaS vendors to adopt standards like the SSCF to make their online applications safer as the cyber threats against them escalate and the use of AI agents in SaaS tools continues to expand.
The post Obsidian: SaaS Vendors Must Adopt Security Standards as Threats Grow appeared first on Security Boulevard.
Rapid7 announced AI-generated risk intelligence as part of the Rapid7 Command Platform. Delivered through Remediation Hub, the new capability accelerates remediation by giving security teams a contextual and actionable view of each exposure, transforming vulnerability data into risk-intelligence-informed decisions that help teams prioritize remediation, and communicate and collaborate with internal teams to drive measurable risk reduction. In addition, Rapid7 added new vulnerability intelligence capabilities to Intelligence Hub, the company’s integrated threat intelligence … More →
The post Rapid7 strengthens security with AI-powered risk and vulnerability insights appeared first on Help Net Security.
A critical security vulnerability was discovered when a complete 4-terabyte SQL Server backup belonging to Ernst & Young (EY), one of the world’s Big Four accounting firms, was found publicly accessible on Microsoft Azure. The exposure was identified by security researchers during routine internet mapping operations and has since been remediated following responsible disclosure protocols. […]
The post Massive 4TB EY Database Backup Found Publicly Accessible on Azure appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Russian-linked attackers have intensified their targeting of Ukrainian organizations through sophisticated intrusions that rely heavily on legitimate Windows tools rather than malware. The attackers demonstrated remarkable restraint in their malware deployment, instead leveraging living-off-the-land tactics and dual-use tools to evade detection while accomplishing their objectives. A recent investigation by our Threat Hunter Team revealed two […]
The post Russian Hackers Target Government with Stealthy “Living-Off-the-Land” Tactics appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.