Aggregator

Как файловая ссылка победила обновление.

科技让美好发生

Разбираем самые популярные сервисы обратного поиска лиц и что они могут рассказать о вас.

2025年五大安全框架成CISO对抗复杂威胁的刚需！

Symbiotic Security launched Symbiotic Security version 1 that ensures code security keeps pace with development speed, by using AI to secure code in real-time through remediation and training integrated within their workflows. Symbiotic Security v1 empowers developers to write secure code from the outset during the development process, and maximize the productivity gains of AI-assisted coding. Its intelligent detection and remediation identifies vulnerabilities in real-time, instantly providing secure code suggestions that developers can accept, modify, … More →

The post Symbiotic Security v1 empowers developers to write secure code appeared first on Help Net Security.

Как компания борется с нелояльностью сотрудников.

Google 官方博客宣布将逐步淘汰它使用的国家顶级域名如 google.ng（尼日利亚）或 google.com.br（巴西）。 Google 称它多年来一直在改进本地化搜索体验，无论是使用特定国家域名还是使用 google.com，搜索体验已经基本一致，因此 Google 的国家顶级域名（ccTLD）已不再必要，它将把这些 ccTLD 重定向至 google.com。这一改变将在未来几个月内完成。

A hacker has exposed the personal records of over 33,000 employees after discovering unrestricted endpoints belonging to a major technology service provider. The breach, first reported by cybersecurity platform CloudSEK’s BeVigil, highlights alarming gaps in API security that could have far-reaching consequences for both the affected organization and its clients. CloudSEK’s BeVigil, a platform specializing […]

The post Hacker Leaks 33,000 Employee Records in Third-Party API Breach appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

HackerNews 编译，转载请注明出处： 由前MTV高管创立的澳大利亚最热门创意招聘平台The Loop于2024年关闭，但其用户敏感数据至今仍在泄露。该平台错误配置的Google Cloud存储桶导致210万份文件泄露，包括含全名、地址、电话号码、邮箱及完整职业履历的简历。利用这些数据，诈骗者可实施高度定向的钓鱼攻击、语音钓鱼和短信钓鱼，将用户置于风险之中。截至目前，尚未有任何机构采取行动保护这些数据。 2025年2月，Cybernews安全研究人员偶然发现了本不该暴露于世的秘密：一个配置错误的Google Cloud存储桶向全网开放，其中存放着210万份文件。泄露的文件包含高度敏感信息，例如原始简历（含全名、家庭地址、电话号码、电子邮箱以及详细的职业与教育经历）。 简而言之，这些数据为诈骗者提供了伪装成你本人或通过虚假职位窃取银行信息所需的一切。 The Loop泄露了哪些数据？ 含教育及职业背景的简历 全名 家庭地址 电子邮箱 电话号码 该平台由MTV前高管Pip Jamieson和Matt Fayle创立，声称拥有10万名注册艺术家用户，并与1.6万家企业建立联系。 Cybernews尝试联系该公司及计算机应急响应组（CERT），但未收到任何回应。 这种包含完整个人档案的数据泄露犹如一场“灾难自助餐”，尤其当受害者是依赖网络声誉接案的创意工作者和自由职业者时， 凭借详细简历，诈骗者可制作极度逼真的个性化钓鱼邮件。试想收到一封提及你真实职位名称、过往客户甚至日常使用工具的邮件——所有这些信息均从你的简历中提取。邮件可能附带虚假职位邀约、待签署合同，或要求你“验证身份”（需提供护照复印件）。当诈骗者掌握你的电话号码和背景信息时，语音钓鱼和短信钓鱼将变得极具说服力。例如，接到自称来自你曾实际应聘的创意机构的电话，要求“最终确认”银行信息。利用你的姓名、地址、生日、邮箱、电话号码及职业履历，诈骗者可伪装成你向客户或雇主发送虚假发票。 对某些人而言，这种场景看似难以置信。因此，让我们回顾史上最猖獗的网络诈骗案例：一名立陶宛男子通过伪造发票邮件诱骗Facebook和Google向其转账超1亿美元。这两家全球科技巨头在两年间持续付款且未提出任何质疑。试想，中小企业落入此类陷阱的难度将低得多。       消息来源：cybernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文

OSINT-инструменты для анализа корпоративных сайтов.

A vulnerability, which was classified as critical, was found in CubeCart up to 6.5.4. Affected is an unknown function of the component Phar File Handler. The manipulation leads to unrestricted upload. This vulnerability is traded as CVE-2024-33438. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in taoCMS 3.0.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file include/model/file.php. The manipulation leads to path traversal. This vulnerability is handled as CVE-2024-33350. The attack may be launched remotely. There is no exploit available.

A vulnerability has been found in wasm3 0.5.0 and classified as critical. Affected by this vulnerability is the function DeallocateSlot of the file wasm3/source/m3_compile.c. The manipulation leads to heap-based buffer overflow. This vulnerability is known as CVE-2024-34249. Access to the local network is required for this attack. There is no exploit available.

A vulnerability, which was classified as critical, has been found in wasm3 0.5.0. Affected by this issue is the function main of the file wasm3/platforms/app/main.c. The manipulation leads to memory corruption. This vulnerability is handled as CVE-2024-34246. Access to the local network is required for this attack. There is no exploit available.

A vulnerability was found in RuvarOA 6.01/12.01 and classified as critical. Affected by this issue is some unknown functionality of the file /bulletin/bulletin_template_show.aspx. The manipulation of the argument ID leads to sql injection. This vulnerability is handled as CVE-2024-25508. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in RuvarOA 6.01/12.01. It has been classified as critical. This affects an unknown part of the file /Bulletin/AttachDownLoad.aspx. The manipulation of the argument attach_id leads to sql injection. This vulnerability is uniquely identified as CVE-2024-25512. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in RuvarOA 6.01/12.01. It has been rated as critical. This issue affects some unknown processing of the file /LHMail/AttachDown.aspx. The manipulation of the argument email_attach_id leads to sql injection. The identification of this vulnerability is CVE-2024-25507. The attack may be initiated remotely. There is no exploit available.