Aggregator

端午礼盒送不停，更有胶卷相机等超级好礼！

端午礼盒送不停，更有胶卷相机等超级好礼！

HackerNews 编译，转载请注明出处： 欧洲知名求职平台beWanted发生重大数据泄露事件，超110万份求职者简历及敏感信息通过未加密的Google云存储桶（GCS）暴露于公网。网络安全媒体Cybernews研究团队于2023年11月发现该漏洞，但多次联系总部位于西班牙马德里的beWanted公司后，数据仍可公开访问。 泄露数据包含： 全名、电话号码、邮箱及家庭住址 出生日期、国籍及出生地 身份证号码（涉及西班牙、阿根廷、危地马拉、洪都拉斯等多国公民） 社交媒体链接、工作经历及教育背景 研究人员指出，每份文件可能对应一名求职者，此次泄露构成重大安全事件。数据至少暴露六个月，网络犯罪分子可能已利用其发起： 身份盗用：伪造合成身份或欺诈账户 精准钓鱼攻击：诱骗受害者泄露金融账户或敏感数据 社交工程攻击：冒充虚假招聘机构渗透职业网络，传播恶意软件或窃取机密 尽管Cybernews已联系beWanted寻求置评，但截至发稿未获回复。该公司自称“全球最大人才库生态”，通过SaaS模式连接求职者与雇主，在墨西哥、德国及英国设有分支机构。 研究团队提出以下防护措施以缓解风险： 限制公开访问：关闭存储桶公共权限，启用“公开访问预防”功能 实施访问控制：基于最小权限原则，仅向授权用户和服务分配必要权限 监控访问活动：启用云审计日志追踪存储桶访问，配置云监控警报响应可疑行为 启用数据加密：激活服务器端静态数据加密，使用Google云密钥管理服务（KMS） 强制安全传输：要求所有数据传输使用SSL/TLS协议，拦截非安全HTTP连接 采纳最佳实践：定期执行权限与配置安全审计，利用Google云安全指挥中心自动化评估 此次事件再次凸显云存储配置失误的破坏力。求职者需警惕异常招聘邀约，企业应强化云环境安全基线，避免成为下一个受害者。       消息来源： cybernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文

Hackers Bypass MFA to Steal Australians' Banking Credentials
Melbourne-based ANZ Bank will introduce passwordless authentication for digital banking services amid news that hackers have stolen the banking credentials of tens of thousands of Australians. Cybercriminals used infostealer malware to steal the credentials of more than 30,000 Australians.

Critics Say Public Benefit Corporation Model May Undermine AI Safety and Oversight
OpenAI’s nonprofit parent will retain control as its for-profit subsidiary becomes a public benefit corporation. While the company frames the change as mission-driven, critics fear it may strip the nonprofit of meaningful control and expose AGI development to uncontrolled commercial interests.

Hacker Breaches Government-Approved Messaging App Used by Top Trump Officials
A Signal clone messaging app apparently being used by top advisers to U.S. President Donald Trump abruptly went dark Monday following a reported hacking incident. TeleMessage said it temporarily suspended messaging services "out of an abundance of caution."

Huione Group Helped Criminals Launder Over $4 Billion Worth of Cybercrime Proceeds
The U.S. Department of Treasury set in motion a process to ban a Cambodian company's access to the dollar financial system for running a vast illicit marketplace for cybercrime tools and laundering billions of dollars on behalf of North Korean and other cybercrime groups.

HackerNews 编译，转载请注明出处： 网络安全专家指出，《纽约邮报》（New York Post）经过认证的X平台（原Twitter）账户疑似遭劫持，并被用于针对加密货币爱好者。2025年5月3日，Kerberus创始人兼CEO Alex Katz在X平台分享诈骗活动截图，显示@nypost认证账户被用于发送欺诈私信。 诈骗者冒充《纽约邮报》调查记者，以邀请嘉宾参与播客录制为名发送私信：“我们正在为新一期播客招募嘉宾，诚邀您参与录制。” 收到私信的用户若回复，会立即被对方在X平台拉黑，并被要求通过Telegram联系——此举疑似为避免触发《纽约邮报》团队警报，同时将受害者诱骗至Telegram实施加密货币诈骗。 网络安全公司Drew Security创始人、NFT收藏家Drew进一步分析称，此新型骗局利用用户对过往对话的信任，通过私信而非公开推送欺诈广告或恶意链接实施攻击。部分专家推测，攻击者可能试图利用Zoom等流行平台的安全漏洞安装恶意软件。 目前尚不清楚黑客如何获得账户权限及具体联系人数。《纽约邮报》尚未发布官方声明，Cybernews已联系该媒体寻求置评并将更新回应内容。 安全专家建议用户谨慎处理私信，尤其是要求切换至其他平台的请求——即使信息来自可信账户（因任何账户均可能被入侵）。截至发稿，@nypost账户仍可正常访问，但相关欺诈私信已被删除。     消息来源： cybernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability classified as critical has been found in Open Design Alliance Drawings SDK up to 2022.12. This affects an unknown part of the component JPG File Handler. The manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-2022-23095. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in H2 Console. This affects an unknown part of the component JDBC URL Handler. The manipulation leads to argument injection. This vulnerability is uniquely identified as CVE-2022-23221. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in phpMyAdmin up to 5.0/5.1.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Setup. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2022-23808. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in libexpat up to 2.4.3. Affected is the function XML_GetBuffer. The manipulation leads to integer overflow. This vulnerability is traded as CVE-2022-23852. The attack can only be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in libexpat up to 2.4.3. This vulnerability affects the function doProlog. The manipulation leads to integer overflow. This vulnerability was named CVE-2022-23990. The attack needs to be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in GLPI up to 9.5.6. Affected is an unknown function. The manipulation leads to sql injection. This vulnerability is traded as CVE-2022-21720. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Plone Products.ATContentTypes up to 3.0.5. This affects an unknown part. The manipulation leads to open redirect. This vulnerability is uniquely identified as CVE-2022-23599. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as very critical was found in Oracle Communications MetaSolv Solution 6.3.1. Affected by this vulnerability is an unknown functionality of the component User Interface. The manipulation leads to integer overflow. This vulnerability is known as CVE-2022-23990. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Oracle Communications Cloud Native Core Console 1.9.0. It has been rated as very critical. Affected by this issue is some unknown functionality of the component CNC Console. The manipulation leads to code injection. This vulnerability is handled as CVE-2022-23221. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Oracle Healthcare Translational Research up to 4.1.1.1. It has been rated as very critical. This issue affects some unknown processing of the component Data Studio. The manipulation leads to code injection. The identification of this vulnerability is CVE-2022-23221. The attack may be initiated remotely. There is no exploit available.

A vulnerability classified as very critical has been found in Oracle SOA Suite 12.2.1.4.0. This affects an unknown part of the component B2B Engine. The manipulation leads to argument injection. This vulnerability is uniquely identified as CVE-2022-23221. It is possible to initiate the attack remotely. There is no exploit available.

HackerNews 编译，转载请注明出处： 应用安全领域正面临一个持续十余年的悖论：检测工具越先进，警报结果却越无用。随着静态分析工具、扫描器和CVE数据库的警报激增，真正的安全保障却愈发遥不可及。取而代之的是警报疲劳与不堪重负的团队——这已成为行业新常态。 根据OX Security的《2025年应用安全基准报告》，95-98%的应用安全警报无需采取行动——事实上，这些警报对组织的危害可能大于帮助。我们的研究覆盖178个组织的1.01亿个安全检测结果，揭示了现代应用安全运营的低效。每个组织平均收到近57万条警报，其中仅有202条代表真实关键问题。 这个令人震惊的结论难以忽视：安全团队正在追逐幻影，将时间浪费在对无实际威胁漏洞的处置上，消耗预算，并与开发团队关系紧张。最糟糕的是——安全正在阻碍实际创新。正如Chris Hughes所言：“我们以业务赋能者自居，实则将同事埋没于苦工，延缓开发速度，最终损害业务成果。” 回溯2015年，全球公开披露的CVE漏洞仅6,494个，彼时检测能力被视为核心指标。十年间，云原生应用普及、开发周期提速、攻击面扩张，至2025年全球CVE漏洞总数已突破20万。然而，多数安全工具仍固守“检测为王”逻辑，向控制面板倾泻未经筛选、缺乏上下文的警报。 OX的基准报告证实了从业者长期怀疑的现象： 32%的已报告问题存在低利用概率 25%没有已知公开漏洞利用 25%源于未使用或仅用于开发的依赖项 这种无关检测结果的洪流不仅拖慢安全速度——更在主动削弱安全效能。 为对抗这种厄运循环，组织必须采用基于证据优先级的更复杂应用安全方法。这需要从通用警报处理转向涵盖从设计阶段到运行时代码的全面模型，包含以下要素： 可达性：漏洞代码是否被使用，是否可访问？ 可利用性：该环境中是否存在漏洞利用条件？ 业务影响：此处被攻破会造成实际损害吗？ 云到代码映射：该问题在SDLC中起源于何处？ 通过实施此类框架，组织能有效过滤噪音，专注于构成真实威胁的少数警报。这能提升安全效能，释放宝贵资源，并支持更自信的开发实践。OX Security正通过代码投影（Code Projection）应对这一挑战——这项基于证据的安全技术将云和运行时元素映射回代码源头，实现上下文理解和动态风险优先级排序。 通过基于证据的优先级排序，每个组织平均569,354条警报可缩减至11,836条，其中仅202条需立即处置。行业基准揭示多个关键洞见： 一致的噪音阈值：无论企业或商业环境，不同行业的基线噪音水平惊人相似 企业安全复杂性：企业环境因更广泛的工具生态、更大的应用覆盖、更多的安全事件、更频繁的事件和更高的整体风险敞口面临更大挑战 金融行业脆弱性：金融机构警报量显著更高。其对金融交易和敏感数据的处理使其成为高价值目标。如《Verizon数据泄露调查报告》所示，95%的攻击者主要动机是经济利益而非间谍活动。金融机构与货币资产的密切关系为攻击者创造了直接获利机会 这些发现具有深远影响。如果少于5%的应用安全修复对组织至关重要，那么所有组织在分类、编程和网络安全工时上的巨额投入都将徒劳。这种浪费延伸至漏洞赏金计划支付（白帽黑客发现需修复的漏洞），以及未及时发现并进入生产环境的漏洞修复成本。最终重大成本是开发团队与安全团队之间因要求修复无关漏洞而产生的紧张关系。 面对2025年预计新增的5万个漏洞，传统“全检测、后修复”模式已显危险。OX报告强调应用安全的未来不在于修复所有潜在漏洞，而在于智能识别真实风险。当企业能将97.8%的无效警报过滤，安全团队方能摆脱“救火队”角色，真正成为业务创新的护航者。          消息来源： thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文