-- Leo's gemini proxy
-- Connecting to gemini.tuxmachines.org:1965...
-- Connected
-- Sending request
-- Meta line: 20 text/gemini;lang=en-GB
Tux Machines
Posted by Roy Schestowitz on Aug 03, 2023
> Microsoft says a Russian government-linked hacking group is using its Microsoft Teams chat app to phish for credentials at targeted organizations.
> Yoran said the bank he had referred to was still vulnerable more than four months after the Azure flaw had been reported.
> "And, to the best of our knowledge, they [the bank] still have no idea they are at risk and therefore can’t make an informed decision about compensating controls and other risk mitigating actions," he explained.
> "Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don’t."
> Yoran said cloud providers had supported the shared responsibility model for a long time. "That model is irretrievably broken if your cloud vendor doesn’t notify you of issues as they arise and apply fixes openly," he said.
> "What you hear from Microsoft is 'just trust us', but what you get back is very little transparency and a culture of toxic obfuscation.
> "How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact [of the ] patterns and current behaviours? Microsoft’s track record puts us all at risk. And it’s even worse than we thought."
> Contacted for comment, a Microsoft spokesperson told iTWire: "We appreciate the collaboration with the security community to responsibly disclose product issues.
> "We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications.
> Microsoft has once again come under blistering criticism for the security practices of Azure...
> Through mid-2022 and early 2023, Project Zero had access to pre-production hardware implementing this instruction set extension to evaluate the security properties of the implementation. In particular, we're interested in whether it's possible to use this instruction set extension to implement effective security mitigations, or whether its use is limited to debugging/fault detection purposes.
> In order to understand the "additional difficulty" that attackers will face in writing exploits that can bypass MTE based mitigations, we need to consider carefully the context in which the attacker finds themself.
> Ever since KeePassXC got builtin and in the tray in EasyOS, I have had reservations about it. FPM2, Figaro's Password Manager v2 is tiny in comparison, about 1/100 the size, yet has adequate functionality and is simpler to use.
> Up until now, Easy has FPM2 version 0.79. Today have compiled version 0.90, which has superior encryption. Here is the website: [...]
> A new macOS-targeting hVNC malware family is being advertised on a prominent cybercrime forum.
> Freenom, which offers free domain names in .tk and several other ccTLDs, is being sued by Meta for ignoring abuse complaints. Freenom subsequently paused new domain registrations in March 2023.
> StagingTool is a lot like a widely used third-party utility called ViVeTool.
-- Response ended
-- Page fetched on Fri Jun 14 03:20:10 2024