Items tagged with: cybersecurity


New #Plex update is out and while I didn't test it, you may want to update because this "sounds" like it may have been allowing some kind of directory traversal.

#Security #CyberSecurity #PlexMediaServer


Massachusetts hacker to plead guilty to PowerSchool data breach:

investing.com/news/stock-marke…

Related:

DOJ Press release: justice.gov/usao-ma/pr/worcest…

USA v. Matthew D. Lane - Information: justice.gov/usao-ma/media/1400…

USA v. Matthew D. Lane - Plea Agreement:
justice.gov/usao-ma/media/1400…

#databreach #PowerSchool #EduSec #cybersecurity

@douglevin @funnymonkey @brett @mkeierleber


I will not win awards for pretty UX, but it works and is coming together.

Incredibly excited to launch the beta-version and get some feedback from all who have asked to participate in the closed beta.

Each primary category of content has a number of subcategories. The initial version will "only" allow you to configure which primary categories you're interested in, but later versions will also allow you to configure subcategories.

And these categories are likely to change with time and as I learn even more about what works ... and likely doesn't.

#CyberEspresso #Cybersecurity

cyberespresso.eu


DETECTING MALICIOUS #UNICODE


Source: daniel.haxx.se/blog/2025/05/16…

#cybersecurity #security #uri #software #coder #hacker #developer #program #news


Putting this out there for whatever good it does.

#Email #Spam folders are a problem because they contain a mix of emails that are clearly spoofed and faked based on #SPF and #DKIM failures, along with others that maybe might, perhaps, be spam based on HTML content, language, whatever. We train people to expect Spam folders are usually wrong. But emails that fail SPF and DKIM should be taken seriously!

Email providers. Why not deal with this by either providing 2 SPAM folders or else showing emails that land in the spam folder because of the #DMARC p=quarantine policy, in red, bold letters, and with a "!!" flag, so people know to be extra cautious?

And when opened, give notices like the sending server is not authorized to send email for the sender or the from address is not authorized to be sent by the sending server.

Why not?

#CyberSecurity #Spoofing
@runbox @Tutanota @thunderbird


AI-powered features are the new attack surface! Check out our new blog in which LMG Security’s Senior Penetration Tester Emily Gosney @baybedoll shares real-world strategies for testing AI-driven web apps against the latest prompt injection threats.

From content smuggling to prompt splitting, attackers are using natural language to manipulate AI systems. Learn the top techniques—and why your web app pen test must include prompt injection testing to defend against today’s AI-driven threats.

Read now: lmgsecurity.com/are-your-ai-ba…

#CyberSecurity #PromptInjection #AIsecurity #WebAppSecurity #PenetrationTesting #LLMvulnerabilities #Pentest #DFIR #AI #CISO #Pentesting #Infosec #ITsecurity


Consult the European #Vulnerability #Database to enhance your #digital #security!


source: enisa.europa.eu/news/consult-t…
database: euvd.enisa.europa.eu

The database provides aggregated, reliable, and actionable information such as mitigation measures and #exploitation status on #cybersecurity vulnerabilities affecting Information and Communication #Technology (ICT) products and services.


#europe #eu #software #bug #news #exploit


And a perfect time to start using a password manager and two factor authentication!

Tagging some great ones:
@ente @bitwarden

#cybersecurity #technology


🐛 NEW SECURITY CONTENT 🐛

💻 macOS Sequoia 15.5 - 50 bugs fixed
support.apple.com/en-us/122716
💻 macOS Sonoma 14.7.6 - 33 bugs fixed
support.apple.com/en-us/122717
📱 iOS and iPadOS 18.5 - 33 bugs fixed
support.apple.com/en-us/122404
💻 macOS Ventura 13.7.6 - 30 bugs fixed
support.apple.com/en-us/122718
📱 iPadOS 17.7.7 - 29 bugs fixed
support.apple.com/en-us/122405
🥽 visionOS 2.5 - 25 bugs fixed
support.apple.com/en-us/122721
📺 tvOS 18.5 - 24 bugs fixed
support.apple.com/en-us/122720
⌚ watchOS 11.5 - 23 bugs fixed
support.apple.com/en-us/122722

#apple #cybersecurity #infosec #security #ios


#Browser #Extensions can be dangerous


source: bleepingcomputer.com/news/secu…

If you have no idea about #cybersecurity and don't want to have one, then make sure you only install extensions that have been tested by #Mozilla.

Recommended Extensions - Extensions that carry this badge are carefully selected and meet rigorous standards in #security, functionality and user experience.

source: support.mozilla.org/en-US/kb/a…

#internet #web #www #software #addOn #check #test #news #danger #warning #risk #hack #hacker #surveillance


DOGE software engineer’s computer infected by info-stealing malware

Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware, a strong indication that devices belonging to him have been hacked in recent years.

#KyleSchutt #doge #cisa #fema #password #passwords #security #cybersecurity #hackers #Hacking #hacked

arstechnica.com/security/2025/…


#Florida bill requiring #encryption backdoors for #SocialMedia accounts has failed

techcrunch.com/2025/05/09/flor…

#cybersecurity #politics


#DOGE bro #KyleSchutt's computer infected by #malware, #credentials found in stealer logs


Source: micahflee.com/doge-bro-kyle-sc…

Stealer logs are collections of URLs paired with usernames and passwords, compiled with the help of malware. If malware infects your device, it can do things like log your keystrokes or record everything entered into forms in your web browser – building a list of your usernames and #passwords for various websites – and then send this data back to the person who controls the malware. This is where stealer log data comes from.


#security #cybersecurity #usa #password #politics #news #Problem



#Meta wins $168 million in damages from Israeli #cyberintel firm in #Whatsapp #spyware #scandal


source: courthousenews.com/meta-wins-1…

After its loss in #court, #NSO reaffirmed its commitment to #Pegasus as a valuable tool in anti-terror operations around the world.


Who would have thought that? Using spyware to #wiretap the #communications of millions of people is #illegal. If the #NSA were aware of that ...

#software #security #cybersecurity #justice #usa #communication #chat #smartphone #news


Are Your #Passwords in the Green?


source: hivesystems.com/blog/are-your-…

#password #login #internet #gpu #bruteforce #crack #hack #security #cybersecurity #technology #speed


Remote code execution vulnerability found in meshtastic, looks potentially bad enough that you might be able to make a worm.

yikes

cvedetails.com/cve/CVE-2025-24…

#meshtastic #lora #cybersecurity #iot


Call for Public Input: Essential Cybersecurity Protections for K-12 Schools (2025-26 SY)

The goal of the K12 SIX Essential Cybersecurity Protections is to communicate the most important defenses that K-12 school systems can implement to dramatically reduce the cybersecurity risks they are currently facing. Designed to address the most frequently experienced school cyber incidents and taking into consideration advice from other national cybersecurity risk management frameworks, the K12 SIX Essential Protections were built specifically for the K-12 community by practicing K-12 IT practitioners, taking into account the unique context in which the education sector operates. Entering its fourth annual update and revision cycle for the 2025-26 school year, it is an opinionated framework, emphasizing accessibility and pragmatism over comprehensiveness.

k12six.org/news/call-for-publi…

#edtech #cybersecurity

@PogoWasRight @brett @funnymonkey @mkeierleber @michaelfklein


Here's the source #code for the unofficial #Signal #app used by #Trump officials


source: micahflee.com/heres-the-source…

The source code contains hardcoded credentials and other #vulnerabilities.


#software #fail #bug #vulnerability #security #communication #chat #cybersecurity #whitehouse #usa #politics #government #problem #news


iHeartMedia, America's largest owner of radio stations, suffered a breach in December that exposed personal data, including Social Security and passport numbers.

#databreach #dataprivacy #cybersecurity #US

cnews.link/iheartmedia-suffers…


Among other things, Meta is now making it mandatory to store voice recordings from their Rayban "smart" glasses in the Meta cloud, and making Meta AI's ability to train and see through your lenses "always on" unless you disable it each time manually.

Gonna be honest, any time someone with Raybans talks to me, I'm going to ask them to remove the glasses.

theverge.com/news/658602/meta-…

#privacy #cybersecurity


If one cannot pen a message with clear meaning, without resorting to rare inks and fancy illuminations, perhaps one should not write. #cybersecurity cromwell-intl.com/cybersecurit…


CEO of #cybersecurity firm charged with #installing #malware on #hospital systems


source: securityaffairs.com/177020/cyb…

Bowie was arrested on April 14, following the issuance of an arrest warrant. Security footage reportedly shows the man attempting to access multiple offices before installing malicious software designed to capture screenshots every 20 minutes and transmit them to an external IP address.


#health #security #business #usa #fail #news


#Proton confirmed on #Telegram :

Drive client for #Linux is coming!

Great news for privacy-conscious users.

Proton offers solid tools (#Email service, #Password Manager, #Cloud storage, #VPN …), but remember - diversify your #privacy stack.

Don’t keep all your eggs in one basket.

For suggestions or questions, feel free to reply or follow me for the latest #tech #news!

Check out the spring/summer 2025 roadmap:
proton.me/blog/product-roadmap…

#Technology #TechNews #Software #Cybersecurity


It's time people stopped claiming that breaches that have occurred over and over again for years are a "wake up call" for anything. Every sector has had "wake up calls" galore, including the education sector. Nobody woke up. Nobody is still waking up. Instead of a headline calling a breach a "wake up call," maybe the headline should be "Yet another avoidable breach will lead to a major lawsuit."

#Edusec #cybersecurity #databreach #SlowLearningCurve

@douglevin @funnymonkey @mkeierleber @brett


I love it when employers install creepware #surveillance nonsense because they have zero respect for their employees, and end up publishing 21 million internal screenshots to the web instead, leaking their most sensitive information.

Very nice, no issues.

#cybersecurity #infosec #assholeBoss

“Employee monitoring app leaks 21 million screenshots in real time”

cybernews.com/security/employe…


#Telegram pledges to exit the market rather than "undermine #encryption with #backdoors"


source: techradar.com/vpn/vpn-privacy-…

Telegram's CEO, #PavelDurov, has said Telegram would rather exit a market than "undermine encryption with backdoors," reaffirming the company's commitment to users' #privacy and #security.


#cybersecurity #politics #communication #messenger #chat #politics #economy #news #internet


🚨 Beware! Hackers are now sending phishing emails from “no-reply@google.com” by abusing Google’s OAuth apps & notification system. These legit-looking emails can trick even tech-savvy users! 🕵️‍♂️ Always double-check links & sender details. Stay safe online! 🔐 #CyberSecurity #PhishingAlert #Google #InfoSec #StaySafe #TechRadar

Read more: techradar.com/pro/security/bew…


How I made $64k from deleted files — a #bug #bounty #story


Source: medium.com/@sharon.brizinov/ho…

For each repository I restored deleted files, found dangling blobs and unpacked .pack files to search in them for exposed #API keys, tokens, and #credentials.


#github #git #software #token #security #cybersecurity #news


DOGE staff allegedly used admin accounts to exfiltrate over 10GB of sensitive NLRB case data, downloading tools linked to brute forcing and web scraping. A whistleblower tied one tool to DOGE employee Marko Elez.

krebsonsecurity.com/2025/04/do…

#infosec #databreach #cybersecurity #privacy