Aggregator

根据国家信息安全漏洞库（CNNVD）统计，近期（2026年5月18日至2026年5月28日）共采集重要人工智能漏洞114个

Currently trending CVE - Hype Score: 1 - In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for ...

2006 年 5 月 31 日，海盗湾成立不到三年，65 名瑞典警察进入了斯德哥尔摩的一个数据中心。在美国政府的压力下，作为刑事调查的一部分，他们奉命下线海盗湾的服务器。在警察进入数据中心前，海盗湾联合创始人Gottfrid Svartholm 和 Fredrik Neij 就感觉到情况不妙。他们注意到有密探跟踪他们。不过这一次警方的目标是他们的服务器。上午 10 点左右，Gottfrid 告诉 Fredrik 办公室来了警察。他让同事去托管机房销毁“罪证”。Fredrik 离开时，他意识到问题可能与他们的 torrent tracker 相关。为以防万一他决定对网站进行完整备份。当他到达托管机房时，他的担忧得到了证实。数十名警察带走了数十台服务器，其中大部分属于与海盗湾无关的客户。接下来几天，Fredrik 备份网站的决定显然是海盗湾历史上最关键的时刻。正因为有了备份，海盗湾团队才得以在三天内恢复网站。事件的处理方式也延续了海盗湾一贯的恶搞。他们将网站更名为“警察湾”（The Police Bay），设计了一个向好莱坞发射炮弹的新标志。几天后网站的标志被凤凰图案取代，象征着它从数字灰烬里重生。这次突击搜查非但没有让海盗湾倒闭，反而让它成为主流媒体关注的焦点，而很大程度上这要归功于网站的快速恢复。媒体的报道也引发了网站流量的激增，与好莱坞的预期结果相反。20 年后，海盗湾仍然还是那个海盗湾。

Силовики утверждают, что международные IT-корпорации помогали шпионить за российскими политиками.

The Spanish National Police arrested a man in Granada for allegedly leaking personal data belonging to members of several sensitive state institutions. According to police, the suspect published the information on multiple online platforms, exposing personnel associated with organizations including the National Cybersecurity Institute (INCIBE), the National Security Council, the National Police, the Civil Guard, the State Attorney General’s Office, the Ministry of Finance, and the Tax Agency. “The investigation, led by Madrid’s Court of … More →

The post Sensitive government personnel data posted online, Spanish police arrest suspect appeared first on Help Net Security.

Один сетевой запрос может открыть путь туда, где ошибка стоит дороже обычного сбоя.

一个被追踪为 DriveSurge 的威胁行为者，一直在利用 ClickFix 和 FakeUpdate 技术，对被入侵的网站开展大规模恶意软件分发活动。   据网络安全公司 SilentPush 的研究人员称，在 DriveSurge 发起的活动中，数千个网站遭入侵，访问者被重定向到恶意软件分发基础设施。   ClickFix 是一种常见的社会工程策略，诱骗受害者在其系统上复...

应对AI时代的挑战需要从三位一体的角度推动安全升级。

Red Hat 官方 NPM 账号 @redhat-c​​loud-services 被入侵，该账号相关联的多个软件包植入了窃取凭证的恶意程序。恶意程序旨在窃取 GitHub Action Secret、以及 AWS、GCP、Azure、Kubernetes、HashiCorp Vault、npm 和 CircleCI 等的凭证，它还是一种能自我传播的蠕虫，会利用窃取的 npm 令牌和 npm 的 bypass_2fa 参数，自动重新发布其它软件包的后门版本。Red Hat 在一份声明中表示，恶意软件包已经移除，它仍然在进行调查，初步分析未发现对客户或合作伙伴环境或 Red Hat 生产系统造成任何影响。

Борьба Роскомнадзора с VPN ломает работу российских программистов.

RSA has expanded its passwordless authentication capabilities to Linux environments, advancing its goal of delivering secure, password-free access for every user in every environment. Linux is ubiquitous in enterprise infrastructure, powering servers, developer workstations, and critical operational environments across industries from financial services to government. Despite its reach, Linux users have historically been underserved by passwordless solutions, often left to rely on legacy credential-based access while users elsewhere deployed modern passwordless form factors. The Linux … More →

The post RSA extends passwordless authentication to Linux environments appeared first on Help Net Security.

Следы атаки месяцами оставались на виду, но никто их не замечал.

Anthropic 已向美国证券交易委员会（SEC）秘密提交了 IPO 招股说明书。该公司表示在 SEC 完成审查之后，将根据市场状况等因素选择上市。Anthropic 的估值今年以来出现了爆炸式增长，在上周的最新一轮融资中估值达到了 9650 亿美元，超过了 OpenAI 在 3 月下旬的 8520 亿美元估值。美国股市即将迎来三家万亿市值公司的上市，SpaceX 预计本月上市，Anthropic 竞争对手 OpenAI 预计会很快递交上市申请，三家公司的市值预计将达到 4 万亿美元。

Сразу 95 официальных пакетов внезапно превратились в шпионов.

Malware on approximately 2,000 WordPress sites hid C2 instructions in Steam profile comments using invisible Unicode. GoDaddy researchers spotted a command-and-control infrastructure for a malware campaign abusing Valve’s Steam gaming platform. The experts discovered malware on approximately 1,980 WordPress sites that fetches its instructions by reading Steam Community profile comments, where the actual payload is […]

In this interview with Help Net Security, Chuck Davis, VP, Global Information Security at Hikvision, explains how zero trust applies to physical security systems like cameras and door controllers. He breaks down how to make trust decisions at the edge without recreating old perimeter assumptions, why these devices should be treated as IT assets, and what the Mirai botnet taught the industry. Davis also covers posture assessment for devices that cannot run standard agents, and … More →

The post Zero trust physical security needs trust decisions at the edge appeared first on Help Net Security.

Атака Bitskrieg обнулит ключевые механизмы доверия Secure Boot.

Most security teams know the drill: A new autonomous penetration testing tool gets deployed, and the first run is genuinely impressive. The dashboard surfaces critical findings, maps lateral movement paths nobody had documented before, and exposes a legacy service account that has been sitting idle for years. Great. The red team feels like it’s found a force multiplier. The CISO feels like the “human element” of validation has finally been automated away. Then, troublingly, by … More →

The post Why you need BAS and autonomous pentesting together appeared first on Help Net Security.

За сухими строками отчёта проступила карта чужих интересов и будущих кризисов.