Aggregator

Researchers discovered critical vulnerabilities in Kentico’s Xperience CMS that could allow attackers to completely compromise affected systems.  The vulnerabilities, identified as WT-2025-0006, WT-2025-0007, and WT-2025-0011, can be chained together to achieve unauthenticated remote code execution on systems with common configurations. Researchers at watchTowr Labs identified two distinct authentication bypass vulnerabilities and one post-authentication remote code […]

The post Kentico Xperience CMS Authentication Bypass Vulnerability Allow Attackers Execute Arbitrary Code Remotely appeared first on Cyber Security News.

Pavel Durov, founder and CEO of Telegram, announced his return to Dubai on Monday following months of judicial supervision in France as investigations into alleged criminal activities on his messaging platform continue. Durov expressed relief at being back home and gratitude toward the French judiciary for permitting his temporary departure. The investigation stems from accusations […]

The post Telegram CEO Returns to Dubai Amid French Investigation Continues appeared first on Cyber Security News.

TwoNet Targeted the Website of HM Sanchinarro

DarkAtlas researchers have uncovered a direct link between BlackLock and the Eldorado ransomware group, confirming a rebranded identity of the notorious threat actor

Militairen en veteranen met een posttraumatische stressstoornis (PTSS) hebben baat bij traumabehandeling met een virtual reality (VR) bril. Dat blijkt uit een pilotstudie van het Expertisecentrum MGGZ (Militaire Geestelijke Gezondheidszorg). Daaraan namen 16 mensen deel. Gemiddeld gezien namen hun PTSS-klachten af. De resultaten zijn vandaag gepresenteerd in het Centraal Militair Hospitaal in Utrecht.

Gemini 将在今年晚些时候取代 Google Assistant。Google Assistant 是 Google 在 2016 年推出的数字助手，虽然 Gemini 品牌诞生仅一年时间，但 Google 正快速在各平台普及 Gemini。在 Android 上发布 Gemini 应用时，Google 强迫任何安装它的人禁用 Assistant 切换到 Gemini。当 Assistant 在 2025 年晚些时候退役时，Google 将从应用商店移除该应用，并将用户引导到 Gemini。Google 表示，使用 Assistant 的 Google 汽车、手表、耳机等设备将会收到更新会过渡到 Gemini，更多细节将会在未来几个月公布。

Generic secrets are hard to detect and are getting leaked more often. See how GitGuardian offers advanced protection where GitHub's push protection falls short.

The post Addressing The Growing Challenge of Generic Secrets: Beyond GitHub’s Push Protection appeared first on Security Boulevard.

Encrypting files keeps sensitive data like personal details, finances, and passwords safe from attackers by making them unreadable to unauthorized users. Encryption also safeguards data in case of device loss or theft, preventing malicious actors from accessing or misusing the information even if the drive is removed. Encrypting and securing sensitive files on macOS can be done using built-in tools. Using FileVault for full disk encryption on macOS FileVault is Apple’s built-in full-disk encryption (FDE) … More →

The post How to encrypt and secure sensitive files on macOS appeared first on Help Net Security.

人生的道路是由内因决定的

This is a news item roundup of privacy or privacy-related news items for 9 MAR 2025 - 15 MAR 2025. Information and summaries provided here are as-is for warranty purposes.

Note: You may see some traditional "security" content mixed-in here due to the close relationship between online privacy and cybersecurity - many things may overlap; for example, major vulnerabilities in popular software, which may compromise the security of user's devices (and therefore pose a threat to their privacy) and large data breaches where significant personal information is exposed.

Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.

TABLE OF CONTENTS

• Privacy Tip of the Week
• Surveillance Tech in the News
• Privacy Tools and Services
• • Privacy Services
• Vulnerabilities and Malware
• • Vulnerabilities
  • Malware
• Phishing and Scams
• • Phishing
  • Scams
• Service Providers' Privacy Practices
• Legislation/Regulations/Lawsuits
• • Lawsuits
  • Legislation and Regulation
• Data Breaches and Leaks
• • Data breaches

Privacy Tip of the Week

Clear your browser cookies regularly.

Surveillance Tech in the News

This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.

Data Broker Brags About Having Highly Detailed Personal Information on Nearly All Internet Users

Gizmodo

An owner of a data broker business brags and showcases his company's ability to deliver "personalized messaging at scale." Of course, personalized in this context means leveraging extensive amounts of data collected on people. The CEO claims that thanks to their "CoreAI" product/service/feature, they can leverage extreme personalized (and prediction) advertising for 91 percent of adults around the world.

The 200+ Sites an ICE Surveillance Contractor is Monitoring

404media

A contractor for ICE (and other US government agencies) has built a tool that facilitates pulling a target's publicly available data from various sources - which include social media networks, apps, and services. Most notably these include Bluesky, OnlyFans, Roblox, and various platforms owned/controlled by Meta (Instagram, Facebook). It can also reportedly pull data from sites geared towards specific demographics; for example, Black Planet, a social network for Black people.

More information on what sites this tool can pull from can be found on a Google Docs spreadsheet uploaded by 404media.

US lawmakers urge UK spy court to hold Apple ‘backdoor’ secret hearing in public

TechCrunch

This is yet another addition to the Apple vs secret order by the UK government saga. Various groups have called for Apple's official appeal to the UK order to be completed publicly, with US lawmakers now joining the chorus.

Privacy Tools and Services

Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but also may feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com

Privacy Services

Tuta Mail & Tuta Calendar Updates (+ What’s coming next)

Tuta

Tuta announces updates to Tuta Calendar; specifically, the introduction of advanced repeat rules and a three-day view. Tuta also shares planned updates "coming soon" to Tuta Mail.

Kagi Search introduces Privacy Pass authentication

AlternativeTo

Kagi officially rolls out Privacy Pass support for its Android app.

Telegram introduces Star Messages, cheaper user verification, Chromecast support, and more

AlternativeTo

Telegram introduces enhanced privacy controls for content creators and public figures. Telegram also implemented a detailed info page for users receiving a first-time message from outside their contacts list.

Vulnerabilities and Malware

Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.

This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.

Vulnerabilities

Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993)

Tenable

This week included Microsoft Patch Tuesday for March 2025. It included seven zero-day flaws, with six of them being exploited in the wild. Likely the most notable CVEs exploited in the wild for majority of users includes:

• CVE-2025-24985, a remote code execution vulnerability in the Windows Fast FAT File System Driver. Has been exploited in the wild; requires the attacker to trick the user into mounting a specially crafted virtual hard disk.
• CVE-2025-26633, a security feature bypass in Microsoft Management Console. Confirmed exploited in the wild as a zero-day; requires a user to open a malicious file.

Apple discloses zero-day vulnerability, releases emergency patches

Cyberscoop

CVE-2025-24201. On March Patch Tuesday, Apple released emergency updates addressing an out-of-bounds write zero-day in WebKit. Maliciously crafted web content may be able to exploit this vulnerability to escape the Web Content sandbox and potentially take unauthorized actions on the affected device.

Apple disclosed this vulnerability was exploited in attacks on "specific targeted individuals" and described it as "extremely sophisticated."

The ESP32 Bluetooth Backdoor That Wasn’t

HACKADAY

This post stems from Tarlogic's claim of finding a "backdoor" (which is strong language) in ESP32, a bluetooth chip used in approximately 1 billion (and more) devices. The reality is, the original findings found undocumented commands - that were likely manufacturer debugging tools - shipped in the final, consumer-facing products. In theory, these could be abused for malicious actions.

Tarlogic received backlash for the panic induced from using "backdoor" in their findings and has since modified their reporting.

Research on iOS apps shows widespread exposure of secrets

MalwareBytes

Out of 156,000 examined iOS apps, more than 815,000 secrets were hard-coded into. These sensitive secrets included keys to cloud storage, APIs, and keys to payment processors. According to the researchers, "the average app's code exposed 5.1 and 71% of apps leak at least one secret."

While easy to file away as the app publisher's problem, hard-coded secrets to APIs and cloud storage could result in data breaches, which naturally have a direct effect on user privacy.

Malware

North Korean government hackers snuck spyware on Android app store

TechCrunch

APT threat actors associated with the North Korean government uploaded spyware "KoSpy" to Google Play. According to Lookout, these nation-state threat actors also tricked some users into downloading KoSpy in likely targeted attacks.

KoSpy collects sensitive information including (but not necessarily limited to) text messages, call logs, device location data, files/folders on device, keystrokes, Wi-Fi network details, and installed apps. It can...

The post Privacy Roundup: Week 11 of Year 2025 appeared first on Security Boulevard.

The old adage “Prevention is better than cure” has taken a new, more urgent meaning in the cybersecurity community. With 600 million cyber attacks per day, several companies have started investing heavily in proactive cybersecurity measures that encompass risk-based vulnerability management, predictive threat intelligence feeds, attack surface management (ASM), and many other modern solutions.  This […]

The post Proactive Cybersecurity – Staying Ahead of Threats with a Preventive Approach appeared first on Cyber Security News.

不到 4 万元的 DeepSeek-R1-671B-Q8 部署方案 by ourren

IDS - AGENT 为物联网入侵检测带来可解释性突破 by ourren

SecWiki周刊（第576期) by ourren

洞察流量路径：基于路径签名特征的加密流量分类 by ourren

更多最新文章，请访问SecWiki

A ransomware activity wave using the SocGholish MaaS framework for initial access also has affected banking and consulting firms in the US, Taiwan, and Japan since the beginning of the year.

Diplomat Targeted the Website of Ibercaja

Хакеры модифицировали tj-actions/changed-files, чтобы копировать учетные данные из памяти серверов.

A vulnerability was found in Sun Solaris 2.0. It has been declared as critical. This vulnerability affects unknown code of the component SNMP Account. The manipulation of the argument Community Name leads to improper authentication. This vulnerability was named CVE-1999-0517. The attack can be initiated remotely. There is no exploit available. It is recommended to add further authentication.