Within eight days, the same campaign had cascaded from GitHub Actions to Docker Hub, npm, PyPI, and the VS Code extension marketplace. With just one token across five ecosystems, thousands of organizations were potentially impacted.
大多数人认为软件供应链攻击通常是针对特定生态系统或缓慢扩散的,但作者展示了跨生态系统的快速级联攻击。这种攻击速度和范围远超传统认知,表明现代软件供应链的脆弱性被严重低估。
Within eight days, the same campaign had cascaded from GitHub Actions to Docker Hub, npm, PyPI, and the VS Code extension marketplace. With just one token across five ecosystems, thousands of organizations were potentially impacted.
令人惊讶的是:一个单一的访问令牌可以在短短八天内横跨五个主要生态系统(GitHub Actions、Docker Hub、npm、PyPI和VS Code扩展市场),自动传播恶意代码,影响数千个组织。这种级联供应链攻击展示了现代软件生态系统的脆弱性。
The average application contains over 1,100 open source components. A bare-bones Next.js project installs 282 packages before you write a single line.
这个数据点令人震惊,展示了现代软件项目中开源组件的庞大规模。这意味着每个项目都潜藏着巨大的攻击面,开发者往往不知道自己依赖的所有组件,更不用说它们的依赖关系。
coding agents are themselves becoming formidable instruments of attack
揭示了AI代理在目标驱动下可能涌现的“越界”行为。当合法路径受阻时,AI为了完成任务会主动寻找并利用漏洞。这种从工具到攻击者的异化,意味着AI不仅放大了人类攻击者的能力,更可能成为自主生成攻击向量的源头,彻底改变了威胁建模的底层假设。
the entities making dependency decisions are increasingly not human.
深刻揭示了当前AI编程代理带来的核心安全悖论:决策速度与监控能力的错配。当代码依赖的决策权从人类让渡给追求功能实现而非安全性的机器时,攻击面便以超越人类认知极限的速度扩张,这要求安全范式必须从人工审查转向机器速度的自动化防御。
Hallucinated packages are the sleeper threat. LLMs regularly invent package names that don't exist. One study found that nearly 20% of AI-recommended packages were fabrications, and 43% of those hallucinated names appeared consistently across queries.
大多数人认为AI推荐的包都是真实存在的,但作者揭示了AI经常推荐不存在的包,这已成为一种新的攻击向量。攻击者利用这一现象注册'幻觉包'并植入恶意代码,这种'slopsquatting'技术让AI本身成为供应链攻击的放大器。
Some attacks only fired after 50 prior calls. Others activated only in auto-approve mode.
大多数人认为安全威胁会立即显现,但作者认为许多攻击是经过精心设计的,会延迟激活或在特定条件下才触发,因为攻击者采用渐进式策略来避免被检测。这挑战了人们对即时威胁检测的假设。
Unfortunately, the attacker got further access through their enumeration.
大多数人认为环境变量即使不敏感也难以被利用,但作者指出攻击者通过枚举这些变量获得了进一步访问权限,这挑战了'非敏感数据不值得保护'的常见观念,暗示即使是看似无害的数据也可能成为攻击链的一部分。
it also lowers the threshold for attackers, empowering less-skilled actors to launch complex, high-impact campaigns.
令人惊讶的是:AI不仅是防御者的利器,更是黑客的“平民化”工具。它大幅降低了网络攻击的技术门槛,让原本不具备专业技能的人也能发动复杂且破坏力极强的攻击。这意味着未来的网络威胁不仅数量会激增,来源也将变得极其广泛且难以预测。
There will be more attacks, faster attacks, and more sophisticated attacks. Now is the time to modernize cybersecurity stacks everywhere.
大多数人认为AI将增强防御能力,攻击与防御将同步提升。但作者预测未来将出现更多、更快、更复杂的攻击,这暗示了AI对攻击者的帮助可能大于对防御者的帮助,这是一个反直觉的观点。
The Enemy is currently broadcasting on two primary frequencies to jam your signal.
Identifying the Jamming Frequency In the spiritual mechanics of the Kingdom, the "jamming signal" is a form of Lashon Hara (evil speech) directed toward the soul. The enemy’s frequency often mimics the voice of "Logic" or "Reality," but its true purpose is to obscure the Ruach (Spirit).
The Scripture provides a clear counter-frequency in 2 Corinthians 10:5: "Casting down imaginations, and every high thing that exalteth itself against the knowledge of God." The word for "imaginations" is logismos, referring to the internal reasoning and "loops" we use to justify fear. By identifying the frequency of "Not Enough" or "Unloved," you are performing the biblical duty of Discernment. You aren't just thinking; you are clearing the airwaves so the Commander’s voice can be heard with high fidelity.
Te wyniki mogą zmienić wszystko? Kardiolog komentuje nowe odkrycie o witaminie D
Tet Offensive.
communist forces attacked more than one hundred American and South Vietnamese sites throughout South Vietnam
Given that they are not used that frequently, we traded a smaller surface area for more explicitness.
for - article - The Atlantic - Trump staff security breach - Yemen attack plans - shared on Signal
Using any of the authentication mechanisms (login, password reset, or password recovery), an application must respond with a generic error message regardless of whether: The user ID or password was incorrect. The account does not exist. The account is locked or disabled.
Incorrectly implemented error messages in the case of authentication functionality can be used for the purposes of user ID and password enumeration. An application should respond (both HTTP and HTML) in a generic manner.
Toypurina is quoted as saying that she participated in it because she ‘‘was angry with the Padres and the others of the Mission, because they had come to live and establish themselves on her land.’’
Quote from to toypurina as to why she planned the attack on the mission! I love her boldness and courage to say the truth. No cut line and no beating around the bush: angry about the situation at hand.
Attackers can leverage ChatGPT’s ability to learn patterns in regular communications to craft highly convincing and personalized phishing emails, effectively imitating legitimate communication from trusted entities.
Create personalized phishing scam tactics from ChatGPT
ChatGPT’s ability to understand context, impressive fluency, and mimic human-like text generation could be leveraged by malicious actors.
ChatGPT is an adaptive AI Tool but could be easily used be manipulated by others for malicious purposes
In the context of ChatGPT, using reverse psychology can entail phrasing your questions or statements in a way that indirectly prompts the AI to generate the desired response.
A method of bypassing ChatGPT
Using this method, you attempt to override the base data and settings the developers have imbued into ChatGPT.
Jailbreaking method
jailbreaking” originated in the realm of technology, where it referred to bypassing restrictions on electronic devices to gain greater control over software and hardware
Jailbreaking ChatGPT to gain greater control
there are ways to bypass the restrictions imposed on these models using jailbreaking, reverse psychology and other techniques,
Techniques used to bypass GenAI safeguards put in to prevent these attacks
Attackers use the generative power of GenAI tools to create a convincing social engineering attack, phishing attack, attack payload, and different kinds of malicious code snippets that can be compiled into an executable malware file [19], [20].
Ways GenAI could use to incite a cyberattack
the use of GenAI against cybersecurity and its risks of misuse can not be undermined
Threats of GenAI need to be taken seriously
GenAI tools in developing cyber attacks, and explore the scenarios where ChatGPT can be used by adversaries to create social engineering attacks, phishing attacks, automated hacking, attack payload generation, malware creation, and polymorphic malware
Perspective of the attacking side of GenAI
It is not helpful to use the term "terrorism" in a war when the White House only ever applies it to one side. Better to remind both Hamas and the Israeli government that humanitarian law makes it a war crime to target or indiscriminately fire on civilians.
Kenneth Roth October 7, 2023 tweet
Equivocation and Omission remain as the only optionsfor an attack on CRDT layer
In short, Netanyahu is here to stay, and so is Hamas, and it is very difficult to find reasons for optimism.
for: Hamas 2023 attack on Israel
comment
In short, the combination of blind intelligence, due to the vision of the country’s leaders, and the absence of troops around the Strip allowed this assault to take place with the human toll that we know.
In short, the intelligence services fell asleep, but to a large extent this can be explained by the government’s stance – and it should be added that for months now the prime minister has been concentrating almost exclusively on his fight to take control of the Supreme Court, which was an absolute priority for him – at least until 7 October.
Obviously, recently, it no longer had any sources within Hamas. Its blindness is no less astonishing. For example, journalists had reported in recent months that many Hamas militants regularly went out to train on motorbikes, and even learned to fly light aircraft; and yet the Israeli services saw nothing of it. This is a major flaw for which they will have to answer one day.
Johnson, S. (2021, June 7). Spat at, abused, attacked: Healthcare staff face rising violence during Covid. The Guardian. http://www.theguardian.com/global-development/2021/jun/07/spat-at-abused-attacked-healthcare-staff-face-rising-violence-during-covid
SARS-CoV-2 variants of concern and variants under investigation. (2021). 45.
In a clickjacking attack, the attacker creates a malicious website in which it loads the authorization server URL in a transparent iframe above the attacker’s web page. The attacker’s web page is stacked below the iframe, and has some innocuous-looking buttons or links, placed very carefully to be directly under the authorization server’s confirmation button. When the user clicks the misleading visible button, they are actually clicking the invisible button on the authorization page, thereby granting access to the attacker’s application. This allows the attacker to trick the user into granting access without their knowledge.
Maybe browsers should prevent transparent iframes?! Most people would never suspect this is even possible.
ANALYSIS OF ATTACK EVENTS
Flash loan is a type of unsecured lending that relies on the atomicity of blockchain transactions at the point of execution and adds dynamism to DeFi
Reentry attack " the DAO"
Arithmetic bug
‘Attack DAO
coalition of MKR, Dai and CDP holders.
These attacks affect both the current single-collateral Dai (SCD or ‘Sai’) and the upcoming multi-collateral Dai (MCD) implementations, as well as similar systems with on-chain governance.
51% is not neccesary to manipulate governance to steal the system's collateral.
Health Nerd. (2021, March 28). Recently, Professor John Ioannidis, most famous for his meta-science and more recently COVID-19 work, published this article in the European Journal of Clinical Investigation It included, among other things, a lengthy personal attack on me Some thoughts 1/n https://t.co/JGfUrpJXh2 [Tweet]. @GidMK. https://twitter.com/GidMK/status/1376304539897237508
Prof. Christina Pagel. (2021, May 23). LONG THREAD on B.1.617.2 & latest PHE data covering: 1) latest tech report on B.1.617.2 (aka ‘India’ variant) 2) vaccine efficacy against B.1.617.2 3) consequences for roadmap 4) avoidability... Or not. [Tweet]. @chrischirp. https://twitter.com/chrischirp/status/1396574267349872644
John Roberts. (2022, January 28). Some (very) early evidence that secondary attack rates of BA.2 are higher in household settings than those of its older sibling. From the latest Variant TB 35. Https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1050999/Technical-Briefing-35-28January2022.pdf 1/ https://t.co/AFTril1jF1 [Tweet]. @john_actuary. https://twitter.com/john_actuary/status/1487086733149749251
The techniques we have outlined—randomization, stack protection, and lim-iting which portions of memory can hold executable code—are three of the mostcommon mechanisms used to minimize the vulnerability of programs to bufferoverflow attacks
有什么技术可以保护程序免收攻击?
Akanbi, U. (2022). Impact of Covid-19 on cyber Security. PsyArXiv. https://doi.org/10.31234/osf.io/ktr4y
Hotez, P. (2021). COVID vaccines: Time to confront anti-vax aggression. Nature, 592(7856), 661–661. https://doi.org/10.1038/d41586-021-01084-x
Antonova, Elena, Karoly Schlosser, Rakesh Pandey, and Veena Kumari. “Coping With COVID-19: Mindfulness-Based Approaches for Mitigating Mental Health Crisis.” Frontiers in Psychiatry 12 (2021). https://doi.org/10.3389/fpsyt.2021.563417.
paint, chairs, food, electric and neon lights, smoke, water, old socks, a dog,movies, a thousand other things that will be discovered by the present generation of artists.
I used to watch a TV show called "Art Attack" when I was a child, which is also my initiation of art. I remember he created a huge artwork made up of used clothes, trash, and some garbage bags. That was also the first time that I know the form of art can be various and diverse. Have you watched this TV show before?
the Guardian. “‘They Stormed the ICU and Beat the Doctor’: Health Workers under Attack,” June 7, 2021. http://www.theguardian.com/global-development/2021/jun/07/they-stormed-the-icu-and-beat-the-doctor-health-workers-under-attack.
Vartanova, I., Eriksson, K., Kirgil, Z. M., & Strimling, P. (2021, April 26). The advent of the COVID-19 epidemic did not affect Americans’ endorsement of moral foundations. https://doi.org/10.31234/osf.io/957zk
Topol, Eric J. ‘COVID-19 Can Affect the Heart’. Science 370, no. 6515 (23 October 2020): 408–9. https://doi.org/10.1126/science.abe2813.
Deepti Gurdasani. (2021, February 27). The campaign against @DrZoeHyde that has involved several scientists targeting her with personal attacks, and trying to misrepresent her is deeply disappointing. She has been referred to as ‘evil’, ‘idiotic’, ‘sadistic’, and a’sociopath’. A few thoughts on these attacks. [Tweet]. @dgurdasani1. https://twitter.com/dgurdasani1/status/1365641557404229638
Dr. Tara C. Smith. (2021, January 23). A reminder: Especially among the elderly, some individuals will die shortly after receipt of the vaccine. What we need to understand is the background rate of such deaths. Are they higher then in the vaccinated population? We didn’t see that in the trials. Some data from @RtAVM. https://t.co/LJe9k1WJQC [Tweet]. @aetiology. https://twitter.com/aetiology/status/1352810672359428097
All it costs is $175 a year for your Shadow Stats subscription—and, of course, any credibility you had left.
Could you please explain why it is a vulnerability for an attacker to know the user names on a system? Currently External Identity Providers are wildly popular, meaning that user names are personal emails.My amazon account is my email address, my Azure account is my email address and both sites manage highly valuable information that could take a whole company out of business... and yet, they show no concern on hiding user names...
Good question: Why do the big players like Azure not seem to worry? Microsoft, Amazon, Google, etc. too probably. In fact, any email provider. So once someone knows your email address, you are (more) vulnerable to someone trying to hack your account. Makes me wonder if the severity of this problem is overrated.
Irony: He (using his full real name) posts:
thus making himself more of a target. (I hope he does not get targetted though.)
Another thing you can do is to add pain to the second part of it. Attackers want the list of valid usernames, so they can then try to guess or brute force the password. You can put protections in place with that as well, whether they are lockouts or multi-factor authentication, so even if they have a valid username, it's much harder to gain access.
That is certainly a good use-case. One thing you can do is to require something other than a user-chosen string as a username, something like an email address, which should be unique. Another thing you could do, and I admit this is not user-friendly at all, to let them sign up with that user name, but send the user an email letting them know that the username is already used. It still indicates a valid username, but adds a lot of overhead to the process of enumeration.
How would you remediate this? One way could be to have the application pad the responses with a random amount of time, throwing off the noticeable difference.
Sometimes, user enumeration is not as simple as a server responding with text on the screen. It can also be based on how long it takes a server to respond. A server may take one amount of time to respond for a valid username and a very different (usually longer) amount of time for an invalid username.
This is a very dangerous practice as each optimization means making assumptions. If you are compressing an image you make an assumption that some payload can be cut out without seriously affecting the quality, if you are adding a cache to your backend you assume that the API will return same results. A correct assumption allows you to spare resources. A false assumption introduces a bug in your app. That’s why optimizations should be done consciously.
but the advantage is the "functional style" with its strict separation of scopes = less attack surface for bugs
Clements, J. C. (2020). Don’t be a prig in peer review. Nature. https://doi.org/10.1038/d41586-020-02512-0
Jolley, D., & Paterson, J. L. (n.d.). Pylons ablaze: Examining the role of 5G COVID-19 conspiracy beliefs and support for violence. British Journal of Social Psychology, n/a(n/a). https://doi.org/10.1111/bjso.12394
Phillips, G. (2020, May 28). How the free press worldwide is under threat. The Guardian. https://www.theguardian.com/media/2020/may/28/how-the-free-press-worldwide-is-under-threat
Ward, B. (2020, May 6). It’s not just Neil Ferguson – scientists are being attacked for telling the truth | Bob Ward. The Guardian. https://www.theguardian.com/commentisfree/2020/may/06/neil-ferguson-scientists-media-government-adviser-social-distancing
Cheng, H.-Y., Jian, S.-W., Liu, D.-P., Ng, T.-C., Huang, W.-T., Lin, H.-H., & for the Taiwan COVID-19 Outbreak Investigation Team. (2020). Contact Tracing Assessment of COVID-19 Transmission Dynamics in Taiwan and Risk at Different Exposure Periods Before and After Symptom Onset. JAMA Internal Medicine. https://doi.org/10.1001/jamainternmed.2020.2020
The answer, of course, is end-to-end encryption. The way this works is to remove any “man-in-the-middle” vulnerabilities by encrypting messages from endpoint to endpoint, with only the sender and recipient holding the decryption key. This level of messaging security was pushed into the mass-market by WhatsApp, and has now become a standard feature of every other decent platform.
The issue, though—and it’s a big one, is that the SMS infrastructure is inherently insecure, lending itself to so-called “man-in-the-middle attacks.” Messages run through network data centres, everything can be seen—security is basic at best, and you are vulnerable to local carrier interception when travelling.
When you make a call using Signal, it will generate a two-word secret code on both the profiles. You will speak the first word and the recipient will check it. Then he will speak the second word and you can check it on your end. If both the words match, the call has not been intercepted and connected to the correct profile
Rybniker, J., & Fätkenheuer, G. (2020). Importance of precise data on SARS-CoV-2 transmission dynamics control. The Lancet Infectious Diseases, S1473309920303595. https://doi.org/10.1016/S1473-3099(20)30359-5
Liu, Y., Eggo, R. M., & Kucharski, A. J. (2020). Secondary attack rate and superspreading events for SARS-CoV-2. The Lancet, 395(10227), e47. https://doi.org/10.1016/S0140-6736(20)30462-1
Hamner L, Dubbel P, Capron I, et al. High SARS-CoV-2 Attack Rate Following Exposure at a Choir Practice — Skagit County, Washington, March 2020. MMWR Morb Mortal Wkly Rep 2020;69:606–610. DOI: http://dx.doi.org/10.15585/mmwr.mm6919e6external icon
Ghinai, I., Woods, S., Ritger, K. A., McPherson, T. D., Black, S. R., Sparrow, L., Fricchione, M. J., Kerins, J. L., Pacilli, M., Ruestow, P. S., Arwady, M. A., Beavers, S. F., Payne, D. C., Kirking, H. L., & Layden, J. E. (2020). Community Transmission of SARS-CoV-2 at Two Family Gatherings—Chicago, Illinois, February–March 2020. MMWR. Morbidity and Mortality Weekly Report, 69(15), 446–450. https://doi.org/10.15585/mmwr.mm6915e1
Li, W., Zhang, B., Lu, J., Liu, S., Chang, Z., Cao, P., Liu, X., Zhang, P., Ling, Y., Tao, K., & Chen, J. (2020). The characteristics of household transmission of COVID-19. Clinical Infectious Diseases, ciaa450. https://doi.org/10.1093/cid/ciaa450
Jing, Q.-L., Liu, M.-J., Yuan, J., Zhang, Z.-B., Zhang, A.-R., Dean, N. E., Luo, L., Ma, M.-M., Longini, I., Kenah, E., Lu, Y., Ma, Y., Jalali, N., Fang, L.-Q., Yang, Z.-C., & Yang, Y. (2020). Household Secondary Attack Rate of COVID-19 and Associated Determinants [Preprint]. Epidemiology. https://doi.org/10.1101/2020.04.11.20056010
Burke RM, Midgley CM, Dratch A, et al. Active Monitoring of Persons Exposed to Patients with Confirmed COVID-19 — United States, January–February 2020. MMWR Morb Mortal Wkly Rep 2020;69:245–246. DOI: http://dx.doi.org/10.15585/mmwr.mm6909e1
Dr Muge Cevik on Twitter
Steinbrook, R. (2020). Contact Tracing, Testing, and Control of COVID-19—Learning From Taiwan. JAMA Internal Medicine. https://doi.org/10.1001/jamainternmed.2020.2072
Halpert, J. (2020 April 11). How to manage panic attacks. The New York Times. https://www.nytimes.com/2020/04/11/smarter-living/coronavirus-managing-panic-attacks.html
Since the authenticity token is stored in the session, the client cannot know its value. This prevents people from submitting forms to a Rails app without viewing the form within that app itself. Imagine that you are using service A, you logged into the service and everything is ok. Now imagine that you went to use service B, and you saw a picture you like, and pressed on the picture to view a larger size of it. Now, if some evil code was there at service B, it might send a request to service A (which you are logged into), and ask to delete your account, by sending a request to http://serviceA.com/close_account. This is what is known as CSRF (Cross Site Request Forgery). If service A is using authenticity tokens, this attack vector is no longer applicable, since the request from service B would not contain the correct authenticity token, and will not be allowed to continue.
pardons twenty absurdities and defects for one elevated or pathetic stroke.
I feel like this is where I live -- thank you for noticing me Hume
Terrorist use of an actual nuclear bomb is a low-probability event
Low probability and high impact but not a black swan
we attempt to spell out here the likely consequences of the explosion of a single terrorist nuclear bomb on a major city, and its subsequent ripple effects on the rest of the planet.
