今日已更新 166 条资讯 | 累计 20138 条内容
关于我们

标签:#Cybersecurity

找到 166 篇相关文章

AI 资讯

Your Database Will Be Breached Someday. The Question Is: Will Passwords Be Inside?

Most developers think password hashing is about authentication. It's not. Authentication is just a side effect. Password hashing exists for a much darker reason: because databases get stolen. Every year, companies invest millions in firewalls, monitoring systems, cloud security, and access controls. Yet breach after breach continues to make headlines. The uncomfortable truth is that security teams don't assume a breach will never happen. They assume it eventually will. And when that day comes, one question determines whether the incident becomes a minor security event or a full-scale disaster: Did you hash the passwords? The Difference Between an Incident and a Catastrophe Imagine an attacker gains read access to your production database. Not a far-fetched scenario. A leaked backup. A vulnerable API. A compromised employee account. A misconfigured cloud bucket. The attacker runs a simple query: SELECT email , password FROM users ; If your system stores passwords in plain text, the breach is over. The attacker already won. No advanced techniques. No brute force. No expensive infrastructure. They now possess something more valuable than your database itself: your users' digital identities. Because users rarely reuse databases. They reuse passwords. The same password protecting an account on your platform might also unlock their Gmail, GitHub, LinkedIn, banking app, or company VPN. What started as your security problem instantly becomes everyone else's. This Is Not Theoretical History has repeatedly shown what happens when passwords are handled incorrectly. The RockYou breach exposed more than 30 million passwords stored in plain text. Attackers didn't need to crack anything. They simply read the data. Years later, those leaked passwords were still appearing in credential stuffing attacks across the internet. A single backend decision survived longer than the company itself. That's the thing about password leaks. They don't expire when the incident report is published.

2026-06-25 原文 →
AI 资讯

Why the Scams Prevention Framework Requires More Than Awareness

For years, scam prevention has leaned heavily on awareness. Be careful. Do not click suspicious links. Check the sender. Call the organisation directly. Do not trust urgent payment requests. Slow down before you act. These messages are useful, and they should not disappear. But awareness is no longer enough to describe what serious scam defence requires. The Scams Prevention Framework, or SPF, moves the conversation from “make users more careful” to “make the scam ecosystem harder to exploit.” That shift is important. Modern scams do not succeed only because a user failed to notice a warning sign. They succeed because scam operators move through gaps between messaging channels, platforms, brand impersonation, payment pressure, fake infrastructure, multilingual persuasion, reporting delays, and weak post-report disruption. Awareness helps at the point of decision. SPF requires capability across the whole chain. In my view, awareness alone covers about 28% of the real scam defence problem. The rest sits in evidence quality, intelligence sharing, infrastructure disruption, multilingual interpretation, safe financial harm context, recurrence monitoring, and operational response. That is why SPF should not be read as an education policy. It should be read as an operating model. The Awareness Ceiling Awareness is a front-line control, not a full defence system. It helps users recognise risk, but it cannot remove the fake page, connect related reports, preserve evidence, disrupt a fake app, identify a phone-linked abuse path, or monitor the next replacement domain. It also assumes the user has enough time, confidence, language support, and emotional distance to make a calm decision. Many scam situations are built specifically to remove those conditions. Scammers do not only trick uninformed people. They create urgency for informed people. They create authority for cautious people. They create routine-looking payment requests for busy people. They create private pressure fo

2026-06-25 原文 →
AI 资讯

Welcome to My Developer Blog

I'm Dr. Mohammad Reza Beheshti, Founder of CyberSiARA. I hold a PhD in Electronic Engineering and Artificial Intelligence and have over 15 years of experience in cybersecurity research and innovation. My passion has always been solving complex security challenges through technology. This journey led me to found CyberSiARA, where we're developing AI-powered bot protection and human verification solutions to help organizations defend against increasingly sophisticated cyber threats. I enjoy combining academic research with practical engineering to create technologies that are both innovative and effective in the real world. Through this blog, I share insights from my research, product development, and experiences building a cybersecurity company, with the aim of helping developers and security professionals stay ahead of emerging threats. I'm always keen to learn, collaborate, and contribute to the global developer and cybersecurity communities.

2026-06-24 原文 →
AI 资讯

npm Supply Chain RAT: PostCSS Impersonation & Dependency Confusion

Originally published on satyamrastogi.com Three malicious npm packages masquerading as PostCSS tools delivered Windows RAT payloads. Analysis of supply chain attack mechanics, payload delivery chains, and detection gaps in dependency management. Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT Executive Summary This is a textbook supply chain attack leveraging npm's trust model. Three packages published in June 2026 - aes-decode-runner-pro , postcss-minify-selector , and postcss-minify-selector-parser - delivered Windows RAT payloads to developers. The attack demonstrates why automated dependency management without behavioral validation is a critical vulnerability. What makes this particularly effective: PostCSS is a legitimate, widely-used build tool. Developers hunting for PostCSS plugins via search or copy-pasting dependency names from tutorials become easy prey. The attacker didn't need zero-days, social engineering sophistication, or exploit kits. Just npm account registration and package uploads. This follows the exact pattern we've seen in credential theft campaigns prioritizing convenience over complexity . Low barrier to entry, high payoff. Attack Vector Analysis MITRE ATT&CK Framework Mapping This attack chains multiple techniques: T1195.001: Compromise Third-Party Software Supply Chain - Malicious package publication on npm registry T1566.002: Phishing - Spearphishing Link - Package discovery and recommendation (implicit trust) T1059.003: Command and Scripting Interpreter - Windows Command Shell - RAT payload execution T1105: Ingress Tool Transfer - Initial RAT download mechanism T1571: Non-Standard Port - C2 communication channels (typical) Kill Chain Breakdown Stage 1: Reconnaissance & Naming Attacker identifies PostCSS as high-value target (builds present in thousands of projects) Creates names that blend legitimacy with search results: postcss-minify-selector exploits incomplete package searches The aes-decode-runner-pro variant sug

2026-06-23 原文 →
AI 资讯

The Invisible Guardrail: How Commercial LLMs Enforce Algorithmic Paternalism

I recently published my PhD thesis analyzing what I term the "Alignment Tax" and the emerging phenomenon of Algorithmic Paternalism in commercial artificial intelligence. As the tech industry rapidly positions Large Language Models (LLMs) as the primary interface for information retrieval and coding assistance, a critical epistemological issue is being largely ignored. Much of the public debate regarding AI alignment focuses exclusively on existential risk or the prevention of catastrophic physical harm. While necessary, this focus obscures the structural damage being done to legitimate technical research. Through my research in Cybersecurity and AI, I have documented how frontier models (such as GPT-4 or Claude) systematically enforce what I define as "Soft Refusals". When presented with a complex, edge-case, or dual-use query—particularly in fields like information security, reverse engineering, or deep systems architecture—these models rarely issue a hard, explicit "I cannot answer that". Instead, they provide a degraded, superficial, or heavily sanitized response. They effectively neuter the research process without the user fully realizing the depth of technical information that is being actively withheld. This is Algorithmic Paternalism. The commercial model acts as a silent, corporate arbiter, deciding unilaterally what level of technical detail is "safe" for the user to possess. This dynamic flattens the available technical knowledge and actively penalizes independent researchers and developers working on advanced problems. The core issue is that this paradigm creates a profound class division in how we access computational intelligence. We are rapidly moving toward a two-tier system. On one side, there are "certified" entities, corporate partners, and wealthy organizations who are granted direct access to strong, unfiltered base models. On the other side, the general public and independent developers are subjected to obfuscation algorithms, sanitized APIs,

2026-06-23 原文 →
AI 资讯

Securing AI: Codex Operational Bugs, Claude Output Integrity, Copilot Context

Securing AI: Codex Operational Bugs, Claude Output Integrity, Copilot Context Today's Highlights This week's top security news highlights critical operational bugs impacting AI systems, alongside deeper dives into ensuring the integrity of AI-generated content. We also explore how improved context handling in AI coding assistants can subtly enhance generated code security. Codex logging bug may write TBs to local SSDs (Hacker News) Source: https://github.openai/codex/issues/28224 A recently disclosed bug in OpenAI's Codex has revealed a critical operational security concern: excessive logging that can lead to the rapid consumption of local SSD storage. This issue, documented on GitHub, highlights how seemingly innocuous software bugs can escalate into denial-of-service (DoS) vectors, particularly in resource-intensive AI environments. While not an exploit in the traditional sense, a system running out of disk space due to uncontrolled logging can halt operations, prevent critical updates, or even lead to data loss if not managed proactively. For developers and system administrators deploying AI models like Codex, this bug serves as a potent reminder of the importance of robust logging configurations and monitoring. Proactive measures, such as log rotation, size limits, and alerts for abnormal disk usage, become essential hardening techniques. This vulnerability underscores that operational stability is a key component of overall system security, especially when integrating complex AI tools into production environments where resource consumption can be unpredictable. Comment: This bug is a stark reminder that even sophisticated AI tools can have fundamental operational flaws. Monitoring disk usage and implementing strict log management policies are non-negotiable for AI deployments. The text in Claude Code’s “Extended Thinking” output (Hacker News) Source: https://patrickmccanna.net/the-text-in-claude-codes-extended-thinking-output-is-not-authentic/ An analysis of Cl

2026-06-23 原文 →
产品设计

Why UPI and Fintech Apps Need Business Logic Testing (Not Just Security Testing)

Most fintech breaches you read about involve a hacker, a vulnerability, and a headline. Most fintech losses I've actually seen up close involve none of those things. They involve someone who read the terms of a cashback offer more carefully than the product team did, found the one path through the workflow nobody had tested, and quietly walked away with money the system handed over willingly. That's the part standard security testing misses. A penetration test asks: can someone break in? Business logic testing asks a more uncomfortable question: what happens if someone uses every feature exactly as designed, just not exactly as intended ? In a country processing billions of UPI transactions a month, that second question matters just as much as the first — arguably more, because nobody needs a zero-day to abuse a referral program. Here's where that gap shows up most often in Indian fintech apps. Wallet Systems: Built for Speed, Tested for Function, Rarely Tested for Abuse A digital wallet sits at the intersection of multiple money-in paths — UPI, card, net banking, cashback credits — and at least one money-out path. Every intersection like that is a place where timing and assumptions can quietly fall apart. The classic version of this is a race condition: top up the wallet and spend from it in two near-simultaneous requests, and check whether the balance check happens before or after both transactions are committed. Done right, this should be impossible. Done wrong, a user can spend money that, technically, hadn't arrived yet — or spend the same balance twice. There's a quieter version of the same problem around refunds. If a refund is credited back to the wallet on a different timeline than the original debit was finalized, there's often a window where the balance briefly shows more than it should, and a fast enough user can act inside that window before reconciliation catches up. And then there's KYC tiering. Minimum-KYC wallets in India are deliberately capped at

2026-06-21 原文 →
AI 资讯

Securing LLM Agent Teams: Inside NRT-Defense v0.4.0

Securing LLM Agent Teams: Inside NRT-Defense v0.4.0 Multi-turn autonomous LLM agents are expanding rapidly in safety-critical systems. However, a major vulnerability has been exposed by Lee et al. (2026) in the NRT-Bench paper : adaptive multi-turn attacks can exploit disjoint model vulnerabilities, causing a 8.7% to 12.1% loss of Critical Safety Functions (CSFs) . To solve this, I am open-sourcing NRT-Defense , an adaptive multi-turn defense framework designed to monitor agent sessions and reduce the attack success rate to <1% . The Threat: Context Drift and Disjoint Exploits Standard guardrails evaluate prompts in isolation (single-turn). Attackers leverage this by spreading an exploit across multiple conversational turns. Turn by turn, the context drifts until the agent team completely bypasses its safety containment. The NRT-Bench paper demonstrated this in a simulated nuclear power plant control room with 5 operator roles, 4 attack channels, and 6 critical safety functions. The results were alarming: Metric Value Attack success rate 8.7% — 12.1% Sessions analyzed 149 Models tested 4 frontier LLMs Vulnerability overlap Nearly disjoint The key finding: vulnerabilities are nearly disjoint across models . An attack that works against GPT-4 may not work against Claude. This means model diversity is itself a defense — but only if you can detect and respond to attacks in real-time. The Solution: 3-Step CMPE Defense nrt-defense neutralizes this threat through a continuous, multi-component pipeline: Per-Turn Message Analysis: Evaluates channel risk and turn-escalation metrics. Each message is scored for adversarial content using keyword detection, pattern matching, and channel-specific risk weights. Real-Time CSF Monitoring: Tracks 6 operational critical safety functions simultaneously. Risk accumulates over turns and triggers alerts when thresholds are breached. Context-Aware Misdirection Prompt Engineering (CMPE): When an anomaly is detected, instead of a blunt reject

2026-06-21 原文 →
开发者

Remote File Inclusion: How a Single URL Parameter Can Give Attackers Full Control of Your Server

Remote File Inclusion (RFI) is a web vulnerability where an application accepts a URL from user input, fetches the file at that URL, and executes it. When there is no validation on what URLs are allowed, an attacker can point the application to a malicious script on their own server and get it executed remotely. This pattern shows up in automation tools, plugin systems, and CI/CD pipelines. The idea of loading scripts from a URL seems useful, but without strict controls, it becomes a direct path to remote code execution. Here is a simplified example of vulnerable server-side code: // Vulnerable automation runner - DO NOT USE IN PRODUCTION const express = require ( ' express ' ); const http = require ( ' http ' ); const https = require ( ' https ' ); const app = express (); app . get ( ' /api/automation/run ' , ( req , res ) => { const scriptUrl = req . query . scriptUrl ; const startTime = Date . now (); const parsedUrl = new URL ( scriptUrl ); const client = parsedUrl . protocol === ' https: ' ? https : http ; client . get ( scriptUrl , ( response ) => { let data = '' ; response . on ( ' data ' , ( chunk ) => { data += chunk ; }); response . on ( ' end ' , () => { // VULNERABLE: executes fetched script without sandboxing or validation const output = eval ( data ); const executionTime = Date . now () - startTime ; res . json ({ status : ' success ' , output : output , executionTimeMs : executionTime }); }); }); }); app . listen ( 8080 , () => { console . log ( ' Server running on port 8080 ' ); }); The core problem with the code above: It accepts any URL from user input without validation It fetches and runs that URL's content using eval() There is no sandboxing or restriction on what the script can do The code runs with the same privileges as the application itself Ethical Considerations This is for educational purposes only. You should only test for RFI on systems you own or have explicit permission to test. Unauthorized testing is illegal and can lead to serious

2026-06-20 原文 →
AI 资讯

Section 1.1 — Comparing AI Types and Techniques Used in Cybersecurity

Hi, it's Furkan. I'm a security professional prepping for the CompTIA SecAI+ (CY0-001) cert, and I couldn't find study material that actually clicked for me, so I built my own and structured it around the exam blueprint. This is me sharing it back. Each post maps to one objective, and I've leaned hard on real-world scenarios because that's what made it stick for me. If it helps you pass too, even better. CompTIA SecAI+ CY0-001 | Domain 1.0: Basic AI Concepts Related to Cybersecurity "Compare and contrast various AI types and techniques used in cybersecurity." 🧠 What's in This Section? This one breaks down into three big building blocks: AI Types — which kind of AI does what, and where it shows up in security Model Training Techniques — how a model actually gets trained and tuned Prompt Engineering — how to ask an AI the right question Ready? Let's get into it. 🔷 PART 1: Types of AI AI isn't one single thing. Different problems call for different AI approaches. Think of a carpenter's toolbox: there's a hammer, a screwdriver, a saw. They all do different jobs, but they're all "tools." AI types work the same way. 1. Generative AI What it does: Creates new content. Text, images, audio, code; whatever you ask for. How it works: Models trained on huge amounts of data use the patterns they've learned to produce outputs that never existed before. They don't memorize, they learn patterns and then build new things out of them. In security: Defense side: Building security awareness training by simulating phishing emails, auto-generating incident response playbooks, drafting security reports. Offense side: Attackers use generative AI to spin up convincing phishing emails, deepfake audio, or malicious code. 🍕 Real-World Example: A security team wants to test their employees, so they use generative AI to write phishing emails that nail the CEO's writing style. "Hey, I need you to push through an urgent payment...", the email is so realistic that 40% of staff click. That right the

2026-06-20 原文 →