Computer Science | Breaking Cybersecurity News | The Hacker News

A new security shortcoming discovered in Apple M-series chips could be exploited to extract secret keys used during cryptographic operations. Dubbed  GoFetch , the vulnerability relates to a microarchitectural side-channel attack that takes advantage of a feature known as data memory-dependent prefetcher (DMP) to target constant-time cryptographic implementations and capture sensitive data from the CPU cache. Apple was made aware of the findings in December 2023. Prefetchers are a hardware optimization technique that predicts what memory addresses a currently running program will access in the near future and retrieve the data into the cache accordingly from the main memory. The goal of this approach is to reduce the program's memory access latency. DMP is a type of prefetcher that takes into account the contents of memory based on previously observed access patterns when determining what to prefetch. This behavior makes it ripe for cache-based attacks that trick the prefetche

A group of researchers has discovered a new data leakage attack impacting modern CPU architectures supporting speculative execution. Dubbed  GhostRace  ( CVE-2024-2193 ), it is a variation of the transient execution CPU vulnerability known as Spectre v1 (CVE-2017-5753). The approach combines speculative execution and race conditions. "All the common synchronization primitives implemented using conditional branches can be microarchitecturally bypassed on speculative paths using a branch misprediction attack, turning all architecturally race-free critical regions into Speculative Race Conditions (SRCs), allowing attackers to leak information from the target," the researchers  said . The findings from the Systems Security Research Group at IBM Research Europe and VUSec, the latter of which disclosed another side-channel attack called  SLAM  targeting modern processors in December 2023. Spectre refers to a  class of side-channel attacks  that exploit branch prediction and s

As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, "Your First 100 Days as a vCISO – 5 Steps to Success" , which covers all the phases entailed in launching a successful vCISO engagement, along with recommended actions to take, and step-by-step examples.  Following the success of the playbook and the requests that have come in from the MSP/MSSP community, we decided to drill down into specific parts of vCISO reporting and provide more color and examples. In this article, we focus on how to create compelling narratives within a report, which has a significant impact on the overall MSP/MSSP value proposition.  This article brings the highlights of a recent guided workshop we held, covering what makes a successful report and how it can be used to enhance engagement with your cyber security clients.

The U.S. government on Tuesday announced the takedown of the IPStorm botnet proxy network and its infrastructure, as the Russian and Moldovan national behind the operation pleaded guilty. "The botnet infrastructure had infected Windows systems then further expanded to infect Linux, Mac, and Android devices, victimizing computers and other electronic devices around the world, including in Asia, Europe, North America and South America," the Department of Justice (DoJ)  said  in a press statement. Sergei Makinin, who developed and deployed the malicious software to infiltrate thousands of internet-connected devices from June 2019 through December 2022, faces a maximum of 30 years in prison. The Golang-based botnet malware, prior to its dismantling,  turned the infected devices into proxies  as part of a for-profit scheme, which was then offered to other customers via proxx[.]io and proxx[.]net. "IPStorm is a botnet that abuses a legitimate peer-to-peer (p2p) network c

Google last month addressed a high-severity flaw in its OAuth client library for Java that could be abused by a malicious actor with a compromised token to deploy arbitrary payloads. Tracked as  CVE-2021-22573 , the vulnerability is rated 8.7 out of 10 for severity and relates to an authentication bypass in the library that stems from an improper verification of the cryptographic signature. Credited with discovering and reporting the flaw on March 12 is  Tamjid Al Rahat , a fourth-year Ph.D. student of Computer Science at the University of Virginia, who has been awarded $5,000 as part of Google's bug bounty program. "The vulnerability is that the IDToken verifier does not verify if the token is properly signed," an  advisory  for the flaw reads. "Signature verification makes sure that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on

The United States could soon face a significant shortage of computer science professionals unless it starts graduating more students in this field. At a time when computer hacking and security are critical issues for both the government and the private sector, the U.S. is producing only 9,000 computer science graduates annually. Among them, only 700 specialize in computer and information systems security. This number is far from sufficient, especially when considering that a single defense contractor, Booz Allen Hamilton, alone needs 1,000 computer security specialists. Meanwhile, the military is dealing with the rapid rise of cyber warfare. It is becoming increasingly clear that while a traditional military attack on the United States is unlikely, the nation's economic system could be vulnerable to a cyber attack. Conversely, the U.S. can leverage its cyber capabilities to attack other countries. For instance, in September, Iran's nuclear program was disrupted by a computer