HP Poly VoIP vulnerability sets the stage for executive voice deepfakes
ICE enables VoIP devices to establish peer-to-peer connections using the shortest available network path. The feature is not enabled by default on HP Poly devices,…
Category: CISOOnline
Malware could drain your fuel tank as well as your bank account
The attacks take three forms: authentication bypass and hardcoded credentials, which allow attackers to gain access to device management; OS command execution and SQL injection…
Patching fast and slow: Ruby devs delay to defend against supply chain attack
To counteract this, RubyGems team has added a new cooldown argument to Bundler that takes ignores gems until they have been published for a specified…
Microsoft identifies seven new ways AI agents can be hacked
The seven new failure modes it has identified are: Agentic Supply Chain Compromise —agent behavior can be affected by natural language rather than malicious code;…
AI tools becoming hot commodities on ransomware marketplaces
The AI tools for sale divided into four categories: Weaponized LLMs: Sometimes called dark LLMs, these tools omit the safety guardrails and rules present in…
Claude Code has an MCP security problem — and your developers are already using it
What researchers found Last week, researchers at Mitiga Labs published an attack chain that should concern every security team whose developers use Claude Code. The…
US government report slams NIST for NVD backlog
Inter-agency squabbles The Inspector General’s report blamed NIST for a variety of management and strategy shortcomings. “NIST’s lack of strategic planning and decisive action have…
OpenAI responds to White House executive order on AI governance
At the center of OpenAI’s proposal is a distinction between government evaluation and government approval. The company proposed that the most capable AI models undergo…
HTTP/2’s speed abused to slow webserver performance in DoS attack
HTTP/2 was introduced in 2015 to increase the speed of HTTP by allowing multiple simultaneous connections, and is gradually being superceded by HTTP/3, which is…
Hugging Face Transformers RCE flaw enables stealthy compromise via AI model configs
“The malicious field uses an underscore-prefixed name that looks like an internal implementation detail — the kind of field that config files are full of,”…
Beware the ‘son of Mythos,’ security experts warn
“When we’re doing threat modeling, we have some sense that these are the known vulnerabilities that we are modeling against and here’s where we think…
Hole in GitHub’s browser-based VSCode editor could lead to stolen token
First, the bug: Users of github.com may not realize it, but when they are on any repository, they can shift to github.dev and its browser-based…