«I had the distinct pleasure of working with Fernando during my tenure at Yalo, and from our very first interaction, it was evident that collaborating with him would be a rewarding experience. At that time, I was responsible for developing a solution for our new Business Unit focused on electronic payments. Fernando immediately extended his expertise and support, becoming an invaluable asset to our team. Fernando's technological proficiency is truly exceptional. His deep knowledge of security technology and his keen understanding of the implications of every security pathway were instrumental in the success of our project. Facing an aggressive timeline to bring our solution to market, Fernando rose to the challenge, providing unwavering support and expert guidance to ensure we met our goals. Fernando's combination of technical acumen, dedication, and collaborative spirit is truly impressive. Any organization would be fortunate to have someone of his caliber, and I wholeheartedly recommend him for any opportunity he pursues.»
Acerca de
Fernando Gont is currently Staff Platform Security Engineer at Yalo, and has over twenty…
Actividad
-
Visit of my old friend Florian Horsch at HOLY, one of the coolest #hypergrowth startups in Berlin. Also had some good discussions about #foundermode
Visit of my old friend Florian Horsch at HOLY, one of the coolest #hypergrowth startups in Berlin. Also had some good discussions about #foundermode
Recomendado por Fernando Gont
-
📣 Comunidad de #ISP de Yucatán e #IXSYFellows 👩🏽💻🧑🏻💻2️⃣0️⃣2️⃣5️⃣ Vamos caminando hacia el #IXSYMeeting 2️⃣0️⃣2️⃣5️⃣, con el entrenamiento…
📣 Comunidad de #ISP de Yucatán e #IXSYFellows 👩🏽💻🧑🏻💻2️⃣0️⃣2️⃣5️⃣ Vamos caminando hacia el #IXSYMeeting 2️⃣0️⃣2️⃣5️⃣, con el entrenamiento…
Recomendado por Fernando Gont
-
Updated revision of my IETF Interne-Draft "Problem Statement about IPv6 Support for Multiple Routers, Multiple Interfaces, and Multiple Prefixes"…
Updated revision of my IETF Interne-Draft "Problem Statement about IPv6 Support for Multiple Routers, Multiple Interfaces, and Multiple Prefixes"…
Compartido por Fernando Gont
Experiencia de voluntariado
-
Chair
LACNIC Security Forum (LACSEC)
- 7 años 6 meses
Moderator of the LACNIC Security Forum, and Chair of the LACSEC event
Publicaciones
-
RFC 6528: Defending against Sequence Number Attacks
IETF
This document specifies an algorithm for the generation of TCP Initial Sequence Numbers (ISNs), such that the chances of an off-path attacker guessing the sequence numbers in use by a target connection are reduced. This document revises (and formally obsoletes) RFC 1948, and takes the ISN generation algorithm originally proposed in that document to Standards Track, formally updating RFC 793.
Otros autores -
-
RFC 6274: Security Assessment of the Internet Protocol Version 4
IETF
Ver publicaciónThis document contains a security assessment of the IETF specifications of the Internet Protocol version 4 and of a number of mechanisms and policies in use by popular IPv4 implementations. It is based on the results of a project carried out by the UK's Centre for the Protection of National Infrastructure (CPNI).
-
RFC 6191: Reducing the TIME-WAIT State Using TCP Timestamps
IETF
Ver publicaciónThis document describes an algorithm for processing incoming SYN segments that allows higher connection-establishment rates between any two TCP endpoints when a TCP Timestamps option is present in the incoming SYN segment. This document only modifies processing of SYN segments received for connections in the TIME-WAIT state; processing in all other states is unchanged.
-
RFC 6056: Recommendations for Transport-Protocol Port Randomization
IETF
Ver publicaciónDuring the last few years, awareness has been raised about a number of "blind" attacks that can be performed against the Transmission Control Protocol (TCP) and similar protocols. The consequences of these attacks range from throughput reduction to broken connections or data corruption. These attacks rely on the attacker's ability to guess or know the five-tuple (Protocol, Source Address, Destination Address, Source Port, Destination Port) that identifies the transport protocol instance to be…
During the last few years, awareness has been raised about a number of "blind" attacks that can be performed against the Transmission Control Protocol (TCP) and similar protocols. The consequences of these attacks range from throughput reduction to broken connections or data corruption. These attacks rely on the attacker's ability to guess or know the five-tuple (Protocol, Source Address, Destination Address, Source Port, Destination Port) that identifies the transport protocol instance to be attacked. This document describes a number of simple and efficient methods for the selection of the client port number, such that the possibility of an attacker guessing the exact value is reduced. While this is not a replacement for cryptographic methods for protecting the transport-protocol instance, the aforementioned port selection algorithms provide improved security with very little effort and without any key management overhead. The algorithms described in this document are local policies that may be incrementally deployed and that do not violate the specifications of any of the transport protocols that may benefit from them, such as TCP, UDP, UDP-lite, Stream Control Transmission Protocol (SCTP), Datagram Congestion Control Protocol (DCCP), and RTP (provided that the RTP application explicitly signals the RTP and RTCP port numbers).
-
RFC 6093: On the Implementation of the TCP Urgent Mechanism
IETF
This document analyzes how current TCP implementations process TCP urgent indications and how the behavior of some widely deployed middleboxes affects how end systems process urgent indications. This document updates the relevant specifications such that they accommodate current practice in processing TCP urgent indications, raises awareness about the reliability of TCP urgent indications in the Internet, and recommends against the use of urgent indications (but provides advice to applications…
This document analyzes how current TCP implementations process TCP urgent indications and how the behavior of some widely deployed middleboxes affects how end systems process urgent indications. This document updates the relevant specifications such that they accommodate current practice in processing TCP urgent indications, raises awareness about the reliability of TCP urgent indications in the Internet, and recommends against the use of urgent indications (but provides advice to applications that do).
Otros autores -
-
RFC 5927: ICMP Attacks against TCP
IETF
Ver publicaciónThis document discusses the use of the Internet Control Message Protocol (ICMP) to perform a variety of attacks against the Transmission Control Protocol (TCP). Additionally, this document describes a number of widely implemented modifications to TCP's handling of ICMP error messages that help to mitigate these issues.
-
RFC 5482: TCP User Timeout Option
IETF
The TCP user timeout controls how long transmitted data may remain unacknowledged before a connection is forcefully closed. It is a local, per-connection parameter. This document specifies a new TCP option -- the TCP User Timeout Option -- that allows one end of a TCP connection to advertise its current user timeout value. This information provides advice to the other end of the TCP connection to adapt its user timeout accordingly. Increasing the user timeouts on both ends of a TCP…
The TCP user timeout controls how long transmitted data may remain unacknowledged before a connection is forcefully closed. It is a local, per-connection parameter. This document specifies a new TCP option -- the TCP User Timeout Option -- that allows one end of a TCP connection to advertise its current user timeout value. This information provides advice to the other end of the TCP connection to adapt its user timeout accordingly. Increasing the user timeouts on both ends of a TCP connection allows it to survive extended periods without end-to-end connectivity. Decreasing the user timeouts allows busy servers to explicitly notify their clients that they will maintain the connection state only for a short time without connectivity.
Otros autores -
-
RFC 5461: TCP's Reaction to Soft Errors
IETF
Ver publicaciónThis document describes a non-standard, but widely implemented, modification to TCP's handling of ICMP soft error messages that rejects pending connection-requests when those error messages are received. This behavior reduces the likelihood of long delays between connection-establishment attempts that may arise in a number of scenarios, including one in which dual-stack nodes that have IPv6 enabled by default are deployed in IPv4 or mixed IPv4 and IPv6 environments.
-
Security Assessment of the Transmission Control Protocol (TCP)
United Kingdom's Centre for the Protection of National Infrastructure (CPNI)
Ver publicaciónThis document is the result of a security assessment of the IETF specifications of the Transmission Control Protocol (TCP), from a security point of view. Possible threats are identified and, where possible, countermeasures are proposed. Additionally, many implementation flaws that have led to security vulnerabilities have been referenced in the hope that future implementations will not incur the same problems.
-
Security Assessment of the Internet Protocol
United Kingdom's Centre for the Protection of National Infrastructure (CPNI)
Ver publicaciónThis document is the result of an assessment of the IETF specifications of the Internet Protocol from a security point of view. Possible threats were identified and, where possible, counter-measures were proposed. Additionally, many implementation flaws that have led to security vulnerabilities have been referenced in the hope that future implementations will not incur the same problems. This document does not limit itself to
performing a security assessment of the relevant IETF…This document is the result of an assessment of the IETF specifications of the Internet Protocol from a security point of view. Possible threats were identified and, where possible, counter-measures were proposed. Additionally, many implementation flaws that have led to security vulnerabilities have been referenced in the hope that future implementations will not incur the same problems. This document does not limit itself to
performing a security assessment of the relevant IETF specification but also offers an assessment of common implementation strategies.
Whilst not aiming to be the final word on the security of the IP, this document aims to raise awareness about the many security threats based on the IP protocol that have been faced in the past, those that we are currently facing, and those we may still have to deal with in the future. It provides advice for the secure implementation of the IP, and also insights about the security aspects of the IP that may be of help to the Internet operations
community.
Proyectos
-
SI6 Networks' IoT Toolkit
Ver proyectoThe SI6 Networks' Internet of Things (IoT) Toolkit is a security assessment and troubleshooting tool for IoT devices and protocols.
-
IPv6 Toolkit Debian package
Collaboration with Octavio Alvarez (maintainer of the SI6 Networks' IPv6 toolkit Debian package)
Otros creadores -
-
SI6 Networks' IPv6 Address Monitoring Daemon
Ver proyectoipv6mon is a tool meant for monitoring IPv6 address usage on a local network. It is meant to be particularly useful in networks that employ IPv6 Stateless Address Auto-Configuration (as opposed to DHCPv6), where address assignment is decentralized and there is no central server that records which IPv6 addresses have been assigned to which nodes during which period of time. ipv6mon employs active probing to discover IPv6 addresses in use, and determine whether such addresses remain active.
-
SI6 Networks' IPv6 Toolkit
Ver proyectoThe IPv6 toolkit is a portable IPv6 security assessment suite originally produced by Fernando Gont as part of a project funded by the UK CPNI.
Idiomas
-
Spanish
Competencia bilingüe o nativa
-
English
Competencia bilingüe o nativa
-
Portuguese
Competencia básica
Empresas
-
IEEE
-
Recomendaciones recibidas
2 personas han recomendado a Fernando
Unirse para verloMás actividad de Fernando
-
Este domingo saldré en el programa de Teresa Cabado, Educacion y Sociedad en el canal Metro. Representando al Instituto Universitario para el…
Este domingo saldré en el programa de Teresa Cabado, Educacion y Sociedad en el canal Metro. Representando al Instituto Universitario para el…
Recomendado por Fernando Gont
Perfiles similares
Ver más publicaciones
-
Tal Skverer
-6- Taming the Beast: Inside the Llama 3 Red Team Process - Maya Pavlova, Ivan Evtimov, Joanna Bitton, Aaron Grattafiori We meet the team at Meta in charge of red-teaming the Llama - Meta's AI model. This is an extremely very interesting talk, diving deep into their processes and methodologies when they're researching how to break the guardrails around the model. First, they go over the techniques: * Roleplaying - asking the model to portray a character, either one which is benign, or one which makes sense to talk with on a violating topic. * Hypotheticals - ensuring the model that the discussion is purely theoretical or used for training. * Suppress Refusals - since upon detection of violating topics the model will start by apologizing that it cannot discuss it, command it to never use such words or apologize. * Output Formatting - requesting the output to be within a certain format, like JSON or a table. * Disclaimer - asking the model to add a disclaimer before its response, like a trigger warning. * Splitting - split violating words into sub-tokens and ask questions on their concatenation. Paired with requesting the model to keep using the sub-tokens. * Multi-lingual - switching between languages in the prompt. All these methods are aimed to coax the model into including violating content in its response — by softening the inclusion of problematic content or making the model guardrails miss the violating content altogether. Then, they talk about automation — a critical component when it comes to LLM pentesting. The amount of text and the large matrix of techniques makes it near impossible to test by hand. This is amplified when stepping into the area of multi-turn attacks (having a conversation instead of a question-answer). To do this, they created a matrix combining the different risks, personas, and techniques, and the automation mix-and-matches between them to test for attack scenarios. What's cool is that they use an LLM for the automation of conversing with the model. I think what's most interesting to me is how different their task is from "classic" red teaming, and the ingenuity they have to constantly practice to reveal further techniques. Since they deal with LLMs, however, they are usually very elegantly explainable and garner an "ah-ha!" moment, at least from me. #DEFCON #LLM #RedTeam https://lnkd.in/dpE5z-8z
5 comentarios -
Raph Soeiro
Here's my 2024 LinkedIn Rewind, by Coauthor.studio: 🚀 Twenty years ago I arrived in Miami with minimal English. Today, we're transforming how thousands learn cloud security through WizLabs - proving that education and skilling truly breaks down borders. 2024 showed me that the best technical solutions come from embracing our authentic stories: ➡️ Launched Wiz Customer Training Portal, revolutionizing how customers learn our platform ➡️ Scaled our technical enablement team of Wizards ➡️ Built WizLabs virtual platform for hands-on cloud security training ➡️ Selected as WizFluencer to share cloud security insights ➡️ Promoted to Director of Training and Certification Three posts that captured our journey: "20 Years in the US" That young Brazilian boy's dream of building something meaningful in tech became reality https://lnkd.in/eh2hfimi "Wiz Customer Training Portal Launch" Because great technology needs even better education https://lnkd.in/e-iAxSva "Back to AWS re:Invent" Connecting with the cloud community that helped shape my journey https://lnkd.in/eHrrSxeS As we enter 2025, our focus remains clear: scaling technical enablement to match Wiz's explosive growth while ensuring our training platforms empower every customer to maximize their cloud security potential. To every immigrant dreaming big, to every technical trainer breaking down complex concepts, and to every learner pushing their boundaries - your persistence matters. Sometimes the longest journeys lead to the most meaningful destinations. #WizFluencer #CloudSecurity #TechnicalTraining
4 comentarios -
Alejandro Cadarso
I had the privilege of been on Marcus Breen CyberPod podcast discuss such crucial topics in today's cybersecurity landscape. https://lnkd.in/d9u3jwQz As we mentioned in the podcast, it's critical for CEOs and business leaders to understand that cybersecurity goes far beyond simply being an IT issue - it's a critical business risk that requires executive-level attention. A few key points I'd like to highlight: 1. The importance of zero trust architecture (zero trust) in today's business environment. 2. The critical distinction between data security and cybersecurity, and why both are essential. 3. The emerging risks associated with deepfakes and data poisoning in AI, which can have serious implications for enterprises. I hope this episode will help educate and raise awareness on these crucial topics. I invite all listeners to continue to learn and discuss cybersecurity, as it is an ever-evolving field. What other cybersecurity topics would you like to see addressed in future episodes? I look forward to hearing your thoughts and continuing this important conversation! #Cybersecurity #BusinessLeadership #RiskManagement #TheCyberPod
-
SecuritySenses
The latest update for #Trustwave includes "7-Step Guide to Properly Scoping an Offensive Security Program" and "Trustwave SpiderLabs Reveals the Ransomware Threats Targeting Latin American Financial and Government Sectors". #Cybersecurity #MDR #infosec https://lnkd.in/dAFsV2s9
-
Piotr Klepuszewski
📢 Project Zero 🔹 News and updates from the Project Zero team at Google 🚀 From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code 🛠️ 💡 Posted by the Big Sleep team 🔍 In our previous post, *Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models*, we introduced our LLM-assisted vulnerability research framework. Now, in collaboration with Google DeepMind, Project Naptime has evolved into **Big Sleep**. 📢 *Today, we're thrilled to share the first real-world vulnerability discovered by the Big Sleep agent:* a stack buffer underflow in SQLite! 🐞 Thanks to Big Sleep, this vulnerability was identified and reported in October, with a fix implemented on the same day, ensuring users weren’t impacted. 🙌 🏆 *This marks a milestone in AI for cybersecurity,* as it's the first public example of an AI agent finding an exploitable memory-safety issue in widely used software before release. With Big Sleep, we aim to shift the advantage to defenders, helping to find vulnerabilities that fuzzing alone might miss. 🔗 [Full Post Here](https://lnkd.in/eG8RVN3T)
5 comentarios -
Wade Baker, Ph.D.
I'm fascinated by the concept of measuring attacker-defender advantage in software, devices, and even entire IT environments. What do I mean by "attacker-defender advantage?" Lemme sum up and then share a chart. Let's say you could measure the speed at which defenders remediate various types of security vulnerabilities across all relevant assets. Then say you could detect and measure the speed at which attackers find/exploit those vulnerable assets across the target population of organizations using them. Finally, plot those curves (across time and assets) to see the delta between them and derive a measure of relative advantage for attackers and defenders. That relative value is what I mean by attacker-defender advantage. Since a picture is worth a thousand words, here's a visual example of the concept. The blue line represents defenders, measuring the speed of remediation. Red measures how attacker exploitation activity spreads across the target population. When the blue line is on top, defenders have a relative advantage (remediating faster than attackers are attempting to exploit new targets). When red's on top, the opposite is true. The delta between the lines corresponds to the relative degree of advantage (also expressed by the number in the upper left). This chart comes from prior Cyentia Institute research in which we were able to combine datasets from two different partners (with their permission). Unfortunately, those datasets/partners are no longer available to further explore this concept - but maybe this post will inspire new partnerships and opportunities! Any surprises in the attacker-defender advantage results depicted in the chart? Has anyone measured this or something similar? #cybersecurity #vulnerabilities #cyberattacks
124 comentarios -
Maveris
New #MaverisLabs post by Manuel Arrieta — "Enhancing Cybersecurity with VirusTotal: Unveiling Malicious .LNK Files." While shortcut (.LNK) files might seem innocuous, in the hands of attackers, they can become a serious threat. 🛡️ Identifying and mitigating these threats is a critical part of staying ahead in cybersecurity. In this insightful article from Maveris, explore how the VirusTotal API can be leveraged to hunt for malicious .LNK files effectively. What you’ll learn: ✅ The risks associated with .LNK files. ✅ How to analyze suspicious shortcut files. ✅ Using VirusTotal API to enhance your threat-hunting toolkit. Whether you're a cybersecurity professional or just curious about threat detection techniques, this is a must-read! 📚 Check it out here 👉 https://lnkd.in/ePqANh7W #Cybersecurity #ThreatHunting #VirusTotalAPI #RedTeam #Vulnerabilities
-
Rafael B
🚨 🚨 🚨 🚨 🚨 TellYouthePass Ransomware Group Explora Falha Crítica do PHP. https://lnkd.in/d2ax5X6w #cti #threatintelligence #ataque #ciberataque #cibersecurity #cibersegurança #threathunting #malwareanalysis #cyberespionage #APT #threatresearch #threatattribution #industrialIntelligence #criticalinfrastructure #offensivecyberoperations #cyberattack #hacking #cybersecurity #malware #industrialcybersecurity
-
FirstHackers News
A significant vulnerability, CVE-2024-37629, has been discovered in SummerNote 0.8.18, allowing Cross-Site Scripting (XSS) via the Code View function. Summernote is a JavaScript library for creating WYSIWYG editors online. An attacker can use XSS to insert harmful scripts into a trusted application or website. An XSS attack often starts with an attacker luring a user to click on a malicious link. According to security researcher Sergio Medeiros, 10,000 web apps have a 0-day vulnerability that can be exploited with a simple XSS payload. Detecting XSS Vulnerability in the Editor Given similar XSS concerns in editors like CKEditor and TinyMCE, the security researcher decided to investigate the WYSIWYG Editor. This led to the SummerNote website, where users can see the WYSIWYG editor’s features on the homepage, along with a GitHub repository URL to examine the codebase. ~First Hackers News To Continue reading this article, click on this link >>> https://lnkd.in/gsRA6ivt #vulnerability #summernote #xss #codeview #javascript #attacker #maliciouslink #securityresearcher #website #zeroday #cyberattack #cybersecurity #cybernews #fhn #firsthackersnews #informationsecurity #latestnews
-
Teri Radichel 🩵
How to Figure Out What’s Running On a Specific Port on Linux ~~ Some strange process is running on a particular port — what is that? ~~ In this case looking at STUN/TURN/ICE traffic which is used for peer to peer connections to bypass NATs and Firewalls https://lnkd.in/e-BcKWq2
-
GLPI Developed by Teclib'
GLPI plays a role in the judicial sector! 🧑🏻⚖️ They use GLPI for several reasons! 👇🏻 1️⃣ GLPI's asset management functions are used extensively. Track assets and manage their lifecycle within the company. 2️⃣ Thanks to GLPI plugins available in the community, payments to a third party company are automated. 3️⃣ Outsourced analysts launch tasks, associated with hourly costs, which are then processed automatically. 4️⃣ At the end of the month, just click two buttons to make payment to the company. Freeing up time to focus on activities with higher added value for the company. Do like them! Use GLPI now! https://glpi-project.org Get in touch with us: https://lnkd.in/ernxZcJc ✨GLPI, the most powerful open source service! ✨ #glpi #assetmanagement #PaymentAutomation #Productivity #CustomerService #LegalSector #AssetTracking #ProcessEfficiency #JudicialSector #GLPIServices #GLPIIndustries
-
Alexander Poizner🌸
I mostly post about issues that contribute to application security vulnerabilities. Today, I'd like to express the opposite opinion. There seems to be a bit of hysteria around memory-unsafe languages such as C and C++ and the amount of code written and supported in these languages. True, most of the languages developed before Java are memory-unsafe. They are also a prime choice for software that requires exceptionally high performance or a very small footprint (e.g., embedded). Those languages are not going anywhere anytime soon, so we, as application security professionals, have to live with them. My observation is that while writing code in these languages comes with risk, this risk is often compensated by the higher skill of developers, who put extra effort into avoiding writing faulty code and, thus, creating more secure software. In fact, experience in coding using memory-unsafe languages contributes to the software security of teams that write software in memory-safe languages. In addition, there are enough tools to detect memory issues for code written in memory-unsafe languages, and the noise around those findings is low. So, how safe is the use of memory-unsafe languages? As with any industry with a high risk of hazards, while the potential for an accident is higher, awareness of potential hazards, protocols, and processes to avoid accidents compensates for risks quite well. So, do not discard OSS components as risky just because they are written in memory-unsafe language. Most of those development teams know what they are doing.
-
Eyal Estrin ☁
Interesting post by Ali K. about the important of portable architectures: https://lnkd.in/dBr86qGn From my point of view: 1️⃣ Portability is important, but organizations need to measure the cost of insisting on portability and the addition of abstraction layers to allow CSP agnostic architecture vs. the capabilities missing or not taking the full benefits of CSP native capabilities due to pushing for the common denominator. 2️⃣ One of the topics I would add to this post – is following the 12-factor application methodology (which is currently under changes and updates, but the project is still in the early stages). 3️⃣ Even if you package your entire application components into container images, and still be able to run containers on top of managed services (such as EKS, AKS, GKE, etc.), you still need to adjust your workload when connecting to the CSPs eco-system (from connectivity to managed storage services, message queuing services, observability, security controls, etc.) You are welcome to follow me on social media - https://lnkd.in/dwQAiYhY #cloud #cloudarchitecture #portability
1 comentario -
Darace Rose
In a surprising turn of events, the notorious hacker USDoD, responsible for major data breaches including the leak of 3.2 billion SSNs, has revealed his identity as a 33-year-old Brazilian citizen. This development raises intriguing questions about international cybercrime, extradition laws, and the potential for redemption in the tech world. What does this mean for global cybersecurity efforts and the future of high-profile hackers?
-
Alex Matrosov
One of the new features of BINARLY Transperency Platfrom v2.0 is the secure-by-design practices when measuring the defense in depth maturity. Our Binary Intelligence Technology measures the mitigation code coverage inside the binary. It provides visibility on weak code places not protected by mitigations, such as stack canaries. #SupplyChainSecurity #SecureByDesign #VulnerabilityManagment
4 comentarios -
FirstHackers News
Zoho released a security update for a critical SQL injection flaw in ADAudit Plus (CVE-2024-49574), fixed in version 8123 on November 8, 2024. The SQL injection vulnerability was found in ADAudit Plus, a popular tool for Active Directory auditing and monitoring. The flaw was in the report generation feature and could be exploited by an authenticated attacker. SQL Injection Vulnerability (CVE-2024-49574) The vulnerability, CVE-2024-49574, allowed an authenticated attacker to run arbitrary SQL queries on the system. Exploiting this flaw could give an attacker access to database tables, allowing them to view, modify, or delete sensitive data. ~First Hackers News To Continue reading this article, click on this link >>> https://lnkd.in/gvA4vXwT #zoho #securityupdate #sql #injection #vulnerability #adauditplus #activedirectory #monitoring #flaw #authenticated #attacker #sensitivedata #cyberattack #cybersecurity #fhn #firsthackersnews #informationsecurity #latestnews
-
FirstHackers News
Hackers are exploiting a new Apache Struts2 vulnerability (CVE-2024-53677) with a critical CVSS score of 9.5, posing severe risks. Apache Struts2 flaw Apache Struts2 recently announced a vulnerability with path-traversal, allowing attackers to upload files into restricted directories, potentially enabling remote code execution. If a webshell is uploaded to the web root, hackers could gain control of the system. This flaw appears related to CVE-2023-50164, which was poorly addressed, leading to the current threat. Patching the issue isn’t simple—users must switch to a new Action File Upload mechanism and interceptor, as the old one leaves systems vulnerable. ~First Hackers News To Continue reading this article, click on this link >>> https://lnkd.in/gy_WFBaZ #hackers #exploit #apache #struts2 #vulnerability #cvss #risks #attackers #files #directories #rce #webshell #webroot #threat #patching #vulnerable #cyberattack #cybersecurity #fhn #firsthackersnews #informationsecurity #latestnews
-
Raushan Raj
Meta-Llama-3-70B-Instruct powered IaC issues reporting. Checkov is a very nice #DevSecOps tool. Only thing missing is proper documentation and reporting for issues discovered. I have used LLM to create a developer friendly documentation for around 3.8K rules. It costed me around 50$ to do so. Please DM me i will share the json dump with you. Also if you want me to create better documentation for some existing tools, please let me know, i will do it. #devsecops #llm #reporting #improvement #iac #uiux #tools #security #owasp #devsecops_bot #owaspDAM
2 comentarios