351
59
submitted 2 years ago by [email protected] to c/[email protected]
352
7
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

353
9
Follow Friday (infosec.pub)
submitted 2 years ago by [email protected] to c/[email protected]

Happy Friday c/cybersecurity! I wanted to try out a new recurring thread with a familiar theme, Follow Friday!

Use this thread to share information about yourself or others including social accounts, blogs, podcasts, YouTube channels, w/e you want to plug so people can follow!

If you like (or don’t like) this idea, sound off in the comments or send me a DM. This can be a regular weekly thread or could be monthly or quarterly. Cheers!

354
16
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

355
3
Inception Attack (comsec.ethz.ch)
submitted 2 years ago by [email protected] to c/[email protected]
356
12
Downfall Attacks (downfall.page)
submitted 2 years ago by [email protected] to c/[email protected]
357
7
TunnelCrack vulnerability (tunnelcrack.mathyvanhoef.com)
submitted 2 years ago by [email protected] to c/[email protected]
358
4
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread to discuss industry certifications, trainings and other courses/learning. Ask questions, share your experiences and help others!

359
49
submitted 2 years ago by [email protected] to c/[email protected]
360
5
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

361
33
submitted 2 years ago by [email protected] to c/[email protected]
362
7
Summary: MTE As Implemented (googleprojectzero.blogspot.com)
submitted 2 years ago by [email protected] to c/[email protected]

MTE = Memory Tagging Extension

In mid-2022, Project Zero was provided with access to pre-production hardware implementing the ARM MTE specification. This blog post series is based on that review, and includes general conclusions about the effectiveness of MTE as implemented, specifically in the context of preventing the exploitation of memory-safety vulnerabilities.

Despite its limitations, MTE is still by far the most promising path forward for improving C/C++ software security in 2023. The ability of MTE to detect memory corruption exploitation at the first dangerous access provides a significant improvement in diagnostic and potential security effectiveness. In comparison, most other proposed approaches rely on blocking later stages in the exploitation process, for example various hardware-assisted CFI approaches which aim to block invalid control-flow transfers.

Implementation Testing

Mitigation Case Studies

The Kernel

363
5
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

364
5
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread to discuss industry certifications, trainings and other courses/learning. Ask questions, share your experiences and help others!

365
9
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

366
10
submitted 2 years ago by [email protected] to c/[email protected]

41 in-the-wild 0-days were detected and disclosed in 2022, the second-most ever recorded since we began tracking in mid-2014, but down from the 69 detected in 2021. Although a 40% drop might seem like a clear-cut win for improving security, the reality is more complicated.

367
8
submitted 2 years ago by [email protected] to c/[email protected]

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 229, 232, 239, 240, and 249

[Release Nos. 33-11216; 34-97989; File No. S7-09-22]

RIN 3235-AM89

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

AGENCY: Securities and Exchange Commission.

ACTION: Final rule.

SUMMARY: The Securities and Exchange Commission (“Commission”) is adopting new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are adopting amendments to require current disclosure about material cybersecurity incidents. We are also adopting rules requiring periodic disclosures about a registrant’s processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks. Lastly, the final rules require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (“Inline XBRL”).

DATES: Effective date: The amendments are effective [INSERT DATE 30 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER]

368
9
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

369
31
submitted 2 years ago by [email protected] to c/[email protected]

A new vulnerability impacting AMD’s line of Zen 2 processors — which includes popular CPUs like the budget-friendly Ryzen 5 3600 — has been discovered that can be exploited to steal sensitive data like passwords and encryption keys. Google security researcher Tavis Ormandy disclosed the “Zenbleed” bug (filed as CVE-2023-20593) on his blog this week after first reporting the vulnerability to AMD on May 15th.

The entire Zen 2 product stack is impacted by the vulnerability, including all processors within the AMD Ryzen 3000 / 4000 / 5000 / 7020 series, the Ryzen Pro 3000 / 4000 series, and AMD’s EPYC “Rome” data center processors. AMD has since published its anticipated release timeline for patching out the exploit, with most firmware updates not expected to arrive until later this year.

370
3
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread to discuss industry certifications, trainings and other courses/learning. Ask questions, share your experiences and help others!

371
26
submitted 2 years ago by [email protected] to c/[email protected]
372
11
submitted 2 years ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.capebreton.social/post/82259

OSLO, July 24 (Reuters) - Twelve Norwegian government ministries have been hit by a cyber attack, the Norwegian government said on Monday, the latest attack to hit the public sector of Europe's largest gas supplier and NATO's northernmost member.

"We identified a weakness in the platform of one of our suppliers. That weakness has now been shut," Erik Hope, head of the government agency in charge of providing services to ministries, told a news conference.

The attack was identified due to "unusual" traffic on the supplier's platform, Hope said, declining to provide specifics. It was uncovered on July 12 and was being investigated by police.

"It is too early to say who is behind this and what is the extent of the impact (of the attack)," he said.

373
14
submitted 2 years ago by [email protected] to c/[email protected]
374
29
submitted 2 years ago by [email protected] to c/[email protected]
375
14
submitted 2 years ago by [email protected] to c/[email protected]

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!


cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!
