tutorials · 10 min
On 25 July, Binarly publishes the result of auditing the firmware of ~900 devices: hundreds use AMI/Insyde test keys with the string "DO NOT TRUST" in the subject, and the private half is on GitHub. CVE-2024-8105, VU#455367, Secure Boot bypass by design.
· Manuel López Pérez
compliance · 11 min
On 1 August the AI Act enters into force after OJEU publication on 12 July. Application is staggered: Art. 5 prohibitions at 6 months, GPAI at 12, high-risk Annex III at 24, Annex I products at 36. What a CISO/DPO needs to put in motion now.
· Manuel López Pérez
news · 10 min
Dense month. regreSSHion opens the month with a big headline and moderate exploitability. On the 12th the AI Act lands in the OJEU and AT&T notifies 110M records linked to Snowflake. On the 19th, CrowdStrike ships Channel File 291 and drops 8.5M Windows machines. ESXi CVE-2024-37085 already being abused by ransomware. ServiceNow, Authy, Disney/NullBulge, Mistral NeMo.
· Manuel López Pérez
tutorials · 9 min
On 19 July 2024 at 04:09 UTC, a content update from CrowdStrike Falcon puts 8.5 million Windows machines into a reboot loop. Delta cancels 7,000 flights. The bug: a kernel-mode parser that reads field 21 of a template instance that only carries 20. How we got there, why the validator let it through, and what changes in EDR from here.
· Manuel López Pérez
tutorials · 9 min
On 1 July Qualys publishes a race condition in the OpenSSH signal handler that reintroduces a bug patched in 2006. Pre-auth RCE as root sounds apocalyptic. The fine print (glibc, x86, 10,000 connections, 6-8 hours of race window) brings the news back to its real size.
· Manuel López Pérez
news · 9 min
Mandiant publishes the UNC5537 report — 165 Snowflake accounts compromised via infostealers. Polyfill.io turns out to have been bought by Funnull and serving malware since February. CDK Global pays $25M to BlackSuit after halting 15,000 dealerships. APT29 inside TeamViewer. Apple presents Private Cloud Compute at WWDC and Anthropic ships Claude 3.5 Sonnet.
· Manuel López Pérez
tutorials · 11 min
Mandiant publishes the UNC5537 report on 10 June. Snowflake credentials stolen by infostealers between 2020 and 2024, accounts with no MFA and no network policy, mass exfil via COPY INTO. No CVE: just lax defaults and credentials nobody rotated.
· Manuel López Pérez
news · 10 min
Recall is announced on the 20th and dismantled on the 30th. Ticketmaster and Santander join the Snowflake victim list. Dell loses 49M records to an API with no rate limit. Patch Tuesday with two zero-days. GPT-4o and the "Sky" voice that sounded like Johansson.
· Manuel López Pérez
ai-security · 9 min
Recall captures screenshots every N seconds, OCR + embeddings, and indexes the lot into a local SQLite. Beaumont and Forshaw show in two weeks that any malware running with user permissions reads the visual history of the PC. Microsoft pulls back on 7 June.
· Manuel López Pérez
tutoriales · 10 min
Fifteen transfers, five Hong Kong accounts, $25M gone in a single Zoom session. The finance employee approved the transaction because "the CFO and other colleagues were on the call" — every one of them was a real-time video and voice deepfake. The canonical case of AI-assisted social engineering.
· Manuel López Pérez
news · 10 min
Anthropic publishes many-shot jailbreaking on the 2nd. Palo Alto GlobalProtect drops as a zero-day on the 12th. MITRE admits a breach via Ivanti on the 19th. Cisco ASA + ArcaneDoor on the 24th. Meta releases Llama 3. Sisense forces a mass reset. LayerSlider pre-auth SQLi.
· Manuel López Pérez
tutorials · 8 min
Pre-auth command injection in PAN-OS GlobalProtect. The SESSID cookie parameter gets interpolated into a shell to build a telemetry filename; metacharacters earn execution as root. Volexity tracks exploitation since 26 March, vendor confirms on 12 April.
· Manuel López Pérez
