Security-Portal.cz je internetový portál zaměřený na počítačovou bezpečnost, hacking, anonymitu, počítačové sítě, programování, šifrování, exploity, Linux a BSD systémy. Provozuje spoustu zajímavých služeb a podporuje příznivce v zajímavých projektech.

Kategorie

SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models

The Hacker News - 1 Květen, 2025 - 08:22
SonicWall has revealed that two now-patched security flaws impacting its SMA100 Secure Mobile Access (SMA) appliances have been exploited in the wild. The vulnerabilities in question are listed below - CVE-2023-44221 (CVSS score: 7.2) - Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]
Kategorie: Hacking & Security

Microsoft tries to reassure Europe that it can resist the US government. Europe has doubts

Computerworld.com [Hacking News] - 1 Květen, 2025 - 03:40

Microsoft on Wednesday released a statement aimed at convincing global IT leaders, and particularly those in Europe, that it can still be trusted, but analysts in Europe said its statement was not persuasive.

Much of the European nervousness comes from American tariffs and the inevitable responding tariffs from the European Union (EU). But the fears go beyond that, with some European IT and cybersecurity executives worried about what American technology firms might be forced to do by the Trump administration. Those fears are fueled by the recent politicization of security clearances

Microsoft’s detailed statement, attributed to vice-chair and president Brad Smith, spent a lot of words recapping all of what Microsoft has done in Europe over the years.

“Our economic reliance on Europe has always run deep. We recognize that our business is critically dependent on sustaining the trust of customers, countries, and governments across Europe,” Smith wrote. “We respect European values, comply with European laws, and actively defend Europe’s cybersecurity. Our support for Europe has always been — and always will be — steadfast. In a time of geopolitical volatility, we are committed to providing digital stability.”

Increasing European capacity

“Today, we are announcing plans to increase our European datacenter capacity by 40% over the next two years,” the statement said. “We are expanding datacenter operations in 16 European countries. When combined with our recent construction, the plans we’re announcing today will more than double our European datacenter capacity between 2023 and 2027. It will result in cloud operations in more than 200 data centers across the continent.”

It added, “this expansion will play an important role in boosting Europe’s economic growth and competitiveness. We believe that broad AI diffusion will be one of the most important drivers of innovation and productivity growth over the next decade. Like electricity and other general-purpose technologies in the past, AI and cloud datacenters represent the next stage of industrialization.”

However, the closest Smith got to addressing the core concerns within the European IT community was a promise to legally fight to continue to maintain its European relationships. 

“In the unlikely event we are ever ordered by any government anywhere in the world to suspend or cease cloud operations in Europe, we are committing that Microsoft will promptly and vigorously contest such a measure using all legal avenues available, including by pursuing litigation in court,” his statement said. “By including a new European Digital Resilience Commitment in all of our contracts with European national governments and the European Commission, we will make this commitment legally binding on Microsoft Corporation and all its subsidiaries.”

It continued: “Microsoft has a demonstrated history of pursuing litigation when that has been needed to protect the rights of our customers and other stakeholders. This includes four lawsuits we filed against the US Executive Branch during President Obama’s tenure, including to protect the privacy of our customers’ data in the United States and Europe. It also included, during President Trump’s first term, a successful decision before the US Supreme Court to uphold the rights of employees who are immigrants. When necessary, we’re prepared to go to court.”

Must decide ‘where loyalty lies’

Analysts felt the promises didn’t deliver much.

Michela Menting, digital security research director at ABI Research, said that even Microsoft can only fight for so long.

“Microsoft can say everything they want on their record of litigation and promising to defend European interests, but ultimately they cannot guarantee that they can continue to do so,” Menting said. “They can fight for it, but that is not the same thing as winning that fight.”

“It is not possible for them to guarantee that, under this administration, that they can uphold those rights,” Menting said. 

When pushed for an example, Menting said if the Trump administration wants Microsoft “to siphon all kinds of customer data from European companies, or whatever crazy idea comes into his head, they might well have to do Trump’s bidding.”

“These lists of what they have done in the past, it stands for nothing today,” Menting said. “If the rule of law changes in the US, they will have to adapt.”

Menting dismissed the Microsoft statement as “marketing fluff. It’s not soothing anyone. Indeed, it does the opposite. The fact that they are putting out that statement probably means that they are already receiving threats on their end. Microsoft is clearly worried, and this statement shows it.”

Forrester VP/research director Pascal Matzke was even more blunt, suggesting that European IT leaders are worried about what Microsoft, and other tech giants including Google, ServiceNow, and Salesforce, will do when the pressure is turned on.

“Microsoft has to decide where its loyalty lies — [with] the Trump administration or with its clients?” Matzke said. “There is a concern that they will ultimately be listening more to Trump.”

Anxiety is ‘huge’

Matze said the key fear is that the European tech infrastructure has allowed itself to be far too intertwined with various American tech giants, including Microsoft. European government officials are likely to fight the tariffs with their own, “and the whole thing will spiral out of control. Can we continue then to work in the same collaborative manner?”

Matze’s argument is that European IT “anxiety is huge” and that some are starting to fear trusting American companies in the same way that they now fear working with Chinese companies. But because of the deep, years-long reliance on American tech players, he fears that a pullback would “kill innovation,” if it was even possible.

“I don’t see a way back. We are now in this global state,” Matze said, adding that those who think they can separate are wrong. “That’s an illusion. There is just no way. The boat has sailed, that train has left the station.”

Another analyst, Phil Brunkard, executive counselor at Info-Tech Research Group, said, “Microsoft’s new pledges look like they’re designed to calm three groups at once. EU policymakers pressing for digital sovereignty; big European firms drowning in DORA/NIS 2/CRA [regulations]; and global enterprises fearing the next geopolitical shock that could knock out a US hyperscaler.”

Brunkard said he was impressed by Microsoft’s promise for increased capacity.

“The capacity promise is pretty eye-catching: 40% more compute within 2 years, more than double by 2027 across 16 countries and roughly 200 facilities,” Brunkard said. “But the Digital Resilience Commitment is the real headline here. Microsoft is saying that it will fight in court against any foreign order to pull the plug on its EU cloud and, if forced offline, will hand Swiss-escrowed source code to local partners. Add in EU-only data center boards and a Deputy CISO for Europe, and Redmond is telling Brussels ‘OK, we’ll play by your rules now.’”

Is it enough?

But is that enough? Brunkard is not certain.

“Does this make Microsoft less toxic? Partly. Sovereignty optics do improve a bit, but antitrust and licensing complaints are still there, and the CRA will be judging on audited technical controls, not blog posts,” Brunkard said. “Respect for European law is a start and a bold statement, but until auditors and eventually regulators can confirm the new safeguards, the jury’s still out.”

ABI’s Menting said there is yet another problem lurking behind these arguments. 

“Despite all that blinding compliance speak, it’s hard to ignore the elephant in the room: the EU’s Anti-Coercion Instrument (ACI). If it comes into play, and the current climate is totally amenable to such a state, this could cripple Microsoft’s ability to operate successfully and lucratively in Europe,” Menting said. “The current US tariff imposition on Europe can most certainly be seen as economic coercion, and the EU would be within its rights to trigger the ACI and hit back against US digital services.”

And if that doesn’t work, Microsoft can leverage its power in controlling how and where it pays taxes. Its statement doesn’t discuss how the company will pay its taxes in Europe.

“How will they be reporting their revenues derived in the European territory? It’s all too common for US digital service providers to route those revenues through their various regional subsidiaries — hello Ireland — and then back to the US, effectively gaming the European tax system,” Menting said. “If things become dire, it can still play its tax card. At best, it could totally divest its European business, with completely separate and independent companies operating in Europe. But that is not the American way of doing business and Microsoft is very much an American company.”

Kategorie: Hacking & Security

Hackers abuse IPv6 networking feature to hijack software updates

Bleeping Computer - 1 Květen, 2025 - 02:33
A China-aligned APT threat actor named "TheWizards" abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware. [...]
Kategorie: Hacking & Security

WordPress plugin disguised as a security tool injects backdoor

Bleeping Computer - 30 Duben, 2025 - 23:05
A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it. [...]
Kategorie: Hacking & Security

WhatsApp unveils 'Private Processing' for cloud-based AI features

Bleeping Computer - 30 Duben, 2025 - 21:01
WhatsApp has announced the introduction of 'Private Processing,' a new technology that enables users to utilize advanced AI features by offloading tasks to privacy-preserving cloud servers. [...]
Kategorie: Hacking & Security

Zoho adds AI capabilities to its low code dev platform

Computerworld.com [Hacking News] - 30 Duben, 2025 - 20:02

Zoho on Wednesday announced the addition of 10 AI-centric services and features within Zoho Creator, the company’s low code application development platform, that it said are part of its pledge to invest only in “AI capabilities that drive real-time, practical and secure benefits to business users.”

The expanded offerings include CoCreator, the firm’s new AI “development partner” powered by Zia, Zoho’s AI assistant, that it said in a release “facilitates faster, simpler and more intelligent app building with the use of voice and written prompts, process flows and business specification documents.”

New features also include the ability to transform unstructured data from different file types and databases into customized applications, aided by what the company described as “advanced AI-based data prep capabilities that remove inconsistencies and bring logical structure to detail.”

Kategorie: Hacking & Security

SonicWall warns of more VPN flaws exploited in attacks

Bleeping Computer - 30 Duben, 2025 - 19:23
Cybersecurity company SonicWall has warned customers that two older vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks. [...]
Kategorie: Hacking & Security

Trump wants kids learning AI in kindergarten — some say that’s too late

Computerworld.com [Hacking News] - 30 Duben, 2025 - 19:22

President Donald J. Trump recently signed an executive order to bring AI into K–12 education to boost literacy around the technology and create a new White House task force to lead the effort.

The task force plans to form public-private partnerships with AI experts to develop online resources for K-12 AI literacy and critical thinking and will seek industry commitments and federal funding to support the effort; the goal is to ensure resources are available for K-12 instruction within 180 days. As part of the plan, the US Secretary of Education must within 90 days issue guidance on using federal grants to support AI in education and find ways to use existing research programs to help states boost student success.

Some, however, say the executive order on AI in education doesn’t go far enough.

“AI education has to start even earlier than kindergarten!” Karen Panetta, a fellow with the Institute of Electrical and Electronics Engineers (IEEE), wrote via email when asked about Trump’s order. “Why? Because children need to be aware of the influences of things that are and are not real.” (IEEE is a global professional organization that advances technology through standards development and education.)

Children will encounter realistic but fake AI-generated content, so it should be an imperative teach them early to question what they see and ask trusted adults for help, according to Panetta.

Heather Barnhart, an education curriculum lead and fellow at the SANS Institute, agreed that AI training is critical, arguing that predators can leverage the technology to create images young children crave.

“That sentence is disturbing, but true,” Barnhart said. “Yes, AI has guardrails. However, it’s open source and can be taught how to create child sexual abuse material (CSAM). AI can also be used in the art of sex extortion. Here, children and teenagers are targeted in financial extortion with the creation of AI generated images of themselves. Out of fear, the kids resort to trying to pay the ransom or worse, harming themselves.”

Parents and teachers should talk to children about AI early and often, and those conversations should be age-appropriate and based on a child’s maturity, she said. Teaching kids to recognize suspicious behavior — both online and offline— is as important as teaching them about physical safety. Giving a child a device exposes them to potential dangers, often from strangers who appear to be peers or friends, Barnhart said.

“Bottom line, we can’t fear technology,” she said. “We cannot keep our children from technology. We need to learn how to communicate with them about online safety so that their world is not impacted when a threat comes their way. The more you talk to your kids and the more open you are to what they are doing and living — and what they are looking at online — the safer your family will be.”

Panetta said AI will increase phishing and online threats unless the US begins digital and AI education from the moment kids use devices. Just as word processors became standard in schools, AI tools will soon be essential in education and work.

Every school has students using tablets in the classroom and at home, Panetta pointed out, allowing students to use standard software programs such as word processors, animation software, drawing programs and instant access via the internet to relevant curated learning videos.

Panetta said using AI to help develop customized learning approaches is key. For example, “autistic children can greatly benefit from having AI that knows how to read their facial expressions to gauge their interest or emotions in response to educational materials. This helps develop AI that is more in tune with the needs of different abled children,” she said.

Trump’s executive order calls for educators, industry leaders, and employers to collaborate to create programs that equip students with essential AI skills across all learning paths. And it calls for a strong framework that integrates early exposure, teacher training, and workforce development to help foster innovation and critical thinking.

The order just “makes sense,” according to Emily DeJeu, an assistant professor of Business Management Communication at Carnegie Mellon University’s Tepper School of Business.

Noting China’s recent announcement of a major AI-focused educational overhaul, “this move seems intended to keep American students competitive in a fast-changing global landscape,” DeJeu said. “There’s also historical precedent for it: the 1983 federal report A Nation at Risk called for integrating computer science into high school curricula, sparking decades of STEM-focused education reforms.

“Building AI literacy could benefit students much like past efforts to build digital literacy,” she said.

However, DeJeu added, educators must be cautious because research shows AI can hinder critical thinking, increase plagiarism, and lead to learning loss. Students may rely on AI to do challenging work, gaining polished results without true understanding — risking a generation that uses AI well but lacks deep knowledge and critical skills.

Panetta also advised a cautious approach in light of AI’s tendency to hallucinate and spew erroneous information and expose sensitive information.

“We need to guarantee that standards are in place for both security and privacy,” Panetta said. “The best educational product that unintentionally shares your child’s image or private information will ultimately do more harm than good. At IEEE, our AI and security experts around the globe are leading the efforts to create these safeguards and standards.”

Kategorie: Hacking & Security

Commvault says recent breach didn't impact customer backup data

Bleeping Computer - 30 Duben, 2025 - 18:20
Commvault, a leading provider of data protection solutions, says a nation-state threat actor who breached its Azure environment didn't gain access to customer backup data. [...]
Kategorie: Hacking & Security

FBI shares massive list of 42,000 LabHost phishing domains

Bleeping Computer - 30 Duben, 2025 - 18:01
The FBI has shared 42,000 phishing domains tied to the LabHost cybercrime platform, one of the largest global phishing-as-a-service (PhaaS) platforms that was dismantled in April 2024. [...]
Kategorie: Hacking & Security

Hands on with the new Apple Mac Studio M4 Max

Computerworld.com [Hacking News] - 30 Duben, 2025 - 17:59

I can still remember the first time I attended a press launch for a professional Mac – the January 1999 introduction of the Blue and White Power Mac G3, which Apple wanted the world to believe was faster than Intel PCs of similar clock speed. Today, Apple’s new professional Mac Studio absolutely devours any other system when it comes to processor performance and energy efficiency.

What a difference a quarter century makes.

I’ve spent time with the Mac Studio M4 Max in recent weeks. This model was equipped with an M4 Max chip boasting 16 CPU cores, 40 GPU cores, a 1TB SSD drive and 128GB of memory. This particular iteration costs $3,699, but you get a lot for your money. (For reference, that original Power Mac G3 started at $1,599, shipped with Apple’s infamous ‘puck’ mouse, and was nicknamed the Smurf, for its distinctive blue-&-white color.)

That’s where the comparisons end, of course, as there really is no relevant comparison to make between Apple’s old Power Macs and the new breed of Apple Silicon-driven speed demons.

The Mac Studio is everything Apple 20 years ago couldn’t deliver — the most powerful machine in its class, capable of munching its way through the most demanding tasks, and with benchmark data points that absolutely show these Macs to be the best systems for any professional needing to do intensive work.

Speeds and feeds

Here’s what the numbers show:

  • Geekbench, Single-core, 4,086
  • Geekbench, Multi-core, 26,021
  • Geekbench, Metal, 187,728
  • Geekbench, Open CL, 118,684

The Mac aced its Cinebench tests, too, convincingly topping the list of reference systems and achieving in excess of 3,000 points on the Unigine Heaven benchmark; it’s a good score, but is dented by the fact the test environment needs to run in Darwin emulation.

Apple

Supporting the release, Apple published a number of data points to show how powerful these systems can be. The main takeaways: even if you’re using a Mac Studio that’s under a year old, the new model is a welcome speed upgrade, and if you use an M1 Mac Studio you can expect twice the performance (faster rendering, compiling, photo editing).

Numbers are really real-world, so to put these into context, they mean this Mac — the latter-day descendant of the “Smurf” — is powerful enough to take anything you throw at it. And with even more powerful models also available, there’s almost no demanding task you can’t expect this Mac to achieve. Apple Silicon is eating the PC industry lunch.

Higher and higher

Finally, if you upgrade from an Intel Mac, well, just as the move to Intel unleashed Apple’s pro Macs from decades in the PowerPC doldrums, the move to Apple Silicon has utterly unshackled the line. It means that if you’ve come across from an Intel Mac, you’ll be stunned by the huge performance upgrade you experience.

For pros, it means you’ll get more done faster than ever on a Mac.

That really wasn’t the case in 1999, when pro machines really were destined for use by Mac fans and people from the creative departments; while good at handling creative tasks, they didn’t truly match Windows in others — except you didn’t have to run Windows, which has always been an advantage to many of us.

Apple Where’s the ceiling?

The problem with reviewing this piece of kit is that nothing I could do would actually make it break a sweat. For example, I did my usual test of opening up a GarageBand project with 300 instrument tracks; the machine figuratively shrugged and delivered. It then shrugged at everything I could think of doing with it — running multiple video windows, working with Pixelmator Pro transitions, dabbling about with Final Cut. During the week or so I tried to make the Mac stumble, I barely noticed it get warm and never heard the cooling system in action.

For me, these Macs over deliver, delivering performance far beyond what I actually need. To be frank, of course, most of my computing needs are answered by the also available M4-powered MacBook Air, with which I also had a pleasant dalliance. But I’m not the target market — the most cutting-edge pros in design, graphics, architecture, AI, medicine, and researchers. For those people, these Macs will deliver.

They also open up other opportunities. 

For example, Apple researcher Awni Hannun managed to run Deep Seek v3 in 4-bit natively on the even more powerful M3 Ultra Mac Studio: “The new DeepSeek-V3-0324 in 4-bit runs at > 20 tokens/second on a 512GB M3 Ultra with mlx-lm!” he wrote.

The system I tested can’t quite do that, but it will happily run smaller large language models on device, making it possible to build and run bespoke AI systems on hardware you keep on your desk. That’s great for security-conscious businesses seeking an AI edge who want to ensure all the data belongs to them, and not to their AI provider.

Are there limitations?

There are some drawbacks, I suppose. Some could see the need to get hold of a display, mouse, and keyboard to use with the device as being a snag. Users might also feel frustrated at the lack of easy upgradeability of Apple’s systems – it would be neat to be able to install your own memory, just as you were able to do with the more upgradeable Power Mac of yore.

Some might want more connectivity options, but that didn’t really worry me; the 5 USB-C/Thunderbolt 5 slots, 10Gb Ethernet, dual USB-A, HDMI, and SDXC slot seemed more than enough for most people.

If you really want the best and most powerful gaming computer, you might need to use systems with Nvidia chips, at least for a little while longer until gaming firms catch up with Mac. Again and again, we hit software compatibility problems with some apps as the only remaining barrier to accelerating Mac adoption.

Summing up

I’ve deliberately tried to avoid the formulaic approach to a Mac review here. You don’t have the time to hear me reprise every data point from the tech sheet you can read here, and I don’t see any value in regurgitating those numbers. Life’s too short to re-read it, right?

And when it comes to looks, here’s a picture:

Apple

If you’ve been keeping up with news on these machines, you know they look like a tall Mac mini and come in the form of a nice silver box. You already know what Macs do – they run macOS, can run Windows in emulation, and as Apple builds out the Apple Intelligence system, they’ll do more things more effectively over time. 

What is clear is that Apple’s high-end Macs can and will scale to whatever you need them to do. You should also recognize that the velocity of Apple Silicon development means that within the next 12 to 18 months Apple will be able to upgrade the range all over again, inserting even faster processors that raise the bar of what Macs can achieve even more all over again.

That’s a huge change from how things used to be. Back when I met the Power Mac G3, Apple really was playing catch-up with its professional Macs. These days, Apple’s pro machines aren’t playing the same game. The computers set the bar for what competitors hope to achieve. If you need a lot of computational power at significantly lower energy costs, you can’t go wrong with a Mac Studio.

You can follow me on social media! Join me on BlueSky,  LinkedInMastodon, and MeWe

Kategorie: Hacking & Security

Researchers Demonstrate How MCP Prompt Injection Can Be Used for Both Attack and Defense

The Hacker News - 30 Duben, 2025 - 17:59
As the field of artificial intelligence (AI) continues to evolve at a rapid pace, fresh research has found how techniques that render the Model Context Protocol (MCP) susceptible to prompt injection attacks could be used to develop security tooling or identify malicious tools, according to a new report from Tenable. MCP, launched by Anthropic in November 2024, is a framework designed to connect
Kategorie: Hacking & Security

Researchers Demonstrate How MCP Prompt Injection Can Be Used for Both Attack and Defense

The Hacker News - 30 Duben, 2025 - 17:59
As the field of artificial intelligence (AI) continues to evolve at a rapid pace, fresh research has found how techniques that render the Model Context Protocol (MCP) susceptible to prompt injection attacks could be used to develop security tooling or identify malicious tools, according to a new report from Tenable. MCP, launched by Anthropic in November 2024, is a framework designed to connectRavie Lakshmananhttp://www.blogger.com/profile/[email protected]
Kategorie: Hacking & Security

UK retailer Co-op shuts down some IT systems after hack attempt

Bleeping Computer - 30 Duben, 2025 - 16:12
British supermarket chain Co-op Food has confirmed to BleepingComputer via a statement that it has suffered limited operational disruption as it responds to a cyberattack. [...]
Kategorie: Hacking & Security

Ascension discloses new data breach after third-party hacking incident

Bleeping Computer - 30 Duben, 2025 - 15:21
​Ascension, one of the largest private healthcare systems in the United States, is notifying patients that their personal and health information was stolen in a December 2024 data theft attack, which affected a former business partner. [...]
Kategorie: Hacking & Security

[Free Webinar] Guide to Securing Your Entire Identity Lifecycle Against AI-Powered Threats

The Hacker News - 30 Duben, 2025 - 13:26
How Many Gaps Are Hiding in Your Identity System? It’s not just about logins anymore. Today’s attackers don’t need to “hack” in—they can trick their way in. Deepfakes, impersonation scams, and AI-powered social engineering are helping them bypass traditional defenses and slip through unnoticed. Once inside, they can take over accounts, move laterally, and cause long-term damage—all without
Kategorie: Hacking & Security

[Free Webinar] Guide to Securing Your Entire Identity Lifecycle Against AI-Powered Threats

The Hacker News - 30 Duben, 2025 - 13:26
How Many Gaps Are Hiding in Your Identity System? It’s not just about logins anymore. Today’s attackers don’t need to “hack” in—they can trick their way in. Deepfakes, impersonation scams, and AI-powered social engineering are helping them bypass traditional defenses and slip through unnoticed. Once inside, they can take over accounts, move laterally, and cause long-term damage—all without [email protected]
Kategorie: Hacking & Security

Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool

The Hacker News - 30 Duben, 2025 - 13:05
A China-aligned advanced persistent threat (APT) group called TheWizards has been linked to a lateral movement tool called Spellbinder that can facilitate adversary-in-the-middle (AitM) attacks. "Spellbinder enables adversary-in-the-middle (AitM) attacks, through IPv6 stateless address autoconfiguration (SLAAC) spoofing, to move laterally in the compromised network, intercepting packets and
Kategorie: Hacking & Security

Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool

The Hacker News - 30 Duben, 2025 - 13:05
A China-aligned advanced persistent threat (APT) group called TheWizards has been linked to a lateral movement tool called Spellbinder that can facilitate adversary-in-the-middle (AitM) attacks. "Spellbinder enables adversary-in-the-middle (AitM) attacks, through IPv6 stateless address autoconfiguration (SLAAC) spoofing, to move laterally in the compromised network, intercepting packets and Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]
Kategorie: Hacking & Security
Syndikovat obsah