Attacks & Vulnerabilities
Canadian Tire 2025 data breach impacts 38 million users (2 minute read)
A 2025 e‑commerce breach at Canadian Tire exposed data from over 38 million accounts, including names, contact details, hashed passwords, and partial card numbers, with under 150,000 records containing full dates of birth. Financial systems and in‑store transactions were reportedly unaffected, but 42 million records were added to Have I Been Pwned.
Cops back Dutch telco Odido after second wave of ShinyHunters leaks (2 minute read)
ShinyHunters is dumping Odido customer records in daily batches, exposing sensitive identifiers, bank details, and support notes, and threatening to escalate the leaks after already impacting more than a million accounts. Dutch police publicly support Odido's stance of refusing ransom payments and emphasize the need for rapid law enforcement engagement and anti‑phishing vigilance.
Delinea Protocol Handler - Return of the MSI: RCE via Custom Launcher (8 minute read)
AmberWolf disclosed an RCE vulnerability in Delinea's Secret Server Protocol Handler (≤6.0.3.39) and Connection Manager (≤2.7.1). Improper sanitisation of the sslauncher:// URL handler's generic process launcher allowed a malicious server to supply attacker-controlled process names and arguments via encrypted launcher data, achieving arbitrary code execution on both Windows and macOS when a victim visits a crafted webpage and accepts a security prompt. The exploit, implementable as a NachoVPN plugin, abuses the legitimate key exchange flow to inject serialized launcher configurations that RDPWin.exe blindly executes via Process.Start(). Delinea patched the protocol handler as of January 17. Organizations should upgrade immediately and monitor for anomalous child processes spawned by RDPWin.exe.
Twitch Ships Server-Side Eppo Keys in Its iOS App, Exposing Its Entire Product Roadmap (10 minute read)
Twitch's iOS app uses server-side Eppo SDK keys instead of client tokens, exposing over 260 unobfuscated production feature flags via a CDN endpoint that can be freely polled once a key is observed in traffic. The flags reveal Twitch's near-term roadmap. Hardcoded IDs, internal codenames, and future launches like "Elevate Prime 2026" are visible, turning feature flags into a live intelligence feed on product, security posture, and internal economics.
Process Preluding: Child Process Injection Before the Story Begins (7 minute read)
Many security products in Windows 10 and 11 use kernel Event Tracing for Windows (ETW) hooks to monitor process creation and be notified of potentially malicious activity. An attacker can bypass these checks by exploiting a race condition between the kernel's completion of the executive process object setup and the invocation of process-creation callbacks. Attackers can also use legacy APIs for process creation, which do not trigger process-creation callbacks.
MacNoise (GitHub Repo)
MacNoise is a modular macOS telemetry-generation framework designed to help security teams validate EDR, SIEM, and firewall detection coverage by producing real system events across the network, process, file, TCC, and persistence categories. The tool includes MITRE ATT&CK-mapped modules, pre-built APT emulation scenarios, and OCSF 1.7.0-compliant audit logging for structured correlation. Scenarios can be dry-run previewed, chained via YAML, and output as JSONL for automated detection gap analysis.
Rustdesk (GitHub Repo)
Rustdesk is an open-source remote desktop application designed for self-hosting. An alternative to TeamViewer, it works out of the box with no configuration required. You have full control over your data, with no security concerns.
ksentinel (GitHub Repo)
ksentinel is a Linux kernel module that monitors syscall table integrity, function prologues, and LSTAR MSR values using FNV-1a hashing to detect unauthorized modifications from rootkits such as PUMAKIT, Diamorphine, and KoviD. It covers 500+ syscall wrappers, plus critical VFS, networking, credential, and tracing functions, with anti-unload protection via a compile-time-generated unlock key. The module supports Linux versions 5.4 to 6.12+ on x86_64 and ARM64. It features configurable check intervals and a management script for live monitoring and violation alerts.
Critical Flaws Exposed Gardyn Smart Gardens to Remote Hacking (2 minute read)
Researchers reported flaws in Gardyn Home and Studio, which exposed roughly 138,000 indoor smart gardens to unauthenticated, internet‑reachable remote compromise, including OS command execution via command injection and hardcoded admin credentials in the Gardyn IoT Hub and Azure IoT infrastructure. Thankfully, patches are out and auto‑delivered.
What is EC2 Instance Attestation (5 minute read)
Nitro Enclaves were introduced in 2020 to provide a trusted execution environment for security-sensitive applications. However, application development was more complex due to the execution environment's limitations. Last year, AWS launched EC2 instance attestation, which extends the attested boundary to the full instance, enabling more use cases and improving usability at the cost of greater effort to secure the instance and increased deployment complexity. This post walks through the process of creating an application running on an EC2 instance with attestation, including a GitHub Actions workflow to build a hardened, attestable AMI.
Demystifying Zero Trust (5 minute read)
This part of the UK NCSC's multi-part guide on implementing zero trust in an enterprise focuses on defining zero trust beyond the buzzword or a specific product. Zero trust describes a strategic shift in which users are continually authenticated, as opposed to a point-in-time authentication at the beginning of a session. It implies a defense-in-depth approach in which controls are layered throughout a system and may work in conjunction with existing systems or replace them.