
Wifi-Attackable Airplay Devices 📶, Surviving As CISO 😅, Microsoft to Charge For Hotpatching 🩹


TLDR

Together With Blackduck

TLDR Information Security 2025-04-30

Black Duck: ensuring uncompromised trust in software for the regulated, AI powered world (Sponsor)

As the avalanche of AI-generated code transforms development practices, AppSec teams face unprecedented security challenges.

Black Duck addresses these strategic risks with True Scale Application Security, designed to empower security leaders to make smarter decisions and unleash business innovation with confidence. 

Black Duck reduces the security, regulatory, and licensing risks that cause failure or impede time-to-market across the software development life cycle and everywhere code happens.

Named a Gartner Magic Quadrant leader in Application Security Testing for 7 consecutive years, Black Duck eliminates the traditional tradeoffs between speed, accuracy, and compliance at scale. That's why it's the only choice for securing mission-critical software everywhere code happens.

Discover how Black Duck delivers True Scale Application Security

🔓

Attacks & Vulnerabilities

4M Affected by VeriSource Data Breach (2 minute read)

VeriSource Services, which provides employee benefit administrative services, is notifying 4 million individuals that it experienced a data breach in February 2024. The compromised data includes names, addresses, dates of birth, gender information, and Social Security numbers.

Banking Passwords Stolen from Australians are Being Traded Online by Cybercriminals (3 minute read)

Threat intelligence researchers from Australian firm Dvuln say that 31k passwords belonging to Australian customers of the Big Four banks are being shared on Telegram and dark web sites. The researchers stated that the passwords are coming directly from infostealers installed on victims' devices, not a vulnerability or breach from the banks. Dvuln has stated that these bank accounts can be used to transfer funds or for money laundering.

Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi (4 minute read)

Researchers have discovered "AirBorne" security flaws in Apple's AirPlay protocol that allow hackers on the same Wi-Fi network to hijack AirPlay-enabled devices. While Apple has patched vulnerabilities in its products, millions of third-party devices remain at risk, potentially creating persistent network access points for attackers.

🧠

Strategies & Tactics

How to survive as a CISO aka 'chief scapegoat officer' (3 minute read)

A panel at RSA discussed the role of the CISO, highlighting how CISOs should secure personal liability insurance and golden parachutes when starting new jobs as protection against becoming scapegoats. They advised documenting everything, avoiding lawsuits against employers after whistleblowing to prevent industry blacklisting, and not trusting HR departments, which ultimately protect the company, not employees.

Does RAG make LLMs less safe? Bloomberg research reveals hidden dangers (8 minute read)

Retrieval Augmented Generation (RAG) can unexpectedly make LLMs less safe by bypassing built-in guardrails. When using RAG, models that normally refuse harmful queries often produce unsafe responses. Generic AI safety frameworks frequently fail to address domain-specific risks in industries such as financial services.

Shadow Roles: AWS Defaults Can Open the Door to Service Takeover (10 minute read)

AWS default roles, such as AWSGlueServiceRole, often have overly broad access, like AmazonS3FullAccess, making service takeover easier for attackers. They can exploit these roles to manipulate various AWS services beyond S3 buckets, risking the entire environment. To mitigate risks, audit AWS roles and restrict excessive access, especially to S3 buckets.
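A minimal audit script for the mitigation the summary recommends, added here as an example (it is not from the article, nor AWS tooling): it flags IAM roles that carry broad AWS-managed policies such as AmazonS3FullAccess and builds a bucket-scoped replacement policy document. It assumes the data shapes returned by boto3's `list_roles` and `list_attached_role_policies`; the role names, policy attachments and the `BROAD_POLICIES` list are constructed sample values, and `fetch_live_inventory` is only called when you wire in a real client.

```python
"""Flag IAM roles whose attached AWS-managed policies grant overly broad access.

Added example, not from the article or from AWS. Works on the data shapes
returned by boto3's iam.list_roles() and iam.list_attached_role_policies();
the sample inventory below is constructed inline so the script runs offline.
"""
from __future__ import annotations

# Managed policies treated as "too broad" to sit on a service role.
# Assumption: tune this set for your own environment.
BROAD_POLICIES = {
    "AmazonS3FullAccess",
    "AdministratorAccess",
    "PowerUserAccess",
    "IAMFullAccess",
}

# Constructed sample inventory mimicking boto3 output shapes.
SAMPLE_ROLES = [
    {"RoleName": "AWSGlueServiceRole-default", "Path": "/service-role/"},
    {"RoleName": "app-reader", "Path": "/"},
    {"RoleName": "ops-admin", "Path": "/"},
]

SAMPLE_ATTACHMENTS = {
    "AWSGlueServiceRole-default": [
        {"PolicyName": "AWSGlueServiceRole",
         "PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"},
        {"PolicyName": "AmazonS3FullAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"},
    ],
    "app-reader": [
        {"PolicyName": "AmazonS3ReadOnlyAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"},
    ],
    "ops-admin": [
        {"PolicyName": "AdministratorAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    ],
}


def is_aws_managed(policy_arn: str) -> bool:
    """AWS-managed policies live in the pseudo-account 'aws'."""
    return policy_arn.startswith("arn:aws:iam::aws:policy/")


def audit_roles(roles, attachments, broad=BROAD_POLICIES):
    """Return {role_name: [offending policy names]} for roles carrying broad access.

    Default/service roles (path /service-role/) are checked like any other
    role: the article's point is that the defaults themselves are the problem.
    """
    findings = {}
    for role in roles:
        name = role["RoleName"]
        offending = [
            p["PolicyName"]
            for p in attachments.get(name, [])
            if is_aws_managed(p["PolicyArn"]) and p["PolicyName"] in broad
        ]
        if offending:
            findings[name] = offending
    return findings


def scoped_s3_policy(bucket: str, actions=("s3:GetObject", "s3:PutObject")) -> dict:
    """Build a customer-managed policy document limited to one bucket,
    the kind of replacement for AmazonS3FullAccess the article calls for."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [bucket_arn]},
            {"Effect": "Allow", "Action": list(actions), "Resource": [f"{bucket_arn}/*"]},
        ],
    }


def fetch_live_inventory(iam_client):
    """Build (roles, attachments) from a boto3 IAM client. Not run offline."""
    roles, attachments = [], {}
    for page in iam_client.get_paginator("list_roles").paginate():
        for role in page["Roles"]:
            roles.append(role)
            pols = []
            pager = iam_client.get_paginator("list_attached_role_policies")
            for ap in pager.paginate(RoleName=role["RoleName"]):
                pols.extend(ap["AttachedPolicies"])
            attachments[role["RoleName"]] = pols
    return roles, attachments


if __name__ == "__main__":
    for role, policies in audit_roles(SAMPLE_ROLES, SAMPLE_ATTACHMENTS).items():
        print(f"{role}: broad managed policies attached -> {', '.join(policies)}")
```

To run it against a real account, replace the sample inventory with `fetch_live_inventory(boto3.client("iam"))`; the audit only reads IAM metadata, so `iam:ListRoles` and `iam:ListAttachedRolePolicies` are sufficient. Inline policies and customer-managed policies are out of scope here and would need `get_role_policy` / `get_policy_version` checks.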

🧑‍💻

Launches & Tools

Coinbase is hiring InfoSec experts – TLDR readers encouraged to apply! (Sponsor)

Builders. Innovators. Exceptional security leaders. People who are ready to do more – to develop and execute a vision for the future. Join a team where your expertise and passion are valued, and outperformance is generously rewarded. Apply to be a Staff Blockchain Security Architect or check out all available positions. ↗️

OpenAIPot (GitHub Repo)

OpenAIPot is a deceptive OpenAI API gateway that acts as a honeypot for detecting unauthorized API usage.

AuthMind (Product Launch)

AuthMind monitors the flow of activities for both human and non-human identities, aiming to provide organizations with a consolidated identity security posture management (ISPM) and threat detection and response (ITDR) solution.

Dalec (GitHub Repo)

Produce secure packages and containers with declarative configurations.

🎁

Miscellaneous

Take It Down Act Heads to Trump's Desk (2 minute read)

The bipartisan Take It Down Act, which will require social media companies to take down content flagged as nonconsensual (including AI-generated) sexual images, is heading to Trump's desk for signature. Some privacy activists are concerned that the takedown will be selectively enforced by the FTC and does not provide enough time for smaller sites to verify the claims correctly, which could be abused to hinder platforms' ability to operate effectively. The bill does not contain exemptions for end-to-end encrypted services such as private messaging and cloud storage.

Oregon agency won't say if hackers stole data in cyberattack (2 minute read)

Oregon's Environmental Quality Department faced a cyberattack by the ransomware group Rhysida. Officials have not confirmed data theft claims, including the theft of employee information, although services such as vehicle inspections were interrupted.

Cyber Security Company CEO Arrested for Installing Malware Onto Hospital Computers (2 minute read)

Jeffrey Bowie, CEO of the cybersecurity firm Veritaco, was arrested for allegedly installing malware on the computers of St. Anthony Hospital. Security cameras captured him accessing computers, where he installed software that took screenshots and transmitted them externally. Hospital staff caught him, and forensic analysis confirmed the breach.

Quick Links

Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products (3 minute read)

Google reported 75 zero-day vulnerabilities in 2024, down from 98 in 2023, with 44% targeting enterprise products, particularly security software.

4chan is Back Online, Says it's Been Starved for Money (2 minute read)

After a two-week downtime caused by a hack, 4chan is back online.

Microsoft: Windows Server hotpatching to require subscription (2 minute read)

Microsoft will begin charging a subscription fee in July for Windows Server 2025 hotpatching, which enables security updates without requiring a restart.

Love TLDR? Tell your friends and get rewards!

Share your referral link below with friends to get free TLDR swag!
Track your referrals here.

Want to advertise in TLDR? 📰

If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to advertise with us.

Want to work at TLDR? 💼

Apply here or send a friend's resume to jobs@tldr.tech and get $1k if we hire them!

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile


Manage your subscriptions to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please unsubscribe.
