Marcus Hutchins

Jason Soroko and I explain the major news items from the most recent CA/Browser Forum face-to-face meeting in Tokyo on the Root Causes Podcast. Topics include MPIC, 47-day certificate term, and Temporary Restraining Orders. Audio: https://lnkd.in/g-RaJifc Video: https://lnkd.in/gDJuyRAg

34

1 Comment

MPIC (Multi-perspective Issuance Corroboration) is soon to move into enforcement phase. In this Root Causes Podcast episode Jason Soroko and I describe three configuration decisions that can force Domain Control Validation (DCV) to fail and tell you what to do about them. Audio: https://lnkd.in/g5kTP-c4 Video: https://lnkd.in/g2Eug8BN

16

I'm a few days late, but last week's haul for VulnCheck Initial Access Intelligence customers included new #exploits, detections, PCAPs, and more for Tenda AC15 AC1900 devices, Flowise, and LG Simple Editor. The team also shipped a scanner for F5 BIG-IP management interfaces (plus ASM queries) and signatures for Redis CVE-2025-46818 (privesc) and CVE-2025-49844 (use-after-free). Notably, despite the news cycle, none of the public PoC for Redis manages to successfully trigger a crash, let alone get code execution. VulnCheck's research team assesses that the UAF is unlikely to be exploitable at scale, which isn't super surprising. More details and #threat context in the team's release notes! https://lnkd.in/ezJb-FXq

29

Just published a full step-by-step walkthrough on Rooting the Butler machine (TCM Security). This write-up covers the complete attack path — from initial enumeration to privilege escalation. If you’re preparing for hands-on certifications or sharpening real-world pentesting skills, this one’s for you.

15

1 Comment

After lengthy late-night discussions with Cédric Bonhomme on sightings and KEV formats, we produced a first draft of a generic format for Known Exploited Vulnerabilities (KEV).  Initially, we considered extending GCVE BCP-05 using the CVE Record format. However, we ultimately concluded that it may be more appropriate to define a standalone format, allowing sources to publish their KEV data independently. Feel free to comment on the discourse link below. KEV Assertion Format – Draft Specification (potential BCP?) This format describes a generic KEV (Known Exploited Vulnerability) assertion format. The goal is to express who claims exploitation, when, based on what, where it was observed, and with which level of confidence, without turning KEV into full threat intelligence. A KEV assertion is usually very binary and lacking some meta-information. The format adds some information which could better capture details about the exploitation. A majority of the fields are optional except vulnerability, status and evidence.[].source which are recommended. 🔗 https://lnkd.in/eaBUFXie GCVE-EU CIRCL (Computer Incident Response Center Luxembourg) CVE Program

145

11 Comments

Audits and forensics aren’t witch-hunts to “name the hacker.” They’re how you stop the next breach. A good audit/forensic review will: Expose misconfigurations and control gaps Surface broken processes (people • tech • vendors) Produce a clear timeline to improve response Provide evidence for insurance claims and regulators Demonstrate senior management intent and due diligence One breach costs more—in money, trust, and time—than doing the work properly up front. At Tylers, we turn incidents into hardening plans: fixes, owners, deadlines. Not blame—better security. #CyberSecurity #DigitalTrust #Forensics #Audit #IncidentResponse #Tylers

17

2 Comments

You might be feeling frustrated by the endless struggle of getting Sigma detection rules to work seamlessly in your open-source SIEM stack. It probably feels like every new rule demands manual conversions, special configs, and a ton of guesswork. It can be exhausting--and I’ve definitely been there. In this walkthrough I introduce how we can incorporate Velociraptor DFIR to solve our Sigma challenge. I share how I set up automated scans, tackled noisy detections, and fed alerts into my incident-response workflow (CoPilot). https://lnkd.in/gX5-X_mN

90

3 Comments

𝗧𝗵𝗲 𝗦𝘁𝗮𝘁𝗲 𝗼𝗳 𝗶𝗙𝗿𝗮𝗺𝗲 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 iFrame is a common webpage component used to display payment pages from the acquirer, payment facilitator or payment gateway.  In an interesting article by Abigail Amadi from Jscrambler, she outlined the common methods of attacking iFrames, how it relates to PCI DSS and what you can do about it. https://lnkd.in/gF2VwYB3 In my second last article featuring sponsors at the PCI Europe and Asia Pacific Community Meetings, thank you to Pedro Fortuna, John Elliott and the Jscrambler team for being sponsors at the PCI EUCM.  Pedro and John also represent Jscrambler as a PCI Principal Participating Organization (the higher tier member) and a PCI Board of Advisors member. I have covered about this issue with merchants’ page scripts in earlier posts. https://lnkd.in/ggF-gETE and https://lnkd.in/gkrr_MmV If you are a larger eCommerce (CNP) merchant and have no idea how to address this, do consider attending the PCI Community Meetings where experts will be present to demonstrate what the problem is.  There are two more conferences (Amsterdam from 14-16 Oct, Bangkok from 5-6 Nov) so make use of this opportunity to learn how to protect your organization's reputation and your customers' sensitive payment data.  https://lnkd.in/gNbE4wHH Smaller merchants are welcomed to join the Community Meetings but you should consult your Compliance Accepting Entity(ies), which is likely your acquirer (merchant bank), on suitable actions.  You may also refer to this information supplement published on the PCI Perspectives Blog: https://lnkd.in/g3BFxAEH Disclaimer: PCI Council is a neutral body and my personal post is not an endorsement of any organization or solution. PCI Security Standards Council #pcissc #pcicommunity #pcidss #pcidssv4 #datasecurity #cybersecurity #payments #paymentsecurity Video credit: Thank you Canva for your platform and the royalty-free video.

21

Two newly disclosed N-able vulnerabilities, CVE-2025-8875 and CVE-2025-8876, have been added to CISA’s KEV Catalog. They affect N-able’s N-central remote monitoring and management (RMM) platform. These flaws allow local code execution and command injection but require authentication to exploit, meaning they are unlikely to be used at the beginning of an exploit chain. Alexander Culafi at Dark Reading covers the details, noting the vulnerabilities impact versions prior to 2025.3.1. The article also features insight from Rapid7's Seth Lazarus: “They require authentication to achieve exploitation, which is much less severe than what we’ve recently seen, and likely why exploitation in the wild doesn’t appear to be widespread.” Read the full breakdown here: https://lnkd.in/eiukB6HM

77

Achieving SOC 2 compliance can be complex—but it doesn’t have to be. Oppos offers full-spectrum SOC 2 compliance & attestation services designed for businesses that value security, trust, and audit readiness. ✅ Start with a scoping and gap assessment to identify where you stand ✅ Document policies and controls aligned with SOC 2 Trust Services Criteria ✅ Conduct internal testing and advisory support ✅ Guide you through auditor validation and formal attestation Our approach helps streamline the process—reduce audit delays, prove trust to clients, and support growth in regulated markets. Whether you’re pursuing your first attestation or maintaining certification annually, we bring clarity, structure, and speed. https://smpl.is/aa7rd #SOC2 #ComplianceServices #AuditReady

9

⚙️ NEW EPISODE: Simply ICS Cyber – LIVE & ON DEMAND today at 9:30 AM EDT! Industrial cybersecurity and incident response fans — this one’s for you. 🎙️ S1 E5: Incident Response in ICS, OT, SCADA is with special guest Kai Thomsen, Director of Global IR Services at Dragos. In this must-hear episode, Don and Tom sit down with Kai to pull back the curtain on what Incident Response really looks like in ICS, OT, and SCADA environments. We’re digging into questions like: 🔹 Is DFIR the same in OT as it is in IT? 🔹 Who actually owns incident response in OT? 🔹 What makes tabletop exercises so critical — and how do you run them? 🔹 How can YOU break into OT-focused DFIR? 🚨 Whether you're defending control systems, building OT programs, or pivoting from IT to industrial cyber, this episode delivers tactical insights you won’t get anywhere else. 📺 Watch the stream on YouTube or 🎧 Catch the podcast on all major platforms 📅 Streaming Wednesday, April 16 at 9:30 AM EDT 🔗 youtu.be/qWsNbcqJX8M #ICS #incidentresponse #cybersecurity

9

Misinformation is circulating that Microsoft has stopped accepting SOC 2 reports for its SSPA program. This is incorrect. The April 2025 SSPA program guide states “A SOC 2 report may be accepted for DPR Section J (security) where no qualifications are noted." However, it is correct that SSPA may require SaaS companies to obtain an ISO 27001 and/or an ISO 42001 certification depending on a SaaS company’s agreement with Microsoft. They do not require SaaS companies to obtain an Unqualified SOC 2 report in any circumstances. But this doesn’t mean that Microsoft’s SSPA program won’t accept SOC 2 as evidence of meeting security requirements. An unqualified SOC 2 report is still a valid and valuable way to demonstrate your security posture to Microsoft and other customers. Don't let these rumors diminish the credibility of SOC 2 reports.

59

7 Comments

Stop Calling It “User Error” — Start Calling It a Design Flaw We’ve trained people to blame themselves for security failures. Clicked a phishing link? Didn’t spot the fake invoice? Used the same password twice? We call it user error -- when the real error is designing systems that expect perfection from humans under pressure. Cybersecurity shouldn’t rely on luck or fear. It should be built with empathy. Security is a shared right -- not a solo burden. How are you designing cyber programs that support humans, not punish them? #HumanCenteredSecurity #EmpathyInCyber #infosec #NoMoreUserError

13

7 Comments