Why the HTTP QUERY Method Is a Bad Idea, and Accept-Query Is Why
Why the HTTP QUERY Method Is a Bad Idea, and Accept-Query Is Why
In June 2026 the IETF published RFC 10008 and gave HTTP a new method: QUERY. New HTTP methods are rare. Most engineers have not seen one added in about twenty years, so this is worth understanding before it shows up in your stack. At first, when I saw this new method, I thought, "OK, we need to support it in our WAF." But after reading the RFC... I changed my mind... Here is what QUERY does, in plain terms. It works like GET, but it can carry a request body. A client uses it to send a read-onl
·blog.sicuranext.com·
Why the HTTP QUERY Method Is a Bad Idea, and Accept-Query Is Why
AssuranceAmerica data breach exposes records of 6.9 million drivers
AssuranceAmerica data breach exposes records of 6.9 million drivers
American insurance company AssuranceAmerica has disclosed a data breach impacting nearly 7 million drivers after attackers gained access to its systems earlier this year.
·bleepingcomputer.com·
AssuranceAmerica data breach exposes records of 6.9 million drivers
La nebbia dei proxy: perché nella cyber security il nemico non ha più una sola nazionalità
La nebbia dei proxy: perché nella cyber security il nemico non ha più una sola nazionalità
L'ultimo Internet Organised Crime Threat Assessment di Europol descrive un'economia del crimine ormai industrializzata. Ecco i casi concreti degli ultimi dodici mesi che mostrarno quanto la nuova grammatica del conflitto sia già operativa sul territorio europeo, con lo sfaldamento della distizione fra cyber criminali per profitto e attori statali
·cybersecurity360.it·
La nebbia dei proxy: perché nella cyber security il nemico non ha più una sola nazionalità
RedHook Returns with a Dangerous Upgrade
RedHook Returns with a Dangerous Upgrade
Group-IB analysts examine this resurfaced Android Remote Access Trojan, demonstrating new, sophisticated and malicious functionalities including autonomous privilege abuse, expanded command-and-control capabilities, and a robust persistence stack.
·group-ib.com·
RedHook Returns with a Dangerous Upgrade
Microsoft patches RoguePlanet Defender zero-day vulnerability
Microsoft patches RoguePlanet Defender zero-day vulnerability
Microsoft has released a security patch to address a Defender zero-day vulnerability known as "RoguePlanet," disclosed after the June 2026 Patch Tuesday.
·bleepingcomputer.com·
Microsoft patches RoguePlanet Defender zero-day vulnerability
Mount Royal University confirms breach as hackers claim attack
Mount Royal University confirms breach as hackers claim attack
Mount Royal University in Calgary says hackers stole and then deleted data from its file storage systems after breaching the university's network.
·bleepingcomputer.com·
Mount Royal University confirms breach as hackers claim attack
Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials
Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials
Malicious packages on the Node Package Manager (npm) and the Python Package Index (PyPI) delivered stealer malware to developers and users of Paysafe, Skrill, and Neteller payment applications.
·bleepingcomputer.com·
Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials
Hackers exploit Roundcube flaw to spy on academic researchers
Hackers exploit Roundcube flaw to spy on academic researchers
A China-linked threat cluster has been exploiting vulnerable Roundcube servers at U.S. and Canadian universities to steal credentials and deploy backdoor malware.
·bleepingcomputer.com·
Hackers exploit Roundcube flaw to spy on academic researchers
Entra passkey enrollment vishing targets Microsoft 365 users
Entra passkey enrollment vishing targets Microsoft 365 users
A threat actor has been targeting organizations across multiple sectors with voice-based fake security requests that ask Microsoft 365 users to enroll a new Entra passkey.
·bleepingcomputer.com·
Entra passkey enrollment vishing targets Microsoft 365 users
Apple e la privacy: cosa insegna il caso del bug in “Nascondi la mia email”
Apple e la privacy: cosa insegna il caso del bug in “Nascondi la mia email”
Un bug nella funzione “Nascondi la mia email” espone da oltre un anno gli indirizzi reali degli utenti iCloud, mettendo in discussione una delle principali promesse di privacy di Apple. Il caso riapre il dibattito su vulnerability management, trasparenza e tutela dell’identità digitale
·cybersecurity360.it·
Apple e la privacy: cosa insegna il caso del bug in “Nascondi la mia email”
TrojPix, così rubano dati sfruttando i cavi video: un nuovo rischio per le reti isolate
TrojPix, così rubano dati sfruttando i cavi video: un nuovo rischio per le reti isolate
TrojPix conferma che la sicurezza delle reti air-gapped non dipende soltanto dall'assenza di connessioni Internet. Emissioni elettromagnetiche, malware e canali laterali possono aggirare l'isolamento fisico, ampliando il perimetro della cyber security degli ambienti più sensibili
·cybersecurity360.it·
TrojPix, così rubano dati sfruttando i cavi video: un nuovo rischio per le reti isolate
3 Ways AI Powers Service Desk Attacks and How to Prevent Them
3 Ways AI Powers Service Desk Attacks and How to Prevent Them
Specops Software explains how AI is making service desk impersonation attacks more convincing, personalized, and scalable, along with practical steps organizations can take to strengthen onboarding and identity verification.
·bleepingcomputer.com·
3 Ways AI Powers Service Desk Attacks and How to Prevent Them
Felons, Fraudsters Flog Offensive Cybersecurity Startup
Felons, Fraudsters Flog Offensive Cybersecurity Startup
A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying…
·krebsonsecurity.com·
Felons, Fraudsters Flog Offensive Cybersecurity Startup
DuckDuckGo browser now blocks YouTube video ads
DuckDuckGo browser now blocks YouTube video ads
DuckDuckGo announced that its browser can now block most video ads on YouTube, including those shown before the video starts playing and during playback.
·bleepingcomputer.com·
DuckDuckGo browser now blocks YouTube video ads
Protect Your WordPress Using Claude Code and Karna
Protect Your WordPress Using Claude Code and Karna
When we open-sourced Karna WAF, we immediately added AI Agent Skills to help agents not just use and configure Karna, but also learn how to protect web apps and APIs. Now you can ask to Claude Code to protect your web application using Karna without knowing how to do it yourself. Karna Skills are grouped in 4 different categories: configuration: tells to your AI Agent how to configure Karna and what each parameter means. deploy: instruction about how to deploy Karna via an isolated docker con
·blog.sicuranext.com·
Protect Your WordPress Using Claude Code and Karna
Telco giant KDDI says data breach affects over 12 million people
Telco giant KDDI says data breach affects over 12 million people
Japanese telecommunications giant KDDI says that millions of people had their email addresses and passwords exposed after attackers breached an email platform used by five internet service providers (ISPs) in the country.
·bleepingcomputer.com·
Telco giant KDDI says data breach affects over 12 million people
Action Plan europeo su cyber security e AI: dalle regole alla capacità operativa
Action Plan europeo su cyber security e AI: dalle regole alla capacità operativa
L’Action Plan europeo su cyber security e AI punta a rafforzare valutazione dei modelli, gestione delle vulnerabilità, software open source e competenze. Dopo la stagione della regolazione, Bruxelles prova a costruire capacità operative e sovranità tecnologica
·cybersecurity360.it·
Action Plan europeo su cyber security e AI: dalle regole alla capacità operativa
CISA orders feds to prioritize patching Langflow auth bypass flaw
CISA orders feds to prioritize patching Langflow auth bypass flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies until Friday to patch an actively exploited vulnerability in the Langflow visual framework for building AI agents.
·bleepingcomputer.com·
CISA orders feds to prioritize patching Langflow auth bypass flaw
Transizione post-quantum: l’evoluzione degli standard crittografici per la tutela dei dati aziendali
Transizione post-quantum: l’evoluzione degli standard crittografici per la tutela dei dati aziendali
La crittografia post-quantum non è una minaccia del futuro: la strategia “harvest now, decrypt later” rende urgente la transizione oggi. Con la pubblicazione degli standard NIST FIPS 203-206 nel 2024, le organizzazioni hanno ora gli strumenti per avviare la migrazione. Questa guida illustra il percorso in sei passi verso la quantum-resistance
·cybersecurity360.it·
Transizione post-quantum: l’evoluzione degli standard crittografici per la tutela dei dati aziendali
È possibile decolonizzare l’intelligenza artificiale?
È possibile decolonizzare l’intelligenza artificiale?
Organizzazioni, collettivi e istituzioni fuori dal mondo occidentale si interrogano su come sfruttare le potenzialità delle intelligenze artificiali generative e svincolarsi da Big Tech. Ma il valore della sfida politica si scontra con la disparità di potere.
·guerredirete.it·
È possibile decolonizzare l’intelligenza artificiale?