Trending Articles

article thumbnail

Twitter’s Clumsy Pivot to X.com Is a Gift to Phishers

Krebs on Security

On April 9, Twitter/X began automatically modifying links that mention “twitter.com” to read “x.com” instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links — such as fedetwitter[.]com , which until very recently rendered as fedex.com in tweets.

Phishing 276
article thumbnail

In Memoriam: Ross Anderson, 1956-2024

Schneier on Security

Last week I posted a short memorial of Ross Anderson. The Communications of the ACM asked me to expand it. Here’s the longer version.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Security Vulnerability of HTML Emails

Schneier on Security

This is a newly discovered email vulnerability: The email your manager received and forwarded to you was something completely innocent, such as a potential customer asking a few questions. All that email was supposed to achieve was being forwarded to you. However, the moment the email appeared in your inbox, it changed. The innocent pretext disappeared and the real phishing email became visible.

Phishing 260
article thumbnail

Weekly Update 394

Troy Hunt

I suggest, based on my experiences with data breaches over the years, that AT&T is about to have a very bad time of it. Class actions following data breaches have become all too common and I've written before about how much I despise them. The trouble for AT&T (in my non-legal but "hey, I'm the data breach guy" opinion), will be their denial of a breach in 2021 and the subsequent years in which tens of millions of social security numbers were floating around.

article thumbnail

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

article thumbnail

XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor

Tech Republic Security

Read about a supply chain attack that involves XZ Utils, a data compressor widely used in Linux systems, and learn how to protect from this threat.

article thumbnail

New Spectre v2 attack impacts Linux systems on Intel CPUs

Bleeping Computer

Researchers have demonstrated the "first native Spectre v2 exploit" for a new speculative execution side-channel flaw that impacts Linux systems running on many modern Intel processors. [.

130
130

More Trending

article thumbnail

Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included

The Hacker News

Microsoft has released security updates for the month of April 2024 to remediate a record 149 flaws, two of which have come under active exploitation in the wild. Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity.

135
135
article thumbnail

6 Best Open Source Password Managers for Windows in 2024

Tech Republic Security

Discover the top open-source password managers for Windows. Learn about the features and benefits of each to determine which one is the best fit for your needs.

article thumbnail

Malicious PowerShell script pushing malware looks AI-written

Bleeping Computer

A threat actor is using a PowerShell script that was likely created with the help of an artificial intelligence system such as OpenAI's ChatGPT, Google's Gemini, or Microsoft's CoPilot. [.

article thumbnail

From Marco Polo to Modern Mayhem: Why Identity Management Matters

Thales Cloud Protection & Licensing

From Marco Polo to Modern Mayhem: Why Identity Management Matters madhav Tue, 04/09/2024 - 05:20 Imagine yourself as Marco Polo, the Venetian merchant traversing dangerous trade routes. Every border crossing meant proving your identity – who you were, where you came from, your purpose. Misrepresenting yourself could mean imprisonment or worse. Today's identity struggles aren't about camel caravans and silk, but that same core battle remains: proving who you are and protecting that identity from

article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack

Schneier on Security

US Cyber Safety Review Board released a report on the summer 2023 hack of Microsoft Exchange by China. It was a serious attack by the Chinese government that accessed the emails of senior U.S. government officials. From the executive summary: The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosy

Hacking 234
article thumbnail

Damn Vulnerable RESTaurant: An intentionally vulnerable Web API game for learning and training

Penetration Testing

Damn Vulnerable RESTaurant An intentionally vulnerable API service designed for learning and training purposes dedicated to developers, ethical hackers, and security engineers. The idea of the project is to provide an environment that can... The post Damn Vulnerable RESTaurant: An intentionally vulnerable Web API game for learning and training appeared first on Penetration Testing.

article thumbnail

The Tech Needed to Survive This Decade’s ‘Seismic’ APAC B2B Trends

Tech Republic Security

From generative AI and virtual prototyping to the Internet of Things, blockchain and data analytics, Merkle has predicted that four shifts in the business-to-business market will shape tech buying appetites.

B2B 148
article thumbnail

Microsoft fixes two Windows zero-days exploited in malware attacks

Bleeping Computer

Microsoft has fixed two actively exploited zero-day vulnerabilities during the April 2024 Patch Tuesday, although the company failed to initially tag them as such. [.

Malware 131
article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

10 Million Devices Were Infected by Data-Stealing Malware in 2023

Security Boulevard

Cybercriminals pilfered an average of 50.9 login credentials per device, evidence of the pressing need for cybersecurity measures. The post 10 Million Devices Were Infected by Data-Stealing Malware in 2023 appeared first on Security Boulevard.

Malware 135
article thumbnail

Maybe the Phone System Surveillance Vulnerabilities Will Be Fixed

Schneier on Security

It seems that the FCC might be fixing the vulnerabilities in SS7 and the Diameter protocol: On March 27 the commission asked telecommunications providers to weigh in and detail what they are doing to prevent SS7 and Diameter vulnerabilities from being misused to track consumers’ locations. The FCC has also asked carriers to detail any exploits of the protocols since 2018.

article thumbnail

Researchers Discover LG Smart TV Vulnerabilities Allowing Root Access

The Hacker News

Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices. The findings come from Romanian cybersecurity firm Bitdefender, which discovered and reported the flaws in November 2023. The issues were fixed by LG as part of updates released on March 22, 2024.

article thumbnail

6 Best Open Source Password Managers for Mac in 2024

Tech Republic Security

Explore the top open-source password managers available for Mac users. Find the best one that suits your needs and secure your online accounts effectively.

article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

article thumbnail

Over 92,000 exposed D-Link NAS devices have a backdoor account

Bleeping Computer

A threat researcher has disclosed a new arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage (NAS) device models. [.

article thumbnail

Hashicorp Versus OpenTofu Gets Ugly

Security Boulevard

Hashicorp is accusing the open source OpenTofu Project of swiping some of its BSL-licensed Terraform code. Enter the lawyers. The post Hashicorp Versus OpenTofu Gets Ugly appeared first on Security Boulevard.

137
137
article thumbnail

Friday Squid Blogging: SqUID Bots

Schneier on Security

They’re AI warehouse robots. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here.

article thumbnail

Fortinet Patches Multiple Critical Vulnerabilities Affecting FortiClient, FortiSandbox, FortiOS, and FortiProxy

Penetration Testing

Fortinet has released an urgent security advisory and patches addressing several critical and high-severity vulnerabilities in their popular security products. These vulnerabilities could expose organizations to remote code execution, unauthorized file deletion, OS command... The post Fortinet Patches Multiple Critical Vulnerabilities Affecting FortiClient, FortiSandbox, FortiOS, and FortiProxy appeared first on Penetration Testing.

article thumbnail

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

article thumbnail

Get an Extra 20% Off a Lifetime of Powerful VPN Protection Through 4/7

Tech Republic Security

There’s no reason to risk your privacy or your most confidential information, or even be deprived of your favorite content, when a solution is so affordable. Use coupon SECURE20 at checkout through 4/7 to unlock an additional 20% off this deal!

VPN 138
article thumbnail

Notepad++ needs your help in "parasite website" shutdown

Bleeping Computer

The Notepad++ project is seeking the public's help in taking down a copycat website that closely impersonates Notepad++ but is not affiliated with the project. There is some concern that it could pose security threats—for example, if it starts pushing malicious releases or spam someday either deliberately or as a result of a hijack. [.

123
123
article thumbnail

Here Comes the US GDPR: APRA, the American Privacy Rights Act

Security Boulevard

Enter the lobbyists: A draft federal privacy act has Washington DC buzzing. But it’s just a bill—and it’s a long, long journey before it becomes a law. The post Here Comes the US GDPR: APRA, the American Privacy Rights Act appeared first on Security Boulevard.

article thumbnail

Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks

The Hacker News

A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks. The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are invoked on Windows with untrusted arguments.

112
112
article thumbnail

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

article thumbnail

CVE-2023-3454: Critical Vulnerability in Brocade Fabric OS Exposes Networks to Remote Attacks

Penetration Testing

A serious vulnerability has been uncovered in Brocade Fabric OS, the firmware used by popular Fibre Channel switches found in numerous enterprise data centers. This flaw, designated CVE-2023-3454 (CVSS 8.6), could allow malicious actors to... The post CVE-2023-3454: Critical Vulnerability in Brocade Fabric OS Exposes Networks to Remote Attacks appeared first on Penetration Testing.

article thumbnail

Google Cloud Next 2024: New Data Center Chip and Chrome Enterprise Premium Join the Ecosystem

Tech Republic Security

Some Google Cloud customers will be able to run instances on the Arm-based Axion chip later this year. Plus, Chrome has a new enterprise tier.

article thumbnail

Hackers deploy crypto drainers on thousands of WordPress sites

Bleeping Computer

Almost 2,000 hacked WordPress sites now display fake NFT and discount pop-ups to trick visitors into connecting their wallets to crypto drainers that automatically steal funds. [.

Hacking 119
article thumbnail

FCC Mulls Rules to Protect Abuse Survivors from Stalking Through Cars

Security Boulevard

To protect domestic violence survivors from abusers, the FCC wants to include internet-connected vehicles under the Safe Communication Act. The post FCC Mulls Rules to Protect Abuse Survivors from Stalking Through Cars appeared first on Security Boulevard.

Internet 126
article thumbnail

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.