Trending Articles

article thumbnail

Recent ‘MFA Bombing’ Attacks Targeting Apple Users

Krebs on Security

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt.

Passwords 306
article thumbnail

Security Vulnerability in Saflok’s RFID-Based Keycard Locks

Schneier on Security

It’s pretty devastating : Today, Ian Carroll, Lennert Wouters, and a team of other security researchers are revealing a hotel keycard hacking technique they call Unsaflok. The technique is a collection of security vulnerabilities that would allow a hacker to almost instantly open several models of Saflok-brand RFID-based keycard locks sold by the Swiss lock maker Dormakaba.

Internet 213
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Weekly Update 392

Troy Hunt

Let's get straight to the controversial bit: email address validation. A penny-drop moment during this week's video was that the native browser address validator rejects many otherwise RFC compliant forms. As an example, I asked ChatGTP about the validity of the pipe symbol during the live stream and according to the AI, it's permissible "when properly quoted": "john|doe"@example.com Give that a go and see how far you get in an input of type "email" Mind yo

212
212
article thumbnail

GUEST ESSAY: NIST’s Cybersecurity Framework update extends best practices to supply chain, AI

The Last Watchdog

The National Institute of Standards and Technology (NIST) has updated their widely used Cybersecurity Framework (CSF) — a free respected landmark guidance document for reducing cybersecurity risk. Related: More background on CSF However, it’s important to note that most of the framework core has remained the same. Here are the core components the security community knows: Govern (GV): Sets forth the strategic path and guidelines for managing cybersecurity risks, ensuring harmony with business go

article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

New GoFetch Vulnerability in Apple’s M Chips Allows Secret Keys Leak on Compromised Computers

Tech Republic Security

The GoFetch vulnerability, which affects Apple's M series of chips, allows an attacker to steal secret keys from the Mac under certain conditions. Read tips on mitigating the GoFetch security threat.

article thumbnail

Mozilla Drops Onerep After CEO Admits to Running People-Search Networks

Krebs on Security

The nonprofit organization that supports the Firefox web browser said today it is winding down its new partnership with Onerep , an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by KrebsOnSecurity forced Onerep’s CEO to admit that he has founded dozens of people-search networks over the years.

Media 241

More Trending

article thumbnail

TheMoon malware infects 6,000 ASUS routers in 72 hours for proxy service

Bleeping Computer

A new variant of "TheMoon" malware botnet has been spotted infecting thousands of outdated small office and home office (SOHO) routers and IoT devices in 88 countries. [.

Malware 137
article thumbnail

Data Security Trends: 2024 Report Analysis

Thales Cloud Protection & Licensing

Data Security Trends: 2024 Report Analysis madhav Mon, 03/25/2024 - 05:08 Amid ongoing economic uncertainty and a progressively complex threat landscape, businesses are trying to navigate increasingly stringent regulatory requirements while bolstering their security posture. The 2024 Thales Global Data Threat Report , conducted by S&P Global Market Intelligence, which surveyed almost 3,000 respondents from 18 countries and 37 industries, revealed how decision-makers navigate new threats while tr

article thumbnail

Microsoft: 87% of UK Businesses Are Unprepared for Cyberattacks

Tech Republic Security

Microsoft has called on UK business leaders to "fight fire with fire" by adopting AI cybersecurity tools to defend themselves from cyberattacks.

article thumbnail

toolkit: The essential toolkit for reversing, malware analysis, and cracking

Penetration Testing

Indetectables Toolkit This tool compilation is carefully crafted to be useful both for beginners and veterans of the malware analysis world. It has also proven useful for people trying their luck at the cracking... The post toolkit: The essential toolkit for reversing, malware analysis, and cracking appeared first on Penetration Testing.

article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

Google Pays $10M in Bug Bounties in 2023

Schneier on Security

BleepingComputer has the details. It’s $2M less than in 2022, but it’s still a lot. The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program’s launch in 2010 has reached $59 million. For Android, the world’s most popular and widely used mobile operating system, the program awarded over $3.4 million.

Mobile 242
article thumbnail

Free VPN apps on Google Play turned Android phones into proxies

Bleeping Computer

Over 15 free VPN apps on Google Play were found using a malicious software development kit that turned Android devices into unwitting residential proxies, likely used for cybercrime and shopping bots. [.

VPN 132
article thumbnail

Telegram Privacy Nightmare: Don’t Opt In to P2PL

Security Boulevard

Scary SMS shenanigans: Avoid Telegram’s new “Peer-To-Peer Login” program if you value your privacy or your cellular service. The post Telegram Privacy Nightmare: Don’t Opt In to P2PL appeared first on Security Boulevard.

article thumbnail

6 Best Authenticator Apps for 2024

Tech Republic Security

Authenticator apps provide an extra layer of security. Learn about the best authenticator apps to secure your online accounts and protect your privacy.

article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

article thumbnail

YouTube ordered to reveal the identities of video viewers

Malwarebytes

Federal US authorities have asked Google for the names, addresses, telephone numbers, and user activity of accounts that watched certain YouTube videos, according to unsealed court documents Forbes has seen. Of those users that weren’t logged in when they watched those videos between January 1 and 8, 2023, the authorities asked for the IP addresses.

VPN 125
article thumbnail

CISA Warns of Active CVE-2023-24955 Exploitation in Microsoft SharePoint Server

Penetration Testing

The Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm regarding active attacks targeting a vulnerability in Microsoft SharePoint Server (CVE-2023-24955). This flaw has now joined CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling... The post CISA Warns of Active CVE-2023-24955 Exploitation in Microsoft SharePoint Server appeared first on Penetration Testing.

article thumbnail

New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts

Bleeping Computer

Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named 'Tycoon 2FA' to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. [.

Phishing 144
article thumbnail

Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions

The Hacker News

A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions.

Marketing 111
article thumbnail

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

article thumbnail

Protect Your Business With This Seamless Firewall — Now $150 Off

Tech Republic Security

DNS FireWall is an intuitive security app built to protect you and your business from malware, phishing, botnets and more security threats.

Firewall 109
article thumbnail

Patch now: Mozilla patches two critical vulnerabilities in Firefox

Malwarebytes

Mozilla released version 124.0.1 of the Firefox browser to Release channel users (the default channel that most non-developers run) on March 22, 2024. The new version fixes two critical security vulnerabilities. One of the vulnerabilities affects Firefox on desktop only, and doesn’t affect mobile versions of Firefox. Windows users that have automatic updates enabled should have the new version available as soon or shortly after they open the browser.

Mobile 121
article thumbnail

DroneXtract: A digital forensics suite for DJI drones

Penetration Testing

DroneXtract DroneXtract is a comprehensive digital forensics suite for DJI drones made with Golang. It can be used to analyze drone sensor values and telemetry data, visualize drone flight maps, audit for criminal activity,... The post DroneXtract: A digital forensics suite for DJI drones appeared first on Penetration Testing.

article thumbnail

Google's new AI search results promotes sites pushing malware, scams

Bleeping Computer

Google's new AI-powered 'Search Generative Experience' algorithms recommend scam sites that redirect visitors to unwanted Chrome extensions, fake iPhone giveaways, browser spam subscriptions, and tech support scams. [.

Scams 140
article thumbnail

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

article thumbnail

Alert: New Phishing Attack Delivers Keylogger Disguised as Bank Payment Notice

The Hacker News

A new phishing campaign has been observed leveraging a novel loader malware to deliver an information stealer and keylogger called Agent Tesla. Trustwave SpiderLabs said it identified a phishing email bearing this attack chain on March 8, 2024. The message masquerades as a bank payment notification, urging the user to open an archive file attachment.

Banking 102
article thumbnail

Apple M-Series FAIL: GoFetch Flaw Finds Crypto Keys

Security Boulevard

GoFAIL: Researchers worm their way into broken cache-filling microcode in most Macs and iPads. The post Apple M-Series FAIL: GoFetch Flaw Finds Crypto Keys appeared first on Security Boulevard.

article thumbnail

Large-scale Sign1 malware campaign already infected 39,000+ WordPress sites

Security Affairs

A large-scale malware campaign, tracked as Sign1, has already compromised 39,000 WordPress sites in the last six months. Sucurity researchers at Sucuri spotted a malware campaign, tracked as Sign1, which has already compromised 39,000 WordPress sites in the last six months. The experts discovered that threat actors compromised the websites implanting malicious JavaScript injections that redirect visitors to malicious websites.

Malware 125
article thumbnail

Firefox Patches Critical Zero-Day Vulnerabilities Exposed in Pwn2Own 2024

Penetration Testing

Mozilla has issued emergency security updates to fix two critical “zero-day” vulnerabilities in the Firefox web browser. These flaws were skillfully exploited during the recent Pwn2Own Vancouver 2024 hacking contest. Zero-Day Dangers Zero-day vulnerabilities... The post Firefox Patches Critical Zero-Day Vulnerabilities Exposed in Pwn2Own 2024 appeared first on Penetration Testing.

article thumbnail

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few others applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.

article thumbnail

Microsoft confirms Windows Server issue behind domain controller crashes

Bleeping Computer

Microsoft confirmed that a memory leak introduced with the March 2024 Windows Server security updates is behind a widespread issue causing Windows domain controllers to crash. [.

144
144
article thumbnail

CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products

The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday placed three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities added are as follows - CVE-2023-48788 (CVSS score: 9.3) - Fortinet FortiClient EMS SQL Injection Vulnerability CVE-2021-44529 (CVSS score: 9.

article thumbnail

Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script

Trend Micro

This blog entry discusses the Agenda ransomware group's use of its latest Rust variant to propagate to VMWare vCenter and ESXi servers.

article thumbnail

CISA adds FortiClient EMS, Ivanti EPM CSA, Nice Linear eMerge E3-Series bugs to its Known Exploited Vulnerabilities catalog

Security Affairs

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds FortiClient EMS, Ivanti EPM CSA, Nice Linear eMerge E3-Series bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2023-48788 Fortinet FortiClient EMS SQL Injection Vulnerability CVE-2021-44529 Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulne

Hacking 116
article thumbnail

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Did you know that 2021 was a record-breaking year for ransomware? The days of a “once in a while” attack against businesses and organizations are over. Cyberthreats have become a serious issue. With 495.1 million attacks, the threat marked a 148% increase compared to 2020 and was the most expensive year on record! As a result, data protection needs to be a concern for most banks, businesses, and information technology specialists.