Document and Risk - Cyber Security Informer

Roger Grimes on Prioritizing Cybersecurity Advice

Schneier on Security

OCTOBER 31, 2024

This is a good point : Part of the problem is that we are constantly handed lists…list of required controls…list of things we are being asked to fix or improve…lists of new projects…lists of threats, and so on, that are not ranked for risks. Here is one big one: Do not use or rely on un-risk-ranked lists.

Cybersecurity

Cybersecurity Risk Authentication

FBI warns of malicious free online document converters spreading malware

Security Affairs

MARCH 24, 2025

The FBI warns of a significant increase in scams involving free online document converters to infect users with malware. The FBI warns that threat actors use malicious online document converters to steal users sensitive information and infect their systems with malware. ” reads the alert. ” reads the alert.

Malware

Malware Scams Identity Theft Antivirus

OpenAI Is Not Training on Your Dropbox Documents—Today

Schneier on Security

DECEMBER 19, 2023

There’s a rumor flying around the Internet that OpenAI is training foundation models on your Dropbox documents. Dropbox isn’t sharing all of your documents with OpenAI. We risk letting companies get away with real misconduct because we incorrectly believed in conspiracy theories. Here’s CNBC.

Government

Government Banking Risk Internet

AI chatbot provider exposes 346,000 customer files, including ID documents, resumes, and medical records

Malwarebytes

DECEMBER 3, 2024

But the way its solution is set up introduces an extra link in the chain in the flow of personally identifiable information (PII) from the customer to the company that deployed the chatbot, leaving an additional risk of exposure. If you do get a chance, don’t send sensitive data to a chatbot, but ask for a safe company email address instead.

Identity Theft

Identity Theft Education Risk Phishing

From Risk Assessment to Action: Improving Your DLP Response

Security Affairs

OCTOBER 25, 2024

DLP is key in cybersecurity; a risk assessment identifies data risks, helping turn findings into real-world security improvements. So, how can you conduct a DLP risk assessment? What is a DLP Risk Assessment? Why Conduct a DLP Risk Assessment? Protecting sensitive data is what cybersecurity is all about.

Risk

Risk Cybersecurity Data breaches Cyber threats

AI in the Cloud: The Rising Tide of Security and Privacy Risks

Security Affairs

MAY 16, 2025

Over half of firms adopted AI in 2024, but cloud tools like Azure OpenAI raise growing concerns over data security and privacy risks. While these tools deliver clear productivity gains, they also expose businesses to complex new risks, particularly around data security and privacy. While valuable, these efforts are not enough.

Risk

Risk Artificial Intelligence Government Hacking

AI Risks

Schneier on Security

OCTOBER 9, 2023

Reading the headlines, one would hope that the rapid gains in AI technology have also brought forth a unifying realization of the risks—and the steps we need to take to mitigate them. Some are concerned about far-future risks that sound like science fiction. AI could destroy humanity or pose a risk on par with nukes.

Risk

Risk Artificial Intelligence Technology Surveillance

All Gmail users at risk from clever replay attack

Malwarebytes

APRIL 22, 2025

If the target clicked either “Upload additional documents” or “View case”, they were redirected to an exact copy of the Google sign-in page designed to steal their login credentials. Protect yourand your family’spersonal information by using identity protection.

Risk

Risk Accountability Scams Phishing

Security Risks of Relying on a Single Smartphone

Schneier on Security

SEPTEMBER 8, 2021

Isracard used a single cell phone to communicate with credit card clients, and receive documents via WhatsApp. An employee stole the phone. He reformatted the SIM, which was oddly the best possible outcome, given the circumstances. Using the data to steal money would have been much worse. Here’s a link to an archived version.

Risk

From Compliance to Confidence: How AI Is Reshaping Third-Party Risk

SecureWorld News

MAY 13, 2025

As geopolitical instability, supply chain disruption, and cyber threats continue to escalate, third-party risk management (TPRM) is evolving from a compliance function to a strategic business imperative. According to the EY survey , 87% of organizations have experienced a third-party risk incident in the past three years.

Risk

Risk Cyber Risk Artificial Intelligence Technology

Safety and Security in Automated Driving

Adam Shostack

JANUARY 2, 2025

Lets explore the risks associated with Automated Driving. I would find it more surprising if I were to look at a 150 page document and not find anything surprising.) One of the "minimal risk" maneuvers listed (table 4) is an emergency stop. Give specific threat information and mitigation strategies to component designers.

Risk

Risk Architecture Manufacturing Cybersecurity

Risk reduction redefined: How compromise assessment helps strengthen cyberdefenses

SecureList

OCTOBER 29, 2024

The primary objective of these services is risk reduction. Policy violations by employees Most organizations focus on external threats; however, policy violations pose a major risk , with 51% of SMB incidents and 43% of enterprise incidents involving IT security policy violations caused by employees.

Risk

Risk Antivirus Accountability Malware

Threat Modeling the Genomic Data Sequencing Workflow (Threat Model Thursday)

Adam Shostack

FEBRUARY 12, 2025

This is a big, complex document. The apparent complexity is exacerbated by the intermingling of how to conduct with sample output and perhaps the document might be improved by breaking it into two: a how to guide and a sample output document or documents. What makes this level of detail right for this document?

Risk

Risk Manufacturing Encryption Surveillance

Opportunities and risks of AI coding assistants

BH Consulting

DECEMBER 6, 2024

This blog will explore the advantages and risks these AI tools bring, along with actionable steps to integrate them responsibly into business practices. Maintaining code standards is essential, and AI assistants help enforce consistent code formatting, documentation, and commenting which improves readability and collaboration across teams.

Risk

Risk Data privacy Information Security Software

First American Financial Pays Farcical $500K Fine

Krebs on Security

JUNE 18, 2021

NYSE:FAF ] was leaking more than 800 million documents — many containing sensitive financial data — related to real estate transactions dating back 16 years. If you bought or sold a property in the last two decades or so, chances are decent that you also gave loads of personal and financial documents to First American.

Insurance

Insurance Risk Financial Services CISO

LW ROUNDTABLE: Wrist slap or cultural shift? SEC fines cyber firms for disclosure violations

The Last Watchdog

NOVEMBER 12, 2024

Unisys, for instance, was found to have framed cyber risks hypothetically even though its systems had already been breached, exfiltrating gigabytes of data. But the SEC’s latest actions underscore that failing to inform stakeholders about material risks and breaches is not an option. Want to stay out of trouble?

CISO

CISO CSO Risk Cyber threats

News alert: INE Security announces new initiative to help companies accelerate CMMC 2.0 compliance

The Last Watchdog

JANUARY 27, 2025

demands a structured approach to implementation and preparation. demands a structured approach to implementation and preparation. demands a structured approach to implementation and preparation.

Password Management

Password Management Architecture Threat Detection Cybersecurity

PayPal scam abuses Docusign API to spread phishy emails

Malwarebytes

MARCH 4, 2025

Also, it seems weird that Docusign has been used to send a document that doesnt require a signature. I’ve you’ve received an email like this and want to verify if it’s genuine, go directly to Docusign.com, click ‘Access Documents’ (upper right-hand corner), and enter the security code displayed in the email.

Scams

Scams Accountability Phishing Banking

EDR-as-a-Service makes the headlines in the cybercrime landscape

Security Affairs

APRIL 7, 2025

With the help of these documents, even inexperienced operators with limited hacking skills can quickly acquire the necessary expertise to successfully forward counterfeit EDRs. These EDRs, representing the official cooperation channels between law enforcement agencies and social media platforms, are at risk of becoming a double-edged sword.

Cybercrime

Cybercrime Social Engineering Accountability Government

Experts found rogue devices, including hidden cellular radios, in Chinese-made power inverters used worldwide

Security Affairs

MAY 18, 2025

“However, rogue communication devices not listed in product documents have been found in some Chinese solar power inverters by U.S The DOE said it assesses risks but faces challenges due to manufacturers’ poor disclosure. The DOE said it assesses risks, but faces challenges due to manufacturers’ poor disclosure.

Energy and Utilities

Energy and Utilities Manufacturing Government Hacking

Sealed U.S. Court Records Exposed in SolarWinds Breach

Krebs on Security

JANUARY 7, 2021

The ongoing breach affecting thousands of organizations that relied on backdoored products by network software firm SolarWinds may have jeopardized the privacy of countless sealed court documents on file with the U.S. These sealed documents will not be uploaded to CM/ECF.

Computers and Electronics

Computers and Electronics Software Engineering Accountability

Fake Social Security Statement emails trick users into installing remote tool

Malwarebytes

APRIL 30, 2025

Your document is now ready for download: Please download the attachment and follow the provided instructions. NOTE: Statements & Documents are only compatible with PC/Windows systems. icu We don’t just report on data privacywe help you remove your personal information Cybersecurity risks should never spread beyond a headline.

Computers and Electronics

Computers and Electronics Identity Theft Phishing Banking

News alert: Bubba AI launches Comp AI to help 100,000 startups get SOC 2 compliant by 2032

The Last Watchdog

MARCH 3, 2025

is building a comprehensive solution for these organizations to easily integrate compliance workflows and build their own customized processes through an open-source alternative to existing GRC (Governance, Risk, and Compliance) automation platforms. Bubba AI, Inc.

Marketing

Marketing Risk Banking Media

Best Policy Templates for Compliance: Essential Documents for Regulatory Success

Centraleyes

FEBRUARY 17, 2025

Policy management is the sturdy scaffolding that supports governance, risk, and compliance (GRC) objectives while shaping corporate culture and ensuring adherence to regulatory obligations. It anchors organizational goals, mitigates risks, and guides compliance. Tailored : No one-size-fits-all.

Architecture

Architecture Government Risk Technology

How Interlock Ransomware Affects the Defense Industrial Base Supply Chain

Security Affairs

MAY 13, 2025

Interlock Ransomware ‘s attack on a defense contractor exposed global defense supply chain details, risking operations of top contractors and their clients. Resecurity envisions the cascading effects on the defense supply chain due to ransomware activity.

Ransomware

Ransomware Cyber Attacks Risk Hacking

CISA’s 11-Month extension ensures continuity of MITRE’s CVE Program

Security Affairs

APRIL 16, 2025

-funded CVE program, a core cybersecurity tool for tracking vulnerabilities, faces funding expiry Wednesday, risking disruption to global security. government funding for MITRE s CVE program , a key global cybersecurity resource for cataloging vulnerabilities, is set to expire Wednesday, risking disruption.

Government

Government Risk Cybersecurity Media

Identifying People Using Cell Phone Location Data

Schneier on Security

JANUARY 9, 2023

This is the interesting part: Investigators identified Greenwood and Crahan almost immediately after the attacks took place by using cell phone data that allegedly showed both men in the vicinity of all four substations, according to court documents. He is based in a rural area, so he can’t risk making his ransom calls from that area.

Surveillance

Surveillance Internet Internet Risk

U.S. Soldier Charged in AT&T Hack Searched “Can Hacking Be Treason”

Krebs on Security

FEBRUARY 26, 2025

But in a response filed today (PDF), prosecutors in Seattle said Wagenius was a flight risk, partly because prior to his arrest he was searching online for how to defect to countries that do not extradite to the United States. government military which country will not hand me over” -“U.S.

Hacking

Hacking Government Identity Theft Accountability

The Limits of Cyber Operations in Wartime

Schneier on Security

MAY 31, 2022

In theory, subversion provides a way to exert influence at lower risks than force because it is secret and indirect, exploiting systems to use them against adversaries. Qualitative analysis leverages original data from field interviews, leaked documents, forensic evidence, and local media.

Media

Media Technology Risk

New SEC Rules around Cybersecurity Incident Disclosures

Schneier on Security

AUGUST 2, 2023

There are two basic rules: Public companies must “disclose any cybersecurity incident they determine to be material” within four days, with potential delays if there is a national security risk. Continuous assessment of the risk reduction activities should be elevated within an enterprise risk management framework and process.

Cybersecurity

Cybersecurity Risk Government Accountability

GUEST ESSAY: Why internal IT teams are ill-equipped to adequately address cyber risks

The Last Watchdog

FEBRUARY 11, 2024

From identity theft to greater oversight on risk management, internal IT teams will be taking the brunt of these incoming regulations. Regulatory overload Firms in the financial services industry are staring down the bottom of the regulatory barrel coming into 2024. The list goes on.

Cyber Risk

Cyber Risk Risk Financial Services Cyber threats

10 Benefits of Leading a Cybersecurity Management Review

SecureWorld News

NOVEMBER 25, 2024

It’s a chance to take a high-level look at how well your organization is managing information security risks, meeting objectives, and staying aligned with regulatory and business needs. Whether it’s a gap in controls, a missed objective, or an emerging risk, this is your chance to catch it early and take action.

Cybersecurity

Cybersecurity Risk Information Security Accountability

GUEST ESSAY: Addressing data leaks and other privacy, security exposures attendant to M&As

The Last Watchdog

JANUARY 27, 2022

Throughout this period, the risk level of the acquirer is much higher than the acquired company, creating a major cybersecurity gap as they merge their tech stack and security tools together. They can be divided into two categories: Pre-Close Risks. Lack of documented evidence. . Lack of documented evidence.

Marketing

Marketing Data privacy Risk Accountability

‘BlueLeaks’ Exposes Files from Hundreds of Police Departments

Krebs on Security

JUNE 21, 2020

In a post on Twitter , DDoSecrets said the BlueLeaks archive indexes “ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources,” and that “among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more.”

Government

Government Accountability Cyber threats Cyber Attacks

Dental group lied through teeth about data breach, fined $350,000

Malwarebytes

JANUARY 6, 2025

Nothing showed evidence that a HIPAA-compliant risk analysis had ever been conducted (lists of usernames and passwords in plain text on the compromised server). Court documents also reveal that because Westend Dental did not conduct a forensic investigation, the exact number of people affected by the breach is unknown.

Data breaches

Data breaches Ransomware Passwords Insurance

New iMessage Security Features

Schneier on Security

JANUARY 29, 2021

Apple has added added security features to mitigate the risk of zero-click iMessage attacks.

Risk

Risk Hacking Cybersecurity

7-Zip bug could allow a bypass of a Windows security feature. Update now

Malwarebytes

JANUARY 22, 2025

The MotW also makes sure that Office documents that are marked with the MotW will be opened in Protected View, which automatically enables read-only mode and means that all macros will be disabled until the user allows them. We dont just report on threatswe remove them Cybersecurity risks should never spread beyond a headline.

Internet

Internet Internet Malware Risk

U.S. CISA adds Cisco ASA and FTD, and RoundCube Webmail bugs to its Known Exploited Vulnerabilities catalog

Security Affairs

OCTOBER 25, 2024

The company published a document containing recommendations against password spray attacks aimed at Remote Access VPN (RAVPN) services. The content of the email was empty, and the message only included an attached document that was not visible in the email client. The researchers also published PoC exploit code for this vulnerability.

VPN

VPN Firewall Technology Passwords

Threat Model Thursday: BIML Machine Learning Risk Framework

Adam Shostack

JANUARY 2, 2025

Risk Framework and Machine Learning The Berryville Institute of Machine Learning (BIML) has released " An Architectural Risk Analysis of Machine Learning Systems." BIML has released the work in two ways, an interactive risk framework contains a subset of the information in the PDF version. The first challenge is specificity.

Risk

Risk Engineering Architecture

How Cryptocurrency Turns to Cash in Russian Banks

Krebs on Security

DECEMBER 11, 2024

This address was the subject of an investigation published in July by CTV National News and the Investigative Journalism Foundation (IJF) , which documented dozens of cases across Canada where multiple MSBs are incorporated at the same address, often without the knowledge or consent of the location’s actual occupant. in Vancouver, BC.

Cryptocurrency

Cryptocurrency Banking Cybercrime Advertising

Irish Data Protection Commission (DPC) fined Meta €251 million for a 2018 data breach

Security Affairs

DECEMBER 18, 2024

The DPC fined Meta 251M for GDPR violations, citing insufficient breach notifications (8M), poor breach documentation (3M), design flaws (130M), and default data protection failures (110M). By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.

Data breaches

Data breaches Accountability Risk Advertising

News alert: Doppler announces integration with Datadog to streamline credential security

The Last Watchdog

JANUARY 31, 2025

Dopplers automated secrets storage and rotation, paired with Datadogs continuous monitoring, empowers teams to mitigate risks of secret sprawl and prevent unauthorized access in a scalable, automated fashion. Together, were helping teams protect their data while allowing them to stay focused on building great software.

Risk

Risk Data breaches Media Engineering

News alert: INE Security highlights monthly CVE Labs aimed at sharpening real-world defense

The Last Watchdog

MAY 14, 2025

With over 26,000 new CVEs documented in the past year, security teams are drowning in vulnerability alerts while facing exploit windows that have compressed to hours in many cases. ” Skill Dive is INE Security’s risk-free technical environment featuring exclusive labs not found in learning paths and courses.

Authentication

Authentication Cybersecurity Risk Media

A data leak exposes the operations of the Chinese private firm TopSec, which provides Censorship-as-a-Service

Security Affairs

FEBRUARY 24, 2025

The leak includes work logs, DevOps commands, API data, and network configs with hardcoded credentials, posing security risks to TopSec and its customers. Some documents detail the use of web content monitoring services to enforce censorship for public and private sector customers. ” reads the report published by SentinelLabs.

Government

Government Cybersecurity Hacking Internet

Roger Grimes on Prioritizing Cybersecurity Advice

FBI warns of malicious free online document converters spreading malware

Trending Sources

OpenAI Is Not Training on Your Dropbox Documents—Today

AI chatbot provider exposes 346,000 customer files, including ID documents, resumes, and medical records

From Risk Assessment to Action: Improving Your DLP Response

AI in the Cloud: The Rising Tide of Security and Privacy Risks

AI Risks

All Gmail users at risk from clever replay attack

Security Risks of Relying on a Single Smartphone

From Compliance to Confidence: How AI Is Reshaping Third-Party Risk

Safety and Security in Automated Driving

Risk reduction redefined: How compromise assessment helps strengthen cyberdefenses

Threat Modeling the Genomic Data Sequencing Workflow (Threat Model Thursday)

Opportunities and risks of AI coding assistants

First American Financial Pays Farcical $500K Fine

LW ROUNDTABLE: Wrist slap or cultural shift? SEC fines cyber firms for disclosure violations

News alert: INE Security announces new initiative to help companies accelerate CMMC 2.0 compliance

PayPal scam abuses Docusign API to spread phishy emails

EDR-as-a-Service makes the headlines in the cybercrime landscape

Experts found rogue devices, including hidden cellular radios, in Chinese-made power inverters used worldwide

Sealed U.S. Court Records Exposed in SolarWinds Breach

Fake Social Security Statement emails trick users into installing remote tool

News alert: Bubba AI launches Comp AI to help 100,000 startups get SOC 2 compliant by 2032

Best Policy Templates for Compliance: Essential Documents for Regulatory Success

How Interlock Ransomware Affects the Defense Industrial Base Supply Chain

CISA’s 11-Month extension ensures continuity of MITRE’s CVE Program

Identifying People Using Cell Phone Location Data

U.S. Soldier Charged in AT&T Hack Searched “Can Hacking Be Treason”

The Limits of Cyber Operations in Wartime

New SEC Rules around Cybersecurity Incident Disclosures

GUEST ESSAY: Why internal IT teams are ill-equipped to adequately address cyber risks

10 Benefits of Leading a Cybersecurity Management Review

GUEST ESSAY: Addressing data leaks and other privacy, security exposures attendant to M&As

‘BlueLeaks’ Exposes Files from Hundreds of Police Departments

Dental group lied through teeth about data breach, fined $350,000

New iMessage Security Features

7-Zip bug could allow a bypass of a Windows security feature. Update now

U.S. CISA adds Cisco ASA and FTD, and RoundCube Webmail bugs to its Known Exploited Vulnerabilities catalog

Threat Model Thursday: BIML Machine Learning Risk Framework

How Cryptocurrency Turns to Cash in Russian Banks

Irish Data Protection Commission (DPC) fined Meta €251 million for a 2018 data breach

News alert: Doppler announces integration with Datadog to streamline credential security

News alert: INE Security highlights monthly CVE Labs aimed at sharpening real-world defense

A data leak exposes the operations of the Chinese private firm TopSec, which provides Censorship-as-a-Service

Stay Connected