Mon. Jan 30, 2023


Unphishable mobile MFA through hardware keys

Tech Republic Security

With Azure AD and FIDO security keys, you can make MFA more secure and avoid having to provision certificates on everyone’s phones.


Security, Compliance Risks Complicate Cloud Migration Efforts 

Security Boulevard

Security and compliance risks are ranked as among the top barriers to achieving value from investments moving to the cloud as organizations grapple with what they consider an “urgent priority,” according to a recent report from Accenture. The global survey of 800 business and IT leaders revealed security continues to be one of the top.


Get nine ethical hacking courses for just $30

Tech Republic Security

Learn some of today's most popular attacks and how to mitigate them with The All-in-One Ethical Hacking & Penetration Testing Bundle.


How to survive below the cybersecurity poverty line

CSO Magazine

The security poverty line broadly defines a divide between the organizations that have the means and resources to achieve and maintain mature security postures to protect data, and those that do not. It was first coined by cybersecurity expert Wendy Nather in 2011, and the concept is just as relevant today as it was then (if not more so). It has widely become the benchmark for acceptable cybersecurity, often associated with factors such as company size, sector and disposable income, but also kno


IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.


6 misconceptions about Software Bills of Materials

Security Boulevard

There is no debate that the software supply chain is filled with action. It’s the front lines of the security world these days. If you have a shadow of a doubt, search the history of SolarWinds, Codecov, or CircleCI for examples of how attackers use the supply chain as a gateway of compromise.


BlackCat Ransomware targets Indian Military weapons maker and Yandex Data Breach

CyberSecurity Insiders

BlackCat Ransomware has targeted an Indian firm that produces and supplies weaponry to military agencies across the subcontinent. Details are in that the hacking gang has now put the stolen data up for sale after the victim refused to meet its monetary demands. Solar Industries India Limited is the firm that fell victim to the BlackCat group, and security firm CloudSEK has confirmed the incident, saying it has gathered confidential evidence to support its stance.


Economic headwinds could deepen the cybersecurity skills shortage

CSO Magazine

According to the most recent research report from ESG and the Information System Security Association International (ISSA), 57% of organizations claim that they’ve been impacted by the global cybersecurity skills shortage, while 44% of organizations believe the skills shortage has gotten worse over the past few years. The result? Increasing workloads on existing cybersecurity staff, job requisitions open for weeks or months, and high burnout rates and attrition for cybersecurity professionals.


ChatGPT Makes Waves Inside and Outside of the Tech Industry

Security Boulevard

Since it was made publicly available in December, ChatGPT has prompted all sorts of reactions from both inside and outside technology circles. Microsoft, which previously invested $1B into ChatGPT creator company OpenAI, indicated it will invest another $10 billion into the company and that it would incorporate AI into all of Microsoft’s tools. (1) Cybercriminals also seem to see the potential in ChatGPT; some sec


Come to the dark side: hunting IT professionals on the dark web

SecureList

The dark web is a collective name for a variety of websites and marketplaces that bring together individuals willing to engage in illicit or shady activities. Dark web forums contain ads for selling and buying stolen data, offers to code malware and hack websites, posts seeking like-minded individuals to participate in attacks on companies, and many more.


Open source software: A pillar of modern software development

Security Boulevard

Open source software provides companies with a competitive edge but when used incorrectly, it can lead to risks in the software supply chain.


Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.
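As an added example (not code from the item above), a small scanner that flags the page elements the item describes: script loads from known tracker hosts, 1x1 pixel images sent to third parties, and beacon query parameters that look like they carry patient identifiers or e-mail addresses. The tracker host list, the parameter-name hints and the sample portal page are constructed assumptions for illustration; a real audit would extend the list and run against the authenticated pages of the site in question.

```python
"""Flag third-party trackers and tracking pixels in a web page.

Added example, not code from the item above. TRACKER_HOSTS, PHI_PARAM_HINTS
and SAMPLE_PAGE are constructed assumptions for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

# Assumption: hosts of widely used analytics/advertising tags.
TRACKER_HOSTS = {
    "connect.facebook.net",      # Meta Pixel loader script
    "www.facebook.com",          # Meta Pixel image beacon (/tr)
    "www.google-analytics.com",
    "www.googletagmanager.com",
    "analytics.tiktok.com",
}
# Assumption: parameter-name fragments suggesting patient data in a beacon URL.
PHI_PARAM_HINTS = ("mrn", "patient", "appointment", "dob", "email", "phone", "diagnosis")


def _host_of(url):
    """Lowercase hostname of an absolute or protocol-relative URL, else None."""
    try:
        host = urlparse(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def _is_first_party(host, site_domain):
    return host == site_domain or host.endswith("." + site_domain)


def _phi_hints(url):
    """Reasons derived from the query string of a beacon URL."""
    hints = []
    for key, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        if any(h in key.lower() for h in PHI_PARAM_HINTS):
            hints.append(f"PHI-like parameter: {key}")
        elif "@" in value:
            hints.append(f"email-like value in parameter {key}")
    return hints


class TrackerScanner(HTMLParser):
    """Collects third-party script/img/iframe loads that look like tracking."""

    def __init__(self, site_domain):
        super().__init__()
        self.site_domain = site_domain.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = _host_of(src)
        if host is None or _is_first_party(host, self.site_domain):
            return  # relative or first-party resource: not a third-party tracker
        reasons = []
        if host in TRACKER_HOSTS:
            reasons.append("known tracker host")
        if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            reasons.append("1x1 pixel")
        reasons.extend(_phi_hints(src))
        if reasons:  # unknown third-party scripts without other signals are not reported
            self.findings.append({"tag": tag, "host": host, "url": src, "reasons": reasons})


def scan_html(html, site_domain):
    """Return tracking findings for a page served from site_domain, in document order."""
    scanner = TrackerScanner(site_domain)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a patient-portal page mixing first-party assets with trackers.
SAMPLE_PAGE = """<html><head>
<script src="/static/portal.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="//www.google-analytics.com/analytics.js"></script>
</head><body>
<img src="https://cdn.example-health.org/logo.png" alt="logo">
<img src="https://www.facebook.com/tr?id=123456&amp;ev=Schedule&amp;cd[mrn]=A12345" width="1" height="1" style="display:none">
<img src="https://tracking.example-ads.net/p.gif?u=user%40example.com" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, "example-health.org"):
        print(f"{f['tag']:6} {f['host']:28} {', '.join(f['reasons'])}")
```

The scanner only reports third-party loads that carry a signal (known tracker host, 1x1 pixel, or PHI-looking parameters), so an ordinary CDN script does not show up; the query-string check is what turns "a pixel is present" into "a pixel is carrying an MRN or e-mail address off-site", which is the point the item makes about HIPAA exposure.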


U.S. No Fly list shared on a hacking forum, government investigating

Bleeping Computer

A U.S. No Fly list with over 1.5 million records of banned flyers and upwards of 250,000 'selectees' has been shared publicly on a hacking forum. BleepingComputer has confirmed the list is the same TSA No Fly list that was discovered recently on an unsecured CommuteAir server.


Data Breach at Britain JD Sports leaks 10 million customers

CyberSecurity Insiders

JD Sports, Britain’s online retailer of branded sportswear, has reportedly become a victim of a cyber attack that leaked information of over 10 million customers. The leaked info reportedly belongs to customers who placed orders on the platform over the past few years (between Nov 2018 and Oct 2020) and might include sensitive details of half of the affected consumers.


Zero trust security: A cheat sheet (free PDF)

Tech Republic Security

Current cybersecurity practices are woefully unprepared to meet the complexities of modern networks. Cloud services, remote users, personally-owned devices, mobile company assets and other forms of tech regularly move from outside the network in, and a once-safe device can’t be assumed to be safe again. It’s here that a new paradigm in cybersecurity thinking emerges.


Flipper Zero: Next Gen Hacking Tool for the Next Generation

SecureWorld News

You probably don't remember a TV series that aired on NBC in the mid 60s called Flipper. It actually stopped broadcasting before I was even born, but I do recall reruns involving criminal schemes foiled by an uncannily smart bottle-nosed dolphin named Flipper. Well, Flipper is back but in an entirely new way and for an entirely new generation. Kickstarter sensation Flipper Zero is described as "a cyber dolphin who really loves to hack"

(Image caption: Flipper Zero has no shortage of wireless inputs and outputs)


Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?


QNAP fixes critical bug letting hackers inject malicious code

Bleeping Computer

QNAP is warning customers to install QTS and QuTS firmware updates that fix a critical security vulnerability allowing remote attackers to inject malicious code on QNAP NAS devices.


Open Source Security Index Lists Top Projects

eSecurity Planet

Two venture investors have launched an index to track the most popular open source security projects. Chenxi Wang of Rain Capital and Andrew Smyth of Atlantic Bridge unveiled the Open Source Security Index last month. The website leverages GitHub application programming interfaces (APIs) to make “finding open-source security projects easier for everyone.” Anyone can go to the site to discover “the most popular and fastest-growing open-source security (OSS) projects.” OSS


Researcher received a $27,000 bounty for 2FA bypass bug in Facebook and Instagram

Security Affairs

A researcher disclosed technical details of a two-factor authentication bypass vulnerability affecting Instagram and Facebook. The researcher Gtm Manoz received a $27,000 bug bounty for having reported a two-factor authentication bypass vulnerability affecting Instagram and Facebook. The flaw resides in a component used by the parent company Meta for confirming a phone number and email address.


Analyzing and remediating a malware infested T95 TV box from Amazon

Malwarebytes

A couple of weeks ago, security news outlets made their rounds reporting on an Android TV box available on Amazon that came pre-installed with malware. The findings came from a Canadian developer, Daniel Milisic, who posted on his GitHub. What Daniel found was an Android T95 TV box infected with malware right out of the box! Immediately, I recognized some of the apps that put up red flags, such as Adups.


From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.


GUAC Explained in 5 Minutes

Security Boulevard

GUAC stands for Graph for Understanding Artifact Composition and was developed by Google in collaboration with industry leaders to make it easier to understand the influx of security metadata generated by artifacts in the software development lifecycle. As the threat landscape evolves, forming a coalition to create a common framework with the goal of leveraging security metadata can lead to more secure software.


A private moment, caught by a Roomba, ended up on Facebook. Eileen Guo explains how: Lock and Code S04E03

Malwarebytes

In 2020, a photo of a woman sitting on a toilet—her shorts pulled half-way down her thighs—was shared on Facebook, and it was shared by someone whose job it was to look at that photo and, by labeling the objects in it, help train an artificial intelligence system for a vacuum. Bizarre? Yes. Unique? No. In December, MIT Technology Review investigated the data collection and sharing practices of the company iRobot, the developer of the popular self-automated Roomba vacuums.


GitHub Breach: Hackers Stole Code-Signing Certificates for GitHub Desktop and Atom

The Hacker News

GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps. As a result, the company is taking the step of revoking the exposed certificates out of abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.


Riot Games refuses to pay ransom to avoid League of Legends leak

Malwarebytes

After confirming threat actors were able to steal some of its code, Riot Games has also revealed that it received a ransom email from its attacker. The attackers are demanding $10 million to stop them leaking source code from League of Legends and other games. Riot's reply? Today, we received a ransom email. Needless to say, we won’t pay. While this attack disrupted our build environment and could cause issues in the future, most importantly we remain confident that no player data or player p


Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.


QNAP addresses a critical flaw impacting its NAS devices

Security Affairs

Taiwanese vendor QNAP is warning customers to install QTS and QuTS firmware updates to address a critical flaw impacting its NAS devices. QNAP released QTS and QuTS firmware updates to address a critical vulnerability, tracked as CVE-2022-27596 (CVSS v3 score: 9.8), that affects QNAP NAS devices. A remote attacker can exploit the vulnerability to inject malicious code on QNAP NAS devices.


New Mimic Ransomware Uses Windows Search Engine to Find and Encrypt Files

Heimdal Security

Cybersecurity researchers uncovered a new strain of ransomware named Mimic. Mimic uses Everything API, a file search tool for Windows, to search for files to encrypt. Some of the code in Mimic is similar to that found in Conti, whose source code was leaked to a Ukrainian researcher in March 2022. As a sophisticated malware, […]


Convincing, Malicious Google Ads Look to Lift Password Manager Logins

Dark Reading

Users searching for Bitwarden and 1Password's Web vaults on Google have recently reported seeing paid ads with links to cleverly spoofed sites for stealing credentials to their password vaults.
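As an added example (not code from the Dark Reading item), a URL check of the kind a browser extension or a security-awareness tool could run before a user types vault credentials: it treats a URL as official only when its registrable domain is one of the vendors' own domains and the scheme is https, and flags lookalikes that embed the brand name inside another domain, sit within a small edit distance of it, or use non-ASCII homograph characters. The official-domain list, the brand tokens and the sample URLs are constructed assumptions for illustration (the item names Bitwarden and 1Password but not their vault hostnames).

```python
"""Classify a login URL as official, suspicious or unrelated for a set of brands.

Added example, not code from the item above. OFFICIAL_DOMAINS, BRAND_TOKENS and
SAMPLE_URLS are constructed assumptions for illustration.
"""
from urllib.parse import urlparse

# Assumption: the vendors' official registrable domains; subdomains such as a
# web-vault host are accepted because they end in one of these.
OFFICIAL_DOMAINS = {"bitwarden.com", "1password.com"}
BRAND_TOKENS = ("bitwarden", "1password")
MAX_EDIT_DISTANCE = 2  # how close a second-level label must be to count as a lookalike


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, reasons); verdict is 'official', 'suspicious' or 'unrelated'."""
    try:
        parsed = urlparse(url)
        host = (parsed.hostname or "").rstrip(".")
    except ValueError:
        return "unrelated", ["unparseable URL"]
    if not host:
        return "unrelated", ["no hostname in URL"]
    labels = host.split(".")
    # Assumption: two-label registrable domain; a real tool should use the public suffix list.
    registrable = ".".join(labels[-2:])
    second_level = labels[-2] if len(labels) >= 2 else host

    # Exact match on the registrable domain: "bitwarden.com.evil.example" does not qualify.
    if registrable in OFFICIAL_DOMAINS:
        if parsed.scheme != "https":
            return "suspicious", ["official domain but not https"]
        return "official", []

    reasons = []
    if not host.isascii():
        reasons.append("non-ASCII hostname (possible homograph)")
    for brand in BRAND_TOKENS:
        if brand in host:
            reasons.append(f"brand '{brand}' appears outside its official domain")
        elif levenshtein(second_level, brand) <= MAX_EDIT_DISTANCE:
            reasons.append(f"'{second_level}' is within {MAX_EDIT_DISTANCE} edits of '{brand}'")
    if reasons:
        return "suspicious", reasons
    return "unrelated", []


# Constructed sample URLs of the kind a malicious search ad might land a user on.
SAMPLE_URLS = [
    "https://vault.bitwarden.com/#/login",
    "https://my.1password.com/signin",
    "http://vault.bitwarden.com/",
    "https://vault.bitwarden.com.login-secure.example/#/login",
    "https://bitwerden.com/",
    "https://bitw\u0430rden.com/",   # Cyrillic 'а' in place of Latin 'a'
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict, reasons = classify_url(u)
        print(f"{verdict:10} {u}  {'; '.join(reasons)}")
```

The design choice that matters is the exact registrable-domain comparison: substring checks ("does the URL contain bitwarden.com?") are exactly what the spoofed sites in the item rely on users doing by eye, and the homograph and edit-distance checks catch the registrations that survive a quick glance at the address bar.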


Realtek Vulnerability Under Attack: Over 134 Million Attempts to Hack IoT Devices

The Hacker News

Researchers are warning about a spike in exploitation attempts weaponizing a critical remote code execution flaw in Realtek Jungle SDK since the start of August 2022. According to Palo Alto Networks Unit 42, the ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months.


ERM Program Fundamentals for Success in the Banking Industry

Speaker: William Hord, Senior VP of Risk & Professional Services

Enterprise Risk Management (ERM) is critical for industry growth in today’s fast-paced and ever-changing risk landscape. When building your ERM program foundation, you need to answer questions like: Do we have robust board and management support? Do we understand and articulate our bank’s risk appetite and how that impacts our business units? How are we measuring and rating our risk impact, likelihood, and controls to mitigate our risk?


KeePass disputes vulnerability allowing stealthy password theft

Bleeping Computer

The development team behind the open-source password management software KeePass is disputing what is described as a newly found vulnerability that allows attackers to stealthily export the entire database in plain text.


Update your LearnPress plugins now!

Malwarebytes

It’s time for a reminder to ensure all of your WordPress plugins are fully up to date (or removed, if you don't need them). Bleeping Computer reports that as many as 75,000 WordPress sites may be open to several flaws in a plugin called LearnPress. Worse, the update tally for users of the plugin isn't doing particularly well, with a big slice of site owners still to update.


QNAP Fixes Critical Vulnerability in NAS Devices with Latest Security Updates

The Hacker News

Taiwanese company QNAP has released updates to remediate a critical security flaw affecting its network-attached storage (NAS) devices that could lead to arbitrary code injection. Tracked as CVE-2022-27596, the vulnerability is rated 9.8 out of a maximum of 10 on the CVSS scoring scale. It affects QTS 5.0.1 and QuTS hero h5.0.1.


Maximizing Cybersecurity Savings through Tool Consolidation: A Guide for Enterprises

Security Boulevard

Let’s define cybersecurity tool consolidation as “merging together the capabilities of disparate tools used to monitor network behavior and mitigate and prevent threats.” It’s a way to simplify security infrastructure by identifying and eliminating redundant or unnecessary tools.


Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few other applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.