Tue. Dec 14, 2021

Microsoft Patch Tuesday, December 2021 Edition

Krebs on Security

Microsoft, Adobe, and Google all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited. But this month’s Patch Tuesday is overshadowed by the “Log4Shell” 0-day exploit in a popular Java library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw.

Internet 299

On the Log4j Vulnerability

Schneier on Security

It’s serious: The range of impacts is so broad because of the nature of the vulnerability itself. Developers use logging frameworks to keep track of what happens in a given application. To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code. From there they can load arbitrary code on the targeted server and install malware or launch other attacks.

New Microsoft Exchange credential stealing malware could be worse than phishing

Tech Republic Security

While looking for additional Exchange vulnerabilities in the wake of this year's zero-days, Kaspersky found an IIS add-on that harvests credentials from OWA whenever, and wherever, someone logs in.

Phishing 217

Upcoming Speaking Engagements

Schneier on Security

This is a current list of where and when I am scheduled to speak: I’m speaking at the RSA Conference 2022 in San Francisco on February 8, 2022. I’m speaking at IT-S Now 2022 in Vienna on June 2, 2022. I’m speaking at the 14th International Conference on Cyber Conflict, CyCon 2022, in Tallinn, Estonia on June 3, 2022. The list is maintained on this page.

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

The 10 worst password snafus of 2021

Tech Republic Security

Dashlane's sixth annual list of the year's worst password offenders reveals the biggest password security mishaps for 2021.

Passwords 215

Hackers exploit Log4Shell to drop Khonsari Ransomware on Windows systems

Security Affairs

Bitdefender researchers discovered that threat actors are attempting to exploit the Log4Shell vulnerability (CVE-2021-44228) to deliver the new Khonsari ransomware on Windows machines.

More Trending

5 warning signs your identity has been stolen

We Live Security

By spotting these early warning signs of identity theft, you can minimize the impact on you and your family. The post 5 warning signs your identity has been stolen appeared first on WeLiveSecurity.

Get a year of PlayStation Plus, a lifetime of learning and maximum VPN protection for $64

Tech Republic Security

You can send your career soaring by learning highly paid skills online from over 1,000 courses without worrying about security, and enjoy a bit of extra gaming during your breaks.

VPN 126

Kronos Sends Clients Elsewhere After Ransomware Attack

Security Boulevard

There’s no good time for a ransomware attack, but in the midst of the holiday season when workers depend even more than usual on a steady paycheck, an attack on an HR management company that prevents users from accessing important things like payroll can cause a whole slew of problems. The HR company in question. The post Kronos Sends Clients Elsewhere After Ransomware Attack appeared first on Security Boulevard.

E-commerce: How to build customer trust without sacrificing security

Tech Republic Security

Companies must attempt to divert cybercriminals without inconveniencing or possibly exposing customers and their data. One expert explains how it's possible.

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Apple AirTag Android App is Absolutely Awful—Tracker Detect Fail

Security Boulevard

Apple is proud to announce its anti-stalking app for Android: Tracker Detect lets Android users scan for malicious, hidden AirTag trackers. The post Apple AirTag Android App is Absolutely Awful—Tracker Detect Fail appeared first on Security Boulevard.

New ransomware now being deployed in Log4Shell attacks

Bleeping Computer

The first public case of the Log4j Log4Shell vulnerability used to download and install ransomware has been discovered by researchers.

Preparing for Evolving Phishing Scams

Security Boulevard

Phishing scams continue to top the list of cybercrimes. Unfortunately, it’s likely 2022 will continue this trend as these types of social engineering attacks become more sophisticated. The statistics are alarming. Phishing attacks account for more than 80% of reported security incidents. In fact, 74% of organizations in the U.S. have experienced a successful phishing.

Scams 125

Cybereason, Google Cloud launch XDR solution to streamline threat detection and response

CSO Magazine

Cybersecurity firm Cybereason and Google Cloud have unveiled a new joint solution to enhance the ability of defenders to predict, detect and respond to cyberattacks at scale. Cybereason XDR, powered by Google Chronicle, is designed to work at speed across the entire enterprise – including endpoints, networks, identities, cloud and workspaces. The partnership may be indicative of the modern threat detection and response market.

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

When Not to Trust Zero-Trust

Security Boulevard

Zero-trust is an increasingly popular cybersecurity model. Even the National Security Agency encourages the use of a zero-trust architecture, largely because of its data-centric approach to protecting critical assets across the network. Yet, no matter how good it sounds, it isn’t a perfect solution, as the NSA also points out. “Systems that are designed using.

BrandPost: Improving Software Supply Chain Security with DevSecOps

CSO Magazine

Over the past year, there have been several high-profile incidents in which attackers have attempted to compromise enterprises through the software supply chain. A software supply chain “is anything that goes into or affects your code from development, through your CI/CD pipeline, until it gets deployed into production,” Maya Kaczorowski of Nutanix explains in a GitHub post.

Software 113

Hackers Exploit Log4j Vulnerability to Infect Computers with Khonsari Ransomware

The Hacker News

Romanian cybersecurity technology company Bitdefender on Monday revealed that attempts are being made to target Windows machines with a novel ransomware family called Khonsari as well as a remote access Trojan named Orcus by exploiting the recently disclosed critical Log4j vulnerability. The attack leverages the remote code execution flaw to download an additional payload, a.

Security priorities for 2022: Advancement, not revolution

CSO Magazine

Security leaders are pushing ahead with holistic strategies heading into 2022, with a list of priorities that support enterprise resiliency.

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

IP Theft: Definition and Examples

Digital Guardian

IP theft can have long-term damaging effects on a company. In this blog, we look at nearly 50 different examples of IP theft to help you better understand the threat.

In 2022, Expect More Supply Chain Pain and Changing Security Roles

Threatpost

If 2021 was the Year of Supply Chain Pain, 2022 will be the Year of Supply Chain Chronic Pain (or something worse than pain). This past year, the pain was felt in two significant ways: through the supply chain disruptions caused by COVID-19, and through the many security breaches that we saw in our key […].

InfoSec 107

DHS announces 'Hack DHS' bug bounty program for vetted researchers

Bleeping Computer

The Department of Homeland Security (DHS) has launched a new bug bounty program dubbed "Hack DHS" that allows vetted cybersecurity researchers to find and report security vulnerabilities in external DHS systems.

Hacking 106

Microsoft Issues Windows Update to Patch 0-Day Used to Spread Emotet Malware

The Hacker News

Microsoft has rolled out Patch Tuesday updates to address multiple security vulnerabilities in Windows and other software, including one actively exploited flaw that's being abused to deliver Emotet, TrickBot, or Bazaloader malware payloads.

Malware 105

5 Key Findings From the 2023 FBI Internet Crime Report

The losses companies suffered in 2023 ransomware attacks increased by 74% compared to those of the previous year, according to new data from the Federal Bureau of Investigation (FBI). The true figure is likely to be even higher, though, as many identity theft and phishing attacks go unreported. Ransomware attackers can potentially paralyze not just private sector organizations but also healthcare facilities, schools, and entire police departments.

Owowa: the add-on that turns your OWA into a credential stealer and remote access panel

SecureList

While looking for potentially malicious implants that targeted Microsoft Exchange servers, we identified a suspicious binary that had been submitted to a multiscanner service in late 2020. Analyzing the code, we determined that the previously unknown binary is an IIS module, aimed at stealing credentials and enabling remote command execution from OWA.

Supply Chain Attacks and Cyberinsurance

Security Boulevard

The rise in sophisticated supply chain cyberattacks doesn’t just affect enterprises; there are also impacts on the insurance industry and on enterprises’ cyberinsurance costs. What is a software supply chain attack? Software supply chain attacks are cyberattacks against an organization’s software supply chain infrastructure and process. In such attacks, the attacker gains access to a.

Insurance 104

DHS announces its ‘Hack DHS’ bug bounty program

Security Affairs

The Department of Homeland Security (DHS) has launched a new bug bounty program dubbed ‘Hack DHS’ that allows vetted white hat hackers to discover and report security vulnerabilities in external DHS systems.

Hacking 104

Here We Go Again: Second Log4j Flaw Surfaces

Security Boulevard

Maybe Log4j vulnerabilities are like rats—for every one that’s visible, multiple others scurry beneath the surface. It’s too early to tell if that’s what will happen with Log4j. But just a day or so after a damaging vulnerability was disclosed, another has come to light. This time it’s believed to be moderate in severity. “A. The post Here We Go Again: Second Log4j Flaw Surfaces appeared first on Security Boulevard.

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Hackers steal Microsoft Exchange credentials using IIS module

Bleeping Computer

Threat actors are installing a malicious IIS web server module named 'Owowa' on Microsoft Exchange Outlook Web Access servers to steal credentials and execute commands on the server remotely.

Adobe addresses over 60 vulnerabilities in multiple products

Security Affairs

Adobe warns of threat actors that could exploit critical vulnerabilities in multiple products running on Windows and macOS systems. Adobe has issued critical warnings for more than 60 vulnerabilities in multiple products running on Windows and macOS machines. The vulnerabilities can be exploited by threat actors for code execution, privilege escalation and denial-of-service attacks.

Hacking 102

Securing Multicloud Environments with Cisco Secure Firewall Threat Defense on Alkira Cloud

Cisco Security

In today’s security climate, NetOps and SecOps teams are witnessing increased attack surface area as applications and workloads move far beyond the boundaries of their data center. These applications/workloads move to, and reside in, multicloud architecture, adding complexity to connectivity, visibility, and control. In the multicloud world, the SecOps teams use a distributed security model that is expensive, difficult to deploy, and complex to manage.

Firewall 101

Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released

The Hacker News

The Apache Software Foundation (ASF) has pushed out a new fix for the Log4j logging utility after the previous patch for the recently disclosed Log4Shell exploit was deemed as "incomplete in certain non-default configurations." The second vulnerability — tracked as CVE-2021-45046 — is rated 3.7 out of a maximum of 10 on the CVSS rating system and affects all versions of Log4j from 2.

Software 101

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security,” most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any number of other things – and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.