Fri. Oct 28, 2022

Critical Vulnerability in Open SSL

Schneier on Security

There are no details yet, but it’s really important that you patch OpenSSL 3.x when the new version comes out on Tuesday. How bad is “Critical”? According to OpenSSL, an issue of critical severity affects common configurations and is also likely exploitable. It’s likely to be abused to disclose server memory contents, and potentially reveal user details, and could be easily exploited remotely to compromise server private keys or execute code remotely.

Cranefly uses new communication technique in attack campaigns

Tech Republic Security

A threat actor dubbed "Cranefly" uses a new technique for its communications on infected targets. The post Cranefly uses new communication technique in attack campaigns appeared first on TechRepublic.

Malware 158

Urgent: Patch OpenSSL on November 1 to avoid “Critical” Security Vulnerability

GlobalSign

A critical vulnerability has been discovered in current versions of OpenSSL and will need to be patched immediately. The OpenSSL Project will release version 3.0.7 on Tuesday, November 1st, 2022. This is a critical update that needs to be made immediately.

What is data migration?

Tech Republic Security

In business and technology, migrating data means moving it from one system or platform to another. Learn the processes and challenges of data migration. The post What is data migration? appeared first on TechRepublic.

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

OpenSSL ‘CRITICAL’ Bug — Sky Falling — Patch Hits 11/1

Security Boulevard

OpenSSL has a new ‘critical’ bug. But it’s a secret until next month. The post OpenSSL ‘CRITICAL’ Bug — Sky Falling — Patch Hits 11/1 appeared first on Security Boulevard.

Adoption of Secure Cloud Services in Critical Infrastructure

CyberSecurity Insiders

Adoption of cloud services, whether consumed as 3rd-party services provided by various vendors or in the form of in-house developed software and/or services leveraging Platform-as-a-Service (PaaS) from major Cloud Service Providers (CSPs), has been steadily on the rise in critical infrastructure (CI) related industries [i]. This represents a significant shift for such industries, which have traditionally relied on isolation via air-gapped networks.

IoT 134

More Trending

LinkedIn added new security features to weed out fraud and fake profiles

CyberSecurity Insiders

LinkedIn is a professional social media platform where learnt people interact to take their businesses to the next level. But there are N number of instances where the platform has/is serving as a medium for criminals to create fake profiles to lure C-level employees with malicious intentions, sell fake counterfeit products, and act as a medium to conduct monetary scams.

Scams 131

What Cybersecurity Professionals Can Learn from First Responders

Security Boulevard

We’re almost at the end of Cybersecurity Awareness Month. For me, working in the cybersecurity space truly is a rewarding experience. It has been more than just a job or even a career. Working with solutions that protect companies from cyberattacks makes me proud. In some ways, it is a calling similar to the calling …. The post What Cybersecurity Professionals Can Learn from First Responders appeared first on Security Boulevard.

Cybercriminals Use Fake Public PoCs to Spread Malware and Steal Data

eSecurity Planet

GitHub proofs of concept (PoCs) for known vulnerabilities could themselves contain malware as often as 10% of the time, security researchers have found. Researchers at the Leiden Institute of Advanced Computer Science have alerted security professionals about risks associated with GitHub and other platforms like pastebin that host public PoCs of exploits for known vulnerabilities.

Malware 129

Phishing attacks increase by over 31% in third quarter: Report

CSO Magazine

Email security and threat detection company Vade has found that phishing emails in the third quarter this year increased by more than 31% quarter on quarter, with the number of emails containing malware in the first three quarters surpassing the 2021 level by 55.8 million. Malware emails in the third quarter of 2022 alone increased by 217% compared to the same period in 2021.

Phishing 128

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

7 Essential Burp Extensions for Hacking APIs

Security Boulevard

Check out the coolest extensions to help out when hacking APIs in Burp. The post 7 Essential Burp Extensions for Hacking APIs appeared first on Dana Epp's Blog. The post 7 Essential Burp Extensions for Hacking APIs appeared first on Security Boulevard.

Hacking 123

Heartbleed 2.0? OpenSSL Warns of Second-Ever Critical Security Flaw

eSecurity Planet

The OpenSSL project this week announced plans to release version 3.0.7 on November 1 to patch a critical security flaw affecting versions 3.0 and later. Co-founder Mark J. Cox noted it’s only the second critical patch “since we started rating flaws back in 2014.” OpenSSL identifies critical issues as those affecting common configurations and likely to be exploitable, with examples including “significant disclosure of the contents of server memory (potentially revealing us

Cybersecurity Insights with Contrast CISO David Lindner | 10/28

Security Boulevard

Insight #1. "CVSS score does not directly relate to the risk to your organization. Please for everyone’s sake, including your developers, produce a better algorithm for managing risk in your organization. Look at things like exploitability (EPSS), exploit path, vulnerable class usage, etc." Insight #2. "The security industry is known to overreact to new CVEs, especially when they are rated critical.

CISO 120

Multiple vulnerabilities affect the Juniper Junos OS

Security Affairs

Juniper Networks devices are affected by multiple high-severity issues, including code execution vulnerabilities. Multiple high-severity security vulnerabilities have been discovered in Juniper Networks devices. “Multiple vulnerabilities have been found in the J-Web component of Juniper Networks Junos OS. One or more of these issues could lead to unauthorized local file access, cross-site scripting attacks, path injection and traversal, or local file inclusion.” reads the advisory pu

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Microsoft OneDrive crashes because of recent Windows 10 updates

Bleeping Computer

Microsoft is investigating a known issue causing OneDrive and OneDrive for Business crashes on Windows 10 systems where customers have installed updates released earlier this month. [...]

Will new CISA guidelines help bolster cyber defenses?

CyberSecurity Insiders

Roel Decneut, Chief Strategy Officer at Lansweeper. Do you know what IT devices are in your business or on your network right now? If not, it’s not just cybercriminals that might be knocking on your door very soon, but the White House. Binding Operational Directive 23-01, or BOD 23-01, is a new directive from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that orders federal agencies in the country to keep track of their IT asse

Exploit released for critical VMware RCE vulnerability, patch now

Bleeping Computer

Proof-of-concept exploit code is now available for a pre-authentication remote code execution (RCE) vulnerability allowing attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation and NSX Manager appliances. [...]

Apple backports fixes for CVE-2022-42827 zero-day to older iPhones, iPads

Security Affairs

Apple released updates to backport the recently released security patches for CVE-2022-42827 zero-day to older iPhones and iPads. Apple has released new security updates to backport security patches released this week to address actively exploited CVE-2022-42827 in older iPhones and iPads, addressing an actively exploited zero-day bug. Early this week, Apple addressed the ninth zero-day vulnerability exploited in attacks in the wild since the start of the year.

Hacking 114

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Ransomware Remediation Contract Dispute Leads to Arrest, Suit in Georgia

Security Boulevard

Fitzgerald, Georgia is a small town in south-central Georgia primarily known for the fact that, in May of 1865, former Confederate president Jefferson Davis was captured by Union soldiers. Its main streets are named Lee and Johnston for Confederate generals, and Grant and Sherman for their Union counterparts. But there may be another war there—one. The post Ransomware Remediation Contract Dispute Leads to Arrest, Suit in Georgia appeared first on Security Boulevard.

BrandPost: An Intelligent Way to Monitor and Manage Your Cyber Risks

CSO Magazine

Cyber risks, especially those emanating from third and fourth parties, are escalating. Successful breaches via the supply chain increased from 44% in 2020 to 61% in 2021, according to Accenture. Yet gaining a clear picture of these risks is much more complex given interwoven ecosystem dependencies, data sitting in silos, and many organizations’ lack of a security mindset.

3 primo cloud computing jobs in 2023

InfoWorld on Security

The question I get asked most often besides, “What is cloud computing?” is “What career path should I take in cloud computing?” I get it. Like almost everyone in the world, you know that the cloud job market is on fire right now. You want to strike while the iron is hot. The explosion of pandemic-driven cloud computing deployments and businesses that moved too fast to the cloud created a perfect storm.

Google fixes a new actively exploited Chrome zero-day, it is the seventh one this year

Security Affairs

Google Thursday released an emergency patch for Chrome 107 to address the actively exploited zero-day vulnerability CVE-2022-3723. Google released an emergency update for Chrome 107 to address an actively exploited zero-day vulnerability tracked as CVE-2022-3723. The CVE-2022-3723 flaw is a type confusion issue that resides in the Chrome V8 JavaScript engine.

5 Key Findings From the 2023 FBI Internet Crime Report

The losses companies suffered in 2023 ransomware attacks increased by 74% compared to those of the previous year, according to new data from the Federal Bureau of Investigation (FBI). The true figure is likely to be even higher, though, as many identity theft and phishing attacks go unreported. Ransomware attackers can potentially paralyze not just private sector organizations but also healthcare facilities, schools, and entire police departments.

Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

The Hacker News

Google on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser. The vulnerability, tracked as CVE-2022-3723, has been described as a type confusion flaw in the V8 JavaScript engine. Security researchers Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast have been credited with reporting the flaw on October 25, 2022.

Raspberry Robin Linked to Clop Ransomware Attacks

Heimdal Security

A threat group tracked as DEV-0950 was revealed to have used Clop ransomware to encrypt the network of victims previously infected with the Raspberry Robin worm. In their most recent report, Microsoft Security Threat Intelligence analysts claim that Raspberry Robin worm has become part of a larger ecosystem opening doors for ransomware activity. The Windows malware with […].

Hackers use Microsoft IIS web server logs to control malware

Bleeping Computer

The Cranefly hacking group, aka UNC3524, uses a previously unseen technique of controlling malware on infected devices via Microsoft Internet Information Services (IIS) web server logs. [...]

Malware 104

New York Post Website and Twitter Account Hacked

Heimdal Security

The American news outlet New York Post confirmed today that it was hacked after threat actors used their website and Twitter account to publish offensive headlines and tweets directed at U.S. politicians. What Happened? New York Post took to Twitter to make the announcement about the hack after it deleted all the offensive tweets targeted […].

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Hacking Google: Lessons From the Security Team, Part One

Security Boulevard

Cybersecurity is a battle that all organizations must fight, and there is really no point in doing it alone. Sharing information – the latest attack vectors, shifts in tactics, new-found defenses – helps everyone. Increasing interconnectedness and the expanding software supply chain means an attack stopped in one location will prevent an attack spreading to.

Hacking 102

Microsoft: Windows domain joins may fail after October updates

Bleeping Computer

Microsoft says that Windows domain join processes may fail with "0xaac (2732)" errors after applying this month's security updates. [...]

Courts vs. cybercrime – Week in security with Tony Anscombe

We Live Security

A look at a recent string of law enforcement actions directed against (in some cases suspected) perpetrators of various types of cybercrime. The post Courts vs. cybercrime – Week in security with Tony Anscombe appeared first on WeLiveSecurity.

Microsoft shares workaround for ongoing Outlook login issues

Bleeping Computer

Microsoft is working on a fix for ongoing sign-in issues affecting some Outlook for Microsoft 365 customers and preventing them from accessing their accounts. [...]

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security,” most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any number of other things – and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.