Schneier on Security

NOVEMBER 3, 2023

Another example of a large and influential state doing things the federal government won’t: Boards of directors, or other senior committees, are charged with overseeing cybersecurity risk management, and must retain an appropriate level of expertise to understand cyber issues, the rules say. Directors must sign off on cybersecurity programs, and ensure that any security program has “sufficient resources” to function.

Cybersecurity 254

Cybersecurity Government Risk Banking 254

Tech Republic Security

NOVEMBER 3, 2023

In the active Elektra-Leak campaign, attackers hunt for Amazon IAM credentials within public GitHub repositories before using them for cryptomining. Get tips on mitigating this cybersecurity threat.

Cybersecurity 142

Cybersecurity Software 142

Bleeping Computer

NOVEMBER 3, 2023

Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations. [.

134

134

Tech Republic Security

NOVEMBER 3, 2023

A VPN (virtual private network) encrypts your internet traffic and protects your online privacy. Find out how it works and why you should use it.

VPN 151

VPN Encryption Internet Internet 151

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

The Hacker News

NOVEMBER 3, 2023

Cybersecurity researchers have unearthed a number of WhatsApp mods for Android that come fitted with a spyware module dubbed CanesSpy. These modified versions of the instant messaging app have been observed propagated via sketchy websites advertising such software as well as Telegram channels used primarily by Arabic and Azerbaijani speakers, one of which boasts 2 million users.

Spyware 132

Spyware Advertising Software Cybersecurity 132

Security Affairs

NOVEMBER 3, 2023

The FSB arrested two Russian hackers who are accused of having helped Ukrainian entities carry out cyberattacks on critical infrastructure targets. The Russian intelligence agency Federal Security Service (FSB) arrested two individuals who are suspected of supporting Ukrainian entities to carry out cyberattacks to disrupt Russian critical infrastructure.

Media 129

Media Hacking Information Security 129

Security Affairs

NOVEMBER 3, 2023

Threat actors who breached the Okta customer support system also gained access to files belonging to 134 customers. Threat actors who breached the Okta customer support system in October gained access to files belonging to 134 customers, the company revealed. Some of the files accessed by the attackers are HAR files that contained session tokens. According to the company, the threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers.

Data breaches 123

Data breaches Social Engineering Accountability Authentication 123

Dark Reading

NOVEMBER 3, 2023

Cyberattackers downed a quarter of the hardware giant's entire IT apparatus. Now, before the company can recover, they're going after individual branches.

127

127

Security Affairs

NOVEMBER 3, 2023

Researchers disclosed four zero-day flaws in Microsoft Exchange that can be remotely exploited to execute arbitrary code or disclose sensitive information on vulnerable installs. Trend Micro’s Zero Day Initiative (ZDI) disclosed four zero-day vulnerabilities in Microsoft Exchange that can be remotely exploited by an authenticated attacker to execute arbitrary code or disclose sensitive information on vulnerable installs.

Authentication 123

Authentication Hacking Information Security 123

Security Boulevard

NOVEMBER 3, 2023

Insight #1 A recent study has 2/3 of cybersecurity professionals saying they have a shortage of cybersecurity staff. The most troubling part of this isn’t that they can’t find people to hire; it's that they aren’t actually hiring, leaving holes in their ability to protect their organization. The post Cybersecurity Insights with Contrast CISO David Lindner | 11/3 appeared first on Security Boulevard.

CISO 113

CISO Cybersecurity Software 113

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Security Affairs

NOVEMBER 3, 2023

Kaspersky researchers are warning of multiple WhatsApp mods that embed a spyware module dubbed CanesSpy. Kaspersky researchers discovered multiple WhatsApp mods that embed a spyware module dubbed CanesSpy. mods are modifications or alterations made to an application, often by third-party developers or users. These modifications can serve various purposes, such as adding new features, customizing the app’s behavior, or enhancing its performance.

Spyware 110

Spyware Malware Mobile Advertising 110

Bleeping Computer

NOVEMBER 3, 2023

Google Play, Android's official app store, is now tagging VPN apps with an 'independent security reviews' badge if they conducted an independent security audit of their software and platform. [.

VPN 113

VPN Software Mobile 113

The Hacker News

NOVEMBER 3, 2023

Google is rolling out a new banner to highlight the "Independent security review" badge in the Play Store's Data safety section for Android VPN apps that have undergone a Mobile Application Security Assessment (MASA) audit.

VPN 111

VPN Mobile 111

Bleeping Computer

NOVEMBER 3, 2023

A former Dutch cybersecurity professional was sentenced to four years in prison after being found guilty of hacking and blackmailing more than a dozen companies in the Netherlands and worldwide. [.

Hacking 110

Hacking Cybersecurity 110

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

The Hacker News

NOVEMBER 3, 2023

Compromised Facebook business accounts are being used to run bogus ads that employ "revealing photos of young women" as lures to trick victims into downloading an updated version of a malware called NodeStealer. "Clicking on ads immediately downloads an archive containing a malicious.exe 'Photo Album' file which also drops a second executable written in.

Accountability 108

Accountability Malware 108

Penetration Testing

NOVEMBER 3, 2023

7-Zip is one of the most popular file archivers in the world and for good reason. It’s free, open-source, and supports a wide range of archive formats. However, a recent vulnerability discovered in 7-Zip... The post CVE-2023-31102: 7-Zip Remote Code Execution Vulnerability appeared first on Penetration Testing.

Penetration Testing 111

Penetration Testing 111

Malwarebytes

NOVEMBER 3, 2023

On the 27 October, the Apache Software Foundation (ASF) announced a very serious vulnerability in Apache ActiveMQ that can be used to achieve remote code execution (RCE). The Cybersecurity and Infrastructure Security Agency has now added this vulnerability to its Known Exploited Vulnerabilities Catalog , based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by November 11, 2023 in order to protect their de

Ransomware 104

Ransomware Backups Encryption Internet 104

Mitnick Security

NOVEMBER 3, 2023

Arguably the most influential hacker, Kevin Mitnick, leaves behind a tremendous legacy and industry-changing knowledge in the hacking community as well as Mitnick Security and our team of security consultants.

Hacking 102

Hacking 102

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Bleeping Computer

NOVEMBER 3, 2023

Allied Pilots Association (APA), a labor union representing 15,000 American Airlines pilots, disclosed a ransomware attack that hit its systems on Monday. [.

Ransomware 108

Ransomware 108

Lenny Zeltser

NOVEMBER 3, 2023

The notion that security is everyone’s responsibility in computer systems dates back to at least the early 1980s when it was included in a US Navy training manual and hearings in the US House of Representatives. Behind the pithy slogan is the idea that every person in the organization contributes to its security program. Even if the company has employees with “security” in their title, they cannot safeguard information assets on their own.

Cybersecurity 100

Cybersecurity Accountability Engineering Authentication 100

The Hacker News

NOVEMBER 3, 2023

Identity and authentication management provider Okta on Friday disclosed that the recent support case management system breach affected 134 of its 18,400 customers. It further noted that the unauthorized intruder gained access to its systems from September 28 to October 17, 2023, and ultimately accessed HAR files containing session tokens that could be used for session hijacking attacks.

Data breaches 100

Data breaches Authentication 100

Dark Reading

NOVEMBER 3, 2023

In-the-wild exploit activity from dozens of cyberattacker networks is ramping up for the security vulnerability in Confluence, tracked as CVE-2023-22518.

104

104

Advertisement

The losses companies suffered in 2023 ransomware attacks increased by 74% compared to those of the previous year, according to new data from the Federal Bureau of Investigation (FBI). The true figure is likely to be even higher, though, as many identity theft and phishing attacks go unreported. Ransomware attackers can potentially paralyze not just private sector organizations but also healthcare facilities, schools, and entire police departments.

Identity Theft

The Hacker News

NOVEMBER 3, 2023

Here is what matters most when it comes to artificial intelligence (AI) in cybersecurity: Outcomes. As the threat landscape evolves and generative AI is added to the toolsets available to defenders and attackers alike, evaluating the relative effectiveness of various AI-based security offerings is increasingly important — and difficult.

Artificial Intelligence 96

Artificial Intelligence Cybersecurity 96

Bleeping Computer

NOVEMBER 3, 2023

Over the past couple of months, ransomware attacks have been escalating as new operations launch, old ones return, and existing operations continue to target the enterprise. [.

Ransomware 94

Ransomware 94

Dark Reading

NOVEMBER 3, 2023

Trained teams can implement and test security measures and protocols to prevent and mitigate cyber breaches.

122

122

Heimadal Security

NOVEMBER 3, 2023

Any device that runs code is vulnerable to hacking and so are MacOS machines. They need patching just as any other endpoint. Most Apple users would swear that Macs are immune to viruses and other malware. The truth is they`re not. A Mac is a computer, not a cybersecurity software. Hackers successfully target Macs with […] The post The Threat Is Real.

Malware 89

Malware Software Hacking Cybersecurity 89

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Dark Reading

NOVEMBER 3, 2023

Posing as fellow engineers, the North Korean state-sponsored cybercrime group Lazarus tricked crypto-exchange developers into downloading the hard-to-detect malware.

Engineering 95

Engineering Malware Cybercrime 95

Heimadal Security

NOVEMBER 3, 2023

ISO 27001, sometimes referred to as ISO/IEC 27001 is an international standard that addresses organizational information security. Issued in 2005 and with a second revision in 2013, the ISO 27001 standard describes the Information Security Management Systems requirements for global controls and safeguards meant to preserve data privacy, protect sensitive information, optimize the organizational cybersecurity […] The post Silent Safeguards – The Essence of ISO 27001 Controls appeared

Data privacy 89

Data privacy Information Security Cybersecurity 89

Dark Reading

NOVEMBER 3, 2023

1Password, BeyondTrust, and Cloudflare were among five customers directly targeted with stolen Okta session tokens, the company's CSO says.

CSO 102

CSO 102

Penetration Testing

NOVEMBER 3, 2023

QNAP NAS devices are popular among businesses and consumers alike for their ease of use and reliability. The company released security updates to address two critical vulnerabilities in its network-attached storage (NAS) devices that... The post Critical QNAP NAS Vulnerabilities Allow Remote Code Execution appeared first on Penetration Testing.

Penetration Testing 95

Penetration Testing 95

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.