Tue.Dec 05, 2023

article thumbnail

The Internet Enabled Mass Surveillance. AI Will Enable Mass Spying.

Schneier on Security

Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did.

article thumbnail

Hackers breach US govt agencies using Adobe ColdFusion exploit

Bleeping Computer

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about hackers actively exploiting a critical vulnerability in Adobe ColdFusion identified as CVE-2023-26360 to gain initial access to government servers. [.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

AI and Mass Spying

Schneier on Security

Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did.

article thumbnail

23andMe Finally Admits: 6.9 MILLION Users’ PII Breached

Security Boulevard

Not nice: Hacker claimed 20 million, 23andMe said it was only 14,000—but now admits to 6.9 million. The post 23andMe Finally Admits: 6.9 MILLION Users’ PII Breached appeared first on Security Boulevard.

article thumbnail

Guide to Business Writing

Everything you need to know about better business writing in one place. This is a complete guide to business writing — from a clear business writing definition to tips on how to hone your business writing skills.

article thumbnail

The 23andMe Data Breach Keeps Spiraling

WIRED Threat Level

23andMe has provided more information about the scope and scale of its recent breach, but with these details come more unanswered questions.

article thumbnail

What the Future Holds for Data Security

Security Boulevard

With the proliferation of data in all aspects of life, from personal information to business operations, its protection becomes more critical than ever. The post What the Future Holds for Data Security appeared first on Security Boulevard.

More Trending

article thumbnail

AI and Quantum Computing Threaten Encryption and Data Security

Security Boulevard

The combination of AI and quantum computing in the wrong hands are enough of a security concern to give pause to even the most experienced technologists. The post AI and Quantum Computing Threaten Encryption and Data Security appeared first on Security Boulevard.

article thumbnail

Google fixed critical zero-click RCE in Android

Security Affairs

Google fixed a critical zero-click RCE vulnerability (CVE-2023-40088) with the release of the December 2023 Android security updates. Google December 2023 Android security updates addressed 85 vulnerabilities, including a critical zero-click remote code execution (RCE) flaw tracked as CVE-2023-40088. The vulnerability resides in Android’s System component, it doesn’t require additional privileges to be triggered.

Hacking 118
article thumbnail

Beware of predatory fin(tech): Loan sharks use Android apps to reach new depths

We Live Security

ESET researchers describe the growth of deceptive loan apps for Android and techniques they use to circumvent Google Play

article thumbnail

Kali Linux 2023.4 released with GNOME 45 and 15 new tools

Bleeping Computer

Kali Linux 2023.4, the fourth and final version of 2023, is now available for download, with fifteen new tools and the GNOME 45 desktop environment. [.

129
129
article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

ENISA published ENISA Threat Landscape for DoS Attacks

Security Affairs

ENISA published the ENISA Threat Landscape for DoS Attacks report to bring new insights to the DoS threat landscape. Denial-of-Service (DoS) attacks pose a persistent and significant security risk for organizations. Over the past few years, threat actors have increasingly had access to cost-effective and efficient means and services to carry out such kinds of attacks.

article thumbnail

Roblox and Twitch provider Tipalti breached by ransomware

Malwarebytes

Accounting software provider Tipalti says it is investigating a claim by ransomware group ALPHV that they have gained access to Tipalti’s systems. Tipalti makes software for accounting and payment automation and has some big names among its customers. In what seems to be a typical supply chain attack, ALPHV aka BlackCat are now threatening some Tipalti customers, including Roblox and Twitch: “We are systematically reaching out to affected clients of Tipalti, the first batch (consisting of

article thumbnail

Microsoft confirms Windows bug renames printers to HP LaserJet M101-M106

Bleeping Computer

Microsoft has confirmed an issue causing the HP Smart app to automatically install on Windows systems after all printers are renamed to HP LaserJet M101-M106. [.

119
119
article thumbnail

Threat actors breached US govt systems by exploiting Adobe ColdFusion flaw

Security Affairs

The U.S. CISA warns that threat actors are actively exploiting a critical vulnerability in Adobe ColdFusion to breach government agencies. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about threat actors actively exploiting a critical vulnerability ( CVE-2023-26360 ) in Adobe ColdFusion to breach government agencies. The flaw is an Improper Access Control that can allow a remote attacker to execute arbitrary code.

article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

"Sierra:21" vulnerabilities impact critical infrastructure routers

Bleeping Computer

A set of 21 newly discovered vulnerabilities impact Sierra OT/IoT routers and threaten critical infrastructure with remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service attacks. [.

IoT 113
article thumbnail

A New Trick Uses AI to Jailbreak AI Models—Including GPT-4

WIRED Threat Level

Adversarial algorithms can systematically probe large language models like OpenAI’s GPT-4 for weaknesses that can make them misbehave.

article thumbnail

HTC Global Services confirms cyberattack after data leaked online

Bleeping Computer

IT services and business consulting company HTC Global Services has confirmed that they suffered a cyberattack after the ALPHV ransomware gang began leaking screenshots of stolen data. [.

article thumbnail

Russia-linked APT28 group spotted exploiting Outlook flaw to hijack MS Exchange accounts

Security Affairs

Microsoft warns that the Russia-linked APT28 group is actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts. Microsoft’s Threat Intelligence is warning of Russia-linked cyber-espionage group APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information.

article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

article thumbnail

Microsoft to let Windows 10 home users buy Extended Security Updates

Bleeping Computer

Microsoft says that all Windows 10 customers (including home users) will be able to pay for three extra years of security updates through the company's Extended Security Updates (ESU) program after the end of support (EOS) date. [.

109
109
article thumbnail

Appknox Stands Out in Gartner's 2023 'Voice of the Customer' for Application Security Testing

Appknox

Appknox continues to solidify its position as a top-tier vendor in application security testing, receiving prestigious recognition from Gartner as one of the leading vendors for Voice of the Customer. This recognition underscores Appknox's unwavering commitment to customer satisfaction, its consistent delivery of robust, developer-centric security solutions, and also its continued relevance in the ever-evolving landscape of application security.

Software 105
article thumbnail

Multiple NFT collections at risk by flaw in open-source library

Bleeping Computer

A vulnerability in an open-source library that is common across the Web3 space impacts the security of pre-built smart contracts, affecting multiple NFT collections, including Coinbase. [.

Risk 108
article thumbnail

60 U.S. Credit Unions Hit by Supply Chain Cyber Attack

SecureWorld News

Just three months after t he National Credit Union Administration (NCUA) put into place a final rule requiring federally chartered and federally insured credit unions to notify NCUA of a "reportable cyber incident," about 60 credit unions in the United States experienced outages because of a ransomware attack on an IT provider the institutions use, according to a U.S. federal agency.

article thumbnail

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

article thumbnail

Microsoft to also sell Windows 10 Extended Security Updates to home users

Bleeping Computer

Microsoft says that customers still using Windows 10 after the end of support date will be able to buy three extra years of security updates through the company's Extended Security Updates (ESU) program. [.

106
106
article thumbnail

Warning for iPhone Users: Experts Warn of Sneaky Fake Lockdown Mode Attack

The Hacker News

A new "post-exploitation tampering technique" can be abused by malicious actors to visually deceive a target into believing that their Apple iPhone is running in Lockdown Mode when it's actually not and carry out covert attacks.

103
103
article thumbnail

Holiday Hackers: How to Safeguard Your Service Desk

Bleeping Computer

Consumer traffic rises sharply during the holidays, as do the scope and severity of cyberattacks. Learn more from Specops Software on how to protect your service or help desk from social engineering attacks during the holiday season. [.

article thumbnail

15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack

The Hacker News

New research has found that over 15,000 Go module repositories on GitHub are vulnerable to an attack called repojacking. "More than 9,000 repositories are vulnerable to repojacking due to GitHub username changes," Jacob Baines, chief technology officer at VulnCheck, said in a report shared with The Hacker News.

article thumbnail

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

article thumbnail

CVE-2023-22523: Critical RCE Vulnerability in Assets Discovery

Penetration Testing

A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2023-22523 (CVSS score of 9.8), has been discovered in Assets Discovery. This vulnerability allows an attacker to execute arbitrary code on an affected machine with... The post CVE-2023-22523: Critical RCE Vulnerability in Assets Discovery appeared first on Penetration Testing.

article thumbnail

Russian hacker pleads guilty to Trickbot malware conspiracy

Graham Cluley

A 40-year-old Russian man faces a lengthy prison sentence in the United States after pleading guilty to his involvement in the distribution and development of the notorious Trickbot malware. Read more in my article on the Hot for Security blog.

Malware 93
article thumbnail

KnowsMore: swiss army knife tool for pentesting Microsoft Active Directory

Penetration Testing

KnowsMore KnowsMore is a Swiss army knife tool for pentesting Microsoft Active Directory (NTLM Hashes, BloodHound, NTDS, and DCSync). Main features Import NTLM Hashes from.ntds output txt file (generated by CrackMapExec or secretsdump.py)... The post KnowsMore: swiss army knife tool for pentesting Microsoft Active Directory appeared first on Penetration Testing.

article thumbnail

How to build a cyber incident response team (a 2024 playbook)

Heimadal Security

This post is authored by Heimdal’s Valentin Rusu – Machine Learning Research Engineer and overall cybersecurity guru here at Heimdal. As an incident response manager himself, Valentin regularly coordinates security responses for companies of all shapes and sizes – including many of the examples discussed in this post. He explains everything you need to know […] The post How to build a cyber incident response team (a 2024 playbook) appeared first on Heimdal Security Blog.

article thumbnail

ERM Program Fundamentals for Success in the Banking Industry

Speaker: William Hord, Senior VP of Risk & Professional Services

Enterprise Risk Management (ERM) is critical for industry growth in today’s fast-paced and ever-changing risk landscape. When building your ERM program foundation, you need to answer questions like: Do we have robust board and management support? Do we understand and articulate our bank’s risk appetite and how that impacts our business units? How are we measuring and rating our risk impact, likelihood, and controls to mitigate our risk?