Schneier on Security

APRIL 3, 2024

The lawsuit has been settled : Google has agreed to delete “billions of data records” the company collected while users browsed the web using Incognito mode, according to documents filed in federal court in San Francisco on Monday. The agreement, part of a settlement in a class action lawsuit filed in 2020, caps off years of disclosures about Google’s practices that shed light on how much data the tech giant siphons from its users­—even when they’re in private-browsing mode.

Data collection 255

Data collection 255

Krebs on Security

APRIL 3, 2024

Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called “ The Manipulaters ,” a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate.

Phishing 214

Phishing Cybercrime Malware Advertising 214

Thales Cloud Protection & Licensing

APRIL 3, 2024

Luna HSMs FIPS 140-3 Validation sparsh Wed, 04/03/2024 - 07:52 FIPS 140-3 and You, Part Two Awhile back, we shared that Thales Luna HSMs were about to kick-off the process of moving towards Federal Information Processing Standard (FIPS) 140-3 Level 3, the newest security standard to accredit cryptographic modules. Security standards, like technology, are always evolving, making compliance challenging for customers and vendors alike.

Firmware 133

Firmware Technology Backups Marketing 133

WIRED Threat Level

APRIL 3, 2024

The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code.

Hacking 142

Hacking 142

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Bleeping Computer

APRIL 3, 2024

The U.S. Department of Homeland Security's Cyber Safety Review Board (CSRB) has released a scathing report on how Microsoft handled its 2023 Exchange Online attack, warning that the company needs to do better at securing data and be more truthful about how threat actors stole an Azure signing key. [.

129

129

Penetration Testing

APRIL 3, 2024

secator secator is a task and workflow runner used for security assessments. It supports dozens of well-known security tools and it is designed to improve productivity for pentesters and security researchers. Feature A curated... The post secator: The pentester’s swiss knife appeared first on Penetration Testing.

Penetration Testing 144

Penetration Testing 144

Bleeping Computer

APRIL 3, 2024

Data breach alerting service Have I Been Pwned (HIBP) warns that SurveyLama suffered a data breach in February 2024, which exposed the sensitive data of 4.4 million users. [.

Data breaches 120

Data breaches 120

Malwarebytes

APRIL 3, 2024

In April’s update for the Android operating system (OS) , Google has patched 28 vulnerabilities, one of which is rated critical for Android devices equipped with Qualcomm chips. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

Firmware 118

Firmware Software Mobile Risk 118

Bleeping Computer

APRIL 3, 2024

Google has fixed another zero-day vulnerability in the Chrome browser, which was exploited by security researchers during the Pwn2Own hacking contest last month. [.

Hacking 119

Hacking 119

Security Affairs

APRIL 3, 2024

Google addressed several vulnerabilities in Android and Pixel devices, including two actively exploited flaws. Google addressed 28 vulnerabilities in Android and 25 flaws in Pixel devices. Two issues fixed by the IT giant, tracked as CVE-2024-29745 and CVE-2024-29748, are actively exploited in the wild. The most critical flaw addressed by the company impacts the System component, it is a local privilege escalation that doesn’t require any additional execution privileges. “The most se

Spyware 114

Spyware Firmware Hacking Information Security 114

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Malwarebytes

APRIL 3, 2024

Google has announced the introduction of Device Bound Session Credentials (DBSC) to secure Chrome users against cookie theft. In January we reported how hackers found a way to gain unauthorized access to Google accounts, bypassing multi-factor authentication (MFA) , by stealing authentication cookies with info-stealer malware. An authentication cookie is added to a web browser after a user proves who they are by logging in.

Authentication 114

Authentication Passwords Malware Accountability 114

Bleeping Computer

APRIL 3, 2024

IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways. [.

VPN 120

VPN Software 120

Penetration Testing

APRIL 3, 2024

Google has revealed in their April 2024 Pixel Update Bulletin that several serious security flaws could be putting your Pixel device at risk. Two of these vulnerabilities, labeled CVE-2024-29745 and CVE-2024-29748, are already being... The post CVE-2024-29745 & CVE-2024-29748: Critical Google Pixel Flaws Exploited – Update Immediately appeared first on Penetration Testing.

Penetration Testing 136

Penetration Testing Risk 136

Bleeping Computer

APRIL 3, 2024

A premium WordPress plugin named LayerSlider, used in over one million sites, is vulnerable to unauthenticated SQL injection, requiring admins to prioritize applying security updates for the plugin. [.

108

108

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

The Hacker News

APRIL 3, 2024

Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies.

Firmware 123

Firmware 123

Bleeping Computer

APRIL 3, 2024

Chilean data center and hosting provider IxMetro Powerhost has suffered a cyberattack at the hands of a new ransomware gang known as SEXi, which encrypted the company's VMware ESXi servers and backups. [.

Ransomware 106

Ransomware Backups Encryption 106

Security Affairs

APRIL 3, 2024

Jackson County, Missouri, confirmed that a ransomware attack has disrupted several county services. A ransomware attack disrupted several services of the Jackson County, Missouri. The County Executive Frank White, Jr. declared a state of emergency. “Jackson County has confirmed a ransomware attack was responsible for the disruption of several county services today.” reads the statement released by the County. “The rapid response by county associates, especially those within the

Ransomware 105

Ransomware Hacking Technology Cybersecurity 105

The Hacker News

APRIL 3, 2024

Google on Tuesday said it's piloting a new feature in Chrome called Device Bound Session Credentials (DBSC) to help protect users against session cookie theft by malware. The prototype – currently tested against "some" Google Account users running Chrome Beta – is built with an aim to make it an open web standard, the tech giant's Chromium team said.

Authentication 103

Authentication Accountability Malware 103

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Security Affairs

APRIL 3, 2024

Resecurity researchers warn that a new Version of JsOutProx is targeting financial institutions in APAC and MENA via Gitlab abuse. Resecurity has detected a new version of JSOutProx , which is targeting financial services and organizations in the APAC and MENA regions. JSOutProx is a sophisticated attack framework utilizing both JavaScript and.NET. It employs the.NET (de)serialization feature to interact with a core JavaScript module running on the victim’s machine.

Banking 104

Banking Financial Services Malware Phishing 104

Tech Republic Security

APRIL 3, 2024

AdLock Ad Blocker is a top-rated ad blocking utility and this week only, you can get a lifetime subscription for just $15 with promo code SECURE20.

Internet 109

Internet Internet Network Security 109

The Hacker News

APRIL 3, 2024

The banking trojan known as Mispadu has expanded its focus beyond Latin America (LATAM) and Spanish-speaking individuals to target users in Italy, Poland, and Sweden. Targets of the ongoing campaign include entities spanning finance, services, motor vehicle manufacturing, law firms, and commercial facilities, according to Morphisec.

Manufacturing 102

Manufacturing Banking 102

Tech Republic Security

APRIL 3, 2024

Help your business by becoming your own IT expert. This week only, you can get The 2023 Ultimate IT Career Kickstarter Bundle for just $47.99 with promo code SECURE20.

100

100

Advertisement

The losses companies suffered in 2023 ransomware attacks increased by 74% compared to those of the previous year, according to new data from the Federal Bureau of Investigation (FBI). The true figure is likely to be even higher, though, as many identity theft and phishing attacks go unreported. Ransomware attackers can potentially paralyze not just private sector organizations but also healthcare facilities, schools, and entire police departments.

Identity Theft

Penetration Testing

APRIL 3, 2024

The Node.js project has released a critical security update addressing vulnerabilities in active release lines (v18.x, v20.x, and v21.x) of the popular JavaScript runtime environment. One of the flaws could allow attackers to crash... The post Node.js Security Update Addresses Server Crash, Request Smuggling Vulnerabilities appeared first on Penetration Testing.

Penetration Testing 116

Penetration Testing 116

Bleeping Computer

APRIL 3, 2024

The U.S. Department of State is investigating claims of a cyber incident after a threat actor leaked documents allegedly stolen from a government contractor. [.

Government 106

Government 106

Tech Republic Security

APRIL 3, 2024

In today’s world, if you’re not constantly working to secure your servers, you’re already 10 steps behind every hacker on the planet. And if you happen to be a Linux systems administrator, you might think it doesn’t apply to you. It does. Even though the Linux open source platform is considerably more secure than many.

System Administration 86

System Administration Software 86

Bleeping Computer

APRIL 3, 2024

Jackson County, Missouri, is in a state of emergency after a ransomware attack took down some county services on Tuesday. [.

Ransomware 114

Ransomware 114

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

The Hacker News

APRIL 3, 2024

Ivanti has released security updates to address four security flaws impacting Connect Secure and Policy Secure Gateways that could result in code execution and denial-of-service (DoS). The list of flaws is as follows - CVE-2024-21894 (CVSS score: 8.2) - A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.

93

93

InfoWorld on Security

APRIL 3, 2024

Over the past decade, Rust has emerged as a language of choice for people who want to write fast, machine-native software that also has strong guarantees for memory safety. Other languages, like C, may run fast and close to the metal, but they lack the language features to ensure program memory is allocated and disposed of properly. As noted recently by the White House Office of the National Cyber Director, these shortcomings enable software insecurities and exploits with costly real-world conse

Software 88

Software 88

The Hacker News

APRIL 3, 2024

Attack surface management (ASM) and vulnerability management (VM) are often confused, and while they overlap, they’re not the same. The main difference between attack surface management and vulnerability management is in their scope: vulnerability management checks a list of known assets, while attack surface management assumes you have unknown assets and so begins with discovery.

91

91

Graham Cluley

APRIL 3, 2024

Google says it is deleting the your Google Chrome Incognito private-browsing data that it should never have collected anyway. Can a zero-risk millionaire-making bot be trusted? And what countries are banned from buying your sensitive data? All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown's Thom Langford.

Risk 88

Risk Cybersecurity Cryptocurrency Scams 88

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.