Thu.Dec 07, 2023

article thumbnail

Spying through Push Notifications

Schneier on Security

When you get a push notification on your Apple or Google phone, those notifications go through Apple and Google servers. Which means that those companies can spy on them—either for their own reasons or in response to government demands. Sen. Wyden is trying to get to the bottom of this : In a statement, Apple said that Wyden’s letter gave them the opening they needed to share more details with the public about how governments monitored push notifications. “In this case, the fed

article thumbnail

Weekly Update 377

Troy Hunt

10 years later. 🤯 Seriously, how did this thing turn into this?! It was the humblest of beginning with absolutely no expectations of anything, and now it's, well, massive! I'm a bit lost for words if I'm honest, I hope the chat with Charlotte adds some candour to this week's update, she's seen this thing grow since before its first birthday, through the hardest times and the best times and now lives and breathes HIBP day in day out with me.

Malware 247
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Widespread Windows and Linux Vulnerabilities Could Let Attackers Sneak in Malicious Code Before Boot

Tech Republic Security

AMI, Insyde and Lenovo have released patches for LogoFAIL, an image library poisoning attack. Learn more about LogoFAIL.

article thumbnail

US government is snooping on people via phone push notifications, says senator

Malwarebytes

Many people don’t realize that the instant alert push notifications you get on your phone are routed through Google or Apple’s servers, depending on which device you use. So if you have an iPhone or iPad, any push notifications can be seen by Apple, and if you use an Android, they can be seen by Google. But, it seems, it’s not just Apple and Google who can view them.

article thumbnail

Guide to Business Writing

Everything you need to know about better business writing in one place. This is a complete guide to business writing — from a clear business writing definition to tips on how to hone your business writing skills.

article thumbnail

Securities and Exchange Commission Cyber Disclosure Rules: How to Prepare for December Deadlines

Tech Republic Security

Starting Dec. 18, publicly traded companies will need to report material cyber threats to the SEC. Deloitte offers business leaders tips on how to prepare for these new SEC rules.

article thumbnail

Android phones can be taken over remotely – update when you can

Malwarebytes

Android phones are vulnerable to attacks that could allow someone to takeover a device remotely without the device owner needing to do anything. Updates for these vulnerabilities and more are included in Google’s Android security bulletin for December. In total, there are patches for 94 vulnerabilities, including five rated as “Critical.” The most severe of these flaws is a vulnerability in the System component that could lead to remote code execution (RCE) without any additional execution

Risk 143

More Trending

article thumbnail

End-to-End Encrypted Instagram and Messenger Chats: Why It Took Meta 7 Years

WIRED Threat Level

Mark Zuckerberg personally promised that the privacy feature would launch by default on Messenger and Instagram chat. WIRED goes behind the scenes of the company’s colossal effort to get it right.

article thumbnail

Incident Reporting and Response Procedures Policy

Tech Republic Security

The purpose of the Incident Reporting and Response Procedures Policy from TechRepublic Premium is to establish a clear and efficient process for employees to report security breaches, device loss, or data exposure incidents involving personal devices used for work purposes. From the policy: CONFIDENTIAL REPORTING Employees are strongly encouraged to promptly report incidents, and they.

122
122
article thumbnail

State of Log4j Vulnerabilities: How Much Did Log4Shell Change?

Veracode Security

December 9 marks two years since the world went on high alert because of what was deemed one of the most critical zero-day vulnerabilities ever: Log4Shell. The vulnerability that carried the highest possible severity rating (10.0) was in Apache Log4j, an ubiquitous Java logging framework that Veracode estimated at the time was used in 88 percent of organizations.

130
130
article thumbnail

Concerned About Business Email Compromise? 4 Technologies That Can Help

Security Boulevard

Understanding the scope and impact of BEC is critical for any business that wants to protect itself from this insidious threat. The post Concerned About Business Email Compromise? 4 Technologies That Can Help appeared first on Security Boulevard.

article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

A cyber attack hit Nissan Oceania

Security Affairs

Japanese carmaker Nissan announced it has suffered a cyberattack impacting the internal systems at Nissan Oceania. Nissan Oceania, the regional division of the multinational carmaker, announced it had suffered a cyber attack and launched an investigation into the incident. Nissan already notified the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre.

article thumbnail

CISA to Developers: Adopt Memory Safe Programming Languages

Security Boulevard

Software makers need to embrace the growing number of newer programming languages that protect memory to reduce the number of security vulnerabilities in their products, according to cybersecurity agencies in the United States and other countries. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released a report outlining steps software developers can take.

Software 123
article thumbnail

To tap or not to tap: Are NFC payments safer?

We Live Security

NFC chips have enabled us to pay in a more convenient way, but there are several flaws which can make the experience less secure. However, despite this, thanks to NFC phone payments, these security flaws can be ameliorated in some ways, like with biometric verification.

article thumbnail

Navigating Public Company Cybersecurity Disclosures

Security Boulevard

Transparency in the disclosure of cybersecurity incidents for public companies is no longer good practice – it’s now a regulatory necessity. The imminent requirement for public companies to disclose current material cybersecurity incidents is set to reshape the disclosure landscape for public companies. It brings forth a myriad of considerations that Chief Information Security Officers […] The post Navigating Public Company Cybersecurity Disclosures appeared first on Symmetry Systems.

article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

BlackSuit ransomware – what you need to know

Graham Cluley

A cybercriminal group calling itself BlackSuit has claimed responsibility for a series of ransomware attacks, including breaches at schools in central Georgia. And earlier in the year, a zoo in Tampa Bay was targeted by the same hacking gang. Learn more about the BlackSuit ransomware in my article on the Tripwire State of Security blog.

article thumbnail

Developers behaving badly: Why holistic AppSec is key

Security Boulevard

A recent survey shows that untested software releases, rampant pushing of unvetted and uncontrolled AI-derived code, and bad developer security are all culminating to seriously expand security risks across software development. Add in the explosion of low-code/no-code development and economic headwinds that are pressuring developers to deliver features with less support, and the AppSec world is in for a perfect storm in 2024.

Software 114
article thumbnail

Russia-linked APT8 exploited Outlook zero-day to target European NATO members

Security Affairs

Russia-linked group APT28 exploited Microsoft Outlook zero-day to target European NATO members, including a NATO Rapid Deployable Corps. Palo Alto Networks’ Unit 42 reported that the Russia-linked APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) group exploited the CVE-2023-23397 vulnerability in attacks aimed at European NATO members.

article thumbnail

In Pursuit of a Passwordless Future

Security Boulevard

The passwordless future feels close because we have the technology to do it, but progress will be slow as applications are migrated to adopt passwordless authentication. The post In Pursuit of a Passwordless Future appeared first on Security Boulevard.

article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

article thumbnail

Finally! Facebook and Messenger are getting default end-to-end encryption. And not everyone is happy…

Graham Cluley

Meta's Head of Messenger announced that the company has begun to roll out end-to-end encryption (E2EE) for personal chats and calls. Read more in my article on the Hot for Security blog.

article thumbnail

Russian military hackers target NATO fast reaction corps

Bleeping Computer

Russian APT28 military hackers used Microsoft Outlook zero-day exploits to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. [.

112
112
article thumbnail

New Krasue Linux RAT targets telecom companies in Thailand

Security Affairs

A previously undetected Linux RAT dubbed Krasue has been observed targeting telecom companies in Thailand. Group-IB researchers discovered a previously undetected Linux remote access trojan called Krasue has been employed in attacks aimed at telecom companies in Thailand. The Krasue Remote Access Trojan (RAT) has remained undetected since at least 2021 when it was registered on Virustotal.

Malware 107
article thumbnail

Meta rolls out default end-to-end encryption on Messenger, Facebook

Bleeping Computer

Meta has announced that the immediate availability of end-to-end encryption for all chats and calls made through the Messenger app, as well as the Facebook social media platform. [.

article thumbnail

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

article thumbnail

23andMe Data Breach Impacts Nearly 7 Million Users

SecureWorld News

New revelations have shed light on the extensive fallout of the 23andMe data breach, which exposed the personal information of a staggering 6.9 million users. This significant update comes almost two months after the genetic testing company initially reported a breach affecting 14,000 individuals. The SEC filing accompanying these recent developments reveals critical information about the breach's scope, underlining the severity of the situation.

article thumbnail

UK and allies expose Russian FSB hacking group, sanction members

Bleeping Computer

The UK National Cyber Security Centre (NCSC) and Microsoft warn that the Russian state-backed actor "Callisto Group" (aka "Seaborgium" or "Star Blizzard") is targeting organizations worldwide with spear-phishing campaigns used to steal account credentials and data. [.

Hacking 105
article thumbnail

Welltok Data Breach: 8.5M US Patients’ Information Exposed

Security Boulevard

In a recent cybersecurity incident, Welltok, a leading healthcare Software as a Service (SaaS) provider, reported unauthorized access to its MOVEit Transfer server, affecting the personal information of approximately 8.5 million patients in the United States. Discovered on July 26, 2023, this breach raises critical concerns about healthcare data security, with far-reaching implications for healthcare […] The post Welltok Data Breach: 8.5M US Patients’ Information Exposed appeared first on TuxCar

article thumbnail

WordPress fixes POP chain exposing websites to RCE attacks

Bleeping Computer

WordPress has released version 6.4.2 that addresses a remote code execution (RCE) vulnerability that could be chained with another flaw to allow attackers run arbitrary PHP code on the target website. [.

105
105
article thumbnail

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

article thumbnail

CVE-2023-50164: Apache Struts Remote Code Execution Vulnerability

Penetration Testing

In the realm of Java web application development, Apache Struts stands as a paragon of efficiency and modern design. This free, open-source Model-View-Controller (MVC) framework has empowered developers to create elegant web applications with... The post CVE-2023-50164: Apache Struts Remote Code Execution Vulnerability appeared first on Penetration Testing.

article thumbnail

23andMe updates user agreement to prevent data breach lawsuits

Bleeping Computer

As Genetic testing provider 23andMe faces multiple lawsuits for an October credential stuffing attack that led to the theft of customer data, the company has modified its Terms of Use to make it harder to sue the company. [.

article thumbnail

New Bluetooth Flaw Let Hackers Take Over Android, Linux, macOS, and iOS Devices

The Hacker News

A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS and iOS devices. Tracked as CVE-2023-45866, the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim.

article thumbnail

Elijah Wood and Mike Tyson Cameo Videos Were Used in a Russian Disinformation Campaign

WIRED Threat Level

Videos featuring Elijah Wood, Mike Tyson, and Priscilla Presley have been edited to push anti-Ukraine disinformation, according to Microsoft researchers.

109
109
article thumbnail

ERM Program Fundamentals for Success in the Banking Industry

Speaker: William Hord, Senior VP of Risk & Professional Services

Enterprise Risk Management (ERM) is critical for industry growth in today’s fast-paced and ever-changing risk landscape. When building your ERM program foundation, you need to answer questions like: Do we have robust board and management support? Do we understand and articulate our bank’s risk appetite and how that impacts our business units? How are we measuring and rating our risk impact, likelihood, and controls to mitigate our risk?