Thu, Dec 07, 2023

Spying through Push Notifications

Schneier on Security

When you get a push notification on your Apple or Google phone, those notifications go through Apple and Google servers. Which means that those companies can spy on them—either for their own reasons or in response to government demands. Sen. Wyden is trying to get to the bottom of this: In a statement, Apple said that Wyden’s letter gave them the opening they needed to share more details with the public about how governments monitored push notifications. “In this case, the fed

Weekly Update 377

Troy Hunt

10 years later. 🤯 Seriously, how did this thing turn into this?! It was the humblest of beginnings with absolutely no expectations of anything, and now it's, well, massive! I'm a bit lost for words if I'm honest. I hope the chat with Charlotte adds some candour to this week's update; she's seen this thing grow since before its first birthday, through the hardest times and the best times, and now lives and breathes HIBP day in, day out with me.

Widespread Windows and Linux Vulnerabilities Could Let Attackers Sneak in Malicious Code Before Boot

Tech Republic Security

AMI, Insyde and Lenovo have released patches for LogoFAIL, an image library poisoning attack. Learn more about LogoFAIL.

US government is snooping on people via phone push notifications, says senator

Malwarebytes

Many people don’t realize that the instant alert push notifications you get on your phone are routed through Google or Apple’s servers, depending on which device you use. So if you have an iPhone or iPad, any push notifications can be seen by Apple, and if you use an Android, they can be seen by Google. But, it seems, it’s not just Apple and Google who can view them.

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Securities and Exchange Commission Cyber Disclosure Rules: How to Prepare for December Deadlines

Tech Republic Security

Starting Dec. 18, publicly traded companies will need to report material cyber threats to the SEC. Deloitte offers business leaders tips on how to prepare for these new SEC rules.

Android phones can be taken over remotely – update when you can

Malwarebytes

Android phones are vulnerable to attacks that could allow someone to take over a device remotely without the device owner needing to do anything. Updates for these vulnerabilities and more are included in Google’s Android security bulletin for December. In total, there are patches for 94 vulnerabilities, including five rated as “Critical.” The most severe of these flaws is a vulnerability in the System component that could lead to remote code execution (RCE) without any additional execution

State of Log4j Vulnerabilities: How Much Did Log4Shell Change?

Veracode Security

December 9 marks two years since the world went on high alert because of what was deemed one of the most critical zero-day vulnerabilities ever: Log4Shell. The vulnerability, which carried the highest possible severity rating (10.0), was in Apache Log4j, a ubiquitous Java logging framework that Veracode estimated at the time was used in 88 percent of organizations.

Incident Reporting and Response Procedures Policy

Tech Republic Security

The purpose of the Incident Reporting and Response Procedures Policy from TechRepublic Premium is to establish a clear and efficient process for employees to report security breaches, device loss, or data exposure incidents involving personal devices used for work purposes. From the policy: CONFIDENTIAL REPORTING Employees are strongly encouraged to promptly report incidents, and they.

To tap or not to tap: Are NFC payments safer?

We Live Security

NFC chips have enabled us to pay in a more convenient way, but there are several flaws which can make the experience less secure. However, despite this, thanks to NFC phone payments, these security flaws can be ameliorated in some ways, like with biometric verification.

End-to-End Encrypted Instagram and Messenger Chats: Why It Took Meta 7 Years

WIRED Threat Level

Mark Zuckerberg personally promised that the privacy feature would launch by default on Messenger and Instagram chat. WIRED goes behind the scenes of the company’s colossal effort to get it right.

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Concerned About Business Email Compromise? 4 Technologies That Can Help

Security Boulevard

Understanding the scope and impact of BEC is critical for any business that wants to protect itself from this insidious threat. The post Concerned About Business Email Compromise? 4 Technologies That Can Help appeared first on Security Boulevard.

BlackSuit ransomware – what you need to know

Graham Cluley

A cybercriminal group calling itself BlackSuit has claimed responsibility for a series of ransomware attacks, including breaches at schools in central Georgia. And earlier in the year, a zoo in Tampa Bay was targeted by the same hacking gang. Learn more about the BlackSuit ransomware in my article on the Tripwire State of Security blog.

CISA to Developers: Adopt Memory Safe Programming Languages

Security Boulevard

Software makers need to embrace the growing number of newer programming languages that protect memory to reduce the number of security vulnerabilities in their products, according to cybersecurity agencies in the United States and other countries. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released a report outlining steps software developers can take.

A cyber attack hit Nissan Oceania

Security Affairs

Japanese carmaker Nissan announced it has suffered a cyberattack impacting the internal systems at Nissan Oceania. Nissan Oceania, the regional division of the multinational carmaker, announced it had suffered a cyber attack and launched an investigation into the incident. Nissan already notified the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre.

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Navigating Public Company Cybersecurity Disclosures

Security Boulevard

Transparency in the disclosure of cybersecurity incidents for public companies is no longer good practice – it’s now a regulatory necessity. The imminent requirement for public companies to disclose current material cybersecurity incidents is set to reshape the disclosure landscape for public companies. It brings forth a myriad of considerations that Chief Information Security Officers […] The post Navigating Public Company Cybersecurity Disclosures appeared first on Symmetry Systems.

Russia-linked APT28 exploited Outlook zero-day to target European NATO members

Security Affairs

Russia-linked group APT28 exploited Microsoft Outlook zero-day to target European NATO members, including a NATO Rapid Deployable Corps. Palo Alto Networks’ Unit 42 reported that the Russia-linked APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) group exploited the CVE-2023-23397 vulnerability in attacks aimed at European NATO members.

Meta rolls out default end-to-end encryption on Messenger, Facebook

Bleeping Computer

Meta has announced the immediate availability of end-to-end encryption for all chats and calls made through the Messenger app, as well as the Facebook social media platform.

Developers behaving badly: Why holistic AppSec is key

Security Boulevard

A recent survey shows that untested software releases, rampant pushing of unvetted and uncontrolled AI-derived code, and bad developer security are all culminating to seriously expand security risks across software development. Add in the explosion of low-code/no-code development and economic headwinds that are pressuring developers to deliver features with less support, and the AppSec world is in for a perfect storm in 2024.

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Finally! Facebook and Messenger are getting default end-to-end encryption. And not everyone is happy…

Graham Cluley

Meta's Head of Messenger announced that the company has begun to roll out end-to-end encryption (E2EE) for personal chats and calls. Read more in my article on the Hot for Security blog.

New Krasue Linux RAT targets telecom companies in Thailand

Security Affairs

A previously undetected Linux RAT dubbed Krasue has been observed targeting telecom companies in Thailand. Group-IB researchers discovered a previously undetected Linux remote access trojan called Krasue has been employed in attacks aimed at telecom companies in Thailand. The Krasue Remote Access Trojan (RAT) has remained undetected since at least 2021 when it was registered on Virustotal.

In Pursuit of a Passwordless Future

Security Boulevard

The passwordless future feels close because we have the technology to do it, but progress will be slow as applications are migrated to adopt passwordless authentication. The post In Pursuit of a Passwordless Future appeared first on Security Boulevard.

Russian military hackers target NATO fast reaction corps

Bleeping Computer

Russian APT28 military hackers used Microsoft Outlook zero-day exploits to target multiple European NATO member countries, including a NATO Rapid Deployable Corps.

5 Key Findings From the 2023 FBI Internet Crime Report

The losses companies suffered in 2023 ransomware attacks increased by 74% compared to those of the previous year, according to new data from the Federal Bureau of Investigation (FBI). The true figure is likely to be even higher, though, as many identity theft and phishing attacks go unreported. Ransomware attackers can potentially paralyze not just private sector organizations but also healthcare facilities, schools, and entire police departments.

Welltok Data Breach: 8.5M US Patients’ Information Exposed

Security Boulevard

In a recent cybersecurity incident, Welltok, a leading healthcare Software as a Service (SaaS) provider, reported unauthorized access to its MOVEit Transfer server, affecting the personal information of approximately 8.5 million patients in the United States. Discovered on July 26, 2023, this breach raises critical concerns about healthcare data security, with far-reaching implications for healthcare […] The post Welltok Data Breach: 8.5M US Patients’ Information Exposed appeared first on TuxCar

CVE-2023-50164: Apache Struts Remote Code Execution Vulnerability

Penetration Testing

In the realm of Java web application development, Apache Struts stands as a paragon of efficiency and modern design. This free, open-source Model-View-Controller (MVC) framework has empowered developers to create elegant web applications with... The post CVE-2023-50164: Apache Struts Remote Code Execution Vulnerability appeared first on Penetration Testing.

UK and allies expose Russian FSB hacking group, sanction members

Bleeping Computer

The UK National Cyber Security Centre (NCSC) and Microsoft warn that the Russian state-backed actor "Callisto Group" (aka "Seaborgium" or "Star Blizzard") is targeting organizations worldwide with spear-phishing campaigns used to steal account credentials and data.

New Bluetooth Flaw Let Hackers Take Over Android, Linux, macOS, and iOS Devices

The Hacker News

A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS and iOS devices. Tracked as CVE-2023-45866, the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim.

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?”

WordPress fixes POP chain exposing websites to RCE attacks

Bleeping Computer

WordPress has released version 6.4.2, which addresses a remote code execution (RCE) vulnerability that could be chained with another flaw to allow attackers to run arbitrary PHP code on the target website.

23andMe Data Breach Impacts Nearly 7 Million Users

SecureWorld News

New revelations have shed light on the extensive fallout of the 23andMe data breach, which exposed the personal information of a staggering 6.9 million users. This significant update comes almost two months after the genetic testing company initially reported a breach affecting 14,000 individuals. The SEC filing accompanying these recent developments reveals critical information about the breach's scope, underlining the severity of the situation.

23andMe updates user agreement to prevent data breach lawsuits

Bleeping Computer

As genetic testing provider 23andMe faces multiple lawsuits for an October credential stuffing attack that led to the theft of customer data, the company has modified its Terms of Use to make it harder to sue the company.

Cybercriminals Exploit Travel Season with MrAnon Stealer Email Phishing

Penetration Testing

In a digital age teeming with cyber threats, FortiGuard Labs recently identified an email phishing campaign that spread MrAnon Stealer malware. Crafted with cunning precision, this campaign entices victims through seemingly innocuous hotel booking... The post Cybercriminals Exploit Travel Season with MrAnon Stealer Email Phishing appeared first on Penetration Testing.

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security,” most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any number of other things – and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be possible to distill it down to a checklist.