Sun.Jan 07, 2024

Weekly Update 381

Troy Hunt

It's another weekly update from the other side of the world with Scott and me in Rome as we continue a bit of downtime before hitting NDC Security in Oslo next week. This week, Scott's sharing details of how he and Joe Tiedman registered a domain Capelli Sport let lapse and now have their JavaScript running on the website's shopping cart page (check your browser console after loading that link) 😲 That's not the crazy bit though, the crazy bit is the months they've spent

Secure Browser Usage Policy

Tech Republic Security

A web browser is an indispensable feature of every computer and, in some cases, the only truly essential feature (such as with Google Chromebooks). The purpose of this policy from TechRepublic Premium is to provide guidelines for the secure configuration and use of web browsers on company systems. It also includes steps for remediation and.

Iranian crypto exchange Bit24.cash leaks user passports and IDs

Security Affairs

Bit24.cash has inadvertently exposed sensitive data belonging to nearly 230,000 users, as revealed by Cybernews research. Due to its limited access to foreign financial markets, Iran has embraced cryptocurrency significantly. Last year, Iranian crypto exchanges facilitated transactions totaling nearly $3 billion. Almost all incoming crypto volume in Iran adheres to Know Your Customer (KYC) requirements.

Stealthy AsyncRAT malware attack targets US infrastructure for 11 months

Bleeping Computer

A campaign delivering the AsyncRAT malware to select targets has been active for at least the past 11 months, using hundreds of unique loader samples and more than 100 domains. […]

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Turkish Sea Turtle APT targets Dutch IT and Telecom firms

Security Affairs

Sea Turtle cyber espionage group targeted telco, media, ISPs, IT service providers, and Kurdish websites in the Netherlands. Researchers from Dutch security firm Hunt & Hackett observed Sea Turtle cyber espionage group (aka Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf) targeting telco, media, ISPs, IT service providers, and Kurdish websites in the Netherlands.

KyberSlash attacks put quantum encryption projects at risk

Bleeping Computer

Multiple implementations of the Kyber key encapsulation mechanism for quantum-safe encryption are vulnerable to a set of flaws collectively referred to as KyberSlash, which could allow the recovery of secret keys. […]

Most Advanced iPhone Exploit Ever, Google’s $5 Billion Settlement, Apple’s Journal App

Security Boulevard

In this episode, we discuss the most sophisticated iPhone exploit ever, Google’s agreement to settle a $5 billion lawsuit about tracking users in ‘incognito’ mode, and a new iOS app, Journal. The iPhone exploit, known as Operation Triangulation, has complex chains of events that lead to compromised iPhone security. Meanwhile, the lawsuit against Google claims […] The post Most Advanced iPhone Exploit Ever, Google’s $5 Billion Settlement, Apple’s Journal App appeared first on Shared Security Podc

Police investigate sexual assault on an avatar

Malwarebytes

British police are investigating a case involving a virtual sexual assault of a girl’s avatar. Even though there was no physical violence involved the incident will be investigated as it has caused psychological trauma. By definition, an avatar is a virtual representation of a user and is driven by the user’s movements in the virtual world.

Mortgage firm loanDepot cyberattack impacts IT systems, payment portal

Bleeping Computer

U.S. mortgage lender loanDepot has suffered a cyberattack that caused the company to take IT systems offline, preventing online payments against loans. […]

SSH-Snake: Automated SSH-Based Network Traversal

Penetration Testing

SSH-Snake is a powerful tool designed to perform automatic network traversal using SSH private keys discovered on systems, to create a comprehensive map of a network and its dependencies,... The post SSH-Snake: Automated SSH-Based Network Traversal appeared first on Penetration Testing.

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Security Affairs newsletter Round 453 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea; Merck settles with insurers regarding a $1.4 billion claim over NotPetya damages; Law firm Orrick data breach impacted 638,000 individuals; The source code of Zeppelin Ran

Persistence – Event Log

Penetration Testing Lab

Windows Event logs are the main source of information for defensive security teams to identify threats and for administrators to troubleshoot errors.

MDE Kit: A PowerShell Module for Microsoft Defender for Endpoint

Penetration Testing

MDE Kit's objective is to help automate and empower your investigation, detection, prevention, and response capabilities leveraging the MDE API. MDE Kit leverages many of the available Microsoft Defender for Endpoint (MDE)... The post MDE Kit: A PowerShell Module for Microsoft Defender for Endpoint appeared first on Penetration Testing.

NIST Warns of Security and Privacy Risks from Rapid AI System Deployment

The Hacker News

The U.S. National Institute of Standards and Technology (NIST) is calling attention to the privacy and security challenges that arise as a result of increased deployment of artificial intelligence (AI) systems in recent years.

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

A week in security (January 1 – January 7)

Malwarebytes

Last week on Malwarebytes Labs: Police investigate sexual assault on an avatar; How AI hallucinations are making bug hunting harder; Explained: SMTP smuggling; Facebook introduces another way to track you – Link History; 23andMe blames “negligent” breach victims, says it's their own fault; Microsoft disables ms-appinstaller after malicious use; Investment fraud a serious money maker for criminals; Oops!

9 Questions to Ask a Privileged Access Provider

Security Boulevard

Most resources, such as databases or machines, are running in the cloud today and need privileged access. Yet few teams can effectively manage identities in the cloud at scale, with Gartner estimating that by 2023, 75 percent of cloud security failures will occur due to inadequate management of identities and accesses. As a result, controlling, […] The post 9 Questions to Ask a Privileged Access Provider appeared first on Security Boulevard.

Cryptocurrency Malware: The Hidden Threat Lurking on YouTube

Penetration Testing

A new breed of cyber threat has emerged, one that exploits the computational resources of unsuspecting victims for illicit cryptocurrency mining. A recent study by Cyfirma delves into this alarming trend, revealing how malicious... The post Cryptocurrency Malware: The Hidden Threat Lurking on YouTube appeared first on Penetration Testing.

DoJ Charges 19 Worldwide in $68 Million xDedic Dark Web Marketplace Fraud

The Hacker News

The U.S. Department of Justice (DoJ) said it charged 19 individuals worldwide in connection with the now-defunct xDedic Marketplace, which is estimated to have facilitated more than $68 million in fraud.

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

North Korean APT’s Stealth Attack on Open-Source Ecosystems

Penetration Testing

Security researchers at Phylum have been tracking a sophisticated cyber campaign involving a series of npm packages since November. These packages, upon installation, execute a complex chain of actions – downloading remote files, decrypting... The post North Korean APT’s Stealth Attack on Open-Source Ecosystems appeared first on Penetration Testing.

Integrating GRC with Emerging Technologies: AI and IoT

SecureWorld News

The integration of Governance, Risk, and Compliance (GRC) strategies with emerging technologies like Artificial Intelligence and the Internet of Things is reshaping the corporate risk landscape. Let's take a look at how businesses are adapting and expanding their GRC frameworks to accommodate the new capabilities offered by these cutting-edge technologies, addressing the unique risks they bring, and capitalizing on their potential for enhanced governance and compliance.

CVE-2024-21633 Let Attacker Gain Remote Code Execution in Mobile Security Framework (MobSF)

Penetration Testing

The discovery of a subtle yet potent vulnerability can send ripples across the industry. Recently, a security researcher @cybaqkebm identified a critical flaw in the Mobile Security Framework (MobSF), a widely used platform for... The post CVE-2024-21633 Let Attacker Gain Remote Code Execution in Mobile Security Framework (MobSF) appeared first on Penetration Testing.

Alert: Carbanak Malware Strikes Again With Updated Tactics

Security Boulevard

Recent reports have highlighted the return of the Carbanak Malware. As per the reports, it’s a banking malware used in ransomware attacks that leverages updated tactics for increased effectiveness. As of now, the malware is known to have been distributed through various compromised websites and is seen impersonating different business-related software.

5 Key Findings From the 2023 FBI Internet Crime Report

The losses companies suffered in 2023 ransomware attacks increased by 74% compared to those of the previous year, according to new data from the Federal Bureau of Investigation (FBI). The true figure is likely to be even higher, though, as many identity theft and phishing attacks go unreported. Ransomware attackers can potentially paralyze not just private sector organizations but also healthcare facilities, schools, and entire police departments.

Operation Japan’s Cyber Response to Fukushima Decision

Penetration Testing

A new campaign has emerged, stirring significant concern in cybersecurity circles. Dubbed ‘Operation Japan,’ this campaign unfolds against the backdrop of Japan’s controversial decision to release treated water from the Fukushima Daiichi nuclear power... The post Operation Japan’s Cyber Response to Fukushima Decision appeared first on Penetration Testing.

USENIX Security ’23 – Oshrat Ayalon, Dana Turjeman, Elissa M. Redmiles – ‘Exploring Privacy And Incentives Considerations In Adoption Of COVID-19 Contact Tracing Apps’

Security Boulevard

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organization’s strong commitment to Open Access. Originating from the conference’s events situated at the Anaheim Marriott; and via the organization’s YouTube channel. The post USENIX Security ’23 – Oshrat Ayalon, Dana Turjeman, Elissa M.

Hunt & Hackett Exposes Turkish-Aligned Cyber Threats in the Netherlands

Penetration Testing

A series of sophisticated cyberattacks in the Netherlands, orchestrated by a group aligning with Turkish interests, has signaled an escalation in Turkey’s pursuit of intelligence and influence within Western nations. Hunt & Hackett, a... The post Hunt & Hackett Exposes Turkish-Aligned Cyber Threats in the Netherlands appeared first on Penetration Testing.

Trend Micro’s Bug Bounty Program ZDI 2023 Performance

Trend Micro

Trend Micro's bug bounty program Zero Day Initiative 2023 performance gives a glimpse inside the world of threat-hunting and cyber risk prevention

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?”

Decoding AI Vulnerabilities: NIST’s Deep Dive into Adversarial Machine Learning

Penetration Testing

In an age where artificial intelligence (AI) seamlessly integrates into our daily lives, a new publication from the National Institute of Standards and Technology (NIST) sheds light on a critical vulnerability: AI’s susceptibility to... The post Decoding AI Vulnerabilities: NIST’s Deep Dive into Adversarial Machine Learning appeared first on Penetration Testing.

Explained: SMTP smuggling

Malwarebytes

SMTP smuggling is a technique that allows an attacker to send an email from pretty much any address they like. The intended goal is email spoofing —sending emails with false sender addresses. Email spoofing allows criminals to make malicious emails more believable. Let’s take a closer look at what it is exactly, and how cybercriminals can use it. The first thing we need to look at is the Simple Mail Transfer Protocol (SMTP), a protocol that allows the exchange of emails.

Professional Goods & Services at Risk: Decoding CYFIRMA’s Cybersecurity Report

Penetration Testing

In the rapidly evolving world of cybersecurity, staying ahead of threats is a daunting task for organizations across the globe. The latest CYFIRMA Industries Report offers an illuminating look into the current state of... The post Professional Goods & Services at Risk: Decoding CYFIRMA’s Cybersecurity Report appeared first on Penetration Testing.

4 Critical Capabilities Your Cyber Risk Management Tools Should Have

Centraleyes

Cybersecurity is top of mind for most businesses today. A single data breach can compromise your ability to operate, generate revenue, and ruin the reputation you’ve spent years building with your clients, business partners, and vendors. There’s no avoiding digital risks. In today’s hyper-connected world, they will continue to grow at an alarming rate.

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security,” most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any number of other things – and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.