Mon.Jan 09, 2023


Identity Thieves Bypassed Experian Security to View Credit Reports

Krebs on Security

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report.
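The weakness described above is an authorization check that lived in the page flow rather than on the server: whoever reached the report page got the report. The following is an added example, not Experian's code, that models that pattern beside its fix. A report handler that consults the verification result the server recorded when it graded the questions cannot be skipped by navigating straight to the report URL. The Session class, QUESTION_BANK, the handler names and the lockout threshold are all assumptions made for the demo.

```python
"""Gating a report endpoint on server-side verification state.

Added example, not Experian's code. It models the class of weakness the
Krebs article describes (reaching the report URL was enough) and the fix:
the report handler authorizes on state the server recorded when it graded
the identity questions, not on the order in which the browser visited pages.
Session, kba_challenge, QUESTION_BANK and the handler names are assumptions.
"""
import secrets
from dataclasses import dataclass

# Constructed answer key for the demo. A real service derives the questions
# from the consumer's file and never sends the answers to the client.
QUESTION_BANK = {
    "q1": {"prompt": "Which lender holds your 2019 auto loan?", "answer": "B"},
    "q2": {"prompt": "Which street did you live on in 2016?", "answer": "C"},
}
MAX_ATTEMPTS = 3


@dataclass
class Session:
    consumer_id: str          # bound at login; the report handler never reads it from the URL
    kba_passed: bool = False  # set only by kba_challenge, never by the client
    kba_attempts: int = 0


def kba_challenge(session: Session, answers: dict) -> bool:
    """Grade the multiple-choice answers and record the outcome on the server."""
    if session.kba_attempts >= MAX_ATTEMPTS:
        return False  # locked out; this session can no longer pass
    session.kba_attempts += 1
    passed = all(
        secrets.compare_digest(
            QUESTION_BANK[q]["answer"].encode(), str(answers.get(q, "")).encode()
        )
        for q in QUESTION_BANK
    )
    session.kba_passed = passed
    return passed


def vulnerable_report_handler(session: Session, path: str) -> dict:
    """The pattern the article describes: reaching the report URL is the only check."""
    if path != "/report":
        return {"status": 404}
    return {"status": 200, "body": f"credit report for {session.consumer_id}"}


def hardened_report_handler(session: Session, path: str) -> dict:
    """Same endpoint; authorization comes from the server-recorded KBA result."""
    if path != "/report":
        return {"status": 404}
    if not session.kba_passed:
        return {"status": 403, "body": "identity verification required"}
    return {"status": 200, "body": f"credit report for {session.consumer_id}"}


if __name__ == "__main__":
    s = Session("consumer-42")
    print(vulnerable_report_handler(s, "/report"))   # 200 without answering anything
    print(hardened_report_handler(s, "/report"))     # 403 until a pass is recorded
    kba_challenge(s, {"q1": "B", "q2": "C"})
    print(hardened_report_handler(s, "/report"))     # 200 only after a recorded pass
```

Two details carry the weight: the flag is written only by the grading function, and the report is keyed to the consumer bound to the session rather than to an identifier the client can edit. The attempt counter is there because a step that can be retried without limit is a step that can be brute-forced.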


Identifying People Using Cell Phone Location Data

Schneier on Security

The two people who shut down four Washington power stations in December were arrested. This is the interesting part: Investigators identified Greenwood and Crahan almost immediately after the attacks took place by using cell phone data that allegedly showed both men in the vicinity of all four substations, according to court documents. Nowadays, it seems like an obvious thing to do—although the search is probably unconstitutional.


GUEST ESSAY: How ‘DPIAs’ — data privacy impact assessments — can lead SMBs to compliance

The Last Watchdog

As the world becomes more digital and connected, it is no surprise that data privacy and security are a growing concern for small to medium sized businesses — SMBs. Large corporations tend to have the resources to deal with compliance issues. However, SMBs can struggle with the expense and execution of complying with data security laws in many countries.


Forging the Path to Continuous Audit Readiness

CyberSecurity Insiders

By Scott Gordon, CISSP, Oomnitza. Technology oversight is a common mandate across IT and security frameworks and compliance specifications, but achieving that oversight is difficult. The rise of hybrid workplaces, shadow IT/DevOps, and cloud infrastructure dynamics continues to create cybersecurity risks. SecOps, Governance, Risk and Compliance (GRC) and ITOps teams use a wide variety of tools and operational data to mitigate security posture exposures and fortify business resiliency, yet audit re […]


IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.


CES 2023 FAIL: Worst in Show for Security and Privacy

Security Boulevard

The Consumer Electronics Show wrapped up yesterday. But some vendors faced stiff criticism over their privacy and security stances. The post CES 2023 FAIL: Worst in Show for Security and Privacy appeared first on Security Boulevard.


If governments are banning TikTok, why is it still on your corporate devices?

CSO Magazine

TikTok, the viral app resident on millions of devices, was recently banned from executive branch devices in the United States, as set out in the recent Omnibus Bill signed by President Joe Biden. The Omnibus Bill, as detailed in CSO Online’s overview, highlighted that the “legislation required the Office of Management and Budget in consultation with the administrator of general services, the director of CISA, the director of national intelligence, and the secretary of defense, to develop wit […]


Cracked it! Highlights from KringleCon 5: Golden Rings

We Live Security

Learning meets fun at the 2022 SANS Holiday Hack Challenge – strap yourself in for a crackerjack ride at the North Pole as I foil Grinchum's foul plan and recover the five golden rings. The post Cracked it! Highlights from KringleCon 5: Golden Rings appeared first on WeLiveSecurity.


2023 Predictions for Modern Application Security

Security Boulevard

Software dominates the world and remains a big and accessible attack surface. In 2022, an estimated $6B was invested in Application Security, with that number expected to reach $7.5B in 2023. Within AppSec, software supply chain security entered the spotlight two years ago and represents AppSec’s fastest growing attack category with major headlines of breaches and exploits happening on a regular basis.


Security risk assessment checklist

Tech Republic Security

Organizations, regardless of size, face ever-increasing information technology and data security threats. Everything from physical sites to data, applications, networks and systems is under attack. Worse, neither an organization nor its managers need be prominent or controversial to be a target. Automated and programmatic robotic attacks seek weaknesses, then exploit vulnerabilities when detected.


Compliance and Regulations for Your Cybersecurity Program

Security Boulevard

Compliance for many cybersecurity programs has been the cornerstone and the catalyst for why many programs exist in the first place. Since the rise of the information technology function within the enterprise, security has been a priority for the companies and governing bodies in the industries and locations where they operate effectively. For many entities, compliance is critical to ensure ongoing business operations and support new business growth.


Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access protected health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other information provided by users on those pages, and can thus violate the HIPAA Rules as set out in the HHS bulletin on the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.
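The first practical step is knowing which third parties a page actually loads, because a pixel or tag-manager request carries the page URL, and often the title and form context, to the vendor. The following is an added example, not code from the article, that parses a page's HTML and separates known advertising/analytics hosts from other third-party loads, including URLs embedded in inline loader scripts (the usual form of the Meta Pixel snippet). The tracker domain list, the first-party host and SAMPLE_HTML are constructed for the demo.

```python
"""Inventory of third-party loads on a healthcare page.

Added example, not from the article above. It parses HTML and lists every
script, image, iframe and inline-script URL that points off the first-party
host, separating hosts that are known advertising/analytics trackers from
other third parties. KNOWN_TRACKER_DOMAINS and SAMPLE_HTML are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains of common pixels and tag managers; extend from your inventory.
KNOWN_TRACKER_DOMAINS = {
    "facebook.net", "facebook.com",          # Meta Pixel loader and image beacon
    "google-analytics.com", "googletagmanager.com", "doubleclick.net",
}
INLINE_CALL_PATTERNS = ("fbq(", "gtag(", "dataLayer.push(")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


class _LoadCollector(HTMLParser):
    """Collects src URLs, URLs inside inline scripts, and tracker API calls."""

    def __init__(self):
        super().__init__()
        self.loads = []          # (tag, url) from src attributes
        self.inline_urls = []    # URLs found inside inline <script> bodies
        self.inline_calls = []   # tracker API calls seen in inline scripts
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.loads.append((tag, a["src"]))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_urls.extend(URL_RE.findall(data))
            self.inline_calls.extend(p for p in INLINE_CALL_PATTERNS if p in data)


def _is_known_tracker(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_TRACKER_DOMAINS)


def audit_page(html, first_party_host):
    """Return known trackers, other third-party loads and inline tracker calls."""
    parser = _LoadCollector()
    parser.feed(html)
    candidates = parser.loads + [("script-inline", u) for u in parser.inline_urls]
    known, other = [], []
    for tag, url in candidates:
        host = urlparse(url).hostname   # None for relative URLs, i.e. first party
        if host is None or host == first_party_host or host.endswith("." + first_party_host):
            continue
        entry = {"tag": tag, "host": host, "url": url}
        (known if _is_known_tracker(host) else other).append(entry)
    return {"known_trackers": known, "other_third_party": other,
            "inline_tracker_calls": sorted(set(parser.inline_calls))}


# Constructed appointment page: a tag manager, the Meta Pixel loader plus its
# noscript beacon, a first-party logo and a first-party-looking CDN script.
SAMPLE_HTML = """<html><head>
<title>Appointment confirmation - Cardiology, 12 Jan 2023</title>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX"></script>
<script>
  !function(f,b,e,v,n,t,s){/* loader elided */}(window,document,'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<script src="https://static.example.org/portal.js"></script>
</head><body>
<img src="/img/logo.png" alt="Example Health">
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"></noscript>
<form action="/appointments/12345/confirm" method="post"><input type="hidden" name="mrn" value="MRN-000123"></form>
</body></html>"""

if __name__ == "__main__":
    for key, entries in audit_page(SAMPLE_HTML, "portal.example.org").items():
        print(key, entries)
```

A hit in `known_trackers` on a page whose URL, title or form carries an appointment or record number is exactly the disclosure the HHS bulletin describes; `other_third_party` is the list to reconcile against vendor contracts, since a CDN or chat widget is only acceptable if a business associate agreement covers it.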


Hybrid work: Turning business platforms into preferred social spaces

We Live Security

Hybrid work and hybrid play now merge into hybrid living, but where is the line between the two? Is there one? The post Hybrid work: Turning business platforms into preferred social spaces appeared first on WeLiveSecurity.


Best Practices for Securing Locally Stored Employee Data

Security Boulevard

Many businesses are moving to the cloud, but others still retain some data in on-premises solutions. Local storage has many advantages, including providing more control over data security measures and practices. However, higher control also means more responsibility. Businesses that store employee data locally should carefully consider how they can keep it secure.


11 top XDR tools and how to evaluate them

CSO Magazine

Little in the modern IT world lends itself to manual or siloed management, and this is doubly true in the security realm. The scale of modern enterprise computing and modern application stack architecture requires security tools that can bring visibility into the security posture of modern IT components and integrate tightly to bring real-time threat detection, possibly even automating aspects of threat mitigation.


Major Challenges of IT Staff Augmentation and 7 Ways to Solve Them for your Business in 2023

Security Boulevard

Filling gaps in your workforce to meet business objectives and fulfill customer requirements is paramount. However, recruiting the perfect candidate can be challenging. Closing these […]. The post Major Challenges of IT Staff Augmentation and 7 Ways to Solve Them for your Business in 2023 appeared first on ISHIR | Software Development India.


Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?”


5 Strategies To Secure Your Custom Software Development Pipeline

SecureBlitz

There are several effective strategies to secure your custom software development pipeline. According to recent data, it’s nearly five times more expensive for software developers to fix a bug during implementation than to bake in security from the start. Similarly, fixing bugs during testing can be over 10 times more expensive than fixing the same […].


Ostrich Cyber-Risk Welcomes Cybersecurity Industry Veteran Charlie Barker as Senior Vice President of Sales

Security Boulevard

Charlie Barker, Award-Winning Cybersecurity Sales and Marketing Leader, joins Ostrich Cyber-Risk as the Senior Vice President of Sales to lead client acquisition and expand the national sales team. The post Ostrich Cyber-Risk Welcomes Cybersecurity Industry Veteran Charlie Barker as Senior Vice President of Sales appeared first on Security Boulevard.


'Copyright Infringement' Lure Used for Facebook Credential Harvesting

Dark Reading

Business users receive a message from Facebook warning their accounts will be permanently suspended for using photos illegally if they don't appeal within 24 hours, leading victims to a credential-harvesting page instead.


Tax Preparer Fraud: How to Choose the Right Tax Preparer

Identity IQ

With the tax season back, so are tax preparer fraudsters. While many trustworthy and honest tax preparers are willing to help you complete your tax returns, it’s still good to be cautious, especially when you want to protect your identity. Here’s how to avoid tax preparer fraud and what to look for when choosing a tax preparer this season.


From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security,” most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any number of other things – and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.


Threat Actors Abuse Visual Studio Marketplace to Target Developers

Heimadal Security

Threat actors targeting Visual Studio Code extensions are using a new attack vector: they upload rogue extensions impersonating their legitimate counterparts with the goal of triggering supply chain attacks on developers’ machines. Curated via a marketplace made available by Microsoft, VSCode extensions allow developers to add debuggers, programming languages, and other tools to […].
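Impersonation works because an extension is identified by publisher and name, and a rogue upload can reuse a well-known name under a different publisher or pick a publisher ID one character away from the real one. The following is an added example, not Heimdal's or Microsoft's code, that triages installed extensions against a vetted allowlist by reading each extension's package.json. The TRUSTED set uses real marketplace IDs, but which publishers you trust is your decision; SAMPLE_PACKAGES, the similarity threshold and the verdict names are constructed for the demo.

```python
"""Triage of installed VS Code extensions against a trusted list.

Added example, not Heimdal's or Microsoft's code. It reads each extension's
package.json (publisher, name, activationEvents) and reports whether the
extension is on a trusted allowlist, reuses a trusted extension's name under a
different publisher, or uses a publisher ID that merely resembles a trusted
one. TRUSTED, LOOKALIKE_THRESHOLD and SAMPLE_PACKAGES are constructed for
the demo; the default extensions directory is the usual desktop location.
"""
import json
from difflib import SequenceMatcher
from pathlib import Path

# (publisher, name) pairs you have vetted. Real marketplace IDs, used for the demo.
TRUSTED = {
    ("ms-python", "python"),
    ("esbenp", "prettier-vscode"),
    ("dbaeumer", "vscode-eslint"),
}
LOOKALIKE_THRESHOLD = 0.8   # SequenceMatcher ratio above which two publisher IDs look alike


def assess_extension(meta, trusted=TRUSTED):
    """Classify one extension's package.json metadata."""
    publisher = (meta.get("publisher") or "").lower()
    name = (meta.get("name") or "").lower()
    flags = []
    if "*" in (meta.get("activationEvents") or []):
        flags.append("activates-on-startup")   # runs before you open any file
    trusted_names = {n for _, n in trusted}
    if (publisher, name) in trusted:
        verdict = "trusted"
    elif name in trusted_names:
        verdict = "impersonation"              # trusted name, someone else's publisher
    elif any(p != publisher and SequenceMatcher(None, publisher, p).ratio() >= LOOKALIKE_THRESHOLD
             for p, _ in trusted):
        verdict = "lookalike-publisher"
    else:
        verdict = "unknown"                    # not vetted; review before trusting
    return {"id": f"{publisher}.{name}", "verdict": verdict, "flags": flags}


def scan_installed(root=None, trusted=TRUSTED):
    """Walk <root>/*/package.json; defaults to the user's VS Code extensions dir."""
    root = Path(root) if root else Path.home() / ".vscode" / "extensions"
    results = []
    for pkg in sorted(root.glob("*/package.json")):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue                           # unreadable manifest: skip, do not guess
        results.append(assess_extension(meta, trusted))
    return results


# Constructed manifests: one genuine, one name-squat, one publisher-squat, one unvetted.
SAMPLE_PACKAGES = [
    {"publisher": "ms-python", "name": "python", "activationEvents": ["onLanguage:python"]},
    {"publisher": "ms-pyth0n", "name": "python", "activationEvents": ["*"]},
    {"publisher": "esbemp", "name": "prettier-format", "activationEvents": ["*"]},
    {"publisher": "someone", "name": "rainbow-brackets", "activationEvents": ["onStartupFinished"]},
]


def demo():
    return [assess_extension(m) for m in SAMPLE_PACKAGES]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Run `scan_installed()` on a developer workstation to get the same verdicts for what is actually installed; anything other than `trusted` is a review item, and `impersonation` combined with `activates-on-startup` is the combination to pull first.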


CMMC 2.0: Phased Implementation Begins This Year. Are You Ready?

Security Boulevard

After long, drawn-out conversations about when it will happen, it appears a timeline has finally been established for implementing the Cybersecurity Maturity Model Certification (CMMC) 2.0. The post CMMC 2.0: Phased Implementation Begins This Year. Are You Ready? appeared first on Security Boulevard.


Attackers Are Already Exploiting ChatGPT to Write Malicious Code

Dark Reading

The AI-based chatbot is allowing bad actors with absolutely no coding experience to develop malware.


BrandPost: TCP Floods Are Again the Leading DDoS Attack Vector

CSO Magazine

My personal and professional objectives, like those of many other people, are centered around improving on how I get things done. Or, more importantly, about how to do things more efficiently. One of my favorite things to watch on the attention-sucking platform of TikTok or YouTube Shorts are life hacks. Life hacks are supposed to make tasks easier or more efficient to accomplish but, in many cases are simply more complicated.


Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.


Best Practices Check List for Flawless Container Security

Heimadal Security

While containers and microservices keep gaining popularity among developers, it’s no wonder the interest in container security best practices has also grown. Although container-based architecture comes with a series of advantages (portability, a light footprint, easy maintenance, and scalability), it also raises specific security challenges. Compared to virtual machines, containers are more resource-efficient and agile.


How much security is enough?

SecureList

According to a prominent Soviet science fiction writer, beauty is a fine line, a razor’s edge between two opposites locked in a never-ending battle. Today, we would put it less poetically as an ideal compromise between contradictions. An elegant, or beautiful, design is one that allows reaching that compromise. As an information security professional, I like elegant designs — all the more so because trade-off is a prerequisite for an information security manager’s success: in partic […]


Turla Uses Old Malware Infrastructure to Attack Ukrainian Institutions

Heimadal Security

The Turla Russian espionage group delivers the KOPILUWAK reconnaissance utility and QUIETCANARY backdoor to ANDROMEDA malware victims in Ukraine. Cyber researchers track the operation as UNC4210. Turla is also known as Iron Hunter, Krypton, Uroburos, Venomous Bear, or Waterbug and is thought to be sponsored by the Russian state. The malicious group’s principal targets are governmental, diplomatic, […].


Millions of Vehicles at Risk: API Vulnerabilities Uncovered in 16 Major Car Brands

The Hacker News

Multiple bugs affecting millions of vehicles from 16 different manufacturers could be abused to unlock, start, and track cars, plus impact the privacy of car owners.


ERM Program Fundamentals for Success in the Banking Industry

Speaker: William Hord, Senior VP of Risk & Professional Services

Enterprise Risk Management (ERM) is critical for industry growth in today’s fast-paced and ever-changing risk landscape. When building your ERM program foundation, you need to answer questions like: Do we have robust board and management support? Do we understand and articulate our bank’s risk appetite and how that impacts our business units? How are we measuring and rating our risk impact, likelihood, and controls to mitigate our risk?


Microsoft ends extended support for Windows 7 and Windows Server 2008 today

Malwarebytes

Time has finally run out for Windows 7 Professional and Enterprise users. Microsoft will stop providing its Extended Security Updates (ESU) program for the OS version today, January 10. When the company ended its mainstream support for Windows 7 three years ago, it also offered an ESU program to provide a lifeline for organizations requiring more time to upgrade to new products.


Resecurity Released a Status Report on Drug Trafficking in the Dark Web (2022-2023)

Security Affairs

Resecurity, a Los Angeles-based cybersecurity and risk management provider, has published an eye-opening report on drug trafficking marketplaces currently operating on the Dark Web. The report highlights a rapidly growing shadow economy, and new communication methods such as proprietary Android-based mobile apps that criminals developed, allowing them to migrate from traditional communica […]


2023 Predictions: What Will Happen in Software Supply Chain Governance?

Security Boulevard

Around this time last year, InfoWorld called 2022 “the year of software supply chain security.” Unfortunately, one year later it still feels very much like we’re back at the beginning. Our data shows software supply chain attacks are on a radical incline, increasing an average of 742% yearly since 2019. Bad actors continue to target open source project ecosystems, and there’s no reason to believe next year will be different.


New Study Uncovers Text-to-SQL Model Vulnerabilities Allowing Data Theft and DoS Attacks

The Hacker News

A group of academics has demonstrated novel attacks that leverage Text-to-SQL models to produce malicious code that could enable adversaries to glean sensitive information and stage denial-of-service (DoS) attacks.


Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few other applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.