Schneier on Security

MAY 2, 2024

The UK is the first country to ban default passwords on IoT devices. On Monday, the United Kingdom became the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted. The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with consumers about how long their products will rec

Passwords 252

Passwords IoT Manufacturing Telecommunications 252

Troy Hunt

MAY 2, 2024

How many different angles can you have on one data breach? Facial recognition (which probably isn't actual biometrics), gambling, offshore developers, unpaid bills, extortion, sloppy password practices and now, an arrest. On pondering it more after today's livestream, it's the unfathomable stupidity of publishing this data publicly that really strikes me.

Passwords 194

Passwords Data breaches 194

The Last Watchdog

MAY 2, 2024

It took some five years to get to 100 million users of the World Wide Web and it took just one year to get to 100 million Facebook users. Related: LLM risk mitigation strategies Then along came GenAI and Large Language Models (LLM) and it took just a couple of weeks to get to 100 million ChatGPT users. LLM is a game changer in the same vein as the Gutenberg Press and the Edison light bulb.

Internet 147

Internet Internet Risk Cybersecurity 147

Penetration Testing

MAY 2, 2024

Security researcher Florian Port at Insinuator recently uncovered a critical flaw in Jitsi Meet, the popular open-source video conferencing platform. The vulnerability (CVE-2024-33530) allows unauthorized individuals to gain the meeting password, potentially bypassing security... The post CVE-2024-33530: Jitsi Meet Flaw Leaks Meeting Passwords, Exposing Calls to Intruders appeared first on Penetration Testing.

Passwords 137

Passwords Penetration Testing 137

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Tech Republic Security

MAY 2, 2024

TechRepublic identified the top four trends emerging in IoT that businesses in the U.K. should be aware of.

IoT 146

IoT Artificial Intelligence Internet Internet 146

Penetration Testing

MAY 2, 2024

Microsoft’s Senior Security Researcher Vladimir Tokarev will detail a series of critical zero-day vulnerabilities in OpenVPN, the world’s leading VPN solution, used by millions of endpoints globally at the upcoming Black Hat USA 2024... The post Microsoft Researcher to Unveil 4 OpenVPN Zero-Day Vulnerabilities at Black Hat USA 2024 appeared first on Penetration Testing.

Penetration Testing 139

Penetration Testing VPN 139

Security Boulevard

MAY 2, 2024

Drop Dropbox? The company apologized as user details were leaked from its “Dropbox Sign” product. The post Dropbox Hacked: eSignature Service Breached appeared first on Security Boulevard.

Hacking 122

Hacking Social Engineering Data privacy Engineering 122

The Hacker News

MAY 2, 2024

Cloud storage services provider Dropbox on Wednesday disclosed that Dropbox Sign (formerly HelloSign) was breached by unidentified threat actors, who accessed emails, usernames, and general account settings associated with all users of the digital signature product. The company, in a filing with the U.S.

Accountability 121

Accountability 121

Bleeping Computer

MAY 2, 2024

Bitwarden, the creator of the popular open-source password manager, has just launched a new authenticator app called Bitwarden Authenticator, which is available for iOS and Android devices. [.

Authentication 118

Authentication Password Management Passwords Software 118

The Hacker News

MAY 2, 2024

A never-before-seen botnet called Goldoon has been observed targeting D-Link routers with a nearly decade-old critical security flaw with the goal of using the compromised devices for further attacks. The vulnerability in question is CVE-2015-2051 (CVSS score: 9.

115

115

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Security Affairs

MAY 2, 2024

CISA adds GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The issue, tracked as CVE-2023-7028 (CVSS score: 10.0), is an account takeover via Password Reset.

Passwords 112

Passwords Accountability Hacking Risk 112

Security Boulevard

MAY 2, 2024

Cryptocurrency for several years has been pointed to as a key enabler of ransomware groups, allowing their ransoms to be paid in Bitcoin or Ethereum or some other virtual tokens that are difficult to trace, can be hidden and laundered through such means as crypo mixers, can move easily across borders, and allow bad actors. The post Elliptic Shows How an AI Model Can Identify Bitcoin Laundering appeared first on Security Boulevard.

Cryptocurrency 113

Cryptocurrency Ransomware Cybersecurity Network Security 113

WIRED Threat Level

MAY 2, 2024

Outabox, an Australian firm that scanned faces for bars and clubs, suffered a breach that shows the problems with giving companies your biometric data.

Hacking 115

Hacking 115

Security Boulevard

MAY 2, 2024

In a dramatic shift, the 2024 version of the Verizo n Business Data Breach Investigations Report (DBIR) sounds the alarm about the growing link between data breaches and the vulnerability of the software supply chain – and calls on enterprises to hold their software suppliers to a higher standard for software security. The post Verizon 2024 DBIR: Software supply chain risks fuel a data breach epidemic appeared first on Security Boulevard.

Data breaches 106

Data breaches Software Risk 106

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Bleeping Computer

MAY 2, 2024

Microsoft has highlighted a novel attack dubbed "Dirty Stream," which could allow malicious Android apps to overwrite files in another application's home directory, potentially leading to arbitrary code execution and secrets theft. [.

Mobile 102

Mobile 102

Security Boulevard

MAY 2, 2024

50,000 security practitioners are about to attend RSA 2024. Here’s what one expert anticipates for this year’s show. The post What to Expect at RSA 2024: Will AI Wreak Havoc on Cybersecurity? appeared first on Security Boulevard.

Cybersecurity 104

Cybersecurity CISO 104

Bleeping Computer

MAY 2, 2024

Onur Aksoy, the CEO of a group of companies controlling multiple online storefronts, was sentenced to six and a half years in prison for selling $100 million worth of counterfeit Cisco network equipment to government, health, education, and military organizations worldwide. [.

Education 99

Education Government 99

Security Affairs

MAY 2, 2024

Threat actors breached the Dropbox Sign production environment and accessed customer email addresses and hashed passwords Cloud storage provider DropBox revealed that threat actors have breached the production infrastructure of the DropBox Sign eSignature service and gained access to customer information and authentication data. Dropbox Sign is a service that allows users to electronically sign and request signatures on documents.

Hacking 99

Hacking Authentication Passwords Accountability 99

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Bleeping Computer

MAY 2, 2024

A former cybersecurity consultant was arrested for allegedly attempting to extort a publicly traded IT company by threatening to disclose confidential and proprietary data unless they paid him $1,500,000. [.

Cybersecurity 94

Cybersecurity 94

Penetration Testing

MAY 2, 2024

NTLM Relay Gat NTLM Relay Gat is a powerful tool designed to automate the exploitation of NTLM relays using ntlmrelayx.py from the Impacket tool suite. By leveraging the capabilities of ntlmrelayx.py, NTLM Relay Gat streamlines... The post NTLM Relay Gat: automate the exploitation of NTLM relays appeared first on Penetration Testing.

Penetration Testing 95

Penetration Testing 95

The Hacker News

MAY 2, 2024

A Ukrainian national has been sentenced to more than 13 years in prison and ordered to pay $16 million in restitution for carrying out thousands of ransomware attacks and extorting victims.

Ransomware 96

Ransomware 96

Malwarebytes

MAY 2, 2024

This blog post was written based on research carried out by Jérôme Segura. A campaign using sponsored search results is targeting home users and taking them to tech support scams. Sponsored search results are the ones that are listed at the top of search results and are labelled “Sponsored” They’re often ads that are taken out by brands who want to get people to click through to their website.

Scams 95

Scams Advertising Identity Theft Passwords 95

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Security Boulevard

MAY 2, 2024

The RSA Conference 2024 will kick off on May 6. Known as the “Oscars of Cybersecurity,” the RSAC Innovation Sandbox has become a benchmark for innovation in the cybersecurity industry. Today let’s get to know the company Amebit. Company Introduction Aembit was established in 2021 and is headquartered in Washington, USA. The company is dedicated to […] The post RSAC 2024 Innovation Sandbox | Aembit: An IAM Platform for Cloud Workloads appeared first on NSFOCUS, Inc., a global network and cyb

Cyber Attacks 93

Cyber Attacks Cybersecurity 93

Malwarebytes

MAY 2, 2024

On October 30, 2020, I started a article with the words: “Hell is too nice a place for these people.” The subject of this outrage focused on the cybercriminals behind an attack on Finnish psychotherapy practice Vastaamo. Because it was a psychotherapy practice, the records contained extremely sensitive and confidential information about some of the most vulnerable people.

Hacking 94

Hacking Government Risk Cybersecurity 94

Security Affairs

MAY 2, 2024

HPE Aruba Networking addressed four critical remote code execution vulnerabilities impacting its ArubaOS network operating system. HPE Aruba Networking released April 2024 security updates that addressed four critical remote code execution (RCE) vulnerabilities affecting multiple versions of the network operating system ArubaOS. The four vulnerabilities are unauthenticated buffer overflow issues that could be exploited to remotely execute arbitrary code.

Mobile 90

Mobile Software Authentication Hacking 90

Penetration Testing

MAY 2, 2024

Cisco has issued a security advisory highlighting multiple vulnerabilities in the firmware of several IP Phone models that could allow unauthenticated, remote attackers to engage in detrimental activities ranging from denial of service (DoS)... The post Cisco IP Phones Exposed: Vulnerabilities Allow Hackers to Disrupt, Spy, and Even Make Calls appeared first on Penetration Testing.

Penetration Testing 92

Penetration Testing Firmware 92

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

The Hacker News

MAY 2, 2024

Like antivirus software, vulnerability scans rely on a database of known weaknesses. That’s why websites like VirusTotal exist, to give cyber practitioners a chance to see whether a malware sample is detected by multiple virus scanning engines, but this concept hasn’t existed in the vulnerability management space.

Antivirus 90

Antivirus Engineering Malware Software 90

Security Affairs

MAY 2, 2024

Government agencies from the US, Canada and the UK warn of Russian threat actors targeting critical infrastructure in North America and Europe The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), United States Department of Agriculture (USDA), Food and Drug Administration (FDA), Multi-State Information Sharing and Analysis Center (MS-ISAC), Canadian Ce

Passwords 86

Passwords Internet Internet Software 86

The Hacker News

MAY 2, 2024

Google on Thursday announced that passkeys are being used by over 400 million Google accounts, authenticating users more than 1 billion times over the past two years. "Passkeys are easy to use and phishing resistant, only relying on a fingerprint, face scan or a pin making them 50% faster than passwords," Heather Adkins, vice president of security engineering at Google, said.

Accountability 88

Accountability Engineering Phishing Authentication 88

Bleeping Computer

MAY 2, 2024

Law enforcement shut down 12 phone fraud call centers in Albania, Bosnia and Herzegovina, Kosovo, and Lebanon, behind thousands of scam calls daily. [.

Scams 92

Scams 92

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk