Wed. Oct 12, 2022

Recovering Passwords by Measuring Residual Heat

Schneier on Security

Researchers have used thermal cameras and ML guessing techniques to recover passwords from measuring the residual heat left by fingers on keyboards. From the abstract: We detail the implementation of ThermoSecure and make a dataset of 1,500 thermal images of keyboards with heat traces resulting from input publicly available. Our first study shows that ThermoSecure successfully attacks 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55% respec

Passwords 294

Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!

Anton on Security

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our fourth Threat Horizons Report (full version) that we just released (the official blog for #1 report, my unofficial blog for #2, my unofficial blog for #3). My favorite quotes from the report follow below: “in Q2 threat actors frequently targeted weak and default-password issues for initial compromise, factoring in over half of identified Incidents.

Insiders

Best Practices for Hospitals To Manage Risks To CyberSecurity Created By Medical Technology And Information Systems: A Webinar With The CIA’s Former CyberSecurity Director And The Top CyberSecurity Columnist

Joseph Steinberg

What can hospitals learn from an ex-CIA cybersecurity director and a cybersecurity-expert columnist read by millions of people? Join Bonnie Stith, former Director of the CIA’s Center for Cyber Intelligence, and Joseph Steinberg, renowned cybersecurity expert witness and columnist, for a special, free educational webinar, Best Practices for Asset Risk Management in Hospitals.

Credential phishing attacks continue to exploit COVID-19 to target businesses

Tech Republic Security

Recent phishing emails claim to offer a COVID-19 grant application from the SBA but are actually looking to capture banking details and other confidential data, says Inky. The post Credential phishing attacks continue to exploit COVID-19 to target businesses appeared first on TechRepublic.

Phishing 141

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Malicious WhatsApp mod distributed through legitimate apps

SecureList

Last year, we wrote about the Triada Trojan inside FMWhatsApp, a modified WhatsApp build. At that time, we discovered that a dropper was found inside the distribution, along with an advertising SDK. This year, the situation has repeated, but with a different modified build, YoWhatsApp version 2.22.11.75. Inside it, we found a malicious module that we detect as Trojan.AndroidOS.Triada.eq.

Malware 135

Get 10 cybersecurity courses for just $35

Tech Republic Security

Be prepared for the latest cybersecurity threats with the 2023 Complete Cyber Security Ethical Hacking Certification Bundle. The post Get 10 cybersecurity courses for just $35 appeared first on TechRepublic.

More Trending

Get a Windscribe VPN Pro Plan for 43% off

Tech Republic Security

Protect your personal and business information from snoops with a Windscribe VPN Pro Plan—now available for just $39. The post Get a Windscribe VPN Pro Plan for 43% off appeared first on TechRepublic.

VPN 130

Unofficial WhatsApp Android app caught stealing users’ accounts

Bleeping Computer

A new version of an unofficial WhatsApp Android application named 'YoWhatsApp' has been found stealing access keys for users' accounts. [...]

Android Leaks Wi-Fi Traffic Even When VPN Protection Features Are On

Dark Reading

The platform lets network connectivity data escape outside of the secure tunnel when connected to a public network, posing a "privacy concern" for users with "certain threat models," researchers said.

VPN 125

Why CISO roles require business and technology savvy

CSO Magazine

Of all the crazy postings that advertise for CISO jobs, the one asking for a CISO to code in Python was probably the most outrageous example of the disconnect about a CISO’s role, says Joe Head, CISO search director at UK-based search firm, Intaso. This was a few years ago, and one can only guess that the role had been created by a technologist who didn’t care about or didn’t understand the business—or, inversely by a businessperson who didn’t understand enough about technology.

CISO 125

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Microsoft adds new RSS feed for security update notifications

Bleeping Computer

Microsoft has now made it possible to receive notifications about new security updates through a new RSS feed for the Security Update Guide. [...]

EU-US data sharing agreement: Is it a done deal?

CSO Magazine

With both Privacy Shield and Safe Harbor having been previously struck down by legal challenges, experts question whether US President Biden’s executive order implementing the new Trans-Atlantic Data Policy Framework will stand up to scrutiny.

Aruba fixes critical vulnerabilities in EdgeConnect Enterprise Orchestrator

Security Affairs

Aruba addressed multiple critical severity vulnerabilities in the EdgeConnect Enterprise Orchestrator. Aruba addressed multiple critical severity vulnerabilities in the EdgeConnect Enterprise Orchestrator that can be exploited by remote attackers to compromise the vulnerable host. Aruba EdgeConnect Orchestrator is a centralized SD-WAN management solution that allows enterprises to control their WAN.

Portnox adds IoT fingerprinting to network access control service

CSO Magazine

Network security firm Portnox on Wednesday announced it is adding IoT fingerprinting features to the Portnox Cloud NAC-as-a-Service to allow companies to more easily identify and authorize devices on their networks. The IoT fingerprinting features add new device-identification techniques to the network access control product, including MAC address clustering and DHCP (Dynamic Host Configuration Protocol) gleaning.

IoT 121

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Microsoft Defender adds command and control traffic detection

Bleeping Computer

Microsoft has added command-and-control (C2) traffic detection capabilities to its Microsoft Defender for Endpoint (MDE) enterprise endpoint security platform. [...]

Information overload, burnout, talent retention impacting SOC performance

CSO Magazine

While most security teams believe that security operations centers (SOCs) play a pivotal role in cybersecurity programs, several challenges are impacting SOC performance within businesses, according to a new report. Among these are information overload, worker burnout, and talent retention. The data comes from cybersecurity firm Devo following an independent survey of global SOC leaders (553) and staff members (547), and it adds evidence to reports of security operations becoming harder for team

Signal will remove support for SMS text messages on Android

Bleeping Computer

Signal says it will start to phase out SMS and MMS message support from its Android app to streamline the user experience and prioritize security and privacy. [...]

Malwarebytes pairs new MDR, EDR for overwhelmed cybersecurity teams

CSO Magazine

Addressing the shortage of skilled cybersecurity professionals, Malwarebytes on Wednesday launched Malwarebytes MDR (managed detection and response), pairing EDR (endpoint detection and response) technology with a dedicated team of security analysts, providing both automated and human lines of defense. In doing so, the company says, the new MDR service helps reduce the need for security teams to dedicate a large staff to prioritize, triage and respond to threats.

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Airborne Drones Are Dropping Cyber-Spy Exploits in the Wild

Dark Reading

Drone-based cyberattacks to spy on corporate targets are no longer hypothetical, one incident from this summer shows.

Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!

Security Boulevard

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our fourth Threat Horizons Report (full version) that we just released (the official blog for #1 report, my unofficial blog for #2, my unofficial blog for #3). My favorite quotes from the report follow below: “in Q2 threat actors frequently targeted weak and default-password issues for initial compromise, factoring in over half of identified Incidents.

WhatsApp Users Beware: Dangerous Mobile Trojan Being Distributed via Malicious Mod

Dark Reading

Among other things, users who download the app could end up having their WhatsApp account details stolen.

Mobile 144

Microsoft Patch Tuesday for October 2022 doesn’t fix Exchange Server flaws

Security Affairs

Microsoft Patch Tuesday security updates for October 2022 addressed a total of 85 security vulnerabilities, including an actively exploited zero-day. Microsoft Patch Tuesday security updates for October 2022 addressed 85 new vulnerabilities in multiple products, including Microsoft Windows and Windows Components; Azure, Azure Arc, and Azure DevOps; Microsoft Edge (Chromium-based); Office and Office Components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate

Hacking 108

5 Key Findings From the 2023 FBI Internet Crime Report

The losses companies suffered in 2023 ransomware attacks increased by 74% compared to those of the previous year, according to new data from the Federal Bureau of Investigation (FBI). The true figure is likely to be even higher, though, as many identity theft and phishing attacks go unreported. Ransomware attackers can potentially paralyze not just private sector organizations but also healthcare facilities, schools, and entire police departments.

Microsoft Patch Tuesday Leaves ProxyNotShell Exposed

eSecurity Planet

Microsoft’s October 2022 Patch Tuesday includes security updates that fix well over 80 vulnerabilities in more than 50 different parts of its product range – but the ProxyNotShell flaws in Exchange Server that were reported last month are not on the list. Key vulnerabilities patched include CVE-2022-41033, a zero-day flaw in the Windows COM+ Event System Service that’s being actively exploited and can provide an attacker with system privileges; and CVE-2022-34689, a Windows CryptoA

Passwords 107

Google Rolling Out Passkey Passwordless Login Support to Android and Chrome

The Hacker News

Google on Wednesday officially rolled out support for passkeys, the next-generation authentication standard, to both Android and Chrome. "Passkeys are a significantly safer replacement for passwords and other phishable authentication factors," the tech giant said. "They cannot be reused, don't leak in server breaches, and protect users from phishing attacks.

Open source dependency best practices for developers

Security Boulevard

In recognition of National Cybersecurity Awareness Month, we’ve outlined some open source dependency best practices to help organizations manage their open source. The post Open source dependency best practices for developers appeared first on Application Security Blog. The post Open source dependency best practices for developers appeared first on Security Boulevard.

Hackers Using Vishing to Trick Victims into Installing Android Banking Malware

The Hacker News

Malicious actors are resorting to voice phishing (vishing) tactics to dupe victims into installing Android malware on their devices, new research from ThreatFabric reveals. The Dutch mobile security company said it identified a network of phishing websites targeting Italian online-banking users that are designed to get hold of their contact details.

Banking 103

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Insider Threats and Security at the Edge

Security Boulevard

Edge computing is a vital component of digital transformation, allowing data to be analyzed and used in real-time closer to the point where it is created and consumed. Securing the edge requires a shared security responsibility model, as research from AT&T pointed out, with cybersecurity responsibility spread across three entities: The cloud provider, carriers and.

New npm timing attack could lead to supply chain attacks

Bleeping Computer

Security researchers have discovered an npm timing attack that reveals the names of private packages so threat actors can release malicious clones publicly to trick developers into using them instead. [...]

Critical Bug in Siemens SIMATIC PLCs Could Let Attackers Steal Cryptographic Keys

The Hacker News

A vulnerability in Siemens Simatic programmable logic controller (PLC) can be exploited to retrieve the hard-coded, global private cryptographic keys and seize control of the devices.

Patch your iPhone now against mystery Mail crash bug

Graham Cluley

iOS 16.0.3 has been pushed out by Apple, and my advice is that you should install it.

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security,” most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any number of other things – and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.