Mon.May 13, 2024

article thumbnail

LLMs’ Data-Control Path Insecurity

Schneier on Security

Back in the 1960s, if you played a 2,600Hz tone into an AT&T pay phone, you could make calls without paying. A phone hacker named John Draper noticed that the plastic whistle that came free in a box of Captain Crunch cereal worked to make the right sound. That became his hacker name, and everyone who knew the trick made free pay-phone calls. There were all sorts of related hacks, such as faking the tones that signaled coins dropping into a pay phone and faking tones used by repair equipment.

Risk 259
article thumbnail

Report: Organisations Have Endpoint Security Tools But Are Still Falling Short on the Basics

Tech Republic Security

AI PCs could soon see organisations invest in whole fleets of new managed devices, but Absolute Security data shows they are failing to maintain endpoint protection and patching the devices they have.

Big data 172
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

News alert: Criminal IP and Quad9 collaborate to exchange domain and IP threat intelligence

The Last Watchdog

Torrance, Calif., May 13, 2024, CyberNewsWire — Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA, has recently signed a technology partnership to exchange threat intelligence data based on domains and potentially on the IP address to protect users by blocking threats to end users. Criminal IP underwent rigorous data evaluation to integrate with Quad9’s threat-blocking service, demonstrating high data uniqueness and accuracy.

DNS 130
article thumbnail

Apple and Google Launch Cross-Platform Feature to Detect Unwanted Bluetooth Tracking Devices

The Hacker News

Apple and Google on Monday officially announced the rollout of a new feature that notifies users across both iOS and Android if a Bluetooth tracking device is being used to stealthily keep tabs on them without their knowledge or consent.

128
128
article thumbnail

Reimagining Cybersecurity Training: Driving Real Impact on Security Culture

Speaker: Speakers:

They say a defense can be measured by its weakest link. In your cybersecurity posture, what––or who––is the weakest link? And how can you make them stronger? This webinar will equip you with the resources to search for quality training, implement it, and improve the cyber-behaviors of your workforce. By the end of the hour, you will feel empowered to improve the aspects of your security posture you control the least – the situational awareness and decision-making of your workforce.

article thumbnail

Novel LLMjacking Attacks Target Cloud-Based AI Models

Security Boulevard

Just like enterprises, cybercriminals are embracing generative AI to shape their attacks, from creating more convincing phishing emails and spreading disinformation to model poisoning, prompt injections, and deepfakes. Now comes LLMjacking. Threat researchers with cybersecurity firm Sysdig recently detected bad actors using stolen credentials to target large language models (LLMs) – which are foundational to.

Phishing 124
article thumbnail

Hackers use DNS tunneling for network scanning, tracking victims

Bleeping Computer

Threat actors are using Domain Name System (DNS) tunneling to track when their targets open phishing emails and click on malicious links, and to scan networks for potential vulnerabilities. [.

DNS 124

More Trending

article thumbnail

Four Simple Cybersecurity Tips for Small Businesses

Security Boulevard

During National Small Business Week in April, small businesses were urged to use the free. The post Four Simple Cybersecurity Tips for Small Businesses appeared first on Security Boulevard.

article thumbnail

Threat actors may have exploited a zero-day in older iPhones, Apple warns

Security Affairs

Apple rolled out urgent security updates to address code execution vulnerabilities in iPhones, iPads, and macOS. Apple released urgent security updates to address multiple vulnerabilities in iPhones, iPads, macOS. The company also warns of a vulnerability patched in March that the company believes may have been exploited as a zero-day. The issue impacts older iPhone devices, it is tracked as CVE-2024-23296 and is a memory corruption flaw in the RTKit.

Hacking 118
article thumbnail

Welcome to the Laser Wars

WIRED Threat Level

Amid a rising tide of adversary drones and missile attacks, laser weapons are finally poised to enter the battlefield.

140
140
article thumbnail

Russian hackers defaced local British news sites

Security Affairs

A group of hackers that defines itself as “first-class Russian hackers” claims the defacement of hundreds of local and regional British newspaper websites. A group claiming to be “first-class Russian hackers” defaced numerous local and regional British newspaper websites owned by Newsquest Media Group. The group defaced the home pages of the targeted websites and posted the message “PERVOKLASSNIY RUSSIAN HACKERS ATTACK.” The following image shows an archived version of t

Media 111
article thumbnail

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

article thumbnail

Prison for cybersecurity expert selling private videos from inside 400,000 homes

Graham Cluley

A Korean cybersecurity expert has been sentenced to prison for illegally accessing and distributing private photos and videos from vulnerable "wallpad" cameras in 400,000 private households. Read more in my article on the Hot for Security blog.

article thumbnail

Phorpiex botnet sent millions of phishing emails to deliver LockBit Black ransomware

Security Affairs

Experts reported that since April, the Phorpiex botnet sent millions of phishing emails to spread LockBit Black ransomware. New Jersey’s Cybersecurity and Communications Integration Cell (NJCCIC) reported that since April, threat actors used the the Phorpiex botnet to send millions of phishing emails as part of a LockBit Black ransomware campaign.

Phishing 111
article thumbnail

Google and Apple deliver support for unwanted tracking alerts in Android and iOS

Google Security

Google and Apple have worked together to create an industry specification – Detecting Unwanted Location Trackers – for Bluetooth tracking devices that makes it possible to alert users across both Android and iOS if such a device is unknowingly being used to track them. This will help mitigate the misuse of devices designed to help keep track of belongings.

article thumbnail

What Is the Dark Web?

Tech Republic Security

The negative press, coupled with YouTube horror stories, has cemented the Dark Web’s reputation for illicit behavior. Today, the Dark Web is believed to be a platform where cybercriminals sell drugs, weapons, malicious software and piles of consumer and sensitive corporate data. But is the Dark Web just filled with darkness? Maria Carrisa Sanchez, writing.

article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

Black Basta Ransomware Strikes 500+ Entities Across North America, Europe, and Australia

The Hacker News

The Black Basta ransomware-as-a-service (RaaS) operation has targeted more than 500 private industry and critical infrastructure entities in North America, Europe, and Australia since its emergence in April 2022.

article thumbnail

Australian Firstmac Limited disclosed a data breach after cyber attack

Security Affairs

Firstmac Limited disclosed a data breach after the new Embargo extortion group leaked over 500GB of data allegedly stolen from the company. Firstmac Limited, one of the largest non-bank lenders in Australia, disclosed a data breach. Firstmac Limited is an Australian owned company with experience in home and investment loans. They have a range of market insurance products backed by international company, Allianz Group.

article thumbnail

MITRE Unveils EMB3D: A Threat-Modeling Framework for Embedded Devices

The Hacker News

The MITRE Corporation has officially made available a new threat-modeling framework called EMB3D for makers of embedded devices used in critical infrastructure environments.

article thumbnail

Votiro Named Market Leader in Data Security by the 2024 CDM Awards

Security Boulevard

The post Votiro Named Market Leader in Data Security by the 2024 CDM Awards appeared first on Votiro. The post Votiro Named Market Leader in Data Security by the 2024 CDM Awards appeared first on Security Boulevard.

article thumbnail

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

article thumbnail

The $2.3 Billion Tornado Cash Case Is a Pivotal Moment for Crypto Privacy

WIRED Threat Level

Tuesday’s verdict in the trial of Alexey Pertsev, a creator of crypto-privacy service Tornado Cash, is the first in a string of cases that could make it much harder to skirt financial surveillance.

article thumbnail

Quick Glossary: DevSecOps

Tech Republic Security

The way software is developed has changed. DevSecOps is transforming the industry by incorporating security from the early stages and automating traditional processes to build better, faster and more secure software. Ray Fernandez, writing for TechRepublic Premium, presents this DevSecOps glossary to help you navigate the modern world of software development and enhance your understanding.

article thumbnail

FCC reveals Royal Tiger, its first tagged robocall threat actor

Bleeping Computer

The Federal Communications Commission (FCC) has named its first officially designated robocall threat actor 'Royal Tiger,' a move aiming to help international partners and law enforcement more easily track individuals and entities behind repeat robocall campaigns. [.

96
article thumbnail

Internal Emails Show How a Controversial Gun-Detection System Found Its Way to NYC

WIRED Threat Level

NYC mayor Eric Adams wants to test Evolv’s gun-detection tech in subway stations—despite the company saying it’s not designed for that environment. Emails obtained by WIRED show how the company still found an in.

95
article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

Severe Vulnerabilities in Cinterion Cellular Modems Pose Risks to Various Industries

The Hacker News

Cybersecurity researchers have disclosed multiple security flaws in Cinterion cellular modems that could be potentially exploited by threat actors to access sensitive information and achieve code execution.

Risk 94
article thumbnail

Helsinki suffers data breach after hackers exploit unpatched flaw

Bleeping Computer

The City of Helsinki is investigating a data breach in its education division, which it discovered in late April 2024, impacting tens of thousands of students, guardians, and personnel. [.

article thumbnail

Critical Security Flaws in Cacti: Command Injection (CVE-2024-29895, CVSS 10) and XSS Vulnerabilities

Penetration Testing

Cacti, a popular open-source network monitoring and graphing tool, has recently released a crucial security update to address two significant vulnerabilities that could leave systems exposed to malicious attacks. These vulnerabilities were found in... The post Critical Security Flaws in Cacti: Command Injection (CVE-2024-29895, CVSS 10) and XSS Vulnerabilities appeared first on Penetration Testing.

article thumbnail

PyPi package backdoors Macs using the Sliver pen-testing suite

Bleeping Computer

A new package mimicked the popular 'requests' library on the Python Package Index (PyPI) to target macOS devices with the Sliver C2 adversary framework, used for gaining initial access to corporate networks. [.

89
article thumbnail

5 Key Findings From the 2023 FBI Internet Crime Report

The losses companies suffered in 2023 ransomware attacks increased by 74% compared to those of the previous year, according to new data from the Federal Bureau of Investigation (FBI). The true figure is likely to be even higher, though, as many identity theft and phishing attacks go unreported. Ransomware attackers can potentially paralyze not just private sector organizations but also healthcare facilities, schools, and entire police departments.

article thumbnail

CISOs Reconsider Their Roles in Response to GenAI Integration

Security Boulevard

Modern CISOs have a new task cut out for them: determining how to navigate AI as both challenge and opportunity. The post CISOs Reconsider Their Roles in Response to GenAI Integration appeared first on Security Boulevard.

CISO 85
article thumbnail

Romance Scammers Target Cryptocurrency Investors with Social Engineering and Fake Exchanges

Penetration Testing

AhnLab’s Mobile Analysis Team has issued an alarm about an insidious new breed of romance scams specifically targeting cryptocurrency enthusiasts. These scams go beyond the typical emotional manipulation seen in traditional romance scams, incorporating... The post Romance Scammers Target Cryptocurrency Investors with Social Engineering and Fake Exchanges appeared first on Penetration Testing.

article thumbnail

Why car location tracking needs an overhaul

Malwarebytes

Across America, survivors of domestic abuse and stalking are facing a unique location tracking crisis born out of policy failure, unclear corporate responsibility, and potentially risky behaviors around digital sharing that are now common in relationships. No, we’re not talking about stalkerware. Or hidden Apple AirTags. We’re talking about cars. Modern cars are the latest consumer “device” to undergo an internet-crazed overhaul, as manufacturers increasingly stuff their automobiles with the typ

article thumbnail

The 2024 Browser Security Report Uncovers How Every Web Session Could be a Security Minefield

The Hacker News

With the browser becoming the most prevalent workspace in the enterprise, it is also turning into a popular attack vector for cyber attackers. From account takeovers to malicious extensions to phishing attacks, the browser is a means for stealing sensitive data and accessing organizational systems.

article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?