Sat.Sep 25, 2021 - Fri.Oct 01, 2021

article thumbnail

The Rise of One-Time Password Interception Bots

Krebs on Security

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. That service quickly went offline, but new research reveals a number of competitors have since launched bot-based services that make it relatively easy for crooks to phish OTPs from targets.

Passwords 308
article thumbnail

Case Study: Cyber and Physical Security Convergence

Lohrman on Security

Marc Sokol shares a powerful case study on the benefits of cybersecurity convergence with physical security, an example of measuring risk reduction and other benefits to global enterprises.

Risk 256
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Check What Information Your Browser Leaks

Schneier on Security

These two sites tell you what sorts of information you’re leaking from your browser.

286
286
article thumbnail

Compromising a government network is so simple, an out-of-the-box, dark web RAT can do it

Tech Republic Security

Commercially-available malware, with minimal modification, is behind attacks against the Indian government, says Cisco's Talos security research group.

article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

Apple AirTag Bug Enables ‘Good Samaritan’ Attack

Krebs on Security

The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner’s phone number if the AirTag has been set to lost mode. But according to new research, this same feature can be abused to redirect the Good Samaritan to an iCloud phishing page — or to any other malicious website.

Mobile 306
article thumbnail

Hackers rob thousands of Coinbase customers using MFA flaw

Bleeping Computer

Crypto exchange Coinbase disclosed that a threat actor stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the company's SMS multi-factor authentication security feature. [.].

More Trending

article thumbnail

Windows Server 2022: A cheat sheet

Tech Republic Security

Microsoft has just released its most recent Windows Server platform. Check out the improved hybrid cloud features, beefed up security and improved support for large on-premises applications.

190
190
article thumbnail

FCC Proposal Targets SIM Swapping, Port-Out Fraud

Krebs on Security

The U.S. Federal Communications Commission (FCC) is asking for feedback on new proposed rules to crack down on SIM swapping and number port-out fraud, increasingly prevalent scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identity. In a long-overdue notice issued Sept. 30 , the FCC said it plans to move quickly on requiring the mobile companies to adopt more secure methods of authenticating customers before

Wireless 271
article thumbnail

Vaccine passport app leaks users’ personal data

Malwarebytes

Security and privacy advocates may have cause to worry after all: Portpass, a vaccine passport app in Canada, has been found to have been exposing the personal data of its users for an unknown length of time. On Monday, Canadian Broadcasting Corporation (CBC) received a tip that “the user profiles on the app’s website could be accessed by members of the public.” CBC won’t say how or where the data was found but does say it was unencrypted and could be viewed in plain text

article thumbnail

Tracking Stolen Cryptocurrencies

Schneier on Security

Good article about the current state of cryptocurrency forensics.

article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

Consumer privacy study finds online privacy is of growing concern to increasingly more people

Tech Republic Security

The study, from Cisco, comes with the announcement of its New Trust Standard, a benchmark for seeing how trustworthy businesses are as they embrace digital transformation.

article thumbnail

New Android malware steals millions after infecting 10M phones

Bleeping Computer

A large-scale malware campaign has infected more than 10 million Android devices from over 70 countries and likely stole hundreds of millions from its victims by subscribing to paid services without their knowledge. [.].

Malware 145
article thumbnail

Google releases emergency fix to plug zero?day hole in Chrome

We Live Security

The emergency release comes a mere three days after Google’s previous update that plugged another 19 security loopholes. The post Google releases emergency fix to plug zero‑day hole in Chrome appeared first on WeLiveSecurity.

143
143
article thumbnail

Risk Management Programs for the Post-COVID Environment

Security Boulevard

After a year spent managing increased business risks—including security, IT resiliency and cybersecurity concerns—business leaders need to adjust their mindset when it pertains to risk management and avoid the more traditional approach to crisis management and business continuity planning. The past year has also changed the inherent risks companies, both globally and here in the.

Risk 143
article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

article thumbnail

Google stakes new Secure Open Source rewards program for developers with $1M seed money

Tech Republic Security

The SOS program, run by the Linux Foundation, will reward developers with potentially more than $10,000 for enhancing the security of critical open source software.

Software 192
article thumbnail

Microsoft will disable Basic Auth in Exchange Online in October 2022

Bleeping Computer

Microsoft announced that Basic Authentication will be turned off for all protocols in all tenants starting October 1st, 2022, to protect millions of Exchange Online users. [.].

article thumbnail

What is advanced persistent threat? Explaining APT security

CyberSecurity Insiders

This article was written by an independent guest author. As the threat landscape evolves faster than we can keep up with, organizations must be aware of the type of threats they may face. Certain threat types, like ransomware and malware, are more prominent and therefore must be fought with the appropriate resources. On the other hand, some threat types are not prevalent and pose significantly less risk.

Firewall 139
article thumbnail

ImmuniWeb Launches Free Cloud Security Test to Detect Unprotected Storage

The Hacker News

The IDC cloud security survey 2021 states that as many as 98% of companies were victims of a cloud data breach within the past 18 months. Fostered by the pandemic, small and large organizations from all over the world are migrating their data and infrastructure into a public cloud, while often underestimating novel and cloud-specific security or privacy issues.

article thumbnail

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

article thumbnail

3 tips to protect your users against credential phishing attacks

Tech Republic Security

A new phishing campaign spotted by Armorblox tried to steal user credentials by spoofing a message notification from a company that provides email encryption.

Phishing 186
article thumbnail

New Windows 11 install script bypasses TPM, system requirements

Bleeping Computer

A new script allows you to install Windows 11 on devices with incompatible hardware, such as missing TPM 2.0, incompatible CPUs, or the lack of Secure Boot. Even better, the script also works on virtual machines, allowing you to upgrade to the latest Windows Insider build. [.].

145
145
article thumbnail

Exploring the Relationship between Company Culture and Insider Threats

CyberSecurity Insiders

By: Steve Salinas, director of solutions marketing, Exabeam. Security teams are trained to take decisive action when an attacker is detected. Using specialized tools, technologies and processes, their biggest responsibility is to mitigate the impact of a breach. While this approach is valid and needed to ensure business continuity, there are other initiatives an organization can and should undertake to minimize the chance an attacker even gets the opportunity to carry out their attack.

article thumbnail

US Gov’t Again Threatens to Prosecute Those Who Pay Ransom

Security Boulevard

On September 21, 2021, the U.S. Treasury Department’s Office of Foreign Asset Control (OFAC) once again threatened sanctions against companies for paying ransom in the event that their data or systems were hijacked by hackers. In a new advisory, the federal agency noted that paying ransom strengthens adversaries, encourages more ransomware attacks and facilitates future.

article thumbnail

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

article thumbnail

New SMS malware targets Android users through fake COVID messages

Tech Republic Security

Dubbed TangleBot, the malware can overlay financial apps with its own screens in an attempt to steal your account credentials, says Cloudmark.

Malware 195
article thumbnail

Apple Pay with VISA lets hackers force payments on locked iPhones

Bleeping Computer

Academic researchers have found a way to make fraudulent payments using Apple Pay from a locked iPhone with a Visa card in the digital wallet set as a transit card. [.].

145
145
article thumbnail

Cybercriminals bypass 2FA and OTP with robocalling and Telegram bots

CSO Magazine

Two-factor authentication (2FA) has been widely adopted by online services over the past several years and turning it on is probably the best thing users can do for their online account security. Faced with this additional hurdle that prevents them from exploiting stolen passwords, cybercriminals have had to adapt, too, and come up with innovative ways to extract one-time use authentication codes from users.

article thumbnail

Chinese Hackers Used a New Rootkit to Spy on Targeted Windows 10 Users

The Hacker News

A formerly unknown Chinese-speaking threat actor has been linked to a long-standing evasive operation aimed at South East Asian targets as far back as July 2020 to deploy a kernel-mode rootkit on compromised Windows systems.

Malware 134
article thumbnail

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few others applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.

article thumbnail

Why organizations are slow to patch even high-profile vulnerabilities

Tech Republic Security

Not all organizations have a team or even staffers who can focus solely on vulnerability management, says Trustwave.

214
214
article thumbnail

Apple Pay vulnerable to wireless pickpockets

Malwarebytes

Researchers have shown that it is possible for attackers to bypass an Apple iPhone’s lock screen to access payment services and make contactless transactions. The issue, which only applies to Apple Pay and Visa, is caused by the use of so-called magic bytes, a unique code used to unlock Apple Pay. In the full paper , researchers from two UK universities—the University of Birmingham and the University of Surrey—show how this feature makes it possible to wirelessly pickpocket money.

Wireless 130
article thumbnail

Seven strategies for building a great security team

CSO Magazine

Brennan P. Baybeck lists building a successful team as one of his top responsibilities as a CISO. “If you surround yourself with great people, make sure they’re successful and have what they need—the training, the budget, the right headcount—then great security comes along,” he says. “But if you don’t put that focus on your team, it’s not going to happen.” [ Learn the 5 key qualities of successful CISOs, and how to develop them and 7 security incidents that cost CISOs their jobs. | Sign up for C

CISO 131
article thumbnail

Google wants you to follow these cybersecurity basics

CyberSecurity Insiders

As the world is turning completely digital, the need to be connected to the internet has become a necessity to everyone, rather than just a trend. However, not all seem to be merry for staying connected to the web 24×7. As hackers and cyber crooks are always on a prowl of vulnerable of those who can be targeted easily by email scams, messages, malware or phishing attacks.

article thumbnail

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Did you know that 2021 was a record-breaking year for ransomware? The days of a “once in a while” attack against businesses and organizations are over. Cyberthreats have become a serious issue. With 495.1 million attacks, the threat marked a 148% increase compared to 2020 and was the most expensive year on record! As a result, data protection needs to be a concern for most banks, businesses, and information technology specialists.