Sat.May 04, 2024 - Fri.May 10, 2024

article thumbnail

New Attack on VPNs

Schneier on Security

This attack has been feasible for over two decades: Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering. TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloa

VPN 320
article thumbnail

Why Your VPN May Not Be As Secure As It Claims

Krebs on Security

Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user.

VPN 264
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Can VPNs Be Tracked by the Police?

Tech Republic Security

VPNs are popular due to the fact they add security and privacy to what are otherwise daily open Wi-Fi and public internet channels. But can VPNs be tracked by the police?

Internet 175
article thumbnail

CVE-2024-24787 (CVSS 9.8): Go Vulnerability Could Lead to Code Execution

Penetration Testing

The Go programming language, known for its simplicity and efficiency in software development, has recently issued a crucial security advisory addressing two severe vulnerabilities. These flaws, identified in the Go environment, could potentially allow... The post CVE-2024-24787 (CVSS 9.8): Go Vulnerability Could Lead to Code Execution appeared first on Penetration Testing.

article thumbnail

Enhance Innovation and Governance Through the Cloud Development Maturity Model

Leverage the Cloud Development Environment Maturity Model to elevate your software development practices with scalable, secure cloud-based workspaces. This model offers a structured approach to modernizing development, aligning technology, developer experience, security, and workflows. By implementing Cloud Development Environments (CDEs), teams can boost efficiency, improve security, and streamline operations through centralized governance.

article thumbnail

How Criminals Are Using Generative AI

Schneier on Security

There’s a new report on how criminals are using generative AI tools: Key Takeaways: Adoption rates of AI technologies among criminals lag behind the rates of their industry counterparts because of the evolving nature of cybercrime. Compared to last year, criminals seem to have abandoned any attempt at training real criminal large language models (LLMs).

article thumbnail

Apple’s iPhone Spyware Problem Is Getting Worse. Here’s What You Should Know

WIRED Threat Level

The iPhone maker has detected spyware attacks against people in more than 150 countries. Knowing if your device is infected can be tricky—but there are a few steps you can take to protect yourself.

Spyware 144

More Trending

article thumbnail

CVE-2024-4367 & CVE-2024-34342: JavaScript Flaws Threaten Millions of PDF.js and React-PDF Users

Penetration Testing

A significant security flaw has been identified in PDF.js, a widely-used, Mozilla-supported PDF viewer developed with HTML5, and React-PDF, a popular npm package for displaying PDFs within React applications. This vulnerability, which allows for... The post CVE-2024-4367 & CVE-2024-34342: JavaScript Flaws Threaten Millions of PDF.js and React-PDF Users appeared first on Penetration Testing.

article thumbnail

New Lawsuit Attempting to Make Adversarial Interoperability Legal

Schneier on Security

Lots of complicated details here: too many for me to summarize well. It involves an obscure Section 230 provision—and an even more obscure typo. Read this.

278
278
article thumbnail

Top FBI Official Urges Agents to Use Warrantless Wiretaps on US Soil

WIRED Threat Level

An internal email from FBI deputy director Paul Abbate, obtained by WIRED, tells employees to search for “US persons” in a controversial spy program's database that investigators have repeatedly misused.

143
143
article thumbnail

The Australian Government’s Manufacturing Objectives Rely on IT Capabilities

Tech Republic Security

The intent of the Future Made in Australia Act is to build manufacturing capabilities across all sectors, which will likely lead to more demand for IT skills and services.

article thumbnail

Bringing the Cybersecurity Imperative Into Focus

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

article thumbnail

Chrome Zero-Day Alert — Update Your Browser to Patch New Vulnerability

The Hacker News

Google on Thursday released security updates to address a zero-day flaw in Chrome that it said has been actively exploited in the wild. Tracked as CVE-2024-4671, the high-severity vulnerability has been described as a case of use-after-free in the Visuals component. It was reported by an anonymous researcher on May 7, 2024.

143
143
article thumbnail

Duo’s New Session Trust Solution Provides Continuous Policy

Duo's Security Blog

User experience and security protocols have historically been at odds. To improve security outcomes, users are forced to jump through more hoops to gain access to sensitive resources. Duo is rethinking this paradigm with the launch of Session Trust’s continuous policy. Challenge with sessions When a user logs in to a new application, the website sends a cookie that is stored in the browser.

Risk 142
article thumbnail

Google Rushes to Patch Chrome Zero-Day Exploit: CVE-2024-4671

Penetration Testing

Google has rushed out an emergency security update for its Chrome browser to address a critical vulnerability already being exploited by threat actors. The flaw, designated CVE-2024-4671, is a “use after free” bug located... The post Google Rushes to Patch Chrome Zero-Day Exploit: CVE-2024-4671 appeared first on Penetration Testing.

article thumbnail

How Can Businesses Defend Themselves Against Common Cyberthreats?

Tech Republic Security

TechRepublic consolidated expert advice on how businesses can defend themselves against the most common cyberthreats, including zero-days, ransomware and deepfakes.

article thumbnail

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

article thumbnail

China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices

The Hacker News

The recently uncovered cyber espionage campaign targeting perimeter network devices from several vendors, including Cisco, may have been the work of China-linked actors, according to new findings from attack surface management firm Censys.

142
142
article thumbnail

Dell notifies customers about data breach

Malwarebytes

Dell is warning its customers about a data breach after a cybercriminal offered a 49 million-record database of information about Dell customers on a cybercrime forum. A cybercriminal called Menelik posted the following message on the “Breach Forums” site: “The data includes 49 million customer and other information of systems purchased from Dell between 2017-2024.

article thumbnail

Dell API abused to steal 49 million customer records in data breach

Bleeping Computer

The threat actor behind the recent Dell data breach revealed they scraped information of 49 million customer records using an partner portal API they accessed as a fake company. [.

article thumbnail

Google Steps Up The Battle Against Gmail Spam

Tech Republic Security

Additional enforcement means non-compliant email may be delivered to spam folders. Here’s what Google Workspace administrators and Gmail users need to know.

article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

Germany Warns Russia: Hacking Will Have Consequences

Security Boulevard

War of the words: Fancy Bear actions are “intolerable and unacceptable,” complains German foreign minister Annalena Baerbock. The post Germany Warns Russia: Hacking Will Have Consequences appeared first on Security Boulevard.

Hacking 134
article thumbnail

Major VPN Flaw Exposed: “TunnelVision” (CVE-2024-3661) Threatens Security on Public Networks

Penetration Testing

The very backbone of Virtual Private Networks (VPNs), praised for their ability to secure online activities, is under scrutiny following a breakthrough discovery by Dani Cronce and Lizzie Moratti from Leviathan Security Group. Their... The post Major VPN Flaw Exposed: “TunnelVision” (CVE-2024-3661) Threatens Security on Public Networks appeared first on Penetration Testing.

VPN 132
article thumbnail

Microsoft: April Windows Server updates also cause crashes, reboots

Bleeping Computer

Microsoft has confirmed that last month's Windows Server security updates may also cause domain controller reboots after the Local Security Authority Subsystem Service (LSASS) process crashes. [.

132
132
article thumbnail

Udemy Report: Which IT Skills Are Most in Demand in Q1 2024?

Tech Republic Security

Informatica PowerCenter, Microsoft Playwright and Oracle Database SQL top Udemy’s list of most popular tech courses.

Big data 164
article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

Lessons Learned from Developing Secure AI Workflows at Google

Elie

This talk discuss through concrete examples how to use the Google Security AI Framework (SAIF) to protect AI systems and workflows

149
149
article thumbnail

TikTok Ban — ByteDance Sues US to Kill Bill

Security Boulevard

PAFACA SueTok: U.S. Courts “likely” to rule whether new law is constitutional—or even practical. The post TikTok Ban — ByteDance Sues US to Kill Bill appeared first on Security Boulevard.

article thumbnail

Dell warns of data breach, 49 million customers allegedly affected

Bleeping Computer

Dell is warning customers of a data breach after a threat actor claimed to have stolen information for approximately 49 million customers. [.

article thumbnail

FIN7 Hackers Using Signed Malware and Fake Google Ads to Evade Defenses

Penetration Testing

Researchers at eSentire’s Threat Response Unit (TRU) have uncovered a disturbing trend in FIN7 attacks demonstrating the notorious cybercrime group’s evolving tactics for infiltrating systems. FIN7’s campaign targets users with malicious websites disguised as... The post FIN7 Hackers Using Signed Malware and Fake Google Ads to Evade Defenses appeared first on Penetration Testing.

article thumbnail

IT Leadership Agrees AI is Here, but Now What?

IT leaders are experiencing rapid evolution in AI amid sustained investment uncertainty. As AI evolves, enhanced cybersecurity and hiring challenges grow. This whitepaper offers real strategies to manage risks and position your organization for success.

article thumbnail

Ransomware drama: Law enforcement seized Lockbit group’s website again

Security Affairs

Law enforcement seized the Lockbit group’s Tor website again and announced they will reveal more identities of its operators Law enforcement seized the Lockbit group’s Tor website again. The authorities resumed the Lockbit seized leak site and mocked its administrators. According to the countdown active on the seized, law enforcement that are currently controlling the website will reveal the identities of the LockBitSupps and other members of the gang on May 7, 2024, at 14:00:00 UTC.

article thumbnail

One in Four Tech CISOs Unhappy with Compensation

Security Boulevard

Stagnating security budgets and mounting job pressures are weighing on CISOs, a quarter of whom expressed discontent with their salary and overall compensation. Show me the money: The average total compensation for tech CISOs stands at $710,000. The post One in Four Tech CISOs Unhappy with Compensation appeared first on Security Boulevard.

CISO 128
article thumbnail

A (Strange) Interview the Russian-Military-Linked Hackers Targeting US Water Utilities

WIRED Threat Level

Despite Cyber Army of Russia’s claims of swaying US “minds and hearts,” experts say the cyber sabotage group appears to be hyping its hacking for a domestic audience.

Hacking 129
article thumbnail

CVE-2024-34456: Trend Micro Patches Code Injection Vulnerability in Antivirus One

Penetration Testing

Trend Micro, a leading provider of cybersecurity solutions, has released an important update for its Antivirus One software, targeting a critical vulnerability that could have allowed attackers to inject malicious code. The issue tracked... The post CVE-2024-34456: Trend Micro Patches Code Injection Vulnerability in Antivirus One appeared first on Penetration Testing.

Antivirus 125
article thumbnail

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.