Sat.May 04, 2024 - Fri.May 10, 2024

article thumbnail

New Attack on VPNs

Schneier on Security

This attack has been feasible for over two decades: Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering. TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloa

VPN 287
article thumbnail

Why Your VPN May Not Be As Secure As It Claims

Krebs on Security

Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user.

VPN 264
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Combatting Deepfakes in Australia: Content Credentials is the Start

Tech Republic Security

The production of deepfakes is accelerating at more than 1,500% in Australia, forcing organisations to create and adopt standards like Content Credentials.

article thumbnail

CVE-2024-24787 (CVSS 9.8): Go Vulnerability Could Lead to Code Execution

Penetration Testing

The Go programming language, known for its simplicity and efficiency in software development, has recently issued a crucial security advisory addressing two severe vulnerabilities. These flaws, identified in the Go environment, could potentially allow... The post CVE-2024-24787 (CVSS 9.8): Go Vulnerability Could Lead to Code Execution appeared first on Penetration Testing.

article thumbnail

Reimagining Cybersecurity Training: Driving Real Impact on Security Culture

Speaker: Speakers:

They say a defense can be measured by its weakest link. In your cybersecurity posture, what––or who––is the weakest link? And how can you make them stronger? This webinar will equip you with the resources to search for quality training, implement it, and improve the cyber-behaviors of your workforce. By the end of the hour, you will feel empowered to improve the aspects of your security posture you control the least – the situational awareness and decision-making of your workforce.

article thumbnail

How Criminals Are Using Generative AI

Schneier on Security

There’s a new report on how criminals are using generative AI tools: Key Takeaways: Adoption rates of AI technologies among criminals lag behind the rates of their industry counterparts because of the evolving nature of cybercrime. Compared to last year, criminals seem to have abandoned any attempt at training real criminal large language models (LLMs).

article thumbnail

Chrome Zero-Day Alert — Update Your Browser to Patch New Vulnerability

The Hacker News

Google on Thursday released security updates to address a zero-day flaw in Chrome that it said has been actively exploited in the wild. Tracked as CVE-2024-4671, the high-severity vulnerability has been described as a case of use-after-free in the Visuals component. It was reported by an anonymous researcher on May 7, 2024.

139
139

More Trending

article thumbnail

CVE-2024-4367 & CVE-2024-34342: JavaScript Flaws Threaten Millions of PDF.js and React-PDF Users

Penetration Testing

A significant security flaw has been identified in PDF.js, a widely-used, Mozilla-supported PDF viewer developed with HTML5, and React-PDF, a popular npm package for displaying PDFs within React applications. This vulnerability, which allows for... The post CVE-2024-4367 & CVE-2024-34342: JavaScript Flaws Threaten Millions of PDF.js and React-PDF Users appeared first on Penetration Testing.

article thumbnail

New Lawsuit Attempting to Make Adversarial Interoperability Legal

Schneier on Security

Lots of complicated details here: too many for me to summarize well. It involves an obscure Section 230 provision—and an even more obscure typo. Read this.

243
243
article thumbnail

Top FBI Official Urges Agents to Use Warrantless Wiretaps on US Soil

WIRED Threat Level

An internal email from FBI deputy director Paul Abbate, obtained by WIRED, tells employees to search for “US persons” in a controversial spy program's database that investigators have repeatedly misused.

142
142
article thumbnail

How Can Businesses Defend Themselves Against Common Cyberthreats?

Tech Republic Security

TechRepublic consolidated expert advice on how businesses can defend themselves against the most common cyberthreats, including zero-days, ransomware and deepfakes.

article thumbnail

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

article thumbnail

Google Rushes to Patch Chrome Zero-Day Exploit: CVE-2024-4671

Penetration Testing

Google has rushed out an emergency security update for its Chrome browser to address a critical vulnerability already being exploited by threat actors. The flaw, designated CVE-2024-4671, is a “use after free” bug located... The post Google Rushes to Patch Chrome Zero-Day Exploit: CVE-2024-4671 appeared first on Penetration Testing.

article thumbnail

Dell notifies customers about data breach

Malwarebytes

Dell is warning its customers about a data breach after a cybercriminal offered a 49 million-record database of information about Dell customers on a cybercrime forum. A cybercriminal called Menelik posted the following message on the “Breach Forums” site: “The data includes 49 million customer and other information of systems purchased from Dell between 2017-2024.

article thumbnail

China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices

The Hacker News

The recently uncovered cyber espionage campaign targeting perimeter network devices from several vendors, including Cisco, may have been the work of China-linked actors, according to new findings from attack surface management firm Censys.

139
139
article thumbnail

Google Steps Up The Battle Against Gmail Spam

Tech Republic Security

Additional enforcement means non-compliant email may be delivered to spam folders. Here’s what Google Workspace administrators and Gmail users need to know.

article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

Apple’s iPhone Spyware Problem Is Getting Worse. Here’s What You Should Know

WIRED Threat Level

The iPhone maker has detected spyware attacks against people in more than 150 countries. Knowing if your device is infected can be tricky—but there are a few steps you can take to protect yourself.

Spyware 139
article thumbnail

Dell API abused to steal 49 million customer records in data breach

Bleeping Computer

The threat actor behind the recent Dell data breach revealed they scraped information of 49 million customer records using an partner portal API they accessed as a fake company. [.

article thumbnail

Lessons Learned from Developing Secure AI Workflows at Google

Elie

This talk discuss through concrete examples how to use the Google Security AI Framework (SAIF) to protect AI systems and workflows

149
149
article thumbnail

The Australian Government’s Manufacturing Objectives Rely on IT Capabilities

Tech Republic Security

The intent of the Future Made in Australia Act is to build manufacturing capabilities across all sectors, which will likely lead to more demand for IT skills and services.

article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

TikTok Ban — ByteDance Sues US to Kill Bill

Security Boulevard

PAFACA SueTok: U.S. Courts “likely” to rule whether new law is constitutional—or even practical. The post TikTok Ban — ByteDance Sues US to Kill Bill appeared first on Security Boulevard.

article thumbnail

Microsoft: April Windows Server updates also cause crashes, reboots

Bleeping Computer

Microsoft has confirmed that last month's Windows Server security updates may also cause domain controller reboots after the Local Security Authority Subsystem Service (LSASS) process crashes. [.

132
132
article thumbnail

Major VPN Flaw Exposed: “TunnelVision” (CVE-2024-3661) Threatens Security on Public Networks

Penetration Testing

The very backbone of Virtual Private Networks (VPNs), praised for their ability to secure online activities, is under scrutiny following a breakthrough discovery by Dani Cronce and Lizzie Moratti from Leviathan Security Group. Their... The post Major VPN Flaw Exposed: “TunnelVision” (CVE-2024-3661) Threatens Security on Public Networks appeared first on Penetration Testing.

VPN 131
article thumbnail

Udemy Report: Which IT Skills Are Most in Demand in Q1 2024?

Tech Republic Security

Informatica PowerCenter, Microsoft Playwright and Oracle Database SQL top Udemy’s list of most popular tech courses.

Big data 164
article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

article thumbnail

One in Four Tech CISOs Unhappy with Compensation

Security Boulevard

Stagnating security budgets and mounting job pressures are weighing on CISOs, a quarter of whom expressed discontent with their salary and overall compensation. Show me the money: The average total compensation for tech CISOs stands at $710,000. The post One in Four Tech CISOs Unhappy with Compensation appeared first on Security Boulevard.

CISO 130
article thumbnail

Dell warns of data breach, 49 million customers allegedly affected

Bleeping Computer

Dell is warning customers of a data breach after a threat actor claimed to have stolen information for approximately 49 million customers. [.

article thumbnail

FIN7 Hackers Using Signed Malware and Fake Google Ads to Evade Defenses

Penetration Testing

Researchers at eSentire’s Threat Response Unit (TRU) have uncovered a disturbing trend in FIN7 attacks demonstrating the notorious cybercrime group’s evolving tactics for infiltrating systems. FIN7’s campaign targets users with malicious websites disguised as... The post FIN7 Hackers Using Signed Malware and Fake Google Ads to Evade Defenses appeared first on Penetration Testing.

article thumbnail

Citrix warns customers to update PuTTY version installed on their XenCenter system manually

Security Affairs

Citrix urges customers to manually address a PuTTY SSH client flaw that could allow attackers to steal a XenCenter admin’s private SSH key. Versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR used PuTTY, a third-party component, for SSH connections to guest VMs. However, PuTTY inclusion was deprecated with XenCenter version 8.2.6, and any versions after 8.2.7 will not include PuTTY.

article thumbnail

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

article thumbnail

Dell Data Breach Could Affect 49 Million Customers

Security Boulevard

The tech giant says the information stolen doesn't represent a significant risk to users, but cybersecurity experts disagree. The post Dell Data Breach Could Affect 49 Million Customers appeared first on Security Boulevard.

article thumbnail

FBI warns US retailers that hackers are targeting their gift card systems

Graham Cluley

The FBI has issued a warning to US retailers about a financially-motivated malicious hacking ring that has been targeting employees with phishing attacks in an attempt to create fraudulent gift cards. Read more in my article on the Tripwire State of Security blog.

Retail 117
article thumbnail

CVE-2024-34456: Trend Micro Patches Code Injection Vulnerability in Antivirus One

Penetration Testing

Trend Micro, a leading provider of cybersecurity solutions, has released an important update for its Antivirus One software, targeting a critical vulnerability that could have allowed attackers to inject malicious code. The issue tracked... The post CVE-2024-34456: Trend Micro Patches Code Injection Vulnerability in Antivirus One appeared first on Penetration Testing.

Antivirus 124
article thumbnail

Google fixes fifth actively exploited Chrome zero-day this year

Security Affairs

Since the start of the year, Google released an update to fix the fifth actively exploited zero-day vulnerability in the Chrome browser. Google this week released security updates to address a zero-day flaw, tracked as CVE-2024-467, in Chrome browser. The vulnerability is the fifth zero-day flaw in the Google browser that is exploited in the wild since the start of the year.

article thumbnail

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.