The Last Watchdog

DECEMBER 14, 2023

Here’s part two of Last Watchdog’s year-end tête-à-tête with top cybersecurity experts. Part three to follow on Friday. We asked two questions: •What should be my biggest takeaway from 2023, with respect to mitigating cyber risks at my organization? •What should I be most concerned about – and focus on – in 2024? Their guidance: Brandon Colley , Principal Security Consultant, Trimarc Security Colley Some 10-year-old vulnerabilities are still wildly prevalent.

Cybersecurity 236

Cybersecurity Risk Cyber threats CSO 236

Schneier on Security

DECEMBER 12, 2023

Interesting attack based on malicious pre-OS logo images : LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux… The vulnerabilities are the subject of a coordinated mass disclosure released Wednesday.

Firmware 296

Firmware Manufacturing Internet Internet 296

Joseph Steinberg

DECEMBER 11, 2023

Veteran cybersecurity expert witness executive will help strengthen law enforcement capabilities to prevent, investigate, and prosecute information-age crimes. Washington, DC — December 11, 2023 — The International Association of Chiefs of Police (IACP) has appointed long-time information-security-industry veteran and cybersecurity expert witness, Joseph Steinberg, to the organization’s Computer Crime & Digital Evidence Committee.

Cybersecurity 250

Cybersecurity Artificial Intelligence CISO Technology 250

Lohrman on Security

DECEMBER 10, 2023

This was a year unlike any other in the brief history of the cybersecurity industry, with generative artificial intelligence disrupting plans and ushering in unparalleled change to security.

Artificial Intelligence 239

Artificial Intelligence Cybersecurity 239

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

The Last Watchdog

DECEMBER 13, 2023

Notable progress was made in 2023 in the quest to elevate Digital Trust. Related: Why IoT standards matter Digital Trust refers to the level of confidence both businesses and consumers hold in digital products and services – not just that they are suitably reliable, but also that they are as private and secure as they need to be. We’re not yet at a level of Digital Trust needed to bring the next generation of connected IT into full fruition – and the target keeps moving.

Encryption 312

Encryption Technology CISO IoT 312

Schneier on Security

DECEMBER 15, 2023

In 2016, I wrote about an Internet that affected the world in a direct, physical manner. It was connected to your smartphone. It had sensors like cameras and thermostats. It had actuators: Drones, autonomous cars. And it had smarts in the middle, using sensor data to figure out what to do and then actually do it. This was the Internet of Things (IoT).

Internet 275

Internet Internet IoT Banking 275

Krebs on Security

DECEMBER 12, 2023

The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known “zero-day” threats targeting any of the vulnerabilities in December’s patch batch. Still, four of the updates pushed out today address “critical” vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete c

Internet 209

Internet Internet Engineering Malware 209

The Last Watchdog

DECEMBER 14, 2023

Here’s the final installment of leading technologists sharing their observations about cybersecurity developments in the year that’s coming to a close — and the year to come. Last Watchdog posed two questions: •What should be my biggest takeaway from 2023, with respect to mitigating cyber risks at my organization? •What should I be most concerned about – and focus on – in 2024?

Cybersecurity 235

Cybersecurity Marketing Encryption CISO 235

Schneier on Security

DECEMBER 11, 2023

It’s happened. Details here , and tech details here (for messages in transit) and here (for messages in storage) Rollout to everyone will take months, but it’s a good day for both privacy and security. Slashdot thread.

Encryption 268

Encryption Cybersecurity 268

Tech Republic Security

DECEMBER 12, 2023

Recruiters and anyone else involved in hiring processes should be knowledgeable about this social engineering attack threat. Get the details.

Social Engineering 180

Social Engineering Engineering Malware Big data 180

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Bleeping Computer

DECEMBER 14, 2023

Since yesterday, customers of Ubiquiti networking devices, ranging from routers to security cameras, have reported seeing other people's devices and notifications through the company's cloud services. [.

Technology 142

Technology 142

We Live Security

DECEMBER 11, 2023

A security compromise so stealthy that it doesn’t even require your interaction? Yes, zero-click attacks require no action from you – but this doesn’t mean you’re left vulnerable.

Media 141

Media 141

Schneier on Security

DECEMBER 13, 2023

This is not about mass surveillance of mail , this is about sorts of targeted surveillance the US Postal Inspection Service uses to catch mail thieves : To track down an alleged mail thief, a US postal inspector used license plate reader technology, GPS data collected by a rental car company, and, most damning of all, hid a camera inside one of the targeted blue post boxes which captured the suspect’s full face as they allegedly helped themselves to swathes of peoples’ mail.

Surveillance 238

Surveillance Data collection Technology 238

Tech Republic Security

DECEMBER 15, 2023

Learn about the different types of VPNs and when to use them. Find out which type of VPN suits your needs with this comprehensive guide.

VPN 164

VPN 164

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Bleeping Computer

DECEMBER 12, 2023

Roughly 1,450 pfSense instances exposed online are vulnerable to command injection and cross-site scripting flaws that, if chained, could enable attackers to perform remote code execution on the appliance. [.

141

141

Security Affairs

DECEMBER 10, 2023

WordPress 6.4.2 addressed a security vulnerability that could be chained with another flaw to achieve remote code execution. WordPress released a security update to address a flaw that can be chained with another issue to gain remote code execution. According to the advisory, the RCE flaw is not directly exploitable in the core, however, threat actors can chain it with some plugins, especially in multisite installations, to execute arbitrary code. “A Remote Code Execution vulnerability tha

Hacking 137

Hacking Cybersecurity Information Security 137

Schneier on Security

DECEMBER 14, 2023

This seems like a bad idea. And there are ongoing lawsuits against Amazon for selling them.

Surveillance 254

Surveillance Marketing 254

Tech Republic Security

DECEMBER 12, 2023

Mozilla VPN’s fast performance may not be enough to make up for its small server network and lack of features. Learn more about it in our full review below.

VPN 140

VPN 140

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Bleeping Computer

DECEMBER 11, 2023

A critical severity vulnerability in a WordPress plugin with more than 90,000 installs can let attackers gain remote code execution to fully compromise vulnerable websites. [.

Backups 141

Backups 141

Malwarebytes

DECEMBER 11, 2023

Amazon customers have been seeing a message on social media that has caused some alarm. Most of the posts look like one of these (depending on the social media platform): “PSA!! Amazon got hacked. For USA based people, check your Amazon account. Hackers added HUB lockers as your default delivery addresses. Remove it! I had 2 added to mine.” Hub lockers are local secure places for people to pick up their Amazon order rather than risk them being left on a doorstep, so the concern was that someone

Hacking 133

Hacking Media Accountability Banking 133

Security Boulevard

DECEMBER 10, 2023

As we stand at the precipice of 2024, the intersection of artificial intelligence (AI) and cybersecurity looms large, with phishing attacks emerging as a focal point of concern. The integration of AI is poised to redefine the threat landscape, introducing unprecedented levels of complexity and stealth to these attacks. Without strategic intervention, organizations may find […] The post Navigating an AI-Enhanced Landscape of Cybersecurity in 2024: A Proactive Approach to Phishing Training in Ente

Phishing 133

Phishing Artificial Intelligence Cybersecurity 133

Tech Republic Security

DECEMBER 13, 2023

Google also announced Duet AI for Developers and Duet AI in Security Operations, but neither uses Gemini yet. Starting Dec.

Technology 157

Technology 157

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

Bleeping Computer

DECEMBER 14, 2023

This year has seen the emergence of ten new Android banking malware families, which collectively target 985 bank and fintech/trading apps from financial institutes across 61 countries. [.

Banking 135

Banking Malware Mobile 135

IT Security Guru

DECEMBER 13, 2023

Have you ever wondered who keeps our online world safe from all the bad guys? The heroes who do this have a special kind of training – they have a Master’s degree in something called Cyber Security. It’s like being a detective in the digital world, where you need to solve online mysteries and catch cybercriminals. This field is expanding as corporations everywhere seek digital detectives to protect their data.

Banking 131

Banking Cyber threats Internet Internet 131

The Hacker News

DECEMBER 15, 2023

Multiple security vulnerabilities have been discovered in the open-source Netgate pfSense firewall solution called pfSense that could be chained by an attacker to execute arbitrary commands on susceptible appliances. The issues relate to two reflected cross-site scripting (XSS) bugs and one command injection flaw, according to new findings from Sonar.

Firewall 130

Firewall Software 130

Tech Republic Security

DECEMBER 11, 2023

Want to make sure everyone on your team is secure? Get a lifetime subscription to FastestVPN PRO, now just $29.97 through Christmas Day for 15 devices.

VPN 136

VPN Network Security 136

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Bleeping Computer

DECEMBER 12, 2023

Today is Microsoft's December 2023 Patch Tuesday, which includes security updates for a total of 34 flaws and one previously disclosed, unpatched vulnerability in AMD CPUs. [.

135

135

Security Affairs

DECEMBER 10, 2023

Researchers discovered a lock screen bypass bug in Android 14 and 13 that could expose sensitive data in users’ Google accounts. The security researcher Jose Rodriguez ( @VBarraquito ) discovered a new lock screen bypass vulnerability for Android 14 and 13. A threat actor with physical access to a device can access photos, contacts, browsing history and more.

Accountability 132

Accountability Hacking Mobile Information Security 132

Security Boulevard

DECEMBER 13, 2023

When will it end? Russia takes down Kyivstar cellular system, Ukraine destroys Russian tax system. The post Russia Hacks Ukraine, Ukraine Hacks Russia — Day#658 appeared first on Security Boulevard.

Hacking 130

Hacking Digital transformation Social Engineering Data privacy 130

Penetration Testing

DECEMBER 14, 2023

Subhunter A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS),... The post Subhunter: A highly efficient and powerful subdomain takeover tool appeared first on Penetration Testing.

Penetration Testing 129

Penetration Testing DNS 129

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk