Schneier on Security
MARCH 14, 2024
Kasmir Hill has the story : Modern cars are internet-enabled, allowing access to services like navigation, roadside assistance and car apps that drivers can connect to their vehicles to locate them or unlock them remotely. In recent years, automakers, including G.M., Honda, Kia and Hyundai, have started offering optional features in their connected-car apps that rate people’s driving.
Krebs on Security
MARCH 14, 2024
The data privacy company Onerep.com bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of onerep.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Troy Hunt
MARCH 12, 2024
Over the last 6 years, we've been very happy to welcome dozens of national governments to have unhindered access to their domains in Have I Been Pwned , free from cost and manual verification barriers. Today, we're happy to welcome Liechtenstein's National Cyber Security Unit who now have full access to their government domains. We provide this support to governments to help those tasked with protecting their national interests understand more about the threats posed by data breac
Lohrman on Security
MARCH 10, 2024
Many global cyber teams are analyzing cyber defense gaps now that the NIST Cybersecurity Framework 2.0 has been released. How will this guidance move the protection needle?
Advertisement
How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.
Schneier on Security
MARCH 12, 2024
Researchers have demonstrated that putting words in ASCII art can cause LLMs—GPT-3.5, GPT-4 , Gemini, Claude, and Llama2—to ignore their safety instructions. Research paper.
Krebs on Security
MARCH 11, 2024
Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an “exit scam” that left users unable to withdraw millions of dollars worth of funds from the platform.
Cyber Security Informer brings together the best content for cyber security professionals from the widest variety of industry thought leaders.
Tech Republic Security
MARCH 15, 2024
Learn the key differences between multi-factor authentication (MFA) and two-factor authentication (2FA) and find out which one is best for your business needs.
Schneier on Security
MARCH 11, 2024
Initial results in using LLMs to unredact text based on the size of the individual-word redaction rectangles. This feels like something that a specialized ML system could be trained on.
Penetration Testing
MARCH 15, 2024
AttackGen AttackGen is a cybersecurity incident response testing tool that leverages the power of large language models and the comprehensive MITRE ATT&CK framework. The tool generates tailored incident response scenarios based on user-selected threat... The post attackgen: A cybersecurity incident response testing tool appeared first on Penetration Testing.
NetSpi Technical
MARCH 11, 2024
In 2023 NetSPI discovered that Microsoft Outlook was vulnerable to authenticated remote code execution (RCE) via synced form objects. This blog will cover how we discovered CVE-2024-21378 and weaponized it by modifying Ruler , an Outlook penetration testing tool published by SensePost. Note, a pull request containing the proof-of-concept code is forthcoming to provide organizations with sufficient time to patch.
Advertiser: Revenera
In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.
Tech Republic Security
MARCH 15, 2024
What’s the best VPN to use when traveling? Our in-depth guide helps you understand what to look for in a VPN and find the best solution for your needs.
Schneier on Security
MARCH 15, 2024
C++ guru Herb Sutter writes about how we can improve the programming language for better security. The immediate problem “is” that it’s Too Easy By Defaultâ„¢ to write security and safety vulnerabilities in C++ that would have been caught by stricter enforcement of known rules for type, bounds, initialization , and lifetime language safety.
Penetration Testing
MARCH 13, 2024
Security researchers have disclosed two vulnerabilities (CVE-2024-23672 and CVE-2024-24549) in popular Apache Tomcat web server software. Organizations relying on Tomcat must prioritize updates to mitigate denial of service (DoS) attacks exploiting these flaws. What’s... The post Apache Tomcat Vulnerabilities Exposed, Prompt Updates Required appeared first on Penetration Testing.
Bleeping Computer
MARCH 15, 2024
A former manager at a telecommunications company in New Jersey pleaded guilty to conspiracy charges for accepting money to perform unauthorized SIM swaps that enabled an accomplice to hack customer accounts. [.
Advertisement
The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.
Tech Republic Security
MARCH 15, 2024
Burnout and fatigue among cyber professionals are leading to flow-on consequences like more data breaches, employee apathy to cyber duties and turnover of cyber workforces during a skills crisis.
Schneier on Security
MARCH 13, 2024
The arms race continues, as burglars are learning how to use jammers to disable Wi-Fi security cameras.
Penetration Testing
MARCH 10, 2024
Today, Security researchers at The Shadowserver Foundation have sounded the alarm after discovering approximately 16,500 VMware ESXi instances exposed to a critical security flaw. The vulnerability, designated as CVE-2024-22252, could potentially allow attackers to... The post Thousands of VMware ESXi Instances Exposed to Critical CVE-2024-22252 Vulnerability appeared first on Penetration Testing.
Bleeping Computer
MARCH 14, 2024
SIM swappers have adapted their attacks to steal a target's phone number by porting it into a new eSIM card, a digital SIM stored in a rewritable chip present on many recent smartphone models. [.
Speaker: Blackberry, OSS Consultants, & Revenera
Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?
Tech Republic Security
MARCH 12, 2024
Information is the lifeblood of the business. Without it, employees can’t work, customers can’t interact with the business, bills can’t be paid and profits can’t be earned. Any given technological environment is useless if its main purpose for existence — the processing and sharing of information — is threatened or eliminated.
Security Affairs
MARCH 9, 2024
Researchers warn that the critical vulnerability CVE-2024-21762 in Fortinet FortiOS could potentially impact 150,000 exposed devices. In February, Fortinet warned that the critical remote code execution vulnerability CVE-2024-21762 (CVSS score 9.6) in FortiOS SSL VPN was actively exploited in attacks in the wild. The security firm did not provide details about the attacks exploiting this vulnerability.
Penetration Testing
MARCH 9, 2024
SiCat – The useful exploit finder SiCat is an advanced exploit search tool designed to identify and gather information about exploits from both open sources and local repositories effectively. With a focus on cybersecurity,... The post sicat: an advanced exploit search tool appeared first on Penetration Testing.
Bleeping Computer
MARCH 12, 2024
The Tor Project officially introduced WebTunnel, a new bridge type specifically designed to help bypass censorship targeting the Tor network by hiding connections in plain sight. [.
Advertisement
Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.
Tech Republic Security
MARCH 13, 2024
Learn about open-source password managers, the benefits, and the potential drawbacks of using these tools for managing your passwords securely.
Security Affairs
MARCH 9, 2024
Threat actors hacked the systems of the Cybersecurity and Infrastructure Security Agency (CISA) by exploiting Ivanti flaws. The US Cybersecurity and Infrastructure Security Agency (CISA) agency was hacked in February, the Recorded Future News first reported. In response to the security breach, the agency had to shut down two crucial systems, as reported by a CISA spokesperson and US officials with knowledge of the incident, according to CNN.
Penetration Testing
MARCH 12, 2024
A recently uncovered phishing campaign demonstrates a concerning level of sophistication in its efforts to infiltrate systems and deploy an array of powerful Remote Access Trojans (RATs). Security researchers at FortiGuard Labs have discovered... The post VCURMS: New Java RATs Unleashed in Sophisticated Phishing Scheme appeared first on Penetration Testing.
Bleeping Computer
MARCH 10, 2024
Hackers are breaching WordPress sites by exploiting a vulnerability in outdated versions of the Popup Builder plugin, infecting over 3,300 websites with malicious code. [.
Speaker: Erika R. Bales, Esq.
When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.
Tech Republic Security
MARCH 14, 2024
In the modern digital era, where businesses experience constant and persistent attacks on their information technology infrastructure from malicious and criminal third parties, data security must be a vital part of any enterprise security strategy. The attachment of substantial financial consequences for security breaches and data loss by regulatory agencies only increases that urgency.
Security Boulevard
MARCH 11, 2024
Free rides and traffic jams: U.S. Cybersecurity and Infrastructure Security Agency penetrated in February, via vuln in Ivanti. The post Irony of Ironies: CISA Hacked — ‘by China’ appeared first on Security Boulevard.
Penetration Testing
MARCH 13, 2024
Recently, researchers at the Zero Day Initiative (ZDI) have dissected a complex DarkGate malware campaign targeting users through a zero-day flaw in Microsoft Windows SmartScreen (CVE-2024-21412). The attackers, associated with the notorious DarkGate group, are... The post New DarkGate Malware Campaign Exploits 0-day CVE-2024-21412 Flaw appeared first on Penetration Testing.
Bleeping Computer
MARCH 13, 2024
Fortinet patched a critical vulnerability in its FortiClient Enterprise Management Server (EMS) software that can allow attackers to gain remote code execution (RCE) on vulnerable servers. [.
Speaker: William Hord, Vice President of ERM Services
A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.
Expert insights. Personalized for you.
303 
Let's personalize your content