Sat.Feb 10, 2024 - Fri.Feb 16, 2024

article thumbnail

U.S. Internet Leaked Years of Internal, Customer Emails

Krebs on Security

The Minnesota-based Internet provider U.S. Internet Corp. has a business unit called Securence , which specializes in providing filtered, secure email services to businesses, educational institutions and government agencies worldwide. But until it was notified last week, U.S. Internet was publishing more than a decade’s worth of its internal email — and that of thousands of Securence clients — in plain text out on the Internet and just a click away for anyone with a Web browser

Internet 330
article thumbnail

On the Insecurity of Software Bloat

Schneier on Security

Good essay on software bloat and the insecurities it causes. The world ships too much code, most of it by third parties, sometimes unintended, most of it uninspected. Because of this, there is a huge attack surface full of mediocre code. Efforts are ongoing to improve the quality of code itself, but many exploits are due to logic fails, and less progress has been made scanning for those.

Software 246
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Cyber Mayday and My Journey to Oz

Lohrman on Security

When we persevere through difficulties our results are often better than initially expected. Here’s a story of how pandemic disappointments and travel problems led to new professional opportunities.

216
216
article thumbnail

Google’s Threat Analysis Group’s Spyware Research: How CSVs Target Devices and Applications

Tech Republic Security

In a new report from Google's Threat Analysis Group, the researchers detail how commercial surveillance vendors particularly use spyware and target Google and Apple devices.

Spyware 181
article thumbnail

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

article thumbnail

Fat Patch Tuesday, February 2024 Edition

Krebs on Security

Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks. Top of the heap on this Fat Patch Tuesday is CVE-2024-21412 , a “security feature bypass” in the way Windows handles Internet Shortcut Files that Microsoft says is being targeted in active exploits.

article thumbnail

Improving the Cryptanalysis of Lattice-Based Public-Key Algorithms

Schneier on Security

The winner of the Best Paper Award at Crypto this year was a significant improvement to lattice-based cryptanalysis. This is important, because a bunch of NIST’s post-quantum options base their security on lattice problems. I worry about standardizing on post-quantum algorithms too quickly. We are still learning a lot about the security of these systems, and this paper is an example of that learning.

234
234

More Trending

article thumbnail

OpenAI’s Sora Generates Photorealistic Videos

Tech Republic Security

Sora is in red teamers' and selected artists' hands for now, as OpenAI tries to prevent AI video from being used for misinformation or offensive content.

article thumbnail

RETVec: Resilient and Efficient Text Vectorizer

Elie

This research study presented at NeurIPS 2024 introduces RETVec, a robust and multilingual text vectorizer that provides efficiency and resilience against typos and adversarial attacks for neural-based text processing.

137
137
article thumbnail

Upcoming Speaking Engagements

Schneier on Security

This is a current list of where and when I am scheduled to speak: I’m speaking at the Munich Security Conference (MSC) 2024 in Munich, Germany, on Friday, February 16, 2024. I’m giving a keynote at a symposium on “AI and Trust” at Generative AI, Free Speech, & Public Discourse. The symposium will be held at Columbia University in New York City and online, on Tuesday, February 20, 2024.

221
221
article thumbnail

Hackers used new Windows Defender zero-day to drop DarkMe malware

Bleeping Computer

Microsoft has patched today a Windows Defender SmartScreen zero-day exploited in the wild by a financially motivated threat group to deploy the DarkMe remote access trojan (RAT). [.

Malware 143
article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

Google Cloud’s Nick Godfrey Talks Security, Budget and AI for CISOs

Tech Republic Security

Google Cloud’s Director of Office of the CISO Nick Godfrey reminds business leaders to integrate security into conversations around financial and business targets.

CISO 187
article thumbnail

Google Chrome Zero-Day PoC Code Released

Penetration Testing

A proof-of-concept (PoC) exploit code and technical details have been made available for a zero-day security flaw, tracked as CVE-2022-4262 (CVSS 8.8), affecting Google Chrome. The heart of this vulnerability lies within the Chrome... The post Google Chrome Zero-Day PoC Code Released appeared first on Penetration Testing.

article thumbnail

Friday Squid Blogging: Vegan Squid-Ink Pasta

Schneier on Security

It uses black beans for color and seaweed for flavor. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here.

215
215
article thumbnail

Massive utility scam campaign spreads via online ads

Malwarebytes

For many households, energy costs represent a significant part of their overall budget. And when customers want to discuss their bills or look for ways to save money, scammers are just a phone call away. Enter the utility scam , where crooks pretend to be your utility company so they can threaten and extort as much money from you as they can. This scam has been going on for years and usually starts with an unexpected phone call and, in some cases, a visit to your door.

Scams 141
article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

IBM, ISC2 Offer Free Cybersecurity Certificate

Tech Republic Security

The entry-level IBM and ISC2 Cybersecurity Specialist Professional Certificate takes four months to complete.

article thumbnail

CVE-2024-0985: PostgreSQL’s Critical Security Flaw Exposed

Penetration Testing

A serious security flaw has been unearthed in the popular database software PostgreSQL, raising concerns for businesses and systems administrators. This vulnerability, designated CVE-2024-0985 (CVSS 8.0), could allow attackers to execute malicious code with... The post CVE-2024-0985: PostgreSQL’s Critical Security Flaw Exposed appeared first on Penetration Testing.

article thumbnail

On Passkey Usability

Schneier on Security

Matt Burgess tries to only use passkeys. The results are mixed.

Passwords 249
article thumbnail

ExpressVPN bug has been leaking some DNS requests for years

Bleeping Computer

ExpressVPN has removed the split tunneling feature from the latest version of its software after finding that a bug exposed the domains users were visiting to configured DNS servers. [.

DNS 141
article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

article thumbnail

What Is a Passphrase? Examples, Types & Best Practices

Tech Republic Security

Learn about passphrases and understand how you can use these strong yet memorable phrases to safeguard your accounts against hackers.

article thumbnail

AI-generated voices in robocalls are illegal, rules FCC

Malwarebytes

The Federal Communications Commission (FCC) has announced that calls made with voices generated with the help of Artificial Intelligence (AI) will be considered “artificial” under the Telephone Consumer Protection Act (TCPA). Effective immediately, that makes robocalls that implement voice cloning technology and target consumers illegal. Robocalls are automated phone calls, often associated with scams, which can be a nuisance to individuals and businesses alike.

Scams 139
article thumbnail

New SocGholish Infection Chain Discovered

Digital Shadows

ReliaQuest has detected a variant of the SocGholish malware that uses Python instead of PowerShell for persistence, signaling an evolution in the TTPs of threat actors utilizing this malware.

Malware 138
article thumbnail

200,000 Facebook Marketplace user records leaked on hacking forum

Bleeping Computer

A threat actor leaked 200,000 records on a hacker forum, claiming they contained the mobile phone numbers, email addresses, and other personal information of Facebook Marketplace users. [.

Hacking 138
article thumbnail

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

article thumbnail

Protect Your Private Data With an iProVPN Lifetime Subscription for Under $30

Tech Republic Security

Maintaining security is important in business, and iProVPN uses AES 256-bit encryption to keep your data secure — even on public Wi-Fi networks.

article thumbnail

Facebook Marketplace users’ stolen data offered for sale

Malwarebytes

Personal data belonging to Facebook Marketplace users has been published online, according to BleepingComputer. A cybercriminal was allegedly able to steal a partial database after hacking the systems of a Meta contractor. The leak consists of around 200,000 records that contain names, phone numbers, email addresses, Facebook IDs, and Facebook profile information of the affected Facebook Marketplace users.

article thumbnail

Leak of Russian ‘Threat’ Part of a Bid to Kill US Surveillance Reform, Sources Say

WIRED Threat Level

A surprise disclosure of a national security threat by the House Intelligence chair was part of an effort to block legislation that aimed to limit cops and spies from buying Americans' private data.

article thumbnail

Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days

The Hacker News

Microsoft has released patches to address 73 security flaws spanning its software lineup as part of its Patch Tuesday updates for February 2024, including two zero-days that have come under active exploitation. Of the 73 vulnerabilities, 5 are rated Critical, 65 are rated Important, and three and rated Moderate in severity.

Software 136
article thumbnail

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

article thumbnail

Malware Response Checklist

Tech Republic Security

Whether an infection is the result of a disgruntled employee, hardware vulnerability, software-based threat, social engineering penetration, robotic attack or human error, all organizations must be prepared to immediately respond effectively to such an issue if the corresponding damage is to be minimized. Using a guide and pre-formatted malware response checklist, written by Erik Eckel.

Malware 142
article thumbnail

Microsoft: New critical Exchange bug exploited as zero-day

Bleeping Computer

Microsoft warned today in an updated security advisory that a critical vulnerability in Exchange Server was exploited as a zero-day before being fixed during this month's Patch Tuesday. [.

122
122
article thumbnail

U.S. CISA: hackers breached a state government organization

Security Affairs

U.S. CISA revealed that threat actors breached an unnamed state government organization via an administrator account belonging to a former employee. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a threat actor gained access to an unnamed state government organization’s network environment via an administrator account belonging to a former employee.

article thumbnail

Rhysida Ransomware Cracked, Free Decryption Tool Released

The Hacker News

Cybersecurity researchers have uncovered an "implementation vulnerability" that has made it possible to reconstruct encryption keys and decrypt data locked by Rhysida ransomware. The findings were published last week by a group of researchers from Kookmin University and the Korea Internet and Security Agency (KISA).

article thumbnail

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.