Sat.Feb 10, 2024 - Fri.Feb 16, 2024

article thumbnail

U.S. Internet Leaked Years of Internal, Customer Emails

Krebs on Security

The Minnesota-based Internet provider U.S. Internet Corp. has a business unit called Securence , which specializes in providing filtered, secure email services to businesses, educational institutions and government agencies worldwide. But until it was notified last week, U.S. Internet was publishing more than a decade’s worth of its internal email — and that of thousands of Securence clients — in plain text out on the Internet and just a click away for anyone with a Web browser

Internet 350
article thumbnail

On Passkey Usability

Schneier on Security

Matt Burgess tries to only use passkeys. The results are mixed.

Passwords 279
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Cyber Mayday and My Journey to Oz

Lohrman on Security

When we persevere through difficulties our results are often better than initially expected. Here’s a story of how pandemic disappointments and travel problems led to new professional opportunities.

238
238
article thumbnail

GUEST ESSAY: Why internal IT teams are ill-equipped to adequately address cyber risks

The Last Watchdog

Every industry is dealing with a myriad of cyber threats in 2024. It seems every day we hear of another breach, another scam, another attack on anything from a small business to a critical aspect of our nation’s infrastructure. Related: The case for augmented reality training Because of this, cybersecurity investments and regulatory oversight are increasing at an astounding rate , especially for those in the financial services industry, bringing an overwhelming feeling to chief compliance office

article thumbnail

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

article thumbnail

Fat Patch Tuesday, February 2024 Edition

Krebs on Security

Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks. Top of the heap on this Fat Patch Tuesday is CVE-2024-21412 , a “security feature bypass” in the way Windows handles Internet Shortcut Files that Microsoft says is being targeted in active exploits.

article thumbnail

Molly White Reviews Blockchain Book

Schneier on Security

Molly White—of “ Web3 is Going Just Great ” fame— reviews Chris Dixon’s blockchain solutions book: Read Write Own : In fact, throughout the entire book, Dixon fails to identify a single blockchain project that has successfully provided a non-speculative service at any kind of scale. The closest he ever comes is when he speaks of how “for decades, technologists have dreamed of building a grassroots internet access provider” He describes one project that &

Internet 277

More Trending

article thumbnail

CVE-2024-24691 (CVSS 9.6): Critical Zoom Privilege Escalation Vulnerability

Penetration Testing

Zoom, the popular video conferencing platform, has addressed several critical security vulnerabilities affecting its Windows, iOS, and Android clients. A total of 7 security flaws were fixed. IT teams and individual users should patch... The post CVE-2024-24691 (CVSS 9.6): Critical Zoom Privilege Escalation Vulnerability appeared first on Penetration Testing.

article thumbnail

Leak of Russian ‘Threat’ Part of a Bid to Kill US Surveillance Reform, Sources Say

WIRED Threat Level

A surprise disclosure of a national security threat by the House Intelligence chair was part of an effort to block legislation that aimed to limit cops and spies from buying Americans' private data.

article thumbnail

On the Insecurity of Software Bloat

Schneier on Security

Good essay on software bloat and the insecurities it causes. The world ships too much code, most of it by third parties, sometimes unintended, most of it uninspected. Because of this, there is a huge attack surface full of mediocre code. Efforts are ongoing to improve the quality of code itself, but many exploits are due to logic fails, and less progress has been made scanning for those.

Software 275
article thumbnail

OpenAI’s Sora Generates Photorealistic Videos

Tech Republic Security

Sora is in red teamers' and selected artists' hands for now, as OpenAI tries to prevent AI video from being used for misinformation or offensive content.

article thumbnail

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

article thumbnail

Google Chrome Zero-Day PoC Code Released

Penetration Testing

A proof-of-concept (PoC) exploit code and technical details have been made available for a zero-day security flaw, tracked as CVE-2022-4262 (CVSS 8.8), affecting Google Chrome. The heart of this vulnerability lies within the Chrome... The post Google Chrome Zero-Day PoC Code Released appeared first on Penetration Testing.

article thumbnail

U.S. CISA: hackers breached a state government organization

Security Affairs

U.S. CISA revealed that threat actors breached an unnamed state government organization via an administrator account belonging to a former employee. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a threat actor gained access to an unnamed state government organization’s network environment via an administrator account belonging to a former employee.

article thumbnail

Improving the Cryptanalysis of Lattice-Based Public-Key Algorithms

Schneier on Security

The winner of the Best Paper Award at Crypto this year was a significant improvement to lattice-based cryptanalysis. This is important, because a bunch of NIST’s post-quantum options base their security on lattice problems. I worry about standardizing on post-quantum algorithms too quickly. We are still learning a lot about the security of these systems, and this paper is an example of that learning.

262
262
article thumbnail

What Is a Passphrase? Examples, Types & Best Practices

Tech Republic Security

Learn about passphrases and understand how you can use these strong yet memorable phrases to safeguard your accounts against hackers.

article thumbnail

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

article thumbnail

CVE-2024-0985: PostgreSQL’s Critical Security Flaw Exposed

Penetration Testing

A serious security flaw has been unearthed in the popular database software PostgreSQL, raising concerns for businesses and systems administrators. This vulnerability, designated CVE-2024-0985 (CVSS 8.0), could allow attackers to execute malicious code with... The post CVE-2024-0985: PostgreSQL’s Critical Security Flaw Exposed appeared first on Penetration Testing.

article thumbnail

Bank of America warns customers of data breach after vendor hack

Bleeping Computer

Bank of America is warning customers of a data breach exposing their personal information after one of its service providers was hacked last year. [.

article thumbnail

Upcoming Speaking Engagements

Schneier on Security

This is a current list of where and when I am scheduled to speak: I’m speaking at the Munich Security Conference (MSC) 2024 in Munich, Germany, on Friday, February 16, 2024. I’m giving a keynote at a symposium on “AI and Trust” at Generative AI, Free Speech, & Public Discourse. The symposium will be held at Columbia University in New York City and online, on Tuesday, February 20, 2024.

247
247
article thumbnail

Google Cloud’s Nick Godfrey Talks Security, Budget and AI for CISOs

Tech Republic Security

Google Cloud’s Director of Office of the CISO Nick Godfrey reminds business leaders to integrate security into conversations around financial and business targets.

CISO 177
article thumbnail

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

article thumbnail

Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries

The Hacker News

A reverse engineering of the firmware running on Ivanti Pulse Secure appliances has revealed numerous weaknesses, once again underscoring the challenge of securing software supply chains. Eclypsiusm, which acquired firmware version 9.1.18.2-24467.1 as part of the process, said the base operating system used by the Utah-based software company for the device is CentOS 6.4.

Firmware 142
article thumbnail

Hackers used new Windows Defender zero-day to drop DarkMe malware

Bleeping Computer

Microsoft has patched today a Windows Defender SmartScreen zero-day exploited in the wild by a financially motivated threat group to deploy the DarkMe remote access trojan (RAT). [.

Malware 143
article thumbnail

A Hacker’s Mind is Out in Paperback

Schneier on Security

The paperback version of A Hacker’s Mind has just been published. It’s the same book, only a cheaper format. But—and this is the real reason I am posting this—Amazon has significantly discounted the hardcover to $15 to get rid of its stock. This is much cheaper than I am selling it for, and cheaper even than the paperback. So if you’ve been waiting for a price drop, this is your chance.

198
198
article thumbnail

Google’s Threat Analysis Group’s Spyware Research: How CSVs Target Devices and Applications

Tech Republic Security

In a new report from Google's Threat Analysis Group, the researchers detail how commercial surveillance vendors particularly use spyware and target Google and Apple devices.

Spyware 171
article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days

The Hacker News

Microsoft has released patches to address 73 security flaws spanning its software lineup as part of its Patch Tuesday updates for February 2024, including two zero-days that have come under active exploitation. Of the 73 vulnerabilities, 5 are rated Critical, 65 are rated Important, and three and rated Moderate in severity.

Software 142
article thumbnail

9 Possible Ways Hackers Can Use Public Wi-Fi to Steal Your Sensitive Data

Security Affairs

Exploring the Risks: Unveiling 9 Potential Techniques Hackers Employ to Exploit Public Wi-Fi and Compromise Your Sensitive Data We’ve all used public Wi-Fi: it’s convenient, saves our data, and speeds up browsing. But while we enjoy its benefits, hackers do too. Here, we’ll explore how cybercriminals exploit public Wi-Fi to access your private data and possibly steal your identity.

DNS 142
article thumbnail

Massive utility scam campaign spreads via online ads

Malwarebytes

For many households, energy costs represent a significant part of their overall budget. And when customers want to discuss their bills or look for ways to save money, scammers are just a phone call away. Enter the utility scam , where crooks pretend to be your utility company so they can threaten and extort as much money from you as they can. This scam has been going on for years and usually starts with an unexpected phone call and, in some cases, a visit to your door.

Scams 142
article thumbnail

Protect Your Private Data With an iProVPN Lifetime Subscription for Under $30

Tech Republic Security

Maintaining security is important in business, and iProVPN uses AES 256-bit encryption to keep your data secure — even on public Wi-Fi networks.

article thumbnail

The Cloud Development Environment Adoption Report

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

article thumbnail

Rhysida Ransomware Cracked, Free Decryption Tool Released

The Hacker News

Cybersecurity researchers have uncovered an "implementation vulnerability" that has made it possible to reconstruct encryption keys and decrypt data locked by Rhysida ransomware. The findings were published last week by a group of researchers from Kookmin University and the Korea Internet and Security Agency (KISA).

article thumbnail

CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day

Trend Micro

The APT group Water Hydra has been exploiting the zero-day Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) in its campaigns targeting financial market traders. This vulnerability, which has now been patched by Microsoft, was discovered and disclosed by the Trend Micro Zero Day Initiative.

Marketing 141
article thumbnail

ExpressVPN bug has been leaking some DNS requests for years

Bleeping Computer

ExpressVPN has removed the split tunneling feature from the latest version of its software after finding that a bug exposed the domains users were visiting to configured DNS servers. [.

DNS 141
article thumbnail

NIST Establishes AI Safety Consortium

Tech Republic Security

The mixed public and private consortium will focus on safety, standards and skills-building for AI generally and generative AI in particular.

article thumbnail

Bringing the Cybersecurity Imperative Into Focus

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!