Sat.Jun 29, 2024 - Fri.Jul 05, 2024

article thumbnail

New Open SSH Vulnerability

Schneier on Security

It’s a serious one : The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration. […] This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete syste

Firewall 304
article thumbnail

New Tech Q&A: Adaptiva – CrowdStrike alliance highlights trend of blending IT and security systems

The Last Watchdog

The coalescing of the next-gen security platforms that will carry us forward continues. Related: Jump starting vulnerability management Adaptiva, a leader in autonomous endpoint management, recently announced the launch of OneSite Patch for CrowdStrike. This new solution integrates with CrowdStrike’s Falcon XDR platform to improve the efficiency and speed of patching critical vulnerabilities in enterprise systems.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Weekly Update 407

Troy Hunt

It's a long one this week, in part due to the constant flood of new breaches and disclosures I discuss. I regularly have disclosure notices forwarded to me by followers who find themselves in new breaches, and it's always fascinating to hear how they're worded. You get a real sense of how much personal ownership a company is taking, how much blame they're putting back on the hackers and increasingly, how much they've been written by lawyers.

article thumbnail

Montgomery County, Md.’s Chatbot Shows GenAI in Action

Lohrman on Security

I’m always looking for best practices and examples to share around government AI and cyber projects. Monty 2.0 is certainly praiseworthy and a GenAI project to watch and learn from.

article thumbnail

Human-Centered Cyber Security Training: Driving Real Impact on Security Culture

Speaker: Speakers:

In today's digital age, having an untrained workforce can be a significant risk to your business. Cyber threats are evolving; without proper training, your employees could be the weakest link in your defense. This webinar empowers leaders like you with the tools and strategies needed to transform your employees into a robust frontline defense against cyber attacks.

article thumbnail

Public Surveillance of Bars

Schneier on Security

This article about an app that lets people remotely view bars to see if they’re crowded or not is filled with commentary—on both sides—about privacy and openness.

article thumbnail

10 Security Tips for Business Travellers This Summer

Tech Republic Security

Travelling for work can open employees up to a new host of security threats, including insecure Wi-Fi networks, infected public charging ports and Bluetooth attacks.

Big data 185

More Trending

article thumbnail

Cloudflare’s 1.1.1.1 DNS Service Disrupted by BGP Hijacking and Route Leak

Penetration Testing

On June 27, 2024, Cloudflare’s popular 1.1.1.1 public DNS resolver service experienced disruptions, leaving a small percentage of users worldwide unable to access the service or facing significant latency issues. The culprit behind this... The post Cloudflare’s 1.1.1.1 DNS Service Disrupted by BGP Hijacking and Route Leak appeared first on Cybersecurity News.

DNS 145
article thumbnail

Model Extraction from Neural Networks

Schneier on Security

A new paper , “Polynomial Time Cryptanalytic Extraction of Neural Network Models,” by Adi Shamir and others, uses ideas from differential cryptanalysis to extract the weights inside a neural network using specific queries and their results. This is much more theoretical than practical, but it’s a really interesting result. Abstract: Billions of dollars and countless GPU hours are currently spent on training Deep Neural Networks (DNNs) for a variety of tasks.

232
232
article thumbnail

CISA Report Finds Most Open-Source Projects Contain Memory-Unsafe Code

Tech Republic Security

Security analysts found that 52% of open-source projects are written in memory-unsafe languages like C and C++.

Software 191
article thumbnail

How to Achieve Crypto Resilience for a Post-Quantum World

Security Boulevard

While it's unlikely that quantum computers are currently in the hands of cybercriminals or hostile nation-states, they will be. The post How to Achieve Crypto Resilience for a Post-Quantum World appeared first on Security Boulevard.

article thumbnail

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

article thumbnail

CVE-2024-37726: MSI Center Flaw Exposes Windows Systems to Privilege Escalation Attacks

Penetration Testing

Recently, a critical local privilege escalation vulnerability has been identified in MSI Center, a popular system management application for Windows OS. Tracked as CVE-2024-37726, this vulnerability affects all versions of MSI Center up to... The post CVE-2024-37726: MSI Center Flaw Exposes Windows Systems to Privilege Escalation Attacks appeared first on Cybersecurity News.

article thumbnail

New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems

The Hacker News

OpenSSH maintainers have released security updates to contain a critical security flaw that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems. The vulnerability has been assigned the CVE identifier CVE-2024-6387.

145
145
article thumbnail

Millions of Apple Applications Were Vulnerable to CocoaPods Supply Chain Attack

Tech Republic Security

The vulnerabilities have since been patched, but had quietly persisted since the CocoaPods migration in 2014.

Software 183
article thumbnail

‘Polyfill’ Supply Chain Threat: 4x Worse Than We Thought

Security Boulevard

Spackle attack: Chinese company takes over widely used free web service—almost 400,000 websites at risk. The post ‘Polyfill’ Supply Chain Threat: 4x Worse Than We Thought appeared first on Security Boulevard.

Risk 136
article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

CVE-2024-6387: Critical OpenSSH Unauthenticated RCE Flaw ‘regreSSHion’ Exposes Millions of Linux Systems

Penetration Testing

The Qualys Threat Research Unit (TRU) has detailed a severe security flaw, dubbed ‘regreSSHion,’ that leaves millions of Linux systems vulnerable to remote code execution. The vulnerability, identified as CVE-2024-6387, affects OpenSSH’s server (sshd)... The post CVE-2024-6387: Critical OpenSSH Unauthenticated RCE Flaw ‘regreSSHion’ Exposes Millions of Linux Systems appeared first on Cybersecurity News.

article thumbnail

Hackers abused API to verify millions of Authy MFA phone numbers

Bleeping Computer

Twilio has confirmed that an unsecured API endpoint allowed threat actors to verify the phone numbers of millions of Authy multi-factor authentication users, potentially making them vulnerable to SMS phishing and SIM swapping attacks. [.

Phishing 139
article thumbnail

Bitwarden vs KeePass (2024): Battle of the Best – Who Wins?

Tech Republic Security

Bitwarden vs KeePass: Who comes out on top? Dive into our 2024 analysis and make the best decision for your security needs!

article thumbnail

Hackers stole OpenAI secrets in a 2023 security breach

Security Affairs

The New York Times revealed that OpenAI suffered a security breach in 2023, but the company says source code and customer data were not compromised. OpenAI suffered a security breach in 2023, the New York Times reported. The American newspaper revealed that the threat actors gained access to the internal discussions among researchers and other employees, but they did not access the source code of the company’s systems.

article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

CVE-2024-6376 (CVSS 9.8) in MongoDB Compass Exposes Systems to Code Injection Risks

Penetration Testing

A recent discovery has unveiled a critical security vulnerability in MongoDB Compass, a widely-used graphical user interface (GUI) for querying, aggregating, and analyzing MongoDB data. This tool, known for its robust capabilities and cross-platform... The post CVE-2024-6376 (CVSS 9.8) in MongoDB Compass Exposes Systems to Code Injection Risks appeared first on Cybersecurity News.

Risk 134
article thumbnail

Cloudflare blames recent outage on BGP hijacking incident

Bleeping Computer

Internet giant Cloudflare reports that its DNS resolver service, 1.1.1.1, was recently unreachable or degraded for some of its customers because of a combination of Border Gateway Protocol (BGP) hijacking and a route leak. [.

DNS 132
article thumbnail

The five most common pitfalls of cyber security awareness training

Security Boulevard

The post The five most common pitfalls of cyber security awareness training appeared first on Click Armor. The post The five most common pitfalls of cyber security awareness training appeared first on Security Boulevard.

article thumbnail

Twilio's Authy App Breach Exposes Millions of Phone Numbers

The Hacker News

Cloud communications provider Twilio has revealed that unidentified threat actors took advantage of an unauthenticated endpoint in Authy to identify data associated with Authy accounts, including users' cell phone numbers. The company said it took steps to secure the endpoint to no longer accept unauthenticated requests.

article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

article thumbnail

Personal data stolen from unsuspecting airport visitors and plane passengers in “evil twin” attacks, man charged

Malwarebytes

The Australian Federal Police (AFP) have charged a man for setting up fake free WiFi access points in order to steal personal data from people. The crime was discovered when an airline reported a suspicious WiFi network identified by its employees during a domestic flight. When the alleged perpetrator landed at Perth airport, his bags were searched and authorities found a portable wireless access device, a laptop, and a mobile phone in his hand luggage.

Wireless 133
article thumbnail

Fake IT support sites push malicious PowerShell scripts as Windows fixes

Bleeping Computer

Fake IT support sites promote malicious PowerShell "fixes" for common Windows errors, like the 0x80070643 error, to infect devices with information-stealing malware. [.

Malware 141
article thumbnail

Rethinking Cybersecurity in the Age of AI

Security Boulevard

IT managers and CSOs need to rethink their approach to cybersecurity and protect their organizations from this new breed of AI-powered attacks. The post Rethinking Cybersecurity in the Age of AI appeared first on Security Boulevard.

article thumbnail

Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware

The Hacker News

A China-nexus cyber espionage group named Velvet Ant has been observed exploiting a zero-day flaw in Cisco NX-OS Software used in its switches to deliver malware. The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.

Malware 134
article thumbnail

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

article thumbnail

Surfshark vs IPVanish (2024): Which VPN Should You Choose?

Tech Republic Security

Which is better, Surfshark or IPVanish? Use our guide to help you compare pricing, features and more.

VPN 152
article thumbnail

Xbox is down worldwide with users unable to login, play games

Bleeping Computer

The Xbox gaming service is currently down due to a major outage, impacting customers worldwide and preventing them from signing into their accounts and playing games. [.

article thumbnail

‘Perfect 10’ Apple Supply Chain Bug — Millions of Apps at Risk of CocoaPods RCE

Security Boulevard

Tim looks grim: 10 year old vulnerabilities in widely used dev tool include a CVSS 10.0 remote code execution bug. The post ‘Perfect 10’ Apple Supply Chain Bug — Millions of Apps at Risk of CocoaPods RCE appeared first on Security Boulevard.

Risk 136
article thumbnail

OVHcloud Hit with Record 840 Million PPS DDoS Attack Using MikroTik Routers

The Hacker News

French cloud computing firm OVHcloud said it mitigated a record-breaking distributed denial-of-service (DDoS) attack in April 2024 that reached a packet rate of 840 million packets per second (Mpps). This is just above the previous record of 809 million Mpps reported by Akamai as targeting a large European bank in June 2020.

DDOS 127
article thumbnail

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.