Sat.Sep 21, 2024 - Fri.Sep 27, 2024

article thumbnail

The Data Breach Disclosure Conundrum

Troy Hunt

The conundrum I refer to in the title of this post is the one faced by a breached organisation: disclose or suppress? And let me be even more specific: should they disclose to impacted individuals, or simply never let them know? I'm writing this after many recent such discussions with breached organisations where I've found myself wishing I had this blog post to point them to, so, here it is.

article thumbnail

NIST Recommends Some Common-Sense Password Rules

Schneier on Security

NIST’s second draft of its “ SP 800-63-4 “—its digital identify guidelines—finally contains some really good rules about passwords: The following requirements apply to passwords: lVerifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.

Passwords 323
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

U.S. Indicts 2 Top Russian Hackers, Sanctions Cryptex

Krebs on Security

The United States today unveiled sanctions and indictments against the alleged proprietor of Joker’s Stash , a now-defunct cybercrime store that peddled tens of millions of payment cards stolen in some of the largest data breaches of the past decade. The government also indicted and sanctioned a top Russian cybercriminal known as Taleon , whose cryptocurrency exchange Cryptex has evolved into one of Russia’s most active money laundering networks.

article thumbnail

Where Next for Real ID, Facial Recognition and Airport Security?

Lohrman on Security

There have been some new updates around airport security and identification. Here’s what you need to know.

258
258
article thumbnail

How to Avoid Pitfalls In Automation: Keep Humans In the Loop

Speaker: Erroll Amacker

Automation is transforming finance but without strong financial oversight it can introduce more risk than reward. From missed discrepancies to strained vendor relationships, accounts payable automation needs a human touch to deliver lasting value. This session is your playbook to get automation right. We’ll explore how to balance speed with control, boost decision-making through human-machine collaboration, and unlock ROI with fewer errors, stronger fraud prevention, and smoother operations.

article thumbnail

GUEST ESSAY: Massive NPD breach tells us its high time to replace SSNs as an authenticator

The Last Watchdog

Ever since the massive National Public Data (NPD) breach was disclosed a few weeks ago, news sources have reported an increased interest in online credit bureaus, and there has been an apparent upswing in onboarding of new subscribers. Related: Class-action lawsuits pile up in wake of NPD hack So what’s the connection? NPD reported the exposure of over 2.7 billion records.

article thumbnail

Hacking the “Bike Angels” System for Moving Bikeshares

Schneier on Security

I always like a good hack. And this story delivers. Basically, the New York City bikeshare program has a system to reward people who move bicycles from full stations to empty ones. By deliberately moving bikes to create artificial problems, and exploiting exactly how the system calculates rewards, some people are making a lot of money. At 10 a.m. on a Tuesday last month, seven Bike Angels descended on the docking station at Broadway and 53rd Street, across from the Ed Sullivan Theater.

Hacking 298

LifeWorks

More Trending

article thumbnail

Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple Website Bug

WIRED Threat Level

Researchers found a flaw in a Kia web portal that let them track millions of cars, unlock doors, and start engines at will—the latest in a plague of web bugs that’s affected a dozen carmakers.

Hacking 145
article thumbnail

Severe Unauthenticated RCE Flaw (CVSS 9.9) in GNU/Linux Systems Awaiting Full Disclosure

Penetration Testing

A critical security vulnerability affecting all GNU/Linux systems—and potentially others—has been identified by renowned security researcher Simone Margaritelli. The vulnerability, which allows for unauthenticated remote code execution (RCE), has been... The post Severe Unauthenticated RCE Flaw (CVSS 9.9) in GNU/Linux Systems Awaiting Full Disclosure appeared first on Cybersecurity News.

article thumbnail

New Windows Malware Locks Computer in Kiosk Mode

Schneier on Security

Clever : A malware campaign uses the unusual method of locking users in their browser’s kiosk mode to annoy them into entering their Google credentials, which are then stolen by information-stealing malware. Specifically, the malware “locks” the user’s browser on Google’s login page with no obvious way to close the window, as the malware also blocks the “ESC” and “F11” keyboard keys.

Malware 244
article thumbnail

Is Google Password Manager Safe to Use in 2024?

Tech Republic Security

Google Password Manager is a free password management service built into Chrome and Google apps. Learn how it works and how secure it is in this detailed review.

article thumbnail

Why Giant Content Libraries Do Nothing for Your Employees’ Cyber Resilience

Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.

article thumbnail

Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023

We Live Security

ESET Research has conducted a comprehensive technical analysis of Gamaredon’s toolset used to conduct its cyberespionage activities focused in Ukraine

144
144
article thumbnail

CVE-2024-8698: Keycloak Vulnerability Puts SAML Authentication at Risk

Penetration Testing

In a concerning development for organizations relying on Keycloak for secure identity and access management, a high-severity vulnerability has been discovered in its SAML signature validation process. Tracked as CVE-2024-8698,... The post CVE-2024-8698: Keycloak Vulnerability Puts SAML Authentication at Risk appeared first on Cybersecurity News.

article thumbnail

Squid Fishing in Japan

Schneier on Security

Fishermen are catching more squid as other fish are depleted. Blog moderation policy.

242
242
article thumbnail

Microsoft Initiative the ‘Largest Cybersecurity Engineering Effort in History’

Tech Republic Security

The Secure Future Initiative was created around the same time the U.S. Cyber Safety Review Board chided Redmond for having a poor security culture.

article thumbnail

Zero Trust Mandate: The Realities, Requirements and Roadmap

The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.

article thumbnail

Eliminating Memory Safety Vulnerabilities at the Source

Google Security

Posted by Jeff Vander Stoep - Android team, and Alex Rebert - Security Foundations Memory safety vulnerabilities remain a pervasive threat to software security. At Google, we believe the path to eliminating this class of vulnerabilities at scale and building high-assurance software lies in Safe Coding , a secure-by-design approach that prioritizes transitioning to memory-safe languages.

Risk 144
article thumbnail

Romance scams costlier than ever: 10 percent of victims lose $10,000 or more

Malwarebytes

Romance scams continue to plague users, but their costs have risen to staggering heights, according to a Malwarebytes survey carried out last month via our weekly newsletter. More than 66 percent of 850 respondents have been targeted by a romance scam, and those that were ensnared paid a hefty price, with 10 percent of victims losing $10,000 and up.

Scams 144
article thumbnail

An Analysis of the EU’s Cyber Resilience Act

Schneier on Security

A good —long, complex—analysis of the EU’s new Cyber Resilience Act.

article thumbnail

‘Titanic Mindset’: Just 54% of UK IT Pros Confident in Data Recovery

Tech Republic Security

U.K. IT pros are adopting a “Titanic mindset,” a study has found, as they are blind to the upcoming iceberg of their data recovery solution.

article thumbnail

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

article thumbnail

Critical SQL Injection Vulnerability Discovered in ‘The Events Calendar’ WordPress Plugin (CVE-2024-8275)

Penetration Testing

A severe security flaw has been identified in the popular WordPress plugin The Events Calendar, affecting all versions up to and including 6.6.4. Designated as CVE-2024-8275, the vulnerability has been... The post Critical SQL Injection Vulnerability Discovered in ‘The Events Calendar’ WordPress Plugin (CVE-2024-8275) appeared first on Cybersecurity News.

article thumbnail

Hackers Could Have Remotely Controlled Kia Cars Using Only License Plates

The Hacker News

Cybersecurity researchers have disclosed a set of now patched vulnerabilities in Kia vehicles that, if successfully exploited, could have allowed remote control over key functions simply by using only a license plate.

article thumbnail

Warnings after new Valencia ransomware group strikes businesses and leaks data

Graham Cluley

A new ransomware operation has started to leak information it claims has been stolen from organisations it has compromised around the world. In recent days Valencia Ransomware has posted on its dark web leak site's so-called "Wall of shame" links to gigabytes of downloadable information that has seemingly been exfiltrated from a Californian municipality, a pharmaceutical firm, and a paper manufacturer.

article thumbnail

Get Real-World Cybersecurity Skills for $30

Tech Republic Security

Engage in active learning to build skills, confidence, and competence through practical, hands-on experience with professional feedback.

article thumbnail

Next-Level Fraud Prevention: Strategies for Today’s Threat Landscape

Speaker: Sierre Lindgren

Fraud is a battle that every organization must face – it’s no longer a question of “if” but “when.” Every organization is a potential target for fraud, and the finance department is often the bullseye. From cleverly disguised emails to fraudulent payment requests, the tactics of cybercriminals are advancing rapidly. Drawing insights from real-world cases and industry expertise, we’ll explore the vulnerabilities in your processes and how to fortify them effectively.

article thumbnail

Don’t share the viral Instagram Meta AI “legal” post

Malwarebytes

A new variation of a hoax that has been doing the rounds on Facebook for years has crossed over to Instagram. We’re seeing this post on Instagram Stories a lot suddenly over the last few days. The post is usually posted as a shareable screenshot on Instagram Stories, but it’s also been spotted on Facebook and Threads as a copy-and-paste text. “Repub Goodbye Meta AI.

article thumbnail

Google's Shift to Rust Programming Cuts Android Memory Vulnerabilities by 52%

The Hacker News

Google has revealed that its transition to memory-safe languages such as Rust as part of its secure-by-design approach has led to the percentage of memory-safe vulnerabilities discovered in Android dropping from 76% to 24% over a period of six years.

Risk 142
article thumbnail

Hacking Kia cars made after 2013 using just their license plate

Security Affairs

Researchers discovered critical flaws in Kia’s dealer portal that could allow to hack Kia cars made after 2013 using just their license plate. In June 2024, a team of experts ( Neiko Rivera , Sam Curry , Justin Rhinehart , Ian Carroll ) discovered multiple vulnerabilities in Kia vehicles that allowed remote control of key functions using their license plates.

Hacking 141
article thumbnail

2024 Exposed: The Alarming State of Australian Data Breaches

Tech Republic Security

Implementing multi-factor authentication, supplier risk-management frameworks, and staff security training could help to reduce data breaches.

article thumbnail

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

article thumbnail

CVSS 9.8 Vulnerabilities Expose Aruba Access Points to RCE: HPE Urges Immediate Action

Penetration Testing

The Hewlett Packard Enterprise (HPE) Product Security Response Team has issued a critical advisory concerning multiple command injection vulnerabilities (CVE-2024-42505, CVE-2024-42506, CVE-2024-42507) affecting Aruba Access Points running Instant AOS-8 and... The post CVSS 9.8 Vulnerabilities Expose Aruba Access Points to RCE: HPE Urges Immediate Action appeared first on Cybersecurity News.

article thumbnail

Telegram Agrees to Share User Data With Authorities for Criminal Investigations

The Hacker News

In a major policy reversal, the popular messaging app Telegram has announced it will give users' IP addresses and phone numbers to authorities in response to valid legal requests in an attempt to rein in criminal activity on the platform.

142
142
article thumbnail

100 million+ US citizens have records leaked by background check service

Malwarebytes

A background check left a huge database unprotected online containing 2.2TB of people’s data, according to research by Cybernews. The database was left passwordless and easily accessible to anyone on the internet by background check firm MC2 Data. MC2 Data gathers publicly available data to provide decision makers with information whether someone can rent a house, work at their firm, or be granted a loan.

article thumbnail

Is Cloud Fax Secure? Yes. Compliant? It Depends.

Tech Republic Security

Explore cloud fax security and compliance. Learn about encryption, HIPAA, and records management for better document protection.

article thumbnail

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!