Security Boulevard

SEPTEMBER 3, 2023

Cyber insurance offers financial protection and support in the event of a cyber attack, data breach, or other cyber-related incidents. Ironically, the security that insurance brings to policyholders stands in contrast to the shifting, dynamic state of the cyber insurance market in general. The cyber insurance market is currently experiencing a state of flux due […] The post Cyber Insurance Explained: What It Covers, Who Needs It appeared first on Centraleyes.

Cyber Insurance 115

Cyber Insurance Insurance Marketing Data breaches 115

Schneier on Security

SEPTEMBER 6, 2023

The cryptocurrency fintech startup Prime Trust lost the encryption key to its hardware wallet—and the recovery key—and therefore $38.9 million. It is now in bankruptcy. I can’t understand why anyone thinks these technologies are a good idea.

Cryptocurrency 296

Cryptocurrency Encryption Technology 296

Troy Hunt

SEPTEMBER 6, 2023

I'm super late pushing out this week's video, I mean to the point where I now have a couple of days before doing the next one. Travel from the opposite side of the world is the obvious excuse, then frankly, just wanting to hang out with friends and relax. And now, I somehow find myself publishing this from the most mind-bending set of circumstances: Heading to 31C.

Phishing 254

Phishing Passwords 254

The Last Watchdog

SEPTEMBER 5, 2023

New government rules coupled with industry standards meant to give formal shape to the Internet of Things (IoT) are rapidly quickening around the globe. Related: The need for supply chain security This is to be expected. After all, government mandates combined with industry standards are the twin towers of public safety. Without them the integrity of our food supplies, the efficacy of our transportation systems and reliability of our utilities would not be what they are.

IoT 220

IoT Government Internet Internet 220

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Lohrman on Security

SEPTEMBER 3, 2023

Reports from cybersecurity companies in 2023 show mixed trends regarding the number of global data breaches, ransomware attacks, records affected and government costs. But one thing is clear: Cyber attack impacts steadily grow.

Data breaches 192

Data breaches Ransomware Cyber Attacks Government 192

Schneier on Security

SEPTEMBER 5, 2023

Interesting research : Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on Evaluating Widespread Security Vulnerabilities Abstract: The Common Vulnerability Scoring System (CVSS) is a popular method for evaluating the severity of vulnerabilities in vulnerability management. In the evaluation process, a numeric score between 0 and 10 is calculated, 10 being the most severe (critical) value.

Software 266

Software 266

Bleeping Computer

SEPTEMBER 7, 2023

Citizen Lab says two zero-days fixed by Apple today in emergency security updates were actively abused as part of a zero-click exploit chain (dubbed BLASTPASS) to deploy NSO Group's Pegasus commercial spyware onto fully patched iPhones. [.

Spyware 144

Spyware 144

The Hacker News

SEPTEMBER 8, 2023

Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware. The issues are described as below - CVE-2023-41061 - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.

Spyware 139

Spyware 139

Schneier on Security

SEPTEMBER 8, 2023

Last March, just two weeks after GPT-4 was released , researchers at Microsoft quietly announced a plan to compile millions of APIs—tools that can do everything from ordering a pizza to solving physics equations to controlling the TV in your living room—into a compendium that would be made accessible to large language models (LLMs). This was just one milestone in the race across industry and academia to find the best ways to teach LLMs how to manipulate tools, which would supercharge

Banking 243

Banking Risk Accountability Government 243

Tech Republic Security

SEPTEMBER 8, 2023

It’s a cat-and-mouse struggle as tech giants Microsoft and Apple deal with persistent threats from China state actors and Pegasus spyware.

Spyware 182

Spyware Cyber threats Mobile 182

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Bleeping Computer

SEPTEMBER 2, 2023

A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code. [.

Passwords 144

Passwords 144

Security Affairs

SEPTEMBER 8, 2023

A zero-day vulnerability (CVE-2023-20269) in Cisco ASA and FTD is actively exploited in ransomware attacks, the company warns. Cisco warns that a zero-day vulnerability (CVE-2023-20269) in Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) is actively exploited by ransomware groups to gain initial access to corporate networks.

Ransomware 139

Ransomware VPN Authentication Hacking 139

Graham Cluley

SEPTEMBER 7, 2023

A Texas court has heard how last month a gang of men used a Raspberry Pi device to steal thousands of dollars from ATMs. Read more in my article on the Tripwire State of Security blog.

Malware 138

Malware 138

Tech Republic Security

SEPTEMBER 8, 2023

Australian data breach costs have jumped over the last five years to $2.57 million USD, according to IBM. Prioritizing DevSecOps and incident response planning can help IT leaders minimize the financial risk.

Data breaches 145

Data breaches Risk 145

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Bleeping Computer

SEPTEMBER 8, 2023

Notepad++ version 8.5.7 has been released with fixes for multiple buffer overflow zero-days, with one marked as potentially leading to code execution by tricking users into opening specially crafted files. [.

Software 142

Software 142

Security Affairs

SEPTEMBER 2, 2023

Identity services provider Okta warned customers of social engineering attacks carried out by threat actors to obtain elevated administrator permissions. Okta is warning customers of social engineering attacks carried out in recent weeks by threat actors to obtain elevated administrator permissions. The attacks targeted IT service desk staff to trick them into resetting all multi-factor authentication (MFA) factors enrolled by highly privileged users.

Social Engineering 136

Social Engineering Engineering Authentication Accountability 136

Malwarebytes

SEPTEMBER 7, 2023

An investigation by Microsoft has finally revealed how China-based hackers circumvented the protections of a "highly isolated and restricted production environment" in May 2023 to unlock sensitive email accounts belonging to US government agencies. The attack was first reported by Microsoft in July , in an article that left some important questions unanswered.

Authentication 135

Authentication Accountability Government Passwords 135

Tech Republic Security

SEPTEMBER 6, 2023

When it comes to DIY home security, there are many systems and components to consider and many decisions to make. This vendor comparison guide from TechRepublic Premium provides advice you can follow as you make decisions regarding how you will deploy a home security system. The accompanying comparison tool will document your research and provide.

137

137

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Bleeping Computer

SEPTEMBER 6, 2023

The Flipper Zero portable wireless pen-testing and hacking tool can be used to aggressively spam Bluetooth connection messages at Apple iOS devices, such as iPhones and iPads. [.

Wireless 135

Wireless Hacking 135

Security Affairs

SEPTEMBER 6, 2023

Three critical remote code execution vulnerabilities in ASUS routers potentially allow attackers to hijack the network devices. ASUS routers RT-AX55, RT-AX56U_V2, and RT-AC86U are affected by three critical remote code execution vulnerabilities that can potentially allow threat actors to take over the devices. The three vulnerabilities were reported by the Taiwanese CERT, below are their descriptions: CVE-2023-39238 (CVSS 9.8): ASUS RT-AX55, RT-AX56U_V2 and RT-AC86U iperf-related modules set_ipe

Firmware 135

Firmware Hacking Internet Internet 135

Security Boulevard

SEPTEMBER 8, 2023

Firefox looking good right now: “Privacy Sandbox” criticized as a proprietary, hypocritical, anti-competitive, self-serving contradiction. The post Google Kills 3rd-Party Cookies — but Monopolizes AdTech appeared first on Security Boulevard.

Advertising 131

Advertising Social Engineering Data privacy Engineering 131

Tech Republic Security

SEPTEMBER 7, 2023

Phones, tablets and workstations with unpatched CVEs are a clear and present danger. New Armis study lists the most vulnerable.

IoT 157

IoT Media Internet Internet 157

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

Bleeping Computer

SEPTEMBER 6, 2023

Microsoft says Storm-0558 Chinese hackers stole a signing key used to breach government email accounts from a Windows crash dump after compromising a Microsoft engineer's corporate account. [.

Engineering 134

Engineering Accountability Government 134

Security Affairs

SEPTEMBER 6, 2023

MITRE and CISA released a Caldera extension for OT that allows the emulation of attacks on operational technology systems. MITRE Caldera is an open-source adversary emulation platform that helps cybersecurity practitioners to automate security assessments. The tool is built on the MITRE ATT&CK framework, which is a widely-recognized framework for understanding and responding to cyber threats. “Without further ado, the MITRE Caldera team is proud to announce the release of Caldera for O

Cyber threats 134

Cyber threats Technology Engineering Hacking 134

The Hacker News

SEPTEMBER 7, 2023

Microsoft on Wednesday revealed that a China-based threat actor known as Storm-0558 acquired the inactive consumer signing key to forge tokens and access Outlook by compromising an engineer’s corporate account. This enabled the adversary to access a debugging environment that contained information pertaining to a crash of the consumer signing system and steal the key.

Hacking 126

Hacking Accountability 126

Tech Republic Security

SEPTEMBER 4, 2023

Linux is a powerful and customizable operating system that has been the backbone of many businesses for decades. This policy from TechRepublic Premium provides guidelines for securing Linux on company computers and computers used to conduct company business. It assumes administrative knowledge of Linux servers and/or workstation environments. From the policy: DEVELOP TEMPLATES BASED ON.

122

122

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Bleeping Computer

SEPTEMBER 8, 2023

Cisco is warning of a CVE-2023-20269 zero-day vulnerability in its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) that is actively exploited by ransomware operations to gain initial access to corporate networks. [.

VPN 133

VPN Ransomware 133

Security Affairs

SEPTEMBER 4, 2023

A distributed denial-of-service (DDoS) attack took the site of the German Federal Financial Supervisory Authority (BaFin) down. A distributed denial-of-service (DDoS) attack took the site of the German Federal Financial Supervisory Authority (BaFin) down for some days. It is not clear who is behind the DDoS attack, but the media speculate that it was launched by pro-Russian hacktivists in response to the German financial and military support to Ukraine.

DDOS 133

DDOS Financial Services Insurance Banking 133

The Hacker News

SEPTEMBER 3, 2023

Cybersecurity researchers have called attention to a new antivirus evasion technique that involves embedding a malicious Microsoft Word file into a PDF file. The sneaky method, dubbed MalDoc in PDF by JPCERT/CC, is said to have been employed in an in-the-wild attack in July 2023.

Antivirus 126

Antivirus Cybersecurity 126

WIRED Threat Level

SEPTEMBER 6, 2023

After leaving many questions unanswered, Microsoft explains in a new postmortem the series of slipups that allowed attackers to steal and abuse a valuable cryptographic key.

Hacking 120

Hacking 120

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk