Dark Reading
OCTOBER 9, 2023
It's past time to reimagine how to best nurture talent and expand recruiting and training to alleviate the shortage of trained cybersecurity staff. We need a diverse talent pool trained for tomorrow's challenges.
Schneier on Security
OCTOBER 11, 2023
There’s a new Cisco vulnerability in its Emergency Responder product: This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Krebs on Security
OCTOBER 9, 2023
The fake USPS phishing page. Recent weeks have seen a sizable uptick in the number of phishing scams targeting U.S. Postal Service (USPS) customers. Here’s a look at an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries. KrebsOnSecurity recently heard from a reader who received an SMS purporting to have been sent by the USPS, saying there was a problem with a package destined
The Last Watchdog
OCTOBER 9, 2023
Clean Code’ is a simple concept rooted in common sense. This software writing principle cropped up some 50 years ago and might seem quaint in today’s era of speedy software development. Related: Setting IoT security standards At Black Hat 2023 , I had the chance to visit with Olivier Gaudin , founder and co-CEO, and Johannes Dahse , head of R&D, at SonarSource , a Geneva, Switzerland-based supplier of systems to achieve Clean Code.
Advertisement
How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.
Lohrman on Security
OCTOBER 8, 2023
There have been several important developments, conferences and speeches on artificial intelligence and cybersecurity trends over the past few months. Here’s a roundup.
Schneier on Security
OCTOBER 12, 2023
This is a fun challenge: The NIST elliptic curves that power much of modern cryptography were generated in the late ’90s by hashing seeds provided by the NSA. How were the seeds generated? Rumor has it that they are in turn hashes of English sentences, but the person who picked them, Dr. Jerry Solinas, passed away in early 2023 leaving behind a cryptographic mystery, some conspiracy theories, and an historical password cracking challenge.
Cyber Security Informer brings together the best content for cyber security professionals from the widest variety of industry thought leaders.
Tech Republic Security
OCTOBER 11, 2023
A vulnerability in the HTTP/2 network protocol is currently being exploited, resulting in the largest DDoS attack in history. Find out what security teams should do now, and hear what Cloudflare's CEO has to say about this DDoS.
Security Affairs
OCTOBER 8, 2023
Researchers warn that more than 70,000 Android smartphones, CTV boxes, and tablets were shipped with backdoored firmware as part of BADBOX network. Cybersecurity researchers at Human Security discovered a global network of consumer products, dubbed BADBOX, with firmware backdoors installed and sold through a compromised hardware supply chain. The experts reported that at least 74,000 Android-based mobile phones, tablets, and Connected TV boxes worldwide were shipped with the backdoored firmware.
Schneier on Security
OCTOBER 10, 2023
Adi Shamir et al. have a new model extraction attack on neural networks: Polynomial Time Cryptanalytic Extraction of Neural Network Models Abstract: Billions of dollars and countless GPU hours are currently spent on training Deep Neural Networks (DNNs) for a variety of tasks. Thus, it is essential to determine the difficulty of extracting all the parameters of such neural networks when given access to their black-box implementations.
Bleeping Computer
OCTOBER 11, 2023
Microsoft Defender for Endpoint now uses automatic attack disruption to isolate compromised user accounts and block lateral movement in hands-on-keyboard attacks with the help of a new 'contain user' capability in public preview. [.
Advertiser: Revenera
In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.
Tech Republic Security
OCTOBER 11, 2023
F5 says an artificial intelligence war could start between generative AI-toting bad actors and enterprises guarding data with AI. Australian IT teams will be caught in the crossfire.
eSecurity Planet
OCTOBER 12, 2023
Cyber attackers frequently use legacy technology as part of their attack strategies, targeting organizations that have yet to implement mitigations or upgrade obsolete components. In an Active Directory environment, one such component is legacy protocols, which attackers can use to gain access to Active Directory. While patching (or even virtual patching ) might help address obsolete components, most legacy components have been thoroughly evaluated by adversaries to determine whether they should
Schneier on Security
OCTOBER 13, 2023
Interesting New York Times article about high-school students hacking the grading system. What’s not helping? The policies many school districts are adopting that make it nearly impossible for low-performing students to fail—they have a grading floor under them, they know it, and that allows them to game the system. Several teachers whom I spoke with or who responded to my questionnaire mentioned policies stating that students cannot get lower than a 50 percent on any assignment, eve
Malwarebytes
OCTOBER 13, 2023
Quishing is phishing using QR (Quick Response) codes. QR codes are basically two-dimensional barcodes that hold encoded data, and they can be used to work as a link. Point your phone's camera at a QR code and it will ask you if you want to visit the link. The use of QR codes in malicious campaigns is not new, and because they can provide contactless access to a product or service they grew in popularity during the Covid-19 pandemic.
Advertisement
The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.
Tech Republic Security
OCTOBER 10, 2023
Australian and New Zealand businesses will increase spending on cybersecurity by double digits… but they might not be able to spend their way to safety.
Bleeping Computer
OCTOBER 11, 2023
A new malware has been posing as a legitimate caching plugin to target WordPress sites, allowing threat actors to create an administrator account and control the site's activity. [.
Google Security
OCTOBER 9, 2023
Posted by Andrew Walbran, Android Rust Team Last year we wrote about how moving native code in Android from C++ to Rust has resulted in fewer security vulnerabilities. Most of the components we mentioned then were system services in userspace (running under Linux), but these are not the only components typically written in memory-unsafe languages. Many security-critical components of an Android system run in a “bare-metal” environment, outside of the Linux kernel, and these are historically writ
Security Affairs
OCTOBER 12, 2023
Ransomlooker monitors ransomware groups’ extortion sites and delivers consolidated feeds of their claims worldwide. Cybernews presented Ransomlooker , a tool to monitor ransomware groups’ extortion sites and delivers consolidated feeds of their claims worldwide. The researchers have created the tool to help cybersecurity experts in their daily jobs by providing real-time updates and actionable insights.
Speaker: Blackberry, OSS Consultants, & Revenera
Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?
Tech Republic Security
OCTOBER 12, 2023
The success of cyber attacks in Australia could make an "assume-breach" approach to cyber security inevitable and cause IT teams to shift their focus to protecting data backups at all costs.
Malwarebytes
OCTOBER 9, 2023
Information belonging to as many as seven million 23andMe customers has been put up for sale on criminal forums following a credential stuffing attack against the genomics company. On Friday October 6, 2023, 23andMe confirmed via a somewhat opaque blog post that threat actors had "obtained information from certain accounts, including information about users’ DNA Relatives profiles.
Bleeping Computer
OCTOBER 13, 2023
Microsoft says Windows 10 security updates released during this month's Patch Tuesday may fail to install with 0x8007000d errors, although initially displaying progress. [.
The Hacker News
OCTOBER 12, 2023
The threat actors behind ShellBot are leveraging IP addresses transformed into their hexadecimal notation to infiltrate poorly managed Linux SSH servers and deploy the DDoS malware.
Advertisement
Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.
Tech Republic Security
OCTOBER 9, 2023
You can now upgrade up to five computers to Microsoft Windows 11 Home for one low price and get a new sleek interface, advanced tools and enhanced security.
Dark Reading
OCTOBER 10, 2023
Ongoing Rapid Reset DDoS flood attacks exposed organizations need to patch CVE-2023-44487 immediately to head off crippling outages and business disruption.
Bleeping Computer
OCTOBER 12, 2023
Apple has published security updates for older iPhones and iPads to backport patches released one week ago, addressing two zero-day vulnerabilities exploited in attacks. [.
The Hacker News
OCTOBER 10, 2023
Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset. The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure.
Speaker: Erika R. Bales, Esq.
When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.
Tech Republic Security
OCTOBER 11, 2023
Learn how to easily mount remote directories with the help of a more secure SSH tool. Follow along with Jack Wallen in our step-by-step tutorial.
Security Boulevard
OCTOBER 9, 2023
DNA: Do Not Agree. 23andMe says it’s not a breach—just credential stuffing. I’m not so sure. The post Huge DNA PII Leak: 23andMe Must Share the Blame appeared first on Security Boulevard.
Bleeping Computer
OCTOBER 13, 2023
Genetic testing provider 23andMe faces multiple class action lawsuits in the U.S. following a large-scale data breach that is believed to have impacted millions of its customers. [.
The Hacker News
OCTOBER 13, 2023
Microsoft has announced that it plans to eliminate NT LAN Manager (NTLM) in Windows 11 in the future, as it pivots to alternative methods for authentication and bolster security. "The focus is on strengthening the Kerberos authentication protocol, which has been the default since 2000, and reducing reliance on NT LAN Manager (NTLM)," the tech giant said.
Speaker: William Hord, Vice President of ERM Services
A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.
Expert insights. Personalized for you.
108 
Let's personalize your content