2022

article thumbnail

Inserting a Backdoor into a Machine-Learning System

Schneier on Security

Interesting research: “ ImpNet: Imperceptible and blackbox-undetectable backdoors in compiled neural networks , by Tim Clifford, Ilia Shumailov, Yiren Zhao, Ross Anderson, and Robert Mullins: Abstract : Early backdoor attacks against machine learning set off an arms race in attack and defence development. Defences have since appeared demonstrating some ability to detect backdoors in models or even remove them.

article thumbnail

The Cybersecurity Skills Gap is Another Instance of Late-stage Capitalism

Daniel Miessler

It’s common to hear that it’s hard to get into cybersecurity, and that this is a problem. That seems to be true, but it’s informative to ask a simple follow-up: The current cybersecurity jobs gap sits at around 2.7 million people. A problem for who? I think what we’re facing is an instance of the Two-Worlds Problem that’s now everywhere in US society.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Sending Spammers to Password Purgatory with Microsoft Power Automate and Cloudflare Workers KV

Troy Hunt

How best to punish spammers? I give this topic a lot of thought because I spend a lot of time sifting through the endless rubbish they send me. And that's when it dawned on me: the punishment should fit the crime - robbing me of my time - which means that I, in turn, need to rob them of their time. With the smallest possible overhead on my time, of course.

Passwords 363
article thumbnail

FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked

Krebs on Security

InfraGard , a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO tha

Hacking 361
article thumbnail

ERM Program Fundamentals for Success in the Banking Industry

Speaker: William Hord, Senior VP of Risk & Professional Services

Enterprise Risk Management (ERM) is critical for industry growth in today’s fast-paced and ever-changing risk landscape. When building your ERM program foundation, you need to answer questions like: Do we have robust board and management support? Do we understand and articulate our bank’s risk appetite and how that impacts our business units? How are we measuring and rating our risk impact, likelihood, and controls to mitigate our risk?

article thumbnail

6 ways to reduce your IoT attack surface

Tech Republic Security

As attackers target the ever-growing IoT attack surface, companies can reduce their risks with these six security best practices. The post 6 ways to reduce your IoT attack surface appeared first on TechRepublic.

IoT 214
article thumbnail

Lastpass: Hackers stole customer vault data in cloud storage breach

Bleeping Computer

LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. [.].

145
145

More Trending

article thumbnail

14 lessons CISOs learned in 2022

CSO Magazine

We're about to finish yet another erratic year, in which Elon Musk bought Twitter, Russia invaded Ukraine, and many workers returned to their offices. We also saw, for the first time, a security chief sentenced to prison for concealing a data breach. These events and many more have changed the business landscape and forced CISOs to steer a course through uncertain waters.

CISO 145
article thumbnail

A new Linux flaw can be chained with other two bugs to gain full root privileges

Security Affairs

Qualys researchers demonstrated how to chain a new Linux flaw with two other two issues to gain full root privileges on an impacted system. Researchers at the Qualys’ Threat Research Unit demonstrated how to chain a new Linux vulnerability, tracked as CVE-2022-3328 , with two other flaws to gain full root privileges on an affected system. The vulnerability resides in the snap-confine function on Linux operating systems, a SUID-root program installed by default on Ubuntu.

Hacking 145
article thumbnail

Machine Learning Models: A Dangerous New Attack Vector

Dark Reading

Threat actors can weaponize code within AI technology to gain initial network access, move laterally, deploy malware, steal data, or even poison an organization's supply chain.

Malware 144
article thumbnail

Business Communication Compromise (BCC) Predictions for 2023

CyberSecurity Insiders

By Steven Spadaccini, VP Threat Intelligence, SafeGuard Cyber. In 2022, cybersecurity further became a top priority for businesses around the world following critical attacks on both the public and private sectors and of course, the use of cyber warfare as a Russian tactic in its invasion of Ukraine. This year, organizations have spent significant time and resources attempting to mitigate the risks associated with Business Communication Compromise, including phishing attacks and Personally-Ident

Phishing 143
article thumbnail

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

article thumbnail

Detecting Deepfake Audio by Modeling the Human Acoustic Tract

Schneier on Security

This is interesting research : In this paper, we develop a new mechanism for detecting audio deepfakes using techniques from the field of articulatory phonetics. Specifically, we apply fluid dynamics to estimate the arrangement of the human vocal tract during speech generation and show that deepfakes often model impossible or highly-unlikely anatomical arrangements.

article thumbnail

My Philosophy and Recommendations Around the LastPass Breaches

Daniel Miessler

If you follow Information Security at all you are surely aware of the LastPass breach situation. It started back in August of 2022 as a fairly common breach notification on a blog, but it, unfortunately, turned into more of a blog series. The initial blog was on August 25th, saying there was a breach, but it wasn’t so bad because they had no access to customer data or password vaults: Two weeks ago, we detected some unusual activity within portions of the LastPass development environment.

article thumbnail

Memory Safe Languages in Android 13

Google Security

Posted by Jeffrey Vander Stoep For more than a decade, memory safety vulnerabilities have consistently represented more than 65% of vulnerabilities across products, and across the industry. On Android, we’re now seeing something different - a significant drop in memory safety vulnerabilities and an associated drop in the severity of our vulnerabilities.

DNS 144
article thumbnail

Mastodon: What you need to know for your security and privacy

Graham Cluley

Mastodon is hot right now. After some years of only being used by geeks (yes, I've had an account for a while now) it's at the tipping point of becoming mainstream. If you're part of the exodus of users leaving Twitter for Mastodon, what are the security and privacy issues that you need to be aware of?

article thumbnail

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few others applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.

article thumbnail

How to protect your organization from the top malware strains

Tech Republic Security

A joint advisory from the U.S. and Australia offers tips on combating the top malware strains of 2021, including Agent Tesla, LokiBot, Qakbot, TrickBot and GootLoader. The post How to protect your organization from the top malware strains appeared first on TechRepublic.

Malware 218
article thumbnail

Google Home speakers allowed hackers to snoop on conversations

Bleeping Computer

A bug in Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed. [.].

article thumbnail

Rust: Officially Released in Linux 6.1 Kernel

Security Boulevard

At the weekend, Linus Torvalds released Linux 6.1 to the world. Among other security features is support for writing parts of the kernel in Rust. The post Rust: Officially Released in Linux 6.1 Kernel appeared first on Security Boulevard.

article thumbnail

US Congress funds cybersecurity initiatives in FY2023 spending bill

CSO Magazine

On December 23, the House and Senate Appropriations Committee agreed to a $1.7 trillion omnibus spending bill that funds government operations through the fiscal year 2023. On December 29, President Biden signed it. The 4,155-page bill reflects an already agreed-upon $858 billion for defense spending and an additional $800 billion for non-defense spending, including several prominent cybersecurity items.

article thumbnail

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Did you know that 2021 was a record-breaking year for ransomware? The days of a “once in a while” attack against businesses and organizations are over. Cyberthreats have become a serious issue. With 495.1 million attacks, the threat marked a 148% increase compared to 2020 and was the most expensive year on record! As a result, data protection needs to be a concern for most banks, businesses, and information technology specialists.

article thumbnail

Experts devised a technique to bypass web application firewalls (WAF) of several vendors

Security Affairs

Claroty researchers devised a technique for bypassing the web application firewalls (WAF) of several vendors. Researchers at industrial and IoT cybersecurity firm Claroty devised an attack technique for bypassing the web application firewalls (WAF) of several industry-leading vendors. The technique was discovered while conducting unrelated research on Cambium Networks’ wireless device management platform.

Firewall 144
article thumbnail

Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched

Dark Reading

The computing giant didn't fix ProxyNotLogon in October's Patch Tuesday, but it disclosed a rare 10-out-of-10 bug and patched two other zero-days, including one being exploited.

145
145
article thumbnail

Ransomware threats grow as new vulnerabilities and threat actors are identified

CyberSecurity Insiders

Researchers at Cyber Security Works, Ivanti, and Cyware identify new vulnerabilities, blindspots in popular network scanners, and emerging Advanced Persistent Threat (APT) groups in a joint ransomware report. By Aaron Sandeen, CEO and co-founder of Cyber Security Works. Since our last ransomware report earlier this year, both the severity and complexity of attacker tactics continue to grow as we head into the final quarter of 2022.

article thumbnail

Facebook Is Now Encrypting Links to Prevent URL Stripping

Schneier on Security

Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties. Mozilla introduced support for URL stripping in Firefox 102 , which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser’s Tracking Protection feature is set to strict.

article thumbnail

How to Avoid the Pain and Cost of PCI Compliance While Optimizing Payments

Speaker: P. Andrew Sjogren, Sr. Product Marketing Manager at Very Good Security, Matt Doka, Co-Founder and CTO of Fivestars, and Steve Andrews, President & CEO of the Western Bankers Association 

PCI compliance can feel challenging and sometimes the result feels like you are optimizing more for security and compliance than you are for business outcomes. The key is to take the right strategy to PCI compliance that gets you both. In this webinar, we have a great set of panelists who will take you through how Zero Data strategies can be used as part of a well-rounded compliance and security approach, and get you to market much sooner by also allowing for payment optimization.

article thumbnail

ProxyNotShell— the story of the claimed zero day in Microsoft Exchange

DoublePulsar

Yesterday, cybersecurity vendor GTSC Cyber Security dropped a blog saying they had detected exploitation of a new Microsoft Exchange zero… Continue reading on DoublePulsar ».

article thumbnail

The 2022 Duo Trusted Access Report: Logins in a Dangerous Time

Duo's Security Blog

As global conflicts spill over into the digital realm, the idea of protecting the individual through to the enterprise has taken on a greater sense of urgency. In the 2022 Duo Trusted Access Report: Logins in a Dangerous Time , we examine the dramatic shift beyond discussions of password complexity to those where investing in multi-factor authentication (MFA) and passwordless technology are mandatory costs of doing business.

article thumbnail

Energy bill rebate scams spread via SMS and email

Graham Cluley

The UK’s National Cyber Security Centre (NCSC) has warned that fraudsters are sending out emails and SMS texts urging homeowners to sign up for a discount on their energy bills.

Scams 145
article thumbnail

Microsoft Defender protects Mac and Linux from malicious websites

Tech Republic Security

Now that attackers can phish employees on any device and try to extract credentials, endpoint protection has to cover more than just Windows. The post Microsoft Defender protects Mac and Linux from malicious websites appeared first on TechRepublic.

Phishing 212
article thumbnail

The Power of Storytelling in Risk Management

Speaker: Dr. Karen Hardy, CEO and Chief Risk Officer of Strategic Leadership Advisors LLC

Communication is a core component of a resilient organization's risk management framework. However, risk communication involves more than just reporting information and populating dashboards, and we may be limiting our skillset. Storytelling is the ability to express ideas and convey messages to others, including stakeholders. When done effectively, it can help interpret complex risk environments for leaders and inform their decision-making.

article thumbnail

Google introduces end-to-end encryption for Gmail on the web

Bleeping Computer

Google announced on Friday that it's adding end-to-end encryption to Gmail on the web, allowing enrolled Google Workspace users to send and receive encrypted emails within their domain and outside their domain. [.].

article thumbnail

A Robot’s View of AI in Cybersecurity

Security Boulevard

An AI chatbot wrote the following article on AI in cybersecurity. For real. No humans were harmed in the drafting of this article. Artificial intelligence (AI) and machine learning (ML) are rapidly advancing technologies that have the potential to greatly impact cybersecurity. These technologies can be used to enhance security by analyzing large amounts of.

article thumbnail

CPRA explained: New California privacy law ramps up restrictions on data use

CSO Magazine

On January 1, 2023, 20, the California Privacy Rights Act (CPRA) will go into effect. Approved by ballot measure as Proposition 24 in November 2020, it created a new consumer data privacy agency and put California another step ahead of other states in terms of privacy productions for consumers—and data security requirements for enterprises. California already had a privacy law in place, the California Consumer Privacy Act (CCPA), adopted in 2018.

article thumbnail

Experts detailed a previously undetected VMware ESXi backdoor

Security Affairs

A new Python backdoor is targeting VMware ESXi servers, allowing attackers to take over compromised systems. Juniper Networks researchers spotted a previously undocumented Python backdoor targeting VMware ESXi servers. The researchers discovered the backdoor in October 2022, experts pointed out the implant is notable for its simplicity, persistence and capabilities.

Passwords 144
article thumbnail

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

The COVID-19 pandemic forced many people into working remotely, opening the floodgates for a host of digital compliance issues. Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. This is especially vital if your workers were (and still are!) using company equipment from home, or are still working remotely.