Schneier on Security

APRIL 24, 2024

Law professor Dan Solove has a new article on privacy regulation. In his email to me, he writes: “I’ve been pondering privacy consent for more than a decade, and I think I finally made a breakthrough with this article.” His mini-abstract: In this Article I argue that most of the time, privacy consent is fictitious. Instead of futile efforts to try to turn privacy consent from fiction to fact, the better approach is to lean into the fictions.

Data collection 228

Data collection Risk 228

Troy Hunt

APRIL 22, 2024

"More Data Breaches Than You Can Shake a Stick At" That seems like a reasonable summary and I suggest there are two main reasons for this observation. Firstly, there are simply loads of breaches happening and you know this already because, well, you read my stuff! Secondly, There are a couple of Twitter accounts in particular that are taking incidents that appear across a combination of a popular clear web hacking forum and various dark web ransomware websites and "raising them to th

Data breaches 211

Data breaches Accountability Ransomware Hacking 211

Lohrman on Security

APRIL 21, 2024

A new book by Alan Shark offers an excellent guide and an AI road map for state and local governments. He answers basic questions that public-sector leaders are asking in 2024.

Artificial Intelligence 159

Artificial Intelligence Government 159

Penetration Testing

APRIL 22, 2024

Security researcher Naor Hodorov has made public a proof-of-concept (PoC) exploit for a severe vulnerability (CVE-2024-21111) in Oracle VirtualBox. This vulnerability plagues VirtualBox versions before 7.0.16 and allows attackers with basic access to a... The post Oracle VirtualBox Elevation of Privilege Vulnerability (CVE-2024-21111): PoC Published appeared first on Penetration Testing.

Penetration Testing 145

Penetration Testing 145

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Schneier on Security

APRIL 22, 2024

Interesting social-engineering attack vector : McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the “C++ Library Manager for Windows, Linux, and MacOS,” known as vcpkg. The attacker is exploiting a property of GitHub: comments to a particular repo can contain files, and those files will be associated with the project in the URL.

Malware 255

Malware Social Engineering Engineering Software 255

The Hacker News

APRIL 22, 2024

New research has found that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes.

138

138

Penetration Testing

APRIL 22, 2024

A new critical vulnerability has emerged, targeting users of the popular enterprise file transfer software, CrushFTP. This zero-day flaw, identified as CVE-2024-4040 with a CVSS score of 7.7, poses a severe risk to organizations... The post CVE-2024-4040: CrushFTP Users Targeted in Zero-Day Attack Campaign appeared first on Penetration Testing.

Penetration Testing 138

Penetration Testing Software Risk 138

Schneier on Security

APRIL 23, 2024

Former senior White House cyber policy director A. J. Grotto talks about the economic incentives for companies to improve their security—in particular, Microsoft: Grotto told us Microsoft had to be “dragged kicking and screaming” to provide logging capabilities to the government by default, and given the fact the mega-corp banked around $20 billion in revenue from security services last year, the concession was minimal at best. […] “The government needs to focus on

Banking 236

Banking Government Marketing Cybersecurity 236

Tech Republic Security

APRIL 23, 2024

Learn about the potential vulnerabilities of VPNs and the measures you can take to enhance your VPN security.

VPN 154

VPN Hacking Technology 154

Bleeping Computer

APRIL 22, 2024

BleepingComputer recently reported how a GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy. It turns out, GitLab is also affected by this issue and could be abused in a similar fashion. [.

Malware 138

Malware 138

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Penetration Testing

APRIL 21, 2024

A recently discovered vulnerability in the popular Laravel web development framework could leave websites and applications built upon it susceptible to severe data breaches. This flaw, designated CVE-2024-29291, affects versions 8.* through 11.* of... The post Laravel Framework Hit by Data Exposure Vulnerability (CVE-2024-29291) – Database Credentials at Risk appeared first on Penetration Testing.

Penetration Testing 141

Penetration Testing Risk Data breaches 141

Schneier on Security

APRIL 25, 2024

The web has become so interwoven with everyday life that it is easy to forget what an extraordinary accomplishment and treasure it is. In just a few decades, much of human knowledge has been collectively written up and made available to anyone with an internet connection. But all of this is coming to an end. The advent of AI threatens to destroy the complex online ecosystem that allows writers, artists, and other creators to reach human audiences.

Engineering 202

Engineering Internet Internet Artificial Intelligence 202

Security Boulevard

APRIL 22, 2024

These women are innovating in the cybersecurity field. How many of them do you know? The post The 10 Women in Cybersecurity You Need to Follow appeared first on Security Boulevard.

Cybersecurity 128

Cybersecurity Media 128

Tech Republic Security

APRIL 24, 2024

A new report by cyber security firm Radware identifies the four main impacts of AI on the threat landscape emerging this year.

Hacking 130

Hacking Artificial Intelligence Phishing Malware 130

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Penetration Testing

APRIL 22, 2024

A new threat has emerged in the cybercrime world, specifically designed to prey on the lucrative gaming community. Security researchers from G DATA have analyzed “Sharp Stealer,” a malware family that steals login credentials,... The post Sharp Stealer: New Malware Targets Gamers’ Accounts and Online Identities appeared first on Penetration Testing.

Accountability 127

Accountability Penetration Testing Malware Cybercrime 127

Bleeping Computer

APRIL 20, 2024

The Forminator WordPress plugin used in over 500,000 sites is vulnerable to a flaw that allows malicious actors to perform unrestricted file uploads to the server. [.

142

142

Security Boulevard

APRIL 23, 2024

The ransomware group that attacked a subsidiary of UnitedHealth Group stole massive amounts of customers’ private health care data, the latest in a continuing string of information coming out about the data breach. In a statement this week, UnitedHealth said that, based on targeted sampling of the data taken, the number of files that contained. The post UnitedHealth: Ransomware Attackers Stole Huge Amount of Data appeared first on Security Boulevard.

Ransomware 123

Ransomware Data breaches Healthcare Data privacy 123

Malwarebytes

APRIL 22, 2024

Four billions public Discord messages are for sale on an internet scraping service called Spy.pet. At first sight there doesn’t seem to be much that is illegal about it. The messages were publicly accessible and there are no laws against scraping data. However, it turns out the site did disregard some laws: more on that later. To get this amount of data the platform gathered information from 14,201 servers about 627,914,396 users.

Cryptocurrency 123

Cryptocurrency Internet Internet Accountability 123

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Penetration Testing

APRIL 24, 2024

Netgear has issued an urgent security alert regarding a severe vulnerability found in several of its popular Nighthawk series routers. The vulnerability, labeled CVE-2023-27368, could allow hackers to completely bypass the router’s login system,... The post CVE-2023-27368: NETGEAR Nighthawk Series Routers Authentication Bypass Vulnerability appeared first on Penetration Testing.

Authentication 111

Authentication Penetration Testing 111

Bleeping Computer

APRIL 23, 2024

North Korean hackers have been exploiting the updating mechanism of the eScan antivirus to plant backdoors on big corporate networks and deliver cryptocurrency miners through GuptiMiner malware. [.

Antivirus 133

Antivirus Malware Cryptocurrency 133

The Hacker News

APRIL 22, 2024

The Russia-linked nation-state threat actor tracked as APT28 weaponized a security flaw in the Microsoft Windows Print Spooler component to deliver a previously unknown custom malware called GooseEgg.

Malware 118

Malware 118

Security Boulevard

APRIL 21, 2024

The Akira ransomware has been around for just more than a year, but has caused its share of damage, racking up more than 250 victims and pulling in about $42 million in ransom, according to law enforcement and cybersecurity agencies in the United States and Europe. Akira was first detected in 2023, showing itself to. The post Akira Ransomware Group Takes In $42 million from 250 Attacks in a Year appeared first on Security Boulevard.

Ransomware 126

Ransomware Cybersecurity Malware Network Security 126

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

Penetration Testing

APRIL 22, 2024

A new report from Kaspersky Labs reveals a sophisticated toolkit used by the advanced persistent threat (APT) group, “ToddyCat,” to steal massive amounts of sensitive data and maintain control over compromised systems. The group... The post ToddyCat: Unveiling the Stealthy APT Group Targeting Asia-Pacific Governments appeared first on Penetration Testing.

Government 123

Government Penetration Testing Malware 123

Bleeping Computer

APRIL 24, 2024

The Federal Trade Commission is sending $5.6 million in refunds to Ring users whose private video feeds were accessed without consent by Amazon employees and contractors, or had their accounts and devices hacked because of insufficient security protections. [.

Accountability 126

Accountability Hacking 126

The Hacker News

APRIL 22, 2024

The MITRE Corporation revealed that it was the target of a nation-state cyber attack that exploited two zero-day flaws in Ivanti Connect Secure appliances starting in January 2024. The intrusion led to the compromise of its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and prototyping network.

Cyber Attacks 123

Cyber Attacks 123

Security Boulevard

APRIL 22, 2024

A six-year-old company that is building a platform and portfolio of tools aimed at automating organizations’ responses to data breaches and protecting executives from personal liability is getting $6.5 million in seed money and bringing on as an adviser the former chief security offer for Uber who last year became the face of legal consequences. The post BreachRx Gets $6.5 Million to Automate Security Incident Response appeared first on Security Boulevard.

Data breaches 118

Data breaches Data privacy CISO Cybersecurity 118

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Penetration Testing

APRIL 21, 2024

Citrix has released an urgent security advisory regarding a vulnerability (CVE-2024-3902) discovered in its uberAgent software. This vulnerability, which has a CVSS score of 7.3 (High), could allow attackers to escalate their privileges within... The post Citrix uberAgent Update for Privilege Escalation Vulnerability (CVE-2024-3902) appeared first on Penetration Testing.

Penetration Testing 118

Penetration Testing Software 118

Bleeping Computer

APRIL 23, 2024

The UnitedHealth Group has confirmed that it paid a ransom to cybercriminals to protect sensitive data stolen during the Optum ransomware attack in late February. [.

Ransomware 135

Ransomware Healthcare 135

The Hacker News

APRIL 22, 2024

Microsoft has revealed that North Korea-linked state-sponsored cyber actors has begun to use artificial intelligence (AI) to make its operations more effective and efficient. "They are learning to use tools powered by AI large language models (LLM) to make their operations more efficient and effective," the tech giant said in its latest report on East Asia hacking groups.

Artificial Intelligence 122

Artificial Intelligence Hacking 122

Security Affairs

APRIL 22, 2024

Researcher demonstrated how to exploit vulnerabilities in the Windows DOS-to-NT path conversion process to achieve rootkit-like capabilities. SafeBreach researcher Or Yair devised a technique, exploiting vulnerabilities in the DOS-to-NT path conversion process, to achieve rootkit-like capabilities on Windows. When a user executes a function with a path argument in Windows, the DOS path of the file or folder is converted to an NT path.

Software 118

Software Engineering Hacking Malware 118

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk