Thu. Mar 28, 2024


Hardware Vulnerability in Apple’s M-Series Chips

Schneier on Security

It’s yet another hardware side-channel attack: The threat resides in the chips’ data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading the contents into the CPU cache before it’s actually needed, the DMP, as the feature is abbreviated, reduces latency between the main memory and the CPU, a common bottleneck in modern computing.


GitLab Patches Vulnerabilities, Users Urged to Update Immediately

Penetration Testing

GitLab, the popular DevOps platform, has released critical security updates for versions 16.10.1, 16.9.3, and 16.8.5 of its popular Git management software. These patches address vulnerabilities that could expose users to attacks ranging from... The post GitLab Patches Vulnerabilities, Users Urged to Update Immediately appeared first on Penetration Testing.



Update Chrome now! Google patches possible drive-by vulnerability

Malwarebytes

Google has released an update to Chrome which includes seven security fixes. Version 123.0.6312.86/.87 of Chrome for Windows and Mac and 123.0.6312.86 for Linux will roll out over the coming days/weeks. The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention.


New ZenHammer Attack Bypasses Rowhammer Defenses on AMD CPUs

The Hacker News

Cybersecurity researchers from ETH Zurich have developed a new variant of the RowHammer DRAM (dynamic random-access memory) attack that, for the first time, successfully works against AMD Zen 2 and Zen 3 systems despite mitigations such as Target Row Refresh (TRR).


IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.


Facebook spied on Snapchat users to get analytics about the competition

Malwarebytes

Social media giant Facebook snooped on Snapchat users’ network traffic, engaged in anticompetitive behavior and exploited user data through deceptive practices. That’s according to a court document filed March 23, 2024. The document mentions Facebook’s so-called In-App Action Panel (IAAP) program, which existed between June 2016 and approximately May 2019.


Telegram Offers Premium Subscription in Exchange for Using Your Number to Send OTPs

The Hacker News

In June 2017, a study of more than 3,000 Massachusetts Institute of Technology (MIT) students published by the National Bureau for Economic Research (NBER) found that 98% of them were willing to give away their friends' email addresses in exchange for free pizza.



Darcula Phishing Network Leveraging RCS and iMessage to Evade Detection

The Hacker News

A sophisticated phishing-as-a-service (PhaaS) platform called Darcula has set its sights on organizations in over 100 countries by leveraging a massive network of more than 20,000 counterfeit domains to help cyber criminals launch attacks at scale.


Cyber Risk Management: A Beginner’s Guide

Security Boulevard

With the emergence of new cybersecurity regulations like the SEC’s incident disclosure rules and the EU’s NIS2 Directive, much attention is directed towards understanding and complying with these new incident reporting requirements. However, underlying these regulations is a significant emphasis on organizations fully integrating cyber risk management into their operations.


Cisco warns of password-spraying attacks targeting VPN services

Bleeping Computer

Cisco has shared a set of recommendations for customers to mitigate password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices. [.


Elevating Privileges with Azure Site Recovery Services

NetSpi Technical

Cleartext credentials are commonly targeted in a penetration test and used to move laterally to other systems, obtain sensitive information, or even further elevate privileges. While this is a low effort finding to exploit, threat actors will utilize cleartext credentials to conduct attacks that could have a high impact for the target environment. NetSPI discovered a cleartext Azure Access Token for a privileged Managed Identity.


Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.


Synology Surveillance Station Vulnerabilities Expose Systems to Attack – Update Immediately

Penetration Testing

Security researchers at Synology have released a critical security advisory detailing multiple vulnerabilities in their Surveillance Station software. These weaknesses, if left unpatched, could provide malicious actors with alarming access to sensitive systems and... The post Synology Surveillance Station Vulnerabilities Expose Systems to Attack – Update Immediately appeared first on Penetration Testing.


Linux Version of DinodasRAT Spotted in Cyber Attacks Across Several Countries

The Hacker News

A Linux version of a multi-platform backdoor called DinodasRAT has been detected in the wild targeting China, Taiwan, Turkey, and Uzbekistan, new findings from Kaspersky reveal. DinodasRAT, also known as XDealer, is a C++-based malware that offers the ability to harvest a wide range of sensitive data from compromised hosts.


New DHS Rules Aim to Enhance Visibility Across Critical Infrastructure

SecureWorld News

The U.S. Department of Homeland Security (DHS) is set to implement long-awaited rules that will require critical infrastructure entities across multiple sectors to report cyber incidents and ransomware payments to the federal government. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March 2022, directs the Cybersecurity and Infrastructure Security Agency (CISA) to develop regulations for covered entities to report cyber incidents and ransom payments.


Checkmarx Aligns With Wiz to Improve Application Security

Security Boulevard

Checkmarx has integrated its platform for securing application development environments with Wiz's CNAPP. The post Checkmarx Aligns With Wiz to Improve Application Security appeared first on Security Boulevard.


Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?”


“GoFetch” Vulnerability in Apple M-Series Chips

ZoneAlarm

Keeping our digital belongings secure is a top priority in our connected world. The discovery of the GoFetch vulnerability in Apple’s security mechanisms has caused a stir, shedding light on potential weaknesses that could compromise our personal information. Apple devices, widely recognized for their strong security measures, utilize cryptographic keys to encrypt data, keeping our … The post “GoFetch” Vulnerability in Apple M-Series Chips appeared first on ZoneAlarm Security B


Cybersecurity Infrastructure Investment Crashes and Burns Without Governance

Security Boulevard

Just like pilot awareness is crucial during unexpected aviation events, cybersecurity's traditional focus on infrastructure needs to shift to more adept governance. The post Cybersecurity Infrastructure Investment Crashes and Burns Without Governance appeared first on Security Boulevard.


DID YOU KNOW THAT YOUR IDENTITY CAN BE EASILY FAKED ONLINE? EXPOSING DEEPFAKES

Quick Heal Antivirus

Hey there! So, do you know what deepfakes are? They’re like those videos where it seems like someone. The post DID YOU KNOW THAT YOUR IDENTITY CAN BE EASILY FAKED ONLINE? EXPOSING DEEPFAKES appeared first on Quick Heal Blog.


DinodasRAT Linux Malware Targets Global Entities in Expanded Attack Campaign

Penetration Testing

Security researchers at Kaspersky Labs have uncovered a dangerous new variant of the DinodasRAT malware that targets Linux operating systems. This latest version represents a significant expansion in the threat actor’s capabilities as the... The post DinodasRAT Linux Malware Targets Global Entities in Expanded Attack Campaign appeared first on Penetration Testing.


From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.


Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Security Affairs

Google’s Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively exploited zero-day vulnerabilities in 2023. Google’s Threat Analysis Group (TAG) and its subsidiary Mandiant reported that in 2023, 97 zero-day vulnerabilities were exploited in attacks, while in 2022 the number of actively exploited zero-day flaws was 62.


Finland Blames Chinese Hacking Group APT31 for Parliament Cyber Attack

The Hacker News

The Police of Finland (aka Poliisi) has formally accused a Chinese nation-state actor tracked as APT31 for orchestrating a cyber attack targeting the country's Parliament in 2020. The intrusion, per the authorities, is said to have occurred between fall 2020 and early 2021.


Sellafield nuclear waste dump faces prosecution over cybersecurity failures

Graham Cluley

The UK's Office for Nuclear Regulation (ONR) has started legal action against the controversial Sellafield nuclear waste facility due to years of alleged cybersecurity breaches. Read more in my article on the Hot for Security blog.


Behind the Scenes: The Art of Safeguarding Non-Human Identities

The Hacker News

In the whirlwind of modern software development, teams race against time, constantly pushing the boundaries of innovation and efficiency. This relentless pace is fueled by an evolving tech landscape, where SaaS domination, the proliferation of microservices, and the ubiquity of CI/CD pipelines are not just trends but the new norm.


Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.


DinodasRAT Linux implant targeting entities worldwide

SecureList

DinodasRAT, also known as XDealer, is a multi-platform backdoor written in C++ that offers a range of capabilities. This RAT allows the malicious actor to surveil and harvest sensitive data from a target’s computer. A Windows version of this RAT was used in attacks against government entities in Guyana, and documented by ESET researchers as Operation Jacana.


New Webinar: Avoiding Application Security Blind Spots with OPSWAT and F5

The Hacker News

Considering the ever-changing state of cybersecurity, it's never too late to ask yourself, "am I doing what's necessary to keep my organization's web applications secure?"


Empowering Educational Compliance: Navigating the Future with Autonomous Pentesting in Academia

Security Boulevard

How Autonomous Pentesting with NodeZero Transformed University Protection The post Empowering Educational Compliance: Navigating the Future with Autonomous Pentesting in Academia appeared first on Horizon3.ai. The post Empowering Educational Compliance: Navigating the Future with Autonomous Pentesting in Academia appeared first on Security Boulevard.


How Pentesting-as-a-Service can Reduce Overall Security Costs

Bleeping Computer

Penetration testing plays a critical role in finding application vulnerabilities before they can be exploited. Learn more from Outpost24 on the costs of Penetration-Testing-as-a-Service vs classic pentest offerings. [.


ERM Program Fundamentals for Success in the Banking Industry

Speaker: William Hord, Senior VP of Risk & Professional Services

Enterprise Risk Management (ERM) is critical for industry growth in today’s fast-paced and ever-changing risk landscape. When building your ERM program foundation, you need to answer questions like: Do we have robust board and management support? Do we understand and articulate our bank’s risk appetite and how that impacts our business units? How are we measuring and rating our risk impact, likelihood, and controls to mitigate our risk?


GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

Security Boulevard

Singapore, Singapore, March 28th, 2024, Cyberwire GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report that highlights the growing, widespread use and potential of Web3 user security data to aid in risk management. The findings of the report reveal a clear and growing demand for more advanced security tools that can.


Cisco addressed high-severity flaws in IOS and IOS XE software

Security Affairs

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to trigger a denial-of-service (DoS) condition. Cisco this week released patches to address multiple IOS and IOS XE software vulnerabilities. An unauthenticated attacker can exploit several issues fixed by the IT giant to cause a denial-of-service (DoS) condition.


Google: Zero-Day Attacks Rise, Spyware and China are Dangers

Security Boulevard

The number of zero-day vulnerabilities that are exploited jumped in 2023, with enterprises becoming a larger target and spyware vendors and China-backed cyberespionage groups playing an increasingly bigger role, according to Google cybersecurity experts. In a report this week, researchers with Google’s Threat Analysis Group (TAG) and its Mandiant business said they saw 97 zero-day.


Veracode Customers Shielded from NVD Disruptions

Veracode Security

The US National Institute of Standards and Technology (NIST) has almost completely stopped analyzing new vulnerabilities (CVEs) listed in its National Vulnerability Database (NVD). Through the first six weeks of 2024, NIST analyzed over 3,500 CVEs with only 34 CVEs awaiting analysis. Since February 13th, however, nearly half (48%) of the 7,200 CVEs received this year by the NVD are still awaiting analysis. The number of CVEs analyzed has dropped nearly 80% to less than 750 CVEs analyzed.


Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few other applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.