Mon.Apr 15, 2024

article thumbnail

Crickets from Chirp Systems in Smart Lock Key Leak

Krebs on Security

The U.S. government is warning that “smart locks” securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp’s parent company, RealPage, Inc. , is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.

Software 325
article thumbnail

New Lattice Cryptanalytic Technique

Schneier on Security

A new paper presents a polynomial-time quantum algorithm for solving certain hard lattice problems. This could be a big deal for post-quantum cryptographic algorithms, since many of them base their security on hard lattice problems. A few things to note. One, this paper has not yet been peer reviewed. As this comment points out: “We had already some cases where efficient quantum algorithms for lattice problems were discovered, but they turned out not being correct or only worked for simple

302
302
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

TechRepublic’s Review Methodology for VPNs

Tech Republic Security

Our review methodology for VPNs provides you with a reliable assessment of the best solutions based on the key factors analyzed.

155
155
article thumbnail

The US Government Has a Microsoft Problem

WIRED Threat Level

Microsoft has stumbled through a series of major cybersecurity failures over the past few years. Experts say the US government’s reliance on its systems means the company continues to get a free pass.

article thumbnail

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

article thumbnail

Ukrainian Blackjack group used ICS malware Fuxnet against Russian targets

Security Affairs

The Ukrainian hacking group Blackjack used a destructive ICS malware dubbed Fuxnet in attacks against Russian infrastructure. Industrial and enterprise IoT cybersecurity firm Claroty reported that the Ukrainian Blackjack hacking group claims to have damaged emergency detection and response capabilities in Moscow and beyond the Russian capital using a destructive ICS malware dubbed Fuxnet.

Malware 145
article thumbnail

Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users

The Hacker News

Cybersecurity researchers have discovered a "renewed" cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called LightSpy.

Spyware 144

More Trending

article thumbnail

Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability

The Hacker News

Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild. Tracked as CVE-2024-3400 (CVSS score: 10.

Software 141
article thumbnail

Threat actors exploited Palo Alto Pan-OS issue to deploy a Python Backdoor

Security Affairs

Threat actors have been exploiting the recently disclosed zero-day in Palo Alto Networks PAN-OS since March 26, 2024. Palo Alto Networks and Unit 42 are investigating the activity related to CVE-2024-3400 PAN-OS flaw and discovered that threat actors have been exploiting it since March 26, 2024. CVE-2024-3400 (CVSS score of 10.0) is a critical command injection vulnerability in Palo Alto Networks PAN-OS software.

Firewall 141
article thumbnail

Muddled Libra Shifts Focus to SaaS and Cloud for Extortion and Data Theft Attacks

The Hacker News

The threat actor known as Muddled Libra has been observed actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments in a bid to exfiltrate sensitive data. "Organizations often store a variety of data in SaaS applications and use services from CSPs," Palo Alto Networks Unit 42 said in a report published last week.

Software 137
article thumbnail

CISA adds Palo Alto Networks PAN-OS Command Injection flaw to its Known Exploited Vulnerabilities catalog

Security Affairs

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Palo Alto Networks PAN-OS Command Injection flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection vulnerability to its Known Exploited Vulnerabilities (KEV) catalog : CVE-2024-3400 (CVSS score of 10.0) is a critical command injection vulnerability in Palo Alto Networks PAN-OS software.

Firewall 141
article thumbnail

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

article thumbnail

Intel and Lenovo BMCs Contain Unpatched Lighttpd Server Flaw

The Hacker News

A security flaw impacting the Lighttpd web server used in baseboard management controllers (BMCs) has remained unpatched by device vendors like Intel and Lenovo, new findings from Binarly reveal. While the original shortcoming was discovered and patched by the Lighttpd maintainers way back in August 2018 with version 1.4.

137
137
article thumbnail

Using the LockBit builder to generate targeted ransomware

SecureList

The previous Kaspersky research focused on a detailed analysis of the LockBit 3.0 builder leaked in 2022. Since then, attackers have been able to generate customized versions of the threat according to their needs. This opens up numerous possibilities for malicious actors to make their attacks more effective, since it is possible to configure network spread options and defense-killing functionality.

article thumbnail

Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution

The Hacker News

To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access.

Marketing 136
article thumbnail

Ex-Security Engineer Gets Three Years in Prison for $12 Million Crypto Hacks

Security Boulevard

A former Amazon engineer who scammed more than $12 million from two decentralized cryptocurrencies exchanges in 2022 was sentenced to three years in prison in a case that the U.S. Justice Department (DOJ) called the first conviction for hacking a “smart contract.” Shakeeb Ahmed, who was indicted last year, also will serve three years of. The post Ex-Security Engineer Gets Three Years in Prison for $12 Million Crypto Hacks appeared first on Security Boulevard.

article thumbnail

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

article thumbnail

AI Copilot: Launching Innovation Rockets, But Beware of the Darkness Ahead

The Hacker News

Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn't a plot from the latest cyber-thriller; it's actually been a reality for years now.

article thumbnail

Bitcoin scams, hacks and heists – and how to avoid them

We Live Security

Here’s how cybercriminals target cryptocurrencies and how you can keep your ownbitcoin or other crypto safe.

Scams 126
article thumbnail

Microsoft will limit Exchange Online bulk emails to fight spam

Bleeping Computer

Microsoft has announced plans to fight spam by imposing a daily Exchange Online bulk email limit of 2,000 external recipients starting January 2025. [.

126
126
article thumbnail

Vulnerability in Popular VPN Software Could Lead to Crashes and Service Disruptions

Penetration Testing

A newly discovered vulnerability in Libreswan, a widely used open-source VPN (Virtual Private Network) software, could leave systems open to crashes and potential denial of service attacks, say researchers. The vulnerability poses a risk... The post Vulnerability in Popular VPN Software Could Lead to Crashes and Service Disruptions appeared first on Penetration Testing.

VPN 125
article thumbnail

The Cloud Development Environment Adoption Report

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

article thumbnail

Cisco Duo warns third-party data breach exposed SMS MFA logs

Bleeping Computer

Cisco Duo's security team warns that hackers stole some customers' VoIP and SMS logs for multi-factor authentication (MFA) messages in a cyberattack on their telephony provider. [.

article thumbnail

CVE-2024-32019 in Popular Monitoring Tool Netdata Could Allow Hackers Root Access

Penetration Testing

A serious security vulnerability (CVE-2024-32019) has been discovered in Netdata, a widely used open-source monitoring and troubleshooting tool. This flaw has a CVSS score of 8.8 (“High”) and could allow attackers to gain root-level... The post CVE-2024-32019 in Popular Monitoring Tool Netdata Could Allow Hackers Root Access appeared first on Penetration Testing.

article thumbnail

Microsoft lifts Windows 11 block on some Intel systems after 2 years

Bleeping Computer

Microsoft has finally lifted a compatibility hold blocking Windows 11 upgrades on systems with Intel 11th Gen Core processors and Intel Smart Sound Technology (SST) audio drivers. [.

article thumbnail

CVE-2024-2876: Critical Security Flaw Impacts Popular WordPress Email Marketing Plugin

Penetration Testing

A severe security vulnerability impacting the popular “Email Subscribers by Icegram Express” WordPress plugin has been discovered. The flaw, designated as CVE-2024-2876 and carrying a critical CVSS score of 9.8, allows unauthenticated attackers to... The post CVE-2024-2876: Critical Security Flaw Impacts Popular WordPress Email Marketing Plugin appeared first on Penetration Testing.

Marketing 117
article thumbnail

Bringing the Cybersecurity Imperative Into Focus

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

article thumbnail

Palo Alto Networks fixes zero-day exploited to backdoor firewalls

Bleeping Computer

Palo Alto Networks has started releasing hotfixes for a zero-day vulnerability that has been actively exploited since March 26th to backdoor PAN-OS firewalls. [.

Firewall 116
article thumbnail

“Connect:fun” Campaign Targets Media Organizations, Exploits Critical Fortinet Vulnerability

Penetration Testing

A newly exposed attack campaign, dubbed “Connect:fun,” is raising alarms in the media sector. Researchers at Forescout Research – Vedere Labs warn that a sophisticated threat actor is exploiting a critical Fortinet vulnerability to... The post “Connect:fun” Campaign Targets Media Organizations, Exploits Critical Fortinet Vulnerability appeared first on Penetration Testing.

Media 115
article thumbnail

Roku: Credential Stuffing Attacks Affect 591,000 Accounts

Security Boulevard

Almost 600,000 Roku customers had their accounts hacked through two credential stuffing attacks several weeks apart, illustrating the ongoing risks to people who reuse passwords for multiple online accounts. The streaming service in March reported that more than 15,000 accounts were compromised in a credential stuffing attack, in which bad actors leverage usernames and passwords.

article thumbnail

New SteganoAmor attacks use steganography to target 320 orgs globally

Bleeping Computer

A new campaign conducted by the TA558 hacking group is concealing malicious code inside images using steganography to deliver various malware tools onto targeted systems. [.

Malware 113
article thumbnail

Introducing CDEs to Your Enterprise

Explore how enterprises can enhance developer productivity and onboarding by adopting self-hosted Cloud Development Environments (CDEs). This whitepaper highlights the simplicity and flexibility of cloud-based development over traditional setups, demonstrating how large teams can leverage economies of scale to boost efficiency and developer satisfaction.

article thumbnail

Global Cyberattack Campaign Dubbed “SteganoAmor”

Penetration Testing

Recently, the notorious TA558 group has escalated its offensive, orchestrating a sophisticated series of cyber attacks targeting an array of institutions and companies worldwide. This pervasive campaign, aptly named “SteganoAmor” due to its use... The post Global Cyberattack Campaign Dubbed “SteganoAmor” appeared first on Penetration Testing.

article thumbnail

Ransomware gang starts leaking alleged stolen Change Healthcare data

Bleeping Computer

The RansomHub extortion gang has begun leaking what they claim is corporate and patient data stolen from United Health subsidiary Change Healthcare in what has been a long and convoluted extortion process for the company. [.

article thumbnail

CVE-2024-31497: Critical PuTTY Vulnerability Exposes Private Keys – Immediate Action Required

Penetration Testing

A severe security flaw (CVE-2024-31497) has been discovered in the popular SSH client PuTTY (versions 0.68 to 0.80), impacting a wide range of software including FileZilla, WinSCP, TortoiseGit, and TortoiseSVN. This defect drastically weakens... The post CVE-2024-31497: Critical PuTTY Vulnerability Exposes Private Keys – Immediate Action Required appeared first on Penetration Testing.

article thumbnail

Zscaler to Acquire Airgap Networks to Segment Endpoint Traffic

Security Boulevard

Zscaler has been making a case for a SaaS platform through which application access is provided without corporate network access. Airgap Networks will extend that strategy by enabling Zscaler to extend its cybersecurity policies to the endpoints accessing it. The post Zscaler to Acquire Airgap Networks to Segment Endpoint Traffic appeared first on Security Boulevard.

article thumbnail

IT Leadership Agrees AI is Here, but Now What?

IT leaders are experiencing rapid evolution in AI amid sustained investment uncertainty. As AI evolves, enhanced cybersecurity and hiring challenges grow. This whitepaper offers real strategies to manage risks and position your organization for success.