Schneier on Security

APRIL 3, 2024

The lawsuit has been settled : Google has agreed to delete “billions of data records” the company collected while users browsed the web using Incognito mode, according to documents filed in federal court in San Francisco on Monday. The agreement, part of a settlement in a class action lawsuit filed in 2020, caps off years of disclosures about Google’s practices that shed light on how much data the tech giant siphons from its users­—even when they’re in private-browsing mode.

Data collection 305

Data collection 305

Krebs on Security

APRIL 3, 2024

Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called “ The Manipulaters ,” a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate.

Phishing 260

Phishing Cybercrime Malware Advertising 260

WIRED Threat Level

APRIL 3, 2024

The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code.

Hacking 145

Hacking 145

The Hacker News

APRIL 3, 2024

Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies.

Firmware 145

Firmware 145

Advertisement

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Passwords

Penetration Testing

APRIL 3, 2024

secator secator is a task and workflow runner used for security assessments. It supports dozens of well-known security tools and it is designed to improve productivity for pentesters and security researchers. Feature A curated... The post secator: The pentester’s swiss knife appeared first on Penetration Testing.

Penetration Testing 144

Penetration Testing 144

The Hacker News

APRIL 3, 2024

Google on Tuesday said it's piloting a new feature in Chrome called Device Bound Session Credentials (DBSC) to help protect users against session cookie theft by malware. The prototype – currently tested against "some" Google Account users running Chrome Beta – is built with an aim to make it an open web standard, the tech giant's Chromium team said.

Authentication 143

Authentication Accountability Malware 143

The Hacker News

APRIL 3, 2024

The banking trojan known as Mispadu has expanded its focus beyond Latin America (LATAM) and Spanish-speaking individuals to target users in Italy, Poland, and Sweden. Targets of the ongoing campaign include entities spanning finance, services, motor vehicle manufacturing, law firms, and commercial facilities, according to Morphisec.

Manufacturing 141

Manufacturing Banking 141

Malwarebytes

APRIL 3, 2024

In April’s update for the Android operating system (OS) , Google has patched 28 vulnerabilities, one of which is rated critical for Android devices equipped with Qualcomm chips. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

Firmware 139

Firmware Software Mobile Risk 139

Security Affairs

APRIL 3, 2024

Google fixed another Chrome zero-day vulnerability exploited during the Pwn2Own hacking competition in March. Google has addressed another zero-day vulnerability in the Chrome browser, tracked as CVE-2024-3159, that was exploited during the Pwn2Own hacking competition in March, 2024. The vulnerability CVE-2024-3159 is an out of bounds memory access in V8 JavaScript engine.

Hacking 139

Hacking Engineering Network Security Information Security 139

Malwarebytes

APRIL 3, 2024

Google has announced the introduction of Device Bound Session Credentials (DBSC) to secure Chrome users against cookie theft. In January we reported how hackers found a way to gain unauthorized access to Google accounts, bypassing multi-factor authentication (MFA) , by stealing authentication cookies with info-stealer malware. An authentication cookie is added to a web browser after a user proves who they are by logging in.

Authentication 139

Authentication Malware Passwords Accountability 139

Advertisement

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Software

The Hacker News

APRIL 3, 2024

Ivanti has released security updates to address four security flaws impacting Connect Secure and Policy Secure Gateways that could result in code execution and denial-of-service (DoS). The list of flaws is as follows - CVE-2024-21894 (CVSS score: 8.2) - A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.

138

138

Security Affairs

APRIL 3, 2024

Resecurity researchers warn that a new Version of JsOutProx is targeting financial institutions in APAC and MENA via Gitlab abuse. Resecurity has detected a new version of JSOutProx , which is targeting financial services and organizations in the APAC and MENA regions. JSOutProx is a sophisticated attack framework utilizing both JavaScript and.NET. It employs the.NET (de)serialization feature to interact with a core JavaScript module running on the victim’s machine.

Banking 136

Banking Financial Services Malware Phishing 136

The Hacker News

APRIL 3, 2024

Attack surface management (ASM) and vulnerability management (VM) are often confused, and while they overlap, they’re not the same. The main difference between attack surface management and vulnerability management is in their scope: vulnerability management checks a list of known assets, while attack surface management assumes you have unknown assets and so begins with discovery.

137

137

Penetration Testing

APRIL 3, 2024

Google has revealed in their April 2024 Pixel Update Bulletin that several serious security flaws could be putting your Pixel device at risk. Two of these vulnerabilities, labeled CVE-2024-29745 and CVE-2024-29748, are already being... The post CVE-2024-29745 & CVE-2024-29748: Critical Google Pixel Flaws Exploited – Update Immediately appeared first on Penetration Testing.

Penetration Testing 136

Penetration Testing Risk 136

Advertisement

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Security Affairs

APRIL 3, 2024

Jackson County, Missouri, confirmed that a ransomware attack has disrupted several county services. A ransomware attack disrupted several services of the Jackson County, Missouri. The County Executive Frank White, Jr. declared a state of emergency. “Jackson County has confirmed a ransomware attack was responsible for the disruption of several county services today.” reads the statement released by the County. “The rapid response by county associates, especially those within the

Ransomware 134

Ransomware Hacking Technology Cybersecurity 134

Thales Cloud Protection & Licensing

APRIL 3, 2024

Luna HSMs FIPS 140-3 Validation sparsh Wed, 04/03/2024 - 07:52 FIPS 140-3 and You, Part Two Awhile back, we shared that Thales Luna HSMs were about to kick-off the process of moving towards Federal Information Processing Standard (FIPS) 140-3 Level 3, the newest security standard to accredit cryptographic modules. Security standards, like technology, are always evolving, making compliance challenging for customers and vendors alike.

Firmware 133

Firmware Technology Backups Marketing 133

Tech Republic Security

APRIL 3, 2024

Of the IT and security professionals surveyed, 63% said AI will improve security within their organization.

Artificial Intelligence 133

Artificial Intelligence 133

The Hacker News

APRIL 3, 2024

The U.S. Cyber Safety Review Board (CSRB) has criticized Microsoft for a series of security lapses that led to the breach of nearly two dozen companies across Europe and the U.S. by a China-based nation-state group called Storm-0558 last year.

131

131

Advertisement

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

Software

Tech Republic Security

APRIL 3, 2024

AdLock Ad Blocker is a top-rated ad blocking utility and this week only, you can get a lifetime subscription for just $15 with promo code SECURE20.

Internet 129

Internet Internet Network Security 129

Penetration Testing

APRIL 3, 2024

The Node.js project has released a critical security update addressing vulnerabilities in active release lines (v18.x, v20.x, and v21.x) of the popular JavaScript runtime environment. One of the flaws could allow attackers to crash... The post Node.js Security Update Addresses Server Crash, Request Smuggling Vulnerabilities appeared first on Penetration Testing.

Penetration Testing 120

Penetration Testing 120

Tech Republic Security

APRIL 3, 2024

Help your business by becoming your own IT expert. This week only, you can get The 2023 Ultimate IT Career Kickstarter Bundle for just $47.99 with promo code SECURE20.

124

124

Bleeping Computer

APRIL 3, 2024

The U.S. Department of Homeland Security's Cyber Safety Review Board (CSRB) has released a scathing report on how Microsoft handled its 2023 Exchange Online attack, warning that the company needs to do better at securing data and be more truthful about how threat actors stole an Azure signing key. [.

117

117

Advertisement

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

Cybersecurity

Penetration Testing

APRIL 3, 2024

The security researcher Rafie Muhammad has found multiple high-severity vulnerabilities in the REHub WordPress theme (premium version) and the associated REHub Framework plugin. These weaknesses, if left unpatched, could have devastating consequences for businesses... The post Urgent: Patch Critical Vulnerabilities in Widely-Used REHub WordPress Theme & Plugin appeared first on Penetration Testing.

Penetration Testing 102

Penetration Testing 102

Bleeping Computer

APRIL 3, 2024

Data breach alerting service Have I Been Pwned (HIBP) warns that SurveyLama suffered a data breach in February 2024, which exposed the sensitive data of 4.4 million users. [.

Data breaches 110

Data breaches 110

Tech Republic Security

APRIL 3, 2024

In today’s world, if you’re not constantly working to secure your servers, you’re already 10 steps behind every hacker on the planet. And if you happen to be a Linux systems administrator, you might think it doesn’t apply to you. It does. Even though the Linux open source platform is considerably more secure than many.

System Administration 100

System Administration Software 100

Bleeping Computer

APRIL 3, 2024

IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways. [.

VPN 107

VPN Software 107

Advertisement

Explore how enterprises can enhance developer productivity and onboarding by adopting self-hosted Cloud Development Environments (CDEs). This whitepaper highlights the simplicity and flexibility of cloud-based development over traditional setups, demonstrating how large teams can leverage economies of scale to boost efficiency and developer satisfaction.

Graham Cluley

APRIL 3, 2024

Google says it is deleting the your Google Chrome Incognito private-browsing data that it should never have collected anyway. Can a zero-risk millionaire-making bot be trusted? And what countries are banned from buying your sensitive data? All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown's Thom Langford.

Risk 95

Risk Cybersecurity Cryptocurrency Scams 95

Bleeping Computer

APRIL 3, 2024

Google has fixed another zero-day vulnerability in the Chrome browser, which was exploited by security researchers during the Pwn2Own hacking contest last month. [.

Hacking 106

Hacking 106

Penetration Testing

APRIL 3, 2024

Security researchers have uncovered a serious vulnerability in several D-Link Network Attached Storage (NAS) devices, including DNS-320L, DNS-327L, and others. This flaw leaves devices wide open to attack, giving hackers the ability to execute... The post CVE-2024-3273: D-Link NAS Vulnerability Threatens 92,000 Devices appeared first on Penetration Testing.

Penetration Testing 93

Penetration Testing DNS 93

Bleeping Computer

APRIL 3, 2024

Jackson County, Missouri, is in a state of emergency after a ransomware attack took down some county services on Tuesday. [.

Ransomware 102

Ransomware 102

Advertisement

IT leaders are experiencing rapid evolution in AI amid sustained investment uncertainty. As AI evolves, enhanced cybersecurity and hiring challenges grow. This whitepaper offers real strategies to manage risks and position your organization for success.

Cybersecurity