Schneier on Security

DECEMBER 7, 2023

When you get a push notification on your Apple or Google phone, those notifications go through Apple and Google servers. Which means that those companies can spy on them—either for their own reasons or in response to government demands. Sen. Wyden is trying to get to the bottom of this : In a statement, Apple said that Wyden’s letter gave them the opening they needed to share more details with the public about how governments monitored push notifications. “In this case, the fed

Surveillance 320

Surveillance Government Accountability Spyware 320

Troy Hunt

DECEMBER 7, 2023

10 years later. 🤯 Seriously, how did this thing turn into this?! It was the humblest of beginning with absolutely no expectations of anything, and now it's, well, massive! I'm a bit lost for words if I'm honest, I hope the chat with Charlotte adds some candour to this week's update, she's seen this thing grow since before its first birthday, through the hardest times and the best times and now lives and breathes HIBP day in day out with me.

Malware 258

Malware 258

Tech Republic Security

DECEMBER 7, 2023

AMI, Insyde and Lenovo have released patches for LogoFAIL, an image library poisoning attack. Learn more about LogoFAIL.

Technology 194

Technology 194

The Last Watchdog

DECEMBER 7, 2023

Tel Aviv, Israel, Dec. 7, 2023 — Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new AI-powered capability enhancing its Smart Alerting system. The new AI-powered insights enhances the Reflectiz Smart Alerting system by integrating AI LLM technology on top of its traditional alerting tool for cross-checking the validity of the alert with Reflectiz’s extensive databases.

Engineering 130

Engineering Internet Internet Cybersecurity 130

Advertisement

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Software

Tech Republic Security

DECEMBER 7, 2023

Starting Dec. 18, publicly traded companies will need to report material cyber threats to the SEC. Deloitte offers business leaders tips on how to prepare for these new SEC rules.

Cyber threats 142

Cyber threats Cybersecurity 142

Malwarebytes

DECEMBER 7, 2023

Many people don’t realize that the instant alert push notifications you get on your phone are routed through Google or Apple’s servers, depending on which device you use. So if you have an iPhone or iPad, any push notifications can be seen by Apple, and if you use an Android, they can be seen by Google. But, it seems, it’s not just Apple and Google who can view them.

Government 145

Government Surveillance Accountability VPN 145

Malwarebytes

DECEMBER 7, 2023

Android phones are vulnerable to attacks that could allow someone to takeover a device remotely without the device owner needing to do anything. Updates for these vulnerabilities and more are included in Google’s Android security bulletin for December. In total, there are patches for 94 vulnerabilities, including five rated as “Critical.” The most severe of these flaws is a vulnerability in the System component that could lead to remote code execution (RCE) without any additional execution

Risk 141

Risk Cybersecurity 141

Veracode Security

DECEMBER 7, 2023

December 9 marks two years since the world went on high alert because of what was deemed one of the most critical zero-day vulnerabilities ever: Log4Shell. The vulnerability that carried the highest possible severity rating (10.0) was in Apache Log4j, an ubiquitous Java logging framework that Veracode estimated at the time was used in 88 percent of organizations.

138

138

Tech Republic Security

DECEMBER 7, 2023

The purpose of the Incident Reporting and Response Procedures Policy from TechRepublic Premium is to establish a clear and efficient process for employees to report security breaches, device loss, or data exposure incidents involving personal devices used for work purposes. From the policy: CONFIDENTIAL REPORTING Employees are strongly encouraged to promptly report incidents, and they.

125

125

Graham Cluley

DECEMBER 7, 2023

A cybercriminal group calling itself BlackSuit has claimed responsibility for a series of ransomware attacks, including breaches at schools in central Georgia. And earlier in the year, a zoo in Tampa Bay was targeted by the same hacking gang. Learn more about the BlackSuit ransomware in my article on the Tripwire State of Security blog.

Ransomware 132

Ransomware Hacking Data breaches Malware 132

Advertisement

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

WIRED Threat Level

DECEMBER 7, 2023

Mark Zuckerberg personally promised that the privacy feature would launch by default on Messenger and Instagram chat. WIRED goes behind the scenes of the company’s colossal effort to get it right.

Encryption 126

Encryption Media 126

Security Boulevard

DECEMBER 7, 2023

Understanding the scope and impact of BEC is critical for any business that wants to protect itself from this insidious threat. The post Concerned About Business Email Compromise? 4 Technologies That Can Help appeared first on Security Boulevard.

Technology 124

Technology Social Engineering Engineering Phishing 124

Security Affairs

DECEMBER 7, 2023

Russia-linked group APT28 exploited Microsoft Outlook zero-day to target European NATO members, including a NATO Rapid Deployable Corps. Palo Alto Networks’ Unit 42 reported that the Russia-linked APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) group exploited the CVE-2023-23397 vulnerability in attacks aimed at European NATO members.

Government 135

Government Telecommunications Accountability Phishing 135

Security Boulevard

DECEMBER 7, 2023

Software makers need to embrace the growing number of newer programming languages that protect memory to reduce the number of security vulnerabilities in their products, according to cybersecurity agencies in the United States and other countries. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released a report outlining steps software developers can take.

Software 124

Software Cybersecurity Mobile Network Security 124

Advertisement

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

Software

We Live Security

DECEMBER 7, 2023

NFC chips have enabled us to pay in a more convenient way, but there are several flaws which can make the experience less secure. However, despite this, thanks to NFC phone payments, these security flaws can be ameliorated in some ways, like with biometric verification.

Cybercrime 123

Cybercrime 123

Security Affairs

DECEMBER 7, 2023

A previously undetected Linux RAT dubbed Krasue has been observed targeting telecom companies in Thailand. Group-IB researchers discovered a previously undetected Linux remote access trojan called Krasue has been employed in attacks aimed at telecom companies in Thailand. The Krasue Remote Access Trojan (RAT) has remained undetected since at least 2021 when it was registered on Virustotal.

Malware 134

Malware Internet Internet Hacking 134

Security Boulevard

DECEMBER 7, 2023

Transparency in the disclosure of cybersecurity incidents for public companies is no longer good practice – it’s now a regulatory necessity. The imminent requirement for public companies to disclose current material cybersecurity incidents is set to reshape the disclosure landscape for public companies. It brings forth a myriad of considerations that Chief Information Security Officers […] The post Navigating Public Company Cybersecurity Disclosures appeared first on Symmetry Systems.

Cybersecurity 119

Cybersecurity Information Security Government 119

Graham Cluley

DECEMBER 7, 2023

Meta's Head of Messenger announced that the company has begun to roll out end-to-end encryption (E2EE) for personal chats and calls. Read more in my article on the Hot for Security blog.

Encryption 116

Encryption 116

Advertisement

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

Cybersecurity

Security Boulevard

DECEMBER 7, 2023

A recent survey shows that untested software releases, rampant pushing of unvetted and uncontrolled AI-derived code, and bad developer security are all culminating to seriously expand security risks across software development. Add in the explosion of low-code/no-code development and economic headwinds that are pressuring developers to deliver features with less support, and the AppSec world is in for a perfect storm in 2024.

Software 115

Software Risk 115

eSecurity Planet

DECEMBER 7, 2023

Encryption uses mathematical algorithms to transform and encode data so that only authorized parties can access it. This guide will provide a high level overview of encryption and how it fits into IT through the following topics: How Encryption Works To understand how encryption works, we need to understand how it fits into the broader realm of cryptology, how it processes data, common categories, top algorithms, and how encryption fits into IT security.

Encryption 113

Encryption Passwords IoT Firewall 113

Security Boulevard

DECEMBER 7, 2023

The passwordless future feels close because we have the technology to do it, but progress will be slow as applications are migrated to adopt passwordless authentication. The post In Pursuit of a Passwordless Future appeared first on Security Boulevard.

Authentication 113

Authentication Technology Data privacy Passwords 113

Bleeping Computer

DECEMBER 7, 2023

Meta has announced that the immediate availability of end-to-end encryption for all chats and calls made through the Messenger app, as well as the Facebook social media platform. [.

Encryption 112

Encryption Media 112

Advertisement

Explore how enterprises can enhance developer productivity and onboarding by adopting self-hosted Cloud Development Environments (CDEs). This whitepaper highlights the simplicity and flexibility of cloud-based development over traditional setups, demonstrating how large teams can leverage economies of scale to boost efficiency and developer satisfaction.

eSecurity Planet

DECEMBER 7, 2023

Encryption scrambles data to make it unreadable to those without decryption keys. Proper use of encryption preserves secrecy and radically lowers the potential damage of a successful cybersecurity attack. The understanding of different encryption types will often be confused by the many possible, inconsistent, and confusing ways that “encryption type” can be used.

Encryption 109

Encryption Authentication Passwords Password Management 109

Security Boulevard

DECEMBER 7, 2023

In a recent cybersecurity incident, Welltok, a leading healthcare Software as a Service (SaaS) provider, reported unauthorized access to its MOVEit Transfer server, affecting the personal information of approximately 8.5 million patients in the United States. Discovered on July 26, 2023, this breach raises critical concerns about healthcare data security, with far-reaching implications for healthcare […] The post Welltok Data Breach: 8.5M US Patients’ Information Exposed appeared first on TuxCar

Data breaches 105

Data breaches Healthcare Software Cybersecurity 105

The Hacker News

DECEMBER 7, 2023

A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS and iOS devices. Tracked as CVE-2023-45866, the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim.

Authentication 111

Authentication 111

SecureWorld News

DECEMBER 7, 2023

New revelations have shed light on the extensive fallout of the 23andMe data breach, which exposed the personal information of a staggering 6.9 million users. This significant update comes almost two months after the genetic testing company initially reported a breach affecting 14,000 individuals. The SEC filing accompanying these recent developments reveals critical information about the breach's scope, underlining the severity of the situation.

Data breaches 104

Data breaches Passwords Data privacy Accountability 104

Advertisement

IT leaders are experiencing rapid evolution in AI amid sustained investment uncertainty. As AI evolves, enhanced cybersecurity and hiring challenges grow. This whitepaper offers real strategies to manage risks and position your organization for success.

Cybersecurity

Penetration Testing

DECEMBER 7, 2023

In the realm of Java web application development, Apache Struts stands as a paragon of efficiency and modern design. This free, open-source Model-View-Controller (MVC) framework has empowered developers to create elegant web applications with... The post CVE-2023-50164: Apache Struts Remote Code Execution Vulnerability appeared first on Penetration Testing.

Penetration Testing 109

Penetration Testing 109

ZoneAlarm

DECEMBER 7, 2023

The cyber landscape has recently been marred by a highly sophisticated social engineering scheme aimed squarely at Booking.com’s clientele. This complex operation, which cleverly manipulates hotel access credentials and employs deceptive phishing methods, has cast a spotlight on the pressing issues of cybersecurity vulnerabilities in online environments.

Scams 97

Scams Phishing Social Engineering Engineering 97

Bleeping Computer

DECEMBER 7, 2023

Russian APT28 military hackers used Microsoft Outlook zero-day exploits to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. [.

99

99

Penetration Testing

DECEMBER 7, 2023

In a digital age teeming with cyber threats, FortiGuard Labs recently identified an email phishing campaign that spread MrAnon Stealer malware. Crafted with cunning precision, this campaign entices victims through seemingly innocuous hotel booking... The post Cybercriminals Exploit Travel Season with MrAnon Stealer Email Phishing appeared first on Penetration Testing.

Phishing 105

Phishing Penetration Testing Cyber threats Malware 105

Advertisement

Leverage the Cloud Development Environment Maturity Model to elevate your software development practices with scalable, secure cloud-based workspaces. This model offers a structured approach to modernizing development, aligning technology, developer experience, security, and workflows. By implementing Cloud Development Environments (CDEs), teams can boost efficiency, improve security, and streamline operations through centralized governance.

Government