Thu.Feb 08, 2024

On Software Liabilities

Schneier on Security

Over on Lawfare, Jim Dempsey published a really interesting proposal for software liability: “Standard for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor.” Section 1 of this paper sets the stage by briefly describing the problem to be solved. Section 2 canvasses the different fields of law (warranty, negligence, products liability, and certification) that could provide a starting point for what would have to be legislative action establis

Weekly Update 386

Troy Hunt

Somehow, an hour and a half went by in the blink of an eye this week. The Spoutible incident just has so many interesting aspects to it: loads of data that should never be returned publicly, awesome response time to the disclosure, lacklustre transparency in their disclosure, some really fundamental misunderstandings about hashing algorithms and a controversy-laden past if you read back over events of the last year.

Warning from LastPass as fake app found on Apple App Store

Malwarebytes

Password manager LastPass has warned about a fraudulent app called “LassPass Password Manager” which it found on the Apple App Store. The app closely mimics the branding and appearance of LastPass, right down to the interface. So, even if the name was a “happy accident”, it seems clear that this was a purposeful attempt to trick users into installing the fake app.

Fortinet Warns of Critical FortiOS SSL VPN Flaw Likely Under Active Exploitation

The Hacker News

Fortinet has disclosed a new critical security flaw in FortiOS SSL VPN that it said is likely being exploited in the wild. The vulnerability, CVE-2024-21762 (CVSS score: 9.6), allows for the execution of arbitrary code and commands.

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

LastPass Free vs. Premium: Which Plan Is Right for You?

Tech Republic Security

Trying to decide between LastPass Free and Premium? This comparison guide highlights the features and benefits of each plan to help you make an informed decision.

Honeyscanner – A vulnerability analyzer for Honeypots

Penetration Testing

Honeyscanner is a vulnerability analyzer for honeypots designed to automatically attack a given honeypot, in order to determine if the honeypot is vulnerable to specific types of... The post Honeyscanner – A vulnerability analyzer for Honeypots appeared first on Penetration Testing.

Chinese Hackers Operate Undetected in U.S. Critical Infrastructure for Half a Decade

The Hacker News

The U.S. government on Wednesday said the Chinese state-sponsored hacking group known as Volt Typhoon had been embedded into some critical infrastructure networks in the country for at least five years. Targets of the threat actor include communications, energy, transportation, and water and wastewater systems sectors in the U.S. and Guam.

26 Cyber Security Stats Every User Should Be Aware Of in 2024

Security Affairs

26 key cyber security stats for 2024 that every user should know, from rising cyber crime rates to the impact of AI technology. Cyber Crime Surge: During COVID-19, cyber crimes shot up by 600%, showing how threats adapt to global changes. Phishing Attacks: Phishing is the top cyber attack, causing 90% of data breaches. Shockingly, 96% of these attacks come through email.

CVE-2024-23452: Apache bRPC HTTP Request Smuggling Vulnerability

Penetration Testing

Apache bRPC is an industrial-grade RPC framework written in C++, which is often used in high-performance systems such as search, storage, machine learning, advertisement, recommendation, etc. However, this crucial infrastructure was recently found vulnerable... The post CVE-2024-23452: Apache bRPC HTTP Request Smuggling Vulnerability appeared first on Penetration Testing.

Microsoft unveils new 'Sudo for Windows' feature in Windows 11

Bleeping Computer

Microsoft introduced 'Sudo for Windows' today, a new Windows 11 feature allowing users to execute commands with elevated privileges from unelevated terminals. [.

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Surge in deepfake “Face Swap” attacks puts remote identity verification at risk

Graham Cluley

New research shows a 704% increase in deepfake "face swap" attacks from the first to the second half of 2023. Read more in my article on the Tripwire State of Security blog.

Linux Vendors Squawk: PATCH NOW — CVSS 9.8 Bootkit Bug in shim.efi

Security Boulevard

Snow joke: A Microsoft researcher found it—and it’s somehow Microsoft’s fault. The post Linux Vendors Squawk: PATCH NOW — CVSS 9.8 Bootkit Bug in shim.efi appeared first on Security Boulevard.

US insurance firms sound alarm after 66,000 individuals impacted by SIM swap attack

Graham Cluley

Two US insurance companies are warning that thousands of individuals' personal information may have been stolen after hackers compromised computer systems. Read more in my article on the Hot for Security blog.

China-Sponsored Hackers Lie in Wait to Attack U.S. Infrastructure

Security Boulevard

Hackers with the Chinese state-sponsored threat group Volt Typhoon continue to hide away in computers and networks of U.S. critical infrastructure entities, “pre-positioning” themselves to disrupt operations if conflicts between the United States and China arise, according to the top U.S. cybersecurity agency. In a stark warning this week, the Cybersecurity and Infrastructure Security Agency.

The Cloud Development Environment Adoption Report

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

Fake LastPass password manager spotted on Apple’s App Store

Bleeping Computer

LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials. [.

China-linked APT Volt Typhoon remained undetected for years in US infrastructure

Security Affairs

China-linked APT Volt Typhoon infiltrated a critical infrastructure network in the US and remained undetected for at least five years. US CISA, the NSA, the FBI, along with partner Five Eyes agencies, published a joint advisory to warn that China-linked APT Volt Typhoon infiltrated a critical infrastructure network in the US and remained undetected for at least five years. “the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and foothold

Warning: New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways

The Hacker News

Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication. The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system. "An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.

Cisco fixes critical Expressway Series CSRF vulnerabilities

Security Affairs

Cisco fixed two critical flaws in Expressway Series collaboration gateways exposing vulnerable devices to cross-site request forgery (CSRF) attacks. Cisco addressed several vulnerabilities in its Expressway Series collaboration gateways, two of which, tracked as CVE-2024-20252 and CVE-2024-20254, are critical flaws that can lead to cross-site request forgery (CSRF) attacks. “Multiple vulnerabilities in the Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct c

Bringing the Cybersecurity Imperative Into Focus

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

News alert: Diversified, GroCyber form partnership to deliver media-centric cybersecurity solutions

The Last Watchdog

Kenilworth, NJ, Feb. 8, 2024 – Diversified, a leading global technology solutions provider, today announced a partnership and trio of solutions with GroCyber. Together, the companies are empowering AV and media companies to improve their cybersecurity stance by providing a “clean bill of health” for their digital media environments, ensuring hardware and software are current, and protecting media storage and devices against the threat of malware.

Tooth be told: Toothbrush DDoS attack claim was lost in translation, says Fortinet

Graham Cluley

After hundreds of media outlets worldwide repeated the false claim that a botnet of three million toothbrushes attacked a Swiss company, the cybersecurity firm at the centre of the story has now issued a statement.

US offers $10 million reward for info on Hive ransomware group leaders

Security Affairs

U.S. Government offers rewards of up to $10 million for information that could help locate, identify, or arrest members of the Hive ransomware group. The US Department of State announced rewards up to $10,000,000 for information leading to the identification and/or location of the leaders of the Hive ransomware group. The US government also offers rewards up to $5,000,000 for information leading to the arrest and/or conviction of any individual in any country who participated or attempted to par

2 million job seekers targeted by data thieves

Malwarebytes

A cybercriminal group known as ResumeLooters has infiltrated 65 job listing and retail websites, compromising the personal data of over two million job seekers. The group used SQL injection and cross-site scripting (XSS) attacks—both common techniques—to extract the sensitive information from the websites. The attacks primarily focused on the Asia-Pacific (APAC) region, targeting sites in Australia, Taiwan, China, Thailand, India, and Vietnam.

Introducing CDEs to Your Enterprise

Explore how enterprises can enhance developer productivity and onboarding by adopting self-hosted Cloud Development Environments (CDEs). This whitepaper highlights the simplicity and flexibility of cloud-based development over traditional setups, demonstrating how large teams can leverage economies of scale to boost efficiency and developer satisfaction.

London Underground Is Testing Real-Time AI Surveillance Tools to Spot Crime

WIRED Threat Level

In a test at one station, Transport for London used a computer vision system to try and detect crime and weapons, people falling on the tracks, and fare dodgers, documents obtained by WIRED show.

Unraveling the truth behind the DDoS attack from electric toothbrushes

Security Affairs

Several media outlets reported that three million electric toothbrushes were compromised and recruited into a DDoS botnet. Is it true? The Swiss newspaper Aargauer Zeitung first published the news of a DDoS attack, carried out on January 30, that involved three million compromised electric toothbrushes. The journalists reported that threat actors gained access to three million electric toothbrushes and installed malware that joined them to the botnet.

Coyote: A multi-stage banking Trojan abusing the Squirrel installer

SecureList

The developers of banking Trojan malware are constantly looking for inventive ways to distribute their implants and infect victims. In a recent investigation, we encountered a new malware that specifically targets users of more than 60 banking institutions, mainly from Brazil. What caught our attention was the sophisticated infection chain that makes use of various advanced technologies, setting it apart from known banking Trojan infections.

HijackLoader Evolves: Researchers Decode the Latest Evasion Methods

The Hacker News

The threat actors behind a loader malware called HijackLoader have added new techniques for defense evasion, as the malware continues to be increasingly used by other threat actors to deliver additional payloads and tooling.

IT Leadership Agrees AI is Here, but Now What?

IT leaders are experiencing rapid evolution in AI amid sustained investment uncertainty. As AI evolves, enhanced cybersecurity and hiring challenges grow. This whitepaper offers real strategies to manage risks and position your organization for success.

2024 Cyberthreat Forecast: AI Attacks, Passkey Solutions and SMBs in the Crosshairs

Security Boulevard

Although generative AI is driving a spike in attacks, it can also serve as another line of cybersecurity defense. The post 2024 Cyberthreat Forecast: AI Attacks, Passkey Solutions and SMBs in the Crosshairs appeared first on Security Boulevard.

Google Starts Blocking Sideloading of Potentially Dangerous Android Apps in Singapore

The Hacker News

Google has unveiled a new pilot program in Singapore that aims to prevent users from sideloading certain apps that abuse Android app permissions to read one-time passwords and gather sensitive data.

NIST’s International Cybersecurity and Privacy Engagement Update – International Dialogues, Workshops, and Translations

NSTIC

With the new year under way, NIST is continuing to engage with our international partners to enhance cybersecurity. Here are some updates on our international work from the end of 2023 into the beginning of 2024: Conversations have continued with our partners throughout the world on the update to the NIST Cybersecurity Framework (CSF) 2.0. The current Draft CSF 2.0 has been shared in a public comment period that ended in November 2023.

Round 3 of the toothbrush DDoS debacle!

Graham Cluley

We thought it was all over, but a Swiss newspaper has come out fighting, blaming Fortinet for spreading untruths about a toothbrush botnet. Will Fortinet return for Round 4, or is this a knockout punch?

Enhance Innovation and Governance Through the Cloud Development Maturity Model

Leverage the Cloud Development Environment Maturity Model to elevate your software development practices with scalable, secure cloud-based workspaces. This model offers a structured approach to modernizing development, aligning technology, developer experience, security, and workflows. By implementing Cloud Development Environments (CDEs), teams can boost efficiency, improve security, and streamline operations through centralized governance.