Krebs on Security

SEPTEMBER 19, 2024

Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. While it’s unlikely that many programmers fell for this scam, it’s notable because less targeted versions of it are likely to be far more successful against the average Windows use

Phishing 279

Phishing Scams Malware Passwords 279

Tech Republic Security

SEPTEMBER 17, 2024

Cyber attackers are using malicious emails to infiltrate critical national infrastructure, like utilities, transport, telecommunications, and now data centres.

Telecommunications 189

Telecommunications Cyber Attacks Data breaches Cybersecurity 189

Schneier on Security

SEPTEMBER 27, 2024

NIST’s second draft of its “ SP 800-63-4 “—its digital identify guidelines—finally contains some really good rules about passwords: The following requirements apply to passwords: lVerifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.

Passwords 315

Passwords Authentication 315

Tech Republic Security

SEPTEMBER 20, 2024

The Hacker-Powered Security Report showed mixed feelings toward AI in the security community, with many seeing leaked training data as a threat.

Artificial Intelligence 180

Artificial Intelligence Software 180

Advertisement

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Schneier on Security

SEPTEMBER 12, 2024

Microsoft is updating SymCrypt , its core cryptographic library, with new quantum-secure algorithms. Microsoft’s details are here. From a news article : The first new algorithm Microsoft added to SymCrypt is called ML-KEM. Previously known as CRYSTALS-Kyber, ML-KEM is one of three post-quantum standards formalized last month by the National Institute of Standards and Technology (NIST).

Firmware 332

Firmware Technology 332

Penetration Testing

SEPTEMBER 30, 2024

A serious vulnerability, dubbed KartLANPwn (CVE-2024-45200), has been identified in the wildly popular Nintendo game Mario Kart 8 Deluxe, putting millions of players at risk of remote code execution (RCE)... The post KartLANPwn (CVE-2024-45200) Exploits Mario Kart 8 Deluxe LAN Play Feature for RCE appeared first on Cybersecurity News.

Risk 145

Risk Cybersecurity 145

Malwarebytes

SEPTEMBER 12, 2024

Facebook has admitted that it scrapes the public photos, posts and other data from the accounts of Australian adult users to train its AI models. Unlike citizens of the European Union (EU), Australians are not offered an opt-out option to refuse consent. At an inquiry as to whether the social media giant was hoovering up the data of all Australians in order to build its generative artificial intelligence tools, senator Tony Sheldon asked whether Meta (Facebook’s owner) had used Australian

Media 145

Media Artificial Intelligence Accountability Government 145

Kali Linux

SEPTEMBER 10, 2024

With summer coming to an end, so are package migrations, and Kali 2024.3 can now be released. You can now start downloading or upgrading if you have an existing Kali installation. The summary of the changelog since the 2024.2 release from June is: Qualcomm NetHunter Pro Devices - Qualcomm Snapdragon SDM845 SoC now supported New Tools - 11x new tools in your arsenal Our focus has been on a lot of behind the scenes updates and optimizations since the last release.

Firmware 145

Firmware Architecture Education Passwords 145

Tech Republic Security

SEPTEMBER 3, 2024

Included in the purge are static apps, those with limited functionality and content, and apps that crash, freeze, and don’t offer an “engaging user experience,’’ the company said.

Mobile 175

Mobile 175

Schneier on Security

SEPTEMBER 9, 2024

In 2018, Australia passed the Assistance and Access Act, which—among other things—gave the government the power to force companies to break their own encryption. The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These components include: Technical Assistance Requests (TARs): TARs are voluntary requests for assistance accessing encrypted data from law enforcement to teleco and technology companies.

Encryption 324

Encryption Computers and Electronics Government Security Intelligence 324

Advertisement

Leverage the Cloud Development Environment Maturity Model to elevate your software development practices with scalable, secure cloud-based workspaces. This model offers a structured approach to modernizing development, aligning technology, developer experience, security, and workflows. By implementing Cloud Development Environments (CDEs), teams can boost efficiency, improve security, and streamline operations through centralized governance.

Government

Penetration Testing

SEPTEMBER 29, 2024

A critical vulnerability has been discovered in the popular GiveWP donation plugin for WordPress, potentially allowing unauthenticated attackers to take complete control of affected websites. The flaw, tracked as CVE-2024-8353... The post CVE-2024-8353 (CVSS 10): Critical GiveWP Flaw, 100k WordPress Sites at Risk appeared first on Cybersecurity News.

Risk 145

Risk Cybersecurity 145

WIRED Threat Level

SEPTEMBER 17, 2024

At least eight people have been killed and more than 2,700 people have been injured in Lebanon by exploding pagers. Experts say the blasts point toward a supply chain compromise, not a cyberattack.

Hacking 143

Hacking 143

Malwarebytes

SEPTEMBER 25, 2024

Romance scams continue to plague users, but their costs have risen to staggering heights, according to a Malwarebytes survey carried out last month via our weekly newsletter. More than 66 percent of 850 respondents have been targeted by a romance scam, and those that were ensnared paid a hefty price, with 10 percent of victims losing $10,000 and up.

Scams 138

Scams Media Cryptocurrency Internet 138

Trend Micro

SEPTEMBER 18, 2024

We observed Earth Baxia carrying out targeted attacks against APAC countries that involved advanced techniques like spear-phishing and customized malware, with data suggesting that the group operates from China.

Phishing 141

Phishing Malware 141

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Tech Republic Security

SEPTEMBER 24, 2024

The Secure Future Initiative was created around the same time the U.S. Cyber Safety Review Board chided Redmond for having a poor security culture.

Engineering 167

Engineering Cybersecurity Data breaches 167

Schneier on Security

SEPTEMBER 23, 2024

I always like a good hack. And this story delivers. Basically, the New York City bikeshare program has a system to reward people who move bicycles from full stations to empty ones. By deliberately moving bikes to create artificial problems, and exploiting exactly how the system calculates rewards, some people are making a lot of money. At 10 a.m. on a Tuesday last month, seven Bike Angels descended on the docking station at Broadway and 53rd Street, across from the Ed Sullivan Theater.

Hacking 288

Hacking Manufacturing Scams 288

Penetration Testing

SEPTEMBER 23, 2024

A critical security vulnerability affecting all GNU/Linux systems—and potentially others—has been identified by renowned security researcher Simone Margaritelli. The vulnerability, which allows for unauthenticated remote code execution (RCE), has been... The post Severe Unauthenticated RCE Flaw (CVSS 9.9) in GNU/Linux Systems Awaiting Full Disclosure appeared first on Cybersecurity News.

Cybersecurity 145

Cybersecurity 145

Security Boulevard

SEPTEMBER 30, 2024

Understand the overarching value of PAM, the use cases, the types of systems and how users will benefit from it, including proper contingency plans. The post The Path of Least Resistance to Privileged Access Management appeared first on Security Boulevard.

Security Awareness 133

Security Awareness Cybersecurity 133

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Malwarebytes

SEPTEMBER 25, 2024

A new variation of a hoax that has been doing the rounds on Facebook for years has crossed over to Instagram. We’re seeing this post on Instagram Stories a lot suddenly over the last few days. The post is usually posted as a shareable screenshot on Instagram Stories, but it’s also been spotted on Facebook and Threads as a copy-and-paste text. “Repub Goodbye Meta AI.

Artificial Intelligence 135

Artificial Intelligence Accountability Data privacy Technology 135

Google Security

SEPTEMBER 25, 2024

Posted by Jeff Vander Stoep - Android team, and Alex Rebert - Security Foundations Memory safety vulnerabilities remain a pervasive threat to software security. At Google, we believe the path to eliminating this class of vulnerabilities at scale and building high-assurance software lies in Safe Coding , a secure-by-design approach that prioritizes transitioning to memory-safe languages.

Risk 138

Risk Software Manufacturing Government 138

Tech Republic Security

SEPTEMBER 5, 2024

IBM's Chris Hockings predicts a safer internet with advances in passkey tech, digital identity, deepfake defenses, and post-quantum cryptography.

Cybersecurity 168

Cybersecurity Internet Internet 168

Schneier on Security

SEPTEMBER 3, 2024

The NSA’s “ National Cryptographic School Television Catalogue ” from 1991 lists about 600 COMSEC and SIGINT training videos. There are a bunch explaining the operations of various cryptographic equipment, and a few code words I have never heard of before.

308

308

Advertisement

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

Cybersecurity

Penetration Testing

SEPTEMBER 29, 2024

In a significant development for the cybersecurity community, researchers have published technical details and a proof-of-concept (PoC) exploit for a newly identified vulnerability in the Linux kernel, designated as CVE-2024-26808.... The post CVE-2024-26808: PoC Exploit Shows Local Privilege Escalation Risk in Linux appeared first on Cybersecurity News.

Risk 141

Risk Cybersecurity 141

Security Boulevard

SEPTEMBER 20, 2024

More than 2.1 million stolen VPN passwords have been compromised by malware in the past year, highlighting a growing risk for unauthorized access to secure networks, according to a Specops Software report. The post More Than Two Million Stolen VPN Passwords Discovered appeared first on Security Boulevard.

VPN 138

VPN Passwords Malware Software 138

Duo's Security Blog

SEPTEMBER 5, 2024

The importance of gaining visibility into identity data Over the last two years, the security of an organization's identity ecosystem has become paramount. Before diving into the specifics of dormant accounts, it's important to take a step back and discuss a prerequisite: gaining cross-platform visibility into identity and access management data.

Accountability 141

Accountability Risk Authentication Passwords 141

The Hacker News

SEPTEMBER 26, 2024

Cybersecurity researchers have disclosed a set of now patched vulnerabilities in Kia vehicles that, if successfully exploited, could have allowed remote control over key functions simply by using only a license plate.

Cybersecurity 131

Cybersecurity 131

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Tech Republic Security

SEPTEMBER 16, 2024

DuckDuckGo now has AI chat, emphasizing privacy and anonymity. Discover how this new offering aims to protect user data in conversations.

Artificial Intelligence 170

Artificial Intelligence 170

Schneier on Security

SEPTEMBER 20, 2024

This is really interesting. It’s a phishing attack targeting GitHub users, tricking them to solve a fake Captcha that actually runs a script that is copied to the command line. Clever.

Social Engineering 286

Social Engineering Engineering Phishing Malware 286

Penetration Testing

SEPTEMBER 25, 2024

A severe security flaw has been identified in the popular WordPress plugin The Events Calendar, affecting all versions up to and including 6.6.4. Designated as CVE-2024-8275, the vulnerability has been... The post Critical SQL Injection Vulnerability Discovered in ‘The Events Calendar’ WordPress Plugin (CVE-2024-8275) appeared first on Cybersecurity News.

Cybersecurity 143

Cybersecurity 143

Security Boulevard

SEPTEMBER 30, 2024

Connected cars considered crud: Kia promises bug never exploited. But even 10-year-old cars were vulnerable. The post Kia’s Huge Security Hole: FIXED (Finally) appeared first on Security Boulevard.

Internet 131

Internet Internet IoT Data privacy 131

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity