Sat.Apr 20, 2024 - Fri.Apr 26, 2024

The Rise of Large-Language-Model Optimization

Schneier on Security

The web has become so interwoven with everyday life that it is easy to forget what an extraordinary accomplishment and treasure it is. In just a few decades, much of human knowledge has been collectively written up and made available to anyone with an internet connection. But all of this is coming to an end. The advent of AI threatens to destroy the complex online ecosystem that allows writers, artists, and other creators to reach human audiences.

Weekly Update 396

Troy Hunt

"More Data Breaches Than You Can Shake a Stick At" That seems like a reasonable summary and I suggest there are two main reasons for this observation. Firstly, there are simply loads of breaches happening and you know this already because, well, you read my stuff! Secondly, there are a couple of Twitter accounts in particular that are taking incidents that appear across a combination of a popular clear web hacking forum and various dark web ransomware websites and "raising them to th

OpenAI’s GPT-4 Can Autonomously Exploit 87% of One-Day Vulnerabilities, Study Finds

Tech Republic Security

Researchers from the University of Illinois Urbana-Champaign found that OpenAI’s GPT-4 is able to exploit 87% of a list of vulnerabilities when provided with their NIST descriptions.

Review: ‘Artificial Intelligence — A Primer for State and Local Governments’

Lohrman on Security

A new book by Alan Shark offers an excellent guide and an AI road map for state and local governments. He answers basic questions that public-sector leaders are asking in 2024.

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Using Legitimate GitHub URLs for Malware

Schneier on Security

Interesting social-engineering attack vector: McAfee released a report on a new Lua malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the “C++ Library Manager for Windows, Linux, and MacOS,” known as vcpkg. The attacker is exploiting a property of GitHub: comments to a particular repo can contain files, and those files will be associated with the project in the URL.

Oracle VirtualBox Elevation of Privilege Vulnerability (CVE-2024-21111): PoC Published

Penetration Testing

Security researcher Naor Hodorov has made public a proof-of-concept (PoC) exploit for a severe vulnerability (CVE-2024-21111) in Oracle VirtualBox. This vulnerability plagues VirtualBox versions before 7.0.16 and allows attackers with basic access to a... The post Oracle VirtualBox Elevation of Privilege Vulnerability (CVE-2024-21111): PoC Published appeared first on Penetration Testing.

Researchers Uncover Windows Flaws Granting Hackers Rootkit-Like Powers

The Hacker News

New research has found that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes.

Microsoft and Security Incentives

Schneier on Security

Former senior White House cyber policy director A. J. Grotto talks about the economic incentives for companies to improve their security—in particular, Microsoft: Grotto told us Microsoft had to be “dragged kicking and screaming” to provide logging capabilities to the government by default, and given the fact the mega-corp banked around $20 billion in revenue from security services last year, the concession was minimal at best. […] “The government needs to focus on

GitHub comments abused to push malware via Microsoft repo URLs

Bleeping Computer

A GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with a Microsoft repository, making the files appear trustworthy.

BeyondTrust Report: Microsoft Security Vulnerabilities Decreased by 5% in 2023

Tech Republic Security

Refreshed software and collaboration with the security researcher community may have contributed to the 5% drop.

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Urgent GitLab Update Patches Account Takeover Flaw, Other High-Severity Bugs

Penetration Testing

GitLab’s recent security release addresses a series of vulnerabilities that could have far-reaching consequences for your code repositories and development workflows. These flaws range from the potential for complete account hijacking to resource-draining denial-of-service... The post Urgent GitLab Update Patches Account Takeover Flaw, Other High-Severity Bugs appeared first on Penetration Testing.

Dan Solove on Privacy Regulation

Schneier on Security

Law professor Dan Solove has a new article on privacy regulation. In his email to me, he writes: “I’ve been pondering privacy consent for more than a decade, and I think I finally made a breakthrough with this article.” His mini-abstract: In this Article I argue that most of the time, privacy consent is fictitious. Instead of futile efforts to try to turn privacy consent from fiction to fact, the better approach is to lean into the fictions.

Ring agrees to pay $5.6 million after cameras were used to spy on customers

Malwarebytes

Amazon’s Ring has settled with the Federal Trade Commission (FTC) over charges that the company allowed employees and contractors to access customers’ private videos, and failed to implement security protections, which enabled hackers to take control of customers’ accounts, cameras, and videos. The FTC is now sending refunds totaling more than $5.6 million to US consumers as a result of the settlement.

CISA adds Microsoft Windows Print Spooler flaw to its Known Exploited Vulnerabilities catalog

Security Affairs

U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2022-38028 Microsoft Windows Print Spooler Privilege Escalation vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. CISA added the flaw to the KEV catalog after Microsoft reported that the Russia-linked APT28 group (aka “Forest Blizzard”, “Fancybear” or “Strontium” used a previously u

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Laravel Framework Hit by Data Exposure Vulnerability (CVE-2024-29291) – Database Credentials at Risk

Penetration Testing

A recently discovered vulnerability in the popular Laravel web development framework could leave websites and applications built upon it susceptible to severe data breaches. This flaw, designated CVE-2024-29291, affects versions 8.* through 11.* of... The post Laravel Framework Hit by Data Exposure Vulnerability (CVE-2024-29291) – Database Credentials at Risk appeared first on Penetration Testing.

Long Article on GM Spying on Its Cars’ Drivers

Schneier on Security

Kashmir Hill has a really good article on how GM tricked its drivers into letting it spy on them—and then sold that data to insurance companies.

Fake job interviews target developers with new Python backdoor

Bleeping Computer

A new campaign tracked as "Dev Popper" is targeting software developers with fake job interviews in an attempt to trick them into installing a Python remote access trojan (RAT).

The 10 Women in Cybersecurity You Need to Follow

Security Boulevard

These women are innovating in the cybersecurity field. How many of them do you know? The post The 10 Women in Cybersecurity You Need to Follow appeared first on Security Boulevard.

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

pphack: The Most Advanced Client-Side Prototype Pollution Scanner

Penetration Testing

pphack is a CLI tool for scanning websites for client-side prototype pollution vulnerabilities. Features: fast (concurrent workers); default payload covers a lot of cases; payload and JavaScript customization; proxy-friendly; support output in a... The post pphack: The Most Advanced Client-Side Prototype Pollution Scanner appeared first on Penetration Testing.

State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage

The Hacker News

A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments. Cisco Talos, which dubbed the activity ArcaneDoor, attributed it to a previously undocumented, sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft).

WP Automatic WordPress plugin hit by millions of SQL injection attacks

Bleeping Computer

Hackers have started to target a critical severity vulnerability in the WP Automatic plugin for WordPress to create user accounts with administrative privileges and to plant backdoors for long-term access.

N.A. Developers Optimistic About Generative AI and Code Security

Security Boulevard

Developers in North America are more likely than their counterparts in other regions to see generative AI as a tool that can improve the security of the code they’re writing, according to a report by market research firm Evans Data Corp. The company’s most recent Global Development Survey found that 37.6% of programmers from North. The post N.A. Developers Optimistic About Generative AI and Code Security appeared first on Security Boulevard.

The Cloud Development Environment Adoption Report

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

CVE-2024-4040: CrushFTP Users Targeted in Zero-Day Attack Campaign

Penetration Testing

A new critical vulnerability has emerged, targeting users of the popular enterprise file transfer software, CrushFTP. This zero-day flaw, identified as CVE-2024-4040 with a CVSS score of 7.7, poses a severe risk to organizations... The post CVE-2024-4040: CrushFTP Users Targeted in Zero-Day Attack Campaign appeared first on Penetration Testing.

Bogus npm Packages Used to Trick Software Developers into Installing Malware

The Hacker News

An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor. Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER, linking it to North Korean threat actors.

New Brokewell malware takes over Android devices, steals data

Bleeping Computer

Security researchers have discovered a new Android banking trojan they named Brokewell that can capture every event on the device, from touches and information displayed to text input and the applications the user launches.

Akira Ransomware Group Takes In $42 million from 250 Attacks in a Year

Security Boulevard

The Akira ransomware has been around for just more than a year, but has caused its share of damage, racking up more than 250 victims and pulling in about $42 million in ransom, according to law enforcement and cybersecurity agencies in the United States and Europe. Akira was first detected in 2023, showing itself to. The post Akira Ransomware Group Takes In $42 million from 250 Attacks in a Year appeared first on Security Boulevard.

Bringing the Cybersecurity Imperative Into Focus

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

“Substantial proportion” of Americans may have had health and personal data stolen in Change Healthcare breach

Malwarebytes

UnitedHealth Group has given an update on the February cyberattack on Change Healthcare , one of its subsidiaries. In the update, the company revealed the scale of the breach, saying: “Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.

New RedLine Stealer Variant Disguised as Game Cheats Using Lua Bytecode for Stealth

The Hacker News

A new information stealer has been found leveraging Lua bytecode for added stealth and sophistication, findings from McAfee Labs reveal. The cybersecurity firm has assessed it to be a variant of a known malware called RedLine Stealer owing to the fact that the command-and-control (C2) server IP address has been previously identified as associated with the malware.

GitLab affected by GitHub-style CDN flaw allowing malware hosting

Bleeping Computer

BleepingComputer recently reported how a GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy. It turns out, GitLab is also affected by this issue and could be abused in a similar fashion.

Understanding Cybersecurity Vulnerabilities

Security Boulevard

What is a cybersecurity vulnerability, how do they happen, and what can organizations do to avoid falling victim? Among the many cybersecurity pitfalls, snares, snags, and hazards, cybersecurity vulnerabilities and the likes of zero-day attacks are perhaps the most insidious. Our lives are unavoidably woven into the fabric of digital networks, and cybersecurity has become.

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.