Schneier on Security

APRIL 11, 2024

Last week, the internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery : The security of the global internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers.

Software 343

Software Engineering Internet Internet 343

Krebs on Security

APRIL 10, 2024

On April 9, Twitter/X began automatically modifying links that mention “twitter.com” to read “x.com” instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links — such as fedetwitter[.]com , which until very recently rendered as fedex.com in tweets.

Phishing 336

Phishing Media Engineering Technology 336

Troy Hunt

APRIL 7, 2024

I suggest, based on my experiences with data breaches over the years, that AT&T is about to have a very bad time of it. Class actions following data breaches have become all too common and I've written before about how much I despise them. The trouble for AT&T (in my non-legal but "hey, I'm the data breach guy" opinion), will be their denial of a breach in 2021 and the subsequent years in which tens of millions of social security numbers were floating around.

Identity Theft 210

Identity Theft Data breaches 210

The Last Watchdog

APRIL 8, 2024

CISOs can sometimes be their own worst enemy, especially when it comes to communicating with the board of directors. Related: The ‘cyber’ case for D&O insurance Vanessa Pegueros knows this all too well. She serves on the board of several technology companies and also happens to be steeped in cyber risk governance. I recently attended an IoActive-sponsored event in Seattle at which Pegueros gave a presentation titled: “Merging Cybersecurity, the Board & Executive Team” Peguero

CISO 210

CISO Risk Cybersecurity Insurance 210

Advertisement

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Software

Schneier on Security

APRIL 8, 2024

This is a newly discovered email vulnerability: The email your manager received and forwarded to you was something completely innocent, such as a potential customer asking a few questions. All that email was supposed to achieve was being forwarded to you. However, the moment the email appeared in your inbox, it changed. The innocent pretext disappeared and the real phishing email became visible.

Phishing 327

Phishing 327

Krebs on Security

APRIL 11, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense , whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening.

CISO 274

CISO Encryption Telecommunications Financial Services 274

The Hacker News

APRIL 12, 2024

Palo Alto Networks is warning that a critical flaw impacting its PAN-OS software used in its GlobalProtect gateways is being exploited in the wild. Tracked as CVE-2024-3400, the issue has a CVSS score of 10.0, indicating maximum severity.

Software 145

Software 145

Schneier on Security

APRIL 9, 2024

US Cyber Safety Review Board released a report on the summer 2023 hack of Microsoft Exchange by China. It was a serious attack by the Chinese government that accessed the emails of senior U.S. government officials. From the executive summary: The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosy

Hacking 285

Hacking Government Accountability Technology 285

Krebs on Security

APRIL 9, 2024

If only Patch Tuesdays came around infrequently — like total solar eclipse rare — instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch — a record 147 flaws in Windows and related software.

DNS 265

DNS Social Engineering Malware Media 265

Tech Republic Security

APRIL 8, 2024

Read about a supply chain attack that involves XZ Utils, a data compressor widely used in Linux systems, and learn how to protect from this threat.

Social Engineering 195

Social Engineering Engineering Cybersecurity 195

Advertisement

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

SecureList

APRIL 12, 2024

On March 29, 2024, a single message on the Openwall OSS-security mailing list marked an important discovery for the information security, open source and Linux communities: the discovery of a malicious backdoor in XZ. XZ is a compression utility integrated into many popular distributions of Linux. The particular danger of the backdoored library lies in its use by the OpenSSH server process sshd.

Malware 144

Malware Technology Encryption Accountability 144

Schneier on Security

APRIL 10, 2024

Last week I posted a short memorial of Ross Anderson. The Communications of the ACM asked me to expand it. Here’s the longer version.

Engineering 312

Engineering Cybersecurity 312

Duo's Security Blog

APRIL 10, 2024

Enrolling users to use multi-factor authentication (MFA) is an essential security step for any organization. But user enrollment can be a logistical challenge and comes with security risks. In this blog we’ll discuss enrollment options and best security practices for Duo admins, whether they are rolling out MFA for the first time or maintaining enrollment for their users.

Authentication 144

Authentication Accountability Risk Government 144

Tech Republic Security

APRIL 12, 2024

Apple recommends that iPhone users install software updates, use strong passwords and 2FA, and don’t open links or attachments from suspicious emails to keep their device safe from spyware.

Spyware 173

Spyware Passwords Software Mobile 173

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Penetration Testing

APRIL 8, 2024

Damn Vulnerable RESTaurant An intentionally vulnerable API service designed for learning and training purposes dedicated to developers, ethical hackers, and security engineers. The idea of the project is to provide an environment that can... The post Damn Vulnerable RESTaurant: An intentionally vulnerable Web API game for learning and training appeared first on Penetration Testing.

Penetration Testing 145

Penetration Testing Engineering 145

Schneier on Security

APRIL 12, 2024

Someone got caught trying to smuggle 322 pounds of gold (that’s about 1/4 of a cubic foot) out of Hong Kong. It was disguised as machine parts: On March 27, customs officials x-rayed two air compressors and discovered that they contained gold that had been “concealed in the integral parts” of the compressors. Those gold parts had also been painted silver to match the other components in an attempt to throw customs off the trail.

267

267

Thales Cloud Protection & Licensing

APRIL 8, 2024

From Marco Polo to Modern Mayhem: Why Identity Management Matters madhav Tue, 04/09/2024 - 05:20 Imagine yourself as Marco Polo, the Venetian merchant traversing dangerous trade routes. Every border crossing meant proving your identity – who you were, where you came from, your purpose. Misrepresenting yourself could mean imprisonment or worse. Today's identity struggles aren't about camel caravans and silk, but that same core battle remains: proving who you are and protecting that identity from

Identity Theft 138

Identity Theft Passwords Banking Accountability 138

Tech Republic Security

APRIL 9, 2024

Discover the top open-source password managers for Windows. Learn about the features and benefits of each to determine which one is the best fit for your needs.

Password Management 168

Password Management Passwords 168

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

The Hacker News

APRIL 9, 2024

Microsoft has released security updates for the month of April 2024 to remediate a record 149 flaws, two of which have come under active exploitation in the wild. Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity.

143

143

Bleeping Computer

APRIL 6, 2024

A threat researcher has disclosed a new arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage (NAS) device models. [.

Accountability 144

Accountability 144

Security Boulevard

APRIL 8, 2024

Cybercriminals pilfered an average of 50.9 login credentials per device, evidence of the pressing need for cybersecurity measures. The post 10 Million Devices Were Infected by Data-Stealing Malware in 2023 appeared first on Security Boulevard.

Malware 141

Malware Cybersecurity Social Engineering Engineering 141

Tech Republic Security

APRIL 11, 2024

Find the best open-source password managers to keep your sensitive information secure and easily accessible. Explore top options for protecting your passwords.

Password Management 157

Password Management Passwords Information Security 157

Advertisement

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

Software

The Hacker News

APRIL 9, 2024

Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices. The findings come from Romanian cybersecurity firm Bitdefender, which discovered and reported the flaws in November 2023. The issues were fixed by LG as part of updates released on March 22, 2024.

Cybersecurity 142

Cybersecurity 142

Security Affairs

APRIL 6, 2024

Cisco warns customers of Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers Cross-Site scripting flaw. Cisco warns of a Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 routers Cross-Site scripting (XSS) flaw. The medium severity issue, tracked as CVE-2024-20362 (CVSS score 6.1), resides in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers.

Small Business 144

Small Business VPN Wireless Software 144

Security Boulevard

APRIL 12, 2024

A hard-coded credential catastrophe: The analytics firm kept big companies’ secrets in an insecure AWS bucket. Government says victims include the “critical infrastructure sector.” The post Sisense Hacked: CISA Warns Customers at Risk appeared first on Security Boulevard.

Risk 139

Risk Hacking Government Digital transformation 139

Tech Republic Security

APRIL 8, 2024

Find out why IT pros in Australia need to take the initiative to self-upskill, and learn how this could lead to salary increases and promotions.

Artificial Intelligence 145

Artificial Intelligence 145

Advertisement

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

Cybersecurity

The Hacker News

APRIL 10, 2024

Cybersecurity researchers have disclosed what they say is the "first native Spectre v2 exploit" against the Linux kernel on Intel systems that could be exploited to read sensitive data from the memory. The exploit, called Native Branch History Injection (BHI), can be used to leak arbitrary kernel memory at 3.

Cybersecurity 137

Cybersecurity 137

Security Affairs

APRIL 9, 2024

Researchers found multiple vulnerabilities in LG webOS running on smart TVs that could allow attackers to gain root access to the devices. Bitdefender researchers discovered multiple vulnerabilities in LG webOS running on smart TVs that could be exploited to bypass authorization and gain root access on the devices. The vulnerabilities discovered by the researchers impact WebOS versions 4 through 7 running on LG TVs. “WebOS runs a service on ports 3000/3001 (HTTP/HTTPS/WSS) which is used by

Hacking 140

Hacking Internet Internet Authentication 140

Security Boulevard

APRIL 10, 2024

4×CVE=RCE or Merely CE? Update your LG TV now, or let hackers root it. But is Bitdefender overhyping the issue? The post Watch This? Patch This! LG Fixes Smart TV Vulns appeared first on Security Boulevard.

Social Engineering 135

Social Engineering IoT Data privacy Engineering 135

Penetration Testing

APRIL 12, 2024

Akamai researcher Ben Barnea has released the technical details and proof-of-concept (PoC) for a severe CVE-2023-35628 vulnerability in Microsoft Windows, specifically affecting Outlook clients and potentially exploitable through Windows Explorer. With a CVSS score... The post PoC Released for Zero-Click CVE-2023-35628 Vulnerability in Microsoft Windows appeared first on Penetration Testing.

Penetration Testing 139

Penetration Testing 139

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity