Schneier on Security

SEPTEMBER 20, 2024

This is really interesting. It’s a phishing attack targeting GitHub users, tricking them to solve a fake Captcha that actually runs a script that is copied to the command line.

Social Engineering 315

Social Engineering Engineering Phishing Malware 315

Penetration Testing

OCTOBER 27, 2024

The ReliaQuest Threat Research Team uncovered an intensified social engineering campaign tied to the ransomware group Black Basta.

Social Engineering 97

Social Engineering Engineering Ransomware Cybersecurity 97

Tech Republic Security

FEBRUARY 27, 2025

Trends in cybersecurity across 2024 showed less malware and phishing, though more social engineering. CrowdStrike offers tips on securing your business.

Social Engineering 192

Social Engineering Engineering Phishing Malware 192

Penetration Testing

DECEMBER 8, 2024

Distributed Denial of Secrets (DDoSecrets), the non-profit whistleblower organization is celebrating its sixth anniversary with the launch of a new public search engine: the Library of Leaks.

Engineering 98

Engineering Cybersecurity 98

Security Through Education

MARCH 3, 2025

When I first heard of social engineering, about 6 years ago, I couldnt define it clearly and concisely if you had offered me millions of dollars. ’ Lets re-visit what social engineering really means, how people use it, and how you can start protecting yourself from it. Either way, lets refresh and learn together!

Social Engineering 59

Social Engineering Engineering Scams Banking 59

Schneier on Security

JANUARY 30, 2025

They exploit people who are using search engines to search sites like Reddit. There are thousands of fake Reddit and WeTransfer webpages that are pushing malware. Unsuspecting victims clicking on the link are taken to a fake WeTransfer site that mimicks the interface of the popular file-sharing service. ” Boingboing post.

Malware 242

Malware Engineering 242

Penetration Testing

DECEMBER 3, 2024

Google has released a security update for its Chrome web browser to mitigate a high-severity “type confusion” vulnerability (CVE-2024-12053) residing within the V8 JavaScript engine.

Engineering 82

Engineering Cybersecurity 82

Security Affairs

FEBRUARY 6, 2025

Cisco addressed critical flaws in Identity Services Engine, preventing privilege escalation and system configuration changes. and CVE-2025-20125 (CVSS score of 9.1), in Identity Services Engine (ISE).

Engineering 76

Engineering Authentication Software Hacking 76

Krebs on Security

NOVEMBER 12, 2024

Satnam Narang , senior staff research engineer at Tenable , says the danger with stolen NTLM hashes is that they enable so-called “pass-the-hash” attacks, which let an attacker masquerade as a legitimate user without ever having to log in or know the user’s password.

Authentication 252

Authentication Engineering Malware Passwords 252

Schneier on Security

FEBRUARY 25, 2025

This attack proves that UI manipulation and social engineering can bypass even the most secure wallets. No matter how strong your smart contract logic or multisig protections are, the human element remains the weakest link. The industry needs to move to end to end prevention, each transaction must be validated.

Cryptocurrency 250

Cryptocurrency Social Engineering Hacking Engineering 250

Schneier on Security

JANUARY 21, 2025

The first is to engineer LLMs that make more human-like mistakes. If you want to use an AI model to help with a business problem, it’s not enough to see that it understands what factors make a product profitable; you need to be sure it won’t forget what money is.

Social Engineering 339

Social Engineering Engineering Technology Risk 339

Schneier on Security

APRIL 2, 2024

An intentionally placed backdoor in xz Utils, an open-source compression utility, was pretty much accidentally discovered by a Microsoft engineer—weeks before it would have been incorporated into both Debian and Red Hat Linux. The cybersecurity world got really lucky last week. modified the way the software functions.

Social Engineering 353

Social Engineering Engineering Software Encryption 353

Schneier on Security

DECEMBER 2, 2024

Here are the technical details , discovered through reverse engineering. I recently wrote about the new iOS feature that forces an iPhone to reboot after it’s been inactive for a longish period of time. The feature triggers after seventy-two hours of inactivity, even it is remains connected to Wi-Fi.

Engineering 319

Engineering 319

Zero Day

MARCH 19, 2025

Engineering careers are evolving, and LinkedIn's latest Skills on the Rise report highlights the must-have skills for 2025. From AI development to people management, here's how to future-proof your career.

Engineering 115

Engineering 115

Security Boulevard

JANUARY 15, 2025

Sweet Security today added a cloud detection engine to its cybersecurity portfolio that makes use of a large language model (LLM) to identify potential threats in real-time. The post Sweet Security Leverages LLM to Improve Cloud Security appeared first on Security Boulevard.

Engineering 124

Engineering Cybersecurity 124

Schneier on Security

APRIL 25, 2024

In response, a multibillion-dollar industry—search-engine optimization, or SEO—has emerged to cater to Google’s shifting preferences, strategizing new ways for websites to rank higher on search-results pages and thus attain more traffic and lucrative ad impressions. It is too late to stop the emergence of AI.

Engineering 360

Engineering Internet Internet Artificial Intelligence 360

Krebs on Security

JANUARY 7, 2025

Each participant in the call has a specific role, including: -The Caller: The person speaking and trying to social engineer the target. A tutorial shared by Stotle titled “Social Engineering Script” includes a number of tips for scam callers that can help establish trust or a rapport with their prey.

Phishing 333

Phishing Cryptocurrency Accountability Social Engineering 333

Security Boulevard

DECEMBER 5, 2024

Identity phishing doesn’t just lead to data theft – it can also lead to financial fraud, targeted social engineering attacks and lateral movement across endpoints. The post Identity Phishing: Using Legitimate Cloud Services to Steal User Access appeared first on Security Boulevard.

Phishing 111

Phishing Social Engineering Engineering Security Awareness 111

Krebs on Security

FEBRUARY 11, 2025

Tenable senior staff research engineer Satnam Narang noted that since 2022, there have been nine elevation of privilege vulnerabilities in this same Windows component — three each year — including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193).

Artificial Intelligence 192

Artificial Intelligence Engineering Software Internet 192

The Last Watchdog

MARCH 12, 2025

Acting as a proactive teammate, Aptori’s AI Security Engineer works alongside developers and security teams to identify security weaknesses, assess risk, and implement fixes in real-time. The result is deeper coverage and more precise security insights.

Risk 130

Risk Engineering Digital transformation Technology 130

Krebs on Security

OCTOBER 20, 2023

BeyondTrust’s security team detected that someone was trying to use an Okta account assigned to one of their engineers to create an all-powerful administrator account within their Okta environment. He said that on Oct 2.,

Social Engineering 352

Social Engineering Engineering Accountability Hacking 352

Schneier on Security

MAY 16, 2024

ZTDNS aims to solve this decades-old problem by integrating the Windows DNS engine with the Windows Filtering Platform—the core component of the Windows Firewall—directly into client devices.

DNS 328

DNS Firewall Engineering Network Security 328

Schneier on Security

AUGUST 29, 2024

Listening to it, and thinking about the audience of NSA engineers, I wonder how much of what she’s talking about as the future of computing—miniaturization, parallelization—was being done in the present and in secret. She was a remarkable person.

Engineering 342

Engineering Internet Internet 342

Schneier on Security

SEPTEMBER 17, 2024

Interesting social engineering attack: luring potential job applicants with fake recruiting pitches, trying to convince them to download malware.

Malware 308

Malware Social Engineering Engineering Hacking 308

Penetration Testing

NOVEMBER 11, 2024

Cado Security Labs has uncovered a targeted GuLoader malware campaign aimed at European industrial and engineering companies.

Engineering 117

Engineering Malware Cybersecurity 117

The Last Watchdog

FEBRUARY 25, 2025

He earned an electrical engineering degree from Purdue University. About the essayist: Jim Alkove is co-founder and CEO of Oleria. He led security at Salesforce, Microsoft, and Google Nest, advises startups like Aembit and Snyk, and holds 50 U.S.

Risk 219

Risk CISO Engineering 219

Schneier on Security

APRIL 22, 2024

Interesting social-engineering attack vector : McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the “C++ Library Manager for Windows, Linux, and MacOS,” known as vcpkg.

Malware 340

Malware Social Engineering Engineering Software 340

Krebs on Security

NOVEMBER 9, 2024

“This is social engineering at the highest level and there will be failed attempts at times. “In terms of overall social engineering attacks, the more you have a relationship with someone the more they’re going to trust you,” Donahue said. Don’t be discouraged.

Hacking 271

Hacking Accountability Government Social Engineering 271

Adam Shostack

FEBRUARY 20, 2025

Whether youre an engineer, security professional, or product leader, this discussion may help you refine your approach to building secure systems efficiently. The Four Question Framework At its core, we can make threat modeling more accessible to all engineers by asking four simple questions: 1. Here are some key takeaways: 1.

Cybersecurity 130

Cybersecurity Engineering 130

Security Affairs

OCTOBER 30, 2024

Google has patched a critical Chrome vulnerability, tracked as CVE-2024-10487, reported by Apple Security Engineering and Architecture (SEAR) on October 23, 2024. The vulnerability is an Inappropriate implementation issue that resides in Chrome’s V8 JavaScript engine.

Engineering 131

Engineering Architecture Hacking Information Security 131

Adam Shostack

JANUARY 2, 2025

The list of threat actors includes both internal attacker, internal malicious user, and Google engineers. I dont want to make too much of this, but making our diagrams easy to read so we can spend our mental energy on other things pays off. I think that means the first two are internal to the GCP customer. What can go wrong?

Engineering 246

Engineering Authentication 246

Schneier on Security

NOVEMBER 29, 2023

They’re not that good : Security researchers Jesse D’Aguanno and Timo Teräs write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft’s own (..)

Engineering 336

Engineering Authentication 336

Krebs on Security

MARCH 11, 2025

Rapid7’s lead software engineer Adam Barnett said Windows 11 and Server 2019 onwards are not listed as receiving patches, so are presumably not vulnerable. However, ESET notes the vulnerability itself also is present in newer Windows OS versions, including Windows 10 build 1809 and the still-supported Windows Server 2016.

System Administration 215

System Administration Engineering Internet Internet 215

Schneier on Security

SEPTEMBER 20, 2023

For example, hiring managers will want a network security engineer with knowledge of networks or an identity management analyst with experience in identity systems. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. They are not looking for someone interested in security.

Cybersecurity 339

Cybersecurity CISO Engineering Architecture 339

Security Boulevard

MARCH 14, 2025

Organizations can adopt FinOps, a cloud financial management practice promoting shared accountability among engineering, finance and operations teams to balance innovation, security and cost efficiency. The post Savings and Security: The Dual Benefits of FinOps and the Cloud appeared first on Security Boulevard.

Engineering 88

Engineering Accountability Security Awareness Cybersecurity 88

Adam Shostack

JANUARY 2, 2025

A less busy month in appsec, AI, and regulation, but still interesting stories Im going to kick off with two interesting engineering stories. Threat Modeling Jamie Dicken presented Teaching Software Engineers to Threat Model: We Did It, and So Can You at RSA, and her talk made Security Boulevards 8 hot talks list.

Engineering 130

Engineering Software Cybersecurity Risk 130

Schneier on Security

MAY 21, 2024

Apple and Google said they will continue collaborating with the Internet Engineering Task Force to further develop this technology and address the issue of unwanted tracking. Several Bluetooth tag companies have committed to making their future products compatible with the new standard.

Engineering 316

Engineering Internet Internet Technology 316