Mummy, where do zero days come from? Opinion One of the charms of coding is that malice can be indistinguishable from incompetence. Last week's Who, Me? story about financial transfer test software running amok is a case in point.... [...]
Health care company Ascension lost sensitive data for nearly 5.6 million individuals in a cyberattack that was attributed to a notorious ransomware gang, according to documents filed with the attorney general of Maine. Ascension owns 140 hospitals and scores of assisted living facilities. In May, the organization was …
The Justice Department has published the criminal complaint against Dmitry Khoroshev, for building and maintaining the LockBit ransomware. [...]
Welcome to the second Cloud CISO Perspectives for December 2024. To close out the year, I’m sharing the top Google Cloud security updates in 2024 that attracted the most interest from the security community. There’s a lot of AI, of course, as well as a few surprises …
Dual Russian-Israeli national arrested in August An alleged LockBit ransomware developer is in custody in Israel and awaiting extradition to the United States.... [...]
Amid claims of sabotage of undersea cables, a small wooden structure houses a key cog in Europe’s digital connectivity At the end of an unmarked path on a tiny island at the edge of Stockholm’s extensive Baltic Sea archipelago lies an inconspicuous little wooden cabin, painted a …
Also, Ascension notifies 5.6M victims, Krispy Kreme bandits come forward, LockBit 4.0 released, and more in brief Google has announced plans to allow its business customers to begin "fingerprinting" users next year, and the UK Information Commissioner's Office (ICO) isn't happy about it.... [...]
A sticker for your water bottle. Blog moderation policy. [...]
Yes, LLMs can do the heavy lifting. But good luck getting one to give evidence CANALYS FORUMS APAC Generative AI is being enthusiastically adopted in almost every field, but infosec experts are divided on whether it is truly helpful for red team raiders who test enterprise systems.... [...]
We continue to expand the scope of our assurance programs at Amazon Web Services (AWS) and are pleased to announce the successful completion of our first ever Protected B High Value Assets (PBHVA) assessment with 149 assessed services and features. Completion of this assessment effective October 4, 2024, makes …
Amazon Web Services (AWS) successfully completed a surveillance audit with no findings for ISO 9001:2015, 27001:2022, 27017:2015, 27018:2019, 27701:2019, 20000-1:2018, and 22301:2019, and Cloud Security Alliance (CSA) STAR Cloud Controls Matrix (CCM) v4.0. EY CertifyPoint auditors conducted the audit and reissued …
Posted by Mateusz Jurczyk, Google Project Zero As previously mentioned in the second installment of the blog post series ( "A brief history of the feature" ), the binary format used to encode registry hives from Windows NT 3.1 up to the modern Windows 11 is called regf. In a …
Amazon Web Services (AWS) is pleased to announce enhancements to our Payment Card Industry (PCI) compliance portfolio, further empowering AWS customers to build and manage secure, compliant payment environments with greater ease and flexibility. PCI Data Security Standard (DSS): Our latest AWS PCI DSS v4 Attestation of Compliance (AOC …
We continue to expand the scope of our assurance programs at Amazon Web Services (AWS) and are pleased to announce that the Fall 2024 System and Organization Controls (SOC) 1, 2, and 3 reports are now available. The reports cover 183 services over the 12-month period from October 1 …
Cybercriminals are selling hundreds of thousands of credential sets stolen with the help of a cracked version of Acunetix, a powerful commercial web app vulnerability scanner, new research finds. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which …
Today, generative AI is giving organizations new ways to process and analyze data, discover hidden insights, increase productivity and build new applications. However, data sovereignty, regulatory compliance, and low-latency requirements can be a challenge. The need to keep sensitive data in certain locations, adhere to strict regulations, and respond …
With the European Commission’s adoption of the Network and Information Systems Directive 2.0, or NIS2, Europe is taking an essential step forward in its strategy to protect consumers, businesses, and government organizations from escalating threats in cyberspace. NIS2 will help to drive a consistent high level of …
It turns out that all cluster mailboxes in the Denver area have the same master key. So if someone robs a postal carrier, they can open any mailbox. I get that a single master key makes the whole system easier, but it’s very fragile security. [...]
Recent campaign targeted 20,000 folk across UK and Europe with this tactic, Unit 42 warns Unknown criminals went on a phishing expedition that targeted about 20,000 users across the automotive, chemical and industrial compound manufacturing sectors in Europe, and tried to steal account credentials and then hijack …
It could end up like Huawei -Trump's gonna get ya, get ya, get ya updated The Feds may ban the sale of TP-Link routers in the US over ongoing national security concerns about Chinese-made devices being used in cyberattacks.... [...]
For the second year in a row, Amazon Web Services (AWS) is named as a Leader in the Information Services Group (ISG) Provider Lens Quadrant report for Sovereign Cloud Infrastructure Services (EU), published on December 18, 2024. ISG is a leading global technology research, analyst, and advisory firm that …
Enrollment invitations will continue until security improves Microsoft last week lauded the success of its efforts to convince customers to use passkeys instead of passwords, without actually quantifying that success.... [...]
With the rapid advancement and adoption of AI, organizations face increasing pressure to ensure their AI systems are developed and used responsibly. This includes considerations around bias, fairness, transparency, privacy, and security. A comprehensive framework for managing the risks and opportunities associated with AI can help by offering a …
Really interesting research into the structure of prime numbers. Not immediately related to the cryptanalysis of prime-number-based public-key algorithms, but every little bit matters. [...]
All it took to make an Google Edge TPU give up model hyperparameters was specific hardware, a novel attack technique... and several days Computer scientists from North Carolina State University have devised a way to copy AI models running on Google Edge Tensor Processing Units (TPUs), as used in …
Image: Shutterstock, iHaMoo. Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized …
Not that you needed another reason to enable the 'known senders' setting Criminals are spoofing Google Calendar emails in a financially motivated phishing expedition that has already affected about 300 organizations with more than 4,000 emails sent over four weeks, according to Check Point researchers.... [...]
Victims' feelings might get hurt, global cops contend, and that could hinder reporting Interpol wants to put an end to the online scam known as "pig butchering" – through linguistic policing, rather than law enforcement.... [...]
A cyberespionage threat group known as 'Bitter' was observed targeting defense organizations in Turkey using a novel malware family named MiyaRAT. [...]
A new Ledger phishing campaign is underway that pretends to be a data breach notification asking you to verify your recovery phrase, which is then stolen and used to steal your cryptocurrency. [...]
You applied the patch that could stop possible RCE attacks last week, right? A critical security hole in Apache Struts 2 – patched last week – is currently being exploited using publicly available proof-of-concept (PoC) code.... [...]
CISA has issued this year's first binding operational directive (BOD 25-01), ordering federal civilian agencies to secure their Microsoft 365 cloud environments by implementing a list of required configuration baselines. [...]
A recently patched critical Apache Struts 2 vulnerability tracked as CVE-2024-53677 is actively exploited using public proof-of-concept exploits to find vulnerable devices. [...]
Not everything needs to be digital and “smart.” License plates, for example : Josep Rodriguez, a researcher at security firm IOActive, has revealed a technique to “jailbreak” digital license plates sold by Reviver, the leading vendor of those plates in the US with 65,000 plates already sold. By removing …
Editor’s note : Virgin Media O2 provides internet and communications services to more than 48.5 million subscribers, and teams are also responsible for supporting more than 16,000 employees. Virgin Media O2 is committed to empowering customers with outstanding customer-centered products and essential connectivity — all powered behind the …
The Irish Data Protection Commission (DPC) fined Meta €251 million ($263.6M) over General Data Protection Regulation (GDPR) violations arising from a 2018 personal data breach impacting 29 million Facebook accounts. [...]
€251 million? Zuck can find that in his couch cushions, but Meta still vows to appeal It's been six years since miscreants abused some sloppy Facebook code to steal access tokens belonging to 30 million users, and the slow-turning wheels of Irish justice have finally caught up with a …
Over 25,000 publicly accessible SonicWall SSLVPN devices are vulnerable to critical severity flaws, with 20,000 using a SonicOS/OSX firmware version that the vendor no longer supports. [...]
Organizations are often caught off-guard when a data breaches occurs, forcing them to quickly perform mass password resets Learn from Specops Software about some of the common mass password reset scenarios and the challenges you may face. [...]
Fresh attempt to mix the perfect cocktail of IoT and Infosec BlackBerry's ambition to mix infosec and the Internet of Things has been squeezed, after the Canadian firm announced it is offloading Cylance's endpoint security products.... [...]
The likes of SHA-256, RSA, ECDSA and ECDH won't be welcome in just five years Australia's chief cyber security agency has decided local orgs should stop using the tech that forms the current cryptographic foundation of the internet by the year 2030 – years before other nations plan to do …
But can you really take crims at their word? Supply chain integration vendor Cleo has urged its customers to upgrade three of its products after an October security update was circumvented, leading to widespread ransomware attacks that Russia-linked gang Cl0p has claimed are its evil work.... [...]
The FBI warned today that new HiatusRAT malware attacks are now scanning for and infecting vulnerable web cameras and DVRs that are exposed online. [...]
The Texas Tech University Health Sciences Center and its El Paso counterpart suffered a cyberattack that disrupted computer systems and applications, potentially exposing the data of 1.4 million patients. [...]
Kali Linux has released version 2024.4, the fourth and final version of 2024, and it is now available with fourteen new tools, numerous improvements, and deprecates some features. [...]
Establishing and maintaining an effective security and governance posture has never been more important for enterprises. This post explains how you, as a security administrator, can use Amazon Web Services (AWS) to enforce resource configurations in a manner that is designed to be secure, scalable, and primarily focused on …
CISA has warned U.S. federal agencies to secure their systems against ongoing attacks targeting a high-severity Windows kernel vulnerability. [...]
As organizations continue their cloud journeys, effective data security in the cloud is a top priority. Whether it’s protecting customer information, intellectual property, or compliance-mandated data, encryption serves as a fundamental security control. This is where AWS Key Management Service (AWS KMS) steps in, offering a robust foundation …
A large-scale malvertising campaign distributed the Lumma Stealer info-stealing malware through fake CAPTCHA verification pages that prompt users to run PowerShell commands to verify they are not a bot. [...]
The US has never attacked Chinese critical infrastructure before, right? President-elect Donald Trump's team wants to go on the offensive against America's cyber adversaries, though it isn't clear how the incoming administration plans to achieve this.... [...]