QR Code Hacks Are Another Thing to Worry About Now
The phishing emails purported to be from Microsoft, telling recipients to scan the attached QR codes to review security requirements and update their accounts.
In fact, scanning the codes landed targets on sites set up to steal their information. The codes allowed the phishing messages to elude email security filters that search for known malicious links.
@Cyber_Security_Channel
Top 5 Disaster Recovery as a Service Providers for 2023
With Disaster Recovery as a Service (DRaaS), organizations can use a cloud-based service provider to handle their disaster recovery planning.
DRaaS can provide a quick way for organizations to restore their data and applications, providing business continuity after a natural or man-made disaster has interrupted or halted IT operations.
@Cyber_Security_Channel
More Than Half of Browser Extensions Pose Security Risks
The study showed 51% of all installed extensions were high risk and had the potential to cause extensive damage to the organizations using them.
The extensions all had the ability to capture sensitive data from enterprise apps, run malicious JavaScript, and surreptitiously send protected data including banking details and login credentials to external parties.
@Cyber_Security_Channel
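A practitioner reading the post above will want to know how an extension's "ability to capture sensitive data ... run malicious JavaScript, and ... send protected data" is visible before installation: it is declared in the manifest. The following is an added example, not the study's tooling and not its scoring method; the permission weights and tier thresholds are this editor's assumptions, and both manifests are constructed. It handles both Manifest V2 (host patterns mixed into "permissions") and V3 ("host_permissions", "scripting", dict-valued CSP).

```python
"""Triage browser-extension manifests by the capabilities they request.

Added example for the study summarized above; not the study's tooling.
The weights and thresholds are assumptions, not the study's method.
"""
import json
import re

# Assumed weights: capabilities that let an extension read or alter
# traffic, sessions or page content of arbitrary web apps score highest.
RISKY_PERMISSIONS = {
    "webRequest": 3,           # observe every request the browser makes
    "webRequestBlocking": 3,   # rewrite or drop requests (MV2)
    "cookies": 3,              # read other sites' session cookies
    "debugger": 4,             # DevTools-protocol access to any tab
    "nativeMessaging": 3,      # bridge to a native helper process
    "proxy": 3,                # route all traffic through a chosen proxy
    "scripting": 2,            # inject JavaScript into pages (MV3)
    "clipboardRead": 2,
    "history": 2,
    "tabs": 1,                 # URLs and titles of open tabs
}

# Match patterns that grant access to every origin.
BROAD_HOST = re.compile(r"^(<all_urls>|\*://\*/\*?|https?://\*/\*?)$")

def host_patterns(m):
    """Collect every match pattern the extension can run on or fetch from."""
    pats = list(m.get("host_permissions", []))
    if m.get("manifest_version", 2) < 3:   # MV2 keeps hosts in "permissions"
        pats += [p for p in m.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
    for cs in m.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats

def score_manifest(manifest):
    """Return a triage tier plus the findings that produced it."""
    m = json.loads(manifest) if isinstance(manifest, str) else manifest
    score, findings = 0, []
    for perm in m.get("permissions", []):
        if perm in RISKY_PERMISSIONS:
            score += RISKY_PERMISSIONS[perm]
            findings.append(f"permission:{perm}")
    hosts = host_patterns(m)
    if any(BROAD_HOST.match(h) for h in hosts):
        score += 4
        findings.append("host:all-origins")
    elif hosts:
        score += 1
        findings.append("host:scoped")
    csp = m.get("content_security_policy", "")
    if isinstance(csp, dict):              # MV3 shape
        csp = csp.get("extension_pages", "")
    if "unsafe-eval" in csp:               # lets remote code run in the extension
        score += 2
        findings.append("csp:unsafe-eval")
    tier = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"name": m.get("name", "?"), "tier": tier, "score": score,
            "findings": sorted(findings)}

# Constructed sample manifests (not real extensions).
COUPON_HELPER_MV3 = json.dumps({
    "manifest_version": 3, "name": "Coupon Helper",
    "permissions": ["cookies", "webRequest", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})
THEME_MV2 = json.dumps({
    "manifest_version": 2, "name": "Dark Theme",
    "permissions": ["storage", "https://themes.example/*"],
})

if __name__ == "__main__":
    for mf in (COUPON_HELPER_MV3, THEME_MV2):
        print(score_manifest(mf))
```

The combination that matters most is broad host access plus `cookies`, `webRequest` or `scripting`: that is exactly what lets an extension read a logged-in enterprise app and post its contents elsewhere, regardless of how benign the listing looks.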
GDPR from a Data Privacy Officer’s Perspective: 4 Keys to Know
GDPR will persist for many years to come, but questions will arise about how it is applied as technology evolves, for example following the explosion of large language models like ChatGPT.
But with novelty and ease of profiling comes uncertainty. A huge conversation has occurred around this from a data compliance perspective, leaving professionals wondering whether GDPR is encompassing enough or whether we need separate legislation.
@Cyber_Security_Channel
University of Minnesota Confirms Data Breach, Says Ransomware Not Involved
The university also said that scans it has performed revealed no ongoing activity related to the incident and there were no system disruptions.
“Our investigation is continuing, but our security professionals have not detected any system malware (including ‘ransomware’), encrypted files or fraudulent emails related to the incident.
There have been no known disruptions to current University operations as a result of this data security incident,” the university said.
@Cyber_Security_Channel
3 Data Privacy Principles to Adopt Now, Even While Governments Still Debate
The good news is brands don’t have to be in a bad position. Yes, these issues are extremely complex and legislation will take time.
But it’s more important than ever to design your own systems to protect individuals and – as a result – to protect your own brand’s future.
Three low-risk, high-reward practices around data privacy and security:
1. Build a foundation of fairness
2. Maximize data transparency
3. Stop hoarding data.
@Cyber_Security_Channel
Adobe Patches Critical Deserialization Vulnerability, but Exploits Persist
Adobe recommends that customers apply the security configuration settings "as outlined on the ColdFusion Security page as well as review the respective Lockdown guides".
It also recommends "updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11."
This is because applying the ColdFusion update without a corresponding JDK update will not allow for a secure server.
@Cyber_Security_Channel
US Government Publishes Guidance on Migrating to Post-Quantum Cryptography
According to the document, existing cryptographic products, protocols, and services, which rely on public key algorithms, will likely be updated or replaced to become quantum-resistant and protect against future threats.
CISA, NSA, and NIST encourage organizations to proactively prepare for migrating to products that adhere to post-quantum cryptographic standards and to implement measures to reduce the risks posed by a ‘cryptanalytically-relevant quantum computer’ (CRQC).
@Cyber_Security_Channel
Smart Light Bulbs Could Give Away Your Password Secrets
For better or for worse (the authors of the paper don’t say whether any disclosure dates were agreed with TP-Link, so we don’t know how long the company has been working on its patches), the researchers have now revealed how their attacks work, albeit without providing any copy-and-pastable attack code for wannabe home-hackers to exploit at will.
@Cyber_Security_Channel
Tesla Data Breach Investigation Reveals Inside Job
In a subsequent investigation of the breach, Tesla found that two former employees "misappropriated the information in violation of Tesla's IT security and data protection policies and shared it with the media outlet."
Handelsblatt has informed Tesla that it does not intend to publish the compromised information, nor would it legally be allowed to.
@Cyber_Security_Channel
Ivanti Ships Urgent Patch for API Authentication Bypass Vulnerability
The vulnerability, tagged as CVE-2023-38035, affects Ivanti Sentry versions 9.18 and prior, and could be exploited by malicious hackers to change configuration, run system commands, or write files onto the system, Ivanti said in an advisory.
“If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure the Ivanti Sentry on the administrator portal (port 8443, commonly MICS),” the company said.
While the issue carries a 9.8/10 CVSS severity score, Ivanti notes there is low risk of exploitation for enterprise administrators who do not expose port 8443 to the internet.
@Cyber_Security_Channel
Ad Firm Plans to Use People’s Data in a Maneuver to Sink Data Privacy Bill
SB 362, known as the Delete Act, would require companies to delete all data on individuals upon request — including data purchased or acquired from third parties.
This would shrink the trove of personal information they hold, such as browsing history, birthdates and past purchases.
Data brokers compile this information to build profiles of people, which can be used to craft advertisements tailored to an individual’s preferences.
But that also grants them access to some of people’s most sensitive details, such as whether they are pregnant or suffering from mental illness.
@Cyber_Security_Channel
Metabase Q Bags $3m Funding to Bolster Cybersecurity in Latin America
Metabase Q, through the recently raised funds, aims to strengthen and expand its capital-efficient operations.
Their objective is to redefine the methodologies modern enterprises adopt to manage, gauge, and advance their cybersecurity endeavours.
The company’s traction is evident, with an impressive 403% quarter-over-quarter surge in new bookings, underscoring Metabase Q’s innovative approach as the cybersecurity industry’s future trajectory.
@Cyber_Security_Channel
Experts Believe AI Could Help Prevent Some Cybersecurity Attacks in Schools
“One of the benefits of AI is that they can be that set of virtual eyes on the school networks when the IT staff are not able to do that,” he said.
He explains that some vendors are incorporating AI into tools that schools are already using.
“Not only can [AI] keep their eyes on the network, they can actually take proactive steps to help defend those networks from cyber criminals who are trying to penetrate their systems and steal valuable data about students and teachers,” said Levin.
But he warns some of these high-tech upgrades may come at a major cost. “In some ways, it’s going to save schools for having to invest maybe in more IT professionals dedicated to security,” he said.
“At another level, I wouldn’t be surprised to see the prices for these solutions to continue to rise.”
@Cyber_Security_Channel
Paperclip SAFE® Adds Data Masking to its Breakthrough Searchable Encryption Solution
Data masking, also referred to as de-identification or anonymization, is the process of modifying sensitive data in such a way that it is of no or little value to unauthorized intruders while still being usable by software or authorized personnel.
The addition of data masking to SAFE was driven by user feedback and changing compliance requirements.
Data masking is required by many compliance frameworks such as GDPR, CCPA, HIPAA and ISO 27002:2022 (Control 8.11) and is recognized by Gartner as a growing category within data security technology.
@Cyber_Security_Channel
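The definition above ("of no or little value to unauthorized intruders while still being usable by software or authorized personnel") is worth seeing in code, because the two halves pull in opposite directions. What follows is an added example, not Paperclip's SAFE code or its algorithm: keyed pseudonymization keeps a field joinable and searchable without being reversible, and partial redaction keeps the format an application expects. The policy table, field names and sample record are constructed for illustration.

```python
"""Data masking helpers: added example, not the SAFE product's code."""
import hmac
import hashlib
import re

def pseudonymize(value, key, prefix="tok_"):
    """Keyed, deterministic token (HMAC-SHA256, truncated to 64 bits).

    Same value + same key -> same token, so masked datasets still join,
    de-duplicate and search on the field. Without the key the token can
    neither be reversed nor matched against a list of guesses; a plain
    unkeyed hash of a 9-digit SSN would fall to a 10**9-entry table.
    """
    norm = value.strip().lower().encode()
    return prefix + hmac.new(key, norm, hashlib.sha256).hexdigest()[:16]

def mask_ssn(ssn):
    """Partial redaction that keeps the format and the last four digits."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return f"***-**-{digits[-4:]}"

def mask_card(pan):
    """Keep first six and last four digits of a PAN; mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("unexpected PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def mask_email(addr):
    """Keep the first character of the local part and the whole domain."""
    local, sep, domain = addr.partition("@")
    if not sep or not local:
        raise ValueError("not an e-mail address")
    return local[0] + "***@" + domain

# Constructed policy: field name -> masking rule (assumption, not a standard).
POLICY = {"ssn": "ssn", "card": "card", "email": "email",
          "customer_id": "pseudonymize", "name": "pseudonymize"}

def mask_record(record, key, policy=POLICY):
    """Apply the policy to one record; fields absent or None are left alone."""
    rules = {"ssn": mask_ssn, "card": mask_card, "email": mask_email,
             "pseudonymize": lambda v: pseudonymize(v, key)}
    out = dict(record)                       # never mutate the caller's copy
    for field, rule in policy.items():
        if out.get(field) is not None:
            out[field] = rules[rule](str(out[field]))
    return out

# Constructed sample record (not real data).
SAMPLE = {"customer_id": "C-1001", "name": "Jane Doe", "ssn": "123-45-6789",
          "card": "4111 1111 1111 1111", "email": "jane.doe@example.com",
          "plan": "gold"}

if __name__ == "__main__":
    print(mask_record(SAMPLE, key=b"demo-key-rotate-me"))
```

Two caveats a reviewer would raise: the HMAC key is now the thing that makes the masked data "of no value" to an intruder, so it needs the same custody as an encryption key, and partial redaction of SSNs leaves the last four digits, which are frequently enough to link records across datasets. The rule choice is a risk decision, not a default.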
11 Cybersecurity Trends to Take From Black Hat 2023
To dig deeper into the event, Techopedia reached out to security analysts, CEOs, CISOs, and CTOs following the conference to get their thoughts on the top cybersecurity trends to take note of from Black Hat 2023.
Their comments have been edited for brevity and clarity.
1. Moving Past the Hype of AI
2. Hardening the Software Supply Chain
3. Managing Costs and Showing the Value of Cybersecurity
4. Cyber Insurance and IoT Security Maturity
5. Cloud Security Remains Top of Mind
@Cyber_Security_Channel
5 Steps to Prepare for India's Digital Personal Data Protection Act
It is important to note that understanding exemptions for specific provisions of the Act will require careful analysis.
There are broad exclusions for government agencies, ambiguous definitions for certain exempt processing purposes and, in the future, the central government is also likely to add additional exemptions for specific data fiduciaries (data controllers) or classes of data fiduciaries, e.g., Start-Ups.
1. Determine applicability
2. Build a data inventory and data map
3. Set up consent mechanisms
4. Enable data principal rights
5. Implement technical and organizational measures
@Cyber_Security_Channel
Social Security Numbers Were Exposed in 69% of Breaches in 2023
While a person’s name continues to be the most exposed individual credential, a Social Security Number has passed date of birth as the second most often exposed individual credential in breaches in the first half of 2023.
Social Security Numbers were exposed in 69% of breaches, up from 60% last year.
Driver’s licenses or other state identification information were exposed in 31% in the first half of 2023, more than double last year’s 14% mark.
Checking or savings account numbers also saw their exposure double year-over-year.
@Cyber_Security_Channel
Speaking Up About Data Privacy in Ed Tech
A large majority of those vendors actually want to hear from education users who find something in those policies they don't like, or need clarification on part of a vendor's privacy policy.
We did truly amazing things with that data privacy program. We got kids involved, we got them excited.
We partnered with external organizations like the Future of Privacy Forum to provide different incentives for kids, as well as educational and awareness videos called Think Privacy, to really embrace a culture of privacy, safety, and security.
@Cyber_Security_Channel
The 7 Best Encryption Apps for Windows, According to MUO
To cut down your search time, we went through a host of options and have listed down the best encryption tools for Windows.
1. 7-Zip
2. VeraCrypt
3. Age
4. Gpg4win
5. BitLocker
6. Cryptomator
7. AxCrypt
Encryption, and cybersecurity in general, is no longer just a passion for a select few hobbyists.
With almost everything going digital, it’s of utmost importance to keep up with the best cybersecurity practices; using an encryption app is one such practice.
@Cyber_Security_Channel
Case from one week ago: Telegram Ban in Iraq Due to “National Security Concerns” Lifted
The national security ban of Telegram appeared to be touched off by the discovery of channels that shared the names, addresses and family relationships of residents of Iraq.
The Ministry of Communications reportedly asked the messaging app to remove these channels, but received no response.
The ban was in place for a little over a week, lifted on August 14 with a post from the Ministry indicating that Telegram had responded to its requests.
@Cyber_Security_Channel
Newer, Better XLoader Signals a Dangerous Shift in macOS Malware
The new XLoader has no such flaw — it's written natively in C and Objective-C.
It's packaged in an application file with the legitimate-sounding name "Office Note," the macOS Microsoft Word logo, and an Apple developer signature. Apple has since revoked the signature, but "it won't make much difference," Stokes says.
"All it means is that the developers will have to pivot to another signature. Developers' signatures are bought and sold on the Dark Net, or they're fakes.
They can even ad hoc sign, which means it doesn't actually have a developer signature, but it will still get past Apple's Gatekeeper detection."
@Cyber_Security_Channel
FBI Finds 1,580 Bitcoin in Crypto Wallets Linked to North Korean Hackers
Previously, the hackers stole crypto assets in attacks against Harmony’s Horizon bridge and Sky Mavis’ Ronin Bridge.
“Private sector entities should examine the blockchain data associated with these addresses and be vigilant in guarding against transactions directly with, or derived from, the addresses,” the FBI says.
@Cyber_Security_Channel
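The FBI's advice to guard against transactions "directly with, or derived from" the listed addresses is a graph problem: direct exposure is any transaction that touches a listed address, and derived exposure is any address whose funds can be traced back to one within some number of hops. The block below is an added example of that screening logic, not an FBI tool; the transaction graph and addresses are constructed placeholders (the real addresses are not on this page), and it uses the conservative "poison" rule, where every output of a transaction spending tainted funds is tainted regardless of amount.

```python
"""Screen a UTXO-style transaction set against a watchlist of addresses.

Added example, not the FBI's tooling. Sample data is constructed.
"""
from collections import deque

# Constructed watchlist and transactions (placeholders, not real chain data).
SEEDS = {"bc1q_seed_A"}
TXS = [
    {"id": "tx1", "inputs": ["bc1q_seed_A"], "outputs": ["bc1q_X"]},
    {"id": "tx2", "inputs": ["bc1q_X", "bc1q_clean_B"], "outputs": ["bc1q_Y", "bc1q_Z"]},
    {"id": "tx3", "inputs": ["bc1q_clean_C"], "outputs": ["bc1q_W"]},
    {"id": "tx4", "inputs": ["bc1q_Y"], "outputs": ["bc1q_exchange_hot"]},
]

def taint_hops(txs, seeds, max_hops):
    """Forward 'poison' propagation: every output of a tx that spends a
    tainted address becomes tainted at hop+1, up to max_hops.

    Amounts are ignored, so this over-approximates (a 1-satoshi dust
    input taints the whole transaction); haircut or FIFO rules are the
    usual refinements when amounts are available.
    """
    spends = {}                      # address -> transactions spending from it
    for tx in txs:
        for addr in tx["inputs"]:
            spends.setdefault(addr, []).append(tx)
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for tx in spends.get(addr, []):
            for out in tx["outputs"]:
                if out not in hops:  # BFS: first visit is the shortest path
                    hops[out] = hops[addr] + 1
                    queue.append(out)
    return hops

def screen(txs, seeds, max_hops=2):
    """Return {tx_id: reason} for transactions a private-sector entity
    should hold for review: 'direct' touches a listed address on either
    side; 'derived (hop n)' spends funds n hops downstream of one."""
    hops = taint_hops(txs, seeds, max_hops)
    flagged = {}
    for tx in txs:
        if (set(tx["inputs"]) | set(tx["outputs"])) & seeds:
            flagged[tx["id"]] = "direct"
            continue
        tainted_in = [hops[a] for a in tx["inputs"] if a in hops]
        if tainted_in:
            flagged[tx["id"]] = f"derived (hop {min(tainted_in)})"
    return flagged

if __name__ == "__main__":
    for depth in (1, 2):
        print(depth, screen(TXS, SEEDS, max_hops=depth))
```

How far to follow the taint is a policy choice: too shallow and a single pass-through wallet launders the funds past the screen, too deep and every large exchange address eventually tests positive. Exchanges typically combine a hop limit with amount-aware rules and manual review of anything flagged.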
'Cuba' Ransomware Group Uses Every Trick in the Book
Once inside the network, Cuba deployed BUGHATCH, its own custom downloader.
BUGHATCH establishes a connection to a command-and-control (C2) server, then downloads attacker payloads (it can also execute files and commands).
One of BUGHATCH's downloads this time, for example, was Metasploit, which it used to cement its foothold in the target environment.
@Cyber_Security_Channel
Energy One Investigates Cyberattack
The company said it took immediate steps to limit the impact of the incident, engaged specialists CyberCX, and alerted the Australian Cyber Security Centre and UK authorities.
As part of the investigation, Energy One has disabled links between its corporate and customer-facing systems as a precaution.
@Cyber_Security_Channel
AI’s Personalization Paradox: Tailored Experiences vs Data Privacy
The power of AI-driven personalization is alluring - but first, we need to solve how it clashes with data privacy.
Balancing tailored experiences with ethical considerations is going to be closely watched in the years to come.
Prioritizing privacy while empowering users - these are the challenges to navigate for a responsible AI landscape.
AI-powered personalization employs AI and machine learning to create customized customer experiences by analyzing extensive data such as browsing history, purchases, interactions, and demographics.
@Cyber_Security_Channel
Motherboard Mishaps Undermine Trust, Security
As of Aug. 28, neither Microsoft nor MSI has uncovered the cause of the issue, and neither company returned a request for comment.
"Both MSI and Microsoft are aware of the 'UNSUPPORTED_PROCESSOR' error and have begun investigating the root cause," MSI wrote in its statement.
"While the investigation is underway, we recommend that all users temporarily refrain from installing the KB5029351 Preview update in Windows."
@Cyber_Security_Channel
Privacy, Data and Cybersecurity Quick Clicks
The Securities and Exchange Commission (SEC) adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance.
The SEC also adopted rules requiring foreign private issuers to make comparable disclosures.
@Cyber_Security_Channel
Why Browser Security Is Crucial
Tall identified two approaches to ensure secure browser adoption: the complete "rip and replace" of existing browsers, which could warrant changes in customer behavior, and the extension of security to current browsers.
But in the realm of cybersecurity tools, secure browsing is still nascent.
Barriers to the adoption of secure browsing, Tall said, stem from the fact that these security tools are often influenced by distribution players, and "it's just a little bit of inertia."
@Cyber_Security_Channel
How to Hire Cybersecurity Professionals
"Hiring and retaining talent can often feel like an uphill battle, but there are a number of things that leaders can be doing to make more strides in this area," said Rob Rashotte, vice president of global training & technical field enablement at Fortinet.
Cybersecurity professionals "should also be offered a little space to experiment," Brown said. "Like many tech people, cyber professionals like to learn by doing and to continually optimize solutions.
Give them room to do this, even just a little, in terms of time and resources." Rashotte and other experts outline four things that employers can do to build their cybersecurity workforces.
@Cyber_Security_Channel