Users must update their vulnerable libraries manually.
via "The first stop for security news | Threatpost".
Black Hat's lineup of Arsenal tools, Briefings, and in-depth Trainings will equip you with the skills you need to protect today's modern devices and operating systems.
While more than half of organizations use a hybrid cloud setup, many are still configuring security policies manually, or are using too many tools.
Cyber-threats pose an existential challenge, says RedSeal CEO Ray Rothrock.
IoT devices have become part of our work and personal lives. Unfortunately, building security into these devices was largely an afterthought.
Difficult-to-implement encryption schemes in self-encrypting drives are likely handled incorrectly, leading to a false sense of security.
OT and IT need to merge, says RedSeal CEO Ray Rothrock, in order to protect your company from cyberattacks.
Facebook continues to address the challenges faced during the 2016 election.
To prevent cyberattacks, companies must invest in training and education, says Ray Rothrock, CEO of RedSeal.
Firmware updates won't address the problem, so admins need to take other action.
In order to plug AI into your existing workflow you must first understand and organize master data sets, says Schneider Electric Chief Digital Officer Herve Coureil.
Unauthorized users accessed HSBC accounts between Oct. 4 and 14, the bank reports in a letter to customers.
Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash.
With every new technology comes a hype cycle followed by a wave of disappointment, says Schneider Electric Chief Digital Officer Herve Coureil.
The Internet of Things, expected to grow exponentially over the next half decade, will generate the essential data that AI systems need to automate industry, says Schneider Electric Chief Digital Officer Herve Coureil.
Vulnerabilities in Samsung, Crucial storage devices enable data recovery without a password or decryption key, researchers reveal.
One-third of respondents in a new poll said they have been a victim of fraud or identity theft in the past.
Cloud adoption drives organizations to spend in 2019 as they learn traditional security practices can't keep up.
New vulnerability exposes encryption keys in the first proof-of-concept code.
The data breach includes names, addresses, transaction histories, account information and more.
Android's November security bulletin is here, and there's more to patch and more urgency about applying the fixes.
Chris Wilson of WPA Intelligence explains how businesses could use predictive analytics to target customers, much like how political campaigners use targeting of potential voters.
A WhatsApp chain letter is warning of a malware-packing video called "martinelli", and selling its lie with a grain of truth.
Online-note-sharing company Evernote has patched a hole that allowed attackers to infect notes shared via its service.
The manual turns good advice on its head, telling officials to use, reuse and recycle weak passwords.
Among the 20 application vulnerabilities, half were in Adobe Flash and 20% were in Microsoft Office.
Jack Wallen discusses why everyone should use a password manager.
A look at some of the more interesting investments, acquisitions, and strategic moves in the security sector over the past year.
Cybersecurity folks often struggle to get threat intelligence's benefits. Fortunately, there are ways to overcome these problems.
The majority of users would stop interacting with a brand after a breach.
A sophisticated proxy code has infected hundreds of thousands of devices already.
A file delete vulnerability in WordPress can be elevated into a remote code execution vulnerability for plugins like WooCommerce.
Online gaming companies, including Sony Online Entertainment, and servers were main targets.
Researchers say companies need to rethink their password training and take a more holistic approach to security.
Jack Wallen walks you through the steps for enabling SSL and TLS 1.3 on your NGINX websites.
The training and job-matching effort is a public-private partnership to address a growing workforce gap.
Industrial companies can use the hard-won, long-fought lessons of IT to leapfrog to an advanced state of Industrial Internet of Things security.
Ray Rothrock, CEO of cyber-defense firm RedSeal, explains how to weigh each threat and respond appropriately.
The purchase adds DevSecOps capabilities to a software license compliance platform.
"Island-hopping" attackers breached StatCounter so they could get to users of gate.io.
Researchers sift through millions of threat intel observations to determine where to best find valuable threat data.
A trio of new attacks bypass CPUs to wring data from vulnerable GPUs.
By this time next year, says Chairman Ajit Pai, the FCC wants to see an anti-robocall system on consumers' phones - or else.
Having taken what it thought was a decisive swipe at the problem of "abusive" advertising a year ago, Google now says next month's Chrome 71 will unleash an even tougher crackdown.
Researchers have found that a smartphone and some smart number crunching can track people moving in their homes as they reflect radio waves.
Apple has widened the range of Macs running its T2 security chip. Is macOS finally catching up with other platforms when it comes to secure computing?
A security researcher has published a zero-day flaw in a commonly-used virtual machine management system without notifying the vendor, justifying it with a scathing critique of the infosecurity industry.
Troy Hunt sounds off on how both consumers and services have a joint role in creating and enforcing strong passwords.
This day-long event for CISOs and execs will show you the way to next-level skills, strategies, and techniques that will bolster your relevance and wow the board.
Bug opened door for malicious link attack, giving hacker access to stored DJI drone data of commercial and consumer customers.
Windows 10 users running genuine copies of the Pro edition are being told to swap to Windows 10 Home after what appears to be an issue with Microsoft's activation servers.
In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against malicious user if ranger, sentry or sql standard authorizer is not in use.
What sets apart the largest and most innovative software engineering organizations? These five approaches are a good way to start, and they won't break the bank.
Major side-channel exploits demonstrated the feasibility of programs extracting data from a program in an adjacent thread in the same core. Here's how and why to protect your ThinkPad.
He admitted to taking Steam, EA Origin and Sony Online Entertainment offline in 2013 and 2014, causing at least $95,000 in damages.
A vulnerability in the local status page functionality of the Cisco Meraki MR, MS, MX, Z1, and Z3 product lines could allow an authenticated, remote attacker to modify device configuration files. The vulnerability occurs when handling requests to the local status page. An exploit could allow the attacker to establish an interactive session to the device with elevated privileges. The attacker could then use the elevated privileges to further compromise the device or obtain additional configuration data from the device that is being exploited.
Cisco revealed that it had "inadvertently" shipped an in-house exploit code that was used in test scripts as part of its TelePresence Video Communication Server and Expressway Series software.
Here's the latest Naked Security Podcast - enjoy!
Two malware distribution campaigns are sending banking Trojans to customers of financial institutions in Brazil.
The technology never really took off in IT, but it could be very helpful in the industrial world.
Two samples have already been added to the malware zoo, indicating a new openness from the federal government when it comes to cyber.
Microsoft's Brad Smith calls on nations and businesses to work toward "digital peace" and acknowledge the effects of cybercrime.
Lazarus Group has been using FastCash Trojan on obsolete AIX servers to empty tens of millions of dollars from ATMs.
IBM Marketing Operations 9.1.0, 9.1.2, and 10.1 could allow a remote attacker to obtain sensitive information. An attacker could send a specially-crafted request to cause an error message to be returned containing the full root path. An attacker could use this information to launch further attacks against the affected system. IBM X-Force ID: 121171.
IBM Campaign 9.1.0, 9.1.2, 10.0, and 10.1 could allow an authenticated user with access to the local network to bypass security due to lack of input validation. IBM X-Force ID: 120206.
Austin Thompson pleaded guilty on November 6 in a San Diego Federal court to knowingly causing damage to third-party computers.
Researchers have published details of a dangerous flaw in the way the hugely popular WooCommerce plugin interacts with WordPress that could allow an attacker with access to a single account to take over an entire site.
Think fast! You'll only have up to 10 minutes to hit unsend: a lot stingier than the hour afforded by WhatsApp.
They expect to cuff hundreds of criminals who used the pricey phones, which were sold with the crypto app preinstalled.
If you need to stress test your VOIP (or other SIP telephony systems) installation, there's an open source tool for that. Jack Wallen shows you how to install and use SIPp.
By teaming up to address key technical and organizational issues, information and operational security teams can improve the resiliency and safety of their infrastructure systems.
How the historic Internet worm attack of 1988 has shaped security - or not.
Security teams carefully monitor potential threat activity, but incidents aren't always black and white.
The Threatpost editors break down the top news stories from this week.
Out of the 2 billion Android users out there, the rate of potential malware infection is less than 1 percent across the board, Google says.
If you need to stress test your VOIP (or other SIP telephone systems) installation, there's an open source tool for that: SIPp.
A former West Palm Beach resident is the fifth defendant to plead guilty in a case involving thousands of victims.
Grayware is a tricky security problem, but there are steps you can take to defend your organization when you recognize the risk.
The partnership is expected to improve threat detection for Dropbox while growing Coronet's user base.
Nearly 400 high school, undergraduate, and graduate students advance to the final round of New York University's CSAW games.
The critical vulnerability, which was patched earlier in September, has put ColdFusion servers at risk.
The results could start a wave of major damages for companies that collect and sell consumer information.
ZyXEL ZyWALL USG 2.12 AQQ.2 and 3.30 AQQ.7 devices are affected by a CSRF vulnerability via a cgi-bin/zysh-cgi cmd action to add a user account. This account's access could, for example, subsequently be used for stored XSS.
Security is everyone's problem, but CEOs should make sure their organisation doesn't block its success. Gartner offers eight situations for CEOs to avoid if a breach occurs within their organisation.
From the 'Martinelli' WhatsApp hoax to Facebook wanting to give your name to the weirdo next to you, and everything in between. Catch up with this and everything we wrote in the last seven days - it's weekly roundup time!
Microsoft Windows 10 users were livid late last week after Microsoft mistakenly told them that their licenses were invalid.
Facebook has removed 14 million pieces of content dubbed likely to come from terrorists, as determined by new machine learning technology
Researchers have stumbled on another large botnet that's been hijacking home routers while nobody was paying attention.
O, that constant whirring noise? And the sky-high electricity bill? Why, it's those darn air conditioners and heaters!
Gartner's continuous adaptive risk and trust assessment for averting a data breach addresses the shortcomings of static security programs.
Tech advances are accelerating the use of facial recognition as a reliable and ubiquitous mass surveillance tool, privacy advocates warn.
Google Play's policy prohibits apps or SDKs that download executable code, such as dex files or native code, from a source other than Google Play.
A security researcher squoze 1,299,999 words into a single tweet, thanks to image metadata that Twitter doesn't remove.
A full 60 million U.S. cards were compromised in the past 12 months. While 93 percent of those were EMV chip-enabled, merchants continued to use mag stripes.
By 2020, an exploited vulnerability will disrupt a major blockchain platform, causing significant damage, Gartner predicts. Here's how to protect your blockchain efforts.
Elementary OS Juno includes a number of improvements and additions, including a slight security bump over previous releases.
The World Economic Forum reports cyberattacks are a top enterprise concern following WannaCry and the rise of e-commerce.
Black Hat Europe's Arsenal lineup will include demonstrations of tools addressing everything from unsecured cloud buckets to unknown IoT devices.
Facebook and Synack create programs to educate vets and grow employment opportunities while shrinking the cybersecurity talent gap.
More than 50 nations and 150 global companies agree to join effort to fight cybercrime.
The new variant can exfiltrate emails for a period going back 180 days, en masse.
Firmware may be the next frontier for IoT hacks. See below how the healthcare industry addresses these threats.
A total of 3,676 breaches involving over 3.6 billion records were reported in the first nine months of this year alone.
Police say it's a felony, but a woman arrested in connection with a drive-by shooting says she doesn't even know how to remotely wipe.
More than half of SMBs experienced a ransomware attack in the first half of 2018, according to a Datto report.
Drug and immigration cops in the US are buying surveillance cameras to hide in streetlights and traffic barrels.
There's no obvious executable payload in the attack but the attackers may be building a collection of websites and biding their time.
Espionage campaign uses a variety of new evasion techniques.
An attorney in the infamous 2015 Jeep hack predicts that more lawsuits related to IoT security are looming in the future.
A brief outage on Monday diverted traffic to providers such as Google and Cloudflare via China - was it a blunder or a hack?
Some 87% of Gen Zers reuse old passwords across multiple accounts, compared to 75% of the whole employee population, a SailPoint report found.
Information security is vital, of course. But the concept of "IT security" has never made sense.
The $168.7 million round will go toward R&D and global expansion, says cloud access security broker provider.
Overall, the company released only three patches as part of its regularly-scheduled November update.
The vulnerability is one of many with the same root cause: Cross-process information leakage.
The incident, which Google reports is now resolved, could be the result of either technical mistakes or malicious activity.
Google cloud business customers were impacted by a Border Gateway Protocol hijacking.
Another month where Android finds itself with a mixture of Critical and High vulnerabilities. Jack Wallen offers highlights.
Downloading a copy of your data that Apple stores in iCloud and other services is easier than ever. Learn how to get your copy and what to do with it. Learn more about this massive privacy change.
The toughest security problems involve people not technology. Here's how to motivate your frontline employees all the way from the service desk to the corner office.
A new report spills the details on Magecart, the criminal groups driving it, and ongoing attacks targeting low- and high-profile victims.
See where the communication breakdowns are likely to occur--and revise the disaster recovery plan accordingly.
Don't miss out on the Black Hat Briefings, Trainings, and Arsenal tools that will equip you with the knowledge and skills you need to deal with today's top malware.
Eight of the 12 critical vulnerabilities addressed this month affect the Chakra Scripting Engine in Microsoft Edge.
Microsoft's November Patch Tuesday fixes include mitigation against a zero-day vulnerability leaving Windows 7, Server 2008 and Server 2008 R2 open to attack.
Still reeling from last week's Windows 10 Pro debacle, Microsoft dropped a fresh pile of "Oops!" onto Windows 10 Mobile users.
The Cryptopay customer asked customer services for a new password. They refused, given that it was against the company privacy policy.
Key personnel at the Internet Engineering Task Force (IETF) have suggested basing the next version of a core web protocol on Google technology.
This year's SophosLabs Threat Report is out. We talk targeted ransomware attacks, and in particular, SamSam.
Some 15% of companies struggling with IoT security lost at least $34 million in the last couple years. Here are five ways to stay better protected.
ATM vulnerabilities highlight the importance of securing machines against network attacks, according to a Positive Technologies report.
Mega hacks like the Facebook breach provide endless ammo for spearphishers. These six tips can help you stay safer.
As companies adopt emerging technologies, the cyber risk landscape is set to grow larger in the new year, according to a Forcepoint report.
While 96% of US organizations say business resilience should be core to company strategy, only 61% say it actually is.
The industrial company on Tuesday released mitigations for eight vulnerabilities overall.
Experiments showed that processors from AMD, ARM, and Intel are affected.
The attack surface remains largely unprotected from Wi-Fi threats that can result in stolen credentials and sensitive information as well as backdoor/malware payload drops.
Bad bots account for 43.9% of all traffic on their websites, APIs, and mobile apps, according to a new analysis of 100 airlines.
Black Hat Europe attendee survey shows European cybersecurity leaders are uncertain of their ability to protect end user data - and are fearful of a near-term breach of critical infrastructure.
At the same time, criminal organizations continue to look for new ways to attack their victims.
Fewer than 30% of firms have more than a basic container security plan in place.
High-end crime groups are acquiring the sorts of sophisticated capabilities only nation-states once had, while low-tier criminals maintain a steady stream of malicious activity, from cryptomining to PoS malware.
Hacker contest earns participants $325,000 based on the discovery of 18 vulnerabilities.
A slew of verified Twitter accounts have been hijacked and altered, used to tweet out a bogus Bitcoin giveaway scam.
Burying secret data in plain sight: is it a clever cybersecurity trick, or a way to attract the very attention you wanted to avoid?
Don't cry for us, Argentina: Critics saw potential for government meddling without court order, among other issues.
It enacted a worst-case, "black start" scenario: swaths of the country's grid offline for a month, battery backups exhausted.
The epidemic of Twitter-based Bitcoin scams took another twist this week as attackers tweeted scams directly from two verified high-profile accounts.
HarfBuzz before 1.0.4 allows remote attackers to cause a denial of service (invalid read of two bytes and application crash) because of GPOS and GSUB table mishandling, related to hb-ot-layout-gpos-table.hh, hb-ot-layout-gsub-table.hh, and hb-ot-layout-gsubgpos-private.hh.
Whether you're sussing out vulnerabilities or defending enterprise networks, Black Hat Europe's lineup of Briefings, Trainings, and Arsenal tools will help you take things to the next level.
As brick-and-mortar retailers use micro data centers to power unique customer experiences and compete with online giants like Amazon, they're ramping up IT to manage these mission-critical systems.
Secure code development should be a priority, not an afterthought, and adopting the software development life cycle process is a great way to start.
Some 62% of online shoppers are willing to shop sites vulnerable to breaches for a discount on Cyber Monday, a DomainTools report says.
Enterprises are turning to security in the cloud for greater flexibility and reduced complexity, but several misconceptions exist. Here's the truth, according to a Forcepoint report.
As consumers skip the store crowds in favor of online deals, cyberattackers have geared up to victimize them.
In addition, most have "unacceptable" privacy policies and "non-existent user support."
Yoshitaka Sakurada, who recently took on the role after a cabinet shuffling, says it's up to the government to deal with it.
"Our advice is to stop using this watch" as mitigations are not available, researchers told Threatpost.
Cross-site scripting vulnerability in Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) allows remote authenticated attackers to upload and execute any executable files via unspecified vectors.
SQL injection vulnerability in the Denbun POP version V3.3P R4.0 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via HTTP requests for mail search.
Buffer overflow in Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R3.0 and earlier, Denbun IMAP version V3.3I R3.0 and earlier) allows remote attackers to execute arbitrary code or cause a denial-of-service (DoS) condition via multipart/form-data format data.
Buffer overflow in Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) allows remote attackers to execute arbitrary code or cause a denial-of-service (DoS) condition via Cookie data.
Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) does not properly manage sessions, which allows remote attackers to read/send mail or change the configuration via unspecified vectors.
Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) uses hard-coded credentials, which may allow remote attackers to login to the Management page and change the configuration.
Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, Denbun IMAP version V3.3I R4.0 and earlier) uses hard-coded credentials, which may allow remote attackers to read/send mail or change the configuration.
Cross-site scripting vulnerability in multiple FXC Inc. network devices (Managed Ethernet switch FXC5210/5218/5224 firmware prior to version Ver1.00.22, Managed Ethernet switch FXC5426F firmware prior to version Ver1.00.06, Managed Ethernet switch FXC5428 firmware prior to version Ver1.00.07, Power over Ethernet (PoE) switch FXC5210PE/5218PE/5224PE firmware prior to version Ver1.00.14, and Wireless LAN router AE1021/AE1021PE firmware all versions) allows attacker with administrator rights to inject arbitrary web script or HTML via the administrative page.
Directory traversal vulnerability in Cybozu Garoon 3.5.0 to 4.6.3 allows authenticated attackers to read arbitrary files via unspecified vectors.
Why manufacturing and logistics are especially challenged.
The hacking duo @fluoroacetate demonstrated zero-day exploits against phones from Apple, Samsung and Xiaomi at the recent Pwn2Own contest.
The makers of malware have realized that if they're going to invest time and money in compromising cyber defenses, they should do everything they can to monetize their achievement.
FireEye researchers unveil an extensive list of security risks waiting in the new year's wings.
Cybersecurity and Infrastructure Security Agency Act now headed to President Trump for signing into law.
The modular malware seems to be in a testing phase, but TA505's interest made researchers take note.
Building cybersecurity skills is a must; paying a lot for the education is optional. Here are seven options for increasing knowledge without depleting a budget.
Artificial intelligence can be used to 'grow' fake fingerprints that pack in common features, fooling scanners.
Researchers describe breaking into the watches as "probably the simplest hack we have ever seen."
A judge has ordered Amazon to turn over any recordings an Echo device may have made around the time a horrific crime occurred.
Ahead of his Black Hat Europe appearance, SoarTech's Fernando Maymi explains how and why synthetic humans are critical to the future of cybersecurity.
This holiday season, over half of adults plan to travel with work devices. Most don't appreciate the risks.
A comprehensive new report lifts the lid on the sketchy state of ATM security.
Privileged attacks will continue and Android will close open access, according to BeyondTrust's cybersecurity predictions for the new year.
Only 25% of organizations feel confident in their abilities to respond effectively to cyberattacks, according to recent Ponemon Institute study.
Criminals are ready to use AI to dramatically speed the process of finding zero-day vulnerabilities in systems.
The flaw in high-end phones and up-and-coming handsets made by top OEMs allows hackers to bypass handset lock screens in seconds.
The privilege-escalation vulnerability would allow an attacker to inject malware, place ads and load custom code on an impacted website.
The server, which lacked password protection, contained tens of millions of SMS messages, two-factor codes, shipping alerts, and other user data.
You might have a FAT32-formatted drive that needs to be shared out to users. To do that with write permissions, you must make use of fstab. Jack Wallen shows you how.
The issue comes from how Gmail automatically files messages into the "Sent" folder.
BlackBerry aims to bring Cylance artificial intelligence and security tools into its software portfolio.
Attack could expose the personal information of drivers who sync their mobile phone to a vehicle entertainment system.
The "Kitten of Doom" denial-of-service attack is easy to carry out.
This week: hacking phones at Pwn2Own, the brand new SophosLabs Threat report, and squeezing Shakespeare into one tweet. Enjoy!
Cybersecurity is so complicated that businesses, large and small, are retaining legal counsel specializing in security. Learn two more steps businesses should take before a cyberattack hits.
** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate attackers to read plaintext passwords by using the quickAllow dialog at an unattended workstation, if the keyring is unlocked. NOTE: this is disputed by a software maintainer because the behavior represents a design decision.
Find out the benefits of realistic cybersecurity training, such as what is offered by IBM's X-Force Command Center. The facility is modeled on the approach used by the military and first responders.
From the Microsoft mistake that left users fuming to the botnet that's pwned 100,000 routers, and everything in between. Catch up with all the stories from the last seven days - it's weekly roundup time.
A court filing in an unrelated case mentioned the need to seal documents to keep secret the fact that "Assange" has been charged.
Firefox Monitor, a breach notification website launched by Mozilla in September, can now deliver alerts from inside the Firefox browser.
Mozilla slapped a "Meets Minimum Security Standards" badge on the IoT gadgets on its list that passed at least some muster.
Not enough is being done to protect against cyber attacks on energy, water and other vital services.
Experience, ecostructure, efficiency and cybersecurity are the four most crucial aspects of digital innovation for the enterprise.
KeePass is a popular and free password management tool. Learn about the benefits and techniques to get the most out of it.
Tech professionals and executives share their top security tips for work--and home.
Offering APIs for external service integrations is important, but poor security practices in API access and design can put your organization in danger.
Hackers took advantage of an unpatched Drupal vulnerability in the organization's website to launch a cryptojacking attack.
The 'Download Your Data' tool, intended to improve users' privacy, actually became a privacy risk.
It's the most wonderful time of the year, and hackers are ready to pounce. Here's how to prevent them from wreaking holiday havoc.
If a network-connected smoke detector starts communicating with the mail server, you know you have a problem.
Ford's CEO sees the tech company model as key to the company's next chapter.
Picking a secure password is crucial to protecting sensitive information. Tom Merritt offers five do's and don'ts for picking the strongest password possible.
Organizations understand the need for critical data protection but may lack the resources to respond.
Researchers say the Magecart threat group skimmed data of VisionDirect customers using fake Google Analytics scripts.
Risk Based Security reports 16,172 bugs disclosed through the end of October, but researchers warn things may change.
The Hades APT group continues its quest to stay under the radar.
A report by BAE Systems and SWIFT shows that financial market areas such as equities trading, bonds, and derivatives face more threats than banking, forex, and trade finance.
It's yet another security stumble following the massive Facebook hack in September, and it likely points to shoddy encryption practices.
The popular plugin for implementing Accelerated Mobile Pages returned, patched, to WordPress.org last week.
So cute! So grabby with the bandwidth!
Scammers don't stop trying to dupe you or take their foot off the gas just because it's the day after Cyber Monday.
Despite customer demand, small businesses are slow to invest in emerging technologies like AI, IoT, and chatbots, according to Capterra.
A new phishing campaign from a Russian-state backed hacking group targets American and European inboxes.
As consumerization becomes the norm in most industries, devices attached to your organization require proper security protocols.
If you can't get straight answers about popular industry catchphrases, maybe it's time to ask your vendor: How do you actually use the technology?
The actor behind the attack on Daniel's Hosting, and their initial point of entry, remain unknown.
Check out these six ways to mitigate against corruption and bounce back from a server failure.
The group is best-known for hacking the DNC ahead of the 2016 presidential election.
For too long, cybersecurity has been looked at as one team's responsibility. If we maintain that mentality, we will fail.
A solid response and reputation management program will go a long way in surviving a major breach, and there's software on the way that can help get you organized.
Report delivered at Payment Card Industry Security Standards Council meeting flags issues in deployments of Magento, a popular e-commerce platform.
A glitch in the UX in Gmail allows the "from" field to be forged so there is no sender listed in the email's header.
Adobe issues patch for a Flash Player vulnerability that could lead to an arbitrary code execution on targeted systems.
Account holders can use a FIDO2-compatible key or Windows Hello to authenticate sans username or password.
The Russian-speaking threat group is changing up its tactics.
APT29/Cozy Bear is targeting individuals in military, government, and other sectors via email purporting to be from US State Department.
It's the first ever prosecution under UK drone laws for a flight that could have turned deadly, as did a recent helicopter disaster in Leicester.
The database of the popular Daniel's Hosting was wiped out and all accounts deleted, taking down 30% of all hidden services.
It's a long time for Office 365 and Azure AD users to be locked out of such an important business platform, but MFA remains a good idea.
It's the latest Naked Security Podcast - you're welcome!
Fun gift choices that foster design thinking and coding skills in kids both young and old.
Your Ubuntu Server might be vulnerable to attacks. To prevent unwanted logins, Jack Wallen shows you how to install intrusion detection system, fail2ban.
As the debate rages on, there is still no simple answer to the question of whether the government should stockpile or publicly disclose zero-day vulnerabilities.
Despite conflicting opinions about online privacy, customers choose to shop with companies that take reasonable security precautions.
The crafty malware has departed from its usual cornucopia of tactics and tricks.
'Technical error' exposed names and email addresses.
13 malicious apps ended up on the Google Play store. Here's how to stay protected.
In Novell NetWare before 6.5 SP8, a stack buffer overflow in processing of CALLIT RPC calls in the NFS Portmapper daemon in PKERNEL.NLM allowed remote unauthenticated attackers to execute code, because a length field was incorrectly trusted.
Netscout says it has observed at least one dozen Mirai variants attempting to exploit a recently disclosed flaw in Hadoop YARN on Intel servers.
Consumers increasingly depend upon IoT devices to help them do everything from improving sleep to monitoring blood sugar levels. In the process, they may be giving up more privacy than expected.
The FCC will consider a proposal to combat robocalls and text spam in December.
How can businesses create an effective cyber defense strategy? It starts with defining success, an expert tells us.
Finding a mysterious circuit board plugged into a network that you are tasked with managing is always going to be a disconcerting moment for any sysadmin.
Cyberattackers are successfully evading detection on Windows computers by abusing legitimate admin tools that come pre-installed with the operating system.
Adobe's Flash Player for Windows, Mac and Linux has a critical vulnerability that should be patched as a top priority.
Ahead of the holiday shopping bonanza, the security community is talking to consumers about IoT security.
In the first part of our podcast series, we talked to Rapid7's chief data scientist about how Magecart has changed.
Zero trust refers to the notion of evaluating the security risk of devices and users within the context of any given moment, without automatically conferring access based on credentials.
Naked Security attempts to demystify passwordless web authentication.
Discover why it might be prudent to hire veterans who are already trained in cybersecurity and understand the concepts of militarization.
A security researcher claims the US Postal Service ignored a security flaw affecting 60 million users, until it was contacted by a journalist.
As internet users migrate from desktop and laptop computers to mobile and Internet of Things (IoT) platforms, cybercriminals are too.
Ethereum's complexity proves to be a rich source of bugs, again.
The firms, known for their Chrome and Firefox web browsers, are heading a group that is devising a way for users to save changes they make using web apps.
More than one-third of respondents in a new survey haven't started or are just creating their security strategy plans.
New research on an old problem reveals despite efforts, the InfoSec professionals still have a way to go when it comes to securing printers.
Wake up, cybersecurity pros, and don't let your business be an easy target for cybercriminals. Learn why keeping digital infrastructure up-to-date should be an essential part of cybersecurity strategy.
From Ford data security speculation to the VisionDirect data breach, the Threatpost editors talk about this week's biggest stories.
The holiday season isn't just busy for shoppers--it's busy for cybercriminals, too. Here's a holiday shopping safety guide with advice on how to stay safe online.
The credentials could be used to glean a variety of intel on the victims.
Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time.
One of Intel's fixes for the Spectre variant 2 chip flaw appears to have taken a big bite out of the performance of the latest Linux kernel.
A 21-year-old allegedly SIM-swapped Silicon Valley execs' phones to steal cryptocurrency, including one man's $1m tuition fund for his kids.
Not picking up after your dog will cost you 10 points, for example, in China's Black Mirror-esque plan to socially score citizens.
A Data Protection Commissioner investigation found that LinkedIn violated data protection policies shortly before onset of GDPR.
The recommendation for paper ballots may go unheeded in all or part of at least 6 states in the next national election.
Cybersecurity means more than bits and bytes; threats are out there IRL, and IT pros need to be prepared.
Are you thinking of changing your career route from techie to CISO? Are you making the right choice? Only you know for sure.
Sixty-six percent of phone users said they had suffered data-related harm: 11 percent suffered identity theft, 22 percent account hacking, 14 percent credit card hacking and 12 percent financial fraud.
As IoT devices flood the market, consumers are pushing for more privacy initiatives, according to recent Grand View Research report.
IBM Integration Bus 9.0.0.0, 9.0.0.11, 10.0.0.0, and 10.0.0.14 (including IBM WebSphere Message Broker 8.0.0.0 and 8.0.0.9) has insecure permissions on certain files. A local attacker could exploit this vulnerability to modify or delete these files with an unknown impact. IBM X-Force ID: 127406.
Malware infection fallout sent ambulances away from East Ohio Regional Hospital and Ohio Valley Medical Center over the Thanksgiving weekend.
The incidents affected millions, just as Black Friday, Cyber Monday and the holiday shopping season kicked off.
The US Postal Service recently fixed a security bug that allowed any USPS.com account holder to view or change other users' data.
A mobile malware has accelerated its activity in 2018, launching more than 70k attacks in August through October.
Microsoft has posted a root cause analysis of the multifactor authentication issue which hit a number of its customers worldwide last week. Here's what happened.
It's Germany's first GDPR fine, for an incident that affected millions of accounts.
Cyberattacks on airports and airlines are often unrelated to passenger safety - but that's no reason to dismiss them, experts say.
Did you help spread the viral scowling Pop-Tart™-deprived kid photo last week? Can't be helped, mom said, but using it to raise cash was "lame."
What upset the Data Protection Commissioner: none of the 18 million email addresses were those of LinkedIn users.
Once they get victims on the phone, the crooks get their account PINs and CVV numbers for debit/credit cards and then drain their accounts.
New tools, techniques, and a plan for training a new generation of crack security experts are all in the cards for attendees of Black Hat Europe in London next week.
Just weeks after issuing a Windows 10 patch of doom that started deleting users' precious files, Microsoft "fixed" Outlook 2010 with a November Patch Tuesday update that promptly borked it.
Your CentOS 7 servers are rock solid, but could still use a bit of help. Find out how to install an easy to use intrusion detection system in less than five minutes.
Direct Autonomous Authentication is an improved authentication method intended to better meet today's security needs for both wireless and wired networks.
Stolen credentials for industrial control system workstations are fast becoming the modus operandi for ICS attacks by cybercriminals.
Cyberattacks on organizations are predicted to skyrocket during the online holiday shopping season. Here is how to identify possible threats.
In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, while processing the boot image header, an out of bounds read can occur in boot
Researchers say the bad actor behind the malvertising campaign is still active.
Advice from a millennial woman who has done it: Find your niche and master your craft. You will be amazed at how significant your work will be.
Eight popular Android apps are embezzling from the ad ecosystem on a widespread basis, according to allegations.
Now the penalties are coming from Europe.
The patch addresses a flaw in Cisco's WebEx platform that lets hackers gain elevated privileges.
Once again, multifactor authentication issues have caused login problems for users across Office 365 and Azure, among other services.
Nearly 60% of organizations have suffered data breaches resulting from a third party, as suppliers pose a growing risk to enterprise security.
Motives are not fully clear, though data exfiltration is one possibility, Cisco Talos says.
Colleagues of slain Javier Valdez Cárdenas, known for investigating drug cartels, were targeted just days after his death.
The bill would outlaw automated scripts that snap up discounted holiday must-haves so resellers can gouge people with exorbitant markups.
In the latest in a long line of SNAFUs, it seems Facebook has found a new way to inadvertently torment us: resurfacing old chat messages.
We all want a "perfect" babysitter. But can we trust AI to comb through years of social media posts and label people with a "score?"
A mystery payload sneaked into a hugely popular JavaScript library was part of a plot to ransack Bitcoins from BitPay's Copay mobile cryptocoin wallet, it has been alleged.
Examples of how attackers carry out mass exploitation campaigns and how to defend against them.
The machine learning system is being given a crash course in cybercriminal techniques.
In an environment where talent is scarce, it's critical that hiring managers remove artificial barriers to those whose mental operating systems are different.
Ben-Gurion University researchers developed a device-focused cybersecurity solution to act as a last line of defense to protect patients.
The multi-year campaign used malware and botnets to falsify billions of webpages and "site users."
New security platform aggregates information from Amazon Web Services cloud accounts and third-party tools.
If you thought fake news was bad, just wait until hackers get their hands on AI-powered face swapping tech, says G2 Crowd CRO Michael Fauscette.
A quarter of IT and security leaders expect a major data breach in the next year.
As destructive attacks flourish and counter-incident response becomes mainstream, organizations need to make a tactical paradigm shift from prevention to detection to suppression.
The rise of piracy has helped drive the spike in attacks.
Two Iranians have been named in a US ransomware indictment - but given that they aren't in the US, what happens next?
Cisco's Michele Guel, Distinguished Engineer and Chief Security Architect, explains how to recruit women into STEM and cybersecurity.
Ransomware, DDoS extortion, and encrypted communications abound as cybercriminals in the region refine their tradecraft.
3ve, an ad fraud operation amassing 1.7M infected machines, was taken down in an operation driven by law enforcement, Google, White Ops, and several security companies.
The two apps are created by headset software company Sennheiser HeadSetup.
Two Iranian nationals have been indicted on multiple counts by a federal grand jury in connection with the SamSam ransomware attacks that struck government, critical infrastructure, and healthcare organizations.
Supplier that handles billing and online payments for health-care provider became aware of incident Oct. 1.
Information security groups often underestimate or overestimate the true value of data assets, making it harder to prioritize controls.
The company said it has reset passwords for all Dell.com customers.
Microsoft's multi-factor authentication (MFA) for Microsoft Office 365 and Azure Active Directory has fallen over for the second time in a week.
China's air conditioning business queen Dong Mingzhu was recently outed as a jaywalker - thanks to an ad on the side of a bus.
Seven European consumer organizations are planning to submit a complaint about Google's location tracking activities to their data protection authorities.
Popular massage-booking app Urban lets masseurs/masseuses log comments about creepy customers, and left its database wide open.
Attendees of Black Hat Europe in London next week will hear about worldwide cybersecurity developments and challenges from the Global Commission on the Stability of Cyberspace's Marina Kaljurand.
The donut giant first noticed the attack Oct. 31.
Attackers target office managers during the holiday season, tricking them into sending hackers gift cards, according to a Barracuda report.
An old attack technique is making its way back into the mainstream with an onslaught of messages that legacy tools and script writing can't easily detect.
The vulnerability could allow attacker to execute arbitrary SQL queries.
New Fancy Bear attack campaign lures victims with phony Brexit-themed document to deliver Zekapab payload.
Cybercriminals have recently broken records for DDoS strength. Here's how to protect your network from attacks, and prevent devices from being assimilated into botnets.
Forces potentially affected DD Perks customers to reset their passwords after learning of unauthorized access to their personal data.
Hackers can spoof messages, hijack screen controls and kick others out of meetings.
ZDNet's Danny Palmer examines the aftermath of WannaCry, NotPetya, and Bad Rabbit.
Our goal should not be to merely accept zero trust but gain the visibility required to establish real trust.
ZDNet's Danny Palmer explains the evolution of the world's weirdest ransomware.
Move prompts questions about scope of intrusion and strength of company's password hashing.
The international guide is intended to help organizations defend their networks and systems from automated and distributed attacks.
Nonprofit has published its first-ever evaluation of popular endpoint security tools - measured against its ATT&CK model.
But ransomware attacks go through the roof, new threat data from SonicWall shows.
It's been a wild year for tech. Here are the biggest tech news stories on our readers' minds.
He slapped a tracker on the new one and installed CCTV... which did a fine job of recording the thieves' 90-second-long relay attack.
Misconfigured Elasticsearch servers spilled personal details on 57 million Americans, said reports this week.
Here's a quick rundown of what a man-in-the-middle attack is, and why it's so dangerous.
Cybercrime takes on a lot of forms, with one of the oldest and most dangerous being man-in-the-middle attacks. Here's what you need to know about MITM attacks, including how to protect your company.
They allegedly victimized 442 military men by sending nude photos and then calling, pretending to be irate fathers or police.
The US Department of Justice has charged eight men with running a vast ad-fraud scheme.
The hackers had access to the impacted database since 2014.
Android users should beware of this dangerous attack that targets their mobile device's storage.
Criminals are diversifying their target list and tactics in a continuing effort to keep email a valuable attack vector against enterprise victims.
A flaw in Android external storage opens up legitimate apps to being hacked and gives illegitimate ones a window to exploit. Learn more about man-in-the-disk attacks, including how to avoid them.
The bug bounty "queen" Katie Moussouris discusses the biggest mistakes that companies launching these programs are making.
Hackers have had access to the Starwood guest reservation database since 2014.
How security researchers tracked down Kuai and Bujoi malware through multiple vectors including client type, traffic frequency, and destination.
Law enforcement officials in India raided 16 call center locations that conned primarily American and Canadian victims.
The Marriott hotel empire's Starwood guest reservation database has been subject to unauthorised access since 2014.
Cybercriminals are developing more sophisticated attacks, while individuals and enterprises need to be more proactive in security practices.
Starwood parent Marriott International disclosed the breach today with an announcement that provided some details but left many questions unanswered.
Marriott's total tab for a data breach affecting as many as 500 million consumers is going to cost billions of dollars over the next few years, based on the average cost of megabreaches.
After identifying the official VLC media download page as "unsafe" with its Bing search engine, Microsoft now suggests it was done in error.
Fifth annual Online Trust Alliance survey said retailers get good marks for offering clear unsubscribe links, using tools like SPF and DKIM and honoring unsubscribe requests.
In part two of our podcast series on Magecart, we talk to expert Yonathan Klijnsma, who has been tracking the threat for years.
'Tis the season for holiday crafted phishes, scams, and a range of cyberattacks. Experts list the hottest holiday hacks for 2018.
From Black Mirror-esque social ratings IRL to the guy who had his car stolen by hackers - twice, and everything in between. It's weekly roundup time.
A group of researchers has found 42 zero-day flaws in a range of software tools using a new take on an old concept - fuzzing.
Police raided 16 Indian call centers last week - a second big raid sparked by Microsoft filing complaints about tech support scammers.
The UPnProxy router compromise uncovered earlier in 2018 is now being used to attack computers on networks connected to the same gateways.
Printers worldwide printed messages urging people to subscribe to the vlogger's YouTube channel in a demo of a well-known vulnerability.
The incident sheds light on just how insecure printers are.
Employers must start broadening their search for experienced security professionals to include people with the right traits rather than the right skills.
The two apps, "Fitness Balance App" and "Calories Tracker app," were tricking users into payments of $120.
The laptop giant will settle a 32-state class-action lawsuit stemming from pre-installing vulnerable ad-targeting software.
Biometrics and gaming are just a couple of the new cyberattack vectors professionals can expect in 2019. Here is what else to look out for.
Prisoners in South Carolina posed convincingly as beautiful women on social media platforms.
In this Newsmaker Interview, "breach hunter" Chris Vickery explores a recent spate of breaches from Marriott, USPS and Dell EMC.
Huawei is developing their own OS as a contingency plan in the event US sanctions make using Android unviable. In a crowded market, is there room for a third OS?
About 25% of political support in Arizona and Florida was generated by influence agents using Twitter as a platform, research shows.
Class-action suits have been filed on behalf of guests and shareholders, with more expected.
The lawsuit alleges that NSO Group violated international law by allowing Pegasus to be used by oppressive regimes to hunt dissidents and journalists.
Cross-site scripting is one of the biggest, most persistent threats on the internet. Are you at risk for an XSS attack?
Even the most trustworthy-looking website could trick you into giving up personal details through cross-site scripting. Here's what you need to know about XSS attacks.
Max Ray Vision says he's innocent of owning the phone used to orchestrate the scheme and ripping off debit cards to fund the drone purchase.
Zoom moved to patch a bug in its service this week that enabled people to hijack customer video conferences.
Sending pics of your bits to strangers could get you a year in jail and/or a $1K fine if this NYC bill gets passed.
The group's skimmer has added some capabilities that steal credentials from admins.
Researchers demonstrate Cache-like ATacks against RSA key exchange.
The information is an early Christmas gift for any social engineer.
Organizations can start today to protect against 2019's threats. Look out for crooks using AI "fuzzing" techniques, machine learning, and swarms.
A Jared customer found he could access other orders by changing a link in his confirmation email.
Google's December Android Security Bulletin tackles 53 unique flaws.
Security firm turned the tables on attackers targeting its chief financial officer in an email-borne financial scam.
With proper planning, modern approaches, and tools, we can all be heroes in the epic battle against the cyber threat.
Following last week's indictment, federal government issues pointers for how security pros can combat SamSam ransomware.
Details are so far scant in this latest in a string of data breaches.
The massive breach has exposed passwords for millions who didn't remember having a Quora account.
Nearly one in three computers was hit with a malware attack this year, and ransomware and backdoors continue to pose a risk.
The browser comes with a new set of protections to block pop-ups that could lead to 'abusive experiences.'
#TumblrIsDead? Tumblr is banning adult content in an effort to be safer, better, "more positive," and less (female) nipple-ish.
Grandkid imposters are managing to finagle a skyrocketing amount of money out of people, the FTC warns.
Kubernetes, a tool that powers much modern native cloud infrastructure, just got its first big security bug - and it's a mammoth one.
Hackers have compromised data from the accounts of 100 million users of question and answer site Quora.com.
Companies have some mistaken notions about how to comply with the new data protection and privacy regulation - and that could cost them.
Only 45% of organizations offer mandatory cybersecurity training, according to a Mimecast report. Here's how to boost your employees' security education.
As software bots spread throughout the enterprise, business leaders must control their access to sensitive information, according to a SailPoint report.
The vulnerability could lead to arbitrary code execution.
Whether traveling for business or the holidays this month, follow these tips from Matrix Integration to keep your devices safe.
Wanted: a security exec responsible for identifying and mitigating the attack vectors and vulnerabilities specifically targeting and involving people.
Hackers can steal data, sabotage cloud deployments and more.
Adobe issued a patch for the zero-day on Wednesday.
The National Republican Congressional Committee detected the compromise of four staffers' email accounts in April.
The company is rolling out a device that scans for malware on USB devices to block attacks on IoT and operational technology environments.
Nations must band together to face nation-state cyberattack threats, said Marina Kaljurand.
The beta release of Google Cloud SCC will include broader coverage across the cloud platform and more granular access controls, among other features.
IBM QRadar SIEM 7.2.8 and 7.3 does not validate, or incorrectly validates, a certificate. This weakness might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. IBM X-force ID: 133120.
The facial recognition pilot will identify "subjects of interest" around the White House.
Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. Here's where to begin.
The unusually long dwell time in the Starwood breach has implications for both parent company Marriott International and the companies watching to learn from.
ICSP Neural is designed to address USB-borne malware threats.
Despite the May 2018 deadline, most companies have not implemented all necessary GDPR changes, according to an IT Governance report.
Google shipped version 71 of its Chrome browser yesterday, alongside fixes for 43 security issues. The latest Chrome version also introduces several new security measures.
DuckDuckGo says you can go right ahead and log out of Google, then enter private browsing mode, but you'll still see tailored search results.
Android's December security bulletin arrived this week with another decent crop of vulnerabilities to add to the patching list for devices running version 7.0 Nougat to version 9.0 Pie, including Pixel users.
The cache of seized Facebook documents show how Facebook whitelists certain companies so they can keep lapping up user data.
The company allegedly tried to hide away new policy changes that would collect Android app users' call and message logs.
Another month where Android finds itself with a mixture of Critical and High vulnerabilities. Jack Wallen offers highlights.
Here's the latest Naked Security Podcast - enjoy!
Attackers used methods, tools previously used by known Chinese hackers.
How you report a data breach can have a big impact on its fallout.
Software updates for Mac and iOS bring patches to Safari, iCloud, iTunes on Windows, and tvOS.
Researchers identified a widespread campaign of brute force attacks against WordPress websites.
Even those that provide employee training do so sparingly, a new study finds.
Despite shortages of skills and staff, these six best practices can improve analysts' performance in a security operations center.
Application security should be guided by its responsibility to maintain the confidentiality, integrity, and availability of systems and data. But often, compliance clouds the picture.
Adobe has patched a zero-day in its Flash player after attackers leveraged the exploit in an active campaign.
The security issue strikes at some of the basic reasons for the rising popularity of containers as an architecture and Kubernetes as an orchestration mechanism.
Genomics England announced it's sequenced 100K Brits' genomes... and then had to store them in a military base after multiple hacking attacks.
The Attorneys general of 12 states are suing an e-record provider who lost 3.9 million personal healthcare records in 2015.
Attackers can boobytrap what should be access to only parent-vetted sites and can take over the webcam, speakers and microphone.
If you're among the holdouts still running Flash, you have some more updating homework to do.
Social media platforms are just as susceptible to phishing attempts as email. Learn some strategies to protect yourself and your users from such attacks.
Fraudulent apps rely on a backdoor opened to receive instructions from a command and control server, opening users to greater potential harm.
Microsoft and the AI Now Institute are both calling for regulation as facial recognition software picks up popularity.
This year alone saw more than 600 data breaches, yet only 25% of organizations are planning to defend against attacks, according to Deloitte.
Infosec Insider Derek Manky discusses how new technologies and economic models are facilitating fuzzing in today's security landscape.
The 'tyranny of the urgent' and three other reasons why it's hard for CISOs to establish a robust insider threat prevention program.
Kubernetes owners who expose APIs to the Internet are leaving their systems open to hackers.
Threat group moves away from "smash-and-grab" attacks and adopts a boutique approach to targeting victims.
Tom Merritt explains five ways smart home technology is evolving.
A newly-passed Australian law could allow the government to force tech companies to create backdoors in their products.
The March attack used SamSam ransomware to infect 3,789 computers.
Google Cloud's container security lead shares predictions, best practices, and what's top of mind for customers.
Tens of millions of dollars stolen from at least eight banks in East Europe, Kaspersky Lab says.
Watch out for emails about gift cards and corporate donations, researchers warn.
Researcher demonstrates how attackers could steal data from smartphones while they charge up.
Networking is a fairly old subject, but there are still plenty of interesting things happening. Highlights from 2018 include stories about security, 5G, net neutrality, the Linux Foundation, and more.
From UPnP router attacks to the Kubernetes cloud computing bug, and everything in between. It's time for your weekly roundup.
Profits are nice, but "We don't believe that the world will be best served by a commercial race to the bottom," says President Brad Smith.
Edge joins Chrome, Opera, Vivaldi, Yandex, and Brave. Better for web compatibility, but if one thing breaks, they all break.
SophosLabs has uncovered a click fraud campaign in which malicious Android apps masquerade as being hosted on Apple devices to earn rewards.
Attackers have infected 20,000 WordPress sites by brute-forcing administrator usernames and passwords.
The ultimate to-do list for ambitious security leaders.
Prioritizing user experience at the expense of security can increase sales, though pivoting from passwords is still problematic.
The scam is spread via Facebook and WhatsApp messages.
How the fast pace of cloud computing adoption in 2018 will dramatically change the security landscape next year.
While generating a trusted application ID, an integer overflow can occur, giving the trusted application an invalid identity in Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835 and SDA660.
Bagle.A and Bagle.B date back to 2004.
Emails say they contain a link with screenshots of victims' compromising activity. In reality, the link executes ransomware.
The consumer version of Google+ will now be shut down in April instead of August after a bug was found that impacts at least 50 million users.
A Russian firm aims to capitalize on ransomware victims' desperation by offering to unlock files then passing money to attackers.
Windows, Linux systems vulnerable to self-propagating 'Lucky' malware, security researchers say.
A breach affecting more than 52 million users was patched, but not before leading to the company rethinking the future of the service.
Women are key to solving the workforce shortage, which is expected to reach 3.5 million open jobs by 2022.
If you're looking for an easy means of enabling encrypted DNS on Android, the Cloudflare 1.1.1.1 app is the way to go.
Since September, the cyber espionage actors have targeted more than 130 victims in 30 organizations including NGOs, oil and gas, and telecom businesses.
A new generation of modular malware increases its value to criminals.
They said Facebook emphasizes the service being free, not that it's making big bucks off users' data. They ordered the company to apologize.
George Duke-Cohan is the British teen who posed as a worried father whose daughter had called him mid-flight during a hijacking.
What's the safest way to buy counterfeit banknotes? Not on the dark web market, as 235 people have just discovered to their cost.
While AWS, Microsoft Azure, and Google Cloud Platform are responsible for protecting cloud infrastructure, customers must monitor other vulnerabilities, according to Palo Alto Networks.
Administrators lost control of the domain for several hours in a DNS hijacking incident.
But it still takes an average of 85 days to spot one, the security firm's incident response investigations found.
The consumer version of the social networking service is being shut down faster than originally announced, but the enterprise version will live on.
Read about the saga of Facebook's failures in ensuring privacy for user data, including how it relates to Cambridge Analytica, the GDPR, the Brexit campaign, and the 2016 US presidential election.
Sensitive data compromise was a huge problem in 2018 and remains a top concern going into 2019. Here are the three things companies should look out for.
The principles, methods, and tools for performing good risk measurement already exist and are being used successfully by organizations today. They take some effort -- and are totally worth it.
The private bug bounty program has nearly 1,500 participants and is ready for a public rollout with HackerOne.
Issues still exist when it comes to securing biometrics.
Cloud storage providers offer virus and malware scanning, but the existence of that service is not enough to assume files from the cloud are not malicious.
The organization is charged with building open, transparent testing protocols for network security.
The update includes a raft of critical code-execution problems.
Threat actors have updated their malware to include a macro-based delivery framework.
Consumers are growing angry when it comes to data misuse - but the real change will need to come from the tech industry's culture when it comes to privacy.
Once upon a time, buyers purchased products from certified sellers. Today, hoarders use botnets to amass goods at significant markup for a new gray-market economy.
Businesses also leave information vulnerable in the cloud by failing to implement MFA and configure Kubernetes settings, new research reveals.
Microsoft patches nine critical bugs as part of December Patch Tuesday roundup.
Italy's regulator found the social giant guilty of misleading consumers as to what it does with their data.
Goal is to steal banking credentials by redirecting users to phishing sites.
Serious bugs addressed today include a Win32K privilege escalation vulnerability and Windows DNS server heap overflow flaw.
A new congressional report says the credit reporting firm's September 2017 breach was 'entirely preventable.'
Fighting off bot attacks on Web applications extracts a heavy cost in human resources and technology, according to a just-released report.
Data brokers are tracking 200 million mobile devices in the US, updating locations up to 14,000 times a day, the New York Times has found.
As CAPTCHA-haters know to their frequent irritation, the death of the text-based Completely Automated Procedures for Telling Computers and Humans Apart tends to be exaggerated.
Google has disclosed the second security hole in its Google+ social network in three months.
Flaws in the mobile site were leaving users vulnerable to attackers who could have reset their user passwords and hijacked their accounts.
Experts sound off on how companies can work with their third-party suppliers and partners to secure the end-to-end supply chain.
Constant learning is a requirement for cybersecurity professionals. Here are 15 books recommended by professionals to continue a professional's education.
The news comes amid reports that a Chinese intelligence-gathering effort was behind the massive Marriott hotel data breach.
Operation Sharpshooter uses a new implant to target mainly English-speaking nuclear, defense, energy and financial companies.
Once DevOps teams decide to shift left, they can finally look forward instead of backward.
One out of every 100 emails an enterprise receives is a phishing scam, and the attackers behind them are getting more sophisticated.
The purchase adds risk assessment to Arctic Wolf's SOC-as-a-service.
Some 88% of organizations aren't correctly managing access to data stored in files, according to a SailPoint report.
Consumers are much more likely to fall for spam during the season of giving.
Security experts advise Mac users to deploy security suites to protect themselves from the growing threat.
A primer on choosing deception technology that will provide maximum efficacy without over-committing money, time and resources.
McAfee finds malware associated with 'Operation Sharpshooter' on systems belonging to at least 87 organizations.
The trojan purports to be a battery optimization app - and then steals up to 1,000 euro from victims' PayPal accounts.
Ethical hackers use bug bounty programs to build the skills they need to become security professionals.
Good password practices remain elusive as Dashlane's latest list of the worst password blunders can attest.
If you find patching security flaws strangely satisfying, you're in luck - Microsoft's and Adobe's December Patch Tuesdays have arrived with plenty for the dedicated updater to get stuck into.
Here's the latest Naked Security podcast - enjoy!
Computer manufacturer Supermicro is still trying to lay to rest reports that the Chinese government tampered with its equipment to spy on Western cloud users.
One of the most destructive malware families ever seen is back, and researchers think its authors are gearing up to again take aim at the Middle East.
It's just one of many SOP SNAFUs of a pilot program for advanced searches of travelers' devices that doesn't even have performance metrics.
Attackers understand the profits that lie in the current lack of security. That must change.
Aspiring hackers and cybersecurity pros are joining the ethical hacking community to earn extra cash, according to Bugcrowd.
The education sector falls last on a list analyzing the security posture of 17 US industries, SecurityScorecard reports.
IBM Security Guardium 10 and 10.5 uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input. IBM X-Force ID: 124743.
Changes to how data is encrypted can help developers ward off data leakage and exfiltration.
Attacks targeting critical infrastructure systems are ramping up - and defense has become a top priority for the U.S. government.
The online spell check platform is taking its private bounty program public in hopes of outing more threats.
Phishing attacks flourished in 2018, but organizations can protect themselves with the three tips below.
Even the best chefs will produce an inferior product if they begin with the wrong ingredients.
The toll from cybercrime is expected to pass $6 trillion in the next three years, according to a new report.
An email campaign is demanding large sums of money in return for not blowing up schools, banks and businesses.
Enterprises are struggling with familiar old security challenges as a result, new survey shows.
Colleges and universities are prime targets for criminals due to huge sets of personal information and security that is weaker than in many businesses.
Don't delay, update your Wordpress website today.
Kanye, please keep your "all zeroes! all the time!" password away from the media. And Nutella? No, "Nutella" is NOT a good password.
One such use would be to pre-stuff our devices with ads and other content before we wander into a Wi-Fi dead zone.
Google keeps tabs on much of your activity. Now, it turns out that its YouTube service is also reading what's in your videos too.
Videos uploaded as private or unlisted are subject to being crawled, but Google's documentation does not acknowledge this behavior at all.
The rise in machine learning for security has forced criminals to rethink how to avoid detection.
Security pundits predict the ways that cybercriminals, nation-state actors, and other attackers will refine their tactics, techniques, and procedures in the coming year.
The most wonderful time of the year? Sure, but not if your business and customers are getting robbed.
A business email compromise campaign cost the Save the Children Federation $1 million.
The flaw allows a remote attacker to gain full access over a machine.
The smart attack era is upon us. Learn how AI, machine learning, IT process automation and a bit of common sense will help our cloud security.
The bug allowed 1,500 apps built by 876 developers to view users' unposted "draft" photos.
One bug accidentally allowed Google to index user passwords.
Experts dive into the trends and challenges defining the identity space and predict how online identities will change in years to come.
Hackers ramp up efforts to infiltrate email accounts of Americans responsible for enforcing severe economic sanctions on Iran.
Flaws could allow an attacker to stop or start a home charging station, or even change the current in order to start a fire.
Yesterday's wave of email bomb threats appear to be an evolution of tactics by the same groups that earlier tried "sextortion" and personal threats, Talos researchers say.
From a massive WordPress botnet to the Dark Web goldmine busted by Europol, and everything in between. It's time for your weekly roundup.
Forbes has added to the ever-growing pantheon of ways to trick biometrics by printing a 3D head and using it to break into Android phones.
A former acid house rave kingpin has been sentenced to 20 months for using a bizarre home-built machine to pilfer £500,000 from banking customers.
This is on you, makers of sites and services that allow users to create passwords like "password." You can do better!
NPM is working to course-correct after 2018 brought a handful of major incidents that caused usability and security headaches for system administrators.
Here's how to tell if you were one of the 6.8 million Facebook users whose private photos could have been accessed by third-party apps.
The hackers behind the attack said they have targeted 100,000 more printers in the latest attack dubbed #PrinterHack2.
Companies need to take a centralized approach to protecting confidential data and assets. Here are 12 ways to get a handle on the problem.
The flaw let developers access images that users may not have shared publicly, including those they started to upload but didn't post.
The largest companies in the world have an average of 500 servers and devices accessible from the Internet - and many leave thousands of systems open to attack.
The campaign targets politicians involved in economic and military sanctions against Iran, along with various journalists and human rights activists.
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
True auto safety can only be achieved by knowing what every piece of code and hardware is that goes into the car.
The ubiquity of internet-connected devices has seen a proportional increase in security failures. Here are the most egregious failures of 2018.
Cyberattacks reportedly targeted US Defense contractor.
Cracking encryption is supposed to take forever, right? Not if an attacker knows what they're doing.
Brute force encryption and password cracking are dangerous tools in the wrong hands. Here's what cybersecurity pros need to know to protect enterprises against brute force and dictionary attacks.
Automatic vulnerability finding tools detect more than 50 CVEs in Adobe Reader and Adobe Pro during a 50-day experiment.
The two flaws shed light on heightened concern around user data privacy.
As with previous attacks, organizations in the Middle East appear to be main targets, Symantec says.
Program seeks to raise employee cyber awareness at small and midsize businesses and give their owners the tools to make a difference.
Widespread, unpatched vulnerabilities are just one set of problems uncovered by a Department of Defense audit.
Protecting an account with multi-factor authentication (MFA) is a no-brainer, but that doesn't mean every method for doing this is equally secure.
"You authorise it - whereupon it promptly leaks to the world all your sexts, inappropriate jokes, and dank memes. Tragic!" said the researcher.
The flaw offered attackers a way of executing keystroke injection to take control of a Windows PC running Logitech Options.
It affected up to 6.8 million users and up to 1,500 apps. "We're sorry this happened," said Facebook with what must be acute apology fatigue.
Before the wrapping paper starts flying, here's some welcome cybersecurity advice to share with friends and family.
MikroTik, Hadoop clusters, legislation and more will mark the botnet space in 2019.
Privacy regulation is a complex topic with ever-changing parameters and requirements. Read some predictions for what's coming in 2019.
The hack comes on the heels of the PewDiePie-supporting printer attacks over the weekend.
Cryptojacking was the runaway security problem in 2018, damaging devices in cybercriminals' pursuit of profits. As cryptocurrency prices fall, 2019 could see more attacks.
Having the right mix of tools, automation, and intelligence is key to staying ahead of new threats and protecting your organization.
Analysts discover malicious code embedded in tweeted images.
The malware does its best to obfuscate SEO injection in WordPress and evade notice from web admins.
In the good old days, incinerating backup tapes or shredding a few hard drives would have solved the problem. Today, we have a bigger challenge.
Devastating, targeted ransomware attacks didn't start with SamSam and they didn't end with it either.
A popular free VPN is found to have a very high cost for users.
A data leak was disclosed after attackers targeted a support form, which had "unusual activity."
The group continues to evolve its custom malware in an effort to evade detection.
Steganography via tweet images gave attackers a way to pass on malicious instructions to Trojan, researchers say.
The fall of cryptocurrency's value doesn't signify an end to cryptomining, but attackers may be more particular about when they use it.
One BMDS site's patching was so deficient, it failed to address a critical vulnerability that first came to light nearly three decades ago.
The creator of SQLite has downplayed reports of a bug that could lead to remote code execution.
Facebook and Twitter got a lot of heat, but "Instagram's appeal is that's where the kids are, and that seems to be where the Russians went."
The African Grey has tried to get Alexa to send him lightbulbs, a kite, watermelon, ice cream, strawberries, raisins, broccoli and ice cream.
Facebook is under fire again for its data privacy policies.
Total malware samples grew 34% over the past year, with major rises in coinmining and fileless attacks, according to a McAfee Labs report.
Machine learning is all the rage - but don't knock human savvy just yet! One weird character can be enough to alert a smart researcher...
Out-of-band management systems can be a weak link to securing your data center. Here's how a debug utility can be leveraged to brick your systems.
Weigh in on Facebook and privacy in our short poll.
While 73% of organizations already use some level of artificial intelligence, the technology comes with its own challenges, according to a ProtectWise report.
While you prepare your defenses against the next big thing, also pay attention to the longstanding threats that the industry still hasn't put to rest.
International investment scam laundered funds through US bank accounts before being sent to Nigeria.
Twelve years' worth of data has blasted off into the Dark Web.
Conditioning users to think "padlock equals security" has unintended consequences when cloud services are used to host malware droppers.
2018 brought massive, hardware-level security vulnerabilities to the forefront. Here are the five biggest vulnerabilities of the year, and how you can address them.
An explosive new report sheds light on data-sharing deals that benefited 150 companies as Facebook handed over unknowing users' information.
In 2019, usable security will become the new buzzword and signal a rejection of the argument that there must be a trade-off between convenience and security and privacy.
Local governments aren't updating the vulnerable systems.
Among other tried-and-true cyberattack methods, the attackers hosted malware on the Google Cloud Storage service domain storage.googleapis.com to mask their activity.
Treasury Department names and imposes economic sanctions on the alleged major players behind the Russian election-meddling operation as well as the World Anti-Doping Agency breach.
Researchers demonstrate the process of remotely bricking a server, which carries serious and irreversible consequences for businesses.
Incident is latest manifestation of continuing security challenges at agency, where over 3,000 security incidents have been reported in recent years.
What will ultimately be the driving force for Facebook to value data privacy?
Keep your passwords safe, since: "Quintal: Did the girl that sounded hot bring her computer last night? Preuit: No Quintal: I'm depressed"
Mark Rober "over-engineered the crap" out of it, including motion detection, geofencing, and 4 cameras to record some priceless reactions.
A new assessment of 28 popular models for home users failed to find a single one with firmware that had fully enabled underlying security hardening features offered by Linux.
Getting a new PC is exciting, but you should follow these setup steps before using a Windows 10 machine.
Facebook hit back at press reports this week that highlighted a deep network of privileged data-sharing partnerships between the social media company and other large organisations.
These tech roles will pay the most and be the most heavily recruited this year, according to Scout Exchange.
Microsoft issued an out-of-band patch for a zero day bug in its Internet Explorer browser.
A Facebook partnership with Netflix, Dropbox, Spotify, and Royal Bank of Canada gave them access to messages.
The intimate recordings paint a detailed picture of a man's life.
There can be a clash of missions between security and IT Ops teams, but automation can help.
Some 42% of companies say employees have fallen victim to a phishing attack, according to EdgeWave. Here's how to keep them safe.
Among this year's biggest news stories: epic hardware vulnerabilities, a more lethal form of DDoS attack, Olympic 'false flags,' hijacked home routers, fileless malware - and a new world's record for data breaches.
In all Android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel, there is no synchronization between msm_vb2 buffer operations, which can lead to a use after free.
A new Amnesty International report explains how cyberattackers are phishing second-factor authentication codes sent via SMS.
In an indictment unsealed this morning, the US ties China's state security agency to a widespread campaign of personal and corporate information theft.
After one German user requested a copy of their Alexa voice history under the GDPR, he got another user's data in the process.
A drone operator has repeatedly flown two UAVs close to the runway, grounding flights at the airport since last night.
Risk scoring is a way of getting everyone on the same page with a consistent, reliable method of gathering and analyzing security data.
The homeland security implications are significant: the two, working with Beijing-backed APT10, allegedly stole sensitive data from orgs like the Navy and NASA.
It makes it simple for attackers to find devices to take over and add to botnets.
Dan Patterson discusses the wake-up call provided by new reports for the Senate that detail Russia's pervasive interference in the 2016 presidential election.
Microsoft issues an emergency update to its IE browser after researchers notified the company that a scripting engine flaw is being used to compromised systems.
Security experts share the skills companies are looking for, the skills students are learning, and how to best find the talent you need.
Microsoft has released an emergency patch for a remote code execution (RCE) zero-day vulnerability in Internet Explorer's Jscript scripting engine affecting all versions of Windows, including Windows 10.
United Health chief security strategist explains the benefits the organization reaped when it made basic coding training a requirement for security staff.
The read_packet function in knc (Kerberised NetCat) before 1.11-1 is vulnerable to denial of service (memory exhaustion) that can be exploited remotely without authentication, possibly affecting other services running on the targeted host.
It's U2 déjà vu: Apple's yet again shoving stuff at users without their say-so. This time, it's via the TV app, to some iOS users.
Does nicotine have you in its addictive grip? Chinese researchers have found that you might be helped with an SMS-based intervention.
Teenage hackers have been making thousands of pounds selling stolen accounts for popular online game Fortnite, it emerged this week.
Attempts to mitigate the landmark vulnerabilities have caused crashes, sudden reboots, and performance degradations. Here's the progress report on the Spectre and Meltdown solution.
Unboxing a new device gift can be exciting, but you need to follow these steps to ensure you don't invite hackers in, according to Palo Alto Networks.
US brings more indictments against a cyber espionage group operating in China, but what will they accomplish?
Are Microsoft's new C and D updates a good idea or a beta by another name?
While malware families and targets continue to evolve, the most important shift might be happening in the background.
Hackers targeted hundreds of bagel stores across the U.S. to devour customers' credit card info.
No shortage of political humor and inside security jokes in this batch of cartoon caption contenders. And the winners are ...
Amazon mistakenly sent one user's Alexa recordings to a stranger but neglected to disclose the error.
Cash-strapped small businesses get help from the PCI SSC's data security evaluation tool and additional resources to better understand and secure their digital payment systems.
The second report in a week has analysed phishing attacks that are attempting - and probably succeeding - in bypassing older forms of two-factor authentication (2FA).
The FBI has taken down several of the largest DDoS-as-a-service sites on the web.
We ring out 2018 with a look at the big issues of the past year. Listen and enjoy!
The information garnered by cybercriminals during a phishing attack is sometimes used to perpetrate costly fraudulent wire transfers. Learn how to prevent the initial phishing scams.
Researchers disclose signedness bug in driver used by IBM Trusteer Rapport endpoint security tool after IBM fails to deliver timely patch.
These days, security has to speak the language of business. These KPIs will get you started.
A look back at the blizzard of breaches that made up 2018.
A phishing attack led to the data breach of students' social security numbers, addresses, and more.
Vulnerability in electric car charging stations could allow attackers to compromise devices.
What are the top cyber trends to watch out for in 2019? Here's what we're hearing.
The top cybersecurity and privacy trends that had the biggest impact in 2018.
Because you can't hack back without breaking the law, these tactics will frustrate, deceive, and annoy intruders instead.
A simple flaw allows attackers to derive WiFi credentials with little effort.
Looking for more security on your Ubuntu 18.04 desktops? You can't go wrong with enabling the firewall on the Ubuntu Desktop.
By encouraging female participation through education and retaining this interest through an inclusive culture and visible role models, we can begin to close the skill and gender gap in cybersecurity.
Cross-site scripting (XSS) vulnerability in Q'center Virtual Appliance 1.8.1014 and earlier versions could allow remote attackers to inject Javascript code in the compromised application, a different vulnerability than CVE-2018-0723.
Cross-site scripting (XSS) vulnerability in Q'center Virtual Appliance 1.8.1014 and earlier versions could allow remote attackers to inject Javascript code in the compromised application, a different vulnerability than CVE-2018-0724.
Cybersecurity threats, technology, and investment trends that are poised to dictate venture capital funding in 2019.
Employees at financial services firms hit with an email attack campaign abusing a Google Cloud storage service.
NEC Univerge Sv9100 WebPro 6.00.00 devices have Cleartext Password Storage in the Web UI.
NEC Univerge Sv9100 WebPro 6.00.00 devices have Predictable Session IDs that result in Account Information Disclosure via Home.htm?sessionId=#####&GOTO(8) URIs.
The scam targets Netflix users and asks for payment information.
The joining of 'deep learning' and 'fake news' makes it possible to create audio and video of real people saying words they never spoke or things they never did.
Machine intelligence, in its many forms, began having a significant impact on cybersecurity this year - setting the stage for growing intelligence in security automation for 2019.
Due to a shared Amazon S3 credential, all users of the Guardzilla All-In-One Video Security System can view each other's videos.
In-flight airplanes, social engineers, and robotic vacuums were among the targets of resourceful white-hat hackers this year.
Conference showcases cutting-edge cybersecurity research, hacking collectives and art.
A proof-of-concept hack of a voicemail system shows how it can lead to account takeovers on multiple online services.
Quantum computing will break most of the encryption schemes on which we rely today. These five tips will help you get ready.
We walk you through the important settings you can change and behaviors you can implement to lock down your privacy on Facebook.
The home surveillance cams have hard-coded credentials.
FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulnerability in the parameter "filterType" in /attachments.php that can allow the attacker to grab the entire database of the application.
Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in the circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that can result in an information leak or possibly RCE, depending on system configuration. This attack appears to be exploitable via the victim opening a specially crafted circuit file. This vulnerability appears to have been fixed in 2.14.4.
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with a useful gadget is loaded, it may be possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.
Peel Shopping peel-shopping_9_1_0 contains a cross-site scripting (XSS) vulnerability that can result in an authenticated user injecting JavaScript code in the "Site Name EN" parameter. This attack appears to be exploitable if the malicious user has access to the administration account.
Battelle V2I Hub 3.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the tmx/TmxCtl/src/lib/PluginStatus.cpp and TmxControl::user_info() function, which could allow the attacker to view, add, modify or delete information in the back-end database.
Battelle V2I Hub 2.5.1 is vulnerable to SQL injection. A remote authenticated attacker could send specially-crafted SQL statements to /api/PluginStatusActions.php and /status/pluginStatus.php using the jtSorting or id parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
Battelle V2I Hub 2.5.1 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by api/SystemConfigActions.php?action=add and the index.php script. A remote attacker could exploit this vulnerability using the parameterName or _login_username parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Battelle V2I Hub 2.5.1 could allow a remote attacker to bypass security restrictions, caused by the direct checking of the API key against a user-supplied value in PHP's GET global variable array using PHP's strcmp() function. By adding "[]" to the end of "key" in the URL when accessing API functions, an attacker could exploit this vulnerability to execute API functions.
Battelle V2I Hub 2.5.1 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to the API key file. An attacker could exploit this vulnerability to obtain the current API key to gain unauthorized access to the system.
Battelle V2I Hub 2.5.1 could allow a remote attacker to bypass security restrictions, caused by the lack of requirement to change the default API key. An attacker could exploit this vulnerability using all available API functions containing an unchanged API key to gain unauthorized access to the system.
Battelle V2I Hub 2.5.1 contains hard-coded credentials for the administrative account. An attacker could exploit this vulnerability to log in as an admin on any installation and gain unauthorized access to the system.
Battelle V2I Hub 2.5.1 is vulnerable to a denial of service, caused by the failure to restrict access to a sensitive functionality. By visiting http://V2I_HUB/UI/powerdown.php, a remote attacker could exploit this vulnerability to shut down the system.
Longtime US resident allegedly stole information for petroleum firm in China that had offered him a position.
Researcher at ESET outlines research on the first successful UEFI rootkit used in the wild.
There's no need to make it easier for someone who wants to hijack your Twitter account. Here's how to lock it down in just a few minutes.
Woman who helped hide Edward Snowden faces uncertain future and says she has no regrets.
Facebook tracks Android users via apps, even if they aren't Facebook users.
It's a good idea to set up multi-factor authentication (2FA) on all your social accounts, so here we explain how to do that for Instagram.
Cryptocurrency wallets Trezor and Ledger are vulnerable to a number of different types of attacks, researchers say.
Reports have linked the attack to the Ryuk ransomware.
Cybersecurity prevention is essential, but it is failing miserably. Focus on how to recover from cybersecurity events by following these tips.
You can use a password manager on your iOS device to easily sign into secure websites and mobile apps. Learn how to do so in iOS 12.
Learn why it's critical to resolve trust issues and promote collaboration between your cybersecurity and network teams.
The costs incurred from a ransomware attack can devastate SMBs, but there are ways to minimize the impact.
Vulnerabilities, stolen credentials and an evolution of marketplaces mark the Dark Web in Q3.
Here are 10 top malware trends to watch for in the New Year.
The Citibank hack in 1994 marked a turning point for banking -- and cybercrime -- as we know it. What can we learn from looking back at the past 25 years?
Attackers could craft a campaign that makes use of the device profile in order to exploit any vulnerabilities in a targeted fashion.
As the bug bounty programs begin to roll out in January, security experts worry that the programs miss the mark on truly securing open source projects.
Cyberinsurance might be the only way to truly survive a full-blown cyberattack. Before small business owners shop for cyberinsurance, they should check out these guidelines from the FTC.
Bruce Schneier discusses the clash between critical infrastructure and cyber threats.
Key steps to making those home Internet of Things devices just a bit safer.
Nearly 1,000 North Koreans who defected to South Korea had personal data compromised by an unknown attacker.
Small-business owners are considering whether to spend hard-earned money on historically less than effective cybersecurity and what it means if they don't. A security expert at GoDaddy weighs in.
A virus disrupted print and delivery for the Chicago Tribune, Los Angeles Times, Baltimore Sun, and other US publications this weekend.
New court document shows law enforcement suspected possible involvement of Harold Martin in Shadow Brokers' release of classified NSA hacking tools.
No, none of us can "bypass" Facebook's newsfeed algorithms by copy-pasting our way past them.
The extortionists leaked a "small sample" of what they say are 18k classified legal documents containing 9/11 "truth" stolen from a law firm.
On 29 December one of America's largest publishing groups, Tribune Media, found itself battling a major ransomware attack.
The same hacking duo behind the recent "PewDiePie" printer hacks are back - this time with publicly exposed Chromecast, Google Home and smart TV systems as their targets.
In an era of tighter privacy laws, it's important to create an online environment that uses threat intelligence productively to defeat disinformation campaigns and bolster democracy.
Robert Tibbo discusses the challenges he and his clients face in Hong Kong as the government there targets both in a harassment campaign for aiding Edward Snowden.
BlankMediaGames disclosed a data breach that affects millions using the browser-based role-playing game.
Facial recognition technology is getting a second look from solutions vendors, though legal frameworks for how biometrics are used are out of date.
Buffer overflow in AES-CCM and AES-GCM encryption via initialization vector in snapdragon automobile, snapdragon mobile and snapdragon wear in versions IPQ8074, MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016.
Possible Buffer overflow when transmitting an RTP packet in snapdragon automobile and snapdragon wear in versions MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 810, SD 820, SD 835, SD 845 / SD 850, SDA660, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130.
Use after free in QSH client rule processing in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 820, SD 835, SDA660, SDM630, SDM660, Snapdragon_High_Med_2016.
Security keys are logged when any WCDMA call is configured or reconfigured in snapdragon automobile, snapdragon mobile and snapdragon wear in versions MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDA660, SDX20, SXR1130.
Cryptographic keys are printed in modem debug messages in snapdragon mobile and snapdragon wear in versions MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 636, SD 650/52, SD 800, SD 810, SD 820, SD 835, SDA660, SDM630, SDM660, Snapdragon_High_Med_2016.
Cryptographic key material leaked in debug messages - GERAN in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 835, SD 855, SDX24, Snapdragon_High_Med_2016.
Cryptographic key material leaked in TDSCDMA RRC debug messages in snapdragon automobile, snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDA660, SDX20, SXR1130.
Cryptographic key material leaked in WCDMA debug messages in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 835, Snapdragon_High_Med_2016.
Security keys used by the terminal and NW for a session could be leaked in snapdragon mobile in versions MDM9650, MDM9655, SD 835, SDA660.
QSEE unload attempt on a 3rd party TEE without previously loading results in a data abort in snapdragon automobile and snapdragon mobile in versions MSM8996AU, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016, SXR1130.
Information leak in UIM API debug messages in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 835, Snapdragon_High_Med_2016.
When a 3rd party TEE has been loaded it is possible for the non-secure world to create a secure monitor call which will give it access to privileged functions meant to only be accessible from the TEE in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions IPQ8074, MDM9206, MDM9607, MDM9635M, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016.
A non-secure user may be able to access certain registers in snapdragon automobile, snapdragon mobile and snapdragon wear in versions IPQ8074, MDM9206, MDM9607, MDM9635M, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016.
Across six apps, the spyware managed to spread to 196 different countries.
Password-manager Blur and role-playing game Town of Salem both disclosed data breaches this week that impacted a combined 10 million.
Businesses showing good faith by modeling their cybersecurity after an approved framework will have legal protection under Ohio's Data Protection Act.
Congress must do more to encourage good Samaritan efforts in the cybersecurity community and make it easier for law enforcement to consistently collaborate with them.
The company released an out-of-band update to head off vulnerabilities exposed in Acrobat and Reader, one of which had been patched by the company in December.
Authors of the book LikeWar detail how social media can be weaponized. Read the questions they recommend business leaders ask and answer in preparation for a LikeWar.
All of the vulnerabilities arise from improper input validations.
Learn how to beef up your company's cyberdefenses by training employees on cybersecurity policies and procedures, password management, and phishing.
Malware disguised as games and utilities struck more than 100,000 victims before being taken out of Google Play.
Emotet's operators have been adding new capabilities, making the malware now even more dangerous to its enterprise targets.
Rewards on 15 bug bounty programs start at $28,600 and include open source software such as KeePass, FileZilla, Drupal and VLC media player.
An unscheduled patch fixed two critical flaws that could enable arbitrary code execution.
A new presentation shows how vein authentication systems can be fooled using a fake wax hand model.
First they came for your printer... and then they came for your Chromecast - learn how to tighten up your router security.
Microsoft rolled out a passwordless sign-in option for insiders on Windows 10 build 18309. Here's why others will likely follow.
Passbolt is a powerful, web-based password manager that can be employed by individuals and teams.
Currently in private beta, Bali is designed to give users control over the data Microsoft collects about them.
Instead of losing sight of the cybersecurity forest as we navigate the compliance trees, consolidate and simplify regulatory compliance efforts to keep your eyes on the security prize.
It's not clear why the data release wasn't noticed earlier.
A vintage spycraft tool was updated for the technological age as cybercriminals attempt to evade programmatic detection.
The phishing campaign is using a new technique to hide the source code of its landing page - and stealing credentials from customers of a major U.S.-based bank.
The hotel giant said after de-duping, the breach appears to be smaller than it thought.
The lawsuit alleges that the Weather Channel app misled users about why it was collecting their (extremely precise) geolocation data.
Here's what you need to know about Facebook hoaxes, all in plain English.
In a newly published editorial and video, Intel details what specific actions it has taken in the wake of the discovery of the CPU vulnerabilities.
The vulnerabilities could be remotely exploited and give attackers control over affected systems.
The proliferation of IoT devices has led to a security nightmare that the TrustBox is designed to defeat. Learn more about this CES Innovation Awards honoree.
Authorities are investigating if breach resulted from a leak or a cyberattack.
Phishing attacks remain rampant and are expected to continue to do so in 2019. Learn an insider's perspective on the difficulties combating them.
New information on the Starwood breach shows that the overall breach was somewhat smaller than originally announced, but the news for passport holders is worse.
From same old, same old Facebook hoaxes to PewDiePie's Chromecast-hacking fans, here are the top stories of the new year.
Adobe has patched two critical flaws in Acrobat and Reader that warrant urgent attention.
For over a month, hackers published data from hundreds of German politicians in a Twitter advent calendar - a massive government assault.
In this week's podcast, we weigh in on the top threats to watch out for in 2019 - from fraud to IoT.
Microsoft closed the hole, which let any unauthenticated phone-grabber answer a Skype call and then roam around on your mobile.
A glitch allowed hackers to access contacts, photos and more on Android devices - simply by answering a Skype call.
A proof-of-concept from the University of Maryland can defeat the audio challenges that are offered as an option for people with disabilities.
We need more stringent controls and government action to prevent a catastrophic disaster.
Akamai plans to combine Janrain's Identity Cloud with its Intelligent Platform to improve identity management.
The gap between acceptance and trust for new smart devices is huge, according to a new survey.
Robert Tibbo discusses being pushed to leave Hong Kong under pressure and efforts made to the Canadian government to grant refugee status to the "Snowden refugees."
Security incidents are set to grow as companies lag behind in securing their containers.
Businesses must build IoT security measures into devices to protect consumers from hackers, according to McAfee.
Apple exploits will fetch the highest price.
Just as ex-tropical Cyclone Penny moved toward the coast of Queensland, Australia, users of Early Warning Network reported receiving strange messages from the emergency system.
ARC 5.21q allows directory traversal via a full pathname in an archive file.
2018 saw a reduced number of huge DNS-facilitated DDoS attacks. Vendors and service providers believe that malicious impact will drop with continued technology improvements.
Top reward for iOS remote exploit hits $2 million, as companies who sell exploits to national governments have to offer more money to attract researchers to tackle increasingly secure software.
The app is accused of being a "location data company powered by weather" and profiting from users' data without being upfront about it.
Australians got scary texts, emails and phone calls from a trusted emergency warning service late last week after a hacker broke into its systems and used it to send fake messages.
Stop shaking your head about "WhatsApp Gold" flimflam and start spreading these REAL nuggets of hoax-clobbering advice!
How easy is it to bypass the average smartphone's facial recognition security? In the case of Android, a lot easier than owners may think.
The update comes on the heels of critical fixes in an unscheduled patch last week.
The recently disclosed Marriott breach exposed a frequently ignored issue in the M&A process.
Learn how one company is capitalizing on machine learning to address phishing problems.
Deal gives Sophos a new AI-based cloud security platform.
The noted cryptography expert has joined the advisory board of the quantum key exchange provider.
Sometimes, the limited length of an SMS makes it easier for the crooks to 'get it to look right' and reel you in to a phishing site...
A series of 2018 cybersecurity incidents shows credential stuffing is a trend to watch among healthcare organizations.
The whole attack takes place in under a minute.
To protect yourself, you must know where you're vulnerable - and these tips can help.
Hack was not politically motivated; no sign of third-party involvement, authorities say.
Microsoft January Patch Tuesday roundup includes four critical patches for its Edge browser.
Bad actors are imitating high-level executives in the shipping industry to launch BEC attacks that could lead to credential theft or worse - system compromise.
When criminals use technology to propagate social engineering attacks, securing your organization can become complicated. Here's what you need to know about phishing and spearphishing.
This month's security update includes seven patches ranked Critical and one publicly known vulnerability.
This new form of crypto wallet fraud enlists unwary consumers and companies to help defeat anti-money laundering methods for law enforcement and regulators.
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
The difference between a personal vs. an official social media account was at the crux of the case decided on Monday.
There are other options for photo sharing that don't hand over every pixel to the Facebook megamind.
Any chance we could appeal to your conscience and integrity and put in a call for ethical disclosure?
Apps have been secretly sharing usage data with Facebook, even when users are logged out - or don't have an account at all.
It looks as if at least one hot tub maker has left robust security off the to-do list.
Don't assume your employees know how to spot business email compromises - they need some strong training and guidance on how to respond in the event of an attack.
Container and microservices technologies, including the orchestrator Kubernetes, create an extraordinary opportunity to build infrastructure and applications that are secure by design.
The home goods company confirmed users' data may have been compromised during multiple time frames over a two-year period.
Overall, the chip giant patched five vulnerabilities across an array of its products.
WordPress vulnerabilities tripled over the past year, more than any other CMS, according to an Imperva report.
As the hype at CES demonstrates, 5G is the newest and shiniest tech bauble out there: but security concerns loom.
Should we pump the brakes on the rollout of biometric security to first consider whether we are creating new vulnerabilities?
Despite fewer plugins being added to WordPress last year, the CMS saw an astounding tripling of vulnerabilities in its platform in 2018.
Dan Patterson interviews Xerox CISO Alissa Abdullah about protecting sensitive data from adversaries. They also discuss the recent Marriott hack, privacy, ransomware, machine learning, and IoT.
Ask the tough questions before you invest in artificial intelligence and machine learning technology. The security of your enterprise depends on it.
National Counterintelligence and Security Center (NCSC) released free online security awareness materials for businesses to defend against nation-state hackers.
When companies limit the remote work options that they know will benefit the organization, security concerns are often to blame.
Once downloaded, the fake apps hide themselves on the victim's device and continue to show a full-screen ad every 15 minutes.
Researchers think an organized crime gang is running the massive campaigns, prepping for large-scale follow-on attacks on Android users.
Insufficient data validation in V8 builtins string generator could lead to out of bounds read and write access in V8 in Google Chrome prior to 62.0.3202.94 and allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Inappropriate symlink handling and a race condition in the stateful recovery feature implementation could lead to a persistence established by a malicious code running with root privileges in cryptohomed in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to execute arbitrary code via a crafted HTML page.
An ability to process crash dumps under root privileges and inappropriate symlinks handling could lead to a local privilege escalation in Crash Reporting in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to perform privilege escalation via a crafted HTML page.
Insufficient data validation in crosh could lead to a command injection under chronos privileges in Networking in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to execute arbitrary code via a crafted HTML page.
Using an ID that can be controlled by a compromised renderer which allows any frame to overwrite the page_state of any other frame in the same process in Navigation in Google Chrome on Chrome OS prior to 62.0.3202.74 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
A memory corruption bug in WebAssembly could lead to out of bounds read and write through V8 in WebAssembly in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Insufficient data validation on image data in PDFium in Google Chrome prior to 51.0.2704.63 allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file.
Winston is an online privacy device that sits between a modem and router to protect the user's online browsing and identity.
But this new development unlikely to do much to clear government suspicions about security vendor's ties to Russian intelligence, analyst says.
A remote attacker could exploit the vulnerability simply by sending an email.
Nearly half of all companies know that they're deploying containers with security flaws, according to a new survey.
The number of flaws found in WordPress and its associated plugins has tripled since 2017, while Internet of Things vulnerabilities dropped significantly, according to data collected by Imperva.
A vulnerability in the TCP socket code of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a state condition between the socket state and the transmission control block (TCB) state. While this vulnerability potentially affects all TCP applications, the only affected application observed so far is the HTTP server. An attacker could exploit this vulnerability by sending specific HTTP requests at a sustained rate to a reachable IP address of the affected software. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition on an affected device.
A vulnerability in the Redis implementation used by the Cisco Policy Suite for Mobile and Cisco Policy Suite Diameter Routing Agent software could allow an unauthenticated, remote attacker to modify key-value pairs for short-lived events stored by the Redis server. The vulnerability is due to improper authentication when accessing the Redis server. An unauthenticated attacker could exploit this vulnerability by modifying key-value pairs stored within the Redis server database. An exploit could allow the attacker to reduce the efficiency of the Cisco Policy Suite for Mobile and Cisco Policy Suite Diameter Routing Agent software.
The "Social Pug - Easy Social Share Buttons" plugin before 1.2.6 for WordPress allows XSS via the wp-admin/admin.php?page=dpsp-toolkit dpsp_message_class parameter.
The court's action means that one of the first legal cases involving cyber security risks in cars will go to trial in October.
After a busy sequence of updates in October, November, and December, the new year's first Patch Tuesday promises a lighter workload.
Universities must keep pace with rapidly changing technology to help thwart malicious hacking attempts and protect student information.
The technique can be used to spread disinformation while leveraging the trust people have in Google's search results.
The attacks, targeting several countries to redirect traffic and harvest credentials, have been linked to Iran.
New additions to the G Suite alert center are intended to notify admins of phishing and data exports.
Poll shows individuals want better security from IoT device manufacturers as connected products flood the market.
The eagerness to tie recent Ryuk ransomware attacks to a specific group could be rushed, researchers say.
Make no mistake, however: We'll always have to be on guard. And we can take some lessons from the world of industrial cybersecurity.
The law brought sweeping new powers, allowing authorities to force technology companies to hand over user data and to censor posts.
The #DeleteFacebook movement may be growing, but many Samsung users are having a tough time scraping the social network's preinstalled software from their phones.
User lockouts, combined with requirements for new passwords, indicate an attack on accounts at the popular social media platform.
When it comes to IoT, the priority at CES is the "wow factor" - but not so much a focus on security.
A group believed to be operating out of Iran has manipulated DNS records belonging to dozens of firms in an apparent cyber espionage campaign, FireEye says.
The new attack hits operating systems, not chips, and may give criminals the keys to a company's cryptography.
modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution.
Bodhi 2.9.0 and lower is vulnerable to cross-site scripting resulting in code injection caused by incorrect validation of bug titles.
Christian Rodriguez says he set up secure VoIP communications for the cartel: a system whose encryption keys he wound up giving to the FBI.
A trader believes he could easily have obtained admin access to the site and potentially have stolen the funds of its 600,000 users.
A researcher has published a tool called Modlishka, capable of phishing 2FA codes sent by SMS or authentication apps.
Old Twitter posts could reveal more about you than you think, according to researchers, even if you didn't explicitly mention it.
Security concerns top the list of challenges to cloud migration, according to a Cloud Security Alliance report.
It is great to have heroes, but the real security heroes are the men and women who keep the bad guys out while fighting their own organizations at the same time.
A penetration testing tool called Modlishka can defeat two-factor authentication in the latest 2FA security issue. We asked a roundtable of experts what it all means.
As the shutdown continues into its 21st day, dozens of .gov websites haven't renewed their TLS certificates.
A new CSA report addresses the issue of breach responsibility as more organizations move ERP application data to the cloud.
The latest malware from TA505 has been seen targeting banks, retailers and restaurants with two different versions.
Security leaders must stay on top of a fast-moving world of cloud deployment options.
Mondelez files lawsuit after Zurich rejects claim for damages from massive ransomware attack.
In iOS before 11.2, an inconsistent user interface issue was addressed through improved state management.
In macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan, a logic error existed in the validation of credentials. This was addressed with improved credential validation.
In iOS before 11.2, a type confusion issue was addressed with improved memory handling.
In macOS High Sierra before 10.13.2, a logic issue existed in APFS when deleting keys during hibernation. This was addressed with improved state management.
In macOS High Sierra before 10.13.2, an access issue existed with privileged WiFi system configuration. This issue was addressed with additional restrictions.
In iOS before 9.3.3, a memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.
In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a downgrade issue existed with HTTP authentication credentials saved in Keychain. This issue was addressed by storing the authentication types with the credentials.
In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a validation issue existed in the parsing of 407 responses. This issue was addressed through improved response validation.
In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, proxy authentication incorrectly reported HTTP proxies received credentials securely. This issue was addressed through improved warnings.
A class-action suit over a 2015 attack demonstration against a Jeep Cherokee can move forward, US Supreme Court rules.
Data breach fears and the need to comply with regulations such as GDPR are two major drivers of increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Among the problems: TLS certificates are expiring and websites are becoming inaccessible.
The app was developed by legitimate Chinese manufacturing giant TCL.
Xerox's CISO Alissa Abdullah discusses how innovation in technology and security has changed throughout her career.
Here's the latest Naked Security podcast - enjoy!
From vulnerable 2FA codes to phishing to critical flaws for Adobe Acrobat and Reader, and everything in between. It's weekly roundup time.
The imposter claimed to be the Facebook exec and said he'd shot his wife, tied up his kids and planted pipe bombs "all over the place."
USB-C Authentication could banish USB threats forever, but it might also mean you're tied to buying "approved" accessories.
Martin Gottesfeld said he wishes he "had done more" than knock out BCH's network for at least two weeks.
Threatpost discusses the future of the Emotet banking trojan with Cylance.
Dual data exposures and a wide-scale data leak due to a vulnerable MongoDB database have kicked off 2019 so far.
The US government shutdown is affecting more than just physical sites like national parks and monuments.
In 2019, there will be no end in sight to email-driven cybercrime such as business email compromise, spearphishing, and ransomware.
Firefox 69 will force users to manually install Adobe Flash as the plugin inches toward end of life.
The malware's operator, Grim Spider, could be affiliated with Russian cybercrime rings, according to some -- others say there's no concrete evidence.
German antitrust regulators prepare to require changes from Facebook regarding privacy and personal information.
Researchers created a proof-of-concept escape of Docker test environment.
The firm says risk assessment should begin with understanding attacker taxonomy and continue with vulnerability analysis.
Take our short poll to weigh in on the state of two-factor authentication.
We asked a number of people working in different roles at Sophos how they made their way into cybersecurity. 1. Music making to malware fighting. Sales Engineer, Benedict Jones: I graduated from university with a first class BSc honours degree in Sound Technology and Digital Music. I have always pertained a profound interest in music […]
He said that similar flaws were also found in the Dreamhost, HostGator, OVH and iPage web hosting platforms.
Cryptomining tools such as Coinhive, which mine Monero and other cryptocurrencies on victims' machines, dominate the list of most prevalent malware in December 2018.
Researchers say people over 65 are seven times more likely to share fake news than 18 to 29-year-olds.
Facebook's relying on demotion instead of removal, so users will still be able to share content, even if Full Fact rates it inaccurate.
In an interesting move for villainy, a thief who stole over $1 million from the Ethereum Classic blockchain has given some of it back.
Microsoft has vexed its Windows 7 users with a misbehaving update that caused licensing and networking errors.
Malware and bots, phishing, and DDoS attacks are some of the top threats companies face, according to Radware.
Heavy dependence on external vendors with unclear security policies is a concern among IT professionals, according to a Deloitte report.
Sonrai Security, the brainchild of two execs from IBM Security and Q1 Labs, debuts with $18.5 million in Series A funding.
The paradigm shift toward always-on IT requires business leaders to rethink their defense strategy.
Police can't force you to unlock your phone by iris, face or finger.
LimeSurvey before 2.72.4 has Stored XSS by using the Continue Later (aka Resume later) feature to enter an email address, which is mishandled in the admin panel.
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
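As an added illustration of the bug class named in the Shopware advisory above, and not Shopware's own code: a PHP handler that lets a request parameter choose which class to instantiate, beside an allow-listed version. The function and class names (`loadPreviewUnsafe`, `loadPreviewSafe`, `SortByName`, `SortByPrice`) and the request shape are hypothetical; the real method in the advisory is `loadPreviewAction()`.

```php
<?php
declare(strict_types=1);

// Hypothetical sorter classes standing in for whatever a product listing
// would legitimately sort by.
final class SortByName
{
    public function __construct(public string $dir = 'asc') {}
}

final class SortByPrice
{
    public function __construct(public string $dir = 'asc') {}
}

// Vulnerable pattern: the request names the class and supplies its
// constructor argument, so the caller gets an arbitrary-instantiation
// primitive. With 'class' => 'SimpleXMLElement', 'arg' is parsed as XML,
// which is the route to XXE the advisory describes.
function loadPreviewUnsafe(array $sort): object
{
    $class = (string) $sort['class'];
    $arg   = (string) $sort['arg'];
    return new $class($arg);
}

// Hardened pattern: the parameter is a key into a fixed allow-list, the
// constructor argument is normalised to one of two known values, and no
// request value ever becomes a class name.
const SORTERS = [
    'name'  => SortByName::class,
    'price' => SortByPrice::class,
];

function loadPreviewSafe(array $sort): object
{
    $key = (string) ($sort['class'] ?? 'name');
    if (!array_key_exists($key, SORTERS)) {
        throw new InvalidArgumentException("unknown sort key: $key");
    }
    $dir   = (($sort['arg'] ?? 'asc') === 'desc') ? 'desc' : 'asc';
    $class = SORTERS[$key];
    return new $class($dir);
}

// Constructed request values for the demo, not captured traffic.
$benign  = ['class' => 'price', 'arg' => 'desc'];
$hostile = ['class' => 'SimpleXMLElement', 'arg' => '<x/>'];

echo get_class(loadPreviewSafe($benign)), PHP_EOL;     // a sorter
echo get_class(loadPreviewUnsafe($hostile)), PHP_EOL;  // whatever the client asked for
try {
    loadPreviewSafe($hostile);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                    // rejected
}
```

The instantiation primitive is the defect to look for in review; whether a parse by `SimpleXMLElement` goes on to resolve external entities depends on the libxml version in use and on which parse options the caller can also control, so do not treat a modern libxml default as a fix for code shaped like `loadPreviewUnsafe`.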
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.
The "Social Pug - Easy Social Share Buttons" plugin before 1.2.6 for WordPress allows XSS via the wp-admin/admin.php?page=dpsp-toolkit dpsp_message_class parameter.
Brand damage, loss of productivity, falling stock prices and more contribute to significant business impacts in the wake of a breach.
When it comes to privacy, it's the little things that can lead to big mishaps.
A ruling found that coercing suspects to open their phones using biometrics violates the Fourth and Fifth Amendments.
Law enforcement cannot order individuals to unlock devices using facial or fingerprint scans, a California judge says.
Vendors of smart building hardware issued updates to products without disclosing that vulnerabilities were patched, leading security systems for schools and hospitals to be accessible via the web.
The explosion of consumer-facing online services and applications is making it easier and cheaper for cybercriminals to host malicious content and launch attacks.
One defendant is still facing charges issued in 2015 for a $30 million hacking and securities fraud scheme.
January is off to a running start on the data breach front, while Experian is predicting new attack frontiers ahead.
Bots that can launch hundreds of attacks per second are making account takeover fraud more difficult to defend against.
Multiple hardcoded passwords allow attackers to create badges to gain building entry, access video surveillance feeds, manipulate databases and more.
Researcher to show how attackers can exploit the built-in advanced connectivity functions in some Rockwell PLCs.
Zenbership v107 has CSRF via admin/cp-functions/event-add.php.
Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter.
The landmark decision asserts the same legal protection for biometrics that we're given for passcodes.
Credit card thieves are laundering money by purchasing the in-game currency V-Bucks, then selling it back at a discount to players.
Of the six advisories Intel released last week, the most interesting is a flaw discovered in the company's Software Guard Extensions (SGX).
Abby Fuller got a shock when she logged into WhatsApp using a new telephone number. She found someone else's messages waiting for her.
VOIPO acknowledged that a development server had been accidentally left publicly accessible, and took the server offline.