Banks and merchants are expanding their payment offerings but continue to be wary of the potential fraud risk.
The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.
The simple-share-buttons-adder plugin before 6.0.0 for WordPress has XSS.
Cybersecurity and government leaders discussed why Congress is unprepared for a major cyberattack and how the two parties can collaborate.
Grindr, Romeo, Recon and 3fun were found to expose users' exact locations, just by knowing a user name.
Research presented at DEF CON shows that attackers can hijack Wi-Fi- and Bluetooth-connected speakers to produce damaging sounds.
A U.S. senator is giving the four telecommunications companies until Sept. 4 to outline how they plan to better protect customer data privacy.
A new initiative to pull data from social media platforms may clash with policies prohibiting the use of information for mass surveillance.
Attackers can use vulnerable drivers to escalate privilege and execute malicious code in every part of the system.
Frank Abagnale, the real life inspiration behind the Spielberg hit movie, "Catch Me If You Can" talks to TechRepublic's Karen Roby about cybersecurity, passwords and where executives go wrong.
New technique involves query hijacking to trigger a wide range of memory safety issues within the widely used database engine, Check Point says.
Frank Abagnale, the real life inspiration behind the Spielberg hit, "Catch Me If You Can" talks to TechRepublic's Karen Roby about cybersecurity, passwords and where executives go wrong.
DHS, security experts worry about nation-state or other actors waging a disruptive or other attack on the 2020 election to sow distrust of the election process.
Google Project Zero researcher Maddie Stone has found a new and concerning route for malware to find its way on to Android devices - malicious apps that have been factory pre-installed.
Among the complications: traditional security tools work poorly or not at all in the cloud, and if a company screws up, the whole Internet will know.
Android users can now verify their identity via fingerprint or screen lock, rather than a password, according to a Google Security Blog post.
This year's round-up includes awards into two new categories: most under-hyped research and epic achievement.
Remember that Chrome update that stopped websites from detecting Incognito mode? Well, researchers claim to have found a way around it.
Security researcher Matt Wixey found that many gadgets aren't protected from being turned into hearing-damaging weapons. Or melting.
The 10th anniversary of the US Cyber Command is an opportunity to prepare for unknowns in the rapidly changing cybersecurity landscape.
A vulnerability in British Airways' e-ticketing system could enable a bad actor to view passengers' personal data or change their booking information.
Mice can interpret speech phonemes correctly up to 80% of the time without falling for semantic hoodwinks like humans do.
Many advances in artificial intelligence are innovative and extraordinary, but some are downright creepy. Here are 20 of the eeriest ways people are using, or could use, AI.
Android Q's features will transform some phones into more user-friendly, customizable, and secure environments. Here's what developers, businesses, and users need to know about Google's Android 10.0.
Cybercriminals reportedly stole the information from an exposed MongoDB database on a third-party server.
The mobile banking trojan has a few unusual features and bears watching, researchers said.
The CCPA's provision devoted to 'reasonable' cybersecurity procedures and policies could trip up your business. Get ready now.
The simple-fields plugin before 1.4.11 for WordPress has XSS.
The liveforms plugin before 3.2.0 for WordPress has SQL injection.
The events-manager plugin before 5.5.7 for WordPress has multiple XSS issues.
The events-manager plugin before 5.5.7.1 for WordPress has DOM XSS.
The events-manager plugin before 5.6 for WordPress has code injection.
The events-manager plugin before 5.6 for WordPress has XSS.
The download-monitor plugin before 1.7.1 for WordPress has XSS related to add_query_arg.
The contact-form-plugin plugin before 3.96 for WordPress has XSS.
The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPress has XSS in add_query_arg and remove_query_arg function instances.
The all-in-one-wp-security-and-firewall plugin before 3.9.8 for WordPress has XSS in the unlock request feature.
The contact-form-plugin plugin before 3.52 for WordPress has XSS.
The job-manager plugin before 0.7.19 for WordPress has multiple XSS issues.
Mutually Agreed Norms for Routing Security (MANRS) lets network operators and the public view online router incidents worldwide.
If you deploy Docker containers based on an official image, you might want to set a root password for heightened security.
The Centre for Information Policy Leadership issued a lengthy white paper last week highlighting challenges and recommendations around standard contractual clauses (SCCs) for international data transfers.
Patched critical flaws in Adobe's Photoshop CC photo editing application enable arbitrary code execution.
The intellectual property acquired will add to Barracuda's bot-detection capabilities.
The flaws allow remote code-execution without user interaction or authentication, and are highly exploitable.
Similar to the now-patched 'BlueKeep' vulnerability, two flaws fixed today could let malware spread across vulnerable computers.
On average, US organizations took nearly five months to fix critical vulnerabilities according to WhiteHat Security's annual vulnerability report.
A new study explores the connections between personality traits and susceptibility to different cyberattacks.
Industry observers applaud the program's ability to find exploits but fear unintended consequences.
handle_messages in eXtl_tls.c in eXosip before 5.0.0 mishandles a negative value in a content-length header.
A recent, highly targeted attack on cryptocurrency exchange Coinbase offers a glimpse into how sophisticated phishing attacks can be.
As threats continue to evolve and cybercriminals become more sophisticated, organizations that lack a mature security awareness and training program place themselves at serious risk.
"They come in with guns, bro. They literally pulled up, holy sh*t."
Scammers are profiting from TikTok's younger audience with adult dating and account impersonation tricks.
A new XMRig Monero cryptominer stands apart, despite its non-flashy name.
Microsoft's Patch Tuesday brought some bad news yesterday: more wormable RDP vulnerabilities, this time affecting Windows 10 users.
Hundreds of contractors reportedly were hired to transcribe Messenger voice chats in order to test the accuracy of an AI algorithm -- raising questions about what Facebook does with the data.
With faster application deployment comes increased security considerations.
So much for trusting the Tor network to hide their tracks.
The education sector is difficult to defend against malware because of the large number of outside devices connecting as guests on school networks, according to a Malwarebytes report.
Bug submission program uses the SecureDrop platform to ensure anonymity.
Overall, Intel stomped out three high-severity vulnerabilities and five medium-severity flaws.
Thousands of organizations, including banks, governments, and the UK Metropolitan Police, use the biometric security tool to authenticate users.
The wp-fastest-cache plugin before 0.8.4.9 for WordPress has SQL injection in wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request via the poll_id parameter.
The newstatpress plugin before 1.0.1 for WordPress has SQL injection.
The newstatpress plugin before 1.0.4 for WordPress has XSS related to the Referer header.
The newstatpress plugin before 1.0.5 for WordPress has SQL injection related to an IMG element.
The newstatpress plugin before 1.0.5 for WordPress has XSS related to an IMG element.
The newstatpress plugin before 1.0.6 for WordPress has reflected XSS.
A new lawsuit says that GitHub bears responsibility for the Capital One breach because it actively encourages hacking and stored stolen data.
Cybercriminals are initiating more attacks using low-bandwidth techniques, but the tactics expand the gray area between DDoS attacks and popular methods of mass scanning.
A bug in an obscure legacy Windows protocol can lead to serious real-world privilege-escalation attacks.
The notebook maker is warning users of three separate vulnerabilities.
Microsoft is urging users to patch a series of critical, BlueKeep-like vulnerabilities in Windows that could be used to spread malware.
Far too often, there's a new breach in the headlines. Companies need to start learning some obvious lessons.
The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPress has multiple SQL injection issues.
The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit category feature.
The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit map feature.
The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit location feature.
The simple-fields plugin before 1.2 for WordPress has CSRF in the admin interface.
A publicly accessible database exposed the fingerprints and facial recognition information of millions, thrusting biometrics security into the spotlight once again.
Organizations should update to latest build as soon as possible, security vendor says.
Researchers see the rise of new relationships and attack techniques as criminals put companies' resilience to the test.
Criminals are using the tools intended to protect consumers to attack them through techniques that are becoming more successful with each passing month.
Facebook says it's paused the practice of collecting voice clips and sending them to employees to transcribe and analyze.
When users of hacking forums turn on each other, expect things to get messy quickly.
The vanity plate sounded good in theory: maybe it would make his plate invisible to ALPR systems?!
There are many ways to compromise company data, but IT teams often overlook one of the most serious: the humble printer.
Email takeover and lateral phishing attacks are a growing threat to enterprises, according to a Barracuda report.
Episode 4 of the Naked Security Podcast is now live! This week host Anna Brading is joined by Paul Ducklin and Matt Boddy. They discuss how iPhone vulnerabilities have changed Apple's attitude towards cybersecurity researchers [3'50"], the latest twist in romance scams where crooks are recruiting money mules via dating sites [12'43"], and malware in […]
More businesses are recognizing the need for cyber insurance as part of an overall security strategy. Here are some key points to consider when evaluating, purchasing, and relying on a policy.
Cloud computing is a boon for innovation, yet security organizations find themselves running into obstacles.
The old-school technology is experiencing new popularity, but too many people assume mainframes are inherently secure.
Breaches happen--even with 2-factor authentication. Learn how to protect your organization from security breaches.
More than 3,800 data breaches have hit organizations in 2019, according to Risk Based Security.
The bug's in Firefox, but our advice is worth reading whether you use Firefox or not.
Researchers said that clickjacking is a threat that's evolving, with new tactics just starting to emerge.
IBM's Wendi Whitmore offers advice about how to defend against and respond to data breaches.
6kbbs 7.1 and 8.0 allows CSRF via portalchannel_ajax.php (id or code parameter) or admin.php (fileids parameter).
IBM's Wendi Whitmore explains why a data breach isn't a one-time cost and recommends cost-saving tips, which include having access to an incident response team.
700,000 customer records were exposed after being housed on a vendor's server that lacked appropriate security.
The majority of organizations surveyed find red team exercises more effective than blue team testing, research shows.
Logging into an AWS instance with SSH doesn't have to be a challenge.
IBM's Christopher Scott discusses malware, how cyberattackers get into environments, and why using multifactor authentication is crucial if you use an online service.
Companies will never be 100% immune to cyberattacks. But by having a realistic view of the basics, starting with endpoint vulnerabilities, we can build for a safer future.
Up to 24 Apache Struts Security Advisories listed the wrong versions that were impacted by vulnerabilities, researchers warn.
May's massive breach at First American Financial Corp. exposed 885 million records. Now the company is drawing the attention of regulators, curious if any laws were broken.
The savvy technique of avoiding malicious links in the email allowed the phishing attack to reach its targets.
Eight vulnerabilities were found in HTTP/2 server implementations from Amazon, Apple, Microsoft and Apache.
Students continue to be weak links for schools and universities, according to data from security firm Malwarebytes.
NSA researchers took the Black Hat stage to share details of how they developed and released the software reverse-engineering framework.
But incidents involving SSNs, addresses, birth dates were smaller than in previous years.
Microsoft may have been caught red-handed letting contractors listen to sensitive conversations with its AI, but that doesn't mean it's going to stop.
He called in bomb hoaxes days after the Manchester Arena murders, DDoSed police sites when they investigated him, then taunted via Twitter.
It's more of a "post-purchase middle finger" to customers than a privacy plus, say some outraged users who use the cams to catch crooks.
Phishing, token codes, training, MFA, polluted data entry, and whales. And the winners are ...
Watch the latest Naked Security Live video for our non-technical tips to improve your online safety, whichever type of phone you prefer.
ICS Village co-founder Bryson Bort reveals plans for research-dedicated events that team independent researchers, critical infrastructure owners, and government specialists.
The website was infected with malware that stole information on subscribers to a bank newsletter.
Software developers are a target for phishers, a hotel chain breach, and a bank hit by malware - catch up on the week's news with this recap!
At Black Hat USA, Project Zero's team lead shared details of projects it has accomplished and its influence on the security community.
Password Checkup data shows some users still reuse their exposed passwords.
From the biometrics of one million being exposed, to new Microsoft Bluekeep threats, Threatpost discusses the top news of the week.
More than 300,000 users still utilize credentials that have been compromised - with people visiting video streaming and porn sites most at fault, Google found in a new study.
Using the Windows Management Infrastructure framework, Windows admins can create filters that apply GPOs in creative ways to provide more granularity over system management in Active Directory.
The number of exposed records has hit record highs in just the first two quarters.
It's been around forever, but in a modern digital era marked by influence campaigns and deep fakes, information warfare has become much easier to carry out.
The i-recommend-this plugin before 3.7.3 for WordPress has SQL injection.
From Microsoft patches to Android malware on brand new phones, and everything in between. Catch up with all the stories we wrote last week - it's weekly roundup time.
Researchers found that 24 security advisories inaccurately listed affected versions for the open-source development framework.
Even though Facebook protected employees, it failed to fix the vulnerability or to protect most users, a court filing charges.
Netflix has identified several denial of service (DoS) flaws in HTTP/2, a popular network protocol that underpins large parts of the web. Exploiting them could bring servers grinding to a halt.
As employees grow more comfortable using new technologies, they could inadvertently be putting their enterprises at risk. And that leaves security teams having to defend an ever-expanding attack surface.
The macOS content cache service's default configurations aren't one-size-fits-all. Learn how to use Apple's advanced configurations to adapt to any enterprise network.
Researchers say that the targeted ransomware cyberattack on 23 Texas local and state entities represents a shift from "attacks of opportunity" to more targeted, malicious attacks.
It's time to move past trivial 'shift left' conceptions of DevSecOps and take a hard look at how security work actually gets accomplished.
A coordinated ransomware attack that hit 23 local Texas governments encrypts files and appends a .JSE extension. Here's how to prevent an attack.
Learn about the Florida Information Protection Act of 2014 (FIPA) in Data Protection 101, our series on the fundamentals of data security.
While the score was up for large businesses and down for small firms, the report urges all to prioritize third-party risk management.
A new analysis shows the scale of risk posed by networking vulnerabilities in a popular embedded real-time operating system.
Eight vulnerabilities would allow a range of attacker activities, including taking the Nest camera offline, sniffing out network information and device hijacking.
The state government and cybersecurity groups have mobilized to respond to a mass ransomware attack that simultaneously hit 23 different towns statewide.
A detailed look at underground forums shows that cybercriminals aren't sure where to look on the heels of the GandCrab ransomware group shutting its doors - and low-level actors are taking advantage of that by developing their own strains.
The phone company has sued the startup for copyright infringement.
VideoLAN has released an updated version of its VLC Player to fix over a dozen bugs.
Social media giant also launches invitation-only bug bounty program for 'Checkout on Instagram'.
New Harris Poll survey says most will weigh candidates' cybersecurity positions.
So many software vulnerabilities, so little time. But failure to patch them can have serious consequences. Here's help for overwhelmed security teams.
Payment card giant creates a 'cyber fraud system' to thwart transaction abuse.
Financial institutions interacting with customers online must prepare for a broader, more sophisticated variety of threats.
A phishing campaign targeting utility grid operators uses a PDF attachment to deliver spyware.
Apple accidentally re-introduced a vulnerability in its latest operating system, iOS 12.4, that had been previously fixed in iOS 12.3.
Let's begin by re-evaluating IT infrastructures to determine who has access to what, why, and when.
Here's an interesting phishing trick. It's a way for crooks to get lots of customised web links without doing any programming.
The Better Business Bureau reports that scammers have worked out how to game search results for company customer support telephone numbers.
If you were told that the password you had just entered was known to have been compromised in a data breach, what would you do?
Programmers call it "regression" - when fixing a new bug unfixes an old one - and it's a jailbreaker's dream!
The user-domain-whitelist plugin before 1.5 for WordPress has CSRF.
The user-access-manager plugin before 1.2 for WordPress has CSRF.
Con man turned Leonardo DiCaprio movie character turned cybersecurity expert, Frank Abagnale, talks with TechRepublic's Karen Roby about the steps people can take to protect their identity.
Federal lawmakers are looking for answers from educational technology companies on how they collect and process student data.
With cloud misconfigurations rampant in cloud storage and IaaS environments, adding security layers to identify them is crucial for securing sensitive data.
Attackers are taking aim at Fortnite's global community of 250 million gamers.
Microsoft released the beta of its new Chromium-based Edge - and it is offering rewards of up to $30,000 for researchers to hunt out vulnerabilities in the browser.
Newest version of iOS contains a critical bug that the company had previously already patched.
Engineering teams have only a certain amount of capacity. Cutting down the volume of rework inherent in the open source business model begins with three best practices.
The list of vulnerabilities recently discovered by researchers relate to one model, the Nest Cam IQ Indoor camera.
On August 16, Texas local government became the latest victim of the expanding global racket that is ransomware.
Small organizations still face a long list of security threats. These threats and vulnerabilities should be top of mind.
Captured through malware and sold on the Dark Web, the "digital fingerprints" of your web browsing can be used to impersonate your identity online, as described in a new report from IntSights.
The Microsoft Edge browser was released in beta, and the tech giant is running a bug bounty program for researchers to find major vulnerabilities.
Follow these steps to make sure your Microsoft Account is safe and protected.
There's no privacy Armageddon coming "TOMORROW!" If there was, you couldn't copy and paste your way out of it!
The personal email addresses - some indicating user names or government official status - of more than a million pornography website users were exposed.
Companies phone enterprise customer data home securely and for a variety of perfectly legitimate and useful reasons. The problems stem from insufficient disclosure.
Webcams are older than you think - but the oldest one still running won't be around much longer.
The shortcode-factory plugin before 1.1.1 for WordPress has XSS via add_query_arg.
More chief information security officers are modifying their security strategy from one of prevention to one of detection and response, according to a Forbes Insights report released Wednesday.
Backdoor was intentionally planted in 2018 and found during the DEF CON 2019 security conference when researchers stumbled upon malicious code.
Once used only by nation-state attackers, automated active attacks have gone mainstream and allow the average cyber-criminal to gain entry and engage in malfeasance, says Chet Wisniewski, Principal Research scientist with Sophos. Luckily, organizations are getting smarter at spotting these stealthy, customized attacks earlier than they used to.
The Linux Foundation plans to form a community to "define and accelerate" the adoption of confidential computing.
Cancer research is a particular target among Chinese espionage groups, says security firm FireEye.
Six bugs found in Cisco's Unified Computing System gear and its 220 Series Smart switches can allow unauthenticated remote hackers to take over equipment.
Ransomware masquerading as game "cheats" is hitting Fortnite players. Fortunately, there are ways to recover without paying a ransom.
Healthcare organizations in New York need to be aware of a newly implemented protocol, effective immediately, when it comes to reporting a potential cybersecurity incident to the New York Department of Health.
Security researchers worry that this weekend's coordinated attacks on more than 20 Texas governments mark a change in how ransomware attacks will be launched in the future.
New controls and threat detection capabilities built into Box aim to prevent accidental data leakage and misuse.
While many infosec pros believe they're getting managed detection and response (MDR) from their managed security service providers, that's not necessarily the case, according to Eldon Sprickerhoff, Founder and Chief Innovation Officer of eSentire. Adding machine learning to the mix helps automate MDR, strengthening an organization's security posture.
The profile-builder plugin before 1.1.66 for WordPress has multiple XSS issues in forms.
The duplicate-post plugin before 2.6 for WordPress has SQL injection.
The duplicate-post plugin before 2.6 for WordPress has XSS.
The cforms2 plugin before 13.2 for WordPress has XSS in lib_ajax.php.
The formbuilder plugin before 0.9.1 for WordPress has XSS via a Referer header.
The count-per-day plugin before 3.2.3 for WordPress has XSS via search words.
After Valve banned him from its bug bounty program, a researcher has found a second zero-day vulnerability affecting the Steam gaming client.
Deal will yield 'one platform that can monitor the entire enterprise application lifecycle,' Splunk CEO says.
Over the past year, the financial damage linked to the Russian-speaking threat group has spiked fivefold, Group-IB says.
No major incidents mixed with continuing gaps in implementation paint an improving, but still muddy, picture of cybersecurity in the federal government.
The hacking group, which specialises in stealing from banks, has been spreading its coverage and becoming more sophisticated.
Tens of thousands of records with financial data were left in plaintext in a database that wasn't protected with a password.
Microsoft has found itself with a large amount of RDP-related patching work during 2019.
The new feature "disconnects," but doesn't delete, your browsing history. Facebook will still use it for analytics.
Episode 5 of the Naked Security Podcast is now live - listen now!
Figuring that out actually begins with a broader question.
While security pros once rallied around end-device management as their organizing principle, that approach is being subsumed by asset management, according to Dean Sysman, CEO and Co-Founder of Axonius. Device management becomes a subset of asset management, as organizations create a hierarchy to protect what's most valuable to them, he adds.
Microsoft, PayPal, and Facebook are the top brands hackers attempt to copy in phishing attacks, according to Vade Secure.
The app purported to stream music - but actually siphoned victims' device contacts and files.
The contact-form-plugin plugin before 3.3.5 for WordPress has XSS.
The events-manager plugin before 5.3.6.1 for WordPress has XSS via the booking form and admin areas.
To take control over your company's security, identify and understand the biggest identity and access management challenges facing IT teams today and start addressing them.
The events-manager plugin before 5.3.9 for WordPress has XSS in the search form field.
The events-manager plugin before 5.5 for WordPress has XSS via EM_Ticket::get_post.
The events-manager plugin before 5.5.2 for WordPress has XSS in the booking form.
The events-manager plugin before 5.1.7 for WordPress has XSS via JSON call links.
The google-analyticator plugin before 5.2.1 for WordPress has insufficient HTML sanitization for Google Analytics API text.
Eschewing the either-or approach with machine learning, security operations centers must learn to identify and exploit the best of both approaches according to Secureworks' Tim Vidas and Nash Borges. Taken together, human and machine intelligence can be a force multiplier against human cyber adversaries, they say.
A lack of visibility into the app could expose business users to compliance risks and security threats, the company says.
The memphis-documents-library plugin before 3.0 for WordPress has XSS via $_REQUEST.
The memphis-documents-library plugin before 3.0 for WordPress has Local File Inclusion.
The memphis-documents-library plugin before 3.0 for WordPress has Remote File Inclusion.
Willie Sutton and mobile attackers have much in common -- but defenses have evolved since the famous bank robber had his heyday.
The reflex-gallery plugin before 1.4.3 for WordPress has XSS.
The tubepress plugin before 1.6.5 for WordPress has XSS.
Their struggles underscore the difficulties for small towns in dealing with cyberattacks.
A recent blog post explains how the social network is fighting to protect its users from interactions with fake accounts.
Another month is here, and Android finds itself with a mixture of critical and high vulnerabilities.
Gone are the days when users could take refuge from Windows threats with Apple devices, as malware writers are exploiting OSX and iOS with real vigor, says Mark Dufresne, VP of R&D at Endgame. And though it's taken a while, Mac security has achieved parity with Windows so that Apple users need no longer settle for "protected enough."
GDPR, CCPA, PIPEDA. Privacy legislation is constantly changing these days. We asked 26 business leaders, security pros, and attorneys how to best stay ahead of changing privacy laws.
Comparative research shows the relative strengths and weaknesses of five TIG vendors and which kinds of security organization will reap the most benefit.
Better known for their essential role in networking, Domain Name Servers should be tapped as a means to identify - and shut down - suspicious or destructive activity, according to Anthony James, VP of Marketing for Infoblox. He also explains how to combine DNS with DHCP and IP address management to improve an organization's security.
Google introduced a new initiative that it hopes will fight shady online advertising practices such as digital fingerprinting.
Microsoft has given audio clips to contractors for years, but it says it recently stopped. ... For the most part.
The rich-counter plugin before 1.2.0 for WordPress has JavaScript injection via a User-Agent header.
The cforms2 plugin before 10.2 for WordPress has XSS.
The wp-support-plus-responsive-ticket-system plugin before 4.1 for WordPress has JavaScript injection.
The wp-support-plus-responsive-ticket-system plugin before 4.2 for WordPress has directory traversal.
The wp-support-plus-responsive-ticket-system plugin before 4.2 for WordPress has incorrect authentication.
The wp-support-plus-responsive-ticket-system plugin before 4.2 for WordPress has full path disclosure.
The wp-support-plus-responsive-ticket-system plugin before 4.2 for WordPress has SQL injection.
Microsoft remains the favorite brand to spoof in phishing campaigns, but more attackers are impersonating Facebook.
Bad actors move faster than threat intelligence feeds and the infosec pros who monitor them, notes Joakim Kennedy, Threat Intel Manager for Anomali Research. Organizations need to establish a dedicated team to manage threat intel, and an adequate budget. Kennedy also encourages intelligence sharing as part of a stepped-up protection strategy.
Some aviation experts and security researchers are trying to foster closer alliances for securing airplane networks.
Employees at Portland Public Schools were breathing easier this week after thwarting a business email compromise (BEC) scam that could have cost them almost $3m.
The wp-live-chat-support plugin before 4.1.0 for WordPress has JavaScript injections.
The feature-comments plugin before 1.2.5 for WordPress has CSRF for featuring or burying a comment.
The slidedeck2 plugin before 2.3.5 for WordPress has file inclusion.
As the CIO for both Formula 1 and NASCAR racing teams, Gary Foote is tackling the same security issues as other manufacturing CIOs -- with a huge dash of motorized mayhem thrown in.
Criminals appear to have developed it knowing some users have not patched or updated to newer versions, Trend Micro says.
Against the backdrop of consolidation in the SIEM and SOAR sectors, infosec professionals are deploying some combination of analytics and security, according to Haiyan Song, Senior Vice President & General Manager of Security Markets for Splunk. Analytics helps organizations make better decisions and detect anomalies faster, she adds.
From BYOD and social media to ergonomics and encryption, TechRepublic has dozens of ready-made, downloadable IT policy templates.
Social engineering remains the top vulnerability organizations face because humans remain the easiest way to access networks or databases, says Stu Sjouwerman, Founder and CEO of KnowBe4. Regular training sessions coupled with creation of a "human firewall" remain the most effective protections against social engineering and phishing, he adds.
End-user organizations have their security management tools, but so do cloud service providers, and that forces some hard questions about whose tools will be used to keep everything locked down, says Jesse Rothstein, CTO and Co-Founder of ExtraHop. And he makes the case that better data hygiene can help decrease the chances of a breach.
Cisco just issued some urgent patching homework in the form of 31 security fixes, 4 of them for flaws rated "critical".
Creativity flowed, but two captions rose to the top.
Multiple celebs fell for this one. Don't believe them - it's as much as a hoax as it's always been.
Using the new Native File System API, web apps would be able to read and save files, as well as gather info on files stored on your device.
Lots of re-used code, cost pressures and long lead times for application software all lead to porous security where application software is concerned, says Chris Eng, Chief Research Officer for Veracode. But an emerging role he calls a "security champion" can help circumvent those problems and make apps safer for everyone.
The overall number of reported vulnerabilities in the first half of 2019 has dropped slightly from last year, but risks remain high, according to Risk Based Security.
The following hardware and software options will amplify your know-how about artificial intelligence and how to apply it to security - without busting any budgets.
If the phishing page looks OK, and it has an HTTPS padlock, how are you supposed to spot phishes these days? Read our tips...
Enterprises must regularly validate their security efficacy based on real-time conditions, not compliance criteria, says John Weinschenk, General manager, Enterprise Network and Application Security of Spirent. That sort of testing returns actionable data to tune devices, update policies, and fortify defenses before they are compromised, he adds.
Knowing the methods of the attacker, as laid out in the federal indictment, allows us to prevent similar attacks.
Virtual machine giant's big cloud move includes plans to shell out $2.7 billion in stock transactions for Pivotal Software.
Security researchers at Pen Test Partners have found a privilege escalation flaw in the much-maligned Lenovo Solution Center software.
Containers, virtual machines, and the advent of DevOps as a software creation tool all put new pressures on organizations' security strength, according to Dan Hubbard, CEO of Lacework. Cloud's ability to offer scale, capacity, and processing power may even exacerbate the vulnerabilities unless properly managed, he adds.
From a backdoor placed in the Webmin utility to vulnerability disclosure drama around zero-days in Valve's Steam gaming clients, Threatpost breaks down this week's top stories.
A group of mostly Nigerian nationals attempted to steal $46 million through business email compromise and romance scams, the FBI reports.
News on how Texas is handling a rash of ransomware attacks, Sweden issues its first GDPR fine, and more - catch up on the news of the week in this wrap up!
Techniques too tough for quantum computing solutions will be part of public cloud and tape storage encryption.
Qualys's Chairman and CEO, Philippe Courtot talks about changes in the security landscape he's witnessed during the company's 20-year lifespan, as well as what motivated the vendor to give away its Global IT Asset Discovery and Inventory app for free.
Researchers warn users of several plugins to update as vulnerabilities are being actively exploited to redirect website visitor traffic.
Ransomware writers are now targeting cloud service providers with network file encryption attacks as a way to hold hostage the maximum number of customers that they can, notes Chris Morales, head of security analytics for Vectra. He also discusses Vectra's new ransomware report, which offers tips for protecting against virtual hostage taking.
By 2021, cybercrime is projected to cost the global economy more than $6 million in damages, according to an Arkose Labs report.
It's not time to move to post-quantum cryptography yet -- too many things are still up in the air. But you can start to become prepared by making sure your infrastructure is agile.
A spoofed IRS.gov link leads victims to a fraudulent Web page where they are prompted to download malware.
Frank Abagnale, the inspiration behind the hit movie, Catch Me If You Can, talks with TechRepublic's Karen Roby about the dangers of social media posts.
Hostinger said that unauthorized access to an internal API server exposed hashed passwords of 14 million customers.
Reassembly of fragmented packets can potentially be exploited against cloud-hosted virtual machine services.
Fraudsters are using social media to spam, steal information, spread propaganda and execute social-engineering campaigns.
The emails are well-crafted and extremely convincing.
A breach at the popular payment card vendor last week mostly involved data of Germans belonging to a loyalty program.
Apple has released an emergency patch in iOS 12.4.1 that addresses a vulnerability that opened iPhones to jailbreaks.
What's definitely not working with end-user cybersecurity awareness training - and what you can do about it.
The latest on the number of attacks, types of attacks, and threats to enterprises' most critical IT infrastructure.
According to the indictments, the accused impersonated government officials when they demanded money from their victims.
Overall, account registrations for tech companies are four times more likely to be malicious than legitimate, a new report states.
iOS version 12.4.1 fixes the "use after free" vulnerability.
From Chrome users ignoring password warnings to the jailbreaking iOS update, and everything in between. It's weekly roundup time.
Prolific phishing scammer Grant West has been sentenced to 10 years, 8 months, and reimbursement for victims.
Millions of customers of web hosting company Hostinger have received emails bearing the bad news of a data breach.
GitHub is the latest company to support WebAuthn, a new standard that makes logging into online services using a browser more secure.
A new threat group has been discovered targeting Middle Eastern critical infrastructure firms with spearphishing emails laced with malware.
Security options for consumers improve as Internet of Things devices invade homes and data on consumers proliferates online.
A recent survey from security and fraud analytics provider Gurucul shows that some employees would take company info to get a better job with another company.
As new Internet of Things products enter the market, speed shouldn't trump concerns about security.
As recent news can attest, travel and hospitality companies are prime targets for cybercriminals. Here are six privacy and security tips that can help lock down privacy and security.
The cp-polls plugin before 1.0.1 for WordPress has XSS in the votes list.
The issue impacts users of the vendor's Cloud WAF product.
Of all of the ransomware variants spotted targeting victims in the first half of 2019, the infamous WannaCry was by far the most prevalent, according to Trend Micro's detection data.
Adding more security tools might add more security... or just more headaches (and risk).
Seemingly handy PDF and OCR app turns out to be a privacy horror show.
A report Monday confirmed that the U.S. government is concerned about foreign hackers, and especially ransomware, when it comes to manipulating voter databases ahead of next year's election.
A round of phishing emails purports to be from job seekers - but actually uses a slew of detection evasion tactics to download malware on victim systems.
Researchers report Lyceum, otherwise known as Hexane, has targeted organizations in South Africa and the Middle East.
Its goal is to accelerate delivery of third-party apps that add on to and extend the company's Falcon cloud-hosted services.
A subset of customers for the company's Incapsula web application firewall had their email addresses, hashed/salted passwords, and more open to unauthorized access, Imperva announced.
It won't be long before we consider embodied AI as a form of "life" - and that will have a variety of paradigm-shifting, somewhat irritating, and potentially hilarious impacts on the daily lives of cybersecurity and privacy professionals.
Most attacks are from botnets. The goals: spreading spam, stealing data, spreading propaganda, and social-engineering consumers for profit.
It's semi-official: Android 10 (née Q), the next version of the Android operating system, could start shipping 3 September.
The $6m scam targeted women worldwide and victimized more than a dozen companies.
You never know what those late-night infomercials are going to turn up.
Mainly motorsports and luxury apparel sites, all of them were running outdated versions of the Magento eCommerce platform.
In a new report, McAfee Labs said cybercriminals were focusing in on attacking weak IoT devices and extracting huge troves of data from large companies.
The franchises behind sporting events are frequently open to significant cybersecurity threats. TechRepublic's Karen Roby spoke with a security expert about the unique challenges facing athletic organizations.
The franchises behind sporting events are frequently open to cybersecurity threats. TechRepublic's Karen Roby spoke with a security expert about the unique challenges facing athletic organizations.
Law enforcement takedown causes Retadup malware to eat itself.
The sharebar plugin before 1.2.2 for WordPress has SQL injection.
The sharebar plugin before 1.2.2 for WordPress has XSS, a different issue than CVE-2013-3491.
The redirection plugin before 2.2.12 for WordPress has XSS, a different issue than CVE-2011-4562.
The redirection plugin before 2.2.9 for WordPress has XSS in the admin menu, a different issue than CVE-2011-4562.
Security has lagged behind adoption of the Internet of Things. The devices hold much promise, but only if a comprehensive security model is constructed.
An analysis of threat techniques used by Silence Group, Goblin Panda and Zegost, which can help construct effective defenses.
With iOS 13 nearing release, Apple users perhaps thought they were done with iOS 12 updates for good. If so, they were wrong.
The bug could enable remote code-execution, information-siphoning or denial-of-service attacks.
SMBs may recognize the importance of cybersecurity, but they fail to prioritize it, according to Untangle.
More than 70 state and local governments were infected with ransomware in 2019, as targeted ransomware makes a comeback.
CamScanner, a legitimate app used to scan and manage documents, was found executing payloads on Android devices.
Apple's "grading" process, which listens to Siri voice recordings, will now be in-house and has an option for users to opt out.
Ransomware, SQL injection attacks, and cross-site scripting are also serious cybersecurity risks for banks and brokerage firms, according to a new study.
Fuzzing is one of the basic tools in a researcher's arsenal. Here are the things you should know about this security research foundational tool.
An analysis of a sample published by the US government shows Russian espionage group APT28, also known as Fancy Bear, has stripped down its initial infector in an attempt to defeat ML-based defenses.
"All of us are free to move from job to job," David L. Anderson, a United States attorney, said of the case. "What we cannot do is stuff our pockets on the way out the door."
A new malicious campaign seeks cell account PINs from victims.
TrickBot malware targets users of the U.S. mobile carriers Verizon, T-Mobile and Sprint via web injects to steal their PIN codes, enabling SIM swapping attacks.
TechRepublic Premium content helps you solve your toughest IT issues and jumpstart your career or next project.
In 2.5 hours of research, one security expert uncovered more than 80 actively compromised ecommerce websites.
The password-recovery mechanism once again puts users of the photo- and video-sharing platform at risk.
Multiple actors in multiple campaigns are using the web shell for remote access, even though it's almost a decade old and hasn't been updated.
Make sure you're not deploying containers based on vulnerable images by scanning those images with Harbor.
EU data watchdogs are yet again sniffing at Windows 10.
A video that shows an electronic machine switching voters' selections has gone viral, underscoring the need for paper audit trails.
How criminals have adapted to develop the next generation of dark markets and operations.
The number of worldwide phishing attacks detected by Kaspersky hit 129.9 million during the second quarter of 2019, according to a new report from the security vendor.
The majority of security operations center professionals said the job is now simply about reducing alert investigation time or the volume of alerts.
CVE-2019-12643 has been given the highest possible severity rating.
The email-newsletter plugin through 20.15 for WordPress has SQL injection.
More than a decade after hitting the headlines, clickjacking fraud remains an under-reported hazard on hundreds of popular websites.
To facilitate the innovative use of data and unlock the benefits of new technologies, we need privacy not just in the books but also on the ground.
New podcast episode available now!
If you're serious about privacy, don't allow Firefox to save and autofill your addresses.
Enabling responsible vulnerability disclosure programs protects companies and hackers in their endeavor to squash software bugs.
In an open letter, the Mozilla Foundation and EFF scolded Venmo for its data privacy policies, which they say could open the door to stalking and spear-phishing.
ARES has already infected thousands of devices and is growing, IoT security firm says.
Managed Service for Microsoft Active Directory was built to help admins handle cloud-based workloads.
The average payout for a critical vulnerability has almost reached $3,400, but only the top bug hunters of a field of 500,000 are truly profiting.
The company is significantly expanding the bug-bounty program for Google Play and starting a program aimed at user data protection.
Google is looking to battle the malicious apps - and apps abusing user data - on Google Play by improving its bug-bounty program arsenal.
The past few years have seen several states in the U.S. adopt, or look to adopt, biometric privacy legislation that dictates what type of facial, fingerprint, or retinal data organizations can collect, use, and store.
Security expert Charity Wright discusses the Dark Web in Russia, how the Dark Web is being used in Vietnam for anonymity from the government, China's surveillance efforts, and more.
An operation involving French law enforcement, the FBI, and Avast forces Retadup to delete itself from victim machines.
The group is using the More_eggs JScript backdoor to anchor its attack.
TGI Fridays Australia restaurant chain warns loyalty reward program members of an exposed data incident.
TechRepublic member sagilbert47201 has discovered their VMware backup server is infected with ransomware. Can you help this TechRepublic member recover their data?
Google is patching a serious bug in the desktop version of its Chrome browser that could let an attacker take over a computer simply by luring them to a website.
Apple is turning off automatic review of Siri audio and locking it down so that only Apple employees get to listen to it.
It won't happen again, Facebook told senators who wondered how well it's handling kids' privacy in the chat app abhorred by kids advocates.
Apple recommits to privacy with Siri, news on a bug bounty program for the DHS, plus the IRS warns of a new phishing attack - catch up on the week's news with the Friday Five.
Production systems aren't supposed to have the ADB turned on, but some set-top boxes do.
Stolen fingerprints, fake hands, voice synthetization, and other nefarious techniques show biometrics has plenty of challenges.
From new ransomware attacks to privacy issues around Venmo and Ring, Threatpost editors break down the top news of this week.
Three steps for relieving the pressure of picking the right tools.
Compromised iPhones were turned into surveillance tools capable of recording the owner's entire digital life.
Practical steps municipal governments can take to better prevent and respond to ransomware infections.
John Yeoh explains how CSA works with organizations on various aspects of cloud security to identify top risks, assess cloud service providers, establish baseline controls, and build best practices.
Many SOC analysts are starting to shut off high-alert features to keep pace with the volume, new study shows.
Up to 25 percent of valid vulnerabilities found in bug bounty programs are classified as being of high or critical severity.
A new, highly capable spyware payload can monitor everything in a person's digital life.
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2014. Notes: none.
A group of hacked websites has been silently compromising fully patched iPhones for at least two years, Project Zero reports.
As more people keep their smartphones for longer, the survey found that most companies are failing to update older versions.
Deleting users on a Linux server should be handled with this best practice.
Track suspicious login attempts on Nextcloud with the help of a simple app.
The recently discovered campaign sends stolen data out of the network as part of a DNS query.
Twitter CEO Jack Dorsey's Twitter account was, apparently, hijacked for roughly 20 minutes and used for racist rant.
Twitter founder and CEO Jack Dorsey's Twitter account was compromised.
From a system-controlling Chrome bug to the charging of 80 romance scammers - and everything in between. It's weekly roundup time.
The former software engineer allegedly created scanners to look for misconfigured servers rented from a cloud computing company.
Google's going to throw more bug bounty money at the problem of nasty apps in its Play Store, it announced on Thursday. In a post from the Android Security & Privacy team's Adam Bacchus, Sebastian Porst, and Patrick Mutchler, the company said that it's throwing the security net over not just its own apps, but […]
Implementing game mechanics and competition into the mix can incentivize employees to improve their cybersecurity posture.
How information sharing and analysis centers provide contextual threat information by creating communities that help security professionals and their organizations grow in maturity and capability.
A malvertising campaign has evolved to give hackers control of entire sites.
How did the Correct Horse Battery get Stapled?
FBI agents issued Google with a warrant in November 2018, seeking its help with a bank robbery the month before.
Fast trip: in two days, it debuted, shot to the top of China's App Store, sparked privacy outrage, and got banned by WeChat.
Trivial-to-exploit authentication flaws can give an unsophisticated remote attacker 'omnipotent' control over a server and its contents.
A sophisticated and sustained watering hole attack affecting iPhones may have targeted Windows and Android too.
International cosmetics brand Yves Rocher found itself caught in a third-party data exposure incident that leaked the personal information of millions of customers.
Frank Abagnale, the real life subject of the movie Catch Me If You Can, shares his views on blockchain, passwords, and cryptocurrency.
Cybersecurity attacks can cripple small businesses that aren't prepared. TechRepublic's Karen Roby talks with a security expert about ransomware, phishing attacks, and inadequate IT defense plans.
An engineer recruited by the Dutch intelligence agency AIVD helped bring to Iran's Natanz nuclear facility the malware via USB that ultimately infected systems there and sabotaged centrifuges, according to an exclusive report from Yahoo News.
An ongoing attack on websites has added new exploits and an administrative backdoor to its bag of tricks.
The two-factor-authentication plugin before 1.1.10 for WordPress has XSS in the admin area.
The common thread: Each acts as a force multiplier, adding value to every other security technology around it.
As the number of vulnerabilities hits a historic high, battle-worn security teams are upping their patching game.
Mozilla's newest Firefox iteration also offers new fixes for critical and high-severity vulnerabilities.
The feedwordpress plugin before 2015.0514 for WordPress has XSS via add_query_arg() and remove_query_arg().
Experts from Nokia, iboss and Sectigo talk 5G mobile security for internet of things (IoT) devices in this webinar replay.
Todd Fitzgerald, who wrote the books on being a chief information security officer, offers tips on what to do and what not to do in the first few months of a new CISO job.
Emerging technologies are introducing entirely new ways to reach, act, and interact with people. That makes app security more important than ever.
A new report finds 52% of multicloud environments have suffered a breach within the past year, compared with 24% of hybrid cloud users.
Facebook will not allow users to "opt out" of its face recognition feature.
Scammers leveraged artificial intelligence software to mimic the voice of a chief executive and successfully request $243,000.
The tense stand-off between privacy campaigners and the popular mobile payment app Venmo has taken another turn for the worse.
It's a gnat bite, critics say: The FTC's reported fine would be worth about two to three months of YouTube ad revenue.
QR codes have been around since 1994, but their creator is worried. They need a security update, he says.
Cynet is now providing its IR services at no cost, which will enable MSPs and SIs to include IR in their portfolio of security services.
Researchers at the Georgia Institute of Technology are testing IoT devices for security flaws.
Corporate accounts are the crown jewels to hackers. Learn how to stop hackers from business identity theft.
The purchase is intended to boost Splunk's capabilities in microservices architectures.
Exploit broker Zerodium has implemented a $2.5 million price tag for a zero-click 0-day in Android.
Enterprises must learn the difference between the two and the appropriate use cases for each.
Cybercrooks successfully fooled a company into a large wire transfer using an AI-powered deep fake of a chief executive's voice, according to a report.
The cost of breaches will rise by two-thirds over the next five years, exceeding an estimated $5 trillion in 2024, primarily driven by higher fines as more jurisdictions punish companies for lax security.
Researchers say an attacker could send a rogue over-the-air provisioning message to susceptible phones and route all internet traffic through a hacker-controlled proxy.
The RAT targets users via fake WhatsApp updates in Google Play.
What should be a private key used to vouch for the 'Free Basics by Facebook' app was used to sign unrelated apps.
The AK-EM 800 software from Danfoss centralizes alarm management, automatic data collection and food-quality reporting.
In-depth interviews with four market-leading CISOs reveal how they prioritize budgets, measure ROI on security investments, and evaluate new vendors.
A New York State school district was forced to delay the start of its school year when ransomware struck.
Researchers find that spoofing a service message from the phone carrier is simple and effective on some brands of Android smartphones.
Many privacy advocates, including the FTC's own commissioner, say the FTC's record $170 million fine over COPPA violations isn't enough.
Cybercriminals targeting financial institutions in the UK bypassed Symantec email gateway and other perimeter technologies.
The zero-day vulnerability could enable privilege escalation, and is not part of Google's Android September security update.
Researchers had recently demonstrated how attackers could intercept device capability information and use it against 5G mobile subscribers.
Field-Programmable Gate Arrays are flexible, agile-friendly components that populate many infrastructure and IoT devices -- and have recently become the targets of researchers finding vulnerabilities.
Episode 7 of the Naked Security podcast is available now!
Server lacked password protection and included multiple databases with records from the U.S., U.K. and Vietnam.
He kept working on new botnets (and swatting a co-conspirator-cum-competitor) while indicted and on supervised release.
When is a security update not a security update? When it's patching flaws in a version of an OS nobody beyond developers is yet running.
Healthcare organizations should be alarmed by the frequency and severity of cyberattacks. Don't assume you're safe from them just because you're compliant with regulations.
Mozilla has told developers not to fret - it won't follow Google in tweaking its browser to be unfriendly to ad blocking software.
The voice had the hint of a German accent and the same "melody" that a UK CEO recognized in his boss's voice.
Got a Pi? Here's a cool project idea for you...
After being hit by a ransomware attack, Massachusetts city New Bedford faced a payout demand of more than $5 million - one of the latest known ransoms ever.
It's still unclear who owned the server storing hundreds of millions of records online without a password.
The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via an ftp:// URL in a web browser. A stored cross-site scripting (XSS) vulnerability in the WebFTP mode allows a remote attacker to inject malicious JavaScript code into ASG/ProxySG's web listing of a remote FTP server. Exploiting the vulnerability requires the attacker to be able to upload crafted files to the remote FTP server. Affected versions: ASG 6.6 and 6.7 prior to 6.7.4.2; ProxySG 6.5 prior to 6.5.10.15, 6.6, and 6.7 prior to 6.7.4.2.
A new report investigates the evolution of crimeware, how businesses underestimate the threat, and why they should be concerned.
The team will be tasked with better protecting U.S. IP from data theft; it will also issue and oversee new policies around data rights and how military IP is allocated in the DoD's contracting and acquisition stages.
Faced by increasingly sophisticated threats, organizations are realizing the benefits of automation in their cybersecurity programs.
Controller/ListController.php in Eventum 3.5.0 is vulnerable to Deserialization of Untrusted Data. Fixed in version 3.5.2.
New Bedford, Massachusetts' refusal to pay a $5.3 million ransom highlights how victim towns and cities may be hitting the limit to what they're willing to spend to speed recovery.
Tide's method for protecting passwords splinters them up into tiny pieces and stores them on distributed nodes.
Learn how to sign in to your Microsoft Account site using your fingerprint, face, or a physical security key via Chrome, Firefox, or Microsoft Edge.
The spyware poses as a legitimate application, spreading via SMS messages to victims' contact lists.
Google has kicked 24 apps off of its official Android app marketplace after spyware was discovered in them.
Malicious actors look for accounts that are springboards to other systems, according to nearly 300 attendees of Black Hat USA.
Two problems, Twitter says: vulnerabilities that mobile carriers need to fix & its reliance on linked numbers for 2FA.
The good news is most insider threats derive from negligence, not malicious intent. The bad news is the frequency of negligence is already ahead of where it was in 2018.
Deepfake Detection Challenge aims to spur creation of technology to combat AI used for creating altered videos that intentionally mislead viewers.
Facebook's replaced "tag suggestions" with "face recognition" - a setting Facebook says may help to save us from identity thieves.
YouTube can't track kids online anymore without their parents' permission, says the FTC, as it fined the Google-subsidiary $170m.
Facebook confirmed the breach, claiming that the total number of users in the database was 210 million.
Learn how to add, remove, and otherwise manage your Windows 10 devices at your Microsoft Account site.
Increasing awareness about the critical importance of DNS security is the first step in reducing the risk of being attacked. It's time to get proactive.
The job website says it cannot notify users since the exposure occurred on a third-party organization's servers.
iPhone hacking levels up, military veterans targeted in an identity fraud scam, and more - catch up on the week's biggest stories with the Friday Five!
From deepfake to data exposures, the Threatpost team talks about the top security trends driving this week's biggest news stories.
The vulnerability in Exim could allow an attacker to remotely execute code with root privileges.
Students should keep their eyes peeled for phishing emails purporting to be from their colleges, as well as online student resources laced with malware, researchers warn.
Large portions of APT3's remote code-execution package were likely reverse-engineered from prior attack artifacts.
A survey by Pew Research Center finds that Americans support use of facial recognition by law enforcement, but not by tech or advertising companies.
A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests.
An issue was discovered in Mautic 2.13.1. There is Stored XSS via the authorUrl field in config.json.
IMAPFilter through 2.6.12 does not validate the hostname in an SSL certificate.
Here's our latest Naked Security Live video - all about WordPress, plugins and patching.
From backdooring WordPress sites to Raspberry Pi in space, and everything in between. It's weekly roundup time.
The attack quickly encrypted 158 workstations - and would have been worse had it struck later in the working day.
If you're worried about the evil potential of deepfake video, you're not alone; so is Facebook.
A senior executive at private browser company Brave has accused Google of using a workaround that lets it identify users to ad networks.
WordPress version 5.2.3 has just appeared on the download pipe featuring half a dozen security fixes and software enhancements.
Apple said Google's recent analysis of vulnerabilities found in January in iOS painted a misleading picture of the scope of the attacks and the risk involved.
Phishing works because people are, by nature, trusting -- but these evolving phishing techniques make it even tougher for security managers to stay on top.
Google's differential privacy library will give organizations a way to study their data while protecting people's information.
A critical vulnerability found in Exim servers could enable a remote, unauthenticated attacker to execute arbitrary code with root privileges.
Attackers don't need sophisticated James Bondian hardware to break into your company. Sometimes a $99 device will do.
An issue was discovered in LibreNMS through 1.47. Several of the scripts perform dynamic script inclusion via the include() function on user supplied input without sanitizing the values by calling basename() or a similar function. An attacker can leverage this to execute PHP code from the included file. Exploitation of these scripts is made difficult by additional text being appended (typically .inc.php), which means an attacker would need to be able to control both a filename and its content on the server. However, exploitation can be achieved as demonstrated by the csv.php?report=../ substring.
An issue was discovered in LibreNMS through 1.47. The scripts that handle the graphing options (html/includes/graphs/common.inc.php and html/includes/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php script. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, file content, denial of service, or writing arbitrary files.
The buddyboss-media plugin through 3.2.3 for WordPress has stored XSS.
The Swape theme before 1.2.1 for WordPress has incorrect access control, as demonstrated by allowing new administrator accounts via vectors involving xmlPath to wp-admin/admin-ajax.php.
The cf7-invisible-recaptcha plugin before 1.3.2 for WordPress has XSS.
The charitable plugin before 1.5.14 for WordPress has unauthorized access to user and donation details.
And be ready to turn over your firstborn.
A critical vulnerability in Exim, by far the world's most popular email server, was disclosed on Friday.
Wikipedia and World of Warcraft Classic users reported global outages over the weekend in targeted - and connected - DDoS attacks.
The ransomware campaign affected 22 local governments, none of which have paid the attackers' $2.5 million ransom demand.
Attackers can drop malware, add the device to a botnet or send their own audio streams to compromised devices.
Over the past year, the cyber-espionage group has attacked at least 12 other companies in the military, telecom, and satellite sectors, Symantec says.
Cyberespionage attackers have ditched their PowerShell backdoor in favor of the Windows BITS "notification" feature.
Porn-recording feature will likely be used for extortion.
Experiencing a data breach purely from being internet-connected is quite rare. Hackers rely on users to open or install a malicious payload, according to Proofpoint.
These steps walk you through the process of setting up an SFTP server on Linux for the secure transfer of files for specialized file transfer-only users.
Passwords remain the most common way to authenticate your online identity, but companies like Microsoft and Google are using alternate login methods. Tom Merritt offers five alternatives to passwords.
Research highlights how most criminals exploit human curiosity and trust to click, download, install, open, and send money or information.
A Cross-Site Request Forgery (CSRF) vulnerability exists in TeamMate+ 21.0.0.0 that allows a remote attacker to modify application data (upload malicious/forged files on a TeamMate server, or replace existing uploaded files with malicious/forged files). The specific flaw exists within the handling of Upload/DomainObjectDocumentUpload.ashx requests because of failure to validate a CSRF token before handling a POST request.
A "critical" security vulnerability has been discovered in the Exim mail server that requires admins' urgent attention.
Ever notice a missing company name next to the URL address bar? Ever change behavior because of it? Likely not, so bye-bye, useless badge.
It's a first: The government has never demanded personal data of a single app's users from Apple & Google.
Mozilla is about to turn on-by-default an oft-overlooked privacy feature in Firefox.
Most cloud data breaches leave only trace signs of malfeasance, so it can be tricky.
Flaws can potentially affect every device and user on the network by directing them to malicious websites or blocking their access to important data or resources.
The Pinfinity theme before 2.0 for WordPress has XSS via the s parameter.
The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2canvasproxy.php.
The jtrt-responsive-tables plugin before 4.1.2 for WordPress has SQL Injection via the admin/class-jtrt-responsive-tables-admin.php tableId parameter.
The elementor plugin before 1.8.0 for WordPress has incorrect access control for internal functions.
A large U.S. manufacturing company is the latest organization to be targeted with the LokiBot trojan - although this most recent campaign harbored some bizarre red flags.
Artificial intelligence is no substitute for common sense, and it works best in combination with conventional cybersecurity technology. Here are the basic requirements and best practices you need to know.
The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCCWP_CreateCustomFieldPage.php custom-field-css parameter.
The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCCWP_CreateCustomFieldPage.php custom-group-id parameter.
The magic-fields plugin before 1.7.2 for WordPress has XSS via the custom-write-panel-id parameter.
The spotim-comments plugin before 4.0.4 for WordPress has multiple XSS issues.
The avada theme before 5.1.5 for WordPress has CSRF.
The avada theme before 5.1.5 for WordPress has stored XSS.
The gravitate-qa-tracker plugin through 1.2.1 for WordPress has PHP Object Injection.
The sitebuilder-dynamic-components plugin through 1.0 for WordPress has PHP object injection via an AJAX request.
The postman-smtp plugin through 2017-10-04 for WordPress has XSS via the wp-admin/tools.php?page=postman_email_log page parameter.
The examapp plugin 1.0 for WordPress has SQL injection via the wp-admin/admin.php?page=examapp_UserResult id parameter.
The examapp plugin 1.0 for WordPress has XSS via exam input text fields.
The formcraft3 plugin before 3.4 for WordPress has stored XSS via the "New Form > Heading > Heading Text" field.
The myriad rules and regulations that govern data protection and privacy need some type of framework to tie them together in our cyber society.
A firewall vulnerability enabled attackers to repeatedly reboot the victim entity's firewalls, causing unexpected outages.
Data breaches fuel a complex cybercriminal ecosystem, similar to copper thefts after the financial crisis.
Overall Adobe's September security update addressed vulnerabilities in Flash Player and Application Manager.
Prosecutors in the U.S. are pursuing criminal charges against a Chinese professor after he purportedly took trade secrets to benefit Huawei. The case is yet another instance of the Department of Justice taking its investigation around Huawei, not to mention the theft of trade secrets, seriously.
Cybercrooks are using bots to create synthetic digital identities, to carry out various types of fraud.
September Patch Tuesday leads off with two elevation-of-privilege bugs that have been exploited in the wild.
Simply implementing best practices is not enough to address the risk coming from your own employees.
Apple will introduce other features that allow more secure use of iPhones in workplace settings as well.
Artificial intelligence, machine learning or deep learning? Knowing what the major terms really mean will help you sort through the morass of words on the subject and the security uses of each.
September's Patch Tuesday addressed 80 vulnerabilities, two of which have already been exploited in the wild.
A new report points out the dangers to customer data of website reliance on multiple third parties.
The OS updates may not reflect your Facebook app setting, but Facebook says it will respect whatever users' most restrictive settings are.
A security researcher uncovered a flaw in Telegram's 'unsend message' feature.
The long-awaited decision found that automated scraping of publicly accessible data likely doesn't violate the CFAA.
Wikipedia has suffered what appears to be the most disruptive Distributed Denial of Service (DDoS) attack in recent memory.
A coordinated effort between multiple agencies arrested suspects in Nigeria, the U.S. and eight other countries as well as seized nearly $3.7 million.
Proofpoint's senior director of the threat research team discusses the strange levels that attackers are going to in order to persuade victims to click on phishing messages.
The Cynet Dashboard provides 24/7 visibility into an organization's security, with real-time alerts and the ability to react as things happen.
It's time for cybersecurity manufacturers and solution providers to step up and show leadership in addressing firmware security. Read why and how.
A survey of 1,000 IT pros reveals plans for 2020 security spending.
Scanning files you open and save isn't enough to catch malware these days. Here's how Microsoft Defender tools can help you catch attacks that are missed by traditional security software.
A new attack on Intel server-grade CPUs could allow the leakage of SSH passwords - but luckily it's not easy to exploit.
Don't let your Logitech dongles remain vulnerable. Upgrade the firmware and be safe.
An Elastica DB belonging to Dealer Leads exposed a raft of information collected by "research" websites aimed at prospective car buyers.
If you're looking to gain as much privacy and security from the Firefox browser, you might want to enable DNS-over-HTTPS.
If you use a clipboard manager, you need to make sure to exclude certain applications. Find out how this is done with ClipIt.
Conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, the Department of Justice reports.
A new set of regulations converts the government ban on using Kaspersky products from a temporary rule to one that's permanent.
An exposed database containing 17 million email addresses exposed a massive fraud scheme impacting vendors like Groupon and Ticketmaster.
CA/Browser Forum wants SSL certificates to expire after a year. Many businesses that rely on them aren't equipped to cope.
The suspects, arrested worldwide, allegedly stole more than 250,000 identities, filed more than 10,000 fake tax returns, and tried to receive more than $91 million in refunds.
From university courses to open source self-starters, community software projects aim to solve problems for populations in need. A focus on security is required as well.
Telemetry for the first half of the year shows that Apple's ecosystem is firmly in cybercriminals' sights.
The java.io.ObjectInputStream is known to cause Java serialisation issues. The issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache Ofbiz is affected via two different dependencies: "commons-beanutils" and an outdated version of "commons-fileupload". Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16.
The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream` instance is only slightly guarded, by disabling the creation of `ProcessBuilder`. However, this can be easily bypassed (and in multiple ways). Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16: r1850017+1850019.
10,700 cases will be reviewed over 2 months, and 32 detainees have already been released after bugs were found in software and raw telecom data.
Following hot on Mozilla's trail, Google officially announced its own DNS-over-HTTPS (DoH) experiment in Chrome this week.
Operation reWired=tired cops worldwide! 167 suspects were cuffed in Nigeria and 74 in the US, among 8 other countries.
Sometimes, a Patch Tuesday update arrives with a bang that sends users scrambling for cover - September's update earns that description.
The organization accidentally sent the names, email addresses, gender and professional information of users of its portal Agora in an email sent in August.
Some 30% of consumers surveyed said they would never again use a small business that suffered a data breach, according to a new report from Bank of America.
The latest Naked Security Podcast is live - listen now!
Advanced data and innovative technology will help organizations more easily identify abnormal behavior and tell legitimate customers apart from "fake" ones.
More than one billion mobile users are at risk from a SIM card flaw currently being exploited by threat actors, researchers warn.
The historic measure, which still needs to be signed into law, would prohibit biometric surveillance, including in bodycams.
OWASP's new list of API weaknesses focuses on issues that have caused recent data breaches and pose common security hazards in modern cloud-based applications.
Cobalt Dickens (a.k.a. Silent Librarian) is now actively targeting 380 universities, bent on stealing credentials and moving deeper into school networks.
Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers.
With 35 million lines of Python code, the Athena trading platform is at the core of JPMorgan's business operations. A late start to migrating to Python 3 could create a security risk.
Federal agencies are spreading awareness around the threats insiders can pose to both governments and companies this month.
Researchers discover a side-channel vulnerability that exploits the network performance-enhancing capabilities of recent Intel server CPUs.
Knowing about a bug and actually securing it are very different things. These six steps will get you from "oh, sh*t" to fixed.
Cisco, Oracle, and LinkedIn security leaders share their challenges in communicating with business teams and advice for how CISOs can navigate the relationship.
The FBI and CISA issued an alert the same week researchers disclosed a new campaign launched by actors with North Korean ties.
Cobalt Dickens targeted more than 60 universities in the US and elsewhere this summer, according to a new report.
Messaging is growing in importance as dislike for email increases. That means knowing how to protect critical data in the messaging era is a must for IT security.
Fedir Oleksiyovich Hladyr is the first member of the infamous cybercrime network to be found guilty of hacking-related crimes in a US court.
Is this week's test pilot launch of Mozilla Private Network the moment browser VPNs finally become a must-have privacy feature?
New tactics aimed at business executives and users are being used to reap greater reward from e-mail based fraud, which continues to rise, researchers said.
Kaspersky caught 1.6 million phishing attacks disguised as the Apple brand in the first six months of 2019.
Crooks made bogus accounts to buy tickets with fake credit cards, resold them to unsuspecting buyers, and left the database-o-fraud wide open.
Threatpost editors Tara Seals and Lindsey O'Donnell talk about the top news stories of the week - from leaky databases to SIM card attacks.
There's another vulnerability in Intel chips, with another catchy name: NetCAT.
Researchers warn that U.S. firms are being targeted with legitimate - but trojanized - documents that are often socially engineered to a tee.
DNS-over-HTTPS sounds as though it should be safer than plain DNS, because of the "HTTPS" part - but not everyone is delighted about it...
Maybe you love your executive team, your security processes, tools, or strategy. Maybe you hate them. Whatever the situation, it's likely at some point that things will have changed.
The cysteme-finder plugin before 1.4 for WordPress has unrestricted file upload because of incorrect session tracking.
The Neosense theme before 1.8 for WordPress has qquploader unrestricted file upload.
The Headway theme before 3.8.9 for WordPress has XSS via the license key field.
The quotes-collection plugin before 2.0.6 for WordPress has XSS via the wp-admin/admin.php?page=quotes-collection page parameter.
The fs-shopping-cart plugin 2.07.02 for WordPress has SQL injection via the pid parameter.
The sirv plugin before 1.3.2 for WordPress has SQL injection via the id parameter.
The Relevanssi Premium plugin before 1.14.6.1 for WordPress has SQL injection with resultant unsafe unserialization.
The Post Indexer plugin before 3.0.6.2 for WordPress has incorrect handling of data passed to the unserialize function.
The Post Indexer plugin before 3.0.6.2 for WordPress has SQL injection via the period parameter by a super admin.
The wp-d3 plugin before 2.4.1 for WordPress has CSRF.
The PageLines theme 1.1.4 for WordPress has wp-admin/admin-post.php?page=pagelines CSRF.
The multisite-post-duplicator plugin before 1.1.3 for WordPress has wp-admin/tools.php?page=mpd CSRF.
The zx-csv-upload plugin 1 for WordPress has SQL injection via the id parameter.
The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has SQL injection via the insert_id parameter exploitable via CSRF.
The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has XSS exploitable via CSRF.
The zm-gallery plugin 1.0 for WordPress has SQL injection via the order parameter.
The xtremelocator plugin 1.5 for WordPress has SQL injection via the id parameter.
The copy-me plugin 1.0.0 for WordPress has CSRF for copying non-public posts to a public location.
The past six months have seen a 13% increase in human-initiated cyberattacks. Here's what cybercriminals are targeting.
Hackers hit a U.S. power utility, a new audit on whether schools are monitoring employee access to student data, and more - catch up on the week's news with the Friday Five!
At every turn, the info-stealer uses legitimate services to get around normal email, endpoint and network defenses.
Security professionals see acquiring skills as the way forward, but only half of companies are training their workers, with more continuing to search for highly skilled employees.
With GDPR enacted and the California Consumer Privacy Act on the near horizon, companies have to sharpen up their responses. Start by asking these six questions.
Six hackers made over $1 million this year for squashing security bugs, yet just five years ago this possibility seemed remote at best.
The web server in Integard Pro and Home before 2.0.0.9037 and 2.2.x before 2.2.0.9037 has a buffer overflow via a long password in an administration login POST request, leading to arbitrary code execution.
Lazarus Group, Bluenoroff, and Andariel were named and sanctioned by the US Treasury for ongoing attacks on financial systems.
Apple will not fix the glitch until the release of iOS 13.1 later in September.
Administrator access to backend systems is becoming the holy grail for attackers.
There's a fresh new slate of industry privacy guidelines for companies that handle health and wellness data to follow.
A newly discovered campaign, packing traces of Ryuk ransomware, aims to steal confidential information.
Sites that use the Gutenberg editor (found in WordPress 5.0 to 5.2.2) are open to complete takeover.
From Intel's SSH-stealing NetCAT bug to Mozilla's VPN - and everything in between. It's the weekly roundup.
The Marshall Islands is facing rising seas and financial isolation. But critics say their get-rich-quick cryptocurrency scheme won't work.
The shadowy world of phone-surveillance-for-hire became a little clearer last week following the discovery of a phone exploit called Simjacker.
Google has discovered a flaw in a Chromebook security feature which allows owners to press their device's power button to initiate U2F 2FA.
This time, José Rodríguez came up with a way to trick the iOS 13 beta into showing its address book without the need to unlock the screen.
ReversingLabs identified cybercriminals duping certificate authorities by impersonating legitimate entities and then selling the certificates on the black market.
The safety of our digital lives is at stake, and we need to all do our part in raising awareness of these issues.
The real3d-flipbook-lite plugin 1.0 for WordPress has bookName=../ directory traversal for file upload.
The real3d-flipbook-lite plugin 1.0 for WordPress has deleteBook=../ directory traversal for file deletion.
The dwnldr plugin before 1.01 for WordPress has XSS via the User-Agent HTTP header.
The icegram plugin before 1.9.19 for WordPress has XSS.
The icegram plugin before 1.9.19 for WordPress has CSRF via the wp-admin/edit.php option_name parameter.
The colorway theme before 3.4.2 for WordPress has XSS via the contactName parameter.
The wsecure plugin before 2.4 for WordPress has remote code execution via shell metacharacters in the wsecure-config.php publish parameter.
The estatik plugin before 2.3.1 for WordPress has authenticated arbitrary file upload (exploitable with CSRF) via es_media_images[] to wp-admin/admin-ajax.php.
The estatik plugin before 2.3.0 for WordPress has unauthenticated arbitrary file upload via es_media_images[] to wp-admin/admin-ajax.php.
The Akal theme through 2016-08-22 for WordPress has XSS via the framework/brad-shortcodes/tinymce/preview.php sc parameter.
The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php.
There's a new password manager in town. Find out how to connect Buttercup to a cloud account for easy password management.
A new survey finds many companies are still in the dark about GDPR compliance.
Three North Korean threat groups have been sanctioned in the U.S. as part of a larger U.S. initiative against North Korea-linked malicious cyber activity.
An unsecured database containing 18GB of data exposed more than 20 million records, most of which held details about Ecuadorian citizens.
Independent researchers found 125 different CVEs across 13 different router and NAS models.
US appeals court said a company can legally use publicly available LinkedIn account information.
More than a compliance mandate, privacy impact assessments can also spot risks early in the product development cycle.
Julian Assange is among those impacted.
Five amendments to the California Consumer Privacy Act were sent to the governor of California's desk on Friday as the most stringent law on consumer privacy continues to take form.
Sanctions on North Korean nation-state hacking groups came amid reports of fresh malicious campaigns directed at US entities from the isolated nation.
The company broadens its portfolio with new services developed to centralize and automate cloud security.
Manhattan District Attorney Cyrus R. Vance, Jr.: If he's guilty, he'll face the music. Heh. Heh.
The US has formally sanctioned the Lazarus Group and offshoots Bluenoroff and Andariel, which are allegedly acting on behalf of the DPRK.
Kyle Milliken is back from jail, and he has some advice for you: Do. Not. Reuse. Your. Passwords.
According to a new report, nearly 30% of all US calls placed in the first half of 2019 were garbage, as in, nuisance, scam or fraud calls.
The company has patched a vulnerability that could allow malicious sites unauthorized access to usernames and passwords.
The volume of data processed in the enterprise is rapidly increasing, though strategies to secure data, including biometrics, are subject to technical and legal issues.
Sparking cultural shifts within an organization -- and throughout an entire industry -- can feel like a monumental task, but the juice is well worth the squeeze.
An Australian open source foundation is introducing a new approach to encryption called splintering. TechRepublic's Karen Roby talks with the Tide Foundation's co-founder.
Microsoft's Windows management tools can lock PCs down to only use trusted software.
US companies are poorly prepared for even the most rudimentary privacy regulations, a new report says.
Fraudsters continue to attempt to fool certificate authorities into issuing valid digital certificates for legitimate organizations by impersonating an authoritative user. The reward? The ability to sign code with a legitimate signature.
A configuration setting in Google Calendars does not sufficiently warn users that it makes their calendars public to all, a researcher argues.
The bug was first found in 2016.
Webcams could be potentially accessed and manipulated by anyone with an Internet connection, researchers say.
With Google dragging their feet on the fix for Video4Linux, you might consider revoking camera permissions for certain apps.
Bug impacts VMware Workstation 15 running 64-bit versions of Windows 10 as the guest VM.
Common prices criminals pay one another for products and services that fuel the cybercriminal ecosystem.
While using your browser to mine cryptocurrencies for profit, web miners can chew up power from your computer, says a new report from Kaspersky.
Researchers said a new defense system is fueling a wave of DNS amplification attacks.
It's a joint responsibility to keep data safe in the cloud. Here's what cloud customers must do to keep their end of the bargain.
Civil suit argues the former CIA employee and NSA contractor violated his nondisclosure agreements with the two intel agencies.
Researchers at this children's hospital purportedly stole trade secrets, then used them to start and market their own Chinese biotechnology firm.
Here are five tips about what not to do when assessing the cyber-risk introduced by a third-party supplier.
Though harboring unsophisticated payloads, the Panda threat group has updated its tactics - from targets to infrastructure - and successfully mined hundreds of thousands of dollars using cryptomining malware.
The list includes the most frequent and critical weaknesses that can lead to serious software vulnerabilities.
Staff shortages and an increasingly challenging job are turning up the heat on security pros, Dark Reading readers say.
Casey Viner got into a spat over a $1.50 wager in a Call of Duty World War II game that led to the fatal shooting of an innocent man.
Don't be lulled into a false sense of security by that shiny new router or network-attached storage (NAS) device - the chances are that it's no more secure than its predecessors.
Included are deep details on 7 million minors, one grownup named Julian Assange, and perhaps a few million deceased Ecuadorians.
Mozilla, Creative Commons and Coil are teaming up to launch a $100m fund to drive out advertising and advocate privacy across the web.
WannaCry never went away - it just became less obvious.
The malware landscape is constantly changing, including the rise of a new malware called LookBack, as well as anticipation over the return of the Emotet and Retefe malware families.
The attack -- the 4th-largest the company has ever encountered -- leveraged WS-Discovery, the same exploit used in the 2016 Dyn incident.
BlueKeep and DejaBlue renewed interest in brute-force scanning for vulnerable systems, which negatively impacts Windows Server performance. Cameyo offers solutions to protect your Virtual Desktop server.
Cynet's new RFP templates clearly lay out the requirements for securing potential APT vectors.
Now that you've completed your digital transformation, you need to build a system to protect this new way of doing business.
Managed service providers are the latest pawns in ransomware's game of chess.
The U.S. is attempting to seize any assets related to Edward Snowden's new memoir, Permanent Record.
The average breach causes $149,000 in damages, yet most small-to-medium-sized businesses thought cyberattacks would cost them under $10,000, a survey reports.
The ever-changing malware is jumping in the middle of people's existing email conversations to spread itself without suspicion.
Laughter is, well, contagious. Jokes begin in earnest at the one-minute mark.
Several hundred servers storing medical data are connected to the Internet without any protection for sensitive information and images.
The latest attacks, such as Skidmap and Smominru, add capabilities to allow them to persist longer on Windows and Linux systems, surviving initial attempts at eliminating them.
Officials arrest a leader of consulting firm Novaestrat, which owned an unprotected server that exposed 20.8 million personal records.
By abusing a little-known multicast protocol, attackers can launch DDoS attacks of immense power, but there may be an easy fix.
GK8 creates proprietary platform for securing blockchain transactions, no Internet needed.
MITRE has published a list of the most dangerous software errors - weaknesses that could lead to a critical vulnerability and in turn, code execution and the theft of data, if left unresolved.
Bringing developers and security teams together guided by a common goal requires some risk-taking. With patience and confidence, it will pay off. Here's how.
1Password has created an advanced protection suite with new security tools for 1Password business users.
The idea that humans are the weakest link shouldn't guide the thinking on social-engineering defense.
Latest moves will make it much more likely that vulnerabilities in open source projects will be found and reported, GitHub says.
Social engineering is as old as mankind. But its techniques have evolved with time. Here are the latest tricks criminals are using to dupe end users.
The fake emails direct victims to log into a bogus IRS site.
Marc Rogers discusses the logistics behind a recently-proposed anonymous bug submission program, meant to encourage ethical hackers to submit high-level bugs anonymously.
More than 12,000 variants of the infamous malware are targeting systems that are still open to the EternalBlue exploit - but the potential danger is low, Sophos warns.
Symantec identifies new 'Tortoiseshell' nation-state group as the attackers.
PacketFence is a network access control (NAC) system. It is actively maintained and has been deployed in numerous large-scale institutions. It can be used to effectively secure networks, from small to very large heterogeneous networks. PacketFence provides NAC-oriented features such as registration of new network devices, detection of abnormal network activities including from remote snort sensors, isolation of problematic devices, remediation through a captive portal, and registration-based and scheduled vulnerability scans.
An in-depth study of reported bugs has produced a list of the top 25 bug categories in software today - with some old familiar names topping the list.
Security leaders are increasingly making their case through metrics, as well they should - as long as they're not one of these.
Researchers discovered that smart TVs from Samsung, LG and others are sending sensitive user data to partner tech firms even when devices are idle.
The latest Naked Security Podcast is live - listen now!
The government, alleging that Snowden violated NDAs with the CIA and NSA, isn't looking to stop the book's publication or distribution.
Of the 2,300 archiving systems looked at, 590 were accessible from the internet, exposing 24 million medical records from 52 countries.
A full 90% of security professionals say yes, according to a poll conducted by 451 Research and commissioned by security testing company Veracode.
If you had a Yahoo account between January 1, 2012 and December 31, 2016, you may be entitled to a bit of money.
Crowdsourced platforms have redefined both pentesting and the cybersecurity gig economy. Just not in a good way.
This year, the Air Force presented vetted hackers with a plane's subsystem, which they duly tore up. Next year, it will be a satellite.
Learn about what the Electronic Healthcare Network Accreditation Commission, or EHNAC, is, its benefits, the accreditation process, and best practices in Data Protection 101, our series on the fundamentals of data security.
While businesses don't want to lose data, 66% of business decision makers said their current IT resources do not keep up with growing technological demands.
The identity management company plans to sell 12.5 million shares, raising $187.5 million in its initial public offering.
Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).
An on-premises hacker can cripple even the best cybersecurity defenses.
Microsoft broke its built-in antivirus utility, thanks to a patch for a different issue.
Security professionals will coordinate disclosure with researchers but may keep their self-discovered vulnerabilities secret, a new study shows.
The latest model, with insights from 122 firms, shows DevOps adoption is far enough along to influence how companies approach software security.
Eight cities have been hit by a data breach targeting payment cards.
The law, which goes into effect on January 1, requires manufacturers to equip devices with 'reasonable security feature(s).' What that entails is still an open question.
Moore has built a network asset discovery tool that wasn't intended to be a pure security tool, but it addresses a glaring security problem.
The breach, which reportedly exposed data on millions of passengers, is one of many that have resulted from organizations leaving data publicly accessible in cloud storage buckets.
France finance minister: Libra won't be allowed onto European soil.
It's not just China: at least 75 out of 176 countries globally are actively using AI technologies for surveillance purposes, research shows.
IBM has boosted its growing stable of quantum computers with a new 53-quantum bit (qubit) device, the most powerful ever offered for commercial use.
A researcher has just published a zero-day security bug in one of the web's most popular database administration software packages.
A database lacking password protection exposed sensitive data of customers of Milwaukee-based mattress company Verlo Mattress.
Threatpost editors discuss the return of Emotet, a new lawsuit against Edward Snowden and more.
Report details how many organizations lack faith in their security systems to manage an ever-expanding digital landscape.
We're just at the beginning of an important conversation about the future of our homes and cities, which must involve both consumers and many players in the industry.
In a world in which the data center perimeter has all but evaporated, traditional segmentation no longer is enough. Enter microsegmentation. Here's what organizations need to do to maximize the benefits of this improved security architecture.
For years, sensitive documents and corporate data have been easily viewable on the coworking space's open network.
A report from a former NSA operative says countries across the world are still adjusting to the new reality of sophisticated cyberwarfare.
Forcepoint has fixed a privilege escalation vulnerability in its VPN Client for Windows.
The yawpp plugin through 1.2.2 for WordPress has XSS via the field1 parameter.
The admin-management-xtended plugin before 2.4.0.1 for WordPress has privilege escalation because wp_ajax functions are mishandled.
The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via a quiz name.
The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/edit.php CSRF with resultant XSS.
The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/options-general.php CSRF.
The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via the quiz parameter during a Quiz Manage operation.
The quotes-and-tips plugin before 1.20 for WordPress has XSS.
The relevant plugin before 1.0.8 for WordPress has XSS.
The xpinner-lite plugin through 2.2 for WordPress has wp-admin/options-general.php CSRF with resultant XSS.
The xpinner-lite plugin through 2.2 for WordPress has xpinner-lite.php XSS.
The wp-piwik plugin before 1.0.5 for WordPress has XSS.
The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_keywords XSS.
The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_location XSS.
The users-ultra plugin before 1.5.59 for WordPress has uultra-form-cvs-form-conf arbitrary file upload.
The websimon-tables plugin through 1.3.4 for WordPress has wp-admin/tools.php edit_style id XSS.
The wordpress-meta-robots plugin through 2.1 for WordPress has wp-admin/post-new.php text SQL injection.
The wp-stats-dashboard plugin through 2.9.4 for WordPress has admin/graph_trend.php type SQL injection.
The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php gcid SQL injection.
The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php deletegc XSS.
The auto-thickbox-plus plugin through 1.9 for WordPress has wp-content/plugins/auto-thickbox-plus/download.min.php?file= XSS.
The users-ultra plugin before 1.5.64 for WordPress has SQL Injection via an ajax action.
The users-ultra plugin before 1.5.63 for WordPress has CSRF via action=package_add_new to wp-admin/admin-ajax.php.
The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_desc parameter.
The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_name parameter.
A popular password manager fixes a bug, a 20 million person breach, and more - catch up on the week's infosec and privacy news with this week's Friday Five!
The education sector has seen 10 new victims in the past nine days alone, underscoring a consistent trend throughout 2019.
Facebook said it has suspended and banned tens of thousands of apps on its platform after its investigation into how they collect and use data, launched in the wake of Cambridge Analytica.
With Google dragging its feet on the fix for Video4Linux, you might consider revoking camera permissions for certain apps.
The purchase will bring new isolation and threat intelligence capabilities to the HP portfolio.
Webfwlog is a Web-based firewall log reporting and analysis tool. It allows users to design reports to use on logged firewall data in whatever configuration they desire. Included are sample reports as a starting point. Reports can be sorted with a single click, or "drilled-down" all the way to the packet level, and saved for later use. Supported log formats are netfilter, ipfilter, ipfw, ipchains, and Windows XP. Netfilter support includes ulogd MySQL or PostgreSQL database logs using the iptables ULOG target.
Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers.
Directory traversal vulnerability in the mTheme-Unus theme before 2.3 for WordPress allows an attacker to read arbitrary files via a .. (dot dot) in the files parameter to css/css.php.
The Antioch theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to lib/scripts/download.php.
The epic theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to includes/download.php.
VPNs are critical pieces of the security infrastructure, but they can be vulnerable, hackable, and weaponized against you. Here are seven things to be aware of before you ignore your VPN.
From the Simjacker phone hack to IBM's cloud-based quantum computer - and everything in between. It's the weekly security roundup.
WannaCry still hasn't died out, more than two years after the original attack. We went live to find out why...
The tech-support scammers were allegedly part of a network of crooks in the US and India who conned about 7,500 victims.
Researchers have discovered a way to use wireless earbuds as a biometric authentication system.
Google has again been reprimanded for not spotting fake extensions impersonating popular brands in its Chrome Web Store.
A project intended to move a small robot around a hazardous board teaches some solid security lessons.
This is the second such suit, with shareholders asking why execs sold $40m+ of their shares while downplaying the ransomware attack.
A Change.org petition is demanding stronger accountability for Equifax in the 2017 leak that affected 150 million customers.
Logging that is turned on, captured, and preserved immediately after a cyber event is proof positive that personal data didn't fall into the hands of a cybercriminal.
Need to hide your location and encrypt your Firefox browser data? Look no further than the new Firefox Private Network add-on.
Google is tightening its privacy controls over its Google Assistant voice assistant after a report earlier this year found that it was eavesdropping on user conversations.
The victims, who post car reviews and other videos about the auto industry, were targeted in a seemingly coordinated campaign to steal account access.
It appears this summer's 46-million-person breach at a Southeast Asian airline carrier wasn't caused by a misconfigured bucket but by two ex-staffers at a contracting firm.
To get the best out of your policy, do more than just sign on the dotted line.
Don't let your Android's MAC address give away your location--use a Randomized MAC address instead.
The security update fixes a vulnerability that could allow an attacker to remotely execute code at the same privilege as the legitimate user.
A spearphishing campaign first uncovered in July is hitting more utilities firms and spreading the LookBack malware, which has capabilities to view system data and reboot machines.
Where most organizations fall short in risk management tools, technologies, and talent, and how they can improve.
Microsoft has issued a patch for an Internet Explorer remote code execution flaw that is being actively exploited in the wild.
XSSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.
Your Instagram account has value to the crooks - so they're coming up with some cunning tricks to get at your password.
Atlassian admins have a spot of patching work on their hands after the company released updates addressing two critical flaws.
Apple has turned off the ability for adblocking companies to use their own blocking mechanisms in Safari.
400 developers have been naughty with user data, noncompliant with policy, and/or have ignored Facebook's audit, it says.
'AdBlock' and 'uBlock' impersonate legitimate extensions but instead engage in cookie stuffing to defraud affiliate marketing programs, a researcher has found.
An inside look into the engineering mindset of DevOps from the vantage of a career security professional.
A cautionary tale from a pen test gone wrong in an Iowa county courthouse.
Vulnerabilities originally discovered by US government security services have been used by cybercriminals against municipalities, costing taxpayers an estimated $11.5 billion in 2019.
Add a password manager to Nextcloud so your users can start using strong passwords more easily.
100K or so creators in the YouTube car community were targeted by a phishing campaign that captured 2FA codes.
Researchers warn that the Russia-linked APT has freshened up their tools with an improved downloader and more.
Nearly half of office workers said they had their data compromised. Here's why they keep falling for phishing scams.
Seen this month attacking victims in India, the Dtrack malware is bent on financial gain and high-end spying.
A second out-of-band patch issued this week addresses a denial-of-service vulnerability in Microsoft Defender.
Suricata is a network intrusion detection and prevention engine developed by the Open Information Security Foundation and its supporting vendors. The engine is multi-threaded and has native IPv6 support. It's capable of loading existing Snort rules and signatures and supports the Barnyard and Barnyard2 tools.
Most electrical engineering firms are targeted by threat actors of opportunity because of two necessary ingredients: people and computers. These four tips will help keep you safer.
New analysis of the software used by espionage groups linked to Russia finds little overlap in their development, suggesting that the groups are siloed.
An attack has had a significant impact on the operations of Wyoming's Campbell County Memorial Hospital.
The HHS Office for Civil Rights (OCR) is reiterating that when it comes to safeguarding critical data, healthcare organizations need to know the where, who, what, and how.
Goal is to help websites detect and block bad bot traffic, vendor says.
Overall, Adobe released three patches - one for an 'important' flaw and two for critical flaws - in the 2016 and 2018 versions of ColdFusion.
As risk management programs differ from business to business, these factors remain constant.
Despite claiming they were retiring, GandCrab's authors have been linked to the REvil/Sodinokibi ransomware via a technical analysis.
'Tortoiseshell' discovered hosting a phony military-hiring website that drops a Trojan backdoor on visitors.
New inside-out approach will give SMBs a way to buy insurance coverage based on a realistic and ongoing assessment of their risk, company says.
"Oh no! However shall I give away Bitcoin to all my followers?" sobbed a bunch of crooks.
VPN vendor Forcepoint has patched a security flaw that could have given attackers unfettered access to its users' Windows computers.
Yes, people have the right to be forgotten, but only if they're European, the top EU court ruled on Tuesday.
Vulnerability in iOS 13 and iPadOS affects keyboards installed for iPhone, iPad, or iPod touch.
Microsoft has rushed to patch two flaws affecting IE versions 9 to 11, one of which the company says is being exploited in real attacks.
EDR is still recognized as quite efficient against many of the advanced threats security professionals encounter, but today's threatscape demands Next-Gen EDR solutions.
The industry-wide use of Remote Desktop Protocol makes it a tempting target for hackers, says a new report from threat detection company Vectra.
First step: Convince machines that we are who we say we are with expanded biometrics, including behaviors, locations, and other information that makes "us" us.
DoS attacks come in many varieties (not just DDoS). This simple set of descriptions will help you understand how they're different - and why each and every one is bad.
Magecart 5 is targeting Layer 7 routers used in airports, casinos, hotels, resorts, and other venues to steal credit card data on popular US and Chinese shopping sites.
A known threat actor, Tortoiseshell, is targeting U.S. military veterans with a fake veteran hiring website that hosts malware.
With the newest Android version, Google has tried to improve and simplify the process of managing your privacy. Learn how to use the privacy controls and options in Android 10.
Attackers continue to focus on bread-and-butter tactics, according to a quarterly threat report.
The cloud-native SIEM is designed to search data from users, applications, servers, and devices running on-prem and in the cloud.
As payment technologies evolve, so do the requirements for securing cardholder data.
Digital Guardian is excited to share that our Data Protection Platform has been designated a Cyber CatalystSM solution!
The issue in the Rich Reviews plugin is being actively exploited.
The 2019 State of DevOps report found that teams at higher levels of DevOps evolution involved their security experts from the beginning.
An active APT campaign aimed at tech companies is underway, which also uses a legitimate NVIDIA graphics function.
The object of this new attack campaign is not swordfish or tuna but high-ranking executives within target organizations.
The alo-easymail plugin before 2.6.01 for WordPress has CSRF with resultant XSS in pages/alo-easymail-admin-options.php.
Why governance, risk, and compliance solutions lull companies into a false sense of security, and how to form a more effective approach.
Code similarities show a definite technical link between the malware strains, Secureworks says.
The Cybersecurity and Infrastructure Security Agency's latest version of the National Emergency Communications Plan comes after a two-year process to improve the cybersecurity and flexibility of the nation's emergency communications.
Magecart Group 5 has been spotted testing and preparing code to be injected onto commercial routers - potentially opening up guests connecting to Wi-Fi networks to payment data theft.
Here are Larry Dignan's key takeaways from Amazon's 2019 hardware event and what it means for smart home integration, privacy, and digital assistants.
The qtranslate-x plugin before 3.4.4 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=qtranslate-x json_config_files or json_custom_i18n_config parameter.
The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User-Agent HTTP header.
The yith-maintenance-mode plugin before 1.2.0 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=yith-maintenance-mode panel_page parameter.
The wplegalpages plugin before 1.1 for WordPress has CSRF with resultant XSS via wp-admin/admin.php?page=legal-pages lp-domain-name, lp-business-name, lp-phone, lp-street, lp-city-state, lp-country, lp-email, lp-address, or lp-niche parameters.
The googmonify plugin through 0.5.1 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=googmonify.php PID or AID parameter.
The manual-image-crop plugin before 1.11 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=mic_editor_window postId parameter.
The social-locker plugin before 4.2.5 for WordPress has CSRF with resultant XSS via the wp-admin/edit.php?post_type=opanda-item&page=license-manager-sociallocker-next licensekey parameter.
The multicons plugin before 3.0 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=multicons%2Fmulticons.php global_url or admin_url parameter.
The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load PlugneditBGColor, PlugneditEditorMargin, plugnedit_width, pnemedcount, or plugneditcontent parameters.
The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has CSRF with resultant XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load plugnedit_width, pnemedcount, PlugneditBGColor, PlugneditEditorMargin, or plugneditcontent parameters.
The olevmedia-shortcodes plugin before 1.1.9 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=omsc_popup id parameter.
The soundcloud-is-gold plugin before 2.3.2 for WordPress has XSS via the wp-admin/admin-ajax.php?action=get_soundcloud_player id parameter.
The captain-slider plugin 1.0.6 for WordPress has XSS via a Title or Caption section.
The Watu Pro plugin before 4.9.0.8 for WordPress has CSRF that allows an attacker to delete quizzes.
The testimonial-slider plugin through 1.2.1 for WordPress has CSRF with resultant XSS.
The sitepress-multilingual-cms (WPML) plugin 2.9.3 to 3.2.6 for WordPress has XSS via the Accept-Language HTTP header.
The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion.
The wp-symposium plugin through 15.8.1 for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter.
The eshop plugin through 6.3.13 for WordPress has CSRF with resultant XSS via the wp-admin/admin.php?page=eshop-downloads.php title parameter.
The Royal-Slider plugin before 3.2.7 for WordPress has XSS via the rstype parameter.
The Postmatic plugin before 1.4.6 for WordPress has XSS.
The Postmatic plugin before 1.4.6 for WordPress has XSS.
The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter.
The suit was filed under BIPA, the Illinois law that requires written consent to grab people's faceprints - the same law Facebook's battling.
Adobe has rushed out fixes for three vulnerabilities in its ColdFusion web development platform, two of which have been given the top billing of 'critical'.
Andrei Tyurin is the first to be convicted in one of the largest thefts of customer data from a single US financial institution in history.
If you're a WordPress admin using a plug-in called Rich Reviews, you'll want to uninstall it. Now. The now-defunct plug-in has a major vulnerability that allows malvertisers to infect sites running WordPress and redirect visitors to other sites.
Users scrambled to find a fix for the problem and eventually Google took responsibility for the issue.
How to determine -- and communicate -- the value of Threat Intelligence Gateways (TIGs) in your enterprise.
Here's the latest Naked Security podcast - listen now!
Despite CISOs' apprehension about increasing dependence on SaaS applications and the security risks the cloud represents, adoption isn't slowing down.
Training is the key to helping the enterprise avoid cyber threats from phishing or other means.
Businesses of all sorts are increasingly relying on APIs to interact with customers in smartphone apps, but they have their own unique set of vulnerabilities.
Vimeo is under fire for allegedly collecting and storing users' facial biometrics in videos and photos without their consent or knowledge.
Percentage-based URL encoding plus Google domain trickery is helping malicious emails to evade filters.
One Cisco bug impacting its 800 and 1000 series routers had a CVSS severity score of 9.9.
Experts from Nokia, iboss and Sectigo talk 5G mobile security for internet of things (IoT) devices in this webinar YouTube video (transcript included).
Sysdig falco is a behavioral activity monitoring agent that is open source and comes with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco will notify you when these rules are violated. You can think about falco as a mix between snort, ossec and strace.
Google won what many viewed as a milestone case this week as Europe's top court ruled it doesn't have to extend the "right to be forgotten" privacy rule beyond the EU's 28 states.
After someone dropped a zero-day exploit on Securelist this week, the platform rushed out a fix -- time to apply it.
Four separate incidents over the past year have targeted Airbus suppliers for the manufacturer's sensitive commercial data.
Most devastating cloud data leaks are caused by the same kinds of common cloud security challenges and configuration errors. Here's what you need to know.
Manually addressing breaches that result from email-based attacks is a time sink for IT professionals, according to a Barracuda report.
Ransomware attacks are taking advantage of vulnerabilities that are older and less severe, a new report finds.
Looking for a web-based tool to manage Microk8s? Look no further than the Kubernetes dashboard.
DEF CON Voting Village organizers presented a final report on their findings at the Capitol.
A new report explores changes in cloud-native applications and complexities involved with securing them.
Accessed information includes delivery addresses, license numbers, names, phone numbers and more.
The remote code execution bug was a 0-day when it was publicly disclosed Monday, but has now been patched.
The testimonial-slider plugin through 1.2.1 for WordPress has CSRF with resultant XSS.
Match.com allegedly put users on its free version at risk - by not filtering out communications that it knew were from fake accounts.
Fileless threat leverages widely used Node.js framework and WinDivert packet-capture utility to turn infected machines into proxies for malicious behavior.
The malware landscape continues to evolve with the re-emergence of the GandCrab operators and a continued spearphishing attack spreading the LookBack RAT.
It's an arms race: as detection methods improve, deepfake-generating algorithms are quickly updated to correct the flaws.
A few days ago, movie editors started reporting that Mac Pros running Avid software were crashing throughout Hollywood.