Almost 2.7 billion records of personal information for people in the United States were leaked on a hacking forum, exposing names, social security numbers, all known physical addresses, and possible aliases. [...]

Nicely ahead of that always-a-decade-away moment when all our info becomes an open book The National Institute of Standards and Technology (NIST) today released the long-awaited post-quantum encryption standards, designed to protect electronic information long into the future – when quantum computers are expected to break existing cryptographic algorithms.…

Microsoft today released updates to fix at least 90 security vulnerabilities in Windows and related software, including a whopping six zero-day flaws that are already being actively exploited by attackers.

Dots have been joined, but hard evidence is not apparent Former US president Donald Trump's re-election campaign has claimed it's been the victim of a cyber attack.…

An alarming trend toward multiple, sometimes simultaneous cyber attacks forces business leaders to re-evaluate their cyber resilience strategies to address common points of failure, including inadequate identity system backup and recovery practices, according to Semperis. Survey of nearly 1,000 IT and security professionals shows 83% of organizations were targeted by ransomware attacks in the past year with a high degree of success, sounding alarming trends in attack frequency, severity, and consequences. Companies are suffering successful … More → The post 74% of ransomware victims were attacked multiple times in a year appeared first on Help Net Security.

A critical security vulnerability has been discovered in OpenSSH implementations on FreeBSD systems, potentially allowing attackers to execute remote code without authentication. The vulnerability, identified as CVE-2024-7589, affects all supported versions of FreeBSD. The issue stems from a signal handler in the SSH daemon (sshd) that may call logging functions that are not async-signal-safe. This […] The post Critical OpenSSH Vulnerability in FreeBSD Let’s Attackers Gain Root Access Remotely appeared first on Cyber Security News.

Browser extensions are a prime target for cybercriminals. And this isn’t just a consumer problem – it’s a new frontier in enterprises’ battle against shadow IT. Ultimately, more extension permissions result in potentially bigger attack surfaces. Research shows that the average enterprise counts almost 1500 browser extensions across its ecosystem – even one bad add-on can cause reputational, financial, and privacy problems. Going forward, admins need to step up and recognize the threat, take back … More → The post Browser backdoors: Securing the new frontline of shadow IT appeared first on Help Net Security.

Security researcher Bill Demirkapi found more than 15,000 hardcoded secrets and 66,000 vulnerable websites—all by searching overlooked data sources.

Microsoft Azure Health Bot Server-Side Request Forgery (Data Connection Endpoints)

        Tenable Research discovered a privilege escalation issue in the Azure Health Bot service via a server-side request forgery (SSRF). This issue allowed researchers access to the service’s internal metadata service (IMDS) and subsequently granted access tokens allowing for the management of cross-tenant resources. The Data Connector utilities used within Azure Health Bot’s Scenario Editor improperly handled redirect responses from user-supplied endpoints. This allowed researchers access to Azure’s IMDS, which gave management access to the internal Microsoft subscription ID governing resources of customers utilizing the Health Bot service. MSRC has assigned this issue a severity rating of Critical - Elevation of Privilege.

Jimi Sebree

Tue, 08/13/2024 - 10:31

Allan “dwangoAC” has made it his mission to expose speedrunning phonies. At the Defcon hacker conference, he’ll challenge one record that's stood for 15 years.

Lorenzo Franceschi-Bicchierai / TechCrunch: How cybersecurity researcher Jon DiMaggio used fake personas to infiltrate LockBit and trick its alleged administrator into revealing operation details  —  Jon DiMaggio used sockpuppet accounts, then his own identity, to infiltrate LockBit and gain the trust of its alleged admin, Dmitry Khoroshev.

Traditional cloud security issues often associated with cloud service providers (CSPs) are continuing to decrease in importance, according to the Top Threats to Cloud Computing 2024 report by the Cloud Security Alliance. Misconfigurations, IAM weaknesses, and API risks remain critical These findings continue the trajectory first seen in the 2022 report, along with the fact that threats such the persistent nature of misconfigurations, identity and access management (IAM) weaknesses, insecure application programming interfaces (APIs), and … More → The post Misconfigurations and IAM weaknesses top cloud security concerns appeared first on Help Net Security.

Google researchers have uncovered over nine vulnerabilities in Qualcomm's Adreno GPU, an integrated graphics processing unit in Qualcomm's Snapdragon processors. Due to the GPU having kernel privileges, the security flaws pose significant risks since they could allow attackers to gain full control of a device.Read Entire Article

As many as 10 security flaws have been uncovered in Google's Quick Share data transfer utility for Android and Windows that could be assembled to trigger remote code execution (RCE) chain on systems that have the software installed. "The Quick Share application implements its own specific application-layer communication protocol to support file transfers between nearby, compatible devices,"

Michael Weissenstein / Associated Press: Around 200 nations approved the UN Convention against Cybercrime, expected to win General Assembly approval; critics say it could be used to justify repression  —  A global deal on the criminal use of computer technology is moving ahead despite worries it will let governments around …

The vulnerabilities, which have been patched, may have novel appeal to attackers as an avenue to compromising phones.

Comments

​Microsoft has disclosed a high-severity zero-day vulnerability affecting Office 2016 and later, which is still waiting for a patch. [...]

    Illustration by Alex Castro / The Verge

Signal is being blocked in Venezuela and Russia. The app is a popular choice for encrypted messaging and people trying to avoid government censorship, and the blocks appear to be part of a crackdown on internal dissent in both countries. In Venezuela, the blockage follows the disputed results of the country’s presidential election last month, which have led to protests and arrests as president Nicolás Maduro clings to power, according to MSNBC. (The US has recognized opposition candidate Edmundo González as the winner of the election.) Internet monitoring service NetBlocks said Thursday evening that Signal had become “unreachable on multiple internet providers” in the country. Maduro has also ordered a block on X, The Associated Press...

Continue reading…

Earlier this week, an apparent breach at one of the streamer's post-production partners led to animated projects being leaked online.

Six vulnerabilities in ATM-maker Diebold Nixdorf’s popular Vynamic Security Suite could have been exploited to control ATMs using “relatively simplistic attacks.”

Is that a lot? Depends on the context. GHz, no. Voltage, yes Intel has divulged more details on its Raptor Lake family of 13th and 14th Gen Core processor failures and the 0x129 microcode that's supposed to prevent further damage from occurring.…

A team of researchers have developed a method for extracting authentication keys out of HID encoders, which could allow hackers to clone the types of keycards used to secure offices and other areas worldwide.

Sellafield, which houses the largest store of plutonium in the world, was found to have left staggering cyber vulnerabilities unaddressed for four years

Researchers warn that a bug in AMD’s chips would allow attackers to root into some of the most privileged portions of a computer—and that it has persisted in the company’s processors for decades.