Tue, Nov 15, 2022

Twitter Two-Factor Authentication Has a Vulnerability

Data Breach Today

Hackers Gain Path to Potential Account Takeover by Turning Off SMS Second Factor

Twitter accounts that use SMS for two-factor authentication are at heightened risk of account takeover after the disclosure that texting "STOP" to the verification service turns the second factor off. With the SMS factor disabled, the account is exposed to a password reset attack or a credential stuffing attack.

Google Agrees to $391.5 Million Settlement with 40 States over Misleading Location Tracking Practices

Hunton Privacy

On November 14, 2022, Google LLC (“Google”) agreed to a $391.5 million settlement with the attorneys general of 40 U.S. states over the company’s location tracking controls available in its user account settings. The investigation by the state attorneys general found that, between 2014 and 2020, Google misled users by failing to disclose that toggling the “Location History” setting to off did not disable all location tracking.

Pro-Moscow Nuisance Hackers Claim DDoS Attack on FBI Website

Data Breach Today

KillNet Asserts It Temporarily Made FBI Websites Unavailable

Pro-Kremlin hackers claimed credit for a denial-of-service attack against FBI websites, the latest in a series of nuisance attacks. The FBI earlier said it is aware of "pro-Russian hacktivist groups employing DDoS attacks to target critical infrastructure companies with limited success."

Experts found critical RCE in Spotify’s Backstage

Security Affairs

Researchers from the security firm Oxeye discovered a critical remote code execution vulnerability (CVSS score 9.8) in Spotify’s Backstage Software Catalog and Developer Platform. Backstage is Spotify’s open-source platform for building developer portals; it is used by several organizations, including American Airlines, Netflix, Splunk, Fidelity Investments and Epic Games.

Arrest of Ukrainian in Cybercrime Case Shows Patience Pays

Data Breach Today

Suspect in Jabberzeus Banking Malware Gang Nabbed in Geneva

The apparent arrest of a Ukrainian national long wanted on cybercrime charges in the U.S. shows that, with enough patience, law enforcement can notch successes. A key member of the Jabberzeus gang, which stole tens of millions of dollars, was arrested in Geneva.

FDA Updates Medical Device Cyber Response Playbook

Data Breach Today

New Edition Emphasizes Regional, Cross-Functional Response Preparedness

Federal officials released updated guidance for medical device cybersecurity incidents, including ransomware, as cyberattacks against the healthcare sector continue to surge. From mid-2020 through 2021, 82% of healthcare systems reported a cyber incident, 34% of which involved ransomware.

The GDPR International Data Transfer Regime: the case for Proportionality and a Risk-Based Approach

DLA Piper Privacy Matters

The Schrems II judgment has created significant legal uncertainty and challenges for data exporters across the European Economic Area (the EEA), requiring highly complex assessments of the laws and practices of third countries and risk assessments. Compounding this challenge, the legal standard to be applied to personal data transfers abroad from the EEA has been the subject of recent regulatory and judicial attention – with European data protection supervisory authorities adopting an ab

US FTC Delays Safeguards Rule Deadlines by 6 Months

Data Breach Today

Regulators Heed Concerns Over Lack of Qualified Personnel in Private Sector

The U.S. Federal Trade Commission pushed to June 6 the date by which non-banking financial firms must follow the cybersecurity mandates in the updated Safeguards Rule. The agency approved the update on a partisan vote in October 2021, imposing requirements such as a written information security program.

China-linked APT Billbug breached a certificate authority in Asia

Security Affairs

A suspected China-linked APT group breached a digital certificate authority in Asia as part of a cyber espionage campaign that has targeted multiple government agencies in the region since March 2022, Symantec warns. Symantec attributes the attack to the China-linked cyberespionage group tracked as Billbug (aka Lotus Blossom, Thrip). A CA compromise matters because an attacker who controls a CA could issue certificates that sign malware or impersonate legitimate sites, although Symantec reported no evidence that any certificates were actually compromised.

How Do Recent CISA Directives Affect Private Firms?

Data Breach Today

Complying with BOD 23-01 mandates can help prevent security breaches, compliance fines, and litigation damages

Experts revealed details of critical SQLi and access issues in Zendesk Explore

Security Affairs

Cybersecurity researchers at Varonis disclosed technical details of critical SQL injection and access-control vulnerabilities in the Zendesk Explore service. Zendesk Explore allows organizations to view and analyze key information about their customers and their support resources.

[FREE Resource Kit] Stay Safe This Holiday Season with KnowBe4

KnowBe4

It's the best time of the year! But also, it's the busiest time for cybercriminals. Since your users will be distracted with seasonal activities, cybercriminals will take advantage of the surges of online shopping and travel to trick your users into becoming the next victim.

Security Technology Is Enabling Future Ways of Working

HID Global

New trusted identities technology plays a key role in helping organizations effectively meet future ways of working in the changing workplace environment.

Previously undetected Earth Longzhi APT group is a subgroup of APT41

Security Affairs

Trend Micro reported that Earth Longzhi, a previously undocumented subgroup of APT41, targets Ukraine and Asian countries. Early this year, Trend Micro investigated a security breach at a company in Taiwan in which the threat actors used a custom Cobalt Strike loader. Further analysis revealed that the same actor has targeted multiple regions with a similar Cobalt Strike loader and has been active since 2020.

“Hired Hand” in the Kingdom of Saudi Arabia Uses Domain Spoofing

KnowBe4

Sometimes a social engineering campaign has a clear geographical focus, often shaped by language, holidays, or current events. In this case, the scammers are taking opportunistic advantage of a company whose service offerings have a significant share in a locally important Saudi market, and their preferred technique has been domain-spoofing.

Avast details Worok espionage group’s compromise chain

Security Affairs

Researchers from the cybersecurity firm Avast observed the recently discovered cyber espionage group Worok abusing the Dropbox API to exfiltrate data through a backdoor hidden in apparently innocuous image files. The researchers started their investigation from the analysis published by ESET on attacks against organizations and local governments in Asia and Africa.
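
As an added illustration, and not Avast's analysis or any code from the Worok toolset, the Python below shows how a payload can ride in the least significant bits of an image's pixels without visibly altering it, and how an analyst pulls it back out. It assumes plain LSB steganography with a 4-byte length prefix, a common scheme chosen for illustration rather than a claim about Worok's exact encoding; the cover image and the payload are constructed in-line so the script runs offline.

```python
import struct

# Constructed 32x32 RGB cover image, a stand-in for the innocuous-looking PNG;
# a real analysis would load the decoded pixel rows from the file instead.
COVER = [((x * 7) & 0xFF, (y * 13) & 0xFF, ((x + y) * 3) & 0xFF)
         for y in range(32) for x in range(32)]

# Constructed stand-in for the hidden backdoor blob (not a real sample).
PAYLOAD = b"\x4d\x5a" + b"constructed stand-in for a hidden backdoor blob"


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, payload):
    """Return a copy of `pixels` (list of (r, g, b) tuples) carrying a
    4-byte big-endian length prefix followed by `payload` in the least
    significant bit of each colour channel, in scan-line order.

    Every channel changes by at most 1, which is why the carrier image
    still looks untouched to a viewer."""
    framed = struct.pack(">I", len(payload)) + payload
    flat = [c for px in pixels for c in px]
    if len(framed) * 8 > len(flat):
        raise ValueError("cover image too small for payload")
    for idx, bit in enumerate(_bits(framed)):
        flat[idx] = (flat[idx] & 0xFE) | bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]


def _read_bytes(flat, start_bit, count):
    """Reassemble `count` bytes from the LSBs starting at bit `start_bit`."""
    out = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (flat[start_bit + i * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract(pixels):
    """Recover the payload written by `embed`. The length prefix is checked
    against the image size so a clean image (or one using a different
    scheme) raises instead of returning garbage."""
    flat = [c for px in pixels for c in px]
    if len(flat) < 32:
        raise ValueError("image too small to hold a length prefix")
    length = struct.unpack(">I", _read_bytes(flat, 0, 4))[0]
    if 32 + length * 8 > len(flat):
        raise ValueError("length prefix exceeds image capacity; no payload found")
    return _read_bytes(flat, 32, length)


if __name__ == "__main__":
    stego = embed(COVER, PAYLOAD)
    touched = sum(a != b for a, b in zip(COVER, stego))
    print(f"pixels touched: {touched} of {len(COVER)}")
    print("recovered:", extract(stego))
```

The defensive takeaway is that file-type checks and image viewers see a valid picture either way; detection has to look at the decoded pixel data (LSB-plane statistics, or an unexpected length-prefixed structure like the one `extract` parses) or at what the process does after loading the image, such as the Dropbox API calls the article describes.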

Wipermania: Malware Remains a Potent Threat, 10 Years Since 'Shamoon'

Dark Reading

An in-depth analysis of system-destroying malware families presented at Black Hat Middle East & Africa shows a growing nuance in terms of how they're deployed.

Google to Pay a record $391M fine for misleading users about the collection of location data

Security Affairs

Google has agreed to pay $391.5 million to settle with 40 U.S. states for misleading users about the collection of personal location data. The settlement is the largest attorney general-led consumer privacy settlement ever, states the announcement published by the DoJ. “Google misled its users into thinking they had turned off location tracking in their account settings, whe

The Hunt for the Dark Web’s Biggest Kingpin, Part 4: Face to Face

WIRED Threat Level

The team uses a secret technique to locate AlphaBay’s server. But just as the operation heats up, the agents have an unexpected run-in with their target.

Misconfigurations, Vulnerabilities Found in 95% of Applications

Dark Reading

Weak configurations for encryption and missing security headers topped the list of software issues found during a variety of penetration and application security tests.

A tale of two cities: Flexible-first meets privacy-first

OpenText Information Management

We have all experienced this ourselves in the workplace lately: one week never looks the same as the next, with a mix of working from home, from the company office, and on the road travelling. The modern workplace has allowed many of us to benefit from a flexible-first philosophy as employees, adopting practices that best …

Nasty SQL Injection Bug in Zendesk Endangers Sensitive Customer Data

Dark Reading

The API-related vulnerabilities put conversations, email addresses, tickets, and more in danger of exposure via the Zendesk Explore reporting service.

House Energy and Commerce Leaders Demand Information from Various Toy Manufacturers

Hunton Privacy

On October 26, 2022, House Energy and Commerce Committee and Consumer Protection and Commerce Subcommittee leaders (“Committee Leaders”) sent letters to several toy manufacturers, including Bandai Namco, Hasbro, Mattel, MGA Entertainment, LEGO Group and the Toy Association, asking how they plan to protect children and their information from BigTech companies like TikTok and YouTube.

Modern CISO: More Than a Security Officer

Dark Reading

YL Ventures CISO-in-Residence Frank Kim weighs in on the top security concerns facing CISOs in a Dark Reading Q&A interview.

A holistic approach to security: Endpoint Protection

Jamf

Comprehensive endpoint protection provides modern threat landscape protection to your entire fleet of Apple endpoints and mobile devices. By protecting against new and evolving threats through effective and efficient defense-in-depth strategies, Jamf endpoint security solutions are not only best-of-breed, but their powerful and flexible workflows help organizations like yours to succeed with Apple at work without compromising data security, user privacy or end-user productivity.

Google Forks Over $391.5M in Record-Setting US Consumer Privacy Settlement

Dark Reading

A misleading location-tracking practice ensnared the search-engine giant in a massive privacy case spanning 40 states.

How to Integrate Mayhem for API Into Your Github Action Workflows

ForAllSecure

Mayhem for API comes with a GitHub Action and a GitHub App to help you check every change to your API for reliability, performance, and security issues. Our CLI can also upload Mayhem for API results to GitHub Code Scanning from any CI.

GitHub Action

With our GitHub Action, you'll get Mayhem for API testing with every API change in no time. To integrate Mayhem for API into your GitHub Actions workflows:

1. Create a Service Account token for your organization.

Where Can Third-Party Governance and Risk Management Take Us?

Dark Reading

Part 2 in our series addressing the top 10 unanswered questions in security: How will TPGRM evolve?