May, 2022

FBI: Russian Forums Sell Higher Education Credentials

Data Breach Today

Agency Spotted Compromised Credentials On Various Dark Web Forums The FBI is warning the U.S. higher education sector about compromised sensitive credentials and network access information advertised for sale across various public and Dark Web forums.

When Your Smart ID Card Reader Comes With Malware

Krebs on Security

Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder’s appropriate security level.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Multiple Microsoft Office versions impacted by an actively exploited zero-day

Security Affairs

A zero-day flaw in Microsoft Office that could be exploited by attackers to achieve arbitrary code execution on Windows systems. The cybersecurity researcher nao_sec discovered a malicious Word document (“05-2022-0438.doc”) that was uploaded to VirusTotal from Belarus.

MY TAKE: Businesses gravitate to ‘passwordless’ authentication — widespread consumer use up next

The Last Watchdog

Google, Microsoft and Apple are bitter arch-rivals who don’t often see eye-to-eye. Related: Microsoft advocates regulation of facial recognition tools. Yet, the tech titans recently agreed to adopt a common set of standards supporting passwordless access to websites and apps.

6 Steps to More Streamlined Data Modeling

Are you a developer, database architect, or database administrator that's new to Cassandra, but been tasked with developing a plan for implementing the technology anyway? Worry no more. Discover a streamlined methodical approach to Apache Cassandra® data modeling.

Act Now: Leveraging PCI Compliance to Improve Security

Dark Reading

Let the threat landscape guide your company's timeline for complying with new data security standards for credit cards. Use the phase-in time to improve security overall — security as a process — not just comply with new standards

More Trending

A $150 Million Plan to Secure Open-Source Software

Data Breach Today

Areas of Proposed Investments Include SBOMs, Software Supply Chains The Linux Foundation and the Open Source Security Foundation have put forth a nearly $150 million investment plan, spread across two years, to strengthen open-source security in the U.S.

Russia to Rent Tech-Savvy Prisoners to Corporate IT?

Krebs on Security

Image: Proxima Studios, via Shutterstock.

IT 239

Experts released PoC exploit code for critical VMware CVE-2022-22972 flaw

Security Affairs

Security researchers released PoC exploit code for the critical authentication bypass vulnerability CVE-2022-22972 affecting multiple VMware products.

GUEST ESSAY: Why organizations need to prepare for cyber attacks fueled by quantum computers

The Last Watchdog

In today’s times, we are more aware of cyberattacks as these have become front-page news. We most recently witnessed this as Russia invaded Ukraine. Cyberattacks were used as the first salvo before any bullet or missile was fired. Related: The role of post-quantum encryption.

Intent Signal Data 101

Intent signal data helps B2B marketers engage with buyers sooner in the sales cycle. But there are many confusing terms used to describe intent data. Read this infographic to better understand three common areas of confusion.

ChromeLoader Malware Hijacks Browsers With ISO Files

Dark Reading

The malware’s abuse of PowerShell makes it more dangerous, allowing for more advanced attacks such as ransomware, fileless malware, and malicious code memory injections

Thousands of Top Websites See What You Type—Before You Hit Submit

WIRED Threat Level

A surprising number of the top 100,000 websites effectively include keyloggers that covertly snag everything you type into a form. Security Security / Privacy

Phisher Jailed After Tricking Pentagon Out of $24 Million

Data Breach Today

California Resident Found Guilty on Total of 6 Criminal Counts Sercan Oyuntur, a 40-year-old California resident, has been found guilty of stealing payments of over $23 million from the U.S. Department of Defense, according to the U.S. Department of Justice.

Microsoft Patch Tuesday, May 2022 Edition

Krebs on Security

Microsoft today released updates to fix at least 74 separate security problems in its Windows operating systems and related software.

10 Rules to More Streamlined Data Modeling

Apache Kafka is a powerful piece of software that can solve a lot of problems. Like most libraries and frameworks, you get out of it what you put into it. Learn 10 rules that will help you perfect your Kafka system to get ahead.

ERMAC 2.0 Android Banking Trojan targets over 400 apps

Security Affairs

A new version of the ERMAC Android banking trojan is able to target an increased number of apps. The ERMAC Android banking trojan version 2.0 can target an increasing number of applications, passing from 378 to 467 target applications to steal account credentials and crypto-wallets.

GUEST ESSAY: Rising global tensions put us a few lines of code away from a significant cyber event

The Last Watchdog

Reflecting on the threats and targets that we are most concerned with given the Russia-Ukraine war, cybersecurity is now the front line of our country’s wellbeing. Cyber threats endanger businesses and individuals — they can affect supply chains, cause power grid failures, and much more. Related: Reaction to Biden’s cybersecurity order.

How to Turn a Coke Can Into an Eavesdropping Device

Dark Reading

Cyber-researchers are testing the bounds of optical attacks with a technique that allows attackers to recover voice audio from meetings if there are shiny, lightweight objects nearby

114
114

NOYB open letter on the new EU – US data deal

DLA Piper Privacy Matters

Max Schrems, through his organisation, ‘My Privacy is None of your Business’ (“ noyb.eu ”) has issued an open letter to U.S. and EU officials about the announcement of an ‘agreement in principle’ for a new Trans-Atlantic Data Privacy Framework (“ letter ”).

Powering Personalization Through Customer Data

Finding the right CDP can help unlock the value of your customer data. This eBook offers guidance on choosing, deploying, and utilizing a CDP, along with a case study on how one bank put data into action to forge stronger connections with customers.

Feds Allege Former IT Consultant Hacked Healthcare Company

Data Breach Today

Experts: Case Spotlights Critical, But Often Overlooked, Insider Threats, Risks A former IT consultant has been charged with allegedly hacking into a computer server of a healthcare company client that had months earlier denied him employment with the organization.

IT 269

DEA Investigating Breach of Law Enforcement Data Portal

Krebs on Security

The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases.

GhostTouch: how to remotely control touchscreens with EMI

Security Affairs

Security researchers devised a technique, dubbed GhostTouch, to remotely control touchscreens using electromagnetic signals.

Paper 112

GUEST ESSAY: A Memorial Day call to upskill more veterans for in-demand cybersecurity roles

The Last Watchdog

It’s no secret that cybersecurity roles are in high demand. Today there are more than 500,000 open cybersecurity roles in the U.S., leaving organizations vulnerable to cyber threats. Related: Deploying employees as threat sensors. Meanwhile, 200,000 well-trained and technically skilled military service members are discharged each year. These individuals have many transferable skills that would make cybersecurity a prosperous civilian career.

Modernizing Workloads with the Cloud: How to Improve Performance & Reduce Costs

In this eBook, you’ll learn how to migrate workloads to Azure and optimize performance for your serverless and containerized applications in Azure.

Majority of Kubernetes API Servers Exposed to the Public Internet

Dark Reading

Shadowserver Foundation researchers find 380,000 open Kubernetes API servers

114
114

Spear Phishing a Diplomat

KnowBe4

Researchers at Fortinet observed a spear phishing attack that targeted a Jordanian diplomat late last month. The researchers attribute this attack to the Iranian state-sponsored threat actor APT34 (also known as OilRig or Helix Kitten).

CISA Advises Federal Agencies to Patch VMware Flaws

Data Breach Today

Emergency Directive Says Many Threat Actors Are Exploiting the Bugs in the Wild An emergency directive from the U.S.

Costa Rica May Be Pawn in Conti Ransomware Group’s Bid to Rebrand, Evade Sanctions

Krebs on Security

Costa Rica’s national health service was hacked sometime earlier this morning by a Russian ransomware group known as Hive.

Prioritizing Customer Experience Using SLIs & SLOs: A Case Study from The Telegraph

Service Level Indicators (SLIs) and Service Level Objectives (SLOs) are a key pillar of Site Reliability Engineering (SRE) and are the principal tool for eliminating needless alerts and focusing on what really matters to the business.

EnemyBot malware adds new exploits to target CMS servers and Android devices

Security Affairs

The operators of the EnemyBot botnet added exploits for recently disclosed flaws in VMware, F5 BIG-IP, and Android systems.

CMS 109

GUEST ESSAY: A primer on content management systems (CMS) — and how to secure them

The Last Watchdog

You very likely will interact with a content management system (CMS) multiple times today. Related: How ‘business logic’ hackers steal from companies. For instance, the The Last Watchdog article you are reading uses a CMS to store posts, display them in an attractive manner, and provide search capabilities. Wikipedia uses a CMS for textual entries, blog posts, images, photographs, videos, charts, graphics, and “ talk pages ” that help its many contributors collaborate.

CMS 196

Critical OAS Bugs Open Industrial Systems to Takeover

Dark Reading

The most serious flaw gives attackers a way to remotely execute code on systems that many organizations use to move data in critical ICS environments, security vendor says