Data Breach Today
AUGUST 23, 2022
Texas Hospital Still Being Pressured, While French Hospital Responds to Ransomware A Texas-based hospital is apparently still contending with pressure to pay an extortion group that claims to have stolen patient data months ago, while a French medical center responds to a weekend attack and demands to pay a $10 million ransom.
Dark Reading
AUGUST 24, 2022
An insider threat or remote attacker with initial access could exploit CVE-2022-31676 to steal sensitive data and scoop up user credentials for follow-on attacks.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Data Breach Today
AUGUST 24, 2022
Takeaway: Behind-the-Scenes Security Reality at Well-Known Brands Not Always Pretty Cybersecurity experts have been reacting to industry veteran Peiter Zatko's allegations of poor information security practices at Twitter, with many noting that he's hardly the first expert to have been hired to remedy serious problems, only to say they were prevented from doing their job.
The Last Watchdog
AUGUST 25, 2022
APIs have come to embody the yin and yang of our digital lives. Related: Biden moves to protect water facilities. Without application programming interface, all the cool digital services we take for granted would not be possible. But it’s also true that the way software developers and companies have deployed APIs has contributed greatly to the exponential expansion of the cyber-attack surface.
Speaker: Dr. Greg Loughnane and Chris Alexiuk
Technology professionals developing generative AI applications are finding that there are big leaps from POCs and MVPs to production-ready applications. They're often developing using prompting, Retrieval Augmented Generation (RAG), and fine-tuning (up to and including Reinforcement Learning with Human Feedback (RLHF)), typically in that order. However, during development – and even more so once deployed to production – best practices for operating and improving generative AI applications are le
Security Affairs
AUGUST 25, 2022
Russia-linked APT group Nobelium is behind a new sophisticated post-exploitation malware tracked by Microsoft as MagicWeb. Microsoft security researchers discovered a post-compromise malware, tracked as MagicWeb, which is used by the Russia-linked NOBELIUM APT group to maintain persistent access to compromised environments. The NOBELIUM APT ( APT29 , Cozy Bear , and The Dukes) is the threat actor that conducted the supply chain attack against SolarWinds, which involved multiple families of impla
Information Management Today brings together the best content for information management professionals from the widest variety of industry thought leaders.
Data Breach Today
AUGUST 23, 2022
Accenture's Robert Boyce Advises Firms to Update Monitoring and Approval Processes Accenture analyzed the top 20 most active ransomware leak sites to see how threat actors are posting sensitive corporate information and making the data easy to search and exploit. Accenture's Robert Boyce explains how cybercriminals are weaponizing stolen ransomware data for follow-up attacks.
The Last Watchdog
AUGUST 22, 2022
Short-handed cybersecurity teams face a daunting challenge. Related: ‘ASM’ is cybersecurity’s new centerpiece. In an intensely complex, highly dynamic operating environment, they must proactively mitigate myriad vulnerabilities and at the same time curtail the harm wrought by a relentless adversary: criminal hacking collectives. In short, attack surface management has become the main tent pole of cybersecurity.
Security Affairs
AUGUST 25, 2022
Password management software firm LastPass has suffered a data breach, threat actors have stole source code and other data. Password management software firm LastPass disclosed a security breach, threat actors had access to portions of the company development environment through a single compromised developer account and stole portions of source code and some proprietary technical information. “Two weeks ago, we detected some unusual activity within portions of the LastPass development env
Schneier on Security
AUGUST 22, 2022
This is a dumb crypto mistake I had not previously encountered: A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicle’s manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples. […]. “Turns out the [AES] encryption key in that script is the first AES 128-bit CBC example key listed in the NIST document SP800-38A [PDF]” […].
Speaker: Keith Kmett, Principal CX Advisor at Medallia
Join Keith Kmett, Principal CX Advisor, in this new webinar that will focus on: Understanding CX Orchestration Fundamentals: Gain a solid understanding of what CX orchestration is, its significance in the customer experience landscape, and how it plays a crucial role in shaping customer journeys. This includes the key concepts, strategies, and best practices involved in CX orchestration. 🔑 Connection to Customer Journey Maps: How to effectively integrate customer journey mapping into the
Data Breach Today
AUGUST 26, 2022
Security Experts Continue to Recommend Password Managers As Security Best Practice Password manager stalwart LastPass acknowledged Thursday that a threat actor gained unauthorized access to its source code and proprietary technical information. The attacker does not appear to have gained access to customer data or encrypted password vaults.
IT Governance
AUGUST 23, 2022
Cyber liability insurance helps organisations cover the financial costs of a data breach. It’s essential for any business that wishes to adequately prepare for disruptive incidents. Without insurance, organisations spend £3.6 million on average recovering from security incidents. That includes the costs associated with incident detection, notifying affected individuals and remediation.
eSecurity Planet
AUGUST 25, 2022
The widely-used DevOps platform GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE). The vulnerability was reported for a number of versions of GitLab CE/EE: all versions starting from 11.3.4 before 15.1.5 all versions starting from 15.2 before 15.2.3 all versions starting from 15.3 before 15.3.1.
Schneier on Security
AUGUST 25, 2022
Here’s a phishing campaign that uses a man-in-the-middle attack to defeat multi-factor authentication: Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into. When the user entered a password into the proxy site, the proxy site sent it to the real server and then relayed the real server’s response back to the user.
Advertisement
The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.
Data Breach Today
AUGUST 23, 2022
Agency Tells Federal Government to Patch Misconfiguration by Sept. 12 Attackers could take advantage of a misconfiguration in Palo Alto firewalls to launch amplification DDoS attacks, a vulnerability that led the U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability its catalog of actively exploited vulnerabilities.
KnowBe4
AUGUST 25, 2022
Scammers created a deepfake video of Patrick Hillmann, Chief Communications Officer at cryptocurrency exchange Binance, in order to scam people. Hillmann explained in a blog post that he became aware of the scam after receiving messages from people he had never met, thanking him for meeting with them over Zoom.
Security Affairs
AUGUST 24, 2022
Threat actors are using the Tox peer-to-peer instant messaging service as a command-and-control server, Uptycs researchers reported. Tox is a peer-to-peer serverless instant messaging services that uses NaCl for encryption and decryption. Uptycs researchers reported that threat actors have started using the Tox peer-to-peer instant messaging service as a command-and-control server.
Dark Reading
AUGUST 25, 2022
The Forte Group, which gained momentum as an informal organization during the pandemic, will offer career development and advocacy for women execs in cybersecurity as well as newcomers.
Advertisement
There’s a good reason why Apache Cassandra® is quickly becoming the NoSQL database of choice for organizations of all stripes. In this white paper, discover the key use cases that make Cassandra® such a compelling open source software – and learn the important pitfalls to avoid. From understanding its distributed architecture to unlocking its incredible power for industries like healthcare, finance, retail and more, experience how Cassandra® can transform your entire data operations.
Data Breach Today
AUGUST 25, 2022
Retailer Accused of Selling Customer Data While Failing to Honor Opt-Out Requests Retailer Sephora has been fined $1.2 million as part of a settlement agreement with California's attorney general, over accusations that it violated the California Consumer Privacy Act by failing to disclose that it was selling customers' data and not honoring their opt-out requests.
KnowBe4
AUGUST 25, 2022
Companies heavily reliant on operational technology (OT) to function are just as much a target as businesses relying in traditional IT and are facing some of the same challenges to stop attacks.
eSecurity Planet
AUGUST 23, 2022
Linux has an extensive range of open-source distributions that pentesters, ethical hackers and network defenders can use in their work, whether for pentesting , digital forensics or other cybersecurity uses. Also known as “distros,” these distributions are variations of Linux that include the Linux kernel and usually a specific package manager. For example, Kali Linux, one of the most popular pentesting OSs, is Debian-based, which means it’s based on the Debian Project.
Dark Reading
AUGUST 24, 2022
The bug tracked as CVE-2022-0028 allows attackers to hijack firewalls without authentication, in order to mount DDoS hits on their targets of choice.
Speaker: Blackberry, OSS Consultants, & Revenera
Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?
Data Breach Today
AUGUST 26, 2022
Reward for White Hats Valid till Sept. 8 for Merge-related Vulnerabilities Ethereum is offering up to $1 million bounty to white hat hackers who identify merge-related critical vulnerabilities on its blockchain. The four-fold increase in reward will be applicable between Wednesday and Sept. 8. The merge is set to be completed by Sept.
KnowBe4
AUGUST 25, 2022
If you've been approached by recruiters on LinkedIn for a potential job opportunity, you may want to pay attention to this recent scam.
Threatpost
AUGUST 25, 2022
Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed.
Security Affairs
AUGUST 23, 2022
Experts warn that over 80,000 Hikvision cameras are vulnerable to a critical command injection vulnerability. Security researchers from CYFIRMA have discovered over 80,000 Hikvision cameras affected by a critical command injection vulnerability tracked as CVE-2021-36260. The Chinese vendor addressed the issue in September 2021, but tens of thousands of devices are yet to be patched.
Speaker: Steve Pappas
As businesses strive for success in an increasingly digitized world, delivering an exceptional customer experience has become paramount. To meet this demand, enterprises are embracing innovative approaches that captivate customers and fuel their loyalty. 💥 Enter conversational AI - an absolute game-changer (if done right) in redefining CX norms.
Data Breach Today
AUGUST 26, 2022
'Subject X' Suspected in Theft of Nearly 10,000 credentials at 130 Organizations An ongoing phishing campaign has compromised Twilio, Mailchimp and about 130 other organizations by using a lookalike Okta login page to trick employees into divulging their password and multi-factor authentication code. Researchers have traced the attacks to a 22-year-old suspect in North Carolina.
Hunton Privacy
AUGUST 25, 2022
On August 24, 2022, California Attorney General Rob Bonta announced the Office of the Attorney General’s (“OAG’s”) first settlement of a California Consumer Privacy Act (“CCPA”) enforcement action, against Sephora, Inc. The OAG’s enforcement action against Sephora, which was part of a broader “enforcement sweep” of over 100 online retailers, involved allegations that Sephora failed to: Disclose to consumers that the company “sells” personal information (as broadly defined under the CCPA); Provid
eSecurity Planet
AUGUST 22, 2022
Twenty years ago, Saturday Night Live nailed a tendency in IT to be overly absorbed in tech-speak and to do a poor job of educating users. The Nick Burns: Your Company Computer Guy skits showed rude IT guys belittling users as they fixed their “stupid” problems. A recent experience highlighted that security awareness training and most alerts to users about unsafe practices may be making the error of being too general.
Expert insights. Personalized for you.
301 
Let's personalize your content