ChatGPT gets “eyes and ears” with plugins that can interface AI with the world
(credit: Aurich Lawson | Getty Images)
On Thursday, OpenAI announced a plugin system for its ChatGPT AI assistant. The plugins give ChatGPT the ability to interact with the wider world through the Internet, including booking flights, ordering groceries, browsing...
Huge collection of vintage Apple computers goes to auction next week
I mostly recognize this early laptop from its resemblance to a similar-looking computer in the film 2010. It's up for auction along with hundreds of other old Apple computers. (credit: Julien's Auctions)
If you've been thinking your home...
If your Netgear Orbi router isn’t patched, you’ll want to change that pronto
An Orbi 750 series router. (credit: Netgear)
If you rely on Netgear’s Orbi mesh wireless system to connect to the Internet, you’ll want to ensure it’s running the latest firmware now that exploit code has been released for...
Russia’s iPhone ban and the digital supply chain
Russia’s Kremlin ordered officials to stop using iPhones, apparently over concerns the devices could be vulnerable to Western intelligence agencies, Reuters reports. When surveillance-as-a-service firms sit exposed for brazenly undermining device security, it's hard to think there isn't an argument there. But the bigger story isn’t the harm to...
Patch Office and Windows now to resolve two zero-days
Microsoft has resolved 80 new CVEs this month in addition to four earlier CVEs, bringing the number of security issues addressed in this month's Patch Tuesday release to 84. Unfortunately, we have two zero-day flaws in Outlook (CVE-2023-23397) and Windows (CVE-2023-24880) that carry a "Patch Now" requirement for both...
Feds to Microsoft: Clean up your security act — or else
The US government, worried about the continuing growth of cybercrime, ransomware, and countries including Russia, Iran, and North Korea hacking into government and private networks, is in the middle of drastically changing its cybersecurity strategy. No longer will it rely largely on prodding businesses and tech companies to voluntarily...
Critical flaw in WooCommerce can be used to compromise WordPress websites
WooCommerce, a popular plug-in for running WordPress-based online stores, contains a critical vulnerability that could allow attackers to take over websites. Technical details about the vulnerability have not been published yet, but the WooCommerce team released updates and attackers could reverse-engineer the patch. "Although what we know at this time...
Cyberpion rebrands as Ionix, offering new EASM visibility improvements
SaaS-based external attack surface management (EASM) company Cyberpion has rebranded as Ionix, at the same time adding a clutch of new cybersecurity capabilities to its namesake offering. Designed to provide a “wider coverage and deeper focus” into its customers’ internet-facing assets and connected dependencies, the revamp of Ionix's system will...
Android-based banking Trojan Nexus now available as malware-as-a-service
Italian cybersecurity firm Cleafy has found “Nexus”, a new Android Trojan capable of hijacking online accounts and siphoning funds from them, to be targeting customers from 450 banks and cryptocurrency services worldwide. First observed in June 2022 as a variant of SOVA, another Android banking Trojan, Nexus has since improved...
CyberSecure Announces Strategic Alliance
The joint partnership represents expanded market opportunities.
Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest
In two days, ethical researchers from 10 countries have unearthed more than 22 zero-day bugs in a wide range of technologies at the annual hacking contest.
GitHub's Private RSA SSH Key Mistakenly Exposed in Public Repository
GitHub hastens to replace its RSA SSH host key after an exposure mishap threatens users with man-in-the-middle attacks and organization impersonation.
Zoom Zoom: 'Dark Power' Ransomware Extorts 10 Targets in Less Than a Month
A new threat actor is racking up victims and showing unusual agility. Part of its success could spring from the use of the Nim programming language.
C can be memory-safe
The idea of memory-safe languages is in the news lately. C/C++ is famous for being the world's system language (that runs most things) but also infamous for being unsafe. Many want to solve this by hard-forking the world's system code, either by changing C/C++ into something that's memory-safe, or rewriting everything...
I’m still bitter about Slammer
Today is the 20th anniversary of the Slammer worm. I'm still angry over it, so I thought I'd write up my anger. This post will be of interest to nobody; it's just me venting my bitterness, and get off my lawn!! Back in the day, I wrote "BlackICE", an intrusion...
The RISC Deprogrammer
I should write up a larger technical document on this, but in the meanwhile here is this short(-ish) blog post. Everything you know about RISC is wrong. It's some weird nerd cult. Techies frequently mention RISC in conversation, with other techies nodding their heads in agreement, but it's all wrong....
The DEA Quietly Turned Apple’s AirTag Into A Surveillance Tool
Apple’s quarter-sized location tracker was hidden in a pill press by the DEA to conduct surveillance. The AirTag’s small size and reliability could make it an attractive tool for cops.
Jack Dorsey’s Block Slammed For Failure To Stop Criminals Abusing Cash App
Cash App’s Barcelona-based business fined for anti-money laundering and terrorist financing failures, while Hindenburg Research shorts owner Block, citing ‘Wild West’ approach to compliance.
New EU Greenwashing Rules Fail To Prevent Misinformation, Say Campaign Groups
Consumer and environmental groups have hit out at new EU anti-greenwashing rules that they say fail to prevent companies spreading misinformation about their products.
OSV and the Vulnerability Life Cycle
Posted by Oliver Chang and Andrew Pollock, Google Open Source Security Team
It is an interesting time for everyone concerned with open source vulnerabilities. The U.S. Executive Order on Improving the Nation's Cybersecurity requirements for vulnerability disclosure programs and assurances for software used by the US government will go...
Thank you and goodbye to the Chrome Cleanup Tool
Posted by Jasika Bawa, Chrome Security Team
Starting in Chrome 111 we will begin to turn down the Chrome Cleanup Tool, an application distributed to Chrome users on Windows to help find and remove unwanted software (UwS).
Origin story
The Chrome Cleanup Tool was introduced in 2015...
Google Trust Services now offers TLS certificates for Google Domains customers
Andy Warner, Google Trust Services, and Carl Krauss, Product Manager, Google Domains
We’re excited to announce changes that make getting Google Trust Services TLS certificates easier for Google Domains customers. With this integration, all Google Domains customers will be able to acquire public certificates for their websites at no additional...
Danger USB! Journalists sent exploding flash drives
If you were sent a USB stick anonymously through the post, would you plug it into your computer?
Perhaps you'll think twice when you hear what happened to these Ecuadorian journalists.
Read more in my article on the Hot for Security blog.
Europe’s transport sector terrorised by ransomware, data theft, and denial-of-service attacks
A new report from ENISA, the European Union Agency for Cybersecurity, looking at cyberattacks targeting the European transport network over a period of almost two years, has identified that ransomware has become the prominent threat.
Read more in my article on the Tripwire State of Security blog.
Fake GPT Chrome extension steals Facebook session cookies, breaks into accounts
The world has gone ChatGPT bonkers.
Which makes it an effective lure for cybercriminals who may want to break into accounts...
New Attack Targets Online Customer Service Channels
An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort.
Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart...
Cybersecurity 101: What is Attack Surface Management?
There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them.
ASM is a cybersecurity...
Six Ways to Secure Your Organization on a Smaller Budget
My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience.
Many companies must now protect their...
What Is Shoulder Surfing? How Does It Affect Cybersecurity
In today's highly digital world, we rely primarily on technology to protect our sensitive data, including financial information, personal information, and corporate secrets. As technology is widely adopted, our personal and sensitive information is vulnerable to being obtained by malicious people. One of the methods...
Future-Proofing Your Business Against Insider Threats
In today’s digital world, businesses face various cybersecurity threats, including malware, hacking, and phishing scams. Insider threats, unfortunately, are widely ignored. These threats could emerge from former or present staff members, professionals, or affiliates with access to sensitive company data. Insiders can cause considerable harm to a business, either...
The Revolutionizing Power of AI In Cybersecurity
Technology is evolving rapidly, and with it the threat landscape for cyber-attacks has grown. Cybercriminals are developing increasingly complex attacks, making it increasingly difficult for businesses to keep their security measures up to date. This is where Artificial Intelligence (AI) plays a huge role, as it...
CISA Unveils Ransomware Notification Initiative
Provides businesses with early warnings to evict threat actors before they can encrypt data
WooCommerce Patches Critical Plugin Flaw Affecting Half a Million Sites
The vulnerability could allow an unauthenticated attacker to gain admin privileges and take over a website
GitHub Updates Security Protocol For Operations Over SSH
The move reportedly did not stem from a compromise of GitHub systems or customer information
Google Suspends Chinese E-Commerce App Pinduoduo Over Malware
Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the app. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting...
Why You Should Opt Out of Sharing Data With Your Mobile Provider
A new breach involving data from nine million AT&T customers is a fresh reminder that your mobile provider likely collects and shares a great deal of information about where you go and what you do with your mobile device — unless and until you affirmatively opt out of this...
Feds Charge NY Man as BreachForums Boss “Pompompurin”
The U.S. Federal Bureau of Investigation (FBI) this week arrested a New York man on suspicion of running BreachForums, a popular English-language cybercrime forum where some of the world's biggest hacked databases routinely first show up for sale. The forum’s administrator “Pompompurin” has been a thorn in the side...
WooCommerce Payments plugin for WordPress has an admin-level hole – patch now!
Admin-level holes in websites are always a bad thing... and for "bad", read "worse" if it's an e-commerce site.
S3 Ep127: When you chop someone out of a photo, but there they are anyway…
Listen now - latest episode. Full transcript inside.
Windows 11 also vulnerable to “aCropalypse” image data leakage
Turns out that the Windows 11 Snipping Tool has the same "aCropalypse" data leakage bug as Pixel phones. Here's how to work around the problem...
Google Pixel phones had a serious data leakage bug – here’s what to do!
What if the "safe" images you shared after carefully cropping them... had some or all of the "unsafe" pixels left behind anyway?
Malware Steals Data By Adjusting Screen Brightness
Malware on an air-gapped computer can transmit data like Morse code by changing screen brightness in a way that's invisible to the naked eye but easily recorded with a camera.
Hackers Pose as Wall Street Journal Reporter to Phish Victims
Watch out for suspicious interview requests. 'The main focus of this phishing campaign was stealing email account information of the victims, and finding information about their contacts/networks,' the cybersecurity experts at Certfa Lab warned on Wednesday.
Google Photos Videos Were Shared With Strangers
Google's Takeout service was designed to let people download their data, but accidentally sent videos from Google Photos accounts to strangers.
Dish customers struggle with service disruptions weeks after ransomware attack
Customers complain that they are still having payment issues and are not able to contact customer service weeks after Dish Network suffered a ransomware attack.
LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling
Reverse-engineering reveals close similarities to BlackMatter ransomware, with some improvements
Patch released for critical vulnerability in WooCommerce Payments plug-in
WooCommerce Payments runs on more than 6 million websites, so security teams that use the platform need to patch immediately or risk unauthenticated administrative takeover of their websites.
Friday Squid Blogging: Creating Batteries Out of Squid Cells
This is fascinating:
“When a squid ends up chipping what’s called its ring tooth, which is the nail underneath its tentacle, it needs to regrow that tooth very rapidly, otherwise it can’t claw its prey,” he explains.
This was intriguing news and it sparked an idea in Hopkins lab where...
A Hacker’s Mind News
My latest book continues to sell well. Its ranking hovers between 1,500 and 2,000 on Amazon. It’s been spied in airports.
Reviews are consistently good. I have been enjoying giving podcast interviews. It all feels pretty good right now.
You can order a signed book from me here.
For those of you...
Exploding USB Sticks
In case you don’t have enough to worry about, people are hiding explosives—actual ones—in USB sticks:
In the port city of Guayaquil, journalist Lenin Artieda of the Ecuavisa private TV station received an envelope containing a pen drive which exploded when he inserted it into a computer, his employer said.
Artieda...
Apple backup tips for World Backup Day
Backup tips for Apple users on World Backup Day.
The post Apple backup tips for World Backup Day appeared first on SecureMac.
Checklist 321: Not Phoning It In
ICE breaks its own rules; Customer Proprietary Network Information and your privacy; the Kremlin ditches smartphones.
The post Checklist 321: Not Phoning It In appeared first on SecureMac.
Checklist 320: Speedy Scams and Securing iCloud
SVB scams and how to spot them. Plus: Simple steps to make iCloud safer.
The post Checklist 320: Speedy Scams and Securing iCloud appeared first on SecureMac.
CISA announced the Pre-Ransomware Notifications initiative
The US Cybersecurity and Infrastructure Security Agency (CISA) announced the Pre-Ransomware Notifications service to help organizations stop ransomware attacks before damage occurs.
The US Cybersecurity and Infrastructure Security Agency announced a new Pre-Ransomware Notification initiative that aims at alerting organizations of early-stage ransomware attacks.
The principle behind the initiative is simple: ransomware...
Critical flaw in WooCommerce Payments plugin allows site takeover
A patch for a critical vulnerability in the WooCommerce Payments plugin for WordPress has been released for over 500,000 websites.
On March 23, 2023, researchers from Wordfence observed that the “WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo” plugin had been updated to version 5.6.2.
The WooCommerce Payments...
Cisco fixed multiple severe vulnerabilities in its IOS and IOS XE software
Cisco addressed tens of vulnerabilities in its IOS and IOS XE software; six of these issues have been rated ‘high severity’.
Cisco published the March 2023 Semiannual IOS and IOS XE Software Security Advisory that addresses several vulnerabilities in IOS and IOS XE software.
Below is the list of flaws...
US Charges 20-Year-Old Head of Hacker Site BreachForums
The US Justice Department charged Conor Brian Fitzpatrick, founder of BreachForums, a major underground website for computer hackers.
The post US Charges 20-Year-Old Head of Hacker Site BreachForums appeared first on SecurityWeek.
Tesla Hacked Twice at Pwn2Own Exploit Contest
Researchers at French offensive hacking shop Synacktiv demonstrated successful exploit chains against Tesla’s newest electric car to take top billing at the annual Pwn2Own contest.
The post Tesla Hacked Twice at Pwn2Own Exploit Contest appeared first on SecurityWeek.
CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
The U.S. government’s cybersecurity agency ships a new tool to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments.
The post CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections appeared first on SecurityWeek.
DevSecOps puts security in the software cycle
Addressing cybersecurity can be a challenge when the focus is on speed in software development and production life cycles.
The post DevSecOps puts security in the software cycle appeared first on TechRepublic.
Even after armed with defense tools, CISOs say successful cyberattacks are ‘inevitable’: New study
Cisco’s just-released 2023 Cybersecurity Index shows companies will invest more in security, but the solution may be a larger tent, not more umbrellas.
The post Even after armed with defense tools, CISOs say successful cyberattacks are ‘inevitable’: New study appeared first on TechRepublic.
Massive adversary-in-the-middle phishing campaign bypasses MFA and mimics Microsoft Office
Microsoft has already seen millions of phishing emails sent every day by attackers using this phishing kit. Learn how to protect your business from this AitM campaign.
The post Massive adversary-in-the-middle phishing campaign bypasses MFA and mimics Microsoft Office appeared first on TechRepublic.
Why is TikTok banned from government phones – and should rest of us be worried?
UK has removed app over concerns data can be monitored by Chinese state, but public remain vulnerable
TikTok is wildly popular, with more than 1 billion people consuming its short video posts around the world. But the app is less favoured by politicians in key markets such as the US...
Voice system used to verify identity by Centrelink can be fooled by AI
Exclusive: Voiceprint program used by millions of Australians to access data held by government agencies shown to have a serious security flaw
A voice identification system used by the Australian government for millions of people has a...
Labor plan to beef up government’s cyber powers faces Senate block
A paper expanding on greater ability to intervene during hacks – especially on private companies – causes alarm among Coalition and Greens
Labor could face Senate difficulties if it...
OpenAI Reveals Redis Bug Behind ChatGPT User Data Exposure Incident
OpenAI on Friday disclosed that a bug in the Redis open source library was responsible for the exposure of other users' personal information and chat titles in the upstart's ChatGPT service earlier this week.
The glitch, which came to light on March 20, 2023, enabled certain users to view brief descriptions...
Malicious Python Package Uses Unicode Trickery to Evade Detection and Steal Data
A malicious Python package on the Python Package Index (PyPI) repository has been found to use Unicode as a trick to evade detection and deploy an info-stealing malware.
The package in question, named onyxproxy, was uploaded to PyPI on March 15, 2023, and comes with capabilities to harvest and exfiltrate credentials...
THN Webinar: Inside the High Risk of 3rd-Party SaaS Apps
Any app that can improve business operations is quickly added to the SaaS stack. However, employees don't realize that this SaaS-to-SaaS connectivity, which typically takes place outside the view of the security team, significantly increases risk.
Whether employees connect through Microsoft 365, Google Workspace, Slack, Salesforce, or any other app,...
CISA unleashes Untitled Goose Tool to honk at danger in Microsoft’s cloud
Not a headline we expected to write today
American cybersecurity officials have released an early-warning system to protect Microsoft cloud users.…
Github publishes RSA SSH host keys by mistake, issues update
Getting connection failures? Don't panic. Get new keys
Github has updated its SSH keys after accidentally publishing the private part to the world. Whoops.…
French parliament says oui to AI surveillance for 2024 Paris Olympics
Liberté, égalité, reconnaissance faciale for all
Despite the opposition of 38 civil society groups, the French National Assembly has approved the use of algorithmic video surveillance during the 2024 Paris Olympics.…
Episode 249: Intel Federal CTO Steve Orrin on the CHIPS Act and Supply Chain Security
Paul speaks with Steve Orrin, the Federal CTO at Intel Corp about representing Intel and its technologies to Uncle Sam and the impact of the CHIPS Act a massive new federal investment in semiconductors.
The post Episode 249: Intel Federal CTO Steve Orrin on the CHIPS Act and Supply...
Malicious Automation is driving API Security Breaches
Removing the ability to automate against a vulnerable API is a huge step forward, as automation is a key enabler for both the exploitation and the extraction of large amounts of sensitive data.
The post Malicious Automation is driving API Security Breaches appeared first on The Security Ledger with Paul...
Spotlight: Making the Most of Cyber Threat Intelligence with Itsik Kesler of KELA
In this Spotlight episode of the Security Ledger podcast, I interview Itsik Kesler, the CTO of the threat intelligence firm Kela about the evolution of threat intelligence and findings from the company’s latest State of Cybercrime Threat Intelligence report.
The post Spotlight: Making the Most of Cyber Threat Intelligence with Itsik Kesler of...
Interpol arrests thousands of scammers in operation “First Light 2022”
Law enforcement agencies around the world appear to have scored a major victory in the fight against fraudsters, in an operation that seized tens of millions of dollars and saw more than 2,000 people arrested. Operation “First Light 2022”, running for two months from March 8 2002 until May...
Weekly Update 339
Presently sponsored by: Kolide ensures only secure devices can access your cloud apps. It's Device Trust tailor-made for Okta. Book a demo today.
Why can't I audio right? It's my 339th video and I still make mistakes 🙂 But it came good and we got a decent show out of...
Weekly Update 338
I'm going to lead this post with where I finished the video because it brought the biggest smile to Charlotte's and my faces this week: This. Is. Amazing 😍...
To Infinity and Beyond, with Cloudflare Cache Reserve
What if I told you... that you could run a website from behind Cloudflare and only have 385 daily requests miss their cache and go through to...
Highlights from TikTok CEO’s Congress grilling – Week in security with Tony Anscombe
Here are some of the key moments from the five hours of Shou Zi Chew's testimony and other interesting news on the data privacy front
The post Highlights from TikTok CEO’s Congress grilling – Week in security with Tony Anscombe appeared first on WeLiveSecurity
What TikTok knows about you – and what you should know about TikTok
As TikTok CEO attempts to placate U.S. lawmakers, it’s time for us all to think about the wealth of personal information that TikTok and other social media giants collect about us
The post What TikTok knows about you – and what you should know about TikTok appeared first on WeLiveSecurity
Understanding Managed Detection and Response – and what to look for in an MDR solution
Why your organization should consider an MDR solution and five key things to look for in a service offering
The post Understanding Managed Detection and Response – and what to look for in an MDR solution appeared first on WeLiveSecurity
The TikTok Hearing Revealed That Congress Is the Problem
The interrogation of CEO Shou Zi Chew highlighted US lawmakers’ own failure to pass privacy legislation.
TikTok Paid for Influencers to Attend the Pro-TikTok Rally in DC
The embattled social media company brought out the checkbook to ensure at least 30 of its biggest assets—creators—were in DC to help fend off critics.
Bug in Google Markup, Windows Photo-Cropping Tools Exposes Removed Image Data
Image-editing tools from Google and Microsoft contain the “aCropalypse” bug, which can reveal information users intentionally removed.
The TikTok CEO’s Face-Off With Congress Is Doomed
On Thursday, Shou Zi Chew will meet a rare united front in the US Congress against the Chinese-owned social media app that has lawmakers in a tizzy.