cyber security | Breaking Cybersecurity News | The Hacker News

Facebook on Friday said it's extending end-to-end encryption (E2EE) for voice and video calls in Messenger, along with testing a new opt-in setting that will turn on end-to-end encryption for Instagram DMs. "The content of your messages and calls in an end-to-end encrypted conversation is protected from the moment it leaves your device to the moment it reaches the receiver's device," Messenger's Ruth Kricheli  said  in a post. "This means that nobody else, including Facebook, can see or listen to what's sent or said. Keep in mind, you can report an end-to-end encrypted message to us if something's wrong." The social media behemoth said E2EE is becoming the industry standard for improved privacy and security. It's worth noting that the company's flagship messaging service gained support for E2EE in text chats in 2016, when it added a " secret conversation " option to its app, while communications on its sister platform What

As cyber threats keep on increasing in volume and sophistication, more and more organizations acknowledge that outsourcing their security operations to a 3rd-party service provider is a practice that makes the most sense. To address this demand, managed security services providers (MSSPs) and managed service providers (MSPs) continuously search for the right products that would empower their teams to deliver high-quality and scalable services. Cynet 360 Autonomous Breach Protection platform offers a multitenant security solution for MSSP/MSP, providing automated, all-in-one products that include a robust SOAR layer, on top of attack prevention and detection. (Learn more about  Cynet's partner program for MSPs and MSSPs  here). Service providers typically have a skilled security team at their disposal. The challenge is how to leverage this skill to serve as many customers as possible without compromising on the quality of the service. That makes each minute of each team member a

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

As cyber incidents increase in scope and impact, more and more organizations come to realize that outsourcing their defenses is the best practice—significantly increasing the Managed Security Service Provider (MSSP) market opportunities. Until recently, IT integrators, VARs, and MSPs haven't participated in the growing and profitable MSSP market as it entailed massive investments in building an in-house skilled security team. However, this is beginning to change as a result of certain security vendors, like Cynet, that provide a purpose-built partner offering that enables IT integrators, VARs, and MSPs to provide managed security service with zero investment in hardware or personnel. Their offering includes a 24/7 SOC that trains and supports the partner's existing team and a security platform that consolidates and automates breach protection (including endpoint, user, and network security), making it simple to operate by any IT professional. To learn more about th

Advanced Persistent Threats groups were once considered a problem that concerns Fortune 100 companies only. However, the threat landscape of the recent years tells otherwise—in fact, every organization, regardless of vertical and size is at risk, whether as a direct target, supply chain or collateral damage. The vast majority of security decision-makers acknowledge they need to address the APT risk with additional security solutions but struggle with mapping APT attack vectors to a clear-cut set of security product capabilities, which impairs their ability to choose the products that would best protect them. Cynet is now addressing this need with the definitive RFP templates for EDR/EPP and APT Protection , an expert-made security requirement list, that enables stakeholders to accelerate and optimize the evaluation process of the products they evaluate. These RFP templates aim to capture the widest common denominator in terms of security needs and deliver the essential that are

Humans are an organization's strongest defence against evolving cyber threats, but security awareness training alone often isn't enough to transform user behaviour. In this guide, usecure looks at why Human Risk Management (HRM) is the new fix for building a security-savvy workforce. Don't be fooled... Businesses are investing more than ever into strengthening their employee security awareness efforts, but a big problem still plagues SMBs and enterprises in every sector —  human-related data breaches . Even with more businesses rolling out staff security awareness training programs to combat evolving cyber threats, over 90% of data breaches still stem from human error. So, why are human-related data breaches still so prevalent? Access Now: Security Awareness Training is Broken. HRM is the Fix [Free eBook] → Security awareness training often isn't enough It's easy to think that rolling out some security awareness courses and sending a few email bulletins fro

Google on Monday announced that it's rolling out client-side encryption to Google Workspace (formerly G Suite), thereby giving its enterprise customers direct control of encryption keys and the identity service they choose to access those keys. "With client-side encryption, customer data is indecipherable to Google, while users can continue to take advantage of Google's native web-based collaboration, access content on mobile devices, and share encrypted files externally," the search giant  said .  "When combined with our other encryption capabilities, customers can add new levels of data protection for their Google Workspace data." The development coincides with the Google Workspace and Google Chat's  broader availability to all users  with a Google account. Workspace is the company's enterprise offering consisting of Gmail, Chat, Calendar, Drive, Docs, Sheets, Slides, Meet, and other tools. Businesses using Google Workspace have the choice o

There is a person in every organization that is the direct owner of breach protection. His or her task is to oversee and govern the process of design, build, maintain, and continuously enhance the security level of the organization. Title-wise, this person is most often either the CIO, CISO, or Directory of IT. For convenience, we'll refer to this individual as the CISO. This person is the subject-matter expert in understanding the standard set of active cyber risks, benchmarking to what degree the organization's exposure influences potential impact. They then take appropriate steps to ensure the major risks are addressed. On top of being engaged 24/7 in the organization's actual breach protection activity, the CISO has another critical task: to articulate the risks, potential impacts and appropriate steps to take to the company's management – or in other words, they must effectively translate security issues for non-security-savvy executives in a clear and busi

Cybersecurity researchers disclosed details about 13 vulnerabilities in the Nagios network monitoring application that could be abused by an adversary to hijack the infrastructure without any operator intervention. "In a telco setting, where a telco is monitoring thousands of sites, if a customer site is fully compromised, an attacker can use the vulnerabilities to compromise the telco, and then every other monitored customer site," Adi Ashkenazy, CEO of Australian cybersecurity firm Skylight Cyber, told The Hacker News via email. Nagios is an open-source IT infrastructure tool analogous to SolarWinds Network Performance Monitor (NPM) that offers monitoring and alerting services for servers, network cards, applications, and services. The issues, which consist of a mix of authenticated remote code execution (RCE) and privilege escalation flaws, were discovered and reported to Nagios in October 2020, following which they were  remediated  in  November . Chief among them i

A "severe" vulnerability in GNU Privacy Guard (GnuPG)'s Libgcrypt encryption software could have allowed an attacker to write arbitrary data to the target machine, potentially leading to remote code execution. The flaw, which affects version 1.9.0 of libgcrypt, was discovered on January 28 by Tavis Ormandy of Project Zero, a security research unit within Google dedicated to finding zero-day bugs in hardware and software systems. No other versions of Libgcrypt are affected by the vulnerability. "There is a  heap buffer overflow  in libgcrypt due to an incorrect assumption in the block buffer management code," Ormandy  said . "Just decrypting some data can overflow a heap buffer with attacker controlled data, no verification or signature is validated before the vulnerability occurs." GnuPG addressed the weakness almost immediately within a day after disclosure, while urging users to  stop using  the vulnerable version. The latest version can be dow

Newly discovered security vulnerabilities in ADT's Blue (formerly LifeShield) home security cameras could have been exploited to hijack both audio and video streams. The  vulnerabilities  (tracked as CVE-2020-8101) were identified in the video doorbell camera by Bitdefender researchers in February 2020 before they were eventually addressed on August 17, 2020. LifeShield was acquired by Florida-based ADT Inc. in 2019, with Lifeshield's DIY home security solutions rebranded as Blue as of January 2020. The company's products had a 33.6% market share in the U.S. last year. The security issues in the doorbell camera allow an attacker to Obtain the administrator password of the camera by simply knowing its MAC address, which is used to identify a device uniquely Inject commands locally to gain root access, and Access audio and video feeds using an unprotected  RTSP  (Real-Time Streaming Protocol) server The doorbell is designed to periodically send heartbeat messages t

With so much of the world transitioning to working, shopping, studying, and streaming online during the coronavirus pandemic, cybercriminals now have access to a larger base of potential victims than ever before. "Zoombomb"  became the new photobomb—hackers would gain access to a private meeting or online class hosted on Zoom and shout  profanities and racial slurs  or flash  pornographic images . Nation-state hacker groups mounted attacks against organizations involved in the coronavirus pandemic response, including the World Health Organization and Centers for Disease Control and Prevention, some in an attempt to politicize the pandemic. Even garden-variety cyber attacks like email phishing, social engineering, and refund theft took on a darker flavor in response to the widespread economic precarity brought on by the pandemic.  "Hackers were mostly trying to take advantage of people's fear by offering medical equipment like thermometers and masks for cheap, low

Most companies with small security teams face the same issues. They have inadequate budgets, inadequate staff, and inadequate skills to face today's onslaught of sophisticated cyberthreats. Many of these companies turn to virtual CISOs (vCISOs) to provide security expertise and guidance. vCISOs are typically former CISOs with years of experience building and managing information security programs across large and small organizations. Autonomous XDR company Cynet, a provider of an automated breach protection platform and MDR service for even the smallest security teams, is conducting a webinar with well-known vCISO Brian Haugli to understand the common challenges faced by CISOs with small security teams [ register here ]. In the first part of the webinar, Haugli will share the four foundational risks that are common across most companies he helps. He will then discuss the most common pieces of advice he provides across the companies he serves. Haugli will also share a situation

Over the years,  penetration testing  has had to change and adapt alongside the IT environments and technology that need to be assessed. Broad cybersecurity issues often influence the strategy and growth of pen-testing. In such a fast-paced field, organizations get real value from learning about others' penetration testing experiences, identifying trends, and the role they play in today's threat landscape. While there is much to be gained from a single snapshot, additional value can come from long term data collection and year over year comparisons. We can see whether the effects that recent trends have on pen testing are long term, or simply a temporary shift, and how they affect the continuing evolution of penetration testing. For instance, 2020 saw a massive influx of remote work. Unfortunately, the convenience of working safely from home increased the risk of a breach as countless new attack vectors opened up, both from the way employees connected to networks, as well a

Like it or not, 2020 was the year that proved that teams could work from literally anywhere. While terms like "flex work" and "WFH" were thrown around before COVID-19 came around, thanks to the pandemic, remote working has become the defacto way people work nowadays. Today, digital-based work interactions take the place of in-person ones with near-seamless fluidity, and the best part is that going remote helps companies save their cash in this bootstrapped time.  But while the ability to work from anywhere has truly been essential to keeping businesses and the economy functional, it has opened up new challenges that need to be addressed.  Your Devices Are Your Weakest Link With nearly ⅔ of employees still working remotely to some degree, the boundaries that once separated work and home have been completely washed away. A major ramification of this shift has been an increase in the volume of corporate and non-corporate devices connecting from remote to sensitive

With the continuing rise of IoT devices, mobile networks, and digital channels, companies face a lot of pressure to generate meaningful and actionable insights from the wealth of data they capture. Gartner Research lists data democratization as  one of the top  strategic technology trends to watch out for.  While empowering non-technical users to run ad-hoc reports gives enterprises the ability to get closer to business conditions, it also introduces problems of data governance and privacy compliance. All reports are only as good as the data they're based on, and non-technical users might not be aware of the need for data integrity and security. Even the "experts" at cybersecurity firms have been known to leak files  at alarming rates . Organizations need to implement strong data governance strategies to ensure their data is accurate, reliable and secure, while continuing to provide their employees with the resources they need to realize the full benefits of it. Here&

Sound security budget planning and execution are essential for CIO's/CISO's success. Now, for the first time, the Ultimate Security Budget Plan and Track Excel template ( download here ) provide security executives a clear and intuitive tool to keep track of planned vs. actual spend, ensuring that security needs are addressed while maintaining the budgetary frame. The dynamic nature of the threat landscape and the possibility of the organization being subject to a critical attack, make an unexpected investment in additional products, staff, or services a highly likely scenario that should be considered. Integrating this factor within the initial planning is a challenge for many CISOs encounters. The Ultimate Security Budget Plan & Track template is an excel spreadsheet that comes pre-packaged with the required formulas to continuously measure, every month, the planned and actual security investments, providing immediate visibility into any mismatch between the tw

A Russian hacker who was found guilty of  hacking LinkedIn ,  Dropbox , and Formspring over eight years ago has finally been  sentenced  to 88 months in United States prison, that's more than seven years by a federal court in San Francisco this week. Yevgeniy Aleksandrovich Nikulin , 32, of Moscow hacked into servers belonging to three American social media firms, including LinkedIn, Dropbox, and now-defunct social-networking firm Formspring, and stole data on over 200 million users. Between March and July 2012, Nikulin hacked into the computers of LinkedIn,  Dropbox, and Formspring , and installed malware on them, which allowed him to remotely download user databases of over  117 Million LinkedIn  users and more than  68 Million Dropbox  users. According to the prosecutor, Nikulin also worked with unnamed co-conspirators of a Russian-speaking cybercriminal forum to sell customer data he stole as a result of his hacks. Besides hacking into the three social media firms, Nikulin