data protection | Breaking Cybersecurity News | The Hacker News

Meta-owned WhatsApp has launched a new  Secret Code  feature to help users protect sensitive conversations with a custom password on the messaging platform. The feature has been  described  as an "additional way to protect those chats and make them harder to find if someone has access to your phone or you share a phone with someone else." Secret Code builds on another feature called  Chat Lock  that WhatsApp announced in May, which moves chats to a separate folder of their own such that they can be accessed only upon providing their device password or biometrics. By setting a unique password for these locked chats that are different from the password used to unlock the phone, the aim is to give users an additional layer of privacy, WhatsApp noted. "You'll have the option to hide the Locked Chats folder from your chatlist so that they can only be discovered by typing your secret code in the search bar," it added. The development comes weeks after WhatsApp 

In a rapidly evolving digital landscape, it's crucial to reevaluate how we secure web environments. Traditional antivirus-approach solutions have their merits, but they're reactive. A new report delves into the reasons for embracing proactive web security solutions, ensuring you stay ahead of emerging threats.  To learn more, download the full report  here . The New Paradigm If you've been relying on the old-style antivirus-based approach to website security up to now, then we could summarize why you need to update to the more proactive approach simply by saying — prevention is always preferable to cure. That's the overarching rationale for adopting a proactive web security solution, but let's break it down into a few more detailed reasons for updating to the newer and more effective proactive approach.  To be clear, we're not denying that an antivirus-approach solution is ideal for detecting and responding to threats, but there's no escaping the fact that it's limited

If forecasters are right, over the course of today, consumers will spend  $13.7 billion . Just about every click, sale, and engagement will be captured by a CRM platform. Inventory applications will trigger automated re-orders; communication tools will send automated email and text messages confirming sales and sharing shipping information.  SaaS applications supporting retail efforts will host nearly all of this behind-the-scenes activity. While retailers are rightfully focused on sales during this time of year, they need to ensure that the SaaS apps supporting their business operations are secure. No one wants a repeat of one of the biggest retail cyber-snafus in history, like when one U.S.-based national retailer had 40 million credit card records stolen.  The attack surface is vast and retailers must remain vigilant in protecting their entire SaaS app stack. For example, many often use multiple instances of the same application. They may use a different Salesforce tenant for eve

Cybersecurity researchers are warning of publicly exposed Kubernetes configuration secrets that could put organizations at risk of supply chain attacks. "These encoded Kubernetes configuration secrets were uploaded to public repositories," Aqua security researchers Yakir Kadkoda and Assaf Morag  said  in a new research published earlier this week. Some of those impacted include two top blockchain companies and various other fortune-500 companies, according to the cloud security firm, which leveraged the GitHub API to fetch all entries containing .dockerconfigjson and .dockercfg types that  store credentials  for accessing a container image registry. Of the 438 records that potentially held valid credentials for registries, 203 records – about 46% – contained valid credentials that provided access to the respective registries. Ninety-three of the passwords were manually set by individuals, as opposed to the 345 that were computer-generated. "In the majority of cases, these creden

What do basketball teams, government agencies, and car manufacturers have in common? Each one has been breached, having confidential, proprietary, or private information stolen and exposed by insiders. In each case, the motivations and methods varied, but the risk remained the same: insiders have access to too much data with too few controls. Insider threats  continue to prove difficult for organizations to combat because — unlike an outsider — insiders can navigate sensitive data undetected and typically without suspicion. Cybersecurity is not the first industry to tackle insider threats, however. Espionage has a long history of facing and defending against insiders by using the "CIA Triad" principles of confidentiality, integrity, and availability. Varonis' modern cybersecurity answer to insider risk is the data security triad of "sensitivity, access, and activity." Using these three dimensions of data security, you can help reduce the risk and impact of an insider attack. Sen

Effective marketing operations today are driven by the use of Software-as-a-Service (SaaS) applications. Marketing apps such as Salesforce, Hubspot, Outreach, Asana, Monday, and Box empower marketing teams, agencies, freelancers, and subject matter experts to collaborate seamlessly on campaigns and marketing initiatives.  These apps serve as the digital command centers for marketing professionals. They house essential go-to-market strategies, and are often connected to live payment systems authorized to spend substantial budgets. Ensuring their security is a complex task, given the multitude of applications, application owners, configurations within each app, users, interconnected apps and more. In this article, we explore the top Marketing SaaS application use cases, from external users and publicly shared links to connected apps and credit cards — and how to ensure the security and integrity of the data stored within them. 1 . External Users Marketing departments frequently grant

The U.S. Department of the Treasury imposed sanctions against a 37-year-old Russian woman for taking part in the laundering of virtual currency for the country's elites and cybercriminal crews, including the Ryuk ransomware group. Ekaterina Zhdanova, per the department, is said to have facilitated large cross border transactions to assist Russian individuals to gain access to Western financial markets and circumvent international sanctions. "Zhdanova utilizes entities that lack Anti-Money Laundering/Combatting the Financing of Terrorism (AML/CFT) controls, such as OFAC-designated Russian cryptocurrency exchange Garantex Europe OU (Garantex)," the treasury department  said  last week.  "Zhdanova relies on multiple methods of value transfer to move funds internationally. This includes the use of cash and leveraging connections to other international money laundering associates and organizations." It's worth noting that Garantex was  previously sanctioned

Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution. "In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," cybersecurity firm Rapid7  disclosed  in a report published Wednesday. "Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October." The intrusions are said to involve the exploitation of  CVE-2023-46604 , a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands. It's worth noting that the  vulnerability  carries a CVSS score of 10.0, indicating maximum severity. It has been  addressed  in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3

Atlassian has warned of a critical security flaw in Confluence Data Center and Server that could result in "significant data loss if exploited by an unauthenticated attacker." Tracked as  CVE-2023-22518 , the vulnerability is rated 9.1 out of a maximum of 10 on the CVSS scoring system. It has been described as an instance of "improper authorization vulnerability." All versions of Confluence Data Center and Server are susceptible to the bug, and it has been addressed in the following versions - 7.19.16 or later 8.3.4 or later 8.4.4 or later 8.5.3 or later, and 8.6.1 or later That said, the Australian company emphasized that "there is no impact to confidentiality as an attacker cannot exfiltrate any instance data." No other details about the flaw and the exact method by which an adversary can take advantage of it have been made available, likely owing to the fact that doing so could enable threat actors to devise an exploit. Atlassian is also u

Meta on Monday announced plans to offer an ad-free option to access Facebook and Instagram for users in the European Union (EU), European Economic Area (EEA), and Switzerland to comply with "evolving" data protection regulations in the region. The ad-free subscription, which costs €9.99/month on the web or €12.99/month on iOS and Android, is expected to be officially available starting next month. The company's proposal for a subscription version of its service was  first reported  by The Wall Street Journal earlier this month. "In November, we will be offering people who use Facebook or Instagram and reside in these regions the choice to continue using these personalized services for free with ads, or subscribe to stop seeing ads," the company  said . "While people are subscribed, their information will not be used for ads." While the fee covers all linked accounts for a user, beginning March 1, 2024, the company plans to levy an additional fee

While cyberattacks on websites receive much attention, there are often unaddressed risks that can lead to businesses facing lawsuits and privacy violations even in the absence of hacking incidents. A new case study highlights one of these more common cases.  Download the full case study here . It's a scenario that could have affected any type of company, from healthcare to finance, e-commerce to insurance, or any other industry. Recently, Reflectiz, an advanced website security solution provider, released a  case study  focusing on a forgotten and misconfigured pixel that had been associated with a leading global healthcare provider. This overlooked piece of code surreptitiously gathered private data without user consent, potentially exposing the company to substantial fines and damage to its reputation. Nowadays, it has become common practice for companies to embed such pixels into their websites. For instance, the TikTok Pixel is a typical example, added to websites to track

Critical security flaws have been disclosed in the Open Authorization (OAuth) implementation of popular online services such as Grammarly, Vidio, and Bukalapak, building upon previous shortcomings uncovered in  Booking[.]com and Expo . The weaknesses, now addressed by the respective companies following responsible disclosure between February and April 2023, could have allowed malicious actors to obtain access tokens and potentially hijack user accounts. OAuth is a  standard  that's commonly used as a mechanism for cross-application access, granting websites or applications access to their information on other websites, such as Facebook, but without giving them the passwords. "When OAuth is used to provide service authentication, any security breach in it can lead to identity theft, financial fraud, and access to various personal information including credit card numbers, private messages, health records, and more, depending on the specific service being attacked," Sa

VMware has released security updates to address a critical flaw in the vCenter Server that could result in remote code execution on affected systems. The issue, tracked as  CVE-2023-34048  (CVSS score: 9.8), has been described as an out-of-bounds write vulnerability in the implementation of the  DCE/RPC protocol . "A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution," VMware  said  in an advisory published today. Credited with discovering and reporting the flaw is Grigory Dorodnov of Trend Micro Zero Day Initiative. VMware said that there are no workarounds to mitigate the shortcoming and that security updates have been made available in the following versions of the software - VMware vCenter Server 8.0 (8.0U1d or 8.0U2) VMware vCenter Server 7.0 (7.0U3o) VMware Cloud Foundation 5.x and 4.x Given the criticality of the flaw and the lack of temporary mitigations, the virtualization

The Irish Data Protection Commission (DPC) slapped TikTok with a €345 million (about $368 million) fine for violating the European Union's General Data Protection Regulation (GDPR) in relation to its handling of children's data. The investigation, initiated in September 2021,  examined  how the popular short-form video platform processed personal data relating to child users (those between the ages of 13 and 17) between July 31 and December 31, 2020. Some of the major findings include - The content posted by child users was set to public by default, thereby allowing any individual (with or without TikTok) to view the material and exposing them to additional risks A failure to provide transparency information to child users The implementation of dark patterns to steer users towards opting for privacy-intrusive options during the registration process, and when posting videos A weakness in the Family Sharing setting that allowed any non-child user (someone who could not be

The Indian President Droupadi Murmu on Friday granted assent to the Digital Personal Data Protection Bill ( DPDPB ) after it was unanimously passed by both houses of the parliament last week, marking a significant step towards securing people's information. "The Bill provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto," the Indian government  said . The  long-awaited data protection law  comes months after the Ministry of Electronics and Information Technology (MeitY) released a  draft version  of the bill in November 2022. It has been in the making for over five years, with a first draft released in July 2018. A year before, India's Supreme Court  upheld  privacy as a  fundamental right . The legislative framework, which applies to personal data coll

In the short time since their inception, ChatGPT and other generative AI platforms have rightfully gained the reputation of ultimate productivity boosters. However, the very same technology that enables rapid production of high-quality text on demand, can at the same time expose sensitive corporate data. A recent  incident , in which Samsung software engineers pasted proprietary code into ChatGPT, clearly demonstrates that this tool can easily become a potential data leakage channel. This vulnerability introduces a demanding challenge for security stakeholders, since none of the existing data protection tools can ensure no sensitive data is exposed to ChatGPT. In this article we'll explore this security challenge in detail and show how browser security solutions can provide a solution. All while enabling organizations to fully realize ChatGPT's productivity potential and without having to compromise on data security.  The ChatGPT data protection blind spot: How can you govern