CyberSecure Specialist

Ghostscript bug could allow rogue documents to run system commands

by Paul Ducklin

Even if you haven’t heard of the venerable Ghostscript project, you may very well have used it without knowing. Alternatively, you may have it baked into a cloud service that you offer, or have it preinstalled and ready to go if you use a package-based software service such as a BSD or Linux distro, Homebrew on a Mac, or Chocolatey on Windows. Ghostscript is a free and open-source implementation of Adobe’s widely-used…


Verizon 2023 DBIR: What’s new this year and top takeaways for SMBs

Here are some of the key insights on the evolving data breach landscape as revealed by Verizon’s analysis of more than 16,000 incidents

Contrary to common perception, small and medium-sized businesses (SMBs) are often the target of cyberattacks. That’s understandable, as in the US and UK, they comprise over 99% of businesses, a majority of private sector jobs and around half of earnings. But if you’re an IT or business leader at a smaller organization,…


WordPress plugin lets users become admins – Patch early, patch often!

by Paul Ducklin

If you run a WordPress site with the Ultimate Member plugin installed, make sure you’ve updated it to the latest version. Over the weekend, the plugin’s creator published version 2.6.7, which is supposed to patch a serious security hole, described by user @softwaregeek on the WordPress support site as follows: A critical vulnerability in the plugin (CVE-2023-3460) allows an unauthenticated attacker to register as an administrator and take full control of the…


Who’s Behind the DomainNetworks Snail Mail Scam?

If you’ve ever owned a domain name, the chances are good that at some point you’ve received a snail mail letter which appears to be a bill for a domain or website-related services. In reality, these misleading missives try to trick people into paying for useless services they never ordered, don’t need, and probably will never receive. Here’s a look at the most recent incarnation of this scam — DomainNetworks — and some clues about…


VMware, Other Tech Giants Announce Push for Confidential Computing Standards

In conjunction with the 2023 Confidential Computing Summit last week, VMware announced a partnership with tech giants to accelerate the development of confidential computing applications. Confidential computing relies on a trusted execution environment that ensures the integrity and confidentiality of applications and data, even in the cloud and on third-party infrastructure. With the emergence of multi-cloud deployments and machine learning, confidential computing is expected to help protect intellectual property and sensitive data, but its adoption…


Apple, Civil Liberty Groups Condemn UK Online Safety Bill

The latest variant of the crypto wars is happening now, with the UK and EU governments attempting to force backdoors into end-to-end encryption (E2EE). The war is driven by the desire of law enforcement and governments to prevent criminals from ‘going dark’ through E2EE. The battlefield for liberal democracies is the EU (the Child Sexual Abuse Regulation) and the UK (the Online Safety Bill – OSB). The collateral damage could be every law-abiding citizen – and the audience is…


Army Combat Veteran to Take Over Key Election Security Role Working With State, Local Officials

An Army combat veteran with extensive cybersecurity and counterterrorism experience is taking over as one of the nation’s top election security officials, the director of the U.S. Cybersecurity and Infrastructure Security Agency announced Friday. In the position, Cait Conley will coordinate with federal, state and local officials responsible for ensuring elections are secure ahead of the 2024 presidential election. CISA Director Jen Easterly said Conley’s national security experience made her “ideally suited to help those state…


The good, the bad and the ugly of AI – Week in security with Tony Anscombe

The growing use of synthetic media and difficulties in distinguishing between real and fake content raises a slew of legal and ethical questions

The news cycle is awash with articles about (what’s not always rightly called) artificial intelligence – some good, some bad, and some ugly. The fact that some individuals are using readily available new technology for turning people’s benign public photos into sexually explicit images, including into child sex abuse material, is clearly…


In Other News: Hospital Infected via USB Drive, EU Cybersecurity Rules, Free Security Tools

SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under the radar. We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape. Each week, we will curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and…


200,000 WordPress Sites Exposed to Attacks Exploiting Flaw in ‘Ultimate Member’ Plugin

More than 200,000 WordPress websites are exposed to ongoing attacks targeting a critical vulnerability in the Ultimate Member plugin. Designed to make it easy for users to register and log in on sites, the plugin allows site owners to add user profiles, define roles, create custom form fields and member directories, and more. Tracked as CVE-2023-3460 (CVSS score of 9.8), the recently identified security defect in Ultimate Member allows attackers to add a new user…
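Both Ultimate Member items above come down to one practical check: is the installed plugin older than 2.6.7, the version the reports name as carrying the fix for CVE-2023-3460? The script below is an added example, not code from either article, from Sophos, SecurityWeek or the Ultimate Member project. It reads the standard header block that every WordPress plugin’s main file carries (for Ultimate Member that file is ultimate-member/ultimate-member.php) and compares the Version field numerically, which matters because a naive string comparison would rank 2.6.10 below 2.6.7. The sample header and its version number are constructed for the demo; the fixed-version constant is taken from the reports on this page.

```python
import re

# Constructed sample of the comment header at the top of a WordPress plugin's
# main file. The Version value is made up to represent an unpatched install.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Ultimate Member
Plugin URI: https://ultimatemember.com/
Description: Powerful user profiles, registration and membership for WordPress
Version: 2.6.6
Author: Ultimate Member
*/
"""

# First release the reports on this page name as carrying the CVE-2023-3460 fix.
FIXED_VERSION = "2.6.7"


def parse_plugin_header(text):
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin header block.

    WordPress itself reads these fields from the file's leading comment, so the
    same text is what the dashboard shows as the installed version.
    """
    fields = {}
    for key in ("Plugin Name", "Version"):
        pattern = r"^\s*\*?\s*" + re.escape(key) + r"\s*:\s*(.+?)\s*$"
        match = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
        if match:
            fields[key] = match.group(1)
    return fields


def version_tuple(version):
    """Turn '2.6.10' into (2, 6, 10) so comparisons are numeric per component.

    Plain string comparison gets this wrong: '2.6.10' < '2.6.7' as text.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(header_text, fixed=FIXED_VERSION):
    """Return True if this is Ultimate Member below the fixed version,
    False if it is at or above it, and None if the header is not usable
    (different plugin, or no Version line), so callers do not mistake
    'could not tell' for 'safe'."""
    info = parse_plugin_header(header_text)
    if info.get("Plugin Name", "").strip().lower() != "ultimate member":
        return None
    if "Version" not in info:
        return None
    return version_tuple(info["Version"]) < version_tuple(fixed)


if __name__ == "__main__":
    # On a real site, read wp-content/plugins/ultimate-member/ultimate-member.php
    # instead of the constructed sample.
    verdict = is_vulnerable(SAMPLE_PLUGIN_HEADER)
    installed = parse_plugin_header(SAMPLE_PLUGIN_HEADER).get("Version", "?")
    if verdict is None:
        print("Could not determine plugin or version from header")
    elif verdict:
        print(f"Ultimate Member {installed} is below {FIXED_VERSION}: update now")
    else:
        print(f"Ultimate Member {installed} is at or above {FIXED_VERSION}")
```

The version check is a necessary but not sufficient control: it tells you whether the exploitable code is still on disk, not whether it was already exploited. The reports say the attack creates a new administrator, so after patching also review the administrator accounts on the site and remove any you did not create.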
