now browsing by tag
Source: National Cyber Security – Produced By Gregory Evans The California Attorney General released an update to its proposed California Consumer Privacy Act Regulations, and companies have until 5 pm PT on February 24 to submit comments on this updated draft. Key changes include: Definitions Clarifying that to qualify as personal information (“PI”), information must be maintained […] View full post on AmIHackerProof.com
#cybersecurity | #hackerspace | From my Gartner Blog – Updated Paper on Penetration Testing and Red Teams
I finally managed to publish the update to my paper on pentesting, “Using Penetration Testing and Red Teams to Assess and Improve Security”. It has some small tweaks from the previous version, including some additional guidance around Breach and Attack Simulation tools role.
Questions about how to define the scope of penetration tests are very common in my conversations with clients. I always tell them it should be driven primarily by their objective for running the test. Surprisingly, many have problems articulating why they are doing it.
The discussion about comparing pentests with other forms of assessments is there too, although we also published a paper focused on the multiple test methods some time ago.
A few good pieces from the document:
“Research the characteristics and applicability of penetration tests and other types of security assessments before selecting the most appropriate one for the organization. Select a vulnerability assessment if the goal is to find easily identifiable vulnerabilities.”
“Definitions for security assessments vary according to the source, with a big influence from marketing strategies and the buzzword of the day. Some vendors will define their red team service in a way that may be identified as a pentest in this research, while vulnerability assessment providers will often advertise their services as a penetration test. Due to the lack of consensus, organizations hiring a service provider to perform one of the tests described below should ensure their definition matches the one used by the vendor”
“Pentests are often requested by organizations to identify all vulnerabilities affecting a certain environment, with the intent to produce a list of “problems to be fixed.” This is a dangerous mistake because pentesters aren’t searching for a complete list of visible vulnerabilities.”
Next on the queue is the monitoring use cases paper. That’s my favorite paper and excited to refresh it again. You’ll see it here soon!
The post Updated Paper on Penetration Testing and Red Teams appeared first on Augusto Barros.
from Augusto Barros https://ift.tt/2Gx5wWq
*** This is a Security Bloggers Network syndicated blog from Security Balance authored by Unknown. Read the original post at: http://feedproxy.google.com/~r/SecurityBalance/~3/1h–omhBJ4Q/from-my-gartner-blog-updated-paper-on.html
View full post on National Cyber Security
Google has announced plans to restrict political advertising on its platforms ahead of the UK General Election and next year’s US Presidential election, in a move which will further turn the heat up on Facebook.
Although the web giant claimed that it never allows controversial micro-targeting of election ads, it announced a further clarification of its policy on Wednesday to limit election ad targeting to “age, gender, and general location.”
It’s also explicitly banning deep fake content, misleading claims about the election process, and “ads or destinations making demonstrably false claims that could significantly undermine participation or trust in an electoral or democratic process.”
“Whether you’re running for office or selling office furniture, we apply the same ads policies to everyone; there are no carve-outs,” argued Google Ads VP of product management, Scott Spencer.
“It’s against our policies for any advertiser to make a false claim — whether it’s a claim about the price of a chair or a claim that you can vote by text message, that election day is postponed, or that a candidate has died.”
That appears to put more distance between Google and Facebook, whose stance is that tech firms should not be the arbiters of what politicians can and can’t say — despite it having strict rules on false advertising elsewhere on its platform.
This position has invited heavy criticism from various quarters as tantamount to allowing politicians to lie — especially after Facebook rejected a request from Presidential hopeful Joe Biden to remove a Trump campaign ad containing misinformation about the former vice president.
“Of course, we recognize that robust political dialogue is an important part of democracy, and no one can sensibly adjudicate every political claim, counterclaim, and insinuation,” Spencer continued.
“So we expect that the number of political ads on which we take action will be very limited — but we will continue to do so for clear violations.”
Twitter has already announced a ban on virtually all political advertising, which will begin today.
The UK Electoral Commission, Information Commissioner’s Office (ICO) and the cross-party DCMS Select Committee have called for urgent legislation to regulate the “wild west” of political advertising, fearing that outside forces could sway elections and that secret micro-targeting of voters undermines the legitimacy of results.
Google has previously blocked political ads two weeks before polling in the Irish referendum and during the entirety of the recent Israeli and Canadian election periods.
#infosec #itsecurity #hacking #hacker #computerhacker #blackhat #ceh #ransomeware #maleware #ncs #nationalcybersecurityuniversity #defcon #ceh #cissp #computers #cybercrime #cybercrimes #technology #jobs #itjobs #gregorydevans #ncs #ncsv #certifiedcybercrimeconsultant #privateinvestigators #hackerspace #nationalcybersecurityawarenessmonth #hak5 #nsa #computersecurity #deepweb #nsa #cia #internationalcybersecurity #internationalcybersecurityconference #iossecurity #androidsecurity #macsecurity #windowssecurity
The post #infosec | Google’s Updated Political Ads Policy Steps Up Pressure on Facebook appeared first on National Cyber Security.
View full post on National Cyber Security
#cybersecurity | Have you updated your browser yet? Severe Chrome Zero-day vulnerability getting actively exploited
Attention! Are you using Chrome as your web browsing software on your Windows, Linux and Mac? High time you update your browser!!
That’s right. With Google recently releasing Chrome version 78.0.3904.87 for Windows, Mac, and Linux, there come’s an urgent warning, requesting billions of users to update their software immediately. The warning comes after news of hackers exploiting two high-severity zero-day vulnerabilities. Apparently, the new Chrome version addresses these vulnerabilities.
What are these zero-day vulnerabilities?
According to Google, the following 2 zero-day vulnerabilities have been detected:
- CVE-2019-13720 – This is basically a use-after-free-bug that has been detected in the audio component of Chrome.
- CVE-2019-13721 – This again is a user-after-free security vulnerability and affects the PDFium library. This is basically used to view and generate PDF files in your browser, a feature that is commonly required by users.
How do these vulnerabilities work?
A user-after-free security vulnerability is basically a memory-corruption flaw that allows modification or corruption of memory data, allowing a hacker to take control of an affected software or system. All that the remote attackers need to do, is to escalate privileges on your Chrome web browser by convincing you to click and visit a malicious website. This instantly allows attackers to run malicious code on your affected system while bypassing any sandbox protections.
How can you protect yourself?
The use-after-free vulnerability has been existing in the wild for quite some time now and is one of the most commonly discovered vulnerabilities. Thus, the chances of it reappearing in frequent periods are high.
Thankfully, Google has already released an update for this new Chrome version, to patch this active zero-day vulnerability and the stable channel has been updated to 78.0.3904.87. So now, all you need to do is to Click on the update arrow visible at the top-right corner of Chrome browser. Once you have successfully updated to the latest version of Chrome across your desktop and mobile, you will become safe from these vulnerabilities.
Such security bugs and vulnerabilities are bound to appear and reappear from time to time. It is for this reason that Quick Heal strongly recommends that you keep your web browser and security products up-to-date and follow best security practices for optimum defense against the rising/evolving threats and zero-day vulnerabilities.
Have something to add to this story? Share it in the
View full post on National Cyber Security
CNBC – Nov 5 – Tinder has changed its algorithm, to boost matches. The details will be revealed in the next few days. Tinder CEO, Sean Rad, said that the new algorithm will increase the number of matches by ~30%. Read More….
The post Tinder Users Want Long-Term Relationship, The App Updated Matching Algorithm appeared first on Dating Scams 101.
View full post on Dating Scams 101
According to Tim Rains, director of Microsoft Trustworthy Computing Microsoft’s threat modeling tool updated with new features designed to offer organizations more flexibility and help them implement a secure development lifecycle.
“More and more of the customers I have been talking to have been leveraging threat modeling as a systematic way to find design-level security and privacy weaknesses in systems they are building and operating,” blogged Tim Rains. “Threat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes. Once customers try threat modeling, they typically find it to be a useful addition to their approach to risk management.”
The latest version of the tool includes the following new features:
• New Drawing Surface this new release has its own drawing surface and Visio is no longer needed.
• STRIDE per Interaction Big improvement for this release is change in approach of how we generate threats. Microsoft Threat Modeling Tool 2014 uses STRIDE per interaction for threat generation, were past versions of the tool used STRIDE per element.
• Migration for v3 Models Updating your older threat models is easier than ever. You can migrate threat models built with Threat Modeling Tool v3.1.8 to the format in Microsoft Threat Modeling Tool 2014
• Update Threat Definitions We over further flexibility to our users to customize the tool according to their specific domain. Users can now extend the included threat definitions with ones of their own.
Further he wrote “Microsoft Threat Modeling Tool 2014 comes with a base set of threat definitions using STRIDE categories,” blogged Emil Karafezov, program manager on the Secure Development Tools and Policies team at Microsoft. “This set includes only suggested threat definitions and mitigations which are automatically generated to show potential security vulnerabilities for your data flow diagram. You should analyze your threat model with your team to ensure you have addressed all potential security pitfalls.”
“We hope these new enhancements in Microsoft Threat Modeling Tool 2014 will provide greater flexibility and help enable you to effectively implement the SDL process in your organization,” he added.
View full post on Am I Hacker Proof
Android Marshmallow arrives today. Of course, some phones may still take months or years to get an update. We’ve collected all the information we can on which devices will get updates and when. Below, you’ll find a non-comprehensive list of all the phones and tablets we can find that may be receiving an update to Android Marshmallow. Keep in mind that we don’t have any special insider information. We only know what the companies that make these devices announce. We’ll do our best to keep this list updated and check in when updates are due. However, some manufacturers may change their plans, or simply fail to acknowledge some phones entirely. Many phones also come with variants that may delay updates. We’ll make note of carrier or regional variants wherever possible, but unless otherwise noted, assume any reference to a device refers to the generic, carrier-free version. If you bought your phone from a carrier (particularly a CDMA carrier like Verizon or Sprint), your phone may have a different update schedule. If you see a phone that’s not on this list, that a manufacturer or carrier has confirmed an upgrade to Android Marshmallow for, let us know. We can’t keep up […]
For more information go to http://www.NationalCyberSecurity.com, http://www. GregoryDEvans.com, http://www.LocatePC.net or http://AmIHackerProof.com
The post Every Phone That’s Getting Updated To Android Marshmallow appeared first on National Cyber Security.
View full post on National Cyber Security
The Richmond County Sheriff’s Office has released information on the investigation into child abuse allegations a deputy is facing.
Investigators say, Tuesday night at approximately 8:00 p.m., deputies responded to a residence on the 2800 block of Anne Street, in Augusta, where it was alleged an off-duty uniformed deputy from the Richmond County Sheriff’s Office was involved in the physical abuse of a 12-year-old child.
Based on the information and evidence obtained at the scene and after consulting with the District Attorney’s office; the deputy, now identified as Alton A. Walker, has been detained and criminal charges were pending.
Wednesday morning, investigators applied for and obtained arrest warrants for Deputy Walker for the felony charges of False Imprisonment and Cruelty to Children in the 1st Degree.
The post UPDATED ON 6: Richmond County Deputy Fired, Facing Child Abuse Charges appeared first on Parent Security Online.
View full post on Parent Security Online
Researchers have uncovered new, currently unpatched vulnerabilities in multiple versions of Internet Explorer that criminals are actively exploiting to surreptitiously execute unusually advanced malware on computers that visit booby-trapped websites. The vulnerabilities in various configurations of IE versions 7, 8, 9, and 10 running on Windows XP and Windows 7 are separate from the Microsoft Windows […] View full post on Gregory d. evans