Estimating the Social Cost of Corporate Data Breaches
While the size of a data breach is typically measured by the number of consumer, customer, or user records exposed or compromised, its economic impact is generally measured from the point of view of the corporation suffering the data breach: cost in crisis management, legal fees, drop in stock...
AIs Are Getting Better at Finding and Exploiting Security Vulnerabilities
From an Anthropic blog post: In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This illustrates h...
AIs are Getting Better at Finding and Exploiting Internet Vulnerabilities
Really interesting blog post from Anthropic: In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. Th...
EUVD-2014-6757
Malware in sbrugna...
Data Breaches: The Complete WIRED Guide
Everything you need to know about the past, present, and future of data security—from Equifax to Yahoo—and the problem with Social Security numbers...
Equifax-vdp: reflected XSS in [www.equifax.com]
A reflected XSS vulnerability was found in the search functionality of Equifax's website. An attacker could execute malicious JavaScript code on a victim's browser by injecting a payload into the "q" parameter of the search query. This could potentially allow the attacker to steal the victim's...
Equifax-vdp: reflected XSS in [www.equifax.com]
A reflected XSS vulnerability was found in an endpoint of Equifax's website. An attacker could execute malicious JavaScript code on victims who visit a specially crafted link, potentially stealing their cookies...
CLSA-2022-1671656460 Update of ca-certificates
update to CKBI 2.58 from NSS 3.67 - removed old certificates: - Certificate "Camerfirma Global Chambersign Root" - Certificate "Cybertrust Global Root" - Certificate "Equifax Secure eBusiness CA 1" - Certificate "Equifax Secure Global eBusiness CA" - Certificate "Explicitly Distrusted DigiNotar...
The Equifax Breach Settlement Offer is Real, For Now
Millions of people likely just received an email or snail mail notice saying they're eligible to claim a class action payment in connection with the 2017 megabreach at consumer credit bureau Equifax. Given the high volume of reader inquiries about this, it seemed worth pointing out that while this...
Equifax-vdp: RXSS on https://equifax.gr8people.com on Password Reset page in the username parameter
Hello, While testing your program I came across a website that is owned by Informatica and is vulnerable to RXSS on the Password Reset page in the username parameter. POC:...
FTC to Go After Companies that Ignore Log4j
The Federal Trade Commission (FTC) will muster its legal muscle to pursue companies and vendors that fail to protect consumer data from the risks of the Log4j vulnerabilities, it warned on Tuesday. “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable ste...
Intuit to Share Payroll Data from 1.4M Small Businesses With Equifax
Financial services giant Intuit this week informed 1.4 million small businesses using its QuickBooks Online Payroll and Intuit Online Payroll products that their payroll information will be shared with big-three consumer credit bureau Equifax starting later this year unless customers opt out by t...
Gig Workers Being Paid $500 for Payroll Passwords
Fintech startup Argyle, a financial-services platform aimed at gig workers, is working to replace credit scores assigned by bureaus like Equifax. But closer security analysis hints that Argyle could be just the latest incarnation of an ongoing data-collection campaign, paying people to give up...
Fintech Startup Offers $500 for Payroll Passwords
How much is your payroll data worth? Probably a lot more than you think. One financial startup that's targeting the gig worker market is offering up to $500 to anyone willing to hand over the payroll account username and password given to them by their employer, plus a regular payment for each mon...
Experian API Leaks Most Americans’ Credit Scores
A researcher is claiming that the credit scores of almost every American were exposed through an API tool used by the Experian credit bureau, that he said was left open on a lender site without even basic security protections. Experian, for its part, refuted concerns from the security community...
Privacy breaches: Using Microsoft 365 Advanced Audit and Advanced eDiscovery to minimize impact
GDPR, HIPAA, GLBA, all 50 U.S. States, and many countries have privacy breach reporting requirements. If an organization experiences a breach of customer or employee personal information, they must report it within the required time frame. The size and scope of this reporting effort can be massiv...
Equifax-vdp: Open SonarQube instance leaking internal source code
Summary I came across an open SonarQube instance which can be found here: http://34.238.92.229:9000/ In this, there are 10 projects with a total of around 100k lines of code To identify the owner, I went to the Issues tab and expanded the list of authors. There were 29 people there, and many of...
WordPress, Apache Struts Attract the Most Bug Exploits
WordPress and Apache Struts vulnerabilities were the most-targeted by cybercriminals in web and application frameworks in 2019 – while input-validation bugs edged out cross-site scripting (XSS) as the most-weaponized weakness type. That’s according to the RiskSense Spotlight Report, which analyzed...
A week in security (February 10 – 16)
Last week on Malwarebytes Labs, we explained how to battle online coronavirus scams with facts, discussed the persistent re-infection techniques of Android/Trojan.xHelper and how to remove it, provided cyber tips for safe online dating, and showed how Hollywood teaches us misleading cybersecurity...