An unprotected Amazon Web Services (AWS) S3 bucket exposed the details of 2,700 users who signed up for the Joomla Resources Directory (JRD), Joomla’s Incident Response Task Group reported last week.An internal website audit revealed that a third-party company owned by a former leader of the Joomla Resource Directory team — they are still a member of the JRD

The Federal Trade Commission (FTC) has approved a settlement with Canadian smart lock maker Tapplock, which allegedly falsely claimed that its devices were designed to be “unbreakable.”Toronto-based Tapplock, Inc. is an Internet of Things (IoT) technology company that provides smart security solutions for both business and end-users alike. It sells Internet-

  Introduction A while back during a penetration test of an internal network, we encountered physically segmented networks. These networks contained workstations joined to the same Active Directory domain, however only one network segment could connect to the internet. To control workstations in both segments remotely with Cobalt Strike, we built a tool

Australia's privacy watchdog announced legal action against Facebook Monday for alleged "systematic failures" exposing more than 300,000 Australians to a data breach by Cambridge Analytica.The Office of the Australian Information Commissioner said it had initiated proceedings against the tech giant and that Facebook committed "serious and/or repeated interfe

Microsoft representatives are in Fulton, Wisconsin, on Tuesday to conduct the first real-world trials for ElectionGuard, the company’s open source election security solution.Introduced in May 2019, the free software development kit (SDK) was created in collaboration with Galois, aiming to provide end-to-end verification of elections. Moreover, the tool opens

Proton Technologies, the company best known for its privacy-focused email service ProtonMail, this week announced that the source code for all of its ProtonVPN virtual private network (VPN) applications has been made public after each app underwent independent security audits.The source code for the Android, iOS, macOS and Windows versions of ProtonVPN are n

Hundreds of Internet-accessible, unprotected medical imaging systems expose data on millions of patients worldwide, German security firm Greenbone reveals.The analysis conducted by Greenbone, a vulnerability analysis and management solutions provider, focused on Picture Archiving and Communication Systems (PACS), which are used by healthcare organizations to

OpenSSL has evolved a great deal in terms of security since the disclosure of the Heartbleed vulnerability back in 2014.OpenSSL, an open source library that implements the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, is widely used by organizations to protect communications.In April 2014, the world learned that OpenSSL was affecte

Mastercard to Recommend NIST CSF for Continuous Security Between PCI AuditsCybersecurity for a business model like Mastercard is complex. First, it has the fundamental need to protect its own networks. Second, however, it has a huge global franchise that must also be kept secure to maintain trust in the product.Security for Mastercard's own infrastructure is

The European Commission said Monday it had begun a "preliminary investigation" into how Facebook and Google collect personal data and what they do with it."The Commission has sent out questionnaires as part of a preliminary investigation into Google’s and Facebook’s data practices," a Commission spokeswoman told AFP."These investigations concern the way data

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) this week announced the release of an open source post-election auditing tool in preparation for the 2020 elections.CISA says it has teamed up with election officials and their private sector partners to support their efforts in improving post-election auditing

New York Attorney General Letitia James filed a lawsuit against Dunkin' Donuts in the Supreme Court of the State of New York on Thursday, September 26, 2019. The complaint alleges fraudulent, deceptive and illegal conduct, and focuses on Dunkin' Donuts breaches in 2015 and 2018. It claims an alleged failure to respond to these breaches in violation of state

During penetration tests, our primary goal is to identify the difference in paths that can be used to obtain the goal(s) as agreed upon with our customers. This often succeeds due to insufficient hardening, lack of awareness or poor password hygiene. Sometimes we do get access to a resource, but do not have access to the username or password of the user that

Written and researched by Mark Bregman and Rindert Kramer Sending signed phishing emails Every organisation, whatever its size, will encounter phishing emails sooner or later. While the number of phishing attacks is increasing every day, the way in which phishing is used within a cyber-attack has not changed: an attacker comes up with a scenario which looks

I spent quite a while on the road while working at NERC for about seven years. I believe at one point I had over 130+ nights stayed during a single year. One of the many roles I had while at NERC was as a compliance program auditor for NERC CIP audits and compliance investigations. I picked up some common mistakes I have seen from entities across the entire