Security Boulevard

via the comic humor & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Uncanceled Units’ appeared first on Security Boulevard.

Not For You: “Protecting Americans from Foreign Adversary Controlled Applications Act” shouldn’t be enforced, orders President Trump.

The post Trump U-Turn: TikTok’s On-Again/Off-Again U.S. Ban appeared first on Security Boulevard.

Cyber breaches in healthcare are chronic conditions that can linger for years, quietly draining resources and eroding trust. Imagine a chronic disease. There’s the immediate crisis phase that demands urgent attention—medication, hospital stays, or even surgery. But long after those acute symptoms subside, the condition requires ongoing care and monitoring. Cyberattacks follow a similar trajectory.  […]

The post Healthcare Cybersecurity: The Chronic Condition We Can’t Ignore appeared first on ColorTokens.

The post Healthcare Cybersecurity: The Chronic Condition We Can’t Ignore appeared first on Security Boulevard.

An analysis of the operations of Hunters International, the ransomware-as-a-service platform that has been used to compromise more than 200 organizations, conducted by Forescout Technologies reveals the cybercriminal syndicate that created it is employing a wide range of new and old tactics and techniques.

The post Forescout Report Detail Hunters International Ransomware Gang Tactics appeared first on Security Boulevard.

A study by cybersecurity startup Harmonic Security found that 8.5% of prompts entered into generative AI models like ChatGPT, Copilot, and Gemini last year included sensitive information, putting personal and corporate data at risk of being leaked.

The post Almost 10% of GenAI Prompts Include Sensitive Data: Study appeared first on Security Boulevard.

On January 7, we published a press release to share our five predictions for cybersecurity in 2025. Over the next few weeks, we’ll publish a blog series that provides additional commentary on each prediction. This is the second blog in the series. Check out the first, second, and third blogs here.    Prediction Key Takeaways: […]

The post 2025 Prediction 4: Cyber Attacks Targeting High-Net-Worth Individuals Will Increase, Targeting Not Only Their Financial Lives but also Their Brands And Reputations appeared first on BlackCloak | Protect Your Digital Life™.

The post 2025 Prediction 4: Cyber Attacks Targeting High-Net-Worth Individuals Will Increase, Targeting Not Only Their Financial Lives but also Their Brands And Reputations appeared first on Security Boulevard.

As vehicles become smarter, the stakes for securing them grow higher. Learning car hacking is no longer a niche skill — it’s a necessity for anyone interested in the future of cybersecurity.

The post The Future of Automotive Cybersecurity: Why Learning Car Hacking is Essential  appeared first on Security Boulevard.

Good cyber hygiene isn’t a one-time effort; it’s an ongoing process that requires diligence, awareness and consistency.

The post Cyber Hygiene: Strengthening Your Digital Immune System Through Routine Maintenance appeared first on Security Boulevard.

By now, you will almost certainly be aware of the transformative impact artificial intelligence (AI) technologies are having on the world. What you may not be aware of, however, is the role Application Programming Interfaces (APIs) are playing in the AI revolution. The bottom line is that APIs are critical to AI systems – but [...]

The post API Security’s Role in Responsible AI Deployment appeared first on Wallarm.

The post API Security’s Role in Responsible AI Deployment appeared first on Security Boulevard.

Can Effective Non-Human Identities and Secrets Management Bolster Your Cloud-Native Security Practices? The revolution in technology has seen a significant shift in business operations, with many organizations adopting cloud-native applications. These applications offer various benefits, including scalability, versatility, and cost-efficiency. However, they also open a Pandora’s box of security threats. In the sea of these […]

The post Staying Ahead: Key Cloud-Native Security Practices appeared first on Entro.

The post Staying Ahead: Key Cloud-Native Security Practices appeared first on Security Boulevard.

Why is Secrets Rotation Technology Crucial in the Data Security Landscape? The safety of sensitive information matters more than ever. With the proliferation of Non-Human Identities (NHIs) and a marked increase in cyber threats, the management of these identities is an integral part of the data management ecosystem. This is where Secrets Rotation technology shines, […]

The post Getting Better: Advances in Secrets Rotation Tech appeared first on Entro.

The post Getting Better: Advances in Secrets Rotation Tech appeared first on Security Boulevard.

Why Are Machine Identity Protocols Crucial for Robust Security Measures? Imagine opening your virtual “front door,” only to find unknown software entities exploring your data terrain. Chilling, isn’t it? Well, that’s where Machine Identity Protocols step in. They act as vigilant watchmen, identifying authorized non-human identities (NHIs) and keeping unauthorized ones at bay. So, let’s […]

The post Feel Reassured with Robust Machine Identity Protocols appeared first on Entro.

The post Feel Reassured with Robust Machine Identity Protocols appeared first on Security Boulevard.

Gap Analysis within the Software Development Life Cycle (SDLC) involves identifying insufficient security measures, and compliance shortcomings throughout the software development process, from start to finish. It is to ensure that proper security needs are implemented from the initial design stages to deployment and maintenance. Ignoring SDLC gaps can cause project failures with catastrophic consequences. […]

The post SDLC Gap Analysis: Requirement For Organization appeared first on Kratikal Blogs.

The post SDLC Gap Analysis: Requirement For Organization appeared first on Security Boulevard.

The U.S. Treasury sanction a Chinese bad actor for participating in the hack of the agency's networks and a Chinese for its involvement with Salt Typhoon's attacks on U.S. telecoms. Meanwhile, the FCC calls for stronger cybersecurity measures for ISPs.

The post U.S. Treasury Sanctions Chinese Individual, Company for Data Breaches appeared first on Security Boulevard.

With the AI revolution comes hidden security risks. Employees are embracing AI faster than businesses can secure it, exposing critical gaps in governance.

The post The AI Revolution No One Saw Coming Until It Was Too Late appeared first on Security Boulevard.

 

The post Mobile Cybersecurity Trends for 2025: Key Predictions and Preparations appeared first on Security Boulevard.

Building on EO 14028, EO 14144 advances U.S. cybersecurity with actionable steps for NHI security and secrets management. Learn what this means for you.

The post Executive Order 14144 on Cybersecurity: Building on 2021’s Foundation with Advanced NHI Security appeared first on Security Boulevard.

The Bluesky AT Protocol aims to decentralize social media, empowering users with control over their data and interactions. By shifting power away from centralized platforms like TikTok, it paves the way for a more equitable and resilient social media landscape.

The post Bluesky AT Protocol: Building a Decentralized TikTok appeared first on Security Boulevard.

This is a news item roundup of privacy or privacy-related news items for 12 JAN 2025 - 18 JAN 2025. Information and summaries provided here are as-is for warranty purposes.

Note: You may see some traditional "security" content mixed-in here due to the close relationship between online privacy and cybersecurity - many things may overlap; for example, major vulnerabilities in popular software, which may compromise the security of user's devices (and therefore pose a threat to their privacy) and large data breaches where significant personal information is exposed.

Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.

TABLE OF CONTENTS

• Surveillance Tech in the News
• Privacy Tools and Services
• • Privacy Tools
  • Privacy Services
• Vulnerabilities and Malware
• • Vulnerabilities
  • Malware
• Phishing and Scams
• • Phishing
• Service Providers' Privacy Practices
• • Negative changes
• Legislation/Regulations/Lawsuits
• • Lawsuits
  • Legislation and Regulation
• Data Breaches and Leaks
• • Data breaches

Surveillance Tech in the News

This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.

May also include threat actors abusing legitimate technology - which of itself may be irrespective of user privacy in general - to gather information or otherwise target users.

How cars became the worst product category for privacy

Session

Covers the extensive data collection (and subsequent sharing with car manufacturers and their affiliates) enabled by modern vehicles; they can collect way beyond location data.

Inside the Black Box of Predictive Travel Surveillance

Wired

Covers the use of powerful surveillance technology in predicting who might be a "threat."

FTC Surveillance Pricing Study Indicates Wide Range of Personal Data Used to Set Individualized Consumer Prices

Federal Trade Commission

FTC launched a "surveillance pricing market study" which concluded that specific captured details and data is used to target consumers with different prices for the same goods and services.

They regularly use people's personal information to set tailored prices. This personal information can range from demographics, mouse movements on a web page, and a person's location.

The study is still ongoing.

Privacy Tools and Services

Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes major updates to recommended services/tools found on avoidthehack, but also may feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com

Privacy Tools

Bitwarden releases native Android app

AlternativeTo

Bitwarden has made its native Android app "generally available" for download on the Google Play Store.

Privacy Services

Introducing Labels: A new era of email organization at Tuta Mail

Tuta

Tuta introduces "labels," an organization feature long requested by its users.

Brave Search now offers real-time blockchain data results with unmatched privacy

Brave

Brave adds privacy-preserving querying for real-time blockchain data results to its Brave Search service.

Vulnerabilities and Malware

Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.

This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.

Vulnerabilities

Microsoft’s January 2025 Patch Tuesday Addresses 157 CVEs (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)

Tenable

First Patch Tuesday of 2025 from Microsoft. Three CVEs exploited in the wild and five publicly disclosed (but not expressly observed being exploited in the wild).

CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 are EoP vulnerabilities in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP) and were exploited in the wild as zero-days. These probably don't affect most users reading this.

CVE-2025-21308. This is probably a CVE most users should tune into. It is a spoofing vulnerability that affects Themes in Windows. Successful exploitation requires social engineering users into manipulating a specially crafted file. Publicly disclosed, not observed exploited in the wild at time of publication of this post.

Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344

welivesecurity (ESET)

CVE-2024-7344. A UEFI signed by a Microsoft certificate could bypass Secure Boot. This could result in the executing of code during system boot, defeating the purpose of Secure Boot - which could include loading near undetectable malware such as rootkits.

While there is a list of vulnerable software products, threat actors could use their own copy of the vulnerable reloader.efi binary to any system with the affected Microsoft certificate installed.

Microsoft revoked the certificates with the January 2025 Patch Tuesday updates.

Malware

Browser-Based Cyber-Threats Surge as Email Malware Declines

Infosecurity Magazine

According to research from the 2024 Threat Data Trends report by the eSentire Threat Response Unit, browser threats (such as drive-by downloads and malvertising) increased; these techniques are in turn used to deliver malware such as information stealers. Approximately 70% of observed malware cases in 2024 derived from browser-based malware.

Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

darkreading

According to researchers from Trend Micro, threat actors have been uploading video guides for installing cracked software to YouTube. These video guides function as the initial lure; they then share links to fake downloaders for the cracked software, which actually drop information stealers onto the device.

This campaign exploits the inherent trust users have when visiting extremely popular and reputable sites that host/share primarily user-generated content - such as YouTube, GitHub, and Reddit. Similar campaigns on these sites have been observed in recent years.

DOJ confirms FBI operation that mass-deleted Chinese malware from thousands of US computers

TechCrunch

The PlugX malware, used by PRC-linked APT dubbed "Twill Typhoon" or "Mustang Panda," had infected millions of computers since at least 2014. The FBI, in connection with French authorities, removed the malware from approximately 4,200 infected hosts in the US (3,000 in France).

Hackers Use Image-Based Malware and GenAI to Evade Email Security

Infosecurity Magazine

Malicious code embedded in image files; when the images are downloaded from well-known websites, they may bypass email security controls. A particular campaign abusing this has been dropping information stealers and keyloggers; specifically the campaign attempts to drop 0bj3ctivityStealer and VIP Keylogger.

Additionally, threat actors have been using HTML smuggling to deliver XWorm malware. The XWorm malware family is typically used as a remote access trojan (RAT) or information stealer.

Phishing and Scams

Covers popular phishing schemes affecting end users - smishing, vishing, and any new scam/phish...

The post Privacy Roundup: Week 3 of Year 2025 appeared first on Security Boulevard.

President Biden has signed a new cybersecurity order. It has a bunch of provisions, most notably using the US governments procurement power to improve cybersecurity practices industry-wide.

Some details:

The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent major incidents­—namely, the security failures of federal contractors.

The order requires software vendors to submit proof that they follow secure development practices, building on a mandate that debuted in 2022 in response to ...

The post Biden Signs New Cybersecurity Order appeared first on Security Boulevard.