Randall Munroe’s XKCD ‘Omniroll’
via the comic humor & dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Omniroll’ appeared first on Security Boulevard.
Generic secrets are hard to detect and are getting leaked more often. See how GitGuardian offers advanced protection where GitHub's push protection falls short.
The post Addressing The Growing Challenge of Generic Secrets: Beyond GitHub’s Push Protection appeared first on Security Boulevard.
This is a news item roundup of privacy or privacy-related news items for 9 MAR 2025 - 15 MAR 2025. Information and summaries provided here are as-is for warranty purposes.
Note: You may see some traditional "security" content mixed-in here due to the close relationship between online privacy and cybersecurity - many things may overlap; for example, major vulnerabilities in popular software, which may compromise the security of users' devices (and therefore pose a threat to their privacy) and large data breaches where significant personal information is exposed.
Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.
Clear your browser cookies regularly.
Surveillance Tech in the News
This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.
Data Broker Brags About Having Highly Detailed Personal Information on Nearly All Internet Users
Gizmodo
An owner of a data broker business brags and showcases his company's ability to deliver "personalized messaging at scale." Of course, personalized in this context means leveraging extensive amounts of data collected on people. The CEO claims that thanks to their "CoreAI" product/service/feature, they can deliver extremely personalized (and predictive) advertising for 91 percent of adults around the world.
The 200+ Sites an ICE Surveillance Contractor is Monitoring
404media
A contractor for ICE (and other US government agencies) has built a tool that facilitates pulling a target's publicly available data from various sources - which include social media networks, apps, and services. Most notably these include Bluesky, OnlyFans, Roblox, and various platforms owned/controlled by Meta (Instagram, Facebook). It can also reportedly pull data from sites geared towards specific demographics; for example, Black Planet, a social network for Black people.
More information on what sites this tool can pull from can be found on a Google Docs spreadsheet uploaded by 404media.
US lawmakers urge UK spy court to hold Apple ‘backdoor’ secret hearing in public
TechCrunch
This is yet another addition to the Apple vs secret order by the UK government saga. Various groups have called for Apple's official appeal to the UK order to be completed publicly, with US lawmakers now joining the chorus.
Privacy Tools and Services
Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but also may feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com
Privacy Services
Tuta Mail & Tuta Calendar Updates (+ What’s coming next)
Tuta
Tuta announces updates to Tuta Calendar; specifically, the introduction of advanced repeat rules and a three-day view. Tuta also shares planned updates "coming soon" to Tuta Mail.
Kagi Search introduces Privacy Pass authentication
AlternativeTo
Kagi officially rolls out Privacy Pass support for its Android app.
Telegram introduces Star Messages, cheaper user verification, Chromecast support, and more
AlternativeTo
Telegram introduces enhanced privacy controls for content creators and public figures. Telegram also implemented a detailed info page for users receiving a first-time message from outside their contacts list.
Vulnerabilities and Malware
Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.
This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.
Vulnerabilities
Tenable
This week included Microsoft Patch Tuesday for March 2025. It included seven zero-day flaws, with six of them being exploited in the wild. Likely the most notable CVEs exploited in the wild for the majority of users include:
Apple discloses zero-day vulnerability, releases emergency patches
Cyberscoop
CVE-2025-24201. On March Patch Tuesday, Apple released emergency updates addressing an out-of-bounds write zero-day in WebKit. Maliciously crafted web content may be able to exploit this vulnerability to escape the Web Content sandbox and potentially take unauthorized actions on the affected device.
Apple disclosed this vulnerability was exploited in attacks on "specific targeted individuals" and described it as "extremely sophisticated."
The ESP32 Bluetooth Backdoor That Wasn’t
HACKADAY
This post stems from Tarlogic's claim of finding a "backdoor" (which is strong language) in ESP32, a Bluetooth chip used in approximately 1 billion (and more) devices. The reality is that the original research found undocumented commands, likely manufacturer debugging tools, shipped in the final, consumer-facing products. In theory, these could be abused for malicious actions.
Tarlogic received backlash for the panic induced from using "backdoor" in their findings and has since modified their reporting.
Research on iOS apps shows widespread exposure of secrets
MalwareBytes
Out of 156,000 examined iOS apps, more than 815,000 secrets were hard-coded into them. These sensitive secrets included keys to cloud storage, APIs, and keys to payment processors. According to the researchers, "the average app's code exposed 5.1 and 71% of apps leak at least one secret."
While easy to file away as the app publisher's problem, hard-coded secrets to APIs and cloud storage could result in data breaches, which naturally have a direct effect on user privacy.
Malware
North Korean government hackers snuck spyware on Android app store
TechCrunch
APT threat actors associated with the North Korean government uploaded spyware "KoSpy" to Google Play. According to Lookout, these nation-state threat actors also tricked some users into downloading KoSpy in likely targeted attacks.
KoSpy collects sensitive information including (but not necessarily limited to) text messages, call logs, device location data, files/folders on device, keystrokes, Wi-Fi network details, and installed apps. It can...
The post Privacy Roundup: Week 11 of Year 2025 appeared first on Security Boulevard.
“Never underestimate the simplicity of the attackers, nor the gullibility of the victims.”
Cyberattacks don’t always rely on sophisticated exploits or advanced malware. In reality, many of the most successful breaches stem from simple tactics like phishing emails, social engineering, and exploiting basic security misconfigurations. Complexity isn’t a prerequisite for effectiveness — attackers often favor the path of least resistance.
Victims can be easily deceived or manipulated. People frequently fall for scams, phishing, and other attacks due to a lack of awareness, trust in seemingly legitimate sources, or simple human error. Even experienced individuals can be tricked when caught off guard.
This Immutable Cybersecurity Law is a reminder that cyber threats often succeed not because of advanced technology but because of human vulnerabilities — both in how attacks are executed and how victims respond. While advanced security measures are necessary, organizations and individuals should not overlook basic security practices or underestimate the effectiveness of simple attack methods. It also highlights the importance of user education and awareness in preventing successful attacks, as even the most sophisticated security systems can be compromised by human error or gullibility.
Attackers benefit when victims are overly trusting, untrained, or distracted — thereby susceptible to simple manipulations that appear obviously suspicious in hindsight. Human error and susceptibility to social engineering tactics continue to be significant vulnerabilities in cybersecurity, accounting for a majority of compromises.
Criminals, like everyone else, seek the easiest means to success. The rudimentary act of asking for login credentials or to install unfamiliar software sometimes works with very little deception effort. Despite the growing sophistication of cyber-attacks, simple and seemingly outdated methods can still be highly effective. Brute force attacks with a list of commonly used passwords remain popular among cybercriminals, even though there have been widespread campaigns teaching users to not rely on such predictable secrets.
Cybersecurity must address low-tech attack methods and human vulnerabilities which remain significant threats in the digital landscape. Behavioral and cognitive exploitation is fast, easy, and delivers results across a wide range of targets, including everyday users, employees, consumers, and executives. Even technical personnel are not immune. A recent scam targeted GitHub users, with a verification request to prove the user was not a robot — by having them press keyboard combinations which opened a PowerShell window, paste malicious code uploaded to the clipboard, and run the commands — leading to the users' credentials being harvested by malware. This successful attack targeted code developers — once again proving that technical savvy is not an immunity.
Cybersecurity must protect against the full range of attacks, from the complex to the absurdly simple, and not expect users will, without guidance and motivation, act in a defensive way.
The post Immutable Cybersecurity Law #12 appeared first on Security Boulevard.
Which One Do You Need for Your Software Dev Initiative? When businesses set out to build a software solution, one of the most common sources...
The post Software Developer vs. Software Engineer appeared first on ISHIR | Software Development India.
The post Software Developer vs. Software Engineer appeared first on Security Boulevard.
A software programmer developed a way to use brute force, powered by GPU compute, to break the encryption of the notorious Akira ransomware, enabling some victims of the Linux-focused variant of the malware to regain their encrypted data without having to pay a ransom.
The post New Akira Ransomware Decryptor Leans on Nvidia GPU Power appeared first on Security Boulevard.
Bedrock Security today revealed it has added generative artificial intelligence (GenAI) capabilities along with a metadata repository based on graph technologies to its data security platform.
The post Bedrock Security Embraces Generative AI and Graph Technologies to Improve Data Security appeared first on Security Boulevard.
Each Monday, the Tenable Exposure Management Academy will provide the practical, real-world guidance you need to shift from vulnerability management to exposure management. In our first blog in this new series, we get you started with an overview of the differences between the two and explore how cyber exposure management can benefit your organization.
Traditional vulnerability management has always been about identifying and fixing vulnerabilities — hopefully as quickly as they arise. In practice, even with reasonable service level agreements (SLAs), IT usually has to mitigate those risks. But they’re not always placed at the top of the IT priority list, leaving open a window that attackers can use to gain a foothold. The growth in CVEs (in 2021, there were 20,161 new CVEs; by 2024, that figure had almost doubled to 40,077) has resulted in teams being overwhelmed chasing down vulnerabilities. But CVEs are only part of the picture.
A report from the U.S. Cybersecurity and Infrastructure Security Agency reveals that 90% of initial access to critical infrastructure comes via identity compromise — like phishing, compromised passwords, identity systems and misconfigurations. Just as alarming, the Tenable Cloud Risk Report 2024 shows that 74% of organizations have publicly exposed storage assets, including those containing sensitive data. That same research found that 84% of organizations possess unused or longstanding access keys with critical or high severity excessive permissions, which creates a significant security gap.
Faced with these challenges, most security leaders lack a cohesive, enterprise-wide understanding of risk. As new technologies are regularly adopted, they come accompanied by new threats. In response, most security teams simply add a new siloed security tool and team to defend that new attack surface. As a result, security has become disjointed. And, although vulnerability management is a critical ingredient in cybersecurity, it only looks at a portion of preventable risk. The end result is fragmented visibility with gaps that leave organizations vulnerable.
This is where exposure management comes in. It gives security leaders the processes and technologies they need to continuously assess the accessibility, exploitability and criticality of digital assets across all systems, applications, devices, resources and identities. As a result, security leaders can proactively answer questions about their organization’s exposure risk.
What is exposure management in cybersecurity?
If you explore risk-based exposure management vs. vulnerability management, you'll see an evolution that provides a more holistic, programmatic approach to cost-effective decision making. It breaks down silos and factors in findings such as the likelihood of attack, identity permissions, attack path viability and business criticality. This enables security teams to prioritize true exposure and mobilize responses to the most impactful risks first. And it means you can more readily handle those questions from the board.
Exploring the security continuum
To understand where continuous exposure management fits in the context of your overall cybersecurity program, let’s explore the security continuum.
Source: Tenable, March 2025
The breach line sits at the center. Everything to the right is the world of reactive security. In this case, attacks or breaches are already underway. To the left of the breach line is the world of proactive security.
Reactive security is all about managing active threats and incidents. The goal is to minimize potential material impact. For this reason, the greater share of investment has gone into reactive security in recent years.
But with more governing bodies now requiring disclosure of breaches, such as the U.S. Securities and Exchange Commission (SEC), the burden is changing.
In addition to regulatory pressures, breaches are often accompanied by revenue impact, and incalculable damage to brand, customer loyalty and investor interest. All of this underscores the need for a more effective approach to proactive security, such as exposure management.
As a result, exposure management is being embraced by a variety of organizations — from multinational telecommunications companies to public sector agencies — because it fights three core challenges that every organization faces:
Exposure management helps by providing complete visibility into the attack surface and the critical context teams need to prioritize true business exposure. That means security teams are unburdened and can be more efficient while being less reactive. Let’s dig a bit deeper and explore how, in five steps, exposure management helps improve your security posture.
Step 1: Know your attack surface
Exposure management platforms discover and aggregate asset data across the entire external and internal attack surface, including cloud, IT, OT, IoT, identities and applications, providing a holistic view of the attack surface.
Step 2: Identify all preventable risk
Exposure management detects the three preventable forms of exposure attackers use to gain initial access and move laterally: vulnerabilities, misconfigurations and excessive privileges. Security teams can quickly identify the assets that pose the greatest potential risk to the organization.
Step 3: Align with business context
Asset tagging enables security staff to logically group assets across technology domains and align them with an important business function, service or process. Cyber exposure scores provide quick business-aligned views of exposure and show changes in exposure over time.
Step 4: Remediate true exposure
Detailed mapping of asset, identity and risk relationships reveals attack paths which lead to an organization’s crown jewels. This gives the security staff the attacker’s perspective, which is critical to separate noisy findings from true exposures that can have a material impact on the organization.
Step 5: Continuously optimize investments
The ability to quantify your overall cyber exposure score and compare it with the benchmark score of peers in your industry streamlines budget justification, while helping security leaders answer the critical question: “Are we secure?”
We explore each of these steps in more detail in the white paper “Attackers Don't Honor Silos: Five Steps to Prioritize True Business Exposure.”
By bridging and integrating people, process and technology across traditional silos, exposure management enhances collaboration and efficiency, and it frees security leaders and IT teams to focus on strategic initiatives rather than the latest crisis.
Who can benefit from exposure management?
The benefits of exposure management can be transformative. Whether you’re a practitioner who’s stretched thin, a manager who struggles with understanding risk, or a C-level executive who worries about it all, exposure management can help.
With so much noise in security, what you don’t do is as important (or even more important) as what you actually do.
Exposure management is an evolutionary approach and it’s being embraced across industries and geographies as a way to remove complexity, focus teams and understand the entire attack surface. It boils down to the unification of visibility, insight and action.
Exposure management does require a shift in mindset — recognizing that not everything is critical and not all risks are created equal. This can be a challenge at first. But think about it: The everything-is-critical approach leads to burnout, inefficiency and more exposures. Exposure management lets you prioritize the things that matter most: the exposures that can have an actual impact on crown jewels and the organization.
When you embark on the exposure management journey, you’ll be part of an expanding community of security professionals who are blazing a new trail. Join them.
The post What Is Exposure Management and Why Does It Matter? appeared first on Security Boulevard.
I've chosen six new JDK 24 features that are particularly relevant and interesting for developers and those deploying Java.
The post Six JDK 24 Features You Should Know About appeared first on Azul | Better Java Performance, Superior Java Support.
The post Six JDK 24 Features You Should Know About appeared first on Security Boulevard.
How Cloud Monitor and Content Filter Provide Visibility, Safety, and Peace of Mind at an Independent School
Windsor Schools, a specialized K-12 learning program in New Jersey, is dedicated to providing a safe and supportive learning environment for its students. Soon after he started his role as IT Manager—and Windsor Schools’ sole technology staff member—Kyle ...
The post Windsor Schools’ Proactive Approach to Cybersecurity and Student Safety appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.
The post Windsor Schools’ Proactive Approach to Cybersecurity and Student Safety appeared first on Security Boulevard.
Frankfurt am Main, Germany, 17th March 2025, CyberNewsWire
The post European Cyber Report 2025: 137% more DDoS attacks than last year – what companies need to know appeared first on Security Boulevard.
In part one of our three-part series with PlexTrac, we address the challenges of data overload in vulnerability remediation. Tom hosts Dahvid Schloss, co-founder and course creator at Emulated Criminals, and Dan DeCloss, CTO and founder of PlexTrac. They share their expertise on the key data and workflow hurdles that security teams face today. […]
The post Tackling Data Overload: Strategies for Effective Vulnerability Remediation appeared first on Shared Security Podcast.
The post Tackling Data Overload: Strategies for Effective Vulnerability Remediation appeared first on Security Boulevard.
In the world of cybersecurity awareness, phishing simulations have long been touted as the frontline defense against cyber threats. However, while they are instrumental, relying solely on these simulations can leave significant gaps in an organization’s security training program. At CybeReady, we understand that comprehensive preparedness requires a more holistic approach. The Limitations of Phishing […]
The post Why Only Phishing Simulations Are Not Enough appeared first on CybeReady.
The post Why Only Phishing Simulations Are Not Enough appeared first on Security Boulevard.
Authors/Presenters: Will Thomas & Morgan Brazier
Our thanks to BSides Exeter, and the Presenters/Authors for publishing their timely BSides Exeter Conference content. All brought to you via the organization's YouTube channel.
The post BSides Exeter 2024 – Blue Track – Lessons From The ISOON Leaks appeared first on Security Boulevard.
Why Is Management of NHIs Integral for Dynamic Cloud Resources? How often have we heard about data leaks and security breaches? The frequency of such incidents highlights the pressing need for robust security measures. One such measure that often goes overlooked is the management of Non-Human Identities (NHIs), a critical component of cloud security. New […]
The post What are the best practices for managing NHIs with dynamic cloud resources? appeared first on Entro.
The post What are the best practices for managing NHIs with dynamic cloud resources? appeared first on Security Boulevard.
Are Your Cloud Security Architectures Adequate for NHI Protection? The spotlight is often on human identity protection. But have you ever considered the protection of Non-Human Identities (NHIs)? This is quickly becoming a critical point of discussion. But what exactly are NHIs, and why do they matter? NHIs are machine identities used in cybersecurity, created […]
The post How can cloud security architectures incorporate NHI protection? appeared first on Entro.
The post How can cloud security architectures incorporate NHI protection? appeared first on Security Boulevard.
How Crucial is Cloud Non-Human Identities Monitoring? Ever wondered how crucial it is to effectively monitor Non-Human Identities (NHIs) in the cloud? The need for high-grade cybersecurity measures has never been more apparent with the increasing reliance on cloud-based services across various industries. A pivotal aspect of these measures involves the management and careful oversight […]
The post Which tools are available for cloud-based NHI monitoring? appeared first on Entro.
The post Which tools are available for cloud-based NHI monitoring? appeared first on Security Boulevard.
Authors/Presenters: Sophia McCall
Our thanks to BSides Exeter, and the Presenters/Authors for publishing their timely BSides Exeter Conference content. All brought to you via the organization's YouTube channel.
The post BSides Exeter 2024 – Blue Track – DFIR – Ctrl+Alt+Defeat: Using Threat Intelligence To Navigate The Cyber Battlefield appeared first on Security Boulevard.
(Re-posted from 47 Watch). The State Department, under the stewardship of Secretary Marco Rubio, has just dropped a bombshell determination that’s about as subtle as a foghorn in a library. You can/should review the Federal Register notice before continuing. There is a markdown formatted version of this on the 47 Watch knot. In a nutshell, […]
The post Call To Action: State Department Power Grab appeared first on rud.is.
The post Call To Action: State Department Power Grab appeared first on Security Boulevard.
Major breaches don’t start with hackers—they start with overlooked security gaps. Learn how to find and fix SaaS blind spots before they become attacks.
The post Breaches Often Start Where You Least Expect | Grip Security appeared first on Security Boulevard.