Latest news with #ethicalhackers


Daily Mail
20-06-2025
- Daily Mail
'Mother of all data breaches' sees Internet users urged to act after Apple and Google passwords are exposed
Cybersecurity researchers have uncovered what they call the 'mother of all breaches': a collection of 30 databases containing over 16 billion individual records, including passwords, for government accounts as well as social media logins for Apple, Google, Facebook, Telegram, and others. Some of the datasets had vague names such as 'logins' or 'credentials', which made it hard for the team to work out exactly what they contained, but others gave clues about where the data came from. According to the researchers, the records were most likely compiled by cybercriminals using various info-stealing malware, though they noted that some data may also have been collected by so-called 'white hat' hackers. Also known as ethical hackers, 'white hat' hackers are security professionals who use their skills to identify vulnerabilities and weaknesses in computer systems, networks and software, with the permission of the system's owner.

The team at Cybernews, which found the records, said the information was only briefly available to the wider Internet before it was locked down, and that it is not possible to determine who owned the databases. With over 5.5 billion people worldwide using the Internet, the researchers warned that a staggering number of individuals probably had some of their accounts compromised. Users across the globe were urged to change their passwords immediately to keep their data out of the hands of cybercriminals. The researchers said: 'The inclusion of both old and recent info-stealer logs makes this data particularly dangerous for organizations lacking multi-factor authentication or credential hygiene practices.'

Cybernews noted that its researchers had identified a database of 184 million records that was previously uncovered in May by data-breach hunter and security researcher Jeremiah Fowler. The security site said: 'It barely scratches the top 20 of what the team discovered. Most worryingly, researchers claim new massive datasets emerge every few weeks, signaling how prevalent info-stealer malware truly is.'

The May discovery not only contained secure login data for millions of private citizens, but also held stolen account information connected to multiple governments around the world. Looking at a small sample of 10,000 of these stolen accounts, Fowler found 220 email addresses with .gov domains, linking them to over 29 countries, including the U.S., UK, Australia, Canada, China, India, Israel, and Saudi Arabia. Fowler told WIRED: 'This is probably one of the weirdest ones I've found in many years. As far as the risk factor here, this is way bigger than most of the stuff I find, because this is direct access into individual accounts. This is a cybercriminal's dream working list.' In total, Fowler discovered 47 gigabytes of data with sensitive information for accounts on sites including Instagram, Microsoft, Netflix, PayPal, Roblox, and Discord.

The best action to protect your accounts is to change your passwords and enable two-factor authentication, which adds another layer of security to logging in by sending a code to your phone or email.

The unprotected database was managed by World Host Group, a web-hosting and domain name provider founded in 2019. Once Fowler confirmed that the exposed information was genuine, he reported the breach to World Host Group, which shut down access to the database. World Host Group's Seb de Lemos told WIRED: 'It appears a fraudulent user signed up and uploaded illegal content to their server.' Fowler added that 'the only thing that makes sense' is that the breach was the work of a cybercriminal, because there is no other way to gain that much access to information from so many servers around the world. The cybersecurity expert warned that the breach also posed a major national security risk. Exploiting government email accounts could give hackers and foreign agents access to sensitive or even top-secret systems. The stolen data could also be used as part of a larger phishing campaign, using one person's hacked account to extract private information from other potential victims.


Forbes
23-05-2025
- Business
- Forbes
Having Clarity On Cyber Risk Is Power
Zach Fuller - Founding Partner of Silent Sector, an expertise-driven cybersecurity services firm protecting companies across the U.S.

"We don't know what we don't know." If you've ever said this when it comes to cybersecurity, you're not alone. That uncertainty is one of the biggest threats mid-market and smaller companies face today. Too many organizations operate without a clear cyber risk management strategy. It's not because they don't care but because they're unsure where to begin. Fortunately, organizations can discover and address most cyber risks with two complementary activities:
• Cyber Risk Assessment: A structured, organization-wide review of the company's policies, procedures and technical controls.
• Penetration Testing: A real-world exercise where ethical hackers simulate attacks to uncover technical vulnerabilities.

The Blind Spot Crisis: The Greatest Security Threat
The vast majority of breaches stem from vulnerabilities companies didn't know existed. Risk assessments provide a holistic overview of cyber risk across the organization. Penetration testing identifies technical gaps a cybercriminal can use while conducting an attack. Together, they provide unmatched clarity and a direct path to fortify defenses. However, many companies focus on shiny tools while overlooking fundamentals like incident response planning or operational continuity after a breach. That's like buying a high-end alarm system while leaving the front door wide open. Organizations serious about resilience need a proactive, comprehensive strategy that protects not just their data but their ability to operate.

Conducting Cyber Risk Assessments: The Proactive Method
A well-run cyber risk assessment sets the stage for everything else.

Measuring Against A Cybersecurity Framework
Cybersecurity isn't a "make it up as you go" type of matter. Organizations can't just throw tools at the problem and hope it works out. It's critical to follow an industry-recognized cybersecurity framework: a structured set of controls that guides security posture in alignment with proven best practices. Industry-backed frameworks provide a reliable benchmark. A few of the most respected options include:
• NIST CSF 2.0: Widely adopted across industries, especially in the U.S.
• CIS Controls: Prioritized into "implementation groups" for different organizational sizes.
• ISO 27001: A global standard, particularly for international or compliance-heavy businesses.
These frameworks are starting points rather than rigid rules. Every company is different, and each must tailor its assessment to its business, industry and risk tolerance. A good cybersecurity partner can help prioritize the controls that matter most and cut through the noise.

The Three Pillars Of Security
Strong security isn't just about tech. It's about building strength across three areas that cybersecurity frameworks cover:
• People: The first line of defense—and often the weakest link.
• Processes: Defined, repeatable methods for doing things securely.
• Technologies: Important, but only as good as the strategy and configurations.
Companies love buying new security tools, but I find that most don't need more tech to strengthen security. They need better implementation of what they already own. They don't solve complexity by adding more complexity. They solve it with clarity, discipline and alignment across their people, processes and technologies.

Security Road Map: Getting Everyone On The Same Page
Once organizations have completed a cyber risk assessment, they'll see where the gaps are and what needs to happen next. That's the road map. This isn't about pie-in-the-sky "initiatives." It's about practical, prioritized actions:
• What reduces the most risk the fastest?
• What aligns with business priorities?
• What can be done within the team's capacity and budget?
Balance quick wins with longer-term projects. Show progress, build momentum and always tie every security initiative back to business goals. Security for the sake of security doesn't resonate. Security that supports growth, continuity and reputation does.

Penetration Testing: See What The Enemy Sees
Risk assessments show where security controls fall short across the organization. Penetration tests provide a technical vantage point, showing organizations where an attacker could get through. Ethical hackers use the same tools and tactics as malicious actors to uncover weaknesses that organizations might not even know exist. A pen test isn't just a scan—it's a hands-on simulation of a breach attempt. A comprehensive test includes real cybersecurity experts (humans, not just automation) using the latest tools, technologies and methodologies to identify exploitable attack surfaces.

Pen Test Scope
Pen tests should focus on what matters most to the business. Depending on the environment, that could include the external network, internal network, cloud platforms, web applications, wireless networks, operational technology (OT) and even the people inside the organization through social engineering.

The Three "Boxes" Of Pen Testing
Pen tests come in a few flavors, each with a different perspective:
• White-Box: Full access and information. Thorough, but not as realistic.
• Black-Box: Simulates an outsider's view. Realistic but limited.
• Gray-Box: The sweet spot. Enough access to be efficient, enough realism to simulate an attacker's perspective.
Think of pen testing as an organization's chance to "fight the enemy before the enemy fights them." Just like risk assessments, it's not one-and-done. It should be a regular part of the cybersecurity strategy.

Gaining Clarity: Knowing And Understanding Risks
This is the goal. A proper cyber risk assessment, guided by an industry framework, tells organizations where their defenses are strong and where they're lacking.
A penetration test shows how an attacker would exploit those weaknesses. Together, they provide full-spectrum clarity—technical and strategic. That clarity is power. It allows companies to direct resources where they're needed most. It gives leadership teams real answers, not guesswork. It transforms cybersecurity from a cost center into a strategic enabler.

The Bottom Line
Organizational leaders don't need to be cybersecurity experts, but they do need to know where their risks are and what to do about them. Companies that thrive in this new threat landscape aren't the ones that buy the most tools or shout the loudest about compliance. They're the ones who understand their vulnerabilities, prioritize wisely and take consistent, confident action. Start with visibility, build the road map, test defenses and move forward with clarity. "We don't know what we don't know" cannot be left unsolved in today's environment.


Forbes
16-05-2025
- Forbes
Windows 11 Hacked — Three New Zero-Days Deployed By Pwn2Own Elite
Windows 11 hacked three times on day one of Pwn2Own.

I've said it before, and I'll say it again: hacking is not a crime. I'd have been in prison a long time ago were that true. I'm not a fan of the term ethical hackers, but it will have to do to describe the security researchers and hacking elite who have gathered in Berlin for day one of the Pwn2Own hackathon. Rather than use their undoubted hacking skills for malicious purposes, as the most prolific cybercriminal groups do, these hackers have been deploying zero-days for the good of us all, including three aimed at Windows 11 that elevated privileges to system level, which could enable complete system takeover. Such skills do not go unvalued, and the hackers concerned were rewarded $75,000 for their efforts. Here's what you need to know about the Windows 11 hack trilogy.

If you are a regular reader of my articles, then you will know that I have covered the Pwn2Own events for many years. Most recently, I detailed how Tesla fell to hackers four times in one day, and how five zero-day vulnerabilities were employed to compromise the Samsung Galaxy 24 smartphone. You will also know that Tesla and Samsung submitted their products to the hackathon event, wanting to see if the elite of the hacking world could find vulnerabilities that they had not, so they could be fixed before malicious actors stumbled across them. Pwn2Own, the brainchild of the Trend Micro Zero Day Initiative, dates back to 2007 and attracts some of the best hacking minds on the planet to its twice-yearly events. Pitched against the clock to 'pwn' products (hacker and gamer slang for owning something or someone by gaining control), the zero-day hacker heroes can earn a share of more than a million dollars in prize funds.
Day one of Pwn2Own Berlin 2025, held on May 15, saw no fewer than three successful hacking attempts targeting Windows 11 and escalating privileges to system level:

I have reached out to Microsoft for a statement regarding the Windows 11 hack successes at Pwn2Own.