One Explanation for DeepSeek’s Dramatic Savings: IP Theft
OpenAI and Microsoft suspect theft, highlighting the need for better AI security
The post One Explanation for DeepSeek’s Dramatic Savings: IP Theft appeared first on Security Boulevard.
Discover how Alibaba's Qwen 2.5-Max AI model with Mixture-of-Experts architecture outperforms DeepSeek V3 in key benchmarks, challenges OpenAI, and revolutionizes healthcare, finance, and content creation. Explore technical breakthroughs and industry implications.
The post Alibaba’s Qwen 2.5-Max: The AI Marathoner Outpacing DeepSeek and Catching OpenAI’s Shadow appeared first on Security Boulevard.
Author/Presenter: Gregory Carpenter, DrPH
Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organization's YouTube channel.
The post DEF CON 32 – Tough Adversary Don’t Blame Sun Tzu appeared first on Security Boulevard.
Security teams can now validate WAF rules before they hit production, thanks to Impart Security's new WAF Rule Tester. No more crossing fingers and hoping for the best when deploying new rules.
The Old Way: Hope-Driven Security
Traditionally, testing WAF rules has been a nerve-wracking experience:
- Push rules to production in monitor mode
- Wait anxiously for days to spot issues
- Hope nothing breaks while you wait
- Struggle to simulate sophisticated attacks and edge cases
- Cross your fingers and promote to blocking mode
The Better Way: Test-Driven Security
WAF Rule Tester brings confidence and speed to WAF management through powerful test cases that let you:
- Validate rules against synthetic HTTP traffic in seconds, not days
- Simulate complex scenarios including business logic attacks
- Test rule interactions and chain effects
- Verify blocking, rate limiting, and detection behaviors
- Integrate WAF testing directly into your CI/CD pipeline
How It Works
1. Define your test case with synthetic HTTP requests/responses
2. Configure your expected behaviors and assertions
3. Run the test and get results in seconds
4. Deploy with confidence knowing exactly how your rules will behave
Ready to bring confidence to your WAF management?
- Follow us on LinkedIn for product updates
- Schedule a demo to see WAF Rule Tester in action
Don't let WAF testing be your security team's bottleneck. With WAF Rule Tester, you can move fast AND stay secure.
The post Introducing WAF Rule Tester: Test with Confidence, Deploy without Fear | Impart Security appeared first on Security Boulevard.
Instantly assess your website’s vulnerability to bot attacks with DataDome’s free Bot Vulnerability Assessment. Get real-time insights & secure your business today.
The post How to Instantly Assess Your Vulnerability to Bot Attacks appeared first on Security Boulevard.
Identity management has long been a pillar of any sound cybersecurity program, ensuring that only authorized persons and machines have access to specific data and systems. Today, the rapid adoption of artificial intelligence (AI) is making it much more complicated to manage the identities of machines, making the appearance of the OWASP Non-Human Identities Top 10 very timely.
The post The OWASP NHI Top 10 and AI risk: What you need to know appeared first on Security Boulevard.
With a high-stakes battle between OpenAI and its alleged Chinese rival, DeepSeek, API security was catapulted to priority number one in the AI community today. According to multiple reports, OpenAI and Microsoft have been investigating whether DeepSeek improperly used OpenAI’s API to train its own AI models. Bloomberg reported that Microsoft security researchers "detected that [...]
The post API Security Is At the Center of OpenAI vs. DeepSeek Allegations appeared first on Wallarm.
The post API Security Is At the Center of OpenAI vs. DeepSeek Allegations appeared first on Security Boulevard.
via the comic humor & dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Muons’ appeared first on Security Boulevard.
Watch this: Want more “speculative execution” bugs? You’re gonna be in a great mood all day.
The post SLAP/FLOP: Apple Silicon’s ‘Son of Spectre’ Critical Flaws appeared first on Security Boulevard.
The Government Accountability Office states that customers are usually unaware of the potential privacy risks and biases that arise from use of personal information.
The post Our Digital Footprints are Breadcrumbs for Mapping our Personal Behavior appeared first on Security Boulevard.
The Codefinger ransomware represents a new frontier in cyber threats, specifically targeting AWS S3 buckets. By exploiting Server-Side Encryption with Customer-Provided Keys (SSE-C), attackers gain control over the encryption process, rendering recovery impossible without their AES-256 keys.
The post Codefinger Ransomware: Detection and Mitigation Using MixMode appeared first on Security Boulevard.
Old accounts are often unmaintained and forgotten - which can be problematic when you want to "clean up" some of your digital footprint by deleting them or go back to secure them with stronger passwords/MFA.
How do you find these old accounts when your recollection isn't enough? Fortunately, we all have some tricks up our sleeves for doing so. Some methods may be more effective for some users.
Everything you do on the internet leaves a trace, which is commonly collectively referred to as your digital footprint. Creating accounts - whether you use them or not - is a part of this digital footprint.
I probably don't really need to explain it to you if you're reading this, as you likely understand that there's an account for just about everything on the internet. According to a survey conducted by NordPass in 2024, the average user has around 168 passwords to manage (which for the most part translate into accounts). Their survey also indicated this is an upward trend.
A proliferation of accounts and their subsequent management contributes to users' "attack surface" as well, as more accounts increase the possible points through which an unauthorized user can gain access to the information connected to/stored in the account. In this use case, this is typically by breaking into the account itself, a data leak, or a data breach.
The term "attack surface" is typically used for organizations to describe the avenues for attacks, but its principles apply to accounts and users as well. In short, the fewer accounts you have, the less "attack surface" you have as a user; though this is primarily a cybersecurity topic, it extends to privacy as well.
Of course, you can minimize this attack surface by following and maintaining good cybersecurity hygiene, which includes having good password management and using MFA to secure your accounts. However, note that even following these practices can't mitigate data breaches where the service itself is compromised by a threat actor.
On the privacy front, the fewer accounts you create, the fewer avenues there are for data breaches (which can leak your personal information) and the less trust you must place in third parties not to disclose personal information - including usage data, device and connection info connected to the account - to potential "adversaries."
Unmaintained "old" accounts can be problematic, especially if you've forgotten about them. They can use weak/leaked passwords, and any data contained in the account can be vulnerable to credential stuffing attacks from threat actors... or the account data can be leaked in a data breach of the service itself. If the account is no longer desired or needed, deletion is the best course of action.
Finding old accounts
There are many ways to find accounts to delete. You probably know of the accounts you currently use - but here are some tips to find old accounts so you can delete them, hopefully reducing your digital footprint and "attack surface."
Check your password manager
Using a password manager is a great way to improve password management - primarily by generating and securely storing strong passwords. Regardless of your password manager - whether it is cloud-based or not, open source (which is preferable) or not - your current password manager vault is a great place to begin looking for accounts to delete.
Check stored credentials in the browser
Most modern browsers have a built-in "password manager" able to store website credentials. Users can search these saved logins, which may contain old/abandoned accounts, though doing so varies slightly depending on the browser. Review your browser's help pages to access/search saved logins.
Note: Using a browser "password manager" is not recommended. Dedicated password managers provide more features, usability, and security.
iOS and macOS users: Review accounts in the "Keychain"
Apple devices (iOS and macOS) have a built-in credential manager, "Keychain." On iOS this is the new default "Passwords" app.
If you've had or currently have an Apple device, there's a high likelihood you've used Keychain - and it may have old accounts you no longer use stored. If you've ever transitioned from iOS/macOS or have transitioned to using another password manager, then this is a great place to look.
Android (and Google account users): Check the Google password manager
When users are signed into their Google accounts - especially when using Google Android or Google Chrome - the Google password manager may automatically capture and store login information for websites and apps.
As such, it may contain old accounts - especially if users have multiple Google accounts, have used Google Android, or have signed into their Google account when using Google Chrome.
Search inboxes of old email accounts
If you still have access to your old(er) email accounts, searching these inboxes can provide clues to accounts you may have forgotten about - especially if you created them before using a password manager. Many of us don't delete emails, so it's highly likely you still have the welcome email for long-forgotten accounts.
Some helpful search term ideas include:
Similarly, even if the original welcome email is not in your inbox, you may also find old accounts from password reset messages, one-time passwords (OTP), or account information changes. With account information changes, many services will send "confirmation" of key account changes, such as address changes, payment changes, or email address changes.
Some helpful search strings could include:
Data breach databases often house information exposed in data breaches and data leaks, which can include email addresses and password hashes/plaintext equivalents. Most breach databases can be easily searched - typically, users will be required to input an email address, username, or phone number to check against the database records.
Common (and reputable) breach databases include:
Searching breach databases can be useful for uncovering old, long abandoned or “dead” accounts that may have been involved...
The post How to Find Old Accounts for Deletion appeared first on Security Boulevard.
We’re excited to share that we now offer Flare Academy, an educational hub with free interactive online training for cybersecurity professionals. What is Flare Academy? Flare Academy offers online training modules led by subject matter experts on the latest cybersecurity threats to cybersecurity practitioners interested in progressing their education. These sessions cover various pressing cybersecurity […]
The post Flare Academy is Here! appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.
The post Flare Academy is Here! appeared first on Security Boulevard.
Editor’s note: We will continue to provide updates as further information is forthcoming. On January 27th, 2025, GuidePoint’s Research and […]
The post Ongoing report: Babuk2 (Babuk-Bjorka) appeared first on Security Boulevard.
Trust is the cornerstone of the hospitality industry. Guests rely on you to safeguard their personal data, payment information, and loyalty rewards. However, in today's digital landscape, this trust faces constant risks. APIs, which serve as the unseen connections among various systems and applications, are particularly vulnerable to cyber threats. A single flaw can compromise sensitive data and cripple your brand’s reputation.
APIs: The Concealed Gateway to Your Critical Data
Modern hotels depend heavily on APIs. They facilitate processes from online reservations and mobile check-ins to loyalty programs and customized guest experiences. Nonetheless, these APIs often manage sensitive information, including:
A compromise of any of these APIs can lead to dire outcomes.
Exploiting Loyalty Programs: A Tempting Target
Hotel loyalty programs present a goldmine for hackers. Stolen loyalty points can be exchanged or used for complimentary stays and upgrades on the dark web. Imagine a scenario in which a hacker breaches your API and siphons millions of points from your loyalty program. This would result in financial losses, diminish customer trust, and harm your brand reputation.
Marriott: A Recurrent Cautionary Example
Marriott has repeatedly been a victim of data breaches. The expansive breach in 2018 affected nearly 500 million guests, while a more recent incident in 2024 reignited concerns regarding its system security. While the specifics of the 2024 breach remain under investigation, it is a clear reminder that even well-established hotel chains with strong security measures are susceptible. This highlights the urgent need for ongoing vigilance and robust security practices, particularly around APIs, to safeguard sensitive guest information.
Shielding Your Business with Salt Security
Standard security solutions like firewalls and WAFs are inadequate for defending against advanced API attacks. That's where Salt Security comes into play. Salt Security stands as the premier API security platform, ensuring comprehensive lifecycle protection for your APIs. Here's how Salt can assist:
With Salt Security, you can rest assured that your APIs are shielded from emerging threats.
Don't Delay: Take Action Now
Investing in API security goes beyond compliance; it's about safeguarding your guests, your brand, and your financial interests. By partnering with Salt Security, you can proactively secure your APIs and reduce risks, ensuring the continued success of your hospitality business.
If you want to learn more about Salt and how we can help you on your API Security journey through discovery, posture governance, and run-time threat protection, please contact us, schedule a demo, or check out our website.
The post Why API Security is Essential for the Hospitality Sector: Safeguarding Your Guests and Your Rewards appeared first on Security Boulevard.
AI poses great opportunities for people and companies to implement robust systems to minimize the success and long-term effects of attacks.
The post Using AI To Help Keep Your Financial Data Safe appeared first on Security Boulevard.
Get educated on the security risks of DeepSeek. From data privacy concerns to compliance threats, learn how to stay secure while enabling safe AI adoption.
The post DeepSeek’s Deep Risks: What You Need to Know | Grip Security appeared first on Security Boulevard.
Discover how layered security protects businesses from cyber threats. Learn the key components, benefits, and strategies to implement a robust defense system for your data.
The post Layered Security: A Comprehensive Guide for Businesses appeared first on Security Boulevard.
Cofense Intelligence has continually observed threat actors abusing or exploiting legitimate domain services. This report highlights observed phishing threat actor abuse of .gov top-level domains (TLDs) for different countries over two years from November 2022 to November 2024.
The post Threat Actors Exploit Government Website Vulnerabilities for Phishing Campaigns appeared first on Security Boulevard.
The post How Compliance Automation Enhances Data Security appeared first on AI Security Automation.
The post How Compliance Automation Enhances Data Security appeared first on Security Boulevard.