Schneier on Security

NOVEMBER 2, 2020

Google’s Project Zero has discovered and published a buffer overflow vulnerability in the Windows Kernel Cryptography Driver. The exploit doesn’t affect the cryptography, but allows attackers to escalate system privileges: Attackers were combining an exploit for it with a separate one targeting a recently fixed flaw in Chrome. The former allowed the latter to escape a security sandbox so the latter could execute code on vulnerable machines.

358

358

Troy Hunt

NOVEMBER 2, 2020

I've had this blog post in draft for quite some time now, adding little bits to it as the opportunity presented itself. In a essence, it boils down to this: people expressing their displeasure when I post about a topic they're not interested in then deciding to have a whinge that my timeline isn't tailored to their expectation of the things they'd like me to talk about.

Data breaches 349

Data breaches InfoSec Media Technology 349

Krebs on Security

NOVEMBER 4, 2020

Companies hit by ransomware often face a dual threat: Even if they avoid paying the ransom and can restore things from scratch, about half the time the attackers also threaten to release sensitive stolen data unless the victim pays for a promise to have the data deleted. Leaving aside the notion that victims might have any real expectation the attackers will actually destroy the stolen data, new research suggests a fair number of victims who do pay up may see some or all of the stolen data publi

Ransomware 346

Ransomware Backups Data breaches Encryption 346

Daniel Miessler

NOVEMBER 6, 2020

I think there are four main trends that will play out in the field of information security in the next 20 years. (2021-2030) A Surge in Demand for InfoSec people will result in many more professionals being trained and placed within companies, likely using more of a trade/certification model than a 4-year university model. (2026-) Cyberinsurance will ascend as the primary mechanism for making cybersecurity-related product and service decisions within companies. (2030-) Automation & AI will s

InfoSec 255

InfoSec Insurance Artificial Intelligence Cybersecurity 255

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Schneier on Security

NOVEMBER 4, 2020

Accuracy isn’t great, but that it can be done at all is impressive. Murtuza Jadiwala, a computer science professor heading the research project, said his team was able to identify the contents of texts by examining body movement of the participants. Specifically, they focused on the movement of their shoulders and arms to extrapolate the actions of their fingers as they typed.

Data collection 356

Data collection Software 356

Troy Hunt

NOVEMBER 5, 2020

Alrighty, quickie intro before I rush off to hit the tennis court, catch up with old friends, onto the wake park before BBQ and, of course, ??. I'm doing a quick snapshot on how we're travelling down here COVID wise, I lament the demise (followed by resurrection) of my Ubiquiti network, there's a heap of new data breaches in HIBP and a bunch more insight into my guitar lessons (no, I'm not giving guitar lessons!

Data breaches 337

Data breaches Passwords Hacking 337

Tech Republic Security

NOVEMBER 2, 2020

The COVID-19 pandemic provided a huge opening for bad actors this year, thanks to remote work. Security experts expect more advanced cybersecurity threats in the coming year.

Data breaches 208

Data breaches Ransomware Cybersecurity 208

Schneier on Security

NOVEMBER 5, 2020

California’s Proposition 24, aimed at improving the California Consumer Privacy Act, passed this week. Analyses are very mixed. I was very mixed on the proposition, but on the whole I supported it. The proposition has some serious flaws, and was watered down by industry, but voting for privacy feels like it’s generally a good thing.

296

296

Adam Levin

NOVEMBER 4, 2020

The infamous Maze ransomware gang has announced they will cease operations, effective immediately. . On November 1, the hacking group behind several high profile ransomware attacks in 2020 issued a rambling press release, riddled with spelling errors, on the dark web announcing, “it is officially closed.”. “All the links to out [sic] project, using of our brand, our work methods should be considered to be a scam,” the announcement stated.

Ransomware 168

Ransomware Scams Hacking Malware 168

Adam Shostack

NOVEMBER 4, 2020

I posted this image in 2004. It’s even more relevant now. While we have a country that is clearly divided, the dividing lines are not so neat as the maps showing states going one way or the other.

130

130

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Tech Republic Security

NOVEMBER 2, 2020

Remote work and social media have made it easier for businesses to be impacted by security breaches. Here's why, and how organizations can protect themselves.

Media 217

Media Ransomware 217

Schneier on Security

NOVEMBER 6, 2020

Research paper: Rick Wash, “ How Experts Detect Phishing Scam Emails “: Abstract: Phishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduce the number of phishing emails received, they are not perfect and phishing remains one of the largest sources of security risk in technology and communication systems.

Phishing 230

Phishing Scams Technology Risk 230

Adam Levin

NOVEMBER 6, 2020

Network access to over 7,000 organizations in the U.S., Canada, and Australia is allegedly available for auction on Russian hacking forums. An unidentified hacker is advertising an archive of remote desktop protocol (RDP) credentials to several thousand organizations with bids starting at 25 bitcoins (roughly $390,000). . “I sell everything at once, without samples, convenient access via rdp to each network,” states the advertisement , promising administrative access to each compromised network.

Advertising 182

Advertising Hacking Ransomware Malware 182

Javvad Malik

NOVEMBER 3, 2020

We’re all honest and good people… well, at least most of us are. From a young age, we’re taught to always tell the truth and to never lie. However, our inherent honesty can be our own worst enemy when it comes to cybersecurity. We use our real names on sites, we upload our photos and share our holiday plans. Now, I’m not advocating that we create a fictitious life online and don’t share anything.

Passwords 130

Passwords Password Management Internet Internet 130

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Tech Republic Security

NOVEMBER 5, 2020

A security awareness program backed by multi-factor authentication can help protect your critical assets, says NordVPN Teams.

Social Engineering 215

Social Engineering Engineering Security Awareness Authentication 215

Anton on Security

NOVEMBER 3, 2020

My post “Why is Threat Detection Hard?” proved to be one of the most popular in recent history of my new blog. In this post, I wanted to explore a seemingly obvious, while surprisingly fascinating aspect of detection: uncertainty. Uncertainty? Are you sure, Anton? :-) Well, maybe ! Let’s start our journey with exploring the classic fallacy, “if you can detect [the threat], why can’t you prevent it?

Threat Detection 130

Threat Detection Information Security Cybersecurity 130

Adam Levin

NOVEMBER 6, 2020

Healthcare facilities are under an increased threat of cyberattack, according to the FBI. In a joint cybersecurity advisory with the Cybersecurity and Infrastructure Agency (CISA) and the Department of Health and Human Services (HHS), the FBI warned of an “increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”. While there are currently several strains of malware actively targeting healthcare facilities, the advisory primarily focused on TrickBot, a program with a

Healthcare 175

Healthcare Antivirus Backups Cybercrime 175

Security Affairs

NOVEMBER 1, 2020

A threat actor is offering for sale account databases containing an aggregate total of 34 million user records stolen from 17 companies. A data breach broker is selling account databases containing a total of 34 million user records stolen from 17 companies. The threat actor is advertising the stolen data since October 28 on a hacker forum. Source Bleeping Computer.

Data breaches 145

Data breaches Accountability Advertising Passwords 145

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Tech Republic Security

NOVEMBER 5, 2020

The California Privacy Rights Act adds "teeth" to the CCPA, but some advocates say it doesn't go far enough.

Data privacy 214

Data privacy 214

Dark Reading

NOVEMBER 5, 2020

From meditation to the right mindset, seasoned vulnerability researchers give their advice on how to maximize bug bounty profits and avoid burnout.

144

144

Anton on Security

NOVEMBER 6, 2020

Security continues to be a top concern for cloud customers, and therefore continues to be a driver of our business at Google Cloud. However, specific security priorities vary wildly by vertical, by organization size, and by many other factors. In fact, many “CISO priorities lists” are floating out there online and many people claim to know “what CISOs want.

CISO 100

CISO Cloud Migration CSO Information Security 100

Security Affairs

NOVEMBER 1, 2020

The Maze ransomware operators are shutting down their operations for more than one year the appeared on the threat landscape in May 2019. The Maze cybercrime gang is shutting down its operations, it was considered one of the most prominent and active ransomware crew since it began operating in May 2019. The gang was the first to introduce a double-extortion model in the cybercrime landscape at the end of 2019.

Ransomware 145

Ransomware Cybercrime Advertising Software 145

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

Tech Republic Security

NOVEMBER 4, 2020

As Americans anxiously await clarity regarding final voting counts and results of yesterday's election, a new report found 26% of US consumers correlate who will win with how much they'll spend.

156

156

Adam Levin

NOVEMBER 5, 2020

Network access to over 7,000 organizations in the U.S., Canada, and Australia is allegedly available for auction on Russian hacking forums. An unidentified hacker is advertising an archive of remote desktop protocol (RDP) credentials to several thousand organizations with bids starting at 25 bitcoins (roughly $390,000). . “I sell everything at once, without samples, convenient access via rdp to each network,” states the advertisement , promising administrative access to each compromised network.

Advertising 100

Advertising Hacking Ransomware Malware 100

Threatpost

NOVEMBER 3, 2020

A threat actor is compromising telecommunications companies and targeted financial and professional consulting industries using an Oracle flaw.

Telecommunications 133

Telecommunications Malware Hacking 133

Security Affairs

NOVEMBER 1, 2020

Japan’s Nuclear Regulation Authority (NRA) issued a warning of temporary suspension of its email systems, likely caused by a cyber attack. The Japan’s Nuclear Regulation Authority (NRA) temporarily suspended its email systems, the interruption is likely caused by a cyber attack. The agency published a warning on its website, it is asking people to contact it via phone or fax because it is unable to receive emails from the outside world. “From 17:00 on October 27, 2nd year of Reiwa, sending

Cyber Attacks 144

Cyber Attacks Advertising Media Hacking 144

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Tech Republic Security

NOVEMBER 5, 2020

In the name of security, make sure the information displayed on your Google account is limited. Jack Wallen shows you how.

Accountability 161

Accountability 161

WIRED Threat Level

NOVEMBER 4, 2020

A criminal complaint alleges that a West Virginia man disguised the plastic components as wall hangers and sold hundreds of them online.

133

133

Threatpost

NOVEMBER 3, 2020

A diverse set of companies, including an adaptive-learning platform in Brazil, an online grocery service in Singapore and a cold-brew coffee-maker company, are caught up in the large data trove.

Cybercrime 111

Cybercrime Data breaches 111

Security Affairs

NOVEMBER 4, 2020

The source code for the KPot information stealer was put up for auction and the REvil ransomware operators want to acquire it. The authors of KPot information stealer have put its source code up for auction , and the REvil ransomware operators will likely be the only group to bid. #KPOT source code up for sale! pic.twitter.com/fJ3BwlaHsR — ??????

Ransomware 143

Ransomware Malware Advertising Cybercrime 143

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk