Adam Shostack

JANUARY 2, 2025

What would you like me to cover in my Blackhat talk, " Threat Modeling in 2018 ?" So this week's threat model Thursday is simply two requests: What would you like to see in the series? Attacks always get better, and that means your threat modeling needs to evolve.

Media 130

Media Engineering 130

Adam Shostack

JANUARY 2, 2025

Check out my talk from Blackhat 2018 Blackhat has released all the 2018 US conference videos. My threat modeling in 2018 video is, of course, amongst them. Slides are linked here.

130

130

Adam Shostack

JANUARY 2, 2025

STRIDE Machine Learning Conflict And of course, because it's 2018, there's cat videos and emoji to augment logic. The current core outline is: What are we working on The fast moving world of cyber The agile world Models are scary What can go wrong? Threats evolve! Yeah, that's the word. Wednesday, August 8 at 2:40 PM. *

130

130

Adam Shostack

JANUARY 2, 2025

The slides from my Blackhat talk, " Threat Modeling in 2018: Attacks, Impacts and Other Updates " are now available either as a PDF or online viewer. The slides from my Blackhat talk are now available.

130

130

Krebs on Security

JUNE 25, 2021

” Western Digital’s brief advisory includes a link to an entry in the National Vulnerability Database for CVE-2018-18472. Examine the CVE attached to this flaw and you’ll notice it was issued in 2018. We are actively investigating the issue and will provide an updated advisory when we have more information.”

Internet 332

Internet Internet Backups Small Business 332

The Hacker News

FEBRUARY 20, 2025

Cisco has confirmed that a Chinese threat actor known as Salt Typhoon gained access by likely abusing a known security flaw tracked as CVE-2018-0171, and by obtaining legitimate victim login credentials as part of a targeted campaign aimed at major U.S. telecommunications companies.

Telecommunications 132

Telecommunications 132

Digital Shadows

MARCH 17, 2025

Key Findings Even years after their disclosure, VPN-related vulnerabilities like CVE-2018-13379 and CVE-2022-40684 remain essential tools for attackers, driving large-scale campaigns of credential theft and administrative control. CVE-2018-13379: The Eternal Exploit What is CVE-2018-13379?

VPN 133

VPN Authentication Ransomware Risk 133

Schneier on Security

APRIL 5, 2024

The FCC has also asked carriers to detail any exploits of the protocols since 2018. The regulator wants to know the date(s) of the incident(s), what happened, which vulnerabilities were exploited and with which techniques, where the location tracking occurred, and ­ if known ­ the attacker’s identity.

Surveillance 336

Surveillance Telecommunications 336

The Hacker News

DECEMBER 17, 2024

Meta Platforms, the parent company of Facebook, Instagram, WhatsApp, and Threads, has been fined 251 million (around $263 million) for a 2018 data breach that impacted millions of users in the bloc, in what's the latest financial hit the company has taken for flouting stringent privacy laws.

Data breaches 125

Data breaches Accountability 125

Malwarebytes

OCTOBER 18, 2024

The vulnerability, tracked as CVE-2024-44133 was fixed in the September 16 update for Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).

Adware 145

Adware Spyware Mobile Technology 145

Krebs on Security

DECEMBER 19, 2024

But a review of this Araneida nickname on the cybercrime forums shows they have been active in the criminal hacking scene since at least 2018. That user, “ Exorn ,” has posts dating back to August 2018. THE TURKISH CONNECTION Silent Push notes that the website where Araneida is being sold — araneida[.]co

Hacking 245

Hacking Cybercrime Advertising Data breaches 245

Troy Hunt

APRIL 29, 2021

You can read more about government access in the initial post from 2018. Romania joins a steadily growing number of governments across the globe to have free and unrestricted access to API-based domain searches for their assets in HIBP.

Government 363

Government Data breaches 363

Adam Shostack

JANUARY 2, 2025

[no description provided] I'm at the OWASP AppSec Cali event, and while there's now there'll be video , I'm taking notes: Context for the talk What fails during the development process? Incomplete requirements, non-secure design, lack of security mindset, leaky development These failures are threats which can be mitigated. (eg,

Risk 130

Risk 130

Troy Hunt

MARCH 6, 2024

Back in 2018, we started making Have I Been Pwned domain searches freely available to national government cybersecurity agencies responsible for protecting their nations' online infrastructure. Today, we're very happy to welcome Germany as the 35th country to use this service, courtesy of their CERTBund department.

Government 344

Government Data breaches Cybersecurity 344

Schneier on Security

JULY 28, 2021

Carriers were caught in 2018 selling real-time location data to brokers , drawing the ire of Congress. The Pillar says it obtained 24 months’ worth of “commercially available records of app signal data” covering portions of 2018, 2019, and 2020, which included records of Grindr usage and locations where the app was used.

Mobile 363

Mobile Advertising Data collection Surveillance 363

Penetration Testing

APRIL 8, 2025

Vidar Stealer, a notorious information-stealing malware that first emerged in 2018, continues to pose a significant threat by employing new distribution methods and evasion techniques. G DATA Security Lab’s analysis has uncovered a recent instance where Vidar Stealer was disguised within a legitimate system information tool.

Malware 112

Malware Cybersecurity 112

Krebs on Security

JULY 23, 2020

Worse still, the DFS found, the vulnerability was discovered in a penetration test First American conducted on its own in December 2018. But in Wednesday’s filing, the DFS said First American was unable to determine whether records were accessed prior to Jun 2018.

Insurance 352

Insurance Financial Services Penetration Testing Scams 352

Adam Shostack

JANUARY 2, 2025

[no description provided] I really enjoyed being part of this panel. I felt we had a good mix of experience and some really interesting conversations.

130

130

Schneier on Security

NOVEMBER 30, 2022

Total GDPR fines are over €2 billion (EUR) since 2018. Facebook—Meta—was just fined $276 million (USD) for a data leak that included full names, birth dates, phone numbers, and location. Meta’s total fine by the Data Protection Commission is over $700 million.

275

275

Krebs on Security

AUGUST 16, 2020

In fact, CVE-2020-1464 was first spotted in attacks used in the wild back in August 2018. The last time that August 2018 file was scanned at VirusTotal (Aug 14, 2020), it was detected as a malicious Java trojan by 28 of 59 antivirus programs. And several researchers informed Microsoft about the weakness over the past 18 months.

Antivirus 363

Antivirus Malware Software 363

Security Affairs

NOVEMBER 1, 2024

ThreatFabric observed threat actors using two publicly available exploits (CVE-2018-4233, CVE-2018-4404) to deliver macOS implants. The experts noticed that a portion of the CVE-2018-4404 exploit is likely borrowed from the Metasploit framework.

Spyware 142

Spyware Media Malware Hacking 142

Krebs on Security

DECEMBER 1, 2020

“In early 2018, Vaughn demanded 1.5 Among the Apophis Squad’s targets was encrypted mail service Protonmail, which reached out to this author in 2018 for clues about the identities of the Apophis Squad members after noticing we were both being targeted by them and receiving demands for money in exchange for calling off the attacks.

DDOS 291

DDOS Hacking Mobile Encryption 291

Krebs on Security

FEBRUARY 19, 2020

Networking software giant Citrix Systems says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. 13, 2018 and Mar. 28, 2018, a claim Citrix initially denied but later acknowledged.

VPN 363

VPN Passwords Software Telecommunications 363

Adam Shostack

JANUARY 2, 2025

In the United States in 2018, an estimated 40,000 people lost their lives in car crashes, and 4.5 And while an emergency stop may certainly be a risk minimizing action in some circumstances, describing it as such is surprising, especially when presented in contrast to a "safe stop" maneuver. million people were seriously injured.

Risk 189

Risk Manufacturing Architecture Cybersecurity 189

Schneier on Security

MAY 2, 2024

It banned default passwords in 2018, the law taking effect in 2020. The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with consumers about how long their products will receive security updates for.

Passwords 342

Passwords IoT Manufacturing Telecommunications 342

Krebs on Security

FEBRUARY 4, 2020

The government says Quantum Stresser had more than 80,000 customer subscriptions, and that during 2018 the service was used to conduct approximately 50,000 actual or attempted attacks targeting people and networks worldwide. and international authorities in December 2018 as part of a coordinated takedown targeting attack-for-hire services.

Internet 342

Internet Internet Government Accountability 342

SecureWorld News

NOVEMBER 17, 2024

A multifaceted regulatory environment The Data Protection Act 2018, implementing the EU's GDPR, imposes significant obligations on organizations to handle personal data responsibly. This challenge is especially prevalent for UK small and medium-sized enterprises (SMEs) which account for 99.9% of the UK's business population, 5.5

Cybersecurity 118

Cybersecurity Risk Healthcare Accountability 118

Security Affairs

AUGUST 18, 2024

Boffins demonstrated the vulnerability of fingerprint recognition systems to dictionary attacks using ‘MasterPrints, ‘which are fingerprints that can match multiple other prints.

Architecture 141

Architecture Hacking Risk Information Security 141

Security Affairs

DECEMBER 25, 2024

In 2018, the Lazarus APT group targeted several cryptocurrency exchanges , including the campaign tracked as Operation AppleJeus discovered in August 2018. The FBI will continue to expose and combat the DPRKs use of illicit activitiesincluding cybercrime and virtual currency theftto generate revenue for the regime. FBI concludes.

Cryptocurrency 123

Cryptocurrency Social Engineering Hacking Cybercrime 123

Krebs on Security

FEBRUARY 17, 2021

million in a 2018 ATM cash out scheme targeting a Pakistani bank; and a total of $112 million in virtual currencies stolen between 2017 and 2020 from cryptocurrency companies in Slovenia, Indonesia and New York. Park was previously charged in 2018 in connection with the WannaCry and Sony Pictures attacks. Image: CISA.

Cryptocurrency 341

Cryptocurrency Financial Services Banking Government 341

Schneier on Security

JANUARY 25, 2023

We know Cybercom did similar things in 2018 and 2020, and presumably will again in two years. . “We were doing operations well before the midterms began, and we were doing operations likely on the day of the midterms.” ” And they continued until the elections were certified, he said.

Hacking 312

Hacking Cybersecurity 312

Troy Hunt

JUNE 9, 2021

TB of private data and the first sentence sets the scene: Between 2018 and 2020, a custom Trojan-type malware infiltrated over 3 million Windows-based computers and stole 1.2 (Full disclosure: I'm a strategic advisor for NordVPN who shares the same parent company.) NordLocker has written about the nameless malware that stole 1.2

Malware 363

Malware 363

Schneier on Security

NOVEMBER 30, 2021

After planning began in mid-2018, the Long-Term Retention Lab was up and running in the second half of 2019. The warehouse stores around 3,000 pieces of hardware and software, going back about a decade.

Technology 324

Technology Engineering Software Cybersecurity 324

Schneier on Security

OCTOBER 13, 2021

It’s a matter of going after those with deep pockets. ” Chhabria continued, “In an effort to more effectively stamp out infringement, the plaintiffs now go after a service common to many of the infringers: Cloudflare.

Retail 339

Retail Manufacturing Internet Internet 339

Security Affairs

FEBRUARY 26, 2025

ThreatFabric observed threat actors using two publicly available exploits (CVE-2018-4233, CVE-2018-4404) to deliver macOS implants. The experts noticed that a portion of the CVE-2018-4404 exploit is likely borrowed from the Metasploit framework.

Data collection 105

Data collection Spyware Media Surveillance 105

Krebs on Security

SEPTEMBER 14, 2020

Curiously, in May 2018, its WHOIS ownership records switched to a new name with the same initials: one “ Jonathan Bibi ,” with an address in the offshore company haven of Seychelles. Likewise, Mr. Among those is acheterdubitcoin.org , a business that was blacklisted by French regulators in 2018 for promoting cryptocurrency scams.

Scams 354

Scams Cryptocurrency Accountability Technology 354

Adam Levin

FEBRUARY 21, 2020

Travel and hospitality industries have been a frequent target of hackers in recent years, perhaps most notably being the 2018 Marriott data breach that affected 300 million customers. The company has not yet indicated whether it would be providing credit monitoring or identity theft protection to customers affected by the breach.

Data breaches 305

Data breaches Identity Theft Passwords Technology 305