March, 2021

I Now Own the Coinhive Domain. Here's How I'm Fighting Cryptojacking and Doing Good Things with Content Security Policies.

Troy Hunt

If you've landed on this page because you saw a strange message on a completely different website then followed a link to here, drop a note to the site owner and let them know what happened.

Cyber Attacks: Is the ‘Big One’ Coming Soon?

Lohrman on Security

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

National Security Risks of Late-Stage Capitalism

Schneier on Security

Early in 2020, cyberspace attackers apparently working for the Russian government compromised a piece of widely used network management software made by a company called SolarWinds.

Risk 244

Deconstructing that $69million NFT

Errata Security

"NFTs" have hit the mainstream news with the sale of an NFT based digital artwork for $69 million. I thought I'd write up an explainer. Specifically, I deconstruct that huge purchase and show what actually was exchanged, down to the raw code. The answer: almost nothing).

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

GUEST ESSAY: How and why ‘pen testing’ will continue to play a key role in cybersecurity

The Last Watchdog

When we look at society today, we can see that we are moving further and further ahead with technology. Numerous advancements are being made at an extremely fast pace with no sign of slowing down. In fact, there is evidence that technology grows exponentially fast. Since we are quickly putting out large technologies, security risks always come with this. Related: Integrating ‘pen tests’ into firewalls. Even large companies are not immune to this.

A Basic Timeline of the Exchange Mass-Hack

Krebs on Security

Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion.

More Trending

Vaccine Passports: Who, What, When, Where and How?

Lohrman on Security

266
266

Illegal Content and the Blockchain

Schneier on Security

Security researchers have recently discovered a botnet with a novel defense against takedowns. Normally, authorities can disable a botnet by taking over its command-and-control server. With nowhere to go for instructions, the botnet is rendered useless.

Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait…

Anton on Security

Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait… This is about the Security Operations Center (SOC). And automation. And of course SOC automation. Let’s start from a dead-obvious point: you cannot and should not automate away all people from your SOC today.

The Consumer Authentication Strength Maturity Model (CASMM)

Daniel Miessler

This post is an attempt to create an easy-to-use security model for the average internet user. Basically, how secure is someone’s current behavior with respect to passwords and authentication, and how can they improve? People like moving up rankings, so let’s use that!

Whistleblower: Ubiquiti Breach “Catastrophic”

Krebs on Security

On Jan. 11, Ubiquiti Inc. NYSE:UI] — a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras — disclosed that a breach involving a third-party cloud provider had exposed customer account credentials.

Home Assistant, Pwned Passwords and Security Misconceptions

Troy Hunt

Two of my favourite things these days are Have I Been Pwned and Home Assistant. The former is an obvious choice, the latter I've come to love as I've embarked on my home automation journey. So, it was with great pleasure that I saw the two integrated recently: always something.

Reducing Cybersecurity Risk With Minimal Resources

Lohrman on Security

Risk 267

No, RSA Is Not Broken

Schneier on Security

I have been seeing this paper by cryptographer Peter Schnorr making the rounds: “Fast Factoring Integers by SVP Algorithms.” ” It describes a new factoring method, and its abstract ends with the provocative sentence: “This destroys the RSA cryptosystem.”

212
212

2021 Threat Intelligence Use Cases

Anton on Security

For a reason that shall remain nameless, I’ve run this quick poll focused on the use cases for threat intelligence in 2021. The question and the results are below. Antons Threat Intel Poll 2021 Here are some thoughts and learnings based on the poll and the discussion , as well as other things.

Don’t Bother Using The “Device Filter” Security Feature Offered By Your Home Network Router

Joseph Steinberg

The MAC address “device filtering” feature of your LAN’s router is unlikely to provide you with any significant security benefits – and, if you enable the feature, it may cause you heartaches.

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

Krebs on Security

CASMM (The Consumer Authentication Strength Maturity Model)

Daniel Miessler

This post is an attempt to create an easy-to-use security model for the average internet user. People like moving up rankings, so let’s use that! Basically, how secure is someone’s current behavior with respect to passwords and authentication, and what can they do to improve?

Should Technology Product Training Be Free?

Lohrman on Security

Easy SMS Hijacking

Schneier on Security

Vice is reporting on a cell phone vulnerability caused by commercial SMS services. One of the things these services permit is text message forwarding.

Don’t run that code

Javvad Malik

The dangers of downloading untrusted code from the internet is well documented. You never know what is contained within someone else’s code, be it sloppy coding, or malicious intent. If it is a snippet of code that you can easily read, it can be relatively risk free.

Joseph Steinberg On The World Of CyberSecurity: An Interview

Joseph Steinberg

This past week, Canada’s National Post newspaper ran a special supplement focusing on cybersecurity; the cover story featured an interview of Joseph Steinberg about t he ever-evolving world of cybersecurity.

Three Top Russian Cybercrime Forums Hacked

Krebs on Security

Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked.

GUEST ESSAY: ‘Cybersecurity specialist’ tops list of work-from-home IT jobs that need filling

The Last Watchdog

Even before the COVID-19 pandemic turned many office workers into work-from-home (WFH) experts, the trend toward working without having to commute was clear. Related: Mock attacks help SMBs harden defenses. As internet bandwidth has become more available, with homes having access to gigabit download speeds, a whole new world of career paths has opened for those who want to control their work hours and conditions.

Weekly Update 236

Troy Hunt

This ?????? I mean it's a lovely device, but it's just impossible to use it as an audio source in the browser without it killing the camera.

145
145

Security Analysis of Apple’s “Find My…” Protocol

Schneier on Security

Interesting research: “ Who Can Find My Devices?

Exchanging Web Shells

Doctor Chaos

Tony G and Aamir Lakhani discuss the Microsoft Exchange Zero-Day vulnerabilities. Click here to listen to the podcast on Soundcloud or find us on your favorite podcast app. Podcast

141
141

Microsoft Autoupdate hangs Excel 16.47.21032301

Adam Shostack

Microsoft AutoUpdate for Mac has gotten exceptionally aggressive about running. Even if you use launchctl to disable it, you get a pop up roughly every 15 minutes of using an Office program. That’s probably a good thing, overall. There’s plenty of evidence that update failures leave folks vulnerable. Note that I’m saying “update failures,” rather than “failure to update”, because updates fail.

131
131

Can We Stop Pretending SMS Is Secure Now?

Krebs on Security

SMS text messages were already the weakest link securing just about anything online, mainly because there are tens of thousands of employees at mobile stores who can be tricked or bribed into swapping control over a mobile phone number to someone else.

MY TAKE: Apple users show strong support for Tim Cook’s privacy war against Mark Zuckerberger

The Last Watchdog

Like a couple of WWE arch rivals, Apple’s Tim Cook and Facebook’s Mark Zuckerberg have squared off against each other in a donnybrook over consumer privacy. Cook initially body slammed Zuckerberg — when Apple issued new privacy policies aimed at giving U.S. consumers a smidgen more control over their personal data while online. Related: Raising kids who care about their privacy.

Weekly Update 233

Troy Hunt

Data breaches all over the place this week!

VPN 145

More on the Chinese Zero-Day Microsoft Exchange Hack

Schneier on Security

Nick Weaver has an excellent post on the Microsoft Exchange hack: The investigative journalist Brian Krebs has produced a handy timeline of events and a few things stand out from the chronology. The attacker was first detected by one group on Jan. 5 and another on Jan.

What Is Digital Forensics in Cybersecurity and Why Is It Important?

Doctor Chaos

Cybersecurity is a vast sector that incorporates several subfields. While protecting invaluable data and digital assets, it’s essential to have numerous professionals working on cybersecurity at all times.

Threat Modeling Classes

Adam Shostack

I have been lucky through these unprecendented and challenging times, and I’m grateful to have avoided many of the awful problems that others have faced.

No, I Did Not Hack Your MS Exchange Server

Krebs on Security

New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name. Let’s just get this out of the way right now: It wasn’t me.

MY TAKE: Why ‘basic research’ is so vital to bringing digital transformation to full fruition

The Last Watchdog

Basic research, also called pure research, is aimed at advancing scientific theories unfettered by commercial interests. Related: The case for infusing ethics into Artifical Intelligence. Basic research is the foundational theorizing and testing scientists pursue in order to advance their understanding of a phenomenon in the natural world, and, increasingly, in the digital realm.