April, 2021

Explaining Threats, Threat Actors, Vulnerabilities, and Risk Using a Real-World Scenario

Daniel Miessler

Casey Ellis (of Bugcrowd fame) had a great post on Twitter today about security terminology. Casey also added that Acceptable Risk would be being willing to get punched in the face.

Risk 226

Leaving WhatsApp – Treating the Symptom, Not the Cause

Javvad Malik

A few months ago, many people were riled up over the proposed updates to WhatsApp terms and conditions. The popular messaging service which was acquired by Facebook in 2014 for $16bn, was apparently updating its Ts and Cs which users had to either accept or choose to leave.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

What Are You NOT Detecting?

Anton on Security

What are you not detecting? OK, what threats are you NOT detecting? Still didn’t help? What I mean here is: are you thinking about these: Threats that you don’t need to detect due to your risk profile, your threat assessment, etc. Threats that you do need to detect, but don’t know how. Threats that you do need to detect and know how, but cannot operationally (e.g. your SIEM will crash if you inject all the cloud logs). Threats that you do need to detect and know how, but do not (yet?)

Risk 116

LinkedIn Email Subjects Remain The Top-Clicked Social Media Phishing Scams in 2021

Hot for Security

A recent study analyzing the most effective social media phishing scams shows that LinkedIn-related emails were among the most successful entry points in the first quarter of 2021.

Media 107

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

6 Most Common Web Security Vulnerabilities (And How To Tackle Them)

SecureBlitz

As a business, your website is your online headquarters. A security breach on your website is equal to someone breaking into your office and stealing your business records and information about your customers.

Passwordstate password manager hacked in supply chain attack

Bleeping Computer

Click Studios, the company behind the Passwordstate password manager, notified customers that attackers compromised the app's update mechanism to deliver malware in a supply-chain attack after breaching its networks. [.]. Security

More Trending

ParkMobile Breach Exposes License Plate Data, Mobile Numbers of 21M Users

Krebs on Security

Someone is selling account information for 21 million customers of ParkMobile , a mobile parking app that’s popular in North America. The stolen data includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses.

Mobile 262

Backdoor Added — But Found — in PHP

Schneier on Security

Unknown hackers attempted to add a backdoor to the PHP source code. It was two malicious commits , with the subject “fix typo” and the names of known PHP developers and maintainers. They were discovered and removed before being pushed out to any users.

Ransomware: 8 Things That You Must Know

Joseph Steinberg

While ransomware may seem like a straightforward concept, people who are otherwise highly-knowledgeable seem to cite erroneous information about ransomware on a regular basis. As such, I would like to point out 8 essential points about ransomware.

Three Years In: An Update on the Georgia Cyber Center

Lohrman on Security

211
211

The Grey Brick That Changed the World: The Nintendo Game Boy

Doctor Chaos

This week marked an important anniversary; Nintendo’s original Game Boy turned 31. The monochrome system, or more accurately a yellowish and 4 shades of grey system, may have been one of the most significant devices in the 20th century. The 8-bit system was released to the world on April 21st, 1989.

Mobile 192

Data Breaches, Class Actions and Ambulance Chasing

Troy Hunt

This post has been brewing for a while, but the catalyst finally came after someone (I'll refer to him as Jimmy) recently emailed me regarding the LOQBOX data breach from 2020.

Experian API Exposed Credit Scores of Most Americans

Krebs on Security

Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned.

Signal Adds Cryptocurrency Support

Schneier on Security

According to Wired , Signal is adding support for the cryptocurrency MobileCoin, “a form of digital cash designed to work efficiently on mobile devices while protecting users’ privacy and even their anonymity.”

Five Interesting Israeli CyberSecurity Companies

Joseph Steinberg

Back in 2015 and 2017, I ran articles in Inc. about various innovative Israeli startups , in which I featured firms that I selected based on numerous discussions that I had had with tech-company CEOs and with journalists who cover the Israeli startup scene.

Adam Levin Discusses Facebook Data Leak on NPR

Adam Levin

Adam Levin spoke with NPR about the recent data archive of over 500 million Facebook accounts found on a hacking forum. “It’s serious when phone numbers are out there. The danger when you have phone numbers in particular is a universal identifier,” said Levin. Read the article here.

NIST Releases Draft Guidance on Election Cybersecurity

Lohrman on Security

Weekly Update 238

Troy Hunt

"What a s**t week". I stand by that statement in the opening couple of minutes of the video and I write this now at midday on Saturday after literally falling asleep on the couch. The Facebook incident just dominated; everything from processing data to writing code to dozens of media interviews.

Media 228

Are You One of the 533M People Who Got Facebooked?

Krebs on Security

Ne’er-do-wells leaked personal data — including phone numbers — for some 553 million Facebook users this week. Facebook says the data was collected before 2020 when it changed things to prevent such information from being scraped from profiles.

Mobile 233

The FBI Is Now Securing Networks Without Their Owners’ Permission

Schneier on Security

In January, we learned about a Chinese espionage campaign that exploited four zero-days in Microsoft Exchange.

219
219

MY TAKE: How consumer-grade VPNs are enabling individuals to do DIY security

The Last Watchdog

Historically, consumers have had to rely on self-discipline to protect themselves online. Related: Privacy war: Apple vs. Facebook. I’ve written this countless times: keep your antivirus updated, click judiciously, practice good password hygiene. Then about 10 years ago, consumer-grade virtual private networks, or VPNs, came along, providing a pretty nifty little tool that any individual could use to deflect invasive online tracking. Consumer-grade VPNs have steadily gained a large following.

B2C 169

What if We Made Paying Ransoms Illegal?

Daniel Miessler

I was on Twitter the other day and saw someone suggest that we could fix people paying ransoms by making it illegal for them to do so. I was a bit flippant with my response.

Post-Pandemic Tech Job Market: The Good, Bad and Ugly

Lohrman on Security

As we emerge from the worst pandemic in a century, many public- and private-sector employees and employers are reassessing their options within technology and cybersecurity roles

Welcoming the Ukrainian Government to Have I Been Pwned

Troy Hunt

Another month, another national government to bring onto Have I Been Pwned. This time it's the Ukrainian National Cybersecurity Coordination Center who now has access to monitor all their government domains via API domain search, free of charge.

Ubiquiti All But Confirms Breach Response Iniquity

Krebs on Security

When AIs Start Hacking

Schneier on Security

If you don’t have enough to worry about already, consider a world where AIs are hackers. Hacking is as old as humanity. We are creative problem solvers. We exploit loopholes, manipulate systems, and strive for more influence, power, and wealth.

MY TAKE: How SMBs can improve security via ‘privileged access management’ (PAM) basics

The Last Watchdog

As digital transformation kicks into high gear, it’s certainly not getting any easier to operate IT systems securely, especially for small- and medium-sized businesses. Related: Business-logic attacks target commercial websites. SMBs are tapping into cloud infrastructure and rich mobile app experiences, making great leaps forward in business agility, the same as large enterprises.

COVID-19 Vaccination Management Problems Have Created a Privacy Nightmare For Americans – Even Without Vaccine Passports

Joseph Steinberg

Poorly-designed processes and shoddy information-systems, coupled with a prevailing atmosphere of general mismanagement, have created a privacy nightmare for Americans being vaccinated against COVID-19; some of the problems being created now will likely still impact people many years after the pandemic ends.

Idaho CISO Shares Experience from Public, Private Sectors

Lohrman on Security

CISO 148

Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU

Troy Hunt

Earlier this year, the FBI in partnership with the Dutch National High Technical Crimes Unit (NHTCU), German Federal Criminal Police Office (BKA) and other international law enforcement agencies brought down what Europol rereferred to as the world's most dangerous malware: Emotet.

Experian’s Credit Freeze Security is Still a Joke

Krebs on Security

In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer’s request to freeze their credit file at Experian , one of the big three consumer credit bureaus in the United States.

Identifying People Through Lack of Cell Phone Use

Schneier on Security

In this entertaining story of French serial criminal Rédoine Faïd and his jailbreaking ways, there’s this bit about cell phone surveillance: After Faïd’s helicopter breakout, 3,000 police officers took part in the manhunt.

How I pwned an ex-CISO and the Smashing Security Podcast

Javvad Malik

Disclaimer, this was a bit of fun with consent. But there are some worthwhile things to bear in mind. If you’re predictable, then criminals can take advantage of that.

CISO 141

GUEST ESSAY: The missing puzzle piece in DevSecOps — seamless source code protection

The Last Watchdog

We live in a time where technology is advancing rapidly, and digital acceleration is propelling development teams to create web applications at an increasingly faster rhythm. The DevOps workflow has been accompanying the market shift and becoming more efficient every day – but despite those efforts, there was still something being overlooked: application security. Related: ‘Fileless’ attacks on the rise.

The Grey Brick That Changed the World: The Nintendo Game Boy

Doctor Chaos

This week marked an important anniversary; Nintendo’s original Game Boy turned 31. The monochrome system, or more accurately a yellowish and 4 shades of grey system, may have been one of the most significant devices in the 20th century. The 8-bit system was released to the world on April 21st, 1989.

Mobile 130

Welcoming the Romanian Government to Have I Been Pwned

Troy Hunt

Today I'm very happy to announce the arrival of the 15th government to Have I Been Pwned, Romania. As of now, CERT-RO has access to query all Romanian government domains across HIBP and subscribe them for future notifications when subsequent data breaches affect aliases on those domains.