Krebs on Security

OCTOBER 31, 2021

Virtually all compilers — programs that transform human-readable source code into computer-executable machine code — are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns. The vulnerability disclosure was coordinated with multiple organizations, some of whom are now releasing updates to address the security weakness.

Software 364

Software Information Security Encryption Government 364

Lohrman on Security

OCTOBER 10, 2021

By almost any measure, the breadth, depth and impact of data breaches have dramatically increased during the COVID-19 pandemic. Here’s a roundup of the numbers.

Data breaches 363

Data breaches 363

Schneier on Security

OCTOBER 4, 2021

Facebook — along with Instagram and WhatsApp — went down globally today. Basically, someone deleted their BGP records, which made their DNS fall apart. …at approximately 11:39 a.m. ET today (15:39 UTC), someone at Facebook caused an update to be made to the company’s Border Gateway Protocol (BGP) records. BGP is a mechanism by which Internet service providers of the world share information about which providers are responsible for routing Internet traffic to which specifi

DNS 72

DNS Internet Internet Risk 72

Troy Hunt

OCTOBER 20, 2021

We choose this photo for the cover because this was when it all started. 18-year old Troy, having just discovered the web in early 1995 and chomping at the bit to do something with it. The full tale of what I first did (and how disastrous it ultimately became), is up front early in the book so I won't relay it here, but it's quite the story.

Data breaches 347

Data breaches Internet Internet 347

Speaker: Erroll Amacker

Automation is transforming finance but without strong financial oversight it can introduce more risk than reward. From missed discrepancies to strained vendor relationships, accounts payable automation needs a human touch to deliver lasting value. This session is your playbook to get automation right. We’ll explore how to balance speed with control, boost decision-making through human-machine collaboration, and unlock ROI with fewer errors, stronger fraud prevention, and smoother operations.

Risk

Anton on Security

OCTOBER 21, 2021

My admittedly epic (but dated) post “Security Correlation Then and Now: A Sad Truth About SIEM” mentioned the issue of TRUST as it applies to SIEM. Specifically, as a bit of a throwaway comment, I said “people write stupid string-matching and regex-based content because they trust it. They do not?—?en masse?—?trust the event taxonomies if their lives and breach detections depend on it.

Passwords 257

Passwords Threat Detection Cybersecurity 257

The Last Watchdog

OCTOBER 26, 2021

Our Public Key Infrastructure is booming but also under a strain that manual certificate management workflows are not keeping up with. Related: A primer on advanced digital signatures. PKI and digital certificates were pivotal in the formation of the commercial Internet, maturing in parallel with ecommerce. With digital transformation leading to a boom in the use of digital certificates, our bedrock authentication and encryption framework is at an inflection point, where the demand and adoption

Digital transformation 230

Digital transformation eCommerce Internet Internet 230

Lohrman on Security

OCTOBER 24, 2021

Public- and private-sector organizations are facing staffing shortages, especially in technical positions. But don’t forget to take care of your current staff, who may be struggling with burnout.

304

304

Schneier on Security

OCTOBER 21, 2021

Roger Grimes on why multifactor authentication isn’t a panacea : The first time I heard of this issue was from a Midwest CEO. His organization had been hit by ransomware to the tune of $10M. Operationally, they were still recovering nearly a year later. And, embarrassingly, it was his most trusted VP who let the attackers in. It turns out that the VP had approved over 10 different push-based messages for logins that he was not involved in.

Authentication 361

Authentication Ransomware Social Engineering Engineering 361

Troy Hunt

OCTOBER 9, 2021

A lot of cyber things this week: loads of data breach (or "scrape", In LinkedIn's case) incidents, Windows 11 upgrade experiences and then bricking my house courtesy of a Home Assistant update that fundamentally changed the Tuya integration. So pretty much "same, same but different" to every other week 🙂 References I've done another podcast with 1Password ("Crocodile Shower Privacy Settings with Troy Hunt" - yep!

Password Management 334

Password Management Data breaches Passwords 334

Tech Republic Security

OCTOBER 26, 2021

Supply chain attacks, misinformation campaigns, mobile malware and larger scale data breaches are just some of the threats to watch for next year, Check Point Software says.

Data breaches 218

Data breaches Mobile Malware Software 218

Advertisement

Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.

Cyber threats

The Last Watchdog

OCTOBER 19, 2021

Most of the people I know professionally and personally don’t spend a lot of time contemplating the true price we pay for the amazing digital services we’ve all become addicted to. Related: Blockchain’s role in the next industrial revolution. I’ll use myself as a prime example. My professional and social life revolve around free and inexpensive information feeds and digital tools supplied by Google, Microsoft, Amazon, LinkedIn, Facebook and Twitter.

Internet 223

Internet Internet Cryptocurrency Software 223

Krebs on Security

OCTOBER 13, 2021

A recent phishing campaign targeting Coinbase users shows thieves are getting cleverer about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts.

Passwords 363

Passwords Phishing Accountability Mobile 363

Lohrman on Security

OCTOBER 3, 2021

The Cyber Incident Notification Act of 2021 would require reporting cyber incidents impacting critical infrastructure to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.

Data breaches 260

Data breaches Cybersecurity 260

Schneier on Security

OCTOBER 12, 2021

I feel sorry for the accused : The “security incident” that forced a New-York bound flight to make an emergency landing at LaGuardia Airport on Saturday turned out to be a misunderstanding — after an airline passenger mistook another traveler’s camera for a bomb, sources said Sunday. American Airlines Flight 4817 from Indianapolis — operated by Republic Airways — made an emergency landing at LaGuardia just after 3 p.m., and authorities took a suspicious passen

360

360

Advertisement

The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.

Cybersecurity

Troy Hunt

OCTOBER 2, 2021

Lots of little bits and pieces this week in a later and shorter than usual update. See the references for all the details, but plenty of cyber, some IoT weather station discussion and a bit of chatter around career and me deciding I want to do a "Hack Your Career More" talk once we all get back to doing events in person. Stay tuned for that last one in particular!

Password Management 66

Password Management IoT Encryption Passwords 66

Tech Republic Security

OCTOBER 13, 2021

A ransomware kit costs as little as $66, though it needs to be modified, while a spearphishing attack can run as low as $100, says Altas VPN.

Cybercrime 218

Cybercrime VPN Ransomware 218

The Last Watchdog

OCTOBER 25, 2021

When it comes to cyber attacks, most businesses think: “It could never happen to us,” but some plots are just hitting a little too close to home. Related: T-Mobile breach reflects rising mobile device attacks. For instance, if you’ve ever played Grand Theft Auto, you know the goal is quite simply mass destruction: Use whatever resources you have at your disposal to cause as much damage as you possibly can and just keep going.

Energy and Utilities 214

Energy and Utilities Cyber Attacks Mobile CISO 214

Krebs on Security

OCTOBER 4, 2021

Facebook and its sister properties Instagram and WhatsApp are suffering from ongoing, global outages. We don’t yet know why this happened, but the how is clear: Earlier this morning, something inside Facebook caused the company to revoke key digital records that tell computers and other Internet-enabled devices how to find these destinations online.

Internet 363

Internet Internet DNS Marketing 363

Advertisement

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Passwords

Lohrman on Security

OCTOBER 17, 2021

The National Association of State Chief Information Officers (NASCIO) Annual Conference was held this past week as a live event in Seattle for the first time in two years. What happened, and what’s next?

246

246

Schneier on Security

OCTOBER 22, 2021

Someone has been hacking telecommunications networks around the world: LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures. Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2

Telecommunications 359

Telecommunications Architecture Mobile Hacking 359

Troy Hunt

OCTOBER 23, 2021

Well this is a totally different office view! I'm properly getting into working more on the acoustics and aesthetics to make this the most productive environment possible which means this week things are in a bit of disarray due to ongoing works. Speaking of disarray, I've not been able to raise this week's sponsor in time so as I say in the video, their appearance on my blog this week is a bit. unusual.

312

312

Tech Republic Security

OCTOBER 6, 2021

Unrelated to other recent problems Facebook has had, this particular batch of data was scraped from profiles, meaning it's publicly available knowledge. That doesn't stop it from being dangerous.

218

218

Advertisement

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Software

The Last Watchdog

OCTOBER 28, 2021

Over the past five years, cryptocurrency exchanges have been the target of increasingly damaging “ 51% attacks ” resulting in the theft of over $30 million worth of cryptocurrency to date. Related: Wildland restores control of data to individuals. However, these attacks aren’t due to exchange security flaws; malicious actors are exploiting the underlying consensus protocols of blockchains themselves.

Cryptocurrency 203

Cryptocurrency Technology 203

Krebs on Security

OCTOBER 1, 2021

The U.S. Federal Communications Commission (FCC) is asking for feedback on new proposed rules to crack down on SIM swapping and number port-out fraud, increasingly prevalent scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identity. In a long-overdue notice issued Sept. 30 , the FCC said it plans to move quickly on requiring the mobile companies to adopt more secure methods of authenticating customers before

Wireless 351

Wireless Mobile Passwords Authentication 351

Javvad Malik

OCTOBER 21, 2021

I’ve been thinking of the best way to write this post for several days. Many drafts have ended up being deleted. Which, to be honest, doesn’t have the same visual satisfaction as seeing pages crumpled up into balls and tossed across the room into the bin. But here we are. Last week, KnowBe4, OneLogin, and Eskenzi PR partnered up to attempt to set the Guinness World Record for the Most views of A Cybersecurity Lesson Video on YouTube in 24 hours.

Cybersecurity 160

Cybersecurity 160

Schneier on Security

OCTOBER 18, 2021

The Missouri governor wants to prosecute the reporter who discovered a security vulnerability in a state’s website, and then reported it to the state. The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state. […]. According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials.

Education 354

Education Internet Internet Hacking 354

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Troy Hunt

OCTOBER 15, 2021

I had a bunch of false starts with this one. I don't know if it was just OBS or something else, but we got there after several failed attempts and me resorting to reading Gov Parson's nutty tweets until it all started working. "Nutty" is a bit of a theme this week not just with the Gov, but particularly Thingiverse's extraordinarily poor handling of their data breach.

Data breaches 267

Data breaches Media Hacking 267

Tech Republic Security

OCTOBER 18, 2021

CIOs must prioritize the same business imperatives and find the IT force multipliers to enable growth and innovation, according to a Gartner analyst during Gartner's IT Symposium.

Technology 218

Technology Engineering 218

Security Affairs

OCTOBER 30, 2021

MITRE and CISA announced the release of the “2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses” list. MITRE and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) have announced the release of the “2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses” list. The list was published with the intent of raising awareness of common hardware weaknesses through CWE and educating designers and programmers on how to address them as part of the pr

Firmware 145

Firmware Manufacturing Education Engineering 145

Krebs on Security

OCTOBER 14, 2021

On Wednesday, the St. Louis Post-Dispatch ran a story about how its staff discovered and reported a security vulnerability in a Missouri state education website that exposed the Social Security numbers of 100,000 elementary and secondary teachers. In a press conference this morning, Missouri Gov. Mike Parson (R) said fixing the flaw could cost the state $50 million, and vowed his administration would seek to prosecute and investigate the “hackers” and anyone who aided the publication

Education 336

Education Computers and Electronics Hacking Media 336

Speaker: Sierre Lindgren

Fraud is a battle that every organization must face – it’s no longer a question of “if” but “when.” Every organization is a potential target for fraud, and the finance department is often the bullseye. From cleverly disguised emails to fraudulent payment requests, the tactics of cybercriminals are advancing rapidly. Drawing insights from real-world cases and industry expertise, we’ll explore the vulnerabilities in your processes and how to fortify them effectively.

Scams