August, 2021

Apple’s NeuralHash Algorithm Has Been Reverse-Engineered

Schneier on Security

Apple’s NeuralHash algorithm — the one it’s using for client-side scanning on the iPhone — has been reverse-engineered. Turns out it was already in iOS 14.3,

Welcoming the Turkish Government to Have I Been Pwned

Troy Hunt

Today I'm very happy to welcome the national Turkish CERT to Have I Been Pwned, TR-CERT or USOM, the National Cyber ​​Incident Response Center. They are now the 26th government to have complete and free API level access to query their government domains.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Wanted: Disgruntled Employees to Deploy Ransomware

Krebs on Security

Criminal hackers will try almost anything to get inside a profitable enterprise and secure a million-dollar payday from a ransomware infection.

Biden Sets Cyber Standards for Critical Infrastructure

Lohrman on Security

A new presidential directive announced that performance standards will be released for critical infrastructure operated by the public sector and private companies to bolster national cybersecurity

How to Avoid the Pain and Cost of PCI Compliance While Optimizing Payments

Speaker: P. Andrew Sjogren, Sr. Product Marketing Manager at Very Good Security, Matt Doka, Co-Founder and CTO of Fivestars, and Steve Andrews, President & CEO of the Western Bankers Association 

In this webinar, we have a great set of panelists who will take you through how Zero Data strategies can be used as part of a well-rounded compliance and security approach, and get you to market much sooner by also allowing for payment optimization. They’ll share how to grow your business faster and minimize costs for both security and compliance

ROUNDTABLE: Why T-Mobile’s latest huge data breach could fuel attacks directed at mobile devices

The Last Watchdog

TMobile has now issued a formal apology and offered free identity theft recovery services to nearly 48 million customers for whom the telecom giant failed to protect their sensitive personal information.

Mobile 235

13 Important Considerations When Obtaining Cyber Liability Insurance

Joseph Steinberg

(I co-wrote this article with Mark Lynd , CISSP, ISSAP & ISSMP, Head of Digital Business at NETSYNC.).

More Trending

Why No HTTPS? The 2021 Version

Troy Hunt

More than 3 years ago now, Scott Helme and I launched a little project called Why No HTTPS? It listed the world's largest websites that didn't properly redirect insecure requests to secure ones.

VPN 283

Phishing Sites Targeting Scammers and Thieves

Krebs on Security

I was preparing to knock off work for the week on a recent Friday evening when a curious and annoying email came in via the contact form on this site: “Hello I go by the username Nuclear27 on your site Briansclub[.]com

The Case for Establishing a Digital Geneva Convention

Lohrman on Security

Exponential increases in global cyber crime. Ransomware crippling governments and businesses. Nations ignoring cyber criminals operating on their soil. The time for international cooperation on cybersecurity is now.

25 Years In Appsec: Looking Back

Adam Shostack

Twenty-five years ago I published a set of code review guidelines that I had crafted while working for a bank. I released them (thanks, SteveMac!) to get feedback and advice, because back then, there was exceptionally little in terms of practical advice on what we now call AppSec.

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

Global Foundation for Cyber Studies and Research Launches Cyber-Policy Magazine, Cyber Insights

Joseph Steinberg

The Global Foundation for Cyber Studies and Research (GFCyber) announced today that it has launched Cyber Insights , a new digital magazine that aims to help readers stay informed about contemporary cyber-related issues and their potential ramifications, from the perspectives of policy, practice, and technology.

Using “Master Faces” to Bypass Face-Recognition Authenticating Systems

Schneier on Security

Fascinating research: “ Generating Master Faces for Dictionary Attacks with a Network-Assisted Latent Space Evolution.” ” Abstract: A master face is a face image that passes face-based identity-authentication for a large portion of the population.

Weekly Update 256

Troy Hunt

Well this week went on for a bit, an hour and 6 mins in all. The 2 Apple things were particularly interesting due to the way in which both catching CSAM baddies and catching baddies who steal your things involves using technology that can be abused. Is it good tech because it can do good things?

T-Mobile: Breach Exposed SSN/DOB of 40M+ People

Krebs on Security

T-Mobile is warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company.

Mobile 232

SIM Swapping Is a Growing Cyber Threat — Here’s Help

Lohrman on Security

From cryptocurrency thefts to hacking bank accounts, SIM swapping is a growing threat online. Here are relevant definitions, real-world examples and tips to help stop cyber criminals

MY TAKE: What NortonLifeLock’s $8 billion buyout of Avast portends for consumer security

The Last Watchdog

So NortonLifeLock has acquired Avast for more than $8 billion. This deal reads like to the epilogue to a book titled The First 20 Years of the Supremely Lucrative Antivirus Market. Way back in 1990, Symantec acquired Norton Utilities and made Norton the heart of its antivirus subscription offering. Related: The coming of ubiquitous passwordless access.

Ransomware Hits Maine Sewage Treatment Plants, Sounding The Alarm About Dangerous CyberSecurity Risks At America’s Many Small Critical Infrastructure Providers

Joseph Steinberg

Two recent ransomware attacks successfully breached computers at wastewater management plants in the US State of Maine , according to a statement by the state’s Department of Environmental Protection.

More on Apple’s iPhone Backdoor

Schneier on Security

In this post, I’ll collect links on Apple’s iPhone backdoor for scanning CSAM images. Previous links are here and here. Apple says that hash collisions in its CSAM detection system were expected, and not a concern.

Weekly Update 258

Troy Hunt

A really brief intro as this is my last key strokes before going properly off the grid for the next week (like really off the grid, middle of nowhere style).

T-Mobile Investigating Claims of Massive Data Breach

Krebs on Security

Cyber in Afghanistan: Tech’s Vital Role in Kabul Evacuation

Lohrman on Security

The desperate images coming out of Afghanistan following the Taliban’s takeover last weekend underline the importance of technology and the real-life impacts when planning goes well — or not so well.

GUEST ESSAY: Top 5 cyber exposures tied to the rising use of international remote workforces

The Last Watchdog

While every business needs to prioritize cybersecurity, doing so is becoming increasingly complicated. With many employees now working remotely, securing company data isn’t as straightforward as it used to be. Things get even more complicated if you have an international remote workforce. Related: Employees as human sensors. As of 2018, more than 2 million people were working abroad for U.S. companies in China alone.

Kill SOC Toil, Do SOC Eng

Anton on Security

As you are reading our recent paper “Autonomic Security Operations?—?10X 10X Transformation of the Security Operations Center” , some of you may think “Hey, marketing inserted that 10X thing in there.” Well, 10X thinking is, in fact, an ancient tradition here at Google. We think that it is definitely possible to apply “10X thinking” to many areas of security (at the same link , they say that sometimes it is “easier to make something 10 times better than it is to make it 10 percent better” ).

Zoom Lied about End-to-End Encryption

Schneier on Security

The facts aren’t news, but Zoom will pay $85M — to the class-action attorneys, and to users — for lying to users about end-to-end encryption, and for giving user data to Facebook and Google without consent.

Weekly Update 255

Troy Hunt

I'm back in the office this week and back to decent audio and video quality.

Man Robbed of 16 Bitcoin Sues Young Thieves’ Parents

Krebs on Security

In 2018, Andrew Schober was digitally mugged for approximately $1 million worth of bitcoin.

Remote Work Nearly Killed Email Etiquette. Let’s Bring It Back

Lohrman on Security

Email tips abound, but lasting email etiquette is severely lacking at home and work in 2021

198
198

Black Hat insights: WAFs are getting much more dynamic making them well-suited to protect SMBs

The Last Watchdog

A cornucopia of cybersecurity solutions went on public display today as Black Hat USA 2021 convened once more as a live event in Las Vegas. Related: Kaseya hack raises more supply chain worries. For small- and mid-sized businesses (SMBs) cutting through the marketing hype can be daunting.

The COVID testbed and AI

Adam Shostack

There’s a really interesting article in MIT Tech Review, Hundreds of AI tools have been built to catch covid. None of them helped. Oops, I think I gave away the ending.

Risk 151

The European Space Agency Launches Hackable Satellite

Schneier on Security

Of course this is hackable: A sophisticated telecommunications satellite that can be completely repurposed while in space has launched. […]. Because the satellite can be reprogrammed in orbit, it can respond to changing demands during its lifetime. […].

What Is Leakware?

Doctor Chaos

Ransomware — a kind of malware attack that encrypts a computer’s files, leaving PC owners scrambling to pay the ransom to gain the decryption key — has been hitting the news more often in the past few years.

Microsoft Patch Tuesday, August 2021 Edition

Krebs on Security

Microsoft today released software updates to plug at least 44 security vulnerabilities in its Windows operating systems and related products.

Cyber-Liability Insurance 101: First Party Vs. Third Party Risks

Joseph Steinberg

One of the important concepts about which people must be aware when evaluating their cybersecurity postures and related liabilities, but which, for some reason, many folks seem to be unaware, is the difference between first-party risks and third-party risks.

Black Hat insights: Deploying ‘human sensors’ to reinforce phishing email detection and response

The Last Watchdog

Human beings remain the prime target in the vast majority of malicious attempts to breach company networks. Related: Stealth tactics leveraged to weaponize email. Cybersecurity awareness training is valuable and has its place. Yet as Black Hat USA 2021 returns today as a live event in Las Vegas, it remains so true that we can always be fooled — and that the prime vehicle for hornswoggling us remains phishing messages sent via business email.

The Strange World of “Good Enough” Fencing

Daniel Miessler

I’ve always been fascinated by security that was “just good enough” I think lots of security actually qualifies (see The News), but I think fencing (and maybe bike locks) take first prize. As a kid I used to love breaking into stuff. Nighttime construction sites.

Risk 199