Troy Hunt

NOVEMBER 22, 2019

Until this month, I'd never heard of People Data Labs (PDL). I'd certainly heard of the sector they operate in - "Data Enrichment" - but I'd never heard of the company itself. I've become more familiar with this sector over recent years due to the frequency with which it's been suffering data breaches that have ultimately landed in my inbox. For example, there's Dun & Bradstreet's NetProspex which leaked 33M records in 2017 , Exactis who had 132M records breached last year and the Apollo dat

Data breaches 361

Data breaches Technology Software Accountability 361

Krebs on Security

NOVEMBER 26, 2019

On Nov. 23, one of the cybercrime underground’s largest bazaars for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards. KrebsOnSecurity has learned this latest batch of cards was siphoned from four different compromised restaurant chains that are most prevalent across the midwest and eastern United States.

Marketing 300

Marketing Cybercrime Retail Advertising 300

Adam Levin

NOVEMBER 26, 2019

One terabyte of data belonging to a major hotel booking platform was found leaked online. A huge trove of customer data belonging to Gekko Group was found online in an unsecured format. The data contained a wide array of records, including full names, credit card details, client login information, email addresses, home addresses and hotel reservations.

B2B 295

B2B Spyware VPN Phishing 295

Schneier on Security

NOVEMBER 20, 2019

Iran has gone pretty much entirely offline in the wake of nationwide protests. This is the best article detailing what's going on; this is also good. AccessNow has a global campaign to stop Internet shutdowns.

Internet 236

Internet Internet 236

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Adam Shostack

NOVEMBER 13, 2019

The more I learn about threat modeling, the more I think the toughest part is how we answer the question: “What can go wrong?” Perhaps that’s “finding threats.” Maybe it’s “discovering” or “eliciting” them. Maybe it’s analogizing from threats we know about. I’m not yet even sure what to call it.

Accountability 184

Accountability Technology Engineering Software 184

Tech Republic Security

NOVEMBER 27, 2019

Even full disk encryption can't keep you secure if your PC firmware is compromised, so Secured-core PCs will use the CPU to check if UEFI is telling the truth about secure boot.

Firmware 174

Firmware Encryption 174

Krebs on Security

NOVEMBER 25, 2019

Tiny hidden spy cameras are a common sight at ATMs that have been tampered with by crooks who specialize in retrofitting the machines with card skimmers. But until this past week I’d never heard of hidden cameras being used at gas pumps in tandem with Bluetooth-based card skimming devices. Apparently, I’m not alone. “I believe this is the first time I’ve seen a camera on a gas pump with a Bluetooth card skimmer,” said Detective Matt Jogodka of the Las Vegas Police Departm

Banking 299

Banking Wireless Encryption Mobile 299

Adam Levin

NOVEMBER 20, 2019

Macy’s has informed customers of an e-skimming data breach following the discovery of Magecart malware on its website. In a letter to affected customers, the retailer said that it had detected malware on its e-commerce website on October 15 and that it had been active for a little over a week. . “The unauthorized code was highly specific and only allowed the third party party to capture information submitted by customers,” stated the letter, explaining that user-submitted data on the site’s chec

Data breaches 176

Data breaches Retail Malware Cybersecurity 176

Schneier on Security

NOVEMBER 29, 2019

Interesting research: " TrojDRL: Trojan Attacks on Deep Reinforcement Learning Agents ": Abstract: : Recent work has identified that classification models implemented as neural networks are vulnerable to data-poisoning and Trojan attacks at training time. In this work, we show that these training-time vulnerabilities extend to deep reinforcement learning (DRL) agents and can be exploited by an adversary with access to the training process.

285

285

Security Affairs

NOVEMBER 26, 2019

Some third-party apps quietly scraped personal information from people’s accounts from Twitter and Facebook, the social media companies claim. Facebook and Twitter revealed that some third-party apps quietly scraped personal information from people’s accounts without their consent. According to the company, the cause of behavior that violates their policies is a couple of “malicious” software development kits (SDKs) used by the third-party iOS and Android apps.

Accountability 130

Accountability Mobile Advertising Marketing 130

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Tech Republic Security

NOVEMBER 28, 2019

As cloud complexity increases, hackers are relying on more targeted attacks, scoping out weak points across a larger attack surface.

Cybersecurity 204

Cybersecurity 204

Troy Hunt

NOVEMBER 18, 2019

You know how banks really, really want to avoid their customers falling victim to phishing scams? And how they put a heap of effort into education to warn folks about the hallmarks of phishing scams? And how banks are the shining beacons of light when it comes to demonstrating security best practices? Ok, that final one might be a bit of a stretch , but the fact remains that people have high expectations of how banks should communicate to ensure that they themselves don't come across as phishers

Banking 238

Banking Phishing Scams Accountability 238

Krebs on Security

NOVEMBER 7, 2019

Hospitals that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts, a new study posits. Health industry experts say the findings should prompt a larger review of how security — or the lack thereof — may be impacting patient outcomes.

Data breaches 246

Data breaches Healthcare Ransomware Cyber threats 246

Dark Reading

NOVEMBER 25, 2019

How can you protect your precious corporate endpoints from the mysterious dangers that might await when you're not by their side? Empower home office users with these tips.

Cybersecurity 127

Cybersecurity 127

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Schneier on Security

NOVEMBER 12, 2019

The Wall Street Journal has a story about how two people were identified as the perpetrators of a ransomware scheme. They were found because -- as generally happens -- they made mistakes covering their tracks. They were investigated because they had the bad luck of locking up Washington, DC's video surveillance cameras a week before the 2017 inauguration.

Ransomware 216

Ransomware Surveillance Hacking 216

Thales Cloud Protection & Licensing

NOVEMBER 6, 2019

As most of us know, IoT devices are on the rise in enterprise networks. According to McKinsey & Company , the proportion of organizations that use IoT products has grown from 13 percent in 2014 to 25 percent today. That pace is unlikely to slow down over the coming years; Pagely noted that organizations are still turning to IoT devices as a way to automate and optimize their business processes as well as save on energy costs.

IoT 122

IoT Risk Energy and Utilities Healthcare 122

Tech Republic Security

NOVEMBER 26, 2019

There's not a one-size-fits-all approach to cybersecurity. Learn some of the common mistakes and how you can get on the right path.

Cybersecurity 205

Cybersecurity 205

Troy Hunt

NOVEMBER 17, 2019

Over the last couple of years, I've been increasingly providing governments with better access to their departments' data exposed in breaches by giving them free and unfettered API access to their domains. As I've been travelling around the world this year, I've been carving out time to spend with governments to better understand the infosec challenges they're facing and the role HIBP can play in helping them tackle those challenges.

Government 238

Government InfoSec 238

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Krebs on Security

NOVEMBER 19, 2019

National Veterinary Associates (NVA), a California company that owns more than 700 animal care facilities around the globe, is still working to recover from a ransomware attack late last month that affected more than half of those properties, separating many veterinary practices from their patient records, payment systems and practice management software.

Ransomware 215

Ransomware Technology Malware Software 215

Dark Reading

NOVEMBER 21, 2019

The wide availability of tools leaked by the Shadow Brokers and WikiLeaks in 2016 and 2017 have given emerging cyber powers a way to catch up, DarkOwl says.

132

132

Schneier on Security

NOVEMBER 18, 2019

Researchers have discovered and revealed 146 vulnerabilities in various incarnations of Android smartphone firmware. The vulnerabilities were found by scanning the phones of 29 different Android makers, and each is unique to a particular phone or maker. They were found using automatic tools, and it is extremely likely that many of the vulnerabilities are not exploitable -- making them bugs but not security concerns.

Firmware 214

Firmware 214

Security Affairs

NOVEMBER 26, 2019

Microsoft revealed that the new Dexphot cryptocurrency miner has already infected more than 80,000 computers worldwide. Security experts at Microsoft analyzed a new strain of cryptocurrency miner tracked as Dexphot that has been active since at least October 2018. The malicious code abuse of the resources of the infected machine to mine cryptocurrency , according to the experts it has already infected 80,000 computers worldwide.

Cryptocurrency 115

Cryptocurrency Malware Encryption Advertising 115

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Tech Republic Security

NOVEMBER 26, 2019

Cyber insurance can help protect your organization from the financial costs associated with data breaches. Learn the details to decide if it's the right fit for your company.

Cyber Insurance 169

Cyber Insurance Insurance Data breaches 169

Troy Hunt

NOVEMBER 24, 2019

Kangaroos! I've been trying to line these guys up for weeks to no avail but finally, they've delivered. Speaking of delivering, I actually got 3 blog posts out this week which I've not done for a while, the most significant of which relates to "data enrichment" companies (also often referred to as "data aggregators"). I have a fundamental issue with the very premise of how these firms operate and I'm getting a little sick of finding my own data in there.

VPN 216

VPN Surveillance Banking Data breaches 216

Krebs on Security

NOVEMBER 20, 2019

A 21-year-old Illinois man was sentenced last week to 13 months in prison for running multiple DDoS-for-hire services that launched millions of attacks over several years. This individual’s sentencing comes more than five years after KrebsOnSecurity interviewed both the defendant and his father and urged the latter to take a more active interest in his son’s online activities.

DDOS 196

DDOS Internet Internet Advertising 196

CTOVision Cybersecurity

NOVEMBER 25, 2019

Thanks to the power of computing you can watch Commodore Grace Hopper delivering her landmark lecture at MIT Laboratory on 25 April 1985. The entire presentation is excellent and worth listening to. But my favorite line is right around 23 minutes in, when after describing the nature of technology innovation she says: “Probably the most […].

Technology 113

Technology 113

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk

Schneier on Security

NOVEMBER 15, 2019

Really interesting research: TPM-FAIL: TPM meets Timing and Lattice Attacks , by Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger. Abstract: Trusted Platform Module (TPM) serves as a hardware-based root of trust that protects cryptographic keys from privileged system and physical adversaries. In this work, we per-form a black-box timing analysis of TPM 2.0 devices deployed on commodity computers.

Firmware 213

Firmware Authentication Manufacturing 213

Security Affairs

NOVEMBER 28, 2019

A piece of the Ryuk Ransomware infected the network of the multinational cybersecurity firm Prosegur, forcing the company to shut down it. The Spanish multinational security company Prosegur announced that it was of a ransomware attack that disrupted its telecommunication platform. Comunicado sobre incidencia de seguridad informática pic.twitter.com/TMdOJzkFCB — Prosegur (@Prosegur) November 27, 2019.

Ransomware 113

Ransomware Cybersecurity Telecommunications Advertising 113

Tech Republic Security

NOVEMBER 29, 2019

Credential stuffing attacks pose a significant risk to consumers and businesses. Learn how they work and what you can do about them.

Risk 191

Risk 191

Troy Hunt

NOVEMBER 7, 2019

We're pretty much at a "secure by default" internet these days, at least that's the assumption with most websites, particularly so in the financial sector. About 80% of all web pages are loaded over an HTTPS connection , browsers are increasingly naggy when anything isn't HTTPS and it's never been cheaper nor easier to HTTPS all your things. Which meant that this rather surprised me: Let me break down what's happening here: I'm in (yet another) hotel and on complete autopilot, I start typing "xe

Passwords 218

Passwords Internet Internet Risk 218

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity