This site uses cookies to improve your experience. To help us insure we adhere to various privacy regulations, please select your country/region of residence. If you do not select a country, we will assume you are from the United States. Select your Cookie Settings or view our Privacy Policy and Terms of Use.
Cookie Settings
Cookies and similar technologies are used on this website for proper function of the website, for tracking performance analytics and for marketing purposes. We and some of our third-party providers may use cookie data for various purposes. Please review the cookie settings below and choose your preference.
Used for the proper function of the website
Used for monitoring website traffic and interactions
Cookie Settings
Cookies and similar technologies are used on this website for proper function of the website, for tracking performance analytics and for marketing purposes. We and some of our third-party providers may use cookie data for various purposes. Please review the cookie settings below and choose your preference.
Strictly Necessary: Used for the proper function of the website
Performance/Analytics: Used for monitoring website traffic and interactions
My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it “the largest collection ever of breached data found.” But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of s
No one doubts that artificial intelligence (AI) and machine learning (ML) will transform cybersecurity. We just don't know how , or when. While the literature generally focuses on the different uses of AI by attackers and defenders and the resultant arms race between the two I want to talk about software vulnerabilities. All software contains bugs.
Time and time again, I get emails and DMs from people that effectively boil down to this: Hey, that paste that just appeared in Have I Been Pwned is from Spotify, looks like they've had a data breach Many years ago, I introduced the concept of pastes to HIBP and what they essentially boil down to is monitoring Pastebin and a bunch of other services for when a trove of email addresses is dumped online.
U.S. citizens are more vulnerable to the effects of identity theft and scams as a result of the ongoing government shutdown. The two primary websites created by the government as resources for victims of identity theft, IdentityTheft.gov and FTC.gov/complaint , are currently offline as part of the partial shutdown of the Federal Trade Commission. This effectively leaves victims unable to file reports or get documentation of their stolen identities, which is typically a first step for mitigating
Automation is transforming finance but without strong financial oversight it can introduce more risk than reward. From missed discrepancies to strained vendor relationships, accounts payable automation needs a human touch to deliver lasting value. This session is your playbook to get automation right. We’ll explore how to balance speed with control, boost decision-making through human-machine collaboration, and unlock ROI with fewer errors, stronger fraud prevention, and smoother operations.
Would you back out of a driveway without first buckling up, checking the rear view mirror and glancing behind to double check that the way is clear? Consider that most of us spend more time navigating the Internet on our laptops and smartphones than we do behind the wheel of a car. Yet it’s my experience that most people don’t fully appreciate the profound risks they face online and all too many still do not practice simple behaviors that can dramatically reduce their chances of being victimized
My Linkedin Learning course is getting really strong positive feedback. Today, I want to peel back the cover a bit, and talk about how it came to be. Before I struck a deal with Linkedin, I talked to some of the other popular training sites. Many of them will buy you a microphone and some screen recording software, and you go to town! They even “let” you edit your own videos.
A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that display’s Apple’s logo, address and real phone number, warning about a data breach at the company. The scary part is that if the recipient is an iPhone user who then requests a call back from Apple’s legitimate customer support Web page, the fake call gets indexed in the iPhone’s “recent calls” list as a previous call from the legi
A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that display’s Apple’s logo, address and real phone number, warning about a data breach at the company. The scary part is that if the recipient is an iPhone user who then requests a call back from Apple’s legitimate customer support Web page, the fake call gets indexed in the iPhone’s “recent calls” list as a previous call from the legi
The so-called Crypto Wars have been going on for 25 years now. Basically, the FBI -- and some of their peer agencies in the U.K., Australia, and elsewhere -- argue that the pervasive use of civilian encryption is hampering their ability to solve crimes and that they need the tech companies to make their systems susceptible to government eavesdropping.
I started doing these retrospectives 3 years ago in my first year of independence. I reckon they're a good thing for everyone to do if not in written form then at least mentally to look back on your achievements of the year. They're a great way of reflecting on success (and indeed, on failures) and they also help explain why we all feel so damn tired by the end of the year!
Trojan horse-based malware attacks and spyware rose sharply in 2018 as ransomware-based attacks declined, according to a new report published by Malwarebytes. One of the larger threats outlined in the report was the Emotet Trojan, a sophisticated malware program capable of data theft, network monitoring, and propagating itself onto other vulnerable systems, and the Trickbot Trojan that steals passwords and browser histories from infected machines.
When CyberTown, USA is fully built out, it’s backers envision it emerging as the world’s premier technology hub for cybersecurity and data science. DataTribe , a Fulton, MD-based cybersecurity startup incubator, has been a key backer of this ambitious urban redevelopment project , which broke ground last October in Port Covington, MD, once a bustling train stop on the south side of Baltimore.
Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.
For the last few years, I’ve been delivering in-person threat modeling training. I’ve trained groups ranging from 2 to 100 people at a time, and I’ve done classes as short as a few hours and as long as a week. That training is hands on and intense, and I’m very proud that my NPS customer satisfaction ratings tend to come in around 60-70, up there with Apple and Nordstroms.
The ongoing partial U.S. federal government shutdown is having a tangible, negative impact on cybercrime investigations, according to interviews with federal law enforcement investigators and a report issued this week by a group representing the interests of FBI agents. Even if lawmakers move forward on new proposals to reopen the government, sources say the standoff is likely to have serious repercussions for federal law enforcement agencies for years to come.
A year ago , the Norwegian Consumer Council published an excellent security analysis of children's GPS-connected smart watches. The security was terrible. Not only could parents track the children, anyone else could also track the children. A recent analysis checked if anything had improved after that torrent of bad press. Short answer: no. Guess what: a train wreck.
And then there was the biggest data breach to go into HIBP ever! I wrote that sentence from home just after publishing all the data, then I got on a plane. Holy cow that's a lot of emails! Hundreds upon hundreds of emails came in whilst on the way to Dubai, more than I'll ever be able to respond to. Plus, I'm actually trying to have some downtime with my son on this trip particularly over the next few days so a bunch of stuff is going to have to go unanswered or at best, delayed.
The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.
Sidewalk Labs, a subsidiary of Google’s parent company Alphabet, is the go-to story for Data Privacy Day with its new “user-friendly” tool called Replica, which allows city planners see “how, when, and where people travel in urban areas.”. The Intercept’s explainer details a troubling use of consumer data. “Thanks for all you do,” could be Replica initiative’s tagline, since it seems to aggregate a huge amount of presumably phone-generated data to model the way cities work.
The heyday of traditional corporate IT networks has come and gone. In 2019, and moving ahead, look for legacy IT business networks to increasingly intersect with a new class of networks dedicated to controlling the operations of a IoT-enabled services of all types, including smart buildings, IoT-enabled healthcare services and driverless cars. Related: Why the golden age of cyber espionage is upon us.
Omer Levi Hevroni has a very interesting post exploring ways to represent threat models as code. The closer threat modeling practices are to engineering practices already in place, the more it will be impactful, and the more it will be a standard part of delivery. There’s interesting work in both transforming threat modeling thinking into code, and using code to reduce the amount of thinking required for a project.
Buying heavily discounted, popular software from second-hand sources online has always been something of an iffy security proposition. But purchasing steeply discounted licenses for cloud-based subscription products like recent versions of Microsoft Office can be an extremely risky transaction, mainly because you may not have full control over who has access to your data.
Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.
The Japanese government is going to run penetration tests against all the IoT devices in their country, in an effort to (1) figure out what's insecure, and (2) help consumers secure them: The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras.
Well, it's one more sunny weekly update then snow time again so I've gone particularly beachy today. I'm also particularly breachy , talking about a massive combo list I'm presently pondering for inclusion in HIBP. These lists are frequently used for account takeover attacks against the likes of Spotify which is the subject of this week's blog post.
A gigantic trove of email addresses and passwords containing over 2 billion records has been discovered online. The breached data, dubbed “Collection #1” by cybersecurity expert Troy Hunt , is more than 87 gigabytes and contains roughly 773 million email address and 21 million unique passwords. Hunt found an archive of the data on MEGA, a file-sharing site and has been featured on at least one hacking forum.
The disclosure that malicious intruders hacked the computer systems of the South Korean government agency that oversees weapons and munitions acquisitions for the country’s military forces is not much of a surprise. The breach of some 30 computers of South Korea’s Defense Acquisition Program Administration (DAPA), which is part of the Ministry of National Defense, reportedly occurred last October.
Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.
I’m excited to be able to share “ Announcement: IriusRisk Threat Modeling Platform 2.0 Released.” If you’re looking to scale your enterprise threat modeling program, this is worth a look.
Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com , the world’s largest domain name registrar, KrebsOnSecurity has learned.
This is clever : Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection -- they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn't load on emulators researchers use to detect attacks. The thinking behind the monitoring is that sensors in real end-user devices will record motion as people use them.
So it's been a bit of a crazy week. I got onto the plane in Australia on Thursday evening just as Europe was waking up to the news of the 773M email address credential stuffing list I loaded into HIBP. And then the flood began; blog comments, emails, tweets - it was an absolute deluge. I spent the flight fielding the ones I could, landed in Oslo and dealt with more on the way up the mountain then frankly, got there and tuned out.
How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.
AT&T and T-Mobile announced that in March 2019 they would stop selling user location data to third parties. The announcements came on the heels of a Motherboard article that reported on the ability to track individual cellular phones via “location aggregator” companies with access to mobile customer information. Cellular location data was sold as a customer-friendly feature that could streamline things like roadside assistance and fraud prevention.
Malicious intruders have long recognized that getting their hands on privileged credentials equates to possessing the keys to the kingdom. This is because privileged accounts are widely deployed all across modern business networks — on-premises, in the cloud, across DevOps environments and on endpoints. Related: California enacts pioneering privacy law.
Street thieves who specialize in cashing out stolen credit and debit cards increasingly are hedging their chances of getting caught carrying multiple counterfeit cards by relying on Fuze Cards , a smartcard technology that allows users to store dozens of cards on a single device, the U.S. Secret Service warns. A Fuze card can store up to 30 credit/debit cards.
Fraud is a battle that every organization must face – it’s no longer a question of “if” but “when.” Every organization is a potential target for fraud, and the finance department is often the bullseye. From cleverly disguised emails to fraudulent payment requests, the tactics of cybercriminals are advancing rapidly. Drawing insights from real-world cases and industry expertise, we’ll explore the vulnerabilities in your processes and how to fortify them effectively.
We organize all of the trending information in your field so you don't have to. Join 28,000+ users and stay up to date on the latest articles your peers are reading.
You know about us, now we want to get to know you!
Let's personalize your content
Let's get even more personalized
We recognize your account from another site in our network, please click 'Send Email' below to continue with verifying your account and setting a password.
55 
Let's personalize your content