Troy Hunt
SEPTEMBER 26, 2018
I have a love-hate relationship with ad blockers. On the one hand, I despise the obnoxious ads that are forced down our throats at what seems like every turn. On the other hand, I appreciate the need for publishers to earn a living so that I can consume their hard-earned work for free. Somewhere in the middle is a responsible approach, for example the sponsorship banner you see at the top of this blog.
Krebs on Security
SEPTEMBER 21, 2018
It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable reven
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Schneier on Security
SEPTEMBER 11, 2018
This is really interesting research: " BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid ": Abstract : We demonstrate that an Internet of Things (IoT) botnet of high wattage devices-such as air conditioners and heaters-gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid. In particular, we reveal a new class of potential attacks on power grids called the Manipulation of demand via IoT (MadIoT) attacks that can leverage such a bot
The Last Watchdog
SEPTEMBER 21, 2018
For many start-ups, DevOps has proven to be a magical formula for increasing business velocity. Speed and agility is the name of the game — especially for Software as a Service (SaaS) companies. Related: How DevOps enabled the hacking of Uber. DevOps is a process designed to foster intensive collaboration between software developers and the IT operations team, two disciplines that traditionally have functioned as isolated silos with the technology department.
Speaker: Erroll Amacker
Automation is transforming finance but without strong financial oversight it can introduce more risk than reward. From missed discrepancies to strained vendor relationships, accounts payable automation needs a human touch to deliver lasting value. This session is your playbook to get automation right. We’ll explore how to balance speed with control, boost decision-making through human-machine collaboration, and unlock ROI with fewer errors, stronger fraud prevention, and smoother operations.
Adam Levin
SEPTEMBER 20, 2018
An email server containing “sensitive but unclassified” data belonging to the State Department was breached, the government agency announced earlier this month. The information included personally identifiable information of an undisclosed number of employees who have since been notified. While the breach itself is relatively minor, it highlights the relative lack of progress made by the department to enact more rigorous security measures, despite repeated hack attempts and security breaches.
Adam Shostack
SEPTEMBER 14, 2018
Lately, I’ve been asking what takes threat modeling from a practice to a mission. If you’re reading this blog, you may have seen that some people are nearly mad about threat modeling. The ones who say “you’re never done threat modeling.” The ones who’ve made it the center of their work practice. What distinguishes those people from those who keep trying to teach developers about the difference between a hactivist and a script kiddie?
Cyber Security Informer brings together the best content for cyber security professionals from the widest variety of industry thought leaders.
|
Krebs on Security
SEPTEMBER 17, 2018
Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.
Schneier on Security
SEPTEMBER 21, 2018
NIST has released a new study concluding that the AES encryption standard has resulted in a $250 billion world-wide economic benefit over the past twenty years. I have no idea how to even begin to assess the quality of the study and its conclusions -- it's all in the 150-page report, though -- but I do like the pretty block diagram of AES on the report's cover.
The Last Watchdog
SEPTEMBER 13, 2018
Of the many cybersecurity executives I’ve interviewed, Keenan Skelly’s career path may be the most distinctive. Skelly started out as a U.S. Army Explosive Ordnance Disposal (EOD) Technician. “I was on the EOD team that was actually assigned to the White House during 9/11, so I got to see our national response framework from a very high level,” she says.
Adam Levin
SEPTEMBER 19, 2018
Email systems used by some county election officials lack rudimentary security settings and are vulnerable to hacking, according to a recent survey conducted by the nonprofit investigative newsroom, ProPublica. Propublica’s findings include eleven offices protected by only a login and password. Election security best practices suggest 2-Factor authentication for sensitive email accounts.
Advertisement
Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.
Adam Shostack
SEPTEMBER 25, 2018
So cool! STARS-Me (or Space Tethered Autonomous Robotic Satellite – Mini elevator), built by engineers at Shizuoka University in Japan, is comprised of two 10-centimeter cubic satellites connected by a 10-meter-long tether. A small robot representing an elevator car, about 3 centimeters across and 6 centimeters tall, will move up and down the cable using a motor as the experiment floats in space.
Troy Hunt
SEPTEMBER 27, 2018
Home again! Another NDC is down and I talk a little about how the talks were rated and about PubConf (make sure you get to one of these one day!) I've got another couple of weeks at home before any more travel and I'll talk more about the next things as they draw closer. This week, I'm on my new iPhone (which is very similar to my old iPhone), I'm talking about Uber getting fined, Cloudflare introducing some very cool new things, Firefox Monitor launching on top of the HIBP APIs and my newfound
Krebs on Security
SEPTEMBER 27, 2018
The U.S. Secret Service is warning financial institutions about a recent uptick in a form of ATM skimming that involves cutting cupcake-sized holes in a cash machine and then using a combination of magnets and medical devices to siphon customer account data directly from the card reader inside the ATM. According to a non-public alert distributed to banks this week and shared with KrebsOnSecurity by a financial industry source, the Secret Service has received multiple reports about a complex form
Schneier on Security
SEPTEMBER 20, 2018
Of course the ESS ExpressVote voting computer will have lots of security vulnerabilities. It's a computer, and computers have lots of vulnerabilities. This particular vulnerability is particularly interesting because it's the result of a security mistake in the design process. Someone didn't think the security through, and the result is a voter-verifiable paper audit trail that doesn't provide the security it promises.
Advertisement
The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.
The Last Watchdog
SEPTEMBER 18, 2018
All too many companies lack a full appreciation of how vital it has become to proactively manage and keep secure “unstructured data.”. One reason for the enduring waves of ransomware is that unstructured data is easy for hackers to locate and simple for them to encrypt. Related video: Why it’s high time to protect unstructured data. Ironically, many victimized companies are paying hefty ransoms to decrypt unstructured data that may not be all that sensitive or mission critical.
Adam Levin
SEPTEMBER 17, 2018
The first major piece of cybersecurity legislation to address vulnerabilities in Internet of Things (IoT) devices has passed in California, and is ready to be signed into law by Governor Jerry Brown. First introduced in 2017 by State Senator Hannah-Beth Jackson, SB-327 calls for “a manufacturer of a connected device… to equip [it] with a reasonable security feature or features that are appropriate to the nature and function of the device… to protect the device and any information contained there
Security Affairs
SEPTEMBER 29, 2018
The FBI Internet Crime Complaint Center (IC3) warns of cyber attacks exploiting Remote Desktop Protocol (RDP) vulnerabilities. Remote Desktop Protocol (RDP) is a widely adopted protocol for remote administration, but it could dramatically enlarge the attack surface if it isn’t properly managed. The FBI Internet Crime Complaint Center (IC3) and the DHS issued a joint alert to highlight the rise of RDP as an attack vector.
Troy Hunt
SEPTEMBER 13, 2018
This is going to be a brief blog post but it's a necessary one because I can't load the data I'm about to publish into Have I Been Pwned (HIBP) without providing more context than what I can in a single short breach description. Here's the story: Kayo.moe is a free, public, anonymous hosting service. The operator of the service (Kayo) reached out to me earlier this week and advised they'd noticed a collection of files uploaded to the site which appeared to contain personal data from a breach.
Advertisement
Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.
Krebs on Security
SEPTEMBER 28, 2018
Facebook said today some 90 million of its users may get forcibly logged out of their accounts after the company fixed a rather glaring security vulnerability in its Web site that may have let attackers hijack user profiles. In a short blog post published this afternoon, Facebook said hackers have been exploiting a vulnerability in Facebook’s site code that impacted a feature called “View As,” which lets users see how their profile appears to other people. “This allowed t
Schneier on Security
SEPTEMBER 17, 2018
A 2006 document from the Snowden archives outlines successful NSA operations against "a number of "high potential" virtual private networks, including those of media organization Al Jazeera, the Iraqi military and internet service organizations, and a number of airline reservation systems.". It's hard to believe that many of the Snowden documents are now more than a decade old.
The Last Watchdog
SEPTEMBER 6, 2018
All companies today are exposed to intense cyber-attacks. And yet the vast majority simply do not have the capability to effectively defend their networks. That’s where managed security services providers, or MSSPs, come in. MSSPs monitor and manage cybersecurity systems as a contracted service. This can include spam filtering, malware detection, firewalls upkeep, vulnerability management and more.
Adam Levin
SEPTEMBER 10, 2018
Only 34.5 % of the approximately 500 professionals responsible for compliance to the European Union (EU) General Data Protection Regulation (GDPR) report maintaining practices that are in keeping with the regulation, a recent Deloitte poll. According to the poll, one-third of respondents (32.7 %) hope to be compliant within 2018. And, 11.7% plan to take a “wait and see” approach amid uncertainty over how EU regulators in various countries will enforce the new regulation.
Advertisement
Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.
WIRED Threat Level
SEPTEMBER 28, 2018
The social networking giant confirmed Friday that sites you use Facebook to login to could have been accessed as a result of its massive breach.
Troy Hunt
SEPTEMBER 14, 2018
We're on a boat! This week, Scott Helme is back in town so I'm treating him to a rare sight for the Englishman - sunshine ??. We're also talking about my.NET Conf talk, Chrome's visual changes (and rolling back some of them), the FreshMenu data breach, getting better at filtering CSP reports, the effectiveness of public shaming, the kayo.moe credential stuffing list and lastly, Scott talks about his blog post on protecting sites from modified JavaScript (now linked to in the references below).
Krebs on Security
SEPTEMBER 24, 2018
If you’re thinking of donating money to help victims of Hurricane Florence , please do your research on the charitable entity before giving: A slew of new domains apparently related to Hurricane Florence relief efforts are now accepting donations on behalf of victims without much accountability for how the money will be spent. For the past two weeks, KrebsOnSecurity has been monitoring dozens of new domain name registrations that include the terms “hurricane” and/or “flor
Schneier on Security
SEPTEMBER 21, 2018
Lots of people are e-mailing me about this new result on the distribution of prime numbers. While interesting, it has nothing to do with cryptography. Cryptographers aren't interested in how to find prime numbers, or even in the distribution of prime numbers. Public-key cryptography algorithms like RSA get their security from the difficulty of factoring large composite numbers that are the product of two prime numbers.
Advertisement
How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.
The Last Watchdog
SEPTEMBER 2, 2018
Just like the best sourdough bread derives from a “mother” yeast that gets divided, passed around, and used over and over, open-source software applications get fashioned from a “mother” library of code created and passed around by developers. Related: Equifax hack highlights open source attack vectors. In today’s world, quick innovations are a necessity, and software developers would rather not lose valuable time reinventing the wheel.
Adam Levin
SEPTEMBER 11, 2018
The Government Accountability Office released a report detailing last year’s massive Equifax data breach and how hackers were able to infiltrate the company’s systems to gain access to the personal information of at least 145.5 million individuals. According to the report, the hackers took advantage of a recently announced vulnerability in a web server technology called Apache Struts, which Equifax failed to patch or address and that left their systems vulnerable for weeks.
Security Affairs
SEPTEMBER 28, 2018
Facebook hacked – Attackers exploited a vulnerability in the “View As” feature that allowed them to steal Facebook access tokens of 50 Million Users. Facebook hacked, this is news that is rapidly spreading across the Internet. A few hours ago, Facebook announced that an attack on its computer network exposed the personal information of roughly 50 million users.
Troy Hunt
SEPTEMBER 7, 2018
It's been a week of travel for me with API Days in Melbourne on Tuesday, Fortinet Fast & Secure in Sydney on Wednesday then the Varonis webinar yesterday (recorded, I'll share once it's online). Be that as it may, I did manage to pump out a long-awaited blog post on the total cost of running Pwned Passwords in HIBP and its. 2.6c per day ??. This week there's also a few random things ranging from online authenticity (the human kind), changes in Chrome 69 (there's some major visual security in
Speaker: Sierre Lindgren
Fraud is a battle that every organization must face – it’s no longer a question of “if” but “when.” Every organization is a potential target for fraud, and the finance department is often the bullseye. From cleverly disguised emails to fraudulent payment requests, the tactics of cybercriminals are advancing rapidly. Drawing insights from real-world cases and industry expertise, we’ll explore the vulnerabilities in your processes and how to fortify them effectively.
Expert insights. Personalized for you.
279 
Let's personalize your content