Krebs on Security

SEPTEMBER 21, 2018

It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable reven

Identity Theft 277

Identity Theft Banking Insurance Marketing 277

Troy Hunt

SEPTEMBER 26, 2018

I have a love-hate relationship with ad blockers. On the one hand, I despise the obnoxious ads that are forced down our throats at what seems like every turn. On the other hand, I appreciate the need for publishers to earn a living so that I can consume their hard-earned work for free. Somewhere in the middle is a responsible approach, for example the sponsorship banner you see at the top of this blog.

DNS 274

DNS Risk 274

Schneier on Security

SEPTEMBER 14, 2018

Quantum computing is a new way of computing -- one that could allow humankind to perform computations that are simply impossible using today's computing technologies. It allows for very fast searching, something that would break some of the encryption algorithms we use today. And it allows us to easily factor large numbers, something that would break the RSA cryptosystem for any key length.

Encryption 253

Encryption Technology Engineering Authentication 253

Adam Levin

SEPTEMBER 20, 2018

An email server containing “sensitive but unclassified” data belonging to the State Department was breached, the government agency announced earlier this month. The information included personally identifiable information of an undisclosed number of employees who have since been notified. While the breach itself is relatively minor, it highlights the relative lack of progress made by the department to enact more rigorous security measures, despite repeated hack attempts and security breaches.

Authentication 203

Authentication Government Cyber Attacks Cybersecurity 203

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Adam Shostack

SEPTEMBER 14, 2018

Lately, I’ve been asking what takes threat modeling from a practice to a mission. If you’re reading this blog, you may have seen that some people are nearly mad about threat modeling. The ones who say “you’re never done threat modeling.” The ones who’ve made it the center of their work practice. What distinguishes those people from those who keep trying to teach developers about the difference between a hactivist and a script kiddie?

Engineering 200

Engineering Media Technology 200

The Last Watchdog

SEPTEMBER 6, 2018

All companies today are exposed to intense cyber-attacks. And yet the vast majority simply do not have the capability to effectively defend their networks. That’s where managed security services providers, or MSSPs, come in. MSSPs monitor and manage cybersecurity systems as a contracted service. This can include spam filtering, malware detection, firewalls upkeep, vulnerability management and more.

Digital transformation 167

Digital transformation Technology Mobile Firewall 167

Troy Hunt

SEPTEMBER 11, 2018

Here's how it normally plays out: It all begins when a company pops up online and makes some sort of ludicrous statement related to their security posture, often as part of a discussion on a public social media platform such as Twitter. Shortly thereafter, the masses descend on said organisation and express their outrage at the stated position. Where it gets interesting (and this is the whole point of the post), is when another group of folks pop up and accuse the outraged group of doing a bit o

Media 260

Media Accountability Passwords Mobile 260

Schneier on Security

SEPTEMBER 21, 2018

NIST has released a new study concluding that the AES encryption standard has resulted in a $250 billion world-wide economic benefit over the past twenty years. I have no idea how to even begin to assess the quality of the study and its conclusions -- it's all in the 150-page report, though -- but I do like the pretty block diagram of AES on the report's cover.

Encryption 228

Encryption 228

Security Affairs

SEPTEMBER 28, 2018

Facebook hacked – Attackers exploited a vulnerability in the “View As” feature that allowed them to steal Facebook access tokens of 50 Million Users. Facebook hacked, this is news that is rapidly spreading across the Internet. A few hours ago, Facebook announced that an attack on its computer network exposed the personal information of roughly 50 million users.

Hacking 103

Hacking Accountability Advertising Data breaches 103

WIRED Threat Level

SEPTEMBER 28, 2018

The social networking giant confirmed Friday that sites you use Facebook to login to could have been accessed as a result of its massive breach.

111

111

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Thales Cloud Protection & Licensing

SEPTEMBER 12, 2018

The Internet of Things (IoT) is rapidly growing and expected to affect all industry verticals as well as our private lives. It is no secret that security plays a very important part in the successful deployment and management of this technology, and its applications are set to transform the way we live and do business. In this blog, we reached out to our technology partner Nexus to better understand the challenges that the industry faces to ensure safe deployment and management of IoT technologi

IoT 92

IoT Computers and Electronics Authentication Marketing 92

Krebs on Security

SEPTEMBER 27, 2018

The U.S. Secret Service is warning financial institutions about a recent uptick in a form of ATM skimming that involves cutting cupcake-sized holes in a cash machine and then using a combination of magnets and medical devices to siphon customer account data directly from the card reader inside the ATM. According to a non-public alert distributed to banks this week and shared with KrebsOnSecurity by a financial industry source, the Secret Service has received multiple reports about a complex form

Banking 234

Banking Scams Cybercrime Accountability 234

Troy Hunt

SEPTEMBER 27, 2018

Home again! Another NDC is down and I talk a little about how the talks were rated and about PubConf (make sure you get to one of these one day!) I've got another couple of weeks at home before any more travel and I'll talk more about the next things as they draw closer. This week, I'm on my new iPhone (which is very similar to my old iPhone), I'm talking about Uber getting fined, Cloudflare introducing some very cool new things, Firefox Monitor launching on top of the HIBP APIs and my newfound

IoT 185

IoT 185

Schneier on Security

SEPTEMBER 20, 2018

Of course the ESS ExpressVote voting computer will have lots of security vulnerabilities. It's a computer, and computers have lots of vulnerabilities. This particular vulnerability is particularly interesting because it's the result of a security mistake in the design process. Someone didn't think the security through, and the result is a voter-verifiable paper audit trail that doesn't provide the security it promises.

Computers and Electronics 227

Computers and Electronics Hacking 227

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Security Affairs

SEPTEMBER 18, 2018

According to Avira, hundreds of thousands of unpatched Windows systems are serially infected with EternalBlue exploit code. The EternalBlue , is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack. The malicious code was leaked online by the Shadow Brokers hacking group that stole it from the arsenal of the NSA-linked Equation Group.

Advertising 102

Advertising Software Malware Hacking 102

Dark Reading

SEPTEMBER 28, 2018

A vulnerability in Facebook's "View As" feature let attackers steal security tokens linked to 50 million accounts, the company confirms.

Hacking 107

Hacking Accountability 107

Thales Cloud Protection & Licensing

SEPTEMBER 11, 2018

Vincent Van Gogh is believed to have said “Great things are … done … by a series of small things brought together.” This aptly describes the Internet of Things (IoT), where many small things are coming together to shape what we all hope will deliver a great leap in the way we live and do business. In this blog, and in and accompanying interview with our colleague Daniel Hjort from Nexus Group, we discuss the challenges that industry faces to ensure safe deployment and management of IoT technolog

Manufacturing 89

Manufacturing Internet Internet IoT 89

Krebs on Security

SEPTEMBER 28, 2018

Facebook said today some 90 million of its users may get forcibly logged out of their accounts after the company fixed a rather glaring security vulnerability in its Web site that may have let attackers hijack user profiles. In a short blog post published this afternoon, Facebook said hackers have been exploiting a vulnerability in Facebook’s site code that impacted a feature called “View As,” which lets users see how their profile appears to other people. “This allowed t

Accountability 233

Accountability Passwords Data breaches 233

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

WIRED Threat Level

SEPTEMBER 28, 2018

Up to 50 million Facebook users were affected—and possibly 40 million more—when hackers compromised the social network's systems.

106

106

Schneier on Security

SEPTEMBER 17, 2018

A 2006 document from the Snowden archives outlines successful NSA operations against "a number of "high potential" virtual private networks, including those of media organization Al Jazeera, the Iraqi military and internet service organizations, and a number of airline reservation systems.". It's hard to believe that many of the Snowden documents are now more than a decade old.

Media 226

Media Internet Internet VPN 226

Security Affairs

SEPTEMBER 29, 2018

The FBI Internet Crime Complaint Center (IC3) warns of cyber attacks exploiting Remote Desktop Protocol (RDP) vulnerabilities. Remote Desktop Protocol (RDP) is a widely adopted protocol for remote administration, but it could dramatically enlarge the attack surface if it isn’t properly managed. The FBI Internet Crime Complaint Center (IC3) and the DHS issued a joint alert to highlight the rise of RDP as an attack vector.

Cyber Attacks 102

Cyber Attacks Advertising Internet Internet 102

Dark Reading

SEPTEMBER 21, 2018

How Park Jin Hyok - charged by the US government for alleged computer crimes for the Sony, Bank of Bangladesh, WannaCry cyberattacks - inadvertently blew his cover via email accounts.

Banking 90

Banking Government Accountability 90

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Threatpost

SEPTEMBER 21, 2018

Cisco has patched vulnerability in its video surveillance manager software that could give an unauthenticated, remote attacker the ability to execute arbitrary commands on targeted systems.

Surveillance 79

Surveillance Software IoT 79

Krebs on Security

SEPTEMBER 10, 2018

Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you’ve been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it’s just not worth the hassle.

Cybercrime 219

Cybercrime Accountability Media Retail 219

WIRED Threat Level

SEPTEMBER 19, 2018

The California Farm Bureau has given away the right of farmers to fix their equipment without going through a dealer.

109

109

Schneier on Security

SEPTEMBER 21, 2018

Lots of people are e-mailing me about this new result on the distribution of prime numbers. While interesting, it has nothing to do with cryptography. Cryptographers aren't interested in how to find prime numbers, or even in the distribution of prime numbers. Public-key cryptography algorithms like RSA get their security from the difficulty of factoring large composite numbers that are the product of two prime numbers.

220

220

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk

Security Affairs

SEPTEMBER 26, 2018

The latest samples of the HNS bot were designed to target Android devices having the wireless debugging feature ADB enabled. The Hide and Seek (HNS) IoT botnet was first spotted early this year, since its discovery the authors continuously evolved its code. The IoT botnet appeared in the threat landscape in January, when it was first discovered on January 10th by malware researchers from Bitdefender, then it disappeared for a few days, and appeared again a few weeks later infecting in a few

IoT 98

IoT Wireless Advertising Malware 98

Dark Reading

SEPTEMBER 20, 2018

Actionable advice for tailoring the National Institute of Standards and Technology's security road map to your company's business needs.

Cybersecurity 103

Cybersecurity Technology 103

Threatpost

SEPTEMBER 14, 2018

Third-party breaches have become an epidemic as cybercriminals target the weakest link. Organizations such as BestBuy, Sears, Delta and even NYU Medical Center are just a few that have felt the impact of cyberattacks through third-party vendors. The fallout from these breaches can be costly, as the average enterprise pays $1.23 million per incident, up […].

Cybersecurity 76

Cybersecurity InfoSec 76

Krebs on Security

SEPTEMBER 24, 2018

If you’re thinking of donating money to help victims of Hurricane Florence , please do your research on the charitable entity before giving: A slew of new domains apparently related to Hurricane Florence relief efforts are now accepting donations on behalf of victims without much accountability for how the money will be spent. For the past two weeks, KrebsOnSecurity has been monitoring dozens of new domain name registrations that include the terms “hurricane” and/or “flor

Scams 209

Scams Accountability Media Web Fraud 209

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity