Troy Hunt

JULY 8, 2019

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era. This wasn't so much an original work on my behalf as it was a consolidation of advice from the likes of NIST, the NCSC and Microsoft about how we should be doing authentication today. I love that piece because so much of it flies in the face of traditional thinking about passwords, for example: Don't impose composition rules (upper case, lower case, numbers, etc) Don't mandate password rot

Passwords 233

Passwords Accountability Authentication Data breaches 233

Schneier on Security

JULY 11, 2019

If you need to reset the software in your GE smart light bulb -- firmware version 2.8 or later -- just follow these easy instructions : Start with your bulb off for at least 5 seconds. Turn on for 8 seconds Turn off for 2 seconds Turn on for 8 seconds Turn off for 2 seconds Turn on for 8 seconds Turn off for 2 seconds Turn on for 8 seconds Turn off for 2 seconds Turn on for 8 seconds Turn off for 2 seconds Turn on.

Firmware 222

Firmware Software 222

Adam Shostack

JULY 12, 2019

Conflict online — bullying, trolling, threats and the like are everywhere. The media coverage is shifting from “OMG what are we doing about this?!” to “ Wow, this is really hard.” (Ayup). I’ve been exploring how to engineer for these problems, and I joined Chris Romeo and Robert Hurlbut to talk about it on the AppSec Podcast.

Media 178

Media Engineering 178

Adam Levin

JULY 12, 2019

Google employees and subcontractors are listening to recordings gleaned from Google Home smart speakers and the Google Assistant smartphone app. A report from Belgian news outlet VRT NWS showed that Google regularly uses staff and subcontractors to transcribe audio recordings taken from its network of home devices for the stated purpose of improving its speech recognition technology.

Technology 114

Technology 114

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

WIRED Threat Level

JULY 7, 2019

Opinion: Kids today have an online presence starting at birth, which raises a host of legal and ethical concerns. We desperately need a new data protection framework.

111

111

Schneier on Security

JULY 8, 2019

ProPublica is reporting on companies that pretend to recover data locked up by ransomware, but just secretly pay the hackers and then mark up the cost to the victims.

Ransomware 230

Ransomware Hacking 230

Security Affairs

JULY 7, 2019

Yesterday, July 6, 2019, hackers breached the GitHub account of Canonical Ltd., the company behind the Ubuntu Linux distribution. On July 6, 2019, hackers have breached the GitHub account of Canonical Ltd., the organization behind the Ubuntu Linux distribution. The company immediately launched an investigation, the good news is that the source code of the popular Linux distro was not impacted. “We can confirm that on 2019-07-06 there was a Canonical owned account on GitHub whose credential

Accountability 101

Accountability Advertising Cryptocurrency Hacking 101

Dark Reading

JULY 9, 2019

Black Hat USA programming will dive into the ways DevOps-driven shifts in practices and tools are introducing both new vulnerabilities and new ways of securing enterprises.

90

90

Schneier on Security

JULY 12, 2019

At least one presidential candidate has a policy about quantum computing and encryption. It has two basic planks. One: fund quantum-resistant encryption standards. (Note: NIST is already doing this.) Two, fund quantum computing. (Unlike many far more pressing computer security problems, the market seems to be doing this on its own quite nicely.). Okay, so not the greatest policy -- but at least one candidate has a policy.

Encryption 216

Encryption Marketing 216

Adam Shostack

JULY 11, 2019

There’s a new draft available from NIST, “ Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF).” They are accepting comments through August 5th.

Software 113

Software Risk Engineering Government 113

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Security Affairs

JULY 11, 2019

Malware researchers from Kaspersky have discovered new and improved versions of the infamous FinFisher spyware used to infect both Android and iOS devices. Experts at Kaspersky have discovered a new improved variant of the FinFisher spyware used to spy on both iOS and Android users in 20 countries. According to the experts, the new versions have been active at least since 2018, one of the samples analyzed by Kaspersky was used last month in Myanmar, where local government is accused of violating

Spyware 96

Spyware Mobile Advertising Architecture 96

WIRED Threat Level

JULY 9, 2019

All it takes is one wrong click, and the popular video conferencing software will put you in a meeting with a stranger.

Software 109

Software Hacking 109

Schneier on Security

JULY 8, 2019

MIT Technology Review is reporting about an infrared laser device that can identify people by their unique cardiac signature at a distance: A new device, developed for the Pentagon after US Special Forces requested it, can identify people without seeing their face: instead it detects their unique cardiac signature with an infrared laser. While it works at 200 meters (219 yards), longer distances could be possible with a better laser.

Technology 212

Technology 212

Dark Reading

JULY 8, 2019

Black Hat USA session will reveal how they reverse-engineered the proprietary cryptographic protocol to attack the popular programmable logic controller.

Engineering 93

Engineering 93

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Security Affairs

JULY 11, 2019

‘Agent Smith’ is a new malware discovered by Check Point researchers that replaces legit Android Apps with malicious ones that infected 25 Million devices worldwide. Researchers at Check Point recently discovered a new variant of Android malware, dubbed Agent Smith, that has already infected roughly 25 million devices. The malware is disguised as a Google related application and exploits several known Android vulnerabilities to replace installed apps on the victim’s device with

Malware 92

Malware Advertising Mobile Information Security 92

Threatpost

JULY 9, 2019

Intel issued patches for a high-severity flaw in its processor diagnostic tool as well as a fix for a medium-severity vulnerability in its data center SSD lineup.

Firmware 70

Firmware 70

Schneier on Security

JULY 10, 2019

Reuters has a long article on the Chinese government APT attack called Cloud Hopper. It was much bigger than originally reported. The hacking campaign, known as "Cloud Hopper," was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them.

Identity Theft 196

Identity Theft Mobile Hacking Technology 196

Dark Reading

JULY 10, 2019

A Raspberry Pi attached to the network at NASA JPL became the doorway for a massive intrusion and subsequent data loss. Here's how to keep the same thing from happening to your network.

85

85

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Security Affairs

JULY 11, 2019

Malware researchers at two security firms Intezer and Anomali have discovered a new piece of ransomware targeting Network Attached Storage (NAS) devices. Experts at security firms Intezer and Anomali have separately discovered a new piece of ransomware targeting Network Attached Storage (NAS) devices. NAS servers are a privileged target for hackers because they normally store large amounts of data.

Ransomware 85

Ransomware Encryption Malware Advertising 85

Threatpost

JULY 12, 2019

A lack of a Bluetooth Low Energy (BLE) pairing mechanism leaves the smart IoT devices open to malicious manipulation.

IoT 84

IoT Hacking 84

Schneier on Security

JULY 12, 2019

In Click Here to Kill Everybody , I promised clickable endnotes. They're finally available.

152

152

Dark Reading

JULY 11, 2019

About a third of cybersecurity professionals believe that their companies see more cyberattacks during the summer, but the survey data does not convince on the reasons for the perception of a summer bump.

Cybersecurity 83

Cybersecurity 83

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

Security Affairs

JULY 12, 2019

BITPoint Japan-based cryptocurrency announced that hackers have stolen more than $32 million (3.5 billion yen) worth of cryptocurrency due to a cyber attack. BITPoint Japan-based cryptocurrency was victim of a cyber attack, the Remixpoint’s subsidiary announced that hackers have stolen more than $32 million (3.5 billion yen) worth of cryptocurrency.

Cryptocurrency 82

Cryptocurrency Cyber Attacks Financial Services Advertising 82

Threatpost

JULY 9, 2019

Study finds Android apps circumvented privacy opt-in rules and collected sensitive user information against user permission.

Software 80

Software Mobile 80

WIRED Threat Level

JULY 12, 2019

Parents can use Life360 to track their teen’s location in real time. The company can use that data to sell car insurance.

Insurance 80

Insurance 80

Dark Reading

JULY 9, 2019

A commercial vessel suffered a significant malware attack in February, prompting the US Coast Guard to issues an advisory to all shipping companies: Here be malware.

Malware 86

Malware 86

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Security Affairs

JULY 11, 2019

The CVE-2019-1132 flaw addressed by Microsoft this month was exploited by Buhtrap threat actor to target a government organization in Eastern Europe. Microsoft Patch Tuesday updates for July 2019 address a total of 77 vulnerabilities, including two privilege escalation flaws actively exploited in the wild. The first vulnerability, tracked as CVE-2019-1132, affects the Win32k component and could be exploited to run arbitrary code in kernel mode.

Government 82

Government Advertising Passwords Banking 82

Threatpost

JULY 11, 2019

Apple has disabled the Walkie Talkie app from its Apple Watch products after a vulnerability was discovered enabling bad actors to eavesdrop on iPhone conversations.

IoT 68

IoT Mobile 68

WIRED Threat Level

JULY 11, 2019

Magecart hackers are casting the widest possible net to find vulnerable ecommerce sites—but their method could lead to even bigger problems.

eCommerce 71

eCommerce Hacking 71

Dark Reading

JULY 11, 2019

Changes in fundamental enterprise architectures coupled with shifts in human resources mean that companies are considering new risks to their infrastructure.

Cyber Risk 88

Cyber Risk Risk Architecture 88

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk