Sat.Sep 14, 2019 - Fri.Sep 20, 2019


Banks, Arbitrary Password Restrictions and Why They Don't Matter

Troy Hunt

Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter. Also, allow me to argue with myself for a moment: banks shouldn't have these restrictions in place anyway. I want to put forward cases for both arguments here because seeing both sides is important. I want to help shed some light on why this practice happens and argue pragmatically both for and against.


Another Side Channel in Intel Chips

Schneier on Security

Not that serious, but interesting: In late 2011, Intel introduced a performance enhancement to its line of server processors that allowed network cards and other peripherals to connect directly to a CPU's last-level cache, rather than following the standard (and significantly longer) path through the server's main memory. By avoiding system memory, Intel's DDIO (short for Data-Direct I/O) increased input/output bandwidth and reduced latency and power consumption.


Before He Spammed You, this Sly Prince Stalked Your Mailbox

Krebs on Security

A reader forwarded what he briefly imagined might be a bold, if potentially costly, innovation on the old Nigerian prince scam that asks for help squirreling away millions in unclaimed fortune: It was sent via the U.S. Postal Service, with a postmarked stamp and everything. In truth these old fashioned “advance fee” or “419” scams predate email and have circulated via postal mail in various forms and countries over the years.


Small businesses underestimate financial damage of cyberattacks

Tech Republic Security

The average breach causes $149,000 in damages, yet most small-to-medium-sized businesses thought a cyberattack would cost them under $10,000, a survey reports.


IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.


New Breach Exposes an Entire Nation: Living and the Dead

Adam Levin

A misconfigured database has exposed the personal data of nearly every Ecuadorian citizen, including 6.7 million children. The database was discovered by vpnMentor and was traced back to the Ecuadorian company Novaestra. It contained 20.8 million records, well over the country’s current population of 16 million. The data included official government ID numbers, phone numbers, family records, birthdates, death dates (where applicable), marriage dates, education histories, and work records.


Crown Sterling Claims to Factor RSA Keylengths First Factored Twenty Years Ago

Schneier on Security

Earlier this month I made fun of a company called Crown-Sterling, for... for... for being a company that deserves being made fun of. This morning, the company announced that they "decrypted two 256-bit asymmetric public keys in approximately 50 seconds from a standard laptop computer." Really. They did. This keylength is so small it has never been considered secure.


Exposed RDP servers see 150K brute-force attempts per week: Here's how to protect them

Tech Republic Security

BlueKeep and DejaBlue renewed interest in brute-force scanning for vulnerable systems, which negatively impacts Windows Server performance. Cameyo has solutions to protect your Virtual Desktop server.


Is There a Hacker in Your Wallet? Third Certainty Episode 2

Adam Levin

In the second episode of Third Certainty, Adam Levin explains how consumers can protect themselves in the aftermath of the Capital One data breach.


A Feminist Take on Information Privacy

Schneier on Security

Maria Farrell has a really interesting framing of information/device privacy: What our smartphones and relationship abusers share is that they both exert power over us in a world shaped to tip the balance in their favour, and they both work really, really hard to obscure this fact and keep us confused and blaming ourselves. Here are some of the ways our unequal relationship with our smartphones is like an abusive relationship: They isolate us from deeper, competing relationships in favour of sup


Interesting reads

Adam Shostack

There were widely circulated reports of voice cloning being used in phishing. I’ve been predicting these for a while (Threat modeling in 2018 at Blackhat, 28 minutes in), but Guillaume Ross asked some really good questions about it. A new John Locke manuscript, “The Toleration of Papists”, has been discovered and published. (Short analysis in the Guardian.


Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.


A new type of DDoS attack can amplify attack strength by more than 15,300%

Tech Republic Security

By abusing a little-known multicast protocol, attackers can launch DDoS attacks of immense power, but there may be an easy fix.


MY TAKE: What everyone should know about the promise and pitfalls of the Internet of Things

The Last Watchdog


Revisiting Software Vulnerabilities in the Boeing 787

Schneier on Security

I previously blogged about a Black Hat talk that disclosed security vulnerabilities in the Boeing 787 software. Ben Rothke concludes that the vulnerabilities are real, but not practical.


IoT and Quantum Computing’s Impact on the Federal Government

Thales Cloud Protection & Licensing

As government agencies get back to work after summer barbeques, family vacations and once-in-a-lifetime getaways, the focus is on the priorities for the rest of 2019. Cybersecurity remains one of the top concerns and priorities for our government. The focus on the rest of 2019 and looking ahead to 2020 was very clear when I attended two recent industry events.


Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?”


Governments still struggling to contend with weaponized social media platforms

Tech Republic Security

A report from a former NSA operative says countries across the world are still adjusting to the new reality of sophisticated cyberwarfare.


Backup files for Lion Air and parent airlines exposed and exchanged on forums

Security Affairs

Tens of millions of records belonging to passengers of two airline companies owned by Lion Air have been exposed and exchanged on forums. The information was left exposed online in an unsecured Amazon bucket; the records were stored in two databases in a directory containing backup files, mostly for Malindo Air and Thai Lion Air.


Cracking Forgotten Passwords

Schneier on Security

Expandpass is a string expansion program. It's "useful for cracking passwords you kinda-remember." You tell the program what you remember about the password and it tries related passwords. I learned about it in this article about Phil Dougherty, who helps people recover lost cryptocurrency passwords (mostly Ethereum) for a cut of the recovered value.


Achieving Trust: Bake Security into Your Brand

Thales Cloud Protection & Licensing

Data is the most valuable online currency a consumer possesses. Yet most people don’t trust the companies they’re sharing data with, according to a new market trends study published by Gartner. In fact, 75% of consumers worry their online accounts may be hacked and the vast majority also believe companies are using or sharing their data without even telling them, according to the study.


From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security,” most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any number of other things – and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be possible to distill it down to a checklist.


33% of executives don't trust their organization to protect employee data

Tech Republic Security

The volume of data processed in the enterprise is rapidly increasing, though strategies to secure data, including biometrics, are subject to technical and legal issues.


A flaw in LastPass password manager leaks credentials from previous site

Security Affairs

Tavis Ormandy, the well-known white-hat hacker at Google Project Zero, has discovered a vulnerability in the LastPass password manager that exposes login credentials entered on a site the user previously visited.


I'm Looking to Hire a Strategist to Help Figure Out Public-Interest Tech

Schneier on Security

I am in search of a strategic thought partner: a person who can work closely with me over the next 9 to 12 months in assessing what's needed to advance the practice, integration, and adoption of public-interest technology. All of the details are in the RFP. The selected strategist will work closely with me on a number of clear deliverables. This is a contract position that could possibly become a salaried position in a subsequent phase, and under a different agreement.


Mozilla Introduces Mechanism to Hijack all DNS Traffic in the Name of Privacy

PerezBox Security

In September of 2019 Mozilla will begin releasing DNS over HTTPS (DoH) in Firefox via their Trusted Recursive Resolver (TRR) program. A primer on DNS Security. The change is based.


Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.


Why businesses would rather lose revenue than data

Tech Republic Security

While businesses don't want to lose data, 66% of business decision makers said their current IT resources do not keep up with growing technological demands.


A bug in Instagram exposed user accounts and phone numbers

Security Affairs

Facebook addressed a vulnerability in Instagram that could have allowed attackers to access private user information. The security researcher @ZHacker13 discovered a flaw in Instagram that allowed an attacker to access account information, including a user's phone number and real name. ZHacker13 discovered the vulnerability in August and reported the issue to Facebook, which asked for additional time to address it.


New Biometrics

Schneier on Security

This article discusses new types of biometrics under development, including gait, scent, heartbeat, microbiome, and butt shape (no, really).


Lion Air the Latest to Get Tripped Up by Misconfigured AWS S3

Dark Reading

The breach, which reportedly exposed data on millions of passengers, is one of many that have resulted from organizations leaving data publicly accessible in cloud storage buckets.


Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few other applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.


Yahoo data breach settlement means affected users may get $100

Tech Republic Security

If you had a Yahoo account between January 1, 2012 and December 31, 2016, you may be entitled to a bit of money.


More than 737 million medical radiological images found on open PACS servers

Security Affairs

Researchers at Greenbone Networks, a vulnerability analysis and management company, discovered 400 million medical radiological images exposed online via unsecured PACS servers. The experts found 600 unprotected servers exposed online that contained medical radiological images. The research was conducted between mid-July 2019 and early September 2019.


Upcoming Speaking Engagements

Schneier on Security

This is a current list of where and when I am scheduled to speak: I'm speaking at University College London on September 23, 2019. I'm speaking at World's Top 50 Innovators 2019 at the Royal Society in London on September 24, 2019. I'm speaking at Cyber Security Nordic in Helsinki, Finland on October 3, 2019. I'm speaking at the Australian Cyber Conference 2019 in Melbourne on October 9, 2019.


Unsupervised Learning: No. 194 (Member Edition)

Daniel Miessler


How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Did you know that 2021 was a record-breaking year for ransomware? The days of a “once in a while” attack against businesses and organizations are over. Cyberthreats have become a serious issue. With 495.1 million attacks, the threat marked a 148% increase compared to 2020 and was the most expensive year on record! As a result, data protection needs to be a concern for most banks, businesses, and information technology specialists.