Adam Levin

APRIL 9, 2019

Israeli cybersecurity researchers have created malware capable of showing fake cancerous growths on CT and MRI scans. The malware, called CT-GAN, served as a proof of concept to show the potential for hacking medical devices with fake medical news that was convincing enough to fool medical technicians. In a video demonstrating the exploit, researchers at Ben Gurion University described how such an attack might be deployed.

Malware 254

Malware Healthcare Technology Ransomware 254

Krebs on Security

APRIL 11, 2019

Google this week made it easier for Android users to enable strong 2-factor authentication (2FA) when logging into Google’s various services. The company announced that all phones running Android 7.0 and higher can now be used as Security Keys , an additional authentication layer that helps thwart phishing sites and password theft. As first disclosed by KrebsOnSecurity last summer , Google maintains it has not had any of its 85,000+ employees successfully phished on their work-related acco

Mobile 230

Mobile Authentication Passwords Accountability 230

Schneier on Security

APRIL 12, 2019

In what I am sure is only a first in many similar demonstrations, researchers are able to add or remove cancer signs from CT scans. The results easily fool radiologists. I don't think the medical device industry has thought at all about data integrity and authentication issues. In a world where sensor data of all kinds is undetectably manipulatable, they're going to have to start.

Authentication 227

Authentication Hacking 227

Troy Hunt

APRIL 12, 2019

That's the second update in a row I've done on time! It's also another one with a bunch of other things in common with last week, namely commentary on yet more data breaches. It's not just the breaches in HIBP, but the ones I'm busily trying to disclose. This is really sucking a lot of time right now and frankly, well, I summed it up here earlier in the week: Currently going through the process with 4 breach disclosures. 3 of them I just can’t get a response from and the one I can really doesn’t

Data breaches 137

Data breaches 137

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Adam Levin

APRIL 10, 2019

A security analysis of 30 major banking and financial apps has shown major security holes and a lax approach to protecting user data. The analysis was conducted by the Aite Group, which looked at mobile apps in eight categories: retail banking, credit cards, mobile payment, healthcare savings, retail finance, health insurance, auto insurance and cryptocurrency.

Banking 187

Banking Retail Insurance Mobile 187

Krebs on Security

APRIL 8, 2019

Almost exactly one year ago, KrebsOnSecurity reported that a mere two hours of searching revealed more than 100 Facebook groups with some 300,000 members openly advertising services to support all types of cybercrime, including spam, credit card fraud and identity theft. Facebook responded by deleting those groups. Last week, a similar analysis led to the takedown of 74 cybercrime groups operating openly on Facebook with more than 385,000 members.

Cybercrime 193

Cybercrime Passwords Identity Theft Accountability 193

The Last Watchdog

APRIL 10, 2019

As long as cyber attacks continue, financial institutions will remain a prime target, for obvious reasons. Related: OneSpan’s rebranding launch. Outside of giants JP Morgan, Bank of America, Citigroup, Wells Fargo and U.S. Bancorp, the remainder of the more than 10,000 U.S. firms are comprised of community banks and regional credit unions. These smaller institutions, much like the giants, are hustling to expand mobile banking services.

Banking 117

Banking Mobile Accountability Artificial Intelligence 117

Adam Shostack

APRIL 10, 2019

The White Box , and its accompanying book, “The White Box Essays” are a FANTASTIC resource, and I wish I’d had them available to me as I designed Elevation of Privilege and helped with Control-Alt-Hack. The book is for people who want to make games, and it does a lovely job of teaching you how, including things like the relationship between story and mechanics, the role of luck, how the physical elements teach the players, and the tradeoffs that you as a designer make as you de

Marketing 113

Marketing Hacking 113

Krebs on Security

APRIL 9, 2019

Microsoft today released fifteen software updates to fix more than 70 unique security vulnerabilities in various flavors of its Windows operating systems and supported software, including at least two zero-day bugs. These patches apply to Windows , Internet Explorer (IE) and Edge browsers, Office, Sharepoint and Exchange. Separately, Adobe has issued security updates for Acrobat/Reader and Flash Player.

Internet 184

Internet Internet Software Backups 184

Schneier on Security

APRIL 11, 2019

Kaspersky has released details about a sophisticated nation-state spyware it calls TajMahal: The TajMahal framework's 80 modules, Shulmin says, comprise not only the typical keylogging and screengrabbing features of spyware, but also never-before-seen and obscure tricks. It can intercept documents in a printer queue, and keep track of "files of interest," automatically stealing them if a USB drive is inserted into the infected machine.

Spyware 219

Spyware Malware 219

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

The Last Watchdog

APRIL 12, 2019

The central dilemma posed by digital transformation is this: How do companies reap the benefits of high-velocity software development without creating onerous security exposures? Related: Golden Age of cyber spying dawns. The best practices standards and protocols to pull off this delicate balancing act have been thoroughly vetted and are readily available.

Digital transformation 104

Digital transformation Marketing Architecture Technology 104

Adam Shostack

APRIL 8, 2019

When Andrew and I wrote The New School, and talked about the need to learn from other professions, we didn’t mean for doctors to learn from ‘cybersecurity thought leaders’ about hiding their problems: …Only one organism grew back. C. auris. It was spreading, but word of it was not. The hospital, a specialty lung and heart center that draws wealthy patients from the Middle East and around Europe, alerted the British government and told infected patients, but made no public

Government 113

Government Cybersecurity Risk 113

Adam Levin

APRIL 8, 2019

Unless you live under a bottle cap rusting on the bottom of Loon Lake, you know that if you’re concerned about privacy , Facebook CEO Mark Zuckerberg is the gift that keeps on taking. A week after it landed with a curious (and most likely spurious) thud, Zuckerberg’s announcement about a new tack on consumer privacy still has the feel of an unexpected message from some parallel universe where surveillance (commercial and/or spycraft) isn’t the new normal. “I believe

Hacking 100

Hacking Data privacy Artificial Intelligence System Administration 100

Schneier on Security

APRIL 12, 2019

Flame was discovered in 2012, linked to Stuxnet, and believed to be American in origin. It has recently been linked to more modern malware through new analysis tools that find linkages between different software. Seems that Flame did not disappear after it was discovered, as was previously thought. (Its controllers used a kill switch to disable and erase it.

Malware 206

Malware Software 206

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

The Last Watchdog

APRIL 11, 2019

Digital transformation is all about high-velocity innovation. But velocity cuts two ways. Related: Obsolescence creeps into perimeter defenses. Yes, the rapid integration of digital technologies into all aspects of commerce has enabled wonderful new services. But it has also translated into an exponential expansion of the attack surface available to cyber criminals.

Digital transformation 103

Digital transformation Adware Technology Software 103

Adam Shostack

APRIL 9, 2019

There’s an interesting article in Bentham’s Gaze, “ Science ‘of’ or ‘for’ security? ” It usefully teases apart some concepts, and, yes, it probably is consistent with the New School.

100

100

Dark Reading

APRIL 12, 2019

These new cloud services seek to help companies figure out what their traditional SIEM alerts mean, plus how they can prioritize responses and improve their security operations.

106

106

Schneier on Security

APRIL 8, 2019

Last month, the NSA released Ghidra , a software reverse-engineering tool. Early reactions are uniformly positive. Three news articles.

Engineering 204

Engineering Software Cybersecurity 204

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Security Affairs

APRIL 6, 2019

Security experts at Bad Packets uncovered a DNS hijacking campaign that is targeting the users of popular online services, including Gmail, Netflix, and PayPal. Experts at Bad Packets uncovered a DNS hijacking campaign that has been ongoing for the past three months, attackers are targeting the users of popular online services, including Gmail, Netflix, and PayPal.

DNS 106

DNS Advertising Internet Internet 106

Adam Shostack

APRIL 6, 2019

Congratulations to the Hayabusa2 mission team, who flew to an asteroid, dropped multiple rovers, an impactor and a separate camera satellite to observe the impactor. The Hayabusa2 then flew around, to the far side of the asteroid to avoid ejecta from the impactor. In a few weeks, Hayabusa2 will probably land, collect more samples and then fly back to Earth.

Engineering 100

Engineering 100

Thales Cloud Protection & Licensing

APRIL 10, 2019

Last week, we welcomed Gemalto as an official part of the Thales Group, marking the start of a bold new chapter in our company’s history. Together, Thales and Gemalto will have the ability to cover the digital needs of our customers and partners, in civilian and defense businesses, across all Thales market segments, with a unique portfolio of advanced technologies in the fields of digital security and the Internet of Things.

Technology 96

Technology Banking Marketing Encryption 96

Dark Reading

APRIL 11, 2019

Tax season is marked with malware campaigns, tax fraud, and identity theft, with money and data flowing through an underground economy.

Identity Theft 101

Identity Theft Scams Hacking Malware 101

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

Security Affairs

APRIL 10, 2019

Security researchers discovered weaknesses in WPA3 that could be exploited to recover WiFi passwords by abusing timing or cache-based side-channel leaks. Security researchers discovered weaknesses in WPA3 that could be exploited to recover WiFi passwords by abusing timing or cache-based side-channel leaks. One of the main advantages of WPA3 is that it’s near impossible to crack the password of a network because it implements the Dragonfly handshake, Unfortunately, we found that even with W

Passwords 99

Passwords Hacking Advertising Network Security 99

WIRED Threat Level

APRIL 11, 2019

WikiLeaks founder Julian Assange has been arrested, and now faces extradition to the United States. But not for leaking classified information.

Hacking 95

Hacking 95

Threatpost

APRIL 11, 2019

Amazon is under fire for its privacy policies after a Bloomberg report revealed that the company hires auditors to listen to Echo recordings.

IoT 85

IoT 85

Dark Reading

APRIL 11, 2019

The sandbox is an important piece of the security stack, but an organization's entire strategy shouldn't rely on its ability to detect every threat. Here's why.

92

92

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Security Affairs

APRIL 6, 2019

A vulnerability could be exploited by attackers to trigger a denial-of-service ( DoS ) condition on devices running RouterOS. MikroTik routers made the headlines again, the company disclosed this week technical details about a year-old vulnerability that exposes the device to remote attacks. Attackers could exploit the vulnerability to trigger a denial-of-service (DoS) condition on devices running RouterOS. “ RouterOS contained several IPv6 related resource exhaustion issues, that have now

Advertising 97

Advertising Risk Internet Internet 97

WIRED Threat Level

APRIL 9, 2019

The TajMahal spyware includes more than 80 distinct spy tools, and went undetected for five years.

Spyware 99

Spyware Hacking 99

Threatpost

APRIL 12, 2019

Yet another Wordpress plugin, Yellow Pencil Visual Theme Customizer, is being exploited in the wild after two software vulnerabilities were discovered.

Software 78

Software 78

Dark Reading

APRIL 10, 2019

Bill takes aim at tactics used to convince people to give up their personal data, designing games that addict kids, and more.

Social Engineering 102

Social Engineering Engineering 102

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk