Krebs on Security

FEBRUARY 8, 2019

A highly targeted, malware-laced phishing campaign landed in the inboxes of multiple credit unions last week. The missives are raising eyebrows because they were sent only to specific anti-money laundering contacts at credit unions, and many credit union sources say they suspect the non-public data may have been somehow obtained from the National Credit Union Administration (NCUA), an independent federal agency that insures deposits at federally insured credit unions.

Phishing 244

Phishing Insurance Scams Banking 244

Schneier on Security

FEBRUARY 6, 2019

In Gmail addresses, the dots don't matter. The account "bruceschneier@gmail.com" maps to the exact same address as "bruce.schneier@gmail.com" and "b.r.u.c.e.schneier@gmail.com" -- and so on. (Note: I own none of those addresses, if they are actually valid.). This fact can be used to commit fraud : Recently, we observed a group of BEC actors make extensive use of Gmail dot accounts to commit a large and diverse amount of fraud.

Accountability 210

Accountability Scams 210

Adam Levin

FEBRUARY 7, 2019

A recent leak compromised the personal data of all 4,557 active students at the California State Polytechnic University Science School. This was not a case of hackers gaining access through illicit means or an accidental exposure of an unsecured database. The data was inadvertently sent in a spreadsheet as an email attachment by a university employee.

Data breaches 168

Data breaches Passwords VPN Risk 168

Adam Shostack

FEBRUARY 6, 2019

Josh Corman opened a bit of a can of worms a day or two ago, asking on Twitter: “ pls RT: who are the 3-5 best, most natural Threat Modeling minds? Esp for NonSecurity people. @adamshostack is a given. ” (Thanks!). What I normally say to this is I don’t think I’m naturally good at finding replay attacks in network protocols — my farming ancestors got no chance to exercise such talents, and so it’s a skill I acquired.

162

162

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Krebs on Security

FEBRUARY 4, 2019

Godaddy.com , the world’s largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy’s fix hasn’t gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal.

DNS 230

DNS Ransomware Accountability Internet 230

Schneier on Security

FEBRUARY 7, 2019

Gregory C. Allen at the Center for a New American Security has a new report with some interesting analysis and insights into China's AI strategy, commercial, government, and military. There are numerous security -- and national security -- implications.

Government 189

Government 189

The Last Watchdog

FEBRUARY 6, 2019

We’re just a month and change into the new year, and already there have been two notable developments underscoring the fact that some big privacy and civil liberties questions need to be addressed before continuing the wide-scale deployment of advanced facial recognition systems. This week civil liberties groups in Europe won the right to challenge the UK’s bulk surveillance activities in the The Grand Chamber of the European Court of Human Rights.

Surveillance 109

Surveillance Technology Retail Artificial Intelligence 109

Adam Shostack

FEBRUARY 4, 2019

I hate reviewing books by people I know, because I am a picky reader, and if you can’t say anything nice, don’t say anything at all. I also tend to hate management books, because they often substitute jargon for crisp thinking. So I am surprised, but, here I am, writing a review of Kip Boyle’s “ Fire Doesn’t Innovate.” I’m giving little away by saying the twist is that attackers do innovate, and it’s a surprisingly solid frame on which Kip hangs a

CSO 100

CSO Cyber Risk Backups Risk 100

Schneier on Security

FEBRUARY 4, 2019

The Wired headline sums it up nicely -- " Facebook Hires Up Three of Its Biggest Privacy Critics ": In December, Facebook hired Nathan White away from the digital rights nonprofit Access Now, and put him in the role of privacy policy manager. On Tuesday of this week, lawyers Nate Cardozo, of the privacy watchdog Electronic Frontier Foundation, and Robyn Greene, of New America's Open Technology Institute, announced they also are going in-house at Facebook.

Technology 163

Technology 163

Security Affairs

FEBRUARY 6, 2019

Google patched a critical flaw in its Android OS that allows an attacker to send a specially crafted PNG image file to hack a target device, Opening an image file on your smartphone could allow attackers to hack into your Android device due to three critical vulnerabilities, CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988. The flaws affect millions of Android devices running versions of the Google OS, ranging from Android 7.0 Nougat to the latest Android 9.0 Pie.

Hacking 96

Hacking Advertising Mobile Manufacturing 96

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

WIRED Threat Level

FEBRUARY 6, 2019

Opinion: Cryptocurrencies are useless. Blockchain solutions are frequently much worse than the systems they replace. Here's why.

Technology 111

Technology Cryptocurrency 111

Dark Reading

FEBRUARY 7, 2019

Vulnerable plugin for a remote management tool gave attackers a way to encrypt systems belonging to all customers of a US-based MSP.

Encryption 106

Encryption Ransomware 106

Schneier on Security

FEBRUARY 5, 2019

Zcash just fixed a vulnerability that would have allowed "infinite counterfeit" Zcash. Like all the other blockchain vulnerabilities and updates, this demonstrates the ridiculousness of the notion that code can replace people, that trust can be encompassed in the protocols, or that human governance is not ncessary.

Government 162

Government Cryptocurrency 162

Security Affairs

FEBRUARY 4, 2019

Metro Bank has become the first major bank to disclose SS7 attacks against its customers, but experts believe it isn’t an isolated case. A new type of cyber attack was used for the first time against the Metro Bank, threat actors are leveraging known flaws in the SS7 signaling protocol to intercept the codes sent via text messages to customers to authorize transactions.

Banking 94

Banking Telecommunications Authentication Advertising 94

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Threatpost

FEBRUARY 4, 2019

Armed with an impressive bag of exploits and other tricks for propagation, researchers believe the new trojan could be the catalyst for an upcoming, major cyber-offensive.

Malware 82

Malware 82

Dark Reading

FEBRUARY 6, 2019

Several airlines send unencrypted links to passengers for flight check-in that could be intercepted by attackers to view passenger and other data, researchers found.

86

86

eSecurity Planet

FEBRUARY 7, 2019

A third of companies are unprepared for some of the most damaging cyber attacks, such as APTs, insider threats, ransomware and DDoS attacks.

DDOS 90

DDOS Cyber Attacks Cybersecurity Ransomware 90

Security Affairs

FEBRUARY 7, 2019

A zero-day vulnerability in macOS Mojave can be exploited by malware to steal plaintext passwords from the Keychain. The security expert Linus Henze has disclosed the existence of a zero-day vulnerability in macOS Mojave that can be exploited by malware to steal plaintext passwords from the Keychain. According to Henze, the flaw affects macOS Mojave and earlier versions.

Passwords 94

Passwords Password Management Advertising Malware 94

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Threatpost

FEBRUARY 7, 2019

Trends in DDoS attacks show a evolution beyond Mirai code and point to next-gen botnets that are better hidden and have a greater level of persistence on devices – making them "far more dangerous.".

DDOS 78

DDOS Big data IoT Malware 78

Dark Reading

FEBRUARY 5, 2019

Criminals are taking advantage of Gmail's 'dots don't matter' feature to set up multiple fraudulent accounts on websites, using variations of the same email address, Agari says.

Accountability 81

Accountability 81

WIRED Threat Level

FEBRUARY 7, 2019

Lawmakers want more information about Facebook’s Project Atlas program, which collected data from teens and sidestepped device makers’ privacy policies.

84

84

Security Affairs

FEBRUARY 3, 2019

Hungarian police arrested a young hacker because he discovered and exploited serious vulnerabilities in the systems of the Magyar Telekom. Which are the risks for a hacker that decide to publicly disclose a vulnerability? The case I’m going to discuss shows us legal implication for this conduct. Last year, Hungarian law enforcement arrested a young hacker (20) because he discovered and exploited serious vulnerabilities in the systems of the Magyar Telekom, the major Hungarian telecommunica

Telecommunications 93

Telecommunications Retail Mobile Advertising 93

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

Threatpost

FEBRUARY 6, 2019

A researcher who discovered a flaw letting him steal passwords in MacOS is not sharing his findings with Apple without a macOS bug bounty program.

Passwords 81

Passwords Mobile 81

Dark Reading

FEBRUARY 4, 2019

The number of data breaches dropped overall, but the amount of sensitive records exposed jumped to 446.5 million last year, according to the ITRC.

Data breaches 86

Data breaches 86

WIRED Threat Level

FEBRUARY 8, 2019

Meanwhile, two Iowa researchers built an AI engine they say can spot abusive apps on Twitter months before the service itself.

Accountability 86

Accountability Engineering 86

Security Affairs

FEBRUARY 5, 2019

A security expert discovered a severe Remote Code Execution vulnerability in the popular LibreOffice and Apache OpenOffice. The security researcher Alex Inführ discovered a severe remote code execution vulnerability in LibreOffice and Apache OpenOffice that could be exploited by tricking victims into opening an ODT (OpenDocument Text) file embedding an event embedded.

Advertising 90

Advertising Hacking Software 90

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Threatpost

FEBRUARY 6, 2019

A tricky two-stage phishing scam is targeting Facebook and Google credentials using a landing page that hides behind Google's translate feature.

Phishing 78

Phishing Scams 78

Dark Reading

FEBRUARY 8, 2019

Citrix issues update for encryption weakness dogging the popular security protocol.

Encryption 100

Encryption 100

WIRED Threat Level

FEBRUARY 5, 2019

“Password Checkup” isn’t a password manager but a simple tool that warns you if you’re using a password that’s been exposed in data breaches.

Passwords 77

Passwords Password Management Data breaches 77

Security Affairs

FEBRUARY 4, 2019

Security experts identified nearly 500,000 Ubiquit devices that may be affected by a vulnerability that has already been exploited in the wild. Security experts are warning Ubiquit users of a vulnerability that has already been exploited in the wild. Last week, the researcher Jim Troutman, consultant and director of the Northern New England Neutral Internet Exchange (NNENIX), revealed that threat actors had been targeting Ubiquiti installs exposed online.

DDOS 89

DDOS Advertising Firmware Hacking 89

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk