Sat.Aug 04, 2018 - Fri.Aug 10, 2018

article thumbnail

Measuring the Rationality of Security Decisions

Schneier on Security

Interesting research: " Dancing Pigs or Externalities? Measuring the Rationality of. Security Decisions ": Abstract: Accurately modeling human decision-making in security is critical to thinking about when, why, and how to recommend that users adopt certain secure behaviors. In this work, we conduct behavioral economics experiments to model the rationality of end-user security decision-making in a realistic online experimental system simulating a bank account.

Marketing 211
article thumbnail

Florida Man Arrested in SIM Swap Conspiracy

Krebs on Security

Police in Florida have arrested a 25-year-old man accused of being part of a multi-state cyber fraud ring that hijacked mobile phone numbers in online attacks that siphoned hundreds of thousands of dollars worth of bitcoin and other cryptocurrencies from victims. On July 18, 2018, Pasco County authorities arrested Ricky Joseph Handschumacher , an employee of the city of Port Richey, Fla, charging him with grand theft and money laundering.

Mobile 191
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

New Pluralsight Course: Bug Bounties for Researchers

Troy Hunt

Earlier this year, I spent some time in San Fran with friend and Bugcrowd founder Casey Ellis where we recorded a Pluralsight "Play by Play" titled Bug Bounties for Companies. I wrote about that in the aforementioned post which went out in May and I mentioned back then that we'd also created a second course targeted directly at researchers. We had to pull together some additional material on that one but I'm please to now share the finished product with you: Bug Bounties for Researchers.

114
114
article thumbnail

CyberSecurity Hall of Fame

Adam Shostack

Congratulations to the 2016 winners ! Dan Geer, Chief Information Security Officer at In-Q-Tel; Lance J. Hoffman, Distinguished Research Professor of Computer Science, The George Washington University; Horst Feistel, Cryptographer and Inventor of the United States Data Encryption Standard (DES); Paul Karger, High Assurance Architect, Prolific Writer and Creative Inventor; Butler Lampson, Adjunct Professor at MIT, Turing Award and Draper Prize winner; Leonard J.

article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

Hacking the McDonald's Monopoly Sweepstakes

Schneier on Security

Long and interesting story -- now two decades old -- of massive fraud perpetrated against the McDonald's Monopoly sweepstakes. The central fraudster was the person in charge of securing the winning tickets.

Hacking 155
article thumbnail

Millions of Android Devices Are Vulnerable Out of the Box

WIRED Threat Level

Android smartphones from Asus, LG, Essential, and ZTE are the focus of a new analysis about risks from firmware bugs introduced by manufacturers and carriers.

More Trending

article thumbnail

CSO on AppSec at the Speed of Devops

Adam Shostack

“ 20 Ways to Make AppSec Move at the Speed of DevOps ” is in CSO. It’s a good collection, and I’m quoted.

CSO 100
article thumbnail

SpiderOak's Warrant Canary Died

Schneier on Security

BoingBoing has the story. I have never quite trusted the idea of a warrant canary. But here it seems to have worked. (Presumably, if SpiderOak wanted to replace the warrant canary with a transparency report, they would have written something explaining their decision. To have it simply disappear is what we would expect if SpiderOak were being forced to comply with a US government request for personal data.).

article thumbnail

Spot the Bot: Researchers Open-Source Tools to Hunt Twitter Bots

Dark Reading

Duo security researchers compiled a massive dataset of public Twitter profiles and built a tool to scour profiles and detect the fakes.

80
article thumbnail

Weekly Update 99

Troy Hunt

It's a traveling weekly update this week as I round out a couple of workshops in Sydney and head to Canberra. That's thrown the normal video cadence out a bit with me recording on a Thursday night (hence the beer) and publishing on a Friday morning, but there's a heap of stuff in there regardless. This week, I'm talking about a couple of different data breaches and delve into the Adult-FanFiction one in particular.

article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

When It Comes to a Data Breach, How Do You Want to Be Notified?

Thales Cloud Protection & Licensing

August is two-thirds of the way through year, and we have already seen a number of serious, far-reaching data breaches making headlines, some occurred in 2018, and some from 2017 that are now being disclosed. This underscores the harsh realities of the state of cybersecurity today. If you have looked at our recently released annual Data Threat Report: Retail Edition , you understand this is not just hyperbole.

article thumbnail

Don't Fear the TSA Cutting Airport Security. Be Glad That They're Talking about It.

Schneier on Security

Last week, CNN reported that the Transportation Security Administration is considering eliminating security at U.S. airports that fly only smaller planes -- 60 seats or fewer. Passengers connecting to larger planes would clear security at their destinations. To be clear, the TSA has put forth no concrete proposal. The internal agency working group's report obtained by CNN contains no recommendations.

Risk 129
article thumbnail

A New Pacemaker Hack Puts Malware Directly On the Device

WIRED Threat Level

Researchers at the Black Hat security conference will demonstrate a new pacemaker-hacking technique that can add or withhold shocks at will.

Hacking 76
article thumbnail

IoT Malware Discovered Trying to Attack Satellite Systems of Airplanes, Ships

Dark Reading

Researcher Ruben Santamarta shared the details of his successful hack of an in-flight airplane Wi-Fi network - and other findings - at Black Hat USA today.

IoT 63
article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

article thumbnail

That’s Right, We are Playing Both Sides of the Key Management Game:

Thales Cloud Protection & Licensing

Thales both giveth and taketh Bring Your Own Keys (BYOK). There is no longer denying that encryption is a hot topic. Encryption is everywhere. We hear about it when the FBI can’t hack an iPhone, when countries want back doors to compromise it, and, now, every major cloud provider offers at least baseline encryption as part of their service. These newbies to the land of enterprise encryption quickly learn from their prospects that offering encryption alone doesn’t earn them trust to house their d

article thumbnail

Detecting Phishing Sites with Machine Learning

Schneier on Security

Really interesting article : A trained eye (or even a not-so-trained one) can discern when something phishy is going on with a domain or subdomain name. There are search tools, such as Censys.io , that allow humans to specifically search through the massive pile of certificate log entries for sites that spoof certain brands or functions common to identity-processing sites.

Phishing 119
article thumbnail

Machine Learning Can Identify the Authors of Anonymous Code

WIRED Threat Level

Researchers have repeatedly shown that writing samples, even those in artificial languages, contain a unique fingerprint that's hard to hide.

69
article thumbnail

ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis

Security Affairs

A security researcher discovered a new crypto mining worm dubbed ZombieBoy that leverages several exploits to evade detection. The security researcher James Quinn has spotted a new strain of crypto mining worm dubbed ZombieBoy that appears to be very profitable and leverages several exploits to evade detection. The expert called this new malware ZombieBoy because it uses a tool called ZombieBoyTools to drop the first dll, it uses some exploits to spread.

article thumbnail

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

article thumbnail

Weakness in WhatsApp Enables Large-Scale Social Engineering

Dark Reading

Problem lies in WhatsApp's validation of message parameters and cannot be currently mitigated, Check Point researchers say.

article thumbnail

xkcd on Voting Computers

Schneier on Security

Funny and true.

103
103
article thumbnail

The Explosive-Carrying Drones in Venezuela Won’t Be the Last

WIRED Threat Level

There's still no good defense against drones attacks like the one that targeted Venezuelan president Nicolas Maduro Saturday.

73
article thumbnail

Duo Security created open tools and techniques to identify large Twitter botnet

Security Affairs

Researchers at security firm Duo Security have created a set of open source tools and disclosed techniques that could be used to identify large Twitter botnet. Security experts from Duo Security have developed a collection of open source tools and disclosed techniques that can be useful in identifying large Twitter botnet. The experts developed the tools starting from the analysis of 88 million Twitter accounts and over half-a-billion tweets, one of the largest random datasets of Twitter account

article thumbnail

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

article thumbnail

Mastering MITRE's ATT&CK Matrix

Dark Reading

This breakdown of Mitre's model for cyberattacks and defense can help organizations understand the stages of attack events and, ultimately, build better security.

57
article thumbnail

Quantifying the impact of the Twitter fake accounts purge - a technical analysis

Elie

This post provides an overview of the impact of the Twitter 2018 accounts purge through the lens of its impact on 16k of Twitter’s most popular accounts.

article thumbnail

Hacking a Brand New Mac Remotely, Right Out of the Box

WIRED Threat Level

Researchers found a way to compromise a Mac the first time it connects to Wi-Fi, potentially putting scores of enterprise customers at risk.

Hacking 67
article thumbnail

Dept. of Energy announced the Liberty Eclipse exercise to test electrical grid against cyber attacks

Security Affairs

DoE announced the Liberty Eclipse exercise to test the electrical grid ‘s ability to recover from a blackout caused by cyberattacks. This is the first time the Department of Energy will test the electrical grid’s ability to recover from a blackout caused by cyberattacks. We have discussed many times the effects of a cyber attack against an electrical grid, the most scaring scenario sees wide power outage bringing population in the dark.

article thumbnail

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few others applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.

article thumbnail

Dark Reading News Desk Live at Black Hat USA 2018

Dark Reading

Watch here Wednesday and Thursday, 2 p.m. - 6 p.m. Eastern Time to see over 40 live video interviews with straight from the Black Hat USA conference in Las Vegas.

54
article thumbnail

How Blackberry Does Secure Release Management

eSecurity Planet

In a Black Hat USA session, Christine Gadsby, Director of BlackBerry's global Product Security Operations Team, explained how organization can improve the product release process to reduce vulnerabilities.

47
article thumbnail

Smartphone Voting Is Happening, but No One Knows if It's Safe

WIRED Threat Level

Online voting has major security flaws, and experts are concerned that Voatz, the platform West Virginia will use this midterm election, doesn't solve them.

61
article thumbnail

DeepLocker – AI-powered malware are already among us

Security Affairs

Security researchers at IBM Research developed a “highly targeted and evasive” AI-powered malware dubbed DeepLocker and will present today. What about Artificial Intelligence (AI) applied in malware development? Threat actors can use AI-powered malware to create powerful malicious codes that can evade sophisticated defenses. Security researchers at IBM Research developed a “highly targeted and evasive” attack tool powered by AI,” dubbed DeepLocker that is able to co

Malware 53
article thumbnail

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Did you know that 2021 was a record-breaking year for ransomware? The days of a “once in a while” attack against businesses and organizations are over. Cyberthreats have become a serious issue. With 495.1 million attacks, the threat marked a 148% increase compared to 2020 and was the most expensive year on record! As a result, data protection needs to be a concern for most banks, businesses, and information technology specialists.