Sat.Nov 10, 2018 - Fri.Nov 16, 2018

Chip Cards Fail to Reduce Credit Card Fraud in the US

Schneier on Security

A new study finds that credit card fraud has not declined since the introduction of chip cards in the US. The majority of stolen card information comes from hacked point-of-sale terminals. The reasons seem to be twofold. One, the US uses chip-and-signature instead of chip-and-PIN, obviating the most critical security benefit of the chip. And two, US merchants still accept magnetic stripe cards, meaning that thieves can steal credentials from a chip card and create a working cloned mag stripe car

That Domain You Forgot to Renew? Yeah, it’s Now Stealing Credit Cards

Krebs on Security

If you own a domain name that gets decent traffic and you fail to pay its annual renewal fee, chances are this mistake will be costly for you and for others. Lately, neglected domains have been getting scooped up by crooks who use them to set up fake e-commerce sites that steal credit card details from unwary shoppers. For nearly 10 years, Portland, Ore. resident Julie Randall posted pictures for her photography business at julierandallphotos-dot-com, and used an email address at that domain to

Add-ons, Extensions and CSP Violations: Playing Nice with Content Security Policies

Troy Hunt

You know what I really like? A nice, slick, clean set of violation reports from the content security policy (CSP) I run on Have I Been Pwned (HIBP). You know what I really don't like? Logging on to Report URI and being greeted with something like this: This blog post is about how add-ons and extensions in browsers cause CSP violations like the ones above and how they should be dealt with.

Moody’s to Include Cyber Risk in Credit Ratings

Adam Levin

The American business and financial services company Moody’s will start factoring risk of getting hacked into their credit ratings for companies. The move is seen as part of a wider initiative to gauge the risk of cyberattacks and data breaches to companies and their investors. “We’ve been in the risk management business for a very long time. This is to enhance our thinking about credit as cyber becomes more and more important,” said Derek Valda, head of Moody’s Investors Services Cyber Ri

How to Avoid Pitfalls In Automation: Keep Humans In the Loop

Speaker: Erroll Amacker

Automation is transforming finance but without strong financial oversight it can introduce more risk than reward. From missed discrepancies to strained vendor relationships, accounts payable automation needs a human touch to deliver lasting value. This session is your playbook to get automation right. We’ll explore how to balance speed with control, boost decision-making through human-machine collaboration, and unlock ROI with fewer errors, stronger fraud prevention, and smoother operations.

New IoT Security Regulations

Schneier on Security

Due to ever-evolving technological advances, manufacturers are connecting consumer goods -- from toys to lightbulbs to major appliances -- to the internet at breakneck speeds. This is the Internet of Things, and it's a security nightmare. The Internet of Things fuses products with communications technology to make daily life more effortless. Think Amazon's Alexa, which not only answers questions and plays music but allows you to control your home's lights and thermostat.

New DigiCert poll shows companies taking monetary hits due to IoT-related security missteps

The Last Watchdog

Even as enterprises across the globe hustle to get their Internet of Things business models up and running, there is a sense of foreboding about a rising wave of IoT-related security exposures. And, in fact, IoT-related security incidents have already begun taking a toll at ill-prepared companies. Related: How to hire an IoT botnet — for $20.

Watch Those Cookies: Girl Scouts Compromised by Hacker

Adam Levin

The Girl Scouts of Orange County has sent out letters warning almost three thousand members that their personal information may have been compromised in a breach. The letter, which was also filed with the State of California, explained that the organization “became aware that an unauthorized third party illegally gained access” to their email account, but “did not appear to gain access to any other GSOC email accounts[.]”.

Hidden Cameras in Streetlights

Schneier on Security

Both the US Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE) are hiding surveillance cameras in streetlights. According to government procurement data, the DEA has paid a Houston, Texas company called Cowboy Streetlight Concealments LLC roughly $22,000 since June 2018 for "video recording and reproducing equipment."

Threat Modeling in 2018 (video release)

Adam Shostack

Black Hat has released all the 2018 US conference videos. My threat modeling in 2018 video is, of course, amongst them. Slides are linked here.

NEW TECH: Cequence Security launches platform to shield apps, APIs from malicious botnets

The Last Watchdog

Cyber criminals are deploying the very latest in automated weaponry, namely botnets, to financially plunder corporate networks. The attackers have a vast, pliable attack surface to bombard: essentially all of the externally-facing web apps, mobile apps and API services that organizations are increasingly embracing, in order to stay in step with digital transformation.

Why Giant Content Libraries Do Nothing for Your Employees’ Cyber Resilience

Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.

Two hacker groups attacked Russian banks posing as the Central Bank of Russia

Security Affairs

Group-IB has detected massive campaigns targeting Russian financial institutions posing as the Central Bank of Russia. The emails were disguised to look as if they come from the Central Bank of Russia and FinCERT, the Financial Sector Computer Emergency Response Team. Group-IB experts have discovered that the attack on 15 November could have been carried out by the hacker group Silence, and the one on 23 October by MoneyTaker.

Hiding Secret Messages in Fingerprints

Schneier on Security

This is a fun steganographic application: hiding a message in a fingerprint image. Can't see any real use for it, but that's okay.

Surveillance Kills Freedom By Killing Experimentation

WIRED Threat Level

When we're being watched, we conform. We don't speak freely or try new things. But social progress happens in the gap between what’s legal and what’s moral.

Q&A: How certifying in-house IT staffers as cyber analysts, pen testers can boost SMB security

The Last Watchdog

A security-first mindset is beginning to seep into the ground floor of the IT departments of small and mid-sized companies across the land. Senior executives at these SMBs are finally acknowledging that a check-box approach to security isn’t enough, and that instilling a security mindset pervasively throughout their IT departments has become the ground stakes.

Zero Trust Mandate: The Realities, Requirements and Roadmap

The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.

Using Microsoft Powerpoint as Malware Dropper

Security Affairs

Marco Ramilli, founder and CEO at cyber security firm Yoroi, has explained how to use Microsoft Powerpoint as a Malware Dropper. Nowadays Microsoft Office documents are often used to propagate Malware acting like dynamic droppers. Microsoft Excel embedding macros or Microsoft Word with user actions (like links or external OLE objects) are the main players in this “Office Dropping Arena”. When I figured out that a Microsoft Powerpoint was used to drop and to execute a Malicious payload I

More Spectre/Meltdown-Like Attacks

Schneier on Security

Back in January, we learned about a class of vulnerabilities against microprocessors that leverages various performance and efficiency shortcuts for attack. I wrote that the first two attacks would be just the start: It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years to discover it.

DARPA's Hail Mary Plan to Restart a Hacked US Electric Grid

WIRED Threat Level

On tiny Plum Island, DARPA stages a real-life blackout to put its grid recovery tools to the test.

2018 On Track to Be One of the Worst Ever for Data Breaches

Dark Reading

A total of 3,676 breaches involving over 3.6 billion records were reported in the first nine months of this year alone.

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Google Services down due to BGP leak, traffic hijacked through Russia, China, and Nigeria

Security Affairs

Google services were partially inaccessible on Monday due to a BGP leak that caused traffic redirection through Russia, China, and Nigeria. A BGP leak caused unavailability of Google services on Monday; the traffic was redirected through Russia, China, and Nigeria. At the time it is not clear if the incident was the result of an error or a cyber attack on the BGP protocol.

Mailing Tech Support a Bomb

Schneier on Security

I understand his frustration, but this is extreme: When police asked Cryptopay what could have motivated Salonen to send the company a pipe bomb -- or, rather, two pipe bombs, which is what investigators found when they picked apart the explosive package -- the only thing the company could think of was that it had declined his request for a password change.

The US Is the Only Country Where There Are More Guns Than People

WIRED Threat Level

The US has the worst rate of gun violence among all developed countries, and still we fail to regulate.

7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge

Dark Reading

Building cybersecurity skills is a must; paying a lot for the education is optional. Here are seven options for increasing knowledge without depleting a budget.

Next-Level Fraud Prevention: Strategies for Today’s Threat Landscape

Speaker: Sierre Lindgren

Fraud is a battle that every organization must face – it’s no longer a question of “if” but “when.” Every organization is a potential target for fraud, and the finance department is often the bullseye. From cleverly disguised emails to fraudulent payment requests, the tactics of cybercriminals are advancing rapidly. Drawing insights from real-world cases and industry expertise, we’ll explore the vulnerabilities in your processes and how to fortify them effectively.

Expert found a way to bypass Windows UAC by mocking trusted Directory

Security Affairs

David Wells, a security expert from Tenable, devised a method to bypass Windows’ User Account Control (UAC) by spoofing the execution path of a file in a trusted directory. The Tenable researcher discovered that it is possible to bypass UAC by spoofing the execution path of a file in a trusted directory.

Oracle and "Responsible Disclosure"

Schneier on Security

I've been writing about "responsible disclosure" for over a decade; here's an essay from 2007. Basically, it's a tacit agreement between researchers and software vendors. Researchers agree to withhold their work until software companies fix the vulnerabilities, and software vendors agree not to harass researchers and fix the vulnerabilities quickly.

Mozilla's 'Privacy Not Included' Gift Report Highlights Security Concerns

WIRED Threat Level

In its second annual “Privacy Not Included” guide, the nonprofit highlights internet-connected gifts that value your privacy—and the ones that may not.

New Bluetooth Hack Affects Millions of Vehicles

Dark Reading

Attack could expose the personal information of drivers who sync their mobile phone to a vehicle entertainment system.

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Hacking the hackers – IOT botnet author adds his own backdoor on top of a ZTE router backdoor

Security Affairs

The author of an IoT botnet is distributing a backdoor script for ZTE routers that also includes his own backdoor to hack script kiddies. A weaponized IoT exploit script is being used by script kiddies, making use of a vendor backdoor account to hack ZTE routers. Ironically, this is not the only backdoor in the script. Scarface, the propagator of this code, has also deployed his custom backdoor to hack any script kiddie who uses the script.

Upcoming Speaking Engagements

Schneier on Security

This is a current list of where and when I am scheduled to speak: I'm speaking at Kiwicon in Wellington, New Zealand on November 16, 2018. I'm appearing on IBM Resilient's End of Year Review webinar on "The Top Cyber Security Trends in 2018 and Predictions for the Year Ahead," December 6, 2018 at 12:00 PM EST. I'm giving a talk on "Securing a World of Physically Capable Computers" at MIT on December 6, 2018.

How to Safely and Securely Dispose of Your Old Gadgets

WIRED Threat Level

Keep your data private and the environment protected.

Understanding Evil Twin AP Attacks and How to Prevent Them

Dark Reading

The attack surface remains largely unprotected from Wi-Fi threats that can result in stolen credentials and sensitive information as well as backdoor/malware payload drops.

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!