Schneier on Security

NOVEMBER 15, 2018

A new study finds that credit card fraud has not declined since the introduction of chip cards in the US. The majority of stolen card information comes from hacked point-of-sale terminals. The reasons seem to be twofold. One, the US uses chip-and-signature instead of chip-and-PIN, obviating the most critical security benefit of the chip. And two, US merchants still accept magnetic stripe cards, meaning that thieves can steal credentials from a chip card and create a working cloned mag stripe car

Hacking 248

Hacking 248

Krebs on Security

NOVEMBER 13, 2018

If you own a domain name that gets decent traffic and you fail to pay its annual renewal fee, chances are this mistake will be costly for you and for others. Lately, neglected domains have been getting scooped up by crooks who use them to set up fake e-commerce sites that steal credit card details from unwary shoppers. For nearly 10 years, Portland, Ore. resident Julie Randall posted pictures for her photography business at julierandallphotos-dot-com , and used an email address at that domain to

Accountability 213

Accountability eCommerce Cybercrime Advertising 213

Adam Levin

NOVEMBER 13, 2018

The American business and financial services company Moody’s will start factoring risk of getting hacked into their credit ratings for companies. The move is seen as part of a wider initiative to gauge the risk of cyberattacks and data breaches to companies and their investors. “We’ve been in the risk management business for a very long time. This is to enhance our thinking about credit as cyber becomes more and more important,” said Derek Valda, head of Moody’s Investors Services Cyber Ri

Cyber Risk 203

Cyber Risk Risk Financial Services Manufacturing 203

Troy Hunt

NOVEMBER 15, 2018

Bit of a change of scenery this week; I've gone to the other end of the house whilst invasive palm tree roots are water blasted out from beneath my office window as part of our garden renos. But hey, that's a nice place to be on a day like this ?? Other than the location, it's business as usual. There's been some interesting discussion on biometric this morning, I'm appealing to developers of extensions and add-ons to whitelist themselves when a CSP is present and I'm talking about Google's U2F

167

167

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Schneier on Security

NOVEMBER 16, 2018

Both the US Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE) are hiding surveillance cameras in streetlights. According to government procurement data , the DEA has paid a Houston, Texas company called Cowboy Streetlight Concealments LLC roughly $22,000 since June 2018 for "video recording and reproducing equipment.

Surveillance 219

Surveillance Government Technology 219

Krebs on Security

NOVEMBER 14, 2018

A California man who pleaded guilty Tuesday to causing dozens of swatting attacks — including a deadly incident in Kansas last year — now faces 20 or more years in prison. Tyler Raj Barriss, in an undated selfie. Tyler Barriss , 25, went by the nickname SWAuTistic on Twitter, and reveled in perpetrating “swatting” attacks. These dangerous hoaxes involve making false claims to emergency responders about phony hostage situations or bomb threats, with the intention of prompt

Accountability 196

Accountability 196

The Last Watchdog

NOVEMBER 15, 2018

Even as enterprises across the globe hustle to get their Internet of Things business models up and running, there is a sense of foreboding about a rising wave of IoT-related security exposures. And, in fact, IoT-related security incidents have already begun taking a toll at ill-prepared companies. Related: How to hire an IoT botnet — for $20.

IoT 136

IoT Encryption Authentication Penetration Testing 136

Schneier on Security

NOVEMBER 12, 2018

This is a fun steganographic application : hiding a message in a fingerprint image. Can't see any real use for it, but that's okay.

Encryption 219

Encryption 219

Krebs on Security

NOVEMBER 14, 2018

Microsoft on Tuesday released 16 software updates to fix more than 60 security holes in various flavors of Windows and other Microsoft products. Adobe also has security patches available for Flash Player , Acrobat and Reader users. As per usual, most of the critical flaws — those that can be exploited by malware or miscreants without any help from users — reside in Microsoft’s Web browsers Edge and Internet Explorer.

Encryption 181

Encryption Passwords Internet Internet 181

Adam Shostack

NOVEMBER 15, 2018

Blackhat has released all the 2018 US conference videos. My threat modeling in 2018 video is, of course, amongst them. Slides are linked here.

140

140

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

The Last Watchdog

NOVEMBER 13, 2018

Cyber criminals are deploying the very latest in automated weaponry, namely botnets, to financially plunder corporate networks. The attackers have a vast, pliable attack surface to bombard: essentially all of the externally-facing web apps, mobile apps and API services that organizations are increasingly embracing, in order to stay in step with digital transformation.

Digital transformation 104

Digital transformation Mobile B2C B2B 104

Schneier on Security

NOVEMBER 14, 2018

Back in January, we learned about a class of vulnerabilities against microprocessors that leverages various performance and efficiency shortcuts for attack. I wrote that the first two attacks would be just the start: It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years to discover it.

Architecture 176

Architecture Software Hacking 176

Security Affairs

NOVEMBER 13, 2018

Google services were partially inaccessible on Monday due to a BGP leak that caused traffic redirection through Russia, China, and Nigeria. A BGP leak caused unavailability of Google service on Monday, the traffic was redirected through Russia, China, and Nigeria. At the time it is not clear if the incident was the result of an error or a cyber attack on the BGP protocol.

Internet 111

Internet Internet Advertising Surveillance 111

WIRED Threat Level

NOVEMBER 16, 2018

When we're being watched, we conform. We don't speak freely or try new things. But social progress happens in the gap between what’s legal and what’s moral.

Surveillance 107

Surveillance 107

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

The Last Watchdog

NOVEMBER 12, 2018

A security-first mindset is beginning to seep into the ground floor of the IT departments of small and mid-sized companies across the land. Senior executives at these SMBs are finally acknowledging that a check-box approach to security isn’t enough, and that instilling a security mindset pervasively throughout their IT departments has become the ground stakes.

Penetration Testing 103

Penetration Testing System Administration Cybersecurity Technology 103

Schneier on Security

NOVEMBER 16, 2018

I understand his frustration, but this is extreme: When police asked Cryptopay what could have motivated Salonen to send the company a pipe bomb ­ or, rather, two pipe bombs, which is what investigators found when they picked apart the explosive package ­ the only thing the company could think of was that it had declined his request for a password change.

Passwords 164

Passwords 164

Security Affairs

NOVEMBER 10, 2018

Nginx developers released security updates to address several denial-of-service (DoS) vulnerabilities affecting the nginx web server. nginx is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, it is used by 25.28% busiest sites in October 2018. Nginx development team released versions 1.15.6 and 1.14.1 to address two HTTP/2 implementation vulnerabilities that can cause a DoS condition in Nginx versions 1.9.5 through 1.15.5.

Advertising 110

Advertising Engineering Hacking 110

Dark Reading

NOVEMBER 15, 2018

Building cybersecurity skills is a must; paying a lot for the education is optional. Here are seven options for increasing knowledge without depleting a budget.

Cybersecurity 97

Cybersecurity Education 97

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Thales Cloud Protection & Licensing

NOVEMBER 14, 2018

According to statistica the number of Internet of Things (IoT) devices connected will rise to 23 billion this year. From industrial machinery and intelligent transportation to health monitoring and emergency notification systems, a broad range of IoT devices are already being deployed by enterprises. And each of these devices requires network connectivity so it can collect and transfer data.

IoT 85

IoT Authentication Manufacturing Digital transformation 85

Schneier on Security

NOVEMBER 14, 2018

I've been writing about "responsible disclosure" for over a decade; here's an essay from 2007. Basically, it's a tacit agreement between researchers and software vendors. Researchers agree to withhold their work until software companies fix the vulnerabilities, and software vendors agree not to harass researchers and fix the vulnerabilities quickly.

Software 140

Software 140

Security Affairs

NOVEMBER 10, 2018

North Korea-linked Lazarus Group has been using FastCash Trojan to compromise AIX servers to empty tens of millions of dollars from ATMs. Security experts from Symantec have discovered a malware, tracked as FastCash Trojan , that was used by the Lazarus APT Group , in a string of attacks against ATMs. The ATP group has been using this malware at least since 2016 to siphon millions of dollars from ATMs of small and midsize banks in Asia and Africa.

Banking 105

Banking Hacking Malware Advertising 105

Dark Reading

NOVEMBER 14, 2018

The attack surface remains largely unprotected from Wi-Fi threats that can result in stolen credentials and sensitive information as well as backdoor/malware payload drops.

Malware 92

Malware 92

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

WIRED Threat Level

NOVEMBER 12, 2018

Corporations have taken the lead over nations on governing the internet: The initiative might not have counted the US as a signatory, but did include Microsoft, Facebook, Google, and others.

Internet 83

Internet Internet Government 83

Schneier on Security

NOVEMBER 14, 2018

This is a current list of where and when I am scheduled to speak: I'm speaking at Kiwicon in Wellington, New Zealand on November 16, 2018. I'm appearing on IBM Resilient's End of Year Review webinar on "The Top Cyber Security Trends in 2018 and Predictions for the Year Ahead," December 6, 2018 at 12:00 PM EST. I'm giving a talk on " Securing a World of Physically Capable Computers " at MIT on December 6, 2018.

131

131

Security Affairs

NOVEMBER 12, 2018

David Wells, a security expert from Tenable, devised a method to bypass Windows’ User Account Control (UAC) by spoofing the execution path of a file in a trusted directory. . A security researcher from Tenable has discovered that is possible to bypass Windows’ User Account Control (UAC) by spoofing the execution path of a file in a trusted directory.

Advertising 97

Advertising Accountability Hacking Technology 97

Threatpost

NOVEMBER 12, 2018

A full 60 million U.S. cards were compromised in the past 12 months. While 93 percent of those were EMV chip-enabled, merchants continued to use mag stripes.

Malware 87

Malware 87

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

WIRED Threat Level

NOVEMBER 14, 2018

In its second annual “Privacy Not Included” guide, the nonprofit highlights internet-connected gifts that value your privacy—and the ones that may not.

Internet 88

Internet Internet 88

Thales Cloud Protection & Licensing

NOVEMBER 15, 2018

Thales eSecurity Global CISO Bridget Kenyon was recently named one of the ‘Top 25 Women in Tech 2018’ by UK publication PCR. As stated in the write-up, which may be found in the above link and below: “Passionate about data security, Bridget was the previous head of information security at University College London and a security researcher at government DEFRA.

CISO 75

CISO Government Information Security Cybersecurity 75

Security Affairs

NOVEMBER 15, 2018

Group-IB has detected massive campaigns targeting Russian financial institutions posing as the Central Bank of Russia. The emails were disguised to look as if they come from the Central Bank of Russia and FinCERT, the Financial Sector Computer Emergency Response Team. Group-IB experts have discovered that the attack on 15 November could have been carried out by the hacker group Silence , and the one on 23 October by MoneyTaker.

Banking 96

Banking Computers and Electronics Phishing Cybercrime 96

Dark Reading

NOVEMBER 12, 2018

A total of 3,676 breaches involving over 3.6 billion records were reported in the first nine months of this year alone.

Data breaches 97

Data breaches 97

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk