Schneier on Security

MARCH 20, 2019

This isn't a security story, but it easily could have been. Last Saturday, Zipcar had a system outage : "an outage experienced by a third party telecommunications vendor disrupted connections between the company's vehicles and its reservation software.". That didn't just mean people couldn't get cars they reserved. Sometimes is meant they couldn't get the cars they were already driving to work: Andrew Jones of Roxbury was stuck on hold with customer service for at least a half-hour while he and

Telecommunications 248

Telecommunications Software 248

The Last Watchdog

MARCH 21, 2019

Unless you decide to go Henry David Thoreau and shun civilization altogether, you can’t — and won’t — stop generating data , which sooner or later can be traced back to you. Related: The Facebook factor. A few weeks back I interviewed a white hat hacker. After the interview, I told him that his examples gave me paranoia. He laughed and responded, “There’s no such thing as anonymous data; it all depends on how determined the other party is.”.

Surveillance 218

Surveillance Telecommunications VPN Government 218

Adam Levin

MARCH 19, 2019

A health company’s unprotected server exposed over six million health records in the last 12 months. Meditlab, an electronic medical record company, left a server for electronic faxes completely unprotected since bringing it online in March 2018. This meant that any information transmitted between medical offices, including records, doctor’s notes, prescriptions, and patient names, addresses, health insurance information and Social Security numbers were accessible to outside parties.

Insurance 193

Insurance Government Engineering Cybersecurity 193

Troy Hunt

MARCH 17, 2019

Well that was a hell of a week of travel. Seriously, the Denver situation was just an absolute mess but when looking at the video from the day I was meant to fly in, maybe being stuck in LA wasn't such a bad thing after all: As of 1:30 p.m., all runways are closed, but the terminal & concourses are open. Airlines have cancelled flights for early afternoon/evening.

Data breaches 137

Data breaches Passwords 137

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Schneier on Security

MARCH 21, 2019

The Daily Beast is reporting that First Look Media -- home of The Intercept and Glenn Greenwald -- is shutting down access to the Snowden archives. The Intercept was the home for Greenwald's subset of Snowden's NSA documents since 2014, after he parted ways with the Guardian the year before. I don't know the details of how the archive was stored, but it was offline and well secured -- and it was available to journalists for research purposes.

Media 234

Media 234

The Last Watchdog

MARCH 19, 2019

Security information and event management, or SIEM, could yet turn out to be the cornerstone technology for securing enterprise networks as digital transformation unfolds. Related: How NSA cyber weapon could be used for a $200 billion ransomware caper. Exabeam is a bold upstart in the SIEM space. The path this San Mateo, CA-based vendor is trodding tells us a lot about the unfolding renaissance of SIEMs – and where it could take digital commerce.

Big data 127

Big data Internet Internet Digital transformation 127

Adam Shostack

MARCH 22, 2019

“ Cybersecurity is not very important ” is a new paper by the very smart Andrew Odlyzko. I do not agree with everything he says, but it’s worth reading and pondering if and why you disagree with it. I think I agree with it more than I disagree.

Cybersecurity 113

Cybersecurity 113

Schneier on Security

MARCH 20, 2019

Andrew Odlyzko's new essay is worth reading -- " Cybersecurity is not very important ": Abstract: There is a rising tide of security breaches. There is an even faster rising tide of hysteria over the ostensible reason for these breaches, namely the deficient state of our information infrastructure. Yet the world is doing remarkably well overall, and has not suffered any of the oft-threatened giant digital catastrophes.

Cybersecurity 223

Cybersecurity 223

The Last Watchdog

MARCH 21, 2019

As sure as the sun will rise in the morning, hackers will poke and prod at the web applications companies rely on – and find fresh weaknesses they can exploit. Related: Cyber spies feast on government shut down. Companies are scaling up their use of web apps as they strive to integrate digital technology into every aspect of daily business operation.

Digital transformation 118

Digital transformation Software Banking Internet 118

Adam Levin

MARCH 21, 2019

The U.S. Department of Homeland Security issued an emergency directive in January 2019 giving government agencies ten days to verify that they weren’t compromised by DNS hijacking. A few days later, the Internet Corporation for Assigned Names and Numbers ( ICANN ), the organization responsible for governing large parts of the internet, issued a bleak warning urging businesses to do the same, and to enact stronger security measures.

DNS 141

DNS Government Internet Internet 141

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Adam Shostack

MARCH 18, 2019

I’ve signed on to Access Now’s letter to the Indian Ministry of Electronics and Information Technology, asking the Government of India to withdraw the draft amendments proposed to the Information Technology (Intermediary Guidelines) Rules. As they say in their press release : Today’s letter, signed by an international coalition of 31 organizations and individuals, explains how the proposed amendments threaten fundamental rights and the space for a free internet, while not addressing

Technology 100

Technology Internet Internet Government 100

Schneier on Security

MARCH 18, 2019

Turns out that the software a bunch of CAs used to generate public-key certificates was flawed : they created random serial numbers with only 63 bits instead of the required 64. That may not seem like a big deal to the layman, but that one bit change means that the serial numbers only have half the required entropy. This really isn't a security problem; the serial numbers are to protect against attacks that involve weak hash functions, and we don't allow those weak hash functions anymore.

Software 195

Software Authentication Encryption 195

The Last Watchdog

MARCH 22, 2019

Malvertising is rearing its ugly head – yet again. Malicious online ads have surged and retreated in cycles since the earliest days of the Internet. Remember when infectious banner ads and viral toolbars cluttered early browsers? Related: Web application exposures redouble. Historically, with each iteration of malicious ads, the online advertising industry, led by Google, has fought back, and kept this scourge at a publicly acceptable level.

Advertising 101

Advertising Retail Antivirus eCommerce 101

Security Affairs

MARCH 21, 2019

A security expert has discovered a vulnerability in the NSA Ghidra platform that could be exploited to execute code remotely. A security expert who goes online with the handle of sghctoma has discovered a vulnerability in Ghidra platform recently released by the US NSA, the issue could be exploited to execute code remotely. GHIDRA is a multi-platform reverse engineering framework that runs on major OSs (Windows, macOS, and Linux).

Authentication 111

Authentication Advertising Engineering Firewall 111

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

WIRED Threat Level

MARCH 22, 2019

The Homeland Security Department inspector general released a damning report about FEMA's inability to safeguard the personal info of the people it helped.

Hacking 105

Hacking 105

Schneier on Security

MARCH 22, 2019

GCHQ has put simulators for the Enigma, Typex, and Bombe on the Internet. News article.

Internet 209

Internet Internet Encryption 209

Dark Reading

MARCH 19, 2019

Cybercriminals focus on collecting credentials, blackmailing users with fake sextortion scams, and convincing privileged employees to transfer cash. The latter still causes the most damage, and some signs suggest it is moving to mobile.

Scams 92

Scams Mobile 92

Security Affairs

MARCH 17, 2019

Threat actors targeted Office 365 and G Suite cloud accounts using the IMAP protocol to bypass multi-factor authentication (MFA). Over the past months, threat actors have targeted Office 365 and G Suite cloud accounts using the IMAP protocol to bypass multi-factor authentication (MFA). Experts at Proofpoint conducted an interesting study of massive attacks against accounts of major cloud services, The experts noticed that attackers leverage legacy protocols and credential dumps to increase the e

Accountability 111

Accountability Phishing Authentication Passwords 111

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

WIRED Threat Level

MARCH 21, 2019

Facebook has disclosed that it stored hundreds of millions of user passwords in plaintext, where employees could search them.

Passwords 111

Passwords 111

Schneier on Security

MARCH 19, 2019

Good article on the Triton malware which targets industrial control systems.

Malware 165

Malware Cybersecurity 165

Adam Shostack

MARCH 19, 2019

RSA has posted a video of my talk, “Threat Modeling in 2019”

100

100

Security Affairs

MARCH 21, 2019

Pwn2Own 2019 hacking competition is started and participants hacked Apple Safari browser, Oracle VirtualBox and VMware Workstation on the first day. As you know I always cover results obtained by white hat hackers at hacking competitions, for this reason, today I’ll share with you the results of the first day of the Pwn2Own 2019. Pwn2Own 2019 is the hacking competition organized by Trend Micro’s Zero Day Initiative (ZDI) that is taking place in Vancouver, Canada, alongside the CanSecWest c

Hacking 100

Hacking Advertising 100

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

Threatpost

MARCH 21, 2019

The social media giant said that it is notifying users whose passwords it stored in plain text, which made them accessible for Facebook employees to view.

Passwords 91

Passwords Media 91

WIRED Threat Level

MARCH 22, 2019

Special counsel Robert Mueller finished his investigation into the 2016 presidential election Friday.

109

109

Dark Reading

MARCH 18, 2019

The latest bill to set security standards for connected devices sold to the US government has fewer requirements, instead leaving recommendations to the National Institute of Standards and Technology.

IoT 80

IoT Government Technology 80

Security Affairs

MARCH 20, 2019

James Forshaw, a white hat hacker at Google Project Zero, has discovered a new class of bugs that affect Windows and some of its drivers. Google Project Zero hacker James Forshaw discovered a new class of flaws that reside in some of the kernel mode drivers in Windows that could allow attackers to escalate privileges. The flaws are caused by the lack of necessary checks when handling specific requests.

Advertising 94

Advertising Risk Hacking 94

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Thales Cloud Protection & Licensing

MARCH 22, 2019

World Water Day is a UN initiative celebrated every March 22. It honors water and focuses on those deprived of it. The occasion is a persuasive aide-memoire to the human world to deal with the global water crisis. Population growth has increased the demand for water, and water management organizations are driven to conserve and manage this essential resource.

Digital transformation 75

Digital transformation Cybersecurity Cyber Attacks Technology 75

Threatpost

MARCH 21, 2019

On the first day of Pwn2Own 2019 hackers poked holes in Apple Safari, VMware Workstation and Oracle VirtualBox.

Hacking 101

Hacking 101

Dark Reading

MARCH 22, 2019

In an era of popular video games like Fortnite and Minecraft, there is a lot to be learned about risk, luck, and strategy from some old-fashioned board games.

Risk 84

Risk 84

Security Affairs

MARCH 22, 2019

Russian APT groups are targeting European governments for cyber-espionage purposes ahead of the upcoming European elections. According to experts from FireEye, Russia-linked APT28 (aka Fancy Bear , Pawn Storm , Sofacy Group , Sednit , and STRONTIUM ) and Sandworm Team (also TeleBots ) cyberespionage groups are targeting European governments for cyber-espionage purposes ahead of the upcoming European elections.

Government 92

Government Advertising Media Phishing 92

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk