Schneier on Security

NOVEMBER 1, 2018

This is not surprising : This year, I bought two more machines to see if security had improved. To my dismay, I discovered that the newer model machines -- those that were used in the 2016 election -- are running Windows CE and have USB ports, along with other components, that make them even easier to exploit than the older ones. Our voting machines, billed as "next generation," and still in use today, are worse than they were before­ -- dispersed, disorganized, and susceptible to manipulation.

Hacking 238

Hacking 238

Krebs on Security

NOVEMBER 2, 2018

Thieves are combining SMS-based phishing attacks with new “cardless” ATMs to rapidly convert phished bank account credentials into cash. Recent arrests in Ohio shed light on how this scam works. A number of financial institutions are now offering cardless ATM transactions that allow customers to withdraw cash using nothing more than their mobile phones.

Phishing 232

Phishing Banking Scams Accountability 232

Adam Levin

OCTOBER 31, 2018

The U.S. Justice Department announced charges against ten Chinese intelligence agents for hacking into computer systems belonging to U.S. and international companies to steal aerospace technology and data. The indictment , revealed earlier this week accuses agents working for the Jiangsu Province Ministry of State Security (JSSD) of conspiring “to steal sensitive commercial technological, aviation, and aerospace data by hacking into computers in the United States and abroad.”.

Government 213

Government Hacking Engineering Technology 213

Troy Hunt

NOVEMBER 2, 2018

On my first attempt at recording this, I decided the framing was crooked after a couple of minutes so I started again. On my second attempt, the PC BSOD'd after 42 mins and I thought I'd lost all the audio. I hadn't, so on the third attempt I completed the last of it. Then I waited nearly an hour for it to render before realising there was unedited material at the beginning so I had to re-render the whole thing again.

Data breaches 156

Data breaches Passwords Accountability 156

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Schneier on Security

OCTOBER 29, 2018

This seems bad: The F25 software was found to contain a capture replay vulnerability -- basically an attacker would be able to eavesdrop on radio transmissions between the crane and the controller, and then send their own spoofed commands over the air to seize control of the crane. "These devices use fixed codes that are reproducible by sniffing and re-transmission," US-CERT explained.

Internet 220

Internet Internet Software 220

Krebs on Security

NOVEMBER 1, 2018

A year after offering free credit monitoring to all Americans on account of its massive data breach that exposed the personal information of nearly 148 million people, Equifax now says it has chosen to extend the offer by turning to a credit monitoring service offered by a top competitor — Experian. And to do that, it will soon be sharing with Experian contact information that affected consumers gave to Equifax in order to sign up for the service.

Identity Theft 225

Identity Theft Marketing Data breaches Accountability 225

Adam Levin

OCTOBER 29, 2018

Hong Kong-based Cathay Pacific discovered a data breach that compromised the information of more than 9 million passengers, the company announced last week. It is the biggest breach to date of an airline. In the same release, Cathay announced that the “types of personal data accessed were the names of passengers, their nationalities, dates of birth, telephone numbers, email, physical addresses, passport numbers, identity card numbers, frequent flyer programme membership numbers, customer service

Data breaches 116

Data breaches Healthcare Hacking Cybersecurity 116

Schneier on Security

OCTOBER 29, 2018

I've blogged twice about the Bloomberg story that China bugged Supermicro networking equipment destined to the US. We still don't know if the story is true, although I am increasingly skeptical because of the lack of corroborating evidence to emerge. We don't know anything more, but this is the most comprehensive rebuttal of the story I have read.

216

216

Adam Shostack

NOVEMBER 1, 2018

There’s an interesting article in the CBC, where journalists took a set of flights, swabbed surfaces, and worked with a microbiologist to culture their samples. What they found will shock you! Well, airplanes are filthy. Not really shocking. What was surprising to me was that the dirtiest of the surfaces they tested was the headrest. (They did not test the armrests.

113

113

Security Affairs

NOVEMBER 1, 2018

0x20k of Ghost Squad Hackers has released the full source code of the 0day exploit used to targeting Apache Hadoop and build the FICORA Botnet. In direct response to the publication of Radware’s analysis of the new discovery of the DemonBot malware strain effecting Hadoop clusters earlier the week, October 25th, 2018, 0x20k of Ghost Squad Hackers has released the full source code of the 0day exploit used to build his newest model; the FICORA Botnet. 0x20k, who is also credited as the autho

Malware 107

Malware Advertising Media Passwords 107

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

WIRED Threat Level

OCTOBER 31, 2018

A series of high-profile cases involving alleged Chinese recruits shows how the country identifies and develops potential spies stateside.

110

110

Schneier on Security

NOVEMBER 2, 2018

Interesting policy paper by Third Way: " To Catch a Hacker: Toward a comprehensive strategy to identify, pursue, and punish malicious cyber actors ": In this paper, we argue that the United States currently lacks a comprehensive overarching strategic approach to identify, stop and punish cyberattackers. We show that: There is a burgeoning cybercrime wave: A rising and often unseen crime wave is mushrooming in America.

Cybercrime 204

Cybercrime Cybersecurity Hacking 204

Adam Shostack

OCTOBER 29, 2018

Ron Woerner had me on as a guest in his business of security podcast series. It was fun to tease out some of the business justifications for threat modeling, and the podcast is now live at itunes. You can learn more about the series at Business of Security Podcast Series.

113

113

Security Affairs

OCTOBER 30, 2018

A few hours after Apple released iOS 12.1 the iPhone bug hunter Jose Rodriguez has found a new passcode bypass issue that could be exploited to see all contacts’ private information on a locked iPhone. “Jose Rodriguez, a Spanish security researcher, contacted The Hacker News and confirmed that he discovered an iPhone passcode bypass bug in the latest version of its iOS mobile operating system, iOS 12.1, released by Apple today.” reads a post published by THN.

Mobile 98

Mobile Advertising Hacking 98

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Thales Cloud Protection & Licensing

OCTOBER 31, 2018

The unexplained and seemingly paranormal are actually a year-round phenomenon in IT Security. This year has been no exception. The shrieks and screams coming from CISOs and their staffs over malware has led to zombie-like stares. Because the never-ending battle against the evil forces of the dark web continues with regard to ransomware and its ghoulish close cousins – leakware and scareware.

Ransomware 91

Ransomware Encryption Malware CISO 91

Schneier on Security

OCTOBER 31, 2018

The conventional story is that Iran targeted Saudi Arabia with Triton in 2017. New research from FireEye indicates that it might have been Russia. I don't know. FireEye likes to attribute all sorts of things to Russia, but the evidence here look pretty good.

Malware 196

Malware 196

Dark Reading

NOVEMBER 1, 2018

Facebook, Equifax, Cambridge Analytica. Why do breaches of incomprehensible magnitude lead to a quick recovery for the businesses that lost or abused the data and such little lasting impact for the people whose information is stolen.

Data breaches 83

Data breaches 83

Security Affairs

OCTOBER 27, 2018

Security researchers at FortiGuard Labs have discovered a new DDoS-for-hire service called “ 0x-booter” built with leaked code that implements an easy to use interface. “ 0x-booter ” first appeared on October 17, 2018, a post published on Facebook advertises over 500 Gbps of power and 20,000 bots. “During our regular monitoring, the FortiGuard Labs team recently discovered a new platform offering DDoS-for-hire service called “0x-booter. ”” reads the analysis published by Fort

DDOS 94

DDOS IoT Advertising Hacking 94

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Threatpost

NOVEMBER 1, 2018

Weighing the impact of GDPR and how the historic legislation has shaped privacy protection measures in the U.S., so far.

Insurance 102

Insurance Accountability Government 102

Schneier on Security

OCTOBER 31, 2018

Jim Harper at CATO has a good survey of state ID systems in the US.

193

193

WIRED Threat Level

OCTOBER 27, 2018

It may never be clear why Robert Bowers chose to carry out a violent attack. But his social media activity mirrors an increase in anti-Semitism on the internet.

Media 84

Media Internet Internet 84

Security Affairs

NOVEMBER 2, 2018

A cyber attack on a French firm Ingerop allowed attackers to access confidential documents related to nuclear power plant plans in France. The hacker stole more than 65 gigabytes of documents back in June, the huge trove of documents includes nuclear power plant plants and blueprints for prisons and tram networks. According to the media, some of the stolen data were found on a rented server in Germany. “Thousands of sensitive documents pertaining to nuclear power plants, prisons and tram n

Cyber Attacks 93

Cyber Attacks Advertising Media Hacking 93

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

Dark Reading

OCTOBER 30, 2018

A Girl Scouts of America branch in California was hacked, putting the data of 2,800 girls and their families at risk.

Hacking 98

Hacking Risk 98

Threatpost

OCTOBER 31, 2018

The Kraken ransomware author has released a second version of the malicious code, along with a unique affiliate program on the Dark Web. According to research into Kraken v.2 the new version is being promoted in a ransomware-as-a-service (RaaS) model to underground forum customers, via a video demoing its capabilities. Those interested can complete a […].

Ransomware 77

Ransomware Malware 77

Thales Cloud Protection & Licensing

OCTOBER 29, 2018

Peter Carlisle, Thales eSecurity’s VP of Sales, EMEA, recently shared his thoughts on the Cathay Pacific data breach. According to the airline, hackers were able to access the personal data of up to 9.4 million passengers. Leaked data includes passengers’ names, dates of birth, phone numbers, email addresses and passport numbers. The Cathay Pacific hack comes on the heels of last month’s British Airways data hack.

Data breaches 73

Data breaches Encryption Hacking Risk 73

Security Affairs

NOVEMBER 2, 2018

Security experts from CISCO warn of a zero-day vulnerability that is being actively exploited in attacks in the wild. The flaw, tracked as CVE-2018-15454, affects the Session Initiation Protocol (SIP) inspection engine of Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD). The flaw could be exploited by a remote attacker to trigger a DoS condition on the vulnerable device. “A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adapti

Advertising 92

Advertising Software Engineering Firewall 92

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Dark Reading

NOVEMBER 2, 2018

Three individuals who worked for DRAM maker's Taiwan subsidiary stole Micron IP to benefit company controlled by China's government, US says in indictment.

Government 84

Government 84

PerezBox Security

OCTOBER 28, 2018

The need to use HTTPS on your website has been spearheaded by Google for years (since 2014), and in 2018 we saw massive improvements as more of the web became. Read More. The post How HTTPS Works – Let’s Establish a Secure Connection appeared first on PerezBox.

Technology 73

Technology Information Security Cybersecurity 73

Thales Cloud Protection & Licensing

NOVEMBER 1, 2018

The Money 20/20 conference and exhibition in Las Vegas this year was a first for me. The physical floor space, the number of speakers (500 we were told) and the diversity of the streams were so vast that it made all the numerous payment industry conferences I attended for the past 20 years seem like small gatherings in comparison. The first challenge was to identify the core sessions to attend over the next three and a half days, bearing in mind that there was often 10 minutes walking distance b

Banking 70

Banking Financial Services Data privacy Mobile 70

Security Affairs

OCTOBER 30, 2018

Paras Jha (22), the author of the Mirai botnet has been sentenced to six months of house arrest and ordered to pay $8.6 million in compensation for DDoS attacks against the systems of Rutgers University. A New Jersey court sentenced the author of the Mirai botnet , Paras Jha , 22, of Fanwood, after pleading guilty to violating the Computer Fraud and Abuse Act (CFAA).

DDOS 90

DDOS IoT Advertising Malware 90

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk