Krebs on Security

JULY 23, 2018

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. A YubiKey Security Key made by Yubico. The basic model featured here retails for $20. Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in

Phishing 218

Phishing Authentication Mobile Passwords 218

Schneier on Security

JULY 25, 2018

Bluetooth has a serious security vulnerability : In some implementations, the elliptic curve parameters are not all validated by the cryptographic algorithm implementation, which may allow a remote attacker within wireless range to inject an invalid public key to determine the session key with high probability. Such an attacker can then passively intercept and decrypt all device messages, and/or forge and inject malicious messages.

Wireless 141

Wireless Software Encryption 141

Adam Levin

JULY 24, 2018

Russian hackers have successfully infiltrated the control system rooms of U.S. electrical utilities, the Department of Homeland Security announced earlier this week. Suspected hacking groups Dragonfly and Energetic Bear infiltrated their targets using common methods including spear-phishing and watering-hole attacks. They first targeted third-party vendors associated with the utilities, which they then leveraged to steal credentials and gain access to operating systems.

Government 139

Government Phishing Software Hacking 139

Troy Hunt

JULY 27, 2018

Alrighty, 2 big things to discuss today and I'll jump right into them here: Exactis: it's hard to know where to even start with this one and frankly, the more I think about the more frustrated I am that services like this even exist in the first place. But they do and it's worthwhile being aware of them so have a listen to the video this week and check out the links I've shared below.

Internet 112

Internet Internet 112

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Krebs on Security

JULY 25, 2018

Identity theft protection firm LifeLock — a company that’s built a name for itself based on the promise of helping consumers protect their identities online — may have actually exposed customers to additional attacks from ID thieves and phishers. The company just fixed a vulnerability on its site that allowed anyone with a Web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications from the company.

Identity Theft 192

Identity Theft Consumer Protection Phishing Marketing 192

Schneier on Security

JULY 23, 2018

The 1Password password manager has just introduced "travel mode," which allows you to delete your stored passwords when you're in other countries or crossing borders: Your vaults aren't just hidden; they're completely removed from your devices as long as Travel Mode is on. That includes every item and all your encryption keys. There are no traces left for anyone to find.

Passwords 139

Passwords Password Management Encryption 139

Adam Shostack

JULY 26, 2018

Since I wrote my book on the topic, people have been asking me “what’s new in threat modeling?” My Blackhat talk is my answer to that question, and it’s been taking up the time that I’d otherwise be devoting to the series. As I’ve been practicing my talk*, I discovered that there’s more new than I thought, and I may not be able to fit in everything I want to talk about in 50 minutes.

100

100

Krebs on Security

JULY 27, 2018

Here’s a timely reminder that email isn’t the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned. This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer.

Malware 178

Malware Phishing Government Scams 178

Schneier on Security

JULY 24, 2018

This is well-worth reading (non-paywalled version ). Here's the opening: Cryptocurrencies, although a seemingly interesting idea, are simply not fit for purpose. They do not work as currencies, they are grossly inefficient, and they are not meaningfully distributed in terms of trust. Risks involving cryptocurrencies occur in four major areas: technical risks to participants, economic risks to participants, systemic risks to the cryptocurrency ecosystem, and societal risks.

Cryptocurrency 137

Cryptocurrency Risk 137

Lenny Zeltser

JULY 27, 2018

Finding real-world malware samples that illustrate practical analysis techniques is tricky. When training professionals how to reverse-engineer malware , I’ve gone through lots of malicious programs for the purpose of educational examples. Here are some of the samples that I’ve retired from the FOR610 course over the years, because they no longer seemed current or relevant.

Malware 75

Malware Engineering Education Software 75

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Adam Shostack

JULY 24, 2018

That’s the subject of a thought-provoking Washington Post article, “ In about 20 years, half the population will live in eight states ,” and 70% of Americans will live in 15 states. “ Meaning 30 percent will choose 70 senators. And the 30% will be older, whiter, more rural, more male than the 70 percent. ” Of course, as the census shows the population shifting, the makeup of the House will also change dramatically.

Government 100

Government 100

WIRED Threat Level

JULY 26, 2018

Amazon has marketed its Rekognition facial recognition system to law enforcement. But in a new ACLU study, the technology confused 28 members of Congress with publicly available arrest photos.

Marketing 75

Marketing Technology 75

Schneier on Security

JULY 26, 2018

Krebs on Security is reporting that all 85,000 Google employees use two-factor authentication with a physical token. A Google spokesperson said Security Keys now form the basis of all account access at Google. "We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons.

Authentication 127

Authentication Accountability Risk Phishing 127

Thales Cloud Protection & Licensing

JULY 26, 2018

Enterprise databases house some of the most highly-sensitive, tightly-regulated data—the very data that is sought after by malicious insiders and external attackers. As a result, database encryption has never been more crucial in order to protect the massive amounts of information that is held in the diverse mix of databases that large enterprises rely on today, including relational, SQL, NoSQL and big data environments.

Encryption 63

Encryption Big data Backups Risk 63

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Dark Reading

JULY 25, 2018

A hacker who successfully infiltrated a voting machine at last year's DEF CON will demonstrate at Black Hat USA how he did it, as well as what he later found stored on other decommissioned WinVote machines.

Hacking 67

Hacking 67

Security Affairs

JULY 26, 2018

US-CERT warns of cyber attacks on ERP applications, including Oracle and SAP, and refers an interesting report published by Digital Shadows and Onapsis. US-CERT warns of cyber attacks on Enterprise resource planning (ERP) solutions such as Oracle and SAP, both nation-state actors and cybercrime syndicates are carrying out hacking campaign against these systems.

Cyber Attacks 65

Cyber Attacks Digital transformation Hacking Advertising 65

Schneier on Security

JULY 25, 2018

There are some good lessons in this article on financial fraud: That's how we got it so wrong. We were looking for incidental breaches of technical regulations, not systematic crime. And the thing is, that's normal. The nature of fraud is that it works outside your field of vision, subverting the normal checks and balances so that the world changes while the picture stays the same.

Marketing 125

Marketing Manufacturing Technology Banking 125

WIRED Threat Level

JULY 27, 2018

Over the last 15 years, JPay has quietly been moving into prisons across the country—connecting family members through email, at a cost.

63

63

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Thales Cloud Protection & Licensing

JULY 24, 2018

Originally Featured in Global Military Communications Magazine’s June/July Issue. With more than 65,000 employees in 56 countries, Thales is a global leader in technology solutions for the aerospace, transport, defence and security markets. Its unique capabilities include the design and deployment of equipment, systems and services to meet complex security requirements.

Encryption 48

Encryption Data breaches Government Threat Reports 48

Security Affairs

JULY 27, 2018

Researchers from Proofpoint have discovered a new remote access Trojan (RAT) named Parasite HTTP that implements a broad range of evasion techniques. The Parasite HTTP RAT has a modular architecture that allows authors to easily add new features. The malware includes sandbox detection, anti-debugging, anti-emulation, and other defense mechanisms. “Proofpoint researchers recently discovered a new remote access Trojan (RAT) available for sale on underground markets.

Malware 59

Malware Advertising Passwords Retail 59

Schneier on Security

JULY 27, 2018

According to a new CSIS report , "going dark" is not the most pressing problem facing law enforcement in the age of digital data: Over the past year, we conducted a series of interviews with federal, state, and local law enforcement officials, attorneys, service providers, and civil society groups. We also commissioned a survey of law enforcement officers from across the country to better understand the full range of difficulties they are facing in accessing and using digital evidence in their c

Encryption 125

Encryption 125

WIRED Threat Level

JULY 22, 2018

Two-factor authentication is a must, but don't settle for the SMS version. Use a more secure authenticator app instead.

Authentication 65

Authentication Accountability 65

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

Dark Reading

JULY 26, 2018

Here's some advice from leading authorities on how state and local governments can adapt to an environment where election systems will inevitably be hacked.

Government 53

Government Hacking 53

Security Affairs

JULY 23, 2018

The U.S. government should opt to carry out hack backs as retaliation against the massive attacks against organizations in the US private sector. The U.S. government should opt to carry out hack backs as retaliation against the massive attacks against organizations in the US private sector, and when appropriate, the military’s hacking unit should hit back, this is what three experts said at a panel organized by APCO.

Hacking 54

Hacking Cyber Attacks Government Advertising 54

Schneier on Security

JULY 26, 2018

DARPA is funding research into resilient anonymous communications systems.

182

182

WIRED Threat Level

JULY 24, 2018

The world's biggest browser now lets you know when you're visiting an unencrypted site.

75

75

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Dark Reading

JULY 25, 2018

Lots of things keep CISOs up at night. But instead of guessing what CISOs want, investors and vendors should incorporate customer feedback throughout product ideation and development cycles.

CISO 49

CISO Cybersecurity 49

Security Affairs

JULY 24, 2018

The US Government is warning of continuous intrusions in National critical infrastructure and it is blaming the Kremlin for the cyber attacks. According to the US Department of Homeland Security, Russia’s APT groups have already penetrated America’s critical infrastructure, especially power utilities, and are still targeting them. These attacks could have dramatic consequence, an attack against a power grid could cause a massive power outage.

Advertising 53

Advertising Government Cyber Attacks Phishing 53

Schneier on Security

JULY 27, 2018

Ross Anderson liveblogged the Third Annual Cybercrime Conference.

Cybercrime 111

Cybercrime 111

WIRED Threat Level

JULY 25, 2018

Nearly a year after hackers stole the personal data of 147 million people from Equifax, the company details how it's overhauling security.

54

54

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk