Schneier on Security
AUGUST 2, 2019
Yesterday, I blogged about a Facebook plan to backdoor WhatsApp by adding client-side scanning and filtering. It seems that I was wrong, and there are no such plans. The only source for that post was a Forbes essay by Kalev Leetaru, which links to a previous Forbes essay by him, which links to a video presentation from a Facebook developers conference.
Krebs on Security
AUGUST 2, 2019
On Monday, a former Amazon employee was arrested and charged with stealing more than 100 million consumer applications for credit from Capital One. Since then, many have speculated the breach was perhaps the result of a previously unknown “zero-day” flaw, or an “insider” attack in which the accused took advantage of access surreptitiously obtained from her former employer.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Troy Hunt
AUGUST 2, 2019
Over the last year and a bit I've been working to make more data in HIBP freely available to governments around the world that want to monitor their own exposure in data breaches. Like the rest of us, governments regularly rely on services that fall victim to attacks resulting in data being disclosed and just like the commercial organisations monitoring domains on HIBP, understanding that exposure is important.
Adam Shostack
AUGUST 2, 2019
Shortly, I’m off to Blackhat. My Threat Modeling Intensive classes both sold out (thank you!). Nearly a decade ago, I put forth a set of best practices: Breath mints Ricola Purell Advil Gatorade This year, I’m adding a travel humidifier. I’ve been using this one, and it really needs to soak for 10 minutes, but then it adds a nice stream of moisture to the room.
Advertisement
How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.
Schneier on Security
JULY 31, 2019
In this piece of research, attackers successfully attack a driverless car system -- Renault Captur's "Level 0" autopilot (Level 0 systems advise human drivers but do not directly operate cars) -- by following them with drones that project images of fake road signs in 100ms bursts. The time is too short for human perception, but long enough to fool the autopilot's sensors.
Krebs on Security
JULY 29, 2019
Marcus Hutchins , the “accidental hero” who helped arrest the spread of the global WannaCry ransomware outbreak in 2017, will receive no jail time for his admitted role in authoring and selling malware that helped cyberthieves steal online bank account credentials from victims, a federal judge ruled Friday. Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm.
Cyber Security Informer brings together the best content for cyber security professionals from the widest variety of industry thought leaders.
Adam Shostack
JULY 30, 2019
Alexandre Sieira has some very interesting and actionable advice from looking at the Capital One Breach in “ Learning from the July 2019 Capital One Breach.” Alex starts by saying “The first thing I want to make clear is that I sympathize with the Capital One security and operations teams at this difficult time. Capital One is a well-known innovator in cloud security, has very competent people dedicated to this and has even developed and high quality open source solutions such
Schneier on Security
AUGUST 2, 2019
There's a really interesting video of protesters in Hong Kong using some sort of laser to disable security cameras. I know nothing more about the technologies involved.
Adam Levin
JULY 30, 2019
Consumer audio recorded by Apple’s Siri platform has been shared with external contractors. A whistleblower working as a contractor revealed that the company’s digital voice assistant software records audio collected by consumer devices–including iPhones, Apple Watches, and HomePods–and shares it with external contractors. The recordings contained potentially sensitive information.
Thales Cloud Protection & Licensing
AUGUST 2, 2019
The British parliament has been unable to agree the exit package from the European Union. With the possibility of a “no deal” departure looming, EU leaders have granted a six-month extension to Brexit day. But the uncertainty that still lingers with regards to Britain’s future, creates various opportunities which cyber criminals could try to exploit.
Advertiser: Revenera
In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.
WIRED Threat Level
JULY 29, 2019
VxWorks is designed as a secure, "real-time" operating system for continuously functioning devices, like medical equipment, elevator controllers, or satellite modems.
Schneier on Security
AUGUST 2, 2019
Rebecca Wexler has an interesting op-ed about an inadvertent harm that privacy laws can cause: while law enforcement can often access third-party data to aid in prosecution, the accused don't have the same level of access to aid in their defense: The proposed privacy laws would make this situation worse. Lawmakers may not have set out to make the criminal process even more unfair, but the unjust result is not surprising.
Security Affairs
JULY 28, 2019
Watch out! Playing a video on Android devices could be a dangerous operation due to a critical CVE-2019-2107 RCE flaw in Android OS between version 7.0 and 9.0. Playing a specially-crafted video on devices with the Android’s native video player application could allow attackers to compromise them due to a dangerous critical remote code execution flaw.
Thales Cloud Protection & Licensing
JULY 31, 2019
Digital payments growth. According to 451 Research, digital payment channels are expected to grow from $2.8 trillion in 2018 to $5.8 trillion in 2022. That’s seven times the rate of in-store growth. Within digital payments, mobile payment transactions are expected to overtake e-commerce transactions in 2019 and represent 55% of transactions by 2022.
Advertisement
The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.
Dark Reading
JULY 29, 2019
Vulnerabilities in VxWorks' TCP stack could allow an attacker to execute random code, launch a DoS attack, or use the vulnerable system to attack other devices.
Schneier on Security
JULY 30, 2019
Back in January, two senior GCHQ officials proposed a specific backdoor for communications systems. It was universally derided as unworkable -- by me , as well. Now Jon Callas of the ACLU explains why.
Security Affairs
JULY 28, 2019
According to a report published by cyber security firm Sixgill data for over 23 million payment card were on offer in underground forums in the first half of 2019. . A report published by cybersecurity firm Sixgill revealed that data for over 23 million payment card were offered for sale in the cybercrime underground. The report, titled “ Underground financial fraud report “, provides interesting details about the sale of stolen financial data in the Dark Web. .
Threatpost
AUGUST 1, 2019
Researchers are warning that unpatched flaws found in the Hickory Smart Bluetooth Enabled Deadbolt allow an attacker with access to a victim's phone to break into their houses.
Speaker: Blackberry, OSS Consultants, & Revenera
Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?
Dark Reading
AUGUST 1, 2019
A security consultant reported vulnerabilities in Cisco's Video Surveillance Manager in 2009 - but the company ignored the issues and fired the consultant.
Schneier on Security
JULY 29, 2019
Eli Sugarman of the Hewlettt Foundation laments about the sorry state of cybersecurity imagery: The state of cybersecurity imagery is, in a word, abysmal. A simple Google Image search for the term proves the point: It's all white men in hoodies hovering menacingly over keyboards, green "Matrix"-style 1s and 0s, glowing locks and server racks, or some random combination of those elements -- sometimes the hoodie-clad men even wear burglar masks.
Security Affairs
JULY 28, 2019
Experts at Trustwave observed threat actors using a rare technique to compromise fully patched websites. Security experts at Trustwave observed threat actors using a rare steganography technique, attackers are hiding PHP scripts in Exchangeable Image Format (EXIF) headers of JPEG images that are uploaded on the website. The Exchangeable image file format is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and ot
WIRED Threat Level
AUGUST 2, 2019
Amazon-owned Ring has cozied up to law enforcement, and critics say it's using police departments to help market its surveillance cameras.
Advertisement
Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.
Dark Reading
AUGUST 2, 2019
OK, perhaps that's self-evident, so how come it far too often still takes an incident to trigger planning?
Schneier on Security
AUGUST 1, 2019
This article points out that Facebook's planned content moderation scheme will result in an encryption backdoor into WhatsApp: In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user's device, scanning each cleartext message before it is sent and each encrypted message after it is dec
Security Affairs
JULY 27, 2019
Attackers deployed a Magecart credit card skimmer script into fake Google domains used to trick visitors into making online transactions. Experts at Sucuri discovered threat actors using fake Google domains hosting a Magento skimmer script used to steal payment data when unaware visitors make transactions. The campaign was uncovered when the owner of a website discovered that its domain was blacklisted by McAfee’s SiteAdvisor service.
WIRED Threat Level
JULY 31, 2019
The Guardian Firewall app gives iOS users a reprieve from the scourge of online trackers.
Speaker: Erika R. Bales, Esq.
When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.
Dark Reading
JULY 30, 2019
Lack of security in the default settings of Internet-enabled video cameras make co-opting video feeds not just a movie-hacker technique, but a reality for millions of cameras.
Spinone
JULY 29, 2019
The number one reason why companies chose to migrate from Office 365 to G Suite is mobility. The future way of getting things done demands high speed and painless usage. The fewer actions you need to take to achieve the result, the better. And G Suite tends to cope with that better than Office 365. This is why about 5 million businesses have adopted G Suite as their productivity tool in 2019.
Security Affairs
JULY 30, 2019
Experts spotted a Java ATM malware that was relying on the XFS (EXtension for Financial Service) API to “ jackpot ” the infected machine. Introduction. Recently our attention was caught by a really particular malware sample most probably linked toa recent cybercriminal operation against the banking sector. This piece of malicious code is a so-called ‘ATM malware ‘: a malicious tool that is part of a criminal arsenal able to interact with Automatic Teller Machine.
Threatpost
AUGUST 2, 2019
Comprehensive testing of 21 free Android antivirus apps revealed big security vulnerabilities and privacy concerns; especially for AEGISLAB, BullGuard, dfndr and VIPRE.
Speaker: William Hord, Vice President of ERM Services
A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.
Expert insights. Personalized for you.
242 
Let's personalize your content