Sat.Nov 11, 2017 - Fri.Nov 17, 2017

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

Troy Hunt

I run a workshop titled Hack Yourself First in which people usually responsible for building web apps get to try their hand at breaking them. As it turns out, breaking websites is a heap of fun (with the obvious caveats) and people really get into the exercises. The first one that starts to push people into territory that's usually unfamiliar to builders is the module on XSS.

Apple FaceID Hacked

Schneier on Security

It only took a week: On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked FaceID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. The article points out that the hack hasn't been independently confirmed, but I have no doubt it's true.

Everything Attorney General Jeff Sessions Has Forgotten Under Oath

WIRED Threat Level

Over the course of four recent congressional hearings, Attorney General Jeff Sessions has somehow forgotten dozens of people, places, and events. Here's all of them in one place.

How to lose your password

Thales Cloud Protection & Licensing

The tsunami of passwords that exist across every aspect of our digital life means that there’s a thriving underground industry of cyber-criminals trying to get at them. To borrow from Shakespeare’s Macbeth: “Each new morn, new widows howl, new orphans cry, new sorrows slap Internet giants on the face”. The modern era of mass data breaches perhaps began in 2009, with the hack of 32 million account credentials held by software developer RockYou, in which a SQL injection attack revealed that passwo

How to Avoid Pitfalls In Automation: Keep Humans In the Loop

Speaker: Erroll Amacker

Automation is transforming finance but without strong financial oversight it can introduce more risk than reward. From missed discrepancies to strained vendor relationships, accounts payable automation needs a human touch to deliver lasting value. This session is your playbook to get automation right. We’ll explore how to balance speed with control, boost decision-making through human-machine collaboration, and unlock ROI with fewer errors, stronger fraud prevention, and smoother operations.

Weekly Update 61

Troy Hunt

A bit of a "business as usual" week this one, but then this business is never really "usual"! I start out with a talk at McAfee's MPOWER conference in Sydney and a bit of chatter about some upcoming ones (including the one I still can't talk about, but will next week!). In terms of new things, I've now got my hands on an iPhone X so I spend a bunch of time talking about that.

Google's Data on Login Thefts

Schneier on Security

This is interesting research and data: With Google accounts as a case-study, we teamed up with the University of California, Berkeley to better understand how hijackers attempt to take over accounts in the wild. From March 2016 to March 2017, we analyzed several black markets to see how hijackers steal passwords and other sensitive data. [...] Our research tracked several black markets that traded third-party password breaches, as well as 25,000 blackhat tools used for phishing and keylogging.

Why the cybersecurity industry should care about Open Source maintenance

Thales Cloud Protection & Licensing

In June of this year, Thales eSecurity joined the Core Infrastructure Initiative (CII), a project both founded and managed by The Linux Foundation, with the aim of collaboratively enhancing and strengthening the security and resilience of critical Open Source projects. Many of the world’s largest technology companies already belong to the CII, with Thales being officially recognised as the first global security firm to join the initiative.

Hacking Blockchain with Smart Contracts to Control a Botnet

eSecurity Planet

Botract attack method revealed at SecTor security conference could enable a botnet to be as resilient and as distributed as the Ethereum blockchain itself.

Motherboard Digital Security Guide

Schneier on Security

This digital security guide by Motherboard is very good. I put it alongside EFF's "Surveillance Self-Defense" and John Scott-Railton's "Digital Security Low Hanging Fruit." There's also "Digital Security and Privacy for Human Rights Defenders." There are too many of these.

Watch a 10-Year-Old Beat Apple's Face ID on His Mom's iPhone X

WIRED Threat Level

Yes, twins can unlock each other's iPhones. But kids accessing their parents' devices raises different concerns.

Why Giant Content Libraries Do Nothing for Your Employees’ Cyber Resilience

Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.

Insider Threats: Red Flags and Best Practices

Dark Reading

Security pros list red flags indicating an insider attack and best practices to protect against accidental and malicious exposure.

How the Government of Canada Plans To Set CyberSecurity Policy

eSecurity Planet

At SecTor security conference, the Director General for National Cyber Security in the Government of Canada details her government's policies for keeping Canadians safe online.

Long Article on NSA and the Shadow Brokers

Schneier on Security

The New York Times just published a long article on the Shadow Brokers and their effects on NSA operations. Summary: it's been an operational disaster, the NSA still doesn't know who did it or how, and NSA morale has suffered considerably. This is me on the Shadow Brokers from last May.

How to Lock Down Your Facebook Privacy Settings

WIRED Threat Level

Friends, friends of friends, advertisers; keeping track of Facebook's privacy settings can get confusing. Here's how to get yours just right.

Zero Trust Mandate: The Realities, Requirements and Roadmap

The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.

Apple iPhone X Face ID Fooled by a Mask

Threatpost

Vietnamese security company Bkav says it has built a proof-of-concept mask that fools Apple’s Face ID technology.

How to Achieve an Optimal Security Posture

eSecurity Planet

Complete and total security is impossible, so which IT security technologies will get you to your ideal security posture? We outline your options.

New White House Announcement on the Vulnerability Equities Process

Schneier on Security

The White House has released a new version of the Vulnerabilities Equities Process (VEP). This is the inter-agency process by which the US government decides whether to inform the software vendor of a vulnerability it finds, or keep it secret and use it to eavesdrop on or attack other systems. You can read the new policy or the fact sheet, but the best place to start is Cybersecurity Coordinator Rob Joyce's blog post.

Hackers Claim to Break Face ID a Week After iPhone X Release

WIRED Threat Level

"I would say if this is all confirmed, it does mean Face ID is less secure than Touch ID."

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Hybrid Analysis Grows Up – Acquired by CrowdStrike

Lenny Zeltser

CrowdStrike acquired Payload Security, the company behind the automated malware analysis sandbox technology Hybrid Analysis, in November 2017. Jan Miller founded Payload Security approximately 3 years earlier. The interview I conducted with Jan in early 2015 captured his mindset at the onset of the journey that led to this milestone. I briefly spoke with Jan again, a few days after the acquisition.

Flood of Attacks Spread Ransomware via Remote Desktop Protocol

eSecurity Planet

The attacks present a particular threat to small businesses.

White House Releases New Charter for Using, Disclosing Security Vulnerabilities

Dark Reading

Updated Vulnerability Equities Process provides transparency into how government will handle new vulnerabilities that it discovers in vendor products and services.

Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera

WIRED Threat Level

After hackers exposed a way to freeze the delivery service's security cameras, Amazon will push out a fix later this week.

Next-Level Fraud Prevention: Strategies for Today’s Threat Landscape

Speaker: Sierre Lindgren

Fraud is a battle that every organization must face – it’s no longer a question of “if” but “when.” Every organization is a potential target for fraud, and the finance department is often the bullseye. From cleverly disguised emails to fraudulent payment requests, the tactics of cybercriminals are advancing rapidly. Drawing insights from real-world cases and industry expertise, we’ll explore the vulnerabilities in your processes and how to fortify them effectively.

Consumer concerns over GDPR should set alarm bells ringing for businesses

Thales Cloud Protection & Licensing

Jim DeLorenzo, Solutions Marketing Manager, Thales eSecurity. Today, putting the letters ‘GDPR’ into Google will generate over 420,000 news articles, some detailing the expected impact of the regulation, and others casting doubt on businesses and their readiness. Ahead of the May 2018 legislation, we’ve been asking organisations if they’re #FITforGDPR – whether they’re ready to improve their personal data protections, as well as take on the increased accountability for data breaches, should they

Barracuda Floats Cloud Generation Firewalls

eSecurity Planet

The updated NextGen Firewall and Web Application Firewall offerings from Barracuda are ready to tackle cloud application security challenges.

2017 Has Broken the Record for Security Vulnerabilities

Dark Reading

Some 40% of disclosed vulns as of Q3 are rated as severe, new Risk Based Security data shows.

OnePlus Phones Have an Unfortunate Backdoor Built In

WIRED Threat Level

Every OnePlus model except for the original shipped with "Engineer Mode," essentially a backdoor for anyone who gets their hands on your device.

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Cisco Warns of Critical Flaw in Voice OS-based Products

Threatpost

Cisco Systems issued a patch that fixes a critical vulnerability impacting 12 products running the Cisco Voice Operating System software.

Fear the Retailer: Forever 21 Hacked as Black Friday Approaches

eSecurity Planet

The company doesn't yet know how many locations were affected.

IBM, Nonprofits Team Up in New Free DNS Service

Dark Reading

Quad9 blocks malicious sites used in phishing, other nefarious activity.

Inside the Decades-Long Fight for Better Emergency Alerts

WIRED Threat Level

After years of pushing for a more effective emergency alert system, the carriers have finally come around to making improvements.

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!