Schneier on Security

JULY 4, 2019

Pretty horrible story of a US journalist who had his computer and phone searched at the border when returning to the US from Mexico. After I gave him the password to my iPhone, Moncivias spent three hours reviewing hundreds of photos and videos and emails and calls and texts, including encrypted messages on WhatsApp, Signal, and Telegram. It was the digital equivalent of tossing someone's house: opening cabinets, pulling out drawers, and overturning furniture in hopes of finding something -- any

Passwords 250

Passwords Media Encryption Internet 250

Troy Hunt

JULY 1, 2019

Early last year, I announced that I was making HIBP data on government domains for the UK and Australia freely accessible to them via searches of their respective TLDs. The Spanish government followed a few months later with each getting unbridled access to search their own domains via an authenticated API. As I explained in that initial post, the rationale was to help the departments tasked with looking after the exposure of their digital assets by unifying search and monitoring capabilities so

Government 234

Government Data breaches Authentication 234

Adam Levin

JULY 2, 2019

The former CIO of Equifax has been sentenced to prison for selling his stock in the company before news of its 2017 data breach was publicly announced. Jun Ying, the former Chief Information Office of Equifax U.S. Information Solutions, sold his shares in the company for over $950,000 ten days before the company admitted that its data had been accessed by hackers.

Data breaches 195

Data breaches 195

Adam Shostack

JULY 5, 2019

Google Docs has chosen to red-underline the word “feasible,” which, as you can see, is in its dictionary, to suggest “possible.” “Possible,” possibly, was not the word I selected, because it means something different. Good writing is direct. Good writing respects the reader. Good writing doesn’t tax the reader accidentally.

Engineering 124

Engineering Software 124

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Schneier on Security

JULY 5, 2019

My Applied Cryptography is on a list of books banned in Oregon prisons. It's not me -- and it's not cryptography -- it's that the prisons ban books that teach people to code. The subtitle is "Algorithms, Protocols, and Source Code in C" -- and that's the reason. My more recent Cryptography Engineering is a much better book for prisoners, anyway.

Engineering 244

Engineering 244

The Last Watchdog

JULY 1, 2019

As the presidential debate season ramps up, the specter of nation-state sponsored hackers wreaking havoc, once more, with U.S. elections, looms all too large. It’s easy to get discouraged by developments such as Sen. McConnell recently blocking a bi-partisan bill to fund better election security , as well as the disclosure that his wife, Transportation Security Elaine Chao, has accepted money from voting machine lobbyists.

Cyber Risk 119

Cyber Risk DNS Phishing Backups 119

Thales Cloud Protection & Licensing

JULY 3, 2019

I recently had the pleasure of sharing some industry insights from our 2019 Data Threat Report-Federal Edition on Cyberwire’s Daily Podcast –specifically addressing the gap in security responsibility many federal agencies face today as they move tremendous amounts of sensitive data into multicloud environments. We also discussed a new digital landscape where perimeter defense is no longer effective.

Government 120

Government Cloud Migration IoT Encryption 120

Schneier on Security

JULY 1, 2019

Wow, is this an embarrassing bug : Yubico is recalling a line of security keys used by the U.S. government due to a firmware flaw. The company issued a security advisory today that warned of an issue in YubiKey FIPS Series devices with firmware versions 4.4.2 and 4.4.4 that reduced the randomness of the cryptographic keys it generates. The security keys are used by thousands of federal employees on a daily basis, letting them securely log-on to their devices by issuing one-time passwords.

Firmware 234

Firmware Passwords Government Encryption 234

Threatpost

JULY 3, 2019

Amazon's acknowledgment that it saves Alexa voice recordings - even sometimes after consumers manually delete their interaction history - has thrust voice assistant privacy policies into the spotlight once again.

Data privacy 106

Data privacy IoT 106

Security Affairs

JUNE 30, 2019

Explorer, Mozilla Firefox, Google Chrome, and Opera, no matter which web browser you use, here’s what you need to know to protect them against attacks. There are a number of web browsers available for surfing sites and accessing the content. The most popular and widely used are Internet Explorer, Mozilla Firefox, Google Chrome, and Opera. No matter which browser you use there are certain security leaks in each one of them.

Software 98

Software Internet Internet Small Business 98

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

WIRED Threat Level

JULY 5, 2019

Ransomware attacks, supply chain hacks, escalating tensions with Iran—the first six months of 2019 have been anything but boring.

Cybersecurity 111

Cybersecurity Hacking Ransomware 111

Schneier on Security

JULY 2, 2019

Google has released an open-source cryptographic tool: Private Join and Compute. From a Wired article : Private Join and Compute uses a 1970s methodology known as "commutative encryption" to allow data in the data sets to be encrypted with multiple keys, without it mattering which order the keys are used in. This is helpful for multiparty computation, where you need to apply and later peel away multiple layers of encryption without affecting the computations performed on the encrypted data.

Encryption 233

Encryption 233

Dark Reading

JULY 3, 2019

Russian-speaking group has sent thousands of emails containing new malware to individuals working at financial institutions in the US, United Arab Emirates, and Singapore.

Malware 92

Malware 92

Security Affairs

JULY 5, 2019

Eurofins Scientific, the UK’s biggest provider of forensic services, has paid a ransom to demand to recover its data after a ransomware attack. Eurofins Scientific, the UK’s largest police forensics lab contractor, announced to have paid a ransom to crooks to recover its data after a ransomware had been encrypted them. The company is based in Brussels and manages more than 800 laboratories all over the world.

Ransomware 93

Ransomware Advertising Insurance Encryption 93

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

WIRED Threat Level

JULY 2, 2019

Opinion: We've been assured that facial recognition technology is secure, reliable, and accurate. That's far from certain.

Technology 110

Technology 110

Schneier on Security

JULY 5, 2019

New research from Science : " Civic honesty around the globe ": Abstract: Civic honesty is essential to social capital and economic development, but is often in conflict with material self-interest. We examine the trade-off between honesty and self-interest using field experiments in 355 cities spanning 40 countries around the globe. We turned in over 17,000 lost wallets with varying amounts of money at public and private institutions, and measured whether recipients contacted the owner to retur

226

226

Dark Reading

JULY 2, 2019

As nation-states and rogue actors increasingly probe critical infrastructure, policy and technology experts worry that satellite and space systems are on the front lines.

Cybersecurity 91

Cybersecurity Technology 91

Security Affairs

JULY 4, 2019

Austin Thompson (23) from Utah, the hacker who carried out massive DDoS attacks on Sony, EA, and Steam gets a 27-months prison sentence. The hacker who brought offline with massive DDoS attacks online gaming networks between December 2013 and January 2014 has been sentenced to 27 months in prison. Austin Thompson (23) from Utah hit the principal gamins networks in 2013 and 2014, including Sony Online Entertainment. “Austin Thompson of Utah was sentenced in federal court today to 27 months

DDOS 90

DDOS Computers and Electronics Advertising Internet 90

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

WIRED Threat Level

JULY 1, 2019

Almost every month in 2019 so far has seen reports of a local government falling prey to ransomware, but this series of attacks belies an even broader threat.

Ransomware 92

Ransomware Government Hacking 92

Schneier on Security

JULY 3, 2019

They're a thing : Developers say digital plates utilize "advanced telematics" -- to collect tolls, pay for parking and send out Amber Alerts when a child is abducted. They also help recover stolen vehicles by changing the display to read "Stolen," thereby alerting everyone within eyeshot. This makes no sense to me. The numbers are static. License plates being low-tech are a feature, not a bug.

Surveillance 215

Surveillance 215

Dark Reading

JULY 2, 2019

The common belief that encryption enables bad behavior primarily used by thieves, international terrorists, and other villainous characters is simply not true. Here's why.

Encryption 86

Encryption 86

Security Affairs

JUNE 30, 2019

Medtronic and the US government have warned that some Medtronic MiniMed insulin pumps are vulnerable to cyber attacks. Medtronic and the United States government have warned of a security vulnerability affecting some Medtronic MiniMed insulin pumps that could be exploited by hackers. The Department of Homeland Security (DHS) and Medtronic, and the Food and Drug Administration (FDA) have published a press release of a high-severity flaw affecting models of insulin pumps belonging to MiniMed 508 a

Hacking 90

Hacking Wireless Healthcare Advertising 90

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

Threatpost

JULY 1, 2019

A widespread malware campaign, ongoing since 2014, was using Facebook accounts and posts to spread malware through URL links.

Accountability 93

Accountability Malware Media Hacking 93

WIRED Threat Level

JULY 2, 2019

To prove a point about common location-sharing apps, I asked my wife to use them to spy on me.

95

95

Dark Reading

JULY 3, 2019

Microsoft patched a serious vulnerability in the Microsoft Outlook client in 2017, but an Iranian group continues to exploit the flaw.

97

97

Security Affairs

JUNE 29, 2019

Attunity data integration and big data management firm exposed a significant amount of sensitive data through unprotected Amazon S3 buckets. Data integration and big data management firm Attunity exposed a significant amount of sensitive data through unprotected Amazon S3 buckets. The company, owned by Qlik , provides solutions to over 2,000 enterprises and half of the Fortune 100 firms.

Banking 85

Banking Backups Big data Advertising 85

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Spinone

JULY 1, 2019

A survey, conducted by Intermedia, found that 89% of ex-employees retained access to corporate apps containing sensitive information, including G Suite after they leave the company. What is even more disturbing, 49% of them admitted to logging into a corporate account after their employment contract ended. The consequences of such data security violation can be (and usually are) disastrous: data leaks, breaches, deletions.

Accountability 65

Accountability Backups Passwords Mobile 65

Threatpost

JULY 1, 2019

LGBQT dating app Jack'd has been slapped with a $240,000 fine on the heels of a data breach that leaked personal data and nude photos of its users.

Data breaches 71

Data breaches 71

Dark Reading

JULY 3, 2019

There are important lessons to be learned from a crisis, even the ones that are more fiction than fact.

Manufacturing 111

Manufacturing 111

Security Affairs

JULY 4, 2019

Tens of VMware products are affected by recently discovered SACK Panic and SACK Slowness Linux kernel vulnerabilities. At least 30 VMware products are affected by recently discovered SACK Panic and SACK Slowness Linux kernel vulnerabilities. The vulnerabilities could be exploited by a remote unauthenticated attacker to trigger a denial-of-service (DoS) condition and reboot vulnerable systems.

Advertising 84

Advertising Firewall Hacking Software 84

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk