Sat.Jul 20, 2019 - Fri.Jul 26, 2019

article thumbnail

Attorney General William Barr on Encryption Policy

Schneier on Security

Yesterday, Attorney General William Barr gave a major speech on encryption policy -- what is commonly known as "going dark." Speaking at Fordham University in New York, he admitted that adding backdoors decreases security but that it is worth it. Some hold this view dogmatically, claiming that it is technologically impossible to provide lawful access without weakening security against unlawful access.

article thumbnail

The Unsexy Threat to Election Security

Krebs on Security

Much has been written about the need to further secure our elections, from ensuring the integrity of voting machines to combating fake news. But according to a report quietly issued by a California grand jury this week, more attention needs to be paid to securing social media and email accounts used by election officials at the state and local level.

Media 177
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

NSA Announces New Cybersecurity Directorate

Adam Levin

The U.S. National Security Agency announced the formation of a new Cybersecurity Directorate earlier this week. Effective October 1, the directorate’a mission is will be the creation of a “major organization that unifies NSA’s foreign intelligence and cyber defense missions,” according to the agency’s website. It will be led by Anne Neuberger, the former NSA deputy director of operations and lead of the Russia Small Group.

article thumbnail

Weekly Update 149

Troy Hunt

What. A. Week. I've been in San Fran meeting with a whole bunch of potential purchasers for HIBP and it's been. intense. Daunting. Exciting. It's actually an amazing feeling to see my "little" project come to this where I'm sitting in a room with some of the most awesome tech companies whilst flanked by bankers in suits. I try and give a bit of insight into that in this week's video, keeping in mind of course that I'm a bit limited by how much detail I can go into right now.

article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

Hackers Expose Russian FSB Cyberattack Projects

Schneier on Security

More nation-state activity in cyberspace, this time from Russia : Per the different reports in Russian media, the files indicate that SyTech had worked since 2009 on a multitude of projects since 2009 for FSB unit 71330 and for fellow contractor Quantum. Projects include: Nautilus -- a project for collecting data about social media users (such as Facebook, MySpace, and LinkedIn).

Media 224
article thumbnail

Happy Apollo Day!

Adam Shostack

Today is the 50th Anniversary of “One small step for a man, one giant leap for mankind.” It’s an event worth celebrating, in the same way we celebrate Yuri’s Night. The holy days — the holidays — that we celebrate say a great deal about us. They shape who we are. The controversies that emerge when we try to add (Martin Luther King) or remove a holiday (Columbus Day) are controversies because they express who we are, and how that could be changing.

More Trending

article thumbnail

Protecting America’s Critical Infrastructure

Thales Cloud Protection & Licensing

From taking a shower, to brewing your coffee, and watching the news, your morning routine is fueled by the energy sector. If you’re like millions of other Americans, your TV is connected to the Internet and uses technology generated from the nation’s power grid. But the energy sector also underpins our emergency and response systems, our hospitals and healthcare, our schools, our businesses, and virtually everything we do as a society.

article thumbnail

Software Developers and Security

Schneier on Security

According to a survey : "68% of the security professionals surveyed believe it's a programmer's job to write secure code, but they also think less than half of developers can spot security holes." And that's a problem. Nearly half of security pros surveyed, 49%, said they struggle to get developers to make remediation of vulnerabilities a priority. Worse still, 68% of security professionals feel fewer than half of developers can spot security vulnerabilities later in the life cycle.

Software 217
article thumbnail

Valuing CyberSecurity Research Datasets

Adam Shostack

There was a really interesting paper at the Workshop on the Economics of Information Security. The paper is “ Valuing CyberSecurity Research Datasets.” The paper focuses on the value of the IMPACT data sharing platform at DHS, and how the availability of data shapes the research that’s done. On its way to that valuation, a very useful contribution of the paper is the analysis of types of research data which exist, and the purposes for which it can be used: Note that there has b

article thumbnail

Facebook Had a Bad News Day, Great Q2 Earnings

Adam Levin

If ever the shrug emoji belonged in a blog post, today is the day. The tech giant reached a $5 billion settlement for misrepresenting the way it handles user privacy, the SEC fined it $100 million for lying to investors about the risks associated with the misuse user information, and, still later in the day, Facebook admitted that it was the target of an FTC anti-trust investigation.

Risk 114
article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

The War for Cyber Talent Will Be Won by Retention not Recruitment

Dark Reading

Six steps for creating a work environment that challenges, stimulates, rewards, and constantly engages employees fighting the good fight against cybercriminals.

109
109
article thumbnail

Science Fiction Writers Helping Imagine Future Threats

Schneier on Security

The French army is going to put together a team of science fiction writers to help imagine future threats. Leaving aside the question of whether science fiction writers are better or worse at envisioning nonfictional futures, this isn't new. The US Department of Homeland Security did the same thing over a decade ago, and I wrote about it back then: A couple of years ago, the Department of Homeland Security hired a bunch of science fiction writers to come in for a day and think of ways terrorists

article thumbnail

0v1ru$ hackers breach FSB contractor SyTech and expose Russian intel projects

Security Affairs

SyTech , a contractor for the Federal Security Service of the Russian Federation (FSB) has been hacked, attackers stole data about interna l projects. Attackers have hacked SyTech, a contractor for the Federal Security Service of the Russian Federation (FSB), and exfiltrated data about interna l projects. According to the Russian media, SyTech has been working with FSB since 2009, in particular, they contributed to several projects for FSB unit 71330 and for fellow contractor Quantum.

article thumbnail

Popular Samsung, LG Android Phones Open to ‘Spearphone’ Eavesdropping

Threatpost

A Spearphone attacker can use the accelerometer in LG and Samsung phones to remotely eavesdrop on any audio that's played on speakerphone, including calls, music and voice assistant responses.

Mobile 83
article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

article thumbnail

DEF CON Invites Kids to Crack Campaign Finance Portals

Dark Reading

DEF CON's Voting Village and AI Village team up with r00tz Asylum to let kids explore simulated campaign financial disclosure portals and disinformation campaigns.

98
article thumbnail

Insider Logic Bombs

Schneier on Security

Add to the "not very smart criminals" file : According to court documents, Tinley provided software services for Siemens' Monroeville, PA offices for nearly ten years. Among the work he was asked to perform was the creation of spreadsheets that the company was using to manage equipment orders. The spreadsheets included custom scripts that would update the content of the file based on current orders stored in other, remote documents, allowing the company to automate inventory and order management

Software 196
article thumbnail

German firms BASF, Siemens, Henkel hit by cyber attacks

Security Affairs

A new wave of cyber attacks carried out by a China-linked APT group hit German blue-chip companies BASF, Siemens, Henkel and others. On Wednesday, German blue-chip companies BASF, Siemens, Henkel along with a host of others confirmed they had been targeted by a wave of cyber attacks. German media reported that the cyber attacks were launched by China-linked cyberespionage group.

article thumbnail

VLC Media Player Plagued By Unpatched Critical RCE Flaw

Threatpost

A patch does not yet exist for a critical buffer overflow vulnerability in VLC Media Player that could enable remote code execution.

Media 94
article thumbnail

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

article thumbnail

6 Actions that Made GDPR Real in 2019

Dark Reading

In the wake of recent fines levied against British Airways, Marriott, and Facebook, companies are starting to take data privacy and security more seriously.

article thumbnail

NEW TECH: Early adopters find smart ‘Zero Trust’ access improves security without stifling innovation

The Last Watchdog

120
120
article thumbnail

A flaw in LibreOffice could allow the hack of your PC

Security Affairs

LibreOffice users have to know that their unpatched computers could be hacked by simply opening a specially crafted document. Bad news for LibreOffice users, the popular free and open-source office suite is affected by an unpatched remote code execution vulnerability. Recently, LibreOffice released the latest version 6.2.5 that addresses two severe flaws tracked as CVE-2019-9848 and CVE-2019-9849.

Hacking 89
article thumbnail

Adware Is the Malware You Should Actually Be Worried About

WIRED Threat Level

For all the attention on sophisticated nation-state attacks, the malware that’s most likely to hit your phone is much more mundane.

Adware 94
article thumbnail

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

article thumbnail

Equifax to Pay Up to $700mn for Data Breach Damages

Dark Reading

In a settlement with the FTC, consumers affected by the breach are eligible for up to $20,000 in a cash settlement, depending on damages they can prove.

article thumbnail

Protecting Against Ransomware Attacks: A Checklist

Threatpost

In the second of a two part series discussing recent ransomware attacks against municipalities, Shawn Taylor with Forescout talks about how cities can protect themselves.

article thumbnail

China-Linked APT15 group is using a previously undocumented backdoor

Security Affairs

ESET researchers reported that China-linked cyberespionage group APT15 has been using a previously undocumented backdoor for more than two years. Security researchers at ESET reported that China-linked threat actor APT15 (aka Ke3chang , Mirage , Vixen Panda , Royal APT and Playful Dragon) has been using a previously undocumented backdoor for more than two years.

DNS 88
article thumbnail

How to Get Your Equifax Settlement Money

WIRED Threat Level

A settlement with the FTC means Equifax will pay victims of its breach $125 or more. Make sure it pay ups.

100
100
article thumbnail

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few others applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.

article thumbnail

3 Takeaways from the First American Financial Breach

Dark Reading

Data leaks from business logic flaws are not well understood and difficult to identify before they reach production environments. Here's how to find and prevent them.

82
article thumbnail

Multi-cloud use by healthcare providers puts patient data at risk

Thales Cloud Protection & Licensing

As a result of government mandates, the need for greater efficiency, and the desire to enable better patient care, U.S. healthcare organizations are nearly universal in the adoption of digital transformation technologies (cloud, SaaS applications, big data, IoT, digital payments, containers, and blockchain). But digital transformation also introduces the potential to put patients’ sensitive financial and healthcare data at risk by changing where and how data needs to be secured.

article thumbnail

Hackers breach 62 US colleges by allegedly exploiting Ellucian Banner Web flaw

Security Affairs

Hackers breached at least 62 college and university networks exploiting a flaw in Ellucian Banner Web Tailor, a module of the Ellucian Banner ERP. US Department of Education warned that hackers have breached at least 62 college and university networks by exploiting a vulnerability in the Ellucian Banner Web Tailor module of the Ellucian Banner ERP. The module is used by colleges and universities to customize their web applications.

article thumbnail

Unique Monokle Android Spyware Self-Signs Certificates

Threatpost

Researchers have linked the surveillance tool to a Russian tech firm that has been sanctioned for interfering with the 2016 U.S. presidential election.

Spyware 76
article thumbnail

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Did you know that 2021 was a record-breaking year for ransomware? The days of a “once in a while” attack against businesses and organizations are over. Cyberthreats have become a serious issue. With 495.1 million attacks, the threat marked a 148% increase compared to 2020 and was the most expensive year on record! As a result, data protection needs to be a concern for most banks, businesses, and information technology specialists.