Sat.May 12, 2018 - Fri.May 18, 2018

Details on a New PGP Vulnerability

Schneier on Security

A new PGP vulnerability was announced today. Basically, the vulnerability makes use of the fact that modern e-mail programs allow for embedded HTML objects. Essentially, if an attacker can intercept and modify a message in transit, he can insert code that sends the plaintext in a URL to a remote website. Very clever. The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails.

Weekly Update 87

Troy Hunt

We're on a beach! It's the day after 3 pretty intense days of NDC conference and the day before Scott heads back to the UK so beach was an easy decision. The conference went fantastically well and, in all honesty, was the most enjoyable workshop I think I've done out of ~50 of them these last few years. NDC will be back on the Gold Coast next year, plus of course it will be in Oslo in a few weeks' time then Sydney in September where we'll both do it all again.

The Untold Story of Robert Mueller's Time in the Vietnam War

WIRED Threat Level

Special Counsel Robert Mueller’s job is to make sense of how Russia hacked the 2016 election. But to make sense of Mueller, you have to revisit some of the bloodiest battles of Vietnam.

Get Ready for 'WannaCry 2.0'

Dark Reading

Another widespread worm attack is "inevitable," but it will spread a different, more lucrative or destructive payload, experts say.

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Critical PGP Vulnerability

Schneier on Security

EFF is reporting that a critical vulnerability has been discovered in PGP and S/MIME. No details have been published yet, but one of the researchers wrote: We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.

New Pluralsight Course: The Role of Shadow IT and How to Bring it out of the Darkness

Troy Hunt

It's a new Pluralsight course! Yes, I know I said that yesterday too, but this is a new new Pluralsight course and it's the second part in our series on Creating a Security-centric Culture. As I wrote there back in Jan, we're doing this course on a quarterly basis and putting it out in front of the paywall so in other words, it's free! It's also a combination of video and screencast which means you see a lot of this: As for the topic in the title, shadow IT has always been an interesting one an

Cracking 2FA: How It's Done and How to Stay Safe

Dark Reading

Two-factor authentication is a common best security practice but not ironclad. Here's how it can be bypassed, and how you can improve security.

Sending Inaudible Commands to Voice Assistants

Schneier on Security

Researchers have demonstrated the ability to send inaudible commands to voice assistants like Alexa, Siri, and Google Assistant. Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear to Apple's Siri, Amazon's Alexa and Google's Assistant.

New Pluralsight Course: OWASP Top 10, 2017

Troy Hunt

Just a tad over 5 years ago, I released my first ever Pluralsight course - OWASP Top 10 Web Application Security Risks for ASP.NET. More than 32k people have listened to more than 78k hours of content in this course making it not just the most popular course I've ever released, but also keeping it as my most popular in the library even today by a long way.

Gruesome Jihadi Content Still Flourishes on Facebook and Google+

WIRED Threat Level

Despite improvements to algorithmic filtering, Facebook and Google+ still host scores of ISIS and related content and accounts that sometimes stay up for months.

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

7 Tools for Stronger IoT Security, Visibility

Dark Reading

If you don't know what's on your IoT network, you don't know what to protect -- or protect from. These tools provide visibility into your network so you can be safe with (and from) what you see.

Maliciously Changing Someone's Address

Schneier on Security

Someone changed the address of UPS corporate headquarters to his own apartment in Chicago. The company discovered it three months later. The problem, of course, is that in the US there isn't any authentication of change-of-address submissions: According to the Postal Service, nearly 37 million change-of-address requests, known as PS Form 3575, were submitted in 2017.

Secure Cloud Migration and the Cloud Security Alliance

Thales Cloud Protection & Licensing

For many years, Thales eSecurity has been a solution provider member of the Cloud Security Alliance (CSA), a global organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Among CSA's many activities is its research arm, which includes 34 working groups, one of which is called Security Guidance.

Jigsaw's Project Shield Will Protect Campaigns From Online Attacks

WIRED Threat Level

Project Shield already defends journalists and human rights groups from DDoS attacks. Now, Jigsaw will help political campaigns out as well.

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Critical Linux Flaw Opens the Door to Full Root Access

Threatpost

The vulnerability allows an attacker to execute a malware or other payloads on a client machine by sending malicious messages from the DHCP server.

Accessing Cell Phone Location Information

Schneier on Security

The New York Times is reporting about a company called Securus Technologies that gives police the ability to track cell phone locations without a warrant: The service can find the whereabouts of almost any cellphone in the country within seconds. It does this by going through a system typically used by marketers and other companies to get location data from major cellphone carriers, including AT&T, Sprint, T-Mobile and Verizon, documents show.

Issuance support for a wide range of payment instruments

Thales Cloud Protection & Licensing

Making payments even in a face-to-face environment is no longer just about using magnetic stripe or chip cards where the security, operating rules, and risks have been long established and well understood by all the actors involved. We are now living in a world where fundamentally different types of devices are being used to initiate payment transactions.

Inside the Takedown of Scan4You, a Notorious Malware Clearinghouse

WIRED Threat Level

How security researchers caught the creators of counter antivirus services Scan4You.

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, "Do you know what's in your software?"

Want Your Daughter to Succeed in Cyber? Call Her John

Dark Reading

It's time to "do the right thing" when it comes to gender in the hiring and promotion of women in cybersecurity. Four women (and a man named John) offer practical solutions for shifting the balance.

White House Eliminates Cybersecurity Position

Schneier on Security

The White House has eliminated the cybersecurity coordinator position. This seems like a spectacularly bad idea.

GDPR Phishing Scam Targets Apple Accounts, Financial Data

Threatpost

A phishing scam fooled victims by claiming to be Apple and scooping up personal details – including financial information and Apple account information.

EFail: Encrypted Email Has a Major, Divisive Flaw

WIRED Threat Level

An attack called eFail overcomes the protections of encrypted email standards PGP and S/MIME.

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

The Risks of Remote Desktop Access Are Far from Remote

Dark Reading

RDP is used by fraudsters to steal and monetize data more often than you might think. But there are ways to stay safe.

11 Top Managed Security Service Providers (MSSPs)

eSecurity Planet

Our guide to the top managed security service providers (MSSPs), based on their ratings in two analyst reports: the Gartner Magic Quadrant and the IDC MarketScape Vendor Assessment.

‘Voice-Squatting’ Turns Alexa, Google Home into Silent Spies

Threatpost

A team of academic researchers has demonstrated that it's possible to closely mimic legitimate voice commands in order to carry out nefarious actions on these home assistants.

Hidden Alexa Commands, Cell Phone Tracking, and More Security News This Week

WIRED Threat Level

Hidden Alexa commands, cell phone tracking, and more security news this week.

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about "compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any number of other things – and it's more important than ever that safeguards are in place. Let's step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Why Enterprises Can't Ignore Third-Party IoT-Related Risks

Dark Reading

There's a major disconnect between Internet of Things governance and risk management, according to a new report. Follow these five steps to address the risks.

Forget C-I-A, Availability Is King

The Falcon's View

In the traditional parlance of infosec, we've been taught repeatedly that the C-I-A triad (confidentiality, integrity, availability) must be balanced in accordance with the needs of the business. This concept is foundational to all of infosec, ensconced in standards and certification exams and policies. Yet, today, it's essentially wrong, and moreover isn't a helpful starting point for a security discussion.

Mexico’s Banking System Sees $18M Siphoned Off in Phantom Transactions

Threatpost

Sources said the funds were diverted to fraudulent accounts in a coordinated heist that involved hundreds of wire transfers and on-the-ground accomplices.

Spinbackup GDPR Compliance

Spinone

In the last 20 years the global economy has become increasingly digitized, and many companies hold highly sensitive and personal customer information obtained from various sources. Such data carries significant risk if it's stolen or abused. What is GDPR? The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protec

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.