Sat.Apr 11, 2020 - Fri.Apr 17, 2020

Welcoming the Icelandic Government to Have I Been Pwned

Troy Hunt

Hot on the heels of onboarding the USA government to Have I Been Pwned last month, I'm very happy to welcome another national government - Iceland! As of today, Iceland's National Computer Security Incident Response Team (CERT-IS) now has access to the full gamut of their gov domains for both on-demand querying and ongoing monitoring. As with the USA and Iceland, I expect to continue onboarding additional governments over the course of 2020 and expanding their access to meaningful data about

COVID-19 Has United Cybersecurity Experts, But Will That Unity Survive the Pandemic?

Krebs on Security

The Coronavirus has prompted thousands of information security professionals to volunteer their skills in upstart collaborative efforts aimed at frustrating cybercriminals who are seeking to exploit the crisis for financial gain. Whether it’s helping hospitals avoid becoming the next ransomware victim or kneecapping new COVID-19-themed scam websites, these nascent partnerships may well end up saving lives.

Contact Tracing COVID-19 Infections via Smartphone Apps

Schneier on Security

Google and Apple have announced a joint project to create a privacy-preserving COVID-19 contact tracing app. (Details, such as we have them, are here.) It's similar to the app being developed at MIT, and similar to others being described and developed elsewhere. It's nice seeing the privacy protections; they're well thought out. I was going to write a long essay about the security and privacy concerns, but Ross Anderson beat me to it.

WooCommerce Sites Targeted by E-Skimming Attacks

Adam Levin

Researchers at the cybersecurity firm Sucuri have uncovered a new set of e-skimming attacks targeting websites using the WordPress WooCommerce e-commerce plugin. E-skimming attacks typically use injected code on websites to intercept customer data as it is being entered by customers. This allows hackers to bypass otherwise secure encryption and steal credit card and personal information.

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

STEPS FORWARD: How the Middle East led the U.S. to adopt smarter mobile security rules

The Last Watchdog

We’ve come to rely on our smartphones to live out our digital lives, both professionally and personally. When it comes to securing mobile computing devices, the big challenge businesses have long grappled with is how to protect company assets while at the same time respecting an individual’s privacy. Reacting to the BYOD craze, mobile security frameworks have veered from one partially effective approach to the next over the past decade.

Microsoft Patch Tuesday, April 2020 Edition

Krebs on Security

Microsoft today released updates to fix 113 security vulnerabilities in its various Windows operating systems and related software. Those include at least three flaws that are actively being exploited, as well as two others which were publicly detailed prior to today, potentially giving attackers a head start in figuring out how to exploit the bugs.

Your Email Needs to Shelter in Place, Too

Adam Levin

The Covid-19 pandemic created an opportunity for hackers to target the newly remote workforce. Hospitals have been targeted by ransomware (despite initial assurances to the contrary), phishing scams are using pandemic-related scare tactics, and video conferencing apps have become the new go-to for everything from domain-spoofing attacks to zoombombing.

Weekly Update 187

Troy Hunt

Spiders! Ok, not your normal start to a weekly update but yeah, we had a bit of an infestation this week which did take the mind off other current events for a while. Much of what's happened beyond that this week has resulted in various tweet storms; the Zoom credential stuffing situation, the Coronavirus tracking app (holy cow that has some "robust" debate around it) and the (seemingly endless) thread of progress as I build up my Ubiquiti network.

Zoom: A cheat sheet about the video conferencing solution

Tech Republic Security

Zoom has become a household name because lots of people are working from home and using the video conferencing software. Here is your guide to Zoom basics, including its security vulnerabilities.

California Needlessly Reduces Privacy During COVID-19 Pandemic

Schneier on Security

This one isn't even related to contact tracing: On March 17, 2020, the federal government relaxed a number of telehealth-related regulatory requirements due to COVID-19. On April 3, 2020, California Governor Gavin Newsom issued Executive Order N-43-20 (the Order), which relaxes various telehealth reporting requirements, penalties, and enforcements otherwise imposed under state laws, including those associated with unauthorized access and disclosure of personal information through telehealth medi

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Everything is Insecure: What Matters is What You’re Getting vs. Giving Up

Daniel Miessler

I’ve been thinking a lot about this Zoom situation. It’s fascinating to me that millions are using it as a lifeboat to humanity while others label it a threat. Throughout the media you have people substituting their in-person events with virtual ones, and they all seem to be using Zoom. John Krasinski gave this medium a pulse when he had the entire cast of Hamilton perform together for a little girl.

Zoom Zero-Day Exploits Up For Sale on the Dark Web

Adam Levin

Two critical zero-day exploits for the Zoom video conferencing platform just hit the market. The alleged exploits take advantage of vulnerabilities in Zoom’s Windows and MacOS applications, allowing hackers to spy on calls, and in some cases, take control of Windows machines. Zero-day exploits are vulnerabilities that are discovered by hackers before they can be identified and patched by software companies, and often fetch a high price on the dark web.

How ransomware attackers are doubling their extortion tactics

Tech Republic Security

Cybercriminals are threatening not only to hold sensitive data hostage but also to release it publicly unless the ransom is paid, says cyber threat intelligence provider Check Point Research.

The DoD Isn't Fixing Its Security Problems

Schneier on Security

It has produced several reports outlining what's wrong and what needs to be fixed. It's not fixing them: GAO looked at three DoD-designed initiatives to see whether the Pentagon is following through on its own goals. In a majority of cases, DoD has not completed the cybersecurity training and awareness tasks it set out to. The status of various efforts is simply unknown because no one has tracked their progress.

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?”

Unsupervised Learning: No. 224

Daniel Miessler

THIS WEEK’S TOPICS: Thunderbolt Attack, Celebrity Ransomware, ClearView Government, Blackhat DEFCON Virtual, War Thunder, 5G Bio Attacks, PC Game Cheating, Zoom Keybase, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism… The newsletter serves as the show notes for the podcast. If you get value from this content, you can support it directly by becoming a member.

500,000+ Zoom accounts available for sale on the Dark Web

Security Affairs

Zoom accounts are flooding the dark web: over 500,000 Zoom accounts are being sold on hacker forums. Over 500,000 Zoom accounts are available for sale on the dark web and hacker forums. Sellers are advertising them for 0.0020 cents each; in some cases they are offered for free. The huge trove of account credentials was not stolen from Zoom; instead, it appears to be the result of credential stuffing attacks that leverage records from third-party data breaches.

IoT security, neglected infrastructure, and a crisis of trust deemed major threats for 2022

Tech Republic Security

The Internet Security Forum predicts the coming threats with a very good track record so far. Get your company ready for these threats.

Upcoming Speaking Engagements

Schneier on Security

This is a current list of where and when I am scheduled to speak: I'm being interviewed on "Hacking in the Public Interest" as part of the Black Hat Webcast Series, on Thursday, April 16, 2020 at 2:00 PM EDT. The list is maintained on this page.

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security,” most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Malware Risks Triple on WFH Networks: Experts Offer Advice

Threatpost

New research found that almost half of companies had malware on their corporate-associated home networks - in comparison to malware being found on only 13 percent of corporate networks.

Thousands Zoom credentials available on a Dark Web forum

Security Affairs

Security researchers discovered an archive available on a dark web forum that includes thousands of compromised Zoom credentials. Researchers discovered a database available on an underground forum in the dark web that contained more than 2,300 compromised Zoom credentials. Some of the records also included meeting IDs, names and host keys. The archive included credentials for Zoom accounts belonging to organizations in various industries, including banking, consultancy, healthcare software comp

Balancing public safety and privacy during COVID-19: The rise of mass surveillance

Tech Republic Security

One tech company is harnessing artificial intelligence, thermal imaging, and real-time surveillance data to mitigate the spread of the coronavirus. However, serious privacy questions remain.

'Nothing's Off the Table': Will Infosec Jobs Survive the Recession?

Dark Reading

With COVID-19 making a mess of the global economy, companies are seeking to cut corners - and some boardrooms still see security as a "cost center." Are infosec careers vulnerable now?

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

article thumbnail

TikTok Flaw Allows Threat Actors to Plant Forged Videos in User Feeds

Threatpost

The popular video-sharing app’s use of HTTP to download media content instead of a secure protocol could lead to the spread of misinformation on the platform.

SFO discloses data breach following the hack of 2 of its websites

Security Affairs

San Francisco International Airport (SFO) disclosed a data breach: its websites SFOConnect.com and SFOConstruction.com were hacked last month. In March, hackers compromised two websites of San Francisco International Airport (SFO), and it has now disclosed a data breach. SFO is a major gateway to Europe and Asia; it serves 45 international carriers. The attackers may have gained access to some users’ login credentials after deploying malware on both websites.

Scammers exploit coronavirus for Business Email Compromise campaigns

Tech Republic Security

Cybercriminals are deploying COVID-19-themed gift card scams, wire transfer scams, and payroll scams aimed at organizations and their employees, according to security provider Trustwave.

How to Set Up a SpiderFoot Server for OSINT Research

Lenny Zeltser

SpiderFoot is a tool for gathering Open Source Intelligence (OSINT) and threat intelligence about IPs, domains, e-mail addresses, and other research targets from many data sources, including services such as Shodan and Have I Been Pwned. Steve Micallef, the tool’s author, offers a free, open source version of SpiderFoot. His team also provides an affordable commercial SaaS version, SpiderFoot HX, which you don’t need to host and which offers additional functionality.

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few other applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.

Zoom Bombing Attack Hits U.S. Government Meeting

Threatpost

A recent U.S. House Oversight Committee meeting was the latest victim of Zoom bombing, according to an internal letter.

The Dutch police took down 15 DDoS-for-hire services in a week

Security Affairs

Dutch authorities have taken down 15 DDoS-for-hire services in a week; this is another success for law enforcement in the fight against cybercrime. An operation conducted by Dutch authorities last week has shut down 15 DDoS-for-hire services (aka DDoS booters or DDoS stressers), states a press release published by Dutch police. The operation was conducted with the support of Europol, Interpol, and the FBI along with web hosting providers and domain registrars.

The end of passwords: Industry experts explore the possibilities and challenges

Tech Republic Security

Passwords have been an industry standard and industry headache for decades. Learn some best practice tips for password administration from tech security insiders.

Which InfoSec Jobs Will Best Survive a Recession?

Dark Reading

With COVID-19 making a mess of the global economy, companies are seeking to cut corners - and some boardrooms still see security as a "cost center." Are infosec careers vulnerable now?

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Did you know that 2021 was a record-breaking year for ransomware? The days of a “once in a while” attack against businesses and organizations are over. Cyberthreats have become a serious issue. With 495.1 million attacks, the threat marked a 148% increase compared to 2020 and was the most expensive year on record! As a result, data protection needs to be a concern for most banks, businesses, and information technology specialists.