Sat.Aug 25, 2018 - Fri.Aug 31, 2018

article thumbnail

Here’s how anyone with $20 can hire an IoT botnet to blast out a week-long DDoS attack

The Last Watchdog

Distributed denial of service (DDoS) attacks continue to erupt all across the Internet showing not the faintest hint of leveling off, much less declining, any time soon. Related video: How DDoS attacks leverage the Internet’s DNA. To the contrary, DDoS attacks appear to be scaling up and getting more sophisticated in lock step with digital transformation; DDoS attacks today are larger, more varied and come at the targeted website from so many more vectors than ever before.

DDOS 255
article thumbnail

I'm Doing a Reddit AMA

Schneier on Security

On Thursday, September 6, starting at 10:00 am CDT, I'll be doing a Reddit " Ask Me Anything " in association with the Ford Foundation. It's about my new book , but -- of course -- you can ask me anything. No promises that I will answer everything.

224
224
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Pwned Passwords, Now As NTLM Hashes!

Troy Hunt

I'm still pretty amazed at how much traction Pwned Passwords has gotten this year. A few months ago, I wrote about Pwned Passwords in Practice which demonstrates a whole heap of great use cases where they've been used in registration, password reset and login flows. Since that time, another big name has come on board too : I love that a service I use every day has taken something I've built and is doing awesome things with it!

Passwords 221
article thumbnail

Fiserv Flaw Exposed Customer Data at Hundreds of Banks

Krebs on Security

Fiserv, Inc., a major provider of technology services to financial institutions, just fixed a glaring weakness in its Web platform that exposed personal and financial details of countless customers across hundreds of bank Web sites, KrebsOnSecurity has learned. Brookfield, Wisc.-based Fiserv [ NASDAQ:FISV ] is a Fortune 500 company with 24,000 employees and $5.7 billion in earnings last year.

Banking 192
article thumbnail

How to Avoid Pitfalls In Automation: Keep Humans In the Loop

Speaker: Erroll Amacker

Automation is transforming finance but without strong financial oversight it can introduce more risk than reward. From missed discrepancies to strained vendor relationships, accounts payable automation needs a human touch to deliver lasting value. This session is your playbook to get automation right. We’ll explore how to balance speed with control, boost decision-making through human-machine collaboration, and unlock ROI with fewer errors, stronger fraud prevention, and smoother operations.

article thumbnail

MY TAKE: As phishers take aim at elections, why not train employees to serve as phishing police?

The Last Watchdog

If there is a data breach or some other cybersecurity incident, a phishing attack was probably involved. Over 90 percent of incidents begin with a phishing email. One of the more infamous hacks in recent years, the DNC data breach , was the result of a phishing attack. Related: Carpet bombing of phishing emails endures. Phishing is the number one way organizations are breached, Aaron Higbee, CTO and co-founder of Cofense, told me at Black Hat USA 2018 in Las Vegas.

Phishing 194
article thumbnail

Eavesdropping on Computer Screens through the Webcam Mic

Schneier on Security

Yet another way of eavesdropping on someone's computer activity: using the webcam microphone to "listen" to the computer's screen.

LifeWorks

More Trending

article thumbnail

Instagram’s New Security Tools are a Welcome Step, But Not Enough

Krebs on Security

Instagram users should soon have more secure options for protecting their accounts against Internet bad guys. On Tuesday, the Facebook -owned social network said it is in the process of rolling out support for third-party authentication apps. Unfortunately, this welcome new security offering does nothing to block Instagram account takeovers when thieves manage to hijack a target’s mobile phone number — an increasingly common crime.

article thumbnail

GUEST ESSAY: A call for immediate, collective action to stem attacks on industrial control systems

The Last Watchdog

As the Industrial Internet of Things continues to transform the global industrial manufacturing and critical infrastructure industries, the threat of aggressive, innovative and dangerous cyber-attacks has become increasingly concerning. Related: The top 7 most worrisome cyber warfare attacks. Adopting modern technology has revealed a downside: its interconnectedness.

article thumbnail

Cheating in Bird Racing

Schneier on Security

I've previously written about people cheating in marathon racing by driving -- or otherwise getting near the end of the race by faster means than running. In China, two people were convicted of cheating in a pigeon race: The essence of the plan involved training the pigeons to believe they had two homes. The birds had been secretly raised not just in Shanghai but also in Shangqiu.

166
166
article thumbnail

Weekly Update 102

Troy Hunt

A few little bits and pieces this week ranging from a new web cam (primarily to do Windows Hello auth), teaching my 8-year-old son HTML, progress with Firefox and HIBP, some really ridiculous comments from Namecheap re SSL (or TLS or HTTPS) and a full set of Pwned Passwords as NTLM hashes. I didn't mention it when I recorded, but there's already a bunch of sample code on how to dump your AD hashes and compare them to the Pwned Passwords list in the comments on that blog post.

Passwords 123
article thumbnail

Why Giant Content Libraries Do Nothing for Your Employees’ Cyber Resilience

Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.

article thumbnail

Who’s Behind the Screencam Extortion Scam?

Krebs on Security

The sextortion email scam last month that invoked a real password used by each recipient and threatened to release embarrassing Webcam videos almost certainly was not the work of one criminal or even one group of criminals. Rather, it’s likely that additional spammers and scammers piled on with their own versions of the phishing email after noticing that some recipients were actually paying up.

Scams 167
article thumbnail

MY TAKE: Can ‘Network Traffic Analysis’ cure the security ills of digital transformation?

The Last Watchdog

If digital transformation, or DX , is to reach its full potential, there must be a security breakthrough that goes beyond legacy defenses to address the myriad new ways threat actors can insinuate themselves into complex digital systems. Network traffic analytics, or NTA , just may be that pivotal step forward. NTA refers to using advanced data mining and security analytics techniques to detect and investigate malicious activity in traffic moving between each device and on every critical system

article thumbnail

NotPetya

Schneier on Security

Andy Greenberg wrote a fascinating account of the Russian NotPetya worm, with an emphasis on its effects on the company Maersk. BoingBoing post.

article thumbnail

The Rise of an Overlooked Crime – Cyberstalking

Security Affairs

Cyberstalking is one of the most overlooked crimes. This is exactly why it is among the fastest growing crimes in the world. Learn all there is about cyberstalking here. The internet has been a blessing since its inception. The very concept of globalization has come into existence just because of the internet. The world that was previously unconnected soon became a global village with different cultures and traditions linking together via the information highway.

article thumbnail

Zero Trust Mandate: The Realities, Requirements and Roadmap

The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.

article thumbnail

Data Breach: Air Canada Tells 1.7 Million Customers to Reset App Passwords

Adam Levin

Air Canada is advising customers to reset their passwords on their mobile application after detecting a potential data breach of customer records. In a notice, Air Canada says that a data breach it discovered last week impacted 20,000 profiles. However, the airline operator is urging all 1.7 million users to reset their passwords. “We detected unusual login behavior with Air Canada’s mobile App between Aug. 22-24, 2018.

article thumbnail

7 Steps to Start Searching with Shodan

Dark Reading

The right know-how can turn the search engine for Internet-connected devices into a powerful tool for security professionals.

article thumbnail

Upcoming Speaking Engagements

Schneier on Security

This is a current list of where and when I am scheduled to speak: I'm giving a book talk on Click Here to Kill Everybody at the Ford Foundation in New York City, on September 5, 2018. The Aspen Institute's Cybersecurity & Technology Program is holding a book launch for Click Here to Kill Everybody on September 10, 2018 in Washington, DC. I'm speaking about my book Click Here to Kill Everybody: Security and Survival in a Hyper-connected World at the Harvard Book Store in Cambridge, Massachuse

article thumbnail

Android mobile devices from 11 vendors are exposed to AT Commands attacks

Security Affairs

A group of researchers has conducted an interesting study on AT commands attacks on modern Android devices discovering that models of 11 vendors are at risk. A group of researchers from the University of Florida, Stony Brook University, and Samsung Research America, has conducted an interesting research on the set of AT commands that are currently supported on modern Android devices.

Mobile 108
article thumbnail

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

article thumbnail

Phone Numbers Were Never Meant as ID. Now We’re All At Risk

WIRED Threat Level

Your phone number was never meant to be your identity. Now that it effectively is, we're all at risk.

Risk 89
article thumbnail

MagentoCore Card Skimmer Found on Mass Numbers of E-Commerce Sites

Threatpost

The Magecart group is likely behind the most prolific card-stealing operation seen in the wild to date.

Malware 81
article thumbnail

The Difference Between Sandboxing, Honeypots & Security Deception

Dark Reading

A deep dive into the unique requirements and ideal use cases of three important prevention and analysis technologies.

article thumbnail

Iran-linked COBALT DICKENS group targets universities in new phishing campaign

Security Affairs

Experts from SecureWorks discovered a large phishing campaign targeting universities carried out by an Iran-linked threat actor COBALT DICKENS. Security firm SecureWorks has uncovered a new phishing campaign carried out by COBALT DICKENS APT targeting universities worldwide, it involved sixteen domains hosting more than 300 spoofed websites for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States. ̶

Phishing 106
article thumbnail

Next-Level Fraud Prevention: Strategies for Today’s Threat Landscape

Speaker: Sierre Lindgren

Fraud is a battle that every organization must face – it’s no longer a question of “if” but “when.” Every organization is a potential target for fraud, and the finance department is often the bullseye. From cleverly disguised emails to fraudulent payment requests, the tactics of cybercriminals are advancing rapidly. Drawing insights from real-world cases and industry expertise, we’ll explore the vulnerabilities in your processes and how to fortify them effectively.

article thumbnail

Android Devices Can Be Exploited With Decades Old-Telephone Tech

WIRED Threat Level

So-called Attention commands date back to the 80s, but they can enable some very modern-day smartphone hacks.

Hacking 77
article thumbnail

Newsmaker Interview: Derek Manky on ‘Self-Organizing Botnet Swarms’

Threatpost

Botnets fused with artificial intelligence are decentralized and self-organized systems, capable of working together toward a common goal – attacking networks.

article thumbnail

Passport Numbers Exposed in Air Canada Data Breach

Dark Reading

Mobile app hit in cyberattack that compromised 20K user accounts.

article thumbnail

Australia banned Huawei from 5G network due to security concerns

Security Affairs

Chinese-owned telecommunications firm Huawei has been banned from Australia’s 5G network due to security concerns. The Australian government considers risky the involvement of Huawei for the rolling out of next-generation 5G communication networks. Huawei Australia defined the decision disappointing. We have been informed by the Govt that Huawei & ZTE have been banned from providing 5G technology to Australia.

article thumbnail

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

article thumbnail

3-D Printed Gun Blueprints Are Back, and Only New Laws Can Stop Them

WIRED Threat Level

Despite an injunction against sharing the plans online, Cody Wilson is now selling the blueprints directly.

66
article thumbnail

Bucking the Norm, Mozilla to Block Tracking Cookies in Firefox

Threatpost

Unlike its browser competitors, Firefox will soon start blocking tracking cookies by default in the name of consumer privacy.

57
article thumbnail

WhatsApp: Mobile Phishing's Newest Attack Target

Dark Reading

In 2018, mobile communication platforms such as WhatsApp, Skype and SMS have far less protection against app-based phishing than email.

Mobile 54
article thumbnail

CVE-2018-15919 username enumeration flaw affects OpenSSH Versions Since 2011

Security Affairs

Qualys experts discovered that OpenSSH is still vulnerable to Oracle attack, it is affected by the CVE-2018-15919 flaw at least since September 2011. Security experts from Qualys discovered that OpenSSH is still vulnerable to Oracle attack, it is affected by the CVE-2018-15919 flaw at least since September 2011. A few days ago the security expert Darek Tytko from securitum.pl has reported a similar username enumeration vulnerability in the OpenSSH client.

article thumbnail

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!