Sat.Apr 07, 2018 - Fri.Apr 13, 2018

Obscure E-Mail Vulnerability

Schneier on Security

This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so bruce.schneier@gmail.com is the same as bruceschneier@gmail.com is the same as b.r.u.c.e.schneier@gmail.com. (Note: I do not own any of those email addresses -- if they're even valid.) Netflix doesn't ignore dots, so those are all unique e-mail addresses and can each be used to register an account.
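The dot collision described above, worked through as an added example (this is not code from Schneier's post, from Gmail or from Netflix): the canonicaliser below maps the three spellings to one mailbox, and two toy registries show how many accounts each uniqueness policy ends up with. The stripping of a "+tag" suffix and the folding of googlemail.com are Gmail behaviours assumed here beyond what the post states; the sample sign-ups are constructed.

```python
# Added example: the Gmail-vs-Netflix mismatch, as an account-identity canonicaliser.
# Nothing here is Netflix's or Google's code.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}   # assumption: googlemail.com aliases gmail.com


def canonicalize_email(address: str) -> str:
    """Map an address to the mailbox it actually delivers to.

    For Gmail the local part is dot-insensitive (the post's point); this also
    strips a '+tag' suffix and folds googlemail.com, which are Gmail behaviours
    the post does not mention. All other domains are only case-folded, since
    their dots are significant.
    """
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain or "@" in local:
        raise ValueError(f"not a usable e-mail address: {address!r}")
    domain = domain.lower()
    local = local.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


class NaiveRegistry:
    """Registers accounts keyed on the literal string, as the post says Netflix did."""

    def __init__(self) -> None:
        self.accounts: dict[str, str] = {}

    def register(self, address: str) -> bool:
        key = address.strip().lower()
        if key in self.accounts:
            return False
        self.accounts[key] = address
        return True


class CanonicalRegistry(NaiveRegistry):
    """Same registry, but uniqueness is decided on the canonical mailbox."""

    def register(self, address: str) -> bool:
        key = canonicalize_email(address)
        if key in self.accounts:
            return False
        self.accounts[key] = address   # keep the address as typed for sending mail
        return True


# Constructed sample: the post's three spellings of one Gmail mailbox, plus a
# non-Gmail address where the dots really are significant.
SAMPLE_SIGNUPS = [
    "bruce.schneier@gmail.com",
    "bruceschneier@gmail.com",
    "b.r.u.c.e.schneier@gmail.com",
    "bruce.schneier@example.com",
]


def count_accounts(registry: NaiveRegistry, signups=SAMPLE_SIGNUPS) -> int:
    """Run the sign-ups through a registry and return how many accounts it holds."""
    for address in signups:
        registry.register(address)
    return len(registry.accounts)


if __name__ == "__main__":
    print("naive:", count_accounts(NaiveRegistry()))          # 4 accounts, 3 of them one inbox
    print("canonical:", count_accounts(CanonicalRegistry()))  # 2
```

Canonicalisation belongs in the uniqueness check and in abuse heuristics, not in delivery: still send mail to the address as typed, and confirm ownership of the mailbox before any billing mail goes out, because the whole trick relies on the victim receiving mail for an account they never created.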

Microsoft Regional Director (Redux)

Troy Hunt

I received a very nice email this week: Congratulations, your nomination has been accepted to the Microsoft Regional Director program! I am pleased to welcome you back to this worldwide community of technology thought leaders and thank you for being a part of this community. Just over 2 years ago, I first became a Microsoft Regional Director. This is a role that has meant a great deal to me over that time; it's not one you can sit an exam for and no amount of money will buy you one either.

Cambridge Analytica Could Also Access Private Facebook Messages

WIRED Threat Level

A Facebook permission allowed an app to read messages between 1,500 Facebook users and their friends until October 2015—data that Cambridge Analytica could have accessed.

Word Attachment Delivers FormBook Malware, No Macros Required

Threatpost

A new wave of document attacks targeting inboxes does not require enabling macros in order for adversaries to trigger an infection chain that ultimately delivers FormBook malware.

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

COPPA Compliance

Schneier on Security

Interesting research: "'Won't Somebody Think of the Children?' Examining COPPA Compliance at Scale": Abstract: We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. We use our system to analyze mobile apps' compliance with the Children's Online Privacy Protection Act (COPPA), one of the few stringent privacy laws in the U.S.

Best Buy the Latest Victim of Third-Party Security Breach

Dark Reading

Retailer says customer payment and other information may have been exposed via the breach of [24]7.ai online chat provider.

Quant Loader Trojan Spreads Via Microsoft URL Shortcut Files

Threatpost

Researchers are warning of a new email phishing campaign that launches a trojan capable of distributing ransomware and stealing passwords.

DARPA Funding in AI-Assisted Cybersecurity

Schneier on Security

DARPA is launching a program aimed at vulnerability discovery via human-assisted AI. The new DARPA program is called CHESS (Computers and Humans Exploring Software Security), and they're holding a proposers day in a week and a half. This is the kind of thing that can dramatically change the offense/defense balance.

Stats on the Cybersecurity Skills Shortage: How Bad Is It, Really?

Dark Reading

Is it just a problem of too few security professionals, or are there other reasons enterprises struggle to build infosec teams?

How to Check If Cambridge Analytica Could Access Your Facebook Data

WIRED Threat Level

Facebook has released a tool that lets you see if you were caught up in the Cambridge Analytica fiasco—and what other apps know about you.

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Vulnerability in San Francisco’s Public Safety Warning Sirens Fixed

Threatpost

A patched vulnerability in San Francisco’s public safety warning siren system suggests other radio-based platforms could also be hacked.

Cybersecurity Insurance

Schneier on Security

Good article about how difficult it is to insure an organization against Internet attacks, and how expensive the insurance is. Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But even with 20 years' worth of experience and claims data in cyberinsurance, underwriters still struggle with how to model and quantify a unique type of risk.

Nick Jovanovic, VP Federal of Thales eSecurity Federal, Speaks to Media about Data Security

Thales Cloud Protection & Licensing

Nick Jovanovic, VP Federal of Thales eSecurity Federal (a division of TDSI), recently spoke with Federal Tech Talk’s John Gilroy about federal agency data security and key findings from the 2018 Thales Data Threat Report, Federal Government Edition. Federal Tech Talk, which looks at the world of high technology in the U.S. federal government, airs on Federal News Radio, a radio station in the Washington, D.C. region.

A Long-Awaited IoT Crisis Is Here, and Many Devices Aren't Ready

WIRED Threat Level

Some network communication protocol vulnerabilities have been known for more than a decade and still aren't fixed. Now they're being exploited.

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Don’t Trust Android OEM Patching, Claims Researcher

Threatpost

Many Android device manufacturers are not telling the truth when they say they have patched devices, researchers found.

The Digital Security Exchange Is Live

Schneier on Security

Last year I wrote about the Digital Security Exchange. The project is live: The DSX works to strengthen the digital resilience of U.S. civil society groups by improving their understanding and mitigation of online threats. We do this by pairing civil society and social sector organizations with credible and trustworthy digital security experts and trainers who can help them keep their data and networks safe from exposure, exploitation, and attack.

Trust, but Verify: Keeping Watch over Privileged Users

Thales Cloud Protection & Licensing

“Trust but verify” is a Russian proverb President Reagan used as doctrine for nuclear disarmament between the U.S. and the U.S.S.R. in the mid-1980s. Its application was instrumental in ending the nuclear arms race and the threat of war. Today, the same doctrine can be applied to enterprise applications and data that is being threatened by a complex dynamic of attack vectors.

How Android Phones Hide Missed Security Updates From You

WIRED Threat Level

A study finds that Android phones aren't just slow to get patched; sometimes they lie about being patched when they're not.

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?”

New ‘Early Bird’ Code Injection Technique Helps APT33 Evade Detection

Threatpost

Researchers have identified what they are calling an Early Bird code injection technique used by the Iranian group APT33 to burrow the TurnedUp malware inside infected systems while evading anti-malware tools.

Ransomware Up for Businesses, Down for Consumers in Q1

Dark Reading

Ransomware, spyware, and cryptomining were the biggest enterprise threats during an otherwise quiet quarter for malware, researchers report.

The Top 10 Sessions to Catch at RSA Conference 2018

eSecurity Planet

There are hundreds of ways to spend your time at the 2018 RSA Conference, but here are the 10 sessions that people will be talking about.

Mark Zuckerberg Makes Facebook Privacy Sound So Easy

WIRED Threat Level

In his testimony to Congress, Facebook CEO Mark Zuckerberg repeatedly misrepresented the amount of control Facebook users really have over their data.

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Impact Of Chat Service Breach Expands To Best Buy, Kmart

Threatpost

A breach that exposed the credit card information of Delta Air Lines and Sears Holdings now expands its impact to include Best Buy and Kmart.

Cisco, ISARA to Test Hybrid Classic, Quantum-Safe Digital Certificates

Dark Reading

Goal is to make it easier for organizations to migrate to quantum-safe certificates before large-scale quantum computing becomes available.

[NEWS] D.C. Court: Accessing Public Information is Not a Computer Crime

Architect Security

In a great win for OSINT and general Internet freedom (as the EFF says, “Good news for anyone who uses the Internet as a source of information” LOL), a DC court has ruled that automated tools can be used for collecting information on the […].

This Radio Hacker Could Hijack Emergency Sirens to Play Any Sound

WIRED Threat Level

Balint Seeber found that cities around the US are leaving their emergency siren radio communication systems unencrypted and vulnerable to spoofing.

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security,” most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any number of other things – and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Ransomware Dominates Verizon DBIR

Threatpost

Verizon pegged ransomware as the most prevalent malware in its 2018 Data Breach Investigations Report.

Avoiding the Ransomware Mistakes that Crippled Atlanta

Dark Reading

What made Atlanta an easy target was its outdated use of technology: old computers running on non-supported platforms, which are also a characteristic of many municipalities and most major cities.

1.5 billion sensitive files exposed due to FTP, SMB, rsync and S3 bucket misconfiguration

Penetration Testing

Digital Shadows, a UK network security company, recently published a research report entitled “Too Much Information: Misconfigured FTP, SMB, Rsync, and S3 Buckets Exposing 1.5 Billion Files”. The report pointed out that...

Twitter Bots Post Two-Thirds of Links to Popular Sites on the Platform

WIRED Threat Level

A new study from Pew Research shows that the bulk of links on Twitter don't come from actual humans.

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.