Sat.Jan 05, 2019 - Fri.Jan 11, 2019

article thumbnail

Dirt-Cheap, Legit, Windows Software: Pick Two

Krebs on Security

Buying heavily discounted, popular software from second-hand sources online has always been something of an iffy security proposition. But purchasing steeply discounted licenses for cloud-based subscription products like recent versions of Microsoft Office can be an extremely risky transaction, mainly because you may not have full control over who has access to your data.

Software 242
article thumbnail

Machine Learning to Detect Software Vulnerabilities

Schneier on Security

No one doubts that artificial intelligence (AI) and machine learning (ML) will transform cybersecurity. We just don't know how , or when. While the literature generally focuses on the different uses of AI by attackers and defenders ­ and the resultant arms race between the two ­ I want to talk about software vulnerabilities. All software contains bugs.

Software 248
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

No, Spotify Wasn't Hacked

Troy Hunt

Time and time again, I get emails and DMs from people that effectively boil down to this: Hey, that paste that just appeared in Have I Been Pwned is from Spotify, looks like they've had a data breach Many years ago, I introduced the concept of pastes to HIBP and what they essentially boil down to is monitoring Pastebin and a bunch of other services for when a trove of email addresses is dumped online.

Hacking 223
article thumbnail

Government Shutdown Hampers Cybersecurity

Adam Levin

The ongoing shutdown of the U.S. Government has impacted federal cybersecurity according to several reports. The roughly 800,000 federal workers currently on furlough include: 45% of staff from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency , which is tasked with defending critical infrastructure from cyber and physical threats. 80% of the National Protection and Programs Directorate , which oversees the Office of Cyber and Infrastructure Analysis and the

article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

Linkedin Learning: Producing a Video

Adam Shostack

My Linkedin Learning course is getting really strong positive feedback. Today, I want to peel back the cover a bit, and talk about how it came to be. Before I struck a deal with Linkedin, I talked to some of the other popular training sites. Many of them will buy you a microphone and some screen recording software, and you go to town! They even “let” you edit your own videos.

Software 189
article thumbnail

Security Vulnerabilities in Cell Phone Systems

Schneier on Security

Good essay on the inherent vulnerabilities in the cell phone standards and the market barriers to fixing them. So far, industry and policymakers have largely dragged their feet when it comes to blocking cell-site simulators and SS7 attacks. Senator Ron Wyden, one of the few lawmakers vocal about this issue, sent a letter in August encouraging the Department of Justice to "be forthright with federal courts about the disruptive nature of cell-site simulators.

Marketing 205

More Trending

article thumbnail

Q&A: Why emerging IoT platforms require the same leading-edge security as industrial controls

The Last Watchdog

The heyday of traditional corporate IT networks has come and gone. In 2019, and moving ahead, look for legacy IT business networks to increasingly intersect with a new class of networks dedicated to controlling the operations of a IoT-enabled services of all types, including smart buildings, IoT-enabled healthcare services and driverless cars. Related: Why the golden age of cyber espionage is upon us.

IoT 155
article thumbnail

Patch Tuesday, January 2019 Edition

Krebs on Security

Microsoft on Tuesday released updates to fix roughly four dozen security issues with its Windows operating systems and related software. All things considered, this first Patch Tuesday of 2019 is fairly mild, bereft as it is of any new Adobe Flash updates or zero-day exploits. But there are a few spicy bits to keep in mind. Read on for the gory details.

Internet 153
article thumbnail

New Attack Against Electrum Bitcoin Wallets

Schneier on Security

This is clever: How the attack works: Attacker added tens of malicious servers to the Electrum wallet network. Users of legitimate Electrum wallets initiate a Bitcoin transaction. If the transaction reaches one of the malicious servers, these servers reply with an error message that urges users to download a wallet app update from a malicious website (GitHub repo).

article thumbnail

IriusRisk 2.0

Adam Shostack

I’m excited to be able to share “ Announcement: IriusRisk Threat Modeling Platform 2.0 Released.” If you’re looking to scale your enterprise threat modeling program, this is worth a look.

113
113
article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

Dark Overlord hacking crew publishes first batch of confidential 9/11 files

Security Affairs

The Dark Overlord published the first batch of decryption keys for 650 confidential documents related to the 9/11 terrorist attacks. The Dark Overlord hacking group claims to have stolen a huge trove of documents from the British insurance company Hiscox, Hackers stole “hundreds of thousands of documents,” including tens of thousands files related to the 9/11 terrorist attacks.

Hacking 111
article thumbnail

Quiet Lawsuit in Pennsylvania May Create a Groundbreaking Data Security Priority Shift. Are You Ready?

Thales Cloud Protection & Licensing

Personally, I find the daily announcement of a company losing control of their employees’, partners’, or customers’ data depressing. My home state, California had 259 formally reported breaches in 2018 alone! It doesn’t matter where in the world you are, many companies are not properly protecting your data and hackers are very good at seeking those companies out.

Risk 82
article thumbnail

Using a Fake Hand to Defeat Hand-Vein Biometrics

Schneier on Security

Nice work : One attraction of a vein based system over, say, a more traditional fingerprint system is that it may be typically harder for an attacker to learn how a user's veins are positioned under their skin, rather than lifting a fingerprint from a held object or high quality photograph, for example. But with that said, Krissler and Albrecht first took photos of their vein patterns.

article thumbnail

New year, new theme

Adam Shostack

I’ve updated the blog theme. Please let me know if I broke anything.

113
113
article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

article thumbnail

Tens of thousands of hot tubs are exposed to hack

Security Affairs

Experts from security firm Pen Test Partners reported that tens of thousands of hot tubs are currently vulnerable to cyber attacks. Security experts at Pen Test Partners have discovered thousands of connected hot tubs vulnerable to remote cyber attacks. The hot tubs could be remotely controlled by an app, dubbed Balboa Water App, that lack of authentication mechanisms. “The mobile app connects to a Wi-Fi access point on the tub.

Hacking 105
article thumbnail

Web Vulnerabilities Up, IoT Flaws Down

Dark Reading

The number of flaws found in WordPress and its associated plugins have tripled since 2017, while Internet of Things vulnerabilities dropped significantly, according to data collected by Imperva.

IoT 83
article thumbnail

EU Offering Bug Bounties on Critical Open-Source Software

Schneier on Security

The EU is offering "bug bounties on Free Software projects that the EU institutions rely on.". Slashdot thread.

Software 192
article thumbnail

Hackers Infiltrate Early Warning Network System to Send Spam

Threatpost

Just as ex-tropical Cyclone Penny moved toward the coast of Queensland, Australia, users of Early Warning Network reported receiving strange messages from the emergency system.

Hacking 70
article thumbnail

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

article thumbnail

Victims of Pylocky ransomware can decrypt their files for free

Security Affairs

Victims of the PyLocky Ransomware can use a tool released by security researcher Mike Bautista at Cisco Talos group to decrypt their files for free. I have good and bad news for the victims of the PyLocky Ransomware. The good news is that security researcher Mike Bautista at Cisco Talos group released a decryption tool that allows them to decrypt their files for free.

article thumbnail

Kudos to the Unsung Rock Stars of Security

Dark Reading

It is great to have heroes, but the real security heroes are the men and women who keep the bad guys out while fighting their own organizations at the same time.

86
article thumbnail

Your Old Tweets Give Away More Location Data Than You Think

WIRED Threat Level

Researchers built a tool that can predict where you live and work, as well as other sensitive information, just by using geotagged tweets.

81
article thumbnail

unCAPTCHA AI Cracks Google reCAPTCHAs with 90% Accuracy

Threatpost

A proof-of-concept from the University of Maryland can defeat the audio challenges that are offered as an option for people with disabilities.

76
article thumbnail

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

article thumbnail

Three security bugs found in the popular Linux suite systemd

Security Affairs

Experts disclosed three flaws in the systemd , a software suite that provides fundamental building blocks for Linux operating systems. Security firm Qualys has disclosed three flaws (CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866 ) in a component of systemd , a software suite that provides fundamental building blocks for a Linux operating system used in most major Linux distributions.

article thumbnail

Stronger DNS Security Stymies Would-Be Criminals

Dark Reading

2018 saw a reduced number of huge DNS-facilitated DDoS attacks. Vendors and service providers believe that malicious impact will drop with continued technology improvements.

DNS 78
article thumbnail

Mueller Investigation 2019: Indictments, Witnesses, and More

WIRED Threat Level

The special counsel has lots of unfinished business on his to-do list this year, including a final report. Here's a rundown.

83
article thumbnail

Resolve to Comply in 2019

Thales Cloud Protection & Licensing

Last year was a big year in the world of information security with data privacy issues, new regulations and several high-profile data breaches. Now that 2019 has arrived, what should corporations be doing to comply with the various data security and privacy regulations? First and foremost, businesses must manage and mitigate risk, and in the digital world order this entails keeping information secure, ensuring proper controls are in place, and policies and roles are set.

article thumbnail

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few others applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.

article thumbnail

Coinbase suspended Ethereum Classic (ETC) trading after a successful 51% attack

Security Affairs

The cryptocurrency exchange Coinbase suspended the trading of Ethereum Classic (ETC) after double-spend attacks worth $1.1 Million. The cryptocurrency exchange Coinbase has suspended the trading of Ethereum Classic (ETC) after double-spend attacks that consist in spending digital coins twice. Ethereum Classic (ETC) is the original unforked Ethereum blockchain, the attacks resulted in the loss of $1.1 million worth of the digital currency. 51% attack refers to an attack on a blockchain by a group

article thumbnail

DNS Hijacking Campaign Targets Organizations Globally

Dark Reading

A group believed to be operating out of Iran has manipulated DNS records belonging to dozens of firms in an apparent cyber espionage campaign, FireEye says.

DNS 81
article thumbnail

U.S. Government Shutdown Leaves Dozens of.Gov Websites Vulnerable

Threatpost

As the shutdown continues into its 21st day, dozens of.gov websites haven't renewed their TLS certificates.

article thumbnail

Gmail Backup Best Practices for IT Admins

Spinone

Every corporate Gmail contains business-critical data. However, many businesses fail to backup emails. As a result, important data might be lost due to error, mal intention, or hacker attack. In this article, we will share the best practices of Gmail Backup to help you protect your valuable data. However, there are several factors with which […] The post Gmail Backup Best Practices for IT Admins first appeared on SpinOne.

Backups 52
article thumbnail

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Did you know that 2021 was a record-breaking year for ransomware? The days of a “once in a while” attack against businesses and organizations are over. Cyberthreats have become a serious issue. With 495.1 million attacks, the threat marked a 148% increase compared to 2020 and was the most expensive year on record! As a result, data protection needs to be a concern for most banks, businesses, and information technology specialists.