Sat. Dec 15, 2018 - Fri. Dec 21, 2018


Drone Denial-of-Service Attack against Gatwick Airport

Schneier on Security

Someone is flying a drone over Gatwick Airport in order to disrupt service: Chris Woodroofe, Gatwick's chief operating officer, said on Thursday afternoon there had been another drone sighting which meant it was impossible to say when the airport would reopen. He told BBC News: "There are 110,000 passengers due to fly today, and the vast majority of those will see cancellations and disruption.


A Chief Security Concern for Executive Teams

Krebs on Security

Virtually all companies like to say they take their customers’ privacy and security seriously, make it a top priority, blah blah. But you’d be forgiven if you couldn’t tell this by studying the executive leadership page of each company’s Web site. That’s because very few of the world’s biggest companies list any security executives in their highest ranks.


Faulty DoD Cybersecurity Leaves U.S. At Risk of Missile Attacks

Adam Levin

The U.S. Ballistic Missile Defense System (BMDS) falls short of critical cybersecurity standards, according to an audit issued by the Department of Defense Inspector General. The report issued by the Inspector General’s office details several basic lapses in security protocols at five separate locations, including: A lack of multifactor authentication to access BMDS technical information.


Pivots and Payloads

Adam Shostack

SANS has announced a new boardgame, “Pivots and Payloads,” that “takes you through pen test methodology, tactics, and tools with many possible setbacks that defenders can utilize to hinder forward progress for a pen tester or attacker. The game helps you learn while you play. It’s also a great way to showcase to others what pen testers do and how they do it.” If you register for their webinar, which is on Wednesday the 19th, they’ll send you some posters ver


IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.


Teaching Cybersecurity Policy

Schneier on Security

Peter Swire proposes a pedagogic framework for teaching cybersecurity policy. Specifically, he makes real the old joke about adding levels to the OSI networking stack: an organizational layer, a government layer, and an international layer.


Microsoft Issues Emergency Fix for IE Zero Day

Krebs on Security

Microsoft today released an emergency software patch to plug a critical security hole in its Internet Explorer (IE) Web browser that attackers are already using to break into Windows computers. The software giant said it learned about the weakness (CVE-2018-8653) after receiving a report from Google about a new vulnerability being used in targeted attacks.


Weekly Update 117

Troy Hunt

I'm in Whistler! And as I say at the start of this video, I did seriously consider having a week off these videos, but I found a comfy spot by the fire and a cold beer and all was good in the world again. This week has some updates on my Canada travels, a couple of data breaches I loaded during the week, new HIBP stickers and some really screwy password practices at HSBC.


Congressional Report on the 2017 Equifax Data Breach

Schneier on Security

The US House of Representatives Committee on Oversight and Government Reform has just released a comprehensive report on the 2017 Equifax hack. It's a great piece of writing, with a detailed timeline, root cause analysis, and lessons learned. Lance Spitzner also commented on this. Here is my testimony before the House Subcommittee on Digital Commerce and Consumer Protection last November.


Feds Charge Three in Mass Seizure of Attack-for-hire Services

Krebs on Security

Authorities in the United States this week brought criminal hacking charges against three men as part of an unprecedented, international takedown targeting 15 different “booter” or “stresser” sites — attack-for-hire services that helped paying customers launch tens of thousands of digital sieges capable of knocking Web sites and entire network providers offline.


Facebook Bug Exposes Photos of 6.8 Million Users

Adam Levin

A bug on Facebook gave app developers unauthorized access to the photos of as many as 6.8 million users. The bug, which affected Facebook’s photo API, was active from September 13 through September 25, when it was discovered by Facebook and fixed. September 25 was coincidentally the same day the company announced a massive security breach that affected 30 million users.


Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.


High ROI Security Advisory Boards

Adam Shostack

Lance Cottrell has a blog post, “The Why and How of High ROI Security Advisory Boards,” over at the Ntrepid blog. I’m pleased to be a part of the board he’s discussing, and will quibble slightly — I don’t think it’s easy to maximize the value of the board. It’s taken effort on the part of both Ntrepid staff and executives and also the board, and the result is clearly high value.


New Shamoon Variant

Schneier on Security

A new variant of the Shamoon malware has destroyed significant amounts of data at a UAE "heavy engineering company" and the Italian oil and gas contractor Saipem. Shamoon is the Iranian malware that was targeted against the Saudi Arabian oil company, Saudi Aramco, in 2012 and 2016. We have no idea if this new variant is also Iranian in origin, or if it is someone else entirely using the old Iranian code base.


GUEST ESSAY: Top cybersecurity developments that can be expected to fully play out in 2019

The Last Watchdog

From a certain perspective, 2018 hasn’t been as dramatic a cybersecurity year as 2017, in that we haven’t seen as many global pandemics like WannaCry. Related: WannaCry signals worse things to come. Still, ransomware, zero-day exploits, and phishing attacks were among the biggest threats facing IT security teams this year. 2018 has not been a dull year as far as breaches.


Evidence in Marriott Breach Points to Chinese Hackers

Adam Levin

The cyberattack on the Marriott hotel chain that exposed the information of up to 500 million guests was most likely conducted by Chinese state-affiliated hackers, according to a preliminary investigation. Unnamed government sources for the New York Times and Washington Post familiar with the investigation of the breach have said that the methods used by the hackers, as well as the targeted data, both suggest that the attacks are linked to the Chinese Ministry of State Security.


Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?


Amnesty Report: Twitter Abuse Toward Women Is Rampant

WIRED Threat Level

Frustrated by Twitter's silence on abuse against women, Amnesty International crowdsourced its own data and found that the platform was especially toxic for black women.


NASA data breach – The agency notifies employees of a security intrusion

Security Affairs

U.S. National Aeronautics and Space Administration (NASA) notifies employees of a data breach that exposed social security numbers and other personal information. According to the data breach notification, hackers have breached at least one of the agency’s servers; the security breach impacted both past and present employees. Website SpaceRef published a data breach notification note sent by NASA to its employees, in which the Agency informed them of an ongoing investigation due to an intrusion int


A Short Cybersecurity Writing Course Just for You

Lenny Zeltser

My new writing course for cybersecurity professionals teaches how to write better reports, emails, and other content we regularly create. It captures my experience of writing in the field for over two decades and incorporates insights from other community members. It’s a course I wish I could’ve attended when I needed to improve my own security writing skills.


2019 may not be the year of quantum, but it should be the year of preparation

Thales Cloud Protection & Licensing

A few weeks ago, the National Academies of Sciences, Engineering and Medicine published a new report exploring the progress and prospects – or lack of – around quantum computing. Highlighting several technical and financial problems that need to be overcome before a functional quantum computer can be built, the report states it’s too early to even predict a timeline for the development of the technology.


From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security,” most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any number of other things – and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.


Privacy Futures: Fed-up Consumers Take Their Data Back

Dark Reading

In 2019, usable security will become the new buzzword and signal a rejection of the argument that there must be a trade-off between convenience and security and privacy.


Microsoft issues emergency patch for IE Zero Day exploited in the wild

Security Affairs

Microsoft has issued an out-of-band security update to fix a critical zero-day flaw in the Internet Explorer (IE) browser. Microsoft has rolled out an out-of-band security update to address a critical zero-day vulnerability affecting the Internet Explorer (IE) browser. According to the tech giant, attackers have already exploited the vulnerability, tracked as CVE-2018-8653, in the wild.


How Russian Trolls Used Meme Warfare to Divide America

WIRED Threat Level

A new report for the Senate exposes how the IRA used every major social media platform to target Americans before and after the 2016 election.


2019 Predictions: Information security will be given a seat at the table without asking

Thales Cloud Protection & Licensing

Many years ago, a board member said to me, “We’ve employed you to do information security, so why do we have to do anything?” This was fairly typical. My experience in the past has been that information/cyber security professionals have often been relegated to giving advice on the threat landscape and risks, and then futilely lobbying the board for visibility and resources to put appropriate controls in place.


Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.


8 Security Tips to Gift Your Loved Ones For the Holidays

Dark Reading

Before the wrapping paper starts flying, here's some welcome cybersecurity advice to share with friends and family.


Researcher disclosed a Windows zero-day for the third time in a few months

Security Affairs

Security researcher SandboxEscaper released a working proof-of-concept (PoC) exploit for a new Windows zero-day vulnerability. Hacker Discloses New Unpatched Windows Zero-Day Exploit On Twitter. The security researcher SandboxEscaper is back and, for the third time in a few months, has released a proof-of-concept (PoC) exploit for a new zero-day vulnerability affecting Microsoft’s Windows OS.


How Instagram Became the Russian IRA's Go-To Social Network

WIRED Threat Level

A Senate report finds that Russia's Internet Research Agency was far more active, and more successful, on Instagram in 2017 than on Facebook or Twitter.


WordPress Targeted with Clever SEO Injection Malware

Threatpost

The malware does its best to obfuscate SEO injection in WordPress and evade notice from web admins.


Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few other applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.


3 Reasons to Train Security Pros to Code

Dark Reading

United Health chief security strategist explains the benefits the organization reaped when it made basic coding training a requirement for security staff.


Russia-linked Sofacy APT developed a new ‘Go’ variant of Zebrocy tool

Security Affairs

Researchers at Palo Alto Networks discovered that the Russia-linked Sofacy APT has written a new version of their Zebrocy backdoor using the Go programming language. The Sofacy APT group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.


How Military Tactics Apply to Cybersecurity

eSecurity Planet

Former West Point professor Greg Conti explains how military doctrines apply to cyber security, and what lessons enterprises can learn from that.


Russia's IRA Targeted Black Americans, Exploiting Racial Tensions

WIRED Threat Level

A new report documents how the Internet Research Agency had a much more sustained, deliberate focus on black Americans.


How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Did you know that 2021 was a record-breaking year for ransomware? The days of a “once in a while” attack against businesses and organizations are over. Cyberthreats have become a serious issue. With 495.1 million attacks, the threat marked a 148% increase compared to 2020 and was the most expensive year on record! As a result, data protection needs to be a concern for most banks, businesses, and information technology specialists.