Sat.Oct 16, 2021 - Fri.Oct 22, 2021


Problems with Multifactor Authentication

Schneier on Security

Roger Grimes on why multifactor authentication isn’t a panacea: The first time I heard of this issue was from a Midwest CEO. His organization had been hit by ransomware to the tune of $10M. Operationally, they were still recovering nearly a year later. And, embarrassingly, it was his most trusted VP who let the attackers in. It turns out that the VP had approved over 10 different push-based messages for logins that he was not involved in.
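The failure mode in the story above is push fatigue (push bombing): an attacker who already has the password keeps triggering prompts until the user taps "approve" on one they never initiated. The detector below is an added example written for this digest, not code from Grimes's or Schneier's post; the log format, the event names (push_sent, push_denied, push_timeout, push_approved) and the sample lines are all constructed for illustration, so map them onto whatever your IdP actually emits. It flags any user who receives several push prompts inside a short window and records whether one of them was finally approved after earlier rejections, which is exactly the VP's pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from any real IdP): an attacker holding the VP's
# password keeps triggering push prompts until one is approved; alice is a
# normal single-prompt login and must not be flagged.
SAMPLE_LOG = """\
2021-10-18T08:01:12Z user=vp@example.com event=push_sent ip=203.0.113.7
2021-10-18T08:01:40Z user=vp@example.com event=push_denied ip=203.0.113.7
2021-10-18T08:02:05Z user=vp@example.com event=push_sent ip=203.0.113.7
2021-10-18T08:02:35Z user=vp@example.com event=push_timeout ip=203.0.113.7
2021-10-18T08:03:01Z user=vp@example.com event=push_sent ip=203.0.113.7
2021-10-18T08:03:20Z user=vp@example.com event=push_approved ip=203.0.113.7
2021-10-18T09:15:00Z user=alice@example.com event=push_sent ip=198.51.100.4
2021-10-18T09:15:09Z user=alice@example.com event=push_approved ip=198.51.100.4
"""

# Assumed line layout; adjust the pattern to your own log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(log_text):
    """Yield (timestamp, user, event, ip) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["user"], m["event"], m["ip"]


def find_push_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Flag users who received at least `threshold` push prompts within `window`.

    Returns {user: {"first_prompt", "prompts", "rejections", "approved", "ip"}}.
    approved=True after one or more rejections is the push-fatigue signature:
    prompts the user did not start, one of which was eventually tapped through.
    """
    recent = defaultdict(deque)     # user -> push_sent timestamps inside the window
    rejections = defaultdict(int)   # user -> denied/timed-out prompts seen so far
    alerts = {}
    for ts, user, event, ip in parse_events(log_text):
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:          # drop prompts older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {
                    "first_prompt": q[0], "prompts": 0, "rejections": 0,
                    "approved": False, "ip": ip,
                })
                alert["prompts"] = len(q)
        elif event in ("push_denied", "push_timeout"):
            rejections[user] += 1
        elif event == "push_approved" and user in alerts:
            alerts[user]["approved"] = True
            alerts[user]["rejections"] = rejections[user]
    return alerts


if __name__ == "__main__":
    for user, alert in find_push_fatigue(SAMPLE_LOG).items():
        print(user, alert)   # only vp@example.com: 3 prompts, 2 rejections, approved
```

Tune the window and threshold to your own baseline (a user who mis-taps and legitimately retries will trip a low threshold), and treat the alert as a trigger to review the session, not as proof of compromise. The structural fix is to stop relying on a bare approve/deny tap: number matching on the prompt, or phishing-resistant authenticators such as FIDO2 keys, remove the attacker's ability to get in by simply asking often enough.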


Pwned - The Collected Blog Posts of Troy Hunt (Preview)

Troy Hunt

We chose this photo for the cover because this was when it all started: 18-year-old Troy, having just discovered the web in early 1995 and chomping at the bit to do something with it. The full tale of what I first did (and how disastrous it ultimately became) is up front early in the book, so I won't relay it here, but it's quite the story.


Do You Trust Your SIEM?

Anton on Security

My admittedly epic (but dated) post “Security Correlation Then and Now: A Sad Truth About SIEM” mentioned the issue of TRUST as it applies to SIEM. Specifically, as a bit of a throwaway comment, I said “people write stupid string-matching and regex-based content because they trust it. They do not — en masse — trust the event taxonomies if their lives and breach detections depend on it.


In-Person Conferences Are Back — What Can We Expect?

Lohrman on Security

The National Association of State Chief Information Officers (NASCIO) Annual Conference was held this past week as a live event in Seattle for the first time in two years. What happened, and what’s next?


How to Avoid Pitfalls In Automation: Keep Humans In the Loop

Speaker: Erroll Amacker

Automation is transforming finance but without strong financial oversight it can introduce more risk than reward. From missed discrepancies to strained vendor relationships, accounts payable automation needs a human touch to deliver lasting value. This session is your playbook to get automation right. We’ll explore how to balance speed with control, boost decision-making through human-machine collaboration, and unlock ROI with fewer errors, stronger fraud prevention, and smoother operations.


Nation-State Attacker of Telecommunications Networks

Schneier on Security

Someone has been hacking telecommunications networks around the world: LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures. Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2


MY TAKE: Can Project Wildland’s egalitarian platform make Google, Facebook obsolete?

The Last Watchdog

Most of the people I know professionally and personally don’t spend a lot of time contemplating the true price we pay for the amazing digital services we’ve all become addicted to. I’ll use myself as a prime example. My professional and social life revolve around free and inexpensive information feeds and digital tools supplied by Google, Microsoft, Amazon, LinkedIn, Facebook and Twitter.


Setting a Guinness World Record

Javvad Malik

I’ve been thinking of the best way to write this post for several days. Many drafts have ended up being deleted. Which, to be honest, doesn’t have the same visual satisfaction as seeing pages crumpled up into balls and tossed across the room into the bin. But here we are. Last week, KnowBe4, OneLogin, and Eskenzi PR partnered up to attempt to set the Guinness World Record for the Most views of A Cybersecurity Lesson Video on YouTube in 24 hours.


The Missouri Governor Doesn’t Understand Responsible Disclosure

Schneier on Security

The Missouri governor wants to prosecute the reporter who discovered a security vulnerability in a state’s website, and then reported it to the state. The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state. […]. According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials.


Zuckerberg Accused Personally in Cambridge Analytica Next Shoe

Security Boulevard

Mark Zuckerberg has been added as a defendant to D.C.’s Cambridge Analytica privacy complaint—this time, it’s personal.


Gartner analyst: 12 technologies to accelerate growth, engineer trust and sculpt change in 2022

Tech Republic Security

CIOs must prioritize the same business imperatives and find the IT force multipliers to enable growth and innovation, according to a Gartner analyst during Gartner's IT Symposium.


Why Giant Content Libraries Do Nothing for Your Employees’ Cyber Resilience

Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.


US Government warns of BlackMatter ransomware attacks against critical infrastructure

Graham Cluley

The US Government has issued an alert to organisations about the threat posed by the BlackMatter ransomware group. Read more in my article on the Tripwire State of Security blog.


Using Machine Learning to Guess PINs from Video

Schneier on Security

Researchers trained a machine-learning system on videos of people typing their PINs into ATMs: By using three tries, which is typically the maximum allowed number of attempts before the card is withheld, the researchers reconstructed the correct sequence for 5-digit PINs 30% of the time, and reached 41% for 4-digit PINs. This works even if the person is covering the pad with their hands.


A bug is about to confuse a lot of computers by turning back time 20 years

Malwarebytes

For those of you that remember the fuss about the Y2K bug, this story may sound familiar. The Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning to Critical Infrastructure (CI) owners and operators, and other users who get the time from GPS, about a GPS Daemon (GPSD) bug in GPSD versions 3.20 through 3.22. If you don’t remember the Y2K bug, let me remind you quickly.
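The "20 years" in the headline is the 1024-week (about 19.6-year) period of the 10-bit week counter in the legacy GPS navigation message: a receiver or daemon only ever sees the week number modulo 1024 and has to decide which cycle it belongs to. The snippet below is an added illustration of that ambiguity written for this digest, not gpsd's own code; the resolution rule (pick the first matching week on or after a pivot date) is a common approach, stated here as an assumption, and the week numbers used are computed from the GPS epoch, not taken from the article. It shows that a correct 2021 week resolved against a stale pivot lands in March 2002, the same jump the CISA warning describes.

```python
from datetime import datetime, timedelta, timezone

GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)  # GPS week 0 starts here
WEEK = timedelta(weeks=1)
ROLLOVER = 1024  # legacy navigation message carries only a 10-bit week number


def gps_to_datetime(full_week, tow_seconds=0):
    """Full (unambiguous) GPS week plus time-of-week -> datetime.
    Leap seconds are deliberately ignored; they are not the cause of the 1024-week jump."""
    return GPS_EPOCH + full_week * WEEK + timedelta(seconds=tow_seconds)


def truncate_week(full_week):
    """What a receiver actually sees on the wire: the week number modulo 1024."""
    return full_week % ROLLOVER


def resolve_week(week10, pivot):
    """Resolve a 10-bit week number to a full week number (assumed pivot rule):
    take the earliest full week on or after `pivot` whose low 10 bits match.
    A pivot that is too old, or a sanity check that rejects the current week,
    puts the result in the previous 1024-week cycle, i.e. ~19.6 years back."""
    pivot_week = (pivot - GPS_EPOCH) // WEEK
    # ceil((pivot_week - week10) / 1024); never negative because week10 < 1024
    cycles = (pivot_week - week10 + ROLLOVER - 1) // ROLLOVER
    return week10 + cycles * ROLLOVER


if __name__ == "__main__":
    now_week = 2180                                   # week starting 2021-10-17
    on_wire = truncate_week(now_week)                 # 132
    good = resolve_week(on_wire, datetime(2021, 1, 1, tzinfo=timezone.utc))
    bad = resolve_week(on_wire, datetime(2000, 1, 1, tzinfo=timezone.utc))
    print("10-bit week on the wire:", on_wire)
    print("recent pivot:", good, gps_to_datetime(good).date())   # 2180 2021-10-17
    print("stale pivot :", bad, gps_to_datetime(bad).date())     # 1156 2002-03-03
```

The practical check for anything that feeds time into a PKI, a SIEM or an NTP hierarchy from a GPS source: confirm the pivot (usually the software build date) is newer than the last rollover, and alarm if the disciplined clock ever disagrees with another trusted source by anything close to 1024 weeks rather than silently accepting the jump.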


How to proactively detect and prevent ransomware attacks

Tech Republic Security

Two out of three organizations surveyed by ThycoticCentrify were hit by a ransomware attack over the past 12 months, and more than 80% reportedly opted to pay the ransom.


Zero Trust Mandate: The Realities, Requirements and Roadmap

The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX; Chris Wild, Zero Trust subject matter expert at Zermount, Inc.; and Trey Gannon, Principal of Cybersecurity Practice at Eliassen Group—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.


Russian-speaking cybercrime evolution: What changed from 2016 to 2021

SecureList

Experts at Kaspersky have been investigating various computer incidents on a daily basis for over a decade. Having been in the field for so long, we have witnessed some major changes in the cybercrime world’s modus operandi. This report shares our insights into the Russian-speaking cybercrime world and the changes in how it operates that have happened in the past five years.


Textbook Rental Scam

Schneier on Security

Here’s a story of someone who, with three compatriots, rented textbooks from Amazon and then sold them instead of returning them. They used gift cards and prepaid credit cards to buy the books, so there was no available balance when Amazon tried to charge them the buyout price for non-returned books. They also used various aliases and other tricks to bypass Amazon’s fifteen-book limit.


Modernizing Security Operations with XDR

Cisco Security

This guest blog was written by Aaron Sherrill, Senior Research Analyst at 451 Research, part of S&P Global Market Intelligence. Set the Stage: A World Without XDR. Security operations teams at most organizations are overwhelmed by the sheer number of security products they’re required to manage. Over the course of many years, security teams have stitched together a robust security stack with dozens, if not hundreds, of disparate, siloed security tools, each aimed at protecting specifi


How to keep your data off the Dark Web

Tech Republic Security

Traditional security solutions are no longer enough to protect your organization from a data breach, Bitglass says.


Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.


Trickbot module descriptions

SecureList

Trickbot (aka TrickLoader or Trickster) is a successor of the Dyre banking Trojan, which was active from 2014 to 2016 and performed man-in-the-browser attacks in order to steal banking credentials. Trickbot was first discovered in October 2016. Just like Dyre, its main functionality was initially the theft of online banking data. However, over time, its tactics and goals have changed.


Ransomware Attacks against Water Treatment Plants

Schneier on Security

According to a report from CISA last week, there were three ransomware attacks against water treatment plants last year. WWS Sector cyber intrusions from 2019 to early 2021 include: In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.


Threat Trends: Firewall

Cisco Security

These days, protecting the network perimeter is a foregone conclusion. However, there is no longer a monolithic perimeter—there are often multiple perimeters to protect. Unauthorized attempts to cross perimeters are frequent, and the need to defend against threats is critical to protect your assets. In any perimeter defense a key component is firewalls—the proverbial guard towers in your fortifications.


Microsoft bought CloudKnox because hybrid multicloud identity is complicated

Tech Republic Security

Managing passwords and privileged access is bad enough for people—but that's going to be dwarfed by the problem of dealing with non-human identities.


Next-Level Fraud Prevention: Strategies for Today’s Threat Landscape

Speaker: Sierre Lindgren

Fraud is a battle that every organization must face – it’s no longer a question of “if” but “when.” Every organization is a potential target for fraud, and the finance department is often the bullseye. From cleverly disguised emails to fraudulent payment requests, the tactics of cybercriminals are advancing rapidly. Drawing insights from real-world cases and industry expertise, we’ll explore the vulnerabilities in your processes and how to fortify them effectively.


What is Magecart? How this hacker group steals payment card data

CSO Magazine

Magecart is a consortium of malicious hacker groups who target online shopping cart systems, usually the Magento system, to steal customer payment card information. This is known as a supply chain attack. The idea behind these attacks is to compromise a third-party piece of software from a VAR or systems integrator or infect an industrial process unbeknownst to IT.


Massive campaign uses YouTube to push password-stealing malware

Bleeping Computer

Widespread malware campaigns are creating YouTube videos to distribute password-stealing trojans to unsuspecting viewers. […]


Experts hacked a fully patched iOS 15 running on iPhone 13 at China’s Tianfu Cup hacking contest

Security Affairs

White hat hackers earned $1.88 million at the Tianfu Cup hacking contest by finding vulnerabilities in popular software. The Tianfu Cup is the most important hacking contest held in China; this year white hat hackers earned $1.88 million on a total bonus of up to $1.5 million by demonstrating vulnerabilities in popular software. This year’s edition took place on October 16 and 17 in the city of Chengdu; participants had three attempts of 5 minutes to demonstrate their exploits.


Train to qualify for elite positions in the high-demand field of cybersecurity

Tech Republic Security

You don't have to go back to school or blow your budget to train for a career in cybersecurity, which is in high demand right now.


Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.


What Squid Game Teaches Us About Cybersecurity

Dark Reading

When life inside the security operations center feels treacherous, here are some suggestions for getting out alive.


Canon sued for disabling scanner when printers run out of ink

Bleeping Computer

Canon USA is being sued for not allowing owners of certain printers to use the scanner or faxing functions if they run out of ink. […]


YouTube creators’ accounts hijacked with cookie-stealing malware

Security Affairs

Cookie Theft malware was employed in phishing attacks against YouTube creators, Google’s Threat Analysis Group (TAG) warns. Financially motivated threat actors have been using Cookie Theft malware in phishing attacks against YouTube creators since late 2019. According to Google’s Threat Analysis Group (TAG) researchers, who spotted the campaign, the attacks were launched by multiple hack-for-hire actors recruited on Russian-speaking forums.


Tech support scams top list of latest phishing threats

Tech Republic Security

Tech support scams work because they try to trick people into believing there's a serious security crisis with their computers, says Norton Labs.


The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!