Sat.Jan 11, 2020 - Fri.Jan 17, 2020

Patch Tuesday, January 2020 Edition

Krebs on Security

Microsoft today released updates to plug 50 security holes in various flavors of Windows and related software. The patch batch includes a fix for a flaw in Windows 10 and server equivalents of this operating system that prompted an unprecedented public warning from the U.S. National Security Agency. This month also marks the end of mainstream support for Windows 7 , a still broadly-used operating system that will no longer be supplied with security updates.

5G Security

Schneier on Security

The security risks inherent in Chinese-made 5G networking equipment are easy to understand. Because the companies that make the equipment are subservient to the Chinese government, they could be forced to include backdoors in the hardware or software to give Beijing remote access. Eavesdropping is also a risk, although efforts to listen in would almost certainly be detectable.

Welcoming the Danish Government to Have I Been Pwned

Troy Hunt

In a continued bid to make breach data available to the government departments around the world tasked with protecting their citizens, I'm very happy to welcome the first country onto Have I Been Pwned for 2020 - Denmark! The Danish Centre for Cyber Security (CFCS) joins the existing 7 governments who have free and unbridled API access to query and monitor their gov domains.

Baby App “Peekaboo” Leaks Photos, Videos and Personal Data

Adam Levin

An unsecured database discovered online has leaked thousands of baby photos and videos. Bithouse, Inc. left unprotected and accessible online an Elasticsearch database containing nearly 100GB of information associated with its app Peekaboo Moments. The leaked data includes photos, videos, and birthdates of babies, as well as 800,000 email addresses, location data and detailed device information.

How to Avoid Pitfalls In Automation: Keep Humans In the Loop

Speaker: Erroll Amacker

Automation is transforming finance but without strong financial oversight it can introduce more risk than reward. From missed discrepancies to strained vendor relationships, accounts payable automation needs a human touch to deliver lasting value. This session is your playbook to get automation right. We’ll explore how to balance speed with control, boost decision-making through human-machine collaboration, and unlock ROI with fewer errors, stronger fraud prevention, and smoother operations.

Phishing for Apples, Bobbing for Links

Krebs on Security

Anyone searching for a primer on how to spot clever phishing links need look no further than those targeting customers of Apple, whose brand by many measures remains among the most-targeted. Past stories here have examined how scammers working with organized gangs try to phish iCloud credentials from Apple customers who have a mobile device that is lost or stolen.

Critical Windows Vulnerability Discovered by NSA

Schneier on Security

Yesterday's Microsoft Windows patches included a fix for a critical vulnerability in the system's crypto library. A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

Cryptographic Excitement

Adam Shostack

In the last few days, we’ve seen two big stories in the realm of cryptography. The first is that SHA-1 breaks are now practical, and those practical breaks impact things like PGP and git. If you have code that depends on SHA-1, it's time to fix that. If you have a protocol that uses SHA-1, you need to rapidly version cycle. Thinking a bit more strategically, SHA-1 was designed by the NSA, and published in 1993.

Cryptic Rumblings Ahead of First 2020 Patch Tuesday

Krebs on Security

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from dis

Artificial Personas and Public Discourse

Schneier on Security

Presidential campaign season is officially, officially, upon us now, which means it's time to confront the weird and insidious ways in which technology is warping politics. One of the biggest threats on the horizon: artificial personas are coming, and they're poised to take over political debate. The risk arises from two separate threads coming together: artificial intelligence-driven text generation and social media chatbots.

These subject lines are the most clicked for phishing

Tech Republic Security

The most successful email lures don't promise riches, but issue imminent cybersecurity warnings or urgent office messages, a report reveals.

Why Giant Content Libraries Do Nothing for Your Employees’ Cyber Resilience

Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.

Enter the SpudNet

Adam Shostack

Spudnet is a new game to teach networking and security concepts. The creators were kind enough to send me a pre-production copy, and I can tell you – it looks and feels super solid, and, more importantly, it plays well. The Kickstarter has already met its goals, and while all Kickstarters have risk, the creators clearly have production down.

Las Vegas Successfully Averted a Cyberattack

Adam Levin

The City of Las Vegas successfully averted what could have been a disastrous cyberattack earlier this month. City officials detected a cyberattack January 7, and in response immediately took several services offline, including its public-facing website. “We do not believe any data was lost from our systems and no personal data was taken. We are unclear as to who was responsible for the compromise, but we will continue to look for potential indications,” the city announced on its Twitter feed.

Securing Tiffany's Move

Schneier on Security

Story of how Tiffany & Company moved all of its inventory from one store to another. Short summary: careful auditing and a lot of police.

How a researcher exploited the Windows 10 bug patched by Microsoft

Tech Republic Security

Security researcher Saleem Rashid "rickrolled" himself to show that the bug could be exploited in the real world to spoof security certificates on machines without Microsoft's patch.

Zero Trust Mandate: The Realities, Requirements and Roadmap

The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.

100,00 Moon Shots

Adam Shostack

Andrew McCarthy has amazing and impressive photographs of the moon on Instagram. To call these photographs is somewhat provocative. In his trilogy, Ansel Adams focuses (sorry! Not sorry) on composition, exposure, and development. By exposure, he specifically meant exposing film to light in controlled ways that caused chemical reactions on the film, and it remains common to hear photographers talk of ‘an exposure’, in much the same way that we dial phones.

All the Ways Facebook Tracks You—and How to Limit It

WIRED Threat Level

If you have a Facebook account—and even if you don't—the company is going to collect data about you. But you can at least control how it gets used.

Upcoming Speaking Engagements

Schneier on Security

This is a current list of where and when I am scheduled to speak: I'm speaking at Indiana University Bloomington on January 30, 2020. I'll be at RSA Conference 2020 in San Francisco. On Wednesday, February 26, at 2:50 PM, I'll be part of a panel on "How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei." On Thursday, February 27, at 9:20 AM, I'm giving a keynote on "Hacking Society."

How to better protect your organization's most valuable data

Tech Republic Security

Many organizations underestimate the value of their data to skilled and organized cybercriminals, said security provider eSentire.

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

This One Little Configuration Change Will Make It Harder For People To Steal Your Information

CTOVision Cybersecurity

Editor’s note: We are aiming this tutorial at the non-technical person. Please share with anyone in your life who could benefit from this. -bg Cyberspace is a complex domain and our adversaries are always seeking new ways to steal information or spread their malicious code or hold our data for ransom. This is the big reason […].

If Russia Hacked Burisma, Brace for the Leaks to Follow

WIRED Threat Level

The Kremlin likely hacked the oil giant. Its next play: selectively release—and even forge—documents. Did the US learn enough from 2016 to ignore them?

A Practical Guide to Zero-Trust Security

Threatpost

There are five different pillars to implement when moving to a modern, zero-trust security model.

How to add a host to Observium

Tech Republic Security

Now that you have the Observium network monitoring platform installed, it's time to add a host.

Next-Level Fraud Prevention: Strategies for Today’s Threat Landscape

Speaker: Sierre Lindgren

Fraud is a battle that every organization must face – it’s no longer a question of “if” but “when.” Every organization is a potential target for fraud, and the finance department is often the bullseye. From cleverly disguised emails to fraudulent payment requests, the tactics of cybercriminals are advancing rapidly. Drawing insights from real-world cases and industry expertise, we’ll explore the vulnerabilities in your processes and how to fortify them effectively.

Hack the Army bug bounty program paid $275,000 in rewards

Security Affairs

Hack the Army bug bounty program results: 146 valid vulnerabilities were reported by white hat hackers and more than $275,000 were paid in rewards. The second Hack the Army bug bounty program ran between October 9 and November 15, 2019 through the HackerOne platform. The bug bounty program operated by the Defense Digital Service, along with the U.S.

Unsupervised Learning: No. 211

Daniel Miessler


The Mandalorian Is the Only Smart Soldier in the Star Wars Galaxy

WIRED Threat Level

It took decades, but the galaxy finally has a tactical and operational genius.

New phishing attack hijacks email conversations: How companies can protect employees

Tech Republic Security

By inserting themselves into business emails among employees, cybercriminals can trick victims into wiring money or sharing payment information, says security firm Barracuda Networks.

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Google removed 1.7K+ Joker Malware infected apps from its Play Store

Security Affairs

Google revealed it successfully removed more than 1,700 apps from the Play Store over the past three years that had been infected with the Joker malware. Google provided technical details of its activity against the Joker malware (aka Bread) operation during the last few years. The Joker malware is a malicious code camouflaged as a system app and allows attackers to perform a broad range of malicious operations, including disable the Google Play Protect service , install malicious apps, generate

Texas School District Loses $2.3M to Phishing Attack

Dark Reading

The Manor Independent School District is investigating a phishing email scam that led to three separate fraudulent transactions.

Windows 10 Has a Security Flaw So Severe the NSA Disclosed It

WIRED Threat Level

In a shift toward transparency, the National Security Agency announced a bug that could have left over 900 million PCs vulnerable to attack.

Why Google plans to cut off support for third-party cookies in Chrome

Tech Republic Security

Google is aiming to phase out third-party cookies in Chrome in two years, but that will have to prove palatable to users, publishers, and advertisers.

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!