Schneier on Security

DECEMBER 31, 2020

In what is surely an unthinking cut-and-paste issue, page 921 of the Brexit deal mandates the use of SHA-1 and 1024-bit RSA: The open standard s/MIME as extension to de facto e-mail standard SMTP will be deployed to encrypt messages containing DNA profile information. The protocol s/MIME (V3) allows signed receipts, security labels, and secure mailing lists… The underlying certificate used by s/MIME mechanism has to be in compliance with X.509 standard… The processing rules for s/MIM

Encryption 352

Encryption Software 352

Troy Hunt

JANUARY 1, 2021

It's a new year! With lots of breaches to discuss already ? Ok, so these may not be 2021 breaches but I betcha that by next week's update there'll be brand new ones from the new year to discuss. I managed to get enough connectivity in the middle of the Australian outback in front of Uluru to do the live stream this week, plus talk a bunch more about what we've been doing on our epic Australian journey.

Data breaches 306

Data breaches Password Management Scams Passwords 306

Adam Levin

DECEMBER 30, 2020

Hackers are using internet-connected home devices to livestream “swatting” attacks, according to the FBI. Swatting is a dangerous prank where emergency services are called to respond to a life threatening situation that requires immediate intervention by police and/or S.W.A.T. teams. In a public service announcement issued December 29, the FBI warned that “offenders have been using stolen e-mail passwords to access smart devices with cameras and voice capabilities and carry out swatting attacks.

IoT 300

IoT Hacking Internet Internet 300

Krebs on Security

DECEMBER 29, 2020

Today marks the 11th anniversary of KrebsOnSecurity! Thank you, Dear Readers, for your continued encouragement and support! With the ongoing disruption to life and livelihood wrought by the Covid-19 pandemic, 2020 has been a fairly horrid year by most accounts. And it’s perhaps fitting that this was also a leap year, piling on an extra day to a solar rotation that most of us probably can’t wait to see in the rearview mirror.

Scams 259

Scams Social Engineering Cybercrime Advertising 259

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Schneier on Security

DECEMBER 30, 2020

Good article on the evolution of ransomware : Though some researchers say that the scale and severity of ransomware attacks crossed a bright line in 2020, others describe this year as simply the next step in a gradual and, unfortunately, predictable devolution. After years spent honing their techniques, attackers are growing bolder. They’ve begun to incorporate other types of extortion like blackmail into their arsenals, by exfiltrating an organization’s data and then threatening to

Ransomware 257

Ransomware Antivirus 257

Troy Hunt

DECEMBER 26, 2020

Well that's Christmas down for another year, and a rather different one it was for so many of us around the world. I'm pumping this post out very quickly (a couple of days after recording) whilst midway along a very long drive. I'll share more about that on my New Year's Day broadcast so for now, here's the Christmas Day weekly update: References Ledger customers are receiving some super nasty protection emails (makes me think of the mob charging business to make sure "nothing happens to them.

Password Management 210

Password Management Passwords 210

Adam Shostack

DECEMBER 27, 2020

It’s easy to forget that the Lunar Reconnaissance Orbiter has been circling the moon for nearly a dozen years. Via DIY Photography.

190

190

Daniel Miessler

DECEMBER 26, 2020

A lot of people are surprised when I tell them that computer security isn’t really a priority in most companies, or for our society in general. I captured this in my piece Why Software Remains Insecure , which basically comes down to security being precisely as good as it needs to be. Or 100 years. Before you squint at that, ask yourself how many homes are broken into every year.

Software 148

Software Security Awareness Cybersecurity Ransomware 148

Security Affairs

DECEMBER 31, 2020

Experts from Intezer discovered a new and self-spreading Golang-based malware that targets Windows and Linux servers. Experts from Intezer discovered a Golang-based worm that targets Windows and Linux servers. The malware has been active since early December targeting public-facing services, including MySQL, Tomcat admin panel and Jenkins that are protected with weak passwords.

Malware 145

Malware Passwords Authentication Hacking 145

Tech Republic Security

DECEMBER 30, 2020

Collaboration between organizations and even countries might be the only way to have a positive impact on cybercrime, according to one expert.

Cybercrime 217

Cybercrime Cybersecurity 217

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Adam Shostack

DECEMBER 28, 2020

You may have noticed that my end of the year posts are all science focused. Today, a set of resources on the COVID vaccines. First, the FDA has authorized two vaccines for emergency use. The review memoranda ( Pfizer , Moderna ) are all sorts of fascinating. As the kids say, TL;DR: both vaccines are safe and no meaningful side effects were seen in testing approximately 44,000 and 30,400 test subjects.

Engineering 130

Engineering Software 130

WIRED Threat Level

DECEMBER 30, 2020

This year saw plenty of destructive hacking and disinformation campaigns—but amid a pandemic and a historic election, the consequences have never been graver.

Internet 145

Internet Internet Hacking 145

Security Affairs

JANUARY 1, 2021

Cybercriminals are abusing Facebook ads in a large-scale phishing scam aimed at stealing victims’ login credentials. Researchers from security firm ThreatNix spotted a new large-scale campaign abusing Facebook ads. Threat actors are using Facebook ads to redirect users to Github accounts hosting phishing pages used to steal victims’ login credentials.

Phishing 145

Phishing Scams Accountability Malware 145

Tech Republic Security

DECEMBER 31, 2020

Cybercriminals do what they do for money, so why not make it unworthy of their time to attack your small or medium business?

Cybersecurity 218

Cybersecurity 218

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Threatpost

DECEMBER 30, 2020

Stolen email credentials are being used to hijack home surveillance devices, such as Ring, to call police with a fake emergency, then watch the chaos unfold.

Surveillance 140

Surveillance Authentication IoT Government 140

Dark Reading

DECEMBER 31, 2020

Variety is the spice of life, and it's also the perfect analogy for the article topics that resonated most with Edge readers this past year.

144

144

Security Affairs

DECEMBER 31, 2020

The threat actors behind the SolarWinds supply chain attack could have had access to the source code of several Microsoft products. The threat actors behind the SolarWinds attack could have compromised a small number of internal accounts and used at least one of them to view source code in a number of source code repositories. Shortly after the disclosure of the SolarWinds attack, Microsoft confirmed that it was one of the companies breached in the recent supply chain attack, but the IT giant de

Accountability 134

Accountability Engineering Software Hacking 134

Tech Republic Security

DECEMBER 28, 2020

Using SMS for multi-factor authentication is helpful, but not always secure or reliable. What if you lose your phone? Tom Merrittlists five additional ways to receive MFA codes, without SMS.

Authentication 178

Authentication 178

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

WIRED Threat Level

DECEMBER 29, 2020

2020 was a great year for ransomware gangs. For hospitals, schools, municipal governments, and everyone else, it’s going to get worse before it gets better.

Ransomware 135

Ransomware Government Hacking 135

Anton on Security

DECEMBER 28, 2020

I got into a very insightful debate with somebody who will remain nameless in the beginning of this post, but will perhaps be revealed later. The debate focused on the role of context in threat detection. Specifically, it is about the role of local context (environment knowledge, organization context, site details, etc) in threat detection. Can threat detection work well without such local context?

Threat Detection 100

Threat Detection Malware Technology Engineering 100

Security Affairs

JANUARY 1, 2021

Zyxel addressed a critical flaw in its firmware, tracked as CVE-2020-29583 , related to the presence of a hardcoded undocumented secret account. The Taiwanese vendor Zyxel has addressed a critical vulnerability in its firmware related to the presence of a hardcoded undocumented secret account. The vulnerability, tracked as CVE-2020-29583 received a CVSS score of 7.8, it could be exploited by an attacker to login with administrative privileges and take over the networking devices. “Firmw

Firewall 134

Firewall VPN Firmware Passwords 134

Tech Republic Security

DECEMBER 29, 2020

AI and machine learning have the potential to take a bite out of cybercrime, but let's not forget the human factor.

Cybercrime 217

Cybercrime Cybersecurity 217

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

Threatpost

DECEMBER 28, 2020

From attacks on the UVM Health Network that delayed chemotherapy appointments, to ones on public schools that delayed students going back to the classroom, ransomware gangs disrupted organizations to inordinate levels in 2020.

Ransomware 121

Ransomware Malware Hacking 121

WIRED Threat Level

DECEMBER 28, 2020

Phone calls. Web searches. Location tracks. Smart speaker requests. They’ve become crucial tools for law enforcement, while users often are unaware.

Software 124

Software 124

Security Affairs

DECEMBER 29, 2020

Japanese giant Kawasaki Heavy Industries discovered unauthorized access to a Japanese company server from multiple overseas offices. Kawasaki Heavy Industries disclosed a security breach, the company discovered unauthorized access to a Japanese company server from multiple overseas offices. Information from its overseas offices might have been stolen as a result of a security breach that took place earlier this year.

Manufacturing 132

Manufacturing Technology Cyber Attacks Engineering 132

Tech Republic Security

DECEMBER 30, 2020

Don't forget the routine tasks that make big data work for your company.

Big data 181

Big data 181

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Threatpost

DECEMBER 29, 2020

David “moose” Wolpoff at Randori explains how hackers pick their targets, and how understanding "hacker logic" can help prioritize defenses.

InfoSec 129

InfoSec Cybersecurity 129

Dark Reading

DECEMBER 29, 2020

Eight cybersecurity leaders go deep on their most valuable (and very human) takeaways from a year like no other we've known.

Cybersecurity 136

Cybersecurity 136

Security Affairs

DECEMBER 28, 2020

The American multinational manufacturer and marketer of home appliances Whirlpool was hit by the Nefilim ransomware gang. The American multinational manufacturer and marketer of home appliances Whirlpool suffered a ransomware attack, Nefilim ransomware operators claim to have stolen data from the company and threaten to release the full dump if the company will not pay the ransom.

Ransomware 130

Ransomware Manufacturing Marketing Mobile 130

Tech Republic Security

DECEMBER 28, 2020

The BBB provides recommendations on what to include in your business website's privacy policy.

162

162

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk