Krebs on Security

JUNE 19, 2020

Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. But people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control.

Authentication 362

Authentication Accountability Passwords Mobile 362

Schneier on Security

JUNE 17, 2020

South Africa's Postbank experienced a catastrophic security failure. The bank's master PIN key was stolen, forcing it to cancel and replace 12 million bank cards. The breach resulted from the printing of the bank's encrypted master key in plain, unencrypted digital language at the Postbank's old data centre in the Pretoria city centre. According to a number of internal Postbank reports, which the Sunday Times obtained, the master key was then stolen by employees.

Banking 314

Banking Encryption Accountability 314

Tech Republic Security

JUNE 18, 2020

When factories, notably in China, shuttered during the COVID-19 pandemic, products the US relied on were impacted. Here's how experts see a return to "Made in America" and the incumbent risks.

Manufacturing 211

Manufacturing Risk Cybersecurity 211

Troy Hunt

JUNE 19, 2020

All my things are breaking ?? Mic broke, PC broke, boat shed handle broke, fridges (both of them) broke, fireplace broke, roof broke. and that's just the stuff I could remember in the live stream. But in happier news, listening back to that video now I'm really happy with the audio quality of the new mic and I reckon that once the pop filter is installed the sound will be spot on.

Data breaches 168

Data breaches Passwords Accountability 168

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Krebs on Security

JUNE 18, 2020

An information technology specialist at the Federal Emergency Management Agency (FEMA) was arrested this week on suspicion of hacking into the human resource databases of University of Pittsburgh Medical Center (UPMC) in 2014, stealing personal data on more than 65,000 UPMC employees, and selling the data on the dark web. On June 16, authorities in Michigan arrested 29-year-old Justin Sean Johnson in connection with a 43-count indictment on charges of conspiracy, wire fraud and aggravated identi

Identity Theft 326

Identity Theft Healthcare Hacking Technology 326

Schneier on Security

JUNE 17, 2020

Zoom is doing the right thing : it's making end-to-end encryption available to all users, paid and unpaid. (This is a change; I wrote about the initial decision here.).we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform. This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe -- free and paid -- while maintaining the ability to prevent and fight abuse on our platform.

Encryption 280

Encryption Accountability Authentication Risk 280

Adam Levin

JUNE 17, 2020

CIA-developed hacking tools stolen in 2016 were compromised by an organizational culture of lax cybersecurity, according to an internal memo. In a 2017 memo recently acquired by the Washington Post , a CIA task force attributed the exfiltration of critical hacking tools and data to “a culture… that too often prioritized creativity and collaboration at the expense of security.” .

Hacking 165

Hacking Cybersecurity Government Passwords 165

Krebs on Security

JUNE 13, 2020

For the past year, a site called Privnotes.com has been impersonating Privnote.com , a legitimate, free service that offers private, encrypted messages which self-destruct automatically after they are read. Until recently, I couldn’t quite work out what Privnotes was up to, but today it became crystal clear: Any messages containing bitcoin addresses will be automatically altered to include a different bitcoin address, as long as the Internet addresses of the sender and receiver of the mess

Phishing 195

Phishing Encryption Internet Internet 195

Schneier on Security

JUNE 18, 2020

The Washington Post is reporting on an internal CIA report about its "Vault 7" security breach: The breach -- allegedly committed by a CIA employee -- was discovered a year after it happened, when the information was published by WikiLeaks, in March 2017. The anti-secrecy group dubbed the release " Vault 7 ," and U.S. officials have said it was the biggest unauthorized disclosure of classified information in the CIA's history, causing the agency to shut down some intelligence operations and aler

Hacking 275

Hacking Cybersecurity 275

Tech Republic Security

JUNE 15, 2020

Verizon's annual Data Breach Investigations Report confirmed 3,950 data breaches across 16 industries. Tom Merritt explains five things to know about these breaches.

Data breaches 197

Data breaches 197

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

The Last Watchdog

JUNE 17, 2020

Application Programming Interfaces – APIs. Without them digital transformation would never have gotten off the ground. Related: Defending botnet-driven business logic hacks APIs made possible the astounding cloud, mobile and IoT services we have today. This happened, at a fundamental level, by freeing up software developers to innovate on the fly. APIs have exploded in enterprise use over the past several years.

Digital transformation 148

Digital transformation Internet Internet Hacking 148

Adam Shostack

JUNE 19, 2020

Juneteenth is the celebration of the end of slavery in the US. We need more holidays that celebrate freedom. Freedom isn’t always comfortable or easy, but it is the precondition to the pursuit of happiness. BTW, we’ve been celebrating Juneteenth here on this blog for a long time , if no more consistently than anything else we do. Photo: Laura Blanchard , and I’ll note that there’s a real lack of Juneteenth stock imagery on all these sites.

130

130

Schneier on Security

JUNE 19, 2020

Citizen Lab has a new report on Dark Basin, a large hacking-for-hire company in India. Key Findings: Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries.

Hacking 257

Hacking Phishing Accountability Government 257

Tech Republic Security

JUNE 17, 2020

With blockchain, gamers can save their in-game purchases and retain their value to resell them to other players or move them into other games for the first time.

189

189

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Security Affairs

JUNE 18, 2020

79 Netgear router models are vulnerable to a severe unpatched security vulnerability that can be exploited by remote attackers to take over devices. Security experts Adam Nichols from GRIMM and d4rkn3ss from the Vietnamese internet service provider VNPT have independently reported a severe unpatched security vulnerability that affects 79 Netgear router models.

Firmware 132

Firmware Internet Internet Advertising 132

Adam Shostack

JUNE 16, 2020

I’m happy to announce Shostack & Associate’s new, first, corporate white paper!It uses Jenga to explain why threat modeling efforts fail so often. I’m excited for a lot of reasons. I care about learning from failure. I love games as teaching tools. But really, I’m excited because the paper has helped the people who read early copies.

Technology 130

Technology Engineering Software 130

Schneier on Security

JUNE 15, 2020

Jason Healey takes a detailed look at the US federal cybersecurity budget and reaches an important conclusion: the US keeps saying that we need to prioritize defense, but in fact we prioritize attack. To its credit, this budget does reveal an overall growth in cybersecurity funding of about 5 percent above the fiscal 2019 estimate. However, federal cybersecurity spending on civilian departments like the departments of Homeland Security, State, Treasury and Justice is overshadowed by that going t

Cybersecurity 254

Cybersecurity Government Security Defenses 254

Tech Republic Security

JUNE 19, 2020

Companies need to look for PII across all corporate data silos and consider building an automated system to respond to requests from consumers, experts say.

185

185

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Security Affairs

JUNE 16, 2020

Wireless carrier T-Mobile suffered a major outage in the United States, that impacted service at other carriers, due to a “massive” DDoS attack. Wireless carrier T-Mobile suffered a massive DDoS attack that caused a major outage in the United States that impacted service at other carriers due to a “massive” DDoS attack. This DDoS attack is serious. It has taken down Instagram, Facebook, T-Mobile, Verizon, and Twitch… 2020 is something else. pic.twitter.com/ztU59XMWu3 — Jordan Daley (

DDOS 131

DDOS Mobile Wireless Advertising 131

Adam Shostack

JUNE 14, 2020

I want to call out some impressive aspects of a report by Proofpoint: TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware. There are many praise-worthy aspects of this report, starting from the amazing lack of hyperbole, and the focus on facts, rather than opinions. The extraordinary lack of adjectives is particularly refreshing, as is the presence of explanations for the conclusions drawn. (“This conclusion is based on the threat actor’s use of

Malware 130

Malware 130

Schneier on Security

JUNE 19, 2020

Today is the second day of the thirteenth Workshop on Security and Human Behavior. It's being hosted by the University of Cambridge, which in today's world means we're all meeting on Zoom. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and myself.

247

247

Tech Republic Security

JUNE 17, 2020

As multiple companies inch closer to a potentially life-saving vaccine for the coronavirus, cybercriminals with varying motives have increased attacks.

187

187

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

WIRED Threat Level

JUNE 15, 2020

3somes, Gay Daddy Bear, and Herpes Dating are among the nine services that leaked the data of hundreds of thousands of users.

137

137

Security Affairs

JUNE 17, 2020

A CIA elite hacking unit that developed cyber-weapons failed in protecting its operations, states an internal report on the Vault 7 data leak. According to an internal report drown up after the 2016 data breach that led to the ‘ Vault 7 ‘ data leak, a specialized CIA unit involved in the development of hacking tools and cyber weapons failed in protecting its operations and was able to respond after the leak of its secrets.

Hacking 113

Hacking Engineering Data breaches Advertising 113

Dark Reading

JUNE 18, 2020

The coronavirus pandemic has forced changes for much of the business world, cybersecurity included. What can we expect going forward?

Cybersecurity 131

Cybersecurity 131

Tech Republic Security

JUNE 17, 2020

Hackers who use brute force attacks can easily compromise accounts with weak passwords, according to Nordpass.

Passwords 218

Passwords Accountability 218

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Threatpost

JUNE 16, 2020

An internal investigation into the 2016 CIA breach condemned the agency's security measures, saying it “focused more on building up cyber tools than keeping them secure.".

Government 106

Government Hacking 106

Security Affairs

JUNE 19, 2020

A flaw in Cisco Webex Meetings client for Windows could allow local authenticated attackers to gain access to sensitive information. A vulnerability in Cisco Webex Meetings client for Windows, tracked as CVE-2020-3347 , could be exploited by local authenticated attackers to gain access to sensitive information. “A vulnerability in Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to gain access to sensitive information on an affected system.” r

Authentication 110

Authentication Advertising Accountability Hacking 110

Dark Reading

JUNE 17, 2020

The hacker group recently took credit for two high-profile incidents -- but its actions aren't quite the same as they once were, some say.

120

120

Tech Republic Security

JUNE 18, 2020

A study of banking apps for iOS and Android found poor source code protection, cleartext storage of sensitive data, and other serious flaws that make it easy for attackers to break into accounts.

Banking 162

Banking Mobile Risk Accountability 162

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk