Krebs on Security

AUGUST 26, 2020

At the height of his cybercriminal career, the hacker known as “ Hieupc ” was earning $125,000 a month running a bustling identity theft service that siphoned consumer dossiers from some of the world’s top data brokers. That is, until his greed and ambition played straight into an elaborate snare set by the U.S. Secret Service. Now, after more than seven years in prison Hieupc is back in his home country and hoping to convince other would-be cybercrooks to use their computer sk

Identity Theft 330

Identity Theft Computers and Electronics Accountability Hacking 330

Schneier on Security

AUGUST 27, 2020

Cory Doctorow has writtten an extended rebuttal of The Age of Surveillance Capitalism by Shoshana Zuboff. He summarized the argument on Twitter. Shorter summary: it's not the surveillance part, it's the fact that these companies are monopolies. I think it's both. Surveillance capitalism has some unique properties that make it particularly unethical and incompatible with a free society, and Zuboff makes them clear in her book.

Surveillance 275

Surveillance 275

Troy Hunt

AUGUST 28, 2020

Since I recorded this morning, I've had an absolute breakthrough - I CAN OPEN MY GARAGE DOOR WITH MY WATCH ! I know, I know, it shouldn't be this hard and that's a lot of the point I'm making in this week's video. Having said that, some parts have been hard because I've made simple mistakes , but the nature of the IoT ecosystem as it stands today predisposes you to mistakes because there's so freakin' many moving parts that all need to be aligned.

InfoSec 256

InfoSec IoT Passwords 256

Adam Levin

AUGUST 26, 2020

Zoom’s service outage on August 24 caused a ripple effect felt in schools and companies across the world. Students were unable to attend classes via remote learning, meetings were cancelled and for roughly three hours users were wondered if the now-ubiquitous platform had been brought down by hackers. Although the company later released an announcement attributing the outage to an “application-level bug,” it made clear that most of us are not prepared for an interruption to a service we’ve grown

Education 246

Education Backups Social Engineering Engineering 246

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Krebs on Security

AUGUST 27, 2020

Yesterday’s piece told the tale of Hieu Minh Ngo , a hacker the U.S. Secret Service described as someone who caused more material financial harm to more Americans than any other convicted cybercriminal. Ngo was recently deported back to his home country after serving more than seven years in prison for running multiple identity theft services.

Identity Theft 313

Identity Theft Retail Government Banking 313

Schneier on Security

AUGUST 28, 2020

The US Postal Service has filed a patent on a blockchain voting method: Abstract: A voting system can use the security of blockchain and the mail to provide a reliable voting system. A registered voter receives a computer readable code in the mail and confirms identity and confirms correct ballot information in an election. The system separates voter identification and votes to ensure vote anonymity, and stores votes on a distributed ledger in a blockchain.

Software 342

Software Cybersecurity 342

Adam Levin

AUGUST 25, 2020

A messaging app popular with activists and protesters around the globe was found to have several major vulnerabilities that could compromise user privacy. Bridgefy is a mesh messaging app that lets users send and receive texts to others nearby without requiring an internet connection. While the developers of the app say it’s ideal for communicating during large gatherings, natural disasters, or in school settings, the app’s publicized security and encryption features have made it a favorite for

Encryption 173

Encryption Authentication Internet Internet 173

The Last Watchdog

AUGUST 24, 2020

Purchasing life insurance once meant going to an insurer’s office or booking an appointment with an insurance agent. Then, in most cases, you’d have to undergo a medical examination and wait a few weeks to get approved and complete the whole process. But this scenario doesn’t seem to fit the fast-paced world we live in anymore. Today’s generation is used to getting everything done fast and easy, so life insurance providers had to get with the times and cover all customers’ needs and requirements

Insurance 154

Insurance Internet Internet Accountability 154

Schneier on Security

AUGUST 25, 2020

Interesting paper: " Replication: Why We Still Can't Browse in Peace: On the Uniqueness and Reidentifiability of Web Browsing Histories ": We examine the threat to individuals' privacy based on the feasibility of reidentifying users through distinctive profiles of their browsing history visible to websites and third parties. This work replicates and extends the 2012 paper Why Johnny Can't Browse in Peace: On the Uniqueness of Web Browsing History Patterns [ 48 ].

Data collection 281

Data collection Risk 281

Tech Republic Security

AUGUST 24, 2020

SecAdmins working to protect infrastructure, whether in a defensively or offensively, may find these programming languages helpful in safeguarding apps, systems, and hardware from threats.

211

211

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Adam Shostack

AUGUST 28, 2020

Mark Rasch, who created the Computer Crime Unit at the United States Department of Justice, has an essay, “ Conceal and Fail to Report – The Uber CSO Indictment.” The case is causing great consternation in the InfoSec community partly because it is the first instance in which a CSO or CISO has been personally held responsible (other than by firing) for a data breach response, and the first time that criminal sanctions of any kind have been sought against the corporate victim of

CSO 124

CSO Data breaches InfoSec CISO 124

Security Affairs

AUGUST 28, 2020

A new variant of the infamous Lemon_Duck cryptomining malware has been updated to targets Linux devices. Security researchers from Sophos have spotted a new variant of the Lemon_Duck cryptomining malware that has been updated to compromise Linux machines via SSH brute force attacks. The new variant also exploits SMBGhost bug in Windows systems, and is also able to target servers running Redis and Hadoop instances.

Malware 144

Malware Authentication Passwords Internet 144

Threatpost

AUGUST 27, 2020

Malicious attachments continue to be a top threat vector in the cybercriminal world, even as public awareness increases and tech companies amp up their defenses.

Phishing 128

Phishing Malware 128

Tech Republic Security

AUGUST 27, 2020

Global tech professionals reveal recruiting projects fueled by budgets prioritizing staff education, according to a recent IT trends report from Netwrix.

Education 218

Education 218

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Adam Shostack

AUGUST 26, 2020

This is a really interesting podcast interview with Sidney Dekker, who’s one of the most important thinkers in safety. The Jay Allen Show on Safety. (Fast forward through the first 3 minutes, the content is quite interesting.). Particularly interesting is his discussion of some ‘best practices’ which come out of a poorly supported chain of work by an insurance analyst. “It turns out, the deeper you dig, he made it up.

Insurance 100

Insurance Risk 100

Security Affairs

AUGUST 26, 2020

FBI authorities arrested a Russian national in the U.S. after attempting to recruit an employee at a targeted company to plant a malware. US authorities arrested the Russian national Egor Igorevich Kriuchkov (27) after attempting to recruit an employee at a targeted company to plant a piece of malware. The man was arrested on August 22 and appeared in court on August 24.

Malware 143

Malware DDOS Advertising Hacking 143

Dark Reading

AUGUST 27, 2020

Rather than just reacting to security issues in the COVID-19 era, CISOs are now in a position to be change agents alongside their C-suite peers.

CISO 129

CISO 129

Tech Republic Security

AUGUST 27, 2020

The BeagleBoyz have made off with nearly $2 billion since 2015, and they're back to attacking financial institutions after a short lull in activity.

Banking 216

Banking Government 216

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity

Adam Shostack

AUGUST 24, 2020

The Elevation of Privilege game has had way more staying power than I would have expected. But the online experience in this time of global pandemic has left out some of the magic that made it work. So I was really skeptical when Simon Gibbs from Agile Stationery mailed me about an approach to playing remotely. But when I look at it, and I look at the logic behind it, I find myself intrigued: The player receives the (physical) deck and looks it over The player receives his hand from the Games Ma

100

100

Security Affairs

AUGUST 23, 2020

A bug in Google Drive could be exploited by threat actors to distribute malicious files disguised as legitimate documents or images. An unpatched weakness in Google Drive could be exploited by threat actors to distribute weaponized files disguised as legitimate documents or images. enabling bad actors to perform spear-phishing attacks comparatively with a high success rate.

Malware 140

Malware Phishing Advertising Antivirus 140

Dark Reading

AUGUST 24, 2020

In the first of a series of columns set to be hosted exclusively on IFSEC Global, Sarb Sembhi, CISM, CTO & CISO, Virtually Informed outlines why physical security professionals should be investing in their cyber security skillset.

CISO 116

CISO Cybersecurity 116

Tech Republic Security

AUGUST 25, 2020

The burgeoning smart home device market has given rise to digital intrusion and potential energy market manipulation on a massive scale.

IoT 215

IoT Marketing 215

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity

Threatpost

AUGUST 26, 2020

Up to 200,000 patient records from Office 365 and Google G Suite exposed by hardcoded credentials and other improper access controls.

Data breaches 134

Data breaches 134

Security Affairs

AUGUST 27, 2020

Microsoft warned of a recently uncovered piece of malware, tracked as Anubis that was designed to steal information from infected systems. This week, Microsoft warned of a recently uncovered piece of malware, tracked as Anubis, that was distributed in the wild to steal information from infected systems. Anubis is the name of an Android malware well-known in the community of malware analysts, but the family reported by Microsoft is not related to it.

Malware 125

Malware Advertising Cryptocurrency Cybercrime 125

Dark Reading

AUGUST 28, 2020

Key to this new definition is the principle that security programs are designed to minimize business risk, not to achieve 100% no-risk.

CISO 132

CISO Risk 132

Tech Republic Security

AUGUST 24, 2020

Tech consultants and journalists have their own conflicting opinions about the best way to manage access in a world full of security risks.

Password Management 206

Password Management Risk Passwords 206

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

Threatpost

AUGUST 27, 2020

Magecart's successes have led to threat actors actively advertising 'sniffers' that can be injected into e-commerce websites in order to exfiltrate payment cards.

Marketing 119

Marketing Advertising Hacking 119

Security Affairs

AUGUST 27, 2020

Experts found an unsecured data bucket containing seven gigabytes worth of unencrypted files that include 350,000,000 strings of unique email addresses. Original post at: [link]. The CyberNews research team uncovered an unsecured data bucket owned by an unidentified party, containing seven gigabytes worth of unencrypted files that include 350,000,000 strings of unique email addresses.

Social Engineering 135

Social Engineering Passwords Marketing Phishing 135

Dark Reading

AUGUST 25, 2020

Simply stated: No matter how sophisticated your security software is, data cannot be simultaneously used and secured. But that may be changing soon.

Software 123

Software 123

Tech Republic Security

AUGUST 24, 2020

The pandemic is old news for cybercriminals who are still targeting remote workers, but are doing so with botnets and familiar exploits.

191

191

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Risk