Sat.Oct 24, 2020 - Fri.Oct 30, 2020

article thumbnail

Humans are Bad at URLs and Fonts Don’t Matter

Troy Hunt

Been a lot of "victim blaming" going on these last few days. The victim, through no fault of their own, has been the target of numerous angry tweets designed to ridicule their role in internet security and suggest they are incapable of performing their duty. Here's where it all started: This is a great example of how bad people are at reading and understanding even the domain part of the URL then making decisions based on that which affect their security and privacy (see the answer under the pol

Phishing 363
article thumbnail

Reverse-Engineering the Redactions in the Ghislaine Maxwell Deposition

Schneier on Security

Slate magazine was able to cleverly read the Ghislaine Maxwell deposition and reverse-engineer many of the redacted names. We’ve long known that redacting is hard in the modern age, but most of the failures to date have been a result of not realizing that covering digital text with a black bar doesn’t always remove the text from the underlying digital file.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo

Krebs on Security

In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of thousands of sensitive documents — including schematics of client bank vaults and surveillance systems.

Hacking 358
article thumbnail

Why Predator is the ultimate CISO movie

Javvad Malik

There’s often a lot of debate as to what the best security or hacking movie is. Many people talk about Hackers, or Sneakers, or try and slip Mr Robot into the mix. But they are all way way waaaaay off the mark. I was reminded of this by Phil Cracknell who posted on linkedin that in his opinion the Kevin Costner, Whitney Houston classic, Bodyguard was the best infosec movie.

CISO 246
article thumbnail

How to Avoid Pitfalls In Automation: Keep Humans In the Loop

Speaker: Erroll Amacker

Automation is transforming finance but without strong financial oversight it can introduce more risk than reward. From missed discrepancies to strained vendor relationships, accounts payable automation needs a human touch to deliver lasting value. This session is your playbook to get automation right. We’ll explore how to balance speed with control, boost decision-making through human-machine collaboration, and unlock ROI with fewer errors, stronger fraud prevention, and smoother operations.

article thumbnail

I've Joined the 1Password Board of Advisers

Troy Hunt

Almost a decade ago now, I wrote what would become one of my most career-defining blog posts: The Only Secure Password is the One You Can't Remember. I had come to the realisation that I simply had too many accounts across too many systems to ever have any chance of creating decent unique passwords I could remember. So, I set out to find a password manager and 10 Christmas holidays ago now, I spent the best 50 bucks ever: I choose 1Password way back then and without a shadow of a doubt, it has b

article thumbnail

The Legal Risks of Security Research

Schneier on Security

Sunoo Park and Kendra Albert have published “ A Researcher’s Guide to Some Legal Risks of Security Research.” From a summary : Such risk extends beyond anti-hacking laws, implicating copyright law and anti-circumvention provisions (DMCA §1201), electronic privacy law (ECPA), and cryptography export controls, as well as broader legal areas such as contract and trade secret law.

Risk 354

LifeWorks

More Trending

article thumbnail

I Actually Like Remote and Pre-recorded Presentations

Daniel Miessler

I have an unpopular opinion about the security conference scene. Basically, it’s the opposite of what John Strand said here: Can we all agree that pre-recorded Conference talks are horrible? I mean… Why? — strandjs (@strandjs) October 28, 2020. I see this sentiment a lot from a lot of people in infosec, and I think I’ve figured it out.

InfoSec 229
article thumbnail

Weekly Update 215

Troy Hunt

It was a bit of a slow start this week. "Plan A" was to use the new GoPro with the Media Mod (including light and lapel mic) and do an outdoor session. This should really be much easier than it was with multiple issues ranging from connectivity drops to audio sync to simply not having a GoPro to tripod adaptor. I'll need to get on top of that before my big Xmas holiday trip and none of these are insurmountable problems, but this stuff should be easy!

Media 293
article thumbnail

The NSA is Refusing to Disclose its Policy on Backdooring Commercial Products

Schneier on Security

Senator Ron Wyden asked, and the NSA didn’t answer : The NSA has long sought agreements with technology companies under which they would build special access for the spy agency into their products, according to disclosures by former NSA contractor Edward Snowden and reporting by Reuters and others. These so-called back doors enable the NSA and other agencies to scan large amounts of traffic without a warrant.

Firewall 330
article thumbnail

FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals

Krebs on Security

On Monday, Oct. 26, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics and medical care facilities across the United States. Today, officials from the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime t

article thumbnail

Why Giant Content Libraries Do Nothing for Your Employees’ Cyber Resilience

Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.

article thumbnail

Cybersecurity policy is a must in government

Tech Republic Security

One policy expert says cybersecurity measures should be an expected item that comes with every purchase, like the safety measures in your car.

article thumbnail

Google discloses unpatched Windows zero-day exploited in the wild

Security Affairs

Google researchers disclosed today a zero-day vulnerability in the Windows operating system that is currently under active exploitation. Security researchers from Google have disclosed a zero-day vulnerability in the Windows operating system, tracked as CVE-2020-17087, that is currently under active exploitation. Ben Hawkes, team lead for Google Project Zero team, revealed on Twitter that the vulnerability was chained with another Chrome zero-day flaw, tracked as CVE-2020-15999 , that Google re

article thumbnail

Tracking Users on Waze

Schneier on Security

A security researcher discovered a wulnerability in Waze that breaks the anonymity of users: I found out that I can visit Waze from any web browser at waze.com/livemap so I decided to check how are those driver icons implemented. What I found is that I can ask Waze API for data on a location by sending my latitude and longitude coordinates. Except the essential traffic information, Waze also sends me coordinates of other drivers who are nearby.

278
278
article thumbnail

How to Clean Up Your Digital History

WIRED Threat Level

There are plenty of reasons to declutter your online traces. Here's how to tidy up.

145
145
article thumbnail

Zero Trust Mandate: The Realities, Requirements and Roadmap

The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.

article thumbnail

Security firm identifies 5 biggest cybersecurity risks for hospitals and healthcare organizations

Tech Republic Security

Wandera finds malicious network traffic and configuration vulnerabilities on mobile devices as popular entry points for cybercriminals.

article thumbnail

FBI, CISA alert warns of imminent ransomware attacks on healthcare sector

Security Affairs

FBI and the DHS’s CISA agencies published a joint alert to warn hospitals and healthcare providers of imminent ransomware attacks from Russia. The FBI, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) has issued a joint alert to warn hospitals and healthcare providers of imminent ransomware attacks from Russia.

article thumbnail

Cybercriminals Extort Psychotherapy Patients Following Vastaamo Breach

Dark Reading

An attacker is running a Tor site to leak the session notes of 300 patients at Vastaamo, a Finnish psychotherapy facility.

140
140
article thumbnail

New Research Reveals the Hidden Downsides of Link Previews

WIRED Threat Level

The feature is convenient, but it can also leak sensitive data, consume bandwidth, and drain batteries. And some sites are worse than others.

140
140
article thumbnail

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

article thumbnail

Top 5 things to know about EU-US data privacy

Tech Republic Security

For companies with data users in both the EU and the US, laws protecting users' privacy vary. Tom Merritt lists five things to know about EU-US data privacy.

article thumbnail

Enel Group suffered the second ransomware attack this year

Security Affairs

Multinational energy company Enel Group has been hit by Netwalker ransomware operators that are asking a $14 million ransom. Systems at the multinational energy company Enel Group has been infected with Netwalker ransomware , it is the second ransomware attack suffered by the energy giant this year. Netwalker ransomware operators are asking a $14 million ransom for the decryption key, the hackers claim to have stolen several terabytes from the company and threaten to leak them if the ransom will

article thumbnail

Tracking Down the Web Trackers

Dark Reading

Third-party Web trackers might be following your website visitors' every step. How can new tools like Blacklight help you stop them in their tracks?

135
135
article thumbnail

The Unsinkable Maddie Stone, Google's Bug-Hunting Badass

WIRED Threat Level

The Project Zero reverse engineer shuts down some of the world's most dangerous exploits—along with antiquated hacker stereotypes.

article thumbnail

Next-Level Fraud Prevention: Strategies for Today’s Threat Landscape

Speaker: Sierre Lindgren

Fraud is a battle that every organization must face – it’s no longer a question of “if” but “when.” Every organization is a potential target for fraud, and the finance department is often the bullseye. From cleverly disguised emails to fraudulent payment requests, the tactics of cybercriminals are advancing rapidly. Drawing insights from real-world cases and industry expertise, we’ll explore the vulnerabilities in your processes and how to fortify them effectively.

article thumbnail

Business Email Compromise attacks are on the rise

Tech Republic Security

BEC campaigns continue to shift their targets from C-suite executives and finance employees to group mailboxes, says Abnormal Security.

195
195
article thumbnail

Microsoft Teams phishing campaign targeted up to 50,000 Office 365 users

Security Affairs

Experts warn of a phishing campaign that already targeted up to 50,000 Office 365 users with a fake automated message from Microsoft Teams. Secruity researchers reported that up to 50,000 Office 365 users have been targeted by a phishing campaign that pretends to be automated message from Microsoft Teams. The bait message uses fake notifications of a “missed chat” from Microsoft Teams, the campaigns aims at stealing Office 365 recipients’ login credentials.

Phishing 145
article thumbnail

JavaScript Obfuscation Moves to Phishing Emails

Dark Reading

Attackers are hiding malicious payloads in phishing emails via a technique traditionally used to hide malicious code planted on websites.

Phishing 134
article thumbnail

Ransomware Hits Dozens of Hospitals in an Unprecedented Wave

WIRED Threat Level

As Covid-19 infections spike in many parts of the US, malware gangs are wreaking havoc on the health care system.

article thumbnail

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

article thumbnail

Going passwordless might be safer for organizations

Tech Republic Security

Passwords are a constant struggle for businesses and IT departments. There are other ways to stay safe.

Passwords 192
article thumbnail

Is the Abaddon RAT the first malware using Discord as C&C?

Security Affairs

Abaddon is the first RAT that uses the freeware instant messaging and VoIP app and digital distribution platform Discord as a command & control server. Researchers from MalwareHunterTeam have spotted a new piece of remote access trojan (RAT) dubbed ‘Abaddon’ that is likely the first malware using the Discord platform as command and control.

Malware 145
article thumbnail

Survey Uncovers High Level of Concern Over Firewalls

Dark Reading

More than half of respondents are planning to reduce their network firewall footprint because of what they see as limitations in the technology.

Firewall 134
article thumbnail

Microsoft Warns Threat Actors Continue to Exploit Zerologon Bug

Threatpost

Tech giant and feds this week renewed their urge to organizations to update Active Directory domain controllers.

article thumbnail

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!