Sat.Feb 09, 2019 - Fri.Feb 15, 2019

article thumbnail

Email Provider VFEmail Suffers ‘Catastrophic’ Hack

Krebs on Security

Email provider VFEmail has suffered what the company is calling “catastrophic destruction” at the hands of an as-yet unknown intruder who trashed all of the company’s primary and backup data in the United States. The firm’s founder says he now fears some 18 years’ worth of customer email may be gone forever. Founded in 2001 and based in Milwaukee, Wisc., VFEmail provides email service to businesses and end users.

Hacking 235
article thumbnail

The Queen of the Skies and Innovation

Adam Shostack

The Seattle Times has a story today about how “ 50 years ago today, the first 747 took off and changed aviation.” It’s true. The 747 was a marvel of engineering and luxury. The book by Joe Sutter is a great story of engineering leadership. For an upcoming flight, I paid extra to reserve an upper deck seat before the last of the passenger-carrying Queens of the Skies retires.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Cyberinsurance and Acts of War

Schneier on Security

I had not heard about this case before. Zurich Insurance has refused to pay Mondelez International's claim of $100 million in damages from NotPetya. It claims it is an act of war and therefor not covered. Mondelez is suing. Those turning to cyber insurance to manage their exposure presently face significant uncertainties about its promise. First, the scope of cyber risks vastly exceeds available coverage, as cyber perils cut across most areas of commercial insurance in an unprecedented manner: d

article thumbnail

Phishing Campaign Hits Credit Unions

Adam Levin

A phishing campaign targeting credit unions and other financial institutions recently found its way into the email inboxes of anti-money laundering officers. Credit unions and banks are both required by the Bank Secrecy Act (BSA) to report potential money laundering operations and to dedicate at least two staff members to ensure compliance. The phishing emails seemed to specifically target the accounts of these BSA officers, which raises the concern that a database containing their information m

Phishing 181
article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

Bomb Threat Hoaxer Exposed by Hacked Gaming Site

Krebs on Security

Federal authorities this week arrested a North Carolina man who allegedly ran with a group of online hooligans that attacked Web sites (including this one), took requests on Twitter to call in bomb threats to thousands of schools, and tried to frame various online gaming sites as the culprits. In an ironic twist, the accused — who had fairly well separated his real life identity from his online personas — appears to have been caught after a gaming Web site he frequented got hacked.

Hacking 197
article thumbnail

Podcast: DevSecOps

Adam Shostack

I did a podcast with Mark Miller over at DevSecOps days. It was a fun conversation, and you can have a listen at “ Anticipating Failure through Threat Modeling w/ Adam Shostack.

145
145

More Trending

article thumbnail

MY TAKE: Can Project Furnace solve DX dilemma by combining serverless computing and GitOps?

The Last Watchdog

Assuring the privacy and security of sensitive data, and then actually monetizing that data, — ethically and efficiently — has turned out to be the defining challenge of digital transformation. Today a very interesting effort to address this complex dilemma is arising from the ferment, out of the UK. It’s called Project Furnace , an all-new open source software development platform.

article thumbnail

GAO Recommends Stiffer Penalties for Privacy Violations

Adam Levin

The U.S. Federal Government should pass legislation protecting citizens’ privacy online, according to a new report by the Government Accountability Office. The GAO study referenced 101 privacy violations that had been referred to the FTC for enforcement, nearly none of them resulting in fines or penalties for offenders. All of the violations were associated with internet companies.

article thumbnail

55 5 ? Reviews?

Adam Shostack

I’m getting ready for the 5-year anniversary of my book, “ Threat Modeling: Designing for Security.” As part of that, I would love to see the book have more than 55 5 reviews on Amazon. If you found the book valuable, I would appreciate it if you could take a few minutes to write a review.

113
113
article thumbnail

Blockchain and Trust

Schneier on Security

269
269
article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

GUEST ESSAY: Australia’s move compelling VPNs to cooperate with law enforcement is all wrong

The Last Watchdog

The moment we’ve all feared has finally come to pass. When government agencies and international intelligence groups pooled together resources to gather user data, the VPN’s encryption seemed like the light at the end of the tunnel. Related: California enacts pioneering privacy law. However, it looks like things are starting to break apart now that Australia has passed the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018”.

article thumbnail

Docker runc flaw opens the door to a ‘Doomsday scenario’

Security Affairs

Security experts found a serious flaw tracked CVE-2019-5736 affecting runc , the default container runtime for Docker, containerd , Podman, and CRI-O. Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability tracked CVE-2019-5736 affecting runc , the default container runtime for Docker, containerd , Podman, and CRI-O.

article thumbnail

Cybersecurity and the Human Element: We're All Fallible

Dark Reading

We examine the issue of fallibility from six sides: end users, security leaders, security analysts, IT security administrators, programmers, and attackers.

article thumbnail

Reconstructing SIGSALY

Schneier on Security

Lessons learned in reconstructing the World War II-era SIGSALY voice encryption system.

article thumbnail

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

article thumbnail

Cybersecurity Workers Scramble to Fix a Post-Shutdown Mess

WIRED Threat Level

The shutdown may have ended two weeks ago, but federal cybersecurity professionals will be coping with its impact for a long time to come.

article thumbnail

Malicious PDF Analysis

Security Affairs

In the last few days I have done some analysis on malicious documents, especially PDF. Then I thought, “Why not turn a PDF analysis into an article?” Let’s go to our case study: I received a scan request for a PDF file that was reported to support an antivirus vendor, and it replied that the file was not malicious. Because the manufacturer’s analysis was not satisfactory, the team responsible for handling the incident requested a second opinion, since in other anti-virus

Antivirus 100
article thumbnail

How to Create a Dream Team for the New Age of Cybersecurity

Dark Reading

When each member of your security team is focused on one narrow slice of the pie, it's easy for adversaries to enter through the cracks. Here are five ways to stop them.

article thumbnail

Double-Stuffed: Dunkin’ Hit by Another Credential-Stuffing Attack

Threatpost

Dunkin’ Donuts may have just launched its first double-filled doughnut, but another doubling up is not quite as tasty. The chain has suffered its second credential-stuffing attack in three months. Like the first incident, the attack targeted pastry aficionados that have DD Perks accounts, which is Dunkin’s loyalty program. Names, email addresses, 16-digit DD Perks […].

article thumbnail

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

article thumbnail

US Air Force Defector Allegedly Helped Iran Hack Americans

WIRED Threat Level

In an astonishing indictment, the DoJ details how Monica Witt allegedly turned on her former counterintelligence colleagues.

Hacking 100
article thumbnail

A mysterious code prevents QNAP NAS devices to be updated

Security Affairs

Users of QNAP NAS devices are reporting through QNAP forum discussions of mysterious code that adds some entries that prevent software update. Users of the Network attached storage devices manufactured have reported a mystery string of malware attacks that disabled software updates by hijacking entries in host machines’ hosts file. According to the users, the malicious code adds some 700 entries to the /etc/hosts file that redirects requests to IP address 0.0.0.0.

article thumbnail

Devastating Cyberattack on Email Provider Destroys 18 Years of Data

Dark Reading

All data belonging to US users-including backup copies-have been deleted in catastrophe, VMEmail says.

Backups 107
article thumbnail

Siemens Warns of Critical Remote-Code Execution ICS Flaw

Threatpost

The affected SICAM 230 process control system is used as an integrated energy system for utility companies, and as a monitoring system for smart-grid applications.

article thumbnail

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

article thumbnail

Amber Authenticate Protects Video Footage From Deepfakes and Tampering

WIRED Threat Level

Many of the body cameras worn by police are woefully vulnerable to hacking and manipulation. Amber Authenticate wants to fix that—with the blockchain.

article thumbnail

620 million accounts stolen from 16 hacked websites available for sale on the dark web

Security Affairs

620 million accounts stolen from 16 hacked websites (Dubsmash, Armor Games, 500px, Whitepages, ShareThis) available for sale on the dark web. The Register revealed in exclusive that some 617 million online account details stolen from 16 hacked websites are available for sale on the dark web. The advertising for the sale of the huge trove of data was published in the popular Dream Market black marketplace, data are available for less than $20,000 worth of Bitcoin.

article thumbnail

2018 Was Second-Most Active Year for Data Breaches

Dark Reading

Hacking by external actors caused most breaches, but Web intrusions and exposures compromised more records, according to Risk Based Security.

article thumbnail

Does artificial intelligence mean artificial security?

Thales Cloud Protection & Licensing

Wouldn’t you like to stop losing sleep worrying about what your AI team, partners and suppliers are doing with your data? Marvin Minsky is recognised as one of the founding fathers of artificial intelligence. Increasingly eccentric, anyone who spent time with him became aware that individuals are unpredictable. What makes humans predictable is behaviour in large numbers.

article thumbnail

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

So, you’ve accomplished an organization-wide SaaS adoption. It started slow, and now just a few team members might be responsible for running Salesforce, Slack, and a few others applications that boost productivity, but it’s all finished. Or is it? Through all the benefits offered by SaaS applications, it’s still a necessity to onboard providers as quickly as possible.

article thumbnail

ThreatList: Banking Trojans Are Still The Top Big Bad for Email

Threatpost

Banking trojans, led by the ever-changing Emotet, dominated the email-borne threat landscape in Q4, according to Proofpoint.

Banking 77
article thumbnail

Experts found a way to create a super-malware implanted in SGX-enclaves

Security Affairs

Researchers devised a new technique to hide malware in the security Intel SGX enclaves, making it impossible to detect by several security technologies. Security researchers devised a new technique to hide malware in the security Intel SGX enclaves. Intel Software Guard eXtensions (SGX) is a technology for application developers that allows protecting select code and data from disclosure or modification.

Malware 92
article thumbnail

What the Government Shutdown Teaches Us about Cybersecurity

Dark Reading

As lawmakers face a Friday deadline to prevent the federal government from closing a second time, we examine the cost to the digital domain, both public and private.

article thumbnail

What Happens If Russia Cuts Itself Off From the Internet

WIRED Threat Level

State media has reported that Russia will attempt to disconnect from the global internet this spring. That's going to be tricky.

article thumbnail

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Did you know that 2021 was a record-breaking year for ransomware? The days of a “once in a while” attack against businesses and organizations are over. Cyberthreats have become a serious issue. With 495.1 million attacks, the threat marked a 148% increase compared to 2020 and was the most expensive year on record! As a result, data protection needs to be a concern for most banks, businesses, and information technology specialists.