2019

110 Nursing Homes Cut Off from Health Records in Ransomware Attack

Krebs on Security

A ransomware outbreak has besieged a Wisconsin based IT company that provides cloud data hosting, security and access management to more than 100 nursing homes across the United States.

Scaring People into Supporting Backdoors

Schneier on Security

Back in 1998, Tim May warned us of the "Four Horsemen of the Infocalypse": "terrorists, pedophiles, drug dealers, and money launderers." I tended to cast it slightly differently.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Major Hotel Group Leaks 1TB of Customer Data

Adam Levin

One terabyte of data belonging to a major hotel booking platform was found leaked online. A huge trove of customer data belonging to Gekko Group was found online in an unsecured format.

B2B 237

Data Enrichment, People Data Labs and Another 622M Email Addresses

Troy Hunt

Until this month, I'd never heard of People Data Labs (PDL). I'd certainly heard of the sector they operate in - "Data Enrichment" - but I'd never heard of the company itself.

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

Join us as we discuss the various tangents of data and the change management process that will help you make better risk-based business decisions to save time and money for your organization.

The Queen of the Skies and Innovation

Adam Shostack

The Seattle Times has a story today about how “ 50 years ago today, the first 747 took off and changed aviation.” ” It’s true. The 747 was a marvel of engineering and luxury. The book by Joe Sutter is a great story of engineering leadership. For an upcoming flight, I paid extra to reserve an upper deck seat before the last of the passenger-carrying Queens of the Skies retires. And in a way, the 747 represents a pinnacle of aviation engineering advancements.

MY TAKE: Why DDoS weapons will proliferate with the expansion of IoT and the coming of 5G

The Last Watchdog

A couple of high-profile distributed denial-of-service (DDoS) attacks will surely go down in history as watershed events – each for different reasons. Related: IoT botnets now available for economical DDoS blasts. In March 2013, several impossibly massive waves of nuisance requests – peaking as high as 300 gigabytes per second— swamped Spamhaus , knocking the anti-spam organization off line for extended periods.

DDOS 175

More Trending

It’s Way Too Easy to Get a.gov Domain Name

Krebs on Security

Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a.gov domain versus a commercial one ending in.com or.org.

Hidden Cam Above Bluetooth Pump Skimmer

Krebs on Security

Tiny hidden spy cameras are a common sight at ATMs that have been tampered with by crooks who specialize in retrofitting the machines with card skimmers. But until this past week I’d never heard of hidden cameras being used at gas pumps in tandem with Bluetooth-based card skimming devices.

The NSA Warns of TLS Inspection

Schneier on Security

The NSA has released a security advisory warning of the dangers of TLS inspection: Transport Layer Security Inspection (TLSI), also known as TLS break and inspect, is a security process that allows enterprises to decrypt traffic, inspect the decrypted content for threats, and then re-encrypt the traffic before it enters or leaves the network.

Risk 237

Manipulating Machine Learning Systems by Manipulating Training Data

Schneier on Security

Interesting research: " TrojDRL: Trojan Attacks on Deep Reinforcement Learning Agents ": Abstract: : Recent work has identified that classification models implemented as neural networks are vulnerable to data-poisoning and Trojan attacks at training time.

229
229

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

In this webinar, Ronald Eddings, Cybersecurity Expert, will outline the relationship between SaaS apps and IT & security teams, along with several actionable solutions to overcome the new difficulties facing your organization.

Cameras that Automatically Detect Mobile Phone Use

Schneier on Security

New South Wales is implementing a camera system that automatically detects when a driver is using a mobile phone. australia cameras cars phones

Mobile 223

NY Payroll Company Vanishes With $35 Million

Krebs on Security

MyPayrollHR , a now defunct cloud-based payroll processing firm based in upstate New York, abruptly ceased operations this past week after stiffing employees at thousands of companies. The ongoing debacle, which allegedly involves malfeasance on the part of the payroll company’s CEO, resulted in countless people having money drained from their bank accounts and has left nearly $35 million worth of payroll and tax payments in legal limbo.

The United Kingdom Leaks Home Addresses of Prominent Brits

Adam Levin

2020 seems to be getting off to an inauspicious start with the compromise of the home addresses of prominent UK citizens–many of them in lines of work that could make them targets for crime.

Teach Your Kids to Code with Ari in Oslo and London

Troy Hunt

When I first started writing code a few decades ago, it was a rather bland affair involving a basic text editor and physical books for reference.

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Through a detailed analysis of major attacks and their consequences, Karl Camilleri, Cloud Services Product Manager at phoenixNAP, will discuss the state of ransomware and future predictions, as well as provide best practices for attack prevention and recovery.

Blackhat Best Practice

Adam Shostack

Shortly, I’m off to Blackhat. My Threat Modeling Intensive classes both sold out (thank you!). Nearly a decade ago, I put forth a set of best practices: Breath mints Ricola Purell Advil Gatorade This year, I’m adding a travel humidifier. I’ve been using this one, and it really needs to soak for 10 minutes, but then it adds a nice stream of moisture to the room. Also, at a conference, you’ll ask, and get the question “What’s new?”

161
161

GUEST ESSAY: Why there’s no such thing as anonymity it this digital age

The Last Watchdog

Unless you decide to go Henry David Thoreau and shun civilization altogether, you can’t — and won’t — stop generating data , which sooner or later can be traced back to you. Related: The Facebook factor. A few weeks back I interviewed a white hat hacker. After the interview, I told him that his examples gave me paranoia. He laughed and responded, “There’s no such thing as anonymous data; it all depends on how determined the other party is.”.

Neo-Nazi SWATters Target Dozens of Journalists

Krebs on Security

Nearly three dozen journalists at a broad range of major publications have been targeted by a far-right group that maintains a Deep Web database listing the personal information of people who threaten their views. This group specializes in encouraging others to harass those targeted by their ire, and has claimed responsibility for dozens of bomb threats and “swatting” incidents, where police are tricked into visiting potentially deadly force on the target’s address.

Mobile 219

First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

Krebs on Security

The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. NYSE:FAF ] leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.

How to Avoid the Pain and Cost of PCI Compliance While Optimizing Payments

Speaker: P. Andrew Sjogren, Sr. Product Marketing Manager at Very Good Security, Matt Doka, Co-Founder and CTO of Fivestars, and Steve Andrews, President & CEO of the Western Bankers Association 

In this webinar, we have a great set of panelists who will take you through how Zero Data strategies can be used as part of a well-rounded compliance and security approach, and get you to market much sooner by also allowing for payment optimization. They’ll share how to grow your business faster and minimize costs for both security and compliance

Apple Phone Phishing Scams Getting Better

Krebs on Security

A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that display’s Apple’s logo, address and real phone number, warning about a data breach at the company.

DHS Mandates Federal Agencies to Run Vulnerability Disclosure Policy

Schneier on Security

The DHS is requiring all federal agencies to develop a vulnerability disclosure policy. The goal is that people who discover vulnerabilities in government systems have a mechanism for reporting them to someone who might actually do something about it.

Legal Threats Make Powerful Phishing Lures

Krebs on Security

Some of the most convincing email phishing and malware attacks come disguised as nastygrams from a law firm. Such scams typically notify the recipient that he/she is being sued, and instruct them to review the attached file and respond within a few days — or else. Here’s a look at a recent spam campaign that peppered more than 100,000 business email addresses with fake legal threats harboring malware.

Breach at Hy-Vee Supermarket Chain Tied to Sale of 5M+ Stolen Credit, Debit Cards

Krebs on Security

On Tuesday of this week, one of the more popular underground stores peddling credit and debit card data stolen from hacked merchants announced a blockbuster new sale: More than 5.3 million new accounts belonging to cardholders from 35 U.S. states.

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

Towards an Information Operations Kill Chain

Schneier on Security

Cyberattacks don't magically happen; they involve a series of steps. And far from being helpless, defenders can disrupt the attack at any of those steps. This framing has led to something called the " cybersecurity kill chain ": a way of thinking about cyber defense in terms of disrupting the attacker's process. On a similar note, it's time to conceptualize the "information operations kill chain."

Media 213

Malware Infected Medical Equipment Shows Fake Tumors

Adam Levin

Israeli cybersecurity researchers have created malware capable of showing fake cancerous growths on CT and MRI scans. The malware, called CT-GAN, served as a proof of concept to show the potential for hacking medical devices with fake medical news that was convincing enough to fool medical technicians. In a video demonstrating the exploit, researchers at Ben Gurion University described how such an attack might be deployed.

The 773 Million Record "Collection #1" Data Breach

Troy Hunt

Many people will land on this page after learning that their email address has appeared in a data breach I've called "Collection #1". Most of them won't have a tech background or be familiar with the concept of credential stuffing so I'm going to write this post for the masses and link out to more detailed material for those who want to go deeper. Let's start with the raw numbers because that's the headline, then I'll drill down into where it's from and what it's composed of.

Quick Threat Model Links October 2019

Adam Shostack

Trail of Bits released a threat model for Kubernetes. There’s some context from Aaron Small, who made the project happen. Continuum has a blog and a spreadsheet on threat modeling lambdas (as a category, not specific to Amazon Lambda), and also a post on threat modeling with CAPEC.

159
159

MY TAKE: Why locking down ‘firmware’ has now become the next big cybersecurity challenge

The Last Watchdog

Locking down firmware. This is fast becoming a profound new security challenge for all companies – one that can’t be pushed to a side burner. Related: The rise of ‘memory attacks’ I’m making this assertion as federal authorities have just commenced steps to remove and replace switching gear supplied, on the cheap, to smaller U.S. telecoms by Chinese tech giant Huawei. These are the carriers that provide Internet access to rural areas all across America.

Programmers Who Don't Understand Security Are Poor at Security

Schneier on Security

A university study confirmed the obvious: if you pay a random bunch of freelance programmers a small amount of money to write security software, they're not going to do a very good job at it. In an experiment that involved 43 programmers hired via the Freelancer.com platform, University of Bonn academics have discovered that developers tend to take the easy way out and write code that stores user passwords in an unsafe manner.

How Not to Acknowledge a Data Breach

Krebs on Security

I’m not a huge fan of stories about stories, or those that explore the ins and outs of reporting a breach. But occasionally I feel obligated to publish such accounts when companies respond to a breach report in such a way that it’s crystal clear they wouldn’t know what to do with a data breach if it bit them in the nose, let alone festered unmolested in some dark corner of their operations.

MyEquifax.com Bypasses Credit Freeze PIN

Krebs on Security

Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal , it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your, name, Social Security number and birthday.

New Breed of Fuel Pump Skimmer Uses SMS and Bluetooth

Krebs on Security

Fraud investigators say they’ve uncovered a sophisticated new breed of credit card skimmers being installed at gas pumps that is capable of relaying stolen card data via mobile text message, thereby enabling fraudsters to collect it from anywhere in the world.

LabCorp: 7.7 Million Consumers Hit in Collections Firm Breach

Krebs on Security

Medical testing giant LabCorp. said today personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm. That third party — the American Medical Collection Agency (AMCA) — also recently notified competing firm Quest Diagnostics that an intrusion in its payments Web site exposed personal, financial and medical data on nearly 12 million Quest patients.