2019

Data Enrichment, People Data Labs and Another 622M Email Addresses

Troy Hunt

Until this month, I'd never heard of People Data Labs (PDL). I'd certainly heard of the sector they operate in - "Data Enrichment" - but I'd never heard of the company itself.

The NSA Warns of TLS Inspection

Schneier on Security

The NSA has released a security advisory warning of the dangers of TLS inspection: Transport Layer Security Inspection (TLSI), also known as TLS break and inspect, is a security process that allows enterprises to decrypt traffic, inspect the decrypted content for threats, and then re-encrypt the traffic before it enters or leaves the network.

Risk 253
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Major Hotel Group Leaks 1TB of Customer Data

Adam Levin

One terabyte of data belonging to a major hotel booking platform was found leaked online. A huge trove of customer data belonging to Gekko Group was found online in an unsecured format.

B2B 245

110 Nursing Homes Cut Off from Health Records in Ransomware Attack

Krebs on Security

A ransomware outbreak has besieged a Wisconsin based IT company that provides cloud data hosting, security and access management to more than 100 nursing homes across the United States.

How to Avoid the Pain and Cost of PCI Compliance While Optimizing Payments

Speaker: P. Andrew Sjogren, Sr. Product Marketing Manager at Very Good Security, Matt Doka, Co-Founder and CTO of Fivestars, and Steve Andrews, President & CEO of the Western Bankers Association 

In this webinar, we have a great set of panelists who will take you through how Zero Data strategies can be used as part of a well-rounded compliance and security approach, and get you to market much sooner by also allowing for payment optimization. They’ll share how to grow your business faster and minimize costs for both security and compliance

The Queen of the Skies and Innovation

Adam Shostack

The Seattle Times has a story today about how “ 50 years ago today, the first 747 took off and changed aviation.” ” It’s true. The 747 was a marvel of engineering and luxury. The book by Joe Sutter is a great story of engineering leadership. For an upcoming flight, I paid extra to reserve an upper deck seat before the last of the passenger-carrying Queens of the Skies retires. And in a way, the 747 represents a pinnacle of aviation engineering advancements.

MY TAKE: Why DDoS weapons will proliferate with the expansion of IoT and the coming of 5G

The Last Watchdog

A couple of high-profile distributed denial-of-service (DDoS) attacks will surely go down in history as watershed events – each for different reasons. Related: IoT botnets now available for economical DDoS blasts. In March 2013, several impossibly massive waves of nuisance requests – peaking as high as 300 gigabytes per second— swamped Spamhaus , knocking the anti-spam organization off line for extended periods.

DDOS 176

More Trending

Teach Your Kids to Code with Ari in Oslo and London

Troy Hunt

When I first started writing code a few decades ago, it was a rather bland affair involving a basic text editor and physical books for reference.

Scaring People into Supporting Backdoors

Schneier on Security

Back in 1998, Tim May warned us of the "Four Horsemen of the Infocalypse": "terrorists, pedophiles, drug dealers, and money launderers." I tended to cast it slightly differently.

The 773 Million Record "Collection #1" Data Breach

Troy Hunt

Many people will land on this page after learning that their email address has appeared in a data breach I've called "Collection #1". Most of them won't have a tech background or be familiar with the concept of credential stuffing so I'm going to write this post for the masses and link out to more detailed material for those who want to go deeper. Let's start with the raw numbers because that's the headline, then I'll drill down into where it's from and what it's composed of.

Neo-Nazi SWATters Target Dozens of Journalists

Krebs on Security

Nearly three dozen journalists at a broad range of major publications have been targeted by a far-right group that maintains a Deep Web database listing the personal information of people who threaten their views. This group specializes in encouraging others to harass those targeted by their ire, and has claimed responsibility for dozens of bomb threats and “swatting” incidents, where police are tricked into visiting potentially deadly force on the target’s address.

Mobile 217

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

Programmers Who Don't Understand Security Are Poor at Security

Schneier on Security

A university study confirmed the obvious: if you pay a random bunch of freelance programmers a small amount of money to write security software, they're not going to do a very good job at it. In an experiment that involved 43 programmers hired via the Freelancer.com platform, University of Bonn academics have discovered that developers tend to take the easy way out and write code that stores user passwords in an unsafe manner.

Protecting Yourself from Identity Theft

Schneier on Security

I don't have a lot of good news for you. The truth is there's nothing we can do to protect our data from being stolen by cybercriminals and others. Ten years ago, I could have given you all sorts of advice about using encryption, not sending information over email, securing your web connections, and a host of other things­ -- but most of that doesn't matter anymore. Today, your sensitive data is controlled by others, and there's nothing you can personally to do affect its security.

The United Kingdom Leaks Home Addresses of Prominent Brits

Adam Levin

2020 seems to be getting off to an inauspicious start with the compromise of the home addresses of prominent UK citizens–many of them in lines of work that could make them targets for crime.

Towards an Information Operations Kill Chain

Schneier on Security

Cyberattacks don't magically happen; they involve a series of steps. And far from being helpless, defenders can disrupt the attack at any of those steps. This framing has led to something called the " cybersecurity kill chain ": a way of thinking about cyber defense in terms of disrupting the attacker's process. On a similar note, it's time to conceptualize the "information operations kill chain."

Media 217

Blackhat Best Practice

Adam Shostack

Shortly, I’m off to Blackhat. My Threat Modeling Intensive classes both sold out (thank you!). Nearly a decade ago, I put forth a set of best practices: Breath mints Ricola Purell Advil Gatorade This year, I’m adding a travel humidifier. I’ve been using this one, and it really needs to soak for 10 minutes, but then it adds a nice stream of moisture to the room. Also, at a conference, you’ll ask, and get the question “What’s new?”

161
161

GUEST ESSAY: Why there’s no such thing as anonymity it this digital age

The Last Watchdog

Unless you decide to go Henry David Thoreau and shun civilization altogether, you can’t — and won’t — stop generating data , which sooner or later can be traced back to you. Related: The Facebook factor. A few weeks back I interviewed a white hat hacker. After the interview, I told him that his examples gave me paranoia. He laughed and responded, “There’s no such thing as anonymous data; it all depends on how determined the other party is.”.

NY Payroll Company Vanishes With $35 Million

Krebs on Security

MyPayrollHR , a now defunct cloud-based payroll processing firm based in upstate New York, abruptly ceased operations this past week after stiffing employees at thousands of companies. The ongoing debacle, which allegedly involves malfeasance on the part of the payroll company’s CEO, resulted in countless people having money drained from their bank accounts and has left nearly $35 million worth of payroll and tax payments in legal limbo.

It’s Way Too Easy to Get a.gov Domain Name

Krebs on Security

Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a.gov domain versus a commercial one ending in.com or.org.

I'm Leaving IBM

Schneier on Security

Today is my last day at IBM. If you've been following along, IBM bought my startup Resilient Systems in Spring 2016. Since then, I have been with IBM, holding the nicely ambiguous title of "Special Advisor." As of the end of the month, I will be back on my own. I will continue to write and speak, and do the occasional consulting job. I will continue to teach at the Harvard Kennedy School.

PayPal's Beautiful Demonstration of Extended Validation FUD

Troy Hunt

Sometimes the discussion around extended validation certificates (EV) feels a little like flogging a dead horse. In fact, it was only September that I proposed EV certificates are already dead for all sorts of good reasons that have only been reinforced since that time.

Blockchain and Trust

Schneier on Security

216
216

NSA-Inspired Vulnerability Found in Huawei Laptops

Schneier on Security

This is an interesting story of a serious vulnerability in a Huawei driver that Microsoft found. The vulnerability is similar in style to the NSA's DOUBLEPULSAR that was leaked by the Shadow Brokers -- believed to be the Russian government -- and it's obvious that this attack copied that technique. What is less clear is whether the vulnerability -- which has been fixed -- was put into the Huwei driver accidentally or on purpose. backdoors malware nsa vulnerabilities

Excellent Analysis of the Boeing 737 MAX Software Problems

Schneier on Security

This is the best analysis of the software causes of the Boeing 737 MAX disasters that I have read. Technically this is safety and not security; there was no attacker. But the fields are closely related and there are a lot of lessons for IoT security -- and the security of complex socio-technical systems in general -- in here

Malware Infected Medical Equipment Shows Fake Tumors

Adam Levin

Israeli cybersecurity researchers have created malware capable of showing fake cancerous growths on CT and MRI scans. The malware, called CT-GAN, served as a proof of concept to show the potential for hacking medical devices with fake medical news that was convincing enough to fool medical technicians. In a video demonstrating the exploit, researchers at Ben Gurion University described how such an attack might be deployed.

Why Are Cryptographers Being Denied Entry into the US?

Schneier on Security

In March, Adi Shamir -- that's the "S" in RSA -- was denied a US visa to attend the RSA Conference. He's Israeli. This month, British citizen Ross Anderson couldn't attend an awards ceremony in DC because of visa issues. You can listen to his recorded acceptance speech.) I've heard of at least one other prominent cryptographer who is in the same boat. Is there some cryptographer blacklist? Is something else going on? A lot of us would like to know.

213
213

Quick Threat Model Links October 2019

Adam Shostack

Trail of Bits released a threat model for Kubernetes. There’s some context from Aaron Small, who made the project happen. Continuum has a blog and a spreadsheet on threat modeling lambdas (as a category, not specific to Amazon Lambda), and also a post on threat modeling with CAPEC.

159
159

MY TAKE: Why locking down ‘firmware’ has now become the next big cybersecurity challenge

The Last Watchdog

Locking down firmware. This is fast becoming a profound new security challenge for all companies – one that can’t be pushed to a side burner. Related: The rise of ‘memory attacks’ I’m making this assertion as federal authorities have just commenced steps to remove and replace switching gear supplied, on the cheap, to smaller U.S. telecoms by Chinese tech giant Huawei. These are the carriers that provide Internet access to rural areas all across America.

China Spying on Undersea Internet Cables

Schneier on Security

Supply chain security is an insurmountably hard problem. The recent focus is on Chinese 5G equipment, but the problem is much broader. This opinion piece looks at undersea communications cables: But now the Chinese conglomerate Huawei Technologies, the leading firm working to deliver 5G telephony networks globally, has gone to sea. Under its Huawei Marine Networks component, it is constructing or improving nearly 100 submarine cables around the world.

Apple Phone Phishing Scams Getting Better

Krebs on Security

A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that display’s Apple’s logo, address and real phone number, warning about a data breach at the company.

G7 Comes Out in Favor of Encryption Backdoors

Schneier on Security

Extended Validation Certificates are (Really, Really) Dead

Troy Hunt

203
203

DHS Mandates Federal Agencies to Run Vulnerability Disclosure Policy

Schneier on Security

The DHS is requiring all federal agencies to develop a vulnerability disclosure policy. The goal is that people who discover vulnerabilities in government systems have a mechanism for reporting them to someone who might actually do something about it.

Influence Operations Kill Chain

Schneier on Security

Influence operations are elusive to define. The Rand Corp.'s s definition is as good as any: "the collection of tactical information about an adversary as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent." Basically, we know it when we see it, from bots controlled by the Russian Internet Research Agency to Saudi attempts to plant fake stories and manipulate political debate.

Media 209

The Myth of Consumer-Grade Security

Schneier on Security

The Department of Justice wants access to encrypted consumer devices but promises not to infiltrate business products or affect critical infrastructure. Yet that's not possible, because there is no longer any difference between those categories of devices. Consumer devices are critical infrastructure. They affect national security. And it would be foolish to weaken them, even at the request of law enforcement.

Google Glitch Left Passwords Unprotected for 14 Years

Adam Levin

Google announced a glitch that stored unencrypted passwords belonging to several business customers, a situation that had been exploitable since 2005. In a blog post released this week, the company admitted the passwords of “some” of its G Suite customers had been stored on internal servers without cryptographic protection, also known as a hash. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords.