2020

Inside the Cit0Day Breach Collection

Troy Hunt

It's increasingly hard to know what to do with data like that from Cit0Day. If that's an unfamiliar name to you, start with Catalin Cimpanu's story on the demise of the service followed by the subsequent leaking of the data.

U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise

Krebs on Security

Communications at the U.S. Treasury and Commerce Departments were reportedly compromised by a supply chain attack on SolarWinds , a security vendor that helps the federal government and a range of Fortune 500 companies monitor the health of their IT networks.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Russia’s SolarWinds Attack

Schneier on Security

Recent news articles have all been talking about the massive Russian cyberattack against the United States, but that’s wrong on two accounts. It wasn’t a cyberattack in international relations terms, it was espionage. And the victim wasn’t just the US, it was the entire world.

Hacked IoT Devices Livestreaming Swatting Attacks: FBI

Adam Levin

Hackers are using internet-connected home devices to livestream “swatting” attacks, according to the FBI. Swatting is a dangerous prank where emergency services are called to respond to a life threatening situation that requires immediate intervention by police and/or S.W.A.T. teams.

IoT 245

How to Avoid the Pain and Cost of PCI Compliance While Optimizing Payments

Speaker: P. Andrew Sjogren, Sr. Product Marketing Manager at Very Good Security, Matt Doka, Co-Founder and CTO of Fivestars, and Steve Andrews, President & CEO of the Western Bankers Association 

In this webinar, we have a great set of panelists who will take you through how Zero Data strategies can be used as part of a well-rounded compliance and security approach, and get you to market much sooner by also allowing for payment optimization. They’ll share how to grow your business faster and minimize costs for both security and compliance

Notice the Outrage Machines

Adam Shostack

With three days to the US election, the outrage machines are running on all cylinders. It’ll be easier to stay happy if you remember to notice them. To be clear, I’m not using a metaphor. Websites from news to social media use data to drive stories. Twitter’s top tweets, Facebook’s timeline, your local newspaper, but also Linkedin, Medium, Buzzfeed, – all are focused on keeping you on their site as long as possible to show you as many ads as possible.

Media 209

New Paper: “Future of the SOC: SOC People?—?Skills, Not Tiers”

Anton on Security

New Paper: “Future of the SOC: SOC People?—?Skills, Skills, Not Tiers” Back in August , we released our first Google/Chronicle?—?Deloitte

More Trending

Why Predator is the ultimate CISO movie

Javvad Malik

There’s often a lot of debate as to what the best security or hacking movie is. Many people talk about Hackers, or Sneakers, or try and slip Mr Robot into the mix. But they are all way way waaaaay off the mark.

CISO 208

Social Media Account Verification Messages: CyberCriminals’ Latest Phishing Technique Exploits Both Human Emotions And Anti-Fraud Techniques

Joseph Steinberg

Social media users’ delight at receiving notification that their accounts have qualified for Verification (that is, receiving the often-coveted “blue check mark” that appears on the social media profiles of public figures) has become the latest target of criminal exploitation.

Media 205

No, Moving Your SSH Port Isn’t Security by Obscurity

Daniel Miessler

I just came across another post on Hacker News talking about why you shouldn’t move your SSH port off of 22 because it’s Security by Obscurity. There are some good reasons not to move SSH ports in certain environments, such as usability.

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Krebs on Security

Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy , the world’s largest domain name registrar, KrebsOnSecurity has learned.

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

Hacking Grindr Accounts with Copy and Paste

Troy Hunt

Sexuality, relationships and online dating are all rather personal things. They're aspects of our lives that many people choose to keep private or at the very least, share only with people of our choosing.

We Didn't Encrypt Your Password, We Hashed It. Here's What That Means:

Troy Hunt

You've possibly just found out you're in a data breach. The organisation involved may have contacted you and advised your password was exposed but fortunately, they encrypted it. But you should change it anyway.

Me on COVID-19 Contact Tracing Apps

Schneier on Security

I was quoted in BuzzFeed: "My problem with contact tracing apps is that they have absolutely no value," Bruce Schneier, a privacy expert and fellow at the Berkman Klein Center for Internet & Society at Harvard University, told BuzzFeed News.

2020 Oscar Nominees Used to Spread Malware

Adam Levin

Online scammers are using the 2020 Oscars to spread malware. A recent study released by Kaspersky Labs uncovered several hacking and phishing campaigns promising their targets free and early access to Best Picture nominees for this year’s Academy Awards.

Free Threat Modeling Training

Adam Shostack

The current situation is scary and anxiety-provoking, and I can’t do much to fix that. One thing I can do is give people a chance to learn, and so I’m making my Linkedin Learning classes free this week. (I’m

208
208

I'm Open Sourcing the Have I Been Pwned Code Base

Troy Hunt

Let me just cut straight to it: I'm going to open source the Have I Been Pwned code base.

MY TAKE: Why companies and consumers must collaborate to stop the plundering of IoT systems

The Last Watchdog

The Internet of Things (IoT) has come a long, long way since precocious students at Carnegie Melon University installed micro-switches inside of a Coca-Cola vending machine so they could remotely check on the temperature and availability of their favorite beverages.

IoT 206

IoT Unravelled Part 1: It's a Mess. But Then There's Home Assistant

Troy Hunt

With the benefit of hindsight, this was a naïve question: Alright clever IoT folks, I've got two of these garage door openers, what do you reckon the best way of connecting them with Apple HomeKit is?

IoT 282

US Orders Rare Emergency System Shut-Downs After Severe CyberSecurity Breach Hits Government And Businesses

Joseph Steinberg

The U.S. government instructed all of its civilian agencies to immediately shut off various popular network and system management products being exploited as part of an ongoing cyberattack.

Who’s Behind Wednesday’s Epic Twitter Hack?

Krebs on Security

Twitter was thrown into chaos on Wednesday after accounts for some of the world’s most recognizable public figures, executives and celebrities starting tweeting out links to bitcoin scams.

Thinking of a Cybersecurity Career? Read This

Krebs on Security

Thousands of people graduate from colleges and universities each year with cybersecurity or computer science degrees only to find employers are less than thrilled about their hands-on, foundational skills.

Humans are Bad at URLs and Fonts Don’t Matter

Troy Hunt

Been a lot of "victim blaming" going on these last few days. The victim, through no fault of their own, has been the target of numerous angry tweets designed to ridicule their role in internet security and suggest they are incapable of performing their duty.

Analysing the (Alleged) Minneapolis Police Department "Hack"

Troy Hunt

The situation in Minneapolis at the moment (and many other places in the US) following George Floyd's death is, I think it's fair to say, extremely volatile.

Contact Tracing COVID-19 Infections via Smartphone Apps

Schneier on Security

Google and Apple have announced a joint project to create a privacy-preserving COVID-19 contact tracing app. Details, such as we have them, are here.) It's similar to the app being developed at MIT, and similar to others being described and developed elsewhere.

285
285

MGM Data Breach Affects Over 10 Million Customers

Adam Levin

The personal information of over 10.6 million customers of MGM Resorts has been published online. MGM Resorts confirmed the leaked data as being the result of a data breach that occurred last year.

Repudiation Now Live on Linkedin Learning

Adam Shostack

My course, “ Repudiation in Depth ” is now live on Linkedin Learning. This is the fourth course I’ve created, starting with “ Learning Threat Modeling “, and courses on “ spoofing “, “ tampering “, and now, repudiation.

‘BlueLeaks’ Exposes Files from Hundreds of Police Departments

Krebs on Security

Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week.

MY TAKE: Iran’s cyber retaliation for Soleimani assassination continues to ramp up

The Last Watchdog

Less than 48 hours after the killing of Iran’s General Qasem Soleimani, the U.S. Department of Homeland Security issued a bulletin calling out Iran’s “robust cyber program,” and cautioning everyone to be prepared for Iran to “conduct operations in the United States.”

The Unattributable "db8151dd" Data Breach

Troy Hunt

I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It's about a data breach with almost 90GB of personal information in it across tens of millions of records - including mine.

Warning To Employers And Their Former Employees: Ex-Engineer Sentenced To 2 Years In Prison For Hacking Cisco’s WebEx

Joseph Steinberg

A former Cisco engineer was sentenced this past Wednesday (December 9, 2020) to 24 months in prison (and a $15,000 fine) for accessing Cisco’s network, and subsequently causing a service outage of Cisco’s WebEx Teams video conferencing service.

Let's Stop the 5G Hysteria: Understanding Hoaxes and Disinformation Campaigns

Troy Hunt

Hey, did you hear that Facebook are going to start using your personal photos in whatever way they see fit? For real, it's going to start tomorrow unless you act quickly! All you have to do is copy and paste this message onto your own Facebook page and wammo - they're not allowed to touch them!

Scams 286

Live Coronavirus Map Used to Spread Malware

Krebs on Security

Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it.

The Security Value of Inefficiency

Schneier on Security

For decades, we have prized efficiency in our economy. We strive for it. We reward it. In normal times, that's a good thing. Running just at the margins is efficient. A single just-in-time global supply chain is efficient. Consolidation is efficient. And that's all profitable.

TSA Admits Liquid Ban Is Security Theater

Schneier on Security

The TSA is allowing people to bring larger bottles of hand sanitizer with them on airplanes: Passengers will now be allowed to travel with containers of liquid hand sanitizer up to 12 ounces.

‘War Dialing’ Tool Exposes Zoom’s Password Problems

Krebs on Security

As the Coronavirus pandemic continues to force people to work from home, countless companies are now holding daily meetings using videoconferencing services from Zoom.