2020

U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise

Krebs on Security

Communications at the U.S. Treasury and Commerce Departments were reportedly compromised by a supply chain attack on SolarWinds , a security vendor that helps the federal government and a range of Fortune 500 companies monitor the health of their IT networks.

I'm Open Sourcing the Have I Been Pwned Code Base

Troy Hunt

Let me just cut straight to it: I'm going to open source the Have I Been Pwned code base.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Me on COVID-19 Contact Tracing Apps

Schneier on Security

I was quoted in BuzzFeed: "My problem with contact tracing apps is that they have absolutely no value," Bruce Schneier, a privacy expert and fellow at the Berkman Klein Center for Internet & Society at Harvard University, told BuzzFeed News.

Cybercriminals Are Exploiting the Covid-19 Pandemic

Adam Levin

Cybercriminals are actively targeting Covid-19 hotspots with malware and phishing campaigns, according to a new report from Bitdefender.

Scams 285

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

MY TAKE: Iran’s cyber retaliation for Soleimani assassination continues to ramp up

The Last Watchdog

Less than 48 hours after the killing of Iran’s General Qasem Soleimani, the U.S. Department of Homeland Security issued a bulletin calling out Iran’s “robust cyber program,” and cautioning everyone to be prepared for Iran to “conduct operations in the United States.”

New Paper: “Future of the SOC: SOC People?—?Skills, Not Tiers”

Anton on Security

New Paper: “Future of the SOC: SOC People?—?Skills, Skills, Not Tiers” Back in August , we released our first Google/Chronicle?—?Deloitte

More Trending

No, Moving Your SSH Port Isn’t Security by Obscurity

Daniel Miessler

I just came across another post on Hacker News talking about why you shouldn’t move your SSH port off of 22 because it’s Security by Obscurity. There are some good reasons not to move SSH ports in certain environments, such as usability.

US Orders Rare Emergency System Shut-Downs After Severe CyberSecurity Breach Hits Government And Businesses

Joseph Steinberg

The U.S. government instructed all of its civilian agencies to immediately shut off various popular network and system management products being exploited as part of an ongoing cyberattack.

Why Predator is the ultimate CISO movie

Javvad Malik

There’s often a lot of debate as to what the best security or hacking movie is. Many people talk about Hackers, or Sneakers, or try and slip Mr Robot into the mix. But they are all way way waaaaay off the mark.

CISO 164

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Krebs on Security

Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy , the world’s largest domain name registrar, KrebsOnSecurity has learned.

Inside the Cit0Day Breach Collection

Troy Hunt

It's increasingly hard to know what to do with data like that from Cit0Day. If that's an unfamiliar name to you, start with Catalin Cimpanu's story on the demise of the service followed by the subsequent leaking of the data.

Who’s Behind Wednesday’s Epic Twitter Hack?

Krebs on Security

Twitter was thrown into chaos on Wednesday after accounts for some of the world’s most recognizable public figures, executives and celebrities starting tweeting out links to bitcoin scams.

TSA Admits Liquid Ban Is Security Theater

Schneier on Security

The TSA is allowing people to bring larger bottles of hand sanitizer with them on airplanes: Passengers will now be allowed to travel with containers of liquid hand sanitizer up to 12 ounces.

Honda Hit By Possible Ransomware Attack

Adam Levin

Japanese automotive manufacturer Honda is investigating a possible ransomware attack that has caused company-wide network outages.

MY TAKE: COVID-19 cements the leadership role CISOs must take to secure company networks

The Last Watchdog

Chief Information Security Officers were already on the hot seat well before the COVID-19 global pandemic hit, and they are even more so today. Related: Why U.S.

CISO 246

Thinking of a Cybersecurity Career? Read This

Krebs on Security

Thousands of people graduate from colleges and universities each year with cybersecurity or computer science degrees only to find employers are less than thrilled about their hands-on, foundational skills.

Free Threat Modeling Training

Adam Shostack

The current situation is scary and anxiety-provoking, and I can’t do much to fix that. One thing I can do is give people a chance to learn, and so I’m making my Linkedin Learning classes free this week. (I’m

208
208

Everyday Threat Modeling

Daniel Miessler

Threat modeling is a superpower. When done correctly it gives you the ability to adjust your defensive behaviors based on what you’re facing in real-world scenarios. And not just for applications, or networks, or a business—but for life. The Difference Between Threats and Risks.

VPN 236

Social Media Account Verification Messages: CyberCriminals’ Latest Phishing Technique Exploits Both Human Emotions And Anti-Fraud Techniques

Joseph Steinberg

Social media users’ delight at receiving notification that their accounts have qualified for Verification (that is, receiving the often-coveted “blue check mark” that appears on the social media profiles of public figures) has become the latest target of criminal exploitation.

Media 169

Analysing the (Alleged) Minneapolis Police Department "Hack"

Troy Hunt

The situation in Minneapolis at the moment (and many other places in the US) following George Floyd's death is, I think it's fair to say, extremely volatile.

‘BlueLeaks’ Exposes Files from Hundreds of Police Departments

Krebs on Security

Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week.

Let's Stop the 5G Hysteria: Understanding Hoaxes and Disinformation Campaigns

Troy Hunt

Hey, did you hear that Facebook are going to start using your personal photos in whatever way they see fit? For real, it's going to start tomorrow unless you act quickly! All you have to do is copy and paste this message onto your own Facebook page and wammo - they're not allowed to touch them!

Scams 286

Live Coronavirus Map Used to Spread Malware

Krebs on Security

Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it.

Contact Tracing COVID-19 Infections via Smartphone Apps

Schneier on Security

Google and Apple have announced a joint project to create a privacy-preserving COVID-19 contact tracing app. Details, such as we have them, are here.) It's similar to the app being developed at MIT, and similar to others being described and developed elsewhere.

274
274

MGM Data Breach Affects Over 10 Million Customers

Adam Levin

The personal information of over 10.6 million customers of MGM Resorts has been published online. MGM Resorts confirmed the leaked data as being the result of a data breach that occurred last year.

NEW TECH: Silverfort helps companies carry out smarter human and machine authentications

The Last Watchdog

Doing authentication well is vital for any company in the throes of digital transformation.

2020 Oscar Nominees Used to Spread Malware

Adam Levin

Online scammers are using the 2020 Oscars to spread malware. A recent study released by Kaspersky Labs uncovered several hacking and phishing campaigns promising their targets free and early access to Best Picture nominees for this year’s Academy Awards.

Repudiation Now Live on Linkedin Learning

Adam Shostack

My course, “ Repudiation in Depth ” is now live on Linkedin Learning. This is the fourth course I’ve created, starting with “ Learning Threat Modeling “, and courses on “ spoofing “, “ tampering “, and now, repudiation.

U.S. Secret Service: “Massive Fraud” Against State Unemployment Insurance Programs

Krebs on Security

A well-organized Nigerian crime ring is exploiting the COVID-19 crisis by committing large-scale fraud against multiple state unemployment insurance programs, with potential losses in the hundreds of millions of dollars, according to a new alert issued by the U.S. Secret Service.

Warning To Employers And Their Former Employees: Ex-Engineer Sentenced To 2 Years In Prison For Hacking Cisco’s WebEx

Joseph Steinberg

A former Cisco engineer was sentenced this past Wednesday (December 9, 2020) to 24 months in prison (and a $15,000 fine) for accessing Cisco’s network, and subsequently causing a service outage of Cisco’s WebEx Teams video conferencing service.

We Didn't Encrypt Your Password, We Hashed It. Here's What That Means:

Troy Hunt

You've possibly just found out you're in a data breach. The organisation involved may have contacted you and advised your password was exposed but fortunately, they encrypted it. But you should change it anyway.

‘War Dialing’ Tool Exposes Zoom’s Password Problems

Krebs on Security

As the Coronavirus pandemic continues to force people to work from home, countless companies are now holding daily meetings using videoconferencing services from Zoom.

Turn on MFA Before Crooks Do It For You

Krebs on Security

Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen.

The Unattributable "db8151dd" Data Breach

Troy Hunt

I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It's about a data breach with almost 90GB of personal information in it across tens of millions of records - including mine.

New Bluetooth Vulnerability

Schneier on Security

There’s a new unpatched Bluetooth vulnerability : The issue is with a protocol called Cross-Transport Key Derivation (or CTKD, for short).

Hacking Grindr Accounts with Copy and Paste

Troy Hunt

Sexuality, relationships and online dating are all rather personal things. They're aspects of our lives that many people choose to keep private or at the very least, share only with people of our choosing.