What Would It Look Like If We Put Warnings on IoT Devices Like We Do Cigarette Packets?

Troy Hunt

A couple of years ago, I was heavily involved in analysing and reporting on the massive VTech hack , the one where millions of records were exposed including kids' names, genders, ages, photos and the relationship to parents' records which included their home address. Part of this data was collected via an IoT device called the InnoTab which is a wifi connected tablet designed for young kids; think Fisher Price designing an iPad. then totally screwing up the security.

IoT 219

Tracking People Without GPS

Schneier on Security

Interesting research : The trick in accurately tracking a person with this method is finding out what kind of activity they're performing. Whether they're walking, driving a car, or riding in a train or airplane, it's pretty easy to figure out when you know what you're looking for. The sensors can determine how fast a person is traveling and what kind of movements they make. Moving at a slow pace in one direction indicates walking.


Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs

WIRED Threat Level

The attack uncovers bugs in how more than a dozen programs implement email's creaky protocol. Security


Ode to the use-after-free: one vulnerable function, a thousand possibilities

Scary Beasts Security

Overview This post explores an old but wonderful vulnerability that enables us to really showcase the (oft underestimated) power of the use-after-free vulnerability class. We’re going to take a step back and consider the wider class of “use-after-invalidation”, of which use-after-free is one type of use of invalidated state.

Mobile 101

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Through a detailed analysis of major attacks and their consequences, Karl Camilleri, Cloud Services Product Manager at phoenixNAP, will discuss the state of ransomware and future predictions, as well as provide best practices for attack prevention and recovery.

The 21 best IT and tech memes on the Internet

Tech Republic Security

From Bad Luck Brian to Confession Bear to Scumbag Steve, these are the best tech-flavored memes the Internet has to offer

Top 8 Cybersecurity Skills IT Pros Need in 2018

Dark Reading

Cloud security architecture skills to customer-service savvy are among the key IT security skills needed next year as CIOs ramp up hiring

More Trending

Mozilla Patches Critical Bug in Thunderbird


Mozilla has patched one critical vulnerability in its Thunderbird email client along with two bugs rated high. Hacks Vulnerabilities email client Mozilla news reader overflow bug rss RSS feed Thunderbird Thunderbird 52.5.2 Windows XPCOM APIs XUL

Cloud Leaks Continue: 123 Million U.S. Households' Personal Information Exposed Online

eSecurity Planet

The information, from data analytics firm Alteryx, was in an Amazon S3 bucket configured to provide any AWS user with access


I'm Sorry You Feel This Way NatWest, but HTTPS on Your Landing Page Is Important

Troy Hunt

Occasionally, I feel like I'm just handing an organisation more shovels - "here, keep digging, I'm sure this'll work out just fine." " The latest such event was with NatWest (a bank in the UK), and it culminated with this tweet from them: I'm sorry you feel this way. I can certainly pass on your concerns and feed this back to the tech team for you Troy? DC — NatWest (@NatWest_Help) December 12, 2017.

New Report: Discovering Consumer Attitudes Toward Connected Car Security

Thales Cloud Protection & Licensing

At Thales eSecurity we are always eager to obtain data on how the world perceives threats to personal data, because it has the potential to inform us on how to make our everyday lives more safe and secure. Together with an independent firm, we recently conducted a survey of 1,000 consumers across the U.S. and UK and found that ownership of internet-connected cars is on the rise. Survey data shows that ownership of connected cars in 2017 is 28% in the U.S.

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

In this webinar, Ronald Eddings, Cybersecurity Expert, will outline the relationship between SaaS apps and IT & security teams, along with several actionable solutions to overcome the new difficulties facing your organization.

The 6-Step "Happy Path" to HTTPS

Troy Hunt

It's finally time: it's time the pendulum swings further towards the "secure by default" end of the scale than what it ever has before.


Me on the Equifax Breach

Schneier on Security

Testimony and Statement for the Record of Bruce Schneier. Fellow and Lecturer, Belfer Center for Science and International Affairs, Harvard Kennedy School. Fellow, Berkman Center for Internet and Society at Harvard Law School. Hearing on "Securing Consumers' Credit Data in the Age of Digital Commerce". Before the. Subcommittee on Digital Commerce and Consumer Protection. Committee on Energy and Commerce. United States House of Representatives. 1 November 2017. 2125 Rayburn House Office Building.

Snowden-Backed App 'Haven' Turns Your Phone Into a Home Security System

WIRED Threat Level

The NSA leaker's latest project aims to secure your computer—and you—from not just digital but physical attacks. Security


Introducing Qualys Project Zero?

Scary Beasts Security

Google's Project Zero team was announced in July 2014. Since then, it has become very well known for publishing offensive security research of exceptional quality. This is especially welcome to defenders at a time where top quality offensive security research is drying up. For most important software targets, it's getting harder to find and exploit bugs.

How to Avoid the Pain and Cost of PCI Compliance While Optimizing Payments

Speaker: P. Andrew Sjogren, Sr. Product Marketing Manager at Very Good Security, Matt Doka, Co-Founder and CTO of Fivestars, and Steve Andrews, President & CEO of the Western Bankers Association 

In this webinar, we have a great set of panelists who will take you through how Zero Data strategies can be used as part of a well-rounded compliance and security approach, and get you to market much sooner by also allowing for payment optimization. They’ll share how to grow your business faster and minimize costs for both security and compliance

Your internet history is now for sale. Here's how you can protect it

Tech Republic Security

Congress has voted to repeal restrictions preventing ISPs from gathering and selling your browsing data and other personal info. Here's how you can protect yourself

NIST Releases New Cybersecurity Framework Draft

Dark Reading

Updated version includes changes to some existing guidelines - and adds some new ones

Inside Mirai the infamous IoT Botnet: A Retrospective Analysis


This post provides a retrospective analysis of Mirai — the infamous Internet-of-Things botnet that took down major websites via massive distributed denial-of-service using hundreds of thousands of compromised Internet-Of-Things devices. At its peak in September 2016, Mirai temporarily crippled several high-profile services such as. OVH. , Dyn. , Krebs on Security. via massive. distributed Denial of service attacks (DDoS). reported that these attacks exceeded 1Tbps—the largest on public record.

IoT 68

Disqus Demonstrates How to Do Breach Disclosure Right

Troy Hunt

We all jumped on "the Equifax dumpster fire bandwagon" recently and pointed to all the things that went fundamentally wrong with their disclosure process. But it's equally important that we acknowledge exemplary handling of data breaches when they occur because that's behaviour that should be encouraged. Last week, someone reached out and shared a number of data breaches with me. Breaches I'd never seen before.

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

Average Organization Faced 8 DDoS Attacks a Day in Q3 2017

eSecurity Planet

That's a 35 percent increase over the previous quarter


2018 Cause Awareness & Giving Day Calendar

Troy Hunt

Cause awareness and giving days can be very powerful themes upon which to launch online fundraising campaigns. The real-time, in-the-moment nature of cause awareness and giving days can inspire donors to give provided that your nonprofit knows how to promote the days effectively. The first step is to decide which days to build a campaign upon and add them to your 2018 editorial calendar.

Media 193

Websites Use Session-Replay Scripts to Eavesdrop on Every Keystroke and Mouse Movement

Schneier on Security

The security researchers at Princeton are posting. You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use "session replay" scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers.

Here's What I'm Telling US Congress about Data Breaches

Troy Hunt

Last week I wrote about my upcoming congressional testimony and wow - you guys are awesome! Seriously, the feedback there was absolutely sensational and it's helped shape what I'll be saying to the US Congress, including lifting specific wording and phrases provided by some of you. Thank you! As I explained in that first blog post, I'm required to submit a written testimony 48 hours in advance of the event. That testimony is now publicly accessible and reproduced below.

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

Troy Hunt

I run a workshop titled Hack Yourself First in which people usually responsible for building web apps get to try their hand at breaking them. As it turns out, breaking websites is a heap of fun (with the obvious caveats) and people really get into the exercises. The first one that starts to push people into territory that's usually unfamiliar to builders is the module on XSS.

In 'Star Wars: The Last Jedi', the Resistance Keeps Making the Same Tactical Mistake

WIRED Threat Level

The urge to fight one decisive battle has undone countless real-world rebellions—and those in the Star Wars universe as well. Security


*bleed continues: 18 byte file, $14k bounty, for leaking private Yahoo! Mail images

Scary Beasts Security

Overview *bleed attacks are hot right now. Most notably, there's been Heartbleed and Cloudbleed. In both cases, out-of-bounds reads in server side code resulted in private server memory content being returned to clients. This leaked sensitive secrets from the server process' memory space, such as keys, tokens, cookies, etc. There was also a recent client-side bleed in Microsoft's image libraries , exposed through Internet Explorer.

Risk 70

There's a new Gmail phishing attack going around, and it's fooling everyone

Tech Republic Security

Tech professionals don't generally fall for phishing attacks: They know what to look for and when to be suspicious. One new attack, however, is even fooling the experienced

Insider Threats: Red Flags and Best Practices

Dark Reading

Security pros list red flags indicating an insider attack and best practices to protect against accidental and malicious exposure


Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials


In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016–March, 2017, we identify 788,000 potential victims of off-theshelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums.

Fixing Data Breaches Part 3: The Ease of Disclosure

Troy Hunt

This week, I've been writing up my 5-part guide on "Fixing Data Breaches" On Monday I talked about the value of education ; let's try and stop the breach from happening in the first place. Then yesterday it was all about reducing the impact of a breach , namely by collecting a lot less data in the first place then recognising that it belongs to the person who provided it and treating with the appropriate respect. Today, I want to focus on the ease of disclosure.

Needless Panic Over a Wi-FI Network Name

Schneier on Security

A Turkish Airlines flight made an emergency landing because someone named his wireless network (presumably from his smartphone) "bomb on board.". In 2006, I wrote an essay titled " Refuse to be Terrorized." (I I am also reminded of my 2007 essay, " The War on the Unexpected." A decade later, it seems that the frequency of incidents like the one above is less, although not zero. Progress, I suppose. airtravel overreactions warontheunexpected wifi wireless

Questions about the Massive South African "Master Deeds" Data Breach Answered

Troy Hunt

This week, I started looking into a large database backup file which turned out to contain the personal data of a significant portion of the South African population. It's an explosive situation with potentially severe ramifications and I've been bombarded by questions about it over the last 48 hours. This post explains everything I know. Who Am I and Why Do I Have This Data?

"Santa Claus is Coming to Town" Parody

Schneier on Security

Funny. humor privacy surveillance

Security Planner

Schneier on Security

Security Planner is a custom security advice tool from Citizen Lab. Answer a few questions, and it gives you a few simple things you can do to improve your security. It's not meant to be comprehensive, but instead to give people things they can actually do to immediately improve their security. I don't see it replacing any of the good security guides out there, but instead augmenting them. The advice is peer reviewed, and the team behind Security Planner is committed to keeping it up to date.