2017

What Would It Look Like If We Put Warnings on IoT Devices Like We Do Cigarette Packets?

Troy Hunt

A couple of years ago, I was heavily involved in analysing and reporting on the massive VTech hack, the one where millions of records were exposed including kids' names, genders, ages, photos and the relationship to parents' records which included their home address. Part of this data was collected via an IoT device called the InnoTab which is a wifi connected tablet designed for young kids; think Fisher Price designing an iPad, then totally screwing up the security.


Tracking People Without GPS

Schneier on Security

Interesting research: The trick in accurately tracking a person with this method is finding out what kind of activity they're performing. Whether they're walking, driving a car, or riding in a train or airplane, it's pretty easy to figure out when you know what you're looking for. The sensors can determine how fast a person is traveling and what kind of movements they make. Moving at a slow pace in one direction indicates walking.


Getting started with a career in Cyber Security and Information Security

Doctor Chaos

The Information Security Profession – Where do I Start? I am often asked by individuals to provide advice or guidance on how to get started in the field of information security. Many college students tell me they want to be a hacker, an IT systems penetration tester, or other type of cyber security professional. I […].

‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs

WIRED Threat Level

The attack uncovers bugs in how more than a dozen programs implement email's creaky protocol.


How to Avoid the Pain and Cost of PCI Compliance While Optimizing Payments

Speaker: P. Andrew Sjogren, Sr. Product Marketing Manager at Very Good Security, Matt Doka, Co-Founder and CTO of Fivestars, and Steve Andrews, President & CEO of the Western Bankers Association 

In this webinar, we have a great set of panelists who will take you through how Zero Data strategies can be used as part of a well-rounded compliance and security approach, and get you to market much sooner by also allowing for payment optimization. They'll share how to grow your business faster and minimize costs for both security and compliance.

Ode to the use-after-free: one vulnerable function, a thousand possibilities

Scary Beasts Security

Overview: This post explores an old but wonderful vulnerability that enables us to really showcase the (oft underestimated) power of the use-after-free vulnerability class. We're going to take a step back and consider the wider class of "use-after-invalidation", of which use-after-free is one type of use of invalidated state.


How blockchain could revolutionize IoT security

Tech Republic Security

There may be a way to secure processing-starved IoT devices by using a new approach to blockchain. Read about researchers' proposal.


How to trace ransomware payments end-to-end

Elie

Over the last two years, ransomware has been all over the news. Hardly a week goes by without a report of a large ransomware outbreak or the emergence of a new ransomware family. Despite all this attention, very little is known about how profitable ransomware is and who the criminals are that benefit from it. To answer these questions and expose the inner workings of the ransomware economy, our research team at Google, in partnership with Chainalysis, […]

I'm Sorry You Feel This Way NatWest, but HTTPS on Your Landing Page Is Important

Troy Hunt

Occasionally, I feel like I'm just handing an organisation more shovels - "here, keep digging, I'm sure this'll work out just fine." The latest such event was with NatWest (a bank in the UK), and it culminated with this tweet from them: I'm sorry you feel this way. I can certainly pass on your concerns and feed this back to the tech team for you Troy? DC — NatWest (@NatWest_Help) December 12, 2017.

The 6-Step "Happy Path" to HTTPS

Troy Hunt

It's finally time: it's time the pendulum swings further towards the "secure by default" end of the scale than what it ever has before.


2018 Cause Awareness & Giving Day Calendar

Troy Hunt

Cause awareness and giving days can be very powerful themes upon which to launch online fundraising campaigns. The real-time, in-the-moment nature of cause awareness and giving days can inspire donors to give provided that your nonprofit knows how to promote the days effectively. The first step is to decide which days to build a campaign upon and add them to your 2018 editorial calendar.


Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

Disqus Demonstrates How to Do Breach Disclosure Right

Troy Hunt

We all jumped on "the Equifax dumpster fire bandwagon" recently and pointed to all the things that went fundamentally wrong with their disclosure process. But it's equally important that we acknowledge exemplary handling of data breaches when they occur because that's behaviour that should be encouraged. Last week, someone reached out and shared a number of data breaches with me. Breaches I'd never seen before.

Me on the Equifax Breach

Schneier on Security

Testimony and Statement for the Record of Bruce Schneier, Fellow and Lecturer, Belfer Center for Science and International Affairs, Harvard Kennedy School; Fellow, Berkman Center for Internet and Society at Harvard Law School. Hearing on "Securing Consumers' Credit Data in the Age of Digital Commerce" before the Subcommittee on Digital Commerce and Consumer Protection, Committee on Energy and Commerce, United States House of Representatives, 1 November 2017, 2125 Rayburn House Office Building.

Leaked NSA Exploit Spreading Ransomware Worldwide

Doctor Chaos

Original article appears from [link] A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent ShadowBrokers dump. Researchers at Kaspersky Lab said the attackers behind today's outbreak of WannaCry ransomware are using EternalBlue, the codename for an exploit made public by the mysterious group that is in possession […].

Snowden-Backed App 'Haven' Turns Your Phone Into a Home Security System

WIRED Threat Level

The NSA leaker's latest project aims to secure your computer—and you—from not just digital but physical attacks.


Introducing Qualys Project Zero?

Scary Beasts Security

Google's Project Zero team was announced in July 2014. Since then, it has become very well known for publishing offensive security research of exceptional quality. This is especially welcome to defenders at a time where top quality offensive security research is drying up. For most important software targets, it's getting harder to find and exploit bugs.

Ukraine is a test bed for global cyberattacks that will target major infrastructure

Tech Republic Security

On the ground in Kiev, TechRepublic got a first-hand look at the frontline of a cyberwar that involves alleged Russian state-sponsored hackers, organized crime, and lone-wolf attackers.


NIST Releases New Cybersecurity Framework Draft

Dark Reading

Updated version includes changes to some existing guidelines - and adds some new ones.

Fixing Data Breaches Part 3: The Ease of Disclosure

Troy Hunt

This week, I've been writing up my 5-part guide on "Fixing Data Breaches". On Monday I talked about the value of education; let's try and stop the breach from happening in the first place. Then yesterday it was all about reducing the impact of a breach, namely by collecting a lot less data in the first place then recognising that it belongs to the person who provided it and treating it with the appropriate respect. Today, I want to focus on the ease of disclosure.

Websites Use Session-Replay Scripts to Eavesdrop on Every Keystroke and Mouse Movement

Schneier on Security

The security researchers at Princeton are posting: You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use "session replay" scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers.

Apple FaceID Hacked

Schneier on Security

It only took a week: On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked FaceID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. The article points out that the hack hasn't been independently confirmed, but I have no doubt it's true. I don't think this is cause for alarm, though.

Remote Hack of a Boeing 757

Schneier on Security

Last month, the DHS announced that it was able to remotely hack a Boeing 757: "We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration," said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate. "[Which] means I didn't have anybody touching the airplane, I didn't have an insider threat."

Man-in-the-Middle Attack against Electronic Car-Door Openers

Schneier on Security

This is an interesting tactic, and there's a video of it being used: The theft took just one minute and the Mercedes car, stolen from the Elmdon area of Solihull on 24 September, has not been recovered. In the footage, one of the men can be seen waving a box in front of the victim's house. The device receives a signal from the key inside and transmits it to the second box next to the car.


Warrant Protections against Police Searches of Our Data

Schneier on Security

The cell phones we carry with us constantly are the most perfect surveillance device ever invented, and our laws haven't caught up to that reality. That might change soon. This week, the Supreme Court will hear a case with profound implications on your security and privacy in the coming years.

Morpheus – Man-in-the-Middle Security tool

Doctor Chaos

Introducing Morpheus: Morpheus is a new tool that provides you with the ability to simulate automated Man-in-the-Middle attacks. Morpheus can be found at https://github.com/r00t-3xp10it/morpheus. The Morpheus application consists of a suite allowing users to manipulate TCP and UDP data packets using a few applications in the background such as ettercap, urlsnarf, msgsnarf and tcpkill. The […].

In 'Star Wars: The Last Jedi', the Resistance Keeps Making the Same Tactical Mistake

WIRED Threat Level

The urge to fight one decisive battle has undone countless real-world rebellions—and those in the Star Wars universe as well.


"Crypto" Is Being Redefined as Cryptocurrencies

Schneier on Security

I agree with Lorenzo Franceschi-Bicchierai, "Cryptocurrencies aren't 'crypto'": Lately on the internet, people in the world of Bitcoin and other digital currencies are starting to use the word "crypto" as a catch-all term for the lightly regulated and burgeoning world of digital currencies in general, or for the word "cryptocurrency" -- which probably shouldn't even be called "currency," by the way. […] To be clear, I'm not the only one who is mad about this.

How to make your employees care about cybersecurity: 10 tips

Tech Republic Security

People are the largest security vulnerability in any organization. Here's some expert advice on how to make cybersecurity training more effective and protect your business.

Suspect in Yahoo Breach Case Pleads Guilty

Dark Reading

Karim Baratov admits he worked on behalf of Russia's FSB.


Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

Troy Hunt

I run a workshop titled Hack Yourself First in which people usually responsible for building web apps get to try their hand at breaking them. As it turns out, breaking websites is a heap of fun (with the obvious caveats) and people really get into the exercises. The first one that starts to push people into territory that's usually unfamiliar to builders is the module on XSS.


Uber Data Hack

Schneier on Security

Uber was hacked, losing data on 57 million driver and rider accounts. The company kept it quiet for over a year. The details are particularly damning: The two hackers stole data about the company's riders and drivers -- including phone numbers, email addresses and names -- from a third-party server and then approached Uber and demanded $100,000 to delete their copy of the data, the employees said. Uber acquiesced to the demands, and then went further.

Acoustical Attacks against Hard Drives

Schneier on Security

Interesting destructive attack: "Acoustic Denial of Service Attacks on HDDs": Abstract: Among storage components, hard disk drives (HDDs) have become the most commonly-used type of non-volatile storage due to their recent technological advances, including enhanced energy efficacy and significantly-improved areal density.

Equifax Versus Pretty Much All of Us

Doctor Chaos

Guess what? You are scuuuuh-REWED!!! Let's set the record straight right up front. 143 million people had their personal information stolen in the Equifax breach. The entire US population is 324 million. It is estimated there are 125 million households in the United States. The odds of your information being safe and sound is about […].

Needless Panic Over a Wi-FI Network Name

Schneier on Security

A Turkish Airlines flight made an emergency landing because someone named his wireless network (presumably from his smartphone) "bomb on board." In 2006, I wrote an essay titled "Refuse to be Terrorized." I am also reminded of my 2007 essay, "The War on the Unexpected." A decade later, it seems that the frequency of incidents like the one above is less, although not zero. Progress, I suppose.

Germany Preparing Backdoor Law

Schneier on Security

The German Interior Minister is preparing a bill that allows the government to mandate backdoors in encryption. No details about how likely this is to pass. I am skeptical.

GCHQ Found -- and Disclosed -- a Windows 10 Vulnerability

Schneier on Security

Now this is good news. The UK's National Cyber Security Centre (NCSC) -- part of GCHQ -- found a serious vulnerability in Windows Defender (their anti-virus component). Instead of keeping it secret and all of us vulnerable, it alerted Microsoft. I'd like to believe the US does this, too.
