2017

What Would It Look Like If We Put Warnings on IoT Devices Like We Do Cigarette Packets?

Troy Hunt

A couple of years ago, I was heavily involved in analysing and reporting on the massive VTech hack , the one where millions of records were exposed including kids' names, genders, ages, photos and the relationship to parents' records which included their home address. Part of this data was collected via an IoT device called the InnoTab which is a wifi connected tablet designed for young kids; think Fisher Price designing an iPad. then totally screwing up the security.

IoT 211

Getting started with a career in Cyber Security and Information Security

Doctor Chaos

The Information Security Profession – Where do I Start? I am often asked by individuals to provide advice or guidance on how to get started in the field of information security. Many college students tell me they want to be a hacker, an IT systems penetration tester, or other type of cyber security professional. I […]. Cyber InfoSec education infosec security awareness tools training

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Tracking People Without GPS

Schneier on Security

Interesting research : The trick in accurately tracking a person with this method is finding out what kind of activity they're performing. Whether they're walking, driving a car, or riding in a train or airplane, it's pretty easy to figure out when you know what you're looking for. The sensors can determine how fast a person is traveling and what kind of movements they make. Moving at a slow pace in one direction indicates walking.

‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs

WIRED Threat Level

The attack uncovers bugs in how more than a dozen programs implement email's creaky protocol. Security

148
148

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

Ode to the use-after-free: one vulnerable function, a thousand possibilities

Scary Beasts Security

Overview This post explores an old but wonderful vulnerability that enables us to really showcase the (oft underestimated) power of the use-after-free vulnerability class. We’re going to take a step back and consider the wider class of “use-after-invalidation”, of which use-after-free is one type of use of invalidated state.

Mobile 104

Your internet history is now for sale. Here's how you can protect it

Tech Republic Security

Congress has voted to repeal restrictions preventing ISPs from gathering and selling your browsing data and other personal info. Here's how you can protect yourself

More Trending

Top 8 Cybersecurity Skills IT Pros Need in 2018

Dark Reading

Cloud security architecture skills to customer-service savvy are among the key IT security skills needed next year as CIOs ramp up hiring

I'm Sorry You Feel This Way NatWest, but HTTPS on Your Landing Page Is Important

Troy Hunt

Occasionally, I feel like I'm just handing an organisation more shovels - "here, keep digging, I'm sure this'll work out just fine." " The latest such event was with NatWest (a bank in the UK), and it culminated with this tweet from them: I'm sorry you feel this way. I can certainly pass on your concerns and feed this back to the tech team for you Troy? DC — NatWest (@NatWest_Help) December 12, 2017.

The 6-Step "Happy Path" to HTTPS

Troy Hunt

It's finally time: it's time the pendulum swings further towards the "secure by default" end of the scale than what it ever has before.

172
172

2018 Cause Awareness & Giving Day Calendar

Troy Hunt

Cause awareness and giving days can be very powerful themes upon which to launch online fundraising campaigns. The real-time, in-the-moment nature of cause awareness and giving days can inspire donors to give provided that your nonprofit knows how to promote the days effectively. The first step is to decide which days to build a campaign upon and add them to your 2018 editorial calendar.

Media 169

Disqus Demonstrates How to Do Breach Disclosure Right

Troy Hunt

We all jumped on "the Equifax dumpster fire bandwagon" recently and pointed to all the things that went fundamentally wrong with their disclosure process. But it's equally important that we acknowledge exemplary handling of data breaches when they occur because that's behaviour that should be encouraged. Last week, someone reached out and shared a number of data breaches with me. Breaches I'd never seen before.

Leaked NSA Exploit Spreading Ransomware Worldwide

Doctor Chaos

Original article appears from [link] A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent ShadowBrokers dump. Researchers at Kaspersky Lab said the attackers behind today’s outbreak of WannaCry ransomware are using EternalBlue, the codename for an exploit made public by the mysterious group that is in possession […]. Cyber infosec

Me on the Equifax Breach

Schneier on Security

Testimony and Statement for the Record of Bruce Schneier. Fellow and Lecturer, Belfer Center for Science and International Affairs, Harvard Kennedy School. Fellow, Berkman Center for Internet and Society at Harvard Law School. Hearing on "Securing Consumers' Credit Data in the Age of Digital Commerce". Before the. Subcommittee on Digital Commerce and Consumer Protection. Committee on Energy and Commerce. United States House of Representatives. 1 November 2017. 2125 Rayburn House Office Building.

Snowden-Backed App 'Haven' Turns Your Phone Into a Home Security System

WIRED Threat Level

The NSA leaker's latest project aims to secure your computer—and you—from not just digital but physical attacks. Security

88

Introducing Qualys Project Zero?

Scary Beasts Security

Google's Project Zero team was announced in July 2014. Since then, it has become very well known for publishing offensive security research of exceptional quality. This is especially welcome to defenders at a time where top quality offensive security research is drying up. For most important software targets, it's getting harder to find and exploit bugs.

The 21 best IT and tech memes on the Internet

Tech Republic Security

From Bad Luck Brian to Confession Bear to Scumbag Steve, these are the best tech-flavored memes the Internet has to offer

Inside Mirai the infamous IoT Botnet: A Retrospective Analysis

Elie

This post provides a retrospective analysis of Mirai — the infamous Internet-of-Things botnet that took down major websites via massive distributed denial-of-service using hundreds of thousands of compromised Internet-Of-Things devices. At its peak in September 2016, Mirai temporarily crippled several high-profile services such as. OVH. , Dyn. , Krebs on Security. via massive. distributed Denial of service attacks (DDoS). reported that these attacks exceeded 1Tbps—the largest on public record.

IoT 80

NIST Releases New Cybersecurity Framework Draft

Dark Reading

Updated version includes changes to some existing guidelines - and adds some new ones

Fixing Data Breaches Part 3: The Ease of Disclosure

Troy Hunt

This week, I've been writing up my 5-part guide on "Fixing Data Breaches" On Monday I talked about the value of education ; let's try and stop the breach from happening in the first place. Then yesterday it was all about reducing the impact of a breach , namely by collecting a lot less data in the first place then recognising that it belongs to the person who provided it and treating with the appropriate respect. Today, I want to focus on the ease of disclosure.

Questions about the Massive South African "Master Deeds" Data Breach Answered

Troy Hunt

This week, I started looking into a large database backup file which turned out to contain the personal data of a significant portion of the South African population. It's an explosive situation with potentially severe ramifications and I've been bombarded by questions about it over the last 48 hours. This post explains everything I know. Who Am I and Why Do I Have This Data?

Bypassing Browser Security Warnings with Pseudo Password Fields

Troy Hunt

It seems that there is no limit to human ingenuity when it comes to working around limitations within one's environment. For example, imagine you genuinely wanted to run a device requiring mains power in the centre of your inflatable pool - you're flat out of luck, right? Wrong! Or imagine there's a fire somewhere but the hydrant is on the other side of train tracks and you really want to put that fire out but trains have still gotta run too - what options are you left with? Wrong again!

Morpheus – Man-in-the-Middle Security tool

Doctor Chaos

Introducing Morpheus Morpheus is a new tool that provides you with the ability to simulate automated Man-in-the-Middle attacks. Morpheus can be found at https://github.com/r00t-3xp10it/morpheus. The Morpheus application consists of a suite allowing users to manipulate TCP and UDP data packets using a few applications in the background such as ettercap, urlsnarf, msgsnarf and tcpkill. The […]. Hacking Tools hacking tools

Equifax Versus Pretty Much All of Us

Doctor Chaos

Guess what? You are scuuuuh-REWED!!! Let’s set the record straight right up front. 143 million people had their personal information stolen in the Equifax breach. The entire US population is 324 million. It is estimated there are 125 million households in the United States. The odds of your information being safe and sound is about […]. Data Breach data breach

Websites Use Session-Replay Scripts to Eavesdrop on Every Keystroke and Mouse Movement

Schneier on Security

The security researchers at Princeton are posting. You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use "session replay" scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers.

Exclusive: Tracing ISIS’ Weapons Supply Chain—Back to the US

WIRED Threat Level

The Islamic State is designing and mass-producing its own advanced munitions—with parts from all over the world. Security

87

*bleed continues: 18 byte file, $14k bounty, for leaking private Yahoo! Mail images

Scary Beasts Security

Overview *bleed attacks are hot right now. Most notably, there's been Heartbleed and Cloudbleed. In both cases, out-of-bounds reads in server side code resulted in private server memory content being returned to clients. This leaked sensitive secrets from the server process' memory space, such as keys, tokens, cookies, etc. There was also a recent client-side bleed in Microsoft's image libraries , exposed through Internet Explorer.

Risk 74

I infected my Windows computer with ransomware to test RansomFree's protection

Tech Republic Security

Jesus Vigo went hands-on with RansomFree to see if it could outmaneuver ransomware threats and keep data safe. Here's a look at what he discovered

Exposing the inner-workings of the ransomware economy

Elie

This blog post shed light on the inner workings of the ransomsphere economics and exposes which cybercriminal groups are the biggest earners. This is the second blog post in my series about ransomware economics. The first post. is dedicated to the methodology and techniques needed to trace ransomware payments end-to-end. As this post builds on that methodology, I encourage you to read through the first post if you haven’t done so. final post.

Insider Threats: Red Flags and Best Practices

Dark Reading

Security pros list red flags indicating an insider attack and best practices to protect against accidental and malicious exposure

61

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

Troy Hunt

I run a workshop titled Hack Yourself First in which people usually responsible for building web apps get to try their hand at breaking them. As it turns out, breaking websites is a heap of fun (with the obvious caveats) and people really get into the exercises. The first one that starts to push people into territory that's usually unfamiliar to builders is the module on XSS.

Risk 149

Heimdal PRO Review

Doctor Chaos

Heimdal PRO – the security solution for everyone The Internet is not a safe place to navigate without a security software product installed on your computer. And you need more than an antivirus or a good firewall solution to keep your data safe from all kind of cyber attacks. While no software security provides 100% […]. Cyber product review

How to Stop Cyber-Bullying With Mobile Parental Control App

Doctor Chaos

The widespread adoption of mobile phones and the internet has dramatically increased the cyber-bullying occurrence. Around 75% of teens in the United States have access to mobile phone and internet and half of them have reported experiencing cyber-bullying. Among the online threats, cyberbullying is the most common and probably the most dangerous one. The online-bullying […]. Wireless cyber bullying wireless

Mobile 141

Here's What I'm Telling US Congress about Data Breaches

Troy Hunt

Last week I wrote about my upcoming congressional testimony and wow - you guys are awesome! Seriously, the feedback there was absolutely sensational and it's helped shape what I'll be saying to the US Congress, including lifting specific wording and phrases provided by some of you. Thank you! As I explained in that first blog post, I'm required to submit a written testimony 48 hours in advance of the event. That testimony is now publicly accessible and reproduced below.

I'm Testifying in Front of Congress in Washington DC about Data Breaches - What Should I Say?

Troy Hunt

There's a title I never expected to write! But it's exactly what it sounds like and on Thursday next week, I'll be up in front of US congress on the other side of the world testifying about the impact of data breaches. It's an amazing opportunity to influence decision makers at the highest levels of government and frankly, I don't want to stuff it up which is why I'm asking the question - what should I say?

Apple FaceID Hacked

Schneier on Security

It only took a week : On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked FaceID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. The article points out that the hack hasn't been independently confirmed, but I have no doubt it's true. I don't think this is cause for alarm, though.

Apple's MacOS High Sierra Update Reintroduces "Root" Bug For Some Users

WIRED Threat Level

The company's fix for an embarrassing security bug includes a big bug of its own. Security

87