2017

Tracking People Without GPS

Schneier on Security

Interesting research: The trick in accurately tracking a person with this method is finding out what kind of activity they're performing. Whether they're walking, driving a car, or riding in a train or airplane, it's pretty easy to figure out when you know what you're looking for. The sensors can determine how fast a person is traveling and what kind of movements they make. Moving at a slow pace in one direction indicates walking.

What Would It Look Like If We Put Warnings on IoT Devices Like We Do Cigarette Packets?

Troy Hunt

A couple of years ago, I was heavily involved in analysing and reporting on the massive VTech hack, the one where millions of records were exposed including kids' names, genders, ages, photos and the relationship to parents' records which included their home address. Part of this data was collected via an IoT device called the InnoTab which is a wifi connected tablet designed for young kids; think Fisher Price designing an iPad, then totally screwing up the security.

‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs

WIRED Threat Level

The attack uncovers bugs in how more than a dozen programs implement email's creaky protocol.

Ode to the use-after-free: one vulnerable function, a thousand possibilities

Scary Beasts Security

Overview: This post explores an old but wonderful vulnerability that enables us to really showcase the (oft underestimated) power of the use-after-free vulnerability class. We’re going to take a step back and consider the wider class of “use-after-invalidation”, of which use-after-free is one type of use of invalidated state.

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

Join us as we discuss the various tangents of data and the change management process that will help you make better risk-based business decisions to save time and money for your organization.

How to make your employees care about cybersecurity: 10 tips

Tech Republic Security

People are the largest security vulnerability in any organization. Here's some expert advice on how to make cybersecurity training more effective and protect your business.

Top 8 Cybersecurity Skills IT Pros Need in 2018

Dark Reading

Cloud security architecture skills to customer-service savvy are among the key IT security skills needed next year as CIOs ramp up hiring.

2018 Cause Awareness & Giving Day Calendar

Nonprofit Tech for Good

Cause awareness and giving days can be very powerful themes upon which to launch online fundraising campaigns. The real-time, in-the-moment nature of cause awareness and giving days can inspire donors to give provided that your nonprofit knows how to promote the days effectively. The first step is to decide which days to build a campaign upon and add them to your 2018 editorial calendar.

Mozilla Patches Critical Bug in Thunderbird

PYMNTS

Mozilla has patched one critical vulnerability in its Thunderbird email client along with two bugs rated high.

Me on the Equifax Breach

Schneier on Security

Testimony and Statement for the Record of Bruce Schneier, Fellow and Lecturer, Belfer Center for Science and International Affairs, Harvard Kennedy School; Fellow, Berkman Center for Internet and Society at Harvard Law School. Hearing on "Securing Consumers' Credit Data in the Age of Digital Commerce" before the Subcommittee on Digital Commerce and Consumer Protection, Committee on Energy and Commerce, United States House of Representatives. 1 November 2017, 2125 Rayburn House Office Building.

Websites Use Session-Replay Scripts to Eavesdrop on Every Keystroke and Mouse Movement

Schneier on Security

The security researchers at Princeton are posting: You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use "session replay" scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers.

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

In this webinar, Ronald Eddings, Cybersecurity Expert, will outline the relationship between SaaS apps and IT & security teams, along with several actionable solutions to overcome the new difficulties facing your organization.

Needless Panic Over a Wi-FI Network Name

Schneier on Security

A Turkish Airlines flight made an emergency landing because someone named his wireless network (presumably from his smartphone) "bomb on board." In 2006, I wrote an essay titled "Refuse to be Terrorized." (I am also reminded of my 2007 essay, "The War on the Unexpected.") A decade later, it seems that the frequency of incidents like the one above is less, although not zero. Progress, I suppose.

I'm Sorry You Feel This Way NatWest, but HTTPS on Your Landing Page Is Important

Troy Hunt

Occasionally, I feel like I'm just handing an organisation more shovels - "here, keep digging, I'm sure this'll work out just fine." The latest such event was with NatWest (a bank in the UK), and it culminated with this tweet from them: I'm sorry you feel this way. I can certainly pass on your concerns and feed this back to the tech team for you Troy? DC — NatWest (@NatWest_Help) December 12, 2017.

Snowden-Backed App 'Haven' Turns Your Phone Into a Home Security System

WIRED Threat Level

The NSA leaker's latest project aims to secure your computer—and you—from not just digital but physical attacks.

Introducing Qualys Project Zero?

Scary Beasts Security

Google's Project Zero team was announced in July 2014. Since then, it has become very well known for publishing offensive security research of exceptional quality. This is especially welcome to defenders at a time where top quality offensive security research is drying up. For most important software targets, it's getting harder to find and exploit bugs.

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Through a detailed analysis of major attacks and their consequences, Karl Camilleri, Cloud Services Product Manager at phoenixNAP, will discuss the state of ransomware and future predictions, as well as provide best practices for attack prevention and recovery.

The world needs more cybersecurity pros, but millennials aren't interested in the field

Tech Republic Security

Only 7% of cybersecurity workers are under age 29, and just 11% are women. Here's how your business can better recruit younger, more diverse cybersecurity workers.

NIST Releases New Cybersecurity Framework Draft

Dark Reading

Updated version includes changes to some existing guidelines - and adds some new ones.

Inside Mirai the infamous IoT Botnet: A Retrospective Analysis

Elie

This post provides a retrospective analysis of Mirai — the infamous Internet-of-Things botnet that took down major websites via massive distributed denial-of-service using hundreds of thousands of compromised Internet-Of-Things devices. At its peak in September 2016, Mirai temporarily crippled several high-profile services such as OVH, Dyn, Krebs on Security via massive distributed Denial of service attacks (DDoS). [...] reported that these attacks exceeded 1Tbps—the largest on public record.

"Santa Claus is Coming to Town" Parody

Schneier on Security

Funny.

How to Avoid the Pain and Cost of PCI Compliance While Optimizing Payments

Speaker: P. Andrew Sjogren, Sr. Product Marketing Manager at Very Good Security, Matt Doka, Co-Founder and CTO of Fivestars, and Steve Andrews, President & CEO of the Western Bankers Association 

In this webinar, we have a great set of panelists who will take you through how Zero Data strategies can be used as part of a well-rounded compliance and security approach, and get you to market much sooner by also allowing for payment optimization. They’ll share how to grow your business faster and minimize costs for both security and compliance.

Security Planner

Schneier on Security

Security Planner is a custom security advice tool from Citizen Lab. Answer a few questions, and it gives you a few simple things you can do to improve your security. It's not meant to be comprehensive, but instead to give people things they can actually do to immediately improve their security. I don't see it replacing any of the good security guides out there, but instead augmenting them. The advice is peer reviewed, and the team behind Security Planner is committed to keeping it up to date.

The "Extended Random" Feature in the BSAFE Crypto Library

Schneier on Security

Matthew Green wrote a fascinating blog post about the NSA's efforts to increase the amount of random data exposed in the TLS protocol, and how it interacts with the NSA's backdoor into the DUAL_EC_PRNG random number generator to weaken TLS.

Apple FaceID Hacked

Schneier on Security

It only took a week: On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked FaceID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. The article points out that the hack hasn't been independently confirmed, but I have no doubt it's true. I don't think this is cause for alarm, though.

Remote Hack of a Boeing 757

Schneier on Security

Last month, the DHS announced that it was able to remotely hack a Boeing 757: "We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration," said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate. [Which] means I didn't have anybody touching the airplane, I didn't have an insider threat.

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

The 6-Step "Happy Path" to HTTPS

Troy Hunt

It's finally time: it's time the pendulum swings further towards the "secure by default" end of the scale than what it ever has before.

Exclusive: Tracing ISIS’ Weapons Supply Chain—Back to the US

WIRED Threat Level

The Islamic State is designing and mass-producing its own advanced munitions—with parts from all over the world.

*bleed continues: 18 byte file, $14k bounty, for leaking private Yahoo! Mail images

Scary Beasts Security

Overview: *bleed attacks are hot right now. Most notably, there's been Heartbleed and Cloudbleed. In both cases, out-of-bounds reads in server side code resulted in private server memory content being returned to clients. This leaked sensitive secrets from the server process' memory space, such as keys, tokens, cookies, etc. There was also a recent client-side bleed in Microsoft's image libraries, exposed through Internet Explorer.

I infected my Windows computer with ransomware to test RansomFree's protection

Tech Republic Security

Jesus Vigo went hands-on with RansomFree to see if it could outmaneuver ransomware threats and keep data safe. Here's a look at what he discovered.

Insider Threats: Red Flags and Best Practices

Dark Reading

Security pros list red flags indicating an insider attack and best practices to protect against accidental and malicious exposure.

Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials

Elie

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016–March, 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums.

Man-in-the-Middle Attack against Electronic Car-Door Openers

Schneier on Security

This is an interesting tactic, and there's a video of it being used: The theft took just one minute and the Mercedes car, stolen from the Elmdon area of Solihull on 24 September, has not been recovered. In the footage, one of the men can be seen waving a box in front of the victim's house. The device receives a signal from the key inside and transmits it to the second box next to the car.

"Crypto" Is Being Redefined as Cryptocurrencies

Schneier on Security

I agree with Lorenzo Franceschi-Bicchierai, "Cryptocurrencies aren't 'crypto'": Lately on the internet, people in the world of Bitcoin and other digital currencies are starting to use the word "crypto" as a catch-all term for the lightly regulated and burgeoning world of digital currencies in general, or for the word "cryptocurrency" -- which probably shouldn't even be called "currency," by the way. [...] To be clear, I'm not the only one who is mad about this.

Acoustical Attacks against Hard Drives

Schneier on Security

Interesting destructive attack: "Acoustic Denial of Service Attacks on HDDs": Abstract: Among storage components, hard disk drives (HDDs) have become the most commonly-used type of non-volatile storage due to their recent technological advances, including, enhanced energy efficacy and significantly-improved areal density.

Disqus Demonstrates How to Do Breach Disclosure Right

Troy Hunt

We all jumped on "the Equifax dumpster fire bandwagon" recently and pointed to all the things that went fundamentally wrong with their disclosure process. But it's equally important that we acknowledge exemplary handling of data breaches when they occur because that's behaviour that should be encouraged. Last week, someone reached out and shared a number of data breaches with me. Breaches I'd never seen before.