Daniel Miessler

SEPTEMBER 12, 2021

This post will talk about my initial thoughts on The OWASP Top 10 release for 2021. Let me start by saying that I have respect for the people working on this project, and that as a project maintainer myself, I know how impossibly hard this is.

Software 364

Software Information Security 364

Troy Hunt

AUGUST 12, 2021

More than 3 years ago now, Scott Helme and I launched a little project called Why No HTTPS? It listed the world's largest websites that didn't properly redirect insecure requests to secure ones.

VPN 358

VPN 358

Schneier on Security

JUNE 4, 2021

Today is the second day of the fourteenth Workshop on Security and Human Behavior. The University of Cambridge is the host, but we’re all on Zoom. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and myself.

Risk 351

Risk 351

Lohrman on Security

OCTOBER 10, 2021

By almost any measure, the breadth, depth and impact of data breaches have dramatically increased during the COVID-19 pandemic. Here’s a roundup of the numbers.

Data breaches 337

Data breaches 337

Krebs on Security

JUNE 8, 2021

Among the zero-days are: – CVE-2021-33742 , a remote code execution bug in a Windows HTML component. – CVE-2021-31955 , an information disclosure bug in the Windows Kernel. – CVE-2021-31956 , an elevation of privilege flaw in Windows NTFS.

Backups 338

Backups Ransomware Cyber threats Phishing 338

Schneier on Security

JULY 14, 2021

This is a current list of where and when I am scheduled to speak: I’m speaking at Norbert Wiener in the 21st Century , a virtual conference hosted by The IEEE Society on Social Implications of Technology (SSIT), July 23-25, 2021. I’m speaking at DEFCON 29 , August 5-8, 2021. I’ll be speaking at an Informa event on September 14, 2021.

Internet 315

Internet Internet Technology 315

Schneier on Security

AUGUST 14, 2021

This is a current list of where and when I am scheduled to speak: I’m speaking (via Internet) at SHIFT Business Festival in Finland, August 25-26, 2021. I’ll be speaking at an Informa event on September 14, 2021. I’m keynoting CIISec Live —an all-online event—September 15-16, 2021. Details to come.

Data privacy 308

Data privacy Internet Internet Cybersecurity 308

Krebs on Security

JULY 7, 2021

At issue is CVE-2021-34527 , which involves a flaw in the Windows Print Spooler service that could be exploited by attackers to run code of their choice on a target’s system. Microsoft says it has already detected active exploitation of the vulnerability.

Backups 356

Backups Software Engineering 356

Schneier on Security

JANUARY 24, 2022

Crowdstrike is reporting that malware targeting Linux has increased considerably in 2021: Malware targeting Linux systems increased by 35% in 2021 compared to 2020. XorDDoS, Mirai and Mozi malware families accounted for over 22% of Linux-targeted threats observed by CrowdStrike in 2021. Lots of details in the report.

Malware 315

Malware Accountability 315

Krebs on Security

SEPTEMBER 8, 2021

According to a security advisory from Redmond, the security hole CVE-2021-40444 affects the “MSHTML” component of Internet Explorer (IE) on Windows 10 and many Windows Server versions. Virtually every month in 2021 so far, Microsoft has been forced to respond to zero-day threats targeting huge swaths of its user base.

Software 355

Software Engineering Internet Internet 355

Daniel Miessler

MARCH 24, 2021

Mar 24, 2021 — Thanks to Andrew R. Mar 24, 2021 — Someone mentioned that there are higher ranks of authentication out there, which I agree with, but this is specifically for everyday users. Mar 24, 2021 — We can pronounce the acronym as “Chasm”, as in, “Lets see how deep into the chasm you are…” ??.

Authentication 363

Authentication Passwords Internet Internet 363

Lohrman on Security

NOVEMBER 7, 2021

Not only is ransomware the top cybersecurity story in 2021, but new twists, turns and countermeasures keep coming. Here are the latest headlines and what news you need.

Ransomware 336

Ransomware Cybersecurity 336

Schneier on Security

NOVEMBER 1, 2021

This potentially devastating attack is tracked as CVE-2021-42574, while a related attack that uses homoglyphs –- visually similar characters –- is tracked as CVE-2021-42694.

Engineering 333

Engineering 333

Krebs on Security

JANUARY 8, 2022

In January 2021, Avira was acquired by Tempe, Ariz.-based NortonLifeLock announced Avira Crypto in late October 2021 , but multiple other antivirus products have flagged Avira’s installer as malicious or unsafe for including a cryptominer as far back as Sept. Founded in 2006, Avira Operations GmbH & Co. Avira Free Antivirus).

Antivirus 362

Antivirus Cryptocurrency Identity Theft Software 362

Troy Hunt

NOVEMBER 8, 2021

Here's the thread: I f **g hate beg bounties 😡 pic.twitter.com/Giv4JRRaty — Troy Hunt (@troyhunt) November 6, 2021. Hammad continued a few minutes later: pic.twitter.com/uoaGstoASH — Troy Hunt (@troyhunt) November 6, 2021 And there we have it.

Scams 68

Scams Data breaches InfoSec Social Engineering 68

Troy Hunt

MARCH 1, 2021

I'm pleased to welcome the first new government onto Have I Been Pwned for 2021, Portugal. The Portuguese CSIRT, CERT.PT , now has full and free access to query their government domains across the entire scope of data in HIBP.

Government 335

Government 335

Daniel Miessler

DECEMBER 18, 2021

From the Apache advisory: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 Look for ${event:Message} or ${ctx:*} in your log4j2 properties or xml files — d0nut (@d0nutptr) December 15, 2021. POV: you follow me pic.twitter.com/Xw33fmji1A — d0nut (@d0nutptr) December 15, 2021. Shame on me.

Internet 363

Internet Internet Information Security 363

Krebs on Security

JANUARY 19, 2023

In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company.

Mobile 339

Mobile Accountability Data breaches Identity Theft 339

Schneier on Security

FEBRUARY 17, 2022

It read: “Hey Phelim, to help us improve your Otter’s experience, what was the purpose of this particular recording with titled ‘Mustafa Aksu’ created at ‘2021-11-08 11:02:41’?”. The next day, I received an odd note from Otter.ai, the automated transcription app that I had used to record the interview. Turns out it’s hard to tell.

Surveillance 321

Surveillance Government 321

Schneier on Security

DECEMBER 10, 2021

A January 2021 FBI document outlines what types of data and metadata can be lawfully obtained by the FBI from messaging apps. Rolling Stone broke the story and it’s been written about elsewhere. I don’t see a lot of surprises in the document. Lots of apps leak all sorts of metadata: iMessage and WhatsApp seem to be the worst.

Backups 319

Backups Encryption 319

Schneier on Security

JULY 22, 2021

The bug (CVE-2021-3438) has lurked in systems for 16 years, researchers at SentinelOne said, but was only uncovered this year. If exploited, cyberattackers could bypass security products; install programs; view, change, encrypt or delete data; or create new accounts with more extensive user rights. It carries an 8.8

Encryption 334

Encryption Accountability 334

Schneier on Security

JANUARY 6, 2022

The privacy-oriented search engine netted more than 35 billion search queries in 2021 , a 46.4% DuckDuckGo has had a banner year : And yet, DuckDuckGo. jump over 2020 (23.6 That’s big.

Engineering 339

Engineering Internet Internet 339

Krebs on Security

JULY 8, 2021

On July 3, the REvil ransomware affiliate program began using a zero-day security hole ( CVE-2021-30116 ) to deploy ransomware to hundreds of IT management companies running Kaseya’s remote management software — known as the Kaseya Virtual System Administrator (VSA).

Software 326

Software Ransomware System Administration Authentication 326

Schneier on Security

AUGUST 30, 2023

With more official macOS features added in 2021 that enabled the “Night Shift” dark mode, the NightOwl app was left forlorn and forgotten on many older Macs. Interesting story of an Apple Macintosh app that went rogue. Basically, it was a good app until one particular update…when it went bad.

322

322

Troy Hunt

AUGUST 5, 2021

pic.twitter.com/iQcIMplt4s — Troy Hunt (@troyhunt) January 6, 2021 I'd always liked the idea of a 3D printer, but I had absolutely no idea where to start. Here's where it all started: Looking at a mate’s Prusa i3 printer and getting a bit tempted, what are folks using out there for hobby projects?

Education 71

Education Technology Software Retail 71

Krebs on Security

APRIL 15, 2024

The lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. In 2021, RealPage was acquired by the private equity giant Thoma Bravo. Meanwhile, Chirp’s parent company, RealPage, Inc. , is being sued by multiple U.S. On March 7, 2024, the U.S. .”

Software 325

Software Mobile Marketing Engineering 325

Krebs on Security

DECEMBER 13, 2021

The consulting firm PricewaterhouseCoopers recently published lessons learned from the disruptive and costly ransomware attack in May 2021 on Ireland’s public health system. Ireland’s Health Service Executive (HSE), which operates the country’s public health system, got hit with Conti ransomware on May 14, 2021.

Healthcare 306

Healthcare Ransomware Antivirus Hacking 306

Joseph Steinberg

DECEMBER 7, 2021

CyberSecurity and Artificial Intelligence Expert, Joseph Steinberg, will lead a panel discussion on the intersection of CyberSecurity and Artificial Intelligence (AI), to take place on Thursday, December 9, 2021, the second and final day of the AI Summit being held in person in New York’s Javits Center.

Artificial Intelligence 357

Artificial Intelligence Cybersecurity Technology 357

Schneier on Security

JANUARY 31, 2023

When we published last year’s version of this report, for example, we had only identified $602 million in ransomware payments in 2021. Still, the trend is clear: Ransomware payments are significantly down. However, that doesn’t mean attacks are down, or at least not as much as the drastic drop-off in payments would suggest.

Ransomware 306

Ransomware Cryptocurrency Cybercrime 306

Schneier on Security

JULY 13, 2021

Interesting attack : Masquerading as UK scholars with the University of London’s School of Oriental and African Studies (SOAS), the threat actor TA453 has been covertly approaching individuals since at least January 2021 to solicit sensitive information.

Hacking 361

Hacking Phishing Accountability Cybersecurity 361

Schneier on Security

DECEMBER 20, 2021

By the way, this vulnerability was patched on 13 Sep 2021 in iOS 14.8. Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.

Manufacturing 340

Manufacturing Spyware Hacking Internet 340

Troy Hunt

JULY 13, 2021

Pre-pairing everything before they go into the roof: pic.twitter.com/wfHeXrZdqd — Troy Hunt (@troyhunt) May 24, 2021 And this is where the problems begin. pic.twitter.com/lyq1wbTICX — Troy Hunt (@troyhunt) June 7, 2021 "See log for details." " Ok then: FFS. But local access will follow.

Internet 358

Internet Internet IoT Firmware 358

Schneier on Security

SEPTEMBER 19, 2024

Those devices were used to help infiltrate sensitive networks related to universities, government agencies, telecommunications providers, and media organizations… The botnet was launched in mid-2021, according to the FBI, and infected roughly 260,000 devices as of June 2024.

Telecommunications 270

Telecommunications Media Malware Internet 270

Krebs on Security

APRIL 18, 2022

A single attack by Ryuk/Conti in May 2021 against Ireland’s Health Service Executive, which operates the country’s public health system, resulted in massive disruptions to healthcare in Ireland. In June 2021, the HSE’s director general said the recovery costs for that attack were likely to exceed USD $600 million.

Healthcare 317

Healthcare Ransomware Cybersecurity Malware 317

Schneier on Security

JULY 12, 2022

Honda vehicles from 2021 to 2022 are vulnerable to this attack : On Thursday, a security researcher who goes by Kevin2600 published a technical report and videos on a vulnerability that he claims allows anyone armed with a simple hardware device to steal the code to unlock Honda vehicles.

Software 343

Software Cybersecurity 343