Schneier on Security

NOVEMBER 16, 2023

Examples included: Azure Active Directory API Keys GitHub OAuth App Keys Database credentials for providers such as MongoDB, MySQL, and PostgreSQL Dropbox Key Auth0 Keys SSH Credentials Coinbase Credentials Twilio Master Credentials.

Authentication 335

Authentication Cryptocurrency Accountability Software 335

Graham Cluley

MARCH 13, 2024

Streaming company Roku has revealed that over 15,000 customers' accounts were hacked using stolen login credentials from unrelated data breaches. Read more in my article on the Hot for Security blog.

Data breaches 118

Data breaches Accountability Hacking Passwords 118

Schneier on Security

MAY 9, 2019

Excellent article on fraudulent seller tactics on Amazon. The most prominent black hat companies for US Amazon sellers offer ways to manipulate Amazon's ranking system to promote products, protect accounts from disciplinary actions, and crush competitors. This was a good article on this from last year. (My My blog post.).

Accountability 274

Accountability Scams 274

Graham Cluley

MARCH 27, 2024

Hardware wallet manufacturer Trezor has explained how its Twitter account was compromised - despite it having sensible security precautions in place, such as strong passwords and multi-factor authentication. Read more in my article on the Hot for Security blog.

Accountability 120

Accountability Cryptocurrency Manufacturing Passwords 120

Schneier on Security

JULY 13, 2021

Of note, TA453 also targeted the personal email accounts of at least one of their targets. News article. Once the conversation was established, TA453 delivered a “registration link” to a legitimate but compromised website belonging to the University of London’s SOAS radio. The report details the tactics.

Hacking 363

Hacking Phishing Accountability Cybersecurity 363

Malwarebytes

NOVEMBER 7, 2023

As we explained in our article about 1Password being a victim of this breach, it’s normal for Okta support to ask customers to upload a file known as an HTTP Archive (HAR) file. To gain access to that service account, the attacker compromised an Okta employee. Take your time.

Accountability 136

Accountability Passwords Data breaches Phishing 136

Krebs on Security

FEBRUARY 4, 2020

Federal prosecutors in Alaska said search warrants served on the email accounts Bukoski used in conjunction with Quantum Stresser revealed that he was banned from several companies he used to advertise and accept payments for the booter service. The Quantum Stresser Web site — quantumstress[.]net Attorney Adam Alexander.

Internet 312

Internet Internet Government Accountability 312

Schneier on Security

APRIL 9, 2024

Here are a few news articles. It’s worth reading in its entirety. The board was established in early 2022, modeled in spirit after the National Transportation Safety Board. This is their third report.

Hacking 332

Hacking Government Accountability Technology 332

Schneier on Security

JANUARY 21, 2020

SIM hijacking -- or SIM swapping -- is an attack where a fraudster contacts your cell phone provider and convinces them to switch your account to a phone that they control. Since your smartphone often serves as a security measure or backup verification system, this allows the fraudster to take over other accounts of yours.

Authentication 268

Authentication Wireless Backups Accountability 268

Schneier on Security

FEBRUARY 6, 2019

The account "bruceschneier@gmail.com" maps to the exact same address as "bruce.schneier@gmail.com" and "b.r.u.c.e.schneier@gmail.com" -- and so on. This fact can be used to commit fraud : Recently, we observed a group of BEC actors make extensive use of Gmail dot accounts to commit a large and diverse amount of fraud. News article.

Accountability 249

Accountability Scams 249

Schneier on Security

JUNE 12, 2020

Facebook had tasked a dedicated employee to unmasking Hernandez, developed an automated system to flag recently created accounts that messaged minors, and made catching Hernandez a priority for its security teams, according to Vice. Another article. address of a person viewing a clip.

Surveillance 345

Surveillance Accountability Hacking Media 345

Krebs on Security

FEBRUARY 17, 2020

In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic. A redacted extortion email targeting users of Google’s AdSense program.

Scams 353

Scams Advertising Accountability Web Fraud 353

Malwarebytes

SEPTEMBER 1, 2023

Not long ago I wrote about a recent campaign to hold LinkedIn users' accounts to ransom. Shortly after I published the article, a co-worker, Peace, reached out to me told me they'd been a target of the campaign. Since he doesn’t use the LinkedIn app on his mobile he checked his account on his laptop first thing in the morning.

Accountability 136

Accountability Passwords Mobile Authentication 136

Schneier on Security

MARCH 19, 2021

Once the hacker is able to reroute a target’s text messages, it can then be trivial to hack into other accounts associated with that phone number. In this case, the hacker sent login requests to Bumble, WhatsApp, and Postmates, and easily accessed the accounts. Don’t focus too much on the particular company in this article.

Authentication 342

Authentication Accountability Advertising Mobile 342

Schneier on Security

OCTOBER 1, 2021

They’re certainly never going to be held accountable. Another article. Springhill declined to name the hackers, but Allan Liska, a senior intelligence analyst at Recorded Future, said it was likely the Russianbased Ryuk gang, which was singling out hospitals at the time.

Ransomware 331

Ransomware Hacking Accountability Healthcare 331

Krebs on Security

MARCH 16, 2021

Lucky225 showed how anyone could do the same after creating an account at a service called Sakari , a company that helps celebrities and businesses do SMS marketing and mass messaging. From there, the attacker can reset the password of any account which uses that phone number for password reset links. .

Telecommunications 363

Telecommunications Mobile Accountability Wireless 363

Krebs on Security

APRIL 28, 2020

But you probably didn’t know that these fraudsters also can use caller ID spoofing to trick your bank into giving up information about recent transactions on your account — data that can then be abused to make their phone scams more believable and expose you to additional forms of identity theft.

Scams 363

Scams Banking Accountability Financial Services 363

Adam Levin

APRIL 9, 2021

Adam Levin spoke with NPR about the recent data archive of over 500 million Facebook accounts found on a hacking forum. Read the article here. “It’s serious when phone numbers are out there. The danger when you have phone numbers in particular is a universal identifier,” said Levin.

Accountability 208

Accountability Hacking 208

Schneier on Security

FEBRUARY 3, 2021

New estimates are that 30% of the SolarWinds victims didn’t use SolarWinds: Many of the attacks gained initial footholds by password spraying to compromise individual email accounts at targeted organizations. The New York Times has repeated this attribution — a good article that also discusses the magnitude of the attack.)

Computers and Electronics 363

Computers and Electronics Malware Software Government 363

Daniel Miessler

MAY 14, 2020

I wrote an article recently on how to secure your home network in three different tiers of protection. Good passwords are long, random, and unique to each account, which means it’s impossible for a human to manage them on their own. Enable two-factor authentication on all critical accounts. Automatic Logins Using Lastpass.

Risk 345

Risk Password Management Passwords Accountability 345

Schneier on Security

MAY 24, 2022

News article. Accordingly, the policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged.

Hacking 278

Hacking Cybercrime Accountability Cybersecurity 278

Joseph Steinberg

JANUARY 26, 2022

For those unfamiliar with it, Google Voice is a phone service that offers a free phone number to anyone who has both set up a Google account in the United States and supplied and confirmed ownership of another phone number to which the Google Voice number can forward. What if you already were scammed?

Scams 321

Scams Authentication Accountability Artificial Intelligence 321

Schneier on Security

JULY 15, 2019

This can give a complete account of where someone has driven over any time period. Read the whole article -- it has a lot of details. All of this information is aggregated and synthesized in a way that gives law enforcement nearly omniscient knowledge over any suspect they decide to surveil. Boing Boing [link].

Surveillance 275

Surveillance Media Accountability Banking 275

Adam Levin

SEPTEMBER 4, 2019

The Wall Street Journal reported that the CEO of an unnamed UK energy company received a phone call from what sounded like his boss, the CEO of a German parent company, telling him to wire €220,000 (roughly $243,000) to a bank account in Hungary. Read the Wall Street Journal article here (subscription required).

Scams 233

Scams Artificial Intelligence Insurance Technology 233

Adam Levin

JULY 10, 2020

A recent article released by cybersecurity and antivirus firm Bitdefender shows that 8.4 billion records have already been exposed, and that’s only accounting for the first quarter of 2020. million records): Hackers successfully breached the accounts of two Marriott employees and compromised the PII of at least 5.2 Marriott (5.2

Data breaches 252

Data breaches Social Engineering Antivirus Scams 252

Schneier on Security

JUNE 19, 2020

BellTroX InfoTech Services has assisted clients in spying on over 10,000 email accounts around the world, including accounts of politicians, investors, journalists and activists. News article. We are in the process of notifying additional targets. Boing Boing post.

Hacking 220

Hacking Phishing Accountability Government 220

Graham Cluley

AUGUST 29, 2024

Hackers who seized control of the official Instagram account of McDonald's claim that they managed to steal US $700,000 from unsuspecting investors by promoting a fake cryptocurrency. Read more in my article on the Hot for Security blog.

Accountability 88

Accountability Cryptocurrency Hacking 88

Schneier on Security

JANUARY 29, 2020

Here's an article about Ralphs, a California supermarket chain owned by Kroger: the form proceeds to state that, as part of signing up for a rewards card, Ralphs "may collect" information such as "your level of education, type of employment, information about your health and information about insurance coverage you might carry."

Consumer Protection 275

Consumer Protection Data privacy Insurance Education 275

Schneier on Security

AUGUST 2, 2023

Good governance mechanisms delineate the accountability and responsibility for ensuring successful execution, while actionable, repeatable, meaningful, and time-dependent metrics or key performance indicators (KPI) should be used to reinforce realistic objectives and timelines. News article.

Cybersecurity 244

Cybersecurity Risk Government Accountability 244

The Last Watchdog

MAY 21, 2020

The idea was that by fingerprinting devices used to connect to the internet we could achieve better accountability. Fingerprinting is considered a necessary practice to fight challenges such as fake accounts and the misuse of internet services. However, online fingerprinting is also being used to track users.

Advertising 290

Advertising Internet Internet Accountability 290

Schneier on Security

JUNE 1, 2020

Abstract: To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other accounts. Of the 249 participants, 63 had accounts on breached domains;only 33% of the 63 changed their passwords and only 13% (of 63)did so within three months of the announcement.

Passwords 230

Passwords Accountability 230

Adam Levin

JUNE 4, 2021

Upon publication of this article, the Exagrid website still touted seven industry awards for work in the area of ransomware recovery solution, but this attack will harm its reputation, proving once again that no one is immune from the scourge of a well-targeted attack. We are in the midst of an ongoing ransomware epidemic.

Ransomware 289

Ransomware Backups Insurance Healthcare 289

Schneier on Security

JANUARY 31, 2019

This means that an attacker could get full access to all account information and all watch information. News article. Changing that value to another number gave super admin access throughout the platform. The system failed to validate that the user had the appropriate permission to take admin control!

Passwords 268

Passwords Accountability 268

The Hacker News

OCTOBER 10, 2024

This activity encompassed debugging malware, writing articles for websites, generating biographies for social media accounts, and creating AI-generated profile pictures for fake accounts on X.

Cybercrime 134

Cybercrime Media Accountability Malware 134

Troy Hunt

NOVEMBER 22, 2019

For example, there's Dun & Bradstreet's NetProspex which leaked 33M records in 2017 , Exactis who had 132M records breached last year and the Apollo data breach which exposed 126M accounts, one of which was my own. The vast majority of people want to know where their data has been exposed. Well, almost nothing.

Data breaches 361

Data breaches Technology Software Accountability 361

Schneier on Security

APRIL 7, 2020

Tricks like business email compromise, where an employee gets a fake email from a senior executive asking him to transfer money to some account, will be more successful when the employee can't walk down the hall to confirm the email's validity -- and when everyone is distracted and so many other things are being done differently.

Cybersecurity 276

Cybersecurity VPN Scams Phishing 276

Krebs on Security

DECEMBER 2, 2021

NYSE:UI] disclosed that a breach at a third party cloud provider had exposed customer account credentials. 24, he reportedly maintained his innocence and told agents someone else must have used his Paypal account to purchase the Surfshark VPN subscription. In January 2021, technology vendor Ubiquiti Inc.

VPN 259

VPN Internet Internet Accountability 259