Schneier on Security

FEBRUARY 12, 2019

276

276

Krebs on Security

FEBRUARY 18, 2019

The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy.

DNS 271

DNS Internet Internet Government 271

Adam Levin

FEBRUARY 18, 2019

Facebook’s long string of privacy scandals may (finally) have some meaningful repercussions by way of a multi-billion dollar fine from the Federal Trade Commission. The social media giant has been under investigation by the FTC since March 2018 in the wake of the Cambridge Analytica scandal, which affected 87 million users and may have been a pivotal influence in the 2016 election campaign.

Media 248

Media Technology Government 248

Adam Shostack

FEBRUARY 9, 2019

The Seattle Times has a story today about how “ 50 years ago today, the first 747 took off and changed aviation.” It’s true. The 747 was a marvel of engineering and luxury. The book by Joe Sutter is a great story of engineering leadership. For an upcoming flight, I paid extra to reserve an upper deck seat before the last of the passenger-carrying Queens of the Skies retires.

Engineering 223

Engineering Mobile Government 223

Advertisement

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Passwords

Troy Hunt

FEBRUARY 11, 2019

A race to the bottom is a market condition in which there is a surplus of a commodity relative to the demand for it. Often the term is used to describe labour conditions (workers versus jobs), and in simple supply and demand terms, once there's so much of something all vying for the attention of those consuming it, the value of it plummets. On reflecting over the last 3 and a half weeks, this is where we seem to be with credential stuffing lists today and I want to use this blog post to explain

Passwords 208

Passwords Data breaches Media InfoSec 208

The Last Watchdog

FEBRUARY 25, 2019

As companies make more extensive use of evermore capable – and complex — digital systems, what has remained constant is the innumerable paths left wide open for threat actors to waltz through. Related: Applying ‘zero trust’ to managed security services. So why hasn’t the corporate sector been more effective at locking down access for users?

Government 169

Government Authentication Technology Data breaches 169

Krebs on Security

FEBRUARY 21, 2019

Fraud investigators say they’ve uncovered a sophisticated new breed of credit card skimmers being installed at gas pumps that is capable of relaying stolen card data via mobile text message, thereby enabling fraudsters to collect it from anywhere in the world. One interesting component of this criminal innovation is a small cellphone and Bluetooth-enabled device hidden inside the contactless payment terminal of the pump, which appears to act as a Bluetooth hub that wirelessly gathers card

Wireless 270

Wireless Mobile Accountability Technology 270

Adam Levin

FEBRUARY 27, 2019

The infrastructure at the core of the internet is vulnerable to attack from state-sponsored hackers, its governing body warned. . The Internet Corporation for Assigned Names and Numbers (ICANN), charged with overseeing Domain Name Systems (DNS), published an announcement that companies have moved too slowly to adopt security standards that would have mitigated several recent large-scale cyberattacks.

DNS 183

DNS Internet Internet Technology 183

Adam Shostack

FEBRUARY 6, 2019

Josh Corman opened a bit of a can of worms a day or two ago, asking on Twitter: “ pls RT: who are the 3-5 best, most natural Threat Modeling minds? Esp for NonSecurity people. @adamshostack is a given. ” (Thanks!). What I normally say to this is I don’t think I’m naturally good at finding replay attacks in network protocols — my farming ancestors got no chance to exercise such talents, and so it’s a skill I acquired.

162

162

Troy Hunt

FEBRUARY 16, 2019

Another week, another conference. This time it was Microsoft Ignite in Sydney and as tends to happen at these events, many casual meetups, chats, beers, selfies, delivery of HIBP stickers and an all-round good time, albeit an exhausting one. That's why I'm a day late this week having finally arrived home late last night. Moving on though, I've got a bunch of other events coming up particularly in conjunctions with the folks at NDC.

Data breaches 197

Data breaches Hacking 197

Advertisement

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Software

The Last Watchdog

FEBRUARY 1, 2019

Some chilling hard evidence has surfaced illustrating where stolen personal information ultimately ends up, once it has flowed through the nether reaches of the cyber underground. Wired magazine reported this week on findings by independent security researchers who have been tracking the wide open availability of a massive cache of some 2.2 billion stolen usernames, passwords and other personal data.

Small Business 164

Small Business Passwords Authentication Accountability 164

Schneier on Security

FEBRUARY 28, 2019

After years of claiming that the Terrorist Screening Database is kept secret within the government, we have now learned that the DHS shares it "with more than 1,400 private entities, including hospitals and universities.". Critics say that the watchlist is wildly overbroad and mismanaged, and that large numbers of people wrongly included on the list suffer routine difficulties and indignities because of their inclusion.

Government 224

Government 224

Krebs on Security

FEBRUARY 8, 2019

A highly targeted, malware-laced phishing campaign landed in the inboxes of multiple credit unions last week. The missives are raising eyebrows because they were sent only to specific anti-money laundering contacts at credit unions, and many credit union sources say they suspect the non-public data may have been somehow obtained from the National Credit Union Administration (NCUA), an independent federal agency that insures deposits at federally insured credit unions.

Phishing 265

Phishing Insurance Scams Banking 265

Adam Levin

FEBRUARY 11, 2019

A phishing campaign targeting credit unions and other financial institutions recently found its way into the email inboxes of anti-money laundering officers. Credit unions and banks are both required by the Bank Secrecy Act (BSA) to report potential money laundering operations and to dedicate at least two staff members to ensure compliance. The phishing emails seemed to specifically target the accounts of these BSA officers, which raises the concern that a database containing their information m

Phishing 181

Phishing Banking Accountability Malware 181

Advertisement

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Adam Shostack

FEBRUARY 13, 2019

I did a podcast with Mark Miller over at DevSecOps days. It was a fun conversation, and you can have a listen at “ Anticipating Failure through Threat Modeling w/ Adam Shostack.

145

145

Troy Hunt

FEBRUARY 1, 2019

I'm pumping this weekly update out a little bit later, pushing it just before I get on the plane back home to Australia. I've just wrapped up a week in London with Scott doing all things NDC including a couple of days of workshops and a couple of talks each. We discuss that, and how the UK seems to have an odd infatuation with doing anything that could even remotely be deemed a health and safety risk.

Risk 187

Risk 187

The Last Watchdog

FEBRUARY 6, 2019

We’re just a month and change into the new year, and already there have been two notable developments underscoring the fact that some big privacy and civil liberties questions need to be addressed before continuing the wide-scale deployment of advanced facial recognition systems. This week civil liberties groups in Europe won the right to challenge the UK’s bulk surveillance activities in the The Grand Chamber of the European Court of Human Rights.

Surveillance 157

Surveillance Technology Retail Artificial Intelligence 157

Schneier on Security

FEBRUARY 6, 2019

In Gmail addresses, the dots don't matter. The account "bruceschneier@gmail.com" maps to the exact same address as "bruce.schneier@gmail.com" and "b.r.u.c.e.schneier@gmail.com" -- and so on. (Note: I own none of those addresses, if they are actually valid.). This fact can be used to commit fraud : Recently, we observed a group of BEC actors make extensive use of Gmail dot accounts to commit a large and diverse amount of fraud.

Accountability 224

Accountability Scams 224

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Krebs on Security

FEBRUARY 12, 2019

Email provider VFEmail has suffered what the company is calling “catastrophic destruction” at the hands of an as-yet unknown intruder who trashed all of the company’s primary and backup data in the United States. The firm’s founder says he now fears some 18 years’ worth of customer email may be gone forever. Founded in 2001 and based in Milwaukee, Wisc., VFEmail provides email service to businesses and end users.

Hacking 264

Hacking DDOS Backups Accountability 264

Adam Levin

FEBRUARY 7, 2019

A recent leak compromised the personal data of all 4,557 active students at the California State Polytechnic University Science School. This was not a case of hackers gaining access through illicit means or an accidental exposure of an unsecured database. The data was inadvertently sent in a spreadsheet as an email attachment by a university employee.

Data breaches 168

Data breaches Passwords VPN Mobile 168

Adam Shostack

FEBRUARY 24, 2019

Chris Eng said “ Someone should set up a GoFundMe to send whoever wrote the hit piece on password managers to a threat modeling class. ” And while it’s pretty amusing, you know, I teach threat modeling classes. I spend a lot of time crafting explicit learning goals, considering and refining instructional methods, and so when a smart fellow like Chris says this, my question is why?

Password Management 138

Password Management Passwords Engineering Accountability 138

Troy Hunt

FEBRUARY 23, 2019

It was another travel week so another slightly delayed weekly update, but still plenty of stuff going on all the same. Along with a private Sydney workshop earlier on, I'm talking about some free upcoming NDC meetup events in Brisbane and Melbourne and I'd love to get a great turnout for. I've just ordered 10k more HIBP stickers to last me through upcoming events so they'll be coming with me.

Password Management 151

Password Management Passwords Risk 151

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

The Last Watchdog

FEBRUARY 27, 2019

Google, Facebook and Amazon have gotten filthy rich doing one thing extremely well: fixating on every move each one of us makes when we use our Internet-connected computing devices. Related: Protecting web gateways. The tech titans have swelled into multi-billion dollar behemoths by myopically focusing on delivering targeted online advertising, in support of online retailing.

Retail 138

Retail Digital transformation Advertising Software 138

Schneier on Security

FEBRUARY 13, 2019

I had not heard about this case before. Zurich Insurance has refused to pay Mondelez International's claim of $100 million in damages from NotPetya. It claims it is an act of war and therefor not covered. Mondelez is suing. Those turning to cyber insurance to manage their exposure presently face significant uncertainties about its promise. First, the scope of cyber risks vastly exceeds available coverage, as cyber perils cut across most areas of commercial insurance in an unprecedented manner: d

Cyber Insurance 216

Cyber Insurance Insurance Cyber Risk Risk 216

Krebs on Security

FEBRUARY 4, 2019

Godaddy.com , the world’s largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy’s fix hasn’t gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal.

DNS 249

DNS Ransomware Accountability Internet 249

Adam Levin

FEBRUARY 21, 2019

As Brexit looms, the UK and the EU can still agree that Facebook needs to be reined in. A report published earlier this month by the U.K. Digital, Culture, Media and Sport committee likened the social media company to “‘digital gangsters’ in the online world, considering themselves to be ahead of and beyond the law.” The committee came to the conclusion that Facebook knowingly violated U.K. privacy and anti-competition laws and required further regulation and investigation.

Marketing 158

Marketing Media Government 158

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Adam Shostack

FEBRUARY 28, 2019

I’m quite happy to say that my next Linkedin Learning course has launched! This one is all about spoofing. It’s titled “ Threat Modeling: Spoofing in Depth.” It’s free until at least a week after RSA. Also, I’m exploring the idea that security professionals lack a shared body of knowledge about attacks, and that an entertaining and engaging presentation of such a BoK could be a useful contribution.

124

124

Troy Hunt

FEBRUARY 8, 2019

I'm back home! It was an amazing trip in many ways, not least of which was the time it gave both Scott and myself to reflect on workload and managing lives which can be a bit of a never-ending series of commitments. To that effect, I've been backing off Twitter a bit and as I say in this update, I very quickly remembered why after a couple of short engagements yesterday.

Passwords 151

Passwords Personal Security 151

The Last Watchdog

FEBRUARY 12, 2019

Assuring the privacy and security of sensitive data, and then actually monetizing that data, — ethically and efficiently — has turned out to be the defining challenge of digital transformation. Today a very interesting effort to address this complex dilemma is arising from the ferment, out of the UK. It’s called Project Furnace , an all-new open source software development platform.

Digital transformation 124

Digital transformation Software Surveillance IoT 124

Schneier on Security

FEBRUARY 14, 2019

It's only a prototype, but this USB cable has an embedded Wi-Fi controller. Whoever controls that Wi-Fi connection can remotely execute commands on the attached computer.

216

216

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity