Schneier on Security

OCTOBER 2, 2018

From Kashmir Hill : Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn't hand over at all, but that was collected from other people's contact books, a hidden layer of details Facebook has about you that I've come to call "shadow contact information.

Advertising 279

Advertising Authentication Accountability Adware 279

Krebs on Security

OCTOBER 2, 2018

A ridiculous number of companies are exposing some or all of their proprietary and customer data by putting it in the cloud without any kind of authentication needed to read, alter or destroy it. When cybercriminals are the first to discover these missteps, usually the outcome is a demand for money in return for the stolen data. But when these screw-ups are unearthed by security professionals seeking to make a name for themselves, the resulting publicity often can leave the breached organization

Data breaches 220

Data breaches Passwords Internet Internet 220

Adam Levin

OCTOBER 31, 2018

The U.S. Justice Department announced charges against ten Chinese intelligence agents for hacking into computer systems belonging to U.S. and international companies to steal aerospace technology and data. The indictment , revealed earlier this week accuses agents working for the Jiangsu Province Ministry of State Security (JSSD) of conspiring “to steal sensitive commercial technological, aviation, and aerospace data by hacking into computers in the United States and abroad.”.

Government 213

Government Hacking Engineering Technology 213

Troy Hunt

OCTOBER 2, 2018

I take more pleasure than I probably should in watching the bewilderment within organisations as the technology landscape rapidly changes and rushes ahead of them. Perhaps "pleasure" isn't the right word, is it more "amusement"? Or even "curiosity"? Whichever it is, I find myself rhetorically asking "so you just expected everything to stay the same forever, did you?

Banking 196

Banking Technology Encryption Phishing 196

Advertisement

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Passwords

Adam Shostack

OCTOBER 12, 2018

I have regularly asked why we don’t know more about the Equifax breach, including in comments in “ That Was Close! Reward Reporting of Cybersecurity ‘Near Misses’ ” These questions are not intended to attack Equifax. Rather, we can use their breach as a mirror to reflect, and ask questions about how defenses work, and learn things we can bring to our own systems.

Encryption 189

Encryption Passwords Software Cybersecurity 189

The Last Watchdog

OCTOBER 17, 2018

Being the obvious target that it is, the U.S. Department of Defense presumably has expended vast resources this century on defending its digital assets from perennial cyber attacks. Related: Why carpet bombing email campaigns endure. And yet two recent disclosures highlight just how brittle the military’s cyber defenses remain in critical areas. By extension these developments are yet another reminder of why constantly monitoring and proactively defending business networks must be a prime direct

Data breaches 178

Data breaches Architecture Government Accountability 178

Krebs on Security

OCTOBER 9, 2018

What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act? If ever there were a technology giant that deserved to be named and shamed for polluting the Web, it is Xiongmai — a Chinese maker of electronic parts that power a huge percentage of cheap digital video recorders (DVRs) and Internet-connected security cameras.

Computers and Electronics 214

Computers and Electronics IoT Passwords Internet 214

Adam Levin

OCTOBER 16, 2018

The credit card data and travel records of roughly 30,000 employees of the U.S. Defense Department have been compromised in a data breach. The hack was first detected on October 4th, but may have occurred months ago and could have affected more accounts than initially reported. Despite this, the Pentagon has tried to downplay the potentially wider scope of the incident.

Data breaches 210

Data breaches Accountability Government Hacking 210

Troy Hunt

OCTOBER 13, 2018

I'm in Texas! And I've had enough BBQ to last me a very long time. I'm here doing a couple of speaking events and other related things as well as taking some time out with my wife to see the sites. As such, it's a bit quieter this week but there's still a couple of things I reckon are worthy of discussion. Just before jumping on the plane over here I pushed out a blog post on how my approach to callbacks in HIBP broke Mozilla's service which in turn broke my Azure Function.

InfoSec 187

InfoSec Authentication 187

Adam Shostack

OCTOBER 4, 2018

A few weeks ago, I talked about “ reflective practice in threat modeling “, thinking about how we approach the problems we face, and asking if our approaches are the best we can do. Sometimes it’s hard to reflect. It’s hard to face the mirror and say ‘could I have done that better?’ That’s human nature. Sometimes, it can be easier to learn from an analogy, and I’ll again go to physical buildings as a source.

Architecture 145

Architecture 145

Advertisement

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Software

The Last Watchdog

OCTOBER 29, 2018

The United States has experienced the most cybersecurity breaches in the world and the Equifax Breach was one of the first to be considered a “mega breach.”. The headlines immediately attempted to lay the blame, in large part, on the fact that Equifax’s chief information security officer was a music major and did not have a background in technology.

Data privacy 164

Data privacy Data breaches Insurance Information Security 164

Schneier on Security

OCTOBER 15, 2018

If you're an American of European descent, there's a 60% you can be uniquely identified by public information in DNA databases. This is not information that you have made public; this is information your relatives have made public. Research paper : "Identity inference of genomic data using long-range familial searches." Abstract: Consumer genomics databases have reached the scale of millions of individuals.

264

264

Krebs on Security

OCTOBER 12, 2018

Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager , senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain security, and I asked Sager whether he’d heard anything about rumors that Supermicro — a high tech firm in San Jose, Calif. — had allegedly inserted hardware backdoors in technology s

Computers and Electronics 211

Computers and Electronics Internet Internet Technology 211

Adam Levin

OCTOBER 8, 2018

Amazon revealed a breach of customer data last week, but it wasn’t a data breach of the usual variety. Rather than falling prey to a cyberattack or having hackers exploit unsecured code, customer emailed addresses were leaked by an employee to an online reseller in exchange for money. What you need to know: 1.) A crime was committed, and 2.) It still counts as a data compromise.

Data breaches 209

Data breaches Accountability 209

Advertisement

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Troy Hunt

OCTOBER 19, 2018

Last one before home time! But it has been an epic trip and as I say in the video, this is by far my most enjoyable trip to the US yet after probably a dozen over the last few years (that includes Hawaii, too). Given the interest after my pointing out a couple of little differences in the US compared to the rest of the world last week, after the usual tech and infosec intro this week I decided to focus a big whack of this week's video on what some of differences look like.

InfoSec 177

InfoSec Scams Data breaches Internet 177

Adam Shostack

OCTOBER 2, 2018

I had not seen this interesting letter (August 27, 2018) from the House Energy and Commerce Committee to DHS about the nature of funding and support for the CVE. This is the sort of thoughtful work that we hope and expect government departments do, and kudos to everyone involved in thinking about how CVE should be nurtured and maintained.

Government 140

Government Information Security 140

The Last Watchdog

OCTOBER 22, 2018

Tel Aviv, Israel-based Silverfort continues to make inroads into proving the efficacy of its innovative approach to multi-factor authentication, or MFA, in corporate settings. Related: Why a ‘zero-trust’ approach to security is necessary. One recent validation comes from two long established, and much larger cybersecurity vendors – Checkpoint and Palo Alto Networks – that have recently begun integrating Silverfort’s innovative MFA solution into their respective malware detection and

Authentication 160

Authentication Digital transformation IoT Risk 160

Schneier on Security

OCTOBER 4, 2018

Bloomberg is reporting about a Chinese espionage operating involving inserting a tiny chip into computer products made in China. I've written ( alternate link ) this threat more generally. Supply-chain security is an insurmountably hard problem. Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product.

263

263

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Krebs on Security

OCTOBER 25, 2018

The fraudsters behind the often laughable Nigerian prince email scams have long since branched out into far more serious and lucrative forms of fraud, including account takeovers, phishing, dating scams, and malware deployment. Combating such a multifarious menace can seem daunting, and it calls for concerted efforts to tackle the problem from many different angles.

Scams 211

Scams Accountability Media Banking 211

Adam Levin

OCTOBER 10, 2018

High-profile Instagram accounts are being targeted by ransomware attacks and phishing schemes, with evidence suggesting that many account holders are paying the attackers. According to a Motherboard report, hackers are infiltrating and gaining access to Instagram accounts by posing as representatives from branding giants to purport a proposed partnership with the victim.

Accountability 195

Accountability Ransomware Media Phishing 195

Troy Hunt

OCTOBER 5, 2018

It's another "business as usual" week; past events, upcoming events, major security news, someone forgetting to renew a certificate and a new Pluralsight course. Actually, thinking about it more, this is possibly the most normal week I can remember, which is kinda disconcerting considering the (potential) impact of some of that news. Next week I'll be back in the US and in Texas so the schedule may be a little erratic, but I'll do what I can to pump out another update on time and with more of th

157

157

Adam Shostack

OCTOBER 16, 2018

I’m pleased to be able to share work that Shostack & Associates and the Cyentia Institute have been doing for the Global Cyber Alliance. In doing this, we created some new threat models for email, and some new statistical analysis of. It shows the 1,046 domains that have successfully activated strong protection with GCA’s DMARC tools will save an estimated $19 million to $66 million dollars from limiting BEC for the year of 2018 alone.

124

124

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

The Last Watchdog

OCTOBER 8, 2018

“May you live in interesting times.” The old Chinese proverb–some consider it a blessing and others a curse–certainly describes the modern-day cyber landscape. Related: 7 attacks that put us at the brink of cyber war. In today’s geopolitical terrain, nation-state backed cyber criminals are widening their targets and starting to zero in on their adversaries’ business and industrial sectors, using more and more sophisticated weaponry to do so.

Technology 147

Technology Cyber Attacks Internet Internet 147

Schneier on Security

OCTOBER 24, 2018

This is a long -- and somewhat technical -- paper by Chris C. Demchak and Yuval Shavitt about China's repeated hacking of the Internet Border Gateway Protocol (BGP): " China's Maxim ­ Leave No Access Point Unexploited: The Hidden Story of China Telecom's BGP Hijacking.". BGP hacking is how large intelligence agencies manipulate Internet routing to make certain traffic easier to intercept.

Hacking 258

Hacking Internet Internet 258

Krebs on Security

OCTOBER 22, 2018

A powerful, easy-to-use password stealing program known as Agent Tesla has been infecting computers since 2014, but recently this malware strain has seen a surge in popularity — attracting more than 6,300 customers who pay monthly fees to license the software. Although Agent Tesla includes a multitude of features designed to help it remain undetected on host computers, the malware’s apparent creator seems to have done little to hide his real-life identity.

Software 210

Software Accountability Malware Healthcare 210

Adam Levin

OCTOBER 22, 2018

The personal information of roughly 75,000 people was leaked in a data breach of the Healthcare.gov system October 13. The centers for Medicare and Medicaid Services announced the breach October 19, after detecting “anomalous activity in the Federally Facilitated Exchanges,” but offered assurances that Healthcare.gov is still active and operational.

Healthcare 180

Healthcare Data breaches Ransomware Government 180

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

WIRED Threat Level

OCTOBER 31, 2018

A series of high-profile cases involving alleged Chinese recruits shows how the country identifies and develops potential spies stateside.

111

111

Adam Shostack

OCTOBER 29, 2018

Ron Woerner had me on as a guest in his business of security podcast series. It was fun to tease out some of the business justifications for threat modeling, and the podcast is now live at itunes. You can learn more about the series at Business of Security Podcast Series.

113

113

The Last Watchdog

OCTOBER 15, 2018

It is disheartening, but not at all surprising, that hackers continue to pull off successful breaches of well-defended U.S. government strategic systems. Related podcast: Cyber attacks on critical systems have only just begun. On Friday, Oct. 12, the Pentagon disclosed that intruders breached Defense Department travel records and compromised the personal information and credit card data of U.S. military and civilian personnel.

Risk 133

Risk Government Cyber Attacks Authentication 133

Schneier on Security

OCTOBER 22, 2018

IoT devices are surveillance devices, and manufacturers generally use them to collect data on their customers. Surveillance is still the business model of the Internet, and this data is used against the customers' interests: either by the device manufacturer or by some third-party the manufacturer sells the data to. Of course, this data can be used by the police as well; the purpose depends on the country.

IoT 251

IoT Surveillance Manufacturing Internet 251

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity