Daniel Miessler

APRIL 20, 2021

Casey Ellis (of Bugcrowd fame) had a great post on Twitter today about security terminology. Casey also added that Acceptable Risk would be being willing to get punched in the face. threat actor = someone who wants to punch you in the face threat = the punch being thrown vulnerability = your inability to defend against the punch risk = the likelihood of getting punched in the face — cje (@caseyjohnellis) April 19, 2021.

Risk 335

Risk Information Security 335

Javvad Malik

APRIL 7, 2021

A few months ago, many people were riled up over the proposed updates to WhatsApp terms and conditions. The popular messaging service which was acquired by Facebook in 2014 for $16bn, was apparently updating its Ts and Cs which users had to either accept or choose to leave. While the whole thing seems to have fizzled out and people have forgotten everything, and Facebook smoothed things over by assuring everyone that their comms will remain encrypted.

Advertising 165

Advertising Internet Internet Mobile 165

Anton on Security

APRIL 28, 2021

What are you not detecting? OK, what threats are you NOT detecting? Still didn’t help? What I mean here is: are you thinking about these: Threats that you don’t need to detect due to your risk profile, your threat assessment, etc. Threats that you do need to detect, but don’t know how.

Threat Detection 124

Threat Detection InfoSec Ransomware Risk 124

Hot for Security

APRIL 19, 2021

A recent study analyzing the most effective social media phishing scams shows that LinkedIn-related emails were among the most successful entry points in the first quarter of 2021. According to KnowBe4’s simulated phishing tests report, 42% of employees will click on email subjects posing as authentic LinkedIn correspondence. “LinkedIn phishing messages have dominated the social media category for the last three years,” the report said.

Scams 134

Scams Media Phishing Passwords 134

Advertisement

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Passwords

SecureBlitz

APRIL 5, 2021

As a business, your website is your online headquarters. A security breach on your website is equal to someone breaking into your office and stealing your business records and information about your customers. This is risky as the thief could do anything with this data to implicate you and your customers. That’s not something you’ll. The post 6 Most Common Web Security Vulnerabilities (And How To Tackle Them) appeared first on SecureBlitz Cybersecurity.

Cybersecurity 117

Cybersecurity Hacking 117

Bleeping Computer

APRIL 23, 2021

Click Studios, the company behind the Passwordstate password manager, notified customers that attackers compromised the app's update mechanism to deliver malware in a supply-chain attack after breaching its networks. [.].

Password Management 145

Password Management Passwords Hacking Malware 145

Troy Hunt

APRIL 6, 2021

The headline is pretty self-explanatory so in the interest of time, let me just jump directly into the details of how this all works. There's been huge interest in this incident, and I've seen near-unprecedented traffic to Have I Been Pwned (HIBP) over the last couple of days, let me do my best to explain how I've approached the phone number search feature.

Accountability 364

Accountability Risk 364

Schneier on Security

APRIL 26, 2021

If you don’t have enough to worry about already, consider a world where AIs are hackers. Hacking is as old as humanity. We are creative problem solvers. We exploit loopholes, manipulate systems, and strive for more influence, power, and wealth. To date, hacking has exclusively been a human activity. Not for long. As I lay out in a report I just published , artificial intelligence will eventually find vulnerabilities in all sorts of social, economic, and political systems, and then exploit

Hacking 363

Hacking Artificial Intelligence Government Engineering 363

Joseph Steinberg

APRIL 6, 2021

While ransomware may seem like a straightforward concept, people who are otherwise highly-knowledgeable seem to cite erroneous information about ransomware on a regular basis. As such, I would like to point out 8 essential points about ransomware. 1. Paying a demanded ransom may not get you your files back, and may not prevent a leak of your information.

Ransomware 318

Ransomware Computers and Electronics Backups Artificial Intelligence 318

Daniel Miessler

APRIL 8, 2021

I was on Twitter the other day and saw someone suggest that we could fix people paying ransoms by making it illegal for them to do so. I was a bit flippant with my response. The person making the argument appears to be a serious security professional acting in good faith, and my response was below my standard for civil discourse. Apologies @VickerySec.

Ransomware 268

Ransomware Marketing Government Information Security 268

Advertisement

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Software

Lohrman on Security

APRIL 18, 2021

CISO 254

CISO 254

Krebs on Security

APRIL 12, 2021

Someone is selling account information for 21 million customers of ParkMobile , a mobile parking app that’s popular in North America. The stolen data includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses. KrebsOnSecurity first heard about the breach from Gemini Advisory , a New York City based threat intelligence firm that keeps a close eye on the cybercrime forums.

Mobile 363

Mobile Passwords Accountability Cybercrime 363

Troy Hunt

APRIL 29, 2021

Today I'm very happy to announce the arrival of the 15th government to Have I Been Pwned, Romania. As of now, CERT-RO has access to query all Romanian government domains across HIBP and subscribe them for future notifications when subsequent data breaches affect aliases on those domains. Romania joins a steadily growing number of governments across the globe to have free and unrestricted access to API-based domain searches for their assets in HIBP.

Government 359

Government Data breaches 359

Schneier on Security

APRIL 14, 2021

In January, we learned about a Chinese espionage campaign that exploited four zero-days in Microsoft Exchange. One of the characteristics of the campaign, in the later days when the Chinese probably realized that the vulnerabilities would soon be fixed, was to install a web shell in compromised networks that would give them subsequent remote access.

363

363

Advertisement

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Joseph Steinberg

APRIL 7, 2021

Back in 2015 and 2017, I ran articles in Inc. about various innovative Israeli startups , in which I featured firms that I selected based on numerous discussions that I had had with tech-company CEOs and with journalists who cover the Israeli startup scene. For various reasons, when I wrote those two pieces, I intentionally featured innovators from outside of the information-security sector.

Cybersecurity 246

Cybersecurity Small Business IoT Computers and Electronics 246

Tech Republic Security

APRIL 6, 2021

IDs, names, email addresses and more personal details are part of the massive database of stolen data, which could be used to launch additional attacks on LinkedIn and its users.

218

218

Lohrman on Security

APRIL 11, 2021

234

234

Krebs on Security

APRIL 6, 2021

Ne’er-do-wells leaked personal data — including phone numbers — for some 553 million Facebook users this week. Facebook says the data was collected before 2020 when it changed things to prevent such information from being scraped from profiles. To my mind, this just reinforces the need to remove mobile phone numbers from all of your online accounts wherever feasible.

Mobile 360

Mobile Accountability Passwords Authentication 360

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Troy Hunt

APRIL 9, 2021

"What a s**t week". I stand by that statement in the opening couple of minutes of the video and I write this now at midday on Saturday after literally falling asleep on the couch. The Facebook incident just dominated; everything from processing data to writing code to dozens of media interviews. And I ran a workshop over 4 half days. And had 2 lots of guests visiting.

Media 355

Media 355

Schneier on Security

APRIL 9, 2021

Unknown hackers attempted to add a backdoor to the PHP source code. It was two malicious commits , with the subject “fix typo” and the names of known PHP developers and maintainers. They were discovered and removed before being pushed out to any users. But since 79% of the Internet’s websites use PHP, it’s scary. Developers have moved PHP to GitHub, which has better authentication.

Authentication 362

Authentication Internet Internet Hacking 362

The Last Watchdog

APRIL 21, 2021

Google was absolutely right to initiate a big public push a couple of years ago to make HTTPS Transport Layer Security (TLS) a de facto standard. Related: Malicious activity plagues the cloud services. At the time, in the spring of 2018, only 25 percent of commercial websites used HTTPS; today adoption is at 98 percent and rising. Far beyond just protecting websites, TLS has proven to be a linchpin of network-level communications across the board.

Malware 214

Malware Firewall Encryption Digital transformation 214

Tech Republic Security

APRIL 27, 2021

Two email campaigns discovered by Armorblox impersonated Chase in an attempt to steal login credentials.

Banking 218

Banking Phishing 218

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Lohrman on Security

APRIL 25, 2021

As we emerge from the worst pandemic in a century, many public- and private-sector employees and employers are reassessing their options within technology and cybersecurity roles.

Marketing 221

Marketing Technology Cybersecurity 221

Krebs on Security

APRIL 26, 2021

In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer’s request to freeze their credit file at Experian , one of the big three consumer credit bureaus in the United States. Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian’s website, and it reminded me of how truly broken authentication and security remains in the credit bureau space.

Authentication 350

Authentication Accountability Identity Theft Account Security 350

Troy Hunt

APRIL 26, 2021

Earlier this year, the FBI in partnership with the Dutch National High Technical Crimes Unit (NHTCU), German Federal Criminal Police Office (BKA) and other international law enforcement agencies brought down what Europol rereferred to as the world's most dangerous malware: Emotet. This strain of malware dates back as far as 2014 and it became a gateway into infected machines for other strains of malware ranging from banking trojans to credential stealers to ransomware.

Malware 346

Malware Passwords Banking Password Management 346

Schneier on Security

APRIL 15, 2021

The office of the Director of National Intelligence released its “ Annual Threat Assessment of the U.S. Intelligence Community.” Cybersecurity is covered on pages 20-21. Nothing surprising: Cyber threats from nation states and their surrogates will remain acute. States’ increasing use of cyber operations as a tool of national power, including increasing use by militaries around the world, raises the prospect of more destructive and disruptive cyber activity.

Surveillance 360

Surveillance Cyber threats Government Software 360

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

The Last Watchdog

APRIL 21, 2021

How do you bring a $9 billion-a-year, digitally-agile corporation to a grinding halt? Related: Why it’s vital to secure IoT. Ask Spotify. When the popular streaming audio service went offline globally, last August, we saw a glimpse of just how tenuous digital transformation sometimes can be. Someone reportedly forgot to renew Spotify’s TLS certificate.

Digital transformation 214

Digital transformation Encryption Authentication Government 214

Tech Republic Security

APRIL 20, 2021

As the use of cryptocurrency increases, so does the risk of being a target for scammers. Tom Merritt offers five tips for defending against cryptocurrency scams.

Cryptocurrency 216

Cryptocurrency Scams Risk 216

Lohrman on Security

APRIL 4, 2021

Cybersecurity 221

Cybersecurity 221

Krebs on Security

APRIL 4, 2021

For four days this past week, Internet-of-Things giant Ubiquiti did not respond to requests for comment on a whistleblower’s allegations the company had massively downplayed a “catastrophic” two-month breach ending in January to save its stock price, and that Ubiquiti’s insinuation that a third-party was to blame was a fabrication.

Authentication 345

Authentication IoT Accountability Passwords 345

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity