This site uses cookies to improve your experience. To help us insure we adhere to various privacy regulations, please select your country/region of residence. If you do not select a country, we will assume you are from the United States. Select your Cookie Settings or view our Privacy Policy and Terms of Use.
Cookie Settings
Cookies and similar technologies are used on this website for proper function of the website, for tracking performance analytics and for marketing purposes. We and some of our third-party providers may use cookie data for various purposes. Please review the cookie settings below and choose your preference.
Used for the proper function of the website
Used for monitoring website traffic and interactions
Cookie Settings
Cookies and similar technologies are used on this website for proper function of the website, for tracking performance analytics and for marketing purposes. We and some of our third-party providers may use cookie data for various purposes. Please review the cookie settings below and choose your preference.
Strictly Necessary: Used for the proper function of the website
Performance/Analytics: Used for monitoring website traffic and interactions
This is an interesting story of a serious vulnerability in a Huawei driver that Microsoft found. The vulnerability is similar in style to the NSA's DOUBLEPULSAR that was leaked by the Shadow Brokers -- believed to be the Russian government -- and it's obvious that this attack copied that technique. What is less clear is whether the vulnerability -- which has been fixed -- was put into the Huwei driver accidentally or on purpose.
Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data. Facebook is probing the causes of a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it
A couple of high-profile distributed denial-of-service (DDoS) attacks will surely go down in history as watershed events – each for different reasons. Related: IoT botnets now available for economical DDoS blasts. In March 2013, several impossibly massive waves of nuisance requests – peaking as high as 300 gigabytes per second— swamped Spamhaus , knocking the anti-spam organization off line for extended periods.
This will be short, ranty and to the point: these warnings are getting ridiculous: I know, tell you something you don't know! The whole ugly issue reared its head again on the weekend courtesy of the story in this tweet: I’m not sure if this makes it better or worse. “Cookie walls don't comply with GDPR, says Dutch DPA”: [link] — Troy Hunt (@troyhunt) March 8, 2019.
Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.
The email addresses and personal information of 982 million people were compromised in a leak from an unsecured database. The database belonged to Verifications.io, an “email validation service” that aggregates and sells information about the validity and associated personal data associated with email lists. Security researcher Bob Diachenko found the information in an unsecured 150GB-sized MongoDB database.
“ Cybersecurity is not very important ” is a new paper by the very smart Andrew Odlyzko. I do not agree with everything he says, but it’s worth reading and pondering if and why you disagree with it. I think I agree with it more than I disagree.
A university study confirmed the obvious: if you pay a random bunch of freelance programmers a small amount of money to write security software, they're not going to do a very good job at it. In an experiment that involved 43 programmers hired via the Freelancer.com platform, University of Bonn academics have discovered that developers tend to take the easy way out and write code that stores user passwords in an unsafe manner.
A university study confirmed the obvious: if you pay a random bunch of freelance programmers a small amount of money to write security software, they're not going to do a very good job at it. In an experiment that involved 43 programmers hired via the Freelancer.com platform, University of Bonn academics have discovered that developers tend to take the easy way out and write code that stores user passwords in an unsafe manner.
Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal , it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your, name, Social Security number and birthday.
Unless you decide to go Henry David Thoreau and shun civilization altogether, you can’t — and won’t — stop generating data , which sooner or later can be traced back to you. Related: The Facebook factor. A few weeks back I interviewed a white hat hacker. After the interview, I told him that his examples gave me paranoia. He laughed and responded, “There’s no such thing as anonymous data; it all depends on how determined the other party is.”.
I'm not intentionally pushing these out later than usual, but events have just been such over the last few weeks that it's worked out that way. This one really is a short one though as there hasn't been a lot of newsworthy stuff going on this week, other than the new Instamics I picked up which are rather cool. The audio recording did work well (I mentioned in the video I wasn't sure if it was functioning correctly), and it's pretty damn good quality for what it is.
Citrix, a major network software company, had its internal network compromised by what appears to be an international hacking campaign. The company was alerted to the cyberattack by the FBI earlier this month. “While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords.
The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.
Kaspersky Labs is reporting on a new supply chain attack they call "Shadowhammer.". In January 2019, we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack took place between June and November 2018 and according to our telemetry, it affected a large number of users. [.]. The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters' MAC addresses.
Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.
A common thread runs through the cyber attacks that continue to defeat the best layered defenses money can buy. Related: We’re in the midst of ‘cyber Pearl Harbor’ Peel back the layers of just about any sophisticated, multi-staged network breach and you’ll invariably find memory hacking at the core. In fact, memory attacks have quietly emerged as a powerful and versatile new class of hacking technique that threat actors in the vanguard are utilizing to subvert conventional IT s
Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.
Heaps of stuff going on this week with all sorts of different bits and pieces. I bought a massive new stash of HIBP stickers (1ok oughta last. a few weeks?), I'll be giving them out at a heap of upcoming events, I was on the Darknet Diaries podcast (which is epic!) plus there's more insights into the ShareThis data breach and the ginormous verifications.io incident.
A health company’s unprotected server exposed over six million health records in the last 12 months. Meditlab, an electronic medical record company, left a server for electronic faxes completely unprotected since bringing it online in March 2018. This meant that any information transmitted between medical offices, including records, doctor’s notes, prescriptions, and patient names, addresses, health insurance information and Social Security numbers were accessible to outside parties.
The fine folks at AppSecCali have posted videos , including my talks, A Seat At The Table, and Game On! Adding Privacy to Threat Modeling – Adam Shostack & Mark Vinkovits.
A recent experiment found all sorts of personal data left on used laptops and smartphones. This should come as no surprise. Simson Garfinkel performed the same experiment in 2003, with similar results.
Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.
On Feb. 21, 2019, KrebsOnSecurity contacted Italian restaurant chain Buca di Beppo after discovering strong evidence that two million credit and debit card numbers belonging to the company’s customers were being sold in the cybercrime underground. Today, Buca’s parent firm announced it had remediated a 10-month breach of its payment systems at dozens of restaurants, including some locations of its other brands such as Earl of Sandwich and Planet Hollywood.
There’s a frantic scramble going on among those responsible for network security at organizations across all sectors. Related: Why we’re in the Golden Age of cyber espionage. Enterprises have dumped small fortunes into stocking their SOCs (security operations centers) with the best firewalls, anti-malware suites, intrusion detection, data loss prevention and sandbox detonators money can buy.
From last week's update in Seattle to home to Sydney to back home and a late update (again). But regardless, I'm committed to continuing the cadence of doing these updates each week and 132 of them in, I'm yet to miss a week. This week it's a combination of more of the same (travel, events and data breaches), as well as more thoughts on the future of HIBP and Cloudflare's role when it comes to nasty content online.
The Federal Emergency Management Agency failed to properly protect the personal information of 2.3 million survivors of natural disasters. A partially redacted memo issued by the Office of the Inspector General of the Department of Homeland Security stated that FEMA released the personally identifiable information of 2.3 million survivors of hurricanes Harvey, Irma and Maria as well as the 2017 California wildfires to an unspecified contractor.
How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.
The Daily Beast is reporting that First Look Media -- home of The Intercept and Glenn Greenwald -- is shutting down access to the Snowden archives. The Intercept was the home for Greenwald's subset of Snowden's NSA documents since 2014, after he parted ways with the Guardian the year before. I don't know the details of how the archive was stored, but it was offline and well secured -- and it was available to journalists for research purposes.
Very often the most clever component of your typical ATM skimming attack is the hidden pinhole camera used to record customers entering their PINs. These little video bandits can be hidden 100 different ways, but they’re frequently disguised as ATM security features — such as an extra PIN pad privacy cover, or an all-in-one skimmer over the green flashing card acceptance slot at the ATM.
There are certain things we as consumers have come to do intuitively: brushing our teeth in the morning; looking both ways before crossing a city street; buckling up when we get into a car. Related: What needs to happen to enable driverless transportation — safely. In the not too distant future, each one of us will need to give pause, on a daily basis, to duly consider how we purchase and use Internet of Things devices and services.
In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.
Well that was a hell of a week of travel. Seriously, the Denver situation was just an absolute mess but when looking at the video from the day I was meant to fly in, maybe being stuck in LA wasn't such a bad thing after all: As of 1:30 p.m., all runways are closed, but the terminal & concourses are open. Airlines have cancelled flights for early afternoon/evening.
Florida police officer Leonel Marines resigned after a police investigation revealed the 12-year veteran of the Bradenton Police Department had been using police databases like a dating app to locate potential women for fun and maybe more. He’d been doing it for years. While it’s surprising this 5-0 Romeo actually got some dates playing fast and loose with his access to driver’s license and vehicle registration databases, the more shocking thing about this story is that it co
Commando VM — Turn Your Windows Computer Into A Hacking Machine. FireEye released Commando VM , a Windows-based security distribution designed for penetration testers that intend to use the Microsoft OS. FireEye released Commando VM , the Windows-based security distribution designed for penetration testing and red teaming. FireEye today released an automated installer called Commando VM (Complete Mandiant Offensive VM) , it is an automated installation script that turns a Windows operating sy
This isn't a security story, but it easily could have been. Last Saturday, Zipcar had a system outage : "an outage experienced by a third party telecommunications vendor disrupted connections between the company's vehicles and its reservation software.". That didn't just mean people couldn't get cars they reserved. Sometimes is meant they couldn't get the cars they were already driving to work: Andrew Jones of Roxbury was stuck on hold with customer service for at least a half-hour while he and
The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.
We organize all of the trending information in your field so you don't have to. Join 28,000+ users and stay up to date on the latest articles your peers are reading.
You know about us, now we want to get to know you!
Let's personalize your content
Let's get even more personalized
We recognize your account from another site in our network, please click 'Send Email' below to continue with verifying your account and setting a password.
279 
Let's personalize your content