Troy Hunt

JUNE 10, 2019

Back in 2013, I was beginning to get the sense that data breaches were becoming a big thing. The prevalence of them seemed to be really ramping up as was the impact they were having on those of us that found ourselves in them, myself included. Increasingly, I was writing about what I thought was a pretty fascinating segment of the infosec industry; password reuse across Gawker and Twitter resulting in a breach of the former sending Acai berry spam via the latter.

Data breaches 278

Data breaches Passwords InfoSec Accountability 278

Schneier on Security

JUNE 28, 2019

Today is my last day at IBM. If you've been following along, IBM bought my startup Resilient Systems in Spring 2016. Since then, I have been with IBM, holding the nicely ambiguous title of "Special Advisor." As of the end of the month, I will be back on my own. I will continue to write and speak, and do the occasional consulting job. I will continue to teach at the Harvard Kennedy School.

Technology 275

Technology 275

Krebs on Security

JUNE 4, 2019

Medical testing giant LabCorp. said today personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm. That third party — the American Medical Collection Agency (AMCA) — also recently notified competing firm Quest Diagnostics that an intrusion in its payments Web site exposed personal, financial and medical data on nearly 12 million Quest patients.

Insurance 272

Insurance Banking Accountability Data privacy 272

The Last Watchdog

JUNE 10, 2019

Locking down firmware. This is fast becoming a profound new security challenge for all companies – one that can’t be pushed to a side burner. Related: The rise of ‘memory attacks’ I’m making this assertion as federal authorities have just commenced steps to remove and replace switching gear supplied, on the cheap, to smaller U.S. telecoms by Chinese tech giant Huawei.

Firmware 233

Firmware Cybersecurity Technology Engineering 233

Advertisement

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Passwords

Adam Shostack

JUNE 26, 2019

Bruce Marshall has put together a comparison of OWASP ASVS v3 and v4 password requirements: OWASP ASVS 3.0 & 4.0 Comparison. This is useful in and of itself, and is also the sort of thing that more standards bodies should do, by default. It’s all too common to have a new standard come out without clear diffs. It’s all too common for new standards to build closely on other standards, without clearly saying what they’ve altered and why.

Passwords 140

Passwords 140

Adam Levin

JUNE 4, 2019

At least 11 million public and private photographs were found on an unsecured database connected to an online photo sharing service. Researchers from VPNMentor discovered an online database that they traced back to Theta360, a photo service specializing in panoramic photos taken with Ricoh-brand cameras. The unsecured data contained photographs, usernames, full names, and photo captions, including those marked by users as private.

IoT 127

IoT Engineering 127

Schneier on Security

JUNE 21, 2019

In 2017, some Android phones came with a backdoor pre-installed : Criminals in 2017 managed to get an advanced backdoor preinstalled on Android devices before they left the factories of manufacturers, Google researchers confirmed on Thursday. Triada first came to light in 2016 in articles published by Kaspersky here and here , the first of which said the malware was "one of the most advanced mobile Trojans" the security firm's analysts had ever encountered.

Firmware 268

Firmware Manufacturing Malware Mobile 268

Krebs on Security

JUNE 27, 2019

A digital intrusion at PCM Inc. , a major U.S.-based cloud solution provider, allowed hackers to access email and file sharing systems for some of the company’s clients, KrebsOnSecurity has learned. El Segundo, Calif. based PCM [ NASDAQ:PCMI ] is a provider of technology products, services and solutions to businesses as well as state and federal governments.

Retail 267

Retail Hacking Technology Government 267

The Last Watchdog

JUNE 4, 2019

There’s oil in the state of Maryland – “cyber oil.” With the largest concentration of cybersecurity expertise –– the “oil” — in the world, Maryland is fast changing from the Old Line State into “Cybersecurity Valley.” Related: Port Covington cyber hub project gets underway That’s because Maryland is home to more than 40 government agencies with extensive cyber programs, including the National Security Agency, National Institute of Standards and Technology, Defense Information Systems

Cybersecurity 193

Cybersecurity Computers and Electronics Technology Marketing 193

Thales Cloud Protection & Licensing

JUNE 18, 2019

As organizations move more of their sensitive data to cloud platforms for the efficiency, flexibility and scalability that it promises, security and control continue to be a significant obstacle to this adoption. Although the 2019 Thales Data Threat Report-Global Edition tells us that 90% of organizations report using the cloud and 71% say they are using sensitive data in cloud environments, it also finds that, globally, 60% of organizations surveyed have been breached at some point in their his

Encryption 127

Encryption Big data Data breaches Threat Reports 127

Advertisement

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Software

Adam Levin

JUNE 3, 2019

Quest Diagnostics, a leading American clinical laboratory company, announced today that 11.9 million patients may have been compromised in a vendor-related incident. A statement released by Quest revealed that an “unauthorized user” had gained access to a system used by American Medical Collection Agency (AMCA), a billing vendor subcontracted by a Quest contractor called Optum360.

Big data 125

Big data Data breaches 125

Troy Hunt

JUNE 7, 2019

I made it to the Infosecurity hall of fame! Yesterday was an absolutely unreal experience that was enormously exciting: It was an absolute honour to induct the fantastic @troyhunt into the @Infosecurity @InfosecurityMag Hall of Fame today at #Infosec19. Troy is a credit to our industry and also a really great guy. Congrats Troy, so well deserved ????

Data breaches 187

Data breaches 187

Schneier on Security

JUNE 19, 2019

Stuart Schechter writes about the security risks of using a password manager. It's a good piece, and nicely discusses the trade-offs around password managers: which one to choose, which passwords to store in it, and so on. My own Password Safe is mentioned. My particular choices about security and risk is to only store passwords on my computer -- not on my phone -- and not to put anything in the cloud.

Password Management 263

Password Management Passwords Risk 263

Krebs on Security

JUNE 25, 2019

Earlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices. Google didn’t exactly name those responsible, but said it believes the offending vendor uses the nicknames “ Yehuo ” or “ Blazefire.” What follows is a deep dive into the identity of that Chinese vendor, which appears to have a long and storied history of pushing the envelope on mobile mal

Mobile 257

Mobile Technology Manufacturing Malware 257

Advertisement

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

The Last Watchdog

JUNE 24, 2019

Social Engineering 176

Social Engineering Engineering 176

Adam Shostack

JUNE 19, 2019

Juneteenth is the celebration of the end of slavery in the US. We should have more holidays that celebrate freedom for the sake of freedom. So happy Juneteenth, everyone!

113

113

Adam Levin

JUNE 3, 2019

HBO’s hit series Game of Thrones is now history, but it will live on in the hearts, minds and social media interactions of its followers for some time to come. Before now the only thing GoT fans wanted besides a juicy spoiler was to know who would take the Iron Throne. How it all ended was something hackers spent significant time and effort trying to find out.

Data breaches 119

Data breaches Marketing Firewall Hacking 119

Troy Hunt

JUNE 27, 2019

Something totally new this week - Israel! I spent the week in Tel Aviv at Cyber Week , a massive infosec conference where I shared the keynote stage with an amazing array of speakers including many from three letter acronym departments and even PM Benjamin Netanyahu. It's funny how on the one hand an event like this can be so completely different to the very familiar NDC Oslo scene I was in just last week yet by the same token, I'm up there talking about all the same stuff and doing my usual thi

InfoSec 181

InfoSec Data breaches Passwords 181

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Schneier on Security

JUNE 17, 2019

Surveillance 260

Surveillance 260

Krebs on Security

JUNE 19, 2019

A medical billing firm responsible for a recent eight-month data breach that exposed the personal information on nearly 20 million Americans has filed for bankruptcy, citing “enormous expenses” from notifying affected consumers and the loss of its four largest customers. The filing, first reported by Bloomberg, comes from the Retrieval-Masters Creditors Bureau , the parent company of the American Medical Collection Agency (AMCA).

Data breaches 250

Data breaches Hacking 250

WIRED Threat Level

JUNE 28, 2019

You may not have heard of the Border Gateway Protocol, but you definitely know when it goes wrong.

Internet 111

Internet Internet 111

Adam Shostack

JUNE 13, 2019

I’m happy to say that some new research by Jay Jacobs, Wade Baker, and myself is now available, thanks to the Global Cyber Alliance. They asked us to look at the value of DNS security, such as when your DNS provider uses threat intel to block malicious sites. It’s surprising how effective it is for a tool that’s so easy to deploy. (Just point to a DNS server like 9.9.9.9).

DNS 113

DNS 113

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Adam Levin

JUNE 14, 2019

Online invitation service Evite notified users about a data breach of user data that included names, usernames, email addresses, passwords, and mailing addresses. The company disclosed the breach following the release of the affected data on the dark web. A hacker claimed to have access to 10 million user accounts. “We became aware of a data security incident involving potential unauthorized access to our systems in April 2019.

Data breaches 114

Data breaches Passwords Accountability Technology 114

Troy Hunt

JUNE 21, 2019

So first things first - my patience for the Instamics we're wearing just reached zero. One of them recorded and one of them didn't which means we've had to fallback to audio captured by the iPhone I was recording from so apologies it's sub-par. I ended up just uploading the unedited clip direct from the phone because frankly, after trying to recover the non-existent audio both my time and patience were well into the red.

175

175

Schneier on Security

JUNE 25, 2019

Long news article ( alternate source ) on iPhone privacy, specifically the enormous amount of data your apps are collecting without your knowledge. A lot of this happens in the middle of the night, when you're probably not otherwise using your phone: IPhone apps I discovered tracking me by passing information to third parties ­ just while I was asleep ­ include Microsoft OneDrive, Intuit's Mint, Nike, Spotify, The Washington Post and IBM's the Weather Channel.

256

256

Krebs on Security

JUNE 28, 2019

It might be difficult to fathom how this isn’t already mandatory, but Microsoft Corp. says it will soon force all Cloud Solution Providers (CSPs) that help companies manage their Office365 accounts to use multi-factor authentication. The move comes amid a noticeable uptick in phishing and malware attacks targeting CSP employees and contractors.

Authentication 248

Authentication Accountability Data breaches Software 248

Advertisement

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Healthcare

Security Affairs

JUNE 25, 2019

Belgium police have identified a member of the Anonymous Belgium collective while investigating an arson case at a local bank. The Anonymous member is a 35-year-old man from Roeselare, Belgium, was arrested after throwing a Molotov cocktail at the Crelan Bank office in Rumbeke, back in 2014. According to ZDnet , the hacker has been exposed after dropping USB drive on the ground while throwing the Molotov cocktail.

DDOS 111

DDOS Banking Computers and Electronics Cybercrime 111

Adam Shostack

JUNE 6, 2019

New at Dark Reading, my When Security Goes Off the Rails , Cyber can learn a lot from the highly regulated world of rail travel. The most important lesson: the value of impartial analysis. (As I watch the competing stories, “ Baltimore City leaders blame NSA for ransomware attack. ,” and “ N.S.A. Denies Its Cyberweapon Was Used in Baltimore Attack, Congressman Says ,” I’d like to see an investigations capability that can give us facts.).

Ransomware 113

Ransomware 113

WIRED Threat Level

JUNE 17, 2019

Scammers are taking advantage of default calendar settings to try to trick users into clicking malicious links.

Scams 111

Scams Phishing Hacking 111

Troy Hunt

JUNE 13, 2019

It's the Hack Yourself First UK Tour! I've been tweeting a bit about this over recent times and had meant to write about it earlier, but I've been a little busy of late. Last year, I asked good friend and fellow security person Scott Helme to help me out running my Hack Yourself First workshops. I was overwhelmed with demand and he was getting sensational reviews for the TLS workshops he was already running.

Hacking 175

Hacking 175

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Cybersecurity