Sat.Jul 14, 2018 - Fri.Jul 20, 2018


Defeating the iPhone Restricted Mode

Schneier on Security

Recently, Apple introduced restricted mode to protect iPhones from attacks by companies like Cellebrite and Greyshift, which allow attackers to recover information from a phone without the password or fingerprint. Elcomsoft just announced that it can easily bypass it. There is an important lesson in this: security is hard. Apple Computer has one of the best security teams on the planet.


Human Resources Firm ComplyRight Breached

Krebs on Security

Cloud-based human resources company ComplyRight said this week that a security breach of its Web site may have jeopardized sensitive consumer information -- including names, addresses, phone numbers, email addresses and Social Security numbers -- from tax forms submitted by the company's thousands of clients on behalf of employees.


Companies need CASBs now more than ever — to help secure ‘digital transformation’

The Last Watchdog

When I first wrote about Cloud Access Security Brokers in 2015, so-called CASBs were attracting venture capital by the truckloads — and winning stunning customer testimonials. CASBs (pronounced caz-bees) originally sought to resolve a fast rising security nightmare: Shadow IT. Related podcast: Web gateways emerge as crucial defense layer. Striving to be productive, well-intentioned employees raced out to subscribe to cloud-enabled storage services, collaboration suites and project manageme


Seamless A/B Testing, Deployment Slots and DNS Rollover with Azure Functions and Cloudflare Workers

Troy Hunt

Two of my favourite developer things these days are Azure Functions and Cloudflare Workers. They're both "serverless" in that rather than running on your own slice of infrastructure, that concept is abstracted away and you get to focus on just code executions rather than the logical bounds of the server it runs on. So for example, when you have an Azure function and you deploy it under a consumption plan, you pay for per-second resource consumption (how much memory you use for how long)


Why Giant Content Libraries Do Nothing for Your Employees’ Cyber Resilience

Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.


New Report on Chinese Intelligence Cyber-Operations

Schneier on Security

The company ProtectWise just published a long report linking a bunch of Chinese cyber-operations over the past few years. The always interesting grugq has some interesting commentary on the group and its tactics. Lots of detailed information in the report, but I admit that I have never heard of ProtectWise or its research team 401TRG. Independent corroboration of this information would be helpful.


‘LuminosityLink RAT’ Author Pleads Guilty

Krebs on Security

A 21-year-old Kentucky man has pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink,” a malware strain that security experts say was used by thousands of customers to gain unauthorized access to tens of thousands of computers across 78 countries worldwide. The LuminosityLink Remote Access Tool (RAT) was sold for $40 to thousands of customers, who used the tool to gain unauthorized access to tens of thousands of computers worldwide.


Weekly Update 96

Troy Hunt

This week I'm doing my best "dress like a professional" impersonation as I prepare to record the next episode in our quarterly Creating a Security-centric Culture series. We're putting these out for free every few months and right after wrapping up this week's update, I recorded the next Pluralsight one and that's now gone off to them for editing.


Installing a Credit Card Skimmer on a POS Terminal

Schneier on Security

Watch how someone installs a credit card skimmer in just a couple of seconds. I don't know if the skimmer just records the data and is collected later, or if it transmits the data back to some base station.


Hey, this movie looks pretty interesting!

Adam Shostack


Medical Diagnostic Company LabCorp Experiences Data Breach

Adam Levin

LabCorp Diagnostics, one of the biggest medical diagnostic companies in the U.S., disclosed that it was investigating a data breach that may have occurred on their networks. While LabCorp isn’t a household name, there’s a good chance they’ve handled some of your medical records or those belonging to someone you know. As listed on their website, the company handles “more than 115 million patient encounters per year [and] processes tests on more than 2.5 million patient specimens per week[.]”.


Zero Trust Mandate: The Realities, Requirements and Roadmap

The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.


Oracle Sets All-Time Record with July Critical Patch Update

Threatpost

July's critical patch update addresses 334 security vulnerabilities (including 61 rated critical) covering a vast swathe of the Oracle enterprise portfolio.


Cisco fixes critical and high severity flaws in Policy Suite and SD-WAN products

Security Affairs

Cisco has found over a dozen critical and high severity vulnerabilities in its Policy Suite, SD-WAN, WebEx and Nexus products. The tech giant has reported to customers four critical vulnerabilities affecting the Policy Suite. The flaws tracked as CVE-2018-0374, CVE-2018-0375, CVE-2018-0376, and CVE-2018-0377 have been discovered during internal testing.


Keeping the Internet Secure

Adam Shostack

Today, a global coalition led by civil society and technology experts sent a letter asking the government of Australia to abandon plans to introduce legislation that would undermine strong encryption. The letter calls on government officials to become proponents of digital security and work collaboratively to help law enforcement adapt to the digital era.


6 Ways to Tell an Insider Has Gone Rogue

Dark Reading

Malicious activity by trusted users can be very hard to catch, so look for these red flags.


Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.


The Midterm Elections Are Already Under Attack

WIRED Threat Level

Phishing attempts and DDoS attacks have begun hitting 2018 campaigns. The US seems ill-prepared to meet the challenge.


Researchers show how to manipulate road navigation systems with low-cost devices

Security Affairs

Researchers have developed a tool that poses as GPS satellites to deceive nearby GPS receivers and manipulate road navigation systems. Researchers have developed a tool that poses as GPS satellites to deceive nearby GPS receivers. The kit could be used to deceive receivers used by navigation systems and suggest the wrong direction to drivers. “we explore the feasibility of a stealthy manipulation attack against road navigation systems.


Games and Cards

Adam Shostack

Emergynt has created the Emergynt Risk Deck, a set of 51 cards, representing actors, vulnerabilities, targets, consequences and risks. It’s more a discussion tool than a game, but I have a weakness for the word “emergent,” and I’ve added it to my list of security games. Also, Lancaster University has created an Agile Security Game.


Stealthy Malware Hidden in Images Takes to GoogleUserContent

Threatpost

Hackers are embedding malicious code within compromised, uploaded images on trusted Google sites – weaponizing the website and staying under the radar.


Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.


Meet Jonathan Albright, The Digital Sleuth Exposing Fake News

WIRED Threat Level

Buried in media scholar Jonathan Albright's research was proof of a massive political misinformation campaign. Now he's taking on the world's biggest platforms before it's too late.


ZoomEye IoT search engine cached login passwords for tens of thousands of Dahua DVRs

Security Affairs

A security researcher discovered that the IoT search engine ZoomEye has cached login passwords for tens of thousands of Dahua DVRs. The IoT search engine ZoomEye has cached login passwords for tens of thousands of Dahua DVRs, the discovery was made by security researcher Ankit Anubhav, Principal Researcher at NewSky Security. Anubhav explained that the passwords are related to Dahua DVRs running very old firmware that is known to be affected by a five-year-old vulnerability tracked as CVE-2013


Less Than Half of Cyberattacks Detected via Antivirus: SANS

Dark Reading

Companies are buying next-gen antivirus and fileless attack detection tools but few have the resources to use them, researchers report.


The Latest on PCI: Minor on PCI DSS, Major on Almost Everything Else

Thales Cloud Protection & Licensing

Recently the Payment Card Industry Security Standards Council (PCI SSC) announced a minor update to the PCI DSS standard largely to make it easier to read with respect to key dates that are now in the past. It also made clear that by now organisations should have migrated from vulnerable Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) implementations to full strength TLS when securing their communications links.


The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.


RealNetworks Launches Free Facial Recognition Tool for Schools

WIRED Threat Level

A new facial recognition tool by RealNetworks aims to keep kids safe in school. But privacy experts fear the unchecked surveillance of kids could go awry.


Update CSE Malware ZLab – Operation Roman Holiday – Hunting the Russian APT28

Security Affairs

Researchers from the Z-Lab at CSE Cybsec analyzed a new collection of malware allegedly part of a new espionage campaign conducted by the APT28 group. It was a long weekend for the researchers from the Z-Lab at CSE Cybsec that completed the analysis of a number of payloads being part of a new cyber espionage campaign conducted by the Russian APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy, and Strontium).


The Fundamental Flaw in Security Awareness Programs

Dark Reading

It's a ridiculous business decision to rely on the discretion of a minimally trained user to thwart a highly skilled sociopath, financially motivated criminal, or nation-state.


Digital Assistants Could Be Amongst the Hottest Selling Items on Amazon Prime Day, But Security Fears Are Still Putting Some Consumers Off

Thales Cloud Protection & Licensing

In June, Microsoft issued a patch for Cortana to solve a vulnerability whereby threat actors could access devices by activating their search functions, even if the devices were locked. As threat levels increase and the use of digital assistants grows, we wanted to take a look at how security concerns, as well as knowledge of security management, really plays out in the consumer mind.


The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!


Ukraine Blocks a Russian Hack, a Silk Road Arrest, and More Security News This Week

WIRED Threat Level

Drone plans for sale, a Silk Road arrest, and more security news this week.


How crooks conduct Money Laundering operations through mobile games

Security Affairs

Experts uncovered a money laundering ring that leverages fake Apple accounts and gaming profiles to make transactions with stolen payment cards. A money laundering ring leverages fake Apple accounts and gaming profiles to make transactions with stolen payment cards and then sells these game premiums on online forums and within gaming communities. The money laundering operation was unveiled by the US Department of Justice, the investigation started in mid-June when the experts from Kromtech Secur


One-Third of Businesses Lack a Cybersecurity Expert

Dark Reading

Alarming, yes, but it's actually an improvement over past years, a new Gartner survey of more than 3,000 CIOs reveals.


Build Kali with Live-Build on Debian Based Systems

Kali Linux

We use live-build to create our official Kali releases and we encourage users to jump in and build their own customized versions of Kali whenever we can. Our documentation of the process is one of the most popular items on our documentation site, and the Kali Dojo also revolves around this topic. We love it and our users love it. One roadblock of live-build has always been the fact that you need a Kali system to build a Kali system.


IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.