Schneier on Security
JANUARY 31, 2019
A year ago , the Norwegian Consumer Council published an excellent security analysis of children's GPS-connected smart watches. The security was terrible. Not only could parents track the children, anyone else could also track the children. A recent analysis checked if anything had improved after that torrent of bad press. Short answer: no. Guess what: a train wreck.
Adam Levin
JANUARY 28, 2019
Sidewalk Labs, a subsidiary of Google’s parent company Alphabet, is the go-to story for Data Privacy Day with its new “user-friendly” tool called Replica, which allows city planners see “how, when, and where people travel in urban areas.”. The Intercept’s explainer details a troubling use of consumer data. “Thanks for all you do,” could be Replica initiative’s tagline, since it seems to aggregate a huge amount of presumably phone-generated data to model the way cities work.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Krebs on Security
FEBRUARY 1, 2019
More than 250 customers of a popular and powerful online attack-for-hire service that was dismantled by authorities in 2018 are expected to face legal action for the damage they caused, according to Europol , the European Union’s law enforcement agency. In April 2018, investigators in the U.S., U.K. and the Netherlands took down attack-for-hire service WebStresser[.]org and arrested its alleged administrators.
The Last Watchdog
JANUARY 28, 2019
Would you back out of a driveway without first buckling up, checking the rear view mirror and glancing behind to double check that the way is clear? Consider that most of us spend more time navigating the Internet on our laptops and smartphones than we do behind the wheel of a car. Yet it’s my experience that most people don’t fully appreciate the profound risks they face online and all too many still do not practice simple behaviors that can dramatically reduce their chances of being victimized
Advertisement
Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.
Schneier on Security
JANUARY 28, 2019
The Japanese government is going to run penetration tests against all the IoT devices in their country, in an effort to (1) figure out what's insecure, and (2) help consumers secure them: The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras.
Troy Hunt
FEBRUARY 1, 2019
I'm pumping this weekly update out a little bit later, pushing it just before I get on the plane back home to Australia. I've just wrapped up a week in London with Scott doing all things NDC including a couple of days of workshops and a couple of talks each. We discuss that, and how the UK seems to have an odd infatuation with doing anything that could even remotely be deemed a health and safety risk.
Cyber Security Informer brings together the best content for cyber security professionals from the widest variety of industry thought leaders.
|
The Last Watchdog
FEBRUARY 1, 2019
Some chilling hard evidence has surfaced illustrating where stolen personal information ultimately ends up, once it has flowed through the nether reaches of the cyber underground. Wired magazine reported this week on findings by independent security researchers who have been tracking the wide open availability of a massive cache of some 2.2 billion stolen usernames, passwords and other personal data.
Schneier on Security
JANUARY 30, 2019
The security is terrible : In a very short limited amount of time, three vulnerabilities have been discovered: Wifi credentials of the user have been recovered (stored in plaintext into the flash memory). No security settings. The device is completely open (no secure boot, no debug interface disabled, no flash encryption). Root certificate and RSA private key have been extracted.
Security Affairs
JANUARY 31, 2019
Security researchers at the security firm Capsule8 have published exploit code for the vulnerabilities in Linux systemD disclosed in January. Security researchers at the security firm Capsule8 have published exploit code for the vulnerabilities in Linux systemD disclosed in January. Early this month, security firm Qualys disclosed three flaws (CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866 ) in a component of systemd , a software suite that provides fundamental building blocks for a Linux op
WIRED Threat Level
JANUARY 29, 2019
Google wants to get rid of URLs. But first, it needs to show you why.
Advertisement
The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.
The Last Watchdog
JANUARY 31, 2019
A report co-sponsored by Lloyd’s of London paints a chilling scenario for how a worldwide cyberattack could trigger economic losses of some $200 billion for companies and government agencies ill-equipped to deflect a very plausible ransomware attack designed to sweep across the globe. Related: U.S. cyber foes exploit government shutdown. The Cyber Risk Management (CyRiM) project lays out in detail how a theoretical ransomware attack – dubbed the “Bashe” campaign – could improve upon the real lif
Schneier on Security
JANUARY 29, 2019
This is kind of a crazy iPhone vulnerability : it's possible to call someone on FaceTime and listen on their microphone -- and see from their camera -- before they accept the call. This is definitely an embarrassment , and Apple was right to disable Group FaceTime until it's fixed. But it's hard to imagine how an adversary can operationalize this in any useful way.
Security Affairs
JANUARY 31, 2019
Cyber security expert Marco Ramilli, founder of Yoroi ,discovered a way to spread CSV malware via Google Sheets … but Big G says it is an Intended behavior. A. CSV file could be a malware carrier and if interpreted by Microsoft Excel it could become a malware executor ! When I personally saw this technique back in 2017 (please take a look to here , here and here ) I was fascinated.
Dark Reading
JANUARY 28, 2019
Newly found bug reportedly allows callers to spy on you -- even if you don't pick up.
Advertisement
Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.
Adam Shostack
FEBRUARY 1, 2019
It’s well known that adoption rates for multi-factor authentication are poor. For example, “ Over 90 percent of Gmail users still don’t use two-factor authentication.” Someone was mentioning to me that there are bonuses in games. You get access to special rooms in Star Wars Old Republic. There’s a special emote in Fortnite. (Above).
Schneier on Security
FEBRUARY 1, 2019
Our work in cybersecurity is inexorably intertwined with public policy and -- more generally -- the public interest. It's obvious in the debates on encryption and vulnerability disclosure, but it's also part of the policy discussions about the Internet of Things, cryptocurrencies, artificial intelligence, social media platforms, and pretty much everything else related to IT.
Security Affairs
JANUARY 26, 2019
Experts discovered PDF exploit that was using steganography to hide malicious JavaScript code in images embedded in PDF files. The exploit analysis firm EdgeSpot recently discovered PDF exploit that was using steganography to hide malicious JavaScript code in images embedded in PDF files. “Shortly after last week’s discovery of a PDF exploit which used the method of this.getPageNumWords() & this.getPageNthWord() for obfuscation, we found another, but much more powerful exploit ob
Dark Reading
FEBRUARY 1, 2019
A Chicago-area family's smart home controls were compromised in a hack that has left them feeling vulnerable in their own home.
Advertisement
Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.
Adam Shostack
JANUARY 31, 2019
This is a really interesting post* about how many simple solutions to border security fail in the real world. Not everywhere has the infrastructure necessary to upload large datasets to the cloud Most cloud providers are in not-great jurisdictions for some threat models. Lying to border authorities, even by omission, ends badly. Fact is, the majority of “but why don’t you just…” solutions in this space either require lying, reliance on infrastructure that may be non-exist
WIRED Threat Level
JANUARY 30, 2019
The so-called Collections #1-5 represent a gargantuan, patched-together Frankenstein of rotting personal data.
Security Affairs
JANUARY 26, 2019
Security experts at McAfee have discovered a new malware, dubbed Anatova ransomware, that has been spotted infecting computers worldwide. The name Anatova is based on a name in the ransom note that is dropped on the infected systems. The Anatova ransomware outstands for its obfuscation capabilities and ability to infect network shares, it has a modular structure that allows add ing new functions to the malware. “During our continuous hunt for new threats, we discovered a new ransomware fam
Dark Reading
JANUARY 31, 2019
The last thing any business needs is a swarm of myths and misunderstandings seeding common and frequent errors organizations of all sizes make in safeguarding data and infrastructure.
Advertisement
How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.
Thales Cloud Protection & Licensing
JANUARY 29, 2019
Around this time each year, Thales eSecurity releases our annual Data Threat Report (DTR). Now in its sixth year, the report is squarely focused on digital transformation and what that means for organizations and their data security. Today, it’s almost impossible to do business of any kind without some sensitive data being exchanged, managed or stored in the cloud or on servers with an outgoing connection to the web.
Elie
JANUARY 27, 2019
A critical part of child sexual abuse criminal world is the creation and distribution of child sexual abuse imagery (CSAI) on the Internet. To combat this crime efficiently and illuminate current defense short-coming, it is vital to understand how CSAI content is disseminated on the Internet. Despite the importance of the topic very little work was done on the subject so far.
Security Affairs
JANUARY 28, 2019
Cisco released security updates to address security flaws in several products including Small Business RV320/RV325 routers and hackers are already targeting them. The tech giant addressed two serious issues in Cisco’s Small Business RV320 and RV325 routers. The first one could be exploited by a remote and unauthenticated attacker with admin privileges. to obtain sensitive information ( CVE-2019-1653 ), while the second one can be exploited for command injection ( CVE-2019-1652 ).
Dark Reading
JANUARY 30, 2019
January 10 torrent involved nearly four times as many packets as last year's huge attack on GitHub, says Imperva.
Advertisement
After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!
Threatpost
JANUARY 30, 2019
A spam injector hides in plain site within WordPress theme files.
WIRED Threat Level
JANUARY 30, 2019
Can a trio of privacy advocates effect change from within Facebook—or will they be stifled by corporate bureaucracy?
Security Affairs
JANUARY 28, 2019
Security experts at Wordfence security firms discovered WordPress Sites compromised via Zero-Day vulnerabilities in Total Donations Plugin. The Total Donations WordPress plugin was abandoned by its developers for this reason security experts are recommending to delete it after they discovered multiple zero-day flaws that were exploited by threat actors.
Dark Reading
JANUARY 28, 2019
For Data Privacy Day, let's commit to a culture of privacy by design, nurtured by a knowledgeable team that can execute an effective operational compliance program.
Advertiser: Revenera
In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.
Expert insights. Personalized for you.
271 
Let's personalize your content