Sat.Aug 15, 2020 - Fri.Aug 21, 2020

FBI, CISA Echo Warnings on ‘Vishing’ Threat

Krebs on Security

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a joint alert to warn about the growing threat from voice phishing or “vishing” attacks targeting companies. The advisory came less than 24 hours after KrebsOnSecurity published an in-depth look at a crime group offering a service that people can hire to steal VPN credentials and other sensitive data from employees working remotely during the Coronavirus pand

Weekly Update 205

Troy Hunt

Between still feeling a little groggy after hitting the water hard on an early wake boarding session and my camera overheating and shutting down towards the end of the live stream, this wasn't the smoothest of weekly updates, but I still got across everything I needed to. I'm especially excited about those Shelly 1 units for cheaply IoT'ing existing lights and I'm hoping to have some of that up and running next week.

Copying a Key by Listening to It in Action

Schneier on Security

Researchers are using recordings of keys being used in locks to create copies. Once they have a key-insertion audio file, SpiKey's inference software gets to work filtering the signal to reveal the strong, metallic clicks as key ridges hit the lock's pins [and you can hear those filtered clicks online here]. These clicks are vital to the inference analysis: the time between them allows the SpiKey software to compute the key's inter-ridge distances and what locksmiths call the "bitting depth" of

Carnival Announces Data Breach Following Ransomware Attack

Adam Levin

Carnival Corporation, the largest cruise ship company in the world, announced that it had experienced a data breach following a ransomware attack on their systems. In an 8-K filing with the Securities and Exchange Commission (SEC), the company announced that it had “detected a ransomware attack that accessed and encrypted a portion of one [their] brand’s information technology systems,” adding that the hackers responsible downloaded “certain” data files.

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Voice Phishers Targeting Corporate VPNs

Krebs on Security

The COVID-19 epidemic has brought a wave of email phishing attacks that try to trick work-at-home employees into giving away credentials needed to remotely access their employers’ networks. But one increasingly brazen group of crooks is taking your standard phishing attack to the next level, marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees.

How to Initiate Contact With a Mentor

Daniel Miessler

I’ve been in security for over 20 years now and have received thousands of emails asking for help or mentorship. And throughout that time I’ve also reached out to hundreds of people asking for something similar. I’ve had a mix of success and failure on both ends of that equation, and I think I might have deciphered what was going wrong. This can still work with some people, if it’s authentic.

Industrial control system cybersecurity vulnerabilities are rising in 2020

Tech Republic Security

365 ICS vulnerabilities were disclosed in the first half of the year; 75% of them are rated high or critical on the CVSS scale, and nearly three-quarters can be exploited remotely, according to a report.

Microsoft Put Off Fixing Zero Day for 2 Years

Krebs on Security

A security flaw in the way Microsoft Windows guards users against malicious files was actively exploited in malware attacks for two years before last week, when Microsoft finally issued a software update to correct the problem. One of the 120 security holes Microsoft fixed on Aug. 11’s Patch Tuesday was CVE-2020-1464, a problem with the way every supported version of Windows validates digital signatures for computer programs.

What They Don’t Tell You About Being a Bounty Hunter or Content Creator

Daniel Miessler

I have been following the bug bounty and security creator/influencer scenes since they started. And as someone in security who also creates content, I feel very close to it all. What I’ve seen in the last year has been troubling. I keep seeing friends and associates—both in conversations and in social media—crumble under the relentless pressure to produce.

Yet Another Biometric: Bioacoustic Signatures

Schneier on Security

Sound waves through the body are unique enough to be a biometric: "Modeling allowed us to infer what structures or material features of the human body actually differentiated people," explains Joo Yong Sim, one of the ETRI researchers who conducted the study. "For example, we could see how the structure, size, and weight of the bones, as well as the stiffness of the joints, affect the bioacoustics spectrum." [...]

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

IBM finds vulnerability in IoT chips present in billions of devices

Tech Republic Security

Manufactured by Thales, the EHS8 module family has security flaws that could allow attackers to take total control over internet-connected industrial machines.

NEW TECH: A better way to secure agile software — integrate app scanning, pen testing into WAF

The Last Watchdog

The amazing array of digital services we so blithely access on our smartphones wouldn’t exist without agile software development.

Related: ‘Business logic’ hacks on the rise

Consider that we began this century relying on the legacy “waterfall” software development process. This method required a linear plan, moving in one direction, that culminated in a beta deliverable by a hard and fast deadline.

Worthwhile books Q2 2020

Adam Shostack

These are the books that I read in Q2 2020 that I think are worth your time. Sorry it’s late. They’re still worthwhile. Cyber. You’ll See This Message When It Is Too Late, by Josephine Wolff. This is an interesting examination of the effects of finger-pointing and blame avoidance on the cybersecurity landscape, with chapter titles like “How the TJX breach set the stage for a decade of payment card conflict” and “what they aren’t telling you is their rule

Vaccine for Emotet Malware

Schneier on Security

Interesting story of a vaccine for the Emotet malware: Through trial and error and thanks to subsequent Emotet updates that refined how the new persistence mechanism worked, Quinn was able to put together a tiny PowerShell script that exploited the registry key mechanism to crash Emotet itself. The script, cleverly named EmoCrash, effectively scanned a user's computer and generated a correct -- but malformed -- Emotet registry key.

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

How to keep your company secure while employees work from home

Tech Republic Security

There are new issues organizations should consider as work from home continues with no end in sight. One expert offers ideas to secure your widening perimeter.

Mechanizing The Methodology

Daniel Miessler

Download the Slides. I presented at DEFCON’s Red Team Village on August 8th, and the topic was the automation of common Recon and Security activities. More specifically, it was about how to do those things with common tools like Linux, Bash, Cron, Email, and Slack. My friend Clint Gibler of TL;DR Sec fame graciously created one of his brilliant summaries of the talk, which you can find here.

University of Utah pays a $457,000 ransom to ransomware gang

Security Affairs

The University of Utah admitted to having paid a $457,059 ransom in order to avoid having ransomware operators leak student information online. The payment followed a ransomware attack that took place on July 19, 2020, and infected systems on the network of the university’s College of Social and Behavioral Science (CSBS).

Robocall Results from a Telephony Honeypot

Schneier on Security

A group of researchers set up a telephony honeypot and tracked robocall behavior: NCSU researchers said they ran 66,606 telephone lines between March 2019 and January 2020, during which time they said they received 1,481,201 unsolicited calls -- even if they never made their phone numbers public via any source. The research team said they usually received an unsolicited call every 8.42 days, but most of the robocall traffic came in sudden surges they called "storms" that happened at regular

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Top 5 password hygiene security protocols companies should follow

Tech Republic Security

Proper password methodologies can be a challenge to master. Learn some tips from industry experts on how to streamline the process and safeguard your organization.

Ransomware Attack on Carnival May Have Been Its Second Compromise This Year

Dark Reading

Security vendor Prevailion says it observed signs of malicious activity on the cruise operator's network between at least February and June.

Thousands of Canadian government accounts hacked, Treasury Board of Canada Secretariat says

Security Affairs

The Treasury Board of Canada Secretariat confirmed that thousands of user accounts for online Canadian government services were recently hacked. According to a press release issued by the Secretariat, the hackers targeted the GCKey service with credential stuffing attacks; the service is used by some 30 federal departments and Canada Revenue Agency accounts.

ATM Hackers Have Picked Up Some Clever New Tricks

WIRED Threat Level

Over the last few years, so-called jackpotting attacks have gotten increasingly sophisticated—while cash machines remain largely the same.

The Cloud Development Environment Adoption Report

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

AI-enabled future crimes ranked: Deepfakes, spearphishing, and more

Tech Republic Security

A study explores the possible range and risk of attacks from military robots and autonomous attack drones to AI-assisted stalking. Here are the top 5.

Smart-Lock Hacks Point to Larger IoT Problems

Dark Reading

Two recent reports on smart-locks vulnerabilities show that IoT vendors have a bigger job to do in ensuring their products are safely deployed and configured.

Experian South Africa discloses data breach, 24 million customers impacted

Security Affairs

The South African branch of consumer credit reporting agency Experian disclosed this week a data breach that impacted 24 million customers. The company said that only personal information was exposed in the breach; no financial or credit-related information was compromised.

7 Insights About Managing Cyber Risk You Can’t Afford To Miss

Jane Frankland

Cybersecurity is big business. It impacts industry and individuals alike and doesn’t discriminate. Last year, Verizon reported that 71% of breaches were financially motivated, 25% came from espionage, and 21% were caused by human error. Unsurprisingly, according to Gartner, spending continues to rise and is forecast to reach $133.7 billion by 2022. Furthermore, from 2019–2023E, approximately USD 5.2 trillion in global value will be at risk from cyberattacks.

Bringing the Cybersecurity Imperative Into Focus

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

NordVPN: How to protect your organization from DDoS attacks

Tech Republic Security

Without early threat detection, you may not know your website has been hit by a DDoS attack until it slows down or stops, says NordVPN Teams.

How to Stay Secure on GitHub

Dark Reading

GitHub, used badly, can be a source of more vulnerabilities than successful collaborations. Here are ways to keep your development team from getting burned on GitHub.

XCSSET Mac spyware spreads via Xcode Projects

Security Affairs

A new Mac malware, tracked as XCSSET, spreads through Xcode projects and exploits two zero-day vulnerabilities to steal sensitive information from target systems and launch ransomware attacks, experts warn. The first zero-day issue is used to steal cookies via a flaw in the behavior of Data Vaults, while the second one is used to abuse the development version of Safari.

Better Taught Than Caught!

Adam Shostack

So Chris Romeo has a blog post, “Threat modeling: better caught than taught.” In it, he advocates for threat modeling being a skill passed on informally. And, like many things in threat modeling, that’s attractive, sounds fun, and is utterly wrong. Let’s threat model this: What are we working on? Scaling threat modeling across all developers.

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.