Schneier on Security

OCTOBER 5, 2020

Interesting usability study: “ More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication “: Abstract : Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code.

Authentication 353

Authentication Risk Passwords 353

Krebs on Security

OCTOBER 9, 2020

A week ago, KrebsOnSecurity broke the news that someone was attempting to disrupt the Trickbot botnet , a malware crime machine that has infected millions of computers and is often used to spread ransomware. A new report Friday says the coordinated attack was part of an operation carried out by the U.S. military’s Cyber Command. Image: Shuttstock.

Ransomware 340

Ransomware Internet Internet Passwords 340

Daniel Miessler

OCTOBER 4, 2020

The US is currently being ravaged by ransomware. Google News Results for US Ransomware. Our schools are being disabled, our small businesses are being pilfered, our cities are being taken offline, and now our hospitals are being attacked as well. I talk about the reasons here , but in short, we have long had a horrible state of security in our local governments, our small businesses, our schools, and our hospitals.

Ransomware 246

Ransomware Small Business Government InfoSec 246

Troy Hunt

OCTOBER 9, 2020

It's a bit of a mega one this week running over the 1-hour mark, but there's been an awful lot happen during the last week that I reckon is of interest. There's a decidedly adult theme running across the topics not by design, but just by pure coincidence between the Grindr incident, a query I got regarding erasing one's adult website browsing history and the IoT male chastity device full of security holes and potential requiring a grinder (not Grindr!

IoT 236

IoT Government 236

Advertisement

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Software

Schneier on Security

OCTOBER 6, 2020

Previously I have written about the Swedish-owned Swiss-based cryptographic hardware company: Crypto AG. It was a CIA-owned Cold War operation for decades. Today it is called Crypto International , still based in Switzerland but owned by a Swedish company. It’s back in the news : Late last week, Swedish Foreign Minister Ann Linde said she had canceled a meeting with her Swiss counterpart Ignazio Cassis slated for this month after Switzerland placed an export ban on Crypto International , a

Cybersecurity 349

Cybersecurity 349

Krebs on Security

OCTOBER 8, 2020

There’s an old adage in information security: “Every company gets penetration tested, whether or not they pay someone for the pleasure.” Many organizations that do hire professionals to test their network security posture unfortunately tend to focus on fixing vulnerabilities hackers could use to break in. But judging from the proliferation of help-wanted ads for offensive pentesters in the cybercrime underground, today’s attackers have exactly zero trouble gaining that in

Cybercrime 329

Cybercrime VPN Malware Ransomware 329

Daniel Miessler

OCTOBER 4, 2020

I’ve been writing a lot on ransomware recently , and wanted to comment on an interesting new development in attackers’ toolchests. At first they started with: If you don’t pay, you won’t get your data back. This is the original ransomware tactic. It’s a denial of service against your data. You pay, and you (sometimes) get your data back.

DDOS 134

DDOS Ransomware Backups Encryption 134

Schneier on Security

OCTOBER 7, 2020

A good rundown.

Engineering 358

Engineering 358

Krebs on Security

OCTOBER 7, 2020

September featured two stories on a phony tech investor named John Bernard , a pseudonym used by a convicted thief named John Clifton Davies who’s fleeced dozens of technology companies out of an estimated $30 million with the promise of lucrative investments. Those stories prompted a flood of tips from Davies’ victims that paint a much clearer picture of this serial con man and his cohorts, including allegations of hacking, smuggling, bank fraud and murder.

Banking 270

Banking Scams Government Advertising 270

Tech Republic Security

OCTOBER 9, 2020

Hackers accidentally allowed into company software by security noncompliant employees cost businesses millions annually; we asked experts to weigh in on best safety practices.

Software 217

Software 217

Advertisement

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Anton on Security

OCTOBER 7, 2020

While creating a recent presentation, I needed a slide on “threat detection is hard.” And it got me thinking, why is threat detection so hard for so many organizations today? We can trace the “cyber” threat detection to 1986 ( “Cuckoo’s Egg” ) and 1987 ( first IDS ) and perhaps even earlier events (like viruses of the early 1980s). This means we are “celebrating” ~35 years of cyber threat detection.

Threat Detection 130

Threat Detection Cyber threats Technology Security Awareness 130

Adam Shostack

OCTOBER 7, 2020

I haven’t talked about it much, but I spent the first few months of the pandemic learning how to deliver effective training in a distributed (online) model. I’m really proud that our distributed class NPS customer satisfaction scores are now comparable to our in-person classes. Also it’s been a lot of hard work, and in addition to our core classes (Threat Modeling for Architects and Threat Modeling in Depth), we now have classes for champs and trainers.

Engineering 130

Engineering Software Education 130

Security Affairs

OCTOBER 5, 2020

Threat actors have hacked at least three Swiss universities, including the University of Basel and managed to drain employee salary transfers. Threat actors have managed to steal employee salary payments at several Swiss universities, including the University of Basel. “According to our information, several universities in Switzerland have been affected,” explained Martina Weiss, Secretary General of the Rectors’ Conference of the Swiss Universities.

Advertising 145

Advertising Phishing Cybercrime Hacking 145

Tech Republic Security

OCTOBER 7, 2020

Freezing your child's credit is one way to stop cybercriminals from stealing their identity. But you have to be careful to keep the key to thaw it later.

Identity Theft 216

Identity Theft Cybersecurity 216

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

CompTIA on Cybersecurity

OCTOBER 6, 2020

Interested in a career in cybersecurity? Find out more about the top nine cybersecurity job titles in the United States as told by Cyberseek, and understand what education, certifications and skills you need to start a career in cybersecurity.

Cybersecurity 143

Cybersecurity Education 143

Adam Shostack

OCTOBER 9, 2020

In a simpler age, Matt Stoller famously lost his job for critiquing Google. He has a really interesting article summarizing and analyzing the massive anti-trust report at Congress Gets Ready to Smash Big Tech Monopolies. If you’re like me, unsure if or how this might matter, take the time to read what he said. (Via Wendy Grossman , who also has interesting commentary.).

Government 100

Government 100

Security Affairs

OCTOBER 4, 2020

Visa revealed that two unnamed North American hospitality merchants have been infected with some strains of point-of-sale (POS) malware. US payments processor Visa revealed that two North American hospitality merchants have been hacked, threat actors infected the systems of the two unnamed organizations with some strains of point-of-sale (POS) malware.

Malware 145

Malware Advertising Accountability Hacking 145

Tech Republic Security

OCTOBER 8, 2020

The goal is to not only secure your remote devices and endpoints but to make that security part of your overall strategy, says NordVPN Teams.

Cybersecurity 218

Cybersecurity 218

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Threatpost

OCTOBER 9, 2020

Ethical hackers so far have earned nearly $300K in payouts from the Apple bug-bounty program for discovering 55 bugs, 11 of them critical, during a three-month hack.

Hacking 127

Hacking Authentication IoT Software 127

WIRED Threat Level

OCTOBER 6, 2020

The Checkm8 vulnerability that exposed years of iPhones to jailbreaking has finally been exploited in Macs as well.

Hacking 138

Hacking 138

Security Affairs

OCTOBER 3, 2020

University Hospital New Jersey paid a $670,000 ransom this month to prevent the leak of 240 GB of stolen data, including patient information. The University Hospital New Jersey (UHNJ) in Newark (New Jersey) has finally paid a $670,000 ransom to prevent the publishing of 240 GB of stolen data, including patient info. In September, systems at the University Hospital New Jersey (UHNJ) were encrypted with the SunCrypt ransomware , threat actors also stolen documents from the institution and leaked

Ransomware 145

Ransomware Advertising Encryption Phishing 145

Tech Republic Security

OCTOBER 7, 2020

The phishing page tries to obtain email credentials, Social Security numbers, driver's license numbers, and tax numbers, says Armorblox.

Phishing 217

Phishing 217

Advertisement

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

Software

Threatpost

OCTOBER 8, 2020

Two flaws in Microsoft's cloud-based Azure App Services could have allowed server-side forgery request (SSFR) and remote code-execution attacks.

Hacking 135

Hacking 135

WIRED Threat Level

OCTOBER 5, 2020

Seven distinct factors between now and the election threaten to combine, compound, and reinforce each other in unpredictable ways.

130

130

Security Affairs

OCTOBER 5, 2020

Security researchers provided technical details about an IoT botnet dubbed Ttint that has been exploiting two zero-days in Tenda routers. Security researchers at Netlab, the network security division Qihoo 360, have published a report that details an IoT botnet dubbed Ttint. The experts are monitoring the Mirai-based botnet since November 2019 and observed it exploiting two Tenda router 0-day vulnerabilities to spread a Remote Access Trojan (RAT).

IoT 145

IoT Firmware Advertising DNS 145

Tech Republic Security

OCTOBER 7, 2020

Remote work will lead to more phishing attacks and threats to accounting and marketing departments, according to IT security managers.

Marketing 217

Marketing Phishing Accountability 217

Advertisement

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

Cybersecurity

Threatpost

OCTOBER 9, 2020

Immersive Labs Researcher takes advantage of lax Fitbit privacy controls to build a malicious spyware watch face.

Spyware 133

Spyware IoT Mobile Malware 133

WIRED Threat Level

OCTOBER 8, 2020

The company, launched by Oculus cofounder Palmer Luckey, is building software to connect multiple Air Force systems—allowing officers to act more quickly.

Software 112

Software Artificial Intelligence 112

Security Affairs

OCTOBER 6, 2020

The CISA agency is warning of a surge in Emotet attacks targeting multiple state and local governments in the US since August. The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to warn of a surge of Emotet attacks that have targeted multiple state and local governments in the U.S. since August. During that time, the agency’s EINSTEIN Intrusion Detection System has detected roughly 16,000 alerts related to Emotet activity.

Government 143

Government Banking Advertising Malware 143

Tech Republic Security

OCTOBER 8, 2020

Analysis of hundreds of millions of web pages found phishing and fraudulent sites using the Amazon brand and logos poised for big Prime Day sales, according to Bolster Research.

Phishing 186

Phishing 186

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity