Sat.Oct 06, 2018 - Fri.Oct 12, 2018

article thumbnail

Security Vulnerabilities in US Weapons Systems

Schneier on Security

The US Government Accounting Office just published a new report: " Weapons Systems Cyber Security: DOD Just Beginning to Grapple with Scale of Vulnerabilities " (summary here ). The upshot won't be a surprise to any of my regular readers: they're vulnerable. From the summary: Automation and connectivity are fundamental enablers of DOD's modern military capabilities.

article thumbnail

Naming & Shaming Web Polluters: Xiongmai

Krebs on Security

What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act? If ever there were a technology giant that deserved to be named and shamed for polluting the Web, it is Xiongmai — a Chinese maker of electronic parts that power a huge percentage of cheap digital video recorders (DVRs) and Internet-connected security cameras.

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Amazon Employee Fired for Leaking Customer Data, Exposing a Search Flaw or Both?

Adam Levin

Amazon revealed a breach of customer data last week, but it wasn’t a data breach of the usual variety. Rather than falling prey to a cyberattack or having hackers exploit unsecured code, customer emailed addresses were leaked by an employee to an online reseller in exchange for money. What you need to know: 1.) A crime was committed, and 2.) It still counts as a data compromise.

article thumbnail

GAO Report on Equifax

Adam Shostack

I have regularly asked why we don’t know more about the Equifax breach, including in comments in “ That Was Close! Reward Reporting of Cybersecurity ‘Near Misses’ ” These questions are not intended to attack Equifax. Rather, we can use their breach as a mirror to reflect, and ask questions about how defenses work, and learn things we can bring to our own systems.

article thumbnail

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

article thumbnail

Security in a World of Physically Capable Computers

Schneier on Security

It's no secret that computers are insecure. Stories like the recent Facebook hack , the Equifax hack and the hacking of government agencies are remarkable for how unremarkable they really are. They might make headlines for a few days, but they're just the newsworthy tip of a very large iceberg. The risks are about to get worse, because computers are being embedded into physical devices and will affect lives, not just our data.

article thumbnail

Supply Chain Security 101: An Expert’s View

Krebs on Security

Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager , senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain security, and I asked Sager whether he’d heard anything about rumors that Supermicro — a high tech firm in San Jose, Calif. — had allegedly inserted hardware backdoors in technology s

More Trending

article thumbnail

MY TAKE: Cyber attacks on industrial controls, operational technology have only just begun

The Last Watchdog

“May you live in interesting times.” The old Chinese proverb–some consider it a blessing and others a curse–certainly describes the modern-day cyber landscape. Related: 7 attacks that put us at the brink of cyber war. In today’s geopolitical terrain, nation-state backed cyber criminals are widening their targets and starting to zero in on their adversaries’ business and industrial sectors, using more and more sophisticated weaponry to do so.

article thumbnail

Another Bloomberg Story about Supply-Chain Hardware Attacks from China

Schneier on Security

Bloomberg has another story about hardware surveillance implants in equipment made in China. This implant is different from the one Bloomberg reported on last week. That story has been denied by pretty much everyone else, but Bloomberg is sticking by its story and its sources. (I linked to other commentary and analysis here.). Again, I have no idea what's true.

article thumbnail

Patch Tuesday, October 2018 Edition

Krebs on Security

Microsoft this week released software updates to fix roughly 50 security problems with various versions of its Windows operating system and related software, including one flaw that is already being exploited and another for which exploit code is publicly available. The zero-day bug — CVE-2018-8453 — affects Windows versions 7, 8.1, 10 and Server 2008, 2012, 2016 and 2019.

Software 207
article thumbnail

Facebook Patches Major WhatsApp Vulnerability

Adam Levin

Facebook announced today that a security bug in its WhatsApp messaging service that allowed hackers to take control of users’ phones has been fixed. The vulnerability affected the WhatsApp app on both iPhone and Android devices.It allowed hackers to take control of accounts simply by having their victims answer a video call. The bug was initially discovered by Google Project Zero, and reported by ZDNet and the Register in late August, but was not fixed until this week, leaving the service’s 1.2

article thumbnail

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

article thumbnail

How the US Halted China’s Cybertheft—Using a Chinese Spy

WIRED Threat Level

For years, China has systematically looted American trade secrets. Here's the messy inside story of how DC got Beijing to clean up its act for a while.

111
111
article thumbnail

Access Now Is Looking for a Chief Security Officer

Schneier on Security

The international digital human rights organization Access Now (I am on the board ) is looking to hire a Chief Security Officer. I believe that, somewhere, there is a highly qualified security person who has had enough of corporate life and wants instead of make a difference in the world. If that's you, please consider applying.

Risk 210
article thumbnail

CVE-2018-8453 Zero-Day flaw exploited by FruityArmor APT in attacks aimed at Middle East

Security Affairs

A Windows zero-day flaw addressed by Microsoft with its latest Patch Tuesday updates is exploited by an APT group in attacks aimed at entities in the Middle East. The Windows zero-day vulnerability tracked as CVE-2018-8453 is a privilege escalation flaw that was exploited by an APT group in attacks against entities in the Middle East. The flaw, tracked as CVE-2018-8453, affects the Win32k component of Windows handles objects in memory.

article thumbnail

Google Shuts Down Google+ Social Platform After Security Fail

Adam Levin

Google announced that it will be shutting down consumer use of the long-ailing social platform Google+ after it was revealed that a security bug dating back more than six months was not disclosed by the company. According to the Wall Street Journal , Google may have opted not to disclose the bug at least in part to avoid regulatory scrutiny, though the platform, originally launched to compete against Facebook, has had lackluster adoption among users and may well have been slated for the digital

Media 110
article thumbnail

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

article thumbnail

How to Check If Your Facebook Account Got Hacked—And How Badly

WIRED Threat Level

Facebook Friday offered more details about its recent breach. Here's how to see if you were affected.

article thumbnail

Defeating the "Deal or No Deal" Arcade Game

Schneier on Security

Two teenagers figured out how to beat the "Deal or No Deal" arcade game by filming the computer animation than then slowing it down enough to determine where the big prize was hidden.

209
209
article thumbnail

Researchers presented an improved version of the WPA KRACK attack

Security Affairs

Security researchers who devised last year the Key Reinstallation Attack, aka KRACK attack, have disclosed new variants of the attack. Security researchers Mathy Vanhoef and Frank Piessens who devised last year the Key Reinstallation Attack against WPA, aka KRACK attack, have disclosed new variants of the attack. Last year, boffins discovered several key management flaws in the core of Wi-Fi Protected Access II (WPA2) protocol that could be exploited by an attacker to hack into Wi-Fi network

article thumbnail

Meet 5 Women Shaping Microsoft's Security Strategy

Dark Reading

Profiles of some of the women currently leading Microsoft security operations - and their efforts to drive inclusivity.

103
103
article thumbnail

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

article thumbnail

Pentagon Weapons Systems Are Easy Cyberattack Targets, New Report Finds

WIRED Threat Level

A new report says the Department of Defense "likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.".

article thumbnail

Breach and Attack Simulation: Find Vulnerabilities before the Bad Guys Do

eSecurity Planet

This new IT security testing technology continually monitors networks and systems to help organizations determine how secure their environment is.

article thumbnail

The Git Project addresses a critical arbitrary code execution vulnerability in Git

Security Affairs

The Git Project released a new version of the Git client, Github Desktop, or Atom. that addressed a critical remote code execution vulnerability in the Git. The Git Project addressed a critical remote code execution vulnerability in the Git command line client, Git Desktop, and Atom. The flaw tracked as CVE-2018-17456 could be exploited by malicious repositories to remotely execute commands on a vulnerable system.

article thumbnail

12 Free, Ready-to-Use Security Tools

Dark Reading

There's no excuse for not knowing your exposure. These free tools can help you analyze what your company is up against and point ways to developing a more thorough security program.

97
article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

How Facebook Hackers Compromised 30 Million Accounts

WIRED Threat Level

Facebook has revealed more details about the unprecedented breach of its platform—including how hackers got away with the access tokens of 30 million users.

article thumbnail

Cybersecurity Awareness Month Blog Series: Alright boys, it’s time we have “The Talk”

Thales Cloud Protection & Licensing

As a father of two teenage boys, I should have seen this coming. It was time to have the talk about the right, wrong, and applying good judgement of things found on the Web. It started the moment I walked through the door, I was welcomed by my wife with, “I don’t know what those boys were doing on the computer, but you need to see this. It isn’t working.

article thumbnail

Sony Bravia Smart TVs affected by a critical vulnerability

Security Affairs

Experts at FortiGuard Labs team discovered three vulnerabilities in eight Sony Bravia smart TVs, one of them rated as critical. Patch management is a crucial aspect for IoT devices, smart objects are surrounding us and represent a privileged target for hackers. Experts at FortiGuard Labs team discovered three vulnerabilities (a stack buffer overflow, a directory traversal, and a command-injection issue) in eight Sony Bravia smart TVs, one of them rated as critical.

Wireless 111
article thumbnail

One-Third of US Adults Hit with Identity Theft

Dark Reading

That's double the global average and more than three times the rate of French and German adults.

article thumbnail

The Cloud Development Environment Adoption Report

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

article thumbnail

Fake Adobe Flash Installers Come With a Little Malware Bonus

WIRED Threat Level

A clever new cryptomining scheme downloads the latest version of Adobe for you, but adds malware to the bargain.

Malware 101
article thumbnail

The Language and Nature of Fileless Attacks Over Time

Lenny Zeltser

The language of cybersecurity evolves in step with attack and defense tactics. You can get a sense for such dynamics by examining the term fileless. It fascinates me not only because of its relevance to malware, but also because of its knack for agitating many security practitioners. I traced the origins of “fileless” to 2001, when Eugene Kaspersky (of Kaskersky Labs) used it in reference to Code Red worm’s ability to exist solely in memory.

Malware 85
article thumbnail

Hackers targeting Drupal vulnerabilities to install the Shellbot Backdoor

Security Affairs

A group of hackers is targeting Drupal vulnerabilities, including Drupalgeddon2, patched earlier this year to install a backdoor on compromised servers. Security experts from IBM are targeting Drupal vulnerabilities, including the CVE-2018-7600 and CVE-2018-7602 flaws, aka Drupalgeddon2 and Drupalgeddon3 , to install a backdoor on the infected systems and tack full control of the hosted platforms.

article thumbnail

Most Malware Arrives Via Email

Dark Reading

Watch out for messages with the word "invoice" in the subject line, too.

Malware 87
article thumbnail

Bringing the Cybersecurity Imperative Into Focus

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!