Krebs on Security

JULY 23, 2018

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. A YubiKey Security Key made by Yubico. The basic model featured here retails for $20. Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in

Phishing 238

Phishing Authentication Mobile Passwords 238

The Last Watchdog

JULY 25, 2018

Was it really that long ago that company networks were comprised of a straightforward cluster of servers, data bases, applications and user devices corralled largely on premises? Related article: Taking a ‘zero-trust’ approach to authentication. In today’s digitally transformed environment, companies must monitor and defend systems housed on-premises and in overlapping public and private clouds.

Digital transformation 165

Digital transformation Firewall Authentication Data breaches 165

Troy Hunt

JULY 23, 2018

As of today, Google begins shipping Chrome 68 which flags all sites served over the HTTP scheme as being "not secure" This is because the connection is, well, not secure so it seems like a fairly reasonable thing to say! We've known this has been coming for a long time now both through observing the changes in the industry and Google specifically saying "this is coming" Yet somehow, we've arrived at today with a sizable chunk of the web still serving traffic insecurely: The major

Government 161

Government VPN Banking 161

Schneier on Security

JULY 25, 2018

Bluetooth has a serious security vulnerability : In some implementations, the elliptic curve parameters are not all validated by the cryptographic algorithm implementation, which may allow a remote attacker within wireless range to inject an invalid public key to determine the session key with high probability. Such an attacker can then passively intercept and decrypt all device messages, and/or forge and inject malicious messages.

Wireless 152

Wireless Software Encryption 152

Advertisement

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Software

Krebs on Security

JULY 25, 2018

Identity theft protection firm LifeLock — a company that’s built a name for itself based on the promise of helping consumers protect their identities online — may have actually exposed customers to additional attacks from ID thieves and phishers. The company just fixed a vulnerability on its site that allowed anyone with a Web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications from the company.

Identity Theft 197

Identity Theft Consumer Protection Phishing Marketing 197

The Last Watchdog

JULY 23, 2018

If you’re not familiar with how Facebook, Twitter and YouTube make it so easy for you and me to easily access cool content they’ve collected and stored behind their respective firewalls, then you might think “API” is a trendy type of beer. In fact, API stands for Application Programming Interface, the indispensable technology that makes it possible for software applications to exchange data across the Internet.

Digital transformation 140

Digital transformation Software Media Encryption 140

Schneier on Security

JULY 23, 2018

The 1Password password manager has just introduced "travel mode," which allows you to delete your stored passwords when you're in other countries or crossing borders: Your vaults aren't just hidden; they're completely removed from your devices as long as Travel Mode is on. That includes every item and all your encryption keys. There are no traces left for anyone to find.

Passwords 150

Passwords Password Management Encryption 150

Krebs on Security

JULY 24, 2018

Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses. According to a lawsuit filed last month in the Western District of Virginia, the first heist took place in late May 2016, after an employee at The National Bank of Blacksburg fell victim to a targeted phishing email.

Banking 194

Banking Insurance Computers and Electronics Cyber Insurance 194

Troy Hunt

JULY 27, 2018

Alrighty, 2 big things to discuss today and I'll jump right into them here: Exactis: it's hard to know where to even start with this one and frankly, the more I think about the more frustrated I am that services like this even exist in the first place. But they do and it's worthwhile being aware of them so have a listen to the video this week and check out the links I've shared below.

Internet 110

Internet Internet 110

Adam Shostack

JULY 26, 2018

Since I wrote my book on the topic, people have been asking me “what’s new in threat modeling?” My Blackhat talk is my answer to that question, and it’s been taking up the time that I’d otherwise be devoting to the series. As I’ve been practicing my talk*, I discovered that there’s more new than I thought, and I may not be able to fit in everything I want to talk about in 50 minutes.

100

100

Advertisement

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Schneier on Security

JULY 24, 2018

This is well-worth reading (non-paywalled version ). Here's the opening: Cryptocurrencies, although a seemingly interesting idea, are simply not fit for purpose. They do not work as currencies, they are grossly inefficient, and they are not meaningfully distributed in terms of trust. Risks involving cryptocurrencies occur in four major areas: technical risks to participants, economic risks to participants, systemic risks to the cryptocurrency ecosystem, and societal risks.

Cryptocurrency 147

Cryptocurrency Risk 147

Krebs on Security

JULY 27, 2018

Here’s a timely reminder that email isn’t the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned. This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer.

Malware 188

Malware Phishing Government Scams 188

Lenny Zeltser

JULY 27, 2018

Finding real-world malware samples that illustrate practical analysis techniques is tricky. When training professionals how to reverse-engineer malware , I’ve gone through lots of malicious programs for the purpose of educational examples. Here are some of the samples that I’ve retired from the FOR610 course over the years, because they no longer seemed current or relevant.

Malware 75

Malware Engineering Education Advertising 75

Adam Shostack

JULY 24, 2018

That’s the subject of a thought-provoking Washington Post article, “ In about 20 years, half the population will live in eight states ,” and 70% of Americans will live in 15 states. “ Meaning 30 percent will choose 70 senators. And the 30% will be older, whiter, more rural, more male than the 70 percent. ” Of course, as the census shows the population shifting, the makeup of the House will also change dramatically.

Government 100

Government 100

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Schneier on Security

JULY 26, 2018

Krebs on Security is reporting that all 85,000 Google employees use two-factor authentication with a physical token. A Google spokesperson said Security Keys now form the basis of all account access at Google. "We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons.

Authentication 135

Authentication Accountability Risk Phishing 135

WIRED Threat Level

JULY 26, 2018

Amazon has marketed its Rekognition facial recognition system to law enforcement. But in a new ACLU study, the technology confused 28 members of Congress with publicly available arrest photos.

Marketing 76

Marketing Technology 76

Thales Cloud Protection & Licensing

JULY 26, 2018

Enterprise databases house some of the most highly-sensitive, tightly-regulated data—the very data that is sought after by malicious insiders and external attackers. As a result, database encryption has never been more crucial in order to protect the massive amounts of information that is held in the diverse mix of databases that large enterprises rely on today, including relational, SQL, NoSQL and big data environments.

Encryption 63

Encryption Big data Backups Risk 63

Dark Reading

JULY 25, 2018

A hacker who successfully infiltrated a voting machine at last year's DEF CON will demonstrate at Black Hat USA how he did it, as well as what he later found stored on other decommissioned WinVote machines.

Hacking 67

Hacking 67

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Schneier on Security

JULY 25, 2018

There are some good lessons in this article on financial fraud: That's how we got it so wrong. We were looking for incidental breaches of technical regulations, not systematic crime. And the thing is, that's normal. The nature of fraud is that it works outside your field of vision, subverting the normal checks and balances so that the world changes while the picture stays the same.

Marketing 133

Marketing Manufacturing Technology Banking 133

Security Affairs

JULY 26, 2018

US-CERT warns of cyber attacks on ERP applications, including Oracle and SAP, and refers an interesting report published by Digital Shadows and Onapsis. US-CERT warns of cyber attacks on Enterprise resource planning (ERP) solutions such as Oracle and SAP, both nation-state actors and cybercrime syndicates are carrying out hacking campaign against these systems.

Cyber Attacks 75

Cyber Attacks Digital transformation Hacking Advertising 75

eSecurity Planet

JULY 23, 2018

UTM appliances offer a quick path to comprehensive security for SMBs, but features differ among vendors. Here's a comprehensive look at top UTM solutions.

64

64

WIRED Threat Level

JULY 27, 2018

Over the last 15 years, JPay has quietly been moving into prisons across the country—connecting family members through email, at a cost.

63

63

Advertisement

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

Software

Schneier on Security

JULY 26, 2018

DARPA is funding research into resilient anonymous communications systems.

205

205

Security Affairs

JULY 27, 2018

Researchers from Proofpoint have discovered a new remote access Trojan (RAT) named Parasite HTTP that implements a broad range of evasion techniques. The Parasite HTTP RAT has a modular architecture that allows authors to easily add new features. The malware includes sandbox detection, anti-debugging, anti-emulation, and other defense mechanisms. “Proofpoint researchers recently discovered a new remote access Trojan (RAT) available for sale on underground markets.

Malware 74

Malware Advertising Passwords Retail 74

Thales Cloud Protection & Licensing

JULY 24, 2018

Originally Featured in Global Military Communications Magazine’s June/July Issue. With more than 65,000 employees in 56 countries, Thales is a global leader in technology solutions for the aerospace, transport, defence and security markets. Its unique capabilities include the design and deployment of equipment, systems and services to meet complex security requirements.

Encryption 48

Encryption Data breaches Government Threat Reports 48

WIRED Threat Level

JULY 22, 2018

Two-factor authentication is a must, but don't settle for the SMS version. Use a more secure authenticator app instead.

Authentication 66

Authentication Accountability 66

Advertisement

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

Cybersecurity

Schneier on Security

JULY 27, 2018

According to a new CSIS report , "going dark" is not the most pressing problem facing law enforcement in the age of digital data: Over the past year, we conducted a series of interviews with federal, state, and local law enforcement officials, attorneys, service providers, and civil society groups. We also commissioned a survey of law enforcement officers from across the country to better understand the full range of difficulties they are facing in accessing and using digital evidence in their c

Encryption 132

Encryption 132

Security Affairs

JULY 23, 2018

Sony fixed 2 remotely exploitable flaws in Sony IPELA E Series Network Camera products that could be exploited to execute commands or arbitrary code. Sony addressed two remotely exploitable flaws in Sony IPELA E Series Network Camera products that could be exploited to execute commands or arbitrary code on affected devices. The first vulnerability, tracked as CVE-2018-3937, is a command injection issue that affects the measurementBitrateExec features implemented in the IPELA E Series Network Cam

Advertising 71

Advertising Firmware Hacking Surveillance 71

Dark Reading

JULY 26, 2018

Here's some advice from leading authorities on how state and local governments can adapt to an environment where election systems will inevitably be hacked.

Government 53

Government Hacking 53

WIRED Threat Level

JULY 24, 2018

The world's biggest browser now lets you know when you're visiting an unencrypted site.

75

75

Advertisement

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.

Cybersecurity