DARPA Wants Research into Resilient Anonymous Communications
Schneier on Security
JULY 26, 2018
DARPA is funding research into resilient anonymous communications systems.
Krebs on Security
JULY 23, 2018
Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. A YubiKey Security Key made by Yubico. The basic model featured here retails for $20. Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in
Troy Hunt
JULY 23, 2018
As of today, Google begins shipping Chrome 68 which flags all sites served over the HTTP scheme as being "not secure". This is because the connection is, well, not secure so it seems like a fairly reasonable thing to say! We've known this has been coming for a long time now both through observing the changes in the industry and Google specifically saying "this is coming". Yet somehow, we've arrived at today with a sizable chunk of the web still serving traffic insecurely: The major
The Last Watchdog
JULY 25, 2018
Was it really that long ago that company networks were comprised of a straightforward cluster of servers, databases, applications and user devices corralled largely on premises? Related article: Taking a ‘zero-trust’ approach to authentication. In today’s digitally transformed environment, companies must monitor and defend systems housed on-premises and in overlapping public and private clouds.
Schneier on Security
JULY 25, 2018
Bluetooth has a serious security vulnerability: In some implementations, the elliptic curve parameters are not all validated by the cryptographic algorithm implementation, which may allow a remote attacker within wireless range to inject an invalid public key to determine the session key with high probability. Such an attacker can then passively intercept and decrypt all device messages, and/or forge and inject malicious messages.
Krebs on Security
JULY 25, 2018
Identity theft protection firm LifeLock — a company that’s built a name for itself based on the promise of helping consumers protect their identities online — may have actually exposed customers to additional attacks from ID thieves and phishers. The company just fixed a vulnerability on its site that allowed anyone with a Web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications from the company.
Cyber Security Informer brings together the best content for cyber security professionals from the widest variety of industry thought leaders.
The Last Watchdog
JULY 23, 2018
If you’re not familiar with how Facebook, Twitter and YouTube make it so easy for you and me to easily access cool content they’ve collected and stored behind their respective firewalls, then you might think “API” is a trendy type of beer. In fact, API stands for Application Programming Interface, the indispensable technology that makes it possible for software applications to exchange data across the Internet.
Schneier on Security
JULY 23, 2018
The 1Password password manager has just introduced "travel mode," which allows you to delete your stored passwords when you're in other countries or crossing borders: Your vaults aren't just hidden; they're completely removed from your devices as long as Travel Mode is on. That includes every item and all your encryption keys. There are no traces left for anyone to find.
Krebs on Security
JULY 24, 2018
Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses. According to a lawsuit filed last month in the Western District of Virginia, the first heist took place in late May 2016, after an employee at The National Bank of Blacksburg fell victim to a targeted phishing email.
Troy Hunt
JULY 27, 2018
Alrighty, 2 big things to discuss today and I'll jump right into them here: Exactis: it's hard to know where to even start with this one and frankly, the more I think about it the more frustrated I am that services like this even exist in the first place. But they do and it's worthwhile being aware of them so have a listen to the video this week and check out the links I've shared below.
Adam Shostack
JULY 26, 2018
Since I wrote my book on the topic, people have been asking me “what’s new in threat modeling?” My Blackhat talk is my answer to that question, and it’s been taking up the time that I’d otherwise be devoting to the series. As I’ve been practicing my talk*, I discovered that there’s more new than I thought, and I may not be able to fit in everything I want to talk about in 50 minutes.
Schneier on Security
JULY 24, 2018
This is well worth reading (non-paywalled version). Here's the opening: Cryptocurrencies, although a seemingly interesting idea, are simply not fit for purpose. They do not work as currencies, they are grossly inefficient, and they are not meaningfully distributed in terms of trust. Risks involving cryptocurrencies occur in four major areas: technical risks to participants, economic risks to participants, systemic risks to the cryptocurrency ecosystem, and societal risks.
Krebs on Security
JULY 27, 2018
Here’s a timely reminder that email isn’t the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned. This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer.
Security Affairs
JULY 23, 2018
Sony fixed 2 remotely exploitable flaws in Sony IPELA E Series Network Camera products that could be exploited to execute commands or arbitrary code. Sony addressed two remotely exploitable flaws in Sony IPELA E Series Network Camera products that could be exploited to execute commands or arbitrary code on affected devices. The first vulnerability, tracked as CVE-2018-3937, is a command injection issue that affects the measurementBitrateExec features implemented in the IPELA E Series Network Cam
Adam Shostack
JULY 24, 2018
That’s the subject of a thought-provoking Washington Post article, “In about 20 years, half the population will live in eight states,” and 70% of Americans will live in 15 states. “Meaning 30 percent will choose 70 senators. And the 30% will be older, whiter, more rural, more male than the 70 percent.” Of course, as the census shows the population shifting, the makeup of the House will also change dramatically.
Schneier on Security
JULY 26, 2018
Krebs on Security is reporting that all 85,000 Google employees use two-factor authentication with a physical token. A Google spokesperson said Security Keys now form the basis of all account access at Google. "We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons.
Lenny Zeltser
JULY 27, 2018
Finding real-world malware samples that illustrate practical analysis techniques is tricky. When training professionals how to reverse-engineer malware, I’ve gone through lots of malicious programs for the purpose of educational examples. Here are some of the samples that I’ve retired from the FOR610 course over the years, because they no longer seemed current or relevant.
Security Affairs
JULY 23, 2018
Security experts are warning of an intensification of attacks powered by two notorious IoT botnets, Mirai and Gafgyt. Security experts are warning of a new wave of attacks powered by two botnets, Mirai and Gafgyt. Since the code of the infamous Mirai botnet was leaked online, many variants have emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG botnet are just the latest variants to appear online in 2018.
WIRED Threat Level
JULY 26, 2018
Amazon has marketed its Rekognition facial recognition system to law enforcement. But in a new ACLU study, the technology confused 28 members of Congress with publicly available arrest photos.
Schneier on Security
JULY 25, 2018
There are some good lessons in this article on financial fraud: That's how we got it so wrong. We were looking for incidental breaches of technical regulations, not systematic crime. And the thing is, that's normal. The nature of fraud is that it works outside your field of vision, subverting the normal checks and balances so that the world changes while the picture stays the same.
Dark Reading
JULY 25, 2018
A hacker who successfully infiltrated a voting machine at last year's DEF CON will demonstrate at Black Hat USA how he did it, as well as what he later found stored on other decommissioned WinVote machines.
Security Affairs
JULY 26, 2018
US-CERT warns of cyber attacks on ERP applications, including Oracle and SAP, and refers to an interesting report published by Digital Shadows and Onapsis. US-CERT warns of cyber attacks on Enterprise resource planning (ERP) solutions such as Oracle and SAP; both nation-state actors and cybercrime syndicates are carrying out hacking campaigns against these systems.
WIRED Threat Level
JULY 24, 2018
The world's biggest browser now lets you know when you're visiting an unencrypted site.
Schneier on Security
JULY 27, 2018
According to a new CSIS report, "going dark" is not the most pressing problem facing law enforcement in the age of digital data: Over the past year, we conducted a series of interviews with federal, state, and local law enforcement officials, attorneys, service providers, and civil society groups. We also commissioned a survey of law enforcement officers from across the country to better understand the full range of difficulties they are facing in accessing and using digital evidence in their c
eSecurity Planet
JULY 23, 2018
UTM appliances offer a quick path to comprehensive security for SMBs, but features differ among vendors. Here's a comprehensive look at top UTM solutions.
Security Affairs
JULY 27, 2018
Researchers from Proofpoint have discovered a new remote access Trojan (RAT) named Parasite HTTP that implements a broad range of evasion techniques. The Parasite HTTP RAT has a modular architecture that allows authors to easily add new features. The malware includes sandbox detection, anti-debugging, anti-emulation, and other defense mechanisms. “Proofpoint researchers recently discovered a new remote access Trojan (RAT) available for sale on underground markets.
Thales Cloud Protection & Licensing
JULY 26, 2018
Enterprise databases house some of the most highly sensitive, tightly regulated data, the very data that is sought after by malicious insiders and external attackers. As a result, database encryption has never been more crucial in order to protect the massive amounts of information that are held in the diverse mix of databases that large enterprises rely on today, including relational, SQL, NoSQL and big data environments.
Schneier on Security
JULY 27, 2018
Ross Anderson liveblogged the Third Annual Cybercrime Conference.
eSecurity Planet
JULY 23, 2018
We review Untangle NG Firewall UTM solutions, which get high marks from small businesses for blocking advanced threats.
Security Affairs
JULY 26, 2018
Address Verification allows you to be sure you are securely communicating with the right person, while PGP support adds encrypted email interoperability. Starting with the latest release of ProtonMail on web (v3.14), iOS and Android (v1.9), and the latest versions of the ProtonMail IMAP/SMTP Bridge, ProtonMail now supports Address Verification, along with full PGP interoperability and support.