Sat, Nov 11, 2017 - Fri, Nov 17, 2017

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

Troy Hunt

I run a workshop titled Hack Yourself First in which people usually responsible for building web apps get to try their hand at breaking them. As it turns out, breaking websites is a heap of fun (with the obvious caveats) and people really get into the exercises. The first one that starts to push people into territory that's usually unfamiliar to builders is the module on XSS.


Apple FaceID Hacked

Schneier on Security

It only took a week: On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked FaceID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. The article points out that the hack hasn't been independently confirmed, but I have no doubt it's true.


Everything Attorney General Jeff Sessions Has Forgotten Under Oath

WIRED Threat Level

Over the course of four recent congressional hearings, Attorney General Jeff Sessions has somehow forgotten dozens of people, places, and events. Here's all of them in one place.


How to lose your password

Thales Cloud Protection & Licensing

The tsunami of passwords that exist across every aspect of our digital life means that there’s a thriving underground industry of cyber-criminals trying to get at them. To borrow from Shakespeare’s Macbeth: “Each new morn, new widows howl, new orphans cry, new sorrows slap Internet giants on the face”. The modern era of mass data breaches perhaps began in 2009, with the hack of 32 million account credentials held by software developer RockYou, in which a SQL injection attack revealed that passwo


Weekly Update 61

Troy Hunt

A bit of a "business as usual" week this one, but then this business is never really "usual"! I start out with a talk at McAfee's MPOWER conference in Sydney and a bit of chatter about some upcoming ones (including the one I still can't talk about, but will next week!). In terms of new things, I've now got my hands on an iPhone X so I spend a bunch of time talking about that.


Google's Data on Login Thefts

Schneier on Security

This is interesting research and data: With Google accounts as a case-study, we teamed up with the University of California, Berkeley to better understand how hijackers attempt to take over accounts in the wild. From March 2016 to March 2017, we analyzed several black markets to see how hijackers steal passwords and other sensitive data. [...] Our research tracked several black markets that traded third-party password breaches, as well as 25,000 blackhat tools used for phishing and keylogging.


Why the cybersecurity industry should care about Open Source maintenance

Thales Cloud Protection & Licensing

In June of this year, Thales eSecurity joined the Core Infrastructure Initiative (CII), a project both founded and managed by The Linux Foundation, with the aim of collaboratively enhancing and strengthening the security and resilience of critical Open Source projects. Many of the world’s largest technology companies already belong to the CII, with Thales being officially recognised as the first global security firm to join the initiative.


Insider Threats: Red Flags and Best Practices

Dark Reading

Security pros list red flags indicating an insider attack and best practices to protect against accidental and malicious exposure.


Motherboard Digital Security Guide

Schneier on Security

This digital security guide by Motherboard is very good. I put it alongside EFF's "Surveillance Self-Defense" and John Scott-Railton's "Digital Security Low Hanging Fruit." There's also "Digital Security and Privacy for Human Rights Defenders." There are too many of these.


Watch a 10-Year-Old Beat Apple's Face ID on His Mom's iPhone X

WIRED Threat Level

Yes, twins can unlock each other's iPhones. But kids accessing their parents' devices raises different concerns.


Apple iPhone X Face ID Fooled by a Mask

Threatpost

Vietnamese security company Bkav says it has built a proof-of-concept mask that fools Apple’s Face ID technology.


Hybrid Analysis Grows Up – Acquired by CrowdStrike

Lenny Zeltser

CrowdStrike acquired Payload Security, the company behind the automated malware analysis sandbox technology Hybrid Analysis, in November 2017. Jan Miller founded Payload Security approximately 3 years earlier. The interview I conducted with Jan in early 2015 captured his mindset at the onset of the journey that led to this milestone. I briefly spoke with Jan again, a few days after the acquisition.


Long Article on NSA and the Shadow Brokers

Schneier on Security

The New York Times just published a long article on the Shadow Brokers and their effects on NSA operations. Summary: it's been an operational disaster, the NSA still doesn't know who did it or how, and NSA morale has suffered considerably. This is me on the Shadow Brokers from last May.


How One Woman's Digital Life Was Weaponized Against Her

WIRED Threat Level

A rare court case exposes the all-too-common horror of online harassment that followed when one woman broke off a relationship.


White House Releases New Charter for Using, Disclosing Security Vulnerabilities

Dark Reading

Updated Vulnerability Equities Process provides transparency into how government will handle new vulnerabilities that it discovers in vendor products and services.


Consumer concerns over GDPR should set alarm bells ringing for businesses

Thales Cloud Protection & Licensing

Jim DeLorenzo, Solutions Marketing Manager, Thales eSecurity. Today, putting the letters ‘GDPR’ into Google will generate over 420,000 news articles, some detailing the expected impact of the regulation, and others casting doubt on businesses and their readiness. Ahead of the May 2018 legislation, we’ve been asking organisations if they’re #FITforGDPR – whether they’re ready to improve their personal data protections, as well as take on the increased accountability for data breaches, should they


New White House Announcement on the Vulnerability Equities Process

Schneier on Security

The White House has released a new version of the Vulnerabilities Equities Process (VEP). This is the inter-agency process by which the US government decides whether to inform the software vendor of a vulnerability it finds, or keep it secret and use it to eavesdrop on or attack other systems. You can read the new policy or the fact sheet, but the best place to start is Cybersecurity Coordinator Rob Joyce's blog post.


Hackers Claim to Break Face ID a Week After iPhone X Release

WIRED Threat Level

"I would say if this is all confirmed, it does mean Face ID is less secure than Touch ID."


Death of the Tier 1 SOC Analyst

Dark Reading

Say goodbye to the entry-level security operations center (SOC) analyst as we know it.


Hacking Blockchain with Smart Contracts to Control a Botnet

eSecurity Planet

Botract attack method revealed at SecTor security conference could enable a botnet to be as resilient and as distributed as the Ethereum blockchain itself.


Cisco Warns of Critical Flaw in Voice OS-based Products

Threatpost

Cisco Systems issued a patch that fixes a critical vulnerability impacting 12 products running the Cisco Voice Operating System software.


OnePlus Phones Have an Unfortunate Backdoor Built In

WIRED Threat Level

Every OnePlus model except for the original shipped with "Engineer Mode," essentially a backdoor for anyone who gets their hands on your device.


2017 Has Broken the Record for Security Vulnerabilities

Dark Reading

Some 40% of disclosed vulns as of Q3 are rated as severe, new Risk Based Security data shows.


How the Government of Canada Plans To Set CyberSecurity Policy

eSecurity Planet

At SecTor security conference, the Director General for National Cyber Security in the Government of Canada details her government's policies for keeping Canadians safe online.


Phishing Biggest Threat to Google Account Security

Threatpost

Phishing remains the biggest account takeover threat to Google users, surpassing keyloggers and credential leaks.


Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera

WIRED Threat Level

After hackers exposed a way to freeze the delivery service's security cameras, Amazon will push out a fix later this week.


IBM, Nonprofits Team Up in New Free DNS Service

Dark Reading

Quad9 blocks malicious sites used in phishing, other nefarious activity.


How to Achieve an Optimal Security Posture

eSecurity Planet

Complete and total security is impossible, so which IT security technologies will get you to your ideal security posture? We outline your options.


Debugging Tool Left on OnePlus Phones, Enables Root Access

Threatpost

Phone maker OnePlus is being blasted for leaving a developer debugging app on its handsets allowing phones to be rooted by an attacker with physical access to the device.


Inside the Decades-Long Fight for Better Emergency Alerts

WIRED Threat Level

After years of pushing for a more effective emergency alert system, the carriers have finally come around to making improvements.
