Sat.May 12, 2018 - Fri.May 18, 2018

article thumbnail

Details on a New PGP Vulnerability

Schneier on Security

A new PGP vulnerability was announced today. Basically, the vulnerability makes use of the fact that modern e-mail programs allow for embedded HTML objects. Essentially, if an attacker can intercept and modify a message in transit, he can insert code that sends the plaintext in a URL to a remote website. Very clever. The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails.

article thumbnail

Weekly Update 87

Troy Hunt

We're on a beach! It's the day after 3 pretty intense days of NDC conference and the day before Scott heads back to the UK so beach was an easy decision. The conference went fantastically well and, in all honesty, was the most enjoyable workshop I think I've done out of ~50 of them these last few years. NDC will be back on the Gold Coast next yet, plus of course it will be in Oslo in a few weeks' time then Sydney in September where we'll both do it all again.

138
138
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

The Untold Story of Robert Mueller's Time in the Vietnam War

WIRED Threat Level

Special Counsel Robert Mueller’s job is to make sense of how Russia hacked the 2016 election. But to make sense of Mueller, you have to revisit some of the bloodiest battles of Vietnam.

Hacking 112
article thumbnail

Get Ready for 'WannaCry 2.0'

Dark Reading

Another widespread worm attack is "inevitable," but spreading a different more lucrative or destructive payload, experts say.

95
article thumbnail

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

article thumbnail

Critical PGP Vulnerability

Schneier on Security

EFF is reporting that a critical vulnerability has been discovered in PGP and S/MIME. No details have been published yet, but one of the researchers wrote : We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.

article thumbnail

New Pluralsight Course: The Role of Shadow IT and How to Bring it out of the Darkness

Troy Hunt

It's a new Pluralsight course! Yes, I know I said that yesterday too , but this is a new new Pluralsight course and it's the second part in our series on Creating a Security-centric Culture. As I wrote there back in Jan, we're doing this course on a quarterly basis and putting it out in front of the paywall so in other words, it's free! It's also a combination of video and screencast which means you see a lot of this: As for the topic in the title, shadow IT has always been an interesting one an

More Trending

article thumbnail

Cracking 2FA: How It's Done and How to Stay Safe

Dark Reading

Two-factor authentication is a common best security practice but not ironclad. Here's how it can be bypassed, and how you can improve security.

article thumbnail

Sending Inaudible Commands to Voice Assistants

Schneier on Security

Researchers have demonstrated the ability to send inaudible commands to voice assistants like Alexa, Siri, and Google Assistant. Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear to Apple's Siri, Amazon's Alexa and Google's Assistant.

article thumbnail

New Pluralsight Course: OWASP Top 10, 2017

Troy Hunt

Just a tad over 5 years ago, I released my first ever Pluralsight course - OWASP Top 10 Web Application Security Risks for ASP.NET. More than 32k people have listened to more than 78k hours of content in this course making it not just the most popular course I've ever released, but also keeping it as my most popular in the library even today by a long way.

InfoSec 119
article thumbnail

Hidden Alexa Commands, Cell Phone Tracking, and More Security News This Week

WIRED Threat Level

Hidden Alexa commands, cell phone tracking, and more security news this week.

105
105
article thumbnail

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

article thumbnail

The Risks of Remote Desktop Access Are Far from Remote

Dark Reading

RDP is used by fraudsters to steal and monetize data more often than you might think. But there are ways to stay safe.

Risk 64
article thumbnail

White House Eliminates Cybersecurity Position

Schneier on Security

The White House has eliminated the cybersecurity coordinator position. This seems like a spectacularly bad idea.

article thumbnail

Critical Linux Flaw Opens the Door to Full Root Access

Threatpost

The vulnerability allows an attacker to execute a malware or other payloads on a client machine by sending malicious messages from the DHCP server.

Malware 63
article thumbnail

Inside the Takedown of Scan4You, a Notorious Malware Clearinghouse

WIRED Threat Level

How security researchers caught the creators of counter antivirus services Scan4You.

Antivirus 105
article thumbnail

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

article thumbnail

How to Hang Up on Fraud

Dark Reading

Three reasons why the phone channel is uniquely vulnerable to spoofing and what call centers are doing about it.

62
article thumbnail

Maliciously Changing Someone's Address

Schneier on Security

Someone changed the address of UPS corporate headquarters to his own apartment in Chicago. The company discovered it three months later. The problem, of course, is that in the US there isn't any authentication of change-of-address submissions: According to the Postal Service, nearly 37 million change-of-address requests ­ known as PS Form 3575 ­ were submitted in 2017.

article thumbnail

GDPR Phishing Scam Targets Apple Accounts, Financial Data

Threatpost

A phishing scam fooled victims by claiming to be Apple and scooping up personal details – including financial information and Apple account information.

Scams 56
article thumbnail

Gruesome Jihadi Content Still Flourishes on Facebook and Google+

WIRED Threat Level

Despite improvements to algorithmic filtering, Facebook and Google+ still host scores of ISIS and related content and accounts that sometimes stay up for months.

article thumbnail

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

article thumbnail

7 Tools for Stronger IoT Security, Visibility

Dark Reading

If you don't know what's on your IoT network, you don't know what to protect -- or protect from. These tools provide visibility into your network so you can be safe with (and from) what you see.

IoT 60
article thumbnail

Accessing Cell Phone Location Information

Schneier on Security

The New York Times is reporting about a company called Securus Technologies that gives police the ability to track cell phone locations without a warrant: The service can find the whereabouts of almost any cellphone in the country within seconds. It does this by going through a system typically used by marketers and other companies to get location data from major cellphone carriers, including AT&T, Sprint, T-Mobile and Verizon, documents show.

Mobile 155
article thumbnail

Secure Cloud Migration and the Cloud Security Alliance

Thales Cloud Protection & Licensing

For many years, Thales eSecurity has been a solution provider member of the Cloud Security Alliance (CSA), a global organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment 1. Among CSA’s many activities is its research arm, which include 34 working groups, one of which is called Security Guidance.

article thumbnail

Jigsaw's Project Shield Will Protect Campaigns From Online Attacks

WIRED Threat Level

Project Shield already defends journalists and human rights groups from DDoS attacks. Now, Jigsaw will help political campaigns out as well.

DDOS 100
article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

California Teen Arrested for Phishing Teachers to Change Grades

Dark Reading

The student faces 14 felony counts for using a phishing campaign to steal teachers' credentials and alter students' grades.

article thumbnail

11 Top Managed Security Service Providers (MSSPs)

eSecurity Planet

Our guide to the top managed security service providers (MSSPs), based on their ratings in analyst reports the Gartner Magic Quadrant and the IDC MarketScape Vendor Assessment.

54
article thumbnail

Issuance support for a wide range of payment instruments

Thales Cloud Protection & Licensing

Making payments even in a face-to-face environment is no longer just about using magnetic stripe or chip cards where the security, operating rules, and risks have been long established and well understood by all the actors involved. We are now living in a world where fundamentally different types of devices are being used to initiate payment transactions.

IoT 54
article thumbnail

EFail: Encrypted Email Has a Major, Divisive Flaw

WIRED Threat Level

An attack called eFail overcomes the protections of encrypted email standards PGP and S/MIME.

article thumbnail

The Cloud Development Environment Adoption Report

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

article thumbnail

Chili's Suffers Data Breach

Dark Reading

The restaurant believes malware was used to collect payment card data including names and credit or debit numbers.

article thumbnail

‘Voice-Squatting’ Turns Alexa, Google Home into Silent Spies

Threatpost

A team of academic researchers has demonstrated that it's possible to possible to closely mimic legitimate voice commands in order to carry out nefarious actions on these home assistants.

IoT 49
article thumbnail

CenturyLink Managed Security Services: Overview and Analysis

eSecurity Planet

We review CenturyLink's Managed Security Services, which monitor 1.3 billion security events per day and serve customers in 60 different countries.

45
article thumbnail

Forget C-I-A, Availability Is King

The Falcon's View

In the traditional parlance of infosec, we've been taught repeatedly that the C-I-A triad (confidentiality, integrity, availability) must be balanced in accordance with the needs of the business. This concept is foundational to all of infosec, ensconced in standards and certification exams and policies. Yet, today, it's essentially wrong, and moreover isn't a helpful starting point for a security discussion.

InfoSec 40
article thumbnail

Bringing the Cybersecurity Imperative Into Focus

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!