Schneier on Security

OCTOBER 2, 2018

From Kashmir Hill : Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn't hand over at all, but that was collected from other people's contact books, a hidden layer of details Facebook has about you that I've come to call "shadow contact information.

Advertising 279

Advertising Authentication Accountability Adware 279

Krebs on Security

OCTOBER 2, 2018

A ridiculous number of companies are exposing some or all of their proprietary and customer data by putting it in the cloud without any kind of authentication needed to read, alter or destroy it. When cybercriminals are the first to discover these missteps, usually the outcome is a demand for money in return for the stolen data. But when these screw-ups are unearthed by security professionals seeking to make a name for themselves, the resulting publicity often can leave the breached organization

Data breaches 220

Data breaches Passwords Internet Internet 220

Troy Hunt

OCTOBER 2, 2018

I take more pleasure than I probably should in watching the bewilderment within organisations as the technology landscape rapidly changes and rushes ahead of them. Perhaps "pleasure" isn't the right word, is it more "amusement"? Or even "curiosity"? Whichever it is, I find myself rhetorically asking "so you just expected everything to stay the same forever, did you?

Banking 196

Banking Technology Encryption Phishing 196

Adam Levin

OCTOBER 3, 2018

Apple’s iOS 12 update includes a workaround that can allow a hacker to access a device’s photos and contacts without having the passcode to unlock it. It does not, however, allow unauthorized users full access to the device, and executing the workaround isn’t exactly an easy thing to do. Security research Jose Rodriguez recently posted a Youtube video showing how to exploit a bug in Siri, the iPhone’s voice assistant with a relatively convoluted process (it either takes 16 or 37 steps, depending

Hacking 177

Hacking Government 177

Advertisement

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Passwords

Schneier on Security

OCTOBER 4, 2018

Noted conspiracy theorist John McAfee tweeted : The "Presidential alerts": they are capable of accessing the E911 chip in your phones - giving them full access to your location, microphone, camera and every function of your phone. This not a rant, this is from me, still one of the leading cybersecurity experts. Wake up people! This is, of course, ridiculous.

Cybersecurity 267

Cybersecurity 267

Adam Shostack

OCTOBER 4, 2018

A few weeks ago, I talked about “ reflective practice in threat modeling “, thinking about how we approach the problems we face, and asking if our approaches are the best we can do. Sometimes it’s hard to reflect. It’s hard to face the mirror and say ‘could I have done that better?’ That’s human nature. Sometimes, it can be easier to learn from an analogy, and I’ll again go to physical buildings as a source.

Architecture 145

Architecture 145

Security Affairs

OCTOBER 4, 2018

China used tiny chips implanted on computer equipment manufactured for US companies and government agencies to steal secret information. According to a report published by Bloomberg News, China used tiny chips implanted on computer equipment manufactured for US companies and government agencies, including Amazon and Apple, to steal secret information.

Manufacturing 111

Manufacturing Government Advertising Surveillance 111

Schneier on Security

OCTOBER 4, 2018

Bloomberg is reporting about a Chinese espionage operating involving inserting a tiny chip into computer products made in China. I've written ( alternate link ) this threat more generally. Supply-chain security is an insurmountably hard problem. Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product.

263

263

Adam Shostack

OCTOBER 2, 2018

I had not seen this interesting letter (August 27, 2018) from the House Energy and Commerce Committee to DHS about the nature of funding and support for the CVE. This is the sort of thoughtful work that we hope and expect government departments do, and kudos to everyone involved in thinking about how CVE should be nurtured and maintained.

Government 140

Government Information Security 140

WIRED Threat Level

OCTOBER 4, 2018

A new indictment details how Russian agents camped outside hotels when remote hacking efforts weren't enough.

Hacking 111

Hacking 111

Advertisement

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Software

Security Affairs

SEPTEMBER 29, 2018

The FBI Internet Crime Complaint Center (IC3) warns of cyber attacks exploiting Remote Desktop Protocol (RDP) vulnerabilities. Remote Desktop Protocol (RDP) is a widely adopted protocol for remote administration, but it could dramatically enlarge the attack surface if it isn’t properly managed. The FBI Internet Crime Complaint Center (IC3) and the DHS issued a joint alert to highlight the rise of RDP as an attack vector.

Cyber Attacks 111

Cyber Attacks Advertising Internet Internet 111

Schneier on Security

OCTOBER 3, 2018

The EU's GDPR regulation requires companies to report a breach within 72 hours. Alex Stamos, former Facebook CISO now at Stanford University, points out how this can be a problem: Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete. 1) Announce & cop to max possible impacted users. 2) Everybody is confused on actual impact, lots of rumors. 3) A month later truth is included in official filing.

CISO 245

CISO Media Hacking 245

Dark Reading

OCTOBER 2, 2018

Facebook's attackers may have gained access to several third-party apps and websites via Facebook Login.

Hacking 92

Hacking 92

WIRED Threat Level

OCTOBER 2, 2018

Major sites using Facebook's Single Sign-On don't implement basic security features, potentially making the fallout of last week's hack much worse.

Hacking 111

Hacking Internet Internet 111

Advertisement

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

Security Affairs

OCTOBER 2, 2018

Experts at the Cybaze Z-Lab have analyzed the latest iteration of the infamous GandCrab ransomware, version 5.0. Malware researchers at Cybaze ZLab analyzed the latest version of the infamous GandCrab ransomware, version 5.0. Most of the infections have been observed in central Europe, but experts found evidence that the malicious code doesn’t infect Russian users.

Ransomware 111

Ransomware Encryption Advertising Malware 111

Schneier on Security

OCTOBER 1, 2018

Earlier this month, I wrote about a statement by the Five Eyes countries about encryption and back doors. (Short summary: they like them.) One of the weird things about the statement is that it was clearly written from a law-enforcement perspective, though we normally think of the Five Eyes as a consortium of intelligence agencies. Susan Landau examines the details of the statement, explains what's going on, and why the statement is a lot less than what it might seem.

Encryption 243

Encryption 243

Dark Reading

OCTOBER 3, 2018

FireEye details how this money-stealing operation it now calls APT 38 has emerged in the past four years and how it operates.

Banking 92

Banking Hacking 92

WIRED Threat Level

OCTOBER 3, 2018

By only checking a file's code signature when you install it—and never again—macOS gives malware a chance to evade detection indefinitely.

Malware 111

Malware 111

Advertisement

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Cybersecurity

Security Affairs

OCTOBER 1, 2018

Facebook has revealed additional details about the cyber attack that exposed personal information of 50 million accounts. Last week, Facebook announced that attackers exploited a vulnerability in the “View As” feature that allowed them to steal Facebook access tokens of 50 Million Users. The “View As” feature allows users to see how others see their profile, it was implemented under the privacy section to help users to check that only intended data is visible for their public profile.

Accountability 111

Accountability Hacking Advertising Cyber Attacks 111

Schneier on Security

OCTOBER 2, 2018

Brian Krebs is reporting on some new and sophisticated phishing scams over the telephone. I second his advice: "never give out any information about yourself in response to an unsolicited phone call." Always call them back, and not using the number offered to you by the caller. Always.

Scams 241

Scams Phishing 241

Dark Reading

OCTOBER 2, 2018

As boards learn the importance of cybersecurity, certain issues arise on a regular basis. These tips can help you address them.

CISO 92

CISO Cybersecurity 92

WIRED Threat Level

OCTOBER 5, 2018

Sales intelligence firm Apollo left a "staggering amount" of exposed online, including 125 million email addresses and nine billion data points.

109

109

Advertiser: Revenera

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Risk

Security Affairs

OCTOBER 3, 2018

A joint technical alert from the DHS, the FBI, and the Treasury warning about a new ATM cash-out scheme, dubbed “FASTCash,” used by Hidden Cobra APT. The US-CERT has released a joint technical alert from the DHS, the FBI, and the Treasury warning about a new ATM cash-out scheme, dubbed “ FASTCash ,” being used by the prolific North Korean APT hacking group known as Hidden Cobra (aka Lazarus Group and Guardians of Peace).

Banking 111

Banking Retail Advertising Malware 111

Schneier on Security

OCTOBER 5, 2018

Interesting research paper: " Fear the Reaper: Characterization and Fast Detection of Card Skimmers ": Abstract: Payment card fraud results in billions of dollars in losses annually. Adversaries increasingly acquire card data using skimmers, which are attached to legitimate payment devices including point of sale terminals, gas pumps, and ATMs. Detecting such devices can be difficult, and while many experts offer advice in doing so, there exists no large-scale characterization of skimmer technol

Technology 216

Technology 216

Threatpost

OCTOBER 4, 2018

Five out of six name brand routers, such as Linksys, NETGEAR and D-Link, contain known open-source vulnerabilities.

Firmware 89

Firmware IoT 89

WIRED Threat Level

OCTOBER 4, 2018

A blockbuster report from Bloomberg says that China has compromised servers used by major US companies. It's a problem that experts have long feared, and still don't know how to resolve.

Hacking 106

Hacking Cybersecurity 106

Advertisement

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

Software

Security Affairs

OCTOBER 5, 2018

The sales intelligence firm Apollo is the last victim of a massive data breach that exposed more than 200 million contact records. Apollo collects a lot of its information from public sources, including names, email addresses, and company contact information, it also gathers data by scraping Twitter and LinkedIn. The company already notified the security breach to its customers last week, the incident occurred on 23 Jul 2018. “On discovery, we took immediate steps to remediate our systems

Data breaches 111

Data breaches Advertising Media Passwords 111

Schneier on Security

OCTOBER 3, 2018

Interesting article on terahertz millimeter-wave scanners and their uses to detect terrorist bombers. The heart of the device is a block of electronics about the size of a 1990s tower personal computer. It comes housed in a musician's black case, akin to the one Spinal Tap might use on tour. At the front: a large, square white plate, the terahertz camera and, just above it, an ordinary closed-circuit television (CCTV) camera.

Computers and Electronics 212

Computers and Electronics Technology 212

Dark Reading

OCTOBER 3, 2018

The GhostDNS campaign, which has been mainly targeting consumers in Brazil, has exploded in scope since August.

Banking 89

Banking 89

WIRED Threat Level

OCTOBER 3, 2018

While the presidential text that hits your phone Wednesday will be the first of its kind, it's part of a decades-long lineage of official government Doomsday alerts.

Government 103

Government 103

Advertisement

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

Cybersecurity