Sat.Sep 29, 2018 - Fri.Oct 05, 2018

article thumbnail

Facebook Is Using Your Two-Factor Authentication Phone Number to Target Advertising

Schneier on Security

From Kashmir Hill : Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn't hand over at all, but that was collected from other people's contact books, a hidden layer of details Facebook has about you that I've come to call "shadow contact information.

article thumbnail

When Security Researchers Pose as Cybercrooks, Who Can Tell the Difference?

Krebs on Security

A ridiculous number of companies are exposing some or all of their proprietary and customer data by putting it in the cloud without any kind of authentication needed to read, alter or destroy it. When cybercriminals are the first to discover these missteps, usually the outcome is a demand for money in return for the stolen data. But when these screw-ups are unearthed by security professionals seeking to make a name for themselves, the resulting publicity often can leave the breached organization

Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

New Pluralsight Course: Adapting to the New Normal: Embracing a Security Culture of Continual Change

Troy Hunt

I take more pleasure than I probably should in watching the bewilderment within organisations as the technology landscape rapidly changes and rushes ahead of them. Perhaps "pleasure" isn't the right word, is it more "amusement"? Or even "curiosity"? Whichever it is, I find myself rhetorically asking "so you just expected everything to stay the same forever, did you?

Banking 193
article thumbnail

iPhone Hack Allows Access to Contacts, Photos

Adam Levin

Apple’s iOS 12 update includes a workaround that can allow a hacker to access a device’s photos and contacts without having the passcode to unlock it. It does not, however, allow unauthorized users full access to the device, and executing the workaround isn’t exactly an easy thing to do. Security research Jose Rodriguez recently posted a Youtube video showing how to exploit a bug in Siri, the iPhone’s voice assistant with a relatively convoluted process (it either takes 16 or 37 steps, depending

Hacking 177
article thumbnail

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

article thumbnail

Conspiracy Theories Around the "Presidential Alert"

Schneier on Security

Noted conspiracy theorist John McAfee tweeted : The "Presidential alerts": they are capable of accessing the E911 chip in your phones - giving them full access to your location, microphone, camera and every function of your phone. This not a rant, this is from me, still one of the leading cybersecurity experts. Wake up people! This is, of course, ridiculous.

article thumbnail

The Architectural Mirror (Threat Model Thursdays)

Adam Shostack

A few weeks ago, I talked about “ reflective practice in threat modeling “, thinking about how we approach the problems we face, and asking if our approaches are the best we can do. Sometimes it’s hard to reflect. It’s hard to face the mirror and say ‘could I have done that better?’ That’s human nature. Sometimes, it can be easier to learn from an analogy, and I’ll again go to physical buildings as a source.

More Trending

article thumbnail

China planted tiny chips on US computers for cyber espionage

Security Affairs

China used tiny chips implanted on computer equipment manufactured for US companies and government agencies to steal secret information. According to a report published by Bloomberg News, China used tiny chips implanted on computer equipment manufactured for US companies and government agencies, including Amazon and Apple, to steal secret information.

article thumbnail

Chinese Supply Chain Hardware Attack

Schneier on Security

Bloomberg is reporting about a Chinese espionage operating involving inserting a tiny chip into computer products made in China. I've written ( alternate link ) this threat more generally. Supply-chain security is an insurmountably hard problem. Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product.

260
260
article thumbnail

CVE Funding and Process

Adam Shostack

I had not seen this interesting letter (August 27, 2018) from the House Energy and Commerce Committee to DHS about the nature of funding and support for the CVE. This is the sort of thoughtful work that we hope and expect government departments do, and kudos to everyone involved in thinking about how CVE should be nurtured and maintained.

article thumbnail

The Facebook Hack Is an Internet-Wide Failure

WIRED Threat Level

Major sites using Facebook's Single Sign-On don't implement basic security features, potentially making the fallout of last week's hack much worse.

Hacking 109
article thumbnail

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

article thumbnail

FBI IC3 warns of cyber attacks exploiting Remote Desktop Protocol (RDP)

Security Affairs

The FBI Internet Crime Complaint Center (IC3) warns of cyber attacks exploiting Remote Desktop Protocol (RDP) vulnerabilities. Remote Desktop Protocol (RDP) is a widely adopted protocol for remote administration, but it could dramatically enlarge the attack surface if it isn’t properly managed. The FBI Internet Crime Complaint Center (IC3) and the DHS issued a joint alert to highlight the rise of RDP as an attack vector.

article thumbnail

The Effects of GDPR's 72-Hour Notification Rule

Schneier on Security

The EU's GDPR regulation requires companies to report a breach within 72 hours. Alex Stamos, former Facebook CISO now at Stanford University, points out how this can be a problem: Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete. 1) Announce & cop to max possible impacted users. 2) Everybody is confused on actual impact, lots of rumors. 3) A month later truth is included in official filing.

CISO 241
article thumbnail

7 Steps to Start Your Risk Assessment

Dark Reading

Risk assessment can be complex, but it's vital for making good decisions about IT security. Here are steps to start you down the path toward a meaningful risk assessment process.

Risk 88
article thumbnail

How Russian Spies Infiltrated Hotel Wi-Fi to Hack Their Victims Up Close

WIRED Threat Level

A new indictment details how Russian agents camped outside hotels when remote hacking efforts weren't enough.

Hacking 109
article thumbnail

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

article thumbnail

Z-LAB Report – Analyzing the GandCrab v5 ransomware

Security Affairs

Experts at the Cybaze Z-Lab have analyzed the latest iteration of the infamous GandCrab ransomware, version 5.0. Malware researchers at Cybaze ZLab analyzed the latest version of the infamous GandCrab ransomware, version 5.0. Most of the infections have been observed in central Europe, but experts found evidence that the malicious code doesn’t infect Russian users.

article thumbnail

More on the Five Eyes Statement on Encryption and Backdoors

Schneier on Security

Earlier this month, I wrote about a statement by the Five Eyes countries about encryption and back doors. (Short summary: they like them.) One of the weird things about the statement is that it was clearly written from a law-enforcement perspective, though we normally think of the Five Eyes as a consortium of intelligence agencies. Susan Landau examines the details of the statement, explains what's going on, and why the statement is a lot less than what it might seem.

article thumbnail

US Indicts 7 Russian Intel Officers for Hacking Anti-Doping Organizations

Dark Reading

Netherlands expels four of the suspects trying to break into an organization investigating a chemical used in the recent attack on a former Russian spy in Britain.

Hacking 81
article thumbnail

The Presidential Text Alert Has a Long, Strange History

WIRED Threat Level

While the presidential text that hits your phone Wednesday will be the first of its kind, it's part of a decades-long lineage of official government Doomsday alerts.

article thumbnail

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

article thumbnail

Attackers chained three bugs to breach into the Facebook platform

Security Affairs

Facebook has revealed additional details about the cyber attack that exposed personal information of 50 million accounts. Last week, Facebook announced that attackers exploited a vulnerability in the “View As” feature that allowed them to steal Facebook access tokens of 50 Million Users. The “View As” feature allows users to see how others see their profile, it was implemented under the privacy section to help users to check that only intended data is visible for their public profile.

article thumbnail

Sophisticated Voice Phishing Scams

Schneier on Security

Brian Krebs is reporting on some new and sophisticated phishing scams over the telephone. I second his advice: "never give out any information about yourself in response to an unsolicited phone call." Always call them back, and not using the number offered to you by the caller. Always.

Scams 238
article thumbnail

Foxit PDF Reader Fixes High-Severity Remote Code Execution Flaws

Threatpost

Foxit Software has patched over 100 vulnerabilities in its popular Foxit PDF Reader. Many of the bugs tackled by the company include a wide array of high severity remote code execution vulnerabilities. Foxit on Friday released fixes for Foxit Reader 9.3 and Foxit PhantomPDF 9.3, which addressed a whopping 124 vulnerabilities. It’s important to note […].

article thumbnail

Malware Has a New Way to Hide on Your Mac

WIRED Threat Level

By only checking a file's code signature when you install it—and never again—macOS gives malware a chance to evade detection indefinitely.

Malware 94
article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

Hidden Cobra APT used the new ATM cash-out scheme FASTCash to hit banks worldwide

Security Affairs

A joint technical alert from the DHS, the FBI, and the Treasury warning about a new ATM cash-out scheme, dubbed “FASTCash,” used by Hidden Cobra APT. The US-CERT has released a joint technical alert from the DHS, the FBI, and the Treasury warning about a new ATM cash-out scheme, dubbed “ FASTCash ,” being used by the prolific North Korean APT hacking group known as Hidden Cobra (aka Lazarus Group and Guardians of Peace).

Banking 111
article thumbnail

Detecting Credit Card Skimmers

Schneier on Security

Interesting research paper: " Fear the Reaper: Characterization and Fast Detection of Card Skimmers ": Abstract: Payment card fraud results in billions of dollars in losses annually. Adversaries increasingly acquire card data using skimmers, which are attached to legitimate payment devices including point of sale terminals, gas pumps, and ATMs. Detecting such devices can be difficult, and while many experts offer advice in doing so, there exists no large-scale characterization of skimmer technol

article thumbnail

CISOs: How to Answer the 5 Questions Boards Will Ask You

Dark Reading

As boards learn the importance of cybersecurity, certain issues arise on a regular basis. These tips can help you address them.

CISO 92
article thumbnail

Why Supply Chain Hacks Are a Cybersecurity Worse Case Scenario

WIRED Threat Level

A blockbuster report from Bloomberg says that China has compromised servers used by major US companies. It's a problem that experts have long feared, and still don't know how to resolve.

Hacking 79
article thumbnail

The Cloud Development Environment Adoption Report

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

article thumbnail

Estonia sues Gemalto for 152M euros over flaws in citizen ID cards issued by the company

Security Affairs

Estonian sues Gemalto for 152 million euros following the security flaws in the citizen ID cards issued by the company that caused their recall in 2017. Estonian authorities sue the security firm Gemalto for 152 million euros following the security flaws in the citizen ID cards issued by the company that caused their recall in 2017. “Estonian police are seeking to recover 152 million euros ($178 mln) in a lawsuit filed on Thursday against digital security firm Gemalto, following a recall l

article thumbnail

Terahertz Millimeter-Wave Scanners

Schneier on Security

Interesting article on terahertz millimeter-wave scanners and their uses to detect terrorist bombers. The heart of the device is a block of electronics about the size of a 1990s tower personal computer. It comes housed in a musician's black case, akin to the one Spinal Tap might use on tour. At the front: a large, square white plate, the terahertz camera and, just above it, an ordinary closed-circuit television (CCTV) camera.

article thumbnail

Inside the North Korean Hacking Operation Behind SWIFT Bank Attacks

Dark Reading

FireEye details how this money-stealing operation it now calls APT 38 has emerged in the past four years and how it operates.

Banking 92
article thumbnail

Cybersecurity Awareness Month Blog Series: Leading the cybersecurity jobs of the future

Thales Cloud Protection & Licensing

Some might say the month of October is the official kickoff to the Holiday Season. There is one holiday this month which we are particularly passionate about (and it’s not Halloween). This October marks the 15 th annual National Cybersecurity Awareness Month (NCSAM) – an initiative to raise awareness around the importance of cybersecurity. Since its inception, NCSAM has grown exponentially, reaching consumers, small and medium-sized business, corporations, educational institutions and young peop

article thumbnail

Bringing the Cybersecurity Imperative Into Focus

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!