Sat.Dec 01, 2018 - Fri.Dec 07, 2018

article thumbnail

What the Marriott Breach Says About Security

Krebs on Security

We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.

Passwords 278
article thumbnail

Your Personal Data is Already Stolen

Schneier on Security

In an excellent blog post , Brian Krebs makes clear something I have been saying for a while: Likewise for individuals, it pays to accept two unfortunate and harsh realities: Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren't, including your credit card information, Social Security number, mother's maiden name, date of birth, address, previous addresses, phone number, and yes ­ even your credit file.

Hacking 273
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Have I Been Pwned - The Sticker

Troy Hunt

So today is Have I Been Pwned's (HIBP's) 5th birthday. I started this project out of equal parts community service and curiosity and then somehow, over the last 5 years it's grown into something massive; hundreds of thousands of unique sessions a day, millions of subscribers, working with governments around the world and even fronting up to testify in Congress.

article thumbnail

114 Million US Citizens and Companies Found Unprotected Online

Adam Levin

The data of 114 million businesses and individuals has been discovered in an unprotected database. The information exposed included the full name, employer, email, address, phone number and IP address of 56,934,021 individuals, and the revenues and employee counts for up to 25 million business entities. Hackenproof, the Estonian cybersecurity company that found the data trove online, announced their discovery on their blog.

article thumbnail

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

article thumbnail

Jared, Kay Jewelers Parent Fixes Data Leak

Krebs on Security

The parent firm of bling retailers Jared and Kay Jewelers has fixed a bug in the Web sites of both companies that exposed the order information for all of their online customers. In mid-November 2018, KrebsOnSecurity heard from a Jared customer who found something curious after receiving a receipt via email for a pair of earrings he’d just purchased as a surprise gift for his girlfriend.

Retail 226
article thumbnail

Bad Consumer Security Advice

Schneier on Security

There are lots of articles about there telling people how to better secure their computers and online accounts. While I agree with some of it, this article contains some particularly bad advice: 1. Never, ever, ever use public (unsecured) Wi-Fi such as the Wi-Fi in a café, hotel or airport. To remain anonymous and secure on the Internet, invest in a Virtual Private Network account, but remember, the bad guys are very smart, so by the time this column runs, they may have figured out a way to hack

More Trending

article thumbnail

Mozilla Releases Annual Privacy Guide to Holiday Shopping

Adam Levin

The Mozilla Foundation has released the second installation of *Privacy Not included, the organization’s annual privacy guide to internet-connected gifts. The list was started to promote the idea that privacy and security by design can and should be a major selling point. Mozilla is the non profit organization behind the popular open source Firefox web browser.

Internet 187
article thumbnail

A Breach, or Just a Forced Password Reset?

Krebs on Security

Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites. Many Sharefile users interpreted this as a breach at Citrix and/or Sharefile, but the company maintains that’s not the case.

Passwords 224
article thumbnail

The DoJ's Secret Legal Arguments to Break Cryptography

Schneier on Security

Earlier this year, the US Department of Justice made a series of legal arguments as to why Facebook should be forced to help the government wiretap Facebook Messenger. Those arguments are still sealed. The ACLU is suing to make them public.

article thumbnail

GUEST ESSAY: Atrium Health data breach highlights lingering third-party exposures

The Last Watchdog

The healthcare industry has poured vast resources into cybersecurity since 2015, when a surge of major breaches began. While the nature of these breaches has evolved over the last four years, the growth in total healthcare incidents has unfortunately continued unabated. Related: How to get of HIPAA hit list. The recent disclosure from Atrium Health that more than 2.65 million patients had significant amounts of PII exposed by the healthcare provider’s third-party billing vendor, AccuDoc Solutio

article thumbnail

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

article thumbnail

Weekly Update 116

Troy Hunt

I'm on countdown to take-off for the next 2 and a bit weeks so I'm going to keep this intro really short because it's sitting between me and a relaxing cold one (as soon as the bags are ready). Heaps of services got pwned, Australia has a screwy set of circumstances (and reactions) around a cyber bill and HIBP had a 5th birthday celebration which resulted in stickers and a really fun live AMA video.

149
149
article thumbnail

Bomb Threat Hoaxer, DDos Boss Gets 3 Years

Krebs on Security

The ringleader of a gang of cyber hooligans that made bomb threats against hundreds of schools and launched distributed denial-of-service (DDoS) attacks against Web sites — including KrebsOnSecurity on multiple occasions — has been sentenced to three years in a U.K. prison, and faces the possibility of additional charges from U.S.-based law enforcement officials.

DDOS 197
article thumbnail

Banks Attacked through Malicious Hardware Connected to the Local Network

Schneier on Security

Kaspersky is reporting on a series of bank hacks -- called DarkVishnya -- perpetrated through malicious hardware being surreptitiously installed into the target network: In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company's local network.

Banking 223
article thumbnail

GUEST ESSAY: 5 security steps all companies should adopt from the Intelligence Community

The Last Watchdog

The United States Intelligence Community , or IC, is a federation of 16 separate U.S. intelligence agencies, plus a 17th administrative office. The IC gathers, stores and processes large amounts of data, from a variety of sources, in order to provide actionable information for key stakeholders. And, in doing so, the IC has developed an effective set of data handling and cybersecurity best practices.

article thumbnail

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

article thumbnail

Structures, Engineering and Security

Adam Shostack

J.E. Gordon’s Structures, or Why Things Don’t Fall Down is a fascinating and accessible book. Why don’t things fall down? It turns out this is a simple question with some very deep answers. Buildings don’t fall down because they’re engineered from a set of materials to meet the goals of carrying appropriate loads. Those materials have very different properties than the ways you, me, and everything from grass to trees have evolved to keep standing.

article thumbnail

IT Security Lessons from the Marriott Data Breach

eSecurity Planet

500 million people are at risk because of a data breach at Marriott's Starwood hotel chain. What steps can your organization take to limit the risk of suffering the same fate?

article thumbnail

Back Issues of the NSA's Cryptolog

Schneier on Security

Five years ago, the NSA published 23 years of its internal magazine, Cryptolog. There were lots of redactions, of course. What's new is a nice user interface for the issues, noting highlights and levels of redaction.

210
210
article thumbnail

ETERNALSILENCE – 270K+ devices vulnerable to UPnProxy Botnet build using NSA hacking tools

Security Affairs

Over 270,000 connected devices run vulnerable implementations of UPnP, threat actors are attempting to recruit them in a multi-purpose botnet. In April, Akamai reported that threat actors compromised 65,000 home routers by exploiting vulnerabilities in Universal Plug’N’Play (UPnP) , experts tracked the botnet as UPnProxy. Now the company provided an update to its initial analysis revealing a disconcerting scenario, UPnProxy is still up and running.

Hacking 111
article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

Foreign Trolls Are Targeting Veterans on Facebook

WIRED Threat Level

Opinion: The VA needs to take preventative measures to protect vets—and more broadly, our democracy—from digital manipulation and fraud.

111
111
article thumbnail

A Shift from Cybersecurity to Cyber Resilience: 6 Steps

Dark Reading

Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. Here's where to begin.

article thumbnail

Problems with the Squid Emoji

Schneier on Security

The Monterey Bay Aquarium has some problems with the squid emoji. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.

170
170
article thumbnail

CVE-2018-15982 Adobe zero-day exploited in targeted attacks

Security Affairs

Adobe released security updates for Flash Player that address two vulnerabilities, including a critical flaw, tracked as CVE-2018-15982, exploited in targeted attacks. Adobe fixed two flaws including a critical use-after-free bug, tracked as CVE-2018-15982, exploited by an advanced persistent threat actor aimed at a healthcare organization associated with the Russian presidential administration.

article thumbnail

The Cloud Development Environment Adoption Report

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

article thumbnail

2019 IT Security Outlook: New Attack Vectors Will Emerge

eSecurity Planet

Our 2019 IT security predictions: Encryption will lose its luster, cloudjacking and containers will be growing risks, and more.

article thumbnail

Bringing Compliance into the SecDevOps Process

Dark Reading

Application security should be guided by its responsibility to maintain the confidentiality, integrity, and availability of systems and data. But often, compliance clouds the picture.

82
article thumbnail

Financial Services Data – More at risk than you’d believe

Thales Cloud Protection & Licensing

One of the top findings from the 2018 Thales Data Threat Report, Financial Services Edition was that data breaches in U.S. financial services organizations are increasing at an alarming rate. Not only are breaches at record highs – with 65% of U.S. IT security pros in financial services organizations reporting that their organization already had a data breach – but breaches are increasing at alarming rates.

article thumbnail

Toyota presented PASTA (Portable Automotive Security Testbed) Car-Hacking Tool

Security Affairs

Takuya Yoshida from Toyota’s InfoTechnology Center and his colleague Tsuyoshi Toyama are members of a Toyota team that developed the new tool, called PASTA (Portable Automotive Security Testbed). PASTA is an open-source testing platform specifically designed for car hacking, it was developed to help experts to test cyber security features of modern vehicles.

Hacking 111
article thumbnail

Bringing the Cybersecurity Imperative Into Focus

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!

article thumbnail

Australia's Encryption-Busting Law Could Impact the World

WIRED Threat Level

Australia has passed a law that would require companies to weaken their encryption, a move that could reverberate globally.

article thumbnail

Filling the Cybersecurity Jobs Gap - Now and in the Future

Dark Reading

Employers must start broadening their search for experienced security professionals to include people with the right traits rather than the right skills.

article thumbnail

A look back on 2018: What was hype and what was, perhaps, underrated

Thales Cloud Protection & Licensing

As we close in on the final few days of the year and look ahead to the clean slate that 2019 represents, I wanted to take a few moments to reflect on 2018 – specifically, what tech innovations and predictions held true, which fell a bit flat and which were entirely unexpected. If we examine Gartner’s Top Predictions for 2018 and beyond, IoT and cryptocurrencies rise to the top.

IoT 70
article thumbnail

MITRE evaluates Enterprise security products using the ATT&CK Framework

Security Affairs

The MITRE Corporation’s ATT&CK framework has been used to evaluate the efficiency of several enterprise security products designed by several vendors. In April, MITRE announced a new service based on its ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework to evaluate products based on their ability in detecting advanced persistent threats.

article thumbnail

Cybersecurity Predictions for 2024

Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.