Sat. Mar 23, 2019 - Fri. Mar 29, 2019

Programmers Who Don't Understand Security Are Poor at Security

Schneier on Security

A university study confirmed the obvious: if you pay a random bunch of freelance programmers a small amount of money to write security software, they're not going to do a very good job at it. In an experiment that involved 43 programmers hired via the Freelancer.com platform, University of Bonn academics have discovered that developers tend to take the easy way out and write code that stores user passwords in an unsafe manner.

Passwords 279

A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach

Krebs on Security

On Feb. 21, 2019, KrebsOnSecurity contacted Italian restaurant chain Buca di Beppo after discovering strong evidence that two million credit and debit card numbers belonging to the company’s customers were being sold in the cybercrime underground. Today, Buca’s parent firm announced it had remediated a 10-month breach of its payment systems at dozens of restaurants, including some locations of its other brands such as Earl of Sandwich and Planet Hollywood.

MY TAKE: Why DDoS weapons will proliferate with the expansion of IoT and the coming of 5G

The Last Watchdog

A couple of high-profile distributed denial-of-service (DDoS) attacks will surely go down in history as watershed events – each for different reasons. Related: IoT botnets now available for economical DDoS blasts. In March 2013, several impossibly massive waves of nuisance requests – peaking as high as 300 gigabytes per second – swamped Spamhaus, knocking the anti-spam organization offline for extended periods.

DDOS 263

Nearly One Billion Emails Exposed in Data Breach

Adam Levin

The email addresses and personal information of 982 million people were compromised in a leak from an unsecured database. The database belonged to Verifications.io, an “email validation service” that aggregates and sells information about the validity and associated personal data associated with email lists. Security researcher Bob Diachenko found the information in an unsecured 150GB-sized MongoDB database.

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

NSA-Inspired Vulnerability Found in Huawei Laptops

Schneier on Security

This is an interesting story of a serious vulnerability in a Huawei driver that Microsoft found. The vulnerability is similar in style to the NSA's DOUBLEPULSAR that was leaked by the Shadow Brokers -- believed to be the Russian government -- and it's obvious that this attack copied that technique. What is less clear is whether the vulnerability -- which has been fixed -- was put into the Huawei driver accidentally or on purpose.

Weekly Update 131

Troy Hunt

So firstly, sorry for the audio quality. I'm pretty damn frustrated with those Instamics right now between the flakey firmware upgrade process and the unexpected loss of recording today. I'll make sure I get on top of it for next time. I'm sitting at the gate in Seattle right now about to board so I'm going to cut this intro short and jump straight into the vid.

More Trending

FEMA Leaked Personal Data of 2.3 Million Disaster Victims

Adam Levin

The Federal Emergency Management Agency failed to properly protect the personal information of 2.3 million survivors of natural disasters. A partially redacted memo issued by the Office of the Inspector General of the Department of Homeland Security stated that FEMA released the personally identifiable information of 2.3 million survivors of hurricanes Harvey, Irma and Maria as well as the 2017 California wildfires to an unspecified contractor.

Malware Installed in Asus Computers Through Hacked Update Process

Schneier on Security

Kaspersky Labs is reporting on a new supply chain attack they call "Shadowhammer." In January 2019, we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack took place between June and November 2018 and according to our telemetry, it affected a large number of users. [...] The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters' MAC addresses.

Hacking 262

Commando VM – Using Windows for pen testing and red teaming

Security Affairs

Commando VM — Turn Your Windows Computer Into A Hacking Machine. FireEye released Commando VM, a Windows-based security distribution designed for penetration testers that intend to use the Microsoft OS. FireEye released Commando VM, the Windows-based security distribution designed for penetration testing and red teaming. FireEye today released an automated installer called Commando VM (Complete Mandiant Offensive VM), it is an automated installation script that turns a Windows operating sy

NEW TECH: Cequence Security deploys defense against botnets’ assault on business logic

The Last Watchdog

One way to grasp how digital transformation directly impacts the daily operations of any organization – right at this moment — is to examine the company’s application environment. Related: How new exposures being created by API sprawl. Pick any company in any vertical – financial services, government, defense, manufacturing, insurance, healthcare, retailing, travel and hospitality – and you’ll find employees, partners, third-party suppliers and customers all demanding remote access to an

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

The Cybersecurity Lessons Your Company Can Learn From a Sensational Police Misconduct Story

Adam Levin

Florida police officer Leonel Marines resigned after a police investigation revealed the 12-year veteran of the Bradenton Police Department had been using police databases like a dating app to locate potential women for fun and maybe more. He’d been doing it for years. While it’s surprising this 5-0 Romeo actually got some dates playing fast and loose with his access to driver’s license and vehicle registration databases, the more shocking thing about this story is that it co

Personal Data Left on Used Laptops

Schneier on Security

A recent experiment found all sorts of personal data left on used laptops and smartphones. This should come as no surprise. Simson Garfinkel performed the same experiment in 2003, with similar results.

251

Experts found 36 vulnerabilities in the LTE protocol

Security Affairs

A team of researchers from the Korea Advanced Institute of Science and Technology Constitution (KAIST) discovered 36 vulnerabilities in the LTE protocol. Security experts from the Korea Advanced Institute of Science and Technology Constitution (KAIST) have discovered 36 vulnerabilities in the LTE protocol used by most mobile carriers. The researchers used a fuzzing technique to discover the vulnerabilities, they developed a semi-automated testing tool named LTEFuzz based on open-source LTE soft

Q&A: How cybersecurity has become a primal battleground for AI one-upsmanship

The Last Watchdog

A discussion of how – and why – adversaries are using artificial intelligence to juice up malicious activities. When antivirus (AV) software first arrived in the late 1980s, the science of combating computer viruses was very straightforward. AV kept close track of known malicious files, and then quarantined or deleted any known malware that had managed to embed itself on the protected computing device.

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

HTTPS Isn't Always As Secure As It Seems

WIRED Threat Level

A surprising number of high-traffic sites have TLS vulnerabilities that are subtle enough for the green padlock to still appear.

111

Mail Fishing

Schneier on Security

Not email, paper mail: Thieves, often at night, use string to lower glue-covered rodent traps or bottles coated with an adhesive down the chute of a sidewalk mailbox. This bait attaches to the envelopes inside, and the fish in this case -- mail containing gift cards, money orders or checks, which can be altered with chemicals and cashed -- are reeled out slowly.

223

PewDiePie ransomware oblige users subscribe to PewDiePie YouTube channel

Security Affairs

It is a battle with no holds barred between T-Series and PewDiePie: their fans are spreading the PewDiePie ransomware to force users to subscribe to the PewDiePie YouTube channel. The story I’m going to tell you is another chapter of the battle between the most followed YouTuber T-Series and PewDiePie. T-Series is an Indian music company, while PewDiePie is a YouTuber whose fans are accused of using any means to increase the number of subscribers to his channel.

Cloud computing 101: basic types and business advantages of cloud-delivered services

The Last Watchdog

If you are looking for a simpler method of managing issues such as storage, software, servers and database, cloud computing could have the answers that your business needs. The cloud is becoming increasingly popular around the world, as organisations are starting to understand the organisational and cost benefits to using them. Related: Using a ‘zero-trust’ managed security service.

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

How to Check Your Computer for Hacked Asus Software Update

WIRED Threat Level

Hackers compromised Asus’s Live Update tool to distribute malware to almost a million people. Here’s how to find out if your computer has it.

Software 111

10 Movies All Security Pros Should Watch

Dark Reading

Don't expect to read about any of the classics, like 'War Games' or 'Sneakers,' which have appeared on so many lists before. Rather, we've broadened our horizons with this great mix of documentaries, hacker movies, and flicks based on short stories.

109

How to get back files encrypted by the Hacked Ransomware for free

Security Affairs

Good news for the victims of the Hacked Ransomware, the security firm Emsisoft has released a free decryptor to decrypt the data of infected computers. Security experts at Emsisoft released a free decryptor for the Hacked Ransomware. The Hacked Ransomware was first spotted in 2017, it appends the .hacked extension to the encrypted files and includes ransom notes in Italian, English, Spanish, and Turkish.

Cisco Releases Flood of Patches for IOS XE and Small Business Routers

Threatpost

The networking giant issued 27 patches impacting a wide range of its products running the IOS XE software.

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

Mastercard Wades Into Murky Waters With Its New Digital ID

WIRED Threat Level

The credit card company has more details about its plan for a decentralized, universal digital ID, but questions remain.

111

Quantum Computing and Code-Breaking

Dark Reading

Prepare today for the quantum threats of tomorrow.

108

Pwn2Own 2019 Day 3: Experts hacked Tesla 3 browser

Security Affairs

Pwn2Own 2019 Day 3 – Experts earned $35,000 and a Tesla Model 3 after hacking the vehicle’s web browser. Pwn2Own 2019 Day 3 – Hackers focused their efforts on car hacking, two teams participated in the competitions but only one of them reached the goal. The security experts Amat Cama and Richard Zhu of team Fluoroacetate, earned $35,000 for their exploit, along with the Tesla they hacked.

Hacking 112

Critical Bug in Cisco WebEx Browser Extensions Allows Remote Code-Execution

Threatpost

Users of the conferencing platform should update immediately.

85

The Cloud Development Environment Adoption Report

Cloud Development Environments (CDEs) are changing how software teams work by moving development to the cloud. Our Cloud Development Environment Adoption Report gathers insights from 223 developers and business leaders, uncovering key trends in CDE adoption. With 66% of large organizations already using CDEs, these platforms are quickly becoming essential to modern development practices.

Kushner Used WhatsApp, a Very Bad Database Leak, and More Security News This Week

WIRED Threat Level

Jared and Ivanka used private messaging against the rules, and more security news this week.

110

20 Years of STRIDE: Looking Back, Looking Forward

Dark Reading

The invention of STRIDE was the key inflection point in the development of threat modeling from art to engineering practice.

New Shodan Monitor service allows tracking Internet-Exposed devices

Security Affairs

Shodan IoT search engine announced the launch of a new service called Shodan Monitor designed to help organizations to maintain track of systems connected to the Internet. Shodan, the popular IoT search engine, announced this week the launch of a new service called Monitor designed to help organizations to maintain track of systems connected to the Internet.

Internet 111

Malware Payloads Hide in Images: Steganography Gets a Reboot

Threatpost

Low-key but effective, steganography is an old-school trick of hiding code within a normal-looking image, where many cybersecurity pros may not think to look.

Malware 85

Bringing the Cybersecurity Imperative Into Focus

Tech leaders today are facing shrinking budgets and investment concerns. This whitepaper provides insights from over 1,000 tech leaders on how to stay secure and attract top cybersecurity talent, all while doing more with less. Download today to learn more!