October, 2018

Voice Phishing Scams Are Getting More Clever

Krebs on Security

Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it’s easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams.

Cell Phone Security and Heads of State

Schneier on Security

Earlier this week, the New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump's personal cell phone and using the information gleaned to better influence his behavior. This should surprise no one.

GUEST ESSAY: A guide to implementing best security practices — before the inevitable breach

The Last Watchdog

The United States has experienced the most cybersecurity breaches in the world and the Equifax Breach was one of the first to be considered a “mega breach.”. The headlines immediately attempted to lay the blame, in large part, on the fact that Equifax’s chief information security officer was a music major and did not have a background in technology. Equifax was not special in this regard. Related: How social media is used to spread malware, influence elections.

Connecticut City Pays Ransom After Crypto-Locking Attack

Data Breach Today

Separately, a Water Utility Hit by Ryuk Ransomware Vows to Restore, Not Pay A tale of two different ransomware victims' responses: One Connecticut city says it had little choice but to pay a ransom to restore crypto-locked systems.

A few hours after Apple released iOS 12.1, a researcher presented a Passcode Bypass issue

Security Affairs

A few hours after Apple released iOS 12.1 the iPhone bug hunter Jose Rodriguez has found a new passcode bypass issue that could be exploited to see all contacts’ private information on a locked iPhone.

List of data breaches and cyber attacks in October 2018 – 44,701,278 records leaked

IT Governance

Rather than posting the usual long list of data breaches and cyber attacks, I’ve decided to go down a new route. These monthly blogs will now look at three lesser-known stories in detail, as well as give a total number for all records exposed in the month.

When Security Researchers Pose as Cybercrooks, Who Can Tell the Difference?

Krebs on Security

A ridiculous number of companies are exposing some or all of their proprietary and customer data by putting it in the cloud without any kind of authentication needed to read, alter or destroy it.

More Trending

NEW TECH: Silverfort extends ‘adaptive multi-factor authentication’ via key partnerships

The Last Watchdog

Tel Aviv, Israel-based Silverfort continues to make inroads into proving the efficacy of its innovative approach to multi-factor authentication, or MFA, in corporate settings. Related: Why a ‘zero-trust’ approach to security is necessary.

Mirai Co-Author Gets House Arrest, $8.6 Million Fine

Data Breach Today

Paras Jha Launched DDoS Attacks Against Rutgers, Ran Click-Fraud Botnets One of the co-authors of the devastating Mirai botnet malware has been sentenced to home incarceration and community service, and ordered to pay $8.6

243

Experts presented BOTCHAIN, the first fully functional Botnet built upon the Bitcoin Protocol

Security Affairs

Security experts Antonio Pirozzi and Pierluigi Paganini presented BOTCHAIN, the first fully functional Botnet built upon the Bitcoin Protocol.

List of data breaches and cyber attacks in October 2018 – 44,701,278 records leaked

IT Governance

Rather than posting the usual long list of data breaches and cyber attacks, I’ve decided to go down a new route. These monthly blogs will now look at three lesser-known stories in detail, as well as give a total number for all records exposed in the month.

Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It?

Krebs on Security

From time to time, there emerge cybersecurity stories of such potential impact that they have the effect of making all other security concerns seem minuscule and trifling by comparison. Yesterday was one of those times.

IT 212

How DNA Databases Violate Everyone's Privacy

Schneier on Security

If you're an American of European descent, there's a 60% you can be uniquely identified by public information in DNA databases. This is not information that you have made public; this is information your relatives have made public.

GUEST ESSAY: Pentagon’s security flaws highlighted in GAO audit — and recent data breach

The Last Watchdog

Being the obvious target that it is, the U.S. Department of Defense presumably has expended vast resources this century on defending its digital assets from perennial cyber attacks. Related: Why carpet bombing email campaigns endure. And yet two recent disclosures highlight just how brittle the military’s cyber defenses remain in critical areas.

Crypto-Locking Kraken Ransomware Looms Larger

Data Breach Today

Ransomware-as-a-Service Operation Joins Forces With Fallout Exploit Kit A slick ransomware-as-a-service operation called Kraken Cryptor has begun leveraging the Fallout exploit kit to help it score fresh victims, researchers from McAfee and Recorded Future warn.

Expert released PoC Code Microsoft Edge Remote Code Execution flaw

Security Affairs

Security expert published the PoC exploit code for the recently fixed critical remote code execution flaw in Edge web browser tracked as CVE-2018-8495. The October 2018 Patch Tuesday addressed 50 known vulnerabilities in Microsoft’s products, 12 of them were labeled as critical.

Trends 113

Know your enemy – understanding the 7 different types of data breaches

IT Governance

Every day almost 7 million data records are compromised , with no organisation or sector immune. Organisations are facing a war on data breaches, so it’s imperative that ‘know your enemy’ becomes part of their battle tactics.

Supply Chain Security 101: An Expert’s View

Krebs on Security

Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager , senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency.

Facebook Is Using Your Two-Factor Authentication Phone Number to Target Advertising

Schneier on Security

From Kashmir Hill : Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising.

MY TAKE: Cyber attacks on industrial controls, operational technology have only just begun

The Last Watchdog

“May you live in interesting times.” The old Chinese proverb–some consider it a blessing and others a curse–certainly describes the modern-day cyber landscape. Related: 7 attacks that put us at the brink of cyber war. In today’s geopolitical terrain, nation-state backed cyber criminals are widening their targets and starting to zero in on their adversaries’ business and industrial sectors, using more and more sophisticated weaponry to do so.

FDA Reveals Steps to Bolster Medical Device Cybersecurity

Data Breach Today

China planted tiny chips on US computers for cyber espionage

Security Affairs

China used tiny chips implanted on computer equipment manufactured for US companies and government agencies to steal secret information.

Will Digital Healthcare Technology Disrupt Independent Physicians

Perficient Data & Analytics

Why fear change? Change is good and has developed the world into what it is today. Change partners with adaptation, to promote a new way of doing things. However, is change in the healthcare industry putting independent physicians at risk? With the increased usage of digital healthcare technology, will the independent physician still be able to maintain the walk-in base of customers?

Who Is Agent Tesla?

Krebs on Security

A powerful, easy-to-use password stealing program known as Agent Tesla has been infecting computers since 2014, but recently this malware strain has seen a surge in popularity — attracting more than 6,300 customers who pay monthly fees to license the software.

Groups 177

Are the Police using Smart-Home IoT Devices to Spy on People?

Schneier on Security

IoT devices are surveillance devices, and manufacturers generally use them to collect data on their customers.

IoT 110

GUEST ESSAY: Supply chain vulnerabilities play out in latest Pentagon personnel records breach

The Last Watchdog

It is disheartening, but not at all surprising, that hackers continue to pull off successful breaches of well-defended U.S. government strategic systems. Related podcast: Cyber attacks on critical systems have only just begun. On Friday, Oct. 12, the Pentagon disclosed that intruders breached Defense Department travel records and compromised the personal information and credit card data of U.S. military and civilian personnel. The Associated Press, quoting a U.S.

Anthem Mega-Breach: Record $16 Million HIPAA Settlement

Data Breach Today

Regulators Say Health Insurer Failed to Take Basic Security Steps Federal regulators have smacked health insurer Anthem with a record $16 million HIPAA settlement in the wake of a cyberattack revealed in 2015, which impacted nearly 79 million individuals. What missteps does the settlement highlight

DarkPulsar and other NSA hacking tools used in hacking operations in the wild

Security Affairs

Attackers are targeting high-value servers using a three of hacking tools from NSA arsenal, including DarkPulsar, that were leaked by the Shadow Brokers hacker group. The hackers used the powerful cyber weapons to compromise systems used in aerospace, nuclear energy, R&D, and other industries.

Ransomware, Leakware, Scareware… Oh My!

Thales Data Security

The unexplained and seemingly paranormal are actually a year-round phenomenon in IT Security. This year has been no exception. The shrieks and screams coming from CISOs and their staffs over malware has led to zombie-like stares.

Naming & Shaming Web Polluters: Xiongmai

Krebs on Security

What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act?

Chinese Supply Chain Hardware Attack

Schneier on Security

Bloomberg is reporting about a Chinese espionage operating involving inserting a tiny chip into computer products made in China. I've written ( alternate link ) this threat more generally. Supply-chain security is an insurmountably hard problem.

Breaking Azure Functions with Too Many Connections

Troy Hunt

For the most part, Have I Been Pwned (HIBP) runs very smoothly, especially given how cheaply I run many parts of the service for. Occasionally though, I screw up and get something wrong that interrupts the otherwise slick operation and results in some outage.

Cathay Pacific Says 9.4 Million Affected by Data Breach

Data Breach Today

Airline's Five-Month Delay Before Public Disclosure Raises Concern Hong Kong-based airline Cathay Pacific says the personal details of 9.4 million passengers were inappropriately accessed in March, a breach the company confirmed in early May but publicly revealed on Wednesday.

A few dollars to bring down sites with new Bushido-based DDoS-for-hire service

Security Affairs

Security researchers at FortiGuard Labs have discovered a new DDoS-for-hire service called “ 0x-booter” built with leaked code that implements an easy to use interface.

5 tips to keep your data safe and secure

IT Governance

There is no escaping the threat of data breaches. Organisations are being warned about data breaches in the media, regulators are demanding improved information security and the public is getting more vocal when organisations make mistakes.

Tips 99

Patch Tuesday, October 2018 Edition

Krebs on Security

Microsoft this week released software updates to fix roughly 50 security problems with various versions of its Windows operating system and related software, including one flaw that is already being exploited and another for which exploit code is publicly available.

Tips 168

Security Vulnerability in Internet-Connected Construction Cranes

Schneier on Security

This seems bad: The F25 software was found to contain a capture replay vulnerability -- basically an attacker would be able to eavesdrop on radio transmissions between the crane and the controller, and then send their own spoofed commands over the air to seize control of the crane.