Sat. Nov 17, 2018 - Fri. Nov 23, 2018

Here's Why Account Authentication Shouldn't Use SMS

Data Breach Today

Database Blunder Left Two-Step Codes, Account Reset Links Exposed
A database security blunder revealed on Friday serves as a reminder that the days of SMS-based authentication should be over.

How to Shop Online Like a Security Pro

Krebs on Security

‘Tis the season when even those who know a thing or two about Internet scams tend to let down their guard in the face of an eye-popping discount or the stress of last-minute holiday shopping.


GUEST ESSAY: The privacy implications of facial recognition systems rising to the fore

The Last Watchdog

Tech advances are accelerating the use of facial recognition as a reliable and ubiquitous mass surveillance tool, privacy advocates warn. A string of advances in biometric authentication systems has brought facial recognition systems, in particular, to the brink of wide commercial use. Related: Drivers behind facial recognition boom. Adoption of facial recognition technology is fast gaining momentum, with law enforcement and security use cases leading the way.

Information Attacks against Democracies

Schneier on Security

Democracy is an information system. That's the starting place of our new paper: "Common-Knowledge Attacks on Democracy." In it, we look at democracy through the lens of information security, trying to understand the current waves of Internet disinformation attacks.


Magecart Spies Payment Cards From Retailer Vision Direct

Data Breach Today

Card-Sniffing JavaScript Posed as Google Analytics Script on Retailer's Sites
Online contact lens retailer Vision Direct says it suffered a data breach that exposed customers' names and complete payment card details.


USPS Site Exposed Data on 60 Million Users

Krebs on Security

Postal Service just fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf.


GUEST ESSAY: California pioneers privacy law at state level; VA, VT, CO, NJ take steps to follow

The Last Watchdog

Privacy regulations and legislation are topics that continue to be of concern for consumers and businesses alike. News of data breaches, data vulnerabilities and compromised private information is released almost daily from businesses both small and large. Related: Europe’s GDPR ushers in new privacy era. Legislation has recently been proposed for individual states, addressing data privacy regulations head-on.


Two Friends Who Hacked TalkTalk Receive Prison Sentences

Data Breach Today

Telecom Company Says Total Losses Due to Data Breach Stand at $99 Million
Two men who pleaded guilty to participating in the massive 2015 hack of London-based telecom company TalkTalk have been sentenced to serve time in jail.

Using Machine Learning to Create Fake Fingerprints

Schneier on Security

Researchers are able to create fake fingerprints that result in a 20% false-positive rate. The problem is that these sensors obtain only partial images of users' fingerprints -- at the points where they make contact with the scanner.


Massive Vulnerability Exposed at USPS

Adam Levin

Krebs on Security reported a security weakness that affected millions of USPS customers. The vulnerability in question allowed anyone with an account on USPS.com to view granular information about the site’s more than 60 million users.

Protonmail hacked …. a very strange scam attempt

Security Affairs

A hacker going online by the moniker AmFearLiathMor is claiming to have hacked the most popular end-to-end encrypted email service ProtonMail.

Lessons Learned From 2018's Top Attacks

Data Breach Today

Cisco's Paul Singleton on Why It's Important to Know Your Adversary
How have cyberattacks evolved in 2018? Cisco's Paul Singleton describes the common threats and vectors, as well as why it's important to know exactly who your attacker is - and how they are exploiting your defenses.


Worst-Case Thinking Breeds Fear and Irrationality

Schneier on Security

Here's a crazy story from the UK. Basically, someone sees a man and a little girl leaving a shopping center.

Protecting Big Data, while Preserving Analytical Agility

Thales Data Security

The age of Big Data is upon us. And, as more data is available for analytical purposes, more sensitive and private information is at risk.

6,500+ sites deleted after Dark Web hosting provider Daniel’s Hosting hack

Security Affairs

On Thursday, November 15, hackers compromised Daniel’s Hosting, one of the largest Dark Web hosting providers, and deleted 6,500+ sites.

Amazon Snafu Exposed Customers' Names and Email Addresses

Data Breach Today

Scant Detail on Incident and Unusual Email Notification Raises Eyebrows
Amazon has blamed a technical error for its inadvertent exposure of some customers' names and email addresses online.


Weekly podcast: Amazon, TalkTalk and City of York

IT Governance

This week, we discuss Amazon’s exposure of customer names and addresses, jail sentences for two TalkTalk hackers, and a data breach affecting a City of York rubbish app. Hello and welcome to the IT Governance podcast for Friday, 23 November. Here are this week’s stories.

Julian Assange Charges, Japan's Top Cybersecurity Official, and More Security News This Week

WIRED Threat Level

Safer browsing, more bitcoin scams, and the rest of the week's top security news.

Millions of password resets and 2FA codes exposed in unsecured Vovox DB

Security Affairs

Millions of password resets and two-factor authentication codes were exposed in an unsecured Vovox DB.

Malware Moves: Attackers Retool for Cryptocurrency Theft

Data Breach Today

Radisson Rewards programme breached

IT Governance

Last month the Radisson Hotel Group, a global player in the hospitality industry with more than 1,400 hotels in 114 countries, discovered that its rewards programme had been breached. The hack occurred on 11 September 2018 but was only detected on 1 October.

Machine Learning Can Create Fake ‘Master Key’ Fingerprints

WIRED Threat Level

Researchers have refined a technique to create so-called DeepMasterPrints, fake fingerprints designed to get past security.

CarsBlues Bluetooth attack affects tens of millions of vehicles

Security Affairs

The CarsBlues attack leverages security flaws in the infotainment systems installed in several types of vehicles via Bluetooth to access user PII. A new Bluetooth hack, dubbed CarsBlues, potentially affects millions of vehicles, Privacy4Cars warns.

Did China Spy on Australian Defense Websites?

Data Breach Today

One Answer Is Clear: Network Re-Routing Raises Suspicions
For nearly 30 months, internet traffic going to Australian Department of Defense websites flowed through China Telecom data centers, an odd and suspicious path. Why the strange routing occurred is known. But the reasons why it persisted for so long aren't.


JavaScript keylogger sees Vision Direct’s customer data stolen

IT Governance

Contact lens supplier Vision Direct has released information about a data breach it suffered earlier this month.

Using Airport and Hotel Wi-Fi Is Much Safer Than It Used to Be

WIRED Threat Level

You were right not to trust hotel and airport Wi-Fi a few years ago. But these days, it's (probably) fine.


13 fraudulent apps in Google Play have been downloaded 560,000+ times

Security Affairs

A malware researcher discovered 13 fraudulent apps in Google Play that have already been downloaded and installed more than 560,000 times.

Texas Hospital Catches Dharma Ransomware Infection

Data Breach Today

Altus Baytown Hospital Among Latest Healthcare Cyberattack Victims
An attack on Altus Baytown Hospital in Texas is the latest ransomware incident reported to federal regulators as a health data breach. What other major ransomware incidents are impacting the healthcare sector?

Scotland’s SMEs – how much should be invested in cyber security?

IT Governance

With only 40% of organisations confident that they can prevent cyber attacks and 42% of micro/small businesses identifying at least one breach or attack in the last 12 months, it is only too clear why businesses need to invest more in cyber security.

Rowhammer Data Hacks Are More Dangerous Than Anyone Feared

WIRED Threat Level

Researchers have discovered that the so-called Rowhammer technique works on "error-correcting code" memory, in what amounts to a serious escalation.


Flaw allowing identity spoofing affects authentication based on German eID cards

Security Affairs

The authentication process via German eID cards with RFID chips is flawed; an attacker could impersonate any other citizen.

US Postal Service Plugs API Flaw - One Year Later

Data Breach Today

Flaw Exposed Personal Data For 60 Million 'Informed Visibility' Accounts
A vulnerability in a U.S.


FRANCE: Facebook could face a 100 million euros class action suit for violating GDPR

DLA Piper Privacy Matters

By Denise Lebeau-Marianna and Caroline Chancé. On 8 November 2018, French NGO Internet Society France sent Facebook a formal notice listing seven areas where it has allegedly infringed GDPR. The social network has 4 months to respond. Failing that, the Internet Society France could launch the first class action suit for compensation since the entry into application of GDPR.


What is a cyber security incident?

IT Governance

You often hear the term ‘cyber security incident’ when an organisation’s systems are compromised rather than ‘breach’ or ‘hack’. What is the difference between those terms?

Hackers target Drupal servers chaining several flaws, including Drupalgeddon2 and DirtyCOW

Security Affairs

Hackers targeted Drupal web servers chaining some known vulnerabilities, including Drupalgeddon2 and DirtyCOW issues. Security experts at Imperva reported an attack against Drupal Web servers running on Linux-based systems.

How Machine Learning Transforms Fraud Management

Data Breach Today

Germany: First data protection authority issues GDPR fine

DLA Piper Privacy Matters

The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) was the first German data protection authority to impose a fine under the GDPR. The fine of € 20,000 sanctions the violation by a social media company of its obligation to ensure data security of processing of personal data pursuant to Art. 32 (1) (a) GDPR (obligation to pseudonymise and encrypt personal data).