Sat.Oct 30, 2021 - Fri.Nov 05, 2021

‘Trojan Source’ Bug Threatens the Security of All Code

Krebs on Security

Virtually all compilers — programs that transform human-readable source code into computer-executable machine code — are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns.

Ransomware Evolves: Affiliates Set to Wield Greater Power

Data Breach Today

Operators Left Exposed After Overreaching, Says McAfee Enterprise’s John Fokker. How is the ransomware ecosystem set to evolve?


MY TAKE: lastwatchdog.com receives recognition as a Top 10 cybersecurity webzine in 2021

The Last Watchdog

Last Watchdog’s mission is to foster useful understanding about emerging cybersecurity and privacy exposures. Related article: The road to a Pulitzer. While I no longer concern myself with seeking professional recognition for doing this, it’s, of course, always terrific to receive peer validation that we’re steering a good course. That’s why I’m thrilled to point out that Last Watchdog has been recognized, once again, as a trusted source of information on cybersecurity and privacy topics.

1.8TB of Police Helicopter Surveillance Footage Leaks Online

WIRED Threat Level

DDoSecrets published the trove Friday afternoon. Privacy advocates say it shows how pervasive law enforcement's eye has become, and how lax its data protection can be.


‘Tis the Season for the Wayward Package Phish

Krebs on Security

The holiday shopping season always means big business for phishers, who tend to find increased success this time of year with a lure about a wayward package that needs redelivery.

More Trending

GUEST ESSAY: How stricter data privacy laws have redefined the ‘filing’ of our personal data

The Last Watchdog

Filing systems, historically speaking, have been all about helping their users find information quickly. Related: GDPR and the new privacy paradigm. Europe’s General Data Protection Regulation (GDPR) changed the game. Generally, filing systems sort by date, department, topic, etc. Legacy filing systems were not built to keep track of the personal data of specific individuals, which is now required for compliance with the many data protection regulations popping up around the world.

A Drone Tried to Disrupt the Power Grid. It Won't Be the Last

WIRED Threat Level

An attack attempt in 2020 proves the UAS threat is real, and not enough is being done to stop it.


The ‘Groove’ Ransomware Gang Was a Hoax

Krebs on Security

A number of publications in September warned about the emergence of “Groove,” a new ransomware group that called on competing extortion gangs to unite in attacking U.S. government interests online.

California Clinic Network Cyber Incident Affects 656,000

Data Breach Today

A Nevada Cancer Center Is Also Dealing With the Aftermath of an Attack. A recent cyberattack on Community Medical Centers in Northern California has potentially compromised the information of more than 656,000 individuals.


MY TAKE: For better or worse, machine-to-machine code connections now form much of the castle wall

The Last Watchdog

Managing permissions is proving to be a huge security blind spot for many companies. Related: President Biden’s cybersecurity order sets the stage. What’s happening is that businesses are scaling up their adoption of multi-cloud and hybrid-cloud infrastructures. And in doing so, they’re embracing agile software deployments, which requires authentication and access privileges to be dispensed, on the fly, for each human-to-machine and machine-to-machine coding connection.


A drone was modified to disrupt U.S. Power Grid, says intelligence bulletin

Security Affairs

US officials believe threat actors used a drone in an attempted attack on a power substation in Pennsylvania last year.

Having Trouble Finding Cybersecurity Talent? You Might Be the Problem

Dark Reading

Hiring managers must rethink old-school practices to find the right candidates and be ready to engage in meaningful conversations about their company's values. Here are three ways to start.

Changing Employee Mindsets During Digital Transformation

Data Breach Today

How CISOs Can Ensure That the Business Succeeds While It Transforms. During digital transformation, CISOs tend to focus on technology and try to adopt it without distinguishing between technologies that are must-have and those that are merely good to have.


GUEST ESSAY: Here’s what every business should know — and do — about CaaS: crime-as-a-service

The Last Watchdog

It doesn’t matter if you want to learn a new language or figure out how to fix your broken clothes dryer; the tools, tutorials, and templates you need are available online. Related: Enlisting ‘human sensors’. Unfortunately, with crime-as-a-service, the same is true for people interested in trying their hand at cybercrime. The dark web provides virtually everything potential attackers need to make their move.

Cisco warns of hard-coded credentials and default SSH key issues in some products

Security Affairs

Cisco fixed critical flaws that could have allowed unauthenticated attackers to access its devices with hard-coded credentials or default SSH keys.
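A default SSH key baked into firmware shows up as the same host key on many devices, so a fleet-wide fingerprint comparison is the quickest way to spot the problem before an advisory names your product. The script below is an added example, not code from Cisco or from the Security Affairs item; it parses `ssh-keyscan`-style lines (host, key type, base64 blob), computes the OpenSSH-style `SHA256:` fingerprint of each blob, and reports any fingerprint shared by more than one host. The sample scan output is constructed, and its key blobs are arbitrary bytes rather than real keys.

```python
import base64
import hashlib
from collections import defaultdict


def fake_blob(seed):
    """Constructed stand-in for a base64 key blob (arbitrary bytes, not a real key)."""
    return base64.b64encode(hashlib.sha256(seed.encode()).digest() * 2).decode()


# Constructed ssh-keyscan-style output; hosts .1 and .3 deliberately share one "firmware default" key.
SAMPLE_SCAN = "\n".join([
    "# 10.0.0.1:22 SSH-2.0-OpenSSH_7.4",
    f"10.0.0.1 ssh-rsa {fake_blob('firmware-default')}",
    f"10.0.0.2 ssh-rsa {fake_blob('unique-b')}",
    f"10.0.0.3 ssh-rsa {fake_blob('firmware-default')}",
    f"10.0.0.4 ssh-ed25519 {fake_blob('unique-d')}",
])


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint: base64 of SHA-256 over the raw key blob, padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text):
    """Yield (host, keytype, blob) from ssh-keyscan output, skipping comments, blanks and short lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2]


def shared_host_keys(text):
    """Map fingerprint -> sorted list of hosts, for every key presented by more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, blob in parse_keyscan(text):
        hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    # Usage: ssh-keyscan -f hosts.txt > scan.txt; python3 this.py < scan.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    for fp, hosts in shared_host_keys(text).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

A shared host key is not always a vendor default (cloned VM images and restored backups produce the same symptom), but every hit means one leaked private key authenticates as, or lets an attacker impersonate, every host in the group, so each should be regenerated.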

To Secure DevOps, Security Teams Must be Agile

Dark Reading

The evolution of agile development and infrastructure-as-code has given security teams the tools they need to gain visibility, find vulnerabilities early, and continuously evaluate infrastructure.

Multinational Police Force Arrests 12 Suspected Hackers

Data Breach Today

Threat Actors Believed Responsible For More Than 1,800 Ransomware Attacks. The suspected cyber actors behind deployment of ransomware strains such as LockerGoga, MegaCortex and Dharma, among others, are under arrest, after a joint operation involving law enforcement and judiciary from eight countries.


Hiding Vulnerabilities in Source Code

Schneier on Security

Really interesting research demonstrating how to hide vulnerabilities in source code by manipulating how Unicode text is displayed. It’s really clever, and not the sort of attack one would normally think about.


MITRE and CISA publish the 2021 list of most common hardware weaknesses

Security Affairs

MITRE and CISA announced the release of the “2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses” list.

How Is Zero Trust Different From Traditional Security?

Dark Reading

Unlike traditional security approaches, the zero-trust security model verifies a user's identity each and every time they need specific system access


CISA Directs Federal Agencies to Patch Known Vulnerabilities

Data Breach Today

BOD 22-01 Imposes Strict Deadlines for Remediation of Publicly Known Exploits. The U.S. Cybersecurity and Infrastructure Security Agency on Wednesday issued a new directive, BOD 22-01, requiring federal civilian agencies to patch vulnerabilities known to be actively exploited in the wild.


On Cell Phone Metadata

Schneier on Security

Interesting Twitter thread on how cell phone metadata can be used to identify and track people who don’t want to be identified and tracked.

Trojan Source attack method allows hiding flaws in source code

Security Affairs

Researchers devised a new attack method called ‘Trojan Source’ that allows hiding vulnerabilities in the source code of a software project.
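The Trojan Source items above (Krebs, Schneier and Security Affairs) all describe the same mechanism: Unicode bidirectional control characters reorder what an editor or code review displays while the compiler reads the bytes in logical order, so what a reviewer reads and what gets compiled differ. The one defence every project can apply today is to refuse source that contains those controls outside of deliberate, documented use. The scanner below is an added example written for this page, not code from the researchers or from any of the linked articles; it flags each bidi override and isolate control (U+202A..U+202E, U+2066..U+2069) with its line and column, and can render a line with the controls made visible. The sample source is constructed purely to exercise the scanner and is not a working exploit.

```python
import unicodedata

# Unicode bidirectional overrides and isolates. They change the display order of the
# surrounding text without changing the order in which a compiler or interpreter reads it.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def scan_source(text):
    """Return (line, column, abbreviation, 'U+XXXX') for every bidi control found in text.

    Columns are 1-based code point offsets, which is what editors show; the scan covers
    comments and string literals too, since that is exactly where the controls get hidden.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch], f"U+{ord(ch):04X}"))
    return hits


def reveal(line):
    """Replace each bidi control with a visible <TAG> so the true token order can be read."""
    return "".join(f"<{BIDI_CONTROLS[c]}>" if c in BIDI_CONTROLS else c for c in line)


def describe(hit):
    """Human-readable report line for one scan hit, using the official Unicode name."""
    lineno, col, abbr, codepoint = hit
    name = unicodedata.name(chr(int(codepoint[2:], 16)), "UNKNOWN")
    return f"line {lineno}, col {col}: {abbr} ({codepoint} {name})"


# Constructed sample: a comment carrying an RLO and an LRI. It is here only to give the
# scanner something to find; it does not change what this Python function does.
SAMPLE = (
    "def is_admin(user):\n"
    "    # \u202e } admin-only { \u2066 checks role\n"
    "    return user.role == 'admin'\n"
)


if __name__ == "__main__":
    # Usage: python3 this.py file1.py file2.c ...   (no arguments scans SAMPLE)
    import sys
    sources = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]}
    for path, text in (sources or {"<sample>": SAMPLE}).items():
        for hit in scan_source(text):
            print(f"{path}: {describe(hit)}")
            print("    " + reveal(text.splitlines()[hit[0] - 1]))
```

Wired into a pre-commit hook or CI step, a non-empty result from `scan_source` should fail the build; projects that legitimately need right-to-left text in strings can whitelist those files rather than the characters. Note that this catches only the bidi class of the attack; look-alike identifiers built from homoglyphs need a separate check.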


5 MITRE ATT&CK Tactics Most Frequently Detected by Cisco Secure Firewalls

Dark Reading

Cisco Security examines the most frequently encountered MITRE ATT&CK tactics and techniques.

New Cybersecurity Norms for Wireless Device Makers in EU

Data Breach Today

European Commission: Guidelines Aim to Protect Wireless Privacy, Prevent Fraud. Wireless device makers in the European Union market will soon have to adhere to a new set of cybersecurity guidelines at the design and production stages of manufacturing, according to the European Commission.


U.S. State Department Puts $10 Million Bounty on DarkSide Ransomware Group

eSecurity Planet

The United States government is putting a $10 million bounty on the leaders of the DarkSide cybercriminal organization, the ransomware group behind the attack earlier this year on Colonial Pipeline that caused major gas shortages and long lines at filling stations in the Southeast.

50% of internet-facing GitLab installations are still affected by a RCE flaw

Security Affairs

Researchers warn of a now-fixed critical remote code execution (RCE) vulnerability in GitLab’s web interface that is actively exploited in the wild.

Free Tool Scans Web Servers for Vulnerability to HTTP Header-Smuggling Attacks

Dark Reading

A researcher will release an open source tool at Black Hat Europe next week that roots out server weaknesses to a sneaky type of attack.
