November, 2018

How Cyber Insurance Is Changing in the GDPR Era

Data Breach Today

U.S. Secret Service Warns ID Thieves are Abusing USPS’s Mail Scanning Service

Krebs on Security

A year ago, KrebsOnSecurity warned that “Informed Delivery,” a new offering from the U.S.

Search is Becoming Everything, And Vice Versa

Weissman's World

I’ve just come out of a series of discussions on the issue of records preservation, and one of my take-aways is how similar at least one current approach to the issue is to what we nominally call “search.” And the more I think about it, the more I wonder whether search is on its way […].

Groups 156

New DigiCert poll shows companies taking monetary hits due to IoT-related security missteps

The Last Watchdog

Even as enterprises across the globe hustle to get their Internet of Things business models up and running, there is a sense of foreboding about a rising wave of IoT-related security exposures. And, in fact, IoT-related security incidents have already begun taking a toll at ill-prepared companies. Related: How to hire an IoT botnet — for $20. That’s the upshot of an extensive survey commissioned by global TLS, PKI and IoT security solutions leader DigiCert.

IoT 129

Beyond Passwords: 2FA, U2F and Google Advanced Protection

Troy Hunt

Last week I wrote a couple of different pieces on passwords, firstly about why we're going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices.

Google Services down due to BGP leak, traffic hijacked through Russia, China, and Nigeria

Security Affairs

Google services were partially inaccessible on Monday due to a BGP leak that caused traffic redirection through Russia, China, and Nigeria. A BGP leak caused unavailability of Google service on Monday, the traffic was redirected through Russia, China, and Nigeria.

Romanian Hacker 'Guccifer' Extradited to US

Data Breach Today

238

More Trending

Speaking Of: (Not Your Father’s) Capture

Weissman's World

Information capture has come a long way, baby! From stuffing paper through a scanner to taking pictures in the literal blink of an eye, it’s so much more than what we grew up with. Here, the illustrious Bob Larrivee and I talk about the “latest-and-greatest” in the world of capture, and the need to update […]. The post Speaking Of: (Not Your Father’s) Capture appeared first on Holly Group. capture Capture infogov information governance

GUEST ESSAY: Did you know these 5 types of digital services are getting rich off your private data?

The Last Watchdog

Now more than ever before, “big data” is a term that is widely used by businesses and consumers alike. Consumers have begun to better understand how their data is being used, but many fail to realize the hidden privacy pitfalls in every day technology. Related: Europe tightens privacy rules. From smart phones, to smart TVs, location services, and speech capabilities, often times user data is stored without your knowledge.

Access 129

Chip Cards Fail to Reduce Credit Card Fraud in the US

Schneier on Security

A new study finds that credit card fraud has not declined since the introduction of chip cards in the US. The majority of stolen card information comes from hacked point-of-sale terminals. The reasons seem to be twofold.

Sales 107

Nginx server security flaws expose more than a million of servers to DoS attacks

Security Affairs

Nginx developers released security updates to address several denial-of-service (DoS) vulnerabilities affecting the nginx web server. nginx is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, it is used by 25.28% busiest sites in October 2018.

Magecart Cybercrime Groups Mass Harvest Payment Card Data

Data Breach Today

Card-Scraping Code Has Infiltrated Over 100,000 E-Commerce Sites Over the past year, there's been a surge in so-called Magecart attacks, involving payment card data being stolen from e-commerce sites via injected attack code.

Groups 242

SMS Phishing + Cardless ATM = Profit

Krebs on Security

Thieves are combining SMS-based phishing attacks with new “cardless” ATMs to rapidly convert phished bank account credentials into cash. Recent arrests in Ohio shed light on how this scam works.

When Accounts are "Hacked" Due to Poor Passwords, Victims Must Share the Blame

Troy Hunt

It's just another day on the internet when the news is full of headlines about accounts being hacked. Yesterday was a perfect example of that with 2 separate noteworthy stories adorning my early morning Twitter feed.

NEW TECH: Cequence Security launches platform to shield apps, APIs from malicious botnets

The Last Watchdog

Cyber criminals are deploying the very latest in automated weaponry, namely botnets, to financially plunder corporate networks. The attackers have a vast, pliable attack surface to bombard: essentially all of the externally-facing web apps, mobile apps and API services that organizations are increasingly embracing, in order to stay in step with digital transformation. Related: The ‘Golden Age’ of cyber espionage is upon us.

B2C 117

Hidden Cameras in Streetlights

Schneier on Security

Both the US Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE) are hiding surveillance cameras in streetlights.

Video 101

Expert found a way to bypass Windows UAC by mocking trusted Directory

Security Affairs

David Wells, a security expert from Tenable, devised a method to bypass Windows’ User Account Control (UAC) by spoofing the execution path of a file in a trusted directory. .

Course 111

Ransomware Keeps Ringing in Profits for Cybercrime Rings

Data Breach Today

SamSam, Dharma, GandCrab and Global Imposter Make for Ongoing Bitcoin Paydays Criminals wielding crypto-locking ransomware - especially Dharma/CrySiS, GandCrab and Global Imposter, but also SamSam - continue to attack.

Busting SIM Swappers and SIM Swap Myths

Krebs on Security

KrebsOnSecurity recently had a chance to interview members of the REACT Task Force , a team of law enforcement officers and prosecutors based in Santa Clara, Calif.

The GDPR: Everything you need to know about data controllers and data processors

IT Governance

Data controllers and data processors are an integral part of the GDPR. This article explains what those roles involve and helps you understand if you are a controller, processor or both.

GDPR 103

Q&A: How certifying in-house IT staffers as cyber analysts, pen testers can boost SMB security

The Last Watchdog

A security-first mindset is beginning to seep into the ground floor of the IT departments of small and mid-sized companies across the land. Senior executives at these SMBs are finally acknowledging that a check-box approach to security isn’t enough, and that instilling a security mindset pervasively throughout their IT departments has become the ground stakes. Related: The ‘gamification’ of cybersecurity training.

Security of Solid-State-Drive Encryption

Schneier on Security

Interesting research: " Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs) ": Abstract: We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware.

Symantec shared details of North Korean Lazarus’s FastCash Trojan used to hack banks

Security Affairs

North Korea-linked Lazarus Group has been using FastCash Trojan to compromise AIX servers to empty tens of millions of dollars from ATMs.

HSBC Bank Alerts US Customers to Data Breach

Data Breach Today

Unauthorized Entry' to Some Accounts Exposes Account Details and Statements HSBC bank is warning some of its U.S. customers that their personal data was compromised in a breach, although it says it's detected no signs of fraud following the "unauthorized entry."

Calif. Man Pleads Guilty in Fatal Swatting Case, Faces 20+ Years in Prison

Krebs on Security

A California man who pleaded guilty Tuesday to causing dozens of swatting attacks — including a deadly incident in Kansas last year — now faces 20 or more years in prison. Tyler Raj Barriss, in an undated selfie.

Here's Why [Insert Thing Here] Is Not a Password Killer

Troy Hunt

These days, I get a lot of messages from people on security related things. Often it's related to data breaches or sloppy behaviour on behalf of some online service playing fast and loose with HTTPS or passwords or some other easily observable security posture.

NEW TECH: How ‘adaptive multi-factor authentication’ is gaining traction via partnerships

The Last Watchdog

Tel Aviv, Israel-based Silverfort continues to make inroads into proving the efficacy of its innovative approach to multi-factor authentication, or MFA, in corporate settings. Related: Why a ‘zero-trust’ approach to security is necessary.

iOS 12.1 Vulnerability

Schneier on Security

This is really just to point out that computer security is really hard : Almost as soon as Apple released iOS 12.1

Access 106

Experts detailed how China Telecom used BGP hijacking to redirect traffic worldwide

Security Affairs

Security researchers revealed in a recent paper that over the past years, China Telecom used BGP hijacking to misdirect Internet traffic through China. Security researchers Chris C.

Paper 113

US Again Indicts Chinese Intel Agents Over Hacking

Data Breach Today

Scheme Sought to Steal Data on Turbofan Engines, Saving on Development Costs The Justice Department says two Chinese intelligence officers and eight others were indicted for stealing trade secrets that are intended to help the country shortcut technology research.

Data 227

Equifax Has Chosen Experian. Wait, What?

Krebs on Security

Add-ons, Extensions and CSP Violations: Playing Nice with Content Security Policies

Troy Hunt

You know what I really like? A nice, slick, clean set of violation reports from the content security policy (CSP) I run on Have I Been Pwned (HIBP). You know what I really don't like?

Demo 98

BA data breach: 565,000 customers may have been affected

IT Governance

In September, British Airways announced it had suffered a data breach that compromised the personal and financial data of more than 380,000 customers. However, the airline has since admitted that an extra 185,000 people may have been affected. Then and now.

Buying Used Voting Machines on eBay

Schneier on Security

This is not surprising : This year, I bought two more machines to see if security had improved.

Hacking the hackers – IOT botnet author adds his own backdoor on top of a ZTE router backdoor

Security Affairs

The author of an IoT botnet is distributing a backdoor script for ZTE routers that also includes his own backdoor to hack script kiddies. A weaponized IoT exploit script is being used by script kiddies, making use of a vendor backdoor account to hack the ZTE routers.

IoT 109

Bankers Life Hack Affects More Than 566,000

Data Breach Today

Company Says Medicare Supplemental Plan Policyholders Among Those Impacted Bankers Life is notifying more than 566,000 individuals, including Medicare supplemental insurance policyholders, that their personal information was exposed in a hacking incident.

Who’s In Your Online Shopping Cart?

Krebs on Security

Crooks who hack online merchants to steal payment card data are constantly coming up with crafty ways to hide their malicious code on Web sites. In Internet ages past, this often meant obfuscating it as giant blobs of gibberish text that was obvious even to the untrained eye.