Cybersecurity at the Core
via "Dark Reading".
For too long, cybersecurity has been looked at as one team's responsibility. If we maintain that mentality, we will fail.

Consumers Are Forgiving After a Data Breach, but Companies Need To Respond Well
via "Dark Reading".
A solid response and reputation management program will go a long way in surviving a major breach, and there's software on the way that can help get you organized.

Report: Tens of Thousands of E-Commerce Sites at Heightened Security Risk
via "Dark Reading".
Report delivered at the Payment Card Industry Security Standards Council meeting flags issues in deployments of Magento, a popular e-commerce platform.

Gmail Glitch Enables Anonymous Messages in Phishing Attacks
via "Threatpost | The first stop for security news".
A glitch in the Gmail UX allows the “From” field to be forged so that no sender is listed in the message header.

Critical Adobe Flash Bug Impacts Windows, macOS, Linux and Chrome OS
via "Threatpost | The first stop for security news".
Adobe issues a patch for a Flash Player vulnerability that could lead to arbitrary code execution on targeted systems.

Microsoft Enables Account Sign-In via Security Key
via "Dark Reading".
Account holders can use a FIDO2-compatible key or Windows Hello to authenticate without a username or password.

Sofacy APT Takes Aim with Novel “Cannon” Trojan
via "Threatpost | The first stop for security news".
The Russian-speaking threat group is changing up its tactics.

Russia-Linked Group Resurfaces With Large-Scale Phishing Campaign
via "Dark Reading".
APT29/Cozy Bear is targeting individuals in military, government, and other sectors via email purporting to be from the US State Department.

Drone owner fined for putting police helicopter crew “in danger”
via "Naked Security".
It's the first-ever prosecution under UK drone laws for a flight that could have turned deadly, as did a recent helicopter disaster in Leicester.

Dark Web hosting provider hacked, 6,500 sites erased
via "Naked Security".
The database of the popular Daniel's Hosting was wiped out and all accounts deleted, taking down 30% of all hidden services.

Microsoft's MFA is so strong, it locked out users for 8 hours
via "Naked Security".
It's a long time for Office 365 and Azure AD users to be locked out of such an important business platform, but MFA remains a good idea.

Big breach, Creep-O-Meter and Black Friday [PODCAST]
via "Naked Security".
It's the latest Naked Security Podcast. You're welcome!

2018 Hacker Kids Gift Guide
via "Dark Reading".
Fun gift choices that foster design thinking and coding skills in kids both young and old.

How to install fail2ban on Ubuntu Server 18.04
via "Security on TechRepublic".
Your Ubuntu Server is exposed to password-guessing attacks against SSH and other login services. To shut them down, Jack Wallen shows you how to install fail2ban, a log-scanning intrusion prevention tool that bans an address after repeated failed logins.

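What fail2ban does once it is installed, as an added illustration (this is not fail2ban's own code, nor code from the TechRepublic article): parse Ubuntu-style /var/log/auth.log lines, count failed SSH logins per source address, and ban an address once it reaches `maxretry` failures within `findtime`. The three settings are assumed to be fail2ban's stock jail.conf defaults (maxretry = 5, findtime = 10m, bantime = 10m); the failure regex is a simplified stand-in for fail2ban's sshd failregex, and the log lines are constructed.

```python
"""Brute-force login detection in the style of fail2ban's sshd jail (illustration only)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict

MAXRETRY = 5                      # failures that trigger a ban (assumed fail2ban default)
FINDTIME = timedelta(minutes=10)  # window in which those failures must occur (assumed default)
BANTIME = timedelta(minutes=10)   # how long the ban lasts (assumed default)

# Simplified sshd failure pattern; constructed here, not fail2ban's failregex.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample of auth.log traffic: one scanner hammering sshd, and one
# legitimate admin who logs in with a key and later mistypes a password twice,
# 11 minutes apart (outside findtime, so never banned).
SAMPLE_LOG = """\
Nov 22 10:00:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Nov 22 10:00:04 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Nov 22 10:00:09 srv sshd[1203]: Failed password for root from 203.0.113.7 port 50120 ssh2
Nov 22 10:00:15 srv sshd[1205]: Accepted publickey for jack from 198.51.100.20 port 41000 ssh2: RSA SHA256:abc
Nov 22 10:00:21 srv sshd[1207]: Failed password for root from 203.0.113.7 port 50130 ssh2
Nov 22 10:00:30 srv sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 50140 ssh2
Nov 22 10:00:35 srv sshd[1211]: Failed password for root from 203.0.113.7 port 50150 ssh2
Nov 22 10:20:00 srv sshd[1300]: Failed password for root from 198.51.100.20 port 41100 ssh2
Nov 22 10:31:00 srv sshd[1302]: Failed password for root from 198.51.100.20 port 41101 ssh2
"""


def parse_timestamp(line: str, year: int) -> datetime:
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def scan(log_text: str, year: int = 2018) -> Dict[str, datetime]:
    """Return {host: time_of_ban} for every address that earned a ban."""
    recent = defaultdict(deque)          # host -> failure timestamps still inside findtime
    bans: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue                     # successful logins and unrelated lines are ignored
        ts = parse_timestamp(line, year)
        host = m.group("host")
        if host in bans and ts < bans[host] + BANTIME:
            continue                     # a banned host is firewalled off; nothing new to count
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > FINDTIME:
            window.popleft()             # failures older than findtime no longer count
        if len(window) >= MAXRETRY:
            bans[host] = ts
            window.clear()
    return bans


if __name__ == "__main__":
    for host, when in scan(SAMPLE_LOG).items():
        print(f"ban {host} at {when:%H:%M:%S} for {BANTIME}")
```

On the sample, 203.0.113.7 reaches its fifth failure at 10:00:30 and is banned; its sixth attempt falls inside the ban and is never counted. The admin's two failures are 11 minutes apart, so the first has already aged out of the window when the second arrives.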
To Stockpile or Not to Stockpile Zero-Days?
via "Dark Reading".
As the debate rages on, there is still no simple answer to the question of whether the government should stockpile or publicly disclose zero-day vulnerabilities.

Why e-commerce is winning: Most Americans now trust online retailers with their data
via "Security on TechRepublic".
Despite conflicting opinions about online privacy, customers choose to shop with companies that take reasonable security precautions.

Emotet's Thanksgiving Campaign Delivers New Recipes for Compromise
via "Threatpost | The first stop for security news".
The crafty malware has departed from its usual cornucopia of tactics and tricks.

Amazon Low-Key Reveals Breach of Some Customer Data
via "Dark Reading".
'Technical error' exposed names and email addresses.

500K Android users hit with malware, and what to do if you're infected
via "Security on TechRepublic".
13 malicious apps ended up on the Google Play store. Here's how to stay protected.

ATTENTION‼ New - CVE-2009-5153
via "National Vulnerability Database".
In Novell NetWare before 6.5 SP8, a stack buffer overflow in the processing of CALLIT RPC calls in the NFS Portmapper daemon in PKERNEL.NLM allowed remote unauthenticated attackers to execute code, because a length field supplied by the client was trusted without being checked against the buffer size.

USPS Site Exposed Data on 60 Million Users

U.S. Postal Service just fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf.

Image: USPS.com

KrebsOnSecurity was contacted last week by a researcher who discovered the problem, but who asked to remain anonymous. The researcher said he informed the USPS about his finding more than a year ago yet never received a response. After confirming his findings, this author contacted the USPS, which promptly addressed the issue.

The problem stemmed from an access-control weakness in a USPS Web component known as an “application program interface,” or API, basically a set of tools defining how various parts of an online application such as databases and Web pages should interact with one another.

The API in question was tied to a Postal Service initiative called “Informed Visibility,” which according to the USPS is designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.

In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.

Many of the API's features accepted “wildcard” search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox.

Image: A USPS brochure advertising the features and benefits of Informed Visibility.

In cases where multiple accounts shared a common data element, such as a street address, using the API to search for one specific data element often brought up multiple records. For example, a search on the email addresses for readers who volunteered to help with this research turned up multiple accounts when those users had more than one user signed up at the same physical address.

“This is not good,” said one anonymous reader who volunteered to help with this research, after viewing a cut-and-paste of his USPS account details looked up via his email address. “Especially since we moved due to being threatened by a neighbor.”

Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley, said the API should have validated that the account making the request had permission to read the data requested.

“This is not even Information Security 101, this is Information Security 1, which is to implement access control,” Weaver said. “It seems like the only access control they had in place was that you were logged in at all. And if you can access other peoples' data because they aren't enforcing access controls on reading that data, it's catastrophically bad and I'm willing to bet they're not enforcing controls on writing to that data as well.”

A cursory review by KrebsOnSecurity indicates the promiscuous API let any user request account changes for any other user, such as email address, phone number or other key details.

Fortunately, the USPS appears to have included a validation step to prevent unauthorized changes, at least with some data fields. Attempts to modify the email address associated with my USPS account via the API prompted a confirmation message sent to the email address tied to that account…
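A toy model of the failure the article describes, added here as an illustration and not USPS code: an in-memory account API whose read and write endpoints check only that the caller is logged in (with the wildcard search and the email-confirmation safeguard the article reports), beside a hardened version that also checks that the caller owns the record being read or written. The account data, field names and function names are all constructed.

```python
"""Authenticated-but-not-authorized account API next to its hardened form (illustration only)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts; two of them share a street address, as in the article's
# example of one search returning several records.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "u1001": {"user_id": "u1001", "username": "alice", "email": "alice@example.org",
              "street": "12 Elm St", "phone": "555-0101"},
    "u1002": {"user_id": "u1002", "username": "bob", "email": "bob@example.org",
              "street": "12 Elm St", "phone": "555-0102"},
    "u1003": {"user_id": "u1003", "username": "carol", "email": "carol@example.net",
              "street": "9 Oak Ave", "phone": "555-0103"},
}

# (address the confirmation was sent to, account id, requested new email)
PENDING_CONFIRMATIONS: List[Tuple[str, str, str]] = []


class Forbidden(Exception):
    """The request failed authentication or authorization."""


def _require_login(caller: Optional[str]) -> None:
    """The only check the vulnerable endpoints perform: is anybody logged in?"""
    if caller is None or caller not in ACCOUNTS:
        raise Forbidden("login required")


def _matches(value: str, pattern: str) -> bool:
    """'*' is the wildcard search parameter the article describes: it matches every record."""
    return pattern == "*" or value == pattern


def vulnerable_search(caller: Optional[str], field: str, pattern: str) -> List[Dict[str, str]]:
    """Authenticated but not authorized: any logged-in user can read any account,
    and a wildcard dumps the whole data set."""
    _require_login(caller)
    return [dict(a) for a in ACCOUNTS.values() if _matches(a[field], pattern)]


def hardened_search(caller: Optional[str], field: str, pattern: str) -> List[Dict[str, str]]:
    """Object-level authorization: the search is scoped to the caller's own record
    before the pattern is applied, so even '*' returns nothing the caller may not see."""
    _require_login(caller)
    own = ACCOUNTS[caller]
    return [dict(own)] if _matches(own[field], pattern) else []


def _apply_update(target_id: str, field: str, value: str) -> str:
    """Email changes go through a confirmation sent to the *current* address, the one
    safeguard the article observed; every other field is changed on the spot."""
    target = ACCOUNTS[target_id]
    if field == "email":
        PENDING_CONFIRMATIONS.append((target["email"], target_id, value))
        return "confirmation sent"
    target[field] = value
    return "updated"


def vulnerable_update(caller: Optional[str], target_id: str, field: str, value: str) -> str:
    """No ownership check: any logged-in user may change any other user's phone or street."""
    _require_login(caller)
    return _apply_update(target_id, field, value)


def hardened_update(caller: Optional[str], target_id: str, field: str, value: str) -> str:
    """Refuse writes to records the caller does not own, whatever the field."""
    _require_login(caller)
    if caller != target_id:
        raise Forbidden("cannot modify another user's account")
    return _apply_update(target_id, field, value)


if __name__ == "__main__":
    print("wildcard dump as alice:", [a["username"] for a in vulnerable_search("u1001", "user_id", "*")])
    print("same query, hardened:", [a["username"] for a in hardened_search("u1001", "user_id", "*")])
    print("alice edits bob's phone:", vulnerable_update("u1001", "u1002", "phone", "555-9999"))
```

The fix is not a smarter wildcard filter; it is deciding, per request, which records the caller is allowed to touch and scoping every read and write to that set. The confirmation email guards only the one field it is attached to, which is why `vulnerable_update` still rewrites a phone number silently.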