Microsoft's MFA is so strong, it locked out users for 8 hours
via "Naked Security" (Sophos News).
It's a long time for Office 365 and Azure AD users to be locked out of such an important business platform, but MFA remains a good idea.
Big breach, Creep-O-Meter and Black Friday [PODCAST]
via "Naked Security" (Sophos News).
It's the latest Naked Security Podcast - you're welcome!
2018 Hacker Kids Gift Guide
via "Dark Reading" (slideshow).
Fun gift choices that foster design thinking and coding skills in kids both young and old.
How to install fail2ban on Ubuntu Server 18.04
via "Security on TechRepublic".
Your Ubuntu Server might be vulnerable to brute-force login attacks. To prevent unwanted logins, Jack Wallen shows you how to install fail2ban, which watches log files for repeated failed logins and temporarily bans the offending IP addresses at the firewall.
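To make the jail settings concrete, here is an added example (not from the TechRepublic article or the fail2ban project) that reads a minimal jail.local for the sshd jail and applies its maxretry, findtime and bantime to a constructed auth.log excerpt, the way fail2ban's sshd filter and ban logic would. The jail.local contents, the log lines, the assumed 2018 log year and the regex (a simplified subset of fail2ban's sshd filter) are all constructed for the example.

```python
"""Emulate a fail2ban sshd jail over sample auth.log lines (added example)."""
import configparser
import re
from datetime import datetime, timedelta

# Minimal /etc/fail2ban/jail.local for the sshd jail: the values an admin
# sets on Ubuntu 18.04 (constructed for this example).
JAIL_LOCAL = """
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 10m
bantime = 1h
"""

# Subset of fail2ban's sshd filter: one "Failed password" line per attempt.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed auth.log excerpt: 203.0.113.7 hammers sshd, 198.51.100.4 fails once.
SAMPLE_AUTH_LOG = """\
Nov 22 10:15:01 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 22 10:15:04 web1 sshd[2003]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 22 10:15:05 web1 sshd[2005]: Accepted publickey for deploy from 198.51.100.4 port 40110 ssh2
Nov 22 10:15:09 web1 sshd[2007]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Nov 22 10:15:11 web1 sshd[2009]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
Nov 22 10:20:00 web1 sshd[2011]: Failed password for deploy from 198.51.100.4 port 40120 ssh2
"""

LOG_YEAR = 2018  # syslog timestamps carry no year; assumed for the sample


def parse_duration(value):
    """fail2ban accepts plain seconds or suffixed values such as 10m, 1h, 1d."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    value = value.strip()
    if value[-1] in units:
        return timedelta(seconds=int(value[:-1]) * units[value[-1]])
    return timedelta(seconds=int(value))


def load_jail(text, name="sshd"):
    """Read the maxretry/findtime/bantime triple for one jail section."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    section = cfg[name]
    return {
        "maxretry": section.getint("maxretry"),
        "findtime": parse_duration(section["findtime"]),
        "bantime": parse_duration(section["bantime"]),
    }


def scan(log_text, jail):
    """Return {ip: ban_expiry} for every IP that hit maxretry failures within findtime."""
    failures = {}  # ip -> failure timestamps still inside the findtime window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # "Accepted publickey" and other lines never count
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        ip = m["ip"]
        if ip in bans and ts < bans[ip]:
            continue  # already banned; fail2ban's firewall rule would drop these
        window = [t for t in failures.get(ip, []) if ts - t <= jail["findtime"]]
        window.append(ts)
        failures[ip] = window
        if len(window) >= jail["maxretry"]:
            bans[ip] = ts + jail["bantime"]
            failures[ip] = []
    return bans


if __name__ == "__main__":
    for ip, until in scan(SAMPLE_AUTH_LOG, load_jail(JAIL_LOCAL)).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

On the server itself the procedure is `sudo apt install fail2ban`, writing the [sshd] section above to /etc/fail2ban/jail.local (not jail.conf, which package upgrades overwrite), `sudo systemctl restart fail2ban`, and `sudo fail2ban-client status sshd` to confirm the jail is active. The real daemon inserts a firewall rule for each ban; this script only reports which addresses would be banned and until when.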
To Stockpile or Not to Stockpile Zero-Days?
via "Dark Reading".
As the debate rages on, there is still no simple answer to the question of whether the government should stockpile or publicly disclose zero-day vulnerabilities.
Why e-commerce is winning: Most Americans now trust online retailers with their data
via "Security on TechRepublic".
Despite conflicting opinions about online privacy, customers choose to shop with companies that take reasonable security precautions.
Emotet's Thanksgiving Campaign Delivers New Recipes for Compromise
via "Threatpost".
The crafty malware has departed from its usual cornucopia of tactics and tricks.
Amazon Low-Key Reveals Breach of Some Customer Data
via "Dark Reading".
'Technical error' exposed names and email addresses.
500K Android users hit with malware, and what to do if you're infected
via "Security on TechRepublic".
13 malicious apps ended up on the Google Play store. Here's how to stay protected.
ATTENTION! New - CVE-2009-5153
via "National Vulnerability Database".
In Novell NetWare before 6.5 SP8, a stack buffer overflow in processing of CALLIT RPC calls in the NFS Portmapper daemon in PKERNEL.NLM allowed remote unauthenticated attackers to execute code, because a length field was incorrectly trusted.
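The entry describes the classic cause of an RPC stack overflow: copying an attacker-supplied opaque buffer into a fixed-size buffer using the byte count the packet claims. The parser below is an added example, not code from NetWare or any portmapper implementation. It decodes the XDR layout of PMAPPROC_CALLIT arguments (prog, vers, proc as u32, then a length-prefixed opaque args field) and applies the two bounds checks the vulnerable code lacked: the declared length must fit the destination buffer and must not exceed the bytes actually present. ARGS_BUFFER_SIZE is a placeholder for the fixed buffer, not the size PKERNEL.NLM used, and the packets are constructed for the example.

```python
"""Parse Sun RPC PMAPPROC_CALLIT arguments without trusting the length field (added example)."""
import struct

# Stand-in for the fixed buffer a native implementation copies the opaque
# args into; a placeholder size for this example, not PKERNEL.NLM's.
ARGS_BUFFER_SIZE = 256


class MalformedCallit(ValueError):
    """Raised for any packet whose fields do not fit what was received."""


def _u32(data, off):
    """Read one big-endian XDR unsigned int, refusing a truncated packet."""
    if off + 4 > len(data):
        raise MalformedCallit(f"truncated field at offset {off}")
    return struct.unpack_from(">I", data, off)[0], off + 4


def parse_callit(data, max_args=ARGS_BUFFER_SIZE):
    """Return (prog, vers, proc, args) from an XDR-encoded CALLIT argument block.

    XDR layout: prog, vers, proc as u32, then args as opaque<>: a u32 byte
    count followed by that many bytes, padded to a 4-byte boundary.
    """
    prog, off = _u32(data, 0)
    vers, off = _u32(data, off)
    proc, off = _u32(data, off)
    length, off = _u32(data, off)
    # Check 1: the claimed length must fit the destination buffer.
    if length > max_args:
        raise MalformedCallit(f"args length {length} exceeds buffer of {max_args}")
    # Check 2: the claimed length must not run past the bytes actually received.
    padded = (length + 3) & ~3
    if off + padded > len(data):
        raise MalformedCallit(
            f"args length {length} exceeds remaining {len(data) - off} bytes")
    return prog, vers, proc, data[off:off + length]


def encode_callit(prog, vers, proc, args):
    """Build a well-formed CALLIT argument block (used to construct packets)."""
    padded = args + b"\0" * (-len(args) % 4)
    return struct.pack(">IIII", prog, vers, proc, len(args)) + padded


def forge_oversized(prog, vers, proc, claimed_length, payload):
    """Packet whose length field claims far more than the payload it carries:
    the shape of input that overflowed the stack buffer when trusted."""
    return struct.pack(">IIII", prog, vers, proc, claimed_length) + payload


if __name__ == "__main__":
    # NFS (program 100003) v3 NULL call relayed through the portmapper.
    good = encode_callit(100003, 3, 0, b"")
    print(parse_callit(good))
    bad = forge_oversized(100003, 3, 0, 0xFFFFFFFF, b"A" * 16)
    try:
        parse_callit(bad)
    except MalformedCallit as exc:
        print("rejected:", exc)
```

The order of the checks matters: the length is compared against the buffer size before it is used in any arithmetic, so a value near 2^32 cannot wrap the padded size to something small in a 32-bit implementation.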
USPS Site Exposed Data on 60 Million Users
via "KrebsOnSecurity".
U.S. Postal Service just fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf.

[Image: USPS.com]

KrebsOnSecurity was contacted last week by a researcher who discovered the problem, but who asked to remain anonymous. The researcher said he informed the USPS about his finding more than a year ago yet never received a response. After confirming his findings, this author contacted the USPS, which promptly addressed the issue.

The problem stemmed from an access-control weakness in a USPS Web component known as an "application program interface," or API: basically, a set of tools defining how various parts of an online application such as databases and Web pages should interact with one another.

The API in question was tied to a Postal Service initiative called "Informed Visibility," which according to the USPS is designed to let businesses, advertisers and other bulk mail senders "make better business decisions by providing them with access to near real-time tracking data" about mail campaigns and packages.

In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.

Many of the API's features accepted "wildcard" search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox.

[Image: A USPS brochure advertising the features and benefits of Informed Visibility.]

In cases where multiple accounts shared a common data element, such as a street address, using the API to search for one specific data element often brought up multiple records. For example, a search on the email addresses for readers who volunteered to help with this research turned up multiple accounts when those users had more than one user signed up at the same physical address.

"This is not good," said one anonymous reader who volunteered to help with this research, after viewing a cut-and-paste of his USPS account details looked up via his email address. "Especially since we moved due to being threatened by a neighbor."

Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley, said the API should have validated that the account making the request had permission to read the data requested.

"This is not even Information Security 101, this is Information Security 1, which is to implement access control," Weaver said. "It seems like the only access control they had in place was that you were logged in at all. And if you can access other peoples' data because they aren't enforcing access controls on reading that data, it's catastrophically bad and I'm willing to bet they're not enforcing controls on writing to that data as well."

A cursory review by KrebsOnSecurity indicates the promiscuous API let any user request account changes for any other user, such as email address, phone number or other key details.

Fortunately, the USPS appears to have included a validation step to prevent unauthorized changes, at least with some data fields. Attempts to modify the email address associated with my USPS account via the API prompted a confirmation message sent to the email address tied to that account…
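Weaver's point is that the missing control was object-level authorization: every read and write must check that the requester may act on that specific record, not merely that some session exists. The example below is added here and is not USPS code. It shows a lookup in the shape the article describes (search on any field, wildcards accepted, being logged in is the only gate) beside a hardened version that rejects wildcards, matches exact values only and filters results by ownership or authorized-user status, plus a write path that enforces the same check and the email confirmation step the article observed. The account records, field names and the glob syntax standing in for the API's wildcard parameters are all constructed for the example.

```python
"""Object-level authorization for an account-lookup API (added example)."""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    username: str
    email: str
    street: str
    phone: str
    authorized_users: set = field(default_factory=set)


class Forbidden(Exception):
    """Requester is not permitted to read or change this record."""


# Constructed records standing in for the usps.com user table.
ACCOUNTS = {
    1001: Account(1001, "alice", "alice@example.com", "1 Main St", "555-0101"),
    1002: Account(1002, "bob", "bob@example.com", "1 Main St", "555-0102"),
    1003: Account(1003, "carol", "carol@example.net", "9 Elm Ave", "555-0103", {"alice"}),
}

SEARCHABLE = ("username", "email", "street", "phone")


def lookup_vulnerable(requester, field_name, pattern):
    """The shape the article describes: a session is the only check, and the
    search term is a glob, so "*" returns every record in the data set."""
    if requester is None:
        raise Forbidden("login required")
    return [a for a in ACCOUNTS.values()
            if fnmatch.fnmatchcase(getattr(a, field_name), pattern)]


def can_read(requester, account):
    """Requester owns the record or is listed as one of its authorized users."""
    return requester == account.username or requester in account.authorized_users


def lookup_hardened(requester, field_name, value):
    """Exact-match search, with results filtered by what the requester may see."""
    if requester is None:
        raise Forbidden("login required")
    if field_name not in SEARCHABLE:
        raise ValueError(f"unsupported field {field_name!r}")
    if any(ch in value for ch in "*?["):
        raise ValueError("wildcards are not accepted")
    matches = [a for a in ACCOUNTS.values() if getattr(a, field_name) == value]
    # Filter after matching, so a miss and an unauthorized hit both return [].
    return [a for a in matches if can_read(requester, a)]


def update_email_hardened(requester, account_id, new_email, confirmed=False):
    """Writes get the same ownership check, plus confirmation via the old address."""
    account = ACCOUNTS.get(account_id)
    if account is None or not can_read(requester, account):
        raise Forbidden("not your account")
    if not confirmed:
        return f"confirmation sent to {account.email}"
    account.email = new_email
    return "updated"


if __name__ == "__main__":
    print("vulnerable, wildcard:", [a.username for a in lookup_vulnerable("alice", "email", "*")])
    print("hardened, shared street:", [a.username for a in lookup_hardened("alice", "street", "1 Main St")])
    print(update_email_hardened("alice", 1001, "alice2@example.com"))
```

The shared-address case from the article is the instructive one: both versions find two accounts at "1 Main St", but the hardened lookup returns only the one the requester owns, and it does so without signalling that a second record exists.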
Mirai Evolves From IoT Devices to Linux Servers
via "Dark Reading".
Netscout says it has observed at least a dozen Mirai variants attempting to exploit a recently disclosed flaw in Hadoop YARN on Intel servers.
How IoT medical devices save your life and threaten your privacy
via "Security on TechRepublic".
Consumers increasingly depend upon IoT devices to help them do everything from improving sleep to monitoring blood sugar levels. In the process, they may be giving up more privacy than expected.
FCC Addresses Robocalling, but Questions Remain
via "Threatpost".
The FCC will consider a proposal to combat robocalls and text spam in December.
Podcast: Why "Throwing Money" at Threats Won't Work
via "Threatpost".
How can businesses create an effective cyber defense strategy? It starts with defining success, an expert tells us.
Reddit helps admin solve mystery of rogue Raspberry Pi
via "Naked Security" (Sophos News).
Finding a mysterious circuit board plugged into a network that you are tasked with managing is always going to be a disconcerting moment for any sysadmin.
Cybercriminal techniques: SophosLabs 2019 Threat Report
via "Naked Security" (Sophos News).
Cyberattackers are successfully evading detection on Windows computers by abusing legitimate admin tools that come pre-installed with the operating system.
Update now! Adobe Flash has another critical security vulnerability
via "Naked Security" (Sophos News).
Adobe's Flash Player for Windows, Mac and Linux has a critical vulnerability that should be patched as a top priority.
As Black Friday Looms, IoT Gadgets Take the Risk Spotlight
via "Threatpost".
Ahead of the holiday shopping bonanza, the security community is talking to consumers about IoT security.
Podcast: Breaking Down the Magecart Threat (Part One)
via "Threatpost".
In the first part of our podcast series, we talked to Rapid7's chief data scientist about how Magecart has changed.
Zero-Trust Frameworks: Securing the Digital Transformation
via "Threatpost".
Zero trust refers to the notion of evaluating the security risk of devices and users within the context of any given moment, without automatically conferring access based on credentials.