🛡 Cybersecurity & Privacy 🛡 - News
25.9K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
ThreatList: One-Third of Firms Say Their Container Security Lags

More than one-third of respondents in a new survey haven’t started or are just creating their security strategy plans.

📖 Read

via "Threatpost | The first stop for security news".
Old Printer Vulnerabilities Die Hard

New research on an old problem reveals that, despite their efforts, InfoSec professionals still have a way to go when it comes to securing printers.

📖 Read

via "Threatpost | The first stop for security news".
🔐 5 reasons to improve cybersecurity by updating software 🔐

Wake up, cybersecurity pros, and don't let your business be an easy target for cybercriminals. Learn why keeping digital infrastructure up-to-date should be an essential part of cybersecurity strategy.

📖 Read

via "Security on TechRepublic".
Threatpost News Wrap Podcast for Nov. 23

From Ford data security speculation to the VisionDirect data breach, the Threatpost editors talk about this week's biggest stories.

📖 Read

via "Threatpost | The first stop for security news".
🔐 8 tips for avoiding phishing, malware, scams, and hacks while holiday shopping online 🔐

The holiday season isn't just busy for shoppers; it's busy for cybercriminals, too. Here's a holiday shopping safety guide with advice on how to stay safe online.

📖 Read

via "Security on TechRepublic".
⌨ How to Shop Online Like a Security Pro ⌨

‘Tis the season when even those who know a thing or two about Internet scams tend to let down their guard in the face of an eye-popping discount or the stress of last-minute holiday shopping. So here’s a quick refresher course on how to make it through the next few weeks without getting snookered online.

Adopting a shopping strategy of simply buying from the online merchant with the lowest advertised prices can be a bit like playing Russian Roulette with your wallet, for the simple reason that there are tons of completely fake e-commerce sites out there looking to separate the unwary from their credit card details.

Even people who shop mainly at big-name online stores can get scammed if they’re not wary of too-good-to-be-true offers. For example, KrebsOnSecurity got taken for hundreds of dollars just last year after trying to buy a pricey Sonos speaker from an established Amazon merchant who was selling it new and unboxed at a huge discount.

I later received an email from the seller, who said his Amazon account had been hacked and abused by scammers to create fake sales. Amazon ultimately refunded the money, but if this happens to you around the holidays it could derail plans to get all your shopping done before the expected gift-giving day arrives.

Here are some other safety and security tips to keep in mind when shopping online:

-WHEN IN DOUBT, CHECK ‘EM OUT: If you don’t know much about the online merchant that has the item you wish to buy, take a few minutes to investigate its reputation. After all, it’s not uncommon for bargain basement phantom Web sites to materialize during the holiday season, and then vanish forever not long afterward.

If you’re buying from an online store that is brand new, the risk that you will get scammed increases significantly. How do you know the lifespan of a site selling that must-have gadget at the lowest price? One easy way to get a quick idea is to run a basic WHOIS search on the site’s domain name. The more recent the site’s “created” date, the more likely it is a phantom store.

-USE A CREDIT CARD: It’s nearly impossible for consumers to tell how secure a main street or online merchant is, and safety seals or attestations that something is “hacker safe” are a guarantee of nothing. In my experience, such sites are just as likely to be compromised as e-commerce sites without these dubious security seals.

No, it’s best just to shop as if they’re all compromised. With that in mind, if you have the choice between using a credit or debit card, shop with your credit card.

Sure, the card associations and your bank are quick to point out that you’re not liable for fraudulent charges that you report in a timely manner, whether it’s a debit or a credit card. But this assurance may ring hollow if you wake up one morning to find your checking accounts emptied by card thieves after shopping at a breached merchant with a debit card.

Who pays for the fees levied against you by different merchants when your checks bounce? You do. Does the bank reimburse you when your credit score takes a ding because your mortgage or car payment was late? Don’t hold your breath.

-PADLOCK, SCHMADLOCK: For years, consumers have been told to look for the padlock when shopping online. Maybe this was once sound advice. But to my mind, the “look for the lock” mantra has created a false sense of security for many Internet users, and has contributed to a dangerous and widespread misunderstanding about what the lock icon is really meant to convey.

To be clear, you absolutely should run away from any e-commerce site that does not include the padlock (i.e., its Web address does not begin with “https://”). But the presence of a padlock icon next to the Web site name in your browser’s address bar does not mean…
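The WHOIS tip above is easy to automate. The Python below is an added example, not code from the channel or from KrebsOnSecurity: it pulls the creation timestamp out of a WHOIS record and flags a domain registered less than 90 days ago. The two records are constructed for illustration (they use .example domains); in practice the text would come from the `whois` command or a registrar's WHOIS/RDAP service, and the 90-day threshold is an arbitrary choice you would tune.

```python
"""Flag freshly registered domains from a WHOIS record.

Added example; not code from the channel or from KrebsOnSecurity.
The WHOIS records below are constructed for illustration; in practice
the text would come from `whois <domain>` or a registrar's RDAP/WHOIS API.
"""
import re
from datetime import datetime

# Registrars label the registration timestamp inconsistently; these cover
# the common spellings seen in gTLD and ccTLD WHOIS output.
_CREATED_RE = re.compile(
    r"^\s*(?:Creation Date|Created On|Created|Registered on|Registration Date)"
    r"\s*:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)

# Timestamp layouts to try, most common first.
_DATE_FORMATS = (
    "%Y-%m-%dT%H:%M:%SZ",
    "%Y-%m-%dT%H:%M:%S.%fZ",
    "%Y-%m-%d",
    "%d-%b-%Y",
)

# Fixed reference "today" so the example is reproducible (assumption).
REFERENCE_NOW = datetime(2018, 11, 26)

# Constructed record: a store that appeared days before Black Friday.
NEW_STORE_WHOIS = """\
Domain Name: cheap-gadget-deals.example
Registrar: Example Registrar, Inc.
Creation Date: 2018-11-20T14:22:01Z
Updated Date: 2018-11-20T14:22:01Z
Registry Expiry Date: 2019-11-20T14:22:01Z
"""

# Constructed record: a long-established merchant, ccTLD-style layout.
OLD_STORE_WHOIS = """\
domain: established-shop.example
registered on: 18-Mar-2004
expires on: 18-Mar-2019
"""


def parse_creation_date(whois_text):
    """Return the registration timestamp, or None if no recognisable field."""
    match = _CREATED_RE.search(whois_text)
    if not match:
        return None
    raw = match.group(1)
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(raw, fmt)
        except ValueError:
            continue
    return None


def domain_age_days(whois_text, now=REFERENCE_NOW):
    """Whole days between registration and `now`, or None if unknown."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return (now - created).days


def is_phantom_candidate(whois_text, now=REFERENCE_NOW, min_age_days=90):
    """True when the domain is younger than min_age_days or its age is unknown.

    Unknown is treated as suspicious on purpose: a record with no creation
    date (redacted, or a WHOIS server that refused the query) gives you
    nothing to go on, so the safe default is to keep investigating.
    """
    age = domain_age_days(whois_text, now)
    return age is None or age < min_age_days


if __name__ == "__main__":
    for name, record in (("new store", NEW_STORE_WHOIS),
                         ("old store", OLD_STORE_WHOIS)):
        verdict = "suspicious" if is_phantom_candidate(record) else "established"
        print(f"{name}: {domain_age_days(record)} days old, {verdict}")
```

Treat a young domain as one signal among several, not proof: a scammer can also buy an aged domain or, as in the Amazon story above, abuse an established seller's account. When the creation field is missing the code deliberately keeps the domain on the suspect list rather than clearing it.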
Spotify Phishers Hijack Music Fans’ Accounts

The credentials could be used to glean a variety of intel on the victims.

📖 Read

via "Threatpost | The first stop for security news".
Monday review – the hot 18 stories of the week

Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time.

📖 Read

via "Naked Security".
Spectre mitigation guts Linux 4.20 performance

One of Intel’s fixes for the Spectre variant 2 chip flaw appears to have taken a big bite out of the performance of the latest Linux kernel.

📖 Read

via "Naked Security".
His phone went dark, then $1m was sucked out in SIM-swap crypto-heist

A 21-year-old allegedly SIM-swapped Silicon Valley execs’ phones to steal cryptocurrency, including one man's $1m tuition fund for his kids.

📖 Read

via "Naked Security".
That Black Mirror episode with the social ratings? It’s happening IRL

Not picking up after your dog will cost you 10 points, for example, in China's Black Mirror-esque plan to socially score citizens.

📖 Read

via "Naked Security".
🔐 LinkedIn used 18M non-member emails to target Facebook ads. Were you a victim? 🔐

A Data Protection Commissioner investigation found that LinkedIn violated data protection rules shortly before the onset of GDPR.

📖 Read

via "Security on TechRepublic".
🕴 Paper Trail Absence May Still Plague 2020 Election 🕴

The recommendation for paper ballots may go unheeded in all or part of at least 6 states in the next national election.

📖 Read

via "Dark Reading".
🕴 7 Real-Life Dangers That Threaten Cybersecurity 🕴

Cybersecurity means more than bits and bytes; threats are out there IRL, and IT pros need to be prepared.

📖 Read

via "Dark Reading".
⌨ Half of all Phishing Sites Now Have the Padlock ⌨

Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”.

[Image: A live PayPal phishing site that uses https:// (has the green padlock).]

Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That’s up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018.

This alarming shift is notable because a majority of Internet users have taken the age-old “look for the lock” advice to heart, and still associate the lock icon with legitimate sites. A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe.

In reality, the https:// part of the address (still commonly called “Secure Sockets Layer” or SSL, though modern sites use its successor, TLS) merely signifies that the data being transmitted back and forth between your browser and the site is encrypted and can’t be read in transit by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

[Image: A live Facebook phish that uses SSL (has the green padlock).]

Most of the battle to combat cybercrime involves defenders responding to offensive moves made by attackers. But the rapidly increasing adoption of SSL by phishers is a good example in which fraudsters are taking their cue from legitimate sites.

“PhishLabs believes that this can be attributed to both the continued use of SSL certificates by phishers who register their own domain names and create certificates for them, as well as a general increase in SSL due to the Google Chrome browser now displaying ‘Not secure’ for web sites that do not use SSL,” said John LaCour, chief technology officer for the company. “The bottom line is that the presence or lack of SSL doesn’t tell you anything about a site’s legitimacy.”

The major Web browser makers work with a number of security organizations to index and block new phishing sites, often serving bright red warning pages that flag the page of a phishing scam and seek to discourage people from visiting the sites. But not all phishing scams get flagged so quickly.

I spent a few minutes browsing phishtank.com for phishing sites that use SSL, and found this cleverly crafted page that attempts to phish credentials from users of Bibox, a cryptocurrency exchange. Click the image below and see if you can spot what’s going on with this Web address:

[Image: This live phish targets users of cryptocurrency exchange Bibox. Look carefully at the URL in the address bar, and you’ll notice a squiggly mark over the “i” in Bibox. This is an internationalized domain name, and the real address is https://www.xn--bbox-vw5a[.]com/login]

Load the live phishing page at https://www.xn--bbox-vw5a[.]com/login (that link has been hobbled on purpose) in Google Chrome and you’ll get a red “Deceptive Site Ahead” warning. Load the address above — known as “punycode” — in Mozilla Firefox and the page renders just fine, at least as of this writing.

This phishing site takes advantage of internationalized domain names (IDNs) to introduce visual confusion. In this case, the “i” in Bibox.com is rendered as the Vietnamese character “ỉ,” which is extremely difficult to distinguish in a URL address bar.

As KrebsOnSecurity noted in March…
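The Bibox address shows both how little the padlock tells you and how a homograph domain is built. The Python below is an added example, not code from the channel, PhishLabs or KrebsOnSecurity. It decodes the punycode form of the host named in the article, lists the non-ASCII characters a browser would render, and strips diacritics to a plain-ASCII "skeleton" so the label can be compared with a list of brand domains. The brand list and the genuine-host sample are constructed for illustration; the only real host is the one from the article, kept unlinked.

```python
"""Expose IDN homograph lookalikes such as xn--bbox-vw5a.

Added example; not code from the channel, PhishLabs or KrebsOnSecurity.
The punycode host is the one named in the article; the brand list and the
other sample hosts are constructed for illustration.
"""
import unicodedata


def decode_idn_host(host):
    """Turn each `xn--` label back into the Unicode the browser would show."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # The punycode codec expects the label without the "xn--" prefix.
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def non_ascii_chars(host):
    """(char, Unicode name) for every non-ASCII character in the decoded host."""
    return [(ch, unicodedata.name(ch, "UNKNOWN"))
            for ch in decode_idn_host(host) if ord(ch) > 0x7F]


def skeleton(text):
    """Strip diacritics so visually near-identical labels collapse together.

    NFKD splits a precomposed letter (U+1EC9, i with hook above) into a base
    letter plus a combining mark; dropping the combining marks leaves the
    plain ASCII letter a human eye reads. This is a simplification of the
    Unicode confusable-skeleton algorithm (UTS #39): it catches accented
    Latin tricks but not, for example, Cyrillic 'а' standing in for Latin 'a'.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def lookalike_of(host, brand_domains):
    """Return the brand domain this host impersonates, or None.

    A host is a lookalike when it is not literally the brand (or a subdomain
    of it) but collapses to it once decoded and stripped of diacritics.
    """
    shown = decode_idn_host(host)
    plain = skeleton(shown)
    for brand in brand_domains:
        if shown == brand or shown.endswith("." + brand):
            return None  # the genuine site, not a lookalike
        if plain == brand or plain.endswith("." + brand):
            return brand
    return None


if __name__ == "__main__":
    brands = ["bibox.com", "paypal.com", "facebook.com"]  # constructed list
    # The first host is the article's phish; the second is the genuine site.
    for host in ("www.xn--bbox-vw5a.com", "www.bibox.com"):
        print(host, "->", decode_idn_host(host))
        for ch, name in non_ascii_chars(host):
            print("   non-ASCII:", ch, f"U+{ord(ch):04X}", name)
        print("   impersonates:", lookalike_of(host, brands))
```

Note that every character in "bỉbox" is Latin script, so a mixed-script check alone passes it, which is consistent with Firefox rendering the Unicode form; comparing a diacritic-stripped skeleton against known brands is the kind of extra rule a browser or mail gateway needs to catch this family of lookalikes.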
🕴 Transforming into a CISO Security Leader 🕴

Are you thinking of changing your career route from techie to CISO? Are you making the right choice? Only you know for sure.

📖 Read

via "Dark Reading".
User Confidence in Smartphone Security Abysmal

Sixty-six percent of phone users said they had suffered data-related harm: 11 percent suffered identity theft, 22 percent account hacking, 14 percent credit card hacking and 12 percent financial fraud.

📖 Read

via "Threatpost | The first stop for security news".
🔐 IoT security market will hit $9.88B by 2025, as privacy issues abound 🔐

As IoT devices flood the market, consumers are pushing for more privacy initiatives, according to recent Grand View Research report.

📖 Read

via "Security on TechRepublic".
ATTENTION New - CVE-2017-1418

IBM Integration Bus 9.0.0.0, 9.0.0.11, 10.0.0.0, and 10.0.0.14 (including IBM WebSphere Message Broker 8.0.0.0 and 8.0.0.9) has insecure permissions on certain files. A local attacker could exploit this vulnerability to modify or delete these files with an unknown impact. IBM X-Force ID: 127406.

📖 Read

via "National Vulnerability Database".
🕴 Ransomware Attack Forced Ohio Hospital System to Divert ER Patients 🕴

Malware infection fallout sent ambulances away from East Ohio Regional Hospital and Ohio Valley Medical Center over the Thanksgiving weekend.

📖 Read

via "Dark Reading".
USPS, Amazon Data Leaks Showcase API Weaknesses

The incidents affected millions, just as Black Friday, Cyber Monday and the holiday shopping season kicked off.

📖 Read

via "Threatpost | The first stop for security news".