<b>⌨ What the Marriott Breach Says About Security ⌨</b>
We don't yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.

<b>TO COMPANIES</b>

For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn't mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.

It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.

The companies run by leaders and corporate board members with advanced security maturity are investing in ways to attract and retain more cybersecurity talent, and arranging those defenders in a posture that assumes the bad guys will get in.

This involves not only focusing on breach prevention, but at least equally on intrusion detection and response. It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly.

The companies with the most clueful leaders are paying threat hunters to look for signs of new intrusions. They're reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer.

They're constantly testing their own networks and employees for weaknesses, and regularly drilling their breach response preparedness (much like a fire drill). And, apropos of the Marriott breach, they are finding creative ways to cut down on the volume of sensitive data that they need to store and protect.

<b>TO INDIVIDUALS</b>

Likewise for individuals, it pays to accept two unfortunate and harsh realities:

Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren't, including your credit card information, Social Security number, mother's maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.

Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you're an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.

Marriott is offering affected consumers a year's worth of service from a company owned by security firm Kroll that advertises the ability to scour cybercrime underground markets for your data. Should you take them up on this offer? It probably can't hurt as long as you're not expecting it to prevent some kind of bad outcome. But once you've accepted Realities #1 and #2 above it becomes clear there is nothing such services could tell you that you don't already know.

Once you've owned both of these realities, you realize that expecting another company to safeguard your security is a fool's errand…
<b>Monday review - the hot 21 stories of the week</b>
via "Naked Security".
From Black Mirror-esque social ratings IRL to the guy who had his car stolen by hackers - twice, and everything in between. It's weekly roundup time.
<b>Faster fuzzing ferrets out 42 fresh zero-day flaws</b>
via "Naked Security".
A group of researchers has found 42 zero-day flaws in a range of software tools using a new take on an old concept - fuzzing.
<b>Microsoft cracks down on tech support scams, 16 call centers raided</b>
via "Naked Security".
Police raided 16 Indian call centers last week - a second big raid sparked by Microsoft filing complaints about tech support scammers.
<b>Router attack exploits UPnP and NSA malware to target PCs</b>
via "Naked Security".
The UPnProxy router compromise uncovered earlier in 2018 is now being used to attack computers on networks connected to the same gateways.
<b>Printers pulled into 9100 port attack spew PewDiePie propaganda</b>
via "Naked Security".
Printers worldwide printed messages urging people to subscribe to the vlogger's YouTube channel in a demo of a well-known vulnerability.
<b>YouTuber PewDiePie Promoted Via 50K Hacked Printers</b>
via "Threatpost | The first stop for security news".
The incident sheds light on just how insecure printers are. YouTube celeb PewDiePie gets illegal boost from Twitter user @HackerGiraffe in a popularity contest with Bollywood YouTuber T-Series.
<b>Filling the Cybersecurity Jobs Gap - Now and in the Future</b>
via "Dark Reading".
Employers must start broadening their search for experienced security professionals to include people with the right traits rather than the right skills.
<b>iOS Fitness Apps Robbing Money From Apple Victims</b>
via "Threatpost | The first stop for security news".
The two apps, "Fitness Balance App" and "Calories Tracker app," were tricking users into payments of $120.
<b>Lenovo Ordered to Pay $7.3M in Superfish Fiasco</b>
via "Threatpost | The first stop for security news".
The laptop giant will settle a 32-state class-action lawsuit stemming from pre-installing vulnerable ad-targeting software.
<b>5 major data breach predictions for 2019</b>
via "Security on TechRepublic".
Biometrics and gaming are just a couple of the new cyberattack vectors professionals can expect in 2019. Here is what else to look out for.
<b>U.S. Military Members Catfished and Hooked for Thousands of Dollars</b>
via "Threatpost | The first stop for security news".
Prisoners in South Carolina posed convincingly as beautiful women on social media platforms.
<b>Chris Vickery on the Marriott Breach and a Rash of Recent High-Profile Hacks</b>
via "Threatpost | The first stop for security news".
In this Newsmaker Interview, "breach hunter" Chris Vickery explores a recent spate of breaches from Marriott, USPS and Dell EMC.
<b>Huawei's smartphone OS aims to challenge iOS/Android dominance: Can it succeed?</b>
via "Security on TechRepublic".
Huawei is developing their own OS as a contingency plan in the event US sanctions make using Android unviable. In a crowded market, is there room for a third OS?
<b>'Influence Agents' Used Twitter to Sway 2018 Midterms</b>
via "Dark Reading".
About 25% of political support in Arizona and Florida was generated by influence agents using Twitter as a platform, research shows.
<b>First Lawsuits Filed in Starwood Hotels' Breach</b>
via "Dark Reading".
Class-action suits have been filed on behalf of guests and shareholders, with more expected.
<b>Lawsuit Claims Pegasus Spyware Helped Saudis Spy on Khashoggi</b>
via "Threatpost | The first stop for security news".
The lawsuit alleges that NSO Group violated international law by allowing Pegasus to be used by oppressive regimes to hunt dissidents and journalists.
<b>Cross-site scripting: What is it?</b>
via "Security on TechRepublic".
Cross-site scripting is one of the biggest, most persistent threats on the internet. Are you at risk for an XSS attack?
<b>Cross-site scripting attacks: A cheat sheet</b>
via "Security on TechRepublic".
Even the most trustworthy-looking website could trick you into giving up personal details through cross-site scripting. Here's what you need to know about XSS attacks.
<b>"Iceman" hacker charged with running drone-smuggling ring from jail</b>
via "Naked Security".
Max Ray Vision says he's innocent of owning the phone used to orchestrate the scheme and ripping off debit cards to fund the drone purchase.