Huawei's smartphone OS aims to challenge iOS/Android dominance: Can it succeed?
via "Security on TechRepublic".
Huawei is developing their own OS as a contingency plan in the event US sanctions make using Android unviable. In a crowded market, is there room for a third OS?

'Influence Agents' Used Twitter to Sway 2018 Midterms
via "Dark Reading".
About 25% of political support in Arizona and Florida was generated by influence agents using Twitter as a platform, research shows.

First Lawsuits Filed in Starwood Hotels' Breach
via "Dark Reading".
Class-action suits have been filed on behalf of guests and shareholders, with more expected.

Lawsuit Claims Pegasus Spyware Helped Saudis Spy on Khashoggi
via "Threatpost | The first stop for security news".
The lawsuit alleges that NSO Group violated international law by allowing Pegasus to be used by oppressive regimes to hunt dissidents and journalists.

Cross-site scripting: What is it?
via "Security on TechRepublic".
Cross-site scripting is one of the biggest, most persistent threats on the internet. Are you at risk for an XSS attack?

Cross-site scripting attacks: A cheat sheet
via "Security on TechRepublic".
Even the most trustworthy-looking website could trick you into giving up personal details through cross-site scripting. Here's what you need to know about XSS attacks.

'Iceman' hacker charged with running drone-smuggling ring from jail
via "Naked Security".
Max Ray Vision says he's innocent of owning the phone used to orchestrate the scheme and ripping off debit cards to fund the drone purchase.

Zoom patches serious video conferencing bug
via "Naked Security".
Zoom moved to patch a bug in its service this week that enabled people to hijack customer video conferences.

AirDrop an unwanted nude pic and you could face stiff penalties
via "Naked Security".
Sending pics of your bits to strangers could get you a year in jail and/or a $1K fine if this NYC bill gets passed.

Magecart Group Ups Ante: Now Goes After Admin Credentials
via "Threatpost | The first stop for security news".
The group's skimmer has added some capabilities that steal credentials from admins.

Bleichenbacher's CAT puts another scratch in TLS
via "Naked Security".
Researchers demonstrate Cache-like ATacks against RSA key exchange.

Quora Breach Exposes a Wealth of Info on 100M Users
via "Threatpost | The first stop for security news".
The information is an early Christmas gift for any social engineer.

5 Emerging Trends in Cybercrime
via "Dark Reading".
Organizations can start today to protect against 2019's threats. Look out for crooks using AI "fuzzing" techniques, machine learning, and swarms.

Jared, Kay Jewelers' Web Vuln Exposed Shoppers' Data
via "Dark Reading".
A Jared customer found he could access other orders by changing a link in his confirmation email.

Google Patches 11 Critical RCE Android Vulnerabilities
via "Threatpost | The first stop for security news".
Google's December Android Security Bulletin tackles 53 unique flaws.

'London Blue' BEC Cybercrime Gang Unmasked
via "Dark Reading".
Security firm turned the tables on attackers targeting its chief financial officer in an email-borne financial scam.

4 Lessons Die Hard Teaches About Combating Cyber Villains
via "Dark Reading".
With proper planning, modern approaches, and tools, we can all be heroes in the epic battle against the cyber threat.

DHS, FBI Issue SamSam Advisory
via "Dark Reading".
Following last week's indictment, federal government issues pointers for how security pros can combat SamSam ransomware.

1-800-Flowers Becomes Latest Payment Breach Victim
via "Threatpost | The first stop for security news".
Details are so far scant in this latest in a string of data breaches.

Quora Breach Exposes Information of 100 Million Users
via "Dark Reading".
The massive breach has exposed passwords for millions who didn't remember having a Quora account.

A Breach, or Just a Forced Password Reset?
via KrebsOnSecurity.
Software giant Citrix Systems recently forced a password reset for many users of its ShareFile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites. Many ShareFile users interpreted this as a breach at Citrix and/or ShareFile, but the company maintains that's not the case. Here's a closer look at what happened, and some ideas about how to avoid a repeat of this scenario going forward.

The notice sent to ShareFile users looked like this:

[image: the ShareFile password-reset notice]

Dozens of readers forwarded the above message to KrebsOnSecurity, saying they didn't understand the reasoning for the mass password reset and that they suspected a breach at ShareFile.

I reached out to ShareFile and asked them point blank whether this reset effort was in response to any sort of intrusion at Citrix or ShareFile; they said no. I asked if this notice had been sent to everyone, and inquired whether ShareFile offers any form(s) of multi-factor authentication options that customers could use to supplement the security of passwords.

A Citrix spokesperson referred me to this page, which says ShareFile users have a number of options when it comes to locking down their accounts with multi-factor authentication, including a one-time code sent via SMS/text message, as well as one-time passwords generated by support authenticator mobile apps from Google and Microsoft (app-based multi-factor is the more secure option, as discussed here).

More importantly, the Citrix spokesperson said the company did not enforce a password reset on accounts that were using multi-factor authentication. To wit:

"This is not in response to a breach of Citrix products or services," wrote spokesperson Jamie Buranich. "Citrix forced password resets with the knowledge that attacks of this nature historically come in waves. Attackers' additional efforts adapt to the results, often tuning the volume and approach of their methods. Our objective was to minimize the risk to our customers. We did not enforce a password reset on accounts that are using more stringent authentication controls [emphasis added]. Citrix also directly integrates with common SSO solutions, which significantly reduces risk."

The company did not respond to questions about why it decided to adopt regular password resets as a policy when doing so flies in the face of password and authentication best practices recommended by the National Institute of Standards and Technology (NIST), which warns:

"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

NIST explains its rationale for steering organizations away from regular forced password resets thusly:

"Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations."

"But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier's hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time."

In short, NIST says it makes…