🛑 Cybersecurity & Privacy 🛑 - News
26K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
⚠ Zoom patches serious video conferencing bug ⚠

Zoom moved to patch a bug in its service this week that enabled people to hijack customer video conferences.

📖 Read

via "Naked Security".
⚠ AirDrop an unwanted nude pic and you could face stiff penalties ⚠

Sending pics of your bits to strangers could get you a year in jail and/or a $1K fine if this NYC bill gets passed.

📖 Read

via "Naked Security".
❌ Magecart Group Ups Ante: Now Goes After Admin Credentials ❌

The group's skimmer has added capabilities that steal credentials from site administrators.

📖 Read

via "Threatpost | The first stop for security news".
⚠ Bleichenbacher’s CAT puts another scratch in TLS ⚠

Researchers demonstrate Cache-like ATtacks (CAT) against RSA key exchange.

📖 Read

via "Naked Security".
❌ Quora Breach Exposes a Wealth of Info on 100M Users ❌

The information is an early Christmas gift for any social engineer.

📖 Read

via "Threatpost | The first stop for security news".
🕴 5 Emerging Trends in Cybercrime 🕴

Organizations can start today to protect against 2019's threats. Look out for crooks using AI "fuzzing" techniques, machine learning, and swarms.

📖 Read

via "Dark Reading".
🕴 Jared, Kay Jewelers' Web Vuln Exposed Shoppers' Data 🕴

A Jared customer found he could access other orders by changing a link in his confirmation email.

📖 Read

via "Dark Reading".
❌ Google Patches 11 Critical RCE Android Vulnerabilities ❌

Google’s December Android Security Bulletin tackles 53 unique flaws.

📖 Read

via "Threatpost | The first stop for security news".
🕴 'London Blue' BEC Cybercrime Gang Unmasked 🕴

Security firm turned the tables on attackers targeting its chief financial officer in an email-borne financial scam.

📖 Read

via "Dark Reading".
🕴 4 Lessons Die Hard Teaches About Combating Cyber Villains 🕴

With proper planning, modern approaches, and tools, we can all be heroes in the epic battle against the cyber threat.

📖 Read

via "Dark Reading".
🕴 DHS, FBI Issue SamSam Advisory 🕴

Following last week's indictment, the federal government issues pointers for how security pros can combat SamSam ransomware.

📖 Read

via "Dark Reading".
❌ 1-800-Flowers Becomes Latest Payment Breach Victim ❌

Details are so far scant in this latest in a string of data breaches.

📖 Read

via "Threatpost | The first stop for security news".
🕴 Quora Breach Exposes Information of 100 Million Users 🕴

The massive breach has exposed passwords for millions who didn't remember having a Quora account.

📖 Read

via "Dark Reading".
⌨ A Breach, or Just a Forced Password Reset? ⌨

Software giant Citrix Systems recently forced a password reset for many users of its ShareFile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites. Many ShareFile users interpreted this as a breach at Citrix and/or ShareFile, but the company maintains that’s not the case. Here’s a closer look at what happened, and some ideas about how to avoid a repeat of this scenario going forward.

The notice sent to ShareFile users looked like this:

[Media]

Dozens of readers forwarded the above message to KrebsOnSecurity, saying they didn’t understand the reasoning for the mass password reset and that they suspected a breach at ShareFile.

I reached out to ShareFile and asked them point blank whether this reset effort was in response to any sort of intrusion at Citrix or ShareFile; they said no. I asked if this notice had been sent to everyone, and inquired whether ShareFile offers any form(s) of multi-factor authentication options that customers could use to supplement the security of passwords.

A Citrix spokesperson referred me to this page, which says ShareFile users have a number of options when it comes to locking down their accounts with multi-factor authentication, including a one-time code sent via SMS/text message, as well as one-time passwords generated by supported authenticator mobile apps from Google and Microsoft (app-based multi-factor is the more secure option, as discussed here).

More importantly, the Citrix spokesperson said the company did not enforce a password reset on accounts that were using multi-factor authentication. To wit:

“This is not in response to a breach of Citrix products or services,” wrote spokesperson Jamie Buranich. “Citrix forced password resets with the knowledge that attacks of this nature historically come in waves. Attackers’ additional efforts adapt to the results, often tuning the volume and approach of their methods. Our objective was to minimize the risk to our customers. We did not enforce a password reset on accounts that are using more stringent authentication controls [emphasis added]. Citrix also directly integrates with common SSO solutions, which significantly reduces risk.”

The company did not respond to questions about why it decided to adopt regular password resets as a policy when doing so flies in the face of password and authentication best practices recommended by the National Institute of Standards and Technology (NIST), which warns:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

NIST explains its rationale for steering organizations away from regular forced password resets thusly:

“Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations.”

“But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.”

In short, NIST says it makes…
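The two NIST points quoted above (force a password change only on evidence of compromise, and expect users to recycle an old password through small transformations) can be turned into two concrete verifier-side checks. The following is an added example written for this post; it is not Citrix or ShareFile code, and the account fields, trigger names and sample passwords are all constructed for illustration. The first function decides whether a reset should be forced at all, with the article's MFA exemption modelled as a separate branch for a credential-stuffing wave; the second rejects a replacement password that is only a case change, leetspeak substitution, or appended/prepended number away from the old one.

```python
"""Event-based password-reset policy plus a 'trivial transformation' check.

Added example (not Citrix/ShareFile code). Account fields, trigger names and
sample passwords are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Account:
    username: str       # constructed sample field
    mfa_enabled: bool   # True when an app/SMS second factor or SSO protects the account


# Events a verifier might consider acting on (names are assumptions for this example).
PERIODIC = "periodic"            # arbitrary, time-based rotation
COMPROMISE = "compromise"        # breach of the hashed-password store or observed fraud
STUFFING_WAVE = "stuffing_wave"  # password-guessing wave against re-used credentials


def should_force_reset(account: Account, trigger: str) -> bool:
    """Decide whether to force a password change for this account.

    NIST SP 800-63B: never force a change arbitrarily (periodically); always
    force one when there is evidence the authenticator is compromised. The
    third branch mirrors the reasoning in the article: during a credential
    stuffing wave, password-only accounts are reset while accounts protected
    by a second factor are left alone.
    """
    if trigger == PERIODIC:
        return False
    if trigger == COMPROMISE:
        return True
    if trigger == STUFFING_WAVE:
        return not account.mfa_enabled
    raise ValueError(f"unknown trigger: {trigger}")


# Symbol and digit substitutions commonly used to "change" a password.
_LEET_SYMBOLS = str.maketrans({"@": "a", "$": "s"})
_LEET_DIGITS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def password_core(password: str) -> str:
    """Reduce a password to the 'core' that survives the transformations NIST
    describes: case changes, leetspeak, and numbers/punctuation added at the ends."""
    p = password.lower().translate(_LEET_SYMBOLS)
    p = re.sub(r"[^a-z0-9]", "", p)   # drop punctuation and spaces
    p = p.strip("0123456789")         # drop leading/trailing counters like ...2018 -> ...2019
    return p.translate(_LEET_DIGITS)  # 0->o, 1->i, 3->e ... inside the remaining core


def is_trivial_transformation(old: str, new: str) -> bool:
    """True when `new` shares its core with `old`, or one core contains the other.

    A verifier can reject such a replacement at change time, so that a forced
    reset after a compromise does not leave an attacker one guess away.
    """
    a, b = password_core(old), password_core(new)
    if not a or not b:
        return False
    if a == b:
        return True
    short, long_ = sorted((a, b), key=len)
    return len(short) >= 4 and short in long_


if __name__ == "__main__":
    alice = Account("alice", mfa_enabled=False)   # constructed sample accounts
    bob = Account("bob", mfa_enabled=True)
    for acct in (alice, bob):
        for trigger in (PERIODIC, COMPROMISE, STUFFING_WAVE):
            print(f"{acct.username:6} {trigger:14} force reset: {should_force_reset(acct, trigger)}")
    for old, new in (("Summer2018!", "Summer2019!"), ("Password1", "P@ssw0rd2"),
                     ("Summer2018!", "correct horse battery staple")):
        print(f"{old!r} -> {new!r}: trivial = {is_trivial_transformation(old, new)}")
```

The core comparison is deliberately conservative: it flags the common "bump the number" and leetspeak patterns NIST names, and it can be combined with a breached-password list check at change time, which is the event-based control NIST prefers over calendar-driven rotation.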
🕴 Backdoors Up 44%, Ransomware Up 43% from 2017 🕴

Nearly one in three computers was hit with a malware attack this year, and ransomware and backdoors continue to pose a risk.

📖 Read

via "Dark Reading".
❌ Google Chrome 71 Touts 43 Fixes, Fights Ad Abuse ❌

The browser comes with a new set of protections to block pop-ups that could lead to 'abusive experiences.'

📖 Read

via "Threatpost | The first stop for security news".
⚠ Could adult content ban spell the end for Tumblr? ⚠

#TumblrIsDead? Tumblr is banning adult content in an effort to be safer, better, “more positive,” and less (female) nipple-ish.

📖 Read

via "Naked Security".
⚠ Those are NOT your grandchildren! FTC warns of new scam ⚠

Grandkid imposters are managing to finagle a skyrocketing amount of money out of people, the FTC warns.

📖 Read

via "Naked Security".
⚠ Kubernetes cloud computing bug could rain data for attackers ⚠

Kubernetes, a tool that powers much modern native cloud infrastructure, just got its first big security bug - and it’s a mammoth one.

📖 Read

via "Naked Security".
⚠ Quora.com admits data breach affecting 100 million accounts ⚠

Hackers have compromised data from the accounts of 100 million users of question and answer site Quora.com.

📖 Read

via "Naked Security".
🕴 6 Ways to Strengthen Your GDPR Compliance Efforts 🕴

Companies have some mistaken notions about how to comply with the new data protection and privacy regulation - and that could cost them.

📖 Read

via "Dark Reading".