Attackers Using New Exploit Kit to Hijack Home & Small Office Routers
via Dark Reading
Goal is to steal banking credentials by redirecting users to phishing sites.

Patch Tuesday Arrives with 9 Critical CVEs, 1 Under Attack
via Dark Reading
Serious bugs addressed today include a Win32K privilege escalation vulnerability and a Windows DNS server heap overflow flaw.

Equifax Breach Underscores Need for Accountability, Simpler Architectures
via Dark Reading
A new congressional report says the credit reporting firm's September 2017 breach was 'entirely preventable.'

Battling Bots Brings Big-Budget Blow to Businesses
via Dark Reading
Fighting off bot attacks on Web applications extracts a heavy cost in human resources and technology, according to a just-released report.

Phones are selling location data from 'trusted' apps
via Naked Security
Data brokers are tracking 200 million mobile devices in the US, updating locations up to 14,000 times a day, the New York Times has found.

Text CAPTCHAs easily beaten by neural networks
via Naked Security
As CAPTCHA-haters know to their frequent irritation, reports of the death of the text-based Completely Automated Public Turing test to tell Computers and Humans Apart tend to be exaggerated.

Google+ to power down early after second security hole found
via Naked Security
Google has disclosed the second security hole in its Google+ social network in three months. This one exposed 100 times as many users' private information as the first, and has prompted the c…

Samsung fixes flaws that could have let attackers hijack your account
via Naked Security
Flaws in the mobile site were leaving users vulnerable to attackers who could have reset their passwords and hijacked their accounts.

Supply Chain Security: Managing a Complex Risk Profile
via Threatpost
Experts sound off on how companies can work with their third-party suppliers and partners to secure the end-to-end supply chain.

Higher Education: 15 Books to Help Cybersecurity Pros Be Better
via Dark Reading
Constant learning is a requirement for cybersecurity professionals. Here are 15 books recommended by professionals to continue a professional's education.

Super Micro Says Its Gear Wasn't Bugged By Chinese Spies
via Threatpost
The news comes amid reports that a Chinese intelligence-gathering effort was behind the massive Marriott hotel data breach.

Operation Sharpshooter Takes Aim at Global Critical Assets
via Threatpost
Operation Sharpshooter uses a new implant to target mainly English-speaking nuclear, defense, energy and financial companies.

Forget Shifting Security Left; It's Time to Race Left
via Dark Reading
Once DevOps teams decide to shift left, they can finally look forward instead of backward.

Microsoft, PayPal, Google Top Phishing's Favorite Targets in Q3
via Dark Reading
One out of every 100 emails an enterprise receives is a phishing scam, and the attackers behind them are getting more sophisticated.

Arctic Wolf Buys RootSecure
via Dark Reading
The purchase adds risk assessment to Arctic Wolf's SOC-as-a-service.

88% of organizations are not properly governing their own data
via TechRepublic
Some 88% of organizations aren't correctly managing access to data stored in files, according to a SailPoint report.

ThreatList: Holiday Spam, the Perfect Seasonal Gift for Criminals
via Threatpost
Consumers are much more likely to fall for spam during the season of giving.

Mac Malware Cracks WatchGuard's Top 10 List
via Dark Reading
Security experts advise Mac users to deploy security suites to protect themselves from the growing threat.

Scanning for Flaws, Scoring for Security

Is it fair to judge an organization's information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Fair or not, a number of nascent efforts are using just such an approach to derive security scores for companies and entire industries. What's remarkable is how many organizations don't make an effort to view their public online assets as the rest of the world sees them, at least until it's too late.

[Image: US Chamber of Commerce.]

For years, potential creditors have judged the relative risk of extending credit to consumers based in part on the applicant's credit score, the most widely used being the score developed by FICO, previously known as Fair Isaac Corporation. Earlier this year, FICO began touting its Cyber Risk Score (PDF), which seeks to measure an organization's chances of experiencing a data breach in the next 12 months, based on a variety of measurements tied to the company's public-facing online assets.

In October, FICO teamed up with the U.S. Chamber of Commerce to evaluate more than 2,500 U.S. companies with the Cyber Risk Score, and then invited these companies to sign up and see how their score compares with that of other organizations in their industry. The stated use cases for the Cyber Risk Score include the potential for cyber insurance pricing and underwriting, and evaluating supply chain risk (i.e., the security posture of vendor partners).

The company-specific scores are supposed to be made available only to vetted people at the organization who go through FICO's signup process. But in a marketing email sent to FICO members on Tuesday advertising its new benchmarking feature, FICO accidentally exposed the FICO Cyber Risk Score of energy giant ExxonMobil.

The marketing email was quickly recalled and reissued in a redacted version, but it seems ExxonMobil's score of 587 puts it in the "elevated" risk category and somewhat below the mean score among large companies in the Energy and Utilities sector, which was 637. The October analysis by the Chamber and FICO gives U.S. businesses an overall score of 687 on a scale of 300-850.

[Image: Data accidentally released by FICO about the Cyber Risk Score for ExxonMobil.]

How useful is such a score? Mike Lloyd, chief technology officer at RedSeal, was quoted as saying a score "taken from the outside looking in is similar to rating the fire risk to a building based on a photograph from across the street."

"You can, of course, establish some important things about the quality of a building from a photograph, but it's no substitute for really being able to inspect it from the inside," Lloyd told Dark Reading regarding the Chamber/FICO announcement in October.

Naturally, combining external scans with internal vulnerability probes and penetration testing engagements can provide organizations with a much more holistic picture of their security posture. But when a major company makes public, repeated and prolonged external security foibles, it's difficult to escape the conclusion that perhaps it isn't looking too closely at its internal security either.

ENTIRELY, CERTIFIABLY PREVENTABLE

Too bad the errant FICO marketing email didn't expose the current cyber risk score of big-three consumer credit bureau Equifax, which was relieved of personal and financial data on 148 million Americans last year after the company failed to patch one of its Web servers and then failed to detect an intrusion into its systems for months.

A 96-page report (PDF) released this week by a House oversight committee found the Equifax breach was "entirely preventable." For 76 days beginning mid May 2017, the intruders made more…

Deception: Honey vs. Real Environments
via Dark Reading
A primer on choosing deception technology that will provide maximum efficacy without over-committing money, time and resources.

U.S. Defense, Critical Infrastructure Companies Targeted in New Threat Campaign
via Dark Reading
McAfee finds malware associated with 'Operation Sharpshooter' on systems belonging to at least 87 organizations.