Making Sense of Security

Securing your Digital World.

The Top 19 Information Security Conferences of 2020

With the 2010s over, the infosec industry is now fully invested in 2020 and beyond. The 2020s will no doubt present their fair share of challenging digital security threats. But they will also enable security professionals to discuss shared difficulties at conferences and summits. To help promote these collaborative events, we at The State of Security are proud once again to assemble a list of the top information security conferences that are planned for Read more…


Dating apps share personal data with advertisers, study says

Some of the most popular dating services may be violating GDPR or other privacy laws Unbeknownst to their users, several popular dating apps, including Tinder, OkCupid and Grindr, share detailed personal data on their users with third parties for advertising purposes, a study conducted by the Norwegian Consumer Council has found. The details spanned the gamut and included location, age, gender, as well as, in some cases, sexual orientation, drug use, and religious and political Read more…


Configuration Error Reveals 250 Million Microsoft Support Records

Some of the records, found on five identically configured servers, might have contained data in clear text. Researchers have found five servers revealing almost 250 million Customer Service and Support (CSS) records. Each server contains what appears to be the same set of data, stored with no security or authentication. In a blog post, Microsoft acknowledged the exposure and blamed it on misconfigured security rules after changes made in early December. A security research team at Read more…


Big Microsoft data breach – 250 million records exposed

by Paul Ducklin Microsoft has today announced a data breach that affected one of its customer databases. The blog article, entitled Access Misconfiguration for Customer Support Databases, admits that between 05 December 2019 and 31 December 2019, a database used for “support case analytics” was effectively visible from the cloud to the world. Microsoft didn’t give details of how big the database was. However, consumer website Comparitech, which says it discovered the unsecured data online, Read more…


Startup Privafy Raises $22M with New Approach to Network Security

The company today disclosed an approach to data security designed to protect against modern threats at a lower cost than complex network tools. Data security startup Privafy has officially entered the market with a new security-as-a-service application and $22 million in minority investment to continue scaling its cloud-based business. Privafy, founded by executives of Verizon and NXP Semiconductors, aims to secure data in motion as it travels across on-prem locations, clouds, mobile, and the Internet Read more…


Email malware targets U.S. senator and military

The cybercriminals behind the powerful banking malware have turned their attention to government targets like Sen. Cory Booker.


Cybersecurity Lessons Learned from ‘The Rise of Skywalker’

They’re especially relevant regarding several issues we face now, including biometrics, secure data management, and human error with passwords. The Star Wars film franchise has fascinated society with unprecedented fervor for over 40 years, and it’s easy to see why: They’re Shakespearean tales with lightsabers and spaceships. But aside from timeless lessons about love and friendship and good versus evil, there are tertiary lessons about technology that can be useful for our progression toward a Read more…


UPS Says Phishing Incident Might Have Exposed Some Customers’ Data

The United Parcel Service (UPS) revealed that a phishing incident might have exposed the information of some of its customers. In its “Notice of Data Breach” letter, UPS disclosed that an unauthorized person had used a phishing attack to gain access to store email accounts at some of its store locations between September 29, 2019 and January 13, 2020. The American multinational package delivery and supply chain management company responded by launching an investigation with Read more…


NIST’s new privacy rules – what you need to know

by Danny Bradbury You’ve waded through the relevant privacy regulations until your brain hurts, and you understand the basic requirements under GDPR, CCPA, or whatever industry rules you must abide by. But how do you ensure that you’re compliant? Worry no more. NIST has released a Privacy Framework to help you get your house in order. The federal US government’s National Institute of Standards and Technology (NIST) has a good track record advising organisations on cybersecurity. Read more…


Regus spills data of 900 staff on Trello board set to ‘public’

by John E Dunn Another company has ended up accidentally spilling sensitive data from business collaboration tool Trello. According to a Daily Telegraph report, the company that put the boot to its own throat this time is office space company Regus, which posted performance ratings of 900 managers to a public Trello board. Trello boards come in three types – private (password needed), approved (i.e. visible to specific people), and public. It seems the Regus Read more…


Navigating ICS Security: Best Practices for ICS Decision-Makers

As a security consultant, I’m not going into an environment to design and build an organization’s network from the ground up in most situations. For the majority of the time, I’m working with legacy environments where some old technologies might be phasing out and newer ones joining the mix of solutions. In the case of one environment I went to, for instance, it was all of this plus a variety of Shadow IT that was Read more…


The Vendor Security Assessment (VSA): What You Need to Know

Requesting that a SaaS company answer a Vendor Security request has become a regular thing for companies who work in the cloud. But have you thought about how the reverse works, that is, when your customer has a VSA process focusing on you? The Vendor Security Assessment, or VSA, is the means by which your infosec team confirms that a cloud vendor, or any vendor who might have access to your data, is going to Read more…


Microsoft, DHS Warn of Zero-Day Attack Targeting IE Users

Software firm is “aware of limited targeted attacks” exploiting a previously undisclosed scripting engine vulnerability in Internet Explorer 9, 10, and 11. A targeted attack is exploiting a previously unknown vulnerability in Internet Explorer to corrupt memory and compromise victims’ Windows systems, Microsoft warned in an advisory published on January 17. The flaw, described as a scripting engine memory corruption vulnerability and designated CVE-2020-0674, allows an attacker to take control of Read more…


New Ransomware Tactic Shows How Windows EFS Can Aid Attackers

Researchers have discovered how ransomware can take advantage of the Windows Encrypting File System, prompting security vendors to release patches. Security researchers today published the details of how a ransomware attack could abuse the Windows Encrypting File System (EFS). Several major security vendors have released patches to protect machines from this attack after anti-malware tools failed to defend against the technique. The discovery comes from SafeBreach Labs, where researchers were brainstorming new, more sophisticated ways Read more…


FireEye Buys Cloudvisory

The purchase is intended to bring new cloud capabilities to the FireEye Helix security platform. FireEye has announced the purchase of Cloudvisory, a company specializing in visibility, compliance, and policy governance for multicloud environments. Financial terms of the purchase were not disclosed. According to the announcement, the acquisition is intended to add cloud security capabilities to the FireEye Helix platform, allowing more customers to have a single solution for cloud and container security. Founded in Read more…


3 ways to browse the web anonymously

Are you looking to hide in plain sight? Here’s a rundown of three options for becoming invisible online As concern about internet privacy grows and grows, more and more people are actively seeking to browse the web anonymously. There are various ways to avoid being identified or tracked on the internet, although, in fact, “attempt to avoid” might often be more appropriate. Online anonymity can often feel like a fleeting goal, and a problem as Read more…


Avoid That Billion-Dollar Fine: Blurring the Lines Between Security and Privacy

While doing good for the user is the theoretical ideal, the threat of fiscal repercussions should drive organizations to take privacy seriously. That means security and data privacy teams must work more closely. In the wake of companies such as British Airways, Marriott, and Facebook facing record privacy violation fines, organizations are seeing the ramifications of not having their privacy compliance under control. Clearly, the lines between data security and data privacy are blurring, and Read more…


When Away

We want you to be able to make the most of technology at all times, including when you travel. In this newsletter, we cover how you can connect to the Internet and use your devices securely on the road. Pre-check While your network at home or at work may be secure, you should assume that any network you connect to when traveling cannot be trusted. You never know who else is on it and what Read more…


Ransomware Upgrades with Credential-Stealing Tricks

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database
CVE-2020-7227 PUBLISHED: 2020-01-18 Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, …
CVE-2019-15625 PUBLISHED: 2020-01-18 A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim’s memory Read more…


iOS-based devices: Zero-touch management essentials

Managing multiple devices can be a full-time job. With a few tools in your arsenal, you can optimize mobile devices for zero-touch management. It’s no mystery why Apple’s mobile devices have permeated into just about every workspace and industry. Initially hailed as a consumer device, the iPhone and later the iPad began to appear in meetings for note-taking, on-the-go conference calls, as a virtual assistant belting out reminders, calendar alerts, and as our digital rolodex Read more…


Data Awareness Is Key to Data Security

Traditional data-leak prevention is not enough for businesses facing today’s dynamic threat landscape. Data attacks reached an all-time high in 2019 as we continued to transform our lives digitally — moving our work, health, financial, and social information online. In response, businesses must meet hefty data and information protection regulatory and compliance requirements. There’s no room for error. Protections are required for everything from simple user mistakes, such as downloading a file on the corporate Read more…


Windows 7 remains an albatross at many large organizations

Among 60,000 large companies analyzed by security ratings company BitSight, almost 90% still have Windows 7 PCs in their environment.


How to use a physical security key to sign into supported websites

A security key is a good option to use for two-factor authentication when logging into certain websites. With the Windows Hello and FIDO2 standards, you can authenticate supported website logins through different methods, including facial recognition, fingerprint recognition, a PIN, or a physical security key. The goal is to eliminate or reduce the need to remember a complex password for each site. Read more…


If you don’t like your browser, why won’t you change to a different one?

Commentary: Users tend to stick with their preferred browser even when it works poorly for them. Consumers should care more about browser security, which is why the primary browser providers keep focusing on privacy improvements. Google just announced plans to drive a stake through the heart of third-party cookies in its Chrome browser, potentially improving consumer privacy. Meanwhile, Microsoft is rolling out a brand-spanking new Chromium-based Edge browser, which comes with better default tracking protection Read more…


Elaborate Honeypot ‘Factory’ Network Hit with Ransomware, RAT, and Cryptojacking

A fictitious industrial company with phony employee personas, a website, and PLCs sitting on a simulated factory network fooled malicious hackers – and raised alarms for at least one white-hat researcher who stumbled upon it. S4x20 CONFERENCE – Miami – For seven months, researchers at Trend Micro ran a legitimate-looking phony industrial prototyping company with an advanced interactive honeypot network to attract would-be attackers. The goal was to create a convincing-looking network that attackers wouldn’t recognize Read more…


Citrix ships patches as vulnerable servers come under attack

by John E Dunn Citrix has issued its first set of patches fixing a nasty vulnerability that’s been hanging over some of its biggest products. The flaw, identified as CVE-2019-19781 on 17 December 2019, affected Citrix’s Application Delivery Controller (ADC) load and application balancer, and the Citrix Gateway Virtual Private Network (VPN) appliance (previously known as the NetScaler ADC or NetScaler Gateway). Citrix was vague about what the flaw might allow an attacker to do Read more…


Health Quest Begins Notifying Patients Affected by Phishing Incident

Health Quest announced that it’s begun notifying patients whose information might have been exposed in a phishing incident. According to its website notice, Health Quest first learned of the incident in July 2018 when several employees fell for a phishing attack and thereby inadvertently disclosed their email account credentials to an unauthorized party. The Hudson Valley-based group of nonprofit hospitals and healthcare providers responded by securing the compromised email accounts and retaining a digital security Read more…


7 Tips for Infosec Pros Considering A Lateral Career Move

Looking to switch things up but not sure how to do it? Security experts share their advice for switching career paths in the industry. Cybersecurity professionals have their pick from a diverse range of specialties within the industry, from network security to penetration testing to incident response. It’s not uncommon to switch specialties over the course of a career. The question is, how do you go about Read more…


China and US top user data requests in Apple transparency report

by Lisa Vaas Governments in the US and China are at the front of the line when it comes to knocking on Apple’s door to request user data relating to fraud/phishing, according to the company’s latest transparency report. Like any tech company that handles user data, Apple gets different types of requests: those that are made when an account holder is in imminent danger, those from law enforcement agencies (LEA) trying to help people find Read more…


What do online file sharers want with 70,000 Tinder images?

by Danny Bradbury A researcher has discovered thousands of Tinder users’ images publicly available for free online. Aaron DeVera, a cybersecurity researcher who works for security company White Ops and also for the NYC Cyber Sexual Assault Taskforce, uncovered a collection of over 70,000 photographs harvested from the dating app Tinder, on several undisclosed websites. Contrary to some press reports, the images are available for free rather than for sale, DeVera said, adding that they Read more…


China-Based Cyber Espionage Group Reportedly Behind Breach at Mitsubishi Electric

Personal data on over 8,100 individuals and confidential business information likely exposed in June 2019 incident. A data breach at Japan’s Mitsubishi Electric that may have exposed some 200 MB of personal and confidential business data is the latest reminder of the growing threat many organizations face from sophisticated cyber espionage groups. Mitsubishi on Monday admitted it had experienced a data breach last June after at least two Japanese newspapers reported on the incident this Read more…


How to access your 2FA Docker Hub account from the command line

With 2FA enabled on your Docker Hub account, you’ll find you cannot access it with your user password from within the CLI. Jack Wallen shows you how to make this work.


What does it take to attract top cybersecurity talent?

From professional backgrounds to competitive salaries – a study delves into what it takes to build strong cybersecurity teams Cybersecurity professionals are in high demand, but in low supply, the 2019 (ISC)2 Cybersecurity Workforce Study finds. In fact, the supply is so low that it needs to grow by an estimated 145 percent to fill the estimated 4.07 million gap. The United States alone needs growth of 62% to meet the needs of its businesses. Read more…


Registers as “Default Print Monitor”, but is a malicious downloader. Meet DePriMon

ESET researchers have discovered a new downloader with a novel installation technique not previously seen in the wild. DePriMon is a malicious downloader with several stages that uses many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor – a trick falling under the “Port Monitors” technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the “Windows Default Print Monitor” name; that’s why we have named it DePriMon. Due Read more…


Should cybersecurity be taught in schools?

Experts weigh in on whether schools should teach kids the skills they need to safely reap the benefits of the online world With education being one of the key factors in everyone’s life, the education system of any country seeks to provide children not only with elementary competencies, but also equip them with at least some of the skills that they’ll need to successfully navigate their daily lives. In our technology-infused era, then, there’s a Read more…


CyberwarCon – the Future of Nation‑State Nastiness

How the field of play has changed and why endpoint protection still often comes down to doing the basics, even in the face of increasingly complex threats The news cycle is awash with coverage of campaigns that have nation-state fingerprints all over them. Now, here at CyberwarCon in Washington, D.C., there’s a deluge of energy surrounding the subject from all corners of the globe. From information campaigns of all kinds to serious hacking attempts, the Read more…


New Internet Explorer zero‑day remains unpatched

You may want to implement a workaround or stop using the browser altogether, at least until Microsoft issues a fix. Microsoft has released a security advisory alerting users to an as-yet unpatched vulnerability in its Internet Explorer (IE) web browser that is being exploited in limited targeted attacks. The zero-day, which is tracked as CVE-2020-0674, is a memory corruption issue in the browser’s scripting engine. Its exploitation could enable remote attackers to run code Read more…


Secure Your Home Wi-Fi Network

Several years ago, creating a cybersecure home was simple; most homes consisted of nothing more than a wireless network and several computers. Today, technology has become far more complex and is integrated into every part of our lives, from mobile devices and gaming consoles to your home thermostat and your refrigerator. Here are four simple steps for creating a cybersecure home. Your Wireless Network Almost every home network starts with a wireless (or Wi-Fi) network. Read more…


Are We Secure Yet? How to Build a “Post-Breach” Culture

There are many ways to improve your organization’s cybersecurity practices, but the most important principle is to start from the top. Are we secure yet? I was asked this question in a board meeting many years ago. The way it was phrased implied that getting secure is a task to be completed. Managing cybersecurity is actually more like doing the laundry, in that it’s never finished. So, are we secure yet? The answer is Read more…


The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem

We all make assumptions. They rarely turn out well. A new/old date problem offers a lesson in why that’s so. Twenty years ago, the IT world collectively thought it had dodged a millennium-sized bullet when years of preparation saw the dawn of January 1, 2000 without a world-wide computer catastrophe. For some, though, the Y2K bullet has turned out to be a boomerang. And it’s a boomerang that carries Read more…


GDPR Regulators Have Imposed $126M in Fines Thus Far, Finds Survey

A new survey found that regulators have thus far imposed $126 million worth of fines for data breaches and other GDPR infringements. According to DLA Piper’s GDPR Data Breach Survey, data protection regulators imposed €114 million (about US$126 million / £97 million) in GDPR-related fines between May 25, 2018 and January 27, 2020. The international law firm pointed out that France, Germany and Austria received the highest totals of those fines at €51 million, €24.5 Read more…


Teen entered ‘dark rabbit hole of suicidal content’ online

by Lisa Vaas You’re fat. You’re worthless. You don’t deserve to be alive. Those are the kind of comments left on social media posts as innocent as a picture of a flower, as Sarah Lechmere – who has struggled with eating disorders – told the BBC. Social media posts also pointed her to pro-anorexia sites that gave her “tips” on how to self-harm, she said. This is precisely why UK psychiatrists want to see social Read more…


Facebook and Instagram ban alleged ‘brainwashing’ service

by John E Dunn Updated to include response from Elliot Shefler. Have you ever tried to persuade a friend or family member to do something they don’t really want to? Not easy – the person being persuaded knows you’re trying to persuade them, which makes them more likely to question your motives and resist. Now imagine there was a way to persuade that individual to agree with your wishes by feeding them advertising on your Read more…


This new startup aims to make developers love security

Commentary: As more workloads move to the cloud, developers need help with security. Find out how the startup Cyral is helping to improve data security in the cloud. Even as enterprises increasingly move workloads to the cloud, with IDC predicting the world’s data will balloon from 29 zettabytes in 2018 to 175 zettabytes by 2025, much of that in the cloud, developers are pushed to keep up and keep things secure as they embrace cloud-native Read more…


You’ve Bought Security Software. Now What?

Many years ago when I first started my career in network security as a support engineer, I received a phone call from a customer. (Let’s call him “Frank.”) He used our vulnerability scanner as a consultant for his own customers, and he was concerned that the scanner came back with 0 results. After reviewing his set-up, I easily discovered the answer. “Here’s the problem: you’re not using credentials to gain access to your customer’s assets.” Read more…


Stantinko botnet adds cryptomining to its pool of criminal activities

ESET researchers have discovered that the criminals behind the Stantinko botnet are distributing a cryptomining module to the computers they control The operators of the Stantinko botnet have expanded their toolset with a new means of profiting from the computers under their control. The roughly half-million-strong botnet – known to have been active since at least 2012 and mainly targeting users in Russia, Ukraine, Belarus and Kazakhstan – now distributes a cryptomining module. Mining Monero, a Read more…


Cryptocurrency exchange loses US$50 million in apparent hack

UPbit has announced that, as a precaution, all transactions will remain suspended for at least two weeks Cryptocurrency exchange UPbit announced today that it lost almost US$50 million worth of ether (ETH) in an apparent security breach. According to this statement by Lee Seok-woo, the CEO of the exchange’s operator Dunamu, around 342,000 ETH were moved from the platform’s ‘hot wallet’ to this unrecognized wallet today shortly after 1 p.m. local time. Client funds were Read more…


Smartwatch exposes locations and other data on thousands of children

A device that is supposed to help parents keep track of their children and give them peace of mind can be turned into a surveillance device. Researchers at the AV-Test Institute have uncovered gaping privacy and security holes in the SMA-WATCH-M2 smartwatch that is designed to keep children safe and their parents feeling secure about their offspring. The security lapses were so severe that the researchers were able to piece together a snapshot of Read more…


5 personal (and cheap) data privacy tools that scale for business

Smart selections when starting small can ease the pain as you scale up your company’s privacy infrastructure If, unlike enterprise customers, you don’t have six figures to spend, what are some things you can do to protect your data that can scale as your business grows? Even if you don’t plan on scaling to an IPO, but are looking for good, solid privacy tech on the cheap, here are five ideas to help. Multifactor authentication Read more…


Notorious spy tool taken down in global operation

IM-RAT, which could be had for as little as US$25, was bought by nearly 15,000 people Law enforcement authorities in a number of countries have broken up a cybercriminal operation that peddled a notorious Remote Access Trojan (RAT) capable of giving anyone with ill intentions total control over compromised machines, according to announcements by Europol, the United Kingdom’s National Crime Agency (NCA) and the Australian Federal Police (AFP). If installed undetected, the insidious tool – Read more…
