
Showing posts from June, 2018

US-CERT - VMware Releases Security Updates

Original release date: June 30, 2018 VMware has released security updates to address vulnerabilities in VMware ESXi, Workstation, and Fusion. An attacker could exploit these vulnerabilities to obtain sensitive information. NCCIC encourages users and administrators to review the VMware Security Advisory VMSA-2018-0016 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy. from US-CERT: The United States Computer Emergency Readiness Team https://www.us-cert.gov/ncas/current-activity/2018/06/30/VMware-Releases-Security-Updates

KnowBe4 - KnowBe4’s Year-Over-Year Sales DOUBLE Q2 2018

We doubled our year-over-year sales for Q2, bringing us to well over 19,000 customers worldwide. This makes 21 consecutive up quarters. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/knowbe4s-year-over-year-sales-double-q2-2018

Schneier - Friday Squid Blogging: Fried Squid with Turmeric

Good-looking recipe. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here. from Schneier on Security https://www.schneier.com/blog/archives/2018/06/friday_squid_bl_631.html

SANS - Issue #51 - Volume XX - SANS Newsbites - June 29th, 2018

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xx/51

TrustedSec - First Came the GDPR, Now Comes “The California Consumer Privacy Act of 2018”

If you count California residents amongst your customers, or those whose data you have (and given that California is one of the 10 largest economies in the world, there is a good chance that you do), it is likely that The California Consumer Privacy Act of 2018 could significantly change the way that you must handle data. Note that the recent legislation, set to take effect on January 1st, 2020, can still be modified prior to implementation; there have been many reports of affected parties furiously lobbying to do just that. What Protections Are Afforded to Citizens? Described as the most comprehensive data protection law in the US (Massachusetts, are you going to let that stand?), this law is going to require many companies to change a number of their business and technical processes. The bill ensures the following rights to consumers: (1) The right of Californians to know what personal information is being collected about them. (2) The right of Californians to know whether

Schneier - Conservation of Threat

Here's some interesting research about how we perceive threats. Basically, as the environment becomes safer we basically manufacture new threats. From an essay about the research: To study how concepts change when they become less common, we brought volunteers into our laboratory and gave them a simple task -- to look at a series of computer-generated faces and decide which ones seem "threatening." The faces had been carefully designed by researchers to range from very intimidating to very harmless. As we showed people fewer and fewer threatening faces over time, we found that they expanded their definition of "threatening" to include a wider range of faces. In other words, when they ran out of threatening faces to find, they started calling faces threatening that they used to call harmless. Rather than being a consistent category, what people considered "threats" depended on how many threats they had seen lately. This has a lot of implication

Black Hills InfoSec - Offensive SPF: How to Automate Anti-Phishing Reconnaissance Using Sender Policy Framework

Kent Ickler// TL;DR: This post describes the process of building an active system to automatically recon SPF violations. Disclaimer: There are parts of this build that might not be legal in your area. Use in the wild at your own risk. Discuss with your peeps before implementing. BHIS @Krelkci are not liable for your actions. Background: In our […] The post Offensive SPF: How to Automate Anti-Phishing Reconnaissance Using Sender Policy Framework appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/offensive-spf-how-to-automate-anti-phishing-reconnaissance-using-sender-policy-framework/

Krebs - Plant Your Flag, Mark Your Territory

Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you. The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses. Some examples of how being a modern-day Luddite can backfire are well-documented, such as when scammers create online accoun

TrustedSec - Another Standard to Keep in Mind

In TrustedSec’s Advisory division, one question we often hear is, “how can we prioritize our information security efforts?” It is not surprising, as there are many things organizations can and often should be doing from an information security perspective, but there are only so many hours in the day, and so many dollars in the budget. Without fully understanding an organization’s operations and risk tolerance, it is challenging to determine what security controls and program elements are of the highest priority. With that being said, there are tons of standards and frameworks that provide guidance around these components. Many of these can be overwhelming for an organization wondering where to start implementing an information security program. On June 25, the Cabinet Office in the UK released a new Minimum Cyber Security Standard. At first glance, it is hard to miss the similarities to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). As with the N

Schneier - Manipulative Social Media Practices

The Norwegian Consumer Council just published an excellent report on the deceptive practices tech companies use to trick people into giving up their privacy. From the executive summary: Facebook and Google have privacy intrusive defaults, where users who want the privacy friendly option have to go through a significantly longer process. They even obscure some of these settings so that the user cannot know that the more privacy intrusive option was preselected. The popups from Facebook, Google and Windows 10 have design, symbols and wording that nudge users away from the privacy friendly choices. Choices are worded to compel users to make certain choices, while key information is omitted or downplayed. None of them lets the user freely postpone decisions. Also, Facebook and Google threaten users with loss of functionality or deletion of the user account if the user does not choose the privacy intrusive option. [...] The combination of privacy intrusive defaults and the use of da

HACKMAGEDDON - May 2018 Cyber Attacks Statistics

It’s time to publish the statistics derived from the Cyber Attacks Timelines of May (Part I and Part II). Let’s from HACKMAGEDDON https://www.hackmageddon.com/2018/06/28/may-2018-cyber-attacks-statistics/

SANS - Issue #50 - Volume XX - SANS Newsbites - June 26th, 2018

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xx/50

Schneier - IEEE Statement on Strong Encryption vs. Backdoors

The IEEE came out in favor of strong encryption: IEEE supports the use of unfettered strong encryption to protect confidentiality and integrity of data and communications. We oppose efforts by governments to restrict the use of strong encryption and/or to mandate exceptional access mechanisms such as "backdoors" or "key escrow schemes" in order to facilitate government access to encrypted data. Governments have legitimate law enforcement and national security interests. IEEE believes that mandating the intentional creation of backdoors or escrow schemes -- no matter how well intentioned -- does not serve those interests well and will lead to the creation of vulnerabilities that would result in unforeseen effects as well as some predictable negative consequences. The full statement is here. from Schneier on Security https://www.schneier.com/blog/archives/2018/06/ieee_statement_.html

Schneier - Bypassing Passcodes in iOS

Last week, a story was going around explaining how to brute-force an iOS password. Basically, the trick was to plug the phone into an external keyboard and try every PIN at once: We reported Friday on Hickey's findings, which claimed to be able to send all combinations of a user's possible passcode in one go, by enumerating each code from 0000 to 9999, and concatenating the results in one string with no spaces. He explained that because this doesn't give the software any breaks, the keyboard input routine takes priority over the device's data-erasing feature. I didn't write about it, because it seemed too good to be true. A few days later, Apple pushed back on the findings -- and it seems that it doesn't work. This isn't to say that no one can break into an iPhone. We know that companies like Cellebrite and Grayshift are renting/selling iPhone unlock tools to law enforcement -- which means governments and criminals can do the same thing -- and tha

KnowBe4 - CyberheistNews Vol 8 #26 [Heads-up] New Sleeper Strain of SamSam Ransomware Bypasses AV And Stays Hidden On Your Network

from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cyberheistnews-vol-8-26-heads-up-new-sleeper-strain-of-samsam-ransomware-bypasses-av-and-stays-hidden-on-your-network

KnowBe4 - Do employees open your network to the bad guys by using hacked passwords?

A whopping 25% of employees are using the same password for all logins. What if that password is available on the dark web? A massive amount of passwords are compromised due to data breaches and used by the bad guys for attacks. Are any hacked passwords in use within your organization? Using breached passwords puts your network at risk. Password policies often do not prevent employees using known bad passwords. Making your users frequently change their passwords isn’t a good solution either. It only takes one compromised password match for the bad guys to gain access. KnowBe4’s complimentary NEW Breached Password Test (BPT) checks to see if your users are currently using passwords that are in publicly available breaches associated with your domain. BPT checks against your Active Directory and reports compromised passwords in use right now so that you can take action immediately! from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/do-employees-open-your-

TrustedSec - Check Yo Privilege

Many of our customers follow the best practice of creating separate accounts for day-to-day tasks and administrative ones. In the event of an attack, using separate accounts is often a great way to slow things down and give security teams a little extra time for discovery and identification of an attack. Because many attacks happen in the user context, this creates an extra step for an attacker, who must escalate the privileges to administrative permissions. Unfortunately, something I have discovered on a number of engagements is that users don’t like to remember multiple passwords. Many users just set the same password for both accounts. This practice circumvents the whole purpose of having separate accounts. Many organizations even make it easy for an attacker to identify these accounts by using “tags” in the naming convention to designate if the user is administrative or not. For example, the user John Smith’s regular account may be jsmith, while the administrative account assi

KnowBe4 - Don't Underestimate The Economic Side of Russia's Cyber Warfare

I just ran into an excellent article by Boris Zilberman, deputy director of congressional relations and a Russia analyst at the Foundation for Defense of Democracies. It was posted at The Cipher Brief, which is a digital, security-based conversation platform that connects the private sector with the world's leading security experts. You should check it out, warmly recommended. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/dont-underestimate-the-economic-side-of-russias-cyber-warfare

HACKMAGEDDON - 16-31 May 2018 Cyber Attacks Timeline

Here it comes! The second timeline of May is ready (first timeline here), covering the main cyber attacks that occurred between from HACKMAGEDDON https://www.hackmageddon.com/2018/06/26/16-31-may-2018-cyber-attacks-timeline/

US-CERT - SB18-176: Vulnerability Summary for the Week of June 18, 2018

Original release date: June 25, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium severity