Posts

Showing posts from August, 2018

Schneier - Friday Squid Blogging: Giant Squid Washes up on Wellington Beach

Another giant squid washed up on a beach, this time in Wellington, New Zealand. Is this a global trend? As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here . from Schneier on Security https://www.schneier.com/blog/archives/2018/08/friday_squid_bl_640.html

KnowBe4 - Mobile Phishing Campaign: Homograph Characters + "Free Flights"

Image
Kacy Zurkus at the InfoSec group had the scoop on a campaign recently reported by  Farsight Security  involved an internationalized domain name (IDN) "homograph-based" phishing website that tricked mobile users into inputting their personal information. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/mobile-phishing-campaign-homograph-characters-free-flights

Schneier - I'm Doing a Reddit AMA

On Thursday, September 6, starting at 10:00 am CDT, I'll be doing a Reddit " Ask Me Anything " in association with the Ford Foundation . It's about my new book , but -- of course -- you can ask me anything. No promises that I will answer everything.... from Schneier on Security https://www.schneier.com/blog/archives/2018/08/im_doing_a_redd.html

Schneier - Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I'm giving a book talk on Click Here to Kill Everybody at the Ford Foundation in New York City, on September 5, 2018. The Aspen Institute's Cybersecurity & Technology Program is holding a book launch for Click Here to Kill Everybody on September 10, 2018 in Washington, DC. I'm speaking about my book Click Here to Kill Everybody: Security and Survival in a Hyper-connected World at the Harvard Book Store in Cambridge, Massachusetts on September 11, 2018. I'm giving a keynote on supply chain security at Tehama's " De-Risking Your Global Workforce " event in New York City on September 12, 2018. I'll be appearing at an Atlantic event on Protecting Privacy in Washington, DC on September 13, 2018. I'll be speaking at the 2018 TTI/Vanguard Conference in Washington, DC on September 13, 2018. I'm giving a book talk at Fordham Law School in New York City on September 1...

KnowBe4 - Healthcare Organizations are Unprepared Without Cybersecurity Insurance!

Image
With the Healthcare industry as a primary target by cybercriminals, analytics firm FICO’s latest findings indicate Healthcare is simply not ready for the aftermath of a cyberattack. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/healthcare-organizations-are-unprepared-without-cybersecurity-insurance

Black Hills InfoSec - Red Teaming Microsoft: Part 1 – Active Directory Leaks via Azure

Mike Felch// With so many Microsoft technologies, services, integrations, applications, and configurations it can create a great deal of difficulty just to manage everything. Now imagine trying to secure an environment that goes well beyond the perimeter. While moving everything to a cloud provider can provide amazing return in scalability, functionality, and even savings, it […] The post Red Teaming Microsoft: Part 1 – Active Directory Leaks via Azure appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/

SANS - Issue #69 - Volume XX - SANS Newsbites - August 31st, 2018

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xx/69

SBS CyberSecurity - What Fiserv’s Internet Banking Flaw Means for You

Fiserv, Inc., is one of the largest Financial Services technology providers in the world. They serve more than 12,000 clients in over 80 countries, including around 1700 banks in the US. Fiserv also recently fixed an issue with their web-based Internet Banking Platform to which all banks should pay attention. from SBS CyberSecurity https://sbscyber.com/resources/articleType/ArticleView/articleId/2538/what-fiservs-internet-banking-flaw-means-for-you

TrustedSec - TrustedSec Podcast Episode 3.1 – Another Epic? Struts Exploit and PHP

Welcome to the Trusted Security Podcast – a podcast dedicated to bringing the latest news on information security and the industry. This episode features the following members: Geoff Walton, Rob Simon, Justin Bollinger, and introducing Logan Sampson Title: Experts Urge Rapid Patching of Struts Bug URL: https://krebsonsecurity.com/2018/08/experts-urge-rapid-patching-of-struts-bug/ Author: Brian Krebs Title: Epic Games First Fortnite Installer allowed hackers to download and install silently URL: https://www.androidcentral.com/epic-games-first-fortnite-installer-allowed-hackers-download-install-silently Author: Andrew Martonik Title: The Ticking PHP Time Bomb URL: https://www.linkedin.com/pulse/ticking-php-time-bomb-martin-wheatley/ Author: Martin Wheatley Title: Crowdsourcing the hunt for software bugs is a booming business—and a risky one Url: https://www.technologyreview.com/s/611892/crowdsourcing-the-hunt-for-software-bugs-is-a-booming-businessand-a-risky-one/ Author: Ma...

KnowBe4 - One in five employees share their email password with co-workers

Image
Negligent employees remain the number one cause of data breaches at small businesses across America. So why do small businesses continue to struggle with good cyber security practices and what can they do to correct those habits? from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/one-in-five-employees-share-their-email-password-with-co-workers

KnowBe4 - See Ridiculously Easy Security Awareness Training and Phishing in Action: September Live Demo

Image
Old-school awareness training does not hack it anymore. Your email filters have an average 10.5-15% failure rate; you need a strong human firewall as your last line of defense. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/security-awareness-training-live-demo-knowbe4

Schneier - Eavesdropping on Computer Screens through the Webcam Mic

Yet another way of eavesdropping on someone's computer activity: using the webcam microphone to "listen" to the computer's screen. from Schneier on Security https://www.schneier.com/blog/archives/2018/08/eavesdropping_o_7.html

KnowBe4 - KnowBe4 is The ONLY simulated phishing and awareness training platform that is SOC2 Type 2 certified

Image
KnowBe4, Inc, the world's largest security awareness training and simulated  phishing  platform, this week announced it has successfully completed a Service Organization Controls (SOC) 2 Type II examination for the hosted phishing and training product lines, which help organizations address the human sources of risk associated with phishing attacks. This makes KnowBe4 the first organization in its field to achieve a SOC2 Type II certification. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/knowbe4-is-the-only-simulated-phishing-and-awareness-training-platform-that-is-soc2-type-2-certified

KnowBe4 - Spike in Business Email Compromise

Image
Business email compromise attacks (BEC) have spiked by 80% over the past quarter, according to a report by Mimecast. The security provider revealed that over the past three months it had blocked over 41,000 BEC attempts that went undetected by other vendors. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/spike-in-business-email-compromise

KnowBe4 - [INFOGRAPHIC] The Problem: More Data Breaches Despite Increasing Security Budgets

Image
The CyberEdge 2018 Cyberthreat Defense Threat Report shows that lack of security talent, low security awareness among employees, and too much data to analyze are the three major headaches IT pros have to deal with trying to keep their networks safe. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/infographic-the-problem-more-data-breaches-despite-increasing-security-budgets

KnowBe4 - SEO Extortion by STD

Image
A group is attempting to extort money from a company by threatening to destroy its online reputation. CheapAir, a flight comparison website, says it received an email in which a group calling itself “STD Company” threatened to give CheapAir thousands of negative reviews in order to manipulate the website’s position in search engine results. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/seo-extortion-by-std

KnowBe4 - SAVE THE DATE FOR KB4-CON 2019!

Image
Join KnowBe4 for the second annual KB4 Con May 8-10, 2019 at the Orlando World Center Marriott. The KB4 Con user conference is designed for CISOs, security awareness training program administrators and information security professionals. Once again, this event will be offered at no charge to all KnowBe4 customers. You only pay for your flight and the hotel. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/save-the-date-for-kb4-con-2019

KnowBe4 - This is a map of KnowBe4's 20,000+ customers Worldwide

Image
Sometimes it's just fun to use some mapping software and see the geographic picture of where your customers are. We have many organizations using KnowBe4 all over the world, but the highest density is in the U.S. Here is how it looks for Q3, 2018, after we just broke the 20,000 customer record, and if you click on the picture, a larger file with more detail shows up!   from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/this-is-a-map-of-knowbe4s-20000-customers-in-the-u.s-and-europe

Black Hills InfoSec - Having Fun with ActiveX Controls in Microsoft Word

Marcello Salvati// During Red Team and penetration tests, it’s always important and valuable to test assumptions. One major assumption I hear from Pentesters, Red teamers and clients alike is that most networks (or their own network) block outbound SMB traffic. In my phishing payloads I always try to inject a UNC path: If macros are […] The post Having Fun with ActiveX Controls in Microsoft Word appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/having-fun-with-activex-controls-in-microsoft-word/

KnowBe4 - Think Size Matters to Hackers? It Doesn’t

Image
The largest of organizations aren’t the only ones being hit with cyberattacks. Everyone from the SMB on up is at risk and is actively a target. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/think-size-matters-to-hackers-it-doesnt

KnowBe4 - Google Warns of Govt-Backed Phishing

Image
This latest heads-up around phishing-based warfare from a source as reputable as Google show the need to both be watchful for and responsive to phishing attacks. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/google-warns-of-govt-backed-phishing

KnowBe4 - KnowBe4 Now Listed In The World's Top Security Companies - #6 of 20

Image
Pagan Research is an online B2B Database & Business Intelligence website and they focus on delivering quality data for the US, EU and Asia regions' startups, recent fundings, and exits. They just listed the first 20 of their full list of top 500 cybersecurity companies. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/knowbe4-now-listed-in-the-worlds-top-security-companies-6-of-20

TrustedSec - Making the InfoSec Rounds

Image
Special thanks to mumblingsages  for giving me the idea for this blog. Let’s face it, we in the information security industry like conferences and talks. I’d wager it’s not because we like to hear ourselves speak, but because it’s a great way to set aside a short amount of time and learn something new. I find it ironic, then, that in my experience, most organizations don’t do this internally. I’m not even talking about a big to-do like Microsoft does with BlueHat . Very few organizations even have a weekly meeting where they go over the interesting and unusual cases they have worked. Doing something like this isn’t a new concept—other industries have been doing it for ages. In the healthcare industry, doctors and medical students go on rounds to present their cases to their peers and the more experienced doctors. This happens in one of two ways: patient rounds where doctors discuss a patient and their line of care, and grand rounds where a patient’s case is presented in a more f...

Schneier - Cheating in Bird Racing

I've previously written about people cheating in marathon racing by driving -- or otherwise getting near the end of the race by faster means than running. In China, two people were convicted of cheating in a pigeon race: The essence of the plan involved training the pigeons to believe they had two homes. The birds had been secretly raised not just in Shanghai but also in Shangqiu. When the race was held in the spring of last year, the Shanghai Pigeon Association took all the entrants from Shanghai to Shangqiu and released them. Most of the pigeons started flying back to Shanghai. But the four specially raised pigeons flew instead to their second home in Shangqiu. According to the court, the two men caught the birds there and then carried them on a bullet train back to Shanghai, concealed in milk cartons. (China prohibits live animals on bullet trains.) When the men arrived in Shanghai, they released the pigeons, which quickly fluttered to their Shanghai loft, seemingly winni...

Krebs - Instagram’s New Security Tools are a Welcome Step, But Not Enough

Image
Instagram users should soon have more secure options for protecting their accounts against Internet bad guys.  On Tuesday, the Facebook -owned social network said it is in the process of rolling out support for third-party authentication apps. Unfortunately, this welcome new security offering does nothing to block Instagram account takeovers when thieves manage to hijack a target’s mobile phone number — an increasingly common crime. New two-factor authentication options Instagram says it is rolling out to users over the next few weeks. For years, security experts have warned that hackers are exploiting weak authentication at Instagram to commandeer accounts. Instagram has long offered users a security option to have a one-time code sent via text message to a mobile device, but these codes can be intercepted via several methods (more on that in a bit). The new authentication offering requires users to download a third-party app like Authy , Duo  or  Google Authentica...

SBS CyberSecurity - Known Risk Exceptions and the Capability Maturity Model

To truly manage your risk, you need to identify and quantify your risk, and understand that you can't mitigate all risk. Often known as “Risk Acceptance,” documenting and tracking the risks your organization knows about and have accepted is the difference between proactive and reactive security. from SBS CyberSecurity https://sbscyber.com/resources/known-risk-exceptions-and-the-capability-maturity-model

KnowBe4 - KnowBe4 Fresh Content Update & New Features August 2018

Image
Check out the new feature updates and training content in the KnowBe4 platform for August! from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/knowbe4-fresh-content-update-new-features-august-2018

Schneier - CIA Network Exposed Through Insecure Communications System

Interesting story of a CIA intelligence network in China that was exposed partly because of a computer-security failure: Although they used some of the same coding, the interim system and the main covert communication platform used in China at this time were supposed to be clearly separated. In theory, if the interim system were discovered or turned over to Chinese intelligence, people using the main system would still be protected -- and there would be no way to trace the communication back to the CIA. But the CIA's interim system contained a technical error: It connected back architecturally to the CIA's main covert communications platform. When the compromise was suspected, the FBI and NSA both ran "penetration tests" to determine the security of the interim system. They found that cyber experts with access to the interim system could also access the broader covert communications system the agency was using to interact with its vetted sources, according to the f...

US-CERT - Cisco Releases Security Update

Original release date: August 28, 2018 Cisco has released a security update to address a vulnerability in Cisco Data Center Network Manager. A remote attacker could exploit this vulnerability to obtain access to sensitive information. NCCIC encourages users and administrators to review the Cisco Security Advisory and apply the necessary update. This product is provided subject to this Notification and this Privacy & Use policy. from US-CERT: The United States Computer Emergency Readiness Team https://www.us-cert.gov/ncas/current-activity/2018/08/28/Cisco-Releases-Security-Update

US-CERT - FTC Promotes Resources to Prevent Cyberbullying

Original release date: August 28, 2018 The Federal Trade Commission (FTC) has released an announcement on the importance of addressing cyberbullying. As children return to school, FTC encourages parents and educators to monitor kids' online activity and engage in conversations about preventing cyberbullying. NCCIC encourages users to review FTC’s article and the following resources for more information: Stand Up to Cyberbullying video StopBullying.gov website Dealing with Cyberbullies tip Keeping Children Safe Online tip This product is provided subject to this Notification and this Privacy & Use policy. from US-CERT: The United States Computer Emergency Readiness Team https://www.us-cert.gov/ncas/current-activity/2018/08/28/FTC-Promotes-Resources-Prevent-Cyberbullying

SBS CyberSecurity - SBS CyberSecurity Joins INC 5000 Hall of Fame

For the sixth consecutive year, SBS CyberSecurity was featured on the prestigious Inc. 5000 list. Each year Inc. magazine publishes a ranking of the nation's fastest-growing private companies. The list represents a unique look at the most successful companies within the American economy’s most dynamic segment— its independent small businesses. With a three-year growth of 96%, SBS CyberSecurity earned a ranking of #3,797. This year's ranking puts the company in the Inc. 5000 Honor Hall of Fame, an award for those that have made the list more than five times.  To be considered for the Inc. 5000 list, companies must be headquartered in the U.S., be independent, and have revenue greater than $100,000 in 2013 and $2,000,000 in 2016. from SBS CyberSecurity https://sbscyber.com/resources/articleType/ArticleView/articleId/2536/sbs-cybersecurity-joins-inc-5000-hall-of-fame

Black Hills InfoSec - PODCAST: From Active Countermeasures – Attack Tactics 4

Join John Strand as he continues his Attack Tactic series this time with the defense ideas for the attacks mentioned in episode 3 (see more here) To see the entire webcast visit the Active Countermeasures YouTube channel Blogs mentioned in this episode: Mike Felch’s Stealing 2FA Tokens on Red Teams with CredSniper Carrie Roberts’ Gathering […] The post PODCAST: From Active Countermeasures – Attack Tactics 4 appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/podcast-from-active-countermeasures-attack-tactics-4/

SANS - Issue #68 - Volume XX - SANS Newsbites - August 28th, 2018

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xx/68

US-CERT - Adobe Releases Security Update for Creative Cloud

Original release date: August 28, 2018 Adobe has released a security update to address a vulnerability in Adobe Creative Cloud Desktop Application. An attacker could exploit this vulnerability to cause a denial-of-service condition. NCCIC encourages users and administrators to review Adobe Security Bulletin APSB18-32 and apply the necessary update. This product is provided subject to this Notification and this Privacy & Use policy. from US-CERT: The United States Computer Emergency Readiness Team https://www.us-cert.gov/ncas/current-activity/2018/08/28/Adobe-Releases-Security-Update-Creative-Cloud

KnowBe4 - New Malicious PDFs Carry Stealthy Backdoor And Exfiltrate Data Via Email

Image
The Turla threat group, certainly Russian-speaking and widely attributed to Russian intelligence services, is back with a new phishing technique. The threat actor is distributing emails whose payloads, malicious pdf files, install a stealthy backdoor. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/malicious-pdfs-carry-stealthy-backdoor

Krebs - Fiserv Flaw Exposed Customer Data at Hundreds of Banks

Image
Fiserv, Inc., a major provider of technology services to financial institutions, just fixed a glaring weakness in its Web platform that exposed personal and financial details of countless customers across hundreds of bank Web sites, KrebsOnSecurity has learned. Brookfield, Wisc.-based Fiserv [ NASDAQ:FISV ] is a Fortune 500 company with 24,000 employees and $5.7 billion in earnings last year. Its account and transaction processing systems power the Web sites for hundreds of financial institutions — mostly small community banks and credit unions. Two weeks ago this author heard from security researcher  Kristian Erik Hermansen , who said he’d discovered something curious while logged in to an account at a tiny local bank that uses Fiserv’s platform. Hermansen had signed up to get email alerts any time a new transaction posted to his account, and he noticed the site assigned his alert a specific “event number.” Working on a hunch that these event numbers might be assigned sequen...

KnowBe4 - Suspicious Emails Are a Problem…to the Tune of 6.4 Billion a Day!

Image
Even with authentication, identification, and validation frameworks and solutions in place, the number of potentially malicious emails remains staggering. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/suspicious-emails-are-a-problem-to-the-tune-of-6.4-billion-a-day

Schneier - NotPetya

Andy Greenberg wrote a fascinating account of the Russian NotPetya worm, with an emphasis on its effects on the company Maersk. BoingBoing post . from Schneier on Security https://www.schneier.com/blog/archives/2018/08/notpetya.html

SBS CyberSecurity - {Webinar} Information Security Program Frameworks

Your information security program can be more than a document created for compliance. We will help develop a program that provides your institution with clear direction and guidance that meets and exceeds regulatory expectations while addressing real-world risks. from SBS CyberSecurity https://sbscyber.com/resources/webinar-information-security-program-frameworks

US-CERT - SB18-239: Vulnerability Summary for the Week of August 20, 2018

Original release date: August 27, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium severi...