What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
WiredThreatLevel.webp 2019-10-17 10:00:00 Inside Olympic Destroyer, the Most Deceptive Hack in History (direct link) The untold story of how digital detectives unraveled the mystery of Olympic Destroyer, and why the next big cyberattack will be even harder to crack. Hack
no_ico.webp 2019-10-16 13:45:21 (Déjà vu) Experts On “BriansClub” Hack Rescues 26m Stolen Cards (direct link) “BriansClub,” one of the largest underground stores for buying stolen credit card data, has itself been hacked. The data stolen from “BriansClub” encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 … Hack
AlienVault.webp 2019-10-16 13:00:00 Are smart homes really safe from hackers? (direct link) There are a number of smart devices becoming commonplace in homes around the world, leading us closer and closer to the reality of smart homes, or houses that depend primarily on interconnected smart tech. Heating, lighting, and common appliances like doorbells, alarms, and entertainment devices are now increasingly being designed to operate on the internet of things (IoT). However, some experts have expressed valid security concerns regarding smart technology, believing that these systems are specifically vulnerable to cybercriminals. Some may argue that implementing smart systems isn’t worth the time it takes unless the security bugs are worked out. This points to the fact that smart home cybersecurity is often overlooked. If you’re thinking about using a variety of smart home devices in your home and have never thought about this, now may be the time. Below are some things to consider that will help you make a more informed choice regarding smart tech in your home. The risks of IoT: The truth is that IoT-based devices are growing in popularity at a faster rate than their security measures can keep up with. This could have some extremely serious consequences for those who have filled everyday lives with multiple interconnected smart devices. While these things may be convenient for a home, IoT technology itself comes with a cost. As Javvad Malik suggested in his article “IoT: Usability Dream or Privacy Nightmare?”, imagine what might happen if a hacker got control of your smart thermostat. They could hold your temperature for ransom unless you paid them in bitcoin, Malik argued. This is a real concern with the growing popularity of IoT smart homes because, frankly, they’re not designed to defend themselves against cyberattacks.
The risks of IoT systems have been well documented, specifically by the Open Web Application Security (OWASP) Project. Each year they cover concerns about the IoT in their “IoT project.” In their most recent update, they included the following things with the most major concerns in the implementation of IoT: Insecure network services. Lack of secure update mechanisms. Insecure data transfer and storage. Insufficient privacy protection. Lack of device management. Lack of secure default settings. The importance and trustworthiness of testing: Smart devices can be tested for cybersecurity, but these tests aren’t foolproof. A common type of test is penetration (or “pen”) testing, and is used to check how easy it is to hack into a network. In general, they’re very helpful. But for IoT, they are harder to perform successfully. This was best summed up in a rhetorical example put forth by Ryan Francis, a contributor to Network World, Penetration testing was much like taking a battering ram to the door of the fortress. Keep pounding away and maybe find a secret backdoor to enter through Hack Guideline
SecurityAffairs.webp 2019-10-16 12:53:23 Approaching the Reverse Engineering of a RFID/NFC Vending Machine (direct link) Security expert Pasquale Fiorillo demonstrates how to hack an RFID/NFC Vending Machine. The affected vendor did not answer to my responsible disclosure request, so I'm here to disclose this “hack” without revealing the name of the vendor itself. The target vending machine uses an insecure NFC Card, MIFARE Classic 1k, that has been affected by multiple […] Hack
itsecurityguru.webp 2019-10-16 09:05:21 Hack of fraud bazaar leaks data of 26 million stolen card details (direct link) A thriving online bazaar selling stolen payment card data has been hacked in a heist that leaked the records for more than 26 million cards, KrebsOnSecurity reported on Tuesday. The 26 million figure isn’t significant only to the legitimate consumers and businesses who own the stolen cards or the financial institutions that issued them. Fortunately for the […] Hack
itsecurityguru.webp 2019-10-16 09:05:04 iOS iPhone users warned of new hack (direct link) Users of older versions of Apple's iPhone are being warned against jailbreaking their device after Cisco Talos security researchers discovered a new targeted click fraud campaign. Capitalising on the recently disclosed “checkra1n”, the malicious campaign leverages a fake website that claims to give iPhone users the ability to jailbreak their phones. Instead, the fake website, checkrain[.]com, prompts […] Hack
itsecurityguru.webp 2019-10-16 09:04:49 (Déjà vu) 26 million stolen cards rescued from “BriansClub” hack (direct link) “BriansClub,” one of the largest underground stores for buying stolen credit card data, has itself been hacked. The data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 […] Hack
TechRepublic.webp 2019-10-15 15:52:00 Hollywood hack job: How cybersecurity consultant for hit TV show "Mr. Robot" brought authenticity to actor Rami Malek's character (direct link) James Plouffe, cybersecurity consultant for "Mr. Robot" reveals how he helped make hacking a reality on the USA-Network drama series starring Rami Malek and Christian Slater. Hack
ZDNet.webp 2019-10-15 11:10:03 Argentinian security researcher arrested after tweeting about government hack (direct link) Researcher claims "political persecution," all while police are looking for a hacker who doxed thousands of officers. Hack
Chercheur.webp 2019-10-15 11:05:09 “BriansClub” Hack Rescues 26M Stolen Cards (direct link) "BriansClub," a popular underground store for buying stolen credit card data that uses Yours Truly's likeness in its advertising, has itself been hacked. The data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone. Hack
The_Hackers_News.webp 2019-10-12 03:02:51 SIM Cards in 29 Countries Vulnerable to Remote Simjacker Attacks (direct link) Until now, I'm sure you all might have heard of the SimJacker vulnerability disclosed exactly a month ago that affects a wide range of SIM cards and can remotely be exploited to hack into any mobile phone just by sending a specially crafted binary SMS. If you are unaware, the name "SimJacker" has been given to a class of vulnerabilities that resides due to a lack of authentication and Hack Vulnerability
BBC.webp 2019-10-11 11:19:07 Sex workers' clients exposed by Dutch hack attack (direct link) The names of people who visited sex workers as well as of the workers themselves have been stolen. Hack
no_ico.webp 2019-10-11 11:16:33 Dutch Website Hack Reveals Data Of 250000 Sex Workers' Clients (direct link) The account details of the 250 thousand users of Dutch website Hookers.nl have leaked out after a vulnerability on the website was exploited. A hacker captured the members’ data and is offering it for sale, NOS reports based on its own research after an anonymous tip. The website is popular among clients of sex workers, … Hack Vulnerability
itsecurityguru.webp 2019-10-10 08:55:55 Sesame Street Online Store Targeted by Credit-Card Stealing Hack (direct link) The official Sesame Street online store, along with thousands of other retailers, has been targeted by a credit card-stealing hack. Card details were collected by a piece of malicious software, dubbed JavaScript Cookie. The code was found in shopping cart software built by Volusion, which has 20,000 small business customers. The issue was spotted by […] Hack
itsecurityguru.webp 2019-10-09 09:16:14 10,000 customers credit card information stolen in data breach (direct link) Hackers may have absconded with tens of thousands of online shoppers’ credit card information in an attack on cloud infrastructure company, Volusion. According to ZDNet, multiple cyber security firms have confirmed the hack on Volusion, a software company that claims to provide infrastructure for more than 30,000 merchants. Among the affected parties are the Sesame Street […] Data Breach Hack
SecurityAffairs.webp 2019-10-08 12:50:11 Developer hacked back Muhstik ransomware crew and released keys (direct link) One of the victims of the Muhstik ransomware gang who initially paid the ransomware, decided to hack back the crooks and released their decryption keys. Tobias Frömel is a German software developer, who was a victim of the Muhstik ransomware. Frömel initially paid the ransom to decrypt his files, but later decided to get his […] Ransomware Hack
itsecurityguru.webp 2019-10-08 09:06:48 Yahoo! Engineer has pleaded guilty to stealing pictures of women (direct link) Reyes Daniel Ruiz, a former Yahoo! software engineer, has pleaded guilty to using his access privileges at the company to hack users' accounts so that he could download private images and videos mostly belonging to young women. A 10-year veteran of Yahoo!, Ruiz admitted to accessing around 6,000 accounts and storing the pilfered files at […] Hack Guideline Yahoo
AlienVault.webp 2019-10-02 13:00:00 How to avoid becoming a victim of cybercrime: 5 tips (direct link) Description: Do you want to avoid cybercrime? Online identity theft and fraud, webcam hackers, ransomware cyber-attacks, phishing, and other scams are a threat to all of us. Keep reading to protect your data and privacy and save your files and finances from fraudsters. How to avoid cybercrime: The cyber definition relates to the field of digital technology, and today is often associated with cybercrime. You might say that it doesn’t matter to you as you’re not a big cheese in the business world. Big mistake - since all individuals save data on their computers that is potentially profitable for scammers. Unfortunately, plenty of people are reckless when dealing with cybercrime. For example, up to 73% of users reuse passwords in their online accounts. The following tips can protect you from cybercrime. Cybercrime – types of threats: A definition of cybersecurity is the integrated protection of internet-connected systems – hardware, software, and data from attacks. What are the types of cyber-attacks that lie in our virtual path? Webcam cybercrime means that scammers can hack web cameras to spy on you when using Trojan horse attacks. Screenshot managers do cybercrime when they make a snapshot of your PC when you click a doubtful link or download a file from a suspicious source. Cybercrime occurs when the ad clickers display ads and motivate you to click them, for example, when you are reading gadgets and electronic reviews and end up with malware instead. DDoS attacks were developed to disrupt business/e-commerce websites by directing tons of traffic from numerous sources, and disrupt business operations. There are plenty of other attacks in the modern web world. For example, online identity cybercrime means that a hacker gets unauthorized access to your personal data.
It can happen if you provide somebody with private information when communicating with a scammer via email or by the phone. Fraudsters can even deliver you (or themselves) a credit card that you’ve never applied for. 5 tips to stay safe online: Cybercrime is an everyday danger, and sometimes cyber police are unable to help. So, it’s arguably easier to prevent cybercrime than to deal with the consequences. How to achieve that? Install a current antivirus system and accept updates when getting official notifications. Never use the same passwords on several websites. Try to complicate them with symbols and numbers. Don’t choose your name or date of birth for a password. Cyber-attacks today are not a joke, so you should strengthen your security system with a firewall to protect yourself from unwanted traffic. Pay attention to the web camera LED indicators (they’re red on external devices and blue on laptops). Be cautious with strangers. Don’t talk to them online and don’t accept offline tech help if you’re not sure it’s credible. A stranger from an unknown company can offer you computer support and then do cybercrime and spy on you remotely. Ransomware Malware Hack Threat
The_Hackers_News.webp 2019-10-02 01:30:32 Former Yahoo Employee Admits Hacking into 6000 Accounts for Sexual Content (direct link) An ex-Yahoo! employee has pleaded guilty to misusing his access at the company to hack into the accounts of nearly 6,000 Yahoo users in search of private and personal records, primarily sexually explicit images and videos. According to a press note released by the U.S. Justice Department, Reyes Daniel Ruiz, a 34-year-old resident of California and former Yahoo software engineer, admitted Hack Guideline Yahoo
The_Hackers_News.webp 2019-10-01 10:39:31 Researchers Find New Hack to Read Content Of Password Protected PDF Files (direct link) Looking for ways to unlock and read the content of an encrypted PDF without knowing the password? Well, that's now possible, sort of, thanks to a novel set of attacking techniques that could allow attackers to access the entire content of a password-protected or encrypted PDF file, but under some specific circumstances. Dubbed PDFex, the new set of techniques includes two classes of attacks Hack
The_Hackers_News.webp 2019-10-01 04:39:49 Comodo Forums Hack Exposes 245,000 Users' Data - Recent vBulletin 0-day Used (direct link) If you have an account with the Comodo discussion board and support forums, also known as ITarian Forum, you should change your password immediately. Cybersecurity company Comodo has become one of the major victims of a recently disclosed vBulletin 0-day vulnerability, exposing login account information of over nearly 245,000 users registered with the Comodo Forums websites. In a brief Hack
no_ico.webp 2019-09-30 14:25:45 'Hundreds Of Millions' Of iPhones Vulnerable To New 'Unfixable' Hack (direct link) It has been reported that a new vulnerability in Apple's iOS operating system is sitting on hundreds of millions of iPhones, iPads and iPods, according to the researcher who found it. The hack has been dubbed checkm8 by a researcher who goes by the name axi0mX, who described the hack as “a permanent unpatchable bootrom exploit for hundreds … Hack Vulnerability
grahamcluley.webp 2019-09-30 13:22:54 Hack strikes Words with Friends and Draw Something, amid claims 218 million players' details breached (direct link) Players of the popular Words with Friends and Draw Something smartphone games are being advised to change their passwords following what sounds like a security breach at game developer Zynga. Read more in my article on the Hot for Security blog. Hack
The_State_of_Security.webp 2019-09-30 03:00:52 SecTor 2019 Hack Lab Sneak Peak (direct link) Fall is officially here, and that can only mean that SecTor is right around the corner! All summer long, I've been planning and prepping new ideas for this year's IoT Hack Lab and training session. With just a few weeks to go until the conference kicks off, I'm more than a little excited about the […] Hack
SecurityWeek.webp 2019-09-27 07:31:42 FBI Reviewed Cybersecurity Firm's Evidence in 2016 DNC Election Hack (direct link) CLAIM: The FBI only relied on the word of a cybersecurity firm, CrowdStrike, to determine that Russia hacked the emails of the Democratic National Committee. AP'S ASSESSMENT: False. CrowdStrike provided forensic evidence and analysis for the FBI to review during its investigation into a 2016 hack of DNC emails. Hack
ErrataRob.webp 2019-09-26 13:24:44 CrowdStrike-Ukraine Explained (direct link) Trump's conversation with the President of Ukraine mentions "CrowdStrike". I thought I'd explain this. What was said? This is the text from the conversation covered in this “I would like you to find out what happened with this whole situation with Ukraine, they say Crowdstrike... I guess you have one of your wealthy people... The server, they say Ukraine has it.” Personally, I occasionally interrupt myself while speaking, so I'm not sure I'd criticize Trump here for his incoherence. But at the same time, we aren't quite sure what was meant. It's only meaningful in the greater context. Trump has talked before about CrowdStrike's investigation being wrong, a rich Ukrainian owning CrowdStrike, and a "server". He's talked a lot about these topics before. Who is CrowdStrike? They are a cybersecurity firm that, among other things, investigates hacker attacks. If you've been hacked by a nation state, then CrowdStrike is the sort of firm you'd hire to come and investigate what happened, and help prevent it from happening again. Why is CrowdStrike mentioned? Because they were the lead investigators in the DNC hack who came to the conclusion that Russia was responsible. The pro-Trump crowd believes this conclusion is false. If the conclusion is false, then it must mean CrowdStrike is part of the anti-Trump conspiracy. Trump always had a thing for CrowdStrike since their first investigation. It's intensified since the Mueller report, which solidified the ties between Trump-Russia, and Russia-DNC-Hack. Personally, I'm always suspicious of such investigations. Politics, either grand (on this scale) or small (internal company politics) seem to drive investigations, creating firm conclusions based on flimsy evidence. But CrowdStrike has made public some pretty solid information, such as BitLy accounts used both in the DNC hacks and other (known) targets of state-sponsored Russian hackers.
Likewise, the Mueller report had good data on Bitcoin accounts. I'm sure if I looked at all the evidence, I'd have more doubts, but at the same time, of the politicized hacking incidents out there, this seems to have the best (public) support for the conclusion. What's the conspiracy? The basis of the conspiracy is that the DNC hack was actually an inside job. Some former intelligence officials led by Bill Binney claim they looked at some data and found that the files were copied "locally" instead of across the Internet, and therefore, it was an insider who did it and not a remote hacker. I debunk the claim here, but the short explanation is: of course the files were copied "locally", the hacker was inside the network. In my long experience investigating hacker intrusions, and performing them myself, I know this is how it's normally done. I mention my own experience because I'm technical and know these things, in contrast with Bill Binney and those other intelligence officials who have no experience with such things. He sounds impressive that he's formerly of the NSA, but he was a mid-level manager in charge of budgets. Binney has never performed a data breach investigation, has never performed a pentest. There's other parts to the conspiracy. In the middle of all this, a DNC staffer was murdered on the street, possibly due to a mugging. Naturally this gets included as part of the conspiracy, this guy ("Seth Rich") must've been the "insider" in this attack, and mus Data Breach Hack Guideline NotPetya
AlienVault.webp 2019-09-26 13:00:00 How to manage Internet of Things (IoT) security in 2019 (direct link) The challenges of IoT security: Welcome to the world of Internet of Things (IoT) and a glimpse into the future. The IoT is where the physical world merges with the digital world. Soon, we expect the world IoT population to outnumber the human population tenfold—perhaps as many as 80 billion connected devices by 2025. As you witness the accelerating global and economic growth of IoT you are probably wondering how you and your business will connect and take part in the multi-trillion dollar opportunities that will be created by it. It means different things to everyone—from a connected car to a smart lamppost, a wearable health monitor, or a robot on the assembly line of a factory floor. It might even be ‘connected dirt’—with swarms of small, solar-powered sensors on the fields of a farm. No matter which way you do it, there’s a daunting task ahead: the acceleration of IoT, combined with the diversity of these devices, their different capabilities, and the many places and ways they can be deployed—make security a unique challenge. What you need is a consistent way to establish and maintain security for all aspects of the IoT deployments you envision for the future of your business. This is within your reach, by adopting a holistic, multi-layered approach to protect your IoT ecosystem, your other valuable assets they connect to, as well as the physical world they reside in. Solutions for your Internet of Things security needs: Protect your IoT with a layered approach. Every IoT ecosystem has its own distinct security needs. Even for a single client, seemingly similar IoT deployments may have different underlying designs. For example, a factory built today may have a radically different design from the one built just a few years ago.
This means a combination of different solutions may be needed to help provide security for each of them. A thorough security assessment of IoT is a multi-layered process. Every layer needs care and attention. Some endpoint devices are complex, with multiple ways to access the internal functions of the device. Others are simple, years behind smart phones with regard to security. Do you know your devices’ security capabilities? Endpoints may connect with each other, to and through gateways, to other networks, on the Internet, and to the cloud. They may use connections that include wired, wireless, short-range, cellular, and satellite. What could potentially disrupt them from communicating? To make your IoT deployment successful, data from your devices must be acquired, transported, processed, and consumed. How are you providing for trust and appropriate access to your vital data and applications? Realize that some IoT ecosystems can vary wildly from a traditional IT environment. Industrial IoT deployments use operational technology which flips the script on the classic model for information security. Availability and integrity are the priority, while confidentiality isn’t typically a consideration. This requires specialized passive scanning tools to perform assessments. Slight disruption to manufacturing or utility processes turn into massive financial loss. An example of this is a factory that produces a pickup truck every minute—it cannot afford downtime. Life-sensitive devices will affect remediation and response plans. So for example, a connected healthcare device like an insulin pump—even if you think someone is accessing the data, you wouldn’t want to disable the device. What’s your formal plan for handling threats to your devices? Have you tested it Hack
The_State_of_Security.webp 2019-09-26 03:00:27 Join Tripwire VERT at SecTor 2019 (direct link) For the past few years, VERT has been running an IoT Hack Lab at SecTor, a security conference in Toronto, Ontario, Canada. Interested attendees (including Expo attendees, who can get a free pass using code Tripwire2019) can visit the Hack Lab with their laptop and learn how to hack various IoT devices from routers and […] Hack
Blog.webp 2019-09-25 16:32:50 Episode 162: Have We missed Electric Grid Cyber Attacks for Years? Also: Breaking Bad Security Habits (direct link) In this episode of the podcast #162: according to the non profit that oversees it, the first disruptive hack of the U.S. grid happened in March of this year. Our guest, Joe Weiss, said it really happened more than a decade ago and that hundreds more like it have been overlooked or mis-classified. Also: Rachel Stockton of the firm LastPass* joins... Hack LastPass
Blog.webp 2019-09-24 17:05:25 (Déjà vu) Hack the Box Challenge: Baniston Walkthrough (direct link) Today we are going to solve another CTF challenge called “Baniston” which is categorized as a retired lab developed by Hack the Box for the purpose of online penetration practices. Solving this lab is not that tough if you have proper basic knowledge of Penetration testing. Let's start and learn how to breach it. Level: Intermediate... Hack
CSO.webp 2019-09-23 04:03:00 CISA's Krebs seeks more measured approach to election security heading into 2020 (direct link) Given the too-late realization that Russia interfered in the 2016 presidential election through massive disinformation campaigns and -- as the Mueller report most recently documented with a few new twists -- actual efforts to hack into state elections systems, it's no surprise that election security under the rubric of “Protect 2020” was a key theme running throughout the Cybersecurity and Infrastructure Security Agency's (CISA) second annual Cybersecurity Summit. Even so, CISA Director Christopher Krebs kicked off the summit by cautioning against the kind of fearful language and overwrought concerns currently surrounding the topic of election security. “We've got to be more straightforward, more measured, more reasonable in how we talk about things. Election security is a great example. Are there true, absolute, fundamental risks in the infrastructure? Yes, but we have to take the hysteria out of the conversation because ultimately what we do is we drive broader voter confidence down,” he said. Hack
SecurityAffairs.webp 2019-09-21 14:09:15 One of the hackers behind EtherDelta hack also involved in TalkTalk hack (direct link) US authorities have indicted two men for hacking the exchange EtherDelta in December 2017, one of them was also accused of TalkTalk hack. US authorities have indicted two men, Elliot Gunton and Anthony Tyler Nashatka, for hacking the cryptocurrency exchange EtherDelta in 2017. In December 2017, the popular cryptocurrency exchange EtherDelta was hacked, attackers conducted […] Hack
WiredThreatLevel.webp 2019-09-21 12:00:00 Hackers Hit Click2Gov Bill-Paying Portals in 8 Cities (direct link) The new wave of attacks comes after a previous Click2Gov hack compromised 300,000 payment cards. Hack
Blog.webp 2019-09-20 15:17:31 Hack the Box: Luke Walkthrough (direct link) Hello! Everyone and Welcome to yet another CTF challenge from Hack the Box, called 'Luke,' which is available online for those who want to increase their skills in penetration testing and Black box testing. Luke is a retired vulnerable lab presented by Hack the Box for making online penetration testing practice suitable to your experience... Hack
SecurityAffairs.webp 2019-09-20 10:38:01 Crooks hacked other celebrity Instagram accounts to push scams (direct link) There is the same group behind the hack of the celebrity Instagram accounts, attackers used the same attack pattern to push scams. The same threat actor continues to target celebrity Instagram accounts to push scam sites to their wide audience. Recently the Instagram account of the popular actor Robert Downey Jr. (43.3M followers) has been […] Hack Threat
The_State_of_Security.webp 2019-09-18 11:08:42 TFlower Ransomware Targeting Businesses via Exposed RDS (direct link) A new crypto-ransomware threat called “TFlower” is targeting corporate environments via exposed Remote Desktop Services (RDS). First discovered in August, the ransomware makes its way onto a corporate network after attackers hack into a machine’s exposed Remote Desktop Services. This attack vector enables bad actors to infect the local machine with TFlower. At that point, […] Ransomware Hack Threat
bleepingcomputer.webp 2019-09-17 13:18:17 TFlower Ransomware - The Latest Attack Targeting Businesses (direct link) The latest ransomware targeting corporate environments is called TFlower and is being installed on networks after attackers hack into exposed Remote Desktop services. [...] Ransomware Hack
AlienVault.webp 2019-09-16 13:00:00 Hacker prevention: tips to reduce your attack surface (direct link) These days it seems that every time you open your favorite news source there is another data breach related headline. Victimized companies of all sizes, cities, counties, and even government agencies have all been the subject of the “headline of shame” over the past several months or years. With all this publicity and the increasing awareness of the general public about how data breaches can impact their personal privacy and financial wellbeing, it is no surprise that there is a lot of interest in preventing hacking. The trouble is that there is no way to prevent others from attempting to hack into any target they choose. Since there is a practically limitless number of targets to choose from, the attacker need only be lucky or skilled enough to succeed once. In addition, the risk of successful prosecution of perpetrators remains low. However, while you can’t prevent hacking, you can help to reduce your attack surface to make your organization less likely to be the subject of attacks. At this point, let's differentiate between opportunistic attacks and targeted attacks. Opportunistic attacks are largely automated, low-complexity exploits against known vulnerable conditions and configurations. Ever wonder why a small business with a small geographic footprint and almost no online presence gets compromised? Chances are good they just had the right combination of issues that an automated attack bot was looking to exploit. These kinds of events can potentially end a small to medium business as a going concern while costing the attacker practically nothing. Targeted attacks are a different story altogether. These attacks are generally low, slow and persistent; targeting your organization's technical footprint as well as your employees, partners and supply chain.
While targeted attacks may utilize some of the same exploitable conditions that opportunistic attacks use, they tend to be less automated in nature so as to avoid possible detection for as long as possible. In addition, they may involve a more frequent use of previously unknown exploit vectors (“zero days”) to reach their goals or abuse trusted connections with third parties to gain access to your organization. Ultimately it doesn’t matter which of these kinds of attacks results in a breach event, but it is important to think of both when aligning your people, processes and technology for maximum effect to mitigate that risk. There have been many articles written regarding best practices for minimizing the risk of a cyber-security incident. Rather than recount a list of commonly cited controls, I would like to approach the topic from a slightly different perspective and focus on the top six technical controls that I feel are likely to help mitigate the most risk, provided that all the “table stakes” items are in place (i.e. you have a firewall, etc.). Patch and Update Constantly: Ultimately the most hacker-resistant environment is the one that is best administered. Organizations are short cutting system and network administration activities through budget / staff reductions and lack of training. This practice often forces prioritization and choice about what tasks get done sooner, later or at all. Over time this creates a large, persistent baseline of low to medium risk issues in the environment that can contribute to a wildfire event under the right conditions. Lack Data Breach Malware Hack
bleepingcomputer.webp 2019-09-13 20:16:20 North Korean Hackers Behind WannaCry and Sony Hack Sanctioned by USA (direct link) The U.S. Treasury signed sanctions against three hacking groups actively engaged in cyber operations meant to bring financial assets to the government of North Korea. [...] Hack Wannacry
Trend.webp 2019-09-13 12:02:18 Hacking LED Wristbands: A 'Lightning' Recap of RF Security Basics (direct link) We're always eager for new research and learning opportunities, but this time, serendipitously, the opportunity found us. At the closing party of the Hack In The Box Amsterdam conference - where we presented our industrial radio research and ran a CTS contest - we were given LED wristbands to wear. They're flashing wristbands meant to enhance the experience of an event, party, or show. At the beginning, we were not interested in the security impact; we just wanted to learn. Later on, however, we discovered that the RF link was used to transport an industrial protocol: DMX512 (Digital MultipleX 512), the same protocol used to pilot large light exhibitions. Hack ★★★
AlienVault.webp 2019-09-11 13:00:00 Practicing safe charging (direct link) This past June, I attended the 2019 Bitcoin Conference in San Francisco, CA. With the various discussions on Bitcoin, Cryptocurrency, and with the chance to hang out with my favorite Crypto personalities, it was easy to lose myself in all the festivities. While taking a break, I found a seat and decided to charge my iPhone. The station by where I was seated was a wooden cube with two standard wall sockets and two USB ports. Other users took the wall sockets, but I knew that I could charge my phone via USB. But before I did, I remembered that on the trip up to San Francisco, one of my travel companions who was with a startup known as CoinCards passed out what they called a “USB data blocker” USB adaptor. So, what is a USB data blocker? Chargers for modern cellphones, in my case an iPhone Lightning Charger, serve dual purposes. 1. They charge your phone and 2. They allow for the transfer of data. Why is this important to understand? So, take the charging cube from the conference. Consider that a hacker placed the cube with a device, say a Raspberry Pi, and the USB ports that were visible from the outside were the USB ports for the Pi or a USB hub connected to the Pi. Once my phone was plugged in, it could potentially expose me to whatever malware was on the Raspberry Pi. A USB data blocker stops the data flow aspect of the charging cable and allows only the charging element. Cybersecurity is no longer a corporate issue; we have all become our own cybersecurity firm and responsible for protecting our data. Anti-virus and firewalls can only protect us so much; we have to do our due diligence when it comes to our safety online. Consider the computer housed behind a firewall. There can be some expectation of safety inside of the firewall, especially one that is monitored and updated.
But that firewall will not make a difference if someone brings in an infected USB device and then plugs that device into one of the company's computers. I know this from experience. A client was confident that their firewall would protect them from cyber threats to the point where they refused to purchase anti-virus for their computers. One day, an employee brought in a USB flash drive that they had used at home and plugged it into their work computer. Turns out a file on their home computer was infected with malware and they brought it into the office. It put data on the server so that others could access it and the malware was able to spread, including to the server. But how does this fit into our discussion on USB data blockers? If you take the phone aspect out of it, smart devices are computers. Smart devices access the internet, upload, and download and generally utilize USB to charge or sync data. While iPhones are less likely to be the victim of malware than Android or Windows phones, we would be foolish to assume that a potential hacker could not use the lightning charger to send malicious software to the iPhone. Apple has recently offered a bounty to anyone who can hack the iPhone OS, which means this topic has made the rounds at Apple as well. Cyber awareness, training, and education are more critical now than ever. We can no longer assume because we have a particular type of device that we are automatically safe from harm. Safe is not the world we live in anymore. Malware Hack
ZDNet.webp 2019-09-10 08:54:03 Student pleads guilty to IRS hack attempt for Trump tax returns (direct link) Prosecutors call him a mastermind. Defenders say it was Wayne's World gone awry. Hack
CSO.webp 2019-09-10 05:53:00 IDG Contributor Network: How a small business should respond to a hack (direct link) Hacks and data breaches are, unfortunately, part of doing business today. Ten years ago, it was the largest corporations that were most targeted by hackers, but that has changed. As large organizations have improved their cybersecurity, and more and more small businesses go online, hackers have shifted their attention to smaller targets. The threat: Putting numbers on the scale of cybercrime is difficult, not least because many companies are resistant to acknowledging that they've been hacked. A huge study from 2010, though, conducted by Verizon working in conjunction with the US Secret Service, found that even then smaller businesses were under huge threat from cybercriminals: over 60% of the data breaches covered in that report were from businesses with less than 100 employees. Hack Threat
BBC.webp 2019-09-09 23:09:04 Brain hack devices must be scrutinised, say top scientists (direct link) The UK's Royal Society warns of the risk of companies accessing our thoughts and moods. Hack
SecurityWeek.webp 2019-09-09 13:29:02 Man Pleads Guilty for Trying to Access Trump's Tax Returns (direct link) A Philadelphia man has pleaded guilty to trying to hack the IRS to obtain President Donald Trump's tax returns. Andrew Harris pleaded guilty Thursday to two computer fraud counts in federal court. The 23-year-old faces up to two years in prison and a $200,000 fine. Hack Guideline
TechWorm.webp 2019-09-09 11:18:05 Apple responds to Google's statement on iOS security vulnerabilities (direct link) Google's Report On iPhone Exploit Was Exaggerated, Says Apple. Last week, Google announced in a blog post that its Threat Analysis Group (TAG) and Project Zero had discovered a series of iOS exploit chains in the wild that were designed to hack iPhones over a period of at least two years. They were being used […] Hack Threat
SecurityAffairs.webp 2019-09-07 21:52:04 Google report on iPhone hack created 'False Impression,' states Apple (direct link) Apple replied to Google about the recent report suggesting iPhones may have been hacked as part of a long-running hacking campaign. Apple criticized the report recently published by Google that claims that iPhones may have been hacked by threat actors as part of a long-running hacking campaign. Apple defines the report as inaccurate and misleading. […] Hack Threat Guideline
SecurityWeek.webp 2019-09-07 17:02:04 Apple: Security Report on iPhone Hack Created 'False Impression' (direct link) Apple hit back Friday at a Google research report suggesting iPhones may have been targeted by a long-running hacking operation, calling it inaccurate and misleading. Hack Guideline
SecurityAffairs.webp 2019-09-05 09:59:03 Twitter temporarily disables feature to tweet via SMS after CEO hack (direct link) Twitter opted to temporarily disable the feature that allows users to post tweets via SMS, in response to the hack of the CEO’s account. “We're taking this step because of vulnerabilities […] Hack
SecurityWeek.webp 2019-09-05 07:24:01 Twitter Temporarily Disables Tweeting via SMS After CEO Hack (direct link) Twitter announced on Wednesday that it has decided to temporarily disable the feature that allows users to post tweets via SMS, in an effort to protect accounts. Hack
Last update at: 2024-06-30 11:08:04