What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
TroyHunt.webp 2021-04-06 16:21:54 Yahoo Answers to end as Trump fans see plot to “silence conservatives” (lien direct) "Should Trump buy Yahoo to prevent Answers from being shut down?" user asks. Yahoo Yahoo
AlienVault.webp 2021-01-12 11:00:00 Why cybersecurity awareness is a team sport (lien direct) This blog was written by an independent guest blogger. Cybersecurity may be different based on a person's viewpoint. One may want to simply protect and secure their social media accounts from hackers, and that would be the definition of what cybersecurity is to them. On the other hand, a small business owner may want to protect and secure credit card information gathered from their point-of-sale registers and that is what they define as cybersecurity. Despite differences in implementation, at its core, cybersecurity pertains to the mitigation of potential intrusion of unauthorized persons into your system(s). It should encompass all aspects of one’s digital experience--whether you are an individual user or a company. Your cyber protection needs to cover your online platforms, devices, servers, and even your cloud storage. Any unprotected area of your digital journey can serve as an exploit point for hackers and cyber criminals intent on finding vulnerabilities. People assume that it is the responsibility of the IT Department to stop any intrusion. That may be true up to a certain point; cybersecurity responsibility rests with everyone, in reality. Cybersecurity should be everybody’s business. The cybersecurity landscape is changing. With 68% of businesses saying that their cybersecurity risks have increased, it is no wonder that businesses have been making increased efforts to protect from, and mitigate, attacks. During the height of the pandemic, about 46% of the workforce shifted to working from home. We saw a surge in cybersecurity attacks - for example, RDP brute-force attacks increased by 400% around the same time. This is why cybersecurity must be and should be everybody’s business. 
According to the 2019 Cost of Cybercrime Study, cyberattacks often are successful due to employees willingly participating as internal actors or employees and affiliates carelessly clicking a link by accident. Sadly, it is still happening today. Unsuspecting employees can be caught vulnerable and cause a corporate-wide cyberattack by opening a phishing email or bringing risks into the company’s network in a BYOD (Bring Your Own Device) system. Just a decade ago, Yahoo experienced a series of major data breaches, via a backdoor to their network system established by a hacker (or a group of hackers). Further digital forensic investigation shows the breach started from a phishing email opened by an employee. Another example was Equifax when it experienced a data breach in 2017 and was liable for fines amounting to $425 million by the Federal Trade Commission (FTC). Companies continue to double up on their investments in cybersecurity and privacy protection today to ensure that incidents like these do not happen to their own networks. But a network is only as strong as its weakest link. Hackers continue to innovate, making their attacks more and mo Ransomware Data Breach Malware Vulnerability Guideline Equifax Equifax Yahoo Yahoo
SecurityWeek.webp 2021-01-08 15:21:31 SolarWinds Taps Firm Started by Ex-CISA Chief Chris Krebs, Former Facebook CSO Alex Stamos (lien direct) SolarWinds Hires New Cybersecurity Firm Founded by Former CISA Director Chris Krebs and Alex Stamos, Former Security Chief at Yahoo and Facebook Yahoo Yahoo
WiredThreatLevel.webp 2020-11-18 14:00:00 Marissa Mayer's Next Act Is Here (lien direct) The former Yahoo CEO wants to build a better address book on your phone. Does anyone want it? Yahoo
AlienVault.webp 2020-11-09 12:00:00 SecTor 2020, Canada's Biggest Cybersecurity Event: Day Two (lien direct) This blog was written by an independent guest blogger. Even though SecTor had to be entirely online this year due to our unusual international circumstances, there have been plenty of excellent talks from many experienced cybersecurity professionals. The talks took place over the course of two days, October 21st and 22nd. Last time I covered the talks I attended on day one. Interestingly enough, the talks all had to do with threat detection and analysis. Maybe that’s just what I’m fixated on these days. The talks I attended on the second day all covered matters businesses must be aware of these days and well into the future. On day two, I learned a lot about how to talk to non-technical executives about security, the unique challenges of cloud security, and the legal implications of cyber threats. Enjoy! How to Talk to the Board About Cybersecurity The first talk I attended on the second day was presented by Jeff Costlow, a CISO with nearly 25 years of industry experience. This is the description of the talk from SecTor’s web app: “With the sudden shift of the global workforce from in-office to remote, IT teams quickly transformed their operations to accommodate the new realities of business — including large-scale adoption of work-from-home technologies, heightened activity on customer-facing networks, and greater use of online services. While these examples of agility allowed business to continue, they also greatly increased the risk of misconfigurations and cyberthreats. Now, it’s looking like they could be here to stay for a while. On top of that, bad actors have wasted no time trying to exploit new vulnerabilities. In the past several weeks, we’ve seen ransomware attacks affect several major organizations. 
These attacks come on the tail of a surge of attacks across the board brought on during the pandemic, as hackers scanned and took advantage of new workloads, and vulnerable VPN connections and misconfigurations left the gates to the network open. When attacks like these make headlines, panicked board members have one question for CISOs: how can we be sure that won’t happen to us? Drawing from nearly 25 years of experience in the security industry, Jeff Costlow, CISO at ExtraHop, will share his top strategies for CISOs to lead board-level conversations about risk management amidst the stark new realities of IT.” When risk enters an organization through devices that the IT department cannot control, securing a network becomes very difficult. Any devices and applications that connect to the network that administrators can’t administrate are considered to be “shadow IT.” This is often a consequence of bring-your-own-device habits, but not always. Costlow discussed the implications of shadow IT: “All you have to do is Google or use the search engine of your choice. Search ‘shadow IT horror stories,’ and you will find a ton of these. There is the laptop that runs underneath someone's desk. It turns out it's a business critical piece of software that everyone's using, and it's just running on a laptop under a desk somewhere. There are also plenty of stories. These are some of my favorites the ones about somebody just wanted to get their job done. And so they started forwarding all their business email to their Google account or their Yahoo account or something like that. Or maybe a personal Dropbox use. One of my favorites is unapproved chat clients. Or an even worse, operating those chat rooms. This is sometimes called ChatOps. We're inside a chat r Ransomware Vulnerability Threat Guideline Yahoo
ZDNet.webp 2020-11-08 11:52:00 Yahoo Mail discontinues automatic email forwarding for free users (lien direct) Automatic email forwarding to be discontinued on January 1, 2021. Existing users told to get a Pro account. Yahoo
SecurityAffairs.webp 2020-07-16 05:43:03 CIA covert operations likely behind attacks against APT34 and FSB (lien direct) CIA orchestrated dozens of hacking operations against targets worldwide, including APT34 and FSB hacks, states an exclusive report from Yahoo News. In 2018, US President Trump gave to the Central Intelligence Agency (CIA) more powers to conduct covert offensive cyber operations against hostile threat actors, including Iranian and Russian APT groups and intelligence agencies. In […] Threat Yahoo APT 34
SecurityAffairs.webp 2020-07-12 07:56:33 Security Affairs newsletter Round 272 (lien direct) A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box. CISA warns organizations of cyberattacks from the Tor network Cisco Talos discloses technical details of Chrome, Firefox flaws Huawei faces 5G ban from British 5G network within months Former Yahoo! […] Yahoo ★★★★★
SecurityAffairs.webp 2020-07-06 19:04:02 Former Yahoo! employee who accessed 6K accounts avoids jail (lien direct) A former Yahoo! employee who hacked into the accounts of thousands of users was sentenced to five years of probation. In September the former Yahoo software engineer Reyes Daniel Ruiz admitted in court to hacking into 6,000 Yahoo! accounts back in 2018. Last week Ruiz (35), of Tracy, California, was sentenced to five years of probation […] Yahoo
grahamcluley.webp 2020-07-06 16:02:50 Ex-Yahoo employee avoids jail, despite hacking 6000 accounts, and stealing nude photos and videos (lien direct) A former employee of Yahoo has been sentenced and ordered to pay a fine after exploiting his privileged access to hack into the personal accounts of thousands of Yahoo users, in his hunt for naked photographs and videos of young women. Read more in my article on the Hot for Security blog. Hack Yahoo
ZDNet.webp 2020-07-06 10:53:40 Yahoo engineer gets no jail time after hacking 6,000 accounts to look for porn (lien direct) Hacker sentenced to five years probation, with home confinement condition. Yahoo
no_ico.webp 2020-04-14 11:32:35 Apple Is Most Imitated Brand For Phishing: Check Point Research's Q1 2020 Brand Phishing Report (lien direct) Check Point's researchers highlight Yahoo! as most imitated brand for email-based phishing, and Netflix as the most imitated for mobile-based phishing attempts. Check Point Research has published its new Brand Phishing Report for Q1 2020, highlighting the brands which were most frequently imitated by criminals in attempts to steal individuals' personal information or payment credentials … Yahoo
WiredThreatLevel.webp 2020-02-10 22:41:37 Oscars Woes for Netflix, Money for Yahoo Users, and More News (lien direct) Catch up on the most important news from today in two minutes or less. Yahoo
Pirate.webp 2020-02-10 14:05:43 OWASP Amass – DNS Enumeration, Attack Surface Mapping & External Asset Discovery (lien direct) The OWASP Amass Project is a DNS Enumeration, Attack Surface Mapping & External Asset Discovery tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques. Information Gathering Techniques Used by OWASP Amass for DNS Enumeration and More The main functionality of Amass is as follows: DNS: Basic enumeration, Brute forcing (optional), Reverse DNS sweeping, Subdomain name alterations/permutations, Zone transfers (optional) Scraping: Ask, Baidu, Bing, DNSDumpster, DNSTable, Dogpile, Exalead, Google, HackerOne, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ViewDNS, Yahoo Certificates: Active pulls (optional), Censys, CertSpotter, Crtsh, Entrust, GoogleCT APIs: AlienVault, BinaryEdge, BufferOver, CIRCL, CommonCrawl, DNSDB, GitHub, HackerTarget, IPToASN, Mnemonic, NetworksDB, PassiveTotal, Pastebin, RADb, Robtex, SecurityTrails, ShadowServer, Shodan, Spyse (CertDB & FindSubdomains), Sublist3rAPI, TeamCymru, ThreatCrowd, Twitter, Umbrella, URLScan, VirusTotal, WhoisXML Web Archives: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback Usage of Amass for DNS Enumeration, Attack Surface Mapping & External Asset Discovery The Amass tool has several subcommands shown below for handling your Internet exposure investigation. Tool Guideline Yahoo
WiredThreatLevel.webp 2020-02-08 12:00:00 How to Get Your Yahoo Breach Settlement Money (lien direct) If you had a Yahoo account from 2012-2016, you probably have $100 coming your way. Yahoo
no_ico.webp 2019-12-13 12:38:25 1 Billion Email And Password Combinations Leaked – Expert Comment (lien direct) Over one billion email and password combinations were leaked online by an unnamed party – giving bad actors the information necessary to conduct countless credential stuffing or other spam campaigns. The unsecured database primarily features emails from Chinese domains, as well as numerous Gmail and Yahoo addresses. Spam Yahoo
DarkReading.webp 2019-10-17 12:50:00 Yahoo Breach Victims May Qualify for $358 Payout (lien direct) Pending approval of the settlement, affected account holders may be eligible for a payout or two years of free credit monitoring. Yahoo
grahamcluley.webp 2019-10-10 08:37:46 Smashing Security #149: Falling in love with fraudsters (lien direct) We take a trip to Staten Island, New York, to hear how a case of cyberstalking resulted in the arrest of 20 alleged mobsters, learn about the nude photo-loving insider threat at Yahoo, and discover how fraudsters might be boosting Match.com’s profits. All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by Graham Cluley and Carole Theriault, joined this week by Ran Levi of “Malicious Life.” Threat Yahoo
Pirate.webp 2019-10-09 11:08:14 Yahoo Hack – The Essential Need for User Controls (lien direct) Experts Julien Chamonal of Varonis and Jean-Paul Kerouanton of Vectra comment on the conviction of the former Yahoo IT engineer who used his privileges as a company employee to access 6000 Yahoo accounts in search of explicit personal content. Yahoo
itsecurityguru.webp 2019-10-08 09:06:48 Yahoo! Engineer has pleaded guilty to stealing pictures of women (lien direct) Reyes Daniel Ruiz, a former Yahoo! software engineer, has pleaded guilty to using his access privileges at the company to hack users' accounts so that he could download private images and videos mostly belonging to young women. A 10-year veteran of Yahoo!, Ruiz admitted to accessing around 6,000 accounts and storing the pilfered files at […] Hack Guideline Yahoo
grahamcluley.webp 2019-10-04 12:51:28 Former Yahoo employee admits he hacked 6000 users' accounts, stole nude photos and videos (lien direct) A former Yahoo software engineer has admitted hacking into thousands of Yahoo users’ accounts in a search for naked images and videos of young women. Read more in my article on the Hot for Security blog. Yahoo
TechRepublic.webp 2019-10-02 14:53:45 Yahoo porn hacking breach shows need for better security: 5 ways to protect your company (lien direct) This week, a former Yahoo employee pleaded guilty to hacking into the email accounts of more than 6,000 users, looking for porn. Companies need to protect themselves from similar security breaches. Here's what to do. Guideline Yahoo
no_ico.webp 2019-10-02 14:53:24 Ex-Yahoo Engineer Hacked Accounts To Steal Pornography (lien direct) A former Yahoo engineer has confessed to breaking into as many as 6,000 email accounts belonging to Yahoo users. Once he had access to an email inbox, he scoured other online accounts belonging to his victims — who were primarily young women — for private photos and videos. The photos and videos were gathered from … Yahoo
The_Hackers_News.webp 2019-10-02 01:30:32 Former Yahoo Employee Admits Hacking into 6000 Accounts for Sexual Content (lien direct) An ex-Yahoo! employee has pleaded guilty to misusing his access at the company to hack into the accounts of nearly 6,000 Yahoo users in search of private and personal records, primarily sexually explicit images and videos. According to a press note released by the U.S. Justice Department, Reyes Daniel Ruiz, a 34-year-old resident of California and former Yahoo software engineer, admitted Hack Guideline Yahoo
SecurityWeek.webp 2019-10-01 13:24:45 Former Yahoo Programmer Pleads Guilty to Hacking User Accounts (lien direct) A former Yahoo software engineer has admitted in court to hacking into the accounts of thousands of the platform's users. The man, Reyes Daniel Ruiz, 34, of Tracy, California, pleaded guilty to accessing about 6,000 Yahoo accounts, in search of private and personal records, mainly sexual images and videos.  Guideline Yahoo
ZDNet.webp 2019-10-01 09:07:07 Former Yahoo engineer pleads guilty to hacking user emails in search for porn (lien direct) Former Yahoo engineer accessed about 6,000 email accounts, primarily belonging to young women. Yahoo
Blog.webp 2019-09-23 08:46:59 NEW TECH: How 'cryptographic splitting' bakes-in security at a 'protect-the-data-itself' level (lien direct) How can it be that marquee enterprises like Capital One, Marriott, Facebook, Yahoo, HBO, Equifax, Uber and countless others continue to lose sensitive information in massive data breaches? The simple answer is that any organization that sustains a massive data breach clearly did not do quite enough to protect […] Data Breach Equifax Yahoo Uber
TechRepublic.webp 2019-09-19 13:45:54 Yahoo data breach settlement means affected users may get $100 (lien direct) If you had a Yahoo account between January 1, 2012 and December 31, 2016, you may be entitled to a bit of money. Data Breach Yahoo
SecurityWeek.webp 2019-09-06 15:32:04 Industry Reactions to Iranian Mole Planting Stuxnet: Feedback Friday (lien direct) Yahoo News reported this week that an Iranian mole recruited by Dutch intelligence helped the United States and Israel sabotage Iran's nuclear program by planting the Yahoo
DarkReading.webp 2019-09-03 11:55:00 Report: Iranian 'Mole' Carried Stuxnet to Iranian Nuclear Facility (lien direct) An engineer recruited by the Dutch intelligence agency AIVD helped bring to Iran's Natanz nuclear facility the malware via USB that ultimately infected systems there and sabotaged centrifuges, according to an exclusive report from Yahoo News. Malware Yahoo
Blog.webp 2019-07-01 08:00:01 Reference: TaoSecurity Press (lien direct) I started appearing in media reports in 2000. I used to provide this information on my Web site, but since I don't keep that page up-to-date anymore, I decided to publish it here. As of 2017, Mr. Bejtlich generally denies press inquiries on cybersecurity matters, including those on background. 2016: Mr. Bejtlich was cited in the Fortune story Meet the US's First Ever Cyber Chief, published 8 September 2016. Mr. Bejtlich was interviewed for the NPR story Cybersecurity: Who's Vulnerable To Attack?, aired 30 July 2016. Mr. Bejtlich was interviewed for the Washington Post story It's not just the DNC; we all send emails we probably shouldn't, published 25 July 2016. Mr. Bejtlich was interviewed for the New Scientist story NATO says the internet is now a war zone – what does that mean?, published 22 June 2016. Mr. Bejtlich was interviewed for the Military Times story The Pentagon's controversial plan to hire military leaders off the street, published 19 June 2016. Mr. Bejtlich was interviewed for the Idealog story Idealog talks with a cyber-war expert, published 6 May 2016. Mr. Bejtlich was cited in the New Zealand Herald story Cyber-attacks part of doing business with China - experts, published 5 May 2016. Mr. Bejtlich was cited in the Christian Science Monitor story Iran hacking indictment highlights US naming and shaming strategy, published 30 March 2016. Mr. Bejtlich was cited in the Financial Times story Defence groups take aim at cyber security, published 28 March 2016. Mr. Bejtlich was interviewed for the Security Management story A Chinese New Year, published 4 January 2016. 2015: Mr. Bejtlich was cited in the AP story US Advised to Examine "Hack Back" Options against China, published 17 November 2015. Mr. Bejtlich was cited in the Reuters story Data from US agency cyber breach not on black market - researcher, published 2 November 2015. Mr. 
Bejtlich was cited in the NextGov story Creative, Audacious or Destructive: The Different Personalities of Nation-State Hackers, published 2 November 2015. Mr. Bejtlich was cited in the Baltimore Sun story As more devices go online, hackers hunt for vulnerabilities, published 24 October 2015. Mr. Bejtlich was cited in the Atlantic story Can Campus Networks Ever Be Secure?, published 12 October 2015. Mr. Bejtlich was cited in the Info Security story Guideline Yahoo
no_ico.webp 2019-06-04 15:55:02 The Next Generation Of Agnostic Cloud Security Delivered By cloudAshur (lien direct) The year is 2019, and I doubt anyone attending Infosecurity Show 2019 would challenge the statement 'We live in times of Insecurity'. With a backdrop covering a spectrum of Cyber Attacks, by example, with Yahoo suffering a 3 billion record compromise back in 2013, through to the Marriott Hack circa 2014 – 2018 which exposed … Hack Yahoo
AlienVault.webp 2019-04-11 13:00:00 DNS cache poisoning part 2 (lien direct) My last blog on DNS cache poisoning only covered the superficial aspects of this long-standing issue. This installment aims to give a bit more technical detail, and expose some of the tactics used by the "bad-actors" looking to leverage a poisoned DNS cache against you and your network. In a worst-case scenario, the results of a poisoned DNS cache could lead to more than just a headache: civil liability, phishing, increased DNS overhead, and other kinds of nightmares are too easy to overlook with this type of 'attack'. So, you may be wondering, "What exactly makes a DNS cache poisoning attack so dangerous, and what can we do to prevent it?" Well, as outlined in my first article, not answering DNS requests on the web is a great place to start. If you're only running an internal DNS infrastructure, your attack-surface is much lower. However, this comes with a caveat; "internal-only" DNS attacks are much harder to detect, and can often go weeks or months before even the keenest of sysops recognize them. This has to do with the fundamental structure of DNS. Let me explain. Fundamental structure of DNS In a typical DNS server (e.g. Windows DNS, or BIND) there is little mechanism (e.g. NONE) to provide any sanity checking. In its simplest form, a DNS query will look to its local database (the 'cache') first, upon finding no answer for the request it will then send a lookup request to its configured DNS server (the one you hopefully manage) and see if it can find an answer for the request. If this lookup fails a 2nd time, there is a 'forwarder' configuration that kicks in, and the request goes to a list of pre-specified DNS hosts that your server will send the request to, looking for a resolution to the name. 
If this final 'forward' lookup fails, the final lookup happens out on the internet, on one of the 'Root' nameservers that share a distributed list of all the DNS hosts that make up the TCP/IPv4 internet. If this final lookup fails, the original requesting client is returned with a 'DNS Name not found' answer, and the name will not resolve. At any point during this journey, a "faked" response can be issued, and the initiator will accept it. No questions asked. Problems with the model This model is good when we can trust each one of the segments in the process. However, even during the early days of the web - there were some issues that became apparent with the way DNS works. For example, what if the root servers are unavailable? Unless your local DNS server has a record of ALL of the domains on the web, or one of your 'forwarders' does - the DNS name will not resolve. Even if it is a valid domain, DNS will simply not be able to lookup your host. There was an "attack" on several of the root servers in the late 1990's. Several of the root servers were knocked offline, effectively taking down the internet for a large portion of the USA. It was during this outage that many network operators realized a large oversight of the DNS system, and a push was made to distribute control of these systems to a variety of trustworthy and capable internet entities. At the time of this attack, much of the internet name resolution duties fell to a single entity: Yahoo. A DDoS of Yahoo effectively killed the internet. Sure, we could still get to our desired hosts via IP, but e-mail, for example, was not as resilient. It was a great learning lesson for the web community at-large. This was just a denial-of-service at the highest level of the infrastructure. What would  happen if the localized database on every computer in your organization had different "answers" for DNS lookups? Instead of consistent Tool Guideline Yahoo
no_ico.webp 2019-04-10 19:22:02 Yahoo In New $117.5 Million Data Breach Settlement (lien direct) Yahoo has reached a revised $117.5 million (89.8 million pounds) settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history. Verizon's plan to spend $300M on #cybersecurity is 5X what Yahoo had previously spent during the #breach years 🙈 And they're pledging to quadruple Yahoo's #infosec staff. 👍😊 … Yahoo
Kaspersky.webp 2019-04-10 15:21:02 Yahoo Offers $117.5M Settlement in Data Breach Lawsuit (lien direct) Yahoo is taking a second stab at settling a massive lawsuit regarding the data breaches that the Internet company faced between 2013 and 2016. Data Breach Yahoo
ZDNet.webp 2019-04-10 10:48:05 Yahoo data breach settlement effort reaches $117.5 million (lien direct) $50 million was too low for one of the largest data breaches on record. Data Breach Yahoo
SecurityAffairs.webp 2019-04-09 21:27:04 Yahoo proposes $117.5 million for the settlement of data breach (lien direct) Yahoo is continuously trying to settle a lawsuit on the massive data breach over the period of 2013 to 2016. This time Yahoo could pay $117.5 million for the settlement of 3 billion hacked accounts. As the news was first published by the team of Reuters, “Yahoo has struck a revised $117.5 million settlement with […] Data Breach Yahoo
DarkReading.webp 2019-04-09 11:00:00 Yahoo Reaches $117.5M Breach Accord Following Failed Settlement (lien direct) An adjusted settlement between Yahoo and the victims of its massive data breach is still awaiting approval. Data Breach Yahoo
ZDNet.webp 2019-03-17 02:59:02 Dutch hacker who DDoSed the BBC and Yahoo News gets no jail time (lien direct) Hacker used a Mirai botnet to DDoS companies and ask for ransoms to stop attacks. Yahoo
TechRepublic.webp 2019-03-11 03:32:00 Unintended inferences: The biggest threat to data privacy and cybersecurity (lien direct) Find out why data privacy breaches and scandals (think Facebook, Marriott, and Yahoo), artificial intelligence, and analytics have implications for how your business manages cybersecurity and privacy. Threat Yahoo
SecurityAffairs.webp 2019-02-25 10:02:01 Expert awarded $10,000 for a new XSS flaw in Yahoo Mail (lien direct) A security expert discovered a critical cross-site scripting (XSS) flaw in Yahoo Mail that could have been exploited to steal the targeted user's emails and attach malicious code to their outgoing messages. Yahoo addressed a critical cross-site scripting (XSS) vulnerability in Yahoo Mail that could have been exploited by hackers to steal user's emails and […] Vulnerability Yahoo
SecurityWeek.webp 2019-02-22 07:14:00 Researcher Earns $10,000 for Another XSS Flaw in Yahoo Mail (lien direct) A researcher says he has discovered yet another critical cross-site scripting (XSS) vulnerability in Yahoo Mail. The recently patched flaw could have been exploited to steal the targeted user's emails and attach malicious code to their outgoing messages. Vulnerability Yahoo
AlienVault.webp 2019-02-01 14:00:00 Things I Hearted This Week, 1st Feb 2019 (lien direct) Hello February! I was doing some research last night and was surprised to discover that the Target breach is over five years old! Five years! I was sure it only happened a couple of years ago - but such is the fast-paced nature of the industry, and also I guess a testament to how certain major breaches become part of infosec folklore. Like TJX, or Heartland - and no, I’m not going to look up when any of those occurred because I’ll probably end up feeling a lot older than I already do. Enough reminiscing - let’s get down to it. The Big Five There’s been a lot of things I didn’t heart this week, although for one reason or another they ended up in my list of things to talk about. So, if you’re wondering about the stories regarding Facebook and Apple, and also Google, then yes, I did see them, and no, I don’t fancy talking about them. But speaking of large companies, Kashmir Hill has undertaken what is perhaps becoming my favourite piece of tech journalism ever. With detailed write ups and slick videos showcasing how she cut out the big five of Amazon, Facebook, Google, Microsoft, and Apple from her life, one week at a time. Life without the tech giants | Gizmodo Week 1, Amazon | Gizmodo Week 2, Facebook | Gizmodo Week 3, Google | Gizmodo Considerations for When Your Apartment Goes “Smart” Everything is getting ‘smart’ these days. By smart, I mean connected and vulnerable. So, what should you do if you live in an apartment where everyone is getting fancy new smart locks (or terribly insecure cheap locks depending on how you look at it). Lesley Carhart recently found herself in the same position, and has written a really good post on security considerations if you ever find yourself in a similar position. 
Security Things to Consider When Your Apartment Goes ‘Smart’ | tisiphone Abusing Exchange: One API Call Away From Domain Admin An attacker with just the credentials of a single lowly Exchange mailbox user can gain Domain Admin privileges by using a simple tool. Very good writeup here. Abusing Exchange: One API call away from Domain Admin | dirkjanm.io Sending Love Letters The "Love Letter" malspam campaign has now changed its focus to Japanese targets and almost doubled the volume of malicious attachments it delivers. Love Letter Malspam Serves Cocktail of Malware, Heavily Targets Japan | Bleeping Computer While we’re talking about Japan, a new law in Japan allows the nation's National Institute of Information and Communications Technology (NICT) to hack into citizens' personal IoT equipment as part of a survey of vuln Data Breach Hack Yahoo
itsecurityguru.webp 2019-01-31 10:31:03 Yahoo's Settlement Proposal on Data Breach Case Rejected by Court. (lien direct) Yahoo's proposed $50 million pay-out, plus two years of free credit monitoring for about 200 million people in the United States and Israel, was rebuffed by U.S. District Judge Lucy Koh, who said she couldn't declare the settlement “fundamentally fair, adequate and reasonable” because it did not say how much victims could expect to […] Data Breach Yahoo
SecurityWeek.webp 2019-01-30 18:57:04 Yahoo Breach Settlement Rejected by Judge (lien direct) A U.S. judge has rejected the settlement between Yahoo and users impacted by the massive data breaches suffered by the company, citing, among other things, inadequate disclosure of the settlement fund and high attorney fees. Yahoo
The_State_of_Security.webp 2019-01-30 12:19:00 Judge Denies Approval of $50M Settlement to Yahoo Data Breach Lawsuit (lien direct) A federal judge has denied the approval of a proposed $50 million settlement to a class action lawsuit over a data breach at Yahoo. On 28 January, Judge Lucy Koh rejected the settlement in an order submitted to the San Jose division of the U.S. District Court in the Northern District of California. The settlement, […] Data Breach Yahoo
Blog.webp 2019-01-29 23:26:03 Podcast Episode 131: suing Yahoo! Executives…and winning (lien direct) In this week's episode (#131): a shareholder lawsuit targeting Yahoo! executives was settled quietly. But it could have big implications for the C-Suite at breached firms. Also: as the US pursues criminal charges against Huawei for corporate espionage, we look at one of the federal government's most potent tools to stop the transfer of... Yahoo
BBC.webp 2019-01-29 14:50:00 Yahoo data breach payout blocked by judge (lien direct) The judge is unhappy about the sum involved and the vagueness of promised cyber-security fixes. Data Breach Yahoo
CSO.webp 2019-01-07 06:05:00 IDG Contributor Network: Managing identity and access management in uncertain times (lien direct) If we remember one thing from 2018, it is that we are all victims now through one breach or another. Every day, we hear more news about another data breach affecting millions of users with significant financial and reputational consequences to its victims. With massive breaches like Equifax, Facebook, Deloitte, Quora and Yahoo, it is clear that breach notification services and multi-factor authentication (MFA) are not enough to prevent the next data breach headline from appearing in tomorrow's newspapers. Organizations have started thinking holistically, and rightly so, about risk and approaches to security using frameworks such as CARTA, Zero Trust, NIST SP 800 and IDSA. These frameworks offer progressive thinking and valuable approaches to modern identity strategy, but there is no one size fits all. These frameworks are akin to buying furniture from IKEA; assembly required, but with a lot more complexity and a lot more at stake. Data Breach Equifax Deloitte Yahoo
SecurityAffairs.webp 2018-12-25 20:14:03 Hackers launched phishing attacks aimed at bypassing Gmail, Yahoo 2FA at scale (lien direct) Amnesty International warns of threat actors that are launching phishing attacks aimed at bypassing Gmail, Yahoo 2FA at scale Amnesty International published a report that details how threat actors are able to bypass 2FA authentication that leverages text message as a second factor. Attackers are using this tactic to break into Gmail and Yahoo accounts […] Threat Yahoo
Last update at: 2024-05-10 20:07:58