The cost of data is not just the bytes that are required to store them. Increasingly laws will target companies for over-collecting, misusing, and not doing enough to protect PII data.
California recently passed an extremely powerful, far-reaching law, the California Consumer Privacy Act (CCPA), that will likely drive even more change than the GDPR. Here’s what your dev team needs to know and how to prepare.
Source: CCPA will hit your dev team harder than GDPR. Here’s why.
This is a serious hijack of a toolchain used by developers.
Pear.php.net shuts down after maintainers discover serious supply-chain attack.
Source: If you installed PEAR PHP in the last 6 months, you may be infected | Ars Technica
Marvell Wifi System-on-chip, which is used by Valve Steamlink, PS 4, Microsoft Surface and Samsung Chromebook is susceptible to remote compromise. Here’s the kicker: the device can be compromised just by the fact that it’s powered on. There is no need for the victim to visit any website or click on any links. That’s what makes this RCE (remote code execution) so dangerous and potent.
This vulnerability can be triggered without user interaction during the scanning for available networks. This procedure is launched every 5 minutes regardless of a device being connected to some Wi-Fi network or not. That’s why this bug is so cool and provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection (even when a device isn’t connected to any network).
This is a case that will test the limits of exclusion in the brave new world of cybersecurity insurance. Basically, the insurance company is refusing to pay for cybersecurity related damages by citing an exclusion clause which states the malware was created as part of a cyber warfare.
What if courts and lawyers actually start believing the cyberwar narrative and acting as if any damage caused to Western companies is uninsurable war damage?
…
What will happen to the insurance of cyber risks if any attack could potentially be declared part of a war?
Source: Mondelez Lawsuit Shows the Dangers of Attributing Cyberattacks – Bloomberg
CAPTCHA is almost ubiquitous in today’s web applications and an extremely popular CAPTCHA implementation is Google’s, namely reCaptcha. reCaptcha provides an audio version for visually-impaired users. Researchers manage to make use of free speech-to-text services to defeat audio reCaptcha.
unCaptcha: Talk is cheap in defeating reCaptcha
Source: unCaptcha: A Low-Resource Defeat of reCaptcha’s Audio Challenge
In a move that has sent shock waves through the cybersecurity and software community, Australia passes new law that could potentially devastate its software industry, by compelling tech companies to help law enforcement break into user’s encrypted data.
Both countries now claim the right to secretly compel tech companies and individual technologists, including network administrators, sysadmins, and open source developers – to re-engineer software and hardware under their control, so that it can be used to spy on their users. Engineers can be penalized for refusing to comply with fines and prison; in Australia, even counseling a technologist to oppose these orders is a crime.
Source: In the New Fight for Online Privacy and Security, Australia Falls:
A novel way of scamming. Make your phone number appear in Google Maps by claiming it. People who clicks on the result of Google Maps gets directed to you. Profit!
When you see any information listed on a website, your first reaction isn’t to immediately question whether or not that information is accurate. It is to blindly trust the technology that has helped you unfailingly countless times in the past. That is precisely why this scam is so potent.
Source: New form of Google banking scam
Great story based on a true hacking attempt.
Except for the last bit which was dramatized, the author gave a fairly good first-person account of an internal pentesting being carried out. It involves everything from impersonation, social engineering, physical theft, wits and a good amount of luck.
“Good afternoon, Pam. I’m Josh from IT. We’re about to migrate your Citrix instance to a new server. I’m going to send you a 6 digit number. I’ll need you to read that off to me. As a reminder, IT will never ask for your password.”
I already had her password.
She gave a hesitant, “Okay…”
I clicked on the “Click for MFA token” button and stated, “Alright, I’ve sent you the number. You should get a text. Please read it to me.”
She said, “Umm, alright. Got it. It’s 9-0-5-2-1-2.”
Source: A thread written by @TinkerSec
Bloomberg’s big story on alleged China hacking through server hardware implants. If true, it would be an absolutely incredible feat, equivalent in terms of impressiveness to the Stuxnet worm.
The attack by Chinese spies reached almost 30 U.S. companies by compromising America’s technology supply chain.
Source: The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies – Bloomberg
At the moment, Bloomberg seems to double-down on its story with the following statement:
“Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews,” a spokesperson told BuzzFeed News in response to a series of questions. “Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”
It’ll be interesting to see who’s telling the truth as the story develops. Meanwhile, governments and companies around the world should be in panic mode, as they try to figure out if they are using Supermicro servers, and if so, whether they are affected by the so-called hacking.
(2018-Oct-04) Apple and Amazon both issued strong denials to the claims of the article.
(2018-Oct-04) Separately, Apple and Amazon both issued even stronger statements on their website to set the record straight on the matter.
(2018-Oct-05) Buzzfeed’s coverage of the story also seem to indicate that even senior staff in Apple doesn’t know about the alleged hacks.
(2018-Oct-20) Apple CEO Tim Cook Is Calling For Bloomberg To Retract Its Chinese Spy Chip Story
(2018-Oct-23) Amazon cloud chief Jassy follows Apple in calling for retraction of Chinese spy chip story
There are many articles on how people chooses passwords. This article is purely on analyzing PIN numbers. Some observations are obvious but there are quite insightful ones too.
There are 10,000 possible combinations that the digits 0-9 can be arranged to form a 4-digit pin code. Out of these ten thousand codes, which is the least commonly used?Which of these pin codes is the least predictable?Which of these pin codes is the most predictable?
Source: PIN number analysis