Threat modeling is an approach that can potentially be overly complicated, but it doesn’t have to be that way, according to Alyssa Miller, business information security officer (BISO) at S&P Global Rating, in a session at the RSA Conference 2022, Miller also explained an approach for plain language threat modeling that can help accelerate DevSecOps efforts.
Security
by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.
In the immediate wake of a ransomware attack, you can bet that the C-suite is going to panic and demand an immediate fix. Carol Barkes, a conflict resolution consultant, talked about the physiological considerations a CISO should think about when dealing with a panicked C-suite Carol Barkes is the best-selling author of NeuroMediation. She is
by Paul Ducklin SSN is an abbreviation that’s specific to America, and DOB is shorthand that’s specific to the English language. Nevertheless, their meanings are widely known throughout the world, not least because of their widespread use in reports and discussions about identity theft and cybercrime. SSN is short for Social Security Number, which is
Bryan Palmer, CEO of Trellix, delivering his keynote at RSA Conference The cybersecurity industry must capitalize on the exodus of technologists leaving their roles in social media companies seeking soulful work by welcoming and converting them. This was the sentiment of Bryan Palmer, CEO of Trellix, as he delivered his keynote on 07 June 2022
by Paul Ducklin Over on our sister site, Sophos News, we’ve just published some fascinating and informative insights into cybercriminals… …answering the truly practical question, “How do they do it?” In theory, the crooks can (and do) use any and all of thousands of different attack techniques, in any combination they like. In real life,
Cyber-threat intelligence firm Checkpoint Research (CPR) spotted a critical vulnerability in the Unisoc Tiger T700 chips that power the Motorola Moto G20, E30 and E40 smartphones. The components, which replaced MediaTek’s chips in the aforementioned devices due to global shortages, have been marked as threat vectors due to a stack overflow vulnerability. More specifically, due to
Hybrid working and cloud migration during the course of the pandemic has led to a surge in DNS-related attacks, with application downtime and data theft a major consequence, according to IDC. The analyst’s 2022 Global DNS Threat Report is sponsored by security vendor efficientIP and compiled from interviews with over 1000 global organizations with more
Global healthcare organizations (HCOs) experienced a 94% year-on-year surge in ransomware attacks last year, with almost twice as many electing to pay their extorters, according to new data from Sophos. The security vendor commissioned Vanson Bourne to compile its report, The State of Ransomware in Healthcare 2022, from interviews with 381 IT pros in 31
by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. [00’36”] This Week in Tech. Naming a computer after a famous scientist doesn’t always help. [02’25”] The wacky but dangerous 0-day hole in Windows. [14’14”] Supply chain attacks and the crooks who orchestrate
Connecticut Governor Ned Lamont officially signed into law the Public Act No. 22-15, titled ‘An Act Concerning Personal Data Privacy and Online Monitoring’ on May 10. Commonly referred to as the Connecticut Privacy Act (CTPA), the new legislation provides consumers with enhanced privacy rights, including the right of access, rectification and deletion of data. It also provides the
by Paul Ducklin Software development and colloboration toolkit behemoth Atlassian is warning of a dangerous zero-day in its collaboration software. There’s no alert about the bug visible on the company’s main web page, which features the company’s best-known tools JIRA (an IT ticketing system) and Trello (a discussion board), but you’ll find Confluence Security Advisory
The latest phase of the UK government-backed Digital Security by Design (DSbD) program will see 10 companies experimenting with prototype cybersecurity technology designed to radically strengthen computers’ underlying hardware. The technology, developed by semiconductor and software design company Arm in collaboration with researchers from the University of Cambridge, is known as Capability Hardware Enhanced RISC Instructions (CHERI). This
by Paul Ducklin Just as the dust started to settle on the weirdly-named Follina vulnerability… … along came another zero-day Windows security hole. Sort of. We’re not convinced that this one is quite as dramatic or as dangerous as some of the headlines seem to suggest (which is why we carefully added the words “sort
Europol’s European Cybercrime Centre (EC3) announced the execution of an international law enforcement operation that involved 11 countries and resulted in the takedown of the so-called “FluBot” Spyware. The technical achievement reportedly followed an investigation involving law enforcement authorities of Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands, and the United States and
by Paul Ducklin The latest scheduled Firefox update is out, bringing the popular alternative browser to version 101.0. This follows an intriguing month of Firefox 100 releases, with Firefox 100.0 arriving, as did Chromium 100 a month or so before it, without any trouble caused by the shift from a two-digit to a three-digit version
Microsoft released an advisory on Monday acknowledging the zero-day Office flaw dubbed ‘Follina’ and suggested a possible fix for it. The document assigned the vulnerability the identifier CVE-2022-30190 and a rating of 7.8 out of 10 on the Common Vulnerability Scoring System (CVSS) on the basis that its exploitation may enable malicious actors to achieve code
by Paul Ducklin The internet is abuzz with news of a zero-day remote code execution bug in Microsoft Office. More precisely, perhaps, it’s a code execution security hole hole that can be exploited by way of Office files, though for all we know there may be other ways to trigger or abuse this vulnerability. Security
by Paul Ducklin Home delivery scams, where the crooks falsely apologise to you for not delivering your latest parcel, have been around for years. However, as we have unfortunately needed to say many times on Naked Security, these scams seem to have become steadily more professional-looking during the pandemic, as more and more people have
Anonymous-affiliated collective Spid3r claims to have attacked Belarus’ government websites in retaliation for the country’s alleged support of Russia’s invasion of Ukraine. The group made the announcement on Twitter, publishing screenshots of various websites connected with the Belarus state being down, including the Ministry of Communications, the Ministry of Justice and the Ministry of Economy. In
A group of hackers from Russia could be behind the leak of a list of emails between former director of MI6 Sir Richard Dearlove, Gisela Stuart, Robert Tombs, and other political figures within Theresa May’s government between August 2018 and July 2019. According to an investigation by Reuters, the cache of intercepted emails contained alternative
Twitter has agreed to pay a $150m fine to settle a federal privacy suit over privacy data violations. The row saw the social company reportedly collecting phone numbers and email addresses for account security measures and then using the information for advertising purposes without letting users know. “This practice affected more than 140 million Twitter
by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. Listen on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.Or simply drop the URL
The Cybersecurity and Infrastructure Security Agency (CISA) has published a new five-step 5G Security Evaluation Process to help companies improve their security posture before deploying new 5G applications. More specifically, the new guidelines include information about relevant threat frameworks, 5G system security standards, industry security specifications, federal security guidance documents and methodologies to conduct cybersecurity
by Paul Ducklin We’ve often warned about the risks of browser extensions – not just for Chrome, but for any browser out there. That’s because browser extensions aren’t subject to the same strict controls as the content of web pages you download, otherwise they wouldn’t be extensions… …they’d basically just be locally-cached web pages. An
Pro-consumer website Comparitech has released a new report exploring legislation about child data collection in the world’s top 50 countries by gross domestic product (GDP). The document assessed 23 different aspects of these policies to assess whether specific legislation was in place for children’s online data or not. Aspects examined included requirements for privacy policies,
by Paul Ducklin A keen-eyed researcher at SANS recently wrote about a new and rather specific sort of supply chain attack against open-source software modules in Python and PHP. Following on-line discussions about a suspicious public Python module, Yee Ching Tok noted that a package called ctx in the popular PyPi repository had suddenly received
The Cybersecurity and Infrastructure Security Agency (CISA) has added 41 vulnerabilities to its catalog of known exploited flaws this week. The US federal agency has urged all organizations to remediate these vulnerabilities promptly to “reduce their exposure to cyber-attacks.” Federal Civilian Executive Branch (FCEB) agencies are required by law to remediate all vulnerabilities in the catalog by the specified
The US government lacks comprehensive data on ransomware attacks, including how much is lost in payments, according to a new report by the United States Senate Committee on Homeland Security & Governmental Affairs. The report presented the findings of a 10-month investigation into the growing threat of ransomware. It cited FBI figures showing that the agency had
The District of Columbia announced that it sued Meta Platforms Inc. CEO Mark Zuckerberg for his role in the data breach that allowed political consulting firm Cambridge Analytica to target Facebook users during the 2016 US presidential election. The “sweeping investigation” found that Zuckerberg had lax oversight of users and created misleading privacy agreements that resulted in
- « Previous Page
- 1
- …
- 40
- 41
- 42
- 43
- 44
- …
- 51
- Next Page »