news

Supply Chain Risk Escapes Notice At Many Firms

Online attacks that come by way of suppliers and other third party business partners are one of the biggest threats that modern organizations face. But too few firms are giving supply chain security the attention it deserves, a panel of legal and information security experts told attendees at a cyber security forum in Boston on Wednesday. Companies need to protect their exposure through third parties better, according to the panel: beefing up auditing of internal- and partner assets and including contractual protections that will indemnify them in the event that a breach at a supplier or business partner exposes data that materially affects their firm. The panel, “Fortifying the Supply Chain,” was part of a day long event at The Federal Reserve in Boston and sponsored by the Advanced Cyber Security Center, a technology industry consortium. It brought together top legal and information security experts, including FireEye researcher Alex Lanstein and Jim Halpert, the […]

Continue Reading

Metadata Matters: EFF To Argue Collection Violates Constitution

Lawyers from The Electronic Frontier Foundation will argue on Tuesday that the U.S. government’s bulk collection of phone records and other “metadata” is a violation of the Constitution’s protection against unlawful searches. In a blog post on Monday, EFF said that it plans to make oral arguments before the D.C. Circuit Court of Appeals on Tuesday and will argue that the call records collected by the government constitute “intimate portraits of the lives of millions of Americans” that are protected under the Constitution’s Fourth Amendment. The EFF is presenting in the Klayman vs. Obama, a 2013 case filed by Larry Klayman, conservative activist, in the immediate aftermath of the publication of data leaked by former NSA contractor Edward Snowden. EFF and the ACLU filed an amicus brief in that case in August. The government’s argument is that the bulk collection of phone records is legal under a precedent called “third party doctrine,” which […]

Continue Reading

Study Reveals (Sad) Psychology of Facebook Scam Victims

Bad is good enough, according to a study of over 850,000 Facebook scams by the antivirus software provider Bitdefender. (PDF version of the report is here.) The two-year study of Facebook scams in the UK, the US and Europe found that a short list of lame, repackaged tricks are a well that never runs dry: fooling Facebook users by playing on their curiosity, vanity or naiveté.   Almost half of social media e-threats prey on users’ curiosity. Far and away the top category of scam on Facebook  are ‘profile view’ scams that offer Facebook users the ability to see who has viewed their profile. That ruse accounted for 45% of all scams on the 1 billion strong social network. The scam has been linked to malicious software downloads – often in the form of browser ‘plug-ins’ that promise to reveal Facebook profile views. It works well because it plays on Facebook users curiosity […]

Continue Reading

Customer Support A Weak Link In Two Factor | Ars Technica

Ars Technica has an interesting write-up on an apparently successful compromise of Google’s two-factor authentication technology. Though in this case, the culprit wasn’t any system Google deployed or managed, but a gullible customer support representative working for the victim’s cell phone carrier. According to this post over at Facebook-for-hipsters site Ello.co, Grant Blakeman woke up on a recent Saturday morning to find that his Google account had been hijacked – despite the fact that he used Google’s two-factor authentication to protect access to the account. How? Blakeman enlisted the help of none-other than Mat Honan, whose own struggles with account hijacking became the subject of a much-cited Wired feature article. As with Honan, Blakeman’s valuable three-character Instagram account, @gb, appears to have been the lure for hackers. (Honan’s @mat Twitter account was what lured his attackers.) Read “Researchers sidestep Paypal Two-Factor Authentication.” After a conversation with Honan, Blakeman contacted his cell provider and […]

Continue Reading

Malware Campaign Against Industrial Systems Almost 3 Years Old

The U.S. Government’s Industrial Control System CERT (ICS-CERT) said on Thursday that a campaign targeting industrial control system (ICS) software began in January, 2012 and targeted industrial systems that were directly connected to the public Internet. ICS-CERT said in an alert published on Wednesday that “HMI” (or Human-Machine Interfaces) products from vendors including GE, Advantech/Broadwin and Siemens may have been infected with variants of the BlackEnergy malware since January, 2012. Infected firms were running versions of the GE’s Cimplicity, Advantech/Broadwin’s WebAccess or Siemens’ WinCC with what ICS-CERT called a “direct Internet connection.” In some cases, as with the GE Cimplicity attacks, hackers exploited a known vulnerability in the Cimplicity software to gain access. In others (as with WebAccess and WinCC) the method by which the software was compromised isn’t known, ICS-CERT said. CERT said it hasn’t documented any cases of control processes being modified by the malware. However, BlackEnergy is typically used […]

Continue Reading
1 48 49 50 51 52 76