May 1, 2016

3 reasons why teaching somebody to drive a car is easier than training employees to work securely

I love using analogies when explaining things to people. If we compare learning some common activity that we all understand, like training people to drive, with […]
May 1, 2016

Data Breach Story: Law firms hacked for insider information

As you can imagine, there are a multitude of reasons why businesses get hacked. Often, it's for personal information in support of identity theft. But while […]
May 12, 2016

The Teachable Moment: Finding your organization's current level of vulnerability to phishing attacks… for free.

Are Phishing Assessments Really a Thing? By now, you've probably heard that some organizations are using simulated phishing attacks on their employees. Is this a smart thing to do, or is it just the security team trying to scare people? Filling up employees' inboxes with even more malicious email may just sound cruel. But there's a very good reason for doing this.
May 30, 2016

Beware the ghosts of smart device owners – past and future

I haven’t been able to find a reliable source for this story, other than that it was recounted by Leo Laporte on the Security Now podcast episode #561. However, the scenario illustrates a couple of interesting risks from using Smart devices, where the devices may have been returned by an original purchaser, and then purchased by somebody else.
May 30, 2016

LinkedIn: Oops. Did we say you weren’t affected by that breach back in 2012?

If this sounds like old news, it actually is, but with a slight twist that you should think about. In 2012, LinkedIn was hacked, and password data for millions of the social network’s users was exposed. At the time, LinkedIn assessed the situation and made a public disclosure, as well as forcing millions of affected users to reset their passwords. However, they seem to have made an error in determining which accounts were actually at risk.
May 30, 2016

With a target as big as SWIFT, you’d expect them to be prepared for breaches originating from within trusted banks

If you were an attacker looking for the biggest financial return on your investment in evil criminal schemes, you would probably look at international banking transfer systems as being a nice, big target. In fact, a security investigation company revealed that a number of banks connected to the Society for Worldwide Interbank Financial Transactions (SWIFT) network were recently targeted in massive fraud attacks. It may seem surprising, but the attackers were able to easily cover their tracks on the systems they accessed after submitting bogus transfer request messages.
May 30, 2016

Even with isolated networks, nuclear power plants are still infested with malware

You might imagine nuclear power facilities to have state-of-the-art security, with locked-down computers that can only run software that the installers authorized. Well, this doesn’t seem to be the case in some facilities. At a nuclear power plant 75 km from Munich, Germany, employees discovered serious pieces of malware, including Conficker and Ramnit. In addition, they discovered 18 USB drives that had malware on them in the facility. And this isn’t the only case.
May 30, 2016

When there's a choice between privacy and sizzle, Google usually goes with sizzle by default

Google is offering an innovative messaging product called Allo to compete with other mobile messaging apps. It has features like suggesting responses to messages from your friends, to save you time. But to do this, it needs access to all of the message content. You will also have an option to turn on end-to-end encryption, which uses the secure Signal protocol. However, if you do turn on the end-to-end encryption feature, you won't get the "sizzle" features like the message reply suggestions. So, let's just be clear about privacy versus convenience.
June 3, 2016

A live recorded example of how attackers get into online accounts using social engineering

If you think companies you trust have good security practices for authenticating their customers in phone support calls, you may be right. But the security of call-centre support processes is becoming a serious issue. Every call-centre rep is human, and humans respond to emotional situations in different ways. This is what many attackers are learning to exploit.
June 9, 2016

It just got more expensive to lose your personal information to identity theft

In one sense, it’s hard to believe it’s taken so long for identity theft to get to this point. At least, up until now, most of […]