Breach of Spyware Company mSpy Exposes iCloud Account Information for Millions - SecureMac
Apple users should consider changing their iCloud passwords after a recent breach reportedly exposed the account information of millions of people. The breach involved a company called mSpy, a spyware-as-a-service business. mSpy sells mobile and computer software that allows users to spy on their friends or family members. The software is also marketed to allow parents to see what their children are doing on their devices. However, this type of software is technically illegal and mSpy has a shady reputation.
At the end of August, security researchers Brian Krebs and Nitish Shah discovered that mSpy had posted a database containing millions of iCloud usernames and authentication tokens. Shah discovered the database first and tried to notify mSpy of the issue but was blocked by the company for requesting an audience with their chief technology officer. Krebs later got in touch with mSpy’s CTO and the database was taken down.
data  breach  icloud  security  privacy  krebs  passwords 
2 days ago by rgl7194
What the Marriott Breach Says About Security — Krebs on Security
We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.
For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn’t mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.
It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.
security  privacy  data  breach  marriott  hack  krebs 
8 days ago by rgl7194
Marriott: Data on 500 Million Guests Stolen in 4-Year Breach — Krebs on Security
Hospitality giant Marriott today disclosed a massive data breach exposing the personal and financial information on as many as a half billion customers who made reservations at any of its Starwood properties over the past four years.
Marriott said the breach involved unauthorized access to a database containing guest information tied to reservations made at Starwood properties on or before Sept. 10, 2018, and that its ongoing investigation suggests the perpetrators had been inside the company’s networks since 2014.
Marriott said the intruders encrypted information from the hacked database (likely to avoid detection by any data-loss prevention tools when removing the stolen information from the company’s network), and that its efforts to decrypt that data set were not yet complete. But so far the hotel network believes that the encrypted data cache includes information on up to approximately 500 million guests who made a reservation at a Starwood property.
security  privacy  data  breach  marriott  hack  krebs 
8 days ago by rgl7194
Half of all Phishing Sites Now Have the Padlock — Krebs on Security
Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”.
Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That’s up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018.
This alarming shift is notable because a majority of Internet users have taken the age-old “look for the lock” advice to heart, and still associate the lock icon with legitimate sites. A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe.
phishing  security  privacy  HTTP/S  krebs  browser 
15 days ago by rgl7194
How to Shop Online Like a Security Pro — Krebs on Security
‘Tis the season when even those who know a thing or two about Internet scams tend to let down their guard in the face of an eye-popping discount or the stress of last-minute holiday shopping. So here’s a quick refresher course on how to make it through the next few weeks without getting snookered online.
Adopting a shopping strategy of simply buying from the online merchant with the lowest advertised prices can be a bit like playing Russian Roulette with your wallet, for the simple reason that there are tons of completely fake e-commerce sites out there looking to separate the unwary from their credit card details.
Even people who shop mainly at big-name online stores can get scammed if they’re not wary of too-good-to-be-true offers. For example, KrebsOnSecurity got taken for hundreds of dollars just last year after trying to buy a pricey Sonos speaker from an established Amazon merchant who was selling it new and unboxed at a huge discount.
I later received an email from the seller, who said his Amazon account had been hacked and abused by scammers to create fake sales. Amazon ultimately refunded the money, but if this happens to you around the holidays it could derail plans to get all your shopping done before the expected gift-giving day arrives.
shopping  security  privacy  krebs  internet 
17 days ago by rgl7194
USPS Site Exposed Data on 60 Million Users — Krebs on Security
U.S. Postal Service just fixed a security weakness that allowed anyone who has an account at to view account details for some 60 million other users, and in some cases to modify account details on their behalf.
KrebsOnSecurity was contacted last week by a researcher who discovered the problem, but who asked to remain anonymous. The researcher said he informed the USPS about his finding more than a year ago yet never received a response. After confirming his findings, this author contacted the USPS, which promptly addressed the issue.
The problem stemmed from an authentication weakness in a USPS Web component known as an “application program interface,” or API — basically, a set of tools defining how various parts of an online application such as databases and Web pages should interact with one another.
mail  gov2.0  security  privacy  bug  krebs  data  API 
18 days ago by rgl7194
U.S. Secret Service Warns ID Thieves are Abusing USPS’s Mail Scanning Service — Krebs on Security
A year ago, KrebsOnSecurity warned that “Informed Delivery,” a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes.
The internal alert — sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide — references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS’s Web site.
According to the Secret Service alert, the accused used the Informed Delivery feature “to identify and intercept mail, and to further their identity theft fraud schemes.”
mail  scanning  identity_theft  security  privacy  krebs  gov2.0  email 
4 weeks ago by rgl7194
Supply Chain Security 101: An Expert’s View — Krebs on Security
Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain security, and I asked Sager whether he’d heard anything about rumors that Supermicro — a high tech firm in San Jose, Calif. — had allegedly inserted hardware backdoors in technology sold to a number of American companies.
Tony Sager, senior vice president and chief evangelist at the Center for Internet Security.
The event Sager and I spoke at was prior to the publication of Bloomberg Businessweek‘s controversial story alleging that Supermicro had duped almost 30 companies into buying backdoored hardware. Sager said he hadn’t heard anything about Supermicro specifically, but we chatted at length about the challenges of policing the technology supply chain.
Below are some excerpts from our conversation. I learned quite a bit, and I hope you will, too.
apple  hack  security  privacy  chip  china  supply_chain  server  amazon  krebs  interview  101 
8 weeks ago by rgl7194
Supply chain security is the whole enchilada, but who’s willing to pay for it? • Krebs On Security
Brian Krebs:
Most of what I have to share here is based on conversations with some clueful people over the years who would probably find themselves confined to a tiny, windowless room for an extended period if their names or quotes ever showed up in a story like this, so I will tread carefully around this subject.

The U.S. Government isn’t eager to admit it, but there has long been an unofficial inventory of tech components and vendors that are forbidden to buy from if you’re in charge of procuring products or services on behalf of the U.S. Government. Call it the “brown list,” “black list,” “entity list” or what have you, but it’s basically an indelible index of companies that are on the permanent Shit List of Uncle Sam for having been caught pulling some kind of supply chain shenanigans.

More than a decade ago when I was a reporter with The Washington Post, I heard from an extremely well-placed source that one Chinese tech company had made it onto Uncle Sam’s entity list because they sold a custom hardware component for many Internet-enabled printers that secretly made a copy of every document or image sent to the printer and forwarded that to a server allegedly controlled by hackers aligned with the Chinese government.

That example gives a whole new meaning to the term “supply chain,” doesn’t it? If Bloomberg’s reporting is accurate, that’s more or less what we’re dealing with here in Supermicro as well.

But here’s the thing: Even if you identify which technology vendors are guilty of supply-chain hacks, it can be difficult to enforce their banishment from the procurement chain. One reason is that it is often tough to tell from the brand name of a given gizmo who actually makes all the multifarious components that go into any one electronic device sold today.
Krebs  supermicro 
9 weeks ago by charlesarthur
Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It? — Krebs on Security
From time to time, there emerge cybersecurity stories of such potential impact that they have the effect of making all other security concerns seem minuscule and trifling by comparison. Yesterday was one of those times. Bloomberg Businessweek on Thursday published a bombshell investigation alleging that Chinese cyber spies had used a U.S.-based tech firm to secretly embed tiny computer chips into electronic devices purchased and used by almost 30 different companies. There aren’t any corroborating accounts of this scoop so far, but it is both fascinating and terrifying to look at why threats to the global technology supply chain can be so difficult to detect, verify and counter.
In the context of computer and Internet security, supply chain security refers to the challenge of validating that a given piece of electronics — and by extension the software that powers those computing parts — does not include any extraneous or fraudulent components beyond what was specified by the company that paid for the production of said item.
apple  hack  security  privacy  chip  china  supply_chain  server  amazon  krebs 
9 weeks ago by rgl7194
Sophisticated Voice Phishing Scams - Schneier on Security
Brian Krebs is reporting on some new and sophisticated phishing scams over the telephone.
I second his advice: "never give out any information about yourself in response to an unsolicited phone call." Always call them back, and not using the number offered to you by the caller. Always.
EDITED TO ADD: In 2009, I wrote:
When I was growing up, children were commonly taught: "don't talk to strangers." Strangers might be bad, we were told, so it's prudent to steer clear of them.
And yet most people are honest, kind, and generous, especially when someone asks them for help. If a small child is in trouble, the smartest thing he can do is find a nice-looking stranger and talk to him.
These two pieces of advice may seem to contradict each other, but they don't. The difference is that in the second instance, the child is choosing which stranger to talk to. Given that the overwhelming majority of people will help, the child is likely to get help if he chooses a random stranger. But if a stranger comes up to a child and talks to him or her, it's not a random choice. It's more likely, although still unlikely, that the stranger is up to no good.
That advice is generalizable to this instance as well. The problem isn't that someone claiming to be from your bank is asking for personal information. The problem is that they contacted you first.
Where else does this advice hold true?
banking  cellphones  credit_cards  krebs  phishing  privacy  scam  security 
9 weeks ago by rgl7194
Voice Phishing Scams Are Getting More Clever — Krebs on Security
Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it’s easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you’re too smart to fall for one? Think again: Even technology experts are getting taken in by some of the more recent schemes (or very nearly).
Matt Haughey is the creator of the community Weblog MetaFilter and a writer at Slack. Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses.
Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him.
Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out.
Haughey told the lady that he would need a replacement card immediately because he was about to travel out of state to California. Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren’t made in either Oregon or California.
phishing  security  privacy  credit_cards  scam  banking  krebs  cellphones 
10 weeks ago by rgl7194
Facebook Security Bug Affects 90M Users — Krebs on Security
Facebook said today some 90 million of its users may get forcibly logged out of their accounts after the company fixed a rather glaring security vulnerability in its Web site that may have let attackers hijack user profiles.
In a short blog post published this afternoon, Facebook said hackers have been exploiting a vulnerability in Facebook’s site code that impacted a feature called “View As,” which lets users see how their profile appears to other people.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Facebook wrote. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
Facebook said it was removing the insecure “View As” feature, and resetting the access tokens of 50 million accounts that the company said it knows were affected, as well as the tokens for another 40 million users that may have been impacted over the past year.
facebook  security  privacy  data  breach  krebs 
10 weeks ago by rgl7194
Privatpraxis Dr. Strunz
We know more. So that you no longer need to be afraid of chemotherapy, we recommend

No carb. At most 20 g of carbohydrates per day.
Maximum vitamin supply.
In practice, the second point alone has frequently turned out to be sufficient. Good news for many of you. Maximum? In practical terms this means

Multivitamins such as Vitamineral or Orthomolar six times a day.
Targeted optimisation of vitamin D and zinc.
A perfect aminogram.
Those were practical recommendations. Tried and tested. Not yet described in the scientific literature. Now and then you read letters in these news items from cancer patients who report, astonished, that they “noticed nothing at all” of the chemotherapy.

Beyond all the typical academic debates, all the quarrels, all the jealousies among professors: should people who are already beaten down, namely cancer patients, not be offered this hope, which is so easy to make real?

Translated, that means: Dear colleague oncologist, even if you do not believe in this “nonsense”, you would lose nothing by informing the patient about such harmless measures. If the patient then no longer has to suffer...
Hilfe  gegen  Krebs  Chemotherapie  Vitamine  low_carb  Dosis  20g_KH 
11 weeks ago by snearch
Credit Freezes are Free: Let the Ice Age Begin — Krebs on Security
It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable revenue stream.
Enacted in May 2018, the Economic Growth, Regulatory Relief and Consumer Protection Act rolls back some of the restrictions placed on banks in the wake of the Great Recession of the last decade. But it also includes a silver lining. Previously, states allowed the bureaus to charge a confusing range of fees for placing, temporarily thawing or lifting a credit freeze. Today, those fees no longer exist.
krebs  security  privacy  credit_freeze  free  gov2.0 
11 weeks ago by rgl7194