Supply Chain Security 101: An Expert’s View — Krebs on Security
Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain security, and I asked Sager whether he’d heard anything about rumors that Supermicro — a high tech firm in San Jose, Calif. — had allegedly inserted hardware backdoors in technology sold to a number of American companies.
Tony Sager, senior vice president and chief evangelist at the Center for Internet Security.
The event Sager and I spoke at was prior to the publication of Bloomberg Businessweek‘s controversial story alleging that Supermicro had duped almost 30 companies into buying backdoored hardware. Sager said he hadn’t heard anything about Supermicro specifically, but we chatted at length about the challenges of policing the technology supply chain.
Below are some excerpts from our conversation. I learned quite a bit, and I hope you will, too.
apple  hack  security  privacy  chip  china  supply_chain  server  amazon  krebs  interview  101 
7 days ago by rgl7194
Supply chain security is the whole enchilada, but who’s willing to pay for it? • Krebs On Security
Brian Krebs:
Most of what I have to share here is based on conversations with some clueful people over the years who would probably find themselves confined to a tiny, windowless room for an extended period if their names or quotes ever showed up in a story like this, so I will tread carefully around this subject.

The U.S. Government isn’t eager to admit it, but there has long been an unofficial inventory of tech components and vendors that are forbidden to buy from if you’re in charge of procuring products or services on behalf of the U.S. Government. Call it the “brown list,” “black list,” “entity list” or what have you, but it’s basically an indelible index of companies that are on the permanent Shit List of Uncle Sam for having been caught pulling some kind of supply chain shenanigans.

More than a decade ago when I was a reporter with The Washington Post, I heard from an extremely well-placed source that one Chinese tech company had made it onto Uncle Sam’s entity list because they sold a custom hardware component for many Internet-enabled printers that secretly made a copy of every document or image sent to the printer and forwarded that to a server allegedly controlled by hackers aligned with the Chinese government.

That example gives a whole new meaning to the term “supply chain,” doesn’t it? If Bloomberg’s reporting is accurate, that’s more or less what we’re dealing with here in Supermicro as well.

But here’s the thing: Even if you identify which technology vendors are guilty of supply-chain hacks, it can be difficult to enforce their banishment from the procurement chain. One reason is that it is often tough to tell from the brand name of a given gizmo who actually makes all the multifarious components that go into any one electronic device sold today.
Krebs  supermicro 
13 days ago by charlesarthur
Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It? — Krebs on Security
From time to time, there emerge cybersecurity stories of such potential impact that they have the effect of making all other security concerns seem minuscule and trifling by comparison. Yesterday was one of those times. Bloomberg Businessweek on Thursday published a bombshell investigation alleging that Chinese cyber spies had used a U.S.-based tech firm to secretly embed tiny computer chips into electronic devices purchased and used by almost 30 different companies. There aren’t any corroborating accounts of this scoop so far, but it is both fascinating and terrifying to look at why threats to the global technology supply chain can be so difficult to detect, verify and counter.
In the context of computer and Internet security, supply chain security refers to the challenge of validating that a given piece of electronics — and by extension the software that powers those computing parts — does not include any extraneous or fraudulent components beyond what was specified by the company that paid for the production of said item.
apple  hack  security  privacy  chip  china  supply_chain  server  amazon  krebs 
14 days ago by rgl7194
Sophisticated Voice Phishing Scams - Schneier on Security
Brian Krebs is reporting on some new and sophisticated phishing scams over the telephone.
I second his advice: "never give out any information about yourself in response to an unsolicited phone call." Always call them back, and not using the number offered to you by the caller. Always.
EDITED TO ADD: In 2009, I wrote:
When I was growing up, children were commonly taught: "don't talk to strangers." Strangers might be bad, we were told, so it's prudent to steer clear of them.
And yet most people are honest, kind, and generous, especially when someone asks them for help. If a small child is in trouble, the smartest thing he can do is find a nice-looking stranger and talk to him.
These two pieces of advice may seem to contradict each other, but they don't. The difference is that in the second instance, the child is choosing which stranger to talk to. Given that the overwhelming majority of people will help, the child is likely to get help if he chooses a random stranger. But if a stranger comes up to a child and talks to him or her, it's not a random choice. It's more likely, although still unlikely, that the stranger is up to no good.
That advice is generalizable to this instance as well. The problem is that someone claiming to be from your bank asking for personal information. The problem is that they contacted you first.
Where else does this advice hold true?
banking  cellphones  credit_cards  krebs  phishing  privacy  scam  security 
17 days ago by rgl7194
Voice Phishing Scams Are Getting More Clever — Krebs on Security
Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it’s easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you’re too smart to fall for one? Think again: Even technology experts are getting taken in by some of the more recent schemes (or very nearly).
Matt Haughey is the creator of the community Weblog MetaFilter and a writer at Slack. Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses.
Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him.
Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out.
Haughey told the lady that he would need a replacement card immediately because he was about to travel out of state to California. Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren’t made in either Oregon or California.
phishing  security  privacy  credit_cards  scam  banking  krebs  cellphones 
18 days ago by rgl7194
Facebook Security Bug Affects 90M Users — Krebs on Security
Facebook said today some 90 million of its users may get forcibly logged out of their accounts after the company fixed a rather glaring security vulnerability in its Web site that may have let attackers hijack user profiles.
In a short blog post published this afternoon, Facebook said hackers have been exploiting a vulnerability in Facebook’s site code that impacted a feature called “View As,” which lets users see how their profile appears to other people.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Facebook wrote. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
Facebook said it was removing the insecure “View As” feature, and resetting the access tokens of 50 million accounts that the company said it knows were affected, as well as the tokens for another 40 million users that may have been impacted over the past year.
facebook  security  privacy  data  breach  krebs 
22 days ago by rgl7194
Privatpraxis Dr. Strunz
We know more. So that you no longer need to be afraid of chemotherapy, we recommend

No carb. A maximum of 20 g of carbohydrates per day.
Maximum vitamin supply.
In practice, the second point alone has often turned out to be sufficient. Good news for many of you. Maximum? In practical terms that means

Multivitamins such as Vitamineral or Orthomolar six times a day.
Targeted optimization of vitamin D and zinc.
A perfect aminogram.
Those were practical pieces of advice. Tried and tested. Not yet described in the scientific literature. Now and then you read letters in these news items from cancer patients who report with astonishment that they “noticed nothing at all” of the chemotherapy.

Beyond all the typical academic debates, all the quarrels, all the jealousies among professors: shouldn’t people who are already beaten down, namely cancer patients, be offered this hope, which is so easy to make real?

Translated, that means: Dear colleague oncologist, even if you don’t believe in this “nonsense,” you would lose nothing by informing the patient about such harmless measures. If the patient then no longer has to suffer...
Hilfe  gegen  Krebs  Chemotherapie  Vitamine  low_carb  Dosis  20g_KH 
27 days ago by snearch
Credit Freezes are Free: Let the Ice Age Begin — Krebs on Security
It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable revenue stream.
Enacted in May 2018, the Economic Growth, Regulatory Relief and Consumer Protection Act rolls back some of the restrictions placed on banks in the wake of the Great Recession of the last decade. But it also includes a silver lining. Previously, states allowed the bureaus to charge a confusing range of fees for placing, temporarily thawing or lifting a credit freeze. Today, those fees no longer exist.
krebs  security  privacy  credit_freeze  free  gov2.0 
29 days ago by rgl7194
Instagram’s New Security Tools are a Welcome Step, But Not Enough — Krebs on Security
Instagram users should soon have more secure options for protecting their accounts against Internet bad guys. On Tuesday, the Facebook-owned social network said it is in the process of rolling out support for third-party authentication apps. Unfortunately, this welcome new security offering does nothing to block Instagram account takeovers when thieves manage to hijack a target’s mobile phone number — an increasingly common crime.
New two-factor authentication options Instagram says it is rolling out to users over the next few weeks.
For years, security experts have warned that hackers are exploiting weak authentication at Instagram to commandeer accounts. Instagram has long offered users a security option to have a one-time code sent via text message to a mobile device, but these codes can be intercepted via several methods (more on that in a bit).
The new authentication offering requires users to download a third-party app like Authy, Duo or Google Authenticator, which generates a one-time code that needs to be entered after the user supplies a password.
In a blog post Tuesday, Instagram said support for third-party authenticator apps “has begun to roll out and will be available to the global community in the coming weeks.”
2FA  instagram  privacy  security  krebs 
6 weeks ago by rgl7194
Fiserv Flaw Exposed Customer Data at Hundreds of Banks — Krebs on Security
Fiserv, Inc., a major provider of technology services to financial institutions, just fixed a glaring weakness in its Web platform that exposed personal and financial details of countless customers across hundreds of bank Web sites, KrebsOnSecurity has learned.
Brookfield, Wisc.-based Fiserv [NASDAQ:FISV] is a Fortune 500 company with 24,000 employees and $5.7 billion in earnings last year. Its account and transaction processing systems power the Web sites for hundreds of financial institutions — mostly small community banks and credit unions. According to, Fiserv is by far the top bank core processor, with more than 37 percent market share.
banking  bug  security  privacy  krebs  web-dev 
6 weeks ago by rgl7194
Hanging Up on Mobile in the Name of Security — Krebs on Security
An entrepreneur and virtual currency investor is suing AT&T for $224 million, claiming the wireless provider was negligent when it failed to prevent thieves from hijacking his mobile account and stealing millions of dollars in cryptocurrencies. Increasingly frequent, high-profile attacks like these are prompting some experts to say the surest way to safeguard one’s online accounts may be to disconnect them from the mobile providers entirely.
The claims come in a lawsuit filed this week in Los Angeles on behalf of Michael Terpin, who co-founded the first angel investor group for bitcoin enthusiasts in 2013. Terpin alleges that crooks stole almost $24 million worth of cryptocurrency after fraudulently executing a “SIM swap” on his mobile phone account at AT&T in early 2018.
A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.
security  privacy  mobile  banking  SIM  krebs  smartphone  cryptocurrency 
6 weeks ago by rgl7194
Who’s Behind the Screencam Extortion Scam? — Krebs on Security
The sextortion email scam last month that invoked a real password used by each recipient and threatened to release embarrassing Webcam videos almost certainly was not the work of one criminal or even one group of criminals. Rather, it’s likely that additional spammers and scammers piled on with their own versions of the phishing email after noticing that some recipients were actually paying up. The truth is we may never find out who’s responsible, but it’s still fun to follow some promising leads and see where they take us.
On August 7, 2018, a user on the forum of free email service hMailServer posted a copy of the sextortion email he received, noting that it included a password he’d formerly used online.
Helpfully, this user pasted a great deal of information from the spam email message, including the domain name from which it was sent (williehowell-dot-com) and the Internet address of the server that sent the message (
security  privacy  extortion  email  sex  twitter  scam  hack  passwords  krebs 
7 weeks ago by rgl7194
The Year Targeted Phishing Went Mainstream — Krebs on Security
A story published here on July 12 about a new sextortion-based phishing scheme that invokes a real password used by each recipient has become the most-read piece on KrebsOnSecurity since this site launched in 2009. And with good reason — sex sells (the second most-read piece here was my 2015 scoop about the Ashley Madison hack).
But beneath the lurid allure of both stories lies a more unsettling reality: It has never been easier for scam artists to launch convincing, targeted phishing and extortion scams that are automated on a global scale. And given the sheer volume of hacked and stolen personal data now available online, it seems almost certain we will soon witness many variations on these phishing campaigns that leverage customized data elements to enhance their effectiveness.
security  privacy  phishing  sex  crime  krebs 
8 weeks ago by rgl7194
Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M — Krebs on Security
Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses.
According to a lawsuit filed last month in the Western District of Virginia, the first heist took place in late May 2016, after an employee at The National Bank of Blacksburg fell victim to a targeted phishing email.
The email allowed the intruders to install malware on the victim’s PC and to compromise a second computer at the bank that had access to the STAR Network, a system run by financial industry giant First Data that the bank uses to handle debit card transactions for customers. That second computer had the ability to manage National Bank customer accounts and their use of ATMs and bank cards.
security  privacy  banking  hack  money  insurance  krebs  phishing  ATM 
8 weeks ago by rgl7194
Colorectal Cancer Screening: What Changes for Insured Persons - SPIEGEL ONLINE
Risk factors for colorectal cancer include smoking, obesity, a low-fibre diet, lack of exercise, and regular consumption of meat and alcohol.
health  Früherkennung  Krebs  Darmkrebs  Vorsorge  Koloskopie  Risikofaktor  ballaststoffarme_Ernährung  Ballaststoff  Krankenkasse  Pflichtprogramm 
8 weeks ago by snearch