DNS service provider Dyn was attacked several times on Friday via a DDoS (distributed denial of service) – hackers basically flooded their systems with so much traffic that nothing could get through. This impacted Dyn clients such as Twitter, Netflix, The NY Times, Spotify, and others. This was a sophisticated, highly distributed attack involving tens of millions of endpoints, using bots that co-opted insecure IoT (Internet of Things) devices like IP-enabled cameras and smart-home devices. Those bots hijack IoT devices via malware and use the devices to blast the Dyn servers with bogus traffic, clogging the pipes.
As the Digital Marketing Manager, I often find myself on social media every day. I keep our company accounts updated, and I’m always browsing around for the latest news.
Prior to starting at Security Innovation, I worked a great deal in the agency space. I remember one instance when a client contacted me and asked whether I had posted anything to their account recently... turns out, their Facebook page admin (an employee) had their account hacked and the hacker used the company page she was connected with to start posting some spam messages on their behalf. After investigating, I realized very few clients actually had security measures in place for any of their online accounts. These were some large, well-known businesses. What should they have done to better protect their brand reputation and the information in their accounts? And if they don't protect their personal accounts, what happens to their business?
Today, I want to talk about a recent form of malware that has been causing major trouble: Ransomware.
That’s right: RANSOMware. It is exactly how it sounds:
A type of malicious software that restricts access to a victim’s infected computer while demanding that the victim pay money to the operators of the malicious software before that software is removed and access is regained.
One year ago, if you asked me how much I thought about securing my information online, I would probably have said very little. I was in the majority of users who believed "It won't happen to me. I know what a spam email looks like. I pay attention to my accounts. I'm careful in protecting my information." It never crossed my mind that someone could potentially tamper with my Nest thermostats. I'd probably have my phone automatically connect to any public WiFi. Two-factor authentication or passcodes on my phone? Not worth the extra inconvenience.
Google paid over $1.2 M in bug bounties to security researchers for reporting cross-site scripting (XSS) bugs in Google applications during the past 2 years. This fact is mentioned matter-of-factly in a blog article discussing a newly-released security tool.
Week 1 of National Cyber Security Awareness Month has a focus on educating and getting people involved in cybersecurity - including careers.
You've probably noticed there aren't a lot of women in information security. This is presumably for the same reasons there aren't many women in technology in general: it's partly a pipeline problem and partly because women get frustrated with the unfriendly culture and leave. Some progressive organizations, like WISP and TiaraCon, are working to change this, and even Facebook's CISO has talked about the need to make women feel more welcome. At Security Innovation, we're trying to do our part by running web security hackathons for women, to help them build their security skills and get newcomers excited about the field.
The moment you realize one of your online accounts has been hacked can send a number of emotions raging through your head. Unfortunately, when it comes to online security, many of us don't think about it seriously until after it's too late. And even if we do everything in our power to create strong passwords and store data safely, there are many factors out of the end-user’s control such as vulnerabilities in the software itself that could result in a data breach. However, if you act quickly and rationally, you can mitigate the damage caused by a hack.
Tesla Motors recently issued an over-the-air software update to make its Autopilot system rely more on radar than cameras. This update was in response to a highly publicized crash in May 2016 in which a 40-year-old man was killed when his Tesla crashed into a turning tractor trailer. Tesla wrote in a blog post that Autopilot didn't detect "the white side of the tractor trailer against a brightly lit sky, so the brake was not applied." Without more information about the accident I can only speculate, but let me try to reflect on the problem and how security plays a role. The cause of the accident was that the camera did not detect the object because of natural/non-malicious blinding. I define blinding as the action of affecting the camera in a way that objects are not detected, either partial or full blinding. So, what does it say about the robustness of the system against blinding attacks? It says that Tesla's Autopilot apparently does not prioritize safety or does not do sensor fusion correctly, if at all.
Multiple options are available for mitigating automated password guessing attacks, and choosing the most appropriate one(s) requires understanding the trade-offs between security and usability of each. Regardless, the goal is to implement a set of controls that effectively prevents all types of password guessing attacks from succeeding. The solution typically entails a combination of strong password requirements, account lockouts, throttling of authentication attempts, logging, and multi-factor authentication (MFA).
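The combination of controls the paragraph describes, as an added example that is not the post's own code: a hypothetical LoginGuard class that applies a per-account lockout, exponential per-(account, IP) throttling and an audit log before the password is ever verified, replayed over a constructed sequence of login attempts on a fake clock. The account names, IPs and thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict
MAX_FAILURES = 5         # consecutive failures before the account locks
LOCKOUT_SECONDS = 900    # how long a locked account stays locked
BACKOFF_BASE = 2.0       # throttle delay = BACKOFF_BASE ** failures seconds

class LoginGuard:
    """Account lockout + per-(account, ip) throttling + audit log (hypothetical helper)."""
    def __init__(self, clock):
        self.clock = clock                      # injectable for testing
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.locked_until = {}                  # account -> time the lock expires
        self.next_allowed = defaultdict(float)  # (account, ip) -> earliest retry
        self.audit_log = []                     # one line per decision

    def attempt(self, account, ip, verify):
        """verify() runs only after the lockout/throttle gates; returns the outcome."""
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return self._log(now, account, ip, "locked")
        if self.next_allowed[(account, ip)] > now:
            return self._log(now, account, ip, "throttled")
        if verify():
            self.failures[account] = 0          # a good login clears the streak
            self.next_allowed.pop((account, ip), None)
            return self._log(now, account, ip, "success")
        self.failures[account] += 1
        n = self.failures[account]
        self.next_allowed[(account, ip)] = now + BACKOFF_BASE ** n  # 2s, 4s, 8s ...
        if n >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return self._log(now, account, ip, "locked")
        return self._log(now, account, ip, "failure")

    def _log(self, ts, account, ip, outcome):
        self.audit_log.append(f"t={ts:.0f} account={account} ip={ip} outcome={outcome}")
        return outcome

def simulate(attempts):
    # Replay constructed (time, account, ip, password_ok) tuples on a fake clock.
    state = {"t": 0.0}
    guard = LoginGuard(clock=lambda: state["t"])
    outcomes = []
    for t, account, ip, ok in attempts:
        state["t"] = t
        outcomes.append(guard.attempt(account, ip, lambda ok=ok: ok))
    return outcomes, guard

# Constructed sample: a guessing run from 10.0.0.1, then the real user from 10.0.0.2.
SAMPLE = [(0, "alice", "10.0.0.1", False), (1, "alice", "10.0.0.1", False),
          (3, "alice", "10.0.0.1", False), (8, "alice", "10.0.0.1", False),
          (20, "alice", "10.0.0.1", False), (40, "alice", "10.0.0.1", False),
          (50, "alice", "10.0.0.2", True), (1000, "alice", "10.0.0.2", True)]
```

The replay shows the usability trade-off the paragraph mentions: the lockout triggered at t=40 also denies the legitimate user arriving from 10.0.0.2 at t=50, which is why lockouts are paired with throttling, logging and MFA rather than used alone.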
The National Highway Traffic Safety Administration (NHTSA), part of the US Department of Transportation, recently issued its much-anticipated Federal Automated Vehicles Policy. This 116-page document is guidance, not mandatory rulemaking, meant to "guide manufacturers and other entities in the safe design, development, testing, and deployment of HAVs [Highly Automated Vehicles]."