
October 14 2017

3we

Adware on Equifax website: company blames third-party provider

Equifax is once again making headlines with a security incident: this time the company's website delivered adware. However, the cause is said to have been third-party code rather than a server hack.

Encryption: Nobody has any intention of cracking TLS

A proposed extension for the upcoming TLS 1.3 could effectively break the encryption. Internet, mobile and cloud providers, however, do not want to comment on it publicly. And the next similar idea is already back on the agenda.

October 12 2017

IoT penetration testing

This article deals with vulnerabilities in IT networks caused by insecure IoT devices. It shows how IoT security tests can contribute to improving application security, especially on the Internet. A newly discovered vulnerability in a washing machine, for example, allows access to the web server running on it. The problem is less the vulnerability itself than the way the manufacturer handled it.

Published in: Datenschutz und Datensicherheit – DuD, October 2017, Volume 41, Issue 10, pp. 623–627

Moscow Has Turned Kaspersky Antivirus Software Into a Global Spy Tool, Using It To Scan Computers For Secret US Data

WSJ has a major scoop today. From a report:

The Russian government used a popular antivirus software to secretly scan computers around the world for classified U.S. government documents and top-secret information, modifying the program to turn it into an espionage tool (could be paywalled), according to current and former U.S. officials with knowledge of the matter. The software, made by the Moscow-based company Kaspersky Lab, routinely scans files of computers on which it is installed looking for viruses and other malicious software. But in an adjustment to its normal operations that the officials say could only have been made with the company's knowledge, the program searched for terms as broad as "top secret," which may be written on classified government documents, as well as the classified code names of U.S. government programs, these people said. The Wall Street Journal reported last week that Russian hackers used Kaspersky's software in 2015 to target a contractor working for the National Security Agency, who had removed classified materials from his workplace and put them on his home computer, which was running the program. The hackers stole highly classified information on how the NSA conducts espionage and protects against incursions by other countries, said people familiar with the matter. But the use of the Kaspersky program to spy on the U.S. is broader and more pervasive than the operation against that one individual, whose name hasn't been publicly released, current and former officials said.
This link should get you around WSJ's paywall. Also read: Israeli Spies 'Watched Russian Agents Breach Kaspersky Software'

Equifax website borked again, this time to redirect to fake Flash update

In May credit reporting service Equifax's website was breached by attackers who eventually made off with Social Security numbers, names, and a dizzying amount of other details for some 145.5 million US consumers. For several hours on Wednesday, and again early Thursday morning, the site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers.

heise offer: heisec webinar: SSL/TLS for admins

From CAA to TLS 1.3: everything administrators need to know about the secure use of TLS encryption, compact in one hour, guaranteed without marketing and with enough time for your questions.

October 11 2017

Confidential Accenture data on unprotected web servers

Open house in Accenture's cloud: according to security researchers, at least four servers full of confidential data such as passwords and decryption codes were freely accessible on the net.

Equifax Increases Number of Britons Affected By Data Breach To 700,000

phalse phace writes:

You know those 400,000 Britons that were exposed in Equifax's data breach? Well, it turns out the number is actually closer to 700,000. The Telegraph reports: "Equifax has just admitted that almost double the number of UK customers had their information stolen in a major data breach earlier this year than it originally thought, and that millions more could have had their details compromised. The company originally estimated that the number of people affected in the UK was 'fewer than 400,000.' But on Tuesday night it emerged that cyber criminals had targeted 15.2 million records in the UK. It said 693,665 people could have had their data exposed, including email addresses, passwords, driving license numbers, phone numbers. The stolen data included partial credit card details of less than 15,000 customers."

BSI chief: IT security must become more important for companies

Arne Schönbohm sees small and medium-sized enterprises in particular as having a duty to arm themselves against cyberattacks.

October 10 2017

TLS 1.3: Security devices are preventing its introduction

All security experts agree that the TLS 1.3 standard would be a significant step toward more security on the Internet. But of all things, security devices that break open encryption are preventing its introduction indefinitely.

Zero days: German federal government considers withholding vulnerabilities

The federal government does not yet have an agreed position on handling zero-day exploits, but according to a report a procedure is being prepared that provides for withholding them when intelligence services wish it. The Federal Foreign Office had other plans.

October 09 2017

Password managers compared: The last password you will ever have to remember

People do not seem to be made for remembering a great many complicated passwords. Password managers provide a remedy. We compared the solutions from Keypass, Lastpass, 1Password and Dashlane, and found strengths in all of them. A test by Hauke Gierow

iOS 11’s Misleading “Off-ish” Setting for Bluetooth and Wi-Fi is Bad for User Security

Turning off your Bluetooth and Wi-Fi radios when you’re not using them is good security practice (not to mention good for your battery usage). When you consider Bluetooth’s known vulnerabilities, it’s especially important to make sure your Bluetooth and Wi-Fi settings are doing what you want them to. The iPhone’s newest operating system, however, makes it harder for users to control these settings.

On an iPhone, users might instinctively swipe up to open Control Center and toggle Wi-Fi and Bluetooth off from the quick settings. Each icon switches from blue to gray, leading a user to reasonably believe they have been turned off—in other words, fully disabled. In iOS 10, that was true. However, in iOS 11, the same setting change no longer actually turns Wi-Fi or Bluetooth “off.”

Instead, what actually happens in iOS 11 when you toggle your quick settings to “off” is that the phone will disconnect from Wi-Fi networks and some devices, but remain on for Apple services. Location Services is still enabled, Apple devices (like Apple Watch and Pencil) stay connected, and services such as Handoff and Instant Hotspot stay on. Apple’s UI fails to even attempt to communicate these exceptions to its users.

New column: What helps against cyberattacks?

There is a new ARAG column from me. This time it is about cyberattacks, that is, attacks on the computers and networks of private individuals and companies. One focus, of course, is how to protect yourself effectively against such attacks.

Enjoy reading.

October 04 2017

Former Equifax CEO Blames Breach On One Individual Who Failed To Deploy Patch

Equifax's recently departed CEO is blaming the largest data breach in history on a single person who failed to deploy a patch. TechCrunch reports:

Hackers exposed the Social Security numbers, drivers licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred. Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.

Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225 person team. However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice -- one person didn't do their job. "The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.

October 03 2017

Equifax Says 2.5 Million More Americans May Be Affected By Hack

According to Reuters, Equifax said about 2.5 million additional U.S. consumers may have been impacted by a cyber attack at the company last month. Last month, the company disclosed that personal details of up to 143 million U.S. consumers were accessed by hackers between mid-May and July.

As for what led to the breach, Ars Technica reports it was "a series of costly delays and crucial errors." From the report:

Chief among the failures: an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded, despite a two-day deadline to comply. Equifax also waited a week to scan its network for apps that remained vulnerable. Even then, the delayed scan failed to detect that the code-execution flaw still resided in a section of the sprawling Equifax site that allows consumers to dispute information they believe is incorrect. Equifax said last month that the still-unidentified attackers gained an initial hold in the network by exploiting the critical Apache Struts vulnerability.

A standardized API for bank accounts

A standard for external access to account information at banks is meant to make life easier for fintechs, consumers and companies, and to provide more security and convenience when paying on the Internet.

Privacy: Internet Explorer reveals search queries to other websites

Anyone who uses Internet Explorer and starts search queries from the address bar may reveal their search terms, or other entered text, to the currently open website. Microsoft intends to look into the problem.

September 29 2017

Internet Security Days 2017: Winners of the iX awareness competition honored

A machine factory from the Black Forest, a hospital, a luxury watch manufacturer and a major bank are the winners of the iX competition on user awareness in IT security.

September 28 2017

Stiftung Warentest: Most surveillance cameras have security flaws

Unprotected IoT cameras are among the major problems in IT security. However, some manufacturers do not seem to have learned much from the incidents of recent months.
