Kategorie

The technology industry is always in the crosshairs of criminal enterprises – be it a vast network of thieves or a lone hacker. The sector, comprised of Fortune 500 companies as well as garage-based startups, creates innovations intended to advance society such as computers, smartphones, robots, and even the (eventual?) flying car. The rogue groups […]

The post Phishing Attacks in the Technology Industry appeared first on InfoSec Resources.

Phishing Attacks in the Technology Industry was first posted on October 19, 2017 at 5:38 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Mitigating risk is an essential component of the insurance industry, the sector that provides individuals and businesses policies that cover health, life, and property. Yet when it comes to their own cyber security, many insurance companies, overconfident in their protection, are running unnecessary risks. In 2016, the consulting firm Accenture found that while 4 out […]

The post Phishing Attacks in the Insurance Industry appeared first on InfoSec Resources.

Phishing Attacks in the Insurance Industry was first posted on October 19, 2017 at 5:28 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Google announced a public bug bounty for Google Play that brings developers and researchers together to find and patch flaws in popular apps.

Posted by Renu Chaudhary, Android Security and Rahul Mishra, Program Manager

We have long enjoyed a close relationship with the security research community. To recognize the valuable external contributions that help us keep our users safe online, we maintain reward programs for Google-developed websites and apps, for Chrome and Chrome OS, and for the latest version of Android running on Pixel devices. These programs have been a success and helped uncover hundreds of vulnerabilities, while also paying out millions of dollars to participating security researchers and research teams.

Today, we’re introducing the Google Play Security Reward Program to incentivize security research into popular Android apps available on Google Play. Through our collaboration with independent bug bounty platform, HackerOne, we’ll enable security researchers to submit an eligible vulnerability to participating developers, who are listed in the program rules. After the vulnerability is addressed, the eligible researcher submits a report to the Play Security Reward Program to receive a monetary reward from Google Play.

With the ongoing success of our other reward programs, we invite developers and the research community to work together with us on proactively improving the security of some of the most popular Android apps on Google Play.

The program is limited to a select number of developers at this time to get initial feedback. Developers can contact their Google Play partner manager to show interest. All developers will benefit when bugs are discovered because we will scan all apps for them and deliver security recommendations to the developers of any affected apps. For more information, visit the Play Security Reward Program on HackerOne.

Better late than never. Google has finally launched a bug bounty program for Android apps on Google Play Store, inviting security researchers to find and report vulnerabilities in some of the most popular Android apps. Dubbed "Google Play Security Reward," the bug bounty program offers security researchers to work directly with Android app developers to find and fix vulnerabilities in their

SSH private keys are being targeted by hackers who have stepped up the scanning of thousands of WordPress website in search of private keys.

American's should “assume their data is already in the hands of criminals and ‘act accordingly.’”

  IT auditors are responsible for performing independent verifications of an organization’s security posture. These positions can have many name variations on job boards, including: information technology auditor, IT compliance analyst, internal auditor, CISA or business analyst. IT auditor positions exist in almost every industry, with salaries ranging from $50,000 to $175,000 depending on industry, […]

The post IT Auditor Interview Questions appeared first on InfoSec Resources.

IT Auditor Interview Questions was first posted on October 19, 2017 at 11:48 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Do you think your wireless network is secure because you're using WPA2 encryption? If yes, think again! Security researchers have discovered several key management vulnerabilities in the core of Wi-Fi Protected Access II (WPA2) protocol that could allow an attacker to hack into your Wi-Fi network and eavesdrop on the Internet communications. WPA2 is a 13-year-old WiFi authentication scheme

Norwegian Consumer Council says "these watches should be in no stores, even less so on a child's arm"

Kryptoměny jsou fenoménem dnešní doby. Nefascinují přitom pouze běžné uživatele, ale také kybernetické piráty. Ti neustále hledají cesty, jak virtuální mince získat. Neštítí se při tom používat podvodný software, který je těží od nic netušících uživatelů. Takto napadených PC je na světě podle aktuálně zveřejněné analýzy až půl miliardy.

We're looking at how Mr Robot's treatment of security stacked up in episode 2 of season 3

Experts applaud a new Google service, Advanced Protection, which beefs up account password protection and limits access to a user’s Gmail and Drive.

It's not just the advertisers who can track you

LinuxSecurity.com: The Carnegie-Mellon University's Software Engineering Institute has nominated transport systems, machine learning, and smart robots as needing better cyber-security risk and threat analysis.

Locky patřil v loňském roce k těm nejrozšířenějším vyděračským virům, které kolují internetem. I když se mohlo zkraje letošního roku zdát, že je na ústupu, v minulém měsíci udeřil opět plnou silou. Vyplývá to z analýzy jednotlivých virových hrozeb společnosti Check Point.

Dohoda označovaná jako Štít EU-USA na ochranu soukromí funguje po prvním roce dobře, uvedla ve své zprávě Evropská komise (EK). Stále je však podle ní co zlepšovat. Cílem dohody je chránit osobní údaje osob v EU předávané společnostem v USA ke komerčním účelům.

Máte Subaru? Brzy už tomu tak možná nebude, zdá se totiž, že přinejmenším u několika modelů automobilka nehorázně odflákla zabezpečení dálkového ovládání. Každé dálkové ovládání vyšle zpravidla na kmitočtu 433 MHz signál, který dveře odemkne. Tento signál musí být pochopitelně pokaždé ...

Posted by Ben McIlwain, Google Registry
The security of the Web is of the utmost importance to Google. One of the most powerful tools in the Web security toolbox is ensuring that connections to websites are encrypted using HTTPS, which prevents Web traffic from being intercepted, altered, or misdirected in transit. We have taken many actions to make the use of HTTPS more widespread, both within Google and on the larger Internet.

We began in 2010 by defaulting to HTTPS for Gmail and starting the transition to encrypted search by default. In 2014, we started encouraging other websites to use HTTPS by giving secure sites a ranking boost in Google Search. In 2016, we became a platinum sponsor of Let’s Encrypt, a service that provides simple and free SSL certificates. Earlier this year we announced that Chrome will start displaying warnings on insecure sites, and we recently introduced fully managed SSL certificates in App Engine. And today we’re proud to announce that we are beginning to use another tool in our toolbox, the HTTPS Strict Transport Security (HSTS) preload list, in a new and more impactful way.

The HSTS preload list is built in to all major browsers (Chrome, Firefox, Safari, Internet Explorer/Edge, and Opera). It consists of a list of hostnames for which browsers automatically enforce HTTPS-secured connections. For example, gmail.com is on the list, which means that the aforementioned browsers will never make insecure connections to Gmail; if the user types http://gmail.com, the browser first changes it to https://gmail.com before sending the request. This provides greater security because the browser never loads an http-to-https redirect page, which could be intercepted.

The HSTS preload list can contain individual domains or subdomains and even top-level domains (TLDs), which are added through the HSTS website. The TLD is the last part of the domain name, e.g., .com, .net, or .org. Google operates 45 TLDs, including .google, .how, and .soy. In 2015 we created the first secure TLD when we added .google to the HSTS preload list, and we are now rolling out HSTS for a larger number of our TLDs, starting with .foo and .dev.

The use of TLD-level HSTS allows such namespaces to be secure by default. Registrants receive guaranteed protection for themselves and their users simply by choosing a secure TLD for their website and configuring an SSL certificate, without having to add individual domains or subdomains to the HSTS preload list. Moreover, since it typically takes months between adding a domain name to the list and browser upgrades reaching a majority of users, using an already-secured TLD provides immediate protection rather than eventual protection. Adding an entire TLD to the HSTS preload list is also more efficient, as it secures all domains under that TLD without the overhead of having to include all those domains individually.

We hope to make some of these secure TLDs available for registration soon, and would like to see TLD-wide HSTS become the security standard for new TLDs.

Updated 2017-10-06: To clear up some confusion in the responses to this post, we are not rolling out HSTS to Google's previously launched open TLDs (.how, .soy, and .みんな).

The FBI has made an appeal to organizations victimized by DDoS attacks to share details and characteristics of those incidents.