Archive | Security Updates

Fake Government Sites – Daily Security Byte EP.61

The FBI has warned US citizens to beware of fake government websites showing up in search results. Watch today’s Daily Byte to learn about this latest phishing campaign, what blackhat SEO means, and how to avoid evil search results.

 

(Episode Runtime: 2:20)

Direct YouTube Link: https://www.youtube.com/watch?v=ZLzIZsOJ9p4

— Corey Nachreiner, CISSP (@SecAdept)

John Oliver Interviews Snowden – Daily Security Byte EP.60

You might not expect an HBO comedy host to teach you much about information security and privacy, but I think you might be surprised. Check out today’s episode to see how to watch John Oliver interviewing Edward Snowden.

 

(Episode Runtime: 2:34)

Direct YouTube Link: https://www.youtube.com/watch?v=j3zQFT9LG6c

— Corey Nachreiner, CISSP (@SecAdept)

The Dyre Wolf Bites – Daily Security Byte EP.59

The Dyre trojan has been stealing banking credentials for a while now, but IBM has discovered a new campaign that adds a human element to this digital attack. Watch the video to learn what to look out for, and how to protect your bank account from getting drained.

 

(Episode Runtime: 2:51)

Direct YouTube Link: https://www.youtube.com/watch?v=E3_jjP3gL3M

— Corey Nachreiner, CISSP (@SecAdept)

Google vs. CNNIC – Daily Security Byte EP.58

Google has discovered unauthorized digital certificates being used in SSL man-in-the-middle attacks in Egypt. They tracked the certs to CNNIC and decided to remove the popular Chinese certificate authority from Chrome’s trust chain. Watch the video for more details.

 

(Episode Runtime: 2:37)

Direct YouTube Link: https://www.youtube.com/watch?v=hKUs-kLKa50

— Corey Nachreiner, CISSP (@SecAdept)

Obama Orders Cyber Sanctions – Daily Security Byte EP.57

President Obama released a new executive order threatening economic sanctions against foreign cyber attackers. Learn what this means in today’s video.

 

(Episode Runtime: 2:17)

Direct YouTube Link: https://www.youtube.com/watch?v=ambFEAFaAJY

— Corey Nachreiner, CISSP (@SecAdept)

Chinese GitHub DDoS – Daily Security Byte EP.56

GitHub has suffered a heavy distributed denial of service (DDoS) attack for over four days. Researchers say the attack comes from China, and is related to the political site GreatFire.org. Watch the video to learn about man-on-the-side attacks, and what to look for in DDoS protection.

 

(Episode Runtime: 2:04)

Direct YouTube Link: https://www.youtube.com/watch?v=imoPp5DmFrE

— Corey Nachreiner, CISSP (@SecAdept)

Cisco Routers Need Patching – Daily Security Byte EP.54

This week, Cisco released an advisory telling IOS device users to patch. The latest IOS update fixes three vulnerabilities, which specifically affect administrators who use Cisco’s Autonomic Networking Infrastructure (ANI). Watch today’s video to learn more about these flaws, especially if you have ANI enabled.

 

(Episode Runtime: 1:21)

Direct YouTube Link: https://www.youtube.com/watch?v=PMOESrmT8qU

— Corey Nachreiner, CISSP (@SecAdept)

Business is booming for bug bounty hunters

Editor’s Note: A few months ago, I shared an article and video from a new InfoSec-related site, Third Certainty. This security news and analysis site isn’t just a great professional resource, but one I think appeals to normal consumers as well. It’s led by Pulitzer Prize-winning journalist Byron Acohido, who excels at breaking down complex topics into stories that everyone can understand. Sign up for the free weekly newsletter, and recommend the site to your less technical friends.

In any case, Acohido recently published an article talking about bug bounty programs, which includes a video where I talk about the underbelly of the zero day vulnerability market. Check out Acohido’s article in full below, and visit his site for more great content.

Business is booming for bug bounty hunters

By Byron Acohido, ThirdCertainty

Corporate-sponsored bug bounty programs have become an indispensable means of tempering new forms of cyber attacks.

It is now routine for Google, Mozilla, Adobe, Facebook and Microsoft to pay five- and six-figure fees to hackers who make a living ferreting out fresh security holes in the software applications consumers and companies use every day.

Hackers are continually on the hunt for overlooked flaws in popular operating systems, such as Windows, Mac OS, and Android, as well as in ubiquitous software applications — all of the major Web browsers and any software that runs on browsers, such as Adobe Flash and Java.

The more widely the operating system or app is used, the more hackers probe it for flaws. These flaws are referred to as zero-day vulnerabilities, or zero days. There are endless zero days yet to be discovered. And each one discovered has to be patched.

There is an entire cottage industry of white hat hackers who do little else but search for zero days. When one is discovered, the tech company responsible for the OS or app gets notified of the new bug. And the white hat gets paid handsomely. The tech company then develops a patch and seeks to get it widely deployed.

Black hat hackers hunt for bugs, too, and also are compensated well. The difference is that they sell to the top cyber crime rings that then use the zero days for thievery and spying.

There also is a third major group paying out bug bounties: governments, including the United States.

Like organized crime rings, governments don’t want the zero days patched, because they have something very specific in mind for them, Corey Nachreiner, director of security strategy at WatchGuard Technologies, tells ThirdCertainty.

Governments are seeking to stockpile zero days, and hold them in reserve to use against rival nations. In modern cyber warfare, no superpower wants to be on the short side of a zero-day gap.

“Governments need an arsenal, so it’s in their advantage not to get the vulnerability fixed,” Nachreiner says.

In harm’s way

American companies are aware of this potential to be hacked by government-backed hackers, armed with the best-available zero-days, and many are seeking to strengthen their encryption systems. And they are resisting government efforts to ensure that U.S. intelligence agencies can still crack into their communications, according to a recent report in The New York Times. While the government’s request seems reasonable, it also leaves businesses more vulnerable.

The problem is, of course, there are a lot of busy, motivated bug hunters out there.

So it is very plausible that sooner or later someone else will discover a flaw that’s stockpiled in a government cyber war chest, Nachreiner says.

If a black hat hacker finds a security hole that, say, the U.S. government has had in its stockpile for a long time, that’s not a good thing.

A crime group could put the zero day to work for an extended period, doing wide damage, before anyone notices.

“Not fixing these vulnerabilities as quickly as we know about them, in the long term, harms everyone’s security because we’re all using the same software,” Nachreiner argues.


Win2003 EoL Danger – Daily Security Byte EP.53

First Windows XP and now Server 2003. A number of articles this week reminded the IT community that Microsoft will discontinue Windows Server 2003 in July. Learn how this affects your security, and what you should do about it in today’s Daily Byte.

 

(Episode Runtime: 2:09)

Direct YouTube Link: https://www.youtube.com/watch?v=YCqn9YPjESA

— Corey Nachreiner, CISSP (@SecAdept)
