Something to consider in your threat modeling. IDK how common this is, but the gear to do effective wifi signal jamming is not hard to find and works. They're illegal as hell to use in the US, but that isn't going to stop thieves. Argues in favor of direct IP cams or POE-type cams. And cams that allow backup of a certain amount of recording to an SD card.
Just had another breach notification/quote request go sideways in an icky way. I'm only mentioning it because this has happened to me more times than I care to remember, and it infuriates me every time.
Here's the scenario. I hear from a researcher who finds bad thing, data exposure, etc. If I can confirm the researcher's findings, I'll then seek comment from the organization in question. Mind you, this effort usually includes both written and oral communications clearly stating that I am a journalist, and that I am working on a story about the problem and its hopeful resolution.
The response in this scenario involves a reply from a senior executive -- often the CEO -- thanking me for the information, and in the same breath asking if I do any consulting work.
I can't pretend to know what's going on in the mind of the person who asks me this question in this situation, but as a journalist it always sounds and feels like a thinly veiled bribe offer.
To my mind, it's a bit like getting pulled over for plowing through a red light, and then handing the cop a $100 bill along with your license.
I always try to respond charitably, by politely declining and explaining that's not really something I do. If I'm not totally insulted at that point, I may even suggest some competent experts. Because god knows anyone who responds this way needs all the help they can get.
Just notified a company specializing in email security that their internal email -- and that of their customers -- was sitting out on the web.
Each inbox -- whether for company customers or employees of those companies -- was viewable just by visiting a link with a web browser and clicking links. Everything was exposed in basically one big file index.
This level of ineptitude is remarkable, and somehow they have a lot of customers (think state/local govs). To their credit, they took everything offline within a few minutes of my notifying them. But their entire business schtick is about how all your email is encrypted and protected and scanned and blah blah. Meanwhile, no it's not. At all.
Google is too big to fail, and yet they seem to be failing at basic things they used to do well (like search) while removing useful features (like cache) and adding a bunch of crap nobody needs or wants.
Want to know if a given domain name shows up anywhere in search? Well screw you, we're not going to tell you that anymore, but here's 1,400 completely useless and irrelevant results that could possibly have some info (but don't). When the search engine could have done what it's done for years, and admit that it doesn't know WTF you're talking about and say "no results found." Now it just makes shit up if it doesn't know the answer.
Hey cool! My search result shows the term I was looking for is present on 7 websites. Shoot! None of them are online anymore. How about showing us your cached version of the site, you know the one that was used to create this search result? Oh wait, no, you can't see that anymore. Why? Here's Danny Sullivan's dismissive and mystifying explanation: “It was meant for helping people access pages when way back, you often couldn’t depend on a page loading,” Sullivan wrote on X. “These days, things have greatly improved. So, it was decided to retire it.”
Want software? Great, Google will serve a malicious ad on top that looks a lot like an organic search result but which is paid for by scammers and installs malware.
@gsuberland I looked at this story and thought, 3 million toothbrush botnet! Wow. But the source research can't be viewed unless you subscribe to something. Hrm. Likelihood of some toothbrushes being owned bc shitty app or whatever is not nothing, but a 3M strong botnet is going to get noticed by a lot of places. I assigned this a "probably wildly untrue" label and promptly forgot about it.
Another unhappy customer of BriansClub who got phished complains to me, as if in my spare time I run the underground's biggest stolen credit card shop.
As several people responding here have already noted, what this suggests is there is broad downward pressure on what companies are willing to pay for security.
Which again seems slightly nuts when you think about how the costs of not paying adequately for security are increasing. I mean, the security headlines just in the past week alone are frankly terrifying and to my mind paint a pretty grim near-term future cyber-wise.
Perhaps the costs of not investing enough in security are not high enough yet?
There's a huge disconnect for me rn in the IT space. Companies love to talk about an increasing deficit of smart, talented and skillful people available to help defend the cybers. Welp, a lot of those people are somehow now seeking gainful employment bc they've been laid off. Which is just nuts to me given the sheer scale, resources and effort our adversaries are throwing at everything now.
p.s. AI isn't going to fix anyone's security problems. If anything, it's going to compound them by orders of magnitude (at least in terms of data governance).
Three Americans were charged this week with stealing more than $400 million in a November 2022 SIM-swapping attack. The U.S. government did not name the victim organization, but there is every indication that the money was stolen from the now-defunct cryptocurrency exchange FTX, which had just filed for bankruptcy on that same day.
Google continues to struggle with cybercriminals running malicious ads on its search platform to trick people into downloading booby-trapped copies of popular free software applications. The malicious ads, which appear above organic search results and often precede links to legitimate sources of the same software, can make searching for software on Google a dicey affair.
If you've ever wondered why some Wi-Fi is free (like in hotels), it's because typically data about your browsing is sold to countless ad companies that will happily buy it.
Had to use the hotel WiFi recently on a trip, and after clicking "agree" to their terms of service, the Little Snitch firewall on my Mac went bonkers. I must have denied 20-30 outbound requests to advertising networks. It still worked, though, so I'm guessing I didn't manage to block all of it.
This is some impressive research: IOActive researchers figured out how to get root access on a bitcoin ATM, using the same physical access that a regular customer might have (the touch screen).
The rapper and social media personality Punchmade Dev is perhaps best known for his flashy videos singing the praises of a cybercrime lifestyle. With memorable hits such as “Internet Swiping” and “Million Dollar Criminal” earning millions of views, Punchmade has leveraged his considerable following to peddle tutorials on how to commit financial crimes online. But until recently, there wasn’t much to support a conclusion that Punchmade was actually doing the cybercrime things he promotes in his songs.
GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction.
The vendor strongly recommends updating as soon as possible all vulnerable versions of the DevSecOps platform (manual update required for self-hosted installations) and warns that if there is "no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.”
Been noodling a lot about AI stuff lately, and just keep SMH about how willing so many people seem to be to trust this technology.
My problem w/ the idea of AI chat bots being asked to do anything consequential is that we seem to want them to be ever-more human, while at the same time expecting them not to make mistakes.
Probably what we really want is for them to also learn from their mistakes. But that requires admitting when you're wrong -- changing your mind, if you will -- and letting others impacted know that you were in the wrong. On some levels, that seems incompatible with what many expect out of AI today.
This story is an important development in piracy, but it also portends an increase in malware infections from more people seeking pirated content from any available source. There has always been and will always be a strong connection between pirated software, music, movies, etc. and malware droppers that turn systems into proxies or worse. And pirated products remain a major source of malware infections.
Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09. Twitter: @briankrebs Linkedin: https://www.linkedin.com/in/bkrebs/