Monday, December 30, 2019
Ransomware raises a few complex questions. When a company pays a ransom, shouldn't it start the breach notification process (as the crooks have our data)? Or should it wait for the cyber-crooks to expose our data? And what happens if there is a recurring demand for ransom? I guess "Prevention is better than cure" makes sense here.
Thursday, December 19, 2019
Want to keep track of your child with a GPS-enabled smartwatch? Good idea, but remember the same device may also help others to track OUR kid. Welcome to the (gadget-hungry) world filled with insecure toys.
This year alone, researchers have found several vulnerabilities in a number of child-tracking smartwatches. But new findings out today show that nearly all were harboring a far greater, more damaging flaw in a common shared cloud platform used to power millions of cellular-enabled smartwatches.
The cloud platform is developed by Chinese white-label electronics maker Thinkrace, one of the largest manufacturers of location-tracking devices. The platform works as a backend system for Thinkrace-made devices, storing and retrieving locations and other device data. Not only does Thinkrace sell its own child-tracking watches to parents who want to keep tabs on their children, the electronics maker also sells its tracking devices to third-party businesses, which then repackage and relabel the devices with their own branding to be sold on to consumers.
https://techcrunch.com/2019/12/18/cloud-flaws-millions-child-watch-trackers/
Tuesday, December 17, 2019
We can see three security mistakes in this statement - "The data was stored on unencrypted hard drives in payroll worker's computer equipment placed in the worker's vehicle":
1. No encryption (obvious);
2. Sensitive data was stored on a local hard drive (why?);
3. No DLP (security budget cut?).
So, where is Facebook spending its security budget? (on products and people producing fancy dashboards?)
https://www.hackread.com/unencrypted-hard-drives-facebook-employees-stolen/
Thursday, December 12, 2019
Wednesday, December 11, 2019
Mega breaches (in TB) when IGNORANT SaaS vendors store our data in the cloud
- In this instance the organizations exposed include California Courts, CenturyLink and Nasdaq and Xerox. The bucket also contained directories with other files relevant to clients – including internal public-relations strategy documents.
https://threatpost.com/ge-dunkin-forever21-internal-doc-leak/150920/
Tuesday, December 10, 2019
End of the "AWS S3 security" excuse (when there is a data breach) - we have a new feature in AWS: AWS Identity & Access Management Access Analyzer.
- It monitors S3 bucket access policies and provides alerts if you have a cloud-storage bucket that is configured to allow access to anyone on the internet or that is shared with other AWS accounts. If the Access Analyzer tool discovers that a bucket is misconfigured, you can respond to the alert by making a single click to "Block All Public Access."
https://businessinsights.bitdefender.com/amazon-battles-leaky-s3-buckets-with-a-new-security-tool
Monday, December 9, 2019
End of the "S3 security is complex" excuse leading to data breaches - use the new feature: AWS Identity & Access Management Access Analyzer.
It monitors S3 bucket access policies and provides alerts if you have a cloud-storage bucket that is configured to allow access to anyone on the internet or that is shared with other AWS accounts. If the Access Analyzer tool discovers that a bucket is misconfigured, you can respond to the alert by making a single click to "Block All Public Access."
https://businessinsights.bitdefender.com/amazon-battles-leaky-s3-buckets-with-a-new-security-tool
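Both S3 posts above describe the two things Access Analyzer reports on a bucket: a policy that grants access to anyone on the internet, or one that shares the bucket with another AWS account, with "Block All Public Access" as the one-click remedy. The following Python is an added example, not AWS's code and not how Access Analyzer is implemented; it runs the same two checks locally over constructed sample bucket policies (the account ids, role name and bucket name are placeholders), placing a public policy and a cross-account policy beside the corrected, own-account-only version so you can see exactly what gets flagged and why.

```python
import json

# All identifiers below (account ids, bucket and role names) are constructed placeholders.
OWN_ACCOUNT = "111111111111"

# Constructed sample 1: anyone on the internet may list and read the bucket.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample 2: the bucket is shared with a different AWS account.
CROSS_ACCOUNT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPartner",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample 3: the corrected policy, limited to one role in our own account.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOwnRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/payroll-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _principals(statement):
    """Return the AWS principals of a statement as strings ("*" means anonymous)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))  # {"AWS": "*"} also yields "*"
    return []


def _account_of(principal):
    """Extract the 12-digit account id from an IAM ARN, or None if not an ARN."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 and parts[0] == "arn" else None


def analyze_bucket_policy(policy_json, own_account=OWN_ACCOUNT):
    """Flag Allow statements whose principal lies outside our own account.

    Each finding is {"sid", "kind", "principal", "actions"} with kind "public"
    (anyone on the internet) or "cross-account" (another AWS account). A "*"
    principal is reported as public even when a Condition narrows it; for a
    triage tool that is the conservative choice.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        for principal in _principals(statement):
            if principal == "*":
                kind = "public"
            else:
                account = _account_of(principal)
                if account is None or account == own_account:
                    continue
                kind = "cross-account"
            findings.append({"sid": statement.get("Sid"), "kind": kind,
                             "principal": principal,
                             "actions": _as_list(statement.get("Action"))})
    return findings


def blocks_all_public_access(public_access_block):
    """True when all four PublicAccessBlock flags are set, which is the state
    the console's "Block All Public Access" button produces."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(public_access_block.get(flag) is True for flag in required)


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("cross-account", CROSS_ACCOUNT_POLICY),
                         ("private", PRIVATE_POLICY)):
        print(name, "->", analyze_bucket_policy(policy) or "no findings")
    print("block-all-public-access complete:",
          blocks_all_public_access({"BlockPublicAcls": True}))
```

The policy check only tells you who is granted access; a bucket whose account has Block Public Access switched on will still refuse anonymous requests, which is why the two checks are worth running together: a public statement with the block in place is a policy to clean up, a public statement without it is an open bucket.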
Thursday, December 5, 2019
Your cyber insurance provider can deny your claim under "Act of War" (are they learning from health insurance providers?)
After the ransomware attack, Merck was stunned when most of its 30 insurers and reinsurers denied coverage because the policies specifically excluded another class of risk called "an act of war".
https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war
Tuesday, December 3, 2019
Monday, December 2, 2019
Can a zero-trust approach help us reduce third-party risk (the "elephant in the room"), which is becoming the second most common reason for data breaches (the first being misconfiguration in the cloud)?
- Palo Alto Networks confirmed to Business Insider that the personal details of seven current and former employees had been "inadvertently" published online by a "third-party vendor" in February.
https://businessinsights.bitdefender.com/palo-alto-networks-employee-data-breach-highlights-risks-posed-by-third-party-vendors