krebs   554

Mirai IoT Botnet Co-Authors Plead Guilty — Krebs on Security
The U.S. Justice Department on Tuesday unsealed the guilty pleas of two men first identified in January 2017 by KrebsOnSecurity as the likely co-authors of Mirai, a malware strain that remotely enslaves so-called “Internet of Things” devices such as security cameras, routers, and digital video recorders for use in large scale attacks designed to knock Web sites and entire networks offline (including multiple major attacks against this site).
Entering guilty pleas for their roles in developing and using Mirai are 21-year-old Paras Jha from Fanwood, N.J. and Josiah White, 20, from Washington, Pennsylvania.
Jha and White were co-founders of Protraf Solutions LLC, a company that specialized in mitigating large-scale DDoS attacks. Like firemen getting paid to put out the fires they started, Jha and White would target organizations with DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks.
botnet  college  DDOS  minecraft  privacy  scam  security  krebs 
yesterday by rgl7194
Phishers Are Upping Their Game. So Should You. — Krebs on Security
Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.
According to stats released this week by anti-phishing firm PhishLabs, nearly 25 percent of all phishing sites in the third quarter of this year were hosted on HTTPS domains — almost double the percentage seen in the previous quarter.
“A year ago, less than three percent of phish were hosted on websites using SSL certificates,” wrote Crane Hassold, the company’s threat intelligence manager. “Two years ago, this figure was less than one percent.”
security  phishing  privacy  krebs 
2 days ago by rgl7194
MacOS High Sierra Users: Change Root Password Now — Krebs on Security
A newly-discovered flaw in macOS High Sierra — Apple’s latest iteration of its operating system — allows anyone with local (and, apparently in some cases, remote) access to the machine to log in as the all-powerful “root” user without supplying a password. Fortunately, there is a simple fix for this until Apple patches this inexplicable bug: Change the root account’s password now.
For better or worse, this glaring vulnerability was first disclosed today on Twitter by Turkish software developer Lemi Orhan Ergin, who unleashed his findings onto the Internet with a tweet to @AppleSupport:
“Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?”
macOS  10.13  security  privacy  root  bug  passwords  0day  krebs 
17 days ago by rgl7194
Name+DOB+SSN=FAFSA Data Gold Mine — Krebs on Security
KrebsOnSecurity has sought to call attention to online services which expose sensitive consumer data if the user knows a handful of static details about a person that are broadly for sale in the cybercrime underground, such as name, date of birth, and Social Security Number. Perhaps the most eye-opening example of this is on display at, the Web site set up by the U.S. Department of Education for anyone interested in applying for federal student financial aid.
Short for the Free Application for Federal Student Aid, FAFSA is an extremely lengthy and detailed form required at all colleges that accept and award federal aid to students.
Visitors to the login page for FAFSA have two options: Enter either the student’s FSA ID and password, or choose “enter the student’s information.” Selecting the latter brings up a prompt to enter the student’s first and last name, followed by their date of birth and Social Security Number.
security  privacy  SSN  krebs  finances  college 
21 days ago by rgl7194
Always keep blaming the patient! 🤬 And no, there is no evidence of psychological causes of
Krebs  from twitter_favs
23 days ago by p3k
How to Opt Out of Equifax Revealing Your Salary History — Krebs on Security
A KrebsOnSecurity series on how easy big-three credit bureau Equifax makes it to get detailed salary history data on tens of millions of Americans apparently inspired a deeper dive on the subject by Fast Company, which examined how this Equifax division has been one of the company’s best investments. In this post, I’ll show you how to opt out of yet another Equifax service that makes money at the expense of your privacy.
My original report showed how the salary history for tens of millions of employees at some of the world’s largest corporations was available to anyone armed with an employee’s Social Security number and date of birth — information that was stolen on 145.5 million Americans in the recent breach at Equifax.
Equifax took down their salary portal — a service from the company’s Workforce Solutions division known as The Work Number (formerly “TALX“) — just a few hours after my story went live on Oct. 8. The company explained that the site was being disabled for routine maintenance, but Equifax didn’t fully reopen the portal until Nov. 2, following the addition of unspecified “security improvements.”
Fast Company writer Joel Winston’s story examines how some 70,000 companies — including Amazon, AT&T, Facebook, Microsoft, Oracle, Twitter and Wal-Mart — actually pay Equifax to collect, organize, and re-sell their employees’ personal income information and work history.
equifax  breach  data  identity_theft  privacy  security  krebs  jobs  money 
4 weeks ago by rgl7194
Equifax Reopens Salary Lookup Service — Krebs on Security
Equifax has re-opened a Web site that lets anyone look up the salary history of a large portion of the American workforce using little more than a person’s Social Security number and their date of birth. The big-three credit bureau took the site down just hours after I wrote about it on Oct. 8, and began restoring the site eight days later saying it had added unspecified “security enhancements.”
At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.
equifax  security  privacy  career  money  data  krebs 
5 weeks ago by rgl7194
Equifax Breach Fallout: Your Salary History — Krebs on Security
In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax.
At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.
breach  data  equifax  identity_theft  privacy  security  krebs  jobs  money 
6 weeks ago by rgl7194
What You Should Know About the ‘KRACK’ WiFi Security Weakness — Krebs on Security
Researchers this week published information about a newfound, serious weakness in WPA2 — the security standard that protects all modern Wi-Fi networks. What follows is a short rundown on what exactly is at stake here, who’s most at-risk from this vulnerability, and what organizations and individuals can do about it.
Short for Wi-Fi Protected Access II, WPA2 is the security protocol used by most wireless networks today. Researchers have discovered and published a flaw in WPA2 that allows anyone to break this security model and steal data flowing between your wireless device and the targeted Wi-Fi network, such as passwords, chat messages and photos.
“The attack works against all modern protected Wi-Fi networks,” the researchers wrote of their exploit dubbed “KRACK,” short for “Key Reinstallation AttaCK.”
wi-fi  security  privacy  KRACK  krebs  encryption 
8 weeks ago by rgl7194
Krebs Given ISSA’s ‘President’s Award’ — Krebs on Security
KrebsOnSecurity was honored this month with the 2017 President’s Award for Public Service from the Information Systems Security Association, a nonprofit organization for cybersecurity professionals. The award recognizes an individual’s contribution to the information security profession in the area of public service.
It’s hugely gratifying to have received this award, mainly because of the company I now keep.
krebs  security  award 
8 weeks ago by rgl7194
Here’s What to Ask the Former Equifax CEO — Krebs on Security
Richard Smith — who resigned as chief executive of big-three credit bureau Equifax this week in the wake of a data breach that exposed 143 million Social Security numbers — is slated to testify in front of no fewer than four committees on Capitol Hill next week. If I were a lawmaker, here are some of the questions I’d ask when Mr. Smith goes to Washington.
Before we delve into the questions, a bit of background is probably in order. The new interim CEO of Equifax — Paulino do Rego Barros Jr. — took to The Wall Street Journal and other media outlets this week to publish a mea culpa on all the ways Equifax failed in responding to this breach (the title of the op-ed in The Journal was literally “I’m sorry”).
breach  credit_report  data  equifax  identity_theft  privacy  security  krebs  CxO  gov2.0 
10 weeks ago by rgl7194
Fear Not: You, Too, Are a Cybercrime Victim! — Krebs on Security
Maybe you’ve been feeling left out because you weren’t among the lucky few hundred million or billion who had their personal information stolen in either the Equifax or Yahoo! breaches. Well buck up, camper: Both companies took steps to make you feel better today.
Yahoo! announced that, our bad!: It wasn’t just one billion users who had their account information filched in its record-breaking 2013 data breach. It was more like three billion (read: all) users. Meanwhile, big three credit bureau Equifax added 2.5 million more victims to its roster of 143 million Americans who had their Social Security numbers and other personal data stolen in a breach earlier this year. At the same time, Equifax’s erstwhile CEO informed Congress that the breach was the result of even more bone-headed security than was first disclosed.
hack  privacy  security  yahoo  equifax  data  breach  identity_theft  krebs  credit_report 
10 weeks ago by rgl7194
USPS ‘Informed Delivery’ Is Stalker’s Dream — Krebs on Security
A free new service from the U.S. Postal Service that provides scanned images of incoming mail before it is slated to arrive at its destination address is raising eyebrows among security experts who worry about the service’s potential for misuse by private investigators, identity thieves, stalkers or abusive ex-partners. The USPS says it hopes to have changes in place by early next year that could help blunt some of those concerns.
The service, dubbed “Informed Delivery,” has been available to select addresses in several states since 2014 under a targeted USPS pilot program, but it has since expanded to include many ZIP codes nationwide, according to the Postal Service. U.S. residents can tell if their address is eligible by visiting
security  privacy  mail  email  krebs  scanning 
10 weeks ago by rgl7194
Equifax or Equiphish? — Krebs on Security
More than a week after it said most people would be eligible to enroll in a free year of its TrustedID identity theft monitoring service, big three consumer credit bureau Equifax has begun sending out email notifications to people who were able to take the company up on its offer. But in yet another security stumble, the company appears to be training recipients to fall for phishing scams.
Some people who signed up for the service after Equifax announced Sept. 7 that it had lost control over Social Security numbers, dates of birth and other sensitive data on 143 million Americans are still waiting for the promised notice from Equifax. But as I recently noted on Twitter, other folks have received emails from Equifax over the past few days, and the messages do not exactly come across as having emanated from a company that cares much about trying to regain the public’s trust.
breach  credit_report  data  equifax  identity_theft  krebs  privacy  security  phishing 
11 weeks ago by rgl7194
Equifax Breach: Setting the Record Straight — Krebs on Security
Bloomberg published a story this week citing three unnamed sources who told the publication that Equifax experienced a breach earlier this year which predated the intrusion that the big-three credit bureau announced on Sept. 7. To be clear, this earlier breach at Equifax is not a new finding and has been a matter of public record for months. Furthermore, it was first reported on this Web site in May 2017.
In my initial Sept. 7 story about the Equifax breach affecting more than 140 million Americans, I noted that this was hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans.
breach  credit_report  data  equifax  identity_theft  privacy  security  krebs 
12 weeks ago by rgl7194
Experian Site Can Give Anyone Your Credit Freeze PIN — Krebs on Security
An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.
Experian’s page for retrieving someone’s credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad other breaches.
The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).
After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!
security  krebs  privacy  credit_report  credit_freeze 
12 weeks ago by rgl7194
