You are here
Home > Author: Peter Glock

Text message database reportedly leaked password resets

I use Google Authenticator and Authy for two-factor authentication rather than SMS. This is why...: A massive database managing millions of text messages was reportedly discovered unsecured, exposing sensitive information such as password resets and two-factor security codes. Vovox, a San Diego-based communications company maintained the server, which was left unprotected by password, offering anyone knowing where to look a real-time glimpse at a steady stream of text mes

Security Teams Struggle with Container Security Strategy

Many sysadmins have just got to grips with old-school virtualisation so expecting maturity in protecting containers is naive...: [...] Ultimately, Bouchard says, containers aren't necessarily any different than any other asset enterprises must protect. "We're not talking about reinventing security," he says, explaining that all the basic principles, such as the rule of least privilege, threat monitoring, and vulnerability scanning, all still apply. However, security profe

Apple’s Safari tests ‘not secure’ warning for unencrypted websites

Fallback Image

For once, Apple is following Google in a privacy protection. I wonder if anyone has noticed...: [...] Apple is trying hard to improve privacy right now, an effort that could dispel apathy about the issue and help Apple stand out from tech rivals. It's also meant Apple has butted heads with law enforcement officials and politicians who want to preserve something like the ability to tap phone lines. But when it comes to pushing website operators to secure connections, it's

More Spectre/Meltdown-Like Attacks

Bruce Schneier expresses surprise that we haven't seen more attacks yet, but warns that they're coming...: Back in January, we learned about a class of vulnerabilities against microprocessors that leverages various performance and efficiency shortcuts for attack. I wrote that the first two attacks would be just the start: It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years t

The insider threat and data protection

Lots to learn from this case. Here's Denton's take on the background and verdict...: If we were to hazard a guess at what furrows the brows of Data Protection Officers (DPOs) when considering data breach risk, following the Court of Appeal's judgment in WM Morrison Supermarkets Plc v. Various Claimants[2018] EWCA Civ 2339, the "insider threat" should be at the forefront of our minds. Below, we offer our views on the Morrisons case and some practical tips on how to mitigat

Judge Says “Alexa, Please Testify in a Double Murder Case”: eDiscovery Trends

Just a reminder...check what's listening. Alexa, Siri, Goggle, your TV...: The occurrence of Internet of Things (IoT) devices in criminal cases is becoming more and more frequent.  Just last month, we covered a case where data from a Fitbit led to the arrest of a murder suspect (we covered another case like it last year as well).  Now, an Amazon Echo may have key evidence in a double murder committed last year. According to Time (Judge Says Amazon Must Hand Over Echo Reco

Eight reasons more CEOs will be fired over cybersecurity breaches

My personal fave from this list is "Risk tolerance and appetite are fluffy". This applies to individuals as well as business. We tend to focus on high impact events which are actually low risk because they are vanishingly rare. An example is the risk of being murdered by someone you don't know: The latest stats  for England and Wales show that there were 709 homicides in the year ending March 2017, 141 more (25% increase) than in the previous year, this includes the 96 cas

Adobe ColdFusion servers under attack from APT group

I didn't even know that ColdFusion was still in use, but a simple Shodan search throws up a few likely candidates. This is a fascinating insight into the 'persistent' part of APT attacks...: A nation-state cyber-espionage group is actively hacking into Adobe ColdFusion servers and planting backdoors for future operations, Volexity researchers have told ZDNet. The attacks have been taking place since late September and have targeted ColdFusion servers that were not updated

Healthcare Data Breach Enforcements and Fines

I look at the charts and have to conclude that the regulatory regime isn't working. If it did, you'd expect to see an early spike then a levelling-off or decline in actions. It seems to be the same across any sector we look at, not just healthcare...: The Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) is responsible for enforcing the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  Enf

Top