Longer Minimum Passwords Help Prevent Fraud

The all-too-common practice of using the same email address/password combination to log into multiple websites can be damaging, especially for employers with many users and valuable assets protected by passwords, like universities.

“If someone uses their university email address and passphrase to sign up for, say, LinkedIn, and LinkedIn is breached by cybercriminals, that would mean their university password is sitting on the web for everyone to see,” said Indiana University’s Dan Calarco, co-author on a new paper that examines the practice of password reuse.

Complete article on securitymagazine.com

Cloudflare Advances New Internet Standards for Speed and Security

As part of its Birthday Week, Cloudflare announces support for internet standards that help to improve speed and security, as well as unveiling the new Bandwidth Alliance that could help to save customers millions of dollars in bandwidth costs.

Cloudflare is celebrating its eighth birthday this week with a series of announcements that look to accelerate and secure the internet, as well as helping organizations to save some money.

On Sept. 24, Cloudflare announced its support of the Encrypted Server Name Indication (ESNI) service in a bid to keep service providers from being able to spy on users. On Sept. 25, the company announced its support for the QUIC protocol to help accelerate mobile traffic over User Datagram Protocol (UDP). On Sept. 26, Cloudflare announced the Bandwidth Alliance, which is a multi-stakeholder group of cloud providers that have pledged to reduce data transfer fees for mutual customers.

Complete article on eweek.com

For Hackers, Anonymity Was Once Critical. That’s Changing.

At Defcon, one of the world’s largest hacking conferences, new pressures are reshaping the community’s attitudes toward privacy and anonymity.

LAS VEGAS — Ask any hacker who’s been around long enough, and there’s a good chance you’ll hear an archetypal story, tinged with regret, about the first time his or her real identity was publicly disclosed.

After enjoying years of online anonymity, the hacker known as Grifter was unmasked by a less-than-scrupulous spouse. “Hey, Neil!” his wife called out at him, absent-mindedly, from across a crowded room, while accompanying him (for the very first time) at a hacking conference. “My beautiful wife, she outed me in front of the entire hacker community,” he said with a laugh.

Complete article on nytimes.com

Black Hat and Defcon cybersecurity experts share tips on how to protect yourself

During the week of Black Hat and Defcon, tens of thousands of security experts and hackers flock to Las Vegas for the back-to-back conferences. They hold discussions on issues like smart cities getting hacked, two-factor authentication, and security issues with voice assistants.

It can all get a little technical. But with so much cybersecurity knowledge in one place, I decided to ask individual experts for a single useful cybersecurity tip for the average person.

Complete article on cnet.com

Black Hat 2018: Google’s Tabriz Talks Complex Security Landscapes

At Black Hat, Google’s Parisa Tabriz discussed how to navigate the complex security environment with long-term thinking and a policy of open collaboration.

LAS VEGAS – The complexity of the cybersecurity landscape is at an all-time high, with security researchers, vendors, third-party ecosystems and even governments all trying to come to a consensus for making the cyber-world a safer place.

For security experts, navigating these choppy and crowded waters means embracing partnerships across these stakeholders, according to Parisa Tabriz, director of engineering at Google.

Complete article on threatpost.com

Symantec Warns of Increasingly Sophisticated Tech Support Scams

Symantec issued a report on Aug. 3 revealing that technical support fraud scammers are using call optimization services to improve their results. The new techniques come as the volume of tech support scams blocked by Symantec continues to grow.

Tech support scams come in multiple forms, including malware advertising where an ad shows up on a user’s screen warning that they have been infected with malware and need to call a certain number to get help. Symantec researchers found that scammers are making use of call optimization services to inject local numbers into malware alerts, as well as providing additional features to improve call delivery.

Complete article on eweek.com

The Year Targeted Phishing Went Mainstream

A story published on July 12 about a new sextortion-based phishing scheme that invokes a real password used by each recipient has become the most-read piece on KrebsOnSecurity since this site launched in 2009. And with good reason — sex sells (the second most-read piece here was my 2015 scoop about the Ashley Madison hack).

But beneath the lurid allure of both stories lies a more unsettling reality: It has never been easier for scam artists to launch convincing, targeted phishing and extortion scams that are automated on a global scale. And given the sheer volume of hacked and stolen personal data now available online, it seems almost certain we will soon witness many variations on these phishing campaigns that leverage customized data elements to enhance their effectiveness.

Complete article on krebsonsecurity.com

Plant Your Flag, Mark Your Territory

Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.

The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses.

Complete article on krebsonsecurity.com

Librarian Sues Equifax Over 2017 Data Breach, Wins $600

In the days following revelations last September that big-three consumer credit bureau Equifax had been hacked and relieved of personal data on nearly 150 million people, many Americans no doubt felt resigned and powerless to control their information. But not Jessamyn West. The 49-year-old librarian from a tiny town in Vermont took Equifax to court. And now she’s celebrating a small but symbolic victory after a small claims court awarded her $600 in damages stemming from the 2017 breach.

Complete article on krebsonsecurity.com

Intel, Microsoft to use GPU to scan memory for malware

Since the news of the Meltdown and Spectre attacks earlier this year, Intel has been working to reassure the computer industry that it takes security issues very seriously and that, in spite of the Meltdown issue, the Intel platform is a sound choice for the security conscious.

To that end, the company is announcing some new initiatives that use features specific to the Intel hardware platform to boost security. First up is Intel Threat Detection Technology (TDT), which uses features in silicon to better find malware.

Complete article on arstechnica.com