Mozilla Firefox to begin slow rollout of DNS-over-HTTPS by default at the end of the month

To protect query privacy, browser maker will run everything through Cloudflare

On Friday, Mozilla said it plans to implement the DNS-over-HTTPS (DoH) protocol by default in its Firefox browser, with a slow rollout starting in late September.

Under development since 2017, DoH transfers domain-name queries – which try to match domain names with server IP addresses – over a secure, encrypted HTTPS connection to a DNS server, rather than via an unprotected, unencrypted bog-standard DNS connection.

Complete article on The Register

If Uncle Sam could quit using insecure .zip files to swap info across the ‘net, that would be great, says Silicon Ron Wyden

Influential US Senator Ron Wyden (D-OR) is not happy about Uncle Sam’s employees using insecure .zip files and other archive formats to electronically transfer information.

The Oregon Democrat today sent a letter [PDF] to Walter Copan, director of America’s National Institute of Standards and Technology (NIST), asking that the standards body put together a guidance document for government workers on alternatives to .zip archiving tools.

Complete article on wired.com

Radiohead Dropped 18 Hours of Unreleased Music to Screw Pirates

On Tuesday, Radiohead guitarist and composer Jonny Greenwood made an announcement on Twitter and Facebook: The band had been “hacked,” and the perpetrator attempted a $150,000 shakedown to prevent the public release of the files. In response? Radiohead dumped all of it online for free. You can stream it below for the next 18 days, or buy it on Bandcamp for about $23. All proceeds will go to a climate protest organization called Extinction Rebellion.

Complete article on wired.com

How Call Centers are the Weakest Links in Authentication Chain

As companies increase their cybersecurity defenses, fraudsters are now targeting call centers, armed with easily obtained and plentiful personally identifying information, which they also share among themselves.

A report from TRUSTID confirms that call center professionals are being inundated with social engineering attempts from fraudsters looking to take over customer accounts.

The results spotlighted six insights…

Complete article on securitymagazine.com

How Traditional Training Is Weakening Businesses’ Cybersecurity

Just a decade ago, cybersecurity was a relative myth to the public – something taken care of by any old antivirus and certainly nothing to worry about. But as the internet age gathered momentum, rolling like a freight train on an endless slope, things changed. Cyber attackers were not perceived as hoodie-wearing teens with abundant spare time anymore, but seen for what they are: organized, often well-funded groups – and a genuine menace to society.

The evolving threat landscape has changed the way cybersecurity is viewed by businesses, too. No longer should it be handled by a select few while other employees move irresponsibly through the digital world; instead, it is something of which every employee must be aware. But traditional training models, whereby swathes of employees travel to one-day events periodically, are expensive – and not very practical either.

Complete article on forbes.com

Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It?

From time to time, there emerge cybersecurity stories of such potential impact that they have the effect of making all other security concerns seem minuscule and trifling by comparison. Yesterday was one of those times. Bloomberg Businessweek on Thursday published a bombshell investigation alleging that Chinese cyber spies had used a U.S.-based tech firm to secretly embed tiny computer chips into electronic devices purchased and used by almost 30 different companies. There aren’t any corroborating accounts of this scoop so far, but it is both fascinating and terrifying to look at why threats to the global technology supply chain can be so difficult to detect, verify and counter.

Complete article on krebsonsecurity.com

For Hackers, Anonymity Was Once Critical. That’s Changing.

At Defcon, one of the world’s largest hacking conferences, new pressures are reshaping the community’s attitudes toward privacy and anonymity.

LAS VEGAS — Ask any hacker who’s been around long enough, and there’s a good chance you’ll hear an archetypal story, tinged with regret, about the first time his or her real identity was publicly disclosed.

After enjoying years of online anonymity, the hacker known as Grifter was unmasked by a less-than-scrupulous spouse. “Hey, Neil!” his wife called out at him, absent-mindedly, from across a crowded room, while accompanying him (for the very first time) at a hacking conference. “My beautiful wife, she outed me in front of the entire hacker community,” he said with a laugh.

Complete article on nytimes.com

The Biggest Email Security Challenge Facing Organizations Today

Email is the single most effective and commonplace way of reaching someone in the business world today. Even as other methods of digital communication have come and gone over its 40-year history, email remains the backbone of business communications with 3.7 billion users worldwide collectively sending 269 billion messages every day.

But email’s ubiquity and popularity come at a price: vulnerability. With the growing prevalence and success of targeted social engineering attacks, email continues to be a shockingly easy entry point for cybercriminals. In fact, the FBI’s 2017 Internet Crime Report indicates that business email compromise and phishing drive 48 percent of ALL internet crime-driven financial loss – more than all other business-related internet crime combined. Depending on their form, these targeted attacks are called by a number of names – spear phishing, business email compromise, impersonation, credential theft, etc. – and have a disproportionately large impact on an organization, as attackers gain access to confidential information and intellectual property and, in many circumstances, move laterally (east-west) from email into core backend systems that hold customer data or even financial access.

Complete article on securitymagazine.com

Google Outlines Incident Response Process for Cloud Customers

In its ongoing campaign to build trust through transparency, Google this week released a white paper describing the company’s process for responding to incidents impacting the confidentiality, integrity or availability of customer data.

The paper shows that Google has implemented a four-phased approach for responding to data incidents, which it describes as a breach of Google security that results in the disclosure, alteration or destruction of customer data in its care.

Complete article on eweek.com

How To Protect Yourself Against a SIM Swap Attack

A spate of hacked Instagram accounts. A $220 million lawsuit against AT&T. A bustling underground crime ring. They all have roots in an old problem that has lately found new urgency: SIM card swaps, a scam in which hackers steal your mobile identity—and use it to upend your life.

At its most basic level, a SIM swap is when someone convinces your carrier to switch your phone number over to a SIM card they own. They’re not doing it for prank call cover, or to rack up long-distance charges. By diverting your incoming messages, scammers can easily complete the text-based two-factor authentication checks that protect your most sensitive accounts. Or, if you don’t have two-factor set up in the first place, they can use your phone number to trick services into coughing up your passwords.

Complete article on wired.com