# Krebs On Security

  • Crooks Go Deep With ‘Deep Insert’ Skimmers (Thu, 05 May 2016 17:30:00 +0000)
    ATM maker NCR Corp. says it is seeing a rapid rise in reports of what it calls "deep insert skimmers," wafer-thin fraud devices made to be hidden inside of the card acceptance slot on a cash machine.
  • Fraudsters Steal Tax, Salary Data From ADP (Tue, 03 May 2016 17:04:15 +0000)
    Identity thieves stole tax and salary data from payroll giant ADP by registering accounts in the names of employees at more than a dozen customer firms, KrebsOnSecurity has learned. ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters.
  • How the Pwnedlist Got Pwned (Mon, 02 May 2016 11:13:36 +0000)
    Last week, I learned about a vulnerability that exposed all 866 million account credentials harvested by pwnedlist.com, a service designed to help companies track public password breaches that may create security problems for their users. The vulnerability has since been fixed, but this simple security flaw may have inadvertently exacerbated countless breaches by preserving the data lost in them and then providing free access to one of the Internet's largest collections of compromised credentials.

# Bruce Schneier's blog

  • Own a Pair of Clipper Chips (Thu, 05 May 2016 06:31:32 -0500)
    The AT&T TSD was an early 1990s telephone encryption device. It was digital. Voice quality was okay. And it was the device that contained the infamous Clipper Chip, the U.S. government's first attempt to put a back door into everyone's communications. Marcus Ranum is selling a pair on eBay. He has the decryption wrong, though. The TSD-3600-E is the model...
  • $7 Million Social Media Privacy Mistake (Wed, 04 May 2016 14:28:45 -0500)
    Forbes estimates that football player Laremy Tunsil lost $7 million in salary because of an ill-advised personal video made public....
  • Credential Stealing as an Attack Vector (Wed, 04 May 2016 06:51:25 -0500)
    Traditional computer security concerns itself with vulnerabilities. We employ antivirus software to detect malware that exploits vulnerabilities. We have automatic patching systems to fix vulnerabilities. We debate whether the FBI should be permitted to introduce vulnerabilities in our software so it can get access to systems with a warrant. This is all important, but what's missing is a recognition that...
  • Julian Sanchez on the Feinstein-Burr Bill (Tue, 03 May 2016 13:10:03 -0500)
    Two excellent posts. It's such a badly written bill that I wonder if it's just there to anchor us to an extreme, so we're relieved when the actual bill comes along. Me: "This is the most braindead piece of legislation I've ever seen," Schneier -- who has just been appointed a Fellow of the Kennedy School of Government at Harvard...
  • Fake Security Conferences (Mon, 02 May 2016 15:45:31 -0500)
    Turns out there are two different conferences with the title International Conference on Cyber Security (ICCS 2016), one real and one fake. Richard Clayton has the story....
  • Vulnerabilities in Samsung's SmartThings (Mon, 02 May 2016 09:01:13 -0500)
    Interesting research: Earlence Fernandes, Jaeyeon Jung, and Atul Prakash, "Security Analysis of Emerging Smart Home Applications": Abstract: Recently, several competing smart home programming frameworks that support third party app development have emerged. These frameworks provide tangible benefits to users, but can also expose users to significant security risks. This paper presents the first in-depth empirical security analysis of one such...
  • Friday Squid Blogging: Global Squid Shortage (Fri, 29 Apr 2016 16:05:18 -0500)
    There's a squid shortage along the Pacific coast of the Americas. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
  • I'm Writing a Book on Security (Fri, 29 Apr 2016 13:02:33 -0500)
    I'm writing a book on security in the highly connected Internet-of-Things World. Tentative title: Click Here to Kill Everybody: Peril and Promise in a Hyper-Connected World. There are two underlying metaphors in the book. The first is what I have called the World-Sized Web, which is that combination of mobile, cloud, persistence, personalization, agents, cyber-physical systems, and the Internet of...
  • Documenting the Chilling Effects of NSA Surveillance (Fri, 29 Apr 2016 06:28:27 -0500)
    In Data and Goliath, I talk about the self-censorship that comes along with broad surveillance. This interesting research documents this phenomenon in Wikipedia: "Chilling Effects: Online Surveillance and Wikipedia Use," by Jon Penney, Berkeley Technology Law Journal, 2016. Abstract: This article discusses the results of the first empirical study providing evidence of regulatory "chilling effects" of Wikipedia users associated with...
  • Amazon Unlimited Fraud (Thu, 28 Apr 2016 08:20:03 -0500)
    Amazon Unlimited is an all-you-can-read service. You pay one price and can read anything that's in the program. Amazon pays authors out of a fixed pool, on the basis of how many people read their books. More interestingly, it pays by the page. An author makes more money if someone reads his book through to page 200 than if they...