As the bug bounty business matures, the bounties themselves present opportunities for hacker entrepreneurs to pocket profits while developing an important blend of business skills.
At DefCon’s Aviation Village, experts convene to explore planes’ burgeoning hacking vulnerabilities and highlight a need for proactive collaboration to protect their systems.
More than 54,000 leaked customer service calls of Colombian financial-services provider Filialcoop variably include customer names, addresses, and numbers said in confidence.
Using off-the-shelf parts and the help of a nurse enthusiast, a biohacking group designed, built, and subcutaneously implanted three networked hard drives. We inquired and watched.
LAS VEGAS—Are you too sexy for your license plate? Hacker and fashion designer Kate Rose thinks not.
Until now, most antisurveillance fashion has surrounded... Read More...
Alongside key U.S. businesses, the desktop manufacturers of unofficial conference badges explain how the president’s trade war against China has put their razor-thin margins at risk.
As a chorus of voices pursuing antitrust action against Big Tech grows louder, it’s important to note that even using regulations to protect consumer privacy is far from a simple endeavor.
A slow spread of privacy- and security-focused updates included in the upcoming version of Google’s mobile operating system will undoubtedly add to criticism of version fragmentation.
Security researcher Dale “Woody” Wooden explains how a hacker could manipulate Ford key fob radio frequency signals to unlock, manipulate, or start the engine of at least two newer Ford models.
Are the nuclear-power industry’s collective responses to the 1986 disaster enough to stave off clever nation-state cyberattacks? The Parallax visits the toxic site and takes a closer look.
From vulnerability exploits to encrypted messaging, the report outlines tech Russia and Trump associates used to interfere in U.S. elections and stymie Mueller’s investigation.
Whether spreading malware or disinformation, attackers study their targets, create artifacts, and get the artifacts in front of their targets. So why not combat fake news like malware?
Security experts worry that U.S. charges against WikiLeaks publisher Assange could scare whistleblowers—or cloud the nature of his relationships with Russia and Trump associates.
IOActive’s director of penetration testing says memsad causes software to expose passwords, keys, and tokens we use to protect our data. And the rot has spread far and wide.
Unlike its competitors, the Backstory security data platform, built on Google’s robust infrastructure, is built to retain and surface even years-old Internet traffic data by default.
App functionality or commercial demands sometimes require access to calendars, cameras, or contacts. Here, a basic, if crassly capitalistic, explanation is appropriate.
It’s no secret that few Wi-Fi routers have strong security. It might be alarming, however, to hear that many of today’s high-rated routers have fewer protections than those of 15 years ago, says the CITL research lab at ShmooCon.
When a company goes under or gets sold, its customer data is often the most valuable asset it holds—one it can usually sell or transfer to another entity, depending on the terms of its privacy policy.
A California judge’s ruling might give weight to privacy advocates’ arguments in future cases regarding forced device log-ins. But it isn’t expected to change much in the near term.
Three patterns surface from a look at expectations for the year that turned out wrong: We got lucky, we expected too much, or we were looking in the wrong direction.
Facebook might not sell user data. But it has been trading deep access to it with tech powerhouses Amazon, Netflix, Huawai, and others, according to a New York Times report.
DriveSavers isn’t divulging what its “proprietary technology” is or how it works. It is saying, however, that it won’t use its tech to help law enforcement agencies carry out search warrants.
Over four years, Marriott hackers accessed millions of guest records, including names, mailing and email addresses, passport numbers, and birth dates. Here’s what we’re learning.
High midterm voter turnout highlighted vulnerabilities in dated voting systems. But new machines aren’t the ticket to a smoother and more secure presidential election, experts say.
New exemptions to the controversial copyright law cover hacks of both software and hardware controlled by code. But they stop short of giving security researchers a free pass.
At the Context Conversations event on election security, veteran software engineer Ben Adida explains how he plans to “build open-source voting machines on commodity hardware.”
In a column for The Parallax, Gary McGraw outlines why his band wrote a song that passionately encourages every eligible voter to fill out and submit a ballot.
Despite knowing that current voting systems are highly vulnerable, lawmakers’ inaction on providing badly needed funding for updates has thus far resulted in maintaining the status quo.
Ensuring the integrity and security of a ballot submitted from overseas has long been challenging, and only 7 percent of eligible voters even attempt it. Can technology help?
At our second event, on November 5, we’ll discuss voting-machine vulnerabilities, effective social-engineering tactics, and how to secure elections while respecting democratic values.
Like last week’s Kavanaugh hearings, Facebook’s acknowledgment of a cyberattack that led to a mass account reset alarmed officials and left key questions unanswered.
Torii, named after the Japanese word for “gate,” uses Tor and its network of anonymously linked computers to both obscure Internet traffic and steal data, Avast researchers say.
Tech firms would like one privacy law to cover all U.S. communications—as long as it’s not as strict as the GDPR and also supersedes any pesky state regulations like the CCPA.
Without regulatory pressure to enforce a federal health care cybersecurity task force’s recommendations, involved experts acknowledge, industry progress will remain slow.
For implanted medical devices, where a faulty update could harm or even kill a patient, a doctor’s office visit is in order. With no billing code, hospitals have been eating the costs.
Cluttered EHRs are reducing doctors’ ability to make good decisions for their patients while decreasing patient privacy, argues Twila Brase, author of Big Brother in the Exam Room.
Default device authentication settings, insufficient patches, and internal networks that assume all participants are trusted can lead to health care operations-thwarting infections.
You can’t personally prevent a data breach, nor someone from attempting to defraud your insurance provider. But you can take steps to minimize how much a breach can affect you.
As technology has become the lifeblood of the health care industry, hospitals and patient care clinics are often ill-equipped to confront a Hydra-headed cybersecurity monstrosity.
To get a clearer picture of how pervasive ransomware attacks against hospitals and patient care clinics have become, check out the publicly acknowledged cases since 2016.
There’s no understanding trans-Atlantic privacy politics, nor policy, without recognizing Germany’s pre-1989 memories of the Stasi regime, which enforced conformity through spying.
So-called private channels and encryption aren’t necessarily enough to keep our chats private. How each messaging service sends and stores our data is confusingly inconsistent.
Medical-security researchers are having a harder time getting people to take flaws seriously than discovering serious flaws. We’ll discuss the most pressing issues at Context Conversations.
On stage at DefCon, veteran NSA leader Rob Joyce says the agency’s ability to monitor and counteract international cyberattacks relies on recruiting—and working well—with hackers.
European regulators fined Google for abusing power and demanded that it relaxes restrictions on Android vendors. What could a privacy-focused phone maker do with this new latitude?
Registration, tabulation, social media—there are other aspects of elections we need to better secure, say experts who examined eight notoriously insecure Winvote machines.
Following the massacre from the Mandalay Bay, hotel security personnel began routinely checking rooms. They’re now clashing with privacy advocates attending security conferences.
There might be no better way to reveal just how lax we still are about encryption than to highlight security professionals’ own unprotected communications.
Parisa Tabriz, head of Chrome security and leader of Project Zero, calls out Google’s leadership approach in Internet security as a combination of muscle and joint efforts.
Hackers are divided on the prospects of SBOM standards. Some say they could reduce many patching obstacles. Others worry that they could do more harm than good.
The extortion scam email looks legitimate because it contains accurate personal information. It says it has webcam evidence of online porn consumption and demands thousands of dollars in bitcoin.
As VPN services face increasing obstacles across the globe, the key to their success is in the details. And Verizon is lacking in details about its data collection practices.
Touring the British wartime relic, one might hear: Keep your team focused. Educate and motivate. Be wary of your enemies’ mutual tools. And use deception to keep them off your trail.
In updating its dominant Chrome browser to red-flag sites lacking HTTPS as insecure, Google completes a two-year project to strong-arm site owners into more safely transmitting data.
A lackluster response to speaker harassment by attendees wearing MAGA gear underscores an ongoing struggle among conference organizers to enforce codes of conduct.
At the HOPE hacker conference, a talk about turning oxycodone into its overdose antidote prompts a broader look at the expanding definition—and increasing relevance—of biohacking.
The technically detailed indictment of 12 Russian GRU officers implies a struggle to find appropriate and effective cybersecurity deterrents to geopolitical hacking, experts say.
“A CERT is like FEMA for cyber,” one expert says. Post-WannaCry, Israel is following the Netherlands, England, and Norway in creating a health care CERT.
In its 5-4 decision that police need a search warrant to obtain a target’s location data, the Supreme Court says in Carpenter vs. United States that carrying a phone is “indispensable to participation in modern society.”
A billion-plus people use WeChat to chat, pay, and shop. But while its walled-garden success puts Facebook and Apple’s messaging apps to shame, the success comes with only-in-China costs.
The VPNFilter botnet could collect information and block network traffic, the FBI said. Beyond rebooting our routers, we should be keeping their firmware up-to-date. Here’s how.
Distributed denial-of-service (DDoS) attacks, which hackers have used for decades to pester online organizations, are expected to plague the Internet of Things. Here’s why.
The 12th version of Apple’s browser will expand its Intelligent Tracking Prevention to shield users from tracking related to social networks’ commenting systems. Here’s why.
While the privacy regulations focus on protecting EU residents, regulators like the FTC could force major companies to abide by their GDPR-compliant policies around the world.
Two decades after presenting at the Senate’s first cybersecurity hearing, veteran L0pht hackers Kingpin, Mudge, Weld Pond, and Space Rogue reflect on progress and urge for much more.
The state of Internet of Things security stinks, experts say. And while device manufacturers and lawmakers aren’t anxious to address it, there are clear signs of influence from other actors. IoT regulation is likely on its way.
As Google prepares to release Android P, which is packed with security features, experts note that efforts to address the mobile OS’ version fragmentation “plague” can only go so far.
You can’t prevent a major earthquake or critical-infrastructure hack, but you can prepare for one. So are industrial-security experts focused on seismic retrofits and post-hack kits?
Despite the legitimacy of the findings in new security research report EFail, experts caution that calls to abandon PGP- and S/MIME-protected email for Signal are irresponsible.
The top-level domain, which Google bought in 2015, is designed to host the Web presence of mobile apps. One key .app security feature that sets it apart: HTTPS is turned on by default.
When researchers inspected the ingredients of SiliVaccine, North Korea-developed Windows antivirus software, they found a mix of spyware and old stolen Trend Micro code.
In revealing that it had been storing unencrypted user passwords, the social media company requests, but doesn’t force, Twitter password resets of its 330 million users—the “bare minimum for doing right” by them, one expert says.
Industrial facilities ranging from oil rigs to breweries use Schneider software to monitor and control their machines. Hacks could have serious commercial or safety implications.
They’re key to advanced persistent threats. They’re increasingly simple. And they’re called zero-days because there’s essentially no time to patch them before a potential cybercriminal exploit.
Fighting the spread of fake news bears similarities to fighting spam. Using tech and human insights, Facebook is essentially filtering it via flagging, fact checking, and feed demotion.
The WebAuthn authentication protocol, backed by Google, Microsoft, PayPal, and others (but notably not Apple), uses physical second factors like phones, and supports biometrics.
Software updates and security patches for critical-infrastructure systems like those of hospitals, 911 dispatchers, and power plants aren’t easy or cheap. But there’s no excuse, experts say, for neglecting them.
At BSides and RSA, bug bounty experts Amit Elazari and Katie Moussouris say today’s programs lack adequate "safe harbor" hacker protections and vulnerability-patching requirements.
About 40 percent of Gmail accounts used to phish for log-ins were recently operating out of Nigeria, Google researchers say, and half of them were targeting people in the United States.
FOSTA and SESTA remove legal protections from online services that “knowingly” facilitate prostitution. Critics say ambiguity over liability may lead sites to major site changes.
Worried about what the social network’s advertisers might be able to see? Take a hard look at the Facebook data you've shared (perhaps inadvertently). You might be unpleasantly surprised.
When consumer-facing companies don’t take reports of data leaks seriously, customers become exposed to financial fraud and identity theft as in the recent Panera Bread incident.
Without investing in technology and personnel to implement preventative measures, experts say, ransomware like the SamSam attack in Atlanta will continue to wreak havoc across computer systems and networks.
Virtual private networks, like all other software—and all software users—aren’t infallible as identity concealers. And investigators can use failures to track down their targets, such as Guccifer 2.0.
Effectively social engineering at scale—simultaneously targeting millions of people across diverse ecosystems—isn’t necessarily a plausible concept. Not without AI and chatbots, that is.
Critics push for the Trump administration to deliver on its promise of a national cybersecurity policy—one that has more legal weight than words like “should” and “may.”
Rewards and penalties tied to China’s social-credit systems are designed to control citizens’ online behavior, experts say. Gamifying it makes the process more palatable.
Symantec researchers say Inception Framework is hijacking vulnerable old routers to forward malicious traffic and thus obscure the source of its advanced persistent threats.
The so-called Cloud Act would allow U.S. law enforcement agencies to obtain customer data stored on foreign servers—in many cases with a subpoena rather than a warrant.
A hack of the Nao humanoid robot, researchers say, demonstrates that cutting-edge consumer robots are just as susceptible to malware attacks as computers or phones.
The point of the Bishop Fox Cybersecurity Style Guide, its editor says, is to “bridge the gap between people who are writing in security, and the people who have to read that.”
The gig economy’s investment in cybersecurity education and protection is hard to quantify, but it’s easy to see that it’s important, researchers explain at the Enigma Conference.
Some privacy advocates say it calls for a resurrected debate over FISA practices. But Nunes himself is a steadfast surveillance supporter of the existing process.
Georgia Senate Bill 315 includes vague language reflective of the CFAA antihacking law that experts and advocates fear would be used to unfairly punish security researchers.
Google says it’s removing more malware than ever from its Android app store. But there are indications that the risks have also risen, as hackers see dollar signs in Android users.
The FISA Amendments Reauthorization Act, approved last week, authorizes and encourages more invasive NSA surveillance, advocates of privacy and civil liberties say.
Cyber Independent Testing Lab research revealed at ShmooCon shows which browsers have been improving in security the most over the past year—and which has suffered setbacks.
Researchers say the nation-state developers behind the Android spyware campaign Dark Caracal took a page from developers of legitimate software, relying on recycled components.
The Meltdown and Spectre chip flaw exploits are prompting a deluge of security patches. They might also represent a rude wake-up call to chip designers that speed and energy efficiency aren’t everything.
