The state of Internet of Things security stinks, experts say. And while device manufacturers and lawmakers aren’t anxious to address it, there are clear signs of influence from other actors. IoT regulation is likely on its way.
As Google prepares to release Android P, which is packed with security features, experts note that efforts to address the mobile OS’ version fragmentation “plague” can only go so far.
You can’t prevent a major earthquake or critical-infrastructure hack, but you can prepare for one. So are industrial-security experts focused on seismic retrofits and post-hack kits?
Despite the legitimacy of the findings in new security research report EFail, experts caution that calls to abandon PGP- and S/MIME-protected email for Signal are irresponsible.
The top-level domain, which Google bought in 2015, is designed to host the Web presence of mobile apps. One key .app security feature that sets it apart: HTTPS is turned on by default.
When researchers inspected the ingredients of SiliVaccine, North Korea-developed Windows antivirus software, they found a mix of spyware and old stolen Trend Micro code.
In revealing that it had been storing unencrypted user passwords, Twitter requests, but doesn’t force, password resets for its 330 million users—the “bare minimum for doing right” by them, one expert says.
Industrial facilities ranging from oil rigs to breweries use Schneider software to monitor and control their machines. Hacks could have serious commercial or safety implications.
They’re key to advanced persistent threats. They’re increasingly simple. And they’re called zero-days because there’s essentially no time to patch them before a potential cybercriminal exploit.
Fighting the spread of fake news bears similarities to fighting spam. Using tech and human insights, Facebook is essentially filtering it via flagging, fact checking, and feed demotion.
The WebAuthn authentication protocol, backed by Google, Microsoft, PayPal, and others (but notably not Apple), uses physical second factors like phones, and supports biometrics.
Software updates and security patches for critical-infrastructure systems like those of hospitals, 911 dispatchers, and power plants aren’t easy or cheap. But there’s no excuse, experts say, for neglecting them.
At BSides and RSA, bug bounty experts Amit Elazari and Katie Moussouris say today’s programs lack adequate "safe harbor" hacker protections and vulnerability-patching requirements.
About 40 percent of Gmail accounts used to phish for log-ins were recently operating out of Nigeria, Google researchers say, and half of them were targeting people in the United States.
FOSTA and SESTA remove legal protections from online services that “knowingly” facilitate prostitution. Critics say ambiguity over liability may lead sites to make major changes.
Worried about what the social network’s advertisers might be able to see? Take a hard look at the Facebook data you've shared (perhaps inadvertently). You might be unpleasantly surprised.
When consumer-facing companies don’t take reports of data leaks seriously, customers become exposed to financial fraud and identity theft as in the recent Panera Bread incident.
Without investing in technology and personnel to implement preventative measures, experts say, ransomware like the SamSam attack in Atlanta will continue to wreak havoc across computer systems and networks.
Virtual private networks, like all other software—and all software users—aren’t infallible as identity concealers. And investigators can use failures to track down their targets, such as Guccifer 2.0.
Effectively social engineering at scale—simultaneously targeting millions of people across diverse ecosystems—isn’t necessarily a plausible concept. Not without AI and chatbots, that is.
Critics push for the Trump administration to deliver on its promise of a national cybersecurity policy—one that has more legal weight than words like “should” and “may.”
Rewards and penalties tied to China’s social-credit systems are designed to control citizens’ online behavior, experts say. Gamifying it makes the process more palatable.
Symantec researchers say Inception Framework is hijacking vulnerable old routers to forward malicious traffic and thus obscure the source of its advanced persistent threats.
The so-called Cloud Act would allow U.S. law enforcement agencies to obtain customer data stored on foreign servers—in many cases with a subpoena rather than a warrant.
A hack of the Nao humanoid robot, researchers say, demonstrates that cutting-edge consumer robots are just as susceptible to malware attacks as computers or phones.
The point of the Bishop Fox Cybersecurity Style Guide, its editor says, is to “bridge the gap between people who are writing in security, and the people who have to read that.”
The gig economy’s investment in cybersecurity education and protection is hard to quantify, but it’s easy to see that it’s important, researchers explain at the Enigma Conference.
Some privacy advocates say it calls for a resurrected debate over FISA practices. But Nunes himself is a steadfast supporter of the existing surveillance process.
Georgia Senate Bill 315 includes vague language reflective of the CFAA antihacking law that experts and advocates fear would be used to unfairly punish security researchers.
Google says it’s removing more malware than ever from its Android app store. But there are indications that the risks have also risen, as hackers see dollar signs in Android users.
The FISA Amendments Reauthorization Act, approved last week, authorizes and encourages more invasive NSA surveillance, advocates of privacy and civil liberties say.
Cyber Independent Testing Lab research revealed at ShmooCon shows which browsers have been improving in security the most over the past year—and which has suffered setbacks.
Researchers say the nation-state developers behind the Android spyware campaign Dark Caracal took a page from developers of legitimate software, relying on recycled components.
The Meltdown and Spectre chip flaw exploits are prompting a deluge of security patches. They might also represent a rude wake-up call to chip designers that speed and energy efficiency aren’t everything.
As sexual-misconduct allegations across industries proliferate, many organizations, including hacker conferences such as CCC, are realizing that they need a better conflict resolution protocol.
Using a bug bounty payment to conceal extortion or a breach, as Uber did, violated platform policies and Justice Department guidelines. Security experts explain how it also put consumers at risk.
Privacy and online-rights advocates say Spain’s recent heavy-handed Internet control is unprecedented for a Western democracy—and it could return with this week’s snap election.
From drones to dishwashers, these connected tech gifts should give you pause this holiday season, experts say. Here’s why—and, if they remain on your list, how to use them more safely.
The vast majority of anti-Net neutrality public comments made to the FCC were sent from stolen email addresses, according to study results. And the implications are serious.
At the second Enigma Interviews, we discussed how easy car software is to manipulate—and what carmakers are really chasing as they promote their connectedness.
What threats might faulty software in autonomous and connected vehicles pose? During a fireside chat Wednesday, the UC field experts and I will drive the conversation forward.
The sexual advances of the infamous John T. Draper, Captain Crunch, on young men in the hacker community—“inappropriate…and awkward,” sources say—were uninvited and unwelcome.
At Bitcoin Cafe in Prague, on the first floor of a hacker haven, you can buy a brew only with bitcoin or litecoin. We sat down with a Paralelní Polis board member to learn how—and why.
The newly announced Blackfish technology is designed to detect a credential-stuffing attack, “see” the stolen username-password combinations being tested, and prevent a successful log-in.
Fingerprints, faces, and other unique physical characteristics make great identifiers, security experts say. But because they’re public and permanent, they don’t make safe authenticators.
What happens to your genetic information after you send your saliva to a DNA testing company? The rules aren't always clear. And the consequences aren’t consistent.
The USA Liberty Act, designed to revamp and reauthorize FISA Section 702, would still allow the FBI and other agencies to query the NSA database of U.S. communications sans warrant.
To address an apparent disconnect between educational-technology vendors, school administrations, and families, experts say parents should dig into policies and speak up.
Government agencies—and the individuals who work for them—often trust the deep-scanning skills of security software like Kaspersky’s to keep their computer files safe.
“There’s just not enough cybertalent, not enough people with the level of expertise needed,” one expert says. Filling critical roles will mean recruiting and training outside the box.
The CCleaner hack shows that even utilities can be used to hack unsuspecting targets. Software vendors need to verify that the software they distribute is secure, experts say, scrutinizing it from acquisition through routine updates.
Retailers rely on point-of-sale readers to process purchases and protect customer data. Due to lax security within the devices and at stores, they make for tantalizing hacking targets.
While a passed House bill doesn’t directly address autonomous-vehicle hacking dangers, some experts maintain that broad regulatory language is better for rapidly developing technology.
Traditional passwords, often easily cracked or guessed, aren’t likely to lose much ground to multifactor or biometric authentication any day soon, experts say. Here’s why.
After an engineer enters an office building using an easily guessable default code programmed into an Airbnb-integrated smart lock, the RemoteLock 6i, the manufacturer pushes out updates.
While riding my motorcycle to DefCon and Black Hat, I visualized the security industry’s high-water mark—that place, Hunter S. Thompson wrote, “where the wave finally broke and rolled back.”
The first Enigma Interviews event will focus on the challenges Facebook and others face in protecting average users alongside high-profile hacking targets.
After President Trump fires James Comey, a leading U.S. backer of encryption backdoor mandates, officials in Europe and Australia renew arguments for the “technically infeasible.”
Addressing EVM vulnerabilities uncovered at DefCon—and plugging related holes across disparate election systems—would require years of concentrated work, experts say.
At DefCon, hackers discuss flaws—and real dangers—in dozens of biomedical devices, from pacemakers and insulin pumps to glucose monitors and digital intravenous drips.
During a fireside chat in Las Vegas, Reps. Will Hurd of Texas and Jim Langevin of Rhode Island plead for proactive hacker-lawmaker collaboration and voice concerns about election security.
Unaffiliated, limited-edition conference badges are utilitarian status symbols among the hacker community. They also are effective (and safe) tools for learning how to hack connected devices.
Privacy advocates in Congress oppose reauthorization of FISA’s Section 702 without major reform. The implication: Existing surveillance programs won’t survive without new privacy protections.
The NotPetya attack highlights that today’s critical security vulnerabilities are tied to far more than one outdated operating system, experts say. They stem from systemic issues well beyond the OS.
A lawsuit against the Trump administration highlights a presidential mandate to keep records of all official communications—something consumer encrypted-messaging apps aren’t designed to do.
The release of computer vulnerability exploits collected and stockpiled by U.S. intelligence agencies highlights internal security and cultural structures that aren’t likely to change. Here’s why.
Organizations don’t necessarily need to pay for zero-days, experts say. First, they need to set up vulnerability disclosure channels and establish reasonable response times.
As the controversy-laden ride-sharing service unrolls new privacy controls for users, Uber's technological turns still seem slightly speedier than its customers’ perceptions, if not the law.
As ride-sharing giant Uber contends that it’s been tracking devices’ unique identifiers on legitimate grounds, security experts outline how they can be used to both protect and expose.
Even the most secure, stable, and well-positioned open-source messaging apps need a smart user interface to catch on. Look no further than Demonsaw’s demise—and Signal’s success.
The requirement of apps such as Signal and WhatsApp that both senders and recipients use them makes it easier to confirm cryptographic exchanges. It also slows adoption.
The “biggest cyberthreat” of the year isn’t just a problem for big businesses. Eager to pluck the lowest-hanging fruit, cybercriminals are increasingly targeting small organizations and consumers.
Machine learning, the “artificial intelligence” enabled by finely tuned algorithms and a plethora of data, is quickly growing in influence among security professionals, cybercrime rings, and data-probing government agencies. Here’s how.
At hacking contests like Pwn2Own, individual hackers can shine. Participating companies, meanwhile, can find and recruit badly needed talent, as they build hacker-friendly reputations.
Revision proposals for the international agreement to control weapons exports aim to address language that could have severe consequences for security researchers.
Precisely because biometrics are harder to steal and spoof than passwords, they have the capacity—for better or worse—to be used in more powerful ways. Here are the key risk factors.
As the new president establishes his cabinet, and issues (and holds back on) security-focused executive orders, questions abound about his cybersecurity intentions—and how he might follow through on them.
Delegated Recovery, debuted alongside GitHub, unlocks linked accounts without texted log-in codes, secret questions, or emailed links. Its special sauce? Tokens sent over an encrypted connection.
After a presidential election marked by hacks and leaks and claims of “bleak” urban streets, those of the nation’s capital were filled—quite literally—with anger and worry. And hope.
What was once an obscure app offering protection for which most people couldn’t contemplate a use is being rapidly adopted by tech titans and rebels alike. Here’s why.
In the wake of stunted recounts in three closely contested states, security researchers argue that to ward off hacker manipulation of elections, municipalities must maintain and audit paper ballots.
With nothing more than a boarding pass bar code, someone could steal your airline miles, access your personal data, stalk you, and even cancel your flight or register it to himself, a security researcher demonstrates.
Following revelations of two of the biggest user account breaches ever, ex-Yahoo engineers are advocating ditching all of its services, including Mail, Flickr, and Tumblr.
Money mules perform a critical task for online thieves by agreeing to transfer money through their legitimate bank accounts. Here’s how to tell if you’ve been money muling—and what to do about it.
Sans regulation or consistent guidelines, experts say it’s in the best interest of software vendors and security researchers to coordinate on disclosures and patch releases.
The ways private companies and government agencies use information created by and attached to all forms of digital communication are far-reaching and, in some cases, vital.
First Amendment protections haven’t stopped attempts to regulate organized protests and other civic action. But effective community organization doesn’t have to sacrifice privacy.
Will Trump be able to fill key positions? Will he heed warnings about Russia? Will he look to force tech companies to create encryption backdoors? Here’s what several experts tell us.
Regardless of whether the Mirai botnet disrupts the U.S. election, IoT device exploits will continue to contribute to a less stable Internet until stronger security protocols are implemented, security experts say.
Questions regarding the veracity and transparency of evidence lie at the center of the debate over whether to trust government accusations of culpability for cyberattacks and computer hacking.
Email is the most important communication means for garnering campaign awareness, funds, and participation. Here’s how campaign data scientists and marketers are using it to entice you.
From publicity and hacker humiliation to machine-learning algorithms and taxonomy, we outline the factors leading to names such as Melissa, Stuxnet, Nimda, and Code Red.
A Veracode-sponsored study of “the relationship between bug bounties and internal efforts to secure software” concludes that using bug bounties alone would be a highly expensive endeavor.
The assumption that all map search results for businesses are accurate, legitimate, and locked down “is wrong,” says hacker Bryan Seely. Here’s how fake listings can put you and businesses at risk.
Properly protected vote databases are tough to hack, security experts say. But in places lacking up-to-date software, proper IT training, or a paper trail, hackers have an advantage.
Hidden trackers and malicious ads can respectively threaten your privacy and security while on the Web. To augment your browser settings, experts recommend installing these extensions.