Experts worry that without proper planning, today's decisions about developing contact tracing apps could have unforeseen consequences in the years to come.
Coronavirus has brought on a Zoom boom, making the videoconferencing software a more attractive hacking target. As the company plugs holes, we can adjust our meeting settings.
Amazon’s Ring says its connected-doorbell devices are building “safer neighborhoods.” Follow these steps to better protect the data (and video) they collect from hackers and partners.
The Crypto Wars are back: Top cryptography experts debate the history of data encryption, and how law enforcement fears are driving a demand for backdoors.
Emailing or texting username-password combos is like assuming your attacker is lazy. Bad assumption. But we still need to share them sometimes. Here’s how to do it a bit more securely.
Microsoft is no longer supporting Windows 7. Everyone should have long since left it behind for a more secure operating system. But for some, upgrading isn’t an easy option.
More than two dozen zero-day vulnerabilities revealed in bootloaders of popular devices ranging from Androids to Linksys routers to Samsung TVs strike at the core of digital insecurity.
RCS brings a feature boost to the 30-year-old texting standard. Google and networks are pushing it hard. But their implementations aren’t ready for prime time, security researchers say.
“Disney did not use any of the best practices that can protect users,” GroupSense’s CEO says. It’s largely to blame for Disney+ credentials selling on the Dark Web at a premium.
Ever wondered how that cool-looking chip on your bank card works? The EMV chip is actually a powerful computer that helps cryptographically process payments. Here’s how.
Results from a survey of 3,419 respondents in 12 U.S. states support the implementation of a new password security feature expected in all Google accounts next week.
You know that on its own, email is not secure for sending credit card or passport numbers. But you still need to send some personal information over the Internet. Here’s how.
As smart TVs with very few built-in security features become ubiquitous, consumers can take basic steps to better secure their network access, microphones, and cameras.
Do you use a code-generating app from Google, Microsoft, LastPass, or Authy that supports multiple services? Migrating it to your new Android or iOS device requires a few steps.
While traditional malware infects a system via a file that requires execution, fileless malware can infect a device’s memory via an instruction set hiding in an email attachment.
Google’s move to turn Android devices—the ones already in consumers’ hands—into the physical keys needed to unlock accounts is a “game changer.” Here’s why, and how to do it.
A slow spread of privacy- and security-focused updates included in the upcoming version of Google’s mobile operating system will undoubtedly add to criticism of version fragmentation.
Security researcher Dale “Woody” Wooden explains how a hacker could manipulate Ford key fob radio frequency signals to unlock, manipulate, or start the engine of at least two newer Ford models.
At the CyberMed Summit in Arizona, simulated hospital emergencies highlight today’s medical-cybersecurity challenges. At their heart: education, collaboration, and advocacy.
Major sites and browser vendors are increasingly supporting physical two-step authentication keys, known as U2F keys. Could they remedy your account security anxiety?
Google CEO Sundar Pichai’s first congressional hearing—a milestone he probably wished he could have postponed for a few more years—did not lack drama. As he de...
The new Gmail feature Confidential Mode gives senders several ways to protect their messages, including timed deletion, passcode-required opening, and blocked forwarding. But experts are wary.
DriveSavers isn’t divulging what its “proprietary technology” is or how it works. It is saying, however, that it won’t use its tech to help law enforcement agencies carry out search warrants.
New exemptions to the controversial copyright law cover hacks of both software and hardware controlled by code. But they stop short of giving security researchers a free pass.
A device’s unwitting participation in a malicious robot network, or botnet, is practically detectable only through a forensic examination, experts tell us. But we can take steps to protect our devices.
At our second event, on November 5, we’ll discuss voting-machine vulnerabilities, effective social-engineering tactics, and how to secure elections while respecting democratic values.
The massive data breach Facebook reported at the end of September isn’t quite as big as the company thought it might be. That might sound good, but it isn’t lik...
A small group of cybersecurity experts get together to ‘Hack the Capitol’ and raise awareness among lawmakers of the digital risks to industrial-control systems.
Like last week’s Kavanaugh hearings, Facebook’s acknowledgment of a cyberattack that led to a mass account reset alarmed officials and left key questions unanswered.
As endless studies show, the first lesson in stopping a phishing attempt is to be skeptical of links in emails, text messages, or anything appearing to be a personal, private communication.
For implanted medical devices, where a faulty update could harm or even kill a patient, a doctor’s office visit is in order. With no billing code, hospitals have been eating the costs.
You can’t personally prevent a data breach, nor someone from attempting to defraud your insurance provider. But you can take steps to minimize how much a breach can affect you.
As technology has become the lifeblood of the health care industry, hospitals and patient care clinics are often ill-equipped to confront a Hydra-headed cybersecurity monstrosity.
Many social-media companies and email providers have services to help executors settle a decedent’s digital assets, and some have services to help users prepare for their own death.
The Tel Aviv-based company Karamba explains how its technology protects a car’s CAN bus, or nervous system, from common hacks. There are caveats, of course, and “really bold” claims.
So-called private channels and encryption aren’t necessarily enough to keep our chats private. How each messaging service sends and stores our data is confusingly inconsistent.
Medical-security researchers are having a harder time getting people to take flaws seriously than discovering serious flaws. We’ll discuss the most pressing issues at Context Conversations.
On stage at DefCon, veteran NSA leader Rob Joyce says the agency’s ability to monitor and counteract international cyberattacks relies on recruiting—and working well with—hackers.
Cryptographer and security technologist Bruce Schneier coined the term "security theater" in 2004. How has the term been appropriated since then—and is it ever appropriate? We asked Schneier.
California Secretary of State Alex Padilla discusses the importance of preventing (and addressing) system breaches alongside misinformation campaigns. There’s a lot to balance.
Registration, tabulation, social media—there are other aspects of elections we need to better secure, say experts who examined eight notoriously insecure Winvote machines.
Hackers are divided on the prospects of SBOM standards. Some say they could reduce many patching obstacles. Others worry that they could do more harm than good.
As VPN services face increasing obstacles across the globe, the key to their success is in the details. And Verizon is lacking in details about its data collection practices.
Touring the British wartime relic, one might hear: Keep your team focused. Educate and motivate. Be wary of your enemies’ mutual tools. And use deception to keep them off your trail.
Need to lock down your accounts, block a harasser, and move on with your digital life? Follow these five steps, from documenting and reporting to adding two-factor authentication.
In updating its dominant Chrome browser to red-flag sites lacking HTTPS as insecure, Google completes a two-year project to strong-arm site owners into more safely transmitting data.
The technically detailed indictment of 12 Russian GRU officers implies a struggle to find appropriate and effective cybersecurity deterrents to geopolitical hacking, experts say.
A notorious cyberthief turned security consultant walks us through the “synthetic identity fraud” process, from searching the Dark Web to pulling credit reports to opening accounts.
Even if your boss isn't actively surveilling you—or you think you have nothing to hide—you should know how blurring the line between personal and professional puts your privacy at risk.
Watering-hole attacks use predator tactics to improve attackers’ odds of infiltrating large organizations. They’re hard to detect or defend against—and they can have devastating effects.
Vulnerable devices on your network can lead to intrusions of your most sensitive data, and IOT patches are rare. While manufacturers need accountability, we need to make better security choices.
“A CERT is like FEMA for cyber,” one expert says. Post-WannaCry, Israel is following the Netherlands, England, and Norway in creating a health care CERT.
Distributed denial-of-service (DDoS) attacks, which hackers have used for decades to pester online organizations, are expected to plague the Internet of Things. Here’s why.
Two decades after presenting at the Senate’s first cybersecurity hearing, veteran L0pht hackers Kingpin, Mudge, Weld Pond, and Space Rogue reflect on progress and call for much more.
Most people think that the General Data Protection Regulation is about privacy, but it’s really about security. Shifting this thinking will drive investment that benefits everyone.
The state of Internet of Things security stinks, experts say. And while device manufacturers and lawmakers aren’t anxious to address it, there are clear signs of influence from other actors. IoT regulation is likely on its way.
As Google prepares to release Android P, which is packed with security features, experts note that efforts to address the mobile OS’ version fragmentation “plague” can only go so far.
You can’t prevent a major earthquake or critical-infrastructure hack, but you can prepare for one. So are industrial-security experts focused on seismic retrofits and post-hack kits?
Despite the legitimacy of the findings in new security research report EFail, experts caution that calls to abandon PGP- and S/MIME-protected email for Signal are irresponsible.
To address the great dearth of good cyberthreat analysts, hiring managers need to move the focus of their searches from technical skills to less teachable soft skills, Simone Petrella writes.
The top-level domain, which Google bought in 2015, is designed to host the Web presence of mobile apps. One key .app security feature that sets it apart: HTTPS is turned on by default.
As Google reveals a Duplex power boost to its Assistant, security experts weigh in on the risks. In the smart home, added conveniences and insights come with a wider “attack surface.”
When researchers inspected the ingredients of SiliVaccine, North Korea-developed Windows antivirus software, they found a mix of spyware and old stolen Trend Micro code.
In revealing that it had been storing unencrypted user passwords, the social media company requests, but doesn’t force, Twitter password resets of its 330 million users—the “bare minimum for doing right” by them, one expert says.
They’re key to advanced persistent threats. They’re increasingly simple. And they’re called zero-days because there’s essentially no time to patch them before a potential cybercriminal exploit.
Fighting the spread of fake news bears similarities to fighting spam. Using tech and human insights, Facebook is essentially filtering it via flagging, fact checking, and feed demotion.
The WebAuthn authentication protocol, backed by Google, Microsoft, PayPal, and others (but notably not Apple), uses physical second factors like phones, and supports biometrics.
Software updates and security patches for critical-infrastructure systems like those of hospitals, 911 dispatchers, and power plants aren’t easy or cheap. But there’s no excuse, experts say, for neglecting them.
At BSides and RSA, bug bounty experts Amit Elazari and Katie Moussouris say today’s programs lack adequate "safe harbor" hacker protections and vulnerability-patching requirements.
To address cyberrisks, former Pennsylvania governor and DHS secretary Tom Ridge says the relationship between the private and public sectors needs to move from punitive to collaborative.
When consumer-facing companies don’t take reports of data leaks seriously, customers become exposed to financial fraud and identity theft as in the recent Panera Bread incident.
The next self-driving car death easily could result from a hack. If companies investing in the technology aren’t prioritizing cybersecurity, they aren’t prioritizing safety—or their business.
Spear phishing differs from its more prevalent counterpart, phishing, in that it casts a smaller, more targeted net. Its tactics are also much more sophisticated.
“No one is immune” to advanced persistent threats, or APTs, which hackers use to surreptitiously gain access to a network and stay undetected for a long period of time.
The gig economy’s investment in cybersecurity education and protection is hard to quantify, but it’s easy to see that it’s important, researchers explain at the Enigma Conference.
Google’s dominant browser will now filter notoriously intrusive ad types. While enforcing Better Ad Standards doesn’t directly address security, experts say it’ll benefit the whole Web.
Heading to the Winter Olympics in South Korea or another major public event? Don’t let yourself get so carried away with excitement that you forget that the bad guys are just waiting for you to slip up.
Georgia Senate Bill 315 includes vague language reflective of the CFAA antihacking law that experts and advocates fear would be used to unfairly punish security researchers.
Combine its nefarious applications with its inherent stealthiness and rapid proliferation, and it’s easy to see why cryptojacking has become a hot new topic in security circles.
Google says it’s removing more malware than ever from its Android app store. But there are indications that the risks have also risen, as hackers see dollar signs in Android users.
Cyber Independent Testing Lab research revealed at ShmooCon shows which browsers have been improving in security the most over the past year—and which has suffered setbacks.
New year, new job? Getting a fresh start means ensuring that you don’t leave any personal data baggage behind. Here’s how to clean up your company-issued devices before turning them in.
The Meltdown and Spectre chip flaw exploits are prompting a deluge of security patches. They might also represent a rude wake-up call to chip designers that speed and energy efficiency aren’t everything.
As sexual-misconduct allegations across industries proliferate, many organizations, including hacker conferences such as CCC, are realizing that they need a better conflict resolution protocol.
Channel those feelings you have about getting hacked in 2017. To better secure your digital life in 2018, make a resolution to follow these seven steps, garnered from how-tos we’ve published this year.
We drill through 2017's cybersecurity news, from election hacks to rampant ransomware attacks, massive data breaches to decried surveillance overreaches, IoT manipulation to cryptocurrency mania causation.
Using a bug bounty payment to conceal extortion or a breach, as Uber did, violated platform policies and Justice Department guidelines. Security experts explain how it also put consumers at risk.
From drones to dishwashers, these connected tech gifts should give you pause this holiday season, experts say. Here’s why—and, if they remain on your list, how to use them more safely.
The vast majority of anti-Net neutrality public comments made to the FCC were sent from stolen email addresses, according to study results. And the implications are serious.
Dismantling FCC Open Internet rules might allow ISPs to mess with privacy and security. But doing so today simply wouldn’t be practical or even profitable, Rob Graham argues.
Petr Svenda, who disclosed a key vulnerability in popular identification chips, says it’s hard for researchers to ensure that devices are secure when just seeing their specs requires an NDA.
At the second Enigma Interviews, we discussed how easy car software is to manipulate—what carmakers are really chasing, as they promote their connectedness.
The sexual advances of the infamous John T. Draper, Captain Crunch, on young men in the hacker community—“inappropriate…and awkward,” sources say—were uninvited and unwelcome.
At Bitcoin Cafe in Prague, on the first floor of a hacker haven, you can buy a brew only with bitcoin or litecoin. We sat down with a Paralelní Polis board member to learn how—and why.
From peer-to-peer apps to debit cards at retail, security experts sort through the myriad ways to make holiday purchases—and explain why Pay apps are the most secure.
The newly announced Blackfish technology is designed to detect a credential-stuffing attack, “see” the stolen username-password combinations being tested, and prevent a successful log-in.
Fingerprints, faces, and other unique physical characteristics make great identifiers, security experts say. But because they’re public and permanent, they don’t make safe authenticators.
The tech in Google’s Advanced Protection Program for high-profile targets is widely available. Here’s how to use a YubiKey to better resist account hacks.
On stage at Structure Security, The Parallax asks Yahoo’s former chief hacker what he learned from his time at Yahoo, why he left, and what other CISOs could glean from his experiences.