igor - Fotolia
Security Bytes
This blog covers topics across the spectrum of security, privacy and compliance, as well as the people and issues driving enterprise infosec today.
Recent Posts
-
Google focuses more on steering the Android ship than righting it
- Senior Reporter 09 May 2019 -
At RSAC 2019, speculative execution threats take a back seat
- News Director 20 Feb 2019 -
Marriott Starwood data breach notification de-values customers
- Senior Technology Editor 17 Dec 2018
Google's security and privacy upgrades to Android are mostly forward-thinking changes, readying for a future that is inevitable but unclear, rather than ways to improve security today.
The Meltdown and Spectre vulnerabilities loomed large last year, but RSAC 2019 will have little fodder on speculative execution threats and side channels attacks.
The Marriott Starwood data breach exposed half a billion customers' data, but the hospitality giant seems to have learned from recent megabreaches that the standard response to a breach can be the ...
-
Are US hacker indictments more than Justice Theater?
- Senior Reporter 30 Nov 2018 -
Breaking down Dell's "potential cybersecurity incident" announcement
- News Director 29 Nov 2018 -
Will cybersecurity safety ever equal air travel safety?
- Senior Technology Editor 29 Nov 2018 -
Android Ecosystem Security Transparency Report is a wary first step
- Senior Reporter 12 Nov 2018 -
Google sets Android security updates rules but enforcement is unclear
- Senior Reporter 26 Oct 2018 -
Mystery around Trend Micro apps still lingers one month later
- News Director 15 Oct 2018 -
FBI, DHS blaming the victims on Remote Desktop Protocol
- Senior Technology Editor 01 Oct 2018
New hacker indictments and U.S.Treasury Department sanctions highlight the disconnect between government action and real world consequences for threat actors.
Dell provided some information about a "potential cybersecurity incident" earlier this month, but it's unclear how the company and customers should be reacting.
Guaranteeing cybersecurity safety is one of the biggest challenges facing the tech industry, but using aviation safety as a model may help achieve that goal.
Reading through Google's first quarterly Android Ecosystem Security Transparency Report feels like a mix of missed opportunities and déjà vu all over again. Much of what is in the new Android ...
The vendor requirements for Android are a strange and mysterious thing but a new leak claims Google has added language to force manufacturers to push more regular Android security updates. ...
The mystery around the Trend Micro apps that were removed from the Mac App Store continues despite Trend Micro's numerous updates on the matter.
FBI, DHS call on users to mitigate Remote Desktop Protocol vulnerabilities and handle RDP exploits on their own, even as the "going dark" campaign continues unabated.
-
What the GAO Report missed about the Equifax data breach
- News Director 14 Sep 2018 -
DHS cybersecurity rhetoric offers contradictions at DEF CON
- Senior Reporter 17 Aug 2018 -
Five things to watch for at Black Hat USA this year
03 Aug 2018 -
How Dropbox dropped the ball with anonymized data
- News Director 27 Jul 2018 -
Is the new California privacy law a domestic GDPR?
- Senior Technology Editor 17 Jul 2018 -
Cyber attribution: Why it won't be easy to stop the blame game
- News Director 29 Jun 2018 -
It's GDPR Day. Let the privacy regulation games begin!
- Senior Technology Editor 30 May 2018 -
Google I/O's security and privacy focus missing on day one
- Senior Reporter 09 May 2018 -
Cybersecurity pervasiveness subsumes all security concerns
- Senior Reporter 03 May 2018 -
Algorithmic discrimination: A coming storm for security?
- News Director 30 Apr 2018 -
GDPR deadline: Keep calm and GDPR on
- Senior Technology Editor 27 Apr 2018 -
CrowdStrike unveils Meltdown exploit in unusual fashion
- News Director 19 Apr 2018 -
FedRAMP security requirements put a premium on automation
- News Director 17 Apr 2018 -
Privacy protections are needed for government overreach, too
- News Director 31 Mar 2018 -
Apple GDPR privacy protection will float everyone's privacy boat
- Senior Technology Editor 30 Mar 2018 -
RSA Conference keynotes miss the point of diversity
- Associate Site Editor 27 Mar 2018 -
Facebook's 2FA bug lands social media giant in hot water
- News Director 23 Feb 2018 -
Symantec's untrusted certificates: How many are still in use?
- News Director 08 Feb 2018 -
Blizzard security flaw should put game developers on notice
- News Director 26 Jan 2018 -
The strange case of the 'HP backdoor' in Lenovo switches
- News Director 18 Jan 2018 -
Intel keynote misses the mark on Meltdown and Spectre vulnerabilities
- News Director 09 Jan 2018 -
Official TLS 1.3 release date: Still waiting, and that's OK
- Senior Technology Editor 29 Dec 2017 -
After 2017, data breach fatigue should be a thing of the past
- News Director 28 Dec 2017 -
OWASP Top Ten: Surviving in the cyber wilderness
- Senior Technology Editor 07 Dec 2017 -
The CASB market is (nearly) gone but not forgotten
- News Director 30 Nov 2017 -
Uber data breach raises unsettling questions for infosec
- News Director 22 Nov 2017 -
The Equation Group malware mystery: Kaspersky offers an explanation
- News Director 31 Oct 2017 -
Is "responsible encryption" the new answer to "going dark"?
- Senior Technology Editor 31 Oct 2017 -
Latest Kaspersky controversy brings new questions, few answers
- News Director 20 Oct 2017 -
FBI's Freese: It's time to stop blaming hacking victims
- News Director 29 Sep 2017 -
DerbyCon cybersecurity conference is unique and troubling
- Senior Reporter 22 Sep 2017 -
Fearmongering around Apple Face ID security announcement
- Senior Reporter 15 Sep 2017 -
Project Treble is another attempt at faster Android updates
- Senior Reporter 23 Aug 2017 -
The Symantec-Google feud can't be swept under the rug
- News Director 08 Aug 2017 -
Symantec certificate authority aims for more delays on browser trust
- Senior Technology Editor 06 Jun 2017 -
Verizon DBIR 2017 loses international contributors
- Senior Reporter 03 May 2017 -
RSA Conference 2017: Are software regulations coming for developers?
- News Director 24 Feb 2017 -
Christopher Young: Don't sleep on the Mirai botnet
- News Director 15 Feb 2017 -
Five things to watch at RSA Conference 2017
- News Director 08 Feb 2017 -
Environment variables: Should they be considered harmful?
21 Jul 2016
The Government Accountability Office investigated the Equifax data breach, but the GAO's report leaves out several important points about the infamous incident.
The Vote Hacking Village at Defcon 26 in Las Vegas was an overwhelming jumble of activity -- a mock vote manipulated, children hacking election results websites, machines being disassembled -- and ...
As Black Hat USA 2018 approaches, we take a quick look at trends in the conference agenda and sessions not to miss.
Dropbox came under fire for sharing anonymized data with academic researchers after questions emerged about how the data was protected and used.
The difference between data privacy protections afforded to European Union residents and people in the U.S. is more sharply highlighted now that the EU's General Data Protection Regulation has ...
Infosec experts have argued that too much focus is put on cyber attribution, but moving away from publicly identifying threat groups and nation-states may be easier said than done.
GDPR Day -- May 25, 2018 -- has passed and enforcement is now accepting complaints against companies violating the terms of the EU's new privacy regulation.
It's fairly easy to find stories sparking security and privacy concerns regarding a Google product or service — Search, Chrome, Android, AdSense and more — but if you watched or attended Google ...
Given the increased digitization of society and explosion of devices generating data (including retail, social media, search, mobile, and the internet of things), it seems like it might have been ...
Following several RSA Conference 2018 talks on machine learning and AI, it's worth asking how algorithmic discrimination might manifest in the infosec industry.
With the GDPR deadline looming, companies may still be scrambling to do "something" about it, but with less than 30 days to go the best move for many may be to wait and watch, and perhaps just ...
At RSA Conference 2018, CrowdStrike demonstrated a new Meltdown exploit that can harvest sensitive data such as passwords even on systems that are patched.
Matt Goodrich, director for the Federal Risk and Authorization Management Program, detailed FedRAMP security requirements and automation at RSA's Cloud Security Alliance Summit.
Following the Facebook-Cambridge Analytica controversy, major tech companies pledged to defend users from corporate data misuse, but they're ignoring a more serious privacy threat.
With its embrace of new tools for protecting consumer privacy, Apple GDPR privacy protection will be available to all users as the EU's new privacy protection legislation is set to start ...
RSA Conference keynotes now include a handful of distinguished women, but very few will be speaking about cybersecurity, falling short of truly equal representation.
Facebook came under fire after a two-factor authentication bug sent non-security notifications to users' phones, sparking a debate about media coverage and 2FA adoption.
A security researcher found that a significant number of popular websites are still using untrusted certificates from Symantec, which will be invalidated this year.
A newly-discovered Blizzard security bug, which affected all of the company's popular PC games including Overwatch, should serve as a warning for the video game industry.
Lenovo's discovery of an authentication bypass, literally titled "HP backdoor," within its networking switches brings unsettling implications for the IT industry.
With CEO Brian Krzanich's keynote at the 2018 Consumer Electronics Show, Intel missed an opportunity for the Meltdown and Spectre vulnerabilities.
Protocol scrutiny is good for the upcoming TLS 1.3 update as the process continues to expose, and fix, problems.
Data breach fatigue should be put on hold after the Equifax data breach and Uber hack taught us painful lessons about enterprise security shortcomings.
The latest version of the OWASP Top Ten web application risks is much like previous versions, and that's not a bad thing at all.
A series of acquisitions have drastically reduced the number of stand-alone cloud access security brokers and reshaped the CASB market for years to come.
The Uber data breach episode is another black eye for the ride sharing company, but the cover up raises troubling implications for the infosec community.
Kaspersky Lab finally explained how it came to possess Equation Group malware, but does the company's latest statement answer enough questions about the ongoing drama?
"Three may keep a Secret, if two of them are dead." So wrote Benjamin Franklin, in Poor Richard's Almanack, in 1735. Franklin knew a thing or two about secrets, as well as about cryptography, given ...
The Kaspersky controversy continued this week as the antivirus company responded to several explosive news stories about its relationship with the Russian government.
The FBI's Don Freese spoke at the (ISC)2 Security Congress this week about the need to end the practice of blaming hacking victims. But will infosec professionals listen?
Walking up to DerbyCon 7.0 cybersecurity conference it immediately has a very different feel from the "major" infosec conferences. Attendees would never be caught loitering outside of the Black Hat ...
As fears grow over government surveillance, the phrase "facial recognition" often triggers a bit of panic in the public, and some commentators are exploiting that fear to overstate any risks ...
Google has historically had a problem with getting mobile device manufacturers to push out Android updates, which has left hundreds of millions in the Android ecosystem at risk. Google hopes that ...
The Symantec-Google feud regarding the antivirus vendor's web certificate practices appears to be over. But that doesn't mean it should be minimized or ignored.
Is the Symantec certificate authority operation too big to fail? That seems to be the message the security giant is sending in its latest response to a proposal from the browser community to turn ...
Looking at the overall numbers for the contributors to the Verizon Data Breach Investigations Report (DBIR) from the past five years, it would seem like the amount of partners is hitting a plateau, ...
Security expert Bruce Schneier said programmers' freedom to code whatever they want will likely come to an end. Should the industry brace itself for software regulations?
RSA Conference 2017 was full of talk about future IoT attacks, but Intel Security's Christopher Young said the Mirai botnet is still an enormous threat and demonstrated why that is.
With no single trend or theme dominating at RSA Conference 2017, this year's show will still have plenty of material on machine learning, IoT security and much more.
In the wake of the httpoxy vulnerability, should environment variables be considered harmful? Perhaps, but they are just so useful.