Category Archives: Nicholas Weaver

Why CISA is Warning CISOs About a Breach at Sisense

Posted on by

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening. Continue reading Why CISA is Warning CISOs About a Breach at Sisense

Juniper Support Portal Exposed Customer Device Info

Posted on by

Until earlier this week, the support website for networking equipment vendor Juniper Networks was exposing potentially sensitive information tied to customer products, including the exact devices each customer bought, as well as each device’s warranty status, service contracts and serial numbers. Juniper said it has since fixed the problem, and that the inadvertent data exposure stemmed from a recent upgrade to its support portal. Continue reading Juniper Support Portal Exposed Customer Device Info

LastPass: ‘Horse Gone Barn Bolted’ is Strong Password

Posted on by

The password manager service LastPass is now forcing some of its users to pick longer master passwords. LastPass says the changes are needed to ensure all customers are protected by their latest security improvements. But critics say the move is little more than a public relations stunt that will do nothing to help countless early adopters whose password vaults were exposed in a 2022 breach at LastPass. Continue reading LastPass: ‘Horse Gone Barn Bolted’ is Strong Password

Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

Posted on by

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults. Continue reading Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

Barracuda Urges Replacing — Not Patching — Its Email Security Gateways

Posted on by

It’s not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware — as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes. Continue reading Barracuda Urges Replacing — Not Patching — Its Email Security Gateways

Hackers Claim They Breached T-Mobile More Than 100 Times in 2022

Posted on by

Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device. Continue reading Hackers Claim They Breached T-Mobile More Than 100 Times in 2022

Battle with Bots Prompts Mass Purge of Amazon, Apple Employee Accounts on LinkedIn

Posted on by

On October 10, 2022, there were 576,562 LinkedIn accounts that listed their current employer as Apple Inc. The next day, half of those profiles no longer existed. A similarly dramatic drop in the number of LinkedIn profiles claiming employment at Amazon comes as LinkedIn is struggling to combat a significant uptick in the creation of fake employee accounts that pair AI-generated profile photos with text lifted from legitimate users. Continue reading Battle with Bots Prompts Mass Purge of Amazon, Apple Employee Accounts on LinkedIn

Experian, You Have Some Explaining to Do

Posted on by

Twice in the past month KrebsOnSecurity has heard from readers who’ve had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim’s personal information and a different email address. Continue reading Experian, You Have Some Explaining to Do

DEA Investigating Breach of Law Enforcement Data Portal

Posted on by

The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets. Continue reading DEA Investigating Breach of Law Enforcement Data Portal

Your Phone May Soon Replace Many of Your Passwords

Posted on by

Apple, Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but caution that a true passwordless future may still be years away for most websites. Continue reading Your Phone May Soon Replace Many of Your Passwords