Resources

Blog

Radiation Isn’t the Only Risk Associated with Medical Imaging Devices

As a patient moves down the small, loud tunnel of an MRI tube, CT scan, or other high-powered radiology device, it’s safe to assume they believe the diagnostic benefits outweigh the risk of radiation exposure (and a possible claustrophobia-induced panic attack). In fact, only after understanding – and accepting – these risks is a patient permitted...
Blog

YAPBS – Yet Another Password Breach Scam

Back in July, I wrote about the sextortion scam that had been circulating for a while. A new wave was spreading, and I’d seen multiple people talking about it on my Facebook, so I figured putting pen to paper (I suppose today that is fingers to keyboard) made sense. Today, my aunt reached out to share the latest scam email she's received, one that I...
Blog

How Vulnerable Is the Presidential Alert System?

Thanks to a new notification service launched by the United States government in 2018, the President now has the power to issue alerts to every citizen with a working cell phone. The technology for this service, known as the Wireless Emergency Alerts (WEA) system, has been around for a number of years and has been implemented for events like Amber...
Blog

Tripwire Patch Priority Index for October 2018

Tripwire's October 2018 Patch Priority Index (PPI) brings together the top vulnerabilities from libssh, Microsoft and Oracle. First on the patch priority list this month is an authentication bypass vulnerability in libssh. This vulnerability can be exploited remotely, and exploit code has recently been added to Metasploit. Next are patches for...
Blog

Redefining the Meaning of Operational Risk

The definition of "operational risk" is variable but it generally covers the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. I, however, want to re-examine this general definition, so that the definition of operational risk takes into account all the cybersecurity-related risks that...
Blog

Police Raid Illegal Call Centers Linked to CRA Phone Scam

There have been many scams that have utilized the phone system to gain access to funds or personal information from hardworking individuals. One of the most prevalent scams that seems to persist in both Canada and the United States is the tax agency scam. The Canada Revenue Agency (CRA) and the Internal Revenue Agency (IRS) were both victims of...
Blog

Kraken Ransomware Now Being Distributed by Fallout Exploit Kit

Kraken ransomware recently added the Fallout exploit kit as another means of reaching users and encrypting their information. Working with the Insikt group from Recorded Future, the McAfee Advanced Threat Research team found evidence that the authors of the ransomware had asked those behind Fallout to be added to the exploit kit. Fallout's...
Blog

5 Types of Malware Currently Affecting macOS

Mac malware, or macOS malware, exists contrary to the popular belief that Apple’s operating system is immune to online threats. Cybersecurity researchers have been closely observing the threat landscape only to conclude that malware infections targeting Mac devices have increased in 2018. Is Apple Losing Its Grip? According to statistics, Mac...
Blog

Women in Information Security: Claire Reckless

Last time, I had the opportunity to talk to Toronto’s own Jennifer Fernick. Somehow, she juggles graduate computer science studies with taking care of a bank’s cybersecurity. I couldn’t do that! This time, I had the honour of speaking with software tester Claire Reckless. Testing an application’s security and functionality is a vital cybersecurity...
Blog

The Masquerade Ball: Train Yourself to Detect Spoofed Files

Masquerading is a technique in which a file is maliciously given a name similar to one that may be trusted. This specific technique is outlined in detail in the MITRE ATT&CK framework, as well. For example, a file named explorer.exe may seem more benign than one called explor3r.exe. However, file names may not be so easy to spot like...
Blog

5 Insights From the 2018 Verizon DBIR

The 2018 Data Breach Investigations Report digs deep into data-driven findings about the state of global cybersecurity across a number of industries that include manufacturing, healthcare, financial and public administration. Verizon’s 11th annual report revealed the trends behind 53,000 cybersecurity incidents and 2,216 confirmed data breaches. As...
Blog

If Firm Implies Secure, Does That Imply My Firmware Is Secure?

Has there ever been a time in your life when you asked, “How does that work”? In the early days of computing, we learned that BIOS stood for “Basic Input Output (instruction) Set.” It is a set of nonvolatile instructions that dictate how a hardware system should function at startup. I remember my first experiences interacting with BIOS. I...
Blog

DevOps Days – PDX 2018 Review

I had the opportunity to go to my local DevOps Days this year – DevOps PDX. If you've never been, and this was my first time attending, I highly recommend finding the next one closest to you and going. When I say closest to you, it's quite likely there will be one in a city nearby. Aside from the wonderful content, community and interactions, DevOps...