Five billion-dollar companies in two months... the past and the future
DotSec · 2026-06-04 · via Discover

Skimming malware was found on the sites owned by multi-billion dollar companies. Don't worry about what data it stole: What is worrying is how it got the data out!


Planning for a breach you might not see

Before we start: the first few paragraphs below might tempt you to file this article under "e-commerce problem" or "old news" and move on. Keep reading and you'll see that would be a mistake. OK, let's go!

In March, researchers at the Dutch security firm Sansec found a payment skimmer on the online store of a car maker with revenues north of US$100 billion. Skimmers can be a bit ho-hum; but this one wasn't! Instead of sending stolen card data over the usual web requests, it used WebRTC, the peer-to-peer protocol suite that browsers use for video calls and data channels.

That choice mattered, because the site's Content Security Policy (CSP), the control most organisations rely on to stop page scripts talking to unauthorised servers, does not govern WebRTC: the `connect-src` directive restricts where fetch, XMLHttpRequest and WebSocket connections may go, but a data channel opened with `RTCPeerConnection` is not subject to it. (CSP Level 3 defines a `webrtc 'block'` directive, but browser support is limited, so it cannot be relied on as a control.) Nor will a conventional web application firewall help: it sits in front of the origin to inspect inbound HTTP, while the skimmer's connection runs outbound from the customer's browser straight to attacker infrastructure, over a protocol the WAF cannot inspect and on a path it never sits on. That's a different kettle of slippery fish entirely!

The tactic changes; the gap does not

The interesting thing about the March attack is not WebRTC itself: exfiltration over a "legitimate" channel is an old category of problem, not a novelty. In March, WebRTC was simply one of the newer exit doors for data.

And here's why it's not old news: in the weeks since that Sansec-reported attack, attackers have run developer supply-chain malware over WebRTC nodes, and researchers showed that an AI sandbox could be tricked into leaking documents over DNS once its HTTP path was blocked. That is worth dwelling on, because it tells you something about where to spend money for greatest effect.
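The DNS case above is a useful one to make concrete, because data tunnelled out in query names has a recognisable shape regardless of what produced it. The following is an added example, not DotSec's code and not taken from the sandbox research or the Sansec report: it scores resolver log lines per registrable domain on the fraction of never-repeated subdomains, their average length and their character entropy, and flags domains where all three are high. The log format, the sample lines, the thresholds and the two-label domain split are assumptions made for the example.

```python
"""Flag DNS exfiltration candidates in resolver logs.

Added example for this article; the log format, sample lines and
thresholds are constructed here and are not taken from any product,
the Sansec report or the AI-sandbox research the text mentions.
"""
import math
import re
from collections import defaultdict

# Constructed log format (assumption): "<epoch> <client_ip> <qtype> <qname>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample: routine lookups from two clients, then a burst of
# one-off, long, high-entropy labels under a single domain, which is the
# shape of data being tunnelled out in query names.
SAMPLE_LOG = """
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 A www.example.com
1700000002 10.0.0.6 A cdn.example.com
1700000003 10.0.0.6 A api.example.com
1700000004 10.0.0.5 A www.example.com
1700000005 10.0.0.6 AAAA www.example.com
1700000010 10.0.0.7 A a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.t.example.net
1700000011 10.0.0.7 A q7w8e9r0t1y2u3i4o5p6a7s8d9f0g1h2.t.example.net
1700000012 10.0.0.7 A z9x8c7v6b5n4m3l2k1j0h9g8f7d6s5a4.t.example.net
1700000013 10.0.0.7 A p0o9i8u7y6t5r4e3w2q1l2k3j4h5g6f7.t.example.net
1700000014 10.0.0.7 A m1n2b3v4c5x6z7a8s9d0f1g2h3j4k5l6.t.example.net
1700000015 10.0.0.7 A k6j5h4g3f2d1s0a9p8o7i6u5y4t3r2e1.t.example.net
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split a query name into (subdomain, registrable domain).

    Assumption: the last two labels are the registrable domain. Production
    code should consult the Public Suffix List (co.uk, com.au, ...)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (epoch, client, qtype, qname) for each well-formed line."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            yield int(ts), client, qtype, qname


def score_domains(log_text: str, min_queries=5, min_unique_ratio=0.8,
                  min_avg_len=20, min_avg_entropy=3.0):
    """Return domains whose query-name pattern looks like tunnelled data."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0,
                                 "entropy": 0.0, "clients": set()})
    for _ts, client, _qtype, qname in parse_log(log_text):
        sub, domain = split_name(qname)
        st = stats[domain]
        st["queries"] += 1
        st["subs"].add(sub)
        st["len"] += len(sub)
        st["entropy"] += shannon_entropy(sub.replace(".", ""))
        st["clients"].add(client)
    findings = []
    for domain, st in stats.items():
        n = st["queries"]
        if n < min_queries:
            continue
        unique_ratio = len(st["subs"]) / n   # 1.0 means no label ever repeats
        avg_len = st["len"] / n
        avg_entropy = st["entropy"] / n
        if (unique_ratio >= min_unique_ratio and avg_len >= min_avg_len
                and avg_entropy >= min_avg_entropy):
            findings.append({"domain": domain, "queries": n,
                             "unique_ratio": round(unique_ratio, 2),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_entropy, 2),
                             "clients": sorted(st["clients"])})
    return sorted(findings, key=lambda f: -f["queries"])


if __name__ == "__main__":
    for finding in score_domains(SAMPLE_LOG):
        print(finding)
```

On the sample, only `example.net` is reported; `example.com` sees the same three subdomains repeated, which is what ordinary traffic looks like. Tune the thresholds against your own resolver logs before alerting on them: CDNs and some telemetry services legitimately generate long, unique labels, so an allow-list of known domains is usually needed alongside the scoring.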

Chasing channels, WebRTC or otherwise, is a race the defender cannot win, because prevention controls only cover what they were told about in advance. The only path to success is, perversely, to assume failure: assume that something will eventually run and send data where it shouldn't, and make sure that if (when) it does, you will see it happen, whatever the exfiltration channel.

And that means we spend our money on strategies like:

  • Integrity monitoring on sensitive pages, and,
  • Anomaly detection on what leaves your network.

The questions that we can then answer are:

  • "Did this page/site change from what we published?", and,
  • "Is data leaving over a channel that is abnormal for our system?"

Those questions can, with planning, be answered without knowing the attacker's method in advance.
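The first of those questions, "did this page change from what we published?", can be answered without knowing anything about the skimmer. Below is an added example, not DotSec's code: it builds an inventory of every `<script>` on a page (external scripts by URL, inline scripts by SHA-256 of their body), diffs it against a baseline captured at publish time, and separately reports external scripts served from hosts outside an allow-list or lacking Subresource Integrity. The two HTML documents, the `shop.example` and `static.example.net` hosts and the placeholder integrity value are constructed for the example.

```python
"""Detect unexpected script changes on a published page.

Added example for this article. The HTML pages, hosts and the
integrity placeholder are constructed here and are not from the
incident described in the text.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: what the checkout page looked like when published.
BASELINE_HTML = """<!doctype html>
<html><head>
<script src="https://shop.example/static/app.js" integrity="sha384-CONSTRUCTED"></script>
<script>window.shopConfig = {"currency": "AUD", "checkout": "/checkout"};</script>
</head><body><form id="checkout"></form></body></html>"""

# Same page with two additions that were never published: an inline script
# and an external script from a host outside the allow-list, without SRI.
TAMPERED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script>document.addEventListener("submit", function (e) { /* constructed placeholder */ });</script>\n'
    '<script src="https://static.example.net/analytics.js"></script>\n</head>')


class ScriptInventory(HTMLParser):
    """Collect every <script>: external ones by src, inline ones by hash."""

    def __init__(self):
        super().__init__()
        self.entries = []
        self._in_script = False
        self._attrs = {}
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._attrs = dict(attrs)
            self._buf = []

    def handle_data(self, data):
        if self._in_script:          # script bodies arrive here as raw text
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or not self._in_script:
            return
        self._in_script = False
        src = self._attrs.get("src")
        if src:
            self.entries.append({"kind": "external", "id": src,
                                 "sri": bool(self._attrs.get("integrity"))})
        else:
            body = "".join(self._buf).strip()
            if body:
                digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
                self.entries.append({"kind": "inline", "id": digest, "sri": None})


def inventory(html: str):
    """Return the list of script entries found in the page."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.entries


def diff_inventory(baseline, current):
    """Scripts present now but not at publish time, and vice versa."""
    base_ids = {(e["kind"], e["id"]) for e in baseline}
    cur_ids = {(e["kind"], e["id"]) for e in current}
    return {"added": sorted(cur_ids - base_ids),
            "removed": sorted(base_ids - cur_ids)}


def unexpected_hosts(entries, allowed_hosts):
    """External scripts served from a host that is not on the allow-list."""
    out = []
    for e in entries:
        if e["kind"] != "external":
            continue
        host = urlparse(e["id"]).hostname
        if host and host not in allowed_hosts:
            out.append(e["id"])
    return out


def missing_sri(entries):
    """External scripts without an integrity attribute."""
    return [e["id"] for e in entries if e["kind"] == "external" and not e["sri"]]


if __name__ == "__main__":
    base, cur = inventory(BASELINE_HTML), inventory(TAMPERED_HTML)
    print(diff_inventory(base, cur))
    print("unexpected hosts:", unexpected_hosts(cur, {"shop.example"}))
    print("no SRI:", missing_sri(cur))
```

Two caveats for anyone running this for real. A static inventory only sees what is in the served HTML; skimmers are frequently loaded at runtime by another script, or injected client-side, so production monitors fetch the page through a headless browser as a customer would and inventory the scripts that actually executed. And a diff tells you that something changed, not what it does; the point of the control is that you learn about the change on the day, rather than from a card brand months later.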

The legal turn

Here is where it stops being a technical preference and becomes a question of legal exposure.

In February 2026, the Federal Court of Australia ordered FIIG Securities to pay $2.5 million in civil penalties for contravening section 912A of the Corporations Act over a four-year period. It was the first civil penalty for cyber security failures imposed under the general obligations of financial services licensees.

The detail that matters for everyone, regulated or not, is what the Court was careful to say: the mere fact of a successful cyberattack does not by itself mean an organisation failed its obligations. Justice Derrington was explicit that preventing every attack is all but impossible.

The finding against FIIG was not that it was breached. It was that it had not maintained adequate risk-management and monitoring systems, and had not consistently implemented the controls its own policies required. The duty the Court enforced was not "be impenetrable"; it was "manage the risk, and be able to detect and account for what happens." That is the same distinction the WebRTC story illustrates from the technical side: prevention will eventually fail, and when it does, the courts (or insurers, or other interested parties) are increasingly likely to ask whether there were strategies in place to identify the failure and respond to it.

The principle is not confined to financial services. As several firms analysing the judgment noted, the inadequacies were treated as failures of a general statutory duty, building on the earlier ASIC v RI Advice decision, not as breaches of a bespoke cyber standard. Layered on top are the Notifiable Data Breaches scheme and the recent privacy reforms, under which an organisation that cannot tell what was taken faces the worst of both worlds: a notification obligation it cannot properly discharge, and no evidence that it did the reasonable things beforehand.

We continue to contend that it is cheaper, and far more manageable, to spend your own money on your own terms than to have the bill set by an attacker and a court. Whether it takes cardholder data or medical records, the skimmer whose activity you cannot see is the one most likely to produce the breach that is hardest, both technically and legally, to defend.