Five billion-dollar companies in two months... the past and the future
DotSec · 2026-06-04 · via Discover

Skimming malware was found on the sites owned by multi-billion dollar companies. Don't worry about what data it stole: What is worrying is how it got the data out!

Planning for a breach you might not see

Now, before we start, it’s worth noting that the first few paragraphs below might make you tempted to file this article under "e-commerce problem" or "old news" and just move on. But if you keep reading you’ll see that would be a mistake. OK, let’s go!

In March, researchers at the Dutch security firm Sansec found a payment skimmer on the online store of a car maker with revenues north of US$100 billion. Skimmers can be a bit ho-hum; but this one wasn't! Instead of sending stolen card data over the usual web requests, it used WebRTC, the peer-to-peer protocol browsers use for video calls.

That choice mattered, because the site's Content Security Policy (CSP), the control most organisations rely on to stop scripts talking to unauthorised servers, does not govern WebRTC. Nor will conventional web application firewalls, which are designed to guard the inbound HTTP path; the WebRTC connection runs outbound, browser to attacker, over a protocol the WAF was never in a position to inspect. That's a different kettle of slippery fish entirely!

The tactic changes; the gap does not

The interesting thing about the March attack is not WebRTC itself, because exfiltration over a "legitimate" channel is an old category of problem, not a novelty. WebRTC was (in March) simply one of the newer data-exit doors.

And here’s why it’s not old news: In the weeks since that Sansec-reported attack, attackers have run developer supply-chain malware over WebRTC nodes, and researchers showed an AI sandbox could be tricked into leaking documents over DNS when its HTTP path was blocked. And that is worth dwelling on, because it tells you something about where to spend money for greatest effect.

Chasing channels, WebRTC or otherwise, is a race the defender cannot win, because prevention controls only cover what they were told about in advance. The only path to success is, perversely, to assume failure: Assume that something will eventually run and send data where it shouldn't, and to be confident that if (when) it does, we'll be able to see it happen, no matter what the exfiltration channel.

And that means we spend our money on strategies like:

  • Integrity monitoring on sensitive pages, and,
  • Anomaly detection on what leaves your network.

The questions that we can then answer are:

  • "Did this page/site change from what we published?", and,
  • "Is data leaving over a channel that is abnormal for our system?"

Those questions can, with planning, be answered without knowing the attacker's method in advance.
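The two questions above can be turned into routine checks. What follows is an added example, not code from DotSec or from the article, showing a minimal form of both: a script inventory that answers "did this page change from what we published?" and an egress baseline that answers "is data leaving over a channel that is abnormal for this host?". The page HTML, the flow-log format (`timestamp src dst proto port bytes`), the hosts, the addresses and the volume factor are all constructed assumptions; the point is that neither check needs to know the attacker's channel beforehand, so a new WebRTC door or a DNS tunnel surfaces the same way.

```python
"""Added example (not from the article): integrity and egress checks that
work without knowing the exfiltration channel in advance.
All page content and flow records below are constructed sample data."""
import hashlib
import re

# --- 1. Page integrity: "Did this page change from what we published?" ---

TAG_RE = re.compile(r"<script\b(?P<attrs>[^>]*)>(?P<body>.*?)</script>",
                    re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def script_inventory(html):
    """Describe every script on a page: external scripts by their src URL,
    inline scripts by the SHA-256 of their body."""
    items = set()
    for m in TAG_RE.finditer(html):
        src = SRC_RE.search(m.group("attrs"))
        if src:
            items.add(("src", src.group(1)))
        else:
            body = m.group("body").strip().encode()
            items.add(("inline", hashlib.sha256(body).hexdigest()))
    return items


def check_page_integrity(published_html, fetched_html):
    """Return (added, removed): scripts on the live page that were not in the
    published baseline, and baseline scripts that have vanished."""
    baseline = script_inventory(published_html)
    current = script_inventory(fetched_html)
    return current - baseline, baseline - current


# Constructed checkout page as recorded at publish time.
PUBLISHED_CHECKOUT = """<html><head>
<script src="https://cdn.example.com/checkout.js"></script>
<script>window.cfg = {currency: "AUD"};</script>
</head><body><form id="pay"></form></body></html>"""

# Constructed: the same page with one inline script that was never published.
TAMPERED_CHECKOUT = PUBLISHED_CHECKOUT.replace(
    "</head>",
    "<script>/* constructed: not in the published baseline */ var x = 1;</script></head>")

# --- 2. Egress anomalies: "Is data leaving over an abnormal channel?" ---

VOLUME_FACTOR = 10  # assumption: a flow 10x larger than any known-good flow on that channel is suspicious


def parse_flow(line):
    """Parse one constructed flow-log line: 'ts src dst proto port bytes'."""
    ts, src, dst, proto, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "port": int(port), "bytes": int(nbytes)}


def build_baseline(lines):
    """Per source host: the (proto, port) channels seen during a known-good
    period and the largest single flow observed on each."""
    baseline = {}
    for f in map(parse_flow, lines):
        chans = baseline.setdefault(f["src"], {})
        key = (f["proto"], f["port"])
        chans[key] = max(chans.get(key, 0), f["bytes"])
    return baseline


def egress_anomalies(baseline, lines):
    """Flag flows on a channel never seen for that host ('new-channel') or on a
    known channel but far larger than anything in the baseline ('volume')."""
    findings = []
    for f in map(parse_flow, lines):
        chans = baseline.get(f["src"], {})
        key = (f["proto"], f["port"])
        if key not in chans:
            findings.append((f, "new-channel"))
        elif f["bytes"] > VOLUME_FACTOR * chans[key]:
            findings.append((f, "volume"))
    return findings


# Constructed known-good week: DNS to the internal resolver, HTTPS to partners.
BASELINE_FLOWS = [
    "2026-06-01T09:00:01 10.0.2.17 10.0.0.53 udp 53 180",
    "2026-06-01T09:00:02 10.0.2.17 203.0.113.10 tcp 443 52000",
    "2026-06-01T09:05:00 10.0.2.17 10.0.0.53 udp 53 210",
    "2026-06-01T09:06:00 10.0.2.17 198.51.100.7 tcp 443 8100",
]

# Constructed new day: two normal flows, one never-seen UDP channel on the
# STUN/TURN port WebRTC peers use, and one oversized DNS flow.
NEW_FLOWS = [
    "2026-06-02T10:00:01 10.0.2.17 10.0.0.53 udp 53 190",
    "2026-06-02T10:00:05 10.0.2.17 203.0.113.10 tcp 443 61000",
    "2026-06-02T10:01:00 10.0.2.17 192.0.2.44 udp 3478 412000",
    "2026-06-02T10:02:00 10.0.2.17 10.0.0.53 udp 53 9400",
]

if __name__ == "__main__":
    added, removed = check_page_integrity(PUBLISHED_CHECKOUT, TAMPERED_CHECKOUT)
    print("scripts added:", added, "removed:", removed)
    for flow, reason in egress_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(reason, flow["proto"], flow["port"], flow["dst"], flow["bytes"])
```

Run against real data, the integrity check fetches the live page (ideally from outside your own network, as a customer would) and diffs it against the inventory saved at deploy time; the egress check reads the firewall or NetFlow export instead of the constructed lines. Neither routine mentions WebRTC, DNS or any other named channel, which is the property the article is arguing for: the alert fires on "not what we published" and "not how this host normally talks", whatever the attacker chose.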

The legal turn

Here is where it stops being a technical preference and becomes a question of legal exposure.

In February 2026, the Federal Court ordered FIIG Securities to pay $2.5 million in civil penalties for contravening section 912A of the Corporations Act over a four-year period. It was the first civil penalty for cyber security failures under the general financial services licensee obligations.

The detail that matters for everyone, regulated or not, is what the Court was careful to say: The mere fact of a successful cyberattack does not by itself mean an organisation failed its obligations. In fact, Justice Derrington was explicit in noting that preventing every attack is all but impossible.

The finding against FIIG was not that it was breached. It was that it had not maintained adequate risk-management and monitoring systems, and had not consistently implemented the controls its own policies required. The duty the Court enforced was not "be impenetrable." It was "manage the risk and be able to detect and account for what happens." That is the same distinction the WebRTC story illustrates from the technical side: Prevention may eventually fail, and if it does, it is increasingly likely that the courts (or insurers, or other interested parties) will ask whether there were strategies in place to identify the failure and respond to it.

The principle is not confined to financial services. As several firms analysing the judgment noted, the inadequacies were treated as failures of general statutory duty, building on the earlier ASIC v RI Advice decision, not breaches of a bespoke cyber standard. Layered on top are the Notifiable Data Breaches scheme and the recent privacy reforms, under which an organisation that cannot tell what was taken faces the worst of both worlds: A notification obligation it cannot properly discharge, and no evidence that it did the reasonable things beforehand.

We continue to contend that it remains cheaper, and far more manageable, to spend your own money on your own terms than to have the bill set by an attacker and a court. Whether it's taking cardholder data or medical records, the skimmer whose activities you cannot see is increasingly likely to result in the breach that's much harder (both technically and legally) to defend.