
Co-Founder and Director, K12 Security Information eXchange (K12 SIX), the ISAC of the U.S. K-12 (primary/secondary) education community. Focused on helping to prevent and mitigate education cyber incidents at scale.

30+ years experience - exclusively with non-profits - at intersection of education, public policy, research, and technology.

#edtech #oer #education #edusec #infosec #threatintel

Website: https://www.k12six.org
Twitter: https://fedified.com/@douglevin
LinkedIn: https://www.linkedin.com/in/douglaslevin/
Location: Inside the Beltway
Any folks with cybersecurity experience ALSO familiar with the LTI standard? https://www.1edtech.org/standards/lti I'm at the edge of my technical knowledge, and would love to confirm/disabuse myself of a hunch re: Instructure statements about the Canvas incident. #edtech #LTI

Serious question for infosec colleagues. Is it expected and/or reasonable for a company to require an NDA to review SOC 2 or other security documentation they publicly claim to have?
28 years ago today, 7 members of the hacking group @L0pht told the U.S. Senate they could "shut down the internet in 30 minutes." Happy #L0phtDay

We somehow went from "script kiddies are bad" to giving any random office worker the power to launch hundreds of programs that will hammer unknown servers across the web to make mediocre power point presentations.

Not to mention the massive usage spikes that are now hitting public software and data repositories.

What a world.

Sign up (or RSS!) for my weekly cybersecurity newsletter https://this.weekinsecurity.com for all the cyber news from the week that you need to know but might've missed. Parsed and hand-written by me, and no email open or link traffic, because privacy! Out Sundays.

My site also features an online archive of my weekly newsletters dating back to 2018, documenting 7+ years of cybersecurity news for anyone to read.

I also regularly blog analysis for subscribers. 👀

~this week in security~

a weekly cybersecurity newsletter by Zack Whittaker, plus articles and more.


On a call with an edu vendor, seeking to reassure me that they have strong security practices.

"We use CrowdStrike and KnowBe4 and have brought our click rate down in phishing tests from 20% to 4%," they said.

Don't think they grokked that their flex didn't quite land the way it was intended.

they paid a ransom to criminals with nothing but a pinky promise they wouldn’t do more crimes and yet this linkedin notification makes it sound like they entered into a strategic partnership to deliver value for their customers
@karlnelson Against all odds, I am starting to believe that DCU is actually turning around

If anyone is bored this weekend - and wants to help the edu sector out in the wake of the Canvas LMS attacks - take a gander at the recently implemented and forthcoming security patches in Canvas LMS and see what you might glean. Instructure - the company that was attacked - has provided scant technical details on how initial access and exfil happened - and as a result customers (schools and universities) are left unsure as to how to trust the software or what mitigations to put in place.

Instructure has said the attack was "carried out...by exploiting an issue related to our Free-For-Teacher accounts" https://www.instructure.com/incident_update

Precautionary UX changes made by Instructure in response https://community.instructure.com/en/discussion/666044/incident-change-log-for-may-2026

Instructure Enforcements, Deprecations, and Breaking Changes (which contain some upcoming security related changes): https://community.instructure.com/en/kb/articles/664261-instructure-enforcements-deprecations-and-breaking-changes

May be other threads to pull; this is being actively worked on by many.

Thank you!

#edtech #Instructure #Canvas cc/ @funnymonkey @PogoWasRight

Security Incident Update & FAQs

Instructure
Instructure has posted an FAQ about the ongoing Canvas LMS cyber incident https://www.instructure.com/incident_update #edtech #canvas #instructure #edusec