A new analysis of over 40 popular consumer and enterprise websites revealed that many fail to implement the most basic password security requirements. According to the Password Power Rankings study conducted by Dashlane, a surprising 46 percent of consumer sites have “dangerously lax” password policies, including widely used Dropbox, Netflix and...

British Home Secretary Amber Rudd has been duped into sharing her personal email address with a prankster who has previously embarrassed the likes of Bank of England governor Mark Carney and Barclays boss Jes Staley, as well as Donald Trump Jr and various White House officials. Rudd, who recently courted controversy in the security industry by...

Nationwide and one of its wholly owned subsidiaries have agreed to a $5.5 million settlement for a data breach that occurred in 2012. On 9 August, the Ohio-based insurance corporation along with Allied Property & Casualty Insurance Company agreed to the "Assurance of Voluntary Compliance" (PDF) with 33 Attorneys General of Alaska, Arizona, Arkansas,...

The WannaCry and NotPetya attacks caused disruption on a global scale in the spring and early summer of June 2017. Following those malware campaigns, businesses around the world should have heard the alarms and responded by tightening their security systems in an effort to mitigate against similar attacks in the future. But reality doesn't always...

Well, to start off, Las Vegas is in my view and experience not the best location for all these annual cyber happenings. Prices are going up through the roof—it's just crazy. For example, my hotel cost $3,500 for 10 nights at Caesars Palace, and I paid $50 for a burger with fries and a drink. Really? Or a simple bottle of water for $10? Is that worth...

Sophisticated and coordinated hackers are constantly adapting and using innovative techniques to gain unauthorized access to corporate data. Recently, 48 Office 365 customers experienced exactly this kind of threat where an attacker implemented a new strategy to try to access high-level information. The brute force login attack was unique in that it...

The Federal Trade Commission (FTC) is warning the public to be on the lookout for scams that leverage fake government grants as lures. This type of ruse begins when an individual receives a cold call from someone they don't know. The caller informs them that they have won a grant of $14,000 from the National Institutes of Health (NIH), an agency of...

Containers can be traced back to 1979 with chroot but the advent of Docker has exponentially increased the popularity and usefulness of this technology. Any technology that becomes popular and useful also becomes a target for attacks. Containers are designed to provide isolated environments rather than full virtual machines, but they make great...

I have had the pleasure of working on the latest curriculum for Tripwire University. In that capacity, I've noticed more and more interest around securing cloud environments as our customers and the market continue to move towards cloud technologies. Whether it be customers who are 100% committed to the cloud and moving all of their assets up into...

Today’s VERT Alert addresses the Microsoft August 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-737 on Wednesday, August 9th. In-The-Wild & Disclosed CVEs CVE-2017-8627 The first publicly disclosed vulnerability this month is a denial of service in the Windows Subsystem for Linux....

In 490 B.C. an important battle was fought between the Athenians and the powerful and seemingly unconquerable Persians: The Battle of Marathon. Going it alone, without the help of the Spartans, the Athenian army of about 10,000 men defeated King Darius’ army of about 35,000. Knowledge of the local geography, technological advantage and tactical...

July was relatively slow in terms of ransomware. Some crooks must have been on vacation spending ill-gotten money at deluxe resorts. Well, why not? They sure can afford it. The rest were busy releasing small shoddy strains and reanimating old ones. Here’s what the month looked like in the numbers: 42 new samples went live, 33 existing ones were fine...

The UK government has published a series of new guidelines designed to protect smart cars against hackers and data thieves. The Department for Transport and the Centre for Protection of National Infrastructure (CPNI) created the recommendations so that organizations can use them to build safer, more secure cars as smart technology continues to...

DEF CON 22 was my third DEF CON and the first time ever for the IoT Village and related "SOHOpelessly Broken" contests. That year, I easily won both tracks of the competition with only a handful of hours spent analyzing and hacking routers. As anyone who’s ever attended DEF CON can tell you, there are roughly one billion options for how to spend the...

The developers of Cerber ransomware have equipped their creation with the ability to steal victims' Bitcoin wallet files. Security researchers first discovered Cerber in early 2016. Since then, the crypto-malware family has gone through at least six iterations. It's also sparked a ransomware-as-a-service (RaaS) platform that's raked in upwards of a...

Adventure (ad•ven•ture) / ad-ven-cher / noun: an undertaking usually involving danger and unknown risks; an exciting or remarkable experience; and enterprise involving financial risk. Origin: Old French aventure (noun), based on Latin adventurus ‘about to happen.’ There are many people who have the privilege of saying that they get paid to be...

"Web Developer" is a popular extension that adds various web developer tools to a variety of browsers. Unfortunately, the fact that the Chrome edition of the Web Developer extension has over one million users has also made its author - San Francisco-based Chris Pederick - a target for attack. Yesterday, Pederick had some bad news for his Chrome...

A new trojan leverages a fileless infection chain in that it never saves a file to the machine, thereby making analysis via a sandbox more difficult. It's unclear how the malware, detected by Trend Micro as JS_POWMET, initially arrives on a computer. Users could unknowingly download it from malicious websites. Alternatively, other malware could drop...

The internet is full of personal and business-sensitive information if you know where to look. In a previous post, we detailed our method of collecting Open Source Intelligence (OSINT) by “scraping” the content posted to public websites where stolen information is regularly released by hackers. That post focused on email and password combinations ...

With Black Hat 2017 and DEFCON rapidly receding into the desert sunset, I am left with a couple of thoughts after several days on the show floor talking to customers: 1. Wow! So many fidget spinners – cheap ones, expensive ones, plastic, metal, ones that lit up, ones that didn’t, and ones that were supposed to, but didn’t. The go-to schwag for...