Security researchers have uncovered a zero-day deserialization vulnerability that allows for arbitrary code execution in 55% of Android devices. For their presentation at USENIX WOOT '15, researchers Or Peles and Roee Hay at IBM Security explain that their vulnerability (CVE-2015-3825) can be exploited in the context of many apps and can be used to...

Noise is a problem. As information security practitioners, we've been dealing with the problem of the signal-to-noise ratio for a long time. The solution hasn't really changed, but the landscape certainly has. Ultimately, what drives noise down and elevates signal is, context. For his presentation at Black Hat USA, Travis Smith, a fellow Tripwirian,...

The 18th annual Black Hat USA conference gathered thousands of professionals, researchers and enthusiasts to discuss not only the industry’s current trends and threats but also what we, as a community, can do to improve the security of ourselves, and of those around us. With over 100 briefings to choose from, this year’s presentations discussed a...

Attackers are exploiting the hack of adulterer website Ashley Madison to disseminate spam and malware across the web. In July, Brian Krebs reported that a group of hackers known as The Impact Team had released some sensitive internal data stolen from Avid Life Media (ALM), a Toronto-based company that owns Ashley Madison as well as other hookup...

Back in December of 2014, The State of Security first reported on the story of Ercan "Segate" Findikoglu, a 33-year-old Turkish man who is accused of having stolen over $60 million as part of a number of card heists in the United States. At the time of our reporting, Germany had denied Findikoglu's extradition to the United States based upon...

A Business Email Compromise (BEC) scam has resulted in a $39.1 million loss for Ubiquiti Networks, an American technology company that manufactures wireless networking products. On August 6th, Ubiquiti Networks issued a press release summarizing the results of its fourth fiscal quarter of 2015, which ended on June 30, 2015. The company reveals in...

ICANN, the organisation which oversees the internet's domain name system, regulating web addresses and working with registrars around the world, has revealed that it has fallen victim to a hacker attack during which the details of users who had created profiles on the organisation's public website were exposed. Email addresses (which act as...

A security firm has released the results of an experiment that used a honeypot script named "GasPot" to determine the security threats facing gas tanks. These results were announced by Trend Micro researcher Kyle Wilhoit and Industrial Control Systems (ICS) expert Stephen Hilt during their presentation for Black Hat 2015, "The Little Pump Gauge that...

Today was another successful day at BSides Las Vegas, with more intriguing presentations and an amped up crowd ready to hear from security researchers, engineers, analysts and catalysts alike. Although there were numerous interesting topics to choose from, my time only permitted for about a half-day of sessions. Luckily, many of the presenters noted...

Malware is one of the most dangerous classes of computer threats facing users today, and as a risk category, it is growing in sophistication. First, malware is now more difficult to detect. In an effort to stay one step ahead of security researchers, authors of malicious software are integrating evasion techniques, including environmental awareness...

Fiat Chrysler and Harman International, the maker of the Uconnect dashboard computer, have been slammed with a class-action lawsuit after two security researchers successfully exploited a vulnerability in uConnect to hijack a 2014 Jeep. As reported in The State of Security's July 24th security roundup, researchers Chris Valasek and Charlie Miller...

RFID is one of those ubiquitous technologies showing up everywhere from contactless payment cards to the neighborhood swimming pool. Some of these technologies offer appropriate security controls but many applications still use legacy technology that is easily subverted by an attacker. Back in 2013, data from HID Global indicated that 70-80% of...

This year’s BSides in sunny Las Vegas, Nevada, is off to an amazing start, with an overwhelming crowd and a great lineup of presentations from some of the industry’s brightest – and most inspiring – professionals. In the biggest BSides LV event yet, hundreds of attendees gathered at the Tuscany bright and early – eagerly waiting to hear from experts...

A true zero day, such as the recent vulnerability affecting Apple’s DYLD_PRINT_TO_FILE variable that an adware installer is said to be exploiting in the wild, is called that because it comes without warning, because by the time you know about it, you have already been compromised. They're expensive; they are the domain of nation states and the most...

A security researcher has found the first known exploit of a zero-day vulnerability affecting Apple's DYLD_PRINT_TO_FILE variable in the wild. The vulnerability, which was first found by researcher Stefan Esser in July, involves the addition of DYLD_PRINT_TO_FILE as a new environment variable to the dynamic linker dyld. As of this writing, this...

To quote Lewis Carrol, from Alice's Adventures in Wonderland: 'Would you tell me, please, which way I ought to go from here?' 'That depends a good deal on where you want to get to,' said the Cat. 'I don't much care where —' said Alice. 'Then it doesn't matter which way you go,' said the Cat It might sound like a relaxing way to go through life,...

There is a horrible prank that has been in circulation for the last few years whereby a person calls a local police department and reports a terrible crime in progress at a remote address, usually the address of an enemy. Using telephone number spoofing techniques, the call appears to originate from the home of the pranking victim. The police often...

Our new weekly security roundup series covers the week’s trending topics in the world of information security. In this compilation, we’ll let you know of the latest announcements, reports and controversies that the industry has been talking about recently. Here’s what you don’t want to miss from the week of July 27, 2015: A major password-reset...

Black Hat USA – one of the most anticipated security events of the year, and recently ranked among our top information security conferences – returns to Las Vegas this August for its 18th year. With an expected 9,000 attendees, this year's conference will offer over 100 briefings on the latest and most innovative security research from industry...

"Honey... Did you make sure you locked the basement door and activated the security system? I can't wait to get to the Big Rock Campground, the kids are going to love the waterslide..." Sound familiar? The majority of new homes today have some sort of physical security system protecting the property while the family is away, but are these security...