Resources

Blog

VERT Vuln School – SQL Injection 101

SQL injection is arguably the most severe problem web applications face. OWASP, an online community devoted to web application security, consistently classifies injection vulnerabilities as number one on their OWASP Top 10 Project. SQL injection vulnerabilities are a favorite amongst a number of “hactivist” groups whose aim is to cause disruption in...
Blog

Managing Cyber Risks and Budgets

According to the 2015 Information Security Breaches Survey, 44 percent of both large and small organizations increased their security expenditure in 2015 compared with 53 percent and 27 percent in 2014, respectively. Despite the increase in expenditure, however, 90 percent of large organizations and 74 percent of small organizations reported that...
Blog

15 Million T-Mobile Customers' Information Exposed in Experian Hack

Hackers have compromised the personal information of 15 million T-Mobile customers after successfully infiltrating one of Experian's servers. John Legere, CEO of T-Mobile, has published a letter about the incident: "We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The...
Blog

Homo Sapiens and the Human Equation of Ethics

I recall engaging into a conversation with a fellow security professional this year on the subject of where the CISO role should reside and to whom they should report.My opponent’s opinion was very much contrary to my own, vocalising the value of the CISO having full alignment with the main board and the company executive.I, on the other hand, feel...
Blog

Targeted Security Risk Assessments Using NIST Guidelines

What a whirlwind the past few months have been for data security, breaches and hacking events. From the Wyndham v. FTC ruling to yet another breach by a BCBS affiliate, there is increasing pressure across the information security industry to push organizations to perform those pesky security risk assessments touted by the National Institute of...
Blog

Russian AV Firm Firebombed for Malware Report

A Russian antivirus (AV) firm was firebombed back in 2014 as a result of a report it published on a particular malware sample. On December 18, 2013, the AV company Doctor Web published a news item announcing that Trojan.Skimmer.18 had been added to the company's virus database. Later that same day, the company received a threatening email presumably...
Blog

Post Office Email Scams Target Denmark, Drop Crypt0l0cker Ransomware

The post office email scam is a time-tested method of attack among malicious actors. Indeed, when users see that they have received an email from an actor purporting to be their local post office, most of them buy into the familiarity of this governmental institution and click on a link without taking the time to inspect the sender address....
Blog

Thousands of Medical Systems Exposed to Web Attacks, Find Researchers

Two security researchers uncovered thousands of medical systems exposed online that are vulnerable to web attacks. On Saturday, September 26, researchers Scott Erven and Mark Collao presented their findings at Derby Con 5.0 in a presentation entitled "Medical Devices: Pwnage and Honeypots." "We know medical devices are exposed to the Internet both...
Blog

Securing the Smart Home (and Office)

Today, a segment will air on Crime Watch Daily where Tripwire Senior Security Researcher Craig Young and I reveal on camera how vulnerable smart homes can be when not properly secured. We show firsthand that the key weaknesses in most smart homes are a combination of insecure networks and default configurations, including systems that installers may...
Blog

GreenDispenser ATM malware found in the wild, stealing cash from banks

Banks have another security headache on their hands, as ATM-infecting malware is becoming increasingly sophisticated in its attempt to help criminals audaciously empty out cash machines on the high street on demand, without having to have previously stolen the payment cards of legitimate customers. Dubbed GreenDispenser by researchers at Proofpoint,...
Blog

US Navy Develops New System to Protect Ships Against Cyber Attacks

The United States Navy has announced it is currently working on developing a new system aimed at protecting its ships from pervasive Internet attacks, often leading to network spying and confidential data theft. Codenamed the Resilient Hull, Mechanical, and Electrical Security (RHIMES) system, the Office of Naval Research (ONR) revealed the enhanced...
Blog

Hackers Have Stolen Almost Six Million US Government Fingerprints

The Office of Personnel Management (OPM) has revealed in a statement that when hackers breached its systems earlier this year they made away with approximately 5.6 million fingerprints - a significant increase from the 1.1 million previously reported. As is now well known, in addition to fingerprint data being stolen the Social Security numbers,...
Blog

It's 2AM – Do You Know Who Your Smartphone is Talking to?

Our smartphones know everything about us – who our friends are, where we have been, our financial details, our health information and other intimate details of our lives. But can we trust our phones to keep these our personal information secret? One of the biggest security and privacy challenges of smartphones are the very apps we install on them...