Resources

Blog

2018 VERT IoT Hack Lab Training

I’m pleased to announce that next month, I will be offering the two-day training series A Guided Tour of Embedded Software Hacks at Shakacon X as well as at Black Hat USA in August. As a reminder, I will also be back at SecTor with reloaded material for a one-day Brainwashing Embedded Systems advanced class aimed at students who have already...
Blog

Scammers Targeting Booking.com Users with Phishing Messages

UPDATE 05/06/18: Booking.com sent over the following statement in an email: Security and the protection of our partner and customer data is a top priority at Booking.com. Not only do we handle all personal data in line with the highest technical standards, but we are continuously innovating our processes and systems to ensure robust security on our...
Blog

How to Protect Your Organization From Within

While stories of international espionage and government-sponsored hack attacks may captivate public attention, cyber security threats that originate from inside an organization pose a remarkably large threat. In fact, research suggests that insider threats account for anywhere from 60 to 75 percent of data breaches. Insider threats can range from...
Blog

The Future of Nano IoT Security

Imagine you're sitting on your couch relaxing on a Sunday afternoon when your smart device alerts you that you are having a heart attack or that you have gone into renal failure. You jump up, head to the ER and spend hours on test after test only to discover that nothing's wrong with you. So, what happened? Bad actors hacked your device, a type of...
Blog

Lagging Legacy Systems: How Federal Agencies Are Tackling Old IT

If you're a U.S. taxpayer, you've likely heard how Tax Day 2018 was uniquely rocky for the Internal Revenue Service (IRS). A series of technical problems prevented the IRS from processing tax returns filed electronically on 17 April. The agency rebooted its systems and restored them later that night, but it nevertheless extended the deadline for...
Blog

Dozens of Vulnerabilities Found Under Hack the DTS Bug Bounty Program

The Hack the DTS bug bounty program uncovered dozens of vulnerabilities in the Defense Travel System serving the Department of Defense. On 30 May, vulnerability coordination platform HackerOne revealed the results of Hack the DTS. Nineteen trusted security researchers participated in the 29-day program and submitted 100 vulnerability reports over...
Blog

Tripwire Patch Priority Index for May 2018

Tripwire's May 2018 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft and Adobe. First on the patch priority list this month are patches for Microsoft Browsers and Scripting Engine. The patches for Internet Explorer resolve a security feature bypass vulnerability and the patches for Edge resolve memory corruption,...
Blog

Insurance Software Provider Exposed Clients' Data Stored on S3 Bucket

An insurance software provider exposed clients' sensitive data that it had stored on an Amazon Simple Storage Solution (S3) bucket. Andrew Lech, founder of AgentRun, confirmed the breach in an email sent out to the insurance agency management software company's clients. As quoted by ZDNet: We were migrating to this bucket during an application...
Blog

The State of ICS: One Year Into the Cyber Executive Order

It's been a full year since the new administration issued its first cyber executive order, “Presidential Executive Order (EO) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” with an emphasis on leadership accountability and a risk management approach to cybersecurity strategies, policies and practices. The EO...
Blog

Women in Information Security: Anna Westelius

Last time, I had the honor of speaking with Veronica of DFIRLABS. She’s a self-described cyborg who got into cybersecurity early and has a passion for reverse engineering code. This time, I got to speak with Anna Westelius. Not only is she a web security specialist; she also has experience with Linux driver development. What do Anna and I have in...
Blog

Knowledge18 - Can You Prevent the Breach?

I had the opportunity to attend the Knowledge18 conference this past week, and from the registration to closing, I’ve never been to a show that's had so much energy. Knowledge18 staff would start the morning with a DJ playing music and with the staff energetically greeting attendees/sponsors while moving to the music. The Tripwire booth also had...
Blog

VPNFilter botnet has hacked 500,000 routers. Reboot and patch now!

At least half a million routers and storage devices in dozens of countries around the world have been infected by a sophisticated botnet, in preparation for an alleged planned cyber attack on Ukraine. The botnet, which has been given the rather unglamorous name of VPNFilter, is believed to be likely to be controlled by a state-sponsored hacking...
Blog

Why You Need to Master the Basics – A Three Step Campaign

When I was growing up, my father enrolled me in martial arts at an early age. I liked everything about it. I liked the friends I made, I liked the sense of achievement getting the next belt, I liked breaking boards, but more than anything, I liked to fight. Furthermore, I liked to win. The first school I enrolled in, it wasn’t long until I was promoted to yellow belt. It was your typical “pay to...
Blog

Mozilla Rolls Out Two-Step Verification for Firefox Accounts

Mozilla announced the rollout of two-step verification (2SV) as an optional security feature for all Firefox user accounts. The engineers at Mozilla Foundation designed the feature without support for SMS-based codes. They likely did so for the same reasons as Twitter when it moved away from this form of verification in December 2017. Criminals...