Resources

Blog

Yahoo Bug Bounty Program Awards $1 Million to Security Researchers

Yahoo announced that it has paid security researchers one million dollars as part of its bug bounty program. According to a post written by Ramses Martinez, Senior Director and Interim CISO at Yahoo, the company's bug bounty program, which The State of Security named one of our 11 Essential Bug Bounty Programs in 2015, has shown significant growth...
Blog

Sweet Security: Deploying a Defensive Raspberry Pi

The hardware used in both the Internet of Things (IoT) and Industrial Control Systems (ICS) have many similarities; both often involve older systems incapable of running detection tools or monitoring agents due to outdated operating systems, resource limitations, proprietary systems and odd protocols such as Modbus and DNP3, amongst other...
Blog

Phishing Up 74% in Q2 2015, Reveals Infoblox DNS Threat Index

The Domain Name System (DNS) is a hierarchical system that assigns names to computers, resources and services connected to the web. It is responsible for relating information associated with each Internet-based entity to a domain name. As such, DNS is an essential tool for organizing the web. In the wrong hands, however, it can be used to create...
Blog

Apple Patches 'High' Input Validation Vulnerability in iTunes, App Store

Apple has patched an application-side input validation web vulnerability in iTunes and the App Store that allowed attackers to inject malicious code into user invoices. The vulnerability received a 'High' severity level and a CVSS rating of 5.8. It allows for session hijacking, persistent phishing attacks, and other malicious activities. Benjamin...
Blog

Landing a Hands-On Security Gig – Part 2

In Part 1, I discussed several important elements to landing a hands-on security gig, including passion and having the skills to pay the bills. Now, I’ll continue to guide you through various other essentials that could impact your career. Tools vs. Knowledge A good security analyst understands how various tools work, along with how to run the...
Blog

How to bust keyboard biometrics, and why you might want to

We all know that there's a problem with passwords. Most internet users are careless when choosing passwords - either re-using the same passwords they've used elsewhere or making them too easy to crack. And if they're not guilty of that mistake, there's always the chance that their computers are infected with spyware watching their keystrokes and...
Blog

Darkode Underground Web Forum Resurfaces Just Two Weeks After Takedown

Darkode, one of approximately 800 underground web forums, has resurfaced just two weeks after international law enforcement shut the site down. The takedown, known as "Operation Shrouded Horizon," began two years ago under the auspices of the Federal Bureau of Investigation's office in Pittsburgh, Pennsylvania. It eventually expanded to include...
Blog

Planned Parenthood Website Compromised by Political Hacking Group

A politically motivated hacking group who calls themselves 3301, appears to have compromised the website of Planned Parenthood. The politically motivated attack appears to have taken advantage of a vulnerability in an outdated version the Concrete5 website content management system. The group was not able to access the file system and the compromise...
Blog

Landing a Hands-On Security Gig - Part 1

I have been involved in the hiring process for our Security Operations Center (SOC) for about a year and a half. Throughout this time, I have reviewed resumes, conducted phone screens, and participated in the technical interviewing process. I have been both dumbfounded by the audacity of some individuals and amazed by the sheer awesomeness of rising...
Blog

Five Men Arrested in Connection with the 2014 JPMorgan Hack

In August of 2014, it was reported that a group of hackers had exploited a vulnerability in the websites of JPMorgan. After breaking into the company’s network, the attackers then allegedly staged additional attacks that were custom-made to JPMorgan’s servers, which gained them access to internal systems on which customer account data was stored. Several months later, investigators revealed that...
Blog

What Businesses Can Learn From the OPM Security Breach

The security breach that hit the U.S. Office of Personnel Management (OPM) has many people demanding answers as to how something so egregious could happen at such an important office. Some reports indicate that as many as 35 million federal employees’ records were exposed in the cyber attack, with some of the data coming from as far back as 35 years...
Blog

This Week in Security: AshleyMadison, Hacked Jeeps and Zero-Days

Welcome to our new blog series, covering the week’s trending topics in the world of information security. In this quick news roundup, we’ll let you know of the latest research, reports and discussions that the industry has been talking about recently. Here’s what you don't want to miss from the week of July 24, 2015: Adultery website...
Blog

Why Companies Are Still Unprepared for the EMV Transition

While the national transition to Europay, MasterCard and Visa, known as EMV or “Chip and PIN,” is well underway, a recent study found that as many as 42 percent of companies have either taken no steps or are unaware of any progress being made to meet the October 1, 2015, deadline. The EMV readiness study conducted by Randstad Technologies, which...
Blog

The Four 'C's' of a Nigerian Payment Diversion Scam

419 scams are one of the oldest and most common tricks used by fraudsters to extort money from online users. These schemes promise victims a large sum of money in exchange for a small upfront payment. In this sense, ploys, such as the Nigerian Prince scam, resemble social engineering attacks to the extent that they rely less on the expertise of the...
Blog

Password Brute Force Attacks Threaten Millions of App Users

In September of 2014, private photos of a number of celebrities, including Kate Upton and Jennifer Lawrence, were leaked onto the image-based bulletin board 4chan. It was soon discovered that this leak occurred as a result of a brute force attack against Apple's iCloud, which until then had not limited the number of login attempts for each user...
Blog

Corporate Espionage Risk Management For Financial Institutions

In the financial industry, business success and sustainability depends on the health of information systems. Damage to a firm’s information systems can tarnish its reputation, compromise its data, as well as result in legal fines and penalties. Large firms often depend on thousands of such systems interconnected via the internet, which raises a...
Blog

DEF CON 23 Preview: Confessions of a Professional Cyber Stalker

I am honored to be presenting at DEF CON 23 this August in Las Vegas where I will be presenting a session titled “Confessions of a Professional Cyber Stalker." In my talk, I will be discussing various technologies and methods I developed and used to track criminals leading to at least two dozen convictions. Many times in the process of recovering...
Blog

Escalation of Commitment Part 2: Three Possible Scenarios

Following from a recent post on ‘Escalation of Commitment’, a topic studied by both Economists and Psychologist, I could not resist writing a follow-up to explore the consequences for third parties that do not have the preparation and/or resources of the parties involved in scenarios of escalation of commitment in the IT security field. In the...