*UPDATE: Padcheck source is now available on GitHub: https://github.com/Tripwire/padcheck* Since August, I’ve spent countless hours studying CBC padding oracle attacks toward the development of a new scan tool called padcheck. Using this tool, I was able to identify thousands of popular domains which could be targeted by an active network adversary ...

This post is one in a series of posts describing TLS CBC padding oracles I have identified on popular web sites. The other posts in this series include an overview of CBC padding oracles, a walkthrough of how I came to develop a new CBC padding oracle scanner, and a write-up on the Zombie POODLE attack. GOLDENDOODLE is the name I’ve given for...

A parking garage used by employees of the Canadian Internet Registration Authority (CIRA) suffered a ransomware infection. At the end of their morning commute on 27 March, employees of CIRA arrived at a parking garage maintained by Precise Parklink. The garage typically uses Precise Parklink's "Automated Parking Revenue Control System" to verify...

Taiwan-based technology giant ASUS is advising concerned customers to run a newly-created diagnostic tool on their Windows computers after hackers pushed out malware to what some security researchers have estimated to be as many as one million PCs using ASUS's own Live Update software tool. As Motherboard reported earlier this week, researchers at...

A popular web browser's hidden ability poses a serious risk to more than 500 million Google Play users and their Android devices. Malware analysts at Doctor Web recently observed that UC Browser, a web browser developed by the Alibaba-owned Chinese mobile Internet company UCWeb, can secretly download and execute new libraries and modules from third...

It’s a turbulent time in geopolitics today, and activity in the geopolitical landscape inevitably intertwines with increased cyber activity across borders. Reports of nation-state attacks are on the rise. Attacks on U.S. energy infrastructure, NotPetya, the Sony breach and the WannaCry global outbreak have all recently been attributed to nation...

This is now my third year of interviewing women in information security for Tripwire’s The State of Security. My experience has been amazing so far. I have learned so much from so many people – a few of whom were transgender and one nonbinary. In response to this diversity of viewpoints, I decided to rename my spring 2019 series to be more inclusive...

The U.S. Federal Emergency Management Agency (FEMA) improperly shared the personally identifiable information (PII) of 2.3 million hurricane and disaster survivors with a contractor. The Department of Homeland Security's Office of Inspector General (DHS OIG) detected FEMA's violation while auditing...

When Shelley published his famous poem in 1816, he was telling us that the only constant in life is change. This was not a new concept, even then. Heraclitus proposed the same concept around 500 BCE with ‘Panta rhei’ (Life is Flux or everything changes). Even though we all know and understand this ancient concept, people still have difficulty with...

Welcome to Tripwire Patch Insanity! Comprised of 26 vulnerabilities divided into two conferences and four divisions, the goal of this tournament is to declare which named vulnerability is king of Patch Insanity! The original list of named vulnerabilities was taken from Hanno Böck’s named vulnerabilities repo. Any entries that did not have published...

A county government in North Carolina has suffered a ransomware infection for the third time in the past six years. According to a statement published on its website, the Orange County government observed on 18 March that a virus had infected its network. It responded by shutting down all servers,...

Even the most tech savvy companies in the world can fall for business email compromise. A Lithuanian man has this week pleaded guilty to tricking Google and Facebook into transferring over $100 million into a bank account under his control after posing as a company that provided the internet giants with hardware for their data centers. Fifty-year...

A data breach remains a common headline in the news cycle. A different company, website or social network reports a security issue almost daily. If it feels like using the internet has become a risky endeavor, the feeling is accurate. But what exactly classifies an event as a data breach? The world wide web is littered with different security gaps...

It wasn’t a very long time ago when cloud computing was a niche field that only the most advanced organizations were dabbling with. Now the cloud is very much the mainstream, and it is rare to find a business that uses IT that doesn’t rely on it for a part of its infrastructure. But if you're going to add cloud services to your company, you will...

An ongoing phishing campaign code-named "Bad Tidings" has been targeting several Kingdom of Saudi Arabia government agencies for years. Researchers at Anomali Labs first detected the Bad Tidings campaign back in November 2016. Since then, the operation has targeted four government agencies in Saudi Arabia: the Ministry of Labor and Social...

Extortionists have launched a new sextortion scam campaign that leverages a fake Central Intelligence Agency (CIA) investigation to try to scare users. In an email I obtained from a wary user, the scammers pose as a fake CIA technical collection officer named Roxana Mackay. This character claims in the email that she's found the user's personal...

Return on investment: is it worth the money? That is the central question in deciding on any procurement. Demonstrating ROI on cybersecurity products is notoriously difficult and is one of the underlying reasons for the poor state of our nation’s cybersecurity posture. Ah, but here’s the rub: showing tangible ROI on cybersecurity products is...

I have been on the receiving end of many vendor security assessments from customers and prospects. Here are some tips to increase the likelihood that you’ll get a timely, usable response to the next vendor security assessment that you send out. Understand what data you will be providing One size doesn’t fit all. The level of attention and...

“The best defense is a good offense.” History credits Revolutionary War hero George Washington with being among the first to vocalize this concept, later famously echoed by heavyweight boxing champ Jack Dempsey and football god Vince Lombardi. And it’s easy to see what they mean. The idea is that being proactive—going on the offense instead of...

A spam campaign is using two recent crashes involving Boeing 737 Max aircraft to distribute malware to unsuspecting users. Discovered by 360 Threat Intelligence Center, a research division of 360 Enterprise Security Group, the campaign sends out attack emails that come from "[email protected]" with the subject line "Fwd: Airlines plane crash Boeing 737...