Anyone who has a presence on the internet is likely to be suffering from breach fatigue. Data leaks are reported in the headlines on a daily basis, and users can feel so overwhelmed by the sheer number of breaches that they feel there's little they can do to keep ahead of hackers. It can almost feel like a full-time job as you try to determine if...

Vulnerabilities in software used by 200 Vermont municipalities left town employees' Social Security Numbers and other information exposed. Brett Johnson, owner of IT company simpleroute, discovered the flaws after two Vermont towns hired him to do some work for them back in 2017. According to a report in which he wrote about the weaknesses, Johnson...

Technology has advanced to a state where clients now expect a constant stream of updates for their software and applications. To fulfill this demand, developers commonly turn to what’s known as a CI/CD pipeline. As noted by Synopsys, this practice embraces two important software development concepts of today’s streamlined world: Continuous...

Most people do not regard their cybersecurity and privacy documentation as a proactive security measure. On the contrary, many oftentimes view documentation as a passive effort that offers little protection to a company, generally an afterthought that must be addressed to appease compliance efforts. Where documentation may get some much-needed...

Scammers are now using the threat of channel suspension to coerce YouTube content creators into meeting their demands and sending over money. These digital attackers are specifically targeting YouTube's policy infringement system through which users can report a video that they feel violates the video-sharing website's policies for acceptable...

I’m excited to announce that I will be presenting at this year’s Black Hat Asia about my research into detecting and exploiting CBC padding oracles! Zombie POODLE and GOLDENDOODLE are the names I’ve given to the vulnerabilities I’ll be discussing. Similar to ROBOT, DROWN and many other vulnerabilities affecting HTTPS, these issues stem from...

Home design website and community Houzz revealed that a security incident might have exposed some users' personal and account data. On 1 February, Houzz published a security update explaining that it detected the security event in late December 2018. The company didn't provide exact details about how...

For the final book purchase of 2018, members of VERT decided to read "Pentesting Azure Applications: The Definitive Guide to Testing and Securing Deployments," written by Matt Burrough and published by No Starch Press. Matt has spent nearly four years with Microsoft’s Digital Security & Risk Engineering (DSRE) Red Team as a Senior Penetration Tester...

Tripwire's January 2019 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe and Oracle. First on the patch priority list this month are patches for Microsoft's Browser and Scripting Engine. These patches resolve six vulnerabilities, including fixes for Memory Corruption, Elevation of Privilege and Remote Code...

European aerospace corporation Airbus SE has revealed that a digital security incident recently affected some of its computer systems. In a press release published on 30 January, Airbus confirmed that its “Commercial Aircraft business” information systems suffered a security incident. The corporation said that the event did not affect Airbus'...

A federal judge has denied the approval of a proposed $50 million settlement to a class action lawsuit over a data breach at Yahoo. On 28 January, Judge Lucy Koh rejected the settlement in a order submitted to the San Jose division of the U.S. District Court in the Northern District of California....

An undisclosed number of Discover card account holders have learned of a data breach that might have compromised their account information. According to Bleeping Computer, Discover Financial Services first learned of the security incident on 13 August 2018. The American financial services company...

In the last few years, organizations have been subject to extortion through ransomware. Now, hackers are bypassing the nasty business of trying to get people to give them cryptocurrency to simply hijacking your processor to mine for cryptocurrency. As a result, the methods employed are growing in sophistication and creativity, including using...

In May 2017, the Equifax data breach compromised critical credit and identity data for 56 percent of American adults, 15 million UK citizens and 20,000 Canadians. The Ponemon Institute estimates that the total cost to Equifax could approach $600M in direct expenses and fines. That doesn’t include the cost of the security upgrades required to bring...

If you’ve been online recently, you may have read the news about hackers demanding a ransom from Dublin’s tram system. Visitors to the Luas website were greeted by the hackers’ message threatening to publish the stolen information unless they were paid one Bitcoin (approximately 3,300 Euros or US $3,800). While the message itself appeared to be...

A short-lived malvertising campaign leveraged a steganography-based payload to target Mac users with the Shlayer trojan. Named for its use of veryield-malyst[dot]com as one of its ad-serving domains, the "VeryMal" threat actor conducted its malvertising campaign between 11 January 2019 and 13 January 2019. That's not a long time period to remain...

Security researchers are warning of a new wave of phishing emails which are using an unusual disguise in their attempt to both bypass scanners at email gateways and dupe unsuspecting users. The attack arrives in users' inboxes in the form of an email purporting to be a notification about a voice message using subject lines such as "PBX Message," ...

When he issued Executive Order 13800 (EO 13800) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, President Trump’s goal was to highlight that security and public accountability of government officials are foundational pillars while emphasizing the importance of reducing cybersecurity risks to the Nation. In...

The Department of Homeland Security (DHS) has issued an emergency directive that requires federal agencies to mitigate the threat of Domain Name System (DNS) infrastructure tampering. In "Emergency Directive 19-01," DHS explains that it's been working with the Cybersecurity and Infrastructure...

If you have ever heard of the Federal Information Security Management Act, then you are aware of the work done by the National Institute of Standards and Technology. The goal of the Act, not to mention the subsequent documents that resulted from strategies designed around implementing it, led NIST to create works designed to bolster security on the...