Fuzz testing is one of the most powerful tools in the bug hunter’s toolset. At a basic level, fuzzing is the art of repeatedly processing crafted test inputs while checking for ill-effects, such as memory corruptions or information disclosures. One of the main advantages of fuzz testing is that it works 24x7 without a break and with no need for...

Developers today recognize the importance of secure software development. Indeed, security was one of the key topics at this month's DeveloperWeek conference in San Francisco. This level of focus should be applauded. At the same time, however, we must recognize that planning for secure software development is not the same thing as implementing it....

A hospital located in Southern California has paid $17,000 for the restoration of its system following a ransomware attack. News first broke last week about how staff at the Hollywood Presbyterian Medical Center began noticing issues in the hospital's IT system in early February. The Center decided to temporarily suspend its computer system, which...

Since the Middle Ages, chess has been used to teach strategic and tactical concepts to military leaders. For the same reasons, chess can be a great tool for today’s security leaders. We’re going to take a look at the parallels between chess and security in a series of blog posts. In Part 1, we will consider the specific elements that make up the...

In today's interconnected world, computer crime knows no age requirements. People of all ages are capable of committing malicious acts online. That includes teenagers. For example, in October 2015, a teenager allegedly breached the email account of CIA Director John Brennan. UK authorities now believe that they have arrested that same individual,...

Apple has contested a court order requiring it to create an iOS backdoor that would assist an FBI investigation into last year' San Bernardino shooting. On December 2nd, Syed Rizwan Farook and his wife killed 14 people and injured 22 others at a holiday luncheon for Farook's coworkers. The couple was...

There’s so much doom and gloom in the security industry because of ransomware. And yet, occasional success stories inspire us to fight back. Last time we wrote about ten ransomware recovery cases. New ransom Trojan variants have surfaced ever since, including the one dubbed HydraCrypt. The operators of TeslaCrypt campaign pulled off defiant attacks...

Active Directory should be the single source of truth for user and account management. With Windows Server system penetration, it is surprising to note that a significant majority of Microsoft customers do not extend their user management processes into the Active Directory. This is a world where your employees are granted accounts on partners or...

Security researchers are warning owners of Android smartphones about a new malware attack, spreading via SMS text messages. As the team at Scandinavian security group CSIS describes, malware known as MazarBOT is being distributed via SMS in Denmark and is likely to also be encountered in other countries. Victims' first encounter with the malware...

Research reveals that attackers exploited a vulnerability that allowed them to drain $103,000 out of password-protected Bitcoin wallets. Security researcher Ryan Castellucci first presented on the vulnerability at DEF CON, one of Tripwire's top 10 conferences in information security. The flaw affects...

One advantage of running a small boutique consultancy is I get to steer the business activity towards subjects I personally find interesting. Throughout my career, I have always been fascinated with frauds and that is where my focus normally lies. It’s that magic-like performance for me that has a very similar feeling to the showmanship of great...

Cisco has patched a 'critical' buffer overflow vulnerability affecting the Internet Key Exchange (IKE) implementation in Cisco ASA. On Wednesday, the multinational technology company published a security advisory for CVE-2016-1287. First discovered and reported by researchers at Exodus Intelligence, the vulnerability could lead to a complete...

Security researchers have identified a new phishing scam that is targeting customers of the popular accommodation booking site Airbnb. Christopher Boyd, a malware intelligence analyst at Malwarebytes, says he recently discovered an email phishing campaign impersonating the company and redirecting users to a fake Airbnb login page in an attempt to...

In today's ever-evolving world, the PC is no longer the sole endpoint found on organizations' networks. It is joined by the likes of servers and point-of-sale terminals (PoS), endpoint devices which are contributing to a growing complexity of modern IT environments. Such change demands that IT professionals rethink their organizations' endpoint...

Sometimes things would be better if people didn't keep their word. Take hackers, for instance. Hackers using the online handle "DotGovs" published information about 9,000 Department of Homeland Security (DHS) workers earlier this week after stealing it from the Department of Justice's intranet. Many of us probably hoped that DotGovs couldn't be...

Another change of the seasons is upon us. An interesting correlation is that these quarterly seasonal changes also follow the password change schedule in use in many organizations. If you work in an office, you probably receive a notice to change your password every 90 days. The odd correlation of requiring a password change every 90 days in a...

Security incidents pose a real threat to industrial networks. In 2014 alone, organizations in the energy, utilities, industrial, and oil and gas sectors encountered 245 unique industrial control system (ICS) incidents, with more than 800 security advisories published that same year. To make matters even more daunting, only a fraction of those events...

Week after week and year after year penetration tests are performed against companies and we continue to find the same things. Do you really want to hire that pentest company to come in and tell you the obvious? You could get better value from your tester if you take some simple steps to prepare before they start their assessment, not to mention you...

Today’s VERT Alert addresses 13 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-656 on Wednesday, February 10th. Ease of Use (published exploits) to Risk Table Automated Exploit ...

The Obama administration has announced its intention to appoint the United States' first ever federal chief information security officer (CISO). On Tuesday, the President is expected to roll out a budget of $19 billion for federal information security spending. That budget, which marks a 35 percent increase over last year's allotment of $14 billion,...