I’m pleased to announce that next month, I will be offering the two-day training series A Guided Tour of Embedded Software Hacks at Shakacon X as well as at Black Hat USA in August. As a reminder, I will also be back at SecTor with reloaded material for a one-day Brainwashing Embedded Systems advanced class aimed at students who have already...

UPDATE 05/06/18: Booking.com sent over the following statement in an email: Security and the protection of our partner and customer data is a top priority at Booking.com. Not only do we handle all personal data in line with the highest technical standards, but we are continuously innovating our processes and systems to ensure robust security on our...

While stories of international espionage and government-sponsored hack attacks may captivate public attention, cyber security threats that originate from inside an organization pose a remarkably large threat. In fact, research suggests that insider threats account for anywhere from 60 to 75 percent of data breaches. Insider threats can range from...

Imagine you're sitting on your couch relaxing on a Sunday afternoon when your smart device alerts you that you are having a heart attack or that you have gone into renal failure. You jump up, head to the ER and spend hours on test after test only to discover that nothing's wrong with you. So, what happened? Bad actors hacked your device, a type of...

If you're a U.S. taxpayer, you've likely heard how Tax Day 2018 was uniquely rocky for the Internal Revenue Service (IRS). A series of technical problems prevented the IRS from processing tax returns filed electronically on 17 April. The agency rebooted its systems and restored them later that night, but it nevertheless extended the deadline for...

The Hack the DTS bug bounty program uncovered dozens of vulnerabilities in the Defense Travel System serving the Department of Defense. On 30 May, vulnerability coordination platform HackerOne revealed the results of Hack the DTS. Nineteen trusted security researchers participated in the 29-day program and submitted 100 vulnerability reports over...

The world is full of first responders. You may not realize it, but you will know someone who is a first responder. Typically, one would associate a first responder with the three main emergency professions: Ambulance, Police and Fire. Within the Ambulance profession, that person who is first on the scene to deliver medical assistance to a poorly...

Tripwire's May 2018 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft and Adobe. First on the patch priority list this month are patches for Microsoft Browsers and Scripting Engine. The patches for Internet Explorer resolve a security feature bypass vulnerability and the patches for Edge resolve memory corruption,...

An insurance software provider exposed clients' sensitive data that it had stored on an Amazon Simple Storage Solution (S3) bucket. Andrew Lech, founder of AgentRun, confirmed the breach in an email sent out to the insurance agency management software company's clients. As quoted by ZDNet: We were migrating to this bucket during an application...

It's been a full year since the new administration issued its first cyber executive order, “Presidential Executive Order (EO) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” with an emphasis on leadership accountability and a risk management approach to cybersecurity strategies, policies and practices. The EO...

As blockchain technology becomes an increasingly popular option for companies searching for secure business solutions, we’re seeing more use cases for the network and smart contracts. A smart contract is a computer protocol that is used to digitally facilitate, verify and enforce the performance of credible transactions without the need for a third...

Fraudsters contacted two Canadian banks claiming they stole tens of thousands of customers' personal and account information. Simplii Financial, the direct banking brand for the Canadian Imperial Bank of Commerce (CIBC), disclosed on 28 May that fraudsters had contacted CIBC a day earlier and claimed...

Last time, I had the honor of speaking with Veronica of DFIRLABS. She’s a self-described cyborg who got into cybersecurity early and has a passion for reverse engineering code. This time, I got to speak with Anna Westelius. Not only is she a web security specialist; she also has experience with Linux driver development. What do Anna and I have in...

I had the opportunity to attend the Knowledge18 conference this past week, and from the registration to closing, I’ve never been to a show that's had so much energy. Knowledge18 staff would start the morning with a DJ playing music and with the staff energetically greeting attendees/sponsors while moving to the music. The Tripwire booth also had...

At least half a million routers and storage devices in dozens of countries around the world have been infected by a sophisticated botnet, in preparation for an alleged planned cyber attack on Ukraine. The botnet, which has been given the rather unglamorous name of VPNFilter, is believed to be likely to be controlled by a state-sponsored hacking...

Mozilla announced the rollout of two-step verification (2SV) as an optional security feature for all Firefox user accounts. The engineers at Mozilla Foundation designed the feature without support for SMS-based codes. They likely did so for the same reasons as Twitter when it moved away from this form of verification in December 2017. Criminals...

If breaches to electronic health record systems continue at their current pace, each and every American can expect their private medical data to be compromised at least once by 2024. Once adversaries obtain a patient’s health information (PHI), they can sell it to the highest bidder—leaving targets vulnerable to all manner of fraud and theft....

Regular readers of The State of Security should now have a general understanding of why organizations need security for their containers. But they still might be a bit fuzzy on the specifics. In particular, they might still be unclear on the types of threats they need to address as well as the container areas that are most at risk. This knowledge is...

The Information Commissioner's Office (ICO) fined the University of Greenwich £120,000 for a "serious" security breach of personal data. On 21 May, the United Kingdom's Information Commissioner announced the fine. It's the first time the ICO has levied such a penalty against a university under the...