Industrial Control Systems (ICS) are the technology workhorses responsible for powering the electric grid and utilities, water treatment plants, oil and gas production, food and beverage manufacturing, and transportation systems, among many others. Our society relies on these systems more than we know to keep life running smoothly. ...

Two security researchers have demonstrated how attackers can steal unsuspecting users' payment card data via a PIN pad. On Wednesday, researchers Nir Valtman and Patrick Watson of NCR Corp described to an audience at Black Hat USA 2016 how an attacker can extract cardholder data from intercepted...

Good samaritans and skinflints beware! Plugging in that USB stick you found lying around on the street outside your office could lead to a security breach. This is no secret, of course. We have all (hopefully) been aware of the dangers of inserting an unknown USB device into our computers for some time. Heck, the technique has even made it into the...

There is never a dull moment for compliance and security. Case in point, amidst a brewing storm of regulation, version 3.2 of the Payment Card Industry Data Security Standards (PCI DSS) announced in late spring articulates good data security intent along with controversy. PCI has been around since 2006, and aims to protect payment data for consumers...

Authorities have arrested a Nigerian mastermind scammer for leading an international criminal network's efforts to steal $60 million from its victims. INTERPOL arrested the 40-year-old Nigerian national, known as "Mike," in June 2016 after law enforcement officers received a report containing actionable intelligence from Trend Micro, a strategic...

Wireless routers designed for consumers often do not employ proper security practices. This topic was extensively covered in VERT’s 2014 report, “SOHO Wireless Router (In)security.” Our research revealed that 74% of the 50 top-selling consumer routers on Amazon shipped with security vulnerabilities, including 20 different models where the latest...

Embedded devices on enterprise networks make attractive targets for hackers because they provide potential footholds. These systems perform a variety of functions, often involving sensitive data or control of critical systems. Network gear, printers, storage appliances and other equipment generally do not have end-point protection installed, making...

First, security professionals should understand that people’s resources are limited. Moreover, people tend to struggle with making effective decisions when they are tired. To test the validity of this argument, psychologists designed an experiment in which they divided participants into two groups. The first group was asked to memorise a two-digit...

Disney Consumer Products and Interactive Media has confirmed a data breach that affected some users of its Playdom forums. A spokesperson for the business segment of the Walt Disney Company explains in a statement that security teams detected the incident back in July: "On July 12, 2016, we became aware that an unauthorized party gained access to...

In today’s vulnerability market, vendors want to squeeze every ounce of publicity out of their security researchers. As a result, responsible disclosure often falls by the wayside. The same is true of independent researchers in search of their 15 minutes of fame. A fatal flaw in a major product is akin to Kennedy’s dream of landing a man on the moon...

Think of a word that sparks an emotion in you. It could be as simple as “shoes,” which makes my wife smile every time, or it could be a dark and foreboding word. Certain words trigger an emotional—sometimes visceral—response. For me, one of those words is “breach.” In a recent post about the Department of Health and Human Services’ (HHS)...

It is becoming more and more evident that cybersecurity is one of the focal points regarding security risks in the twenty-first century for all organisations. It is understandable that almost every organisation which has access to any kind of computing devices will be at risk and will probably experience harmful cyber incidents. Hackers, whether...

There is no silver bullet in security awareness. What I mean by that is there is not a right or wrong way to teach people about cyber security. Just like any other type of education, you must surround yourself with it. You cannot expect to show a once-a-year "death by Powerpoint" presentation and have your staff become cyber experts. This is...

Mobile devices are rapidly becoming the primary need of any user. Ease of use, portability, user-friendly GUI, robust computing, a wide variety of applications... all of these features makes a mobile device much more compelling than a normal computer. However, mobile phones are becoming more of a security concern, and organizations need to consider...

With the 2016 Olympic Games opening on August 5, hundreds of thousands of tourists will soon be traveling to Rio de Janeiro, Brazil. Although major international events like the Summer Olympics boost tourism and economic transactions, they also present lucrative opportunities for cybercriminals. Rio visitors and Olympic travelers alike have been...

When it comes to the Internet of Things and security, it seems individuals and organizations keep making the same fatal mistakes – over and over again – because we continuously see it as a technology problem. It’s not. It’s a business strategy failure. Whether it’s insecure hospital devices, hackable power grids, or lethal connected cars, the same...

It was just after 6pm on December 23, 2013, and Lennon Ray Brown, a computer engineer at the Citibank Regents Campus in Irving, Texas, was out for revenge. Earlier in the day, Brown - who was responsible for the bank's IT systems - had attended a work performance review with his supervisor. It hadn't gone well. Brown was now a ticking time bomb...

I’m working with a couple of organizations faced with NIST 800-171 compliance. The first is a small manufacturing company doing business with a prime contractor. The second is a tribal business unit with federal contracts. Both must be compliant by December 2017 or risk losing their federal business. From what I can tell, neither organization was...

TiaraCon started with a group of women having lunch in the foodcourt at Def Con last year. It was an oasis in the midst of testosterone. We bonded over shared experiences, both good and bad, of being women in a field that is unquestionably male-dominated. We really enjoyed the opportunity to come together, since many of us are “the only woman” in...

In my ongoing blog series “Hacker Mindset,” I’ll explore an attacker's assumptions, methods and theory, including how information security professionals can apply this knowledge to increase cyber-vigilance on the systems and networks they steward. In this article, I share my thoughts on NetWars – a live interactive Capture the Flag training exercise...