If your doctor walks into the exam room for your annual physical and listens to your heart, takes a quick look at your throat, and then gives a clean bill of health without asking many questions, a quick interaction might make you feel good if you’re not worried about your health. However, if you haven’t been feeling well, or if you are at risk for...

At least 30 Twitter accounts received a disturbing message from the site late last week, warning that they may have been targeted by government or state-sponsored hackers. Canadian non-profit Coldhak, which focuses on privacy and freedom of speech issues, was one of the first to reveal that they had received the warning from Twitter, and included a...

For most retailers, the holiday season is easily the most profitable time of the year, bringing in huge crowds of shoppers the last couple weeks of the year. However, the much-anticipated holiday season is also notorious for being the season of hacking, as illustrated by several massive breaches during this time in previous years. Hence, retailers...

An interesting ruling was released by the Federal Trade Commission a few weeks ago. The ruling dealt with a case in which LabMD, a cancer research company, was accused of improperly protecting consumer data that, if disclosed, is likely to cause substantial consumer injury. The initial incident, which led to the FTC investigation, started back in...

A member of the hacking group NullCrew has pleaded guilty in federal court to having participated in at least seven targeted attacks between 2012 and 2014. Source: Softpedia On Tuesday, Timothy Justen French, 21, of Morristown, pleaded guilty to a single count of intentionally damaging a computer...

Earlier this fall, a contributor to The State of Security explained that one of the greatest privacy and security challenges confronting our smartphones today are the apps we choose to install. He noted in his post how app developers often make money by harvesting data from users' devices and in turn selling this information to marketers. They also...

Computer crime is a persistent challenge in the digital age, yet our collective understanding of it is skewed. Many would like to believe that people associated with criminal organizations or state-sponsored hacker collectives are the only people capable of devious behavior online. That is simply not the case. Individuals can perpetuate computer...

Microsoft is warning XBox Live users of possible man-in-the-middle (MitM) attacks after accidentally leaking users' private keys. In an advisory released on December 8th, Microsoft states that a a disclosed digital certificate could lead to spoofing attacks against users. "Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for...

Over the past 20 years, I have implemented many different security solutions – from IDS in the 90s to browser protection in 2014, and just about everything else in between. One thing that quickly became obvious during my time in information security is that security considerations are just one part of the equation for most organizations. Involving...

File Integrity Monitoring (FIM) has been around for a long time. In fact, Tripwire has been a pioneer in FIM since the early 1990s when Gene Kim released the first version of Tripwire. Monitoring for change enables you to know what changes were made, who made the changes, and the changes that occurred. This allows you to easily roll back to a known...

Adobe has patched 79 "critical" vulnerabilities affecting Flash Player in its December 2015 security bulletin. The alert, which bears the vulnerability identifier APSB15-32, warns that all platforms are affected by the flaws. This includes Windows and Macintosh regarding the Flash desktop version 19.0.0.245 and earlier, as well as the Google Chrome,...

Last month, Microsoft released a report on the advanced threat group Fancy Bear. This alert, as noted by security blogger Graham Cluely, explains how the group—otherwise known as "Sofacy," "Sednit," "STRONTIUM," and "APT 28"—stalks mailing lists, social media sites, and public forums in search of potential victims from whom it can steal login...

CVSSv3 was released this past summer and a number of vendors, including Tripwire, are beginning to adopt it both internally and within their tools. I wanted to talk about some of my favourite (and not-so-favourite) aspects of CVSSv3. Up first, we have the addition of Scope. I have a bit of a love-hate relationship with the notion of Scope. I think...

Today’s VERT Alert addresses 12 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-648 on Wednesday, December 9th. Ease of Use (published exploits) to Risk Table Automated Exploit Easy ...

I’ve been enjoying Bob Covello’s recent posts on passwords and password managers – A LastPass Hack with a Happy Ending shows how idiot simple it can be to find someone’s “hidden” password list. A surprising interchange on passwords came up in November, during a Chertoff Group Security Series panel entitled “Enough with Getting Pwned Through...

There was an interesting court case that took place back in 2010. The case involved an employee who was injured on the job and sued the employer. A few years later, the employer wanted to see how the employee’s quality of life was affected, and they requested access to the employee’s social media pages. The employee objected, asserting the right to...

Federal authorities have confirmed that Roger Thomas Clark, the alleged mentor of Silk Road mastermind Ross Ulbricht, has been arrested in Thailand. A press release issued by the Department of Justice reveals that Clark, who went by the names "Variety Jones," "VJ," "Cimon," and "Plural of Mongoose," regularly advised Ulbricht on the ongoing...

Despite the huge rise in media reporting of cyber insecurity, organisational and individual behaviours are still demonstrating a lack of information security awareness and basic good security practices. The TalkTalk attack demonstrates the extent to which organisations are failing to establish basic security on their websites and the woeful...

Earlier this fall, researchers struck a significant blow against the Angler Exploit Kit. Security blogger Graham Cluley explains in a blog post how analysts with Cisco’s Talos Security Intelligence and Research Group analyzed the exploit kit and traced one of the primary locations for its proxy servers back to Limestone Networks located in Dallas,...

A malicious hacker that successfully breached the IT systems of a large bank in the United Arab Emirates (UAE) demanded nearly $3 million worth of cryptocurrency or the financial information of hundreds of its customers would be leaked online. The hacker – who goes by the alias ‘Hacker Buba’ – reportedly gained access to the bank’s systems last...