GoDaddy has remediated a blind cross-site scripting (XSS) vulnerability that attackers could have used to take over, modify, or delete users' accounts. Security researcher Matthew Bryant discovered the flaw using a tool XSS Hunter late last year. At that time, he found he could set his first and last name to an XSS payload. He opted to use a generic...

We tend to fear what we do not understand. Especially when it comes to new technologies. We oftentimes worry… and worry some more… before finally embracing a new gadget, platform, or feature and deciding to incorporate it into our lives. Brian David Johnson, futurist at Intel, is responsible for creating models that predict how people will interact...

Here at Tripwire, one of the responsibilities of VERT (Vulnerability and Exposure Research Team) is the monthly publication of our Patch Priority Index (PPI). Equal parts science and art, the PPI is released by VERT researchers who deal with vulnerabilities resolved by these patches on a daily basis. When this process first began, it prompted a very...

Baby retailer Kiddicare has alerted nearly 800,000 customers that a recent data breach led to the exposure of their personal information. The UK-based company notified potentially affected customers via email, stating that the compromised information included names, delivery addresses, emails and phone numbers. Kiddicare stressed that the...

Google has begun notifying some of its employees that their information was compromised by one of its third-party vendors. In a sample breach notification letter Softpedia obtained from the Office of the Attorney General for the State of California, the tech giant provides some details on what transpired in the incident: "We recently learned that a...

An investment firm recently lost $495,000 as a result of a successful spear-phishing attack against one of its employees. According to The Detroit News, an employee at Pomeroy Investment Corporation recently received a spear-phishing email in which an attacker posed as a fellow company employee and asked the recipient to transfer $495,000 to a bank...

As I discussed in my previous article, threat intelligence provides organizations with contextual details regarding specific threats. Such information is crucial for companies that are committed to formalizing their information security practices. By relying on multiple feeds of threat intelligence, for instance, enterprises can continuously prioritize vulnerabilities based upon their severity...

The retail industry’s critical infrastructure, point-of-sale (POS), continues to be plagued with breaches, according the recent Verizon’s 2016 Data Breach Investigations Report. Though retail as an industry depends on POS, the accommodations/hospitality sector this year took the top spot for confirmed POS-related data breaches at 95 percent. (Only...

Payroll processing provider ADP has confirmed fraudsters gained access to some clients’ online portals and compromised the W-2 data of employees at more than a dozen customer firms. According to ADP, however, the theft occurred after the impacted companies mistakenly published unique access codes to...

An employee was fired from a company after they fell for a phishing scam involving W-2 data. The unnamed individual previously worked for Alpha Payroll, a payroll and merchant services provider that provides payment processing services to companies located all over the United States. Alpha's leadership terminated the employee following an incident...

The 2016 Verizon Data Breach Investigations Report (DBIR) is out, and I’m excited to announce that this year’s findings leveraged vulnerability data from Tripwire and other vendors, including our partner Kenna Security. The 2016 Verizon DBIR recommends establishing “a process for vulnerability remediation that targets vulnerabilities which attackers...

Instagram has rewarded 10-year-old “Jani” with $10,000 for finding a flaw in the popular social media platform. Jani found that he could change code on Instagram’s servers and force-delete users’ posts. According to Forbes, he ultimately verified the bug by deleting a comment the company had posted on a test account. A spokesperson for Instagram has...

OpenSSL has issued fixes for six vulnerabilities, including two flaws with a "high" severity rating. On Tuesday, the corporate entity responsible for OpenSSL, a software library that helps to secure web communications against eavesdropping, published a security advisory in which it provides details on the two "high" severity vulnerabilities. ...

On April 21st, an email from Microsoft appeared in the mailbox of mailing list subscribers informing everyone that MS16-039 had been revised and the update for Microsoft Live Meeting 2007 Console had been re-released. It contained an additional tidbit of information that many people overlooked: "Effective as of the May 2016 security bulletin...

The Federal Bureau of Investigations (FBI) is warning businesses to be on the lookout for a rise in ransomware attacks. On Friday, the FBI published a letter revealing that the threat posed by ransomware to hospitals, state and local governments, law enforcement, small businesses, and private individuals is growing. "Ransomware has been around for...

Phishing is a common social engineering attack, but it does not have a very high success rate. In ordinary phishing campaigns, attackers send out fake messages with the hope that at least some of the recipients will click on a malicious URL or email attachment. Phishing correspondence is, for the most part, never personalized and its content varies...

When talking about the state of information security in the healthcare world, it’s all too easy to come up with witty titles along the lines of, “Is IT Security in Need of a Check-Up?” or, “<Insert Software Name Here> Is Just What the Doctor Ordered For Securing Your Data!” However, indulge me here: In the healthcare sphere in general, it’s...

Organizations face a constant barrage of digital threats. To mitigate the risk of an attack, IT staff need to continually protect all of an organization's endpoints, such as by creating patching schedules and by hardening vulnerable devices. Unfortunately, protection has its limitations. Security personnel can harden a device or implement a patch...

Business secrets could be at risk, after researchers discovered a worrying number of developers were posting access credentials for the Slack chat system on GitHub, embedded inside code repositories and public gists. Detectify Labs blew the whistle on the problem, reporting that it had uncovered thousands of Slack access tokens by simply searching...

There is a lot security professionals disagree on when it comes to Identity & Access Management (IAM). One thing most would agree on though is that IAM means many things to many people, and has been shaped more by vendor product boundaries over the years than by overarching architectures, processes and governance. The basic term “Identity Management...