Dropbox relies on a defense in depth strategy consisting of multiple layers of hashing and encryption to protect its users' passwords. Devdatta Akhawe, a security engineer at the file storage service, says Dropbox went to all this trouble to prevent attackers not only from directly compromising members' plaintext passwords but also from accessing...

Money makes the world go around, and SWIFT - the worldwide inter-bank communication network - is the system that allows banks to send money to each other. So when online criminals find a way to exploit SWIFT, they can transfer huge amounts of money to bank accounts under their control. As we have...

Many people don’t understand how fraudulent charges range from as little as $7.19 from some odd electronics store to $655.38 at some store in Russia while you reside in North America. We tend to think that this may have happened because we used our cards to pay for parking at random locations or for public transportation. As it is easier and quicker...

James Bond always orders his martini prepared a special way: “Shaken, not stirred.” Being a teetotaler, I have always wondered what would happen if Bond – James Bond – was served a stirred martini. Would he be able to tell? Many of the more notable drink masters in the infosec community could probably educate me about the subtle differences between...

According to new data, the education sector now ranks as the most-targeted industry by ransomware attacks. In a recent report, security firm BitSight analyzed the growing ransomware threat across nearly 20,000 companies over the last 12 months. Researchers found that organizations in education had the highest rate of ransomware – with at least one...

Australian police is advising people to be on the lookout for unmarked, malware-laden USB sticks that someone is dropping into their mailboxes. On 21 September, the Victoria Police published a statement revealing that residents of the suburb of Pakenham in Victoria's capital Melbourne are discovering unmarked USB drives in their mailboxes. Here's a...

Everyone has done it at least once – entered the wrong URL when trying to visit a website. Maybe instead of "google.com" you fat-fingered "google.cm," Google's main search page for Cameroon. No big deal there, and we hear the scenery there is lovely. But sometimes a tiny mistake can result in big problems. Entering a URL that’s off by just one...

Whenever there's a big event like the Olympic Games, there's a concern that fraudsters will target spectators and attempt to compromise their digital security. That's why we at The State of Security published some tips on how attendees of the 2016 Summer Olympics in Rio de Janeiro, Brazil could avoid getting hacked and defend themselves against...

In its 2016 Breach Detection Study, Tripwire evaluated the confidence and efficacy of 763 information security professionals in implementing seven key security controls: PCI DSS, SOX, NERC CIP, MAS TRM, NIST 800-53, CIS Top 20 and IRS 1075. Those resources, which align with the United States Computer Emergency Readiness Team (US-CERT) recommendations...

In 2015, Tripwire partnered with FIRST Robotics to bring on summer interns from local high schools. Our goal was to teach the students about various aspects of information security on both the offensive and defensive side. The goals I set out for our interns in 2015 were a bit lofty, to say the least. I had planned on teaching them about the various...

A research team is blaming dark web sellers and websites for foolishly uploading geotagged images to underground marketplaces. Paul Lisker and Michael Rose, who are both Harvard students of CS and Government , authored a study in which they asked the following question: is it possible dark web users are unwittingly revealing their location as they...

Surveillance cameras have become a common sight pretty much anywhere you go. From banks to retail outlets and airports to malls, cameras are placed mainly to monitor the area and check for signs of security threats. This has traditionally been done with security personnel monitoring what the cameras are sending back, often in a tightly controlled...

In a prior post, I gave a broad overview of some of the challenges we face in securing unrestricted DNS resolvers. I presented a talk at BSides Las Vegas on the topic and wanted to take some time to delve into more technical details regarding some of the attacks we have seen, as well as review some mitigation strategies. You can find video of the...

A security researcher has come up with a method that would allow an attacker to bypass the iOS passcode limit on certain iPhone models. Sergei Skorobogatov's process consists of an attacker mirroring the Flash memory stored in an iPhone 5c's NAND cells. During a press conference back in March, FBI Director James Comey explained his agents could not...

In my last blog post, I introduced the topic of automation and how it can help improve security posture. In this post, we’ll be covering some of the risks automation can mitigate against. Data Breaches and Cyber Attacks A recent survey by ISACA on organization preparedness indicated that only 38% of businesses were confident they were prepared to...

FBI Director James Comey feels that covering up a computer's webcam with a piece of tape is "sensible" and "a good thing." In an interview commemorating 10 years of operation for the National Security Division (NSD), a body of the U.S. Department of Justice that leverages law enforcement, intelligence, and other government resources to respond to...

Looking at the cyberthreat landscape, millions of new devices come online every day. But there’s a shortage of qualified cybersecurity workers to protect those devices once they come online. Additionally, in almost every case, it takes minutes or less to compromise them. Simply running more vulnerability scans to collect more data and generating...

It’s hard to believe that in such a relatively short period of time, smartphones and other mobile devices, such as tablets, have become so tightly woven into both our personal and work lives. And unlike desktop or laptop computers that are usually company-owned, personally-owned mobile devices are often filled with company related apps, data, email...

Authorities confirmed that Russian hackers accessed a database containing the medical data of U.S. athletes who participated in the Rio 2016 Olympics. On 13 September, the World Anti-Doping Agency (WADA) said in a statement that a Russian cyber-espionage group known as APT28 or "Fancy Bear" gained...

Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-689 on Wednesday, September 14th. Ease of Use (published exploits) to Risk Table Automated Exploit Easy...