Vulnerabilities in software used by 200 Vermont municipalities left town employees' Social Security Numbers and other information exposed. Brett Johnson, owner of IT company simpleroute, discovered the flaws after two Vermont towns hired him to do some work for them back in 2017. According to a report in which he wrote about the weaknesses, Johnson...

Technology has advanced to a state where clients now expect a constant stream of updates for their software and applications. To fulfill this demand, developers commonly turn to what’s known as a CI/CD pipeline. As noted by Synopsys, this practice embraces two important software development concepts of today’s streamlined world:Continuous Integration ...

I’m excited to announce that I will be presenting at this year’s Black Hat Asia about my research into detecting and exploiting CBC padding oracles! Zombie POODLE and GOLDENDOODLE are the names I’ve given to the vulnerabilities I’ll be discussing. Similar to ROBOT, DROWN and many other vulnerabilities affecting HTTPS, these issues stem from continued...

Home design website and community Houzz revealed that a security incident might have exposed some users' personal and account data. On 1 February, Houzz published a security update explaining that it detected the security event in late December 2018. The company didn't provide exact details about how...

Tripwire's January 2019 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe and Oracle. First on the patch priority list this month are patches for Microsoft's Browser and Scripting Engine. These patches resolve six vulnerabilities, including fixes for Memory Corruption, Elevation of Privilege and Remote Code...

If you’ve been online recently, you may have read the news about hackers demanding a ransom from Dublin’s tram system. Visitors to the Luas website were greeted by the hackers’ message threatening to publish the stolen information unless they were paid one Bitcoin (approximately 3,300 Euros or US $3,800). While the message itself appeared to be...

When he issued Executive Order 13800 (EO 13800) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, President Trump’s goal was to highlight that security and public accountability of government officials are foundational pillars while emphasizing the importance of reducing cybersecurity risks to the Nation. In...

If you have ever heard of the Federal Information Security Management Act, then you are aware of the work done by the National Institute of Standards and Technology. The goal of the Act, not to mention the subsequent documents that resulted from strategies designed around implementing it, led NIST to create works designed to bolster security on the...

The Internet of Things (IoT) broadly refers to devices and equipment that are readable, recognizable, locatable, addressable and/or controllable via the internet. This includes everything from edge computing devices to home appliances, from wearable technology to cars. IoT represents the melding of the physical world and the digital worked, as...

Hopefully, the title of this blog has gotten your attention. In one of my prior blogs, ICS Cybersecurity: Visibility, Protective Controls, Continuous Monitoring – Wash, Rinse, Repeat, we talked about how the malicious threat landscape for industrial controls systems is constantly evolving and getting more sophisticated, thereby raising the need to...

Mozilla has announced that it will disable support for the Adobe Flash Player plugin by default in version 69 of its Firefox web browser. On 11 January, Mozilla senior software engineer Jim Mathies opened a Bugzilla ticket announcing his employer's plan to "disable Flash by default in Nightly 69 and...

This article covers the main techniques cybercriminals use at the initial stage of attacks against enterprise networks. There are several dangerous phases of cyberattacks targeting the corporate segment. The first one encountered by businesses boils down to getting initial access into their systems. The malefactor’s goal at this point is to deposit...

Today’s VERT Alert addresses Microsoft’s January 2019 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-812 on Wednesday, January 9th. In-The-Wild & Disclosed CVEs CVE-2019-0579 The Windows Jet Database Engine improperly handles objects in memory and, if an attacker can convince a victim to...

Many organizations have DevOps on their mind going into 2019. This is a global movement. In fact, Puppet and Splunk received responses for their 2018 State of DevOps Report from organizations on every continent except Antarctica. Those organizations varied in their industry, size and level of DevOps maturity, but they were all interested in learning...

The website of Luas, the tram system operating in Ireland's capital city of Dublin, has been taken offline this morning after hackers defaced the site and demanded a ransom be paid within five days. Early morning visitors to the website were greeted with a message from the hackers, claiming that data had been stolen from operator Transdev Ireland,...

There’s nothing more impactful than a proactive cybersecurity strategy. What’s your preferred scenario: the one where you’re reeling from a lethal data breach with thousands of customer profiles compromised, or, the one where your team identified and diffused a problem before it had time to wreak havoc? The key difference between a company that...

A lot has been going on with autonomous vehicles these days. Almost every famous car manufacturer seems to be in a rush to master the perfected version of self-driving cars. While most people believe that fully autonomous vehicles are still in their infancy stage, manufacturers think that they will dominate the roads by 2020. The problem with...

Doxxing means publishing private information about someone online to harass or intimidate them. It has ruined reputations and caused untold distress to hundreds of people. On occasion, doxxing has resulted in injury or even death. Being doxxed can have serious consequences for your safety and privacy. How can you prevent it? Doxxing and...

If you own a WordPress site, then you should be careful about your website security. To successfully run a blog, business or online store, you need to make sure your website is totally safe. Customers visit your website, purchase products and pass sensitive information like passwords, credit card details etc. If there is a place to infiltrate to...

Tripwire's December 2018 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft and Adobe. First on the patch priority list this month are patches for Microsoft's Internet Explorer and Scripting Engine. These patches resolve nine vulnerabilities, including fixes for Memory Corruption and Remote Code Execution (RCE)...