Over the past few months, the security industry has witnessed several major cloud data breaches. The Deep Root Analytics leak sent shockwaves across the cybersecurity community in June, as sensitive information on 197 million American voters was exposed. A few weeks later, data on six million Verizon users was exposed by Nice systems, a third-party...

In 2015, The State of Security published a list of 11 essential bug bounty frameworks. Numerous organizations and even some government entities have launched their own vulnerability reward programs (VRPs) since then. With that in mind, I think it's time for an updated list. Here are 10 essential bug bounty programs for 2017. 1. Apple Website:...

Responsible disclosure is the gold standard for fixing security vulnerabilities. But as we all know, sometimes at least one stakeholder doesn't hold up their end of the agreement. Parties violate a responsible disclosure timeline for many reasons. Take the Zero Day Initiative, for instance. One of its security researchers discovered a vulnerability...

“Cyber” is not an appropriate category of risk. Often cited in 10-K reports, discussed by board directors and C-suite executives, and referenced by Enterprise Risk Management (ERM) or Governance, Risk and Compliance (GRC) professionals, the category merely perpetuates ambiguity and lack of understanding related to all things “cyber.” Because of this ...

Recently, an incident commonly referred to as “stackoverflowin” swept social media. On February 4, 2017, a 17-year-old hacker from the UK using the alias ‘stackoverflowin’ decided on a whim to do some printing. He printed quite a bit. In fact, he printed so much that it started to trend on Twitter. That’s because he printed to every open printer on...

Bad actors commonly abuse LinkedIn to launch digital attacks. With over 500 million members spread across 200 countries, the professional networking site contains crucial information that nefarious individuals can use to attack nearly any organization and its corporate data. They just need to establish an initial foothold in the company. Most of the...

Friday, August 18th was Bad Poetry Day. To celebrate, Tripwire decided to ask some of it's employees and friends in the community to share some of their security poems with us. Some folks tweeted theirs out using the hashtag #tripwirebadpoetryday. Others sent them in. Here are some of our favorites: Roses are red, Violets are blue Tripwire is...

The WannaCry and NotPetya attacks caused disruption on a global scale in the spring and early summer of June 2017. Following those malware campaigns, businesses around the world should have heard the alarms and responded by tightening their security systems in an effort to mitigate against similar attacks in the future. But reality doesn't always...

Containers can be traced back to 1979 with chroot but the advent of Docker has exponentially increased the popularity and usefulness of this technology. Any technology that becomes popular and useful also becomes a target for attacks. Containers are designed to provide isolated environments rather than full virtual machines, but they make great...

I have had the pleasure of working on the latest curriculum for Tripwire University. In that capacity, I've noticed more and more interest around securing cloud environments as our customers and the market continue to move towards cloud technologies. Whether it be customers who are 100% committed to the cloud and moving all of their assets up into...

Today’s VERT Alert addresses the Microsoft August 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-737 on Wednesday, August 9th. In-The-Wild & Disclosed CVEs CVE-2017-8627 The first publicly disclosed vulnerability this month is a denial of service in the Windows Subsystem for Linux....

DEF CON 22 was my third DEF CON and the first time ever for the IoT Village and related "SOHOpelessly Broken" contests. That year, I easily won both tracks of the competition with only a handful of hours spent analyzing and hacking routers. As anyone who’s ever attended DEF CON can tell you, there are roughly one billion options for how to spend the...

For a cybersecurity program to succeed, it must identify the assets it aims to protect. Without a clear understanding of its assets, no organization can truly understand the value of its resources, assess the risks they face, or understand how much to spend to secure its infrastructure. Unfortunately, the process of identification is not getting any...

DevOps is revolutionizing the way enterprises deliver apps to the market. It blends software development and information technology operations, or the processes and services used by IT staff, as well as their internal and external clients to fulfill their business duties. Such a convergence creates an assembly line for the cloud, as Tim Erlin wrote...

Security vulnerabilities are becoming the new oil, and the bug bounty economy is booming. As news of cyberattacks and data breaches continue to consume the press, never before has the market for vulnerabilities been so dynamic. “Bug bounty programs,” frameworks where security researchers legally trade previously undiscovered vulnerabilities for...

Critical security vulnerabilities have been discovered in the Segway/Ninebot MiniPro Hoverboard, but don't panic - firmware patches have already been issued to prevent malicious hackers from attacking the devices. Which is a relief - as successful exploitation of the security holes could have seen attackers seize remote control of a hoverboard and...

A hacker took over a dark web hosting provider by exploiting a "major security vulnerability" and thereby accessing a server. On 8 July, an attacker calling themselves "Dhostpwned" set up a shared hosting account on the service offered by Deep Hosting. They used that account to upload two shells on their servers. One was written in PHP, whereas the...

The Phoenix Project was an easy and enjoyable read about Bill Palmer, a manager in the IT department who unexpectedly gets promoted to VP of IT Operations. To succeed in this new role, Bill had to expand his view from just his group to the organization as a whole in order to master the "Three Ways" for how to evolve from a dysfunctional group of...

Today’s VERT Alert addresses the Microsoft July 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-733 on Wednesday, July 12th. In-The-Wild & Disclosed CVEs CVE-2017-8584 In a Patch Tuesday first, we have a HoloLens code execution vulnerability. This vulnerability impacts Windows 10 and...

I’ve been studying the security designs of various embedded devices for the past couple of years. This research has led me to uncover dozens of critical flaws in internet-connected devices ranging from enterprise NAS devices and access points to countless consumer products like wireless routers, home automation controllers, security cameras and more...