Chinese networking telecommunications equipment and services company Huawei has patched a vulnerability in its MBB (Mobile Broadband) product E3272s that if exploited could lead to denial-of-service attacks and remote arbitrary code execution. According to a security bulletin released by the company, "An attacker could send a malicious packet to...

In today's world, our notion of endpoints has evolved from something with a user and a keyboard to something with exploitable vulnerabilities. This conceptualization therefore covers network connections beyond laptops, personal computers and mobile devices. Indeed, vulnerabilities arising from Internet of Things (IoT) appliances; automobiles, such...

SQL injection is arguably the most severe problem web applications face. OWASP, an online community devoted to web application security, consistently classifies injection vulnerabilities as number one on their OWASP Top 10 Project. SQL injection vulnerabilities are a favorite amongst a number of “hactivist” groups whose aim is to cause disruption in...

Our security roundup series covers the week’s trending topics in the world of InfoSec. In this quick-read compilation, we’ll let you know of the latest news and controversies that the industry has been talking about recently. Here’s what you don’t want to miss from the week of September 28, 2015: A massive data breach at Experian – one of largest...

What a whirlwind the past few months have been for data security, breaches and hacking events. From the Wyndham v. FTC ruling to yet another breach by a BCBS affiliate, there is increasing pressure across the information security industry to push organizations to perform those pesky security risk assessments touted by the National Institute of...

Today, a segment will air on Crime Watch Daily where Tripwire Senior Security Researcher Craig Young and I reveal on camera how vulnerable smart homes can be when not properly secured. We show firsthand that the key weaknesses in most smart homes are a combination of insecure networks and default configurations, including systems that installers may...

Tripwire recently hosted a webcast entitled, “Talking To The Board: How To Improve Your Board's Cyber Security Literacy -- UK Edition.” For the presentation, Amar Singh, Interim CISO and Founder of both Cyber Management Alliance and Give01Day, an organization that connects volunteer information security professionals together with charities seeking to...

Our security roundup series covers the week’s trending topics in the world of InfoSec. In this quick-read compilation, we’ll let you know of the latest news and controversies that the industry has been talking about recently. Here’s what you don’t want to miss from the week of September 21, 2015: According to independent security journalist Brian...

The United States Navy has announced it is currently working on developing a new system aimed at protecting its ships from pervasive Internet attacks, often leading to network spying and confidential data theft. Codenamed the Resilient Hull, Mechanical, and Electrical Security (RHIMES) system, the Office of Naval Research (ONR) revealed the enhanced...

Today, enterprises must grapple with a panoply of numerous and highly sophisticated threats. In response to this dangerous landscape, it is no wonder that businesses are increasingly turning to security dashboards – a powerful communication vehicle for all information security professionals. An effective security dashboard provides personnel,...

The one-month countdown is on and I figured it was time for a reminder that Tripwire VERT will be at SecTor in the Expo area running an IoT Hack Lab. If you aren’t considering attending SecTor, you really should be. Even if you don’t want to attend the full conference, there’s an Expo Only admission that is free on their website until the start of...

A security firm has announced a one million dollar bounty in reward for anyone who submits exploits and jailbreaks for Apple's iOS 9 mobile operating system. In a blog post published on Monday, Zerodium officially unveiled "The Million Dollar iOS 9 Bug Bounty". "Apple iOS, like all operating system, is often affected by critical security...

UPDATE 9/23/15: VERT has released a script based on FireEye's nping command to report if a host is affected or not. The script is available on the Tripwire VERT GitHub here. For IP360 customers, a variant of this is available as a custom rule. Please contact Tripwire Support or view the TechNote in TCC for details. I’ve always been a big fan of...

A Russian hacker has pleaded guilty to stealing 160 million credit cards numbers and to attacking several large American companies. On Tuesday, Vladmir Drinkman, 34, admitted in federal court in Camden, New Jersey that he and four other individuals conspired to steal credit card numbers from Heartland Payment Systems Inc., 7-Eleven Inc., and the...

All too often, I find that vendors discount the risks associated with attack vectors involving cross-site request forgery (CSRF). Naturally, remediation of vulnerabilities involving user-interaction should generally take a back seat to those that are exposed to completely remote/unauthenticated exploitation, but that doesn’t mean it is OK to simply...

FireEye filed an injunction against German IT security research firm ERNW GmBH last month in order to protect its intellectual property. According to CIO, ERNW first contacted FireEye, a former intern of which recently pleaded guilty to selling Dendroid malware on Darkode, back in April of this year after its researchers discovered five...

Ransomware is on the rise. According to the McAfee Labs Threat Report: May 2015, this threat saw a 165% increase in the first quarter of 2015 alone. In response, security researchers have periodically released removal kits designed to help victims of crypto-ransomware variants recover their encrypted files. However, given the diversification of...

Today’s VERT Alert addresses 12 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-632 on Wednesday, September 9th. Ease of Use (published exploits) to Risk Table Automated Exploit Easy...

The Federal Trade Commission (“FTC”) can now sue a company for failing to adequately protect client data. Let that sink in for a moment. In short, the recent court ruling confirmed the FTC’s authority to create, impose, and enforce data security rules on virtually any business that holds consumer data. QUICK BACKGROUND On August 24, 2015, the US...

Our security roundup series covers the week’s trending topics in the world of InfoSec. In this quick read compilation, we’ll let you know of the latest news and controversies that the industry has been talking about recently. Here’s what you don’t want to miss from the week of August 31st, 2015: On the one-year anniversary of 'The Fappening,' an...