Apple has patched an application-side input validation web vulnerability in iTunes and the App Store that allowed attackers to inject malicious code into user invoices. The vulnerability received a 'High' severity level and a CVSS rating of 5.8. It allows for session hijacking, persistent phishing attacks, and other malicious activities. Benjamin...

In September of 2014, private photos of a number of celebrities, including Kate Upton and Jennifer Lawrence, were leaked onto the image-based bulletin board 4chan. It was soon discovered that this leak occurred as a result of a brute force attack against Apple's iCloud, which until then had not limited the number of login attempts for each user...

Democratic Senators Ed Markey and Richard Blumenthal introduced on Tuesday new legislation, which would require automakers to adhere to certain standards of protection against privacy and hacking. The new bill, entitled the SPY Car Act, would call on the Federal Trade Commission (FTC) and the National Highway Traffic Safety Administration (NHTSA) to...

Following from a recent post on ‘Escalation of Commitment’, a topic studied by both Economists and Psychologist, I could not resist writing a follow-up to explore the consequences for third parties that do not have the preparation and/or resources of the parties involved in scenarios of escalation of commitment in the IT security field. In the...

Late last week, UCLA Health – the Californian university’s hospital – announced it had suffered a cyber attack on its network, potentially exposing the personal and medical information of nearly 5 million patients. In a statement, the hospital said it had determined the attacker had accessed parts of...

Oracle has released its July 2015 Critical Patch Update that provides fixes for 193 security vulnerabilities, including a zero-day vulnerability recently discovered in Java. According to a post published on Oracle's blog, the update contains patches for a number of applications, such as Oracle Database, for which there are provided 10 security fixes...

Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-623 on Wednesday, July 15th. MS15-058 SQL Server Elevation of Privilege Vulnerability CVE-2015-1761 SQL Server Remote Code Execution...

Mozilla has blocked every version of Adobe Flash Player running in its Firefox web browser and will continue to do so until Adobe has patched certain publicly known security vulnerabilities. Firefox users who seek to view videos, adverts, and other Flash-based content will now be required to dismiss a warning that reads, "Flash is known to be...

Yet another zero-day Flash exploit has been found in the massive data dump that is the result of a major compromise of Italian espionage software maker Hacking Team. Vulnerabilities CVE-2015-5122 and CVE-2015-5123 are similar to the previous Flash vulnerability (CVE-2015-5119 ) found in the Hacking Team arsenal CVE-2015-5119, however there is...

A cyber attack on the United States power grid, causing outages and damage to infrastructure, could have a major impact on the country’s economy, costing up to $1 trillion in the most extreme scenario. A recent report, produced by the University of Cambridge’s Centre for Risk Studies and Lloyd’s of London insurance, outlines the potential implications...

Earlier this year, the PCI Security Standards Council officially released PCI DSS 3.1 only months after its predecessor (version 3.0) came into effect. With a typical three-year period between standard revisions, the out-of-band update caught many off guard, especially organizations still in the process of complying with the changes from the...

OpenSSL has released an advisory urging users to update their systems in the wake of a high-severity alternative chains certificate forgery bug. "During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails," the advisory...

Cisco has released a patch for a password vulnerability that was recently discovered in its Unified Communications Domain Manager (Unified CDM) Platform Software. According to a security advisory released by the company, "A vulnerability in the Cisco Unified Communications Domain Manager Platform Software could allow an unauthenticated, remote...

Commercial Virtual Private Network (VPN) services, claiming to provide users enhanced privacy and anonymity, may not be as secure as users think. A group of researchers from Queen Mary University of London and the University of Rome disclosed their findings today, revealing that many of the most widely used VPN services are susceptible to DNS...

The Magnitude exploit kit (EK) is leveraging a recently patched zero-day vulnerability found in Adobe Flash Player to drop CryptoWall ransomware. Early last week, Adobe released a security update for the critical vulnerability CVE-2015-3113, which affects Windows, Macintosh, and Linux. If unpatched, the flaw allows for an attacker to take control of...

Cisco has released patches for SSH keys vulnerabilities affecting several of its virtual appliances. The vulnerabilities were discovered during internal security testing and have been found to affect Cisco Web Security Virtual Appliance (WSAv), Cisco Email Security Virtual Appliance (ESAv), and Cisco Security Management Virtual Appliance (SMAv). ...

If you read my previous post about Microsoft ending extended support for Windows Server 2003 (WS2003) on July 14, 2015, you’re familiar with what that means - Microsoft will not be providing further security patches, hot fixes, or software updates without a costly extended support agreement. “Many IT teams are very comfortable using Windows Server...

Tripwire is pleased to announce the release of its newest infographic, “Where Are Your Cyberattacks Coming From?” Created in response to the release of Verizon’s 2015 Data Breach Investigations Report (DBIR 2015) back in April, the infographic explains the five most common attack patterns behind today’s data breaches. In this article, I will review...

Gift cards have caused quite a headache for retailers in the last month, exposing another way that fraudulent activity can eat into razor-thin profit margins. Gift card fraud can range from physical theft to cloning to exploiting programming errors on the merchant side. The methods of attack are very similar to what is seen with credit card fraud,...

The issue of cybersecurity has finally gained the attention of top company decision-makers in light of the ongoing large-scale breaches that continue to jeopardize company assets and customers’ privacy. However, as executives and board members become more aware of the impact of cyber attacks on the business, is awareness enough to allow them to...