The OpenSSL Project, a collaborative effort designed to develop an open source toolkit that implements SSL and TLS, has announced that it will be fixing a number of security flaws on Thursday, one of which it has labeled “high” severity. The initiative made the announcement in a message circulated yesterday. “The OpenSSL project team would like to...

Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-605 on Wednesday, March 11.MS15-018Multiple Memory Corruption Vulnerabilities in Internet ExplorerMULTIPLEVBScript Memory Corruption VulnerabilityCVE-2015-0032Internet...

The term APT (Advanced Persistent Threat), like many other acronyms in the world of IT/Information/Cyber Security entered our vocabulary some years ago, along with other partnering phrases, such as Advanced Evasion Techniques (AET), which at the time took the headlines as something new. Whilst these new outlined logical dangers do serve up a very...

Imagine coming into the office one day, and finding that visitors to your website are not only seeing messages and images posted by hackers, but that the attackers are also posting screenshots of private emails sent to your company on Twitter. That's the scenario Lenovo faces today—although there is no evidence that the PC manufacturer's own servers...

For the past several months, the major threats to mobile security, especially within large enterprises, have relied on exploiting one thing—iOS Enterprise Certificates. With this part of Apple’s framework seemingly a significant source of danger, we’re taking a look at iOS Enterprise certificates from a mobile security perspective. By examining...

According to a recent report, companies are failing to properly patch and update their systems despite the disclosure of threatening vulnerabilities. The 2015 Cyber Risk Report (PDF) produced by HP analyzing last year’s threat landscape found that as many as 44 percent of breaches were the result of attackers leveraging a patched two- to four-year...

Updated Tuesday, Feb. 24, 2015, 2:11 PM: Added content for Tripwire Enterprise customers to find Samba in their environment. A major vulnerability (CVE-2015-0240) has been discovered in Samba, which is a widely used and distributed SMB/CIFS Linux/Unix application for interoperability with Microsoft Windows. Samba provides integration of Linux...

Have you ever had your identity stolen? Or perhaps an identity crisis? I hope for your sake the answer is "no." However, if it's yes, you are in good company. Computing devices, which I'll loosely refer to as "assets," often change their identity, and at times even have it stolen (as a side note, NIST has a much broader definition of asset more...

Last summer, security researchers Karsten Nohl and Jakob Lell developed a malware program, dubbed ‘BadUSB,’ to prove the insecure development of USB devices. The pair of security researchers revealed how they managed to reprogram the firmware on removable USB drives to include malicious code, giving potential attackers the ability to take over PCs...

Last month, Michal Nemcok blogged about the lack of security in the Progressive Insurance diagnostic monitoring dongle. By hacking the monitoring device, someone may be able to gain access to and change the behavior of the car, itself. Now, this is serious stuff – vulnerabilities that might impact the operation of the thing that carries your body...

Anyone who has ever visited blog posts on the Forbes website has properly been irritated from time-to-time by its practice of displaying a "Thought of the Day" for a few seconds before it passes you onto the article that you actually wish to read. We all understand that Forbes has to make money like any other web publisher, but the "thought" (which...

Attackers can use gaps in the X-Frame Options (XFO) support on Google’s Play Store web application to remotely install malware onto users’ Android devices. “A malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected...

In the face of the current wave of cyber threats, the U.S. government announced this week in Washington DC that as part of the Homeland Security initiative the current administration is creating a new agency called the Cyber Threat Intelligence Integration Centre (CTIIP) to monitor cybersecurity threats by acquiring, pooling and analysing any...

Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-601 on Wednesday, February 11.MS15-009Multiple Memory Corruption Vulnerabilities in Internet ExplorerMULTIPLEMultiple Elevation of Privilege Vulnerabilities in Internet...

In February’s Patch Tuesday, Microsoft issued an update to fix a privately reported critical vulnerability in Group Policy that could allow potential attackers to achieve remote code execution (RCE) in domain networks. If successfully exploited, an attacker could gain complete control of a vulnerable system, install programs, view data and even...

With cybercrime and major hacking incidents reaching epidemic proportions, the importance of locating application-layer vulnerabilities is rising. Developers and companies are constantly striving to scan their code and improve code integrity in the early development stages, but no application is completely vulnerability-free and external scrutiny...

Major cyber security incidents continue to hit the headlines. Security and privacy are top concerns for IT and security professionals, especially after 2014’s highly publicized data breaches. Companies around the globe were victim to malware, stolen data and exploited vulnerabilities. Big companies weren’t immune to this, with Target, JPMogan Chase,...

It seems only fitting that 2014 should have ended with the much publicized hacking of Sony as the American public was inundated all year with one sensational account after another of damaging data security breaches. Those surrounding Target, UPS, K-Mart, Staples, Dairy Queen and Home Depot have certainly received the full attention of the media, as...

Patch Tuesday, the unofficial day on which Microsoft regularly releases security updates for its software products, has long been a staple of the information security community. On the second (and sometimes fourth) Tuesday of every month, Microsoft releases a unique set of security bulletins that provide patches for a range of new Common...

Cross-Site Scripting (XSS) vulnerabilities can, unfortunately, be found in all types of web-based applications. Indeed, they appear to be rather ubiquitous across the web. XSS falls into the category of code injection vulnerabilities and is a result of web-based applications consuming user-supplied input without proper filtering and sanitization....