Blog

Blog

Should Companies Strike Back at Hackers?

I was just reading an article about an FBI investigation of whether US banks are attacking their cyber attackers in an attempt to fight back. Along similar lines, we recently saw reports of Sony taking an offensive position by DDOS-ing sites hosting its content. The question of whether it makes sense to attack your cyber attackers isn't new—this has...
Blog

Six Strategies for Reducing Vulnerability Risk

There's little doubt that effectively remediating vulnerabilities is an important part of a comprehensive information security strategy. Vulnerabilities in desktops, servers, laptops and infrastructure are commonly involved in intrusions and incidents. For example, the Chthonic malware designed to steal banking details, exploits a known Microsoft...
Blog

Vulnerability Scoring 101

On any given day, my inbox is a flurry of activity that would make a January snow squall in Canada feel like a light breeze with the occasional flake. Like a snowflake, each email is unique but many share common themes. One of these themes is my favourite discussion topic: vulnerability scoring. I was inspired to further discuss this issue after the...
Blog

Mobile Payment Security Faces an Uphill Battle in 2015

Only one percent of consumers believe using a third-party mobile payment provider, such as Apple Pay or Google Wallet, is a safe way to pay for in-store purchases, reveals Tripwire, Inc. This past holiday season, One Poll and Dimensional Research conducted a consumer survey of over 2,011 consumers in the United States and UK. The survey’s findings...
Blog

2014: The Year of the Breach – Part 2

In anticipation of the New Year, Tripwire recently published an article that surveyed some of the better-known data breaches that occurred in 2014. We now present Part 2 of our two-part series, “2014: The Year of the Breach.” Home Depot (September) – On September 18th, Home Depot acknowledged that it had suffered a data breach. The attackers...
Blog

Second Member of Hacker Group ‘Lizard Squad’ Allegedly Arrested

British authorities have allegedly arrested another member of the hacker group ‘Lizard Squad.’ The Daily Dot recently broke the story after it received an email from Vinnie Omari, a 22-year-old member of the hacker group. “They took everything,” Omari explained in the email, which allegedly also contained an image of the British authorities’ search...
Blog

Ingredients for Architecting the Security of Things

One of Tripwire's many strengths is our ability to collect security data and build meaning from it. Meanwhile, the rapidly emerging Internet of Things (IoT) poses some juicy problems to tackle in this regard. I recently came across an interesting article titled 4 Big Trends that Impact Industrial Automation and What To Do About Them, Part 1 of 2 by...
Blog

Apple To Add New Security Alerts Following iCloud Hack

In response to the recent debacle that exposed multiple celebrities by hackers breaking into their personal Apple accounts and leaking private images on the web, Apple has stated it plans to launch additional security alerts warning users of possible intrusion.
Blog

Vulnerability Management: Just Turn It Off! Part III

Four unnecessary risks that often appear in even the most secure networks, and step-by-step instructions on how to immediately address these considerable risks that can be hurting the security of our environment.
Blog

Vulnerability Management: Just Turn It Off! Part II

Our last post in the “Turn It Off!” blog series discussed some of the most common and yet unnecessary features that can make your environment more vulnerable, including JBoss JMX consoles, server banners and the Apache HTExploit. These risks are often encountered by our Vulnerability and Exposure Research Team (VERT), even on well-defended networks and many of which have been around for quite...
Blog

The 36th Article About VPN Split Tunneling

I have done is the most comprehensive meta-analysis on the security world’s view of VPN split tunneling. Will it change my IT team’s mind? Let’s find out…
Blog

NETGEAR Wireless Router Configuration Guide

This guide assumes that the reader has a NETGEAR branded wireless router and knows it’s address on the network. If you have forgotten the administrative password for your device, it may be necessary to perform a factory reset as outlined in this NETGEAR knowledge base article and then to login with the default password. Please note that while...
Blog

Friends Don’t Let Friends Mix XSS and CSRF

In preparation for my upcoming talk at BSides SF about finding vulnerabilities, I would like to share today some insights regarding two common types of vulnerabilities which leverage web browser in two unique ways. The goal of these vulnerabilities is quite different however. One is used to run untrusted code while the other is used to hijack authentication. The combined effect of these issues...