It’s January again, and as usual, various media outlets are busy reporting on vulnerability statistics from the previous year. As usual, the CVE Details folks have worked up a lot of hype based on CVE counts, and once again, the media has taken the bait with sensational headlines about Google’s Android being the most vulnerable product of 2016. For...

Back in the spring of 2015, I wrote about five types of social engineering attacks against which users should protect themselves. One of the techniques I discussed is called pretexting. It's when an attacker creates a pretext, or a fabricated scenario, to trick a target. Attackers will assume any pretense to achieve their nefarious ends. Some of...

A Dutch website builder leveraged a secret script to steal 20,000 users' login credentials, hack their accounts, and commit payment fraud. On 17 January, police in the northern Netherlands announced they're contacting 20,000 users with the advice that they change their passwords as soon as possible. This move comes several months after the world...

The ever-fickle world of pop culture has seen a resurgence of interest in Sherlock Holmes in the last five years. Fresh re-imaginings of the detective residing at 221B Baker Street have come both to the big screen and small to varying degrees of critical acclaim. Robert Downey Jr.’s version premiered in 2009, while Benedict Cumberbatch’s modern...

Another year has gone by...but "123456" still remains the most common password employed by users to protect their web accounts. On 13 January, password manager and digital vault developer Keeper Security broke the somber news in a blog post: "Looking at the list of 2016’s most common passwords, we couldn’t stop shaking our heads. Nearly 17 percent...

Implicit deny and explicit allow were two core fundamentals from the start of the information security discipline. However, as the scale and complexity of infrastructures grew, it became evident the list of things we should allow is exponentially smaller than the list of things we should deny. Say "no" to everything unless it is known to be good....

The digital world is riddled with threat actors of which we know very little. Some of these mysterious agents launch one or two modest attacks and peter out soon after crawling their way into existence. Others last a bit longer, raising hubbub and gaining notoriety in the process. Not a lot of actors make it into the latter category without the...

A targeted email campaign used a fake Microsoft Silverlight update to trick users into installing a keylogger onto their computers. Overall, the attack campaign consisted of only a few malicious emails sent to employees at a major financial services provider. Each email bore a Microsoft Office document as an attachment--an attack vector seen in...

On November 17, 2016, the security community witnessed the resurgence of a familiar enemy. That's the day when Shamoon 2, the successor of an attack campaign which first emerged in 2012, delivered Disttrack wiper malware to an organization based in Saudi Arabia. True to its design, Disttrack spread through the company's network and overwrote the...

Hopefully, we all know by now that it's a big mistake to post too much personal information on social media. For instance, telling the world that your house will empty because you're going away on holiday could lead to burglary. Similarly, it's a pretty dumb idea to post photos of your debit card on Twitter. And we all should know by now about the...

Scammers are using fake Amazon payment sites to steal money from customers lured in by unbeatable deals. Comparitech, a website which offers consumer advice on topics relating to technology and information security, recently investigated one such fraudster. The fake seller goes by the name Sc-Elegance. They have a reputation for selling expensive...

John Callahan’s October article “4 Reasons to Get Your Masters in Cyber Security” made me think about how to help students and cyber professionals strengthen a critical soft skill: written communication. Research synthesis and analysis papers are common in academic environments. These critical thinking assignments require students to conduct...

"By sitting in the alcove, and keeping well back, Winston was able to remain outside the range of the telescreen, so far as sight went. He could be heard, of course, but so long as he stayed in his present position he could not be seen." The above quote is a snippet from George Orwell’s dystopian-themed novel 1984, where Big Brother is constantly...

A new ransomware family called Spora comes outfitted with a sophisticated encryption scheme and a professionally designed payment portal. Spora, which is Russian for the word "spore," relies on fake invoice emails for distribution. The emails bear ZIP files containing HTML Application (HTA) files as attachments. But users might not realize it. That...

** UPDATED 2018 Blog Here: The Top 17 Information Security Conferences of 2018 ** 2017 is finally here. You know what that means: another information security conference season is upon us. We couldn't be more excited! Just like we did last year, we at The State of Security have assembled a list of the top 13 conferences in information security...

The Russian hacking fiasco we've been following over the past weeks – hysteria, which is due to the flawed Grizzly Steppe report and subsequent haphazard news reporting – has done a grave disservice to the serious issue of national cybersecurity. If the world is going to ever turn the corner from its current state of rampant cyber(in)security, it...

Today’s VERT Alert addresses 4 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-706 on Wednesday, January 11th. Ease of Use (published exploits) to Risk Table Automated Exploit Easy ...

A school located in Los Angeles County, California has paid computer criminals 28,000 USD after it suffered a ransomware attack. Officials at Los Angeles Valley College (LAVC) came to the decision after a ransomware infection left them with no way to recover their organization's encrypted data. As the school explains in an update (PDF): "In...

A large Australian bank exposed 60,000 of its customers' account details after it inadvertently sent an email to the wrong recipient. National Australia Bank (NAB), which was one of the targets of sophisticated Android malware in March 2016, disclosed the data leak in December. It appears a former NAB employee sent confirmation emails to 60,000 new...

Most organizations are overwhelmed, understaffed, and/or underfunded when it comes to cybersecurity. These constraints create a critical need to prioritize on the most critical cybersecurity measures. However, often these priorities are unclear or hard to determine, leading to less-than-optimal cybersecurity product purchases and/or activities. This...