With the rise in popularity of containers, development and DevOps paradigms are experiencing a massive shift while security admins are left struggling to figure out how to secure this new class of assets and the environments they reside in. While containers do increase the complexity of the ecosystem that security admins are responsible for securing...

The Australian Broadcasting Corporation (ABC) leaked sensitive data online through a publicly accessibly Amazon Web Services (AWS) S3 bucket. Public search engine Censys indexed the misconfigured asset on 14 November during a regular security audit of the S3 environment. Researchers at the Kromtech security center don't know who might have accessed...

Last time, I had fun talking with Victoria Walberg. She really understands cloud and IoT cybersecurity. This time, I got to speak to Beth Cornils. She has a pretty cool job that involves making IoT cars safe! Kim Crawley: Hi, Beth! Tell me about what you do. Beth Cornils: I am a product manager for an autonomous vehicle company. Prior to that, I was...

Enterprise networks regularly see change in their devices, software installations and file content. These modifications can create risk for the organization. Fortunately, companies can mitigate this risk by implementing foundational security controls. For example, enterprises can monitor their important files for change using file integrity...

Scammers stole S$80,000 from a woman by tricking her into visiting a fake phishing website for the Singapore Police Force (SPF). On 13 November, local law enforcement received a report from the woman that someone had stolen several thousand Singapore dollars from her bank account. She told investigators that the trouble started sometime earlier when...

If you thought it was scary when security researchers remotely hijacked a Jeep as it was driven down the freeway, consider this - now airplanes are getting hacked. The US Department of Homeland Security has revealed that a Boeing 757 airliner was successfully hacked as it sat on the runway at the airport in Atlantic City, New Jersey on September 19,...

In the first part of this blog series, we discussed some core objectives, characteristics and principles of the GDPR, which is due to take effect on 25th May 2018. In this second article, we will discuss in greater depth some of the core IT security objectives relating to GDPR. The purpose of the GDPR is to establish directions to protect “natural...

Microsoft has patched a 17-year-old bug hidden in its Office suite that attackers can use to execute arbitrary code on vulnerable machines. The vulnerability resides in Microsoft Equation Editor (EQNEDT32.EXE). It's a component that allows users to insert and edit equations into Microsoft Word documents as an Object Linking and Embedding (OLE) item....

Phishing is becoming a major threat vector for organizations all around the world. Phishing is the exercise of sending illegitimate emails designed to elicit a response from the end user, whether that’s clicking on a link that infects them with malware or tricking the user into volunteering information that they normally would not provide like a...

Unless you’ve been living in Slab City or off the grid for a while, you’ve probably heard this year’s omnipresent buzzword ‘blockchain.’ But perhaps you're a bit clueless as to what this newer technology entails. In a recent HSBC survey of 12,000 respondents in 11 countries, 80 percent of people could not explain how blockchain works. Don’t worry,...

Today’s VERT Alert addresses the Microsoft November 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-752 on Wednesday, November 15th. In-The-Wild & Disclosed CVEs CVE-2017-8700 A Cross Origin Resource Sharing bypass could allow information disclosure in ASP.NET Core. Microsoft has...

Security researchers have discovered a new banking Trojan that is actively targeting U.S. financial institutions. Dubbed IcedID, the malware is believed to have emerged in the wild back in September 2017, when its first test campaigns were launched. According to IBM X-Force, IcedID was developed with “modular malicious code and modern capabilities”...

A cryptocurrency miner has earned its place on a list of the top 10 most wanted malware for the month of October 2017. The browser-mining service in question goes by the name "CoinHive." It's a piece of JavaScript that site owners can embed into their websites. Whenever a user visits their domain thereafter, CoinHive will activate and begin mining...

In part one of this two-part series, I described what we know about the September 14 attack against the drug sites on the Tor network. To review: The attack simultaneously took down 11 drug sites on the dark web, yet traffic patterns were unaffected. The site administrators indicated a problem on a public forum; and There was no discernible...

Last time, I spoke with Nitha Suresh. She's written IEEE papers and knows her stuff when it comes to pentesting and aircraft data networks. This time, I had the pleasure of interviewing Victoria Walberg. She has a lot of ideas when it comes to IoT and the cloud. Kimberly Crawley: Please tell me about what you do, Victoria. Victoria Walberg: I'm a...

A group of Muslim activists hacked a 'secure' mailing list used by the ISIS terrorist group and published 2,000 of its email subscribers online. On 10 November, a spokesperson for Amaq, one of the Islamic State's key outlets for communicating with its supporters and members, sent out an email written in Arabic to its subscribers. The update...

Think of all the recent DDoS attacks. They all seem to share the common trait of bad guys disrupting the normal flow of data against a legitimate business. Sometimes, these attacks are used for revenge, and other times, they are used for ransom. Sometimes, however, the bad guys become the targets. This is the story of an odd caper that played out on...

It's always encouraging to see Tripwire's products hold its own in an independent review. It's even better when the solutions excel. Indeed, those positive assessments confirm what everyone at Tripwire already knows about the strength of the company's offerings. The folks at SC Magazine recently published one such evaluation of Tripwire Enterprise....

Soft skills are a hot topic in information security. You’ll see a lot of articles, blogs and talks on the subject. I’d like to go a little deeper – beyond the basics of soft skills and talk about a concept from communication theory that can be used to achieve behavior change – efficacy. Efficacy is the ability to achieve a desired effect. In risk...