The 2016 Verizon Data Breach Investigations Report (DBIR) is out, and I’m excited to announce that this year’s findings leveraged vulnerability data from Tripwire and other vendors, including our partner Kenna Security. The 2016 Verizon DBIR recommends establishing “a process for vulnerability remediation that targets vulnerabilities which attackers...

Instagram has rewarded 10-year-old “Jani” with $10,000 for finding a flaw in the popular social media platform. Jani found that he could change code on Instagram’s servers and force-delete users’ posts. According to Forbes, he ultimately verified the bug by deleting a comment the company had posted on a test account. A spokesperson for Instagram has...

OpenSSL has issued fixes for six vulnerabilities, including two flaws with a "high" severity rating. On Tuesday, the corporate entity responsible for OpenSSL, a software library that helps to secure web communications against eavesdropping, published a security advisory in which it provides details on the two "high" severity vulnerabilities. ...

On April 21st, an email from Microsoft appeared in the mailbox of mailing list subscribers informing everyone that MS16-039 had been revised and the update for Microsoft Live Meeting 2007 Console had been re-released. It contained an additional tidbit of information that many people overlooked: "Effective as of the May 2016 security bulletin...

The Federal Bureau of Investigations (FBI) is warning businesses to be on the lookout for a rise in ransomware attacks. On Friday, the FBI published a letter revealing that the threat posed by ransomware to hospitals, state and local governments, law enforcement, small businesses, and private individuals is growing. "Ransomware has been around for...

Phishing is a common social engineering attack, but it does not have a very high success rate. In ordinary phishing campaigns, attackers send out fake messages with the hope that at least some of the recipients will click on a malicious URL or email attachment. Phishing correspondence is, for the most part, never personalized and its content varies...

When talking about the state of information security in the healthcare world, it’s all too easy to come up with witty titles along the lines of, “Is IT Security in Need of a Check-Up?” or, “<Insert Software Name Here> Is Just What the Doctor Ordered For Securing Your Data!” However, indulge me here: In the healthcare sphere in general, it’s...

Organizations face a constant barrage of digital threats. To mitigate the risk of an attack, IT staff need to continually protect all of an organization's endpoints, such as by creating patching schedules and by hardening vulnerable devices. Unfortunately, protection has its limitations. Security personnel can harden a device or implement a patch...

Business secrets could be at risk, after researchers discovered a worrying number of developers were posting access credentials for the Slack chat system on GitHub, embedded inside code repositories and public gists. Detectify Labs blew the whistle on the problem, reporting that it had uncovered thousands of Slack access tokens by simply searching...

There is a lot security professionals disagree on when it comes to Identity & Access Management (IAM). One thing most would agree on though is that IAM means many things to many people, and has been shaped more by vendor product boundaries over the years than by overarching architectures, processes and governance. The basic term “Identity Management...

2016 marks the ninth year Verizon has published its annual Data Breach Investigations Report (DBIR). Once again, organizations sent their data on thousands of security incidents and data breaches to Verizon, whose researchers analyzed that information to highlight new patterns, steady trends, and interesting tidbits in the evolving digital threat...

A recent hacking competition challenged teams of cyber security students from some of the United Kingdom's top universities. On Saturday, April 23, the University of Cambridge hosted the Inter-ACE Cyberchallenge 2016, a two-competition ethical hacking event between the UK Academic Centres of Excellence in Cyber Security Research. Dr. Frank Stajano,...

Researchers have developed a utility that allows victims affected by CryptXXX ransomware to decrypt their files for free. CryptXXX is one the newest crypto-ransomware samples to be observed in the wild. It is being delivered to users as a Dynamic-Link Library (DLL) dropped by Bedep, a piece of malware which has the ability to download additional...

Data breaches pose a significant threat to each and every organization. The danger is that a group of attackers will not only gain an initial foothold into a company's systems but will also find a way to conceal any signs of their entry. By covering their tracks, they can remain undetected on corporate networks for a longer period of time, allowing...

The healthcare landscape has many challenges – security being at the forefront. Ransomware attacks grow increasingly rampant with each day and healthcare is the perfect target due to hospitals relying on antiquated technology that alerts them only after the infection occurs. Cybercriminals are always on the forefront and looking at innovative ways...

Shopware has patched a 'critical' remote code execution bug that affects the functions of both the shop and the overall system. According to a thread posted on Bugtraq, David Vieira-Kurz, a security engineer at Immobilien Scout GmbH, found that the script located at "/backend/Login/load" in Shopware's eCommerce platform is susceptible to remote code...

Technology infrastructure (TI) at banks involves a dizzying array of things – from employee laptops and desktops, software applications, and hosting networks to networking and cabling linking offices around the world, Internet of Things (IoT) devices, sophisticated enterprise tools, data centers... and so on. Just as a country needs its critical...

As I discussed in last week's post, smartphones, tablets, desktops, industrial equipment, servers and other technologies that connect to a corporate network are considered endpoints. Unfortunately, bad actors can abuse those devices and their network access to attack an organization. That is why IT staff need to protect as many of their company's...

Researchers have determined that those who stole approximately $81 million from the Bangladesh Bank most likely did so by hacking into SWIFT's client software. SWIFT, or the Society for Worldwide Interbank Financial Telecommunications, provides banks and other organizations with secure messaging services. According to its 2015 traffic, more than 11...

In the fall of 2015, Heimdal Security detected a post-office email scam targeting unsuspecting Danish users. The campaign sent out fake emails purporting to originate from PostNord and Post Denmark. When clicked on, the infected emails downloaded Cryptolocker2 ransomware onto users' machines. Several months later, Heimdal has now spotted another...