Blog

Blog

Yahoo! Mail Patches Stored XSS Vulnerability, Awards Researcher $10,000

Yahoo Mail! has patched a stored cross-site scripting (XSS) vulnerability and awarded a researcher $10,000 for finding the flaw. Discovered by Finnish researcher Jouko Pynnonen, the bug allowed an attacker to embed malicious Javascript code into a specially crafted email. The code would automatically execute whenever the message was viewed,...
Blog

Can We Ever Rescind Our Data?

I received a phone call from a friend the other night. He was very concerned because he received one of those now infamous letters from the Office of Personnel Management, which indicated that his records were among one of the millions that were taken in the OPM hack. His information was originally submitted as he was applying for a security...
Blog

"123456" and "password" Once Again Top Annual Worst Passwords Ranking

"123456" and "password" were the most-used and second most-used passwords of 2015, according to an annual worst passwords ranking. Every year, SplashData, a developer of password management software, releases an annual list of the worst--in this case, most commonly used--passwords. It builds its ranking based on more than two million leaked...
Blog

Threat Models in the Real World

In a previous post, I noted some security issues that I had observed during recent visits to medical professional offices and hospitals. In reflecting on that post, I realized an important aspect of the disconnect I experienced as I observe security around me. It is that I carry with me a threat model that is probably very different than the threat...
Blog

Information Security Podcast Roundup: 2016 Edition

Looking for a great information security podcast? There are plenty to choose from! Here’s a roundup of currently active information security podcasts. The list is split into two categories: podcasts run by people representing themselves (meaning they are not speaking for a company) and podcasts produced under the name of a company. I made the...
Blog

Vulnerability Management Program Best Practices – Part 2

Recently, I introduced a three-part series on how to build a successful vulnerability management program. The first installment examined Stage 1, the vulnerability scanning process. My next article investigates Stages 2 (asset discovery and inventory) and 3 (vulnerability detection), which occur primarily using the organization’s technology of...
Blog

Netflix to Crack Down on Use of Proxies among Members

Netflix has announced its intention to counter the use of proxies among members who wish to view content outside of their immediate geographic territory. David Fullagar, Vice President of Content Delivery Architecture at Netflix, broke the news in a blog post on Thursday: "[I]n coming weeks, those using proxies and unblockers will only be able to...
Blog

The Ten Keys to Cyber-Survival

I don’t know if you have noticed, but when it comes to incident response, the methodology applied by organisations can vary from the downright chaotic, to a well-disciplined, well-oiled machine. However, from what I have observed over the preceding five years of my professional life, the general approach seems to be ad-hoc and has suffered from a...
Blog

DDoS Attacks Increased by 180% Compared to 2014, Reveals Akamai Report

Last September, CloudFlare detected a large-scale browser-based L7 flood. Over the course of the distributed denial of service (DDoS) attack, 650,000 IP addresses sent out a total of 4.5 billion HTTP requests, with the campaign peaking at 250,000 requests per second. After investigating the incident, the security company concluded that the attack...
Blog

Hacker Receives 334 Years in Prison for Bank Phishing Scheme

Computer crime is on the rise around the world. Every day, nefarious actors develop increasingly more sophisticated forms of malware for their attacks. Additionally, as reported by the United Kingdom's National Crime Agency (NCA) back in December, the average age of online criminals has dropped to 17 years old, suggesting that teenagers are more...
Blog

VERT Threat Alert: January 2016 Patch Tuesday Analysis

Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-652 on Wednesday, January 13th. Ease of Use (published exploits) to Risk Table Automated Exploit Easy ...
Blog

The Ad Blocking Conundrum: Stealing or a Sound Security Practice?

Is using ad blocking software stealing or is it a sound security practice? On one hand, many websites and content creators make money from advertising. They certainly deserve to be compensated for their time and effort. On the other hand, advertising – at best – can be annoying, and at worst, can serve up malware, suck up bandwidth and redirect...
Blog

Vulnerability Management Program Best Practices – Part 1

An enterprise vulnerability management program can reach its full potential when it is built on well-established foundational goals that address the information needs of all stakeholders, its output is tied back to the goals of the enterprise, and there is a reduction in the overall risk of the organization. Such vulnerability management technology...