Blog

Blog

How To Take Charge of Your Infosec Career

A typical information security conference can cost $5,000 plus plane and hotel costs and, although it might seem to be an exorbitant sum of money, many of us could easily defend the value and necessity of the training to bolster one’s technical capabilities. But when was the last time you invested even just a few hours of your time to working on...
Blog

80% of Retailers Failed Interim PCI Compliance Assessments

Despite retailers’ continuous improvement in compliance with the Payment Card Industry (PCI) security standards, four out of five companies are still failing at interim assessments, according to Verizon’s latest report. The report highlights that the overall state of compliance grew significantly in 2014, with 20 percent of organizations...
Blog

VERT Threat Alert: March 2015 Patch Tuesday Analysis

Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-605 on Wednesday, March 11. MS15-018 Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE VBScript Memory...
Blog

VERT Vuln School: Stack Overflow 102

In VERT Vuln School: Stack Overflow 101 we reviewed a contrived example of a simple stack-based buffer overflow vulnerability in a binary wrapper for the nMap scanning tool. With this example, I showed how crafted command line parameters could be trigger an overflow of user-controlled data onto the stack. The synscan binary performed no checking on...
Blog

The CIA Spy Campaign Against Apple: Security Research or Espionage?

Join us for a live webcast Thursday, March 26, 2015 - 11:00 AM Pacific / 2:00 PM Eastern "Caught in the Crossfire: The Business Impact Of Cyberwar & High Tech Espionage " with Shane Harris, author of @War: The Rise of the Military-Internet Complex The Intercept¹ is reporting a secret program targeting Apple devices and software as part of a CIA...
Blog

A Triple-A Approach to Telephone Security

With technology, we are constantly looking to improve security. We moved from HTTP to HTTPS to help secure online transactions and mitigate man-in-the-middle attacks. With DNS, we have started to implement DNSSEC. Why are we not looking backward at the cornerstone of modern communication, the device that still ties everyone together? The telephone....
Blog

Cyber Criminals Brought to Justice – The DoD Hacker

Earlier this month, Tripwire published its final installment of 10 Notorious Cyber Criminals Brought to Justice, a series that sought to demonstrate how law enforcement frequently catches up with individuals who use cyberspace for malicious purposes. Although our series has concluded, we as information security professionals realize that law...
Blog

Cyber Insurance: Managing the Risk

Cyber insurance is a hot topic of many debates today. It is believed to be the long-awaited cure for high-impact security risks, especially in light of constantly evolving privacy legislation and disclosure obligations – but what actually is it? Simply put, cyber insurance is a tool intended to mitigate the loss from information security incidents....
Blog

Why Companies Have Little Incentive to Invest in Information Security

According to a fellow at Columbia University, companies are not investing significantly more in information security partly because of the influence of moral hazards, or the act of one entity taking risks because others bear the burden of those actions. Benjamin Dean, a staff associate and fellow in cyber-security and internet governance at the...
Blog

All Versions of Windows Vulnerable to FREAK Attack, Confirms Microsoft

There's bad news for any Windows users who were thinking that the recently-announced FREAK vulnerability wasn't something they had to particularly worry about. When first announced, it was thought that the newly-discovered flaw in SSL/TLS was limited to Apple's Safari and Google's Android web browsers, opening the possibility of hackers and...
Blog

Who is Responsible for Secure Software Development?

An interesting dialogue came up in my security circles that I believe outlines a fundamental disconnect within organizations developing software products. We have all heard that communication is key, but are the conversations happening at the proper levels to expose a product’s security requirements? The conversation went something like this: ...
Blog

‘CSI: Cyber’ Riddled with Misperceptions, Lacks ‘Cyber’ Substance

On March 4, the series premiere for the new crime drama CSI: Cyber aired on CBS. The show stars Patricia Arquette, who recently won an Oscar for Best Supporting Actress in a Supporting Role, as Avery Ryan, a behavioral analyst who solves crimes under the FBI Cyber Division. Peter MacNiol, Charley Koontz, Hayley Kiyoko, James Van Der Beek,and Shad...
Blog

Understanding U.S. NSS 2015 Using the International Strategy for Cyberspace

Last week, we used the United States’ 2015 National Security Strategy (NSS) as a reference point to analyze “A Strong Britain in an Age of Uncertainty: The National Security Strategy,” the United Kingdom’s 2010 National Security Strategy. Though limited in scope, this comparative analysis revealed a number of important findings, including the UK’s...
Blog

RBAC is Dead – Now What?

Historically, access control has been based on the identity of a user requesting execution of a capability to perform an operation (e.g., read) on an object (e.g., a file). This was done directly either as in Discretionary Access Control or Mandatory Access Control or through predefined attribute types, such as roles or groups assigned to that user...
Blog

The ‘ABC’ of the ‘APT’

The term APT (Advanced Persistent Threat), like many other acronyms in the world of IT/Information/Cyber Security entered our vocabulary some years ago, along with other partnering phrases, such as Advanced Evasion Techniques (AET), which at the time took the headlines as something new. Whilst these new outlined logical dangers do serve up a very...
Blog

Look How Easy TAXII Is

Tripwire has been getting more involved in connecting its products to threat intelligence services lately. I described the reasons why we care about threat intelligence, particularly STIX and TAXII, in my article last month: Why We Should Care About STIX & TAXII. My colleagues also talked in more specifics about some of the partners Tripwire is...
Blog

‘Gazon’ Malware Spreads Via SMS Using Fake Amazon Gift Card Offers

A security firm has identified a new type of malware that spams a mobile device’s contact list with SMS text messages touting fake Amazon gift card offers. According to an article posted on its blog, AdaptiveMobile states that the malware, dubbed ‘Gazon,’ is quickly becoming “one of the ‘spammiest’ mobile malware outbreaks seen yet.” Gazon employs a...
Blog

Hillary Clinton's Private Email Account Hacked? The Perils of Shadow IT

It was revealed this evening that Hillary Clinton was using a personal email account while serving as the secretary of state. This has raised a number of issues with regards to both compliance and security. Apparently, Clinton chose not to use a government-issued email address despite the Federal Records Act, which only applies to official email...