Yahoo Mail! has patched a stored cross-site scripting (XSS) vulnerability and awarded a researcher $10,000 for finding the flaw. Discovered by Finnish researcher Jouko Pynnonen, the bug allowed an attacker to embed malicious Javascript code into a specially crafted email. The code would automatically execute whenever the message was viewed,...

I received a phone call from a friend the other night. He was very concerned because he received one of those now infamous letters from the Office of Personnel Management, which indicated that his records were among one of the millions that were taken in the OPM hack. His information was originally submitted as he was applying for a security...

"123456" and "password" were the most-used and second most-used passwords of 2015, according to an annual worst passwords ranking. Every year, SplashData, a developer of password management software, releases an annual list of the worst--in this case, most commonly used--passwords. It builds its ranking based on more than two million leaked...

In a previous post, I noted some security issues that I had observed during recent visits to medical professional offices and hospitals. In reflecting on that post, I realized an important aspect of the disconnect I experienced as I observe security around me. It is that I carry with me a threat model that is probably very different than the threat...

Looking for a great information security podcast? There are plenty to choose from! Here’s a roundup of currently active information security podcasts. The list is split into two categories: podcasts run by people representing themselves (meaning they are not speaking for a company) and podcasts produced under the name of a company. I made the...

Ukrainian officials stated over the weekend that they have traced a targeted attack against Boryspil International Airport back to the BlackEnergy trojan. Last week, Specialists of the State Service of Special Communications and Information Protection of Ukraine revealed that malware had infected one of the workstations at Boryspil. That workstation...

Recently, I introduced a three-part series on how to build a successful vulnerability management program. The first installment examined Stage 1, the vulnerability scanning process. My next article investigates Stages 2 (asset discovery and inventory) and 3 (vulnerability detection), which occur primarily using the organization’s technology of choice...

Following an investigation launched after discovering malware on its payment processing systems, Hyatt Hotels has revealed the breach affected 250 hotels in more than 50 countries. The Chicago-based hospitality company announced it identified signs of unauthorized access to payment card data from cards...

Netflix has announced its intention to counter the use of proxies among members who wish to view content outside of their immediate geographic territory. David Fullagar, Vice President of Content Delivery Architecture at Netflix, broke the news in a blog post on Thursday: "[I]n coming weeks, those using proxies and unblockers will only be able to...

I don’t know if you have noticed, but when it comes to incident response, the methodology applied by organisations can vary from the downright chaotic, to a well-disciplined, well-oiled machine. However, from what I have observed over the preceding five years of my professional life, the general approach seems to be ad-hoc and has suffered from a...

Last September, CloudFlare detected a large-scale browser-based L7 flood. Over the course of the distributed denial of service (DDoS) attack, 650,000 IP addresses sent out a total of 4.5 billion HTTP requests, with the campaign peaking at 250,000 requests per second. After investigating the incident, the security company concluded that the attack...

European data center services provider Interxion recently announced it had suffered a security data breach, potentially exposing the personal information of more than 23,000 existing and prospective customers. The company notified affected customers via email this weekend, saying it had become aware...

Normally when you see a headline referring to intelligence agencies and phone accounts being hacked, you expect in this day and age that it's law enforcement that is doing the hacking. But not in this case. Director of National Intelligence James R. Clapper appears to have become the latest to fall foul of hackers, after a teenage hacker called ...

Computer crime is on the rise around the world. Every day, nefarious actors develop increasingly more sophisticated forms of malware for their attacks. Additionally, as reported by the United Kingdom's National Crime Agency (NCA) back in December, the average age of online criminals has dropped to 17 years old, suggesting that teenagers are more...

Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-652 on Wednesday, January 13th. Ease of Use (published exploits) to Risk Table Automated Exploit Easy ...

eBay has patched a cross-site scripting (XSS) vulnerability that attackers could have exploited in order to steal users' passwords. A researcher who goes by the name MLT explains in a blog post how he was able to exploit a "fairly basic" XSS vulnerability without needing to resort to any additional measures, such as bypassing the WAF, in order to...

Is using ad blocking software stealing or is it a sound security practice? On one hand, many websites and content creators make money from advertising. They certainly deserve to be compensated for their time and effort. On the other hand, advertising – at best – can be annoying, and at worst, can serve up malware, suck up bandwidth and redirect...

Online fraudsters recently broke into a number of Fitbit customer accounts using leaked usernames and passwords from third-party websites. According to a report by BuzzFeed, at least two dozen cases were discovered in December. Fitbit did not disclose how many users were affected but told the...

An enterprise vulnerability management program can reach its full potential when it is built on well-established foundational goals that address the information needs of all stakeholders, its output is tied back to the goals of the enterprise, and there is a reduction in the overall risk of the organization. Such vulnerability management technology...

Time Warner Cable (TWC) is planning to notify 320,000 of its customers whose account information might have been compromised. The American cable telecommunications company first learned of the issue after the Federal Bureau of Investigations (FBI) reached out and alerted them to the fact that some of their customers' email addresses and passwords...