Back in December of 2014, The State of Security first reported on the story of Ercan "Segate" Findikoglu, a 33-year-old Turkish man who is accused of having stolen over $60 million as part of a number of card heists in the United States. At the time of our reporting, Germany had denied Findikoglu's extradition to the United States based upon different laws governing jail time for hackers. The...

A Business Email Compromise (BEC) scam has resulted in a $39.1 million loss for Ubiquiti Networks , an American technology company that manufactures wireless networking products. On August 6th, Ubiquiti Networks issued a press release summarizing the results of its fourth fiscal quarter of 2015, which ended on June 30, 2015. The company reveals in that statement that it was the victim of a BEC...

ICANN, the organisation which oversees the internet's domain name system, regulating web addresses and working with registrars around the world, has revealed that it has fallen victim to a hacker attack during which the details of users who had created profiles on the organisation's public website were exposed. Email addresses (which act as usernames for profiles on the ICANN site) and hashed...

A security firm has released the results of an experiment that used a honeypot script named "GasPot" to determine the security threats facing gas tanks. These results were announced by Trend Micro researcher Kyle Wilhoit and Industrial Control Systems (ICS) expert Stephen Hilt during their presentation for Black Hat 2015, " The Little Pump Gauge that Could: Attacks Against Gas Pump Monitoring...

Today was another successful day at BSides Las Vegas , with more intriguing presentations and an amped up crowd ready to hear from security researchers, engineers, analysts and catalysts alike. Although there were numerous interesting topics to choose from, my time only permitted for about a half-day of sessions. Luckily, many of the presenters noted they would make their slides available online...

Malware is one of the most dangerous classes of computer threats facing users today, and as a risk category, it is growing in sophistication. First, malware is now more difficult to detect. In an effort to stay one step ahead of security researchers, authors of malicious software are integrating evasion techniques, including environmental awareness and obfuscation , into their code. These...

Fiat Chrysler and Harman International, the maker of the Uconnect dashboard computer, have been slammed with a class-action lawsuit after two security researchers successfully exploited a vulnerability in uConnect to hijack a 2014 Jeep. As reported in The State of Security's July 24th security roundup , researchers Chris Valasek and Charlie Miller last month exploited a vulnerability in Uconnect's...

RFID is one of those ubiquitous technologies showing up everywhere from contactless payment cards to the neighborhood swimming pool. Some of these technologies offer appropriate security controls but many applications still use legacy technology that is easily subverted by an attacker. Back in 2013, data from HID Global indicated that 70-80% of physical access control deployments in the US were...

This year’s BSides in sunny Las Vegas, Nevada, is off to an amazing start, with an overwhelming crowd and a great lineup of presentations from some of the industry’s brightest – and most inspiring – professionals. In the biggest BSides LV event yet, hundreds of attendees gathered at the Tuscany bright and early – eagerly waiting to hear from experts in all things “cyber.” Below is a quick-read...

A true zero day, such as the recent vulnerability affecting Apple’s DYLD_PRINT_TO_FILE variable that an adware installer is said to be exploiting in the wild , is called that because it comes without warning, because by the time you know about it, you have already been compromised. They're expensive; they are the domain of nation states and the most advanced of APTs. Chances are, if you have...

A security researcher has found the first known exploit of a zero-day vulnerability affecting Apple's DYLD_PRINT_TO_FILE variable in the wild. The vulnerability, which was first found by researcher Stefan Esser in July, involves the addition of DYLD_PRINT_TO_FILE as a new environment variable to the dynamic linker dyld. As of this writing, this variable does not come with certain safeguards and...

To quote Lewis Carrol, from Alice's Adventures in Wonderland: 'Would you tell me, please, which way I ought to go from here?' 'That depends a good deal on where you want to get to,' said the Cat. 'I don't much care where —' said Alice. 'Then it doesn't matter which way you go,' said the Cat It might sound like a relaxing way to go through life, but it is one we cannot follow in security. After all...

There is a horrible prank that has been in circulation for the last few years whereby a person calls a local police department and reports a terrible crime in progress at a remote address, usually the address of an enemy. Using telephone number spoofing techniques, the call appears to originate from the home of the pranking victim. The police often rush to the scene with weapons drawn, sometimes...

As the recent breaches at the Office of Personnel Management , the Internal Revenue Service , and more recently, the anti-virus firm BitDefender illustrate, attackers are more than ever focused on gaining unauthorized access to organizations in an attempt to steal sensitive corporate and customer information. One tactic that malicious actors commonly employ is concealing malware within seemingly...

Our new weekly security roundup series covers the week’s trending topics in the world of information security. In this compilation, we’ll let you know of the latest announcements, reports and controversies that the industry has been talking about recently. Here’s what you don’t want to miss from the week of July 27, 2015: A major password-reset exploit was discovered in Valve's Steam , leading to...

Black Hat USA – one of the most anticipated security events of the year, and recently ranked among our top information security conferences – returns to Las Vegas this August for its 18th year. With an expected 9,000 attendees, this year's conference will offer over 100 briefings on the latest and most innovative security research from industry experts around the world. From technical trainings...

"Honey... Did you make sure you locked the basement door and activated the security system? I can't wait to get to the Big Rock Campground, the kids are going to love the waterslide..." Sound familiar? The majority of new homes today have some sort of physical security system protecting the property while the family is away, but are these security systems fail-proof? Are they fool-proof? Most will...

Yahoo announced that it has paid security researchers one million dollars as part of its bug bounty program. According to a post written by Ramses Martinez, Senior Director and Interim CISO at Yahoo, the company's bug bounty program, which The State of Security named one of our 11 Essential Bug Bounty Programs in 2015 , has shown significant growth over the past year. "2015 has been a pivotal year...

The hardware used in both the Internet of Things (IoT) and Industrial Control Systems (ICS) have many similarities; both often involve older systems incapable of running detection tools or monitoring agents due to outdated operating systems, resource limitations, proprietary systems and odd protocols such as Modbus and DNP3, amongst other restrictions. The lack of visibility into these enclaves...

The Domain Name System (DNS) is a hierarchical system that assigns names to computers, resources and services connected to the web. It is responsible for relating information associated with each Internet-based entity to a domain name. As such, DNS is an essential tool for organizing the web. In the wrong hands, however, it can be used to create domains from which to launch attacks against...