While I work in security, when it’s quitting time, I’m a gamer through and through. My home is littered with consoles from Sega Genesis and NES to PS3 and Xbox One. My last two PC purchases have been strictly gaming machines, and I even bought a game pad for my iPhone because I enjoy playing (and streaming) Asphalt 8. This year, I’ve casually streamed a few times because I took part in Extra Life...

Ransomware has disabled a New Jersey school district’s computer systems, with the attackers demanding hundreds of Bitcoins as ransom to restore access to files seized in the attack. In a post published to the district’s website , officials at Swedesboro-Woolwich School District explain that the incident, which occurred on March 22 nd , thus far indicates no signs of a data breach. “The files...

Over the past decade, the role of the Internet has moved beyond just email and websites viewable from a small window on a heavy desktop to something we now carry with us in our bags, pockets and strapped to our wrists. It is now a driving force of the world economy and is creeping its way into every aspect of our lives. For better or worse, we are now all connected. Individuals, as well as...

One could argue that cybersecurity is by far the most important Homeland Security, National Security and Public safety issue of our time. In the age of terror specifically, groups like ISIS, Al Shabaab and AQAP have managed to use the Internet to recruit and successfully spread their message with little to no counter narrative of merit. Cybersecurity has been rightfully picked up and vocalized as...

A vulnerability in Cisco IP phones could allow unauthenticated attackers to remotely listen in on the phones’ audio streams. According to an advisory Cisco published on its website, the vulnerability (CVE-2015-0670) results from improper authentication in the default configuration of certain Cisco IP phones. “An attacker could exploit this vulnerability by sending a crafted XML request to the...

Earlier this month, Tripwire announced Computer Criminals Brought to Justice , a continuation of its 10 Notorious Computer Criminals Brought to Justice series, by investigating the story of a young man who was recently arrested in connection with the 2014 hack of the U.S. Department of Defense. This week, we continue our series with Aleksei Shushliannikov, a hacker who is responsible for having...

The printf() family of functions (printf(), fprintf(), sprintf(), etc.) are surprisingly powerful and, if not properly used, can expose a class of vulnerabilities called format string attacks. These attacks can be very bad because with a well-crafted format string, an attacker could write an arbitrary value into an arbitrary memory location. This could allow the attacker to do things like hijack...

Last week, the Internet fell over itself to report on a botnet allegedly comprised of 100,000 smart devices. Things. The Internet of Things had finally attacked! While it's inarguable that, at some point, these devices will be compromised, corrupted and otherwise made to serve the pernicious purposes of attackers, deeper technical analysis points out that there's plenty of reason to be skeptical...

Another serious privacy vulnerability has been found on Facebook, which could have put at risk the private photos of millions of users. The problem lies in Facebook Photo Sync, an opt-in feature that the social network introduced in late 2012, which meant any photos you took on your iPhone or Android device would automatically sync up with your Facebook account. The good news is that the feature...

A recent study found that more than 2,000 apps in the Apple App Store and Google Play Store are still vulnerable to FREAK – a widespread security flaw discovered earlier this month. Attackers exploiting the vulnerability can intercept HTTPS connections between vulnerable users and servers, thus forcing them to use weakened encryption, which can then be broken or manipulated to steal sensitive data...

Vulnerability Description The CVE-2015-0291 vulnerability introduces the possibility of a denial of service attack against a system running OpenSSL 1.0.2. If a malicious client connects to an OpenSSL server and the server requests a certificate from the malicious client, the malicious client can return a malformed cert that may trigger a NULL pointer dereference causing software reliability...

On Monday, the OpenSSL project team announced new releases that would be available today to fix security issues in OpenSSL that have been discovered as part of a major security audit and code refactoring project. When this announcement hit on Monday, there was a general panic in the IT and security community as it was mentioned vulnerabilities with a high severity were being patched, leading many...

Target Corp has agreed to pay $10 million in order to settle a class-action lawsuit related to a 2013 breach that compromised users’ financial and personal information, according to court documents. The proposed settlement, which has yet to be heard in federal court, would require Target to deposit the total settlement amount into an escrow account, which the retailer would use to compensate...

Information security professionals are all too familiar with the work of black hat hackers. These individuals seek to gain unauthorized access to enterprises’ computer networks by exploiting security vulnerabilities – malicious activity which frequently threatens the personal and/or financial information of millions of customers. But what motivates an individual to become a black hat hacker? And...

Sarah Clarke and a few others were running a discussion on Twitter trying to hash out if security policies have any value. The discussion was started by a person critically stating that as far as he was concerned, they have no value at all. As Twitter isn't a good medium for summarizing the potential values that were identified, Sarah and I challenged each other to both blog about, with both a...

…that was the question. How many people actually find your security policies useful? Go on, guess. I’m willing to bet it’s only audit, risk, compliance management and the third-parties that assess you. Here’s the tweet from Phil Huggins ( @oracuk ) that kicked off a lively enough debate to make me want to write this. Phil’s core and continuing assertion was that good tech, awareness and risk...

The OpenSSL Project, a collaborative effort designed to develop an open source toolkit that implements SSL and TLS, has announced that it will be fixing a number of security flaws on Thursday , one of which it has labeled “high” severity. The initiative made the announcement in a message circulated yesterday. “The OpenSSL project team would like to announce the forthcoming release of OpenSSL...

Discussions around industrial control systems (ICS), such as supervisory and control data acquisition (SCADA) systems, often focus on how vulnerable the systems are. A key aspect of President Obama’s information sharing acts have been designed to encourage threat sharing to help protect the organizations and networks involved in critical infrastructure. However, while there are many advancements...

I don't often use Siri on my iPhone, but I've got to admit that when I do it's really handy. I'll be driving the car and thinking "Arrrghh! I forgot to put out the recycling last night. I'd better say sorry to my wife as soon as possible, as she'll be mad at me." I could stop the car on the hard shoulder (which would be dangerous), I could risk waiting until I get to my destination to tell my wife...

An analysis of the EquationDrug espionage platform has revealed that its capabilities can be extended via modules, leading security researchers to compare the framework’s architecture to a “mini-operating system.” In an article published on Securelist, Kaspersky Lab explains that EquationDrug is the main espionage platform used by Equation Group, an advanced threat actor that is responsible for...