eBay has patched three vulnerabilities found in its Magento shopping platform that could have allowed for hijacking sessions and man-in-the-middle (MitM) attacks. Hadji Samir, a penetration tester with Vulnerability Labs, released technical descriptions of a persistent input validation web vulnerabiility, a cross-site scripting (XSS) hole, and a...

Several of Canada’s federal government websites were momentarily taken down Wednesday afternoon after reportedly being hit by a massive cyber attack. Canada's Treasury Board President Tony Clement later took to Twitter his confirmation that the government servers had experienced denial of service attacks, affecting Canada.ca, sencanada.ca, CSIS, and...

What more can be done about passwords? We tell users to choose unique, complicated passwords that contain a gallimaufry of bizarre characters - and they tell us they're impossible to remember, especially when they need to remember different passwords for the many different websites out there. We tell computer users to get help with remembering their...

What happens when users or employees take it upon themselves to decide what tech they want to use and how they want to implement it? From my vantage point, InfoSec faces a constant challenge of trying to keep up with threats, let alone stay one step ahead. But as the Internet of Things proliferates, and human nature takes its course, we cannot out...

Ever looked at the messages in the Oracle listener logs generated by Tripwire IP360 scans and wondered what was going on? The most common one you see probably looks something like this: 01-JUN-2015 12:39:37 * (CONNECT_DATA=(COMMAND=VERSION)) * version * 1189 TNS-01189: The listener could not authenticate the user TNS-01169: The listener has not...

As news of information breaches and personal data theft become more prevalent and popular in the press, technologists are witnessing and taking part in the rapid evolution of the once neglected realm of cybersecurity. Hopefully, this process results in an integrated, enlightened solution to what is a very complicated puzzle. Moving Beyond a Fear...

A June 2015 report reveals that perceptions on the impact of 50 different security issues are worsening across the board. This is one of the latest reports released by the Index of Cyber Security, a sentiment-based measure which helps evaluate the level of risk posed by a number of security threat areas to corporations, governments, and other...

During my talk at DEF CON 23 last week, I discussed my experience developing USB based trojans and highlighted the fact that attempts to patch these vulnerabilities have done little to mitigate the risks associated with this attack vector. The revelation of CVE-2015-0096, which is a continuation of CVE-2010-2568, was believed to have been patched by...

Many see endless possibilities in facial recognition technology, an optimism which has all ready led to a number of applications for this emerging form of identification and verification. For example, local and state police departments, not to mention the Federal Bureau of Investigations, have spent the past few decades incorporating recognition...

Security researchers have uncovered a zero-day deserialization vulnerability that allows for arbitrary code execution in 55% of Android devices. For their presentation at USENIX WOOT '15, researchers Or Peles and Roee Hay at IBM Security explain that their vulnerability (CVE-2015-3825) can be exploited in the context of many apps and can be used to...

A Business Email Compromise (BEC) scam has resulted in a $39.1 million loss for Ubiquiti Networks, an American technology company that manufactures wireless networking products. On August 6th, Ubiquiti Networks issued a press release summarizing the results of its fourth fiscal quarter of 2015, which ended on June 30, 2015. The company reveals in...

RFID is one of those ubiquitous technologies showing up everywhere from contactless payment cards to the neighborhood swimming pool. Some of these technologies offer appropriate security controls but many applications still use legacy technology that is easily subverted by an attacker. Back in 2013, data from HID Global indicated that 70-80% of...

A security researcher has found the first known exploit of a zero-day vulnerability affecting Apple's DYLD_PRINT_TO_FILE variable in the wild. The vulnerability, which was first found by researcher Stefan Esser in July, involves the addition of DYLD_PRINT_TO_FILE as a new environment variable to the dynamic linker dyld. As of this writing, this...

The story of cybersecurity involves bad actors and security professionals constantly trying to thwart each other, often using newer and more advanced measures in an attempt to outdo each other. In recent years, especially, cybercriminals have evolved to include sophisticated technology and advanced tactics in their attacks. With the increasing popularity of tools and practices like artificial...

While the national transition to Europay, MasterCard and Visa, known as EMV or “Chip and PIN,” is well underway, a recent study found that as many as 42 percent of companies have either taken no steps or are unaware of any progress being made to meet the October 1, 2015, deadline. The EMV readiness study conducted by Randstad Technologies, which...

The recent ‘Logjam’ attack shows that a well-funded intelligence agency might be able to crack 1024-bit Diffie Hellman keys (at least if the same group is used by many systems). When using RSA, cracking 1024-bit keys may not be beyond the most powerful adversaries either. There are two solutions to this problem. The first is to simply use longer...

Since the very first day I started working in the information security industry, I have found everything to be just so interesting and fascinating. The fire inside me I have for knowledge has been doused in petrol by stories of complex crimes, and this has educated me and forced me in to some real life studies. Over the years, I have delved quite...

Approximately 1.25 million personal records were compromised by hackers in a recent targeted attack, confirmed the organization that manages Japan's universal public pension system. According to the Wall Street Journal, hackers succeeded in compromising the names and pension numbers of 31,000 people in the attack, as well as the names, pension...

Those in the IT world are always looking to develop the right skill sets that will help them get noticed above their competition. Considering how quickly technology changes, possessing a highly-desired set of skills can lead to better jobs and higher wages. Trends, of course, come and go, and keeping up with what is currently the most in-demand...

The Internal Revenue Service has confirmed a data breach of 100,000 taxpayers' account information. According to a statement posted on the IRS website, criminals allegedly used sensitive information stolen from non-IRS sources to gain unauthorized access to taxpayers' accounts. To access the site, the criminals made use of stolen Social Security...