The post office email scam is a time-tested method of attack among malicious actors. Indeed, when users see that they have received an email from an actor purporting to be their local post office, most of them buy into the familiarity of this governmental institution and click on a link without taking the time to inspect the sender address. Attackers further exploit users' implicit trust by...

Two security researchers uncovered thousands of medical systems exposed online that are vulnerable to web attacks. On Saturday, September 26, researchers Scott Erven and Mark Collao presented their findings at Derby Con 5.0 in a presentation entitled "Medical Devices: Pwnage and Honeypots." "We know medical devices are exposed to the Internet both directly and indirectly, so just how hard is it to...

Today, a segment will air on Crime Watch Daily where Tripwire Senior Security Researcher Craig Young and I reveal on camera how vulnerable smart homes can be when not properly secured. We show firsthand that the key weaknesses in most smart homes are a combination of insecure networks and default configurations, including systems that installers may say are "unhackable." So, what exactly is an IoT...

Banks have another security headache on their hands, as ATM-infecting malware is becoming increasingly sophisticated in its attempt to help criminals audaciously empty out cash machines on the high street on demand, without having to have previously stolen the payment cards of legitimate customers. Dubbed GreenDispenser by researchers at Proofpoint, the new malware targeting ATMs allows thieves to...

Tripwire recently hosted a webcast entitled, “Talking To The Board: How To Improve Your Board's Cyber Security Literacy -- UK Edition.” For the presentation, Amar Singh , Interim CISO and Founder of both Cyber Management Alliance and Give01Day , an organization that connects volunteer information security professionals together with charities seeking to protect their networks; Ray Stanton , the...

Our security roundup series covers the week’s trending topics in the world of InfoSec. In this quick-read compilation, we’ll let you know of the latest news and controversies that the industry has been talking about recently. Here’s what you don’t want to miss from the week of September 21, 2015: According to independent security journalist Brian Krebs , multiple sources in the banking industry...

A new study reveals that dozens of apps endorsed by the National Health Service (NHS), four publicly funded health care systems in the United Kingdom, are transmitting personal and medical information over the web without any protection. According to The Guardian , researchers from the Imperial College London examined 79 apps endorsed by the NHS health apps library and found that several of them...

Craig Young and I spent several days with the crew at Crime Watch Daily in Los Angeles – a new national crime show. In this first segment, we showed them how malicious hackers gain access to baby monitors and IP cameras, demonstrating a number of techniques that can be used to gain access to the devices to hijack the video feeds and audio, as well as control the camera and even speak through...

The United States Navy has announced it is currently working on developing a new system aimed at protecting its ships from pervasive Internet attacks, often leading to network spying and confidential data theft. Codenamed the Resilient Hull, Mechanical, and Electrical Security (RHIMES) system, the Office of Naval Research (ONR) revealed the enhanced security system is designed to make its...

The Office of Personnel Management (OPM) has revealed in a statement that when hackers breached its systems earlier this year they made away with approximately 5.6 million fingerprints - a significant increase from the 1.1 million previously reported. As is now well known, in addition to fingerprint data being stolen the Social Security numbers, addresses, employment history, and financial records...

Our smartphones know everything about us – who our friends are, where we have been, our financial details, our health information and other intimate details of our lives. But can we trust our phones to keep these our personal information secret? One of the biggest security and privacy challenges of smartphones are the very apps we install on them and use every day . Many applications that we...

Today, enterprises must grapple with a panoply of numerous and highly sophisticated threats. In response to this dangerous landscape, it is no wonder that businesses are increasingly turning to security dashboards – a powerful communication vehicle for all information security professionals. An effective security dashboard provides personnel, ranging from security analysts to CISOs, with the tools...

The styles associated with Sakawa scammers have been highlighted in previous articles, but today I would like to describe the anatomy of a scam for people to be aware of just how they complete these wicked assaults on our inboxes. This could serve as a guide for Sakawa , but is intended to give insight. Nothing is new here – these guides are passed through the African scam communities already...

The one-month countdown is on and I figured it was time for a reminder that Tripwire VERT will be at SecTor in the Expo area running an IoT Hack Lab. If you aren’t considering attending SecTor, you really should be. Even if you don’t want to attend the full conference, there’s an Expo Only admission that is free on their website until the start of the show. We’ve got quite the experience planned...

Android users are being warned of a newly discovered type of malware that has recently infected hundreds of thousands of devices each day. Security researchers at Android developer Cheetah Mobile claim to have found a virus – dubbed ‘Ghost Push’ – being packaged in seemingly legitimate applications downloaded from non-Google app stores. “This is the most widespread and infectious virus we’ve...

A security firm has announced a one million dollar bounty in reward for anyone who submits exploits and jailbreaks for Apple's iOS 9 mobile operating system. In a blog post published on Monday, Zerodium officially unveiled "The Million Dollar iOS 9 Bug Bounty". "Apple iOS, like all operating system, is often affected by critical security vulnerabilities, however due to the increasing number of...

Over the last year we've seen the healthcare industry become a motivating target for malicious actors attempting to take advantage of stolen healthcare data. This is a unique sector and completely different from organizations within the retail, financial or any other vertical for that matter. The difference here is when network connectivity and operating system restraints occur within healthcare...

UPDATE 9/23/15: VERT has released a script based on FireEye's nping command to report if a host is affected or not. The script is available on the Tripwire VERT GitHub here . For IP360 customers, a variant of this is available as a custom rule. Please contact Tripwire Support or view the TechNote in TCC for details. I’ve always been a big fan of language. I’m a stickler for proper usage of the...

Systema Software, a provider of claims management software solutions, is investigating a breach that exposed the personal information of at least 1.5 million of its customers. According to The Register , insurers using Systema Software allegedly posted the names, addresses, phone numbers, medical records, and other personal information in the clear to Amazon Web Services (AWS). It is currently...

My first few blog entries were written at a time when I had had a couple of prowler incidents at my house, and I wrote about how I installed security counter measures. After all this time, I was out maintaining the motion sensors, and it occurred to me I hadn't taken a look at my network security around the house lately and should put in some maintenance time on that system, as well. I put aside...