Blog


Password Brute Force Attacks Threaten Millions of App Users

In September of 2014, private photos of a number of celebrities, including Kate Upton and Jennifer Lawrence, were leaked onto the image-based bulletin board 4chan. It was soon discovered that this leak occurred as a result of a brute force attack against Apple's iCloud, which until then had not limited the number of login attempts against a user account, leaving attackers free to keep guessing passwords. Hackers exploited this oversight via the...
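
The missing control is an attempt limit. As an added example (not Apple's code and not part of the original post), the block below authenticates against a small credential store while throttling guesses per account and per source address; the thresholds, window lengths, usernames, password and guess list are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 for the demo; a production service would use Argon2 or bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Authenticate users while throttling guesses per account and per source IP.

    Thresholds are illustrative (assumed values): after MAX_ACCOUNT_FAILURES wrong
    passwords within WINDOW seconds an account is locked for LOCKOUT seconds, and a
    source IP with MAX_SOURCE_FAILURES failures in the window is refused outright,
    which also blunts password spraying across many accounts.
    """

    MAX_ACCOUNT_FAILURES = 5
    MAX_SOURCE_FAILURES = 20
    WINDOW = 300
    LOCKOUT = 900

    def __init__(self, users, clock=time.monotonic):
        self._users = users                  # {username: (salt, pbkdf2_hash)}
        self._clock = clock                  # injectable so tests can fake time
        self._account_failures = defaultdict(list)
        self._source_failures = defaultdict(list)
        self._locked_until = {}

    def _recent(self, stamps, now):
        """Drop timestamps older than WINDOW and return how many remain."""
        stamps[:] = [t for t in stamps if t > now - self.WINDOW]
        return len(stamps)

    def login(self, username, password, source_ip):
        now = self._clock()
        if self._locked_until.get(username, 0) > now:
            return "locked"
        if self._recent(self._source_failures[source_ip], now) >= self.MAX_SOURCE_FAILURES:
            return "throttled"
        record = self._users.get(username)
        # Hash even for unknown users so response timing does not reveal valid names.
        salt, expected = record if record else (b"\0" * 16, b"\0" * 32)
        candidate = hash_password(password, salt)
        if record and hmac.compare_digest(candidate, expected):
            self._account_failures[username].clear()
            return "ok"
        self._account_failures[username].append(now)
        self._source_failures[source_ip].append(now)
        if self._recent(self._account_failures[username], now) >= self.MAX_ACCOUNT_FAILURES:
            self._locked_until[username] = now + self.LOCKOUT
            self._account_failures[username].clear()
        return "invalid"


def demo():
    """Replay a constructed brute-force run against one account using a fake clock."""
    clock = [1000.0]
    salt = secrets.token_bytes(16)
    users = {"alice": (salt, hash_password("correct horse battery staple", salt))}
    guard = LoginGuard(users, clock=lambda: clock[0])
    guesses = ["123456", "password", "qwerty", "letmein", "alice2014",
               "correct horse battery staple"]          # constructed guess list
    outcomes = [guard.login("alice", g, "203.0.113.7") for g in guesses]
    clock[0] += LoginGuard.LOCKOUT + 1                   # wait out the lockout
    outcomes.append(guard.login("alice", "correct horse battery staple", "203.0.113.7"))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

In the replay, the sixth guess is the real password, yet it is refused because the account locked after the fifth failure; only after the lockout expires does it succeed. Account lockout alone lets an attacker lock victims out on purpose, so the per-source counter and a bounded lockout window matter, and a real deployment would pair this with a second factor.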

Corporate Espionage Risk Management For Financial Institutions

In the financial industry, business success and sustainability depend on the health of information systems. Damage to a firm’s information systems can tarnish its reputation, compromise its data and result in legal fines and penalties. Large firms often depend on thousands of such systems interconnected via the internet, which raises a major security concern: corporate espionage. The...

Senators Introduce Privacy, Anti-Hacking Protection Standards for Vehicles

Democratic Senators Ed Markey and Richard Blumenthal introduced on Tuesday new legislation that would require automakers to adhere to certain privacy and anti-hacking protection standards. The new bill, entitled the SPY Car Act, would call on the Federal Trade Commission (FTC) and the National Highway Traffic Safety Administration (NHTSA) to collaborate in developing the new standards for...

DEF CON 23 Preview: Confessions of a Professional Cyber Stalker

I am honored to be presenting at DEF CON 23 this August in Las Vegas, where I will be presenting a session titled “Confessions of a Professional Cyber Stalker.” In my talk, I will be discussing various technologies and methods I developed and used to track criminals leading to at least two dozen convictions. Many times in the process of recovering stolen devices, larger crimes would be uncovered...

Escalation of Commitment Part 2: Three Possible Scenarios

Following from a recent post on ‘Escalation of Commitment’, a topic studied by both economists and psychologists, I could not resist writing a follow-up to explore the consequences for third parties that do not have the preparation and/or resources of the parties involved in scenarios of escalation of commitment in the IT security field. In the previous post, I covered the example of financial...

UCLA Health Breach Exposes 4.5 Million Patients’ Medical Files

Late last week, UCLA Health – the Californian university’s hospital – announced it had suffered a cyber attack on its network, potentially exposing the personal and medical information of nearly 5 million patients. In a statement, the hospital said it had determined the attacker had accessed parts of the UCLA Health system that contained names, addresses, dates of birth, Social Security numbers...

VERT Threat Alert for MS15-078 OpenType Font Driver Vulnerability (CVE-2015-2426)

Today’s VERT Alert addresses one new out-of-band Microsoft Security Bulletin. VERT is actively working on coverage for this bulletin in order to meet our 24-hour SLA and expects to ship ASPL-624 on Tuesday, July 21st. MS15-078 OpenType Font Driver Vulnerability CVE-2015-2426 MS15-078 Microsoft has released an OOB update to the Adobe Type Manager Library. ATMFD.dll (Adobe Type Manager Font Driver...

Ashley Madison Hack Threatens to Expose 37 Million Adulterers

Source: Krebs on Security

A recent hack at Ashley Madison, an online cheating website, could expose the personal information of 37 million users. According to Brian Krebs, who broke the story on his blog, a group of hackers known as The Impact Team has already released some sensitive internal data stolen from Avid Life Media (ALM), a Toronto-based company that owns Ashley Madison as well as...

Columbia v. Cottage: Enforcing the 'Mistake Exclusion' in Data Breach Insurance

Back in April, the London-based insurance market Lloyd's reported a 50 percent increase in the number of data breach insurance submissions filed in the first three months of 2015 compared with last year. This development challenges some of the arguments offered by leading experts in the field of information security that seek to explain why more companies are not investing in data breach...

Infosec Influencers: An Interview with Bruce Schneier

This week, as part of our new "Infosec Influencer" series, I had the pleasure of sitting down with Bruce Schneier, an internationally renowned security technologist and one of The State of Security's Top Influencers in Security You Should Be Following in 2015. He has written 12 books, including Liars and Outliers: Enabling the Trust Society Needs to Thrive, not to mention published hundreds of...

MiniDionis: Where a Voicemail Can Lead to a Malware Attack

For just over a week, government departments, research institutes and other high-value targets have been on the sharp end of a sophisticated attack, where fake voicemails are being used to create a diversion while malware infects computer systems. As security researchers at Palo Alto Networks' Unit 42 division detail, it is believed the attack is being perpetrated by the same gang responsible...

Attack Exploits Weaknesses in RC4 Algorithm to Reveal Encrypted Data

Two Belgian security researchers have developed a method that allows an attacker to exploit statistical weaknesses in the RC4 stream cipher to recover data that was assumed to be protected by encryption. According to a blog post written by Mathy Vanhoef and Frank Piessens of the University of Leuven, their RC4 NOMORE attack concentrates on decrypting web cookies, which are...
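
To make the kind of weakness concrete, here is an added example that is not part of the original post or the researchers' code. It implements textbook RC4 and exploits one of its best-known keystream biases, Mantin and Shamir's observation that the second output byte is 0 with probability about 2/256 rather than 1/256: when the same plaintext (a cookie, say) is encrypted under many different keys, the most frequent second ciphertext byte equals the second plaintext byte. RC4 NOMORE relies on different, later-discovered biases (Fluhrer-McGrew and Mantin's ABSAB biases) and on far more captured ciphertexts, but the recovery principle is the same. The 16-byte random keys, the fixed seed and the plaintext are constructed for the demo.

```python
import random


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA), then `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def second_byte_bias_attack(plaintext: bytes, trials: int = 20000, seed: int = 1) -> dict:
    """Encrypt `plaintext` under `trials` random 16-byte keys and use the
    Mantin-Shamir bias Pr[Z_2 = 0] ~ 2/256 to recover plaintext[1].

    Because C_2 = P_2 XOR Z_2 and Z_2 = 0 is the single most likely keystream
    value, the most frequent second ciphertext byte is P_2 itself.
    """
    rng = random.Random(seed)          # fixed seed so the demo is reproducible
    zero_count = 0
    ciphertext_counts = [0] * 256
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))   # constructed random key
        z2 = rc4_keystream(key, 2)[1]
        zero_count += z2 == 0
        ciphertext_counts[plaintext[1] ^ z2] += 1
    recovered = max(range(256), key=ciphertext_counts.__getitem__)
    return {
        "zero_rate": zero_count / trials,      # should sit near 2/256, not 1/256
        "unbiased_rate": 1 / 256,
        "recovered_byte": recovered,
        "correct": recovered == plaintext[1],
    }


if __name__ == "__main__":
    # Constructed plaintext standing in for a session cookie.
    print(second_byte_bias_attack(b"session=7f3a9c", trials=20000))
```

With 20,000 keys the zero rate lands near 0.0078, roughly double the 0.0039 an unbiased generator would give, and the recovered byte is the plaintext's second character. Practical attacks on TLS or WPA-TKIP need biases at many positions and millions of samples, which is why the researchers' work focuses on forcing a victim to transmit the same cookie repeatedly.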

Automating Email Phishing with SPF

Due to the increasing number of reported high-profile attacks, you have likely heard of "phishing." What exactly is phishing? At its core, phishing is the sending of an email to a target with the intent of having the target perform some action that will lead to the attacker gaining some new piece of information or access. While the phishing attack can have any number of intended...
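
SPF is what decides whether a spoofed "From" domain gets through, so automating the check is the first step in scoping a phishing engagement. The block below is an added example, not the original post's tooling: it evaluates an SPF record for a given sending IP and reports how permissive a domain's policy is toward a host it does not list. The DNS TXT answers are a constructed in-memory table rather than live lookups, the domain names are documentation placeholders, and only the ip4, ip6, include and all mechanisms plus the redirect= modifier are evaluated; a, mx and exists would need live DNS and are treated as not matching, which is a simplification.

```python
import ipaddress

# Constructed DNS TXT answers for illustration; none of these are real records.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.10 ~all",
    "weak.example": "v=spf1 ip4:203.0.113.0/24 +all",
    "soft.example": "v=spf1 ip4:203.0.113.5 ~all",
    "redir.example": "v=spf1 redirect=example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms (approximately enforced here)


def lookup_spf(domain, txt=FAKE_TXT):
    """Return the domain's SPF record, or None when it has no 'v=spf1' TXT record."""
    record = txt.get(domain.lower())
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def evaluate_spf(domain, sender_ip, txt=FAKE_TXT, _lookups=0):
    """SPF result for sender_ip sending as domain: pass, fail, softfail, neutral,
    none (no record) or permerror. Mechanisms needing live DNS (a, mx, exists)
    are skipped, i.e. treated as non-matching."""
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    redirect = None
    for term in record.split()[1:]:
        qualifier, body = "+", term
        if term[0] in QUALIFIERS:
            qualifier, body = term[0], term[1:]
        if body.lower().startswith("redirect="):
            redirect = body[len("redirect="):]   # applies only if nothing matches
            continue
        name, _, arg = body.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip in network:                    # False on v4/v6 mismatch
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups += 1
            if _lookups > MAX_LOOKUPS:
                return "permerror"
            if evaluate_spf(arg, sender_ip, txt, _lookups) == "pass":
                return QUALIFIERS[qualifier]
    if redirect:
        if _lookups + 1 > MAX_LOOKUPS:
            return "permerror"
        return evaluate_spf(redirect, sender_ip, txt, _lookups + 1)
    return "neutral"  # no matching term and no 'all': default result is neutral


VERDICTS = {
    "none": "no SPF record: any host can send as this domain",
    "pass": "policy accepts any sender (+all): trivially spoofable",
    "neutral": "neutral: SPF-checking receivers will not reject spoofed mail",
    "softfail": "softfail: most receivers still deliver, possibly flagged as spam",
    "fail": "hard fail: SPF-checking receivers should reject spoofed mail",
    "permerror": "permerror: broken record, treatment varies by receiver",
}


def spoofing_exposure(domain, txt=FAKE_TXT):
    """Evaluate from 203.0.113.254, an address none of the constructed records
    list, to see what an arbitrary spoofing host would get."""
    result = evaluate_spf(domain, "203.0.113.254", txt)
    return result, VERDICTS[result]


if __name__ == "__main__":
    for d in ("example.com", "weak.example", "soft.example", "nospf.example"):
        print(d, *spoofing_exposure(d))
```

Run over a target list, the output sorts domains into those worth spoofing directly (no record, +all, ?all, and usually ~all) and those where the phish has to come from a look-alike domain instead. Swapping FAKE_TXT for a real resolver, and adding DMARC and DKIM checks, turns this into the recon tool the engagement actually needs.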

Java Zero-Day Bug, 192 Other Security Vulnerabilities Fixed by Oracle Critical Patch Update

Oracle has released its July 2015 Critical Patch Update, which provides fixes for 193 security vulnerabilities, including a zero-day vulnerability recently discovered in Java. According to a post published on Oracle's blog, the update contains patches for a number of products, such as Oracle Database, which receives 10 security fixes, including a patch for a vulnerability (CVE-2015...

VERT Threat Alert: July 2015 Patch Tuesday Analysis

Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-623 on Wednesday, July 15th. MS15-058 SQL Server Elevation of Privilege Vulnerability CVE-2015-1761 SQL Server Remote Code Execution Vulnerability CVE-2015-1762 SQL Server Remote Code Execution Vulnerability CVE-2015...

The IoT Convergence: How IT and OT Can Work Together to Secure the Internet of Things

In the past, information technology (IT) and operational technology (OT) were seen as two distinct domains of a business. The former focused on all technologies that were necessary to manage the processing of information, whereas the latter supported the devices, sensors and software that were necessary for physical value creation and manufacturing processes. While their foci have remained the...

Microservices, SSL Everywhere, and Your Sanity

It is always the case that changes – particularly radical changes – to application architectures have a ripple effect across the data center. And ripples turn into waves as they travel away from the epicenter, in this case leaving security professionals swamped. And like a bad “B-side” disaster flick, the danger isn’t coming from just one side; it’s coming from two and threatening to squash...

Click-Fraud Attacks Being Used to Deliver More Sinister Threats

Click-fraud is traditionally thought of as a widespread but low-impact online risk. In this type of attack, criminals steal money from pay-per-click (PPC) online advertisers by directing a person or a bot to click on an ad in order to generate a charge per click. No genuine interest is generated by these fake clicks, and the advertiser's budget is subsequently exhausted...

Germany Introduces New Law to Strengthen Critical Infrastructure Protection

The Bundesrat of Germany – the country’s Federal Council – passed legislation last week requiring critical infrastructure businesses and institutions to implement more robust information security standards. According to reports, the new law will affect more than 2,000 essential service providers, including transportation, health, water, utilities, telecoms, as well as financial services and...

Mozilla Blocks All Versions of Adobe Flash Until Publicly Known Security Vulnerabilities Are Fixed

Mozilla has blocked every version of Adobe Flash Player running in its Firefox web browser and will continue to do so until Adobe has patched certain publicly known security vulnerabilities. Firefox users who seek to view videos, adverts, and other Flash-based content will now be required to dismiss a warning that reads, "Flash is known to be vulnerable. Use with caution." Mozilla's decision...