Target Corp has agreed to pay $10 million in order to settle a class-action lawsuit related to a 2013 breach that compromised users’ financial and personal information, according to court documents. The proposed settlement, which has yet to be heard in federal court, would require Target to deposit the total settlement amount into an escrow account, which the retailer would use to compensate...

Information security professionals are all too familiar with the work of black hat hackers. These individuals seek to gain unauthorized access to enterprises’ computer networks by exploiting security vulnerabilities – malicious activity which frequently threatens the personal and/or financial information of millions of customers. But what motivates an individual to become a black hat hacker? And...

Sarah Clarke and a few others were running a discussion on Twitter trying to hash out if security policies have any value. The discussion was started by a person critically stating that as far as he was concerned, they have no value at all. As Twitter isn't a good medium for summarizing the potential values that were identified, Sarah and I challenged each other to both blog about, with both a...

…that was the question. How many people actually find your security policies useful? Go on, guess. I’m willing to bet it’s only audit, risk, compliance management and the third-parties that assess you. Here’s the tweet from Phil Huggins ( @oracuk ) that kicked off a lively enough debate to make me want to write this. Phil’s core and continuing assertion was that good tech, awareness and risk...

The OpenSSL Project, a collaborative effort designed to develop an open source toolkit that implements SSL and TLS, has announced that it will be fixing a number of security flaws on Thursday , one of which it has labeled “high” severity. The initiative made the announcement in a message circulated yesterday. “The OpenSSL project team would like to announce the forthcoming release of OpenSSL...

Discussions around industrial control systems (ICS), such as supervisory and control data acquisition (SCADA) systems, often focus on how vulnerable the systems are. A key aspect of President Obama’s information sharing acts have been designed to encourage threat sharing to help protect the organizations and networks involved in critical infrastructure. However, while there are many advancements...

I don't often use Siri on my iPhone, but I've got to admit that when I do it's really handy. I'll be driving the car and thinking "Arrrghh! I forgot to put out the recycling last night. I'd better say sorry to my wife as soon as possible, as she'll be mad at me." I could stop the car on the hard shoulder (which would be dangerous), I could risk waiting until I get to my destination to tell my wife...

An analysis of the EquationDrug espionage platform has revealed that its capabilities can be extended via modules, leading security researchers to compare the framework’s architecture to a “mini-operating system.” In an article published on Securelist, Kaspersky Lab explains that EquationDrug is the main espionage platform used by Equation Group, an advanced threat actor that is responsible for...

A typical information security conference can cost $5,000 plus plane and hotel costs and, although it might seem to be an exorbitant sum of money, many of us could easily defend the value and necessity of the training to bolster one’s technical capabilities. But when was the last time you invested even just a few hours of your time to working on developing your information security career in truly...

Last week, Tripwire published an article analyzing the ways in which the United States’ International Strategy for Cyberspace (ISC 2011) has informed the ideas outlined in the recently released 2015 National Security Strategy (U.S. NSS 2015). In my analysis, I compared both documents’ usage of the term “cyber” and found that while they vary somewhat in their approach, both documents support the...

Despite retailers’ continuous improvement in compliance with the Payment Card Industry (PCI) security standards, four out of five companies are still failing at interim assessments, according to Verizon’s latest report . The report highlights that the overall state of compliance grew significantly in 2014, with 20 percent of organizations achieving full compliance – up from 11 percent in 2013, and...

Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-605 on Wednesday, March 11. MS15-018 Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE VBScript Memory Corruption Vulnerability CVE-2015-0032 Internet Explorer Elevation of Privilege Vulnerability...

In VERT Vuln School: Stack Overflow 101 we reviewed a contrived example of a simple stack-based buffer overflow vulnerability in a binary wrapper for the nMap scanning tool. With this example, I showed how crafted command line parameters could be trigger an overflow of user-controlled data onto the stack. The synscan binary performed no checking on the length of a user-supplied buffer before...

Join us for a live webcast Thursday, March 26, 2015 - 11:00 AM Pacific / 2:00 PM Eastern "Caught in the Crossfire: The Business Impact Of Cyberwar & High Tech Espionage " with Shane Harris, author of @War: The Rise of the Military-Internet Complex The Intercept ¹ is reporting a secret program targeting Apple devices and software as part of a CIA sponsored event called "Jamboree," where groups of...

With technology, we are constantly looking to improve security. We moved from HTTP to HTTPS to help secure online transactions and mitigate man-in-the-middle attacks. With DNS, we have started to implement DNSSEC. Why are we not looking backward at the cornerstone of modern communication, the device that still ties everyone together? The telephone. There have been minor updates to user experience...

Earlier this month, Tripwire published its final installment of 10 Notorious Cyber Criminals Brought to Justice , a series that sought to demonstrate how law enforcement frequently catches up with individuals who use cyberspace for malicious purposes. Although our series has concluded, we as information security professionals realize that law enforcement will always be working to counter the...

Cyber insurance is a hot topic of many debates today. It is believed to be the long-awaited cure for high-impact security risks, especially in light of constantly evolving privacy legislation and disclosure obligations – but what actually is it? Simply put, cyber insurance is a tool intended to mitigate the loss from information security incidents. The decision to use it, however, should be based...

According to a fellow at Columbia University, companies are not investing significantly more in information security partly because of the influence of moral hazards, or the act of one entity taking risks because others bear the burden of those actions. Benjamin Dean , a staff associate and fellow in cyber-security and internet governance at the Columbia School of International and Public Affairs...

There's bad news for any Windows users who were thinking that the recently-announced FREAK vulnerability wasn't something they had to particularly worry about. When first announced, it was thought that the newly-discovered flaw in SSL/TLS was limited to Apple's Safari and Google's Android web browsers, opening the possibility of hackers and intelligence agencies intercepting HTTPS-protected...

An interesting dialogue came up in my security circles that I believe outlines a fundamental disconnect within organizations developing software products. We have all heard that communication is key, but are the conversations happening at the proper levels to expose a product’s security requirements? The conversation went something like this: (Sales employee): “Developers are not thinking about...