In my previous post, I took deep dive into AWS S3 permissions to outline the myriad of ways someone could expose their AWS S3 buckets and objects to everyone on the Internet. As I discussed there, the complexity of the S3 permission system is very powerful and provides users with a lot of flexibility; however, it also makes it very easy to...

It seems like everyday you see a new report about a massive data leak caused by someone accidentally exposing files stored in AWS S3 Buckets to everyone on the Internet. Many may remember Verizon’s infamous snafu that leaked data records for six million of their customers due to a misconfiguration in their S3 buckets. Since then, there have also been...

A new attack framework known as "Triton" is targeting industrial control systems (ICS) in an attempt to cause operational disruption and/or physical consequences. FireEye recently detected an incident at a critical infrastructure organization in which an attacker gained access to a Distributed Control System (DCS) that allows human operators to...

Unless you’ve been living in Slab City or off the grid for a while, you’ve probably heard this year’s omnipresent buzzword ‘blockchain.’ But perhaps you're a bit clueless as to what this newer technology entails. In a recent HSBC survey of 12,000 respondents in 11 countries, 80 percent of people could not explain how blockchain works. Don’t worry,...

Back in June, Robert Hansen posted an interesting write-up[1] on his Smartphone Exec blog about outsourced web development that was returned with multiple embedded PHP backdoors. While this betrayal of trust by a freelance web developer shouldn’t have been surprising, it was, and it prompted Tripwire’s Vulnerability and Exposure Research Team (VERT)...

The college year is rapidly coming to a close, and for many students who are in their early college years, an internship is usually part of the summer plans. With the growing interest in cyber security and infosec, as well as the increased availability of cyber security programs in many higher education establishments, some students are entering the...

Information security, cybersecurity, IT security, and computer security are all terms that we often use interchangeably. I know that I do. I've written a lot about those areas for the past several years. I notice that sometimes I switch between the terms in an article simply to avoid repeating the same phrases over and over again in my prose. Very...

BSides is known for its collaborative and welcoming environment – something that truly sets it apart from the many other security conferences that are held these days. Today, the conference series has spread all across the world, yet its mission remains the same: to provide an open forum for infosec discussion and debate. Tony Martin-Vegue, a...

Ever since the first large-scale ransomware attacks started targeting individual users, companies, and government institutions, we have witnessed that the primary malicious actor is usually a hacker or a hacker collective. More and more victims are now browsing the web looking for a way to get rid of the threat by not paying the ransom sum, a trend...

Last week, while browsing various news feeds and websites, I took a scroll through Facebook and saw this video posted from our local morning show, Breakfast Television. They were talking about a Lifehacker post that referenced a github repository belonging to Viljami Kousmanen. The doom and gloom statements of the video are pretty clear evidence of...

Much of my time spent working is focused on performing technology assessments against some kind of baseline. Most of the time, these are specific government or industry standards like HIPAA, NIST, ISO and PCI. But when some of my clients reach out to me about evaluating their environment in light of these standards, it’s often done out of a feeling...

The ever-fickle world of pop culture has seen a resurgence of interest in Sherlock Holmes in the last five years. Fresh re-imaginings of the detective residing at 221B Baker Street have come both to the big screen and small to varying degrees of critical acclaim. Robert Downey Jr.’s version premiered in 2009, while Benedict Cumberbatch’s modern...

Businesses of all sizes are taking note that cyber threats are continually on the rise. No one is safe. In our digital world, you just can't be too cautious when it comes to protecting your data. This is true whether your company employs 200,000 or 10 employees. Cyber criminals have no bounds. They just want to profit off of your information. That...

Since 2003, the Department of Homeland Security (DHS) has designated October as National Cyber Security Awareness Month (NCSAM). Each week of NCSAM carries its own theme that is meant to help users stay safe online. To help promote those topics, the DHS partners with public and private entities. Together, they create resources, hold special events...

When it comes to the Internet of Things and security, it seems individuals and organizations keep making the same fatal mistakes – over and over again – because we continuously see it as a technology problem. It’s not. It’s a business strategy failure. Whether it’s insecure hospital devices, hackable power grids, or lethal connected cars, the same...

Organized cybercrime is a business just like any other legitimate business; they want to have low-risk and efficient operations in order to maximize their profits. The main caveat for criminals is that pesky problem of getting caught and spending the rest of your life in jail. Data is the currency of the 21st century – historically, cyber criminals...

These days, consumers are constantly being pushed to move away from paper correspondence and communication to an electronic alternative. Every time I sign into my bank account, I’m reminded of my option to forego the physical receipt of my monthly statement and go paperless. While the benefits of going paperless are clear to both businesses and...

Recently, I read an article that suggested the 'human firewall' is broken and that it cannot be fixed. This observation comes from a company that provides commercial technical solutions to assist with mitigating cyber threats. The first aspect of this comment I would like to address is the element referred to as ‘the human firewall.’ Let's call it...

Is using ad blocking software stealing or is it a sound security practice? On one hand, many websites and content creators make money from advertising. They certainly deserve to be compensated for their time and effort. On the other hand, advertising – at best – can be annoying, and at worst, can serve up malware, suck up bandwidth and redirect...

Thanksgiving is a time for reflection. It provides us with a space for acknowledging all those many people and life experiences that one way or another enrich our lives, year after year. With the spirit of Thanksgiving in mind, we have gathered together the comments of some of the industry's leading professionals on who they are thankful for fueling...