An independent reviewer in the United Kingdom has called for a new "comprehensive" law to help define security services' online surveillance powers. According to BBC News, David Anderson QC, an independent reviewer of terrorism legislation, stated that a "clean slate" is needed in the approach to surveillance powers used by security services to...

New York’s Superintendent of Financial Services Benjamin Lawsky announced on Wednesday a new set of rules and regulations for businesses accepting, selling or buying virtual currencies. Following nearly a two-year-long effort, Lawsky introduced the first-ever comprehensive framework – known as BitLicense – in a speech at the BITS Emerging Payments...

It’s been a tough few weeks for those of us that are responsible for patching vulnerabilities in the companies we work at. Not only do we have the usual operating system and application patches, we also have patches for VENOM and Logjam to contend with. The two aforementioned vulnerabilities are pretty serious and deserve extra attention. But, where...

It's been almost a year since what some analysts consider the first successful major threat to mobile banking, known as Svpeng, hit the United States. Spreading via a text message campaign, the Svpeng malware went after Android phones. While Svpeng didn’t steal mobile banking credentials, it did detect the presence of certain mobile banking apps and...

Last week, we explored the story of Konstantin Simeonov Kavrakov, a Bulgarian who hacked Bill Gates’ bank account and stole thousands of dollars. We now report on the story of Valérie Gignac, a Canadian woman who is believed to have hacked users’ webcams and subsequently harassed them. According to a statement published by the Royal Canadian Mounted...

The number of data breaches increased 27.5% in 2014, making measures against these types of security incidents increase significantly among large companies. What about small businesses? Do they really stand a chance against hackers and security incidents? Being a small company might make you think no hacker will bother stealing your data. But, just...

Recently, we compiled a list of the top 10 highest paying jobs in information security in an effort to help individuals navigate this exciting field as a career choice. That being said, we would be remiss if we stopped there. Information security is continuously evolving, so knowing which events offer the best opportunities for learning new ideas...

Last week, Tripwire explored the story of Austin Alcala, a teenager who penetrated a number of American videogame corporations and the United States military as a member of an international hacking group. We now report on the story of Konstantin Simeonov Kavrakov, a Bulgarian hacker who is responsible for having infiltrated Bill Gates’ bank account...

You know what I don’t want to talk about any more? Responsible disclosure. The problem is that, as old as that discussion is for information security, it and the adjacent topics, remain relevant for many other industries. There’s a good chance you caught the media coverage of a recent incident...

In ages past, invading armies would poison the water source – usually a well – of a city in order to reduce the fighting capability of the enemy or to force the populace of a city under siege to surrender. This method was usually successful because an invader could have a devastating effect on a very large population with minimal yet targeted effort...

Earlier this month, an explosion at a power station in Maryland caused outages at the White House, the Capital, and the State Department. The service interruption, which affected between 10,000 and 30,000 people, was caused by a 230-kilovolt transmission conductor that broke free from its support structure, according to NBC News. As a result, the...

Network Forensics is a branch of Digital Forensics that deals with the capture, storage and analysis of network traffic. Incident handlers working on computer incident response and security operations teams around the world engage in this type of analysis in order to answer the “Five Ws” in relation to incidents: [W]ho did it? [W]hat happened? ...

Verizon’s annual Data Breach Investigations Report (DBIR), published since 2008, has become one of the most anticipated information security industry reports. Think of it as the Data Breach Bible, as it dissects thousands of confirmed data breaches and security incidents from around the globe into emergent and shifting trends, providing us with...

Detecting and preventing malicious software from executing on critical systems has received a lot of attention in the information security industry lately. Being able to detect new applications, drivers and files is what Tripwire Enterprise excels at. However, there are quite a few options for a motivated attacker to take advantage of built in...

The evil twin is not just a schlocky plot device for TV crime shows and absurd soap operas, it's also a threat to your company's data. It's relatively easy for a criminal to set up an evil twin rogue wireless access point that mimics one that your users and visitors connect to, whether on your premises or in a public place, with the intention of...

If you've recently found your web browsing plagued by pornographic pop-ups and irritating adverts, there might be a simple - but dangerous - explanation. Maybe hackers have hijacked your internet router? Security researchers at Ara Labs have warned of an active campaign which has seen attackers changing DNS settings on routers, causing unauthorised...

Over the past decade, the role of the Internet has moved beyond just email and websites viewable from a small window on a heavy desktop to something we now carry with us in our bags, pockets and strapped to our wrists. It is now a driving force of the world economy and is creeping its way into every aspect of our lives. For better or worse, we are...

The printf() family of functions (printf(), fprintf(), sprintf(), etc.) are surprisingly powerful and, if not properly used, can expose a class of vulnerabilities called format string attacks. These attacks can be very bad because with a well-crafted format string, an attacker could write an arbitrary value into an arbitrary memory location. This...

Sarah Clarke and a few others were running a discussion on Twitter trying to hash out if security policies have any value. The discussion was started by a person critically stating that as far as he was concerned, they have no value at all. As Twitter isn't a good medium for summarizing the potential values that were identified, Sarah and I...

…that was the question. How many people actually find your security policies useful? Go on, guess. I’m willing to bet it’s only audit, risk, compliance management and the third-parties that assess you. Here’s the tweet from Phil Huggins (@oracuk) that kicked off a lively enough debate to make me want to write this. Phil’s core and continuing...