Crowd-sourced review service Yelp says it will award researchers up to 15,000 USD for reporting exploits as part of its newly public bug bounty program. The company successfully ran a private bug-bounty program for the past two years, during which it worked with private researchers and bug bounty hunters to fix as many as 100 vulnerabilities. But to...

Apple issued critical updates for OS X Yosemite and El Capitan on Thursday to patch security vulnerabilities resembling those discovered on iOS 9.3.5 earlier this week. Dubbed Trident, the three zero-day vulnerabilities (CVE-2016-4655, CVE-2016-4656 and CVE-2016-4657) could allow an attacker to silently jailbreak an iOS device and spy on victims,...

You, a creative entrepreneur with a great idea, finally launch a business. As a startup, having your own website is essential in conducting business. Startups must always take extra precaution when it comes to their web security. Because startups are the perfect targets for hackers, your website should be protected as soon as it is ready to go live....

We are moving into an era of inter-connectivity with billions of devices, including a previously disconnected industry of automotive vehicles. Vehicles were not designed with computer security in mind, and that worked just fine for the last few decades. However, now we are at a point where we can take an "unhackable" 1997 Honda Civic and add in a...

Industrial control system (ICS) security is a growing concern for organizations around the world. On the one hand, research suggests that vulnerabilities and exposures are increasingly jeopardizing the security of ICS assets. In their report Overload: Critical Lessons from 15 Years of ICS Vulnerabilities, the FireEye iSIGHT threat intelligence team...

Cisco has confirmed the legitimacy of two exploits found in a data dump of code released by the Shadow Brokers hacker group. On 13 August, the mysterious hacking group announced an auction of files allegedly containing exploit code used by the Equation Group, a sophisticated threat actor which leverages unknown vulnerabilities in multiple vendor...

An organization's computer network is never fixed. It is constantly changing. To illustrate, as a company continues to grow, it might adopt a different mission that requires the installation of new endpoints onto its network. Additionally, with the detection of new exposures, security teams will need to update all critical devices running the...

It's just a week since Apple announced its first-ever bug bounty for researchers who find vulnerabilities in its widely-used software and hardware, in the hope that it can provide better security and privacy to its millions of customers. The Cupertino-based company made headlines for its belated entry into the bug bounty marketplace, offering up to ...

I was incredibly happy with the initial release of CVSSv3. While it wasn’t perfect, it was a huge improvement over CVSSv2 in that a couple of the weaknesses in v2 were removed. The first of two particularly great changes was the language related to the network attack vector in the specification document:A vulnerability exploitable with network access...

To protect against evolving digital threats, more and more organizations are employing endpoint detection and response (EDR) systems on their computer networks. EDR consists of six crucial security controls. The first two, endpoint discovery and software discovery, facilitate the process of inventorying each device that is connected to the network and...

Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-684 on Wednesday, August 10th. EASE OF USE (PUBLISHED EXPLOITS) TO RISK TABLE Automated Exploit Easy ...

The Internet of Things (IoT) is slowly taking over consumer markets in every category, from coffee makers to fitness trackers. Yet while smart automation might seem like the ideal for consumer convenience, when it comes to home security systems, connecting to the Internet can lead to increased vulnerability. In this article, we take a look at some...

Security is not the same for the industrial control systems (ICS) as it is for information technology (IT). This difference in part arises from the unique characteristics that set IoT and IT environments apart from one another. Take IT, for instance. One of the most important business drivers for securing systems in those types of environments is...

Apple has announced it will be launching a bug bounty program that will pay security researchers upwards of USD 200,000 for finding flaws in its software. On Thursday at the Black Hat USA 2016 security conference in Las Vegas, Nevada, head of the Apple Security Engineering and Architecture group Ivan Krstic made the announcement at the end of his...

Industrial Control Systems (ICS) are the technology workhorses responsible for powering the electric grid and utilities, water treatment plants, oil and gas production, food and beverage manufacturing, and transportation systems, among many others. Our society relies on these systems more than we know to keep life running smoothly. ...

There is never a dull moment for compliance and security. Case in point, amidst a brewing storm of regulation, version 3.2 of the Payment Card Industry Data Security Standards (PCI DSS) announced in late spring articulates good data security intent along with controversy. PCI has been around since 2006, and aims to protect payment data for consumers...

Wireless routers designed for consumers often do not employ proper security practices. This topic was extensively covered in VERT’s 2014 report, “SOHO Wireless Router (In)security.” Our research revealed that 74% of the 50 top-selling consumer routers on Amazon shipped with security vulnerabilities, including 20 different models where the latest...

Embedded devices on enterprise networks make attractive targets for hackers because they provide potential footholds. These systems perform a variety of functions, often involving sensitive data or control of critical systems. Network gear, printers, storage appliances and other equipment generally do not have end-point protection installed, making...

In today’s vulnerability market, vendors want to squeeze every ounce of publicity out of their security researchers. As a result, responsible disclosure often falls by the wayside. The same is true of independent researchers in search of their 15 minutes of fame. A fatal flaw in a major product is akin to Kennedy’s dream of landing a man on the moon...

When it comes to the Internet of Things and security, it seems individuals and organizations keep making the same fatal mistakes – over and over again – because we continuously see it as a technology problem. It’s not. It’s a business strategy failure. Whether it’s insecure hospital devices, hackable power grids, or lethal connected cars, the same...