Back in 2011, Facebook launched its bug bounty program in an effort to provide recognition and compensation to security researchers for practicing responsible disclosure. The program is not bound by a maximum bounty reward. Instead, it awards monetary rewards based on the severity of each disclosed vulnerability, with $500 USD serving as the minimum...

German engineering company Siemens has patched two vulnerabilities affecting some of its SIMATIC controllers. The first vulnerability (CVE-2016-3949) is a denial-of-service (DoS) bug that affects SIMATIC S7-300 CPU, a product which is used by companies worldwide to manage process control in various industrial environments including Chemical, Energy,...

Organizations are constantly looking to obtain a "big picture" view of information security so that they can better protect themselves against digital threats. To answer that call, a variety of companies regularly publish security trend reports in which they analyze how threats in the digital space are evolving. Some reports target specific kinds of...

I was there when the bubble burst in ’99. If you are too young to know the reference to the bubble of 1999, or if you are so old that you have forgotten it, 1999 was the year that the "internet bubble" burst. What was it that caused this bursting effect? The internet wasn’t the problem. The internet is still here. The problem was driven by the...

Suppose you get a call from a college classmate with the following pitch: "David, I want to give you the opportunity of a lifetime. We started up our business last year called 'Super Duper Application.' We tested it, and we put it on the Apple App Store. It has done resoundingly well since then. We now have thousands of customers who love the...

Dropbox has responded to security concerns regarding one of its new technology's abilities to obtain kernel access. Back in April, the secure file sharing and storage service announced "Project Infinite," an initiative which will help revolutionize the way Dropbox interfaces with a user's computer. Dropbox software engineer Damien Deville provides...

Instead of imagining myself as a chess piece, I prefer to try and look at the chess board as a whole and see where the biggest perceived vulnerabilities or weakness lie. Most organisations could be seen as being modelled the same ‘in terms of staff ratio’ to a chess board. Usually, there is only 1 king (CEO), and then the rest of the chess pieces...

Several days after the Panama Papers leak had echoed in global media as the greatest international tax scandal in history, security analysts confirmed that the heart of the problem lies in security flaws. As revealed by a detailed examination, the compromised law firm Mossack Fonseca used content management and emailing systems, which had dozens of...

Information security is more than just checking a box. It also includes security awareness, a feature I discussed in my previous article on endpoint detection and response (EDR) which is just as important as the tools, technologies and other solutions an organization uses to strengthen its digital security. To make a difference, security awareness...

Our ability to protect our systems from vulnerabilities is often only as good as the information available to us. One source, OVAL definitions, promises to “provide enterprises with accurate, consistent, and actionable information so they may improve their security.” Unfortunately, blindly trusting that this data is accurate could still leave your...

In February 2015, the FBI seized control of computer servers running a child sexual abuse website called Playpen. But rather than shutting down the site immediately, the FBI chose to continue to make the site available, planting software that could collect the real IP and MAC addresses of users. On a regular website that might not be a hard thing to...

Adobe is expected to release a patch for a "critical" vulnerability in Flash Player in its upcoming monthly security update. On Tuesday, the American multinational computer software company released a security advisory for Flash Player. In that bulletin, it discusses the vulnerability CVE-2016-4117."A critical vulnerability (CVE-2016-4117) exists in...

Back in February, Tripwire first unveiled its 2016 Breach Detection Survey. The study evaluated the confidence and efficacy with which IT professionals in the United States could implement seven key security controls: PCI DSS, SOX, NERC CIP, MAS TRM, NIST 800-53, CIS 20 Critical Controls, and IRS 1075. Together, those controls recommend accurate...

Today’s VERT Alert addresses 17 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-670 on Wednesday, May 11th. Ease of Use (published exploits) to Risk Table Automated Exploit Easy ...

GoDaddy has remediated a blind cross-site scripting (XSS) vulnerability that attackers could have used to take over, modify, or delete users' accounts. Security researcher Matthew Bryant discovered the flaw using a tool XSS Hunter late last year. At that time, he found he could set his first and last name to an XSS payload. He opted to use a generic...

Here at Tripwire, one of the responsibilities of VERT (Vulnerability and Exposure Research Team) is the monthly publication of our Patch Priority Index (PPI). Equal parts science and art, the PPI is released by VERT researchers who deal with vulnerabilities resolved by these patches on a daily basis. When this process first began, it prompted a very...

As I discussed in my previous article, threat intelligence provides organizations with contextual details regarding specific threats. Such information is crucial for companies that are committed to formalizing their information security practices. By relying on multiple feeds of threat intelligence, for instance, enterprises can continuously...

The 2016 Verizon Data Breach Investigations Report (DBIR) is out, and I’m excited to announce that this year’s findings leveraged vulnerability data from Tripwire and other vendors, including our partner Kenna Security. The 2016 Verizon DBIR recommends establishing “a process for vulnerability remediation that targets vulnerabilities which attackers...

OpenSSL has issued fixes for six vulnerabilities, including two flaws with a "high" severity rating. On Tuesday, the corporate entity responsible for OpenSSL, a software library that helps to secure web communications against eavesdropping, published a security advisory in which it provides details on the two "high" severity vulnerabilities. ...

Organizations face a constant barrage of digital threats. To mitigate the risk of an attack, IT staff need to continually protect all of an organization's endpoints, such as by creating patching schedules and by hardening vulnerable devices. Unfortunately, protection has its limitations. Security personnel can harden a device or implement a patch...