Image It could be said that the proliferation of automation is the defining characteristic of the last 100 years. In almost every area of our lives, we’ve found a way to leverage technology to increase our efficiency, freeing us up for higher-order tasks… The things we like to do, the things that are hard, the things we’re good at. A...

Image Earlier this month, an explosion at a power station in Maryland caused outages at the White House, the Capital, and the State Department. The service interruption, which affected between 10,000 and 30,000 people, was caused by a 230-kilovolt transmission conductor that broke free from its support structure, according to NBC News...

Image It’s that time of year, again, when the brightest minds in the business gather to talk all things cyber in the city of San Francisco. To start off the busy week ahead, BSidesSF kicked off day one with some great speakers and intriguing presentations. For those of you that didn’t make it out, here’s a short and sweet recap of...

Image The Internet of Things (IoT) is a buzzword that many use to describe a not-so-distant reality in which devices and machines talk to one another. To some, however, the potential of IoT extends well beyond the mere notion of a “smart,” interconnected world. Included in this group of observers is Jeremy Rifkin, an author, political...

Image If, on Tuesday, you find yourself in San Francisco, with access to RSA, then I know how you should spend your time from 1PM PST. Alex Cox, Ken Westin, and I will be introducing our panel: Killing the Kill Chain: Disrupting the Cyber Attack Progression. Instead of talking about how you can preemptively stop an attack, we plan to...

Image The Verizon 2015 Data Breach Investigations Report has always had a conversational, quirky style to share some pretty technical information about the security breach data it analyzes. So if you’re wondering what Prince has to do with vulnerability management, just know that when you read the full report, you’ll understand – a...

Image In the first installment of this blog post, I took you through how I completed level 1 of Tripwire Vulnerability and Exposure Research (VERTs) Capture the Flag contest. Now, I’ll show you how I finished level 2 and successfully completed the challenge. Level 2 Going to the link above results in a registration page (pictured...

Image Today’s VERT Alert addresses 11 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-610 on Wednesday, April 15th. MS15-032 Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE Internet Explorer ASLR...

Image The Android operating system has overthrown the mobile ecosystem, and has taken no prisoners. You can barely walk down the street these days, without seeing consumers completely glued to the screens of their devices. This is the age of instant, unadulterated access to the Internet, email, music and social networking. And Android...

Image Verizon’s annual Data Breach Investigations Report (DBIR), published since 2008, has become one of the most anticipated information security industry reports. Think of it as the Data Breach Bible, as it dissects thousands of confirmed data breaches and security incidents from around the globe into emergent and shifting trends,...

Image We have a problem in the security community – or maybe within the modern information age of humanity in general. That problem is we see security as a technology, policy, privacy or people issue, instead of an integrated combination thereof. However, despite standards, laws, best practices, lessons learned and new technology we...

Image On Tuesday, March 24, Germanwings Flight 9525 crashed into the French Alps. All 150 people onboard were killed. After studying one of the aircraft’s black boxes recovered in the crash, investigators determined that Andreas Lubitz, the co-pilot of Flight 9525, deliberately locked the pilot out of the cockpit and altered the...

Image The first step towards creating a successful security awareness program is to recognize that this is not a project with a defined timeline and an expected completion date, but is instead a development of organizational culture. Akin to “safety first” cultures that develop in manufacturing and other heavy industries, there are...

Image A new Trojan-based campaign is targeting energy companies around the world in an effort to gain access to sensitive information. The majority of companies experiencing attacks are distinctly linked to the petroleum, gas and helium industries located in the Middle East – including UAE, Pakistan, Saudi Arabia and Kuwait. However,...

Image When I was about 10 years old, I read a book about Kevin Mitnick, Pengo and Robert Morris. While their exploits seemed very interesting, each story ended in jail time or at the very least, derailment of career goals. My unsophisticated Internet searching circa the early 2000s led me to the same conclusion. Hacking was a neat...

Image If you've recently found your web browsing plagued by pornographic pop-ups and irritating adverts, there might be a simple - but dangerous - explanation. Maybe hackers have hijacked your internet router? Security researchers at Ara Labs have warned of an active campaign which has seen attackers changing DNS settings on routers,...

Image Banks regularly undergo mandatory stress tests. These tests are clearly defined, and the results are used to determine how well each bank can maneuver through an economic calamity. If we apply the basic blueprint of a financial stress test to an IT infrastructure, we can loosely define it as: “An analysis conducted under...

Image A vulnerability in Cisco IP phones could allow unauthenticated attackers to remotely listen in on the phones’ audio streams. According to an advisory Cisco published on its website, the vulnerability (CVE-2015-0670) results from improper authentication in the default configuration of certain Cisco IP phones. “An attacker could...

Image The printf() family of functions (printf(), fprintf(), sprintf(), etc.) are surprisingly powerful and, if not properly used, can expose a class of vulnerabilities called format string attacks. These attacks can be very bad because with a well-crafted format string, an attacker could write an arbitrary value into an arbitrary...

Image   Vulnerability Description The CVE-2015-0291 vulnerability introduces the possibility of a denial of service attack against a system running OpenSSL 1.0.2. If a malicious client connects to an OpenSSL server and the server requests a certificate from the malicious client, the malicious client can return a malformed cert that...