Image   Patch Tuesday, the unofficial day on which Microsoft regularly releases security updates for its software products, has long been a staple of the information security community. On the second (and sometimes fourth) Tuesday of every month, Microsoft releases a unique set of security bulletins that provide patches for a range of...

Image Cross-Site Scripting (XSS) vulnerabilities can, unfortunately, be found in all types of web-based applications. Indeed, they appear to be rather ubiquitous across the web. XSS falls into the category of code injection vulnerabilities and is a result of web-based applications consuming user-supplied input without proper filtering...

Image   Last week, the information security community was saddened to learn of Joseph Edwards, a 17-year-old secondary school student who committed suicide after his computer became infected with ransomware. Edwards’ computer was corrupted by Reveton (or Police Ransomware), a common type of malware that locks a victim’s computer,...

Image If you’re following threat feeds, you’ve probably heard about GHOST (CVE 2015-0235), the new critical vulnerability that Qualys disclosed yesterday. This vulnerability has been found in glibc, the GNU C library, and it affects all Linux systems dating back to 2000. Redhat listed it on their CVE database as ‘critical’ with a CVSS...

Image   There’s a lot of chatter going on right now related to the GHOST vulnerability that was announced yesterday. Lots of folks are talking about the vulnerability, particularly focused on the threat advisory published by Qualys. However, I thought I would spend a little time looking at the history of this vulnerability and how its...

Image Researchers have discovered a critical vulnerability (CVE-2015-0235) in the Linux GNU C Library (glibc) that could potentially allow attackers to execute code on servers and gain remote control of Linux machines, without the necessary system credentials. This flaw is found in most versions of Linux, in which a buffer overflow...

Image Here's a piece of advice for anyone responsible for securing a corporation's data: If you discover security researcher Randy Westergren is using your app, you had best take a long hard look at whether you are protecting your users' information properly. Because, if you're not, there's a good chance that he might be about to tell...

Image   We’ve looked at the Tripwire IP360 Scoring System and how risk is commonly used in two different scenarios, so I figured it was worthwhile to dive into the other complex element of Tripwire’s scoring: skill. Skill is a term that, even within the IP360 Scoring System, has evolved over the years and it’s worth looking at the...

Image The ever-controversial hacker-turned-millionaire-entrepreneur Kim Dotcom has announced the public beta launch of an end-to-end encrypted audio and video chat service, which he calls MegaChat. Anyone with an account on Mega's file-sharing file-syncing service can now access what is claimed to be a more secure alternative to Skype...

Image Cross-site scripting, commonly referred to as XSS, is listed third in the OWASP Top 10 for 2013 Web Application Security risks. Unlike SQL injection attacks, which target data on the server, XSS provides a vector for attacking the users of a vulnerable web site. At a general level, XSS is when an attacker can cause a web site to...

Image Hacker Halted is an IT security conference with the intention of educating the attendees in security and ethics. Last year, the conference was held in Atlanta on October 16-17. What VERT Presented at Hacker Halted VERT presented an implementation of a protocol independent fuzzer, which was built using python. We developed a...

Image In my last post, I talked about the basics of vulnerability scoring in vulnerability management and the disparity that can exist when you score the subjective elements of a vulnerability. We looked at the variance that can exist within CVSSv2 and how a properly developed score can show a clear difference between two unique...

Image In December of 2011, Tripwire published a list of security’s top 25 influencers. More than three years later, we are pleased to announce a new list for 2015 -- The Infosec Avengers! For each influencer whom we have selected, we include their Twitter handle, blog URL and reasoning for selecting them. We also include their answer...

Image There's little doubt that effectively remediating vulnerabilities is an important part of a comprehensive information security strategy. Vulnerabilities in desktops, servers, laptops and infrastructure are commonly involved in intrusions and incidents. For example, the Chthonic malware designed to steal banking details, exploits...

Image Only one percent of consumers believe using a third-party mobile payment provider, such as Apple Pay or Google Wallet, is a safe way to pay for in-store purchases, reveals Tripwire, Inc. This past holiday season, One Poll and Dimensional Research conducted a consumer survey of over 2,011 consumers in the United States and UK....