Blog


Attacking Automobiles: Inside a Connected Car's Points of Vulnerability

Hacking cars has made big headlines in recent months. Back in July of this year, security researchers Charlie Miller and Chris Valasek won the attention of the information security community and beyond when they successfully hacked a Jeep Cherokee's computer via its Uconnect infotainment system. The duo was able to rewrite the automobile's firmware,...

BSidesDC Preview: Point-of-Sale to Point-of-Fail

I am looking forward to presenting at BSidesDC this weekend, where I'll be giving a talk titled "Point-of-Sale to Point-of-Fail." In my presentation, I will be discussing the recent rash of retail breaches over the past couple of years and how and why they are occurring, and what retailers can do to protect themselves. The epidemic of mega-retail...

VERT IoT Hack Lab: Developing Your Inner Hacker

Getting root is fun, and with IoT gadgets, getting root is generally easy. This is why the IoT Hack Lab @ SecTor will be so much fun! If you still reminisce about (or look forward to) the first time you got root on a device, and you will be in Toronto on October 20-21, visit us at the convention centre where we’ll be set up in the expo hall. Expo...

VERT Threat Alert – October 2015 Patch Tuesday Analysis

Today’s VERT Alert addresses 6 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-638 on Wednesday, October 14th. Ease of Use (published exploits) to Risk Table Automated Exploit Easy ...

VERT Vuln School - SQL Injection 102

In continuing our VERT Vuln School series on SQL Injection vulnerabilities, we’re going to take a look at how attackers can leverage this vulnerability to steal and exfiltrate data. Once we view bob’s account balance page, we notice that there’s another input-field that might be of interest, the...

Core SIEM Use Cases to Consider for Your Environment

If you are reading this article, you are probably aware that Security Incident and Event Management solutions, or SIEMs, are powerful systems that allow IT professionals to gather and analyze activity in a company’s infrastructure through the collection and correlation of logs. Though SIEM solutions have a significant amount of built-in content in...

Secure Computation and The Right to Privacy

In December 1890, Samuel Warren and Louis Brandeis, concerned about privacy implications of the new “instantaneous camera,” penned The Right to Privacy, where they argue for protecting “all persons, whatsoever their position or station, from having matters which they may properly prefer to keep private, made public against their will.” 125 years...

Remote DoS Vulnerability Patched in Huawei 4G USB Modem

Chinese networking telecommunications equipment and services company Huawei has patched a vulnerability in its MBB (Mobile Broadband) product E3272s that if exploited could lead to denial-of-service attacks and remote arbitrary code execution. According to a security bulletin released by the company, "An attacker could send a malicious packet to...

Building a Model for Endpoint Security Maturity

In today's world, our notion of endpoints has evolved from something with a user and a keyboard to something with exploitable vulnerabilities. This conceptualization therefore covers network connections beyond laptops, personal computers and mobile devices. Indeed, vulnerabilities arising from Internet of Things (IoT) appliances; automobiles, such...

VERT Vuln School – SQL Injection 101

SQL injection is arguably the most severe problem web applications face. OWASP, an online community devoted to web application security, consistently classifies injection vulnerabilities as number one on their OWASP Top 10 Project. SQL injection vulnerabilities are a favorite amongst a number of “hacktivist” groups whose aim is to cause disruption in...

Targeted Security Risk Assessments Using NIST Guidelines

What a whirlwind the past few months have been for data security, breaches and hacking events. From the Wyndham v. FTC ruling to yet another breach by a BCBS affiliate, there is increasing pressure across the information security industry to push organizations to perform those pesky security risk assessments touted by the National Institute of...

Securing the Smart Home (and Office)

Today, a segment will air on Crime Watch Daily where Tripwire Senior Security Researcher Craig Young and I reveal on camera how vulnerable smart homes can be when not properly secured. We show firsthand that the key weaknesses in most smart homes are a combination of insecure networks and default configurations, including systems that installers may...

US Navy Develops New System to Protect Ships Against Cyber Attacks

The United States Navy has announced it is currently working on developing a new system aimed at protecting its ships from pervasive Internet attacks, often leading to network spying and confidential data theft. Codenamed the Resilient Hull, Mechanical, and Electrical Security (RHIMES) system, the Office of Naval Research (ONR) revealed the enhanced...

The Top 10 Tips for Building an Effective Security Dashboard

Today, enterprises must grapple with a panoply of numerous and highly sophisticated threats. In response to this dangerous landscape, it is no wonder that businesses are increasingly turning to security dashboards – a powerful communication vehicle for all information security professionals. An effective security dashboard provides personnel,...

VERT IoT Hack Lab @ SecTor

The one-month countdown is on and I figured it was time for a reminder that Tripwire VERT will be at SecTor in the Expo area running an IoT Hack Lab. If you aren’t considering attending SecTor, you really should be. Even if you don’t want to attend the full conference, there’s an Expo Only admission that is free on their website until the start of...

$1M Bounty Announced for iOS 9 Exploits, Jailbreaks

A security firm has announced a one million dollar bounty in reward for anyone who submits exploits and jailbreaks for Apple's iOS 9 mobile operating system. In a blog post published on Monday, Zerodium officially unveiled "The Million Dollar iOS 9 Bug Bounty". "Apple iOS, like all operating system, is often affected by critical security...

SYNful Knock: Opening the Door on Industry Ignorance

UPDATE 9/23/15: VERT has released a script based on FireEye's nping command to report if a host is affected or not. The script is available on the Tripwire VERT GitHub here. For IP360 customers, a variant of this is available as a custom rule. Please contact Tripwire Support or view the TechNote in TCC for details. I’ve always been a big fan of...