Blog

Marriott Customers' Personal Details Exposed by Simple Web Flaw

Here's a piece of advice for anyone responsible for securing a corporation's data: If you discover security researcher Randy Westergren is using your app, you had best take a long hard look at whether you are protecting your users' information properly. Because, if you're not, there's a good chance that he might be about to tell you what you're doing wrong. Westergren, who has recently uncovered...
Blog

Vulnerability Scoring 103

We’ve looked at the Tripwire IP360 Scoring System and how risk is commonly used in two different scenarios, so I figured it was worthwhile to dive into the other complex element of Tripwire’s scoring: skill. Skill is a term that, even within the IP360 Scoring System, has evolved over the years, and it’s worth looking at the evolution of the word in terms of IP360 and vulnerabilities. To really...
Blog

Kim Dotcom Reveals His End-to-End Encrypted Video Chat Service, MegaChat

The ever-controversial hacker-turned-millionaire-entrepreneur Kim Dotcom has announced the public beta launch of an end-to-end encrypted audio and video chat service, which he calls MegaChat. Anyone with an account on Mega's file-sharing and file-syncing service can now access what is claimed to be a more secure alternative to Skype, boasting end-to-end encryption. If it does what it claims, MegaChat...
Blog

VERT Vuln School: XSS versus XSRF

Cross-site scripting, commonly referred to as XSS, is listed third in the OWASP Top 10 for 2013 Web Application Security Risks. Unlike SQL injection attacks, which target data on the server, XSS provides a vector for attacking the users of a vulnerable web site. At a general level, XSS is when an attacker can cause a web site to render with unintended script content. This script content is...
Blog

Hacker Halted... What Is It?

Hacker Halted is an IT security conference with the intention of educating the attendees in security and ethics. Last year, the conference was held in Atlanta on October 16-17. What VERT Presented at Hacker Halted: VERT presented an implementation of a protocol-independent fuzzer, which was built using Python. We developed a fuzzer because we noticed some oddities when we were developing an RDP...
Blog

Vulnerability Scoring 102

In my last post, I talked about the basics of vulnerability scoring in vulnerability management and the disparity that can exist when you score the subjective elements of a vulnerability. We looked at the variance that can exist within CVSSv2 and how a properly developed score can show a clear difference between two unique issues. This time, I want to talk about vulnerability versus risk. This is...
Blog

Top Influencers in Security You Should Be Following in 2015

In December of 2011, Tripwire published a list of security’s top 25 influencers. More than three years later, we are pleased to announce a new list for 2015 -- The Infosec Avengers! For each influencer whom we have selected, we include their Twitter handle, blog URL and reasoning for selecting them. We also include their answer for what infosec-related superpower they would choose to have. This...
Blog

Six Strategies for Reducing Vulnerability Risk

There's little doubt that effectively remediating vulnerabilities is an important part of a comprehensive information security strategy. Vulnerabilities in desktops, servers, laptops and infrastructure are commonly involved in intrusions and incidents. For example, the Chthonic malware, designed to steal banking details, exploits a known Microsoft Office vulnerability (CVE-2014-1761). While there's...
Blog

Mobile Payment Security Faces an Uphill Battle in 2015

Only one percent of consumers believe using a third-party mobile payment provider, such as Apple Pay or Google Wallet, is a safe way to pay for in-store purchases, reveals Tripwire, Inc. This past holiday season, One Poll and Dimensional Research conducted a consumer survey of over 2,011 consumers in the United States and UK. The survey’s findings include the following: Over a quarter (26 percent...
Blog

Vulnerability Management: Just Turn It Off! Part III

Four unnecessary risks that often appear in even the most secure networks, and step-by-step instructions on how to immediately address these considerable risks that can be hurting the security of your environment.
Blog

Vulnerability Management: Just Turn It Off! Part II

Our last post in the “Turn It Off!” blog series discussed some of the most common and yet unnecessary features that can make your environment more vulnerable, including JBoss JMX consoles, server banners and the Apache HTExploit. These risks are often encountered by our Vulnerability and Exposure Research Team (VERT), even on well-defended networks, and many of them have been around for quite some...
Blog

Friends Don’t Let Friends Mix XSS and CSRF

In preparation for my upcoming talk at BSides SF about finding vulnerabilities, I would like to share today some insights regarding two common types of vulnerabilities which leverage the web browser in two unique ways. The goal of these vulnerabilities is quite different, however. One is used to run untrusted code while the other is used to hijack authentication. The combined effect of these issues can...
Blog

Penetration Testing with Smartphones Part 1

When most people think of penetration testing, they think of a simulated external attack where the tester tries to break into a network remotely. Companies focus most of their security spending and policies on keeping hackers out remotely, using firewalls and other security hardening appliances, software and tools. However, given the proliferation of mobile devices in the workplace and the use of Wi-Fi...