Earlier this month, Tripwire published its final installment of 10 Notorious Cyber Criminals Brought to Justice , a series that sought to demonstrate how law enforcement frequently catches up with individuals who use cyberspace for malicious purposes. Although our series has concluded, we as information security professionals realize that law enforcement will always be working to counter the...

Cyber insurance is a hot topic of many debates today. It is believed to be the long-awaited cure for high-impact security risks, especially in light of constantly evolving privacy legislation and disclosure obligations – but what actually is it? Simply put, cyber insurance is a tool intended to mitigate the loss from information security incidents. The decision to use it, however, should be based...

According to a fellow at Columbia University, companies are not investing significantly more in information security partly because of the influence of moral hazards, or the act of one entity taking risks because others bear the burden of those actions. Benjamin Dean , a staff associate and fellow in cyber-security and internet governance at the Columbia School of International and Public Affairs...

There's bad news for any Windows users who were thinking that the recently-announced FREAK vulnerability wasn't something they had to particularly worry about. When first announced, it was thought that the newly-discovered flaw in SSL/TLS was limited to Apple's Safari and Google's Android web browsers, opening the possibility of hackers and intelligence agencies intercepting HTTPS-protected...

An interesting dialogue came up in my security circles that I believe outlines a fundamental disconnect within organizations developing software products. We have all heard that communication is key, but are the conversations happening at the proper levels to expose a product’s security requirements? The conversation went something like this: (Sales employee): “Developers are not thinking about...

On March 4, the series premiere for the new crime drama CSI: Cyber aired on CBS. The show stars Patricia Arquette, who recently won an Oscar for Best Supporting Actress in a Supporting Role, as Avery Ryan, a behavioral analyst who solves crimes under the FBI Cyber Division. Peter MacNiol, Charley Koontz, Hayley Kiyoko, James Van Der Beek,and Shad Moss co-star as members of Ryan’s team. The first...

Last week, we used the United States’ 2015 National Security Strategy (NSS) as a reference point to analyze “A Strong Britain in an Age of Uncertainty: The National Security Strategy,” the United Kingdom’s 2010 National Security Strategy. Though limited in scope, this comparative analysis revealed a number of important findings, including the UK’s recognition of benefits and challenges of...

Historically, access control has been based on the identity of a user requesting execution of a capability to perform an operation (e.g., read) on an object (e.g., a file). This was done directly either as in Discretionary Access Control or Mandatory Access Control or through predefined attribute types, such as roles or groups assigned to that user as in Role Based Access Control or RBAC. While...

A report explains how Google Play Book publishers that are offering cracked and modded Android APK files as part of fake game guides are exposing users to malware and phishing scams. In a post published on its website, Android Police notes how it has identified at least a dozen sellers of these fake guides, though it concedes that the actual number is likely much greater than that. Some of the...

The term APT ( Advanced Persistent Threat) , like many other acronyms in the world of IT/Information/Cyber Security entered our vocabulary some years ago, along with other partnering phrases, such as Advanced Evasion Techniques (AET), which at the time took the headlines as something new . Whilst these new outlined logical dangers do serve up a very real threat to the modern era of high-dependency...

Tripwire has been getting more involved in connecting its products to threat intelligence services lately. I described the reasons why we care about threat intelligence, particularly STIX and TAXII, in my article last month: Why We Should Care About STIX & TAXII . My colleagues also talked in more specifics about some of the partners Tripwire is working with in the post Threat Intelligence: Reduce...

A security firm has identified a new type of malware that spams a mobile device’s contact list with SMS text messages touting fake Amazon gift card offers. According to an article posted on its blog , AdaptiveMobile states that the malware, dubbed ‘Gazon,’ is quickly becoming “one of the ‘spammiest’ mobile malware outbreaks seen yet.” Gazon employs a shortened link that advertises free Amazon gift...

It was revealed this evening that Hillary Clinton was using a personal email account while serving as the secretary of state. This has raised a number of issues with regards to both compliance and security. Apparently, Clinton chose not to use a government-issued email address despite the Federal Records Act, which only applies to official email accounts created by the government, and are...

Financial gain or fraud was the primary driver of the 11,698 instances of insider privilege abuse – defined as any unapproved or malicious use of organization resources – in last year's Verizon Data Breach Investigations Report. Source: 2014 VDBIR A malicious insider can be detected in a number of ways, and there are both non-technical and technical indicators of risk. Some non-technical...

A new phishing campaign has been targeting European users of the popular video streaming service Netflix. According to security researcher Jovi Umawing from Malwarebytes, the fake website – with the domain nefixx.co.uk – is nearly identical to that of netflix.co.uk, and even offers potential customers a "free trial." The malicious campaign prompts users for personal and payment information when...

In the fall of 2014, Tripwire published a series on the 10 Most Wanted Hackers by the FBI . Each of those articles revealed the extent to which cyber crime has become more sophisticated and threatens online users’ information now more than ever. Given this growing threat, it is understandable that some might feel disheartened by the challenges confronting information security professionals today...

Outsourcing critical aspects of our lives is nothing new. We trust banks to safeguard our money, even though many of us do not trust bankers. We trust taxi cab drivers with our lives, even if we do not know their first name. We do this not out of ignorance but because we trust the overall system that these components work within. With the commoditization of IT, Cloud is proving to be a disruptive...

Cyber criminals are phishing for customers’ sensitive information following a data breach at TalkTalk, a UK Internet service provider. In an email sent to its four million customers, TalkTalk confirmed that “in a small number of cases,” scammers might have compromised customers’ information. “We have now become aware that some limited, non-sensitive information about some customers could have been...

Companies like mine, and consultants like me, have long been instructed and expected to pass on the mantra that the solution to security is compliance with standards and that being in compliance means you are secure. Having worked in the industry for more than a decade, I know that this is demonstrably not true. My hypothesis is that compliance and security need to be seen as two separate entities...

Computer manufacturer Lenovo has been under fire lately after news of an ad-injecting software, known as Superfish , was discovered to come pre-installed on some of its laptops. The issue, which was ongoing for several months, posed significant risk to affected users, as the software installed self-signed root certificates capable of intercepting HTTPS encrypted traffic. Recently, however...