Blog

Vulnerability Scoring 103

We’ve looked at the Tripwire IP360 Scoring System and how risk is commonly used in two different scenarios, so I figured it was worthwhile to dive into the other complex element of Tripwire’s scoring: skill. Skill is a term that, even within the IP360 Scoring System, has evolved over the years, and it’s worth looking at the evolution of the word in terms of IP360 and vulnerabilities. To really...

‘Blackhat’ – A Tale of Cyber Security Buffoonery and ‘Human Error’

The movie ‘Blackhat’ succeeds in highlighting the prevalence of security breaches caused by human error. Even so, it fantasizes many aspects of our digital world to help depict an international cyber crisis, and it flubs as a film more generally. ‘Blackhat,’ starring Chris Hemsworth and Viola Davis, is an American action thriller about a former blackhat hacker who is summoned by the FBI to aid in an...

Thousands of U.S. Gas Stations Found Vulnerable to Dangerous Internet Attacks

More than 5,000 devices used to operate gas stations across the United States were found vulnerable to dangerous Internet attacks, revealed a security researcher this week. The flaw was found in the gas stations’ automated tank gauges, or ATGs, which raise alarms indicating an issue with the tank or gauge, such as a fuel spill. The devices also serve to monitor fuel tank inventory levels, track...

Seven-Year-Old Hacks Public WiFi in Under 11 Minutes

As part of a security awareness campaign, a seven-year-old girl was able to successfully hack a public WiFi hotspot in 10 minutes and 54 seconds. Seven-year-old Betsy Davis entered the ethical hacking demo, meaning that a security expert supervised the entirety of the experiment, with only her laptop. She was then able to find out how to hack the controlled environment’s public WiFi using...

Kim Dotcom Reveals His End-to-End Encrypted Video Chat Service, MegaChat

The ever-controversial hacker-turned-millionaire-entrepreneur Kim Dotcom has announced the public beta launch of an end-to-end encrypted audio and video chat service, which he calls MegaChat. Anyone with an account on Mega's file-sharing and file-syncing service can now access what is claimed to be a more secure alternative to Skype, boasting end-to-end encryption. If it does what it claims, MegaChat...

Why We Should Care About STIX & TAXII

I started getting involved in learning about the STIX (more here) and TAXII standards in earnest last year. These emerging standards enable effective sharing of cyber threat data in automated ways between different products, people and organizations. In many ways, that makes me a newcomer to these emerging standards; by that point in time The MITRE Corporation and DHS had completed much of the...

VERT Vuln School: XSS versus XSRF

Cross-site scripting, commonly referred to as XSS, is listed third in the OWASP Top 10 for 2013 Web Application Security Risks. Unlike SQL injection attacks, which target data on the server, XSS provides a vector for attacking the users of a vulnerable web site. At a general level, XSS is when an attacker can cause a web site to render with unintended script content. This script content is...
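The distinction the teaser draws (XSS runs attacker script in the victim's browser; XSRF makes the victim's browser send a request the attacker chose) is easiest to see side by side. The following is an added example and not code from the VERT post: a reflected search page rendered once with the untrusted parameter inserted verbatim and once HTML-escaped, plus a synchronizer-token check of the kind that stops XSRF. The query string, the payload and the in-memory `session` dict are constructed for the example.

```python
import hmac
import html
import secrets
from typing import Optional
from urllib.parse import parse_qs

# Constructed attacker input: a search term carrying a script element.
# A victim who follows a link with this query string has it reflected into the page.
ATTACKER_QUERY = "q=<script>alert(document.cookie)</script>"


def render_vulnerable(query_string: str) -> str:
    """Reflected XSS sink: the 'q' parameter lands in the markup unchanged."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {q}</p>"


def render_safe(query_string: str) -> str:
    """Same page, but the untrusted value is HTML-escaped before it reaches the markup.

    html.escape(quote=True) turns < > & " ' into entities, so the browser renders the
    payload as text instead of executing it.
    """
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def contains_script(rendered_html: str) -> bool:
    """Crude check for the example: did a live <script> element reach the page?"""
    return "<script" in rendered_html.lower()


# XSRF is different: the attacker cannot read the response, only cause the request.
# The synchronizer-token pattern binds each state-changing request to a secret the
# attacker's page cannot know. (Session storage here is a plain dict, an assumption.)

def issue_csrf_token(session: dict) -> str:
    """Mint a per-session token and store it server-side; embed it in the form."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def is_csrf_token_valid(session: dict, submitted: Optional[str]) -> bool:
    """Reject a POST unless it echoes the session's token (constant-time compare)."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ATTACKER_QUERY))
    print("safe:      ", render_safe(ATTACKER_QUERY))
    session = {}
    token = issue_csrf_token(session)
    print("token accepted:", is_csrf_token_valid(session, token))
    print("forged accepted:", is_csrf_token_valid(session, "0" * 32))
```

Escaping fixes the XSS; the token check does nothing for XSS (a script already running in the victim's origin can read the token from the form) and the escaping does nothing for XSRF, which is why the two need separate defenses.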

Hacker Halted... What Is It?

Hacker Halted is an IT security conference with the intention of educating the attendees in security and ethics. Last year, the conference was held in Atlanta on October 16-17. What VERT presented at Hacker Halted: VERT presented an implementation of a protocol-independent fuzzer, built in Python. We developed a fuzzer because we noticed some oddities when we were developing an RDP...

Wingstop Restaurant Investigating Possible Point-of-Sale Systems Breach

The Dallas-based restaurant chain Wingstop has reported that it is currently investigating a possible “data security attack” at four of its franchise locations, with one incident suspected of dating back to 2012. The company announced over the weekend that the potential breach may have allowed attackers to steal payment card information, such as account number, expiration date or cardholder name, from...

ComRAT Spyware Still Evolving, Confirm Researchers

Security researchers have found that the developers of ComRAT, a complex remote administration tool, are still hard at work. Per an article published on its blog, G Data Software was able to successfully identify 46 different samples of the spyware and trace it to as far back as 2007. Some believe that the malware, otherwise known as ‘Turla’ and ‘Snake,’ goes back even further and may have...

Dark Technology: Are You (Unknowingly) Putting Your Organization At Risk?

Within the last 10 years, our communities have become dependent on technology to support their homes and their business relationships. One could even assert that 99.99% of the population in any developed society will be utilising technology in both direct and indirect ways, say by association with the use of online banking, ATMs, on-demand TV and media subscriptions, in-car...

10 Notorious Cyber Criminals Brought to Justice – No. 6

Last week, Tripwire published the story of Albert Gonzalez, a notorious hacker who was arrested in 2010 for his colorful record of cybercrime, including the 2009 breach against Heartland Payment Systems, Inc. that compromised 134 million credit cards. Tripwire now continues its series of some of the most notorious cyber criminals brought to justice with Lin Mun Poo, a Malaysian hacker best known...

Vulnerability in Verizon My FIOS App Allowed Users to Compromise Others’ Email Accounts

On Friday, Verizon patched a vulnerability in its My FIOS app that allowed users to compromise and send messages from other users’ email accounts. The vulnerability was first reported by Randy Westergren, a senior software developer for XDA-Developers. Westergren details in a blog post that he first found the vulnerability while he was proxying requests from his device using the My FIOS Android...

Buying Illegal Goods on the Digital Underground

Recently, Tripwire reported on the launch of ‘Silk Road Reloaded,’ the newest iteration of the Silk Road underground market where users can purchase drugs and fake IDs. The fact that Silk Road has returned is a testament to users’ ongoing ability to purchase illegal goods online, not to mention merchants’ ability to sell these products. After all, as noted in a recent CNBC news article by Ken...

Executive Cyber Intelligence Report: January 16, 2015

This report was prepared by The Institute for National Security Studies (INSS) and The Cyber Security Forum Initiative (CSFI) to create better cyber situational awareness (Cyber SA) of the nature and scope of threats and hazards to national security worldwide in the domains of cyberspace and open source intelligence. It is provided to Federal, State, Local, Tribal, Territorial and private sector...

US and UK Set to Increase Cyber Security Cooperation Via 'Cyber War Games'

The United States and the UK have announced that they will be creating “cyber cells,” intelligence units which will share information and conduct simulated cyber attacks in an effort to enhance the security cooperation between the two countries. “We have got hugely capable cyber defences,” UK Prime Minister David Cameron said about the agreement. “We have got the expertise, and that is why we...

Criminals Are After Your LinkedIn Account - Here is How to Protect it

Regularly in the news we hear about organisations having their Twitter or Facebook accounts compromised by cybercriminals - but they're not the only social media outlets which hackers and fraudsters have an interest in hijacking. Researchers at Symantec have warned this week of an increasing number of phishing emails being spammed out, claiming to come from LinkedIn's support team. Due to...

Vulnerability Scoring 102

In my last post, I talked about the basics of vulnerability scoring in vulnerability management and the disparity that can exist when you score the subjective elements of a vulnerability. We looked at the variance that can exist within CVSSv2 and how a properly developed score can show a clear difference between two unique issues. This time, I want to talk about vulnerability versus risk. This is...

British Hacker Suspected of Defacing CENTCOM Social Media Sites

A Birmingham hacker who is believed to be fighting for the Islamic State in Iraq and Syria, better known as ‘ISIS,’ is suspected of having orchestrated the defacement of U.S. CENTCOM social media accounts earlier this week. Investigators believe that 20-year-old Junaid Hussain helped administrate a Twitter account that operated under the pseudonym “Abu Hussain al Britani,” which was linked to the...

A Request To Threat Intelligence Providers

At Tripwire, we have recently seen increasing interest from our customers in being able to match up file changes found by our products with threat intelligence that comes from a variety of external sources. We have run into a common issue here when we have gotten down to the implementation details, and so I write this post as a plea to all the new, emerging and growing providers of threat...
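The teaser stops before naming the implementation problem, so the example below does not claim to reproduce it. It is an added illustration, not Tripwire code, of the join the post describes: file-change records from a change-detection tool matched against a hash-based indicator feed. The feed entries, the change records, the field names (`type`, `value`, `hash`, `name`) and the assumption that the tool reports only MD5 and SHA-256 are all constructed for the example; the point it makes is that inconsistently labelled indicators need normalizing before they can be matched, and that an indicator in an algorithm the tool never computes can never match at all.

```python
import hashlib
from dataclasses import dataclass

# Infer the algorithm from digest length when a feed omits or mislabels it.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


@dataclass(frozen=True)
class FileChange:
    host: str
    path: str
    hashes: dict   # algorithm -> hex digest, as reported by the change-detection tool


def normalize_indicator(raw: dict):
    """Map a loosely formatted feed record to a canonical (algo, lowercase_hex) key.

    Accepts {'type': 'SHA-256', 'value': 'ABC...'} as well as {'hash': 'abc...'} with
    no type at all. Returns None for records that are not a usable hash.
    """
    value = (raw.get("value") or raw.get("hash") or "").strip().lower()
    algo = (raw.get("type") or "").strip().lower().replace("-", "")
    if algo not in HEX_LEN_TO_ALGO.values():
        algo = HEX_LEN_TO_ALGO.get(len(value))
    if algo is None or not value or not set(value) <= HEX_DIGITS:
        return None
    return algo, value


def build_index(feed: list) -> dict:
    """(algo, digest) -> list of indicator names, dropping records that do not normalize."""
    index = {}
    for raw in feed:
        key = normalize_indicator(raw)
        if key is not None:
            index.setdefault(key, []).append(raw.get("name", "unnamed"))
    return index


def match_changes(changes: list, index: dict) -> list:
    """Every (host, path, algo, indicator) pair where a reported digest hits the feed."""
    hits = []
    for change in changes:
        for algo, digest in change.hashes.items():
            key = (algo.lower(), digest.strip().lower())
            for name in index.get(key, []):
                hits.append((change.host, change.path, key[0], name))
    return hits


def unmatchable(index: dict, reported_algos: set) -> list:
    """Indicators whose algorithm the change-detection tool never reports: dead weight."""
    return sorted(key for key in index if key[0] not in reported_algos)


# Constructed sample data: a "dropper" payload and an unrelated "loader" payload.
DROPPER = b"constructed dropper bytes"
LOADER = b"constructed loader bytes"

CONSTRUCTED_FEED = [
    {"name": "dropper-sha256", "type": "SHA-256",
     "value": hashlib.sha256(DROPPER).hexdigest().upper()},   # mixed case, dashed label
    {"name": "dropper-md5", "hash": hashlib.md5(DROPPER).hexdigest()},  # no type field
    {"name": "loader-sha1", "type": "sha1", "value": hashlib.sha1(LOADER).hexdigest()},
    {"name": "broken", "type": "sha256", "value": "not-a-hash"},   # should be dropped
]

# Assumption for the example: the tool reports MD5 and SHA-256 only, never SHA-1.
TOOL_ALGOS = {"md5", "sha256"}
CONSTRUCTED_CHANGES = [
    FileChange("web01", "/tmp/update.bin",
               {"md5": hashlib.md5(DROPPER).hexdigest(),
                "SHA256": hashlib.sha256(DROPPER).hexdigest()}),
    FileChange("web02", "/etc/motd",
               {"md5": hashlib.md5(b"benign").hexdigest(),
                "SHA256": hashlib.sha256(b"benign").hexdigest()}),
]

if __name__ == "__main__":
    index = build_index(CONSTRUCTED_FEED)
    for hit in match_changes(CONSTRUCTED_CHANGES, index):
        print("HIT", hit)
    for key in unmatchable(index, TOOL_ALGOS):
        print("cannot match (algorithm not reported by tool):", key)
```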