Blog

Remote File Overwrite Vulnerability Patched by Cisco in IMC Supervisor, UCS Director

Cisco has patched a remote file overwrite vulnerability in its Integrated Management Controller (IMC) Supervisor and UCS Director products. On Thursday, Cisco issued an advisory that explains how a vulnerability in JavaServer Pages (JSP) input validation routines of both the IMC Supervisor and UCS Director products could be exploited by a remote, unauthenticated attacker to produce system...

What's On Your Network?

You can't protect what you don't know about. It may seem trite to bring out that cliché, but the fact is that it remains relevant in information security today. So much of what we do in this industry is about discovery, whether it's discovery of assets, discovery of vulnerabilities, or discovery of an existing compromise. As information security professionals, we often play the role of a high-tech...

Study Finds Finance, HR Staff Pose Biggest Security Risks to the Enterprise

According to recent research, employees in the finance and human resources departments are seen as the most likely to cause a data breach. The study, which polled more than 500 information technology decision makers and 4,000 employees in the US, UK, Germany and Australia, found that nearly half of respondents (46%) believe finance departments pose the biggest security threat to the...

Netflix's Sleepy Puppy Tool Helps Researchers Track XSS Propagation

Netflix has released a new tool called Sleepy Puppy that helps security researchers capture, manage, and track cross-site scripting (XSS) propagation over extended periods of time. Two application security researchers for the movie-streaming service, Scott Behrens (@helloarbit) and Patrick Kelley (@monkeysecurity), created the Sleepy Puppy tool to address a critical weakness in traditional XSS...

Detecting Man-in-the-Cloud (MitC) Attacks with Adaptive Threat Protection

Imperva has published some pretty interesting research on how an attacker might use cloud-based file synchronization services to exfiltrate data and deliver malware to systems inside an organization. The TL;DR of this attack is that a malicious adversary can steal and replace the authentication token for these services, allowing them to effectively both retrieve and plant files on the target...

WHSmith Data Breach Sends Customers' PII Out Via Email

British retailer WHSmith has suffered a data breach that has resulted in users' personally identifiable information (PII) being sent out to hundreds of customers' inboxes. According to The Guardian, personal information including names, phone numbers, and email addresses that users typed into the retailer's contact form was not sent to the company but was instead delivered to its entire mailing...

The Ashley Madison Hack – A Timeline (Updated: 9/10/15)

Ashley Madison, a website for those who are interested in committing adultery, has made headline after headline in recent weeks after a hacking group penetrated its servers and published the information of all 37 million users online. As of this writing, it is believed that this incident dates back to mid-July of 2015. The timeline below recounts all of the major developments of this ongoing...

U.S. Secret Service Agent Admits to Impeding Silk Road Investigation, Stealing Bitcoin

A former United States Secret Service agent has admitted in court that he stole Bitcoin from drug dealers and attempted to hinder an investigation into Silk Road, the underground dark web market. On Monday, Shaun Bridges, 33, appeared in federal court in San Francisco and pleaded guilty to money laundering and the obstruction of justice, reports The Guardian. Between...

Attacks Might Be Sophisticated, But So Can Be Your Defense Mechanisms

When working in security, the top priority is to protect your organization’s business-critical data from cyber attacks. You know that your traditional security mechanisms are in place – the database is secure; you have implemented audit trails and encryption on sensitive data, and you instituted pretty tight access control. Anti-virus solutions are in place, patches are applied systematically, and...

North Dakota Legalizes Weaponized Drones for Law Enforcement

North Dakota was named the first U.S. state authorizing local police departments to fly drones with “less-than-lethal” weapons, including tasers, sound cannons, teargas and non-penetrating firearms, after the passage of House Bill 1328 last week. The initial proposal of the legislation, introduced by Rep. Rick Becker, was aimed at requiring police to obtain search warrants before using drones to...

Three Vulnerabilities in SIMATIC HMI Devices Patched by Siemens

Siemens, a leading producer of systems for power generation and transmission as well as medical diagnosis, has patched three vulnerabilities affecting a variety of SIMATIC HMI devices. The multinational technology company was first alerted to the vulnerabilities, among them two Schneider kits and a number of remote and local exploits, by the Quarkslab team and Ilya Karpov of Positive...

Security Slice: Confessions of a Professional Cyber Stalker – Part One

Tripwire senior security analyst, and frequent Security Slice guest, Ken Westin recently gave a popular presentation at DEF CON 23 called “Confessions of a Professional Cyber Stalker.” In his presentation, Ken discussed the various technologies and methods he has developed to track criminals, which has led to at least two dozen convictions. Listen to this special two-part Security Slice...

Threat Modeling 101: Ten Common Traps Not to Fall Into

As part of Tripwire’s Threat Intelligence University webcast series, we recently had the pleasure of hosting industry expert and renowned author Adam Shostack, who shared with us how threat modeling can effectively drive security through your product, service or system. Shostack has championed several security start-ups and previously led Microsoft’s Software Development Lifecycle (SDL). His latest...

Four Common Scenarios for Dormant Functionality in Malware

Malware is continually evolving to meet the challenges posed by security researchers and antivirus software. Recently, malicious programs have begun to incorporate evasive behaviors, which include four of the most common anti-detection techniques: 1) environmental awareness, 2) confusing automated tools, 3) timing-based evasion, and 4) obfuscating internal data. The way in which malware integrates...

Agora, the dark web's biggest marketplace, shuts over Tor privacy fears

Where would the dark web be without Tor? Probably in the bright, uncomfortable spotlight of law enforcement if it doesn't find an alternative method of cloaking itself. Agora, the dark web site that grabbed the dubious honour of being the world's most popular online drugs marketplace following the shutdown of Silk Road and Silk Road 2.0, has announced that it is "pausing" operations. The reason...

FireEye Intern Pleads Guilty to Selling Dendroid Malware on Darkode

A former intern at FireEye has pleaded guilty to selling the Dendroid malware on the underground web forum Darkode. According to The Register, Morgan Culbertson, 20, of Pittsburgh recently pleaded guilty to his crimes before a Pittsburgh federal judge. "I committed the crime, so I am responsible," Culbertson told Senior U.S. District Judge Maurice Cohill Jr. on Tuesday. "I understand what I did...

Exploiting the Social Media Security Conundrum

It is 2015, and social media is everywhere. It is embedded in your smartphone, and its logos are printed on nearly every product packaging. A few years ago, having an online presence by way of a website for a company was enough. Today, consumers expect a company to have a presence on the App Store, Play Store and every social media platform out there. It has become a way of social proof for both...

What Does it Mean to Wipe a Drive?

At a recent press conference, U.S. Presidential candidate Hillary Clinton was asked if she wiped the drive that came out of her now infamous personal e-mail server. She responded: “What, like, with a cloth?” Please note that I will never make a public political comment. That is not my area of interest. I would like to take a moment, however, to explain exactly what happens when hard drives stop...

Report: Phishing Scams Cost Companies Millions Per Year

The average organization could potentially spend up to $3.7 million per year responding to phishing attacks, says a new report issued by the Ponemon Institute. The study, which surveyed nearly 400 IT professionals at companies with employees ranging from less than 100 to more than 75,000, found that the majority of phishing costs (48 percent) are due to loss of employee productivity. According...

Ticking the Box Is Not Enough

Up until this month, I wasn't aware of Ashley Madison's site or the nature of the services they offered – what may be described as ‘RaaS’ (Relationships as a Service). However, since this organisation has come to my attention, I have conducted research and completed interviews for BBC TV, the radio, news publications, and a host of other agencies, which serve non-IT/cyber security related audiences...