
Security Bytes
This blog covers topics across the spectrum of security, privacy and compliance, as well as the people and issues driving enterprise infosec today.
Recent Posts
- Google focuses more on steering the Android ship than righting it (Senior Reporter, 09 May 2019)
  Google's security and privacy upgrades to Android are mostly forward-thinking changes, readying for a future that is inevitable but unclear, rather than ways to improve security today.
- At RSAC 2019, speculative execution threats take a back seat (News Director, 20 Feb 2019)
  The Meltdown and Spectre vulnerabilities loomed large last year, but RSAC 2019 will have little fodder on speculative execution threats and side-channel attacks.
- Marriott Starwood data breach notification de-values customers (17 Dec 2018)
  The Marriott Starwood data breach exposed half a billion customers' data, but the hospitality giant seems to have learned from recent megabreaches that the standard response to a breach can be the ...
- Are US hacker indictments more than Justice Theater? (Senior Reporter, 30 Nov 2018)
  New hacker indictments and U.S. Treasury Department sanctions highlight the disconnect between government action and real-world consequences for threat actors.
- Breaking down Dell's "potential cybersecurity incident" announcement (News Director, 29 Nov 2018)
  Dell provided some information about a "potential cybersecurity incident" earlier this month, but it's unclear how the company and customers should be reacting.
- Will cybersecurity safety ever equal air travel safety? (29 Nov 2018)
  Guaranteeing cybersecurity safety is one of the biggest challenges facing the tech industry, but using aviation safety as a model may help achieve that goal.
- Android Ecosystem Security Transparency Report is a wary first step (Senior Reporter, 12 Nov 2018)
  Reading through Google's first quarterly Android Ecosystem Security Transparency Report feels like a mix of missed opportunities and déjà vu all over again. Much of what is in the new Android ...
- Google sets Android security updates rules but enforcement is unclear (Senior Reporter, 26 Oct 2018)
  The vendor requirements for Android are a strange and mysterious thing, but a new leak claims Google has added language to force manufacturers to push more regular Android security updates. ...
- Mystery around Trend Micro apps still lingers one month later (News Director, 15 Oct 2018)
  The mystery around the Trend Micro apps that were removed from the Mac App Store continues despite Trend Micro's numerous updates on the matter.
- FBI, DHS blaming the victims on Remote Desktop Protocol (01 Oct 2018)
  FBI, DHS call on users to mitigate Remote Desktop Protocol vulnerabilities and handle RDP exploits on their own, even as the "going dark" campaign continues unabated.
- What the GAO Report missed about the Equifax data breach (News Director, 14 Sep 2018)
  The Government Accountability Office investigated the Equifax data breach, but the GAO's report leaves out several important points about the infamous incident.
- DHS cybersecurity rhetoric offers contradictions at DEF CON (Senior Reporter, 17 Aug 2018)
  The Vote Hacking Village at Defcon 26 in Las Vegas was an overwhelming jumble of activity -- a mock vote manipulated, children hacking election results websites, machines being disassembled -- and ...
- Five things to watch for at Black Hat USA this year (03 Aug 2018)
  As Black Hat USA 2018 approaches, we take a quick look at trends in the conference agenda and sessions not to miss.
- How Dropbox dropped the ball with anonymized data (News Director, 27 Jul 2018)
  Dropbox came under fire for sharing anonymized data with academic researchers after questions emerged about how the data was protected and used.
- Is the new California privacy law a domestic GDPR? (17 Jul 2018)
  The difference between data privacy protections afforded to European Union residents and people in the U.S. is more sharply highlighted now that the EU's General Data Protection Regulation has ...
- Cyber attribution: Why it won't be easy to stop the blame game (News Director, 29 Jun 2018)
  Infosec experts have argued that too much focus is put on cyber attribution, but moving away from publicly identifying threat groups and nation-states may be easier said than done.
- It's GDPR Day. Let the privacy regulation games begin! (30 May 2018)
  GDPR Day -- May 25, 2018 -- has passed, and enforcement is now accepting complaints against companies violating the terms of the EU's new privacy regulation.
- Google I/O's security and privacy focus missing on day one (Senior Reporter, 09 May 2018)
  It's fairly easy to find stories sparking security and privacy concerns regarding a Google product or service — Search, Chrome, Android, AdSense and more — but if you watched or attended Google ...
- Cybersecurity pervasiveness subsumes all security concerns (Senior Reporter, 03 May 2018)
  Given the increased digitization of society and explosion of devices generating data (including retail, social media, search, mobile, and the internet of things), it seems like it might have been ...
- Algorithmic discrimination: A coming storm for security? (News Director, 30 Apr 2018)
  Following several RSA Conference 2018 talks on machine learning and AI, it's worth asking how algorithmic discrimination might manifest in the infosec industry.
- GDPR deadline: Keep calm and GDPR on (27 Apr 2018)
  With the GDPR deadline looming, companies may still be scrambling to do "something" about it, but with less than 30 days to go the best move for many may be to wait and watch, and perhaps just ...
- CrowdStrike unveils Meltdown exploit in unusual fashion (News Director, 19 Apr 2018)
  At RSA Conference 2018, CrowdStrike demonstrated a new Meltdown exploit that can harvest sensitive data such as passwords even on systems that are patched.
- FedRAMP security requirements put a premium on automation (News Director, 17 Apr 2018)
  Matt Goodrich, director for the Federal Risk and Authorization Management Program, detailed FedRAMP security requirements and automation at RSA's Cloud Security Alliance Summit.
- Privacy protections are needed for government overreach, too (News Director, 31 Mar 2018)
  Following the Facebook-Cambridge Analytica controversy, major tech companies pledged to defend users from corporate data misuse, but they're ignoring a more serious privacy threat.
- Apple GDPR privacy protection will float everyone's privacy boat (30 Mar 2018)
  With its embrace of new tools for protecting consumer privacy, Apple GDPR privacy protection will be available to all users as the EU's new privacy protection legislation is set to start ...
- RSA Conference keynotes miss the point of diversity (Associate Site Editor, 27 Mar 2018)
  RSA Conference keynotes now include a handful of distinguished women, but very few will be speaking about cybersecurity, falling short of truly equal representation.
- Facebook's 2FA bug lands social media giant in hot water (News Director, 23 Feb 2018)
  Facebook came under fire after a two-factor authentication bug sent non-security notifications to users' phones, sparking a debate about media coverage and 2FA adoption.
- Symantec's untrusted certificates: How many are still in use? (News Director, 08 Feb 2018)
  A security researcher found that a significant number of popular websites are still using untrusted certificates from Symantec, which will be invalidated this year.
- Blizzard security flaw should put game developers on notice (News Director, 26 Jan 2018)
  A newly discovered Blizzard security bug, which affected all of the company's popular PC games including Overwatch, should serve as a warning for the video game industry.
- The strange case of the 'HP backdoor' in Lenovo switches (News Director, 18 Jan 2018)
  Lenovo's discovery of an authentication bypass, literally titled "HP backdoor," within its networking switches brings unsettling implications for the IT industry.
- Intel keynote misses the mark on Meltdown and Spectre vulnerabilities (News Director, 09 Jan 2018)
  With CEO Brian Krzanich's keynote at the 2018 Consumer Electronics Show, Intel missed an opportunity to address the Meltdown and Spectre vulnerabilities.
- Official TLS 1.3 release date: Still waiting, and that's OK (29 Dec 2017)
  Protocol scrutiny is good for the upcoming TLS 1.3 update, as the process continues to expose, and fix, problems.
- After 2017, data breach fatigue should be a thing of the past (News Director, 28 Dec 2017)
  Data breach fatigue should be put on hold after the Equifax data breach and Uber hack taught us painful lessons about enterprise security shortcomings.
- OWASP Top Ten: Surviving in the cyber wilderness (07 Dec 2017)
  The latest version of the OWASP Top Ten web application risks is much like previous versions, and that's not a bad thing at all.
- The CASB market is (nearly) gone but not forgotten (News Director, 30 Nov 2017)
  A series of acquisitions has drastically reduced the number of stand-alone cloud access security brokers and reshaped the CASB market for years to come.
- Uber data breach raises unsettling questions for infosec (News Director, 22 Nov 2017)
  The Uber data breach episode is another black eye for the ride-sharing company, but the cover-up raises troubling implications for the infosec community.
- The Equation Group malware mystery: Kaspersky offers an explanation (News Director, 31 Oct 2017)
  Kaspersky Lab finally explained how it came to possess Equation Group malware, but does the company's latest statement answer enough questions about the ongoing drama?
- Is "responsible encryption" the new answer to "going dark"? (31 Oct 2017)
  "Three may keep a Secret, if two of them are dead." So wrote Benjamin Franklin, in Poor Richard's Almanack, in 1735. Franklin knew a thing or two about secrets, as well as about cryptography, given ...
- Latest Kaspersky controversy brings new questions, few answers (News Director, 20 Oct 2017)
  The Kaspersky controversy continued this week as the antivirus company responded to several explosive news stories about its relationship with the Russian government.
- FBI's Freese: It's time to stop blaming hacking victims (News Director, 29 Sep 2017)
  The FBI's Don Freese spoke at the (ISC)2 Security Congress this week about the need to end the practice of blaming hacking victims. But will infosec professionals listen?
- DerbyCon cybersecurity conference is unique and troubling (Senior Reporter, 22 Sep 2017)
  Walking up to the DerbyCon 7.0 cybersecurity conference, it immediately has a very different feel from the "major" infosec conferences. Attendees would never be caught loitering outside of the Black Hat ...
- Fearmongering around Apple Face ID security announcement (Senior Reporter, 15 Sep 2017)
  As fears grow over government surveillance, the phrase "facial recognition" often triggers a bit of panic in the public, and some commentators are exploiting that fear to overstate any risks ...
- Project Treble is another attempt at faster Android updates (Senior Reporter, 23 Aug 2017)
  Google has historically had a problem with getting mobile device manufacturers to push out Android updates, which has left hundreds of millions in the Android ecosystem at risk. Google hopes that ...
- The Symantec-Google feud can't be swept under the rug (News Director, 08 Aug 2017)
  The Symantec-Google feud regarding the antivirus vendor's web certificate practices appears to be over. But that doesn't mean it should be minimized or ignored.
- Symantec certificate authority aims for more delays on browser trust (06 Jun 2017)
  Is the Symantec certificate authority operation too big to fail? That seems to be the message the security giant is sending in its latest response to a proposal from the browser community to turn ...
- Verizon DBIR 2017 loses international contributors (Senior Reporter, 03 May 2017)
  Looking at the overall numbers for the contributors to the Verizon Data Breach Investigations Report (DBIR) from the past five years, it would seem like the number of partners is hitting a plateau, ...
- RSA Conference 2017: Are software regulations coming for developers? (News Director, 24 Feb 2017)
  Security expert Bruce Schneier said programmers' freedom to code whatever they want will likely come to an end. Should the industry brace itself for software regulations?
- Christopher Young: Don't sleep on the Mirai botnet (News Director, 15 Feb 2017)
  RSA Conference 2017 was full of talk about future IoT attacks, but Intel Security's Christopher Young said the Mirai botnet is still an enormous threat and demonstrated why that is.
- Five things to watch at RSA Conference 2017 (News Director, 08 Feb 2017)
  With no single trend or theme dominating at RSA Conference 2017, this year's show will still have plenty of material on machine learning, IoT security and much more.
- How cloud file sharing is creating new headaches for security teams (News Director, 30 Nov 2016)
  A sharp rise in cloud file sharing and collaboration activity is creating big problems for security teams, even when the number of security incidents is minuscule.
- Android malware delivery is harder than you might think (Senior Reporter, 26 Oct 2016)
  Headlines about Android malware often gloss over just how difficult the process is for a user to install a malicious app on a device. Let's talk about that.
- Patent race picks up speed in the cloud access security broker market (News Director, 06 Oct 2016)
  SkyHigh Networks was awarded another patent for its CASB platform. The newest patent is for technology for managing encrypted enterprise data used in cloud applications and services.
- Windows 10 Anniversary update adds headaches for antivirus vendors (News Director, 31 Aug 2016)
  The antivirus industry has been under fire lately, and Microsoft's Windows 10 Anniversary update has added new troubles for antivirus software vendors.
- Netskope nabs another patent for CASB technology (News Director, 18 Aug 2016)
  Netskope's second patent for its cloud access security broker technology illustrates how the CASB market is evolving and what that means for potential investors and suitors.
- Environment variables: Should they be considered harmful? (21 Jul 2016)
  In the wake of the httpoxy vulnerability, should environment variables be considered harmful? Perhaps, but they are just so useful.
- The healthcare industry is making it far too easy for hackers (News Director, 30 Jun 2016)
  Hospitals and healthcare organizations are far too vulnerable to cyberattacks, and a recent healthcare security study shows the issue isn't just outdated legacy technology -- medical professionals ...
- What Symantec's acquisition of Blue Coat says about the CASB market (News Director, 17 Jun 2016)
  Symantec's $4.65 billion acquisition of Blue Coat Systems could lead to a dramatic shift at the antivirus vendor, but what does the deal mean for the cloud access security broker space?
- Sorry Mr. Snowden -- encryption isn't the only path to security (Senior Reporter, 24 May 2016)
  Encryption shouldn't be used to protect people from themselves, especially if it gets in the way of innovation.
- Throwing money at the cybersecurity problem? (20 May 2016)
  According to market forecasts, more companies are investing in cybersecurity and that spending is likely to increase dramatically in the next few years. MarketsandMarkets has forecast cybersecurity ...
- EMM software on every device? MobileIron makes the case (News Director, 13 May 2016)
  MobileIron's enterprise mobile management software wasn't installed on the iPhone of San Bernardino shooter Syed Rizwan Farook. Was that the right move?
- Vulnerability branding becomes another marketing tool (Senior Reporter, 08 Apr 2016)
  Vulnerability branding was once a practice that elevated understanding of flaws and potentially led to better remediation, but now serves as little more than marketing for security researchers.
- RSA Conference 2016: An opportunity to take a stand (News Director, 24 Feb 2016)
  The technology industry has allowed the debate over encryption and "going dark" to get out of hand. But it can start to right that wrong at RSA Conference next week.
- Morphisec plans to bring back endpoint security – with a twist (News Director, 29 Jan 2016)
  Security startup Morphisec has introduced a new approach to defending endpoint devices that turns the tables on attackers. Here's how the company's "moving target defense" technology works.
- How millennials can be the saviors -- not the scourge -- of the security staffing shortage (Associate Site Editor, 27 Jan 2016)
  The security industry is suffering from a complex staffing shortage, and the dreaded millennials might just be the answer to this problem. Some in the industry disagree because "millennial" is a ...
- Cybersecurity and CES 2016: A comedy of omissions (News Director, 08 Jan 2016)
  CES 2016 has come to a close, and once again the mega-trade show had little to offer in terms of information security. Here's why that's bad news.
- The transaction that lasts forever (03 Apr 2015)
  Whether or not you think Bitcoin has a future, it has a couple of very interesting technological elements that will probably have a life of their own. The aspect that everyone talks about is that ...
- Why Hillary can't mail (04 Mar 2015)
  Reporting by The New York Times notwithstanding, it appears to this non-lawyer that Hillary Clinton probably didn't break any laws by using a personal email account to conduct state business. But ...
- When is an ISAC not an ISAC? (18 Feb 2015)
  A lot of what went on at the White House Summit on Cybersecurity and Consumer Protection, held at Stanford University last week, was for show — a reaction in particular to the attacks allegedly ...
- Prevoty offers context-aware, automatic RASP (13 Feb 2015)
  Though I'll admit to a bit of skepticism about Runtime Application Self Protection (RASP), I was nevertheless impressed with a recent look at Prevoty. The two-year-old company's product, which ...
- Trojan exploiting MS08-067 RPC vulnerability (R.I.S.C. Associates, 24 Oct 2008)
  There are reports emerging Friday morning of a new Trojan exploiting the MS08-067 RPC vulnerability in Windows that Microsoft patched with an emergency fix yesterday. Known as Gimmiv.A, the Trojan ...