News

News

• May 13, 2016 13 May'16

  FBI asked for responsible disclosure of Tor vulnerability

  A court filing is asking the FBI for responsible disclosure of the Tor vulnerability used to exploit the Tor browser and de-anonymize users during a criminal investigation.

• May 13, 2016 13 May'16

  Google insider data breach exposed employee personal info

  Roundup: Google experiences an insider data breach, but the data leakage is cleaned up by a conscientious benefits manager. Plus, the FDIC reports five 'major' incidents, and more.

• May 13, 2016 13 May'16

  DHS warns on actively exploited SAP Java vulnerability

  DHS US-CERT warns of a patched SAP Java vulnerability from 2010 that has enabled breaches at three dozen global enterprises due to configuration issues.

• May 12, 2016 12 May'16

  Senate asks President Obama for a cyber act-of-war definition

  A new bill from the Senate asked President Obama for a cyber act-of-war definition in order to enable a proper response following a cyberattack.

• May 12, 2016 12 May'16

  EU regulatory critics, Rule 41 pose threat to Privacy Shield

  The new Privacy Shield framework for transatlantic data flows faces challenges from Article 29 Working Party criticism, as well as U.S. changes to Rule 41 for computer searches.

• May 11, 2016 11 May'16

  Ransomware warning issued to Congress following attack

  Representatives in Congress have received a ransomware warning following an increased number of attacks perpetrated via phishing schemes.

• May 10, 2016 10 May'16

  May 2016 Patch Tuesday: IE zero-day patch tops the list

  Microsoft's May 2016 Patch Tuesday takes aim at an IE zero-day vulnerability, which experts say is the top priority, as well as a couple server-side flaws to keep an eye on.

• May 10, 2016 10 May'16

  U.S. intelligence agencies cut off from Twitter firehose

  Twitter ordered its business partner Dataminr to cut off the Twitter firehose feed access for U.S. intelligence agencies, but experts expect the NSA won't miss much.

• May 06, 2016 06 May'16

  Commercial code riddled with open source vulnerabilities

  Roundup: Customers, vendors both unaware of unpatched open source vulnerabilities in commercial software. Plus OpenSSL patches, warrantless wiretaps and more.

• May 05, 2016 05 May'16

  DARPA to build a cyber attribution system to ID criminals

  DARPA has decided to take on one of the most difficult tasks in cybersecurity -- building a cyber attribution system to be able to identify attackers and maybe prevent attacks.

• May 03, 2016 03 May'16

  Craig Wright fails, again, to prove he's the bitcoin creator

  Craig Wright's second attempt to prove he's the bitcoin creator, Satoshi Nakamoto, was debunked after fooling the mainstream press, but his motives are still a mystery.

• April 29, 2016 29 Apr'16

  Apple/FBI battle continues over iPhone vulnerabilities

  More fallout from the Apple/FBI conflict: The second iPhone suit was dropped; the FBI can't provide details of a tool used to unlock the San Bernardino shooter's phone.

• April 28, 2016 28 Apr'16

  PCI DSS 3.2 focuses on encryption and multifactor authentication

  PCI DSS 3.2 marks the start of refining the payment data regulations, rather than minor changes, and includes requirements to strengthen encryption and multifactor authentication.

• April 26, 2016 26 Apr'16

  Verizon DBIR 2016 shows we haven't learned how to improve security

  The 2016 Verizon DBIR skimps on data breach analysis and instead focuses on common issues, such as phishing, vulnerability management and access controls, which are still befuddling IT pros.

• April 26, 2016 26 Apr'16

  Simple, yet undetectable Windows AppLocker bypass discovered

  A Windows command-line utility dating back to XP, Regsvr32, reportedly enables a simple and virtually undetectable Windows AppLocker whitelist bypass.

• April 22, 2016 22 Apr'16

  'Going dark' battle moves to Congressional encryption hearing

  Experts face off in Congress over 'going dark' encryption debate, stake out positions on security, privacy and government access; polls show support for strong encryption.

• April 21, 2016 21 Apr'16

  Oracle patches now more critically rated with CVSS 3.0

  Oracle patches 136 security flaws in various products and a number of vulnerabilities were rated more critical because of a switch to CVSS 3.0.

• April 21, 2016 21 Apr'16

  JBoss vulnerability highlights dangers of unpatched systems

  Up to 3.2 million servers with unpatched JBoss vulnerability from 2010 are open to spread ransomware through networks; experts urge keeping up with software patches to stay safe.

• April 21, 2016 21 Apr'16

  Google's second Android Security Report is a mixed bag

  The second annual Android Security Report details a number of ways Google has been working to improve security on its mobile platform but also highlights persistent problems.

• April 19, 2016 19 Apr'16

  Apple won't patch zero days so uninstall QuickTime now

  DHS says users need to uninstall QuickTime for Windows immediately as Apple quietly sends the software to its end of life following the disclosure of two zero-day flaws.

• April 15, 2016 15 Apr'16

  Microsoft fights to notify users of FBI surveillance

  Microsoft has sued the Department of Justice in an effort to be allowed to notify users of FBI surveillance requests; expert worried about continuous surveillance.

• April 15, 2016 15 Apr'16

  Burr-Feinstein draft bill fuels encryption debate

  The encryption debate continues with release of the official draft of Burr-Feinstein 'Compliance with Court Orders Act of 2016' mandating court order compliance.

• April 14, 2016 14 Apr'16

  Badlock vulnerability proves a bust for responsible disclosure

  The much-hyped Badlock bug is still important to patch, but raised issues with celebrity vulnerability promotion and responsible disclosure of security vulnerabilities.

• April 12, 2016 12 Apr'16

  April 2016 Patch Tuesday: Badlock isn't a priority

  Microsoft's April 2016 Patch Tuesday includes a patch for Badlock, a vulnerability which experts call "overhyped," but the most important patches may need extra care to apply.

• April 12, 2016 12 Apr'16

  WordPress SSL now free for hosted sites, thanks to Let's Encrypt

  Customers with hosted sites will now have WordPress SSL turned on for free by default, thanks to Let's Encrypt certificates, potentially making a large number of websites more secure.

• April 08, 2016 08 Apr'16

  Encrypted messaging for all, as WhatsApp encryption announced

  WhatsApp encryption was turned on for all types of messaging, including group chats, which advanced the conversation on 'going dark,' as new encryption legislation draft goes public.

• April 08, 2016 08 Apr'16

  Vulnerability branding becomes another marketing tool

  Vulnerability branding was once a practice that elevated understanding of flaws and potentially led to better remediation, but now serves as little more than marketing for security researchers.

• April 07, 2016 07 Apr'16

  OSVDB shutdown leaves questions for vulnerability databases

  OSVDB shutdown, blamed on lack of community support and engagement, raises questions about whether open source vulnerability databases can work and how they can be improved.

• April 05, 2016 05 Apr'16

  Gmail BREACH attack gets much faster but still easy to stop

  Security researchers updated BREACH attack that would allow a Facebook Messenger or Gmail breach to be performed much faster, but the overall risk is limited.

• April 01, 2016 01 Apr'16

  Apple-FBI suit dropped, but crypto wars continue

  Roundup: After the Apple-FBI suit, ACLU reports U.S. ramping up crypto wars with All Writs suits for at least 63 iOS, Android devices; Senator Wyden stands up for strong crypto.

• April 01, 2016 01 Apr'16

  Can cybersecurity spending protect the U.S. government?

  CNAP articulates the right things, as many U.S. government cyber initiatives do, but what has captured the attention of the Beltway is the billion-dollar budget proposals.

• April 01, 2016 01 Apr'16

  What endpoint protection software is on your short list?

  Roughly half of survey respondents indicated that their organization is shifting away from static scanning as the primary protection for endpoints.

• March 31, 2016 31 Mar'16

  Ransomware vaccine promises protection, but experts are wary

  A new ransomware vaccine promises to protect against infections by popular ransomware variants like Locky and TeslaCrypt, but experts are wary about implementation and security.

• March 31, 2016 31 Mar'16

  Badlock flaw hits Samba, Windows and responsible disclosure

  The serious Badlock vulnerability in Windows and Samba, announced three weeks prior to patches, triggers a debate over responsible disclosure of software flaws.

• March 29, 2016 29 Mar'16

  Report: 1.5 million Verizon Enterprise customer records stolen

  Krebs on Security reports 1.5 million customer contact records were swiped from Verizon Enterprise Solutions and offered for sale on Dark Web; customers are at risk for phishing attacks.

• March 29, 2016 29 Mar'16

  DOJ finds successful iPhone crack; drops backdoor bid, for now

  The DOJ found a successful iPhone crack to access the San Bernardino, Calif., terrorist's device and dropped the pending legal action against Apple, but only in that one case.

• March 25, 2016 25 Mar'16

  Congress considers 'going dark' encryption legislation

  Roundup: Sens. Dianne Feinstein and Richard Burr seek support for an encryption legislation draft, as U.S. politicians consider their options to address the 'going dark' problem.

• March 25, 2016 25 Mar'16

  Outbreak of ransomware attacks hit hospitals, enterprises

  A series of ransomware attacks have been reported at hospitals in the U.S. and Canada, leading to experts recommending automated backup for enterprises.

• March 24, 2016 24 Mar'16

  FBI iPhone backdoor case on hold, as potential hack surfaces

  The FBI iPhone backdoor case was put on hold temporarily, as reports surfaced of a possible hack that would allow FBI access without the help of Apple.

• March 21, 2016 21 Mar'16

  Stagefright exploit created with reliable ASLR bypass

  Researchers have developed a Stagefright exploit, which could mean hundreds of millions of Android devices are at risk, despite mitigations and an available patch.

• March 18, 2016 18 Mar'16

  Apple court filing challenges iPhone backdoor as rhetoric heats up

  The rhetoric about the iPhone backdoor from Apple and the FBI has gotten more intense as Apple challenged the FBI in court by calling its motion unconstitutional.

• March 18, 2016 18 Mar'16

  Google boosts HTTPS, Certificate Transparency to encrypt Web

  Roundup: Google pushes efforts on HTTPS, Certificate Transparency and more to safeguard the Web with encryption, while other tech firms are eyeing more, stronger encryption.

• March 18, 2016 18 Mar'16

  Automated penetration testing prototype uses machine learning

  A team created a prototype machine learning vulnerability scanner that can think like a human in order to perform automated penetration testing.

• March 16, 2016 16 Mar'16

  Phishing campaign takes ransomware attacks to a global scale

  Research has uncovered ransomware attacks that begin with a sophisticated phishing campaign hitting users around the globe.

• March 16, 2016 16 Mar'16

  Java vulnerability report strains responsible disclosure

  A security researcher reports Oracle's 30-month-old failed patch for a Java vulnerability, and experts suggest it was an irresponsible disclosure, despite frustration with Oracle's patching process.

• March 11, 2016 11 Mar'16

  DROWN attack: TLS under fire again

  News roundup: DROWN attack affects millions of servers with an SSLv2 vulnerability; the Home Depot breach lawsuit settlement is pending; and Chinese smartphone-maker ZTE is sanctioned.

• March 09, 2016 09 Mar'16

  Crowdsourced vulnerability patching could save us all

  Patching systems can be time-consuming and troublesome, so one expert suggests crowdsourced vulnerability patching to make the process faster and easier.

• March 08, 2016 08 Mar'16

  March 2016 Patch Tuesday highlights Windows 10 security

  Microsoft's March 2016 Patch Tuesday release has put Windows 10 security on display for good and bad, experts say.

• March 04, 2016 04 Mar'16

  AI may soon find and patch a software bug automatically

  The cybersecurity industry is getting closer to artificial intelligence that can find and patch software bugs automatically, but that same tech could lead to autonomous hacking.

• March 04, 2016 04 Mar'16

  McCaul pitches encryption commission to solve 'going dark' problem

  Rep. Michael McCaul makes the case for encryption commission legislation as an answer to the 'going dark' problem in the face of global cyberthreats.

• March 03, 2016 03 Mar'16

  Military-grade security focuses on isolation and action

  Presenters at the RSA Conference 2016 said military-grade security for enterprise networks is possible by taking a zero-tolerance policy to network traffic.

• March 03, 2016 03 Mar'16

  Cybersecurity checklist a strategy tool for increasing attack costs

  The U.S. Cyber Consequences Unit rolled out a new version of its cybersecurity checklist, which it claims will help reduce attacks by increasing the costs of those attacks.

• March 03, 2016 03 Mar'16

  Admiral Rogers, chief of U.S. Cyber Command, seeks cooperation

  Private sector cooperation with the government is key to successful protection against cyberthreats, says U.S. Cyber Command chief Michael Rogers in an address to RSA Conference 2016.

• March 03, 2016 03 Mar'16

  DOD announces 'Hack the Pentagon' bug bounty program

  Defense Secretary Ashton Carter announces the 'Hack the Pentagon' bug bounty program and new Defense Innovation Advisory Board to be headed by Eric Schmidt.

• March 03, 2016 03 Mar'16

  Government encryption backdoor debate is more nuanced at RSAC

  RSAC panelists had a spirited and nuanced debate about government encryption backdoors, and the topic is more difficult to parse than expected.

• March 02, 2016 02 Mar'16

  Cybercrime trends point to growing sophistication

  Sophos' James Lyne warns that cybercriminals are becoming more effective, thanks to document-based malware and advanced social engineering techniques.

• March 02, 2016 02 Mar'16

  Bruce Schneier on IBM grabbing him up with Resilient Systems

  Bruce Schneier chats with SearchSecurity during lunch at RSAC about IBM's plans to acquire Resilient Systems to complete their security offering.

• March 02, 2016 02 Mar'16

  Diffie, Hellman win Turing Award; cryptography research update

  Diffie, Hellman receive Turing Award and experts review cryptography research, Apple vs. FBI, Juniper backdoors, quantum crypto and the future of cryptography.

• March 01, 2016 01 Mar'16

  Incident response procedures speed discovery-response time

  Many companies become aware of a security event but take hours or days to perform triage and finally remediate it. Incident response procedures can vary based on the organization, and the type of security incident, which could involve DDoS attacks, ...

• March 01, 2016 01 Mar'16

  Yoran: Solve cybersecurity challenges with creativity, encryption

  Amit Yoran kicked off RSAC 2016 by publicly backing strong encryption, denouncing the 'going dark' debate and calling for more creativity in cybersecurity.

• March 01, 2016 01 Mar'16

  Microsoft sounds the bell for strong encryption, privacy

  Microsoft's top lawyer criticized the U.S. government's efforts to undermine strong encryption, and called on the industry to support and defend the technology.

• March 01, 2016 01 Mar'16

  Security incident handling: Prepare to find answers

  CISOs work in stressful scenarios. Before you face executives armed with questions about security incident handling, it's time to formulate some of your own.

• February 26, 2016 26 Feb'16

  Lines drawn in iPhone backdoor case; Apple gets backup

  The public debate surrounding the iPhone backdoor case heats up; Apple and the FBI clarify their messages; and Apple gets legal support from major tech companies.

• February 26, 2016 26 Feb'16

  Microsoft EMET vulnerability turns tool against itself

  Roundup: Microsoft EMET is vulnerable to exploit; it's time to update to v5.5.Plus; Dell, IBM and Gemalto research reports claim cybercriminals are getting smarter, bigger and faster.

• February 24, 2016 24 Feb'16

  RSA Conference 2016: An opportunity to take a stand

  The technology industry has allowed the debate over encryption and "going dark" to get out of hand. But it can start to right that wrong at RSA Conference next week.

• February 19, 2016 19 Feb'16

  PCI DSS 3.2 marks the end of major updates to the standard

  The PCI council has determined its data security standard is finally mature enough to forego significant updates, so PCI DSS 3.2 will be more of an incremental modification.

• February 19, 2016 19 Feb'16

  DHS posts CISA rules for reporting cyberthreat indicators

  Roundup: DHS posts first pass at guidelines for cyberthreat indicator reporting under CISA. Plus, the U.S. planned a major cyberattack against Iran if nuclear diplomacy had failed, and more news.

• February 18, 2016 18 Feb'16

  RSA Conference 2016 preview: IoT and encryption take center stage

  The Internet of Things once again dominates the agenda at RSA Conference 2016, but experts say there will be other hot topics, including the growing debate between IT and the government over encryption backdoors.

• February 18, 2016 18 Feb'16

  Data breach lawsuits indicate a troubling trend for enterprises

  Data breaches are becoming more and more common -- as are class-action lawsuits from affected customers and employees. So, what are the costs of data breach lawsuits?

• February 17, 2016 17 Feb'16

  Security startups vie for honors in RSA Innovation Sandbox

  The RSA 2016 Innovation Sandbox competition highlights the top security startups, but only one will be awarded title of 'RSA Conference 2016's Most Innovative Startup.'

• February 17, 2016 17 Feb'16

  Court rules Apple needs iPhone backdoor; Tim Cook opposes

  A court order has ruled that Apple needs to create an iPhone backdoor to unlock the device used by the gunman in the San Bernardino killings, but Tim Cook opposed the ruling.

• February 16, 2016 16 Feb'16

  Ransomware attack causes internal emergency at Hollywood hospital

  The FBI, along with the LAPD, began investigating a ransomware attack at a Hollywood hospital that has crippled the facility's operations and could cost millions.

• February 16, 2016 16 Feb'16

  RSA Conference 2016 special coverage: News and analysis

  Find out what's happening in the information security industry with breaking news by the SearchSecurity team at RSA's 2016 conference in San Francisco.

• February 12, 2016 12 Feb'16

  Study: IT staff pressured to buy useless cybersecurity products

  A new study found that IT managers feel pressured to purchase new cybersecurity products even if they don't have the skills to implement the technology properly.

• February 12, 2016 12 Feb'16

  Uncertainty over Privacy Shield as Facebook faces penalties

  Roundup: Details are uncertain for the EU-U.S. Privacy Shield framework, as Facebook is charged with privacy violations in France over the use of the now-illegal Safe Harbor framework; more news.

• February 11, 2016 11 Feb'16

  IRS hack leveraged stolen Social Security numbers

  An IRS hack has compromised thousands of tax returns, and the attack was made possible through the use of stolen Social Security numbers.

• February 10, 2016 10 Feb'16

  Congress Republicans rebuff Obama cyber budget effort

  Obama ups spending by 35% in the 2017 cyber budget, adds a federal CISO and pushes multifactor authentication, but still faces stiff Republican opposition in Congress.

• February 09, 2016 09 Feb'16

  February 2016 Patch Tuesday: IE Flash vulnerabilities get a bulletin

  Microsoft's February 2016 Patch Tuesday release goes after Adobe Flash vulnerabilities and more Windows Journal flaws.

• February 09, 2016 09 Feb'16

  Social engineering attack leads to leaked info on 20,000 FBI agents

  A hacker took advantage of insufficient authentication protocols within the DOJ to perform a social engineering attack, resulting in leaked info on 20,000 FBI agents.

• February 05, 2016 05 Feb'16

  Researchers offer motive behind China cyberattacks

  Roundup: A new report may explain China's cyber targeting of health insurers. Plus, malware activity shows a big rise at year-end; more software vulnerabilities were reported.

• February 04, 2016 04 Feb'16

  Former CIA/NSA director Hayden supports strong encryption

  Former CIA and NSA director General Michael Hayden came out in favor of strong encryption but representatives in Congress and the Senate are continuing to pursue encryption backdoor legislation.

• February 03, 2016 03 Feb'16

  Costly government cybersecurity system needs major changes

  A new report on the EINSTEIN government cybersecurity system concluded that it is only 'partially meeting its stated system objectives,' and needs some major changes.

• February 01, 2016 01 Feb'16

  Threat defense, hybrid clouds and 'connections others miss'

  We often talk about shifts in information security from advanced threats to emerging technology defenses, but this year marks a few major turning points.

• February 01, 2016 01 Feb'16

  Security attack? 2016 defenses focus on damage control

  What methods are attackers using to find vulnerabilities in corporate networks? Are these security attacks really advancing? We look at the latest hacking techniques and find out from top security researchers how malware and advanced cyberthreats ...

• February 01, 2016 01 Feb'16

  Harvard report: Metadata means there is no 'going dark' for the FBI

  A new report from Harvard said data 'going dark' in the face of strong encryption shouldn't be a problem for law enforcement and intelligence agencies.

• February 01, 2016 01 Feb'16

  Readers' top picks for DLP products

  The companies and DLP products that organizations consider, when they seek to address compliance and data security requirements across multiple platforms and environments.

• January 29, 2016 29 Jan'16

  Deadline looms for Safe Harbor framework successor

  Roundup: As the deadline looms to replace the Safe Harbor data-sharing framework, the U.S. and EU continue to make progress; Senate is ready to vote on the Judicial Redress Act.

• January 29, 2016 29 Jan'16

  OpenSSL patch fixes encryption flaw and strengthens Logjam defense

  A new OpenSSL patch fixes a severe encryption flaw and strengthens the protocol against the Logjam vulnerability.

• January 29, 2016 29 Jan'16

  Morphisec plans to bring back endpoint security – with a twist

  Security startup Morphisec has introduced a new approach to defending endpoint devices that turns the tables on attackers. Here's how the company's "moving target defense" technology works.

• January 28, 2016 28 Jan'16

  Oracle closing an attack vector by deprecating the Java browser plug-in

  Oracle announced plans to deprecate the Java browser plug-in, a noted attack vector, though the choice was not entirely its own.

• January 27, 2016 27 Jan'16

  Congress demands Juniper backdoor audits by government agencies

  Congressional oversight committee wants to know which U.S. government agencies used firewalls that may have been affected by the recently uncovered Juniper backdoor vulnerability.

• January 26, 2016 26 Jan'16

  Fortinet SSH vulnerability more widespread than thought

  Fortinet denies that a vulnerability found in many of its products is a true backdoor, but finds that the flaw is more widespread than once thought.

• January 22, 2016 22 Jan'16

  Will California ban smartphone encryption?

  News roundup: California mulls a ban on encrypted smartphone sales; France backs away from encryption backdoors; EU and U.K. privacy regulations; key escrow fail and more.

• January 21, 2016 21 Jan'16

  Linux kernel vulnerability has unknown risk, but Google has fix

  A newly found Linux kernel vulnerability has garnered big headlines. Google said the risk to Android has been overstated, and experts are unsure about the danger to the wider Linux ecosystem.

• January 20, 2016 20 Jan'16

  Cisco Security Report: Dwell time and encryption security struggles

  The Cisco Security Report for 2016 covered a lot of ground and adds to the encryption debate by noting that increased encryption creates more challenges for cybersecurity.

• January 19, 2016 19 Jan'16

  David Chaum's cMix: New tool for anonymity on the Internet

  David Chaum presents Internet anonymity tool PrivaTegrity, using the cMix mix network for reliable, high-performance Internet anonymity and protection against attacks or unauthorized backdoors.

• January 18, 2016 18 Jan'16

  DHCP servers must be patched against denial-of-service attacks

  The Internet Systems Consortium released a critical patch for DHCP servers that fixed a flaw that could lead to denial-of-service attacks.

• January 15, 2016 15 Jan'16

  Trend Micro Password Manager flaw; backdoors and passwords

  In this roundup, Trend Micro's Password Manager flamed over JavaScript flaw; Android malware breaks two-factor authentication; Cisco vulnerabilities; Juniper backdoor update and more.

• January 14, 2016 14 Jan'16

  Microsoft Silverlight patch might be a Hacking Team zero day

  A Microsoft Silverlight patch becomes more important as researchers claim it may be a Hacking Team zero day that has been known for years.

• January 12, 2016 12 Jan'16

  January 2016 Patch Tuesday: Address-spoofing patch starts the new year

  Microsoft's January 2016 Patch Tuesday started the year with the IE end of life for older versions of the browser and an important address-spoofing patch.