News

News

• August 23, 2016 23 Aug'16

  Hospital cybersecurity failing to encrypt transmitted health records

  New research found a number of troubling issues with hospital cybersecurity, including transmitting unencrypted health records and failing to deploy cybersecurity measures.

• August 23, 2016 23 Aug'16

  Leaked Cisco security vulnerability found in NSA exploit stockpile

  A Cisco security vulnerability affecting routers was found in the Shadow Brokers cyberweapon dump, and it may have been used by the NSA for years to decrypt VPN traffic.

• August 19, 2016 19 Aug'16

  Fallout from Equation Group cyberweapons leak continues to mount

  Mystery continues to surround the Shadow Brokers' release of Equation Group vulnerability exploits and hacking tools, as vendors scramble to patch zero days.

• August 19, 2016 19 Aug'16

  Dell: Machine learning security hard to explain, harder to beat

  Dell's Brett Hansen explains why machine learning security is better than signature-based detection and how it can stop emerging threats.

• August 19, 2016 19 Aug'16

  Google AdSense malware silently delivers to Android users

  Google AdSense malware has been silently delivered to Android devices, but the danger seems to be mitigated by Google itself.

• Sponsored News

  • It’s Time to Modernize Your SOC

    Sponsored by Microsoft - With the shift to remote work caused by COVID-19, Security Operations Centers (SOCs) are under more pressure than ever, particularly with many SOC workers also working from home. Today’s reality is that SOCs have to embrace a new way of working in order to keep their analysts and admins effective and to ensure that morale doesn’t collapse under the weight of too much work and pressure. See More

  • 6 Factors to Consider in Building Resilience Now

    Sponsored by Microsoft - COVID-19 has been, and continues to be, a stark reminder of the importance of business resilience. Organizations of all types and sizes have had to adjust to rapidly changing and unpredictable circumstances: A shift to remote work, supply chain disruptions, new digitally driven business models and an environment where uncertainty is the rule, not the exception. See More

  • Why Zero Trust, Why Now

    Sponsored by Microsoft - The concept of a Zero Trust cybersecurity architecture has been around for more than a decade, but adoption didn’t really begin to take hold until the past couple of years. As with many technology innovations, it hasn’t always been clear just what Zero Trust is all about and, more important, how to implement it easily and cost effectively. See More

  • 5 Best Practices To Secure Remote Workers

    Sponsored by Microsoft - The impact of COVID-19 has changed the dynamics and landscape of remote work for at least the foreseeable future and, probably, forever. All of a sudden, organizations across all industries had to scale remote workers at unprecedented intensity and speed. See More

  View All Sponsored News
• August 18, 2016 18 Aug'16

  SWIFT banking execs admit to ignoring security before hacks

  The SWIFT banking system had a number of high-profile hacks earlier this year, and execs are now admitting they ignored security issues until it was too late.

• August 18, 2016 18 Aug'16

  Netskope nabs another patent for CASB technology

  Netskope's second patent for its cloud access security broker techhnology illustrates how the CASB market is evolving and what that means for potential investors and suitors.

• August 17, 2016 17 Aug'16

  PGP collision attack on Linux creator highlights flaws with short IDs

  A PGP short ID collision attack on the creator of Linux brings to light a flaw that experts have known about for years with short ID keys.

• August 17, 2016 17 Aug'16

  Windows Bash could open the door to more Linux-based attacks

  Will Windows 10's new native version of the Ubuntu Linux command line, Windows Bash, enable new attack vectors? Experts weigh in on Windows Subsystem for Linux.

• August 16, 2016 16 Aug'16

  New Vawtrak Trojan variant leverages SSL pinning, HTTPS

  Fidelis Cybersecurity reports notorious Vawtrak banking Trojan gets upgrades to increase security and evade detection, including SSL pinning and domain generation algorithm.

• August 16, 2016 16 Aug'16

  Equation Group cyberweapons auctioned off; WikiLeaks promises release

  Cyberweapons purportedly stolen from the NSA-linked Equation Group have been put up for auction; WikiLeaks promises it will publish a 'pristine copy in due course.'

• August 15, 2016 15 Aug'16

  DNC forms cybersecurity advisory board after breach

  Following an embarrassing data breach, the Democratic National Committee has formed a cybersecurity advisory board, but experts have questioned the pedigree of board members.

• August 15, 2016 15 Aug'16

  Windows Secure Boot broken after Microsoft leaks golden key

  Microsoft accidentally released the golden key for Windows Secure Boot, causing a serious security issue for the company despite putting only less popular devices at risk.

• August 12, 2016 12 Aug'16

  White House aims to secure open source government programs

  The White House unveils a new open source government policy and new research estimates the government's zero-day exploit stockpile to be smaller than expected.

• August 11, 2016 11 Aug'16

  Risk & Repeat: Highlights and lowlights from Black Hat 2016

  In this Risk & Repeat podcast, SearchSecurity editors discuss the good and bad news from Black Hat 2016 in Las Vegas, including critical flaws in web protocols.

• August 09, 2016 09 Aug'16

  Browser vulnerabilities, Office flaws lead August 2016 Patch Tuesday

  Microsoft's August 2016 Patch Tuesday focuses on critical browser vulnerabilities in Edge and Internet Explorer, as well as flaws with Microsoft Office and PDF Library.

• August 09, 2016 09 Aug'16

  More DDoS DNS amplification attacks use SSDP than NTP

  Black Hat: New research finds DDoS DNS amplification attacks are more likely to use SSDP than NTP and DDoS attacks may generally be smaller than reported.

• August 09, 2016 09 Aug'16

  Bluetooth LE security hit with GATTack at Black Hat

  Amid varying attacks targeting IoT devices at Black Hat 2016, a new software proxy offered leverage against the latest Bluetooth LE security protections.

• August 09, 2016 09 Aug'16

  Oracle MICROS breached, password reset recommended

  Oracle's MICROS PoS systems breached, possibly by Carbanak cybergang; Oracle issues mandatory password reset for customers.

• August 05, 2016 05 Aug'16

  Security of HTTP/2 protocol takes big hit at Black Hat 2016

  Black Hat researchers report flaws in key web protocols, demonstrating widespread flaws in HTTP/2 implementations; Banner Health announces breach affecting 3.7 million.

• August 05, 2016 05 Aug'16

  Apple starting its own bug bounty program with big rewards

  Apple will be starting a bug bounty program for researchers who find critical vulnerabilities in iOS or iCloud and offer big rewards.

• August 05, 2016 05 Aug'16

  Government data requests have little legal backing say experts

  Experts find law enforcement data requests have little legal support and suggest enterprises use independent judgment when deciding whether to comply or push back.

• August 04, 2016 04 Aug'16

  EMV cards, PIN pads vulnerable to man in the middle attacks

  Researchers at Black Hat 2016 poked holes in chip and PIN security by demonstrating simple attacks that can intercept EMV card transaction data, including CVV codes and PINs.

• August 03, 2016 03 Aug'16

  Black Hat 2016 keynote: We need sharing, not competition, in security

  Black Hat 2016 keynote speaker Dan Kaminsky called for more information sharing and in security and more long-term public work in the cybersecurity space.

• August 03, 2016 03 Aug'16

  Barclays replaces passwords with voice authentication

  Barclays is offering U.K. retail banking customers the option to do voice authentication instead of using passwords, with voiceprints that are as unique as fingerprints.

• July 29, 2016 29 Jul'16

  Android security boosted with memory protection of Linux kernel, more

  Google details how it is improving Android security with better memory protections and reduction of the Linux kernel's attack surface.

• July 29, 2016 29 Jul'16

  White House unveils federal cybersecurity plan and attack rating system

  The White House's new federal cybersecurity plan outlines the responsibilities of each agency in a cyberattack and creates a rating system to determine the severity of an attack.

• July 29, 2016 29 Jul'16

  Researchers uncover malicious probing of Tor hidden services

  Researchers discovered attempts to snoop on dark web servers through malicious changes to Tor Project hidden services directories.

• July 28, 2016 28 Jul'16

  Dell: Signature-based detection must give way to machine learning

  Dell's Brett Hansen discusses his company's new approach to advanced threat protection, which leaves behind signature-based detection and embraces machine learning.

• July 27, 2016 27 Jul'16

  LastPass security flaws put passwords at risk; patch rolling out

  Problems with LastPass security might have been improperly disclosed, putting user passwords at higher risk, but the flaws have already been fixed, with an update rolling out now.

• July 27, 2016 27 Jul'16

  KeySniffer vulnerability enables eavesdropping on wireless keyboards

  The KeySniffer wireless vulnerability goes beyond the similar MouseJack flaw in exposing users of inexpensive wireless keyboards to sniffing, injection attacks.

• July 26, 2016 26 Jul'16

  Experts say NIST deprecating SMS 2FA is long overdue

  America's National Institute for Standards and Technology is advising the deprecation of using SMS-based two-factor authentication in order to improve security.

• July 22, 2016 22 Jul'16

  Oracle CPU fixes record crop of critical flaws in quarterly patchfest

  Oracle patches its biggest batch yet of security fixes in this quarter's CPU cycle.

• July 22, 2016 22 Jul'16

  DNS DDoS attack shuts down Library of Congress websites for three days

  A DNS DDoS attack hit the Library of Congress, disrupting various Library services and websites for three days before IT staff was able to restore normal functionality.

• July 21, 2016 21 Jul'16

  FBI accused of avoiding FOIA requests in the name of security

  A lawsuit against the Department of Justice claims the FBI is using outdated technology in order to avoid fulfilling FOIA requests.

• July 20, 2016 20 Jul'16

  Flaw in ASN.1 compiler potentially critical, hard to find

  A critical flaw was discovered in the ASN.1 compiler used by leading telecommunications and networking vendors, and the extent of the vulnerability has yet to be determined.

• July 18, 2016 18 Jul'16

  Responsible disclosure of latest named vulnerability, 'httpoxy'

  Responsible disclosure wins as researchers roll out branded website for 'httpoxy,' a set of vulnerabilities in server-side web apps that use the HTTP_PROXY variable.

• July 18, 2016 18 Jul'16

  John Curran explains benefits of IPv6 connectivity progress

  John Curran, ARIN chief, explains IPv6 connectivity progress and gives compelling security arguments in favor of IPv6 support sooner rather than later.

• July 15, 2016 15 Jul'16

  FDIC found hiding multiple APT attacks and more from investigators

  An investigation by a federal committee found the FDIC had multiple breaches, including an APT attack, spanning years but hid the hacks from Congress.

• July 15, 2016 15 Jul'16

  EU member states approve EU-U.S. Privacy Shield data flow framework

  The EU-U.S. Privacy Shield framework takes effect, replacing Safe Harbor for transatlantic data flows; U.S. beefs up Cyber Command.

• July 14, 2016 14 Jul'16

  John Curran explains the importance of IPv6 connectivity

  A year after the depletion of the IPv4 address space, ARIN chief John Curran talks about IPv6 benefits, the IPv6 NAT conundrum and the importance of offering IPv6 connectivity.

• July 14, 2016 14 Jul'16

  New 'ransomware' variant proves there's no honor among thieves

  A new 'ransomware' variant, which could be considered more scareware, doesn't encrypt files at all and instead deletes data and tricks victims into paying anyway.

• July 13, 2016 13 Jul'16

  Pokémon GO reveals full account access flaw for Google authentication

  The wildly popular Pokémon GO mobile game obtained a full account access token to iOS users' Google accounts, revealing a major issue with Google's OAuth authentication system.

• July 12, 2016 12 Jul'16

  July 2016 Patch Tuesday is more about Adobe Reader bugs than Microsoft

  Adobe Reader bugs take center stage for the July 2016 Patch Tuesday, as Microsoft has a smaller bulletin list of fixes for its products.

• July 12, 2016 12 Jul'16

  SWIFT banking security adds a dedicated cyberintelligence team

  SWIFT attempts to improve banking security include partnerships with two cybersecurity firms, and the creation of a new Customer Security Intelligence team.

• July 08, 2016 08 Jul'16

  Avast purchase of AVG shows uncertainty in antivirus market

  Avast purchased competitor AVG to improve consumer and enterprise products, but one expert said the purchase price proves the antivirus market may be on the decline.

• July 08, 2016 08 Jul'16

  Microsoft calls for independent body to address cyber attribution

  In a move to support the development of global cybersecurity norms, Microsoft calls for improved cyber attribution to identify cyberattack perpetrators.

• July 08, 2016 08 Jul'16

  Risk & Repeat: More critical Symantec vulnerabilities emerge

  In this Risk & Repeat podcast, SearchSecurity editors discuss a new Google Project Zero report on yet another round of critical Symantec vulnerabilities.

• July 07, 2016 07 Jul'16

  New EU GDPR privacy regulation set to take effect in 2018

  As the new General Data Protection Regulation privacy regulation looms, many firms face new rules and challenges to protect the privacy of EU citizens, regardless of location.

• July 07, 2016 07 Jul'16

  Android full-disk encryption is flawed enough for government work

  Vulnerabilities on devices with Qualcomm chipsets can allow Android full-disk encryption to be bypassed by malicious actors or law enforcement.

• July 06, 2016 06 Jul'16

  FBI says Hillary Clinton's email setup was irresponsible, not illegal

  The FBI gave a scathing review of Hillary Clinton's email setup, using personal servers for sensitive federal information, but deemed her actions were not illegal.

• July 01, 2016 01 Jul'16

  House Homeland Security Committee proposes encryption debate commission

  The House Homeland Security Committee officially proposed the creation of a commission to study both sides of the encryption debate and provide official recommendations.

• July 01, 2016 01 Jul'16

  Enterprise encryption strategies rise as firms' use of encryption grows

  Report: Enterprise encryption is on the rise as firms embrace use of encryption strategies; also, new Bart ransomware, IRS drops e-file PIN tool, and more.

• June 30, 2016 30 Jun'16

  The healthcare industry is making it far too easy for hackers

  Hospitals and healthcare organizations are far too vulnerable to cyberattacks, and a recent healthcare security study shows the issue isn't just outdated legacy technology -- medical professionals ...

• June 29, 2016 29 Jun'16

  Nearly 10 million hospital patient records for sale on dark web market

  Nearly 10 million patient records have been posted for sale on a dark web market, putting the personally identifiable information of many at risk for abuse.

• June 29, 2016 29 Jun'16

  Google Project Zero exposes more critical Symantec vulnerabilities

  A raft of new Symantec and Norton antivirus vulnerabilities exposed by Google Project Zero are 'as bad as it gets,' according to Tavis Ormandy: RCE, no user interaction and wormable.

• June 27, 2016 27 Jun'16

  Intel reportedly considering selling its security business

  New reports suggest Intel may be looking into selling off its security business, and experts are unclear whether it means Intel's McAfee acquisition has gone sour.

• June 27, 2016 27 Jun'16

  NASCAR race team hit with ransomware attack

  Hit by a ransomware attack, a NASCAR race team paid to restore data worth millions, then called on Malwarebytes to secure their systems -- and Malwarebytes joined up as a sponsor.

• June 24, 2016 24 Jun'16

  Cyber attribution relies on human intelligence, not technical info

  Experts said human intelligence was the key to the cyber attribution effort for the Democratic National Committee attack, which confirmed Russian agents were to blame.

• June 24, 2016 24 Jun'16

  FBI surveillance access with National Security Letter unchanged, for now

  U.S. Senate fails to pass National Security Letter regulation to enhance warrantless FBI surveillance access to metadata, including email headers and browser history.

• June 22, 2016 22 Jun'16

  Activists, DOJ spar over Rule 41 changes to enhance FBI searches

  EFF and privacy activists oppose Rule 41 changes, while the Department of Justice claims the changes do not alter 'traditional protections' under the Fourth Amendment.

• June 21, 2016 21 Jun'16

  Acer's e-commerce website hit by a customer data breach

  Computer maker Acer was hit by a customer data breach of its e-commerce website, leaving approximately 34,500 customers' contact and payment information exposed for about a year.

• June 20, 2016 20 Jun'16

  CIA chief denies encryption backdoor effect on U.S. business

  The director of the CIA denied that a government-mandated encryption backdoor would have an effect on U.S. business, but experts said the statement ignores the global market.

• June 17, 2016 17 Jun'16

  DNC hack raises questions about cyber attribution methods

  The hack of the Democratic National Committee has called into question methods for cyber attribution after the alleged attacker comes forward.

• June 17, 2016 17 Jun'16

  FBI facial recognition systems draw criticism over privacy, accuracy

  GAO report blasts FBI facial recognition programs over privacy and accuracy concerns; FBI systems offer access to over 411 million photos from federal and state sources.

• June 17, 2016 17 Jun'16

  What Symantec's acquisition of Blue Coat says about the CASB market

  Symantec's $4.65 billion acquisition of Blue Coat Systems could lead to a dramatic shift at the antivirus vendor, but what does the deal mean for the cloud access security broker space?

• June 16, 2016 16 Jun'16

  Russian hacker arrests linked to ransomware and exploit kit shutdowns

  The Lurk group hacker arrests in Russia came at the same time as the shutdown of a major exploit kit, ransomware family and botnet, but no one is sure if it is coincidence or causation.

• June 15, 2016 15 Jun'16

  SAP vulnerability, reported in 2010, finally patched

  SAP vulnerability patched, finally: The Java flaw was originally patched in 2010 but became the subject of an unprecedented US-CERT alert in May.

• June 15, 2016 15 Jun'16

  Ransomware worm raises concerns for enterprise security

  In this Risk & Repeat podcast, SearchSecurity editors break down the discovery of the ZCryptor ransomware worm and what it means for future ransomware threats.

• June 14, 2016 14 Jun'16

  Adobe Flash zero-day overshadows June 2016 Microsoft Patch Tuesday

  Microsoft's June 2016 Patch Tuesday release is not the most important of the day according to experts, instead another Adobe Flash zero-day vulnerability gets the spotlight.

• June 14, 2016 14 Jun'16

  Ransomware attack, education highlight 2016 Information Security Summit

  User education, ransomware attacks and cyberliability insurance are among the hot topics for infosec attendees at the annual 2016 Information Security Summit.

• June 13, 2016 13 Jun'16

  Symantec acquisition of Blue Coat shakes up security industry

  Symantec agreed to acquire Blue Coat Systems for $4.65 billion, with Blue Coat CEO Greg Clark taking over as new CEO of the combined company.

• June 10, 2016 10 Jun'16

  Mozilla Secure Open Source Fund to aid developers with audits

  Mozilla created the Secure Open Source Fund to help developers perform security audits on software in an effort to reduce the potential of another Heartbleed or Shellshock.

• June 10, 2016 10 Jun'16

  Ransomware attack hits UCalgary as CryptXXX devs up their game

  As the University of Calgary contends with a ransomware attack, the actors behind CryptXXX are rolling out patches and upgrades and attackers are shifting from Angler to Neutrino EK.

• June 09, 2016 09 Jun'16

  TeamViewer hacks have everyone placing blame

  A rash of TeamViewer hacks has led to confusion concerning what the issues are and who is responsible for user security in this case.

• June 09, 2016 09 Jun'16

  Petraeus slams encryption backdoors, supports Apple

  Speaking at the Cloud Identity Summit, Gen. David H. Petraeus blasted the FBI's recent efforts to compel Apple to break the company's own encryption protection.

• June 08, 2016 08 Jun'16

  SWIFT banking system boosts security following cyberattacks

  Following a number of attacks on the SWIFT banking system that led to the theft of millions of dollars, SWIFT promised new rules to improve security for bank transfers.

• June 07, 2016 07 Jun'16

  Angler exploit kit skips Microsoft EMET to subvert Flash, Silverlight

  FireEye researchers spotted the Angler exploit kit bypassing the current Microsoft EMET version 5.5 security tool running on Windows 7 to subvert Flash and Silverlight.

• June 03, 2016 03 Jun'16

  SandJacking attack enables installation of rogue apps on iOS devices

  Roundup: The new SandJacking attack technique allows attackers with physical access to iOS devices to install rogue apps. Plus, more on medical software security and Privacy Shield obstacles.

• June 02, 2016 02 Jun'16

  Crypto-confusion: The search for the real bitcoin creator continues

  In this Risk & Repeat podcast, SearchSecurity editors discuss Craig Wright's failed effort to prove he is bitcoin creator Satoshi Nakamoto and what that means for cryptocurrency.

• June 02, 2016 02 Jun'16

  Lack of bug bounty programs won't deter cyber extortion attacks

  IBM reports 30 'bug poaching' cyber extortion attacks in the past year, as black hat hackers aim to "help" enterprises by exploiting SQL injection vulnerabilities.

• June 01, 2016 01 Jun'16

  Microsoft warns of rare ransomware worm

  Microsoft warned users of a rare ransomware worm affecting older versions of Windows, but experts are wary of the recommended mitigation technique.

• May 27, 2016 27 May'16

  House Reps tackle Rule 41 to limit government hacking

  US Reps. Poe and Conyers join Sen. Wyden's fight against changes to Rule 41 that would remove limits on government hacking, introduce companion bill to quash changes.

• May 27, 2016 27 May'16

  'Ingenious' attack mixes memory deduplication with Rowhammer

  Researchers demonstrated an exploit that combines rare attacks on memory deduplication and Rowhammer in order to allow an adversary access to read or write system memory.

• May 27, 2016 27 May'16

  RSA: Cloud visibility, analytics crucial to enterprises

  RSA's Rashmi Knowles spoke with SearchCloudSecurity about enterprises struggling with security visibility, and how analytics and data science can help.

• May 26, 2016 26 May'16

  Retiring obsolete SHA-1 and RC4 cryptographic algorithms, SSLv3 protocol

  Microsoft speeds deprecation of SHA-1, Google dropping support for RC4, SSLv3, as web software publishers approach end of life for obsolete cryptographic algorithms and protocols.

• May 26, 2016 26 May'16

  New spec aims to improve DNS privacy with TLS

  In order to stop metadata snooping by law enforcement and hackers, a proposed spec aims to improve DNS privacy with TLS.

• May 24, 2016 24 May'16

  Lieu, Hurd school House colleagues on cyberhygiene, defense

  Former computer science majors Lieu and Hurd wrote to their U.S. House of Representatives colleagues, urging improved awareness of cyber risks and cyberhygiene.

• May 24, 2016 24 May'16

  Paul Vixie on IPv6 NAT, IPv6 security and Internet of Things

  Internet pioneer Paul Vixie spoke with SearchSecurity about IPv6 NAT, IPv6 and the Internet of Things, and the long, thankless path to deploying IPv6.

• May 24, 2016 24 May'16

  Sorry Mr. Snowden -- encryption isn't the only path to security

  Encryption shouldn't be used to protect people from themselves, especially if it gets in the way of innovation.

• May 24, 2016 24 May'16

  Android N security updates leave unanswered questions

  Google unveiled the next version of its mobile OS, and Android N security will be improved in a few ways, although Google still can't fix OS updates.

• May 20, 2016 20 May'16

  Senate bill would quash unlimited Rule 41 government hacks

  Rule 41 changes face bipartisan opposition in Senate with the Wyden-Paul bill to rein in the expansion of authority to let the government hack unlimited numbers of devices with a single warrant.

• May 19, 2016 19 May'16

  ImageMagick calls into question responsible disclosure reporting

  The ImageTragick bug raises questions over responsible disclosure, as the flaw in the ImageMagick image-processing library exposes millions of websites to remote code execution.

• May 19, 2016 19 May'16

  TeslaCrypt master key release confounds experts

  In a move that surprised and confused experts, the TeslaCrypt master key was released, effectively killing the ransomware.

• May 18, 2016 18 May'16

  Android clickjacking attack research updated but questions remain

  New research claims more than 95% of Android devices are vulnerable to clickjacking attacks, but the true danger may not be that severe.

• May 18, 2016 18 May'16

  Paul Vixie on the glibc bug, Internet crime and more

  Internet pioneer Paul Vixie spoke with SearchSecurity about Internet crime, the glibc bug and other pervasive vulnerabilities that may never be eradicated.

• May 17, 2016 17 May'16

  Google Project Zero discloses dangerous Symantec vulnerability

  Google Project Zero disclosed a Symantec vulnerability that can be exploited with zero interaction and was described being as bad as it can possibly get.

• May 13, 2016 13 May'16

  EMM software on every device? MobileIron makes the case

  MobileIron's enterprise mobile management software wasn't installed on the iPhone of San Bernardino shooter Syed Rizwan Farook. Was that the right move?

• May 13, 2016 13 May'16

  FBI asked for responsible disclosure of Tor vulnerability

  A court filing is asking the FBI for responsible disclosure of the Tor vulnerability used to exploit the Tor browser and de-anonymize users during a criminal investigation.

• May 13, 2016 13 May'16

  Google insider data breach exposed employee personal info

  Roundup: Google experiences an insider data breach, but the data leakage is cleaned up by a conscientious benefits manager. Plus, the FDIC reports five 'major' incidents, and more.