News

News

• January 08, 2016 08 Jan'16

  Cybersecurity and CES 2016: A comedy of omissions

  CES 2016 has come to a close, and once again the mega-trade show had little to offer in terms of information security. Here's why that's bad news.

• January 08, 2016 08 Jan'16

  Warning: Internet Explorer end of life for 8, 9 and 10 on Tuesday

  Internet Explorer end of life is on the way for three versions of Microsoft's Web browser, and enterprises need to understand which versions of Windows will still be supported.

• January 08, 2016 08 Jan'16

  NSA whistleblower William Binney: Bulk data collection costs lives

  News roundup: NSA whistleblower William Binney testifies in the U.K. against bulk data collection, a new Snowden revelation, Windows 10 snooping revealed, JavaScript ransomware, and more.

• January 07, 2016 07 Jan'16

  MD5 vulnerability renews calls for faster SHA-256 transition

  Researchers have found a new way to exploit an MD5 vulnerability to put users at risk, and experts say this is all the more reason to move faster in transitioning to SHA-256.

• January 06, 2016 06 Jan'16

  Blackphone vulnerability patched to prevent phone hijacking

  Silent Circle has patched a critical modem vulnerability in its first-generation Blackphone to prevent phone hijacking by attackers.

• Sponsored News

  • Part I: Keep the Cloud Your Safe Place

    Sponsored by Forcepoint - Organizations of all sizes have been called upon to swiftly support remote work in order to safeguard the health of their workforce and local communities. As businesses are called upon to scale up remote work procedures for the physical safety of employees, IT teams must accelerate the adoption of technology that ensures their people and data are secure—without hurting productivity or morale. See More

  • Part II: Safeguard Data Everywhere

    Sponsored by Forcepoint - As security teams are tasked with the duty of rapidly scaling up protections for remote workers, one of the key considerations they must keep in mind is how to safeguard data no matter where it resides or travels. This is hardly a new problem. However, the vastly broadened scope of remote work today requires security teams to revisit policies and technologies. Some solutions that may have been sufficient for isolated use cases don't adequately protect a completely distributed workforce. See More

  • Part III: Protect Your People

    Sponsored by Forcepoint - In response to the rapid rise in remote work, cybersecurity teams have increased their efforts to protect their dispersed team’s cyber hygiene. The rapid rise in remote work to protect the health of employees has required cybersecurity teams to scale their efforts to similarly protect the cyber hygiene of these workers as they operate in new conditions. One of the key directives for cybersecurity departments looking to safeguard the people and data within a distributed enterprise is the implementation of cyber defenses that can move with employees and protect them—regardless of their location or device. See More

  View All Sponsored News
• January 04, 2016 04 Jan'16

  Russian actors accused of attacking Ukraine with BlackEnergy malware

  Russia-based threat actors were accused of attacking media outlets and electric companies in Ukraine using BlackEnergy malware.

• December 31, 2015 31 Dec'15

  China's anti-terror law mandates tech firm cooperation

  News roundup: China passes anti-terror law requiring tech firms' help on surveillance, while new analysis of North Korea's Red Star OS shows different approach to cybersecurity.

• December 30, 2015 30 Dec'15

  Adobe issues emergency patch for critical Flash vulnerabilities

  Just weeks after its biggest security update of the year, Adobe issued emergency patches for a new round of Flash bugs, including one already being exploited by attackers.

• December 29, 2015 29 Dec'15

  Open database exposes 191 million voter registration records

  A mysterious voter database containing 191 million voter registration records found last week was online for over a week, with few clues as to who is responsible.

• December 23, 2015 23 Dec'15

  Google accelerates Chrome SHA-1 deprecation schedule

  Increasing desire to be rid of SHA-1-signed certificates causes Google to join Microsoft, Mozilla in a likely acceleration of Chrome SHA-1 deprecation by six months.

• December 23, 2015 23 Dec'15

  Juniper firewall backdoors add fuel to encryption debate

  Juniper firewalls are reportedly vulnerable to two serious backdoors, and the NSA may be at least indirectly responsible for one that exposes VPN data.

• December 22, 2015 22 Dec'15

  PCI DSS 3.1 deadline for TLS migration pushed back

  The Payment Card Industry Security Standards Council unexpectedly pushed back the deadline for enterprises to migrate off of early versions of TLS.

• December 18, 2015 18 Dec'15

  Compliance costs expected to rise as EU GDPR advances

  News roundup: As EU's Global Data Protection Regulation advances, businesses anticipate higher penalties and compliance costs. Also, malware roundup.

• December 18, 2015 18 Dec'15

  CISA added to budget omnibus, with privacy protection stripped

  The Cybersecurity Information Sharing Act passed after being added to the emergency budget omnibus bill, but critics warned the privacy protections have been stripped out.

• December 17, 2015 17 Dec'15

  Experts: Lawmakers don't understand encryption backdoor problems

  Strong encryption and encryption backdoors have become hot topics in the world of lawmakers and politicians, but security experts said those people don't understand the problem.

• December 15, 2015 15 Dec'15

  Old Microsoft Kerberos vulnerability gets new spotlight

  A new blog post detailed authentication vulnerabilities in Microsoft Kerberos that cannot be patched and could lead to attackers having free rein over systems.

• December 14, 2015 14 Dec'15

  Symantec asks browser makers to distrust one of its root certificates

  Symantec announced it will retire one of its root certificates because it was based on older security, and Google made sure users knew the risks.

• December 11, 2015 11 Dec'15

  Governments weigh strong encryption vs. terror threats

  News roundup: Cyber politics in U.S., as leaders attempt to balance access to strong encryption with terror threats. Also: Microsoft's German data centers, SHA-1 deprecation schedule, and more.

• December 10, 2015 10 Dec'15

  FBI: Encryption backdoor laws are unnecessary, if companies comply

  FBI Director James Comey is sticking to the message that the FBI doesn't want encryption backdoor legislation, but one senator doesn't expect companies to comply without the legal impetus.

• December 10, 2015 10 Dec'15

  FBI admits to using zero-day exploits, not disclosing them

  The FBI has admitted to using zero-day exploits rather than disclosing them, and experts say this should not be a surprise considering the history of federal agency actions.

• December 08, 2015 08 Dec'15

  December 2015 Patch Tuesday: DNS query and zero-day flaws fixed

  Microsoft's December 2015 Patch Tuesday brought a number of fixes to Windows, including a patch for a DNS query bug and zero-day flaws in the Windows kernel and Microsoft Office.

• December 08, 2015 08 Dec'15

  Temporary workers cause access management troubles over the holidays

  A new report showed that while retail companies are confident in their security, many use bad access-management practices with temporary workers brought in for the holiday season.

• December 04, 2015 04 Dec'15

  HTML5 support could mean Adobe Flash end of life

  Adobe moves could signal the end of the ever-vulnerable Flash Player, and experts say more support for HTML5 could lead to the Adobe Flash end of life.

• December 04, 2015 04 Dec'15

  First-ever high-level talks on US-China cyber issues

  News roundup: Chinese hacking activity drops in advance of US-China cyber talks, Australia blames China for major breach, mature malware, National Security Letter unveiled, and more.

• December 04, 2015 04 Dec'15

  Alleged OPM breach hackers arrested by Chinese government

  Hackers arrested by the Chinese government are allegedly the criminals behind the OPM breach, but experts want more evidence before trusting China.

• December 03, 2015 03 Dec'15

  Experts question customized TLS implementation after Amazon s2n flaw

  Amazon's s2n passed its first test by patching a flaw quickly, but experts said enterprises still need to be wary of the complexities surrounding TLS implementation.

• December 01, 2015 01 Dec'15

  Amex credit card hack predicts replacement card number

  Samy Kamkar found a weakness in the algorithm American Express uses to generate replacement card information and created a credit card hack as a proof-of-concept.

• November 24, 2015 24 Nov'15

  Dell fixes root certificate issue reminiscent of Superfish

  Dell issued a fix for a root certificate similar to Superfish that could potentially allow attackers to intercept encrypted private data on its PCs.

• November 23, 2015 23 Nov'15

  Lessons learned from the Adobe data breach

  Adobe CSO Brad Arkin spoke at the recent Privacy. Security. Risk. 2015 event about his experiences dealing with the company's massive data breach two years ago.

• November 20, 2015 20 Nov'15

  Safe Harbor framework update in danger of capsizing

  News roundup: Rights groups join critics of Safe Harbor framework update, OPM breach testimony pushback, FBI hiring part of cybersecurity issue for Justice Department. Plus: recycled malware, Microsoft's security push.

• November 19, 2015 19 Nov'15

  Experts: DNSSEC protocol can't be worse than certificate authorities

  The DNSSEC protocol is a flawed solution to certificate authorities, but experts said any controversy surrounding the potential spying is more misunderstanding than fact.

• November 19, 2015 19 Nov'15

  TechTarget Survey: IT risk management, compliance top tasks

  TechTarget 2015 Annual Salary and Careers Survey: Out of the myriad of security responsibilities for an enterprise, IT risk management and regulatory compliance occupy the most time.

• November 18, 2015 18 Nov'15

  Going dark: FBI continues effort to bypass encryption

  The FBI's effort to gain access to encrypted devices and data has led to a standoff with technology companies, such as Apple. Here's where the 'going-dark' debate stands.

• November 13, 2015 13 Nov'15

  FBI accused of paying Carnegie Mellon $1M to hack Tor network

  The Tor Project said that the Carnegie Mellon researchers behind an attack on the hidden service subsystem carried out last year were paid $1 million by the FBI to hack Tor network.

• November 13, 2015 13 Nov'15

  Java vulnerability caused by unpatched open source library

  News roundup: WebSphere, JBoss, Jenkins and more hit by Java vulnerability in an open source library. Plus, SAP HANA deals with critical vulnerabilities, and more.

• November 11, 2015 11 Nov'15

  November 2015 Patch Tuesday: Font handling strikes again

  Microsoft's November 2015 Patch Tuesday delivers 12 total bulletins, four of which are critical, and one issue with font handling that angers one expert.

• November 10, 2015 10 Nov'15

  Bluebox tackles mobile application threats for BYOD

  Bluebox Security unveiled a troubling study on mobile application threats and also introduced a new product to protect consumer apps on employee-owned devices.

• November 10, 2015 10 Nov'15

  NSA vulnerability disclosure policy balances offense and defense

  The NSA published its vulnerability disclosure policy, which aims to balance intelligence benefits with security, but experts said the policy raises more questions than it answers.

• November 06, 2015 06 Nov'15

  Bad news for encryption security, PKI certificate revocation

  News roundup: Troubling research on PKI certificate revocation; encryption research finds usability lacking; GnuPG adds features. Plus: More zero-days, xCodeGhost still haunting Apple and more.

• November 05, 2015 05 Nov'15

  Experts: Cyber liability insurance and lawsuits set to improve security

  Cyber liability insurance claims and lawsuits are expected to rise considerably in the next couple years, and experts believe they will lead to improved security for enterprises and developers.

• November 03, 2015 03 Nov'15

  CSIP aims to modernize U.S. government cybersecurity

  Experts approve of the Cybersecurity Strategy and Implementation Plan issued by the White House to strengthen government cybersecurity guidelines and practices, but worry about implementation.

• November 02, 2015 02 Nov'15

  CoinVault, Bitcryptor ransomware declared dead following arrests

  CoinVault and Bitcryptor variants of ransomware have been declared dead after the authors were arrested and decryption keys were recovered by law enforcement.

• November 02, 2015 02 Nov'15

  Cryptowall 3.0 ransomware reported to cost victims $325 million

  A new report analyzed Cryptowall 3.0 ransomware attacks and found that it may have cost victims $325 million and that money may be going to a single source.

• October 30, 2015 30 Oct'15

  Google slams Symantec over Certificate Transparency trouble

  Google demands Certificate Transparency for all Symantec-issued certificates in wake of last month's escalating disclosures about fake "testing" certificates.

• October 29, 2015 29 Oct'15

  Congress can still fix CISA privacy issues in reconciliation

  CISA passed the Senate despite complaints over privacy issues, but experts said there is still hope those troubles can be fixed when the bill goes to the House for reconciliation.

• October 28, 2015 28 Oct'15

  U.S. and E.U. enter into new data sharing agreement

  The European Union and United States have agreed in principle to a new data sharing framework to replace the Safe Harbor pact, but the details of the new rules are still a mystery.

• October 28, 2015 28 Oct'15

  Disputed Cybersecurity Information Sharing Act passes Senate

  Despite vocal criticism from privacy advocates and technology companies, the U.S. Senate passed the Cybersecurity Information Sharing Act by an overwhelming majority.

• October 26, 2015 26 Oct'15

  Dridex malware returns despite DOJ arrests

  The Dridex malware has made a return, and attackers are once again using botnets to send the Trojan to banks, despite the Department of Justice making high-profile arrests last month.

• October 23, 2015 23 Oct'15

  Google to adopt strictest DMARC policy to fight spam, phishing

  News roundup: Google to implement strictest DMARC policy in anti-phishing campaign. Plus: CISA is coming, the health care industry is lagging and SHA-1 is failing.

• October 22, 2015 22 Oct'15

  Experts say Oracle patches need to be faster

  Oracle patches 154 flaws in its quarterly update. Experts said patches need to be released faster, but Oracle stands by its release schedule.

• October 21, 2015 21 Oct'15

  Trend Micro acquires HP TippingPoint for $300 million

  Trend Micro agreed to purchase HP TippingPoint for $300 million in an effort to bolster network security, but experts disagree on the strategy of either company involved.

• October 20, 2015 20 Oct'15

  Report: CIA director's email hacked repeatedly by high school student

  CIA Director John Brennan had his email hacked multiple times, and the hacker found that Brennan stored potentially sensitive information in his AOL email account.

• October 20, 2015 20 Oct'15

  Social media attacks a growing concern for enterprises

  It's important for online users to understand social media risks and the caution they should use when sharing personal information online.

• October 19, 2015 19 Oct'15

  Adobe patches Flash zero-day used in foreign ministry attacks

  Adobe has released an emergency patch for Flash zero-day vulnerabilities that have been exploited in the wild in attacks on foreign affairs ministries.

• October 16, 2015 16 Oct'15

  EMV transition: FBI warns while Target opts for PINs

  News roundup: FBI issues a public service announcement about EMV chip-and-signature cards. Plus: bumper crop of OS X malware in 2015; phishing sites with authenticated certificates and more.

• October 16, 2015 16 Oct'15

  Automating security, privacy in software programming

  Jean Yang, who created the Jeeves software language, explains why the industry needs to do a better job of enforcing security and privacy policies in its applications.

• October 16, 2015 16 Oct'15

  What does the Consumer Privacy Bill of Rights mean for enterprises?

  The Consumer Privacy Bill of Rights, if made a federal law, would create a uniform set of privacy requirements. Here's a look at the potential benefits.

• October 15, 2015 15 Oct'15

  Cybersecurity strategy needs to be more dynamic, experts say

  The digital world moves very fast, but a new survey claims that cybersecurity strategy does not move fast enough to keep up with threats -- and experts tend to agree.

• October 14, 2015 14 Oct'15

  Windows 10 security fixes longtime OS vulnerabilities

  Windows 10 security incorporates years of improvements to remove or mitigate long-term issues with Windows vulnerabilities.

• October 13, 2015 13 Oct'15

  October Patch Tuesday: The first of 2015 with no zero-day exploits

  Microsoft's October 2015 Patch Tuesday has the fewest number of bulletins of any release this year, and is also the first of the year to not feature any patches related to zero-day exploits.

• October 13, 2015 13 Oct'15

  Chinese hackers arrested at the request of the US

  China's government has reportedly arrested a number of Chinese hackers suspected of involvement with attacks on the US, but one expert is unsure this will lead to more cooperation between nations.

• October 09, 2015 09 Oct'15

  Safe Harbor agreement invalid: Privacy win or enterprise woe?

  News roundup: The EU Court has invalidated the Safe Harbor agreement, leaving companies scrambling to deal with overseas data transfers securely. Plus: SHA-1 collision attack; NIST email security initiatives; worry over cyberthreats.

• October 09, 2015 09 Oct'15

  Vigilante Team White hackers admit to infecting 300,000 devices

  Team White hackers have taken credit for infecting more than 300,000 devices with the Wifatch malware designed to harden security, but experts still question the team's vigilante actions.

• October 08, 2015 08 Oct'15

  Cybercrime costs rising, experts say application layer needs budget

  Two separate reports noted that cybercrime costs are significant. Some experts said reallocating budget resources to application layer security may be the answer.

• October 06, 2015 06 Oct'15

  New YiSpecter iOS malware affects non-jailbroken devices

  Malicious actors have found new ways to attack non-jailbroken iOS devices, but experts say the YiSpecter iOS malware may not be as dangerous as it sounds.

• October 02, 2015 02 Oct'15

  Router malware may be white hat security vigilantism

  An unknown source is infecting thousands of routers with malware not to intentionally cause harm, but apparently as an act of white hat security vigilantism to make the routers safer.

• October 02, 2015 02 Oct'15

  As EMV adoption lags, industry remains optimistic

  News roundup: Despite a low adoption rate going into the liability shift, many in the industry are optimistic about the future of EMV use. Plus: TrueCrypt flaws; AWS crypto keys stolen; women in infosec.

• October 01, 2015 01 Oct'15

  Android Stagefright 2.0 affects all 1.4 billion Android devices

  The Android Stagefright vulnerability has been updated to version 2.0, as the original researcher found the flaw in all versions of Android released to date. Google has promised a fix within days.

• October 01, 2015 01 Oct'15

  Study claims enterprise vulnerability remediation can take 120 days

  A new study has found that although flaws are most likely to be exploited within 60 days of discovery, companies can take between 100 and 120 days for vulnerability remediation.

• October 01, 2015 01 Oct'15

  The EMV liability shift date is here, now what?

  The Oct. 1, 2015 deadline for EMV liability has arrived, though merchants and retailers alike aren't ready for the change.

• September 25, 2015 25 Sep'15

  Google Project Zero reports more Kaspersky software vulnerabilities

  Kaspersky Lab has fixed some of the vulnerabilities in its antivirus products, but a new report from Google Project Zero reveals there's more work to be done.

• September 25, 2015 25 Sep'15

  OPM breach widens to 5.6 million fingerprint records

  News roundup: More fingerprint records were stolen during the OPM breach than originally reported. Plus: the $1 million iOS bounty; DHS CISO calls for harsher phishing policies; Safe Harbor in hot water.

• September 23, 2015 23 Sep'15

  As the CIA enters the picture, iOS malware count up to 4,000

  The largest incident of iOS malware found in the Apple App Store has grown exponentially, as researchers find more than 4,000 apps infected. And the attackers may have been inspired by CIA techniques.

• September 22, 2015 22 Sep'15

  Internal report on Target data breach reveals glaring security holes

  An internal report on Target's breach, obtained by security reporter Brian Krebs, shows the retailer suffered from major security flaws.

• September 22, 2015 22 Sep'15

  Certificate Transparency catches bad digital certificates from Symantec

  Symantec testers created unauthorized Extended Validation certificates, but the bad certificates were caught by the Certificate Transparency log.

• September 21, 2015 21 Sep'15

  Google wants sites to disable SSLv3 to boost Web security

  Google is trying to drag Web security into 2008 by asking sites to disable SSLv3 and RC4, and setting a minimum transfer security protocol of TLS 1.2.

• September 21, 2015 21 Sep'15

  App Store iOS malware found after first large-scale attack

  For the first time, a large amount of iOS malware has made it past Apple's App Store security controls, potentially affecting hundreds of millions of users.

• September 18, 2015 18 Sep'15

  Cisco router malware in the wild more widespread than first believed

  News roundup: Additional research shows a Cisco router implant affects more devices than originally reported. Plus: Let's Encrypt's first cert issued; Tor in the library; the mitigated (but not fixed) iOS AirDrop vulnerability.

• September 18, 2015 18 Sep'15

  DHS audit details cyber mission failures and future efforts

  An internal audit of the U.S. Department of Homeland Security has been completed, detailing areas where its cyber mission has failed and what plans are in place to make improvements.

• September 17, 2015 17 Sep'15

  Hacker groups shifting to corporate cyberespionage schemes

  There is a growing concern for cyberespionage in U.S. after a financially motivated hacker group stole inside information to make millions from insider trading schemes.

• September 16, 2015 16 Sep'15

  Stolen credentials are key to avoiding breach detection

  A new report details how attackers can fly under the radar by using stolen credentials in order to avoid breach detection and forgoing the use of malware in malicious activity.

• September 15, 2015 15 Sep'15

  Hackers hijack website analytics for black hat SEO and more

  A new report shows that hackers are manipulating the ownership settings of the Google Search Console in order to hijack website analytics for use in black hat SEO campaigns and more.

• September 11, 2015 11 Sep'15

  Department of Energy latest victim of a government data breach

  The U.S. Department of Energy became the latest government cyberattack victim after a report disclosed the agency had suffered more than 1,000 cyberattacks in a four-year span.

• September 11, 2015 11 Sep'15

  Cybersecurity Information Sharing Act has 'significant problems'

  A new version of the Cybersecurity Information Sharing Act is scheduled to go in front of the Senate this fall, but one expert said the bill has 'significant problems.'

• September 10, 2015 10 Sep'15

  CAPTCHA-bypassing malware on Android apps found in Google Play Store

  Researchers found advanced CAPTCHA-bypassing malware on Android apps in the official Google Play Store, but Google downplayed the impact.

• September 09, 2015 09 Sep'15

  IT pros don't get cybersecurity risks around certificate authorities

  A survey of IT professionals at the Black Hat conference shows that understanding of certificate authorities is low, and Venafi believes this could lead to cybersecurity risks.

• September 08, 2015 08 Sep'15

  September 2015 Patch Tuesday: More critical Microsoft Office fixes

  Microsoft's September 2015 Patch Tuesday is available now and includes five critical bulletins, two of which tackle remote code execution flaws affecting Microsoft Office.

• September 04, 2015 04 Sep'15

  DOJ Stingray rules require warrant to track mobile phones

  The U.S. Department of Justice announced the establishment of a new policy for cell-site simulator devices that will require law enforcement to obtain warrants in order to track mobile phones.

• September 03, 2015 03 Sep'15

  OPM breach protection services on the way for 21.5M victims

  The contract for identity theft and credit protection services for OPM breach victims has been awarded, but protection notifications will not be going out to OPM victims until later this month.

• September 02, 2015 02 Sep'15

  Deception may be next big IT security tool, or may be hype

  A new report claims that deception may become a big factor in the future of IT security tools, but one expert warns that the efficacy of such tactics can diminish with popularity.

• September 01, 2015 01 Sep'15

  Warnings, neglect and a massive OPM data breach

  Why no one should have been surprised by the massive government Office of Personnel Management data hack.

• September 01, 2015 01 Sep'15

  Chip and PIN migration slow as EMV deadline approaches

  A major deadline for EMV card adoption is just one month away. Can chip-and-PIN and chip-and-signature technology improve payment card security and reduce fraud?

• August 31, 2015 31 Aug'15

  Qualcomm claims new mobile SoC will feature zero-day detection

  Qualcomm announced that its next flagship chipset will include Smart Protect, a feature designed for machine learning and zero-day detection on mobile devices.

• August 28, 2015 28 Aug'15

  Tor vulnerabilities make the Dark Web too risky for the black market

  The Dark Web is where many shady deals can happen on the Internet, but Tor vulnerabilities have made it too risky for one of the largest online black markets to stay in business.

• August 28, 2015 28 Aug'15

  Gula talks Nessus agents and Nessus cloud

  Video: SearchSecurity spoke with Tenable co-founder Ron Gula about recent additions to the Nessus feature set, including a version that lives in the cloud.

• August 27, 2015 27 Aug'15

  Report: phishing training could cut damage costs by $1.8M

  A new report breaks down the potential costs associated with a phishing breach and claims that phishing training could cut those costs by as much as $1.8 million.

• August 27, 2015 27 Aug'15

  Angler EK and Flash zero-days make malvertising more effective

  Malvertising campaigns are becoming more effective due to the popularity of the Angler EK and its use of Flash zero-day vulnerabilities. And one expert says ad blockers are not the answer.

• August 27, 2015 27 Aug'15

  CISOs: Application security programs need improvements

  An up-to-date application security program -- as well as knowing how to connect with stakeholders -- is critical to being a successful CISO today, said Renee Guttmann, vice president, Office of the CISO at Accuvant Inc.

• August 25, 2015 25 Aug'15

  Report says SMB IT still doesn't get virtualization security

  A new report makes controversial claims about the costs of breaches in virtualized environments, strongly suggesting IT pros may not understand the challenges of virtualization security.

• August 25, 2015 25 Aug'15

  Choosing a threat intelligence platform: What enterprises should know

  Video: Threat intelligence tools are a growing market and enterprises need to be able to see through the hype to get the best product for them.