News

News

• June 11, 2015 11 Jun'15

  From the frontlines: Horror stories on information breach response

  Video: KPMG's Ronald Plesco has seen some crazy things in his time helping organizations in security incident response, and he shares some of them with SearchSecurity.

• June 09, 2015 09 Jun'15

  June 2015 Patch Tuesday brings critical IE security fix, Flash update

  Microsoft's June 2015 Patch Tuesday features eight bulletins, including a critical update for Internet Explorer and Windows Media Player. Plus: Adobe releases fix for 13 Flash vulnerabilities.

• June 05, 2015 05 Jun'15

  Government data breach puts EINSTEIN defense system under question

  The FBI is investigating a government data breach in which up to 4 million records may have been stolen and China-based hackers are the prime suspects, but the efficacy of the DHS EINSTEIN defense system has been put under question.

• June 05, 2015 05 Jun'15

  Vulnerability study questions accuracy of CVSS scores

  A new study claims social media may be a useful indicator of vulnerability risk and lead to more accurate CVSS scores and prioritization.

• June 05, 2015 05 Jun'15

  Facebook, Google, Mozilla raise the bar with new user privacy controls

  News roundup: New settings and options to boost user privacy and security are emerging on major websites, but is it enough?

• June 05, 2015 05 Jun'15

  McGraw: Software security testing is increasingly automated

  Security software expert Gary McGraw says testing for security flaws must be automated if everything is going to be checked.

• June 03, 2015 03 Jun'15

  Adversaries never sleep: unknown malware downloaded every 34 seconds

  In its 2015 Security Report, Check Point Software has found adversaries are exploiting the ease of creating unknown malware to boost the chance of a successful attack, and sandboxing adoption may be the best way to mitigate risk.

• June 03, 2015 03 Jun'15

  Schneier: Weighing the costs of mass surveillance

  Security expert Bruce Schneier says his new book, Data and Goliath, lays out a compelling case against government mass surveillance.

• June 02, 2015 02 Jun'15

  Insecure mobile cloud backups leave millions of credentials exposed

  Researchers find that insecure implementation of cloud backups by mobile apps may affect hundreds of thousands of apps and leave as many as 56 million credentials exposed.

• June 02, 2015 02 Jun'15

  Malware analysis beyond the sandbox

  Researchers estimate that 70% of organizations will have implemented virtual servers by the end of 2015, representing a tipping point in enterprises’ adoption of virtualization. Virtual machines (VMs) must be protected from malware like other ...

• May 29, 2015 29 May'15

  IRS breach shows the importance of PII security

  A breach of the IRS' Internet tax form service "Get Transcript" exposed the personal information and tax filings of thousands of people.

• May 29, 2015 29 May'15

  Cybersecurity threat discussion (finally) in boardroom

  News roundup: Cybersecurity is finally garnering attention at the boardroom table, but not necessarily for the right reasons. Plus: Ponemon's "Cost of Data Breach"; D-Link vulnerabilities; NitlovePOS; bad bots.

• May 29, 2015 29 May'15

  Smartphone security threats plague Android and iPhone alike

  As the global smartphone market slows, it's becoming readily apparent that the rise of smartphone security threats isn't slowing -- and no OS is safe.

• May 28, 2015 28 May'15

  President urges Senate to act on Section 215 question

  With Section 215 of the Patriot Act meeting its demise on June 1, President Obama calls for the Senate to get busy.

• May 28, 2015 28 May'15

  Cisco Security Services set for 2x product growth in 2015

  Cisco's Bryan Palma discusses Cisco's strategy for security services and talks about the recent Neohapsis acquisition.

• May 26, 2015 26 May'15

  NetUSB router vulnerability puts devices in jeopardy

  A newly discovered router vulnerability could leave millions of connected devices open to denial-of-service attacks and remote code execution.

• May 22, 2015 22 May'15

  2015 DDoS attacks on the rise, attackers shift tactics

  News roundup: New research highlights the changing nature of DDoS attack frequency and methodology. Plus: New malware strains double in second half of 2014; two new address bar spoofing vulnerabilities.

• May 22, 2015 22 May'15

  Government backdoor security concerns prompt letter to president

  As privacy and security concerns rise, President Obama is urged to dismiss the call for government backdoors.

• May 21, 2015 21 May'15

  Too many false positives, security alerts inundate enterprise, study says

  A new study shows enterprises with security analytics are confident in their threat detection capabilities, while those without are overwhelmed by copious false positives and alerts.

• May 20, 2015 20 May'15

  Google changes Chrome extension policy amid security concerns

  Google's new Chrome extension policy mandates that all users and developers must install web browser extensions from the Chrome Web Store.

• May 20, 2015 20 May'15

  Logjam flaw crimps TLS encryption; NSA may have used it

  A newly discovered TLS vulnerability that affects thousands of websites, servers and browser users could allow attackers to bypass encryption.

• May 19, 2015 19 May'15

  Fortinet, DHS form security information sharing partnership

  Network security vendor Fortinet and DHS signed an agreement on security information sharing for better cyber protection in the public and private sectors.

• May 18, 2015 18 May'15

  Alleged airplane hack creates more questions than answers

  As details emerge about a security researcher's alleged hack -- and subsequent denial -- of an airplane, more questions are being asked than answers given.

• May 15, 2015 15 May'15

  Will Microsoft Edge security features make up for past sins?

  News roundup: Microsoft released security details of its new Edge browser, but is enough to restore user confidence? Plus: Millennial security threats; new ransomware, GPU-based malware; black hat cybersecurity services.

• May 13, 2015 13 May'15

  Security ethics survey shows honesty is a tricky business

  A security ethics survey conducted at the 2015 RSA Conference indicates that infosec professionals may be wary of media attention in breach and vulnerability reporting.

• May 12, 2015 12 May'15

  AlienVault updates SIEM platforms after vulnerabilities exposed

  Security software maker AlienVault scrambled to patch two of its products after a security researcher exposed longstanding vulnerabilities in them.

• May 12, 2015 12 May'15

  May 2015 Patch Tuesday isn't all about critical patches, experts say

  Microsoft's May 2015 Patch Tuesday has made 2015 this biggest year for patches through the first five months and is highlighted by two non-critical patches, according to experts.

• May 11, 2015 11 May'15

  Intel's Security Connected aims to be the glue for enterprise security

  Intel Security wants to offer a full set of security products, but believes highest value may come from being a bridge. Security Connected aims to integrate non-Intel products and place Intel at the center, although experts worry about complexity.

• May 08, 2015 08 May'15

  How the WordPress XSS vulnerability was patched so quickly

  WordPress was found to have two new zero-day XSS vulnerabilities that were being exploited, but a patch has already been issued to mitigate the issues.

• May 08, 2015 08 May'15

  Mobile malware statistics highlight unknown state of mobile threats

  News roundup: Contradicting mobile malware statistics published this year prove the mobile malware debate is alive and well. Plus: SAP vulnerabilities; spam-sending Linux malware; criminal attacks leading healthcare threat.

• May 07, 2015 07 May'15

  Malware detection tool tackles medical device security

  WattsUpDoc, an embedded system security tool used to detect malware in medical devices, is now in beta testing at two major U.S. hospitals.

• May 07, 2015 07 May'15

  Inside the WhiteHat Aviator Web browser controversy

  Robert 'Rsnake' Hansen of WhiteHat Security discusses the Aviator Web browser, why Google lashed out against it, the challenges of browser security and lessons learned for developing secure software.

• May 06, 2015 06 May'15

  Experts debate the value and future of data loss prevention tools

  Data loss prevention tools have been on the market for close to 10 years, but adoption and deployment are still inconsistent. Experts point to a shift in how enterprises will deploy DLP moving forward.

• May 06, 2015 06 May'15

  Microsoft debuts password-free Windows Hello, PatchTuesday changes

  Microsoft Ignite 2015 showed that Microsoft may have rethought the Tuesday part of Patch Tuesday, but Windows Update is stronger than ever.

• May 05, 2015 05 May'15

  Local Administrator Password Solution aims to stop credential replay

  Microsoft has released its Local Administrator Password Solution for a common admin login account across all domain-joined computers in hopes that it will decrease pass-the-hash attacks.

• May 04, 2015 04 May'15

  Anti-sandbox capabilities found in Dyre malware

  Seculert research discovers that a new version of the financial malware Dyre is avoiding sandbox detection by counting the number of cores.

• May 01, 2015 01 May'15

  Subscription model for SSL certificates could be easier and cheaper

  A Utah-based startup hopes to change the way enterprises buy SSL certificates to a subscription model, and one expert thinks it could work as long as enterprises can trust the security.

• May 01, 2015 01 May'15

  Government cybersecurity flounders as cybersecurity bills pass House

  News roundup: Many believe the government should help avert cybersecurity woes, yet two House-approved cybersecurity bills are frowned upon. Plus: DDoS increase linked to IoT; Google password alert; 70% put networks at risk with undocumented changes.

• April 30, 2015 30 Apr'15

  How WestJet Airlines nixed network complexity, boosted security

  At an RSA Conference session, attendees learned how WestJet Airlines' Security Architecture Made Simple with software-defined security and automation reduced network turbulence.

• April 30, 2015 30 Apr'15

  Government agencies struggling with security data analytics

  Security data analytics are a must-have for government agencies to stay one step ahead of cyber attackers, according to a study conducted by MeriTalk.

• April 29, 2015 29 Apr'15

  Port monitoring critical to detecting, mitigating attacks using SSL

  As SSL traffic increases, so inevitably will the number of attacks using it to hide. A session at RSA Conference 2015 explained why hackers love SSL, and how enterprises can defend against them.

• April 29, 2015 29 Apr'15

  Secunia: End-of-life software posing a big security risk

  Secunia's quarterly Personal Software Inspector (PSI) report shows that while OS and application patching has remained steady, users may be ignoring end-of-life software and the risks associated with it.

• April 29, 2015 29 Apr'15

  IT security and compliance: Get leadership on board to find balance

  At an RSA Conference 2015 session, finance information security officer Steve Winterfeld explained why having complementary IT security and compliance strategies requires leadership buy-in and cooperation.

• April 29, 2015 29 Apr'15

  RSA Conference 2015 recap: Record attendance, record stakes

  This year's RSA Conference once again broke the previous year's attendance record. Is the show getting too big for San Francisco? Plus key takeaways and final words from our executive editor.

• April 28, 2015 28 Apr'15

  Comparing the top SSL VPN products

  Expert Karen Scarfone examines the top SSL VPN products available today to help enterprises determine which option is the best fit for them.

• April 28, 2015 28 Apr'15

  Open source threat model aims to make enterprise safer with less work

  An open source threat model is aiming to be a repository for risk assessment with the aim of allowing enterprise to focus on creating the right security controls for each business.

• April 28, 2015 28 Apr'15

  Despite benefits, skepticism surrounds bug bounty programs

  Some people think bug bounty programs are the answers to vulnerability woes, yet others remain skeptical of the negative impacts they present. RSA Conference panelists discussed both sides of one of today's hottest and most controversial IT topics.

• April 28, 2015 28 Apr'15

  Insider threat programs need people, not technology

  A panel discussion at RSA Conference 2015 outlined strategic methods enterprises can use to build and advocate for an insider threat program.

• April 27, 2015 27 Apr'15

  DevOps explained: Why experts call DevOps and security a perfect match

  At RSA Conference 2015, a pair of DevOps proponents explained why the nascent movement to integrate development and IT operations staff pays security dividends.

• April 27, 2015 27 Apr'15

  New study shows enterprise security confidence high but defenses low

  A new study from network security firm Fortinet shows that enterprise security confidence levels are high despite a lack of comprehensive security measures.

• April 27, 2015 27 Apr'15

  WordPress vulnerable to stored XSS bug, researchers find

  A researcher has released a proof-of-concept exploit for a WordPress vulnerability leveraging stored XSS, which could lead to remote code execution on affected servers.

• April 27, 2015 27 Apr'15

  On healthcare data security, not all security pros see unique challenges

  At an RSA Conference 2015 discussion on healthcare data security, experts with decades of experience perceive a unique challenge, while security pros see similarities with other verticals.

• April 24, 2015 24 Apr'15

  Long-duration advanced persistent threat attacks now the norm, say experts

  Threat experts at RSA Conference 2015 say today's most dangerous attack techniques reflect a shift toward long-duration attacks that are often nearly impossible to detect.

• April 24, 2015 24 Apr'15

  Clarity needed to cultivate next-gen cybersecurity workforce

  Millennials are hesitant to pursue a career in cybersecurity, mainly because they aren't sure exactly what the job entails -- and if they have the proper training for it.

• April 24, 2015 24 Apr'15

  NIST wants help building the one ID proofing system to rule them all

  The U.S. government wants to solve the weaknesses in online ID proofing systems, but it needs the help of enterprise and security professionals in order to overcome privacy concerns and other issues.

• April 24, 2015 24 Apr'15

  Insecure SSL coding could lead to Android man-in-the-middle attacks

  Researchers have found thousands of apps that feature insecure coding practices in implementing SSL protocols, which could lead to Android man-in-the-middle attacks.

• April 23, 2015 23 Apr'15

  Opportunity abounds for those with both business, security skills

  Executives now listen to their security managers but experts speaking at the RSA Conference 2015 say infosec leaders must learn business security skills and think long term.

• April 23, 2015 23 Apr'15

  RSA attendees ponder how to trim bloated security portfolios

  At a roundtable discussion at RSA Conference 2015, security admins pondered what to do about bloated security portfolios.

• April 23, 2015 23 Apr'15

  Effective data breach response plans hinge on human preparedness

  Experts at a Verizon event at RSA Conference 2015 say no data breach response plan is complete until certain human factors are considered.

• April 23, 2015 23 Apr'15

  Pescatore on security success: Breach prevention is possible

  At RSA Conference 2015, John Pescatore offered real-world case studies proving that information security technologies can help prevent data breaches.

• April 22, 2015 22 Apr'15

  Industry experts warn only cyberliability insurance covers breaches

  Cyberliability insurance gains popularity as industry experts warn that, contrary to popular belief, general insurance won't protect against cyberattacks.

• April 22, 2015 22 Apr'15

  Can supply chain security assuage Huawei security concerns?

  Huawei's U.S. CSO pitched the rigor of its supply chain security processes to RSA Conference 2015 attendees, but they remained skeptical at best on whether to trust the Chinese networking and security vendor.

• April 22, 2015 22 Apr'15

  Mobile malware is not a serious threat, Damballa shows

  An Atlanta-based threat prevention company says the chances of acquiring mobile malware infection are as slim as the chance of being struck by lightning.

• April 22, 2015 22 Apr'15

  Government cybersecurity experts push for better information sharing

  At RSA 2015, former federal officials called for better government cybersecurity cooperation between agencies and with the private sector.

• April 22, 2015 22 Apr'15

  Threat intelligence programs maturing despite staffing, tech obstacles

  A Forrester analyst told RSA Conference 2015 attendees that enterprise threat intelligence programs are maturing, though obstacles like nascent technology and hard-to-find employees mean some firms may never reach full maturity.

• April 21, 2015 21 Apr'15

  Yoran: RSA, information security industry needs 'radical change'

  New RSA President Amit Yoran says business as usual isn't stopping the evolving threat landscape, and hints at radical changes coming to the information security industry and within RSA itself.

• April 21, 2015 21 Apr'15

  Raytheon cybersecurity bolstered by Websense acquisition

  Vista sells majority stake in security provider Websense to boost Raytheon cybersecurity defense amidst copious information breaches.

• April 21, 2015 21 Apr'15

  Waratek grabs RSA Innovation Sandbox honors

  Runtime application self-protection startup Waratek wins coveted RSA Innovation award.

• April 21, 2015 21 Apr'15

  SIMDA botnet down: 770,000 infected computers rescued

  INTERPOL collaborated with Trend Micro, Microsoft and Kaspersky to take down botnet affecting 770,000 users.

• April 20, 2015 20 Apr'15

  Successful women in security tout need for mentoring, encouragement

  Female infosec pros say the industry needs to do more to not only encourage women to pursue infosec careers, but also help mentor them along the way.

• April 20, 2015 20 Apr'15

  Hiring millennials key to reducing security workforce shortage

  At RSA Conference 2015, speakers at an (ISC)2 panel said attracting and hiring millennials is a huge key to alleviating the worsening information security workforce shortage.

• April 17, 2015 17 Apr'15

  Machine versus the bots: Does your website pass the Turing 2.0 test?

  New Web security models use browser behavior and polymorphism to protect against data theft and fraud.

• April 17, 2015 17 Apr'15

  Patch Tuesday's Windows HTTP.sys flaw under attack

  A critical vulnerability in Windows HTTP.sys was detailed as part of Microsoft's April Patch Tuesday, and the flaw is already being actively exploited in the wild.

• April 17, 2015 17 Apr'15

  Microsoft cybersecurity strategy: Time for another Bill Gates email

  Opinion: Executive Editor Eric Parizo says Microsoft's security strategy may have once been the benchmark for other vendors to emulate, but in 2015 the software giant's priorities lie elsewhere.

• April 16, 2015 16 Apr'15

  Oracle Critical Patch Update features important Java SE updates

  The latest Oracle Critical Patch Update includes fixes for close to 100 vulnerabilities, but one expert says there is a critical update for Java on the desktop that needs immediate attention.

• April 15, 2015 15 Apr'15

  PCI DSS 3.1 debuts, requires detailed new SSL security management plan

  PCI DSS 3.1 grants merchants about 14 months to nix flawed SSL and TLS protocols, but demands they quickly provide detailed new documentation on how they plan to make the transition.

• April 14, 2015 14 Apr'15

  April 2015 Patch Tuesday addresses critical HTTP.sys flaw

  Microsoft's April 2015 Patch Tuesday release is lighter than usual with 11 total bulletins, but experts say that system admins should immediately install a critical HTTP.sys patch for Windows Server.

• April 14, 2015 14 Apr'15

  'Redirect to SMB' vulnerability affects all versions of Windows

  The new 'Redirect to SMB' vulnerability is an update to an 18-year-old flaw that can lead to man-in-the-middle attacks on all versions of Windows.

• April 14, 2015 14 Apr'15

  Sony Pictures hack used easily available malware, destroyed computers

  A '60 Minutes' interview Sunday revealed that not only did Sony Pictures fall victim to well-known, off-the-shelf malware, but that the attackers also destroyed thousands of computers and servers after stealing the data.

• April 14, 2015 14 Apr'15

  Verizon DBIR 2015 tackles data breach cost predictions

  In its 2015 Data Breach Investigations Report, Verizon debuts data breach cost estimates based on newly available data, and also advocates for better threat intelligence sharing among different industries facing common threats.

• April 13, 2015 13 Apr'15

  Cybersecurity risks masked by controversial vulnerability counts

  Experts have split opinions regarding the correct methodology for counting vulnerabilities, but all agree that focusing on numbers can mask real cybersecurity risks.

• April 10, 2015 10 Apr'15

  Ways to secure Web apps: WAFs, RASP and more

  Protecting a Web application increasingly means tuning your protections to the individual characteristics of your applications. There’s more than one way to go about this, though. In this three-part guide we review best practices for taking your Web...

• April 10, 2015 10 Apr'15

  Chrome security under fire from third-party extension

  Security researchers say Webpage Screenshot, a popular third-party extension for Google Chrome, was secretly collecting end-user browsing data. Its true purpose and how Google missed it remain up for debate.

• April 10, 2015 10 Apr'15

  Tech, security M&A activity booms thanks to mobile, cloud

  News roundup: Technology and security acquisitions have seen some healthy activity in 2015, driven by two key trends. Plus: 75% of users aren't vulnerable to Heartbleed?; White House hack tied to phishing; first state digital ID law.

• April 09, 2015 09 Apr'15

  SANS: Enterprises overconfident in ability to detect insider threats

  Enterprises may be increasingly aware of insider threats and believe they can find and stop them, but a new SANS Institute survey suggests they may be overconfident and lack the necessary insider threat-detection technology.

• April 08, 2015 08 Apr'15

  Experts disagree on growth, complexity of cybersecurity threats

  The Websense 2015 Threat Report claims that cybersecurity threats are getting more complex, but one expert says the trends aren't anything new.

• April 08, 2015 08 Apr'15

  Dyre malware returns to rob banks of millions

  Financial malware Dyre, in tandem with social engineering, was used in a new campaign to steal millions from financial institutions, according to IBM researchers.

• April 06, 2015 06 Apr'15

  In first Android Security Report, Google cites drop in Android malware

  Google's first Android Security Report claims that malware on the platform was found on fewer than 1% of devices in 2014, but experts question if the ecosystem is really as safe as it has ever been.

• April 05, 2015 05 Apr'15

  Amid SSL security issues, enterprises face many problems, few answers

  Experts say even enterprises that carefully secure TLS may still be at the mercy of the numerous security issues affecting the SSL ecosystem.

• April 03, 2015 03 Apr'15

  The transaction that lasts forever

  Whether or not you think Bitcoin has a future, it has a couple of very interesting technological elements that will probably have a life of their own. The aspect that everyone talks about is that ...

• April 03, 2015 03 Apr'15

  U.S. cyberattacker sanctions program causes stir on social media

  News roundup: President Obama's executive order allowing sanctions on cyberattackers has been met with mixed reaction. Plus: Threat intelligence perception versus reality; healthcare breach consequences; Verizon tosses supercookie.

• April 02, 2015 02 Apr'15

  Massive GitHub DDoS attack tied to Chinese government

  Security experts say the largest DDoS attack in GitHub history, which lasted five days, was the work of the Chinese government.

• April 02, 2015 02 Apr'15

  Obama threatens foreign cyber attackers with sanctions

  US president Barack Obama has signed an executive order establishing a framework for the US to impose sanctions on foreign cyber attackers

• April 01, 2015 01 Apr'15

  NSA’s big data security analytics reaches the enterprise with Sqrrl

  Competition for Hadoop-based analytics may put tools and services within reach for large and midsize organizations, says Robert Richardson.

• April 01, 2015 01 Apr'15

  Information security jobs unfilled as labor pains grow

  Why cybersecurity hiring is the real cyberwar.

• April 01, 2015 01 Apr'15

  Defending against the digital invasion

  As attackers move beyond “spray and pray” tactics to advanced persistent threats -- having better security than your competitors is no longer enough. Targeted attacks today are often for financial gain through extortion and threats to expose or ...

• March 31, 2015 31 Mar'15

  Amid growing SSL concerns, Qualys expands free public SSL tester

  Qualys has added a free, public API to its SSL testing services, which will enable an enterprise to test any website or server for SSL vulnerabilities.

• March 31, 2015 31 Mar'15

  New PCI SSC penetration testing guidelines aim to be more prescriptive

  The PCI SSC has issued prescriptive new supplemental guidance on penetration testing in an effort to reverse current trends and improve merchant compliance.

• March 30, 2015 30 Mar'15

  PCI DSS 3.1 set for April 2015 release, will cover SSL vulnerabilities

  The PCI Security Standards Council has confirmed that PCI DSS 3.1 will be released in just a few weeks. According to a Gartner analyst, the surprise new release could cause major problems for merchants.

• March 27, 2015 27 Mar'15

  Is the RSA 2015 'booth babe' ban a win for women in security?

  News roundup: The ban of "booth babes" at RSA Conference 2015 has been met with praise; does it equal an increase of women in infosec? Plus: Cyberthreat data-sharing bill advances; Flash flaw exploited days after patching; new twist on Google Play ...