News
- May 15, 2015
Will Microsoft Edge security features make up for past sins?
News roundup: Microsoft released security details of its new Edge browser, but is it enough to restore user confidence? Plus: Millennial security threats; new ransomware, GPU-based malware; black hat cybersecurity services.
- May 13, 2015
Security ethics survey shows honesty is a tricky business
A security ethics survey conducted at the 2015 RSA Conference indicates that infosec professionals may be wary of media attention in breach and vulnerability reporting.
- May 12, 2015
AlienVault updates SIEM platforms after vulnerabilities exposed
Security software maker AlienVault scrambled to patch two of its products after a security researcher exposed longstanding vulnerabilities in them.
- May 12, 2015
May 2015 Patch Tuesday isn't all about critical patches, experts say
Microsoft's May 2015 Patch Tuesday has made 2015 the biggest year for patches through the first five months and is highlighted by two non-critical patches, according to experts.
- May 11, 2015
Intel's Security Connected aims to be the glue for enterprise security
Intel Security wants to offer a full set of security products, but believes highest value may come from being a bridge. Security Connected aims to integrate non-Intel products and place Intel at the center, although experts worry about complexity.
- May 08, 2015
How the WordPress XSS vulnerability was patched so quickly
WordPress was found to have two new zero-day XSS vulnerabilities that were being exploited, but a patch has already been issued to mitigate the issues.
- May 08, 2015
Mobile malware statistics highlight unknown state of mobile threats
News roundup: Contradicting mobile malware statistics published this year prove the mobile malware debate is alive and well. Plus: SAP vulnerabilities; spam-sending Linux malware; criminal attacks leading healthcare threat.
- May 07, 2015
Malware detection tool tackles medical device security
WattsUpDoc, an embedded system security tool used to detect malware in medical devices, is now in beta testing at two major U.S. hospitals.
- May 07, 2015
Inside the WhiteHat Aviator Web browser controversy
Robert 'Rsnake' Hansen of WhiteHat Security discusses the Aviator Web browser, why Google lashed out against it, the challenges of browser security and lessons learned for developing secure software.
- May 06, 2015
Experts debate the value and future of data loss prevention tools
Data loss prevention tools have been on the market for close to 10 years, but adoption and deployment are still inconsistent. Experts point to a shift in how enterprises will deploy DLP moving forward.
- May 06, 2015
Microsoft debuts password-free Windows Hello, Patch Tuesday changes
Microsoft Ignite 2015 showed that Microsoft may have rethought the Tuesday part of Patch Tuesday, but Windows Update is stronger than ever.
- May 05, 2015
Local Administrator Password Solution aims to stop credential replay
Microsoft has released its Local Administrator Password Solution for a common admin login account across all domain-joined computers in hopes that it will decrease pass-the-hash attacks.
- May 04, 2015
Anti-sandbox capabilities found in Dyre malware
Seculert research discovers that a new version of the financial malware Dyre is avoiding sandbox detection by counting the number of cores.
- May 01, 2015
Subscription model for SSL certificates could be easier and cheaper
A Utah-based startup hopes to change the way enterprises buy SSL certificates to a subscription model, and one expert thinks it could work as long as enterprises can trust the security.
- May 01, 2015
Government cybersecurity flounders as cybersecurity bills pass House
News roundup: Many believe the government should help avert cybersecurity woes, yet two House-approved cybersecurity bills are frowned upon. Plus: DDoS increase linked to IoT; Google password alert; 70% put networks at risk with undocumented changes.
- April 30, 2015
How WestJet Airlines nixed network complexity, boosted security
At an RSA Conference session, attendees learned how WestJet Airlines' Security Architecture Made Simple with software-defined security and automation reduced network turbulence.
- April 30, 2015
Government agencies struggling with security data analytics
Security data analytics are a must-have for government agencies to stay one step ahead of cyber attackers, according to a study conducted by MeriTalk.
- April 29, 2015
Port monitoring critical to detecting, mitigating attacks using SSL
As SSL traffic increases, so inevitably will the number of attacks using it to hide. A session at RSA Conference 2015 explained why hackers love SSL, and how enterprises can defend against them.
- April 29, 2015
Secunia: End-of-life software posing a big security risk
Secunia's quarterly Personal Software Inspector (PSI) report shows that while OS and application patching has remained steady, users may be ignoring end-of-life software and the risks associated with it.
- April 29, 2015
IT security and compliance: Get leadership on board to find balance
At an RSA Conference 2015 session, finance information security officer Steve Winterfeld explained why having complementary IT security and compliance strategies requires leadership buy-in and cooperation.
- April 29, 2015
RSA Conference 2015 recap: Record attendance, record stakes
This year's RSA Conference once again broke the previous year's attendance record. Is the show getting too big for San Francisco? Plus key takeaways and final words from our executive editor.
- April 28, 2015
Comparing the top SSL VPN products
Expert Karen Scarfone examines the top SSL VPN products available today to help enterprises determine which option is the best fit for them.
- April 28, 2015
Open source threat model aims to make enterprise safer with less work
An open source threat model aims to serve as a shared repository for risk assessment, so that each enterprise can focus on creating the right security controls for its own business.
- April 28, 2015
Despite benefits, skepticism surrounds bug bounty programs
Some people think bug bounty programs are the answers to vulnerability woes, yet others remain skeptical of the negative impacts they present. RSA Conference panelists discussed both sides of one of today's hottest and most controversial IT topics.
- April 28, 2015
Insider threat programs need people, not technology
A panel discussion at RSA Conference 2015 outlined strategic methods enterprises can use to build and advocate for an insider threat program.
- April 27, 2015
DevOps explained: Why experts call DevOps and security a perfect match
At RSA Conference 2015, a pair of DevOps proponents explained why the nascent movement to integrate development and IT operations staff pays security dividends.
- April 27, 2015
New study shows enterprise security confidence high but defenses low
A new study from network security firm Fortinet shows that enterprise security confidence levels are high despite a lack of comprehensive security measures.
- April 27, 2015
WordPress vulnerable to stored XSS bug, researchers find
A researcher has released a proof-of-concept exploit for a WordPress vulnerability leveraging stored XSS, which could lead to remote code execution on affected servers.
- April 27, 2015
On healthcare data security, not all security pros see unique challenges
At an RSA Conference 2015 discussion on healthcare data security, experts with decades of experience perceive a unique challenge, while security pros see similarities with other verticals.
- April 24, 2015
Long-duration advanced persistent threat attacks now the norm, say experts
Threat experts at RSA Conference 2015 say today's most dangerous attack techniques reflect a shift toward long-duration attacks that are often nearly impossible to detect.
- April 24, 2015
Clarity needed to cultivate next-gen cybersecurity workforce
Millennials are hesitant to pursue a career in cybersecurity, mainly because they aren't sure exactly what the job entails -- and if they have the proper training for it.
- April 24, 2015
NIST wants help building the one ID proofing system to rule them all
The U.S. government wants to solve the weaknesses in online ID proofing systems, but it needs the help of enterprise and security professionals in order to overcome privacy concerns and other issues.
- April 24, 2015
Insecure SSL coding could lead to Android man-in-the-middle attacks
Researchers have found thousands of apps that feature insecure coding practices in implementing SSL protocols, which could lead to Android man-in-the-middle attacks.
- April 23, 2015
Opportunity abounds for those with both business, security skills
Executives now listen to their security managers but experts speaking at the RSA Conference 2015 say infosec leaders must learn business security skills and think long term.
- April 23, 2015
RSA attendees ponder how to trim bloated security portfolios
At a roundtable discussion at RSA Conference 2015, security admins pondered what to do about bloated security portfolios.
- April 23, 2015
Effective data breach response plans hinge on human preparedness
Experts at a Verizon event at RSA Conference 2015 say no data breach response plan is complete until certain human factors are considered.
- April 23, 2015
Pescatore on security success: Breach prevention is possible
At RSA Conference 2015, John Pescatore offered real-world case studies proving that information security technologies can help prevent data breaches.
- April 22, 2015
Industry experts warn only cyberliability insurance covers breaches
Cyberliability insurance gains popularity as industry experts warn that, contrary to popular belief, general insurance won't protect against cyberattacks.
- April 22, 2015
Can supply chain security assuage Huawei security concerns?
Huawei's U.S. CSO pitched the rigor of its supply chain security processes to RSA Conference 2015 attendees, but they remained skeptical at best on whether to trust the Chinese networking and security vendor.
- April 22, 2015
Mobile malware is not a serious threat, Damballa shows
An Atlanta-based threat prevention company says the chances of acquiring a mobile malware infection are as slim as the chance of being struck by lightning.
- April 22, 2015
Government cybersecurity experts push for better information sharing
At RSA 2015, former federal officials called for better government cybersecurity cooperation between agencies and with the private sector.
- April 22, 2015
Threat intelligence programs maturing despite staffing, tech obstacles
A Forrester analyst told RSA Conference 2015 attendees that enterprise threat intelligence programs are maturing, though obstacles like nascent technology and hard-to-find employees mean some firms may never reach full maturity.
- April 21, 2015
Yoran: RSA, information security industry needs 'radical change'
New RSA President Amit Yoran says business as usual isn't stopping the evolving threat landscape, and hints at radical changes coming to the information security industry and within RSA itself.
- April 21, 2015
Raytheon cybersecurity bolstered by Websense acquisition
Vista sells majority stake in security provider Websense to boost Raytheon cybersecurity defense amidst copious information breaches.
- April 21, 2015
Waratek grabs RSA Innovation Sandbox honors
Runtime application self-protection startup Waratek wins coveted RSA Innovation award.
- April 21, 2015
SIMDA botnet down: 770,000 infected computers rescued
INTERPOL collaborated with Trend Micro, Microsoft and Kaspersky to take down a botnet affecting 770,000 users.
- April 20, 2015
Successful women in security tout need for mentoring, encouragement
Female infosec pros say the industry needs to do more to not only encourage women to pursue infosec careers, but also help mentor them along the way.
- April 20, 2015
Hiring millennials key to reducing security workforce shortage
At RSA Conference 2015, speakers at an (ISC)2 panel said attracting and hiring millennials is a huge key to alleviating the worsening information security workforce shortage.
- April 17, 2015
Machine versus the bots: Does your website pass the Turing 2.0 test?
New Web security models use browser behavior and polymorphism to protect against data theft and fraud.
- April 17, 2015
Patch Tuesday's Windows HTTP.sys flaw under attack
A critical vulnerability in Windows HTTP.sys was detailed as part of Microsoft's April Patch Tuesday, and the flaw is already being actively exploited in the wild.
- April 17, 2015
Microsoft cybersecurity strategy: Time for another Bill Gates email
Opinion: Executive Editor Eric Parizo says Microsoft's security strategy may have once been the benchmark for other vendors to emulate, but in 2015 the software giant's priorities lie elsewhere.
- April 16, 2015
Oracle Critical Patch Update features important Java SE updates
The latest Oracle Critical Patch Update includes fixes for close to 100 vulnerabilities, but one expert says there is a critical update for Java on the desktop that needs immediate attention.
- April 15, 2015
PCI DSS 3.1 debuts, requires detailed new SSL security management plan
PCI DSS 3.1 grants merchants about 14 months to nix flawed SSL and TLS protocols, but demands they quickly provide detailed new documentation on how they plan to make the transition.
- April 14, 2015
April 2015 Patch Tuesday addresses critical HTTP.sys flaw
Microsoft's April 2015 Patch Tuesday release is lighter than usual with 11 total bulletins, but experts say that system admins should immediately install a critical HTTP.sys patch for Windows Server.
- April 14, 2015
'Redirect to SMB' vulnerability affects all versions of Windows
The new 'Redirect to SMB' vulnerability is an update to an 18-year-old flaw that can lead to man-in-the-middle attacks on all versions of Windows.
- April 14, 2015
Sony Pictures hack used easily available malware, destroyed computers
A '60 Minutes' interview Sunday revealed that not only did Sony Pictures fall victim to well-known, off-the-shelf malware, but that the attackers also destroyed thousands of computers and servers after stealing the data.
- April 14, 2015
Verizon DBIR 2015 tackles data breach cost predictions
In its 2015 Data Breach Investigations Report, Verizon debuts data breach cost estimates based on newly available data, and also advocates for better threat intelligence sharing among different industries facing common threats.
- April 13, 2015
Cybersecurity risks masked by controversial vulnerability counts
Experts have split opinions regarding the correct methodology for counting vulnerabilities, but all agree that focusing on numbers can mask real cybersecurity risks.
- April 10, 2015
Ways to secure Web apps: WAFs, RASP and more
Protecting a Web application increasingly means tuning your protections to the individual characteristics of your applications. There’s more than one way to go about this, though. In this three-part guide we review best practices for taking your Web...
- April 10, 2015
Chrome security under fire from third-party extension
Security researchers say Webpage Screenshot, a popular third-party extension for Google Chrome, was secretly collecting end-user browsing data. Its true purpose and how Google missed it remain up for debate.
- April 10, 2015
Tech, security M&A activity booms thanks to mobile, cloud
News roundup: Technology and security acquisitions have seen some healthy activity in 2015, driven by two key trends. Plus: 75% of users aren't vulnerable to Heartbleed?; White House hack tied to phishing; first state digital ID law.
- April 09, 2015
SANS: Enterprises overconfident in ability to detect insider threats
Enterprises may be increasingly aware of insider threats and believe they can find and stop them, but a new SANS Institute survey suggests they may be overconfident and lack the necessary insider threat-detection technology.
- April 08, 2015
Experts disagree on growth, complexity of cybersecurity threats
The Websense 2015 Threat Report claims that cybersecurity threats are getting more complex, but one expert says the trends aren't anything new.
- April 08, 2015
Dyre malware returns to rob banks of millions
Financial malware Dyre, in tandem with social engineering, was used in a new campaign to steal millions from financial institutions, according to IBM researchers.
- April 06, 2015
In first Android Security Report, Google cites drop in Android malware
Google's first Android Security Report claims that malware on the platform was found on fewer than 1% of devices in 2014, but experts question if the ecosystem is really as safe as it has ever been.
- April 05, 2015
Amid SSL security issues, enterprises face many problems, few answers
Experts say even enterprises that carefully secure TLS may still be at the mercy of the numerous security issues affecting the SSL ecosystem.
- April 03, 2015
The transaction that lasts forever
Whether or not you think Bitcoin has a future, it has a couple of very interesting technological elements that will probably have a life of their own. The aspect that everyone talks about is that ...
- April 03, 2015
U.S. cyberattacker sanctions program causes stir on social media
News roundup: President Obama's executive order allowing sanctions on cyberattackers has been met with mixed reaction. Plus: Threat intelligence perception versus reality; healthcare breach consequences; Verizon tosses supercookie.
- April 02, 2015
Massive GitHub DDoS attack tied to Chinese government
Security experts say the largest DDoS attack in GitHub history, which lasted five days, was the work of the Chinese government.
- April 02, 2015
Obama threatens foreign cyber attackers with sanctions
US president Barack Obama has signed an executive order establishing a framework for the US to impose sanctions on foreign cyber attackers.
- April 01, 2015
NSA’s big data security analytics reaches the enterprise with Sqrrl
Competition for Hadoop-based analytics may put tools and services within reach for large and midsize organizations, says Robert Richardson.
- April 01, 2015
Information security jobs unfilled as labor pains grow
Why cybersecurity hiring is the real cyberwar.
- April 01, 2015
Defending against the digital invasion
As attackers move beyond "spray and pray" tactics to advanced persistent threats, having better security than your competitors is no longer enough. Targeted attacks today are often for financial gain through extortion and threats to expose or ...
- March 31, 2015
Amid growing SSL concerns, Qualys expands free public SSL tester
Qualys has added a free, public API to its SSL testing services, which will enable an enterprise to test any website or server for SSL vulnerabilities.
- March 31, 2015
New PCI SSC penetration testing guidelines aim to be more prescriptive
The PCI SSC has issued prescriptive new supplemental guidance on penetration testing in an effort to reverse current trends and improve merchant compliance.
- March 30, 2015
PCI DSS 3.1 set for April 2015 release, will cover SSL vulnerabilities
The PCI Security Standards Council has confirmed that PCI DSS 3.1 will be released in just a few weeks. According to a Gartner analyst, the surprise new release could cause major problems for merchants.
- March 27, 2015
Is the RSA 2015 'booth babe' ban a win for women in security?
News roundup: The ban of "booth babes" at RSA Conference 2015 has been met with praise; does it equal an increase of women in infosec? Plus: Cyberthreat data-sharing bill advances; Flash flaw exploited days after patching; new twist on Google Play ...
- March 27, 2015
Social engineering techniques are becoming harder to stop, experts say
As more data moves online, social engineering techniques are becoming increasingly advanced and traditional training methods may not be enough to keep enterprises safe.
- March 25, 2015
Study finds lack of investment in mobile app security
The Ponemon Institute says enterprises are devoting millions of dollars to mobile application development, but barely any of the money is focused on security.
- March 25, 2015
Major browser makers revoke unauthorized Chinese TLS certificates
Google, Microsoft, and Mozilla have revoked unauthorized TLS certificates issued by an intermediate certificate authority that could have been used in man-in-the-middle attacks.
- March 25, 2015
Secunia: Better vulnerability reporting doesn't mean more patches
Secunia's 2015 Vulnerability Report shows that better vulnerability reporting and awareness of flaws doesn't necessarily mean vendors offer more patches or focus on the most critical issues.
- March 24, 2015
BandarChor: New ransomware based on old malware family emerges
Antivirus vendor F-Secure discovered BandarChor, a type of ransomware based on an existing malware family.
- March 23, 2015
Open source security tool indicates Android app vulnerability spike
A new open source security tool from CERT, dubbed 'Tapioca,' shows that Android app vulnerabilities are ubiquitous, according to new research from IBM.
- March 23, 2015
Cisco IP phones vulnerable to eavesdropping; no patch available yet
Cisco says a vulnerability in some of its IP phones for SMBs could allow eavesdropping. A fix is not yet available, but Cisco has offered mitigation techniques.
- March 20, 2015
At 2015 Pwn2Own competition, browser exploits in the spotlight
News roundup: Researchers at the 2015 Pwn2Own exploited every major Web browser, casting doubt on browser security once again. Plus: high-severity OpenSSL update; IE being phased out in Windows 10; Americans dodging online surveillance.
- March 18, 2015
Experts: Consumer Privacy Bill of Rights may ease privacy compliance
The Consumer Privacy Bill of Rights proposed by the Obama administration is a good first step, according to experts, and may simplify privacy compliance for enterprises currently dealing with many different state laws.
- March 17, 2015
Yahoo's attempt to kill off passwords raises security concerns
Yahoo's attempt to kill off passwords by introducing an on-demand one-time passcode option for its email services has raised security concerns.
- March 17, 2015
Microsoft warns of fake SSL certificate for Windows Live
Microsoft has warned that a fake security certificate has been issued for the Windows Live domain that could be abused by attackers.
- March 16, 2015
Microsoft re-releases EMET 5.2 to fix IE bug
Update: Microsoft has re-released Enhanced Mitigation Experience Toolkit version 5.2 to correct a bug involving IE 11.
- March 13, 2015
Hillary Clinton email debate highlighted by security mistakes
News roundup: Hillary Clinton's decision to use a private email domain and server has created a firestorm over her email security mistakes. Plus: OpenSSL audit, Blue Coat acquisition, more Equation details emerge.
- March 13, 2015
Does Rowhammer mark a new wave of hardware vulnerabilities?
Experts agree that the Rowhammer vulnerability likely isn't an immediate threat to enterprises, but disagree on whether hardware vulnerabilities are about to reach a tipping point.
- March 11, 2015
Verizon 2015 PCI report: More achieve PCI compliance, but fail to keep it
The 2015 edition of the Verizon PCI report shows enterprises are, on the whole, getting better at achieving full PCI compliance. Unfortunately, few can sustain it.
- March 11, 2015
Study warns security certificates, cryptographic keys are in peril
A growing number of cryptographic keys and security certificates are being abused, according to a new study from cybersecurity firm Venafi and the Ponemon Institute.
- March 11, 2015
HP enterprise security: Can acquisitions lead to cohesive strategy?
Through acquisitions Hewlett-Packard has built a formidable lineup of enterprise security offerings, but experts question whether a strong brand can overcome legacy technology and a lacking endpoint strategy.
- March 10, 2015
March 2015 Patch Tuesday: Microsoft offers quick FREAK fix
Microsoft's March 2015 Patch Tuesday bulletins include a fix for the FREAK vulnerability, as well as five critical fixes, but surprisingly, an expert says one of the fixes deemed non-critical actually demands immediate attention.
- March 10, 2015
Venmo struggles put spotlight on mobile payment security
The mobile payment app maker responds to criticism by stepping up security with better verifications and notifications for email and phone number changes.
- March 10, 2015
Rowhammer takes a big swing at DRAM memory security
Google's Project Zero has detailed a new proof-of-concept exploiting the "rowhammer" DRAM flaw to allow for root access on various operating systems.
- March 09, 2015
For threat intelligence programs, ROI evaluation proves tricky
Threat intelligence programs are taking root in many enterprises, but experts say variables like disparate service offerings, pricing models and response capabilities make ROI evaluation a vexing proposition.
- March 09, 2015
Group claiming links to Isis hacks small business websites
The FBI is investigating the hacking of a number of SME websites in the US and Europe by people claiming affiliation with Islamic State.
- March 06, 2015
Adobe's new twist on bug bounty programs: No cash for bug hunters
News roundup: Bug bounty programs can offer big rewards to researchers, unless Adobe is handing out the prizes. Plus: Signal 2.0 encryption app; app cloning risk increasing; Angler adopts 'domain shadowing' capability.