News

News

• December 09, 2014 09 Dec'14

  December 2014 Patch Tuesday features three critical fixes

  Capping a busy year of software updates, Microsoft's December 2014 Patch Tuesday release delivers three critical bulletins; separately Adobe offers a pair of critical fixes.

• December 09, 2014 09 Dec'14

  Many SMBs still lack controls to limit sensitive data exposure

  Trustwave says one out of every five organizations has no controls in place to prevent sensitive data exposure, despite growing criminal interest.

• December 09, 2014 09 Dec'14

  FIDO Alliance releases 1.0 specifications for passwordless authentication

  Amid growing fears of stolen credentials and data breaches, the FIDO Alliance released its long-awaited 1.0 specifications for passwordless and multifactor authentication systems.

• December 05, 2014 05 Dec'14

  How to find malware? It's hidden malware here, there and everywhere

  News roundup: The industry is losing the battle against hidden malware, finding it in unlikely places from sandboxes to e-cigarettes. Plus: Richard Clarke's security tips for CEOs; data loss and downtime cost companies big; and are cheap tablets ...

• December 03, 2014 03 Dec'14

  Expert: FIN4 phishing attacks show new operational sophistication

  According to one expert, the FIN4 attack group's successful advanced phishing operations prove that phishing attacks can't be thwarted solely with user awareness training.

• December 02, 2014 02 Dec'14

  FBI warning links wiper malware to Sony Pictures hack

  A confidential FBI warning circulated to U.S. businesses warns of attacks that may utilize wiper malware like that used in the Sony Pictures cyberattack.

• December 02, 2014 02 Dec'14

  Information Security 2014: Shifts ahead after a watershed year

  Editorial Director Robert Richardson looks at the year in review and offers his take on the security blunders and breakthroughs and some lessons learned.

• December 01, 2014 01 Dec'14

  2014 Security 7 winners announced

  This year’s honorees have worked to move InfoSec forward with contributions in secure information sharing, cybersecurity science, community building and incident response.

• November 26, 2014 26 Nov'14

  Enterprise security licensing models present complex problems

  Information security managers say the challenges posed by vendors' onerous security product-licensing models often increase the risk of shadow IT and threaten enterprise security.

• November 26, 2014 26 Nov'14

  (ISC)2 board chairman: 'We've definitely turned it around'

  (ISC)2 Board Chairman Wim Remes, who is seeking re-election, details the organization's management changes and efforts to boost member engagement in this interview.

• November 25, 2014 25 Nov'14

  Regin malware: Why did it take so long to uncover?

  Industry observers say the unveiling of the Regin malware, which came after more than half a decade in the wild, highlights the need for better detection methods.

• November 24, 2014 24 Nov'14

  Non-traditional employee recruitment may remedy security hiring woes

  With viable job and training opportunities finally emerging, the time is now for CISOs and hiring managers to boost infosec's ranks with non-traditional candidates.

• November 21, 2014 21 Nov'14

  SSDP DDoS attacks driving up average DDoS sizes

  New research shows that average DDoS attacks are growing larger and more prevalent as attackers have moved to exploit SSDP, the latest protocol to be abused for its amplification factor.

• November 21, 2014 21 Nov'14

  Encryption everywhere: Debating the risks and rewards

  News roundup: As the industry responds to growing demand for end-to-end Internet encryption, some fear unintended consequences. Plus: Black hats wanted; Windows Phone survives Pwn2Own; webcam spying resurgence.

• November 20, 2014 20 Nov'14

  Staples breach update: Cyberinsurance may cover retailer's costs

  A new report links the Staples security breach to an intrusion at craft retailer Michaels. Meanwhile, Staples confirmed it had purchased cyberinsurace to cover the still unknown cost of its breach.

• November 18, 2014 18 Nov'14

  Microsoft addresses Kerberos security flaw with critical out-of-band patch

  Originally scheduled by Microsoft as part of its November Patch Tuesday release, the out-of-band patch resolves a serious security vulnerability in Kerberos.

• November 17, 2014 17 Nov'14

  Microsoft's Schannel security patch affecting TLS connections

  Microsoft admitted that MS14-066, released last week to patch a serious Schannel security vulnerability, is causing some users to drop TLS connections.

• November 14, 2014 14 Nov'14

  Enterprise business leaders overconfident in basic security measures

  News roundup: A recent study revealed IT pros' confidence in implementing basic security measures is high, contradicting data that enterprises consistently fail to thwart basic attacks. Plus: BrowserStack hack lessons; responsible phishing reporting...

• November 12, 2014 12 Nov'14

  Daily log monitoring selected for 2015 PCI special interest group

  Pain points related to finding indicators of compromise in system logs and CDE outsourcing have led to a pair of new PCI special interest groups that will begin work next year.

• November 11, 2014 11 Nov'14

  Hefty November 2014 Patch Tuesday delivers four critical bulletins

  The zero-day patch was one of four critical bulletins Microsoft delivered as part of its largest Patch Tuesday release of 2014; a fifth critical bulletin was dropped at the last moment.

• November 10, 2014 10 Nov'14

  Experts: Cyber risk management requires teamwork, preparation

  At the 2014 Advanced Cyber Security Center conference, industry experts touted the increasing importance of information sharing and incident preparation, yet also admitted both are easier said than done.

• November 10, 2014 10 Nov'14

  Network security assessment should play part in M&A process

  Mergers and acquisitions present opportunities for attackers interested in valuable data, but experts say most enterprises fail to perform a network security assessment before proceeding with a deal.

• November 07, 2014 07 Nov'14

  With expanded open Wi-Fi, are ISPs offering convenience or aiding criminals?

  News roundup: Open Wi-Fi allegedly aided a fugitive in evading authorities, highlighting Wi-Fi hotspot risks as ISPs including Comcast turn residential gateways into hotspots. Plus: Google's nogotofail tool; messaging apps fail EFF security review; ...

• November 07, 2014 07 Nov'14

  Home Depot security breach: Losses include 53 million email addresses

  The email addresses were taken in addition to the 56 million debit and credit card numbers that were compromised as part of the massive data breach at the nation's biggest home-improvement retailer.

• November 04, 2014 04 Nov'14

  Despite skeptics, security awareness training for employees is booming

  Employee security awareness training has been derided in the past, but new Gartner research suggests that a market of competitive, high-quality vendors are making security awareness a must-have.

• November 01, 2014 01 Nov'14

  We honor the winners of Information Security Readers' Choice 2014

  More than 1,700 voters weighed in and helped us award this year's top security technologies in 22 categories.

• October 31, 2014 31 Oct'14

  Browser vendors to disable SSL 3.0 in response to POODLE attack

  The outdated encryption protocol was spotlighted earlier this month when Google researchers released details on the POODLE attack, which preyed on systems that support the SSL 3.0 fallback mechanism.

• October 31, 2014 31 Oct'14

  Verizon's mobile persistent cookie is more trick than treat

  News roundup: Verizon gave its mobile users an early Halloween trick: a cookie that cannot be erased, despite a number of privacy concerns. Also: compromising an air-gapped computer over the air; an alleged government-funded hack against a CBS ...

• October 30, 2014 30 Oct'14

  CurrentC breach raises questions about mobile-payment security

  CurrentC, the retailer-backed mobile-payment platform, admitted to the breach shortly after the Apple Pay competitor was blamed for shutting down other NFC-based payment options.

• October 29, 2014 29 Oct'14

  McAfee security products to gain integrated threat intelligence feeds

  Customers and partners like the new effort by the Intel-owned security vendor to integrate threat intelligence feeds with all of its existing products, but analysts are leery of lacking threat intelligence standards.

• October 29, 2014 29 Oct'14

  White House hack confirmed; state-affiliated actors suspected

  State-affiliated actors, possibly tied to the Russian government, are thought to be behind a newly confirmed breach of the White House's unclassified computer network.

• October 27, 2014 27 Oct'14

  Research finds more organizations use big data analytics for security

  Research from Nemertes shows an increasing percentage of enterprises are utilizing big data analytics for security as traditional defenses fail to hold off attackers.

• October 24, 2014 24 Oct'14

  Symantec pcAnywhere end-of-life highlights Big Yellow's many stumbles

  News roundup: As the trouble-ridden pcAnywhere's end-of-life nears, it highlights how Symantec snatched defeat from the jaws of victory. Plus: F-Secure raises the bar on privacy policy; Lifehacker breaking bad during Evil Week; and Americans fear ID...

• October 24, 2014 24 Oct'14

  Report: Backoff malware infections spiked in recent months

  A report from security vendor Damballa shows that the Backoff malware variant has infected an increasing number of point-of-sale systems in recent months.

• October 21, 2014 21 Oct'14

  Suspected Staples breach under investigation

  The Staples breach is suspected to have affected payment card information in an as-yet-undetermined number of the office supply chain's stores in the northeast U.S.

• October 20, 2014 20 Oct'14

  How Apple Pay security controls may mitigate payment card breaches

  The newly launched Apple Pay mobile payment system could deliver the most secure shopping experience for U.S. customers yet, though it still may not be perfect.

• October 17, 2014 17 Oct'14

  October 2014 Oracle CPU fixes 25 Java vulnerabilities, 154 total flaws

  The October 2014 Oracle CPU delivered fixes for 154 unique bugs, with Java vulnerabilities making up the bulk of the most pressing updates.

• October 17, 2014 17 Oct'14

  Ponemon research: Cost of a breach rising, U.S. hit hardest

  News roundup: New research shows a dramatic increase in the cost of cybercrime and data breach remediation. Plus: Security as a service popularity surges, Snowden journalist touts the importance of free security software, and more.

• October 15, 2014 15 Oct'14

  Remembering Shon Harris: Logical Security founder passes away

  Shon Harris, founder and CEO of Logical Security and recognized security certification training expert, died Oct. 8, 2014, after a long illness. SearchSecurity pays tribute to her contributions to the information security field.

• October 10, 2014 10 Oct'14

  Analysis: Symantec split was a long time coming

  The long-anticipated Symantec split will leave one company focused entirely on security, but experts caution that it's just the first step in fixing the many problems in Big Yellow's product lines.

• October 10, 2014 10 Oct'14

  Are offensive hacking courses ethical? Debating the ethics of hacking

  News roundup: Colleges across the country are offering courses in offensive hacking, but are they ethical? Plus: Why the first 'online murder' may happen in 2014; Palo Alto and NSS Labs make up; numerous Android security issues surface.

• October 08, 2014 08 Oct'14

  More Bash security flaws emerge; Yahoo says attack was not related

  Yahoo says a reported attack was not the result of a Shellshock exploit, but researchers have found new vulnerabilities in SSH key-management and network-attached storage systems.

• October 07, 2014 07 Oct'14

  IT security salary survey shows steady pay, rising budgets

  While demand for qualified security professionals may be outpacing supply, the 2014 TechTarget IT Salary Survey shows little change in security pros' compensation levels.

• October 03, 2014 03 Oct'14

  Palo Alto NGFW fails NSS Labs report, war of words ensues

  News roundup: Palo Alto's next-generation firewall fared poorly in a recent NSS Labs report, leading to a testy back-and-forth about NGFW testing. Plus: Mitnick selling zero days; EMET bypassed, again; iThemes stored plaintext passwords.

• October 03, 2014 03 Oct'14

  Open-source security model undermined by lack of resources

  Shellshock and Heartbleed showed how flawed even ubiquitous open-source software components can be, but experts say that doesn't necessarily mean the open-source security model is to blame.

• October 02, 2014 02 Oct'14

  PCI 3.0 changes: A PCI compliance requirements checklist for 2015

  In this presentation, compliance expert Nancy Rodriguez offers a line-by-line review of the key PCI DSS changes that become mandatory as of Jan. 1, 2015.

• October 01, 2014 01 Oct'14

  Zeus malware is back with a new target: Mobile devices

  Zeus malware is back with a new target -- mobile devices. Expert Nick Lewis explains how Zeus-in-the-mobile differs from traditional Zeus and how to defend against it.

• September 29, 2014 29 Sep'14

  Malvertising problem to worsen as attacks become more sophisticated

  Malvertising is already being used by attackers as a delivery mechanism for exploit kits, and new research reveals the problem is likely to get worse, specifically in the form of malicious Flash banners.

• September 26, 2014 26 Sep'14

  Attackers already targeting Bash security vulnerability

  Exploits are already being written and rewritten for the 'Shellshock' Bash security vulnerability, which was announced just days ago, increasing the urgency for enterprises to remediate it quickly.

• September 26, 2014 26 Sep'14

  Bash bug creates wave of shell security concerns on social media

  News roundup: The revelation that the Bash bug could be the worst worm outbreak in more than a decade started a frenzy on social media. Plus: a 'Kyle and Stan' malvertising update; GM ups auto cybersecurity; two data breaches; and more.

• September 25, 2014 25 Sep'14

  On Shellshock Bash vulnerability, experts scramble amid active exploits

  As attackers begin exploiting the 'Shellshock' Bash vulnerability, experts say many attack vectors remain unknown, making immediate remediation extremely critical.

• September 25, 2014 25 Sep'14

  In Heartbleed's wake, Bash shell flaw puts Linux, Mac OS users at risk

  Experts say a 20-year-old vulnerability uncovered in the Bash shell, found in Unix-based operating systems including Linux and Mac OS, could lead to a dangerous worm outbreak unlike anything seen in more than a decade.

• September 23, 2014 23 Sep'14

  BYOD security concerns not deterring personal device use

  A new Ponemon survey shows that while enterprises may harbor concerns about BYOD security, business-wide use of personal mobile devices is growing rapidly.

• September 19, 2014 19 Sep'14

  Bitcoin exchanges maturing, but Bitcoin security still a concern

  The Bitcoin market is maturing but security issues, such as private key management, persist. The Bitcoin Foundation gives the good news and bad news regarding Bitcoin security.

• September 19, 2014 19 Sep'14

  Rogue IMSI catchers heighten enterprise cell phone security risks

  News roundup: Rogue cell phone towers are popping up across the United States, heightening enterprise communication and data privacy concerns. Plus: Goodwill breach update; Adobe patches released; and security in 2025.

• September 19, 2014 19 Sep'14

  Home Depot data breach update: 56 million cards confirmed stolen

  Home Depot said late Thursday that its recent breach involving 56 million payment cards was the result of custom-built malware, and that the company has since rolled out new POS encryption technology.

• September 17, 2014 17 Sep'14

  Research finds holes in defense-in-depth security model

  The defense-in-depth security model is often touted as a must for enterprises, but research shows that security products often fail to do what they're supposed to.

• September 17, 2014 17 Sep'14

  Apple rolls out more robust iCloud two-factor authentication

  Following a high-profile leak of celebrity photos, Apple has moved to improve its iCloud two-factor authentication mechanisms.

• September 16, 2014 16 Sep'14

  Programmers unknowingly inherit development framework security issues

  Developers increasingly rely on a variety of open source components, but a VerSprite researcher warns that security issues accompany many popular frameworks.

• September 15, 2014 15 Sep'14

  Apple Pay security: Hope abounds, but questions linger

  Security controls integrated into the new Apple Pay mobile payment system could strengthen the payment security ecosystem, but unanswered questions remain, like the ramifications of a lost iPhone.

• September 12, 2014 12 Sep'14

  Situational awareness software raises surveillance questions

  News roundup: City-sponsored situational awareness software use at a music festival illustrates the importance of enterprise surveillance strategy evaluation. Plus: Apache Tomcat upgrade; OpenSSL security policy; and call center security concerns.

• September 11, 2014 11 Sep'14

  Healthcare.gov breach shows poor website security testing

  Experts say the latest security breach of the Healthcare.gov website was caused by lacking security process maturity, downplaying the importance of website security testing.

• September 11, 2014 11 Sep'14

  Time to end women and security stereotypes, says Facebook security pro

  Facebook's director of security operations says women can have successful careers in information security, and more diversity can help shift the playing field toward security defenders rather than attackers.

• September 09, 2014 09 Sep'14

  September 2014 Patch Tuesday includes critical IE security fix

  Microsoft's September 2014 Patch Tuesday features four bulletins, including one critical update for Internet Explorer. Plus: Adobe releases a Flash fix, but delays a planned patch release for Reader and Acrobat.

• September 09, 2014 09 Sep'14

  Home Depot confirms data breach began in April

  The home improvement retailer confirms its customers' payment card data was breached in an incident that is believed to have begun in April, likely compromising millions of card accounts.

• September 08, 2014 08 Sep'14

  Heartbleed patch efforts ignored on thousands of websites

  Data from McAfee shows many organizations have yet to fully patch the Heartbleed vulnerability, and as many as 300,000 websites remain at risk.

• September 05, 2014 05 Sep'14

  Goodwill breach highlights need for service provider due diligence

  News roundup: The recent Goodwill security breach has been blamed on a third-party service provider, highlighting the need for due diligence. Plus: Mobile device theft; Android app vulnerabilities and a 12-year-long cyber-espionage network.

• September 04, 2014 04 Sep'14

  Card trail shows Home Depot data breach could be huge

  The reported Home Depot data breach may have affected stores nationwide over the course of several months if new data proves to be correct.

• September 03, 2014 03 Sep'14

  Apple two-factor authentication fail leaves iCloud users vulnerable

  Apple's decision to not extend its two-factor authentication security mechanism to all iCloud services may leave users more vulnerable to attacks

• September 02, 2014 02 Sep'14

  Apple and FBI launch iCloud hack investigation

  Apple and FBI investigate the breach of Apple’s iCloud causing fresh business concerns over cloud security

• August 29, 2014 29 Aug'14

  IDC reports endpoint security market is booming, but isn't antivirus dead?

  News roundup: Endpoint antimalware has been long considered ineffective, yet a recent IDC report projects endpoint security growth. What gives? Plus: AWS Zocalo, new gTLDs, QR code authentication and more.

• August 28, 2014 28 Aug'14

  Plan ahead to avoid SIEM deployment pitfalls

  Despite SIEM technology improvements, Gartner says many organizations still dive into SIEM deployments without adequate planning, often resulting in disaster.

• August 28, 2014 28 Aug'14

  PCI SSC issues SIG guidance on maintaining PCI compliance

  The new information supplement offers advice on how to address obstacles in maintaining year-round PCI compliance, even though PCI experts say the challenge is only getting harder.

• August 25, 2014 25 Aug'14

  Backoff point-of-sale malware hits over 1,000 businesses

  In an advisory Friday, the U.S. government estimated that the Backoff point-of-sale malware campaign has struck over 1,000 businesses to date.

• August 22, 2014 22 Aug'14

  Community Health breach shows detecting Heartbleed exploits a struggle

  The difficulty of detecting Heartbleed exploits means that the Community Health breach is unlikely to be the last incident linked to the OpenSSL flaw.

• August 22, 2014 22 Aug'14

  Breaches show information security fundamentals prove hard to learn

  News roundup: Heartbleed vulnerabilities, point-of-sale malware and phishing scams are nothing new, yet numerous companies continue to fall victim to them. Shouldn't the lesson be learned by now? Plus: HTTP Shaming, Dropbox improvements and more.

• August 21, 2014 21 Aug'14

  Is mobile app data collection a greater threat than mobile malware?

  A vendor report found that while mobile malware may receive more attention, unrestrained mobile app data collection actually poses a greater risk to consumers and data security.

• August 20, 2014 20 Aug'14

  Heartbleed exploit linked to Community Health data breach

  An infosec consultancy has claimed that a Heartbleed exploit was used by attackers to gain access as part of the Community Health data breach.

• August 19, 2014 19 Aug'14

  Healthcare data breach exposes personal data of 4.5 million patients

  The Community Health data breach exposed the personal data of 4.5 million patients of the healthcare entity, opening up potential regulatory issues.

• August 18, 2014 18 Aug'14

  Exploit kits put Silverlight security issues in focus

  Silverlight security issues will demand more attention as attackers increasingly target the plug-in, leaving users vulnerable to various exploits.

• August 15, 2014 15 Aug'14

  Insider security threats: Negligence is a data loss double bogey

  News roundup: Pro golfer Rory McIlroy inadvertently revealed his passcode on live TV, highlighting how easy it is to inadvertently reveal sensitive information. Plus: BlackBerry and Google issue updates, and Gartner hit with Magic Quadrant lawsuit.

• August 14, 2014 14 Aug'14

  Common bypasses found in mobile application management products

  Crypto failures enable attackers to bypass mobile application management products, according to a researcher, leaving sensitive mobile data unprotected and casting doubts on MAM's value.

• August 12, 2014 12 Aug'14

  August 2014 Patch Tuesday targets IE security improvements

  Beyond the usual slew of IE security patches, Microsoft's August 2014 Patch Tuesday made a couple of moves to improve the security of its browser.

• August 12, 2014 12 Aug'14

  PCI audit conflict of interest problems persist

  Discussing the state of PCI DSS compliance, Gartner's Avivah Litan says the industry still struggles with PCI auditors who both identify PCI problems and sell remediation services to fix them, causing a conflict of interest.

• August 11, 2014 11 Aug'14

  Black Hat 2014 session debuts BadUSB

  Do USB drives pose a major threat to enterprise security? Experts at a recent A Black Hat 2014 session have unveiled a new threat -- dubbed BadUSB -- that could infiltrate your network using common USB devices.

• August 11, 2014 11 Aug'14

  Need to decrypt CryptoLocker files? Researchers offer help

  A new site gives remaining victims of the CryptoLocker ransomware the private keys needed to decrypt and recover locked files.

• August 08, 2014 08 Aug'14

  Yahoo CISO: Enterprise security companies letting us down

  At Black Hat 2014, Yahoo CISO Alex Stamos decried enterprise security companies' inability to handle scale and system diversity, and called on vendors to seize the opportunity for innovation.

• August 08, 2014 08 Aug'14

  Black Hat legal panel bemoans vagueness of cybercrime laws

  A Black Hat 2014 panel featuring computer crime legal specialists Marcia Hofmann and Kevin Bankston found much for researchers to fear regarding vague cybercrime laws.

• August 08, 2014 08 Aug'14

  Hold and catch fire: Debating ethical data breach notification policy

  News roundup: When a breach occurs, it's common practice to share the information with victims -- both the users and the companies involved. However, Hold Security's billion-password hack disclosure hasn't followed standard procedure.

• August 07, 2014 07 Aug'14

  Oracle's data redaction security feature riddled with flaws

  At Black Hat, David Litchfield skewered Oracle and its approach to security while detailing several flaws in a new Oracle database security feature.

• August 07, 2014 07 Aug'14

  SSC issues PCI compliance checklist for third-party service providers

  The PCI Security Standards Council's new information supplement helps enterprises implement a security assurance program to ensure their third-party service providers meet PCI DSS requirements.

• August 07, 2014 07 Aug'14

  Black Hat 2014: Researcher reveals Amazon cloud security weaknesses

  At Black Hat 2014, a researcher showed how AWS cloud security flaws and misconfigurations can have devastating consequences for AWS customers that don't take security seriously.

• August 06, 2014 06 Aug'14

  Black Hat 2014: Dan Geer says system dependencies threaten security

  At Black Hat USA 2014, keynote speaker Dan Geer said bounding system dependencies was only hope for managing the risks of complexity.

• August 06, 2014 06 Aug'14

  EMET 5.0 release offers new ways to block plug-ins

  EMET 5.0, the latest version of Microsoft's zero-day prevention tool, includes several new features, most notably improved ways to block plug-ins like Flash and Java.

• August 06, 2014 06 Aug'14

  Russian hackers steal over a billion usernames and passwords

  A group of Russian cyber criminals have attacked 500 million email addresses and gained 1.2 billion usernames and passwords.

• August 04, 2014 04 Aug'14

  'Poweliks' malware variant employs new antivirus evasion techniques

  The file-less 'Poweliks' malware incorporates a unique combination of antivirus evasion techniques involving the Windows registry to remain undetected on victims' machines.

• August 01, 2014 01 Aug'14

  Android vulnerability enables app impersonation, heightens BYOD risks

  News roundup: The 'Fake ID' flaw on Android devices allows malicious apps to impersonate trusted ones, putting confidential data at risk and reigniting BYOD security concerns.

• August 01, 2014 01 Aug'14

  U.S. government warns of point-of-sale malware campaign

  The U.S. government has divulged details on the 'Backoff' point-of-sale malware campaign, which purportedly targets remote access software for entry.

• July 30, 2014 30 Jul'14

  Heartbleed scan shows majority of Global 2000 still vulnerable

  A vendor's Heartbleed scan shows that a majority of Global 2000 organizations may still be vulnerable despite patching the OpenSSL flaw.

• July 29, 2014 29 Jul'14

  Board interest in information security principles growing

  Corporate boards have increased their awareness of security issues, but experts say they still lack information security principles.