News

April 13, 2015 13 Apr'15
Cybersecurity risks masked by controversial vulnerability counts

Experts have split opinions regarding the correct methodology for counting vulnerabilities, but all agree that focusing on numbers can mask real cybersecurity risks.
April 10, 2015 10 Apr'15
Ways to secure Web apps: WAFs, RASP and more

Protecting a Web application increasingly means tuning your protections to the individual characteristics of your applications. There’s more than one way to go about this, though. In this three-part guide we review best practices for taking your Web...
April 10, 2015 10 Apr'15
Chrome security under fire from third-party extension

Security researchers say Webpage Screenshot, a popular third-party extension for Google Chrome, was secretly collecting end-user browsing data. Its true purpose and how Google missed it remain up for debate.
April 10, 2015 10 Apr'15
Tech, security M&A activity booms thanks to mobile, cloud

News roundup: Technology and security acquisitions have seen some healthy activity in 2015, driven by two key trends. Plus: 75% of users aren't vulnerable to Heartbleed?; White House hack tied to phishing; first state digital ID law.
April 09, 2015 09 Apr'15
SANS: Enterprises overconfident in ability to detect insider threats

Enterprises may be increasingly aware of insider threats and believe they can find and stop them, but a new SANS Institute survey suggests they may be overconfident and lack the necessary insider threat-detection technology.
Sponsored News
- Keep out vulnerable third-party scripts that help steal data from your website
  
  Sponsored by Akamai - Visiting a website today, users gain access to a rich, interactive experience that is often customized to their preferences and enhanced for their convenience. See More
- Part I: Keep the Cloud Your Safe Place
  
  Sponsored by Forcepoint - Organizations of all sizes have been called upon to swiftly support remote work in order to safeguard the health of their workforce and local communities. As businesses are called upon to scale up remote work procedures for the physical safety of employees, IT teams must accelerate the adoption of technology that ensures their people and data are secure—without hurting productivity or morale. See More
- DDoS attacks are growing in frequency and scale during the pandemic. What can businesses do?
  
  Sponsored by Akamai - At a time when many businesses have their resources stretched to the limit, the scourge of distributed denial-of-service (DDoS) attacks has continued unabated and added to the difficulties faced by many during this ongoing pandemic. See More
- Part II: Safeguard Data Everywhere
  
  Sponsored by Forcepoint - As security teams are tasked with the duty of rapidly scaling up protections for remote workers, one of the key considerations they must keep in mind is how to safeguard data no matter where it resides or travels. This is hardly a new problem. However, the vastly broadened scope of remote work today requires security teams to revisit policies and technologies. Some solutions that may have been sufficient for isolated use cases don't adequately protect a completely distributed workforce. See More
View All Sponsored News
April 08, 2015 08 Apr'15
Experts disagree on growth, complexity of cybersecurity threats

The Websense 2015 Threat Report claims that cybersecurity threats are getting more complex, but one expert says the trends aren't anything new.
April 08, 2015 08 Apr'15
Dyre malware returns to rob banks of millions

Financial malware Dyre, in tandem with social engineering, was used in a new campaign to steal millions from financial institutions, according to IBM researchers.
April 06, 2015 06 Apr'15
In first Android Security Report, Google cites drop in Android malware

Google's first Android Security Report claims that malware on the platform was found on fewer than 1% of devices in 2014, but experts question if the ecosystem is really as safe as it has ever been.
April 05, 2015 05 Apr'15
Amid SSL security issues, enterprises face many problems, few answers

Experts say even enterprises that carefully secure TLS may still be at the mercy of the numerous security issues affecting the SSL ecosystem.
April 03, 2015 03 Apr'15
The transaction that lasts forever

Whether or not you think Bitcoin has a future, it has a couple of very interesting technological elements that will probably have a life of their own. The aspect that everyone talks about is that ...
April 03, 2015 03 Apr'15
U.S. cyberattacker sanctions program causes stir on social media

News roundup: President Obama's executive order allowing sanctions on cyberattackers has been met with mixed reaction. Plus: Threat intelligence perception versus reality; healthcare breach consequences; Verizon tosses supercookie.
April 02, 2015 02 Apr'15
Massive GitHub DDoS attack tied to Chinese government

Security experts say the largest DDoS attack in GitHub history, which lasted five days, was the work of the Chinese government.
April 02, 2015 02 Apr'15
Obama threatens foreign cyber attackers with sanctions

US president Barack Obama has signed an executive order establishing a framework for the US to impose sanctions on foreign cyber attackers
April 01, 2015 01 Apr'15
NSA’s big data security analytics reaches the enterprise with Sqrrl

Competition for Hadoop-based analytics may put tools and services within reach for large and midsize organizations, says Robert Richardson.
April 01, 2015 01 Apr'15
Information security jobs unfilled as labor pains grow

Why cybersecurity hiring is the real cyberwar.
April 01, 2015 01 Apr'15
Defending against the digital invasion

As attackers move beyond “spray and pray” tactics to advanced persistent threats -- having better security than your competitors is no longer enough. Targeted attacks today are often for financial gain through extortion and threats to expose or ...
March 31, 2015 31 Mar'15
Amid growing SSL concerns, Qualys expands free public SSL tester

Qualys has added a free, public API to its SSL testing services, which will enable an enterprise to test any website or server for SSL vulnerabilities.
March 31, 2015 31 Mar'15
New PCI SSC penetration testing guidelines aim to be more prescriptive

The PCI SSC has issued prescriptive new supplemental guidance on penetration testing in an effort to reverse current trends and improve merchant compliance.
March 30, 2015 30 Mar'15
PCI DSS 3.1 set for April 2015 release, will cover SSL vulnerabilities

The PCI Security Standards Council has confirmed that PCI DSS 3.1 will be released in just a few weeks. According to a Gartner analyst, the surprise new release could cause major problems for merchants.
March 27, 2015 27 Mar'15
Is the RSA 2015 'booth babe' ban a win for women in security?

News roundup: The ban of "booth babes" at RSA Conference 2015 has been met with praise; does it equal an increase of women in infosec? Plus: Cyberthreat data-sharing bill advances; Flash flaw exploited days after patching; new twist on Google Play ...
March 27, 2015 27 Mar'15
Social engineering techniques are becoming harder to stop, experts say

As more data moves online, social engineering techniques are becoming increasingly advanced and traditional training methods may not be enough to keep enterprises safe.
March 25, 2015 25 Mar'15
Study finds lack of investment in mobile app security

The Ponemon Institute says enterprises are devoting millions of dollars to mobile application development, but barely any of the money is focused on security.
March 25, 2015 25 Mar'15
Major browser makers revoke unauthorized Chinese TLS certificates

Google, Microsoft, and Mozilla have revoked unauthorized TLS certificates issued by an intermediate certificate authority that could have been used in man-in-the-middle attacks.
March 25, 2015 25 Mar'15
Secunia: Better vulnerability reporting doesn't mean more patches

Secunia's 2015 Vulnerability Report shows that better vulnerability reporting and awareness of flaws doesn't necessarily mean vendors offer more patches or focus on the most critical issues.
March 24, 2015 24 Mar'15
BandarChor: New ransomware based on old malware family emerges

Antivirus vendor F-Secure discovered BandarChor, a type of ransomware based on an existing malware family.
March 23, 2015 23 Mar'15
Open source security tool indicates Android app vulnerability spike

A new open source security tool from CERT, dubbed 'Tapioca,' shows that Android app vulnerabilities are ubiquitous, according to new research from IBM.
March 23, 2015 23 Mar'15
Cisco IP phones vulnerable to eavesdropping; no patch available yet

Cisco says a vulnerability in some of its IP phones for SMBs could allow eavesdropping. A fix is not yet available, but Cisco has offered mitigation techniques.
March 20, 2015 20 Mar'15
At 2015 Pwn2Own competition, browser exploits in the spotlight

News roundup: Researchers at the 2015 Pwn2Own exploited every major Web browser, casting doubt on browser security once again. Plus: high-severity OpenSSL update; IE being phased-out in Windows 10; Americans dodging online surveillance.
March 18, 2015 18 Mar'15
Experts: Consumer Privacy Bill of Rights may ease privacy compliance

The Consumer Privacy Bill of Rights proposed by the Obama administration is a good first step, according to experts, and may simplify privacy compliance for enterprises currently dealing with many different state laws.
March 17, 2015 17 Mar'15
Yahoo’s attempt to kill off passwords raises security concerns

Yahoo’s attempt to kill off passwords by introducing an on-demand one-time passcode option for its email services has raised security concerns
March 17, 2015 17 Mar'15
Microsoft warns of fake SSL certificate for Windows Live

Microsoft has warned that a fake security certificate has been issued for the Windows Live domain that could be abused by attackers
March 16, 2015 16 Mar'15
Microsoft re-releases EMET 5.2 to fix IE bug

Update: Microsoft has re-released Enhanced Mitigation Experience Toolkit version 5.2 to correct a bug involving IE 11.
March 13, 2015 13 Mar'15
Hillary Clinton email debate highlighted by security mistakes

News roundup: Hillary Clinton's decision to use a private email domain and server has created a firestorm over her email security mistakes. Plus: OpenSSL audit, Blue Coat acquisition, more Equation details emerge.
March 13, 2015 13 Mar'15
Does Rowhammer mark a new wave of hardware vulnerabilities?

Experts agree that the Rowhammer vulnerability likely isn't an immediate threat to enterprises, but disagree on whether hardware vulnerabilities are about to reach a tipping point.
March 11, 2015 11 Mar'15
Verizon 2015 PCI report: More achieve PCI compliance, but fail to keep it

The 2015 edition of the Verizon PCI report shows enterprises are, on the whole, getting better at achieving full PCI compliance. Unfortunately, few can sustain it.
March 11, 2015 11 Mar'15
Study warns security certificates, cryptographic keys are in peril

A growing number of cryptographic keys and security certificates are being abused, according to a new study from cybersecurity firm Venafi and the Ponemon Institute.
March 11, 2015 11 Mar'15
HP enterprise security: Can acquisitions lead to cohesive strategy?

Through acquisitions Hewlett-Packard has built a formidable lineup of enterprise security offerings, but experts question whether a strong brand can overcome legacy technology and a lacking endpoint strategy.
March 10, 2015 10 Mar'15
March 2015 Patch Tuesday: Microsoft offers quick FREAK fix

Microsoft's March 2015 Patch Tuesday bulletins include a fix for the FREAK vulnerability, as well as five critical fixes, but surprisingly, an expert says one of the fixes deemed non-critical actually demands immediate attention.
March 10, 2015 10 Mar'15
Venmo struggles put spotlight on mobile payment security

The mobile payment app maker responds to criticism by stepping up security with better verifications and notifications for email and phone number changes.
March 10, 2015 10 Mar'15
Rowhammer takes a big swing at DRAM memory security

Google's Project Zero has detailed a new proof-of-concept exploiting the "rowhammer" DRAM flaw to allow for root access on various operating systems.
March 09, 2015 09 Mar'15
For threat intelligence programs, ROI evaluation proves tricky

Threat intelligence programs are taking root in many enterprises, but experts say variables like disparate service offerings, pricing models and response capabilities make ROI evaluation a vexing proposition.
March 09, 2015 09 Mar'15
Group claiming links to Isis hacks small business websites

The FBI is investigating the hacking of a number of SME websites in the US and Europe by people claiming affiliation with Islamic State
March 06, 2015 06 Mar'15
Adobe's new twist on bug bounty programs: No cash for bug hunters

News roundup: Bug bounty programs can offer big rewards to researchers, unless Adobe is handing out the prizes. Plus: Signal 2.0 encryption app; app cloning risk increasing; Angler adopts 'domain shadowing' capability.
March 05, 2015 05 Mar'15
Microsoft confirms Windows vulnerable to FREAK attack

The serious HTTPS FREAK exploit was thought to only affect Android, iOS, and MacOS, but Microsoft has confirmed that it also affects all supported versions of Windows.
March 05, 2015 05 Mar'15
Emerging cyberthreats exploit battle between compliance and security

While regulatory compliance is valuable and necessary for enterprises, cyberthreat experts say a compliance-centric security strategy may leave organizations with few resources to ward off emerging cyberthreats.
March 05, 2015 05 Mar'15
China and US cross swords over software backdoors

Barack Obama criticises Chinese plans to force tech firms trading in China to share encryption keys and put backdoors in software
March 04, 2015 04 Mar'15
Big data security analytics: Can it revolutionize information security?

Demetrios Lazarikos describes the security big data system he implemented at retail giant Sears, as well as how it helped thwart retail fraud activity and how he convinced executives to support the implementation.
March 04, 2015 04 Mar'15
Why Hillary can't mail

Reporting by The New York Times notwithstanding, it appears to this non-lawyer that Hillary Clinton probably didn't break any laws by using a personal email account to conduct state business. But ...
March 04, 2015 04 Mar'15
Maturing NoSQL database security is key to big data analytics

NoSQL database security has taken a backseat to performance in Hadoop-based security big data analytics systems, but that may soon change thanks to growing demand and maturing NoSQL security products.
March 03, 2015 03 Mar'15
Amid Apple Pay fraud, banks scramble to fix Yellow Path process

Banks are rushing to fix sloppy authentication processes at the heart of rising Apple Pay fraud. Experts also worry about potential fraud with other mobile payment systems.
March 02, 2015 02 Mar'15
Q&A: Marcus Ranum chats with AT&T's CSO Ed Amoroso

There's no shortage of new security technology, but enterprise integration is still a major hang-up, says AT&T's chief of security.
March 02, 2015 02 Mar'15
Uber database breach source of stolen driver information

Following the theft of data affecting about 50,000 of its drivers, Uber says it has filed a subpoena to obtain GitHub data that may pinpoint the source of its data breach.
March 02, 2015 02 Mar'15
New scrutiny on bug bounties: Is there strength in numbers?

Bug bounty programs are a cool idea and often work, so why haven't they taken off for non-tech companies?
March 02, 2015 02 Mar'15
Is the bug bounty program concept flawed?

Looking for security vulnerabilities? Tread lightly. The benefits of vulnerability rewards programs are great, but so are the risks.
March 02, 2015 02 Mar'15
US retailer Natural Grocers investigates data breach

Natural Grocers is the latest US retailer to announce it is investigating a possible data breach involving customer payment cards
February 27, 2015 27 Feb'15
Data breach consequences: Get breached, make money?

News roundup: Data breaches aren't associated with soaring stock prices, but recent examples show breaches may boost stocks. Plus: Gemalto confirms possibility of GHCQ/NSA hack; Target breach costs company $162 million; Superfish swims on.
February 26, 2015 26 Feb'15
HP: Threat intelligence sources need vetting, regression testing

According to HP Security Research, threat intelligence best practices can be difficult to implement, and even the most trustworthy sources must be tested for fidelity.
February 25, 2015 25 Feb'15
Google Project Zero changes fuel new vulnerability disclosures debate

Google's Project Zero has added more leeway to its vulnerability disclosure policy, but industry observers are split on whether 90 days is enough time to fix software flaws, or not enough time to manage a sensitive, resource-intensive process.
February 25, 2015 25 Feb'15
3G and 4G phones not affected by NSA and GCHQ hack, says Gemalto

The world’s largest maker of Sim cards, Gemalto, says it has “reasonable grounds” to believe it was hacked by UK and US spy agencies in 2010 and 2011
February 24, 2015 24 Feb'15
Macro viruses reemerge in Word, Excel files

Macro viruses haven't been popular since the early 2000s, but recent malware discoveries indicate that macro-infected Word and Excel files are on the rise.
February 24, 2015 24 Feb'15
Business disruption cyber attacks set to spur defence plans, says Gartner

By 2018, 40% of organisations will have plans to address cyber-security business disruption attacks, up from 0% in 2015, says Gartner
February 23, 2015 23 Feb'15
Slow adoption of DMARC policy leaves email vulnerable, vendor says

A new study finds that enterprises, especially healthcare companies, are slow to adopt the DMARC email authentication standard, making them vulnerable to malicious emailers.
February 23, 2015 23 Feb'15
Cisco touts OpenAppID for internal application traffic visibility

Use of Cisco's OpenAppID application-layer traffic-detection tool is still modest compared to Snort, but the networking giant says it can help enterprises improve traffic visibility on internal applications.
February 23, 2015 23 Feb'15
Lenovo faces lawsuit for pre-installing Superfish adware

A class action lawsuit has been filed against Lenovo after it was found to have pre-installed adware vulnerable to cyber attacks
February 20, 2015 20 Feb'15
Maintaining vendor trust proves tough for Lenovo, Microsoft

News roundup: Amid hidden add-ons, discontinued services and walled gardens, vendor trust proves elusive for several high-profile tech firms. Plus: Evidence ties North Korea to Sony Pictures hack; card brands boost cybersecurity; and cookies that ...
February 20, 2015 20 Feb'15
Flaws in alternative Android browsers pose underestimated risk

Exclusive: VerSprite research on 10 alternative Android browsers has found at least one major security vulnerability in all of them, posing a significant security risk for enterprise Android users.
February 20, 2015 20 Feb'15
Gemalto denies knowledge of GCHQ and NSA Sim card hack

Gemalto says it cannot verify a report that it was hacked by the NSA and GCHQ to steal encryption keys
February 18, 2015 18 Feb'15
Password reuse and password sharing prevalent in enterprises

The high percentage of password reuse and sharing by employees leaves enterprises vulnerable to breaches, according to a recent survey from SailPoint Technologies.
February 18, 2015 18 Feb'15
When is an ISAC not an ISAC?

A lot of what went on at the White House Summit on Cybersecurity and Consumer Protection, held at Stanford University last week was for show — a reaction in particular to the attacks allegedly ...
February 17, 2015 17 Feb'15
UTM vs. NGFW: Unique products or advertising semantics?

In comparing UTM vs. NGFW, organizations find it difficult to see if there are differences between the two products or if it is just marketing semantics.
February 17, 2015 17 Feb'15
International spyware operation linked to NSA

The US National Security Agency has reportedly hidden surveillance software in the hard drives of several top computer makers
February 13, 2015 13 Feb'15
Security information sharing: A double-edged sword

News roundup: While data sharing can boost intelligence and improve security, recent events show the benefits don't always outweigh the pitfalls. Plus: Chip-enabled POS systems coming quickly; MongoDB databases exposed; sophisticated phishing scams.
February 13, 2015 13 Feb'15
Prevoty offers context-aware, automatic RASP

Though I’ll admit to a bit of skepticism about Runtime Application Self Protection (RASP), I was nevertheless impressed with a recent look at Prevoty. The two-year-old company’s product, which ...
February 12, 2015 12 Feb'15
Report: Firewall policy management is a hot mess

A new report from FireMon finds that firewalls are still a critical security component, but firewall policy management is a major pain point for admins.
February 10, 2015 10 Feb'15
February 2015 Patch Tuesday: Group Policy flaw tops three critical fixes

Microsoft's February 2015 Patch Tuesday release offers three critical fixes, including one for a dangerous Group Policy vulnerability, but does not patch a recently revealed IE XSS zero-day flaw.
February 10, 2015 10 Feb'15
Will Chip and PIN technology boost payment card transaction security?

Visa and MasterCard are putting pressure on merchants to implement Chip and PIN technology, and while it will improve transaction security, it won't make PCI compliance any easier.
February 10, 2015 10 Feb'15
Voltage Security acquisition to bolster HP's data protection offerings

HP has agreed to acquire encryption vendor Voltage Security. Gartner says the move will bolster HP's data protection and cloud security products.
February 09, 2015 09 Feb'15
Security professionals warn against relying on cyber insurance

Security professionals have warned businesses not to rely on cyber insurance in the face of increased cyber attacks.
February 06, 2015 06 Feb'15
Same-origin policy IE vulnerability may signal new attack trend

A new IE vulnerability has led to a proof-of-concept same-origin policy exploit, and some experts say it highlights a technique that may soon become popular among attackers.
February 06, 2015 06 Feb'15
Budget, breach law highlight growing federal cybersecurity awareness

News roundup: With the proposed 2016 federal budget and push for a national data breach law, Washington may finally care about cybersecurity. Plus: Coviello to retire; Flash patched again; Sony Pictures breached by Russians and loses its co-chair.
February 06, 2015 06 Feb'15
Report: Most enterprise security operations centers ineffective

A new report by HP shows most enterprise security operations centers fail to meet recommended maturity levels needed to detect and manage cybersecurity threats.
February 05, 2015 05 Feb'15
Digitally signed malware risk on the rise, Kaspersky finds

Kaspersky reports digitally signed malware -- malicious files using legitimate digital certificates -- is a growing threat to enterprises, increasing four-fold in the past six years.
February 05, 2015 05 Feb'15
US health insurer Anthem hacked, exposing up to 80 million records

Hackers have broken into a database at US health insurer Anthem said to contain the personal data of up to 80 million people
February 04, 2015 04 Feb'15
Sony says cyber attack will cost $15m

Sony expects the investigation and remediation costs of the November 2014 cyber attack on its movie subsidiary will amount to $15m
February 02, 2015 02 Feb'15
Adobe Flash patch promised this week for new zero-day bug

Trend Micro discovered a new zero-day bug in Adobe Flash that is being actively exploited in the wild. Adobe promises a patch for the vulnerability this week.
January 30, 2015 30 Jan'15
GHOST Linux bug update: WordPress, other PHP applications vulnerable

PHP applications, including WordPress, are vulnerable to the GHOST Linux exploit, but overall the flaw may not be as dangerous as first thought.
January 30, 2015 30 Jan'15
Will YouTube HTML5 transition mean the end of Flash security issues?

News roundup: YouTube announced it has stopped using Flash by default in favor of HTML5. Is this the long-awaited end for Flash? Plus: Java was the riskiest software in 2014; BEC scam cost $215 last year; NFL data interceptions.
January 29, 2015 29 Jan'15
The politics of DDoS response

Reports of a 'hack back' DDoS attack by Sony stirred up acceptable use questions.
January 27, 2015 27 Jan'15
Qualys finds GHOST: Critical Linux remote code execution flaw

A critical Linux vulnerability, called GHOST, has been found to affect glibc versions released since 2000, and could pose a remote exploit risk on many Linux systems.
January 23, 2015 23 Jan'15
Detection vs. prevention: Ponemon report points to controversial trend

A Ponemon Institute report highlights the biggest risks to endpoint security, and what IT professionals plan to do to fight back, including one controversial tactic in malware protection.
January 23, 2015 23 Jan'15
Patchapalooza: In 2015, software patches, software security flaws surge

News roundup: An of onslaught Adobe, Oracle, OpenSSL, Chrome and Firefox patches highlights the sad state of software security in 2015. Plus, security budgets increasing; HealthCare.gov security woes; false-positive alerts cost millions annually.
January 23, 2015 23 Jan'15
CryptoWall 3.0: Ransomware returns, adopts I2P

Shortly after CryptoWall began using TOR to conduct transcations, a new version of the ransomware, dubbed CryptoWall 3.0, has begun using I2P.
January 22, 2015 22 Jan'15
Report: Popularity of biometric authentication set to spike

Juniper Research claims that the popularity of biometric authentication will rise dramatically in the next five years, incorporating innovative technology beyond today's fingerprint sensors and voice authentication systems.
January 21, 2015 21 Jan'15
Report: More than 90% of 2014 data breaches could have been prevented

The Online Trust Alliance finds that over 90% of data breaches resulting in data loss could have been prevented.
January 21, 2015 21 Jan'15
Wasted spending on security shelfware affects small businesses more

Osterman Research and Trustwave report that organizations waste money on underutilized security software because IT often doesn't have enough time or resources to use it.
January 20, 2015 20 Jan'15
ISACA: Majority of enterprises report cybersecurity workforce shortage

In its new 2015 Global Cybersecurity Status Report, ISACA finds that most organizations are aware of cyberattack risk, but few believe they have the capability to thwart a sophisticated attack.
January 19, 2015 19 Jan'15
Android vulnerability highlights Google's controversial patch policy

WebView vulnerabilities in older versions of Android are putting the majority of Android devices at risk. Google will not provide patches, forcing enterprises to determine the risk posed by unpatched Android devices.
January 19, 2015 19 Jan'15
Google's Project Zero reveals another Windows zero-day vulnerability

For the third time in one month, Microsoft couldn't meet Google's 90-day public disclosure deadline, leading to Project Zero's disclosure, though experts say this Windows zero-day vulnerability may have little value to attackers.
January 16, 2015 16 Jan'15
Hardware security issues prove tough to find, harder to fix

News roundup: Recently discovered firmware flaws highlight the challenges posed by hardware security. Plus: Heartland's breach warranty; RSA's overhaul; and Download.com's app (in)security.
January 16, 2015 16 Jan'15
Preview of 2015 Verizon PCI report hints at firewall compliance issues

In a sneak preview of its 2015 PCI Compliance Report, Verizon says improper firewall maintenance is among the leading causes of PCI DSS compliance failures.

News

Sponsored News