News

News

• January 06, 2015 06 Jan'15

  IBM: Retail cyberattacks become less frequent, but more effective

  Research from IBM indicates cyberattackers are going after retailers with surgical precision, using fewer attack attempts yet frequently compromising vulnerable databases.

• January 05, 2015 05 Jan'15

  Evolving mobile security management thwarts unified endpoint management

  Experts say unified endpoint management for mobile devices, laptops and desktops will take more time due to the complex, evolving demands of mobile security management.

• December 19, 2014 19 Dec'14

  Home router security vulnerability exposes 12 million devices

  Check Point has uncovered a widespread home router security vulnerability, dubbed Misfortune Cookie, that could allow attackers to gain control over millions of devices.

• December 12, 2014 12 Dec'14

  Sony Pictures hacking back: The ethics of obfuscation

  News roundup: Amid a devastating breach incident Sony Pictures is fighting back, raising legal and ethical questions. Plus: A big week in security acquisitions; Comcast sued over open Wi-Fi; and Yahoo announces vulnerability disclosure policy.

• December 09, 2014 09 Dec'14

  FIDO Alliance releases 1.0 specifications for passwordless authentication

  Amid growing fears of stolen credentials and data breaches, the FIDO Alliance released its long-awaited 1.0 specifications for passwordless and multifactor authentication systems.

• Sponsored News

  • Keep out vulnerable third-party scripts that help steal data from your website

    Sponsored by Akamai - Visiting a website today, users gain access to a rich, interactive experience that is often customized to their preferences and enhanced for their convenience. See More

  • Part I: Keep the Cloud Your Safe Place

    Sponsored by Forcepoint - Organizations of all sizes have been called upon to swiftly support remote work in order to safeguard the health of their workforce and local communities. As businesses are called upon to scale up remote work procedures for the physical safety of employees, IT teams must accelerate the adoption of technology that ensures their people and data are secure—without hurting productivity or morale. See More

  • DDoS attacks are growing in frequency and scale during the pandemic. What can businesses do?

    Sponsored by Akamai - At a time when many businesses have their resources stretched to the limit, the scourge of distributed denial-of-service (DDoS) attacks has continued unabated and added to the difficulties faced by many during this ongoing pandemic. See More

  • Part II: Safeguard Data Everywhere

    Sponsored by Forcepoint - As security teams are tasked with the duty of rapidly scaling up protections for remote workers, one of the key considerations they must keep in mind is how to safeguard data no matter where it resides or travels. This is hardly a new problem. However, the vastly broadened scope of remote work today requires security teams to revisit policies and technologies. Some solutions that may have been sufficient for isolated use cases don't adequately protect a completely distributed workforce. See More

  View All Sponsored News
• November 21, 2014 21 Nov'14

  Encryption everywhere: Debating the risks and rewards

  News roundup: As the industry responds to growing demand for end-to-end Internet encryption, some fear unintended consequences. Plus: Black hats wanted; Windows Phone survives Pwn2Own; webcam spying resurgence.

• November 17, 2014 17 Nov'14

  Microsoft's Schannel security patch affecting TLS connections

  Microsoft admitted that MS14-066, released last week to patch a serious Schannel security vulnerability, is causing some users to drop TLS connections.

• November 04, 2014 04 Nov'14

  Despite skeptics, security awareness training for employees is booming

  Employee security awareness training has been derided in the past, but new Gartner research suggests that a market of competitive, high-quality vendors are making security awareness a must-have.

• October 15, 2014 15 Oct'14

  Remembering Shon Harris: Logical Security founder passes away

  Shon Harris, founder and CEO of Logical Security and recognized security certification training expert, died Oct. 8, 2014, after a long illness. SearchSecurity pays tribute to her contributions to the information security field.

• October 10, 2014 10 Oct'14

  Are offensive hacking courses ethical? Debating the ethics of hacking

  News roundup: Colleges across the country are offering courses in offensive hacking, but are they ethical? Plus: Why the first 'online murder' may happen in 2014; Palo Alto and NSS Labs make up; numerous Android security issues surface.

• October 03, 2014 03 Oct'14

  Palo Alto NGFW fails NSS Labs report, war of words ensues

  News roundup: Palo Alto's next-generation firewall fared poorly in a recent NSS Labs report, leading to a testy back-and-forth about NGFW testing. Plus: Mitnick selling zero days; EMET bypassed, again; iThemes stored plaintext passwords.

• October 02, 2014 02 Oct'14

  PCI 3.0 changes: A PCI compliance requirements checklist for 2015

  In this presentation, compliance expert Nancy Rodriguez offers a line-by-line review of the key PCI DSS changes that become mandatory as of Jan. 1, 2015.

• September 19, 2014 19 Sep'14

  Rogue IMSI catchers heighten enterprise cell phone security risks

  News roundup: Rogue cell phone towers are popping up across the United States, heightening enterprise communication and data privacy concerns. Plus: Goodwill breach update; Adobe patches released; and security in 2025.

• September 19, 2014 19 Sep'14

  Home Depot data breach update: 56 million cards confirmed stolen

  Home Depot said late Thursday that its recent breach involving 56 million payment cards was the result of custom-built malware, and that the company has since rolled out new POS encryption technology.

• September 05, 2014 05 Sep'14

  Goodwill breach highlights need for service provider due diligence

  News roundup: The recent Goodwill security breach has been blamed on a third-party service provider, highlighting the need for due diligence. Plus: Mobile device theft; Android app vulnerabilities and a 12-year-long cyber-espionage network.

• September 03, 2014 03 Sep'14

  Apple two-factor authentication fail leaves iCloud users vulnerable

  Apple's decision to not extend its two-factor authentication security mechanism to all iCloud services may leave users more vulnerable to attacks

• September 02, 2014 02 Sep'14

  Apple and FBI launch iCloud hack investigation

  Apple and FBI investigate the breach of Apple’s iCloud causing fresh business concerns over cloud security

• August 28, 2014 28 Aug'14

  Plan ahead to avoid SIEM deployment pitfalls

  Despite SIEM technology improvements, Gartner says many organizations still dive into SIEM deployments without adequate planning, often resulting in disaster.

• August 07, 2014 07 Aug'14

  SSC issues PCI compliance checklist for third-party service providers

  The PCI Security Standards Council's new information supplement helps enterprises implement a security assurance program to ensure their third-party service providers meet PCI DSS requirements.

• August 07, 2014 07 Aug'14

  Black Hat 2014: Researcher reveals Amazon cloud security weaknesses

  At Black Hat 2014, a researcher showed how AWS cloud security flaws and misconfigurations can have devastating consequences for AWS customers that don't take security seriously.

• August 06, 2014 06 Aug'14

  Russian hackers steal over a billion usernames and passwords

  A group of Russian cyber criminals have attacked 500 million email addresses and gained 1.2 billion usernames and passwords.

• July 24, 2014 24 Jul'14

  How the CryptoLocker ransomware was defeated with its own DGA

  Preview: At Black Hat USA, experts will detail the steps taken by the security community and law enforcement to put down the infamous CryptoLocker ransomware.

• July 15, 2014 15 Jul'14

  Pass the hash? Severity of Active Directory security flaw questioned

  Despite what may be a dangerous new Active Directory "pass the hash" attack variant, Microsoft has downplayed the issue as a technical limitation.

• July 08, 2014 08 Jul'14

  Multifactor authentication key to cloud security success

  Following the collapse of an AWS-based cloud hosting provider, experts say enterprises should prioritize use of multifactor authentication.

• June 24, 2014 24 Jun'14

  On prevention vs. detection, Gartner says to rebalance purchasing

  At its annual security confab, the research giant said enterprises buy too much threat prevention and not enough detection and response technology.

• June 19, 2014 19 Jun'14

  Amazon EC2 control panel hack submarines hosting provider

  Update: Following a hack that destroyed much of Code Spaces' AWS EC2 data, cloud app provider One More Cloud reported similar compromises.

• June 17, 2014 17 Jun'14

  API gateways emerge to address growing security demands

  With mobile, cloud and the Internet of Things driving massive API growth, experts say now is the time for API gateway technology to shine.

• June 12, 2014 12 Jun'14

  Pandemiya banking malware emerges as Zeus-level threat

  RSA researchers say the costly Pandemiya banking malware was written entirely from scratch, a dangerous oddity in the world of malware.

• June 05, 2014 05 Jun'14

  OpenID Connect: Poised for greatness in enterprise authentication?

  Despite the popularity of SAML, the mobile and cloud benefits of OpenID Connect may spur adoption as an enterprise authentication platform.

• May 23, 2014 23 May'14

  Next-generation firewall comparisons show no product is perfect

  When comparing NGFW appliances, experts say that enterprises should focus on products that meet specific needs, not just those with the most features.

• May 16, 2014 16 May'14

  For infosec career success, do security certifications trump all?

  Respondents to a SANS survey say security certifications lead to career success, but a top infosec career consultant says their value is limited.

• April 10, 2014 10 Apr'14

  'Heartbleed' OpenSSL vulnerability: A slow-motion train wreck

  Analysis: The 'Heartbleed' OpenSSL vulnerability is one of the worst bugs a SANS expert has seen, and that's before the fallout is fully understood.

• April 10, 2014 10 Apr'14

  NSA TAO: What Tailored Access Operations unit means for enterprises

  The NSA's top-secret Tailored Access Operations offensive hacking unit offers enterprise defense strategy lessons. Expert Nick Lewis discusses.

• April 03, 2014 03 Apr'14

  NTP-based DDoS attacks on the rise, but SYN floods still more perilous

  NTP-based DDoS attacks are increasing, but a report warns that SYN floods are still more likely to cause enterprises damage.

• April 01, 2014 01 Apr'14

  Data encryption, notification and the NIST Cybersecurity Framework

  Awkward? The NIST Cybersecurity Framework arrives as the U.S. government struggles to counter negative reports on its data privacy and encryption standards.

• March 12, 2014 12 Mar'14

  For merchants, Windows XP POS systems put PCI compliance at risk

  PCI compliance may be nearly impossible after the April 2014 Windows XP end-of-life date if merchants don't address vulnerable XP-based POS systems.

• March 03, 2014 03 Mar'14

  Ranum Q&A with Aaron Turner: Whitelisting is on enterprise blacklist

  An early proponent of Microsoft SRP, Aaron Turner says application whitelisting has finally taken hold in consumer app stores.

• February 24, 2014 24 Feb'14

  Richard Clarke: NSA revelations show potential for police state

  At the 2014 CSA Summit, presidential cybersecurity advisor Richard Clarke said NSA monitoring efforts are negatively affecting U.S. cloud providers.

• February 17, 2014 17 Feb'14

  Final version of NIST cybersecurity framework draws mixed reviews

  Experts differed over whether the NIST cybersecurity framework provides critical infrastructure firms with the tools to defend themselves.

• February 05, 2014 05 Feb'14

  Amid Microsoft MD5 deprecation, experts warn against SHA-1 algorithm

  With Microsoft's MD5 deprecation set for next week, experts say companies must be careful to avoid other weak protocols, like SHA-1.

• February 03, 2014 03 Feb'14

  Mobile security report: Data on devices

  New survey shows the battle between corporate-issued devices versus personally owned smartphones and tablets is too close to call.

• January 28, 2014 28 Jan'14

  McGraw: Software [in]security and scaling automated code review

  Gary McGraw and Jim Routh talk through the pitfalls of scaling static source code review and offer some potential process improvements.

• January 28, 2014 28 Jan'14

  On Data Privacy Day, OTA highlights need for data protection policy

  The Online Trust Alliance marks Data Privacy Day with events to help enterprises plan for inevitable data protection and privacy incidents.

• January 24, 2014 24 Jan'14

  Spear phishing still popular, but more watering hole attacks coming

  A report from CrowdStrike shows spear phishing remains popular in targeted attacks, but that watering hole attacks are gaining favor.

• January 10, 2014 10 Jan'14

  Target breach update: Information on up to 70 million customers stolen

  Updated details on the Target breach show a much greater scope than originally announced, and reveal its Q4 finances were hurt by related charges.

• January 03, 2014 03 Jan'14

  FireEye buys Mandiant in $1 billion deal

  In acquiring the incident response firm, FireEye will combine Mandiant's endpoint defense product with its network-based detection technology.

• December 24, 2013 24 Dec'13

  McGraw: Software [in]security and scaling architecture risk analysis

  Software architecture risk analysis doesn't have to be hard. Gary McGraw and Jim DelGrosso discuss an easier, more scalable process.

• December 02, 2013 02 Dec'13

  Return on security investment: The risky business of probability

  You are better off with real numbers when it comes to measuring probability and the elements of security risk, even if they are wrong.

• November 08, 2013 08 Nov'13

  Web application firewalls may not fix Web application security issues

  Some consultants are finding Web application firewall products don't deliver due to poor deployment strategies and a lack of skilled maintenance.

• October 28, 2013 28 Oct'13

  Software [In]security: BSIMM-V does a number on secure software dev

  The fifth iteration of the Building Security In Maturity Model project is a tool you can use as a measuring stick for software security initiatives.

• October 15, 2013 15 Oct'13

  The role of the enterprise intrusion prevention system in APT defense

  One research group says an enterprise IPS can't help detect APTs. But network security expert Brad Casey explains why that isn't necessarily true.

• September 20, 2013 20 Sep'13

  HP introduces 'self-healing' BIOS protection with SureStart

  HP's new SureStart feature detects and 'heals' corrupted BIOS code.

• September 10, 2013 10 Sep'13

  Opinion: Software [in]security -- software flaws in application architecture

  Many defects aren't found with code review. Gary McGraw and Jim DelGrosso think architectural risk analysis is a must to uncover software flaws.

• August 09, 2013 09 Aug'13

  Five major technology trends affecting software security assurance

  Column: Gary McGraw says five shifts in the IT landscape are affecting software security, but several BSIMM best practices can limit risk exposure.

• August 01, 2013 01 Aug'13

  New data on enterprise mobile security

  We polled readers in our annual Enterprise Mobile Security Survey and the 2013 results are in.

• August 01, 2013 01 Aug'13

  Black Hat 2013 opens with testy keynote, smart device hacks

  After a contentious opening keynote by NSA Director Gen. Keith Alexander, day one of Black Hat 2013 showed smart device hacks, severe SCADA issues.

• August 01, 2013 01 Aug'13

  Ten years later: The legacy of SB 1386 compliance on data privacy laws

  A decade after becoming law, the ripple effects of California's SB 1386 have surfaced in a new breed of proactive, granular state data privacy laws.

• June 19, 2013 19 Jun'13

  RSA Silver Tail improves online fraud detection, enterprise security

  Fraud prevention for the Web: RSA Silver Tail sets stage for enterprise-level security with big data and brand new interface.

• April 24, 2013 24 Apr'13

  PayPal CISO: Laws must foster better cybersecurity information sharing

  PayPal's Michael Barrett says many firms fear misuse of shared cybersecurity data. He also discusses the evolution of PCI DSS and mobile payment security.

• March 25, 2013 25 Mar'13

  Why information security education isn’t making the grade

  Security experts explain why a holistic approach to security is critical to training computer engineers and computer scientists for a career in information security.

• March 05, 2013 05 Mar'13

  RSA 2013: Experts struggle to define offensive security, hacking back

  Is offensive security or 'hacking back' a viable cyberdefense tactic? RSA Conference 2013 experts struggled to define the terms, never mind the role they play.

• February 25, 2013 25 Feb'13

  DHS cybersecurity boss pushes 'cyber 911', new voluntary standards

  At the CSA Summit 2013, Mark Weatherford said the DHS 'cyber 911' service will better support the private sector, and new voluntary standards are in the works.

• February 25, 2013 25 Feb'13

  Well-rounded information security education benefits IT professionals

  A security-savvy IT staff can help reduce risk. Learn about information security training and education options for IT professionals.

• January 28, 2013 28 Jan'13

  Testing, assessment methods offer third-party software security assurance

  No ultimate test can give third-party software a clean bill of health, but careful assessment can help organizations gain more control over vendors.

• January 17, 2013 17 Jan'13

  Thirteen principles to ensure enterprise system security

  Designing sound enterprise system security is possible by following Gary McGraw's 13 principles, many of which have held true for decades.

• December 07, 2012 07 Dec'12

  Twelve common software security activities to lift your program

  Software security expert Gary McGraw explains the processes commonly found in highly successful software security programs.

• December 03, 2012 03 Dec'12

  Many in industry at odds over pending cybersecurity executive order

  Some security industry veterans fear regulatory overreach, others believe an executive order won't go far enough.

• November 27, 2012 27 Nov'12

  Unrealistic expectations, skills gap mire market for IT security jobs

  Unrealistic HR and hiring manager expectations and a widening security skills gap is challenging CISOs trying to find the right security talent.

• November 27, 2012 27 Nov'12

  Chief information security officer skills go beyond customary technical roles

  A trusted advisor and a strong communicator and promoter, a good CISO should be a jack-of-all-trades to rally the IT security team to support the business needs by minimizing risk.

• November 21, 2012 21 Nov'12

  Phishing attack, stolen credentials sparked South Carolina breach

  A phishing attack and stolen credentials gave an attacker access to the systems of the South Carolina Department of Revenue for two months.

• November 14, 2012 14 Nov'12

  Enterprises can obtain value from red teaming exercises, expert says

  Red teaming assesses the security of an organization and can be a more effective way to assess the organization's security posture.

• November 01, 2012 01 Nov'12

  Protecting Intellectual Property: Best Practices

  Organizations need to implement best practices to protect their trade secrets from both internal and external threats.

• November 01, 2012 01 Nov'12

  Gary McGraw: Proactive defense prudent alternative to cyberwarfare

  Software security expert Gary McGraw explains that the U.S. should build proactive defense capabilities rather than pour billions into cyberweapons.

• October 23, 2012 23 Oct'12

  Pros and Cons of Information Security Certifications

  Educating the security professional requires far more than a certification exam.

• September 04, 2012 04 Sep'12

  Data supports need for security awareness training despite naysayers

  Claims that security awareness training doesn't work are unsubstantiated, explain software security experts Gary McGraw and Sammy Migues.

• July 25, 2012 25 Jul'12

  Crisis Trojan, new Mac OSX Trojan, considered a low risk for now

  Mac security vendor Intego identified the Crisis Trojan, a new Mac OSX Trojan, as a likely future weapon for targeted attacks against Apple endpoints.

• July 23, 2012 23 Jul'12

  Black Hat 2012: MITRE to detail STIX cyberthreat intelligence system

  Sean Barnum of MITRE will describe Structured Threat Information eXpression (STIX), a new cyberthreat intelligence system for incident response teams.

• July 16, 2012 16 Jul'12

  Black Hat 2012: Google Chrome sandbox security flaws to be exposed

  The Google Chrome Native Client was designed to secure browser plug-ins, but researcher Chris Rohlf says Google Chrome sandbox security flaws exist.

• July 11, 2012 11 Jul'12

  AWS outage doesn't discourage Netflix

  Netflix says it remains bullish on the cloud despite major Amazon outage.

• July 11, 2012 11 Jul'12

  Survey: Firewall rules sprawl makes firewall policy management a mess

  Bloated firewall rules are making security unmanageable and audits a nightmare, according to a survey by firewall management vendor Athena.

• July 09, 2012 09 Jul'12

  DNSChanger malware problems unlikely

  DNSChanger infections have declined precipitously, but remaining systems could have Internet access turned off today.

• June 28, 2012 28 Jun'12

  Putting the mobile botnet threat in perspective

  While lucrative mobile botnets do exist, Industry experts provide a perspective on seems to be a relatively small mobile botnet threat.

• June 28, 2012 28 Jun'12

  Operation High Roller: Online bank fraud

  McAfee and Guardian Analytics released the findings of an investigation into a global online bank fraud ring that takes the old techniques up a notch.

• June 26, 2012 26 Jun'12

  LinkedIn password leak: Lessons to be learned from LinkedIn breach

  Breach at the professional networking site highlights password practices, storage procedures.

• June 21, 2012 21 Jun'12

  Review your security contingency plan during the Games

  U.K. companies are preparing to manage their security during the Olympics. Would your security contingency plan hold up to such a disruptive event?

• June 20, 2012 20 Jun'12

  Gartner: Web app firewalls can support secure application development

  Web app firewalls can’t erase the need for secure application development, but Gartner says WAF patching may have a growing role in the enterprise.

• June 14, 2012 14 Jun'12

  Opinion: LinkedIn hacking incident betrays users’ trust

  Users are told to create strong passwords, but the LinkedIn hacking showed strong passwords are no defense when the application provider is attacked.

• June 08, 2012 08 Jun'12

  Arbor Networks warns of IP-Killer, MP-DDoser DDoS tool

  Arbor Networks researchers found robust capabilities in the MP-DDoser/IP-Killer tool used to conduct powerful distributed denial-of-service attacks.

• June 07, 2012 07 Jun'12

  Information technology security jobs hiring outlook

  The unemployment rate for IT security pros is 0%, says CompTIA, leaving some companies with key information technology security jobs unfilled.

• June 06, 2012 06 Jun'12

  LinkedIn investigating user account password breach

  More than 6 million passwords may have been stolen from the servers of social network LinkedIn and posted to a Russian hacking forum.

• June 01, 2012 01 Jun'12

  Stuxnet details should prompt call to action, not words

  Security experts have warned of potential problems with military cyberstrikes. Cyberwarfare is difficult to plan and could put civilians at risk.

• May 31, 2012 31 May'12

  Why execs really need corporate security training

  Senior executives may be the most likely to disobey all your hard-won corporate security training. Here are five reasons why.

• May 24, 2012 24 May'12

  A bold view on prioritizing computer security laws

  The number of computer security laws in the U.S. can be daunting. One bold lawyer suggests a way to prioritize the laws and avoid most legal battles.

• May 24, 2012 24 May'12

  Technology raises visibility of partner networks

  Lookingglass shines a light on the security posture of an enterprise’s partners, clients and third-party providers.

• May 17, 2012 17 May'12

  Maybe security is recession proof; VCs investing again

  Venture capital firms are funding security technologies after a quiet period. The investments are a silver lining in a still bleak overall outlook.

• May 17, 2012 17 May'12

  Division of CISO responsibilities may prevent burnout

  CISO responsibilities can be overwhelming, according to a new IBM survey. One solution may be to divide the role into two jobs.

• May 02, 2012 02 May'12

  Analysis: Oracle trips on TNS zero-day workaround

  Oracle's refusal to patch a zero-day in its flagship database management system is another example of how it carelessly exposes customers to risk.

• April 27, 2012 27 Apr'12

  Reverse engineering tools for mobile apps emerging, expert says

  Reverse engineering mobile apps help pen testers find weaknesses and hidden malware, but the various mobile platforms and different versions make automation difficult, according to one expert.

• April 27, 2012 27 Apr'12

  CISPA threat intelligence bill passes House

  The Cyber Intelligence Sharing and Protection Act (CISPA), clears security vendors of any liability for sharing customer attack data with federal officials.

• April 24, 2012 24 Apr'12

  Spam filter gets better of Microsoft SDL—almost

  Two program managers at SOURCE Boston shared how a serious vulnerability reported to the MSRC fell into a spam filter and caused an out-of-band patch.