The percentage of open source code in proprietary apps is rising

The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown. Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black […]

Fighting ransomware with network segmentation as a path to resiliency

Recent cybersecurity events involving the use of ransomware (WannaCry and similar variants) represent the latest examples highlighting the need for organizations to not only take an initial hit, but survive, adapt, and endure. In other words, be resilient. All too often, our community is a witness to any number of similar events where an initial breach […]

New BIND Vulnerabilities Threaten DNS Availability

One of the most common pieces of software for implementing a Domain Name System (DNS) server — BIND — has just become the subject of security advisories from the Internet Systems Consortium and a related notice from DHS. The advisories cite two new vulnerabilities in BIND. Both describe a scenario in which one of the […]

Spectre chip security vulnerability strikes again; patches incoming

After the first wave of Spectre and Meltdown attacks was conquered, people relaxed. That was a mistake. Since the CPU vulnerabilities Spectre and Meltdown showed an entirely new way to attack systems, security experts knew it was only a matter of time until new assault methods would be found. They’ve been found. Jann Horn, a Google Project Zero security researcher, discovered […]

North Korean Defectors Targeted with Malicious Apps on Google Play

A new form of mobile malware in the Google Play app store was found targeting North Korean defectors and journalists. McAfee researchers believe the Sun Team hacking group is responsible for the attacks, which McAfee has dubbed RedDawn. This is the second attack McAfee has seen from Sun Team this year. Back in January, McAfee’s […]

The operations and economics of organized criminal email groups

Nine of the 10 captured organized criminal email groups operate out of Nigeria, they all leverage a multitude of attack methods, and business email compromise (BEC) is far more lucrative than any other attack, according to Agari. “While much of the high-profile attention paid to email security has focused on nation state actors, the reality is that American businesses […]

Malware campaign expands to add cryptocurrency mining and iOS phishing attacks

A rapidly evolving information-stealing malware campaign has added iOS device phishing and cryptocurrency mining to its arsenal, having previously focused only on Android targets. Dubbed Roaming Mantis, the initial attacks mostly targeted Southeast Asia, but now the malware has been updated with the capability to specifically target users across Europe and the Middle East. Those […]

Phone tracking service LocationSmart exposed API, allowing anyone to track you

An unsecured product demo on the website of phone geolocation firm LocationSmart allowed any user to look up the location of any arbitrary mobile phone number without needing to supply a password or any other credentials, according to a report by veteran security reporter Brian Krebs. Under intended operation, the LocationSmart product demo requires prospective customers to […]

Ex-Intel security expert: This new Spectre attack can even reveal firmware secrets

Yuriy Bulygin, the former head of Intel’s advanced threat team, has published research showing that the Spectre CPU flaws can be used to break into the highly privileged CPU mode on Intel x86 systems known as System Management Mode (SMM). Spectre and Meltdown vulnerabilities enable software attacks using CPU design flaws common to Intel, AMD, and Arm […]

PCI Security Standards Council publishes PCI DSS 3.2.1

PCI DSS version 3.2.1 replaces version 3.2 to account for effective dates and SSL/early TLS migration deadlines that have passed. No new requirements are added in PCI DSS 3.2.1. PCI DSS 3.2 remains valid through 31 December 2018 and will be retired as of 1 January 2019. “This update is designed to eliminate any confusion around effective […]