Sean Michael Kerner
  • Is the Breach Quadrilateral the Key to Understanding Security?

    TORONTO – The security business is full of different terms and methodologies for describing the threat model. In a presentation at the SecTor conference this week, Chris Pogue, director of Digital Forensics and Incident Response at Trustwave, explained his firm’s simple four-step model for defining cybercrime. “As difficult as people want to make cybercrime, there […]

  • Inside the Bluebox Android Master Key Vulnerability

    Every security researcher dreams of the day they can find one master vulnerability that acts like a skeleton key to unlock an entire system. Jeff Forristal, aka Rain Forest Puppy, has found this kind of vulnerability in Android, the wildly popular mobile operating system. The vulnerability involves a feature that is intended to actually help […]

  • Most Common Web Security Attack? Not SQL Injection

    Jeremiah Grossman, founder and CTO of WhiteHat Security, has seen a lot of different types of security attacks in his time. He knows the most common types of attacks aren’t necessarily the ones that have the most risk. In its just-released Annual Website Security Statistics report, WhiteHat Security provides insight into the attacks it saw […]

  • Is SSL Secure?

    Secure Sockets Layer/Transport Layer Security is the foundational technology that secures Web transactions and communications, but it is not infallible. New research dubbed Lucky13 reveals that SSL/TLS is at risk from a theoretical timing attack that could expose encrypted data. TLS headers include 13 bytes of data used for the secure handshake protocol, said […]

  • As Malware Evolves, Are AV Signatures Still Relevant?

    In the beginning of the virus era, computer users were introduced to the concept of signature-based anti-virus scanners. It’s an idea whose time may well have come and gone. “Since the 1990s people have used signature-based scanners as their primary line of defense,” said Roger Thompson, chief emerging threats researcher at ICSA Labs, a research […]

  • Metasploit Goes Phishing

    The Metasploit penetration testing framework has always been about finding ways to exploit IT, in an effort to improve defense. The new Metasploit 4.5 release from security vendor Rapid7 goes a step further than its predecessors, offering a new phishing engine and updated exploit modules. “The phishing engine is part of a larger Social Engineering […]

  • What Star Wars Teaches Us About BYOD and IT Security

    TORONTO – For the last 35 years, Star Wars has been the cornerstone of mainstream and geek cultural awareness. While Star Wars is a piece of dramatic fiction, many have found inspiration and solace in it that can apply to the everyday real world. According to Kellman Meghu, head of Security Engineering for Check Point […]

  • Why Are Web Applications a Security Risk?

    As users have moved more of their activities to the Web, fraudsters have followed, devoting more of their attention to creating security threats based on Web applications. The shift from desktop-based threats to Web-based threats is changing the way modern IT security needs to be implemented and managed. Web applications by definition are accessible over […]

  • HTML5 WebSockets Identified As Security Risk

    In the modern world of web development, there are a set of new and emerging specifications sometimes grouped under the moniker HTML5. One of those specifications is the WebSocket API, which enables two-way communications. WebSockets offer the promise of faster communications than traditional TCP — but according to a pair of security researchers, there is […]

  • Black Hat: Open Source Web Application Firewall Comes to Microsoft IIS

    LAS VEGAS. For the last decade, Apache web server users have been able to benefit from the open source ModSecurity Web Application Firewall (WAF). At the Black Hat security conference this week, ModSecurity developers will for the first time make their WAF available for the Microsoft IIS web server as well as the nginx open […]
