-
The DHS is inviting hackers to break into its systems, but there are rules of engagement
The United States Department of Homeland Security (DHS) is inviting security researchers to uncover vulnerabilities and hack into its systems, in an attempt to better protect itself from malicious attacks. Read more in my article on the Tripwire State of Security blog. Read More
-
Smashing Security podcast #256: Virgin Media just won’t take no for an answer, NFT apes, and bad optics
After a brief discussion of the Log4Shell vulnerability panic, we chat about how Virgin Media has got itself into hot water, a fat-fingered fumble at the Bored Ape Yacht Club, and how to hack around your sleeping girlfriend’s facial recognition. All this and more is discussed in the latest edition of the award-winning “Smashing Security”…
-
How to Defend Against Windows Management Instrumentation Attacks
The Windows Management Instrumentation (WMI) protocol – infrastructure on a Windows-based operating system – is used for management data and operations. It provides a uniform interface for local or remote applications or scripts to obtain management data from a computer system, network, or enterprise; the interface is designed so that WMI client applications and scripts…
-
Microsoft Patch Tuesday, December 2021 Edition
Microsoft, Adobe, and Google all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited. But this month’s Patch Tuesday is overshadowed by the “Log4Shell” 0-day exploit in a popular Java library that web server administrators are now racing to find…
-
Inside Ireland’s Public Healthcare Ransomware Scare
The consulting firm PricewaterhouseCoopers recently published lessons learned from the disruptive and costly ransomware attack in May 2021 on Ireland’s public health system. The unusually candid post-mortem found that nearly two months elapsed between the initial intrusion and the launching of the ransomware. It also found affected hospitals had tens of thousands of outdated Windows…
-
Log4Shell: The race is on to fix millions of systems and internet-connected devices
Everyone is talking about Log4Shell, a zero-day remote code execution exploit in versions of log4j, the popular open source Java logging library. Read More
-
Top 10 Malware November 2021
In November 2021, the Top 10 stayed consistent with the previous month with the exception of Gh0st, Mirai, and Ursnif, which returned to the Top 10. The Top 10 Malware variants comprise 69% of the total malware activity in November 2021, decreasing 2% from October 2021. Shlayer and CoinMiner continue to lead the Top 10…
-
End-of-Support Software Report List
The importance of replacing software before its End-of-Support (EOS) is critical. EOS occurs when software updates, patches, and other forms of support are no longer offered, resulting in software becoming prone to future security vulnerabilities. Using unsupported software and firmware/hardware, puts organizations at risk in the following ways: Subsequent vulnerability disclosures place your organization at…
-
CIS Benchmarks December 2021 Update
The following CIS Benchmarks have been updated or released. We’ve highlighted the major updates below. Each Benchmark includes a full changelog that can be referenced to see all changes made. CIS F5 Networks Benchmark v1.0.0 This new Benchmark provides prescriptive guidance for establishing a secure configuration posture for F5 Networks. Thanks to the entire CIS F5…
-
Smashing Security podcast #255: Revolting receipts, a Twitter fandango, and shopkeeper cyber tips
“Demonically” possessed devices print out antiwork propaganda, advice on how to secure your store, and is Twitter’s new photo privacy policy practical? All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Dinah Davis. Read…