A groundbreaking study from RAND Corporation quantifies the stakes around how zero-day software vulnerabilities get discovered and persist, bringing hard facts to bear on related - and contentious - debates surrounding vulnerability disclosure and public safety.
Apache Struts 2 users are being warned to upgrade immediately, after attackers began targeting a zero-day flaw in the widely used, open source Java EE platform. Some attacks deactivate firewalls on vulnerable Linux systems and install DDoS or BillGates malware, amongst other malicious code.
Confide, an encrypted messaging application, received a surge of attention after White House officials began using it for leaks. But a teardown of the app by two security firms revealed a raft of serious security issues.
A new release from WikiLeaks - of what's alleged to be classified material from the CIA - has seemingly exposed some of the agency's most sensitive hacking projects and malware capabilities. Technology experts are scrambling to assess the impact, as well as WikiLeaks' claims.
CA Technologies has announced plans to snap up application security testing vendor Veracode for $614 million cash, to offer SaaS-based application security testing. The move signals that secure coding - and agile-inflected DevOps - is hot. But will it come in time to secure the internet of things?
A look at the return of the Crypt0L0cker ransomware leads the latest edition of the ISMG Security Report. Also, assuring the security of medical devices; and U.S. federal prosecutors drop charges against a child porn suspect rather than reveal the hacking technique used to ensnare him.
When it comes to massive DDoS attacks powered by the likes of a Mirai botnet, "the sky is not falling," says ESET security researcher Cameron Camp. But organizations do need to prepare - and here's where to start.
Crypt0L0cker ransomware - originally tied to the Gameover Zeus gang - has returned, researchers warn, and in some cases is digitally signed to make it appear legitimate. Other attack campaigns are spreading Cerber and Sage Locker via spam emails sent via short-lived domain names.
With Verizon's data breach investigations team finding that 90 percent of breaches trace to a phishing or other social engineering attack, lead investigator Chris Novak says that using multifactor authentication should be a no-brainer for all organizations.
When trying to detect which security events are malicious, analysts have long battled signal-to-noise problems. LogRhythm's James Carder describes how behavioral analytics, case management, security automation and threat intelligence can help.
The European Union's General Data Protection Regulation, which will be enforced beginning in May 2018, will affect organizations throughout the world because it applies to any company that handles Europeans' personal data, says Fred Kost of HyTrust.
To meet the increasing customer demands for effective solutions, security vendors must ensure their products work together well, says Dr. Mike Lloyd of RedSeal. This is particularly essential to achieving "digital resilience," the ability to promptly detect and respond to network intrusions, he says.
In the history of data breaches, Cloudflare's recent breach was strikingly unique, in that a software bug caused a random regurgitation of data from server memory. But a postmortem from CEO Matthew Prince should put most people's concerns to rest.
Vice President Mike Pence used a personal AOL email account while governor of Indiana to conduct official business, and his account was hacked. Live by the private email account, die by the private email account?
Yahoo CEO Marissa Mayer will lose her cash bonus after an independent investigation into security breaches at the search giant found that the company's senior executives and legal team failed to properly comprehend or investigate the severity of the attacks.