A security researcher called Tavis Ormandy found a zero day affecting LastPass, a popular password vault, meaning millions of users may be at risk until the problem is patched. Security experts from Lieberman Software and AlienVault commented below: Jonathan Sander, VP of Product Strategy at Lieberman Software: “One thing that’s interesting about the LastPass zero-day hole is that it proves they are likely using a good dose of their own medicine. LastPass is about protecting credentials. Nearly every story you see hitting the headlines and bad guys breaking in these days involves some form of stolen credentials. If that was…
ISBuzz Team
Security researchers have discovered nine separate vulnerabilities in internet-connected lightbulbs made by Osram, four of which remain unpatched. The flaws include the app storing an unencrypted copy of the user’s wifi password and allowing the attacker to turn the lightbulbs on and off without permission. There are also flaws in the ZigBee hub device which relays commands to the lightbulbs. Security Experts commented below. Simon Moffatt, EMEA Director, Advanced Customer Engineering at ForgeRock: “The initial wave of IoT implementations have mostly been about communications and connectivity, with the technical challenges of adding network connectivity to previously dumb, offline devices meaning that security has taken something…
Following the news that Pokémon Go app is putting users’ data at risk, Richard Stiennon, Chief Strategy Officer at Blancco Technology Group commented below. Richard believes that the app, as well as the platforms it connects to (Facebook and Google), have a responsibility to adhere to strict data privacy guidelines such as the upcoming EU GDPR. The large amount of personal data to which the app has access has the potential to cause a great level of damage if breached. Richard Stiennon, Chief Strategy Officer at Blancco Technology Group: “To say the Pokémon Go app is a viral sensation is an…
In response to the recent scandal whereby O2 users found their data up for sale on the dark web, Richard Stiennon, Chief Strategy Officer for Blancco Technology Group believes that claiming they have been a victim of ‘credential stuffing’ is an insufficient excuse when attempting to compensate for the fact that their customers’ data has been leaked to the dark web. Richard Stiennon, Chief Strategy Officer at Blancco Technology Group: “Earlier this week, it was revealed that hackers stole customer data from telecommunications provider O2. Essentially, the hackers stole the data from another source nearly three years ago, but now they’re selling…
The Problem of Unfilled Cybersecurity Jobs is that Attack Volume has Made Those Roles Feel Futile Every day when I scan my news feed I find a new article describing a stunning scarcity of qualified cybersecurity professionals. Most recently, a study by global recruiting firm Robert Half entitled “Cybersecurity – Protecting Your Future” found that the majority of CIOs (77%) believe that they are due to face more security threats in the next five years due to a shortage of IT security talent. From the report’s description: The days when cybersecurity was viewed as simply an IT problem are over.…
Kimpton Hotels, a boutique hotel brand that includes 62 properties across the United States, said yesterday it is investigating reports of a credit card breach at multiple locations. Security Experts commented below. George Rice, Senior Director, Payments at HPE Security – Data Security: “Once again with last night’s news of a data breach at Kimpton Hotels, we see that hospitality service providers face extraordinary challenges with customer data security at point of sale (POS). Card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in. Online booking systems often channel…
NEWS HIGHLIGHTS New report by Intel Security and CSIS reveals current cybersecurity talent crisis in Australia, France, Germany, Israel, Japan, Mexico, U.S. and U.K. Cybersecurity skills shortage is worse than talent deficits in other IT professions. Shortage in cybersecurity skills is responsible for significant damages. Talent shortage is largest for individuals with highly technical skills. 76 percent of those surveyed believe governments are not investing enough in building cybersecurity talent. Hands-on training and practical training are perceived as better ways to develop skills than through traditional education resources. LONDON, UK. Intel Security, in partnership with the Center for Strategic and…
Following the news of wireless keyboards being easy to intercept, David Emm, principal security researcher at Kaspersky Lab commented below. David Emm, principal security researcher at Kaspersky Lab: “The recent news of wireless keyboards being easy to intercept demonstrates that, while wireless products provide convenience, as with any digital device that is connected to the internet, if it isn’t secure it can be compromised and the data you transmit can be intercepted. In this case, it would seem that none of the affected firms has taken measures to warn customers or take steps to secure the products – something that might not be…
Joe Uchill with The Hill, who has previously covered Guccifer 2.0 and the Wikileaks DNC data dump, has provided us with redacted information on his communications with Guccifer 2.0 that has raised our confidence in our current assessments and hypotheses. ThreatConnect follows Guccifer 2.0’s French breadcrumbs back to a Russian VPN Service Read the full series of posts following the DNC Breach: “Rebooting Watergate: Tapping into the Democratic National Committee”, “Shiny Object? Guccifer 2.0 and the DNC Breach“, “What’s in a Name Server?”, and “Guccifer 2.0: the Man, the Myth, the Legend?” In our initial Guccifer 2.0 analysis, ThreatConnect highlighted technical and…
Deral Heiland, Research Lead at Rapid7, is disclosing a vulnerability that reveals how popular home lighting system, Osram Lightify leaves users vulnerable to attack. A link to the blog post with additional details can be found here. Specifically, a malicious actor can: Execute commands to change lighting, and also execute commands to reconfigure the devices Inject code which could modify the system configuration, exfiltrate or alter stored data, or take control of the product in order to launch browser-based attacks against the authenticated user’s workstation. Deral commented below. Deral Heiland, Research Lead at Rapid7: “As consumer based IoT solutions find their way into our enterprise…