It’s the holiday season, and if you are an IT security professional like me, going home for the holidays often means you are the designated briefing correspondent on all things data breaches. This year, instead of trying to explain IT jargon to my friends and family, I decided to compile a list of 2016 breaches and security incidents that will be sure

Breaches involving stolen credentials don’t surprise anyone these days. Those of us in infosec know too well that it’s a thousand times easier for the bad guys to gain access to a network and fly under the radar with a stolen login—often obtained through social engineering—than it is to get through cyber defenses. From the bad actors’ perspective, why pick t

Earlier this week, mass panic ensued when a security firm reported the recovery of a whopping 272 million account credentials belonging to users of Gmail, Microsoft, Yahoo, and a variety of overseas services. "Big data breaches found at major email services" warned Reuters, the news service that broke the news. Within hours, other news services were running

Update Comcast’s Xfinity Home Security System is vulnerable to attacks that interfere with its ability to detect and alert to home intrusions.Researchers at Rapid7 today disclosed the issue after fruitless attempts to contact and report the problem to Comcast dating back to Nov. 2; Rapid7 did disclose the vulnerability to CERT, which is expected to iss

Well, if you thought you had it rough in 2014 because of big, bad Poodles and an irritating case of Heartbleed, things only got worse this year. Rather than intrusions permeating our IT systems and stealing our data, attacks got a bit more personal in 2015. Not only were privacy and civil liberties put at risk by legislators pushing overbearing rules based o

A relatively small number of Twitter users, including a few connected to security and privacy advocacy, have been informed that their accounts have been targeted by state-sponsored hackers.Notifications began appearing in the inboxes of affected users two days ago, with very little concrete information accompanying the warning. Twitter said in the notifica

An unusual DDoS amplification attack was carried out 10 days ago against many of the Internet’s 13 root name servers, the authoritative servers used to resolve IP addresses.The attacks happened on Nov. 30 and again on Dec. 1, and each time, massive volumes of traffic, peaking at five million queries per second, were fired at the servers. A note from th

An APT gang linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries, has now pointed its focus inward at China’s autonomous territory Hong Kong.An August attack against several media companies in Hong Kong was carried out shortly after a high-profile controversy over an appointment at the prestigiou

Lenovo has patched two serious vulnerabilities that hackers could abuse in targeted attacks, or at scale, to easily guess administrator passwords on a compromised device, or elevate privileges to Windows SYSTEM user.The vulnerabilities were patched last Thursday by the manufacturer and details were disclosed Tuesday by researchers at IOActive, who privately

The FBI has put law enforcement and high-profile public officials on notice that they could be targeted by hacktivists following the recent doxing of CIA director John Brennan by the hacktivism collective called Crackas With Attitude.Brennan’s AOL email account was taken over by a teen associated with the group who posed as a Verizon employee to steal

Barcodes’ pervasiveness in retail, health care and other service industries notwithstanding, hackers really haven’t paid much attention to these tiny lines of data.But like other technologies supporting the so-called Internet of Things, there are bound to be vulnerabilities and there are bound to be white hats and black hats poking about. Case

A nasty cross-site request forgery vulnerability was patched Thursday in the Spring Social core library, one of the most pervasive Java application libraries.Spring Social facilitates social authentication between applications and online services, and the vulnerability allowed attackers to bypass authentication checks, impersonate users and take over social

The Xen Project, which oversees the open source Xen hypervisor, yesterday patched a seven-year-old vulnerability that allows an attacker to escape a guest virtual machine and attack the host operating system.The flaw is so bad that the developers of the Qubes OS Project, a security-heavy operating system whose protections rely on virtualization to compartmen

U.K. telecom TalkTalk, still reeling from a break-in reported last Wednesday, tried to cushion the blow over the weekend by telling those affected that the number of records stolen was smaller than originally thought.CEO Dido Harding said in a video update posted Sunday to the TalkTalk site that the Metropolitan Police Cyber Crime Unit investigation continue

Sharon Goldberg remembers the cold February day when her Boston University PhD candidate Aanchal Malhotra was studying routing security, in particular, attacks against the resource public key infrastructure (RPKI)—and kept hitting a dead end because of a cache-flushing issue.The resourceful Malhotra decided to roll back the time on her computer as a last-dit