A journalist asked me an interesting question this week: “Why doesn’t the Agile Manifesto address security?” After some thought, I think I have a good answer. It does.
Industrial networking, computing and automation solutions provider Moxa has released a firmware update for one of its industrial secure routers to address several high severity vulnerabilities that can be exploited for denial-of-service (DoS) attacks, privilege escalation, and arbitrary code execution.
Updates released by Cisco for the AsyncOS operating system powering the company’s Web Security Appliance (WSA) address several high severity denial-of-service (DoS) vulnerabilities.
Researchers at ESET have uncovered a cyber surveillance/espionage operation aimed at separatists, government officials, journalists and politicians in Ukraine.
Truly random numbers are difficult to produce. The clue is in that very description: if it can be produced once, it can be reproduced. And if a random number can be reproduced, it isn't random.
Cyber attackers are targeting the campaigns of Democratic and Republican presidential contenders, US Director of National Intelligence James Clapper said Wednesday. "We already have some indications of that," he said during a cyber-security discussion at the Bipartisan Policy Center in Washington.
Yahoo has paid out a total of more than $1.6 million since the launch of its public bug bounty program in 2013, the tech giant reported on Tuesday. Yahoo teamed up with HackerOne in October 2013 and launched a proper bug bounty program after researchers complained that they only got low-value vouchers and Yahoo-themed swag for reporting serious vulnerabilities.
Four years ago approximately 6.5 million LinkedIn passwords found their way on to a Russian password forum. The incident was a huge embarrassment for LinkedIn, and although hashed, the passwords were not salted, and were consequently relatively easy to crack.
Macro malware, a major threat in the 1990s, has recently returned to focus and is evolving, courtesy of tricks designed to better keep the malicious code hidden, Microsoft warns.
The focus of security is shifting from perimeter protection to network detection. Anti-virus at the perimeter is no longer enough, and the AV industry itself has long said that it should be part of a multi-layered defense. Now a major AV vendor is providing one of those additional layers with the launch of its own incident detection and response service.
Why Centralizing Enterprise Security Resources is Not a Great Idea
The lead developer of the Nuclear exploit kit is an individual located in Russia, and the group behind the crimeware makes roughly $100,000 per month, according to security firm Check Point.
Microsoft CEO Satya Nadella's transformation of the company from a staid desktop sales company into a dynamic cloud subscription company has been remarkable. By the number of enterprise users, Microsoft has become the most widely used cloud service provider in just two years. Perhaps unsurprisingly, because of its ease and ubiquity, OneDrive is the most used part of the Office 365 suite.
Just as the story of the “Panama Papers” was about to die out, we in the security community are treated to new data, some celebrities and a manifesto. The leaked data from the Mossack Fonseca breach is supposed to illuminate dark corners of international tax evaders, but the story has many mysteries around it still.
Malware authors are constantly trying to build their malicious files to remain undetected by security products and pack their malicious programs with anti-virus detection capabilities, but the newly observed "Furtim" malware is one of a kind in this regard.
VMware has released updates for several of its products to patch a couple of vulnerabilities rated critical and important. The critical vulnerability is related to how the RMI server of Oracle JRE JMX deserializes authentication credentials. A remote, unauthenticated attacker can leverage the weakness to cause deserialization flaws and execute arbitrary commands.
Google has paid out $5,000 to a bug bounty hunter who discovered a serious vulnerability in the Google Cloud Platform. Germany-based researcher Patrik Fehrenbach discovered that the Google Cloud Platform Console was plagued by a stored cross-site scripting (XSS) flaw.
Clickjacking attacks where users are tricked into enabling Android accessibility features are possible on a majority of devices, enterprise mobile security firm Skycure warned on Tuesday.
Hackers once again took a swing at the Locky distribution network and replaced the malicious payload with a benign file, researchers at F-Secure report.
Researchers at Kaspersky Lab have come across a new and improved version of an old piece of malware that allows cybercriminals to steal money and payment card data from ATMs.