The Security Ledger

Critical Flaws in VxWorks affect Billions of Connected Things

Serious and exploitable security flaws in VxWorks, a commonly used operating system for embedded devices, span 13 years and could leave billions of connected devices vulnerable to remote cyber attacks and hacks.

The security firm Armis on Monday published a warning about 11 critical, zero day vulnerabilities in the VxWorks operating system, which is owned and managed by the firm Wind River. The…

Spotlight Podcast: To Fix Remote Access, CyberArk Alero Ditches Passwords and VPNs

In this Spotlight edition of The Security Ledger Podcast, sponsored by CyberArk*, we interview serial entrepreneur Gil Rapaport about his latest creation: Alero, a new remote authentication tool that promises to fix remote vendor access by doing away with passwords…and agents…and VPNs. If that sounds like a tall order, check out our podcast to learn how he does it! 

(more…)

Episode 154: Richard Clarke on Defending the Fifth Domain

The Pentagon calls cyberspace “the fifth domain” of conflict. But what does that mean? And how do you defend a human-made space that’s everywhere and nowhere? In this episode of the podcast, Richard Clarke joins us to discuss his new book, The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats. 

(more…)

Researcher warns DevOps Security is Back to the Future

The deployment of DevOpS tools and platforms at many organizations recalls the bad old days of the 1990s, with lax control of authentication, loose configuration and scant attention to security, experts warn.

(more…)

Robot Account Apocalypse: RPA Risk Exploding with Adoption

Robotic Process Automation is taking over mundane tasks in the workplace. But those bots may pose a serious security risk, according to researchers from the firm CyberArk.

(more…)

Opinion: We need a way to talk about Cyber Physical Risk

Last week’s warnings about serious, remote access flaws affecting GE anesthesiology machines underscore a major gap in our understanding of cyber risk. Namely: we don’t have a good way to measure security flaws that carry cyber physical risk. 

(more…)

Episode 153: Hacking Anesthesia Machines and Mayors say No to Ransoms

In this week’s podcast episode (#153): The researcher who discovered serious remote access security flaws in anesthesia machines by GE says such security holes are common. Also: the US Conference of Mayors voted unanimously to swear off paying ransoms for cyber attacks. But is that a smart idea? We’re joined by Andrew Dolan of the Multi State Information Sharing and Analysis Center to talk about…

Breath Deeply: DHS warns of Flaw in Hospital Anesthesia Machines

The U.S. Department of Homeland Security on Tuesday warned that a serious and remotely exploitable security hole has been found in two anesthesia devices made by GE Healthcare.

DHS issued an ICS Medical Advisory (ICSMA-19-190-01) Tuesday for the GE Aestiva and GE Aespire Anesthesia Machines, versions 7100 and 7900. A vulnerability in software that runs the devices could allow a remote attacker to…

Episode 152: What the Silex Malware says about IoT Insecurity and Cloud Security CEO Steve Mullaney on Amazon ReInforce

In this week’s podcast episode, #152: we talk with Akamai researcher Larry Cashdollar about his discovery of Silex, a new example of IoT killing malware allegedly authored by a 14 year old. Also: Steve Mullaney, the CEO of the cloud security start up Aviatrix joins us to talk about Amazon’s new cloud security conference: Re:Inforce.

When Akamai researcher Larry Cashdollarchecked the…

In this week’s episode, #151: Cesar Cerrudo, the head of research at the firm IOActive joins us to talk about the recent spate of massive ransomware payouts and why municipal government networks are the favorite target of hackers these days.

It happened again. Less than a week after Riviera Beach Florida agreed to pay a whopping $600,000  ransom to get their data back from hackers,…

Podcast Episode 150: Microsoft’s Tanya Janca on securing Azure and Armor Scientific’s CTO on Life after Passwords

In this week’s episode, #150: Microsoft cloud evangelist Tanya Janca joins us to talk about securing Azure and the challenges of pushing security left. Also: we continue our series on life after passwords as we speak with Nick Buchanan, CTO of Armor Scientific joins us to talk about the imminent demise of the password and what might replace it. 

Microsoft dominated the 1980s, 90s and 2000s…

Episode 149: How Real is the Huawei Risk?

In this episode of the podcast we’re joined by Priscilla Moriuchi of the firm Recorded Future, which released a report this week analyzing the security risks posed by Huawei, the Chinese telecommunications and technology giant.

In recent months, the Trump Administration has made the technology and telecommunications giant Huawei Technologies a poster child for its assault on China’s…

Episode 148: Joseph Menn on Cult of the Dead Cow also Veracode CEO Sam King on InfoSec’s Leaky Talent Pipeline

In this week’s episode of the podcast: Joseph Menn’s new book Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World hit store shelves this week. We reprise our March interview with Joe and talk about the origins of CDC. Also: is the talent pipeline for information security empty, or has it sprung a leak? We’re joined by Veracode *CEO Sam King to talk about one of the…

Forty Year Old GPS Satellites tell us lots about securing the Internet of Things

A programming glitch in GPS satellite software grounded planes in China and other countries. But what does it tell us about the security of the Internet of Things? Bill Malik of Trend Micro joins us to discuss.

You’ve  no doubt heard about (or lived through) the Y2K crisis. You remember: Y2K was the software “dragon” that lurked just beyond midnight on December 31st 1999, threatening…

Episode 146: Elections Loom, Political Parties struggle with Cyber Security and Securing Cloud with Aporeto CEO Amir Sharif

In this week’s episode, #146: we speak with the researchers behind a new analysis of more than 40 political parties in the US and Europe showing that many suffer from poor cyber security. Also: DEV-OPS methodologies are transforming the way organizations are creating and consuming software. But security technology is stuck in the past. In our second segment, we speak with the  Amir Sharifof the…

Spotlight Podcast: Managing the Digital in your Digital Transformation

Companies are pursuing digital transformation at all costs. But do they really understand the risks lurking in their digital transformation strategies? In this Spotlight Podcast, sponsored by RSA,* we’re joined by RSA Portfolio Strategist Steve Schlarman for a discussion of managing the risks in digital transformation. 

Scan through the pages of your favorite business publication or…

Episode 145: Veracode CTO Chris Wysopal and Life After Passwords with Plurilock

In this week’s episode, #145 Veracode CTO Chris Wysopal joins us to talk about the early days of the information security industry with L0pht and securing software supply chains. Also: we continue our series on life after the password by speaking to Ian Paterson, the CEO of behavioral authentication vendor Plurilock.

Chris Wysopal (aka Weld Pond)is one of the most recognized and…