Security experts have urged users to think more carefully about their password choice after spotting as many as one million based on simple football-related words. Authentication firm Authlogics manages a Password Breach Database — a collection of previous stolen or cracked credentials which that allows it to spot trends and offer industry advice. It claimed that of the one billion passwords in the trove, over 1.1 million are linked to the beautiful game. These are led…

Some 80% of global organizations that have paid a ransom demand experienced another attack, often at the hands of the same threat actors, according to a new study from Cybereason. The security vendor polled 1,263 cybersecurity professionals in multiple verticals across the US, UK, Spain, Germany, France, the United Arab Emirates, and Singapore to compile its latest report, Ransomware: The True Cost to Business. It confirmed what law enforcers and commentators have been saying for some…

Security experts have warned of a critical IoT supply chain vulnerability that may affect millions of connected cameras globally, allowing attackers to hijack video streams. Nozomi Networks revealed the flaw in a popular software component from ThroughTek, which OEMs use to manufacture IP cameras, baby and pet monitoring cameras, and robotic and battery devices. The bug itself is found in a P2P SDK produced by the firm. In this case, P2P refers to functionality that…

Back in 2018, the State of Security spent a lot of time going over v7 of the Center for Internet Security’s Critical Security Controls (CIS Controls). We noted at the time how the Center for Internet Security shuffled the order of requirements for many of the existing controls in that version. It also cleaned up the language of the CIS Controls, simplified some working, removed duplicate requirements, and created an abstract for each of the…

Executive Summary  The McAfee Advanced Threat Research team (ATR) is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. As security researchers, something that we always try to establish before looking at a target is what our scope should be. More specifically, we often assume well-vetted technologies like network stacks or the OS layers are sound and instead focus our attention on the application layers or software that is specific to a target. Whether that approach is comprehensive sometimes doesn’t…

[Disclaimer: The McAfee ATR team disclosed this vulnerability to Peloton and promptly started working together to responsibly develop and issue a patch within the disclosure window. The patch was tested and confirmed effective on June 4, 2021.] Picture this: A hacker enters a gym or fitness center with a Peloton Bike+. They insert a tiny USB key with a boot image file containing malicious code that grants them remote root access. Since the attacker doesn’t need to factory unlock the bike to load the…

[Disclaimer: The McAfee ATR team disclosed this vulnerability to Peloton and promptly started working together to responsibly develop and issue a patch within the disclosure window. The patch was tested and confirmed effective on June 4, 2021.] Picture this: A hacker enters a gym or fitness center with a Peloton Bike+. They insert a tiny USB key with a boot image file containing malicious code that grants them remote root access. Since the attacker doesn’t need to factory unlock the bike to load the…