SecureState: What state are you in?
by

Recently, SecureState has seen a significant increase in our clients asking us about physical security assessments. This type of work is especially relevant for our clients in the medical industry, where protecting personal health information (PHI) is an essential part of HIPAA compliance. As hospitals, doctors, and insurers are depending further and further on third party companies, they want to know that each of these third party companies is protecting information and their business environment physically, not just electronically.

by

Given the relative inaccuracies of the CSI franchise as a whole and how Hollywood regularly fails to tackle hackers with any sort of realism, it should surprise nobody that the new CSI show, CSI:Cyber, plays fast and loose with realistic hacking. The question we all had going in was just how inaccurate it would all be. The answer is, for the most part, completely inaccurate. Below is our take on the first episode.

by

Recently, a team of cryptographers at INRIA, Microsoft, and IMDEA discovered an SSL vulnerability in OpenSSL and Apple’s SecureTransfer that allow attackers to downgrade the encryption being used from ‘strong’ RSA to ‘export-grade’ RSA. By using a Man-in-the Middle style attack, attackers intercept communications and are able to trick servers into providing a much weaker encryption key than they otherwise would. With this new vulnerability making the rounds among the various news outlets, SecureState is here to answer some questions you might have about the new vulnerability, known as FREAK.

by

In a free market, supply and demand should ideally self-regulate, maximizing value. The market (often in the form of consumers) responds to negative corporate events such as faulty products or warranty issues by refusing to purchase from those responsible, reducing the profits and overall financial outlook for that company. It is entirely reasonable to assume that security breaches would have a similar negative effect on companies, as consumers who no longer feel their financial information is safe with the company would take their business elsewhere. However, over the past several months, several egregious security compromises have seemingly led to very little financial harm to the breached organizations.

by

Phishing is a social engineering tactic used by unauthorized users to gain access to sensitive data. Within the last few years, social engineering attacks have been growing in popularity and while end users have certainly improved in identifying a potential attack, this only means that the attackers have also improved in their methods. Modern phishing websites and emails are getting more and more sophisticated, often duplicating the styling and logo of familiar brands, making it extremely hard for consumers to recognize an attack.

by

Researchers at Qualys recently warned organizations about a remote code execution vulnerability in the Linux GNU C Library (glibc). Named GHOST, this is a buffer overflow vulnerability that affects the GetHOSTbyname functions used to resolve host names in glibc. Ghost has been compared to Heartbleed (CVE-2014-0160), Poodle (CVE-2014-3566), and Shellshock (CVE-2014-6271), but is it as serious a threat?

by

With our recent pleasant surprise at the realistic nature of hacking in the movie Blackhat, we decided to find a few other realistic depictions of hacking in fictional media. While everyone has seen ridiculous hacking examples in movies (think of Michael Douglas strapping on VR goggles in Disclosure, or almost anything in Lawnmower Man), realistic depictions of hacking are not so easy to come by. Some of the SecureState team got together and found their favorite examples of realistic and not-so-realistic hacking in movies and TV shows.

by

With the recent breach of Anthem, the focus on information security, particularly for the healthcare sector is higher than ever. SecureState has worked with a variety of healthcare companies, including hospitals and insurance providers, and we can answer some important questions on healthcare information security that have arisen as people learn more about this incident.