SolarWinds compromise focuses new attention on trust in vendor supply chain
Software vendors, like other types of organizations, may in fact be worthy of customers’ trust, but it is at least a semantic mistake for any buyer to say they trust software.

Tax season means it’s time to watch out for W-2 scams

Perhaps harder to understand is why so many of these emails make it through to their recipients, whether or not the recipients actually fall for the scam.

After Yahoo! breach, can users do anything to protect their online data?

In light of news reports that company executives did little to strengthen cyber-defenses, the group that seems most overlooked in the aftermath of the breach is Yahoo! customers.

It’s hardly treason, but Trump’s call for Russian hacking still encourages illegal actions

A brief examination of relevant U.S. laws suggests that Trump is at the very least encouraging action that violates U.S. law, because computer hacking generally (whether perpetrated by domestic or foreign actors) is illegal.

Epic Mossack Fonseca breach tied to basic patch management failures

Mossack Fonseca failed to understand even basic information security and privacy principles and lacked the IT management skills or oversight necessary to ensure that they were adequately protecting their own and their clients’ information.

MedStar attack apparently enabled by unpatched software

Attackers who find vulnerable servers can deploy ransomware without any action on the part of users in the targeted organization.

OPM (finally) notifies people affected by breach

My notification letter arrived on November 23, 137 days after the public announcement and approximately 200 days after OPM says it discovered the incident.