Apache Tomcat is the leading Java application server by market share and the world's most widely used web application server overall. Currently at version 8, the popular web server has not been without its security flaws, perhaps most famously publicized in this incident of aircraft hacking by security researcher Chris Roberts earlier this year. However, hardening Tomcat's default configuration is just plain good security sense—even if you don't plan on using it on your plane's network.

When it comes to application security (AppSec), most experts recommend using Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) as “complementary” approaches for robust AppSec. However, these experts rarely specify how to run them in a complementary fashion.

The Lookout Threat Intelligence team has discovered a new mobile app threat targeting iOS and Android users in Chinese speaking countries, Korea and Japan. The spyware, which we have named Goontact, targets users of illicit sites, typically offering escort services, and steals personal information from their mobile device. The types of sites used to distribute these malicious apps and the information exfiltrated suggests that the ultimate goal is extortion or blackmail.

Digital threats confronting Critical National Infrastructure (CNI) are on the rise. That’s because attackers are increasingly going after the Operational Technology (OT) and Industrial Control Systems (ICS) that shareholders use to protect these assets.

It’s a busy season for card issuers, card networks and payment service providers. Transaction and purchase volumes are rising across mobile and online channels — with Black Friday and Cyber Monday e-commerce sales up 15% from last year. Despite this holiday season’s resilient e-commerce sales, organizations must continue to find ways to maximize transactions and card profitability in the face of reduced in-store purchase volumes, interest margins, fees and interchange revenues.

On December 8, 2020, cybersecurity company FireEye announced in a blog post that it had been attacked by what CEO Kevin Mandia described as a “highly sophisticated threat actor” that “targeted and accessed certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers.”

The burden of software security often falls solely on security teams, but to be successful, organizations need to make security a team effort. Remember group projects in school? Teachers love them because they have less grading to do; in a class of 25 students, they might only need to look at 5 projects. For team members, team projects can be difficult, usually when individual motivation levels don’t match up.

The FireEye breach on Dec 8, 2020, was executed by a “nation with top-tier offensive capabilities.” These hackers got a hold of FireEye’s own toolkit, which they can use to mount new attacks globally. What does this mean for you? Mandiant is a leading Red Team/Penetration Testing company with a highly sophisticated toolkit, called the "Red Team tools." These are digital tools that replicate some of the best hacking tools in the world.

One of the lasting changes brought about by the COVID-19 pandemic is that it forced organizations to rethink the concept of a workspace. As remote work became inevitable, IT teams had to enable the secure transition to remote work almost overnight. Opening up offices, on the contrary, will likely be executed in planned phases. A United States Department of State advisory recommends that workforces return to an office in three phases, with the employees most at risk coming in at a later stage.

Your business is growing at a steady rate, and you have big plans for the future. Then, your organization gets hit by a cyberattack, causing a massive data breach. Suddenly, your company’s focus is shifted to sending out letters to angry customers informing them of the incident - which is required by law in most states - and devising strategies to deal with the backlash.