Academic Research: A Survey of Email Attacks

article / Oct 31, 2017 (MODIFIED: Nov 16, 2017)

by David Hammerstrom, Sara McGarvey, Russel Parham, Kyle Uecker, Anthony Wade

Email has become such an ordinary part of our daily lives that we can forget how vulnerable it is.

Reaper: The Professional Bot Herder’s Thingbot

blog / Oct 26, 2017 (MODIFIED: Nov 09, 2017)

by David Holmes, Justin Shattuck

While Reaper might be considered an “object lesson” today, it should serve as a blistering warning that IoT security needs to be fixed now.

Help Guide the Future of Apps – Ultimately your Threat Landscape – by Responding to our SOAD Survey!

blog / Oct 24, 2017 (MODIFIED: Nov 02, 2017)

by Lori MacVittie

Assessing the State of Application Delivery depends on getting information from you about your applications!

Interview with the Experts: The Future of IoT Security through the Eyes of F5 Threat Researchers

blog / Oct 19, 2017 (MODIFIED: Nov 14, 2017)

by Debbie Walkowski

When it comes to IoT threats, we’re nowhere near being out of the woods yet; we’ve just barely entered the forest.

New Threat May Slip through the KRACK in BYOD Policies

blog / Oct 17, 2017 (MODIFIED: Nov 16, 2017)

by Lori MacVittie

Combating this vulnerability might mean you have to force updates on employees’ personal devices or deny them access altogether.

Joining Forces with Criminals, Deviants, and Spies to Defend Privacy

blog / Oct 12, 2017 (MODIFIED: Nov 07, 2017)

by Jennifer Chermoshnyuk, Matt Beland

Organizations need to provide clear and specific guidance to employees who travel across national borders when it comes to giving up passwords and surrendering devices.

Academic Research: Web Application Attacks

article / Oct 10, 2017 (MODIFIED: Nov 09, 2017)

by Andrew Cox, Daniel Freese, Matthew Martin, Daniel Massie

Personally identifiable information and user credentials are the primary nuggets attackers are after when they exploit known vulnerabilities in web applications.

The Good News about Breaches

blog / Oct 04, 2017 (MODIFIED: Oct 31, 2017)

by Lori MacVittie

Security breaches in the news serve as a good reminder to check and make sure you have a solid application protection strategy in place, starting with never trusting user input.

Profile of a Hacker: The Real Sabu, Part 2 of 2

blog / Sept 21, 2017 (MODIFIED: Oct 17, 2017)

by David Holmes

New information sheds light on Sabu’s activities following the revelation of his identity.

URL Obfuscation—Still a Phisher's Phriend

blog / Aug 29, 2017 (MODIFIED: Sept 28, 2017)

by Ray Pompon

Cyber crooks use several common URL disguising techniques to trick users into thinking their sham sites are legitimate.

"Cry 'Havoc' and Let Loose the Thingbots of War!"

blog / Aug 17, 2017 (MODIFIED: Sept 21, 2017)

by Lori MacVittie

Gray hats might have good intentions launching their “vigilante” botnets, but are they really helping us win the war against Death Star-sized thingbots?

NSA, CIA Leaks Provide a Roadmap to Stealthier, Faster, More Powerful Malware Like SambaCry and NotPetya

blog / Jun 27, 2017 (MODIFIED: Aug 09, 2017)

by Mike Convertino

Recent NSA and CIA leaks exposed advanced new techniques for building automated malware factories that churn out threats like SambaCry and Petya/NotPetya, which deploy over untraceable networks.

Russian Hackers, Face to Face

blog / Jun 21, 2017 (MODIFIED: Aug 01, 2017)

by Ray Pompon

An undercover interview of two infamous Russian hackers speak volumes about skills, passion, and motivation of some of the world’s most dangerous cybercriminals.

Default Passwords Are Not the Biggest Part of the IoT Botnet Problem

blog / Jun 06, 2017 (MODIFIED: Jul 20, 2017)

by Lori MacVittie

Providers and manufacturers could go a long way toward reducing the very real threat of IoT.

Fight Credential Stuffing by Taking a New Approach to Authorization

blog / May 31, 2017 (MODIFIED: Jul 06, 2017)

by Michael Koyfman

How a token-based authorization model can help organizations dramatically reduce credential stuffing attacks.

SambaCry: The Linux Sequel to WannaCry

blog / May 26, 2017 (MODIFIED: Jul 11, 2017)

by Malcolm Heath, Ray Pompon

With simple exploits plaguing Windows and Linux SMB week over week, do yourself a favor and patch for CVE-2017-7494 now to avoid having to do it in panic mode.

Why Cloud Sprawl is a Security Risk

blog / May 18, 2017 (MODIFIED: Jul 24, 2017)

by Lori MacVittie

Cloud sprawl isn’t just a budget sinkhole; it’s quickly becoming a security blind spot and potential attack vector for data theft.

Strike Back at Silent Bob: Scan and Block Ports Used by Intel AMT

blog / May 16, 2017 (MODIFIED: Jul 24, 2017)

by David Holmes

Is the Intel AMT vulnerability as bad as we all first thought? Either way, here are some suggestions for protecting yourself.

Internet, We (Still) Have a Problem with Internationalized Domain Names

blog / Apr 25, 2017 (MODIFIED: Jul 24, 2017)

by Lori MacVittie

Even URLs that look legitimate can be fake, so train, train, train your users to verify links before they click.

Profile of a Hacker: The Real Sabu, Part 1 of 2

blog / Apr 18, 2017 (MODIFIED: Sept 05, 2017)

by David Holmes

Notorious hacker of Anonymous and LulzSec fame is challenged by rival hacker, The Jester, to reveal his identity.

Doxing, DoS, and Defacement: Today’s Mainstream Hacktivism Tools

article / Apr 12, 2017 (MODIFIED: Jul 06, 2017)

by Ray Pompon

Readily available hacking tools provide new ways for civil disobedience groups to antagonize their targets anonymously.

Virtual Kidnapping: The Latest in an Endless Stream of Scams

blog / Mar 30, 2017 (MODIFIED: Jul 24, 2017)

by Mike Levin, Center for Information Security Awareness

The virtual kidnapping scam is on the rise because of the excessive amount of personal information people volunteer on social media.

DNS Is Still the Achilles’ Heel of the Internet

article / Mar 10, 2017 (MODIFIED: Jul 24, 2017)

by Ray Pompon

Since the Internet can’t survive without DNS, let’s make our best effort to defend it.

Security’s “Rule Zero” Violated Again with Zero-Day Apache Struts 2 Exploit

blog / Mar 09, 2017 (MODIFIED: Jul 06, 2017)

by Lori MacVittie

If you’re running Apache Struts 2 and the vulnerable component, stop reading and update now.

Why Managing Low-Severity Vulnerabilities Can’t Be Just a Pipe Dream

blog / Mar 03, 2017 (MODIFIED: Jul 25, 2017)

by Sara Boddy

Putting off fixing low-severity vulnerabilities can have high-impact effects.

Speed Over Security Still Prevalent in Spite of Substantial Risk for IoT Apps

blog / Mar 03, 2017 (MODIFIED: Jul 06, 2017)

by Lori MacVittie

Speed to market means IoT and mobile apps are being released with known vulnerabilities.

Friendly Reminder: App Security in the Cloud is Your Responsibility

blog / Feb 02, 2017 (MODIFIED: Jul 06, 2017)

by Lori MacVittie

Nearly 200,000 servers are still vulnerable to Heartbleed—and the organizations who own them might surprise you.

Using F5 Labs Application Threat Intelligence

report / Jan 26, 2017 (MODIFIED: Jul 06, 2017)

by Ray Pompon, Sara Boddy

As security professionals, we often feel like we’re fighting a losing battle when it comes to cyber security.

IoT Threats: A First Step into a Much Larger World of Mayhem

blog / Jan 17, 2017 (MODIFIED: Sept 01, 2017)

by Ray Pompon

So far, we’ve seen IoT DDoS attacks on a Death Star scale. What's next for those of us that may be caught in the blast?

DARPA Proves Automated Systems Can Detect, Patch Software Flaws at Machine Speed

article / Oct 23, 2016 (MODIFIED: Jul 06, 2017)

by Debbie Walkowski, David Holmes, John Hall

According to DARPA, it takes an average of 312 days for security pros to discover software vulnerabilities such as viruses, malware, and other attacks. In hacker time, that’s a virtual eternity in which bad actors can wreak havoc.

Is HEIST a Risk or a Threat?

blog / Aug 12, 2016 (MODIFIED: Jul 06, 2017)

by Lori MacVittie

HEIST is an example of how risk and threat are different, and why the distinction matters.

Web Injection Threats: The Cost of Community Engagement on Your Site

article / Jul 22, 2016 (MODIFIED: Jul 06, 2017)

by Sara Boddy

Customer engagement drives web application design, but user-generated content brings inherent security challenges.

stay up to date

Get the latest application threat intelligence from F5 Labs.

There was an error signing up.
Thank you, your email address has been signed up.

Follow us on social media.