In the News

Read what the experts are saying about Zscaler

SoakSoak bug hits 100,000 websites using old plugin flaw

More than 100,000 websites worldwide have been infected with new ‘SoakSoak’ malware which is being distributed from a Russian website. Michael Sutton, VP of security research at Zscaler, criticised ThemePunch, the makers of Slider Revolution. He said that in February, they silently patched a critical flaw, only acknowledging this in September when Sucuri highlighted the vulnerability - which by then was being actively exploited.
December 16, 2014

Targeted Attacks: A Defender's Playbook

Most cyber attacks today are random, automatically generated exploits that prey on vulnerable systems. But security experts now say there's a small but growing percentage of online attacks that are carefully targeted to compromise a single victim. Advanced attackers are picking targets deliberately in order to steal very specific intellectual property, collect trade secrets, and scoop up troves of customer data. Zscaler’s Michael Sutton weighs in.
December 15, 2014

Arista's Enhanced OS Supports 3rd Party Functions

Arista Networks announced an enhanced version of its EOS (Extensible Operating System) that integrates with a wide range of technology partner solutions from Zscaler among others.
December 14, 2014

Pirated Assassins Creed Spreads Malware

A new Android malware disguising itself as an Assassins Creed app is taking a particularly savvy approach to compromising users. It will install a pirated version of the Assassins Creed game that functions normally, making the end user oblivious to the malicious activities it performs in the background. According to researchers at Zscaler, the malicious application is capable of sending multi-part text messages, harvesting text messages from a victim's device and sending stolen information to a remote command & control (C2) server.
December 12, 2014

Android Malware Installs Pirated Assassin’s Creed App

A pirated version of the Assassin’s Creed application for Android is bundled with malware, according to security-as-a-service provider Zscaler.
December 12, 2014

Google tops Glassdoor’s best places to work; F5 outranks Facebook, Qualcomm, Apple

Technology companies named to the Best Places to Work list by Glassdoor include Zscaler at #35.
December 10, 2014

Google Tops Glassdoor’s Best Places to Work; F5 Outranks Facebook, Qualcomm, Apple

Tech players made a strong showing on Glassdoor’s Best Places to Work list, with Zscaler ranking #35.
December 2, 2014

Winter Freeze

Deepen Desai, head of security research for Zscaler, said that “the main incentive for businesses to adapt to a more proactive strategy is to prevent huge financial losses and safeguard customer loyalty.” Therefore, a shift to EMV chip-based payments is a good move. Retailers have started upgrading the Point of Sale terminals to support EMV chip enabled cards more aggressively in the wake of large breaches and also because of the new Counterfeit Card Liability Shift policy that will become effective in October, 2015.
December 8, 2014

Defending Against ‘Wiper’ Malware

Backing up data is also essential, in case systems get wiped and must be reinstalled, and such backups must be disconnected from the network, lest they get deleted by the same wiper malware. "Continual, offsite data backups are critical for any organization," says Michael Sutton, vice president of security research at cloud security firm Zscaler. "Backups can be a challenge with a mobile workforce when devices rarely return to the corporate office, but Internet-based backup solutions provide a means of remote backup so long as an Internet connection is available."
December 2, 2014

Are AnonGhostTeam Hacktivists Using Malware to Infect End Users?

Many security experts tend to ridicule the threat of hacktivist groups; many professionals consider groups that express political dissent through cyber attacks a harmless threat. Now cyber experts are warning of a new hacktivist campaign managed by the AnonGhostTeam collective that is spreading malware that allows attackers to gain remote code execution on infected victims, as explained by Chris Mannon, security expert at Zscaler, in a blog post.
December 1, 2014

Tasty Spam: Black Friday, Cyber Monday Phishing Scams

Cyber-criminals are stepping up their cyber-scams and phishing campaigns against shoppers looking for the best deals this holiday shopping season, Zscaler researchers said. Check out some of the common spam and phishing attacks targeting Black Friday, Cyber Monday, and Thanksgiving.
November 28, 2014

Feedback Friday: 'Regin' Cyber Espionage Tool - Industry Reactions

“Regin is being referred to as malware, but ‘malware framework’ would be a better description. With some 50 payloads identified thus far and some dating back to 2008, this isn’t a simple matter of analyzing a single binary to determine what it does. Analyzing Regin is akin to a paleontologist that finds one fossil today and others later on, only realizing at some point in the future that they’re all part of the same beast,” said Zscaler’s Michael Sutton.
November 28, 2014

Hacktivists Get Serious with Remote Code Malware

Security experts are warning of a new hacktivist campaign which goes further than merely defacing websites, by linking to malware which could allow for remote code execution by an attacker. The group in question claims to be part of the ‘AnonGhostTeam’ collective which has targeted government and mass media sites in the past, Zscaler security researcher Chris Mannon explained in a blog post.
November 28, 2014

Experimental Malware Bypasses Top APT Detection Solutions: Report

APT campaigns are increasingly common and since they usually rely on tools that are not detected by regular antivirus products, many security companies have developed specialized solutions designed to identify and block such threats. The list of firms that offer such solutions includes Cisco, Damballa, Checkpoint, FireEye, Fortinet, Palo Alto Networks, LastLine, Zscaler, Trend Micro and Websense.
November 26, 2014

Is Your Security Plan in Order for Black Friday and Cyber Monday?

In a blog post, Zscaler reported a large spike in phishing and other online scams meant to lure unsuspecting customers to bogus websites, and despite being more educated than ever about how to spot a phishing scam, consumers are still falling for them.
November 26, 2014

Viptela Partners With Zscaler On Wide Area Network Security

Both San Jose, Calif.-based startups have high-profile venture backers. Lightspeed Venture Partners has invested $38 million in Zscaler, and Viptela in March received a $33.5 million round from Sequoia Capital.
November 19, 2014

CipherCloud Scores Monster Series B

The platform also ensures compliance and protects against data breaches and insider threats, through data and user activity analysis and anomaly detection. The company competes with products from legacy vendors, but perhaps more importantly, a raft of startup vendors like Netskope, SkyHigh Networks, Adallom and ZScaler.
November 19, 2014

Cloud security startup CipherCloud raises $50M

It competes with a number of legacy security software providers and a host of startups in the sector, including Los Altos-based Netskope, Cupertino-based SkyHigh Networks, Menlo Park-based Adallom and San Jose-based Zscaler.
November 19, 2014

Ransomware: City of Detroit didn't pay, TN sheriff's office did pay to decrypt

Zscaler ThreatLab said ransomware is one of the most popular malware threats this year, and claims infection rates have increased 700%.
November 19, 2014

Apple: Want a PATCH for iOS Masque attack? TOUGH LUCK, FANBOI

Deepen Desai, head of security research at cloud security firm Zscaler, explained: "WireLurker has been found using the Masque exploit where it is possible to install a malicious app masquerading as a legitimate app by using the same bundle identifier string. The malicious app will completely replace the legitimate app and will also have access to the cached data as well as cached login tokens."
November 14, 2014

Apple downplays Masque malware threat despite US CERT warning

Deepen Desai, head of security research at Zscaler, said: "Users will always be susceptible to social engineering tactics luring them into installing an app from an untrusted source.
November 14, 2014

Feedback Friday: WireLurker Malware Targets Mac OS X, iOS - Industry Reactions

Michael Sutton weighs in on WireLurker, “We keep waiting for mobile malware to eclipse traditional PC malware but it turns out that we're waiting for the wrong thing. We'll never see the drive by downloads and fast spreading device to device malware that we've become accustomed to in the Windows world, due to the differing architectures of Windows vs Mobile operating systems. That doesn't however mean that malware on mobile devices isn't a concern, it just means that malware is being forced to evolve and adapt to a more restrictive environment.”
November 7, 2014

What is WireLurker? Malware attacking iPhones and iPads through your Mac

Zscaler comments on WireLurker, noting “WireLurker takes advantage of Enterprise Provisioning to install apps on the device, but when doing so users must accept a provisioning profile before apps can be installed. If the device is jailbroken, WireLurker has greater flexibility and can fully control the device.”
November 7, 2014

WireLurker infects Apple devices via compromised applications

Michael Sutton, VP of security research at Zscaler, said that what is unique about WireLurker is that it takes the approach of first infecting a Mac OS X device, and then monitoring for connected devices.
November 6, 2014

A balancing act: Apple technology

“Apple has an opportunity to be the platform of choice for enterprises wishing to make standard security policies for BYOD devices,” Zscaler’s Michael Sutton says.
November 3, 2014

Beyond SWGs (Part 3): What’s in the sandbox?

SWG vendors know that they can’t risk newcomers like FireEye encroaching much further. Trend Micro, Websense and Zscaler are three vendors that have built their own sandboxes. This post looks at Zscaler’s new sandbox technology.
November 2, 2014

Feedback Friday: Hackers Infiltrate White House Network - Industry Reactions

Zscaler’s Michael Sutton weighs in on the White House security breach, noting “The breach of a compromised White House computer reported this week is simply the latest in ongoing and continual attacks on government networks. While such breaches periodically hit the headlines thanks to 'unnamed sources', it's safe to assume that the general public only has visibility into the tip of the iceberg.”
October 31, 2014

New Koler Variant Spreading through SMS

Zscaler weighs in on a new iteration of the Android ransomware Koler that’s trying to trick its victims into downloading the malware by propagating through SMS messages.
October 27, 2014

Beyond SWGs: Cyber-security in the Cloud (Part 2)

In part 2, Dan Blum covers the changing Secure Web Gateway market and calls for a new unified platform approach to security.
October 27, 2014

New Products of the Week: Zscaler Fall 2014

Zscaler’s Fall 2014 release featured in Network World’s round up of the most interesting products of the week.
October 27, 2014

Zscaler Expands Partner Program, Security Platform

Internet security provider Zscaler has expanded its Technology Partner Program, announced in tandem with the release of the company’s Fall 2014 Internet security and compliance platform, which promises to provide new ways to protect end users from security risks.
October 24, 2014

Beyond SWGs: Cyber-security in the Cloud (Part 1)

Dan Blum covers the evolving Secure Web Gateway market and the benefits of cloud-based security.
October 24, 2014

Zscaler Launches APT Protection

Zscaler Fall 2014 offers Internet security, APT protection, data loss prevention, SSL decryption, traffic shaping, policy management, security assessment and threat intelligence - without the need for on-premises hardware, appliances or software.
October 24, 2014

China Linked to Cyber-attacks on Taiwan Exploiting Windows Vulnerability

Zscaler comments on a new, unpatched software vulnerability affecting almost all Windows machines, which is remarkably similar to a flaw used in recent cyberattacks on the Ukrainian government.
October 23, 2014

Zscaler pitches cloud-based Internet security suite to the mid-market

Zscaler believes its SaaS-like approach to delivering an Internet security and compliance suite from the cloud will help stem embarrassing breaches at midmarket enterprises.
October 22, 2014

China Attack Aims at Apple iCloud Storage Service

Cybersecurity monitoring groups and security experts said on Monday that people trying to use Apple’s online data storage service, known as iCloud, were the target of a new attack that sought to steal users’ passwords and then spy on their activities.
October 21, 2014

Apple’s iCloud Storage Service Is Aim of Attack in China

“All signs point to the Chinese government’s involvement,” said Michael Sutton, vice president for threat research at Zscaler, a San Jose, Calif., security company. “Evidence suggests this attack originated in the core backbone of the Chinese Internet and would be hard to pull off if it was not done by a central authority like the Chinese government.”
October 21, 2014

Zscaler Adds New Capabilities to Cloud Security Platform

Zscaler today announced the availability of a new version of its cloud-based Internet security platform, which now provides protection against advanced persistent threats (APT).
October 21, 2014

Zscaler Launches New Advanced Persistent Threat Protection

Available now, Zscaler Fall 2014 includes breakthrough new capabilities for Advanced Persistent Threat (APT) protection, guest Wifi security, global administration, policy management and reporting and instant assessment of security risks.
October 21, 2014

Zscaler eyes enterprise wins with expanded partner program

Internet security vendor Zscaler has boosted its Technology Partner Program to expand sales of its security and compliance SaaS platform. The Technology Partner Program promotes a portfolio of complementary offerings aimed at boosting security while reducing total cost of ownership, the vendor said, and this is being enhanced alongside a refresh and update of Zscaler's own platform.
October 21, 2014

Zscaler Adds Partners For SaaS-Based Security Service, Ups Battle Against Websense

Zscaler is pushing past its SaaS-based Web filtering technology and extending its add-on services to include licenses for cloud-based antimalware, data loss prevention and secure Wi-Fi services. Partners say the San Jose, Calif.-based vendor has been a solid choice for companies that are ripping out legacy, on-premise secure Web gateways that primarily were used for URL filtering capabilities to gain end-user productivity improvements.
October 21, 2014

Zscaler Expands Partner Ecosystem

No single security technology or vendor can fully protect everyone against all of today’s rapidly evolving threats. Zscaler’s Technology Partner Program brings together an ecosystem of complementary solutions to help organizations implement the best security infrastructure with the lowest TCO.
October 21, 2014

Shellshock flaw hits Lycos and Winzip – but not Yahoo

Just when you thought the Shellshock vulnerability issue couldn't get any more complex, a "handful" of Yahoo's servers were apparently infected by malware at the start of the week. Zscaler weighs in.
October 9, 2014

Shellshock used to spread Mayhem

Cybercriminals are already exploiting Shellshock through the most obvious attack vector: vulnerable web servers. On its blog, ZScaler has an overview of various such attacks seen in the wild.
October 8, 2014

Government trains lawyers and accountants in cyber threat

In March, Zscaler identified an APT watering-hole campaign that used the website of a law firm that works with energy companies to plant the LightsOut exploit kit on its intended victims.
October 7, 2014

107 Career-Launching Technology Companies

Wealthfront names Zscaler to its list of rapidly growing mid-sized private technology companies.
October 7, 2014

Hackers using Shellshock to sneak into NAS systems

Researchers from Zscaler reported uncovering evidence that hackers are exploiting Shellshock to install malware on Nginx and Apache web servers.
October 2, 2014

Driven by mobile: The challenge of protecting mobile devices

Zscaler weighs in on how the use of mobile devices in the enterprise has forced those in charge of maintaining the integrity of business networks to consider new security strategies and new tools. All the old assumptions about how to protect endpoints have been under challenge.
October 1, 2014

MSSPs Tracking Shellshock Attacks, FireEye Uncover NAS Systems Assault

Security vendor Zscaler observed an attack shortly after the Bash vulnerability was reported last week and identified malware that was able to collect system information and perform denial of service attacks.
October 1, 2014

Shellshock: Apple issues OS X Mavericks, Lion and Mountain Lion bash patches

Researchers from Zscaler ThreatLabz reported uncovering evidence hackers are exploiting Shellshock to install malware on Nginx and Apache web servers.
September 30, 2014

‘Shellshock’ Bug Exploits Spotted in the Real World

Zscaler has also issued warnings that it has spotted the bug in the wild, while the UK government has given the bug "the highest possible threat rating" via its cybersecurity response team.
September 29, 2014

Vendors Patch ‘Shellshock’ as Hackers Attack

Security vendors including AlienVault, Zscaler and TrendMicro reported that thousands of servers have already been compromised using Shellshock.
September 29, 2014

Attackers Exploit Shellshock Bug

According to Deepen Desai, Zscaler's director of security research, "the two malware payloads that were getting dropped had almost zero AV detection" when they were first spotted. But about 24 hours later, "the detection level is slightly better," with 23 out of 55 antivirus engines on VirusTotal now flagging the malware.
September 26, 2014

Feedback Friday: ‘Shellshock’ Vulnerability – Industry Reactions

"That said, we're very much in the same boat having potentially millions of vulnerable machines, many of which will simply never be patched. Shellshock, like Heartbleed, will live on indefinitely."
September 26, 2014

Hackers ‘already using Shellshock bug to attack victims’

The Zscaler research team said this morning that it had spotted attacks using the flaw “within hours of the public disclosure”. Hackers have been gaining access to machines using the hole and using it to install additional malware that then leaves them wide open to abuse.
September 26, 2014

Hackers caught exploiting Shellshock Bash vulnerability

Hackers are exploiting the Bash bug, codenamed Shellshock, to install malware on Nginx and Apache web servers, according to researchers from Zscaler. Director of security research for Zscaler Deepen Desai revealed the attacks in a blog post, claiming the firm spotted it after detecting one of the infected servers.
September 26, 2014

Shellshock-related attacks detected

According to Zscaler’s research team, upon successful exploitation of the CVE-2014-6271 vulnerability, an attacker is able to download and install a malicious ELF binary on the target Linux system. The malware connects to a predetermined Command and Control server on a specific port and awaits further instructions from the attacker.
September 26, 2014

Apple Fills IOS 8 Security Basket to Brim

"Apple has a tendency to perform bulk security patching with OS upgrades, and iOS 8 didn't disappoint," said Michael Sutton, vice president of security research at Zscaler.
September 19, 2014

Scammers tap the power of Facebook to offer ‘free’ iPhones a-plenty

According to Michael Sutton, VP of security research with Zscaler, this particular ‘like harvesting’ scam for the iPhone 6 is quite basic as it is a straightforward social engineering scam.
September 17, 2014

Apple pushes 2FA to iCloud users

Michael Sutton, vice president of security research at Zscaler, said that as the iCloud leak of celebrity photos didn’t occur due to an attack on the iCloud infrastructure, but rather on individual accounts whereby account passwords were successfully brute forced or reset, this was not a timely or reactive addition.
September 17, 2014

New CVE Naming Convention Could Break Vulnerability Management

"It's certainly a sign of the times when Mitre has determined that ten thousand entries simply won't suffice for a given year and has instead moved to a more flexible scheme which allows for an unlimited number of vulnerabilities to be tracked," says Michael Sutton, vice president of security research for Zscaler. "While this will require some relatively minor coding changes for applications that digest CVEs, the pain shouldn't be too great. Mitre has given vendors sufficient warning, providing a full year to make the necessary changes."
September 16, 2014

Salesforce issues advice on avoiding Dyreza attack

"By restricting logins to Salesforce only from corporate networks, Dyre would not be able to access a compromised account externally, although it could still make such a connection from a compromised PC within the enterprise," said Michael Sutton, vice-president of security research at Zscaler.
September 15, 2014

Peter Pan pantomime warning over ticket phishing scam

Researchers from security firm Zscaler reported that the hacker gang behind the notorious Gameover Zeus campaign has returned to action and is attempting to spread a less complex version of the original malware on 2 September.
September 9, 2014

Hackers going Nuclear following Blackhole takedown

Hackers are leveraging the Nuclear exploit to launch a fresh wave of attacks using compromised webpages on a number of popular websites, including Facebook, according to researchers at Zscaler.
September 9, 2014

Feedback Friday: iCloud Accounts of Celebrities Hacked - Industry Reactions

"Whenever a story like this week's 'iCloud hack' hits the headlines, it's inevitably followed by an angry mob demonizing the cloud for reducing security. Let's be clear about one thing - this was not a 'cloud issue'. The breach that took place followed a very basic script that was in use by attackers long before 'cloud' was ever a buzz word. If we believe Apple, there was no compromise of the iCloud infrastructure, but instead, this was 'a very targeted attack on user names, passwords and security questions'.”
September 5, 2014

Home Depot confirms payment data breach investigation

Zscaler VP of security research Michael Sutton said that US retailers like Home Depot and Target could provide their customers with more protection through the use of "chip and PIN", which is used in the UK.
September 3, 2014

Home Depot’s Suspected Breach Adds Security Pressure

The incident raises fresh questions about retailers’ slow adoption of “chip and PIN” technology, which makes cards more secure, said Michael Sutton, vice president of security research for San Jose, California-based cloud-computing company Zscaler Inc.
September 3, 2014

Zscaler Celebrates Record Growth

Jay Chaudhry, chief executive of Zscaler, said: “The world of IT security has undergone tremendous transformation, sparked by the consumerization of the enterprise, mobility, the adoption of cloud computing and the ever-increasing threat landscape.
September 3, 2014

NUDE SELFIE CLOUD PERV menace: Apple 2FA? Sweet FA, more like

Third party security experts told El Reg that Apple had yet to update its technology to address the security weakness in iCloud backups. Michael Sutton, VP of security research at cloud security firm Zscaler, explained: "Apple's two factor authentication (what they refer to as 'Two Step Verification') applies only to a specific set of tasks related to managing your Apple ID account and making purchases.
September 3, 2014

De-evolved Gameover Zeus malware found in spam messages

Director of security research for Zscaler Deepen Desai revealed the campaign in a blog post, reporting that the firm spotted the attack while examining a wave of spam messages being sent from the Cutwail botnet.
September 2, 2014

Following the iCloud hack and resulting leak of celebrity photos, experts say many enterprises 'don't have a clue' that corporate data could also be at risk

Michael Sutton, vice president of security research at San Jose, Calif.-based cloud security vendor Zscaler Inc., said that enterprise security teams must accept that the use of consumerized IT services is a reality, and that the cost savings and productivity boost provided by such services makes it nearly impossible to bar them from being used.
September 2, 2014

Home Depot breach could be as big as Target's

The latest breach appears to have followed the same pattern as previous breaches at Target, Neiman Marcus and P.F. Chang's, said Michael Sutton, vice president of security research at security vendor ZScaler.
September 2, 2014

Heartbleed affecting more than half of the Forbes Global 2000

However, Michael Sutton, VP security research at Zscaler, warned that this will not be the last we hear of Heartbleed. “With an impact the size of Heartbleed, we can be sure that vulnerable machines will be discovered for years to come.”
August 28, 2014

Heartbleed vulnerability is still a threat six months on

“Heartbleed represented an unprecedented challenge for the security community both in terms of impact and reach. The vulnerability is trivially easy to exploit, leaks critical information and impacted a huge portion of the Internet due to the ubiquity of OpenSSL usage. While a significant portion of affected machines were patched in the days following Heartbleed's initial disclosure, the rallying cry has since faded. With an impact the size of Heartbleed, we can be sure that vulnerable machines will be discovered for years to come.”
August 28, 2014

Zscaler Has Analyzed 75,000 Android Apps

The Zscaler blog has put Google Play under the microscope. The blog post focuses on the privacy risks and side effects that users download along with an app when they install it. To this end, 75,000 apps were analyzed with regard to their access permissions.
August 28, 2014

Hackers attack Nuclear Regulatory Commission 3 times in 3 years

“In the cyber era of numerous state-sponsored targeted attacks with the motive of cyber espionage, surveillance, or sabotage, it is not very surprising that Nuclear Regulatory Commission (NRC) has been targeted multiple times,” added Deepen Desai, director of security research for San Jose, Calif.-based Zscaler ThreatLabZ, in an emailed statement.
August 20, 2014

US Nuclear Regulatory Commission successfully hacked three times

"It is extremely concerning that these attacks involved a commonly used technique of spear-phishing,” Deepen Desai, director of security research for Zscaler, said in an email to SC. “The sensitive information of prime interest to some foreign states, makes it very important for organisations like NRC to not only continuously train their employees but also update their training content more frequently. It is also imperative for such organisations to adopt a stronger security policy."
August 20, 2014

US nuclear regulator hacked by foreign parties

The security community has commented on the attack, and Zscaler Threatlabs said that while it is not surprising to see the NRC as a target, it is shocked by the method.
August 20, 2014

Security Risks in SSL Traffic

16% of the malware traffic blocked by Zscaler is hidden in SSL-encrypted traffic. One might mistakenly assume that these are rather harmless variants of malicious code. Unfortunately, exactly the opposite is the case: ZeroAccess attacks, Bitcoin-mining and Kazy Trojans were among the threats detected, as were Black Holes, current ransomware and backdoors. And all of them were transported via SSL traffic.
August 20, 2014

Mobile App Attacks: No Malware, No Problem

Sixty-eight percent of Android apps examined by security researchers required that the user grant permission to send SMS messages, according to Zscaler research. Of that 68 percent, 28 percent also were able to access SMS, putting them in a position to spy on mobile authentication methods.
August 19, 2014

Supervalu Says Hackers May Have Stolen U.S. Customers’ Data

The fact that the Supervalu breach occurred a month ago raises questions about why it took so long to hear about it, said Michael Sutton, vice president of security research at Zscaler Inc.
August 15, 2014

New Zeus Gameover employs novel approach to malware

Michael Sutton, vice president of security research with Zscaler, picked up on Bunker's comments, noting that, whilst the new variants of newGOZ are currently a fraction of the size of their predecessor, the resurgence of the popular malware illustrates the temporary nature of botnet takedown efforts.
August 14, 2014

Yahoo, Google Team Up to Fight Email Snoops

PGP encryption is a little tricky to use, but it might be worth it. "The beauty to a solution like this is the email providers themselves won't have access to the email," said Michael Sutton, vice president of security research at Zscaler. "So if the government came to Yahoo or Google with a court order to see someone's email, they would have to say, 'We can't do that.'"
August 13, 2014

Is the CyberVor Breach Real?

Having a password stolen from a small website that holds little personally identifying information may not sound like a big deal, but the threat is when people use the same password for multiple websites, said Michael Sutton, vice president of security research at Zscaler.
August 13, 2014

The Insecure Encryption; Mathias Widler

IT security specialist Mathias Widler of Zscaler warns of the dangers of insecure Internet encryption. E-mails and web pages encrypted with SSL are by no means secure, says expert Mathias Widler of Zscaler.
August 14, 2014

SSL as a Security Risk: How Modern Malware Hides

Cyber attacks: what we have seen so far is only the tip of the iceberg, that of unencrypted, open and easily inspected traffic. But there is another side: the encrypted side, SSL. It is usually not scanned and harbors plenty of risks. SaaS scanner provider Zscaler shares stories from its day-to-day scanning.
August 14, 2014

The Hyperconnected World Has Arrived

Yes, the ever-expanding attack surface of the Internet of Things is overwhelming. But next-gen security leaders gathered at Black Hat are up to the challenge, according to Zscaler’s Michael Sutton.
August 8, 2014

Security experts baffled by the extent of Russian hack

With 420,000 sites infected, it will be impossible to work with all of the impacted companies and ensure that the vulnerabilities that led to the breaches are ultimately patched. Many will remain vulnerable for some time, if not indefinitely. The attackers crowd sourced the hacking, leveraging botnet infected computers to do the heavy lifting for them and identify sites vulnerable to SQL injection attacks.
August 7, 2014

Russian Gang Steals 1.2 Billion User Credentials in Biggest Ever Hack

“The attackers crowd sourced the hacking, leveraging botnet infected computers to do the heavy lifting for them and identify sites vulnerable to SQL injection attacks,” said Michael Sutton, vice president of security research at Zscaler.
August 6, 2014

Russian hackers steal 1.2 billion web passwords

Michael Sutton, vice president of security research at Zscaler, said that given the huge scale of the attack it was likely many of those attacked will remain vulnerable for some time.
August 6, 2014

Exposed: An inside look at the Magnitude Exploit Kit

"We tend to see higher infection rates in countries where pirated software is more common as software vendors often provide patches only to those customers with a valid license. It's often therefore not that users don't want to upgrade but are unable to and feel that's a reasonable trade off to get free software," explained Michael Sutton, the VP of Security Research for Zscaler.
August 5, 2014

Every USB Device Under Threat. New Hack Is Undetectable And Unfixable

Read-only mode on a USB device implemented via a physical switch would apply to the flash memory where data is stored, not the firmware, so no, such a switch would not prevent the BadUSB threat. While the researchers have yet to reveal the full details of the attack, it presumably requires physical access to the USB device, so any settings on the device could be overridden anyway.
August 1, 2014

The iOS "Backdoor" Confusion: Hysteria, Insults & Finally Debate

"While a 'backdoor' has no universal definition, it is generally deemed to not only allow remote access to a machine but to also be hidden, bypass traditional security controls and be used for nefarious purposes. Given that Apple has at least at a high level, responded to Zdziarski's findings to detail the purpose of the diagnostic tools and they are accessed via documented processes, which require user consent (device pairing), I would not define the services as a backdoor."
July 31, 2014

Hackers Back to Their Old Tricks

Zscaler reports CNN app for iPhone contains vulnerability that allows transmission of passwords in unencrypted form, allowing them to be snatched by network sniffers.
July 30, 2014

Emmental Hackers Pick Holes in Online Banking to Nab Account Details

Zscaler VP of security research, Michael Sutton, argued that Google should restrict Android apps from accessing SMS content. “[‘Read SMS’] is a high risk permission to grant as any app with these privileges can read all incoming SMS content as there is no way to restrict a given SMS message to a specific application,” he said.
July 24, 2014

CNN news app has major security flaw, user data at risk

"Transmissions are sent in clear text (HTTP) and the password is sent unencrypted, along with all other registration/login information," the Zscaler report said.
July 24, 2014

Report: CNN App for iPhone has a security flaw that exposes login info

If you’re a CNN iReporter, we’ve got some important news for you. Zscaler Research has announced that the current version of the CNN App for iPhone includes a dangerous security flaw.
July 23, 2014

Emerging Vendors 2014: Security Vendors

Zscaler was recognized as one of CRN’s Emerging Vendors in security for 2014. The list identifies rising technology vendors introducing new, innovative products that are changing the technology landscape and creating numerous opportunities for channel partners in North America. —By Rick
July 22, 2014

CNN App Leaks Passwords Of Citizen Reporters

According to a Zscaler blog post, the current CNN for iPhone App, Version 2.30 (Build 4948), sends passwords in clear text. According to Zscaler, which observed the behavior using its ZAP tool, a network traffic sniffer, the password is exposed when a user first creates their iReport account and during any subsequent logins to the application.
July 22, 2014

CNN app sends passwords unencrypted over the internet

This concerns photos, videos and text that are added to a CNN article. To create an iReport account, users must provide an e-mail address, username and password. Users can also enter their real name and phone number. When logging in to iReport, the credentials are sent unencrypted, according to researchers at Zscaler. According to the researchers, this is a particular problem because news reports can also be submitted anonymously through the iReport feature.
July 22, 2014

Mobile Threat Monday: CNN iPhone App Exposes Identities of iReport Citizen Reporters

This week, security company Zscaler reveals an issue in CNN's iPhone app that allows an attacker to obtain the login information for users of the citizen journalist iReporter feature.
July 21, 2014

38 percent of all iOS apps still access the UDID

Zscaler expressly points out that, unlike other comparable studies, it did not limit itself to checking whether an app could in principle perform certain functions, but whether it actually does so. However, this required jailbreaking the iPhones used for the test; otherwise the experts would not have gained the necessary insight.
July 21, 2014

Android apps remain far too intrusive, according to Zscaler

According to security vendor Zscaler, the business model of Android apps is based on an advertising system that is far too intrusive.
July 17, 2014

Whoah! How many Google Play apps want to read your texts?

Zscaler analysed more than 75,000 apps from the Google Play store in order to find out the permissions that are commonly requested by the apps at the time of installation.
July 16, 2014

Android And Windows Phone To Get A Mobile ‘Kill Switch’

Zscaler comments on “kill switches” for Android and Windows phones, noting that “Kill switches are not a foolproof plan as thieves could still sell stolen devices for parts, but it does reduce the overall value of the device for the criminal.”
June 20, 2014

Don't be a World Cup loser online: give football cyber-scammers the boot

Cyber-scams abound during the World Cup and Zscaler offers tips for how to protect yourself.
June 12, 2014

Edward Snowden: One Year On - History Will Decide if Whistleblower is Hero or Villain

One year after Edward Snowden released files showing mass surveillance by the NSA, security experts weigh in on the implications for privacy and security.
June 5, 2014

DARPA Contest Aims to Create Self-Defending Networks

Zscaler’s Michael Sutton comments on the DARPA contest designed to create self-defending networks, and notes that “While companies and academic researchers have created components of self-healing networks and biologically inspired digital immune systems, no one has succeeded in creating a fully automated system.”
June 3, 2014

Asprox Botnet Targets Snail Mail Users

InfoSecurity publishes Zscaler’s analysis of a botnet named Asprox, which forwards messages that are supposedly from USPS in order to get victims to click on a link.
June 2, 2014

Emerging products: Cloud security

SC Magazine reviews the Zscaler Internet security platform, noting “Zscaler is, in my view, a secure data center in the cloud. That is saying a lot, but Zscaler delivers and has been since 2008.”
June 2, 2014

Zscaler Security Cloud Product Review

This is another service that forces users through the cloud instead of direct access to the organization's internet portal. However, in this case it is not just a content delivery issue for a website with which we are concerned - outside-in access, so-to-speak. Rather it is outward-looking in that it is the organizations' employees, not its customers, who get the advantage. Zscaler is, in my view, a secure data center in the cloud. That is saying a lot, but Zscaler delivers and has been since 2008.
June 2, 2014

Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation

Zscaler’s Michael Sutton comments on the NEWSCASTER attacks by Iran.
May 29, 2014


Zscaler’s CEO discusses alternatives to MPLS. “Is MPLS really dead? It’s not, but its peak is over," said Jay Chaudhry, founder and CEO of Zscaler, who estimated half of MPLS traffic will move to alternatives within five years.
May 28, 2014

iDevice ransomware stalks OZ, demands payoff

Michael Sutton, Zscaler VP of Security Research, offers advice for Apple iOS users in Australia who found their devices held for ransom.
May 27, 2014

EBay, hit by a cyber attack, urges 145 million users to change passwords

Zscaler weighs in on cyber attack that led eBay to encourage 145 million users to change their passwords.
May 21, 2014

Cyber spies in disguise: Nation-state

Commenting on cyber espionage among nation-states, Sutton says the best thing organizations can do to protect themselves against foreign predators is to share information, despite the natural competitive instinct to keep things quiet.
May 01, 2014

Fave Raves: 33 tech pros share their favorite IT products

Why it's a favorite: “As BAT operates in 186 countries, BAT’s gateways had evolved over time to consist of 40 different Internet gateways with products from various vendors. In response to the non-standard environment, BAT had a locked-down approach to Internet browsing. This created user dissatisfaction, which was aggravated by the high latency resulting from the need to VPN into the BAT infrastructure and the associated back-hauling of Internet traffic. With Zscaler, users can go direct to the internet without VPN-ing into the office infrastructure with user traffic being routed to the closest node in the Zscaler’s network. This provides a fast user experience with near zero traffic latency and has enabled BAT to provide methods to ‘protect’ BYOD.”
April 24, 2014

NSA Said to Exploit Heartbleed Bug for Intelligence for Years

“We’ve never seen any quite like this,” said Michael Sutton, vice president of security research at Zscaler, a San Jose, California-based security firm. “Not only is a huge portion of the Internet impacted, but the damage that can be done, and with relative ease, is immense.”
April 11, 2014

Zscaler dreams of 'Shift'-ing routing to the cloud

Shift is the latest innovation from Jay and the folks at Zscaler. Patrick Foxhoven, VP and CTO of Emerging Technology at the company, said Shift represents a move to intelligent routing. While it offers many advantages, the real benefit of Shift for Foxhoven is that it allows Zscaler to offer its world-class security offering to a whole new class of organizations that perhaps couldn't have afforded it before. Shift is targeted and priced for midmarket and SMBs.
March 19, 2014

EA games web server hacked to host phishing website

Michael Sutton, from security research firm Zscaler, said that hackers using legitimate websites to host malicious content was now the norm. "Social engineering attacks always involve an element of communication - the victim must be tricked into performing an action such as providing data, clicking on a link, downloading a file, et cetera. Attackers have learned that it's far easier to simply infect an already popular web property than to attempt communication with victims directly," he said.
March 19, 2014

Fiber Optics Wins, Routing Loses in Needham Cloud Think Piece

The shift to cloud-centric delivery models is also driving the rapid emergence and the massively disruptive transition to Network as a Service (NaaS) platforms. Perhaps the best example of this is Zscaler, but there are numerous companies such as Cloudflare, Aryaka and Pertino positioning into the NaaS market. We recently caught up with Zscaler at the RSA security trade show.
March 17, 2014

Energy Watering Hole Attack Used LightsOut Exploit Kit

The attack, which was active during late February according to researchers at Zscaler, follows a familiar pattern seen in many other such attacks. It began with the compromise of a law firm’s site at 39essex[.]com and when users hit the site, they were redirected to a third-party site, which hosted the exploit kit. When victims visited the second compromised site hosting the kit, it performed a number of diagnostic tests on the user’s browser to see what sort of exploits should be delivered.
March 13, 2014

Security Services Cater To SMBs

Cloud security firm Zscaler, for example, is beta-testing a slimmed-down version, dubbed SHIFT, of its enterprise security offering, limiting the dashboard to a single page and aiming to get companies "up and running in 5 minutes or less."
March 11, 2014

Less than zero: Zero-day vulnerabilities

Michael Sutton, vice president of security research for Zscaler, says the landscape for zero-day vulnerabilities has evolved significantly in recent years as software makers, Microsoft in particular, have gotten increasingly better about putting out patches, and organizations have become more adept at shortening the patch cycle. Instead, it's no longer the “low-hanging fruit” of simple vulnerabilities, Sutton says. “It's not getting worse so much in terms of sheer volume, it's the severity of the threats and the length of time they are taking to come to the surface to get to where a vendor can address them,” Sutton says.
March 3, 2014

Six things companies do that thwart their IT security efforts

A comprehensive approach to IT security includes prevention, detection and remediation. Most companies spend 90% of their security budget on prevention in the belief that they should focus on stopping or preventing attacks in the first place. From his position with the Zscaler ThreatLabz, Sutton can see that most companies are already infected to some degree. “Of course we want to protect and defend against attacks before they affect us if at all possible, but we absolutely can’t ignore the detection side or the remediation side,” says Sutton. “We know we’re going to get some infections and we need to limit that damage as quickly as possible and isolate the problem and do the appropriate remediation steps. Enterprises need to adopt that focus.”
February 28, 2014

Don't Threaten Me: 10 Of The Hottest Security Updates From RSA Conference

Cloud security vendor Zscaler said it has created a joint product with communications services provider BT aimed at addressing mobile security risks. The BT Assure Threat Monitoring service will support real-time threat monitoring from the Zscaler Global Security Cloud. The joint products integrate Zscaler Web logs with BT’s service to provide monitoring, data analysis and regulatory compliance.
February 26, 2014

Will software eat the security industry?

Well, the first day of RSA week is in the books and things are off to a rousing start. My day started early today as I was the moderator of a great panel at the Americas Growth Capital Conference. My panel was on Security Automation. Panel members were Jay Chaudhry of Zscaler, Marty Roesch of Cisco/Sourcefire, John Summers of Akamai, Marc Willebeek-LeMair of Click Security and Rajat Bhargava of JumpCloud.
February 25, 2014

For BYOD-SaaS security, consider established IT security controls

Moderator Jay Chaudhry, CEO of vendor Zscaler, said that tactic needs to be modified to account for the distributed access demands of an organization that broadly uses cloud applications. He mentioned that one Zscaler customer with 150,000 employees in more than 100 countries suddenly realized its gateway strategy wasn't working when it implemented SaaS applications and backhauled its traffic to just four gateways, grinding activity to a halt.
February 25, 2014

Target, Neiman Marcus and other security breaches: organized crime?

While the Target theft and others like it may be the work of organized crime, Sutton explains, it's not necessarily the same group: “I think that we're seeing the tip of the iceberg here. Because yes, Target was the first and now we're starting to see other retailers, Neiman Marcus, Michael's have also stepped forward.”
February 25, 2014

Hot, new products from RSA

Advances Internet security with intelligent routing that automatically applies adaptive security and policy to dynamic Internet threats, enabling global protection and visibility in minutes through a cloud-based service.
February 24, 2014

Samsung's Knox smartphone security integrated with Zscaler cloud

Samsung’s Knox mobile security platform has bolstered its status as the emerging standard in mobile enterprise device security by inking a deal with Zscaler to integrate its technology with the software.
February 24, 2014

Zscaler Shifts to DNS to Protect Enterprises

While larger companies have the ability to deploy DNS servers in their internal networks, cloud services have quickly begun offering much of the flexibility of internal configurations while delivering on a passel of security features as well, says Patrick Foxhoven, chief technology officer for cloud security firm Zscaler.
February 21, 2014

The top 10 cloud-based security tools to protect your network in a hurry

These security services aren’t the same as an on-premise firewall that watches the network from a physical appliance attached in your data center. But these products promise to protect you from malware, help you keep track of who signs into your network, monitor all your other cloud applications such as Salesforce and Google Docs, and more.
January 30, 2014

The 20 Coolest Cloud Security Vendors Of The 2014 Cloud 100

Zscaler specializes in providing a fully SaaS-based antivirus, vulnerability management and user activity control for Web, email and mobile devices. The company recently added suspicious file analysis capabilities to its cloud-based security platform to detect advanced threats. It also rolled out Zscaler for Office 365 deployments that it says will provide protection without impacting performance.
January 29, 2014

Google+, 'Candy Crush' Show Risk of World's Leakiest Apps: Tech

“Privacy is dead in the digital world that we live in,” said Michael Sutton, vice president of security research at San Jose, California-based Zscaler. “I tell people, unless you are comfortable putting that statement on a billboard in Times Square and having everyone see it, I would not share that information digitally.”
January 29, 2014

Zscaler predicts big security challenges ahead for 2014

In a nutshell, Zscaler sees these two major trends – the evolution of advanced threats and the complexity of cloud and mobile environments – increasingly intersect. In particular, there are five areas (below) that information security practitioners should be considering as they take on challenges in the new year.
January 21, 2013

Spying reforms seek to balance privacy, security

Michael Sutton, a cybersecurity analyst from Zscaler, noted that few of the other recommendations from the presidential advisory panel were adopted. "Those that were, ended up being watered down," Sutton says. "For example, rather than adding a permanent public advocate to the FISA court, he instead noted that 'significant cases' before the FISA court would also go to an independent panel for review."
January 17, 2013

Six Ways that Most Companies Shortchange Their Enterprise Security

I recently had a conversation with Michael Sutton, vice president of security research for Zscaler and head of Zscaler ThreatLabZ. We talked about where many organizations are falling short today in defending against current threats and especially the more dangerous advanced persistent threats. I’ve singled out six common shortcomings that Sutton sees among most companies today.
January 14, 2014

Leahy seeks criminal penalty for attempted hacking

Zscaler senior researcher Michael Sutton says SMS Tracker, in essence, functions as spyware. While the vendor is promoting the app's usefulness to parents who want to monitor their kids' online activities, it could also be surreptitiously downloaded to someone's device and used as a "very effective tool for spying."
January 10, 2013
