In the News

Read what the experts are saying about Zscaler

Hackers attack Nuclear Regulatory Commission 3 times in 3 years

“In the cyber era of numerous state-sponsored targeted attacks with the motive of cyber espionage, surveillance, or sabotage, it is not very surprising that Nuclear Regulatory Commission (NRC) has been targeted multiple times,” added Deepen Desai, director of security research for San Jose, Calif.-based Zscaler ThreatLabZ, in an emailed statement.
August 20, 2014

US Nuclear Regulatory Commission successfully hacked three times

"It is extremely concerning that these attacks involved a commonly used technique of spear-phishing,” Deepen Desai, director of security research for Zscaler, said in an email to SC. “The sensitive information of prime interest to some foreign states, makes it very important for organisations like NRC to not only continuously train their employees but also update their training content more frequently. It is also imperative for such organisations to adopt a stronger security policy."
August 20, 2014

US nuclear regulator hacked by foreign parties

The security community has commented on the attack, and Zscaler Threatlabs said that while it is not surprising to see the NRC as a target, it is shocked by the method.
August 20, 2014

Security Risks in SSL Traffic

16% of the malware traffic blocked by Zscaler is hidden in SSL-encrypted traffic. One might wrongly assume that these are rather harmless variants of malicious code. Unfortunately, exactly the opposite is the case: ZeroAccess attacks, Bitcoin-mining and Kazy Trojans were among the malware detected, as were Black Holes, current ransomware and backdoors. And all of them were transported via SSL traffic.
August 20, 2014

Mobile App Attacks: No Malware, No Problem

Sixty-eight percent of Android apps examined by security researchers required that the user grant permission to send SMS messages, according to Zscaler research. Of that 68 percent, 28 percent also were able to access SMS, putting them in a position to spy on mobile authentication methods.
August 19, 2014

Supervalu Says Hackers May Have Stolen U.S. Customers’ Data

The fact that the Supervalu breach occurred a month ago raises questions about why it took so long to hear about it, said Michael Sutton, vice president of security research at Zscaler Inc.
August 15, 2014

New Zeus Gameover employs novel approach to malware

Michael Sutton, vice president of security research with Zscaler, picked up on Bunker's comments, noting that, whilst the new variants of newGOZ are currently a fraction of the size of their predecessor, the resurgence of the popular malware illustrates the temporary nature of botnet takedown efforts.
August 14, 2014

Yahoo, Google Team Up to Fight Email Snoops

PGP encryption is a little tricky to use, but it might be worth it. "The beauty to a solution like this is the email providers themselves won't have access to the email," said Michael Sutton, vice president of security research at Zscaler. "So if the government came to Yahoo or Google with a court order to see someone's email, they would have to say, 'We can't do that.'"
August 13, 2014

Is the CyberVor Breach Real?

Having a password stolen from a small website that holds little personally identifying information may not sound like a big deal, but the threat is when people use the same password for multiple websites, said Michael Sutton, vice president of security research at Zscaler.
August 13, 2014

Insecure Encryption; Mathias Widler

IT security specialist Mathias Widler of Zscaler warns of the dangers of insecure Internet encryption. E-mails and websites encrypted with SSL are by no means secure, says expert Mathias Widler of Zscaler.
August 14, 2014

Security Risk SSL: How Modern Malware Hides

Cyberattacks: what we have seen so far is only the tip of the iceberg, that of unencrypted, open and easily visible traffic. But there is another side: the encrypted side, SSL. It is usually not scanned and harbors plenty of risks. SaaS scanner vendor Zscaler shares insider stories from its daily scanning work.
August 14, 2014

The Hyperconnected World Has Arrived

Yes, the ever-expanding attack surface of the Internet of Things is overwhelming. But next-gen security leaders gathered at Black Hat are up to the challenge, according to Zscaler’s Michael Sutton.
August 8, 2014

Security experts baffled by the extent of Russian hack

With 420,000 sites infected, it will be impossible to work with all of the impacted companies and ensure that the vulnerabilities that led to the breaches are ultimately patched. Many will remain vulnerable for some time, if not indefinitely. The attackers crowd sourced the hacking, leveraging botnet infected computers to do the heavy lifting for them and identify sites vulnerable to SQL injection attacks.
August 7, 2014

Russian Gang Steals 1.2 Billion User Credentials in Biggest Ever Hack

“The attackers crowd sourced the hacking, leveraging botnet infected computers to do the heavy lifting for them and identify sites vulnerable to SQL injection attacks,” said Michael Sutton, vice president of security research at Zscaler.
August 6, 2014

Russian hackers steal 1.2 billion web passwords

Michael Sutton, vice president of security research at Zscaler, said that given the huge scale of the attack it was likely many of those attacked will remain vulnerable for some time.
August 6, 2014

Exposed: An inside look at the Magnitude Exploit Kit

"We tend to see higher infection rates in countries where pirated software is more common as software vendors often provide patches only to those customers with a valid license. It's often therefore not that users don't want to upgrade but are unable to and feel that's a reasonable trade off to get free software," explained Michael Sutton, the VP of Security Research for Zscaler.
August 5, 2014

Every USB Device Under Threat. New Hack Is Undetectable And Unfixable

Read-only mode on a USB device implemented via a physical switch would apply to the flash memory where data is stored, not the firmware, so no, such a switch would not prevent the BadUSB threat. While the researchers have yet to reveal the full details of the attack, it presumably requires physical access to the USB device, so any settings on the device could be overridden anyway.
August 1, 2014

The iOS "Backdoor" Confusion: Hysteria, Insults & Finally Debate

"While a 'backdoor' has no universal definition, it is generally deemed to not only allow remote access to a machine but to also be hidden, bypass traditional security controls and be used for nefarious purposes. Given that Apple has at least at a high level, responded to Zdziarski's findings to detail the purpose of the diagnostic tools and they are accessed via documented processes, which require user consent (device pairing), I would not define the services as a backdoor."
July 31, 2014

Hackers Back to Their Old Tricks

Zscaler reports CNN app for iPhone contains vulnerability that allows transmission of passwords in unencrypted form, allowing them to be snatched by network sniffers.
July 30, 2014

Emmental Hackers Pick Holes in Online Banking to Nab Account Details

Zscaler VP of security research, Michael Sutton, argued that Google should restrict Android apps from accessing SMS content. “[‘Read SMS’] is a high risk permission to grant as any app with these privileges can read all incoming SMS content as there is no way to restrict a given SMS message to a specific application,” he said.
July 24, 2014

CNN news app has major security flaw, user data at risk

"Transmissions are sent in clear text (HTTP) and the password is sent unencrypted, along with all other registration/login information," the Zscaler report said.
July 24, 2014

Report: CNN App for iPhone has a security flaw that exposes login info

If you’re a CNN iReporter, we’ve got some important news for you. Zscaler Research has announced that the current version of the CNN App for iPhone includes a dangerous security flaw.
July 23, 2014

Emerging Vendors 2014: Security Vendors

Zscaler was recognized as one of CRN’s Emerging Vendors in security for 2014. The list identifies rising technology vendors introducing new, innovative products that are changing the technology landscape and creating numerous opportunities for channel partners in North America. —By Rick
July 22, 2014

CNN App Leaks Passwords Of Citizen Reporters

According to a zScaler blog post, the current CNN for iPhone App, Version 2.30 (Build 4948), sends passwords in clear text. According to zScaler, which observed the behavior using its ZAP tool, a network traffic sniffer, the password is exposed when a user first creates their iReport account and during any subsequent logins to the application.
July 22, 2014

CNN App Sends Passwords Unencrypted over the Internet

This concerns photos, videos and text that are added to a CNN article. To create an iReport account, users must provide an e-mail address, username and password. Users can also enter their real name and telephone number. During login to iReport, the login credentials are sent unencrypted, according to researchers at Zscaler. According to the researchers, this is a problem in particular because news reports can also be submitted anonymously via the iReport feature.
July 22, 2014

Mobile Threat Monday: CNN iPhone App Exposes Identities of iReport Citizen Reporters

This week, security company Zscaler reveals an issue in CNN's iPhone app that allows an attacker to obtain the login information for users of the citizen journalist iReporter feature.
July 21, 2014

38 Percent of All iOS Apps Still Access the UDID

Zscaler expressly points out that, unlike other comparable studies, it did not limit itself to checking whether an app could in principle perform certain functions, but checked whether it actually does so. This did, however, require jailbreaking the iPhones used for the test; otherwise the experts would not have gained the necessary insight.
July 21, 2014

Android Applications Remain Far Too Intrusive, According to Zscaler

According to security vendor Zscaler, the business model of Android applications is based on an advertising system that is far too intrusive.
July 17, 2014

Whoah! How many Google Play apps want to read your texts?

Zscaler analysed more than 75,000 apps from the Google Play store in order to find out the permissions that are commonly requested by the apps at the time of installation.
July 16, 2014

Android And Windows Phone To Get A Mobile ‘Kill Switch’

Zscaler comments on “kill switches” for Android and Windows phones, noting that “Kill switches are not a foolproof plan as thieves could still sell stolen devices for parts, but it does reduce the overall value of the device for the criminal.”
June 20, 2014

Don't be a World Cup loser online: give football cyber-scammers the boot

Cyber-scams abound during the World Cup and Zscaler offers tips for how to protect yourself.
June 12, 2014

Edward Snowden: One Year On - History Will Decide if Whistleblower is Hero or Villain

One year after Edward Snowden released files showing mass surveillance by the NSA, security experts weigh in on the implications for privacy and security.
June 5, 2014

DARPA Contest Aims to Create Self-Defending Networks

Zscaler’s Michael Sutton comments on the DARPA contest designed to create self-defending networks, and notes that “While companies and academic researchers have created components of self-healing networks and biologically inspired digital immune systems, no one has succeeded in creating a fully automated system.”
June 3, 2014

Asprox Botnet Targets Snail Mail Users

InfoSecurity publishes Zscaler’s analysis of a botnet named Asprox, which forwards messages that are supposedly from USPS in order to get victims to click on a link.
June 2, 2014

Emerging products: Cloud security

SC Magazine reviews the Zscaler Internet security platform, noting “Zscaler is, in my view, a secure data center in the cloud. That is saying a lot, but Zscaler delivers and has been since 2008.”
June 2, 2014

Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation

Zscaler’s Michael Sutton comments on the NEWSCASTER attacks by Iran.
May 29, 2014

IS MPLS DEAD?

Zscaler’s CEO discusses alternatives to MPLS. “Is MPLS really dead? It’s not, but its peak is over,” said Jay Chaudhry, founder and CEO of Zscaler, who estimated half of MPLS traffic will move to alternatives within five years.
May 28, 2014

iDevice ransomware stalks OZ, demands payoff

Michael Sutton, Zscaler VP of Security Research, offers advice for Apple iOS users in Australia who found their devices held for ransom.
May 27, 2014

EBay, hit by a cyber attack, urges 145 million users to change passwords

Zscaler weighs in on cyber attack that led eBay to encourage 145 million users to change their passwords.
May 21, 2014

Cyber spies in disguise: Nation-state

Commenting on cyber espionage among nation-states, Sutton says the best thing organizations can do to protect themselves against foreign predators is to share information, despite the natural competitive instinct to keep things quiet.
May 01, 2014

Fave Raves: 33 tech pros share their favorite IT products

Why it's a favorite: “As BAT operates in 186 countries, BAT’s gateways had evolved over time to consist of 40 different Internet gateways with products from various vendors. In response to the non-standard environment, BAT had a locked-down approach to Internet browsing. This created user dissatisfaction, which was aggravated by the high latency resulting from the need to VPN into the BAT infrastructure and the associated back-hauling of Internet traffic. With Zscaler, users can go direct to the internet without VPN-ing into the office infrastructure with user traffic being routed to the closest node in the Zscaler’s network. This provides a fast user experience with near zero traffic latency and has enabled BAT to provide methods to ‘protect’ BYOD.”
April 24, 2014

NSA Said to Exploit Heartbleed Bug for Intelligence for Years

“We’ve never seen any quite like this,” said Michael Sutton, vice president of security research at Zscaler, a San Jose, California-based security firm. “Not only is a huge portion of the Internet impacted, but the damage that can be done, and with relative ease, is immense.”
April 11, 2014

Zscaler dreams of 'Shift'-ing routing to the cloud

Shift is the latest innovation from Jay and the folks at Zscaler. Patrick Foxhoven, VP and CTO of Emerging Technology at the company, said Shift represents a move to intelligent routing. While it offers many advantages, the real benefit of Shift for Foxhoven is that it allows Zscaler to offer its world-class security offering to a whole new class of organizations that perhaps couldn't have afforded it before. Shift is targeted and priced for midmarket and SMBs.
March 19, 2014

EA games web server hacked to host phishing website

Michael Sutton, from security research firm Zscaler, said that hackers using legitimate websites to host malicious content was now the norm. "Social engineering attacks always involve an element of communication - the victim must be tricked into performing an action such as providing data, clicking on a link, downloading a file, et cetera. Attackers have learned that it's far easier to simply infect an already popular web property than to attempt communication with victims directly," he said.
March 19, 2014

Fiber Optics Wins, Routing Loses in Needham Cloud Think Piece

The shift to cloud-centric delivery models is also driving the rapid emergence and the massively disruptive transition to Network as a Service (NaaS) platforms. Perhaps the best example of this is Zscaler, but there are numerous companies such as Cloudflare, Aryaka and Pertino positioning into the NaaS market. We recently caught up with Zscaler at the RSA security trade show.
March 17, 2014

Energy Watering Hole Attack Used LightsOut Exploit Kit

The attack, which was active during late February according to researchers at Zscaler, follows a familiar pattern seen in many other such attacks. It began with the compromise of a law firm’s site at 39essex[.]com and when users hit the site, they were redirected to a third-party site, which hosted the exploit kit. When victims visited the second compromised site hosting the kit, it performed a number of diagnostic tests on the user’s browser to see what sort of exploits should be delivered.
March 13, 2014

Security Services Cater To SMBs

Cloud security firm Zscaler, for example, is beta-testing a slimmed-down version, dubbed SHIFT, of its enterprise security offering, limiting the dashboard to a single page and aiming to get companies "up and running in 5 minutes or less."
March 11, 2014

Less than zero: Zero-day vulnerabilities

Michael Sutton, vice president of security research for Zscaler, says the landscape for zero-day vulnerabilities has evolved significantly in recent years as software makers, Microsoft in particular, have gotten increasingly better about putting out patches, and organizations have become more adept at shortening the patch cycle. Instead, it's no longer the “low-hanging fruit” of simple vulnerabilities, Sutton says. “It's not getting worse so much in terms of sheer volume, it's the severity of the threats and the length of time they are taking to come to the surface to get to where a vendor can address them,” Sutton says.
March 3, 2014

Six things companies do that thwart their IT security efforts

A comprehensive approach to IT security includes prevention, detection and remediation. Most companies spend 90% of their security budget on prevention in the belief that they should focus on stopping or preventing attacks in the first place. From his position with the Zscaler ThreatLabz, Sutton can see that most companies are already infected to some degree. “Of course we want to protect and defend against attacks before they affect us if at all possible, but we absolutely can’t ignore the detection side or the remediation side,” says Sutton. “We know we’re going to get some infections and we need to limit that damage as quickly as possible and isolate the problem and do the appropriate remediation steps. Enterprises need to adopt that focus.”
February 28, 2014

Don't Threaten Me: 10 Of The Hottest Security Updates From RSA Conference

Cloud security vendor Zscaler said it has created a joint product with communications services provider BT aimed at addressing mobile security risks. The BT Assure Threat Monitoring service will support real-time threat monitoring from the Zscaler Global Security Cloud. The joint products integrate Zscaler Web logs with BT’s service to provide monitoring, data analysis and regulatory compliance.
February 26, 2014

Will software eat the security industry?

Well, the first day of RSA week is in the books and things are off to a rousing start. My day started early today as I was the moderator of a great panel at the Americas Growth Capital Conference. My panel was on Security Automation. Panel members were Jay Chaudhry of Zscaler, Marty Roesch of Cisco/Sourcefire, John Summers of Akamai, Marc Willebeek-LeMair of Click Security and Rajat Bhargava of JumpCloud.
February 25, 2014

For BYOD-SaaS security, consider established IT security controls

Moderator Jay Chaudhry, CEO of vendor Zscaler, said that tactic needs to be modified to account for the distributed access demands of an organization that broadly uses cloud applications. He mentioned that one Zscaler customer with 150,000 employees in more than 100 countries suddenly realized its gateway strategy wasn't working when it implemented SaaS applications and backhauled its traffic to just four gateways, grinding activity to a halt.
February 25, 2014

Target, Neiman Marcus and other security breaches: organized crime?

While the Target theft and others like it may be the work of organized crime, Sutton explains, it's not necessarily the same group: “I think that we're seeing the tip of the iceberg here. Because yes, Target was the first and now we're starting to see other retailers, Neiman Marcus, Michael's have also stepped forward.”
February 25, 2014

Hot, new products from RSA

Advances Internet security with intelligent routing that automatically applies adaptive security and policy to dynamic Internet threats, enabling global protection and visibility in minutes through a cloud based service
February 24, 2014

Samsung's Knox smartphone security integrated with Zscaler cloud

Samsung’s Knox mobile security platform has bolstered its status as the emerging standard in mobile enterprise device security by inking a deal with Zscaler to integrate its technology with the software.
February 24, 2014

Zscaler Shifts to DNS to Protect Enterprises

While larger companies have the ability to deploy DNS servers in their internal networks, cloud services have quickly begun offering much of the flexibility of internal configurations while delivering on a passel of security features as well, says Patrick Foxhoven, chief technology officer for cloud security firm Zscaler.
February 21, 2014

The top 10 cloud-based security tools to protect your network in a hurry

These security services aren’t the same as an on-premise firewall that watches the network from a physical appliance attached in your data center. But these products promise to protect you from malware, help you keep track of who signs into your network, monitor all your other cloud applications such as Salesforce and Google Docs, and more.
January 30, 2014

The 20 Coolest Cloud Security Vendors Of The 2014 Cloud 100

Zscaler specializes in providing a fully SaaS-based antivirus, vulnerability management and user activity control for Web, email and mobile devices. The company recently added suspicious file analysis capabilities to its cloud-based security platform to detect advanced threats. It also rolled out Zscaler for Office 365 deployments that it says will provide protection without impacting performance.
January 29, 2014

Google+, 'Candy Crush' Show Risk of World's Leakiest Apps: Tech

“Privacy is dead in the digital world that we live in,” said Michael Sutton, vice president of security research at San Jose, California-based Zscaler. “I tell people, unless you are comfortable putting that statement on a billboard in Times Square and having everyone see it, I would not share that information digitally.”
January 29, 2014

Zscaler predicts big security challenges ahead for 2014

In a nutshell, Zscaler sees these two major trends – the evolution of advanced threats and the complexity of cloud and mobile environments – increasingly intersect. In particular, there are five areas (below) that information security practitioners should be considering as they take on challenges in the new year.
January 21, 2013

Spying reforms seek to balance privacy, security

Michael Sutton, a cybersecurity analyst from Zscaler, noted that few of the other recommendations from the presidential advisory panel were adopted. "Those that were, ended up being watered down," Sutton says. "For example, rather than adding a permanent public advocate to the FISA court, he instead noted that 'significant cases' before the FISA court would also go to an independent panel for review."
January 17, 2013

Six Ways that Most Companies Shortchange Their Enterprise Security

I recently had a conversation with Michael Sutton, vice president of security research for Zscaler and head of Zscaler ThreatLabZ. We talked about where many organizations are falling short today in defending against current threats and especially the more dangerous advanced persistent threats. I’ve singled out six common shortcomings that Sutton sees among most companies today.
January 14, 2014

Leahy seeks criminal penalty for attempted hacking

Zscaler senior researcher Michael Sutton says SMS Tracker, in essence, functions as spyware. While the vendor is promoting the app's usefulness to parents who want to monitor their kids' online activities, it could also be surreptitiously downloaded to someone's device and used as a "very effective tool for spying."
January 10, 2013
