Category Archives for "Network World Security"

Brinks safe — with a USB port — proves easy hacking for security researchers

“Every step of the way, we were like, ‘This can’t be possible.’”

Yet this – opening a Brinks CompuSafe Galileo using its standard USB port, a keyboard and 100 lines of code – was most definitely possible for a pair of security researchers, Daniel Petro and Oscar Salazar, who work for the IT security consulting company Bishop Fox.

From an IDG News Service story on our site: They bought a Galileo CompuSafe on eBay. The most egregious problem they found is a fully functional USB port on the side of the safe. That allowed them to plug in a keyboard and a mouse, which worked.

MetalCaptcha: Free service uses metal band logos as CAPTCHAs

Hacker News had me laughing today as a company called HeavyGifts took a joke and turned it into a real and free product by using metal band logos as CAPTCHAs. Unless there is another computer virus based on weaponizing heavy metal, such as the malware reported to F-Secure’s Mikko Hypponen by an Iranian nuclear scientist after AC/DC’s Thunderstruck was allegedly blasting from workstations in the middle of the night, when else can I write about metal music?

IDG Contributor Network: Software vulnerabilities hit a record high in 2014, report says

How safe is the software you use? Do you have a system in place to identify vulnerabilities and patch them when they are discovered? How quickly do you react to vulnerability reports? There's evidence that software vulnerabilities are on the rise, and few companies are taking the necessary action to combat them.

There was some worrying news in the recent Secunia Vulnerability Review 2015. The number of recorded vulnerabilities hit a record high of 15,435 last year, up 18% from 2013. The vulnerability count has increased 55% in the last five years. The report also found a rise in the number of zero-day vulnerabilities, with 20 being uncovered in the 50 most popular programs. These are vulnerabilities that have already been exploited by hackers before being made public or being patched.

Xen patches new virtual-machine escape vulnerability

A new vulnerability in emulation code used by the Xen virtualization software can allow attackers to bypass the critical security barrier between virtual machines and the host operating systems they run on.

The vulnerability is located in the CD-ROM drive emulation feature of QEMU, an open source hardware emulator that’s used by Xen, KVM and other virtualization platforms. The flaw is tracked as CVE-2015-5154 in the Common Vulnerabilities and Exposures database.

The Xen Project released patches for its supported releases Monday and noted that all Xen systems running x86 HVM guests without stubdomains and which have been configured with an emulated CD-ROM drive model are vulnerable.

Security researchers take aim at Roku streaming media players

If you are sick of your ever-increasing cable bill, have you considered becoming a cord cutter? If you spent a bundle on your TVs but they aren't smart TVs, you likely aren't planning to abandon them. PCMag has a decent cord cutter's guide; for folks without a smart TV, TechHive's media streamer buyers' guide compared Amazon Fire TV, Apple TV, Google Chromecast, Nvidia Shield Android TV, and Roku 3 before recommending Roku 3 "as the best all-around option." TechHive explained:

Most Android phones can be hacked with a simple MMS message or multimedia file

The vast majority of Android phones can be hacked by sending them a specially crafted multimedia message (MMS), a security researcher has found.

The scary exploit, which only requires knowing the victim’s phone number, was developed by Joshua Drake, vice president of platform research and exploitation at mobile security firm Zimperium.

Drake found multiple vulnerabilities in a core Android component called Stagefright that’s used to process, play and record multimedia files. Some of the flaws allow for remote code execution and can be triggered when receiving an MMS message, downloading a specially crafted video file through the browser or opening a Web page with embedded multimedia content.

Predicting winners and losers in the EMV rollout

We're just a couple months shy of the big EMV liability shift. That’s when companies that don't accept chip-enabled debit and credit cards take on financial responsibility for hacks and fraud.

But who's ready? Who's not? And who will come out ahead when that October 1 deadline rolls around?

"We operate a very large, diversified, complex payments ecosystem in the U.S.," says Randy Vanderhoof, director of the EMV Migration Forum. "We have thousands of issuers of payment cards. We have millions of merchant retailers and tens of millions of point of sale devices that all need to be upgraded and changed to support EMV."

The Upload: Your tech news briefing for Monday, July 27

Facebook prevails in shareholder lawsuit over IPO

You have to own stock to participate in a shareholder class action lawsuit, an appeals court has ruled, confirming an earlier Manhattan district court ruling. The case brought by Facebook shareholders accused the company of withholding key financial information from the public until after its IPO. Circuit Judge Dennis Jacobs said that because the shareholders weren’t owners of Facebook stock at the time the sales information wasn’t disclosed, they had no legal standing to sue.

US Census Bureau says breach didn’t expose household data

The U.S. Census Bureau said a data breach early last week did not expose survey data it collects on households and businesses.

The leak came from a database belonging to the Federal Audit Clearinghouse, which collects audit reports from government agencies and other organizations spending federal grants, wrote John H. Thompson, the Census Bureau’s director, on Friday.

The exposed information included the names of people who submitted information, addresses, phone numbers, user names and other data, he wrote.

A group calling itself Anonymous Operations posted a link on Twitter leading to four files. The cyberattack was allegedly in protest of the Trans-Pacific Partnership and the Transatlantic Trade and Investment Partnership, two pending trade agreements that have been widely criticized.

Security holes in the 3 most popular smart home hubs and Honeywell Tuxedo Touch

At the 2015 Intelligent Defense European Technical Research Conference in June, Tripwire security researcher Craig Young presented Smart Home Invasion and revealed zero-day flaws in the “brains” of Internet of Things platform hubs such as SmartThings hubs, Wink hubs and MiOS Vera. The Wink and Vera products “contained critical remotely exploitable flaws.” Young warned that “if not addressed, smart home flaws can give rise to a new type of ‘smart criminal’ able to case victims without being seen. Once a target is chosen, it is possible to unlock doors and disable security monitoring.”

EARLY ACCESS Q&A: New Cisco CEO Chuck Robbins heads into “hyper-connected” mode

When Cisco Systems employees head into work Monday they’ll encounter something they haven’t seen in two decades: A new boss. Chuck Robbins – formerly senior vice president of worldwide operations – takes over as CEO from John Chambers, one of the most visible and quotable figures in business.

In this early-access interview with John Gallant, chief content officer of IDG US Media, Robbins sets out his priorities for Cisco and his new management team, and talks about the opportunities and challenges facing the network giant. Robbins dissects the competitive landscape and explains why so-called ‘white box’ data center gear and software-defined networks are not the threats to Cisco that some pundits contend. He also describes his vision for the “hyper-connected architecture” that will speed customer digitization efforts and help IT capture the value in the Internet of Things. Finally, Robbins talks about life at Cisco under a leader not named John.

Hillary Clinton sent classified information via personal email

A government investigation has concluded that Hillary Clinton sent classified information through a personal email account while she served as Secretary of State, The Wall Street Journal reported on Friday.

The internal review of Clinton’s use of a personal account by the Inspector General for the intelligence community examined just 40 emails of the thousands sent through the account and found four of them contained information that should have been classified as “secret,” the newspaper said. None of the emails were marked as such.

At the time they were sent, that was the second highest level of classification in the U.S. government.

US govt guide aims to bolster security of mobile devices used in health care

Health care providers are increasingly using smartphones and tablets for tasks such as accessing and transferring medical records, and submitting prescriptions, but these devices may not be secure enough to protect sensitive medical information from hackers.

That’s the conclusion of the U.S. National Institute of Standards and Technology, whose cybersecurity center released a draft guide Thursday to help health IT professionals shore up the mobile devices.

“Mobile devices are being used by many providers for health care delivery before they have implemented safeguards for privacy and security,” the agency said.

IDG Contributor Network: DDoS attack size is getting bigger, security firm says

DDoS attacks aren't going away anytime soon. In fact, they're getting bigger, according to network security company Arbor Networks. But there's good news on potential attacks in the Internet of Things arena—some heat is off there.

DDoS, or Distributed Denial-of-Service, attacks are where numerous compromised computers are used to target a single system. In simple terms, the sheer size of the blast of traffic overwhelms the system.

Large attacks

Arbor Networks says that "while very large attacks are what makes headlines, average attacks are approaching one gigabit per second, and are rapidly becoming a real problem for more and more enterprises."

Chrysler recalls 1.4M cars that were vulnerable to remote hacking

Chrysler has launched a recall of 1.4 million recent model cars that were vulnerable to being remotely accessed and controlled by hackers.

The recall comes days after Wired reported a demonstration by hackers in which they were able to access and control a Chrysler Jeep as it was being driven.

The hack detailed in the Wired article took place under somewhat controlled conditions—the driver, a Wired writer, knew that it was about to happen—but it occurred on the busy Interstate 64 near St. Louis. It culminated in the vehicle slowing down and causing something of a traffic obstacle for cars behind.

Even without breaches, don’t count on websites to hide that you have an account with them

Companies often fail to hide if an email address is associated with an account on their websites, even if the nature of their business calls for this and users implicitly expect it.

This has been highlighted by data breaches at online dating sites AdultFriendFinder.com and AshleyMadison.com, which cater to people looking for one-time sexual encounters or extramarital affairs. Both were vulnerable to a very common and rarely addressed website security risk known as account or user enumeration.

In the Adult Friend Finder hack, information was leaked on almost 3.9 million registered users, out of the 63 million registered on the site. With Ashley Madison, hackers claim to have access to customer records, including nude pictures, conversations and credit card transactions, but have reportedly leaked only 2,500 user names so far. The site has 33 million members.

French surveillance law is constitutional, highest court says

A surveillance law rushed through the French parliament in the wake of the Charlie Hebdo shootings in Paris in January is constitutional, the country’s highest court ruled late Thursday. The decision gives law enforcers and intelligence agencies the power to gather communications metadata—who is communicating with whom, where, and when—in real time, with few restrictions.

As the law on surveillance progressed through parliament, the government declared it “urgent”, meaning elected representatives in the Senate and National Assembly had only one opportunity to amend it instead of the usual two. They waved it through anyway. Some parliamentarians challenged parts of the law on constitutional grounds, calling on the Constitutional Council to give its verdict.

Cybersecurity Canon and The Florentine Deception

I first met cybersecurity veteran Rick Howard when he joined Palo Alto Networks as Chief Security Officer. During our discussion, Rick mentioned an idea he was promoting for a cybersecurity canon: a list of must-read books for all cybersecurity practitioners, be they from industry, government or academia, where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and that, if not read, will leave a hole in the cybersecurity professional’s education that will make the practitioner incomplete.

Rick’s notion of a cybersecurity canon hit home for a few reasons. I am an avid reader of cybersecurity books and am usually reading or re-reading something. And whenever someone asked me how they could learn about cybersecurity concepts, I would tell them to eschew text books and begin their education by reading more mainstream works like Cyberwar by Richard Clarke, Fatal System Error by Joseph Menn, Worm by Mark Bowden, and Kingpin by Kevin Poulsen.

Firewalls can’t protect today’s connected cars

The Chinese military strategist Sun Tzu once wrote, "What is of supreme importance in war is to attack the enemy's strategy."

The automobile industry needs to follow Sun Tzu's advice to secure increasingly connected vehicles from hackers, according to experts. Instead of building firewalls to keep cyber attacks out, which industry watchers say is ultimately a futile endeavor, build systems that recognize what a security breach looks like in order to stop it before any real damage is done.

"If you hack into my car's head unit and change the radio station, I don't care. I can live with that," said Charlie Miller, one of the security experts who this week demonstrated they could hack into -- and remotely control -- a Chrysler Jeep.

Google removes ‘porn clicker’ malware from Play Store

Google has removed dozens of apps from its Play Store that purport to be games but secretly click on advertisements on pornographic websites.

Security company Eset found 51 new apps that contained the “porn clicker” component, which it first discovered in April in a fake app mimicking a video app called Dubsmash.

Over the last three months, some 60 fake apps have been downloaded 210,000 times, showing how common it is for users to stumble across and download them.

“Following ESET’s notification, Google has pulled the malware from the Play Store and also reports some of them as potentially harmful applications using its built-in security service,” wrote Lukas Stefanko, an Eset malware researcher.