Author Archives: Ms. Smith

60% of companies cannot detect compromised credentials say security pros surveyed

Sixty percent of companies cannot detect compromised credentials, according to Rapid7’s incident detection and response survey results. That is just one of the “yikes” revealed when 271 security professionals from organizations of all sizes and industries responded to the survey, which Rapid7 ran to learn more about the challenges facing security teams, their strategic initiatives, and the security tools currently in use. It is little wonder that over 90% of respondents admitted to being worried about attacks that use compromised credentials.

Patch Tuesday: Microsoft released 9 security updates, 6 rated critical, 7 for RCE

To start off the 2016 Patch Tuesdays, Microsoft released nine security bulletins, six of which are rated as critical and seven of which resolve remote code execution vulnerabilities.

While that many RCEs doesn’t set any records, Bobby Kuzma, CISSP, systems engineer at Core Security, said, “It still distresses me. Web browsers are not safe, and everyone should be using some kind of content filtering on their networks. It's like wearing a seat belt. Just do it.”

Rated critical

First up is MS16-001, the cumulative fix for flaws in Internet Explorer which an attacker could exploit to gain remote code execution and have the same rights as the user. The patch is meant to modify how VBScript handles objects in memory and to help ensure that cross-domain policies are properly enforced in Internet Explorer.

Beware: Surveillance software police are using to score citizens’ threat level

High tech is increasingly used by police departments, but some have gone so far as surveilling citizens via software that calculates a citizen’s threat score.

Intrado, the company behind the threat-scoring software, says Beware “sorts and scores billions of publicly-available commercial records in a matter of seconds - alerting responders to potentially dangerous situations while en route to, or at the location of, a 9-1-1 request for assistance.”

In much the same way as the Harris Corporation keeps the lid tightly sealed on the details of its Stingray cell-site simulators and trackers, Intrado considers the hows of Beware calculating threat scores to be a “trade secret.” However, the Washington Post said the program scours “billions of data points, including arrest reports, property records, commercial databases, deep Web searches” as well as a citizen’s “social-media postings.” The calculated threat level is color-coded green, yellow or red, with red as the highest warning.

Gamer blames Nvidia GPU driver bug for showing porn viewed via Chrome incognito mode

Imagine launching a game on your PC and the black loading screen instead shows the porn you had been viewing hours ago via Google’s incognito browser mode. That’s exactly what happened to Evan Andersen, according to his blog post detailing how an Nvidia GPU driver bug breaks Chrome incognito.

Andersen said the porn he’d viewed hours previously had been “perfectly preserved” and was “splashed on the screen” while Diablo III was loading. He added:

So how did this happen? A bug in Nvidia's GPU drivers. GPU memory is not erased before giving it to an application. This allows the contents of one application to leak into another. When the Chrome incognito window was closed, its framebuffer was added to the pool of free GPU memory, but it was not erased. When Diablo requested a framebuffer of its own, Nvidia offered up the one previously used by Chrome. Since it wasn't erased, it still contained the previous contents. Since Diablo doesn't clear the buffer itself (as it should), the old incognito window was put on the screen again.

Microsoft moving to be ‘ultimate platform for all intelligent cars’

While Microsoft may not be building its own smart, connected vehicles, can you imagine a world in which Microsoft provides the “ultimate platform for all intelligent cars?” Microsoft certainly can, and the company has previously claimed that it invented or invisibly runs nearly everything. Yet several announcements coming from CES 2016 make it seem like Microsoft’s plan to take over the world of intelligent cars is not so far-fetched.

“In the near future, the car will be connected to the Internet, as well as to other cars, your mobile phone and your home computer,” said Microsoft’s Peggy Johnson, executive vice president of business development. “The car becomes a companion and an assistant to your digital life. And so our strategy is to be the ultimate platform for all intelligent cars.”

Flaws in Comcast’s Xfinity Home Security: System fails to warn homeowners of intruders

Rapid7 disclosed serious flaws in Comcast’s Xfinity Home Security system which thieves or thugs could exploit to break into homes while the homeowners continue to receive “it’s-all-good” messages even as an intruder moves about the house. Even worse, there currently is no fix.

Comcast customers might be induced to sign up for one of the Xfinity Home Security packages as the company suggests options like being able to check in on your kids, your pets, and “the things you love most.” With Xfinity Home Security, Comcast said you can “Sit back. Relax. You’re in control.” But today Rapid7 publicly disclosed vulnerabilities in Xfinity Home Security, flaws that can cause the security system to fail to sense motion and instead continue to report “All sensors are intact and all doors are closed. No motion is detected.”

34,000 gamers affected by Christmas attack on Steam

Steam set a new record on Jan. 3 when over 12 million gamers were all gaming at the same time. Gamasutra reported that there were 12,332,504 concurrent users. The Steam stats showed Dota 2 as the most played game, which peaked at 940,373 concurrent gamers. Counter-Strike had 643,402 concurrent players, and Fallout 4 came in third at the peak with 116,599 gamers. That being said, today is the last day of the Steam winter sale.

Microsoft roundup: The Windows 7 threat, notifying nation-state targets, Bing censorship

When checking around for what’s been happening with Microsoft, it seems like the company is following its normal pattern of gaining ground and then shooting itself in the foot. Here are a few examples:

At the end of 2015, Microsoft announced that it will start notifying users if the company believes “your account has been targeted or compromised by an individual or group working on behalf of a nation state.” Scott Charney, Microsoft’s Corporate VP of Trustworthy Computing, added:

We’re taking this additional step of specifically letting you know if we have evidence that the attacker may be “state-sponsored” because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others.

He sees you when you’re sleeping and when you’re awake via unsecured IP cameras

According to the song “Santa Claus is Coming to Town,” Santa “sees you when you're sleeping,” he “knows when you're awake,” and Saint Nick “knows if you've been bad or good…” But what if anyone with an Internet connection could see you when you’re sleeping, know when you’re awake, or know if you’ve been bad or good? The idea is creepy as can be, but it’s still a fact for people who have installed a security camera without setting a secure password.

I’m all for domain privacy, even though the U.S. wants to kill it off via the TPP, but the admin of Insecam is wise enough to use a privacy protection service. There is a bit of irony in that, perhaps.

About those unsecured security cameras in the US without password protection

As for why the U.S. has the most cameras connected to the Internet that have no unique passwords to protect them, could it be that all those cameras are not actually located in the U.S.? For example, there was a camper with icicles that appeared to be about a foot long hanging off of it as a deep snow covered the ground, but it was tagged as being located in Ocala, Florida. A quick search revealed the temperature to be 80 degrees, and that didn’t come close to matching the real-time image.

U.S. still No. 1 for unsecured security cameras: Creepy site linked to over 5,700 in U.S.

In November 2014, access to the video streams of 73,011 unsecured security cameras was available on a site that provided a Peeping Tom paradise for voyeurs and creepers. At that time, there were 11,046 unsecured security cameras in the U.S. Now there is roughly half that amount, but the U.S. is still number one by having more insecure security cameras than any other nation in the world.

On December 17, there were 4,104 unsecured security cameras located in the United States that were listed as part of the Insecam project, which claims to have “the world’s biggest directory of online surveillance security cameras.” With six cameras per page, that was equal to 684 pages, which I viewed while counting the brands of network video cameras available online, because each of those U.S. cameras did not have a unique password to protect it. That took between five and six hours, including the time to grab some screenshots as well; during that time, the number of unsecured cameras in the U.S. fluctuated wildly and dropped to barely 4,000 before going back up to cover 684 pages again. The most common unsecured cameras in the U.S.

FBI, DHS investigating Juniper hack, secret backdoor dates back 3 years

Juniper Networks’ announcement of discovering “unauthorized code” in its software which could allow attackers to take over machines and decrypt VPN traffic has shaken up more than the security world; the Department of Homeland Security and the FBI are reportedly involved in investigating the backdoor.

After Juniper warned that attackers could exploit the “unauthorized code” in order “to gain administrative access to NetScreen devices and to decrypt VPN connections,” and then wipe the logs to remove any trace of a compromise, an unnamed senior official told Reuters that the Department of Homeland Security is involved in Juniper’s investigation.

Rapid7 disclosed 6 XSS and SQLi flaws in 4 Network Management Systems, 2 unpatched

Rapid7 disclosed six vulnerabilities affecting four Network Management Systems (NMS), two of which are not patched. The vendors are Opsview, Spiceworks, Ipswitch, and Castle Rock, with the latter having issued neither a security bulletin nor a fix for the two vulnerabilities in its NMS.

The flaws, described as “an array of cross-site scripting (XSS) and SQL injection (SQLi)” vulnerabilities in NMS products, were discovered by Rapid7’s Deral Heiland, aka Percent_X, and independent researcher Matthew Kienow, aka HacksForProfit. They were responsibly disclosed to the vendors and CERT.

Pentagon wants $12 billion to ‘kick the crap out of’ iWorld geeks from foreign regimes

What do you do if you are worried about killer robots? If you are the Pentagon and those killer robots belong to the Chinese and Russians, then you propose a $12 to $15 billion budget to fund your own AI army and next-gen weapon technology.

The Pentagon’s plan for new tech, according to Reuters, will include “wearable electronics, exoskeletons, greater use of drones and manned aircraft working together, and mother ships that would send out mini-drones to execute military missions.”

Developer claims ‘PS4 officially jailbroken’

If you have a PS4 and want to run homebrew content, then you might be happy to know developer CTurt claimed, “PS4 is now officially jailbroken.”

Over the weekend, CTurt took to Twitter to make the announcement. He did not use a jail vulnerability, he explained in a tweet. Instead, he used a FreeBSD kernel exploit.

Security and privacy checklist for smart devices: 50 million to be sold over holidays

When shopping for a smart device, are you most influenced by the device’s capabilities, by its coolness factor, or by holiday sales that dropped the price? Do you first review the company’s policies, terms and conditions, the potentially excessive permissions a mobile app will require to control the connected device, or with whom the manufacturer will share or sell your collected data? If you receive a smart gadget as a gift, do you think the giver was wise enough to consider the small print before purchasing, to think of security and privacy before buying the smart device?

Patch Tuesday: Microsoft released 12 patches, 8 rated critical, 1 for a zero-day

Way to go! Congratulations on suffering through another year of deploying security patches. Microsoft released 12 security bulletins for the last Patch Tuesday of 2015, eight of which are rated as critical for remote code execution vulnerabilities. Hopefully none will result in exceedingly uncool changes like the ones Microsoft snuck into Windows 10 last month to reset privacy settings and default programs.

Although Microsoft regards MS15-135 only as “important,” it would be wise to jump on this one, as it is the fix for a zero-day vulnerability in the Windows kernel that attackers are exploiting to escalate privilege, according to Qualys CTO Wolfgang Kandek. You wouldn’t know it by its Microsoft-rated “important” status, as Redmond’s security team merely mentioned that it resolves flaws in Windows kernel-mode drivers. Nils Sommer of bytegeist, working with Google Project Zero, is credited with reporting three CVEs associated with this patch.
