It was an especially happy Thanksgiving for security researchers, thanks to what they have called long-overdue exemptions to the Digital Millennium Copyright Act (DMCA).Those exemptions, which took effect Oct. 28, provide a two-year window allowing “good-faith” researchers to break into the software that controls most consumer and commercial Internet of Things (IoT) devices – those used in everything from “smart” homes to smartphones, cars, medical devices, voting machines and more – without violating copyright laws.To read this article in full or to leave a comment, please click here
It was an especially happy Thanksgiving for security researchers, thanks to what they have called long-overdue exemptions to the Digital Millennium Copyright Act (DMCA).Those exemptions, which took effect Oct. 28, provide a two-year window allowing “good-faith” researchers to break into the software that controls most consumer and commercial Internet of Things (IoT) devices – those used in everything from “smart” homes to smartphones, cars, medical devices, voting machines and more – without violating copyright laws.To read this article in full or to leave a comment, please click here
The massive Distributed Denial of Service (DDoS) attack last month on Dyn, the New Hampshire-based Domain Name System (DNS) provider, was mostly an inconvenience.While it took down a portion of the internet for several hours, disrupted dozens of major websites and made national news, nobody died. Nobody even got hurt, other than financially.But the attack, enabled by a botnet of millions of Internet of Things (IoT) devices, inevitably led to speculation on what damage a DDoS of that scale or worse could do to even a portion of the nation’s critical infrastructure (CI).To read this article in full or to leave a comment, please click here
The massive Distributed Denial of Service (DDoS) attack last month on Dyn, the New Hampshire-based Domain Name System (DNS) provider, was mostly an inconvenience.While it took down a portion of the internet for several hours, disrupted dozens of major websites and made national news, nobody died. Nobody even got hurt, other than financially.But the attack, enabled by a botnet of millions of Internet of Things (IoT) devices, inevitably led to speculation on what damage a DDoS of that scale or worse could do to even a portion of the nation’s critical infrastructure (CI).To read this article in full or to leave a comment, please click here
Politicians are fond of saying that the only poll that matters is the one on election day.That may be especially true this year, especially when it comes to online polls that, like anything in the digital, connected world, are vulnerable to mischief.The mischief is enabled by bots – hundreds to many thousands of computers under the control of an attacker that are more typically used to send out spam, create Distributed Denial of Service (DDoS) attacks and commit various kinds of fraud – but in this case are used to skew poll results. They can make it look like public opinion views one candidate as the winner of a debate when the real vote would show the other candidate did.To read this article in full or to leave a comment, please click here
Politicians are fond of saying that the only poll that matters is the one on election day.That may be especially true this year, especially when it comes to online polls that, like anything in the digital, connected world, are vulnerable to mischief.The mischief is enabled by bots – hundreds to many thousands of computers under the control of an attacker that are more typically used to send out spam, create Distributed Denial of Service (DDoS) attacks and commit various kinds of fraud – but in this case are used to skew poll results. They can make it look like public opinion views one candidate as the winner of a debate when the real vote would show the other candidate did.To read this article in full or to leave a comment, please click here
If you want to have even a chance of defeating cyber attacks, you have to be quick.So, in hindsight, there is no mystery why the federal government’s Office of Personnel Management (OPM) was a loser to attackers who exfiltrated personal data – including in many cases detailed security clearance information and fingerprint data – of more than 22 million current and former federal employees.Hackers, said to be from China, were inside the OPM system starting in 2012, but were not detected until March 20, 2014. A second hacker, or group, gained access to OPM through a third-party contractor in May 2014, but was not discovered until nearly a year later.To read this article in full or to leave a comment, please click here
If you want to have even a chance of defeating cyber attacks, you have to be quick.So, in hindsight, there is no mystery why the federal government’s Office of Personnel Management (OPM) was a loser to attackers who exfiltrated personal data – including in many cases detailed security clearance information and fingerprint data – of more than 22 million current and former federal employees.Hackers, said to be from China, were inside the OPM system starting in 2012, but were not detected until March 20, 2014. A second hacker, or group, gained access to OPM through a third-party contractor in May 2014, but was not discovered until nearly a year later.To read this article in full or to leave a comment, please click here
The hack of the Democratic National Committee this past summer, allegedly by Russia, prompted a political firestorm, but didn’t cause even a ripple in the US economy.But imagine the economic firestorm that would result if online attackers brought the entire internet down, even temporarily.You may not have to imagine it, according to Bruce Schneier, CTO of Resilient Systems, cryptography guru, blogger and international authority on internet security. In a recent post titled, "Someone is Learning How to Take Down the Internet," he wrote that he had been told by multiple sources that, ““someone has been probing the defenses of … some of the major companies that provide the basic infrastructure that makes the Internet work.”To read this article in full or to leave a comment, please click here
The intractable nature of the “privacy vs. security” debate, in a world where the internet is a tool for criminals, spies and terrorists as well as for billions of law-abiding citizens, was on full display during Wednesday’s Cambridge Cyber Summit at MIT.Not surprisingly, it didn’t get resolved.The event, hosted by The Aspen Institute, CNBC and MIT, featured top-level government officials, private-sector experts and activists, who all agreed that there needs to be a “conversation” about how to “balance” the two, and that to achieve it will require more effective cooperation between the public and private sectors.But there was no agreement about where that balance lies. About the best they could do, after some conversation that got chaotic at times, was agree that they should continue the conversation.To read this article in full or to leave a comment, please click here
The intractable nature of the “privacy vs. security” debate, in a world where the internet is a tool for criminals, spies and terrorists as well as for billions of law-abiding citizens, was on full display during Wednesday’s Cambridge Cyber Summit at MIT.Not surprisingly, it didn’t get resolved.The event, hosted by The Aspen Institute, CNBC and MIT, featured top-level government officials, private-sector experts and activists, who all agreed that there needs to be a “conversation” about how to “balance” the two, and that to achieve it will require more effective cooperation between the public and private sectors.But there was no agreement about where that balance lies. About the best they could do, after some conversation that got chaotic at times, was agree that they should continue the conversation.To read this article in full or to leave a comment, please click here
The warnings about the longevity of email are regular and ominous: Don’t be careless with it. Email is forever.Indeed, in some very high-profile cases it seems that way. Former CIA director and retired US Army General David Petraeus lost his job and his reputation, and "gained" a criminal record in 2012, when emails from an account he thought was private exposed his mishandling of classified information and an affair with his biographer.Much more recently – just in the past couple of weeks – a trove of embarrassing correspondence from the email account of former secretary of state Colin Powell was posted on the website DCLeaks.com. In the words of an anonymous television anchor, they upended the perception of Powell, also a retired four-star US Army general, as a stoic diplomat and revealed him to be, “just as gossipy as everyone else.”To read this article in full or to leave a comment, please click here
Security experts agree that humans are the weakest link in the security chain. Virtually all of them agree that security awareness training can strengthen many of those weaknesses.But how best to do that can generate some debate.Lysa Myers, a security researcher at ESET, summarized in a recent post what she said was a collective message from several presentations at the recent Black Hat conference: While it is possible to train employees to be "hyper-vigilant, it can create more problems than it solves.To read this article in full or to leave a comment, please click here
You should be worried about the November election. Not so much that the candidates you support won’t win, but about the risk that the “winners” may not really be the winners, due to hackers tampering with the results.Or, that even if the winners really are the winners, there will be enough doubt about it to create political chaos.This is not tinfoil-hat conspiracy theory. The warnings are coming from some of the most credible security experts in the industry.Richard Clarke, former senior cybersecurity policy adviser to presidents Bill Clinton and George W. Bush, wrote recently in a post for ABC News that not only are US election systems vulnerable to hacking, but that it would not be difficult to do so.To read this article in full or to leave a comment, please click here
You should be worried about the November election. Not so much that the candidates you support won’t win, but about the risk that the “winners” may not really be the winners, due to hackers tampering with the results.Or, that even if the winners really are the winners, there will be enough doubt about it to create political chaos.This is not tinfoil-hat conspiracy theory. The warnings are coming from some of the most credible security experts in the industry.Richard Clarke, former senior cybersecurity policy adviser to presidents Bill Clinton and George W. Bush, wrote recently in a post for ABC News that not only are US election systems vulnerable to hacking, but that it would not be difficult to do so.To read this article in full or to leave a comment, please click here
Security experts have been saying for decades that human weakness can trump the best technology.Apparently, it can also trump conventional wisdom.Since passwords became the chief method of online authentication, conventional wisdom has been that changing them every month or so would improve a person’s, or an organization’s, security.Not according to Lorrie Cranor, chief technologist of the Federal Trade Commission (FTC), who created something of a media buzz earlier this year when she declared in a blog post that it was, “time to rethink mandatory password changes.” To read this article in full or to leave a comment, please click here
Security experts have been saying for decades that human weakness can trump the best technology.Apparently, it can also trump conventional wisdom.Since passwords became the chief method of online authentication, conventional wisdom has been that changing them every month or so would improve a person’s, or an organization’s, security.Not according to Lorrie Cranor, chief technologist of the Federal Trade Commission (FTC), who created something of a media buzz earlier this year when she declared in a blog post that it was, “time to rethink mandatory password changes.” To read this article in full or to leave a comment, please click here
“Privacy is dead,” has been a mantra, for different reasons, for generations. In the cybersecurity community, it has been conventional wisdom for at least a decade. But Edward Snowden and Andrew “bunnie” Huang apparently think they can revive it a bit, at least if you own an iPhone 6.
Their goal, they say in a white paper titled, “Against the Law – Countering Lawful Abuses of Digital Surveillance,” is to create an add-on hardware component that will protect “front-line journalists” in repressive regimes where governments have demonstrated the capability to track people through their smartphones even if the devices are set to “Airplane Mode.”To read this article in full or to leave a comment, please click here
“Privacy is dead,” has been a mantra, for different reasons, for generations. In the cybersecurity community, it has been conventional wisdom for at least a decade. But Edward Snowden and Andrew “bunnie” Huang apparently think they can revive it a bit, at least if you own an iPhone 6.
Their goal, they say in a white paper titled, “Against the Law – Countering Lawful Abuses of Digital Surveillance,” is to create an add-on hardware component that will protect “front-line journalists” in repressive regimes where governments have demonstrated the capability to track people through their smartphones even if the devices are set to “Airplane Mode.”To read this article in full or to leave a comment, please click here
The quickest way to launch the cyber equivalent of a nuclear war is for the targets of cyberattacks to try to “hack back” against their tormentors.Or, maybe not.The debate over that has raged for decades, with a majority of security experts arguing that the difficulties of attribution and the dangers of escalating retaliatory counterattacks make hacking back a losing proposition.But what if it didn’t involve trying to corrupt or destroy an attacker’s network? What if it wasn’t exactly “kinder,” but was a bit “gentler,” involving intermediate-level responses like so-called “naming and shaming” of perpetrators, or blocking access to U.S. markets of foreign companies that benefit from cyber espionage?To read this article in full or to leave a comment, please click here