Comcast’s XFINITY Home Security System can be readily exploited so it registers that doors and windows in customers’ homes are closed when they are actually open, Rapid7 has discovered.Fixing the problem requires a software or firmware upgrade, Rapid7 says. Comcast hasn’t responded to Rapid7s November notifications about the flaw, the company says.SHOCKER! Cape Cod cops find iPhone stun gunComcast hasn’t responded to an email asking for comment, but this story will be updated when it does.The security system consists of a sensor placed at windows, doors and other locations to detect motion, and a base station. When the sensor is triggered, it notifies the base station, which alarms that there is an intrusion.To read this article in full or to leave a comment, please click here
Figuring out mysteriesImage by FlickrCyber technology couldn’t get by without algorithms to encrypt, analyze metadata and find traffic anomalies, but they are used more and more widely in other fields. Here are 10 algorithms that perform functions as varied as scanning for disease genes, catching classroom cheats and figuring out murder mysteries as well as Agatha Christie’s heroine Miss Marple.To read this article in full or to leave a comment, please click here
Oracle promises to give customers tools that easily uninstall insecure older versions of Java SE that may still lurk as vulnerabilities within Web browsers.That promise comes in a consent decree with the Federal Trade Commission that is currently up for public review before taking effect in January.+More on Network World: After Juniper security mess, Cisco searches own gear for backdoors+To read this article in full or to leave a comment, please click here
While it says it has no reason to think there are backdoors in any of its products, Cisco has started an additional code review looking for “malicious modifications” after Juniper’s announcement that its ScreenOS operating system has been vulnerable for years.
Anthony Greico
“Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience,” according to the Cisco Security blog written by Anthony Grieco, senior director of the company’s Security and Trust Organization. The company says it will release its findings in accordance with its security vulnerability policy.To read this article in full or to leave a comment, please click here
The Internet Storm Center has upgraded its warning about the corruption of Juniper ScreenOS firewalls to yellow, which means it’s imperative to patch them today, literally, given that details on how to exploit the flaws has been published and that it’s a holiday week when applying firewall patches can be easily overlooked.
According to the ISC warning, the upgraded yellow warning was made because Juniper’s NetScreen firewalls are popular and that the “'backdoor’ password is now known, and exploitation is trivial at this point,” and for most businesses, this “being a short week for many of us, addressing this issue today is critical.”To read this article in full or to leave a comment, please click here
Now that Juniper has created a patch for its vulnerable firewall/VPN appliances, bad actors are setting to work reverse engineering the flaw so they can exploit devices that users don’t patch, and also make a profit by selling their exploits to others.“That’s what they do,” says John Pironti, president of IP Architects, who says he spent Friday responding to concerns about the compromised Juniper firewalls with his clients.The pattern cyber criminals follow after vendors patch vulnerabilities is to compare the patched code to the unpatched code, figure out what the flawed code was and figure out how to use it to break into the device and the network it protects, Pironti says.To read this article in full or to leave a comment, please click here
Juniper Networks is warning customers to patch their NetScreen enterprise firewalls against bad code that enables attackers to take over the machines and decrypt VPN traffic among corporate sites and with mobile employees.The danger is that attackers could exploit the code “to gain administrative access to NetScreen devices and to decrypt VPN connections,” Juniper says in a security announcement.It would enable smart attackers to exploit the vulnerability and wipe out log files, making compromises untraceable, the company says.To read this article in full or to leave a comment, please click here
As privacy of The Onion Router (Tor) network comes into question, MIT researchers say they have devised a secure system called Vuvuzela that makes text messaging sent through it untraceable and that could be more secure than Tor when it comes to hiding who is talking to whom.While it’s not ready for prime time, the messaging system makes it extremely difficult for attackers to find out which connected users are communicating with which others or whether they are sending or receiving messages at all, the researchers say in “Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis”.To read this article in full or to leave a comment, please click here
Despite the risks to online commerce, international high-tech sales, security of trade secrets and the fact that it won’t actually make encryption useless to criminals, decryption backdoors to let law enforcement access encrypted communications could become U.S. law in 2016 – and a nightmare to enterprises – especially if terrorists succeed in carrying out major acts of violence.So far the arguments against such a law have prevailed, but that could change if public opinion turns strongly in favor of it, which is more likely in the wake of events that generate fear.+More on Network World: 20 years ago: Hot sci/tech images from 1995 | Read all the stories that predict what is to come in 2016 +To read this article in full or to leave a comment, please click here
The FBI still wants backdoors into encrypted communications, it just doesn’t want to call them backdoors and it doesn’t want to dictate what they should look like.FBI Director James Comey told the Senate Judiciary Committee that he’d been in talks with unspecified tech leaders about his need to crack encrypted communications in order to track down terrorists and that these leaders understood the need.In order to comply, tech companies need to change their business model – by selling only communications gear that enables law enforcement to access communications in unencrypted form, he says, rather than products that only the parties participating in the communication can decrypt.To read this article in full or to leave a comment, please click here
IBM is launching a program where customers can share apps they write to augment IBM’s QRadar platform that analyzes security data, detects behavior anomalies and sorts out high-priority risks from the mass of incidents it examines.To accomplish this, the company is opening APIs into QRadar, issuing software developer kits and creating a Security App Exchange where these custom apps can be distributed.The exchange has already been seeded with 14 apps written by IBM itself and some of its partners including Bit9 + Carbon Black, BrightPoint Security, Exabeam and Resilient Systems.Four of these apps are:
User Behavior Analytics – Integrates Exabeam’s analysis of user behaviors and risk profiling into QRadar’s dashboard.
Threat Intelligence – Pulls data from threat feeds and create rules about how to handle the data, such as raising the threat score for incidents involving IP addresses from a particular watch list.
Carbon Black App for QRadar – Analyzes data from Carbon Black’s endpoint sensors within the QRadar interface, enabling faster responses to endpoint attacks.
Incident Overview – A visualization app that uses bubbles, colors and correlation lines to help analysts quickly identify links among incidents.
IBM says it will vet applications before they are made Continue reading
Criminals are tapping Web-based services that are advertised as tools to stress test customers’ networks but in actuality they are using them to launch DDoS attacks against victims, according to Akamai.The paid sites can make DDoS attacks a viable option for actors looking to shut down targeted servers, the company says in its “State of the Internet/Security Q3 2015” report. “Many of the sites are simply DDoS-for-hire tools in disguise, relying on the use of reflection attacks to generate their traffic,” the report says.+More on Network World: DARPA scheme would let high-tech systems “see” as never before+To read this article in full or to leave a comment, please click here
It’s hard to figure out how secure software is but the Software Assurance Forum for Excellence in Code (SAFECode) has issued guidelines to make it easier, especially for businesses trying to decide which products to buy.The industry group published a white paper, “Principles for Software Assurance Assessment”, that recommends questions corporate software buyers should ask their suppliers beforehand so they wind up with products less likely to be riddled with security flaws.One of the big problems these buyers may face is that they don’t know the relevant questions to ask, says Eric Baize, SAFECode chairman and Senior Director, Product Security and Trusted Engineering for EMC.To read this article in full or to leave a comment, please click here
Dell acknowledges a root certificate it installed on its laptops was a bad idea and is pushing a patch to permanently remove it.In a blog post company spokesperson Laura Thomas says eDellRoot was installed as a support tool to make it faster and easier for customers to service the devices. But some of those customers discovered the certificate and recognized it as a serious security threat.To read this article in full or to leave a comment, please click here
At least some Dell laptops are shipping with a trusted root certificate authority pre-installed, something that those who discovered the CA are comparing to the Superfish adware installed on Lenovo machines that left them open to man-in the-middle attacks.
Called eDellRoot, the trusted root CA comes as part of the standard software load on new Dell machines. A Reddit contributor who uses rotocowboy for a screen name says the implications could be dire. “For those that are unfamiliar with how this works,” he writes, “a network attacker could use this CA to sign his or her own fake certificates for use on real websites and an affected Dell user would be none the wiser unless they happened to check the website's certificate chain. This CA could also be used to sign code to run on people's machines, but I haven't tested this out yet.”To read this article in full or to leave a comment, please click here
It’s only a game, but LightCyber hopes its Cyber Attack Training System (CATS) helps IT folks think like attackers in order to better defend their networks.The online game sets players up with stolen login credentials for a networked machine and turns them loose with Metasploit tools. The idea is for security pros to discover and compromise other devices on the network with the goal of capturing a specific file.Public access to CATS is available for 12 hours only on Nov. 10 and is open to anyone who can provide a legitimate corporate email address. The first 100 players who successfully find the target file win a black hoodie.The game will give network security pros who spend their days searching logs for indicators of compromise the chance to better understand the mindset of attackers so they are better prepared to search for their footprints.To read this article in full or to leave a comment, please click here
With the Cybersecurity Information Sharing Act (CISA) the feds are trying to make it more attractive to share threat intelligence, but it won’t do much to help businesses deal with the high cost of sorting through what can be an overwhelming flow of possible security incidents and find which ones need to be checked out.And deciding what data to share, what threat intelligence feeds to subscribe to and what tools are needed to turn potentially valuable information into action takes sizeable resources, experts say.To read this article in full or to leave a comment, please click here
Of 200 USB sticks distributed at public places in Chicago, Cleveland, San Francisco and Washington, D.C., earlier this year, 17 percent wound up plugged into computers – some of them by IT pros - where they could have done all sorts of damage had they been loaded with malware.Not only were they plugged in, the finders followed instructions on them to email a specified address and include what they did for a living, according to a study by the IT industry association CompTIA.MORE: Sorriest network companies of 2015To read this article in full or to leave a comment, please click here
Data-loss-prevention provider InteliSecure is taking in new money, new employees and an entire U.K. security company in an effort to establish itself as a high-end security boutique.The company has raised $22 million in equity financing and a $6 million debt financing in order to buy Pentura – a U.K. managed security service provider – as well as expand its operations globally and hire additional hard-to-find security personnel.
CEO Rob Eggebrecht
Its premiere service, protecting data by identifying the most critical assets, configuring the infrastructure to enforce security policies and managing it, is highly customized, says CEO Rob Eggebrecht.To read this article in full or to leave a comment, please click here
A bill that encourages businesses to share threat intelligence with each other and the government is closer to becoming a law than it has been for years now that it offers businesses near immunity from liability if the data they share is stolen and causes harm, but such sharing is still fraught with problems.
Nathan Taylor
The proposed Cybersecurity Information Sharing Act (CISA) proposal doesn’t force anyone to participate in sharing, but it creates incentives for businesses to do so willingly, says Nathan Taylor, a partner in the law firm Morrison & Foerster, who is following the bill as it wends its way through Congress.To read this article in full or to leave a comment, please click here
Tim Greene