DARPA is looking for a platform that can tell whether Internet of Things devices have been hijacked based on fluctuations in the heat, electromagnetic waves and sound they put out as well as the power they use. The agency wants technology that can decipher these analog waves and reveal what IoT devices are up to in their digital realms, according to a DARPA announcement seeking research proposals under the name “Leveraging the Analog Domain for Security (LADS)”. The LADS program would separate security monitoring from the device itself so if it is compromised, the monitoring platform can’t be affected.
It’s actually possible for entities with vast computing resources – such as the NSA and major national governments – to compromise commonly used Diffie-Hellman key exchange groups, so it’s time for businesses to switch to something else like elliptic curve cryptography, researchers say. “It’s been recommended to move from 1024-bit [encryption] for a long time, and now there are very concrete risks of not doing that,” says Nadia Heninger, an assistant professor of computer and information science at the University of Pennsylvania who is an author of a paper titled “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice”.
Chinese hackers have gone after seven U.S. tech and pharmaceutical companies since the presidents of both countries agreed not to knowingly carry out corporate espionage, according to security firm CrowdStrike. The company says in a blog post that it has identified a known hacking group in China as intruding into the seven U.S. companies starting the day after Presidents Xi and Obama announced the pact. “It is important to note that this is not an exhaustive list of all the intrusions from Chinese-government affiliated actors we have detected during this time period; it is limited only to commercial entities that fit squarely within the hacking prohibitions covered under the Cyber agreement,” says CrowdStrike CTO Dmitri Alperovitch.
Instances of Apple OS X malware are soaring this year, already totaling more than five times the number tallied over the previous five years combined, according to an in-house Bit9 + Carbon Black tally. Instances totaled 180 from 2010 through 2014, but have already reached 948, according to “2015: The most Prolific Year in History for OS X Malware”, the results of a 10-week study of malware crafted for the operating system. The Bit9 + Carbon Black research team analyzed data it gathered from its own research efforts, culling open source data such as Contagio malware dump, experience from incident-response engagements involving OS X that were made by Bit9 + Carbon Black’s partners, and suspicious code uploaded to Bit9 + Carbon Black from its customers. They came up with 1,400 unique OS X malware samples.
Bracket Computing is expanding its cloud-storage data protection offerings and has received an additional $46.4 million in venture funding to further develop its products and roll them out worldwide. Now in addition to Bracket’s Computing Cell service, customers can license an in-house version of the technology and control all aspects of the encryption/policy enforcement/data integrity platform.
Following its disruption of a major distributor of Angler ransomware, Cisco is offering up free security consulting for hosting providers that’s aimed at wiping out persistent attacks that abuse providers’ services and threaten the rest of the Internet. Cisco’s Talos security intelligence and research group has launched Project Aspis, which hosting providers can sign up for to work with Talos and in return receive help including systems forensics, reverse engineering, threat intelligence sharing and, in the right circumstances, dedicated research engineers to work with, according to Cisco’s security blog.
Prioritizing security measures is the first step toward accomplishing them, and the SANS Institute has created a list of the top 20 critical security controls businesses should implement. They include some obvious steps, such as getting a comprehensive inventory of all network devices and software, implementing secure hardware configurations and providing for data recovery, but also get into areas that are less evident.
Corporate security pros should note that journalist Matthew Keys was convicted this week of changing a headline on the LA Times Web site, a case that may help define what can be included when toting up damages caused by hackers.
The bill cited in court came to $929,977 for the cost of changing back the altered headline, which stayed live for less than an hour, but also the cost of assessing what other damage was done and fixing it, which took months.
The former head of the NSA says the U.S. is better served by strong encryption than it would be by encryption schemes with backdoors that allow law enforcement to decrypt the content of communications, according to reports, and he should know. Under Michael Hayden’s watch as director of the NSA, the agency exploited back doors into phone switches in Greece in order to spy on calls including those made by the Greek prime minister and the mayor of Athens. The legal-intercept capabilities baked into the switches are supposed to be used only under strict legal supervision, but they can be abused. According to a story by James Bamford for The Intercept, documents stolen by Edward Snowden help show that the NSA took unauthorized advantage of legal-intercept backdoors in the Greek phone system to eavesdrop on what calling parties assumed would be private communications.
Endpoint security vendor Digital Guardian has bought Code Green Networks, which makes data loss prevention appliances for businesses. The purchase gives Digital Guardian a DLP offering that, rolled in with the company’s existing products, will provide endpoint, network and cloud data protection overseen by a single console, the company says. This will enable applying policies that will be enforced regardless of where the data is located and regardless of who accessed it and with what device.
Verizon consultants probed Target’s network for weaknesses in the immediate aftermath of the company’s 2013 breach and came back with results that point to one overriding – if not dramatic – lesson: be sure to implement basic security best practices. In a recent KrebsOnSecurity post, Brian Krebs details Verizon’s findings as set down in a Target corporate report. The findings demonstrate that it really is important to put in place all the mundane security best practices widely talked about, and that without them even the best new security platforms can’t defend against breaches.
Presidents Obama and Xi agree that the U.S. and China won’t steal corporate secrets from each other, but the wording is so full of loopholes that CISOs shouldn’t take too much comfort in the pact for quite a while. The agreement sets up high-level talks twice a year to deal with complaints the U.S. and China have about whether the other is responding quickly and thoroughly to claims by the other side about malicious cyber activity. It also takes a run at corporate spying in particular: “[N]either country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
ZingBox, an Internet of Things security startup whose founders have ties to Cisco and Stanford University, is working on software that guards IoT devices from threats on the Internet.
The year-old company’s focus is upgrading routers and gateways with intelligence to detect when IoT devices are behaving abnormally, indicating that they might be compromised, says May Wang, CTO of the company and a co-founder who spent 14 years at Cisco in its office of the CTO where she was a principal architect.
Datiphy, a service provider founded in Taiwan, has bundled its technology for sale as a software package to make inroads in the U.S. as a security/data auditing tool that detects and reports suspicious access to databases. The company has been selling its service in Asia-Pacific since 2011 but has decided to improve the user interface and give it natural-language search to make it more attractive in the U.S. where the large enterprises it seeks as customers want to have an on-premises platform, says Mike Hoffman, executive vice president of sales and marketing. Datiphy has also gotten a financial shot in the arm, pulling down $7 million from Highland Capital Partners in its first round of institutional funding that it will use in part to hire staff to pursue partnerships so data gathered by the platform can be shared with other security products.
Now the federal Office of Personnel Management says the number of individuals whose fingerprints were stolen is 5.6 million – up from 1.1 million – and that they can look forward to having those prints misused as criminals get better at exploiting them. OPM says, “an interagency working group with expertise in this area … will review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.”
Volkswagen is in a lot of trouble for installing software on some of its diesel cars that figures out when they are undergoing emissions tests so it can adjust the cars to put out nitrogen oxide at acceptable levels. That’s likely to win the company billions of dollars in fines, but it’s not the first time the company has hidden problems rather than fix them. Just last month, security researchers delivered a paper that showed three ways to get around the Volkswagen lockout system that prevents its cars from being started unless the correct key with the correct chip embedded is used to crank it over. The paper was noteworthy for the ingenuity of the three attacks it outlines but also for the length of time it sat on the shelf before being delivered to the public. It was ready to go back in 2013 but Volkswagen got a court order to block it then, and that was nearly a year after the researchers had told the manufacturers of the hardware about it under the principle of responsible disclosure.
When businesses are hit by noticeable distributed denial-of-service attacks, three-quarters of the time those attacks are accompanied by another security incident, according to Kaspersky Lab. Those other attacks may or may not originate from the same party, but they can go undetected if IT staff is totally focused on defending against the DDoS, says Evgeny Vigovsky, head of Kaspersky DDoS Protection. “In many cases, it may be a coordinated effort, but even if these attacks originate from different sources, IT staff have to allocate resources to solve two problems at the same time, under a lot of stress,” Vigovsky says. Kaspersky polled top managers and IT pros at 5,500 companies in 26 countries about their experiences with DDoS attacks.
Online poker malware lets players cheat by getting a peek at cards held by opponents whose machines have been infected. The Trojan, called Win32/Spy.Odlanor, is typically downloaded by victims because it is disguised as installers or resources such as poker databases and poker calculators, according to the ESET WeLiveSecurity blog. “In other cases, it was loaded onto the victim’s system through various poker-related programs … such as Tournament Shark, Poker Calculator Pro, Smart Buddy, Poker Office, and others,” the blog says. Once installed it grabs screenshots of the PokerStars and Full Tilt Poker clients, letting the attackers see what cards the victim holds. In order to carry out the scam, the cheaters have to find and join the table at which the infected machine is playing.
Making encryption backdoors available to law enforcement would be bad for cybersecurity in general and hurt vendors that make encryption gear, a presidential advisory group says. While the FBI argues that it needs legislation to require access points into encryption platforms, the National Security Council is preparing to tell President Obama that the downsides include weakening the privacy of Internet communications, according to a draft NSC report obtained by the Washington Post. “[B]ecause any access point to encrypted data increases risk, if government efforts to secure access are successful, this approach would reduce cybersecurity,” the document says.
The SYNful Knock compromise of routers can implant software that creates backdoors to let attackers return over and over, a sophisticated endeavor that demonstrates the ingenuity of its creators, according to a member of the team that discovered the attack in the wild. The software has features that enable it to stay hidden within networks so it can be updated and new attack modules can be downloaded for long periods of time, according to FireEye researchers. “The impressive portion of the attack is the implant and not the delivery,” says Tony Lee, technical director at FireEye. “This sort of implant would take significant skills to produce and go undetected for so long.”