Category Archives for "Network World Security"

DARPA wants to simulate how social media spreads info like wildfire

When it comes to understanding what information travels the Internet, how it travels and how popular it becomes, we have a lot to learn. That seems to be the idea behind a new program, to be unveiled next month by researchers at the Defense Advanced Research Projects Agency (DARPA), that aims to simulate the spread and evolution of online information.

IDG Contributor Network: IoT security principles from Homeland Security

Power grids were bombed in World War II to cripple industrial output. Today, attacks against Internet of Things (IoT) infrastructure cause even broader disruptions, without bombs. The danger is real. The U.S. Department of Homeland Security (DHS) recently published guidelines to “provide a strategic focus on security and enhance the trust framework that underpins the IoT ecosystem.” The report explains why security has to be a combined effort.

Oracle patches raft of vulnerabilities in business applications

Oracle released its first batch of security patches this year, fixing 270 vulnerabilities, mostly in business-critical applications. Many of the flaws can be exploited remotely without authentication. The majority of the fixes are for flaws in business products such as Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products and Oracle Database Server. E-Business Suite, which is used by companies to store key data and manage a wide range of business processes, accounts for more than 40 percent of the patched vulnerabilities -- 121. Out of these, 118 are remotely exploitable and the highest rated one has a score of 9.2 (critical) in the Common Vulnerability Scoring System.

Tips on where to start in managing risk

Plugging the holes: What is risk management? Any time you have something of value (like a corporate network, a website, or a mobile application), there will be risk to manage in order to protect it. As organizations innovate and change the way they use technology, the risks change too. Traditional approaches and controls are no longer good enough. Caroline Wong, vice president of security strategy at Cobalt, provides a few tips for managing risk in today’s modern business environment.

How—and why—you should use a VPN any time you hop on the internet

One of the most important skills any computer user should have is the ability to use a virtual private network (VPN) to protect their privacy. A VPN is typically a paid service that keeps your web browsing secure and private over public Wi-Fi hotspots. VPNs can also get past regional restrictions for video- and music-streaming sites and help you evade government censorship restrictions—though that last one is especially tricky. The best way to think of a VPN is as a secure tunnel between your PC and destinations you visit on the internet. Your PC connects to a VPN server, which can be located in the United States or a foreign country like the United Kingdom, France, Sweden, or Thailand. Your web traffic then passes back and forth through that server. The end result: As far as most websites are concerned, you’re browsing from that server’s geographical location, not your computer’s location.

Repealing passwords is a long way away

The campaign to eliminate passwords has been ongoing, and growing, for close to a decade. There are even some declarations that this might be the year, or at least ought to be the year, that it happens. Don’t hold your breath. Brett McDowell, executive director of the FIDO (Fast IDentity Online) Alliance, is as passionate an advocate of eliminating passwords as anyone. He says that day is coming, given the creation of a “new generation of authentication technology” largely based on biometrics, and a “massive collaboration among hundreds of companies” to define standards for that technology.

WikiLeaks’ Assange confident of winning ‘any fair trial’ in the US

WikiLeaks said that its founder Julian Assange is confident of winning 'any fair trial' in the U.S. and indicated that the founder of the whistleblowing website would stand by all the promises he had made in return for clemency to Chelsea Manning, the former U.S. soldier who disclosed classified data relating to the Iraq War to the site. On Tuesday, Manning’s prison sentence was commuted by U.S. President Barack Obama, raising questions whether Assange would keep his part of a deal he proposed online and agree to extradition to the U.S.

Can a DDoS attack on Whitehouse.gov be a valid protest?

When Donald Trump is inaugurated as the U.S. President on Friday, Juan Soberanis intends to protest the event -- digitally. His San Francisco-based protest platform is calling on Americans to oppose Trump’s presidency by visiting the Whitehouse.gov site and overloading it with too much traffic. In effect, he’s proposing a distributed denial-of-service attack, an illegal act under federal law. But Soberanis doesn’t see it that way. “It’s the equivalent of someone marching on Washington, D.C.,” he said on Monday. “Civil disobedience has been part of the American democratic process.” Soberanis’s call to action is raising eyebrows and highlights the issue of whether DDoS attacks should be made a legitimate form of protest. Under the Computer Fraud and Abuse Act, sending a command to a protected computer with the intent to cause damage can be judged a criminal offense. But that hasn’t stopped hacktivists and cyber criminals from using DDoS attacks to force websites offline.

Obama commutes sentence for Manning, a WikiLeaks source

President Barack Obama has commuted the prison sentence of Chelsea Manning, the former U.S. soldier who disclosed classified data to WikiLeaks relating to the Iraq War. Manning was originally serving a 35-year sentence, but on Tuesday Obama reduced it. She’ll now be freed on May 17. Manning was convicted of leaking U.S. military and diplomatic information to WikiLeaks back in 2010 that included videos of airstrikes in Iraq and Afghanistan, along with classified documents sent to the U.S. State Department. She was arrested and began serving jail time the same year. The data supplied by Manning helped put WikiLeaks on the map as a source for secret government information but drew swift condemnation from U.S. officials.

7 really cool network and IT research projects

Researchers at top universities, backed by funding from federal and other outfits, are pumping out loads of research on network security, wireless networking and more. Here's a recap of 7 impressive projects from recent months. 1. Not that you trust mobile apps in the first place… Carnegie Mellon University researchers took a deep dive into about 18,000 popular free apps on the Google Play store and found that not only about half of them lacked a privacy policy but a good number of those that have policies aren’t adhering to them. As many as 4 in 10 apps with policies could be collecting location information and nearly 1 in 5 could be sharing that data without getting your permission to do so,

Think employers must protect workers’ personal info? Think again

There’s good news for security pros worried that their organizations may be liable if their employees’ personal information gets hacked: a panel of judges in Pennsylvania says workers can’t collect damages from their employer if things like Social Security numbers, bank account information, birth dates, addresses and salaries are compromised in a data breach. Even though the stolen data was used to file phony tax returns in order to get the refunds, the workers at University of Pittsburgh Medical Center (UPMC) had no reasonable expectation that the data would be safe, the Superior Court of Pennsylvania ruled recently. The case, known as Dittman v. UPMC, pertains solely to employee records, not customer records, and not patient records, which are protected by HIPAA.

Sensitive access tokens and keys found in hundreds of Android apps

Many developers still embed sensitive access tokens and API keys into their mobile applications, putting data and other assets stored on various third-party services at risk. A new study performed by cybersecurity firm Fallible on 16,000 Android applications revealed that about 2,500 had some type of secret credential hard-coded into them. The apps were scanned with an online tool released by the company in November. Hard-coding access keys for third-party services into apps can be justified when the access they provide is limited in scope. However, in some cases, developers include keys that unlock access to sensitive data or systems that can be abused.
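The kind of check such a scanner performs, as an added example that is not Fallible's tool or any code from the article: it runs over the strings pulled out of a decompiled app (the dump format, the variable names and every key value below are constructed for this example; the AWS value is Amazon's documented placeholder) and reports matches for credential formats with documented public prefixes, assignments to names like api_key, PEM private-key headers, and, for keys stored under innocent names, any long quoted blob whose character entropy is high.

```python
import math
import re

# Signature patterns for credential formats whose public prefixes are
# documented (AWS access key IDs start with "AKIA", Google API keys with
# "AIza"), plus a generic catch for assignments such as api_key = "...".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*[\"']([^\"']{8,})[\"']"),
}

# Any quoted blob of 20+ base64/hex-like characters is a candidate for the
# entropy heuristic below; this catches keys stored under innocent names.
QUOTED_BLOB = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")


def shannon_entropy(s):
    """Bits of entropy per character, estimated from the string's own
    character frequencies (the usual heuristic used by secret scanners)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(value, threshold):
    # Identifiers such as class names are letters only and still score high
    # on entropy, so require a digit as well as a letter before flagging.
    has_digit = any(c.isdigit() for c in value)
    has_alpha = any(c.isalpha() for c in value)
    return has_digit and has_alpha and shannon_entropy(value) >= threshold


def find_secrets(text, entropy_threshold=3.5):
    """Return (line_number, kind, value) for every suspected secret in
    text, which is expected to hold one string or config entry per line."""
    findings = []
    seen = set()  # a value reported under a named pattern is not reported twice
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value not in seen:
                    seen.add(value)
                    findings.append((lineno, kind, value))
        for m in QUOTED_BLOB.finditer(line):
            value = m.group(1)
            if value not in seen and looks_random(value, entropy_threshold):
                seen.add(value)
                findings.append((lineno, "high_entropy_string", value))
    return findings


# Constructed sample: string resources as a decompiler might dump them.
# Every key below is fabricated for this example (the AWS value is Amazon's
# documented placeholder key); none is a live credential.
SAMPLE_STRINGS = "\n".join([
    'app_name = "Weather Now"',
    'base_url = "https://api.example.test/v2/"',
    'aws_key = "AKIAIOSFODNN7EXAMPLE"',
    'maps_key = "AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe"',
    'api_key = "sk_live_0123456789abcdefEXAMPLE"',
    'observer = "MainActivityLifecycleObserverImpl"',
    'cfg_blob = "c2VjcmV0LWhtYWMta2V5LWRvLW5vdC1zaGlw"',
])

if __name__ == "__main__":
    for lineno, kind, value in find_secrets(SAMPLE_STRINGS):
        print(f"line {lineno}: {kind}: {value}")
```

Lines 3, 4, 5 and 7 of the sample are reported; the class name on line 6 scores above the entropy threshold but is letters only, which is why the digit requirement is there. Every hit still needs triage: a key for a read-only, rate-limited public endpoint is the "limited in scope" case the article allows, whereas a cloud access key or a signing secret is not.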

Terrorists are winning the digital arms race, experts say

Terrorist groups are embracing a huge number of digital tools to recruit members and plan attacks, putting them a step ahead of governments trying to combat them, a group of counterterrorism experts said. Twitter removed about 250,000 accounts connected with ISIS in one year, but the terrorist group uses 90 other social media platforms, Rob Wainwright, the director of Europol, said Tuesday. Terrorist groups have begun to live stream their attacks, and they are using the internet to launch "innovative crowdfunding" campaigns, he said at the World Economic Forum in Davos-Klosters, Switzerland. "The technology is advanced," Wainwright added. "They know what to do, and they know how to use it."

25 most common passwords in 2016 and how quickly they can be cracked

It’s nearly that time again when SplashData will release its annual list of worst passwords, but this list of passwords comes from Keeper Security. The company analyzed over 10 million passwords available on the public web before publishing a list of the 25 most common passwords of 2016. Keeper pointed a finger of blame at websites for not enforcing password best practices. Even if a site won’t help you determine whether a password is decent, people could use common sense. It’s disheartening to know that 17 percent of people still try to safeguard their accounts with “123456.” And “password” is, of course, still on the list, as well as keyboard patterns such as “qwerty” and “123456789”.
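What the server-side enforcement Keeper is asking for looks like, as an added example that is not from the article or from Keeper: a registration check that rejects anything on a common-password list (the short list below is constructed for this example and is not Keeper's), undoes the usual character substitutions first so "P@ssw0rd" is still caught, rejects keyboard walks like "qwerty", and for everything else estimates how long a brute-force search would take. The guess rate is an assumption stated in the code; the point of the estimate is the gap between one guess for a listed password and years for a long one, not the absolute numbers.

```python
# Constructed excerpt of a most-common-passwords list, most common first.
# Guessing tools try such lists before any brute force, so a listed
# password falls in about (rank + 1) guesses regardless of its length.
COMMON_PASSWORDS = [
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "qwertyuiop", "mynoob",
    "123321", "666666", "18atcskd2w",
]
RANK = {pw: i for i, pw in enumerate(COMMON_PASSWORDS)}

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Common character substitutions undone before the blocklist lookup,
# so "P@ssw0rd" is treated as "password".
LEET = str.maketrans("@$!0134", "asiolea")

# Assumed attacker throughput for an offline attack on a fast unsalted hash
# (an assumption for the estimate; a slow hash such as bcrypt is far lower).
GUESSES_PER_SECOND = 1e10
MIN_LENGTH = 8


def blocklist_rank(pw):
    """Rank in the common list, trying the raw lowercase form first and then
    the de-leeted form; None when not listed."""
    for candidate in (pw.lower(), pw.lower().translate(LEET)):
        if candidate in RANK:
            return RANK[candidate]
    return None


def has_keyboard_walk(pw, min_len=4):
    """True if the password contains a run of min_len adjacent keys from one
    keyboard row, in either direction (qwer, 7654, ...)."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + min_len] in s for i in range(len(seq) - min_len + 1)):
                return True
    return False


def charset_size(pw):
    """Size of the alphabet a brute-force attacker would have to cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def evaluate(pw):
    """Verdict for a candidate password: accepted flag, reason, expected
    number of guesses and the time that takes at GUESSES_PER_SECOND."""
    rank = blocklist_rank(pw)
    if rank is not None:
        guesses = rank + 1
        return {"accepted": False, "reason": "common_password",
                "guesses": guesses, "seconds": guesses / GUESSES_PER_SECOND}
    if has_keyboard_walk(pw):
        return {"accepted": False, "reason": "keyboard_walk",
                "guesses": None, "seconds": None}
    if len(pw) < MIN_LENGTH:
        return {"accepted": False, "reason": "too_short",
                "guesses": None, "seconds": None}
    # Brute force over the character classes used: on average the attacker
    # finds the password halfway through the keyspace.
    guesses = charset_size(pw) ** len(pw) // 2
    return {"accepted": True, "reason": "ok",
            "guesses": guesses, "seconds": guesses / GUESSES_PER_SECOND}


if __name__ == "__main__":
    for pw in ["123456", "P@ssw0rd", "qwerty123", "Tr0ub4dor",
               "correct horse battery staple"]:
        print(pw, evaluate(pw))
```

A real deployment would check against the full breach-derived list rather than this excerpt, and would do so in addition to, not instead of, a slow password hash and rate limiting, since the estimate assumes the attacker already holds the hashes.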

When real-time threat detection is essential

Finding the bad guys right away: While organizations always want to find threats as quickly as possible, that ideal is far from being met. On average, dwell times last months and give cyber criminals all the time they need to peruse a network and extract valuable information that can impact a company, its customers and its employees.

Why Linux users should worry about malware and what they can do about it

Preventing the spread of malware and/or dealing with the consequences of infection are a fact of life when using computers. If you’ve migrated to Linux or Mac seeking refuge from the never-ending stream of threats that seems to target Windows, you can breathe a lungful of fresh air—just don’t let your guard down. Though UNIX-like systems such as Mac OS X and Linux can claim fewer threats due to their smaller user bases, threats do still exist. Viruses can be the least of your problems too. Ransomware, like the recent version of KillDisk, attacks your data and asks you to pay, well, a king’s ransom to save your files. (In the case of KillDisk, even paying the ransom can’t save you if you’re running Linux.)

The war for cybersecurity talent hits the Hill

Many analysts and business leaders believe there is a severe need for qualified cybersecurity professionals in the U.S., something that has caught the eye of at least one key congressman. U.S. House Homeland Security Committee Chairman Michael McCaul (R-Texas) on Wednesday said more needs to be done to address the cybersecurity labor shortage. "I agree 110% that we need to strengthen the workforce" of cybersecurity professionals, McCaul said during a meeting with reporters at the National Press Club.

The unseemly world of Darkweb marketplaces

The genesis of underground markets goes back to when communication used to take place via Internet Relay Chat channels. Fast forward to the 21st century: with the evolution of cryptocurrencies and anonymous communications, the underground market ecosystem has evolved. Underground markets offer a variety of services for cyber criminals to profit from, says Luis Mendieta, senior security researcher at Anomali. These forums offer items ranging from physical world items like drugs and weapons to digital world items such as spam/phishing delivery, exploit kit services, "Crypters", "Binders", custom malware development, zero-day exploits, and bulletproof hosting.

How to handle security vulnerability reports

If there’s a flaw in your IT security — and there probably is — you can’t assume that someone in your organization will be the first to find it. But if you’re lucky, instead of ending up with ransomware or a data breach, you might hear about it from a security researcher or even a smart customer who’s spotted the problem and wants to warn you. Are you ready to listen? Many companies aren’t, warns security consultant Troy Hunt. Hunt runs haveibeenpwned.com, a website that helps people discover if any of their accounts have been compromised by data breaches. Because of his role with the website, he routinely finds himself in a position to contact organizations about breaches and other security issues that he’s found or that other people pass on to him.

Tackling cybersecurity threat information sharing challenges

There’s been considerable talk in recent years about the importance of cybersecurity information sharing. After all, few organizations can really work in a vacuum and no single organization can see all of the threats lying in wait on the internet. And many CISOs find it helpful to share notes with others in their industry to compare which strategies and practices work best and compare program maturity levels. But the nearly two-decade effort to share such information hasn’t been smooth. Many organizations are wary of sharing sensitive cybersecurity information, especially with governments. Not only can such information jeopardize the security posture of an organization, it can damage customer impressions of a company and even affect stock values.