You think you have your hands full as an IT pro now? Just wait until blockchain, IoT, augmented and virtual reality, and these other technologies really start to take hold in 2017. Thinkstock
The Internet of Things – for real
Yes, yes, we know – it’s one of those long-standing tech industry jokes, like “the year of the Linux desktop” and “Java security.” But 2017 really could be the year that all the hub-bub and hype around the Internet of Things comes home to roost.To read this article in full or to leave a comment, please click here
Lynda.com, the online learning unit of LinkedIn, has reset passwords for some of its users after it discovered recently that an unauthorized external party had accessed a database containing user data.The passwords of close to 55,000 affected users were reset as a precautionary measure and they have been notified of the issue, LinkedIn said in a statement over the weekend.The professional network is also notifying about 9.5 million Lynda.com users who “had learner data, but no protected password information,” in the breached database. “We have no evidence that any of this data has been made publicly available and we have taken additional steps to secure Lynda.com accounts,” according to the statement.To read this article in full or to leave a comment, please click here
If you enjoy good security-related reads, then you might like to check out a couple different takes on the latest ShadowBrokers’ NSA-linked Equation Group auction files. One comes from “the grugq,” a security researcher who is well-respected for his infosec and counterintelligence knowledge, and the other is by the cybersecurity researchers at Hacker House out of the UK.The Grugq published a three-part commentary series on the great cyber game – part 1, part 2, part 3. His deep analysis is his contribution since not many are capable of it. He said that the latest by the ShadowBrokers, dropped on Dec. 14, is a “massive” and valuable drop in terms of revealing to the NSA what the Russians know and have obtained.To read this article in full or to leave a comment, please click here
U.S. President Barack Obama pledged to punish Russia for hacking of Democratic groups and figures during the election season with actions that’ll occur in secret and others that’ll be made public.
“Our goal continues to be to send a clear message to Russia or others not to do this to us because we can do stuff to you,” Obama said in a press conference.
The President stopped short of explicitly blaming Russian president Vladimir Putin for directing the alleged hacks, but said that, “not much happens in Russia without Vladimir Putin.”
Obama met Putin during a summit in China in September and told him to "cut it out" and or else "there would be some serious consequences if he didn't," he said. After that meeting, the hacking attempts stopped but Wikileaks had already been given copies of stolen documents.To read this article in full or to leave a comment, please click here
When it comes to the cybersecurity skills shortage, I am somewhat of a “Chicken Little” as I’ve been screaming about this issue for the last 5 years or so. As an example, ESG research conducted in early 2016 indicated that 46% of organizations indicate that they have a problematic shortage of cybersecurity skills today (note: I am an ESG employee).So, ESG and other researchers have indicated that there aren’t enough infosec bodies to go around but what about those that have jobs? How is the cybersecurity skills shortage affecting them and the organizations they work for?Earlier this week, ESG and the Information Systems Security Association (ISSA) published the second report in a two-part research report series investigating these issues. This new report titled, Through the Eyes of Cyber Security Professionals, uncovers a lot more about just how deep the cybersecurity skills shortage cuts. For example:To read this article in full or to leave a comment, please click here
When it comes to the cybersecurity skills shortage, I am somewhat of a “Chicken Little,” as I’ve been screaming about this issue for the last five years or so. As an example, ESG research conducted in early 2016 indicated that 46% of organizations indicate that they have a problematic shortage of cybersecurity skills today (note: I am an ESG employee).
So, ESG and other researchers have indicated that there aren’t enough infosec bodies to go around but what about those that have jobs? How is the cybersecurity skills shortage affecting them and the organizations they work for?
Earlier this week, ESG and the Information Systems Security Association (ISSA) published the second report in a two-part research report series investigating these issues. This new report, titled "Through the Eyes of Cyber Security Professionals," uncovers a lot more about just how deep the cybersecurity skills shortage cuts. For example:To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
The massive DDoS attack that was aimed in stages at DNS provider Dyn in October 2016 did more than grab headlines. It also served as a wake-up call to companies that provide the global Internet infrastructure, as well as downstream operators and service providers. Many experts fear this attack could prove to be a tipping point in the battle to maintain stability and availability across the Internet.
Research shows the attack originated from an Internet of Things (IoT) botnet that involved an estimated 100,000 devices. Dyn experienced packet flow bursts 40 to 50 times higher than normal, and unverified reports put the magnitude of the attack in the 1.2Tbps range. The attack used multiple vectors and required a variety of techniques to fight off.To read this article in full or to leave a comment, please click here
Without the macOS update released this week, Apple's disk encryption can be easily defeated by connecting a specially crafted device to a locked Macbook.The attack is possible because devices connected over Thunderbolt can access the computer's RAM directly before the OS is started through the direct memory access (DMA) feature. The DMA mechanism is typically used by disk drive controllers, graphics cards, network cards, and sound cards because accessing the memory through the CPU would otherwise keep the processor busy and unavailable for other tasks.Apple's macOS has DMA protections, but they only kick in when the OS is running. However, the EFI (Extensible Firmware Interface) -- the modern BIOS -- initializes Thunderbolt devices at an early stage in the boot process and this enables them to use DMA before the OS is started, security researcher Ulf Frisk said in a blog post.To read this article in full or to leave a comment, please click here
What is it they say about failing to learn the lessons of history and being doomed to repeat it? However the famous saying goes, I think we can agree that the events of 2016 can be very instructive if we choose to pay attention.Just yesterday, for example, Yahoo disclosed a breach from 2013 involving more than 1 billion user accounts — and those are unrelated to the 2014 breach disclosed in September involving over 500 million user accounts.Among the lessons from the Yahoo breaches is that hackers are very good at what they do and are getting increasingly sophisticated. What can you do to prevent an email-based attack from happening in your organization? Above all, pay attention to the human element.To read this article in full or to leave a comment, please click here(Insider Story)
A giftScam artists see the holidays as an opportunity to rip people off. This year is no different. PhishMe’s Chief Threat Scientist Gary Warner has caught a few to share.Paypal: Suspicious activityImage by PhishMeTo read this article in full or to leave a comment, please click here
A giftScam artists see the holidays as an opportunity to rip people off. This year is no different. PhishMe’s Chief Threat Scientist Gary Warner has caught a few to share.Paypal: Suspicious activityImage by PhishMeTo read this article in full or to leave a comment, please click here
The new Internet communication protocol, HTTP/2, is now being used by 11 percent of websites -- up from just 2.3 percent a year ago, according to W3Techs.The new protocol does offer better performance, but there is no particular rush to upgrade, and it's backwards-compatible with the previous protocol, HTTP/1.1.No security problems have been found in the protocol itself, but there are vulnerabilities in some implementations and the possibility of lower visibility into internet traffic, so it's worth waiting for everything to shake out.The pressure to switch is likely to come from lines of business, said Graham Ahearne, director of product management at security firm Corvil.To read this article in full or to leave a comment, please click here
The Professional Surge Protector CSP300WUR1 safeguards common home and office devices, such as computers and electronics, by absorbing spikes in energy caused by storms and electrical power surges. Designed for convenience, the portable CSP300WUR1 is ideal for travelers. It provides 600 joules of protection, has three surge-protected outlets, and a folding wall tap plug. Two USB ports (2.1 Amp shared) charge personal electronics, including smartphones, digital cameras, MP3 players, and other devices. A Limited-Lifetime Warranty ensures that this surge suppressor has passed high quality standards in design, assembly, material or workmanship and further protection is offered by a $50,000 Connected Equipment Guarantee. It currently averages 4 out of 5 stars on Amazon, where its typical list price of $22 has been reduced 49% to just $11.27. See the discounted CSP300WUR1 on Amazon.To read this article in full or to leave a comment, please click here
The BlackBerry smartphone is dead: Long live the BlackBerry smartphone.A week after it officially pulled out of the smartphone market, BlackBerry has agreed to license its brand to handset manufacturer TCL.The Chinese company will make and market future BlackBerry handsets worldwide except for India, Indonesia, Bangladesh, Sri Lanka and Nepal, where BlackBerry has already struck local licensing deals.This is hardly new territory for TCL, which manufactured BlackBerry's last two handsets, the Android-based DTEK50 and DTEK60.To read this article in full or to leave a comment, please click here
Evernote has reversed proposed changes to its privacy policy that would allow employees to read user notes to help train machine learning algorithms.CEO Chris O’Neill said the company had “messed up, in no uncertain terms.”The move by the note-taking app follows protests from users, some of whom have threatened to drop the service after the company announced that its policy would change to improve its machine learning capabilities by letting a select number of employees, who would assist with the training of the algorithms, view the private information of its users. The company claims 200 million users around the world. To read this article in full or to leave a comment, please click here
A Russian-speaking hacker has been found selling stolen login credentials for a U.S. agency that tests and certifies voting equipment, according to a security firm.The hacker was attempting to sell more than 100 allegedly compromised login credentials belonging to the U.S. Election Assistance Commission (EAC), the security firm Record Future said in a Thursday blog post. The company said it discovered online chatter about the breach on Dec. 1.Some of these credentials included the highest administrative privileges. With such access, an intruder could steal sensitive information from the commission, which the hacker claimed to have done, Recorded Future said.To read this article in full or to leave a comment, please click here
Security pros need to pay attention to malicious activities that don’t rely on actual malware to succeed, according to a study by Carbon Black.Attacks that exploited applications and processes legitimately running on systems – non-malware incidents – have risen from representing about 3% of all attacks in January to about 13% in November, the company’s “Non-malware attacks and ransomware take center stage in 2016” report says.“Non-malware attacks are at the highest levels we have seen and should be a major focus for security defenders during the coming year,” it says.The research included data from more than 1,000 Carbon Black customers that represent 2.5 million-plus endpoints. For measuring the non-malware attacks, the authors considered the malicious use of PowerShell and Windows Management Instrumentation were considered.To read this article in full or to leave a comment, please click here
According to pop culture’s portrayal of cybersecurity, the industry is hot property. Hacks and breaches not only dominate the real-world media, but they can be seen everywhere in TV and movies today.Granted, there have been some early examples of security issues playing a role in pop culture plot lines, such as the 1980s cult-classic Tron. But in recent years, Hollywood seems to have really picked up the mantle when it comes to cybersecurity. If the bright lights of TV and movies are to be believed, hackers are simultaneously the coolest and scariest people on the planet.Let’s take a look at five of the most common cybersecurity misperceptions as portrayed in TV shows and movies:To read this article in full or to leave a comment, please click here
The No More Ransom project, a coalition of law enforcement and security companies, has expanded with 30 new members and added 32 new decryption tools for various ransomware variants.The project, which consists of a website dedicated to fighting ransomware, was originally launched by Europol’s European Cybercrime Centre in partnership with the National High Tech Crime Unit of the Netherlands police, Kaspersky Lab, and Intel Security.The website has a tool that allows users to determine which type of ransomware has affected their files but also contains general information about ransomware, prevention advice, and instruction on reporting incidents to law enforcement.To read this article in full or to leave a comment, please click here
Citrix is a bit like the pachyderm in the proverb about the blind men and the elephant. How customers describe the company depends a lot on which of Citrix’s diverse products they touch. It’s a desktop and app virtualization company. It’s a networking company. A secure file sharing company, a mobility management firm.
Yes, Citrix is all of those and more, and CEO Kirill Tatarinov – one year after taking over from long-time leader Mark Templeton – is working to show how all those pieces play together in making Citrix the focal point of the ‘workspace of the future’ for nimble enterprises. To read this article in full or to leave a comment, please click here(Insider Story)