Category Archives for "Network World Security"

Big Switch adds security perimeter around SDN data center

Big Switch Networks today unveiled a wide-ranging group of products aimed at mitigating security attacks, scrutinizing cloud and container environments and improving its existing SDN-based monitoring software. In the security realm, Big Switch rolled out its BigSecure Architecture, a high-performance cyber-defense platform that the company says will help enterprises protect against Terabit-speed attacks. “What we are seeing is network attack by thousands of IoT devices [like the recent Dyn DNS attack that hit 1.2Tbps] using massive speed and bandwidth to take down resources. To mitigate against that kind of attack can be cost prohibitive, but what we have implemented in BigSecure can help mitigate those attacks,” said Prashant Gandhi, vice president and chief product officer.

Say goodbye to MS-DOS command prompt

My very first technology article, back in 1987, was about MS-DOS 3.30. Almost 30 years later, I’m still writing, but the last bit of MS-DOS, cmd.exe — the command prompt — is on its way out the door. It’s quite possible that you have been using Microsoft Windows for years — decades, even — without realizing that there’s a direct line to Microsoft’s earliest operating system or that an MS-DOS underpinning has carried over from one Windows version to another — less extensive with every revision, but still there nonetheless. Now we’re about to say goodbye to all of that. Interestingly, though, there was not always an MS-DOS from Microsoft, and it wasn’t even dubbed that at birth. The history is worth reviewing now that the end is nigh.

Backdoor accounts found in 80 Sony IP security camera models

Many network security cameras made by Sony could be taken over by hackers and infected with botnet malware if their firmware is not updated to the latest version. Researchers from SEC Consult have found two backdoor accounts that exist in 80 models of professional Sony security cameras, mainly used by companies and government agencies given their high price. One set of hard-coded credentials is in the Web interface and allows a remote attacker to send requests that would enable the Telnet service on the camera, the SEC Consult researchers said in an advisory Tuesday.

Getting started with blockchain smart contracts

Few managers look forward to negotiating contracts. In large companies, there are many stakeholders to consult and it’s easy to make a misstep. And then there’s the expense involved in working with lawyers. Smart contract technology promises to simplify the contract process and provide greater transparency. What are smart contracts? Early approaches to smart contracts included some that were merely “augmented by technology,” says Houman B. Shadab, professor of law at New York Law School. “In a sense, you could view contract signing and management services like DocuSign as an example of [smart contracts].” Other approaches automated the production of traditional contracts using templates.

App developers not ready for iOS transport security requirements

A month before Apple is expected to enforce stricter security requirements for app communications in iOS, enterprise developers don't seem ready to embrace them, a new study shows. The study was performed by security firm Appthority on the most common 200 apps installed on iOS devices in enterprise environments. The researchers looked at how well these apps conform to Apple's App Transport Security (ATS) requirements. ATS was first introduced and was enabled by default in iOS 9. It forces all apps to communicate with Internet servers using encrypted HTTPS (HTTP over SSL/TLS) connections and ensures that only industry-standard encryption protocols and ciphers without known weaknesses are used. For example, SSL version 3 is not allowed and neither is the RC4 stream cipher, due to known vulnerabilities.

Trump cybersecurity dos and don’ts (Part 2)

Given recent cybersecurity incidents such as the Google Android data breach, the DDoS attack on Dyn and the data breach of the DNC, President-elect Donald Trump will find cybersecurity policy a top priority when he takes office in January. What should Mr. Trump do and what should he avoid? In my last blog, I presented some recommendations for the “do” column. Alternatively, here is a list of things President Trump should eschew in his administration’s cybersecurity agenda. The “don’t” column includes the following: Don’t obsess over the cybersecurity intelligence sharing path. Public/private partnerships for cybersecurity cooperation have roots that go back to the Clinton administration’s original PDD-63 for critical infrastructure protection. In more recent times, Congress struggled with CISPA then CISA as stand-alone bills before sneaking CISA into a federal spending bill in late 2015. Intelligence sharing is a good step, but it’s been beaten to death and most large organizations have figured this out on their own. What’s needed is a concerted effort on best practices and sharing threat intelligence with small businesses. Yes, these things should happen, but the feds should do so as part of CISA and not spin up another distracting effort.

Expedia IT tech made $330K by secretly accessing execs’ files for insider trading

Lots of IT techs have access to network credentials to access company files and emails, but it wouldn’t cross the minds of most to abuse that knowledge for a “get-rich scheme” in the flavor of insider trading. Yet that doesn’t apply to everyone, since a 28-year-old admitted to exploiting his position in order to gain insider knowledge and illegally trade and profit from those secrets. Jonathan Ly, a former IT tech for Expedia, pleaded guilty to securities fraud – something FBI Special Agent in Charge Jay S. Tabb, Jr. called, “Particularly egregious because Mr. Ly abused his special access privileges as an IT administrator. On top of violating the trust of the public and his company, he violated the privacy of fellow employees by surreptitiously accessing their files.”

IBM amps up Watson cybersecurity experiences

Watson has gone through school and is ready for its first internship. IBM today said its Watson cognitive computing system continues its path to becoming part of a full-fledged cybersecurity service by announcing that 40 customers have begun beta testing the technology as an enterprise protection tool. Watson has recruited enterprises from the auto, banking and insurance realms -- including Sun Life Financial, University of Rochester Medical Center, SCANA Corporation, Sumitomo Mitsui Financial Group, California Polytechnic State University, University of New Brunswick, Avnet and Smarttech -- to help research and develop new security applications that will use the system's natural language and machine learning techniques.

4 top disaster recovery packages compared

Whether the disaster is a flood, a power outage or human error, IT departments have the critical role of getting business systems working again. And that requires reliable disaster-recovery software. Four of the top disaster-recovery (DR) software suites are Veeam Backup, Altaro VM Backup, Zerto Virtual Replication and VMware’s Site Recovery Manager (SRM), according to reviews written by users in the IT Central Station community. But what do enterprise users really think about these tools? Here, users give a shout-out for some of their favorite features, but also give the vendors a little tough love.

Companies increasingly looking for hackers to attack their networks

The U.S. Army ventured into unfamiliar territory last week, the first day of its “Hack the Army” bug bounty program that challenges dozens of invited hackers to infiltrate its computer networks and find vulnerabilities in select, public-facing Army websites. "We're not agile enough to keep up with a number of things that are happening in the tech world and in other places outside the Department of Defense," explained Army Secretary Eric Fanning in announcing the plan in mid-November. "We're looking for new ways of doing business," which includes a break from the past when government avoided working with the hacker community.

Tell-tale toys open bedroom door to strangers, consumer groups warn

Internet-connected toys subject children to hidden marketing messages and allow strangers to converse with them from a distance, consumer rights groups say. The groups highlighted breaches of security and basic consumer rights in two toys in particular, the i-Que robot and the My Friend Cayla doll. The toys connect via Bluetooth to smartphone apps that record children speaking and transmit the recordings to a voice recognition service provider in the U.S., Nuance Communications, allowing the toys to appear to converse with the children. But, the consumer groups say, there is no authentication or pairing of the Bluetooth connections, allowing strangers within radio range of the toys to detect them and connect with them to carry on a conversation with the children directly. Furthermore, they say, voice recordings that could contain personal information are transmitted to Nuance without explicit consent, and the toys inject messages into their conversations repeatedly endorsing Disney products.

Common security mistakes in collaboration tools

Collaboration tools have become widely used across organizations today, as people come to rely on these handy tools to work more efficiently. They reduce reliance on email, increase conversation between teams and provide an easy way to share information with colleagues. However, as with many workplace applications today, there are many gaps where security settings can fail, and corporate IT is beginning to take notice. Mike McCamon, president at SpiderOak, recommends staying away from these common security and privacy mistakes.

Privacy groups urge investigation of ‘internet of toys’

Privacy groups in the U.S. and seven European countries will ask consumer protection agencies to investigate the maker of two internet-connected toys for violations of laws designed to protect children's privacy. The complaints are scheduled to be filed Tuesday against Genesis Toys, maker of the My Friend Cayla and I-Que Intelligence Robot toys, and Nuance Communications, the provider of voice-recognition software for the products. The complaints, to be filed in the U.S., France, Sweden, Greece, Belgium, Ireland, the Netherlands, and Norway, may be only the beginning of actions taken by consumer and privacy groups targeting a lucrative slice of the internet of things market, the so-called internet of toys.

Facebook, Twitter, Microsoft and YouTube will share terror content info

Facebook, Twitter, Microsoft and Google's YouTube have agreed to share with one another identifying digital information of violent terror content that they find on their platforms. When they remove "violent terrorist imagery or terrorist recruitment videos or images" from their platforms, the companies will include in a shared industry database the hashes, or unique digital fingerprints, of the content. Other participants can use the shared hashes to help identify matching content on their hosted consumer platforms, review against their respective policies and definitions, and remove the content when appropriate, according to a statement by the companies on Monday.

Obama’s cybersecurity plan faces uncertainty with Trump

U.S. consumers could one day see cybersecurity ratings on technology products, much like today's EnergyStar ratings, if the findings of a government-sponsored cybersecurity commission are heeded. As with much in Washington right now, though, a lot depends on incoming U.S. President Donald Trump, and his views on cybersecurity are far from clear. The report, published on Friday by the Commission on Enhancing National Cybersecurity, also suggests that usernames and passwords be replaced with something more secure and wants 150,000 cybersecurity experts trained over the next four years to help the U.S. defend against hacking threats. The commission has the support of President Obama and began its work in February this year, with executives at Microsoft, IBM, Uber and former U.S. government officials. However, in releasing its findings, Obama acknowledged it’ll be up to the next president and U.S. Congress to more fully implement what the commission has recommended.

Behavior analytics tools for cybersecurity move into enterprises

Behavior analytics is one of the more recent buzzwords in enterprise cybersecurity, with more than 35 vendors competing for customers, according to security analysts. Behavior analytics in cybersecurity is roughly defined as using software tools to detect patterns of data transmissions in a network that are out of the norm. The theory is that the analytics tool would detect the anomaly and alert IT managers, who would stop the unusual behavior or cyberattack. Enterprises use behavior analytics to detect intrusions that evade preventive technologies such as firewalls, intrusion-prevention systems and antivirus software. Those conventional tools match fingerprints or signatures identified in prior attacks, while behavior analytics tools study and report anomalies that are judged against a baseline of normal behavior. Among the users of behavior analytics is the National Security Agency, which uses the analytics to detect threats to its private cloud system.

Google launches Trusted Contacts location sharing app

How do you feel about sharing your location with “trusted contacts”? From Google’s point of view, its new Trusted Contacts app will “help you feel safe and give your friends and family peace of mind.” The “personal safety app” will work even if your phone is offline. Google software engineer Minh Nguyen explained: Here’s how it works: Once you install the Android app, you can assign “trusted” status to your closest friends and family. Your trusted contacts will be able to see your activity status — whether you’ve moved around recently and are online — to quickly know if you're OK. If you find yourself in a situation where you feel unsafe, you can share your actual location with your trusted contacts. And if your trusted contacts are really worried about you, they can request to see your location. If everything’s fine, you can deny the request. But if you’re unable to respond within a reasonable time-frame, your location is shared automatically and your loved ones can determine the best way to help you out. Of course, you can stop sharing your location or change your trusted contacts whenever you want.

Chrome bug triggered errors on websites using Symantec SSL certificates

If you've encountered errors over the past month when trying to access HTTPS-enabled websites on your computer or Android phone, it might have been due to a bug in Chrome. The bug affected the validation for some SSL certificates issued by Symantec, one of the world's largest certificate authorities, as well as by GeoTrust and Thawte, two CAs that Symantec also controls. The bug was introduced in Chrome version 53, but also affected the Android WebView component that Android apps use to display Web content, said Rick Andrews, senior technical director at Symantec, in a blog post Friday.

Ransomware as a Service fuels explosive growth

Believe it – you too can become a successful cyber criminal! It’s easy! It’s cheap! It’s short hours for big bucks! No need to spend years on boring things like learning how to write code or develop software. Just download our simple ransomware toolkit and we can have you up and running in hours – stealing hundreds or thousands of dollars from people in other countries, all from the comfort of your home office – or your parents’ basement. Sit back and watch the Bitcoin roll in! OK, that’s not the literal pitch coming from the developers of ransomware. But, given the rise of Ransomware as a Service (RaaS) – a business model in which malware authors enlist “distributors” to spread the infections and then take a cut of the profits – it sounds like it could be a candidate for the kind of “direct-response” TV ads that made the late pitchman Billy Mays famous.