Companies were least prepared to assess the security risks of cloud and mobile technologies, according to a survey of cybersecurity professionals released this morning.

Around 60 percent of companies were able to assess security risks in cloud environments, down 7 points compared to last year. Mobile devices scored at 57 percent, down by 8 percentage points compared to last year.

Overall, the confidence levels of security professionals that their cyber defenses were meeting expectations dropped from 76 percent last year to 70 percent in this year's survey, according to the report, which was produced by Annapolis, Md.-based CyberEdge Group and sponsored by Tenable.
We experimented and tinkered with numerous bots that are available for Slack, the cloud messaging service meant mainly for business. (You can still use Slack for non-work reasons, particularly under the service’s free option.) Here are 10 that could be most helpful working alongside your Slack team.

1. Ace: Saves your to-do list, and conducts your polls and surveys

You can build a to-do list by sending each task item as a message to this bot; it will store them, and show the list to you upon command. A task can be designated to a channel and assigned to a member in your Slack team, and labeled as prioritized (i.e. more important than others). Ace includes other functionalities: you can create simple polls and number ratings surveys with the bot, for which it will tally and provide a summary of the results of your team members’ responses.
New products of the week

Our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow.

Wyse 5060 Thin Client
Image by Dell
Seven years ago, Steve Jobs launched the once-popular Adobe Flash into a long, slow death spiral when he announced that Flash would not be installed on any of his cutting-edge products, particularly the iPad and iPhone. Jobs argued that Flash was slow, cumbersome, battery intensive, incompatible with touch-screens, and had massive security issues.

Since then, Flash has fallen out of favor for a number of very good reasons. First, it remains a serious security concern. Second, around five years ago, Adobe announced that Flash would not be available for mobile devices, which is where Internet users were headed. And third, HTML5 emerged in 2014 as an adequate replacement for Flash as a development platform for multimedia applications such as animation and games.
Have you ever handed your phone over to someone you didn’t know so that he or she could verify data you have saved in an app? A minister and his wife did, and their story is a disturbing cautionary tale as to why you shouldn’t hand your phone over to anyone.

The following information comes from a lawsuit (pdf) against Toyota and a specific dealership as well as a Dallas Morning News report.

Pastor Tim Gautreaux and his wife, Claire, were interested in buying a Prius from Texas Toyota of Grapevine. They had taken the dealership’s advice and used an app to get pre-approved for financing via Capital One Financial Corporation. An internet car salesman claimed he needed to show the pre-approved financing information in the app to his manager. The pastor unlocked his phone and handed it over.
The Russian government claims to have foiled a "large-scale" cyber attack from foreign intelligence services meant to destabilize the country’s financial system.

The government’s Federal Security Service made the statement on Friday without blaming a specific country, but said the attack was meant to be carried out on Dec. 5 against a number of major Russian banks.

The hack would have also included the use of social media and SMS text messages to circulate posts claiming a crisis in Russia’s financial system. Several dozen cities in the country had been targeted, the Federal Security Service claimed, stating it had already neutralized the threat.
What could possibly be creepier than a government organization (such as the NSA) having nearly unlimited access to your private, personal information (including access to your webcam)? Turns out, the answer is: when it gets turned into a video game. And it appears they have done this.

On Dec. 1, 2016, Wikileaks released a collection of documents relating to the German parliament inquiry into the cooperation between the German foreign intelligence agency (the BND) and the United States’ NSA. One particular document (pdf) within that collection caught my attention. It appears to be a report from an official at the European Cryptologic Center (ECC) from April 13, 2012, detailing how they can improve usage of Xkeyscore (XKS) to collect information about people.
A new software development technique promises to end destructive exploits from hackers. The concept is to continually, and repeatedly, rearrange the program’s code while it’s running—and do it very quickly. Doing that shuts down the hacker’s “window of opportunity” because he doesn’t know where to find bugs to hit with his poisonous attack. The scrambling occurs over milliseconds.

Code reuse attacks are the kind of harmful exploits that can be stopped dead in their tracks, researchers say in an article on Columbia University’s website.
Two researchers claim to have found a way to bypass the activation lock feature in iOS that's supposed to prevent anyone from using an iPhone or iPad marked as lost by its owner.

The first report came Sunday from an Indian security researcher named Hemanth Joseph, who started investigating possible bypasses after being confronted with a locked iPad he acquired from eBay.

The activation lock gets enabled automatically when users turn on the Find My iPhone feature via iCloud. It links the device to their Apple IDs and prevents anyone else from accessing the device without entering the associated password.

One of the few things allowed from the activation lock screen is connecting the device to a Wi-Fi network, including manually configuring one. Hemanth had the idea of trying to crash the service that enforces the lock screen by entering very long strings of characters in the WPA2-Enterprise username and password fields.
Poor implementation of encryption in a popular Android remote management application exposes millions of users to data theft and remote code execution attacks.

According to researchers from mobile security firm Zimperium, the AirDroid screen sharing and remote control application sends authentication information encrypted with a hard-coded key. This information could allow man-in-the-middle attackers to push out malicious AirDroid add-on updates, which would then gain the permissions of the app itself.

AirDroid has access to a device's contacts, location information, text messages, photos, call logs, dialer, camera, microphone and the contents of the SD card. It can also perform in-app purchases, change system settings, disable the screen lock, change network connectivity and much more.
President-elect Donald Trump ran a campaign focused on national security and making America great again through economic reform. Clearly both goals should include policies and programs to bolster the nation’s cybersecurity capabilities. This shouldn’t be an abstract concept to Mr. Trump after an election cycle featuring Russian hacks and WikiLeaks posts. To reinforce this priority, it is also worth noting that in a pre-election survey by ESG research, 49 percent of cybersecurity professionals said cybersecurity is a critical issue and should be the top national security priority for the next President, while 45 percent said cybersecurity is a very important issue and should be one of the top national security priorities for the next President. If those citizens on the front line see cybersecurity as a major priority, this should speak volumes to the President-elect.
Add credit card fraud to the list of things that distributed processing can speed up.
An e-commerce site will typically block a credit card number after 10 or 20 failed attempts to enter the corresponding expiry date and CVV (card verification value), making life difficult for fraudsters who don't have a full set of credentials.
But there are plenty of e-commerce sites out there, and it's possible to obtain missing account details by submitting slightly different payment requests to hundreds of them in parallel.
It takes less than six seconds to perform the "distributed guessing attack," according to the researchers at Newcastle University in the U.K. who figured out how to do it.
Windows 10’s aggressive data-collection capabilities may concern users about corporate spying, but enterprises have control that consumer-edition Windows users do not: Administrators can decide how much information gets sent back to Microsoft.

But enterprises need to think twice before turning off Windows telemetry to increase corporate privacy. That’s because doing so can decrease the effectiveness of Windows 10’s security features.

Microsoft isn’t merely hoovering up large amounts of data because it can. The company has repeatedly reiterated its stance that Windows 10 does not collect the user’s personal data, but rather anonymized file data that is then used to improve overall user experience and Windows functionality.
Law enforcement agencies have dismantled a major cybercriminal network responsible for malware-based attacks that have been harassing victims across the globe for years.

The network, called Avalanche, operated as many as 500,000 infected computers on a daily basis and was responsible for delivering malware through phishing email attacks. Avalanche has been active since at least 2009, but on Thursday, authorities in the U.S. and Europe announced they had arrested five suspects allegedly involved with it.

Avalanche has been found distributing more than 20 different malware families, including GozNym, a banking Trojan designed to steal user credentials, and Teslacrypt, a notorious ransomware. Europol estimated the network has caused hundreds of millions of dollars in damages across the world.
Although vendor-written, this contributed piece does not advocate a position that is particular to the author’s employer and has been edited and approved by Network World editors.

With cybersecurity threats on the rise, companies are increasingly taking advantage of cybersecurity insurance. And while cyber insurance can be worth it, it’ll cost you. Last year, U.S. insurers earned $1B in cyber premiums. You can minimize your premiums by showing your insurance company you’re actively mitigating cyber risks, which is a win-win: lower your risk and secure a more cost-effective insurance plan.
Saudi Arabia's government agencies were hit with a cyberattack that security researchers are blaming on a worm-like malware that can wipe computer systems, destroying data.

Several government bodies and vital installations suffered the attack, disrupting their servers, the country's Saudi Press Agency said on Thursday. The transportation sector was among the agencies hit by an actor from outside the country, the press agency said.

Security firms say the attack involved malware called Shamoon or Disttrack that was previously found targeting a Saudi Arabian oil company four years ago. That attack disabled 30,000 computers.
According to the 2016 State of Compliance survey conducted by data management and integration provider Liaison Technologies, one-quarter of top executives are unclear who in their organization is responsible for compliance. And nearly half (47 percent) of respondents to the survey of 479 senior and C-level executives said they don't know which compliance standards apply to their organizations.

“As leaders in the compliance domain we thought it was important to share our findings on how U.S. companies perceive their regulatory obligations—and examine ways to help improve their compliance postures,” Hmong Vang, chief trust officer with Liaison, said in a statement. “What we found was rather concerning."
One of the big stories in security over the past year has been the rise of devastating distributed denial of service (DDoS) attacks that have hit sites and organizations like DNS provider Dyn, the BBC and the website of security journalist Brian Krebs.

Amazon Web Services is trying to help protect its customers with a new service aimed at mitigating DDoS impacts. It's called Shield, and the free entry-level tier is enabled by default for all web applications running on AWS, starting on Wednesday.
Got innovation?

The Defense Advanced Research Projects Agency this week announced a program it hopes will get the world’s deep-thinkers to collaborate and explore emerging science and technology for advanced applications.

The agency is proposing an online community known as Gamifying the Search for Strategic Surprise (GS3) that would “apply a unique combination of online game and social media technologies and techniques to engage a large number of experts and deep thinkers in a shared analytic process to rapidly identify, understand, and expand upon the potential implications and applications of emerging science and technology. The program will also develop a mechanism to identify and quickly fund research opportunities that emerge from this collaborative process,” DARPA stated.
Just as the internet changed everything, a new revolution known as the Internet of Things (IoT) promises to produce even greater disruption, primarily because IoT sensors will be utilized everywhere—in hospitals to monitor medical devices, in factories to supervise operations, in buildings for controlling temperature and lighting, etc. Data from these sensors will be used for operations management, predictive maintenance and much more. Meanwhile, all of these applications are typically integrated with an enterprise’s IT infrastructure. As such, they are introducing a variety of new security challenges.

Just like in current IT environments, there is no security silver bullet that can protect IoT devices from every possible cyber threat.