Archive

Category Archives for "Network World Security"

Android patches fix Drammer RAM attack, but not Dirty Cow exploit

Google released a new monthly batch of security patches for Android, fixing a dozen critical vulnerabilities that could allow attackers to compromise devices. One of the mitigated issues is a bit-flipping attack against memory chips that could lead to privilege escalation, but a more widespread rooting vulnerability in the Linux kernel remains unpatched. While Google releases firmware updates for its Nexus and Pixel devices on the first Monday of every month, the security patches are shared with third-party device manufacturers one month in advance and are also contributed later to the Android Open Source Project to benefit the entire ecosystem.

French plan for biometric database of 60 million people sparks outcry

When the French government quietly announced, in the middle of a holiday weekend, the merging of two files to create a megadatabase holding the biometrics of almost 60 million French citizens, it was clearly hoping to avoid an outcry. It failed. Among those lining up to criticize the government's move are its own minister of state for the Digital Sector and Innovation, and the National Digital Council, a body created by the government to provide independent recommendations on all matters relating to the effect of digital technologies on society and the economy. Minister of State Axelle Lemaire told French journalists the megadatabase used 10-year-old technology and had real security problems.

Make your emails more trusted with DKIM

The war against spam has been a long one. Just as we get better filtering, spammers and phishers turn to more sophisticated techniques. We are even seeing ransomware attacks like Cryptolocker and Cryptowall become commonly spread over email. There must be a technical way to stop some of this, right? There is an Internet authentication system -- DomainKeys, and its successor, DKIM -- that tries to mitigate some of the risk of trusting that emails are actually from who they say they are from. Strangely, though, this technology has not made its way into Microsoft Exchange. In this piece, I want to open the curtains on DomainKeys and DKIM, show how they work and why what they do is important, and then demonstrate how to use a free utility to set up DKIM on your on-premises Exchange servers.

AI makes security systems more flexible

Advances in machine learning are making security systems easier to train and more flexible in dealing with changing conditions, but not all use cases are benefiting at the same rate. Machine learning and artificial intelligence have been getting a lot of attention lately, and there is a lot of justified excitement about the technology. One of the side effects is that pretty much everything is now being relabeled as "machine learning," making the term extremely difficult to pin down. Just as the word "cloud" has come to mean pretty much anything that happens online, so "artificial intelligence" is rapidly moving to the point where almost anything involving a computer is getting that label slapped on it.

7 steps to start a bug bounty program

A new approach

Vulnerability assessment and identification strategies have evolved to include the concept of crowdsourced security testing through bug bounty programs. While bug bounty programs have been used for over 20 years, widespread adoption by enterprise organizations has just begun to take off within the last few. The bug bounty path, paved by tech giants, is widening, enabling security teams of all sizes to create and manage robust security assessment programs, get ahead of adversaries, and level the cybersecurity playing field. As we are clearly still in the early- to mid-adopter phase of this new market, Paul Ross, senior vice president of marketing at Bugcrowd, breaks down how to get started with a bug bounty program, and how to prepare your organization for this new approach to vulnerability testing.

China’s vague cybersecurity law has foreign businesses guessing

The most disturbing thing for foreign businesses facing China's new cybersecurity law may just be how vague and broad it is. Under the new law, adopted on Monday and taking effect next June, it's possible that any major company working in the country might be subject to "security reviews" from the Chinese government. Any company involved in telecommunications, information services, finance or any sector "where the loss of data can harm the country's security" is subject to a possible review. But what these security reviews actually entail isn't clear in the law.

Carriers are going virtual to give enterprises more freedom

Starting carrier services like routing and security is getting faster and easier thanks to a new way of deploying them that doesn't require specialized equipment at customers' sites. The new approach, called virtualized business services, lets various carrier services run on standard infrastructure at either customer sites or service-provider facilities. Because the services are virtual, companies can order and change them quickly, and they won't get locked into whatever capabilities come with a particular device. On Monday, Orange Business Services launched its virtualized network services program, called Easy Go Network. It joins AT&T, Verizon and other operators that are selling or developing such programs. Easy Go Network is available as a month-to-month subscription and its launch follows a year-long customer trial. Orange Business Services claims more than 3,000 multinational organizations as customers.

Apple just removed hundreds of fake shopping apps from the App Store

Just in time for the holiday shopping season, the iOS App Store is seeing a deluge of fake shopping apps branding themselves with designer names in hopes of trapping gullible buyers. Apple is now stepping in to remove the counterfeit apps, which are sneaking in by changing the content after Apple's approval or by resubmitting apps under different names and credentials after being outed as fraudulent. After reports of apps using reputable companies' names to shill their fake wares in the App Store surfaced in the New York Times and New York Post, Apple removed hundreds of offenders. But hucksters keep coming back: The Times found that an app called Overstock Inc. was trying to convince shoppers that it was Overstock.com by selling clothes and Ugg boots. Apple killed the app, only to see it return the next day, because sketchy developers are finding new ways to bypass the company's traditionally tough app review process.

Microsoft postpones Windows anti-exploit tool’s retirement

Microsoft last week announced that it would support the Enhanced Mitigation Experience Toolkit (EMET) through July 2018, a year-and-a-half extension for the anti-exploit utility. At the same time, the Redmond, Wash. company dismissed EMET as a behind-the-times tool, and again urged customers to upgrade to Windows 10, arguing that the new operating system is much more secure than previous editions when supplemented by EMET. "EMET hasn't kept pace," wrote Jeffrey Sutherland, a Microsoft principal program manager lead, in a post to a company blog Nov. 3. "Its effectiveness against modern exploit kits has not been demonstrated, especially in comparison to the many security innovations built into Windows 10."

When DR fails

Someone hacked into my main server. I have a small organization, and the server was an old Apple Xserve 10.6.7 chosen because it's not the usual host. Now it's time to scratch security through obscurity off the list. So let's do a rudimentary recovery. Forensics will have to wait. I went to a hosting company to spin up httpd and mail. They're already my registrar. Pretty big organization. And they don't have 24/7 support. Since this happened on a Saturday, I was already in trouble. I chose one of their hosting plans. It costs a rudimentary $60 for a web server plus mail. It uses the famous CPanel hosting.

US election day faces specter of cyberattacks

Don't be surprised if hackers make their presence felt on U.S. Election Day. Distributed denial-of-service attacks and high-profile leaks are among the tactics they might use if they try to influence Tuesday's vote. Cybersecurity experts stress it would be incredibly difficult to hack the U.S. election. The system itself is distributed across the country over thousands of voting jurisdictions, making it hard to tamper with on a wide scale. But hackers could still attempt to sow chaos on Election Day in other ways. The tools and infrastructure to do so are already in place.

Hackers can abuse LTE protocols to knock phones off networks

When you travel between countries, the mobile operators that temporarily provide service to your phone need to communicate with your operator back home. This is done over a global interconnection network where most traffic still uses an ageing protocol, called SS7, that's known to be vulnerable to location tracking, eavesdropping, fraud, denial of service (DoS), SMS interception and other attacks. With the advance of Long-Term Evolution (LTE) networks, some roaming traffic is switching to a newer protocol, called Diameter, that's more secure than SS7 in theory, but which still allows for attacks if it's not deployed with additional security mechanisms.

IDG Contributor Network: Tesco Bank breach causes 20,000 customers to lose money

The fine details are still murky, but news surfaced in the last day or two that Tesco Bank, a U.K.-based bank owned by the Tesco supermarket chain, suffered some sort of widespread fraud. The bank's CEO, Benny Higgins, told Radio 4 that around 40,000 of the bank's 7 million accounts had seen "some sort of suspicious transactions." Of those, around 20,000 customers have actually lost money from their bank accounts. In the interview, the CEO told the BBC he was "very hopeful" that customers would be refunded the lost funds. What he didn't say is that I am sure he is also "very hopeful" that once this all washes up he and his IT team will still have jobs.

Security vendor demonstrates hack of US e-voting machine

A hacker armed with a US$25 PCMCIA card can, within a few minutes, change the vote totals on an aging electronic voting machine that is now in limited use in 13 U.S. states, a cybersecurity vendor has demonstrated. The hack by security vendor Cylance, which released a video of it Friday, caught the attention of noted National Security Agency leaker Edward Snowden, but other critics of e-voting security dismissed the vulnerability as nothing new. The Cylance hack demonstrated a theoretical vulnerability described in research going back a decade, the company noted.

5 things you need to know about virtual private networks

A virtual private network is a secure tunnel between two or more computers on the internet, allowing them to access each other as if on a local network. In the past, VPNs were mainly used by companies to securely link remote branches together or connect roaming employees to the office network, but today they're an important service for consumers too, protecting them from attacks when they connect to public wireless networks. Given their importance, here's what you need to know about VPNs:

VPNs are good for your privacy and security

Open wireless networks pose a serious risk to users, because attackers sitting on the same networks can use various techniques to sniff web traffic and even hijack accounts on websites that don't use the HTTPS security protocol. In addition, some Wi-Fi network operators intentionally inject ads into web traffic, and these could lead to unwanted tracking.

Adobe’s ‘Photoshop for audio’ tweaks voice recordings to say words speaker didn’t say

Photoshop trolls can manipulate photos, but in the future we may have a new type of troll: trolls who can easily manipulate spoken words just by typing text into an audio editing program. Last week at the Adobe Max Creativity Conference, Adobe developer Zeyu Jin mentioned that people "have been making weird stuff online" with photo editing software, before adding, now "let's do something to human speech." Jin gave a sneak peek of software which is like Photoshop for audio, demonstrating Project VoCo, for voice conversion, by altering a voice clip of comedian Keegan-Michael Key. The voice clip was something Key said after being nominated for an award.

UK bank suspends online payments after fraud hits 20,000 accounts

The banking arm of U.K. supermarket chain Tesco has suspended online payments for its 136,000 checking account customers following a spate of fraudulent transactions. The bank suspended its payment service for all checking account customers after 40,000 experienced suspicious transactions, bank CEO Benny Higgins told BBC Radio 4 on Monday. "Around half of them had money taken from the account," he said. The bank will bear any losses as a result of the fraudulent activity and customers are not at financial risk, he said. But they might be inconvenienced until the bank has secured its systems.

How to protect your ecommerce site from fraud, hacking and copycats

Setting up an ecommerce site is easy these days. Keeping your site safe from hacking, fraud and copycats, not so much. And as small business owners know all too well, one major breach, or too many chargebacks or someone stealing your business name or copying your products, could mean the end of your business. Here are seven ways small ecommerce business owners can protect their online stores from hacking, fraud and/or copycats.

1. Trademark your company name and logo

"The most important tip for business owners to protect their site and brand is to ensure [their] name is clear for use as a trademark," says Sonia Lakhany, trademark attorney, Lakhany Law. "Too many entrepreneurs mistakenly think that because a domain name is available or that they were able to form an LLC or corporation with their local Secretary of State that their business name or brand is available as a trademark."

IDG Contributor Network: Arbor Networks adapts missile defense strategy for DDoS protection

Missile defense is hard. Attacks can come from anywhere. There are seconds to respond. Multiple incoming missiles can overwhelm defenses. Mistakes result in huge damage. There is no margin for error. Military strategists have refined missile defense systems over decades. Early attack visibility and fast countermeasures are essential. When it comes to distributed denial of service (DDoS) attacks, Arbor Networks has found the lessons from missile defense apply.

Missile defense

The Department of Defense describes missile defense protection:

New products of the week 11.7.16

New products of the week

Our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow.

Ruckus Cloudpath ES 5.0

Pricing: based on total number of users and is available in 1/3/5 year subscriptions ranging from: $1.50/user for Education on-prem subscription; $1.70/user for Education cloud subscription; $5.00/user for Education on-prem subscription; $5.80/user for Education cloud subscription