Category Archives for "Network World Security"

Google to untrust WoSign and StartCom certificates

Following similar decisions by Mozilla and Apple, Google plans to reject new digital certificates issued by two certificate authorities because they violated industry rules and best practices. The ban will go into effect in Chrome version 56, which is currently in the dev release channel, and will apply to all certificates issued by the certificate authorities WoSign and StartCom after October 21. Browsers rely on digital certificates to verify the identity of websites and to establish encrypted connections with them. Certificates issued before October 21 will continue to be trusted as long as they're published to the public Certificate Transparency logs or have been issued to a limited set of domains owned by known WoSign and StartCom customers.

10 ways to make sure your remote workers are being safe

With an ever-expanding mobile workforce, infosec teams are increasingly tasked with extending cybersecurity safeguards beyond the physical and virtual walls of their organizations. With endpoints not only increasing in number but also on the move, the challenge is real. In addition to implementing the appropriate technical defenses, there is an important aspect to protecting corporate data and systems: asking end users to get involved.

Unencrypted pagers a security risk for hospitals, power plants

For most of us, pagers went out when cell phones came in, but some companies are still using them, and when the messages are sent without encryption, attackers can listen in and even interfere with the communications. According to two new reports by Trend Micro, pagers are still in use in hospital settings and in industrial plants. Stephen Hilt, Trend Micro's lead researcher on the project, said they don’t have a concrete percentage on the number of encrypted messages.

Here’s how businesses can prevent point-of-sale attacks

Retailers, hotels and restaurants have all been victimized through the same Achilles' heel that cybercriminals continue to attack: the point-of-sale system, where customers' payment data is routinely processed. These digital cash registers are often the target of malware designed to steal credit card numbers in the thousands or even millions. This year, fast food vendor Wendy's, clothing retailer Eddie Bauer and Kimpton Hotels have all reported data breaches stemming from such attacks. Security experts, however, are encouraging a variety of approaches to keep businesses secure from point-of-sale-related intrusions. Here are a few to consider.

Google clashes with Microsoft over Windows flaw disclosure

Google and Microsoft are butting heads over the disclosure of vulnerabilities. On Monday, Google revealed a critical flaw in Windows after it gave Microsoft a ten-day window to warn the public about it. Google posted about the zero-day vulnerability on its security blog, saying Microsoft had yet to publish a fix or issue an advisory about the software flaw. "This vulnerability is particularly serious because we know it is being actively exploited," Google said. It lets hackers exploit a bug in the Windows kernel, via a win32k.sys system call, to bypass the security sandbox.

Improve IT security: Start with these 10 topics

You want to be more responsible about IT security in your organization, but where do you start? May I suggest your first step be understanding these topics more thoroughly. This list isn’t exhaustive. It’s only a beginning:

1. DNS and DNSSEC: The biggest games in cyber war are hitting DNS providers. DNS can be compromised in many simple ways, but Domain Name System Security Extensions (DNSSEC) thwarts these—at the cost of understanding how it works, how to deploy it and how it’s maintained. There are ways to understand whether your own organization is threatened with DDoS attacks. Study them.

IBM deploys machine learning to bolster online banking security program

Behavioral biometrics that uses machine learning is behind new features being added to IBM’s Trusteer Pinpoint Detect platform, which financial institutions use to head off crooks who may have stolen the username and password of legitimate account holders. The new feature looks for anomalies between legitimate users’ normal mouse gestures and those of the current user, and over time refines the accuracy of its analysis, says Brooke Satti Charles, Financial Crime Prevention Strategist for IBM Security. That analysis creates a risk score that banks can use to decide whether an ongoing transaction is fraudulent and trigger an alert. The institutions have to decide what to do about the alerts, but they could cut off the transaction or require further ID before the customer is allowed to continue, she says.

Shadow Brokers leaks list of NSA targets and compromised servers

The Shadow Brokers hacker group is back, releasing message 5 - trick or treat. This time, instead of releasing Equation Group exploit tools, the group dumped a list of servers allegedly compromised by the NSA-linked Equation Group. As usual, the Shadow Brokers included a slaughtered-English rambling message that primarily focused on the upcoming elections. One portion reads: "TheShadowBrokers is having suggestion. On November 8th, instead of not voting, maybe be stopping the vote all together? Maybe being grinch who stopped election from coming? Maybe hacking election is being the best idea? #hackelection2016."

Trend Micro’s Enterprise Play

I spent a few days with Trend Micro last week at its Insight event here in Boston. While Trend is a $1 billion+ global cybersecurity vendor, too many cybersecurity professionals still think of Trend as an Asian-based AV player. This perception is completely antiquated, however, as Trend now offers:

A tightly integrated next-generation endpoint security suite. There’s a lot of industry rhetoric out there proclaiming Trend a legacy AV vendor. Don’t believe it! Yes, Trend Micro’s endpoint security product has been around forever, but the company has continuously enhanced its technology to keep up with the latest requirements. Most recently, Trend added machine learning for pre- and post-execution prevention/detection of 0-day malware, which puts it on par with the next-generation endpoint security crowd. Oh, and Trend also offers its own EDR functionality as well. Armed with its new product, Trend’s layered endpoint defense should meet the security efficacy and operational efficiency requirements of even the most demanding enterprises.

A strong network security defense portfolio. Now that the dust has settled from Trend’s acquisition of TippingPoint a year ago, the company also has robust products for network security. After HP let

17 essential tools to protect your online identity, privacy

Make no mistake: professional and state-sponsored cybercriminals are trying to compromise your identity -- either at home, to steal your money, or at work, to steal your employer’s money, sensitive data, or intellectual property. Most users know the basics of computer privacy and safety when using the internet, including running HTTPS and two-factor authentication whenever possible, and checking haveibeenpwned.com to verify whether their email addresses or user names and passwords have been compromised by a known attack. But these days, computer users should go well beyond tightening their social media account settings. The security elite run a variety of programs, tools, and specialized hardware to ensure their privacy and security are as strong as they can be. Here, we take a look at this set of tools, beginning with those that provide the broadest security coverage down to each specific application for a particular purpose. Use any, or all, of these tools to protect your privacy and have the best computer security possible.

Why don’t developers have a ‘spellchecker’ for security?

Despite all the news coverage about successful cyberattacks, developers are still writing code full of security vulnerabilities. Of course, nobody is perfect. We all make mistakes, and as software projects get more and more complex, it can be easy to miss potential problems. But that doesn't explain why so much software is full of the most basic errors. According to a report released this month by Veracode, 61 percent of all internally developed applications failed a basic test of compliance with the OWASP Top 10 list on their first pass. And commercially developed software did even worse, with a 75 percent failure rate. These are basic, well-known problems, like SQL injection and cross-site scripting.

Why Blockchain’s growing pains will be worth it

HALF MOON BAY, Calif. – Experts at a recent technology conference agreed that blockchain has a bright future, but warned it may be a rocky ride until that future arrives. Blockchain is a distributed database that uses a secure digital ledger of transactions that users can share across a computer network. It’s also the technology behind the virtual currency bitcoin. “When you are at the leading edge there will be mistakes. People will get a lot wrong in the next five years. I think of it kind of like running with scissors,” says Constellation Research analyst Steve Wilson at the Oct. 26 Connected Enterprise conference hosted by his company.

(Photo, Constellation Research Connected Enterprise conference. From left to right: Shawn Wiora, CEO of Maxxsure; Silicon Valley product exec Chirag Mehta; and Aron Dutta, Global Head of Blockchain at IBM.)

Joomla websites attacked en masse using recently patched exploits

Attackers are aggressively targeting Joomla-based websites by exploiting two critical vulnerabilities patched last week. The flaws allow the creation of accounts with elevated privileges on websites built with the popular Joomla content management system, even if account registration is disabled. They were patched in Joomla 3.6.4, released Tuesday. Hackers didn't waste any time reverse engineering the patches to understand how the two vulnerabilities can be exploited to compromise websites, according to researchers from Web security firm Sucuri.

Beat the bad guys at their own game with SafeBreach’s simulated cyberattacks

The best way to get experience with most jobs or tasks is to do them. It’s difficult to learn how to drive a car without getting behind the wheel. Soldiers need to face the enemy in order to gain combat experience. And IT administrators have to experience and mitigate attacks to learn how to best defend their networks. The problem with these scenarios is that they involve a degree of risk. It’s not all that helpful to learn how to counter a cyberattack if the first one you experience puts your company out of business. That’s where the SafeBreach continuous security validation platform comes in. Deployed as a service, through the cloud or internally, it can show cybersecurity teams exactly where the network vulnerabilities are and how to plug those holes. It can even run wargames so that IT teams can learn the best ways to respond to attacks on their actual networks.

New products of the week 10.31.16

Our roundup of intriguing new products.

Atlantis Workspace Infrastructure integrated with Citrix. Key features: Atlantis integrated its workspace infrastructure into the Citrix management suite. The combination of applications, management and infrastructure into a single PaaS solution will lower the cost and complexity of managing virtual workspaces.

FBI doesn’t have a warrant to review new emails linked to Clinton investigation

After seeing reports that the Justice Department is “furious” at FBI Director Comey for telling Congress about new emails potentially related to Hillary Clinton’s private email server and whether she disclosed classified information, the Clinton campaign “made it personal” and accused Comey of a smear campaign. Comey, ironically the same FBI guy who recommended no criminal charges for Clinton, is now being treated like her enemy. “It is pretty strange to put something like that out with such little information right before an election,” Clinton said during a rally at Daytona Beach on Saturday. “In fact, it’s not just strange; it’s unprecedented and deeply troubling.” She added, “So we’ve called on Director Comey to explain everything right away, put it all out on the table.”

Hacking forum cuts section allegedly linked to DDoS attacks

An online hackers' forum has deleted a section that allegedly offered paid distributed denial-of-service attacks, following last Friday's massive internet disruption. HackForums.net will be shutting down the "Server Stress Testing" section, the site's admin Jesse "Omniscient" LaBrocca said in a Friday posting. "I do need to make sure that we continue to exist and given the recent events I think it's more important that the section be permanently shut down," he wrote. The section was designed to let members offer so-called stress testing services for websites as a way to check their resiliency. However, security firms claim Hack Forums was actually promoting DDoS-for-hire services that anyone can use to launch cyber attacks.

Lost thumb drives bedevil US banking agency

A U.S. banking regulator says an employee downloaded a large amount of data from its computer system a week before he retired and is now unable to locate the thumb drives he stored it on. The Office of the Comptroller of the Currency, which is a part of the Department of the Treasury, said the loss represented "a major information security incident" as it reported the case to Congress on Friday. The data was taken in November 2015, but its loss was only discovered in September this year as the agency reviewed downloads to removable media devices in the last two years. The employee in question used two thumb drives to store the information, both of which he is unable to locate, the agency said.

Companies complacent about data breach preparedness

The likelihood that companies will experience a security incident continues to rise every year. While most organizations have put a data breach preparedness plan in place to combat such incidents, most executives aren't updating or practicing the plan regularly, according to a study released earlier this month. "When it comes to managing a data breach, having a response plan is simply not the same as being prepared," Michael Bruemmer, vice president at Experian Data Breach Resolution (which sponsored the study), said in a statement. "Unfortunately many companies are simply checking the box on this security tactic. Developing a plan is the first step, but preparedness must be considered an ongoing process, with regular reviews of the plan and practice drills."

After DDoS attack, senator seeks industry-led security standards for IoT devices

Last week’s massive distributed denial-of-service attack has prompted an urgent focus on the need for industry-led cybersecurity standards for internet of things devices. U.S. Sen. Mark Warner (D-Va.) said Thursday that he favors an industry-based approach before seeking some form of government regulation of IoT security. “Last week’s attack does reveal a new level of vulnerability, and I’m trying to make it clear ... that this is not a problem that the government ought to be the first actor in solving,” he said in a telephone interview.