Category Archives for "Network World Security"

FBI to probe new emails related to Clinton’s private server

The FBI has uncovered new emails related to Hillary Clinton's use of a private email server, prompting federal authorities to investigate them. The FBI discovered the emails as part of an "unrelated case," FBI Director James Comey said in a letter to a congressional committee that was later tweeted on Friday. These emails "appear to be pertinent" to the FBI's original investigation into Clinton's private server use, which the agency wrapped up back in July, Comey said. Clinton, now the Democratic nominee for U.S. president, used the private server while she served as secretary of state.

New Windows code injection method could let malware bypass detection

Security researchers have discovered a new way that allows malware to inject malicious code into other processes without being detected by antivirus programs and other endpoint security systems. The new method was devised by researchers from security firm Ensilo who dubbed it AtomBombing because it relies on the Windows atom tables mechanism. These special tables are provided by the operating system and can be used to share data between applications. "What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table," Ensilo researcher Tal Liberman said in a blog post. "We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code."

Security apps you need on your new Pixel

All the brand new features of the Pixel will not protect it from increasingly frequent security threats: each user should take necessary precautions in order to protect their data, passwords or any sensitive online transactions. A new smartphone is also an attractive one-stop location for hackers who'd like to access personal bank account data, credit card passwords, name, address, social media accounts and so on.

IDG Contributor Network: How the government can help businesses fight cyber attacks

When a criminal robs a store, the police visit the scene, conduct an investigation and try to bring the perpetrator to justice. What happens when a criminal breaches that same store’s server and makes off with its customers’ credit-card numbers? I’d argue that the response to the physical crime would be much greater and more effective than how the cyber crime would be handled, although cyber attacks have the potential to cause more damage than robberies.

Blame cyber criminals, not nation-states, for attacks

While nation-states are typically blamed for breaches, the culprits are usually cyber criminals who are using nation-state techniques and procedures. Companies likely claim infiltration by nation-state attackers because it provides them with some cover from lawsuits and preserves business deals and partnerships. (Yahoo is using this tactic with little success.) The reasoning could look like this: how could our organization protect itself from attackers who have the support and resources of a major government? We’re simply outgunned.

IDG Contributor Network: How much does a data breach actually cost?

The American public has become so inured to data breaches that it’s difficult to remember them all. Infamous breaches like the ones at Target and Sony become almost forgettable when confronted with the recently disclosed half-billion accounts compromised at Yahoo in 2014. The numbers are simply staggering. It is estimated that over 900,000,000 records of personally identifiable information (PII) have been stolen in the U.S. over the past few years. Keeping a memory of all the hacks and when they happened may require the use of complex data visualization.

Pennsylvania man sentenced to 18 months for celeb hacking

A Pennsylvania man was sentenced to 18 months in federal prison on charges of hacking the Google and Apple email accounts of over 100 people including celebrities, and getting access to nude videos and photographs of some people. The sentencing against Ryan Collins, 36, of Lancaster is the offshoot of a Department of Justice investigation into the online leaks of photographs of numerous female celebrities in September 2014, widely referred to as "Celebgate." But DOJ has not found any evidence linking Collins to the actual leaks or the sharing and uploading of the content. Between November 2012 and early September 2014, Collins is said to have sent e-mails to victims that appeared to be from Apple or Google and asked them to provide their usernames and passwords. Having gained access to the email accounts, he got hold of personal information including nude photographs and videos, and in some cases used a software program to download the entire contents of the victims' Apple iCloud backups, according to DOJ.

Personal data of 550,000 Red Cross blood donors was breached

The Australian Red Cross said its blood donor service has found that registration information of 550,000 donors had been compromised, which the agency blamed on human error by a third-party contractor. The moot issue at this point, which may decide how the breach unfolds, is that nobody knows how many people have the data. The information from 2010 to 2016 was available on the website from Sept. 5 to Oct. 25 this year. The database backup, consisting of 1.74GB with about 1.3 million records, contains information about blood donors, such as name, gender, physical address, email address, phone number, date of birth, blood type, country of birth, and previous donations, according to security researcher Troy Hunt.

Malware from Friday’s DDoS attack continues to harass in short bursts

It's still unclear who pulled off Friday's massive internet disruption, but the malware largely responsible for the cyber attack has since assaulted new targets -- possibly including video gamers. Since last Friday, botnets created by the Mirai malware have been launching distributed denial-of-service attacks at seemingly random targets, in short bursts, according to a security researcher who goes by the name MalwareTech. He has tracked Mirai-powered botnets and helped produce a Twitter feed that monitors their DDoS attacks. On Wednesday alone, the feed posted close to 60 attacks, many of them lasting from 30 seconds to over a minute long.

The secret behind the success of Mirai IoT botnets

There’s no magic behind the success of Mirai DDoS botnets that are made up of IoT devices: the software enabling them is publicly available, which makes it easy for relatively inexperienced actors to create them and turn them loose on anyone. Flashpoint speculates that the Dyn DDoS, which had an enormous impact on major Web sites, was the work of low-skilled script kiddies – a frightening prospect that contributes to Trend Micro’s assessment that “the Internet of Things ecosystem is completely, and utterly, broken.”

The FIDO Alliance provides strong authentication for online services  

This column is available in a weekly newsletter called IT Best Practices. For many security professionals, passwords are the scourge of the authentication world, and their death can't come soon enough. Passwords are too often stolen, shared, forgotten or simply too weak or obvious to be effective. According to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed data breaches involve the use of weak, default or stolen passwords. End users hate passwords too, because they create a bad user experience (UX). We are advised (or forced) to use complex combinations of numbers, characters and symbols that are practically impossible to remember, and we are supposed to have a different password for every system and application we use. Years ago I resorted to a password manager to keep track of my 300+ sets of credentials.

A spam-control issue unique to Australia?

A user of Reddit’s section devoted to systems administration yesterday offered up for inspection an F-bomb-laden phishing email that had eluded his company’s spam filter despite the filter having been set to weed out such cursing. Then this exchange ensued:

I also laughed out loud.

To solve IoT security, look at the big picture, ARM says

The recent DDoS attacks launched from IoT devices demonstrate that the internet of things spans all parts of IT and that most companies deploying it still need a lot of help. That's the message from ARM, the chip design company behind nearly every smartphone and a big chunk of IoT, at its annual TechCon event this week in Silicon Valley. Small, low-power devices like sensors and security cameras are the most visible part of IoT, and they’re right in ARM’s wheelhouse as the dominant force in low-power chips. But on Wednesday, the company highlighted a cloud-based SaaS offering rather than chips or edge devices themselves. IoT depends on back-end capabilities as much as edge devices, and the company wants to play a role in all of it.

IDG Contributor Network: Securing the breach trumps breach prevention

In my prior posts, I discussed both the changing face of data breaches and the reality distortion field surrounding today’s IT security professionals when they talk about effective ways to combat data breaches. Three things we know for certain, though, are that data breaches are not going away, our adversaries are continuing to innovate and attack, and the costs of a breach are becoming more tangible. Just this month, Verizon claimed the massive hack on Yahoo caused irreparable harm to the tech company in terms of customer trust, possibly allowing the wireless provider to withdraw from or renegotiate the terms of its $4.83 billion acquisition agreement. Also, in October, the U.K. Information Commissioner’s Office hit TalkTalk with more than $400,000 in fines for its 2015 cyber attack.

FCC tells ISPs to get customer permission before sharing sensitive info

The U.S. Federal Communications Commission has passed rules requiring broadband providers to receive opt-in customer permission to share sensitive personal information, including web-browsing history, geolocation, and financial details with third parties. The FCC on Thursday voted 3-2 to adopt the new broadband privacy rules, which also include requirements that ISPs promptly notify customers of serious data breaches. Broadband customers need transparency and control over how their data is used, said Jessica Rosenworcel, one of three Democratic commissioners voting for the rules. Broadband providers are increasingly sharing customer data with third-party companies such as advertising networks and analytics firms, she said.

No need to shoot down drones! Many of them can now be hijacked

A security researcher has devised a method of hijacking a wide variety of radio-controlled airplanes, helicopters, cars, boats and other devices that use a popular wireless transmission technology. The attack was developed by Jonathan Andersson, manager of the Advanced Security Research Group at Trend Micro DVLabs, and targets a "wideband, frequency-agile 2.4GHz signal protocol" called DSMx. This protocol is used in radio-control (R/C) toys, including in drones, that are owned by millions of users. Andersson's attack exploits weaknesses in DSMx and was presented in detail Wednesday at the PacSec security conference in Tokyo. The researcher built a device that he dubbed Icarus, using off-the-shelf electronic components and software-defined radio (SDR). With it, he can take over the control of drones or other R/C devices and lock out their real owners in seconds.

DARPA looking to develop drone destroying, personnel protection system

Protecting military personnel from a swarming drone attack is the goal behind a new system that researchers from the Defense Advanced Research Projects Agency are set to develop. The three-phase program, called Mobile Force Protection, will in the next few years potentially develop a prototype system that could sense an attack, identify the attacker and then use a number of techniques, from communications jamming to capturing any attacking drones mid-flight. DARPA says it will offer $3 million for each phase 1 developer.

DDoS attack overwhelmed Dyn despite mitigation efforts

Dyn says that the DDoS attack that swamped its DNS resolution service last week was backed by far fewer internet of things (IoT) devices than it thought before. Previously it said it was hit by traffic from tens of millions of IP addresses, some of which were likely spoofed, making the actual number of bots involved far fewer. “We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints,” the company says in a status update. The attacks, which knocked out access to some high-profile Web sites, threw as many packets at Dyn’s infrastructure as they could, and the company responded with its own mitigation actions as well as cooperation from upstream internet providers who blocked some of the attack flow. “These techniques included traffic-shaping incoming traffic, rebalancing of that traffic by manipulation of [DNS querying] anycast policies, application of internal filtering and deployment of scrubbing services,” the company says.

Lessons learned from the DYN attack

Although vendor-written, this contributed piece does not promote a product or service and has been edited and approved by Network World editors.

The large-scale DDoS attack on DYN last week interrupted access to many major web sites, and while the specifics of the attack have been widely analyzed, here are the important lessons learned:

* DDoS attacks are alive and well: A few years ago DDoS attacks were hot news, but reports died down as the focus shifted to news about social engineering attacks, large-scale data breaches and insider trading schemes. DDoS attacks seemed like yesterday’s risk but they are very much alive and well. In fact, they are back and stronger than ever.

Friday’s DDoS attack came from 100,000 infected devices

Friday's massive internet disruption came from hackers using an estimated 100,000 devices, many of which have been infected with a notorious malware that can take over cameras and DVRs, said DNS provider Dyn. "We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets," Dyn said in a Wednesday blog post. The malware known as Mirai had already been blamed for causing at least part of Friday's distributed denial-of-service attack, which targeted Dyn and slowed access to many popular sites in the U.S.

Robocall Strike Force: Trial of one technique cut IRS scam complaints 90%

An initial progress report by the FCC-sanctioned and industry-led Robocall Strike Force this afternoon was highlighted by the claim that a trial of a single fraud-prevention technique had resulted in a 90 percent reduction in consumer complaints about scams involving automated phone calls falsely claiming to be from the IRS. Since the first meeting of the strike force in August, representatives from 30 companies held more than 100 meetings and produced a 47-page report detailing both their short-term accomplishments and future goals. And while the latter outweighed the former – a point emphasized by FCC Chairman Tom Wheeler – there was a hopefulness expressed throughout the hour-long presentation that relief from the scourge of robocalls is on the way.