
Category Archives for "Network World Security"

Schneider Electric PLC simulator flaw exposes workstations to hacking

The software used to program and deploy code to various Schneider Electric industrial controllers has a weakness that could allow hackers to remotely take over engineering workstations. The software, known as Unity Pro, runs on PCs used by engineers and includes a simulator for testing code before deploying it to programmable logic controllers (PLCs). These are the specialized hardware devices that monitor and control mechanical processes -- spinning motors, opening and closing valves, etc. -- inside factories, power stations, gas refineries, public utilities and other industrial installations. Researchers from industrial cybersecurity firm Indegy found that unauthenticated attackers could execute malicious code on Windows computers where the Unity Pro PLC simulator is installed. That code would run with debug privileges, leading to a complete system compromise.

REVIEW: BIO-key’s plug-in fingerprint readers for Windows 10 computers

A biometric fingerprint reader makes it convenient to sign into your computer, by just pressing or swiping your finger on the reader, which scans your fingerprint. It bypasses the need for entering a password while increasing the level of security for the computer -- anyone can enter your password if they get it somehow, but not your finger, after all. It can also be a convenient and secure system to set up on a computer at work that should be accessed by only a specific person or persons. In late September, BIO-key launched three fingerprint reader devices for the business and everyday computer user. Each sells for $40: the EcoID, the SideSwipe, and the SideTouch. You plug these readers into a USB port on your computer. They’re meant to be used with Windows 10 and this OS’ biometric sign-in feature, Windows Hello. (The EcoID and SideSwipe also run on Windows 7.)

Cybersecurity staffing issues may be putting you at risk

A study from Spiceworks found that even though 80 percent of organizations experienced a "security incident" in 2015, only 29 percent of companies have a cybersecurity expert working in their IT department and only 7 percent have a cybersecurity expert on their executive team. And a majority -- 55 percent to be exact -- said that their business didn't have "regular access" to any IT security experts at all, internal or third-party, with the majority of companies also reporting they had no plans to hire or contract one within the next year.

US transport agency guidance on vehicle cybersecurity irks lawmakers

Guidance from the National Highway Traffic Safety Administration for improving motor vehicle cybersecurity has attracted criticism from lawmakers who said that mandatory security standards were required. “This new cybersecurity guidance from the Department of Transportation is like giving a take-home exam on the honor code to failing students,” said Senators Edward J. Markey, a Democrat from Massachusetts, and Richard Blumenthal, a Democrat from Connecticut, who are both members of the Commerce, Science and Transportation Committee. “In this new Internet of Things era, we cannot let safety, cybersecurity, and privacy be an afterthought,” the senators added.

Lyft customers face potential hack from recycled phone numbers

Giving up an old cell phone number for a new one may seem harmless. But for Lyft customers, it can potentially expose their accounts to complete strangers. That's what happened to Lara Miller, a media relations specialist living in California. Earlier this month, she discovered two credit card charges made in Las Vegas, over 400 miles away. "I thought it was legit fraud on my debit card," Miller said. But in reality, another woman had accidentally taken over her old Lyft account. It happened because the phone company had recycled the cell phone number Miller had canceled back in April -- opening the door to the hack. The problem involves Lyft's login process. The ride-hailing app does away with the hassle of usernames and passwords, and instead signs up customers with their smartphone's cell number.

White House: Small satellites bring “Moore’s Law” into space

Small satellites, sometimes called cubesats or just smallsats, are a very popular way of getting inexpensive communications and surveillance into space quickly. Looking to bolster that notion, the White House recently revealed a number of programs that it says will help drive the use of smallsats even further. The White House Office of Science and Technology Policy (OSTP) announced what it called the “Harnessing the Small Satellite Revolution” initiative, which basically brings together the National Aeronautics and Space Administration (NASA), the Department of Defense, the Department of Commerce, and other Federal agencies, to promote and support government and private use of small satellites for remote sensing, communications, science, and the exploration of space.

Answers to ‘Is the internet broken?’ and other Dyn DDoS questions

The massive DDoS attacks that took down internet address-translation service Dyn and its customers last week raise a lot of need-to-know questions about the overall security of online infrastructure and its performance. While the attacks were ultimately mitigated and have subsided, the means for carrying out others are still viable and could crop up at any time with other targets. Here are some questions and answers that address what happened, how it happened, whether it could happen again and what the consequences might be.

Is the internet broken? No, or at least not any more than it was before. It’s made up of a system of independent vendors and institutions working cooperatively to provide access to sites around the world. Each works in its own best interests but also cooperates with the others to make the system work for everybody. Like any such system, it’s got flaws and weaknesses. The Dyn attackers targeted some of these vulnerabilities and exploited them for maximum effect.

Physical RAM attack can root Android and possibly other devices

Researchers have devised a new way to compromise Android devices without exploiting any software vulnerabilities and instead taking advantage of a physical design weakness in RAM chips. The attack technique could also affect other ARM and x86-based devices and computers. The attack stems from the push over the past decade to pack more DRAM (dynamic random-access memory) capacity onto increasingly smaller chips, which can lead to memory cells on adjacent rows leaking electric charges to one another under certain conditions. For example, repeated and rapid accessing of physical memory locations -- an action now dubbed "hammering" -- can cause the bit values from adjacent locations to flip from 0 to 1 or the other way around.

Chinese firm recalls camera products linked to massive DDOS attack

A Chinese electronics component maker is recalling 4.3 million internet-connected camera products from the U.S. market amid claims they may have played a role in Friday's massive internet disruption. On Monday, Hangzhou Xiongmai Technology said it was recalling earlier models of four kinds of cameras due to a security vulnerability that can make them easy to hack. "The main security problem is that users aren't changing the device's default passwords," Xiongmai said in a Chinese-language statement posted online.

Media fails to tell consumers about device flaws in Friday’s internet outage

Hacked cameras, DVRs and other internet-connected consumer devices were conscripted by perpetrators who installed botnet malware, causing last Friday’s internet outages. The national media reported the event, but it failed to tell consumers what they need to know about buying those types of devices. For example, before making a purchase, consumers need to ask: Does the manufacturer routinely update this device with security patches? Can I change the default passwords when I install the device? The national media could have talked to someone who has first-hand experience with this type of attack, such as Brian Krebs, former Washington Post journalist and now one of the leading security industry bloggers, who would have repeated what he posted on Friday:

SnapChat, Skype among worst messaging apps for not respecting users’ right to privacy

Amnesty International set out to determine which technology companies met “their human rights responsibilities in the way they use encryption to protect users’ online security.” The research resulted in ranking messaging apps of 11 tech companies based on the use of encryption to protect users’ privacy. According to the detailed list of Message Privacy Rankings (pdf), Facebook did the best, scoring 73 out of 100 for WhatsApp and Facebook Messenger. Both Apple for iMessage and FaceTime and Telegram for the Telegram Messenger scored 67. Google came in with a score of 53 for Allo, Duo and Hangouts.

Does Southwest’s new ‘password’ commercial need to get away?

If you watched any football yesterday, chances are you saw the latest in Southwest Airlines’ “Wanna get away?” commercial series, this one featuring a military general and his comical willingness to surrender his network access password. While funny on its face, the commercial is not exactly a lesson in proper password management. Watch or read the transcript that follows:

Cybersecurity, Business, and IT Relationships

As the old adage states: People are the weakest link in the cybersecurity chain. This is a problem because strong cybersecurity depends upon both individual skills and organizational collaboration between cybersecurity, business, and IT groups. To use another analogy, cybersecurity is a team sport. If the cybersecurity team doesn’t communicate and collaborate well with other groups within an organization, it will be difficult if not impossible to stay current with what’s needed for security incident prevention, detection, and response. Unfortunately, this is the situation too often today. According to a new research report from ESG and the Information Systems Security Association (ISSA), 20% of cybersecurity professionals claim that the relationship between cybersecurity and IT teams is “fair or poor” today, while 27% rate the relationship between cybersecurity and business teams as “fair or poor” (Note: I am an ESG employee).

Bots may be trumping online polls

Politicians are fond of saying that the only poll that matters is the one on election day. That may be especially true this year, especially when it comes to online polls that, like anything in the digital, connected world, are vulnerable to mischief. The mischief is enabled by bots – hundreds to many thousands of computers under the control of an attacker that are more typically used to send out spam, create Distributed Denial of Service (DDoS) attacks and commit various kinds of fraud – but in this case are used to skew poll results. They can make it look like public opinion views one candidate as the winner of a debate when the real vote would show the other candidate did.

Better safe than sorry: 5 apps for encrypting and shredding files

While safeguarding personal and business data has always been important, the necessity for maintaining digital privacy has become even more vital as more of our records are digitized. People are starting to realize that passwords alone aren't enough. Even with password protection, anything on your computer can potentially be viewed by an enterprising hacker. And if your computer is lost or stolen, its hard drive can be removed and connected to a new computer, revealing its secrets. To be safer, encryption is the way to go. These days, the accepted standard for encryption is the Advanced Encryption Standard (AES) algorithm with a 256-bit key.

French surveillance law is unconstitutional after all, highest court says

The French Constitutional Council has taken another look at a new security law it waved through in July 2015, and found it wanting. A key clause of last year's Surveillance Law essentially allowed security agencies to monitor and control wireless communications without the usual oversight applied to wiretapping operations. This is unconstitutional as the lack of oversight is likely to result in a disproportionate invasion of privacy, the council ruled Friday. It was responding to a complaint filed by La Quadrature du Net (LQDN), an association campaigning for online rights, the ISP French Data Network (FDN) and the Federation of Non-Profit ISPs.

New products of the week 10.24.16

Our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow.

The Back-UPS battery backup

Key features: APC by Schneider Electric’s new Back-UPS battery backup solutions are designed to deliver reliable/secure power protection for wireless networks, computers and other home/business electronics to help users stay connected.

WikiLeaks says it doesn’t collaborate with states

WikiLeaks claims to have many thousands of sources but does not collaborate with states in the publication of documents, its editorial board said late Sunday. The statement by the board of the whistleblowing site assumes significance after the administration of U.S. President Barack Obama charged that it and other sites had released allegedly hacked emails under the direction of Russia. WikiLeaks has leaked mails from the Democratic National Committee that showed that the Democratic Party’s national strategy and fund-raising committee had favored Hillary Clinton over her rival Senator Bernie Sanders for the Democratic Party nomination. The website has also published mails from the account of John Podesta, chairman of Clinton's campaign for the presidential election, which could prove to be embarrassing to the candidate.

Chinese firm admits its hacked products were behind Friday’s massive DDOS attack

A Chinese electronics component manufacturer says its products inadvertently played a role in a massive cyberattack that disrupted major internet sites in the U.S. on Friday. Hangzhou Xiongmai Technology, a vendor behind DVRs and internet-connected cameras, said on Sunday that security vulnerabilities involving weak default passwords in its products were partly to blame. According to security researchers, malware known as Mirai has been taking advantage of these vulnerabilities by infecting the devices and using them to launch huge distributed denial-of-service attacks, including Friday’s outage.

IoT botnets used in unprecedented DDoS against Dyn DNS; FBI, DHS investigating

Infected IoT devices turned into botnets, at least some controlled by Mirai, were used in multiple DDoS attacks against New Hampshire-based internet infrastructure company Dyn. The attacks against Dyn DNS were similar to some thugs shredding an internet address book, since addresses of thousands of websites couldn’t be looked up and users couldn’t be connected to the right servers; by the third wave of attacks, users across the globe had been affected by the massive disruptions. The FBI and the Department of Homeland Security are investigating the attack on Dyn, one provider of DNS services. A spokeswoman told The New York Times that the FBI and DHS “were looking into the incident and all potential causes, including criminal activity and a nation-state attack.”