Stiff competition for talent and a limited pool of security specialists make information security staffing a perennial challenge. Complicating this is the fact that security has not yet adapted to its changing role as organizations digitize. Now more than ever, information security leaders need to understand the new business environment and adapt how they hire, compete for and manage talent for the digital era.+ Also on Network World: High-demand cybersecurity skill sets +Digitization is transforming organizations’ products, channels and operations. While this change comes with the potential for higher profit margins through enhanced efficiency, it also brings an increase in the number and variety of advanced threats, board oversight and regulatory compliance issues.To read this article in full or to leave a comment, please click here
If you are a federal Chief Information Security Officers – or even if you are not, you face some serious trials just to do your difficult job.Federal agencies in particular lack clarity on how to ensure that their CISOs have adequate authority to effectively carry out their duties in the face of numerous challenges, a report out this week form the watchdogs at the Government Accountability Office stated.+More on Network World: The 7 most common challenges to cloud computing+The GAO said that 13 of the 24 agencies it reviewed – including the Departments of Defense, Commerce Energy, Justice and State-- for its report “had not fully defined the role of their CISO in accordance with these requirements. For example, these agencies did not always identify a role for the CISO in ensuring that security controls are periodically tested; procedures are in place for detecting, reporting, and responding to security incidents; or contingency plans and procedures for agency information systems are in place. Thus, CISOs' ability to effectively oversee these agencies' information security activities can be limited,” the GAO stated.To read this article in full or to leave a comment, please click here
Companies will now be able to cryptographically validate the identity of Chrome OS devices connecting to their networks and verify that those devices conform to their security policies.On Thursday, Google announced a new feature and administration API called Verified Access. The API relies on digital certificates stored in the hardware-based Trusted Platform Modules (TPMs) present in every Chrome OS device to certify that the security state of those devices has not been altered.Many organizations have access controls in place to ensure that only authorized users are allowed to access sensitive resources and they do so from enterprise-managed devices conforming to their security policies.To read this article in full or to leave a comment, please click here
Security researchers have found a malicious application on Google Play that had over 500,000 downloads and was designed to gain complete control over Android devices.The application masqueraded as a guide for the popular Pokémon Go game and used multiple layers of obfuscation to bypass Google Play's malware detection mechanisms, researchers from Kaspersky Lab said in a blog post.The app contains a malicious module that doesn't execute immediately. Instead, the app waits for another application to be installed or uninstalled in order to determine if it's running on a real device or in an emulated environment, like the ones used to detect malware.To read this article in full or to leave a comment, please click here
Tech luminaries Steve Wozniak, co-founder of Apple, and Jimmy Wales, founder of Wikipedia, have joined a new campaign pushing for a pardon of National Security Agency leaker Edward Snowden.Other supporters of the PardonSnowden.org campaign, launched Wednesday, are Harvard law professor and tech policy author Lawrence Lessig; tech investor Esther Dyson; noted cryptographer and MIT professor Ron Rivest; and Electronic Frontier Foundation co-founder John Perry Barlow.The campaign, supported by the American Civil Liberties Union, Amnesty International, and Human Rights Watch, asks supporters to sign a letter asking President Barack Obama to pardon the former NSA contractor. "Snowden’s actions ... set in motion the most important debate about government surveillance in decades, and brought about reforms that continue to benefit our security and democracy," the letter says.To read this article in full or to leave a comment, please click here
The following statement was made by FCC Chairman Tom Wheeler before the Committee on Commerce, Science and Transportation of the United States Senate during a hearing on "Oversight of the Federal Communications Commission" on Sept. 15.Chairman Thune, Ranking Member Nelson, and Members of the Committee, thank you for this opportunity to discuss our work at the Federal Communications Commission. Since we last met six months ago, the Commission has continued to make strong progress on our policy agenda. While I am pleased with this progress, our work is far from done. With each passing day, communications technology grows more important to our economy and quality of life. That means there’s no letting up at the Commission. We must continue to promote core values like universal access, public safety, consumer protection, and competition at the same bold pace we have consistently maintained. To read this article in full or to leave a comment, please click here
There is a growing consciousness about the desire to keep one’s messages private. Some are concerned about hackers, or worry about the government spying on them, but most people just agree with the general principle that what you say in your chat conversations ought to stay between you and the people you chat with.It’s not a pleasant idea to think that your messages could be archived for perpetuity on a large company’s server or analyzed by some algorithm. The quest for privacy has birthed a whole generation of apps that promise to give you exactly that. Services like Telegram and Signal have turned the phrase “end-to-end encryption” into a popular discussion. We're here to help you figure out what this is all about and which apps to try.To read this article in full or to leave a comment, please click here
Sophos is coming out with Intercept X, its new name for endpoint protection that’s based on technology acquired when it bought SurfRight last year to broaden its endpoint strategy.The product uses behavior-based screening to detect malicious behavior on endpoints rather than signature-based protection that requires constant updating and can lag behind attackers’ efforts to create new versions.The software looks at the behavior of processes, specifically watching for 24 techniques that malware uses as part of attacks, says Dan Schiappa, senior vice president of the Enduser Security Group at Sophos. That boosts the chances of finding zero-day attacks that use a common set of techniques.To read this article in full or to leave a comment, please click here
Hackers are becoming a major source of political leaks in this year’s presidential race.Case in point: On Tuesday, stolen emails from former secretary of state Colin Powell became headline news after a mysterious site with possible ties to Russian cyber spies gave them to the press. Since then, media outlets have been pointing out juicy details found in the emails. For example, Powell called Clinton “greedy” and her rival Donald Trump a “national disgrace.”The incident has security experts worried that hackers are manipulating U.S. media outlets to influence this year’s election.To read this article in full or to leave a comment, please click here
As cars become more computerized, they're also facing a greater risk of being hacked. That’s why Volkswagen is founding a new cyber security company devoted to protecting next-generation vehicles.On Wednesday, the automaker said it would partner with a former Israeli intelligence agency director to jointly establish a new company, called Cymotive Technologies.It’s unclear how much Volkswagen is investing in the new firm, but security experts have been warning that internet-connected cars and self-driving vehicles could one day be a major target for hackers.Even older cars from Volkswagen are vulnerable. Last month, researchers said that millions of vehicles from the automaker can be broken into by exploiting the remote control key systems.To read this article in full or to leave a comment, please click here
Adobe Systems has fixed more than 30 vulnerabilities in its Flash Player and Digital Editions products, most of which could be exploited to remotely install malware on computers.The bulk of the flaws, 26, were patched in Flash Player on all supported platforms: Windows, Mac and Linux.Twenty-three of those vulnerabilities can lead to remote code execution and the remaining three can be used for information disclosure or to bypass security features, Adobe said in an advisory.Adobe advises users to update Flash Player version 23.0.0.162 on Windows and Mac or version 11.2.202.635 on Linux. The new version of the Flash Player extended support release, which only receives security patches, is now 18.0.0.375.To read this article in full or to leave a comment, please click here
Microsoft released one of its biggest security updates this year, fixing 50 vulnerabilities in its products and 26 more in Flash Player, which is bundled with its Edge browser.The patches are split into 14 security bulletins, including the one dedicated to Flash Player, seven of which are rated critical. They address vulnerabilities in Windows, Internet Explorer, Microsoft Edge, Microsoft Exchange, Microsoft Office and Microsoft Office web services and apps.For desktop deployments, administrators should prioritize the fixes for Internet Explorer, which are covered in the MS16-104 bulletin, Microsoft Edge (MS16-105), Microsoft Office (MS16-107), Microsoft Graphics Component (MS16-106), OLE Automation for VBScript Scripting Engine (MS16-116) and Adobe Flash Player (MS16-117).To read this article in full or to leave a comment, please click here
The World Anti-Doping Agency (WADA) was hacked and confidential medical files of US Olympic athletes Simone Biles, Serena and Venus Williams and Elena Delle Donne were leaked online. The hackers dubbed the dump as “just the tip of the iceberg.”A group claiming to be the Fancy Bears' Hack Team took credit for the attack and accused American Olympic athletes of doping, of using “dirty methods to win.” Furthermore, the hackers claimed that although the US Olympic team had "played well but not fair,” it had “disgraced its name by tainted victories.”To read this article in full or to leave a comment, please click here
The World Anti-Doping Agency (WADA) was hacked and confidential medical files of U.S. Olympic athletes Simone Biles, Serena and Venus Williams, and Elena Delle Donne were leaked online. The hackers said the dump is “just the tip of the iceberg.”A group claiming to be the Fancy Bears' Hack Team took credit for the attack and accused American Olympic athletes of doping, of using “dirty methods to win.” Furthermore, the hackers claimed that although the U.S. Olympic team "played well but not fair,” it had “disgraced its name by tainted victories.”To read this article in full or to leave a comment, please click here
We’ve all heard tales of foreign intelligence entities breaking into hotel rooms and cloning a person’s hard drive while he or she is in the bar downstairs.You might dismiss it as the stuff of urban legend or Jason Bourne movies, but this style of attack does highlight one of the most basic weaknesses of today’s PCs: Their data is extremely vulnerable once an attacker has physical access to a machine. Cold boot attacks, USB exploits,or DMA attacks over FireWire, among other breaches, are all possible if a bad actor can get his or her hands on the hardware.To read this article in full or to leave a comment, please click here
Apple Pay on websites launched on Tuesday with the release of iOS 10 for the iPhone and iPad -- and will hit Mac desktops when macOS Sierra launches next Tuesday.More than 200,000 websites -- including small and large retailers -- plan to support Apple Pay on their sites in coming weeks, Apple said Tuesday. Many of the sites include online retailers using e-commerce platforms run by Shopify, Demandware and IBM.The move means that online shoppers with iPhones, iPads and Macs updated with the latest operating systems can save time when finishing an online purchase through the Apple's Safari browser. Retailers that have signed up for the service are expected to see an uptick in the number of customers that finish a web purchase, instead of giving up because typing in credit information was considered too complicated, awkward or time-consuming.To read this article in full or to leave a comment, please click here
Google yesterday announced a six-month bug contest that will pay up to $200,000 for an Android "bug chain," one or more successful exploits of previously unknown vulnerabilities.Dubbed "Project Zero Prize," it differed from hacking contests that take place over one or two days: Researchers can submit entries from now until March 14, 2017. In that regard, Google's contest resembled the limited-time bug bounties that rival Microsoft has offered to focus on, among other areas and applications, in Windows 10's Edge browser.In the case of multi-exploit entries, Google also departed from the usual contest or bounty rules by encouraging researchers to submit each link in the bug chain as the flaws were uncovered, rather than wait until all were in place and exploitable.To read this article in full or to leave a comment, please click here
Microsoft announced late Tuesday that it has joined Google's Android for Work program and will support Google's container technology for mobile application management in a future release of Intune, Microsoft's own enterprise mobility management (EMM) server. The Microsoft blog post gave no timeline.Android for Work, initially released in winter 2015 as part of an Android 5.0 Lollipop update, brought to Android the same level of enterprise-grade protection for mobile apps that had previously been available only to Apple's iOS devices or Samsung's Android devices running Samsung's own Knox technology.To read this article in full or to leave a comment, please click here
A single ransomware author and distributor was able to collect $121 million in ransomware payments during the first half of this year, netting $94 million after expenses, according to a report released today."Ransomware has grown over the years, and in 2015 and 2016 we really saw a serious spike," said Vincent Weafer, vice president of Intel Security's McAfee Labs.Weafer estimated that total ransomware revenues could be in the hundreds of millions."And that's on the conservative side," he said.WHAT SHOULD YOU DO: How to respond to ransomware threats
Total ransomware increased by 128 percent during the first half of 2016 compared to the same period last year. There were 1.3 million new ransomware samples recorded, the highest number since McAfee began tracking it.To read this article in full or to leave a comment, please click here
Hackers are trying to tarnish the U.S. Olympic team by releasing documents they claim show athletes including gymnast Simone Biles and tennis players Venus and Serena Williams used illegal substances during the Rio Games.The medical files, allegedly from the World Anti-Doping Agency, were posted Tuesday on a site bearing the name of the hacking group Fancy Bears. “Today we'd like to tell you about the U.S. Olympic team and their dirty methods to win,” said a message on the hackers' site.The World Anti-Doping Agency confirmed it had been hacked and blamed Fancy Bears, a Russian state-sponsored cyber espionage team that is also known as APT 28 -- the very same group that may have recently breached the Democratic National Committee.To read this article in full or to leave a comment, please click here