Privacy groups in the U.S. have complained to the Federal Trade Commission that changes last week in WhatsApp's terms and privacy policy break its previous promise that user data collected would not be used or disclosed for marketing purposes. The Electronic Privacy Information Center and the Center for Digital Democracy have described the changes as an unfair and deceptive trade practice, subject to an investigation and injunction by the FTC, in their complaint Monday. WhatsApp said last week it will be sharing some account information of users with Facebook and its companies, including the mobile phone numbers they verified when they registered with WhatsApp. The sharing of information will enable users to see better friend suggestions and more relevant ads on Facebook, it added.
A U.S. cybersecurity monitor on Monday described another breach of a voter election system just after a leaked FBI report revealed two similar attacks. In June, anonymous hackers stole administrative login credentials in an unnamed county that would have let them delete voter registration records and prevent citizens from casting ballots. The information comes from the Multi-State Information Sharing and Analysis Center (MS-ISAC), which monitors cyber attacks against state and local governments and shares information with the FBI. MS-ISAC is supported by the Department of Homeland Security. The attack in June targeted a county election official through a phishing email, according to Brian Calkin, vice president of operations for the Center of Internet Security, which runs MS-ISAC.
This very realistic-looking book cleverly conceals a solid steel locking safe. Designed to look simply like a dictionary, the diversion safe is a good consideration for a college student or anyone looking for a creative way to hide electronics, money, documents and more. You could argue that this is safer than a real safe -- thieves just won't spend their limited time looking through your books. The dictionary safe averages 4 out of 5 stars from over 140 people. Its typical list price of $32.99 has been reduced 45% to just $17.99.
With memories of Black Hat still in my head, I'm back in Las Vegas for VMworld. I'm sure there will be plenty of generic VMware and partner announcements, but I'm here to assess how VMware is addressing enterprise security requirements with its technologies and partner relationships. I will be focusing on a few key areas: 1. NSX penetration. Last year, VMware talked a lot about emerging demand for NSX, but I've seen a lot of momentum over the past 12 months. From a security perspective, large organizations adopt NSX to do a better job of segmenting workloads and network traffic, as well as network security operations. I'm interested to see how VMware security use cases are maturing and how VMware customers are moving toward building additional security controls and monitoring on top of NSX capabilities.
The FBI has reportedly found evidence that foreign hackers breached two state election databases in recent weeks. An FBI alert warning election officials about the breach was leaked, and it was posted in a report by Yahoo News on Monday. Voter registration databases from both Illinois and Arizona were targeted in the hacks, according to the report. In the Illinois case, personal data on 200,000 voters was stolen. In July, an official with the state's board of elections warned on Facebook that the voting system had fallen to a cyberattack, forcing a shutdown.
After MedSec revealed remotely exploitable flaws in St. Jude pacemakers and defibrillators to financial research firm Muddy Waters, choosing to profit by how far St. Jude stock fell after the report (pdf) was made public instead of taking a "responsible disclosure" path, St. Jude struck back by basically calling Muddy Waters' claims a bunch of lies.
File sharing and the control over the data within file sharing sits on a continuum. On one end are the consumer offerings that are incredibly easy to use and come with enough, but not too much, functionality.
That is the world Box, Dropbox and Google started with. And while these vendors have been moving towards higher-level features, it's fair to say that their start was in the ease-of-use court.
At the other end, we have the solutions that are enterprise-focused. These solutions tend towards big, heavy, monolithic structures and myriad levels of control. They're all about ticking the boxes for enterprise security departments, and while they're certainly robust, they're not exactly known for user-friendliness. Indeed, the so-called "Dropbox problem," where enterprises see high levels of non-mandated solution use, came about largely because enterprise solutions are often so awful to use.
Security researchers have found a sophisticated malware program that may have been used recently by a gang of hackers to steal more than US$350,000 from ATMs in Thailand. A sample of the new malware, dubbed Ripper, was uploaded to the VirusTotal database from an Internet Protocol address in Thailand last week, shortly before local media reported that hackers used malware to steal 12.29 million Baht from 21 ATMs in the country. The incident forced the state-owned Government Savings Bank to temporarily shut down all of its ATMs made by one vendor so they could be checked for malware, the Bangkok Post reported last week.
New products of the week: our roundup of intriguing new products. ASG-Mobius 6.0. Key features: ASG-Mobius 6.0 is a purpose-built content management system with proven scalability supporting platform, device and data independence. New AWS support enables cloud-based solutions, on-premise or hybrid implementations.
Data loss prevention tools. We tested data loss prevention (DLP) tools from Comodo, Digital Guardian and Forcepoint. These products are designed to stop protected data from being shared in multiple ways, everything from e-mail attachments to printing to even screen captures. Forcepoint Triton was the most mature, easiest to set up and had the most features. Digital Guardian DLP was able to eliminate almost all false positives and would be a good choice for organizations with huge amounts of intellectual property. Comodo DLP offered a lot of flexibility as well as extras like a VPN, firewall, patch and mobile device manager, making it a good choice for organizations getting up to speed with their overall cybersecurity defenses.
Most security tools are focused on keeping external attackers at bay. But what about the sensitive data that lives inside your network? How do you make sure it doesn't get out, either intentionally or by accident? That's where Data Loss Prevention (DLP) comes into play. DLP tools are designed to block protected data from being shared in various ways, everything from e-mail attachments to printing to even screen captures. DLP can protect core network stores as well as connected endpoints which might have confidential information. We looked at DLP solutions from Comodo, Digital Guardian and Forcepoint. Symantec was invited to participate, but declined.
About 350 million people use the Opera browser. Of those, 1.7 million received an email from Opera, warning that attackers breached Opera's cloud Sync service server. Even if a person didn't check their email, they would have known something was up since Opera forced a password reset for Sync users. Opera announced the breach on Friday. The company said it detected and then "quickly blocked" an attack last week, but "some data, including some of our sync users' passwords and account information, such as login names, may have been compromised."
One security research company is taking a controversial approach to disclosing vulnerabilities: it's publicizing the flaws as a way to tank a company's stock. The security firm, MedSec, made news on Thursday when it claimed that pacemakers and other health care products from St. Jude Medical contain vulnerabilities that expose them to hacks. However, MedSec is also cashing in on the disclosure by partnering with an investment firm that's betting against St. Jude Medical's stock. The whole affair is raising eyebrows around the security community. It may be the first time someone has tried to get compensated for discovering vulnerabilities by shorting a stock, said Casey Ellis, CEO of Bugcrowd, a bug bounty platform.
Big data is best known for its volume, variety, and velocity -- collectively referred to as the "3 Vs" -- and all three of those traits make security an elusive goal. Targeting companies grappling with that challenge, the Cloud Security Alliance on Friday released a new report offering 100 best practices. As its name would suggest, the CSA focuses on promoting the use of security best practices within the cloud computing world; corporate members include VMware, Microsoft, AWS, and Red Hat. In an earlier report, the CSA broke down big data security risks into a set of the top 10 major challenges. Now, for each of those, it presents 10 best practices designed to help enterprises keep their information safe.
This column is available in a weekly newsletter called IT Best Practices. Who's that coming to your website? Is it friend or foe? Is it a customer wanting to buy your products, or someone or something wanting to steal your web content? Is it a community member that wants to post a relevant comment, or a spammer intent on planting junk links and content in your open comments section? Is it a real person clicking on an ad, or a web bot driving up fraudulent clicks? Web applications are increasingly being subjected to automated threats such as click fraud, comment spam, content scraping, abusive account creation, and more. These and other illicit or unwanted activities are described in detail in the OWASP Automated Threat Handbook for Web Applications.
Whether they identify as white hats, black hats or something in-between, a majority of hackers agree that no password is safe from them — or the government for that matter. Regardless of where they sit with respect to the law, hackers mostly agree that five key security measures can make it a lot harder to penetrate enterprise networks. At the Black Hat USA 2016 conference in Las Vegas earlier this month, Thycotic, a specialist in privileged account management (PAM) solutions, surveyed more than 250 attendees who self-identified as hackers (respondents remained anonymous). Eighty-four percent of respondents identified as white hat hackers — security researchers that help organizations uncover and remediate vulnerabilities. And 15 percent identified as black hat hackers, who penetrate networks with criminal intent.
In order to help webmasters better protect their websites and users, Mozilla has built an online scanner that can check if web servers have the best security settings in place. Dubbed Observatory, the tool was initially built for in-house use by Mozilla security engineer April King, who was then encouraged to expand it and make it available to the whole world. She took inspiration from the SSL Server Test from Qualys' SSL Labs, a widely appreciated scanner that rates a website's SSL/TLS configuration and highlights potential weaknesses. Like Qualys' scanner, Observatory uses a scoring system from 0 to 100 -- with the possibility of extra bonus points -- which translates into grades from F to A+.
Are you ready? While 83 percent of respondents say cyberattacks are among the top three threats facing organizations, only 38 percent say they are prepared to experience one, according to ISACA's 2015 Global Cybersecurity Status Report. Incident response is still largely a human response. Multiply an outdated response plan by the many human errors that can innocently occur during response and you have a recipe for potentially cataclysmic results in the threat event aftermath. Use the following tabletop exercises based on today's most disconcerting threats to update your response plan for live action.
There are now 200 companies standing behind Privacy Shield, the framework agreement allowing businesses to process the personal information of European Union citizens on servers in the U.S. Companies must register with the International Trade Administration of the U.S. Department of Commerce to be covered. It's a self-certification process, so the ITA is only checking that the forms are filled in correctly, not that companies are necessarily complying with all 13,894 words of the rules. The Privacy Shield rules are needed to ensure that EU citizens' personal information is afforded the same legal protection in the U.S. as required under EU law.
Dropbox is asking users who signed up before mid-2012 to change their passwords if they haven’t done so since then.
The cloud storage service said it was asking users to change their passwords as a preventive measure, and not because there is any indication that their accounts were improperly accessed.
Dropbox said it was taking the measure because its security teams learned about an old set of Dropbox user credentials, consisting of email addresses and hashed and salted passwords, which it believes were obtained in 2012 and could be linked to an incident the company reported around the time.
In July 2012, Dropbox said its investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. It said it had contacted the users affected to help them protect their accounts.