Bugs in several password managers, including the vulnerabilities discovered in LastPass in late July, have scared away some users. But such fears go too far. Millions of users rely on password managers to keep track of passwords for applications and online services, and by all indications, they work better than trying to do it on your own. Security victories should be embraced -- including password managers, which automatically generate complex strings of characters as passwords and deploy a unique password for each site or application. Password managers solve several authentication problems, including easily-cracked passwords and password reuse.
Clothing retailer Eddie Bauer has informed customers that point-of-sale systems at its stores were hit by malware, enabling the theft of payment card information.
All the retailer’s stores in the U.S. and Canada, numbering about 350, were affected, a company spokesman disclosed Thursday. He added that the retailer is not disclosing the number of customers affected. The card information harvested included cardholder name, payment card number, security code and expiration date.
The retailer said that information of payment cards used at its stores on various dates between Jan. 2 and July 17, 2016, may have been accessed, but added that not all cardholder transactions were affected. Payment card information that was used for online purchases at its website was not affected.
The disclosure this week of a cache of files supposedly stolen from the National Security Agency has put a spotlight on secret cyber weapons the NSA has been holding -- and whether they should be disclosed. Security researchers have been poring over a sample set of hacking tools that may have been stolen from the NSA. An anonymous group called the Shadow Brokers has posted the samples online and is auctioning off the rest, claiming they contain cyber weapons that rival the Stuxnet computer worm. Experts say the whole matter points to the danger of the NSA hoarding cyber weapons: they could fall into the wrong hands.
It's long been known that secret messages can be included in music through techniques such as backmasking, but now a Polish researcher has developed an entirely new approach. By subtly varying the tempo of a particular type of dance music, he's managed to encode information in a way that's completely inaudible to human listeners. StegIbiza is an algorithm for hiding information in a type of dance music known as Ibiza, which originates on the island by the same name in the western Mediterranean Sea. Ibiza music is characterized by its trance-like beat, and that's what Krzysztof Szczypiorski, a professor at Poland's Warsaw University of Technology, made use of.
This full-featured camera broadcasts over wifi, allowing you to view live from multiple mobile devices at once. Its footage records to micro SD where it is stored and accessible remotely as well. Remote pan/tilt/zoom, 2-way voice, motion-detection alert, and night vision capabilities are all onboard. This model averages 4 out of 5 stars on Amazon from over 4,100 people (read reviews). Amazon indicates that its typical list price of $200 has been reduced 50% to $100.
A suspect in a recent data breach at Sage, a U.K. provider of business software, has been arrested. On Wednesday, police in London detained a company employee. The 32-year-old woman was held for alleged fraud against the company, London City Police said. She has since been released on bail. It’s still unclear what information, if any, may have been leaked. However, Sage, a supplier of accounting and payroll software, began notifying customers about the breach last week. Between 200 and 300 business clients in the U.K. may have been affected. At the time, Sage said the breach had come from unauthorized access to internal login data. Security firm the Antisocial Engineer has been in contact with Sage and said a company insider was the prime suspect.
The government has another public balancing act on its hands with the disclosure this week of exploits against commercial security products that were purportedly cooked up by the NSA. These attack tools revealed by a group called Shadow Brokers date from sometime before June 2013, and some of them were still effective this week, which means the NSA never told the vendors about them. That helps flesh out what the Obama administration meant two years ago when it said that under most circumstances the NSA would tell vendors if it exploits vulnerabilities in their security products. The exception: the disclosure policy wouldn’t apply if there were a clear national security or law enforcement need.
When you hear the phrase "getting ahead of shadow IT," it typically comes from a CIO who is implementing new technologies so that employees won’t take it upon themselves to purchase tools. But you don't expect such proactive practices from an enterprise's information security team, which a CIO often enlists to place a moat around corporate assets.
Mike Bartholomy, Western Union's senior manager for information security
Mike Bartholomy takes a different tack at Western Union. The financial services firm's senior manager for information security says that companies that try to block everything may see it backfire. "What we've seen happen in other organizations is that when you take something away that is a great enablement tool that may be moderately risky, you run the risk of pushing users towards something that is very risky," Bartholomy says.
In the fight against shadow IT, CIOs have faced far more significant challenges than modern consumer messaging apps. And the popularity of apps such as WhatsApp, Facebook Messenger, iMessage and Google Hangouts has, in many cases, led to a more open IT approach to consumer communication tools in the enterprise. When IT leaders let employees use their personal devices for work, it's a safe assumption that multiple consumer messaging apps will also come into play. The onus is on the CIO and the IT team to mitigate potential problems that could come from the careless use of such apps at work, according to Adam Preset, research director at Gartner. CIOs should realize consumer messaging apps can increase staff efficiency, but they should also try to empower workers to make choices that don't threaten their organizations, he says.
A stolen cache of files that may belong to the National Security Agency contains genuine hacking tools that not only work, but show a level of sophistication rarely seen, according to security researchers. That includes malware that can infect a device’s firmware and persist, even if the operating system is reinstalled. “It's terrifying because it demonstrates a serious level of expertise and technical ability,” said Brendan Dolan-Gavitt, an assistant professor at New York University’s school of engineering. He’s been among the researchers going over the sample files from the cache, after an anonymous group called the Shadow Brokers posted them online.
Customers of certain Cisco and Fortinet security gear need to patch exploits made public this week after a purported hack of NSA malware. Both companies have issued fixes to address exploits that were posted online, after they found the exploits represent real threats to some of their products, including versions of Cisco’s popular PIX and ASA firewalls and versions of Fortinet’s signature Fortigate firewalls. Other exploits may affect WatchGuard and TOPSEC products, but those companies did not immediately respond to inquiries. When they do, this story will be updated.
Industry watcher CB Insights earlier this month showed that venture capital funding of internet of things companies is actually on the decline after years of growth. But we've still seen enough fresh funding in the months since we rounded up 10 Internet of Things companies to watch back in April to justify doing this follow-up with 7 additional firms, most of them startups. As always, we’ve narrowed down our list -- which is not intended to be all-inclusive -- by restricting it to those vendors that have announced venture funding over the past few months and that have an enterprise focus.
Donald Trump’s call for "extreme vetting" of visa applications, as well as the temporary suspension of immigration from certain countries, would raise fees and add delays for anyone seeking a visa, including H-1B visas, immigration experts said. In particular, a plan by Trump, the Republican presidential candidate, to stop issuing visas -- at least temporarily -- "from some of the most dangerous and volatile regions of the world" may make it difficult for a significant number of people to get visas. Data assembled by Computerworld through a Freedom of Information Act request shows foreign workers come from all corners of the world, including "dangerous and volatile regions." Trump outlined his immigration enforcement plan in a speech Monday.
Let's face it, a data breach at your organization seems inevitable. And the response should be managed "in such a way as to limit damage, increase the confidence of external stakeholders, and reduce recovery time and costs," according to a Harvard Business Review article. In partnership with IDG Enterprise, training company Logical Operations Inc. presents a free online course on this timely topic, "Responding to Cybersecurity Incidents." It's a key part of the company’s full "CyberSec First Responder" certification course. In three one-hour sessions, you'll learn skills such as how to set up an incident-handling team, secure data systems at the "crime scene," assess the damage, and prepare for the forensic investigation.
Have you ever wanted to order something online, perhaps from a dark web marketplace, but didn’t want to give your real name? Someone claiming to be an attorney addressed the subject during an OPSEC discussion on Reddit’s DarkNetMarkets. A computer science professor of mine once advised the class to never use your real name online. He wasn’t suggesting for us to go all out with fake names, but to continually tweak your ‘real’ name such as changing the spelling, shortening it, using nicknames, adding A through Z as a middle initial, etc. That way you see who is tracking you and who is selling your information. If Joey Z Doe gets snail mail or email after registering to purchase something from an online marketplace, then you know that site is selling your information. If you get too wild with the naming convention, then the transaction cannot go through a traditional credit card payment since it’s too far from a match.
The maker of so-called spyware program WebWatcher can be sued for violating state and federal wiretap laws, a U.S. appeals court has ruled, in a case that may have broader implications for online monitoring software and software as a service. The U.S. Court of Appeals for the Sixth Circuit rejected WebWatcher vendor Awareness Technologies' motion to dismiss a lawsuit against the company. The appeals court overturned a lower court ruling granting the motion to dismiss. The appeals court, in a 2-1 decision Tuesday, rejected Awareness' claims that WebWatcher does not intercept communications in real time, in violation of the U.S. wiretap act, but instead allows users to review targets' communications. While plaintiff Javier Luis' lawsuit doesn't address real-time interception of communications, his allegations "give rise to a reasonable inference" of that happening, Judge Ronald Lee Gilman wrote.
Coming out of Black Hat a few weeks ago, it’s pretty frightening what’s going on with cyber-threats. Overall malware volume is down but the number of variants has gone up precipitously. In fact, according to the Webroot threat report, about 97% of all malware variants are seen only one time. In other words, they are designed to target and attack specific organizations. Yes, enterprise organizations are bolstering defenses with anti-malware gateways and next-generation endpoint security tools, but they are also doubling down on threat intelligence. According to ESG research, 27% of enterprise organizations plan to spend significantly more on their threat intelligence programs over the next 12 to 18 months, while another 45% say they will spend somewhat more on their threat intelligence programs during this same timeframe (note: I am an ESG employee).
Microsoft yesterday announced that beginning in October it will offer only cumulative security updates for Windows 7 and 8.1, ending the decades-old practice of letting customers choose which patches they apply. "Historically, we have released individual patches ... which allowed you to be selective with the updates you deployed," wrote Nathan Mercer, a senior product marketing manager, in a post to a company blog. "[But] this resulted in fragmentation where different PCs could have a different set of updates installed leading to multiple potential problems."
Not even the National Security Agency is immune to carelessness, according to noted leaker Edward Snowden. The agency’s operatives can get lazy, and sometimes they leave behind files inside the servers they’ve hacked. That could explain how an anonymous group managed to obtain hacking tools that may belong to the NSA. The files are up for auction to the highest bidder, and allegedly include cyber weapons that rival the Stuxnet computer worm.
Counterhacking
On Tuesday, Snowden, a former NSA contractor, tweeted that it isn’t “unprecedented” for cyberspies to try to hack the agency’s malware staging servers.