
Category Archives for "Network World Security"

Bugs & Bugs: DARPA, bug bounties & thousands of bees

Black Hat & Def Con provided plenty of fodder for our new installment of Bugs & Bugs, as seen in our Facebook Live stream on the latest news about computer bugs and real insects. Network World's Bob Brown and Tim Greene discussed, as you can see in the saved edition of the video below, new research that shows affluent communities tend to attract more different species of insects and other arthropods -- and that's a good thing. We also explored the DARPA Cyber Grand Challenge that took place in Las Vegas on the eve of Def Con and resulted in a $2M first prize for the grand winner of this computer-on-computer Capture the Flag contest.

A new $500,000 iOS bug bounty beats Apple’s offer

A security firm is offering up to US$500,000 for information on zero-day vulnerabilities in iOS, surpassing Apple's bug bounty just days after it was announced. On Tuesday, Texas-based Exodus Intelligence said it will give between $5,000 and $500,000 for zero-day vulnerabilities relating to iOS version 9.3 and higher. These zero-days are software flaws that have gone undetected by Apple, making them potentially very valuable, especially for cyber criminals who can use them to hack iPhones.

Windows Secure Boot: Insecure by design and mostly likely can’t be fixed

Encryption backdoors don’t work; the latest proof of that was discovered by security researchers Slipstream and MY123. This time, the security flub-up involves “golden keys” which can unlock Windows devices allegedly protected by Secure Boot. The researchers sounded the alarm, saying Microsoft messed up and accidentally leaked the security key which is supposed to protect Windows devices from attackers as a box boots up. This same flaw could be used by the machine’s owner to jailbreak a locked box and run a different OS like Linux – anything really, so long as it is cryptographically signed.

Disable WPAD now or have your accounts and private data compromised

The Web Proxy Auto-Discovery Protocol (WPAD), enabled by default on Windows and supported by other operating systems, can expose computer users' online accounts, web searches, and other private data, security researchers warn. Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections, said Alex Chapman and Paul Stone, researchers with U.K.-based Context Information Security, during the DEF CON security conference this week. WPAD is a protocol, developed in 1999 by people from Microsoft and other technology companies, that allows computers to automatically discover which web proxy they should use. The proxy is defined in a JavaScript file called a proxy auto-config (PAC) file.

How to block phishers when they come a knockin’

Just like throwing out a fishing line into the water, a phisher waits for just the slightest nibble before pouncing on a network. Eyal Benishti, CEO of IronScales, says the way to cut off the phishers' food supply is to first go to the core of the issue: employee awareness. The CEO notes that cybercriminals by nature are lazy. “If your organization is a tough nut to crack, they will move on to find more low-hanging fruit,” Benishti says. According to the Verizon data breach investigation report published earlier this year, phishing remains a major data breach weapon of choice. Trend Micro added that ransomware is expected to be one of the biggest threats in 2016 and that a single ransom demand will go much higher, reaching seven figures.

Microsoft patches 27 flaws in Windows, Office, IE, and Edge

Microsoft released another batch of security patches Tuesday, fixing 27 vulnerabilities in Windows, Microsoft Office, Internet Explorer, and its new Edge browser. The patches are organized in nine security bulletins, five of which are rated critical and the rest important, making this Microsoft patch bundle one of the lightest this year in terms of the number of patches. All of the issues resolved this month are in desktop deployments, but Windows servers might also be affected depending on their configuration. "For example, Windows servers running Terminal Services tend to act as both desktop and server environments," said Tod Beardsley, security research manager at Rapid7, via email. However, the majority of Windows server admins out there can roll out patches at a fairly leisurely pace, he said.

When will car manufacturers secure your vehicle?

Reduction in sales and damage to brand are potential bottom line impacts that auto manufacturers need to be concerned about when it comes to security risks and connected cars. According to a newly released IOActive report, "Commonalities in Vehicle Vulnerabilities", authored by senior security consultant Corey Thuen, "39 percent of vulnerabilities are related to the network. This is a general category that includes all network traffic, such as Ethernet or web." Using security best practices publications to design connected cars can mitigate up to 45 percent of vulnerabilities, yet OBD2 adapters, telematics systems and other embedded devices remain security problems in the modern vehicle.

August 2016 Patch Tuesday: Microsoft releases 9 security updates, 5 rated critical

For August 2016, Patch Tuesday isn’t too painful. Microsoft released nine security bulletins, five of which were rated critical due to remote code execution (RCE) vulnerabilities. Why so few this month? Michael Gray, VP of Technology at Thrive Networks, suggested, “It stands to reason that Microsoft may have kept things simple so as not to over-shadow the release of their Windows 10 Anniversary update.”

Critical: MS16-095 is the cumulative monthly fix for Internet Explorer. It resolves five memory corruption vulnerabilities and four information disclosure flaws.

Many bluetooth smart locks open easily for attackers

Security researchers used the recent Def Con hackers’ convention to show just how easily some Bluetooth-based smart locks can be opened. Researchers Ben Ramsey and Anthony Rose of Merculite Security took a look at 16 smart locks from companies such as Ceomate, Elecycle, iBlulock, Mesh Motion, Okidokey, Plantraco, Quicklock, and Vians. Ramsey and Rose discovered that of those 16 locks, 12 could be hacked. Several of them could also be hacked with little to no effort. The researchers’ presentation slides are available on GitHub; the presentation was first reported by Tom’s Guide.

NSF investing $12M in quantum systems to secure networks

While some are focused on threats to IT security posed by coming quantum computers, the National Science Foundation is putting $12 million into developing quantum technologies designed to protect data traversing fiber-optic networks. The NSF will support six interdisciplinary teams consisting of 26 researchers at 15 institutions to perform fundamental research under the Advancing Communication Quantum Information Research in Engineering (ACQUIRE) area within the NSF Directorate for Engineering's Emerging Frontiers in Research and Innovation (EFRI) program.

IT’S ALIVE! DARPA looks to build programmable, self-healing, living building materials

Perhaps one day we’ll see bridges that repair themselves or houses that could restore walls after a fire. Sounds a bit like science fiction, yes, but the masters of making science fiction fact, the Defense Advanced Research Projects Agency, this week announced a program that would combine the structural properties of traditional building ingredients with attributes of living systems to offer a class of living material that could be grown where needed, self-repair when damaged and respond to changes in their surroundings.

Black Hat and DEF CON: The song remains the same

Yes, history repeats itself. I’m looking at the July 20-27, 2009, issue of Network World. The front page headlines are:

- Black Hat to expose attacks
- Microsoft’s embrace of Linux seen as strategic
- Data Loss Prevention Clear Choice Test
- Burning Questions:
  1) Are mobile Web apps ever going to grow up?
  2) How much longer are you going to hang onto that Ethernet cable?
  3) Do you have any idea how much money you’re wasting on international wireless services?

I saw Network World's Tim Greene, author of the 2009 Black Hat article, sitting in the working press area, seven years later, typing furiously.

Adware turns a tidy profit for those who sneak it into downloads

If you've ever downloaded software, chances are you've experienced an all-too-common surprise: ads or other unwanted programs that tagged along for the ride, only to pop up on your PC uninvited. Turns out there's a highly lucrative global industry making it happen, with "layers of deniability" to protect those involved. That's according to researchers from Google and New York University's Tandon School of Engineering, who will present this week what they say is the first analysis of the link between so-called "pay-per-install" (PPI) practices and the distribution of unwanted software.

90% off Become an Ethical Hacker With This Complete eLearning Bundle – Deal Alert

With cyberattacks putting everyone on edge, companies are looking for ethical hackers--IT pros paid handsomely to hack their network, expose security flaws, and fix them before someone else breaks in. Learn the tools of the ethical hacking trade with the Become an Ethical Hacker Bundle, now only $44.99 for a limited time.

Hackers hit Oracle’s Micros payment systems division

Russian cybercriminals have infiltrated systems at Micros, an Oracle division that is one of the world's biggest vendors of point of sale payment systems for shops and restaurants, according to an influential security blogger. The hack has affected 700 computer systems at Micros and is thought to have begun with infiltration on a single machine at the company, said Brian Krebs on his Krebs on Security blog on Monday. The incident is worrying for the potential size of the hack and the systems affected. Oracle acquired Micros in 2014, when it said Micros systems are used in more than 330,000 sites in 180 countries.

Researcher scams fake tech support scammer, infects scammer’s PC with Locky ransomware

While the big security news was happening in Las Vegas at conferences, security researcher Ivan Kwiatkowski’s story was too funny to pass up – at least if you loathe scareware scams. After only 30 minutes on a new computer, his parents surfed to an online tech support scam which claimed their PC was infected with Zeus.

[Image: Fairly atrocious attempt at scareware by tech support scammers. Credit: Ivan Kwiatkowski]

Qualcomm-powered Android devices plagued by four rooting flaws

Hundreds of millions of Android devices based on Qualcomm chipsets are likely exposed to at least one of four critical vulnerabilities that allow non-privileged apps to take them over. The four flaws were presented by security researcher Adam Donenfeld from Check Point Software Technologies on Sunday at the DEF CON security conference in Las Vegas. They were reported to Qualcomm between February and April, and the chipset maker has since released fixes for the vulnerabilities after classifying them as high severity. Unfortunately, that doesn’t mean that all devices are yet protected. Due to the fragmentation of the Android ecosystem, many devices run older Android versions and no longer receive firmware updates, or they receive the fixes with months-long delays.

FTC seeks research help from DEF CON hackers

The Federal Trade Commission made an appeal at DEF CON in Las Vegas this past week in hopes of getting hackers to help them crack down on manufacturers and service providers that leave customers vulnerable. Top of the list: ransomware, malvertising, networked cars and security for the internet of things. Of particular interest in the case of IoT is preventing one device from compromising a consumer’s entire private network, says Lorrie Cranor, the FTC’s chief technologist.