New products of the week
Our roundup of intriguing new products.
Open Threat Exchange (OTX). Key features: AlienVault OTX is an open threat intelligence community where security practitioners research and share emerging threat data. Members can create private discussion groups related to specific industries, regions and threats.
Pay up?
(Image by Flickr/Nick O’Neil)
In the 2016 Executive Application & Network Security Survey, among those who have not experienced a ransom situation, the majority say they would not pay a ransom. But among the few who have experienced a ransom attack, more than half in the U.S. did not pay. One respondent indicated that paying did not guarantee that the attacker would do their part.
The list of ways we can be spied upon seems nearly endless, but you can add one more to that list: active screen snooping via your vulnerable monitor. And that’s just one flavor of attack that can be pulled off by exploiting monitors. You might not agree with everything you read online, but you can usually trust that what you are reading was actually published somewhere by someone. Whether or not you like the balance in your bank account, most folks would not expect that number to be faked. The same would be true for a person monitoring critical infrastructure, but the information being displayed on a computer monitor can be manipulated and may not be the truth.
Some consumer safes protected with electronic locks are quite easy to hack using basic techniques. Others, though, like those made to store guns, are designed to resist expert manipulation. However, one hacker demonstrated at the DEF CON security conference Friday that even high-security rated electronic safe locks are susceptible to side-channel attacks typically used against cryptosystems. Side-channel attacks involve techniques like analyzing power fluctuations and variations in the time it takes operations to complete on an electronic device. By monitoring these values when the system checks the user's input against a stored value, attackers can incrementally recover encryption keys or, in the case of electronic safe locks, the correct access code.
Can a supercomputer beat humans in a hacking contest? We're about to find out. For the first time, a fully automated supercomputer is trying to compete with humans in a major hacking contest, and so far the machine is hanging in there. The supercomputer, known as Mayhem, is among the teams taking part in this year’s Capture the Flag contest at the DEF CON security conference in Las Vegas. The game involves detecting vulnerabilities in software and patching them, and humans have been playing it at DEF CON for years. Now computers are getting in on the act. DARPA, a U.S. defense agency, recently held an all-machine competition, awarding $2 million to the team that did best.
Don’t believe everything you see. It turns out even your computer monitor can be hacked. On Friday, researchers at DEF CON presented a way to manipulate the tiny pixels found on a computer display. Ang Cui and Jatin Kataria of Red Balloon Security were curious how Dell monitors worked and ended up reverse-engineering one. They picked apart a Dell U2410 monitor and found that the display controller inside can be used to change and log the pixels across the screen. During their DEF CON presentation, they showed how the hacked monitor could seemingly alter the details on a web page. In one example, they changed a PayPal account balance from $0 to $1 million, when in reality the pixels on the monitor had simply been reconfigured.
We are truly in the era of all-encompassing analytics. Today, everything you click on, everything you post, where you go, what you purchase, and who you’re connected to are all data points to be captured, categorized, cross-indexed, tabulated, and analyzed. “O! M! G!” you may be muttering, “Will surveillance never end?” Sure it will end. When hell freezes over. Nope, the surveillance cat is out of the bag, the monitoring pigeon has flown the coop, and the privacy bridge has been burnt. Welcome to the future. As if to underline that reality, the latest foray into quantifying you has just been patented by Disney. In a recent filing titled System and method using foot recognition to create a customized guest experience, the company that brought you “a people trap run by a rat” (I kid you with love, Disney) has raised (lowered?) the bar on knowing who you are by proposing that they will track you by looking at ... wait for it ... your footwear.
With one of the largest telecommuting communities in the country (over 1 million people), many of the Federal agencies that support it have little information to show about its benefits. Watchdogs at the Government Accountability Office this week issued a report that found that many agencies “had little data to support the benefits or costs associated with their telework programs. All of the selected agencies could provide some supporting documentation for some of the benefits and only two could provide supporting documentation for some of the costs.”
One of the most popular models for analyzing cyberattacks doesn’t focus enough on what to do after adversaries break into networks successfully, which they inevitably will do, Black Hat 2016 attendees were told this week in Las Vegas. “Every attacker will become an insider if they are persistent enough,” says Sean Malone, a security consultant who spoke at the conference. “We need to operate under a presumption of breach.”
At the DEFCON hacking conference's Lockpick Village, CSO's Steve Ragan chats with Austin Appel (aka Scorche), from TOOOL, about physical locks, lockpicking and risk management associated with locks.
A group of privacy advocates and internet providers has filed a new challenge to the U.K. government's use of bulk hacking abroad.
U.K.-based Privacy International and five internet and communications providers aim to "bring the government's hacking under the rule of law," they said in a case lodged Friday with the European Court of Human Rights.
Their application challenges the U.K. Investigatory Powers Tribunal's (IPT's) February refusal to rule on whether hacking efforts outside the U.K. by the GCHQ British intelligence service comply with the European Convention on Human Rights. That decision was part of a case brought by Privacy International against GCHQ back in 2014, and it effectively meant that the U.K. government could lawfully conduct bulk hacking of computers, mobile devices, and networks located anywhere outside of the U.K., the group said.
IDG editors and writers Steve Ragan (CSO), Fahmida Rashid (InfoWorld) and Lucian Constantin (IDG News Service) offer their impressions of this year's Black Hat security conference.
Cyber-reasoning platform Mayhem pulled down the $2 million first prize in a DARPA-sponsored Cyber Grand Challenge competition that pitted entrants against each other in the classic hacking game Capture the Flag, never before played by programs running on supercomputers. A team from Carnegie Mellon University spin-out ForAllSecure entered Mayhem in the competition against six other programs, played in front of thousands in the ballroom of the Paris hotel in Las Vegas. Most of the spectators were in town for the DEF CON hacker conference starting Friday at the same site.
A new technique allows attackers to hide malicious code inside digitally signed files without breaking their signatures and then to load that code directly into the memory of another process. The attack method, developed by Tom Nipravsky, a researcher with cybersecurity firm Deep Instinct, might prove to be a valuable tool for criminals and espionage groups in the future, allowing them to get malware past antivirus scanners and other security products. The first part of Nipravsky's research, which was presented at the Black Hat security conference in Las Vegas this week, has to do with file steganography, the practice of hiding data inside a legitimate file.
The enterprise is facing a dangerous combination of mounting cybersecurity threats of increasing subtlety—and a widening gap in the skills required to identify and combat them. Having someone who knows how to lead the charge in identifying and analyzing threats, creating strategic security plans and ensuring compliance requires the right level of expertise. The Information Systems Security Association spoke of a “missing generation” in information security, pointing to an estimated 300,000 to 1 million vacant cybersecurity jobs. To further complicate the labor shortfall, security professionals at enterprises understand they are in demand, and it is understood that employees will be receiving offers from other companies. According to a Ponemon study, senior security executives on average leave after 30 months on the job.
The first all-machine hacking competition is taking place today in Las Vegas. Seven teams, each running a high-performance computer and autonomous systems, are going head-to-head to see which one can best detect, evaluate and patch software vulnerabilities before adversaries have a chance to exploit them. It’s the first event where machines, with no human involvement, are competing in a round of "capture the flag," according to DARPA (Defense Advanced Research Projects Agency), which is sponsoring and running the event. DARPA is the research arm of the U.S. Defense Department.
The teams are vying for a prize pool of $3.75 million, with the winning team receiving $2 million, the runner-up getting $1 million and the third-place team taking home $750,000. The winner will be announced Friday morning.
Illinois' largest hospital chain today agreed to pay a $5.5 million fine by the government for lax data security that led to the exposure of more than 4 million electronic patient records. The fine against Advocate Health Care Network, the largest ever levied under Health Insurance Portability and Accountability Act (HIPAA) regulations, is a result of the "extent and duration of the alleged noncompliance." The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) began its investigation in 2013, when the healthcare chain submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (AMG).
Staying secure online is an essential concern, for individual users, businesses, and cybercriminals alike. That’s right: Basic IT security applies whether you’re protecting sensitive data at an upstanding, ethical organization, or you’re in the business of stealing data from those same organizations. After all, the business may be cybercrime, but cybercriminals are still operating a business, with all the associated worries. Criminals rely on operations security (opsec) to stay ahead of law enforcement and security researchers intent on dismantling their operations, but also to protect their criminal enterprises from competitors planning on sabotage.
Giant refrigerator-sized supercomputers battled each other on Thursday in a virtual contest to show that machines can find software vulnerabilities.
The result: the supercomputers time and time again detected simulated flaws in software.
It represents a technological achievement in vulnerability detection, at a time when it can take human researchers on an average a year to find software flaws. The hope is that computers can do a better job and perhaps detect and patch the flaws within months, weeks or even days.
Thursday’s contest, called the Cyber Grand Challenge, was a step in that direction. The final round of the competition pitted computers from seven teams to play the hacking game “Capture the Flag,” which revolves around detecting software vulnerabilities.
After years of reluctance to pay researchers for exploits, Apple has given in and is ready to hand out up to US$200,000 for critical vulnerabilities found in the latest version of iOS and the newest iPhones. Apple announced the program Thursday at the Black Hat security conference in Las Vegas. It starts in September, and unlike bounty programs run by other large technology companies it will be invite only. The program will start with a few dozen researchers hand-picked by Apple, though any outsider who submits a flaw that qualifies can receive a reward and be invited to join the program, said Ivan Krstić, the head of Apple Security Engineering and Architecture.