Category Archives for "Network World Security"

Apple’s bug bounty program favors quality over quantity

After years of reluctance to pay researchers for exploits, Apple has given in and is ready to hand out up to US$200,000 for critical vulnerabilities found in the latest version of iOS and the newest iPhones. Apple announced the program Thursday at the Black Hat security conference in Las Vegas. It starts in September, and unlike bounty programs run by other large technology companies it will be invite-only. The program will start with a few dozen researchers hand-picked by Apple, though any outsider who submits a flaw that qualifies can receive a reward and be invited to join the program, said Ivan Krstić, the head of Apple Security Engineering and Architecture.

Black Hat: Quick look at hot issues

Security subjects (image by Reuters/David Becker). Black Hat includes a variety of security topics, from how USB drives are a menace to how drones are fast becoming a threat you need to pay attention to, and much more. Here we take a look at just a few of the hot topics presented at the conference.

Why some risk assessments fail

At the Black Hat conference in Las Vegas, CSO’s Steve Ragan chats with Itzik Kotler, CTO and co-founder of SafeBreach, about why many companies end up failing in their security risk assessments, as well as how some companies are tackling these failures to improve their overall security.

The 15 best cities for information security pay

High-flying salaries in some unexpected places (image by Greg Gjerdingen). Before moving to this top city for InfoSec pay, you might want to read the latest John Sandford novel, brace for a bitter cold winter and develop a taste for tater tot hot dish. Yes, that's right: if you want to get the most bang for your InfoSec salary buck, a move to Minneapolis might be in your future.

How to prevent potential HTTPS URL hijacking

When a computer connects to a public Wi-Fi network or an untrusted LAN, a malicious actor could potentially compromise a browser's HTTPS connection and eavesdrop on URLs such as Dropbox or Google Drive links, or password reset URLs. The fix is easy for a consumer: un-check the automatic detect setting. An enterprise user, however, might need to ask the IT department to eliminate this risk. Windows, Mac and Linux computers are all at risk.

Windows: How to reduce the risk of URL hijack

To prevent this HTTPS URL hijack on a Windows computer, open the Control Panel and select Internet Properties. Then select the Connections tab, and in it the LAN settings button. Un-check Automatically detect settings.

Threat actors: Who you should really worry about

At the Black Hat convention in Las Vegas, CSO's Steve Ragan sits down with Lior Div, CEO and co-founder of Cybereason, to talk about threat actors, their methods and motives. Instead of worrying about nation-state hackers like China or Russia, Div argues that companies should prepare for low-level attacks that can escalate into larger ones, because the cost of entry for many of these attacks is constantly getting lower.

Black Hat: How to make and deploy malicious USB keys

USB keys were famously used as part of the Stuxnet attack on the Iranian nuclear program, and for good reason: the technique has a high rate of effectiveness, according to a researcher at Black Hat 2016. Of 297 keys spread around the University of Illinois Urbana-Champaign, 45% were not only plugged into victims' computers, but the victims then clicked on links in files that connected them to more malware, says Elie Bursztein, a Google researcher who presented the results.

Black Hat: ATM spits out cash after chip and pin hack

We've been told that EMV (Europay, MasterCard and Visa) chip-equipped cards have an added layer of security, making them more secure and harder to clone than cards with only a magnetic stripe. But Rapid7 security research manager Tod Beardsley said, "The state of chip and pin security is that it's a little oversold." Black Hat USA attendees who watched an ATM spit out hundreds of dollars might tend to agree. The demonstration was part of Hacking Next-Gen ATMs: From Capture to Cashout, which was presented by Rapid7's Weston Hecker. The abstract of his talk said the system he devised could "cash out around $20,000/$50,000 in 15 minutes."

Getting hackers to notice you

Stop right there: Attendees mill about the Black Hat 2016 trade show floor seeking tools they need to do their work. See how vendors make every effort to have them stop by.

Beer: Always a favorite; Kaspersky doles out cases of it during the opening conference reception.

F5 Networks: It’s time to rethink security architecture

F5 Networks held its annual industry analyst conference this week within its user conference, Agility, in Chicago. One of the main messages F5 tried to get across to its customer base is that it's time to rethink security. I agree with that thesis wholeheartedly, and it is consistent with many of the posts I have written in the past year, including one I wrote about defining the new rules of security in a digital world.

Tinder swipes too much personal information, says EU lawmaker

Marc Tarabella wants to swipe left on Tinder's privacy policy. The company's terms of use breach European Union privacy laws, according to Tarabella, a member of the European Parliament. Tarabella particularly dislikes the way the company gives itself the right to swipe the personal information and photos of its users, and to continue using it even if they deactivate their accounts. It's not just Tinder: Tarabella is also unhappy about how much personal information Runkeeper keeps about runners' movements, even when the app is inactive. He has the same concerns about Happn, a sort of missed-connections dating service. The lawmaker wants the European Commission to root out abusive clauses in the terms of use of a number of mobile apps, and to penalize their developers.

Black Hat: We need agency focused on fixing internet’s problems

The country needs a federal agency akin to the National Institutes of Health in order to fix the problems with the internet, keynoter Dan Kaminsky yesterday told a record crowd of more than 6,400 at Black Hat 2016. Private companies are dealing with the security problems they face without sharing the solutions or pushing for the underlying engineering changes that are needed to make the internet more secure, says Kaminsky, who famously discovered a serious vulnerability in DNS, which underpins the internet. The solution is a central agency to address those engineering challenges. He says all the money that is spent piecemeal on battling security needs to be channeled to this agency so it has the resources and bureaucratic bulk to escape being derailed by transient public officeholders whose policies can change dramatically and quickly.

Do developers really care about security?

Over the years, developers have been dogged by a reputation for placing security as an afterthought: get a slick, full-featured experience up and running fast, and figure out how to deal with whatever holes crop up once QA gets its hands on the code. Organizations may have had a significant hand in fostering developers' laissez-faire attitude toward security by siloing teams in separate domains and giving development, QA, ops, and security operations isolated opportunities to levy their expertise on the code. But with security and privacy increasingly top of mind among users, and with companies moving more toward a devops approach to software development, developers need to shed that reputation and consider security concerns an integral part of the development process.

Microsoft cranks up encryption in .Net Framework

Microsoft has released .Net Framework 4.6.2, tightening security in multiple areas, including the BCL (Base Class Library). The new version also makes improvements to the SQL client, Windows Communication Foundation, the CLR (Common Language Runtime), and the ASP.Net web framework. The security focus in the BCL affects PKI capabilities, and X.509 certificates now support the FIPS 186-3 digital signature algorithm. "This support enables X.509 certificates with keys that exceed 1024-bit," Microsoft's Stacey Haffner said. "It also enables computing signatures with the SHA-2 family of hash algorithms (SHA256, SHA384, and SHA512)."

What’s in a security score?

Fair Isaac Corp., the company that issues credit scores for individuals, was tired of other analytics companies developing security scoring tools for businesses and then proclaiming themselves "the FICO of security scores." So in May, FICO upped its own scoring game: it acquired cybersecurity firm QuadMetrics to create its own brand of security scores for enterprises. The new scoring tool, available in August, uses predictive analytics and security risk assessment tools to issue scores and predict a company's likelihood of a significant breach within the next 12 months compared to other firms. "Our own cyber breach insurance underwriters commented how great it would be if there was really a FICO score on this for the underwriting process," says Doug Clare, vice president of cybersecurity solutions. The company had already invested in cybersecurity detection technology that assesses network traffic, and it saw the addition of QuadMetrics as "the right opportunity at the right time," he adds.