Faced with increasingly troubling attacks on its cyber infrastructure, the United States has outlined new measures intended to help it respond more effectively to attacks that might compromise public safety or its national security interests. On Tuesday, President Obama approved a directive that lays out how federal agencies will respond to “significant cyber incidents,” with the FBI to be formally in charge of investigating. To read this article in full or to leave a comment, please click here
SMS messaging for two-factor authentication might become a thing of the past. A U.S. federal agency is discouraging its use. The National Institute of Standards and Technology is pushing for the change. Its latest draft of its Digital Authentication Guideline, updated on Monday, warns that SMS messages can be intercepted or redirected, making them vulnerable to hacking. Many companies, including Twitter, Facebook, and Google, as well as banks, already use the phone-based text messaging to add an extra layer of security to user accounts. It works like this: To access the accounts, the user not only needs the password, but also a secret code sent by the company by text message. Ideally, these one-time passcodes are sent to a designated phone number to ensure no one else will read them.
Smart fitness device makers Xiaomi and Microsoft are among those making products that are susceptible to man-in-the-middle (MiM) attacks, says AV-Test, the German independent IT security institute. MiM attacks are where a hacker intercepts and changes communications between parties who think they are communicating with each other. “Some manufacturers are continuing to make disappointing errors,” the lab, which tested seven fitness bands and the Apple Watch, says in its report, published last week.
The White House last week launched a number of steps it hopes will spur the development and further adoption of electric vehicles, including $4.5 billion to help build out the country’s electric charging grid. “In the past eight years the number of plug-in electric vehicle models increased from one to more than 20, battery costs have decreased 70%, and we have increased the number of electric vehicle charging stations from less than 500 in 2008 to more than 16,000 today, a 40-fold increase,” the DOE stated.
Kimpton Hotels, operator of boutique hotels across the U.S., is investigating reports of a possible payment card data breach. If confirmed, it would become the latest in a string of successful attacks on hotel chain operators in the last year. The San Francisco-based company said it was "recently made aware of a report of unauthorized charges occurring on cards that were previously used legitimately at Kimpton properties." As a result, it has hired a computer security firm to investigate whether its systems were compromised and guest data stolen. In the meantime, it advised guests to monitor their card statements for unauthorized charges.
Verizon's planned US$4.8 billion acquisition of Yahoo is likely to create an international consumer tracking powerhouse, and that's raising serious privacy concerns. Combined with other recent acquisitions, the Yahoo deal will allow Verizon to track consumers not only on the web, but also at their physical locations, said Jeffrey Chester, executive director of the Center for Digital Democracy, a privacy advocacy group. Verizon's acquisition of Yahoo's core digital advertising business, "when combined with the capability to gather information from its wireless devices, broadband networks, and set-top boxes, gives it control over the key screens that Americans use today," Chester said by email.
A cyberespionage group known for targeting diplomatic and government institutions has branched out into many other industries, including aviation, broadcasting, and finance, researchers warn. Known as Patchwork, or Dropping Elephant, the group stands out not only through its use of simple scripts and ready-made attack tools, but also through its interest in Chinese foreign relations. The group's activities were documented earlier this month by researchers from Kaspersky Lab, who noted in their analysis that China's foreign relations efforts appear to represent the main interest of the attackers.
A vulnerability across at least eight brands of wireless keyboards lets hackers read keystrokes from 250 feet away, according to wireless security vendor Bastille. The problem is that the keyboards transmit to their associated PCs without encryption, and it’s just a matter of reverse engineering the signals to figure out how to read what keys are being hit, say Bastille researchers. An attacker could inject keystrokes while the keyboard is idle and the machine is logged in, they say, using a dongle that can be fashioned for less than $100.
Health care organizations were 114 times more likely to be hit by ransomware infections than financial firms, and 21 times more likely than educational institutions, according to a new research report by Solutionary. The Omaha-based security firm detects millions of attacks a year, according to threat intelligence analyst Terrance DeJesus. But while health care accounts for just 7.4 percent of the company's client base, it saw 88 percent of all ransomware attacks during the first half of this year. "These numbers do not count all of the email delivery or exploit kit activity that happens pre-infection and would be attempts to deliver ransomware," he said. "These are confirmed ransomware outbreaks on directly affected systems."
Security firm SentinelOne is confident it can beat any of today’s ransomware -- and is willing to put money behind that claim.
The company is offering a new service that will cover up to US$1 million in damages for any customers infected by ransomware.
SentinelOne is calling it the “Cyber Threat Guarantee” and treating it like an extended warranty that customers can buy starting Tuesday.
However, the company is convinced it won’t have to make any payouts, said Jeremiah Grossman, its chief of security strategy. SentinelOne’s failure rate in stopping ransomware attacks is “way less than 1 percent,” he said in an interview.
SentinelOne is offering to pay customers $1,000 per endpoint for customers’ machines that get infected by ransomware if its products don’t either block or remediate the problem. The deal is for customers who use the company’s Endpoint Protection Platform in a mandatory configuration running on computers with fully patched operating systems and applications, and that have Volume Shadow Copy Service enabled, the Microsoft service that backs up files in use. Customers must also be quick to respond to alerts about infections by adding threats to a blacklist and to remediate and roll back within an hour. The $1,000 per machine offer only applies to payment of ransom, not to costs related to the disruptions ransomware causes. SentinelOne also won’t pay if the ransom doesn’t lead to successful recovery of the encrypted data.
The FBI has launched an investigation into the hacking of the Democratic National Committee’s computers, even as more evidence surfaced of possible Russian involvement in the attack. The data breach was first disclosed last month, when hackers published confidential DNC files, including opposition research on Republican presidential candidate Donald Trump. Then on Friday, WikiLeaks published over 19,000 emails that were stolen from the DNC, some of which now threaten to damage the campaign of Democratic presidential candidate Hillary Clinton.
While there's a lot of talk about Windows 10's new features for consumers, the forthcoming Anniversary Update also adds a pair of advanced security capabilities aimed at helping IT managers better lock down the computers in their organization. Windows Information Protection aims to make it possible for organizations to compartmentalize business and personal data on the same device. It comes alongside the general release of Windows Defender Advanced Threat Protection, a system that uses machine learning and Microsoft's cloud to better protect businesses after their security has been breached.
Most companies fail to secure the "keys to the kingdom," according to a new benchmark survey. Last week, privileged account management (PAM) specialist Thycotic and research firm Cybersecurity Ventures released their 2016 State of Privileged Account Management security report, based on the responses of more than 500 IT security professionals who have participated in the Privileged Password Vulnerability Benchmark survey to date.
High priority, low compliance
While 80 percent of respondents indicated PAM security is a high priority for their organizations, and 60 percent said PAM security is required to demonstrate compliance with government regulations, 52 percent of participants received a failing grade on enforcement of proper privileged credential controls.
Despite initial concerns, smartphones equipped with Qualcomm modems are not vulnerable to a recently announced vulnerability that could potentially allow attackers to take over cellular network gear and consumer mobile devices.
The vulnerability was discovered in ASN1C, a popular compiler that produces C code for parsing ASN.1 encoded data. Abstract Syntax Notation One (ASN.1) is a standard for representing, encoding, transmitting, and decoding data in telecommunications and computer networking.
Many devices, from mobile phones to switching equipment inside cellular infrastructure, parse ASN.1 data and do so using programs that were created by compilers such as ASN1C, which is developed by U.S.-based Objective Systems.
New products of the week
Our roundup of intriguing new products.
Sophos SafeGuard Encryption 8
Key features: Sophos SafeGuard Encryption 8 is a new synchronized encryption solution that protects data against theft from malware, attackers or accidental leaks. All organizations can now choose to adopt the best practice of “always-on” file-level encryption to protect data by default.
The media is delving into the digital life of the teenage shooter who opened fire at a McDonald’s at Munich, Germany’s Olympia Mall. Nine people were killed and 27 others were injured in the tragic rampage. In the end, he killed himself. So far, it’s been reported that he hacked Facebook to lure victims, bought a gun on the ‘dark net’ and played the ‘violent’ video game Counter-Strike.
Shooter hacked a girl’s Facebook account to target and social engineer victims
18-year-old mass shooting gunman Ali David Sonboly purportedly used Facebook to social engineer, aka “lure,” victims to McDonald’s. The Telegraph reported that the shooter, who had dual German-Iranian citizenship, had hacked into a “pretty teenage” girl’s Facebook account.
In the stock market, electronic trading (AKA “etrading”) originally started so people could buy and sell stocks and other financial instruments more easily. No more hanging out on the floor of a stock exchange or calling your orders in to your broker; you could do it all from your desktop. This was good because it made markets more accessible and reduced costs. Then, in the 1980s, because the electronic trading platforms had application programming interfaces that allowed new client-side interfaces to be developed, the inevitable happened: the next generation of electronic trading appeared. Algorithmic trading (AKA “algo trading” or “black box trading”) removed humans from the equation and exploded as the latest, greatest stock market money-making strategy.
Tinder users beware. The popular dating app generally doesn’t verify most user accounts, but that hasn’t stopped spammers from pretending to offer the service. In recent weeks, automated bots masquerading as Tinder profiles have been telling real users to get “verified,” as part of a clever scam to sell them porn, security firm Symantec said on Thursday. The spam bots first send off flirty messages, like “Wanna eat cookie dough together some time?” only to then ask whether Tinder has verified the user. It’s a free service, the spam bot will claim, and done “to verify the person you wanna meet isn’t a serial killer lol.”
As the U.S. heads toward an especially contentious national election in November, 15 states are still clinging to outdated electronic voting machines that don't support paper printouts used to audit their internal vote counts.
E-voting machines without attached printers are still being used in a handful of presidential swing states, leading some voting security advocates to worry about the potential of a hacked election.
Some makers of e-voting machines, often called direct-recording electronic machines or DREs, are now focusing on other sorts of voting technology, including optical scanners. They seem reluctant to talk about DREs; three major DRE vendors didn't respond to questions about security.