Category Archives for "Network World Security"

Attackers could steal millions through online phone verification systems

In the latest attack that shows how hard it is for users to identify phone numbers with premium call charges, a researcher has found that he could have earned millions by abusing the online phone verification systems used by Google, Microsoft, and Instagram. Many websites and mobile apps allow users to associate a phone number with their account. This can be used for two-factor authentication or as an account recovery and verification option. Many of these systems rely on codes sent via text messages, but also offer the option to call the user and dictate such codes. Last year, a Belgian IT security consultant named Arne Swinnen started wondering if such systems test if the numbers entered by users have premium charges attached to them and set out to test several popular services.

Algorithm to predict at birth if a person will be a criminal?

Technology is not a bad thing; it’s not inherently scary. Sometimes new technology gets misused or tainted with mission creep. Most of the time, tech actually makes our lives easier and better. Here are two tales about “new” tech that could potentially predict the future. One seems scarier than the other. Algorithms control aspects of your life whether you are aware of it or not. They are used to come up with risk scores and even predict the future. But how would you feel about an algorithm that seems to be ripped straight from Minority Report? It would identify criminals far before they could commit a crime since it would “predict at the time of someone’s birth how likely she is to commit a crime by the time she turns 18.”

Tech leaders challenged daily to sort through a crush of new security apps

A tech leader's day can be unpredictable, but Ginny Davis, CIO at entertainment services company Technicolor, can rely on one thing: She's guaranteed to get an email from a new security provider urging her to check out its latest and greatest technology. Davis says she values "the evolution in the fight against hackers" and considers the many new options a positive trend, "but it's mind-numbing how quickly [the security landscape] is changing." Bob Lamendola, general manager of infrastructure services at IT services provider Mindshift, agrees. "The number of security-related products and services coming at you is almost frightening. The [security] marketplace is evolving at a frantic rate, making a complex situation even more complex to navigate."

New products of the week 7.18.16

Our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow. Built.io Flow. Key features: Built.io Flow makes building enterprise integrations easier. The Activity Builder allows organizations to instantly add new services to their integration library. The Data Mapper enables data transformation between heterogeneous systems.

Flaw in vBulletin add-on leads to Ubuntu Forums database breach

Ubuntu support forums users should be on the lookout for dodgy emails after the website's database of 2 million email addresses was stolen. Canonical announced the security breach on Friday after being notified that someone was claiming to have a copy of the UbuntuForums.org database. An investigation revealed that an attacker did get access to the website's user records through a vulnerability. The exploited SQL injection flaw was located in the Forum Runner add-on for vBulletin, commercial web forum software that powers over 100,000 community websites on the Internet and is especially popular with companies. The vulnerability was known, but the Canonical IS team had failed to apply the patch for it in a timely manner.

Hackers claim to have launched DDoS attack that crashed Pokemon Go servers

Shortly after Pokemon Go launched in 26 new countries, the servers crashed; while sluggish and/or unresponsive servers shouldn’t surprise anyone, given the app’s popularity even before the added audience from countries across the globe, a hacking collective took credit for the attack. A group of hackers going by “PoodleCorp,” a collective which took credit for hacking popular YouTube channels last month, took to Twitter to claim responsibility for DDoSing the Pokemon Go servers.

Hackers claim to have launched DDoS attack that crashed Pokémon Go servers

Shortly after Pokémon launched in 26 new countries, the servers crashed. While sluggish and/or unresponsive servers shouldn’t surprise anyone, given the app’s popularity even before the added audience from countries across the globe, a hacking collective took credit for the attack. A group of hackers going by “PoodleCorp,” a collective that took credit for hacking popular YouTube channels last month, took to Twitter to claim responsibility for DDoS-ing the Pokémon Go servers.

Use Tor? Riffle promises to protect your privacy even better

Privacy-minded people have long relied on Tor for anonymity online, but a new system from MIT promises better protection and faster performance. Dubbed Riffle, the new system taps the same onion encryption technique after which Tor is named, but it adds two others as well. First is what's called a mixnet, a series of servers that each permute the order in which messages are received before passing them on to the next server.

This fake Pokemon Go game will secretly drive porn ad clicks

A newly discovered fake Pokemon Go game will actually lock your phone and then secretly run in the background, clicking on porn ads. Security firm ESET found it on Google Play, and it's called Pokemon Go Ultimate. However, once downloaded, the app itself doesn’t even pretend to offer anything remotely like the hit game. Instead, it simply appears as an app called “PI Network.” Once it runs, the app will then freeze the phone with a screen lock of a Pokemon Go image, forcing the user to restart the device, ESET said in a blog post on Friday.

My big intro to BI & analytics vendor MicroStrategy

MicroStrategy, a veteran of the business intelligence and analytics market that is currently littered with so many startups, has plenty to boast about and isn’t shy about doing it. Its revenue comes in at more than half a billion dollars, the company is profitable, and it serves giant customers like eBay and the U.S. Postal Service. A competitor of vendors such as SAP and Tableau, MicroStrategy gushes over how Gartner analysts rate it. And according to globetrotting CEO and Co-Founder Michael Saylor, Version 10 of MicroStrategy's flagship product is “the most powerful software ever released” -- so much so that a customer could feel secure including "a nuclear order of battle into an [encrypted and geolocked] application, put it on an iPad and hand it to the President of the United States."

MIT researchers: Network pros could learn a lot from ants

How ants decide where to move their nests may hold lessons for computer scientists seeking efficient ways to gather data from distributed networks of sensors, according to MIT researchers. It turns out that the frequency with which explorer ants bump into each other as they wander around looking for a new home for their colony is a pretty good indicator of how many other explorer ants are investigating the same site.

In Nice attack, government’s official terror alert comes too late

"Take cover," the French government warned people in Nice via its official terror alert app. But the alert came almost three hours after police shot the driver of a truck as he plowed through crowds gathered on the waterfront late Thursday to watch a firework display celebrating France's national holiday. The System to Alert and Inform Populations (SAIP) app, introduced last month, is supposed to provide more timely and informative warnings than the existing nationwide network of sirens and radio messages. The ministry began working on the app after the terrorist attacks in Paris in November 2015, finally putting it into service on June 8.

Cisco patches serious flaws in router and conferencing server software

Cisco Systems released patches this week for several vulnerabilities in its IOS software for networking devices and the Cisco and WebEx conferencing servers. The most serious vulnerability affects the Cisco IOS XR software for the Cisco Network Convergence System (NCS) 6000 Series Routers. It can lead to a denial-of-service condition, leaving affected devices in a nonoperational state. Unauthenticated, remote attackers can exploit the vulnerability by initiating a number of management connections to an affected device over the Secure Shell (SSH), Secure Copy Protocol (SCP) or Secure FTP (SFTP).

This Android Trojan blocks the victim from alerting banks

A new Trojan that can steal your payment data will also try to stymie you from alerting your bank. Security vendor Symantec has noticed a “call-barring” function within newer versions of the Android.Fakebank.B malware family. By including this function, a hacker can delay the user from canceling any payment cards that have been compromised, the company said in a blog post. Fakebank was originally detected in 2013. It pretends to be an Android app, when in reality, it will try to steal the user’s money. The malware works by first scanning the phone for specific banking apps. When it finds them, the Trojan will prompt the user to delete them and install malicious versions of those same apps.

Microsoft’s overseas privacy battle may be far from over

Privacy advocates, especially those outside the U.S., can rest a little easier now. A federal court has rebuked the U.S. government’s attempt to access emails stored on a Microsoft server in Ireland. But the legal battle may be far from over. Thursday’s ruling could affect how the U.S. conducts surveillance over suspected criminals and terrorists overseas, so expect the government to appeal, said Roy Hadley, a lawyer at Thompson Hine who studies cybersecurity issues. “There’s a fine line between privacy and national security,” he said. “And it’s a difficult line to walk.”

$29.99 for the IT Security & Ethical Hacking Certification Training ($1,895 value) – Deal Alert

If you’re looking to enter a rapidly growing field, snag this course bundle in IT Security & Ethical Hacking. Instructors walk you through training for three industry-recognized certification exams: CompTIA Security+, Cisco’s CCNA Security, and Certified Ethical Hacker. For a limited time, the bundle of courses is only $29.99--a steal considering it’s jam-packed with over 48 hours of courses and 50 hours of advanced training. If you wanted, you could finish all the material in only 4 to 6 weeks, and pass all your exams in record time.

Campaigns use Big Data for political gain

With the presidential nominating conventions looming, the candidates are getting ready to add to the hundreds of millions they’ve already spent to tell you about themselves – but only what they want you to know about themselves. Meanwhile, they have also been spending millions of dollars collecting information about you – and you have no say in what is collected. Which means that, in the era of Big Data, if you’re a potential voter, they know a lot more about you than you know about them.

Defective products could result from cyberattacks on industrial 3D printers

Many 3D printers lack cybersecurity features, which presents opportunities to introduce defects as components are being built, a new study shows. The study, performed by a team of cybersecurity and materials engineers at New York University, concluded that with the growth of cloud-based and decentralized 3D printer production supply chains, there can be "significant risk to the reliability of the product." Additive manufacturing (3D printing) is creating a globally distributed manufacturing process and supply chain spanning multiple services, and therefore raises concerns about the reliability of the manufactured product, the study stated.

New Locky ransomware version can operate in offline mode

The creators of the widespread Locky ransomware have added a fallback mechanism in the latest version of their program for situations where the malware can't reach their command-and-control servers. Security researchers from antivirus vendor Avira have found a new Locky variant that starts encrypting files even when it cannot request a unique encryption key from the attacker's servers because the computer is offline or a firewall blocks the communication. Calling home to a server is important for ransomware programs that use public key cryptography. In fact, if they're unable to report back to a server after they infect a new computer, most such programs don't start encrypting files.

How to prepare for a data breach

This column is available in a weekly newsletter called IT Best Practices. Michael Bruemmer's team is busy these days, and that's both good news and bad news for companies like yours. Bruemmer heads up the Data Breach Resolution group at Experian. This team provides the call center, notification and identity theft protection services to clients following a data breach. Over a span of 12 years, this arm of Experian has serviced nearly 17,000 breaches. In 2015, the group serviced 3,550 different incidents, from small breaches that affected just a few hundred people, to the headline-making breaches that affected tens of millions. The fact that Experian has been involved in responding to so many breaches is the bad news I alluded to.