Archive

Category Archives for "Network World Security"

Fiat Chrysler launches bug bounty program for connected vehicles

Fiat Chrysler Automobiles has launched a bug bounty program to attract white-hat hackers to spot cybersecurity flaws in its products and connected services. The program is focused on FCA's connected vehicles, including systems within them and external services and applications that link to them. The move follows the remote hack and control of a Jeep Cherokee, one of the company's products, by security researchers. That breach led to the recall of 1.4 million vehicles last year. Fiat Chrysler is also moving quite aggressively in the area of autonomous vehicles, announcing earlier this year the joint development of self-driven minivans with Alphabet's Google Self-Driving Car Project.

US Senator has privacy concerns about Pokémon Go’s data collection

The popularity of augmented reality smartphone game Pokémon Go has raised a variety of concerns, including a warning by the National Safety Council urging drivers not to play the game behind the wheel and asking pedestrians to be careful while playing it. U.S. Senator Al Franken, a strong privacy advocate, has raised the inevitable question about the privacy of the extensive data the game collects from its users, including children, and whether the data is used for other purposes. "I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users' personal information without their appropriate consent," Franken, a Democrat from Minnesota, wrote in a letter Tuesday to John Hanke, the CEO of Niantic, the developer of the game.

An online market that offered cheap hacked servers returns

A website that offered access to hacked servers for as little as $6 is back online. The market, called xDedic, went down last month on June 15, right after security firm Kaspersky Lab publicly exposed it. Access to more than 70,000 compromised servers from governments, businesses and universities had been sold through the site in the two years it was in operation. Kaspersky Lab, however, reported its finding to law enforcement agencies and said that "several major" internet service providers helped shut the site down.

Hacked 3D printers could commit industrial sabotage

3D printers can churn out toys, clothing and even food. But the technology also shows potential for use in industrial sabotage, researchers warn. Imagine a car maker using 3D printers to manufacture components, only to have the parts contain defects that are undetectable until it's too late. A hacker with access to the 3D printers could make that happen, a team of researchers wrote in a recent paper. This could result in a "devastating impact" for users and lead to product recalls and lawsuits, said New York University professor Nikhil Gupta, the lead author of the paper.

July 2016 Patch Tuesday: Microsoft releases 11 security updates, 6 rated critical

For July, Microsoft released 11 security bulletins, six of which were rated critical due to remote code execution (RCE) vulnerabilities. Critical: MS16-084 is the cumulative patch for Internet Explorer, fixing a plethora of RCE problems that an attacker could exploit if a victim viewed a maliciously crafted webpage using IE. The security update also addresses spoofing vulnerabilities, security feature bypass and information disclosure flaws. MS16-085 is the monthly cumulative security update for Microsoft's Edge browser. The most severe vulnerabilities could allow RCE. The patch also resolves security feature bypass issues, information disclosure problems and many memory corruption flaws.

Stealthy cyberespionage malware targets energy companies

Security researchers have discovered a new malware threat that goes to great lengths to remain undetected while targeting energy companies. The malware program, which researchers from security firm SentinelOne have dubbed Furtim's Parent, is a so-called dropper: a program designed to download and install additional malware components and tools. The researchers believe it was released in May and was created by state-sponsored attackers. The goal of droppers is to prepare the field for the installation of other malware components that can perform specialized tasks. Their priority is to remain undetected, gain privileged access, and disable existing protections. These are all tasks that Furtim's Parent does well.

Amazon Prime Day is Today: Over 100,000 Products Currently Discounted – Prime Day Deal Alert

Today is Amazon's biggest event of the year: Prime Day. As you read this, over 100,000 products have been dramatically discounted for today only. Laptops, cell phones, gadgets, gear, and everything in between have been slashed up to 40% or more. You need to be a Prime member to access the deals, but a free trial of Prime gets you access just the same. Jump over to Amazon and explore the seemingly endless list of products on sale right now.

Privacy Shield transatlantic data sharing agreement enters effect

After months of uncertainty, businesses will once again have a simple, legal way to export the personal information of European Union citizens to the U.S. for processing from Aug. 1. Privacy Shield, the replacement for the defunct Safe Harbor Agreement, ensures an adequate level of protection for personal data transferred from the EU to self-certified organisations in the U.S., the European Commission ruled Tuesday morning. It plans to notify the governments of the EU's 28 member states of its adequacy decision later in the day, at which point Privacy Shield will enter effect, although it will still be a few more weeks before companies can register their compliance with it.

6 high-tech ways thieves can steal connected cars

On the internet superhighway (image by Henrik Schnabel). Our vehicles contain critical personal information such as our personal contacts, registration and insurance details, financial information and even the address of our home, making entry, theft and further damage even more of a possibility. Our vehicles are truly an extension of one's connected self, and the technology associated with them offers substantial benefits.

VPN provider cuts off service to Russia after servers seized

Private Internet Access, a provider of virtual private network services, has shut down its Russian gateways and won't do business in the region any longer, as it believes that some of its Russian servers were seized by the government for not following new internet surveillance rules. The provider, which holds that it does not log traffic or session data, said it had likely fallen foul of new Russian rules that require providers to log local traffic for up to a year. "We believe that due to the enforcement regime surrounding this new law, some of our Russian Servers (RU) were recently seized by Russian Authorities, without notice or any type of due process," the provider's team said in a blog post Monday.

VPN provider cuts off service to Russia after servers seized

Private Internet Access, a provider of virtual private network services, has shut down its Russian gateways and won't do business there any longer, as it believes some of its servers were seized by the government for not following new internet surveillance rules. The company said it had likely fallen foul of new rules that require providers to log local traffic for up to a year. Private Internet Access says it does not log traffic or session data. "We believe that due to the enforcement regime surrounding this new law, some of our Russian Servers (RU) were recently seized by Russian Authorities, without notice or any type of due process," the provider said in a blog post Monday.

Cisco Live: Cisco bolsters, integrates security products and services

At Cisco Live today the company is rolling out a set of new services and cloud-based security features that better integrate existing Cisco gear with products it gained through acquisitions. These products essentially grow the features of some existing gear and expand security coverage to devices not connected to the corporate network. The Cisco mantra is that there are too many point security products for businesses to manage effectively, and that they generate too much unanalyzed data to be used effectively. The company contends that adding one more security product can add just a small percentage of new capabilities but a vast amount of complexity and work to integrate the new product.

IDG Contributor Network: Auto thieves adopting cybercrime-like tactics

In addition to recently publicized hacks of electronic auto ignitions with laptops, car thieves have several other high-tech techniques they've put to use—or will soon unleash upon their victims, according to stolen vehicle recovery firm CalAmp LoJack Corp. The lawlessness includes portable scanner boxes that exploit electronic key fobs; identity theft, where the Personally Identifiable Information stored within the vehicle and in the vehicle computer is stolen; and car cloning, which is when a Vehicle Identification Number (VIN) is faked, allowing new documents to be produced.

Serious flaw fixed in widely used WordPress plug-in

If you're running a WordPress website and you have the hugely popular All in One SEO Pack plug-in installed, it's a good idea to update it as soon as possible. The latest version, released Friday, fixes a flaw that could be used to hijack the site's admin account. The vulnerability is in the plug-in's Bot Blocker functionality and can be exploited remotely by sending HTTP requests with specifically crafted headers to the website. The Bot Blocker feature is designed to detect and block spam bots based on their user agent and referer header values, according to security researcher David Vaartjes, who found and reported the issue. If the Track Blocked Bots setting is enabled (it's not by default), the plug-in will log all requests that were blocked and will display them on an HTML page inside the site's admin panel.

Victims of terrorist attacks in Israel sue Facebook for $1 billion

The families of victims of five recent attacks in Israel are suing Facebook for more than US$1 billion, saying the social media site helps terrorists plan their violence. The lawsuit, filed in a New York court, accuses Facebook of helping Palestinian group Hamas recruit members, communicate, and plan attacks. The U.S. government designated Hamas a terrorist organization in 1995. Plaintiffs in the lawsuit are family members of victims of five terrorist attacks in Israel in the past two years, the most recent being a March 8 stabbing attack in Tel Aviv that killed 29-year-old U.S. citizen Taylor Force. Four of the people who died in the attacks were U.S. citizens, and another U.S. citizen was injured.

SWIFT brings in external support as it fights wave of bank hacks

SWIFT is bringing in additional security support after a series of high-profile bank heists and attempted bank heists conducted via its financial transaction network. The company has hired two security firms, UK-based BAE Systems and Fox-IT Security of the Netherlands, to help its customers strengthen their security, it said Monday. SWIFT's network itself has not been breached in the recent attacks, but bank systems connected to it have been hacked in a number of high-profile incidents over the last year, the most spectacular of which almost led to the loss of US$1 billion from Bangladesh Bank.

Armed crooks use Pokemon Go to lure and rob victims

It's not only cyber thugs who are interested in the Pokemon Go app, but crooks in real life as well. Armed robbers were reportedly using the app's geolocation feature to lure victims to secluded locations. The "robbery part made sense" to the cops, but not the augmented reality game in which players walk around in the real world searching for Pokemon. Players can drop a Lure module at a real-world location, which lasts for 30 minutes and attracts players to that location. O'Fallon, Missouri, Police Sgt. Phil Hardin told the St. Louis Post-Dispatch "that 'younger, geeky officers' had to fill in their colleagues about some of what the victim was describing."

Enterprise software developers continue to use flawed code in apps

Companies that develop enterprise applications download over 200,000 open-source components on average every year, and one in every 16 of those components has security vulnerabilities. This is indicative of the poor state of the software supply chain, a problem that's only getting worse with the increased reliance on third-party code combined with bad software inventory practices. According to software development lifecycle firm Sonatype, third-party components account for 80 percent to 90 percent of the code found in a typical enterprise application today. The number of downloads from the largest public repository of open-source Java components reached 31 billion last year, an 82 percent increase over 2014, the company found.

Muggers used Pokemon Go to lure victims, police say

With the launch of Pokemon Go last week, it's not just players but police that "gotta catch 'em all." Police in O'Fallon, Missouri, believe muggers may have tracked or lured victims through the Pokemon Go mobile game, in which players follow their phones' directions to real-world places to "catch" Pokemon characters. "The way we believe it was used is you can add a beacon to a Pokestop to lure more players. Apparently they were using the app to locate people standing around in the middle of a parking lot or whatever other location they were in," the O'Fallon Police Department explained on its official Facebook page.

New products of the week 7.11.16

Our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow. ONLYOFFICE Community Edition. Key features: a free and open source office and productivity suite that offers feature-rich online editors integrated with Mail, CRM, Project and Document Management systems, and Calendar.