Archive

Category Archives for "Network World Security"

‘Trojan horse’ stalks security conference

The creation pictured above, dubbed “Cyber Horse,” greets attendees of the ongoing Cyber Week 2016 conference being held at Tel Aviv University. A short video shows a time-lapse of the final assembly with a narration devoted to a history lesson, and another close-up video was taken by a conference attendee. “Cyber Horse” was conceived and built by No, No, No, No, No, Yes, an agency based in New York City. Gideon Amichay, founder and chief creative officer, explains in a blog post.

Tech jobs report: Security, devops, and big data stay hot

If you're wondering what IT skill sets to acquire, security and devops are doing well in the job market. Pay for cloud skills, however, is eroding. Research firm Foote Partners' latest quarterly IT Skills and Certifications Pay Index determined that the market value for 404 of the 450 IT certifications it tracks had increased for 12 consecutive quarters. Market values rose for noncertified IT skills for the fifth consecutive quarter. Foote's report is based on data provided by 2,845 North American private and public sector employers, with data compiled from January to April 1. (Noncertified skills include skills that are in demand but for which there is no official certification, Foote spokesman Ted Lane noted.)

Severe flaws in widely used archive library put many projects at risk

In a world where any new software project is built in large part on existing third-party code, finding and patching vulnerabilities in popular open-source libraries is vital to creating reliable and secure applications. For example, three severe flaws in libarchive, recently found by researchers from Cisco Systems' Talos group, could affect a large number of software products. Libarchive is an open-source library first created for FreeBSD but since ported to all major operating systems. It provides streaming access to archives in a variety of formats, including tar, pax, cpio, ISO9660, zip, lha/lzh, rar, cab and 7-Zip. The library is used by file and package managers included in many Linux and BSD systems, as well as by components and tools in OS X and Chrome OS. Developers can also include the library's code in their own projects, so it's hard to know how many other applications or firmware packages contain it.

Microsoft invokes Supreme Court opinion in Ireland email case

Microsoft believes its refusal to turn over email held in Ireland to the U.S. government got a boost from an opinion the Supreme Court issued on Monday, which held that U.S. laws cannot apply extraterritorially unless Congress has explicitly provided for it. In a decision Monday in a separate case on the extraterritorial application of a provision of the Racketeer Influenced and Corrupt Organizations Act (RICO), the Supreme Court set out the ground rules for its analysis, pointing out that “absent clearly expressed congressional intent to the contrary, federal laws will be construed to have only domestic application.” The court was applying a canon of statutory construction known as the presumption against extraterritoriality.

This Android malware can secretly root your phone and install programs

Android users beware: a new type of malware has been found in legitimate-looking apps that can “root” your phone and secretly install unwanted programs. The malware, dubbed Godless, has been found lurking on app stores including Google Play, and it targets devices running Android 5.1 (Lollipop) and earlier, which account for more than 90 percent of Android devices, Trend Micro said Tuesday in a blog post. Godless hides inside an app and uses exploits to try to root the OS on your phone. Rooting gives the malware administrative access to the device, allowing unauthorized apps to be installed without the user's consent.

Top website domains are vulnerable to email spoofing

Don’t be surprised if you see spam coming from the top websites in the world. Lax security standards are allowing anyone to "spoof" emails from some of the most-visited domains, according to new research. Email spoofing, a common tactic of spammers, involves forging the sender’s address: messages can appear as if they came from Google, a bank or a best friend, even though the email never came from the actual source. The spammer simply altered the email’s "From" address. Authentication systems have stepped in to try to solve the problem, but many of the top website domains are failing to properly use them, opening the door for spoofing, according to Sweden-based Detectify, a security firm.
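The article names the authentication systems only generically; in practice they are SPF, DKIM and DMARC, all published as DNS TXT records, and a domain is only protected against From-header forgery when its DMARC policy actually instructs receivers to quarantine or reject. The Python below is an added example, not Detectify's methodology or any code from the article: it evaluates a domain's SPF and DMARC records the way a spoofability check would. The domains and records are constructed samples embedded inline, and lookup_txt stands in for a real DNS resolver.

```python
import re

# Constructed sample TXT records standing in for DNS answers (not real domains).
SAMPLE_TXT = {
    "strict.example":         ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strict.example":  ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "spfonly.example":        ["v=spf1 mx ip4:192.0.2.0/24 -all"],
    "soft.example":           ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.soft.example":    ["v=DMARC1; p=none; rua=mailto:reports@soft.example"],
    "open.example":           ["v=spf1 +all"],
    "dupe.example":           ["v=spf1 -all", "v=spf1 mx -all"],   # two records: permerror
}


def lookup_txt(name):
    """Stand-in resolver; swap in a real TXT query to assess live domains."""
    return SAMPLE_TXT.get(name, [])


def parse_spf(records):
    """Return {'terms': [...], 'all': qualifier} or None if absent/invalid.

    RFC 7208 requires exactly one v=spf1 record; zero or several means the
    domain has no usable SPF policy. A missing 'all' term yields neutral.
    """
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    terms = spf[0].split()[1:]
    qualifier = None
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"   # a bare 'all' means +all (pass)
    return {"terms": terms, "all": qualifier}


def parse_dmarc(records):
    """Return DMARC tags as a dict, or None if absent/invalid."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain, lookup=lookup_txt):
    """Rate how easily mail can be forged with `domain` as the sender."""
    spf = parse_spf(lookup(domain))
    dmarc = parse_dmarc(lookup("_dmarc." + domain))
    findings = []

    if spf is None:
        findings.append("no valid SPF record (missing or more than one)")
    elif spf["all"] == "+":
        findings.append("SPF ends in +all: every host is an authorised sender")
    elif spf["all"] is None:
        findings.append("SPF has no 'all' term: unknown senders get a neutral result")
    elif spf["all"] in ("~", "?"):
        findings.append("SPF uses %sall: forged mail softfails but is not rejected" % spf["all"])

    policy = (dmarc or {}).get("p", "").lower()
    if dmarc is None:
        findings.append("no DMARC record: receivers have no instruction to reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC p=%s does not enforce" % (policy or "<missing>"))

    # DMARC is what ties authentication to the visible From: header; SPF -all
    # alone only covers the envelope sender and receivers apply it unevenly.
    if policy in ("quarantine", "reject"):
        risk = "low"
    elif spf is not None and spf["all"] == "-":
        risk = "medium"
    else:
        risk = "high"
    return {"domain": domain, "risk": risk, "findings": findings}


if __name__ == "__main__":
    for d in ("strict.example", "spfonly.example", "soft.example", "open.example", "dupe.example"):
        r = assess(d)
        print(r["domain"], r["risk"], *r["findings"], sep=" | ")
```

Two caveats a real check must add: a DMARC record with pct below 100 only enforces on a fraction of mail, and the sp tag can leave subdomains at p=none even when the organisational domain rejects; neither is scored above.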

A FireEye Chat with Kevin Mandia

In early May, FireEye announced that company president Kevin Mandia would replace industry veteran Dave DeWalt as CEO. My colleague Doug Cahill had a chance to catch up with Kevin yesterday to get his perspectives on FireEye, enterprise security and the threat landscape, among other topics. Here are a few highlights:

On FireEye’s direction: In spite of lots of distraction, Mandia is focused on driving “engineering innovation” at FireEye. Normally this vision would be equated with security products alone, but Kevin believes that products can anchor services as well. This involves installing FireEye’s endpoint and network security products on a customer network, collecting telemetry, comparing it to current threat intelligence, detecting malicious activities, and then working with customers on remediation. To accomplish this, FireEye products must be “best-in-class” for threat detection on a stand-alone basis. The FireEye staff is then available to add brain power and muscle to help product customers as needed.

Security of “high-impact” federal systems not exactly rock-solid

In the face of relentless attacks via malware, DDoS and malicious email, the defenses that protect the nation’s most “high impact” systems are spotty at best and could leave important programs open to nefarious activities, according to a new report from the Government Accountability Office. At issue, the GAO wrote, is the weakness of protection for “high impact” systems, which the government defines as those “that hold sensitive information, the loss of which could cause individuals, the government, or the nation catastrophic harm,” and which as such should be getting increased security.

Hackers sold access to 170,000 compromised servers, many in the US

The market for hacked servers might be much larger than previously thought, with new evidence suggesting that hackers sold access to over 170,000 compromised servers since 2014, a third of them located in the U.S. The new revelation comes from antivirus firm Kaspersky Lab, whose researchers reported last week that a black market website called xDedic was selling remote access to more than 70,000 compromised servers for as little as US$6. Following the report, a user with the moniker AngryBirds shared several Pastebin lists of IP addresses along with dates that allegedly represented hacked servers sold on xDedic since Oct. 2014.

Tech groups say FBI shouldn’t be allowed to do mass hacking

Congress should block proposed changes to the rules governing U.S. law enforcement investigations that could give agencies new authority to hack thousands of computers, several tech and advocacy groups said. The changes, approved by the Supreme Court in April, would allow judges to issue warrants for hacking and surveillance in cases where investigators don't know the target computer's location, a coalition of 50 tech trade groups, digital rights groups and tech companies said in a letter sent Tuesday to congressional leaders.

FireEye: China still spies on U.S. companies, but maybe less

The United States and China forged an agreement last year not to conduct cyber espionage against corporations, but it seems pretty likely that groups based in China have continued to do so. However, it might not all be the fault of the government there, according to a report from security company FireEye. Of 72 groups that FireEye suspects of operating in China or in China’s interests, 13 compromised corporate networks in the U.S., Europe and Japan between last fall, when the agreement was reached, and this month, according to the report, “Redline Drawn: China Recalculates Its Use of Cyber Espionage”.

Top US states and cities with unsecured security cameras

In 2014, Insecam listed over 73,000 unsecured security cameras worldwide, with 11,046 of those open security cameras in the U.S. That number is constantly fluctuating. Today, for example, there are 5,064 unsecured cameras in the U.S. In December 2015, over a span of two days, the unprotected cameras in the U.S. changed from 4,104 to 5,604. A fact that does not change is that the U.S. is still number one for unsecured security cameras, having more than any other nation in the world.

Apple fixes serious flaw in AirPort wireless routers

Apple has released firmware updates for its AirPort wireless base stations in order to fix a vulnerability that could put the devices at risk of hacking. According to Apple, the flaw is a memory corruption issue stemming from DNS (Domain Name System) data parsing that could lead to arbitrary code execution. The company released firmware updates 7.6.7 and 7.7.7 for AirPort Express, AirPort Extreme and AirPort Time Capsule base stations with 802.11n Wi-Fi, as well as AirPort Extreme and AirPort Time Capsule base stations with 802.11ac Wi-Fi. AirPort Utility 6.3.1 or later on OS X, or AirPort Utility 1.3.1 or later on iOS, can be used to install the new firmware versions on AirPort devices, the company said in an advisory.
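Apple's advisory says only that the flaw is memory corruption in DNS data parsing; the code below is not Apple's and says nothing about the actual bug. It is an added example of the checks a DNS name decoder needs to be safe on hostile input: every label length and compression pointer is validated against the message before use, and pointers may only move strictly backwards past the start of the name being decoded, which is what rules out both out-of-bounds reads and pointer loops. It is written in Python, where a missing check surfaces as an exception or a hang rather than the memory corruption it would cause in C. The message bytes are constructed inline and the function names are the example's own.

```python
POINTER = 0xC0      # top two bits set: 14-bit offset into the message (RFC 1035 4.1.4)
MAX_NAME = 255      # RFC 1035 2.3.4: total wire length of a name


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed DNS name starting at msg[offset].

    Returns (dotted_name, offset_after_name). Raises ValueError on any
    malformed encoding instead of reading past the buffer or looping forever.
    """
    labels, total, pos = [], 0, offset
    end = None          # set when the first pointer is followed
    floor = offset      # pointers must target an offset strictly below this
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        kind = length & POINTER
        if kind == POINTER:
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= floor:
                raise ValueError("pointer to %d does not precede name at %d" % (target, floor))
            if end is None:
                end = pos + 2
            floor = pos = target
            continue
        if kind:
            raise ValueError("reserved label type 0x%02x" % kind)
        if length == 0:                      # root label terminates the name
            break
        # kind == 0 guarantees 1 <= length <= 63 here; check it against the buffer.
        if pos + 1 + length > len(msg):
            raise ValueError("label of %d octets exceeds message" % length)
        total += length + 1
        if total > MAX_NAME:
            raise ValueError("name exceeds 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if end is None:
        end = pos + 1
    return ".".join(labels) + ".", end


def is_malformed(msg: bytes, offset: int) -> bool:
    """True if decode_name rejects the encoding at msg[offset]."""
    try:
        decode_name(msg, offset)
    except ValueError:
        return True
    return False


# Constructed messages: a 12-octet zeroed header followed by name data.
HEADER = b"\x00" * 12
MSG_OK = HEADER + b"\x07example\x03com\x00" + b"\x03www\xc0\x0c"   # "www" + pointer to offset 12
MSG_TRUNC = HEADER + b"\x0aexa"                    # label claims 10 octets, only 3 present
MSG_SELF = HEADER + b"\x01a\xc0\x0c"               # pointer back into its own name: a loop
MSG_FWD = HEADER + b"\xc0\x0e\x00"                 # pointer forward into unparsed data
MSG_LONG = HEADER + (b"\x3f" + b"a" * 63) * 4 + b"\x00"   # 4 x 64 octets = 256 > 255

if __name__ == "__main__":
    print(decode_name(MSG_OK, 12))      # ('example.com.', 25)
    print(decode_name(MSG_OK, 25))      # ('www.example.com.', 31)
    for m in (MSG_TRUNC, MSG_SELF, MSG_FWD, MSG_LONG):
        print(is_malformed(m, 12))      # True for each
```

The "floor" rule is stricter than the common "target < current position" check, which still admits a pointer into the middle of the name currently being read and relies on the 255-octet cap to break the resulting loop.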

Tech’s biggest CEO raises and pay cuts

Ups and downs of CEO pay: Median pay among 62 tech CEOs was $10.6 million last year, down from $11.5 million in 2014. Some tech leaders netted big gains while others saw their compensation slashed. Here are the six most drastic pay raises and six largest losses.

20 highest paid tech CEOs

Meet the highest paid tech CEOs: Larry Ellison often topped our tallies of the highest paid tech CEOs. Ellison gave up the Oracle CEO job in 2014, and now his successors, who made $53 million apiece last year, share the distinction of highest paid tech CEO. See who else made the top 20.

Chinese hacking slows down after public scrutiny and US pressure

U.S. warnings and public scrutiny of hacks by groups believed to be China-based may have led to an overall decrease in intrusions by these groups against targets in the U.S. and 25 other countries, a security firm said. From mid-2014, after the U.S. government took punitive measures against China, including indicting members of the Chinese People’s Liberation Army for computer hacking, economic espionage and other charges, and raised the possibility of sanctions, FireEye has seen a notable decline in successful network compromises by China-based groups in these countries.

Russian hackers were indeed behind DNC breach, claims another security firm

One lone hacker has tried to take credit for the recent breach of the Democratic National Committee, calling it “easy.” But some security researchers aren’t convinced. On Monday, security company Fidelis Cybersecurity came forward and agreed that expert hacking groups from Russia were indeed behind the attack. The malware involved was advanced, and at times identical to malware the Russian hacking groups have used in the past, Fidelis said in a blog post on Monday. “This wasn’t ‘Script Kiddie’ stuff,” the company added. It backs the conclusion that security firm CrowdStrike made last week, when the company said two Russia-based hacking groups were behind the breach.

Ticketmaster free tickets website off to rough start

Those outrageous Ticketmaster fees you've perhaps grudgingly been paying for years have indeed been found to be outrageous, and now the company has been forced to dole out $400M in vouchers that can be used to buy new tickets. For people like me, who have bought many Red Sox, Celtics and concert tickets over the years, this could be quite a windfall. Or not. As you can read on the FAQ page for Schlesinger et al. v. Ticketmaster, the ticket brokerage firm was found to have used an unclear fee system and overcharged those who had tickets shipped to them between Oct. 21, 1999 and Feb. 27, 2013.

Do third-party vendors have a bullseye on their backs?

Because there are so many different kinds of third parties, identifying whether they do or don’t have the right infrastructure or security protocols can be a challenge. Moreover, doing the proper due diligence needed to vet third-party vendors can be costly and time consuming. As so many organizations rely on a variety of different providers, third parties can become gateways to the network. In order to mitigate the risk of a breach from a third party, enterprises need to design a vetting process and understand the language of the service-level agreement in order to best evaluate their contracts.