Archive

Category Archives for "Network World Security"

Flaws expose Cisco small-business routers, firewalls to hacking

Three models of Cisco wireless VPN firewalls and routers from the small business RV series contain a critical unpatched vulnerability that attackers can exploit remotely to take control of devices. The vulnerability is located in the Web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router and RV215W Wireless-N VPN Router. It can be easily exploited if the affected devices are configured for remote management, since attackers only need to send an unauthenticated HTTP request with custom user data. This results in remote code execution as root, the highest-privileged account on the system, and can lead to a complete compromise. Until a patch is available, the exposure described here turns on whether remote management is enabled: a device with it switched off presents the management interface only on the LAN side.

Federal Cybersecurity Boondoggle: The Software Assurance Marketplace (SWAMP)

Way back in February, I wrote a blog about President Obama’s proposed Cybersecurity National Action Plan (CNAP). As part of this plan, the President called for $19 billion for cybersecurity as part of the 2017 fiscal year federal budget, a 35% increase over 2016 spending. While CNAP has a lot of thoughtful and positive proposals, I’m troubled by the fact that federal cybersecurity programs seem to have a life of their own with little oversight or ROI benefits. I often cite DHS’s Einstein project as an example of this type of government cybersecurity waste. In my humble opinion, the feds are spending hundreds of millions of dollars on custom research and development for Einstein when commercial off-the-shelf (COTS) network security products could do the same job at a fraction of the cost.

Gartner on doing business in China: Privacy? What’s that?

NATIONAL HARBOR, Md. -- Jie Zhang says that as a child in China she played a game picking up marbles with chopsticks and performing the delicate task of carrying them to another room without dropping them. That’s what doing business in China is like for Westerners, she told a breakfast gathering today at Gartner’s Security and Risk Management Summit. They have to get used to long-standing customs and practices that violate some basic business principles respected outside of China, and some new ones that deal specifically with technology.

Hack the hackers: Eavesdrop for intel on emerging threats

In a sea of vulnerabilities clamoring for attention, it’s almost impossible to know which IT security issues to address first. Vendor advisories provide a tried-and-true means for keeping on top of known attack vectors. But there’s a more expedient option: Eavesdrop on attackers themselves. Given their increasingly large attack surfaces, most organizations tie their vulnerability management cycle to vendor announcements. But initial disclosure of security vulnerabilities doesn’t always come from vendors, and waiting for official announcements can put you days, or even weeks, behind attackers, who discuss and share tutorials within hours of a vulnerability becoming known.

Hacker claims credit for DNC breach, posts files online

A hacker claiming responsibility for the recent data breach of the Democratic National Committee apparently has posted the stolen files online. The hacker, who goes by the name Guccifer 2.0, leaked the files on Wednesday following a breach of DNC computers that has been blamed on Russian hackers. The posted files include a 231-page dossier containing opposition research on presumptive Republican presidential nominee Donald Trump. They also include documents concerning expected Democratic nominee Hillary Clinton’s election strategy, items on U.S. foreign policy, and donor lists.

Companies pay out billions to fake-CEO email scams

Email scammers, often pretending to be CEOs, have duped businesses into giving away at least $3.1 billion, according to new data from the FBI. The email schemes, which trick companies into wiring funds to the hacker, continue to bedevil companies across the world, the FBI warned in a posting on Tuesday. The amount of money they've tried to steal has grown by 1,300 percent since January 2015, it said. In the U.S. alone, victims have lost $960 million to the schemes over approximately the past three years, FBI figures show. That figure reaches $3.1 billion when global data from international law enforcement and financial groups is included. The number of victims: 22,143.

IT worker at Panama Papers firm arrested in Geneva

An IT worker at Mossack Fonseca, the company at the heart of the "Panama Papers" leak, was arrested Wednesday in Geneva. The arrest was made as part of the investigation into the leak, which saw 11.5 million documents from the law firm leaked to the German newspaper Süddeutsche Zeitung. The documents detailed thousands of offshore companies set up by Mossack Fonseca on behalf of rich clients, sometimes for the purpose of tax avoidance. The identity of the worker has not been released, and the Süddeutsche Zeitung reporter who led a year-long investigation into the documents said he did not believe the arrested worker was his source.

Huge FBI facial recognition database falls short on privacy and accuracy, auditor says

The FBI has fallen short on assessing the privacy risks and accuracy of a huge facial recognition database used by several law enforcement agencies, a government auditor has said. A new report, released by the U.S. Government Accountability Office Wednesday, shows the FBI's use of facial recognition technology is "far greater" than previously understood, said Senator Al Franken, the Minnesota Democrat who requested the GAO report. The FBI's Next Generation Identification-Interstate Photo System (NGI-IPS), which allows law enforcement agencies to search a database of more than 30 million photos of 16.9 million people, raises serious privacy concerns, Franken added in a press release.

A black market is selling access to hacked government servers for $6

Want access to a government server? An online black market is selling access to thousands of hacked servers for as little as US$6. Known as xDedic, the market has a catalog of over 70,000 compromised servers for sale, Kaspersky Lab said Wednesday. The servers are in 173 countries and used by governments, businesses and universities. The owners likely have no idea they’ve been hacked, the security firm said. Hackers at xDedic breached many of the servers through trial-and-error using different passwords. They catalogued the servers' software, browsing history and other details buyers might like to know.
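The trial-and-error password guessing described above leaves a recognizable trace on the victim: a burst of failed logins from one source, then a success. As an added example that is not part of the article or of Kaspersky's report, the Node.js script below runs that detection over constructed sshd-style auth log lines. The year is assumed (syslog timestamps omit it), the threshold and window are illustrative, and the same logic applies to other logon-failure sources with a different parser.

```javascript
// Added example, not from the article or from Kaspersky's xDedic report:
// flag password guessing in sshd-style auth log lines and note whether a
// later successful login from the same source followed. The log lines are
// constructed for this example; the year is assumed because syslog omits it.
const SAMPLE_LOG = [
  "Jun 15 03:12:01 srv1 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2",
  "Jun 15 03:12:03 srv1 sshd[2212]: Failed password for root from 198.51.100.23 port 51024 ssh2",
  "Jun 15 03:12:05 srv1 sshd[2214]: Failed password for root from 198.51.100.23 port 51026 ssh2",
  "Jun 15 03:12:07 srv1 sshd[2216]: Failed password for root from 198.51.100.23 port 51028 ssh2",
  "Jun 15 03:12:09 srv1 sshd[2218]: Failed password for root from 198.51.100.23 port 51030 ssh2",
  "Jun 15 03:12:11 srv1 sshd[2220]: Accepted password for root from 198.51.100.23 port 51032 ssh2",
  "Jun 15 03:13:40 srv1 sshd[2230]: Failed password for alice from 203.0.113.7 port 40001 ssh2",
  "Jun 15 03:13:55 srv1 sshd[2232]: Accepted password for alice from 203.0.113.7 port 40003 ssh2",
  "Jun 15 09:45:00 srv1 sshd[3000]: Failed password for bob from 192.0.2.9 port 52000 ssh2",
];

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
const LINE_RE = /^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Accepted|Failed) password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+/;

// Parse one line into { t (epoch seconds), outcome, user, src }, or null for
// lines that are not password-authentication events.
function parseAuthLine(line, year = 2016) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [mon, day, hms] = m[1].trim().split(/\s+/);
  const [h, mi, s] = hms.split(":").map(Number);
  const t = Date.UTC(year, MONTHS[mon], Number(day), h, mi, s) / 1000;
  return { t, outcome: m[2], user: m[3], src: m[4] };
}

// Report every source that produced at least `threshold` failures inside some
// `windowSec`-second window, and whether it then logged in successfully
// within `windowSec` of its last counted failure.
function detectPasswordGuessing(lines, { threshold = 5, windowSec = 300, year = 2016 } = {}) {
  const bySource = new Map();
  for (const line of lines) {
    const ev = parseAuthLine(line, year);
    if (!ev) continue;
    if (!bySource.has(ev.src)) bySource.set(ev.src, []);
    bySource.get(ev.src).push(ev);
  }

  const alerts = [];
  for (const [src, events] of bySource) {
    events.sort((a, b) => a.t - b.t);
    const failures = events.filter((e) => e.outcome === "Failed");
    let burst = null;
    let start = 0;
    for (let i = 0; i < failures.length; i++) {
      // Slide the window start forward until failure i fits within windowSec of it.
      while (failures[i].t - failures[start].t > windowSec) start++;
      const count = i - start + 1;
      if (count >= threshold && (!burst || count >= burst.attempts)) {
        burst = { attempts: count, lastFail: failures[i].t };
      }
    }
    if (!burst) continue;
    const success = events.find(
      (e) => e.outcome === "Accepted" && e.t >= burst.lastFail && e.t - burst.lastFail <= windowSec
    );
    alerts.push({
      src,
      attempts: burst.attempts,
      usernames: [...new Set(failures.map((f) => f.user))],
      compromised: Boolean(success),
      successUser: success ? success.user : null,
    });
  }
  return alerts;
}

console.log(JSON.stringify(detectPasswordGuessing(SAMPLE_LOG), null, 2));
```

A single failure followed by a success (alice above) is ordinary user behaviour and is not flagged; the alert only fires on the burst, and the `compromised` field is what turns a noisy brute-force alert into an incident.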

Two reports reveal details about Russian and Chinese government-backed hackers

Two different reports reveal details about three government-backed hacker groups, two from Russia and one from China.

Russian government hacker groups Cozy Bear and Fancy Bear

Not one, but two groups of Russian government hackers broke into the computer network of the Democratic National Committee (DNC), spying on internal communications and stealing opposition research on Republican presidential candidate Donald Trump. CrowdStrike said it kicked out the adversary groups “Cozy Bear” and “Fancy Bear” over the weekend. Cozy Bear, which had successfully penetrated the unclassified networks of the White House, State Department and Joint Chiefs of Staff in 2014, infiltrated the DNC last summer and had been monitoring email and chat communications. CrowdStrike believes Cozy Bear may work for Russia’s Federal Security Service (FSB).

Gartner: DDoS defenses have been backsliding but starting a turnaround

Distributed denial-of-service attacks have been getting bigger and lasting longer, and for the past few years defenses haven’t kept pace, but that seems to be changing, Gartner analysts explained at the firm’s Security and Risk Management Summit. Gartner tracks the progress of new technologies as they pass through five stages, from the trigger that gets them started to the final stage where they mature and are productive. The continuum is known as the Hype Cycle.

Microsoft fixes critical flaws in Windows, IE, Edge, and Office

Microsoft has fixed more than 40 vulnerabilities in its products Tuesday, including critical ones in Windows, Internet Explorer, Edge, and Office. The vulnerabilities are covered in 16 security bulletins, six of which are marked as critical and the rest as important. This brings the total number of Microsoft security bulletins for the past six months to more than 160, a six-month record for the past decade. Companies running Windows servers should prioritize a patch for a critical remote code execution vulnerability in the Microsoft DNS Server component, covered in the MS16-071 bulletin.

IDG Contributor Network: Spy boss warns of IoT hacks crippling whole cities

Large cities could crash to a halt “with the click of a button,” the Telegraph newspaper has reported. The head of spying for the United Kingdom has apparently warned that Internet of Things (IoT) adoption increases the risk of hackers bringing “major cities to a standstill.” Robert Hannigan, the director of Government Communications Headquarters (GCHQ), the British equivalent of the National Security Agency (NSA) in the United States, made the warning at a science festival in the U.K. recently, the Telegraph writes.

‘Spam king’ Sanford Wallace sentenced to 2.5 years in prison for Facebook phishing scam

Self-styled spam king Sanford Wallace was sentenced to two-and-a-half years in prison on Tuesday for a phishing scam that resulted in the sending of over 27 million messages to Facebook users. Last August, Wallace admitted to compromising around 500,000 Facebook accounts, using them to send over 27 million spam messages through Facebook's servers, between November 2008 and March 2009. Sentencing had been scheduled for last December, but it has taken the court almost a year to reach a sentencing decision.

Cost of a data breach: $4 million. Benefits of responding quickly: Priceless.

The bad news is that data breaches are becoming ever more common. The worse news is that the cost they represent for companies is going through the roof. Those are two conclusions from a study released Wednesday by IBM Security and the Ponemon Institute, which found that the average cost of a data breach has grown to US $4 million. That's a hefty jump compared with last year's $3.79 million, and it represents an increase of almost 30 percent since 2013. "Data breaches are now a consistent 'cost of doing business' in the cybercrime era," said Larry Ponemon, chairman and founder of the Ponemon Institute, a research firm focused on security. "The evidence shows that this is a permanent cost organizations need to be prepared to deal with and incorporate in their data protection strategies.”

Flash Player zero-day exploit is being used in the wild by a cyberespionage group

Adobe Systems warned users Tuesday that an unpatched Flash Player vulnerability is currently being exploited in targeted attacks. The company expects to deliver a patch as soon as Thursday. The exploit was discovered by researchers from antivirus vendor Kaspersky Lab in attacks attributed to a cyberespionage group known in the security industry as ScarCruft. The group is relatively new, but is apparently quite resourceful, as this is possibly the second zero-day (previously unknown and unpatched) exploit that it has used this year. The other exploit targeted a critical remote code execution vulnerability in Microsoft XML Core Services that was tracked as CVE-2016-0147 and was patched by Microsoft in April.

Safari 10 to turn off Flash by default

Apple's Safari is driving another nail in the coffin of Adobe Flash by no longer telling websites that offer both Flash and HTML5 that the plug-in is installed on users' Macs. The Mac maker is planning similar measures with other plug-ins like Java, Silverlight and QuickTime. This move will force websites with both plug-in and HTML5-based media implementations to use their HTML5, it said. When Safari 10, the new version of its browser, ships this fall, it will by default behave as though common legacy plug-ins on users’ Macs are not installed, wrote Apple software engineer Ricky Mondello in a post.
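The mechanism Apple relies on is that sites with both players pick one by probing the browser for the plug-in. As an added example that is neither Apple's code nor any particular site's, the Node.js snippet below implements that probe and the HTML5 fallback against constructed `navigator` and `document` stand-ins (their shapes are assumed, modelled on the real DOM objects), so it runs without a browser. A navigator that hides legacy plug-ins, as Safari 10 does by default, answers "no Flash", and even a plug-in-first site lands on its HTML5 path.

```javascript
// Added example, not Apple's code or any site's: the plug-in probe a site
// that ships both Flash and HTML5 players might run, fed constructed
// navigator/document stand-ins (assumed shapes) instead of a real browser.

// True if the navigator advertises a Flash plug-in, by name or by MIME type.
function hasFlashPlugin(nav) {
  const plugins = nav.plugins || [];
  for (let i = 0; i < plugins.length; i++) {
    if (/shockwave flash/i.test(plugins[i].name || "")) return true;
  }
  const mimeTypes = nav.mimeTypes || [];
  for (let i = 0; i < mimeTypes.length; i++) {
    if (mimeTypes[i].type === "application/x-shockwave-flash") return true;
  }
  return false;
}

// True if the document can create a <video> element that reports support
// for at least one of the given MIME types via canPlayType().
function canPlayHtml5Video(doc, types = ["video/mp4", "video/webm"]) {
  if (!doc || typeof doc.createElement !== "function") return false;
  const video = doc.createElement("video");
  if (!video || typeof video.canPlayType !== "function") return false;
  return types.some((t) => video.canPlayType(t) !== "");
}

// Decide which player to load. preferPlugin mirrors sites that still try the
// plug-in first; either way, a navigator that hides Flash yields "html5".
function chooseMediaImplementation(nav, doc, { preferPlugin = false } = {}) {
  const flash = hasFlashPlugin(nav);
  const html5 = canPlayHtml5Video(doc);
  if (preferPlugin && flash) return "flash";
  if (html5) return "html5";
  if (flash) return "flash";
  return "none";
}

// Constructed stand-ins for the browser objects (no real DOM involved).
const legacyNav = {
  plugins: [{ name: "Shockwave Flash", filename: "Flash Player.plugin" }],
  mimeTypes: [{ type: "application/x-shockwave-flash" }],
};
const safari10Nav = { plugins: [], mimeTypes: [] }; // legacy plug-ins hidden by default
const html5Doc = { createElement: () => ({ canPlayType: (t) => (t === "video/mp4" ? "probably" : "") }) };
const noVideoDoc = { createElement: () => ({}) };

console.log("legacy browser, plug-in first:", chooseMediaImplementation(legacyNav, html5Doc, { preferPlugin: true }));
console.log("Safari 10 default, plug-in first:", chooseMediaImplementation(safari10Nav, html5Doc, { preferPlugin: true }));
```

The `preferPlugin` branch exists only to show why Apple's change works without site cooperation: hiding the plug-in from `navigator.plugins` and `navigator.mimeTypes` makes the plug-in-first and HTML5-first orderings converge on the same answer.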

US company’s China employee allegedly stole code to help local government

The U.S. has charged a Chinese national, Xu Jiaqiang, with economic espionage and theft of the source code of a clustered file system belonging to his former U.S. employer, which he is alleged to have stolen for his own benefit and that of the National Health and Family Planning Commission in China. The charges against Xu highlight the intellectual property risks faced in other countries by development operations of U.S. companies, particularly in those countries the U.S. suspects could be involved in economic espionage. Xu, who was initially arrested by the Federal Bureau of Investigation in December and was charged with one count of theft of trade secrets, is scheduled to be arraigned on a superseding indictment of charges of economic espionage on Thursday in a federal court in New York, the Department of Justice said.