Twitter said it had locked down and called for a password reset of some accounts after an unconfirmed claim of a leak of nearly 33 million usernames and passwords to the social network.The company said the information was not obtained from a hack of its servers, and speculated that the information may have been gathered from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both.“In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner,” Twitter’s Trust & Information Security Officer, Michael Coates said in a blog post on Friday. To read this article in full or to leave a comment, please click here
A new Mozilla fund, called Secure Open Source, aims to provide security audits of open-source code, following the discovery of critical security bugs like Heartbleed and Shellshock in key pieces of the software.Mozilla has set up a US$500,000 initial fund that will be used for paying professional security firms to audit project code. The foundation will also work with the people maintaining the project to support and implement fixes and manage disclosures, while also paying for the verification of the remediation to ensure that identified bugs have been fixed.The initial fund will cover audits of some widely-used open source libraries and programs. To read this article in full or to leave a comment, please click here
Sometimes a great offense is much better than a stout defense, especially when it comes to protecting enterprise assets.This week the advanced technology developers from the Intelligence Advance Research Projects Activity (IARPA) office put out a Request For Information about how to best develop better denial and deception technologies – such as honeypots or deception servers for example -- that would bolster cyber security.To read this article in full or to leave a comment, please click here
Here's a Facebook hack straight from the pages of the novel 1984: A way to rewrite the record of the past."Who controls the past controls the future: who controls the present controls the past," went the ruling party's slogan in George Orwell's dystopian novel.Security researchers have found a way to control the past, by altering Facebook's logs of online chats conducted through its website and Messenger App.Such modified logs could be used to control the future, the researchers suggest, by using them to commit fraud, to falsify evidence in legal investigations, or to introduce malware onto a PC or phone.Roman Zaikin of Check Point Software Technologies discovered a flaw in Facebook's chat system that made it possible for an attacker to modify or remove any sent message, photo, file or link in a conversation they were part of.To read this article in full or to leave a comment, please click here
Many organizations that run industrial control systems strive to isolate them from the Internet, but sometimes forget to disallow Domain Name System (DNS) traffic, which provides a stealthy way for malware to exfiltrate data.Sometimes referred to as supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS) are notoriously insecure. Not only is their firmware full of flaws, but the communication protocols many of them use lack authentication or encryption.Since most ICS systems are typically meant to last over a decade once deployed, they're not easily replaceable without considerable costs. As such, ICS operators tend to focus on securing the perimeter around control systems instead of patching the devices themselves, which is not always possible. This is done by isolating ICS environments from corporate networks and the larger Internet, an action sometimes referred to as airgapping.To read this article in full or to leave a comment, please click here
My colleagues Doug Cahill, Kyle Prigmore and I recently completed a research project on next-generation endpoint security. We determined that there are actually two distinct product categories within next-generation endpoint security: advanced prevention and advanced detection and response (EDR). While most firms seem to be gravitating toward advanced prevention, massive enterprise organizations tend to move in the opposite direction by evaluating, testing and deploying EDR products. Why? These organizations have large cybersecurity teams with lots of experience, so they are willing to dedicate resources toward more complex projects.Furthermore, many of these enterprise organizations are already investing in security analytics by collecting, processing and analyzing data from numerous disparate sources (i.e., network forensics, events/logs, threat intelligence, etc.). Endpoint forensic data is a natural extension of these cybersecurity analytics efforts. To read this article in full or to leave a comment, please click here
As deadlines go, Jan. 1, 2017, isn’t far away, yet many organizations still haven’t switched their digital certificates and signing infrastructure to use SHA-2, the set of cryptographic hash functions succeeding the weaker SHA-1 algorithm. SHA-1 deprecation must happen; otherwise, organizations will find their sites blocked by browsers and their devices unable to access HTTPS sites or run applications.All digital certificates -- to guarantee the website accepting payment card information is secure, software is authentic, and the message was sent by a person and not an impersonator -- are signed by a hashing algorithm. The most common is currently SHA-1, despite significant cryptographic weaknesses that render the certificates vulnerable to collision attacks.To read this article in full or to leave a comment, please click here(Insider Story)
A modern car has dozens of computers with as much as 100 million lines of code -- and for every 1,000 lines there are as many as 15 bugs that are potential doors for would-be hackers.With vehicles becoming more automated and connected to the Internet, to other cars and even roadway infrastructure, the number of potential intrusion points is growing exponentially, according to Navigant Research.While cybersecurity became a top priority for carmakers after a 2015 Jeep Cherokee was hacked last year, the lead time for developing a new car is three to five years and with a service life of 20 years or more, most vehicles have systems that bare vastly outdated compared to the latest consumer electronics devices.To read this article in full or to leave a comment, please click here
Let that vulnerability sit for a bitImage by ThinkstockThe word “vulnerability” typically comes with a “must fix now” response. However, not all vulnerabilities should be treated equally because not all of them pose a risk. It all depends on what the data represents. In fact, some vulnerabilities are OK to deprioritize, depending on associated threats and the value of the asset at risk. For example, a lock on a 20th floor window of a building is not as important as one on the ground level, unless the contents of the room are so valuable that a thief would take the effort to access such an unreachable place. Scans reveal thousands of vulnerabilities across all assets – networks, applications, systems and devices – but they do not show which ones could lead to a damaging compromise if not fixed immediately. It is not about ignoring vulnerabilities; it is about prioritizing how you apply your resources to remediate them. Bay Dynamics provides some examples of vulnerabilities that are OK to put on the back burner.To read this article in full or to leave a comment, please click here
The Internet of Things (IoT) offers many possible benefits for organizations and consumers—with unprecedented connectivity of countless products, appliances and assets that can share all sorts of information. IoT also presents a number of potential security threats that organizations need to address.“There is no doubt the levels of risk are set to increase alongside the growth in deployment of IoT devices,” says Ruggero Contu, research director at Gartner. IoT will introduce thousands of new threat vectors simply by increasing the number of networked points, Contu says.While IoT offers great opportunities, in interconnected environments “the security risks increase exponentially and the attack vector or surface is—in theory—potentially limitless,” says Laura DiDio, director enterprise research, Systems Research & Consulting at Strategy Analytics.To read this article in full or to leave a comment, please click here
Bob Brown/NetworkWorld
SplunkLive! in Boston
With a company and product name like Splunk, you’ve gotta hang a bit loose, as I found upon sitting in at the company’s SplunkLive! event in Boston this week. The first customer speaker of the day gave a frank assessment of his organization’s implementation (“the on-premises solution, we struggled with it…”) and his frustrations with the licensing model. You have to give Splunk credit for having enough confidence in its offerings to showcase such a kick-off case study.To read this article in full or to leave a comment, please click here
While mobile payment systems like Apple Pay and Samsung Pay are growing, they haven't lived up to the hype that surrounded their arrival in 2014.But newer biometrics security technologies beyond the use of fingerprint scans could boost adoption rates when purchases are made in-store with smartphones. Those technologies include palm vein sensors or even sensors that assess a person's typing patterns or movements.INSIDER: 5 ways to prepare for Internet of Things security threats
For online purchases, iris scans could help authenticate buyers. And while SMS (Short Messaging Service) is an option, banks want greater security when using SMS payments. That's where a multimodal approach -- integrating facial, voice and behavorial scans into what's required for a purchase -- might help.To read this article in full or to leave a comment, please click here
D-Link is working to fix a weakness that allows attackers to take over remote control of one of its cameras so they can eavesdrop, and the company is checking whether others of its products have similar vulnerabilities.The vulnerability allows for the injection of malicious code and forces a password reset, which means attackers can gain remote access to the camera’s feed, thereby enabling eavesdropping, according to Senrio, a startup that monitors devices, scores how vulnerable they are and alerts when it detects suspicious behavior.It also means that regardless of how strong a password users set up, it can be overridden.The camera – D-Link DCS-930L Network Cloud Camera – might not be the only device affected by the vulnerability, a spokesperson for Senrio says. “Senrio has also agreed to evaluate a number of additional D-link products to assess if the vulnerability can be found in the firmware in those items,” the spokesperson said in an email.To read this article in full or to leave a comment, please click here
An ounce of prevention is worth a pound of cure, as the old saying goes, and that's just as true in cybersecurity as it is in health. So believes Cylance, a startup that uses AI to detect and prevent cyberattacks.On Wednesday, Cylance announced that it just raised a whopping US $100 million in Series D funding. It will use the new infusion to expand its sales, marketing, and engineering programs.Dubbed CylanceProtect, the company's flagship product promises AI-based endpoint security while using a fraction of the system resources required by the approaches used in most enterprises today. Enabling that are technologies including machine learning.To read this article in full or to leave a comment, please click here
Getting a handle on cloud-based virtual operations is no easy task. Next month researchers from the Intelligence Advance Research Projects Activity (IARPA) will introduce a new program that looks to address that management concern by developing better technology to manage and secure Virtual Desktop Infrastructure (VDI) environments.+More on Network World: Intelligence agency wants computer scientists to develop brain-like computers+IARPA, the radical research arm of the of the Office of the Director of National Intelligence will introduce the Virtuous User Environment (VirtUE) which it says aims to “creatively define and develop user environments that are more dynamic, secure, auditable, transferrable, and efficient than the current offerings provided by traditional physical workstations and commercial VDI; develop innovative, dynamic analytics and infrastructures that can leverage these newly developed user environments to both automatically detect and deter security threats that IC user environments will be subject to in the new cloud infrastructure.”To read this article in full or to leave a comment, please click here
The rise in global cyberattacks and the “critical deficit of security talent” helped bug bounty programs grow in the last year and to diversify from those offered by “tech giants” to more traditional industries.One trend over the last year has been for payouts to increase, according to the 2016 State of Bug Bounty report (pdf). Last year, the average bug reward on Bugcrowd’s platform was $200.81; this second annual report shows an increase of 47%, with the average reward rising to $294.70.To read this article in full or to leave a comment, please click here
Here's a Facebook hack straight from the pages of the novel 1984: A way to rewrite the record of the past."Who controls the past controls the future: who controls the present controls the past," went the ruling party's slogan in George Orwell's dystopian novel.Security researchers have found a way to control the past, by altering Facebook's logs of online chats conducted through its website and Messenger App.Such modified logs could be used to control the future, the researchers suggest, by using them to commit fraud, to falsify evidence in legal investigations, or to introduce malware onto a PC or phone.Roman Zaikin of Check Point Software Technologies discovered a flaw in Facebook's chat system that made it possible for an attacker to modify or remove any sent message, photo, file or link in a conversation they were part of.To read this article in full or to leave a comment, please click here
Demand for security information and event management (SIEM) technology is high, but that doesn’t mean businesses are running these products and services smoothly.According to a report from Gartner, large companies are reevaluating SIEM vendors due to partial, marginal or failed deployments. While the core technology has changed little in the last decade, its use cases and the pace at which businesses have adopted it have prompted a transformation, experts say.“SIEM was a complex technology for the most entrenched, smartest companies, but today we see it adopted by less-mature organizations,” says Anton Chuvakin, research VP at Gartner. “That’s caused the evolution in the tech that we’ve witnessed recently. It’s getting more brain power.”To read this article in full or to leave a comment, please click here(Insider Story)
Theater of the absurdImage by REUTERS/Mario AnzuoniThe term "security theater" was coined to describe the array of security measures at U.S. airports -- taking off shoes, patting down children and the elderly -- that project an image of toughness without making commercial aviation any safer. But the man who came up with the phrase is famous cybersecurity expert Bruce Schneier, and it could just as easily apply to a number of common tech security measures. We talked to an array of tech experts to discover what security technologies are often just for show.To read this article in full or to leave a comment, please click here
Blockchain has been touted by venture capitalists, technophiles and pundits as the Next Big Thing in computer science. The reality, however, is that the digital ledger software at the heart of Bitcoin and other cryptocurrencies has a long way to go before it gains mainstream adoption.That was a key takeaway from a blockchain panel at last month’s MIT Sloan CIO Symposium. Noting that blockchain enables parties to ferry financial transactions, contracts and other digital records over the Internet, MIT professor Christian Catalini asked the panel about potential enterprise applications for the technology.To read this article in full or to leave a comment, please click here