The U.S. Federal Reserve, the nation's central bank, detected more than 50 cybersecurity breaches between 2011 and 2015, including a handful attributed to espionage. The Fed's Washington-based Board of Governors identified 51 information disclosures during the five-year period, according to information obtained through a Freedom of Information Act request by Reuters. The breaches reported include only those at the Fed's Washington location and don't include any at its 12 privately owned regional branches.
Enterprises using Microsoft's Office 365 have a new security product that they can use to better lock down their organizations -- for a price. The company introduced a new Advanced Security Management service on Wednesday that gives companies a trio of tools aimed at helping detect security threats, provide granular controls and let IT administrators track whether people in their organization are using unauthorized services. It's another part of Microsoft's push to lure businesses over to its subscription-based productivity suite. By providing more advanced security capabilities, Microsoft may be able to convince security-conscious businesses to buy into Office 365, rather than avoid a subscription or choose one of Office's competitors like Google Apps for Work.
Ever wonder how much an exploit for a previously unknown vulnerability that affects all Windows versions costs on the black market? The answer, according to a recent offer seen on a cybercrime forum, is $90,000. The offer was observed by researchers from security firm Trustwave on an underground market for Russian-speaking cybercriminals, where users hire malware coders, lease exploit kits, buy access to compromised websites or rent botnets. Zero-day exploits -- exploits for unpatched vulnerabilities -- are typically used for cyberespionage. Hackers sell them to governments and large corporations, under strict non-disclosure agreements, often through specialized brokers, so it's uncommon to see them traded on cybercrime forums.
On the Russian underground forum exploit.in, seller “BuggiCorp” has a zero-day for sale that purportedly works against all versions of Windows. The price tag is $90,000. In the words of the email alerting me to this zero-day, this vulnerability “could affect almost all Windows machines on the planet.” If the local privilege escalation (LPE) vulnerability truly does exist in all versions of Microsoft Windows, from Windows 2000 up to Windows 10, then it could potentially impact “over 1.5 billion Windows users.” According to SpiderLabs security researchers at Trustwave, who found the post on a cybercriminal underground forum, “It seems the seller has put in the effort to present himself/herself as a trustworthy seller with a valid offering. One of the main indicators for this is the fact that the seller insists on conducting the deal using the forum's admin as the escrow.”
As of the end of March, 93 percent of all phishing emails contained encryption ransomware, according to a report released today by PhishMe. That was up from 56 percent in December, and less than 10 percent every other month of last year. And the number of phishing emails hit 6.3 million in the first quarter of this year, a 789 percent increase over the last quarter of 2015.
The anti-phishing vendor also counted the number of different variants of phishing emails that it saw. Ransomware accounted for 51 percent of all variants in March, up from just 29 percent in February and 15 percent in January.
Employees are often considered the weakest link in organizations' efforts to create a strong security posture. Even organizations with security awareness programs in place struggle to instill strong security behaviors. Steve Conrad, managing director of MediaPro, a learning services company that specializes in information security, data privacy and compliance, says organizations can and should do better.
Serious vulnerabilities have crept into the software tools that PC manufacturers preload on Windows computers, but the full extent of the problem is much worse than previously thought. Researchers from security firm Duo Security have tested the software updaters that come installed by default on laptops from five PC OEMs (original equipment manufacturers) -- Acer, ASUSTeK Computer, Lenovo, Dell and HP -- and all of them had at least one serious vulnerability. The flaws could have allowed attackers to remotely execute code with system privileges, leading to a full system compromise. In most cases, the problems resulted from the OEM software updaters not using encrypted HTTPS connections when checking for or downloading updates. In addition, some updaters didn't verify that the downloaded files were digitally signed by the OEM before executing them.
Shadow IT, a term that loosely refers to any technology that is used in a company without the oversight of the IT department, isn't a new concept. But companies don't seem to have a better handle on it now than they did when we first started writing about it. Today, about a third of a company's tech purchases take place outside of IT. And a survey by Cisco found that while IT departments assumed their companies used 51 cloud services, employees in fact used 730 cloud services. Now consider that the average organization has 19.6 cloud-related security incidents each month. Suddenly, you've got a big problem on your hands.
This infographic from cloud file management and storage provider SmartFile offers insight into the Shadow IT phenomenon, the hidden costs to your organization, and why it isn't likely to go away anytime soon.
Tor Browser 6.0 is out. If you have been using Tor, you can upgrade it via its built-in updater. The Tor Project said the “updater is not relying on the signature alone, but is checking the hash of the downloaded update file as well before applying it.” Additionally, the Tor Browser Windows installer is no longer vulnerable to DLL hijacking.

DuckDuckGo for default search results

The Tor Browser Team is still using Disconnect as its search provider, but it switched to DuckDuckGo to provide the default search results. In short, the reason is that Bing search results were simply not cutting it. The team explained:
Smartphones can indeed be hacked via public USB-charging ports found around public facilities such as airports, parks and coffee shops, says a computer security firm. Additionally, any PC used for charging can perform the exploit. Hacks of this kind, first publicly written about in 2011, and called "juice-jacking" then, are not a myth, Kaspersky Lab says. That’s despite an apparent lack of reported cases. The security company, known for its antivirus products, says it has proven that forms of the hack can variously make illicit calls, suck files off a device and, in its simplest rendition, capture a phone’s unique identifiers, such as a serial number.
When you get paid to assess computer security practices, you get a lot of visibility into what does and doesn’t work across the corporate spectrum. I’ve been fortunate enough to do exactly that as a security consultant for more than 20 years, analyzing anywhere between 20 and 50 companies of varying sizes each year. If there’s a single conclusion I can draw from that experience, it’s that successful security strategies are not about tools -- they're about teams.
With very good people in the right places, supportive management, and well-executed protective processes, you have the makings of a very secure company, regardless of the tools you use. Companies that have an understanding of the importance and value of computer security as a crucial part of the business, not merely as a necessary evil, are those least likely to suffer catastrophic breaches. Every company thinks they have this culture; few do.
A recent test of pre-installed updater software on 10 laptops showed that every single one had security problems. "We went and bought about 10 laptops," said Darren Kemp, security researcher at Duo Security. "And every single vendor had their own piece of software to perform software updates, including the Microsoft Signature Editions, and they were all pretty terrible." For example, some laptop manufacturers weren't using encryption in their updaters. "We found exploitable vulnerabilities in every vendor," he said.
A few weeks ago, Tumblr notified users of a data breach that resulted in the theft of user email addresses and hashed passwords. The company did not say how many accounts were affected, but recently someone put the data up for sale and the number is: 65 million records. The data is being sold on a Tor dark market website called TheRealDeal by a user named peace_of_mind who also sold 167 million user records stolen from LinkedIn. Recently he also posted offers for 360 million accounts allegedly stolen from MySpace and 40 million from adult dating website Fling.com.
We tested three products, each concentrating on a different aspect of the insider threat problem. Fortscale did an amazing job protecting a traditional network. Its machine learning capabilities and concentration on access and authentication logs give it an extremely high accuracy rate. Cloud-based insider threats can be even harder to detect, yet Avanan uniquely protects against threats related to trusted insiders within the cloud. PFU Systems applies insider threat security to mobile devices with its iNetSec system. (Read the full review.) Here are the individual reviews:
In the 1979 film When a Stranger Calls, the horror is provided when police tell a young babysitter that the harassing phone calls she has been receiving are coming from inside the house. It was terrifying for viewers because the intruder had already gotten inside, and was presumably free to wreak whatever havoc he wanted, unimpeded by locked doors or other perimeter defenses. In 2016, that same level of fear is being rightfully felt towards a similar danger in cybersecurity: the insider threat. An entire industry has sprung up to provide a defense against insider threats. We tested products from Fortscale, Avanan, and PFU Systems, with each one concentrating on a different aspect of the problem.
Meet Stealth Falcon, a sophisticated and likely state-sponsored cyberespionage group, which is hell-bent on conducting targeted spyware attacks “against Emirati journalists, activists and dissidents.” The digital attacks started in 2012 and are still being carried out against United Arab Emirates (UAE) dissidents. It’s not “just” spying with custom spyware that leads to dissidents being “arbitrarily detained;” once identified as criticizing the authorities, UAE dissidents can be forcibly disappeared. “The UAE has gotten much more sophisticated since we first caught them using Hacking Team software in 2012,” Bill Marczak, a senior researcher at Citizen Lab, told the New York Times. “They've clearly upped their game. They're not on the level of the United States or the Russians, but they're clearly moving up the chain.”
Owners of WordPress-based websites should update the Jetpack plug-in as soon as possible because of a serious flaw that could expose their users to attacks. Jetpack is a popular plug-in that offers free website optimization, management and security features. It was developed by Automattic, the company behind WordPress.com and the WordPress open-source project, and has over 1 million active installations. Researchers from Web security firm Sucuri have found a stored cross-site scripting (XSS) vulnerability that affects all Jetpack releases since 2012, starting with version 2.0. The issue is located in the Shortcode Embeds Jetpack module, which allows users to embed external videos, images, documents, tweets and other resources into their content. It can be easily exploited to inject malicious JavaScript code into comments.
New products of the week

Our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow.

Actiance Platform for the healthcare and pharmaceutical industries

Key features: The Actiance Platform addresses communications challenges for healthcare and pharmaceutical organizations in the midst of changing regulations by ensuring companies meet industry-specific data retention and security requirements. With the Actiance Platform for the healthcare and pharmaceutical industries, organizations can embrace new communications channels while protecting data and ensuring compliance.
Iran has ordered foreign messaging apps to transfer data and activity records of Iranian users to local servers within a year, a move that will give the country a greater ability to monitor and censor the online activity of its people. The country’s Supreme Council of Cyberspace has issued instructions to foreign messaging companies active in the country, requiring them “to transfer all data and activity linked to Iranian citizens into the country in order to ensure their continued activity," news reports said, quoting state-run media. Social media platforms such as Twitter and Facebook are already blocked in the country, whose government holds tight control over Internet access by its people.
What does a security researcher get for responsibly disclosing a dental database vulnerability exposing the sensitive information of tens of thousands of patients? Not a bug bounty monetary reward. Not even a “thank you” from the company. He gets raided by at least a dozen armed FBI agents and may be charged under the CFAA (Computer Fraud and Abuse Act). Justin Shafer, who is described as a 36-year-old security researcher and dental computer technician, reported a vulnerability in Eaglesoft practice management software to the manufacturer, Patterson Dental, back in February.