Category Archives for "Network World Security"

FBI raids home of researcher who reported unsecured patient data on a public server

What does a security researcher get for responsibly disclosing a dental database vulnerability that is exposing the sensitive information of tens of thousands of patients? Not a bug bounty monetary reward. Not even a “thank you” from the company. He gets raided by at least a dozen armed FBI agents and may be charged under the Computer Fraud and Abuse Act (CFAA). Justin Shafer, who is described as a 36-year-old security researcher and dental computer technician, reported a vulnerability in Eaglesoft practice management software to the manufacturer, Patterson Dental, back in February.

The shocking truth of how you’ll be tracked online and why

A recent study, Online tracking: A 1-million-site measurement and analysis, conducted by researchers at Princeton University discovered that Google is tracking users on nearly 80 percent of all of the Top 1 Million Domains. How are they doing this? Not surprisingly, they’re using a variety of tracking and identification techniques, and they’re doing it for the obvious reason: to manipulate you. In the beginning, tracking you was just about getting you to buy stuff; now it’s evolving, and in the future it will be all about subtle, insidious manipulation.

Shared malware code links SWIFT-related breaches at banks and North Korean hackers

Malware links suggest that North Korean hackers might be behind recent attacks against several Asian banks, including the theft of US$81 million from the Bangladesh central bank earlier this year. Security researchers from Symantec have found evidence that the malware used in the Bangladesh Bank cyberheist was also used in targeted attacks against an unnamed bank in the Philippines. The same malware was previously linked to an attempted theft of $1 million from Tien Phong Bank in Vietnam. Symantec confirmed the earlier findings of researchers from BAE Systems, who found code similarities between the Bangladesh Bank malware, which was used to modify SWIFT transfers, and the malicious program used in attacks against Sony Pictures Entertainment in December 2014.

Senate proposal to require encryption workarounds may be dead

A proposal in the U.S. Senate to require smartphone OS developers and other tech vendors to break their own encryption at the request of law enforcement may be dead on arrival. The proposal, released as a discussion draft last month, may not be formally introduced this year because of strong opposition, according to a Reuters report. The draft bill, pushed by Senators Richard Burr and Dianne Feinstein, would allow judges to order tech companies to comply with requests from the FBI and other law enforcement agencies to help them defeat security measures and break into devices.

New JavaScript spam wave distributes Locky ransomware

Over the past week, computers throughout Europe and elsewhere have been hit by a massive email spam campaign carrying malicious JavaScript attachments that install the Locky ransomware program. Antivirus firm ESET has observed a spike in detections of JS/Danger.ScriptAttachment, a malware downloader written in JavaScript, that started on May 22 and peaked on May 25. Many countries in Europe have been affected, with the highest detection rates observed in Luxembourg (67 percent), the Czech Republic (60 percent), Austria (57 percent), the Netherlands (54 percent) and the U.K. (51 percent). The company's telemetry data also showed significant detection rates for this threat in Canada and the U.S.

DARPA wants to find the vital limitations of machine learning

What are the fundamental limitations inherent in machine learning systems? That’s the central question of a potential new DARPA program known as the Fundamental Limits of Learning (Fun LoL), which, according to the researchers, will address how the quest for the ultimate learning machine can be measured and tracked in a systematic and principled way.

Up to a dozen banks are reportedly investigating potential SWIFT breaches

More banks have reportedly launched investigations into potential security breaches on their networks after hackers stole US$81 million from the Bangladesh central bank earlier this year through rogue SWIFT transfers. Security firm FireEye, which was hired to investigate the Bangladesh bank attack, was also called in to look for possible compromises at up to 12 additional banks, Bloomberg reported Thursday, citing an unnamed source familiar with the investigations. Most of the banks are from Southeast Asia, but they also include banks in the Philippines and New Zealand, Bloomberg reported.

Euro agencies on encryption backdoors: Create ‘decryption without weakening’

The two major international security agencies in Europe agree that building backdoors into encryption platforms is not the best way to secure systems, because of the collateral damage it would do to privacy and the security of communications. “While this would give investigators lawful access in the event of serious crimes or terrorist threats, it would also increase the attack surface for malicious abuse, which, consequently, would have much wider implications for society,” says a joint statement by the European Police Office (Europol) and the European Network and Information Security Agency (ENISA), which focuses on cyber security.

Senators want warrant protections for US email stored overseas

A new bill in Congress would require U.S. law enforcement agencies to obtain court-ordered warrants before demanding the emails of the country's residents when they are stored overseas. The International Communications Privacy Act, introduced Wednesday by three senators, would close a loophole that allows law enforcement agencies to request emails and other electronic documents without warrants. Congress has been working since 2010 to rework the 1986 Electronic Communications Privacy Act (ECPA), a law that sets down rules for law enforcement access to electronic communications, but the focus has been on requiring warrants for emails and other communications stored in the cloud for longer than 180 days.

Celebrity hacker Guccifer’s confession gives us all a lesson in security

The activity of Romanian hacker Guccifer, who has admitted to compromising almost 100 email and social media accounts belonging to U.S. government officials, politicians and other high-profile individuals, is the latest proof that humans are the weakest link in computer security. Marcel Lehel Lazar, 44, is not a hacker in the technical sense of the word. He's a social engineer: a clever and persistent individual with a lot of patience, whom a Romanian prosecutor once described as "the obsessive-compulsive type." By his own admission, Lazar has no programming skills. He didn't find vulnerabilities or write exploits. Instead, he's good at investigating, finding information online and making connections.

Google alums roll out Simility fraud-detection platform

A team from Google’s fraud-detection group has started its own software-as-a-service venture for spotting transaction fraud quickly based on rule sets, one that also learns as it goes to improve its hit rate. Simility examines online transactions to identify indicators of foul play and assigns them risk scores from 0 to 1. Customers can use the information to shut down transactions it deems suspect. The Simility Fraud Prevention Platform service is available starting next week after a six-month private beta.

State Department argues against ‘cyber arms’ treaty

Even as top U.S. diplomats press issues of cybersecurity and Internet freedom in virtually every top-level meeting with their foreign counterparts, it's too soon to begin contemplating a formal, multilateral treaty laying out parameters for digital rules of the road, according to a senior State Department official. That's in part because it remains early days in cyber-diplomacy, but also because the U.S. approach of framing Internet issues within the context of existing international law and pushing to develop generally accepted norms is netting some encouraging results, Christopher Painter, the State Department's coordinator for cyber issues, testified Wednesday during a Senate hearing.

IDG Contributor Network: Most CMS-run websites have obsolete software and are vulnerable to attack

If you’ve been putting off software updates on websites that you’ve developed, been bamboozled into managing, or somehow become inexplicably responsible for, you’re not alone. All of the major content management system (CMS) website brands are out of date much of the time. Magento-built websites are running on aging software 97 percent of the time, according to a security firm that handles clean-ups of attacked websites. Magento was the worst of the bunch, but WordPress-, Joomla- and Drupal-driven websites also are not being updated, reveals Sucuri in its first Website Hacked Report (PDF), covering 2016 Q1.

IoT security is getting its own crash tests

The thousands of endpoints in IoT systems may have to protect themselves against thousands of dangers. A decades-old IT lab wants to tell you if they’re up to the task. On Wednesday, ICSA Labs announced a program to test the security features of IoT devices and sensors. If the products pass, ICSA will give them a seal of approval. It can also keep testing them periodically to make sure they’re still safe. Consumers and enterprises are wary about security in the Internet of Things, where hardware, software and even use cases are brand new in many cases. Tiny connected devices that run all the time in the background could be vulnerable to completely new kinds of attacks.

Google’s Trust API: Bye-bye passwords, hello biometrics?

Bye-bye passwords. We’ve heard that a lot over the years, but Google has a plan to kill off passwords by the end of this year by replacing them with biometrics. “We have a phone, and these phones have all these sensors in them,” Daniel Kaufman said at Google I/O 2016 last week. “Why couldn’t it just know who I was, so I don’t need a password? It should just be able to work.” Kaufman heads up Google’s Advanced Technology and Projects (ATAP) research unit. You may recall Project Abacus being mentioned at Google I/O last year. It was tested across 28 states in 33 universities, so now Google intends to “get rid of the awkwardness” of two-factor authentication, as well as passwords. Instead, you will be authenticated by how you use your Android.

5 active mobile threats spoofing enterprise apps

Impersonating apps

Enterprise employees use mobile apps every day to get their jobs done, but when malicious actors start impersonating those apps, it spells trouble for IT departments. David Richardson, director of product at Lookout, and his team recently researched five families of malware doing just that: spoofing real enterprise apps to lure people into downloading their malware. The dataset of mobile code shows that these five active mobile malware families often impersonate enterprise apps by ripping off the legitimate app’s name and package name. These apps include Cisco’s Business Class Email app, ADP, Dropbox, FedEx Mobile, Zendesk, VMware’s Horizon Client, Blackboard’s Mobile Learn app, and others.

Regulators: cybersecurity poses biggest risk to global financial system

Last week, the chair of the Securities and Exchange Commission called cybersecurity the biggest risk facing the global financial industry. "Cyber risks can produce far-reaching impacts," said SEC chair Mary Jo White. For example, cybercriminals recently stole $81 million from a bank in Bangladesh by using Swift, the global money transfer network. The SEC promises to step up regulation, and Swift itself is expected to launch a new cyber security initiative this week that includes independent security audits of its customers. Meanwhile, top finance officials from G-7 nations met in Japan to discuss plans to improve global cybersecurity coordination.

IDG Contributor Network: How to use Anycast to provide high availability to a RADIUS server

After months of issues, they have finally restored my access to my blog! After such a hiatus, it is my pleasure to bring you this particular post. I'm certain many will find it at the very least cool in an "I'm a network geek" kind of way, or even better: you will find it very educational and even leverage it in your own world. This is a solution I have been wanting to write about for a long time now, and let's be clear—it is not mine. This entire post is owed to a long-time personal friend of mine who is also one of the most talented and gifted technologists roaming the earth today. His name is Epaminondas Peter Karelis, CCIE #8068 (Pete). Pete designed this particular high-availability solution for a small ISE deployment that had two data centers, as is crudely illustrated by me in the below figure.

Top-level domain expansion is a security risk for business computers

The explosion of new generic top-level domains (gTLDs) in recent years can put enterprise computers at risk due to name conflicts between internal domain names used inside corporate networks and those that can now be registered on the public Internet. Many companies have configured their networks to use domain names, in many cases with made-up TLDs that didn't exist on the Internet a few years ago, such as .office, .global, .network, .group, .school and many others. Having an internal domain-based namespace makes it easier to locate, manage and access systems. The problem is that over the past two years, the Internet Corporation for Assigned Names and Numbers (ICANN) has approved over 900 gTLDs for public use as part of an expansion effort. This can have unexpected security implications for applications and protocols used on domain-based corporate networks.

Five arrested for impersonating the IRS, listen to a recorded scam in progress

Five people have been arrested in Miami who are said to be responsible for scamming 1,500 people out of more than $2 million by impersonating IRS agents. Their scams centered on contacting individual taxpayers out of the blue and demanding payments under the threat of jail time. News of the arrests circulated Tuesday after the Associated Press reported on them. Sources in the Treasury Department said that the five individuals - all Cuban nationals - demanded money from their victims, threatening arrest if the payments were not wired immediately. In recent months, the scammers demanded payment via iTunes gift cards. Scams such as this, Deputy Inspector General Tim Camus told the Washington Post, have become the "largest and most pervasive" the IRS has faced over the last three decades. Some 6,400 victims have reported more than $36 million in losses, some paying up to $5,700 on average.