Archive

Category Archives for "Network World Security"

FTC orders Apple, Google, Microsoft, Blackberry, Samsung to divulge mobile security practices

The Federal Trade Commission today said it issued a 10-page letter to eight leading players in the mobile communications arena requiring them to tell the agency how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.

Lenovo software has a major security risk

Just as the dust has settled on the Superfish controversy, another piece of software installed on Lenovo PCs is causing problems. This time it's due to a major malware exploit. The problem is with Lenovo Solution Center (LSC) software, which the company describes as "a central hub for monitoring system health and security." LSC is supposed to monitor your system's virus and firewall status, update your software, perform backups, check battery health, and get registration and warranty information. Unfortunately, it also has a vulnerability that allows a malicious attacker to start the LSC service and trick it into executing arbitrary code in the local system context, according to researchers at Trustwave SpiderLabs.

Aruba fixes networking device flaws that could open doors for hackers

Wireless networking device manufacturer Aruba Networks has fixed multiple vulnerabilities in its software that could, under certain circumstances, allow attackers to compromise devices. The vulnerabilities were discovered by Sven Blumenstein from the Google Security Team and affect ArubaOS, Aruba's AirWave Management Platform (AMP) and Aruba Instant (IAP). There are 26 different issues, ranging from privileged remote code execution to information disclosure, insecure updating mechanism and insecure storage of credentials and private keys. However, Aruba combined them all under two CVE tracking IDs: CVE-2016-2031 and CVE-2016-2032. Common issues that are shared by all of the affected software packages have to do with design flaws in an Aruba proprietary management and control protocol dubbed PAPI.

Windows 10 free upgrade will not end July 29 for people with accessibility needs

After announcing that 300 million devices are running Windows 10, Microsoft said its free upgrade offer ends on July 29. If you want Windows 10 after that date, then you can purchase the $119 Windows 10 Home version or buy a new device running Windows 10. The free upgrade offer will not end, however, for Windows customers who have accessibility issues. The Microsoft Accessibility Blog wrote:

Bangladeshi police accuse SWIFT technicians of leaving central bank vulnerable to hack

Technicians from the SWIFT global financial network connecting it to Bangladesh's central bank made it easier for hackers to attack the bank, Bangladeshi police and a bank official have told Reuters. The technicians worked on Bangladesh's Real-time Gross Settlement (RTGS) system, used to transfer money among Bangladeshi banks, three months before hackers attempted to steal US$951 million from the central bank. The work opened up "a lot of loopholes" in bank computer systems, said the head of the criminal investigation department leading the investigation. Bangladeshi police want to interview the SWIFT technicians to find out whether their actions were intentional or negligent, Mohammad Shah Alam told Reuters.

Founder of Liberty Reserve virtual currency sentenced to 20 years in prison

The founder of now defunct virtual currency Liberty Reserve has been sentenced to 20 years in prison for using his company to run a huge money laundering scheme catering to cybercriminals. Arthur Budovsky, 42, was sentenced Friday in U.S. District Court for the Southern District of New York, with Judge Denise Cote also ordering him to pay a US $500,000 fine. In January, Budovsky pleaded guilty to one count of conspiring to commit money laundering. During sentencing, Cote noted Budovsky ran an "extraordinarily successful" and "large-scale international money laundering operation." The long sentence shows that "money laundering through the use of virtual currencies is still money laundering, and that online crime is still crime," Leslie Caldwell, assistant attorney general for the U.S. Department of Justice's Criminal Division, said in a press release.

New products of the week 5.9.16

New products of the week. Our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow. Absolute Endpoint Data Discovery (EDD). Key features: Endpoint Data Discovery (EDD) allows organizations to identify and protect sensitive data stored on an endpoint.

Twitter blocks access to analytics around its data for US intelligence agencies

Twitter has blocked Dataminr from offering analytics around real-time tweets from the social networking site to U.S. intelligence agencies, according to a newspaper report. The social networking company, which provides Dataminr with real-time access to public tweets, seems to be trying to distance itself from appearing to aid government surveillance, a controversial issue after former National Security Agency contractor Edward Snowden revealed that the government was collecting information on users through Internet and telecommunications companies. Executives of Dataminr told intelligence agencies recently that Twitter, which holds around 5 percent of the equity in the startup and provides the data feed, did not want the company to continue providing the service to the agencies, reported The Wall Street Journal on Sunday, quoting a person familiar with the matter.

How Microsoft keeps the bad guys out of Azure

Microsoft has published its latest Security Intelligence Report (SIR), which it does twice a year, covering security issues for the prior six months. This latest edition covers the second half of 2015, analyzing the threat landscape of exploits, vulnerabilities and malware using data from Internet services and over 600 million computers worldwide. It is a massive effort, with dozens of Microsoft staff from different groups contributing. For the first time, they looked at not only PC malware but threats to its Azure cloud service as well, which the company says "reveals how we are leveraging an intelligent security graph to inform how we protect endpoints, better detect attacks and accelerate our response, to help protect our customers."

That massive reported ‘data breach’ was just hype, Mail.ru says

Hold Security made quite a splash in the security world on Wednesday when it claimed to have recovered 272 million stolen email credentials from a much larger trove, but on Friday the email provider most strongly affected called the report an effort to create media hype. Hold suggested that nearly 57 million of the stolen email accounts uncovered were from the popular Russian service Mail.ru. But more than 99.9 percent of the Mail.ru account credentials in a sample examined by the provider are invalid, the Russian company said.

Lenovo patches serious flaw in pre-installed support tool

Lenovo has fixed a vulnerability in its Lenovo Solution Center support tool that could allow attackers to execute code with system privileges and take over computers. The Lenovo Solution Center (LSC) is an application that comes pre-installed on many Lenovo laptops and desktops. It allows users to check their system’s virus and firewall status, update their software, perform backups, check battery health, get registration and warranty information and run hardware tests. The tool has two components: a graphical user interface and a service called LSCTaskService that runs in the background at all times even if the user interface is not started.

Virtual environments make it easy to deploy deception technology

This column is available in a weekly newsletter called IT Best Practices. Cyber attackers use deception to try to get inside your network by doing everything from spoofing email addresses in spear phishing attacks to hiding malware on legitimate websites. So, if deception is standard operating procedure for the bad guys, perhaps it's time to fight back with some deception of your own. In fact, Gartner says it's a good complement to your existing security infrastructure. Deception technology designed to lure and trap malicious actors has been around since at least 1999 when Lance Spitzner, founder of the Honeynet Project, published a paper on how to build a honeypot. Early honeynets were pretty resource intensive and they had to be maintained to ensure the honeynet wasn't turned against the host organization. Since then, the advent of virtual machines has helped ease the deployment and use of deception technology.

Interop: Ransomware should haunt you all the time

When the ransomware demands come in it’s really too late to come up with a good response plan, so do that as soon as you can, an Interop audience was told. “You need to decide beforehand whether you will pay and under what circumstances,” John Pironti, president of IP Architects, says. “It’s a cost benefit decision in the end.”

Qualcomm flaw puts millions of Android devices at risk

A vulnerability in an Android component shipped with phones that use Qualcomm chips puts users' text messages and call history at risk of theft. The flaw was found by security researchers from FireEye and was patched by Qualcomm in March. However, because the vulnerability was introduced five years ago, many affected devices are unlikely to ever receive the fix because they're no longer supported by their manufacturers. The vulnerability, which is tracked as CVE-2016-2060, is located on an Android component called "netd" that Qualcomm modified in order to provide additional tethering capabilities. Malicious applications could exploit the flaw in order to execute commands as the "radio" system user, which has special privileges.

Ethernet: Are there worlds left to conquer?

LAS VEGAS -- Apparently Ethernet isn’t all THAT ubiquitous. That is judging by the number of new applications, speed changes and future options for the networking standard that were discussed at the Interop symposium here. “We are now beyond the ‘let’s just go faster’ development of Ethernet and are now looking at developing Ethernet for specific applications,” said David Chalupsky, Ethernet Alliance BASE-T subcommittee chair and principal engineer at Intel. That’s not to say Ethernet won’t continue to get faster – it is. There is currently work to develop 50Gbps, 200Gbps and 400Gbps Ethernet in the next three years. But perhaps more telling, the Ethernet community is also looking to standardize on slower speeds 2.5Gbps, 5Gbps and 25Gbps.

Meet EMILY, the robotic life-guard that may save you from drowning some day

It might be the fastest, most important water buoy ever invented. That would be the Emergency Integrated Lifesaving Lanyard or EMILY – a 25lb, 4ft-long, bright orange, red and yellow colored cylindrical buoy powered by a jet engine similar to a mini jet ski, and travels up to 22 MPH. “EMILY is made of Kevlar and aircraft-grade composites and is virtually indestructible,” said inventor Tony Mulligan, CEO of Hydronalix, a maritime robotics company that developed EMILY along with the Office of Naval Research. “The devices can be thrown off a helicopter or bridge and then driven via remote control to whoever needs to be rescued.”

State of EMV report: Fraud rises before a fall

The switchover to EMV (Europay, MasterCard, and Visa) chipped credit cards is well underway. According to a new report from research and advisory firm Aite Group, sponsored by device intelligence and fraud prevention company iovation, 81% of credit cards in the U.S. will be EMV capable by the end of 2016. And the increased adoption of the more secure cards is fueling an increase in counterfeit fraud. Wait. What? You read it right. “As the U.S. migration to EMV progresses, the combination of continued strong growth in e-commerce, ready availability of consumer data and credentials in the underweb, and disappearing counterfeit fraud opportunity will create a perfect storm that will result in a sharp rise in CNP (card-not-present) fraud,” said Julie Conroy, research director at Aite Group. Conroy went on to say, “CNP fraud is already on the rise, and the problem will get worse before it gets better."

10 companies that can help you fight phishing

According to the most recent Verizon data breach report, a phishing email is often the first phase of an attack. That's because it works well, with 30 percent of phishing messages opened, but only 3 percent reported to management. But when employees are trained on how to spot phishing emails, and then get tested with mock phishing emails, the percent who fall victim decreases with each round. Of course, it's impossible to get to a zero response rate. The criminals are becoming extremely clever with their messages. Fortunately, it's not necessary. If enough employees forward phishing emails to security, then the company becomes aware that it is the target of a campaign, and can be prepared to deal with those messages that do slip through.