Category Archives for "Network World Security"

Why passwords fail end users

At the 2016 Interop show, Network World got a quick demo of Keeper Security's password management and vault app. The company's CEO, Darren Guccione, also explained why most password methods fail end users, and whether biometrics (beyond the fingerprint) will ever catch on as an authentication method.

Tech groups call on presidential candidates to support encryption, embrace other IT issues

U.S. presidential candidates should embrace encryption and narrow government access to Internet users' data as part of a comprehensive technology agenda, IT trade groups say. While the FBI and some lawmakers have pushed in recent months for encryption workarounds in criminal investigations, presidential candidates should "recognize encryption as a critical security tool," 13 tech trade organizations said in a set of tech policy recommendations released late Wednesday. By narrowly targeting governments' access to consumer data, the next president can promote global trust in digital goods and services, said the groups, representing hundreds of tech companies. Trade groups signing the letter included the Telecommunications Industry Association, the Consumer Technology Association, and BSA.

Cisco patch stops attackers from taking over TelePresence systems

Cisco Systems has fixed a critical vulnerability that could allow attackers to take over TelePresence systems, and patched other high-severity flaws in Cisco FirePOWER and Adaptive Security Appliance devices. The TelePresence software vulnerability stems from an improper authentication mechanism in the XML application programming interface (API). An attacker could exploit it by sending crafted HTTP requests to the XML API to bypass authentication and then make unauthorized configuration changes and execute commands on the system.

Cybersecurity Plan for POTUS 45

Okay, the presidential primaries are winding down, and while I expect lots of name calling, insults and general sophomoric behavior this summer and fall, it’s time for both parties to step up with a strong plan for cybersecurity. Cybersecurity? You’d really never know that it’s a national issue based upon the proceedings so far. Governor Bush put out a two-page overview while Dr. Ben Carson’s team drafted a high-level proposal. Neither one of these documents really dug into existing policies, domestic challenges, or international issues. With the exception of John McAfee, no one has gotten into any detail on this topic. Now I know that cybersecurity can be the geekiest of geeky topics, so the presidential candidates need to address it at the right level. The best plan will appeal to voters’ personal interests, offer financial incentives and opportunities, and demonstrate U.S. leadership in international affairs. Additionally, the plan should align cybersecurity issues with technology innovation and a changing economy.

Who is a target for ransomware? Everyone

According to the Institute for Critical Infrastructure Technology, ransomware campaigns care only about the payout rather than the individual target. Ransomware, whether purchased or developed, is relatively cheap, and delivery is virtually free.

DDoS costs, damages on the rise

Peak-time distributed denial-of-service attacks cost organizations more than $100,000 per hour, said half of the respondents to a new survey of mid-sized and large corporations in the U.S. and Europe. And for a third of respondents, the average peak hourly revenue loss was more than $250,000. However, shutting down attacks took time. Only 26 percent said it took them less than an hour, while 33 percent said it took between one and two hours, and 40 percent said it took more than three hours. By comparison, a year ago, only 32 percent of companies said that they would lose more than $100,000 an hour, and 68 percent said it took them less than two hours to respond to an attack.

Cyber insurance can be your worst nightmare, best friend

LAS VEGAS -- Cyber insurance can pay out millions of dollars to cover the cost of data breach liability, but buying the policies can be a nightmare for info security pros, and premiums for similar coverage can vary wildly, an Interop audience was told. On the flip side, the insurance companies lack underwriters with IT knowledge, a good model for assessing risk, and a common vocabulary for discussing policies clearly, and they face a looming threat that a single successful attack of just the wrong kind could mean a major financial hit, says Dave Bradford, co-founder and chief strategy officer at Advisen.

Apple patches vulnerable OS X Git version that put developers at risk

Apple has released a new version of its Xcode development tool in order to patch two critical vulnerabilities in the Git source code management client. The Git vulnerabilities, CVE-2016-2324 and CVE-2016-2315, have been known since mid-March and can be exploited when a user clones a repository with a specially crafted file structure, allowing whoever controls that repository to execute malicious code on the system where the clone was initiated. Xcode is an integrated development environment (IDE) used by a large number of developers to write applications for OS X and iOS. It includes a package called the OS X Command Line Tools for Xcode that contains the open-source Git client.
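Because the vulnerable Git ships inside the Command Line Tools rather than as a separately tracked package, the practical check is to read the banner the bundled binary reports and compare it against the first fixed release. The script below is an added example, not code from the article, Apple or the Git project. It assumes (the article does not say) that the upstream fix shipped in Git 2.7.4, so any older banner is treated as affected; the Apple-style banners it prints are constructed for illustration.

```python
"""Flag a Git older than the release that fixed CVE-2016-2324 / CVE-2016-2315.

Added example, not from the article or from Apple/Git. Assumption (not in the
article): Git 2.7.4 is the first upstream release carrying the fix. Apple's
bundled Git reports a banner such as "git version 2.7.4 (Apple Git-66)"; the
sample banners used below are constructed for illustration.
"""
import re
import subprocess

FIXED_VERSION = (2, 7, 4)  # assumption: first upstream release with the fix


def parse_git_version(banner):
    """Extract (major, minor, patch) from `git --version` output.

    Tolerates build suffixes such as "(Apple Git-66)" or "2.8.0.rc1" and
    raises ValueError when no version number is present at all.
    """
    match = re.search(r"\bgit version (\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not match:
        raise ValueError("unrecognised git version banner: %r" % banner)
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(banner, fixed=FIXED_VERSION):
    """True when the reported Git predates the fixed release."""
    return parse_git_version(banner) < fixed


def installed_git_banner():
    """Run the local git binary and return its banner, or None if absent."""
    try:
        out = subprocess.run(["git", "--version"], capture_output=True,
                             text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed banners: one pre-fix Apple build and one fixed build.
    for sample in ("git version 2.6.4 (Apple Git-63)",
                   "git version 2.7.4 (Apple Git-66)"):
        print(sample, "->", "AFFECTED" if is_affected(sample) else "ok")
    banner = installed_git_banner()
    if banner:
        print("installed:", banner, "->",
              "AFFECTED" if is_affected(banner) else "ok")
```

Run it on each developer machine (or from a fleet-management job); a reported "AFFECTED" means the Xcode Command Line Tools still need the update. The comparison is on the upstream version only, so the Apple build number in parentheses is ignored.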

A Russian hacker gave away millions of email credentials for social media votes

Tens of millions of stolen credentials for Gmail, Microsoft and Yahoo email accounts are being shared online by a young Russian hacker known as "the Collector" as part of a supposed larger trove of 1.17 billion records. That's according to Hold Security, which says it has looked at more than 272 million unique credentials so far, including 42.5 million it had never seen before. A majority of the accounts reportedly were stolen from users of Mail.ru, Russia's most popular email service, but credentials for other services apparently were also included. Hold discovered the breach when its researchers came across the hacker bragging in an online forum. Though the hacker initially asked Hold for 50 rubles for the initial 10GB stash -- that's equivalent to about 75 cents -- he eventually turned it over to them in exchange for likes and votes for him on social media.

Zombie servers will kill you

You thought it was buried. You forgot. Someone didn’t document it. A ping sweep didn’t find it. It lay there, dead. No one found it. But there was a pulse: It’s still running, and it’s alive. And it’s probably unpatched. Something probed it long ago. Found port 443 open. Jacked it like a Porsche 911 on Sunset Boulevard on a rainy Saturday night. How did it get jacked? Let me count the ways. Now it’s a zombie living inside your asset realm. It doesn’t matter that it’s part of your power bill. It’s slowly eating your lunch. It doesn’t matter that you can’t find it, because it’s finding you. It’s listening quietly to your traffic, looking for the easy, unencrypted stuff. It probably has a few decent passwords to your router core. That NAS share using MSCHAPv2? Yeah, that was easy to digest. Too bad the password is the same as the one for every NAS at every branch from the same vendor. Too bad the NAS devices don’t encrypt traffic.

How to use advanced analytics to mitigate EHR data risks

Over the past seven years, the federal government has established a set of incentives and fines — carrots and sticks — to promote and expand the use of healthcare information technology, particularly the meaningful use of electronic health record (EHR) systems. In a recent report, PwC's Advanced Risk & Compliance Analytics practice found that, because of the government's carrot and stick, EHR implementation initiatives usually concentrated on the core challenge of meeting tight timelines while managing costs. After all, these initiatives are often the largest projects these organizations undertake.

NASA, FAA show off wireless aircraft communication technology

NASA said that for the first time it has demonstrated that a wireless system can communicate -- sending route options and weather information, for example -- with a jet on the ground. NASA said it tested a demonstration system known as Aircraft Access to System Wide Information Management (SWIM) to wirelessly send aviation information to an FAA Bombardier Global 5000 test aircraft taxiing at 60 to 70 miles per hour on the Cleveland Hopkins International Airport runway. It sent the information over a prototype wireless system called Aeronautical Mobile Airport Communications System, or AeroMACS, developed by Hitachi.

Interop: 12 killer (and free) tools for network engineers

LAS VEGAS -- Visibility is key to troubleshooting network woes, but getting such access can be expensive. To help out, a veteran networking pro shared with attendees of the Interop conference in Las Vegas his list of a dozen mostly free “killer” tools. “There are commercial tools that do most of these functions,” says Mike Pennacchi, owner and lead network analyst at Network Protocol Specialists. “If you don’t have any budget, this gives you the tools without spending a lot of money.”

Google turns on HTTPS for all blogspot blogs

All blogs hosted on Google's blogspot.com domain can now be accessed over an encrypted HTTPS connection. This puts more control into the hands of blog readers who value privacy. Google started offering users of its Blogger service the option to switch their blogspot.com sites to HTTPS in September; that opt-in setting has now been removed, and every blog has an HTTPS version that readers can use. In place of the "HTTPS Availability" option, blog owners can now use a setting called "HTTPS Redirect," which automatically redirects all visitors to the HTTPS version of their blogs. If that setting is not enabled, the unencrypted HTTP version of the blog remains reachable as well.

5 secure habits of the paranoid PC user

We know how it goes: You mean to practice safe computing habits, really you do. But when you fire up your computer, you just want to get stuff done -- and that's when even savvy users begin to cut security corners. We'd all do well to take a lesson from truly paranoid PC users, who don't let impatience or laziness stand in the way of protecting their data. Let's take a look at some of their security habits that you may want to practice regularly. After all, staying safe online doesn't have to be onerous or time-consuming. Invest an hour or two this weekend to put a few safeguards in place, consciously start to practice a few good habits -- and before you know it, your good intentions will become a daily reality.

World Password Day: Change your shared passwords at Netflix, Prime, HBO Now

Thursday, May 5, is World Password Day 2016. For the fourth year, you’ll surely see plenty of articles reminding you why you should change all of your passwords—a strong and unique password for every site where you log in—and to start using a password manager if you don’t do so yet. I still highly encourage you to get 2FA for Mother’s Day. Intel/McAfee is again trying to persuade people to tweet a password confession. While I’m not encouraging you to do so, I would like to pick two as examples. World Password Day is as good a day as any to talk about password sharing.

Critical flaws in ImageMagick library expose websites to hacking

A library used by millions of websites to process images has several critical vulnerabilities that could allow attackers to compromise Web servers. To make things worse, there's no official patch yet and exploits are already available. The vulnerabilities were discovered by Nikolay Ermishkin from the Mail.Ru security team and were reported to the ImageMagick developers, who attempted a fix in version 6.9.3-9, released on April 30. However, the fix is incomplete and the vulnerabilities can still be exploited. Furthermore, there is evidence that people other than security researchers and the ImageMagick developers know about the flaws, which is why their existence was publicly disclosed Tuesday. The flaws can be exploited by uploading specially crafted images to Web applications that rely on ImageMagick to process them.
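Since the fix in 6.9.3-9 is incomplete, the defence has to sit in front of ImageMagick. ImageMagick chooses a decoder from the file's content rather than from the extension the uploader picked, so a text-based format can be smuggled in under a ".png" name. The upload check below is an added example, not code from the article or from the ImageMagick project: it accepts a file only when its leading bytes match one of the raster formats the application expects and that format agrees with the extension. The allowlist (PNG, JPEG, GIF) and all sample inputs are constructed for illustration.

```python
"""Allowlist uploads by magic bytes before ImageMagick touches them.

Added example, not from the article or the ImageMagick project. ImageMagick
selects a coder from the file's content, so a script-like text format saved
as ".png" would still be parsed as that format. This check refuses anything
whose leading bytes are not one of the expected raster signatures, and
anything whose bytes disagree with the declared extension. The allowlist
below is an assumption about what the application needs; sample inputs in
the demo are constructed.
"""

# Leading byte signatures of the formats the application accepts
# (assumption: only PNG, JPEG and GIF are needed).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

EXTENSION_TO_FORMAT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def detect_format(data):
    """Return the allowlisted format whose signature starts `data`, else None."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def is_safe_upload(filename, data):
    """True only when the extension is allowlisted and the bytes agree with it.

    Rejects unknown extensions, unrecognised content, and mismatches such as
    an MVG or SVG text body saved under a ".png" name.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXTENSION_TO_FORMAT.get(ext)
    if expected is None:
        return False
    return detect_format(data) == expected


def check_upload(filename, data):
    """Human-readable verdict, used by the demonstration run below."""
    verdict = "accept" if is_safe_upload(filename, data) else "reject"
    return "%s: %s (content looks like %s)" % (filename, verdict,
                                               detect_format(data))


if __name__ == "__main__":
    # Constructed samples: a PNG header, a JPEG header, a harmless MVG
    # script (a text format ImageMagick would parse) renamed to .png,
    # and an SVG document. Only the first two should be accepted.
    samples = [
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
        ("avatar.png", b"push graphic-context\nviewbox 0 0 10 10\n"
                       b"pop graphic-context\n"),
        ("logo.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
    ]
    for name, blob in samples:
        print(check_upload(name, blob))
```

Treat this as one layer, not the whole fix: it keeps disguised text formats away from ImageMagick, but it should be paired with disabling the coders the application does not need in ImageMagick's policy.xml, and with re-checking once a complete upstream release is available.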

4 IT companies allowed to use commercial drones

The Federal Aviation Administration has granted approval for more than 5,000 so-called Section 333 exemptions to operate commercial drones over the past year, and among those getting the go-ahead are familiar names in the enterprise IT and networking market. Apple, Microsoft, Motorola Solutions and Qualcomm are among the tech vendors we found in the approved petitions database, with stated operations/missions for commercial drones -- also known as unmanned aircraft systems (UAS) or unmanned aerial vehicles (UAV) -- that include photography/videography, aerial mapping/surveying, research and development, and security.