Category Archives for "Network World Security"

4 ways to apply SLAs to shadow IT

The risks and costs of shadow IT have always been a concern for IT organizations. Yet the business clearly values the capability to procure certain IT services to rapidly meet its changing needs, so much so that these informal IT capabilities are springing up even more often than IT leaders realize. One 2015 report by Cisco indicated that the number of unauthorized cloud applications in use in the enterprise, for example, was 15 to 22 times higher than CIOs estimated. To read this article in full or to leave a comment, please click here

Treasury Department took over 8 weeks to fully patch Juniper security vulnerability

The secret backdoor in Juniper firewalls, which allowed VPN traffic passing through them to be decrypted, has been compared to “stealing a master key to get into any government building.” The security hole, which existed for at least three years, was publicly announced in December. Who installed the backdoor is still unknown, but some people believe it was repackaged from a tool originally created by the NSA.

New point-of-sale malware Multigrain steals card data over DNS

Security researchers have found a new memory-scraping malware program that steals payment card data from point-of-sale (PoS) terminals and sends it back to attackers using the Domain Name System (DNS).

Dubbed Multigrain, the threat is part of a family of malware programs known as NewPosThings, with which it shares some code. However, this variant was designed to target specific environments.

That's because, unlike other PoS malware programs that look for card data in the memory of many processes, Multigrain targets a single process called multi.exe that's associated with a popular back-end card authorization and PoS server. If this process is not running on the compromised machine, the infection routine exits and the malware deletes itself.

Illumio’s cyber assessment program helps find new attack surfaces ASAP

Earlier this week, I wrote a post discussing how visibility can be used to reverse the security asymmetry challenge. On Tuesday, hot security startup Illumio proved my point by announcing a cyber assessment program that uses granular visibility to identify new attack surfaces.

Illumio’s Attack Surface Assessment Program (ASAP) was led by Nathaniel Gleicher, former Director of Cybersecurity Policy for the National Security Council at the White House and now Head of Cybersecurity Strategy for Illumio. The White House obviously has the strictest of security policies, giving Gleicher the necessary level of paranoia to put together a program like this. Now any company can benefit from his experience.

Oracle releases 136 security patches for wide range of products

Oracle has released another monster quarterly security update containing 136 fixes for flaws in a wide range of products, including Oracle Database Server, E-Business Suite, Fusion Middleware, Oracle Sun Products, Java and MySQL.

The biggest change is Oracle's adoption of the Common Vulnerability Scoring System (CVSS) version 3.0, which more accurately reflects the impact of flaws than CVSS 2.0. This Oracle Critical Patch Update (CPU) carries both CVSS 3.0 and CVSS 2.0 scores for the vulnerabilities it fixes, providing a chance to compare how the new rating system might affect Oracle patch prioritization inside organizations.

IDG Contributor Network: BugCrowd raises cash because of the power of the people

News today from security testing vendor Bugcrowd highlights an increasing trend towards leveraging an outside community to do good things for organizations.

First, the news: Bugcrowd has raised a $15 million Series B led by Blackbird Ventures along with existing investors Costanoa Venture Capital, Industry Ventures, Paladin Capital Group and Rally Ventures. Not one to miss out on a funding opportunity, Salesforce Ventures also joined the round. The company has now raised $24 million since its founding at the Startmate accelerator in Sydney, Australia.

What Bugcrowd does is pretty simple. Its flagship product, Crowdcontrol, is used by a bunch of high-profile brands, including Credit Karma, Fitbit, Motorola, Tesla, TripAdvisor and Western Union, to resolve security bugs in their products. But this isn't any magic bullet “apply our advanced platform and resolve your bugs automatically” kind of science fiction. Instead, Crowdcontrol leverages that most ancient of resources: the crowd. Bugcrowd has built a vetted community of over 27,000 security researchers, all of whom help Bugcrowd's customers reveal the holes in their software.

EFF sues to uncover government demands to decrypt communications

The Electronic Frontier Foundation is suing the U.S. Department of Justice over its failure to disclose whether Internet companies have been compelled to decrypt user data and communications.

The EFF action targets applications to and decisions by the Foreign Intelligence Surveillance Court (FISC), a Washington, D.C.-based court that meets in secret to consider cases related to government surveillance and national security.

The court's decisions are classified, and Internet companies are prohibited from disclosing any details about warrants received as a result of arguments before the court.

The result is that little is known about the extent of the court's activities. In October, the EFF filed a freedom-of-information request seeking more information but, according to its lawsuit, the DOJ said it couldn't find any documents relating to the issue.

DARPA: Researchers develop chip part that could double wireless frequency capacity

A DARPA-funded research team said recently it had developed a tiny component for silicon-based circuitry that could double the radio-frequency (RF) capacity for wireless communications, offering faster web searching as well as the development of smaller, less expensive and more readily upgraded antenna arrays for radar, signals intelligence and other applications.

The work was led by Columbia University electrical engineers Harish Krishnaswamy and Negar Reiskarimian and funded under DARPA’s Arrays at Commercial Timescales (ACT) program, which is looking to develop wireless electronic components that can be integrated into larger, more advanced systems quickly. DARPA said ACT products aim to “shorten design cycles and in-field updates and push past the traditional barriers that lead to 10-year array development cycles, 20- to 30-year static life cycles and costly service-life extension programs.”

Outdated Git version in OS X puts developers at risk

The OS X command line developer tools include an old version of the Git source code management system that exposes Mac users to remote code execution attacks.

The Git client allows developers to interact with source code repositories. It is not installed by default on Mac OS X, but it is included in the Command Line Tools package for Xcode, Apple's integrated development environment (IDE).

Software developers who create applications for OS X or iOS are likely to use Xcode and to have Apple's Command Line Tools package installed on their Macs. The latest version of this package includes Git version 2.6.4, released in December.

Lawmakers call for middle ground on law enforcement access to encryption

Technology vendors and law enforcement agencies need to look for a compromise that allows police to gain access to encrypted devices during criminal investigations, lawmakers say.

Many tech vendors and privacy advocates have suggested there is no available compromise between strong security for device users and police access to encrypted communications. But members of a congressional committee on Tuesday pushed both sides in the ongoing encryption debate to look again for a possible middle ground.

As Apple and the FBI continue to argue in court about whether the company should assist the agency with unlocking iPhones, "it's time to begin a new chapter in this battle, one which I hope can ultimately bring some resolution to the war," said Representative Tim Murphy, a Pennsylvania Republican.

NYPD hijacks #UnlockJustice to bash encryption, but its hashtag gets hijacked

A coalition including the New York Police Department and Manhattan District Attorney Cyrus Vance launched an anti-encryption campaign, along with the hashtag #UnlockJustice, because “crime victims are entitled to stronger protections than criminals.”

“The debate over encryption is often referred to in terms of privacy and security, with little regard for the impact on crime victims,” the press release stated. The Manhattan DA complained about the 230 Apple devices running iOS 8 or higher that it cannot unlock and how unfair encryption and “warrant-proof” devices are to crime victims. Companies, according to Vance, should not be permitted “to provide criminals with unprecedented, evidence-free zones.”

Viber follows WhatsApp in adding end-to-end encryption to its messaging service

Viber, a popular instant messaging and Voice-over-IP service provider with more than 700 million users, has implemented end-to-end encryption to protect its customers' communications against snooping.

The move comes after Facebook-owned WhatsApp turned on full end-to-end encryption earlier this month, bringing secure and private instant messaging into the mainstream.

The majority of IM apps have long encrypted the communications between users' devices and their own servers. In such a configuration, however, the service providers themselves can still read messages as they pass through their servers on the way to the intended recipients.

CEO targeted by fraud twice a month

Every couple of weeks or so, Tom Kemp's company gets hit by ever-more-sophisticated attempts to trick it out of large sums of money.

It started two years ago, before business email compromise, also known as CEO fraud, became as widely known as it is today.

The email came in addressed directly to the company's controller, asking for a wire transfer of more than $350,000. The email seemed to come from the CFO and was part of a longer chain of emails between the CFO and the CEO discussing the transfer.

"If you looked at the email thread, it looked legitimate," said Kemp, CEO at security firm Centrify. "And there was a real bank account and a real company name associated with it."
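Much of what makes a message like that convincing is visible in its headers and body, so a mail gateway or a pre-payment check can look for it. The following is an added example, not Centrify's code or anything from the article: it parses a constructed message and flags an executive's display name on a foreign address, a lookalike sender domain and a Reply-To that diverts replies, and separately lists the payment language in the body. The company domain, executive directory, keyword list and sample messages are assumptions.

```python
"""Added example (not Centrify's code or the article's): a small check for
the executive display-name impersonation that business email compromise
relies on, run over constructed messages.  The company domain, executive
directory, keyword list and sample headers are assumptions."""
from email import message_from_string, policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                      # assumed
EXECUTIVES = {                                           # assumed: display name -> real mailbox
    "pat chen": "pat.chen@example-corp.com",             # CFO
    "sam okafor": "sam.okafor@example-corp.com",         # CEO
}
PAYMENT_TERMS = ("wire transfer", "wire", "urgent", "confidential", "bank account")

# Constructed sample: the CFO's display name, a lookalike domain (0 for o),
# an off-domain Reply-To and a fabricated quoted thread with the CEO.
SAMPLE_FRAUD = """\
From: Pat Chen <pat.chen@example-c0rp.com>
Reply-To: pat.chen@mail-relay.example.net
To: controller@example-corp.com
Subject: Re: Re: Vendor settlement - wire transfer
Date: Tue, 19 Apr 2016 09:12:33 -0700
Content-Type: text/plain; charset="utf-8"

Please process the wire transfer of $350,000 today. Keep this confidential.

> On Mon, Sam Okafor wrote:
> Approved, go ahead and send it.
"""

# Constructed benign message from the real mailbox, used as the negative case.
SAMPLE_LEGIT = """\
From: Pat Chen <pat.chen@example-corp.com>
To: controller@example-corp.com
Subject: Q2 budget draft
Date: Tue, 19 Apr 2016 10:02:11 -0700
Content-Type: text/plain; charset="utf-8"

Draft attached for review; no action needed before Friday.
"""


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains (example-c0rp vs example-corp)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw):
    """Return {'suspicious': bool, 'reasons': [...], 'payment_terms': [...]}.
    Heuristics: a known executive's display name on a foreign address, a
    lookalike sender domain, and a Reply-To that steers replies elsewhere."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    sender_domain = domain_of(addr)
    reasons = []

    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        reasons.append(f"display name '{name}' belongs to {expected} but address is {addr}")

    if sender_domain != COMPANY_DOMAIN and levenshtein(sender_domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"sender domain {sender_domain} is a lookalike of {COMPANY_DOMAIN}")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append(f"Reply-To {reply_to} redirects replies away from {sender_domain}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    terms = [t for t in PAYMENT_TERMS if t in text]

    return {"suspicious": bool(reasons), "reasons": reasons, "payment_terms": terms}


if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample))
```

The quoted "thread" in the body is deliberately not trusted: anything below the quote marker was typed by the sender, so a convincing history of CFO-to-CEO approvals is no evidence at all. Header checks like these belong alongside, not instead of, an out-of-band confirmation step for any wire above a set amount.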

Palo Alto Networks working to share threat intelligence

Palo Alto Networks is on board with industry-wide efforts to share threat intelligence and disseminate it so the collective knowledge businesses gather about threats can be quickly turned into defenses against new types of attacks.

Its efforts include support for the new federal Cybersecurity Information Sharing Act, which lifts some of the liability businesses are exposed to if they share data about security incidents. If the data inadvertently reveals personal information but was submitted in accordance with the law, the contributor would not be legally liable.

The company is also hammering out the details of the Cyber Threat Alliance it formed last year to gather threat information from security vendors and researchers that can rapidly and thoroughly unmask current threats. The goal is to shorten the useful lives of attacks and put a heavier burden on attackers who want to stay in business.

Microsoft cites new EU personal data rules in support of email dispute

Microsoft has cited new European data protection rules in support of its claim that the U.S. government should use inter-governmental agreements rather than a warrant to force the technology company to provide emails stored in Ireland that are required for an investigation.

The General Data Protection Regulation was adopted last week by the European Parliament with the aim of providing a unified data protection regime across member states. It was earlier adopted by the Council of the EU and is to come into effect a little over two years after its publication in the EU Official Journal. The legislation will replace the EU Data Protection Directive, which dates back to 1995.

NASA: Top 10 space junk missions

While many of the usual suspects are still the top space junk producers, much more debris is now orbiting Earth than six years ago, when NASA last looked at the top 10 space junk missions. NASA's Orbital Debris Program Office said that by far the greatest source of orbital debris remains the Fengyun-1C spacecraft, which was the target of a People’s Republic of China anti-satellite test in January 2007.

Location data from 2 apps can ID you across domains even if you use fake names

If you think that making up a bogus name or using a fake age on a profile actually makes you harder to link to your profiles on other sites, then think again: researchers have determined how to use location data to link users across domains. You also should not be comforted when you learn that big data has been stripped of names and personal details; researchers say it is “no guarantee of privacy.”

Columbia University computer science researchers Chris Riederer, Yunsung Kim and Augustin Chaintreau, along with Google researchers Nitish Korula and Silvio Lattanzi, combined their considerable brain power to come up with an algorithm that needs location data from only two apps to identify someone. The researchers recently presented their paper, “Linking Users Across Domains with Location Data: Theory and Validation” (pdf), at the 25th International World Wide Web Conference.
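The idea behind linking accounts this way can be shown with a much simpler estimator than the one in the paper. The following is an added example, not the Columbia or Google researchers' code: it bins each account's check-ins into (location cell, hour) bins, weights every bin two accounts share by how rare that bin is across all accounts, and then matches pseudonyms from one app to the other greedily, one to one. The coordinates, bin size and names are constructed, and the rarity-weighted scoring is a simplification rather than the paper's method.

```python
"""Added example, not the Columbia/Google team's code: a simplified
rarity-weighted co-occurrence linker in the spirit of their approach.
Two constructed datasets of (lat, lon, hour) check-ins, one per app, with
unrelated pseudonyms on each side, are linked purely by where and when
each account was seen.  Coordinates, bin size and names are assumptions."""
import math
from collections import defaultdict

CELL_DEG = 0.01   # assumed grid: roughly 1 km cells in latitude at these coordinates


def bin_point(lat, lon, hour, cell=CELL_DEG):
    """Quantise a check-in to a (lat_cell, lon_cell, hour-of-day) bin, so that
    GPS jitter between two apps still lands in the same bin."""
    return (round(lat / cell), round(lon / cell), int(hour))


def bin_frequencies(*tables):
    """How many distinct accounts, across all datasets, were seen in each bin."""
    freq = defaultdict(int)
    for table in tables:
        for bins in table.values():
            for b in bins:
                freq[b] += 1
    return freq


def link_users(app_a, app_b):
    """Score every (a, b) pair by the bins they share, weighting each shared bin
    by how rare it is (a bin visited by everyone carries no information), then
    assign matches greedily, one-to-one, in descending score order.
    Returns {pseudonym_in_a: (pseudonym_in_b, score)}."""
    bins_a = {u: {bin_point(*p) for p in pts} for u, pts in app_a.items()}
    bins_b = {u: {bin_point(*p) for p in pts} for u, pts in app_b.items()}
    freq = bin_frequencies(bins_a, bins_b)
    n_accounts = len(bins_a) + len(bins_b)

    def weight(b):
        return math.log(n_accounts / freq[b])   # log(1) == 0 for a bin everyone visits

    candidates = []
    for ua, sa in bins_a.items():
        for ub, sb in bins_b.items():
            score = sum(weight(b) for b in sa & sb)
            if score > 0:
                candidates.append((score, ua, ub))
    candidates.sort(reverse=True)

    matches, taken = {}, set()
    for score, ua, ub in candidates:
        if ua in matches or ub in taken:
            continue
        matches[ua] = (ub, round(score, 3))
        taken.add(ub)
    return matches


# Constructed check-ins (lat, lon, hour).  The 09:00 office cell is shared by
# every account and so contributes nothing; homes, gym, pub and park do the work.
APP_A = {
    "runner_92": [(40.742, -73.989, 8), (40.753, -73.983, 9), (40.731, -74.002, 18)],
    "bk_1977":   [(40.711, -74.012, 8), (40.753, -73.983, 9), (40.726, -73.997, 20)],
    "c_m":       [(40.781, -73.951, 7), (40.753, -73.983, 9), (40.776, -73.967, 17)],
}
APP_B = {   # different fake names and ages, slightly jittered GPS fixes
    "Jane Doe, 29": [(40.7423, -73.9892, 8), (40.7528, -73.9831, 9), (40.7312, -74.0018, 18)],
    "Mr X, 51":     [(40.7108, -74.0121, 8), (40.7258, -73.9968, 20), (40.7531, -73.9829, 9)],
    "anon":         [(40.7812, -73.9508, 7), (40.7529, -73.9832, 9), (40.7759, -73.9671, 17)],
}


if __name__ == "__main__":
    for a, (b, score) in link_users(APP_A, APP_B).items():
        print(f"{a} <-> {b} (score {score})")
```

None of the names, ages or profile text enter the computation, which is the researchers' point: a home cell at 08:00 plus a gym cell at 18:00 is already a near-unique signature, and a dataset "anonymised" by stripping identifiers still carries it. The lesson for anyone publishing or retaining location data is that coarsening coordinates or dropping timestamps, not removing names, is what reduces linkability.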

AI + humans = kick-ass cybersecurity

Neither humans nor AI has proven overwhelmingly successful at maintaining cybersecurity alone, so why not see what happens when you combine the two? That's exactly the premise of a new project from MIT, and it has achieved some pretty impressive results.

Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) and machine-learning startup PatternEx have developed a new platform called AI2 that can detect 85 percent of attacks. It also reduces the number of "false positives" (non-threats mistakenly identified as threats) by a factor of five, the researchers said.

IDG Contributor Network: Personal data is exposed by older, shortened URLs

Services that convert long, cumbersome URLs, such as those found in mapping directions, to short URLs are publicly exposing the original URLs.

The original addresses can be obtained through brute-force scanning, researchers say, and that vulnerability allows foes to track an individual’s possibly sensitive movements, as well as see documents their owners believed to be private.

Additionally, cloud documents exposed through brute force could allow “adversaries” to “inject arbitrary malicious content into unlocked accounts, which is then automatically copied into all of the account owner’s devices,” say Vitaly Shmatikov of Cornell Tech and Martin Georgiev, an independent researcher, who made the discovery, in their paper (PDF).

Hacker: This is how I broke into Hacking Team

Almost a year after Italian surveillance software maker Hacking Team had its internal emails and files leaked online, the hacker responsible for the breach has published a full account of how he infiltrated the company's network.

The document, published Saturday by the hacker known online as Phineas Fisher, is intended as a guide for other hacktivists, but it also shines a light on how hard it is for any company to defend itself against a determined and skillful attacker.

The hacker linked to Spanish and English versions of his write-up from a parody Twitter account called @GammaGroupPR that he set up in 2014 to promote his breach of Gamma International, another surveillance software vendor. He used the same account to promote the Hacking Team attack in July 2015.