Archive

Category Archives for "Network World Security"

Siemens and Airbus to push electric aviation engines

Siemens and Airbus teamed up today to develop electric and hybrid electric/combustion engines for commercial and private aircraft.The companies said they would amass a joint development team of about 200 employees that would jointly develop prototypes for various propulsion systems with power classes ranging from a few 100 kilowatts up to 10 and more megawatts, for short, local trips with aircraft below 100 seats, helicopters or unmanned aircraft up to classic short and medium-range flights.+More on Network World: The most magnificent high-tech flying machines+To read this article in full or to leave a comment, please click here

The latest Flash zero-day was used to spread Cerber ransomware

The latest zero-day vulnerability in Adobe Systems' Flash player has been used over the last few days to distribute ransomware called Cerber, email security vendor Proofpoint said.Adobe said it would patch the flaw, CVE-2016-1019, on Thursday. The vulnerability affects all versions of Flash Player on Windows, Mac, Linux and Chrome OS.Ryan Kalember, senior vice president of cybersecurity at Proofpoint, said his company detected an attack trying to exploit the flaw on Saturday.One of Proofpoint's customers received an email with a document that contained a malicious macro that led victims through a series of redirects that eventually reached an exploit kit.To read this article in full or to leave a comment, please click here

Hyperconverged infrastructure requires policy-based security

Hyperconverged infrastructure (HCI) is one of the key building blocks of next-generation data centers. Originally, HCI was deployed primarily by small and medium-sized businesses that wanted a faster, easier way to deploy data center technology such as servers, storage and networks. Over the past few years, HCI adoption has skyrocketed and is now being deployed by large enterprises looking to shift to a software-defined model.Initially, HCI was driven by start-ups, most notably SimpliVity and Nutanix. But recently Cisco, VCE and Hewlett Packard Enterprise (HPE) have jumped into the market, and Juniper and Lenovo have formed a partnership that will likely lead to a combined HCI solution.To read this article in full or to leave a comment, please click here

Obama won’t advocate to crack encryption

President Obama won’t push for legislation that forces encryption vendors to decrypt when ordered to do so by a court, Reuters is reporting, essentially choosing to sit on the fence, at least for now.Combined with his comments earlier this year at South by Southwest Interactive, it seems that Obama, like many others, is torn between privacy and law enforcement’s desire to crack encryption to further investigations.White House sources say he will withhold public support for draft legislation that would force encryption vendors to help law enforcement to decrypt messages protected by their technology, Reuters says.To read this article in full or to leave a comment, please click here

The birth of IT: The IBM System/360 turns 52

IT can trace its roots back to arguably the most important computer introduction made 52 years ago today. April 7, 1964 was the day IBM introduced its System/360, the first true mainframe for the masses, or at least that’s what it hoped on that day.IBM said on that day that it announced the S/360 to over 100,000 people gathered in cities across the country.+More on Network World: The (mostly) cool history of the IBM mainframe+It told them: "System/360 represents a sharp departure from concepts of the past in designing and building computers. It is the product of an international effort in IBM's laboratories and plants and is the first time IBM has redesigned the basic internal architecture of its computers in a decade. The result will be more computer productivity at lower cost than ever before. This is the beginning of a new generation - - not only of computers - - but of their application in business, science and government."To read this article in full or to leave a comment, please click here

White House won’t support encryption unlocking legislation

President Barack Obama's administration won't support legislation to force device makers to help law enforcement agencies defeat encryption, according to a news report. Two senior members of the Senate Intelligence Committee have been floating draft legislation to require device makers and other tech companies to provide workarounds for encryption and other security features, but the White House won't offer public support for the proposal, according to a report from Reuters. FBI Director James Comey has long pushed for encryption workarounds, and just last month, Obama called for tech companies and the government to work together to allow police access to suspects' smartphones protected by encryption.To read this article in full or to leave a comment, please click here

Cloud Security Challenges

Large organizations are embracing public and private cloud computing at a rapid pace.  According to ESG research, one-third of organizations have been using public and private cloud infrastructure for more than 3 years and more than half of organizations (57%) have production workloads running on cloud computing infrastructure (note: I am an ESG employee).Of course, cloud computing is very different than physical or virtual servers which translates into a different cybersecurity model as well.  And these differences lead to a variety of security challenges. ESG recently surveyed 303 cybersecurity and IT professionals working at enterprise organizations (i.e. more than 1,000 employees) and posed a series of questions about cloud computing and cloud security.  When asked to identify their top challenges with cloud security:To read this article in full or to leave a comment, please click here

Your car’s computers might soon get malware protection

Modern cars contain tens of specialized computers that control everything from infotainment functions to steering and brakes. The pressing need to protect these computers from hackers will likely open up a new market for car-related software security products.Karamba Security, a start-up based in Ann Arbor, Michigan, is one of the companies that has stepped up to answer this demand. The company's anti-malware technology, unveiled Thursday, is designed to protect externally accessible electronic control units (ECUs) found in connected cars.These controllers, like those that handle handle telematics, infotainment and on-board diagnostics, can be accessed via Wi-Fi, Bluetooth or even the Internet, so they can serve as entry points for hackers into a car's network.To read this article in full or to leave a comment, please click here

IDG Contributor Network: Home IoT devices are wide open, security provider discovers

Reverse-engineering a password in a Wi-Fi-driven WeMo light switch by using the decryption code from the device is among the security debacles uncovered by IoT security hardware solution firm Bitdefender.To add insult to injury, Bitdefender told the device maker about the discovered vulnerability last fall, when it discovered the problem, and as of February, it still hadn’t been fixed, Bitdefender says in its study Risks in the Connected Home.And the WeMo wasn’t the only IoT device Bitdefender found lacking.To read this article in full or to leave a comment, please click here

FBI says hack tool only works on iPhone 5c

Only the iPhone 5c running iOS 9 can be unlocked by the tool the FBI bought to crack the iPhone used by one of the San Bernardino killers.The tool does not work on the iPhone 5s or 6, so it only addresses a "narrow slice" of iPhones, Federal Bureau of Investigation Director James Comey said late Wednesday at Kenyon College.The government is considering whether it should disclose to Apple the flaw that aided the hack: "We just haven't decided yet," he said at the Ohio college's Center for the Study of American Democracy.A court in California ordered Apple to help the FBI to hack by brute force the passcode of the iPhone 5c. The government was concerned that, if an auto-erase feature was activated on the phone, the data that the FBI was looking for would be automatically erased after 10 unsuccessful attempts, so it wanted a workaround from Apple.To read this article in full or to leave a comment, please click here

Apple believes it can patch the iOS security exploit used by the FBI

After a multi-week battle that saw Apple and the FBI duke it out both in court and in the court of public opinion, the FBI finally managed to access a locked iPhone used by one of the San Bernardino shooters. Ultimately, the FBI reportedly relied upon an exploit from an Israeli software forensics company called Cellebrite to bypass the iPhone's built-in security mechanisms.While one might reasonably assume that this spells the end for what proved to be a contentious issue, that couldn't be farther from the truth. For starters, the DOJ has indicated that it won't think twice about seeking help from device manufacturers in future cases.A DOJ statement on the matter reads:To read this article in full or to leave a comment, please click here

Want a meteorite? Christie’s set to auction unique space rocks

It’s not everyday you could have the opportunity to buy a piece of space – but Christie’s London auction house will on April 20 offer about 80 meteorite pieces and a bunch of space rock paraphernalia to go along with them.+More on Network World: 13 awesome and scary things in near Earth space+The meteorite collection is made up of a variety of sample space rocks from private and public collections with some items expected to fetch over a million dollars at the auction.To read this article in full or to leave a comment, please click here

New Azure tool helps IT tame SaaS apps

More organizations are moving their data out of their data centers and into the cloud, which complicates IT’s efforts to keep track of applications in use. With the new Microsoft Cloud App Security within Microsoft Azure, IT and security teams can step up application discovery and apply controls in line with existing security, privacy, and compliance policies.Most enterprises rely on cloud applications, whether or not they are officially sanctioned. Shadow IT is pervasive, with employees signing up for SaaS applications on their own without first going through IT. According to Microsoft’s statistics, an employee uses 17 cloud applications on average, and an organization shares 13 percent of its files externally, of which a quarter are shared publicly. Business units do what they must to get the job done, but IT is left in the dark about what applications employees use and where corporate data is stored.To read this article in full or to leave a comment, please click here

Hacking Team lost its license to sell surveillance malware outside Europe

Oh man, what a shame, Italy’s Hacking Team had its global export license revoked and now it can’t sell its spyware outside of Europe without getting special approval.It’s not even been a year since the Hacking Team became the Hacked Team, but after being pwned the company apparently didn’t crawl off and die. The Hacking Team’s newest woes, which were first reported by the Italian newspaper Il Fatto Quotidiano, means the company can’t easily conduct business as usual by selling its Remote Control Software to just anyone who wants it.To read this article in full or to leave a comment, please click here

Massive application-layer attacks could defeat hybrid DDoS protection

Security researchers have recently observed a large application-layer distributed denial-of-service attack using a new technique that could foil DDoS defenses and be a sign of things to come for Web application operators.The attack, which targeted a Chinese lottery website that used DDoS protection services from Imperva, peaked at 8.7Gbps. In a time when DDoS attacks frequently pass the 100Gbps mark, 8.7Gbps might not seem much, but it's actually unprecedented for application-layer attacks.DDoS attacks target either the network layer or the application layer. With network-layer attacks, the goal is to send malicious packets over different network protocols in order to consume all of the target's available bandwidth, essentially clogging its Internet pipes.To read this article in full or to leave a comment, please click here

Tech-support scammers claim your email has been hacked

The Federal Trade Commission is warning of “a new twist” on the old tech-support scam.From an FTC blog post: Lately, we’ve heard reports that people are getting calls from someone claiming to be from the Global Privacy Enforcement Network. Their claim? That your email account has been hacked and is sending fraudulent messages. They say they’ll have to take legal action against you, unless you let them fix the problem right away.If you raise questions, the scammers turn up the pressure – but they’ve also given out phone numbers of actual Federal Trade Commission staff (who have been surprised to get calls). The scammers also have sent people to the actual website for the Global Privacy Enforcement Network. (It’s a real thing: it’s an organization that helps governments work together on cross-border privacy cooperation.)To read this article in full or to leave a comment, please click here

Apple fixes iOS lock screen bypass that gives access to photos, contacts

Apple has reportedly fixed a vulnerability that could have allowed hackers to bypass the passcode on iPhone 6s and 6s Plus running iOS 9.3.1 in order to access the address book and photos.The bypass technique was discovered by researchers from German security firm Evolution Security and takes advantage of Siri's integration with apps like Twitter or Facebook and the new 3D Touch feature that's only available on the iPhone 6s and 6s Plus models.On a locked device, attackers can call up Siri and ask to search for items that contain @ tags using Twitter, Facebook or Yahoo. Then they can locate a string like an email address and use the 3D Touch hard push to bring out the context menu for it.To read this article in full or to leave a comment, please click here

WhatsApp: The FBI’s worst nightmare

If encryption is something to be feared in the hands of terrorists, WhatsApp just delivered them a tool that will give the FBI nightmares much worse than the encryption on iPhones. WhatsApp enlisted the help of Open Whisper Systems to implement the encryption, and according to that company’s blog, “This includes chats, group chats, attachments, voice notes, and voice calls across Android, iPhone, Windows Phone, Nokia S40, Nokia S60, Blackberry, and BB10.” This will likely drive law enforcement crazy, the FBI in particular, because it makes it impossible for WhatsApp to obey court orders to decrypt specified communications. Even if it wanted to comply, it couldn’t. The encryption is set up between the endpoints in the communication and WhatsApp just moves the traffic.To read this article in full or to leave a comment, please click here

How to build cybersecurity into outsourcing contracts

Any time a company shares data or provides access to third-parties, it increases its vulnerability to unauthorized access or breach. So in today’s IT environment in which enterprises partner with multiple IT service providers, who in turn may have multiple subcontracters, cyber risks increase exponentially.[ Related: Why CIOs can’t wait to renegotiate their outsourcing contracts ]“Customer data and systems are only as secure as the weakest link in the vendor ecosystem,” says Paul Roy, a partner in the business and technology sourcing practice of Mayer Brown. “The risks for customers are twofold: not only does the customer increase its risk of a data breach, it also increases the risk that it will be in breach of its regulatory or contractual obligations if its vendors fail to comply with such obligations.”To read this article in full or to leave a comment, please click here(Insider Story)

Adobe to issue emergency patch for Flash vulnerability

Adobe is working on an emergency patch for its Flash Player after attackers are reportedly exploiting a critical flaw.The vulnerability, CVE-2016-1019, affects Flash Player version 21.0.0.197 on Windows, Mac, Linux and Chrome OS, according to an advisory published on Tuesday.The flaw is being actively exploited on Windows XP and 7 systems running Flash Player versions 20.0.0.306 and earlier."Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," it said.A patch could be released as soon as Thursday.To read this article in full or to leave a comment, please click here