Category Archives for "Network World Security"

Server software poses soft target for ransomware

An alternate method for infecting computers with ransomware signals a shift in tactics by cybercriminals that could put businesses at greater risk, according to Symantec. A type of ransomware called Samsam has been infecting organizations but is not installed in the usual way. "Samsam is another variant in a growing number of variants of ransomware, but what sets it apart from other ransomware is how it reaches its intended targets by way of unpatched server-side software," Symantec wrote. The perpetrators behind Samsam use a legitimate penetration tool called Jexboss to exploit servers running Red Hat's JBoss enterprise application server.

WhatsApp turns on end-to-end encryption

Facebook-owned WhatsApp has strengthened the encryption of its widely used instant messaging app, a development that in theory makes it harder for law enforcement to gain access to communications. WhatsApp's founders said Tuesday that the application now implements end-to-end encryption, which means only authorized users can decrypt messages. "The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to," Jan Koum and Brian Acton wrote in a blog post. "No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us."

Underwhelmed by UL’s announcement

Today, Underwriters Laboratory announced the UL CyberSecurity Assurance Program. I won’t call it an oxymoron, but I’m deeply worried about it. While I have faith in UL, I’m not sure if they realize the breadth and depth of what they’re getting into. UL is the reason there are only small holes in appliances and CE gear. Why? So an average toddler can’t stick something inside and become electrocuted. UL helps product vendors have liability insurance within sane ranges. They promulgate standards that vendors are responsible to adhere to for insurance sake. Test labs do the rest, ensuring that First Article Samples (and then, perhaps subsequent production samples) of products adhere to a bevy of standards—all designed to make products safer but at least insurable.

Three-year-old IBM patch for critical Java flaw is broken

Security researchers have found that a patch released by IBM three years ago for a critical vulnerability in its own Java implementation is ineffective and can be easily bypassed to exploit the flaw again. The broken patch was discovered by researchers from Polish firm Security Explorations, who found the vulnerability and reported it to IBM in May 2013. IBM issued a fix in a July 2013 update for its Java development kit. IBM maintains its own implementation of the Java virtual machine and runtime. This version of Java is included in some of the company's enterprise software products, as well as in the IBM Software Developer Kit, which is available for platforms like AIX, Linux, z/OS and IBM i.

Feds lack managed response to large-scale cyber attack

The Department of Defense is unclear about who would take charge and work with civilian authorities during a large-scale cyber attack on the US. There are a number of plans and directions for how the government would respond to a cyber attack on the nation’s electric grid or other large entity, but a great deal of clarification and specific direction still needs to be ironed out to respond effectively, according to a Government Accountability Office report out this week.

UL takes on cybersecurity testing and certification

Underwriters Laboratories (UL) today announced a new Cybersecurity Assurance Program (CAP) that uses a new set of standards to test network-connected products for software vulnerabilities. The new UL certification will be for both vendors of Internet of Things (IoT) products and for buyers of products who want to mitigate risks. The testing standards were developed as part of a voluntary program involving industry officials as well as academics and the U.S. government. President Obama's broad Cybersecurity National Action Plan, released in February, details a long-term strategy to improve cybersecurity awareness and protections. Obama's plan specifically notes that UL worked with the Department of Homeland Security to develop CAP to test and certify networked devices "whether they be refrigerators or medical infusion pumps, so that when you buy a new product, you can be sure it has been certified to meet security standards."

What’s the deal with the massive Panama Papers data leak?

A data breach at Panamanian law firm Mossack Fonseca is being touted as the largest ever, at least in terms of the sheer volume of information leaked. The leaked information allegedly details the ways dozens of high-ranking politicians, their relatives or close associates in more than 40 countries, including the U.K., France, Russia, China, and India, have used offshore companies to hide income and avoid paying taxes. Starting on Sunday, more than 100 news organizations filed reports based on the leaked information. The numbers: The leaks reportedly cover 11.5 million confidential documents dating from the 1970s through late 2015. The 2.6 terabytes of leaked data include 4.8 million emails, 3 million database format files, 2.2 million PDFs, 1.1 million images, and 320,000 text documents.

Google fixes 39 Android flaws, some allow hackers to take over your phone

Google has released one of the largest Android monthly security updates, fixing a total of 39 vulnerabilities — 15 rated critical, including four that can lead to a complete device compromise. The patches, which are included in new firmware images that were released Monday for the company's Nexus devices, will also be published to the Android Open Source Project over the next 24 hours. They include a fix for a vulnerability that Google warned about two weeks ago and which is already being exploited by a publicly available rooting application. Tracked as CVE-2015-1805, the privilege escalation flaw was originally fixed in the Linux kernel in April 2014, but it didn't become clear until February this year that it also affects Android.

Consumers don’t think they’ll get hacked

Most people say they care about their online security and privacy. Poll after poll confirms what one would expect: They don’t want their identities stolen, phones hacked, credit cards compromised or bank accounts drained. They don’t welcome government or anyone else conducting surveillance on them, especially in their private lives. But those polls also show that only an alarmingly small percentage of those same people seem willing to make much effort to do what they say they want – protect their privacy and security.

This startup uses math to show whether your network is safe

How do you know your network is safe from attacks and failures? Veriflow, a startup with backing from the U.S. Defense Department, says it can make sure. Veriflow applies a practice called formal verification, used in preparing Mars missions and military gear, to figure out ahead of time what could go wrong on a network. Using that information, it helps enterprises apply policies to prevent problems from starting or spreading. If this sounds more at home in a lab than in a data center, it may be because that's where it came from. Veriflow's CTO, CSO and principal engineer are all longtime academics who worked on the problem together at the University of Illinois, and the National Science Foundation is a funder.

Trump Hotels investigating possible payment card breach

The Trump Hotel Collection said on Monday it is working with the Secret Service and FBI to investigate a possible payment card breach, its second one in less than a year. The luxury hotel group is run by Republican presidential candidate Donald Trump and his family. "Like virtually every other company these days, we are routinely targeted by cyber terrorists whose only focus is to inflict harm on great American businesses," said Eric Trump, one of the candidate's sons, in an email statement. "We are committed to safeguarding all guests' personal information and will continue to do so vigilantly." News of the breach was first reported by computer security writer Brian Krebs, citing three unnamed sources in the financial sector.

IDG Contributor Network: Light will ultimately secure the Internet, scientists say

The Internet will eventually be secured from hackers by a technology called quantum photonics, say researchers. Single light particles will ultimately be used to exchange information in secure systems, they think. The technique is part of quantum computing. And now that a limitation has been overcome, the scientists at the University of Sydney say that the ultra-secure system is one step closer to realization. It has long been suggested that photonics will be the future of security, but figuring out how to create a single photon has been holding back progress in the research, the team says in a news release on the university’s website. They now think they’ve figured out how to do it.

Researchers reveal ‘Surreptitious Sharing on Android’ vulnerabilities

Professors Dominik Schürmann and Lars Wolf of TU Braunschweig's Institute for Operating Systems and Computer Networks are warning about a “Surreptitious Sharing” vulnerability which is present in many Android communication apps. Their pre-published research paper, Surreptitious Sharing on Android (pdf), is to be presented at the security conference GI Sicherheit 2016.

HTTP compression continues to put encrypted communications at risk

Security researchers have expanded and improved a three-year-old attack that exploits the compression mechanism used to speed up browsing in order to recover sensitive information from encrypted Web traffic. The attack, known as BREACH, takes advantage of the gzip/DEFLATE algorithm used by many Web servers to reduce latency when responding to HTTP requests. This compression mechanism leaks information about encrypted connections and allows man-in-the-middle attackers to recover authentication cookies and other sensitive information. The BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) attack was first presented at the Black Hat USA security conference in August 2013 by security researchers Angelo Prado, Neal Harris and Yoel Gluck. While it theoretically affects all SSL/TLS ciphers, their version of the attack was most effective against connections encrypted with stream ciphers, such as RC4.

Data and Identity: Two New Security Perimeters

CISOs tend to spend the bulk of their cybersecurity technology budgets on endpoint, server, and network security controls. Okay, this makes sense from a historical perspective, but these IT assets are in a state of flux today. Endpoints are often mobile devices rather than Windows PCs, while servers are virtual or cloud-based workloads. Meanwhile, networks are also moving to a virtual model composed of public and private network segments. It’s clear that organizations embracing new cloud and mobile infrastructure have less control of some IT assets than they did in the past. What does this mean for security? One CISO I spoke with a while ago gave me a very succinct answer to this question: “As I lose control over IT infrastructure, I better make sure I have tight control over two other areas – sensitive data and user identity.” In this security executive’s mind, data security and identity and access management (IAM) are rapidly becoming new security perimeters.

So, you want to be a security pro? Read this first

Of all the high-demand areas in IT, security stands out at the top. According to DICE, the number of security jobs skyrocketed by more than 40% from 2014 to 2015, to 50,000 openings, compared with 16.8% growth the year before. “Security jobs are growing at a far more rapid pace than other areas of technology, which are also growing rapidly,” says Bob Melk, president at DICE. Meanwhile, in a 2015 survey by ISC2, 62% of respondents said they lacked adequate security staff, and 45% cannot find qualified candidates. In five years, the organization says, the shortfall in the global information security workforce will reach 1.5 million.

New products of the week 4.4.16

Our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow.

kiteworks (Microsoft Office 365 Enhancements)

Key features: Accellion’s content platform, kiteworks, now extends Microsoft Office Online to content stored on-premise and in the cloud without having to duplicate files. These capabilities are largely enabled by Accellion’s ongoing collaboration with Microsoft and reflect a common interest in making enterprise employees productive and more secure. Features include full text search for documents (folder, name and contents), real-time collaborative editing / co-authoring for Office Online documents stored across the cloud and on-premise systems, and Office Online integration with access to files stored on SharePoint, Documentum, OpenText, Microsoft OneDrive, Box, Dropbox and other content systems.

FBI will help US agencies with tools to unlock encrypted devices

The FBI has promised to help local law enforcement authorities crack encrypted devices, in a letter that refers to the federal agency’s success in accessing the data on an iPhone 5c running iOS 9 that was used by one of the San Bernardino terrorists. The agency did not, however, explicitly promise investigators that it would deploy the same tool, said to have been developed by an outside organization, on other iPhones. The FBI had earlier demanded in court that Apple should assist it in its attempts to crack by brute force the passcode of the iPhone used by the terrorist, without triggering an auto-erase feature that could be activated after 10 unsuccessful tries.

Flaw in popular door controllers allows hackers to easily unlock secure doors

Doors that provide access into secure areas in airports, hospitals, government facilities and other organizations can easily be opened by hackers due to a vulnerability in a popular brand of networked door controllers. The flaw exists in the widely used VertX and Edge lines of door controllers from HID Global, one of the world's largest manufacturers of smartcards, card readers and access control systems. HID's VertX and Edge controllers can be remotely managed over the network and have a service called discoveryd (discovery daemon) that listens for UDP probe packets on port 4070, according to Ricky Lawshae, a researcher with Trend Micro's newly acquired DVLabs division.

10 no-cost home security mobile apps worth a download

The App Store and Google Play stores are awash in home security apps. How do you choose? Some of the features you should look for are the "ability to save CCTV footage to your mobile device, view live CCTV footage through your mobile device, store recordings on your cloud, control your security system from your mobile device and activate a 'call to action'," says James McCann of JMC Technologies, a UK-based supplier of CCTV equipment. In addition, all of the best apps offer instant notification whenever unusual activity is detected, says McCann. McCann has rounded up 10 of the best mobile home security apps for iOS and Android — all free to download and all worth a try. These apps come recommended by industry experts and have (mostly) positive reviews on their respective app stores, says McCann. And he personally vouches for every last one of them.