Archive

Category Archives for "Network World Security"

US has asked Apple, Google to help unlock devices in more than 70 cases

U.S. government agencies have filed more than 70 orders requiring Apple or Google to help law enforcement agencies unlock mobile devices since 2008, despite the agency insisting its fight with Apple in a recent terrorism case was limited in scope.The Department of Justice dropped its California case against Apple after the FBI found a way to break into one of the San Bernardino shooters' iPhone without assistance.But the American Civil Liberties Union has identified 64 cases where representatives of the DOJ have filed All Writs Act orders seeking assistance from Apple or Google to unlock mobile devices. The ACLU's numbers are on top of 12 cases identified by Apple lawyer Marc Zwillinger in mid-February, the group said. To read this article in full or to leave a comment, please click here

Custom developed Dripion backdoor used in highly targeted attacks in Asia, US

A new custom developed backdoor program has been used in highly targeted attacks against organizations from Taiwan, Japan, South Korea and the U.S. over the past year.Malware researchers from Symantec first came across the program, which they've named Dripion, in August 2015. However, due to its custom nature and sparse use, it has managed to fly under the radar since as early as November 2013.When their analysis began, the Symantec researchers believed Dripion was a local threat used against organizations in Taiwan, where most of its victims were found. However, since then, they have found computers infected with the backdoor in other countries as well.To read this article in full or to leave a comment, please click here

How to set up a portable, non-cloud-based password manager

Nothing helps strong passwords become a central tenet of your electronic life than conscientious use of a password manager. However, the compromise of at least one cloud-based password manager last year and recent actions by a government agency may have given you second thoughts about using the cloud for something that instinctively feels like it should be managed locally.Those incidents aside, password managers remain the best way to avoid reusing weak passwords which is as commonplace as the number of password leaks that happen every year, even on large, reputable websites. And, if you don’t mind putting in a modicum of effort, you can still establish a non-cloud-based password manager that can be utilized across multiple devices.To read this article in full or to leave a comment, please click here

Expert: Comprehensive software security for cars will take years

Software security for automobiles is improving but it will take another three or four years until manufacturers can put overarching security architecture in place, says Stefan Savage, winner of the 2015 ACM-Infosys Foundation Award in the Computing Sciences.“We’re at a point where the industry has to recognize that this is a real issue for them,” says Savage, a professor in the Computer Science and Engineering department at the UC San Diego Jacobs School of Engineering.+ MORE CAR SECURITY: Car hackers urge you to patch your Chrysler, Ram, Durango, or Jeep +To read this article in full or to leave a comment, please click here

Most managed security tools will be cloud based by 2020, IHS predicts

Even as security remains a concern for cloud users, research firm IHS says managed security vendors are increasingly delivering their security products via the cloud.And by 2020, most managed security services will be delivered via the cloud, IHS predicts.+MORE AT NETWORK WORLD: IT is getting cloud storage security all wrong +  IHS IHS predicts that by 2020, more managed security vendors will deliver their products via the cloud than on-premises. To read this article in full or to leave a comment, please click here

Court vacates iPhone hack order against Apple, focus shifts to New York

A judge in California vacated on Tuesday an earlier order asking Apple to assist the FBI in cracking the passcode of an iPhone 5c running iOS 9 that was used by one of the San Bernardino terrorists.The focus of the dispute between Apple and the government over whether it can be compelled to help agencies access data on iPhones now shifts to a court in Brooklyn, New York, where Apple is contesting an order to extract data from the passcode-locked iPhone 5s of an alleged drug dealer.The FBI had requested the California court on Monday to vacate the order as the government had successfully accessed the data stored on the iPhone used by Syed Rizwan Farook and no longer required Apple’s assistance.To read this article in full or to leave a comment, please click here

CNBC just collected your password and shared it with marketers

CNBC inadvertently exposed peoples' passwords after it ran an article Tuesday that ironically was intended to promote secure password practices. The story was removed from CNBC's website shortly after it ran following a flurry of criticism from security experts. Vice's Motherboard posted a link to the archived version. Embedded within the story was a tool in which people could enter their passwords. The tool would then evaluate a password and estimate how long it would take to crack it. A note said the tool was for "entertainment and educational purposes" and would not store the passwords. That turned out not to be accurate, as well as having other problems.To read this article in full or to leave a comment, please click here

IDG Contributor Network: What terrorism investigations can teach us about investigating cyber attacks

Having a military background, I tend to look at all security issues with the perspective of someone who’s served in the armed forces. That means using a thorough investigation process that doesn’t treat any action as accidental or an attack as a stand-alone incident and looking for links between seemingly unconnected events.This method is used by law enforcement agencies to investigate acts of terrorism, which, sadly, are happening more frequently. While terror attacks that have occurred in the physical world are making headlines, the virtual world is also under attack by sophisticated hackers. However, not much is said about the similarities between investigating both types of attacks or what security researchers can learn from their law enforcement counterparts. I’ve had this thought for awhile and, fearing that I’d be seen as insensitive to recent events, debated whether to write this blog. After much thought, I decided that the stakes are too high to remain silent and continue treating each breach as a one-off event without greater security implications.To read this article in full or to leave a comment, please click here

FAA doubles altitude limits for business drones

Looking to remove a little red tape from businesses and utilities that may want to use unmanned aircraft systems, the FAA today doubled the “blanket” altitude for certain drones to 400ft from 200 ft.Specifically the altitude increase is for FAA Section 333 exemption holders, or potential holders, which have typically been businesses, governmental or utilities looking to explore the drone applications.+More on Network World: DARPA: Show us how to weaponize benign technologies+Under the new blanket “Certificate of Waiver or Authorization,” the FAA will permit flights at or below 400ft for drone operators with a Section 333 exemption for aircraft weighing less than 55 pounds and for government unmanned operations. Operators must fly under existing daytime Visual Flight Rules, keep the drone within visual line of sight of the pilot and stay certain distances away from airports or heliports:To read this article in full or to leave a comment, please click here

If you care about your encrypted data, get rid of your iPhone 5c

If the FBI can hack the iPhone, others can, too, which means the encrypted content on countless phones is no longer secure. Owners of these phones who care about securing their content should think about upgrading to something else. Newer iPhones, for example, might not have the same weakness and so would be less vulnerable, at least for a while. The FBI has dropped its court action that might have forced Apple to help undermine security that blocked a brute-force attack against the passcode on the iPhone 5c used by a terrorist in San Bernardino. That’s because the FBI found someone else - reportedly Israeli mobile-forensics company Cellebrite – to do it for them.To read this article in full or to leave a comment, please click here

Georgia Tech awarded patent for dragonfly-inspired MAV

Well it’s springtime and if you are the type to embrace nature and hang out near freshwater, then you may see dragonflies. The next time you see one, consider that its robotic counterpart has finally been granted a patent.Wait, haven’t you seen dragonfly-like MAVs for years now? Probably. Georgia Tech Research Corporation filed the patent in 2012. At any rate, the patent says that in order for DARPA to consider an aerial vehicle as a MAV, it must be “smaller than 6 inches in any direction or must not have a gross takeoff weight greater than 100 grams” (about .22 pounds or roughly the same weight as 100 Skittles.)To read this article in full or to leave a comment, please click here

US Federal Courts warn of aggressive scammers

The fraud and scam war rages. This week the Federal Courts warned of swindles involving people posing as federal court officials and U.S. Marshals targeting citizens, threatening them with arrest unless they pay some fake fine for failing to show up for jury duty .+More on Network World: What are grand technology and scientific challenges for the 21st century?+“This year’s scams are more aggressive and sophisticated than we’ve seen in years past,” says Melissa Muir, Director of Administrative Services for the U.S. District Court of Western Washington in a statement. “Scammers are setting up call centers, establishing call-back protocols and using specific names and designated court hearing times.”To read this article in full or to leave a comment, please click here

Apple issues statement regarding DOJ suit: “This case should have never been brought”

The DOJ on Monday filed a brief seeking to vacate a previous court's ruling that would have required Apple to assist the FBI in hacking into a locked iPhone used by one of the San Bernardino shooters. The DOJ's motion seemingly brings to a conclusion a saga that has continued to make headlines since the story burst into the news a few weeks ago.According to the DOJ, the FBI no longer needs Apple's assistance because they managed to access the device's contents with the help of a third-party. While the identity of the third party was not revealed, it's been reported that the FBI received assistance from an Israeli software forensics company called Cellebrite. Whether that is true or not remains unknown, but we do know that the FBI did not receive any outside assistance from other government agencies like the NSA.To read this article in full or to leave a comment, please click here

Free Bitdefender tool prevents Locky, other ransomware infections, for now

Antivirus firm Bitdefender has released a free tool that can prevent computers from being infected with some of the most widespread file-encrypting ransomware programs: Locky, TeslaCrypt and CTB-Locker.The new Bitdefender Anti-Ransomware vaccine is built on the same principle as a previous tool that the company designed to prevent CryptoWall infections. CryptoWall later changed the way in which it operates, rendering that tool ineffective, but the same defense concept still works for other ransomware families.While security experts generally advise against paying ransomware authors for decryption keys, this is based more on ethical grounds than on a perceived risk that the keys won't be delivered.To read this article in full or to leave a comment, please click here

New York company profited by sending state records to India

A New York IT contractor "swelled its profits" by outsourcing government work offshore that should not have left the state. A major part of the work was sent to India in violation of state security rules, New York investigators said.The contractor, Focused Technologies Imaging Services in Albany County, was working under a $3.45 million contract to scan and index 22 million fingerprint cards maintained by the New York State Division of Criminal Justice Services.Focused Technologies, in turn, hired an India-based company that performed about 37% of the work and was paid $82,000.The fingerprint cards are associated with arrests and incarcerations, and with applications for jobs or licenses where a criminal history background check is required. The cards, which were all dated before 2009, contained sensitive data including signatures, Social Security numbers, physical characteristics and dates of birth. Focused Technologies employees were required to pass criminal background checks to work on it.To read this article in full or to leave a comment, please click here

Large US healthcare provider’s network shut down by malware

A large healthcare provider in the Washington, D.C., area said it has resorted to paper transactions after malware crippled part of its network early Monday.MedStar Health, a not-for-profit that runs 10 hospitals, said its clinical facilities were functioning and that it did not appear data had been compromised. The malware prevented "certain users from logging into our system.""MedStar acted quickly to prevent the virus from spreading throughout the organization," it said in a statement posted on Facebook. "We are working with our IT and cybersecurity partners to fully assess and address the situation."To read this article in full or to leave a comment, please click here

FireEye says hackers are racing to compromise POS systems

Cybercriminals are redoubling efforts to steal payment card details from retailers before new defenses are put in place, according to FireEye.More than a dozen types of malware were found last year that target point-of-sale systems, the electronic cash registers the process payments at many retailers.Over the last few years, hackers have successfully breached the systems, targeting weaknesses or software vulnerabilities in order to extract card details to sell on the black market.As of last October, retailers are liable for fraudulent transactions that are not completed using EMV payment cards, which have a microchip and enhanced security defenses that better shield card data.  To read this article in full or to leave a comment, please click here

DOJ cracks San Bernardino shooter’s iPhone

The U.S. government has managed to access the iPhone used by San Bernardino gunman Syed Rizwan Farook, bypassing a passcode that had the FBI stymied for several weeks. "The government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple," the Department of Justice said in a court filing on Monday. The filing didn’t detail the method used to access the phone, but U.S. Attorney Eileen M. Decker said in a statement that it had been accomplished with the help of a third party.To read this article in full or to leave a comment, please click here

NAND mirroring proof-of-concept show that FBI could use it to crack iPhone

So NAND mirroring doesn’t work to crack into Syed Farook's work iPhone and grab the contents, huh? Tell that to the security researcher’s proof-of-concept demonstration.iPhone forensics expert Jonathan Zdziarski previously suggested the FBI could use NAND mirroring to get information off the locked San Bernadino shooter’s iPhone; yet FBI Director James Comey claimed that making a copy of the phone’s chip to get around the passcode “doesn’t work” and the solution would be “software-based.”To read this article in full or to leave a comment, please click here