Archive

Category Archives for "Network World Security"

Apple demands delay in NY iPhone case

Apple last week asked a federal magistrate in New York to extend a court filing deadline until after the government decides whether it can unlock a different iPhone in a similar case, documents revealed.The New York case involved an iPhone used by a convicted drug dealer. Last year, the the Department of Justice (DOJ) requested a court order compelling Apple to help authorities crack that phone's security so that investigators could access its data. When Apple contested the motion in October it gave the first hint that it had drawn a line in the sand on assisting authorities.Magistrate Judge James Orenstein refused the government's demand, but the DOJ has appealed.To read this article in full or to leave a comment, please click here

DARPA $2M contest looks to bring AI to wireless spectrum provisioning

Getting mobile devices to more intelligently access and use the ever-tightening wireless spectrum will be the goal of a new public competition from the Defense Advanced Research Projects Agency.The defense research agency recently announced a $2 million Grand Challenge called the Spectrum Collaboration Challenge (SC2) and said the primary goal of the contest was to infuse radios with “advanced machine-learning capabilities so they can collectively develop strategies that optimize use of the wireless spectrum in ways not possible with today’s intrinsically inefficient approach of pre-allocating exclusive access to designated frequencies.”To read this article in full or to leave a comment, please click here

A very cool twist on optical communications

University of Ottawa researchers say their discovery that a twisted optical beam in a vacuum travels more slowly than the speed of light could be a boon for quantum computing and communications, and could benefit enterprise IT shops down the line.Their research, which began in late 2013, is outlined in the paper "Observation of subluminal twisted light in vacuum," published in The Optical Society's Optica journal.MORE: 10 of today's really cool network & IT research projectsTo read this article in full or to leave a comment, please click here

New products of the week 3.28.16

New products of the weekOur roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow. Harmony Breach AnalyticsKey features: The Harmony Breach Analytics platform reads customer log data to provide contextually-aware threat intelligence and retrospective analysis. This reduces SOC and SIEM workloads by providing threat intelligence customer specific. More info.To read this article in full or to leave a comment, please click here

Petya ransomware overwrites MBRs, locking users out of their computers

It's hard enough for non-technical users to deal with ransomware infections: understanding public-key cryptography, connecting to the Tor anonymity network and paying with Bitcoin cryptocurrency. A new malicious program now makes it even more difficult by completely locking victims out of their computers.The new Petya ransomware overwrites the master boot record (MBR) of the affected PCs, leaving their operating systems in an unbootable state, researchers from antivirus firm Trend Micro said in a blog post.The MBR is the code stored in the first sectors of a hard disk drive. It contains information about the disk's partitions and launches the operating system's boot loader. Without a proper MBR, the computer doesn't know which partitions contain an OS and how to start it.To read this article in full or to leave a comment, please click here

New ransomware abuses Windows PowerShell, Word document macros

A new ransomware program written in Windows PowerShell is being used in attacks against enterprises, including health care organizations, researchers warn.PowerShell is a task automation and configuration management framework that's included in Windows and is commonly used by systems administrators. It has its own powerful scripting language that has been used to create sophisticated malware in the past.The new ransomware program, dubbed PowerWare, was discovered by researchers from security firm Carbon Black and is being distributed to victims via phishing emails containing Word documents with malicious macros, an increasingly common attack technique.To read this article in full or to leave a comment, please click here

10 big announcements from Google’s Cloud Conference

In San Francisco this week at Pier 48, overlooking the Giants’ AT&T Ballpark, Google Cloud Platform (GCP) executives are holding a user conference to introduce products and services they hope will help make the case for choosing Google in the cloud.Sam Charrington, a cloud and big data analyst and advisor, summed up Google executives’ pitch best this week on Twitter: “GCP exec team’s operating thesis: ‘Cloud’s not done. The industry’s just beginning the journey.”+MORE AT NETWORK WORLD: Is Google pushing the cloud envelope too far? +To read this article in full or to leave a comment, please click here

Brussels attacks reinforce that security is everybody’s problem

I’ve had some rather unusual security training over the years. One of my earliest jobs was in security and law enforcement, and my course of study in graduate and undergraduate school included covering some of the largest security disasters in corporate history. Oh, and I was an internal auditor leader for a time when we had a tight emphasis on security. And, I’ve actually been a body guard.MORE ON NETWORK WORLD: 26 crazy and scary things the TSA has found on travelers One of the things I’ve learned is that security is as much a mindset as anything else. Whether you are talking about personal security or securing your firm or country it is a heads-up game. The most successful are those that are constantly looking for abnormalities and are willing to do what is necessary when they see one to discover if there is a problem. Those that simply depend on tools or others to keep them secure likely aren’t. While these folks may lead far less stressful lives, their sense of security is a sham.  To read this article in full or to leave a comment, please click here

Malware authors quickly adopt SHA-2 through stolen code-signing certificates

As the IT industry is working to phase out the aging SHA-1 hashing algorithm it's not just website owners and software developers who are scrambling to replace their digital certificates: Cybercriminals are following suit too.Researchers from Symantec have recently found new samples of the Carberp.B online banking Trojan that were digitally signed with not one, but two stolen certificates: one using a SHA-1 signature and one using a SHA-2 signature."It can be safely surmised that the malware author used certificates containing differing algorithms with the hope of thwarting detection," the Symantec researchers said in a blog post.To read this article in full or to leave a comment, please click here

France fines Google for not being forgetful enough

The French data protection authority has fined Google for failing to implement the so-called right to be forgotten as ordered.Last year, the French National Commission on Computing and Liberty (CNIL) decided that requests to have personal information delisted from search results should apply to all Google properties, not just those in European domains.Google had been removing results from searches performed on domains including google.co.uk and google.fr, but not from its main site, google.com, even though it is accessible from within the EU.MORE ON NETWORK WORLD: 26 crazy and scary things the TSA has found on travelers The CNIL could have fined Google up to €300,000 (US$336,000) for failing to comply with its ruling, but in the end ordered the company to pay just €100,000.To read this article in full or to leave a comment, please click here

Why IT can’t handle data breaches alone

In his keynote address at the CIO Perspectives event in Dallas last month, attorney Matthew Karlyn instructed the crowd about what CIOs and other business leaders need to know about the laws surrounding data breaches and preparing for the worst before a breach happens.Karlyn also addressed some of the myths surrounding security, including the suggestion that companies should “just let the IT department handle it.”“Does human resources have a role to play in information security? Of course they do - they’re storing the most sensitive data on all of your employees," said Karlyn. "Does finance have a role to play in information security? Of course they do - they’re funding the IT infrastructure. If they don’t understand what they’re funding, they’re going to say no… Does legal have a role to play in information security? Of course they do. No, it’s not just an IT department issue.”To read this article in full or to leave a comment, please click here(Insider Story)

Verizon’s breach experts missed one right under their noses

Verizon Enterprise, a bulwark against cyberattacks at many large organizations, has suffered a security breach itself.A flaw in the company's systems allowed an attacker to steal contact information on Verizon Enterprise customers, the company acknowledged Thursday. Verizon said it has fixed the flaw and is notifying those users, but it hasn't disclosed how many were affected. The intruder couldn't get to any customer proprietary network information, Verizon said, referring to data such as call records and billing information.The breach came to light Thursday in a post on the blog Krebs on Security. Krebs reported the hacker stole contact information for about 1.5 million Verizon Enterprise customers and offered it for sale for US$100,000 on a cybercrime forum. Because the data was offered for sale in the MongoDB format, among others it's likely the attacker forced a MongoDB database at Verizon to dump its contents, the blog said.To read this article in full or to leave a comment, please click here

NASA competition could net you $1.5M for next great airship

NASA this week said it was considering a new Centennial Challenge: Build and airship capable of long duration flight for scientific missions.The agency issued a Request For information to see if there was enough industry interest in the challenge and to further develop rules for the competition. You may recall that NASA’s Centennial Challenges Program sets up challenging contests for the public, academia, and industry with an eye towards developing innovative technologies.To read this article in full or to leave a comment, please click here

US accuses 7 Iranians of hacking US banks, New York dam

The U.S. government says seven Iranians working for the country's Islamic Revolutionary Guard Corps are responsible for 187 denial of service attacks aimed at banks across the U.S. between 2011 and 2013.It also says one of the individuals gained access to the control system for the Bowman Avenue Dam, a small dam north of New York City, and would have been able to control flow of water through the system had it not been disconnected for repairs.The accused worked for two Iranian computer companies, ITSecTeam and Mersad, and were contracted by the Iranian government to conduct the attacks, according to a Department of Justice indictment unsealed on Thursday.To read this article in full or to leave a comment, please click here

Justice Department indicts Iran hackers in massive financial cyberattack

The U.S. Department of Justice has indicted seven Iranian hackers in connection with cyberattacks on U.S. banks, the New York Stock Exchange, AT&T and a water facility in New York.The seven live outside the U.S. and it’s questionable whether they will ever be apprehended and tried, according to reports by Reuters, the New York Times and the Washington Post.To read this article in full or to leave a comment, please click here

IDG Contributor Network: User-controlled, private clouds could help with security, think scientists

One of the problems with smartphone apps is that one has no control over where often sensitive permissions and personal content is stored. While we’re allowed a certain amount of input when it comes to downloading the app and installing it: agree to the permissions or else, we have no control over where or how all the data is stored. We know that it’s probably in the cloud somewhere, but it could be anywhere, even on the phone itself. And each app developer has its own idea about how to handle the stuff. That is a problem for security—not the app developers’ but ours. And it doesn’t stop at phones. Anyone know where the password for an IoT oven is located, and how securely? The answer is no and maybe not very.To read this article in full or to leave a comment, please click here

Emergency Java update fixes two-year-old flaw after researchers bypass old patch

Oracle has released an emergency Java security update to fix a critical vulnerability that could allow attackers to compromise computers when they visit specially crafted websites.The company has assigned CVE-2016-0636 as the identifier for the vulnerability, which suggests that it is a new flaw discovered this year, but that's not really the case.Polish security firm Security Explorations confirmed via email that the new Java update actually fixes a broken patch for a vulnerability that was originally reported to Oracle by the company in 2013.Earlier this month Security Explorations announced that a patch released by Oracle in October 2013 for a critical vulnerability tracked as CVE-2013-5838 was ineffective and could be trivially bypassed by changing only four characters in the original exploit. This meant that the vulnerability was still exploitable in the latest versions of Java.To read this article in full or to leave a comment, please click here

IDG Contributor Network: HexaTier secures all those databases in the cloud

Israeli-founded HexaTier, the nattily-named vendor that offers security and compliance solutions for cloud-hosted databases and Database as a Service (DBaaS) platforms, is launching the latest version of its products and focusing squarely at what it perceives are the key enterprises blockers for DBaaS adoption. The Israel connection is interesting, the number of IT security companies to originate from Israel is truly staggering. It is a reflection of the huge amount of investment that the Israeli military makes into cyber security - many of those hyper-smart graduates of the Israel Defence Force's 8200 cyber-security unit go on to form commercial companies.To read this article in full or to leave a comment, please click here

Cybersecurity as a Business Issue

It’s become a cliché in the industry to say that cybersecurity has become a board room-level issue but what evidence do we have to support this claim?  Well, here are a few tidbits from some recent ESG research that certainly lend credibility to the business-driven cybersecurity thesis (note: I am an ESG employee): When asked to identify business initiatives that are driving IT spending, 43% of respondents said, “increasing cybersecurity.”  This was the top business initiative selected followed by “reducing costs” (38%), “improving data analytics for real-time business intelligence” (32%), and “ensuring regulatory compliance” (27%). On a similar vein, survey respondents were asked to identify the most important IT “meta-trend” to their organization.  Forty-two percent of respondents selected, “increasing cybersecurity.”  The next most popular response, “using data analytics for real-time business intelligence,” came in at 17%. 69% of organizations are increasing their spending on cybersecurity in 2016.  These budget increases are being approved by business managers who are now willing to spend more money to improve cybersecurity at their organizations.  As if the ESG data wasn’t enough, we also know that cyber-insurance policies grew by about 35% last year.  So aside from increasing Continue reading

How to make Android a real part of your business

Over the past five years, iPhones and iPads have become the corporate mobile standards, thanks to their wealth of business apps, Exchange compatibility, corporate manageability, and strong security. Android devices, on the other hand, have largely been relegated to "OK for email" status.But there's no longer a reason to keep Android at arm's length. It can now be as integral to your mobile portfolio as Apple's iOS devices are. Sure, Apple devices still lead in business-class apps, manageability, and security, but not by enough to exclude Android from full access at most companies.[ Check out InfoWorld's comparisons of office apps for the iPad and office apps for Android devices. | Read our guide to Exchange-based tools in Windows, OS X, iOS, and Android: mobile Outlook vs. desktop Outlook vs. native apps. | See the  top tips on getting more from iOS for email, contacts, and calendars. ] With that in mind, InfoWorld has put together this guide on how to deploy Android, both for company-issued devices and BYOD scenarios; most companies likely have a mix of both approaches.To read this article in full or to leave a comment, please click here(Insider Story)