Category Archives for "Network World Security"

Johns Hopkins team cracks iMessage photo, video encryption

A Johns Hopkins team has decrypted iMessage photos by guessing, character by character, the key used to encrypt them, and Apple plans to release a new iOS version today that will fix the flaw. Upgrading to iOS 9.3 should fix the problem for users of the operating system and iMessage, says Matthew Green, a computer science professor at Johns Hopkins who led a team of grad students that broke the encryption, according to a story in the Washington Post. The story says he discovered a flaw in the encryption last fall and told Apple about it, but when months went by and nothing was done to patch it, he turned his team loose. Here’s how the Post describes the attack:

27% of US office workers would sell their passwords

In a survey released today, 27 percent of U.S. office workers at large companies said they would sell their work password to an outsider, compared to a global average of 20 percent. And despite all the recent media attention on data breaches, password hygiene is actually deteriorating, said Juliette Rizkallah, CMO at SailPoint Technologies, which sponsored the survey. The study itself was conducted by Vanson Bourne, an independent research firm. The same survey was conducted last year as well, but then only one in seven employees was willing to sell their password.

New products of the week 3.21.16

New products of the week: our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow. Appthority Android AppKey features: Provides customers with comprehensive on-device monitoring and protection for employees and enterprises, with the ability to know an app’s risk and compliance status before it ever gets installed on their device.

Researchers find flaw in Apple’s iMessage, decrypt iCloud photo

Apple's iMessage system has a cryptography flaw that allowed researchers to decrypt a photo stored in iCloud, the Washington Post reported on Sunday. The researchers, led by cryptography expert Matthew D. Green of Johns Hopkins University, wrote software that mimicked an Apple server and then targeted an encrypted photo stored on iCloud, the publication reported.

Government sets new FOIA failure record: Can find NO files for 1 in 6 FOIA requests

Sunshine Week 2016 may be over, but the public’s right to access public government information in order to hold the government accountable never ends. Before Barack Obama was president, he repeatedly promised many things that never came to fruition, such as providing the “most transparent” administration in history. But the truth is that the Obama administration has set a new all-time record for failure to provide documents via FOIA requests. The Associated Press analyzed FOIA requests sent to 100 federal government agencies in 2015 – the final figures to be released during Obama’s administration.

Edward Snowden: Privacy can’t depend on corporations standing up to the government

NSA whistleblower Edward Snowden opened the Free Software Foundation's LibrePlanet 2016 conference on Saturday with a discussion of free software, privacy and security, speaking via video conference from Russia. Snowden credited free software for his ability to help disclose the U.S. government's far-reaching surveillance projects – drawing one of several enthusiastic rounds of applause from the crowd in an MIT lecture hall.

Pwn2Own contest highlights renewed hacker focus on kernel issues

Hackers demonstrated 21 new vulnerabilities in attacks against browsers and operating systems during this year's Pwn2Own hacking contest. The complexity of the exploits, though, shows that hackers have to jump through many hoops to gain full system control. On Wednesday and Thursday, five contestants -- four teams and one independent researcher -- demonstrated three successful remote code execution attacks against Safari on OS X, two against Microsoft Edge on Windows, four against Adobe Flash on Windows and one partially successful attack against Google Chrome on Windows. Firefox was not a target in this year's contest.

Apple sees weakness in FBI hearing request

A last-minute request by the FBI to call witnesses to next week's court hearing in the San Bernardino iPhone case indicates the agency might feel some weakness in its legal arguments, Apple says. On Wednesday evening, the FBI asked for an evidentiary hearing, which means the court will hear live testimony from expert witnesses from both sides. Apple agreed to the FBI's request on Thursday. Speaking on Friday with reporters, lawyers for Apple said the FBI's request was a surprise, and they don't understand why the government wants to present witnesses to the court. If lawyers believe they have a strong legal case, they typically want to get up and argue it without bothering with witnesses in these types of hearings, so the request perhaps indicates the FBI isn't as comfortable as it was in relying solely on legal arguments, an Apple lawyer said.

5 things you need to know about SSL

An uptick in cyberattacks and greater awareness about government surveillance have prompted calls for tighter security on the Internet, and a big part of that is encrypting the traffic that flows to and from websites. Google, Facebook and Microsoft are among the many companies that have been pushing for wider use of SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption, though it can be tricky and expensive to implement. Here are the basics of what you need to know.

Apple engineers could walk away from FBI’s iPhone demands

Should the FBI prevail in getting Apple to offer a backdoor for an encrypted iPhone, the agency may have trouble getting anyone to build it. At least that’s the word from several current and former Apple employees, including security engineers, who spoke anonymously to the New York Times. Some said they’d refuse to do the work, or quit their jobs if necessary, rather than create what they believe is a major security compromise for all users.

FBI warning puts car hacking on bigger radar screen

The FBI this week warned carmakers and owners that they need to pay much closer attention to automotive cybersecurity. The National Highway Traffic Safety Administration joined with the FBI in warning consumers that the increasing number of computers, in the form of electronic control units (ECUs) that control numerous vehicle functions from steering, braking and acceleration to the lights and windshield wipers, makes vehicles vulnerable to potential cybersecurity problems.

Cybersecurity Skills Shortage Impact on Cloud Computing

Look at any industry data and you’ll see a consistent trend – the march toward cloud computing continues to gain momentum. According to ESG research, 75% of organizations are currently using public cloud services (note: I am an ESG employee). This is dominated by the use of SaaS today, but ESG research reveals that 38% of organizations use IaaS while 33% use PaaS. The research also indicates that these numbers will continue to increase in the future. Now before you short HP and double down on AWS, there is also a potential fly in the ointment – the global cybersecurity skills shortage. ESG research indicates that 46% of organizations say that they have a “problematic shortage” of cybersecurity skills in 2016, up from 28% last year. ESG also asked survey respondents to identify the area where they have the biggest cybersecurity skills shortage. Not surprisingly, 33% say that their biggest deficiency was cloud security specialists, followed by 28% who pointed to a deficiency with network security specialists, and 27% who have a shortage of security analysts – pretty scary stuff when you think about cloud security defense along with incident detection and response for cloud-based cyber-threats.

Deutsche Telekom to boost security offering for European enterprises

"Bring your own device" can easily turn into bring your own disaster for corporate networks, if attackers use a compromised device as a bridgehead into a secure environment. That's one of the reasons Deutsche Telekom is partnering with two security companies to offer services to smaller companies that don't have the resources to install and operate their own MDM (mobile device management) or endpoint security systems. Internet Protect Pro and Mobile Protect Pro are rebranded versions of services from Zscaler and Zimperium, respectively. The CEOs of the two companies joined Deutsche Telekom executives on stage at the Cebit tradeshow in Hanover, Germany, on Thursday to announce the deals.

The 10 Windows group policy settings you need to get right

One of the most common methods to configure an office full of Microsoft Windows computers is with group policy. For the most part, group policies are settings pushed into a computer's registry to configure security settings and other operational behaviors. Group policies can be pushed down from Active Directory (actually, pulled down by the client) or configured locally. I've been doing Windows computer security since 1990, so I've seen a lot of group policies. In my work with customers, I scrutinize each group policy setting within each group policy object. With Windows 8.1 and Windows Server 2012 R2, for example, there are more than 3,700 settings for the operating system alone.

Vehicles ‘increasingly vulnerable’ to hacking, FBI warns

The FBI and the National Highway Traffic Safety Administration warned on Thursday that the rising use of computers in vehicles poses increasing risks of cyberattacks. The warning comes eight months after a high-profile demonstration published by Wired showed how a Jeep Cherokee could be remotely controlled over the Internet. Fiat Chrysler later recalled 1.4 million vulnerable vehicles. Manufacturers see great promise in designing vehicles with advanced networking capabilities for everything from entertainment to fleet management. But computer security experts have criticized the industry for not taking stronger steps to prevent software vulnerabilities that could have lethal consequences.

New Stagefright exploit puts millions of Android devices at risk

Millions of Android devices are at risk yet again after researchers found a new way to exploit an older vulnerability that was previously patched by Google. NorthBit, based in Herzliya, Israel, published a paper outlining Metaphor, a nickname for a new weakness they found in Stagefright, Android's mediaserver and multimedia library. The attack is effective against devices running Android versions 2.2 through 4.0 and 5.0 and 5.1, NorthBit said. The company said its attack works best on Google's Nexus 5 with stock ROM, and with some modifications for HTC's One, LG's G3 and Samsung's S5. The attack is an extension of other ones developed for CVE-2015-3864, a remote code execution vulnerability which has been patched twice by Google.

FTC warns app developers against using audio monitoring software

The U.S. Federal Trade Commission has sent warning letters to 12 smartphone app developers for allegedly compromising users' privacy by packaging audio monitoring software into their products. The software, from an Indian company called SilverPush, allows apps to use the smartphone's microphone to listen to nearby television audio in an effort to deliver more targeted advertisements. SilverPush allows the apps to surreptitiously monitor the television viewing habits of people who downloaded apps with the software included, the FTC said Thursday. "This functionality is designed to run silently in the background, even while the user is not actively using the application," the agency said in its letter to the app developers. "Using this technology, SilverPush could generate a detailed log of the television content viewed while a user’s mobile phone was turned on."

Cisco’s acquisition of Synata brings search to Spark

Last week the Enterprise Connect trade show was held in Orlando, Florida. The show is the collaboration industry’s largest event and, because of that, dozens of vendors issued press releases touting the latest and greatest innovations in the market. One announcement that I thought flew under the radar was Cisco’s intent to acquire privately held Synata. Jim Duffy wrote a short article covering the news, but the importance of this acquisition hasn’t been discussed. Explaining what Synata does is fairly simple. It lets users search encrypted files and messages, even if they’re stored in cloud storage drives. Cisco will use this technology to enhance its team-messaging product, Cisco Spark.

Safari, Chrome and Flash Player hacked during first day at Pwn2Own, some of them twice

Security researchers exploited previously unknown vulnerabilities in Apple Safari, Google Chrome and Flash Player to compromise the latest versions of OS X and Windows during the first day of the annual Pwn2Own hacking contest. On Wednesday, four teams and a researcher who competed on his own made six attempts to hack this year's targets: Safari running on OS X, Chrome running on Windows, Microsoft Edge running on Windows and Flash Player on Windows. Four attempts were successful, one was only partially successful and one failed. The 360Vulcan Team from Chinese Internet security company Qihoo 360 combined a remote code execution vulnerability in Flash Player with a vulnerability in the Windows kernel to gain system privileges. For this feat, they received a US$80,000 prize: $60,000 for the Flash Player exploit and a $20,000 bonus for the system-level escalation.