Category Archives for "Network World Security"

Tim Cook to Time: ‘I feel like I’m in this bad dream’

Tim Cook gave a long interview to Time magazine about Apple’s fight with the FBI over its refusal to create “GovtOS,” a more crackable version of iOS to side-load onto the seized iPhone 5c used by San Bernardino shooter Syed Rizwan Farook. The edited version is here, and Time also published the full transcript.

NASA’s IG tells space agency to bolster space network security

The network NASA uses to deliver telemetry ground-based tracking, data and communications services to a wide range of current and future spacecraft needs a serious bump in security technology. That was the conclusion of the space agency’s Office of Inspector General which stated: “We found that NASA, [NASA’s Goddard Space Flight Center in Greenbelt, MD, which manages the network] failed to comply with fundamental elements of security risk management reflected in Federal and Agency policies. We believe that these deficiencies resulted from inadequate Agency oversight of the network and insufficient coordination between stakeholders. These deficiencies unnecessarily increase the network’s susceptibility to compromise.”

Attack campaign uses keylogger to hijack key business email accounts

A new email-based attack campaign is targeting key employees from companies in the U.S., Middle East and Asia with the goal of compromising their computers and email accounts. This type of attack is known as business email compromise (BEC) and involves attackers hijacking the email accounts of business executives or accounting employees who typically authorize financial transactions inside organizations. Their hijacked email accounts can then be used to trick other employees, suppliers or business partners to initiate fraudulent payments to accounts controlled by the attackers. Security researchers from antivirus firm Trend Micro recently detected an attack against companies from 18 countries where key employees were targeted with emails that contained a commercial keylogger program called Olympic Vision.

VMware fixes XSS flaws in vRealize for Linux

VMware patched two cross-site scripting issues in several editions of its vRealize cloud software. These flaws could be exploited in stored XSS attacks and could result in the user's workstation being compromised. The input validation error exists in Linux versions of VMware vRealize Automation 6.x prior to 6.2.4 and vRealize Business Advanced and Enterprise 8.x prior to 8.2.5, VMware said in the advisory (VMSA-2016-0003). Linux users running affected versions should update to vRealize Automation 6.2.4 and vRealize Business Advanced and Enterprise 8.2.5 to address the problems. The issues do not affect vRealize Automation 7.x on Linux and 5.x on Windows, and vRealize Business 7.x and 6.x on Linux (vRealize Business Standard).

Steve Wozniak chimes in on the Apple/FBI debate

At this point, it seems that there's truly no end in sight for Apple's ongoing legal battle with the FBI. While the FBI and the DOJ have made it clear that they want Apple to create a new version of iOS designed to bypass iOS security mechanisms, Apple has made it clear that it's not even going to entertain the idea. Quite the opposite, Apple CEO Tim Cook even categorized the FBI's request as akin to asking Apple to create the software equivalent of cancer. Over the past few weeks, many tech companies have come out in support of Apple. Indeed, any time a tech figure of any prominence has been interviewed in recent weeks, the topic of discussion invariably turns to mobile encryption.

TeslaCrypt ransomware now impossible to crack, researchers say

The latest version of the TeslaCrypt ransomware has tidied up a weakness in previous versions that in some cases allowed victims to recover their files without paying a ransom. Cisco's Talos research group found that TeslaCrypt 3.0.1 has improved its implementation of a cryptographic algorithm making it impossible now to decrypt files. "We can not say it loud and often enough, ransomware has become the black plague of the internet," wrote Andrea Allievi and Holger Unterbrink, both security researchers with Cisco, in a blog post on Wednesday. "The adversaries are modifying and improving it in every version."

Air Force faces challenges managing drone force

As unmanned aircraft become a larger part of the Air Force, a number of challenges have surfaced that could impact drone squadron efficiency. A Government Accountability Office report out this week stated that while the Air Force has made efforts to manage its unmanned aircraft pilots, it has not fully addressed issues related to: “identifying personnel requirements, recruiting and retention difficulties, the potential use of Department of Defense civilians as pilots, pilots completing their required training and moving pilots through the training pipeline.”

Attackers exploit Apple DRM weakness to infect non-jailbroken iOS devices

Attackers are exploiting a weakness in Apple's digital rights management technology to install malicious apps on supposedly protected, non-jailbroken iOS devices. In late February, security researchers from Palo Alto Networks found three malicious applications on the official App Store. An analysis revealed the malicious apps were part of a scheme to steal Apple IDs and passwords from Chinese users under the guise of an alternative app store. The more interesting aspect of the apps: In addition to being published on the official app store, they were also silently installed through software running on users' Windows PCs. An iOS device that hasn't been jailbroken, and hasn't had its security restrictions removed, should only be able to run apps downloaded from the App Store or installed through the iTunes software from users' PCs.

Steam Stealer malware provides a thriving business for cyber thugs

A new Kaspersky Lab report (pdf) by security researchers Santiago Pontiroli and Bart P looks at the big business of Steam Stealers that “have turned the threat landscape for the entertainment ecosystem into a devil’s playground.” Wannabe cyber crooks might turn to malware which steals Steam credentials because it’s incredibly cheap. The report said $3 will buy usage rights for a Steam platform credential stealer and $7 adds source code and a user manual. Researchers said comparative malicious campaigns usually start at the $500 range. There are Steam Stealers which cost more, but “it would be hard to find any stealer being sold for more than $30.”

Digital rights group: Save security, reject FBI’s iPhone unlocking request

Digital rights group Fight for the Future is hoping to give voice to ordinary people concerned with the FBI's attempt to force Apple to help it unlock the iPhone used by a mass shooter. Fight for the Future's new Save Security campaign, launched Wednesday, will collect comments from people worried about the Internet security implications of the FBI's court request. Organizers will display the comments and read them aloud outside a California courthouse before a hearing in the case next Tuesday. "We're actually trying to give a voice to people all over the world who are extremely concerned about this," said Evan Greer, campaign director for the group. Fight for the Future is trying to "bring those voices into the conversation so that it's not just a fight between a giant company and the government," Greer added.

Cyberespionage groups are stealing digital certificates to sign malware

An increasing number of cyberespionage groups are using stolen code-signing certificates to make their hacking tools and malware look like legitimate applications. The latest example is a China-based hacker group that has launched targeted attacks against government and commercial organizations from around the world over the past two years. The group's activities were uncovered by researchers from Symantec in late 2015 when they detected a digitally signed hacking tool that was used in an attack against one of the company's customers. The tool, a Windows brute-force server message block (SMB) scanner, was signed with a digital certificate that belonged to a South Korean mobile software developer. This immediately raised red flags as a mobile software company would have no reason to sign such an application.

A scheme in India to help the poor raises privacy concerns

India’s legislators are on Wednesday debating a law that would allow the government to collect biometric and demographic information from people in return for distributing to them government benefits and subsidies. A number of legislators and civil rights activists are concerned about the absence of strong privacy safeguards in the legislation and a provision in the law that allows the government to access the data collected for national security reasons. There is also concern that such a large centralized database of personal information could be hacked and critical information leaked. Activists are also wary that the program could be extended by the government to make it a mandatory digital ID card for people in the country. Already some telecommunications services and financial services companies use the biometric identity as an optional way for verifying customers.

Large advertising-based cyberattack hit BBC, New York Times, MSN

Major websites including the BBC, Newsweek, The New York Times and MSN ran malicious online advertisements on Sunday that attacked users' computers, a campaign that one expert said was the largest seen in two years. The websites weren't at fault. Instead, they are unwitting victims of malvertising, a scheme where cyberattackers upload harmful ads to online advertising companies, which are then distributed to top-tier publishers. Tens of thousands of computers could have been exposed to the harmful advertisements on Sunday, which means some running vulnerable software may have been infected with malware or file-encrypting ransomware. Some bad ads were still appearing on some websites including the BBC on Monday, said Jerome Segura, a senior security researcher with Malwarebytes, in a phone interview Tuesday.

Privacy issues hit all branches of government at once

In a rare confluence of events, all three branches of the federal government are weighing changes that would affect when and how personal data is accessed. The approaches are somewhat contradictory: Some moves would protect citizen privacy, while others could result in more access by government agencies to records kept by businesses and smartphone users about personal information. Encryption technology is usually at the center of the discussions, with intelligence officials eager to find ways to detect communications on smartphones used by criminals and terrorists. Various actions are taking place in the federal judiciary, before Congress, as well as the executive branch.

Defense Dept. wants your help in imagining the worst

Uncle Sam wants your brain power, technical expertise and imagination to help defend the U.S. No enlistment required. The Department of Defense says it needs to understand how everyday objects and available technologies can be used by terrorists. The range of technologies is so vast that the military's main scientific agency, the Defense Advanced Research Projects Agency (DARPA), says it needs input from as many technical people as possible. The agency has put out an open call for anyone from a credentialed professional to "skilled hobbyist" in all technical areas, including IT. DARPA, in its announcement, wants people to show it "how easily-accessed hardware, software, processes and methods might be used to create products or systems that could pose a future threat."

How far have we come with HTTPS? Google turns on the spotlight

HTTPS is widely considered one of the keys to a safer Internet, but only if it's broadly implemented. Aiming to shed some light on how much progress has been made so far, Google on Tuesday launched a new section of its transparency report dedicated to encryption. Included in the new section is data highlighting the progress of encryption efforts both at Google and on popular third-party sites. "Our aim with this project is to hold ourselves accountable and encourage others to encrypt so we can make the Web even safer for everyone," wrote HTTPS evangelists Rutledge Chin Feman and Tim Willis on the Google Security Blog.

Ransomware attacks on U.S. companies blamed on state-sponsored Chinese hackers

So what do Chinese government-supported hackers turn to after China backed off on supporting economic espionage? Applying their APT skills to infecting companies with ransomware…at least that is the prevailing theory put forth by several security firms. If China really did pull its previous level of support for economic espionage after its agreement with the US late last year, then those same hackers may be supplementing their income by joining the booming business of ransomware. Security firms involved in investigating ransomware attacks that have not previously been made public told Reuters that Chinese hackers are the most likely suspects behind the attacks. It should be noted that none of the security companies could be positive that plain-old cybercrooks weren’t behind the attacks after upping their game, improving skills and purchasing tools previously used only by governments. At least a half dozen ransomware attacks in the last three months have a level of sophistication that is usually only used in state-sponsored attacks.

SXSW highlights bright and dark tech futures

Visions of the future clashed during South By Southwest (SXSW) Interactive in Austin, as some experts saw an uncertain future, some saw an unbounded future and some were frustrated by the present. As for uncertainty, the worlds of big data, AI, and government are just beginning to collide, and public policy decisions made now will cast shadows far into the future, panelists agreed at a session titled, "Data Ethics in the Age of the Quantified Society." "We are at an inflection point," said Nicole Wong, former White House policy advisor. "We are paving the roads for what the future will look like. Will it be a dystopian world like The Hunger Games, or a different world, with health care for millions, precision medicine and equitable distribution of benefits? But how do we build the underlying roads?"

How to get started in IT security consulting

IT security consulting is an excellent way to grow as a security professional. In contrast to a corporate role, consultants are exposed to a variety of business situations and industries. Those who succeed in the consulting world find themselves equipped with greater skills and cutting-edge knowledge of new technologies. Before you enter consulting, take note of the field’s current opportunities and challenges. “Migrating security services to the cloud, incident response, forensics and security risk assessments are areas in high demand,” comments Brian Honan, founder of BH Consulting. The Ireland-based IT security consulting firm has grown to 10 consultants and serves clients in Ireland, Europe, the United Kingdom and the US.