Category Archives for "Network World Security"

Two-year-old Java flaw re-emerges due to broken patch

A patch for a critical Java flaw released by Oracle in 2013 is ineffective and can be easily bypassed, security researchers warn. This makes the vulnerability exploitable again, paving the way for attacks against PCs and servers running the latest versions of Java. The flaw, tracked as CVE-2013-5838 in the Common Vulnerabilities and Exposures (CVE) database, was rated by Oracle 9.3 out of 10 using the Common Vulnerability Scoring System (CVSS). It can be exploited remotely, without authentication, to completely compromise a system's confidentiality, integrity and availability.

Justice Department slams Apple’s ‘corrosive’ rhetoric in its latest court filing

UPDATE: March 10, 2016, 3:46 p.m. Pacific—In a conference call Thursday afternoon, Apple’s SVP and chief legal counsel Bruce Sewell said, “The tone of the brief reads like an indictment,” and in 30 years he’s never seen a brief trying so hard “to smear” someone. “It should be deeply offensive to everyone who reads it.” “Corrosive rhetoric” could be this week’s “dormant cyber pathogen,” the latest salvo in the government’s attempt to paint Apple as unreasonable for refusing to craft a new version of iOS so law enforcement can brute-force an iPhone 5c used by San Bernardino shooter Syed Rizwan Farook.

The top 12 cloud security threats

Enterprises are no longer sitting on their hands, wondering if they should risk migrating applications and data to the cloud. They're doing it -- but security remains a serious concern. The first step in minimizing risk in the cloud is to identify the top security threats. At the RSA Conference last week, the CSA (Cloud Security Alliance) listed the “Treacherous 12,” the top 12 cloud computing threats organizations face in 2016. The CSA released the report to help both cloud customers and providers focus their defensive efforts.

ICANN stewardship transition plan sent to US government

The Internet Corporation for Assigned Names and Numbers on Thursday submitted a plan for ending U.S. oversight of key technical Internet functions in favor of a global multi-stakeholder governance model. The complex new proposals aim to create an oversight body called the "empowered community" for enforcing community powers and include tighter rules for changes to certain bylaws of the organization. The Governmental Advisory Committee, consisting of representatives of governments, will continue to have an advisory role, though it will be better placed if it works in consensus, according to a document circulated by ICANN.

Patch closes security hole in messaging encryption tool

A software component for encrypting instant messaging clients has a flaw that could let attackers take over users' machines, but there's now a patch for the vulnerability. The vulnerability is contained in libotr, short for OTR Messaging Library and Toolkit. The up-to-date version is now 4.1.1. OTR stands for Off-the-Record Messaging. It's a cryptographic protocol that scrambles messages sent through clients including Pidgin, ChatSecure and Adium. The integer overflow flaw was found by Markus Vervier of the German company X41 D-Sec, which released an advisory.

Squiggly lines: The future of smartphone security?

If PINs, passwords and biometrics just aren't making you feel secure about your smartphone contents, researchers at Rutgers University might have a new alternative: free-form gestures. They've conducted a study of such doodling for smartphone security in the field (initially with Android phones...sorry iPhone fans) and will formally publish this paper on "Free-Form Gesture Authentication in the Wild" in May. The system, which involved installing software on study participants' phones, enabled users to doodle using any number of fingers.

Emergency Flash Player patch fixes actively exploited vulnerability

Adobe Systems released new versions of Flash Player in order to fix 18 critical vulnerabilities that could be exploited to take over computers, including one flaw that's already targeted by attackers. "Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks," the company said in a security advisory. The flaw stems from a heap overflow condition and was reported to Adobe by researchers from antivirus firm Kaspersky Lab. Kaspersky Lab did not immediately respond to an inquiry seeking more details about the targeted attacks in which the vulnerability is being exploited.

FCC wants ISPs to get customer permission before sharing personal data

Broadband providers would often be required to get customer permission to use and share personal data they collect under regulations proposed by the U.S. Federal Communications Commission. Broadband providers have an unrivaled ability to track customers and collect personal data, and there currently are no specific rules covering broadband providers and customer privacy, FCC officials said Thursday. The goal of the rules is to give broadband customers notice, choice and control over their personal data, FCC officials said during a press briefing. "Your ISP handles all of your network traffic," FCC Chairman Tom Wheeler wrote in the Huffington Post. "That means it has a broad view of all of your unencrypted online activity -- when you are online, the websites you visit, and the apps you use."

It’s Buddy Week

It’s ecosystem partnership week. And data center stalwart Mellanox, SDN start-up Plexxi and Cisco partner vArmour have all delivered. Mellanox buddied up with Cumulus Networks to add Cumulus Linux NOS to its new Spectrum 10/25, 40/50, and 100 Gbps Ethernet switches. Mellanox itself has made multiple contributions of 10/25, 40/50, & 100G Ethernet switch and Open Compute Platform (OCP) adapter designs. Cumulus Linux has been chosen by several hardware and software vendors as a NOS option when opening up switches to support multiple NOSes. In addition to Cumulus Linux, the Mellanox Spectrum switches can now run OpenSwitch, Metaswitch IP Routing, and Mellanox MLNX-OS through the OCP Switch Abstraction Interface and Linux Switchdev.

Before Moving on From RSA…

It’s been a week since my last meetings at RSA and I’m already thinking about travel plans and agendas for Infosec Europe and Black Hat. Before closing the book on RSA 2016 however, I have a few final thoughts about the industry and cybersecurity professional community.

1. It’s time to go beyond product categorization. The technology industry has product categorization down to a science – we organize around products, budget for products, and make purchasing decisions on each individual product category. Heck, my friends at Gartner and NSS Labs have built lucrative businesses around testing products and rating products via magic quadrants.

Cisco patches serious flaws in cable modems and home gateways

Cisco Systems has patched high-impact vulnerabilities in several of its cable modem and residential gateway devices that are distributed by some ISPs to their customers. The embedded Web server in the Cisco Cable Modem with Digital Voice models DPC2203 and EPC2203 contains a buffer overflow vulnerability that can be exploited remotely without authentication. The flaw could be exploited by sending specially crafted HTTP requests to the Web server and could result in arbitrary code execution. Customers should contact their service providers to ensure that the software version installed on their devices includes the patch for this issue, Cisco said in an advisory.

Is DevOps good or bad for security?

If you think of DevOps as failing fast – as Facebook used to put it, “move fast and break things” – then you might also think of rapid releases, automation and continuous integration and deployment as giving you less time to find security problems. After all, you’re changing code, updating features and adding new capabilities more rapidly. That means more chances to introduce bugs or miss vulnerabilities. With 2016 set to be the year DevOps goes mainstream – Gartner predicts 25 percent of Global 2000 businesses will be using DevOps techniques this year, and HP Enterprise is even bolder, claiming that “within five years, DevOps will be the norm when it comes to software development” – does that mean security problems waiting to happen?

Wi-Fi hotspot blocking persists despite FCC crackdown

The FCC has slapped hotels and other organizations with nearly $2.1 million in fines since the fall of 2014 for blocking patrons’ portable Wi-Fi hotspots in the name of IT security, or more likely, to gouge customers for Internet service. But Network World’s examination of more than a year’s worth of consumer complaints to the FCC about Wi-Fi jamming shows that not all venue operators are getting the message (see infographic below). Indeed, more than half of the 50-plus complaints whose contents we pored through following a Freedom of Information Act (FOIA) request to the FCC came within the few months after the FCC’s initial action on this matter, a $600,000 fine on Marriott in October of 2014. Another two dozen complaints trickled in to the FCC in 2015 – a year that began with the FCC serving stern notice that Wi-Fi blocking is prohibited and ended with the agency dishing out a $718,000 fine to big electrical contracting company M.C. Dean for blocking consumers’ Wi-Fi connections and a $25,000 fine to Hilton Worldwide for “apparent obstruction of an investigation” into whether Hilton blocked consumers’ Wi-Fi devices. The spectrum used by Wi-Fi is unlicensed, and therefore available

FTC orders nine PCI auditors to share assessment details

The FTC is on a data breach enforcement roll. Last summer, the courts allowed it to fine companies with weak cybersecurity practices. Now, the FTC is taking a closer look at payments processing, checking to see how auditors measure compliance with industry rules. Specifically, the FTC has requested information from PricewaterhouseCoopers, Mandiant, Foresite MSP, Freed Maxick CPAs, GuidePoint Security, NDB, SecurityMetrics, Sword and Shield Enterprise Security, and Verizon Enterprise Solutions, which is also known as CyberTrust. The nine companies, a mixture of large and small compliance vendors, have 45 days to respond to detailed questions about how they measure compliance with the Payment Card Industry Data Security Standards.

Locky ransomware activity ticks up

Locky, a new family of ransomware that emerged in the last few weeks, has quickly made a mark for itself. Computer security companies say it has become a commonly seen type of ransomware, which is used to hold a computer’s files hostage pending a ransom payment. Trustwave's SpiderLabs said on Wednesday that 18 percent of 4 million spam messages it collected in the last week were ransomware-related, including many linked to Locky. "We are currently seeing extraordinary huge volumes of JavaScript attachments being spammed out, which, if clicked on by users, lead to the download of a ransomware," wrote Rodel Mendrez, a Trustwave security researcher.

Experts say ‘chip off’ procedure to access terrorist’s iPhone is risky

The iPhone 5c at the center of the legal battle between Apple and the FBI might be accessible through a delicate hardware technique, but experts warn it would be difficult. In recent days, the American Civil Liberties Union's technology fellow and former NSA contractor Edward Snowden have suggested a method that would let investigators repeatedly guess the iPhone's password. Federal investigators fear San Bernardino shooter Syed Rizwan Farook may have configured his work phone to use an Apple security feature that erases a key for decrypting data after 10 incorrect guesses of the phone's password. The forensic technique for getting at the data, known as "chip off," involves removing a NAND flash memory chip from a device and copying its data, yielding a decryption key that can be restored if it is erased after incorrect guesses.

US national lab advances wireless charging for electric cars

How cool would it be if you could just pull into your garage, park over a special pad and recharge your electric car for your morning commute? It’s a convenience item that would go a long way to making electric cars more attractive to the average US consumer, that’s for sure. This week the US Energy Department’s Vehicle Technologies Office, Oak Ridge National Laboratory (ORNL) and Hyundai America Technical Center Inc. said that technology they have been working on since 2012 could soon make wireless charging for electric cars more widespread.

Bill Gates on Apple v. FBI: A balance has to be made between the needs of investigators and privacy rights

Bill Gates thinks new laws are needed to sort out the encryption conflict going on between law enforcement and tech companies. “The sooner we modernize the laws the better,” Gates says in a Reddit “Ask Me Anything” session. He says it’s clear the government under certain circumstances needs to be able to tap into encrypted communications, but also that there should be oversight so that power isn’t abused. “Right now a lot of people don't think the government has the right checks to make sure information is only used in criminal situations,” he says. “So this case will be viewed as the start of a discussion.”

Mizuho Bank speeds international securities transactions using blockchain

Japan's Mizuho Bank is considering using blockchain technology to speed the cross-border transfer of financial instruments. It has just concluded a three-month trial of the technology with Japanese IT company Fujitsu. Mizuho used the Open Assets Protocol in its trial to encapsulate the type and number of financial instruments being traded, the amount due and the currency used, the country of settlement, and the transaction date. The encapsulated data was then added to a blockchain as a new transaction, providing a tamper-resistant record of the trade.

Mac ransomware KeRanger has flaws that could let users recover files

The KeRanger file-encrypting ransomware program for Mac OS X contains crypto flaws that could allow users to recover their files without paying cybercriminals. According to researchers from antivirus firm Bitdefender, KeRanger is based on another ransomware program, called Linux.Encoder, that first appeared in November and targeted Linux-based Web servers. The first three versions of Linux.Encoder had flaws in their cryptographic implementations that allowed the Bitdefender researchers to create tools that could be used to decrypt files affected by the malicious program.