Category Archives for "Network World Security"

Microsoft to court: Make Comcast give us the Windows-pirating subscriber’s info

In the legal arena, Microsoft is going after Comcast in order to unmask the person behind an infringing IP address that activated thousands of Microsoft product keys stolen from Microsoft’s supply chain. The Redmond giant wants the court to issue a subpoena that will force Comcast to hand over the pirating subscriber’s info. If the infringing IP address belongs to another ISP that obtained it via Comcast, then Microsoft wants that ISP’s info and the right to subpoena it as well. Microsoft maintains that from 2012 to 2015 an IP address assigned to Comcast pinged its servers in Washington over 2,000 times during the software activation process. “Detailed information” such as the activation key and the IP address activating Microsoft products is transmitted to Microsoft; it’s considered to be “voluntarily provided by users.”

Microsoft wants your phone to wirelessly log you into your Windows 10 PC

The slow death of the password continues. Microsoft is following in the footsteps of Google’s Chrome OS with a handy-dandy new Windows 10 feature that eliminates the need to manually log in to your PC. The company is currently testing a refreshed Authenticator app for Windows 10 Mobile called Phone Sign-in Beta. It looks like the app will continue to generate codes for multi-factor authentication, but its star feature unlocks your PC with one tap when your phone is nearby, as The Verge first reported.

Microsoft patches remote code execution flaws in Windows, IE, Edge, Office

Microsoft has fixed 39 vulnerabilities in multiple Windows components, Internet Explorer, Edge, Office and .NET Framework, many of which allow for remote code execution. The patches are grouped in 13 security bulletins, five of which are rated critical and the rest as important. According to researchers from security vendor Qualys, systems administrators should prioritize the MS16-023 security bulletin for Internet Explorer, which covers 13 critical vulnerabilities that can be exploited over the Web to fully take control of computers. Windows 10 users who prefer Microsoft Edge to Internet Explorer should prioritize MS16-024 instead, which covers 11 vulnerabilities in Microsoft's new browser, 10 of them critical.

Encryption project issues 1 million free digital certificates in three months

Let's Encrypt, an organization set up to encourage broader use of encryption on the Web, has distributed 1 million free digital certificates in just three months. The digital certificates cover 2.5 million domains, most of which had never implemented SSL/TLS (Secure Sockets Layer/Transport Layer Security), which encrypts content exchanged between a system and a user. An encrypted connection is signified in most browsers by "https" and a padlock appearing in the URL bar. "Much more work remains to be done before the Internet is free from insecure protocols, but this is substantial and rapid progress," according to a blog post by the Electronic Frontier Foundation, one of Let's Encrypt's supporters.

Home Depot will pay up to $19.5 million for massive 2014 data breach

Home Depot has agreed to pay as much as $19.5 million to remedy the giant data breach it suffered in 2014, the company confirmed on Tuesday. Included in that figure is a reported $13 million to reimburse customers for their losses and $6.5 million to provide them with one and a half years of identity protection services. Home Depot was not required to admit any wrongdoing. "We’re working to put the litigation behind us," spokesman Stephen Holmes said via email. "This was the most expeditious path, but it’s not an admission of liability." Customers "were not responsible for fraudulent charges, and they’ve been our primary focus throughout," he said.

Leaders’ STEM education determines stance on iPhone encryption case

Robert Hannigan, head of GCHQ, Britain’s equivalent of the NSA, has finally stopped asking for a backdoor to encrypted devices. Instead, speaking at the MIT Internet Policy Research Initiative, he called for an end to what he called the “abuse of encryption” by ISIS and other terrorists and criminals, according to a report by the MIT Technology Review. Hannigan wasn’t getting what he wanted by calling it a backdoor, so he renamed the building of flawed encryption that law enforcement can exploit “ending the abuse of encryption.” Hannigan’s attempt to use speechwriters and political spin to solve a mathematical problem is a fool’s errand.

Cisco security chief: How to beat back security system complexity

Cisco has aggressively bought up security vendors and worked on integrating their software protections into existing Cisco gear, making for a simpler, more secure and flexible network, says Cisco’s security chief. “The customers we talk to have an average of somewhere around 50 to 60 different vendors in their network to deliver their security posture,” says David Goeckeler, senior vice president and general manager of Cisco’s security business. “What’s happening in the industry is the complexity of managing all those different products is overwhelming the effectiveness of them.”

Microsoft released 13 security bulletins, 5 rated critical but 8 patching RCE bugs

For March 2016 Patch Tuesday, Microsoft released 13 security bulletins and rated five of those as critical.

Critical patches for RCE flaws

MS16-023 is the cumulative patch for IE to stop remote code execution flaws and correct 13 memory corruption vulnerabilities that have not been publicly disclosed. MS16-024 is the monthly fix for Microsoft Edge; it patches 10 memory corruption flaws that could lead to remote code execution and one information disclosure bug, none of which have been publicly disclosed.

French legislators want to compel companies to decrypt data, because terrorism

Legislators in France are trying to make the U.S. Federal Bureau of Investigation jealous of its French counterparts. The poor old FBI has to rely on a loosely drafted law two centuries old in its effort to compel Apple to help it unlock data held in a dead terrorist's smartphone. In France, refusing to hand over encrypted information in terrorism cases could lead to a fine of €350,000 (US$385,000) and five years in prison, under proposed legislation.

MapR delivers support for containers, security

MapR Technologies today announced the general availability of the MapR Converged Data Platform, which brings Hadoop together with Spark, Web-scale storage, NoSQL and streaming capabilities in a unified cluster, designed to support customers deploying real-time global data applications. The Converged Data Platform includes security, data governance and performance enhancements built to meet enterprise requirements, and adds support for containers, including persistent storage and integrated resource management.

IoT makes security and privacy top challenges for wearables

From fitness trackers to connected headwear for soldiers on the battlefield, wearable devices stand as one of the fastest-growing segments of the tech industry. But with those always-on devices come a slew of considerations for policy makers, in particular the concern that device manufacturers aren't implementing appropriate security and privacy measures. Those worries got an airing at a recent House hearing, where industry witnesses urged lawmakers to tread lightly before developing stringent new privacy rules, while at the same time acknowledging that device and application makers need to be vigilant in how they are handling the data collected from users.

Privacy groups want rules for how ISPs can track their customers

Some Internet service providers are building powerful tools to track customers, and the U.S. Federal Communications Commission needs to step in, privacy advocates say. Some privacy advocates are calling on the FCC to create new regulations that limit how ISPs can track their customers across the Internet. The agency could release a proposal for ISP privacy rules as soon as this month, FCC Chairman Tom Wheeler said last week. Some ISPs are deploying "invasive and ubiquitous" tracking practices as a way to deliver targeted advertising to customers, 12 privacy groups said in a letter to the FCC this week. In recent years, large ISPs like Comcast and Verizon have entered into advertising partnerships or launched their own advertising services that take advantage of ISP customer data, the letter said.

Google offers app to help companies assess their vendors’ security

Google has published an interactive questionnaire that companies can use to assess the security practices of their suppliers or to review and improve their own security programs. The Vendor Security Assessment Questionnaire (VSAQ) is a Web-based application and was released under an open-source license on GitHub. It contains a collection of questionnaires that Google itself uses to review multiple aspects of a vendor's security. The application has templates for Web application security, infrastructure security, physical and data center security, and an organization's overall security and privacy program. The questions cover everything from whether the vendor has processes in place for external researchers to report vulnerabilities to HTTPS implementation details and internal data handling policies.

Multi-factor authentication goes mainstream

Fingerprints, rather than passwords, are what more than a million financial services customers at USAA use to get online. Part of a trend toward multi-factor authentication (MFA), the approach leaves no stored list of passwords for hackers to steal. In 2014, San Antonio-based USAA became the first financial institution to roll out facial and voice recognition on a mobile app, says Gary McAlum, USAA's chief security officer. Thumbprint recognition followed a few months later. A year after that, USAA had 1.1 million enrolled MFA users, out of a target population of 5 million mobile banking app users.

Reviewing incident response plans for data risk preparedness

Incident response plan reviews are growing in importance with the rapidly increasing numbers and types of information security incidents that enterprises must face. The enterprise must approach these reviews with a view toward effective event response. Yet more than one-quarter of IR professionals (26 percent) are dissatisfied with their current organization’s IR capabilities, calling them ineffective, according to a SANS Institute survey on the state of IR. After initial plan creation, the review is the opportunity to correct that ineffectiveness.

China is working on a big data Minority Report system

Think there’s a limit to how far countries can go to monitor their citizens? Think again. China’s new plan to create software that tracks a wide variety of data to predict who might commit terrorist acts pushes the envelope into the realm of science fiction, a la Minority Report. Last December, I wrote about China's planned Social Credit System, which takes invasion of privacy to terrifying new levels by going well beyond Western-style credit scores to create a mandatory scheme to "rate the trustworthiness of citizens in all facets of life, from business deals to social behavior,” according to the New Republic. The national database will combine records of Internet data with financial information and government data into a score designed to determine eligibility for all kinds of things, including credit, employment and access to social benefits.

DOJ appeals New York court order in favor of Apple

The U.S. Department of Justice has appealed an order by a court in New York that turned down its request that Apple be compelled to extract data from the iPhone 5s of an alleged drug dealer. The case in New York is seen as having a bearing on another high-profile case in California, where Apple is contesting an order that would require the company to assist the FBI, including by providing new software, in its attempts to brute-force the passcode of an iPhone 5c running iOS 9. The phone was used by one of the two terrorists in the San Bernardino killings on Dec. 2, and the FBI wants Apple to disable the auto-erase feature on the phone, which would erase all data after 10 unsuccessful passcode attempts if the feature was activated by the terrorist.

Google patches remote execution flaws in Android

Google has released 16 patches for Android, including one for a critical remote execution vulnerability in the operating system's mediaserver. The company's Nexus devices will receive an over-the-air update. Google's partners were notified no later than Feb. 1 of the fixes, giving them more than a month to prepare. The vulnerabilities in mediaserver could be exploited if malicious content is displayed or played on a device, such as an MMS message or email, or if the browser plays some type of media, Google's advisory said. A string of vulnerabilities has been found in media playback software since last year, most notably the Stagefright bug.