Category Archives for "Network World Security"

FBI director admits mistake was made with San Bernardino iCloud reset

The director of the Federal Bureau of Investigation has conceded it was a mistake to ask San Bernardino County to reset the password of an iCloud account that had been used by gunman Syed Farook. Changing the password to the account prevented the phone from making a backup to an iCloud account, which Apple could have accessed without bypassing the encryption and security settings on the phone. "As I understand it from the experts, there was a mistake made in that 24 hours after the attack where the county, at the FBI’s request, took steps that made it impossible later to cause the phone to backup again to the iCloud," James Comey told the House Committee on the Judiciary in Washington, D.C., on Tuesday.

Review: 5 application security testing tools compared

Application security is arguably the biggest cyber threat, responsible for 90 percent of security incidents, according to the Department of Homeland Security. Yet it suffers from not-my-job syndrome, or, as SANS put it in its 2015 State of Application Security report, "Many information security engineers don’t understand software development — and most software developers don’t understand security."

As encryption debate rages, inventors of public key encryption win prestigious Turing Award

The inventors of public key cryptography have won the 2015 Turing Award, just as a contentious debate kicks off in Washington over how much protection encryption should really provide. The Association for Computing Machinery announced Tuesday that Whitfield Diffie and Martin Hellman received the ACM Turing Award for their contributions to cryptography. The two are credited with the invention of public key cryptography, which is widely used to scramble data so it can be sent securely between users and websites, and to protect information on devices like smartphones and computer hard drives. “The ability for two parties to communicate privately over a secure channel is fundamental for billions of people around the world,” ACM said in a statement.

Crypto dream team Diffie & Hellman wins $1M “Nobel Prize of Computing”

Whitfield Diffie and Martin Hellman, whose names have been linked since their seminal paper introduced the concepts of public key encryption and digital signatures some 40 years ago, have been named winners of the 2015 ACM A.M. Turing Award (a.k.a. the "Nobel Prize of Computing"). The work of MIT grad Diffie, formerly chief security officer of Sun Microsystems, and Hellman, professor emeritus of electrical engineering at Stanford University, has had a huge impact on the secure exchange of information across the Internet, the cloud and email. The annual Association for Computing Machinery award carries a $1 million prize, with financial support from Google. Past winners have included the likes of Internet pioneer Vinton Cerf, database visionary Michael Stonebraker and recently deceased AI innovator Marvin Minsky.

Microsoft unveils Windows 10 feature to stymie advanced hack attacks

Microsoft wants to help protect companies from hack attacks, and it's introducing a new Windows 10 feature soon to improve the operating system's security capabilities. Windows Defender Advanced Threat Protection is aimed at helping businesses deal with serious threats by using machine learning to protect Windows 10 devices. The feature builds a profile of how a computer behaves, and then alerts IT managers if it starts acting in a way that's indicative of a security breach. If the system detects an attack, it will provide administrators with recommended steps to remediate it. That's supposed to help IT managers sleep a bit better at night when facing threats powered by undisclosed "zero-day" vulnerabilities, along with social engineering attacks that take advantage of users making mistakes.

Hot security products at RSA 2016

bugBlast Next-gen AppSec Platform. Key features: bugBlast correlates results from vulnerability testing tools with real-time threat intel for a single view of an application’s security; can massively scale to test mega-apps for software, Web and mobile.

Surveillance outfit Hacking Team may have released a new piece of OS X malware

Security researchers have identified a new piece of OS X malware that may come from Hacking Team, the controversial Italian company that sells surveillance software to governments. The malware is a "dropper," which is used to plant other software onto a computer. In this case, it appears intended to install Hacking Team's Remote Control System (RCS). "The dropper is using more or less the same techniques as older Hacking Team RCS samples, and its code is more or less the same," wrote Pedro Vilaca, an OS X security expert with SentinelOne, on his blog.

Gmail for Work gets improved digital loss protection features

Google has expanded the digital loss protection features in Gmail for Work, to help ensure that employees don't share confidential information outside the company they work for. The service can now use optical character recognition on attachments, so administrators can ensure that employees aren't sharing mounds of confidential data in images (whether intentionally or not). That adds to existing features such as the ability to look inside common attachment types, including documents and spreadsheets. The OCR capabilities integrate with content detectors, so administrators can do things like prevent members of the accounting department from sending an email with a credit card number in it to someone outside the organization. It's a key feature for businesses worried about confidential information leaving the company, even if employees don't mean to do anything wrong.

N.Y. prosecutor wants Apple to turn back security clock to 2013

A New York prosecutor tomorrow plans to urge Congress to write legislation that would require Apple to roll back iPhone security to the model of 2013's iOS 7, according to prepared testimony published today. Cyrus Vance Jr., the District Attorney for New York County, will testify before the House Judiciary Committee tomorrow as one of three witnesses at a hearing to discuss encryption. The others include Bruce Sewell, Apple's general counsel, and Susan Landau, a professor of cybersecurity policy at the Worcester Polytechnic Institute in Worcester, Mass.

NASA wants to get supersonic with new passenger jet

NASA wants to put a supersonic passenger jet back in the sky that promises a soft thump, or "supersonic heartbeat" as the agency calls it, rather than the disruptive boom currently associated with such high-speed flight. The “low-boom” aircraft known as Quiet Supersonic Technology (QueSST) will be built by a team led by Lockheed Martin Aeronautics, which will get $20 million to develop baseline aircraft requirements and a preliminary aircraft design.

IBM to buy Resilient Systems, bringing security guru Bruce Schneier on board

IBM will acquire Resilient Systems, it announced Monday, and along with the company, it will gain a big name in the security world: Bruce Schneier. Resilient makes an incident-response platform that automates and orchestrates the processes for dealing with cyber incidents such as breaches and lost devices, enabling companies to respond more quickly. The acquisition will give IBM Security the industry's first integrated end-to-end platform combining analytics, forensics, vulnerability management and incident response, the company said. IBM intends to bring Resilient's full staff of roughly 100 on board once the acquisition is completed, including cryptographer and security guru Bruce Schneier, Resilient's CTO.

Security product solves the network Heisenberg Uncertainty Principle

If you’re a physics fan like me, you’ll know the famous Heisenberg Uncertainty Principle, which states that you cannot know a particle's exact location and velocity at the same time. If you shine a light on the particle to see where it is, you change its speed or direction, causing a big problem for particle physicists. Network security has a similar conundrum. Every organization wants the best possible security, but often any increase in network visibility to improve security requires a reduction in performance because of the overhead associated with that task. A ZK Research (I am an employee of ZK Research) study last year revealed a couple of interesting but not surprising facts. The first is that almost half the respondents claim they must continually make trade-offs between network performance and security. The second is that a little over a third of the respondents actually turn security features off, that is, make the environment less secure, in order to maintain performance. So security professionals are always in a state of juggling performance and security.

Apple spells out what it would take to comply with government’s iPhone order

Apple last week argued that assisting the FBI in the agency's attempt to access an iPhone used by one of the San Bernardino killers would be an undue burden that would require a staff of between six and ten people who would have to dedicate two to four weeks of their time to the task. In a motion filed Friday with a California court, Apple ticked off several constitutional arguments against helping the FBI break into the iPhone used by Syed Rizwan Farook, who along with his wife, Tafsheen Malik, killed 14 in San Bernardino, Calif., on Dec. 2, 2015, before they died in a shootout with police.

Apple’s top counsel to tell Congress, ‘Encryption is a necessary thing’

Apple’s refusal to help the FBI brute-force the iPhone 5c passcode of the San Bernardino shooter will most likely play out in the courts; the first hearing is scheduled for March 22 in Riverside, California. But Congress has a role to play too. On Tuesday, Apple Senior Vice President and General Counsel Bruce Sewell will testify before the House Judiciary Committee, stressing that while Apple does respect and assist law enforcement, what the FBI wants this time simply goes too far. One of Apple’s strategies is to argue that Congress should pass legislation to cover cases like this, instead of using the broader All Writs Act, which was first passed in 1789 and last updated in 1946. Apple thinks a more modern statute like the Communications Assistance for Law Enforcement Act (CALEA) would be more appropriate, although the Department of Justice disagrees that it’s applicable here.

Cyber security tools tend to pile up. Here’s how to rationalize them

Although vendor-written, this contributed piece does not advocate a position that is particular to the author’s employer and has been edited and approved by Network World editors. It’s a cliché, but “change is the only constant.” Every company periodically reviews and makes changes to the applications, processes and solutions it uses to conduct business. And nowhere is this rationalization more important than in the ever-shifting and increasingly perilous arena of cyber security. Companies often begin the security rationalization process after accumulating a portfolio of tools over the years (e.g. penetration testers, web-application and code scanners), or through mergers and acquisitions or shifting business strategies.

CTB-Locker ransomware hits over 100 websites

A new malicious program that encrypts files on Web servers has affected at least 100 websites over the past few weeks, signaling a new trend in ransomware development. The program, which is written in PHP, is called CTB-Locker, a name also used by one of the most widespread ransomware programs for Windows computers. It's not clear though if there's a relationship between this new Web-based ransomware and the Windows version. Once installed on a Web server, the program replaces the site's index.php and creates a directory called Crypt that contains additional PHP files. It starts to encrypt all the files in the server's Web directory when it receives a specifically crafted request from an attacker.

Glitch in Hive smart thermostat sends temperatures soaring to nearly 90 degrees

You may have seen movies which feature some evil house that is out to get the occupants, but those usually aren’t smart homes. In real life, if you use connected devices to make your home “smart,” then you might expect potential security flaws, but you don’t expect those IoT devices to act like they are possessed and to negatively control your house on their own. While you don’t want to freeze in the winter, there’s a big difference between being toasty in your home and being roasted alive. Yet some British Gas customers who have adopted Hive smart thermostats were at the mercy of the devices, which sent temperatures soaring to nearly 90 degrees Fahrenheit (89.6). After the Hive thermostat, which has an app that works as the “remote control,” completely glitched out, some users took to Twitter to express their displeasure.

UC Berkeley makes third data breach disclosure in past 15 months

UC Berkeley on Friday revealed that it has alerted 80,000 current and former faculty, staff, students and vendors in the wake of a late December "criminal cyberattack" that could have compromised Social Security and bank account numbers. We're not talking an epic breach possibly affecting millions of people, as did last year's Anthem and Ashley Madison compromises. But the revelation still must be unsettling for an institution that prides itself on cutting-edge cybersecurity research. UC Berkeley was among several big-name schools to receive millions from the Hewlett Foundation for cybersecurity policy research, and the school last year established the Center for Long-Term Cybersecurity.

Gigamon brings big data analytics to security

The IT security environment has changed significantly over the past decade. Ten years ago, network security was certainly challenging but straightforward. Most organizations had a single network ingress/egress point and protected it with a high-performance firewall. Today, the environment is completely different. Technologies like the Internet of Things, cloud computing, software-defined networking, BYOD and mobility have made IT more complicated than ever before. The increase in IT complexity means more attack surfaces and more entry points that need to be protected. IT now faces an asymmetric challenge: the security team must protect dozens or even hundreds of entry points, while hackers merely have to find one way in. Putting a firewall at every possible entry point, including branch offices, wireless access points, consumer devices and IoT endpoints, would be prohibitively expensive and complicated to manage.