“We are breeding the cow and they are milking it” - German Klimenko, Vladimir Putin’s new Internet czar on Google, Microsoft, and Apple doing business in Russia
Keith Weller, USDA / Wikimedia
When it comes to high tech, American companies dominate the Russian market and, perhaps not surprisingly, that doesn’t site well with the Russian government which would prefer to see homegrown offerings such as Yandex and Mail.ru get more market traction. The consequence, according to Bloomberg, is a plan by the Russian government to increase the taxes the American tech giants by 18 percent. To read this article in full or to leave a comment, please click here
If you want to work at Microsoft, then you likely have visited Microsoft Careers. The backend database for the mobile version of Microsoft’s jobs portal was misconfigured, exposing user information and leaving the site vulnerable to attack.Security researcher Chris Vickery has a knack for exposing leaky databases such the one that put 13 million MacKeeper users at risk, another which exposed personal information of 191 million voters, yet another held 18 million voter records with targeted profile data, and one that exposed 140,000 class and student records from Southern New Hampshire University; he also discovered a leaked Hello Kitty database with 3.3 million user accounts, some belonging to kids. This time, Vickery said he found another misconfigured MongoDB database which exposed registered users’ information and had write-access to the contents of the database.To read this article in full or to leave a comment, please click here
While antivirus software pioneer John McAfee garners media attention here for his long-shot Libertarian presidential run, law enforcement authorities in Belize are reportedly continuing to investigate the 2012 murder of McAfee’s American neighbor. That probe prompted McAfee to flee Belize and eventually land back in the United States.McAfee has unequivocally denied any participation in or knowledge of the murder and has maintained that he left Belize because he feared authorities there would imprison or kill him anyway.From a report in The San Pedro Sun: To read this article in full or to leave a comment, please click here
As enterprises struggle to keep up with their internal demand for mobile apps, more are turning to more speedy development workflows, such as the Minimum Viable Product (MVP) , which essentially calls for mobile development teams to focus on the highest return on effort when compared to risk when choosing apps to develop, and features to build within them. That is: focus on apps and capabilities that users are actually going to use and skip those apps and features they won’t.Sounds simple, but what does that mean when it comes to security? We know application security is one of the most important aspects of data security, but if software teams are moving more quickly than ever to push apps out, security and quality assurance needs to be along for the process. To read this article in full or to leave a comment, please click here
Federal bosses admit they're falling behind the tech advances being made in the private sector, says a survey. Consequently, they acknowledge that their stakeholder expectations aren't being met.The leaders appear to know there's a problem, yet they're having problems making the transformations and going digital, according to researchers from the National Academy of Public Administration and ICF International, the two organizations that jointly released the report earlier this month.Problems
Money, security and privacy concerns, and lumbering acquisition procedures are among the issues the "federal leaders" who responded to the survey say are preventing them from making progress.To read this article in full or to leave a comment, please click here
WASHINGTON -- It's a scary prospect, barreling down the highway when a hacker seizes control of your brakes and power-steering system.The specter of hacking a vehicle, potentially a matter of life and death, demands auto makers to elevate security as a priority as they develop ever-more sophisticated in-car technology, a member of the Federal Trade Commission is warning.[ Related: Senators call for investigation of potential safety security threats from connected cars ]To read this article in full or to leave a comment, please click here
Yes, you and I are waaaaay too savvy to fall for the old “I’m calling from the government and you had better pay up” trick.Unfortunately, others are not, especially among the elderly.So the Federal Trade Commission is once again asking for help getting the word out:
We’re hearing from our colleagues that those pesky government imposters are at it again, using the FTC’s name to try to con people into paying them for something. Whether it’s to clean up your credit report, give you a prize, resolve a complaint against you, or pay off a debt you owe, they’re all lies. The message may be a call or an email, but it isn’t from the Federal Trade Commission, or any other federal agency.To read this article in full or to leave a comment, please click here
Add shareholder voting to the list of applications for blockchain technologies.Later this year, Nasdaq plans to record stockholders' electronic votes on its own blockchain system for companies listed on one of its exchanges. By digitizing the entire process, it expects to speed and simplify the proxy voting process.Blockchains -- the best known of which is the public ledger of bitcoin transactions -- are distributed records of events, each block in the record containing a computational "hash" of itself and of the previous block, so that all are connected like links in a chain.A hash, or digest, is a short digital representation of a larger chunk of data. Hash functions are designed so that calculating (or verifying) the hash of a chunk of data takes little computing power, while creating data with a particular hash is computationally expensive.To read this article in full or to leave a comment, please click here
In the early 1900s, Henry Ford was intent on making the Model T an affordable car for the masses. To do so, he had to figure out a way to vastly improve the company’s manufacturing efficiency in order to reduce consumer prices. Ford solved this problem by adopting a modern manufacturing assembly line based upon four principles: interchangeable parts, continuous flow, division of labor, and reducing wasted efforts. While incident response is a bit different from automobile manufacturing, I believe that CISOs should assess their IR processes and take Ford’s four principles to heart. Here’s how I translate each one for IR purposes:
Interchangeable parts. In Ford’s world, interchangeable parts meant that components like steering wheels and bumpers could be used to assemble all types of cars and thus keep the line moving. In IR, interchangeable parts mean that all detection tools should be based on published APIs so that each one can interoperate with all others. It also means embracing standards like STIX and TAXII for threat intelligence exchange so data can be easily consumed or shared. Finally, interchangeable IR parts calls for the creation and adoption of cybersecurity middleware that acts as a higher-level abstraction layer for Continue reading
The Pwn2Own hacking contest will return in March, pitting researchers against the most popular browsers and operating systems. The novelty: Contestants can win a $75,00 prize for escaping a VMware virtual machine.Contestants will be able to exploit Microsoft Edge or Google Chrome on fully patched versions of 64-bit Windows 10 and Apple Safari on OS X El Capitan. System or root-level privilege escalation pays extra, as does escaping from the virtual machine.Every year, Pwn2Own, at the CanSecWest security conference, has slightly modified rules, and 2016 is no different. Adobe Reader, Mozilla Firefox and Internet Explorer are no longer on the contest's target list. Adobe Flash remains, but only the version that comes bundled with Microsoft Edge.To read this article in full or to leave a comment, please click here
Good news, singletons. According to research from device intelligence and fraud prevention company iovation, fraud on online dating sites is lower leading up to Valentine's Day.In February 2015, 1.23 percent of all online dating transactions were fraudulent, compared to 1.39 percent during all of 2015, according to iovation.This doesn't mean that fraudsters are less active around Valentine's day, but rather that there are more legitimate fish in the online dating sea. "The reason that online fraud rates dip at Valentine's Day is simply because there is a disproportionately high volume of legitimate dating site traffic during that time," said iovation’s VP of Operations Molly O’Hearn. "So it's not that the fraudsters are taking a breather, it's that the legitimate users of data services ramp up, causing the ratio of fraud in the mix to temporarily decline."To read this article in full or to leave a comment, please click here(Insider Story)
One of four congressional sponsors of the ENCRYPT Act of 2016, which would preempt state and local laws banning encryption on smartphones, cut her teeth in mobile communications for Microsoft.U.S. Rep. Suzan DelBene (D-Wash.) worked as vice president of mobile communications at Microsoft from 2004 to 2007. That was her second stint at Microsoft; her first was from 1989 to 1998 after receiving an MBA when she worked on Windows 95, email and embedded systems. In between, she helped start Drugstore.com.To read this article in full or to leave a comment, please click here
This isn't your typical Android security story.Most articles about Android security tools focus on malware-scanning suites like Lookout, Norton and AVG. But with the layers of protection already built into the platform, those sorts of apps are arguably unnecessary and often counterproductive -- or even needlessly expensive.INSIDER: 5 ways to prepare for Internet of Things security threats
For most Android users, the seven tools below should cover all the important bases of device and data security. Some are third-party apps, while others are native parts of the Android operating system. They all, however, will protect your personal info in meaningful ways -- and without compromising your phone's performance. Plus, all but two of them are free.To read this article in full or to leave a comment, please click here
The attackers who crippled Ukrainian power operators in December probably committed attacks shortly before against a mining company and a railway operator, Trend Micro said Thursday.The security company said its latest technical research shows that the same malware -- dubbed BlackEnergy and KillDisk -- were probably used in the earlier actions. It didn't name the targets of those attacks, which took place in November and December."There is remarkable overlap between the malware used, infrastructure, naming conventions, and to some degree, the timing of use for this malware," wrote Kyle Wilhoit, a senior threat researcher.To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe. In October 2012, then-U.S. Secretary of Defense Leon Panetta gave a speech in which he warned that the United States was facing the possibility of a “cyber Pearl Harbor” and was increasingly vulnerable to foreign computer hackers who could dismantle the nation’s power grid, transportation system, financial networks and government. According to Panetta, the nation's adversaries have been acquiring technologies that could allow an aggressor nation or extremist group to gain control of critical infrastructure. “They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”To read this article in full or to leave a comment, please click here
The launch of cloud security startup Cato Networks by cybersecurity expert Shlomo Kramer reminded me of the episode of USA's Mr. Robot when Elliot Alderson explains why he chose his healthcare provider – limited security budget and limited security staff let him break through the perimeter defenses and change his medical records to cover up his lifestyle. In the real world, though, cyber threats are scaling faster than enterprises can respond. Like Elliot, Kramer is counting on enterprises with limited security staff and budgets turning to his new venture for end-to-end, perimeter-less security.According to a report by Reuters, Cato Networks is different because it asks customers to move all their traffic to its encrypted network. In other words, Cato is the opposite of Check Point Software Technologies, the company Kramer co-founded in 1998 that invented a perimeter defense used by almost all enterprises. The mobile internet has changed how the enterprise works. Large numbers of employees operate outside of the traditional security perimeter, necessitating a new way of looking at cyber defenses.To read this article in full or to leave a comment, please click here
A study shows that if the U.S. mandates backdoors to decrypt secret messages in order to help law enforcement, there would still be hundreds of alternative encryption products made outside the reach of U.S. law that terrorists and criminals could get their hands on.
“Smart criminals and terrorists will easily be able to switch to more secure alternatives,” is the conclusion drawn by the study “A Worldwide Survey of Encryption Products”. The authors were Internet security authority Bruce Schneier of Harvard’s Berkman Center for Internet and Society, independent security researcher Kathleen Seidel, and Saranya Vijayakumar, a Harvard student.To read this article in full or to leave a comment, please click here
Enterprises rely on some security products too much while counting on others too little. One product category that companies place too much faith in is encryption, which has vulnerabilities. The OpenSSL web encryption technology’s infamous Heartbleed vulnerability is one example.Enterprises should assess their information security stance in light of the vulnerabilities that have actually given attackers a foothold and lead to costly breaches, whether for their organization or for their peers. Where an off-kilter reliance on some security products is the crack in these defenses, look at a more effective combination of tools. Don’t ignore tools that are effective yet limit some usability. Security products that enable a lot of usability while masking danger are among those that we do and will continue to count on too much.To read this article in full or to leave a comment, please click here
Israeli startup Indegy monitors devices on industrial control networks to detect when their configurations have changed as a way to know when the machines are compromised, an attack vector exploited by the Stuxnet worm that took down Iranian nuclear centrifuges.The company makes an appliance that attaches to span ports on the switches that industrial control devices are connected to. It monitors the control layers of the devices and traffic they send over the network in order to discover changes.+ ALSO: Stuxnet reached its target via the networks of trusted business partners+To read this article in full or to leave a comment, please click here
Cisco Systems patched a critical vulnerability that could allow remote attackers to take over Cisco Adaptive Security Appliance (ASA) firewalls configured as virtual private network servers by simply sending malformed network packets to them.For devices that are designed to protect private networks from Internet attacks, this is as bad as it gets. That's why Cisco rated the vulnerability with the maximum score of 10 in the Common Vulnerability Scoring System.The flaw is located in the Cisco ASA code that handles the Internet Key Exchange version 1 (IKEv1) and IKE version 2 (IKEv2) protocols. More precisely, it stems from a buffer overflow condition in the function that processes fragmented IKE payloads.To read this article in full or to leave a comment, please click here