After being caught off guard by the disclosure of a serious flaw in the Linux kernel this week, Google has quickly developed a patch for Android and shared it with device manufacturers.It might take weeks for device makers to start releasing firmware updates that include the fix, but that's not a huge problem since, according to Google's assessment, the flaw doesn't affect many Android devices to begin with.The privilege escalation vulnerability allows attackers to gain full control over Linux-based systems if they have access to a limited account or trick users into running a malicious application. It was found by researchers from Israeli threat defense start-up Perception Point.To read this article in full or to leave a comment, please click here
Today, Veracode released "The State of Web and Mobile Application Security in Healthcare," made possible after Veracode, along with the Healthcare Information and Management Systems Society (HIMSS), surveyed 200 healthcare IT executives. The exploitation of vulnerabilities in apps was the greatest concern among those healthcare IT execs.Veracode reported, "Survey respondents cited the potential for loss of life due to compromised networks or medical devices, brand damage due to theft of patient information and regulatory enforcement as their top fears related to such security breaches."To read this article in full or to leave a comment, please click here
The fight for privacy is moving to U.S. states with 16 states and the District of Columbia introducing legislation on Wednesday that address issues such as requiring permission before student data is shared for non-educational purposes and the requirement of warrants before using cell site simulators to track phone users.“A bipartisan consensus on privacy rights is emerging, and now the states are taking collective action where Congress has been largely asleep at the switch,” said Anthony D. Romero, executive director of the American Civil Liberties Union, which coordinated the initiative, in a statement. To read this article in full or to leave a comment, please click here
A number of Ukrainian power companies are seeing fresh cyberattacks following ones in December that briefly knocked out power for tens of thousands of customers.
Security vendor Eset said on Wednesday that the attacks use a different kind of malware, prompting questions about whether the same group or groups are involved.
"The malware is based on a freely available open-source backdoor – something no one would expect from an alleged state-sponsored malware operator," wrote Robert Lipovsky, a senior malware researcher with Eset.
The new finding deepens the mystery over who is targeting the Ukrainian companies.To read this article in full or to leave a comment, please click here
FireEye has acquired Texas-based iSight Partners for $200 million, a deal that executives say will give FireEye stronger intelligence on cybercriminal and hacking groups before they strike.The transaction, announced Wednesday, closed on Jan. 14.FireEye started with an end-point protection product aimed at filtering out malware before it entered a company's network. But the company has sought to expand its range of services through acquisitions as cybersecurity has become an ever-increasing concern -- and a more lucrative business.In early 2014, it bought Mandiant, a computer security company that specializes in investigating cyberattacks. The victims of some of the largest data breaches in memory, including Target, have retained Mandiant's services.To read this article in full or to leave a comment, please click here
Think housing your servers in a data center rather than squeezing them under your desk is a bulletproof solution?Well, they might be safer in a data center, but believe it or not, some of the same pitfalls that can create trouble in the office can affect those secure data centers too. Namely UPS failure, human error, and cybercrime.'Unplanned'
UPS system failure is still the principal cause of "unplanned data center outages," according to a new report.To read this article in full or to leave a comment, please click here
It looks like a slick Jedi move, but it's actually the Internet of Things: When Hannes Sjöblad wants to pay for coffee, he waves his hand in front of the pay station. When he wants to open a door, he waves his hand in front of the digital lock. When he wants to start his car, he waves his hand in front of the ignition. No, he's not Obi-Wan Kenobi saving two rebel droids; Sjöblad is a famous Swedish bodyhacker who has implanted electronics, including a passive Near-Field Communications (NFC) transmitter, into his own hand. So, instead of using his smartphone or smartwatch to activate a payment terminal, a wave of the hand gets the job done.To read this article in full or to leave a comment, please click here
Facebook has added the option to route traffic from its Android mobile app over the Tor anonymity network. This will come as good news for privacy-conscious users or those living in countries where the service is censored.Users can enable the new feature, which is still experimental, from the Facebook app's settings. However, they first need to install a separate application from Google Play called Orbot that functions as a proxy for routing traffic through Tor.To read this article in full or to leave a comment, please click here
Authorities at the Federal Trade Commission are working overtime to keep up with the ever-changing online privacy landscape, a fast-moving environment that is highly technical but also keys into the core consumer-protection functions of the agency.FTC officials recently hosted a day-long privacy conference that saw a parade of academics present their latest research on the ways that online companies are collecting and using their customers' personal information.FTC Chair Edith Ramirez has made no secret of her worry that some companies may be stepping over the line in their information-gathering practices, deliberately obscuring the details of what data they collect, how long they hold onto it and what they do with it.To read this article in full or to leave a comment, please click here
Intel has quietly built what it calls Authenticate technology into its Skylake with vPro chips for businesses, combining multiple means of authentication for greater security.
Intel has quietly built what it calls Authenticate technology into its Skylake with vPro chips for businesses, combining multiple means of authentication for greater security.
A software utility that helps users download the latest drivers for their Intel hardware components contained a vulnerability that could have allowed man-in-the-middle attackers to execute malicious code on computers.The tool, known as the Intel Driver Update Utility, can be downloaded from Intel's support website. It provides an easy way to find the latest drivers for various Intel chipsets, graphics cards, wireless cards, desktop boards, Intel NUC mini PCs or the Intel Compute Stick.The vulnerability stems from the tool using unencrypted HTTP connections to check for driver updates. Such connections can be intercepted and modified by attackers located on the same local network as affected computers or in control of a router along their Internet connection paths.To read this article in full or to leave a comment, please click here
If all the recent IT hiring surveys are to be believed, chief security officers can expect a pretty sweet year in 2016. Job demand is up. Salaries are way up. And neither trend is expected to slow anytime soon.Yes, good CSOs can pretty much write their own ticket in 2016. That is, if they can write a good resume.Despite the growing demand for IT security leaders, IT recruiters confirm that organizations are still very fussy about whom they will bring on board or promote into this key role. A strong background in technology and IT security is a given. But so are business savvy, solid communication skills, top leadership qualities, and demonstrated value.To read this article in full or to leave a comment, please click here(Insider Story)
Dridex, the banking malware that won't go away, has been improved upon once again.IBM's X-Force researchers have found that the latest version of Dridex uses a DNS (Domain Name System) trick to direct victims to fake banking websites.The technique, known as DNS cache poisoning, involves changing DNS settings to direct someone asking for a legitimate banking website to a fake site.DNS cache poisoning is a powerful attack. Even if a person types in the correct domain name for a bank, the fake website is still shown in the browser."By keeping the victim away from the bank’s site, the fraudster can deceive them into divulging critical authentication codes without the bank knowing that the customer’s session has been compromised," wrote Limor Kessem, a cybersecurity expert with IBM's Trusteer division, in a blog post on Tuesday.To read this article in full or to leave a comment, please click here
Oracle admins will be busy: The company issued 248 patches on Tuesday, its largest-ever release, according to one security vendor.Five of the vulnerabilities have the highest severity rating according to the Common Vulnerability Scoring System (CVSS), wrote ERPScan, a security company that specializes in SAP and Oracle systems.Most of those vulnerabilities related to Java SE, Oracles's platform for running Java applications on servers and desktops.In a long advisory, Oracle recommended that admins patch immediately.To read this article in full or to leave a comment, please click here
A protocol designed and promoted by the British government for encrypting voice calls has a by-design weakness built into it that could allow for mass surveillance, according to a University College London researcher.Steven Murdoch, who works in the university's Information Security Research Group, analyzed a protocol developed by CESG, which is part of the spy agency GCHQ.The MIKEY-SAKKE (Multimedia Internet KEYing-Sakai-KasaharaKey Encryption) protocol calls for a master decryption key to be held by a service provider, he wrote in an analysis published Tuesday.To read this article in full or to leave a comment, please click here
Advocacy group I Am the Cavalry is urging organizations that manufacture and distribute medical devices to adopt a cybersecurity version of the Hippocratic Oath.The group, which advocates for better security in life-impacting computers like those used in modern cars, medical devices or critical infrastructure, has published an open letter to the health-care industry, calling for a commitment to five principles when creating, using and maintaining medical devices.Those principles are security by design, collaboration with security researchers, ensuring that evidence of potential failures is captured and preserved for later analysis, safeguarding critical elements under the assumption that they'll operate in adverse conditions and providing easy-to-install security updates.To read this article in full or to leave a comment, please click here
Depending upon whom you believe, there are roughly 800 to 1200 companies selling cybersecurity products and services to end customers. Yes, the cybersecurity market is forecast to be around $70 billion this year, but that’s still a lot of vendors.Now, there are point product specialists, managed services firms, and enterprise security vendors all competing for the same dollars. So how can any company stand out from the crowd? In my opinion, each security vendor must determine where its products and service fit among four distinct buyer types:
Security-centric buyers. This traditional security buyer evaluates and purchases security products and services based upon discrete needs and budgets. As such, security-centric buyers tend to look for best-of-breed products from vendors with strong cybersecurity experience. Startups with strong cybersecurity chops are welcome to this club but purchasers also maintain a “rip-and-replace” mentality rather than any type of long-term allegiance. Vendors like Bit9 + Carbon Black, Cylance, Check Point, FireEye, Fortinet, Palo Alto Networks, Symantec, and Trend Micro come to mind here. Note that security-centric buyers will have some role to play in EVERY cybersecurity product and services deal.
IT infrastructure-centric buyer. In most cases, IT infrastructure vendors extend their reach into security Continue reading
With the Internet of Things really starting to take off now, especially in the home security / video camera space, I recently had a chance to try out two devices aimed at making your home more secure through motion detection, alerts and audio communications.The scoop: Canary home security video camera, $199 (or a two-pack for $379), by CanaryWhat is it? Here’s another network-connected video camera that you can use to monitor your home for security-related purposes, such as looking for intruders, or non-security purposes, such as watching to see if your dog is jumping on the furniture, or a “babycam” to see if your child is sleeping or awake. The cylindrical device connects via wired ethernet to a home router, or you can use a Wi-Fi network (802.11a/b/g/n). Monitoring of the camera is done via mobile app (Android or iOS supported).To read this article in full or to leave a comment, please click here
Authentication/identity-protection startup Trusona has enlisted the help of former identity thief Frank Abagnale -- the subject of the movie “Catch Me if You Can” -- to advise as it prepares to market what it claims to be an unbreakable cloud platform to make sure imposters don’t login. Wikimedia
Frank Abagnale
Abagnale, now a security consultant, has helped out Trusona’s founder and CEO Ori Eisen before with his previous venture, ad-tracking and fraud prevention firm 41st Parameter, which was bought by Experian in 2013.To read this article in full or to leave a comment, please click here