Category Archives for "Network World Security"

Congress eyes commission to tackle encryption debate

Bipartisan congressional legislation will be introduced to create a national commission on security and technology that addresses the growing concern over encryption technology used by terrorists. Sen. Mark Warner, D-Va., and Rep. Michael McCaul, R-Tex., plan to discuss their joint legislative proposal to create a Digital Security Commission later today, according to aides. McCaul is the chairman of the House Homeland Security Committee; Warner is a member of the Senate's Select Committee on Intelligence, among other committees. A major focus of the commission will be encryption technology used in smartphone apps and elsewhere and how intelligence officials can legally monitor encrypted communications used by terrorists to plan attacks. Both lawmakers have written about how encryption poses a paradox for protecting both security and personal privacy.

The Big Hang-up: IRS customer call center service stinks

If you have ever tried to get tax help from the IRS over the phone and weren’t able to get any – you are not alone. That’s because the Internal Revenue Service provided the lowest level of telephone service during fiscal year 2015 compared to prior years, with only 38% of callers who wanted to speak with an IRS assistant able to reach one, according to a report this week from the Government Accountability Office. Perhaps worse yet is that the IRS and Department of Treasury have no real plans to improve the situation, the GAO stated.

These are the 25 worst passwords of 2015

Look on the bright side! There’s one good thing that comes out of all those website breaches every year: Security researchers get to comb through all those lists of usernames and passwords to remind us just how bad most of our passwords are. Now that we’re well into 2016, password management company SplashData just released its annual round-up of the worst passwords of 2015.

EZ-Wave: A Z-Wave hacking tool capable of breaking bulbs, abusing Z-Wave devices

The synopsis for Breaking Bulbs Briskly by Bogus Broadcasts mentions the promise of smart energy and building automation, as well as the many unintended vulnerabilities that are introduced in the rush to bring IoT devices to market. The researchers believe “the ability to physically damage hardware by abusing network access is particularly interesting.” I agree. Frustrated by the “lack of functionality in current Z-Wave hacking tools,” ShmooCon presenters Joseph Hall and Ben Ramsey created and released a new, open source EZ-Wave tool. Not only did the duo discuss how to use the tool for pen-testing Z-Wave wireless automation networks, they also discussed “a rapid process for destroying fluorescent lights.” They added, “Once access is gained to an automated lighting system, regardless of the protocol used, we demonstrate how to destroy fluorescent lamps rated for 30K hours within a single night of abuse.”

Linux kernel flaw endangers millions of PCs, servers and Android devices

For almost three years, a serious vulnerability in the Linux kernel could have allowed attackers to take full control over Linux-based PCs, servers, Android phones and other embedded devices. The flaw, which stems from the kernel's keyring facility, allows applications running under a local user to execute code in the kernel. As a result, an attacker with access to only a limited account on a Linux system can escalate their privileges to root. The vulnerability, tracked as CVE-2016-0728, was found and reported to the Linux kernel security team and several Linux distribution maintainers by researchers from an Israeli threat defense start-up called Perception Point.

Social engineering: 7 signs that something is just not right

The best remedies a company can put in place start with education and teaching what to look for and what not to do. Morey Haber, vice president of Technology, BeyondTrust, lists some of the gotchas that should make your employees back away from the incoming email.

Linux zero-day affects most Androids, millions of Linux PCs

A new zero-day vulnerability has been discovered that allows Android or Linux applications to escalate privileges and gain root access, according to a report released this morning by Perception Point. "This affects all Android phones KitKat and higher," said Yevgeny Pats, co-founder and CEO at security vendor Perception Point. Any machine with Linux Kernel 3.8 or higher is vulnerable, he said, including tens of millions of Linux PCs and servers, both 32-bit and 64-bit. Although Linux lags in popularity on the desktop, the operating system dominates the Internet, mobile, embedded systems and the Internet of Things, and powers nearly all of the world's supercomputers.

Pakistan unblocks YouTube after Google launches local version

Pakistan has lifted a ban on YouTube in the country after Google offered a localized version, which the government claims will allow it to ask for the removal of material considered offensive from the website. YouTube was ordered blocked in Pakistan in 2012 after a controversial video, called the "Innocence of Muslims," created a controversy in many countries for mocking the Prophet Muhammad. Pakistan authorities told a court that they were blocking the whole domain because it was not technically feasible for them to block specific links to the video.

Advantech industrial serial-to-Internet gateways wide open to unauthorized access

Internet-connected industrial devices could be accessible to anyone, with no password, thanks to a coding error by a gateway manufacturer. Taiwanese firm Advantech patched the firmware in some of its serial-to-IP gateway devices in October to remove a hard-coded SSH (Secure Shell) key that would have allowed unauthorized access by remote attackers. But it overlooked an even bigger problem: Any password will unlock the gateways, which are used to connect legacy serial devices to TCP/IP and cellular networks in industrial environments around the world. Researchers from security firm Rapid7 discovered the vulnerability in the revised firmware, version 1.98, released for the Advantech EKI-1322 Internet protocol (IP) gateway, which can connect serial and Ethernet devices to a cellular network.

Network security vs. app security: What’s the difference, and why does it matter?

If you’re familiar with the film The NeverEnding Story, then you know that the goal of the hero, Atreyu, was to reach the boundaries of Fantasia. He’s disappointed to learn that Fantasia has no boundaries because it’s the land of human fantasy. In some ways, the land of Fantasia is like network security. Where once there existed a fortress around the perimeter of a land that needed to be protected, those boundaries have expanded, leaving security professionals scratching their heads trying to discern how best to protect the enterprise against invaders. The idea that time and resources should be invested in either network security or application security is misguided, as both are equally important to securing the enterprise.

5 biggest cybersecurity concerns in 2016

Last year began and ended with a series of high-profile cybersecurity attacks, starting with the pilfering of 80 million Social Security records at health insurer Anthem and culminating with infiltrations at Starwood, Hilton and Hyatt hotel chains. Expect digital assaults -- ranging from standard malware to more sophisticated, clandestine entries -- to continue on leading corporate brands in 2016, according to Raytheon's Websense business. The cybersecurity software maker, which analyzed threat data from 22,000 customers in 155 countries, says hackers will conjure attacks that target emerging technologies, such as mobile payments and top-level domains.

New products of the week 1.18.2016

Our roundup of intriguing new products. Cloudmark Trident. Key features: Cloudmark Trident combines threat intelligence, anomaly detection, context analysis and behavioral learning to intercept spear phishing attacks that evade current solutions.

Anyone could pull off a LostPass phishing attack to get all your LastPass passwords

Heads-up if you use LastPass, as a security researcher released LostPass code on GitHub that bad guys could jump on immediately, and an attack could be in the wild even now. In essence, if you use LastPass then you could be tricked into handing over the keys – or master password – to your digital kingdom. The LostPass attack works best in Chrome, but if you think you could spot the phishing then think again; Sean Cassidy, CTO of cloud-based cybersecurity firm Praesidio, warned that a user would not be able to tell a difference between a LastPass message displayed in the browser and the fake LostPass message since “it’s pixel-for-pixel the same notification and login screen.”

LastPass phishing attack could have scooped up passwords

A relatively simple phishing attack could be used to compromise the widely used password manager LastPass, according to new research. Notifications displayed by LastPass version 4.0 in a browser window can be spoofed, tricking people into divulging their login credentials and even snatching a one-time passcode, according to Sean Cassidy, who gave a presentation at the Shmoocon conference on Saturday. Cassidy, who is CTO of Praesidio Inc., notified LastPass of the issues. In a blog post, LastPass said it has made improvements that should make such an attack harder to pull off without a user knowing.

FidSafe: A cloud service for important documents (and the price is right)

FidSafe is a new online repository for storing digital copies of your important documents such as wills, bank statements, tax returns, etc., so that “the critical files you need are available to you and your family whenever and wherever you need them, even after you’re gone.” And by “gone,” XTRAC LLC (a Fidelity Investments company), which offers FidSafe, doesn’t mean that you’ve just popped out to get ice cream; they mean “gone” as in having joined the choir invisible.

Network Security Sandboxes Driving Next-Generation Endpoint Security

Remember advanced persistent threats (APTs)? This term originated within the United States Air Force around 2006. In my opinion, it gained more widespread recognition after the Google “Operation Aurora” data breach first disclosed in 2010. This cyber-attack is attributed to groups associated with China’s People’s Liberation Army and impacted organizations like Adobe Systems, Juniper Networks, Northrop Grumman, Symantec, and Yahoo in addition to Google. APT visibility got another boost in 2013 when Mandiant released its now famous APT1 report documenting several cyber-attacks emanating from a PLA group known as Unit 61398.

Little Rock, Tampa, and St. Louis hardest-hit by malware among U.S. cities, study finds

Little Rock, Tampa, St. Louis, Orlando and Denver were the five American cities most affected by malware on a per-capita basis in 2015, according to a study released today by Enigma Software. Those five municipalities suffered malware infection rates, the company said, roughly eight or nine times the national average for 2015. Little Rock’s rate was 1,412% above the U.S. average, Tampa’s 842%, while the other three all had rates around 650% of the overall mean.

Automakers will collaborate to try to stop car hacks before they happen

Major automakers plan to work with the U.S. government to try to deter hacks of connected cars before they become a major issue. To date, there haven't been any major cyberattacks on cars, but a number of security researchers demonstrated potentially serious attacks in 2015, and that has the government worried. So the U.S. Department of Transportation (DOT) is hoping it can get the auto industry to mirror proactive safety work that already takes place in the aviation industry. The agreement has been signed by all major automakers that operate in the U.S. "Real safety is finding and fixing defects before someone gets hurt, rather than just punishing after the damage is done," U.S. Transportation Secretary Anthony Foxx said Friday when he announced the initiative at the North American International Auto Show in Detroit.

State CIOs agenda targets cybersecurity

The association representing state CIOs has an ambitious policy agenda in the nation's capital this year, when members and their advocates will be appealing to Congress for help in securing critical infrastructure and for relief from a thicket of federal regulations. At the top of the list is cybersecurity, perhaps unsurprising given that members of the National Association of State CIOs (NASCIO) ranked that issue at the top of their own set of operational priorities late last year.

Hyatt hackers hit payment processing systems, scooped cards used at 250 locations

Hackers managed to compromise payment cards used at 250 Hyatt Hotels locations in around 50 countries after infecting the company's payment processing systems with malware. Hyatt announced the data breach back in December and launched an investigation. On Thursday, it published the full list of affected locations and the time interval during which the payment cards were exposed: Aug. 13 to Dec. 8. Most of the potentially compromised cards were used at restaurants in the affected locations, but a small percentage were used at spas, golf shops, parking systems, front desks and sales offices.