Category Archives for "Network World Security"

Antivirus software could make your company more vulnerable

Imagine getting a call from your company's IT department telling you your workstation has been compromised and you should stop what you're doing immediately. You're stumped: You went through the company's security training and you're sure you didn't open any suspicious email attachments or click on any bad links; you know that your company has a solid patching policy and the software on your computer is up to date; you're also not the type of employee who visits non-work-related websites while on the job. So, how did this happen? A few days later, an unexpected answer comes down from the security firm that your company hired to investigate the incident: Hackers got in by exploiting a flaw in the corporate antivirus program installed on your computer, the same program that's supposed to protect it from attacks. And all it took was for attackers to send you an email message that you didn't even open.

Russian group suspected to be linked to Ukraine power station cyberattack

A cyberattack that knocked out power in Ukraine last month is believed to have been initiated by a hacking group with strong Russian interests. iSight Partners, a cybersecurity firm headquartered in Dallas, wrote on Thursday that a group called Sandworm was likely involved. The link was made after a study of a malware sample called KillDisk and a related one used by Sandworm in the past called BlackEnergy 3, wrote John Hultquist, director of cyberespionage analysis at iSight Partners.

Android-powered smart TVs targeted by malicious apps

Smart TVs running older versions of Android are being targeted by several websites offering apps containing malware, according to Trend Micro. The security vendor wrote on Thursday that it found a handful of app websites targeting people in the U.S. and Canada by offering the malicious apps. The apps are exploiting a flaw in Android that dates to 2014, showing that many smart TVs do not have the latest patches. "Most smart TVs today use older versions of Android, which still contain this flaw," wrote Ju Zhu, a mobile threats analyst with Trend. "While most mobile Android devices can easily be upgraded to the latest version, upgrading smart TV sets may be more challenging for users because they are limited by the hardware."

Microsoft, Google, Facebook to U.K.: Don’t weaken encryption

Microsoft, Google and Facebook are urging U.K. officials not to undermine encryption as they work on laws that would authorize forcing communications service providers to decrypt customer traffic. In a joint written submission to the U.K. Parliament, the three U.S.-based companies lay down several areas of concern which, if not addressed, they say could damage their businesses and leave them caught in legal crossfires among the many countries where they do business.

How long will consumers put up with the IoT’s failures?

A recurring theme undercutting the enthusiasm surrounding the Internet of Things and the smart home at CES this week has been how the shortcomings of the technology could hold back the market. How long will consumers put up with products that don't work, fail to connect to the network, or put their privacy at risk? A panel of IoT support experts speaking at CES today explained that, while some of the better-known products, like Google's Nest thermostat, are designed with easy setup and connectivity, many others fall short in important areas. Since consumers aren't always equipped to resolve these issues on their own, these concerns threaten to hold the IoT market back from reaching its lofty projections.

Will the European Union’s new General Data Protection Regulation impact your business?

Does your company do business internationally, and especially with customers within the European Union (EU)? If so, then you need to pay attention to what's happening in the areas of data privacy and data sovereignty. Big changes are underway and they could have an impact on how you manage customer information. At the end of December, the European Commission (EC) approved the final version of the General Data Protection Regulation (GDPR). It's a massive overhaul of the EU's 1995 data protection rules (Directive 95/46/EC), which were quite out of date given the technology developments and globalization of the last two decades. The EC has been working on the GDPR since 2012 in order to strengthen online privacy rights and boost Europe's digital economy.

Callous snow-plow-blade thieves violate first rule of security cameras

Not that much is expected of your garden-variety thieves, but stealing a 500-pound snow plow blade from a fire department in the dead of winter requires an elevated level of disregard for the wellbeing of your fellow citizens. Such a brazen theft in this era of ubiquitous surveillance also requires a surprisingly common breed of cluelessness, as the act violates the first rule of security cameras: They are everywhere. I note this particular case of reckless stupidity in part because the occupants of the pickup pictured above victimized the fire department and residents of North Attleboro, Mass., my hometown, when they attached the blade to their truck and drove off. Friends and former neighbors were put at risk.

Drupal sites at risk due to insecure update mechanism

The update mechanism of the popular Drupal content management system is insecure in several ways, allowing attackers to trick administrators into installing malicious updates. Researcher Fernando Arnaboldi from security firm IOActive noticed that Drupal will not inform administrators that an update check has failed, for example due to an inability to access the update server. Instead, the back-end panel will continue to report that the CMS is up to date, even if it's not. This can be a problem, considering that hackers are quick to exploit vulnerabilities in popular content management systems like Drupal, WordPress or Joomla after they appear. In one case in 2014, users had only a seven-hour window to deploy a critical Drupal patch before attackers started exploiting the vulnerability that it fixed.

Continued support for MD5 endangers widely used cryptographic protocols

The old and insecure MD5 hashing function hasn't been used to sign SSL/TLS server certificates in many years, but it continues to be used in other parts of encrypted communications protocols, including TLS, thereby weakening their security. Researchers from the INRIA institute in France have devised several attacks that prove the continued support for MD5 in cryptographic protocols is much more dangerous than previously believed. They showed that man-in-the-middle attackers can impersonate clients to servers that use TLS client authentication and still support MD5 hashing for handshake transcripts. Intercepting and forwarding credentials through protocols that use a TLS channel binding mechanism is also possible.

Does a data breach really affect your firm’s reputation?

The long-held view is that breached companies are cast aside by consumers, investors and shareholders. A breach isn’t just a temporary glitch – it’s a mistake, a faux pas, which you can’t just shake off. This warning has been used by information security professionals over the course of the last five years, and for good reason: nothing gets a CEO or CFO’s attention on security matters more than "this is losing us money". However, on closer inspection, it could be argued that this reputation argument is a falsehood. Over the course of the last 18 months, we’ve seen some of the biggest, most widespread data breaches in the history of the Internet.

Overcoming stubborn execs for security’s sake

Even with the greater awareness of strong security within organizations, and the high-profile hacks that have contributed to that increased awareness, security executives still encounter significant hurdles in doing their jobs to protect data and systems. Clashes with senior business executives as well as those at lower levels of organizations make it more challenging for CSOs and CISOs to create a secure environment, and yet they continue to happen. Many of the conflicts that occur between security and business executives are due to ongoing philosophical differences regarding risk, says Dave Dalva, vice president at Stroz Friedberg, who has worked in the position of CISO for a number of clients.

Uber to pay $20,000 in settlement on privacy issues with New York attorney general

Uber has agreed to pay a penalty of US$20,000 in a settlement with New York Attorney General Eric T. Schneiderman for delaying in reporting to drivers the 2014 data breach of their personal information. The ride-hailing company has also agreed to tighten employee access to geo-location data of passengers, following reports that the company's executives had an aerial "God View" of such data, the office of the attorney general said in a statement Wednesday. Uber notified Schneiderman's office on Feb. 26, 2015 that driver names and license numbers were accessed by an unauthorized third party in a data breach that was discovered as early as September 2014. The fine has been imposed on the company for its delay in providing timely notice of the data breach to the affected drivers and the office of the attorney general.

Malvertising campaign used a free certificate from Let’s Encrypt

Cybercriminals are taking advantage of an organization that issues free digital certificates, sparking a disagreement over how to deal with such abuse. On Wednesday, Trend Micro wrote that it discovered a cyberattack on Dec. 21 that was designed to install banking malware on computers. The cybercriminals had compromised a legitimate website and set up a subdomain that led to a server under their control, wrote Joseph Chen, a fraud researcher with Trend. If a user went to the site, the subdomain would show a malicious advertisement that would redirect the user to sites hosting the Angler exploit kit, which looks for software vulnerabilities in order to install malware.

The ins and outs of deception for cyber security

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach. It is no longer debated that a prevention-only security strategy is enough. Security teams must go on the offense and create an environment that provides continuous real-time detection against an ever-changing landscape of cyber threats, and deception tools can play a critical role. Deception as a strategy has been used for years in war and, notably, by cyber attackers. However, using deception to address threats that have bypassed traditional prevention security measures is an emerging and additional line of defense. Today’s deception-based technology abandons the reliance on known attack patterns and monitoring, and instead uses advanced luring techniques and engagement servers to entice an attacker away from valuable company servers.

Microsoft moving to be ‘ultimate platform for all intelligent cars’

While Microsoft may not be building its own smart, connected vehicles, can you imagine a world in which Microsoft provides the “ultimate platform for all intelligent cars”? Microsoft certainly can, and the company has previously claimed that it invented or invisibly runs nearly everything. Yet several announcements coming from CES 2016 make it seem like Microsoft’s plan to take over the world of intelligent cars is not so far-fetched. “In the near future, the car will be connected to the Internet, as well as to other cars, your mobile phone and your home computer,” said Microsoft’s Peggy Johnson, executive vice president of business development. “The car becomes a companion and an assistant to your digital life. And so our strategy is to be the ultimate platform for all intelligent cars.”

Not in my airspace: Airbus rolls out anti-drone system

Unwanted unmanned aircraft in your airspace? Zap ‘em with a new anti-drone system from Airbus Defense and Space. As the drone world seems to be exploding -- along with increased reports of close calls with other aircraft and privacy invasion complaints -- the inevitable backlash against the unmanned aircraft may also be growing. Perhaps one example of that backlash came in the form of Airbus’ counter-UAV system, rolled out at the Consumer Electronics Show in Las Vegas this week.

IDG Contributor Network: 5 cybersecurity trends to watch for 2016

We may welcome in the New Year with open arms, but we must also prepare for the cybersecurity threats ahead of us. The 2015 Cost of Data Breach Study from IBM and the Ponemon Institute put the average cost of a data breach at $3.79 million, and that figure is expected to grow in the year ahead. With the right resolutions, you can drastically reduce your chances of falling prey to cybercriminals. Here are five major trends in cybersecurity that you should have in mind when updating your InfoSec plans for 2016.

Third try is no charm for failed Linux ransomware creators

Getting cryptographic implementations right is difficult. A group of malware creators is currently experiencing that hard truth, to the amusement of security researchers. For the past several months, a group of cybercriminals has been infecting Linux systems -- primarily Web servers -- with a file-encrypting ransomware program that the security industry has dubbed Linux.Encoder. This development is worrying, because Web server infections don't require user interaction, unlike on desktop computers, where getting users to open rogue email attachments or visit malicious websites is a common attack vector. Instead, the hackers use automated scanners to find servers that host vulnerable applications or have weak SSH passwords they can guess using brute-force methods.

Privacy rules spur Intralinks growth

Intralinks launched in the late 1990s to help companies involved in corporate buyouts and mergers maintain control over critical, shared information during the deal-making process. Today, the company is applying its secure collaboration capabilities to a wide variety of new customers and use cases – from CMOs building marketing campaigns to pharmaceutical companies coordinating data for patients, physicians and regulators involved in major drug trials. Under CEO Ron Hovsepian, Intralinks has created a cloud-based platform that empowers an array of customers who need to share content safely with external partners. In this installment of the IDG CEO Interview Series, Hovsepian spoke with Chief Content Officer John Gallant about how changes in privacy and data sovereignty rules are driving Intralinks’s growth and talked about how the technology may replace secure Web sites for confidential communications among businesses and their customers.

Exploit broker places $100k bounty on bypassing Flash Player’s latest defenses

A little over two weeks have passed since Adobe strengthened Flash Player with new security defenses, and there's already interest in the commercial exploit market for ways around them. Zerodium, a company that buys unpatched and unreported exploits from third-party researchers, announced on Twitter that it is offering $100,000 for exploits that bypass Flash Player's latest "heap isolation" protection. This memory defense mechanism makes exploiting certain types of security flaws much harder. These flaws account for a large portion of the Flash Player vulnerabilities exploited by hackers in recent years to infect computers with malware.