Category Archives for "Network World Security"

Google joins Mozilla, Microsoft in pushing for early SHA-1 crypto cutoff

Google is considering banning certificates signed with the SHA-1 cryptographic function in Google Chrome starting Jul. 1. This follows similar announcements from Mozilla and Microsoft over the past two months.

The browser vendors had previously decided to stop trusting SHA-1-signed certificates presented by HTTPS websites on Jan. 1, 2017, a year after certificate authorities are supposed to stop issuing new ones.

However, due to recent research showing that SHA-1 is weaker than previously believed, Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months.

5 information security trends that will dominate 2016

Every year, it seems, the threats posed by cybercriminals evolve into new and more dangerous forms while security organizations struggle to keep up.

As 2015 draws to a close, we can expect the size, severity and complexity of cyber threats to continue increasing in 2016, says Steve Durbin, managing director of the Information Security Forum (ISF), a nonprofit association that assesses security and risk management issues on behalf of its members.

"For me, 2016 is probably the year of cyber risk," Durbin says. "I say that because increasingly I think we are seeing a raised level of awareness about the fact that operating in cyber brings about its own peculiarities."

Juniper updates list of backdoored enterprise firewall OS versions

Juniper revised the list of ScreenOS versions that contain a backdoor allowing attackers to bypass authentication and gain administrative access to NetScreen enterprise firewall devices.

The networking equipment manufacturer announced last week that it found, during an internal audit, two instances where rogue code was added to its ScreenOS operating system without authorization. The code could be used by attackers to gain privileged access to NetScreen firewall devices and to decrypt VPN connections.

The company said at the time that ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 were vulnerable, but an analysis by researchers from security firm Rapid7 revealed that not all listed versions are vulnerable to both issues.

Essential data points for the tech year ahead

Ready, set, disrupt!

If an overarching conclusion can be drawn from the results of Computerworld's Forecast survey of 182 IT professionals, it's that 2016 is shaping up to be the year of IT as a change agent.

IT is poised to move fully to the center of the business in 2016, as digital transformation becomes a top strategic priority. CIOs and their tech organizations are well positioned to drive that change, thanks to IT budget growth, head count increases and a pronounced shift toward strategic spending.

Tim Cook says there isn’t a trade-off between security and privacy

In a strong defense of encryption, Apple's CEO Tim Cook said that there was no trade-off between privacy and national security when it comes to encryption.

"I think that's an overly simplistic view. We're America. We should have both," he told Charlie Rose on CBS' 60 Minutes program on Sunday, according to a transcript of the interview posted online.

Cook said that people should be able to protect their personal data on their smartphones, such as health and financial information, intimate conversations with family and co-workers, and possibly business secrets.

Juniper faces many questions after spying code planted in software

The discovery of spying code nestled deeply in Juniper's networking equipment, the latest example of a major IT vendor caught up in a damaging cyberattack, raises many questions.

Juniper said Thursday that one of its firewall operating systems had been modified to allow secret access, posing a huge threat to companies and organizations using the equipment.

Security experts wondered how the modifications could have been made years ago to some of Juniper's most sensitive source code without it knowing until recently. Companies try to vigorously protect their source code, which is an IT company's core intellectual property.

But the fact that Juniper's Chief Information Officer, Bob Worrell, came forward with the findings has been met with praise, although there is hope the company will soon provide greater detail.

Sentri wants to guard your home but isn’t very good at it yet

Home automation is now “A Serious Thing”™ with what seems to be a new technology company throwing its hat into the ring just about every day. Today I have yet another entrant to the market, the Sentri, a home monitoring device with a lot of potential but also a lot of problems.

The Sentri is a touchscreen tablet computer that acts primarily as a video home surveillance and environmental monitoring system. It’s roughly tablet-size (9.842" by 9.842" square and 1.18" deep) with a 120-degree, wide-angle camera, night vision, and temperature, humidity, and air quality sensors. At any time and from anywhere you can view the Sentri’s video using the free iOS and Android apps.

FBI, DHS investigating Juniper hack, secret backdoor dates back 3 years

Juniper Networks’ announcement of discovering “unauthorized code” in its software which could allow attackers to take over machines and decrypt VPN traffic has shaken up more than the security world; the Department of Homeland Security and the FBI are reportedly involved in investigating the backdoor.

After Juniper warned that attackers could exploit the “unauthorized code” in order “to gain administrative access to NetScreen devices and to decrypt VPN connections,” and then wipe the logs to remove any trace of a compromise, an unnamed senior official told Reuters that the Department of Homeland Security is involved in Juniper’s investigation.

Dog and Bone LockSmart: The padlock rethought

It’s amazing what manufacturers have turned into “connected” devices and many of them, for example Bluetooth-enabled toothbrushes, seem more like “me-too” attempts to attract attention rather than real product improvements. Not so today’s product which is a great enhancement of a device I’ve never thought needed to be connected: The good, ol’ fashioned padlock.

Dog and Bone, an Australian company that started out making cellphone cases (and obviously enjoys Cockney rhyming slang; “dog and bone” equates to “phone”) have recently started selling LockSmart, a Bluetooth LE-enabled padlock and I’d suggest that it’s a really useful rethink of how to interact with a pretty old technology.

Bad actors race to exploit Juniper firewall vulnerability

Now that Juniper has created a patch for its vulnerable firewall/VPN appliances, bad actors are setting to work reverse engineering the flaw so they can exploit devices that users don’t patch, and also make a profit by selling their exploits to others.

“That’s what they do,” says John Pironti, president of IP Architects, who says he spent Friday responding to concerns about the compromised Juniper firewalls with his clients.

The pattern cyber criminals follow after vendors patch vulnerabilities is to compare the patched code to the unpatched code, figure out what the flawed code was and figure out how to use it to break into the device and the network it protects, Pironti says.

Bernie Sanders campaign claims software vendor NGP VAN exposed voter data multiple times

The Democratic National Committee (DNC) has suspended the Bernie Sanders presidential campaign from access to its database of Democratic voter information after a staffer on the Sanders campaign improperly accessed proprietary data belonging to the rival campaign of Hillary Clinton, the Washington Post reported today.

The Sanders campaign announced that it has fired the staffer over the incident. However, the campaign has also gone on the offensive, insisting not only that the software vendor, NGP VAN, was responsible for this incident, but that it has failed to prevent unauthorized access to campaign data in the past.

Bernie Sanders campaign claims DNC voter data was leaked multiple times

The Democratic National Committee (DNC) has suspended the Bernie Sanders presidential campaign from access to its database of Democratic voter information after a staffer on the Sanders campaign improperly accessed proprietary data belonging to the rival campaign of Hillary Clinton, the Washington Post reported today.

The Sanders campaign announced that it has fired the staffer over the incident. However, the campaign has also insisted that the data in the DNC database had been exposed on other occasions during the campaign.

Wi-Fi blocking issue prompts convention industry to band together

Operators of convention centers and other public assembly venues are joining forces to avoid becoming the next Marriott or Hilton in the eyes of an FCC Enforcement Bureau that’s been cracking down on Wi-Fi blockers.

Wi-Fi blocking has become a hot button issue across the hospitality and convention center industry, as well as across the wireless LAN industry, in light of big FCC fines against outfits found to have been blocking use of wireless hotspots by those who have a legal right to access unlicensed spectrum.

IDG Contributor Network: Building malware defenses: Control email, web browsers, and ports

Our last article looked at applying Critical Security Controls 4, 5, and 6 to your organization, covering vulnerability assessment, administrative privileges, and audit logs. Now it’s time to move on to CSCs 7, 8, and 9.

Email programs and web browsers are still the most common points of entry for attackers, too many companies have woefully inadequate malware defenses, and a failure to control ports and limit services is like leaving a window open for cybercriminals.

Critical Control 7: Email and Web Browser Protections

Human behavior is still the path of least resistance for cybercriminals, and they often employ social engineering techniques to gain access to systems. Despite the rising profile of phishing, 23% of recipients open phishing messages and 11% click on attachments, according to Verizon’s 2015 Data Breach Investigations Report (DBIR).

Microsoft move to revoke trust in 20 root certificates could wreak havoc on sites

Tens of thousands of secure websites might start to display certificate errors to their visitors in January, when Microsoft plans to stop trusting 20 certificate authorities (CAs) from around the world.

The list of certificates that are scheduled to be removed from Microsoft's Trusted Root Certificate Program belong to CAs run by private or state-owned organizations from the U.S., France, the Czech Republic, Japan, Denmark, Chile, Turkey, Luxembourg, Ireland, Slovenia and Brazil.

With their removal from Microsoft's program, the CAs will also be removed from the certificate trust list in Windows that's used by browsers such as Google Chrome, Internet Explorer and Microsoft Edge, as well as by email clients and other applications that support secure communications over SSL/TLS.

Should you buy cyber insurance?

Cyber insurance is rapidly becoming an important part of many organizations' risk mitigation strategy. While most businesses have some sort of property or general liability insurance, those policies exclude coverage for cyber liability, so cyber insurance has become its own category, and it's the fastest growing area of insurance for businesses. At least 50 major providers now offer this type of insurance, attracted by the fact that demand for cyber insurance has been rising by double digit percentages for the last few years.

Apple CEO defends privacy, encryption amidst terrorist concerns

Apple CEO Tim Cook staunchly defended personal privacy and the use of encryption on iPhones amidst renewed concerns about terrorists hiding covert electronic messages when they plan deadly attacks.

In an interview with Charlie Rose on CBS This Morning that aired Friday, Cook said the supposed tradeoff between privacy and security is "only a simplistic view—we can have both."

Cook repeated Apple's stance that it complies specifically with court-ordered warrants to produce information as required by law enforcement, but said of encrypted data on iPhones, "We don't have it to give." That's because Apple's iPhones running versions after iOS 4 keep decryption keys on a user's iPhone and not on a server or some other place, as Apple has pointed out many times before.

Juniper firewalls compromised by bad code: What you need to know

Juniper Networks is warning customers to patch their NetScreen enterprise firewalls against bad code that enables attackers to take over the machines and decrypt VPN traffic among corporate sites and with mobile employees.

The danger is that attackers could exploit the code “to gain administrative access to NetScreen devices and to decrypt VPN connections,” Juniper says in a security announcement.

It would enable smart attackers to exploit the vulnerability and wipe out log files, making compromises untraceable, the company says.