Category Archives for "Network World Security"

To break terrorist encryption, pay off Apple and Google, expert urges

To break encrypted smartphone messages used by terrorists, tech companies such as Apple and Google need to be paid by law enforcement, an expert urged Thursday. "If there were a financial incentive for Google and Apple to assist law enforcement, then they would be more willing to change their encryption technology to facilitate law enforcement in possession of a warrant," said Professor Darren Hayes, director of cybersecurity at Pace University, in an interview. Tech companies and wireless carriers currently get reimbursed "quite nicely," he said, for their time and help when faced with a court warrant under the 1994 Communications Assistance for Law Enforcement Act (CALEA), a wiretap law that allows the FBI and others access to some communications, but not encrypted data.

Juniper warns of spying code in firewalls

Juniper, a major manufacturer of networking equipment, said on Thursday it found spying code planted in certain models of its firewalls, an alarming discovery that echoes state-sponsored tampering. The affected products are those running ScreenOS, one of Juniper's operating systems, which runs on a range of appliances that act as firewalls and enable VPNs. ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are vulnerable, according to an advisory. The unauthorized code was found during a recent internal review, wrote Bob Worrall, Juniper's chief information officer. He did not indicate where Juniper thinks the code originated.

Cyberattack prediction: Hackers will target a US election next year

A major cyberattack next year will target a U.S. election, security expert Bruce Schneier predicts. The attack won't hit the voting system and may not involve the presidential election, but the temptation for hackers is too great, even in state and local races, said Schneier, a computer security pioneer and longtime commentator. "There are going to be hacks that affect politics in the United States," Schneier said. Attackers may break into candidates' websites, e-mail or social media accounts to uncover material the campaigns don't want public, he said. Schneier gave the prediction Thursday on a webcast from incident response company Resilient Systems, where he is chief technology officer.

How network segmentation provides a path to IoT security

Earlier this month I attended Cisco’s Internet of Things World Forum in Dubai (disclosure: Cisco is a client of ZK Research). One of the things I liked about the event is that it showcased a wide variety of use cases across a number of different vertical industries. Some were in the ideation phase, some were early stage, and some fully deployed. While many of the use cases were quite different, there was one point of commonality, and that’s the need for security. The Internet of Things (IoT) poses quite a different challenge for security and IT professionals. Traditional cybersecurity is becoming increasingly difficult even though most IT devices being connected have some basic security capabilities. Now consider the operational technology (OT) being connected to our company networks to enable IoT. These are devices like medical equipment, factory floor machines, drills, shipping containers, and other things that have no inherent security capabilities and only the most basic network functions.

Not Tor, MIT’s Vuvuzela messaging system uses ‘noise’ to ensure privacy

As the privacy of The Onion Router (Tor) network comes into question, MIT researchers say they have devised a secure system called Vuvuzela that makes text messages sent through it untraceable and that could be more secure than Tor when it comes to hiding who is talking to whom. While it’s not ready for prime time, the messaging system makes it extremely difficult for attackers to find out which connected users are communicating with which others, or whether they are sending or receiving messages at all, the researchers say in “Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis”.

NASA offers $15k for your wicked cool air traffic technology

The airspace of the future could get messy, what with drones, aircraft and suborbital spacecraft -- and NASA wants the public’s help in developing technology that will help manage that mélange. The space agency this week announced a $15,000 public contest -- called the “Sky for All challenge” -- to develop technologies that could be part of what it calls “a clean-slate, revolutionary design and concept of operations for the airspace of the future.” The challenge opens Dec. 21, and participants may pre-register now. The deadline for submissions is Feb. 26, 2016; the challenge is being administered by crowdsourcing site HeroX.

Microsoft extends SmartScreen browsing protection to foil malvertising and exploit kits

Microsoft SmartScreen, the phishing and malware filtering technology built into Internet Explorer, Edge and Windows, has now been updated to block Web-based attacks that silently exploit software vulnerabilities to infect computers. Such attacks are known as drive-by downloads, because they don't require user interaction aside from browsing to a malicious website or a legitimate one that has been compromised. To launch such attacks, hackers use tools known as exploit kits that take advantage of vulnerabilities in the OS, the browser, or popular software like Flash Player, Silverlight and Java. While exploit kits typically target vulnerabilities after they have been patched by software vendors, there have been cases when they've exploited previously unknown flaws, known in the security industry as zero-days. In addition, the time window between when patches are released and when attackers start targeting the fixed flaws has shrunk significantly in recent years, giving users less time to update.

IDG Enterprise editors predict IT trends for 2016

As 2015 winds down and we start to focus on 2016, one thing can be predicted quite easily: analysts, editors and others will start making their own predictions about what we can expect in the upcoming year. We’re no different here at IDG Enterprise – we asked some of the top editors from the IDG enterprise brands (Computerworld, Network World, CIO.com, CSO) to take a few minutes out of their busy day to predict a few trends for enterprise IT in 2016. The video above shows their final predictions, which include trends in cloud computing, security, the Internet of Things, wireless, big data/analytics, and mobile devices. We even have one prediction about the 2016 presidential election (a campaign issue, not a prediction of who will win).

Creating a Cybersecurity Center of Excellence

I’ve been writing about the cybersecurity skills shortage for many years and, unfortunately, things seem to be getting worse. Here are a few data points: According to ESG research, 28% of organizations claim that they have a “problematic shortage” of IT security skills (disclosure: I am an ESG employee). Job market analytics vendor Burning Glass states that cybersecurity job postings grew 74% from 2007 to 2013, more than twice the growth rate of all IT jobs. Prospective employers posted more than 50,000 jobs requesting Certified Information Systems Security Professional (CISSP) certification. Unfortunately, there are only about 65,000 CISSPs in the world, and many are gainfully employed. ISC2, the organization that certifies CISSPs, believes that there will be a deficit of 1.5 million cybersecurity professionals by 2020. The UK House of Lords is even more bearish, predicting a shortage of 2 million cybersecurity professionals by 2017. A 2015 report from the Information Systems Audit and Control Association (ISACA) states that 86% of business and IT professionals globally believe there is a shortage of cyber security professionals. In this case, perception is reality. A Raytheon/National Cyber Security Alliance report indicates that 64% of high school

Open source unleashes blockchain’s enterprise potential

Blockchain technology makes cryptocurrency like bitcoin possible, but it has a lot of potential beyond tracking currency transactions. The Linux Foundation wants to tap into that potential and is spearheading a collaborative effort to develop an enterprise-grade open source distributed ledger called Hyperledger. At its core, blockchain is a record-keeping system running across a global network of independent computers. The distributed ledger, which records and verifies transactions, is write-only -- that is, transactions cannot be tampered with or modified after the fact, so virtually anything of value can be tracked and traded using this system.

Experience matters

The end of the year always brings about thoughts of what changes should occur in the coming year. If a change of job is in your thoughts, security executives say they look at prospective employees’ experience before they even take a step through the door. “Certifications are a good shorthand for acquired knowledge, but experience is critical,” said Geoff Webb, vice president of solution strategy for NetIQ, the security portfolio of Micro Focus. According to Dice’s latest hiring survey, finding highly skilled tech talent will be a top hiring priority for companies in 2016. A record 78 percent of hiring managers anticipate more hiring in the first half of 2016 compared to the second half of 2015, Dice notes.

IoT startup Afero goes end to end for security

Internet of Things startup Afero says it can secure small and large IoT devices with a Bluetooth radio module and a cloud service. Afero's platform is just the latest approach to building an infrastructure that ties together a variety of connected devices. The company says its system can be applied to both the home and enterprise realms of IoT and encrypts data all the way from devices to the cloud. The Internet of Things is widely expected to blossom into billions of devices for consumers, cities and businesses in the next few years. Along with those connected objects in the field, software, networks and analytics will be critical components of IoT. Bringing all those components together may pose a steep challenge for consumer electronics makers, as well as for enterprises that want to reap benefits in efficiency, savings and profits.

Over 650 terabytes of data up for grabs due to publicly exposed MongoDB databases

There are at least 35,000 publicly accessible and insecure MongoDB databases on the Internet, and their number appears to be growing. Combined, they expose 684.8 terabytes of data to potential theft. This is the result of a scan performed over the past few days by John Matherly, the creator of the Shodan search engine for Internet-connected devices. Matherly originally sounded the alarm about this issue back in July, when he found nearly 30,000 unauthenticated MongoDB instances. He decided to revisit the issue after a security researcher named Chris Vickery recently found information exposed in such databases that was associated with 25 million user accounts from various apps and services, including 13 million users of the controversial OS X optimization program MacKeeper.

Rapid7 disclosed 6 XSS and SQLi flaws in 4 Network Management Systems, 2 unpatched

Rapid7 disclosed six vulnerabilities affecting four Network Management Systems, two of which are not patched. The vendors are Opsview, Spiceworks, Ipswitch, and Castle Rock, with the latter having neither issued a security bulletin nor a fix for two vulnerabilities in its NMS. “An array of cross-site scripting (XSS) and SQL injection (SQLi)” vulnerabilities in NMS products were discovered by Rapid7’s Deral Heiland, aka Percent_X, and independent researcher Matthew Kienow, aka HacksForProfit. The flaws were responsibly disclosed to the vendors and CERT.

Acts of terrorism could push Congress toward encryption backdoors in 2016

Despite the risks to online commerce, international high-tech sales and security of trade secrets, and the fact that it won’t actually make encryption useless to criminals, decryption backdoors to let law enforcement access encrypted communications could become U.S. law in 2016 – and a nightmare to enterprises – especially if terrorists succeed in carrying out major acts of violence. So far the arguments against such a law have prevailed, but that could change if public opinion turns strongly in favor of it, which is more likely in the wake of events that generate fear.

Vulnerability in popular bootloader puts locked-down Linux computers at risk

Pressing the backspace key 28 times can bypass the Grub2 bootloader's password protection and allow a hacker to install malware on a locked-down Linux system. GRUB, which stands for the Grand Unified Bootloader, is used by most Linux distributions to initialize the operating system when the computer starts. It has a password feature that can restrict access to boot entries, for example on computers with multiple operating systems installed. This protection is particularly important within organizations, where it is also common to disable CD-ROM, USB and network boot options and to set a password for the BIOS/UEFI firmware in order to secure computers from attackers who might gain physical access to the machines.

Encryption used by terrorists provides lively GOP debate fodder

The ongoing political discourse over encrypted Internet communications used by potential terrorists sparked some major fireworks in last night's GOP presidential debate. Republican frontrunner Donald Trump was booed by some in the Las Vegas crowd when he called for "getting our smartest minds to infiltrate [ISIS's] Internet." In reaction to the boos, Trump told the crowd, "You're objecting to infiltrating their communications -- I don't get that." It wasn't only some in the crowd that objected to Trump's view. U.S. Sen. Rand Paul (R-Ky.) took Trump to task, saying Trump had argued to "close the Internet, which defies the First Amendment...Are you going to change the Constitution?"

Three men arrested in alleged wide-ranging spam operation

Three men have been charged over a hacking scheme that allegedly collected tens of millions of personal records for use in spam campaigns. U.S. prosecutors say the trio broke into the networks of three companies and improperly accessed the network of a fourth one where one of the men was employed. Their primary goals revolved around obtaining email addresses for consumers in order to advertise insurance companies or online sites that sold narcotics without prescriptions, according to a news release. They also used the email systems of some hacked companies to send spam in an attempt to avoid antispam security filters.

Google researchers find remote execution bug in FireEye appliances

Google researchers found a software flaw in several models of FireEye's security appliances that they say could give a cyberattacker full access to a company's network. It's not unheard of to find security flaws in security software, but the latest discovery highlights once again how no technology is immune to such problems. FireEye issued a statement on Tuesday saying it had issued a patch for the flaw, which affects its NX, EX, FX and AX Series appliances. The appliances passively monitor network traffic and pluck out suspicious files for study away from the live network.

Why the FAA’s new drone rules fall short

The Federal Aviation Administration (FAA) released rules governing the registration of drones yesterday that left me slack-jawed – first with disbelief, then with fear. The rules show that the FAA is oblivious to either the risks of drones or the technological measures that could mitigate the risks, or both. The rules are simple and apply to drones that weigh at least 0.55 pounds (250 grams) and less than 56 pounds (approximately 25 kilograms), including payloads. Beginning on December 21, drone owners must voluntarily register their drones with the FAA and pay a $5 fee, which will be waived for the first 30 days. Drone owners who fail to register face stiff penalties: a fine of up to $27,500 for civil violations, and a fine of up to $250,000 and up to three years in prison for a criminal violation.