Category Archives for "Network World Security"

No more security fixes for older OpenSSL branches

The OpenSSL Software Foundation has released new patches for the popular open-source cryptographic library, but for two of its older branches they will likely be the last security updates. This could spell trouble for some enterprise applications that bundle the 0.9.8 or 1.0.0 versions of OpenSSL and for older systems -- embedded devices in particular -- where updates are rare. OpenSSL 1.0.0t and 0.9.8zh, which were released Thursday, are expected to be the last updates because support for these two branches will end on Dec. 31, as listed in the organization's release strategy document.

New attack campaign against SMBs uses a botnet to deliver PoS malware

A group of sophisticated attackers is repurposing penetration testing tools to break into the networks of small and medium-size businesses worldwide with the goal of infecting point-of-sale systems with malware. The new attack campaign started in September and has been dubbed operation Black Atlas by researchers from antivirus vendor Trend Micro. The attackers use a wide set of tools to scan the Internet and identify potential weak spots in the networks of various organizations, the researchers said. Their toolset includes port scanners, brute-force password guessing tools, SMTP (Simple Mail Transfer Protocol) scanners, remote desktop viewers and other attack applications that are easy to find on the Internet.

Enterprises Need to Improve IT Vendor Risk Management

I had the pleasure of attending a presentation given by Dr. Ron Ross, a fellow at the National Institute of Standards and Technology (NIST). Ron’s areas of specialization include information security, risk management, and systems security engineering. In his presentation, Dr. Ross delivered a bit of a counterintuitive message on cybersecurity by stating, "We have to stop obsessing about threats and start focusing on asset protection." To drive home this point, Dr. Ross added, "If 90% of our bridges were failing, we’d mobilize teams of engineers right away. Yet when 90% of our IT systems are insecure, we focus a good part of our attention on external threats."

Encryption backdoors will make us all more vulnerable

The author has written 29 technical books and is Managing Partner of Ascent Solutions, which provides marketing services to tech sector companies.

In the aftermath of the Paris attacks, one of the memes being perpetuated by “security professionals” is that the terrorists used encrypted communications, enabling them to plan and coordinate their activities without raising suspicion among the intelligence community. Now there is a knee-jerk reaction among politicians in Washington to force encryption providers to build “backdoors” into their software that would allow government agencies to easily decode communications in their effort to identify potential terrorists. They say this is essential to keeping us all safe and that we must stop crying about the loss of personal privacy.

New legislation aims at stalling NSA reform

A new bill introduced in the Senate aims to let the U.S. National Security Agency hold on for five years to phone records collected by the agency, while also making permanent some anti-terrorist provisions that have been criticized by civil rights groups. Senator Tom Cotton, a Republican from Arkansas, said Wednesday he would introduce the "Liberty Through Strength Act II" to require the federal government to hold on to the legacy phone metadata of Americans for five years and authorize its use for queries. Last month the Senator introduced legislation, also called the Liberty Through Strength Act, that would delay the end of the bulk collection of phone metadata of Americans by the NSA to Jan. 31, 2017, in the wake of security concerns after the terror attacks in Paris. The bill was introduced a little before the Thanksgiving break.

DDoS attacks are more than disruptions to service

Distributed denial-of-service attacks have increased in complexity so that they are no longer just an annoyance causing a disruption in service. Criminals are using these attacks as a distraction while targeting sensitive data, leaving enterprises to pay for lost business and breach recovery. Any conversation that involved breaches this year included the statement, “It’s not if but when.” The expectation has become, as IDC’s Christina Richmond, program director, security services, said, “Breach is a foregone conclusion.” For many companies, the attacks are frequent and more advanced. Richmond said, "Distributed-denial-of-service attacks are no longer an isolated event. Sophisticated attacks hit companies of all sizes, in all industries.”

Why Electronic Health Records aren’t more usable

Federal government incentives worth about $30 billion have persuaded the majority of physicians and hospitals to adopt electronic health record (EHR) systems over the past few years. However, most physicians do not find EHRs easy to use. Physicians often have difficulty entering structured data in EHRs, especially during patient encounters. The records are hard to read because they're full of irrelevant boilerplate generated by the software and lack individualized information about the patient. Alerts frequently fire for inconsequential reasons, leading to alert fatigue. EHRs from different vendors are not interoperable with each other, making it impossible to exchange information without expensive interfaces or the use of secure messaging systems.

US, China take first steps toward cybersecurity cooperation

The U.S. and China have reached an agreement on how to begin cooperating on cybersecurity, an issue that has caused high tension between the two nations over the last few years. The agreement, reached in the first high-level meeting of its kind, calls for guidelines on sharing computer security information, a hotline to discuss issues, a so-called tabletop cybersecurity exercise and further dialog on concerns such as the theft of trade secrets. The U.S. and China have had a combative relationship on cybersecurity, which escalated in 2010 when Google directly accused China-based hackers of stealing its intellectual property.

Encrypted messaging app Signal available for desktops

The much-lauded encryption app Signal has launched a beta program for a desktop version of the app, which will run through Google's Chrome browser. Signal Desktop is a Chrome app that will sync messages transmitted between it and an Android device, wrote Moxie Marlinspike, a cryptography expert who helped develop Signal, in a blog post on Wednesday. The app comes from Open Whisper Systems, which developed Signal's predecessors, Redphone and TextSecure, two Android applications that encrypt calls and messages. Both have been consolidated into Signal. Signal Desktop won't be able to sync messages with iPhones just yet, although there are plans for iOS compatibility, Marlinspike wrote. It also won't support voice initially.

China blamed for ‘massive’ hack of Australia’s weather bureau

Whoa, Five Eyes, you're slipping again with your almighty surveillance machine, as Australia's Bureau of Meteorology (BoM) was the victim of a "massive" cyberattack. Whodunit and how? The Australian Broadcasting Corporation (ABC) first reported BoM being hacked, which was immediately blamed on China. Unsurprisingly, China denied the "groundless accusations." Oh what fun it must be at the global climate talks, as the nations' head honchos must play nice.

Cisco patches permission hijacking issue in WebEx Meetings app for Android

Cisco has fixed a vulnerability in its WebEx Meetings application for Android that allowed potentially rogue applications to hijack its permissions. The issue, which affected all versions of the app older than 8.5.1, stemmed from the way custom application permissions were implemented and assigned at initialization time. In addition to the default permissions defined by the OS, applications can declare and request custom permissions, a feature that the Android developers recommend be used only if absolutely necessary. It is also possible for apps to request to use custom permissions declared by another application.

Google accused of tracking school kids after it promised not to

Google has been collecting information about schoolchildren's browsing habits despite signing a pledge saying it was committed to their privacy, the Electronic Frontier Foundation said in a complaint filed Tuesday. The digital rights group said Google's use of the data, collected through its Google for Education program, puts the company in breach of Section 5 of the Federal Communications Act and asked the Federal Trade Commission to investigate. “Despite publicly promising not to, Google mines students’ browsing data and other information, and uses it for the company’s own purposes," the EFF said.

IRS says it will get a warrant before using cell-site simulators

The U.S. Internal Revenue Service is drafting a policy to restrict the use without a warrant of cell-site simulator technology to snoop on the location and other information from mobile phones. The head of the IRS, John Koskinen, wrote in a letter that the agency was drafting a policy that would mirror an earlier Department of Justice rule, which requires a search warrant supported by probable cause before using the technology, except in exigent or exceptional circumstances. Cell-site simulators, also referred to as stingrays or 'IMSI catchers,' track the location and other information from mobile phones by mimicking cellphone towers. The use of the technology without a warrant by law enforcement has been criticized by civil rights groups.

Ransomware and scammy tech support sites team up for a vicious one-two punch

Symantec has seen a curious fusing of two pernicious online threats, which would cause a big headache if encountered by users. Some websites offering questionable tech support services are also dishing up ransomware, which locks up a user's files until they pay a fee to decrypt them. The support scams involve trying to convince users they have a computer problem and then selling them overpriced software or support services to fix it. It's often done via a pop-up message that urges people to call a number or download software.

Toy maker VTech says breach hit 6.4 million kids’ accounts

Educational toy maker VTech has said 11.6 million accounts were compromised in a cyberattack last month, including those of 6.4 million children. The total number of accounts affected is nearly double that reported last week by the security news site Motherboard, which interviewed a hacker who claimed credit for the breach. Most of the account holders were in the U.S., including 2.2 million parents and 2.8 million children, VTech said Wednesday in Hong Kong, where the company is based. France, the U.K., Germany and Canada round out the top five countries hit, VTech said in an updated FAQ.

Windows 10 update didn’t remove spying utility, Microsoft just renamed it

One of the services at the heart of Windows 10's user information gathering (otherwise known as spying) that many thought was removed in the latest update to the operating system is, in fact, still there, doing what it always did. The Diagnostics Tracking Service, aka DiagTrack, was one of the main culprits in telemetry and other user activity gathering in Windows 10. It has been identified as a keylogger, although some people dispute that. Given the concerns around spying in Windows 10, just the accusation is damaging enough. With the release of Build 10586, or Threshold 2, DiagTrack disappeared and there was much rejoicing. However, the white hat hackers at Tweakhound (and confirmed by BetaNews) have discovered that Microsoft merely renamed it to the Connected User Experiences and Telemetry service, which throws people off, along with all the utilities to turn off these services, like DoNotSpy10.

IDG Contributor Network: Why you should lawyer up before a cyberattack

Lawyers advise enterprises to establish preemptive legal protection before suffering a cyberattack. While one might expect lawyers to say that, there are some reasons to take this advice. Namely, a federal district court in Minnesota found in October that "certain documents created during Target's internal investigation of its 2013 payment card breach were protected by the attorney-client privilege and work product doctrine," according to the Cybersecurity Law Report.

Investigation

The court told Target that it didn't have to produce certain documents that the plaintiffs wanted to see. The reason: they were part of the investigation.

UK intelligence service GCHQ is on trial for hacking

GCHQ, the British signals intelligence service, is in the dock accused of hacking computers without individual warrants in order to tap communications. The allegations, made by messaging providers and campaign groups GreenNet, RiseUp Networks, Chaos Computer Club and Privacy International, among others, concern the use by the U.K. Government Communications Headquarters of "thematic warrants" to hack computers. They began making their cases to the U.K.'s Investigatory Powers Tribunal in London on Tuesday, in hearings scheduled to run through Friday. GCHQ first admitted to hacking in February following Privacy International's initial legal challenge.