Category Archives for "Network World Security"

Cox to pay $595,000 for Lizard Squad data breach

Cox Communications has agreed to pay US$595,000 and submit to seven years of computer security compliance monitoring by the Federal Communications Commission to settle an investigation into whether the cable TV and Internet operator failed to safeguard the personal information of its customers. The investigation relates to a 2014 hack of Cox by "EvilJordie," a member of the "Lizard Squad" hacker collective, and is the FCC's first privacy and data security enforcement action against a cable operator. The FCC's investigation found that, by posing as a Cox IT staffer, the hacker convinced a Cox customer service representative and a contractor to enter their account IDs and passwords into a fake website, the FCC said Thursday.

EU tells US it must make next move on new Safe Harbor deal

The European Union put the onus firmly on the U.S. to make the next move in negotiating a replacement for the now-defunct Safe Harbor Agreement on privacy protection for transatlantic personal data transfers. "We need a new transatlantic framework for data transfers," said Věra Jourová, the European Commissioner for Justice and Consumers, emphasizing the urgency of the situation. However, she said at a news conference in Brussels on Friday, "It is now for the U.S. to come back with their answers." EU law requires that companies guarantee the same privacy protection for the personal information of EU citizens that they hold, wherever in the world they process it.

ProtonMail recovers from DDoS punch after being extorted

The last few days have not been easy for ProtonMail, the Geneva-based encrypted email service that launched last year. Earlier this week, the service was extorted by one group of attackers, then taken offline in a large distributed denial-of-service (DDoS) attack by a second group that it suspects may be state sponsored. ProtonMail offers a full, end-to-end encrypted email service. It raised more than US$500,000 last year after a blockbuster crowdfunding campaign that sought just $100,000. Now, it bills itself as the largest secure email provider, with more than 500,000 users. Creating an account is free, although ProtonMail plans to eventually introduce a paid-for service with additional features.

How a mobile app company found the XcodeGhost in the machine

Nick Arnott couldn't figure out recently why Apple kept rejecting an update to a mobile app his company developed. It turned out the problem was a ghost in the machine. His company, Possible Mobile, is well versed in the App Store submission rules and has built apps for JetBlue, Better Homes & Gardens and Major League Soccer. The rejection came after it was discovered in mid-September that thousands of apps in the App Store had been built with a counterfeit version of an Apple development tool, Xcode. The fake version, dubbed XcodeGhost and probably developed in China, had been downloaded by many developers from third-party sources, apparently because the 4GB download from Apple took too long.

007 Tips for keeping your business as secure as MI6

As James Bond has shown, even a sophisticated MI6 operative with a nearly limitless budget and an array of high-tech gadgets has to take into account existing security measures when formulating a plan to infiltrate a building or system. And while online criminal organizations don’t have Bond’s resources, they are sophisticated and well funded, which means you have to continually step up your efforts to reduce the attack surface of your business. As you begin planning for 2016, here are 007 tips for bringing your business closer to an MI6 level of security, without a nation-state budget:

1. Auto-expiring credentials for new recruits: While we hope your corporate hiring process isn’t as intense as that of a secret agent, at the end of the day not everyone who signs up makes the final cut. To minimize your risk of rogue access, implement a policy that requires system admins to always create expiring credentials for new hires. It’s best practice to do this for any temporary hires, but if your company has an employment grace period, consider setting the expiration to the end of that period, just in case. It’s always easier to re-implement than to revoke once things
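One way to put the first tip into practice on a Linux host, as an added example that is not part of the article: audit shadow(5) records for accounts that have no expiry date set and emit the `chage -E` command that would give each one an expiry at the end of the probation period. The shadow records below are constructed (the hashes are placeholders), and the 90-day grace period is an assumption.

```python
"""Audit Linux shadow(5) records for accounts whose credentials never expire.

Added example, not from the article. The shadow layout is
name:passwd:lastchange:min:max:warn:inactive:expire:reserved, where `expire`
(field 8) is the account expiry in days since 1970-01-01 and an empty field
means the account never expires.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed sample records; the hashes are placeholders, not real ones.
SAMPLE_SHADOW = """\
root:*:16700:0:99999:7:::
alice:$6$salt$hash:16740:0:99999:7::16830:
newhire:$6$salt$hash:16750:0:99999:7:::
contractor:$6$salt$hash:16750:0:99999:7::16780:
svc-backup:!:16600:0:99999:7:::
"""


def parse_shadow(text):
    """Map each account name to its expiry date (None = never) and lock state."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 9:
            raise ValueError(f"malformed shadow record: {line!r}")
        expire_field = fields[7]
        records[fields[0]] = {
            "expire": EPOCH + timedelta(days=int(expire_field)) if expire_field else None,
            # '*' or a leading '!' in the password field means the password is disabled
            "locked": fields[1] == "*" or fields[1].startswith("!"),
        }
    return records


def non_expiring_accounts(records, ignore_locked=True):
    """Names of accounts with no expiry date; locked (service) accounts can be skipped."""
    return sorted(
        name for name, rec in records.items()
        if rec["expire"] is None and not (ignore_locked and rec["locked"])
    )


def probation_expiry(start, grace_days=90):
    """Expiry to set for a new hire: end of the employment grace period (assumed 90 days)."""
    if isinstance(start, str):
        start = date.fromisoformat(start)
    return start + timedelta(days=grace_days)


def chage_command(name, expire):
    """Shell command that sets the account expiry (shadow field 8) for `name`."""
    return f"chage -E {expire.isoformat()} {name}"


def remediation_plan(text, start, grace_days=90):
    """Commands that would give every non-expiring, unlocked account an expiry date."""
    records = parse_shadow(text)
    expire = probation_expiry(start, grace_days)
    return [chage_command(name, expire) for name in non_expiring_accounts(records)]


if __name__ == "__main__":
    for cmd in remediation_plan(SAMPLE_SHADOW, "2015-11-09"):
        print(cmd)
```

Account expiry (field 8) is not the same as password ageing (field 5): an expired account is refused outright by the PAM account check, so SSH key logins are blocked too when sshd runs PAM, whereas an expired password only forces a change. For new hires, creating the account with `useradd -e YYYY-MM-DD` sets the same field up front.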

IT Vendor Risk Management: Improving but Still Inadequate

One of the fundamental best practices of cyber supply chain security is IT vendor risk management. When organizations purchase and deploy application software, routers, servers, and storage devices, they are in essence placing their trust in the IT vendors that develop and sell these products. Unfortunately, this trust can be misplaced. Some IT vendors (especially startups) focus on features and functionality rather than security when they develop products, resulting in buggy, vulnerable products. In other cases, hardware vendors unknowingly build systems using malicious components sourced through their own supply chain. IT products are also often purchased through global networks of third-party distributors that have ample opportunity to turn innocent IT products into malicious confederates for cybercrime.

Heat map to show where burning need is for cybersecurity pros

The National Institute of Standards and Technology (NIST) is funding creation of a heat map visualization tool that will show where cybersecurity jobs are open across the country. The first rendition should be out late next year. The project, funded through NIST’s National Initiative for Cybersecurity Education (NICE), will provide data to help employers, job seekers, policy makers and others sync up. Some 230,000 cybersecurity jobs are open across the U.S., according to the Department of Commerce, and the number of openings has roughly doubled over the past four or five years.

New ransomware program Chimera threatens to leak user files

Ransomware creators have taken their extortion one step further: in addition to encrypting people's private files and asking for money before releasing a key, they now threaten to publish those files on the Internet if they're not paid. This worrying development has recently been observed in a new ransomware program dubbed Chimera that was documented by the Anti-Botnet Advisory Centre, a service of the German Association of the Internet Industry. The attackers behind this new threat target mainly businesses by sending rogue emails to specific employees that masquerade as job applications or business offers. The emails contain a link to a malicious file hosted on Dropbox.

Cyber liability from perspective of board members and execs

Companies are increasingly reliant on digital spaces, and the continuing stream of high-profile data breaches means cybersecurity topics, often in the form of cyber liability questions, are now a part of board and senior management discussions instead of only being discussed at the IT level. Security, following “ethical issues,” is the second-leading risk to a company’s brand. Although getting hacked has a huge impact on the bottom line, NYSE Governance Services and Veracode found that “the extent of the brand damage caused by breaches is often linked to boards’ level of preparedness. It is therefore a board’s fiduciary duty to ask the right questions to ensure due care has been followed.”

How Verizon analyzes security-breach data with R

Analyzing 200,000 records may not seem like a big task. But when those records are security incidents with potentially hundreds of attributes each -- types of bad actors, assets affected, category of organization and more -- it starts getting a little complex for a spreadsheet. So Verizon's annual security report, which was initially done in Excel, is now generated "soup to nuts" in R. In fact, the Verizon Data Breach Report is something of "a love letter to R," Bob Rudis, managing principal and senior data scientist at Verizon Enterprise Solutions, told the EARL (Effective Applications of the R Language) Boston conference earlier today.

Apple wages battle to keep App Store malware-free

Apple is facing growing challenges keeping suspicious mobile applications out of its App Store marketplace. Over the last two months, researchers have found thousands of apps that could potentially have stolen data from iOS devices. While the apps were not stealing data, security experts said it would have been trivial for attackers to configure them to do so. Apple has removed some of the affected apps since it was alerted by security companies. But the problems threaten to taint the App Store's years-long reputation for being high quality and malware free. Apple officials didn't have an immediate comment.

Microsoft follows Mozilla in considering early ban on SHA-1 certificates

Microsoft is considering advancing the date on which Windows stops accepting TLS certificates signed with the SHA-1 hashing algorithm to as early as June next year, taking a cue from a similar decision by Mozilla. The Redmond-based software maker had earlier said that Windows would block SHA-1-signed TLS (Transport Layer Security) certificates from Jan. 1, 2017, but is now mulling moving up the date in view of recent advances in attacks on the SHA-1 algorithm, a cryptographic hash function designed by the U.S. National Security Agency. There have been concerns about the security of the algorithm, which led Microsoft, Google and Mozilla to announce that their browsers would stop accepting SHA-1-signed SSL (Secure Sockets Layer) certificates.
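Before a deadline like this, the practical question is which of your own certificates still carry a SHA-1 signature. As an added example (not from the article or from any browser vendor's code), the stdlib-only walker below reads just enough of the DER Certificate structure to pull out the outer signatureAlgorithm OID and flags the SHA-1-based algorithms. The OIDs are the standard ones from the PKIX RFCs; the sample certificates are constructed skeletons that carry only the fields the walker reads, not real or valid certificates.

```python
"""Report the signature algorithm of a DER/PEM X.509 certificate, stdlib only.

Added example, not from the article. It walks only the outer Certificate
SEQUENCE: tbsCertificate (skipped), signatureAlgorithm (the AlgorithmIdentifier
whose OID we want) and signatureValue. The sample certificates are constructed
skeletons, not real certificates.
"""
import base64

SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
OTHER_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def read_tlv(buf, pos=0):
    """Decode one DER element at `pos`; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn OID content bytes into dotted notation."""
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for byte in value[1:]:                  # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def pem_to_der(pem):
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def signature_algorithm(cert):
    """Dotted OID of the certificate's outer signatureAlgorithm (PEM str or DER bytes)."""
    der_bytes = pem_to_der(cert) if isinstance(cert, str) else cert
    tag, body, _ = read_tlv(der_bytes)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _tbs, pos = read_tlv(body)           # tbsCertificate: skip it
    _, alg_id, _ = read_tlv(body, pos)      # signatureAlgorithm: AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(oid)


def classify(cert):
    """Return (algorithm name or raw OID, True if the signature is SHA-1 based)."""
    oid = signature_algorithm(cert)
    if oid in SHA1_SIGNATURE_OIDS:
        return SHA1_SIGNATURE_OIDS[oid], True
    return OTHER_SIGNATURE_OIDS.get(oid, oid), False


# --- constructed test data (DER encoder just big enough to build skeletons) ---
def der(tag, value):
    """DER-encode one TLV with definite length (short or long form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def skeleton_cert(sig_oid):
    """Constructed skeleton: stub tbsCertificate, the given AlgorithmIdentifier,
    and a dummy signatureValue long enough to force a long-form outer length."""
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + alg)
    sig = der(0x03, b"\x00" + bytes(256))
    return der(0x30, tbs + alg + sig)


def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
```

Point `classify()` at each leaf and intermediate certificate in a chain (`classify(open("cert.pem").read())`); a self-signed root is exempt, because the browser trusts it by its presence in the trust store and never verifies the root's own signature, which is why the vendors' SHA-1 policies apply to end-entity and intermediate certificates only.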

Federal prison system wants anti-drone technology

Looking to counter the threat unmanned aircraft might pose to federal prison guards and prisoners, the Federal Bureau of Prisons is looking at what types of technology could be used to defeat drones. The bureau, an agency of the Department of Justice, issued a Request for Information specifically targeting what it called a fully integrated system that will allow for the detection, tracking, interdiction, engagement and neutralization of small (less than 55 lb) unmanned aerial systems.

What does Donald Trump have to say about technology? Not much

Donald Trump isn't much of a technophile. The surprise frontrunner for the Republican nomination in the 2016 U.S. Presidential election said he hadn't adopted email as late as 2007, and was only using it "very rarely" by 2013, according to The New York Times, which published these admissions among many other revealing statements Trump has made under oath in depositions over the past decade. Trump still reads hard-copy news and magazine articles, and even dictates his oft-controversial tweets to a team of PR underlings who send them out on his account, according to The Washington Post.

Trojanized Android apps flood third-party stores, compromise phones

Attackers are creating rogue versions of popular Android applications that compromise the security of devices and are extremely hard to remove. Researchers from mobile security firm Lookout have found more than 20,000 samples of such trojanized apps. They're typically fully functional copies of top Android applications like Candy Crush, Facebook, Google Now, NYTimes, Okta, SnapChat, Twitter or WhatsApp, but with malicious code added to them. The goal of these rogue apps is to aggressively display advertisements on devices. A scary development, though, is that, unlike traditional adware, they root the devices where they get installed in order to prevent users from removing them.

VBulletin resets passwords, issues emergency patches following breach

VBulletin Solutions has reset the passwords for over 300,000 accounts on its website following a security breach, and also released emergency security patches. The company's Internet forum software is used on tens of thousands of websites. It's not clear if the patches were prompted by the security breach, but the hacker who claimed to have compromised the vBulletin.com database put a zero-day vBulletin exploit -- an exploit for an unpatched vulnerability -- up for sale on Monday. VBulletin Solutions did not immediately respond to an inquiry seeking more details about the patches and their relationship to the breach.

TalkTalk breach investigation leads to fourth arrest

Police investigating the data breach at U.K. telecommunications operator TalkTalk made their fourth arrest late Tuesday, as lawmakers launched their own inquiry into the case. The Metropolitan Police Cyber Crime Unit and the National Crime Agency arrested a 16-year-old boy at an address in Norwich, England, after visiting it with a search warrant. Police had previously arrested a 15-year-old boy from County Antrim, Northern Ireland, on Oct. 26, a 16-year-old boy in Feltham, England, on Oct. 29, and a 20-year-old man in Staffordshire on Oct. 31. All four were arrested on suspicion of offenses under the Computer Misuse Act, and all have now been released on bail without charge while police continue their investigation.

How to push security earlier into the dev process

A new crop of products is emerging that aim to implant security best practices and compliance checks as early and often as possible when new infrastructure is spun up in the cloud or when new applications are launched in a rapid development environment. The idea behind these products is that security should be incorporated into the entire life cycle of resources being used or applications being developed. Some vendors contend that too often security assessments are either not performed, or they’re done too late in the process of managing resources and apps. Tools from companies like Amazon Web Services, Microsoft and Chef are all aiming to ensure security best practices are automatically enforced as early on in the process as possible.
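What "enforced as early as possible" looks like in practice is a check that runs in the pipeline before infrastructure is created, failing the build when a rule violates policy. As an added example (not from the article or from any vendor's tooling), the gate below scans security-group definitions for administrative ports open to the whole Internet. The input shape follows the EC2 DescribeSecurityGroups JSON document (SecurityGroups, IpPermissions, IpRanges, Ipv6Ranges), which is an assumption about the source of the data; the sample document and the list of administrative ports are constructed for illustration.

```python
"""Pre-deployment gate: reject security groups exposing admin ports to the Internet.

Added example, not from the article or any vendor tool. The document shape
follows EC2 DescribeSecurityGroups output (an assumption); the sample below is
constructed, as is the list of ports treated as administrative.
"""
import ipaddress
import json

# Assumption: ports that should never be reachable from an unrestricted source.
ADMIN_PORTS = {22: "ssh", 1433: "mssql", 3306: "mysql", 3389: "rdp",
               5432: "postgres", 6379: "redis", 27017: "mongodb"}

SAMPLE_DESCRIBE_SECURITY_GROUPS = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},      # fine: public HTTPS
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},     # fine: SSH from the VPC only
        ]},
        {"GroupId": "sg-4e5f6a7b", "GroupName": "bastion-oops", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},      # violation: SSH from anywhere
        ]},
        {"GroupId": "sg-8c9d0e1f", "GroupName": "db", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},                        # violation: all traffic, all of IPv6
        ]},
    ]
})


def port_range(permission):
    """(low, high) ports covered by a rule; protocol -1 means every port."""
    if permission.get("IpProtocol") == "-1":
        return 0, 65535
    return permission.get("FromPort", 0), permission.get("ToPort", 65535)


def is_unrestricted(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def findings(describe_json):
    """(group id, protocol, source cidr, exposed admin ports) for every world-open admin port."""
    doc = json.loads(describe_json)
    results = []
    for group in doc.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            low, high = port_range(perm)
            exposed = [ADMIN_PORTS[p] for p in sorted(ADMIN_PORTS) if low <= p <= high]
            if not exposed:
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if is_unrestricted(cidr):
                    results.append((group["GroupId"], perm.get("IpProtocol"), cidr, exposed))
    return results


def gate(describe_json):
    """Exit status for a CI step: 0 lets the deployment proceed, 1 blocks it."""
    return 0 if not findings(describe_json) else 1


if __name__ == "__main__":
    import sys
    for group_id, proto, cidr, ports in findings(SAMPLE_DESCRIBE_SECURITY_GROUPS):
        print(f"BLOCK {group_id}: {proto} from {cidr} exposes {', '.join(ports)}")
    sys.exit(gate(SAMPLE_DESCRIBE_SECURITY_GROUPS))
```

The same function works on real output from `aws ec2 describe-security-groups --output json`, and the point of the article's argument is where it runs: as a step that fails the pipeline before the rule is applied, rather than as a report read weeks later. A protocol of `-1` deserves its own attention, since such a rule carries no port fields at all and is easy to miss if a check only looks at FromPort and ToPort.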