The Internet of Things and wearable technology are becoming more integrated into our everyday lives. If you haven't already, now is the time to begin planning for their security implications in the enterprise. According to research firm IHS Technology, more than 200 million wearables will be in use by 2018. That's 200 million more chances of a security issue within your organization. If that number doesn't startle you, Gartner further predicts that 30% of these devices will be invisible to the eye. Devices like smart contact lenses and smart jewelry will be making their way into your workplace. Will you be ready to keep them secure even if you can't see them?To read this article in full or to leave a comment, please click here
Despite aggressive law enforcement and Federal Trade Commission actions to battle it, the scourge known as the “Tech Support Scam” is growing – with older individuals a rising target.The tech support scam basically involves tricking people into believing their computer has problems, and then charging them hundreds of dollars for unnecessary, worthless, and in some cases destructive applications such as malware, spyware, adware, keystroke loggers, and other harmful applications.+More on Network World: What’s hot in driverless cars?+To read this article in full or to leave a comment, please click here
Security experts regularly exhort organizations to improve their security not just internally but externally as well, in their business relationships with third parties.In many cases, it is more than an exhortation – it’s a mandate. Last year’s updated standards for the payment card industry (PCI) made a point of addressing third-party risks.But some evidence suggests an area of third-party relationships where security still lags is mergers and acquisitions (M&A).In a survey of, “214 global deal-makers from corporates, financial institutions, investors and legal services providers,” the London-based law firm Freshfields Bruckhaus Deringer found that while there is plenty of awareness (74 percent of acquirers and 60 percent of sellers) about the effect that cyber security risks can have on a pending deal, a large majority of respondents – 78 percent – “believe cyber security is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.”To read this article in full or to leave a comment, please click here
We've reached a point that security researchers have long warned is coming: insecure embedded devices connected to the Internet are routinely being hacked and used in attacks.The latest example is a distributed denial-of-service (DDoS) attack detected recently by security firm Imperva. It was a traditional HTTP flood aimed at overloading a resource on a cloud service, but the malicious requests came from surveillance cameras protecting businesses around the world instead of a typical computer botnet.The attack peaked at 20,000 requests per second and originated from around 900 closed-circuit television (CCTV) cameras running embedded versions of Linux and the BusyBox toolkit, researchers from Imperva's Incapsula team said in a blog post Wednesday.To read this article in full or to leave a comment, please click here
Microsoft has started a three-month bug bounty program for two tools that are part of Visual Studio 2015.The program applies to the beta versions of Core CLR, which is the execution engine for .NET Core, and ASP.NET, Microsoft's framework for building websites and web applications. Both are open source."The more secure we can make our frameworks, the more secure your software can be," wrote Barry Dorrans, security lead for ASP.NET, in a blog post on Tuesday.All supported platforms that .NET Core and ASP.NET run on will be eligible for bounties except for beta 8, which will exclude the networking stack for Linux and OS X, Dorrans wrote.To read this article in full or to leave a comment, please click here
In 2012, two servers run by the U.S. Navy rolled back their clocks 12 years, deciding it was the year 2000.The servers were very important: they're part of a worldwide network that helps computers keep the right time using the Network Time Protocol (NTP).Computers that checked in with the Navy's servers and adjusted their clocks accordingly had a variety of problems with their phones systems, routers and authentication systems.The incident underscored the serious problems that can occur when using NTP, one of the oldest Internet protocols published in 1985.The protocol is fairly robust, but researchers from Boston University said on Wednesday they've found several flaws in NTP that could undermine encrypted communications and even jam up bitcoin transactions.To read this article in full or to leave a comment, please click here
In 2012, two servers run by the U.S. Navy rolled back their clocks 12 years, deciding it was the year 2000.The servers were very important: they're part of a worldwide network that helps computers keep the right time using the Network Time Protocol (NTP).MORE: 10 Cool Network & Computing Research ProjectsComputers that checked in with the Navy's servers and adjusted their clocks accordingly had a variety of problems with their phones systems, routers and authentication systems.To read this article in full or to leave a comment, please click here
Synack, a security company that uses crowdsourcing for penetration testing, has built an intelligence platform that it says will narrow down weak points in a company's network.
Based in Redwood City, California, Synack uses a network of freelance security analysts in 35 countries to probe the networks of companies who've signed up to its subscription service.
The analysts, who are closely vetted by Synack, get paid based on the vulnerabilities and security problems they find, ranging from $100 up to thousands. The subscription offering means companies are continually analyzed.
Jay Kaplan, Synack's co-founder and CEO, said they wanted to build platform that would help its analysts quickly focus their attention on potential trouble spots. Called Hydra, the platform spots vulnerabilities in networks and applications, looks for out-of-date software and other issues.To read this article in full or to leave a comment, please click here
Examples of the different kinds of personal data available online, as well as its value on the black market, is available in a new report (PDF) from Intel Security's McAfee Labs. The report looks at pricing for credit cards, bank account login details, and other stolen personal information.$5 credit card numbers
U.S. credit card account numbers complete with date of birth typically run $15, the report says. Basic card numbers without the extra data costs as little as $5."A digital equivalent of physical card would let a criminal buy things until the victim contacts the card issuer and challenge the charges," Raj Samani, CTO for Intel Security in Europe, the Middle East, and Africa, said in a McAfee blog post about the report.To read this article in full or to leave a comment, please click here
It isn’t hard for just about anyone to change or alter an image these days -- and that can be a problem.It’s an issue researchers at the Defense Advanced Research Projects Agency want top put to rest with a new program called Media Forensics or MediFor, which looks to build an algorithmic-based platform that can detect image manipulation.+More on Network World: Gartner: Get onboard the algorithm train!“The forensic tools used today lack robustness and scalability and address only some aspects of media authentication; an end‐to‐end platform to perform a complete and automated forensic analysis does not exist. Although there are a few applications for image manipulation detection in the commercial sector, they are typically limited to a yes/no decision about the source being an “original” asset, obtained directly from an imaging device. As a result, media authentication is typically performed manually using a variety of ad hoc methods that are often more art than science, and forensics analysts rely heavily on their own background and experience,” DARPA stated.To read this article in full or to leave a comment, please click here
Smart TVs in conference rooms. Brainy heating and air-conditioning systems. Internet-connected light bulbs. Intelligent devices controlling manufacturing processes. Smart watches and fitness devices everywhere.
These are just a few of the things you’ll find in the enterprise Internet of Things (IoT) landscape, a landscape in which almost every physical object, it seems, has plenty of smarts and connects to networks -- and leaves enterprises vulnerable to hacks and data breaches.
Also in this series...
- Surveys Say: IoT dangers are here, they're real, and they're widespread
- IoT Bookshelf: Essential reading for Internet of Things securityTo read this article in full or to leave a comment, please click here(Insider Story)
Two studies, one from HP, and one from DNS and security vendor OpenDNS, took a look at the dangers IoT devices pose, and both concluded the same thing: They’re real, they’re here, and they’re more widespread than you might imagine. Following are summaries of each study.
Also in this series... - IoT security threats and how to handle them - IoT Bookshelf: Essential reading for Internet of Things securityTo read this article in full or to leave a comment, please click here(Insider Story)
An escalation in the frequency, severity and impact of cybersecurity attacks damaging corporate operations, finances and reputations is forcing boards of directors to take more active roles in their company's defensive posture. However, the level of participation in their companies' risk mitigation strategy remains lacking, according to new research from PwC.Forty-five percent of 10,000 CEOs, CFOs, CIOs and other executives PwC polled said that their boards participated in corporate cybersecurity strategy, up from 42 percent when PwC conducted a similar survey for 2014, according to David Burg, PwC's global cybersecurity practice leader. But given the glut of cybersecurity attacks Burg says the numbers are lower than they should be. "It is surprising that this number isn't north of 75 percent,” says Burg, who published the data in a new report. “In a world of connected business ecosystems, you’re only as strong as your weakest link.”To read this article in full or to leave a comment, please click here
In light of recent advances in attacks against the SHA-1 cryptographic function, Mozilla is considering banning digital certificates signed with the algorithm sooner than expected.The CA/Browser Forum, a group of certificate authorities and browser makers that sets guidelines for the issuance and use of digital certificates, had previously decided that new SHA-1-signed certificates should not be issued after Jan. 1, 2016.Browser makers have also decided that existing SHA-1 certificates will no longer be trusted in their software starting Jan. 1, 2017, even if they're technically set to expire after that date.On Tuesday, Mozilla announced that it's re-evaluating the cutoff date and is considering the feasibility of pushing it forward by six months, on July 1, 2016. The decision is guided by recent research that improves the practicality of attacks against SHA-1.To read this article in full or to leave a comment, please click here
Many of the world's top tech companies want to put a stop to the fundamentally flawed Cybersecurity Information Sharing Act (CISA) bill which is on the Senate floor.Put another way on "Decide the future of the Internet," the corporate scorecard lists companies against CISA as "Team Internet," while "Team NSA" is "collaborating with the government to control the Internet." Decide the Future
CISA will automate sharing with the following government agencies:To read this article in full or to leave a comment, please click here
Oracle has fixed a vulnerability in Java that a Russian cyberespionage group used to launch stealthy attacks earlier this year.At the same time, Oracle fixed 153 other security flaws in Java and a wide range of its other products, it said Tuesday.The Java vulnerability can be used to bypass the user confirmation requirement before a Web-based Java application is executed by the Java browser plug-in. This type of protection mechanism is commonly referred to as click-to-play.The flaw was reported to Oracle by security researchers from Trend Micro, who first spotted the vulnerability in July in attacks launched by a Russian hacker group dubbed Pawn Storm that commonly targets military and governmental institutions from NATO member countries.To read this article in full or to leave a comment, please click here
Malvertising is the latest way for criminals to infect your computer with malware – and the only thing you need to do to allow it is to visit your favorite website that relies on advertising. That's because they're slipping bad code into ads that are put onto those websites through advertising networks. Big name websites like Forbes, Huffington Post and the Daily Mail have been the focus of attacks.In a recent report by Cyphort found that malvertising has spiked 325 percent in 2014. A more recent report shows that malvertising reached record levels this past summer. To read this article in full or to leave a comment, please click here
Google and Yahoo are expanding their use of a successful system for identifying spam.The move is part of years-long effort to implement a series of checks designed to figure out if an email really has been sent by the domain it purports to come from.Email spoofing has long been a problem since its easy to forge the "from" address, making it more likely the receiver will believe it came from a legitimate source.By Nov. 2, Yahoo plans to being using DMARC (Domain-based Message Authentication, Reporting & Conformance) for its ymail.com and rocketmail.com services. Next year, Google also plans to move Gmail to a strict DMARC policy, according to a news release.To read this article in full or to leave a comment, please click here
Magento said Tuesday there does not appear to be a new vulnerability in its e-commerce platform that is causing some websites to become infected with the Neutrino exploit kit.
Some of the affected websites appear to not have patched a code execution vulnerability nicknamed the Shoplift Bug Patch, Magento's security team wrote in a blog post. A patch was released in February.
Other Magento-powered sites have not applied other patches, making them vulnerable.
The latest attack against Magento was highlighted by Malwarebytes and Sucuri, two security companies, who noticed attacks on the client and server sides.To read this article in full or to leave a comment, please click here
The hardware-based encryption built into popular Western Digital external hard disk drives has flaws that could allow attackers to recover data without knowing the user password.A team of three security researchers investigated how the self-encryption feature was implemented in several popular Western Digital My Passport and My Book models. Depending on the type of microchip used for the encryption operation, they found design flaws and backdoor-like features that enable brute-force password guessing attacks or even decryption of the data without knowing the password.In some cases they found that the encryption is performed by the chip that bridges the USB and SATA interfaces. In other cases the encryption is done by the HDD's own SATA controller, with the USB bridge handling only the password validation.To read this article in full or to leave a comment, please click here