Category Archives for "Network World Security"

Cisco dedicates security project to ‘pissing off the bad guys’

Following its disruption of a major ransomware distribution operation built on the Angler exploit kit, Cisco is offering free security consulting to hosting providers, aimed at wiping out persistent attacks that abuse providers' services and threaten the rest of the Internet. Cisco's Talos security intelligence and research group has launched Project Aspis, which hosting providers can sign up for to work with Talos; in return they receive help including systems forensics, reverse engineering, threat intelligence sharing and, in the right circumstances, dedicated research engineers to work with, according to Cisco's security blog.

October 2015 Patch Tuesday: Microsoft releases 3 critical and 3 important patches

For October 2015 Patch Tuesday, Microsoft released only six security bulletins, three of them rated critical. The three critical bulletins all deal with remote code execution. MS15-106 is a cumulative fix for Internet Explorer, patching multiple memory corruption, scripting engine memory corruption, elevation of privilege and information disclosure vulnerabilities, as well as a security feature bypass involving ASLR in VBScript and JScript and a scripting engine information disclosure bug. The most severe flaws could allow remote code execution if an attacker tricks a user into visiting a maliciously crafted site; a successful exploit gives the attacker the same rights as the current user.

DARPA wants vanishing drones

It’s a description right out of a James Bond or Mission: Impossible script: create a flock of unmanned aircraft that can be dropped from a larger mothership to take on a mission, then actually vanish once the mission is carried out. Engineers at the Defense Advanced Research Projects Agency envision the disappearing drones as ideal for a number of missions, including the delivery of humanitarian or military aid to people or military personnel in rough terrain or hard-to-reach places.

Google adopts single sign-on for more desktop, mobile apps

Google is expanding its identity service to provide single sign-on for more desktop and mobile applications. With enhanced OpenID Connect Identity Provider support, Google Apps administrators will be able to add single sign-on capabilities to mobile apps and to SaaS (software-as-a-service) apps available through the Google Apps Marketplace, said Shashank Gupta, product manager for Google Apps for Work. Google also added support for SAML (Security Assertion Markup Language) 2.0 for popular SaaS providers and made it easier for administrators to add custom SAML app integrations. Organizations are increasingly adopting single sign-on because it improves corporate application security: employees don't have to remember a separate complex password for each application, since they sign in with their Google Apps credentials.

SANS: 20 critical security controls you need to add

Prioritizing security measures is the first step toward accomplishing them, and the SANS Institute has created a list of the top 20 critical security controls businesses should implement. The list includes some obvious steps, such as getting a comprehensive inventory of all network devices and software, implementing secure hardware configurations and providing for data recovery, but it also gets into areas that are less evident.

To scare people better, Android ransomware gets a snazzy UI

Hackers are like any other coders: they want to build better software, even if it's a program that merely aims to extract a ransom from a hapless Android user. Symantec said it has seen a new version of the Porn Droid ransomware that uses Google's custom-built design language, Material Design, to create more intimidating warnings. Discovered last year, Porn Droid purports to be an adult content viewer. If installed, it locks the device, warns that the user has viewed illicit pornography and demands a ransom. The app has been seen on third-party Android application marketplaces and forums for pirated software.

Fake LinkedIn profiles lure unsuspecting users

No doubt you've received a LinkedIn invitation from someone you don't know -- or you're not sure you know. Next time, you might want to think a little harder before accepting. Researchers from Dell SecureWorks Counter Threat Unit have identified a network of at least 25 well-developed LinkedIn profiles as part of a targeted social engineering campaign against individuals in the Middle East, North Africa, and South Asia. The fake profiles were linked to 204 legitimate profiles belonging to individuals working in the defense, telecommunications, government, and utility sectors. A quarter of the victims worked in the telecommunications sector in the Middle East and North Africa. Fortunately, the fake profiles have already been removed from LinkedIn.

Judge does not order Apple to disable security on encrypted device

Well, well, well…a federal magistrate of the U.S. District Court for the Eastern District of New York has so far refused to order Apple to disable security on a customer’s encrypted mobile device, even though the government assured the judge that doing so “is not likely to place any unreasonable burden on Apple.” According to the court document (pdf), available on Cryptome, which recently admitted to leaking users’ IP addresses in a separate tech drama, the government filed a sealed application on Oct. 8; it asked the court “to issue an order pursuant to the All Writs Act,” and thereby force Apple “to assist in the execution of a federal search warrant by disabling the security of an Apple device that the government has lawfully seized pursuant to a warrant issued by this court. Law enforcement agents have discovered the device to be locked, and have tried and failed to bypass the lock.”

California governor vetoes bill punishing irresponsible drone users

After several incidents where irresponsible drone users interfered with firefighting planes, California looked poised to pass harsher penalties for the idiots who were endangering the planes. It seemed a no-brainer. Well, Governor Jerry Brown doesn't seem to have a brain. In three days, he signed a climate change bill, a gender pay equity law, a bill to combat racial profiling, and one legalizing assisted suicide. But he vetoed three bills that would have prohibited civilians from flying aerial drones over wildfires, schools, prisons, and jails.

Why Verizon’s ‘zombie cookies’ are scarier than ever

Like the Walking Dead lurching across your TV screen, Verizon's "zombie cookies" never give up. These hard-to-kill bits of code that track your mobile surfing habits are about to be shared with Verizon's newest acquisition, AOL, and that means additional advertisers will learn even more about you. Beginning in November, if you access the Web via Verizon's network, data on "your gender, age range and interests" (according to a Verizon FAQ page on its Relevant Mobile Advertising program) will be pushed to AOL's extensive network of advertisers.

Dancing on the grave of Flash

I’ll be honest. I hate Flash. I loathe Flash. I abhor Flash. And these are educated feelings. Flash is tremendously insecure, has no way of managing updates across a fleet of computers, is needlessly inefficient, chews up battery life, is as proprietary and closed a system as they come in an era where we have rich and stable open Web standards, and in general is a tax on the Web experience. I could not be happier to see Flash go. Opinions vary about exactly when Flash died. A minor but vocal group, consisting largely of Web advertisers, still says it’s alive. (Think again, folks.) Some attribute the final nail in Flash’s coffin to the decision by video giant YouTube in September to stop delivering video content to users of modern browsers with Flash and instead use the cross-platform open standard HTML5. (YouTube had to wait until better buffering technology arrived in the HTML5 standard so that the provider could switch bit rates for streaming video on demand for less buffering as the traffic shape required.) Others say it’s when Google disabled Flash-based advertising in Chrome and developed a tool that let AdWords, its advertising platform, automatically convert …

Apple draws cloudy line on use of root certs in mobile apps

Apple's removal of several apps from its mobile store on Thursday shows the challenges iOS developers can face when app guidelines shift. Among the apps removed was Choice, developed by the Palo Alto-based company Been. The app intercepted encrypted traffic sent to a handful of companies, including Facebook, Google, Yahoo and Pinterest, in order to block in-app ads. Apple said the apps, which it did not name, used root digital certificates that could expose data to untrusted sources.

TPP will outlaw security research done without permission, lead to destroyed devices

If you don’t have a DVD or Blu-ray ripper and you want one, then you should consider buying one immediately, because tools that assist in the circumvention of DRM could be banned if the Trans-Pacific Partnership (TPP) is ratified. Of course, if the finalized TPP text, leaked by WikiLeaks, is ratified, then you could be criminally liable if you circumvent Digital Rights Management. While a worst-case scenario might involve copyright infringement, as the TPP sets a copyright term of life plus 70 years, the judicial authorities could also “order the destruction of devices and products found to be involved in the prohibited activity.” The TPP is “all we feared,” according to the EFF.

Why is double opt-in still not used by everyone?!

Out there in the big wide world there are, beside me, unfortunately, a few other people named “Mark Gibbs,” and a number of these individuals don’t know their Gmail addresses. This is a problem, as I am the proud owner of “[email protected]” and have been since the start of Gmail, while they are not. The trouble with these people is that they keep giving my Gmail address to organizations they deal with, and more than a few of these organizations fail to do the one thing they should be doing when it comes to building an email relationship with a customer: verifying the customer’s email address.
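The verification step the column calls for is double opt-in: the address is recorded only after its owner clicks a confirmation link carrying a token that nobody else could forge, so someone who types in another person's address never gets them subscribed. The Python below is an added example, not code from the column or from any of the organizations it criticizes. It assumes a server-side HMAC secret, a 24-hour token lifetime and the constructed address reader@example.com; a real deployment would load the secret from a secret store and send the token inside a link in the confirmation email.

```python
import base64
import hashlib
import hmac
import time

# Assumption: a server-side secret; real deployments load it from a secret store.
SECRET = b"rotate-me-in-production"
TOKEN_TTL = 24 * 3600  # assumption: a confirmation link is good for one day


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email, secret=SECRET, ttl=TOKEN_TTL, now=None):
    """Build b64(email).b64(expiry).b64(HMAC-SHA256(secret, email|expiry)).

    The MAC binds the address to the expiry, so neither can be altered without
    the secret, and the token is only useful to whoever reads the mailbox.
    """
    now = time.time() if now is None else now
    email = email.strip().lower()
    exp = int(now) + ttl
    mac = hmac.new(secret, f"{email}|{exp}".encode(), hashlib.sha256).digest()
    return ".".join([_b64(email.encode()), _b64(str(exp).encode()), _b64(mac)])


def verify_confirmation_token(token, secret=SECRET, now=None):
    """Return the confirmed address, or None if the token is malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        e_part, x_part, m_part = token.split(".")
        email = _unb64(e_part).decode()
        exp = int(_unb64(x_part).decode())
        mac = _unb64(m_part)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, f"{email}|{exp}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if now > exp:
        return None
    return email


class MailingList:
    """Double opt-in: an address is stored only after its owner presents the token."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.confirmed = set()

    def request_subscription(self, email, now=None):
        # Step 1: do not subscribe yet. The caller emails this token to `email`
        # inside a confirmation link; whoever typed someone else's address
        # never sees it.
        return make_confirmation_token(email, self.secret, now=now)

    def confirm(self, token, now=None):
        # Step 2: the link was clicked, so the mailbox owner consented.
        email = verify_confirmation_token(token, self.secret, now=now)
        if email is None:
            return False
        self.confirmed.add(email)
        return True


if __name__ == "__main__":
    ml = MailingList()
    token = ml.request_subscription("Reader@Example.com")  # constructed sample address
    print("pending:", ml.confirmed)                         # still empty
    print("confirm:", ml.confirm(token), ml.confirmed)
    print("forged: ", ml.confirm(token[:-4] + "xxxx"))      # MAC mismatch -> False
```

The address is normalized before it is signed so that a confirmation for "Reader@Example.com" and for "reader@example.com" refers to the same mailbox, and the token carries no state the server has to store, which means a pending request that is never confirmed costs nothing and simply expires.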

Dow Jones & Co. discloses breach, incident likely related to Scottrade

On Friday, in a letter to customers, the CEO of Dow Jones & Co. disclosed a data breach affecting 3,500 people. Based on public details, the incident seems similar to a breach reported by Scottrade last week that impacted 4.6 million investors. In his letter, Dow Jones Chief Executive William Lewis said that law enforcement officials informed the company about the potential breach in late July. After bringing in outside help, an investigation confirmed that the systems housing the customer data were accessed, but there is no proof that data was exfiltrated. The investigators also determined that the attackers had access to the systems between August 2012 and July 2015.

Can $1M in damages be accurate in a website defacement?

Corporate security pros should note that journalist Matthew Keys was convicted this week in a case over the alteration of a headline on the LA Times Web site, a case that may help define what can be included when toting up damages caused by hackers. The bill cited in court came to $929,977: the cost of changing back the altered headline, which stayed live for less than an hour, but also the cost of assessing what other damage was done and fixing it, which took months.

US won’t seek legislation against encryption

The U.S. administration will not seek legislation at this point to counter the encryption of communications by many technology services and product vendors, but will work on a compromise with industry, a senior U.S. official said Thursday. "The administration is not seeking legislation at this time," Federal Bureau of Investigation Director James Comey said in a statement before the Senate Committee on Homeland Security and Governmental Affairs. Comey had previously asked for a "robust debate" on encryption of communications, saying that the technology could get in the way of his job of keeping people safe.

Apple removes apps from store that could spy on your data traffic

Apple on Thursday removed several apps from its store that it said could pose a security risk by exposing a person's Web traffic to untrusted sources. The company recommended deleting the apps but did not name them, which may make it hard for people to know which apps put their data at risk. The apps in question installed their own root certificates on a person's Apple mobile device. That enables an app to terminate an encrypted connection between the device and a service and view the traffic, which is a potential security risk. Most websites and many apps use SSL/TLS (Secure Sockets Layer/Transport Layer Security), a protocol that encrypts data traffic exchanged with a user. SSL/TLS is a cornerstone of Web security, ensuring that intercepted data traffic is unreadable.
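A root certificate installed on the device lets the app (or an interception proxy it forwards to) mint a certificate for any host, and the system trust store will accept it; that is how the apps in this item and in the "Apple draws cloudy line" item above could read TLS traffic. An application that pins the server's public key is not fooled, because the pin is checked against the SubjectPublicKeyInfo (SPKI) of the leaf certificate, not against whatever chain the device happens to trust. The Python below is an added example, not Apple's code or that of any of the removed apps: a minimal DER walker that extracts the SPKI from an X.509 certificate, a "sha256/..." pin in the form used by HPKP and OkHttp, and a constant-time comparison. The two certificates it checks are constructed, unsigned skeletons built inside the block so that it runs offline; the host name api.example.com, the issuer name and the key bytes are assumptions. On a real connection the input is `sock.getpeercert(binary_form=True)`.

```python
import base64
import hashlib
import hmac


def der_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos].

    Returns (tag, body, whole_tlv, end); whole_tlv keeps the tag and length
    bytes, because the SPKI pin is computed over that complete encoding.
    """
    start = pos
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], buf[start:end], end


def der_children(body):
    """Split the content of a SEQUENCE into its (tag, body, whole_tlv) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, whole, pos = der_tlv(body, pos)
        out.append((tag, inner, whole))
    return out


def extract_spki(cert_der):
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate."""
    _, cert_body, _, _ = der_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, tbs_body, _, _ = der_tlv(cert_body, 0)       # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:             # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, _, spki = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def spki_pin(cert_der):
    """HPKP/OkHttp-style pin: sha256/<base64 of SHA-256 over the SPKI DER>."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_matches(cert_der, pins):
    """True if the leaf certificate's public key is one of the pinned keys."""
    actual = spki_pin(cert_der)
    return any(hmac.compare_digest(actual, p) for p in pins)


# --- constructed sample input: certificate-shaped DER, unsigned, not real ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
RSA_OID = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1
CN_OID = bytes.fromhex("550403")                      # 2.5.4.3 commonName


def cn_name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))


def skeleton_cert(subject_cn, key_bytes):
    """Hypothetical certificate with a placeholder key and an all-zero signature."""
    sig_alg = der(0x30, der(0x06, SHA256_RSA_OID) + der(0x05, b""))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
               + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                                  # version v3
              + der(0x02, b"\x01")                                           # serialNumber
              + sig_alg                                                      # signature
              + cn_name("Example CA")                                        # issuer
              + der(0x30, der(0x17, b"151009000000Z") + der(0x17, b"161009000000Z"))
              + cn_name(subject_cn)                                          # subject
              + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(32)))


GENUINE_CERT = skeleton_cert("api.example.com", bytes(range(256)))
# What an interception proxy mints under its own root: same subject, its own key.
MITM_CERT = skeleton_cert("api.example.com", bytes(range(255, -1, -1)))
PINS = [spki_pin(GENUINE_CERT)]

if __name__ == "__main__":
    print("genuine:", pin_matches(GENUINE_CERT, PINS))  # True
    print("mitm:   ", pin_matches(MITM_CERT, PINS))     # False
```

Pinning is done after the normal chain validation, not instead of it, and the pin set should include a backup key so that a routine key rotation does not lock clients out. The check is against the leaf's key rather than its subject name precisely because the interception certificate carries the right name and a valid (locally trusted) chain; only the key differs.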

Many vulnerabilities in older Huawei 3G routers won’t get patched

Huawei doesn't plan to patch more than a dozen models of 3G routers that have severe software vulnerabilities. The flaws could allow an attacker to change DNS (Domain Name System) settings, upload new firmware without logging into the device and conduct a denial-of-service attack. The affected models, distributed by ISPs in 21 countries, are now considered out of Huawei's support cycle, said Pierre Kim, the security researcher who found the issues and listed the models on his blog.

IDG Contributor Network: ‘Culture of denial’: Nuclear industry’s cybersecurity shortcomings revealed in new report

Many nuclear power facilities aren't air-gapped from the Internet, and many "critical infrastructure components" can be identified via search engines. These are just two of the graphic warnings made in a recent report on the nuclear power industry by the think tank Chatham House. The international policy institute has just released a report (PDF) on cybersecurity at civil nuclear facilities worldwide, including those in the U.S. The report is scathing.