Archive

Category Archives for "Network World Security"

IP was Middle School, Named Data Networking is College

Van Jacobson: "In vocabulary terms, IP is like a good middle school education. There’s a lot of things you can say and communicate in society but it’s not so great for writing a poetry volume or a thesis... The real goal of NDN was to get us into college." Much of the Named Data Networking (NDN) project codebase is still at the Version zero-dot-something level. But things are nevertheless starting to get real for this content-centric architecture designed to blast past today’s host-based and point-to-point Internet scheme to one more suited for accessing applications across hugely scalable networks that are mobile and extend to all sorts of sensor-equipped things.

SHA-1 hashing algorithm could succumb to $75K attack, researchers say

Researchers have found a new way to attack the SHA-1 hashing algorithm, still used to sign almost one in three SSL certificates that secure major websites, making it more urgent than ever to retire it, they said Thursday. SHA-1 is a cryptographic hashing function designed to produce a fingerprint of a document, making it easy to tell if a document has been modified after the fingerprint was calculated. Weaknesses had already been identified in SHA-1, and most modern Web browsers will no longer accept SSL certificates signed with it after Jan. 1, 2017. That date was chosen based on the ever-decreasing cost of the computing power required to attack the algorithm.

Lyft’s CTO accused of hacking Uber

Uber recently submitted new court filings seeking more information on an IP address believed to be involved in a hack that was made public in February, in which the names and email addresses of 50,000 of its drivers were stolen. And two anonymous sources reportedly told Reuters that the IP address points to Chris Lambert, the chief technology officer of Uber's main competitor, Lyft. In court papers, Uber claims the Comcast IP address was used to access a security key in the breach, and is seeking more information to identify who was using the address. U.S. Magistrate Judge Laurel Beeler has said that the information Uber is seeking with the subpoena is "'reasonably likely' to help reveal the 'bad actor' responsible for the hack," according to Reuters.

Why have most merchants missed the EMV deadline?

Last Friday’s Oct. 1 deadline for so-called EMV or “chip-and-PIN” credit card technology to replace the 1960s-vintage “swipe-and-signature” magnetic stripe card system should not have been a surprise to any of the major players in the payment card industry (PCI) – merchants, card issuers and banks. Visa, one of the three developers of the EMV standard (along with Europay and MasterCard) announced in August 2011 – more than four years ago – that it would be moving to EMV in the U.S. (it has been in use in Europe for more than a decade). The EMV Migration Forum was created by the Smart Card Alliance in July 2012.

Journalist convicted of helping Anonymous hack the LA Times

A journalist accused of helping a rogue hacking group briefly take control of the LA Times' website was convicted by a federal jury in California on Wednesday. Matthew Keys, 28, of Vacaville, California, was convicted of conspiracy to make unauthorized changes to a computer, transmitting malicious code and attempted transmission of malicious code, according to the Department of Justice. One of Keys' attorneys, Jay Leiderman, wrote on Twitter that "we'll proceed forward to sentencing and look forward to appealing this verdict."

Android malware hammers phones with unwanted ads

Android users in more than 20 countries have been infected with a particularly aggressive malware program that bombards devices with unwanted advertisements. Researchers from FireEye found that the malicious component, nicknamed Kemoge, has been seeded inside what appear to be legitimate apps offered on third-party application stores. "This is another malicious adware family, possibly written by Chinese developers or controlled by Chinese hackers, spreading on a global scale that represents a significant threat," wrote Yulong Zhang, a staff research scientist with FireEye.

Amazon makes it easier to lock down the cloud

If there's a common refrain in enterprise security these days, it's that nobody wants to become the next Sony, Experian, Scottrade, Target or Home Depot. Moving workloads to a public cloud service means that companies can leave some of the day-to-day work of securing their infrastructure to professionals who manage those services.

Hackers who targeted Samsung Pay may be looking to track individuals

The security breach at Samsung subsidiary LoopPay was probably more about spying than about gathering consumer data for profit, and the worst could be yet to come, a security analyst said Wednesday. Samsung acknowledged the attack on LoopPay, which it acquired in February for technology that it uses in its Samsung Pay service. It said hackers only breached LoopPay's office network, not systems used by Samsung Pay. The affected servers have been isolated and no personal payment information was put at risk, according to Samsung.

They’re baaaack! Verizon’s zombie cookies to track users across massive AOL ad network

Remember Verizon’s zombie cookies, hidden super-cookie identifiers that tracked users across the Internet? They’re baaaack! Verizon was previously caught manipulating users’ traffic by inserting supercookies. “By attaching a Unique Identifier Header to all traffic that passes through their network, Verizon could effectively build profiles about users habits, the sites they visit, and deliver targeted advertisements based on this tracking,” explained EVDO. “This Unique Identifier Header was then popularly renamed the ‘Zombie Cookie’ since even after being deleted, the tracking cookie would be added back to the network and users would be tracked again.”

Former NSA chief undercuts FBI’s desire for encryption backdoors

The former head of the NSA says the U.S. is better served by strong encryption than it would be by encryption schemes with backdoors that allow law enforcement to decrypt the content of communications, according to reports, and he should know. Under Michael Hayden’s watch as director of the NSA, the agency exploited back doors into phone switches in Greece in order to spy on calls including those made by the Greek prime minister and the mayor of Athens. The legal-intercept capabilities baked into the switches are supposed to be used only under strict legal supervision, but they can be abused. According to a story by James Bamford for The Intercept, documents stolen by Edward Snowden help show that the NSA took unauthorized advantage of legal-intercept backdoors in the Greek phone system to eavesdrop on what calling parties assumed would be private communications.

Non-technical manager’s guide to protecting energy ICS/SCADA

Sophisticated cyber-attacks known as Advanced Persistent Threats (APT) are a growing challenge to the energy sector of our nation’s critical infrastructure. These attacks can largely be attributed to well-funded, dedicated nation-state actors. APT attacks against Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems are increasing; the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) cited ICS/SCADA and control system networks as one of the top two targets for hackers and viruses. These vulnerabilities begin with the human interface (13% of vulnerabilities required local access) and end with the actual Internet-facing ICS/SCADA hardware (87% of vulnerabilities are web-accessible).

Attackers target OWA for domain credentials

A targeted attack against Outlook Web Application (OWA) illustrates how far adversaries will go to establish persistent control over the organization's entire network. As seen in recent breaches, attackers typically use stolen credentials or malware to get a foothold on the network, and then target the domain controller. Once attackers successfully compromise the domain controller, they can impersonate any user and move freely throughout the enterprise network. Since the OWA server, which provides companies with a Web interface for accessing Outlook and Microsoft Exchange, depends on the domain controller for authentication, whoever gains access to the OWA server automatically wins the domain credentials prize.

IoT will become a matter of life or death for security pros

Orlando, Fla. -- Internet of Things means different things to different people; self-driving cars, smart cities, connected homes, health and fitness apps, etc. But for security professionals, IoT will become a safety issue. That’s the stark assessment of analyst Christian Byrnes, who delivered Gartner’s scenario for cyber-security looking out toward the year 2020. Gartner is all-in on IoT, predicting that we’re moving inexorably toward “the universal connectivity of everything,” according to Byrnes. The impact cannot be overestimated.

Gartner: Risk, relentless data center demand, open source and other tech trends IT needs to know

ORLANDO -- It’s not a surprise to most in IT that the info/tech world is fraught with risk, change, and disruption, but most of the time all of those issues aren’t laid out in front of them in nice, neat fashion like they are at Gartner Symposium/ITxpo. There are a number of key themes echoing around the Symposium this week, many having to do with smart algorithms and how that kind of technology is going to change the world forever. Another is the move to an all-digital world – a trend well underway and mostly understood by most large companies.

McAfee plans to be elected president in a landslide on the backs of 40 million tattooed voters

It has been a whirlwind few years for John McAfee, the man noted for developing the first commercial anti-virus program. It was only a few years ago when rumors were frantically flying around following an incredibly sensational story of McAfee as a murder suspect. With all of that seemingly behind him, he now turns his attention to taking up residency in the White House. McAfee, 70, who founded the McAfee security brand, which was later sold to Intel in 2010, recently filed papers as a candidate for president as a member of the Cyber Party. McAfee’s political views are likely to be viewed by many as out of the mainstream, and he believes that if the government is not working for the people, then the citizens have the right to abolish it. He believes that the government has gotten too big and unwieldy. He often cites how it would take 600 years to read all of the laws Congress has passed through the years.

Apple’s new two-factor authentication bumps up security and ease of use

Apple has a new, easier-to-use, and more robust system to protect your login if you’re running the latest major OS release and the latest iTunes on every device connected to the same iCloud account. But you may have to wait for it: the system started rolling out in testing this summer for early public beta testers and developers, and started its full rollout a few days ago with the release of El Capitan. The new two-factor authentication (2FA) system requires that whenever you log in to a new device or browser, you have to enter not just your password but a confirmation code from another piece of equipment you’ve established is under your control. A second factor prevents someone from stealing or guessing your password and gaining access to your account, which can be done remotely or through a security breach. In addition, they have to have a token that can only be generated by or sent to equipment under your control, which means they typically need physical access to a computer, mobile device, or SIM.

Right back at you tech vendors: OUR independent study of YOUR independent research

While not as useless as PR pitches about technology companies cracking some other publication's Top 10 list, "independent" research reports commissioned by vendors are right up there. Why, last week we even got a pitch about two vendors that "revealed the findings of a joint independent study." Reminded me of this line from Hermey the dentist/elf in the Rudolph the Red-Nosed Reindeer TV classic: I've lost count of how many times of late I've shot down pitches on such self-serving research, but in an attempt to try quantifying the scope of this issue I asked colleagues to forward me any such solicitations that they received last week, including for canned infographics. Some of my co-workers, unfortunately, had already jettisoned the pitches and emptied their trash before receiving my request, but the combined two dozen that they did send or that I received from publicity-hungry companies will at least give you a feel for this (I'm not including reports sent to us by research firms, not that I'm under any illusions of their work always being pure.)

Digital Guardian buys Code Green to gain data-loss prevention tech

Endpoint security vendor Digital Guardian has bought Code Green Networks, which makes data loss prevention appliances for businesses. The purchase gives Digital Guardian a DLP offering that, rolled in with the company’s existing products, will provide endpoint, network and cloud data protection overseen by a single console, the company says. This will enable applying policies that will be enforced regardless of where the data is located and regardless of who accessed it and with what device.

Cisco disrupts $60M ransomware biz

Cisco this week says it disabled a distributor of the Angler ransomware exploit kit, a program that holds victim machines hostage via encryption. The catch disrupted a global ransomware operation that netted $60 million annually for the perpetrators, Cisco states in a blog post.