
Category Archives for "Network World Security"

MIT scores worst in cybersecurity

In a cybersecurity survey of 485 large colleges and universities, the Massachusetts Institute of Technology came in at the bottom of the list. In a report released today, SecurityScorecard analyzed the educational institutions based on web application security, network security, endpoint security, IP reputation, patching, and other security indicators. SecurityScorecard's chief research officer Alex Heid said they have a feeling that MIT's low scores were due in part to its cybersecurity research efforts. "They do their own malware research," he said. "They run honeypots. They're running TOR exit nodes."

FireEye takes security firm to court over vulnerability disclosure

A spat between two security companies shows just how sensitive reporting software vulnerabilities can be, particularly when it involves a popular product. The kerfuffle between FireEye and ERNW, a consultancy in Germany, started after an ERNW researcher found five software flaws in FireEye's Malware Protection System (MPS) earlier this year. One of the flaws, found by researcher Felix Wilhelm, could be exploited to gain access to the host system, according to an advisory published by ERNW.

Android ransomware changes a device’s PIN code

Researchers at security company ESET have found a type of malware that changes an Android device's PIN, the first of its kind in an ever-evolving landscape of ransomware attacks. For most users, the only option to get rid of the malware is to reset the phone to its factory settings, which unfortunately also deletes all the data on the device. The malware calls itself "Porn Droid" and bills itself as a viewer for adult content. It has only been seen on third-party Android application marketplaces or forums for pirated software, wrote Lukas Stefanko, an ESET malware analyst. But after it's installed, users see a warning supposedly from the FBI that they've allegedly viewed "prohibited pornography." It asks for a US$500 fine to be paid within three days.

Tech startups need to get serious about security

The head of the nation's primary consumer protection agency on Wednesday paid a visit to San Francisco, where she called on technology startups to do a better job of incorporating security protections as they race to bring new applications into the market. Federal Trade Commission Chairwoman Edith Ramirez's comments amplified the agency's "Start With Security" initiative, a program that aims to encourage businesses to prioritize cybersecurity as an integral part of their product development.

Reports of attacks on the Department of Energy raise alarms

Attackers successfully infiltrated computer systems at the Department of Energy more than 150 times between 2010 and 2014, according to a review by USA Today of federal documents obtained through a Freedom of Information Act request. In all, DoE networks were targeted 1,131 times over the four-year span. While this sounds worrying -- the DoE oversees the country's power grid and nuclear weapons stockpile, after all -- there are a few things missing from the report. The attacks appear to be against the DoE's office systems and not the real-time systems that control the power grid. Those systems are typically operated by utilities and aren't directly connected to DoE's networks. The attacks in the USA Today report are equivalent to the kind universities, corporations, and other organizations regularly face.

Cyberattack exposes 10 million records at US health insurer Excellus

Hackers have penetrated the IT systems of U.S. health insurer Excellus BlueCross BlueShield and gained access to personal, financial and medical information of more than 10 million people, the company disclosed Thursday. The initial attack occurred in December 2013, but the company did not learn about it until Aug. 5. Since then it has been working with the FBI and cybersecurity firm Mandiant to investigate the breach. The hackers may have had access to customer records which include names, addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, financial accounts and medical claims information.

IDG Contributor Network: ‘Get Smart’ when it comes to using cloud-based services for file sharing

For those of you old enough to remember the TV comedy series "Get Smart" featuring a spy that used his shoe for a phone, the good guys belonged to an agency called "Control," and the bad guys were affiliated with "Chaos." This month "Get Smart" celebrates its 50th anniversary, yet CIOs continue to struggle in a seemingly never-ending battle to restore control in a chaotic, cloudy world in which data security is less than transparent. Much like the BYOD trend, the use of cloud-based services for sharing files is widespread, and it's likely that if you're a CIO, your employees are already using them, whether they are officially sanctioned or not. Dropbox has led the charge to offer cross-platform file syncing for your personal files, and all the major players have followed suit, from Google (Google Drive), to Microsoft (SkyDrive), to Apple (iCloud). There's also Box, Sugarsync, and many others. For consumers, they are perfect, providing easy instant access to photos and documents from any device. That familiarity and accessibility is why they've crept into the enterprise.

Xerox PARC’s new chip will self destruct in 10 seconds

Engineers at Xerox PARC have developed a chip that will self-destruct upon command, providing a potentially revolutionary tool for high-security applications. The chip, developed as part of DARPA’s vanishing programmable resources project, could be used to store data such as encryption keys and, on command, shatter into thousands of pieces so small that reconstruction is impossible. It was demonstrated at DARPA’s Wait, What? event in St. Louis on Thursday. “The applications we are interested in are data security and things like that,” said Gregory Whiting, a senior scientist at PARC in Palo Alto, California. “We really wanted to come up with a system that was very rapid and compatible with commercial electronics.”

Ashley Madison coding blunder made over 11 million passwords easy to crack

Until today, the creators of the hacked AshleyMadison.com infidelity website appeared to have done at least one thing well: protect user passwords with a strong hashing algorithm. That belief, however, was painfully disproved by a group of hobbyist password crackers. The 16-man team, called CynoSure Prime, sifted through the Ashley Madison source code that was posted online by hackers and found a major error in how passwords were handled on the website. They claim that this allowed them to crack over 11 million of the 36 million password hashes stored in the website's database, which has also been leaked. A few weeks ago such a feat seemed impossible because security experts quickly observed from the leaked data that Ashley Madison stored passwords in hashed form -- a common security practice -- using a cryptographic function called bcrypt.

Security experts mostly critical of proposed threat intelligence sharing bill

This fall, the Senate is expected to take another look at the Cybersecurity Information Sharing Act, or CISA, but many security experts and privacy advocates are opposed. Cybersecurity has been in the news a lot this summer, and not just with several new high-profile breaches in government and in the private sector. Last month alone, the Pentagon began requiring defense contractors to report breaches, the White House Office of Management and Budget proposed new cybersecurity rules for contractor supply chains, and a court agreed that the Federal Trade Commission has the authority to enforce cybersecurity standards. And many security experts agree that it's important for companies to share cybersecurity information, in real time, without risk of being publicly embarrassed, fined, or sued.

10 things to do before you lose your laptop

Whether you’re in the office, at home, in school, or at coffee shops and hotels around the world, laptops are everywhere. The portable computer allows you to stay in touch and do productive work regardless of where you may be physically – especially when you factor in the extended battery life and cloud-based computing applications and services. On the other hand, the sheer portability of the laptop also makes it vulnerable to unauthorized access, outright theft or loss. Gartner recently estimated that a laptop is lost every 53 seconds. While nobody plans to lose a laptop, there are some things that you can do to reduce both the risk and the potential legal repercussions should your laptop ever be misplaced or stolen. As with most security measures, the best defense is a good offense. Here are 10 things to do before you lose your laptop.

Presidential longshot at CTIA 2015 promising nothing less than immortality

I hadn’t come to room 3301 of the Sands Expo to see Zoltan Istvan speak. I had come because the official CTIA Super Mobility 2015 conference app had pinged a notification to me that Mike Tyson – a boxer of some repute – was due to participate in a panel discussion and I wanted to startle my editors by landing a quote from Iron Mike. What I found, instead – I have no notion where Tyson was at the appointed time – was Zoltan Istvan, who is running for president. He is polished, polite and friendly. He was also gracious and patient with a reporter who bumbled into his speech by accident and essentially asked, “What the heck is going on here?” For those unfamiliar with his work, Istvan is a columnist for Vice, former reporter for National Geographic and author of a novel called The Transhumanist Wager, which lays out his hyper-futurist philosophy. In essence, he believes that humanity’s goal must be to create technology so advanced that we become immortal – conquering death with the infinitely sharp sword of logic. Through advances in medical science, the gentle melding of humans and machines and various other technological

North Korea is likely behind attacks exploiting a Korean word processing program

North Korea is likely behind cyberattacks that have focused on exploiting a word processing program widely used in South Korea, security firm FireEye said Thursday in a report. The proprietary program, called Hangul Word Processor, is used primarily in the south by the government and public institutions. The vulnerability, CVE-2015-6585, was patched three days ago by its developer Hancom. FireEye's conclusion is interesting because only a handful of attacks have been publicly attributed to the secretive nation, which is known to have well-developed cyber capabilities.

US defense secretary mulls rapid grants for tech companies

The U.S. Department of Defense is considering offering rapid seed funding to private companies as a way to encourage more work on technology projects with the commercial sector, Secretary of Defense Ashton Carter said Wednesday. The push for greater cooperation with tech companies has been a big theme for the DOD in the last year as it faces a growing and unprecedented threat from private and state actors on the Internet and beyond. That was demonstrated late last year when Sony Pictures suffered a devastating hack of its corporate email system that the U.S. government attributed to North Korea. Hackers based overseas have also been blamed for high-profile attacks on the Department of State and the Office of Personnel Management, the latter of which resulted in personal data on millions of government employees being lost.

Video: Virtual networking’s killer use case

A key theme at this year's VMworld conference was the virtualization of the data center, and specifically the network. VMware entered the networking market two years ago when it purchased Nicira for more than $1 billion. Since then VMware has rolled out NSX, its virtual networking product. Officials say there are already 700 NSX deployments, including 65 customers that have $1 million+ NSX deployments. In the video below, check out what VMware’s Chris King says have been some of the driving factors behind virtual networking, and learn how virtual networking is being used as a security tool, and not just network agility software.

Turla cyberespionage group exploits satellite Internet links for anonymity

A cyberespionage group of Russian origin that targets governmental, diplomatic, military, educational and research organizations is hijacking satellite-based Internet connections in order to hide its servers from security researchers and law enforcement agencies. The group is known as Epic Turla, Snake or Uroburos and, even though some of its operations were first uncovered in February 2014, it has been active for at least eight years.

Microsoft patches yet another Hacking Team zero-day exploit

Over two months after Italian surveillance software maker Hacking Team had its internal data leaked by hackers, vendors are apparently still fixing zero-day exploits from the company's arsenal. On Tuesday, Microsoft published 12 security bulletins covering 56 vulnerabilities in the new Edge browser, Internet Explorer, Windows, Office, Skype for Business, .NET Framework and some of its other software products.

California assembly passes digital privacy bill

The California assembly has passed a digital privacy bill that aims to prevent government access without a warrant to private electronic communications, while providing some exceptions for law enforcement in emergencies or for other public safety requirements. California is home to a large number of tech companies that regularly face requests for data on their customers from both state and federal law enforcement agencies. Twitter, for example, reported 273 requests for account information in California from January to June this year. The bill, which would require a judge's approval for access to a person’s private information, including data from personal electronic devices, email, digital documents, text messages and location information, had been passed in June by the state senate and will now return there for concurrence before heading to state Governor Jerry Brown for approval.

Android porn app snaps pic of user, locks it on home screen with $500 ransom demand

Some unlucky individuals thought they had downloaded the Android app Adult Player to watch porn videos, but the app silently takes a photo of users while they use the app and then displays the image on the home screen, along with a ransom note demanding $500. Researchers from Zscaler's ThreatLab first discovered the "new mobile ransomware variant that leverages pornography to lure victims into downloading and installing it." Perhaps the desire for viewing porn is stronger than common sense, as the app asks to be activated as a device administrator. It asks for the right to monitor screen-unlock attempts and to "lock the phone or erase all the phone's data if too many incorrect passwords are typed."