Uber snapped up car hackers Charlie Miller and Chris Valasek. Miller, who had worked on Twitter's security team, and Valasek, who had been working as Director of Vehicle Security Research at IOActive, will now join "dozens of autonomous vehicle experts hired from Carnegie Mellon University" working at Uber's Advanced Technologies Center.To read this article in full or to leave a comment, please click here
The FBI this week said an e-mail scam that tricks businesses into paying invoices from what looks like established partners is growing exponentially.The FBI last year even gave the scam its own name -- business e-mail compromise (BEC) – which is a variant of the timeworn “man-in-the-middle” scam and usually involves chief technology officers, chief financial officers, or comptrollers, receiving an e-mail via their business accounts purportedly from a vendor requesting a wire transfer to a designated bank account, the FBI said.To read this article in full or to leave a comment, please click here
The real cause of the talent shortage in the information security field isn't a lack of new people entering the profession, but retention and churn at the highest levels, according to a new report by IDC.
"It's a fairly common theme to suggest that we have better training in colleges, certificate courses, and all that sort of thing for entry-level folks," said IDC analyst and report author Pete Lindstrom.
But in fact, at the entry level, expectations are basic and companies are willing to be flexible, are open to diverse backgrounds, and can train new hires.
Jobs that require less than five years of experience are filled within just three months 85 percent of the time, and 99 percent are filled within six months, according to the IDC survey of senior infosec executives.To read this article in full or to leave a comment, please click here
According to '70s hippie comics Cheech & Chong, “Everybody shares stuff, man.”Maybe if it’s weed. But, apparently not if it’s cyber threat information.Supposedly, creation of a federal framework for that kind of sharing among industries and government has been a priority for years for all parties involved – President Obama Congress and private sector enterprises that are under constant, ever-more-sophisticated attacks.But after years of proposals, there are still no results. And if privacy and civil liberties advocates prevail in the current dustup, there won’t be any results this year either.The latest effort – several bills on both the House and Senate side – have had varied success. Two House bills – the Protecting Cyber Networks Act, or PCNA (H.R. 1560) and the National Cybersecurity Protection Advancement Act of 2015, or NCPAA (H.R. 1731) – easily passed and were combined into one labeled H.R. 1560.To read this article in full or to leave a comment, please click here
If you're a Linux user, especially a systems administrator, the Linux Foundation has some security tips to share with you, and they're quite good.
Konstantin Ryabitsev, the Foundation's director of collaborative IT services, published the security checklist that the organization uses to harden the laptops of its remote sysadmins against attacks.
The recommendations aim to balance security decisions with usability and are accompanied by explanations of why they were considered. They also have different severity levels: critical, moderate, low and paranoid.To read this article in full or to leave a comment, please click here
Amazon will stop accepting Flash ads on its advertising network on Tuesday, and it will help make the entire Web more secure, security experts say.
According to Amazon, the move was prompted by a recent update from Google Chrome that limited how Flash was displayed on Web pages. Mozilla Firefox and Apple Safari already had similar limitations in place.
"his change ensures customers continue to have a positive, consistent experience on Amazon, and that ads displayed across the site function properly for optimal performance," the company said in its announcement.
Bad, bad FlashTo read this article in full or to leave a comment, please click here
Qualcomm is promising to improve security and privacy on high-end smartphones with Snapdragon Smart Protect, which uses on-device machine learning to help detect zero-day malware.The popularity of smartphones has started to catch the imagination of hackers, resulting in the need for better protection. Qualcomm’s latest contribution is Snapdragon Smart Protect, which the company announced on Monday.Smart Protect looks at what’s going on in the smartphone and warns about what it thinks are abnormal behaviors to protect users. At its most basic, that could be an application that takes a photo even though the display is off or an application sending an SMS without any user interaction. To read this article in full or to leave a comment, please click here
The small, camera-equipped drone hovers unobtrusively outside your office window, quietly photographing the confidential documents on your desk and on your computer screen. A dumpster diver retrieves your shredded printouts, scans them into a computer and uses jigsaw-puzzle-solving software to reform the shreds into legible documents.
An innocent-looking but virus-infected computer uses nothing more than heat signatures to glean data from your air-gapped (non-networked), “off-the-grid” machines that you thought were perfectly safe from prying eyes. And an industrial spy has tapped into your network links to make copies of private documents as they flow around your company.To read this article in full or to leave a comment, please click here(Insider Story)
Credentials for more than 225,000 Apple accounts have been stolen by sophisticated malware that targets modified iOS devices, according to Palo Alto Networks.The malware, which is nicknamed KeyRaider, enables attackers to download applications from Apple's App Store without paying or to lock devices in lieu of a ransom.“We believe this to be the largest known Apple account theft caused by malware,” wrote Claud Xiao of Palo Alto Networks in a blog post.Palo Alto Networks notified Apple of KeyRaider on Aug. 26 and provided the stolen account information, Xiao wrote. Apple officials in Sydney couldn't be immediately reached on Monday.To read this article in full or to leave a comment, please click here
Russian-speaking hackers have breached 97 websites, mostly dating-related, and stolen login credentials, putting hundreds of thousands of users at risk.Many of the websites are niche dating ones similar to Ashley Madison, according to a list compiled by Hold Security, a Wisconsin-based company that specializes in analyzing data breaches. A few are job-related sites.Batches of stolen information were found on a server by the company’s analysts, said Alex Holden, Hold Security’s founder and CTO. The server, for some reason, was not password protected, allowing analysis of its contents, he said.None of the dating sites are nearly as prominent as Ashley Madison, which saw sensitive company information, emails, internal documents and details of 30 million registered users released in a devastating data breach. Holden said this Russian-speaking group is not related to Impact Team, which claimed credit for the intrusion into Ashley Madison.To read this article in full or to leave a comment, please click here
The National Crime Agency (NCA), which is like a British version of the FBI, arrested six UK teenagers for allegedly using a DDoS-for-hire service to attack corporate websites. During Operation Vivarium, warrants were executed for six male teenagers – ages 15, 16, 17 and three 18-year-olds – accused of using the hacking group Lizard Squad’s Lizard Stresser tool which is capable of knocking websites offline for up to eight hours at a time.Lizard Squad took down Microsoft Xbox and Sony PlayStation networks on Christmas day; shortly thereafter, Lizard Squad released its Lizard Stresser service. According to Krebs on Security, the Lizard Stresser service “draws on Internet bandwidth from hacked home Internet routers around the globe that are protected by little more than factory-default usernames and passwords.”To read this article in full or to leave a comment, please click here
IT administrators may get more information than originally planned about Windows 10 patches, as Microsoft ponders how much to tell business customers about modifications to the new OS."We've heard that feedback from enterprise customers so we're actively working on how we provide them with information about what's changing and what new capabilities and new value they're getting," Jim Alkove, a vice president in the Windows group, said during a press briefing. It's a change in tone for the company, which previously said that it wouldn't provide detailed information about most Windows 10 patches. That original plan was bad news for IT managers and users who want to know what an update does before they install it. This is more of an issue now that Microsoft is supposed to release more frequent updates over the lifetime of Windows 10, as part of its "Windows as a service" plans, than it did for previous editions of Windows.To read this article in full or to leave a comment, please click here
A U.S. agency hopes to gather security researchers, software vendors and other interested people to reach consensus on the sticky topic of how to disclose cybersecurity vulnerabilities.Beginning in September, the U.S. National Telecommunications and Information Administration (NTIA) will host a series of meetings intended to improve collaboration among security researchers, software vendors and IT system operators on the disclosure of, and response to, vulnerabilities.The first NTIA-hosted meeting will be Sept. 29 at the University of California, Berkeley, School of Law. Registration is open to all who want to participate, and the meeting will also be webcast, NTIA said.To read this article in full or to leave a comment, please click here
With Internet of Things penetration set for a trillion devices by 2025, according to recent McKinsey numbers, our thoughts are, or should be, turning to security.One question that could be posed is: Just how could a future IoT attack play out? What route could it take?A security company reckons it has an answer.'Terror in the kitchen'
One World Labs, a security outfit that specializes in penetration testing, forensics, and security code review, presented a session at San Francisco's RSA Conference in April, where it attempted to address the question.To read this article in full or to leave a comment, please click here
A major corporation is misusing grsecurity’s trademarks and tarnishing its brand – and as a consequence, the leader of the project said Wednesday, grsecurity will stop making its stable patches available to the general public.In an official announcement, grsecurity project leader Brad Spengler said that it was unfair to the project’s sponsors to allow the companies in the embedded Linux industry – which he declined to name, citing legal advice – to dilute grsecurity’s trademarks.+ALSO ON NETWORK WORLD: Massachusetts boarding school sued over Wi-Fi sickness + Access points with 802.11ac are taking over enterprise WLANsTo read this article in full or to leave a comment, please click here
FTC
The Federal Trade Commission will in January hold a wide-ranging conference on security and privacy issues lead by all manner of whitehat security researchers and academics, industry representatives, consumer advocates.The FTC’s PrivacyCon will include brief privacy and security research presentations, along with expert panel discussions on the latest privacy and security challenges facing consumers. Whitehat researchers and academics will discuss the latest security vulnerabilities, explain how they can be exploited to harm consumers, and highlight research affecting consumer privacy and data security. During panel discussions, participants will discuss the research presentations and the latest policy initiatives to address consumer privacy and security, develop suggestions for further collaboration between researchers and policymakers, and highlight steps that companies and consumers can and should take to protect themselves and their data, the FTC stated.To read this article in full or to leave a comment, please click here
Following the FCC’s warning in January that it would no longer tolerate the Marriotts of the world blocking visitors’ WiFi hotspots, I set a reminder on my calendar to revisit the topic six months later. After all, the issue of WiFi blocking sparked strong reactions from IT pros, end users and vendors of wireless LAN products early in the year, and I figured it wasn’t over yet. So I started by making an inquiry directly to Marriott Global CIO Bruce Hoffmeister, who foisted me on to a company spokesman, who “respectfully declined” to connect me with anyone for an update on how Marriott is now dealing with perceived threats to its network. He simply directed me back to Marriott’s statement from January that it would behave itself, no doubt hoping the hotel chain could further distance itself from the $600K fine that the FCC hit it with, as well as the rest of the bad publicity. I also inquired at the FCC, which in Marriott-like fashion, referred me back to the agency’s last statement on the matter from January, and in a follow up, said it can’t comment on whether any new investigations are underway. Continue reading
Security researchers from Symantec have identified 49 more modules of the sophisticated Regin cyberespionage platform that many believe is used by the U.S. National Security Agency and its close allies.This brings the total number of modules known so far to 75, each of them responsible for implementing specific functionality and giving attackers a lot of flexibility in how they exploit individual targets.Regin came to light in November last year, but it has been in use since at least 2008 and antivirus companies have known about it since 2013.To read this article in full or to leave a comment, please click here
Google will stop some Flash content from automatically playing starting Sept. 1, a move it decided on earlier this year to improve browser performance.Flash, made by Adobe Systems, is still widely used for multimedia content, but security and performance issues have prompted calls to move away from it.In June, Google said it planned to pause Flash content that wasn’t central to a Web page but allow other content such as videos to autoplay. Flash, it said, can drain a user’s laptop battery faster.There are also security implications that Google didn’t mention. Vulnerabilities in Flash are one of the most common ways that malware ends up on computers.To read this article in full or to leave a comment, please click here
The development of an automated system that can help take care of flying an aircraft -- even perhaps helping pilots overcome in-flight system failures got another big boost this week when the Defense Advanced Research Projects Agency (DARPA) awarded Aurora Flight Sciences $15.3 million to move development of the software into a second phase.DARPA says the Aircrew Labor In-Cockpit Automation System or ALIAS program, which was announced in 2014 envisions a tailorable, drop-in, removable software kit that allows the addition of high levels of automation into existing aircraft. “Specifically, ALIAS intends to control sufficient features to enable management of all flight activities, including failure of aircraft systems, and permit an operator to act as a monitor with the ability to intervene, allowing the operator to focus on higher level mission objectives,” DARPA stated.To read this article in full or to leave a comment, please click here