Category Archives for "Network World Security"

BitTorrent patches flaw that could amplify distributed denial-of-service attacks

BitTorrent fixed a vulnerability that would have allowed attackers to hijack BitTorrent applications used by hundreds of millions of users in order to amplify distributed denial-of-service (DDoS) attacks. The vulnerability was located in libuTP, a reference implementation of the Micro Transport Protocol (uTP) that's used by many popular BitTorrent clients including uTorrent, Vuze, Transmission and the BitTorrent mainline client. The flaw was disclosed earlier this month in a paper presented at the 9th USENIX Workshop on Offensive Technologies by four researchers from City University London, Mittelhessen University of Applied Sciences in Friedberg, Germany and cloud networking firm PLUMgrid.

Some routers vulnerable to remote hacking due to hard-coded admin credentials

Several DSL routers from different manufacturers contain a guessable hard-coded password that allows accessing the devices with a hidden administrator account. According to an alert issued Tuesday by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, the affected device models are: ASUS DSL-N12E, DIGICOM DG-5524T, Observa Telecom RTA01N, Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN and ZTE ZXV10 W300. All of the devices have an admin password in the form "XXXXairocon" where XXXX are the last four characters of the device's physical MAC address, CERT/CC said.

More than 80% of healthcare IT leaders say their systems have been compromised

Eighty-one percent of healthcare executives say their organizations have been compromised by at least one malware, botnet or other kind of cyberattack during the past two years, according to a survey by KPMG. The KPMG report also states that only half of those executives feel that they are adequately prepared to prevent future attacks. The attacks place sensitive patient data at risk of exposure, KPMG said. The 2015 KPMG Healthcare Cybersecurity Survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans.

Smart refrigerator hack exposes Gmail login credentials

A team of hackers recently discovered a man-in-the-middle vulnerability in a Samsung smart refrigerator that can be exploited to steal Gmail users' login credentials, The Register reported this week. Hackers from security company Pen Test Partners discovered the flaw while participating in an Internet of Things (IoT) hacking challenge at the Def Con security conference earlier this month. The smart refrigerator, Samsung model RF28HMELBSR, is designed to integrate the user's Gmail Calendar with its display. Samsung implemented SSL to secure the Gmail integration, but the hackers found that the device does not validate SSL certificates, opening the opportunity for hackers to access the network and monitor activity for the user name and password used to link the refrigerator to Gmail.

Tor security concerns prompt largest dark market to suspend operations

Agora, the Tor network's largest black marketplace, has been temporarily shut down because its administrators worry the website is vulnerable to recent methods of exposing Tor Hidden Services. Hidden services are websites that can only be accessed from within the Tor network, which is specifically designed to hide the IP address of both servers and users. The built-in anonymity safeguards have made Tor Hidden Services the preferred method for running online marketplaces that allow buying and selling illegal goods like drugs, guns, stolen credit card details and more. The largest of these so-called dark markets was Silk Road, which was eventually shut down by the FBI in 2013. Many similar websites have appeared since then and some were targeted in subsequent international law enforcement raids, but Agora survived and surpassed even Silk Road in size and popularity.

4 security metrics that matter

As security gains greater visibility in boardrooms and C-suites, security professionals are increasingly asked to provide metrics to track the current state of a company's defenses. But which numbers really matter? More often than not, senior management doesn't know what kind of questions it should be asking -- and may concentrate too much on prevention and too little on mitigation. Metrics like the mean cost to respond to an incident or the number of attacks stopped by the firewall seem reasonable to a nonsecurity person, but they don't really advance an organization's security program. Instead, experts recommend focusing on metrics that influence behavior or change strategy.

When to host your Website’s security

Managing the daily updates and upgrades needed to keep the website secure demands a highly skilled administration team. A third-party website management company provides both managed hosting and security, but the security of the site depends largely upon the provider. Larger enterprises come to website hosting providers because they have regulatory requirements that they can’t meet on their own. Commodity providers, from AWS to Azure and Rackspace, provide infrastructure, but the enterprise monitors the security of the site itself. Self-monitoring with a highly skilled team can be as reliable as entrusting the site to the security team of a web hosting provider, but not every organization has a staff with the expertise and flexibility needed to build a strong security platform program.

Most corporate risk due to just 1% of employees

Just 1 percent of employees are responsible for 75 percent of cloud-related enterprise security risk, and companies can dramatically reduce their exposure at very little additional cost by paying extra attention to these users. According to newly released research by CloudLock, which analyzed the behavior of 10 million users during the second quarter of this year, these users are sending out plain-text passwords, sharing files, accidentally downloading malware, clicking on phishing links, using risky applications, reusing passwords, and engaging in other types of dangerous behaviors. These users include rank-and-file employees as well as super-privileged users, software architects, and non-human accounts used to perform automated tasks.

AT&T Wi-Fi hotspot reportedly stuffs extra ads into Web pages

Stanford University computer scientist Jonathan Mayer was recently Web browsing at a U.S. airport when he noticed there were too many online advertisements. The website for Stanford, for example, displayed a pop-up ad for a 60 percent discount on jewelry. The Federal Communications Commission website appeared to be advertising ladies' boots.

[Screenshot: An example of an ad said to be injected over the FCC's website while on an AT&T free airport Wi-Fi hotspot.]

Dell’Oro Group: Check Point, Fortinet, Palo Alto making gains in security appliances

There’s a continuing shift among the top security appliance vendors that has Cisco remaining at the top of the sales heap but with Check Point Software, Fortinet and Palo Alto Networks making gains and pressuring Juniper Networks, according to new research from Dell’Oro Group. The research - which includes new data from the second quarter of this year as well as projections for next year and historical data going back to 2012 - has Cisco, with 24.9% of the network security appliance market as measured by manufacturer’s revenue, solidly in first place during the latest quarter. It is followed by Check Point (9.3%), Fortinet (8%), Palo Alto (5.2%) and Juniper (4.8%) to round out the top five.

DARPA: Current DDoS protection isn’t cutting it

Researchers with the Defense Advanced Research Projects Agency (DARPA) will next month detail a new program they hope will ratchet up the way the military, public and private enterprise protect their networks from distributed denial-of-service (DDoS) attacks. The need for such new defenses is obvious: The number of DDoS attacks in the first quarter of 2015 more than doubled the number of attacks in Q1 of 2014, and attack sites are growing more dangerous and more capable of launching attacks in excess of 100 Gbps, according to a recent Akamai Technologies State of the Internet Security report.

US agency tells electric utilities to shore up authentication

U.S. electric utilities should pay close attention to their authentication systems and access controls to reduce data breaches, a government agency says in a new cybersecurity guide. About 5 percent of all cybersecurity incidents that the U.S. Department of Homeland Security's industrial control cyber team responded to in 2014 were tied to weak authentication, said the U.S. National Institute of Standards and Technology (NIST). Another four percent of industrial control incidents were related to abuses of access authority, the agency said. The new cybersecurity guide, released in draft form by NIST's National Cybersecurity Center of Excellence (NCCoE) Tuesday, focuses on helping energy companies reduce their cybersecurity risks by showing them how they can control access to facilities and devices from a single console.

Researchers create P2P Alibi Routing to avoid censorship and government surveillance

A team of University of Maryland Institute for Advanced Computer Studies (UMIACS) researchers developed "provable avoidance routing" that they call Alibi Routing; it's an overlay routing protocol that provides Internet users with a method to avoid sending their data through countries known for their censorship. Users specify where they want their packets NOT to go and Alibi Routing can provide "concrete proof" that users' data did not pass through "undesired geographic regions." The researchers unveiled Alibi Routing at the 2015 Association for Computing Machinery Special Interest Group on Data Communication (ACM SIGCOMM) conference. The research paper (pdf) "introduces a primitive, provable avoidance routing that, when given a destination and region to avoid, provides 'proof' after the fact that a packet and its response did not traverse the forbidden region. We rely on the insight that a packet could provide an 'alibi'—a place and time where it was—to prove that it must have avoided the forbidden region in transit from source to destination."

Wyndham vs. FTC: Corporate security pros need to lawyer up about data breach protection, experts say

Corporate security executives need to meet with their legal teams to find out whether the way they protect customer data will keep them out of trouble with the Federal Trade Commission should that information be compromised in a data breach. Based on a U.S. Circuit Court of Appeals decision yesterday, the best course of action is to learn what kinds of actions the FTC has taken in the past – and why – against companies whose defenses are cracked and whose customer data is stolen.

Certifi-gate flaw in Android remote support tool exploited by screen recording app

An application available in the Google Play store until yesterday took advantage for months of a flaw in the TeamViewer remote support tool for Android in order to enable screen recording on older devices. The app's developer discovered the vulnerability independently from security researchers from Check Point Software Technologies who presented it earlier this month at the Black Hat security conference along with similar flaws in other mobile remote support tools. The Check Point researchers dubbed the issues Certifi-gate because they stem from failures to properly validate the digital certificates of remote support apps that are supposed to communicate with privileged plug-ins installed in the system.

Five signs an employee plans to leave with your company’s data

A global high-tech manufacturer had reached its boiling point after several of its sales reps left the company unexpectedly and took with them sales leads and other data to their new employers. The company needed to stop the thefts before they happened. So the company hired several security analysts who manually looked at the behavior patterns for all sales reps working on its cloud-based CRM system, and then matched them with the behaviors of those who ultimately quit their jobs. What they were able to correlate was startling. Sales reps that had shown a spike in abnormal system activity between weeks nine and 12 of a financial quarter generally quit at the end of week 13 – in many cases because they knew they weren’t going to meet their sales quotas, says Rohit Gupta, president of cloud security automation firm Palerra, which now works with the manufacturer.

Vint Cerf: ‘Sometimes I’m terrified’ by the IoT

Vint Cerf is known as a "father of the Internet," and like any good parent, he worries about his offspring -- most recently, the IoT. "Sometimes I'm terrified by it," he said in a news briefing Monday at the Heidelberg Laureate Forum in Germany. "It's a combination of appliances and software, and I'm always nervous about software -- software has bugs." The Internet of Things will offer the ability to manage many of the appliances we depend on, acknowledged Cerf, who won the Turing Award in 2004. With its ability to continuously monitor such devices, it also promises new insight into our use of resources, he said. Devices such as Google's Nest thermostat, for instance, can "help me decide how well or poorly I've chosen my lifestyle to minimize cost and my use of resources -- it can be an important tool," he said.

Ashley Madison hauled to court in class action suits over data breach

Legal pressure on Ashley Madison and its parent company is picking up with more class-action lawsuits filed this week in the U.S. against the extramarital hookup site, alleging its negligence in protecting confidential user data. Suits filed in federal courts in California and Texas by people using John Doe as a pseudonym claim damages, alleging that Avid Life Media, the parent company based in Toronto, did not have adequate and reasonable measures to secure the data of users from being compromised, and failed to notify users in time of the breach. Avid Life Media said it had been made aware of an attack on its systems. The hacker group Impact Team released data last week that it claimed it had obtained from the website.

Startup takes heat over online tool that checks Ashley Madison data

A small Washington, D.C.-based startup accused of crude marketing centered around the Ashley Madison data breach said Monday it is changing its tactics amid criticism. Trustify, a 10-person company that launched in March, runs a web-based service for connecting people with private investigators for $67 an hour. Last week, it created an online tool that lets people check if their email address was in the large dump of stolen user information from the extramarital hookup site. The tool was one of many that were created after hackers released information on more than 30 million registered users of the website, one of the largest and most sensitive data breaches on record.