Category Archives for "Network World Security"

Drive a dumb car but buy Tesla stocks?

It would be a heck of a time to be shopping for a new set of wheels. The theme of digitally beating up cars was continued by two teams of security researchers at the 24th USENIX Security Symposium. After two years of having their research suppressed by Volkswagen and a UK court, Flavio Garcia, Roel Verdult and Baris Ege were finally able to present their research (pdf) at USENIX. The research paper details “how the cryptography and authentication protocol used in the Megamos Crypto transponder can be targeted by malicious hackers looking to steal luxury vehicles.”

BitTorrent programs can be abused to amplify distributed denial-of-service attacks

BitTorrent applications used by hundreds of millions of users around the world could be tricked into participating in distributed denial-of-service (DDoS) attacks, amplifying the malicious traffic generated by attackers by up to 50 times. DDoS reflection is a technique that uses IP (Internet Protocol) address spoofing to trick a service into sending responses to a third-party computer instead of the original sender. It can be used to hide the source of malicious traffic. The technique can typically be used against services that communicate over the User Datagram Protocol (UDP), because unlike the Transmission Control Protocol (TCP), UDP does not perform handshakes and therefore does not validate source IP addresses. This means an attacker can send a UDP packet with a forged header that specifies someone else’s IP address as the source, causing the service to send the response to that address.

Send attackers on a wild goose chase with deception technologies

Midsized companies with revenues from $100 million to $1 billion spent an average of $3 million on information security as of 2014, per “The Global State of Information Security Survey 2015” from PwC. “I promise you, bad guys are not spending $3 million to break into your organization,” says Allen Harper, chief hacker, Tangible Security. Still, information burglars are getting through. And since 92 percent of IT and security professionals surveyed globally use signature-based antivirus software on their servers, despite AV’s inability to stop advanced threats and targeted attacks, according to Bit9’s 2013 Server Security Survey, exploits such as zero-days, which have no signatures, give attackers the upper hand.

DOJ calls for encryption balance that includes law enforcement needs

It’s possible for companies to design their encryption systems to allow law enforcement agencies to access customer data with court-ordered warrants while still offering solid security, U.S. Department of Justice officials said. When DOJ and FBI officials raised recent concerns over end-to-end encryption on Android and iOS mobile phones, some security experts suggested it was difficult or unsafe to build in provider access to encrypted consumer data. But many companies already offer encryption while retaining some access to user information, two senior DOJ officials said Wednesday.

10 security technologies destined for the dustbin

Perhaps nothing, not even the weather, changes as fast as computer technology. With that brisk pace of progress comes a grave responsibility: securing it. Every wave of new tech, no matter how small or esoteric, brings with it new threats. The security community slaves to keep up and, all things considered, does a pretty good job against hackers, who shift technologies and methodologies rapidly, leaving last year’s well-recognized attacks to the dustbin. Have you had to enable the write-protect notch on your floppy disk lately to prevent boot viruses or malicious overwriting? Have you had to turn off your modem to prevent hackers from dialing it at night? Have you had to unload your ansi.sys driver to prevent malicious text files from remapping your keyboard to make your next keystroke reformat your hard drive? Did you review your autoexec.bat and config.sys files to make sure no malicious entries were inserted to autostart malware?

New products of the week 08.17.2015

Our roundup of intriguing new products.

Absolute Data and Device Security adds Microsoft SCCM and SIEM integration

Key features: Absolute has introduced new security functionality that extends IT oversight to include Microsoft SCCM and SIEM integration.

Italian teen finds two zero-day vulnerabilities in OS X

An Italian teenager has found two zero-day vulnerabilities in Apple’s OS X operating system that could be used to gain remote access to a computer. The finding comes after Apple last week patched a local privilege escalation vulnerability that was used by some miscreants to load questionable programs onto computers. Luca Todesco, 18, posted details of the exploit he developed on GitHub. The exploit uses two bugs to cause a memory corruption in OS X’s kernel, he wrote via email.

AT&T a closer partner of NSA than previously known, Snowden docs show

A fresh analysis of documents disclosed by former U.S. intelligence contractor Edward Snowden shows that AT&T has been a much closer and more eager partner for the National Security Agency’s Internet spying activities than was previously known. AT&T has been by far the most critical telecom player in the NSA’s surveillance efforts, and its willing participation in mass spying on both foreign and U.S. citizens has apparently been crucial in helping the U.S. agency take advantage of bulk record collection laws, according to a joint report in ProPublica and the New York Times.

Mozilla tests a true stealth mode for Firefox

Mozilla wants to make private browsing truly private. The company is testing enhancements to private browsing in Firefox designed to block website elements that could be used by third parties to track browsing behavior across sites. Most major browsers, Firefox included, have a “Do Not Track” option, though many companies do not honor it. Mozilla’s experimental tool is designed to block outside parties like ad networks or analytics companies from tracking users through cookies and browser fingerprinting.

FAA: Pilots report record number of unmanned aircraft encounters

The Federal Aviation Administration this week said that drone sightings reported by airline pilots and others have increased dramatically this year, to a record number: from a total of 238 sightings in all of 2014 to more than 650 by August 9. The FAA said pilots of a variety of different types of aircraft – including many large, commercial air carriers – reported spotting 16 unmanned aircraft in June of 2014, and 36 the following month. This year, 138 pilots reported seeing drones at altitudes of up to 10,000 feet during the month of June, and another 137 in July.

The six pillars of Next Generation Endpoint Protection

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach. Advancements in attack evasion techniques are making new threats extremely difficult to detect. The recent Duqu 2.0 malware, which was used to hack the Iranian nuclear pact discussions, Kaspersky Lab, and an ICS/SCADA hardware vendor, is a prime example. To keep up, a new security model that uses a different approach to the traditional “evidence of compromise” process is needed.

Kaspersky denies faking anti-virus info to thwart rivals

Responding to allegations from anonymous ex-employees, security firm Kaspersky Lab has denied planting misleading information in its public virus reports as a way to foil competitors. “Kaspersky Lab has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing,” reads an email statement from the company. “Accusations by anonymous, disgruntled ex-employees that Kaspersky Lab, or its CEO, was involved in these incidents are meritless and simply false.”

Zero-day flaw in Google Admin app allows malicious apps to read its files

An unpatched vulnerability in the Google Admin application for Android can allow rogue applications to steal credentials that could be used to access Google for Work accounts. One of the main aspects of the Android security model is that apps run in their own sandboxes and cannot read each other’s sensitive data through the file system. There are APIs for applications to interact with each other and exchange data, but this requires mutual agreement. But researchers from security consultancy firm MWR InfoSecurity in the U.K. discovered a flaw in the Google Admin app that could be exploited by potentially malicious applications to break into the app’s sandbox and read its files.

Google has another try at patching Stagefright flaw

Google has released another patch for the Stagefright vulnerability after a security firm said the first one didn’t fix it. Hundreds of millions of Android devices are vulnerable to Stagefright. A device can be compromised merely through the receipt of a specially crafted multimedia message (MMS), so an attacker needs only the victim’s phone number. The flaw was found by Joshua Drake at mobile security firm Zimperium, which submitted a set of patches along with its bug report. Google released its first patch for Stagefright last week.

US Navy drone can fly, land on the water and swim

The US Naval Research Lab is developing an unmanned aircraft that can fly, land in the water and swim like a fish. The Navy calls its flying/swimmer FLIMMER and says it is a combination airplane/submarine that at first flies to a location, then lands on the water and submerges. After that it can swim like a fish.

Facebook axes a future intern for exposing a privacy flaw

After being accepted for an internship at Facebook, Harvard University student Aran Khanna continued to embrace the same entrepreneurial spirit that helped launch the site on the very same campus over a decade ago. Ironically, his efforts cost him his chance at working at the company. Khanna discovered a privacy flaw in the default settings of Facebook's Messenger app for Android that automatically shared users' detailed location data. To draw attention to the flaw, Khanna launched an Android app called Marauder's Map that mapped Facebook users' locations based on their activity on Messenger in May, according to Boston.com. The app showed that the location sharing was accurate to within a three-foot distance and shared users' location data even with Facebook users they were not Friends with.

Cisco warns customers about attacks installing rogue firmware on networking gear

Installing rogue firmware on embedded devices has long been a concern for security researchers, and it seems that such attacks have started to gain ground with hackers. In an advisory Tuesday, Cisco Systems warned customers that it is aware of a limited number of cases where attackers have replaced the boot firmware on devices running its IOS operating system. IOS runs on most Cisco routers and switches and provides a complex set of networking tools and features.