Patch Tuesday, contrary to expectations earlier this year, survived after Microsoft yesterday delivered security updates not only for the legacy editions of Windows, but also for the new Windows 10. For now, Patch Tuesday -- Microsoft prefers "Update Tuesday" for some reason -- lives. In a large release yesterday, Microsoft issued 14 security updates for Windows PCs, distributed individually to older OSes like Windows 7 and 8.1, and as a six-bulletin bundle for Windows 10. To read this article in full or to leave a comment, please click here
The Swedish Prosecution Authority has dropped the investigation of WikiLeaks front-man Julian Assange for sexual molestation and two unlawful coercion allegations, but it still has a rape allegation to investigate. The charges were dropped because the statute of limitations will run out in the next week, Marianne Ny, director of public prosecution, said in a statement. Assange can be prosecuted for the rape allegation until August 2020.
Security teams are overwhelmed with a massive amount of threat data. While a decade ago no one was talking about threat intelligence except government agencies, organizations are now bombarded with threat data, leaving them challenged to identify what is relevant. Aggregating that data requires a shift in mindset and a maturing of threat intelligence in order to better mitigate risks. Experts say that collecting data for the purpose of having data does no good and can actually detract from a security intelligence program by using up time and manpower to analyze data that is most often noise rather than a real indicator of threat.
If the long-term goal of enterprises is to have mature threat intelligence programs, they need to conduct an internal risk assessment and design a plan of action.
Security updates are being distributed for a telematics control unit (TCU) that security researchers showed could be manipulated to remotely apply the brakes of a Corvette, according to the device’s French manufacturer. The device is a small dongle that plugs into the On-Board Diagnostics II (OBD-II) port on a vehicle, usually located under the driver’s side dashboard. TCUs with cellular connections are increasingly being used in vehicles by insurance companies to monitor drivers or for fleet management. At the USENIX security conference this week in Washington, D.C., academics from the University of California demonstrated how a C4E family dongle from Paris-based Mobile Devices Ingenierie could be remotely accessed.
Three high risk vulnerabilities in SAP Mobile could give attackers access to encrypted information stored in mobile devices, security firm Onapsis reported Wednesday. All three vulnerabilities were recently fixed by SAP, but systems are only safe if the patches are applied. “SAP runs so many of the world’s largest enterprises that any vulnerability must be taken very seriously,” said Nicholas Taylor, CEO of Netlogx, another security provider. One of the flaws enables keystream recovery and could allow an attacker with access to a vulnerable device to decrypt credentials and other sensitive information stored within, Onapsis said. The attacker could then potentially connect to other business systems to access additional data.
It’s possible for companies to design their encryption systems to allow law enforcement agencies to access customer data with court-ordered warrants while still offering solid security, U.S. Department of Justice officials said. When DOJ and FBI officials raised recent concerns over end-to-end encryption on Android and iOS mobile phones, some security experts suggested it was difficult or unsafe to build in provider access to encrypted consumer data. But many companies already offer encryption while retaining some access to user information, two senior DOJ officials said Wednesday.
Two-factor authentication is often held up as a best practice for security in the online world, but Dropbox on Wednesday announced a new feature that’s designed to make it even tougher. Whereas two-step verification most commonly involves the user’s phone for the second authentication method, Dropbox’s new U2F support adds a new means of authenticating the user via Universal 2nd Factor (U2F) security keys instead. What that means is that users can now use a USB key as an additional means to prove who they are. “This is a very good advancement and adds extra security over mobile notifications for two-factor authentication,” said Rich Mogull, CEO with Securosis.
Security researchers and hackers gathered in Las Vegas over the past week to show off and learn about the latest vulnerabilities that affect devices and software that the world relies on every day. Black Hat and DEF CON, the world’s top security conferences, did not disappoint. Hackers can mess with the music in your car, and then cause you to crash. The highlight of this year’s Black Hat conference was a remote hack of the Jeep Cherokee and other Fiat Chrysler vehicles demonstrated by security researchers Charlie Miller and Chris Valasek.
The U.S. Securities and Exchange Commission has charged 32 defendants with fraud in an international scheme that used stolen, yet-to-be-published press releases from hacked websites to conduct stock trades. The SEC’s charges are on top of wire fraud conspiracy and other charges announced by the U.S. Department of Justice on Tuesday. The nine DOJ defendants also face SEC charges. The other SEC defendants are eight people and 15 companies. Indictments unsealed Tuesday in the district courts for New Jersey and Eastern New York accused the DOJ defendants of stealing approximately 150,000 confidential press releases from the servers of Marketwired, PR Newswire Association and Business Wire.
As if recent research on car hacking wasn’t frightening enough, a new study shows yet another danger to increasingly networked vehicles. This time around, academics with the University of California analyzed small, third-party devices that are sometimes plugged into a car’s dashboard, known as telematic control units (TCUs). Insurance companies issue the devices to monitor driving metrics in order to meter policies. Other uses include fleet management, automatic crash reporting and tracking stolen vehicles. In order to collect vehicle data, TCUs have access to the electronic brain of an automobile, the CAN (Controller Area Network) bus, which transmits and receives messages from many vehicle systems. The TCUs also have SIM cards, which give them cellular network connectivity in order to send information.
The developing world is increasingly using mobile banking apps to move money, but new research shows those apps are often poorly coded and pose security risks. Researchers with the University of Florida looked at dozens of apps used for mobile money systems but extensively analyzed seven that have millions of users in Brazil, India, Indonesia, Thailand, and the Philippines. The problems they found represent a large attack surface, including SSL/TLS issues, botched cryptography, information leakage and opportunities to manipulate transactions and modify financial records. The impact of the problems is unknown, but “it is possible that these apps are already being exploited in the wild, leaving consumers with no recourse to dispute financial transactions,” according to their research paper, to be presented on Wednesday at the 24th USENIX Security Symposium in Washington, D.C.
Well, well, Patch Tuesday is not yet dead as Microsoft released 14 security bulletins, four of which are rated critical for remote code execution vulnerabilities; the August 2015 security updates are aimed at Windows, Microsoft Office, Internet Explorer, Edge, Microsoft Lync, Microsoft Silverlight and .Net Framework. One of the patches rated critical (MS15-081) and one rated important (MS15-085) are fixes for exploits detected in the wild.
Released almost two weeks ago, the new Windows 10 operating system already has its first set of security patches. For August, Microsoft’s monthly round of security patches contains five bulletins that cover Windows 10, as well as a bulletin that covers the new Edge browser that runs on Windows 10. Overall, Microsoft released 14 security bulletins for this month’s Patch Tuesday—which occurs on the second Tuesday of each month. Three of the bulletins were marked as critical, meaning that they should be patched as quickly as possible. A bulletin typically contains a set of patches for a single set of software products, such as all the supported versions of Windows.
The notion of vacuum electronics may sound ancient in high-tech terms, but a new program from the scientists at the Defense Advanced Research Projects Agency aims to transform the widely-used equipment into the next century. According to DARPA, vacuum electron devices (VEDs) are critical components for defense and civilian systems that require high power, wide bandwidth, and high efficiency, and there are over 200,000 VEDs currently in service.
Nine people face criminal charges in the U.S. for allegedly hacking three press release distributors and stealing yet-to-be-published announcements in a stock trading scheme that authorities say generated about US$30 million in illegal profits. Indictments unsealed Tuesday in the district courts for New Jersey and Eastern New York accused the defendants of stealing approximately 150,000 confidential press releases from the servers of Marketwired, PR Newswire Association and Business Wire. The defendants allegedly used the information from more than 800 stolen press releases to conduct stock trades, according to the U.S. Department of Justice.
WASHINGTON—You’re probably one of the 91 percent of American adults who think they’ve lost control over how their personal information is collected and used by companies (according to a Pew Research study in early 2015). But big data collection brings benefits that outweigh the potential downsides, contended Ben Wittes, a senior fellow at the Brookings Institution, in a recent panel discussion held by the Software and Information Industry Association at the U.S. Capitol Visitor Center. Consumer concern about online privacy is at an all-time high due to e-commerce and mobile devices, which both collect wide swathes of consumer data, the Pew Research study says.
If you have an Internet of Things device, then it’s highly likely that you are using ZigBee whether you know it or not. There are other possibilities, including that your IoT devices use the Z-Wave protocol, which was beat up a couple ago by security researchers who used it to attack automated homes. ZigBee is a wireless standard used for connectivity to control IoT devices. It’s used in “tens of millions of smart meters” and there are 1,088 items listed as ZigBee Certified products. It depends on who you listen to, I suppose, as to whether you believe ZigBee is great or whether ZigBee is a great threat to the Internet of Things due to critical wireless security flaws that can be exploited to compromise smart lights, door locks, motion sensors, smart switches, temperature sensors, HVAC systems and other “smart” home devices.
Oracle published, then quickly deleted, a blog post criticizing third-party security consultants and the enterprise customers who use them. Authored by Oracle chief security officer Mary Ann Davidson, the post sharply admonished enterprise customers for reverse engineering, or hiring consultants to reverse engineer, the company’s proprietary software, with the aim of finding as yet unfixed security vulnerabilities. The missive, entitled “No, You Really Can’t,” was issued Monday on Davidson’s corporate blog, then pulled a few hours later. The Internet Archive captured a copy of the post.
If you’re worried about Big Brother monitoring you from security cameras, Japan has developed eyewear that can keep you anonymous. The Privacy Visor consists of a lightweight, wraparound, semitransparent plastic sheet fitted over eyewear frames. It’s bulky and not exactly stylish, but it could have customized designs. It’s meant to thwart face-recognition camera systems through a very simple trick. It reflects overhead light into the camera lens, causing the area around the eyes to appear much brighter than it normally does. That’s enough to trick standard face-recognition systems, such as the Viola-Jones object detection framework, according to the National Institute of Informatics (NII), which has been developing the visor for years.
Retailer Fred’s said Monday it found malware that collected payment card details on two of its servers, but it doesn’t appear the data was removed from its systems. The malware had been on the servers since March 23, operating through April 8 on one and through April 24 on the other, the company said in a statement. It has since been removed. The malware was designed to collect so-called track 2 data contained on the magnetic stripe of payment cards, which Fred’s said contained the card number, expiration date and verification code. No other customer information is at risk. “During this time period, track 2 data was at risk of disclosure; however, the third-party cyber-security firm did not find evidence that track 2 data was removed from the company’s system,” the retailer said. Law enforcement is also investigating.