Republican presidential candidate and former tech executive Carly Fiorina has called on Apple and Google to provide greater access to information about their users to the FBI and law enforcement in order to aid investigations. Speaking Thursday in a televised debate in Cleveland organized by Fox News Channel, the former CEO of Hewlett-Packard said restrictions that prevent private companies and law enforcement from working together need to be changed. “I certainly support that we need to tear down cyber walls, not on a mass basis but on a targeted basis,” she said in response to a question from a moderator. “I do not believe that we need to wholesale destroy every American citizen’s privacy in order to go after those that we know are suspect or already a problem, but yes, there is more collaboration required between private sector companies and the public sector and specifically we know that we could have detected and repelled some of these cyber attacks if that collaboration had been permitted,” she said. To read this article in full or to leave a comment, please click here
Tesla has issued a security update to its Model S car after security researchers discovered six flaws that allowed them to control its entertainment software and hijack the vehicle. With access to the entertainment software, Kevin Mahaffey, CTO of security startup Lookout, and Marc Rogers, a security researcher at CloudFlare, turned off the engine while a person was driving, changed the speed and map information displayed on the touchscreen, opened and closed the trunk and controlled the radio. The pair, who will discuss their findings Friday at the DEF CON hacking conference in Las Vegas, also uploaded a remote access application that allowed them to lock and unlock the car using an iPhone.
Dr. John Halamka has taken to his "Life as a Healthcare CIO" blog to sound the alarm on medical device threats in the wake of the FDA late last week issuing its first cybersecurity warning about a specific medical device. The Food and Drug Administration urged healthcare facilities to stop using Hospira's Symbiq Infusion System, a common device for dispensing fluids/drugs to patients that the manufacturer says is being removed from the market. The warning spells out that the devices could be accessed via a hospital network and rejiggered to mess up a patient's dosage. The FDA said it's not aware of any hacking incidents involving the pumps, whose vulnerability was initially warned of on the US-CERT site in June and then the Industrial Control Systems CERT site in mid-July.
LAS VEGAS – Telesign, a mobile identity solutions provider, continued to educate the public about its free “Turn It On” Campaign – a step-by-step instructional guide to two-factor authentication (2FA) on some of the most visited websites – at this year’s Black Hat security conference. Co-founder Ryan Disraeli says that based on Telesign’s “Consumer Account Security Report,” it’s clear consumers want more security but don’t know much – if anything – about 2FA. The report, a study of the changing attitudes and behavior of consumers around their online security, found that “80 percent of consumers worry about online security and 45 percent are extremely or very concerned about their accounts being hacked.”
Many smartphone manufacturers preload remote support tools on their Android devices in an insecure way, providing a method for hackers to take control of the devices through rogue apps or even SMS messages. The vulnerability was discovered by researchers from security firm Check Point Software Technologies, who presented it Thursday at the Black Hat security conference in Las Vegas. According to them, it affects hundreds of millions of Android devices from many manufacturers including Samsung Electronics, LG Electronics, HTC, Huawei Technologies and ZTE. Most of the flagship phones from different vendors come preloaded with remote support tools, Check Point researchers Ohad Bobrov and Avi Bashan said. In some cases they are installed by the manufacturers themselves, while in other cases by mobile carriers, they said.
It’s possible to get a printer and other inexpensive network and Internet of Things devices to transmit radio signals that are detectable far enough away that they could be used to steal data from compromised networks, a researcher tells the Black Hat 2015 conference. By rapidly turning on and off the outputs from I/O pins on chips within the printer, it’s possible to generate a signal strong enough to pass through a concrete wall and beyond to a receiver, says Ang Cui, a researcher who works at Red Balloon Security and did the research at Columbia University.
Since Joshua Drake of Zimperium announced his talk at the Black Hat conference on Twitter, speculation in the blogosphere has been rampant.
BLACKHAT USA 2015 Stagefright: Scary Code in the Heart of Android: https://t.co/oBZpiBFx1x by @jduck — Mobile Security (@Mobile_Sec) July 23, 2015
If some of the claims were true, Android phones would be exploding into flames. Since the introduction of version 4.1 Jelly Bean, Android has been protected from buffer-overflow vulnerabilities such as Stagefright with Address Space Layout Randomization (ASLR). A glance at the chart below reveals that 90% of the Android devices are protected by ASLR. Drake's estimate of one billion Android devices affected by this vulnerability was inflated.
It’s been 25 years since two thieves, dressed as Boston police officers, made off with $500 million worth of art from the Isabella Stewart Gardner Museum in Boston. The FBI this week released new video it says was captured by Museum security cameras 24 hours before the Gardner heist, which the agency hopes might trigger some new leads in the very cold case.
Globalstar satellite transmissions used for tracking truck fleets and wilderness hikers can be hacked to alter messages being sent, with possibly dire consequences for pilots, shipping lines, war correspondents and businesses that use the system to keep an eye on their remote assets. The technique, described at Black Hat 2015, can’t affect control of the Globalstar satellites themselves, just the messages they relay, but that could mean altering the apparent location of assets the system tracks. So a cargo container with a satellite location device in it could be made to seemingly disappear, or an airplane could be made to seem to veer off course, according to a briefing by Colby Moore, a security staffer at Synack.
Las Vegas -- Security researchers need to fight for the rights to study, modify and reverse engineer Internet hardware and software or the general population risks losing Internet freedom, the Black Hat 2015 conference was told.
“The dream of Internet freedom is dying,” warned Jennifer Granick, the Director of Civil Liberties at the Stanford Center for Internet and Society, during the conference keynote. Four things are killing it: centralization, regulation, globalization and loss of “the freedom to tinker,” she says.
Powerful tech industry groups have asked the U.S. Senate to drop a plan to require Internet companies to report terrorist activity on their platforms, as the provision could potentially raise privacy issues for users. Section 603 of the Intelligence Authorization Act for Fiscal Year 2016 would require Internet services companies, who obtain “actual knowledge of any terrorist activity,” to provide to the appropriate authorities the “facts or circumstances” of the alleged activities. Describing “any terrorist activity” as a vague and overbroad term, the Internet Association, Reform Government Surveillance and Internet Infrastructure Coalition have in a letter Wednesday warned that the provision could result in “overbroad reporting to the government, swamping law enforcement with useless information, and potentially raising First Amendment and privacy concerns for the user who posted the item.”
The overseer of the Internet’s addressing system said Wednesday that someone obtained information related to user accounts for its public website, although no financial information was divulged. ICANN, short for the Internet Corporation for Assigned Names and Numbers, said user names, email addresses, encrypted passwords and other data, such as bios, interests and newsletter subscriptions, were contained in the accounts. Despite the breach, the accounts as well as internal ICANN systems do not appear to have been accessed, the organization said in a post on its website. Although an investigation continues, ICANN said the “encrypted passwords appear to have been obtained as a result of unauthorized access to an external service provider.” It did not name that provider.
Inherent insecurity in the routing protocol that links networks on the Internet poses a direct threat to the infrastructure that secures communications between users and websites. The Border Gateway Protocol (BGP), which is used by computer network operators to exchange information about which Internet Protocol (IP) addresses they own and how they should be routed, was designed at a time when the Internet was small and operators trusted each other implicitly, without any form of validation. If one operator, or autonomous system (AS), advertises routes for a block of IP addresses that it doesn’t own and its upstream provider passes on the information to others, the traffic intended for those addresses might get sent to the rogue operator.
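The hijack mechanism described above, and the validation step the article says BGP lacks, modelled as an added example (not code from the article or from any router vendor). The prefixes, AS numbers and the "ROA" table are constructed from documentation ranges and private ASNs; the validation states follow the RFC 6811 semantics of Route Origin Validation, which is what an upstream would need to drop the rogue announcement instead of passing it on:

```python
"""Toy model of a BGP prefix hijack and of Route Origin Validation (ROV).

Added example: all prefixes, ASNs and ROAs below are constructed (RFC 5737
documentation ranges, RFC 6996 private ASNs). A real router would pull ROAs
from the RPKI rather than from a hard-coded list.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed ROA table: (prefix, max_length, authorised origin AS).
ROAS = [
    (ipaddress.ip_network("203.0.113.0/24"), 24, 64500),
    (ipaddress.ip_network("198.51.100.0/24"), 25, 64501),
]

# Constructed announcements seen by an upstream: the legitimate owner
# (AS 64500) and a rogue AS 64666 announcing a more-specific it does not own.
ANNOUNCEMENTS: List[Tuple[str, int]] = [
    ("203.0.113.0/24", 64500),
    ("203.0.113.0/25", 64666),
]


def rov_state(prefix: str, origin_as: int) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811).

    An announcement is valid if some ROA covers the prefix, names this origin
    AS, and the announced prefix is no longer than the ROA's max length.
    It is invalid if ROAs cover the prefix but none of them match.
    """
    net = ipaddress.ip_network(prefix)
    covering = [
        roa for roa in ROAS
        if roa[0].version == net.version and net.subnet_of(roa[0])
    ]
    if not covering:
        return "not-found"          # no ROA: ROV offers no opinion
    for roa_net, max_len, roa_as in covering:
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


def select_route(destination: str,
                 announcements: List[Tuple[str, int]],
                 enforce_rov: bool) -> Optional[int]:
    """Return the origin AS whose route would carry traffic to `destination`.

    Mimics longest-prefix-match forwarding. Without ROV the rogue
    more-specific wins; with ROV, invalid announcements are dropped first.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, origin_as in announcements:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        if enforce_rov and rov_state(prefix, origin_as) == "invalid":
            continue                # the check the article says BGP lacks
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, origin_as)
    return None if best is None else best[1]


if __name__ == "__main__":
    victim = "203.0.113.10"
    print("no ROV :", select_route(victim, ANNOUNCEMENTS, enforce_rov=False))
    print("with ROV:", select_route(victim, ANNOUNCEMENTS, enforce_rov=True))
```

Without validation the more-specific /25 from the rogue AS wins longest-prefix match and traffic for the whole block is diverted; with validation the upstream drops it and the /24 from the legitimate origin carries the traffic. The `max_length` case (a /26 announced by the rightful owner when the ROA only permits up to /25) is classified invalid as well, which is the usual operator footgun when deploying ROAs.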
Google, Samsung and LG will start to issue monthly security patches for Android devices, taking a cue from the PC industry after critical vulnerabilities put hundreds of millions of smartphone users at risk. Security experts have warned for years that Android devices receive critical updates from manufacturers either too slowly or not at all. Phones and tablets have been increasingly targeted by hackers looking to steal data or defraud users. Google’s Nexus devices will get monthly over-the-air security patches, said Adrian Ludwig, lead engineer for Android security, at the Black Hat security conference in Las Vegas. “Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability, or 18 months from last sale of the device via the Google Store,” he wrote in a blog post.
China’s control over the Internet is set to expand. In a bid to better police local websites, the country’s security forces are establishing offices at the biggest online firms in the country. The country’s Ministry of Public Security announced the new measures on Tuesday, at a time when authorities have been increasingly concerned also about cyberthreats. Websites based in China already have to abide by strict provisions for online censorship, and will often delete any content deemed offensive by government censors.
An improved attack on the firmware in Apple computers makes them vulnerable to hard-to-detect malware without even being connected to a network, according to a Black Hat conference presentation due to be given later this week. The new research highlights ongoing weaknesses in the low-level software that runs on every computer before an operating system is loaded. It comes from researchers Xeno Kovah and Corey Kallenberg of LegbaCore and Trammell Hudson of Two Sigma Investments. They showed earlier this year how they could infect a Mac’s firmware with malware by connecting malicious devices to it using Thunderbolt, Apple’s high-speed data transfer interface. The attack was dubbed Thunderstrike.
For as cool as it might be to use Microsoft's virtual assistant Cortana, she is also a big reason why the Windows 10 settings are so unfriendly to privacy. Start typing in the "Search Windows" box on the taskbar and Cortana wants to help…or to be turned on. It may be a bummer to lose so many features in Windows 10, but you have to choose if you want as much privacy as possible or if you want as many Windows 10 features as possible. Sorry, but you can't have both.
Settings > Privacy
The FBI said there has been a significant uptick in the number of businesses being hit with extortion schemes where a company receives an e-mail threatening a Distributed Denial of Service (DDoS) attack on its website unless it pays a ransom, usually in varying amounts of Bitcoin. The report comes from the FBI’s partner, the Internet Crime Complaint Center (IC3), which stated that victims that do not pay the ransom receive a subsequent threatening e-mail claiming that the ransom will significantly increase if the victim fails to pay within the time frame given. Some businesses reported implementing DDoS mitigation services as a precaution. “Businesses that experienced a DDoS attack reported the attacks consisted primarily of Simple Discovery Protocol (SSDP) and Network Time Protocol (NTP) reflection/amplification attacks, with an occasional SYN-flood and, more recently, Wordpress XML-RPC reflection/amplification attack. The attacks typically lasted one to two hours, with 30 to 35 gigabytes as the physical limit,” the IC3 stated in the warning.
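What the attack vectors named in the IC3 warning look like at the flow level, and how a responder can tell them apart from ordinary traffic, as an added example (not code from the article, the FBI or IC3). The flow-record format, the sample records and the thresholds are all constructed for illustration; a real deployment would read NetFlow/IPFIX exports and tune thresholds to the site's baseline:

```python
"""Flow-level detection of SSDP/NTP reflection and SYN-flood patterns.

Added example. Reflection/amplification traffic arrives as UDP replies
whose *source* port is the reflected service (SSDP 1900, NTP 123) and whose
source addresses are many unrelated hosts; a SYN flood shows up as many
TCP flows carrying only the S flag. Flow format and samples are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Source ports of the reflection vectors named in the IC3 warning.
REFLECTOR_PORTS = {1900: "SSDP reflection", 123: "NTP reflection"}

# Constructed flow-record syntax (hypothetical, not a real exporter format).
FLOW_RE = re.compile(
    r"ts=(?P<ts>\d+) proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"bytes=(?P<bytes>\d+)(?: flags=(?P<flags>\w+))?$"
)

# Constructed sample: four SSDP reflectors, one lone NTP source, a normal
# DNS reply, five single-packet SYNs, a normal HTTP flow, and one flow to
# a different host that must not be counted against the victim.
SAMPLE_FLOWS = [
    "ts=1 proto=udp src=192.0.2.10:1900 dst=203.0.113.5:41234 bytes=60000",
    "ts=1 proto=udp src=192.0.2.11:1900 dst=203.0.113.5:41234 bytes=60000",
    "ts=2 proto=udp src=192.0.2.12:1900 dst=203.0.113.5:41234 bytes=60000",
    "ts=2 proto=udp src=192.0.2.13:1900 dst=203.0.113.5:41234 bytes=60000",
    "ts=2 proto=udp src=198.51.100.7:123 dst=203.0.113.5:41234 bytes=500000",
    "ts=3 proto=udp src=198.51.100.53:53 dst=203.0.113.5:41234 bytes=300",
    "ts=3 proto=tcp src=192.0.2.20:40001 dst=203.0.113.5:80 bytes=60 flags=S",
    "ts=3 proto=tcp src=192.0.2.21:40002 dst=203.0.113.5:80 bytes=60 flags=S",
    "ts=3 proto=tcp src=192.0.2.22:40003 dst=203.0.113.5:80 bytes=60 flags=S",
    "ts=3 proto=tcp src=192.0.2.23:40004 dst=203.0.113.5:80 bytes=60 flags=S",
    "ts=3 proto=tcp src=192.0.2.24:40005 dst=203.0.113.5:80 bytes=60 flags=S",
    "ts=4 proto=tcp src=198.51.100.9:50000 dst=203.0.113.5:80 bytes=1200 flags=PA",
    "ts=4 proto=udp src=192.0.2.30:1900 dst=203.0.113.9:41234 bytes=60000",
]


def parse_flows(lines: List[str]) -> List[dict]:
    """Parse constructed flow lines; unparseable lines are skipped."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "ts": int(d["ts"]), "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "bytes": int(d["bytes"]), "flags": d["flags"] or "",
        })
    return flows


def detect_attacks(flows: List[dict], victim: str,
                   min_sources: int = 3, min_bytes: int = 100_000,
                   min_syn_flows: int = 5) -> Dict[str, Dict[str, int]]:
    """Summarise each suspected vector against `victim` that crosses thresholds.

    Reflection vectors are judged on distinct sources and total bytes
    (amplification is a volume problem); a SYN flood on distinct sources and
    flow count (each SYN is tiny, so bytes would hide it).
    """
    stats = defaultdict(lambda: {"sources": set(), "bytes": 0, "flows": 0})
    for f in flows:
        if f["dst"] != victim:
            continue
        if f["proto"] == "udp" and f["sport"] in REFLECTOR_PORTS:
            vector = REFLECTOR_PORTS[f["sport"]]
        elif f["proto"] == "tcp" and f["flags"] == "S":
            vector = "SYN flood"
        else:
            continue
        s = stats[vector]
        s["sources"].add(f["src"])
        s["bytes"] += f["bytes"]
        s["flows"] += 1

    report = {}
    for vector, s in stats.items():
        if len(s["sources"]) < min_sources:
            continue            # a single chatty host is not a reflection attack
        volume_ok = (s["flows"] >= min_syn_flows if vector == "SYN flood"
                     else s["bytes"] >= min_bytes)
        if volume_ok:
            report[vector] = {"sources": len(s["sources"]),
                              "bytes": s["bytes"], "flows": s["flows"]}
    return report


if __name__ == "__main__":
    for vector, summary in detect_attacks(parse_flows(SAMPLE_FLOWS), "203.0.113.5").items():
        print(vector, summary)
```

On the sample the SSDP vector and the SYN flood are reported; the single NTP source is not, even though it sent the most bytes, because one source talking to you is a misconfiguration or a scan rather than reflection, and the distinct-source threshold is what separates the two. Keying on the reply's source port rather than the destination port is what makes the reflector signature: the victim never sent the SSDP or NTP request.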
IT security firm Qualys has unveiled a free inventory service that can help organizations keep track of all their computers and virtual machines. The service, called Qualys AssetView, provides an inventory of an organization’s computers and their software. Administrators can use the service to run reports that compile asset information, or to run search queries to find out which of their computers are running outdated or unlicensed software, for instance. Qualys AssetView gives IT and security staff a “simple and quick way” of figuring out what assets they have and what software is on them, said Sumedh Thakar, Qualys chief product officer.
If you can't think like a hacker, it's difficult to defend against them. Such is the premise of this free, nine-part online course, presented by Computerworld and training company Pluralsight, about how to go on the cyber-offensive by using some of the same techniques and tools the bad guys do. This course comes at security from the view of the attacker in that their entry point is typically the browser. They have a website they want to probe for security risks -- and now you can learn how they go about it. This approach helps IT managers and staffers, developers and others to begin immediately assessing their applications even when the apps are already running in a live environment without access to the source. After all, that's what the attackers are doing.