Category Archives for "Network World Security"

HP study finds smartwatches could do more to keep user data safe

Smartwatches are failing people at keeping their data safe and protecting them from hackers. Those are the findings of a study from Hewlett-Packard, whose Fortify on Demand security division tested 10 popular smartwatches. The company is in the process of alerting vendors about the flaws and can’t disclose the watches it tested, said Daniel Miessler, practice principal at HP. HP also examined the security around the Web interfaces and mobile apps that accompany smartwatches and allow a person to access the device, as well as how data gathered by watch apps is protected and used. The study found vulnerabilities in each of the watches and raised concerns over user authentication methods, data encryption and data privacy, among other issues.

BlackBerry delves deeper into security with AtHoc purchase

BlackBerry continues to shift its focus from selling mobile phones to securing them—as well as other portable devices, and increasingly the connected items that make up the Internet of things. “All of our investments and acquisitions go to one thing, to make the most secure mobile platform that the industry has to offer,” said John Chen, BlackBerry executive chairman and CEO, kicking off a morning of presentations at the company-sponsored BlackBerry Security Summit, held Thursday in New York. BlackBerry still sells handsets, but, to judge from the day’s presentations, it clearly sees a brighter future in enterprise mobile security, where it can best leverage its remaining strengths in the market.

Researchers disclose four unpatched vulnerabilities in Internet Explorer

Security researchers have published limited details about four unpatched vulnerabilities in Internet Explorer because Microsoft has not moved quickly enough to fix them. The flaws could potentially be exploited to execute malicious code on computers when users visit compromised websites or open specially crafted documents. They were reported through Hewlett-Packard’s Zero Day Initiative (ZDI) program. HP’s TippingPoint division, which sells network security products, pays researchers for information on unpatched high-risk vulnerabilities in popular software. The company uses the information to create detection signatures, giving it a competitive advantage, but also reports the flaws to the affected vendors so they can be fixed.

Google: Users still aren’t getting message about online security

Google researchers say that experts and non-experts go about protecting their digital privacy in very different ways, according to survey results they plan to present at the upcoming Symposium on Usable Privacy and Security. The importance of regular software updates is apparently lost on a large proportion of Internet users who aren’t security experts, the survey found. Just 2% of non-experts said that routinely patching software was high on their list of security priorities, compared to 35% of experts.

WordPress gets patch for critical XSS flaw

Developers of the popular WordPress blogging platform have released a critical security update to fix a vulnerability that can be exploited to take over websites. WordPress 4.2.3, released Thursday, resolves a cross-site scripting (XSS) vulnerability that could allow users with the Contributor or Author roles to compromise a website, said Gary Pendergast, a member of the WordPress team, in a blog post. While this is not as critical as a flaw that can be exploited without authentication, it still poses a high risk for many websites, because the compromise of a single non-administrator user account can turn into a complete website takeover.

IDG Contributor Network: 4 steps to make DevOps safe, secure, and reliable

DevOps is one of the hottest trends in software development. It's all about helping businesses achieve agile service delivery – that is, moving applications from development to test to deployment as quickly as possible. Fast application deployment may seem at odds with robust security practices, which often take a go-slow approach to new or changed applications in order to verify that the applications are safe before letting them touch live data or business networks — or be exposed to the Internet or customers. Fortunately, there's nothing inherently risky or dangerous about DevOps and agile service delivery, as long as the right security policies are created and followed, and automation eliminates unnecessary delay in ensuring compliance.

Hacker: ‘Hundreds of thousands’ of vehicles are at risk of attack

A security expert who recently demonstrated he could hack into a Jeep and control its most vital functions said the same could be done with hundreds of thousands of other vehicles on the road today. Security experts Charlie Miller and Chris Valasek collaborated with Wired magazine to demonstrate how they could remotely hack into and control the entertainment system as well as more vital functions of a 2015 Jeep Cherokee. Both are experienced IT security researchers: Miller is a former NSA hacker and security researcher for Twitter, and Valasek is the director of security research at IOActive, a consultancy.

Nigerian scammers buy exploit kits to defraud Asian businesses

A small group of Nigerian scammers is using more sophisticated methods to defraud mostly Asian businesses, including buying exploit kits and malware from experienced coders, according to a new report from FireEye. The security company said the group performs deep reconnaissance of its potential victims, inserting itself into financial transactions in order to divert payments to its own accounts. The schemes are much more complex than so-called 419 or advance-fee fraud scams, where random victims are induced to send funds in order to get a non-existent but much larger payoff.

Microsoft follows Google to crack down on revenge porn

Microsoft will make it easier for people to request the removal of links to intimate images or videos from the company's Bing search engine if such content was posted online without their consent. This move comes in response to an increasingly prevalent phenomenon dubbed "revenge porn," where jilted former partners or extortionists upload sexually explicit content depicting the victims in an embarrassing light. "Unfortunately, revenge porn is on the rise across the globe," said Jacqueline Beauchere, Microsoft's chief online safety officer, in a blog post. "It can damage nearly every aspect of a victim's life: relationships, career, social activities. In the most severe and tragic cases, it has even led to suicide."

How to check if you’ve been attacked by Hacking Team intrusion malware

Hacking Team malware has been attacking computers and smartphones, and you may be infected without knowing it. Here's how to find out. Hacking Team is an Italy-based company that sells surveillance and intrusion software to government agencies and law enforcement groups across the world. Earlier this month its systems were broken into and Hacking Team's intrusion software was released to the world. That means hackers could grab hold of it for their own purposes and attack computers and smartphones. Since then, Microsoft has released a patch for Windows designed to close a security hole that could be exploited by Hacking Team software. Adobe has released a patch for Flash Player, which is vulnerable as well.

US court says ‘pocket-dialed’ calls are not private

A federal appeals court in Ohio has ruled that a person who accidentally “pocket dials” someone shouldn’t expect any overheard conversation to be considered private. The case involves the chairman of the Airport Board in Kenton, Kentucky, which oversees the Cincinnati/Northern Kentucky International Airport. The chairman, James Huff, was on a business trip in Italy with his wife and a colleague when he accidentally pocket-dialed the secretary of the airport’s CEO back in the U.S. The secretary, Carol Spaw, said “hello” a few times and soon figured out the call wasn’t meant for her. But she overheard Huff and his colleague talking about personnel matters, including the possibility that the airport’s CEO—Spaw’s boss—might be replaced. The inadvertent call continued after Huff got back to his hotel room with his wife.

8 most in-demand IT security certifications

As high-profile security breaches (e.g., Target, Sony, Adobe and most recently, Ashley Madison) continue to dominate headlines, companies are doubling down on pay to hire the best and the brightest IT security professionals. The most recent IT Skills and Certifications Pay Index (ITSCPI) from research and analysis firm Foote Partners confirms that IT pros holding security certifications can expect premium pay. Market values for 69 information security and cybersecurity certifications in the ITSCPI have been on a slow and steady upward path for two years, up 8 percent in average market value during this time, states co-founder, chief analyst and research officer David Foote in the report.

Belgian government phishing test goes off-track

An IT security drill went off the tracks in Belgium, prompting a regional government office to apologize to European high-speed train operator Thalys for involving it without warning. Belgium’s Flemish regional government sent a mock phishing email to about 20,000 of its employees to see how they would react. The email purported to be a booking confirmation from Thalys for a trip from Brussels to Paris, including a stay in a fancy hotel. The cost—almost €20,000 (about US$22,000)—would be charged to the recipient’s credit card unless the person cancelled within three days, the email said. To cancel the trip, the email instructed recipients to send their credit card information to Thalys, Belgian media reported.

IDG Contributor Network: Druva aims to deliver complete data protection and compliance for the enterprise

With a product announcement this week, data protection company Druva aims to help enterprises manage the sometimes-conflicting aims of leveraging new technology for greater efficiency while remaining safe and secure in terms of data protection. So what has Druva got in the pipeline now? Utilized by more than 3,000 organizations around the world and protecting data on a reported 3 million devices, Druva is all about data protection for the mobile workforce. What that means is that Druva takes care of backup and availability of data, alongside broad governance. Druva's product aims to ensure that specific data remains within the confines of your organization, while other data can be shared externally. Druva thus sits in two camps - both the data backup and recovery space and the endpoint security space. These two worlds are increasingly coming together, and Druva is an example of this trend.

Bug exposes OpenSSH servers to brute-force password guessing attacks

A bug in OpenSSH, the most popular software for secure remote access to UNIX-based systems, could allow attackers to bypass the server's authentication retry limit and make many password guesses over a single connection. A security researcher who uses the online alias Kingcope disclosed the issue on his blog last week, but only requested a public vulnerability ID on Tuesday. By default, OpenSSH servers allow six authentication retries before closing a connection, and the OpenSSH client allows three incorrect password entries, Kingcope said.
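The retry limit the article refers to is sshd's MaxAuthTries option, whose default is the six attempts mentioned above. A bypass of that limit leaves a distinctive trace: a single connection records more authentication failures than the limit allows. The following Python detector is an added example, not code from the article or from the OpenSSH project. It reads OpenSSH syslog lines, groups failures per sshd process ID (assuming, as is normal for OpenSSH, that each connection is logged under its own sshd child PID), and flags any connection whose failure count exceeds the configured limit; it also totals failures per source address for ordinary brute-force detection across many short connections. The log lines are constructed for this example, and the host name, PIDs and addresses are placeholders.

```python
import re
from collections import defaultdict

# Default MaxAuthTries in sshd_config: the six retries the article mentions.
DEFAULT_MAX_AUTH_TRIES = 6

# Generic syslog envelope for sshd: "<timestamp> <host> sshd[<pid>]: <message>".
LOG_LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)

# Per-attempt failure messages sshd writes: "Failed password" for the password
# method, "error: PAM: Authentication failure" for keyboard-interactive via PAM.
FAILURE_PATTERNS = [
    re.compile(r'^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)'),
    re.compile(r'^error: PAM: Authentication failure for (?:illegal user )?(?P<user>\S+) from (?P<ip>\S+)'),
]

# Constructed sample log: one well-behaved connection (pid 2201) that gives up
# after three failures, one connection (pid 2240) that keeps failing past the
# limit, and an unrelated successful key login (pid 2260).
SAMPLE_LOG = [
    "Jul 21 09:14:02 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jul 21 09:14:04 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jul 21 09:14:06 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jul 21 09:14:06 bastion sshd[2201]: Connection closed by 203.0.113.5 [preauth]",
] + [
    f"Jul 21 09:15:{10 + i:02d} bastion sshd[2240]: error: PAM: Authentication failure for root from 198.51.100.7"
    for i in range(10)
] + [
    "Jul 21 09:16:00 bastion sshd[2260]: Accepted publickey for deploy from 192.0.2.9 port 40022 ssh2",
]


def parse_failures(lines):
    """Group authentication failures by sshd PID (one PID per connection).

    Returns {pid: {"ip": source, "users": [names tried], "count": n}} for every
    PID that logged at least one failure; non-failure lines are ignored.
    """
    conns = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        for pat in FAILURE_PATTERNS:
            f = pat.match(msg)
            if f:
                c = conns.setdefault(pid, {"ip": f.group("ip"), "users": [], "count": 0})
                c["users"].append(f.group("user"))
                c["count"] += 1
                break
    return conns


def find_retry_bypass(lines, max_auth_tries=DEFAULT_MAX_AUTH_TRIES):
    """Return only the connections whose failure count exceeds MaxAuthTries.

    A correctly enforced limit never lets one connection log more failures than
    the configured value, so anything above it means the limit was not applied.
    """
    return {pid: c for pid, c in parse_failures(lines).items() if c["count"] > max_auth_tries}


def failures_by_source(lines):
    """Total failures per source IP across all connections, for the classic
    brute-force pattern of many short connections rather than one long one."""
    totals = defaultdict(int)
    for c in parse_failures(lines).values():
        totals[c["ip"]] += c["count"]
    return dict(totals)


if __name__ == "__main__":
    for pid, c in find_retry_bypass(SAMPLE_LOG).items():
        users = sorted(set(c["users"]))
        print(f"sshd[{pid}] from {c['ip']}: {c['count']} failures in one connection "
              f"(limit {DEFAULT_MAX_AUTH_TRIES}), users tried: {users}")
    print("failures per source:", failures_by_source(SAMPLE_LOG))
```

Run against the sample, only pid 2240 is flagged: ten failures from 198.51.100.7 under a single connection, which a working MaxAuthTries of 6 would have cut off. The per-source totals are what you would feed a rate-based blocker; the per-connection check is the one that specifically catches a retry-limit bypass.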

EFF: Modify DMCA to protect independent research into car hacking

Car owners – in other words, almost everyone – were buzzing in a bad way yesterday about a report in Wired that showed two security experts demonstrating the ability to remotely commandeer and control a Jeep that was traveling on a highway. It was harrowing just to read about this sophisticated hack, never mind imagining the reality of finding oneself in such a situation. Whether coincidental or not, lawmakers are responding with calls to hold the auto industry to task.

Senators propose bill to tighten vehicle security, privacy standards

Two U.S. senators today filed a bill that would require the federal government to establish standards to ensure automakers secure drivers against vehicle cyber attacks. The Security and Privacy in Your Car (SPY Car) Act, filed by Sens. Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.), also establishes a rating system — or "cyber dashboard" — that informs consumers about how well a vehicle protects drivers' security and privacy beyond the proposed federal minimum standards. "Drivers shouldn't have to choose between being connected and being protected," Sen. Markey said in a statement. "We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles."

The Upload: Your tech news briefing for Wednesday, July 22

Carmakers emerge winners in the bidding for Nokia Here

Nokia’s much-sought-after mapping assets, called Here, have apparently been won by a coalition of carmakers. Audi, BMW and Daimler will jointly purchase Nokia’s Here digital mapping service for roughly $2.7 billion, and they plan to invite other auto makers to take a stake in the company as well, multiple reports said on Tuesday. Uber reportedly dropped out of the bidding several weeks ago.

Senators propose bill to establish cyber security standard for cars