Category Archives for "Network World Security"

Cyberespionage group Pawn Storm uses exploit for unpatched Java flaw

A sophisticated group of hackers known for targeting military, government and media organizations is currently using an exploit for a vulnerability in Java that hasn’t been patched by Oracle. The zero-day exploit was recently observed by researchers from antivirus vendor Trend Micro in attacks against the armed forces of an unnamed NATO country and a U.S. defense organization. Those targets received spear-phishing emails that contained links to Web pages hosting the exploit. The cyberespionage group, known as APT28 and Pawn Storm, has been active since at least 2007. Some security vendors believe that it operates out of Russia and has ties to that country’s intelligence services.

How OPM data breach could have been prevented

The recently disclosed data breach at the U.S. government's Office of Personnel Management follows a long history of lax security at the agency, according to the inspector general's office. In testimony before a joint House subcommittee hearing, Michael Esser, OPM's assistant inspector general for audits, told lawmakers that the agency's "long history of systemic failures to properly manage its IT infrastructure" may have invited a pair of related hacking incidents that compromised more than 21 million current and former government employees' personal information.

DEF CON: Come hack the Internet of Things

The Internet of Things is talked about a lot and many people are unsure what it really is, but at DEF CON 23 this summer in Las Vegas, that should become a lot more clear as attendees compete to hack IoT devices. “Pwning IoT via Hardware Attacks” is a competition starting this year as part of IoT Village, a new sector of the conference focusing on security of proliferating devices such as sensors, meters, industrial controls and smart appliances. As part of the village, attendees can enter their successful compromises against IoT devices in an attempt to win prizes. The entries will be judged on the severity of the compromise – how thoroughly a machine is taken over – and how it can be accessed, such as remotely or without being detectable, says Chase Schultz, a security researcher for Independent Security Evaluators (ISE), which is organizing the competition.

Hacking Team’s arsenal included at least three unpatched exploits for Flash Player

Recently breached surveillance software maker Hacking Team had access to three different exploits for previously unknown vulnerabilities in Flash Player. All of them are now out in the open, putting Internet users at risk. Milan-based Hacking Team develops and sells surveillance software to government agencies from around the world. On July 5, a hacker released over 400GB of data stolen from the company on the Internet, including email communications, business documents, source code and other internal files. On Tuesday, researchers found a proof-of-concept exploit among Hacking Team’s files that worked against the latest version of Flash Player. Cybercriminals were quick to adopt it and were already using it in large-scale attacks by the time Adobe Systems released a patch for it on Wednesday.

New products of the week 07.13.15

Our roundup of intriguing new products. Unified Communications Command Suite 8.1. Key features: UCCS 8.1 helps gain insights into workforce activity, email usage and trends, and communication consumption across multiple UC platforms. It also drives cross-platform adoption and usage to realize maximum ROI.

Leaked emails show Florida police interested in buying Hacking Team surveillance tech

“Developing the U.S. market. Well done,” reads an email from Hacking Team CEO David Vincenzetti dated May 22. That comment was in regard to the Hacking Team meeting with the Florida Metropolitan Bureau of Investigation (MBI) in Orlando after the police agency expressed an interest in purchasing surveillance malware. MBI is “a multi-agency task force that covers Orange and Osceola counties” and includes members from DEA, FBI, ICE, Secret Service and other agencies.

Second Flash Player zero-day exploit found in Hacking Team’s data

The huge cache of files recently leaked from Italian surveillance software maker Hacking Team is the gift that keeps on giving for attackers. Researchers sifting through the data found a new exploit for a previously unknown vulnerability in Adobe’s Flash Player. This is the second Flash Player zero-day exploit discovered among the files and the third overall—researchers also found a zero-day exploit for a vulnerability in Windows. A zero-day exploit targets a previously unknown vulnerability for which a patch does not exist.

The grim reaper approaches for Windows Server 2003

Microsoft’s Windows Server 2003 has its Windows XP moment coming very soon, and that’s bad news for IT leaders who have been dragging their feet. The company will end extended support for the 12-year-old operating system on July 14. That will leave users without security patches and other updates for any applications still running on the OS, which went out to manufacturers just weeks after the start of the second Iraq war. Microsoft says there were almost 24 million instances of Windows Server 2003 running in July 2014, though it hasn’t released more recent numbers as the end-of-support date has loomed. According to Mike Schutz, Microsoft’s general manager of cloud platform marketing, the good news is that most of the customers Microsoft has spoken with have moved “the vast percentage” of their server workloads off Windows Server 2003. But that still means that there are holdouts who will be left to protect their own servers as Microsoft cuts off security improvements.

OPM director resigns after unprecedented data breach

The director of the U.S. Office of Personnel Management resigned on Friday, a day after her agency announced hackers had stolen information on 21.5 million current, former and prospective government employees and their families. Katherine Archuleta said she had informed President Barack Obama of her plans to step down, and he had accepted her resignation. “I conveyed to the President that I believe it is best for me to step aside and allow new leadership to step in, enabling the agency to move beyond the current challenges and allowing the employees at OPM to continue their important work,” she said in an email to employees. Archuleta had been at the agency for less than two years, joining in November 2013 at about the time the agency began an upgrade of its cyberdefenses. It was as part of that upgrade that it discovered two separate ongoing breaches that, investigators concluded, were unprecedented in their size and seriousness.

Internet voting not ready yet, but can be made more secure

A push to allow Internet voting in elections is growing stronger along with advances in the underlying technology, but systems are not yet secure enough to use with relative certainty that the vote counts will be accurate, according to a new report. Still, while "no existing system guarantees voter privacy or the correct election outcomes," election officials could take several steps to significantly improve the security and transparency of Internet voting systems, said the report, commissioned by the U.S. Vote Foundation, an organization that helps U.S. residents vote.

VMware patches vulnerabilities in Workstation, Player, Fusion and Horizon View Client

VMware released patches for serious vulnerabilities in several of its products that could lead to arbitrary code execution, privilege escalation on the host OS and denial of service. VMware Workstation and Horizon View Client for the Windows platform had multiple memory manipulation issues that could allow a guest to execute code on the host OS or to trigger a denial-of-service condition. Workstation, Player, and Fusion also had a flaw that could enable a denial-of-service attack against the guest or host operating systems. To address the code execution issue, VMware released Workstation 11.1.1 and 10.0.6; VMware Player 7.1.1 and 6.0.6; and Horizon Client for Windows 3.4.0, 3.2.1 and 5.4.2 (with local mode). The company also fixed the separate denial-of-service issue in VMware Workstation 10.0.5 and VMware Player 6.0.6 for all platforms and Fusion 7.0.1 and 6.0.6 for OS X.

10 ‘smart luggage’ options for tech-savvy travelers

Luggage is long overdue for some serious innovation. The last big breakthrough — wheeled suitcases — rolled out in 1970. Crowdfunded startups and established luggage companies seem to have suddenly realized the market opportunity, and they are adding Wi-Fi hot spots, Bluetooth, SIM cards, GPS and built-in batteries to their products.

The Upload: Your tech news briefing for Friday, July 10

Power to the people: Facebook news feed tool lets users prioritize posts

Despite all that it knows about us, Facebook has conceded that it can’t do such a good job of guessing which items we’d like to see in our news feeds. It’s adding a tool that will let users pick the content they see first. It’s a minor victory for users who want to wrest control from algorithms and have greater influence over the information they get from social networking sites. Selected posts from friends or pages belonging to organizations and businesses will show up with a star in the top right corner.

Google fine tunes spam catching tools

Google has reduced spam reaching inboxes to a fraction of a percent, but in the process sometimes misclassifies bulk-mailed messages like monthly statements and ticket receipts. It’s a big problem for large bulk emailers of legitimate messages. To deal with it, Google has created a toolset to help those mailers figure out what’s happening to their messages. Postmaster Tools is designed for administrators and provides information on delivery errors, spam reports and reputation, wrote Sri Harsha Somanchi, a Google product manager, in a blog post. Google is also trying to make its spam filter for consumer accounts more customizable. Although people can already classify messages by specifically labeling one as spam, what is spam to one person may be considered a desired communication by another.

Two US telecom companies to pay $3.5 million for data breach

Two sister mobile and telecom service providers will pay a combined US$3.5 million after the U.S. Federal Communications Commission found that they were storing customers’ personal data on unprotected servers accessible over the Internet. TerraCom and YourTel America failed to adequately protect the personal information of more than 300,000 customers, the FCC said. The settlement stems from a 2013 incident when an investigative reporter found customer records from the companies’ low-income Lifeline programs online, the agency said in an October 2014 proposal to fine the companies.

OPM hackers stole data on 21.5m people, including 1.1m fingerprints

Investigators have tallied up the number of records stolen in an attack on the U.S. Office of Personnel Management (OPM), and it’s bigger than anyone thought. The agency has concluded “with high confidence” that hackers got away with sensitive information including Social Security numbers on 21.5 million people—almost everyone who underwent a background security investigation for a government job through OPM since 2000. The majority of records, some 19.7 million, were for background investigation applicants while an additional 1.8 million were from nonapplicants—friends and family of applicants who would also be investigated as part of the process.

GAO: Early look at fed’s “Einstein 3” security weapon finds challenges

When it comes to the government protecting all manner of state and personal information, the feds can use all the help they can get. One of the most effective tools the government has is the National Cybersecurity Protection System (NCPS), known as “EINSTEIN.” In a nutshell, EINSTEIN is a suite of technologies intended to detect and prevent malicious network traffic from entering and exiting federal civilian government networks.

Bitglass boosts security for data in public-cloud apps

Bitglass has boosted the protection it offers cloud-based applications, now supporting fully searchable AES 256 encryption without degrading the speed of searches. The company has received a U.S. patent on the technology it is using to deliver the searchable encryption and that is now available through its security-brokering service. The service is designed for corporate customers who want to use cloud software as a service (SaaS) but who don’t want their data stored unsecured in the cloud. A gateway on customers’ sites encrypts data that is headed to the cloud, then uploads only an encryption prefix or handle to the cloud itself. When an authorized person wants to use the cloud app, the app sends down the handle to the gateway. The gateway uses the handle as an index to find the full version of the encrypted data and decrypts it.

OpenSSL fixes serious flaw that could enable man-in-the-middle attacks

A flaw in the widely used OpenSSL library could allow man-in-the-middle attackers to impersonate HTTPS servers and snoop on encrypted traffic. Most browsers are not affected, but other applications and embedded devices could be. The OpenSSL 1.0.1p and 1.0.2d versions released Thursday fix an issue that could be used to bypass certain checks and trick OpenSSL into treating any valid certificates as belonging to certificate authorities. Attackers could exploit this to generate rogue certificates for any website that would be accepted by OpenSSL. “This vulnerability is really only useful to an active attacker, who is already capable of performing a man-in-the-middle (MITM) attack, either locally or upstream from the victim,” said Tod Beardsley, security engineering manager at Rapid7, via email. “This limits the feasibility of attacks to actors who are already in a privileged position on one of the hops between the client and the server, or is on the same LAN and can impersonate DNS or gateways.”

Apple drops Recovery Key in new two-factor authentication for El Capitan and iOS 9

In early June, Apple said two-factor authentication would be tightly integrated into OS X 10.11 El Capitan and iOS 9, but provided little detail as to what that means. The current setup is scattered across sites and methods in order to deliver a second one-time use, time-limited code or other method of verification when a user logs in to an Apple site or on an Apple device with an Apple ID set up for it. Apple today posted a detailed explanation about how two-factor authentication works starting with the public betas of iOS 9 and El Capitan. Among other changes, the Recovery Key option that has tripped up users in the past, and led in some cases to users having to abandon an Apple ID as permanently unavailable, has been removed, an Apple spokesperson confirmed. With the new system, Apple customer support will work through a detailed recovery process with users who lose access to all their trusted devices and phone numbers.