Archive

Category Archives for "Network World Security"

Netflix open-sources security incident management tool

Netflix has released under an open-source license an internal tool it developed to manage a deluge of security alerts and incidents. Called FIDO (Fully Integrated Defense Operation), the tool is designed to research, score and categorize threats in order to speed up handling of the most urgent ones. Netflix started developing FIDO four years ago after finding it took from a few days to more than a week to resolve issues that were entered into its help-desk ticketing system, the company wrote in a blog post Monday.

Sally Beauty investigates possible second card breach

Sally Beauty Holdings said it is investigating another possible payment card breach, about a year after it reported a similar cyberattack. The retail chain, which runs nearly 2,800 stores in the U.S., said it has received reports of “unusual activity” involving payment cards used at some of its stores during the last week of April. Law enforcement has been contacted, the company said Monday. It did not say if the second incident is related to last year’s attack. “Until this investigation is completed, it is difficult to determine with certainty the scope or nature of any potential incident,” it said.

Rombertik malware destroys computers if detected

A new type of malware resorts to crippling a computer if it is detected during security checks, a particularly catastrophic blow to its victims. The malware, nicknamed Rombertik by Cisco Systems, is designed to intercept any plain text entered into a browser window. It is being spread through spam and phishing messages, according to Cisco’s Talos Group blog on Monday. Rombertik goes through several checks once it is up and running on a Windows computer to see if it has been detected. That behavior is not unusual for some types of malware, but Rombertik “is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,” wrote Ben Baker and Alex Chiu of the Talos Group.

Microsoft picks security for the enterprise win

Microsoft is betting that good security support will be key to keeping its enterprise customers from straying to rivals. At the kickoff of the company’s Ignite conference for IT professionals, Microsoft executives unveiled a number of advanced security services, and took jabs at competitor Google for not being as mindful of security. “Google takes no responsibility to update their customers’ devices, leaving end-users and businesses increasingly exposed every day they use their Android devices,” said Terry Myerson, Microsoft’s executive vice president of operating systems. “Google just ships a big pile of code, and then leaves you exposed with no commitments.”

Cerf thinks encryption back doors would be ‘super risky’

Internet pioneer Vinton Cerf argued Monday that more users should encrypt their data, and that the encryption back doors the U.S. FBI and other law enforcement agencies are asking for will weaken online security. The Internet has numerous security challenges, and it needs more users and ISPs to adopt strong measures like encryption, two-factor authentication and HTTP over SSL, said Cerf, chief Internet evangelist at Google, in a speech at the National Press Club in Washington, D.C. Recent calls by the FBI and other government officials for technology vendors to build encryption workarounds into their products are a bad idea, said Cerf, co-creator of TCP/IP. “If you have a back door, somebody will find it, and that somebody may be a bad guy,” he said. “Creating this kind of technology is super, super risky.”

Researchers play cat and mouse with Google’s anti-phishing Chrome extension

For the past several days security researchers have raced to demonstrate that phishing protections added by a new Google Chrome extension can be bypassed with ease. The Password Alert extension, developed by Google and released Wednesday, is designed to alert Chrome users when they input their Gmail passwords on websites that don’t belong to Google and are therefore part of phishing attacks. By Thursday, an information security consultant named Paul Moore had already devised a method that attackers could use to block the extension’s alerts.

The Upload: Your tech news briefing for Monday, May 4

Facebook opens Internet.org platform to (almost) any content service

Stung by criticism that its Internet.org platform is a closed-off, private web masquerading as a philanthropic effort to bridge the digital divide, Facebook is opening the service to developers who meet its technical guidelines. CEO Mark Zuckerberg said in a video that although the company started with just a few content partners, “we’ll work with anyone who wants to join us.” Facebook posted a version of the video subtitled in Hindi, aiming to reach its audience in India where the company was seen by some as trampling principles of net neutrality with Internet.org.

US reviews use of cellphone spying technology

Faced with criticism from lawmakers and civil rights groups, the U.S. Department of Justice has begun a review of the secretive use of cellphone surveillance technology that mimics cellphone towers, and will get more open on its use, according to a newspaper report. The cell-site simulators, also referred to by other names such as “IMSI catchers” or Stingrays, operate by fooling mobile phones into believing that they are communicating with a legitimate cellphone tower, while harvesting data from the phone including its identity, location, metadata and even content of phone transmissions, according to the American Civil Liberties Union. One of the complaints of civil rights groups is that even when targeting a single phone, the technology can collect data on other phones in the area that connect to the simulator, raising privacy issues.

ACLU: NSA phone dragnet should be killed not amended

The U.S. Congress should kill the section of the Patriot Act that has allowed the National Security Agency to collect millions of phone records from the nation’s residents, instead of trying to amend it, a civil liberties advocate said Friday. Section 215 of the Patriot Act, which allows the NSA to collect phone records, business records and any other “tangible things” related to an anti-terrorism investigation, expires in June, and lawmakers should let it die, said Neema Singh Guliani, legislative counsel for the American Civil Liberties Union. The House of Representatives Judiciary Committee on Thursday voted to approve a bill to amend that section of the anti-terrorism law. The USA Freedom Act would end the NSA’s bulk collection of U.S. phone records by narrowing the scope of the agency’s searches, backers of the bill said.

Mozilla may offer new browser features only on secure websites

Mozilla is planning to gradually favor HTTPS (HTTP Secure) connections over non-secure HTTP connections by making some new features on its browser available only to secured sites. The browser developer decided after a discussion on its community mailing list that it will set a date after which all new features will be available only to secure websites, wrote Firefox security lead Richard Barnes in a blog post. Mozilla also plans to gradually phase out access to browser features for non-secure websites, particularly features that could present risks to users’ security and privacy, he added.

Malware campaign inflated views of pro-Russia videos

A botnet designed for Web advertising fraud was also used to nudge up the number of views of some pro-Russian videos on the website DailyMotion, according to security vendor Trustwave. An investigation into what appeared to be strictly ad fraud turned out to have a surprising political angle, wrote Rami Kogan of Trustwave’s SpiderLabs, in a blog post on Thursday. “We can’t know for sure who’s behind the fraudulent promotion of video clips, but it appears to be politically motivated,” he wrote.

Startup launches subscription model for buying SSL certificates

A Utah-based startup has launched a subscription model for buying SSL certificates, an essential but at times onerous task. SSL and its successor, TLS (Transport Layer Security), are cornerstones of Web security, encrypting data exchanged between two machines. They underpin virtually every kind of transaction that requires privacy on the Web, from email to e-commerce, and are signified by “https” in the URL bar of a browser. Companies and organizations are using more and more SSL certificates as the need for secure machine-to-machine communication has increased with cloud computing, virtualization and mobile devices.

Facebook change will give you control over data sharing with apps

Users are getting greater choice over what information is shared with websites and apps when they log in using their Facebook ID. A new version of Facebook Login, which begins its wide rollout this week, will present users with a prompt to “Edit the info you provide.” Clicking that will let users grant or deny access to different types of information. The login now also highlights who will see content posted by the app in Facebook, for apps that request the ability to do so. Facebook first announced this system during its F8 developers conference in April 2014. Many of the most popular apps, like Pinterest and Netflix, are already using it, and over the next few weeks Facebook will turn on the system for every app that uses Facebook Login.

House committee approves bill to end NSA phone records program

A U.S. Congress committee has overwhelmingly approved legislation designed to stop the bulk collection of U.S. phone records by the National Security Agency. The 25-2 vote in the House of Representatives Judiciary Committee sends the USA Freedom Act to the House floor for a vote. The two votes against the bill came from lawmakers who had argued for stronger protections for civil liberties. The legislation is a stronger version of a similar bill that passed the House last May but stalled in the Senate, sponsors said. However, several efforts to further strengthen privacy protections by amending the bill failed in committee. Opponents said changes would upend a carefully crafted compromise with House Republican leaders who have threatened to kill an amended bill.

WordPress e-commerce plug-in puts over 5,000 websites at risk

TheCartPress, an e-commerce plug-in used on thousands of WordPress-based websites, has several high-risk vulnerabilities. There are currently no fixes available for the flaws and, according to its developer, support for the plug-in will be discontinued on June 1st. The vulnerabilities could allow attackers to “execute arbitrary PHP code, disclose sensitive data, and perform Cross-Site Scripting [XSS] attacks against users of WordPress installations with the vulnerable plug-in,” researchers from security firm High-Tech Bridge said in an advisory Wednesday. There are factors that limit the exploitation of some of the flaws, but they still pose a significant risk.

Google develops new defense against phishing

Google has developed a new extension for its Chrome browser that aims to stop people from falling prey to phishing sites. The free Password Alert extension stores an encrypted version of a person’s password and warns if it is typed into a site that isn’t a Google sign-in page, according to a blog post on Wednesday. It will then prompt a person to change their password. Although security companies collaborate to detect and blacklist phishing sites, such attacks are commonly used by hackers to capture valuable sign-in details. Phishing sites may only be active for a short time before they’re blacklisted, but it’s still a window of risk.

RSA president questions government’s role in cybersecurity

The president of one of the world’s biggest computer security vendors says he is skeptical that a stronger government role in cyberdefense will abate the growing number of attacks. In an interview with IDG News Service, Amit Yoran, president of RSA, also rejected calls by U.S. intelligence chiefs for industry to tread carefully in deploying more encryption in case it cuts off their ability to eavesdrop on communications by suspected criminals. “The government is not the answer here,” he said, when asked about White House proposals for sharing of cybersecurity information. Despite the growing severity of attacks and a feeling that the government should “do something,” the issue is best left to private companies, because they are the ones developing networks and the technology that defends them, he said.

Lawmakers criticize FBI’s request for encryption back doors

U.S. lawmakers are skeptical of an FBI request for Congress to mandate encryption workarounds in smartphones, with critics saying Wednesday that back doors would create new vulnerabilities that bad guys can exploit. It’s currently impossible for smartphone makers to build in back doors that allow law enforcement agencies access to encrypted communications but also keep out cybercriminals, witnesses and lawmakers said during a hearing before the IT subcommittee of the House of Representatives’ Oversight and Government Reform Committee. Law enforcement representatives called on lawmakers to find a way to allow access to encrypted data as a way to prevent serious crime. Late last year, FBI Director James Comey called for a public debate on encryption after Apple and Google announced they would offer new encryption tools on their smartphone OSes.

Secret, an app for anonymous posts, shuts down

Secret, an app for anonymous posts that initially attracted buzz but drew criticism after a redesign, is shutting down. The company, also named Secret, formally launched its app last year and is said to have raised between US$33 million and $35 million in funding. “After a lot of thought and consultation with our board, I’ve decided to shut down Secret,” CEO David Byttow said Wednesday in a blog post, noting that the app does not represent the vision he had when starting the company. Secret had attracted over 15 million users, he said in the post. Byttow will spend the next couple of weeks winding down Secret, he said. Funding will be returned to investors.

Facebook, under siege, slams European privacy regulators

Facebook has warned that overlapping national probes into its privacy policy could severely endanger the European Union’s economy if such a fragmented strategy is continued and applied to other businesses. The social networking company also warned that the high cost of compliance with multiple national laws, rather than with an overarching EU regime, could cause it to introduce new features more slowly or not at all. Data protection authorities from Belgium, the Netherlands and Germany in February formed a task force to deal with Facebook’s new privacy policy, introduced late January. They suspect that the new policy violates EU privacy laws. French, Spanish and Italian authorities later joined the group.