Category Archives for "Network World Security"

Qualys devises a virtual patch to protect against vulnerabilities

If you can’t wait for that critical patch to secure your system from some just-discovered bug, IT security firm Qualys may have an answer, through new security software that can secure the trouble spot until the patch arrives. The feature, called virtual patching, comes with the newly released version 2 of the company’s Web Application Firewall, a set of software for securing Web applications against malicious behavior. Virtual patching can address one of the most thorny problems in enterprise IT security, that of protecting against a recently discovered software flaw. Sometimes attackers can start misusing a software bug as soon as it is discovered; this is called a zero-day flaw.

SSL certificate flaw allows hackers to crash devices running iOS 8

A flaw in iOS 8 would allow attackers to render devices running the mobile OS useless if they’re within range of a fake wireless hotspot, according to researchers from security firm Skycure. The vulnerability exploits an issue in how iOS 8 handles SSL certificates. By manipulating the certificates, researchers found they were able to get apps running on iPads, iPhones and iPods, as well as the OS itself, to crash. In other instances, the researchers placed the devices in a constant reboot cycle. Yair Amit and Adi Sharabani, Skycure’s CTO and CEO, respectively, discussed the flaw, called “No iOS Zone,” Tuesday during a session at the RSA conference and talked about their findings in a blog post on Wednesday.

Senate leader introduces bill to extend Patriot Act surveillance

The majority leader of the U.S. Senate has introduced a bill that would extend the surveillance provisions of the Patriot Act until 2020, instead of expiring on June 1. The bill, introduced by Senator Mitch McConnell Tuesday night, would extend section 215 of the Patriot Act, the controversial part of the law that the U.S. National Security Agency has used to collect U.S. telephone records in bulk. Many digital and civil rights groups have protested the NSA phone records collection program, saying it violates the Fourth Amendment of the U.S. Constitution protecting the country’s residents against unreasonable searches and seizures.

EMC Syncplicity lets enterprises manage their own encryption keys

Some enterprises that are happy to put their data in a public cloud prefer to keep the keys to that data under their own control. That’s the message online file sync and sharing services are sending lately. On Wednesday, EMC’s Syncplicity division announced Customer Managed Keys, a feature that lets enterprises store the encryption keys for their Syncplicity shared data on a rights management server on their own premises. It’s a new option in addition to having the keys stored in Syncplicity’s cloud. The announcement came just a couple of months after rival Box released its own private key-management feature into beta testing. That system, called EKM (Enterprise Key Management), may become generally available on Wednesday at the Box Dev conference in San Francisco. EKM likewise was added as an alternative to keeping keys in the vendor’s cloud.

Crypto gurus: The government’s key escrow plan won’t work

Cryptography experts at the RSA security conference on Tuesday picked holes in U.S. plans to require that law enforcers be given a way to break encryption to exercise lawful intercept rights. U.S. government officials have been increasingly hostile over the past year to the widespread use of encryption on mobile phones and online communications, arguing that a way needs to be found to provide law enforcement and intelligence agencies with lawful interception capabilities. In response, security experts warned that building “back doors” into cryptographic systems in order to provide governments with access to data would be dangerous because it would create vulnerabilities that could later be exploited by hackers too.

The Upload: Your tech news briefing for Wednesday, April 22

US warns airlines about onboard Wi-Fi hacking

Here’s one more thing for nervous flyers to worry about: Two U.S. federal agencies are advising airlines to look out for signs that passengers may be trying to hack into planes’ navigation systems via Wi-Fi or onboard entertainment systems, Wired reports. The FBI and TSA apparently don’t have evidence that this is happening, but are taking seriously claims that it can be done, and issued a list of things to be on the lookout for.

Drone lands on Japanese Prime Minister’s roof

HP partners with FireEye for cyberattack investigation and response

Hewlett-Packard is partnering with computer security company FireEye to give it a technological edge in detecting and investigating cyberattacks. FireEye’s threat detection and incident response capabilities will be incorporated into HP’s Enterprise Services. The companies are planning to offer an “industry standard reference architecture” centered around advanced threat protection and incident response, according to a news release Tuesday from the RSA security conference in San Francisco.

Microsoft moves to address customers’ concerns about cloud control and transparency

Microsoft is working on new features for its Office 365 cloud service designed to give customers more control over their data and more visibility into how it’s being accessed. The company will expand Office 365’s logging capabilities to include user, administrator and policy related actions for Exchange Online and SharePoint Online. This will give cloud companies better insight into how their employees interact with content hosted on those services and whether those actions pose security or regulatory compliance concerns. The logs will be available through a new Office 365 Management Activity API (application programming interface) that can be tapped by monitoring, analysis and data visualization products. The API has been available to a select number of Microsoft partners already—security vendor Rapid7 announced today that its UserInsight intruder analytics product integrates with the new feature—and will be made available more broadly this summer as part of a private preview program.

Poor WordPress documentation trips developers, yields plug-ins with XSS flaw

Ambiguous WordPress documentation led many plug-in and theme developers to make an error that exposed websites to cross-site scripting (XSS) attacks. Such attacks involve tricking a site’s users into clicking on specially crafted URLs that execute rogue JavaScript code in their browsers in the context of that website. The impact depends on the user’s role on the website. For example, if victims have administrative privileges, attackers could trigger rogue administrative actions. If victims are regular users, attackers could steal their authentication cookies and hijack their accounts. The vulnerability stems from insecure use of two WordPress functions called add_query_arg and remove_query_arg and was discovered recently by researchers from code auditing company Scrutinizer.

Centrify adds extra protection for sensitive accounts with new cloud service

For CIOs worried about access to shared resources in the cloud and the data center, Centrify has launched an identity-management service that aims to improve protection for IT management accounts. As enterprises embrace cloud-based apps, access to privileged accounts used to manage the most sensitive parts of the supporting infrastructure increasingly lies outside the corporate perimeter. In addition, the accounts are frequently shared by both internal IT and third parties such as contractors. The entire scenario makes important accounts more vulnerable to attacks, according to Centrify. To address this issue the company on Tuesday launched CPS (Centrify Privilege Service), a cloud-based identity management offering that can be used to manage access to cloud and on-site systems by remote employees and third parties. It can be used to protect access to shared servers in the data center or in the cloud, along with routers, switches and social media accounts, for example.

HTTPS snooping flaw in third-party library affected 1,000 iOS apps with millions of users

Apps used by millions of iPhone and iPad owners became vulnerable to snooping when a flaw was introduced into third-party code they used to establish HTTPS connections. The flaw was located in an open-source library called AFNetworking that’s used by hundreds of thousands of iOS and Mac OS X applications for communicating with Web services. The bug disabled the validation of digital certificates presented by servers when establishing secure HTTPS (HTTP over SSL/TLS) connections. This means that attackers in a position to intercept encrypted traffic between affected applications and HTTPS servers could decrypt and modify the data by presenting the app with a fake certificate. This is known as a man-in-the-middle attack and can be launched over insecure wireless networks, by hacking into routers and through other methods.

Pushdo spamming botnet gains strength again

Computers in more than 50 countries are infected with a new version of Pushdo, a spamming botnet that has been around since 2007 and survived several attempts to shut it down. At one time, Pushdo-infected computers sent as many as 7.7 billion spam messages per day. Security analysts have tried to kill it four times by commandeering its infrastructure, but a new version of the malware has emerged once again, with high concentrations of infections in countries such as India, Indonesia, Turkey and Vietnam. “Pushdo was very successful in what it did, so coming up with various revisions or versions of it makes a lot of sense for the bad guys,” said Mike Buratowski, vice president of cybersecurity services at Fidelis Cybersecurity, based in Austin, Texas.

Google’s push to encrypt ads will improve security, but won’t kill malvertising

Google plans to serve most of its ads over encrypted HTTPS connections by the end of June, a move that will protect against some ad hijacking attacks and will encourage website owners to enable encryption on their Web properties. However, malicious advertising attacks that direct users to Web-based exploits will still be possible and, because of the new encryption, it will be harder for security researchers to pinpoint their source. Last year, Google announced that it will give more weight to HTTPS-enabled websites in search rankings in order to encourage the adoption of encryption across the Web. HTTPS (HTTP Secure) allows Web communication over a channel encrypted with the TLS (Transport Layer Security) protocol.

Twitter accounts outside of the US now fall under EU data protection rules

Twitter revised its privacy policy over the weekend, changing where it handles the account information of users outside the U.S. and clarifying some points. As of Saturday, account information for Twitter users outside the U.S. is handled by Twitter International in Dublin, Ireland. This means that all account information will be subject to Irish privacy and data protection law, which is based on the European Union’s Data Protection Directive, Twitter said on its site. The accounts of U.S. users will still be handled by Twitter’s head office in San Francisco under U.S. law. Dublin is popular with U.S. tech companies, which often base their international and EU operations there. The country’s favorable corporation tax regime is often seen as a reason for IT companies to settle there—as is the small staff of its privacy regulator, which has a staff of just 29 to tackle domestic and international companies.

Russian hackers use Flash, Windows zero-day flaws

A fresh attack by a long-known hacking group suspected to be linked with Russia did little to mask its activity in an attack a week ago. The computer security firm FireEye wrote on Saturday that the group—called APT 28—attacked an “international government entity” on April 13, using two recently disclosed software flaws, one of which has not been patched. The attack sought to trick victims into clicking on a link that led to a website which attacked their computer. It first used a vulnerability in Adobe Systems’ Flash player, CVE-2015-3043, then used a still unpatched Microsoft vulnerability, CVE-2015-1701, to gain higher privileges on a computer.

Wordfence plugin secures WordPress sites; solves job from hell

Effectively managing your own passwords under any circumstances is hard work, but managing your users’ passwords on a WordPress installation can become the job from hell. Say you’re the admin of a WordPress site and you have a variety of users with accounts on your system. You immediately have a problem because WordPress is insanely popular (it’s used on almost one quarter of all Websites) and has roughly three times more bugs identified than the next largest content management system. Not surprisingly, WordPress is the most attacked CMS. So, unless you like having your WordPress installation hacked, you’d better get serious about security. While you can enforce user compliance to password standards through the use of plugins such as No Weak Passwords or Force Strong Passwords, users can still choose passwords that are weaker than you’d like. So, how do you check whether their passwords are “good”? You use the Wordfence plugin published by Feedjit Inc.

Pawn Storm cyberespionage group increases activity, targets NATO

Even though its activities were exposed last year, a cyberespionage group dubbed Pawn Storm has ramped up its efforts over the past few months, targeting NATO members and potentially the White House. The first quarter of this year “has seen a great deal of activity from the group,” researchers from antivirus firm Trend Micro said Thursday in a blog post. “Most notably this involved setting up dozens of exploit URLs and a dozen new command-and-control (C&C) servers targeting NATO members and governments in Europe, Asia and the Middle East.”

The Upload: Your tech news briefing for Friday, April 17

Wikileaks goes to Hollywood

WikiLeaks won plaudits from people who want to see the workings of government exposed to daylight, by publishing a vast trove of U.S. data several years ago. Now, it’s decided to expose another cache of purloined information that has decidedly less obvious benefit for the public interest. It’s put up a searchable database of the documents stolen from Sony Pictures last year in a high-profile hack, using the rationalization that basically, big companies should have their dirty washing hung out just because (insert reference to military-industrial complex here). Those who can’t wait to read a Hollywood executive’s true feelings about a certain famous actress would probably agree.

Whistleblowers at risk when using US government websites

More than two dozen U.S. government websites should be urgently upgraded to use encryption, as whistleblowers are potentially at risk, according to the American Civil Liberties Union. At least 29 websites that can be used for reporting abuse and fraud don’t use encryption, the ACLU said in a letter sent on Tuesday to the U.S.’s top technology chief, CIO Tony Scott. There has been a broad push recently to move websites to using SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption. Most e-commerce sites use SSL/TLS, but the case has grown stronger for its broader adoption because of a surge in state-sponsored espionage and cybercriminal activity.

IBM opens up its threat data as part of new security intelligence sharing platform

IBM has joined an increasing number of vendors who are pushing for real-time cybersecurity information sharing among private and public organizations, researchers and other network defenders. On Thursday, the company opened up over 700 terabytes of data about vulnerabilities, attacks and other threats through a new cloud-based threat intelligence sharing platform called IBM X-Force Exchange. Other organizations can use the platform to share or confirm their own data, so they can more efficiently respond to security incidents. The information that IBM made available through the X-Force Exchange includes one of the largest catalogs of vulnerabilities in the world, according to the company. The information also includes threat information based on monitoring of more than 15 billion security events per day, malware threat intelligence from a network of 270 million endpoints, and threat information based on more than 25 billion Web pages and images.