Category Archives for "Network World Security"

Data breach notification bill could weaken consumer protections

Legislation that would require businesses across the U.S. to notify affected customers after a data breach is headed toward a vote on the floor of the House of Representatives even though some digital rights groups say the bill will actually weaken protections for consumers. The Data Security and Breach Notification Act, approved by the House Energy and Commerce Committee Wednesday, would pre-empt stronger breach notification laws in several states and would eliminate data protections of telecom account records, several consumer and digital rights groups said.

New malware program Punkey targets point-of-sale systems

Point-of-Sale (PoS) terminals have become an attractive target for hackers over the past year, reflected in the increasing number of RAM-scraping programs that steal payment card information from the memory of such systems. Last month security researchers from Cisco Systems issued a warning about a new PoS threat dubbed PoSeidon, and on Wednesday security blogger Brian Krebs reported that the program has already infected PoS terminals at restaurants, bars and hotels in the U.S.

YouTube flaw allowed copying comments from one video to another

An Egypt-based security researcher said Google has fixed an interesting vulnerability he and a colleague found in YouTube. Ahmed Aboul-Ela wrote on his blog that he and a fellow researcher, Ibrahim Mosaad, wanted to find a problem in a feature on YouTube “that not many bug hunters have tested.” They focused on a setting in YouTube that holds comments for review before they’re published. If that feature is enabled, comments are then listed in a control panel labeled “held for review.” Aboul-Ela wrote he intercepted the HTTP request that is sent to Google when a comment is approved. The request contains two parameters: “comment_id” and “video_id.”

Dropbox to pay security researchers for bugs

Dropbox said Wednesday it will pay rewards to independent researchers who find software flaws in its applications, joining a growing list of companies who see merit in crowdsourcing parts of their security testing. The popular file storage service previously publicly recognized researchers, but did not pay a reward, also sometimes referred to as a bug bounty. “In addition to hiring world class experts, we believe it’s important to get all the help we can from the security research community, too,” wrote Devdatta Akhawe, a Dropbox security engineer. Facebook, Google, Yahoo and many other large companies pay researchers rewards that are often determined by the seriousness of the software flaw. Running such programs is more efficient than hiring more security engineers, since a company’s applications are analyzed by a larger number of people with diverse security skills.

AirDroid app fixes severe authentication vulnerability

AirDroid, a popular management tool for Android devices, has fixed a severe authentication software flaw in its Web interface that could give a hacker complete control over a mobile phone. The problem was fixed in an update released last month, wrote Matt Bryant, a consultant with the security company Bishop Fox, who discovered the flaw. Versions 3.0.4 and earlier of the tool are affected. AirDroid lets people manage their phone from a Windows or Mac tablet or through a Web interface. To do that, it asks for a lot of permissions, such as the ability to send text messages, turn on a camera and have access to the phone, among many others.

Don’t look now, but ATMs are about to get a cloud makeover

Automated teller machines have been around for decades, but surprisingly few changes have been made to the technologies that run them. That’s about to change. NCR on Wednesday rolled out new software that will transform ATMs to use the cloud with Android and a thin-client model of computing. The result, it says, will be a big boost in security as well as dramatically lower costs. Most of the world’s 2.2 million or so ATMs today are essentially thick-client PCs, and the vast majority of them, as much as 75 percent, run Windows XP, NCR says. It’s perhaps no wonder that security is an issue, yet banks typically must still administer updates manually to each ATM in their network.

VMware helps CIOs tunnel their way to more secure mobile apps

VMware is combining iOS and Android encryption features with its own network virtualization platform to offer more secure access to enterprise applications and resources. Today, organizations typically provide mobile users access through a secure VPN gateway connection into the data center where applications and data reside. But while this perimeter-based approach secures the communication, it doesn’t protect against attacks that hack remote employees and use their secure connections. Once inside, hackers can move between workloads in the data center with few controls to block propagation, according to VMware. VMware contends it can solve this problem in a way that’s easier to manage than VLANs through what the company calls network micro-segmentation in the data center. That means that at the network level users can only access their own resources from a smartphone or tablet, limiting what they, as well as an enterprising hacker, can do.

Microsoft Patch Tuesday: The patches just keep coming

For Microsoft, the vulnerabilities just keep popping up, and appear to be surfacing more quickly than ever before. Like last month, Microsoft issued a fairly large number of security bulletins for April Patch Tuesday: 11 bulletins addressing 26 vulnerabilities. Last month brought 14 bulletins from Microsoft, covering 43 vulnerabilities. A year ago, Microsoft’s monthly bulletins tended to be fewer in number, usually in the single digits, noted Wolfgang Kandek, chief technology officer for IT security firm Qualys.

Web app attacks, PoS intrusions and cyberespionage leading causes of data breaches

Web application attacks, point-of-sale intrusions, cyberespionage and crimeware were the leading causes of confirmed data breaches last year. The findings are based on data collected by Verizon Enterprise Solutions and 70 other organizations from almost 80,000 security incidents and over 2,000 confirmed data breaches in 61 countries. According to Verizon’s 2015 Data Breach Investigations Report, which analyzes security incidents that happened last year, the top five affected industries by number of confirmed data breaches were: public administration, financial services, manufacturing, accommodations and retail. Humans were again the weak link that led to many of the compromises. The data shows that phishing, whether used to trick users into opening infected email attachments, click on malicious links, or input their credentials on rogue websites, remains the weapon of choice for many criminals and spies.

U.S. business group urges China to loosen data-storage policies

Chinese security policies are threatening to push foreign businesses out of the country’s IT sector by restricting the way data is stored, according to a U.S. lobbying group. On Tuesday, the American Chamber of Commerce in China issued a report urging the country to change the policies. Increasingly, the Chinese government is enacting regulations to address national security concerns at the cost of hampering its own economy, the lobbying group warned. China has recently been reviewing an antiterror law that could require tech companies to give up encryption keys to the authorities.

8 reasons to use 1Password that don’t involve storing passwords

Available for Mac, iOS, Windows, and Android, 1Password is a must-have for desktop and mobile users seeking equal parts online security and convenience. But there’s far more to this software than its single-purpose name might imply. 1Password owners managing only logins and passwords are missing out on tons of other goodies already bundled inside the desktop versions. (The mobile versions require a paid Pro upgrade to unlock some additional features.) Read on and learn how to make your old password manager perform a few new tricks!

Deterrence will keep a lid on cyberwar, former spy chief says

Major sponsors of cyberwarfare forces are reaching a state of deterrence resembling the mutually assured destruction in nuclear weapons standoffs, former U.S. national intelligence director Dennis Blair said Tuesday. All nation states would suffer if countries engaged in cyberattacks against civilians, and world leaders including those in China and Russia are reluctant to unleash such forces, Blair, a retired U.S. Navy admiral who oversaw U.S. intelligence from 2009 to 2010, told a news conference in Tokyo. Military and civilian systems are often intertwined, Blair said, pointing to GPS as an example of a military technology that is now used in widespread civilian applications from navigation to financial transactions.

RadioShack presses ahead with plan for sale of customer data

RadioShack will press on with its plan to sell its customer data, despite opposition from a number of U.S. states. The company has asked a bankruptcy court for approval for a second auction of its assets, which includes the consumer data. The state of Texas, which is leading the action by the states, has opposed the sale of personally identifiable information (PII), citing the online and in-store privacy policies of the bankrupt consumer electronics retailer. The state claimed that it found from a RadioShack deposition that PII of 117 million customers could be involved. But it learned later from testimony in court that the number of customer files offered for sale might be reduced to around 67 million.

Windows vulnerability can compromise credentials

A vulnerability found in the late 1990s in Microsoft Windows can still be used to steal login credentials, according to a security advisory released Monday. A researcher with security vendor Cylance, Brian Wallace, found a new way to exploit a flaw originally found in 1997. Wallace wrote on Monday the flaw affects any PC, tablet or server running Windows and could compromise as many as 31 software programs. He wrote the flaw was not resolved long ago, but that “we hope that our research will compel Microsoft to reconsider the vulnerabilities.” The vulnerability, called Redirect to SMB, can be exploited if an attacker can intercept communications with a Web server using a man-in-the-middle attack.
New cyberthreat information sharing bill may be more friendly to privacy

A new bill designed to encourage businesses and government agencies to share information about cyberthreats with each other may go farther toward protecting the privacy of Internet users than other recent legislation in the U.S. Congress. The National Cybersecurity Protection Advancement (NCPA) Act, introduced Monday in the House of Representatives by two Texas Republicans, appears to do a “much better job” at protecting privacy than two bills that have passed through the House and Senate Intelligence Committees, said Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute.

Files encrypted by CoinVault ransomware? New free tool may decrypt them

Victims of the CoinVault ransomware might be able to decrypt their files with a free tool released by Kaspersky Lab together with the Dutch police. The tool can be found at https://noransom.kaspersky.com. The application uses decryption keys found by the Dutch police as part of an investigation. Ransomware like CoinVault encrypts data on a disk or blocks access to a computer system. It is usually installed by exploiting a vulnerability on victims’ computers via phishing emails or links to malicious websites. Unlike other ransomware, CoinVault lets victims see a list of the files it encrypted and decrypt one for free to try to get people to pay up.

The Upload: Your tech news briefing for Monday, April 13

Transforming robot gets stuck in nuclear reactor

The ability to change shape hasn’t saved a robot probe from getting stuck inside a crippled Japanese nuclear reactor. On Friday, the utility sent in the pipe-crawling, snake-like robot, which can transform itself into several configurations depending on the terrain, to determine the state and location of melted-down fuel in the reactor.

Microsoft, robot firm demo industrial IoT based on Windows

Chinese hacker group among first to target networks isolated from Internet

An otherwise unremarkable hacking group likely aligned with China appears to be one of the first to have targeted so-called air-gapped networks that are not directly connected to the Internet, according to FireEye. The computer security firm released a 69-page technical report on Sunday on the group, which it calls APT (Advanced Persistent Threat) 30, which targeted organizations in southeast Asia and India. FireEye picked up on it after some of the malware used by the group was found to have infected defense-related clients in the U.S., said Jen Weedon, manager of strategic analysis with FireEye.

China’s ‘Great Cannon’ DDoS tool enforces Internet censorship

China is deploying a tool that can be used to launch huge distributed denial-of-service (DDoS) attacks to enforce censorship. Researchers have dubbed it “the Great Cannon.” The first time the tool was seen in action was during the massive DDoS attacks that hit software development platform GitHub last month. The attack sent large amounts of traffic to the site, targeting Chinese anti-censorship projects hosted there. It was the largest attack the site has endured in its history. That attack was first thought to have been orchestrated using China’s “Great Firewall,” a sophisticated ring of networking equipment and filtering software used by the government to exert strict control over Internet access in the country. The firewall is used to block sites like Facebook and Twitter as well as several media outlets.