Category Archives for "Network World Security"

HP tells cybersecurity customers to focus on people and processes

To protect themselves against cyberattacks, organizations should focus more on training their employees and improving their internal processes instead of buying new technology, according to one tech vendor.

Yet, businesses and government agencies often focus on the next “silver bullet” product, unaware that most cybersecurity problems stem from flawed procedures and human error, said Art Gilliland, senior vice president and general manager for Hewlett-Packard’s software enterprise security products.

“This is hard for a product guy to say out loud to an audience, but invest in your people and process,” Gilliland said at HP’s Software Government Summit in Washington, D.C. “The first thing that always gets negotiated out of every [security software] contract is the training and the services.”

Researchers show that IoT devices are not designed with security in mind

In the latest blow to Internet of Things (IoT) security, an analysis of smart home devices has found flaws that could give attackers access to sensitive data or allow them to control door locks and sensors.

The research was performed by a team from application security firm Veracode for six up-to-date devices acquired in December and found serious issues in five of them. The tested devices were the Chamberlain MyQ Garage, the Chamberlain MyQ Internet Gateway, the SmartThings Hub, the Ubi from Unified Computer Intelligence Corporation, the Wink Hub and the Wink Relay.

All of these devices enable remote control and monitoring over the Internet of various home automation devices and sensors, including door locks, interior switches and power outlets. Most of them connect to cloud-based services and users can interact with them through Web portals or smartphone applications.

Complaint alleges YouTube Kids pushes advertising content

The six-week-old YouTube Kids service is a “hyper-commercialized” environment that intermixes advertising and other programming in a way that deceives its target audience, a coalition of privacy and children’s advocacy groups said in a complaint to the U.S. Federal Trade Commission.

Joining in giving YouTube Kids the big thumbs-down are the Center for Digital Democracy, the Campaign for a Commercial-Free Childhood and the American Academy of Child and Adolescent Psychiatry. They say the video app, targeted toward preschool children, blurs the lines between advertising and other programming using methods that are prohibited by federal regulations on commercial television.

Linux Australia breached, personal details leaked

The open-source and free software user group Linux Australia said personal information for attendees of two conferences it hosts may have been leaked after malware was found on one of its servers.

The information may have included first and last names, postal and email addresses, phone numbers and hashed passwords, wrote Joshua Hesketh, Linux Australia’s president, on a message board. Financial data was not affected, he wrote.

The breach affects those who registered for the group’s Linux conference over the last three years and for the Python programming conference PyCon Australia in 2013 and 2014, he wrote. Attendee data for those conferences was held on the compromised server.

Edward Snowden: Don’t censor your d**k pics

People shouldn’t hold back on sending racy photos of themselves online for fear the images might be scooped up by government spies, former NSA contractor Edward Snowden has said.

Snowden appeared for a sit-down interview Sunday night on HBO’s “Last Week Tonight with John Oliver.” The host traveled to Russia to do the interview in person.

To make the issue hit home for his TV audience, Oliver asked Snowden which government programs might allow spies to access people’s “d**k pics.” Many of the programs would, Snowden said, but that shouldn’t cause people to hold back.

“You shouldn’t change your behavior because a government agency somewhere is doing the wrong thing,” he said. “If we sacrifice our values because we’re afraid, we don’t care about those values very much.”

Turkey blocks Twitter, YouTube over hostage photo

A Turkish court blocked access to numerous sites including Twitter and YouTube on Monday, over their hosting of images of an Istanbul prosecutor held at gunpoint by militants last week.

An Istanbul court issued the ruling blocking Twitter and YouTube, as well as 166 other sites that had distributed the photograph, a report in The New York Times said. It also blocked the pages of several newspapers in Turkey that had printed the photo.

Turkey’s Prime Minister, Ahmet Davutoglu, called outlets that had circulated the image “tools of terrorist propaganda,” the Times reported.

Vulnerable Dell support tool now detected as risky software

Security vendor Malwarebytes has flagged the Dell System Detect tool as a potentially unwanted application after older versions of the program were found to put computers at risk.

Last month a security researcher named Tom Forbes warned that attackers can exploit a weakness in older versions of Dell System Detect to remotely install malware on computers when users visit specially crafted websites.

The program allows Dell’s support website to automatically detect the service tags of users’ PCs, so it can offer the corresponding drivers. The tool is offered for download when users click the “Detect Product” button on the website for the first time and continues to run in the background after installation.

Under one percent of Android devices affected by potentially harmful applications

Based on data collected by Google, less than one percent of Android devices had a potentially harmful application installed last year. This includes devices on which users have installed applications from outside the official Google Play store.

The data was collected through a feature called Verify Apps that was first introduced in Android 4.2 back in 2012. The feature, which was also backported to Android 2.3 and higher in 2013, checks locally installed applications for potentially harmful behavior regardless of whether they were downloaded from Google Play or other sources.

Verify Apps initially scanned applications only at installation time, but since March 2014 it also performs background scans, so it can later detect malicious applications that weren’t flagged when they were initially installed.

The Upload: Your tech news briefing for Friday, April 3

Uber poaches Facebook’s Joe Sullivan for security chief

In an indication that the ride-hailing app company is aware that it had better get security right, Uber Technologies has hired away Facebook’s head of security, Joe Sullivan, to be its first CSO. Sullivan has been fairly high profile as Facebook’s CSO for the last five years, and besides time spent at PayPal and eBay, he has a background prosecuting cyber crime, re/code reports. Sullivan has his work cut out for him, with Uber facing challenges ranging from data privacy to its riders’ physical security.

Uber knuckles down on security, poaches exec from Facebook

Although it started off as a smartphone app to connect passengers with drivers, Uber Technologies is encountering the same real-world security issues as the taxi industry, including the need for driver background checks and local regulatory compliance.

On top of this there are the risks involved in handling masses of customer and driver data, which became evident earlier this year when the company admitted driver data had been compromised.

On Thursday, Uber moved a step forward in its bid to fend off criticism of its security practices by appointing as its first chief security officer Joe Sullivan, a former U.S. Department of Justice prosecutor and, more recently, Facebook’s security chief.

Snapchat tallies government data requests for the first time

Snapchat’s service featuring disappearing messages is known for its popularity among teens. Now it’s becoming popular with law enforcement.

Snapchat, for the first time, has disclosed the number of requests for user information it has received from governments in the U.S. and in other countries. These requests may come in the form of subpoenas, court orders, search warrants or other legal processes, seeking a variety of user information like usernames, email addresses and phone numbers.

Authorities may also seek the content of messages. They have a tight window, though—Snapchat says it deletes people’s messages from its servers after all recipients have viewed them, or 30 days after an unopened message is sent. Governments can also seek logs containing the metadata of messages, which Snapchat retains.

Obama cyberattacker sanctions raise due process, attribution concerns

New U.S. government sanctions targeting the bank accounts of suspected cyberattackers raise questions about due process for people who feel they’re wrongly accused and about how agencies will identify the source of attacks.

The new sanctions, announced by President Barack Obama’s administration Wednesday, would allow the U.S. Department of the Treasury to freeze the funds held in U.S. banks of people and organizations suspected of engaging in malicious cyberattacks that pose a “significant threat to the national security, foreign policy, economic health, or financial stability” of the U.S., according to information released by the White House.

Like Google, Mozilla set to punish Chinese agency for certificate debacle

The Mozilla Foundation plans to reject new digital certificates issued by the China Internet Network Information Center (CNNIC) in its products, but will continue to trust certificates that already exist.

The move will follow a similar decision announced Wednesday by Google and is the result of CNNIC, a certificate authority (CA) trusted in most browsers and operating systems, issuing an unrestricted intermediary certificate to an Egyptian company called MCS Holdings.

The Upload: Your tech news briefing for Thursday, April 2

Obama authorizes sanctions against hackers

The White House has added another weapon to the U.S. government’s arsenal in its fight against hackers, with an executive order signed by President Obama authorizing sanctions against hackers who harm critical infrastructure, or expose personal information and trade secrets. The order allows the government to block a person or organization’s access to U.S. financial institutions and any property they have in the country.

Facebook Riffs on Snapchat with video app

Chinese Internet authority clashes with Google over digital certificates

A Chinese Internet administrator blasted Google on Thursday, after the U.S. search giant decided to stop recognizing digital certificates issued by the group following a security lapse.

“The decision that Google has made is unacceptable and unintelligible,” China’s Internet Network Information Center (CNNIC) said in an online posting.

Google’s decision means that its Chrome browser could end up clashing with sites served by the Chinese Internet agency.

On Wednesday, Google explained the move in an update to an earlier blog posting. The company is still concerned by the way CNNIC issued a certificate to an IT company based in Egypt that misused it in a botched security test.

Texas wants RadioShack to specify what customer information would be for sale

The dispute between U.S. states and RadioShack over the sale of customer information continues, with the state of Texas requesting a bankruptcy court to ask RadioShack to specify in any motion for sale what information would be included and the number of people likely to be affected.

Texas Attorney General Ken Paxton is concerned that although the personally identifiable information (PII) was not sold in a recently concluded auction, in argument and testimony during the sale hearing, RadioShack “has indicated that PII remains available for sale and will likely be sold in the future, attendant to the sale of trademarks and/or intellectual property,” according to a filing Wednesday.

Salesforce acquires mobile authentication firm Toopher

Salesforce.com has acquired Toopher, the developer of a mobile two-factor authentication app that uses location-awareness.

Toopher in Austin, Texas, said on its website that it will no longer sell its current products, but is “thrilled to join Salesforce, where we’ll work on delivering the Toopher vision on a much larger scale as part of the world’s #1 Cloud Platform.” It did not disclose the financial terms of the acquisition.

Salesforce spokeswoman Karly Bolton confirmed the purchase but did not provide further details. Toopher’s website is now inaccessible, except for the notice announcing the acquisition.

Wider use of HTTPS could have prevented attack against GitHub

The unique attack method used to disrupt the code-sharing site GitHub over the last week could have been prevented if more websites enabled encryption, the Electronic Frontier Foundation (EFF) said Wednesday.

The attack against GitHub was enabled by someone tampering with regular website traffic to unrelated Chinese websites, all of which used a JavaScript analytics and advertising related tool from Baidu.

Somewhere on China’s network perimeter, that analytics code was swapped out for code that transparently sent data traffic to GitHub, at times crippling parts of the popular website, particularly two projects that specialize in anti-censorship tools. It was also particularly insidious since the users whose traffic was modified didn’t know they had been roped into the attack.

Over 100,000 devices can be used to amplify DDoS attacks via multicast DNS

Over 100,000 devices have a misconfigured service called multicast DNS that accepts requests from the Internet and can potentially be abused to amplify distributed denial-of-service (DDoS) attacks.

The multicast Domain Name System (mDNS) is a protocol that allows devices on a local network to discover each other and their services. It is used both by PCs and embedded devices like network attached storage (NAS) systems, printers and others.

The mDNS protocol allows queries to be sent to a specific machine using its unicast address. However, the official specification recommends that when receiving such queries, the mDNS service should check before responding that the address that made the request is located in the same local subnet. If it’s not, the request should be ignored.

Obama authorizes sanctions against hackers

U.S. President Barack Obama has signed an executive order authorizing the U.S. government to impose sanctions on people, organizations and governments that partake in “malicious cyber-enabled activities” that harm the country.

“The same technologies that help keep our military strong are used by hackers in China and Russia to target our defense contractors and systems that support our troops,” Obama said in a statement.

The sanctions would target activities that harm critical infrastructure, disrupt computer networks, expose personal information and trade secrets, and entities that profit from information stolen in cyberattacks. The administration will focus on threats from outside the U.S.