The number of Windows computers infected with NSA backdoor malware continues to rise since Shadow Brokers leaked the hacking tools on April 14.DoublePulsar infection rate climbing
Two different sets of researchers scanning for the DoublePulsar implant saw a significant bump in the number of infected Windows PCs over the weekend.For example, Dan Tentler, CEO of the Phobos Group, suggested that Monday would not be a good day for many people, as his newest scan showed about 25 percent of all vulnerable and publicly exposed SMB machines are infected.To read this article in full or to leave a comment, please click here
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.Seeing the success of the Bring Your Own Device movement, a cadre of leading companies are starting to explore if a similar approach can be used to address the authentication challenge. If BYOD essentially makes the device a proxy for the work environment, can that same device serve as a proxy for customers online?This new movement, known as Bring Your Own Authentication (BYOA), holds the same promise of reimagining the way we think of authentication, putting the consumer (and device) front and center in the interaction, and relegating passwords to the background or eliminating them completely. But there are challenges to overcome in order for mass adoption.To read this article in full or to leave a comment, please click here
A 32-year-old Russian hacker was sentenced to 27 years in prison in the U.S. for stealing millions of payment card details from businesses by infecting their point-of-sale systems with malware.The sentence is the longest ever handed out in the U.S. for computer crimes, surpassing the 20-year jail term imposed on American hacker and former U.S. Secret Service informant Albert Gonzalez in 2010 for similar credit card theft activities.Roman Valeryevich Seleznev, a Russian citizen from Vladivostok, was sentenced Friday in the Western District of Washington after he was found guilty in August of 10 counts of wire fraud, eight counts of intentional damage to a protected computer, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices and two counts of aggravated identity theft.To read this article in full or to leave a comment, please click here
New and evolving technologies are rapidly reshaping how we work—offering creative opportunities for developers who are willing to pivot and adopt new skills. We took a look at 11 tech trends experts say are likely to disrupt current IT approaches and create demand for engineers with an eye on the future.It isn’t all about The Next Big Thing. Future opportunities for developers are emerging from a confluence of cutting-edge technologies, such as AI, VR. augmented reality, IoT, and cloud technology ... and, of course, dealing with the security issues that are evolving from these convergences.[ Find out how to get ahead with our career development guide for developers. | The art of programming is changing rapidly. We help you navigate what's hot in programming and what's going cold. | Keep up with hot topics in programming with InfoWorld's App Dev Report newsletter. ]
If you're interested in expanding your developer’s toolkit, check out these trending domains—and our tips on how to get ahead by getting started with them.To read this article in full or to leave a comment, please click here
Blockchain sounds like a way to keep boats anchored, which isn't a bad analogy, considering what the technology purports to do.While some IT experts herald it as a groundbreaking way of creating a distributed, unchangeable record of transactions, others question the nascent technology's usefulness in the enterprise, which has traditionally relied on centrally-administered databases to secure digital records.Even so, companies are moving fast to try and figure out how they can use it to save time and money. And IT vendors are responding to customers calls for info, with some already looking to include it as part of their services.To read this article in full or to leave a comment, please click here
Last August a Baltimore substance abuse treatment facility had its database hacked. Patient records subsequently found their way onto the Dark Web, according to DataBreaches.net. The group noticed such things as dates of admission, whether the patients are on methadone, their doctors and counselors, and dosing information.In the DataBreaches.net blog, the hacker “Return,” who they think is Russian, described how he compromised the Man Alive clinic: “With the help of the social engineer, applied to one of the employees. Word file with malicious code was downloaded.”To read this article in full or to leave a comment, please click here
Data packets travel to and from numbered network ports associated with particular IP addresses and endpoints, using the TCP or UDP transport layer protocols. All ports are potentially at risk of attack. No port is natively secure.“Each port and underlying service has its risks. The risk comes from the version of the service, whether someone has configured it correctly, and, if there are passwords for the service, whether these are strong? There are many more factors that determine whether a port or service is safe,” explains Kurt Muhl, lead security consultant at RedTeam Security. Other factors include whether the port is simply one that attackers have selected to slip their attacks and malware through and whether you leave the port open.To read this article in full or to leave a comment, please click here
New products of the weekImage by AcalvioOur roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow.To read this article in full or to leave a comment, please click here
Employees are often the weakest link in your company's security chain. But with a little knowledge and foresight you can mitigate the risks. In this video, CIO.com senior writer Sharon Florentine explains the anatomy of a phishing scam and how you and your workers can avoid becoming a victim.
If you had been living under a rock, then you might actually believe that President Trump plans to protect the environment and support science.Trump’s Earth Day statement began:
Our Nation is blessed with abundant natural resources and awe-inspiring beauty. Americans are rightly grateful for these God-given gifts and have an obligation to safeguard them for future generations. My Administration is committed to keeping our air and water clean, to preserving our forests, lakes, and open spaces, and to protecting endangered species.To read this article in full or to leave a comment, please click here
Has your computer been infected with a suspected NSA spying implant? A security researcher has come up with a free tool that can tell.Luke Jennings of security firm Countercept wrote a script in response to last week’s high-profile leak of cyberweapons that some researchers believe are from the U.S. National Security Agency. It's designed to detect an implant called Doublepulsar, which is delivered by many of the Windows-based exploits found in the leak and can be used to load other malware.To read this article in full or to leave a comment, please click here
The latest version of Google Chrome, released earlier this week, restricts how domain names that use non-Latin characters are displayed in the browser. This change is in response to a recently disclosed technique that could allow attackers to create highly credible phishing websites.The ability to register domain names made up of characters like those found in the Arabic, Chinese, Cyrillic, Hebrew and other non-Latin alphabets dates back over a decade. Since 2009, the Internet Corporation for Assigned Names and Numbers (ICANN) has also approved a large number of internationalized top-level domains (TLDs) -- domain extensions -- written with such characters.To read this article in full or to leave a comment, please click here
DARPA today said it the opened unique and massive testbed it will use as a battleground for researchers to build and test autonomous, intelligent and collaborative wireless technologies.Calling it a “magnificent electronic arena” The Colosseum will be primarily used to host the Defense Advanced Research Projects Agency’s $3.75 million three-year Spectrum Collaboration Challenge (SC2), which will pit researchers against each other to develop what the agency calls radically new technologies for “using and managing access to the electromagnetic spectrum in both military and civilian domains.”To read this article in full or to leave a comment, please click here
This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe. The notion of detecting malware by looking for malicious file signatures is obsolete. Depending on which source is cited, anywhere from 300,000 to one million new malware files are identified every day.Kaspersky Lab says it finds 323,000 files daily, AV-TEST claims to discover more than 390,000 new malicious programs every day, and Symantec says it uncovers almost a million new threats per day. No matter how you count it, that’s a lot of malicious software being unleased into the wild day after day.To read this article in full or to leave a comment, please click here
Investing in security technologies is a given for most companies today, and with stories of breaches and hacks making headlines every week, the importance of these tools has risen to prominence.While there’s no shortage of security technologies to choose from, the big question that remains is: How does a company choose the right security investments? Many organizations struggle to implement the right tools to manage and mitigate risk, and getting all of these solutions to actually work together often presents an even bigger challenge.With that in mind, here are three considerations that can help companies make the right decisions when it comes to investing in security technology:To read this article in full or to leave a comment, please click here
If the financial services industry is banking on blockchain as the basis for new service innovation, it will be sorely disappointed. Blockchain's design principles are completely at odds with those of the industry, and the technology is fraught with flaws that could be catastrophic for financial institutions.I’ll come on to why in a moment. Clearly, there is a lot of hype and momentum around blockchain. WANdisco sees this first hand: We’re increasingly being approached by banks that think this is the kind of thing we do (it isn’t). And why are they interested? Because senior directors and investors have heard the buzz and concluded that this is something they need—that if they don’t seize the opportunity, they’ll miss out. They’re wrong. Banks need blockchain like a hole in the head.To read this article in full or to leave a comment, please click here
Each year, respondents ESG's annual global survey of IT and cybersecurity professionals are asked to identify the area where their organizations have a problematic shortage of skills. For the sixth year in a row, cybersecurity skills topped the list—this year, 45% of the 641 respondents said their organization has a problematic shortage of cybersecurity skills. Now, the cybersecurity skill shortage isn’t picky; it impacts all organizations across industries, organizational size, geography, etc. Nevertheless, global cybersecurity may be especially problematic for organizations in the mid-market, from 100 to 999 employees.Keep in mind that the skills shortage isn’t limited to headcount. Rather, it also includes skills deficiencies—situations where security staff members don’t have the right skills to address the dynamic and sophisticated threat landscape. To read this article in full or to leave a comment, please click here
Sign on the bottom lineImage by ThinkstockDisaster-recovery solutions require several complex, moving parts coordinated between your production site and the recovery site. Service-level agreements are ultimately the most accurate way to determine where responsibility is held for disaster-recovery process and execution. It’s important to have SLA documentation around these critical aspects of recovery so that customers have commitments from their vendor. It’s also important that a service provider’s agreements contain service-credit backed SLAs for additional accountability. When considering DRaaS vendors, ask your potential partner how far they are willing to go in protecting your business and your data, and if these promises will be reimbursable if not met. Bluelock's Brandon Jeffress reviews what is essential to be in an ironclad SLA.To read this article in full or to leave a comment, please click here
The Drupal project has released a patch to fix a critical access bypass vulnerability that could put websites at risk of hacking.The vulnerability does not have the highest severity level based on Drupal's rating system, but is serious enough that the platform's developers decided to also release a patch for a version of the content management system that's no longer officially supported.Successful exploitation of the vulnerability can lead to a complete compromise of data confidentiality and website integrity, but only Drupal-based websites with certain configurations are affected.To be vulnerable, a website needs to have the RESTful Web Services enabled and to allow PATCH requests. Furthermore, the attacker needs to be able to register a new account on the website or to gain access to an existing one, regardless of its privileges.To read this article in full or to leave a comment, please click here
Users that run unpatched software beware. Hackers have been relying on an old software bug tied to the Stuxnet worm to carry out their attacks.Microsoft may have initially patched the flaw in 2010, but it's nevertheless become the most widespread software exploit, according to security firm Kaspersky Lab.On Thursday, Kaspersky posted research examining the use of exploits, or malicious programs designed to take advantage of certain software flaws. Once an exploit goes to work, it can typically pave the way for other malicious programs to install onto a computer.To read this article in full or to leave a comment, please click here