After spending 13 years working in systems administration and network and desktop support, Simeon Holloway had reached a crossroads in his career.“I had capped out on the knowledge” required for the positions, Holloway says. “Salary-wise, I was capping out, too. I wanted to move in a different direction — something challenging and that was in high demand.” Cybersecurity was at the top of his list. In 2014, he set out on a self-guided journey toward a new career. Today, Holloway is an information assurance analyst for the Georgia Lottery in Atlanta. download What it takes to become an information assurance analyst CSO Online Getting serious about security While still a senior systems administrator for the Centers for Disease Control, Holloway kicked into overdrive, spending his evenings and weekends researching cybersecurity online. “I watched YouTube videos, joined webinars, things like that,” Holloway says. He spent four months studying for and earning his CompTIA Security+ certification, and attended a five-day Certified Ethical Hacker Bootcamp course that helped him get his CEH certification six months later. “I also built my own virtual lab — taking some of the free cyber tools available online, like BackTrack and Kali Linux, and practiced pen testing,” Continue reading
The state of online security is darn dreadful. At least if you look at the results from the IBM Security’s 2017 IBM X-Force Threat Intelligence Index released today which contains myriad depressing nuggets such as: The number of records compromised grew a historic 566% in 2016 from 600 million to more than 4 billion -- more than the combined total from the two previous years. In one case, a single source leaked more than 1.5 billion records [see Yahoo breach]. In the first three months of 2016, the FBI estimated cybercriminals were paid a reported $209 million via ransomware. This would put criminals on pace to make nearly $1 billion from their use of the malware just last year. In 2016, many significant breaches related to unstructured data such as email archives, business documents, intellectual property and source code were also compromised. The most popular types of malcode we observed in 2016 were Android malware, banking Trojans, ransomware offerings and DDoS-as-a-service vendors. Since DDoS tools are mostly sold as a service and not as malware per se, we will focus here on banking Trojans, Android malware and ransomware. In December 2016, a malware developer with an ongoing banking Trojan Continue reading
Against my better judgment, I'm going to share a few tidbits from a vendor survey — one of those marketing schemes that have become the bane of my existence as a tech journalist (See: "Right back at you vendors: OUR independent study of YOUR independent research")But I figured you'd want to know what superpowers your peers desire, since I'm sure that's a discussion you and your colleagues have had at some point or another (my superpower would be to dodge vendor survey pitches).To read this article in full or to leave a comment, please click here
Lookout researchers warned of a campaign involving fake ransomware attacks that attempt to extort money from users of mobile Safari. Victims are accused of accessing illegal pornography and the browser appears to be locked up unless a “ransom” is paid.“Your device has been locked for illegal pornography,” the message stated on a site with security agency icons such as NSA and Interpol at the bottom of the page. An overlay pop-up warned that Safari “cannot open page” with “OK” underneath the message. However, the dialog would not go away no matter how many times the victim tapped “OK.”Lookout said, “Each time he tapped ‘OK’ he would be prompted to tap ‘OK’ again, effectively putting the browser into an infinite loop of dialog prompts that prevented him from using the browser.”To read this article in full or to leave a comment, please click here
Privacy advocates haven't given up the fight after the U.S. Congress voted to allow ISPs to sell customers' browsing histories and other personal information without their permission.On Tuesday, the House of Representatives voted 215 to 205 to strike down ISP privacy regulations approved by the Federal Communications Commission only months ago. House's passage of a resolution of disapproval followed a Senate vote to pass the same resolution days earlier. President Donald Trump is expected to sign the Republican-pushed bill. But Senator Ed Markey, a Massachusetts Democrat, said he will introduce new legislation to require the FCC to pass new ISP privacy rules.To read this article in full or to leave a comment, please click here
Apple yesterday patched a bug in the iOS version of Safari that had been used by criminals to spook users into paying $125 or more because they assumed the browser was broken.The flaw, fixed in Monday's iOS 10.3 update, had been reported to Apple a month ago by researchers at San Francisco-based mobile security firm Lookout."One of our users alerted us to this campaign, and said he had lost control of Safari on his iPhone," Andrew Blaich, a Lookout security researcher, said in a Tuesday interview. "He said, 'I can't use my browser anymore.'"The criminal campaign, Blaich and two colleagues reported in a Monday post to Lookout's blog, exploited a bug in how Safari displayed JavaScript pop-ups. When the browser reached a malicious site implanted with the attack code, the browser went into an endless loop of dialogs that refused to close no matter who many times "OK" was tapped. The result: Safari was unusable.To read this article in full or to leave a comment, please click here
The risks from corporate use of activity trackers and other wearables is low, some experts say -- especially in comparison to all the other security and privacy risks CISOs, CIOs and IT folks must worry about.That said, as with any connected device, there is risk potential. For example, recent research suggests that devices such as Fitbits can be hacked (when the hacker is within close proximity). By focusing on accelerometers and other motion sensors, researchers at the University of Michigan and the University of South Carolina found that it’s possible to, among other things, use sound waves at different frequencies to add thousands of steps to a Fitbit. (Scroll down to read Fitbit’s response to the research results.)To read this article in full or to leave a comment, please click here(Insider Story)
Although it dates as far back as the 1950s, Artificial Intelligence (AI) is the hottest thing in technology today.An overarching term used to describe a set of technologies such as text-to-speech, natural language processing (NLP) and computer vision, AI essentially enables computers to do things normally done by people.Machine learning, the most prominent subset of AI, is about recognizing patterns in data and computer learning from them like a human. These algorithms draw inferences without being explicitly programmed to do so. The idea is the more data you collect, the smarter the machine becomes.To read this article in full or to leave a comment, please click here
For the federal government to better secure its information systems and support cybersecurity in the private sector, departments and agencies will need to dramatically improve the way they collect, analyze and share information about emerging threats, current and former government officials are cautioning.At a government IT conference convened by Akamai, a content delivery and cloud service provider, officials stressed the importance of casting a wide net for gathering information about cyberthreats, calling for the advancement of new standards and protocols to automate information sharing across the public and private sectors."The more participants we have in our process, the better that process is going to be," said Danny Toler, acting assistant secretary at the Department of Homeland Security's Office of Cybersecurity and Communications.To read this article in full or to leave a comment, please click here
New York reported a record high number of breaches last year, just after a new set of cybersecurity regulations went into effect in the state."In 2016, New Yorkers were the victims of one of the highest data exposure rates in our state’s history," said Attorney General Eric Schneiderman in a statement released last week. "The total annual number of reported security breaches increased by 60% and the number of exposed personal records tripled."According to the report, the stolen data consisted overwhelmingly of Social Security numbers and financial account information, and hacking was the leading cause of the breaches. The 1,300 breaches involved the private data of 1.6 million state residents, and 81 percent of the breaches involved the loss of Social Security numbers or financial information.To read this article in full or to leave a comment, please click here
The Internet of Things (IoT) is an incredibly diverse space, encompassing a large variety of hardware form factors and software ecosystems unlike anything we have seen in technology. Smartwatches, connected cameras, drones, thermostats, voice-enabled speakers, smart appliances and more—they all live together within the IoT.RELATED: 8 tips for building a cost-effective IoT sensor network But the diversity and innovation that excites many IoT fans is a big challenge not just for manufacturers and developers, but also (and most importantly) consumers. Which technology options should be used when designing or deploying IoT devices? How do they keep up with updated or new operating systems? What about new software and connectivity technologies coming up? Those are just some of today’s challenges.To read this article in full or to leave a comment, please click here
It’s really hard to come up with good startup names, especially names for which the URL is still available, so it is interesting to see startups go back, way back, to find names. One of those is San Francisco security startup Smyte.Smyte's reason for being is to smite (see what I did there?) bad online actors. Its SaaS software is already used by a number of peer-to-peer marketplaces and social apps to combat spam, scam, online harassment and credit card fraud. In other words, Smyte fights pretty much everything social media has, alas, come to be known for. Smyte is a graduate of Y Combinator’s Winter 2015 program.To read this article in full or to leave a comment, please click here
The U.S. House of Representatives has followed the Senate in voting to repeal privacy rules that can prevent broadband providers from selling customers’ internet-browsing histories and other data without their permission.On Tuesday, the House voted 215-205 to do away with the privacy rules that the U.S. Federal Communications Commission passed last year. The rules had yet to come into effect.They require broadband carriers to first obtain opt-in approval from customers before using and sharing their sensitive personal information, such as web browsing history, geo-location data and what applications they've used.To read this article in full or to leave a comment, please click here
The Professional Surge Protector CSP300WUR1 safeguards common home and office devices, such as computers and electronics, by absorbing spikes in energy caused by storms and electrical power surges. Designed for convenience, the portable CSP300WUR1 is ideal for travelers. It provides 600 joules of protection, has three surge-protected outlets, and a folding wall tap plug. Two USB ports (2.1 Amp shared) charge personal electronics, including smartphones, digital cameras, MP3 players, and other devices. A Limited-Lifetime Warranty ensures that this surge suppressor has passed high quality standards in design, assembly, material or workmanship and further protection is offered by a $50,000 Connected Equipment Guarantee. It currently averages 4 out of 5 stars on Amazon, where its typical list price of $21.955 has been reduced 46% to just $11.88. See the discounted CSP300WUR1 on Amazon.To read this article in full or to leave a comment, please click here
The FBI warns that attackers are targeting vulnerable FTP servers used by small medical and dental offices as a way to obtain medical records and other sensitive personal information.While the dangers of placing sensitive data on these servers is well known, smaller businesses may not have the expertise or motivation to upgrade.The attackers can use the stolen data to harass, intimidate and blackmail these businesses, the FBI says, and may also include using the stolen information to commit fraud.The attackers could also write to the servers in order to store malware and launch attacks, the FBI says.The remedy is to remove any personally identifiable information or protected health information from these servers and replace FTP with something more secure.To read this article in full or to leave a comment, please click here
Raimund Genes I learned this past Saturday that my good friend and Trend Micro CTO, Raimund Genes, passed away suddenly last week. Raimund was only 54.If you were lucky enough to cross paths with Raimund, you probably share my profound sorrow at his passing. For those who never had the pleasure of a meeting, allow me to provide a few thoughts about him: I first met Raimund at an industry event where he was supposed to go through a PowerPoint presentation with me. Upon shaking my hand, he said something like, “Let’s skip the formalities of a canned presentation, go to the bar, get a drink, and just talk.” We did have a drink at the bar that day, but what I remember most was an hour of insightful and entertaining banter. He was both informal and informative simultaneously, and we immediately connected. One of the things that I love about my job is that I get to speak to some of the smartest cybersecurity people—professionals, researchers, technology vendors, legislators, etc.—on a regular basis. Out of this exceptional population, however, some people stand out. I call these folks my “beacons” in that I’m more engaged when I Continue reading
The information security threat landscape is constantly evolving. To help you navigate the terrain, each year the Information Security Forum (ISF) — a nonprofit association that researches and analyzes security and risk management issues on behalf of its members — puts out its Threat Horizon report to provide members with a forward-looking view of the biggest security threats over a two-year period. What follows are the nine biggest threats on the horizon through 2019 that your organization may have to manage and mitigate.Theme 1: Disruption from an over-reliance on fragile connectivity Organizations today depend of instant and uninterrupted connectivity, smart physical devices and trustworthy people. But that dependence makes them vulnerable to attacks on core internet infrastructure, devices used in daily business and key people with access to mission-critical information.To read this article in full or to leave a comment, please click here
A friend asked me to list all of the cybersecurity things that bug me and what he should be diligent about regarding user security. We talked about access control lists, MAC layer spoofing, and a bunch of other topics and why they mattered. You should come up with a list of head-desk things.After a bit of thought, here’s a list. It’s by NO means comprehensive, and it’s not an organized best practices document. Instead, these are marbles that roll around in my head and bother me a lot.1. Ban and route to null t.co, bit.ly, and other URL shorteners Why? Especially in phishing emails, a user has no idea where the link is going, what’s behind that link, or what kind of benevolent or conversely malicious payload is going to load in the default browser. Sure, your anti-malware or antivirus tool, or even the browser’s own instinct, might prevent a page load that opens a back door into your network. Maybe.To read this article in full or to leave a comment, please click here
For the second time in two weeks developers of the popular LastPass password manager are working to fix a serious vulnerability that could allow malicious websites to steal user passwords or infect computers with malware.Like the LastPass flaws patched last week, the new issue was discovered and reported to LastPass by Tavis Ormandy, a researcher with Google's Project Zero team. The researcher revealed the vulnerability's existence in a message on Twitter, but didn't publish any technical details about it that could allow attackers to exploit it.To read this article in full or to leave a comment, please click here
Smartphones are by far the most popular target of mobile malware, and the infection rate is soaring, according to new research by Nokia.During the second half of 2016, the increase in smartphone infections was 83% following on the heels of a 96% increase during the first half of the year, according to Nokia’s latest Mobile Threat Intelligence Report gathered from devices on which Nokia NetGuard Endpoint Security is deployed in Europe, North America, Asia Pacific and the Middle East.+More on Network World: Cisco Talos warns of Apple iOS and MacOS X.509 certificate flaw+To read this article in full or to leave a comment, please click here