As an individual, you might have an old smartphone or tablet sitting around your house collecting dust. Before recycling it, you hire a company to wipe the drive clean of any personally identifiable information. With the storage on today’s smartphones, there could be credit card information sitting in the background. You feel relieved as you pass off the device to be cleaned. A load off your shoulders, you have taken another item out of your house that was cluttering up the living room. Right? Well, the device might be gone, but the data might still live on. The National Association for Information Destruction (NAID) found as much in a recent study, which revealed that 40 percent of the devices the group bought on secondhand markets still had PII on them. NAID, an international watchdog and non-profit trade association for the secure destruction industry, conducted the study in the first quarter of this year.
If you were required to wear an ankle bracelet tracking device for electronic monitoring purposes, can you imagine how the conversation with police or probation officers would go if the device falsely notified them that you had tried to tamper with the strap to remove it? It’s doubtful you would be believed if you tried to blame it on glitchy or defective technology. Yet in the U.K., some offenders may have been wrongly sent back to prison after defective ankle bracelets alerted the authorities that they had been tampered with. The U.K. government admitted that ankle bracelets “used to electronically monitor offenders and suspects with a curfew” may have given false tamper reports to authorities and resulted in some people being wrongly imprisoned.
Earlier on Monday, my wife let me know that “Apple Support” had called about iCloud security. She was dubious, and rightly so. “Apple” then called five more times (and counting). Suffice it to say, it wasn’t Apple, but fraudsters trying to piggyback on reports that a major breach of iCloud credentials could render hundreds of millions of accounts vulnerable. Apple says no such breach occurred, and security researchers, like Troy Hunt of HaveIBeenPwned.com, say the group trying to extort Apple likely has reused credentials from other sites’ password leaks. (We recommend turning on two-factor authentication at iCloud regardless.)
It’s bad enough when black hat hackers insert malicious backdoors into systems and software after vendors/makers have sold these into the marketplace. It is another matter when the vendors who create these devices and programs unwittingly or purposely leave backdoors inside their products. With IHS forecasting an influx of 30.7 billion IoT devices by 2020 and 75.4 billion by 2025, additional products that could house vendor backdoors will flood the enterprise, multiplying the risks of these kinds of security holes.
The recent document leak detailing CIA spying campaigns and hacking techniques has fostered conversations and news stories on how to balance intelligence gathering with privacy, as well as discussions on the agency’s extensive spying capabilities. What hasn’t been discussed as much is what enterprises (and governments in one case) can learn from the WikiLeaks Vault 7 leak. To me, three key takeaways are that leaks can happen to any organization, figuring out what entity carried out an attack is difficult to do, and we’re in an era when nation-state weapons end up in the hands of criminals. Collectively, these developments make practicing information security more complex than ever. Now, let’s explore each one in more detail.
Cisco Talos today warned of a flaw in the X.509 certificate validation feature of Apple macOS and iOS that could let an attacker remotely execute code and steal information. X.509 security certificates are widely used and integral to many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure web browsing protocol. “For most people, securely connecting to a website seems as simple as checking to make sure the little padlock in the address bar is present. However, in the background there are many different steps that are taken to ensure you are safely and securely connecting to the websites that claim they are who they are. This process includes certificate validation, or making sure that the servers that users are connecting to present ‘identification’ showing they are legitimate. This helps to protect users from fraudulent servers that might otherwise steal sensitive information,” Talos wrote.
The industry’s largest collaboration show, Enterprise Connect, gets underway this week in Orlando, Florida. The show has become the place for vendors to show off the latest and greatest, and the week started off with Cisco announcing some new products and updates to existing ones. Cisco’s collaboration business has been on quite a roll of late, as it has released a number of new solutions, including the game-changing Spark Board, which was unveiled earlier this year.
Carnegie Mellon University this week launches its third annual online capture the flag (CTF) contest aimed at introducing middle and high school students to the world of IT security, and just maybe attracting some of them into a segment of the job market hungry for talent. Anyone can register to play the free picoCTF online hacking contest beginning on March 31 and ending April 14, but only U.S. students in grades 6-12 are eligible for some $30K in prizes. CMU says about 30,000 people have taken part in picoCTF, a game in which participants must reverse engineer, hack, decrypt and do whatever it takes to solve a challenge.
Apple has made iOS 10.3 publicly available, and the software update for its iPhones and iPads is packed with a Find-My-AirPod feature as well as a slew of Siri, CarPlay and other additions. You probably know the routine by now: Head over to the General icon on your device, then hit Software Update and you'll be given the option to grab iOS 10.3 (a bit over 611MB on my iPhone) either over the air or via iTunes on a Mac or Windows PC. Unless you want to wait it out a bit and make sure Apple hasn't mucked anything up.
Not to be overlooked in iOS 10.3, even though it works behind the scenes, is support for the Apple File System (APFS) that the company introduced last year at its Worldwide Developers Conference. APFS is designed to work better with flash storage and has improved encryption support.
In 2015, ESG did an in-depth research project on cyber threat intelligence usage at enterprise organizations (i.e., those with more than 1,000 employees). The goal of this project was to determine how large firms were using threat intelligence, what challenges they faced, how they were addressing these challenges and what their strategies were moving forward. The research revealed that many threat intelligence programs were relatively immature: 40 percent of threat intelligence programs had been in place fewer than two years at that time. Cybersecurity professionals were also asked to identify the top objectives for their organization’s threat intelligence program. The top results were as follows:
If you use Microsoft’s Docs.com to store personal documents, stop reading this and make sure you aren’t inadvertently leaking your private information to the world. Microsoft sets any documents uploaded to the document sharing site as public by default, though it appears that many users aren’t aware of it. That means anyone can search Docs.com for sensitive personal information that wasn’t manually set private. PCWorld found social security numbers, health insurance ID numbers, bank records, job applications, personal contact details, legal correspondence, and driver's license numbers with just a few minutes of searching.
Earlier this year Fortinet hired its first chief information security officer (CISO). The timing makes sense, as the company has grown into a leading security vendor with an integrated security fabric vision that few competitors can match. As Fortinet continues to expand its presence in the federal and critical infrastructure markets, CISO Philip Quade brings the credentials and background needed to help lead the strategy. Prior to joining Fortinet, Quade was the NSA director’s special assistant for cyber and chief of the NSA Cyber Task Force. Before that, he was chief operating officer of the Information Assurance Directorate at the NSA. I recently talked with Quade regarding his new role and the challenges the United States and businesses in general face with respect to security.
Hitachi announced it has developed a new image analysis system that uses artificial intelligence (AI) for real-time people tracking and detection. The AI can detect an individual in real time by combining over 100 external characteristics and then track that person using wide-area security and surveillance systems. Systems that capture facial images and color of clothing have previously been deployed in public areas, but according to Hitachi, it is difficult for security staff to find and track a person based on an eyewitness account or poor surveillance camera footage.
As the digital enterprise struggles to find the best security solutions to defend its ever-expanding networks, many are looking to next-generation tools that offer interoperability capabilities. Software-defined networking (SDN) holds lots of promise. By consolidating the control planes of multiple devices into a single controller, that controller becomes the omnipotent decision maker over the entire network. That's a lot of power, yet developers still don't have security at the forefront of their minds when building SDN products, which is why there are weaknesses in SDN that can compromise enterprise security.
New products of the week: our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow. First up: NetCrunch Tools 2.0.
A senior U.K. official is asking that law enforcement be given access to encrypted messages on WhatsApp and similar services, a demand that is likely to fuel an ongoing debate over whether companies should create backdoors into their encryption technologies for investigators. Khalid Masood, the terrorist who killed four people outside Parliament on Wednesday, had sent a message on WhatsApp a little before the attack, according to reports. “We need to make sure that organizations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other,” Home Secretary Amber Rudd said on BBC One's Andrew Marr Show on Sunday.
Docs.com, Microsoft’s site, which is described as a place to “showcase and discover Microsoft Word, Excel, PowerPoint, OneNote, Sway and PDF document for free,” came under fire over the weekend as Twitter users started complaining that users of the site had inadvertently shared private and sensitive information with the world. The site had a search function that would allow anyone to search through millions of files. When some users had uploaded private information, they had not changed the permissions from the default setting, which shares content publicly. After people started tweeting screenshots of sensitive information, Microsoft quietly removed the search function on Saturday.
CSO Online's Steve Ragan and Joan Goodchild chat about the hot security news of the week, including their take on the recent WikiLeaks revelations around the CIA, and how Cisco, Samsung and Apple have responded to the information.
When ransomware criminals lock up files and demand payment to decrypt them, don’t pay, was the advice a consultant gave to a group at SecureWorld. When there’s no risk of losing crucial data, that’s easy to say, and making it possible requires planning, says Michael Corby, executive consultant for CGI. “Plan to have data available in a form that won’t be affected by ransomware – encrypted and stored separately from the production network,” he says. “You need a clean copy of the data in a restorable form. Test that the backups work.” Restore and recover are the key words, and they should be done keeping in mind that the malware has to be removed before recovering.
The Mac and iPhone exploits described in new documents attributed to the U.S. Central Intelligence Agency were patched years ago, according to Apple. WikiLeaks released a new set of files Thursday that supposedly came from the CIA. They contain details about the agency’s alleged malware and attack capabilities against iPhones and Mac computers. The documents, dated 2012 and earlier, describe several “implants” that the CIA can install in the low-level extensible firmware interface (EFI) of Mac laptop and desktop computers. These EFI rootkits allow the agency's macOS spying malware to persist even after the OS is reinstalled.