Watch what leaves the officeImage by ThinkstockEmployee turnover is common, as is the practice of employees taking sensitive and confidential data with them when they leave, particularly data that they were involved in generating. This creates a significant risk for employers whose data was misappropriated, resulting in potential data breaches that can trigger regulatory actions or legal actions, as well as a variety of other consequences. Most employers are not adequately prepared to deal with the aftermath of employee data theft and many do not take the steps necessary to mitigate these risks before they occur.To read this article in full or to leave a comment, please click here
Last week, the Trump administration announced the appointment of a White House cybersecurity coordinator. That's a good first step, security experts say, but the government also needs to have a federal CISO."It's a big leadership vacancy," said Sanjay Beri, CEO and co-founder at cloud security vendor Netskope.The job of a federal CISO is very new -- it was only created last year and filled in September with the appointment of retired brigadier general Gregory Touhill. He was previously the deputy assistant secretary for cybersecurity and communications at the Department of Homeland Security.To read this article in full or to leave a comment, please click here
Most technologies go through a stage when everything seems possible. Personal computers in the early 1980s, the internet in the late 1990s and mobile apps around the beginning of this decade were like that.But so was the first unboxing of a Galaxy Note 7. In time, either suddenly or gradually, reality sets in.The internet of things still looks promising, with vendors and analysts forecasting billions of connected devices that will solve all sorts of problems in homes and enterprises. But the seams are starting to show on this one, too. As promising as the technology is, it has some shortcomings. Here are a few.BAD DATAIoT systems are only as good as the data they capture, and some of it is not great.To read this article in full or to leave a comment, please click here
Developers of the popular LastPass password manager rushed to push out a fix to solve a serious vulnerability that could have allowed attackers to steal users' passwords or execute malicious code on their computers.The vulnerability was discovered by Google security researcher Tavis Ormandy and was reported to LastPass on Monday. It affected the browser extensions installed by the service's users for Google Chrome, Mozilla Firefox and Microsoft Edge.According to a description in the Google Project Zero bug tracker, the vulnerability could have given attackers access to internal commands inside the LastPass extension. Those are the commands used by the extension to copy passwords or fill in web forms using information stored in the user's secure vault.To read this article in full or to leave a comment, please click here
Hackers claiming to have hundreds of millions of iCloud credentials have threatened to wipe date from iPhones, iPads and Macs if Apple does not fork over $150,000 within two weeks."This group is known for getting accounts and credentials, they have gotten credentials in the past," said Lamar Bailey, director of security research and development at Tripwire, of the purported hackers. "But whether they have that many ... who knows?"There's another reason for not panicking, Bailey said: People can quickly make their accounts more secure, assuming the criminals have only collected, not actually compromised the iCloud accounts by changing millions of passwords.To read this article in full or to leave a comment, please click here
Cisco is warning IOS and IOS EXE users of five security vulnerabilities it rates as “High” that could lead to denial of service attacks or allow an invader to execute arbitrary code on an particular system.The warnings – which include Cisco’s DHCP client, L2TP, Zero Touch Provisioning, HTTP server and Web user interface -- are part of what Cisco says are a twice-yearly bundle of IOS security advisories it issues to keep those users up-to-date on current IOS security issues.To read this article in full or to leave a comment, please click here
The chances of you encountering malware on your Android phone is incredibly small, according to Google.By the end of last year, less than 0.71 percent of Android devices had installed a "potentially harmful application," such as spyware, a Trojan, or other malicious software.That figure was even lower, at 0.05 percent, for Android phones that downloaded apps exclusively from the Google Play store.The internet giant revealed the figures in a new report detailing its efforts to making the Android OS secure. Thanks to better app review systems, the company is detecting and cracking down on more malware.To read this article in full or to leave a comment, please click here
As The 21st Century Encryption Wars continue with no end in sight, security experts Bruce Schneier and Orin Kerr have collaborated on a paper that seeks to establish a common understanding of one aspect of the clash: encryption workarounds. The authors consciously avoid policy recommendations, but rather hope to better the understanding of those who will do so in our political and law enforcement arenas.From the paper’s abstract:
The widespread use of encryption has triggered a new step in many criminal investigations: the encryption workaround. We define an encryption workaround as any lawful government effort to reveal an unencrypted version of a target's data that has been concealed by encryption. This essay provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use.To read this article in full or to leave a comment, please click here
A group of hackers is threatening to wipe data from millions of Apple devices in two weeks if the company doesn’t pay them US$150,000.
The group, which calls itself Turkish Crime Family, claims to have login credentials for more than 627 million icloud.com, me.com and mac.com email addresses. These are email domains that Apple has allowed for users creating iCloud accounts over the years.
Even though the Turkish Crime Family hasn't been in the media spotlight before, its members claim that they've been involved in selling stolen online databases in private circles for the past few years.
The group said via email that it has had a database of about 519 million iCloud credentials for some time, but did not attempt to sell it until now. The interest for such accounts on the black market has been low due to security measures Apple has put in place in recent years, it said.To read this article in full or to leave a comment, please click here
Cisco today closed its approximately $3.7 billion deal for application analytics specialist AppDynamics giving the networking giant a nice revenue stream and bolstering its software strategy.The nine-year-old company – which Cisco bought Jan. 24, days before it was to go IPO -- and its almost 1,250 employees become part of Cisco as the 17th acquisition since Chuck Robbins took the CEO reins in 2015.+More on Cisco software from Network World: Has Cisco broken out of the network hardware box?+To read this article in full or to leave a comment, please click here
When you gotta go, you gotta go, but there may be a line in public restrooms. Usually those lines don’t have anything to do with surveillance. Let’s hope a new biometric authentication trial in China doesn’t roll out here, or else you would have to stop in public bathrooms in front of a device that uses facial recognition and wait for your allotted amount of toilet paper to be dispensed.
Too bad, so sad if the 24-inch strip of toilet paper isn’t enough. The dispenser will not spit out more paper to the same person until after nine minutes have passed.
Why would this creepy type of surveillance be deployed in public restrooms? To combat toilet paper theft.To read this article in full or to leave a comment, please click here
Reacting to concerns about the mass collection of photographs in police databases, U.S. lawmakers plan to introduce legislation to limit the use of facial recognition technology by the FBI and other law enforcement organizations.The FBI and police departments across the country can search a group of databases containing more than 400 million photographs, many of them from the drivers' licenses of people who have never committed a crime. The photos of more than half of U.S adults are contained in a series of FBI and state databases, according to one study released in October.To read this article in full or to leave a comment, please click here
It's been over a year since I presented on LostPass at ShmooCon, and in that time, many more bugs have been found in password managers. The most severe of which are in browser-based password managers extensions such as LastPass. Tavis Ormandy yesterday demonstrated a remote code execution on the latest LastPass version. This isn't the first extremely severe bug he's found in LastPass, either; there've been so many extremely severe bugs in LastPass it would be tedious to list them out. But LastPass isn't alone: Keeper, Dashlane and even 1Password have had severe vulnerabilities that allowed attackers to steal all of the passwords in a user's account without their knowledge.To read this article in full or to leave a comment, please click here
A zero-day attack called Double Agent can take over antivirus software on Windows machines and turn it into malware that encrypts files for ransom, exfiltrates data or formats the hard drives.Based on a 15-year-old feature in Windows from XP through Windows 10, the attack is effective against all 14 antivirus products tested by security vendor Cybellum – and would also be effective against pretty much every other process running on the machines.Double Agent was discovered by Cybellum researchers and has not been seen in the wild.“The attack was reported to all the major vendors which approved the vulnerability and are currently working on finding a solution and releasing a patch,” according to a Cybellum blog. All the vendors were notified more than 90 days ago, which is the standard length of time for responsibly disclosing vulnerabilities and giving vendors time to fix them.To read this article in full or to leave a comment, please click here
In the latest episode of Security Sessions, CSO Editor-in-Chief Joan Goodchild sits down with Jeff Fagnan from Accomplice, a venture capital and private equity firm in Cambridge, Mass. The two discuss the current state of VC funding in security companies and where the money is going (and not going), and why CSOs should "follow the money."
Internal threatsImage by ThinkstockLast year was the worst on record for information security incidents, and the majority of those were due to inside sources, many studies agree. Prime suspects are employees and contractors with privileged user access, says Sam Elliott, director of security product management at Bomgar. Elliott warns that these 10 employees could be your greatest internal security threat.To read this article in full or to leave a comment, please click here
The debate over the chances of a catastrophic cyber attack taking down a major part of the nation’s critical infrastructure (CI) has been ongoing for a generation.But it hasn’t been settled – in some ways it is more intense now than ever.On one side are those, including high government officials, who warn of a “cyber Pearl Harbor” that could leave swaths of the country in darkness and cold – without electric power – for months.Retired Adm. James Stavridis, dean at Tufts Fletcher School and a former NATO supreme allied commander, used that term just three months ago, saying such an attack would be aimed either at the electrical grid or the financial sector.To read this article in full or to leave a comment, please click here
The theft of unstructured data is extremely common. It can be very difficult to safeguard emails and files when a lot of people have access. Even the CIA is not immune, judging by the recent exposure of its hacking tools via WikiLeaks. It’s ironic that the CIA’s hacking guides have been hacked, but it just goes to show how difficult it can be to prevent.Carelessly handled unstructured data is an easy target, and it can prove very valuable for hackers. Since unstructured data may not be monitored, attacks and successful exfiltrations often go unnoticed for long periods.To read this article in full or to leave a comment, please click here
When Scott Copeland got his associate degree in network administration back in 2004, the community college he attended didn’t offer IT security courses, “but it gave me the foundation to learn more about network security,” he says. His determination and thirst for learning led him to his current job as an IT security engineer at FedEx Services in Memphis, Tenn. download
What it takes to become an IT security engineer | PDF download
CSO Online
Getting started
After being laid off in 2008 from his first IT job in tech support and systems administration, friends encouraged Copeland to use his networking talents to get a certification that would boost his career. He studied for three months and earned his Cisco Certified Network Associate (CCNA) certification in routing and switching. “CCNA was the biggest helper [for my security career path],” says Copeland. “It’s one of the hardest network certifications in the industry.” Also, he notes, “because it ties networking for firewalls and VPN, it has security components to it.” He also scoured daily posts on Reddit, the news aggregation and discussion website, to learn as much as he could about network and IT security, and to keep up with Continue reading
A newfound vulnerability in smartphones could let hackers remotely control the devices.With the acoustic injection attack, “attackers that deliver high intensity acoustic interference in close proximity” can interfere with a device accelerometer and get the sensor to send “attacker–chosen” data to the smartphone’s processor, say researchers from the University of Michigan and University of South Carolina in a paper.Accelerometers measure changes of speed in a device, and they are used industrially to sense vibration for machinery health. In a smartphone, the accelerometer sensor can be used to detect screen orientation, for example.To read this article in full or to leave a comment, please click here