Category Archives for "Network World Security"

Cebit showcases security after Snowden

It's almost four years since Edward Snowden leaked U.S. National Security Agency documents revealing the extent of the organization's surveillance of global internet traffic, but he's still making the headlines in Germany. At the Cebit trade show in Hannover, Germany, he'll be looking back at that period in a live video interview from Moscow on Tuesday evening. There have been a lot of changes on the internet in those four years, but one of the biggest is the growth in the use of encryption. In 2013, the NSA had free rein and could listen in on almost any communication it wanted. Now, it's commonplace to encrypt traffic to webmail services and even popular websites such as Microsoft.com or Google.com using the https protocol. And you don't have to be an enemy of the state to use an end-to-end encrypted messaging system such as WhatsApp simply to chat with friends.

McDonald’s India asks users to update app after data leak report

McDonald’s India operation asked users to update their McDelivery app as a 'precautionary measure' after a security firm said it had found that it was leaking personal data of over 2.2 million users. The Indian operation of the food chain, which is owned and managed by franchisees, said in posts on Facebook and Twitter over the weekend that its website and app do not store any sensitive financial data of users. The operation did not admit or deny that there had been a breach, but urged users to update the online ordering app as a precautionary measure. “The website and app has always been safe to use, and we update security measure on regular basis,” according to the post.

iPhone 8 Rumor Rollup: Gentler curves and facial recognition security

Apple just might whet our appetites for a September unveiling of the iPhone 8 (or iPhone X) with an event later this month or early in April regarding some new iPads and maybe some low-end iPhones. But we won’t be distracted: On to the iPhone 8 rumors! KINDER, GENTLER CURVES: The word is that Apple and Samsung are going to be hogging up most of the shiny, energy-efficient OLED displays being pumped out this year, leaving poor Huawei and others on the outs. And after all that, it turns out that Apple’s OLED displays on its anticipated 5.8-inch iPhone 8 will have a “gentler” curved screen than that found on the rival Samsung Galaxy S7 (and likely, the S8).

BlackBerry readies a more secure version of the Samsung Galaxy S7

Secusmart, the BlackBerry subsidiary that secures German Chancellor Angela Merkel's smartphone, will roll out a version of its SecuSuite security software compatible with Samsung Electronics' Knox platform later this year. That means that organizations looking for smartphones offering government-grade security will be able to buy the Samsung Galaxy S7 or, soon, the S8 rather than the now-discontinued BlackBerry OS smartphones like the one Merkel uses. In addition to encrypting communications and data stored on the device, the new SecuSuite also secures voice calls using the SNS standard set by Germany's Federal Office for Information Security (BSI). Organizational app traffic is passed through an IPsec VPN, while data from personal apps can go straight to the internet. Encrypted voice calls go through a different gateway, not the VPN.

Star Trek-themed Kirk ransomware has Spock decryptor, demands ransom be paid in Monero

While you may want to live long and prosper, you don’t want to be “kirked” – an extension added to files encrypted by the new Star Trek-themed Kirk ransomware. Kirk ransomware, which was discovered by Avast malware researcher Jakub Kroustek, doesn’t want the ransom to be paid in bitcoin; Bleeping Computer said it “may be the first ransomware to utilize Monero as the ransom payment of choice.” It is not known how the ransomware is being distributed, but researchers know that Kirk ransomware masquerades as the Low Orbital Ion Cannon network stress tool; LOIC was once favored for denial of service attacks. The fake version sports the LOIC slogan, “When harpoons, air strikes and nukes fail,” and claims to be initializing once executed.

Some HTTPS inspection tools might weaken security

Companies that use security products to inspect HTTPS traffic might inadvertently make their users' encrypted connections less secure and expose them to man-in-the-middle attacks, the U.S. Computer Emergency Readiness Team warns. US-CERT, a division of the Department of Homeland Security, published an advisory after a recent survey showed that HTTPS inspection products don't mirror the security attributes of the original connections between clients and servers. HTTPS inspection checks the encrypted traffic coming from an HTTPS site to make sure it doesn't contain threats or malware. It's performed by intercepting a client's connection to an HTTPS server, establishing the connection on the client's behalf and then re-encrypting the traffic sent to the client with a different, locally generated certificate. Products that do this essentially act as man-in-the-middle proxies.

A cybersecurity risk assessment is a critical part of M&A due diligence  

As of mid-February, the plan for Verizon Communications to acquire a majority of Yahoo’s web assets is still on, despite the announcement of Yahoo having suffered two massive breaches of customer data in 2013 and 2014. The sale price, however, has been discounted by $350 million, and Verizon and Altaba Inc. have agreed to share any ongoing legal responsibilities related to the breaches. Altaba is the entity that will own the portion of Yahoo that Verizon is not acquiring.

String of fileless malware attacks possibly tied to single hacker group

Several attacks observed over the past few months that rely heavily on PowerShell, open-source tools, and fileless malware techniques might be the work of a single group of hackers. An investigation started by security researchers from Morphisec into a recent email phishing attack against high-profile enterprises pointed to a group that uses techniques documented by several security companies in seemingly unconnected reports over the past two months. "During the course of the investigation, we uncovered a sophisticated fileless attack framework that appears to be connected to various recent, much-discussed attack campaigns," Michael Gorelik, Morphisec's vice president of research and development, said in a blog post. "Based on our findings, a single group of threat actors is responsible for many of the most sophisticated attacks on financial institutions, government organizations, and enterprises over the past few months."

DARPA wants to cultivate the ultimate transistor of the future

Researchers with the Defense Advanced Research Projects Agency will this month present a program that looks to develop a new generation of radiofrequency (RF) and millimeter-wave transistors to address the power and range requirements for billions of wirelessly communicating devices in everything from unmanned aircraft and home appliances to sensors and smartphones. “The same basic transistor types have been dominant since their invention and we have been engineering the heck out of them for 50 years,” said Dan Green, a program manager in DARPA’s Microsystems Technology Office (MTO) and the overseer of the forthcoming Dynamic Range-enhanced Electronics and Materials (DREaM) program. “We’ve gotten a lot out of that approach, but the focus on so few types of transistor technologies and just a few semiconductor materials also has fundamentally limited us in the RF world.”

Ask.com serves as a conduit for malware – again

Businesses that allow the Ask.com toolbar in their environments might want to rethink that after endpoints equipped with the browser add-on were compromised last November and then again the very next month using pretty much the same attack methods. In both cases attackers managed to infiltrate the Ask.com updater infrastructure to the point that they used legitimate Ask signing certificates to authenticate malware that was masquerading as software updates. And in both cases Ask Partner Network (APN), which distributes the Ask.com toolbar, told the security vendors who discovered the incidents that it had fixed the problem. The first one was discovered by security vendor Red Canary, and the second was caught by Carbon Black, whose researchers just wrote about it in their company blog.

Cobol plays major role in U.S. government breaches

New research is turning on its head the idea that legacy systems -- such as Cobol and Fortran -- are more secure because hackers are unfamiliar with the technology. New research found that these outdated systems, which may not be encrypted or even documented, were more susceptible to threats. By analyzing publicly available federal spending and security breach data, the researchers found that a 1% increase in the share of new IT development spending is associated with a 5% decrease in security breaches. "In other words, federal agencies that spend more in maintenance of legacy systems experience more frequent security incidents, a result that contradicts a widespread notion that legacy systems are more secure," the paper found. The research paper was written by Min-Seok Pang, an assistant professor of management information systems at Temple University, and Huseyin Tanriverdi, an associate professor in the Information, Risk and Operations Department at the University of Texas at Austin.

Do you have an incident response plan in place?

Details matter when developing an incident response (IR) plan. But, even the most successful IR plans can lack critical information, impeding how quickly normal business operations are restored. This guide from Cybereason takes a closer look at nine of the often forgotten, but important steps that you should incorporate into your IR plan. Preparation across the entire company: Good security leaders should be able to get people from across the company to help develop the IR plan. While CISOs will most likely manage the team that handles the threat, dealing with the fallout from a breach requires the efforts of the entire company.

Experts divided on value of Cyber National Guard

This past weekend at SXSW, two Congressmen suggested that the U.S. create a cybersecurity reserves system, similar to the National Guard, but the idea has received a mixed welcome from the cybersecurity community. According to House Rep. Will Hurd, a Republican from Texas, a national cybersecurity reserve could help strengthen national security and bring in a diversity of experience. Hurd, who has a degree in computer science from Texas A&M, has served as an undercover CIA officer and has worked as a partner at cybersecurity firm FusionX. He has been pitching the idea of a Cyber National Guard for a while, and has suggested that the government could forgive student loan debt for those who serve. It would also help ensure a cross-pollination of experience between government and industry.

Yahoo breach exposes the drawbacks of state-sponsored hacking

When governments turn to private hackers to carry out state-sponsored attacks, as the FBI alleges Russia did in the 2014 breach of Yahoo, they're taking a big risk. On the one hand, it gives them a bit of plausible deniability while reaping the potential spoils of each attack, but if the hackers aren't kept on a tight leash things can turn bad. Karim Baratov, the 22-year-old Canadian hacker who the FBI alleges Russia's state security agency hired to carry out the Yahoo breach, didn't care much for a low profile. His Facebook and Instagram posts boasted of the million-dollar house he bought in a Toronto suburb and there were numerous pictures of him with expensive sports cars -- the latest an Aston Martin DB9 with the license plate "MR KARIM."

Unpatched vulnerability puts Ubiquiti networking products at risk

An unpatched command injection vulnerability could allow hackers to take over enterprise networking products from Ubiquiti Networks. The vulnerability was discovered by researchers from SEC Consult and allows authenticated users to inject arbitrary commands into the web-based administration interface of affected devices. These commands would be executed on the underlying operating system as root, the highest privileged account. Because it requires authentication, the vulnerability's impact is somewhat reduced, but it can still be exploited remotely through cross-site request forgery (CSRF). This is an attack technique that involves forcing a user's browser to send unauthorized requests to specifically crafted URLs in the background when they visit attacker-controlled websites.

IDG Contributor Network: Smarter authentication makes mobile experiences more secure, user friendly

To make our lives easier, digital experiences have become much more interconnected and the volume of personal data captured in the cloud is growing exponentially. While these trends make us more productive, they can also make security breaches much more damaging. Once a hacker gains access to one aspect of your digital life, he can easily reach across multiple applications and accounts, laying a path of destruction and heartache. Today’s mobile and digital experiences need authentication strategies that keep up with the constantly changing digital ecosystem, and simple passwords are not enough. Authentication must be fast, easy to use: Multifactor authentication strategies are growing in popularity, but the tradeoff of usability and security is a constant balancing act. If authentication solutions are not simple, quick and easy, users will find ways around them. And if they are not secure, hackers will quickly exploit weaknesses. Sophisticated smart authentication strategies are coming to market that are less visible and easier to use than messaging-based two-factor authentication approaches or biometrics. Approaches such as behavioral biometrics and adaptive authentication are leveraging data and sophisticated algorithms to create more secure and easier-to-use experiences.

Adobe Reader, Edge, Safari, and Ubuntu fall during first day at Pwn2Own

Bug hunters have gathered again to test their skills against some of the most popular and mature software programs during the Pwn2Own hacking contest. During the first day, they successfully demonstrated exploits against Microsoft Edge, Apple's Safari, Adobe Reader, and Ubuntu Desktop. The Pwn2Own contest runs every year during the CanSecWest security conference in Vancouver, Canada. It's organized and sponsored by the Zero Day Initiative (ZDI), an exploit acquisition program operated by Trend Micro after its acquisition of TippingPoint. This year the contest has a prize pool of US$1 million for exploits in five categories: virtual machines (VMware Workstation and Microsoft Hyper-V); web browser and plugins (Microsoft Edge, Google Chrome, Mozilla Firefox, Apple Safari, and Flash Player running in Edge); local escalation of privilege (Windows, macOS, and Ubuntu Desktop); enterprise applications (Adobe Reader, Word, Excel, and PowerPoint) and server side (Apache Web Server on Ubuntu Server).

DARPA plan would reinvent not-so-clever machine learning systems

Machine learning systems may be smart but they have a lot to discover. Innovative researchers with DARPA hope to achieve superior machine learning systems with a new program called Lifelong Learning Machines (L2M), which has as its primary goal to develop next-generation machine learning technologies that can learn from new situations and apply that learning to become better and more reliable than current constrained systems.

Why is incident response automation and orchestration so hot?

I couldn’t attend the RSA Conference this year, but many cybersecurity professionals and my ESG colleagues told me that incident response (IR) automation and orchestration was one of the hottest topics in the halls of the Moscone Center—through the bar at the W hotel and even at the teahouse on the garden at Yerba Buena. Was this rhetoric just industry hype? Nope. This buzz is driven by the demand side rather than suppliers. In truth, cybersecurity professionals need immediate IR help for several reasons:

1. IR is dominated by manual processes. Let’s face it, IR tasks such as fetching data, tracking events or collaborating with colleagues depend upon the organizational, communications and technical skills of individuals within the security operations team. These manual processes ultimately get in the way of overall IR productivity.

Cisco security advisory dump finds 20 warnings, 2 critical

It’s a bad week for all things network security as Cisco spewed out 20 Security Advisories and Alerts – two critical and three high-impact – that customers should be aware of and patch where they can. Cisco, like other big enterprise vendors, regularly issues security warnings, but 20 in one day is an unusual amount for the networking giant. Others like Microsoft and Oracle issue tons of security bulletins monthly, mostly without much fanfare – for example, Microsoft released 18 security bulletins for March, split into nine critical and nine important security updates.
