Category Archives for "Network World Security"

Consumer Reports to grade tech products on security, privacy

Consumer Reports, a major source for gadget and appliance reviews in the U.S., plans to start rating products on data security and privacy. On Monday, the non-profit publication unveiled a set of new testing standards it hopes will push the tech industry to create safer products. "The goal is to help consumers understand which digital products do the most to protect their privacy and security, and give them the most control over their personal data," the publication said. Already, cybersecurity experts are constantly finding new tech products, whether they be cars or smart teddy bears, that are often poorly secured and easy to hack.

IDG Contributor Network: Robots are malfunctioning, hurting people

A mounting list of robot-related accidents has experts questioning whether the devices will be prone to more dangerous malfunctions or even programmed attacks. Notable mishaps that have been documented include a robotic security guard knocking over a child at a California shopping mall, a demonstration robot smashing a window at a Chinese conference and injuring a bystander, and 144 deaths in the United States caused by robotic surgery. All this according to security firm IOActive. These incidents “clearly demonstrate the serious potential consequences of robot malfunctions,” the consultancy says in a white paper it recently published about existing robot security (PDF).

Microsoft paying a bug bounty of $30,000

First off, I have to issue something of a correction regarding last week's blog post on Intel price cuts. As it turns out, I have been informed that Intel didn't cut the prices; Micro Center cut them as a loss leader, something it frequently does. It doesn't change the bargain prices, just the motivation. So, I wanted to set the record straight on that. Onward. Microsoft is looking for a few good bugs. And people who will keep it quiet. OK, so I have no evidence of direct causality, but it seems convenient. Over the past few weeks, Google has embarrassed Microsoft twice by publicly disclosing security vulnerabilities in Windows 10 that still have not been patched after 90 days. Google has no mercy with its Zero Day disclosures and plays no favorites. Any company that does not fix a bug by 90 days after Google informs them of it will be hung out to dry.

Should police departments be able to have their own DNA databases?

DNA is supposed to be the answer for solving cold cases. For example, Wisconsin police have turned to DNA to help solve a 42-year-old cold case of “Baby Sarah.” Recently in Niagara Falls, cops found the man responsible for a smash-and-grab robbery committed 11 years ago, in 2006, via DNA that the man had been ordered to submit for unrelated offences. But it takes some state labs a year and a half to process DNA, so some police departments are bypassing the state labs and creating their own DNA databases to track criminals.

US DOJ drops child porn case to avoid disclosing Tor exploit

The U.S. Department of Justice is asking a federal court to dismiss its indictment in a case that involves a child porn site known as Playpen after a judge asked the government to disclose the hacking technique it used to gather evidence. "The government must now choose between disclosure of classified information and dismissal of its indictment," the DOJ said in a court filing Friday. "Disclosure is not currently an option." The case involves Jay Michaud, a school administrator from Vancouver, Washington, who was arrested in July 2015 for allegedly viewing child porn images on Playpen. Michaud's case was one of at least 137 cases brought throughout the U.S. in relation to Playpen, a website that operated on the Tor anonymity network and which the FBI managed to seize in 2015.

Okta acquires Stormpath to boost its identity services for developers

Okta has acquired Stormpath, a company that provides authentication services for developers. The deal should help the identity provider improve its developer-facing capabilities. Stormpath offered developers a set of tools for managing user logins for their apps. Rather than building a login system from scratch, developers could call the Stormpath API and have the company take care of it for them. Frederic Kerrest, Okta’s co-founder and Chief Operating Officer, said that the acquisition should help his company build self-service capabilities for developers. While Okta is probably best known for its identity and access management products aimed at businesses’ internal use, the company also operates a developer platform aimed at helping app developers handle user identity. Kerrest said that the developer capabilities are a fast-growing part of Okta’s business, but that its functionality could use some help. That’s where this acquisition comes in.

New products of the week 3.6.17

Our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow. A10 Networks Thunder CFW, with integrated Gi/SGi firewall capabilities.

Review: vArmour flips security on its head

Almost every cybersecurity program these days does some sort of scanning, sandboxing or traffic examination to look for anomalies that might indicate the presence of malware. We’ve even reviewed dedicated threat-hunting tools that ferret out malware that’s already active inside a network. However, what if there were a different way to approach security? Instead of searching for behaviors that might indicate a threat, what if you could define everything that is allowed within a network? If every process, application and workflow needed to conduct business could be defined, then by default everything outside of those definitions could be flagged as illegal. At the very least, critical programs could be identified and all interactions with them could be tightly defined and monitored. It’s a different way of looking at security, called segmentation.

Ransomware attack hit Pennsylvania Democratic Senators

The Pennsylvania Senate Democratic Caucus was hit with a ransomware attack, locking 16 Democratic senators and their staff out of their computer network. The attack was discovered on Friday morning; at the time of publishing on Sunday, the site was still down and displayed an “error establishing a database connection” message. The same error displays when trying to view each Democratic senator’s website. “Officials from the caucus have been in contact with law enforcement to investigate the incident and are working with Microsoft to restore the IT system,” according to a written statement text-messaged to reporters and obtained by The Hill. It was sent via text since the caucus could not use its email. “There is currently no indication that the caucus system was targeted or that any data has been compromised.”

Ransomware attack hit Pennsylvania Democratic senators

The Pennsylvania Senate Democratic Caucus was hit with a ransomware attack, locking 16 Democratic senators and their staff out of their computer network. The attack was discovered on Friday morning; at the time of publishing, the Pennsylvania Senate Democratic Caucus website was still down and displayed an “error establishing a database connection” message. The same error displays when trying to view each Democratic senator’s website. “Officials from the caucus have been in contact with law enforcement to investigate the incident and are working with Microsoft to restore the IT system,” according to a written statement text-messaged to reporters and obtained by The Hill. It was sent via text, since the caucus could not use its email. “There is currently no indication that the caucus system was targeted or that any data has been compromised.”

Enough with “the Cyber”!

Email is great; it’s transformed business, enabled geographically dispersed families and friends to stay in touch, redefined news distribution, transformed sales pipelines … the list of good stuff about email is endless. But, as many people have discovered to their cost, keeping control of your email account requires effort, effort like not using dumb, easy-to-guess passwords, and making sure your email hosting service is reliable and not, for example, Yahoo or AOL. And these issues aren’t anything like new, recent discoveries; we’ve all known for over a decade where the risks lie … well, all of us except, apparently, for the government. I don’t know about you, but during the 2016 election I was fairly surprised when the Democratic National Committee email system was hacked, after which the email account of John Podesta, the DNC chairperson, was hacked. You’d have thought that the folks who manage IT for these people would have known the risks and done more to minimize exposure, but when simple phishing and malware intrusions that should never have happened, and which went undetected, were successful, then you have to wonder where the disconnect lies.

HackerOne offers bug bounty service for free to open-source projects

HackerOne, the company behind one of the most popular vulnerability coordination and bug bounty platforms, has decided to make its professional service available to open-source projects for free. "Here at HackerOne, open source runs through our veins," the company's representatives said in a blog post. "Our company, product, and approach is built on, inspired by, and driven by open source and a culture of collaborative software development. As such, we want to give something back." HackerOne is a platform that makes it easier for companies to interact with security researchers, triage their reports, and reward them. Very few companies have the necessary resources to build and maintain bug bounty programs on their own with all the logistics that such efforts involve, much less so open-source projects that are mostly funded through donations.

Security alert overload threatens to bury security teams

When it comes to incident detection and response, enterprise organizations are collecting, processing and analyzing more security data through an assortment of new analytics tools: endpoint detection and response (EDR) tools, network analytics tools, threat intelligence platforms (TIPs), etc. When each of these threat management or security analytics tools sees something suspicious, it generates a security alert, and therein lies the problem: Enterprise organizations are getting buried by an avalanche of security alerts. According to ESG research: When asked to identify their top incident response challenges, 36 percent of the cybersecurity professionals surveyed said, “keeping up with the volume of security alerts.” Forty-two percent of cybersecurity professionals say their organization ignores a significant number of security alerts because they can’t keep up with the volume. When asked to estimate the percentage of security alerts ignored at their organization, 34 percent say between 26 percent and 50 percent, 20 percent of cybersecurity professionals say their organization ignores between 50 percent and 75 percent of security alerts, and 11 percent say their organization ignores more than 75 percent of security alerts. Mamma Mia, that’s a lot of security alerts left on the cutting room floor. All told, the ESG data indicates

The 10 essential Reddits for security pros

Reddit isn’t just about viral news stories and viral memes or heated thread debates, although there is always plenty of that on the sharing and social media site. For security professionals, as well as those interested in pursuing the field of cybersecurity, there is a wealth of advice, content, and conversation, from deep and dirty forensics work to the latest on cyberlaw and everything in between, if you know where to look.

U.S. Marshals warn against dual phone scams

The U.S. Marshals are warning the public not to respond to two recent scams involving people fraudulently posing as Marshals making calls across the country. The first is a warning about a scam where the fraudster calls members of the public, alleging that they, or their family members, have an active federal arrest warrant and demanding payment of fines. “Recently, there were reported attempts of a fraudulent caller who identified himself as a Deputy United States Marshal. This phony law enforcement officer informed the potential victims that warrants were being issued for them or their family member due to being absent from a federal grand jury they were previously summoned to appear before. The potential victims were then informed they could avoid arrest by paying a fine by electronic fund transfer or cashier’s check. The Marshals Service became aware of the scam after receiving information from several calls from alert citizens,” the service wrote.

Fileless PowerShell malware uses DNS as covert communication channel

Targeted attacks are moving away from traditional malware to stealthier techniques that involve abusing standard system tools and protocols, some of which are not always monitored. The latest example is an attack dubbed DNSMessenger, which was analyzed by researchers from Cisco Systems' Talos team. The attack starts with a malicious Microsoft Word document distributed through an email phishing campaign. When opened, the file masquerades as a "protected document" secured by McAfee, an antivirus brand now owned by Intel Security. The user is asked to click on the enable content button in order to view the document's content, but doing so will actually execute malicious scripting embedded within.

Infosec mourns over Howard Schmidt, who helped make the country a safer place

Howard Schmidt advised both President Barack Obama and President George W. Bush on cybersecurity. He was a CSO at Microsoft and a CISO at eBay. He led several industry groups, and wrote books on cybersecurity. But when security professionals remember him, it is not so much for his technical accomplishments as for the impact he had on the people around him. He is remembered as a mentor, a communicator, and an educator. "He does have a very storied path of accomplishment," said Mary Ann Davidson, CSO at Redwood City, Calif.-based Oracle Corp. "From a security standpoint, he had a tremendous impact, the many roles he played, the work in the White House."

Pence used private mail for state work as governor, account was hacked

U.S. Vice President Mike Pence reportedly used a private email account to transact state business when he was governor of Indiana, and his AOL account was hacked once, according to a news report. Emails released to the Indianapolis Star following a public records request are said to show that Pence used his personal AOL account to communicate with his top advisers on issues ranging from security gates at the governor’s residence to the state’s response to terror attacks across the globe. A hacker seems to have gained access to his email account in June last year and sent a fake mail to people on the former governor’s contact list, claiming that Pence and his wife had been attacked on their way back to their hotel in the Philippines, according to the report. Pence subsequently changed his AOL account.

Slack bug paved the way for a hack that can steal user access

One bug in Slack, the popular work chat application, was enough for a security researcher to design a hack that could trick users into handing over access to their accounts. Bug bounty hunter Frans Rosen noticed he could steal Slack access tokens to user accounts due to a flaw in the way the application communicates data in an internet browser. “Slack missed an important step when using a technology called postMessage,” Rosen said on Wednesday in an email. postMessage is a browser API that lets separate browser windows communicate with each other. In Slack, it’s used whenever the chat application opens a new window to enable a voice call.