In moments of optimism, I’d like to believe there is still some common ground upon which liberals and conservatives – even supporters of President Trump – can stand with firm resolve. One such patch should be ensuring privacy protections for the digital devices and sensitive personal information of all U.S. citizens when they pass through border checkpoints. Toward that end, U.S. Sen. Ron Wyden, D-Ore., has signaled his intention to file legislation that would require customs and law enforcement agencies to acquire a warrant before compelling access to a U.S. traveler’s electronic device and also prohibit the growing practice of demanding social media identities and passwords. In a letter to John Kelly, director of homeland security, Wyden poses the following questions:
Microsoft released MS17-005 to patch critical flaws in Adobe Flash Player, but that’s it. Microsoft didn’t release the fix for the two zero-day exploits disclosed this month. After the company said patches would be delayed in February, it clarified that security updates would instead be released on Patch Tuesday in March. Yet InfoWorld’s Woody Leonhard reported that Microsoft emailed its largest customers on Monday with a heads-up about the Flash patches for Internet Explorer and Edge.
After deciding to postpone its February patches for a month, Microsoft released one critical security update for Windows on Tuesday that contains Flash Player patches released by Adobe Systems last week. The new security bulletin, identified as MS17-005, is rated critical for Windows 8.1, Windows RT 8.1, Windows 10 and Windows Server 2016, and moderate for Windows Server 2012 and Windows Server 2012 R2. On these Windows versions, Flash Player is bundled by default with Internet Explorer 11 and Microsoft Edge, so Microsoft delivers patches for it through Windows Update. This month's Flash Player patches were released by Adobe on February 14 and address 13 vulnerabilities that could lead to remote code execution. Typically Adobe releases patches on the same day as Microsoft, a day known in the industry as Patch Tuesday. This month, though, Microsoft postponed its updates at the last minute due to an unspecified issue that, it said, could have affected customers.
No one wants to believe they'd fall for a phishing scam. Yet, according to Verizon's 2016 Data Breach Investigations Report, 30 percent of phishing emails get opened. Yes, that's right -- 30 percent. That incredible click-through rate explains why these attacks remain so popular: they just work. Phishing works because cybercriminals take great pains to camouflage their "bait" as legitimate email communication, hoping to convince targets to reveal login and password information and/or download malware, but there are still a number of ways to identify phishing emails. Here are five of the most common elements to look for.
To keep private Wi-Fi networks secure, encryption is a must-have -- and using strong passwords or passphrases is necessary to prevent the encryption from being cracked. But don’t stop there! Many other settings, features and situations can make your Wi-Fi network as insecure as, or even more insecure than, using a weak password. Make sure you’re not leaving your network vulnerable by doing any of the following.

1. Using a default SSID or password
Your Wi-Fi network’s name, called the service set identifier (SSID), can make your network less secure. If you leave the default SSID for your router or wireless access point (AP), such as linksys or dlink, it can increase the chances of someone successfully cracking the Wi-Fi password. This is because dictionary-based cracking depends upon the SSID, and a default or common SSID makes it a bit easier. So do not use any default SSID; instead, carefully choose your own.
Just what the world needs, another Linux distro. But does the fact it came from a top anti-malware vendor give it a competitive edge in the quest for security? Eugene Kaspersky, CEO of the antivirus company that bears his name, took to his blog to announce KasperskyOS, a project that has been in the works for 14 years. Talk about slow development time. KasperskyOS is available for both x86 and ARM processors. It takes concepts from the Flux Advanced Security Kernel (FLASK) architecture, which was used in SELinux and SEBSD, but builds a new OS from scratch with security in mind, enabling what he calls "global Default Deny at the process level."
Microsoft has launched Project Sangam, a cloud service integrated with LinkedIn that will help train and generate employment for middle and low-skilled workers. The professional network that was acquired by Microsoft in December has been generally associated with educated urban professionals, but the company is now planning to extend its reach to semi-skilled people in India. Having connected white-collar professionals around the world with the right job opportunities and training through LinkedIn Learning, the platform is now developing a new set of products that extends this service to low- and semi-skilled workers, said Microsoft CEO Satya Nadella at an event on digital transformation in Mumbai on Wednesday.
The Java and Python runtimes fail to properly validate FTP URLs, which can potentially allow attackers to punch holes through firewalls to access local networks. On Saturday, security researcher Alexander Klink disclosed an interesting attack where exploiting an XXE (XML External Entity) vulnerability in a Java application can be used to send emails. XXE vulnerabilities can be exploited by tricking applications into parsing specially crafted XML files that force the XML parser to disclose sensitive information such as files, directory listings, or even information about processes running on the server. Klink showed that the same type of vulnerability can be used to trick the Java runtime into initiating FTP connections to remote servers by feeding it FTP URLs in the form of ftp://user:password@host:port/file.ext.
Cisco today announced a variety of hardware, software and services designed to increase network virtualization and bolster security for campus, branch office and cloud customers. The products, which include a Network Functions Virtualization branch office device and improved security network segmentation software, fall under Cisco’s overarching Digital Network Architecture plan. DNA offers integrated networking software—virtualization, automation, analytics, cloud service management and security under a single suite.
Many of the readers of this blog are aware that ever since Cisco acquired SourceFire, and cybersecurity industry legends such as Marty Roesch took leadership roles within the company, Cisco's initiative is for all security products to be open and to interoperate with other products. Another very large acquisition was OpenDNS, and the CEO from OpenDNS now leads all of the security business at Cisco. The culture is all about Cisco products, as well as non-Cisco products, working better together.
For many, it's shocking to think about Cisco as a vendor pushing for openness and standards. I'm not sure why, because Cisco has spent its life creating networking protocols and then helping them to become standards available to all. But I digress.
A homeowner reports a robbery. His IoT-enabled pacemaker shows no change in heart rate during the robbery. Can investigators obtain that information from the service provider? Should they?
Issues of privacy increase as IoT sensors collect more information about us. What rights do individuals have over the information collected about them? Can the accuracy of sensor data be trusted?
While the cybersecurity industry was knee-deep in vision, rhetoric and endless cocktail parties at the RSA Conference, the State of New York introduced new cybersecurity regulations for the financial services industry. The Department of Financial Services (DFS) regulations (23 NYCRR 500) go into effect next week on March 1, 2017. Here’s a link to a pdf document describing the regulations. Anyone who has reviewed similar cybersecurity regulations will find the requirements in 23 NYCRR 500 familiar, so while the regulations are somewhat broader than other similar stipulations, there are obvious common threads. In reviewing the document, however, section 500.10 caught my eye. Here is the text from this section:
“When you go online you reveal a tremendous amount of private information about yourself,” wrote the Electronic Frontier Foundation (EFF). “What you browse, what you purchase, who you communicate with—all reveal something personal about you.” These are examples of what your ISP knows about you. But it’s more than that for people with smart connected devices. Think about a smart refrigerator. As former FCC Chairman Tom Wheeler asked, “Who would have ever imagined that what you have in your refrigerator would be information available to AT&T, Comcast, or whoever your network provider is?” Who would have thought they could sell that type of information? The FCC did something about that last year by putting privacy protections in place for when you use your broadband provider.
For many in the cybersecurity space, the world revolves around the attack vector. Many security vendors narrowly focus on their version of the prevent, defend and respond paradigm—focusing on their purported supremacy and on making their case to get a piece of the enterprise security budget pie.
At the recent RSA Conference in San Francisco, however, there were some hopeful signs that this narrow view and myopic perspective is evolving—at least for some.
“Don't draw lines that separate different fields. Draw connections that bring them together,” implored RSA CTO Dr. Zulfikar Ramzan in the opening keynote as he called for business-driven security. “In my experience, today's security professionals must also draw connections between security details and business objectives.”
Everyone knows corporate data breaches can be expensive, but does anyone really know exactly how expensive? Recent estimates for the average cost have landed all over the map, ranging from $4 million to $7 million. But when it comes to the top end of the scale, those appraisals turn out to be laughably small.
The massive Yahoo data breaches of 2013 and 2014 now have a real cost attached to them, and it’s a couple of orders of magnitude larger than those piddly estimates. Simply put, the breaches forced Yahoo to renegotiate its sale to Verizon, cutting the price by $350 million.
Verizon Communications will pay US$350 million less for Yahoo after two major data breaches reported by the struggling internet pioneer. Verizon will pay about $4.48 billion for Yahoo's operating business, and the two companies will share any potential legal and regulatory liabilities arising from two major data breaches announced in late 2016. The companies announced the amended terms of the deal Tuesday. Back in October, one news report had Verizon seeking a $1 billion discount after the first breach was announced.
Security-wise, the internet of things is going as badly as most computer security experts predicted. In fact, most vendors don’t fully appreciate the potential threats IoT devices pose. Anything connected to the internet and running code can be taken over for malicious purposes. Given the accelerating proliferation of internet-connected devices, we could be hurtling toward catastrophe. Personal security cameras, for example, are being used to conduct the largest denial-of-service attacks the world has ever seen, not to mention allowing strangers to spy on the very people the cameras are supposed to protect.
In the last few years, the attack surface has changed from defending the perimeter to protecting applications in the cloud, leaving CISOs wondering how they can best allocate funds to stay ahead of attacks. Misha Govshteyn, co-founder and CISO at Alert Logic, said, "For a long time, when people thought about defensive strategies it was about their enterprise or their perimeters, where the infrastructure ends and the outside world begins." According to Earl Perkins, research vice president, digital security, the IoT group at Gartner, "We now embrace multiple forms of wireless networks as an enterprise. We distribute smaller, fit-for-purpose devices that have some processor and memory function, but aren’t general-purpose platforms in the sense of traditional IT. All of these are now ingress points and vulnerable assets if they are inadequately protected."