How to approach keeping your IoT devices safe

With the recent takedown of Dyn and Brian Krebs’ web site, cybercriminals have found a way to use your own devices to bring the Internet to its knees.

Portnox’s CEO Ofer Amitai provides some ways to keep those devices safe from these attacks.

Financial experts forecast more bad news for Apple

Later today Apple will once again announce a sales decline for its biggest product lines, including the iPhone, the company's financial powerhouse, according to more than two dozen analysts.

The September quarter results will be highlighted by a 6% year-over-year reduction in iPhone sales, marking the third consecutive quarter of smartphone slump. The good news? The contraction will be less than half of the two previous quarters.

Apple's continued problems were spelled out by Philip Elmer-DeWitt, who runs the subscription-based Apple 3.0 website. Elmer-DeWitt has been collecting data from financial analysts for years -- starting when he blogged for Fortune -- and the seven independent and 21 institutional experts he queried forecast a drop in unit sales of the iPhone, iPad and Mac, and another decline in total revenue.

IBM looks into the future of A.I. at World of Watson

LAS VEGAS -- In the past five years, IBM's artificial-intelligence-fueled Watson has gone from being a game show champion to operating in such industries as finance, retail, health care and pure research.

In another five years, Watson will be helping a doctor diagnose a patient's symptoms and a company CEO calculate whether to buy a competitor.

That's the word coming from IBM executives speaking Tuesday at the opening of the IBM World of Watson conference here.

"The technology is not even moving fast. It's accelerating. It's moving faster and faster every day," said John Kelly III, senior vice president of Cognitive Solutions and IBM Research. "Honestly, it blows my mind and I'm an optimist."

Rise of the IoT machines

Friday’s distributed denial-of-service attack on domain name service provider Dyn may have seemed like the end of the world for millions of Netflix, Twitter and Spotify users, but security professionals say the service disruption was merely a nuisance attack – although an eye-opening one – compared to the potential damage that can be unleashed by billions of insecure IoT devices.

“It’s really just the tip of the iceberg,” says Nicholas Evans, vice president and general manager within the Office of the CTO at Unisys, where he leads its worldwide applied innovation program. “You can grade the threat intensity as the IoT devices become more autonomous, like self-driving cars, or more controllable, like some of the factory-type devices that actually manipulate the physical environment. That’s where the real threat is.”

Microsoft expands laptop trade-in program to cover Macs

Perhaps Microsoft smells blood in the water because it's getting more aggressive with its laptop trade-in program. A while back it launched a program to trade in old laptops incapable of being upgraded to Windows 10. Now it has a new program, this time targeting old MacBooks.

According to the trade-in page, users can send in almost any type of MacBook Air or MacBook Pro and they will be eligible for the discount. You might not get very much, and you might be better off selling the thing yourself on Craigslist. Then again, a lot of people are nervous about doing sales like that.

Reaction: DevOps and Security

Over at TechBeacon, my friend Chris Romeo has an article up about DevOps and security. It’s interesting to me because this is actually an area I’d never thought about before, even though it makes sense. Given DevOps is essentially writing software to control infrastructure (like routers, compute, and storage), and software needs to be written in a way that is secure, then it should be obvious that DevOps software should be developed with good security principles gleaned from software development as part of the foundation.

And here we face a challenge, as Chris says—

There is no standard that defines security for DevOps, and the chances of a standard ever developing are small because different organizations are doing things their own way, and can’t even agree on a standard name. And while there is a standard for the secure development lifecycle (ISO/IEC 27034-1), few organizations are ever validated against it.

The key point in here is that every organization is doing things their own way. This isn’t wrong, of course, because every organization must have some “snowflakiness” to justify its existence, and that “snowflakiness” is often likely to show up, in a large way, in something like handling resources within

DoJ: What does it take to prosecute federal computer crimes?

The need for vigorous criminal enforcement of cybercrime laws will only become more important as networked computers and the criminals who target them grow.

That was how the Department of Justice started a blog post this week that defined how it decides whether or not to prosecute a federal computer-related crime.

IDG Contributor Network: Residential routers easy to hack

The infamous “admin” user ID and hackable, weak passwords are prevalent on large numbers of home routers, says a security firm. That’s despite the public's increasing awareness of vulnerabilities and associated hacking.

Researchers at ESET recently tested more than 12,000 home routers and found that many of the devices are insecure. Firmware was flawed in some cases.

“Approximately 7 percent of the routers tested show vulnerabilities of high or medium severity,” ESET says in an article on its WeLiveSecurity editorial website. “Fifteen percent of the tested routers used weak passwords, with ‘admin’ left as the username in most cases.”

Robocall Strike Force set to take wraps off battle plan

Two months after accepting its marching orders, the federal Robocall Strike Force chaired by AT&T CEO Randall Stephenson and featuring industry heavyweights such as Verizon, Google and Apple, will tomorrow make public its plan for dramatically reducing the torrent of automated phone calls.

“The Robocall Strike Force is an industry-led group which has been working to develop comprehensive solutions to prevent, detect, and filter unwanted robocalls,” says the FCC. “Robocalls and telemarketing calls are the number one source of consumer complaints received by the FCC. However, giving consumers meaningful control over the calls and texts they receive requires collective action by the industry.”

Workstation software flaw exposes industrial control systems to hacking

The software used to program and deploy code to various Schneider Electric industrial controllers has a weakness that could allow hackers to remotely take over engineering workstations.

The software, known as Unity Pro, runs on PCs used by engineers and includes a simulator for testing code before deploying it to programmable logic controllers (PLCs). These are the specialized hardware devices that monitor and control mechanical processes -- spinning motors, opening and closing valves, etc. -- inside factories, power stations, gas refineries, public utilities and other industrial installations.

Researchers from industrial cybersecurity firm Indegy found that unauthenticated attackers could execute malicious code on Windows computers where the Unity Pro PLC simulator is installed. That code would run with debug privileges, leading to a complete system compromise.

Critical account creation flaws patched in popular Joomla CMS

The Joomla developers are warning website administrators to apply an update for the popular content management system that fixes two critical vulnerabilities.

The flaws are serious enough that the Joomla project released a prenotification about the planned update on Friday, urging everyone to be prepared to install it as soon as possible. This suggests that attacks targeting these vulnerabilities are expected to follow shortly.

Joomla 3.6.4, released Tuesday, fixes a high-priority flaw in the account creation component that could be exploited to create accounts on a Joomla-based website even if user registration has been disabled on it.