On the hunt for merger or acquisition? Make sure your target is secure

Security experts regularly exhort organizations to improve their security not just internally but externally as well, in their business relationships with third parties.In many cases, it is more than an exhortation – it’s a mandate. Last year’s updated standards for the payment card industry (PCI) made a point of addressing third-party risks.But some evidence suggests an area of third-party relationships where security still lags is mergers and acquisitions (M&A).In a survey of, “214 global deal-makers from corporates, financial institutions, investors and legal services providers,” the London-based law firm Freshfields Bruckhaus Deringer found that while there is plenty of awareness (74 percent of acquirers and 60 percent of sellers) about the effect that cyber security risks can have on a pending deal, a large majority of respondents – 78 percent – “believe cyber security is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.”To read this article in full or to leave a comment, please click here

Attackers hijack CCTV cameras and network-attached storage devices to launch DDoS attacks

We've reached a point that security researchers have long warned is coming: insecure embedded devices connected to the Internet are routinely being hacked and used in attacks.The latest example is a distributed denial-of-service (DDoS) attack detected recently by security firm Imperva. It was a traditional HTTP flood aimed at overloading a resource on a cloud service, but the malicious requests came from surveillance cameras protecting businesses around the world instead of a typical computer botnet.The attack peaked at 20,000 requests per second and originated from around 900 closed-circuit television (CCTV) cameras running embedded versions of Linux and the BusyBox toolkit, researchers from Imperva's Incapsula team said in a blog post Wednesday.To read this article in full or to leave a comment, please click here

Finding a Needle in a Galaxy of Roles

We are really excited to announce the release of Galaxy 1.1. It’s only been a few short weeks since Galaxy 1.0 debuted, and here we are again!

This time we added some powerful enhancements to make searching Ansible roles a much better experience. With over 3,500 roles in Galaxy and more being added every day, it can be a real challenge to sift through platforms, categories and descriptions to find exactly what you need. In Galaxy 1.1 we solved this problem.

Galaxy Tags

As the author of a role, you know better than we do how to describe the role and what terms users will search to discover the role. So to make describing roles better for authors and users, we replaced our limited set a categories with Galaxy Tags, allowing the author to add a list of free-form search terms to a role.

Let’s take a quick look at creating a role with Galaxy and using the new Galaxy Tags feature. We start by creating a role using the ansible-galaxy command line utility that comes installed with Ansible:

ansible-galaxy init ansible-role-myrole

 This creates the following directory structure and some supporting files for the new role:

ansible-role-myrole/
 Continue reading

Was CLNP Really Broken?

One of my readers sent me this question after listening to the podcast with Douglas Comer:

Professor Comer mentioned that IP choose a network attachment address model over an endpoint model because of scalability. He said if you did endpoint addressing it wouldn’t scale. I remember reading a bunch of your blog posts about CNLP (I hope I’m remembering the right acronym) and I believe you liked endpoint addressing better than network attachment point addressing.

As always, the answer is “it depends” (aka “we’re both right” ;).

Read more ...

Microsoft to pay up to US$15K for bugs in two Visual Studio tools

Microsoft has started a three-month bug bounty program for two tools that are part of Visual Studio 2015.The program applies to the beta versions of Core CLR, which is the execution engine for .NET Core, and ASP.NET, Microsoft's framework for building websites and web applications. Both are open source."The more secure we can make our frameworks, the more secure your software can be," wrote Barry Dorrans, security lead for ASP.NET, in a blog post on Tuesday.All supported platforms that .NET Core and ASP.NET run on will be eligible for bounties except for beta 8, which will exclude the networking stack for Linux and OS X, Dorrans wrote.To read this article in full or to leave a comment, please click here

Researchers warn computer clocks can be easily scrambled

In 2012, two servers run by the U.S. Navy rolled back their clocks 12 years, deciding it was the year 2000.The servers were very important: they're part of a worldwide network that helps computers keep the right time using the Network Time Protocol (NTP).Computers that checked in with the Navy's servers and adjusted their clocks accordingly had a variety of problems with their phones systems, routers and authentication systems.The incident underscored the serious problems that can occur when using NTP, one of the oldest Internet protocols published in 1985.The protocol is fairly robust, but researchers from Boston University said on Wednesday they've found several flaws in NTP that could undermine encrypted communications and even jam up bitcoin transactions.To read this article in full or to leave a comment, please click here

Researchers warn computer clocks can be easily scrambled

In 2012, two servers run by the U.S. Navy rolled back their clocks 12 years, deciding it was the year 2000.The servers were very important: they're part of a worldwide network that helps computers keep the right time using the Network Time Protocol (NTP).MORE: 10 Cool Network & Computing Research ProjectsComputers that checked in with the Navy's servers and adjusted their clocks accordingly had a variety of problems with their phones systems, routers and authentication systems.To read this article in full or to leave a comment, please click here

Biden vs Risk Analysis

What we try to do in cybersecurity is "risk analysis". Most people get this wrong.

An example of this is today's announcement by vice president Joe Biden that he won't run for president. Many pundits have opined that it's because he can't beat Hillary Clinton. This is wrong.

The phrase "can't beat Hillary" makes no sense. It imagines a world were risk is binary, you either can or you can't. That's not how it work. Instead, we calculate the odds of beating Hillary. That number is not 0%. For one thing, a meteor might hit the earth and strike Hillary dead, so there's always some chance of beating her.

Responsible risk analysts ignore the rhetoric and try to calculate the odds. The easiest way of doing this are on the many betting websites, which have variously given Biden a 5% to 10% of winning the presidency. Given that the presidency is easily worth a billion dollars, and you don't spend your own money (just donations), these are great odds. Everybody who believes their chance is greater than 5% runs -- which is why we have over 20 candidates right now.

In other words, would you pay $10 for a 5% Continue reading

Synack builds intel platform for its penetration testers

Synack, a security company that uses crowdsourcing for penetration testing, has built an intelligence platform that it says will narrow down weak points in a company's network. Based in Redwood City, California, Synack uses a network of freelance security analysts in 35 countries to probe the networks of companies who've signed up to its subscription service. The analysts, who are closely vetted by Synack, get paid based on the vulnerabilities and security problems they find, ranging from $100 up to thousands. The subscription offering means companies are continually analyzed. Jay Kaplan, Synack's co-founder and CEO, said they wanted to build platform that would help its analysts quickly focus their attention on potential trouble spots. Called Hydra, the platform spots vulnerabilities in networks and applications, looks for out-of-date software and other issues.To read this article in full or to leave a comment, please click here

IDG Contributor Network: How much is your stolen personal data worth?

Examples of the different kinds of personal data available online, as well as its value on the black market, is available in a new report (PDF) from Intel Security's McAfee Labs. The report looks at pricing for credit cards, bank account login details, and other stolen personal information.$5 credit card numbers U.S. credit card account numbers complete with date of birth typically run $15, the report says. Basic card numbers without the extra data costs as little as $5."A digital equivalent of physical card would let a criminal buy things until the victim contacts the card issuer and challenge the charges," Raj Samani, CTO for Intel Security in Europe, the Middle East, and Africa, said in a McAfee blog post about the report.To read this article in full or to leave a comment, please click here

Image too good to be true? DARPA program targets image doctoring

It isn’t hard for just about anyone to change or alter an image these days -- and that can be a problem.It’s an issue researchers at the Defense Advanced Research Projects Agency want top put to rest with a new program called Media Forensics or MediFor, which looks to build an algorithmic-based platform that can detect image manipulation.+More on Network World: Gartner: Get onboard the algorithm train!“The forensic tools used today lack robustness and scalability and address only some aspects of media authentication; an end‐to‐end platform to perform a complete and automated forensic analysis does not exist. Although there are a few applications for image manipulation detection in the commercial sector, they are typically limited to a yes/no decision about the source being an “original” asset, obtained directly from an imaging device. As a result, media authentication is typically performed manually using a variety of ad hoc methods that are often more art than science, and forensics analysts rely heavily on their own background and experience,” DARPA stated.To read this article in full or to leave a comment, please click here

1 3,243 3,244 3,245 3,246 3,247 3,808