Preview: A Security Port Blog
A Security Port Blog
Security related news, security information, virus warnings, alerts and security tips posted daily.
Published: Wed, 19 Sep 2007 01:00:00 -0400
Last Build Date: Wed, 4 Jan 2017 20:21:14 -0500
People are The Biggest Security Risk
Fri, 3 Feb 2017 09:00:00 -0500
Social Engineering Is Often Overlooked
Kevin Mitnick is a criminal-turned-security-expert, kind of like a cybersecurity version of Frank Abagnale. He still hacks for a living, but these days it is in the name of legal penetration testing. His number one piece of advice to clients is to never forget that people are the weakest security link.
Protecting your cybersecurity in 2017
Wed, 1 Feb 2017 09:00:00 -0500
Two weeks ago I made cybersecurity predictions for 2017, and it didn’t take long for one of my predictions to be realized. In fact, it occurred before 2016 was even over.
Earlier this week federal indictments were brought against three Chinese nationals on charges of hacking into at least seven law firms and stealing inside information about mergers and acquisitions involving clients of the law firm. Prosecutors say this inside information was used by the hackers to make stock trades before the public was aware of the impending mergers or takeovers and to make illegal profits of more than four million dollars on the transactions.
This cybercrime is noteworthy not just because it represents a relatively new development in cybercrime but also because it points out that for us as individuals, our own cybersecurity is dependent on the cybersecurity of the many companies and institutions that hold personal information about us. So, one resolution that you should make for the new year is to limit the companies and governmental agencies to which you provide personal information as much as you can.
Naive employees driving cyber security concerns
Mon, 30 Jan 2017 09:00:53 -0500
Despite the perception that hackers are an organization’s biggest cyber security threat, insiders, including careless or naive employees, are now viewed as an equally important problem, according to new research conducted by Dimensional Research on behalf of Preempt.
The growing security threat from insiders report found that 49% of IT security professionals surveyed were more concerned about internal threats than external threats, with the majority (87%) most concerned about naive individuals or employees who bend the rules to get their job done. Only 13% were more concerned about malicious insiders who intend to do harm.
Malware unintentionally installed by employees ranked as the top internal security concern with 73% of respondents claiming they were worried about it, ahead of stolen or compromised credentials (66%), snatched data (65%) and abuse of admin privileges (63%).
The Real Cybersecurity Issues Behind the Overhyped Russia Hacks the Grid Story
Fri, 27 Jan 2017 09:00:00 -0500
Over the past few days, we have seen a story about Russian agents hacking the U.S. power grid spread like wildfire across the internet -- only to be debunked as a wild overstatement of the facts at hand.
Yes, a single laptop belonging to Vermont utility Burlington Electric was found to have visited an IP address cited by the Department of Homeland Security and the FBI as being associated with a Russian hacking operation, dubbed Grizzly Steppe, that also hacked the U.S government during the election.
But there is no evidence that this amounted to anything other than a utility employee checking his or her Yahoo email account, as the Washington Post reported Monday in what amounts to an extensive retraction of its Friday story that started the firestorm.
Wed, 25 Jan 2017 09:00:00 -0500
Presidential Election hacks
The last clamorous even of 2016 is the executive order of the President Barack Obama that ejected 35 people in retaliation for the cyber-attacks against the numerous cyber-attacks against politicians involved in the Presidential Election. Russian hackers broke into the systems of the Democratic National Committee, Democratic Congressional Campaign Committee, and Podesta Emails.
Shadow Brokers hacked the NSA-linked group Equation Group
Last summer a mysterious hacker group calling themselves the Shadow Brokers hacked into “Equation Group” arsenal. In February 2015, security researchers at Kaspersky revealed the existence of a hacker group, called Equation Group, that has been active since 2001 and that targeted practically every industry with sophisticated zero-day malware. Researchers linked the Equation Group to the NSA Agency.
YAHOO Data breach
In 2016, security experts discovered two data breaches suffered by Yahoo in 2012 and 2014. The second one occurred in fall 2013 is the biggest one regarding sheer magnitude, experts estimated it has impacted one billion accounts. Personal users’ information was compromised, including names, email addresses, phone numbers, birthdays, hashed passwords, and security questions and answers. No financial data was exposed.
Weaponizing the Internet of Things – The DYN DNS hack
In 2016, we assisted in massive DDoS attacks powered by Internet of Things devices that created serious problems.
Mon, 23 Jan 2017 09:00:00 -0500
Last year consumer, corporate, and political targets were hammered by ransomware extortion attempts, phishing excursions, and DDoS attacks. Driven by this slew of high-profile attacks, cybersecurity has rapidly emerged as a priority in 2017 for enterprise companies and SMBs.
To visualize emerging cybersecurity issues, TechRepublic and data firm Affinio sampled and diagrammed social media data from influential communities. TechRepublic previously used Affinio technology to better understand digital business trends, including voter priorities during the 2016 presidential campaign, how tech groups talk about Edward Snowden, and web media related to the Russian cyberattack.
Affinio extracts insights from web, mobile, and social media data. The companys algorithm grabs snapshots of naturally-forming user clumps and communities, then visualizes how each group is connected. For example, unsurprisingly, health care experts tend to communicate online with other health care experts. Affinio analysis shows that health care experts also communicate with information experts, tech news consumers, and digital marketers.
This Wi-Fi router will protect your smart fridge from hackers
Fri, 20 Jan 2017 09:00:00 -0500
A new batch of routers seeks to ward off hacks that leverage your smart homes computing power for nefarious purposes.
This added protection responds to a growing security threat for households. In October, hackers used a code called Mirai to hijack home devices like DVRs and routers and create a botnet that then took down many popular websites.
Amid the outcry, security firms have seen a need and a market. Multiple devices that offer home protection from hacks are set to hit store shelves beginning in the spring.
The Download on the DNC Hack
Wed, 18 Jan 2017 09:00:41 -0500
Over the past few days, several longtime readers have asked why I have not written about two stories that have consumed the news media of late: The alleged Russian hacking attacks against the U.S. Democratic National Committee (DNC) and, more recently, the discovery of malware on a laptop at a Vermont power utility that has been attributed to Russian hacker groups.
I have avoided covering these stories mainly because I do not have any original reporting to add to them, and because I generally avoid chasing the story of the day — preferring instead to focus on producing original journalism on cybercrime and computer security.
Your New IT Hard Target: Printer Security
Mon, 16 Jan 2017 09:00:00 -0500
Printers being hacked is nothing new. It’s even hit the headlines a few times with one being used to store pirated files, then another being programmed to display a paperclip on every page it printed. It seemed harmless at first. But then Columbia University discovered you could actually cause a printer’s fuser to continually heat up, potentially burning up more than your maintenance budget.
The real page turner happened when it was revealed that someone outside your organization could use it as a weak point to attack your network. But that’s not all. Someone invading your printer’s memory can retrieve documents, set it so they’re sent a copy of everything you print and scan, and more.
IoT predictions: IoT security in 2017
Fri, 13 Jan 2017 09:00:00 -0500
Nobody doubted that IoT security was a disaster when, well, disaster struck — the Mirai botnet took down swaths of the internet through a fairly simple, preventable attack.
But experts believe there are going to be more susceptible devices in 2017 than ever — and hackers will be on the lookout.
Sometime during 2017 we should anticipate the release of an automatically propagating IoT worm that installs a small, persistent malicious payload that not only continues to infect and propagate amongst other vulnerable IoT devices, but automatically changes all the passwords necessary to remotely manage the device itself,
said Gunter Ollman, CSO at Vectra Networks.
Amazon Alexa is stepping into home security automation with ADT
Wed, 11 Jan 2017 09:00:00 -0500
At the 2017 CES in Las Vegas, home security company ADT announced that it was adding support for the Amazon Echo and Echo Dot.
ADT customers will soon be able to control their home security system through the Amazon Alexa voice service. On Wednesday, at the 2017 Consumer Electronics Show (CES), ADT announced that its Pulse ecosystem will now support the Amazon Echo and Echo Dot products.
Pulse gives ADT customers remote access to their security system and offers some home automation features. With the integration of Amazon Alexa, ADT customers will now be able to arm and disarm their security system using voice commands and a secure PIN, according to a press release.
Call to Centralize Security in Germany Broaches a Postwar Taboo
Mon, 9 Jan 2017 09:00:00 -0500
As Germany struggles to respond to worsening attacks inspired by Islamic terrorists, the country’s top security official on Tuesday strongly advocated consolidating greater intelligence and security powers with the federal government, a taboo since World War II.
Thomas de Maizière, Germanys interior minister and a close ally of Chancellor Angela Merkel, argued that such a step was needed to steel the country against modern threats posed by terrorism, cyberattacks and an increased number of migrants seeking to enter the country.
The federal governments of Germany’s European partners and other established democracies already hold such powers, he noted, stressing that It is time
to re-examine Germany’s security setup.
5 easy steps to better online security
Fri, 6 Jan 2017 09:00:00 -0500
A finger tap is the most common and necessary action we take on our computers and devices. It’s also the most dangerous.
Cybersecurity — the personal behaviors and actions you take to protect yourself in the online world from identity thefts, frauds and other crimes aimed at stealing your personal information and data — is a serious personal issue. So we all need to know how to protect ourselves. Below are five action steps to do it; most take 10 minutes or less. (The book has 13 more.)
Action step 1: Create a secret email address
Estimated completion time: Less than 10 minutes
Creating a secret email address will boost your security by reducing the number of places hackers may find the email you use for your financial accounts.
Email address: Avoid using any personal information about yourself when you create your email address — the portion that comes before the @ sign.
Action step 2: Get a password manager
Estimated completion time: Less than 30 minutes
A password manager will enhance your safety and make your online life easier by eliminating the need to clog your brain remembering weak passwords. It lets you store your passwords in an encrypted file on your computer or in the cloud,
Drones in homes: Flying cameras map security threats, warn homeowners
Wed, 4 Jan 2017 19:39:51 -0500
Armies of drones could soon help protect homeowners from unwanted visitors as part of a newly-developed smart security plan being mooted at the Consumer Electronics Show (CES) in Las Vegas.
A collaborative effort using products designed by Alarm.com and Quallcom Technology Inc, the system involves drones mapping out complex activity patterns
of a property and responding to unexpected events such as a home invasion.
The development essentially allows a computer and drones to understand patterns of movement within a building and update people on anomalies that could potentially be a threat.
New Scanners and Conveyors Could Make Airline Security Faster and Safer
Mon, 5 Dec 2016 01:59:00 -0400
Instead of queuing up in order of arrival, travelers take an open spot alongside a conveyor belt. They then put their shoes, luggage, keys, and other items into tubs and push them onto the belt—skipping past slow pokes having trouble removing their shoes. Suspicious luggage is automatically diverted to a special area so it can be searched without having to stop the conveyor belt.
Do Not Let A Lack of Resources Compromise Your Cyber Security
Fri, 2 Dec 2016 13:59:42 -0400
For a company with limited resources, employees can be tremendously valuable watch dogs
if they’re given the proper tools and education. Very few of us are experts on cyber security, and employees often expect their work files and information to be automatically protected through antivirus or company filters. Providing rudimentary information about cyber safety and best practices – and arming employees with a few quick tips like the following – can help prevent avoidable security incidents.
How security flaws work: SQL injection
Wed, 30 Nov 2016 09:00:00 -0400
SQL injection attacks exist at the opposite end of the complexity spectrum from buffer overflows, the subject of our last in-depth security analysis. Rather than manipulating the low-level details of how processors call functions, SQL injection attacks are generally used against high-level languages like PHP and Java, along with the database libraries that applications in these languages use. Where buffer overflows require all sorts of knowledge about processors and assemblers, SQL injection requires nothing more than fiddling with a URL.
As with buffer overflows, SQL injection flaws have a long history and continue to be widely used in real-world attacks. But unlike buffer overflows, theres really no excuse for the continued prevalence of SQL injection attacks: the tools to robustly protect against them are widely known. The problem is, many developers just don't bother to use them.
Simple Cyber Security Tips to Protect Your Online Accounts Against Hackers
Mon, 28 Nov 2016 12:00:00 -0400
At the end of the day, it all boils down to having a healthy sense of skepticism about the emails you receive, along with making and protecting strong passwords for all of your accounts, experts say.
Or, if you have the money, you could plunk down $14,000 or so for a military-grade smartphone to help thwart hackers — but a little cyber savvy will certainly cost a lot less.
Why security is really all about trust
Fri, 25 Nov 2016 09:00:51 -0400
Security is not black and white. It is not a choice between full security and no security -- it is a continuum with a lot of gray in between.
Full security, even if achievable, would secure
things beyond the realm of reasonable usability. But even then hackers would find a way in.
The base component of trust in the security world is, of course, good security. Customers want to be assured that a product will not open the door to random hacking, harassment, and unauthorized activity. When a piece of software or hardware gets hacked too many times, customers look elsewhere.
FBI, Homeland Security sued for records on surveillance of Black Lives Matter activits
Wed, 23 Nov 2016 14:02:00 -0400
Human rights attorneys filed a lawsuit against the Federal Bureau of Investigation and Department of Homeland Security on Thursday for failing to release documents on the agencies’ surveillance of Black Lives Matter protests and activists.
The lawsuit was filed by the Center for Constitutional Rights and the Milton A. Kramer Law Clinic Center at Case Western Reserve University School of Law.
Federal surveillance of activists started when the Movement for Black Lives began during protests against the police killing of an unarmed black teenager, Michael Brown, in Ferguson, Missouri. A July 2015 Intercept report by journalist George Joseph revealed that, according to documents obtained through a Freedom of Information Act request, the Department of Homeland Security has collected information, including location data, on peaceful Black Lives Matter protests.
How tech like security cameras brought down Twitter, Amazon, and Netflix
Mon, 21 Nov 2016 09:00:00 -0400
Billions of devices are connected to the internet in some way, shape, or fashion. It is simply inevitable. They need it for maintenance, updates, convenience, and functionality. Some devices connect to the internet and you probably barely even knew, if at all. Things like Security Cameras, Smart Door locks, Your TV’s DVR, and some more obvious things like Smart TV’s, and Streaming Devices.
Now the stunning part, all of those devices were used to bring down the sites you love like Twitter, Amazon, and Netflix. Yep. Things like security cameras brought Twitter to its knees. But how?
There was a massive siege on Dyn, a New Hampshire-based company that monitors and routes Internet traffic. This devastating attack proved that the devices made to keep you secure aren’t secure themselves. That would be similar to having a depressed counselor. It doesn’t make sense, does it?
But that is how the Internet of Things (IoT) is. There really is barely anything stopping someone taking control of these devices, because no one ever thought they could be used to bring down billion-dollar companies.
Dyn was hit by something called a Distributed Denial of Service attack, or a DDoS attack. What happens in one of these attacks is that a barrage of devices send fake requests to the servers for information. This prevents real requests from getting through to the server, either severely slowing down services or totally taking them offline.
Right now there is no idea who performed the attack. It could be one very determined person, a group of people, or a government even (but probably not).
Microsoft Cloud Security
Sat, 19 Nov 2016 09:00:00 -0400
Microsoft Cloud App Security is a component of Microsoft Enterprise Mobility + Security E5, and enables customers to discover and secure all the cloud apps in use within their organizations. Once the apps are discovered, customers can put comprehensive controls in place for management and monitoring. Microsoft Cloud App Security helps you do three things:
Gain visibility into what cloud applications are being used in your organization today
Implement data control over those applications
Leverage ongoing behavioral analytics as a part of the threat protection model
The architecture for how Cloud App Security accomplishes this is shown in the image below. In most cases, Step 1 is already being done. Users are going about their daily work and using cloud apps. Step 2 is where cloud traffic logs are analyzed by Cloud App Security to determine which apps are in use. In Step 3, an administrator reviews the apps, and either sanctions or restricts them. Finally, Step 4 leverages the APIs of the cloud apps to implement connections, controls, and ongoing monitoring for compliance and threat analysis. This process happens as a repeating cycle.
Hacked Cameras, DVRs Powered Today’s Massive Internet Outage
Thu, 17 Nov 2016 09:00:00 -0400
A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.
Earlier today cyber criminals began training their attack cannons on Dyn, an Internet infrastructure company that provides critical technology services to some of the Internet’s top destinations. The attack began creating problems for Internet users reaching an array of sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.
At first, it was unclear who or what was behind the attack on Dyn. But over the past few hours, at least one computer security firm has come out saying the attack involved Mirai, the same malware strain that was used in the record 620 Gpbs attack on my site last month. At the end September 2016, the hacker responsible for creating the Mirai malware released the source code for it, effectively letting anyone build their own attack army using Mirai.
Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.
According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet.
Record Immigrant Numbers Force Homeland Security to Search for New Jail Space
Tue, 15 Nov 2016 09:00:38 -0400
U.S. officials expect number of undocumented immigrants awaiting deportation to reach 45,000 in the coming months.
Homeland Security officials are quietly scrambling to find 5,000 more prison and jail beds to handle a record number of undocumented immigrants being detained in the U.S., according to officials familiar with the discussions.
Homeland Security Secretary Jeh Johnson met Tuesday with senior leaders at the Immigration and Customs Enforcement agency and the Customs and Border Protection agency—both of which are in his department—so officials could review their plans to handle thousands more people expected to cross the southwest border with Mexico in coming weeks, the officials said.
ICE is currently holding more than 40,000 people in detention centers—more than it has ever had in custody before—and has warned budget officials that it needs a quick infusion of $136 million more just to keep running detention centers until early December, according to internal Department of Homeland Security documents and officials.
3 ways Windows Server 2016 is tackling security
Sun, 13 Nov 2016 13:32:18 -0400
Every version of Windows — client and server — has promised improved security. But with Windows 10 and Windows Server 2016, Microsoft is going beyond the usual incremental improvements and closing of loopholes and giving you the tools to reduce the dangers of phished credentials, over-privileged admins and untrustworthy binaries.
Fri, 11 Nov 2016 09:00:00 -0400
Geofeedia marketed its abilities to law enforcement agencies and has signed up more than 500 such clients, according to an email obtained by the American Civil Liberties Union. In one document posted by the organization, as part of a report released on Tuesday, the company appears to point to how officials in Baltimore, with Geofeedias help, were able to monitor and respond to the violent protests that broke out after Freddie Gray died in police custody in April 2015.
Geofeedia appears to have used programs that Facebook, Twitter and other social media companies offered that allow app makers or advertising companies to create third-party tools, like ways for publishers to see where their stories are being shared on social media.
Facebook, Twitter and Instagram say they have cut off Geofeedia’s access to their information. But civil liberties advocates criticized the companies for lax oversight and challenged them to create better mechanisms to monitor how their data is being used.
After massive cyberattack, shoddy smart device security comes back to haunt
Wed, 9 Nov 2016 09:00:00 -0400
Almost everyone affected by the cyberattack had a part to play — from shipping shoddy devices to a consumer apathy towards security.
Friday morning saw the largest internet blackout in US history. Almost every corner of the web was affected in some way -- streaming services like Spotify, social sites like Twitter and Reddit, and news sites like Wired and Vox appeared offline to vast swathes of the eastern seaboard.
After suffering three separate distributed denial-of-service (DDoS) attacks, Dyn, the domain name system provider for hundreds of major websites, recovered and the web started to spring back to life.
The flooding attack was designed to overload systems and prevent people from accessing the sites they want on a scale never seen before this.
All signs point to a massive botnet utilizing the Internet of Things, powered by malware known as Mirai, which allows the botnets operator to turn a large number of internet-connected devices -- surveillance cameras, smart home devices, and even baby monitors -- against a single target.
Happy Cyber Security Awareness Month
Sun, 23 Oct 2016 13:44:25 -0400
Although not an official part of the holiday season, October being National Cyber Security Awareness Month is still a good thing. If people can take an awareness of cyber security and turn it into positive actions, maybe the good guys can win the war for the Internet.
Homeland Security increases focus on cybersecurity at the polls
Mon, 7 Nov 2016 09:00:00 -0400
Department of Homeland Security officials may not expect malicious hackers to sway November's election, but the agency is offering more protections to help states secure voting systems.
After this summers Democratic National Committee breach, and a recent FBI warning of digital tampering with state election boards, Homeland Security has stepped up efforts bolster cybersecurity at the polls and for state election boards.
Make Sure You are Recording People With Your Home Security Cameras Legally
Fri, 4 Nov 2016 09:00:00 -0400
It has never been easier to set up your own home security system. However, if your cameras can record audio, depending on your state you run afoul of wiretapping laws if you don’t have consent from people who visit your home.
As product review site The Wirecutter points out, setting up cameras to keep an eye on your home is perfectly fine. Recording, on the other hand, can introduce some legal complications. Especially if you are recording audio in a state that requires dual consent.
Video and audio recordings have different legal guidelines and there are worlds of nuance to navigate.
Uber to use driver selfies to enhance security
Wed, 2 Nov 2016 09:00:00 -0400
Uber rolled out a new feature Friday that requires some drivers to confirm their identities via a selfie photo before each shift.
Real-Time ID Check is aimed at both preventing fraudulent use of a drivers account and providing consumers with a greater degree of confidence in the ride-sharing company.
What Consumers Need to Know About the Yahoo Security Breach
Mon, 31 Oct 2016 09:00:00 -0400
What was taken?
The stolen information could include names, email addresses, dates of birth, telephone numbers, password information and possibly the question-answer combinations for security questions, which are often used to reset passwords, said Yahoo in a statement.
However, Yahoo said that the passwords that were compromised were hashed, a way of encrypting data.
The stolen information did not include unprotected passwords, payment card data or bank account information, according to Yahoo.
7 Ways Cloud Alters The Security Equation
Fri, 28 Oct 2016 09:00:00 -0400
By now, the pitch for cloud-based services is familiar to anyone in IT: They are cheaper, more efficient, and will free up in-house infosec professionals for more value-added tasks (yes, everyone's really going to miss reviewing log management data).
The promises of highly automated functionality and trouble-free operations may be slightly overstated, at least where cloud-based security is concerned. But most infosec professionals are already masters of due diligence, and cloud is like any other external service provider: seasoned security pros know to ask a lot of questions, perform their own testing and audits, and get customer references for the real skinny on how cloud-based security goes.
iPhone Hackers Say Apple Weakened Backup Security With iOS 10
Wed, 26 Oct 2016 09:00:00 -0400
Professional iPhone hackers say that Apple AAPL -1.72% has dropped the ball on password security with its latest iPhone operating system, making the task of cracking the logins for backups stored on a Mac or PC considerably easier.
7 Days Before Obama Gives Away Internet & National Security
Mon, 24 Oct 2016 09:59:00 -0400
In one week, President Obama will allow what remains of the United States control over the Internet to pass to a California non-profit organization, the Internet Corporation for Assigned Names and Numbers (ICANN). This is a reckless and dangerous decision that has serious national security consequences that have not been fully considered.
Currently, ICANN has a contract with the Department of Commerces National Telecommunications and Information Administration (NTIA) to manage the naming and numbering functions associated with the Internet. The most important of these is the assignment of Internet Protocol Addresses (IP Addresses) to domain names.
Cyber Security Controls That Actually Make You More Efficient
Sat, 22 Oct 2016 09:00:00 -0400
1. Install Firewalls on your computer systems
You must install firewalls and routers on your systems. This will prevent your system from external attacks. Firewalls are programmed to trigger off alarms whenever there is a potential breach of a computer system.
2. Don’t Just Install Antivirus Software programs on your Systems; Scan them Regularly
The installation of antivirus software programs is one of the effective methods that will guarantee the security of your computer systems. Contrary to the general belief, antivirus programs are not designed exclusively for the prevention of virus attacks. They are also effective means of preventing attacks by Trojans, Keyloggers, and some other harmful programs.
3. Use Anti-spy Software programs
There are some computer software programs that perform the functions of human spies. These programs steal information from computer systems without the consciousness and consent of the users. The pieces of information that they steal are used by others to harm the organizations or individuals that are using these systems.
4. Use complex passwords on your systems
Homeland Security Secretary Warns of New Terror Environment Post 9/11
Thu, 20 Oct 2016 09:00:00 -0400
Fifteen years after the 9-11 attacks, U.S. Secretary of Homeland Security Jeh Johnson said the U.S. is in a new environment,
with the nations greatest risk from lone-wolf attacks and self-radicalized
Johnson said on ABCs This Week
that there is no credible evidence of an imminent terrorist threat to the United States -- but there are still risks.
Cyber Security Unicorn
Tue, 18 Oct 2016 09:00:00 -0400
The first cybersecurity unicorn kernel popped in late 2013 with the announcement of CloudFlares $50 million Series C investment. Today, 10 privately held companies hold membership in the ultra-exclusive cybersecurity unicorn club.
With the addition of each new member, eyebrows are raised and questions are asked. What underlying data supports such valuations? Would there ever be sufficient revenue in the cybersecurity market to sustain unicorn valuations? Are cybersecurity unicorns outliers or are we at the start of a sustainable trend?
Google fixes two serious Android security flaws
Sun, 16 Oct 2016 09:05:56 -0400
Google's mobile security team has definitely been busy cleaning house this week. The company has released an Android update that closes two security holes that could pose a major threat if intruders found a way to exploit them. The first was only designed for research purposes
and would only have been malicious if modified, Google tells Ars Technica, but it wouldn't have been hard to detect or weaponize.
Fri, 14 Oct 2016 09:00:00 -0400
Ninety-one percent of ISPs in the UK are concerned that government surveillance efforts will compromise or weaken the security of their networks.
While most internet and managed service providers see cyber-attacks on a weekly basis, the most common concern among the companies is that government surveillance will weaken network security and make providers a target of attackers, according to a report released by the UK Internet Services Providers Association (ISPA).
The report, released Sept. 6, found that 54 percent of respondents were attacked at least every week. Currently, denial-of-service attacks and SQL injection attacks are the main types of cyber-threats Internet and managed service providers face, with 91 percent of respondents suffering a denial-of-service attack, 64 percent an SQL injection attack and 36 percent a phishing attack, the study found.
Security of Self Driving Cars
Wed, 12 Oct 2016 09:00:00 -0400
The U.S. Justice Department has formed a threat analysis team to study potential national security challenges posed by self-driving cars, medical devices and other Internet-connected tools, a senior official said.
Privacy and Security in the Age of the Driverless Car
Mon, 10 Oct 2016 11:39:50 -0400
Driverless cars are coming. After testing prototypes for years, companies are poised to roll out self-driving vehicles for consumer use. The future is here. But, are we ready for it?
The existing law is clearly not. There are currently no federal statutes governing driverless cars, and only eight states (i.e., California, Florida, Louisiana, Michigan, Nevada, North Dakota, Tennessee, and Utah) and the District of Columbia have enacted laws addressing driverless cars. These state statutes typically define autonomous vehicles, or autonomous technology,
establish parameters and guidelines for their testing, and or require that the vehicles have either manual override or a licensed driver in a position to assume control of the vehicle.
The Challenge of Internet of Things Security
Sat, 8 Oct 2016 11:38:30 -0400
IoT is one of the most significant technology shifts since the creation of the internet with projections of up to 100 billion devices connected by 2025. This scale is enormous and the value of both consumer and enterprise IoT connecting wearables, cars and trucks, highways and entire cities has been measured in the trillions of dollars by 2025. IoT literally has the potential to transform the way humans work, live and play.
With this value and transformational potential comes inherent risks and none more serious than a car being hacked or as catastrophic as a country’s power grid being compromised. Both these scenarios have already been demonstrated and is further exacerbated by the overall lack of legal policy, guidelines and standards. Simply put, IoT scale, diversity and adoption is outstripping our ability to create laws to govern and guidelines to standardise it’s adoption.
Sorry Robocop: AI security guards do NOT stop people from stealing
Thu, 6 Oct 2016 11:36:30 -0400
While the robot is not designed to look particularly menacing or authoritative, it has cameras that enable it to see
what people around it are doing.
The behaviour of hundreds of students was captured by a hidden GoPro action camera, reports New Scientist.
The results showed that a disappointing seven per cent snaffled reserved food from the table, despite the robot guards presence.
This was only very slightly lower then the eight per cent who took supplies when the table of food was not guarded at all.
Tue, 4 Oct 2016 11:35:27 -0400
In perusing the web and taking stock, as well as talking to my constituents in business and IT, several things become clear:
Most employees steal proprietary data when quitting or getting fired from an organization.
Nearly all employees are vulnerable to exploit kits.
Four out of five breaches go undetected for a week or more. Some take up to a year.
Just over a third of global organizations feel they are prepared for a sophisticated cyberattack.
Generally, when an organization is targeted for attack, the attackers need only minutes to bring about a compromise.
Most organizations lack the means to track and control their most sensitive data.
Most organizations lack clear security guidelines, policies, and reinforcement through training.
What does the modern organization do?
Why identity protection is the next phase in security
Sun, 2 Oct 2016 11:33:29 -0400
If the chances of an organisation being hacked on a long enough timeline eventually hits 100 percent, then as a user with personal information stashed in silos all over the internet, on the same timeline the user is likely facing a percentage of information leakage that is in multiples of hundreds.
While as an industry we appear to have accepted the pragmatic security arguments of this scenario, the situation for privacy and the individual is quite the reverse.
Three Easy Tricks to Improve Your Online Security
Fri, 30 Sep 2016 09:00:00 -0400
There is a helpful website for checking to see if your email address has been included in a database dump, but it does not include every dump. If you use unique passwords for each service, you know that if one of them gets breached, all of your other accounts will be safe.
Hackers Playground: Security Lapse Cited By 82% Of Firms, Says Intel
Wed, 28 Sep 2016 09:00:00 -0400
The median salary for a cybersecurity job is 2.7 times that of average wages in Australia, France, Germany, Israel, Japan, the U.K. and the U.S., yet 82% of organizations in those countries are experiencing a shortage in skilled cybersecurity workers, chipmaker Intel (INTC) found in a poll by its Intel Security business.
More than half (53%) of respondents say the cybersecurity skills shortage is worse than talent deficits in other IT professions.
5 Strategies For Enhancing Targeted Security Monitoring
Mon, 26 Sep 2016 09:00:34 -0400
These examples will help you improve early incident detection results.
Crime scenes -- in both the physical and digital sense -- exist where investigators must work quickly to gather and process evidence before it is no longer available or has been modified. In both cases, investigators set up a large perimeter around the crime scene and work to narrow it down by establishing credible, evidence-based conclusions.
In the digital realm, the most common collection of security incident and event information occurs in sources where large volumes of data can be gathered in support of investigations. However, this large volume of data can easily lead to analysis paralysis
, making it more difficult to find the proverbial needle in the haystack.
Security Experts Agree: The NSA Was Hacked
Fri, 23 Sep 2016 09:00:00 -0400
A group of hackers known as the Shadow Brokers is currently selling off cyber-spying tools, which it claims belong to the U.S. government, in an online auction. Now, analysis of software that the group made freely available to prove its legitimacy suggests that it’s authentic, and likely to belong to the National Security Agency.
Top 10 Security Predictions Through 2020
Wed, 21 Sep 2016 09:00:37 -0400
1. Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.
2. By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.
3. By 2018, the need to prevent data breaches from public clouds will drive 20% of organizations to develop data security governance programs.
4. By 2020, 40% of enterprises engaged in DevOps will secure developed applications by adopting application security self-testing, self-diagnosing and self-protection technologies.
5. By 2020, 80% of new deals for cloud-based access security brokers (CASBs) will be packaged with network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms.
6. By 2018, enterprises that leverage native mobile containment rather than third-party options will rise from 20% to 60%.
7. By 2019, 40% of Identity of as a Service (IDaaS) implementations will replace on-premises identity and access management (IAM) implementations, up from 10% today.
8. By 2019, use of passwords and tokens in medium-risk use cases will drop 55%, due to the introduction of recognition technologies.
9. Through 2018, more than 50% of Internet of Things (IoT) device manufacturers will not be able to address threats from weak authentication practices.
10. By 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets.
Top 6 Trends that Impact Your Security Posture
Mon, 19 Sep 2016 09:00:00 -0400
In the same way endpoints are proliferating, so are the networks to which these devices connect. Just a few years ago, the corporate network and the home network were the predominant connection points. Today people often connect to multiple networks over the span of a few hours. We wake up and check our work email on the home broadband network; we do a little work at the local coffee house via guest Wi-Fi; we tap into the enterprise network when we arrive on-site at work; we switch to another guest network at the airport, even on the airplane. And, (gasp!) perhaps we even glance at email while stopped at a light over 4G wireless.
All of these networks add a new layer of complexity to the attack surface. To provide adequate security across all of them, what's needed is location-agnostic security technology that follows the user across his or her daily journey, wherever that might be. You need a unified, seamless blanket of protection.
3D faces based on Facebook photos can fool security systems
Fri, 16 Sep 2016 09:00:00 -0400
Facial recognition systems are not quite perfect yet and can still make mistakes especially when they are assessing the faces of people of color. Now, a team of researchers from the University of North Carolina showed that companies developing security systems based on the tech really do have a lot of work ahead of them. They proved that a number of existing systems can be fooled by the VR-like, computer-rendered faces they created. Further, they made their 3D models, which they showed the security systems on a phone, using only photos taken from social networks like Facebook.
Election security as a national security issue
Wed, 14 Sep 2016 09:00:00 -0400
We recently learned that Russian state actors may have been responsible for the DNC emails recently leaked to Wikileaks. As we understand the facts, the Democratic National Committee’s email system was hacked. Earlier this spring, once they became aware of the hack, the DNC hired Crowdstrike, an incident response firm. The New York Times reports:
Preliminary conclusions were discussed last week at a weekly cyberintelligence meeting for senior officials. The Crowdstrike report, supported by several other firms that have examined the same bits of code and telltale “metadata” left on documents that were released before WikiLeaks’ publication of the larger trove, concludes that the Federal Security Service, known as the F.S.B., entered the committee’s networks last summer.
Mobile Security Problems
Mon, 12 Sep 2016 09:00:00 -0400
When it comes to security, most mobile devices are a target waiting to be attacked. That's pretty much the conclusion of a report to Congress on the status of the security of mobile devices this week by watchdogs at the Government Accountability Office.
Combine the lack of security with the fact that mobile devices are being targeted by cybercriminals and you have a bad situation. For example, the number of variants of malicious software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185% in less than a year, the GAO stated.
Traveling Security Risks
Fri, 9 Sep 2016 09:00:00 -0400
Frequently travelers who are not prepared for the security risks associated with staying in hotels put potentially sensitive information and their own personal safety at risk. Here's how to spot common threats, and protect your data while on the road.
Hotels are digitally dangerous places these days. And that is not idle speculation. Security researchers have been sounding the alarm on sophisticated attacks directed at hotel users for years.
Most of the earliest reports pointed to surgical strikes on high-profile executives or representatives of government agencies, but they could prove to be precursors for more wide-ranging attacks on the general public. Modern business travelers, with their treasure troves of files and personal information, will be prime targets, and they are also more likely to let their guard down after an exhausting journey.
Frequent password changes are the enemy of security, FTC technologist says
Wed, 7 Sep 2016 09:00:00 -0400
Shortly after Carnegie Mellon University professor Lorrie Cranor became chief technologist at the Federal Trade Commission in January, she was surprised by an official agency tweet that echoed some oft-repeated security advice. It read: Encourage your loved ones to change passwords often, making them long, strong, and unique.
Cranor wasted no time challenging it.
Understanding iOS passcode security
Mon, 5 Sep 2016 09:00:00 -0400
Ah, the eternal question: Should you protect your iOS device with a passcode? On one hand, the knowledge that your data is presumably safe from prying eyes makes carrying around your phone and tablet less worrying; on the other, having to tap in a code every time you want to check your email or make a phone call can quickly become annoying.
Apple, for its part, is not helping make this choice easier for consumers: Methods for bypassing the passcode screen or circumventing it altogether keep getting discovered, and though the company typically provides patches fairly quickly, these security holes don’t instill confidence in iOSs ability to keep our data safe.
Besides, passcodes seem inflexible and at times even incompatible with the way we use our devices.
Rio Beefs Up Security Measures as Summer Olympic Games Are Set to Begin
Fri, 2 Sep 2016 09:00:00 -0400
Rio is ramping up security for the Summer Olympics, top officers in the state police force announced at a news conference on Monday.
However, state officials said Monday that an additional 634 officers will be added to the police units that monitor areas that commonly have shootouts, 24-hour supervision of the iconic Christ the Redeemer statue will begin on Tuesday, and three surveillance blimps will be in Rio's north, south and west zones, according to USA Today.
$67 Billion North America Cyber Security Market 2016: Analysis and Forecasts to 2022 - Research and Markets
Wed, 31 Aug 2016 09:00:00 -0400
The North America cyber security market is estimated to grow over $67.28 billion by the end of 2022. Currently, cyber security solutions are acquiring a major share of the market because of increasing cyber attacks in this region. The U.S. is acquiring a major market value because of continuous cyber attacks on application verticals such as healthcare, banking and financial services and manufacturing, among others.
This market study includes an extensive overview and analysis of the North America Cyber Security market by solutions and services, application verticals and countries, along with developing a comprehensive outlook of the market. The report provides extensive insights of the different developments, trends and key participants.
Cyber crimes cost have reached around $100 billion in the country. Canada and Mexico globally stands at the 13th and 17th position respectively as major sources of cyber crimes. North America needs to build a strong resilience system for managing cyber crimes.
Various forms of cyber crimes such as ransom ware are rapidly increasing in North America which can further lead to business interruptions and financial losses.
Homeland Security chief weighs plan to protect voting from hackers
Mon, 29 Aug 2016 09:00:00 -0400
Secretary of Homeland Security Jeh Johnson said hes considering whether to designate the US election system as critical infrastructure, which could trigger greater cybersecurity at the ballot box.
On the heels of the Democratic National Convention hack and the political fallout that is ensuing months before the presidential election, the countrys Homeland Security chief said he is considering measures that would strengthen cybersecurity protections for voting.
Cybersecurity: Tiny Cybersecurity Stock on Cusp of Triple-Digit Gains?
Fri, 26 Aug 2016 09:00:00 -0400
Cybersecurity revenue advanced from 2013 to 2015 and is predicted to continue at a healthy rate that could help jumpstart IMPV stock. Imperva is estimated to grow its revenue 29.7% to $303.96 million this year and another 24.2% to $377.44 million in 2017. These are terrific growth metrics if IMPV stock can deliver what Wall Street expects.
Cybersecurity blind spots: Vulnerabilities and risks
Wed, 24 Aug 2016 09:00:00 -0400
How should companies deal with vulnerabilities? It may depend on the specific vertical industry an organization is in, according to Pavel Slavin, technical director of medical device cybersecurity at healthcare firm Baxter International. We can not just take a Microsoft patch on Tuesday and apply it -- medical devices can not be patched before the patch is validated as it could kill the patient,
he said. We need to be able to adapt how we respond to vulnerabilities that could cause more harm than good.
Feds to hire 3,500 cybersecurity pros by years end
Mon, 22 Aug 2016 09:00:00 -0400
Last October, the U.S. government began hiring 6,500 new cybersecurity IT professionals. It has hired 3,000 so far, and plans to hire another 3,500 by January 2017, the White House said Tuesday.
The government is now trying to improve its recruiting and retention of cybersecurity professionals. This includes finding ways to improve government pay, which can be well below the private sector.
This strategy was detailed Tuesday in a White House memo. The U.S. plans to do more to reach women, in particular, who comprise less than 25% of the government's cybersecurity workforce.
DARPA Challenge Tests AI as Cybersecurity Defenders
Fri, 19 Aug 2016 16:25:25 -0400
This summer, seven finalist teams in the Cyber Grand Challenge the U.S. Defense Advanced Research Projects Agency (DARPA) will do battle with AI systems that can autonomously scan rivals’ network servers for exploits and protect their own servers by actively finding and fixing software flaws. The immediate rewards comes in the form of a US $2 million prize for first place, $1 million for second place, and $750,000 for third place. But in the long run, DARPA hopes the challenge results will prove autonomous AI systems have become capable enough to help humans in the never ending struggle to protect computer software and networks.
How to train new grads on corporate security
Wed, 17 Aug 2016 16:20:38 -0400
Millennials bring a lot to the workplace, whether they're pushing the boundaries of company culture or forcing companies to modernize. But there are a few risks associated with hiring recent grads -- especially if it is their first job in the industry -- and one of those risks is data security.
In a recent study from the Ponemon Institute in partnership with Experian, which surveyed over 16,000 people at companies with data protection and privacy training programs, 66 percent of respondents cited employees as the biggest security threat to their company. And 55 percent said that their organization had, at some point, experienced a security incident or data breach due to a malicious or negligent employee, according to the report.
With new grads entering the workforce, it is time to make your security policies a priority in the hiring and onboarding process. According to David Wagner, CEO of ZixCorp and Bradon Rogers, Senior Vice President of Product Strategy and Operations at Blue Coat, companies need to take a multi-step approach to help prevent their employees -- especially new hires -- from becoming their biggest security threat.
Auto Industry Bug Bounty Programs Point to Our Security Future
Mon, 15 Aug 2016 09:00:00 -0400
Go ahead: Hack me if you can.
That was the message this week from Chrysler, as they announced their new bug bounty program. If you report a security hole, you can get paid up to $1,500 in cash. Fiat Chrysler (FCA) has decided to partner with Bugcrowd on this new security program.
Chryslers new endeavor is to crowdsource the process of uncovering and fixing security vulnerabilities associated with automobiles. And the focus is not just on your cars engine, gas pedal or brakes:
Here are the CIAs Possible Security Guidelines For Pokémon Go
Fri, 12 Aug 2016 09:00:00 -0400
It is 2016, Pokémon are (augmentedly) real, and everyone is losing their minds. After a week of traffic accidents, cliff accidents, trespassing, and mobs descending on public spaces, it is time for cooler heads to prevail, and various governments and nonprofit organizations are stepping in to provide some level-headed guidelines for catching ‘em all.
Including, it seems, the U.S. Department of Defense.
Within the U.S. government, operations security (OPSEC) refers to the process intelligence officers and other government workers follow to protect unclassified information that could be used by adversaries to cause harm. Generally, it means being aware of what you’re posting on social media, writing in emails, or talking about in public, keeping in mind that such information could make its way into an adversarys hands.
New York State ramps up security following Nice attack
Thu, 11 Aug 2016 09:00:00 -0400
While New York has not been home to a terrorist attack since September 11, 2001, Cuomo said that “The Department of Homeland Security and Emergency Services Office of Emergency Management Watch Center will be on heightened alert, monitoring world events.”
The horrific rampage in Nice is a direct attack on the universal values our two countries have long championed and upheld,”Cuomo said, adding, This is not only an attack on France, but an attack on democracy.
The increased security follows a terrorist attack in Southern France late Thursday, when a man drove a delivery truck for about a mile through a crowd of people celebrating Bastille Day.
More code deploys means fewer security headaches
Tue, 9 Aug 2016 09:00:00 -0400
Organizations with high rates of code deployments spend half as much time fixing security issues as organizations without such frequent code updates, according to a newly released study.
In its latest annual state-of-the-developer report, Devops software provider Puppet found that by better integrating security objectives into daily work, teams in "high-performing organizations
build more secure systems. The report, which surveyed 4,600 technical professionals worldwide, defines high IT performers as offering on-demand, multiple code deploys per day, with lead times for changes of less than one hour. Puppet has been publishing its annual report for five years.
Google Ventures invests $20 million to rate enterprise security threats
Sun, 7 Aug 2016 09:00:00 -0400
GV, formerly Google Ventures, is investing $20 million to help the enterprise analyze security weakness which may result in successful data breaches hurting itself or suppliers.
Announced on Thursday, New York-based SecurityScorecard said a Series B funding round led by GV has raised $20 million which will be used to fuel SecurityScorecards continued scale and innovation delivering cybersecurity ratings.
Additional partners in the investment round include Sequoia Capital, Evolution Equity Partners, Boldstart Ventures and Two Sigma Ventures.
Concerns about security, information sharing up among industrial control system security pros
Fri, 5 Aug 2016 09:00:00 -0400
Security managers working with industrial control systems are increasingly concerned about security, and worried about insufficient information sharing in the industry, according to a new survey.
This year, 67 percent of respondents said that the threats to the control systems were moderate to severe, up from 43 percent last year, said Derek Harp, director of ISC global programs at Bethesda, MD-based SANS Institute, one of the authors of the report.
Why APIs beat proxies for cloud security
Wed, 3 Aug 2016 09:00:00 -0400
While many businesses laud the benefits of cloud computing, some feel less than 100 percent confident in their ability to fully secure their cloud resources.
Is it any wonder? Your corporate network might link to multiple cloud services, run by different operators. Mobile users might be accessing cloud resources simultaneously over dissimilar WANs and device types. Some users and devices fall under your management domain; others do not.
Maybe You Should Borrow This Security Trick From Zuckerberg
Mon, 1 Aug 2016 09:00:38 -0400
It was meant solely to be a celebratory post by Mark Zuckerberg about Instagram reaching the milestone of 500 million users. But as CNET reports, the Internet was far more interested in what Zuckerberg revealed inadvertently: His laptop is in the background, and it shows that Zuckerberg puts a piece of tape over its camera as an apparent security measure—to ward off hackers who might gain control of it remotely to spy on him. A Twitter user named Chris Olson seemed to be the first to spot it, tweeting on Tuesday that Zuckerberg also tapes over his microphone jack and uses a rather obscure email client from Mozilla called Thunderbird.
Trend Micro unveils ransomware security suite
Sat, 30 Jul 2016 09:00:00 -0400
New software and services are tailored for ransom attacks. Will more security vendors follow suit or build anti-ransomware functionality into existing malware tools?
Trend Micro announced security software and services to help organizations avoid and eradicate ransomware as such attacks are becoming more frequent in the healthcare industry.
Whereas security software rivals Fortinet, Intel McAfee, Kaspersky, Sophos and Symantec have long-standing anti-malware programs and all offer various utilities for combatting ransomware, Trend Micro said its new offerings are tailored specifically for the malicious code that encrypts data so hackers can demand a ransom to unlock it.
To that end, Trend Micro’s suite includes ransomware readiness assessment, ransomware removal tools, enhancements to existing software that help better fight ransomware, and hotlines that customers can call for advice.
Why Brexit Will Promote European, British, and American Security
Thu, 28 Jul 2016 09:00:38 -0400
On June 23, Britain will hold a referendum on its membership in the European Union. Opponents of a British exit from the EU assert that a Brexit
would be bad for both British security and the peace of Europe. Indeed, on May 9, British Prime Minister David Cameron, a supporter of Britains EU membership, implied that Brexit risks causing a European war.
This argument rests on bad history and a worse understanding of the risks to peace in Europe today. If Britain exits the EU, it will ensure that it retains control of its foreign, security, and alliance policies. This will allow it to continue to play a leading role in the NATO alliance, and ensure that it remains a vital security and intelligence ally of the United States. It is the United States and NATO—not the EU—that have brought peace to Europe.
10 Data Security Mistakes Startups Can Not Afford to Make
Tue, 26 Jul 2016 09:00:00 -0400
Startups are usually in a rush, and they often forget about data security as they try to get an MVP out.
With new businesses, a data breach can result in the company closing down. To address the mistakes most commonly made, I asked ten YEC entrepreneurs the following:
What is the one crucial mistake that tech startups seem to make when it comes to data security nowadays and why?
1. Personal and professional borders.
Bring your own device (BYOD) has become increasingly popular during the past years, even more so in the startup scene.
Gartners top 10 security predictions
Sun, 24 Jul 2016 09:00:00 -0400
One overriding recommendation is that businesses must be aware that delaying security measures in an effort to avoid disrupting business can be a false economy.
He recommends that security pros should make decisions about protecting networks and resources based on the range of risks that known weaknesses represent to the business and its goals. Rather than thinking about their role purely as protecting, they should look at it as facilitating successful business outcomes.
Here are the predictions and recommendations:
Threat and vulnerability management
Prediction: Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.
Prediction: By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.
Prediction: By 2018, the need to prevent data breaches from public clouds will drive 20% of organizations to develop data security governance programs.
Prediction: By 2020, 40% of enterprises engaged in DevOps will secure developed applications by adopting application security self-testing, self-diagnosing and self-protection technologies.
Prediction: By 2020, 80% of new deals for cloud-based cloud-access security brokers (CASB) will be packaged with network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms.
Prediction: By 2019, 40% of identity as a service (IDaaS) implementations will replace on-premises IAM implementations, up from 10% today.
Prediction: By 2019, use of passwords and tokens in medium-risk use cases will drop 55%, due to the introduction of recognition technologies.
Chrome 51 serves up 42 security fixes, $65K in bug bounties
Fri, 22 Jul 2016 09:00:00 -0400
Not only did Google add a Credential Manager API to Chrome 51 for Windows and Mac that lets developers go beyond simply creating passwords, it served up 42 security fixes, including 23 from outside researchers resulting in a more than $65,000 pay out in bug bounties.
With the new Credential Management API, developers can more easily store and retrieve passwords meaning that users to sign on in a single tap. And they will be signed back in after a session expires. The federated account employed by the user to sign will be remembered as well.
Google noted that some of the vulnerabilities fixed by the latest Chrome release carried a high-severity rating.
In a release, Google provided the following information on the bugs and credited the researchers responsible for finding them, as well as the bounties they received:
How to toughen your LinkedIn accounts security in light of hack
Wed, 20 Jul 2016 09:00:00 -0400
On May 18, the professional-networking site said that more than 100 million members email and password combinations hacked during a 2012 data breach had just been posted online. In the same breach, hackers stole and publicly released a separate set of 6.5 million encrypted passwords that year.
Debunking seven fundamental cyber-security myths
Mon, 18 Jul 2016 09:00:13 -0400
If we look at the world of cyber security through the eyes of the media, it is a pretty frightening view. We hear story after story of security breaches hitting major companies and the next data leaks that follows affecting thousands of people. It’s enough to fill any business with trepidation.
With cyber security such a big talking point, we tend to see a lot of information floating around -- some of which is not in the least bit true. If a company wants to enhance its IT security it is imperative to be able to separate facts from fiction.
It’s these fundamental security myths that cause organizations to incorrectly assess threats, misallocate resources and set inappropriate goals. Dispelling those myths is key to developing a sophisticated and appropriate approach to information security.
No stars for Internet of Things security
Sat, 16 Jul 2016 09:00:00 -0400
Deliberate threats, such as back doors and remote data transmission, you fix with code reviews.
Ignorant threats, such as poor security configurations or bad design choices, you find through penetration testing.
Security evaluations take time, cost money, and always fail to find every possible problem,
DarkMatter Cyber Security Poll Reveals 48% of Respondents Organisations Still Lack Key Cyber Security Personnel
Thu, 14 Jul 2016 09:00:00 -0400
DarkMatter, an international cyber security firm headquartered in the UAE, has found that 48% of respondents to its DarkMatter Cyber Security Poll say their organisations do not have a senior management executive assigned to oversee cyber security, while 46% of respondents said their organisations did not have a Board-level representative responsible for cyber security.
The statistics are extracted from a poll conducted by DarkMatter during the Gulf Information Security Expo & Conference (GISEC) 2016 held in Dubai, at which the company was the Cyber Security Innovation Partner. DarkMatter was able to poll the answers of over 200 information and communication technology (ICT) visitors present at the event, with the aim of the exercise being to identify attitudes held by enlightened ICT professionals towards the role of cyber security in modern, highly digitised economies, and the state of their organisations' cyber threat resilience.
The poll identified that 23% of respondents believe that their organisations have been victim to an internal cyber security breach, while 32% believe their organisations have fallen victim to an external attack. This suggests external threats pose a greater threat to organisations' digital assets than internal ones, with a further poll result indicating 46% of respondents believe cyber security breaches are most often the result of human factors.
Five most common myths about web security
Tue, 12 Jul 2016 09:00:00 -0400
Protection of corporate crown jewels is more important than web apps
No, you cannot secure one part of your network and ignore another one. Information security shall be comprehensive and holistic: you shall analyze all threats, vulnerabilities and thus attack vectors in their integrity. Today, no cybercriminals will try to steal your crown jewels directly wherever they are [securely] stored.
Breaking in via your web applications in pair with spear phishing will probably be one of the cheapest, reliable and silent ways to get into your corporate network and bypass your defense-in-depth.
Delta Is Trying To Innovate Faster Security Lanes For The TSA
Sun, 10 Jul 2016 09:00:00 -0400
U.S. airlines are starting to provide supplemental support at checkpoints around the country this spring thanks to a flagging TSA. Earlier this month, that effort came in the form of airlines hiring supplemental staff to direct traffic at checkpoints and enhance the customer experience, though no actual screeners were hired. Now, Delta Air Lines has gone so far as to design and install its own checkpoints into Atlanta Hartsfield Jackson International Airport and gift them to the TSA.
Waiting in Line for the Illusion of Security
Fri, 8 Jul 2016 09:00:00 -0400
Interminable lines at airport security checkpoints have caused a great deal of unnecessary misery.
Many people have missed their planes, and some flights have been delayed because too few passengers made it to the gate on time. A video of a two-hour security delay at Chicago’s Midway International Airport generated millions of views.
There are many explanations for what has been happening at the airports, but, as economists, we naturally prefer a basic, economic one: When something is free, it is likely to be wasted.
Hackers showed us how easy it is to secretly clone a security badge
Wed, 6 Jul 2016 09:00:00 -0400
Almost everyone uses an RFID badge to get into their office or apartment, and it's a lot easier than you might think for someone to steal the data on your card to gain access. A group of white hat hackers called RedTeam Security cloned one of our work IDs to show us just how quickly they can do it from as far as 3-6 feet away.
Brainjacking: the future of software security for neural implants
Mon, 4 Jul 2016 09:00:00 -0400
In a new scientific review paper published in World Neurosurgery, a group of Oxford neurosurgeons and scientists round up a set of dire, terrifying warnings about the way that neural implants are vulnerable to networked attacks.
Most of the article turns on deep brain stimulation devices, which can be used to stimulate or suppress activity in different parts of the brain, already used to treat some forms of mental illness, chronic pain and other disorders.
Cyber security Q&A: Insurance, the Skills Gap and Gender Diversity
Sat, 2 Jul 2016 09:00:00 -0400
From a security point of view, what lessons have been learned from 2015?
The main lesson from 2015 is that the adversaries are persistent and we are not as secure as we thought we were. With so many prominent data breaches last year – from the likes of Ashley Maddison to TalkTalk – more and more organisations are finally giving cyber security the attention it deserves.
How do you see the security landscape developing over the next 12 months?
Security is more on the agenda than ever before, and this is showing no sign of relenting. I recently visited a global financial services company and every one of their board meetings now has a three-hour itinerary dedicated specifically to cyber security. A couple of years ago this was unheard of, but because of the increasing threat landscape we face today, it is an issue organisations of all sizes realise they have to address. .
Want a security clearance? Feds will now check your Facebook and Twitter first
Thu, 30 Jun 2016 09:00:00 -0400
The government will start scanning Facebook, Twitter, Instagram and other social media accounts of thousands of federal employees and contractors applying and re-applying for security clearances in a first-ever policy released Friday.
Federal investigators looking at applicants’ backgrounds to determine their trustworthiness will not ask for passwords or log in to private accounts, limiting their searches to public postings. And when they find information that has no relevance to whether they should have access to classified information, it will be wiped from government servers, the policy promises.
Manufacturers beef up cyber security
Tue, 28 Jun 2016 09:00:00 -0400
One thing that helps modern manufacturers stand out in the marketplace — their intellectual property — also makes them an attractive target for hackers.
Take United States Steel Corp., for example. The steelmaker last month filed a formal complaint with the U.S. International Trade Commission, asking the organization to investigate Chinas biggest steel producers for unfair trade practices. One that stands out? The allegation that China hacked into U.S. Steel’s systems and stole information on how to make advanced, high-strength steel.
Companies Get Creative to Relieve Shortage of Security Professionals
Sun, 26 Jun 2016 09:00:00 -0400
While many companies offer heftier salaries and better benefits, others are trying fractional IT security positions and more intelligent systems to ease the shortage of security professionals.
Bluelock, an Indianapolis-based cloud provider of disaster recovery services, has had to struggle to attract the right security staff to help the company develop and manage its cloud service.
Being based in the Midwest, the company has to compete against both the West Coast and East Coast for talent. As Indianapolis becomes more of a tech hub, they compete with other local companies, as well.
3 ways startups are fighting for digital and physical security
Fri, 24 Jun 2016 09:00:00 -0400
Internet accessibility for all people, of all ages and in all places has unleashed unprecedented resources and opportunities. It also unlocked our digital and physical security. The sacrifice of safety is an unintended consequence of the Internet age. Can the tools that caused this vulnerability be reappropriated to make us safer?
Manchester United home finale postponed due to security concerns
Wed, 22 Jun 2016 09:00:00 -0400
Fans were evacuated from the stadium, as thousands flooded into the streets amid the security concern. The match was first delayed, but something, which was not yet clear, prompted security officials to have the match called off. It turns out, per the Greater Manchester police, bomb disposal experts carried out a controlled explosion within the stadium. Neil Ashton of The Sun said on the NBC Sports telecast that Bournemouth's coach and players were at one point stuck inside the stadium and weren't cleared to leave.
Whose Fault Is It Security Lines are So Long?
Mon, 20 Jun 2016 09:00:00 -0400
Modal Trigger It is your fault security lines take forever, according to the TSA
New Yorkers can blame themselves for unbearably long lines at area airports, the Transportation Security Administration said in response to criticism from the Port Authority.
The TSA admitted that waiting times at Newark, JFK and LaGuardia airport security checkpoints had increased since last year — hitting a high of 55 minutes this spring — but blamed the spike on passengers who clog up checkpoints with too many carry-on bags.
Security Should be a Top Priority
Sat, 18 Jun 2016 09:00:00 -0400
Security is a constantly moving target, but few IT departments have the resources to do security thoroughly. PC security is something of a thankless job, to boot. Do it right, no one says a word. Do it wrong, you’re on the firing line.
Surprisingly, security is not always a top factor when IT looks to replace aging PCs, according to IDC. Of the top five considerations cited when making PC brand decisions, security ranked fourth below overall performance (priority no. 1), overall costs (no. 2), and overall specs (no. 3).
IT typically adds security to laptops via software such as anti-virus, anti-malware, firewalls, and intrusion detection. They’re all certainly important and should be a part of your overall security strategy.
Security Think Tank: Identifying, attracting and keeping the right IT security talent
Thu, 16 Jun 2016 09:00:00 -0400
Attracting security talent
If you want the best cyber security resource, you need to make a compelling offer.
It is not about the money. As a seasoned consultant myself, I like a challenge. I like to work on new, emerging things and stay on top of my game.
I do not want a job governing security on legacy Windows 2003 systems and supporting a company that puts cyber security last on its list of priorities.
That is bad for two reasons: I am unchallenged and my name is in tatters when these systems get breached.
A look inside the Department of Homeland Securitys Cyberhub
Tue, 14 Jun 2016 09:00:00 -0400
The building where the Department of Homeland Security tracks every cyber attack against the US is surprisingly bland. With its neutral exterior and circular drive, I was not even sure we were at the right place until I saw our press liaison standing in the lobby. There are no signs to distinguish it from the generic office park that surrounds it, and the doorman would not even confirm if DHS had an office inside.
The National Cybersecurity and Communications Integration Center, better known by the abbreviated NCCIC, opened in 2009 to serve as a place where DHS could monitor cyber threats across government agencies and critical infrastructure, such as power grids and dams.
Digital Vulnerability: Cyber security expert on preventing your social media from being hacked
Sun, 12 Jun 2016 09:00:00 -0400
At least ten characters, including: upper case letters, lower case letters, special characters and numbers.
Second form passwords: Most people find them annoying, but are key to keeping your password and account hack free. Facebook and other social media sites allow you to use your cell phone as a second means of authentication. For example, when you log into your Facebook you will receive a text message with a special number password you have to enter in order to access your account
Change password every 30-45 days: Many people find changing their password annoying, but keeping your new passwords in a secure electronic wallet is a great way to keep track of them in case you forget.