What's new around the internet

Last one

Src Date (GMT) Titre Description Tags Stories Notes
CSO.webp 2016-10-04 11:04:00 War stories: the vulnerability scanning argument (lien direct) Over the last couple of decades I have had all sorts of different jobs. I have to count myself as rather fortunate for the experiences I have had along the way. They really went a long way to teach me some valuable lessons. Also, in some cases, they taught me how to hold my tongue. In one such job years ago, I was working on implementing a company-wide vulnerability scanning platform. As you might imagine, especially if you have done this sort of project before, there were some land mines I had to contend with in due course. At this particular job there were all sorts of different business units who acted as individual fiefdoms and had little interest in having their systems scanned by anyone. “We have a firewall, we're fine,” one team lead had grouched at me. “We have detection capabilities and we'll know if you scan our systems.” To read this article in full or to leave a comment, please click here Guideline
CSO.webp 2016-10-04 10:41:00 4 questions for Virtual Health's Dan Bart (lien direct) Dan Bart has joined cloud-based health care technology startup Virtual Health in the newly created role of executive vice president of information security and implementation, reporting to CEO Adam Sabloff. This role is Bart's first foray into the private sector, and he will be responsible for leading all of Virtual Health's information security efforts, overseeing cybersecurity policies and procedures, as well as optimizing the implementation of the company's solutions to best support client needs and protect sensitive client data. Prior to joining Virtual Health, Bart served more than 13 years at the Defense Information Systems Agency, where he was responsible for the implementation and operation of information systems designed to defend the DoD information network and protect classified data of critical value to national security. He held numerous management positions at DISA overseeing and optimizing cyber situational awareness systems, field communications, NetOps, secure configuration management systems and other critical infrastructure for the Defense Information Systems Agency. To read this article in full or to leave a comment, please click here Guideline
CSO.webp 2016-10-04 10:13:00 A nudge from ransomware (lien direct) Just a couple of months ago, I discussed two of my current challenges: securing a remote workforce when most of the applications that folks use are cloud-based software as a service (SaaS), and having employees who, thanks to those SaaS apps, have no reason to connect to the corporate network and therefore rarely access the IT infrastructure. Trouble Ticket At issue: A user who hasn't backed up his PC in months just saw his documents get encrypted by ransomware.Action plan: Find out how it happened, but more importantly, use this event as leverage to address an ongoing problem.To read this article in full or to leave a comment, please click here
CSO.webp 2016-10-04 08:34:00 27% off AUKEY SoundTank Bluetooth Water Resistant Speaker with 30-Hour Playtime - DealPost (lien direct) Weighing in at just over a pound, the AUKEY SoundTank is the ideal lightweight, water resistant companion speaker for all your adventures. The dual 5 watt speaker drivers are powered by a 2600mAh rechargeable battery delivering up to 30 continuous hours of wireless audio. It uses the latest in Bluetooth audio with A2DP, improved connection stability, faster pairing, lower latency, and lower power consumption from connected devices when wirelessly streaming audio across distances up to 33ft. This speaker has a durable silicone casing providing a rugged layer of protection from daily wear and tear. This speaker recently received a 4 out of 5 star rating (read review). The Aukey's list price of $54.99 has been reduced 27% to $39.99. (See it on Amazon) To read this article in full or to leave a comment, please click here
CSO.webp 2016-10-04 08:16:00 IDG Contributor Network: National cyber incident response plan: We need your input (lien direct) As I explained last month, President Obama issued Presidential Policy Directive 41: United States Cyber Incident Coordination this past July in order to define federal agencies' roles and responsibilities in regards to cyber incident response.Recognizing that cybersecurity is a shared responsibility and effective cyber incident response must involve all levels of government as well as the private sector, PPD-41 also directs the Department of Homeland Security (DHS) to develop a National Cyber Incident Response Plan (NCIRP) to outline both the private sector and the government's cyber incident response roles and responsibilities.To read this article in full or to leave a comment, please click here
CSO.webp 2016-10-04 06:40:00 BrandPost: Out of the Shadows (lien direct) On any given day – with a quick spot-check – you'll probably find that up to half of your company's IT usage is basically hidden in the shadows of various business units. Marketing, finance, sales, human resources, and engineering are using file sharing services with customers, online collaboration tools with contractors and suppliers, and multiple SaaS solutions in addition to on-demand IaaS compute resources. Business areas oftentimes make swift decisions to keep their business operations running. As departments look for the best way to do their jobs and efficiently meet their business objectives, they opt for immediate solutions that often operate outside of corporate IT security policies and guidelines.To read this article in full or to leave a comment, please click here
CSO.webp 2016-10-04 03:30:00 7 ways DevOps benefits CISOs and their security programs (lien direct) Organizational culture and its processes and technology are evolving at a pace we have never experienced before. As a result, we can't just sit back and wait for the “DevOps fad” to fade away because it isn't going to. It's not a fad – it's an evolved way of software development. Furthermore, security cannot be the elephant in the room that everyone avoids because it gets too complicated. Security must evolve, as well, segueing into SecDevOps. To read this article in full or to leave a comment, please click here
CSO.webp 2016-10-03 18:37:00 Hutton Hotel removes unwanted malware guest (lien direct) The long sordid list of companies that have had their payment systems compromised has added a new victim to its ranks. This past Friday the upscale Hutton Hotel, a stone's throw from Vanderbilt University in Nashville, disclosed that the payment processing systems in their hotel had been compromised by ne'er-do-wells. I think we have arrived at the point where companies that have payment systems that have not been reviewed should assume that they're compromised until proven otherwise. A dour assessment of things. But, when you consider that companies like Hard Rock, Target and even Trump Hotels (twice) suffered similar compromises, it really leads one to assume that this is an activity required for any information security team. If you are responsible for a payment To read this article in full or to leave a comment, please click here Guideline
CSO.webp 2016-10-03 18:15:00 IDG Contributor Network: Attracting female talent: How to tackle the cybersecurity gender gap head on (lien direct) For generations, there has always been a gender gap in multiple fields, but this gender gap is growing wider in technology. For example, Melinda Gates noted during this year's Code Conference, “When I graduated 34% of undergraduates in computer science were women… we're now down to 17%.”If this problem sets off alarm bells for the technology industry as a whole, it should be a code-red alert for the cyber security industry where there are currently 1 million jobs unfilled. This problem is expected to get a lot worse before it starts to get any better; in 2019 there is predicted to be 1.5 million cyber security jobs unfilled. If we don't tackle the cybersecurity gender gap then attracting and retaining cyber security talent is going to go from bad to worse and then stay there for a long, long time.To read this article in full or to leave a comment, please click here
CSO.webp 2016-10-03 13:02:00 Here are the 61 passwords that powered the Mirai IoT botnet (lien direct) Default usernames and passwords have always been a massive problem in IT. These days, the consumer technology that envelops the Internet of Things (IoT) has only made the problem larger. Default credentials, which are ignored or too difficult for some people to change, are behind the development of a botnet that took part in the largest DDoS attack on record. The usernames and passwords below were used to enable the Mirai botnet, which is powered by IoT technology. The botnet hit Brian Krebs with traffic topping out at 620Gbps, but it's also been linked to a DDoS against OVH (799Gbps). To read this article in full or to leave a comment, please click here
CSO.webp 2016-10-03 10:20:00 IDG Contributor Network: Man in the middle attacks on mobile apps (lien direct) Man in the middle attacks (MiTM) are a popular method for hackers to get between a sender and a receiver. MiTM attacks, which are a form of session hijacking are not new. However, what might not be known is that mobile devices are vulnerable to MiTM attacks too. In particular, mobile apps are vulnerable to MiTM attacks.As part of a series on mobile security I've written about other mobile-based attacks here: Mobile phishing Mobile pharming Mobile malware Mobile encryption Mobile reversing and tampering Man in the middle attacks OWASP has one of the simplest and best definitions of a MiTM attack. “The man-in-the middle attack intercepts a communication between two systems.” You might also hear this referenced as a malicious proxy. Edward J. Zaborowski gave a presentation on this topic at DEF CON titled:  Malicious Proxies.To read this article in full or to leave a comment, please click here
CSO.webp 2016-10-03 06:00:00 Data leaks evolving into weapons of business destruction (lien direct) Most of the recent data breaches involve customer information such as user names and passwords, credit card numbers, and medical histories. The companies hacked are hurt -- they have to contact victims, pay for credit monitoring services and fines, and may lose customers, brand reputation, and market value -- but that is collateral damage.Or it has been.Increasingly, attackers are using data leaks to target the companies themselves, going after proprietary or embarrassing information and releasing it in such a way as to do the most harm.That's a change that companies need to be aware of, said Andrew Serwin, co-chair of the global privacy and data security group at San Francisco-based law firm Morrison & Foerster.To read this article in full or to leave a comment, please click here
CSO.webp 2016-10-03 05:22:00 A first: ICANN will generate new DNSSec key (lien direct) Rotating cryptographic keys is a security best practice, so it's good news that ICANN has begun the process to change the root key pair underpinning the security of the DNS. While the chances of a misstep is small, the fact remains that changing the root key pair has never been done before. A mistake can potentially -- temporarily -- break the Internet.No pressure, ICANN.[ Safeguard your data! The tools you need to encrypt your communications and web data. • Maximum-security essential tools for everyday encryption. • InfoWorld's encryption Deep Dive how-to report. | Discover how to secure your systems with InfoWorld's Security newsletter. ] As the phone book of the Internet, DNS translates easy-to-remember domain names into IP addresses so that users don't have to remember strings of numbers in order to access web applications and services. However, attackers can hijack legitimate DNS requests to divert users to fraudulent sites through DNS cache poisoning or DNS spoofing.To read this article in full or to leave a comment, please click here
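The practical check behind a root key rollover is whether the DNSKEY a resolver receives really matches the trust anchor (a DS record) it has been told to expect. The following is an added example, not code from the article or from ICANN: it computes the RFC 4034 key tag and the SHA-256 DS digest (RFC 4509) for a DNSKEY given in zone-file presentation format, and refuses a key whose SEP flag is not set. The key bytes and the DNSKEY line are constructed for the demonstration and are not the real root KSK; a real check would take the DNSKEY from a DNS query and the expected tag and digest from IANA's published trust anchor, which this example does not fetch.

```python
import base64
import hashlib

# IANA DNSSEC registry numbers used below
ALG_RSASHA256 = 8
DIGEST_SHA256 = 2

# Constructed key material for the example only; NOT the real root KSK.
CONSTRUCTED_PUBKEY = bytes([0x03, 0x01, 0x00, 0x01, 0xC0, 0xFF, 0xEE, 0x42])
CONSTRUCTED_DNSKEY_LINE = ". 172800 IN DNSKEY 257 3 8 " + base64.b64encode(CONSTRUCTED_PUBKEY).decode()


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA
    (flags | protocol | algorithm | public key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by a zero byte. The root zone is the single zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> dict:
    """DS as a parent zone, or a resolver's trust-anchor file, would hold it:
    digest = SHA-256(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": DIGEST_SHA256, "digest": digest}


def parse_dnskey_line(line: str):
    """Parse '<owner> [ttl] [IN] DNSKEY <flags> <protocol> <algorithm> <base64...>'."""
    parts = line.split()
    idx = parts.index("DNSKEY")
    flags, proto, alg = int(parts[idx + 1]), int(parts[idx + 2]), int(parts[idx + 3])
    pubkey = base64.b64decode("".join(parts[idx + 4:]))
    return parts[0], flags, proto, alg, pubkey


def matches_trust_anchor(dnskey_line: str, expected_tag: int, expected_digest_hex: str) -> bool:
    """True only if the key is a KSK (SEP bit set) and its DS equals the expected anchor."""
    owner, flags, proto, alg, pub = parse_dnskey_line(dnskey_line)
    if flags & 0x0001 != 1:  # SEP flag (bit 15, value 1) marks a key signing key
        return False
    ds = ds_record(owner, flags, proto, alg, pub)
    return ds["key_tag"] == expected_tag and ds["digest"] == expected_digest_hex.upper()


if __name__ == "__main__":
    ds = ds_record(".", 257, 3, ALG_RSASHA256, CONSTRUCTED_PUBKEY)
    print(". IN DS %d %d %d %s" % (ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"]))
    print("anchor matches:", matches_trust_anchor(CONSTRUCTED_DNSKEY_LINE, ds["key_tag"], ds["digest"]))
```

During a rollover the resolver must hold DS entries for both the old and the new KSK until the old one is revoked, so a real validator would run this comparison against a list of anchors rather than a single tag and digest.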
CSO.webp 2016-10-03 04:00:00 Five tips for protecting your brand on social media (lien direct) This summer, online payment service giant Paypal learned that bad guys had set up a fake Paypal Support page on Twitter, and then monitored the real Paypal Support page for remarks from customers. The bad guys responded to those inquiries and pointed users to the fake site where they would ask for, and sometimes receive, personal and account information – an attack called angler phishing. Paypal's Information Security Director Trent Adams likens the ongoing battle to protect its brand to a game of whack-a–mole, and with new social media threats popping up daily, it's becoming more like “whack-an-ant-hill” because while one account may be shut down, others are probably still at work.To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-30 09:35:00 How analytics can protect you from Amy Schumer (malware) (lien direct) This was interesting in so many ways: this week McAfee issued a report showing how malware delivery using compromised websites and gaming Google search analytics has suddenly become a lot smarter. What these criminals are doing is watching trends and then positioning their assets against those trends, on the sites that pop to the top when you are searching on celebrities. [ Related: Most dangerous cyber celebrities of 2016 ] To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-30 09:19:00 Jive Software misses a beat on security (lien direct) Data breaches happen for all manner of reasons. Whether it happens to be because of a software misconfiguration, a missing security patch or the odd zero day exploit, they are unavoidable in today's digital landscape. But most of them do not have to be so. There are errors that happen that illustrate that security issues will always exist as long as there are people touching keyboards. This week the software company Jive published a data breach disclosure that its task management platform Producteev had suffered an exposure. This pertained to an incident that took place in August of this year. The problem was that some usernames and passwords were not stored in a secure fashion. To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-30 09:07:00 IDG Contributor Network: Treasures attackers look for in the sea of email (lien direct) As we dive into October, cybersecurity awareness month, there are lots of strategies to help us all become stronger swimmers in the digital waters. Given that there are 112 billion business emails sent around the world every day, that is one huge ocean that everyone can learn how to better navigate.Since its inception, email has become mission critical, and so many necessities beyond mail service have grown up along with it. Enterprises have become burdened by the complexities of email, which additionally requires the added protections of encryption gateways, spam filters, phishing protections, and much more.In order to attack all of the issues of email security in the age of digital disruption, you first have to know what is beneath the rough seas.To read this article in full or to leave a comment, please click here Guideline APT 32
CSO.webp 2016-09-30 07:09:00 IDG Contributor Network: Management lessons from the espionage of Ana Montes (lien direct) The recurring media coverage of cyber attacks on the U.S. public and private sectors have undoubtedly advanced the rapid growth of IT security industry solutions for predicting, preventing, and responding to cyber threats. Reliable IT systems and infrastructure are crucial to the successful management, stability, and growth of most American companies. A major data compromise can be damaging to profits, prestige, and strategy, not to mention disastrous to a company's competitive edge and downright embarrassing. Add the risk of a potential Snowden insider to the threat of a cyber attack, and American businesses can hardly be blamed for perceiving computer vulnerabilities to be the biggest risk to company security and in turn focusing their risk management efforts and spending on IT security.To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-29 15:00:00 (Déjà vu) BrandPost: Automating the Threat Defense Lifecycle What the Heck does THAT Mean? (lien direct) When we introduced our strategy at FOCUS '15, at its core was a simple concept: create integrated security systems to automate the threat defense lifecycle so you can address more threats, faster, with fewer resources. With the recent announcement of our strategic partnership with TPG we want to further define our strategy and show how we are uniquely leading the market, making IT security as dynamic and responsive as today's most dangerous threats.[1] To read this article in full or to leave a comment, please click here Guideline
CSO.webp 2016-09-29 10:36:00 IDG Contributor Network: Anatomy of an insider attack (lien direct) Insider threats are often addressed in blogs, articles, and books. But it isn't always easy to tell the story to business leaders and their employees. An episode of one of my favorite shows included a character taking steps any employee can complete in an unprepared organization. Let's run through the plot (a good scenario for management) and then take a look at what would have prevented each step in the attack.The attack Chris was tasked by an external attacker, one who had leverage over her, to steal legal documents related to a civil action. The attacker-we'll call him Bill-provided Chris with a USB drive loaded with malware. The malware was designed to extract login information from a target system.To read this article in full or to leave a comment, please click here Guideline
CSO.webp 2016-09-29 09:59:00 (Déjà vu) Why your employees are still a huge security risk (lien direct) Despite an increase in security awareness training, and concern about awareness by top-level management at companies, data breaches continue to happen through employee negligence, whether malicious or not. In the latest episode of Security Sessions, I spoke with Michael Bruemmer, vice president at Experian Data Breach Resolution, about a recent survey that said companies are unprepared to stop employee-caused data breaches. Among the highlights of the video are the following sections: 1:15 Why it's surprising that employees are still responsible for data breaches and additional discussion from the Experian survey. 2:18 Where awareness training is failing, and what companies can do to improve. 3:26 Are granular awareness programs (specific training for specific job roles) on the rise? 4:57 Should employees be fired if they fail to become more aware about security? 5:45 Why are CEOs and other C-level executives often exempted from security training? 07:04 How can CSOs motivate employees positively in thinking about security?To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-29 07:31:00 These ransomware tricks fool the most hardened security pro (lien direct) Ransomware quite often targets businesses (for example hospitals) rather than individuals. Corporations have more valuable data and more money for ransom (ransom increases from roughly $500 per computer to $15,000 for the entire enterprise). Cyphort has examined different variants of ransomware to help users get an idea of what might be coming down the Internet pipeline. So keep an eye out for these characteristics before your network is taken hostage. RELATED: Who is a target for ransomware? 1. Jigsaw: Deleting files at regular intervals to increase the urgency to pay the ransom faster. Jigsaw ransomware operates like this: for every hour that passes in which victims have not paid the ransom, another encrypted file is deleted from the computer, making it unrecoverable even if the ransom is paid or files are decrypted via another method. The malware also deletes an extra 1,000 files every time victims restart their computers and log into Windows. To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-29 05:00:00 Diversified supply chain helps 'Vendetta Brothers' succeed in criminal business (lien direct) Even smaller criminal groups are using smart business tactics to help insulate them from risk, such as the Vendetta World online shop, which sells credit card numbers. According to a report released today by FireEye, the two criminals behind this operation are using relatively sophisticated business practices to evade prosecution and diversify their product supply. "Criminals are typically more direct," said Will Glass, threat analyst at FireEye. "They'll see the cards themselves. You don't usually have what we see here, which is a well-organized network." To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-29 03:10:00 Security myths that can make you laugh… or cry (lien direct) It is sort of like those commercials that stated it must be true because I read it on the internet. There are long held beliefs that have gone unchallenged and accepted. Then there are those who put their head in the sand with such statements as “I don't need to protect my network, there is nothing worth stealing.” To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-29 03:00:00 IP Expo Nordic and getting Popp'd by ransomware (lien direct) Ransomware has become all the rage in the security field these days, both from the perspective of the writers and the defenders. The media is lousy with these articles and I'm apparently not above writing about it myself. This has been grabbing the headlines in a big way simply because of the insidious nature of it. This is a problem that won't go away anytime soon as there is a significant revenue potential here for the criminals that leverage this sort of software. Think of the reduced risk level and the amount of the reward. The risk for a criminal to walk in to a bank with a gun and a sack with a dollar sign on the side is not trifling. There are all sorts of variables to take into account. To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-28 07:41:00 IDG Contributor Network: IT audits must consider the cyber kill chain and much more (lien direct) Many articles have been written regarding the cyber kill chain as it pertains to threat intelligence. By understanding the cyber kill chain we have the chance to take defensive action against an adversary. But first we need a solid network that is 100 percent in compliance with its mandatory IT controls. We often perform IT audits on clients' enterprise networks and see less than 100 percent compliance achieved. So I want to discuss how IT controls help us to have the proper framework in place to build that threat intelligence. To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-28 05:47:00 Former Microsoft CISO joins bio-electronics company board of directors (lien direct) Charles McNerney, general manager of retail technology at Microsoft, and former CISO in its online services division, has been appointed to the board of directors of Nativis, Inc., a Seattle-based clinical stage bio-electronic company. Founded in 2002, Nativis has invented and patented a technology that uses precisely targeted, ultra-low radio frequency energy (ulRFE) to specifically regulate metabolic pathways on the molecular and genetic levels - without chemicals, radiation or drugs – delivered via a simple-to-use non-invasive device called Nativis Voyager®. (Watch the video below for an explanation of the Nativis technology.) Nativis' initial focus is on the treatment of patients with brain cancer, and in the spring of 2015 Nativis partnered with Swedish Neuroscience Institute on a clinical trial to investigate the safety and efficacy of the Nativis Voyager RFE medical device in humans with recurrent glioblastoma multiforme, an aggressive brain tumor with a high rate of recurrence and a mortality rate of nearly 100 percent.To read this article in full or to leave a comment, please click here Guideline
CSO.webp 2016-09-28 05:07:00 73% of companies using vulnerable end-of-life networking devices (lien direct) Seventy-three percent of companies are using vulnerable, end-of-life networking equipment, up from 60 percent last year, according to a new analysis of more than 212,000 Cisco networking devices at 350 organizations across North America."It's amazing how many folks have this issue in their environment," said David Vigna, Cisco practice director at Softchoice, the company that conducted the analysis.Meanwhile, the share of devices that are end-of-life rose from 4 percent in 2015 to 6 percent this year.To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-28 04:57:00 IDG Contributor Network: Will IoT folks learn from DDoS attack on Krebs' Web site? (lien direct) Brian Krebs did a simple thing. He reported on the take-down of a distributed denial of service (DDoS) for hire group, vDOS, and the arrest of two of its Israeli teenage operators. The ensuing cyber temper tantrum, which was forensically linked to one of the teenagers, resulted in the largest DDoS attack on record and affected hundreds of businesses and thousands of users. Let's look at the implications beyond Krebs. [ALSO ON CSO: The DDoS attack on Krebs] On Sept. 20, Krebs was the victim of the largest Distributed Denial of Service (DDoS) attack in the history of the internet. Krebs' pro-bono host, content delivery network (CDN) services provider Akamai, reported the amount of data fired against them in the attack reached 665Gbps. Until then the largest attack Akamai had experienced reached only half that rate, 363Gbps. Akamai successfully fought off the attack and Krebs' site remained up, but the loss of functionality for Akamai's other business resulted in significant financial losses. Akamai ultimately decided to drop Krebs' blog. To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-28 03:41:00 IDG Contributor Network: What has Mr. Robot done for the security industry? (lien direct) Yes, it's just a TV show, but television plays a huge role in creating cultural phenomena, and Mr. Robot has certainly found its place in pop culture. Anti-hero Elliot, a hacker whose ambition is to save the world from E Corp, struggles with mental illness. The voices inside his head are constantly in a conflict of good vs evil. As a result, Elliot's good intentions have paved his road to hell. Where does that leave the rest of us, though? By definition the anti-hero is heroic but lacks the qualities of strength, courage, integrity, and virtue of those celebrated heroes we know and love. But the anti-hero isn't all bad. As was the case with Tony Soprano or Nurse Jackie, they do possess some endearing character traits that prevent us from hating them altogether. Thus, the viewers grow to love the dark hero. To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-28 03:16:00 HackerOne CEO: 'We're building the world's biggest security talent agency' (lien direct) Marten Mickos, a veteran executive with companies from MySQL to Sun, Nokia and HP, was not particularly excited about his meeting to explore a leadership role with HackerOne, a fledgling security company. Security is hard, it's unpleasant, it doesn't work very well. But he perked up fast after learning about HackerOne's crowdsourced model of finding and fixing security flaws – a model in which HackerOne plays a key matchmaking role between companies and ethical hackers in a rapidly growing marketplace of skills and needs. Those are still conducted through your platform, those private bounty programs? With increasing organization in the world, increasing internet access, good STEM education in many countries in the world, there is no practical limit to how many hackers we can find. We get them from India, Pakistan, Bangladesh, Russia, all the Russian-speaking countries, Western Europe, the U.S.A., Chile, Argentina. It's fantastic to see them because you suddenly realize that there are all these mostly young people who have a burning desire to make the world safer and, of course, make some money at the same time. They have such great intent and instincts about this. I don't think we'll run out of hackers ever. Just like in open source software, we have never run out of contributors. To read this article in full or to leave a comment, please click here Guideline
CSO.webp 2016-09-28 01:19:00 Information security and the flaming sword of justice (lien direct) There have been times in my career where I found it almost necessary for me to breathe into a paper bag after hearing some asinine positions on what security should be. I have encountered what I like to refer to as the “flaming sword of justice” far too often over the years. There are security practitioners who have a rather fractured view of our place in the corporate food chain. There was a huge push by security folks years ago, less so now, who wanted to have the ability to fire people for the most trivial infractions. This attempt to grasp for what they perceived as power was a disturbing trend that I saw play out several times in particular. To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-27 08:13:00 IDG Contributor Network: Advancing cybersecurity through automated indicator sharing (lien direct) [Note: This article is coauthored by Ann Beauchesne and Dr. Andy Ozment. Ms. Beauchesne is Senior Vice President of the National Security and Emergency Preparedness Department at the U.S. Chamber of Commerce.]Cyber attacks are increasing every day, and we're constantly inundated by news reports detailing data breaches, ransomware attacks, and other system intrusions that cost businesses time and money and erode consumer confidence. Both the government and the private sector recognize the gravity of these incidents and are working together to address cyber threats through a novel information-sharing effort.To read this article in full or to leave a comment, please click here
CSO.webp 2016-09-27 06:13:00 IDG Contributor Network: Cybersecurity: is it really a question of when, not if? (lien direct) Last week I had the pleasure of speaking at the Financial Times Cybersecurity Summit in London about the origins of global cybercrime and the current challenges of the cybersecurity industry. The week before, I attended the Gartner Security & Risk Management Summit, where Gartner's security experts and industry analysts presented a lot of exciting talks and reports about the current state of cybersecurity in the world. According to Gartner's Top 10 Security Predictions 2016, through 2020, 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year. Meanwhile, many companies and organizations spend huge amounts fighting mysterious APTs and zero-days. To better understand the subject, let's walk through some quick numbers and statistics about cybersecurity and cybercrime first. To read this article in full or to leave a comment, please click here Guideline
CSO.webp 2016-09-27 04:24:00 After Tesla: why cybersecurity is central to the car industry's future (lien direct) The news that a Tesla car was hacked from 12 miles away tells us that the explosive growth in automotive connectivity may be rapidly outpacing automotive security. This story is illustrative of two persistent problems afflicting many connected industries: the continuing proliferation of vulnerabilities in new software, and the misguided view that cybersecurity is separate from concept, design, engineering and production. This leads to a 'fire brigade approach' to cybersecurity where security is not baked in at the design stage for either hardware or software but added in after vulnerabilities are discovered by cybersecurity specialists once the product is already on the market. To read this article in full or to leave a comment, please click here Guideline Tesla
CSO.webp 2016-09-27 04:19:00 Your users have porous passwords? Blame yourself, IT. (direct link) Maybe IT needs to tone down its security awareness efforts. New research by psychologists into password strength delivered the non-intuitive conclusion that users who are well briefed on the severity of security threats will not, as IT had hoped, create stronger passwords to better protect themselves. They actually tend to create much weaker passwords because the briefings make them feel helpless, as if any efforts to defend against these threats are pointless. The research, from a Montclair State University study - detailed here in a story from The Atlantic - suggests that IT staffers need to make sure that they emphasize how powerful a defense passwords, PINs and secure phrases can be in defending against threats, at least until we are able to deploy better authenticators.
CSO.webp 2016-09-27 04:00:00 Donald Trump actually made a valid point, securing the internet is hard (direct link) During the debates on Monday evening Donald Trump said something that wasn't completely insane or laughable – securing the internet is hard work. He's not wrong, and his comment is a point that both the government and private sector should remember. The debates on Monday were a mess. Both sides were tossing around some questionable statements, or outright lies - and both came off looking so disconnected from the average voter, it's hard to imagine either one of them as POTUS – but one of them will get into office. Let that sink in for a moment: one of them will be the next President of the United States. Jobs were a big topic early on, and Trump started in with unemployment examples from Michigan and Ohio, where the actual unemployment rates in each state are lower than the national average according to the Local Area Unemployment Statistics at the U.S. Bureau of Labor Statistics.
CSO.webp 2016-09-27 03:45:00 How to mitigate hackers who farm their victims (direct link) Nation-states and savvy criminal hackers don't pull uninformed, spur-of-the-moment smash-and-grab jobs on data networks. They reconnoiter and position themselves to slowly implement precise surgical maneuvers to exfiltrate your information treasures. Most of these attackers are capable of ensuring you remain unaware of their movements until it is to their benefit for you to know. High-profile attacks that leveraged extended dwell time inside the networks of large retail chains such as Target are examples of how hackers farm or manage victim organizations in this manner. Hackers farm their targets by maintaining a veiled presence in sensitive places in and around government and enterprise networks, revealing their position in a calculated way at an optimal time to achieve some strategic goal, says Danny Rogers, CEO at Terbium Labs.
CSO.webp 2016-09-27 03:37:00 10 ways to secure a mobile workforce (direct link) (Image by Thinkstock) We are entering the age of “supermobility,” in which mobile devices will provide all of the tools and technology that employees need to be productive on the go. And while workplace flexibility and convenience are at an all-time high, super-mobile employees are actually putting enormous amounts of company data at risk.
CSO.webp 2016-09-27 01:20:00 Meteors, disasters and the diesel generators (direct link) In August of 2003 it was just after 4 pm and I was leaving a vendor event where I was watching a professional tennis match. I was looking forward to the weekend ahead with a light Friday on the schedule. I could not have known how wrong I was, and then my cell phone began to ring. My boss was on the phone. The street lights ahead of me had gone out. That wasn't the harbinger that in retrospect it should have been. Boss: “Get in to the office. The power has gone out." Me: "For the office?" Boss: “Worse" Me: “Toronto?" Boss: “Worse" Me: “Ontario?” Boss: “All of it" The phone then went dead and with it the northeastern part of North America went dark. The lights out. It would be a good seven hours before any lights would come back on again.
CSO.webp 2016-09-27 00:28:00 Survey says men bothered more about retail breaches than women (direct link) Alertsec, the cloud-based encryption company, today released findings from their recent Brand Perception Study that reveal significant concern about data breaches. The study, fielded among 1,200 Americans, determined that data breaches “unsettle” American consumers and result in negative brand perception. Customers who are affected by data breaches suffer a significant loss of trust, and this is particularly true of men. According to the survey results, nearly one in three Americans (29 percent) said it would take them several months to begin trusting a company again following a data breach. Twenty-two percent said it would only take them a month to forgive, but 17 percent of men and 11 percent of women said their trust would be permanently lost. Men (16 percent) are also more likely to switch to a competitor following a data breach than are women (6 percent).
CSO.webp 2016-09-26 21:29:00 BrandPost: Where manufacturers could lose cybercontrol (direct link) Even though the U.S. hasn't suffered an attack on manufacturing, power production or public transit, the risk is growing. Indeed, the number of IC-related cybersecurity incidents reported to U.S. authorities rose 20 percent in the last year. ICS solutions and protocols were originally designed to work within isolated environments. They monitor and control industrial processes in critical infrastructure sectors such as electric grids and water treatment facilities, as well as in heavy industry. As more organizations connect their infrastructures to the Internet, companies are retrofitting this older equipment to work in modern networked environments.
CSO.webp 2016-09-26 20:58:00 BrandPost: Why red teams should be part of your team (direct link) Hiring red teams - good-guy hackers who probe both the physical and virtual security of a company - is an increasingly popular method that many organizations use to test their cyberdefense posture. These penetration tests, or pen tests as they are also known, have been a staple of planning since the Cold War. Governments and militaries would enlist what were designated as red teams to identify blind spots in their security routines. (The term came into vogue because U.S. officers took the Soviet or “red” perspective.) Fast forward to the present and a host of organizations ranging from the U.S. Department of Justice to Palantir Technologies are turning to red teams to conduct pen tests to help improve their security.
CSO.webp 2016-09-26 20:43:00 BrandPost: Cost of a breach: Why some global industries are more expensive (direct link) Calculating the costs of data breaches to the organizations victimized is no simple matter. Those costs can include everything from direct expenses for mitigating the attack to lost customers to legal fees and regulatory fines. Once all those variables are taken into account, it's possible to rank the cost of breaches by industry sector. Sitting at the top of the “most-expensive” list worldwide are two somewhat surprising sectors: healthcare and education. This finding was recently published by the Ponemon Institute in a global report on the cost of data breaches. While the average data breach cost across all industries was $158 per lost or stolen record, the average cost per lost healthcare record was $355, and was $246 for each education record lost. At the other end of the spectrum, the average cost of a lost public sector record was just $80, and that of a lost research industry record just $112.
CSO.webp 2016-09-26 10:14:00 IDG Contributor Network: DDoS takedown powered by IoT devices (direct link) DDoS attacks are nothing new, nor is it new for Krebs on Security to be a target, but the recent attack that forced the site off the network is reported to have been powered entirely by internet of things devices. Former U.S. Defense offensive security researcher and founder of IoT cybersecurity company Senrio, Stephen A. Ridley, said that's no surprise. "This should serve as a serious wake up call that IoT has a serious security problem," Ridley said. The world of IoT has caught a lot of attention for the vulnerabilities that occur within network-embedded devices, often referred to as 'inherent' vulnerabilities.
CSO.webp 2016-09-26 09:58:00 IDG Contributor Network: Friend or foe? Bank regulator issues new information security exam procedures (direct link) If you are involved with a financial institution subject to federal regulatory exams or a technology service provider that serves these institutions (like a technology start-up company), you probably have experienced the joy of preparing for or experiencing a regulatory compliance review. And now you will have the opportunity to spend more time preparing for these reviews. A new Information Security IT Examination Handbook (“Handbook”) was just released by the Federal Financial Institutions Examination Council (FFIEC) – and it will definitely keep many CSOs occupied during the coming months.
CSO.webp 2016-09-26 04:38:00 Companies say IoT matters but don't agree how to secure it (direct link) A majority of enterprises say the internet of things is strategic to their business, but most still take a piecemeal approach to IoT security. Those results from a global IDC survey conducted in July and August reveal both the promise and the growing pains of IoT, a set of technologies that may help many industries but can't simply be plugged in. The 27-country survey had more than 4,500 respondents, all from organizations with 100 or more employees. For 56 percent of enterprises, IoT is part of their strategic plans for the next two or three years, IDC analyst Carrie MacGillivray said on a webcast about the results. But the state of adoption varies widely among industries. Manufacturing companies are investing the most in the technology, with retail and financial services – especially insurance – also on the cutting edge.
CSO.webp 2016-09-26 04:30:00 The best online backup service for securely encrypting your data (direct link) Many people resist backing up their data to an online backup service like MozyHome, Carbonite, or Backblaze because they worry their data will be poked through by company employees, hijacked by criminals, or provided to law enforcement or government agents without due process. The sanctity of your data boils down to whether the encryption key used to scramble your data can be recovered by anyone other than yourself. Below I outline the various methods and levels of encryption that can be employed by these services, and then evaluate six of the best options for home users. Several give subscribers full control of their encryption. If you're already using a service, it's possible you can even upgrade to take advantage of greater ownership options.
CSO.webp 2016-09-26 04:09:00 Ransomware from Stoned to pwned (direct link) When I was in the trenches as a defender I saw all manner of malicious software. The first one I ever encountered back in the late 80s was the Stoned virus. This was a simple program that was lobbying the infected computer operator on the subject of legalizing marijuana. It was spread through the use of infected floppy disks. Years later I found myself standing in the office of one senior staff member when he received an email from a student. He also moonlighted as a university professor. The student professed her love for him and he was moved by the moment and clicked open the email. I lurched forward in a vain attempt to stop him, but the damage was already done.
CSO.webp 2016-09-26 03:44:00 Hillary Clinton's email has vanished but why can't yours? (direct link) The warnings about the longevity of email are regular and ominous: Don't be careless with it. Email is forever. Indeed, in some very high-profile cases it seems that way. Former CIA director and retired US Army General David Petraeus lost his job and his reputation, and "gained" a criminal record in 2012, when emails from an account he thought was private exposed his mishandling of classified information and an affair with his biographer. Much more recently – just in the past couple of weeks – a trove of embarrassing correspondence from the email account of former secretary of state Colin Powell was posted on the website DCLeaks.com. In the words of an anonymous television anchor, they upended the perception of Powell, also a retired four-star US Army general, as a stoic diplomat and revealed him to be, “just as gossipy as everyone else.”
Last update at: 2024-05-16 06:07:47