What's new around the internet

Src  Date (GMT)  Title  Description  Tags  Stories  Notes
itsecurityguru 2019-01-14 16:53:01 Multiple Zero-Day Vulnerabilities Discovered By Tenable Research In Building Access Technology. (direct link)

Tenable®, Inc., the Cyber Exposure company, today announced that Tenable Research has discovered several zero-day vulnerabilities in the PremiSys™ access control system developed by IDenticard. When exploited, the most severe vulnerability would give an attacker unfettered access to the badge system database, allowing him/her to covertly enter buildings by creating fraudulent badges and disabling building locks. […]

The post Multiple Zero-Day Vulnerabilities Discovered By Tenable Research In Building Access Technology. appeared first on IT Security Guru.

bleepingcomputer 2019-01-14 16:50:01 First Windows 10 Build for Microsoft's Foldable Devices Appears Online (direct link)

BuildFeed, a site that keeps track of the latest Windows 10 and Windows Insider builds, has found a new build that may indicate that Microsoft is internally testing builds for foldable Windows 10 devices. This new build has a version of 18313.1004 on Microsoft's servers and comes from the Windows 10 19H1 development. [...]

MalwarebytesLabs 2019-01-14 16:45:03 A week in security (January 7 – 13) (direct link)

A roundup of last week's security news from January 7 to 13, including breaches, takedowns, bug fixes, and social media issues.

Categories: Security world, Week in security

The post A week in security (January 7 – 13) appeared first on Malwarebytes Labs.

AlienVault 2019-01-14 16:28:00 Software Bill of Materials (SBoM) - Does It Work for DevSecOps? (direct link)

There has been much discussion of a “software bill of materials” (SBoM) lately, for use when addressing security vulnerabilities. Many are curious, wanting to learn more. Googling the term gives lots of positive descriptions. This post will go negative, describing problems with the concept.

Rather than cover the entire concept, I want to focus on a narrow part of it, so I asked Kate Brew to write a short blurb on why she’s interested in SBoMs. Her response was:

“I am an Industrial Engineer by training. So when I heard of the concept of software BoM I was intrigued. Being able to quickly see all the components, open source or not, incorporated into an application appears like a valuable way to determine needed actions in the case of vulnerabilities found in a component. It seems efficient and helpful to me to have a clear view of components in an application.”

Software is never built wholly from scratch these days. Instead, software is built by combining components, development frameworks, libraries, operating system features, and so on. It has a “bill of materials” describing the bits that make it up, every bit as much as hardware does.

When vulnerabilities happen, knowing this information can help. Good examples are the high profile Apache Struts bugs, where customers don’t know they are vulnerable because they are unaware that products they own include Struts. If only product vendors provided a list of sub-components, then customers would quickly know if they are vulnerable, and be able to act accordingly.

Some claim this sort of thing already exists in narrow industries, like medical and energy. They are pushing the concept for use everywhere because it’s already being used successfully somewhere.

This is a great story, but it isn’t true.

Software Bill of Materials Is a Misguided Concept for DevSecOps

Proponents are being deliberately vague in defining exactly what should be included in a software BoM. For hardware BoMs, you don’t list the ingredients of the circuit board, where you sourced the silica for glass fibers, or the recipe of the epoxy that binds them together. Hardware BoMs aren’t that granular because it’s not necessary. They include an indented list of components and sub-components. Hardware is basic. But when tracking software vulnerabilities, such granularity is important: you need to track every line of source code.

There are four levels of details for SBoMs:

  • Licenses
  • Modules
  • Patch levels
  • Backports

Most of the discussion about SBoMs is roughly at the license level. The makers of software already track this, even when they don’t disclose it to customers. Commercial products track this for legal reasons, for compliance with the legal contracts they have with suppliers. Open-source products track this for practical reasons, since you often have to hunt down and install the dependencies yourself in order to make open-source work -- importing open-source implicitly means importing the license.

You see the artifacts of this everywhere. My parents just bought a new Subaru, which like most new cars contains a small screen for the maps and backup camera. On one of the pages on the screen I find something that lists a number of embedded components. Displaying this information is often a requirement of the license.

Software Bills of Materials Aren’t That Great for Tracking Vulnerabilities

SBoMs aren’t as useful as you’d think for tracking vulnerabilities, because they’re not granular enough. Take Linux, for example. The entire thing is licensed under the GPL. This hides the complexity that the kernel is around 20 million lines of code, and the GNU userland components are millions more. An SBoM saying this IoT product uses “Linux” hides a lot of the complexity of what may or may not exist in the product.

A new Linux vuln is discovered at th

TechRepublic 2019-01-14 16:26:03 Raspberry Pi touchscreen round-up: From cheap tiny displays to tablet-sized panels (direct link)

A selection of touchscreens available for the Raspberry Pi, and one eInk screen you might like to try.

bleepingcomputer 2019-01-14 16:20:03 Massachusetts Amends Law Protecting Consumers From Security Breaches (direct link)

Massachusetts Governor Charlie Baker signed a new law on January 10 that amends the state's data breach law, removing the fees imposed by credit reporting agencies for security disclosures and freezes of consumer credit reports [...]

ZDNet 2019-01-14 16:16:03 Details published about vulnerabilities in popular building access system (direct link)

Vulnerabilities can be used to shut down building access systems to aid theft and unauthorized access.

itsecurityguru 2019-01-14 16:01:02 Deadline To Take Part In Cybersecurity Training Programme Cyber Discovery Extended To 31st January 2019. (direct link)

Due to demand, the deadline for registration and completion of the initial assessment phase of the UK government's landmark cybersecurity training programme, Cyber Discovery, has been extended to the 31st January. Funded by the Department for Digital, Media, Culture & Sport (DCMS) and delivered by global IT training company SANS Institute, Cyber Discovery is a […]

The post Deadline To Take Part In Cybersecurity Training Programme Cyber Discovery Extended To 31st January 2019. appeared first on IT Security Guru.

MalwarebytesLabs 2019-01-14 16:00:00 Government shutdown impacts .gov websites, puts Americans in danger (direct link)

Today, TechCrunch posted a concerning story about the shutdown and, most importantly, they covered the reporting of NetCraft, a U.K. internet service company, about how numerous US government websites are now inaccessible due to expired security certificates. This is going to be a quick post to help explain what happened and, more importantly, how cyber criminals will use this situation to their advantage.

Categories: Government, Security world

The post Government shutdown impacts .gov websites, puts Americans in danger appeared first on Malwarebytes Labs.

WiredThreatLevel 2019-01-14 16:00:00 Screens Might Be as Bad for Mental Health as ... Potatoes (direct link)

The science of how technology affects happiness needs a huge statistical upgrade. A new paper charts a path toward better research.

WiredThreatLevel 2019-01-14 16:00:00 Bio-Printers Are Churning out Living Fixes to Broken Spines (direct link)

A new study shows that 3D-printing a section of spinal cord, living cells and all, restored movement in injured rats.

TechRepublic 2019-01-14 15:41:03 500 robots infiltrate US grocery stores to identify safety hazards (direct link)

The in-store robots test safety measures like liquid, powder, and bulk food-item spills, according to Retail Business Services.

Checkpoint 2019-01-14 15:40:05 December 2018's Most Wanted Malware: Where there's SmokeLoader, there's Fire (direct link)

Check Point's researchers saw SmokeLoader rise to the top 10 'Most Wanted' Malware list in December after a sudden boost in activity. Mainly used to load other malware, such as Trickbot Banker, AZORult Infostealer and Panda Banker, the second-stage downloader had been known to researchers since 2011, but entered the top 10 for the first…

The post December 2018's Most Wanted Malware: Where there's SmokeLoader, there's Fire appeared first on Check Point Software Blog.

TechRepublic 2019-01-14 15:27:01 CES 2019: Cyberlink develops FaceMe facial recognition AI (direct link)

Why Cyberlink believes that facial recognition AI will be used regularly at home, work, and retail locations.

securityintelligence 2019-01-14 15:25:01 Need a Sounding Board for Your Incident Response Plan? Join a Security Community (direct link)

Joining a security community is a great way to get advice and feedback on your incident response plan from like-minded peers.

The post Need a Sounding Board for Your Incident Response Plan? Join a Security Community appeared first on Security Intelligence.

ZDNet 2019-01-14 15:23:03 Radware acquires ShieldSquare in botnet, cloud security push (direct link)

The acquisition is central to improving anti-bot solutions and separating fake from genuine traffic.

Korben 2019-01-14 15:16:05 Bug Bounty Event – See you at FIC (Lille) next week! (direct link)

Quick question: what are you doing on January 22 and 23? If the answer is "Not much, captain", then why not hop on a train to Lille to attend FIC, the Forum International de la Cybersécurité? Good atmosphere guaranteed, friendly people, stickers and goodies everywhere, … More

WiredThreatLevel 2019-01-14 15:00:00 Desalination Is Booming. But What About All That Toxic Brine? (direct link)

Desalination plants turn seawater into drinking water, but also pump hypersaline water back into the environment. That's especially troubling because desal has become extremely popular.

TechRepublic 2019-01-14 14:42:00 GoDaddy injecting site-breaking JavaScript into customer websites, here's a fix (direct link)

GoDaddy is injecting analytics scripts into websites hosted on their systems to track users. Here's how to opt out.

itsecurityguru 2019-01-14 14:39:02 Surfshark Triumphs At BestVPN.com Awards 2019 Ceremony In Las Vegas. (direct link)

With the CES 2019 coming to an end, at an Award Ceremony in Las Vegas, specialized VPN review website BestVPN.com announced winners of the annual BestVPN.com Awards 2019. For its fast development and market stirring innovation, privacy service provider Surfshark received an award as the Best VPN 2019 in the Newcomer category. “Such acknowledgment from […]

The post Surfshark Triumphs At BestVPN.com Awards 2019 Ceremony In Las Vegas. appeared first on IT Security Guru.

DarkReading 2019-01-14 14:30:00 Radiflow: New Approach for Classifying OT Attack Flaws (direct link)

The firm says risk assessment should begin with understanding attacker taxonomy and continue with vulnerability analysis.

Korben 2019-01-14 14:26:04 Editorial of 14/01/2018 (direct link)

You probably didn't notice, but last week my web-encephalocardiogram went flat. Basically, I vanished from the pipes for an interminable week because of a fairly destructive gastro-bronchitis combo. With my energy at its lowest, I spent the week in bed, and today, even if I … More

Kaspersky 2019-01-14 14:18:02 Data Exposed in OXO, Amazon and MongoDB Leaks (direct link)

Dual data exposures and a wide-scale data leak due to a vulnerable MongoDB database have kicked off 2019 so far.

Korben 2019-01-14 14:09:03 iPhone XS and X mockups for your app designs (direct link)

If you are an app developer or are running a web project, you may want to show off your creation inside a gorgeous iPhone X or XS so that visitors to your site want to try your application. Unfortunately, if you have no talent as a designer, well, that's not … More

bleepingcomputer 2019-01-14 14:00:00 Microsoft Awarded Five-Year $1.76 Billion IDIQ Contract by DoD (direct link)

[...]

TechRepublic 2019-01-14 14:00:00 90% of companies undergoing digital transformation facing 'significant obstacles' (direct link)

Customers want more digital products and services, but businesses struggle with culture change and legacy system costs, according to an AppDirect survey.

WiredThreatLevel 2019-01-14 14:00:00 Tech Workers Unite to Fight Forced Arbitration (direct link)

A social media campaign against forced arbitration clauses in employment contracts is a rare example of employees from different companies joining together.

TechRepublic 2019-01-14 13:54:01 How to install Ansible on Ubuntu Server 18.04 (direct link)

Jack Wallen walks you through the steps for installing Ansible and connecting a node.

TechRepublic 2019-01-14 13:54:00 Verizon's new AI platform will help businesses improve customer service 24/7 (direct link)

The telecom giant is expanding their portfolio of managed services with an AI-powered toolkit for improving customer experience outcomes.

bleepingcomputer 2019-01-14 13:30:00 Hundreds of Cybersecurity Risks Still Affecting the Pentagon (direct link)

Although the vast majority of open cybersecurity issues are from 2018, there are a handful of cybersecurity gaps left open for about a decade, with two recommendations unaddressed since 2008 [...]

TechRepublic 2019-01-14 13:26:03 Overcoming imposter syndrome: How managers can boost employee confidence (direct link)

Imposter syndrome can be a huge obstacle for employees. Here's how managers can save the day, and the business.

securityintelligence 2019-01-14 13:00:04 Protect Your Critical Assets in a Landscape of Expanding Attack Surfaces (direct link)

Security leaders face more challenges to protect critical assets than ever. The evolving enterprise landscape has created a need for new frameworks and solutions to achieve visibility and control.

The post Protect Your Critical Assets in a Landscape of Expanding Attack Surfaces appeared first on Security Intelligence.

bleepingcomputer 2019-01-14 12:56:05 Escaping Containers to Execute Commands on Play with Docker Servers (direct link)

Improperly secured privileged containers on the Play with Docker testing platform offered security researchers a way to escape Linux containers and run arbitrary code on the host system. [...]

securityintelligence 2019-01-14 12:50:02 When It Comes to Cyber Risks, A Confident Board Isn't Always a Good Thing (direct link)

While board directors have been concerned with cybersecurity for some time, we're now seeing reports that they are improving their understanding of cyber risks and how those risks can impact business.

The post When It Comes to Cyber Risks, A Confident Board Isn’t Always a Good Thing appeared first on Security Intelligence.

ZDNet 2019-01-14 12:49:04 51 percent Ethereum Classic hacker returns $100,000 in stolen cryptocurrency (direct link)

An exchange has mulled over the possibility of the hacker being white-hat, but $1 million is still unaccounted for.

ZDNet 2019-01-14 12:39:00 Liberian ISP sues rival for hiring hacker to attack its network (direct link)

Lawsuit comes after British authorities sentenced the hacker to two years and eight months in prison for the same attacks.

ESET 2019-01-14 12:05:01 CES: Smart cities and the challenge of securing the neighborhood (direct link)

In our final report from CES we take a look at smart city initiatives

Pirate 2019-01-14 12:02:04 Avira's 10 predictions for 2019 (direct link)

The new year has just begun. And if we can be sure of one thing, it is that the threats are not about to stop. On the contrary, they will grow and multiply. Avira has studied last year's patterns, figures and trends and drawn up a list of predictions for what we might expect this year.

Kaspersky 2019-01-14 12:00:01 Podcast: Emotet Grows With Fast-Evolving Tactics (direct link)

Threatpost discusses the future of the Emotet banking trojan with Cylance.

WiredThreatLevel 2019-01-14 12:00:00 As Self-Driving Cars Stall, Players Revive an Old Approach (direct link)

With true autonomy proving harder than we hoped, some companies are refocusing on systems that split the work between human and machine.

ZDNet 2019-01-14 11:34:02 Ransomware attack sends City of Del Rio back to the days of pen and paper (direct link)

Servers at City Hall were rendered useless due to the outbreak.

itsecurityguru 2019-01-14 10:59:03 2019 Predictions And The Start Of 5G. (direct link)

By Ronald Sens, EMEA Director at A10 Networks With 2019 well underway, the hype of 5G and the growth of IoT are filling my thoughts, with both – especially the fifth generation of mobile networks – in a relatively early stage. So, how will 5G and IoT develop in the New Year? First Operational 5G […]

The post 2019 Predictions And The Start Of 5G. appeared first on IT Security Guru.

itsecurityguru 2019-01-14 10:57:00 If Cybersecurity Breaches Are Inevitable What Should Organisations Do About It? (direct link)

By Maxim Frolov, Vice President of Global Sales at Kaspersky Lab There's an inconvenient truth in the business community. As many business decision-makers are only too aware, hardly a week seems to go by without a data breach of some form being reported to the press, and this year alone has witnessed some major breaches which […]

The post If Cybersecurity Breaches Are Inevitable What Should Organisations Do About It? appeared first on IT Security Guru.

itsecurityguru 2019-01-14 10:49:01 Goldman Sachs Leads $8m Investment In Immersive Labs Cyber Security Skills Platform. (direct link)

Immersive Labs today announced that Goldman Sachs has led an $8m Series A investment round in its fast-growing cyber security skills platform. The funding, made alongside smaller private investors, will grow an offering which arms enterprise IT and cyber security teams with the latest skills by combining threat data with gamified learning. The award-winning Immersive […]

The post Goldman Sachs Leads $8m Investment In Immersive Labs Cyber Security Skills Platform. appeared first on IT Security Guru.

itsecurityguru 2019-01-14 10:42:03 Cryptocurrency Mining Protection. (direct link)

By Darren Williams, CEO and Founder of BlackFog Whilst the future use and viability of Cryptocurrencies may still be up for debate, the influence Bitcoin (the most famous cryptocurrency) has had on the market is clear– with its valuation peaking at just shy of $20,000 in December 2017. In fact, the global market for Blockchain […]

The post Cryptocurrency Mining Protection. appeared first on IT Security Guru.

grahamcluley 2019-01-14 10:07:00 The DDoS attacker rescued by a Disney cruise ship is sentenced to over 10 years in prison (direct link)

A 34-year-old man has been jailed after being found guilty of launching a massive denial-of-service attack against Boston Children's Hospital.

Read more in my article on the Hot for Security blog.

SecurityAffairs 2019-01-14 10:03:01 Zurich refuses to pay Mondelez for NotPetya damages because it's 'an act of war' (direct link)

Zurich American Insurance Company is refusing to refund its client because it considers the attack “an act of war” that is not covered by its policy. The US food giant Mondelez is suing Zurich for $100 Million after the insurance company rejected its claim to restore normal operations following the massive NotPetya ransomware attack. On […]

The post Zurich refuses to pay Mondelez for NotPetya damages because it’s ‘an act of war’ appeared first on Security Affairs.

Blog 2019-01-14 08:43:00 Q&A: Here's why robust 'privileged access management' has never been more vital (direct link)

Malicious intruders have long recognized that getting their hands on privileged credentials equates to possessing the keys to the kingdom. This is because privileged accounts are widely deployed all across modern business networks — on-premises, in the cloud, across DevOps environments and on endpoints. Related: California enacts pioneering privacy law However, lacking robust protection, privileged accounts, […]

SecurityAffairs 2019-01-14 08:37:02 Computers at the City Hall of Del Rio were infected by ransomware (direct link)

The City Hall of Del Rio, a city in and the county seat of Val Verde County, Texas, was hit by a ransomware attack and operations were suspended. Last week, the City Hall of Del Rio, a city in and the county seat of Val Verde County, Texas, was hit by a ransomware attack. On Thursday, tens of computers at […]

The post Computers at the City Hall of Del Rio were infected by ransomware appeared first on Security Affairs.

bleepingcomputer 2019-01-14 08:24:04 GoDaddy Injecting JavaScript That May Break Customer Sites (direct link)

Domain registrar GoDaddy is injecting JavaScript into US customer websites that could impact the overall performance of the website or even render it inoperable. [...]


Information updated on: 2019-01-19 06:03:28
See the list of sources.
