Saturday, September 23, 2017

Second crowdfunding campaign for SC police officer suspended [Updated]

Supporters for alleged murderer of Walter Scott try IndieGoGo, want "a fair trial."

Latest version of OS X closes Backdoor-like bug that gives attackers...

Privilege escalation bug remains active in versions prior to Yosemite.

Amazon drops the hammer on website that sells 5-star reviews

SoCal Web designer's reviews-for-sale biz is illegal, Amazon lawyers say.

Let’s Encrypt Becomes Linux Foundation Collaborative Project

The Linux Foundation has a track record in helping build open-source communities around projects like Let's Encrypt, which aims to make Internet use more secure.

The Let's Encrypt initiative today announced that it is becoming a Linux Foundation Collaborative Project. The Linux Foundation is well-known as the home of Linux development, but it has also expanded in recent years to host multiple open-source collaborative efforts, including the Xen hypervisor, OpenDaylight software-defined networking and Dronecode projects.

Secure Sockets Layer/Transport Layer Security (SSL/TLS) is a critical component of modern Internet security, but it is not always as easy to deploy as it should or could be. That is where the Let's Encrypt effort aims to help: to make it easier to encrypt, by providing users with freely available SSL/TLS certificates backed by a certificate authority (CA).

Let's Encrypt was first announced in November 2014. The effort includes the participation of Mozilla, Cisco, Akamai, the Electronic Frontier Foundation, IdenTrust and researchers at the University of Michigan, joined with the Internet Security Research Group (ISRG).

As to why Let's Encrypt decided to become a Linux Foundation-backed effort, Josh Aas, ISRG executive director, explained that the Linux Foundation has a track record in helping build open-source communities around important projects. He added that the Linux Foundation provides a number of ancillary services that let developers focus on development. "Our collaboration will allow the folks working on Let's Encrypt to focus on its service while the Linux Foundation provides organizational management," Aas told eWEEK.

A core part of the Let's Encrypt effort is the creation of a new CA that will be trusted by both users and browsers. In the SSL/TLS system, anyone can self-sign a digital certificate, but a self-signed certificate only vouches for itself: nothing independent of whoever created it attests that the party presenting it actually controls the name it carries. Self-signed certificates therefore trigger browser warnings and are untrusted by default in modern Web browsers. When a CA issues and signs an SSL/TLS certificate, the CA has validated the applicant's control of the name, and the certificate is trusted by every browser whose root store contains that CA (or a root that the issuing certificate chains up to).

"The group is hard at work building the CA, aiming for general availability around midyear," Aas said. "Most of the work relates to getting physical infrastructure in place, software development and policy development."

As a free CA, Let's Encrypt potentially represents a risk to the existing CAs, which are not free and have commercial models in place to sell SSL/TLS certificates. Aas emphasized that the Let's Encrypt project would like to work with existing CAs, not against them. "We talk with other CAs on a regular basis, and many share our enthusiasm for increasing TLS usage and improving the CA system in general," Aas said. "We look forward to continuing to work with other CAs, and we'll be joining the CA/Browser Forum as soon as we're able."

The CA/Browser Forum (CAB Forum) is one of the leading organizations for CAs. In recent weeks, the issue of SSL/TLS certificate mis-issuance has once again made the news. On March 23, Google reported that certificates for Google domains had been improperly issued under the China Internet Network Information Center (CNNIC) root, by an intermediate CA that chained up to CNNIC. Security of the certificate issuance process is top-of-mind for Let's Encrypt. "On a technical level, we're working hard to meet or exceed best practices when it comes to security," Aas said. "On a policy level, we're putting a lot of effort into developing issuance policies that make sense, and we intend to follow those policies carefully."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

French TV network blames “an Islamist group” for 11-station blackout

Websites, Facebook page defaced; TV stations still not fully operational.

Apple Patches Critical Backdoor Flaw in OS X 10.10.3

In addition to a number of updates in OS X 10.10.3, Apple is fixing vulnerabilities across its OS X operating system.

For months, Apple has been previewing the new Photos app, which has now officially landed in the OS X 10.10.3 Yosemite update that first became generally available on April 8. The OS X 10.10.3 update also includes new emoji characters and improves Wi-Fi performance. Perhaps even more noteworthy, though, is the volume of security updates included in the 10.10.3 milestone. Apple is patching a long list of vulnerabilities across OS X that were found by both internal Apple resources and external security researchers.

Among the security issues patched in OS X 10.10.3 is a vulnerability in its Admin Framework. The issue, identified as CVE-2015-1130, was reported by security researcher Emile Kvarnhammar, CEO at TrueSec. "The admin framework in Apple OS X contains a hidden backdoor API to root privileges," Kvarnhammar wrote in a blog post. "It's been there for several years (at least since 2011), I found it in October 2014, and it can be exploited to escalate privileges to root from any user account in the system."

While Apple has now fixed CVE-2015-1130 in the 10.10.3 update for users of OS X 10.10 Yosemite, older OS X releases remain at risk. Kvarnhammar noted that Apple told him the fix required a substantial amount of changes and a patch would not likely be back-ported to OS X 10.9 and older. "Our recommendation to all OS X users out there: Upgrade to 10.10.3 (or later)," Kvarnhammar wrote.

Apple also has nine patches in OS X 10.10.3 for various OS X kernel vulnerabilities. Among the patched kernel flaws is CVE-2015-1103, which was discovered by Zimperium Mobile Security Labs. According to Apple's advisory, the flaw could have enabled an attacker to redirect user traffic to arbitrary hosts. "ICMP (Internet Control Message Protocol) redirects were enabled by default on OS X," Apple's advisory states. "This issue was addressed by disabling ICMP redirects." An ICMP redirect is a message, nominally from a router, telling a host to use a different next hop for a destination; a kernel that acts on such messages lets whoever can deliver one rewrite the host's route for that destination.

Google's Project Zero security research team is also well-represented on the Apple OS X 10.10.3 patch list and is credited with reporting seven vulnerabilities. Five of the Project Zero vulnerabilities are in the Apple Type Services (ATS) component of OS X, and each could have led to arbitrary code execution. The other two Project Zero issues are in IOHIDFamily, the kernel component that handles human interface devices such as keyboards, mice and trackpads; IOHIDFamily is being patched for six different vulnerabilities in total.

Apple is also providing its users with an updated version of the open-source OpenSSL cryptographic library for Secure Sockets Layer/Transport Layer Security (SSL/TLS). The new OpenSSL version 0.9.8zd fixes six vulnerabilities.

Apple is also providing its OS X users with the Safari 8.0.5 update. Seven security updates in the Safari browser are specifically for the WebKit rendering engine. One particularly nasty flaw fixed in Safari is CVE-2015-1129, an SSL/TLS tracking issue. According to Apple, the vulnerability could have enabled users to be tracked by malicious Websites using client certificates. "An issue existed in Safari's client certificate matching for SSL authentication," Apple warned in its advisory. "This issue was addressed by improved matching of valid client certificates."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

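Apple's fix for CVE-2015-1103 was to stop the kernel acting on ICMP redirects, and the check a practitioner wants after reading that is whether their own hosts still honour them. The Go program below is an added example written for this page, not Apple's, Zimperium's or eWEEK's code. It parses `sysctl -a` style output from either macOS ("key: value") or Linux ("key = value"), flags every setting that still allows redirects to be accepted, and on a Linux host also reads the live values from /proc/sys. The two sample outputs are constructed for the example; the key names (net.inet.icmp.drop_redirect on macOS and BSD, net.ipv4.conf.*.accept_redirects and net.ipv6.conf.*.accept_redirects on Linux) are the real ones.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Constructed sample of `sysctl -a` output from a macOS host that still honours
// redirects (drop_redirect=0). macOS prints "key: value".
const sampleMacOS = `net.inet.icmp.drop_redirect: 0
net.inet.icmp.log_redirect: 0
net.inet.ip.forwarding: 0`

// Constructed Linux sample ("key = value"): hardened on 'all' and on eth0, but
// 'default' is still 1, so a newly created interface would inherit acceptance.
const sampleLinux = `net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0`

// parseSysctl turns either output format into a key -> value map.
func parseSysctl(out string) map[string]string {
	kv := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		sep := strings.IndexAny(line, ":=")
		if sep < 0 {
			continue // not a key/value line
		}
		kv[strings.TrimSpace(line[:sep])] = strings.TrimSpace(line[sep+1:])
	}
	return kv
}

// icmpRedirectFindings returns one line per setting that still lets the kernel
// act on ICMP redirects. An empty result means the host ignores them.
func icmpRedirectFindings(kv map[string]string) []string {
	var findings []string
	// macOS/BSD: a single switch, where 1 means redirects are dropped.
	if v, ok := kv["net.inet.icmp.drop_redirect"]; ok && v != "1" {
		findings = append(findings, "net.inet.icmp.drop_redirect="+v+" (want 1)")
	}
	// Linux: one key per interface plus 'all' and 'default'. Every one of them
	// should be 0, because with forwarding off a 1 on either 'all' or the
	// interface key is enough for the kernel to accept a redirect there.
	for k, v := range kv {
		isLinuxKey := strings.HasSuffix(k, ".accept_redirects") &&
			(strings.HasPrefix(k, "net.ipv4.conf.") || strings.HasPrefix(k, "net.ipv6.conf."))
		if isLinuxKey && v != "0" {
			findings = append(findings, k+"="+v+" (want 0)")
		}
	}
	sort.Strings(findings) // map iteration order is random; keep output stable
	return findings
}

// liveLinuxSettings reads the same keys straight from /proc/sys on a Linux host.
// Elsewhere it returns an empty map and the caller feeds parseSysctl instead.
func liveLinuxSettings() map[string]string {
	kv := make(map[string]string)
	paths, _ := filepath.Glob("/proc/sys/net/ipv[46]/conf/*/accept_redirects")
	for _, p := range paths {
		b, err := os.ReadFile(p)
		if err != nil {
			continue
		}
		key := strings.ReplaceAll(strings.TrimPrefix(p, "/proc/sys/"), "/", ".")
		kv[key] = strings.TrimSpace(string(b))
	}
	return kv
}

func report(label string, kv map[string]string) {
	findings := icmpRedirectFindings(kv)
	if len(findings) == 0 {
		fmt.Printf("%s: ICMP redirects ignored\n", label)
		return
	}
	fmt.Printf("%s: ICMP redirects still honoured by:\n", label)
	for _, f := range findings {
		fmt.Println("  " + f)
	}
}

func main() {
	report("constructed macOS sample", parseSysctl(sampleMacOS))
	report("constructed Linux sample", parseSysctl(sampleLinux))
	if live := liveLinuxSettings(); len(live) > 0 {
		report("this host (/proc/sys)", live)
	}
}
```

On a macOS machine the equivalent one-off check is `sysctl net.inet.icmp.drop_redirect`; the point of keeping the parser separate from the reader is that the same evaluation can be run over output collected from a fleet rather than only on the machine it runs on.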
US, European police take down highly elusive botnet known as Beebone

Botnet provided a captive audience of backdoored PCs to online criminals.

Pepper-spraying drones will be used on Indian protesters

When not spraying protesters, drones will be used for aerial surveillance.

Security Think Tank: Internal audit an essential component of data security

Internal audit often undertakes a crucial assurance role in an organisation, with particular attention to risk management and control, writes Steven Babb.

Given the connected world we live and conduct business in, cyber security typically holds a key spot in an organisation's risk profile, and consequently it is a key area of focus for internal audit. Internal audit should be seen, and treated, as a business partner, with increased reliance on it to make a significant contribution to governance.

Given the rapid rate of change we operate in, security professionals must regularly assess and mitigate risk. The truths often uncovered can be wide ranging: faulty processes; legacy infrastructure and end-of-life systems; a lack of patching and ineffective supplier management programmes; and weaknesses in managing customer and employee data.

The industry is witnessing increased demand for information security professionals with recognised security certifications, such as CISM and CRISC, which provide a strong level of assurance that the holder has an appropriate level of both professional experience and knowledge, a key differentiator for certificate holders.

Audits and the role of security professionals

The role of information security professionals continues to evolve, with increased demands placed on them to act as business leaders. The expectation is that security risks are identified and assessed, and that plans are put in place to mitigate them appropriately; but this requires investment, with CIOs and the board often having to balance spending on security maintenance programmes against investment in more direct revenue-generating activities. The key is to articulate these risks in clear, business-focused language.

The reality is that both functions need to work closely together, supporting each other in ensuring that key security-related messages are presented appropriately and at the right level, so that the necessary levels of support and buy-in are achieved.

The oversight role of internal audit should, however, not be overlooked. It has the remit to hold the security function to account when it is not effectively protecting sensitive information, critical data and business assets, and it should not shy away from doing so.

Steven Babb is international vice-president of Isaca and technology risk, compliance and assurance leader at Vodafone.

This was first published in April 2015

Linux Foundation to host open encryption project

The Linux Foundation is to host an open encryption project aimed at providing a free and easy way to protect the huge amount of data passed over the internet every day. This data includes usernames and passwords, credit card data, cookies and other types of sensitive or personal information.

While encryption can help protect this information, the SSL/TLS certificates a website needs before browsers will accept an encrypted connection to it have to date been difficult to obtain.

The non-profit Linux Foundation is to host the Let's Encrypt project set up by the Internet Security Research Group (ISRG), a Californian public benefit organisation. The Linux Foundation also hosts the Core Infrastructure Initiative, set up a year ago in response to the Heartbleed OpenSSL flaw.

The Linux Foundation is dedicated to improving internet security and has a track record in helping build open-source communities around important projects, while ISRG's mission is to reduce the financial, technological and educational barriers to secure communication over the internet.

Let's Encrypt is a free, automated and open certificate authority that enables website owners to obtain certificates in minutes to help protect online transactions. The project is sponsored by Akamai, Cisco, the Electronic Frontier Foundation, Mozilla, IdenTrust and Automattic.

ISRG and Let's Encrypt will be hosted as a Linux Foundation Collaborative Project. Collaborative Projects are independently funded software projects designed to tap into the power of collaborative development; they span the enterprise, mobile, embedded and life sciences markets and are backed by some of the largest technology companies.

"While the web has been a part of our lives for decades now, the data shared across networks is still at risk," said Linux Foundation executive director Jim Zemlin. "By hosting this important encryption project in a neutral forum we can accelerate the work towards a free, automated and easy security certification process that benefits millions of people."

ISRG executive director Josh Aas said encryption should be the default for the web. "The web is a complicated place these days; it's difficult for consumers to be in control of their data. The only reliable strategy for making sure that everyone's private data and information is protected while in transit over the web is to encrypt everything. Let's Encrypt simplifies this," he said.

How CIO Ed Garcez is putting his stamp on the Tri-borough...


French TV station TV5 Monde taken off-air by pro-ISIS hack

French television station TV5 Monde was taken off the air following a hack by attackers identifying themselves with ISIS, the Middle Eastern Islamist terrorist group. The hack also exposed personal information, with the attackers posting identity cards and curricula vitae of relatives of French soldiers purportedly involved in military action against ISIS in Syria and Iraq.

TV5 Monde is broadcast in more than 200 countries worldwide. The attack happened last night at around 10pm, and broadcasts were not resumed until 1am, after a three-hour blackout. The hack underlines the risks facing media organisations, especially television channels, in moving to all-digital, online-based operations.

"We are no longer able to broadcast any of our channels. Our websites and social media sites are no longer under our control and are all displaying claims of responsibility by Islamic State," admitted the network's director Yves Bigot, later adding that its systems had been "severely damaged" by an "unprecedented attack".

The hackers accused French president Francois Hollande of having made "an unforgivable mistake" by involving France in "a war that serves no purpose". The message on the TV station's Facebook page continued: "That's why the French received the gifts of Charlie Hebdo and Hyper Cacher in January." Charlie Hebdo and Hyper Cacher refer to the terrorist attacks in January in which a total of 17 people were murdered by Islamist gunmen.

However, while news is only now filtering out about the attack, there are very few details about how the hackers were able to penetrate the organisation's IT security: whether it was down to a lapse in security controls and procedures, or whether the attackers had some form of inside information or help.

The attack comes in the same week that Lloyd's insurer Aegis London warned that it expected a cyber attack to cause an organisation to fail this year. "These attacks are now increasingly destructive as we have seen with the recent attack on Sony Entertainment and statistics from the Organisation of American States," said Joe Hancock, cyber security specialist at Aegis London.