News

Who’s getting FAA approval to fly drones? A Kansas town, among...

Sure, military and cops have them, but some small towns want them, too.

Google has removed 170,000-plus URLs under “right to be forgotten” edict

Google weighs public interest, accuracy and relevance.

Police given automatic access to mobile phone records – web browsing...

Three of Britain's four mobile phone networks - EE, Vodafone and Three - are providing call records to police forces across the UK on request at the click of a mouse, according to a new investigation. The data is handed over without a warrant or any other safeguards under the Regulation of Investigatory Powers Act (RIPA), which was introduced in 2000. RIPA is also the enabling act that allows GCHQ to conduct mass surveillance of people's web activity. The law has called into question after police used it to identify journalists' sources in the story over former Liberal Democrat MP Chris Huhne's speeding fine. Mobile operators are legally obliged to store one year of call records of all of their customers, which police forces and other agencies can then access without a warrant under RIPA. The proposed Communications Data Bill, which is an implementation of a 2006 EU directive, would extend this to internet activity and, therefore, make people's web browsing available to police under RIPA without a warrant. The Communications Data Bill was put forward by Home Secretary Theresa May at the Conservative Party conference in September as an essential tool in the "war against terrorism" - although attempts to introduce it have already been twice defeated in the House of Commons after vociferous protests by privacy campaigners. Documents from software providers and interviews with mobile phone company staff by The Guardian newspaper, however, have revealed how easy it has become for police to access any phone record held by EE, Vodafone or Three. The "vast majority" of records demand by the police, according to The Guardian, are delivered via an automated system without staff even needing to vet the requests. "In the automated systems used by the phone companies, police officers seeking phone records must gain permission from another officer on the same force, who then enters the details into an online form. That mirrors the US Prism programme, revealed by Edward Snowden, which in effect created a backdoor into the products of US tech corporations. In the vast majority of cases, the information is then delivered without any further human role," claims The Guardian. Software for the systems used by police forces is provided by a company called Charter Systems. The company's software enables police to access data from multiple phone operators with just one request. Eric King, deputy director of Privacy International, warned that the telecoms operators were "essentially already provid[ing] law enforcement with the joined-up databases they claimed they didn't have when pushing for the ‘snooper's charter'." The three mobile phone operators have all admitted that they offer the police this automated access to their customers' call records, with O2 the only operator handling the requests manually on a case-by-case basis. A spokesperson for Three claimed that it was obliged to provide such access to the police by law. The big question is, of course, whether the same kind of automatic computer access will be provided to the police when the government passes the Communications Data Bill. That will oblige all internet service providers in the UK to retain all web-surfing records of all of their customers so that the police can access the details.

Poor punctuation leads to Windows shell vulnerability

An attack on Windows scripts shows that quotation marks aren't just for writers.

For HP, Symantec, Others, Breaking Up Can Be Hard to Do

For the past few years, Hewlett-Packard CEO Meg Whitman had resisted calls for her to split up the venerable tech giant by shedding the stagnant PC business. Whitman pushed back, saying the company was "better together." However, on Oct. 5, the CEO announced that HP indeed would break in two, with one company selling printers and PCs, the other enterprise IT solutions and services. In doing so, HP also became the poster child of the trend in the IT industry of vendors splitting in two or shedding businesses in hopes of becoming more focused, streamlined and profitable. HP's announcement came days after eBay said it was splitting off its PayPal business, and days before Symantec said it was separating its security software and storage businesses. Other businesses—like EMC—are under pressure from investors to ditch business units. Still, there are others—like Cisco Systems and Dell—that are going in the other direction, continuing to broaden their product portfolios and capabilities through in-house development and acquisitions. In this slide show, eWEEK takes a look at some of those companies breaking up, others that are at least under pressure to break up and some that are still building rather than splitting up.

HP accidentally signed malware, will revoke certificate

Trojan infected a developer's machine, got signed by mistake.

Azure CTO Mark Russinovich’s top ten public cloud security risks

Security on the public cloud is one of the most important concerns for CIOs. Microsoft Azure cloud CTO Mark Russinovich identified ten key security risks of public cloud services, including malicious insiders, shared technology, data breaches, artificial intelligence and data loss. He also outlined strategies and best practices for users and service providers to beat these risks. “We are in the third era of computing – the cloud and mobile era – but security considerations on cloud are still not widely understood. It is important to address the public cloud security concerns to facilitate its adoption,” Russinovich told delegates at the annual IP Expo 2014 in London.  “This is important because there is no cloud without trust.” Drawing from Cloud Security Alliance’s top nine cloud computing threats, Russinovich listed ten security concerns – listed below – that are typical to public cloud services and explained the measures taken by public cloud service providers, such as Microsoft Azure and AWS, to address those security risks. 1. Shared technology vulnerabilities: The cloud risk A vulnerability in publicly accessible software enables an attacker to puncture the cloud and expose data of other customers using the same service. Shared technology vulnerability can affect the security of enterprise datacentres too, but the cloud services are at higher risk of exploitation because data from many customers makes it a rich target and the cloud APIs are easier to access than enterprise APIs, said Russinovich.  But cloud providers are responding to these threats by automating software deployment and rolling out patches quickly and at scale. 2. Insufficient due-diligence and shadow IT “Many companies are side-stepping IT processes and storing data on the cloud (Shadow IT), Russinovich said.  “This is happening even as IT is designing management, auditing, forensics and access control systems for on-premises servers and applications." He said enterprises must take responsibility for the risks shadow IT exposes them to on the public cloud platform. “IT must determine how to enable business units while enforcing corporate governance and it must promote responsible adoption,” Russinovich advised delegates at IP Expo. 3. Abuse of cloud services Some of the flagship features of cloud computing, such as agility, scalability and flexibility, are useful to attackers too, Russinovich explained. Attackers are using infrastructure as a service (IaaS) as malware platform or, for doing tasks such as mining digital currencies, and are using cloud storage to store illegal content.  “Cloud abuse is possible because of stolen credit cards, hijacked accounts and free cloud trials. Every month Azure shuts down about 70,000 virtual machines for security reasons.” 4. Malicious insiders Showing a picture of NSA surveillance whistleblower Edward Snowden, Russinovich said cloud service provider employees who have access to cloud can be a security threat.  Malicious insiders also include developers writing cloud codes that can be exploited by outsiders, operators that deploy code less securely and those who have access to cloud datacentres. Cloud use may result in unmanaged credentials and publicly accessible applications or services may allow for brute forcing Some of the mitigation steps the Azure CTO outlined for enterprises included: employee background checks, and limited or monitored access to servers. 5. Denial of service (DOS) “Cloud outages are a form of DOS, and it is a significant threat to public cloud computing,” Russinovich said.  Cloud providers such as Azure are investing heavily in DDOS prevention, he said, by isolating non-public applications from the internet and providing local resiliency against cloud outages. 6. Insecure interfaces and APIs Cloud is new and rapidly evolving, so lots of new, insecure APIs surface, according to him. This includes weak TLS crypto or incomplete verification of encrypted content. The responsibility to address this threat lies with both cloud providers and users, Russinovich said.  “Cloud providers must follow SDL. And uustomers should validate API behavior,” he said. 7. Unauthorised access to an enterprise user’s cloud account Explaining this threat, Russinovich blamed weak passwords, stolen passwords and password reuse as the key reason for cloud account hijacks. Cloud providers must establish physical controls on datacentre premises “Cloud use may result in unmanaged credentials and publicly accessible applications or services may allow for brute forcing,” he said. Russinovich advised enterprises to mitigate this risk by taking steps such as turning off unneeded endpoints, encouraging the use of strong passwords, creating two-factor authentication and detecting breach at the onset. 8. Data loss There are multiple ways to lose cloud data, according to Russinovich: “Customer or cloud provider accidentally deletes or modifies it, or attacker deletes or modifies it, or when a natural disaster destroys the cloud datacentre." To mitigate cloud data loss, customers must take steps such as point-in-time backups and geo-redundant storage while cloud providers must have services such as deleted resource tombstoning. 9. Data breach This represents a collection of threats such as insider threat, vulnerability in shared technology, etc. “Ultimately, a company’s main asset is its data,” he said. “How does a company ensure its data is protected even in the face of successful breach?” Physical threats that result in data breach include attackers gaining access to storage devices removed from datacentre, he explained.  “Cloud providers must establish physical controls on datacentre premises and deploy audit and monitoring tools while users can encrypt data at rest and have third-party certifications," Russinovich said. CIOs need to get past the hype and check-box mentality and have a strategy to mitigate cloud security risks But data breaches can occur even during data transfer, he warned. To beat this risk, cloud providers must encrypts inter-datacentre links and customers must encrypt outside of cloud. 10. Self-awareness or artificial intelligence A self-aware cloud topped Russinovich's list of public cloud security risks. “As with any new technology, there are new risks. It is our responsibility to educate our businesses and customers and we can also develop tools and processes to mitigate risk. But it is also a shared responsibility of cloud users,” he said. “CIOs need to get past the hype and check-box mentality and have a strategy to mitigate cloud security risks.” “They need to come into the cloud in a responsible way.” Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com RELATED CONTENT FROM THE TECHTARGET NETWORK

Dairy Queen Confirms Backoff Malware Breach

After a month of speculation and investigation, restaurant chain International Dairy Queen officially confirmed on Oct. 9 that its stores had been the victim of a data breach. International Dairy Queen has both the Dairy Queen ice cream chain and Ora...

Google finally wrests Rockstar patent suit out of East Texas

A risky move gets Google's case away from a "made-for-litigation" Plano office.

Obama: I want the FCC to ban paid Internet fast lanes

President is “unequivocally committed to net neutrality.”

Juniper Lowers Third-Quarter Earnings Forecast

Juniper Networks officials, pointing to softer demand from service providers for the company's products than expected, said third-quarter financial numbers will come in lower than originally forecast. The company said Oct. 9 that revenues will come in between $1.11 billion and $1.12 billion, below the networking vendor's previous guidance of $1.15 billion to $1.2 billion. Juniper will announce its third-quarter financial numbers Oct. 23. The lowered guidance comes after what was a strong second quarter, when revenues hit $1.23 billion, a 7 percent increase from the same period in 2013. It also comes as the company continues to execute on a restructuring plan CEO Shaygan Kheradpir laid out in March that includes focusing on high-growth markets; consolidate much of its networking, security and management software into a single portfolio; pare R&D costs and return $3 billion to investors. As part of the plan, Juniper announced in April that it was cutting 6 percent of its workforce—about 560 jobs—and this month closed a $250 million deal to sell its Junos Pulse mobile security business to private equity firm Siris Capital. The business is now an independent company called PulseSecure. In its announcement regarding the third-quarter financial numbers, Juniper officials noted the ongoing cost-cutting efforts at the company. Juniper has been under pressure from investors Jana Partners and Elliott Management to streamline the business, reduce expenses and return more money to investors. The investors have touted Juniper's products, but have argued that the company is undervalued and needed to make some changes. Elliott Management also has been an outspoken investor at other companies, including Riverbed Technology and data storage giant EMC. Elliott officials want EMC to sell off its 80 percent stake in virtualization pioneer VMware.

LANDESK bring new mobile security possibilities to enterprise apps with latest...

New Application Wrapping Feature Brings Increased Security and Ease of Use for CustomersLONDON — October 10, 2014 — LANDESK, a global leader in delivering user-oriented IT solutions that solve systems, assets, security, mobility and IT service management challenges, today announced the release of new features and upgrades to its Enterprise Mobility Management platform, including an application wrapping feature. This new feature will allow IT departments to add another layer of security to the enterprise apps they supply to their users."We strive to provide users with the most intuitive and easy-to-understand products available," said Stephen Brown, director of product management at LANDESK. "While most application wrapping software is quite cumbersome, our solution allows an IT administrator to wrap an application in one step and deploy it to users. We know this simplicity will improve the productivity of the IT managers and their user base to help them focus on the important tasks they need to accomplish."LANDESK application wrapping makes it easy to incorporate mobile application security into corporate bring-your-own-device (BYOD) policies. It uses single sign-on authentication to make access to the enterprise applications simple and to foster increased user productivity. It also encrypts data, preventing it from moving to applications not provided by the enterprise. This feature also makes it easy for IT to add security features and can be used for any Android app and enterprise iOS apps.LANDESK® Mobility Manager helps IT managers balance users' needs to be productive anywhere with IT's charter to provide secure mobility. With the BYOD-friendly LANDESK approach, IT teams gain confidence that 1) security measures are in place to consistently safeguard corporate data enterprise-wide and 2) mobile users benefit from a solution that respects the personal nature of their devices.About LANDESK Software LANDESK, the global authority on user-oriented IT, enables users to be their most productive while helping IT embrace the speed of change. Through the integration and automation of IT systems management, endpoint security management, service management, IT asset management, and mobile device management, LANDESK empowers IT to balance rapidly evolving user requirements with the need to secure critical assets and data. With offices located across the globe, LANDESK is headquartered in Salt Lake City. For more information, visit www.landesk.com. Source: RealWire