Security News

Google Chrome to Support Windows XP Users Until 2015

Microsoft may be planning to end Windows XP support in April 2014, but Chrome is planning to help users extend their investments for a while longer. Google is going after one of its biggest competitors with a ca...

NSA chief Keith Alexander and top deputy will abdicate in coming...

The changeover could create a shift in the way the US spy agency does business.    

Hackers hit PR Newswire, data shows up alongside recently stolen Adobe...

Krebs on Security hints these aren't the only companies with hacked data on the servers.    

NSA chief tightens up retirement plans

Gen. Keith Alexander, the head of America's national spying agency, and his civilian deputy, John "Chris" Inglis, are expected to resign from their positions in the coming months. October 16, 2013 2:26 PM PDT General Keith Alexander of the Natio...

To pay off webcam spies, Detroit kid pawns $100k in family...

Video was so embarrassing, theft seemed the better option.    

Researchers uncover holes that open power stations to hacking

Hacks could cause power outages and don't need physical access to substations.    

Secret court argues (again) that it’s not a rubber stamp for...

FISC judge tells Senate Committee that the court required "substantial changes."    

Oracle Plugs 51 Java Vulnerabilities

Oracle's October Critical Patch Update tackles 127 new fixes in total across multiple software applications. Oracle is out with one of the largest patch updates in the company's history.

The Oracle October Critical Patch Update (CPU) released on Oct. 15 deals with a staggering 127 security vulnerabilities, including 51 that are specific to Java. The Oracle CPU is a quarterly update that patches Oracle's core software applications, including its database, Fusion middleware, WebLogic server and Solaris. With the October CPU, Oracle is for the first time also including Java fixes in the CPU. The Java updates in the CPU are mostly critical issues that need to be addressed by users immediately.

Eric Maurice, manager for Oracle's global technology business unit, blogged that 50 of the Java vulnerabilities fixed in this Critical Patch Update are remotely exploitable without authentication. "The maximum CVSS (Common Vulnerability Scoring System) Base Score for these Java vulnerabilities is 10.0, which denotes a complete takeover of the targeted system (down to the operating system) in instances where Java executes with administrative privileges (i.e. system privileges)," Maurice blogged.

Six of the Java vulnerabilities fixed in the October CPU were discovered by Hewlett-Packard's Security Research team. Brian Gorenc, manager of vulnerability research for the Zero Day Initiative at HP Security Research, explained to eWEEK that all of the vulnerabilities his group reported allow attackers to bypass applicable sandboxes and execute attacker-controlled code. Gorenc recommends that users update Java as soon as possible. "Remember, end users are not the only people analyzing the patches released yesterday," Gorenc said. "Attackers have likely begun reverse-engineering the patches and writing proof-of-concepts to trigger the corrected vulnerabilities."

51 Java Flaws

Having 51 flaws in a patch update might seem like a high number, but when it comes to Java, the unfortunate reality is that it's not. Wolfgang Kandek, CTO of security vendor Qualys, told eWEEK that he's not surprised by the high volume of Java flaws fixed in the October CPU. "Java updates have been big for the last year addressing 30-50 vulnerabilities, when before they were in the 10-20 range," Kandek said. "I think it reflects that both attackers and security researchers have focused much of their attention on the product."

While Java is getting 51 fixes, Oracle's namesake database is only receiving two fixes in the October CPU. Oracle's Fusion middleware is not as lucky, receiving 17 security fixes, 12 of which patch vulnerabilities that are remotely exploitable without authentication. The Oracle and Sun Systems Products Suite is being updated with 12 patches, five of which address vulnerabilities that are remotely exploitable without authentication.

The size of the overall Oracle October CPU is cause for concern for some security experts. Kandek noted that he's not certain if having the Java patches as part of the regular Oracle CPU is a good thing. "Normally I would say yes, because it is good to have as much predictability as possible, but on the other hand, the bigger the CPU becomes, the more likely IT admins will feel overwhelmed," Kandek said. "It is formally the right thing to do; let's see how it will work out workload-wise for IT."

Tyler Reguly, technical manager of security research and development for Tripwire, is somewhat less optimistic. "This quarter's October CPU serves as another reminder that Oracle needs to consider a monthly release cycle," Reguly said. "They're patching 127 issues, 51 of which apply to Java. At this point, users everywhere should be outraged that Oracle feels a quarterly patch cycle is sufficient to keep them safe."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Security Issues Frustrate Federal IT Workers: MeriTalk

Cyber-security professionals estimated that almost half (49 percent) of all agency security breaches are caused by a lack of user compliance.

Federal agencies often fail to take the user experience into account when deploying cyber-security solutions, and as a direct result, users often circumvent security measures and open up their agencies to data theft, data loss and denial-of-service attacks, according to a report from MeriTalk, a public-private partnership focused on IT. The study, underwritten by Akamai Technologies, compared what cyber-security professionals report about their agency's security with what users, in this case federal workers, actually experience. Users said cyber-security measures hinder their productivity, and as a result admit to breaking protocol.

A full two-thirds (66 percent) of users believe the security protocols at their agencies are burdensome and time-consuming, and 69 percent say at least some portion of their work takes longer than it should due to security measures. Cyber-security professionals estimated that almost half (49 percent) of all agency security breaches are caused by a lack of user compliance.

These breaches are frequent, with half of cyber-security professionals reporting they witness a breach of their agency's security policies at least once a week. The survey also revealed nearly one in five users can recall an instance where they were unable to complete a work assignment on time because of a security measure.

As a result, 31 percent of users say they use some type of security workaround at least once a week. "More security rules, more security tasks and more security delays have done little to drive more user buy-in for cyber-security," Tom Ruff, vice president public sector for Akamai, said in a statement. "Without question, federal cyber-security pros have a tough job, but they must start working with end users as partners instead of adversaries. It is a team game, and better support for users will deliver better results for security."

According to cyber-security professionals, the most challenging user applications to secure are email, external websites and the Internet from agency workstations.

These are the same tools that more than 80 percent of users rely on daily. Despite frustrations, users and cyber-security professionals agree that cyber-security should be a top priority for federal agencies. Nearly all (95 percent) of cyber-security professionals and users agree that the deployment of cyber-security measures is an absolute necessity to protect agencies from cyber-threats such as data loss, data theft and denial-of-service attacks.

The vast majority (98 percent) said keeping agency networks and data secure is everyone's responsibility. However, the report found that the activities cyber-security professionals say are the most likely to cause a security breach are the same activities where users run into the most frustrating security measures.

The top areas for cyber-security professionals' concern and users' frustration are surfing the Internet, downloading files, accessing networks and transferring files.   

Case study: Richard Branson’s Virgin Management moves to IaaS platform

Virgin Management, a management services company and subsidiary of Virgin Group, has migrated its IT infrastructure to a cloud-based infrastructure as a service (IaaS) platform to reduce IT costs and provide users with bring your own device (BYOD) capabilities.

When the company relocated its head office from Brook Green to Paddington six months ago, the IT team had an opportunity to evaluate its technology infrastructure. The team concluded that its existing infrastructure was restrictive, distributive and non-scalable. It also found that its physical infrastructure was reaching the end of its warranty period and lacked a robust disaster recovery strategy. To maintain the current infrastructure, the IT department would have to increase its operating costs and management capabilities, as well as upgrade local users’ machines and make client updates.

Desktop virtualisation

So the team started researching cloud delivery options to assess whether a virtual desktop infrastructure (VDI) strategy would help it deliver a faster, consistent and more mobile-friendly desktop to users. Virgin Management users are extremely mobile and need to access the network from company and personal devices, thin clients and tablets in any location. It therefore needed a fully flexible solution that would allow it to scale IT resources with limited upfront costs and maximum agility while providing secure “anytime, anywhere access” to data for its users, according to the IT team. The aim was to provide the company’s 200 users with a centralised, resilient and scalable platform with a disaster recovery (DR) plan and lower management costs.

Virgin Management picked infrastructure and SAP cloud application provider Codestone’s cloud-based IaaS platform, built on Dell servers, EMC SANs and VMware vSphere hypervisor technology. The cloud platform gives the company high-performance computing and reserved compute power on a shared or dedicated basis, helping it save costs. It also gained 99.99% uptime, helping to sustain multiple points of simultaneous failure without causing system downtime to Virgin Management users. The “full cloud” option has removed the need for any dedicated hardware in the company’s regional offices, as all services are delivered from the Codestone IaaS platform. The cloud platform provides Virgin Management’s users with a centralised, resilient and scalable platform via Citrix XenDesktop, with a full failover DR plan, deliverable to any device or user, expanding flexibility and reducing management costs.

Virgin Management’s BYOD strategy

To enable users of any supported device to use instant messaging, video-conferencing and IP telephony, Virgin Management’s IT team selected Codestone to implement a new Microsoft Lync server platform. Codestone helped the company migrate its Blackberry Enterprise Server to the new system for ongoing device management. The cloud IaaS platform has centralised and stabilised application deployment, enabling Virgin Management users to access their entire desktop from any device, in any location and over any connection.

“The transition has fully supported our strategy to move to a flexible working environment,” says Terrie Kennedy, IT director at Virgin Management. “There were no major disruptions to our systems during the migration of our mailboxes and enterprise vault, or during the implementation of new services such as MS Lync for our telephone systems, which was essential for the business to continue operating at the required level.”

As a result of the new mobile device strategy, Virgin Management’s data is now replicated to a resilient datacentre and key workloads are protected by VMware’s Site Recovery Manager (SRM). Codestone has also replaced the existing Dropbox solution with Citrix ShareFile, allowing users to access their files from anywhere and work on or offline. It additionally provides file-sharing capabilities for group collaboration, enables offline caching of files, and helps with auditing and reporting, which is essential to the organisation. As an additional security layer, the IT team has integrated two-factor authentication to ensure that a compromise of a user’s password alone does not compromise security. The IT team also selected fully managed support services from Codestone, as security of its global users and IT management of its central systems in the UK were the company’s top priorities.

Stable and robust IT infrastructure

The cloud and BYOD project has helped the IT team develop a stable and robust IT infrastructure and enabled it to focus more on strategy and business rather than worrying about day-to-day IT operations. The cloud IaaS platform has centralised and stabilised application deployment, enabling users to move between sites and access their entire desktop from any device, in any location and over any connection.

This has increased flexibility, reduced downtime associated with device failures, reduced costs in configuration of devices and increased the amount of time users spend connected and working.

“Our approach was designed to mitigate risk with the office move, as the platform could be built in parallel to the office refurbishment and so minimise disruption to the business by keeping all legacy systems in service during the build phase,” says Jeremy Bucknell, managing director of Codestone. “We carried out a staged approach to the cloud migration project, making it achievable in manageable steps and using a single desktop image to deliver all user applications and services,” he says.

Enterprises struggle with security challenge of BYOD, study shows

Organisations are struggling to solve the security problems created by personal devices accessing corporate data, a study has revealed. Only 32% of organisations polled have conducted security audits of the systems being accessed by employee-owned devices, according to Dimension Data's Secure Enterprise Mobility Report. In the UK, the figure was 2% lower than the global average.

Some 35% of UK organisations do not have a mobility roadmap, compared with 31% globally; only 18% of UK organisations have well-defined policies around mobility (27% globally), and only 40% of UK employees are unable to access business applications using personal devices (61% globally). The report said an alarming 90% of all survey participants said they do not have the capability to stop employees using their personal mobile devices to access enterprise systems. This suggests that IT leaders are struggling to solve the security problems stemming from supporting BYOD (bring your own device) and enterprise mobility amid an explosion of personal devices and applications accessing the network, the report said.

Dimension Data surveyed more than 1,600 IT and security professionals in organisations with more than 250 employees in 22 countries across Asia, Europe, Middle East & Africa, and the Americas. According to Matthew Gyde, Dimension Data’s group general manager for security solutions, the lack of visibility into what is sitting on the corporate network raises major data security risks for organisations. He said unknowns significantly increase the opportunity for intrusion, and only when organisations know what mobile devices are on their networks and what applications they are accessing will they be able to identify rogue devices and track new applications coming into their enterprise.

The study found that where IT departments are able to exert control to protect corporate data while managing the introduction of personal devices, many fail to do so. More than 70% of survey respondents said that their business leaders view employee use of personal mobile devices as potentially dangerous, costly and not business critical. “From a security perspective, this negative view of BYOD is understandable, considering the extent and depth of the risk has not adequately been measured against business policy,” said Gyde. “That’s because many organisations have yet to evaluate the impact of mobility beyond the device itself,” he said.

According to Tim Boyd, security solutions specialist at Dimension Data, having rogue, inadequately protected and unknown devices on the network is just one element of the risk landscape. “In addition to information security risk, server and application infrastructures are also under greater pressure as users, data and devices traverse the network,” he said. Failure to consider the entire enterprise mobility landscape has led to an assumption of risk that is often grossly miscalculated, leaving organisations exposed to financial and reputational threats, said Gyde. “Security experts should be involved in the development of an organisation’s mobility strategy, a key part of which is an audit of applications accessed by mobile devices,” he said. Boyd said that with the correct policy and measures, it is possible to support BYOD and enterprise mobility without compromising security.

Microsoft-DS no longer hackers’ top target

For the first time, Port 445, aka Microsoft-DS, is not the port that hackers target the most. October 16, 2013 6:11 AM PDT For the first time since Akamai started data-gathering in 2008, Microsoft-DS -- aka Port 445 -- is not the...