Wednesday, December 13, 2017

Accused Zuckerberg scammer is AWOL; only ankle bracelet found ahead of...

Marshals went to check on Paul Ceglia and discovered he had vanished.

‘Regardless of how good your security is, you’re going to get...

'You’re going to be susceptible to your weakest link, which is your people,' Dan Lamorena, senior director in HP Enterprise Security group tells Computing

Apple Patches FREAK, Fixes Other Vulnerabilities

The FREAK SSL/TLS vulnerability and four other issues get patched in Mac OS X security update.

While many Apple watchers were busy learning about the new Apple Watch on March 9, the company was busy patching its existing products. Apple released Security Update 2015-002, fixing five vulnerabilities in the Mac OS X operating system. The company also released iOS 8.2, which provides users with Apple Watch capabilities, as well as six security updates.

The most notable of the updates is one for the so-called FREAK vulnerability (Factoring attack on RSA-EXPORT Keys) that was first publicly disclosed on March 3. In Apple's security update, the fix for FREAK is identified as an update for Apple's Secure Transport mechanism. The FREAK flaw fix is included in both the OS X and iOS 8.2 security updates.

"Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites," Apple warned in its advisory. "This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys."

In addition to the FREAK fix, there are two patches for vulnerabilities that were reported to Apple by way of the Google Project Zero research effort. One of those issues is identified as CVE-2015-1061 and is a vulnerability in the IOSurface framework that affects both iOS and OS X. The impact of the flaw could have potentially enabled a malicious application to execute arbitrary code. Google Project Zero is also credited with reporting CVE-2015-1066 in the IOAcceleratorFamily component in OS X, which also could have potentially led to arbitrary code execution.

Additionally, the Mac OS X kernel is getting patched for a vulnerability identified as CVE-2014-4496 that could have allowed malicious applications to determine addresses in the kernel. "The mach_port_kobject kernel interface leaked kernel addresses and heap permutation value, which may aid in bypassing address space layout randomization protection," Apple warned in its advisory.

Both OS X and iOS are also being patched for a vulnerability in the iCloud Keychain, which is a feature that is used to safely store usernames and passwords. "Multiple buffer overflows existed in the handling of data during iCloud Keychain recovery," Apple warned. "These issues were addressed through improved bounds checking."

iOS 8.2 also includes a patch for a flaw in the CoreTelephony library identified as CVE-2015-1063, which could have potentially enabled a remote attacker to trigger an iOS device to restart after receiving a malicious Short Message Service (SMS) text. Another fix is in the MobileStorageMounter component in iOS 8.2, which is being updated to protect against the CVE-2015-1062 vulnerability that could have potentially enabled a malicious application to create folders in trusted locations in the file system.

The last security patch in the iOS 8.2 update is for the CVE-2015-1064 vulnerability that impacts the home screen on iOS devices. "A person with physical access to the device may be able to see the home screen of the device, even if the device is not activated," Apple warned.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Security professionals look to workload security in the cloud

Information security professionals are moving away from perimeter-based security models to support adoption of cloud-based services, a study has revealed. Nearly two-thirds of the 1,000-plus LinkedIn Information Security Group members polled said that moving focus to the workload is at least somewhat effective, according to the first LinkedIn Cloud Security Spotlight Report.

This finding confirms the shift from focusing on attack prevention and perimeter security towards advanced data protection methods such as encryption, the report said. Some 68% of respondents said perimeter-based security is not the whole answer to securing cloud infrastructure, according to the report, commissioned by security firm CloudPassage. Only 15% believe perimeter-based security is effective in the cloud, while 18% said they are not sure.

The increasing frequency and success of attacks bypassing the network perimeter and the fact that corporate data is increasingly residing outside of the perimeter underscores the need for additional layers of defence, the report said. Encryption of data at rest (65%) and in motion (57%) tops the list of most effective security controls for data protection in the cloud. This is followed by access control (48%), intrusion detection and prevention (48%) and security training and awareness (45%).

The study confirmed that while there is broad cloud adoption by organisations seeking to cut costs and increase agility, security remains a top concern. Some 71% of all respondents said they are investing in cloud infrastructure, 77% are investing in public cloud services and 71% are investing in hybrid cloud models, but 90% said they have moderate to severe security concerns regarding their cloud deployments. For most security professionals, protecting cloud-based applications and systems remains a major concern and a critical barrier to faster adoption of cloud infrastructure.

General security concerns (45%), data loss and leakage risks (41%) and loss of control (31%) continue to top the list of barriers holding back further cloud adoption. When asked to name the most important factor for protecting cloud infrastructure, 60% of respondents said “consistency across IT infrastructure” and 58% said “continuous protection”. To address companies’ security needs when moving to the cloud, partnering with managed service providers ranks highest (34%), followed by using security software (33%) and adding IT staff to deal with cloud security issues (31%).

The number one method of closing the security gap for cloud computing and building confidence in cloud cited is the ability to enforce consistent, continuous security policies. This was followed by application programming interfaces (APIs) for reporting, auditing and alerting on security events (45%) and effective mapping of security controls for internally hosted applications to the cloud infrastructure (41%). Next came the isolation or protection of virtual machines (39%) and the ability to compare security levels across cloud providers (38%).

“This cloud survey represents a first glimpse into exactly what types of concerns are keeping security professionals up at night,” said Holger Schulze, group founder of the Information Security Community on LinkedIn. “It’s clear from the survey results that a vast majority of organisations are investing aggressively in cloud computing technologies, while at the same time have not figured out the complete security model to give them continuous, consistent protection in these environments,” he said.

But the results of the survey also show that a broad range of security professionals know what to do to protect investments in cloud infrastructure, said Carson Sweet, chief executive of CloudPassage. “They are seeking to deploy continuous, consistent security policies,” he said.

Drones – taking off or staying grounded?

Consumer and commercial operators unveiled a panoply of unmanned flying devices at the CES conference in Las Vegas in January. From advanced parcel carriers to machines designed to fit in the palm of your hand, drones took centre stage. Remotely piloted aviation systems (RPAS), or drones, open up the skies like never before, enabling businesses to profit from inexpensive and easy-to-use technology to make their operations more efficient. But while excitement grows in anticipation of potential mass adoption of drones, the industry has to overcome hurdles in the form of regulation.

Journalists were early adopters of drones. RPAS enable them to capture unfolding political or environmental events from a position of safety, delivering an objective perspective never seen before. Most drones are therefore now fitted with high-resolution cameras and other pieces of sophisticated data-capture equipment, allowing them to collect a huge amount of personal visual data. Naturally, this has led to serious concerns that individual privacy will be jeopardised.

Yet EU regulators have not yet considered this privacy issue to be worthy of new legislation. In October 2014, a large number of the representative National Ministers for Transport and Infrastructure expressed the view that existing data privacy laws were sufficient, with the Data Protection Supervisor confirming that RPAS have to obey the existing European data protection framework. Journalists, for instance, may not publish in the media any personal data collected through a drone, unless it is directly in the public interest.

National security

The matter becomes more urgent when discussing questions of national security. When does an unidentified flying device become a terrorist threat? Given the current tense political climate, there are growing calls to regulate and monitor the use and users of drones to minimise the risk of criminal or terrorist activity.

Eyebrows were raised last year when mysterious objects were spotted hovering above French nuclear power plants. Neither the offending drones nor their pilots could be identified. Regulators currently see the most viable option to be the introduction of an air traffic management system for smaller craft, monitoring all 4D trajectories. Although challenging to manage, this would force both manufacturers and individual users to adhere to incoming legislation, and would pave the way for the identical treatment of manned and unmanned vehicles.

Personal safety

Regulators also realise the need to make drones safe to use, both for pilots and the general public. This safety-first approach means that drones will soon be forced to exhibit an equivalent level of safety to manned aviation operations through internationally adopted rules. Nevertheless, this will always be challenging to implement. Some have suggested that traditional airworthiness certifications and pilot licensing should be complemented by forms of light-touch regulation and, in some cases, the mere identification of civil drone operators could be sufficient. Whatever happens, it will provide food for thought both for manufacturers and prospective users, because they will be required to know how, and to what extent, they are liable for the use of their products.

State of play

So what is the current state of play? Drone regulation remains governed by the restrictive aircraft regulation of individual EU member states. About 10 states have introduced limited regulation enabling the use of commercial drones, but flights must be conducted at an altitude below 100 metres, the drone must weigh less than 25kg and the operator must be in sight of the machine. However, the European Commission has now expressed its intention to develop common rules that should progressively replace national law from 2016 onwards, eventually allowing for more flexibility in commercial use and pan-European operations.
But there remain concerns that technological advances will progress at a faster pace than the regulators. It is vital that this does not happen, from the standpoint of both business development and international security.

Christoph Wagner is a partner at Morrison & Foerster and co-chair of the firm’s global media group.

This was first published in March 2015

IT security still immature, says HP security exec

Enterprise IT security is still relatively immature, according to HP enterprise security group senior director of products and services marketing, Dan Lamorena. “The latest HP Cyber Risk Report shows that most organisations are still not achieving basic IT security hygiene,” he told Computer Weekly. Lamorena is in London to discuss the findings of the report at the 2015 e-Crime & Information Security Congress.

According to the report, most businesses that experienced a cyber security incident in 2014 were hit with well-known security threats and system configuration faults. In fact, the top 10 threats in 2014 exploited known weaknesses in systems implemented years or even decades ago, and 44% of breaches were linked to vulnerabilities that were between two and four years old.

“This shows these old techniques still work, and that is because many organisations are still failing to patch systems to ensure they have the latest security updates,” said Lamorena. “Patching is not easy, especially in decentralised networks, but organisations should be paying more attention to these basics.”

Commenting on the recent spate of compromises of point-of-sale systems at US retailers, Lamorena said many of these vulnerabilities could have been eliminated through better patching processes. “Retailers should be re-evaluating their encryption policies and systems configurations, and improving their monitoring capabilities in the light of recent breaches,” he said.

However, Lamorena said HP is seeing a lot of retail organisations looking to overhaul their card payments systems and set up some form of security operations centre. “Even smaller organisations are realising the need for improved monitoring of operations, even if that is in the form of a managed service,” he said.

Another exacerbating factor is that, instead of investing in basics such as system management technologies, companies are focusing on cloud computing, mobile computing and online apps. “Many organisations also still tend to see IT security as the people who say no and they consider security as a cost or insurance that often hinders the business,” said Lamorena.

The report identified misconfigurations of web servers as the top category of vulnerabilities in 2014, providing attackers with unnecessary access to files that leave organisations vulnerable to attack. “This includes things like cross-site scripting and SQL injection attacks, which are all enabled by configurations that give apps access to more files and folders than necessary,” said Lamorena.

By tightening configurations on web servers, he said organisations can reduce the number of avenues of attack, thereby raising the overall security posture of the organisation. Exploitation of web server misconfigurations underlines the value of using standard builds and automatic provisioning to ensure everything is done in a standard way according to best practice.

“Routine penetration testing is also extremely helpful in ensuring that there are no weaknesses in web server configurations that have been overlooked,” said Lamorena. “But all the best security technologies in the world will not help if organisations are not getting the basics right – it is still very much about aligning people, process and technology,” he said.

Organisations should not neglect users in security strategy

According to Lamorena, organisations should not neglect users in their security strategy, and should provide as much security training as possible to reduce user error and encourage users to report anything suspicious to IT security teams. “Users are often the weakest link, and with all the information people are putting on social media, it is getting easier for attackers to compromise credentials to get around traditional perimeter defences,” he said.
Overall, HP is advocating that organisations seek to improve their security capabilities by assuming they have been breached. “In the past, organisations have tended to over-invest in technologies to block adversaries, but now they should be investing in monitoring their IT environments,” said Lamorena. “It is useful for organisations to know who is using apps and consuming data so that they can identify anomalies even if attackers are able to steal administrator usernames and passwords.”

Lamorena said that by assuming they will be breached, organisations are also more likely to monitor their networks and protect data more closely through using technologies such as encryption. “Organisations have tended to shy away from encryption in the past, but the technology has evolved to enable companies to analyse and manipulate data even though it is encrypted,” he said.

As well as a move to greater network visibility and monitoring, HP expects the IT security industry to move to greater collaboration around identifying threats and bad actors. “We are looking at enabling the concept of crowdsourcing security intelligence through the use of open standards to make it easier to share what we are seeing with our peers,” said Lamorena. “The security industry is still largely made up of point tools, but we expect to see greater integration and interoperability to enable more automated responses and a better view of threats and bad actors.”

One apartment complex’s rule: You write a bad review, we fine...

Windermere Cay's "Social Media Addendum" claimed copyright of tenants' photos, too.

Zylpha Partnership With LDM Global Unites eDisclosure And Electronic Bundling Solutions...

Zylpha (www.zylpha.com), the UK's leading legal systems innovator, has signed a partnership agreement with international eDisclosure group LDM Global (www.ldmglobal.com). The resultant fusion of eDisclosure services and court bundling solutions will pr...

Piper continues smart home innovation with the introduction of Piper nv

Piper nv boasts 180-degree night vision, the widest field of view on the market, and advanced camera resolution

London, 10th March 2015 - Icontrol Networks, a leader in connected home technology and innovation, today announces general availability in Europe for Piper nv, the only security system that can be easily tailored to what matters most. Building on the launch of the original Piper last year, the all-in-one home security, video monitoring and automation device has been engineered for reliability and built frustration free, making it easier than ever to connect via mobile device for peace of mind.

Over the last year, Piper has ushered in a new approach to home monitoring, security and automation and continues to deliver users a new and smart way to interact with their homes. With the DIY smart home market projected to reach $7.8 billion in the US alone by 2019, according to NextMarket Insights, the connected home is becoming more easily accessible to consumers than ever before and Piper continues to be at the forefront of the movement with Piper nv.

In addition to the already comprehensive Piper feature set, Piper nv boasts:

Night Vision: Featuring the widest field of view available in the market, Piper nv's 180-degree day/night vision offers a clear and complete view of your home no matter the time of day. Night vision kicks in automatically once the room starts getting dark.
Advanced camera resolution: The 3.4 megapixel camera sensor ensures you don't miss any details!

"Being aware of events in your home has never been easier with Piper," said Russell Ure, creator of Piper and an executive vice president and GM at Icontrol Networks. "Piper nv provides homeowners with unsurpassed visibility into their homes and ensures places and loved ones are always protected and safe. It sets a new standard for the optimal video experience in the smart home marketplace."

Piper has been recognised for its innovative technology and broad consumer appeal, and is powered by Icontrol Networks, a leader in the connected home marketplace. In addition to night vision and advanced camera resolution, Piper nv has been designed for maximum customisation and includes the core Piper features:

Security: Customise three security modes (home, away and vacation), motion detector and piercing, 105-decibel siren.
Automation: Integrate Z-Wave accessories into Piper's security modes, control them remotely, on a schedule, or using environmental data.
HD Panoramic camera: 180° fisheye lens, electronic pan, tilt, and zoom, 1080p camera sensor.
Customised alerts: Phone call, text message, email, and push notifications to users and their trusted circle when security rules are triggered.
Environmental sensors: Monitor and control home temperature, humidity, ambient light and sound.
Elegant Design: Simple, intuitive app. Stunning, compact, two-toned form with brushed metal legs.
Smart Hardware: ARM processor, battery backup, internal memory for video storage, 802.11b/g/n Wi-Fi.
Android & iOS support: Available on Android and iOS smartphones and tablets.
Two-way audio: Talk directly to occupants through Piper through its app on your mobile device.
Multi-Piper functionality: Support up to five different Pipers within a home so you always have visibility and control over your different spaces.
Bedside mode: Featuring an active panic button, Bedside mode lets users manually turn on a siren in case of an emergency. Easy to reach and quick to access for fast action, users can now set Piper to Bedside mode before going to sleep for a more secure environment at night.

Piper nv can now be purchased at getpiper.com starting at €299.00 (£217.00) and Piper will continue to be sold for €199.00 (£145.00)*. The free Piper application is also available for download in the iTunes App Store and in the Google Play Store.

Notes to editors
GBP prices based on 1 Euro equaling 0.73 GBP.

About Piper
Piper was created by Russell Ure, and made available through Blacksumac, a company Russell co-founded with John Criswick in 2012. Blacksumac and the Piper brand were acquired by Icontrol Networks in April 2014.

About Icontrol Networks
Icontrol Networks' vision is to provide a connected home solution for every household, so people worldwide spend less time managing their lives and more time living them. Icontrol is making the connected home a reality through its software platforms, which are deployed by home security companies and service providers, and the all-in-one Piper home security, video monitoring and automation device for consumers. Icontrol is further pioneering the next generation of connected living through its OpenHome™ Developer Program, the first community for application and device makers to partner on a common platform. Venture investors in Icontrol include Charles River Ventures, the Kleiner Perkins Caufield & Byers iFund, and Intel Capital, with strategic investments from a variety of service providers including ADT, Comcast Ventures, Comporium and Rogers Communications. For more information about Icontrol Networks and Piper visit icontrol.com and getpiper.com.

Contact Information
Finn Partners for Piper
James Rowe
James.rowe@finnpartners.com
+44 (0) 207 655 0403

Source: RealWire

Revealed: CIA plot to break Apple iPhone and iPad security –...

The US Central Intelligence Agency (CIA) has been running a sustained campaign to break the security of Apple iPhones and iPads, according to new documents from the trove leaked by National Security Agency (NSA) whistleblower Edward Snowden.

The CIA even ran its own conference, called the Jamboree, sponsored by the CIA's Information Operations Center, which carries out covert cyber attacks, where attendees shared their strategies and tips for exploiting security flaws in a range of electronic devices - with the first Jamboree held in 2007, a year before Apple's first iPhone was released.

The documents, revealed today in a report by The Intercept, indicate that the CIA was keen not just to crack the security of popular smartphones and other communications devices, but to uncover flaws in a wide range of electronic devices and to devise exploits that they could use. However, the popularity of Apple's iPhone quickly made it the CIA's number one target. Its aim was to break the devices' encryption in order to gain access to data held on the devices.

"Studying both 'physical' and 'non-invasive' techniques, US government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple's encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption," claims The Intercept.

It continues: "The security researchers also claimed they had created a modified version of Apple's proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple's App Store."

Apple Mac computers were also targeted, with the CIA claiming to have successfully modified the OSX update in order to install keystroke loggers onto Mac desktop and laptop PCs. The subversion of the updater app is potentially highly damaging and raises the question of whether it - and similar applications, such as Microsoft's Windows Update - have been, or could be, compromised in a similar way.

Other presentations at the CIA conference have focused on the products of Apple's competitors, including Microsoft's BitLocker encryption system, which is used widely on laptop and desktop computers running premium editions of Windows, claims The Intercept.

Both Apple and the CIA declined to comment on the story. Security researchers, though, were critical over the lack of detail provided by the reports. Ken Westin, a senior security analyst at Tripwire, said that it would be naïve to think that such programmes don't exist: "The story provided by The Intercept unfortunately does not tell us a whole lot that most security researchers did not already know or assume. The one document that The Intercept provides only reveals the existence of a CIA-sponsored event where security researchers met to discuss methods and techniques to compromise Trusted Computing systems.

"The article also mentions that the documents they have do not show any evidence of actual successful compromise or active exploits. There have been a number of similar programmes such as the NSA's Dropout Jeep where the goal was to find ways to compromise devices. I think it is a bit naïve to think that these types of programmes don't exist either by the US government or other government agencies for that matter.

"The question arises, however, if vulnerabilities were discovered that were not disclosed to Apple or other companies whose systems were potentially exploited, this is where the definition of security research and high-tech espionage diverge," said Westin.

The new revelations follow claims that the NSA has been subverting hard-disk firmware in order to plant malware that is both difficult to detect and hard to eradicate from people's PCs.

How small cable companies say they get screwed by their larger...

Small cable operators have to pay the big ones for access to TV programming.

Courion Explores How to Identify and Remediate Access Risk in March...

Courion to Discuss How Continuous Monitoring is Made Possible Through the Use of Identity and Access AnalyticsLONDON, UK, 10th March 2015 - Courion, a leading provider of intelligent identity and access management (IAM) solutions, today announced that ...