Security News

Judge denies Boston TV station’s attempt to shut down Aereo

Station "has not demonstrated a sufficient likelihood of success on the merits."    

Do not overlook the weak link in IT security

We are all aware of the threat of cyber attacks. In November 2012, the US Department of Defense identified them as one of the top five threats to national security in the coming decade. IT companies are working frantically to produce technology that is one step ahead of the enemy, and organisations are spending millions buying it. Yet one of the most vulnerable points in any organisation is still frequently overlooked: the human.

Security technology is abundant. We have chip and PIN for card payments, passwords for almost everything, firewalls to protect our data and anti-virus software that updates every day to find new ways to keep out the hackers. Most large organisations have extensive documents outlining IT security policies and usage rules. Yet few, if any, have worked out how to persuade employees to take these seriously and how to stop people from making mistakes.

Human nature introduces security risk

The first problem is that many IT rules do not take into account key aspects of human nature, such as curiosity and a profound belief that many rules are just silly. In 2011, Bloomberg reported on an experiment in which unauthorised USB drives and disks were scattered in the car parks of US government agencies and private contractors. Some 60% of the workers who found these devices plugged them into their office computers, and the figure rose to 90% when an official logo was printed on the device. All of these agencies had policies strictly forbidding the unauthorised introduction of USB devices, but the employees plugged them in anyway.

The second problem, which is unquestionably the largest, is simple human error. The highest-specification security software failed to protect GCHQ from losing 35 laptops in 2010, or to prevent Stella Rimington, the former head of MI5, from mislaying her own data-rich laptop in 2012. The list goes on: government departments, police forces, the health service. At a more mundane level, how many of us genuinely have the brain power to remember a different password for every subscription we set up, or even for every credit and debit card? On average, internet users have 25 password-protected applications to manage, but six or fewer unique passwords.

The third problem is that cyber criminals are often aware of this human vulnerability and take advantage of it by behaving like any good, old-fashioned con man. Phishing works: if you email enough people to tell them that they have been the victim of a fraud attack and that they must re-enter their security details at once, one of them is going to believe you. The unfortunate newbie on the IT helpdesk may be intimidated by a cross-sounding “senior manager” into revealing passwords without following the official authorisation procedure, just as the receptionist may be tricked by a convincing “customer” on the phone.

Security is a shared responsibility

We need to take some of the blame. Too often, communication between the IT department and the rest of an organisation is less than perfect. Yes, the geeky techie unable to cope with people is a ridiculous stereotype, but there is perhaps a grain of truth in it. In the IT industry we want to believe that a technical problem will have a technical solution, and we really do not want to have to explain it all to someone who probably will not understand the details anyway. The rest of the organisation would just like the IT department to sort it all out so that it works with as little hassle as possible. This gap has to close.

A survey published in April of this year on behalf of the Department for Business, Innovation and Skills revealed that, although 36% of the worst information security breaches in business are due to inadvertent human error, 42% of large organisations do not provide any ongoing security awareness training for their staff. Without it, it is hopeless to expect employees to grasp the importance of adhering to inconvenient procedures or creating unmemorable passwords.

People are at the heart of any security policy. They have to know what the real risks are, what the consequences might be, and what sensible precautions they should take to minimise them. They also need to understand the limitations of IT. This is not just the responsibility of the IT department: it is down to the senior management team to ensure that everyone, from the cleaner to the marketing director, is properly briefed, and that security procedures are proportionate and realistic. There has to be a balance between the IT department’s desire for an inviolable password policy and the reality of making it work in practice.

The term “social engineering” is sometimes used by the industry in this context, but it is really much simpler than that. Just talk to the users.

Andrew McLean is the chief executive officer of security firm AppLayer. This was first published by ComputerWeekly.com in October 2013.

Google pays coders to improve open-source security

A new program aims to build deeper security mechanisms into open-source software. Perhaps it will keep security experts from contracting with nefarious hackers or the NSA instead. October 10, 2013 2:36 AM PDT Pushed both by corporate desires fo...

Google to reward open source security fixes

Google has announced plans to reward developers for proactive security improvements to select open source projects. Initially, these include core infrastructure network services such as OpenSSH, core infrastructure image parsers such as libjpeg, the open source foundations of Google Chrome, high-impact libraries such as OpenSSL and security-critical components of the Linux kernel.

The internet firm said the initiative aims to improve the security of key third-party software critical to the health of the internet, and that the reward scheme complements and extends its long-running vulnerability reward programmes for Google web applications and Google Chrome.

The new scheme offers rewards of between $500 and $3,000 for any patch that has “a demonstrable, significant, and proactive impact” on the security of one of the in-scope projects. Adjudicators will be looking for things such as improvements to privilege separation, memory allocator hardening and the elimination of error-prone design patterns. Reactive patches that merely address a single, previously discovered vulnerability will not be eligible for rewards.

To qualify, patches must first be submitted directly to the maintainers of the project, and developers must work with them to have the patch accepted into the repository and incorporated into the program.

Google decided against creating a bounty programme for finding bugs in open source code because of fears of being overwhelmed by “spurious traffic”, said Michal Zalewski of Google's security team. “We decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug,” he wrote on Google’s security blog.

Although Google has limited the scope of the qualifying open source projects to begin with, the firm plans to extend the initiative to web servers such as Apache, SMTP services such as Sendmail and virtual private network software such as OpenVPN.
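To make the “privilege separation” category above concrete, the snippet below is an added illustration from this page's editor, not code from Google's programme or from any of the in-scope projects. It assumes a POSIX system and a hypothetical drop_privileges() helper of the kind a network daemon would call right after binding its privileged port; the uid/gid 65534 used when the demo is run as root is an assumption about the local “nobody” account. The point a reviewer would look for in such a patch is not just that privileges are dropped, but the order (groups, then gid, then uid), the use of setuid() rather than seteuid() so the saved set-user-ID is cleared too, and a check afterwards that root cannot be regained.

```c
#include <errno.h>
#include <grp.h>       /* setgroups() on Linux */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>    /* setgid/setuid/getuid...; setgroups() on BSD/macOS */

/*
 * Hypothetical helper (not from any in-scope project): permanently drop
 * root to the given uid/gid and verify that the drop took effect and cannot
 * be undone. Returns 0 on success, -1 with errno set on failure.
 *
 * The order is the whole point: supplementary groups can only be cleared
 * while still root, the gid must go before the uid (an unprivileged process
 * can no longer switch to an arbitrary group), and setuid() rather than
 * seteuid() is used so the saved set-user-ID is changed as well.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;          /* a non-root caller has no groups it may clear */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Check that real and effective ids both changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* Check that root cannot be regained: had a saved set-user-ID of 0 been
     * left behind (seteuid() instead of setuid()), this setuid(0) would
     * succeed and the "drop" would be cosmetic. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Demo: a daemon would call this right after binding its privileged port.
 * When run as root it drops to 65534 (assumed here to be "nobody"); when run
 * unprivileged it keeps the caller's own ids, which still exercises the
 * verification path including the refused re-escalation. */
int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (uid == 0) {
        uid = 65534;
        gid = 65534;
    }
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %ld gid %ld; re-escalation refused\n",
           (long)getuid(), (long)getgid());
    return 0;
}
```

Run it once as root and once as an ordinary user: in both cases the final setuid(0) is refused, which is the property a privilege-separation patch should demonstrate rather than assume.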

Blackhole and Cool exploit kit suspect arrested

Russian police have arrested a man suspected of creating the Blackhole and Cool exploit kits, which enable criminals with little technical knowledge to create, distribute and manage malware. Russian authorities have not confirmed the details, but IT security firms have reported a decline in the use of both kits, according to the BBC. Sources in the security industry also say that the kits’ daily updates have come to a halt.

First released in 2010, the Blackhole kit is among the most popular exploit kits available to cyber criminals, costing just $1,500 a year or $200 a week and coming with online support. The web-based application has typically incorporated the latest exploits, including several zero-day or near zero-day exploits. The kit enables criminals to exploit a range of vulnerabilities in Java, Adobe’s Flash media player, Adobe Reader and Microsoft Windows software to install malware designed to extort money, steal financial records, record keystrokes and hijack PCs for use in botnets.

Independent security analyst Graham Cluley said that if it turns out to be true that the creator of Blackhole and Cool is under arrest, it is a “real coup” for cyber crime-fighting authorities. “Hopefully [the arrest] will cause disruption to the development of one of the most notorious exploit kits the web has ever seen,” he wrote in a blog post. However, Cluley said it was worth remembering that nature abhors a vacuum, and there would surely be other online criminals waiting to take the place of Blackhole and Cool.

PayPal: You Can Trust Mobile Security–Really

A new PayPal-sponsored study shows where the gaps are in mobile security, and one exec refutes industry hype about mobile malware.

Are mobile devices actually safe? That's the question a new PayPal and National Cyber Security Alliance study is aiming to help answer. The study, based on a survey of 1,000 U.S. adults about their views on mobile device security and usage, shows where the shortfalls are in mobile security.

Nearly two-thirds (63 percent) of respondents did not actually know what types of financial data are stored on their own mobile devices, Andy Steingruebl, director of ecosystem security at PayPal, told eWEEK. Nearly half the survey respondents were nervous about losing their devices and whatever data might be on them, he added.

While respondents were concerned about device loss or theft, Steingruebl noted that most users aren't taking even the most basic steps to actually protect their devices. More than half the survey respondents admitted to not using any type of device lock, Steingruebl said. Nearly all mobile devices on the market today offer some form of screen-lock functionality. The screen lock can be a PIN, a lock pattern or, in the case of the Apple iPhone 5S, a fingerprint.

"So the disconnect is that more than half of people are worried what happens if their device gets stolen, yet roughly that same percentage aren't doing one of the easiest things they should be doing to keep themselves protected," Steingruebl said.

As to why most people don't set up a screen-lock PIN, Steingruebl said it's all about convenience. "Most people don't want to constantly be typing a passcode into their device," Steingruebl said. That's why he recommends making the passcode approach easier through the use of biometrics, like fingerprints.

Threats

Despite the constant stream of reports about mobile, particularly Android, malware becoming an increasing problem, Steingruebl doesn't see mobile malware as an impediment to mobile device adoption and use. "The threat is vastly overstated," Steingruebl said. "The actual prevalence of mobile malware on people's devices is actually quite low."

One practice often cited as a mobile best practice is not allowing users to root their phones. By "rooting" a phone, the user gets full administrative access to the device, which could potentially enable some form of malware to infect it. While Steingruebl doesn't necessarily encourage users to root their devices, he suggests that it's not entirely evil either.

"On a traditional desktop or laptop platform, you could always install any application you wanted that could access any of your data, and we've kept our consumers safe on that for many years now," Steingruebl said. "While you can stay safer if you don't root your device, I don't want to say it's the be-all and end-all, since we already live in that world with desktops, and we do a pretty good job of keeping people safe there."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Google offers “leet” cash prizes for updates to Linux and other...

Rewards designed to improve security of software critical to Internet's health.    

‘Hackproof’ Quasar IV Android smartphone gets the go-ahead

A company claiming to make the most secure smartphone software on the market announces that it's on schedule to make the phones for real. by Jessica Dolcourt October 9, 2013 3:12 PM PDT The self-funded Quasar IV "cipherphone" promises to rebuff hack...

Cisco Execs: Sourcefire Deal Bolsters Security Portfolio

As the tech vendor closes the $2.7 billion Sourcefire deal, Cisco officials say it gives their firewall and intrusion-detection capabilities a boost.

Cisco Systems’ $2.7 billion acquisition of cyber-security company Sourcefire on Oct. 7 could significantly boost its growing security business, a key part of the tech vendor’s efforts to expand beyond its networking roots to become an enterprise IT solutions and services provider. The deal, which was first announced in July, came several months after the company’s purchase of Cognitive Security in January. Deals like these are not new to Cisco, but company executives have been vocal about the significance of the Sourcefire buy.

The deal greatly expands Cisco’s capabilities in areas such as next-generation firewalls, next-generation intrusion-prevention systems and advanced malware protection, according to Bret Hartman, chief technology officer of Cisco’s Security Group. It also dovetails with Cisco’s efforts to expand its reach throughout the data center.

“The goal that [Cisco CEO] John Chambers has stated is for Cisco to be the number-one IT company,” Hartman said in an interview with eWEEK. “Security is a very crucial component, and enterprises expect that. … You can’t be considered a credible [IT vendor] without this security.”

Security concerns should only increase as more devices and systems become connected to the Internet and more workloads find their way into the cloud. Hartman said that what companies are looking for are flexible and simple security solutions that protect them from the edge to the data center, which Sourcefire will enable Cisco to deliver.

Cisco has been aggressive over the past year in building up its security capabilities. The company in 2012 hired Hartman, who at the time was CTO at RSA Security, the security division of storage giant EMC. In January came the Cognitive acquisition, which brought with it a real-time behavioral analytics solution that Cisco has been integrating with its cloud-based global threat intelligence technology. These changes may help enhance security in distributed networks and reduce cyber-threats, both crucial capabilities at a time of increasing cloud computing and mobility.

With Sourcefire, Cisco is gaining security technologies that complement what it already offers with little overlap, Hartman said. The first step will be to integrate Sourcefire into Cisco and to begin moving the products closer together. Customers should immediately be able to access Sourcefire products through Cisco, but enterprises will see tighter integration between Sourcefire and Cisco solutions over the next few months, he said. For example, Cisco will continue developing both its ASA firewall technology and the FirePower platform from Sourcefire, looking for ways to incorporate both in future security solutions.

The result will be a wider range of security capabilities for Cisco, according to Chris Young, senior vice president of Cisco’s Security Group. “The single network perimeter has been replaced by a constantly morphing set of users, locations, access methods and devices, creating the dual challenge of defending a dynamic perimeter and creating a near infinite number of points of vulnerability,” Young wrote in a post on Cisco’s blog. “To address these customer concerns, Cisco will provide a deep and broad portfolio of integrated solutions that deliver unmatched visibility and continuous advanced threat protection across the entire attack continuum, allowing customers to act smarter and more quickly—before, during, and after an attack.”

Critical WhatsApp crypto flaw threatens user privacy, researchers warn

Messages sent over Wi-Fi and other public channels can be decrypted using known methods.    

Chelsea Manning speaks from prison for the first time, rejects “pacifist”...

In new two-page letter, famed leaker writes: "I'm a transparency advocate."

Alleged Silk Road boss agrees to move his case to New...

Ross Ulbricht's lawyer says his client will make his case for bail once in NYC.