Thursday, December 14, 2017

Tag: software

Adults ages 50 to 75 are overconfident in their tech skills but not as careful as they should be regarding security and social media use, a new study shows. Adults ages 50 to 75 are spending a great deal of time online these days—an average of five hours a day, a new study shows. However, their confidence in their use of technology may be causing them to overlook crucial security measures, according to a survey from security specialist McAfee. Some 88 percent of participants consider themselves equally or more tech-savvy compared with others their age, according to the report titled "Fifty-Plus Blooms Online." About 80 percent of smartphone users and 43 percent of tablet users post mobile photos online. Somewhat surprisingly, 24 percent admit to using their devices to send personal or intimate messages in the form of text, email, or photo messages. Despite this, 33 percent of smartphone users and 38 percent of tablet users admit to having no password protection on their devices to safeguard these private conversations from reaching the public. Worse still, while 93 percent say their laptops and desktops have updated security software, only 56 percent of smartphone users and 59 percent of tablet users say their devices are protected from viruses and malware. Baby Boomers' comfort with using the Web is also leading them to other risky behavior online when using social media, and they are exposing themselves to reproach and dangerous security risks, including sharing personal information with strangers. "The use of social networks among people 50-plus is trending now that it’s become more commonplace across all age groups," Michelle Dennedy, vice president and chief privacy officer at McAfee, said in a statement. "It seems counterintuitive that sharing personal information with strangers would not concern them, however.

This further highlights their need to better understand the difference between the real and perceived dangers online and how to best protect themselves." Overall, 57 percent of respondents said they have shared information or posted personal information online.

This includes 52 percent who have shared their email addresses, 27 percent who have shared their cell phone numbers and 26 percent who have shared their home addresses. The survey also indicated the 50-plus group is also feeling the effects of social media angst: Eight in ten use social media networks, 36 percent of which log in daily, opening the doors to the possibilities of social media drama. Sixteen percent admitted to experiencing negative situations while logged into their social media accounts.

These rifts lead to 19 percent of claims that the incident was severe enough to end a friendship. Other results from those who had negative experiences include inappropriate posts from friends (23 percent) and having a fight with a friend, spouse or partner (9 percent).  
The new "Reset Browser Settings" controls allow users to regain control of their browser if malicious apps change settings without permission. Google has added a reset button in the latest updates for its Chrome Web browser to help users recover their browser settings when malicious apps load themselves and add toolbars or new settings or make other undesired changes. "Online criminals have been increasing their use of malicious software that can silently hijack your browser settings," wrote Linus Upson, a Google vice president, in an Oct. 31 post on the Google Chrome Blog. "This has become a top issue in the Chrome help forums; we're listening and are here to help." The problem most commonly occurs when online miscreants "trick you into installing and running this kind of software by bundling it with something you might want, like a free screensaver, a video plugin or—ironically—a supposed security update," wrote Upson. "These malicious programs disguise themselves so you won't know they're there and they may change your homepage or inject ads into the sites you browse. Worse, they block your ability to change your settings back and make themselves hard to uninstall, keeping you trapped in an undesired state." To help users take that control back if their Chrome browser is hijacked in the future, Google has added a "reset browser settings" button in its latest Chrome update.

The reset button "lets you easily return your Chrome to a factory-fresh state," wrote Upson. The reset button can be found in the "Advanced Settings" section of Chrome's settings page. Google's Chrome team has also made another security change to help protect users by automatically blocking downloads of malware as they are detected by Google, wrote Upson.

A blocked download will issue a message on the user's screen advising him or her of the situation.

The message will give the file name of the malicious application that is trying to download and then will tell the user that Chrome has blocked it, according to Upson. The new reset button and automatic malicious download blocking are more tools that Google is using to help protect online users from fraud, hijackings and other problems, wrote Upson. "This is in addition to the 10,000 new websites we flag per day with Safe Browsing, which is used by Chrome and other browsers to keep more than 1 billion web users safe. Keeping you secure is a top priority, which is why we're working on additional means to stop malicious software installs as well." In October, Google announced that it is testing new parental controls in the latest beta version of Chrome.

The new beta Chrome browser includes settings that now allow parents to designate their youngsters as "supervised users" so they can oversee their browsing and other online activities.

The beta browser version is being refined as the next eventual stable release of the open-source Web browser. In September, the Chrome browser celebrated its fifth birthday. Launched in 2008 as a desktop or laptop application, Chrome today is widely used as a mobile browser on many different devices by users to browse the Web and conduct searches whether they are at home, at work, traveling or vacationing. Chrome has had quite a ride since its birth. In June 2012, it surpassed Microsoft's Internet Explorer as the world's most used browser for the first time, and it added lots of useful features over the years to encourage even more users to adopt it. Earlier in October, Chrome's latest iteration, Version 30, was released and included some 50 security patches and fixes, as well as easier search capabilities for finding images. In September, Google announced that the Chrome Web browser will no longer work with a series of older, formerly popular Netscape-era Web browser plug-ins starting in January 2014, as the company works to shed the plug-ins to make its modern Chrome browsers even more reliable.

The benefit of such a move will be that users will experience fewer glitches and crashes.

The Netscape Plug-in API (NPAPI) had ushered in an early era of Web innovation by offering the first standard mechanism to extend the browser, according to Google.

The move is being made now because NPAPI isn't used or supported on mobile devices, which includes a rapidly growing segment of Web users, and because the Mozilla Foundation is also planning to block NPAPI plug-ins in December 2013.
Security researchers poke holes in Obamacare sites and expect them to be juicy targets for attackers. The Obama administration hasn't had the easiest of times in the rollout of its Affordable Health Care for America Act (commonly referred to as Obamacare) and its associated Websites led by Healthcare.gov. In addition to the site accessibility delays that have plagued Obamacare Websites since day one, security researchers are now also warning about potential risks. Obamacare Websites include the primary U.S. government site at Healthcare.gov as well as individual state Websites. Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks, told eWEEK that he has concerns about many of the Obamacare sites and expects them to be juicy targets for attackers. Adams stressed that he did not complete a comprehensive penetration testing exercise against any Obamacare site, as he did not have permission from the sites. However, he was able to passively ascertain security posture via a number of noninvasive activities. At a high level, Adams said that the core Healthcare.gov site is built mostly on a Java stack and doesn't have any obvious security red flags. When it comes to individual states, however, Adams has some concerns about the Kentucky health care site, which he referred to as being "fairly buggy." "The biggest indicator is they expose a whole lot of information about how the back end is implemented through the client interface," Adams said. "They're also passing around implementation details like the private object names that are used throughout the application." The state of Vermont also exposes back-end details, and the state of Maryland was found in Adams' analysis to not be using Secure Sockets Layer (SSL) encryption for some of its traffic.

The use of SSL is critical as it limits the risk of data being read in the open by anyone.

XSS and SQL Injection

Two of the most common forms of Web attack today are cross-site scripting (XSS) and SQL injection, and Obamacare sites might well be at risk from both.

Adams said that while he didn't conduct a full analysis, he did throw some invalid inputs into the Obamacare sites to see what would happen. An example of the invalid input is the use of letters instead of numbers in a form field for phone numbers. Security researchers can learn a lot from how a system responds to invalid inputs. "I got some strange error messages back that would indicate that things aren't being validated properly," Adams said. "If you see signs of bad input validation in one place, it's usually an indicator that bad input validation exists elsewhere across the site." Without proper input validation, an attacker could potentially perform a SQL injection attack.

Adams said he found evidence of bad input validation for the Vermont Obamacare site as well as the main Healthcare.gov site. The error that Adams got on the Healthcare.gov site in response to the bad input was an "unhandled exception" error. "If you can throw something at an application and it results in an error, then there is a good chance that if you craft the input value correctly, you can get the application to handle it improperly," Adams said.

The Big Picture

Eric Cowperthwaite, vice president of advanced security and strategy at CORE Security (and former CISO at Providence Health), told eWEEK that healthcare.gov either maintains a significant amount of personally identifiable information or it is the gateway or interface to systems that do. "Any system that contains large amounts of personally identifiable information could be the source of a massive breach," Cowperthwaite said. "And the more complex the system is, the more likely there are significant vulnerabilities that can be breached." In Cowperthwaite's view, the even bigger smoking gun about Obamacare Website security is the various glitches, bugs and issues that are impacting system functionality today. "Security is often defined as the confidentiality, integrity and availability of systems and data," Cowperthwaite said. "Healthcare.gov has had quite well-documented problems with both availability and integrity." Issues with Healthcare.gov site availability, however, might also potentially be a good thing for security. Craig Carpenter, vice president of strategy at AccessData, told eWEEK that he would be surprised if the site's security hadn't already been compromised, perhaps many times over—even with a small population of users actually being able to get in. "In fact, the site's stability issues and lack of usability to this point may be its best security: Even hackers haven't been able to get in long enough to make it work," Carpenter said. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.
Follow him on Twitter @TechJournalist.
An attacker broke into database service MongoHQ and used an "impersonate" support feature to access a limited number of users' data. Using the compromised username and password of an administrator, attackers breached the network of database-as-a-service firm MongoHQ, accessing the data of a "limited number" of users, the firm said in a detailed description of the attack published on Oct. 29. MongoHQ, which provides managed access to instances of the unstructured database software MongoDB, discovered the attack on Oct. 28 and immediately shut down access to internal applications until each team member had reset his or her credentials.

The attackers gained access to the company's support application, which in turn gave them access to customers' account information, including databases, email addresses and encrypted user credentials, CEO and co-founder Jason McCay said in a detailed post. "In handling security incidents, MongoHQ's priorities are to halt the attack, eliminate the control failures that allowed the attack to occur, and to report the incident candidly and accurately to our customers," he said. An audit of the attackers' actions on the system showed that some customers' accounts were accessed using the "impersonate" support feature that allows support personnel to view accounts as if they were the customer.

The company has contacted the affected customers, McCay said. The attackers had gained access using a username and password that had been compromised in a separate breach. Most users memorize a small list of passwords that they use on different sites, even though the reuse of passwords puts linked accounts in danger. To offset the risk in the future, the company has implemented two-factor authentication for internal applications, McCay said. The company should be commended for the openness of its account of the attack, said Geoff Webb, director of solutions strategy for security-as-a-service provider NetIQ. However, by using only a password for internal account security, MongoHQ left itself open to an outsider gaining elevated privileges inside its network, Webb said. "If someone is inside, whether they are the employee or someone masquerading as an employee, then I need to find a way to deal with that," he said. A common way to prevent outsiders from accessing internal resources is to use network segmentation to add another layer of security, according to Chris Hinkley, a senior security architect with FireHost, a secure hosting provider. "This is a worrying lack of segmentation regarding the administrative applications and other portions of the network, which meant a breach was always in the cards," Hinkley said in a statement. "The support applications should have not been publicly accessible at all and a VPN, preferably with two-factor authentication, should have been in place to prevent damage from compromised passwords." Scalable databases capable of handling large datasets, such as MongoDB, have become very popular as so-called "big data" analytics have caught on with enterprises. MongoHQ, which offers access to scalable databases in the cloud, has quickly grown and now handles some 6 billion database transactions every day, according to the firm.  
Reports that the carrier provided phone data to the NSA could hamper its chances of getting European approval for acquisitions, says The Wall Street Journal. October 31, 2013 8:44 AM PDT AT&T may face a tougher time convin...
Adobe has confirmed that a recent cyber attack compromised more than ten times the number of accounts than initially reported and also involved source code for Photoshop. Just after the breach, Adobe chief security officer Brad Arkin said in a blog post that 2.9 million accounts had been affected, but the firm now says the figure is around 38 million active accounts. The company said its initial statement was based on information it could validate at the time, according to the BBC. However, the bulk of the compromise relates only to customer IDs and encrypted passwords, while the 2.9 million figure relates to encrypted payment card details and other customer order information. Adobe has also now revealed the attackers accessed details from an unspecified number of accounts that had been dormant for two or more years and stole some source code for Photoshop. Initial reports said the attackers had accessed the source code of Adobe’s Acrobat PDF document-editing software and ColdFusion web application creation products. In May, Adobe moved several products to a subscription model, requiring customers to register an account and provide payment card details to qualify for upgrades. The company said it had notified all customers that might have been affected and reset their passwords as a precautionary measure. Adobe also said there had been no indication so far of unauthorised activity on any of the accounts involved in the breach. The breach is a major embarrassment for the company, which had been promoting its Creative Cloud subscription services heavily since switching to the new business model. In 2012, Adobe's servers were breached due to a configuration error. In response to that attack, Arkin made major changes to internal security.

Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR) contains the following denial of service (DoS) vulnerabilities: Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability Cisco IO...
Site shares identifying data with analytics vendors, might expose more to attackers.    
The fifth iteration of these best practices for security frameworks adds a critical new component that few organizations have today. How do some of the best organizations in the world deliver and provide security for their own enterprises? That's a question that the annual Building Security in Maturity Model (BSIMM) aims to answer.

The fifth iteration of the model is now out and adds just a single new practice to what last year's BSIMM advocated. Jacob West, CTO for enterprise security products at Hewlett-Packard, is a co-author of the 2013 BSIMM and explained to eWEEK that the new 2013 model includes 112 best-practice activities for security.

The single new activity added this year is a recommendation for organizations to have a bug-bounty program.

These bug-bounty programs encourage security researchers to responsibly disclose software vulnerabilities, and in return, vendors provide rewards. HP is no stranger to the world of bug-bounty programs as it runs the Zero-Day Initiative (ZDI), which buys vulnerabilities from researchers. ZDI also runs the annual Pwn2Own competition, which rewards researchers for zero-day flaws demonstrated during a live event. While the ZDI effort is vendor-agnostic, internal vendor programs are a complementary effort, West said, adding that the real challenge is the large gray market in which vulnerabilities are not responsibly disclosed to vendors and instead are sold on the open market. "Vendor-led bug-bounty programs are an important counter-balance to the gray market," West said. "As an industry, we need to keep as many unknown vulnerabilities out of the hands of the potential bad guys as possible." The BSIMM isn't just a checklist of security items that an organization should have; it also attempts to measure the maturity level of security practices. West said that simply having a bug-bounty program is a relatively mature practice to begin with. "The purview of the bug-bounty program is one sign of maturity," West said. "Some vendors will create a bug-bounty program for a single product and don't apply the program to other programs, so scope is a key indicator of maturity." Another key attribute of a mature bug-bounty program is that it is well-funded. Researchers are spending a lot of time to find vulnerabilities, and it's important that they are rewarded properly, West said. Yahoo recently was publicly berated for offering security researchers T-shirts as a reward for vulnerability disclosures. Yahoo is now moving toward a fully funded bug-bounty program. It's also important for organizations to have an internal ability to actually understand and analyze the submissions that are coming in from security researchers.
"You really need to have folks on your team that are used to reverse-engineering and vulnerability discovery," West said.  "Having the internal expertise to fill in the other half of the equation for the security researchers is critical, or else you won't get the maximum value out of the bug-bounty program." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.  
Public sector data protection constraints are "artificial and kneejerk", and are holding the sector back from "effective customer service", Eastbourne Borough Council's deputy CEO, Julian Osgathorpe, has told Computing. While discussing the council's ...
While the potential security and legal aspects of bring your own device (BYOD) are frequently mentioned by vendors – especially as a good reason to buy their mobile device management software – the plain truth is that there haven’t been many, if any, clear-cut cases related to BYOD. Yet. But as Frances Barker, a partner at Blocks Solicitors, is quick to point out, almost all employment law cases these days do involve IT in some capacity, even if it is just an email sent from a work PC, so it is almost inevitable that one day soon, someone’s personally owned BlackBerry or iPhone will be required to give evidence in court. And many organisations are clearly concerned – as reflected in the number of enquiries that law firms such as Blocks are receiving. In broad terms, though, BYOD is already well covered by existing laws and conventions, even if they were not originally written with BYOD in mind. “The laws relevant to BYOD would be the general context of employment law, which will be the Employment Rights Act 1996; the ACAS code of practice on disciplinary and grievance procedures; and, the Data Protection Act,” says Barker. She continues: “Specifically, in relation to BYOD, it will also depend on the contractual terms under which a person uses their own device – that’s the ‘deal’ between employer and employee.” That is why organisations have been urged to develop their own policies on BYOD: in order to cover themselves under the terms and conditions of employment that govern their relationships with staff. Generally speaking, she adds, employers ought to set similar boundaries on staff using BYOD devices to those they would expect if staff were using company-supplied kit. “Although obviously the member of staff can use it for private use as well,” she adds, and this private use needs to be respected by the employer.
She continues: “The employer is also going to have to – and this is the intrusive bit – reserve the right to monitor and to inspect the device in order to investigate potential problems.

They are going to have to impose what security they want in relation to their own applications or data, both in terms of use of that device, but also that device interacting with their own systems.” Put like that, and suddenly it doesn’t sound quite so enticing. Indeed, many software vendors also promote such capabilities as the ability to remote wipe some or all of the storage of a smartphone or tablet computer should the member of staff lose the device or, worse still, go to work for a bitter rival. “And the device is almost certainly mobile, so you will have security implications related to that, too,” she adds. “What is key is, what happens when they leave or you suspend them?” While current laws and regulations that encompass BYOD are quite flexible, one of the big problems surrounding it, adds Kathryn Wynn, a senior associate with law firm Pinsent Masons, is that there is no specific legislation relating to it. “Most of the laws [relating to BYOD] were written over 10 years ago and never really envisaged the concept of BYOD,” says Wynn. Even so, a first step is to draw up a reasonable, binding policy on BYOD based on rights and responsibilities under existing laws. Practical Law, the online legal advisory service run by Thomson Reuters and widely used in business, has even drawn up a draft BYOD policy document that subscribers can consider. It is intended both to explain to staff the risks that the company is exposed to when it adopts BYOD, as well as to prescribe a code of behaviour.
Microsoft has lifted the veil on how it maintains security for more than 200 cloud services, including Office 365, Windows Azure and Outlook.com. Just as the company uses security development lifecycle (SDL) in its production of software, Microsoft has developed an operational security assurance (OSA) methodology. “OSA builds on Microsoft’s experience with operating cloud services at scale,” said Mike Reavey, general manager, Trustworthy Computing at Microsoft. Like the SDL, it is a proven and scalable methodology that complements industry standards, it has clear and specific requirements, and it is updated continually, he told the RSA Europe 2013 conference in Amsterdam. And just as SDL is mandatory for all software development, OSA is mandatory for all online services alongside SDL and is applied from the start of the design phase onwards. Within Microsoft, OSA is supported by a team of policy creators, an OSA advisor, operations security lead, an SDL security champion, and subject matter experts in areas such as public key infrastructure (PKI). “The OSA advisory function brings together the security leaders for operations and software, which is important for any business – large or small – that has developers for applications or services,” said Reavey. “The trick is to get software and service development teams together with those in charge of operational security to talk about the right things and carry out threat modeling." Although one of the most difficult things to do at scale, Reavey said threat modeling is vital to test assumptions and make the connection between development and operations. Microsoft has learned the importance of making this connection through bitter experience.

The company was forced to change its Windows update process with the discovery of the Flame malware in May 2012. Flame exploited an assumption by the Microsoft development team that it was safe for the Windows Update client to trust newer, digitally signed versions of itself. By working out how to exploit weaknesses in operational security to sign malware, the creators of Flame were able to bypass security controls. “OSA is designed to catch the operational security impact of design decisions by bringing development and operational security teams together at the right time,” said Reavey. Flame provided valuable lessons in the importance of operational security for Microsoft and the software industry as a whole, he said. Microsoft’s OSA has multiple inputs, including the best that security standards such as ISO27001 have to offer on securing online services and feedback from security incidents. “We believe that a crisis should never be wasted; that there is always something to be learned, which is why the OSA is tightly coupled to the Microsoft security response centre (MSRC),” said Reavey. Security success stories across the organisation are also fed into OSA to ensure the most effective security processes are incorporated. Inputs from security technologies, threat intelligence, industry associations, international standards, incidents and organisational learnings are continually consolidated into OSA requirements. “This is an ongoing process that gets continually reviewed and updated,” said Reavey. He challenged all businesses that do any in-house development of software and services to question just how well those development teams communicate with operational security teams. “Ask if they are doing adequate threat modeling and if they are ensuring that no crises, internally or externally, are going by without lessons being drawn from them,” he said. 
Reavey also challenged businesses to ask their current or prospective cloud service providers if their development decisions are based on operational security considerations and to give examples.
