News, Analysis and Opinion for Security - Page 19

March 23, 2015 23 Mar'15

Open source security tool indicates Android app vulnerability spike

A new open source security tool from CERT, dubbed 'Tapioca,' shows that Android app vulnerabilities are ubiquitous, according to new research from IBM.

March 23, 2015 23 Mar'15

Cisco IP phones vulnerable to eavesdropping; no patch available yet

Cisco says a vulnerability in some of its IP phones for SMBs could allow eavesdropping. A fix is not yet available, but Cisco has offered mitigation techniques.

March 20, 2015 20 Mar'15

At 2015 Pwn2Own competition, browser exploits in the spotlight

News roundup: Researchers at the 2015 Pwn2Own exploited every major Web browser, casting doubt on browser security once again. Plus: high-severity OpenSSL update; IE being phased-out in Windows 10; Americans dodging online surveillance.

March 18, 2015 18 Mar'15

Experts: Consumer Privacy Bill of Rights may ease privacy compliance

The Consumer Privacy Bill of Rights proposed by the Obama administration is a good first step, according to experts, and may simplify privacy compliance for enterprises currently dealing with many different state laws.

March 17, 2015 17 Mar'15

Yahoo’s attempt to kill off passwords raises security concerns

Yahoo’s attempt to kill off passwords by introducing an on-demand one-time passcode option for its email services has raised security concerns

March 17, 2015 17 Mar'15

Microsoft warns of fake SSL certificate for Windows Live

Microsoft has warned that a fake security certificate has been issued for the Windows Live domain that could be abused by attackers

March 16, 2015 16 Mar'15

Microsoft re-releases EMET 5.2 to fix IE bug

Update: Microsoft has re-released Enhanced Mitigation Experience Toolkit version 5.2 to correct a bug involving IE 11.

March 13, 2015 13 Mar'15

Hillary Clinton email debate highlighted by security mistakes

News roundup: Hillary Clinton's decision to use a private email domain and server has created a firestorm over her email security mistakes. Plus: OpenSSL audit, Blue Coat acquisition, more Equation details emerge.

March 13, 2015 13 Mar'15

Does Rowhammer mark a new wave of hardware vulnerabilities?

Experts agree that the Rowhammer vulnerability likely isn't an immediate threat to enterprises, but disagree on whether hardware vulnerabilities are about to reach a tipping point.

March 11, 2015 11 Mar'15

Verizon 2015 PCI report: More achieve PCI compliance, but fail to keep it

The 2015 edition of the Verizon PCI report shows enterprises are, on the whole, getting better at achieving full PCI compliance. Unfortunately, few can sustain it.

March 11, 2015 11 Mar'15

Study warns security certificates, cryptographic keys are in peril

A growing number of cryptographic keys and security certificates are being abused, according to a new study from cybersecurity firm Venafi and the Ponemon Institute.

March 11, 2015 11 Mar'15

HP enterprise security: Can acquisitions lead to cohesive strategy?

Through acquisitions Hewlett-Packard has built a formidable lineup of enterprise security offerings, but experts question whether a strong brand can overcome legacy technology and a lacking endpoint strategy.

March 10, 2015 10 Mar'15

March 2015 Patch Tuesday: Microsoft offers quick FREAK fix

Microsoft's March 2015 Patch Tuesday bulletins include a fix for the FREAK vulnerability, as well as five critical fixes, but surprisingly, an expert says one of the fixes deemed non-critical actually demands immediate attention.

March 10, 2015 10 Mar'15

Venmo struggles put spotlight on mobile payment security

The mobile payment app maker responds to criticism by stepping up security with better verifications and notifications for email and phone number changes.

March 10, 2015 10 Mar'15

Rowhammer takes a big swing at DRAM memory security

Google's Project Zero has detailed a new proof-of-concept exploiting the "rowhammer" DRAM flaw to allow for root access on various operating systems.

March 09, 2015 09 Mar'15

For threat intelligence programs, ROI evaluation proves tricky

Threat intelligence programs are taking root in many enterprises, but experts say variables like disparate service offerings, pricing models and response capabilities make ROI evaluation a vexing proposition.

March 09, 2015 09 Mar'15

Group claiming links to Isis hacks small business websites

The FBI is investigating the hacking of a number of SME websites in the US and Europe by people claiming affiliation with Islamic State

March 06, 2015 06 Mar'15

Adobe's new twist on bug bounty programs: No cash for bug hunters

News roundup: Bug bounty programs can offer big rewards to researchers, unless Adobe is handing out the prizes. Plus: Signal 2.0 encryption app; app cloning risk increasing; Angler adopts 'domain shadowing' capability.

March 05, 2015 05 Mar'15

Microsoft confirms Windows vulnerable to FREAK attack

The serious HTTPS FREAK exploit was thought to only affect Android, iOS, and MacOS, but Microsoft has confirmed that it also affects all supported versions of Windows.

March 05, 2015 05 Mar'15

Emerging cyberthreats exploit battle between compliance and security

While regulatory compliance is valuable and necessary for enterprises, cyberthreat experts say a compliance-centric security strategy may leave organizations with few resources to ward off emerging cyberthreats.

March 05, 2015 05 Mar'15

China and US cross swords over software backdoors

Barack Obama criticises Chinese plans to force tech firms trading in China to share encryption keys and put backdoors in software

March 04, 2015 04 Mar'15

Big data security analytics: Can it revolutionize information security?

Demetrios Lazarikos describes the security big data system he implemented at retail giant Sears, as well as how it helped thwart retail fraud activity and how he convinced executives to support the implementation.

March 04, 2015 04 Mar'15

Why Hillary can't mail

Reporting by The New York Times notwithstanding, it appears to this non-lawyer that Hillary Clinton probably didn't break any laws by using a personal email account to conduct state business. But ...

March 04, 2015 04 Mar'15

Maturing NoSQL database security is key to big data analytics

NoSQL database security has taken a backseat to performance in Hadoop-based security big data analytics systems, but that may soon change thanks to growing demand and maturing NoSQL security products.

March 02, 2015 02 Mar'15

Q&A: Marcus Ranum chats with AT&T's CSO Ed Amoroso

There's no shortage of new security technology, but enterprise integration is still a major hang-up, says AT&T's chief of security.

March 02, 2015 02 Mar'15

Uber database breach source of stolen driver information

Following the theft of data affecting about 50,000 of its drivers, Uber says it has filed a subpoena to obtain GitHub data that may pinpoint the source of its data breach.

March 02, 2015 02 Mar'15

New scrutiny on bug bounties: Is there strength in numbers?

Bug bounty programs are a cool idea and often work, so why haven't they taken off for non-tech companies?

March 02, 2015 02 Mar'15

Is the bug bounty program concept flawed?

Looking for security vulnerabilities? Tread lightly. The benefits of vulnerability rewards programs are great, but so are the risks.

March 02, 2015 02 Mar'15

US retailer Natural Grocers investigates data breach

Natural Grocers is the latest US retailer to announce it is investigating a possible data breach involving customer payment cards

February 27, 2015 27 Feb'15

Data breach consequences: Get breached, make money?

News roundup: Data breaches aren't associated with soaring stock prices, but recent examples show breaches may boost stocks. Plus: Gemalto confirms possibility of GHCQ/NSA hack; Target breach costs company $162 million; Superfish swims on.

February 26, 2015 26 Feb'15

HP: Threat intelligence sources need vetting, regression testing

According to HP Security Research, threat intelligence best practices can be difficult to implement, and even the most trustworthy sources must be tested for fidelity.

February 25, 2015 25 Feb'15

Google Project Zero changes fuel new vulnerability disclosures debate

Google's Project Zero has added more leeway to its vulnerability disclosure policy, but industry observers are split on whether 90 days is enough time to fix software flaws, or not enough time to manage a sensitive, resource-intensive process.

February 25, 2015 25 Feb'15

3G and 4G phones not affected by NSA and GCHQ hack, says Gemalto

The world’s largest maker of Sim cards, Gemalto, says it has “reasonable grounds” to believe it was hacked by UK and US spy agencies in 2010 and 2011

February 24, 2015 24 Feb'15

Macro viruses reemerge in Word, Excel files

Macro viruses haven't been popular since the early 2000s, but recent malware discoveries indicate that macro-infected Word and Excel files are on the rise.

February 24, 2015 24 Feb'15

Business disruption cyber attacks set to spur defence plans, says Gartner

By 2018, 40% of organisations will have plans to address cyber-security business disruption attacks, up from 0% in 2015, says Gartner

February 23, 2015 23 Feb'15

Slow adoption of DMARC policy leaves email vulnerable, vendor says

A new study finds that enterprises, especially healthcare companies, are slow to adopt the DMARC email authentication standard, making them vulnerable to malicious emailers.

February 23, 2015 23 Feb'15

Cisco touts OpenAppID for internal application traffic visibility

Use of Cisco's OpenAppID application-layer traffic-detection tool is still modest compared to Snort, but the networking giant says it can help enterprises improve traffic visibility on internal applications.

February 23, 2015 23 Feb'15

Lenovo faces lawsuit for pre-installing Superfish adware

A class action lawsuit has been filed against Lenovo after it was found to have pre-installed adware vulnerable to cyber attacks

February 20, 2015 20 Feb'15

Maintaining vendor trust proves tough for Lenovo, Microsoft

News roundup: Amid hidden add-ons, discontinued services and walled gardens, vendor trust proves elusive for several high-profile tech firms. Plus: Evidence ties North Korea to Sony Pictures hack; card brands boost cybersecurity; and cookies that ...

February 20, 2015 20 Feb'15

Flaws in alternative Android browsers pose underestimated risk

Exclusive: VerSprite research on 10 alternative Android browsers has found at least one major security vulnerability in all of them, posing a significant security risk for enterprise Android users.

February 20, 2015 20 Feb'15

Gemalto denies knowledge of GCHQ and NSA Sim card hack

Gemalto says it cannot verify a report that it was hacked by the NSA and GCHQ to steal encryption keys

February 18, 2015 18 Feb'15

Password reuse and password sharing prevalent in enterprises

The high percentage of password reuse and sharing by employees leaves enterprises vulnerable to breaches, according to a recent survey from SailPoint Technologies.

February 18, 2015 18 Feb'15

When is an ISAC not an ISAC?

A lot of what went on at the White House Summit on Cybersecurity and Consumer Protection, held at Stanford University last week was for show — a reaction in particular to the attacks allegedly ...

February 17, 2015 17 Feb'15

UTM vs. NGFW: Unique products or advertising semantics?

In comparing UTM vs. NGFW, organizations find it difficult to see if there are differences between the two products or if it is just marketing semantics.

February 17, 2015 17 Feb'15

International spyware operation linked to NSA

The US National Security Agency has reportedly hidden surveillance software in the hard drives of several top computer makers

February 13, 2015 13 Feb'15

Security information sharing: A double-edged sword

News roundup: While data sharing can boost intelligence and improve security, recent events show the benefits don't always outweigh the pitfalls. Plus: Chip-enabled POS systems coming quickly; MongoDB databases exposed; sophisticated phishing scams.

February 13, 2015 13 Feb'15

Prevoty offers context-aware, automatic RASP

Though I’ll admit to a bit of skepticism about Runtime Application Self Protection (RASP), I was nevertheless impressed with a recent look at Prevoty. The two-year-old company’s product, which ...

February 12, 2015 12 Feb'15

Report: Firewall policy management is a hot mess

A new report from FireMon finds that firewalls are still a critical security component, but firewall policy management is a major pain point for admins.

February 10, 2015 10 Feb'15

February 2015 Patch Tuesday: Group Policy flaw tops three critical fixes

Microsoft's February 2015 Patch Tuesday release offers three critical fixes, including one for a dangerous Group Policy vulnerability, but does not patch a recently revealed IE XSS zero-day flaw.

February 10, 2015 10 Feb'15

Will Chip and PIN technology boost payment card transaction security?

Visa and MasterCard are putting pressure on merchants to implement Chip and PIN technology, and while it will improve transaction security, it won't make PCI compliance any easier.

February 10, 2015 10 Feb'15

Voltage Security acquisition to bolster HP's data protection offerings

HP has agreed to acquire encryption vendor Voltage Security. Gartner says the move will bolster HP's data protection and cloud security products.

February 09, 2015 09 Feb'15

Security professionals warn against relying on cyber insurance

Security professionals have warned businesses not to rely on cyber insurance in the face of increased cyber attacks.

February 06, 2015 06 Feb'15

Same-origin policy IE vulnerability may signal new attack trend

A new IE vulnerability has led to a proof-of-concept same-origin policy exploit, and some experts say it highlights a technique that may soon become popular among attackers.

February 06, 2015 06 Feb'15

Budget, breach law highlight growing federal cybersecurity awareness

News roundup: With the proposed 2016 federal budget and push for a national data breach law, Washington may finally care about cybersecurity. Plus: Coviello to retire; Flash patched again; Sony Pictures breached by Russians and loses its co-chair.

February 06, 2015 06 Feb'15

Report: Most enterprise security operations centers ineffective

A new report by HP shows most enterprise security operations centers fail to meet recommended maturity levels needed to detect and manage cybersecurity threats.

February 05, 2015 05 Feb'15

Digitally signed malware risk on the rise, Kaspersky finds

Kaspersky reports digitally signed malware -- malicious files using legitimate digital certificates -- is a growing threat to enterprises, increasing four-fold in the past six years.

February 05, 2015 05 Feb'15

US health insurer Anthem hacked, exposing up to 80 million records

Hackers have broken into a database at US health insurer Anthem said to contain the personal data of up to 80 million people

February 04, 2015 04 Feb'15

Sony says cyber attack will cost $15m

Sony expects the investigation and remediation costs of the November 2014 cyber attack on its movie subsidiary will amount to $15m

February 02, 2015 02 Feb'15

Adobe Flash patch promised this week for new zero-day bug

Trend Micro discovered a new zero-day bug in Adobe Flash that is being actively exploited in the wild. Adobe promises a patch for the vulnerability this week.

January 30, 2015 30 Jan'15

GHOST Linux bug update: WordPress, other PHP applications vulnerable

PHP applications, including WordPress, are vulnerable to the GHOST Linux exploit, but overall the flaw may not be as dangerous as first thought.

January 30, 2015 30 Jan'15

Will YouTube HTML5 transition mean the end of Flash security issues?

News roundup: YouTube announced it has stopped using Flash by default in favor of HTML5. Is this the long-awaited end for Flash? Plus: Java was the riskiest software in 2014; BEC scam cost $215 last year; NFL data interceptions.

January 29, 2015 29 Jan'15

The politics of DDoS response

Reports of a 'hack back' DDoS attack by Sony stirred up acceptable use questions.

January 27, 2015 27 Jan'15

Qualys finds GHOST: Critical Linux remote code execution flaw

A critical Linux vulnerability, called GHOST, has been found to affect glibc versions released since 2000, and could pose a remote exploit risk on many Linux systems.

January 23, 2015 23 Jan'15

Detection vs. prevention: Ponemon report points to controversial trend

A Ponemon Institute report highlights the biggest risks to endpoint security, and what IT professionals plan to do to fight back, including one controversial tactic in malware protection.

January 23, 2015 23 Jan'15

Patchapalooza: In 2015, software patches, software security flaws surge

News roundup: An of onslaught Adobe, Oracle, OpenSSL, Chrome and Firefox patches highlights the sad state of software security in 2015. Plus, security budgets increasing; HealthCare.gov security woes; false-positive alerts cost millions annually.

January 23, 2015 23 Jan'15

CryptoWall 3.0: Ransomware returns, adopts I2P

Shortly after CryptoWall began using TOR to conduct transcations, a new version of the ransomware, dubbed CryptoWall 3.0, has begun using I2P.

January 22, 2015 22 Jan'15

Report: Popularity of biometric authentication set to spike

Juniper Research claims that the popularity of biometric authentication will rise dramatically in the next five years, incorporating innovative technology beyond today's fingerprint sensors and voice authentication systems.

January 21, 2015 21 Jan'15

Report: More than 90% of 2014 data breaches could have been prevented

The Online Trust Alliance finds that over 90% of data breaches resulting in data loss could have been prevented.

January 21, 2015 21 Jan'15

Wasted spending on security shelfware affects small businesses more

Osterman Research and Trustwave report that organizations waste money on underutilized security software because IT often doesn't have enough time or resources to use it.

January 20, 2015 20 Jan'15

ISACA: Majority of enterprises report cybersecurity workforce shortage

In its new 2015 Global Cybersecurity Status Report, ISACA finds that most organizations are aware of cyberattack risk, but few believe they have the capability to thwart a sophisticated attack.

January 19, 2015 19 Jan'15

Android vulnerability highlights Google's controversial patch policy

WebView vulnerabilities in older versions of Android are putting the majority of Android devices at risk. Google will not provide patches, forcing enterprises to determine the risk posed by unpatched Android devices.

January 19, 2015 19 Jan'15

Google's Project Zero reveals another Windows zero-day vulnerability

For the third time in one month, Microsoft couldn't meet Google's 90-day public disclosure deadline, leading to Project Zero's disclosure, though experts say this Windows zero-day vulnerability may have little value to attackers.

January 16, 2015 16 Jan'15

Hardware security issues prove tough to find, harder to fix

News roundup: Recently discovered firmware flaws highlight the challenges posed by hardware security. Plus: Heartland's breach warranty; RSA's overhaul; and Download.com's app (in)security.

January 16, 2015 16 Jan'15

Preview of 2015 Verizon PCI report hints at firewall compliance issues

In a sneak preview of its 2015 PCI Compliance Report, Verizon says improper firewall maintenance is among the leading causes of PCI DSS compliance failures.

January 15, 2015 15 Jan'15

Cybersecurity training needed to raise number of skilled workers

A survey by ESG finds that IT has an ongoing problematic shortage of enterprise cybersecurity skills, and the problem is getting worse.

January 14, 2015 14 Jan'15

Cybersecurity awareness can reduce infection risk up to 70%

A new study from Wombat Security and Aberdeen Group shows that boosting cybersecurity awareness and education among employees can reduce enterprise security risks and cost.

January 13, 2015 13 Jan'15

Light January 2015 Patch Tuesday delivers one critical Windows fix

Microsoft's January 2015 Patch Tuesday updates include a critical Windows update for Telnet, and a fix for a controversial Windows 8.1 flaw disclosed two weeks ago. Plus: An expert says Adobe's critical Flash Player fix demands immediate attention.

January 13, 2015 13 Jan'15

Cisco releases multiple WebEx security patches

The most important of the seven fixes for the WebEx Meeting Server platform remedies a flaw that could allow a cross-site request forgery attack.

January 09, 2015 09 Jan'15

Fake SSL certificates enable variety of security threats, say experts

Experts say the security industry's 'blind trust' may result in a new wave of security threats caused by fake SSL certificates, including man-in-the-middle and DNS attacks.

January 09, 2015 09 Jan'15

Sony Pictures hack recap: Experts debate North Korea's role

News roundup: The FBI maintains North Korea was behind the Sony Pictures hack, in spite of naysayers. Plus: Malware campaign attributed to Russia; new Mac OS X bootkit; cyberattack causes physical damage.

January 09, 2015 09 Jan'15

Expert: Mobile malware risk rising, but still largely Android malware

Video: Mobile malware expert Chester Wisniewski of Sophos says most enterprises need not fear mobile malware today, but Android malware is a growing threat.

January 08, 2015 08 Jan'15

Password security issues show case for privileged identity management

Video: Lieberman Software CEO Philip Lieberman explains how privileged identity management can shore up the many weaknesses of password-based authentication.

January 06, 2015 06 Jan'15

IBM: Retail cyberattacks become less frequent, but more effective

Research from IBM indicates cyberattackers are going after retailers with surgical precision, using fewer attack attempts yet frequently compromising vulnerable databases.

January 05, 2015 05 Jan'15

Evolving mobile security management thwarts unified endpoint management

Experts say unified endpoint management for mobile devices, laptops and desktops will take more time due to the complex, evolving demands of mobile security management.

December 31, 2014 31 Dec'14

Report: Chick-Fil-A data breach affects locations nationwide

The popular fast-food chain has suffered what may be a massive, months-long payment card data breach that likely dates back as far as December 2013.

December 30, 2014 30 Dec'14

As PCI DSS 3.0 deadline looms, QSAs urge 'continuous compliance'

As PCI DSS 3.0 becomes mandatory on Jan. 1, QSAs say struggling merchants will find that a continuous approach to PCI compliance eases the long-term compliance burden.

December 22, 2014 22 Dec'14

Staples data breach update: 1.16 million cards, 1,400 stores affected

An update from the office-supply giant shows that 1.16 million cards and point-of-sale systems at more than 1,400 stores may have been affected.

December 22, 2014 22 Dec'14

Researchers uncover serious NTP security flaws

According to researchers, the most severe of several newly discovered Network Time Protocol security flaws can be exploited remotely with a single packet.

December 19, 2014 19 Dec'14

Home router security vulnerability exposes 12 million devices

Check Point has uncovered a widespread home router security vulnerability, dubbed Misfortune Cookie, that could allow attackers to gain control over millions of devices.

December 19, 2014 19 Dec'14

FBI connects Sony Pictures hack to North Korean government

The investigative U.S. government agency said it found overlap between the malware and infrastructure used in the Sony Pictures hack and other North Korean operations.

December 19, 2014 19 Dec'14

Surviving the Sony Pictures hack: Is the company's future in jeopardy?

News roundup: As it copes with a devastating, unprecedented cyberattack, Sony Pictures' future as a company could be on the line. Plus: "Operation Cleaver"; labeling HTTP websites "insecure"; and a surge in phishing with malicious links.

December 18, 2014 18 Dec'14

Survey: Guest network security lacking at many businesses

According to WatchGuard, seven out of 10 restaurants, hotels and other businesses don't take the necessary steps to secure their guest Wi-Fi networks.

December 17, 2014 17 Dec'14

Sony Pictures data breach update: Hackers threaten film premiere

The New York opening of Sony Pictures' upcoming comedy The Interview was canceled after threats emerged from the attackers responsible for its recent data breach.

December 12, 2014 12 Dec'14

Sony Pictures hacking back: The ethics of obfuscation

News roundup: Amid a devastating breach incident Sony Pictures is fighting back, raising legal and ethical questions. Plus: A big week in security acquisitions; Comcast sued over open Wi-Fi; and Yahoo announces vulnerability disclosure policy.

December 10, 2014 10 Dec'14

Sony data breach update: Executives received extortion emails

Among the new details uncovered this week, Sony executives received extortion emails just days before troves of the company's data were released online as part of a massive breach.

December 09, 2014 09 Dec'14

December 2014 Patch Tuesday features three critical fixes

Capping a busy year of software updates, Microsoft's December 2014 Patch Tuesday release delivers three critical bulletins; separately Adobe offers a pair of critical fixes.

December 09, 2014 09 Dec'14

Many SMBs still lack controls to limit sensitive data exposure

Trustwave says one out of every five organizations has no controls in place to prevent sensitive data exposure, despite growing criminal interest.

December 09, 2014 09 Dec'14

FIDO Alliance releases 1.0 specifications for passwordless authentication

Amid growing fears of stolen credentials and data breaches, the FIDO Alliance released its long-awaited 1.0 specifications for passwordless and multifactor authentication systems.

December 05, 2014 05 Dec'14

How to find malware? It's hidden malware here, there and everywhere

News roundup: The industry is losing the battle against hidden malware, finding it in unlikely places from sandboxes to e-cigarettes. Plus: Richard Clarke's security tips for CEOs; data loss and downtime cost companies big; and are cheap tablets ...

December 03, 2014 03 Dec'14

Expert: FIN4 phishing attacks show new operational sophistication

According to one expert, the FIN4 attack group's successful advanced phishing operations prove that phishing attacks can't be thwarted solely with user awareness training.