Monday, February 29, 2016

Kaspersky Labs rolls out targeted threat detection platform for enterprises

The platform monitors and analyzes data collected from different points of the corporate IT infrastructure, including network activity from web and email.










from Latest topics for ZDNet in Security http://ift.tt/1oUNGlS

Bugtraq: Microsoft PowerPointViewer Code Execution

Microsoft PowerPointViewer Code Execution

from SecurityFocus Vulnerabilities http://ift.tt/1QoMnWk

Bugtraq: [security bulletin] HPSBUX03552 SSRT102983 rev.1 - HP-UX BIND running Named, Remote Denial of Service (DoS)

[security bulletin] HPSBUX03552 SSRT102983 rev.1 - HP-UX BIND running Named, Remote Denial of Service (DoS)

from SecurityFocus Vulnerabilities http://ift.tt/1neuNIQ

Apple scores a win in All Writs Act fight against US government

Apple's battle against being made to unlock its phones for law enforcement has been given a boost by a New York magistrate judge.










from Latest topics for ZDNet in Security http://ift.tt/1OK1TXd

SecaaS Working Group Releases Preview of Security as a Service Functional Domain Definitions – Including Continuous Monitoring

By John Yeoh, Senior Research Analyst, Global, Cloud Security Alliance Numerous security vendors are now leveraging cloud-based Security as a Service (SecaaS) models to deliver security solutions. This shift has occurred for a variety of reasons including greater economies of scale and streamlined delivery mechanisms. However, these SecaaS offerings can take many forms causing market […]

The post SecaaS Working Group Releases Preview of Security as a Service Functional Domain Definitions – Including Continuous Monitoring appeared first on Cloud Security Alliance Blog.



from Cloud Security Alliance Blog http://ift.tt/1Uv33NA

Cryptomathic Joins PCI Security Standards Council

The move is interesting given that the PCI SSC released a special bulletin last year dropping SSL from its list of acceptable crypto solutions.

from http://ift.tt/1XWdWaV

US report confirms Ukraine power outage caused by cyberattack

A Homeland Security unit said the cyberattack was "synchronized and coordinated," and was likely carried out "following extensive reconnaissance of the victim networks."










from Latest topics for ZDNet in Security http://ift.tt/1oTOyXO

Mobile Users Blissfully Unaware of IoT Dangers

Nearly one in 10 smartphone users say there isn’t a single thing a hacker could take from their phone that would upset them.

from http://ift.tt/1UuU5Ql

CISOs Still Frozen Out of the Boardroom

82% of boards are concerned about cybersecurity, but only 14% of CISOs report to the CEO.

from http://ift.tt/1nd9wz2

Cisco and NATO expand cyber security partnership

Today NATO and Cisco, two long-time cyber defense partners, are formalizing a key piece of our cooperation – information sharing.

from Security – Cisco Blog http://ift.tt/1RB1sDd

Internet of Things — or Internet of Cyber Crime?

The Internet of Things needs effective cyber security solutions, too.

Gartner estimated that at the end of 2016, there will be around 6.4 billion connected objects in use — things like smart refrigerators, smart thermostats, wearable fitness gadgets and even dog collars that let consumers know how their pets are doing. By 2025, there will be 20.8 billion objects making up the IoT. In addition, the Industrial IoT is enhancing efficiency and productivity, effectively transforming the way companies do work.

These smart technologies are keeping people connected and helping to make business easier for the industrial sector. However, no matter how useful the IoT may be, there are still those who would try to exploit vulnerabilities within the system. There are several important ways the IoT is behind in terms of cyber security. Targeted attacks against devices within the IoT are entirely possible.

The problem with smart TVs

These vulnerabilities can exist anywhere within the IoT — even consumers' own living rooms. Trend Micro researchers found earlier this year that some Android-based smart televisions are susceptible to attack via third-party apps that people download onto their devices. These apps contain a backdoor that allows hackers to install other malicious apps and malware onto the system. Since most smart TVs operate using an older version of Android, they still contain the fatal flaw that allows this to take place.

The easy solution to this problem is to avoid installing third-party apps and to invest in effective security software. Since hackers rely on their ability to lure consumers into downloading these apps directly onto their smart TVs, it's important to remember not to fall for these types of social engineering tricks.

Another issue with smart tech: Passwords

A problem that arises within the IoT space is the question of authentication and password use. According to Dark Reading contributor Marilyn Cohodas, it may be possible to have mutual authentication between devices and users, but the solution to this issue may be complex.

"Context-aware security, new gateways and middleware were three measures [LG Mobile Research] said could help facilitate the 'chain of trust' necessary to support IoT," Cohodas wrote.

However, the solution isn't going to be simple. Passwords and authentication issues continue to plague the IoT. Most recently, the app for the popular electric car the Nissan Leaf had to be deactivated due to its inherent vulnerabilities. The NissanConnect EV app allows car owners to control the atmosphere within their vehicles, along with other capabilities. According to Wired, the app's susceptibility was first disclosed by security researcher Troy Hunt, who was able to remotely control a car's heated seating and steering wheel, along with air conditioning and fans.

The issue here is that the app doesn't hide usernames, and the passwords associated with the accounts are more often than not the VIN number that is easily locatable on the vehicle. In other words, it's a simple task for hackers to crack into the app and potentially take charge of the car.

"Anyone could potentially enumerate vehicle identification numbers and control the physical function of any vehicles that responded," Hunt wrote.

This is a troubling consideration. There are tools in the works that will hopefully help to curb the ability of hackers to gain access to the increasingly smarter vehicles that line the roadways.

IIoT security

Yet another area for concern lies in the Industrial Internet of Things. This is the counterpart to the consumer-driven IoT: the connected web of devices that manufacturers and distributors use to streamline supply chain management and develop their businesses. It also encompasses critical national infrastructure, including the power grid, hospitals and the transportation sector.

"The Industrial IoT is much more demanding than the consumer IoT, and breaches are more consequential," said Gerardo Pardo-Castellote, Chief Technology Officer at Real-Time Innovations, a company that focuses on . "In the IIoT the volume of data is larger and the systems require protecting real-time data in motion. This task gets increasingly harder as the systems grow in size and complexity."

In other words, security of the IIoT is almost more important than that of the devices utilized by consumers, because the global economy and marketplace – not to mention health care and the power grid – is beginning to rely on these technologies to function in the most efficient manner. If the devices were to be compromised in any way, the consequences could be catastrophic. It all comes down to the need for effective cyber security within these areas and making sure vulnerabilities are patched up.

Smart TVs, consumer vehicles and the Industrial Internet of Things are all important applications of smart technologies. Malware and other malicious apps that could potentially cause vulnerability within the Internet of Things will no doubt increase as the IoT continues to grow. Security solutions that can negate these kinds of targeted attacks are more important than ever.



from Trend Micro Simply Security http://ift.tt/1oTwmNT
via IFTTT

Uber data breach shows apps may not be able to protect your information

Are your apps as secure as you think they are?

The world has gone mobile. With 68 percent of Americans owning a smartphone of some kind according to the Pew Research Center, staying connected on the go has obviously become a major part of everyday life. But there is a dark side to the mobile revolution.

Apps, which have moved themselves to the center of smartphone engagement, aren't as secure as some people might think. In fact, Uber's trouble with the state of New York has highlighted the security woes many modern apps face. The ride sharing giant was ordered to pay a $20,000 penalty for a data breach that leaked the names and license plate numbers of more than 50,000 drivers. 

Many apps just aren't secure enough

Trend Micro researchers have known for some time that many apps don't offer the data security most people think they do. To begin, many free apps collect information from the user such as their contact lists and location. This data is sold to advertisers, who then place ads on the app when the person attempts to use it.

While this is bothersome enough on its own, the real problem stems from the fact that these third-party advertisers can't exactly be trusted when it comes to the security of your data. You don't know who they are, and if a data breach ever occurs at one of these organizations that has access to your information, it can be incredibly hard to follow the bread crumbs back to the advertiser.

It's not all bad news

Thankfully, there is a good section of the population that knows just how dangerous having their data flapping in the wind can be. A study posted on eMarketer found that 52 percent of mobile device users have deleted an app due to a lack of security or privacy.

While this isn't a wide majority, what it shows is that people are beginning to grasp the gravity of the situation. It would certainly be better to see that number grow in the coming years, but at least a large portion of users know that their data is incredibly valuable.

What all this means is that it's on the user to make sure that their information is kept safe. If a person wishes to download a free app, they should take the time to read over the terms and conditions to make sure their data isn't up for grabs the moment they hit accept. 

Security experts recommend that users educate themselves about their data, especially through programs such as PrivacyGrade.org. This organization works to teach people about the kind of information different apps require, even giving grades to popular apps based on what data is required from their users. 

What's more, smartphone users now have the unique opportunity to download an app that actually monitors other apps used on the device. MyPermissions allows people to receive an alert whenever an app accesses sensitive data on their phone. When this message pops up, the user then has the ability to "revoke permissions immediately," meaning the person can instantly stop the troublemaker from ever accessing their private information again. MyPermissions has done extremely well on both the iTunes store and Google Play. Considering the fact that it's completely free and never stores or uses personal data, apps like this should play a major role in every person's privacy strategy.

Trend Micro has also developed the Mobile Security system for Android users worried about the security of their device. Aside from backing up contact lists and helping the user find his or her lost device, Mobile Security also has a Privacy Scanner. Much like MyPermissions, this application scans activity to determine if an app is accessing information that it shouldn't.

A gaming app certainly doesn't need access to your contact list, and such an event would trigger a Privacy Scanner warning for the user. What's more, the app also categorizes threats into three warning labels: high, medium and low risk. This lets the user know exactly how concerned they should be about a certain app's activity.

Staying informed and knowing where your data is located is the best way to protect sensitive information. There are simply too many people out there trying to utilize private data to their advantage to ignore the risk, and forgetting that a smartphone is just as much a computer as a desktop is a dangerous mistake to make.



from Trend Micro Simply Security http://ift.tt/1RAVLVJ

IBM Plans Resilient Acquisition

IBM has announced plans to acquire Resilient Systems to add incident response capabilities to its services.

from http://ift.tt/1T4m4qB

Bugtraq: Fing v3.3.0 iOS - Persistent Mail Encoding Vulnerability

Fing v3.3.0 iOS - Persistent Mail Encoding Vulnerability

from SecurityFocus Vulnerabilities http://ift.tt/1XVQYkc

Bugtraq: [SYSS-2015-073] perfact::mpa - URL Redirection to Untrusted Site

[SYSS-2015-073] perfact::mpa - URL Redirection to Untrusted Site

from SecurityFocus Vulnerabilities http://ift.tt/1XVQVVw

Bugtraq: [SYSS-2015-072] perfact::mpa - Insecure Direct Object References

[SYSS-2015-072] perfact::mpa - Insecure Direct Object References

from SecurityFocus Vulnerabilities http://ift.tt/1XVQVVv

Bugtraq: [SYSS-2015-071] perfact::mpa - Cross-Site Request Forgery

[SYSS-2015-071] perfact::mpa - Cross-Site Request Forgery

from SecurityFocus Vulnerabilities http://ift.tt/1XVQY3Q

Apple lawyer says meeting FBI demand would help hackers 'wreak havoc'

The FBI's demands would "set a dangerous precedent for government intrusion."










from Latest topics for ZDNet in Security http://ift.tt/1ScZhb1

Keeping Your Sanity Securing IaaS, PaaS, and SaaS Cloud Services – Part I

Defending multiple cloud service types as one

In most organizations today, cloud services are a fact of life. Whether you’re deploying and managing servers in the cloud, building on top of a globally distributed platform, or consuming constantly updated services, the cloud is a fundamental part of your IT service delivery…whether you know it or not.

And why wouldn’t you move to the cloud? The business advantages are clear. You can greatly reduce the time to deploy new services, decrease your operational burden and costs, and rapidly iterate on new ideas.

It may require a cultural shift in your organization to accept extending trust to your cloud service providers (CSP). Top tier CSPs understand that they live and die on their reputation. It’s in their best interests to deliver a secure service to you.

Shared Responsibility

But that’s not to say that you don’t have responsibilities for security as well. All cloud services (regardless of SPI model: IaaS, PaaS, or SaaS) use this simple model.

Of the main areas of security, the CSP is always responsible for:

  • physical
  • infrastructure
  • network
  • virtualization

Depending on the service, you may be responsible for securing the:

  • operating system
  • application

And you are always responsible for:

  • data
  • service configuration

Put these areas together across all three SPI methods and you get figure 1, “Shared Responsibility Model”.

Figure 1, Shared Responsibility Model

 

Straightforward Strategy

Looking at cloud security in this manner brings clarity. You can take each type of service (IaaS, PaaS, SaaS) and apply reasonable security controls in order to fulfill your day-to-day responsibilities.

It’s important to note that we’re talking about day-to-day responsibilities here. You’re always responsible for the security of your deployments. However, you delegate some of the day-to-day work to your CSP. In these cases, you have to trust but verify the work your CSP is doing.

 

IaaS

When dealing with IaaS, most of the controls you are used to from the datacenter are still applicable. They’re just delivered in a different manner in order to optimize for the attributes of a cloud environment.

You see this with controls like intrusion prevention and filtering. Traditionally gateway controls, they are now much more effective when deployed directly on an instance or virtual machine. This maintains the scalability and flexibility of the cloud without sacrificing security.

PaaS

Platform deployments can be tricky to secure because of how intertwined your application is with the platform itself. This is a service type where secure design, a strong understanding of the CSP’s role, and programmable security controls are critical to a successful, secure deployment.

SaaS

Securing software delivered as a service is typically accomplished using a combination of a CASB (cloud access security broker) and configuring the native service controls in order to meet your security needs.

 

Not So Fast…Please?

While the plan for securing each service type is clear, the pace of change in this space is a major challenge.

Cloud services (of all types) are readily available. It’s never been easier to stand up a new application or service.

This rapid pace of innovation is a huge boon to business. IT is finally a consistent enabler within the organization.

The challenge is for security to keep pace. Innovation is at an all-time high in the security space, but even with current levels of investment and effort, it’s difficult for security controls to keep pace with the new services being developed.

This rapid pace of change is leading to more and more security solutions being required to properly secure the vast number of services that each organization is using.

 

Putting It Together

The average organization uses a lot of services. Ok, I’m sure there’s an actual number but it’s hard to nail down. Depending on the source, the average is somewhere between 5 and 700 hundred. So let’s settle on “lots”.

Solid guidance exists on how best to secure each of these services according to your needs. The challenge is stitching the security of each of these services together into a cohesive whole.

 

The Roadmap

The industry (led by organizations like the Cloud Security Alliance, of which Trend Micro is a member) is working towards a common goal to help address this challenge.

The goal is to provide tools that organizations can access easily and that work together (regardless of vendor) in order to provide a comprehensive security solution around cloud services.

The strategic vision and guidance are already in place with the Cloud Controls Matrix (the CCM, a living document currently at version 3.0.1). This document lays out the types of controls that should be applied to various cloud services.

In addition to the CCM, there are a number of efforts in place to help organizations combine the right tools for their security needs. The Cloud Security Open API shows a lot of promise in helping make this a reality.

Separate from these efforts are the individual roadmaps for each cloud security tool. This is a very active and innovative space (yes, I realize I have a bit of bias here, but just look around at the number of cybersecurity startups and established companies' efforts and I think you’ll agree).

But each of these efforts is a medium-term solution at best. Stay tuned to learn what organizations can do to address this problem. Looking forward to your comments below or on Twitter (where I’m @marknca).

 



from Trend Micro Simply Security http://ift.tt/1oJHX1A

Tax Scams Gone International

Tax time in the US is quickly approaching. Everyone should be on the lookout for scams that are designed to trick you out of your money and personal information. The IRS is warning users about an increase in the number of email scams being used this year. However, these attacks are no longer limited to just the United States. Earlier this year we noticed tax phishing campaigns targeting Ireland. Therefore, we decided to take a look back over the last year [...]

from Security – Cisco Blog http://ift.tt/1ncn5yO

IBM buys Resilient Systems, aims to offer response 'playbooks' to security incidents

Resilient brings a platform to orchestrate and automate responses to security incidents. IBM will integrate it across its security portfolio.










from Latest topics for ZDNet in Security http://ift.tt/1T4dHeN

RSA Conference Brings Privacy out of the Shadows

As RSA Conference 2016 draws near, I’m excited to see that privacy is at last getting its day in the sun. This topic has often seemed like an after-market add-on at the conference in previous years. Last year, in fact, most of the booths at RSAC were touting the fact that they had security AND privacy, but when pressed, privacy usually meant encryption. Fortunately, that has changed. Why? The huge data breaches of last year, particularly those affecting the healthcare industry and the [...]

from Security – Cisco Blog http://ift.tt/1QGS0uB

CSA’S Virtualization Working Group Publishes New Position Paper on Network Function Virtualization

With the broad adoption of virtualized infrastructure, many security teams are now struggling with how to best secure these vital assets from targeted attacks. And because almost anyone can now easily virtualize resources such as compute, storage, networking and applications, the velocity and impact of security threats have increased significantly. In response to these trends, […]

The post CSA’S Virtualization Working Group Publishes New Position Paper on Network Function Virtualization appeared first on Cloud Security Alliance Blog.



from Cloud Security Alliance Blog http://ift.tt/1ScXfHO

IBM Security Bulletin: A vulnerability in the GSKit component of Tivoli Network Manager IP Edition (CVE-2016-0201)

A vulnerability has been addressed in the GSKit component of Tivoli Network Manager IP Edition. CVE(s): CVE-2016-0201 Affected product(s) and affected version(s): IBM Tivoli Network Manager 3.8 is not affected by GSKit advisory. IBM Tivoli Network Manager...

from IBM Product Security Incident Response Team http://ift.tt/1ScO4qR

CSA’s Consensus Assessments Initiative Releases Minor Update to Version 3.0.1

CSA’s Consensus Assessments Initiative Working Group has released an update to version 3.0.1 of the Consensus Assessments Initiative Questionnaire (CAIQ) that included minor updates and corrections. A tab was created in the spreadsheet titled “CAIQ Change Log” to capture the details of each update. This will be the location where all updates/corrections are logged until the […]

The post CSA’s Consensus Assessments Initiative Releases Minor Update to Version 3.0.1 appeared first on Cloud Security Alliance Blog.



from Cloud Security Alliance Blog http://ift.tt/1RfMiAD

Cisco Videoscape Distribution Suite for Internet Streaming TCP Session Handling Denial of Service Vulnerability

A vulnerability in TCP connection handling when TCP sessions are terminated via a TCP FIN packet for the Cisco Videoscape Distribution Suite for Internet Streaming (VDS-IS) could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition.

The vulnerability is due to improper TCP session management when a TCP session is in TCP FIN waiting state. The device could fail to respond properly to a new TCP SYN packet to start a new TCP connection. An attacker could exploit this vulnerability by sending TCP traffic streams that could terminate the connection with a TCP FIN. An exploit could allow the attacker to cause a partial DoS condition. When a TCP session is in a TCP FIN waiting state, it is possible that new incoming TCP SYN packets will be dropped silently.

Cisco has not released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: http://ift.tt/1LQ0BKn
Security Impact Rating: Medium
CVE: CVE-2016-1353

from Cisco Security Advisory http://ift.tt/1LQ0BKn

Data breaches exposed over 707 million records in 2015

But the good news is that the total number of breaches dropped by 3.4 percent from 2014.










from Latest topics for ZDNet in Security http://ift.tt/1OIejPl

California Auditor General calls out SANS Top 20 as a good path to more secure data

We live in interesting times—or, if you are the victim of a data breach, maybe you don’t really feel that way! For the past several years there have been continuous ‘expert’ statements like “this is the year of the data breach” … and yet we continue to have major incidents in the news regularly. In 2015, high profile incidents like VTech, Anthem, Ashley Madison, the United States Internal Revenue Service, Experian (T-Mobile), and the Hacking Team all illustrate that there is still some work to be done around how corporate and consumer data is protected.

 

With this in mind, last week the California Auditor General released the latest California Data Breach report. The report analyzes the 657 data breaches reported to the Attorney General’s office from 2012 to 2015, and interestingly, highlights that the majority of the reported breaches were the result of security failures. Based on this, the report makes specific recommendations to organizations, including leveraging the SANS Top 20 Critical Security Controls to apply what the Attorney General believes constitutes “reasonable security measures” to protect personal information under California law.

 

The Critical Security Controls (CSC) are a framework for implementing effective security in enterprise and government organizations. In fact, the controls have been mapped against major frameworks (ex: NIST 800-53, ISO 27002, and NSA Top 10) as well as major industry regulations (ex: PCI DSS 3.1, HIPAA, and NERC). With modern deployments that may include both virtualized data centers and cloud workloads (often called hybrid cloud), organizations are faced with significant challenges to consistently apply the CSC, especially using legacy security approaches.

 

With this in mind, we have put together a quick summary of how Trend Micro Deep Security can help across 14 of the 20 requirements. Unlike single purpose security offerings, having a single product that can address multiple requirements can significantly reduce the cost and complexity of applying the CSC framework, and, importantly, make an organization more secure through an ability to centrally control and report across all deployment types (physical, virtual, cloud). Delivered with tight integration to leading environments including VMware, AWS, and Microsoft Azure, Deep Security is at the heart of our Hybrid Cloud Security Solution, and is helping thousands of organizations secure millions of servers around the world today.  You can find out more about how Deep Security can help, in the words of the California Auditor General, apply “reasonable security measures” to your organization here: http://ift.tt/1SOCkvI.

 

 



from Trend Micro Simply Security http://ift.tt/1T49esr

Raspberry Pi 3 — New $35 MicroComputer with Built-in Wi-Fi and Bluetooth

While celebrating its computer's fourth birthday, the Raspberry Pi Foundation has launched a brand new Raspberry Pi today. Great news for all micro-computing fans: a new, powerful Raspberry Pi 3 Model B is in town. Months after introducing the just $5 Raspberry Pi Zero, the Raspberry Pi Foundation has introduced its third major version of the Raspberry Pi, the successor of the Raspberry Pi 2


from The Hacker News http://ift.tt/1XVhKJJ