Standards can be a way to get organizations to do things you want them to do, but oftentimes they don't get them to do much more. The writers of payment-card standards appear to have been acutely aware of that phenomenon when the PCI Security Standards Council previewed their new PCI DSS 3.0 standard earlier this month. "The existing PCI standard focuses clients on specific elements that are to be secured at a point in time -- when the auditor is there -- to get a PCI signoff for another year," Philip Lieberman, CEO of Lieberman Software, told TechNewsWorld. "For most merchants, the existing PCI standard is a one-time pain per year where things are cleaned up, and the bad security practices return almost immediately after the auditor leaves." The new PCI standard won't be music to the ears of security hands who worship the notion of the inviolate perimeter: "The new standard recognizes that perimeter breaches are a regular occurrence and outsiders regularly have access to credit card … [Read more...] about SPOTLIGHT ON SECURITY New Payment Card Standards Go Beyond Compliance
Google appears to be heeding warnings from security experts who say Android users need better control over what apps do with information from their phones. At I/O, its worldwide shindig for developers held last week, the company announced that the next version of its mobile operating system, Android M, would take a more granular approach to permissions for data requested by apps. Recent versions of Android allow applications to make a block of permission requests as they're installed. "Unlike iOS, where you have granular control over permissions, in Android, you're all-in or you don't have access to the application at all," Bitdefender Senior E-Threat Analyst Bogdan Botezatu told TechNewsWorld. That's changing with Android M. "With app permissions, we're giving users meaningful choice and control over the data they care about," said Dave Burke, vice president of engineering at Google, during a keynote address at the developers forum. "You don't have to agree to permissions that don't make … [Read more...] about SPOTLIGHT ON SECURITY Google’s Android Permissions Get Granular
A new attack has the potential to steal everything from email addresses to social security numbers, and security experts have found it running free in the wild. It works by observing how HTTPS responses are delivered over the transmission control protocol (TCP), letting an attacker infer the contents of encrypted responses and extract personal data about targeted users. The exploit is known as HEIST, which loosely stands for HTTP Encrypted Information can be Stolen Through TCP-Windows (as per Ars), and it is especially dangerous because it is both effective and simple. When a user loads a web page carrying the malicious code, that code can request a number of pages from the target site and measure the size of each response as it arrives. Although the responses are protected by HTTPS, combining those size measurements with older exploits may let an attacker recover the data inside them and thereby learn quite personal details about the individuals affected. Fortunately the technique was … [Read more...] about Security researchers find yet another leak in HTTPS, and it won’t be easy to patch
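The measurement trick and the older compression attack it revives, as an added simulation that is not the researchers' code and not part of the original article: the victim page, its secret token, the 800-byte "initial window" (a real initial congestion window is roughly ten TCP segments), the `q` and `pad` parameters the page reflects, and every function name below are constructed here. The attacker side never reads a response size directly; it only asks `fits_in_window`, the single bit HEIST extracts from browser timing, and turns it into exact sizes by padding the request until the response no longer fits. The fake server compresses with fixed Huffman codes so that one extra literal costs exactly one byte, which keeps the toy deterministic; a real server's dynamic codes add noise that the real attack averages out with repeated measurements.

```python
import random
import zlib

# All values below are constructed for the simulation.
INITIAL_WINDOW = 800               # assumed initial TCP window, in bytes
SECRET = b"7f3a9c1e"               # constructed token embedded in the page
HEX = "0123456789abcdef"
# Incompressible padding pool (bytes below 144 cost exactly 8 bits each
# under deflate's fixed Huffman codes); fixed seed keeps runs reproducible.
PAD_POOL = bytes(random.Random(7).choices(range(144), k=1024))


def compress(data: bytes) -> bytes:
    # Z_FIXED forces the static Huffman table; LZ77 matching is unchanged.
    c = zlib.compressobj(9, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return c.compress(data) + c.flush()


def render(q: bytes, pad: bytes, compressed: bool) -> bytes:
    """Victim page: reflects the query `q` and a trailing `pad` parameter
    and carries a secret token in a link, all in one (optionally gzipped) body."""
    body = (b"<html><body><p>Results for: " + q + b"</p>"
            b"<a href=/logout?t=" + SECRET + b">log out</a>"
            b"</body></html>" + pad)
    return compress(body) if compressed else body


def fits_in_window(resp: bytes) -> bool:
    """The only thing a cross-origin script learns in HEIST: whether the
    whole response arrived within the initial window (one bit)."""
    return len(resp) <= INITIAL_WINDOW


def padding_to_boundary(q: bytes, compressed: bool) -> int:
    """Smallest padding length that pushes the response past the window,
    found by binary search; each probe is one cross-origin request."""
    lo, hi = 0, len(PAD_POOL)
    while lo < hi:
        mid = (lo + hi) // 2
        if fits_in_window(render(q, PAD_POOL[:mid], compressed)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def measure_uncompressed_size() -> int:
    """Without compression each padding byte adds exactly one byte, so the
    boundary reveals the exact response size from the 1-bit oracle."""
    return INITIAL_WINDOW + 1 - padding_to_boundary(b"", False)


def recover_token(length: int) -> str:
    """BREACH-style recovery over the compressed page: the candidate that
    extends the LZ77 match with the real token compresses one byte better
    and therefore survives strictly more padding before the window is exceeded."""
    known = ""
    for _ in range(length):
        scores = {c: padding_to_boundary(f"t={known}{c}".encode(), True) for c in HEX}
        known += max(scores, key=scores.get)
    return known


if __name__ == "__main__":
    print("uncompressed size:", measure_uncompressed_size())
    print("recovered token:", recover_token(len(SECRET)))
```

`measure_uncompressed_size()` recovers the exact size of an uncompressed response from the one-bit oracle alone, which is the part of HEIST that is new; `recover_token(8)` then points the same oracle at the compressed page and reads the token one hex character at a time, which is the older compression attack the article alludes to, now usable without any network position.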
Facebook has apparently become a choice distribution channel for several malicious applications and a new variant of a pernicious piece of malware originally detected in 2008. The popular social networking site has been hit by at least three separate security issues in the last week -- two phony applications and the latest variety of the Koobface worm, according to security research firm Trend Micro. Rik Ferguson, a security researcher at Trend Micro, first noticed the Koobface threat after he received a message via Facebook from a friend. Nothing distinguished the message from any other; however, the included link to a YouTube page led Ferguson to a "very familiar looking spoofed version of YouTube, complete with bogus comments from 'viewers,'" he wrote in a post on the TrendLabs Malware blog. The two hoax applications, "The Error Check System" and "Facebook -- closing down!!!" were reported within a few days of one another, just before reports of the Koobface worm surfaced. The … [Read more...] about Social Disease: Worm Writhes Its Way Through Facebook
Security is one of the fastest growing areas in technology today. Internet scams and hackers are more malicious and widespread than ever. For example, TJX recently announced that its computer system that stores and processes customer information was breached. T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States and Puerto Rico and Winners and HomeSense stores in Canada were affected, as was information dating back to 2003. The threat of hackers is so great that even the Department of Homeland Security conducted its own test cyberattack, called "Cyber Storm," to determine reaction, recovery and coordination in response to a technical security breach. This is a testament to a large and growing concern about computer and data security across all industries in the U.S. Organizations are constantly under attack and none can afford the risk of an unsecured network. Security breaches can be detrimental to customer relations, but they are also damaging to a company's … [Read more...] about What Are You Doing to Stop Security Saboteurs?
Microsoft had to temporarily disable Skype's password reset feature last week after a Russian hacker revealed a simple way to lock users out of their accounts. All an attacker needed to know was an email address associated with an account in order to hijack it. That address could be used to create a new account, which could then be used to reset the password and lock out the original user. Ironically, Skype's robust security features are one reason some organizations bar it from their networks, said Tom Nichols, vice president for corporate marketing for Endace. "Skype is a risk because it's deeply encrypted and it can be used to transfer information out of an organization without anybody knowing what's going on," he told TechNewsWorld. Skype is one of many applications running on corporate networks in defiance of company security policies, a study by Endace released last week revealed. Of the more than 100 senior network IT professionals from Fortune 500 companies surveyed, 53 percent confessed … [Read more...] about SPOTLIGHT ON SECURITY Skype Takes Heat for Security – Both Too Little and Too Much
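A constructed model of the account-takeover pattern described above, added here as an example; it is not Skype's code, and the service, the account and address names, and the token handling are all assumptions. The vulnerable variant accepts any e-mail address at registration without proof of ownership, binds a reset token to the address, and shows it inside the client of every account registered with that address; the hardened variant binds each token to exactly one account and delivers it only to that account's confirmed mailbox, so a second account created with someone else's address never receives anything usable.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool
    password: str


class ResetService:
    """Toy account service with two password-reset designs selected by `hardened`.

    hardened=False: any address is accepted at sign-up; a reset token is tied to
    the address and surfaced in-app to every account registered with it.
    hardened=True: a reset token is tied to one account and sent only to that
    account's verified mailbox.
    """

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.accounts: dict[str, Account] = {}
        self.tokens: dict[str, str] = {}         # token -> email (vuln) or username (hardened)
        self.in_app: dict[str, list[str]] = {}   # username -> tokens shown inside the client
        self.mailbox: dict[str, list[str]] = {}  # email -> tokens delivered by e-mail

    def register(self, username: str, email: str, password: str) -> None:
        # Neither variant proves mailbox ownership at sign-up; the hardened one
        # simply refuses to act on an address until it has been confirmed.
        self.accounts[username] = Account(username, email, False, password)
        self.in_app[username] = []

    def confirm_email(self, username: str) -> None:
        """Called when the user follows the confirmation link sent to the address."""
        self.accounts[username].email_verified = True

    def request_reset(self, email: str) -> None:
        if not self.hardened:
            token = secrets.token_urlsafe(16)
            self.tokens[token] = email
            for acct in self.accounts.values():
                if acct.email == email:          # verified or not
                    self.in_app[acct.username].append(token)
            return
        for acct in self.accounts.values():
            if acct.email == email and acct.email_verified:
                token = secrets.token_urlsafe(16)
                self.tokens[token] = acct.username
                self.mailbox.setdefault(email, []).append(token)

    def reset_password(self, token: str, username: str, new_password: str) -> bool:
        """Returns True when the password of `username` was changed."""
        bound_to = self.tokens.pop(token, None)
        acct = self.accounts.get(username)
        if bound_to is None or acct is None:
            return False
        if self.hardened:
            allowed = bound_to == username
        else:
            allowed = bound_to == acct.email     # any account on the address qualifies
        if not allowed:
            return False
        acct.password = new_password
        return True


def lockout_attack(svc: ResetService) -> bool:
    """The pattern from the article: knowing only the victim's address, register a
    second account with it, request a reset, and use whatever comes back."""
    svc.register("victim", "victim@example.com", "original-secret")
    svc.confirm_email("victim")                                   # the real owner confirmed
    svc.register("attacker", "victim@example.com", "whatever")    # no proof of ownership
    svc.request_reset("victim@example.com")
    for token in svc.in_app["attacker"]:
        if svc.reset_password(token, "victim", "attacker-chosen"):
            return True
    return svc.accounts["victim"].password != "original-secret"


def legitimate_reset(svc: ResetService) -> bool:
    """The real owner, who can read the address's mailbox, can still reset."""
    svc.register("victim", "victim@example.com", "original-secret")
    svc.confirm_email("victim")
    svc.request_reset("victim@example.com")
    tokens = svc.mailbox.get("victim@example.com", []) + svc.in_app["victim"]
    return any(svc.reset_password(t, "victim", "new-secret") for t in tokens)
```

Two checks separate the designs: `lockout_attack` succeeds only against the vulnerable service, and `legitimate_reset` succeeds against both, which is the property a fix must keep. The attacker's account in the hardened variant is never confirmed, because the confirmation link goes to a mailbox the attacker cannot read.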
When Russian authorities nabbed the alleged master hacker behind the Blackhole malware kit last week, they sent a shockwave through the digital underground. As soon as news spread that Blackhole's author, known as "Paunch," and his partners had been arrested, the malware apparently began to suffer. Blackhole, typically updated once or twice a day, wasn't updated for four days. What's more, the service used to encrypt the Blackhole kit went offline almost as soon as the first tweet about the pinch of Paunch hit Twitter. "Paunch is a big deal," Mikko Hypponen, chief research officer at F-Secure, told TechNewsWorld. "According to our statistics, Paunch has been the biggest provider of exploit packs for the past two years," he said. "Blackhole and Cool Exploit Kit -- both from Paunch -- have fueled the underground economy," added Hypponen. "Now that Paunch is off the market, we're probably going to see a fight on who will take his place." Paunch's departure likely will hurt the Blackhole … [Read more...] about SPOTLIGHT ON SECURITY ‘Paunch’ Arrest Puts Blackhole Hackers on Data Diet
With so many cybersecurity pros drowning in an ever-rising tide of hack attacks on their computer systems, an emerging approach to defending those systems may be the life preserver they've been looking for. The approach doesn't involve beefing up perimeter defenses, carefully scrutinizing network traffic, or applying analytics to employee behavior -- but it's aimed at the biggest security threat to all organizations: the Internet. "Every security vendor in the world tries to figure out if something is good or bad," explained Kowsik Guruswamy, CTO of Menlo Security. "If it's good, we let it through. If it's bad, we try to block it." However, that approach -- as the day-to-day reports of data breaches show -- hasn't been working. "We need something very different -- something that will take the malware problem off the table," Guruswamy told TechNewsWorld. One approach is essentially to isolate an organization's systems from the Internet, as Menlo does. Its Menlo Security Isolation Platform … [Read more...] about SPOTLIGHT ON SECURITY Is Isolating the Internet Key to Bulletproof Security?
A zero-day flaw in Oracle's Java software could make as many as 100 million computers connected to the Internet vulnerable to attack by cybercriminals. The threat posed by the Java vulnerability was considered so serious that the U.S. Department of Homeland Security urged computer users to turn off Java on their machines. The vulnerability discovered last week by security researchers exploits a flaw in Java 7 Update 10 and has already begun appearing in major kits used to create malware packages. It can be exploited to plant malware on PCs. Of the 3 billion devices running Java, about 13 percent are running the flawed version of the software, said Bogdan Botezatu, senior e-threat analyst with Bitdefender. Of those systems, he estimates some 100 million are running Microsoft Windows and are connected to the Internet. "Given the next patch cycle for Java is scheduled for February 15th, there's a large window for end users to be unprotected," Botezatu told TechNewsWorld. Oracle … [Read more...] about SPOTLIGHT ON SECURITY 100 Million Systems Vulnerable to Java Flaw
The use of smartphones as business tools has reached a tipping point. Soon, mobile phones will overtake PCs as the most common Web access devices worldwide. As a result, employees will look less to corporate IT as a source for technical leadership. As smartphones deliver cutting-edge technology, employees will look to consumer-oriented vendors that cater to their own personal needs, rather than those of their employers. The issue is that consumer smartphone platforms are inherently insecure, as mobile network endpoint devices are exposed to the threats of the Web. Whether corporate-issued or personally owned, smartphones easily move in and out of the network, traversing internal and external firewalls. It is harder for IT to control what users do with their smartphone devices -- and consequently, to keep them from exposing business data to security threats. A smartphone that can access the network via a wireless access point represents the same kind of threat as any other … [Read more...] about EXPERT ADVICE 10 Best IT Practices for Smartphone Security