
Security

Security industry 'very close' to losing cyber war - WatchGuard

posted on May 2, 2014
by l33tdawg

The security industry is "very close" to losing its war against cybercriminals as bugs and malware such as Cryptolocker and Heartbleed threaten to alienate everyday users from the internet.

That is the stark warning of Alex Thurber, vice president of sales at WatchGuard, a 20-year veteran of the security industry.

Talking to CRN yesterday at Infosecurity Europe, Thurber admitted the industry had failed to keep pace with the new breed of threats that have been able to bypass traditional defences. "At some point, we risk losing the everyday user," he said.

Internet of things set to shake up corporate security says Gartner

posted on May 2, 2014
by l33tdawg

Gartner predicts that IoT (internet of things) security requirements will "reshape and expand" over half of all global enterprise IT security programmes by 2020.

IoT devices are smart and programmable devices that can be remotely controlled and linked to other devices, ranging from utility smart meters and kitchen fridges to vehicle telematics.

Not to be outdone by Microsoft, Adobe announces zero-day exploit patch for Flash

posted on April 29, 2014
by l33tdawg

Adobe Systems released emergency security updates for Flash Player in order to fix a vulnerability that has been exploited in attacks against users since earlier this month.

The attacks were discovered by security researchers from Kaspersky Lab and were launched from a website set up by the Syrian Ministry of Justice to receive complaints about law violations. It’s not clear who was behind the attack, but the site had been compromised in the past by hackers.

Solving cybercrime starts with reporting

posted on April 29, 2014
by l33tdawg

Police are often the last people an organisation wants to speak to when a security breach costs it intellectual property, sensitive data or even cold hard cash - but that needs to change, according to a commercial crime detective with WA Police.

“I’ve heard it said that there are two types of businesses in the world: those who know they have been compromised and those who don’t,” Detective Inspector Tim Thomas told iTnews.

White House on Heartbleed: 'Transparency is complicated'

posted on April 29, 2014
by l33tdawg

When President Truman created the National Security Agency in 1952, its very existence was not publicly disclosed. Earlier this month, the NSA sent out a Tweet making clear that it did not know about the recently discovered vulnerability in OpenSSL known as Heartbleed. For an agency whose acronym was once said to stand for “No Such Agency,” this step was unusual but consistent with NSA’s efforts to appropriately inform the ongoing discussion related to how it conducts its missions.

Give IE the heave-ho until Microsoft patches zero-day

posted on April 29, 2014
by l33tdawg

The U.S. government's top cyber-security agency is telling Internet Explorer (IE) users they should consider running a different browser until Microsoft fixes a critical vulnerability.

The U.S. Computer Emergency Readiness Team (US-CERT) added its voice to the growing chorus of security organizations and companies that have warned people of the flaw, which affects IE6, IE7, IE8, IE9, IE10 and IE11.

Hacker claim about bug in fixed OpenSSL likely a scam

posted on April 28, 2014
by l33tdawg

Security experts have expressed doubts about a hacker claim that there’s a new vulnerability in the patched version of OpenSSL, the widely used cryptographic library repaired in early April.

A group of five hackers writes in a posting on Pastebin that they worked for two weeks to find the bug and developed code to exploit it. They’ve offered the code for the price of 2.5 bitcoins, around US$870.

How I used Heartbleed to steal a site's private crypto key

posted on April 28, 2014
by l33tdawg

By now everyone knows about the OpenSSL Heartbleed vulnerability: a missing bounds check in one of the most popular TLS implementations has made millions of Web servers (and more) leak all sorts of sensitive information from memory. This can leak login credentials, authentication cookies, and Web traffic to attackers. But could it be used to recover the site’s TLS private key? This would enable complete decryption of previously recorded traffic if perfect forward secrecy was not negotiated at the time, and otherwise man-in-the-middle attacks on all future TLS sessions.