Posts Tagged ‘security vulnerabilities’

Security experts warn government is making the Internet unsafe

Monday, May 20th, 2013

Government-mandated software vulnerabilities would make computers and the Internet a lot less safe, warned a coalition of 20 computer-security experts.

The FBI has warned of a “Going Dark” problem for several years, a situation under which law enforcement loses the ability to electronically track criminal suspects because of inadequate legal tools as well as a lack of cooperation from service providers.

The federal government is looking for ways to remedy this problem.

The creation of mandated vulnerabilities — holes, basically — in the consumer-facing software of companies like Facebook would allow federal law enforcement to monitor suspects.

Staking their claim in a report (.pdf) released at the end of last week, the security experts argued that these vulnerabilities would also be exploited by criminals and foreign agents, leaving people, companies and government agencies at risk of fraud, theft and all manner of serious exploitation.

In a nutshell, hackers look for vulnerabilities through which they can enter and take control of a computer system, and the government would require exactly such vulnerabilities.

The report’s authors hailed from The Tor Project, Princeton University, Silent Circle, and so forth.

“Requiring software vendors to build intercept functionality into their products is unwise and will be ineffective, with the result being serious consequences for the economic well-being and national security of the United States,” they wrote.

“These experts are on the front lines trying to make the Internet more secure,” said Center for Democracy & Technology President Leslie Harris.

“When they say the FBI proposal would open up security vulnerabilities, Washington should listen,” said Harris. “At the very time the nation is so worried about cybersecurity,” she said, “we should not be making computers, software, and networks weaker.”

The FBI declined The Daily Caller’s request for comment.

Follow Josh on Twitter

Article source: http://dailycaller.com/2013/05/20/security-experts-warn-government-is-making-the-internet-unsafe/

Internet security better but foul exploits grow, IBM says

Saturday, March 24th, 2012

IBM said it found surprising improvements in Internet security such as a reduction in application security vulnerabilities, exploit code and spam, but it also noted that those improvements come with a price: Attackers have been forced to rethink their tactics.

IBM’s security group, X-Force, released its 2011 Trend and Risk Report, which surveys some 4,000 customers, and the report showed the following:

• Spam out: a 50% decline in spam email compared to 2010.

• Better patching: Only 36% of software vulnerabilities remained unpatched in 2011 compared to 43% in 2010. Some security vulnerabilities are never patched, but the percentage of unpatched vulnerabilities has been declining steadily over the past few years.

• Higher quality of software application code: Web-application vulnerabilities called cross-site scripting (XSS) are half as likely to exist in clients’ software as they were 4 years ago, IBM stated. However, XSS vulnerabilities still appear in about 40% of the applications IBM scans.

• Fewer exploits: When security vulnerabilities are disclosed, exploit code is sometimes released that attackers can download and use to break into computers. Approximately 30% fewer exploits were released in 2011 than were seen on average over the past 4 years.

Of course there is a dark side. These are the new security problem trends IBM reported:

• Shell command injection vulnerabilities more than doubled: For years, SQL injection attacks against Web applications have been a popular vector for attackers of all types. SQL injection vulnerabilities allow an attacker to manipulate the database behind a website. As progress has been made to close those vulnerabilities — the number of SQL injection vulnerabilities in publicly maintained Web applications dropped by 46% in 2011 — some attackers have now started to target shell command injection vulnerabilities instead. These vulnerabilities allow the attacker to execute commands directly on the Web server. Shell command injection attacks rose by two to three times over the course of 2011.

• Automated password guessing: Poor passwords and password policies have played a role in a number of high-profile breaches during 2011. There is also a lot of automated attack activity on the Internet in which attackers scan the ’Net for systems with weak login passwords. IBM observed a large spike in this sort of password guessing activity directed at secure shell servers in the latter half of 2011.

• Increase in phishing attacks that impersonate social networking sites and mail parcel services: The volume of email attributed to phishing was relatively small over the course of 2010 and the first half of 2011, but phishing came back with a vengeance in the second half, reaching volumes that haven’t been seen since 2008. Many of these emails impersonate popular social networking sites and mail parcel services, and entice victims to click on links to Web pages that may try to infect their PCs with malware. Some of this activity can also be attributed to advertising click fraud, where spammers use misleading emails to drive traffic to retail websites.

• Publicly released mobile exploits up 19% in 2011: This year’s IBM X-Force report focused on a number of emerging trends and best practices to manage the growing trend of “bring your own device,” or BYOD, in the enterprise. IBM X-Force reported a 19% increase over the prior year in the number of publicly released exploits that can be used to target mobile devices.

• Cloud computing presents new challenges: In 2011, there were many high-profile cloud breaches affecting well-known organizations and large populations of their customers. IT security staff should carefully consider which workloads are sent to third-party cloud providers and what should be kept in-house due to the sensitivity of the data, IBM said. The IBM X-Force report notes that the most effective means for managing security in the cloud may be through Service Level Agreements (SLAs), because of the limited control that an organization can realistically exercise over a cloud computing service. Therefore, careful consideration should be given to ownership, access management, governance and termination when crafting SLAs, IBM stated.
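As an added illustration of the automated password-guessing item in the list above (this is not code from IBM or the article), the following Python flags a source address that repeatedly fails SSH logins within a short window. The auth-log lines, the threshold, the window length and the addresses are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches OpenSSH "Failed password" lines in a syslog-style auth log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(lines, year=2011):
    """Yield (timestamp, username, source_ip) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def detect_password_guessing(lines, threshold=5, window_seconds=60):
    """Return {ip: (failures_in_busiest_window, distinct_usernames)} for every
    source that reached `threshold` failures inside any window_seconds span."""
    attempts_by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        attempts_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in attempts_by_ip.items():
        attempts.sort()
        best, best_users, start = 0, set(), 0
        for end in range(len(attempts)):  # sliding window over sorted attempts
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                best_users = {u for _, u in attempts[start:end + 1]}
        if best >= threshold:
            flagged[ip] = (best, len(best_users))
    return flagged

# Constructed sample: one guessing burst, one normal user, one slow trickle.
SAMPLE_AUTH_LOG = """\
Jun 15 10:20:01 web01 sshd[4021]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jun 15 10:20:03 web01 sshd[4023]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Jun 15 10:20:05 web01 sshd[4025]: Failed password for invalid user oracle from 203.0.113.45 port 51027 ssh2
Jun 15 10:20:08 web01 sshd[4028]: Failed password for root from 203.0.113.45 port 51030 ssh2
Jun 15 10:20:11 web01 sshd[4031]: Failed password for invalid user test from 203.0.113.45 port 51033 ssh2
Jun 15 10:20:14 web01 sshd[4034]: Failed password for root from 203.0.113.45 port 51036 ssh2
Jun 15 10:21:40 web01 sshd[4040]: Accepted password for alice from 198.51.100.7 port 40211 ssh2
Jun 15 10:25:12 web01 sshd[4051]: Failed password for bob from 198.51.100.7 port 40230 ssh2
Jun 15 10:30:00 web01 sshd[4060]: Failed password for root from 192.0.2.10 port 33001 ssh2
Jun 15 10:45:00 web01 sshd[4070]: Failed password for root from 192.0.2.10 port 33002 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, (count, users) in detect_password_guessing(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failures, {users} distinct usernames")
```

A slow trickle such as 192.0.2.10 above only shows up if the window is widened, which is the usual trade-off when tuning this kind of rule.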

Follow Michael Cooney on Twitter: @nwwlayer8 and on Facebook.

Article source: http://www.computerworld.com.au/article/419525/internet_security_better_foul_exploits_grow_ibm_says/?fp=4&fpid=1398720840

JailBreakMe creator lands internship at Apple

Saturday, August 27th, 2011


Washington – A 19-year-old New York man, who created a program that allows iPhone users to “jailbreak” the device to run unapproved applications, claims to have landed an internship at Apple.

Nicholas Allegra, creator of the site JailBreakMe, announced the news on Thursday on his Twitter feed @comex.

“The week after next I will be starting an internship with Apple,” Allegra said.

Graham Cluley, a senior technology consultant at computer security firm Sophos, said in a blog post that Allegra has “given Apple plenty of headaches in the last couple of years” finding security vulnerabilities in the iPhone.

“Each time Allegra has found a flaw in Apple’s software, the company has been forced to rush out a security patch,” Cluley said.

Commenting on an internship for Apple’s nemesis, he said: “From Apple’s point of view it’s a case of: If you can’t beat them, get them to join you.”

In June, Facebook hired George Hotz, a hacker known as “GeoHot” who was sued by Sony for hacking the PlayStation 3 game console and is credited with being the first person to go public with a way to hack into an iPhone.

Article source: http://www.news24.com/SciTech/News/JailBreakMe-creator-lands-internship-at-Apple-20110827

WA Auditor General finds significant security vulnerabilities in government …

Wednesday, June 15th, 2011

The Western Australia Auditor General, Colin Murphy, has identified significant vulnerabilities to cyber threats in all of the agencies examined for his 2011 Information Systems Audit Report.

According to the report (PDF), “benign cyber attacks” were carried out on 15 test agencies — including the Department of the Attorney General, the Department of Education, and the Department of Health — via the internet, while USB devices containing software that would ‘phone home’ and send network-specific information across the Internet if plugged in and activated were also scattered across the agencies to test their staff.

The Auditor General’s office, which also assessed whether the 15 agencies had configured their IT systems and had supporting policies and processes in place to detect, control and appropriately respond to cyber attacks, found serious weaknesses in security.

“None of the agencies we tested had adequate systems or processes in place to detect, control or appropriately respond to a cyber attack,” the report reads.

“Only one agency detected the attacks. The failure of most agencies to detect the attacks was a particular concern given that the tools and methods we used in the tests were unsophisticated.”

The audit also found that 14 of the 15 agencies tested failed to detect, prevent or respond to the office’s malicious scans of their internet sites. These scans identified numerous vulnerabilities that could be exploited to gain access to their internal networks and information.

“We accessed the internal networks of 3 agencies without detection, using identified vulnerabilities from the scans,” the report reads. “We were then in a position to read, change or delete confidential information and manipulate or shut down systems. We did not test the identified vulnerabilities at the other 12 agencies.”

The report also noted that 8 agencies plugged in and activated the USBs the Auditor General’s office had placed. These devices subsequently sent information back to the office via the Internet.

“This type of attack can provide ongoing unauthorised access to an agency network and is extremely difficult to detect once it has been established,” the report reads. “Failure to take a risk-based approach to identifying and managing cyber threats and to meet or implement good practice guidance and standards for computer security has left all 15 agencies vulnerable.”

The report further notes that the office was able to breach the security of these agencies despite the majority of them recently paying security contractors up to $75,000 to conduct penetration tests on their infrastructure.

“Some agencies were doing these tests up to 4 times a year,” the report reads. “In the absence of a broader assessment of vulnerabilities, penetration tests alone are of limited value, as the testing demonstrated.”

Follow Tim Lohman on Twitter: @Tlohman

Follow Computerworld Australia on Twitter: @ComputerworldAU

Article source: http://www.computerworld.com.au/article/390248/wa_auditor_general_finds_significant_security_vulnerabilities_governemnt_agencies_/

LulzSec finds security hole in NHS computer network

Saturday, June 11th, 2011

CBR Staff Writer
Published 10 Jun 2011

Department of Health denies claim

Hacker group Lulz Security (LulzSec) has sent an email to the National Health Service (NHS) in the UK warning it of vulnerabilities in its computer network.

The email said that the hacker group had access to several admin passwords of the network.

The hackers called themselves ‘pirate ninjas’ and are part of the group that recently hacked into Sony Pictures, Nintendo and InfraGard — a US private affiliate of the Federal Bureau of Investigation (FBI).

The hackers said in their message that their intention was not to exploit the security loophole but to help the service improve the security of its networks.

“While we aren’t considered an enemy – your work is of course brilliant – we did stumble upon several of your admin passwords,” the e-mail read.

“We mean you no harm and only wish to help you fix your tech issues.”

However, the Department of Health has denied any security vulnerabilities in its network, adding that patient information was safe.

A Department of Health spokesperson told the BBC, “This is a local issue affecting a very small number of website administrators. No patient information has been compromised.”

“No national NHS information systems have been affected. The Department has issued guidance to the local NHS about how to protect and secure all their information assets.”

Article source: http://security.cbronline.com/news/lulzsec-finds-security-hole-in-nhs-computer-network-100611

Security Researcher Detects Flaw on Professional Networking Website

Monday, May 23rd, 2011

Over recent years, social media sites have grown in popularity and usage. Professionals and businesses are also leveraging the advantages offered by these sites to promote their professional and business interests. However, the popularity of these sites and the loads of information available on them have made them one of the favorite targets for cybercriminals. Attackers take advantage of user negligence and security vulnerabilities on the sites to gain access to confidential information, spread spam and deceive users.

Recently, a security researcher identified security vulnerabilities on LinkedIn’s website. LinkedIn is one of the popular networking sites used by professionals. The vulnerability could allow attackers to gain access to user accounts without providing login credentials. Reuters first reported the security flaw, identified by Rishi Narang, an independent security researcher based in India. The vulnerability is associated with cookie management by LinkedIn. Cookies are files placed on a user’s computer system by websites. These files may contain information regarding the sites visited by Internet users. Usually, session cookies expire within a reasonable duration depending on the log-in activity, while persistent cookies remain for a longer duration on the user’s computer system. In the case of LinkedIn, the researcher identified that cookies do not expire for a duration of one year from their creation. If attackers gain access to cookies stored for user authentication, they may misuse them to gain unauthorized access to user accounts on the website.

A user account may contain sensitive information such as names, dates of birth, photographs, e-mail addresses, contact numbers, lists of friends, hobbies or areas of expertise, and employment details. Attackers may extract or alter the contents of a compromised user account, send arbitrary messages impersonating the legitimate user, extract details from the accounts of the user’s friends listed on the site, and spread spam messages and malicious links.

Social media sites are prone to regular attacks by cybercriminals. Facebook and Twitter, in particular, have been the favorite targets of attackers. With the increase in popularity of other sites, cybercriminals may try to exploit weaknesses and security flaws to deceive users. As such, social media sites must be proactive in identifying and mitigating threat vectors through regular security audits by professionals qualified in penetration testing and masters of security science.

Internet users must use strong and unique passwords, and be wary of divulging personal and financial information on social media sites. Social media sites may encourage safe use of the sites by sending e-flyers, security alerts and fraud alerts, and by creating awareness of privacy threats and the proper use of privacy settings.

Organizations must advise employees on the precautions to be adhered to while accessing social media sites on work computers. They may limit the information disclosed on professional networking sites, as cybercriminals may use social engineering techniques to extract privileged business information from employees. Mandatory e-learning and online degree programs on cyber security may help employees understand security threats and implement safe online computing practices.

Security professionals may benefit from online university degree programs to update themselves on the best information security and website security mechanisms and strengthen the defenses of their organizations against the vibrant threats emanating from cyberspace.

Contact Press

EC-Council
Website: http://www.eccuni.us
Email: iclass@eccouncil.org
Tel: 505-341-3228

EC-Council University is based in Albuquerque, New Mexico and offers a Master of Security Science (MSS) degree to students from various backgrounds such as graduates, IT professionals, and military students among various others. The MSS is offered as a 100% online degree program and allows EC-Council University to reach students not only from the United States, but from all around the world.

EC-Council is a member-based organization that certifies individuals in cybersecurity and e-commerce skills. It is the owner and developer of 16 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/Licensed Penetration Tester (LPT). Its certificate programs are offered in over 60 countries around the world.

EC-Council has trained over 80,000 individuals and certified more than 30,000 members, through more than 450 training partners globally. These certifications are recognized worldwide and have received endorsements from various government agencies including the U.S. federal government via the Montgomery GI Bill, the Department of Defense via DoD 8570.01-M, the National Security Agency (NSA) and the Committee on National Security Systems (CNSS). EC-Council also operates the global series of Hacker Halted security conferences.

Article source: http://www.mycompanypr.com/security-researcher-detects-flaw-on-professional-networking-website/pr/8795/

MS Patch Tuesday heads-up: Critical Windows update on deck

Thursday, May 5th, 2011

Microsoft plans to have a quiet Patch Tuesday this month: Just two bulletins covering security vulnerabilities in the Windows operating system and Office productivity suite.

According to an advance notice from Redmond, the Windows update will be rated “critical” because of the risk of remote code execution attacks. This patch only affects Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2.

The Microsoft Office patch will carry an “important” rating and will also cover flaws that can be exploited in remote code execution attacks.

The patches are expected to be released on May 10, 2011 at 1:00 PM Eastern.

Microsoft also announced plans to revise the Exploitability Index to provide more details for Windows users running the newest software versions.

The Exploitability Index assesses the likelihood of functional exploit code being developed for a particular vulnerability. By providing the index information month over month, we’re helping customers prioritize the security updates that matter to them. The Exploitability Index will continue to provide an aggregate exploitability rating across all affected products, and the improvements made to the Exploitability Index will now offer additional information to help customers prioritize bulletins, specifically for the most recent platforms, e.g. Windows 7 Service Pack 1 and Office 2010.

The changes effectively mean that Microsoft will split out the Exploitability Index into a rating for the most recent version of the software, and an aggregate rating for all older versions.

Article source: http://www.zdnet.com/blog/security/ms-patch-tuesday-heads-up-critical-windows-update-on-deck/8622