Doug Vitale Tech Blog

January – February 2016 News Archive

How To Not Get Hacked, According To Expert Hackers

Digg, 27 Feb 2016 – Recently, I got hacked. My hack was so bad that several security experts have told me it’s the worst one they’ve ever seen. For two weeks, a group of expert hackers burrowed into my digital life and stole everything — all my passwords, my credit cards, bank accounts, personal emails, work emails, access to my social media accounts, my Dropcam, my wireless account. They installed malware on my computer that secretly took photos of me out of my own webcam every 2 minutes, and uploaded them to a remote server. [More]

Google, Red Hat discover critical DNS security flaw enables malware to infect entire Internet

International Business Times, 24 Feb 2016 – Google engineers and Red Hat researchers both independently discovered the DNS bug within the GNU C standard library (glibc) called CVE-2015-7547, and then worked together to create a patch. The security vulnerability works by tricking browsers into looking up suspicious domains, which causes servers to reply with DNS names that are far too long, thus causing a buffer overflow in the victim’s software. [More]

Can We Really Blame DNSSEC for Larger-Volume DDoS attacks?

Internet Society, 23 Feb 2016 – In its security bulletin, Akamai’s Security Intelligence Response Team (SIRT) reported on abuse of DNS Security Extensions (DNSSEC) when mounting a volumetric reflection-amplification attack. [More]

Confessions of a social engineer

Daily Dot, 21 Feb 2016 – Part theater and part science, social engineering is the method by which hackers, for lack of a better term, exploit vulnerabilities in human psychology; for Jonah, it was a key to getting anything he wanted, from televisions and laptops to smartphones and expensive wines. One of his largest takes netted him around $60,000 worth of product, he says. He showed me a Rolex Daytona watch—part of a gallery of stolen goods he’d photographed in his bedroom—which retails on Amazon for around $26,000. [More]

Apple vs. the FBI Is Really Complicated

Harvard Business Review, 19 Feb 2016 – Apple’s Tim Cook appears to be mad as hell. His open letter to customers — in which he scoffed at a court order that would compel Apple (under a 227-year-old law) to write code to help unlock a phone that’s part of a terrorist investigation — put the Internet’s hot take machine into overdrive. Depending on the take, either the government wants to set a precedent that would allow it to get master keys to all our devices, or Apple supports terrorists because it won’t help a government investigation. [More]

Judge Demands that Apple Backdoor an iPhone

Scneier, 17 Feb 2016 – A judge has ordered that Apple bypass iPhone security in order for the FBI to attempt a brute-force password attack on an iPhone 5c used by one of the San Bernardino killers. Apple is refusing. [More]

Ransomware takes hospital offline, $3.6M demanded

CSO Online, 14 Feb 2016 – The computers at Hollywood Presbyterian Medical Center have been down for more than a week as the Southern California hospital works to recover from a Ransomware attack. According to officials HPMC, they’re cooperating fully with the LAPD and FBI, as law enforcement attempts to discover the identity of the attackers. However, in the meantime the network is offline and staff are struggling to deal with the loss of email and access to some patient data. [More]

200 Companies, Organisations Worldwide Promote Stronger Encryption

Intellectual Property Watch, 4 Feb 2016 – Nearly 200 organisations, companies and others from 42 countries have signed an open letter to the international community demanding that stronger encryption tools be allowed to be developed and used. The letter describes encryption tools and services as vital components of maintaining a secure digital environment, where if users are allowed to use the strongest forms of encryption it can allow for the safest and most efficient ways to communicate across borders. [More]

Decrypt SSL traffic to detect hidden threats

CSO Online, 2 Feb 2016 – The percentage of encrypted Internet traffic continues to grow, creating a space where not only private information but also criminals can travel about undetected. While the exchange of information via the Internet is secured, bad guys can also linger unnoticed. Criminals, of course, know this and use it to their advantage, cloaking their attacks within Transport Layer Security (TLS) or Secure Sockets Layer (SSL) traffic. [More]

Cloud Security: It’s Become A People Problem

Dark Reading, 29 Jan 2016 – Times have changed and even former hold-outs in regulated industries have warmed to cloud technology. Last year, US Chief Information Officer Tony Scott called for organizations to “get to the cloud as fast as [they] can” for better security, and a recent survey from the Cloud Security Alliance confirmed this attitude among rank and file IT professionals, with 64.9% of respondents describing cloud software as a service as secure or more secure than on-premises software. [More]

Panda Security Spotted Over 80 Million New Malware Samples in 2015

InfoSecurity Magazine, 28 Jan 2016 – Over a quarter of all the malware ever recorded appeared in 2015, according to startling new statistics from Panda Security. PandaLabs researchers claimed to have seen a staggering 84 million new malware samples last year, which equates to a daily average of 230,000 and marks an increase of nine million from 2014. [More]

Cybersecurity much more than a compliance exercise

CSO Online, 21 Jan 2016 – In a poll of more than 1,100 security executives around the world, 91 percent of respondents consider their organization to be vulnerable to internal or external data threats. And yet, 64 percent of respondents express the view that compliance is a “very” or “extremely” effective strategy in staving off data breaches, up six percentage points from last year’s survey. [More]

The five big lies of the encryption debate

TheVerge, 12 Jan 2016 – The FBI loves to talk about criminals and terrorists “going dark” — a scary way of saying “talking in a manner not accessible by court order.” If only Apple and Google would stop them from going so dark! The phrasing is important: “going dark” suggests they weren’t in the dark already. We used to be able to listen in, and now we can’t. [More]

The cloud and the Internet of Things are inseparable

InfoWorld, 12 Jan 2016 – The annual Consumer Electronics Show (CES) last week featured plenty of cloud-related announcements from a wide variety of companies. Indeed, most new devices, from refrigerators to cars, have a massive cloud-based back end. The cloud components of these technologies are becoming more systemic. Indeed, the cloud is assumed. More and more, people expect everything to be connected. No matter if it’s a washer and dryer, a refrigerator, or a car, they all communicate or will communicate with cloud servers. [More]

Could a Privacy Breach be Deadly?

Eradium, 9 Jan 2016 – How dangerous are potential consequences of a privacy breach? So far we heard about cases with multi-million dollar financial losses, damage to a brand reputation, and executive career crashes. Could a privacy breach lead to a loss of human life? [More]

602 Gbps – Possible Largest DDoS Attack in History

Hacker News, 9 Jan 2016 – The group calling itself New World Hacking claimed responsibility for taking down both the BBC’s global website and Donald Trump’s website last week. The group targeted all BBC sites, including its iPlayer on-demand service, and took them down for at least three hours on New Year’s Eve. [More]

And the cloud provider with the best uptime in 2015 is…

NetworkWorld, 9 Jan 2016 – An analysis of downtime at IaaS public cloud providers in 2015 by CloudHarmony reveals that despite having the largest cloud offering on the market, Amazon Web Services had the least amount of outages among major vendors. CloudHarmony, which is owned by Gartner, monitors the health status of providers by spinning up workload instances in the public cloud and constantly pinging them. [More]

Antivirus software could make your company more vulnerable

CIO, 8 Jan 2016 – Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defenses of third-party applications. [More]

Dutch govt. says no to backdoors, slides $540k to OpenSSL

The Register, 4 Jan 2016 – The Dutch government has formally opposed the introduction of backdoors in encryption products. A government position paper, published by the Ministry of Security and Justice on Monday and signed by the security and business ministers, concludes that “the government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability and use of encryption within the Netherlands.” [More]

Cybersecurity as a Competitive Advantage

Bank Info Security, 4 Jan 2016 – Cybersecurity strategies must align with business objectives, but that’s difficult because most boards of directors don’t understand security, says Lance Hayden, managing director at the consultancy Berkeley Research Group. As organizations develop a better understanding of cybersecurity, they’ll “start realizing there is so much more to this in terms of what we can do with it strategically than just making sure that things don’t break on our watch,” Hayden says. “Boards that get ahead of that curve and figure out how to leverage it as an asset are going to see themselves … pulling ahead of their competitors, because they’re going to use cybersecurity as part of their portfolio of strategic assets. [More]

Human Behavior as the “Biggest Threat to Company Security”

Information Security Buzz, 4 Jan 2016 – Global security intelligence and information management technology company Nuix has released the findings from a new survey of corporate information security practitioners that indicates a move toward a stronger focus on insider threats and more understanding of cybersecurity issues at the board level. The report found that there’s a greater focus on insider threats since the first report was conducted in 2014. Nearly three-quarters (71%) of respondents reported that they have an insider threat program or policy, and 14% said that they allocate 40% or more of their budget to insider threats. [More]

The Biggest Security Threats We’ll Face in 2016

Wired, 1 Jan 2016 – Hackers are nothing if not persistent. Where others see obstacles and quit, hackers brute-force their way through barriers or find ways to game or bypass them. And they’ll patiently invest weeks and months devising new methods to do so. Here’s our take on what to expect in 2016: extortion hacks, attacks that change or manipulate data, chip-and-pin attacks, the rise of the IoT zombie botnet, and more backdoors. [More]

Written by Doug Vitale

April 7, 2016 at 5:17 PM

%d bloggers like this: