Rapid7 Uncovers Shocking Flaws in Universal Plug and Play

Computer security firm Rapid7 has discovered and outlined three sets of security flaws in Universal Plug and Play (UPnP), a component that allows devices to connect and communicate on networks. “The flaws would allow hackers to steal passwords and documents or take remote control of webcams, printers, security systems, and other devices that are connected to the Internet,” reports Wired. Continue reading Rapid7 Uncovers Shocking Flaws in Universal Plug and Play

Internet Of Things Has Arrived, So Have Security Concerns

The “Internet of Things” has arrived and companies across multiple industries are developing means of linking smartphones, vehicles, household appliances and more to industrial-strength sensors, the Internet and each other. Wired notes that while it may seem to be resulting in somewhat mundane technical features as of now, “the potential benefits to lifestyles and businesses are huge” — in both good and bad ways. Continue reading Internet Of Things Has Arrived, So Have Security Concerns

CES 2013: NSM Group Forms LLC for Secure Memory Tech

A consortium first launched in 2011 to address secure memory needs has established an LLC. Formed January 2, NSM Initiatives LLC is making its first appearance at CES. NSM, or Next Generation Secure Memory, is a developing content protection technology that will enable the transfer and viewing of HD content into a mobile environment. A consortium including Panasonic, Samsung, Sony and Toshiba is developing the technology. Continue reading CES 2013: NSM Group Forms LLC for Secure Memory Tech

Malware Shift: Android Overtakes Windows as Top Security Threat

  • In the 2013 Security Threat Report from security firm Sophos, it’s been revealed that Android is now the top market for hackers, beating out previous frontrunner Microsoft’s Windows OS.
  • “The security firm found that during a three-month period this year, 10 percent of Android-based devices experienced some form of malware attack. Just 6 percent of Windows PCs, meanwhile, were hit by an attack,” according to Technology Review.
  • Cybercriminals understand more than ever that the technological future is in mobile, making this an issue of high concern considering over 100 million Android devices shipped worldwide in the second quarter of 2012, notes the report.
  • Because Android is fairly new, especially when compared to Windows OS, users are not yet conditioned to security concerns and will click on links or open unknown apps.
  • “To make matters worse, the anti-malware tools available in the Android ecosystem just aren’t as strong as they could be,” explains the article. “Security firms are behind the times a bit. And until they catch up, we’re all at risk.”
  • According to the Saphos report, in order to stay safe, users should only surf the Web to known sites and should not download anything that could be dangerous.

Safe Internet Coalition Established in Europe Aimed at Protecting Children

  • Apple, Google, LG, Nintendo, Nokia, Samsung and Facebook are among 28 tech and media companies that are joining forces to “deliver a better Internet for our children,” reports TheNextWeb.
  • “The group was put together by the European Commission (EC) and the priority actions set out include making it easier to report harmful content, ensuring privacy settings are age-appropriate, and offering wider options for parental control,” according to TNW.
  • “This new coalition should provide both children and parents with transparent and consistent protection tools to make the most of the online world”, says Neelie Kroes, vice president of the EC. “The founding coalition members are already leaders in children’s safety online. Working together we will be setting the pace for the whole industry and have a great basis for fully empowering children online.”
  • The coalition has created a statement of purpose covering five key areas: create effective reporting with simple, robust tools; enable age-appropriate privacy settings; develop age-rating through widespread content classification; extend parental control; and effectively remove child abuse material through improved cooperation with law enforcement.

Surveillance Catalog: Government Uses New Monitoring Techniques

  • Take a look at the toolkit for governments to legally monitor what people are doing on the Web. It’s an impressive catalog that includes hacking, intercept, data analysis, Web scraping and anonymity products. It makes one aware that nothing is safe from surveillance.
  • Hacking tools use techniques commonly used in malware.
  • Intercept tools can filter all traffic from the Internet backbone and determine which to forward to law enforcement.
  • Data analysis sorts, stores and analyzes information from a variety of sources including wired and wireless networks, surveillance, domestic and foreign agencies, tactical operations, etc. to build a complete profile of suspects or identify patterns across data sets.
  • Web scraping gathers and analyzes data from publicly available sources.
  • Anonymity hides the identity of investigators.
  • If governments are already using these tools, how long will it be before anyone can obtain them? WIll this imperil the confidence people have online?

Vengeful Librarians: Is the CIA Monitoring Your Tweets Every Day?

  • In an effort to strengthen its counterterrorism and counterproliferation measures, the U.S. Central Intelligence Agency actively monitors over 5 million of the 140 million tweets posted daily.
  • The CIA monitors Twitter and Facebook daily, regularly briefing President Obama on popular posts and trends.
  • The McLean, Virginia-based monitoring team — called the “Vengeful Librarians” — tracks news and social media sources, using language to pinpoint origin.
  • “The CIA team has also used Twitter to monitor reports of real-time events, and can focus on a few Tweeters who are publishing accurate reports,” reports Digital Trends. “The team found that, in these situations, other Twitter users actively stamp out erroneous information when it is reported, which proves the usefulness of Twitter as a primary source for breaking news.”

iPhone is Safer Than Android and BlackBerry, but For How Long?

  • Malware has grown dramatically on Android’s open operating system compared to Apple’s closed iOS.
  • “Juniper Networks says Android malware traffic rose by 400 percent between June 2010 and January 2011,” reports Forbes. “Lookout Mobile Security reported a 250 percent jump in smartphone malware from January to June 2011.”
  • QR malware codes are becoming increasingly popular. Hackers are looking to acquire personal information, especially banking info.
  • “Apple has a walled garden, with its curating of apps for its App Store, so it’s had far fewer instances of malware, but Android is far more porous,” John Dasher, McAfee senior director of mobile security, told the Financial Times. “There are more than a dozen apps sites, it’s very easy to download apps and ‘sideload’ apps on to a device, and so it’s far easier for a hacker to get an app published that contains malware.”

Convenience vs. Security: Google Chrome Syncs Multiple Browser Profiles

  • Google announced this week the beta release of Chrome, which “enables users to sync different accounts across multiple computers,” reports ReadWriteWeb. “This allows more than one person to sign into Chrome on a shared computer and have access to all their browser data. It also enables one person to have different Chrome profiles with different email addresses, e.g. work and personal, that can all be accessed from any computer by logging in.”
  • Chrome already syncs personal settings such as bookmarks, extensions and passwords to a user’s account, but the new beta “makes it possible to use multiple Chrome accounts on any copy of the browser.”
  • Google acknowledges this feature provides convenience at the cost of privacy.
  • The Google blog notes that it “isn’t intended to secure your data against other people using your computer,” since “all it takes is a couple of clicks to switch between users.”

Security: Facebook Pays $40,000 to Hackers in Bug Bounty Scheme

  • Facebook has already paid out $40,000 to hackers for identifying flaws in its website, just three weeks after the social networker launched its “Bug Bounty” program that offers compensation for finding vulnerabilities in the site’s code.
  • “Schemes such as Facebook’s illustrate the push towards greater disclosure of security weaknesses and hacking incidents, as the technology industry strives to pool its resources to protect itself better,” reports The Financial Times. “The approach has won praise from digital advocacy groups such as the Electronic Frontier Foundation.”
  • “The program has also been great because it has made our site more secure — by surfacing issues large and small, introducing us to novel attack vectors, and helping us improve lots of corners in our code,” explained Joe Sullivan, Facebook’s chief security officer.
  • Facebook joins others such as Google, Mozilla and HP that have programs in place to offer payments to outsiders who identify vulnerabilities.

McAfee Researchers Claim to Discover Massive Hacking Attack

  • McAfee researchers say they have uncovered the biggest hacker attack ever, involving 72 governments and organizations around the world, including the U.S., Taiwan, Vietnam, South Korea, Canada and India — some dating back as far as 2006. Data compromised amounts to several petabytes of information.
  • The attack uses compromised remote access tools, or RATs, which allow system administrators to access systems from around the world and would allow an attacker to view and download confidential information. Some of those organizations and companies compromised still do not know it.
  • The attacker was not a hacker group but likely a “state actor” with very high skill levels (China is the “leading candidate”).
  • According to a blog post from Dmitri Alperovitch, McAfee’s VP Threat Research: “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact.”

Hacker Group Anonymous Targets Apple Online Data

  • Apple has joined Sony and Fox News in the growing list of companies experiencing recent security breaches.
  • In what appears to be a warning salvo, 27 user names and encrypted passwords from an Apple website were reportedly posted online over the weekend along with a warning of future attacks from hacker group Anonymous.
  • The hacker group posted a list of data supposedly taken from an Apple Business Intelligence website. Apple has not commented on this.
  • Anonymous hacker group, which linked to this leak in a Twitter post, threatens that Apple could be a target of its attacks.
  • Anonymous is running “antisec,” an operation that threatens government, law enforcement and corporations.

WSJ Speaks with Bruce McConnell about Cybersecurity

  • Bruce McConnell is a senior cybersecurity official with the Department of Homeland Security.
  • He recently discussed how companies have a new focus on protecting their communications networks and databases – and what role the government should play in the effort to combat the theft of intellectual property.
  • Department of Homeland Security helps companies protect themselves.
  • It is providing defense companies with the same security as military networks.
  • Legislation is being proposed to require cybersecurity planning for critical-infrastructure companies.