2014/03/26

Tumblr adds “nuclear defense system” (well, 2FA) to shield users | foodonia

Popular blogging service Tumblr has become the latest web giant to add two-factor authentication as an “extra layer” of security for users – describing its new measure as a “nuclear defense system” armed with twin keys.


It’s an option accessible via the site’s settings menu, and which means Tumblr joins the ranks of other social sites such as Facebook, Twitter and Evernote in offering the feature to users who fear they might be a target for hackers.


IT Pro Portal reports that the new measure was introduced after a mysterious “breach” eight months previously.


The new option is available to all users via the Settings page – users toggle the “two-factor authentication” button, then verify their phone number. The site texts users a six-digit confirmation code, which expires within two minutes.


TechRadar comments, “Whether the new measures will be welcome by the community on Tumblr is yet to be seen. Traditionally extra steps on sign-in screens have been cited as tiresome and repetitive to websites using them.”


TechCrunch points out that while the new security measure remains optional, it brings Tumblr on par with other tech giants such as Facebook and Google. Users can opt to verify their phone using either a code delivered by SMS or via an app.


Tumblr said in a blog post, “The smile of a loved one. Your childhood blanket. A handsome bodyguard to take you in his arms. “Security” can mean a lot of things in this crazy life, but nothing says “security” like Tumblr’s two-factor authentication. It’s available as an option in your Settings page as of right now.”


“You know how you need two keys to launch a nuclear missile? Two-factor authentication works like that. One key is your password, the other key is your cellular phone, and you need both to access your Tumblr Dashboard.”


Banks and online gaming services already use “authenticators” extensively – and online services such as Twitter, Evernote and Dropbox have added two-factor systems to boost security. The mass adoption of smartphones has made 2FA apps a cheaper security measure for businesses.


Two-factor systems are far more secure than passwords – many high-profile hacks, such as those against the Twitter accounts of media organizations last year, could not have happened if a 2FA system had been in place.


ESET’s experts offer an in-depth guide to the advantages of two-factor authentication – and when it’s not necessary – in this how-to guide.


The post Tumblr adds “nuclear defense system” (well, 2FA) to shield users appeared first on We Live Security.






Brought by: http://foodonia.com

2014/03/21

Google encrypts ALL Gmail to keep snoopers out | foodonia

Starting today, Gmail will use an encrypted HTTPS connection to check or send email, regardless of what platform users employ to access the service – and there is no longer an opt-out for Gmail users to use a less secure connection instead.


The search giant also announced that all emails will be encrypted while moving internally between Google’s data centres, as reported by IDG News Service.


Writing on the official Google Blog, Nicolas Lidzborski, Gmail’s Engineering Security Lead, said: “Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Today’s change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you’re using public WiFi or logging in from your computer, phone or tablet.”


Geekwire points out that ordinary Gmail users will not experience a huge difference in the service – Google has supported HTTPS connections since 2008, and turned the service on for all users in 2010. At that point, though, users still had the option of switching it off. Google has removed that option today, Geekwire reports.


Citing concerns about government spying on emails, and referring obliquely to Edward Snowden, Google’s Lidzborski wrote, “In addition, every single email message you send or receive—100 percent of them—is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail’s servers, but also as they move between Google’s data centers – something we made a top priority after last summer’s revelations.”


PC World reported that a Google spokesperson admitted that the additional security afforded by HTTPS was achieved at a cost of a certain amount of latency (ie a slower connection speed). Speaking to PC World, the spokesperson said that Google’s engineers had taken steps to mitigate the effects on speed, and that the company believes it makes no sense to allow any user to continue using an unencrypted HTTP connection.


The post Google encrypts ALL Gmail to keep snoopers out appeared first on We Live Security.







Master of Mavericks: How to secure your Mac using Apple’s latest update | foodonia

Apple’s Mavericks update was the first free update to Mac OS X – itself a big step forward for security, as all Mac users can update to the latest version freely (provided their machine meets the requirements of the new software – which Apple allows you to check here).


But under the bonnet of Mavericks lurk an impressive number of additional security features – some of which are automatic, but some of which you have to hunt out and fine-tune for yourself.


Mastering these can help ensure your new Mac has the defenses to rebuff rogue apps, store passwords safely, and – finally – deal with the scourge of unwanted ‘friends’ on iMessage.


Don’t forget there’s a free built-in password manager


Storing passwords in the cloud – anyone’s cloud – might not immediately seem like a safe idea, but Apple’s iCloud is protected with 256-bit AES encryption, and offers far more protection than other, risky practices such as storing passwords in some internet browsers. iCloud Keychain allows you to share your (encrypted) details across PCs, iPhones and iPads, generate strong passwords, and autofill credit card information. It’s all password protected, and encrypted, so even if you lose a machine, or a handset, the criminals will not be able to see your plain text password.


Java and Flash are kept at arm’s length


Java and Flash were made to feel a little unwelcome in Mavericks – and that’s good news for the security-conscious. Even users who had installed versions of Java and Flash on the Mac found that, during the update from Mountain Lion to Mavericks, the two programs (often the bane of security professionals’ lives due to the frequency with which they were targeted by attackers) were uninstalled by default. You can, of course, install both – but Mavericks is very insistent on users having the latest version (which makes them both slightly more secure), and the apps are ‘sandboxed’, so that it’s more difficult for bad actors to misuse the software to run executable files and damage your machine.


Installing apps? Choose the right option – safe-ish, safer, or REALLY safe


The most secure option for Mavericks users is to only accept apps downloaded from Apple’s Mac App Store – which is policed for malware and offensive content, in much the same way as the App Store for iPhone is. Even approved apps CAN turn out to be malicious, but this is by far the safest option, and any rogue apps are swiftly removed by Apple when found.


For novice Mac users, this is a very safe option – although it can lock off some interesting software. It’s not enabled by default, but you can switch it on: visit System Preferences, General, then change the setting to “allow apps downloaded from Mac App Store”. From then on, you’ll only allow apps which have passed Apple’s approval process.


Weed out ‘bad’ apps with Gatekeeper


For a slightly more inclusive – but still safe – approach, you can also choose to allow only apps with a Developer ID (a policed list of known Apple developers which blocks known malware authors). Again, this is fairly safe. It can be overridden – by control-clicking the app and choosing to open it – but it’s a useful alert system.


“There are a bevy of new permission prompts in Mavericks,” says ESET’s Cameron Camp. “It wasn’t always the case before the upgrade. It’s more difficult to run executable stuff that’s not from the app store – there is a workaround, but it’s not obvious.”


It’s finally possible to cull your iMessage ‘friends’


Apple’s iMessage – which blends chat services and SMS – can be full of annoying ‘friends’ who know either your email or phone number, and never stop popping up. Now you can put a halt to this, with a ‘block’ system, where you have two options:



  • Opt to block a single user (Messages > Preferences, then click Accounts, and “Block Specific Users”). You can then add names to the list using the + button. You can also do this directly from your Buddies list by pressing the + button.

  • For a more fire-and-the-sword approach, you can do the same in reverse from the same menu, but instead whitelist people who WILL be able to talk to you. Everyone else will be locked out.


The post Master of Mavericks: How to secure your Mac using Apple’s latest update appeared first on We Live Security.







10 years of Mac OS X malware | foodonia

Before we begin, let’s make one thing really clear.


The malware problem on Mac OS X is nothing like as bad as it is on Windows.


If Windows malware is a thunderstorm (with something like 200,000 new malware variants being discovered for the platform each day), the threat on Mac is a water pistol.


That said, malware does exist that can infect your precious iMac or MacBook.


And if your Apple computer is unlucky enough to fall victim you’re not going to feel any better than your PC-owning friends who are struggling to remove a backdoor Trojan or a pernicious browser toolbar from their copy of Windows.


Apple II

Also, it’s worth bearing in mind that Mac malware is not a new phenomenon.


Malware for Apple devices actually predates the Macintosh *and* the PC, with the first example being the Elk Cloner worm written by Rich Skrenta, and designed to infect Apple II devices way back in 1982.


But threats on Apple II and Apple computers running Mac OS 9 and earlier aren’t really relevant anymore to anyone aside from historians.


What modern Mac users care about are what malware threats exist for Mac OS X.


And, it turns out, 2014 will see the tenth anniversary of Mac OS X malware. Here are some of the more notable examples of worms and Trojan horses that have been seen for the platform in the last ten years.


Renepo (2004)


As ESET’s Mac malware facts webpage illustrates, the first malware specifically written for Mac OS X emerged in 2004.


Renepo (also known as “Opener”) was a shell script worm, and contained an arsenal of backdoor and spyware functionality in order to allow snoopers to steal information from compromised computers, turn off updates, disable the computer’s firewall, and crack passwords.


Renepo


Renepo was never going to be a serious problem for the vast majority of Mac users, as it didn’t travel over the internet and required the attacker to have access to your computer to install it. Nevertheless, it was an indicator that Apple Macs weren’t somehow magically protected against malicious code.


Leap (2006)


Leap represented, for many people observing Apple security, the first real worm for the Mac OS X operating system.


Leap could spread to other Mac users by sending poisoned iChat instant messages – making it comparable to an email or instant messaging worm.


At the time, some Mac enthusiasts leapt (geddit?) to Apple’s defence and argued that Leap “wasn’t really a virus”, but claimed it was a Trojan instead. But – in my opinion – they were wrong.


The argument typically went that because Leap required user interaction in order to infect a computer (the user had to manually open the malicious file sent to them via iChat), it couldn’t be a virus or a worm.


But then, commonly encountered examples of Windows malware at the time, like MyDoom or Sobig, also required manual intervention (the user clicking on a file attachment). And yet, Mac users seemed very keen to call those examples of Windows malware “viruses” at every opportunity.


In my opinion, “virus” is a superset consisting of other groups of malware, including internet worms, email worms, parasitic file viruses, companion viruses, boot sector viruses and so forth. Trojans are in an entirely different class of malware because – unlike viruses and worms – they cannot replicate themselves and cannot travel under their own steam.


Leap was rapidly followed by another piece of malware, a proof-of-concept worm called Inqtana which spread via a Bluetooth vulnerability.


So, next time someone tells you that there are no viruses for Mac OS X – you can now speak with authority and tell them, oh yes there are!


Jahlav (2007)


Things took a more serious turn with Jahlav (also known as RSPlug), a family of malware which deployed a trick commonly seen on Windows-based threats by changing an infected computer’s DNS settings. There were many versions of Jahlav, which was often disguised as a fake video codec required to watch pornographic videos.


Jahlav


Of course, the criminals behind the attacks knew that such a disguise was a highly effective example of how social engineering could trick many people into giving an application permission to run on their computer.


The truth was that many Mac users, just like their Windows-loving counterparts, could easily let their guard down if they believed it would help them see X-rated content.


MacSweep (2008)


An early example of Mac OS X scareware, MacSweep would trick users into believing it was finding security and privacy issues on their computers – but in fact any alerts it displayed were designed simply to trick unsuspecting users into purchasing the full version of the software.


Snow Leopard (2009)


Snow Leopard isn’t malware, of course. It was version 10.6 of Mac OS X, released in August 2009.


And the reason why it is included in this history of Mac OS X malware is because it was the first version of the operating system to include some built-in anti-virus protection (albeit of a very rudimentary nature).


Mac OS X Snow Leopard intercepting some malware


Apple, rattled perhaps by the widespread headline-making infections caused by the likes of the Jahlav malware family, had decided it needed to do something.


However, as its anti-virus functionality only detected malware under certain situations (and initially only covered two malware families) it was clear that security-conscious Mac users might need something better.


Boonana (2010)


This Java-based Trojan showed that multi-platform malware had well and truly arrived, attacking Macs, Linux and Windows systems.


The threat spread via messages on social networking sites, pretending to be a video and asking the enticing question “Is this you in this video?”.


Boonana


MacDefender (2011)


MacDefender saw Mac malware infections reach new heights, as many users began to report seeing bogus security warnings on their computer.


Using blackhat search engine optimisation techniques, malicious hackers managed to drive traffic to boobytrapped websites containing their rogue anti-virus scans, when users searched for particular images.


The danger, of course, was that users were being duped into handing over their credit cards in order to purchase a “solution” to the alarming messages.


MacDefender


Tens of thousands of people contacted Apple’s technical support lines, requesting assistance.


Flashback (2011/2012)


The Flashback malware outbreak of 2011/2012 was the most widespread attack seen on the Mac platform to date, hitting more than 600,000 Mac computers.


Flashback


The attack posed as a bogus installer for Adobe Flash and exploited an unpatched vulnerability in Java, with the intention of stealing data (such as passwords and banking information) from compromised Mac computers, and redirecting search engine results to defraud users and direct them to other malicious content.


In September 2012, ESET researchers published a comprehensive technical analysis of the Flashback threat which is well worth a read, if you want to know more.


Lamadai, Kitm and Hackback (2013)


In recent years, Macs have also been used for espionage – and naturally suspicious fingers have begun to point towards intelligence agencies and government-backed hackers when very specific victims are targeted.


The Lamadai backdoor trojan, for instance, targeted Tibetan NGOs (Non-Governmental Organizations), exploiting a Java vulnerability to drop further malware code onto infected users’ computers.

Lamadai malware


Kitm and Hackback, meanwhile, spied on victims at the Oslo Freedom Forum, giving the malicious hacker the ability to remotely run commands at will.


LaoShu, Appetite and CoinThief (2014)


So, what of 2014? Has the 10th anniversary been a notable year so far for Mac OS X malware?


Well, according to researchers at ESET, new Mac malware variants continue to be seen every week, putting Mac users who don’t defend their computers at risk of data loss or having their computer compromised by an attack.


State-sponsored espionage continues to make its presence felt, with the discovery of Appetite, a Mac OS X Trojan that has been used in a number of targeted attacks against government departments, diplomatic offices, and corporations.


Angry Bird, upset that people are pirating his software

LaoShu, meanwhile, has been widely spread via spam messages – posing as an undelivered parcel notification from FedEx, and scooping up documents of interest that have not been appropriately secured.


CoinThief, however, has probably received the most attention recently as it is distributed in cracked versions of Angry Birds, Pixelmator and other top apps, duping users into infection.


What made CoinThief most interesting, however, was that investigators found the malware was designed to steal login credentials related to various Bitcoin-related exchanges and wallet sites via malicious browser add-ons.


In summary – protect yourself


This has just been a short history of Mac OS X malware. If you want to learn more about any of these threats, or are interested in any of the other Mac malware that ESET has seen in the last 10 years, be sure to check out the company’s “Straight facts about Mac malware” webpage and consider taking the free trial of ESET Cybersecurity for Mac.


Because, even though there isn’t as much malware for Mac as there is for Windows, the situation is getting worse. Take steps now to protect your Mac from infection, or risk becoming a statistic.





The post 10 years of Mac OS X malware appeared first on We Live Security.







2014/03/20

Target breach optioned as Sony feature film | foodonia

The Target breach, and in particular the role of respected security blogger Brian Krebs in breaking the story, has been optioned as a feature film by Sony. The studio has bought the rights to the New York Times article, “Reporting From the Web’s Underbelly,” which told Krebs’ story in the wake of his exclusive revelations about the data breach at Target.


The Hollywood Reporter writes that the studio envisions the story as a “cyber thriller” set in the “high stakes world” of cybercrime.


Mashable reports that the studio has recruited Richard Wenk, writer of its recent version of The Equalizer, and action sequel The Expendables 2, to write the script.


Krebs’ blog, Krebs on Security, broke the story of the Target breach late last year, revealing that a large number of American debit and credit card details had been leaked from the retailer. The story had been leaked to Krebs, a former reporter at the Washington Post, via officials at American credit card issuers.


In February this year, Nicole Perlroth’s profile article for the New York Times offered a portrait of Krebs, describing incidents such as Russian cybercriminals attempting to frame him with heroin purchased from the Silk Road “online drug market” (reported by We Live Security here), and describing how Krebs landed a string of exclusive stories, including several key revelations about the Target breach.


Perlroth described Krebs as, “A former reporter at The Washington Post who taught himself to read Russian while jogging on his treadmill and who blogs with a 12-gauge shotgun by his side.”


The post Target breach optioned as Sony feature film appeared first on We Live Security.







2014/03/19

Google Glass spyware lets snoopers “see through wearer’s eyes” | foodonia

Spyware which stealthily takes photographs using Google Glass’s built-in camera and uploads them to a remote server without the user being aware has been demonstrated successfully on the eyepiece – despite Google’s policies explicitly forbidding programs which disable the screen while the camera is in use.


The spyware was designed by two California Polytechnic students, Mike Lady and Kim Paterson, who disguised their program as a note-taking app (albeit with a name that offers a clue to its actual function, Malnotes), and successfully loaded the app, which takes a photo every ten seconds and uploads it to the internet, according to Ars Technica’s report.


Google’s policies forbid programs which take pictures when its wearable Glass eyepieces are turned off – but there is nothing to stop users doing so, Forbes reported.


“The scary thing for us is that while it’s a policy that you can’t turn off the display when you use the camera, there’s nothing that actually prevents you from doing it,” Paterson told Forbes’ Andy Greenberg.


“As someone who owns Glass and wants to install more apps, I’d feel a lot better if it were simply impossible to do that. Policies don’t really protect us.”


The pair were able to upload Malnotes successfully to Google’s Play store, but were unable to sneak the app into the curated MyGlass store for Google Glass, Ars reports. Paterson noted that many Glass apps are currently “sideloaded” – ie not installed via official stores, but installed using developer tools in debug mode – as Glass is still in prototype.


“A lot of Glass developers are just hosting their apps from sites just to let other people try it. It’s sort of a wild-wild west atmosphere since very few apps are being released through the MyGlass store,” Paterson told Forbes. Paterson warned that if a user left Glass unattended, it would be easy to install such software without the wearer even being aware of its presence.


Google’s Glass eyepieces remain a hot topic for privacy advocates. Speaking to Business Insider, Daen de Leon, a software engineer, says that 13 bars and restaurants in San Francisco have an explicit “no Glass” policy, as well as others in Seattle, and Oakland, California.


After an incident where a Google Glass wearer was allegedly assaulted in a bar in Lower Haight for wearing the eyepieces, de Leon spoke to regulars and says that he “found her assumption that, as a complete stranger, she could enter a bar and just start recording regular customers without their permission quite disturbing.”



The post Google Glass spyware lets snoopers “see through wearer’s eyes” appeared first on We Live Security.







2014/03/18

Over 500,000 PCs attacked every day after 25,000 UNIX servers hijacked by Operation Windigo | foodonia

Operation Windigo overview


If you run a website on a Linux server or are responsible for the security of your company’s Unix servers, there’s something very important you should do right now.


Researchers at ESET, in collaboration with CERT-Bund, the European Organization for Nuclear Research (CERN), the Swedish National Infrastructure for Computing and other agencies, have uncovered a widespread cybercriminal operation that has seized control of tens of thousands of Unix servers.


And if your system is found to be infected, experts strongly recommend you re-install the operating system, and consider all credentials used to log into the machine as compromised. In short, if you are a victim, all passwords and private OpenSSH keys should be changed.


The attack, which has been given the name “Windigo” after a mythical creature from Algonquian Native American folklore, has resulted in over 25,000 Unix servers being hacked, resulting in 35 million spam messages being sent each day from compromised machines.


Spam sent from Windigo-affected server


That would be bad enough, normally.


But in this case, malicious hackers have also been using hijacked web servers to infect visiting Windows PCs with click fraud and spam-sending malware, and display dating website adverts to Mac users.


Even smartphone users don’t escape – finding their iPhones redirected to X-rated content, with the intention of making money for the cybercriminals.


Windigo redirects iPhone users to X-rated websites


ESET’s security research team has published a detailed technical paper into “Operation Windigo”, and says it believes that the cybercrime campaign has been gathering strength, largely unnoticed by the security community, for over two and a half years.


“Over 35 million spam messages are being sent every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” said ESET security researcher Marc-Étienne Léveillé.


In its attempt to hijack servers and infect computers, Windigo uses a complex knot of sophisticated malware components including Linux/Ebury (an OpenSSH backdoor and credential stealer that was the subject of a detailed investigation by ESET researchers earlier this month), Linux/Cdorked, Perl/Calfbot, Linux/Onimiki, Win32/Glupteba.M, and Win32/Boaxxe.G.


During a single weekend, ESET researchers observed more than 1.1 million different IP addresses going through part of Windigo’s infrastructure, before being redirected to servers hosting exploit kits.


An analysis of the visiting computers revealed a wide range of operating systems being used.


Victims by operating system


This in itself threw up some light relief, as researchers discovered that “23 people apparently still browse the Internet on Windows 98, and one person even does it on Windows 95.”


Léveillé and his fellow researchers are appealing for Unix system administrators and webmasters to run the following command which will tell them if their server is compromised or not:



$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"



That single Unix command should quickly tell you whether or not your system is seriously compromised by Windigo, and whether you need to take steps to clean up and better protect your servers in future. Further details on how to tell if your server has been compromised are included in ESET’s technical white paper on Operation Windigo [PDF].
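As an added example (it is not part of the original article and not ESET’s tooling), the following POSIX shell script wraps the one-liner above in functions that can be exercised on captured output, and adds a guard for a failure mode of the indicator: OpenSSH 6.8, released in 2015 (after this article), made -G a legitimate, documented option that prints the effective client configuration, so on such builds a silent or usage-only response no longer says anything about Ebury and the original command reports “System infected” on clean hosts. The function names, the verdict strings and the sample ssh -V / ssh -G outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not ESET's code or part of the original article. It mirrors the
# page's indicator (stock OpenSSH rejects the then-undocumented "-G" switch with
# "illegal option"/"unknown option"; an Ebury-patched binary accepts it silently)
# and adds a version guard, because OpenSSH 6.8 and later understand -G legitimately.

# classify_ssh_g_output TEXT
# TEXT is what `ssh -G 2>&1` printed. Same grep as the page: the rejection wording
# means the binary behaved like stock OpenSSH ("clean"); anything else is "infected".
classify_ssh_g_output() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo clean
    else
        echo infected
    fi
}

# ssh_version_ge_6_8 TEXT
# TEXT is what `ssh -V 2>&1` printed, e.g. "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, ...".
# Returns 0 (true) when the major.minor version is 6.8 or newer, 1 otherwise
# (including when the text is not an OpenSSH version banner at all).
ssh_version_ge_6_8() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }
}

# windigo_check VERSION_TEXT G_TEXT
# Prints "clean", "infected", or "inconclusive" (the -G trick cannot be trusted
# because the installed OpenSSH accepts -G as a documented option).
windigo_check() {
    if ssh_version_ge_6_8 "$1"; then
        echo inconclusive
    else
        classify_ssh_g_output "$2"
    fi
}

# Live run against this host, only if an ssh client is present.
if command -v ssh >/dev/null 2>&1; then
    echo "this host: $(windigo_check "$(ssh -V 2>&1)" "$(ssh -G 2>&1)")"
fi
```

An “inconclusive” verdict means the host runs an OpenSSH that accepts -G by design; in that case fall back to the other indicators in ESET’s white paper rather than trusting this one-liner either way.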


Learn more now:

Download ESET’s detailed technical paper about “Operation Windigo”


Image of Windigo, by doctorserone (Creative Commons).


The post Over 500,000 PCs attacked every day after 25,000 UNIX servers hijacked by Operation Windigo appeared first on We Live Security.







More than 80% of business leaders feel “unprepared” for cyber incidents | foodonia

More than 80% of business leaders do not feel fully prepared for the effects of a cyber attack, according to a new survey by the Economist Intelligence Unit.


Despite 77% of companies having faced a major cyber incident in the past two years, according to the survey of 360 senior business leaders in the U.S. and around the world, 38% of companies still have no plan in place for such events, according to CIOL‘s report.


The report, which surveyed 360 executives of whom 73% are C-level (i.e. holding titles such as CEO, CIO or CFO), referenced the data breaches affecting Target and Adobe last year, saying, “Data breaches and denial of service attacks are now so commonplace that only the biggest breaches make the headlines. Yet systems errors and outages are also a major threat. Whatever form it takes, the likelihood of a company experiencing an incident is more a question of when, not if.”


The report, sponsored by DDoS prevention specialist Arbor Networks, points out that in the previous year the most common forms of cyber incident were accidental systems outages, which formed 29% of major cyber incidents, and the loss of sensitive data by employees, which formed 27%.


IT ProPortal reports that nearly three-quarters (73%) of companies feel at least partially prepared for an incident, according to the survey. Two-thirds of executives said that responding well to an incident could actually enhance a company’s relationship.


As a result of this, the report notes, 60% of companies now have an incident response team and plan in place – and that figure is expected to rise to 80% within “the next few years”, according to the executives surveyed.


Having such a formal plan in place had a “significant effect on the feeling of preparedness among executives,” the report noted. The researchers found that executives wished for a greater understanding of the threats they faced, which most felt would help with the areas they felt least confident about – detecting incidents rapidly (ie within 24 hours of occurrence), and predicting their likely impact.


The post More than 80% of business leaders feel “unprepared” for cyber incidents appeared first on We Live Security.







2014/03/17

New wearable from makers of Pine smartwatch aims to be “key to everything” | foodonia

A new wearable authenticator built to be the key to “everything” will be designed by some of the hottest new talents in wearable technology, including the creators of the Neptune Pine smartwatch – one of the only wearable devices to work independently of smartphones.


Neptune Computers is to pair up with Pearl, designers of the Shine fitness tracker, to create a line of wearable computing devices, according to an interview with GigaOm.


One of these will be an authenticator device, built, according to Neptune’s 20-year-old CEO, Simon Tian, to be “a key to everything in your life”. Neptune’s Pine is one of the few “smartwatch” devices which works without pairing with a smartphone via Bluetooth, in contrast to devices made by Samsung, Sony and other technology giants – it has its own aerial built in, and runs a version of Android 4.1.


The Pine raised more than eight times its funding goal on Kickstarter, and the company now plans to raise between $10 and $15 million in Series A funding this spring. Tian says that the partnership with design consultants Pearl will not focus on fitness trackers, as the market for these is already crowded.


The partnership is to be officially announced at London’s Wearable Technology http://ift.tt/1fQa8o5 this Monday. Neptune says via its website, “The Neptune Pine smartwatch, to be released in January 2014, is the first of many consumer products to come.”


Pearl’s Shine offered a stylish take on fitness tracking which won praise from websites for its stripped-down take on fitness tracking. Livescience wrote, “The Shine stands out from other trackers because it can be worn in the water, and has a long battery life.”


Tian remained tight-lipped on the details of the proposed authenticator device, but Twitter, Google, LinkedIn and Dropbox, as well as many others, already offer “two-factor authentication” systems, where users enter a code delivered to a mobile device via an app, as an optional ‘extra’ security add-on. Other devices, such as the Myris dongle unveiled at CES this year, use biometric signals such as iris scans to add extra security.


A We Live Security guide to two-factor authentication explains, “Two-factor systems are far more secure than passwords – many high-profile hacks, such as those against the Twitter accounts of media organizations last year, could not have happened if a 2FA system had been in place. Even if a hacker places malware on a PC and steals a password, they are still locked out.”


The post New wearable from makers of Pine smartwatch aims to be “key to everything” appeared first on We Live Security.






Brought by: http://foodonia.com

2014/03/14

Fake video of Malaysia Airlines flight MH370 rescue is ‘callous’ cyber scam | foodonia

A post promising a video of a plane landing on water has been circulating on Facebook, with a title suggesting that it contains news footage showing the rescue of passengers on board the missing Malaysia Airlines flight MH370 – but the video is a ‘callous’ cyber scam, according to Hoax-Slayer, and in fact shows a plane landing on water in Bali in 2013.


IT Pro Portal reports that one variant of the scam is a ‘video’ titled, “Malaysia Plane MH370 Has Been Spotted Somewhere Near Bermuda Triangle. Shocking Videos Release Today”, and that the video is being used to spread malware. Other reports say that variants of the scam are used to direct users to spread the video via Facebook, and complete bogus surveys, used by cybercriminals to harvest personal details from their victims.


IT Pro Portal points out that the Bermuda Triangle is 10,000 miles from the last point of contact with the flight.


The Epoch Times reports that the images show a plane crash near Bali in Indonesia in 2013, where 100 passengers were rescued after a plane landed on water. In all reported variants of the scam, there is no video to click through to – just surveys designed to steal personal information, or bogus downloads which are in fact malware.


Hoax-Slayer describes the scam as a ‘callous’ variant on a common cybercriminal trick of using posts which promise ‘sensational’ viral videos to harvest personal information or spread malware.


“The image used in the scam post shows a Lion Air passenger plane that crashed into the sea, when landing on Bali in April 2013. While there were some injuries in the crash, there were no fatalities. The picture has no connection whatsoever with flight MH370,” the site reports. “Once they have shared [on Facebook] as requested, users will then be taken to another fake page that supposedly hosts the video. However, a popup ‘Security Check’ window will appear that claims that they must prove that they are human by clicking a link and participating in an online survey or offer. But, no matter how many surveys or offers they complete, they will never get to see the promised video.”


Scammers often target Facebook with copies of viral content – or entirely fake, sensational videos, such as ‘Giant Snake Swallows Zookeeper’, as reported by We Live Security this year.


ESET researcher Stephen Cobb offers a We Live Security Guide to spotting Facebook scams, “Can we trust our friends not to make questionable decisions on social media? Apparently not, because our friends might actually be scammers in disguise, or just not well-informed.”


In many cases, scam videos will install a ‘rogue’ Facebook app to spread rapidly via the network – but as reported by We Live Security here, such scams can, in the worst case scenario, lead to tainted sites which infect users with malware.


The post Fake video of Malaysia Airlines flight MH370 rescue is ‘callous’ cyber scam appeared first on We Live Security.


2014/03/13

Hidden backdoor in top Samsung Galaxy models ‘allows remote spying on users’ | foodonia

A hidden backdoor in the modified version of Android run by nine Samsung Galaxy models could allow attackers to spy remotely on user data – and even snoop on users using hardware such as the GPS system, camera and microphone, according to the Replicant Project, which makes its own, free version of Android.


While working on Replicant, the developers found that the affected models of Galaxy handset – including popular smartphones such as the Galaxy Note 2, Galaxy S3 and Nexus S – shipped with a program that allowed the modem free rein to perform remote operations, including remotely monitoring users and even modifying user data, according to PC World’s report.


In a blog post on the Free Software Foundation, Replicant developer Paul Kocialkowski said, “This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone’s storage. On several phone models, this program runs with sufficient rights to access and modify the user’s personal data.”


He said that programs of this sort, “make it possible to remotely convert the modem into a remote spying device. The spying can involve activating the device’s microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone. Moreover, modems are connected most of the time to the operator’s network, making the backdoors nearly always accessible.”


Kocialkowski said that the nine models of Samsung device may not be the only ones affected by the backdoor, according to Information Week’s report. Replicant demonstrated the backdoor via a patch which can instruct modems on affected devices to open, read and close a file. It is not yet clear what purpose, if any, the backdoor is meant to serve. Replicant claims it would be “relatively easy” for an attacker to exploit.


“We discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a back door that lets the modem perform remote file I/O operations on the file system,” said Kocialkowski. Kocialkowski urged Galaxy users to complain directly to Samsung about the backdoor.


At time of writing, Samsung has not released an official statement about the software.


The post Hidden backdoor in top Samsung Galaxy models ‘allows remote spying on users’ appeared first on We Live Security.


2014/03/12

Fridge attacks “raise big questions” says Microsoft security chief | foodonia

The emerging ‘internet of things’ raises big security questions, and vulnerabilities in connected devices such as ‘smart’ fridges may force companies to work together in a way never previously seen, according to Microsoft’s Director of Cybersecurity Policy EMEA, Jan Neutze, speaking at CeBIT in Germany this year.


In a wide-ranging keynote speech, reported by V3, Neutze asked, “What happens when somebody attacks your refrigerator? Who’s going to patch your fridge?”


“Is it the energy company that runs your smartgrid, is it the software company, is it the manufacturer of the device? We’re going to have to look at new models of collaboration that have never existed before.”


Neutze said that the sheer amount of data generated by connected devices may pose its own problems: “With autonomous systems comes the question: all this data that’s generated, who owns this data and how is that data controlled? Many of those questions aren’t fully resolved,” he said.


Also at CeBIT, British Prime Minister David Cameron earmarked £45m ($74.8m) for research into the ‘internet of things’, as reported by The Inquirer.

The ‘internet of things’ hit headlines recently after Belkin’s popular WeMo smart home system was found to have security flaws which could allow attackers to switch off lights in homes remotely, deactivate motion sensors, and even start fires, as reported by We Live Security here.


Veteran security researcher and writer Graham Cluley said this week that producers of ‘connected’ devices need to ensure that security is a major consideration in their design processes. “To produce such devices without paying proper attention to security could backfire when users realize they are leaking personal information,” Cluley said, as reported by Computer Weekly.


Earlier this year, networking giant Cisco launched a “grand challenge” to invent a security solution for the “internet of things”, as reported by We Live Security here.


Chris Young, senior VP of security at Cisco, said in a blog post, “We’re connecting more of our world every day through smart, IP-enabled devices ranging from home appliances, healthcare devices, and industrial equipment. … It is, unfortunately, too easy to imagine how these world-changing developments could go terribly wrong when attacked or corrupted by bad actors.”


ZDNet comments that for many businesses, connecting devices is desirable as a way to build up large amounts of data, but that, thus far, security has been weak, saying, “If a cyberattacker is able to break in to one such system, they potentially can harm thousands of people with little effort,” citing the example of connected door locks as a potential risk.


At this year’s Consumer Electronics Show (CES) in Las Vegas, ‘smart homes’ were clearly a big trend on the show floor – and much debate was ignited about their security.


The normally sober BBC warned, “In the future, it might not just be your smartphone that leaks personal and private data, it might be your smart fridge too.”


But ESET Senior Research Fellow David Harley said in a commentary post at the time, “It may be a little early to worry too much about what your fridge or your medicine cupboard is able to reveal to a hacker about your eating habits and the state of your health.”


“After all, there are all too many more direct ways for retailers, insurance companies, and pharmaceutical companies to get that sort of information. (And those are issues more people should be worried about.)”


The post Fridge attacks “raise big questions” says Microsoft security chief appeared first on We Live Security.


Whatsapp security fears over rogue apps ‘reading’ user chats | foodonia

Hit messaging app Whatsapp may not be as secure as its 450 million users believe – after an independent security consultant revealed a loophole which rogue app developers could use to steal Android users’ entire Whatsapp history.


“Facebook didn’t need to buy WhatsApp to read your chats,” says Dutch consultant Bas Bosschert in a blog post this week.


Bosschert says that Whatsapp saves its database on the SD card in Android smartphones, potentially allowing rogue apps to upload users’ entire Whatsapp database to remote web sites, according to Mashable’s report.


“People would only see a loading screen when they started the game,” Bosschert said in an email interview with Business Insider. “They wouldn’t notice that their WhatsApp database has been uploaded.”


Bosschert says that while Whatsapp stores its database in encrypted form, it can be decrypted using a Python script. All an attacker would need to do would be to add the code from Bosschert’s post to an Android game, then they could steal the entire database and decrypt and read it remotely, provided the user allowed the app permission to read data from the SD card.


“The Whatsapp database is saved on the SD card, which can be read by any Android application if the user allows it to access the SD card. And since the majority of people allow everything on their Android device, this is not much of a problem,” says Bosschert.
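The underlying problem is storage location, not the cipher: anything written to shared external storage is readable by every app that holds the storage permission, whereas a file in the app’s private data directory is protected by per-app Linux UIDs and owner-only permissions. The audit below is an added example, not Bosschert’s script or anything from WhatsApp; it walks a directory tree and reports database-looking files that carry the world-readable bit. The directory layout, the file names (including “msgstore.db.crypt”) and the package name “com.example.app” are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Name patterns that usually hold message or account data. The exact WhatsApp
# file name is not stated on the page; "msgstore.db.crypt" in the demo tree is
# a constructed example, not a claim about the real app.
SENSITIVE_SUFFIXES = (".db", ".db.crypt", ".sqlite")


def exposed_files(root):
    """Return [(path, octal mode)] for sensitive-looking files under `root`
    that carry the world-readable bit. On Android, files written to external
    storage are readable by any app holding the storage permission, and a
    FAT-formatted card reports 0o777 for every file, so they all show up."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(SENSITIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if mode & stat.S_IROTH:
                found.append((path, oct(stat.S_IMODE(mode))))
    return found


def build_demo_tree():
    """Constructed layout (assumption, not a real device image): one store on
    'external' storage left world-readable, one in app-private storage with
    owner-only permissions as MODE_PRIVATE would give it."""
    root = tempfile.mkdtemp(prefix="storage-audit-")
    public = os.path.join(root, "sdcard", "WhatsApp", "Databases")
    private = os.path.join(root, "data", "data", "com.example.app", "databases")
    os.makedirs(public)
    os.makedirs(private)
    for directory, name, mode in ((public, "msgstore.db.crypt", 0o644),
                                  (private, "msgstore.db", 0o600)):
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real database\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for path, mode in exposed_files(root):
        print("EXPOSED", mode, os.path.relpath(path, root))
```

Run against a rooted device’s filesystem (or an `adb pull` of `/sdcard`), the same walk shows which apps park user data where any other app can read it; the fix on the app side is internal storage plus a key that is not derivable from public material.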


Whatsapp has a history of security concerns, as discussed by ESET Distinguished Researcher Aryeh Goretsky in an in-depth article on the messaging service in the wake of Facebook’s purchase of the company for $19 billion.


“One of the main attractions to users of WhatsApp has been claims of its ability to offer secure, private communications between people. However, if that is the case, security and privacy have gotten off to a slow start in WhatsApp,” Goretsky writes, noting that governments on three continents have taken note of privacy concerns relating to the messaging service.


The post Whatsapp security fears over rogue apps ‘reading’ user chats appeared first on We Live Security.


Critical Internet Explorer zero-day vulnerability patched by Microsoft | foodonia

For this month’s Patch Tuesday, Microsoft has released five bulletins, tackling a total of 23 different security holes in Microsoft Windows, Internet Explorer and Silverlight.


The most important security update is undoubtedly the one for Internet Explorer, applicable to virtually all versions of the browser, which includes a fix for a zero-day vulnerability (CVE-2014-0322) that has already been exploited by hackers in targeted attacks against some organisations.


Last month, Microsoft released a temporary Fix it tool for the problem, so a proper patch has been keenly anticipated.


Details of how to take advantage of the security weakness have already been publicised on the net, increasing the chances of further attacks if computer owners do not take action.


So, what’s the danger if you leave your computer unpatched?


Well, if you visit a boobytrapped website with a vulnerable version of Internet Explorer it can be tricked into allowing the remote hacker’s code to execute on your PC, gaining the same rights as the user you are logged in as on Windows. In the blink of an eye, your computer could be infected by malware – delivered via an exploit kit.


Microsoft Security Bulletin MS14-012 isn’t shy about underlining the importance of the security update, giving it the highest “critical” rating for Internet Explorer 6, 7, 8, 9, 10, and 11 on affected Windows clients, and “moderate” for the same versions of Internet Explorer on affected Windows servers.


Of course, if you’re still using a version of Internet Explorer as old as version 6, this is just one of many many problems your organisation may be facing…


And, this is probably as good a time as any, to remind organisations and home users that are still using creaky old Windows XP that the ageing operating system will no longer be receiving security updates after next month.


If at all possible, it’s extremely important that you update your operating system as soon as you can, rather than wait until malicious hackers have free rein to exploit it. More details of the end of support for Windows XP can be found on Microsoft’s website.


Most Windows home users will hopefully be taking advantage of the automatic security updates which will be rolled out to them, but companies often prefer to do some internal testing before distributing patches across their network in case there are any niggles.


Whatever type of user you are, my advice is to not delay – but install the security updates at your earliest opportunity to better protect your computers and the data stored upon them.


To learn more about the latest security patches from Microsoft, including the ones for Windows and Silverlight as well as Internet Explorer, be sure to check out Microsoft’s March 2014 Patch Tuesday summary.


The post Critical Internet Explorer zero-day vulnerability patched by Microsoft appeared first on We Live Security.


2014/03/10

Justin Bieber is the latest celebrity to have his Twitter account hacked | foodonia

A few years ago I joked that the only reason I followed Britney Spears on Twitter was to get an early heads-up on when she next had her account hacked.


Actually, thinking back, I wasn’t joking.


It felt like barely a month went by without the singer having her account compromised.


And if her high profile account was exploited, chances were that plenty of her adoring fans were also likely to blindly click on the links without thinking of the possible consequences (two obvious ones being a phishing attack or a malware infection).


Here’s an example from January 2009, when Britney Spears had a lowly 14,000 followers. (Today she has over 36 million. Wow, hasn’t time moved on?)


Britney Spears Twitter account hack, 2009


Well, time has moved on and Britney’s superstar status has diminished a little. After all, there are new kids on the block like Justin Bieber.


Bieber, who like the Britney of old appears to be going through a public car-crash for the benefit of the paparazzi, has an astonishing 50 million followers on Twitter.


And anyone with that kind of social media audience becomes an obvious attraction to social media scammers and online criminals.


Sure enough, this weekend, Justin Bieber appeared to be no longer in charge of his Twitter account – at least for a short time – as messages appeared in Indonesian linking to an Android app called Shooting Star Pro.


Tweets from Justin Bieber's Twitter account


Within seconds, Bieber’s fanatical followers were favoriting and retweeting his messages regardless, one assumes, of whether they were able to understand them.


Cemberut, by the way, is an Indonesian word meaning sullen or grumpy, and is sometimes used by social media users alongside downcast selfies of themselves.


What isn’t clear is how Bieber’s account was compromised. Did he, or whoever manages his social media accounts, authorise a rogue third party app to post on the Twitter account without thinking of the possible consequences, was he specifically targeted or was someone careless with their password?


Whatever the reason for the unexpected tweets, a warning was quickly posted on the account advising followers not to click on the links.



That link from earlier. dont click it. virus. going to erase this now. spread the word. thanks



Later that message was deleted, and replaced with another claiming that everything was now under control:


Justin Bieber has handled the situation



all good now. we handled it.



Scammers, spammers and online criminals love to take advantage of innocent people’s social media accounts, because it’s a very effective launchpad for their money-making campaigns.


It’s not just celebrities like Britney Spears, Justin Bieber and Kevin Bacon who fall victim. Many regular members of the public have their social networking accounts compromised every day, and it’s their online friends and family who are duped as a result into visiting dangerous links, believing it is their pal or loved one who shared them.


Always be sure to take care over your passwords (ensuring you only enter them on the legitimate site for which they were designed, and not reusing the same password), be cautious over what third-party apps you grant access to your account, and take advantage of features like two factor authentication to better control access to your accounts.


And maybe it’s time to think twice before rushing to click on a link, next time your favourite celebrity says something bizarre on Twitter.


The post Justin Bieber is the latest celebrity to have his Twitter account hacked appeared first on We Live Security.


2014/03/07

How cybercriminals ‘market’ email attacks – and why LinkedIn lures are today’s prize phish | foodonia

Cybercriminals ‘manage’ phishing emails using techniques similar to those used by marketing agencies, including the use of ‘test audiences’ to see how effective a particular email is, according to Mark Sparshott, executive director at email security firm Proofpoint.


The most successful form of email-borne attack at present is fake LinkedIn invitations, Sparshott said – with click rates double that of attacks such as banking emails and fake order confirmations.


Speaking at Computing’s IT Leaders Forum event in London, Sparshott said that criminals send out small bursts of emails to test the response of their audience, testing several formats against one another. The criminals analyse the rate at which the ‘test’ victims click, and then use the most successful format in the main email burst.


“Cyber criminals manage the content of their emails to entice clicks,” he said. “It’s the same technique you might find a leading marketing agency using.”


Sparshott based his conclusions on analysis of a number of email-based attacks – and found that, on average, 10% of targeted users clicked, but the rates varied widely between companies, with some firms having a click rate of up to 50%.


“The top three which achieve most success are social network communication, financial account warnings and order confirmation. That preys on human curiosity and desire to broaden one’s network, or to not lose money, or to check something you feel you didn’t order.”


Sparshott says that the most effective attack at present relies on fake LinkedIn invitations sent via email, “The LinkedIn lure is particularly effective, because it can look exactly as if it has come from LinkedIn itself. LinkedIn lures are twice as successful as others, and the most successful is the LinkedIn invitation.”


ESET Senior Research Fellow David Harley says, “Effective email abuse is usually at least partly reliant on social engineering, in the sense of similar techniques for psychological manipulation to those used by legitimate marketers. The three kinds of SE gambit he cites (posing as social media communications, bank phishing, fake order confirmations) are classic lures.


“Malicious emails have indeed gone far beyond the simple malicious attachment posing as a JPEG (or whatever), and infection can be a multi-stage process involving multiple redirects with the payload delivered long after the initial message. Nonetheless, that’s no guarantee of infection: on-access scanning can still work on payload delivery, though – obviously, it depends on whether the malcode is recognized as malicious or even as a variation on a known theme.”


“There’s usually no need to open a LinkedIn message. You can simply use the arrival of such a message as a cue to go to the site to see what, if anything, is waiting. That doesn’t mean you can trust a message just because it really did go through LinkedIn, of course.”
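Harley’s advice can be applied mechanically at a mail gateway or in a user-side filter: any link in a “LinkedIn” message that does not resolve to LinkedIn’s own domain, that is plain http, or whose visible text names a different host than its href is a cue to ignore the mail and go to the site directly. The block below is an added example, not code from Proofpoint, ESET or LinkedIn; the trusted-domain allowlist and the sample message are assumptions, and the registrable-domain check is a crude last-two-labels rule rather than a Public Suffix List lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for the example: domains LinkedIn's own mail links to.
TRUSTED = {"linkedin.com", "licdn.com"}

# Constructed sample message: two genuine-looking links and one lure whose
# href is a lookalike host while its visible text shows the real site.
SAMPLE_MAIL = """<p>Alice Example wants to connect with you on LinkedIn.</p>
<a href="https://www.linkedin.com/comm/people/invite-accept?id=1">Accept</a>
<a href="http://linkedin.com.invites-login.example/accept">https://www.linkedin.com/accept</a>
<a href="https://www.linkedin.com/e/unsub">Unsubscribe</a>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com lookalikes such as
    'linkedin.com.evil.example'; a deployment should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str):
    """Return [(href, [reasons])] for anchors that fail any of the checks."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlsplit(href)
        host = target.hostname or ""
        reasons = []
        if registrable_domain(host) not in TRUSTED:
            reasons.append("untrusted domain %r" % host)
        if target.scheme == "http":
            reasons.append("cleartext http link")
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append("text shows %s but link goes to %s" % (shown, host))
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_MAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

A lure that passes all three checks is still possible (a compromised LinkedIn account, or a message that really did go through LinkedIn, as Harley notes), so the result is a signal for a filter, not proof of legitimacy.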


We Live Security offers tips on how to avoid the latest phishing scams in a new how-to here.


The post How cybercriminals ‘market’ email attacks – and why LinkedIn lures are today’s prize phish appeared first on We Live Security.


2014/03/06

‘Secure’ web browsing can leak private data to employers and ISPs, researchers warn | foodonia

‘Secure’ web browsing using HTTPS may not be as private as most web users hope, as University of California, Berkeley researchers have revealed a technique for identifying individual web pages visited ‘securely’ by users, with up to 89% accuracy, revealing data such as health conditions, financial details and sexual orientation.


The researchers used a new form of traffic analysis attack against 6,000 web pages hosted on sites including hospital clinics and video-streaming sites such as Netflix and YouTube. The team claim their technique is more than three times more accurate at identifying pages visited than any previous algorithm.


“Our attack identifies individual pages in the same website with 89% accuracy, exposing personal details including medical conditions, financial and legal affairs and sexual orientation,” the researchers write in the paper I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis.


The technique achieves an accuracy of 89% compared to 60% with previous techniques, the team writes.


The Register comments, “HTTPS may be good at securing financial transactions, but it isn’t much use as a privacy tool.”


The attack uses multiple methods of statistical analysis to yield its results, The Register reports. “Our attack applies clustering techniques to identify patterns in traffic. We then use a Gaussian distribution to determine similarity to each cluster and map traffic samples into a fixed width representation compatible with a wide range of machine learning techniques,” the researchers write.
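TLS hides the content but not the sizes and counts of packets, and those are what the pipeline quoted above learns from. The script below is an added illustration of that pipeline, not the authors’ code: it clusters observed bursts with k-means, scores each burst against every cluster with a Gaussian kernel, sums the scores into one fixed-width vector per page load, and labels unseen loads with a 1-nearest-neighbour rule (standing in for whatever learner the paper trains). Every traffic figure in it is constructed for the demonstration, not measured.

```python
import math
import random

# Constructed page loads as a passive on-path observer (ISP, employer, Wi-Fi
# operator) would see them: each load is a list of (packet_count, bytes)
# bursts. All numbers are invented for the example, not measurements.
TRAINING = {
    "clinic/oncology": [
        [(3, 4200), (12, 61000), (5, 9800)],
        [(3, 4300), (11, 59500), (5, 9700)],
        [(4, 4100), (12, 62200), (6, 9900)],
    ],
    "clinic/dermatology": [
        [(2, 3100), (30, 150000), (2, 2400)],
        [(2, 3000), (31, 152000), (3, 2600)],
        [(2, 3200), (29, 149000), (2, 2300)],
    ],
    "clinic/contact": [
        [(2, 2900), (4, 8000)],
        [(2, 3000), (4, 8200)],
        [(3, 3100), (5, 8100)],
    ],
}


def burst_point(burst):
    """Map a (packets, bytes) burst to a 2-D point; logs tame the byte range."""
    packets, nbytes = burst
    return (math.log(packets + 1), math.log(nbytes))


def _dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def _assign(points, centroids):
    buckets = [[] for _ in centroids]
    for p in points:
        j = min(range(len(centroids)), key=lambda i: _dist2(p, centroids[i]))
        buckets[j].append(p)
    return buckets


def kmeans(points, k, rounds=50, seed=0):
    """Lloyd's k-means. Returns centroids and a per-cluster sigma (RMS member
    distance, floored so a singleton cluster still gives a usable Gaussian)."""
    rng = random.Random(seed)
    centroids = rng.sample(points, k)
    dim = len(points[0])
    for _ in range(rounds):
        buckets = _assign(points, centroids)
        new = [tuple(sum(p[d] for p in b) / len(b) for d in range(dim)) if b else c
               for b, c in zip(buckets, centroids)]
        if new == centroids:
            break
        centroids = new
    buckets = _assign(points, centroids)
    sigmas = [max(math.sqrt(sum(_dist2(p, c) for p in b) / len(b)), 0.25) if b else 0.25
              for b, c in zip(buckets, centroids)]
    return centroids, sigmas


def featurize(trace, centroids, sigmas):
    """Fixed-width vector: summed Gaussian similarity of each burst to each
    cluster, so loads with different burst counts become comparable."""
    vec = [0.0] * len(centroids)
    for burst in trace:
        p = burst_point(burst)
        for j, (c, s) in enumerate(zip(centroids, sigmas)):
            vec[j] += math.exp(-_dist2(p, c) / (2 * s * s))
    return vec


def train(training, k=5, seed=0):
    """Attacker's offline step: load every page of the target site itself,
    cluster the bursts, and keep one labelled feature vector per load."""
    points = [burst_point(b) for loads in training.values() for t in loads for b in t]
    centroids, sigmas = kmeans(points, k, seed=seed)
    labelled = [(label, featurize(t, centroids, sigmas))
                for label, loads in training.items() for t in loads]
    return {"centroids": centroids, "sigmas": sigmas, "labelled": labelled}


def classify(model, trace):
    """Label a victim's load by its nearest labelled vector (1-NN)."""
    v = featurize(trace, model["centroids"], model["sigmas"])
    return min(model["labelled"], key=lambda lv: _dist2(v, lv[1]))[0]


if __name__ == "__main__":
    model = train(TRAINING)
    for trace in ([(3, 4250), (12, 60000), (5, 9750)], [(2, 2950), (4, 8100)]):
        print(trace, "->", classify(model, trace))
```

The countermeasures the paper evaluates attack exactly these features: padding responses to fixed sizes or injecting dummy bursts moves every page's bursts toward the same clusters, which is what drives the reported accuracy down.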


The attacker has to be able to visit the same websites as the victim, and have access to the victim’s traffic data – but this is data freely available to parties such as ISPs and employers, the researchers note.


“ISPs are uniquely well positioned to target and sell advertising since they have the most comprehensive view of the consumer. Both ISPs and commercial chains of Wi-Fi access points have shown efforts to mine customer data and/or sell advertising. These vulnerabilities would allow ISPs to conduct data mining despite the presence of encryption,” the researchers say.


The researchers point out that the technique would also allow employers to monitor web pages visited by employees – including, potentially, corporate whistleblowers.


“Analysis would allow employers to remove many of the protections expected by employees using HTTPS to protect their sensitive communications from untrusted parties,” they write.


The researchers write that oppressive regimes could also use the technique to target dissidents.


The paper suggests various techniques that could obscure the browsing habits of users from anyone wishing to intrude on them, reducing the effectiveness of the attack to 27%. The researchers say that more research is needed into how effective the attack is in “real life” browsing situations where users may be using several tabs at once, and different browsers and devices, including mobiles.


The post ‘Secure’ web browsing can leak private data to employers and ISPs, researchers warn appeared first on We Live Security.


2014/03/04

STEM education, the Target data breach, and the Apple SSL vulnerability | foodonia

Is there a connection between lack of STEM education in America and data breaches like Target or digital security vulnerabilities like the one that recently undermined encryption in Apple products? In my opinion: Yes. In this article I argue that cybersecurity in America, including the trustworthiness of American products and services, is suffering from the current under-production of students qualified in Science, Technology, Engineering, and Mathematics, or STEM. (My first title for this article was “STEM the tide of data breaches” but I decided that was too glib.)


My basic premise is that creating secure information systems, and maintaining their security, requires people who are conversant with Science, Technology, Engineering, and Mathematics. Those disciplines come together in Computer Science, often referred to as CompSci, or just CS.


My second premise is that America’s schools are not teaching enough computer science to enough students. When my colleague, Lysa Myers, wrote about this in January, several of us found it hard to believe how dire things were. But Lysa was right, as confirmed by several shocking data points I recently obtained on a trip to Washington, D.C. For example, in the 2012-2013 school year, computer science counted toward a student’s high school graduation requirements in only nine states. In 2012, just fewer than 3,000 of the country’s 40,000 high schools, less than one in 10, offered the Advanced Placement Computer Science exam. Let me put that a different way: too many kids in too many schools get the impression that Computer Science doesn’t matter.


My third premise is this: if we are not inspiring and enabling our young people to study the science and technology on which much of our economy is based, we cannot hope to achieve and sustain the levels of security that our information systems need in order to retain the trust on which their continued use depends.


Some scary numbers


We already have indications that large numbers of IT jobs in America are going unfilled. For example, throughout the course of 2013, there were anywhere from 300,000 to 600,000 open IT and IT-related jobs in the U.S. (that’s according to Burning Glass Technologies Labor Insights). Couldn’t we just import people to fill them? Not likely, given the current Congressional deadlock over immigration reform. Besides, there are plenty of other countries seeking the same talent. According to the Global Information Security Workforce Study by Frost and Sullivan, global demand for people with cyber security skills is forecast to grow at about 13.2% annually from 2012 to 2017.


As for cybersecurity jobs going unfilled, the evidence is everywhere, starting with a huge number in the Cisco 2014 Annual Security Report: “It’s estimated that by 2014, the industry will still be short more than a million security professionals across the globe.” In the last six months I have heard estimates of the shortfall of qualified cybersecurity workers just in U.S. alone ranging from 50,000 people well into six figures.


For a different perspective, consider the number of U.S. openings listed for “information security” at Indeed.com, a job listing aggregator: 11,669. The site lists 7,867 jobs requiring or preferring CISSP. Given that many of these jobs are well-paid, earning more than many other IT-related jobs, that’s a lot of jobs open. How about a specific case study? Consider the U.S. government’s Department of Homeland Security, where more than one in five mission-critical cybersecurity-related jobs at a key unit could not be filled, according to the Government Accountability Office. Scratch below the surface and you see a phenomenon that could mean things get worse before they get better: the greying of the cybersecurity workforce. Some 32% of DHS cybersecurity employees are eligible for retirement now or within the next three years, and 80% of those currently working in cybersecurity are 40 or older, with barely more than 5% being 30 or younger.


In broader terms, last year’s (ISC)2 Global Information Security Workforce Study (PDF) found that 56% of organizations surveyed said they don’t have enough security staff to handle their current demands. According to 52% of respondents, the shortage of skilled staff is contributing to the incidence of breaches in their organizations.


Target and Apple and more


Which brings us to the Target data breach and the Apple SSL vulnerability. The full details of how these things happened have not yet been confirmed, but many of those who live security think they can see gaps in Target’s defenses and weakness in Apple’s code review and testing. I think it is reasonable to argue that those gaps might not have existed if the companies’ cyber security IQ was higher. When companies make decisions about technology that are not fully informed by accurate knowledge of the computer security threatscape, one has to ask if a lack of skills and education in this field is to blame.


I’m certainly not suggesting we throw Comp-Sci grads into the breach until the attacks stop and the holes are plugged (that just wouldn’t work). For a start, not all Comp-Sci grads are required to take security courses before they can graduate (which is wrong and needs to be fixed, but that’s a different article). What I am suggesting is that we cannot hope to sustain a rapid rate of digital technology development in America while at the same time defending that technology against abuse, without more people having more knowledge in the realm of science, technology, engineering, and mathematics. And a bunch of those people need to understand the core concepts of computer science and computer security.


Here’s how the big picture is painted by Chicago-based CompTIA, the world’s largest computing industry trade association, which recently lobbied Washington for greater support of STEM education:



The U.S. is rapidly falling behind in the Science, Technology, Engineering, and Math (STEM) race on multiple fronts. The World Economic Forum ranks the U.S. 52nd in the quality of mathematics and science education and 5th in overall competitiveness. Over two-thirds of the engineers who receive their PhDs from U.S. universities are foreign born. The key to improving our standing is by focusing on STEM at the elementary and secondary education levels. As a nation, we have a responsibility to help to drive domestic students into these fields and to provide them with the necessary tools they will need for success at a global level.
On the bright side


As part of that lobbying effort, CompTIA presented a panel that featured two innovative approaches to improving STEM education. The first was Project Lead the Way, represented by David Dimmett, the organization’s Senior Vice President and Chief Engagement Officer. According to Dimmett, Project Lead The Way (PLTW) is the nation’s leading provider of STEM programs. On its website, PLTW states:



“Our world-class curriculum and high-quality teacher professional development model, combined with an engaged network of educators and corporate and community partners, help students develop the skills necessary to succeed in our global economy….As a 501(c)(3) nonprofit organization, we deliver PLTW programs to more than 5,000 elementary, middle, and high schools in all 50 states and the District of Columbia.”



I found a tour of the website to be quite inspiring, and there are plenty of opportunities for professionals and businesses to get involved.


The other private sector initiative represented on the panel was LifeJourney LLC, which describes itself as “an online career simulation experience that empowers students and individuals to test-drive future career opportunities relating to STEM and gain exposure to the skills they’ll need to achieve the future they want.” Founded by Rick Geritz who is now its CEO, LifeJourney is developing some impressive corporate partnerships and using some very cool technology to make a career in technology more broadly appealing.


One more ray of hope for STEM improvement is specific to Comp-Sci, and it comes from within our government: bipartisan legislation known as the Computer Science Education Act. This bill has no costs associated with it because it simply amends the definition of “core academic subjects” in the Elementary and Secondary Education Act (ESEA) to add computer science. This simple act would clarify that existing and currently funded federal programs could support computer science and local and state educators who want to put more computer science curriculum and teachers in schools. (Big hat tip to Lumay Wang from co-sponsor Rep. Scott Peters’ office for sending me details of the bill.)


The Computer Science Education Act (HR 2536) makes a lot of sense to me because it would unleash the enthusiasm of American students and teachers for computer science that is currently constrained by the fact that it is not considered core curriculum. Fortunately, the bill has widespread support from some serious organizations, notably code.org and Computing in the Core, which has a lot more info on CSEA, and whose members include: Anita Borg Institute for Women and Technology, Association for Computing Machinery, College Board, Computer Science Teachers Association, Computing Research Association, Google, IEEE Computer Society, Microsoft, National Center for Women and Information Technology, National Council of Teachers of Mathematics, National Science Teachers Association, Oracle and SAS.


So, there are efforts underway to improve the STEM and Comp-Sci situation, from broad grassroots initiatives like Securing Our eCity, through focused efforts like PLTW and LifeJourney, to legislation that could be passed this year. All positive signs and I hope they all succeed, because the threats show no sign of abating and the skills gap is real.
The post STEM education, the Target data breach, and the Apple SSL vulnerability appeared first on We Live Security.
Brought by: http://foodonia.com

2014/03/03

Cisco offers $300,000 for “visionary” solutions to defend ‘Internet of Things’ | foodonia

Networking giant Cisco has launched a “grand challenge” to invent a security solution for the “internet of things” – a broad term used to describe connected devices from industrial equipment to cars to smart home appliances.


The Internet of Things Security Challenge offers a prize pot of $300,000 to “visionaries, innovators and implementers”, with up to six awards ranging from $70,000 to $50,000, as described in a Cisco blog post here.


The ‘internet of things’ hit headlines recently after Belkin’s popular WeMo smart home system was found to have security flaws which could allow attackers to switch off lights in homes remotely, deactivate motion sensors, and even start fires, as reported by We Live Security here.


Chris Young, senior VP of security at Cisco, said in a blog post, “We’re connecting more of our world every day through smart, IP-enabled devices ranging from home appliances, healthcare devices, and industrial equipment. These new connected devices are offering new ways to share information and are changing the way we live. For example, in the healthcare sector, it’s easy to imagine how Internet-connected devices and systems are revolutionizing patient care. In the transportation sector, technologists are already connecting vehicles and their subsystems to the Internet. It is also, unfortunately, too easy to imagine how these world-changing developments could go terribly wrong when attacked or corrupted by bad actors.”


The winning entries will be announced at the Internet of Things World Forum later this year – a Cisco-hosted event which premiered last year. Entrants will be ranked on whether their solutions can apply across fields as diverse as manufacturing, transport, healthcare and energy, as well as on the feasibility and performance of their entries.


ZDNet comments that for many businesses, connecting devices is desirable as a way to build up large amounts of data, but that, thus far, security has been weak, saying, “If a cyberattacker is able to break in to one such system, they potentially can harm thousands of people with little effort,” citing the example of connected door locks as a potential risk.


In a speech last week, CIA Director John Brennan said that connected appliances and networked vehicles will make the agency’s job harder, as reported by We Live Security here – with more systems to protect, and more platforms which could be used to launch attacks.


Brennan, speaking at President Barack Obama’s Associates Dinner at the University of Oklahoma, said that cyber issues were becoming increasingly central to the CIA’s mission, adding, “We also are concerned that new vulnerabilities will develop as cars, home appliances, and other physical objects become more integrated into information networks.”


“As we move closer to what some are calling an “Internet of Things,” there will be more devices and systems to protect—and, equally worrisome, more that can be used to launch attacks.”


Several security researchers have shown off ‘hacks’ which can remotely take over the software in vehicles – and CNBC described such attacks as potentially forming a new “global cybercrime wave.”


At this year’s Consumer Electronics Show (CES) in Las Vegas, ‘smart homes’ were clearly a big trend on the show floor – and much debate was ignited about their security.


The normally sober BBC warned, “In the future, it might not just be your smartphone that leaks personal and private data, it might be your smart fridge too.”


But ESET Senior Research Fellow David Harley said in a commentary post at the time, “It may be a little early to worry too much about what your fridge or your medicine cupboard is able to reveal to a hacker about your eating habits and the state of your health.”


“After all, there are all too many more direct ways for retailers, insurance companies, and pharmaceutical companies to get that sort of information. (And those are issues more people should be worried about.)”


The post Cisco offers $300,000 for “visionary” solutions to defend ‘Internet of Things’ appeared first on We Live Security.