Sunday, July 31, 2016

Nishang: Using PowerShell for penetration testing

Nishang is a framework, and a collection of scripts and payloads which enables PowerShell usage for offensive security, penetration testing and red teaming.


The tool is the brainchild of information security researcher Nikhil Mittal, who created it after realizing he needed something custom for his penetration testing engagements, and later decided to share it with the community through GitHub.

“The wide use of Windows as server and user desktop in the enterprise made PowerShell an attractive target. I was taken aback with the ease with which various penetration testing tasks can be performed with PowerShell,” Mittal told Help Net Security.

Nishang future plans

Mittal is currently working on bypassing restrictions such as AppLocker application whitelisting and the Windows 10 Antimalware Scan Interface (AMSI). Nishang users will soon see scripts related to Active Directory and SQL Server.

“In the long term, I would like the tool to be able to handle multiple connect backs (reverse shells) from a PowerShell console,” says Mittal.

If you’re at Black Hat USA 2016 in Las Vegas this week, you can see Nishang in action at the Arsenal.

Black Hat USA 2016


from Help Net Security http://ift.tt/2anH7Xa

Needle iOS security testing tool to be unveiled at Black Hat Arsenal

In a session at Black Hat USA 2016 on Wednesday, Marco Lancini, Security Consultant at MWR InfoSecurity, will demonstrate publicly for the first time a new iOS security testing tool.


Needle is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Given its modular approach, Needle is easily extensible and new modules can be added in the form of Python scripts.

“Assessing the security of an iOS application typically requires a plethora of tools, each developed for a specific need and all with different modes of operation and syntax. In 2013 MWR released Drozer for the Android ecosystem, however iOS did not have an equivalent – until now,” says Lancini.

Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections. The only requirement in order to run Needle effectively is a jailbroken device.

“During my session at Black Hat Arsenal, I will describe Needle’s architecture, capabilities and roadmap. I will also demonstrate how Needle can be used to find vulnerabilities in iOS applications from both a black-box and white-box perspective (if source code is provided),” says Lancini.

Black Hat USA 2016


from Help Net Security http://ift.tt/2aEhno2

Visibility and assessment of vulnerable attack paths

Attivo Networks announced that its ThreatMatrix Deception and Response Platform has been enhanced to give organizations visibility into, and an assessment of, vulnerable attack paths.


It provides insight into how an attacker would move through misconfigured systems or misused credentials, and then automates the response actions that isolate those systems so they cannot spread the infection further, exfiltrate data or harm critical infrastructure.

The release also enhances the platform’s deception technology to misdirect and detect attackers who begin by targeting Microsoft Active Directory, a favored target for attackers seeking credentials for privilege escalation. It also expands the ThreatMatrix Platform to support routed networks, for micro-segmented datacenters and for enterprises networked across multiple locations and branch offices.

The platform provides real-time threat detection and attack forensic analysis for accelerated incident response and remediation. The platform is designed to provide early detection of cyberattacks from all threat vectors including zero-day, stolen credential, ransomware and phishing attacks that are renowned for bypassing traditional prevention systems.

ThreatPath

Provides an attack path vulnerability assessment based on likely attack paths that an attacker would have traversed through misconfigured systems or credential misuse. Visual illustrations of attacker paths based on penetration techniques provide insight into risks and clickable drill downs provide the details of weaknesses and IP addresses for systems needing to be isolated and/or fixed.
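The assessment described above works on a graph: hosts yield the credentials left on them, and credentials grant admin rights on further hosts, so the shortest chain from a foothold to a crown-jewel system is the attack path to fix or isolate. The following is an added illustration of that idea, not Attivo’s code or data; the inventory (host names, account names, where credentials are recoverable) is constructed for the example.

```python
from collections import deque

# Constructed lab inventory for illustration (no real hosts or accounts).
# ADMIN_ON[account] = hosts on which that account holds local administrator rights.
ADMIN_ON = {
    "corp\\jdoe":       ["WS01"],
    "corp\\helpdesk":   ["WS01", "WS02", "FS01"],
    "corp\\svc_backup": ["FS01", "DC01"],
    "corp\\da_admin":   ["DC01"],
}
# CREDS_ON[host] = accounts whose credentials an attacker with admin on that
# host can recover (interactive session, cached logon, service account).
CREDS_ON = {
    "WS01": ["corp\\jdoe", "corp\\helpdesk"],
    "WS02": ["corp\\helpdesk"],
    "FS01": ["corp\\svc_backup"],
    "DC01": ["corp\\da_admin"],
}


def build_graph(admin_on, creds_on):
    """Directed graph over ("host", name) and ("account", name) nodes.

    host -> account : credentials for the account are recoverable on the host
    account -> host : the account is a local admin on the host
    Each edge carries its reason so the resulting path can be explained.
    """
    graph = {}
    for host, accounts in creds_on.items():
        for acct in accounts:
            graph.setdefault(("host", host), []).append(
                (("account", acct), "credential recoverable on host"))
    for acct, hosts in admin_on.items():
        for host in hosts:
            graph.setdefault(("account", acct), []).append(
                (("host", host), "local admin rights"))
    return graph


def shortest_attack_path(graph, start_host, target_host):
    """BFS from a foothold host to a target; returns [(src, reason, dst), ...] or []."""
    start, target = ("host", start_host), ("host", target_host)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for nxt, reason in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, reason)
                queue.append(nxt)
    if target not in parent:
        return []
    steps, node = [], target
    while parent[node] is not None:
        prev, reason = parent[node]
        steps.append((prev, reason, node))
        node = prev
    return steps[::-1]


def hosts_to_isolate(path):
    """Hosts the path passes through before the target; cutting any one of them breaks it."""
    return [src[1] for src, _, _ in path if src[0] == "host"]


def without_account(creds_on, account):
    """Inventory after an account's credentials stop being left on hosts
    (e.g. the helpdesk account no longer logs on interactively to workstations)."""
    return {h: [a for a in accts if a != account] for h, accts in creds_on.items()}


def describe(path):
    return [f"{src[1]} --[{reason}]--> {dst[1]}" for src, reason, dst in path]


if __name__ == "__main__":
    graph = build_graph(ADMIN_ON, CREDS_ON)
    path = shortest_attack_path(graph, "WS01", "DC01")
    print("\n".join(describe(path)))
    print("isolate/fix:", hosts_to_isolate(path))
    fixed = build_graph(ADMIN_ON, without_account(CREDS_ON, "corp\\helpdesk"))
    print("after removing helpdesk logons:",
          shortest_attack_path(fixed, "WS01", "DC01") or "no path")
```

On the constructed inventory the path runs WS01 → helpdesk credential → FS01 → backup service account → DC01, so the two hosts to isolate are WS01 and FS01; removing the helpdesk account’s cached logons alone is enough to break the path, which is the kind of remediation a drill-down is meant to point at.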

Active Directory deception and detection

Organizations running the Microsoft Windows Server platform are susceptible to attacks in which attackers gain unauthorized access to Active Directory. Attivo ThreatMatrix BOTsink integrates deception into the organization’s Active Directory infrastructure to deceive and identify attackers seeking to escalate privileges.

Routed network support

ThreatMatrix BOTsink engagement servers can now engage with deceptive IP addresses and networks on routers over Layer 3 GRE tunnels, which is ideal for micro-segmented datacenters, enterprises networked across multiple locations and branch offices. The solution will also support sending Darknet IP traffic to the deception servers, which will dynamically engage attackers and deceive them into revealing themselves.

Black Hat USA 2016


from Help Net Security http://ift.tt/2anXb5c

Week in review: Snooping Tor nodes, Wi-Fi keyboards open to keystroke sniffing


Here’s an overview of some of last week’s most interesting news, reviews and articles:

Industry collaborates on automotive cybersecurity best practices
More than 50 automotive cybersecurity experts from around the world have participated in the development of these best practices to advance automotive cybersecurity capabilities. The effort began in early 2016 when the 15 automaker members of the Auto-ISAC formed a working group to examine all cybersecurity aspects of the motor vehicle ecosystem.

SpyNote Android RAT builder has been leaked
SpyNote is capable of viewing messages on the infected device, listening to calls made from it, collecting device information and GPS location, exfiltrating contacts and files, turning on the device’s microphone for real-time spying purposes, activating the camera, but also making calls from the device, installing new (malicious) APKs, and updating itself.

Researchers discover 110 snooping Tor nodes
In a period spanning 72 days, two researchers from Northeastern University have discovered at least 110 “misbehaving” and potentially malicious hidden services directories (HSDirs) on the Tor anonymity network.

Review: True Key for iOS
When choosing a password manager, there are a couple of things to take into consideration: ease of use, expected functionality, authentication methods, and the overall look and feel of the application. True Key excels at all of these things.

IoT: A hacker’s dream come true?
Most “things” will likely operate safely and securely without interference, but there will be some portion of the IoT that will attract the attention of the very same people and organizations who build botnets, steal IP, and carry out pay-for-DDOS attacks using the far less extensive internet we see now.

Low-cost wireless keyboards open to keystroke sniffing and injection attacks
Bastille Networks researcher Marc Newlin has discovered a set of security vulnerabilities in low-cost wireless keyboards that could be exploited to collect all passwords, security questions, sensitive personal, bank account and payment card info users input through them.

European privacy advisor wants encryption without backdoors
The confidentiality of online communications by individuals and businesses is essential for the functioning of modern societies and economies. The EU rules designed to protect privacy in electronic communications need to reflect the world that exists today.

50+ vulnerabilities found in popular home gateway modems/routers
Researcher Gergely Eberhardt with Hungarian security testing outfit SEARCH Laboratory has unearthed over fifty vulnerabilities in five home gateway modems/routers used by Hungarian Cable TV operator UPC Magyarország, but also by many ISPs around the world.

Pwnie Express open sources IoT and Bluetooth security tools
Pwnie Express announced the availability of open sourced versions of its Blue Hydra and Android build system software. The release of these tools enables comprehensive Bluetooth detection and community-based development of penetration testing Android devices.

UAC bypass attack on Windows 10 allows malicious DLL loading
Security researchers Matt Graeber and Matt Nelson have discovered a way to run a malicious DLL on Windows 10 without the User Account Control springing into action and alerting users of the potential danger.

What a Chief Strategy Officer does, and why you need one
Seasoned IT security expert and former Gartner analyst Richard Stiennon recently became the Chief Strategy Officer for the Blancco Technology Group. It was the perfect opportunity to talk with him, and explore the challenges that come with filling this pivotal information security role.

88% of all ransomware is detected in the healthcare industry
Healthcare has been a target for ransomware campaigns because the industry has often paid ransom to retrieve vital customer data quickly.

Media-stealing Android app targets developers
Symantec researchers have unearthed another app on Google Play that secretly steals photos and videos from victims’ mobile devices. But the curious thing is that it’s not an app that would attract a massive number of random users, but a very specific subset: web and app developers.

As voice interaction increases, what will security look like in the next 5 years?
Things are getting chatty – everywhere.

Obama defines how the US government will respond to cyber incidents
The Presidential Policy Directive on United States Cyber Incident Coordination is especially geared towards defining the Federal government’s response to “significant” cyber incidents.

Investigating the supply on 17 underground hacker markets
Have you ever wondered what kind of malicious offerings can be found on dark web “hacker markets,” who sells them and how widely they are available?

Cybersecurity talent crisis continues, technical skills in high demand
In 2015, 209,000 cybersecurity jobs went unfilled in the United States alone. Despite 1 in 4 respondents confirming their organizations have lost proprietary data as a result of their cybersecurity skills gap, there are no signs of this workforce shortage abating in the near-term.

Infection Monkey: Test a network from an attacker’s point of view
Infection Monkey, a tool designed to test the resiliency of modern data centers against cyber attacks, was developed as an open source tool by GuardiCore’s research group.

LastPass zero-day can lead to account compromise
A zero-day flaw in the popular password manager LastPass can be triggered by users visiting a malicious site, allowing attackers to compromise the user’s account and all the sensitive information in it.

DDoS attacks increase 83%, Russia top victim
The newest report shows that Russia has become the No. 1 victim country. Starlink – a Russian ISP supporting small, medium and large enterprises – received more than 40 percent of the DDoS attacks measured over a two-day period.

Law enforcement and IT security companies join forces to fight ransomware
The Dutch National Police, Europol, Intel Security and Kaspersky Lab launched the No More Ransom initiative, a new step in the cooperation between law enforcement and the private sector to fight ransomware together.

Is your business still HIPAA compliant after the 2016 federal changes?
The US Department of Health and Human Services’ Office for Civil Rights (OCR) warned healthcare professionals and their business associates of its intention to launch a series of random HIPAA compliance audits throughout 2016.


from Help Net Security http://ift.tt/2aVpxW7

Giving “dead man’s handle” a whole new meaning [Chet Chat Podcast 248]



from Naked Security http://ift.tt/2aBbLcu

Move a Box Spring Around Tight Corners by Cutting and Folding It


One of the most frustrating parts of moving into a new home or apartment is the furniture Tetris you have to play in order to squeeze all your big items around tight corners and stairways. Box springs can be particularly pesky, but they’re so simply constructed that you can partially cut them in half.

In this video from This Old House, Tom Silva shows how you can cut a box spring in half and fold it like a book. But it takes a little more finesse than literally just sawing the whole thing in half: After removing the bottom fabric, Tom makes two adjacent cuts on the long side of the outer wooden frame. Then they fold the box spring in half, carefully bending the metal wire that makes up most of the inner structure. When the box spring is moved into its final destination, they unfold it back into shape, unbend the metal wires, and carefully screw the wooden structure back together.

It’s a fair amount of work, but you might not have any other option if you want to get that box spring wherever it needs to be. Better than cutting a mattress-shaped hole in the wall.

How to Move a Box Spring Up a Narrow Staircase | This Old House via YouTube


from Lifehacker http://ift.tt/2awMGiQ

SpyNote Android RAT builder has been leaked


A builder for the capable SpyNote Android RAT is being freely distributed on several underground hacker forums.

SpyNote is capable of viewing messages on the infected device, listening to calls made from it, collecting device information and GPS location, exfiltrating contacts and files, turning on the device’s microphone for real-time spying purposes, activating the camera, but also making calls from the device, installing new (malicious) APKs, and updating itself.

And it is capable of doing all of this without gaining root access to the device, Palo Alto Networks’ researchers warn.

This video demonstrates what an attacker can do with an infected device:

The builder configures the RAT to contact a specific C&C server over a specific port.

Once it is installed, the malware removes its icon in order to pass under the radar.

The malware itself is not difficult for experts to analyze, as its code is neither obfuscated nor protected.

Researchers believe we can almost surely expect an uptick of distribution campaigns delivering this particular piece of malware now that the builder has been leaked, but so far they haven’t spotted any.

The good news – for cautious users, anyway – is that SpyNote requires users to give many permissions to be able to effect all of the actions mentioned above, so it’s not like it can pass unnoticed by all users.

Unfortunately, there are always going to be those who are careless or simply don’t understand what these permissions mean. For those, mobile security solutions are a good investment.
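Because the capabilities listed above each need a declared permission, a decoded AndroidManifest.xml is a cheap first triage signal: an app that requests the full spying set plus network access, and that declares a launcher entry the user no longer sees (the icon-removal behaviour described above), deserves a closer look. The script below is an added example, not code from Palo Alto Networks or from the SpyNote analysis; the mapping from capability to standard Android permission names is an assumption, and both manifests are constructed for the example (a real APK’s binary manifest would first have to be decoded with a tool such as apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article attributes to SpyNote, mapped to the permissions an
# app must request to use them. The permission names are the standard Android
# ones (assumption); they are not taken from a SpyNote sample.
CAPABILITY_PERMISSIONS = {
    "read messages":       {"android.permission.READ_SMS"},
    "monitor calls":       {"android.permission.READ_PHONE_STATE", "android.permission.RECORD_AUDIO"},
    "GPS location":        {"android.permission.ACCESS_FINE_LOCATION"},
    "exfiltrate contacts": {"android.permission.READ_CONTACTS"},
    "exfiltrate files":    {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "microphone":          {"android.permission.RECORD_AUDIO"},
    "camera":              {"android.permission.CAMERA"},
    "make calls":          {"android.permission.CALL_PHONE"},
}

LAUNCHER = """<activity android:name=".Main"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>"""

# Constructed decoded manifests (not real apps).
RAT_LIKE_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Update">{LAUNCHER}<service android:name=".Svc"/></application>
</manifest>"""

BENIGN_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Messenger">{LAUNCHER}</application>
</manifest>"""


def declared_permissions(root):
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def matched_capabilities(perms):
    """Capabilities whose full permission set is requested."""
    return [cap for cap, need in CAPABILITY_PERMISSIONS.items() if need <= perms]


def has_launcher_entry(root):
    """True if any activity or activity-alias is registered as a launcher icon."""
    for comp in list(root.iter("activity")) + list(root.iter("activity-alias")):
        for flt in comp.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            cats = {c.get(ANDROID_NS + "name") for c in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                return True
    return False


def triage(manifest_xml, threshold=4):
    """Flag apps that combine network access with `threshold` or more spying capabilities."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    caps = matched_capabilities(perms)
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "capabilities": caps,
        "launcher_entry": has_launcher_entry(root),
        "flagged": "android.permission.INTERNET" in perms and len(caps) >= threshold,
    }


def icon_hidden(result, visible_launcher_packages):
    """Manifest declares a launcher entry but the package is absent from the device's
    launcher: the icon was disabled at runtime, as the article describes."""
    return result["launcher_entry"] and result["package"] not in visible_launcher_packages


if __name__ == "__main__":
    for name, xml in (("rat-like", RAT_LIKE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        r = triage(xml)
        print(name, r["package"], r["capabilities"], "flagged" if r["flagged"] else "ok",
              "icon hidden" if icon_hidden(r, {"com.example.messenger"}) else "")
```

The threshold is deliberately a parameter: a legitimate messaging app will match two or three of these capabilities, so the combination, not any single permission, is what makes the sample stand out. The launcher check needs the list of packages actually shown on the device (the constructed `visible_launcher_packages` set stands in for that), since the manifest alone cannot show that an icon was disabled after installation.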


from Help Net Security http://ift.tt/2ajiwju

You Can Now Get Add-Ons For Google Docs and Sheets on Android


Android: Google Drive on the web comes with a ton of awesome and useful add-ons. Now, that power’s coming to Android. When using Docs or Sheets, you can install a selection of add-ons built specifically to extend the mobile apps’ functionality.

There are only a handful of add-ons so far for Docs and Sheets on Android, but they’re useful ones. Above, you can see a video for DocuSign, the service that allows you to sign documents online. You can also check out Google’s collection of add-ons here, including Scanbot, Google Classroom, and more.

Announcing Android add-ons for Docs and Sheets | Google for Work Blog via Android Police


from Lifehacker http://ift.tt/2aDeJwM

Sysadmin’s foolproof guide to fixing any computer problem

As a sysadmin you know better than everyone the mind-blowing complexity of the modern corporate network. Your company’s computer systems are a digital riddle, wrapped in a mystery emulator running in a turnkey hybrid cloud enigma.

At any time, on any day, you could find yourself staring at a unique system failure that has never, ever, ever happened anywhere before in the history of the universe. Whatever the alignment of the intermeshed, inadequately logged events that caused the glitch, slowdown, shutdown, failure, failover, fire, disaster or apocalypse, it’s your job to fix it. Now. Against the clock. Backwards. In heels.

Your job is basically impossible.

Well, no more. Today is SysAdmin Day and we’re here to help. We’ve put our heads together and come up with a simple and easy to understand guide to fixing any computer problem on any network, anywhere. Period.

Our foolproof flowchart is yours to cut out and keep:

Solve any computer problem

If you want some advice that might actually help you…

…check out our 5 tips for making life easier this SysAdmin Day.


To keep you armed and ready for Sysadmin Day and beyond,
we’re giving away stacks of IT Survival Kits.
All you have to do is tell us a story about your experience of ‘just another day in IT’.


from Naked Security http://ift.tt/2aP4FQg

European privacy advisor wants encryption without backdoors

“The confidentiality of online communications by individuals and businesses is essential for the functioning of modern societies and economies. The EU rules designed to protect privacy in electronic communications need to reflect the world that exists today,” European Data Protection Supervisor (EDPS) Giovanni Buttarelli opined after reviewing a new proposal on the ePrivacy Directive.

European privacy advisor wants encryption without backdoors

The existing ePrivacy Directive is currently under revision. The European Commission is collecting feedback on the proposal, and should prepare a new, updated version of the legislation by the end of 2016. One of the purposes of the EDPS is to advise EU institutions on policies and legislation that affect privacy.

In his opinion, the EDPS says that the scope of new ePrivacy rules needs to be broad enough to cover all forms of electronic communications irrespective of the network or service used, not only those offered by traditional telephone companies and internet service providers. Individuals must be afforded the same level of protection for all types of communication, such as telephone, Voice over IP services, mobile phone messaging apps and Internet of Things (machine to machine) communications.

The updated rules should also ensure that the confidentiality of users is protected on all publicly accessible networks, including Wi-Fi services in hotels, coffee shops, shops, airports and networks offered by hospitals to patients, universities to students, and hotspots created by public administrations.

Any interference with the right to confidentiality of communications is contrary to the European Charter of Fundamental Rights.

No communications should be subject to unlawful tracking and monitoring without freely given consent, whether by cookies, device-fingerprinting, or other technological means. Users must also have user-friendly and effective mechanisms to give, or not give, their consent. In order to better protect the confidentiality and security of electronic communications, the current consent requirement for traffic and location data must be strengthened.

The existing rules in the ePrivacy Directive protecting against unsolicited communications, such as advertising or promotional messages, should be updated and strengthened and require prior consent of the recipients for all forms of unsolicited electronic communications.

The new rules should also clearly allow users to use end-to-end encryption (without “backdoors”) to protect their electronic communications. Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited.

A new provision for organisations to periodically disclose aggregate numbers indicating EU and non-EU law enforcement or government requests for information would offer some welcome transparency in the sensitive, complex and often contentious area of government access to communications.

The new rules should complement, and where necessary, specify the protections available under the General Data Protection Regulation (GDPR). They should also maintain the existing, higher level of protection in those instances where the ePrivacy Directive offers more specific safeguards than in the GDPR.


from Help Net Security http://ift.tt/2amoo99

Business and IT decision makers are aligned on key IT trends

Business decision makers’ (BDMs) and IT decision makers’ (ITDMs) understanding of current IT trends are much closer than they are generally perceived to be, according to a new Dell State of IT Trends 2016 global study.


In the past, business and IT leaders had different levels of understanding of IT trends and technologies. However over time, business and IT leaders’ perceptions of technology have evolved and more closely aligned as new technologies have entered the market and become increasingly critical drivers of an organization’s success.

The study reveals a greater sophistication and alignment in understanding of IT trends between the two groups. The results indicate that IT and business leadership are better collaborating and having in-depth conversations about not only how technology works but how it can propel the business forward.

“There is a lingering misperception that business leaders are disconnected during strategic IT discussions, but times have changed,” said Matt Baker, executive director, Enterprise Strategy, Dell. ”This study reveals that there is an increasingly common understanding between business and IT decision makers on the key IT trends and the growth opportunities that IT can deliver.”

Key findings

In today’s data-driven economy, companies need IT that is agile, efficient, scalable and capable of responding to business applications in real time. According to the Dell State of IT Trends 2016 survey, increasing business productivity is the main IT consideration for both ITDMs (81 percent) and BDMs (77 percent), followed by growing the business (71 percent and 69 percent, respectively).

Global decision makers, in companies of all sizes and in both developed and developing markets, are most closely aligned on the following IT trends:

  • ITDMs (62 percent) and BDMs (51 percent) agree that cloud computing is the most important technology trend for their companies.
  • Eighty-eight percent of ITDMs and 80 percent of BDMs say their organization is considering adopting a software-defined data center (SDDC), is in the process of transitioning, or has already completed the transition to one.
  • By 2:1 margins, both ITDMs and BDMs say they will use more open data center technologies in the future.
  • Eighty-six percent of ITDMs and 85 percent of BDMs agree that compute-centric is the best approach to gain a flexible, scalable and open data center.

In terms of technology spending for 2016, cloud is the main priority among both ITDMs (67 percent) and BDMs (59 percent). This is followed closely by data storage upgrades or purchase (54 percent and 48 percent, respectively).


from Help Net Security http://ift.tt/2aCLxpu

IoT: A hacker’s dream come true?

There’s a lot more to the web than the cat-video-laden sites we normally see. In fact, according to most sources, the web that we can typically get to via our browser of choice represents only a small fraction of what’s out there.

This deep web is an ocean of content that is not visible to search engines and cannot be easily stumbled over – existing as it does behind locked forms, encrypted connections, and hidden systems. Yet, even within the deep web there are darker corners, where the information isn’t just difficult to find, but actively hidden, and often for good reason.

This is the dark web, the stuff of breathless news reporting and nervous collar-fingering in the halls of power. And on the dark web, along with people who legitimately don’t want the government – *any* government – peering over their shoulders, are those whose stock-in-trade are things best not discussed in polite company.

The dark web is the home of illegal sales and bot-net rental services. It’s a place you don’t get to by accident, and it exists because, if there’s anything we can guarantee about human nature, it’s that for every sunny plaza we build, there’ll be a dark alley around the corner.

And that same tendency towards misuse and misappropriation will inevitably affect that next great technology deployment, the Internet of Things (IoT). The IoT is likely to be the hacker’s dream come true: a massive expansion in technology and systems, with little oversight, no real rules, and rolled out in many cases by companies with little or no history in cybersecurity. The IoT will consist of billions of devices existing in every nook and cranny of our public, work, and private lives, constantly on, and yet without anything in the way of legislative or industry mandates to keep it safe and secure.

Most “things” will likely operate safely and securely without interference, but there will be some portion of the IoT that will attract the attention of the very same people and organizations who build botnets, steal IP, and carry out pay-for-DDOS attacks using the far less extensive internet we see now. If there is an IoT, a “dark IoT” will follow as inevitably as dusk follows dawn.

I suspect that the dark IoT will consist of a body of compromised devices that are either explicitly feeding information to illicit sources, or are perhaps lying dormant for some future use. Whether it’s commercial devices acting as vulnerable Achilles heels to a corporate network, or some city control system doing double time as a botnet, the uses for the dark IoT will evolve in the same way as the purposes for the dark web have changed.

Just like the dark web, the dark IoT will operate quietly, under the radar, without most of us knowing. And just like the dark web, once it exists, the dark IoT will likely be with us for a long, long time. Of course, the better security we build into devices now, and indeed, the better able we are to detect when a device is compromised, the more we can manage the growth of a dark IoT. Rather like weeds in a garden, it’s far easier to control the initial growth than it is to eradicate them once they are established.

The key here, I believe, is to establish a method that enables us to do two things:

1. Monitor the lifecycle and behavior of devices so that we can better understand when and if they have been compromised. This will be especially important for IoT devices that are within or around critical infrastructure.

2. Establish a method of updating security (or simply taking the device offline) once we can identify that a device has “gone over to the dark side.” This is actually more important than attempting to build in perfect security out of the box, since the complexity of the IoT will probably preclude perfect security from the start line.

If we fail to do both, we are back to playing the same fruitless blame game we’ve been playing for the past decade when it comes to general cyber security – only on a much bigger scale.

The IoT will change much about the way we use technology, but if we want to keep some degree of security and privacy, we have to accept that the human tendencies embodied in the dark web represent something too fundamental for us to expect the IoT to change.


from Help Net Security http://ift.tt/2avfiJ7

Thursday, July 28, 2016

Virtually all business cloud apps lack enterprise grade security

Blue Coat Systems analyzed apps for their ability to provide compliance, data protection, security controls and more. Of the 15,000 apps analyzed, it was revealed that 99 percent do not provide sufficient security, compliance controls and features to effectively protect enterprise data in the cloud.


Shadow data still a major threat

Their report revealed that shadow data, unmanaged content employees store and share across cloud apps, continues to remain a major threat, with 23 percent of it being broadly shared among employees and external parties. They also found that organizations are running 20 times more cloud apps than they estimate, with most using an average of 841 across their extended networks.

“The vast majority of business cloud apps we analyzed do not meet enterprise standards for security and can put companies at risk for compromise even though virtually every enterprise uses them,” said Aditya Sood, PhD and Director of Security and Elastica Cloud Threat Labs at Blue Coat. “This is troubling when you think about the financial risks faced by enterprises due to insecure or non-compliant apps. Understanding which cloud applications your employees are adopting and using is an important step to identifying which apps are business ready and which apps need to be replaced with more secure alternatives.”

GDPR: A global concern

With the adoption of the General Data Protection Regulation (GDPR), the European Commission has provided a standard for cloud application security and compliance. With the rapid adoption of cloud apps around the globe, there is heightened concern with regard to the business readiness of many apps in the European sector.


Additional findings

  • 12 percent of broadly shared documents and files contain regulated information and confidential data such as source code and legal information.
  • 95 percent of enterprise-class cloud apps are not SOC 2 compliant.
  • 63 percent of risky user activity in the cloud indicates attempts to exfiltrate data.
  • 37 percent of suspicious cloud activity indicates attempts to hack into user cloud accounts.
  • 71 percent of business cloud apps do not provide multi factor authentication.
  • 11 percent of enterprise cloud apps are still vulnerable to one or more major exploits such as FREAK, Logjam, Heartbleed, Poodle SSLv3, Poodle TLS, and CRIME.

“Adopting new cloud applications can increase a business’s productivity and enable organizations to become more agile, but with rapid migration to the cloud comes a significant number of security and regulation challenges,” said Mike Fey, President and COO at Blue Coat Systems. “An effective and comprehensive security solution must provide granular visibility and control over cloud apps and meet new cloud security regulations like the EU’s GDPR to qualify as enterprise-grade for organizations doing business in the cloud.”


from Help Net Security http://ift.tt/2aefGL0

Businesses need to protect data, not just devices

As organizations embrace the digital transformation of their business, they are increasingly facing new security concerns. More companies are moving away from device-centric, platform-specific endpoint security technologies toward an approach that secures their applications and data everywhere.


A new Citrix Qualtrics survey revealed that:

  • More than half of Citrix customers reported that they are changing the way their SecOps teams are operated because of the increase in ransomware, targeted malware and phishing attacks.
  • Just over 48 percent said that end-to-end protection of applications and data was most important to protecting their always-on business.
  • And 56 percent are looking more closely at how to simplify management and monitoring of SSL certificates.

In addition to the Citrix survey, a July 2016 Forrester Security Business Technographics report, fielded between March and May 2016, found that:

  • 62 percent of security decision makers report that they would like to accelerate their digital business in the next twelve months.
  • And 65 percent say they would like to improve application security capabilities and services.
  • 47 percent say they’re implementing or expanding IoT security in the next 12 months, but 30 percent are challenged by privacy concerns.
  • 20 percent are challenged by the compromise of sensitive data.


Secure delivery of apps and data

Physical assets are disposable. The secure delivery of apps and data is critical for businesses to ensure the safety of their sensitive information.

As more organizations embrace the digital transformation of their business and face challenges presented by emerging trends such as cloud, IoT and analytics, they will need to shift thinking away from protecting each device to securing sensitive applications and data.

Security cannot stand in the way of business

Security fears from the increase in targeted business attacks are changing the way companies conduct business. Devices are accessing information all the time – over public networks, across geographic boundaries and from the cloud – requiring IT to rethink their security and compliance approach. In fact, sixty-four percent of Citrix customers reported that their top priority as they move more data to a cloud environment is policy enforcement to meet compliance regulations.

Businesses want to adopt new technology, but are still stuck catching up on compliance regulations. By shifting away from device-level, platform-specific endpoint security solutions, businesses can more easily achieve compliance and focus on adopting new technology to improve employee productivity and reduce risk to sensitive business information.


from Help Net Security http://ift.tt/2aednba

Pwnie Express open sources IoT and Bluetooth security tools

Pwnie Express announced the availability of open sourced versions of its Blue Hydra and Android build system software. The release of these tools enables comprehensive Bluetooth detection and community-based development of Android devices for penetration testing.

Bluetooth security tools

Bluetooth detection is critical for effective device threat detection and must cover both the Low Energy (LE) and Classic Bluetooth standards. Blue Hydra has also been integrated into Pwnie’s monitoring platform, Pulse, to provide continuous Bluetooth visibility and threat detection for security teams.

The Android Open Pwn Project (AOPP) is the first Android ROM built for the purpose of penetration testing. This fully open sourced project gives users the ability to build their own mobile penetration testing platforms, based on the industry-leading Pwn Phone and Pwn Pad platforms, on almost any Android-based device from Kindles to mobile phones.

Blue Hydra

  • Continuous assessment and threat characterization of Bluetooth devices through the Pulse Platform
  • Enrichment of device personas in wired, wireless asset correlations (Pulse Platform)
  • Airodump-ng like display for nearby Bluetooth and Bluetooth low energy devices
  • Discover and track Bluetooth and Bluetooth Low Energy devices in the area, regardless of discoverability mode.

AOPP

  • Based on the Android Open Source Project (AOSP) and various community-developed ROMs, including CyanogenMod and others
  • Functionality and installation are easier for newer InfoSec users
  • Community developers can contribute to the project and port the platform to new devices

“Pwnie Express’ roots are in the open source community,” said Rick Farina, Pwnie Express Director of R&D, and co-inventor of Blue Hydra. “Developing and releasing open source tools reinforces our commitment to give back to the security community and make it easier for security teams to address the growing device threat landscape. These tools will help security professionals with Bluetooth detection which is key to effective mobile device detection in our increasingly connected and IoT world.”


from Help Net Security http://ift.tt/2azaaoJ

Hooray for Sysadmin Day!

We’ve waited a whole 12 months but finally Sysadmin Appreciation Day is here again!

Today we are celebrating the awesomeness of all the IT superheroes who keep networks secure, printers printing and those would-be-tech-disasters at bay.

To keep you armed and ready for Sysadmin Day and beyond, Sophos is giving away stacks of IT Survival Kits.

Yes, you could find yourself with a Somewhat Sarcastic Notepad, some Borderline Sarcastic IT Business Cards, and a set of Vaguely Sarcastic Tip Jar Stickers that you can leave on your desk in the hope that someone, someday, might thank you for your hard work.

All you have to do is tell us a story about your experience of ‘just another day in IT’. (And you really should watch the video while you’re there – it’s worth it just to see the dancing!)

And, for any non-sysadmins out there who aren’t quite sure what this is all about, take a tour through a typical day in the life of a Sophos sysadmin and learn the lingo so you know what you really sound like to a sysadmin.


from Naked Security http://ift.tt/2a3cepF

IOActive offers offensive security approach to risk assessment

IOActive launched its Advisory Services practice, offering strategic security consulting that leverages IOActive’s testing and research expertise to help customers better align their security programs with business objectives.

IOActive Advisory Services

While most risk management services are based primarily on legal, accounting, or audit/compliance pedigrees, IOActive is in a distinctive position to assess security programs from the perspective of actual attackers. The company’s offensive security experience provides insight to customers well before threats, countermeasures, and best practices make their way into the legal or compliance standards that form the basis for conventional advisory services.

“The launch of our new Advisory Services practice, with its adversary-based approach, gives us the ability to measure risk and provide weighted recommendations in a way that other companies are simply not equipped to provide,” explained Daniel Miessler, Director of Advisory Services at IOActive. “This approach allows organizations to allocate their limited resources in the most practical and efficient manner possible, and based on real-world risks, as opposed to compliance or published best practices.”

IOActive Advisory Services key offerings

Program efficacy assessment: A look at the real-world efficacy of an organization’s security program from the perspective of its most likely attackers. After completion of the Program Efficacy Assessment, clients receive ratings for each area of the program, with weighted recommendations for improving their real-world security posture.

Threat scenario analysis: A tabletop exercise focused on prevention, detection, and response to the most likely and dangerous scenarios. Results of this exercise highlight methods for handling these scenarios, with actionable next-step recommendations prioritized by risk.

Data security mapping: A consulting engagement that identifies and classifies company data and then maps its movement through the organization using standard business practices. This process then overlays likely threat actor methods for attacking the organization, and provides weighted recommendations for the prevention, detection, and response to these attacks.

Secure product development: A look at the complete development lifecycle of a company’s primary products. Including requirements, design, implementation, and maintenance, Advisory Services looks at the many considerations that go into creating and maintaining the security of a flagship technology product. This offering also includes multi-dimensional considerations, such as supply chain security, public vulnerability management, and more.

Adversary emulation services: A unique approach to Red Team services that focuses on reproducing the techniques, tactics, and procedures used by the threat actors an organization is likely to face in the real world, as opposed to internal, vendor preferred, or compliance-based techniques. This offering also evaluates internal Red Teams in the key areas of Organizational Independence, Defensive Coordination, Continuous Operation, Adversary Emulation, and Efficacy.

Black Hat USA 2016


from Help Net Security http://ift.tt/2azI6ms

Investigating the supply on 17 underground hacker markets

Did you ever wonder what kind of malicious offerings can be found on dark web “hacker markets,” who sells them and how widely they are available?

underground hacker markets

Three researchers from Arizona State University have wondered as well, and have scraped 17 such markets for six months for information about the tools and services offered, to create a general picture of the supply and demand in this particular industry.

A combination of automated (scraping and data clustering) and manual (labeling) labor that concentrated on the product title/name for indication about its capabilities and features has revealed that many items are cross-posted and nearly identical.

All in all, they found a total of 16122 products sold by 1332 vendors.

They identified 34 distinct categories of offerings – from email hacking tools to data dumps, PoS malware to physical layer hacking services, exploit kits and invitations to hacking groups to access to RDP servers and RATs.

Here is the complete list, including a calculation of market and vendor entropy:

[Table image: the 34 product categories with their market and vendor entropy values]

A low marketplace entropy for a given cluster means these types of products were mainly found in a particular marketplace. Likewise, a low vendor entropy means the cluster’s products were mainly sold by a particular vendor.
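To make the entropy reading concrete, here is an added example (not code from the Arizona State University study) that computes marketplace and vendor entropy per product cluster over a small constructed set of listings. It assumes Shannon entropy in bits, which is the usual choice; the exact formula the researchers used is not stated on the page. The cluster, market and vendor names are made up.

```python
from collections import Counter
from math import log2

# Constructed sample listings: (cluster, marketplace, vendor). These are
# made-up names and counts, not data from the Arizona State University scrape.
SAMPLE_LISTINGS = [
    # Keylogger: spread evenly over 4 markets and 8 vendors -> high entropy on both axes
    ("Keylogger", "market-A", "vendor-1"), ("Keylogger", "market-A", "vendor-2"),
    ("Keylogger", "market-B", "vendor-3"), ("Keylogger", "market-B", "vendor-4"),
    ("Keylogger", "market-C", "vendor-5"), ("Keylogger", "market-C", "vendor-6"),
    ("Keylogger", "market-D", "vendor-7"), ("Keylogger", "market-D", "vendor-8"),
    # Hacking Tools: on every market, but 6 of 8 listings come from one vendor -> low vendor entropy
    ("Hacking Tools", "market-A", "org-X"), ("Hacking Tools", "market-A", "org-X"),
    ("Hacking Tools", "market-B", "org-X"), ("Hacking Tools", "market-B", "org-X"),
    ("Hacking Tools", "market-C", "org-X"), ("Hacking Tools", "market-C", "org-X"),
    ("Hacking Tools", "market-D", "org-Y"), ("Hacking Tools", "market-D", "org-Y"),
    # Links: four vendors, but every listing sits on one market -> zero market entropy
    ("Links", "market-A", "vendor-1"), ("Links", "market-A", "vendor-2"),
    ("Links", "market-A", "vendor-3"), ("Links", "market-A", "vendor-4"),
]


def shannon_entropy(counts):
    """Shannon entropy in bits of a frequency distribution given as raw counts."""
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum((c / total) * log2(c / total) for c in counts if c > 0)


def cluster_entropies(listings):
    """Return {cluster: (market_entropy, vendor_entropy)} for an iterable of listings."""
    markets = {}
    vendors = {}
    for cluster, market, vendor in listings:
        markets.setdefault(cluster, Counter())[market] += 1
        vendors.setdefault(cluster, Counter())[vendor] += 1
    return {
        c: (shannon_entropy(markets[c].values()), shannon_entropy(vendors[c].values()))
        for c in markets
    }


def describe(market_h, vendor_h, low=1.0):
    """Plain-language reading of an entropy pair; the 1-bit cut-off is an assumption."""
    where = "concentrated on one or two markets" if market_h < low else "spread across markets"
    who = "sold by a few vendors" if vendor_h < low else "sold by many vendors"
    return f"{where}, {who}"


if __name__ == "__main__":
    for cluster, (mh, vh) in sorted(cluster_entropies(SAMPLE_LISTINGS).items()):
        print(f"{cluster:14s} market H={mh:.2f} bits  vendor H={vh:.2f} bits  -> {describe(mh, vh)}")
```

One caveat when reading such numbers: entropy grows with the number of distinct markets or vendors a cluster could occupy, so a cluster with 400 listings can reach higher values than one with 10. Comparing clusters of very different sizes is fairer after dividing by log2 of the number of distinct markets (or vendors) seen, which rescales each value to the 0..1 range.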

These numbers allowed the researchers to come to some interesting conclusions.

They posited that:

  • The low market entropy for the Links cluster likely means that many markets “discourage the re-selling of lists of links, as much of this information can be found on dark web Wiki’s for free.”
  • The low vendor entropy for the Hacking Tools cluster indicates that only a few vendors sell them. “Specifically, only 2 vendors author 416 (50%) of this type of products. At first glance, this may be surprising as this appears to be a very general group. However, upon inspection of the contents, we find that many authors of these products are actually organizations,” the researchers shared. “We also note one of the most prominent vendors in this cluster was itself a marketplace – which is also reflected in the low marketplace entropy.”
  • The high market and vendor entropy for the Facebook and Keylogger clusters indicate that there are many vendors selling these types of malware on most of the scraped markets. While the widespread prevalence of keyloggers is not surprising, they say, the similarity in those two clusters’ trends might indicate an “increase in demand for Facebook-directed social media hacking products and information.”

The group acknowledged the limitations of their current research, and is planning further research with other methods that should make the picture clearer, including an investigation into the underlying social network of vendors.


from Help Net Security http://ift.tt/2aeuJc3

Mr. Robot eps2.2init1.asec.mkv – the security review


This episode starts with the origin stories of Mr. Robot and the big hack against Evil Corp, and it was a pretty psychological episode overall.

As is the hallmark of this series, it was hard to know when and where we were, and if what we were seeing was actually reality. I do my best to keep accurate notes while the show airs, but if I get a detail wrong – the show is confusing enough! – please let me know in the comments.

In the meantime, there were a few winks to security concepts here that are worth mentioning, if only to acknowledge them. As always, this post is spoiler-riffic, so proceed with caution.

[SPOILER ALERT]


“I’m going to hack the FBI”

The last few seconds of this episode, Elliot says these foreboding words, and we see on his screen a news headline: “FBI gives up Blackberry for Android.”

The US Federal government indeed started to back away from using Blackberry over the past few years, so using Android as a theoretical attack vector against the FBI is at least plausible.

No doubt Elliot would use a vulnerability in Android to make his hack happen. Keep in mind that phone operating systems aren’t something corporations or individuals can update – they’re at the mercy of the carrier to roll out updates, and many carriers are notoriously slow to send patches out to their customers. (Motorola just confirmed it won’t roll out monthly security updates.)

And yes, the Android OS has some significant vulnerabilities, so Elliot theoretically has a number of opportunities to find something he could exploit.

But it wouldn’t be surprising if the government has its own way of rolling out security updates to federal employees, circumventing the carriers completely. (I would imagine it’s a requirement!) So that could be a bit of a roadblock for our anti-hero.

Nonetheless, the title of this episode, eps2.2init1.asec, is probably a hint at how Elliot might go about with a hack: An .asec file is an encrypted Android package. A vulnerability that allows privilege escalation attacks via Android OSes that support .asec was disclosed in 2014, so perhaps we’ll see Elliot exploit a similar vulnerability in an upcoming episode.

Elliot and the red team

We knew back in season one that Elliot worked as an information security professional as his day job for some time. In this episode we heard him define his work in an interesting way – his job was to “keep hacking until it’s hacker-proof.”

This was a nice, succinct way to explain penetration testing, which might sound a bit naughty, but it’s a grouping of security practices where a “good guy” attacks an organization in the same ways a criminal might to uncover the organization’s defensive weak spots.

Colloquially, offensive security professionals (including penetration testers) are called the red team, whereas their counterparts that focus on the defensive side of security are the blue team. It’s not a surprise that Elliot used his hacking prowess for legitimate employment; in fact, I’m sure it made him very good at his job!

Attacker attribution is a tricky business

Mid-episode, Darlene tries to determine who’s responsible for recent attacks – one of the theories is that the Chinese hacker group DarkArmy might be responsible. But the idea is quickly shot down, as the attacks had no clear financial benefit for this money-motivated group.

True to life, trying to find out who’s behind a major cyberattack is never as straightforward as it seems – attacker attribution is notoriously difficult. Sometimes when the motivation is clear – like making a bundle of cash quickly – it can be a bit more straightforward, but attackers work hard to cover their tracks and even attempt to make another party look guilty.

Other references of note

  • At the beginning of the episode, Darlene mentions she hacked the proxy for Postmates in order to basically get free food for life. The Verge dives into this in some detail about how it would work, if you’re curious [auto-play video warning].
  • The title of this episode references a bit of dialog we hear towards the end, about one of the first commands Elliot apparently taught Darlene: init1. This UNIX command is a run level command, meaning it defines what the operating system will run. Init1 is called “single-user mode,” and in this mode the computer will only run the most basic, barebones programs. It’s an administrative mode, but it’s also what you’d run when you are trying to do maintenance on a machine that needs serious fixing. It will be interesting to see if this concept echoes in further episodes, given how broken Elliot seems to be right now.
  • It was quite nostalgic to see Elliot SSHing in to an IRC channel. IRC is a chat and file-sharing system that was especially popular in the 90s, but it hasn’t gone away by a long shot – it’s still quite popular with programmers, hackers, geeks and the like as a versatile and powerful alternative to mainstream social networks.

What did you think of this episode? Are you following along or are all the jumps getting a bit confusing? (Do you think “Operation Berenstain” is a reference to the Berenstein/Berenstain “parallel universe” theory?)


Image courtesy of USA Network.


from Naked Security http://ift.tt/2a21CqY

Media-stealing Android app targets developers

Symantec researchers have unearthed another app on Google Play that secretly steals photos and videos from victims’ mobile devices.

media-stealing Android app

But the curious thing is that it’s not an app that would attract a massive number of random users, but a very specific subset: web and app developers.

The app, named HTML Source Code Viewer and created by Sunuba Gaming, requests, among other things, permissions to access the device’s external storage.

Before being flagged as malicious and removed by Google from the app store, it was downloaded by at least 1,000 and possibly up to 5,000 users.

It targets all versions of Android after and including Gingerbread.

The researchers discovered that the app “posts files stored on the device in /DCIM/Camera/ and /DCIM/100LGDSC” (standard photo and video storage locations) to a web server hosted on proqnoz.info.

“A look on this server revealed a wealth of personal media files dating as far back as March, 2015,” they noted, and posited that the collected media files could, at one point in the future, be used “for blackmailing, ransomware attacks, identity theft, pornography, and other forms of victimization.”

As per usual, users are advised to be careful when downloading apps, even from official, well-protected app stores like Google Play. A critical look at the permissions they ask is supremely important.


from Help Net Security http://ift.tt/2aMgoiD

How Google protects the Android kernel, and future plans

On Wednesday, Jeff Vander Stoep of Google’s Android Security team took to the official Android Developers blog and shared some information about the defenses they have already implemented in Android, and some that they are currently working on.

Android security

Memory protections that they have introduced include:

  • Segmentation of kernel memory into sections with restrictive page access permissions: code is marked read-only and executable, while data sections are marked no-execute and further split into read-only and read-write sections,
  • Prevention of the kernel directly accessing userspace memory, and
  • Improved protection against stack buffer overflows.

The attack surface reduction solutions they opted for encompass the removal of default access to debug features, an additional sandboxing mechanism that allows a process to restrict system calls, and restricting apps from accessing a set of commands.

And, as a testament to the fact that Google is not underestimating the attackers’ capabilities of coming up with ways to exploit and bypass already present protections, the Android Security team is already working on:

  • Improvements to existing defenses (further sandbox tightening)
  • Completely new ones (runtime and compiler defenses for the upstream kernel), as well as
  • Projects that will ultimately help them with the bug hunting process.

I don’t know about you, but for me it’s always good to hear about the concrete measures the manufacturers of the devices we use daily are taking to protect us.


from Help Net Security http://ift.tt/2asrIla

Wednesday, July 27, 2016

Review: True Key for iOS

I’ve been using 1Password for years – both their desktop and mobile products. Although it works fine, I was curious to see what alternatives I could use on my iPhone. After some hits and misses, I installed the True Key personal password manager, which is developed by Intel Security and offered for free.

True Key in action

I am not what you would call an avid user of iOS applications. I’ve tried and/or tested hundreds of apps, but on a daily basis I use maybe 5 or 6 of them.

Most developers don’t put much thought into the aesthetics and core functionality of their mobile apps, but True Key for iOS is one of the best-looking applications I’ve come across in a long time.

As far as bugs are concerned, I only discovered a small issue with filling Pinterest credentials into Safari when I tested random predefined password templates – everything else worked as intended.

True Key

True Key for iOS is very easy to use and its graphical user interface is clean and intuitive. It works great whether you are browsing and filling passwords from inside the app, or you are using the Add feature from Safari.

The app’s launchpad comes with a predefined set of 30 popular web application templates, but you can always add a new login combination from the extensive searchable list, or set up a new one.

Other functionality includes generating complex passwords, managing secure notes, and adding personal data inside the application’s wallet.


Multi-factor authentication

By default, every True Key account has a master password that is used to log into the application. Intel Security calls this Basic authentication and encourages users to increase security by switching to Advanced authentication, for which they can choose one of the following combos: face biometrics & master password, master password & Touch ID, and Face & Touch ID.

Face recognition is used by a number of iOS security applications and, in my opinion, it’s a very bad idea to use it as the only form of authentication, as printing a headshot of the user and placing it in front of the camera will always fool the system. Aside from the standard Face option, True Key can also record what they call Enhanced Face. This requires a turn of your head left and right so more unique physical spots can be detected, automatically enhancing the security of the authentication process.


Expanding True Key on other devices

While I was just interested in the iOS application, there is also a desktop version of True Key. It can be run on Windows and Mac OS X and, as can be seen on the product homepage, it has the same slick look and feel of the mobile app.

The (desktop) product can be used free of charge for up to 15 saved logins – a premium subscription is needed if you need to surpass that number. I’ve created 17 logins within True Key for iOS without needing to upgrade, so I presume that the mobile version is free without any restrictions.

When choosing a password manager, there are a couple of things to take into consideration: ease of use, expected functionality, authentication methods, and the overall look and feel of the application. True Key excels at all of these things.


from Help Net Security http://ift.tt/2agjk8G

Cybersecurity talent crisis continues, technical skills in high demand

Intel Security, in partnership with the Center for Strategic and International Studies (CSIS), has released a global report outlining the talent shortage crisis impacting the cybersecurity industry across both companies and nations. 82 percent of respondents admit to a shortage of cybersecurity skills, with 71 percent of respondents citing this shortage as responsible for direct and measurable damage to organizations whose lack of talent makes them more desirable hacking targets.

cybersecurity talent crisis

Cybersecurity workforce shortages by country and skillset

“A shortage of people with cybersecurity skills results in direct damage to companies, including the loss of proprietary data and IP,” said James A Lewis, senior vice president and director of the Strategic Technologies Program at CSIS. “This is a global problem. A majority of respondents in all countries surveyed could link their workforce shortage to damage to their organization.”

Workforce shortage

In 2015, 209,000 cybersecurity jobs went unfilled in the United States alone. Despite 1 in 4 respondents confirming their organizations have lost proprietary data as a result of their cybersecurity skills gap, there are no signs of this workforce shortage abating in the near-term. Respondents surveyed estimate an average of 15 percent of cybersecurity positions in their company will go unfilled by 2020. With the increase in cloud, mobile computing and the Internet of Things, as well as advanced targeted cyberattacks and cyberterrorism across the globe, the need for a stronger cybersecurity workforce is critical.

“The security industry has talked at length about how to address the storm of hacks and breaches, but government and the private sector haven’t brought enough urgency to solving the cybersecurity talent shortage,” said Chris Young, senior vice president and general manager of Intel Security Group. “To address this workforce crisis, we need to foster new education models, accelerate the availability of training opportunities, and we need to deliver deeper automation so that talent is put to its best use on the frontline. Finally, we absolutely must diversify our ranks.”

Demand for cybersecurity professionals still high

The demand for cybersecurity professionals is outpacing the supply of qualified workers, with highly technical skills the most in need across all countries surveyed. In fact, skills such as intrusion detection, secure software development and attack mitigation were found to be far more valued than softer skills including collaboration, leadership and effective communication.


Cybersecurity salary premium (annual average salary from survey compared to OECD average annual wages)

This report studies four dimensions that comprise the cybersecurity talent shortage, which include:

1. Cybersecurity spending: The size and growth of cybersecurity budgets reveals how countries and companies prioritize cybersecurity. Unsurprisingly, countries and industry sectors that spend more on cybersecurity are better placed to deal with the workforce shortage, which according to 71 percent of respondents, has resulted in direct and measurable damage to their organization’s security networks.

2. Education and training: Only 23 percent of respondents say education programs are preparing students to enter the industry. This report reveals non-traditional methods of practical learning, such as hands-on training, gaming and technology exercises and hackathons, may be a more effective way to acquire and grow cybersecurity skills. More than half of respondents believe that the cybersecurity skills shortage is worse than talent deficits in other IT professions, placing an emphasis on continuous education and training opportunities.

3. Employer dynamics: While salary is unsurprisingly the top motivating factor in recruitment, other incentives are important in recruiting and retaining top talent, such as training, growth opportunities and reputation of the employer’s IT department. Almost half of respondents cite lack of training or qualification sponsorship as common reasons for talent departure.

4. Government policies: More than three-quarters (76 percent) of respondents say their governments are not investing enough in building cybersecurity talent. This shortage has become a prominent political issue as heads of state in the U.S., U.K., Israel and Australia have called for increased support for the cybersecurity workforce in the last year.

Recommendations for moving forward

  • Redefine minimum credentials for entry-level cybersecurity jobs: accept non-traditional sources of education
  • Diversify the cybersecurity field
  • Provide more opportunities for external training
  • Identify technology that can provide intelligent security automation
  • Collect attack data and develop better metrics to quickly identify threats.


from Help Net Security http://ift.tt/2asbatA

Infection Monkey: Test a network from an attacker’s point of view

Infection Monkey, a tool designed to test the resiliency of modern data centers against cyber attacks, was developed as an open source tool by GuardiCore’s research group.

Infection Monkey

“Traditional testing tools are no longer able to effectively detect vulnerabilities in today’s data center networks as they cannot continuously exploit the weakest link and propagate in-depth, resulting in a very partial view of network vulnerabilities,” said Pavel Gurvich, CEO of GuardiCore.

How Infection Monkey works

Infection Monkey is a self-propagating testing tool that is able to identify and visualize the path of least resistance in the data center network. It scans the network, checking for open ports and fingerprinting machines using multiple network protocols.

After detecting accessible machines, it attempts to attack every single machine using methods such as intelligent password guessing and safe exploits. It does this by leveraging available data on systems it has breached, such as stolen credentials, to automatically spread and infect other machines, clearly highlighting all vulnerable systems in its path.

Infection Monkey provides detailed information about the specific vulnerability exploited and the effect vulnerable segments can have on the entire network, giving security teams the insights they need to make informed decisions and enforce tighter security policies. It is designed to be 100 percent safe, with no reconnaissance or propagation features that can impact server or network stability.

Infection Monkey at Black Hat USA 2016

GuardiCore’s research group leader Ofri Ziv will present “Unleash the Infection Monkey: A Modern Alternative to Pen-Tests” at Black Hat USA 2016 on August 3. During his session Ziv will discuss the shortcomings of current approaches and address how Infection Monkey can be of value to today’s security teams, provide a glimpse of the tool running in an unsecured environment and offer use cases for real-world security testing scenarios.


from Help Net Security http://ift.tt/2a1kqGJ

Global network shares phishing attack intelligence in real-time

IRONSCALES, a multi-layered phishing mitigation solution that combines human intelligence with machine learning, today announced the launch of Federation, a product that will automatically and anonymously share phishing attack intelligence with organizations worldwide.

phishing attack intelligence

“Instantaneous sharing of phishing attack intelligence will make it substantially easier for enterprises and organizations to consistently remain secure and in control,” said Eyal Benishti, CEO of IRONSCALES.

IRONSCALES’ employee-based intrusion prevention system is the first phishing solution with an automatic one-click mitigation response. This functionality makes it possible for IRONSCALES to expedite the time from attack to remediation from weeks to seconds, without ever needing the SOC team’s involvement.

IRONSCALES first challenges all users with a series of staged, real-world email attacks in order to evaluate their individual level of awareness. Based on an analysis of performance, a tailored phishing training campaign, using advanced simulation and gamification, is created to maximize individual awareness and responsiveness to social engineering techniques.

Once trained, vigilant employees, upon suspicion of a phishing attack, can trigger a real-time automated forensic review through the click of just one button, without requiring active SOC team participation.

Within minutes, forensics is completed, and an intrusion signature is sent directly to both endpoints, email servers and the SIEM, which then triggers an immediate enterprise-wide automatic mitigation response, such as quarantines, disabling of links and attachments, and even permanent removal of email, protecting the entire organization from the attack.

Important event information is then automatically and anonymously shared via Federation to ensure the same attack won’t hit any other company under IRONSCALES protection.


from Help Net Security http://ift.tt/2abwWjp

Microsoft Pix for iOS Automatically Snaps and Edits Photos for the Best Possible Picture


iOS: Microsoft released a camera app for the iPhone whose main goal is to make it a little easier to take better photos without any extra effort from you.

Microsoft Pix is all about automatically taking the best photo. When you snap a picture, it looks at what’s in frame, then adjusts focus, color, and exposure. It also snaps a burst of shots before and after you tap the shutter button, so if you’re shooting a moving object you’ll have a selection of images to choose from. This burst method also helps if you’re a little shaky with the photo, as it’ll pick the most stable image from the bunch. Speaking of motion, Pix automatically creates a short looping video much like Apple’s Live Photos anytime it detects motion.

Pix is not exactly a miracle worker, but with moving objects or simple photography problems like backlighting, Pix seems to do a good job of correcting photos. Seasoned photographers don’t really need this, but for the everyday user, Pix is useful to have around.

Microsoft Pix (Free) | iTunes App Store via Gizmodo


from Lifehacker http://ift.tt/2a5ePuP

Google Play Family Library Shares Your Apps, Movies, and TV Shows with Six Accounts


Google’s launching a new family feature for Google Play today called Family Library. With it, you can share your purchased movies, books, TV shows, music, and apps across multiple devices.

Once you sign up for the plan, you can select which family members get access to the account and begin sharing right away. You will get granular control too, so you can choose your own credit card for select purchases, only share specific content, and set the default sharing behavior.

The rollout starts in the U.S. and will be available in Australia, Brazil, Canada, Germany, France, Japan, Ireland, Mexico, New Zealand, and the United Kingdom.

Google Play Family Library


from Lifehacker http://ift.tt/2a08XqM

KeySniffer – here’s what you need to know


A few months ago, US startup Bastille Networks announced research that showed how some wireless computer mice could be hacked by intercepting and manipulating the signals between the devices and your computer.

Now, Bastille has focused its efforts on wireless keyboards, and found that the situation was, well, worse.

Last time, they dubbed their attack Mousejacking. They’re branding this one KeySniffer.

Similar to Bastille’s previous Bug With An Impressive Name (or BWAINs, as we call them), keyboards that have the KeySniffer vulnerability transmit information unencrypted.

This means all keystrokes sent are in plaintext and can be easily read and recorded by anyone with the right eavesdropping hardware.

This means that while you log in to your bank account and type away on your wireless keyboard, an attacker hundreds of feet away could find out what your credentials are, just by using inexpensive equipment (such as the $30 Crazyradio PA dongle) to intercept the wireless traffic between your keyboard and your computer.

Note that this is a passive attack – the attackers only need to listen in, and not to transmit at all – so you would have absolutely no way of knowing this was happening.

How widespread is the KeySniffer problem?

The Bastille research team found that eight of the twelve manufacturers whose keyboards they tested had this vulnerability. That may not sound like a large sample size, but these were all fairly common keyboards made by well-known manufacturers, such as HP.

Unfortunately, the researchers also found that the vulnerable keyboards can’t be patched or updated, meaning there’s no fix or update to install to secure a wireless keyboard that is vulnerable to KeySniffer. The only fix for a vulnerable keyboard is to stop using it.

This isn’t the first time that wireless keyboards have been found vulnerable to their traffic being “sniffed” by attackers. That almost makes it worse, since this isn’t anything new at all, so the fact that manufacturers are still making keyboards with this problem is worrisome indeed.

What to do?

  • Does your wireless keyboard require a USB dongle? (If not, and it’s a Bluetooth keyboard, then the KeySniffer research doesn’t apply to you at all.)
  • Is your keyboard on Bastille’s list of affected devices?

If “Yes” and “Yes,” it looks as though you aren’t going to be able to download an update or patch.

If you want to avoid the vulnerability you will have to switch to a different sort of keyboard, or one that isn’t on Bastille’s list.


from Naked Security http://ift.tt/2abXYvK

Obama defines how the US government will respond to cyber incidents

US president Barack Obama approved on Tuesday the Presidential Policy Directive on United States Cyber Incident Coordination (PPD-41).


What’s the PPD-41 all about?

It’s not a secret that the US has been faced with managing increasingly significant cyber incidents affecting both the private sector and Federal government, and the private sector has been clamouring for more clarity and guidance about the Federal government’s roles and responsibilities.

The PPD-41 is especially geared towards defining the Federal government’s response to “significant” cyber incidents, i.e. incidents that can “result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”

The directive is based on five principles that will guide the government during any cyber incident response:

  • Shared responsibility (between individuals, the private sector, and government agencies)
  • Risk-based response
  • Respect of affected entities (both their privacy and civil liberties)
  • Unity of effort (whichever agency first becomes aware of a cyber incident notifies the others, and then a choice is made as to which one will respond to that particular incident), and
  • Enabling restoration and recovery (be mindful of the need of the affected entity to return to normal operations as quickly as possible).

But it is the “unity of effort” and “shared responsibility” principles that this directive covers most thoroughly, as it essentially defines how the various agencies are expected to work together when responding to such incidents.

For example, it defines that “Departments of Homeland Security and Justice shall maintain and update as necessary a fact sheet outlining how private individuals and organizations can contact relevant Federal agencies about a cyber incident.”

Or, that “the Department of Justice, acting through the FBI and the National Cyber Investigative Joint Task Force, shall be the Federal lead agency for threat response activities,” and “the Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center, shall be the Federal lead agency for asset response activities.”

More details about the directive can also be found in this fact sheet.

Why is the directive a good idea?

“It may seem procedural, but it’s a big deal to clearly lay out roles for law enforcement, DHS, and the IC – that will make responding to breaches smoother and faster. It’s not easy to work through dividing responsibilities like this, so it’s great that they got it out the door,” Nathaniel Gleicher, Head of Cybersecurity Strategy at Illumio, commented on the release of the directive for Help Net Security.

“But the most interesting part for me is the severity schema that they create for assessing the impact of cybersecurity incidents,” he pointed out.

“We tend to have a hard time judging how serious intrusions are because there’s no consistent framework to judge them. What’s more serious – a breach that costs a company millions of dollars, a breach that exposes the personal information of thousands of people, or a breach that exposes an organization to massive embarrassment? Without a single baseline, you’ll get different organizations reacting in very different ways, which undermines our ability to mitigate and deter major intrusions.”

“This schema is only one way of judging this – from the perspective of the US government – but having a framework begins to create that common baseline for judging future intrusions,” he noted. “Depending on how the facts play out, the DNC hack is probably a level 3 intrusion on the schema. Which is useful for putting it in perspective.”


from Help Net Security http://ift.tt/2a9pEgQ

Runkeeper Now Lets You Create Running Groups to Keep Each Other Accountable


iOS/Android: When you’re the only one paying attention to your workout, it’s easy to slip and let your habits drop. Runkeeper aims to fix this by letting you create groups to help you and your friends challenge each other.

In the new app, you can invite your friends to create a running group and add a challenge for everyone. You can choose challenges for things like total distance over a month or runs per week. Everyone in the group will get notifications when you complete runs, and there’s a built-in chat to keep groups communicating.

Runkeeper | Google Play Store via Runkeeper

Runkeeper | iTunes App Store


from Lifehacker http://ift.tt/2awzVqZ

Osram’s intelligent home lighting system is riddled with flaws

“Intelligent” home lighting system Osram Lightify sports a number of security vulnerabilities, some of which could lead to compromise of the product and the users’ home or office network, Rapid7 researcher Deral Heiland has found.


How does Osram Lightify work?

“This lighting system begins with a wireless gateway that can be plugged into your standard wall outlet anywhere in your home or business and syncs wirelessly with your existing Wi-Fi network. The gateway connects to Lightify devices up to 50 per each gateway via the standard ZigBee home automation protocols,” reads the product description.

“The free Lightify application runs on devices with Apple iOS7 or above and Android 4.1 or above. You can also use other useful home apps such as SmartThings, Nest and Wink to control this lightbulb.”

What’s the problem?

The nine vulnerabilities Heiland found affect both the Home and Pro versions of the system. Some affect the mobile app, some the gateway, some the web management console, and some affect all of the devices that make the system.

They could allow attackers to discover the WiFi WPA pre-shared key of the user’s home WiFi, as well as the network’s password, launch browser-based attacks against the authenticated user’s workstation, access confidential data, and fiddle with the light installations.

More details about each of the flaws can be found in this blog post.

“At the time of this disclosure’s publication, the vendor has indicated that all but the lack of SSL pinning and the issues related to ZigBee rekeying have been addressed in the latest patch set,” Heiland shared.

Why is this important?

Aside from annoying us when they fail at the most inopportune moment for some reason that is arcane to most of us, smart office and home devices can also introduce new avenues for remote exploitation and permanent compromise of enterprise and home networks.

And if we, and the infosec industry in general, talk a lot about the insecurity of the so-called Internet of Things, it’s because we are increasingly surrounded by and dependent on it.

We owe a lot to security researchers who take the time and effort to test the security of these devices, as most manufacturers don’t seem to yet consider it a very important thing. Why? Well, mostly because consumers still don’t.


from Help Net Security http://ift.tt/2aJNyPP

LastPass zero-day can lead to account compromise

A zero-day flaw in the popular password manager LastPass can be triggered by users visiting a malicious site, allowing attackers to compromise the user’s account and all the sensitive information in it.


The discovery was made by Google Project Zero researcher Tavis Ormandy who, after probing a slew of AV solutions and finding serious security holes in them, has apparently set his sights on widely used password management solutions.

Aside from that flaw, he also found “a bunch of obvious critical problems,” but responsibly chose not to share publicly any more details about any of the flaws until the developers have a chance to fix them.

The full report on the issues has been sent to LastPass, and it now remains to be seen whether the company patches the holes as quickly as users expect it to.

According to The Register, there is no news of in-the-wild attacks exploiting the flaw that can lead to remote compromise of LastPass accounts.

About LastPass

LastPass was acquired by LogMeIn in 2015, and the company has plans to bring capabilities of its early identity management investments, including those of Meldium, which it acquired in September 2014, into LastPass.

“In the near-term, both the Meldium and LastPass product lines will continue to be supported, with longer-term plans to centre around a singular identity management offering based on the LastPass service and brand,” the company noted at the time.

Being receptive to the type of research Ormandy is performing and doing its own security testing should be of great importance to the company. Keeping attackers out of their networks and away from users’ data should also be a priority.

What’s next for Ormandy?

The Twitter comments to the revelation show that many security-minded users steer clear of LastPass, as they don’t trust a service that stores passwords in the cloud, and some have previously found bugs in the software that they believe have never been fixed.

Judging by the comments, many use 1Password as their password manager of choice, and asked Ormandy to analyze it (he promised he would). Others have nominated Enpass, KeePass, PasswordSafe, and Dashlane Password Manager.


from Help Net Security http://ift.tt/2ad8RYm

Sophisticated ransomware: New tactics to maximize profit

Organizations are unprepared for future strains of more sophisticated ransomware, according to the Cisco 2016 Midyear Cybersecurity Report. Fragile infrastructure, poor network hygiene, and slow detection rates are providing ample time and air cover for adversaries to operate.


Top 10 malware families detected by month

So far in 2016, ransomware has become the most profitable malware type in history. Cisco expects to see this trend continue with even more destructive ransomware that can spread by itself and hold entire networks, and therefore companies, hostage. New modular strains of ransomware will be able to quickly switch tactics to maximize efficiency. For example, future ransomware attacks will evade detection by being able to limit CPU usage and refrain from command-and-control actions. These new ransomware strains will spread faster and self-replicate within organizations before coordinating ransom activities.

“The truth is that many organisations probably don’t see themselves as ‘high value targets’ for attackers and it’s likely that they have very minimal protection or staff training and awareness. However, many malicious actors will consider these businesses as easy targets and will look to hold organisations to ransom through a ‘soft attack’ that compromises its data,” Rob Norris, Director of Enterprise & Cyber Security in EMEIA at Fujitsu, told Help Net Security.

Visibility challenges

Visibility across the network and endpoints remains a primary challenge. On average, organizations take up to 200 days to identify new threats. Cisco’s median time to detection (TTD) continues to outpace the industry, hitting a new low of approximately 13 hours to detect previously unknown compromises for the six months ending in April 2016.

This result is down from 17.5 hours for the period ending in October 2015. Faster time to detection of threats is critical to constrain attackers’ operational space and minimize damage from intrusions. This figure is based on opt-in security telemetry gathered from Cisco security products deployed worldwide.

The underground continues to innovate

As attackers innovate, many defenders continue to struggle with maintaining the security of their devices and systems. Unsupported and unpatched systems create additional opportunities for attackers to easily gain access, remain undetected, and maximize damage and profits. The Cisco 2016 Midyear Cybersecurity Report shows that this challenge persists on a global scale.

While organizations in critical industries such as healthcare have experienced a significant uptick in attacks over the past several months, the report’s findings indicate that all vertical markets and global regions are being targeted. Clubs and organizations, charities and non-governmental organizations (NGOs), and electronics businesses have all experienced an increase in attacks in the first half of 2016. On the world stage, geopolitical concerns include regulatory complexity and contradictory cybersecurity policies by country. The need to control or access data may limit and conflict with international commerce in a sophisticated threat landscape.

“Cyber-criminals continue to be incredibly innovative, and more often than not have access to the same defensive technology as the networks they are attacking, so it is imperative for organisations to leverage their human security resources to proactively identify threats. This is key to decreasing time to detection, and can be the difference between stopping an attack in its tracks or sacrificing valuable data,” says Richard Brown, Director EMEA Channels & Alliances at Arbor Networks.

Attacker profits skyrocket

For attackers, more time to operate undetected results in more profits. In the first half of 2016, Cisco reports, attacker profits have skyrocketed due to the following:

Expanding focus: Attackers are broadening their focus from client-side to server-side exploits, avoiding detection and maximizing potential damage and profits.

  • Adobe Flash vulnerabilities continue to be one of the top targets for malvertising and exploit kits. In the popular Nuclear exploit kit, Flash accounted for 80 percent of successful exploit attempts.
  • Cisco also saw a new trend in ransomware attacks exploiting server vulnerabilities – specifically within JBoss servers – of which, 10 percent of Internet-connected JBoss servers worldwide were found to be compromised. Many of the JBoss vulnerabilities used to compromise these systems were identified five years ago, meaning that basic patching and vendor updates could have easily prevented such attacks.

Evolving attack methods: During the first half of 2016, adversaries continued to evolve their attack methods to capitalize on defenders’ lack of visibility.

  • Windows Binary exploits rose to become the top web attack method over the last six months. This method provides a strong foothold into network infrastructures and makes these attacks harder to identify and remove.
  • During this same timeframe, social engineering via Facebook scams dropped to second from the top spot in 2015.

Covering tracks: Contributing to defenders’ visibility challenges, adversaries are increasing their use of encryption as a method of masking various components of their operations.

  • Cisco saw an increased use of cryptocurrency, Transport Layer Security and Tor, which enables anonymous communication across the web.
  • Significantly, HTTPS-encrypted malware used in malvertising campaigns increased by 300 percent from December 2015 through March 2016. Encrypted malware further enables adversaries to conceal their web activity and expand their time to operate.


Software hygiene overview

Defenders struggle to reduce vulnerabilities, close gaps

In the face of sophisticated attacks, limited resources and aging infrastructure, defenders are struggling to keep pace with their adversaries. Data suggests defenders are less likely to address adequate network hygiene, such as patching, the more critical the technology is to business operations. For example:

  • In the browser space, Google Chrome, which employs auto-updates, has 75 to 80 percent of users using the newest version of the browser, or one version behind.
  • When we shift from looking at browsers to software, Java sees slow migrations with one-third of the systems examined running Java SE 6, which is being phased out by Oracle (the current version is SE 10).
  • In Microsoft Office 2013, version 15x, 10 percent or less of the population of a major version are using the newest service pack version.

In addition, Cisco found that much of the infrastructure it examined was unsupported or operating with known vulnerabilities. This problem is systemic across vendors and endpoints. Specifically, Cisco researchers examined 103,121 Cisco devices connected to the Internet and found that:

  • Each device on average was running 28 known vulnerabilities.
  • Devices were actively running known vulnerabilities for an average of 5.64 years.
  • More than 9 percent have known vulnerabilities older than 10 years.

In comparison, Cisco also looked across software infrastructure at a sample of over 3 million installations. The majority were Apache and OpenSSH, with an average of 16 known vulnerabilities, running for an average of 5.05 years.
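The three figures quoted above (known vulnerabilities per device, years of exposure, and the share of devices carrying decade-old flaws) are hygiene metrics a defender can compute over their own asset inventory. The following Python is an added example, not code from Cisco or from the report. It assumes an inventory that maps each device to the known vulnerabilities it runs, each with its publication date; the device and vulnerability identifiers are constructed and hypothetical, the measurement date is an assumed end of the report's window, and "age" is taken to mean years since the vulnerability was published, which is one reasonable reading of the report's 5.64-year figure.

```python
from datetime import date
from statistics import mean

# Constructed inventory (hypothetical device and vulnerability identifiers, not
# the report's data): device -> list of (vulnerability id, date it was published).
# A device with an empty list is clean but still counts toward the fleet total.
AS_OF = date(2016, 4, 30)  # assumed end of the measurement window
SAMPLE_INVENTORY = {
    "rtr-01": [("VULN-A", date(2008, 3, 1)), ("VULN-B", date(2013, 6, 15))],
    "rtr-02": [("VULN-C", date(2015, 1, 10))],
    "sw-01": [("VULN-A", date(2008, 3, 1)), ("VULN-D", date(2004, 11, 2))],
    "sw-02": [],
}


def years_since(published, as_of):
    """Age of a vulnerability in years, measured from its publication date."""
    return (as_of - published).days / 365.25


def hygiene_report(inventory, as_of=AS_OF, stale_after_years=10):
    """Compute the three fleet-level figures the report quotes.

    - average number of known vulnerabilities per device
    - average age (years since publication) over every device/vulnerability pair
    - share of devices carrying at least one vulnerability older than the threshold
    """
    device_count = len(inventory)
    if device_count == 0:
        raise ValueError("inventory is empty")
    pairs = [(dev, vuln, pub) for dev, vulns in inventory.items() for vuln, pub in vulns]
    ages = [years_since(pub, as_of) for _, _, pub in pairs]
    stale_devices = sorted(
        dev for dev, vulns in inventory.items()
        if any(years_since(pub, as_of) > stale_after_years for _, pub in vulns)
    )
    return {
        "devices": device_count,
        "avg_vulns_per_device": len(pairs) / device_count,
        "avg_vuln_age_years": mean(ages) if ages else 0.0,
        "stale_devices": stale_devices,
        "pct_devices_stale": 100.0 * len(stale_devices) / device_count,
    }


def oldest_exposure(inventory, as_of=AS_OF):
    """Rank devices by their single oldest unpatched vulnerability, worst first."""
    ranked = []
    for dev, vulns in inventory.items():
        if not vulns:
            continue
        vuln, pub = max(vulns, key=lambda v: years_since(v[1], as_of))
        ranked.append((dev, vuln, round(years_since(pub, as_of), 2)))
    return sorted(ranked, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    report = hygiene_report(SAMPLE_INVENTORY)
    print(f"{report['devices']} devices, "
          f"{report['avg_vulns_per_device']:.2f} known vulns/device, "
          f"{report['avg_vuln_age_years']:.2f} years average age")
    print(f"{report['pct_devices_stale']:.1f}% of devices carry a vulnerability "
          f"older than 10 years: {report['stale_devices']}")
    for dev, vuln, age in oldest_exposure(SAMPLE_INVENTORY):
        print(f"  {dev}: {vuln} published {age} years ago")
```

The ranking from oldest_exposure is the actionable output: the report's point is that the oldest flaws sit on the systems least likely to be patched, so a list sorted by age rather than by count is what a remediation owner needs first.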

Browser updates are the lightest-weight updates for endpoints, while enterprise applications and server-side infrastructure are harder to update and can cause business continuity problems. In essence, the more critical an application is to business operations, the less likely it is to be addressed frequently, creating gaps and opportunities for attackers.


from Help Net Security http://ift.tt/2aawDtW