Software

Update: ShellShock’s Long Tail in the Enterprise

The recently disclosed vulnerability in the Linux Bash function dubbed “ShellShock” is creating a firestorm of coverage – and rightly so. The 22 year-old security hole is remotely exploitable and affects Linux based web servers and an unknown number of other devices that might run on linux and contain vulnerable services. However, unlike the recent “Heartbleed” OpenSSL vulnerability, identifying systems vulnerable to Shellshock won’t be easy. Shellshocked first came to light on Wednesday, when Linux vendors including Red Hat began warning about the security hole. The vulnerability allows a malicious actor to take advantage of built in Bash functions, wrapping them in environmental variables and then appending malicious code to the end of function definitions within the variable. In a blog post, Redhat said that any application that runs a shell script using Bash as the command interpreter, or that is hooked onto a shell is vulnerable to attack. Paul Venezia, writing over at InfoWorld, gives one […]

Continue Reading

MITRE Gets $29m For First Cybersecurity Center of Excellence

MITRE Corporation has been awarded $29 million from the U.S. Commerce Department for the nation’s first federally funded National Cybersecurity Center of Excellence (NCCoE), according to a statement by the Commerce Department’s National Institute of Standards and Technology (or NIST). The contract charges MITRE with the job of operating the federally funded research and development center (FFRDC) in the areas of research, development, engineering and technical support; operations management; and facilities management. This is the first FFRDC dedicated to enhancing the security of the nation’s information systems, NIST said.  The NCCoE was established in 2012 in partnership with NIST, the state of Maryland and Montgomery County, Md.  It brings together experts from industry, government and academia to develop  integrated cyber security solutions using existing, commercially available technology. “As the principal champion of the digital economy in the federal government, the Commerce Department is committed to defending our nation’s digital infrastructure from cyberattacks and helping American companies strengthen […]

Continue Reading

Infographic: Possible Attacks on The Internet of Things

The folks over at Trend Micro have put together a nice infographic that reminds us that all those smart devices connected to the Internet communicate through some well worn channels, namely: standard communications protocols like Wi-Fi, Ethernet and Bluetooth that connect devices to each other and the global Internet, as well as HTTP that are used to transmit data to and from cloud based resources like management interfaces. Of course those standard protocols also leave IoT devices vulnerable to a wide range of commodity attacks: from brute force password cracking on web based management consoles to Man in the Middle attacks that can sniff out authentication credentials and hijack sessions. Trend’s infographic does a good job of depicting the various layers in the IoT stack and some of the likely attack vectors for each layer. It also gives advice on how to protect yourself (use encryption, patch software vulnerabilities, disable unused ports). Nothing ground breaking […]

Continue Reading

FDA Seeks Collaboration on Medical Device Security

The U.S. Food and Drug Administration (FDA) on Tuesday put out a call for ideas and input on how best to secure medical devices and the healthcare system from cyber attack. In a federal notice, the FDA announced that it will hold an October workshop entitled “Collaborative Approaches for Medical Device and Healthcare Cybersecurity.” It also solicited input from stakeholders within the government and from the public health sector on medical device and healthcare cyber security. The workshop is scheduled for October 21 and 22 and will run from 9:00 AM to 5:00PM at the National Intellectual Property Rights Coordination Center Auditorium in Arlington, Virginia. [Read more Security Ledger coverage of connected medical devices here.] The Department of Health and Human Services (HHS) is looking for ideas about how best to implement aspects of both Executive Order 13636 for“Improving Critical Infrastructure” and follow-on guidance like the National Institute of Standards and Technology’s (NIST’s) “Framework for Improving […]

Continue Reading

Online Authentication Group FIDO Alliance Grabs A Big Bone: Alibaba

The FIDO Alliance, an up-and-coming industry consortium aimed at simplifying online identity and doing away with passwords added IPO darling Alibaba to its Board of Directors, according to a statement on Tuesday. The FIDO (or “Fast IDentity Online”) Alliance announced that Alibaba Group’s payments business, Alipay will be among the first to deploy FIDO technology for secure payments authentication. On September 17, the company announced that it will use Nok Nok Labs’ FIDO-compliant  NNL™ S3 Authentication Suite to enable secure online payments via the Fingerprint Sensor (FPS) technology on the Samsung Galaxy S5. Alipay customers will be able to make payments and transfers using Alipay’s mobile application, Alipay Wallet by applying their fingerprint to the Galxy’s fingerprint sensor. “We look forward to participating on the FIDO Alliance board, and assuring that commerce and authentication are uniquely cooperative and seamlessly compatible,” said Ni Liang, Alibaba group, senior director, department of security, in a statement. Mobile payments […]

Continue Reading
1 72 73 74 75 76 123