Articles about Security

The best value breach detection systems


Given the current threat landscape and the fact that attackers are finding new ways to bypass traditional security, it's no surprise that many companies are turning to the use of breach detection to protect their systems.

Independent testing organization NSS Labs has evaluated eight of the leading BDS vendors -- BlueCoat, CheckPoint, Cisco, Fidelis, FireEye, Fortinet, Lastline, and Trend Micro -- for security effectiveness, performance, and total cost of ownership.


Lenovo BIOS tool prevents clean installs of Windows by downloading crapware


Lenovo is no stranger to bloatware, but the latest crapware calamity is cut from a slightly different cloth. In a bid to ensure that its software is installed on its computers, Lenovo BIOSes feature a tool that automatically downloads and installs bloatware even after a clean installation of Windows.

The issue is not entirely new, having been brought to light on Ars Technica's forums, but there is renewed interest in the topic following the launch of Windows 10. Lenovo is making use of a little-known feature called the Windows Platform Binary Table, which can be used by manufacturers to stealthily install software via the BIOS. The 'feature' is seen by many as amounting to little more than a rootkit, and blame has been laid at the doors of both Lenovo and Microsoft.


Script injection vulnerability leaves Salesforce users open to phishing attacks


A script injection vulnerability in the popular Salesforce cloud CRM system could have left users open to attack from phishing emails that appear to come from within a trusted domain.

Cloud application security specialist Elastica has released details of the vulnerability -- disclosed to Salesforce in early July -- which opened the door for attackers to use a trusted Salesforce application as a platform to conduct phishing attacks to steal end-users' login credentials and hijack accounts.


Malvertising becomes a billion dollar problem


According to a new report by endpoint security specialist Invincea, malvertising is causing more than $1 billion worth of damage each year.

Based on data gathered in the first six months of this year, the company detected and blocked approximately 2,100 malvertising attacks against its customers, representing 2.1 million malicious advertisements. Invincea estimates this caused $525 million of damage in repair and recovery expense, excluding the impact of any data breaches.


LastPass switches to freemium model to encourage take up


With increasing numbers of credentials being stolen in data breaches, it makes sense to use a password manager to protect your online accounts.

Popular password manager LastPass is encouraging users to make the leap by making its service available free on mobile devices, including smartphones and tablets from today.


84 percent of enterprises have considered encrypting all sensitive data


Security professionals are naturally concerned with protecting sensitive data within their organization and elsewhere, particularly given the increasing numbers of threats.

A new survey of more than 100 information security professionals by data security specialist Vormetric and risk management research organization IANS reveals that 84 percent of respondents had considered a security strategy of encrypting all their sensitive data.


HTC and Samsung phones storing unencrypted fingerprints


HTC is having trouble keeping investors happy, reporting its worst quarter in history earlier this month. If that wasn’t enough to contend with, FireEye researchers have found a way to steal fingerprint information from the HTC One Max and Samsung's Galaxy S5.

Fingerprints were stored in an image file named dbgraw.bmp in an open, readable folder. This means anyone who gains access to these files is capable of editing the fingerprints, deleting them and even forcing fake fingerprint scans to pay for items. Malicious apps can utilize the fingerprint files by asking for them at start-up.


Facebook's privacy settings allow for harvesting data through mobile numbers


If you've added your mobile number to your Facebook account, you might want to reconsider in light of a new security exploit. A software engineer was able to access user data just by entering their mobile number. Profile pictures, names and locations were all accessible even for users who had not made their number public.

There is potential for such harvested data to be misused by malicious parties, as it provides an easy way to link a mobile number to an individual. Reza Moaiandin was able to use a special tool to quickly generate tens of thousands of numbers which, when passed through a Facebook API, fed back the associated user profiles.


Security is weakened because random numbers are not random enough


A lot of security systems are based on random numbers, prime numbers, or a combination of the two. But generating random numbers is not as random as you might expect -- or hope -- and it relies on sources of broadly random data that can be used as a starting point. The problem is that these sources of data are not large enough.

The entropy of data generated by Linux servers -- which are the backbone of much of the internet -- is, says security expert Bruce Potter, too low. Speaking at Black Hat USA 2015 -- an event which has already seen the unveiling of the Thunderstrike 2 firmware malware and the Stagefright-beating Certifi-Gate Android vulnerability -- Potter warns that the low entropy problem means that seemingly random numbers could in fact be easier to guess or crack than first thought.


Forget Stagefright, Certifi-Gate vulnerability allows for complete remote control of Android phones


There have been numerous stories in recent days about the threat posed by Stagefright to Android users. A more serious threat has been revealed at Black Hat USA 2015, however -- one that affects hundreds of millions of Android devices. Known as Certifi-gate, a vulnerability has been found in Remote Support Tools which could allow for hackers to take full control of phones.

The security issue was discovered by Check Point, which has notified handset manufacturers of the vulnerability and launched an app that you can use to see if your handset is affected. Stagefright led to many handset manufacturers announcing a switch to monthly security updates, and some have already issued a fix for Certifi-gate. However, it seems that HTC is a little slow off the mark this time around, particularly when it comes to patching newer phones.


Update Firefox right now to squash file stealing bug


Firefox users are being encouraged to upgrade to the latest version of the browser as soon as possible after the discovery of a serious security flaw in the software. Mozilla was quick to patch the security hole which could result in users' personal files being uploaded to a remote server.

Affecting the Windows and Linux versions of Firefox, the security vulnerability stems from the browser's PDF viewer. It allows for the injection of JavaScript that could be used to locate sensitive files and transfer them to a remote server.


Will Stagefright force all mobile makers to release monthly security updates?


Stagefright took the Android world rather by surprise. As well as catching the industry with its pants down, it highlights a problem of mobile security: it's just not taken seriously enough. In response to the Stagefright vulnerability, both Samsung and Google announced new monthly security update cycles.

Not to be outdone, LG has now followed suit, and it would be surprising if we didn’t see more manufacturers of Android handsets doing exactly the same in the coming weeks. But in announcing its own monthly security update schedule, LG has highlighted another stumbling block for mobile security. Carriers.


Over half of UK smaller businesses spend less than 2 percent of their IT budget on security


Smaller businesses often have a limited budget for securing their IT systems, which can leave them uniquely vulnerable. Antivirus company Avast launched its free Avast for Business cloud offering aimed at SMBs earlier this year and has been surveying users to find out how they handle their security.

Among the findings are that almost three-quarters of respondents say that all of their employees use the internet. Yet despite the high number of data breaches, 57 percent of SMBs in the UK invest only between zero and two percent of their IT budget on security.


Microsoft doubles budget for bug bounty program


You might think you have the best programmers in the world, but chances are there’s a kid in his parents’ basement somewhere who’s smarter than all your engineers combined.

That’s why bounty hunting for bugs has become hugely popular among software makers, employing pretty much every hacker worldwide in their search for overlooked bugs. Microsoft is one such company, and it’s using the Black Hat conference to promote its new bug bounty program, which sees the bounty doubled.


Lookout launches Stagefright detector


Stagefright detectors seem to be flavor of the month at the moment, which is not surprising when the vulnerability could affect around 95 percent of Android devices. We reported yesterday on Zimperium's version and now mobile security specialist Lookout has launched its own detector.

The app will tell users whether or not their Android device is vulnerable to Stagefright. If it is affected, it provides a run-down on how to reduce the risk of being attacked. Users will also be able to check back in after receiving a security patch to confirm it contained the fix for Stagefright.


© 1998-2015 BetaNews, Inc. All Rights Reserved. Privacy Policy.