Intel: some processors will never receive Meltdown and Spectre patches
With little fanfare, Intel has revealed that some processors will simply never receive microcode updates that will patch against the Meltdown and Spectre vulnerabilities.
In a document entitled Microcode Revision Guidelines, the chip-maker says that a wide range of processor families -- equating to over 200 CPUs -- will not receive any more updates. While the majority of the affected chips were on sale between 2007 and 2011, it's safe to assume that a large proportion of them are still in use, meaning that a lot of systems will remain unprotected.
21 percent of open source serverless applications have critical vulnerabilities
Serverless computing is increasingly popular because it eliminates infrastructure concerns. However, a new report raises worries about its security.
According to an audit by serverless security company PureSec, more than one in five serverless applications has critical security vulnerabilities.
Employees have too much access to sensitive data
Lax policies and a lack of control are giving far too many employees access to sensitive data, according to the latest Global Data Risk Report from data security specialist Varonis.
The report, based on analysis of Data Risk Assessments conducted by Varonis in 2017 for customers and potential customers on their file systems, uncovers some startling figures, with 58 percent of organizations found to have more than 100,000 folders open to all employees.
Hiring gamers may be the answer to the cyber security skills gap
A new survey from McAfee says that IT security staff report needing to increase their workforces by 24 percent to adequately manage their organization's cyber threats.
Yet a skills crisis means 84 percent admit it's difficult to attract staff and 31 percent say they don't actively do anything to attract new talent. However, 72 percent of respondents say hiring experienced video gamers into the IT department seems like a good way to plug the cyber security skills gap.
Huawei statement dismisses US concerns about security
Huawei is being shunned by the US because of the perception that its hardware could be compromised and used by the Chinese government for espionage. The FCC has blocked US mobile carriers from using federal money to purchase products or services from the company on security grounds, and Huawei is understandably unhappy about this.
The smartphone maker has dismissed security claims as "simply not true" and says that it is "no security threat in any country". The Chinese company says that it is disappointed with the FCC's proposal, pointing out that it would give rural operators -- and, in turn, customers -- fewer options to choose from.
New program helps companies meet cloud security goals
Infrastructure and development practices are changing as companies move towards cloud computing, DevOps, and on-demand SaaS delivery models.
This means security and operations teams must integrate their approach to securing systems. Cloud security company Threat Stack is launching a Cloud SecOps Program to help companies integrate security and operations initiatives and reduce risk.
Google kicks cryptomining extensions from the Chrome Web Store
Amid growing concern about a disregard for Chrome Web Store policies, Google is slapping a ban on extensions that mine for cryptocurrencies.
With immediate effect, no more cryptomining extensions will be added to the Store, and as of July 2018, any existing mining tools will be removed. Google says that an astonishing 90 percent of mining extensions ignore rules that state cryptomining must be the extension's sole purpose, and users need to be fully informed about the mining.
Grindr was sharing users' location and HIV status with third parties
Last week there was an outcry after it was revealed that it was relatively simple to determine the location of Grindr users because of a security flaw. The company has now also admitted that it shared information from users' profiles with third parties -- specifically the analytics companies Apptimize and Localytics -- including their HIV status.
Grindr was quick to point out that, firstly, the information was sent via HTTPS, secondly, that the data was not sold to the analytics companies (it was provided free of charge) and, thirdly, that the data was public anyway. All three of these points will come as little comfort to Grindr users, but the company has said that it will now stop the practice of sharing HIV-related information.
Less than half of Android security apps offer effective protection
A new study from independent testing lab AV-Comparatives reveals that, of over 200 Android security apps tested, the majority are dubious, unsafe or ineffective.
The company downloaded 204 apps from the Google Play store in January this year and found 84 of the apps detected over 30 percent of malicious samples, and had zero false alarms. 79 detected under 30 percent of malware samples and/or had a high false alarm rate.
What's the probability of a data breach happening to you? Or is that the wrong question?
Correctly calculating the probability of risk is becoming critical to organizations. And it’s not just because it is essential and fundamental to good Risk Management practice, but also because new laws such as GDPR are mandating it. Security measures must be appropriate to the risk, and the risk is suffering a data breach. So, calculating the probability of a data breach happening, regardless of scope, is vital to determining appropriate security measures.
ISACA, previously known as the Information Systems Audit and Control Association but now known solely by its acronym, talks about the probability of risk as:
Best practices for effective Privileged Access Management
It feels like almost every week, we hear of a new breach, and each week, we’re thankful it wasn’t our company. But how long can we dodge the breach bullet? No one wants to be the next headline, but what can we do to ensure that we aren’t?
The common denominator in virtually every breach is that somehow, someone who shouldn’t have access to your company’s system and data sources has found a way in. The bad guys are smart, creative and motivated, and can use even the smallest opening.
Microsoft releases update that fixes problematic Meltdown patch
As if the Meltdown and Spectre chip vulnerabilities weren't bad enough in their own right, the patches designed to fix them caused a further series of problems. A Swedish researcher recently discovered that Microsoft's Meltdown fixes lowered security in Windows 7 and Windows Server 2008 R2, and now the company has issued a fix.
As the new patch is being released outside of the usual schedule, it is indicative of the importance of the security update. KB4100480 is a kernel update for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 that addresses CVE-2018-1038 problems.
Cryptocurrency mining booming in higher education
The higher education sector has seen a big increase in cryptocurrency mining activity according to a new report from AI security company Vectra.
Vectra used its Cognito platform to monitor traffic and collect metadata from more than 4.5 million devices and workloads from customer cloud, data center and enterprise environments. It discovered that, of all the cryptocurrency mining detections, 60 percent occurred in higher education.
79 percent of healthcare pros worried about the security of their personal data
Have I Been Pwned teams up with 1Password to improve post-security breach advice
Data breach checking website Have I Been Pwned (HIBP) -- used by governments and individuals around the world -- has announced a new partnership with 1Password.
The arrangement is a first for Troy Hunt's site, but it comes just over a month after 1Password started using a password-checker he developed. Hunt says that he has turned down numerous offers to sponsor Have I Been Pwned, but feels that teaming up with 1Password makes sense.