[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
Apple, Google and Microsoft: weakening encryption lets the bad guys in
Apple, Microsoft, Google, Samsung, Twitter, Facebook and 56 other technology companies have joined together to reject calls for weakening encryption, saying it would be “exploited by the bad guys”.
After Apple’s chief executive Tim Cook’s claims that “any backdoor is a backdoor for everyone”, the Information Technology Industry Council, which represents 62 of the largest technology companies worldwide, said: “Encryption is a security tool we rely on every day to stop criminals from draining our bank accounts, to shield our cars and airplanes from being taken over by malicious hacks, and to otherwise preserve our security and safety.”
Governments, including the UK’s, have said that backdoors – holes in the security software powering various forms of encryption – should be created through which security services could view communications.
Should technology companies refuse to build in means through which governments and security agencies can break encryption, a ban would only affect the law-abiding, since it will be very hard to stop terrorists or other groups from using software that uses encryption.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=634fa13ef9&e=20056c7556
Reboots Keep Security Officers Busy
In Microsoft’s November Patch Tuesday, there are 12 security bulletins that resolve more than 80 individual vulnerabilities.
Four of these updates are “Critical” with the remaining eight marked as “Important.”
Security officers beware.
This baseline contains numerous updates whose vulnerability impact is Remote Code Execution or Elevation of Privilege, weaknesses that are often exposed through user actions rather than through a failure of the technology itself.
It is critical to pay close attention to the number of reboots required in this release.
James Rowney, service manager, Verismic Software, adds, “The number of reboots is significantly high in this public release.
If you deploy these patches to the systems in your network, you must reboot.
Otherwise, the vulnerability remains a problem.
In this process, remember, communication is vital to minimize user impact.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e3f40a35a0&e=20056c7556
8 issues that will derail IT in 2016
To find out IT’s major pain points, a recent survey polled 2,685 IT professionals around the globe, asking what their biggest challenge would be in the year ahead.
The research, conducted by Ipswitch, uncovered that there are eight key issues holding IT teams back that should be prioritised in 2016.
1) Security – IT teams indicated that security was the top challenge, receiving 25 per cent of the overall responses. General security issues like breaches, malware, vulnerabilities and zero-day attacks were the biggest concern in this category, as stated by 55 per cent of respondents. File transfer was the second-leading response, with 39 per cent of respondents noting that moving data safely and efficiently inside and outside the organisation was setting them back.
2) Infrastructure and network monitoring – Nineteen per cent of those surveyed cited IT infrastructure and application performance monitoring as their top concern heading into 2016.
3) New technology, updates and deployment – Keeping up with new technology was the third-largest category, securing 14 per cent of the overall responses.
Two-thirds (67 per cent) of the respondents in this category said that making necessary updates and deploying new technology was the biggest issue facing their IT department.
4) Time, budget and resource constraints – Four per cent of responses indicated that time, budget and resource constraints were the biggest hurdle facing IT.
Nearly half (46 per cent) of the respondents in this category said that a lack of time and internal resources hindered their ability to do their jobs.
5) Business issues – Seven per cent of survey respondents said general business issues were a barrier to achieving IT goals.
6) Data management and storage – How to manage, protect and store big data was on the mind of six per cent of respondents, who named it their largest IT challenge to overcome in 2016.
7) Device management and end user issues – Five per cent of survey responses fell into the device management and end user issues category.
8) Automation and reporting – Four per cent of survey responses fell under automation and reporting.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8df84bff26&e=20056c7556
The new Nmap 7 version just released
After 3.5 years, Fyodor has released Nmap 7, the new version of the popular network-exploration tool.
Nmap is one of the most popular open-source network mappers; the principal changes announced for this release are:
– 3,200 code commits since Nmap 6
– expanded capabilities for its scripting engine including 171 new NSE scripts
– Mature IPv6 support from host discovery, port scanning and OS detection
Serious vulnerabilities such as Heartbleed, POODLE and FREAK can be detected easily with the automated checks shipped in Nmap 7’s scripting engine.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b0d79aa846&e=20056c7556
A Look at What Security Vulnerabilities Are Worth
This week, vulnerability acquisition firm Zerodium published its list for what it will pay for security vulnerabilities.
Zerodium has achieved a degree of notoriety this month for claiming to pay out a $1 million bug bounty for an Apple iOS 9 exploit chain.
Chaouki Bekrar, founder of Zerodium, told me in September that his firm was acquiring various zero-day exploits and was spending “$400,000 to $600,000 per month for vulnerability acquisitions.”
Hewlett-Packard’s Zero Day Initiative (ZDI) similarly paid $30,000 to researchers for each Firefox exploit publicly demonstrated at the 2015 Pwn2own hacking challenge.
ZDI however awarded those that could exploit Microsoft’s Internet Explorer $65,000, while a Google Chrome exploit was valued at $75,000.
A remote jailbreak of Android or Windows Phone is valued at up to $100,000, while a remote jailbreak on Apple iOS is now valued at $500,000.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a05945e40c&e=20056c7556
XL Catlin Launches CyberRiskIQ.com, an Online Portal To Help Clients Address Data Breaches
NEW YORK, Nov. 23, 2015 /PRNewswire/ — XL Catlin’s Cyber & Technology insurance business just launched a new online resource – CyberRiskIQ.com, providing clients with easily accessible support for cybersecurity readiness and incident response services.
“CyberRiskIQ.com is an online portal of information, tools and insights designed to help our clients learn more about cyber threats and network security perils.
It provides resources dedicated to helping our clients understand their risks and learning materials to lessen the severity of a cyber-security incident, if encountered,” said Elissa Doroff, Underwriting and Product Manager for Cyber & Technology insurance. “Our intention is to keep our clients well-informed about the latest developments and trends and well-equipped to respond, should they experience their own cyber incident.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=28bbbc9969&e=20056c7556
NERC’s security exercise GridEx III involves 350 organisations
In North America, more than 350 organisations and 3,000 participants from across the electric utility industry and federal and state governments participated in the North American Reliability Corporation’s (NERC’s) industry-wide grid security and incident response exercise GridEx III.
The two-day exercise that took place on 18-19 November was designed to enhance the coordination of cyber and physical security resources, as well as communication with government partners and other stakeholders, including those in Canada and Mexico.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7a002bafa1&e=20056c7556
Mostly harmless: Berlin boffins bleat post epic TrueCrypt audit feat
Ten auditors from the lauded Fraunhofer Institute for Secure Information Technology have given TrueCrypt a security tick after completing a comprehensive six-month audit under contract from the German Government.
The 77-page report dug up extra vulnerabilities in the once-popular encryption platform but says none is sufficient to undermine the jettisoned software.
“Overall, the analysis did not identify any evidence that the guaranteed encryption characteristics are not fulfilled in the implementation of TrueCrypt.
In particular, a comparison of the cryptographic functions with reference implementations or test vectors did not identify any deviations.
The application of cryptography in TrueCrypt is not optimal.
The AES implementation is not timing-resistant, key files are not used in a cryptographically secure way and the integrity of volume headers is not properly protected.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7bec7e8f60&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.