[From the desk of Paul Davis – his opinions and no-one else’s]
\nApart from the reporter’s opinions \ud83d\ude09
\nSo onto the news:<\/p>\n
Apple, Google and Microsoft: weakening encryption lets the bad guys in
\nApple, Microsoft, Google, Samsung, Twitter, Facebook and 56 other technology companies have joined together to reject calls for weakening encryption saying it would be \u201cexploited by the bad guys\u201d.
\nAfter Apple\u2019s chief executive Tim Cook\u2019s claims that \u201cany backdoor is a backdoor for everyone\u201d, the Information Technology Industry Council, which represents 62 of the largest technology companies worldwide, said: \u201cEncryption is a security tool we rely on everyday to stop criminals from draining our bank accounts, to shield our cars and airplanes from being taken over by malicious hacks, and to otherwise preserve our security and safety.\u201d
\nGovernments, including the UK\u2019s, have said that backdoors \u2013 holes in the security software powering various forms of encryption \u2013 should be created through which security services could view communications.
\nShould technology companies refuse to include means through which governments and security agencies can break encryption, banning would only impact the lawful as it will be very hard to stop terrorists or other groups from using software that uses encryption.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=634fa13ef9&e=20056c7556<\/p>\n
Reboots Keep Security Officers Busy
\nIn Microsoft\u2019s November Patch Tuesday, there are 12 security bulletins that resolve more than 80 individual vulnerabilities.
\nFour of these updates are \u201cCritical” with the remaining eight marked as \u201cImportant.”
\nSecurity officers beware.
\nThis baseline contains numerous updates that have a vulnerability impact of Remote Code Execution or Elevation of Privilege, which are often exposed by users rather than seen as a failure in technology.
\nIt is critical to pay close attention to the number of reboots required in this release.
\nJames Rowney, service manager, Verismic Software, adds, \u201cThe number of reboots is significantly high in this public release.
\nIf you deploy these patches to the systems in your network, you must reboot.
\nOtherwise, the vulnerability remains a problem.
\nIn this process, remember, communication is vital to minimize user impact.”
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=e3f40a35a0&e=20056c7556<\/p>\n
8 issues that will derail IT in 2016
\nTo find out IT\u2019s major pain points, a recent survey polled 2,685 IT professionals around the globe, asking what their biggest challenge would be in the year ahead.
\nThe research, conducted by Ipswitch, uncovered that there are eight key issues holding IT teams back that should be prioritised in 2016.
\n1) Security – IT teams indicated that security was the top challenge, receiving 25 per cent of the overall responses. General security issues like breaches, malware, vulnerabilities and zero-day attacks were the biggest concern in this category, as stated by 55 per cent of respondents. File transfer was the second-leading response, with 39 per cent of respondents noting that moving data safely and efficiently inside and outside the organisation was setting them back.
\n2) Infrastructure and network monitoring – Nineteen per cent of those surveyed cited IT infrastructure and application performance monitoring as their top concern heading into 2016.
\n3) New technology, updates and deployment – Keeping up with new technology was the third-largest category, securing 14 per cent of the overall responses.
\nTwo-thirds (67 per cent) of the respondents in this category said that making necessary updates and deploying new technology was the biggest issue facing their IT department.
\n4) Time, budget and resource constraints – 4 per cent of responses indicated that time, budget and resource constraints were the biggest hurdle facing IT.
\nNearly half (46 per cent) of the respondents in this category said that a lack of time and internal resources hindered their ability to do their jobs.
\n5) Business issues – Seven per cent of survey respondents said general business issues were a barrier to achieving IT goals.
\n6) Data management and storage.
\nHow to manage, protect and store big data was on the mind of six per cent of respondents who named it their largest IT challenge to overcome in 2016.
\n7) Device management and end user issues – Five per cent of survey responses fell into the device management and end user issues category.
\n8) Automation and reporting – Four percent of survey responses fell under automation and reporting.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=8df84bff26&e=20056c7556<\/p>\n
The new Nmap 7 version just released
\nAfter 3.5 years, Fyodor has released the new version of the popular network-exploration tool Nmap 7.
\nNmap is one of the most popular open-source network mapper, the principal changes announced for this release are:
\n\u2013 3,200 code commits since Nmap 6
\n\u2013 expanded capabilities for its scripting engine including 171 new NSE scripts
\n\u2013 Mature IPv6 support from host discovery, port scanning and OS detection
\nSerious vulnerabilities like Heartbleed, POODLE, and FREAK could be easily detected by using the automated scanners implemented by Nmap 7.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=b0d79aa846&e=20056c7556<\/p>\n
A Look at What Security Vulnerabilities Are Worth
\nThis week, vulnerability acquisition firm Zerodium published its list for what it will pay for security vulnerabilities.
\nZerodium has achieved a degree of notoriety this month for claiming to pay out a $1 million bug bounty for an Apple IOS 9 exploit chain.
\nChaouki Bekrar, founder of Zerodium, told me in September that his firm was acquiring various zero-day exploits and was spending “$400,000 to $600,000 per month for vulnerability acquisitions.”
\nHewlett-Packard’s Zero Day Initiative (ZDI) similarly paid $30,000 to researchers for each Firefox exploit publicly demonstrated at the 2015 Pwn2own hacking challenge.
\nZDI however awarded those that could exploit Microsoft’s Internet Explorer $65,000, while a Google Chrome exploit was valued at $75,000.
\nA remote jailbreak of Android or Windows Phone is valued at up to $100,000, while a remote jailbreak on Apple iOS is now valued at $500,000.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=a05945e40c&e=20056c7556<\/p>\n
XL Catlin Launches CyberRiskIQ.com, an Online Portal To Help Clients Address Data Breaches
\nNEW YORK, Nov. 23, 2015 \/PRNewswire\/ — XL Catlin’s Cyber & Technology insurance business just launched a new online resource \u2013 CyberRiskIQ.com, providing clients with easily accessible support for cybersecurity readiness and incident response services.
\n“CyberRiskIQ.com is an online portal of information, tools and insights designed to help our clients learn more about cyber threats and network security perils.
\nIt provides resources dedicated to helping our clients understand their risks and learning materials to lessen the severity of a cyber-security incident, if encountered,” said Elissa Doroff, Underwriting and Product Manager for Cyber & Technology insurance. “Our intention is to keep our clients well-informed about the latest developments and trends and well-equipped to respond, should they experience their own cyber incident.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=28bbbc9969&e=20056c7556<\/p>\n
NERC\u2019s security exercise GridEx III involves 350 organisations
\nIn North America, more than 350 organisations and 3,000 participants from across the electric utility industry and federal and state governments participated in the North American Reliability Corporation’s (NERC’s) industry-wide grid security and incident response exercise GridEx III.
\nThe two-day exercise that took place on 18-19 November was designed to enhance the coordination of cyber and physical security resources, as well as communication with government partners and other stakeholders, including those in Canada and Mexico.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=7a002bafa1&e=20056c7556<\/p>\n
Mostly harmless: Berlin boffins bleat post epic TrueCrypt audit feat
\nTen auditors from the lauded Fraunhofer Institute for Secure Information Technology have given TrueCrypt a security tick after completing a comprehensive six-month audit under contract from the German Government.
\nThe 77-page report dug up extra vulnerabilities in the once-popular encryption platform but say none are sufficient to undermine the jettisoned software.
\n“Overall, the analysis did not identify any evidence that the guaranteed encryption characteristics are not fulfilled in the implementation of TrueCrypt.
\nIn particular, a comparison of the cryptographic functions with reference implementations or test vectors did not identify any deviations.
\nThe application of cryptography in TrueCrypt is not optimal.
\nThe AES implementation is not timing-resistant, key files are not used in a cryptographically secure way and the integrity of volume headers is not properly protected.”
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=7bec7e8f60&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: ** Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
** Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=d83cc87059)<\/p>\n
** Update subscription preferences (http:\/\/paulgdavis.us3.list-manage.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s] Apart from the reporter’s opinions \ud83d\ude09 So onto the news: Apple, Google and Microsoft: weakening encryption lets the bad guys in Apple, Microsoft, Google, Samsung, Twitter, Facebook and 56 other technology companies have joined together to reject calls…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1173","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1173","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1173"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1173\/revisions"}],"predecessor-version":[{"id":3660,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1173\/revisions\/3660"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}