itwbennett writes: The maintainers of Linux distributions are rushing to patch a privilege escalation vulnerability, tracked as CVE-2016-5195, that has existed in the Linux kernel for the past nine years and is already being exploited in the wild. The Red Hat security team describes the flaw as a 'race' condition, 'in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings.' This allows an attacker who gains access to a limited user account to obtain root privileges and therefore take complete control over the system. The vulnerability was fixed last week by the Linux kernel developers, and patches for Linux distributions, including Red Hat, Debian, Ubuntu, Gentoo and SUSE, have been released or are in the process of being released.
itwbennett writes: Photographs of nearly half of all U.S. adults — 117 million people — are collected in police facial recognition databases across the country with little regulation over how the networks are searched and used, according to a new study from the Center on Privacy & Technology at Georgetown Law. About 20 states, including Texas, Florida, Illinois, Ohio, and Pennsylvania, allow police to search driver's license photo databases. Police in a handful of other states and cities (San Francisco, Los Angeles, San Diego, and Chicago) can search criminal mug shots, the report said. Police agencies don't need a search warrant to search facial recognition databases, the report said. 'We are not aware of any agency that requires warrants for searches or limits them to serious crimes,' the authors wrote. 'This has consequences.'
itwbennett writes: If you needed more proof about the dangers of default passwords, take a minute to browse through this list of passwords that allowed the Mirai botnet to take control of nearly 400,000 IoT devices. (Mirai was one of two botnets behind the largest DDoS attack on record.) The passwords come from the botnet's source code, which was released by the author last week.
itwbennett writes: After Yahoo raised eyebrows in the security community with its claim that state-sponsored hackers were responsible for the history-making breach, security firm InfoArmor now says it has evidence to the contrary. InfoArmor claims to have acquired some of the stolen information as part of its investigation into 'Group E,' a team of five professional hackers-for-hire believed to be from Eastern Europe. The database that InfoArmor has contains only 'millions' of accounts, but it includes the users' login IDs, hashed passwords, mobile phone numbers and zip codes, said Andrew Komarov, InfoArmor's chief intelligence officer. Earlier this week, Chase Cunningham, director of cyber operations at security provider A10 Networks, called Yahoo's claim of state-sponsored actors a convenient, if trumped up, excuse: 'If I want to cover my rear end and make it seem like I have plausible deniability, I would say "nation-state actor" in a heartbeat.'
itwbennett writes: You know that bit in every episode of Inspector Gadget when the Inspector takes credit for Penny's problem-solving suggestions? It's meant for laughs, but the insidious effect is not escaping the notice of young children, says CIO.com's Sharon Florentine, whose son called out the mansplaining, suggesting that the Inspector needs to put on his 'listening ears'. Silencing women in the workplace is so deeply ingrained that the women of the Obama administration developed an elaborate strategy to make sure they got credit for their ideas, wrote Juliet Eilperin in the Washington Post. That strategy worked, but they had to do it purposefully every day in every meeting. Sounds exhausting. Maybe the better approach is to root out the boorish behavior before it takes hold — and that means starting with children's entertainment.
itwbennett writes: 'Yahoo has blamed its massive data breach on a "state-sponsored actor." But the company isn't saying why it arrived at that conclusion. Nor has it provided any evidence,' writes Michael Kan. This despite claiming in a December 2015 blog post that the company has protocols in place that can detect state-sponsored hacking and a policy of warning users 'when we have a high degree of confidence.' It's this reluctance to share details that has security experts suspecting it's a convenient, if trumped up, excuse. 'If I want to cover my rear end and make it seem like I have plausible deniability, I would say "nation-state actor" in a heartbeat,' said Chase Cunningham, director of cyber operations at security provider A10 Networks.
itwbennett writes: Trump Hotel Collection has agreed to pay $50,000 in penalties over hacks that are said to have led to the exposure of over 70,000 credit card numbers and other personal data. The key charges against Trump Hotel Collection (THC) are apparently that it didn’t have adequate protection and, even after the attacks became known, did not quickly inform the people affected, in breach of New York law.
itwbennett writes: Without quite suggesting that Russia could be involved in recent hacks of Democratic party organizations, U.S. Director of National Intelligence James R. Clapper said Tuesday in an interview with the Washington Post that 'there’s a tradition in Russia of interfering with elections, their own and others' going back to the 1960s and the Cold War. What's not clear, Clapper said, is the reason for the interference — whether it has been to cast doubt on the democratic process or to favor a particular candidate.
itwbennett writes: The Industrial Internet Consortium (IIC), a group formed in 2014 by IBM, Cisco, GE, AT&T and Intel, this week released an IoT security framework that lays out 'a systematic way to implement security in IoT and a common language for talking about it,' writes Stephen Lawson. 'The framework prescribes best practices in four areas: endpoints, communications, monitoring and configuration. They’re addressed to component builders, system builders and users. IIC plans to use the best practices in testbed projects.'
itwbennett writes: In 2015, $3.8 billion in venture funding went into cybersecurity companies — a 235% increase over 2011. But now the market is cooling just a little: the first two quarters of this year showed a slowdown, and CB Insights expects funding for cybersecurity companies to surpass $3 billion by the end of 2016. The reason for this: 'VCs are holding out for companies that are merging to offer more unified-security platforms,' says William Altman, tech industry analyst at CB Insights.
itwbennett writes: In March, Wall Street technology firm SS&C started receiving fraudulent transfer requests targeting its client Tillage Commodities Fund. What happened next defied common sense and corporate policy. Over twenty-one days, SS&C processed six fraudulent transactions, draining the Tillage fund of $5.9 million. Tillage is now seeking $10 million in damages in a lawsuit filed late last week.
itwbennett writes: Google took another step forward in its push for business use of Chrome OS devices with the announcement on Thursday of a new API that provides cryptographic guarantees about the identity and security state of those devices. The new API, called Verified Access, will allow companies to cryptographically validate the identity of Chrome OS devices connecting to their networks and verify that those devices conform to their security policies. Lucian Constantin gets into how it works in an article on CSO.
itwbennett writes: According to the researcher who found the vulnerability, it affects 'all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions,' as well as the MySQL-derived databases MariaDB and Percona DB. Lucian Constantin explains that the flaw 'can be exploited to modify the MySQL configuration file (my.cnf) and cause an attacker-controlled library to be executed with root privileges.' MariaDB and Percona DB have received patches, but Oracle, which has known about the flaw since July 29, has not yet released a patch for MySQL. CSO's Steve Ragan takes the view held by some in the security community that the flaw has more to do with permissions than with remote code execution. 'While the flaw is a bit over-hyped, the underlying problems are legit concerns for organizations that just slap a web server together and toss it into production,' says Ragan.
itwbennett writes: While UK lawmakers are still debating a new Investigatory Powers Bill, a report compiled by the Interception of Communications Commissioner's Office (IOCCO) finds that warrants for the interception of communications rose 9 percent last year and that authorities continued to hoover up communications metadata. One-ninth of the metadata collection was approved without any paperwork, an option that is only available 'where there is an immediate threat to life or an urgent operational requirement and there is no time to complete the normal written process,' according to the report. 'That could be a sign that the other eight-ninths of the collections aren't exactly helping them figure out what's going on,' writes Peter Sayer. 'The report minimizes the impact of the surveillance, using innocuous terms like "item of communications data" to refer to a whole month of incoming and outgoing call records for a mobile phone.'