Cisco Announces Intentions to Purchase Neohapsis

Cisco announced that it intends to acquire Neohapsis, a company which offers network, cloud, and app security, as well as IT risk and compliance services.

Cisco says it will use the acquisition to help customers build security capabilities and overcome operational and technical vulnerabilities, as well as “achieve a comprehensive view of their risks, take advantage of new business models, and define structured approaches for better protection.”

Neohapsis President and CEO James Mobley had this to say:

As our clients and friends in the industry know, Neohapsis has been a key player in the security, risk and compliance market. Today, we are excited to announce plans to join Cisco, who we believe will be the perfect strategic match for us, given our services and research mission.

We share with Cisco a global enterprise customer base, and a commitment to help our customers address their most challenging threats, especially in the rapidly evolving mobile and cloud arenas. Because of Neohapsis’ and Cisco’s shared focus on the Internet of Everything, the opportunity to do groundbreaking work together is enormous. Together, what we bring to enterprise customers, IoT device manufacturers, and associated service providers will be unique in the market.

“Today, businesses are looking at security in a strategic, comprehensive way to protect mission critical processes and assets,” said Hilton Romanski, who leads corporate development at Cisco. “There has never been a greater need to understand the impact that security threats can have on a company’s bottom line. For these reasons, experienced security advice is now among the table stakes required to assess and address the threat landscape that faces enterprises today. The skills and capabilities companies need to maintain a strong security posture, keep pace with rapidly evolving threats and take full advantage of new technologies that can protect their businesses are rare and difficult to retain. The right advisory service can change all of that.”

The Chicago-based Neohapsis team will join Cisco’s Security Services organization led by SVP and GM Bryan Palma. Cisco expects the deal to close in the second quarter of fiscal year 2015. Terms weren’t disclosed.

The post Cisco Announces Intentions to Purchase Neohapsis appeared first on SecurityProNews.

Read more here:: Security Pro News

Messaging Apps Are Terribly Insecure

It’s likely that every single day, you use a messaging app to communicate with friends and family. It’s also likely that the messaging app you’re using is unequipped to protect your privacy.

The Electronic Frontier Foundation (EFF) has just released a scorecard featuring 39 messaging apps ranging in popularity from the relatively small Silent Phone and CryptoCat to the ubiquitous iMessage and Facebook Messenger. The scorecard measures the security of each app using seven different criteria.

The seven criteria are framed as questions: Is your communication encrypted in transit? Is it encrypted with a key the provider doesn’t have access to? Can you independently verify your correspondent’s identity? Are past communications secure if your keys are stolen? Is the code open to independent review? Is the crypto design well-documented? And has there been an independent security audit?

Spoiler alert – it’s not good. The messaging landscape is woefully insecure.

In fact, only six applications garnered a perfect score: ChatSecure, CryptoCat, Signal/Redphone, Silent Phone, Silent Text, and TextSecure.

Every other app failed in at least one of the aforementioned areas.

“The revelations from Edward Snowden confirm that governments are spying on our digital lives, devouring all communications that aren’t protected by encryption,” said EFF Technology Projects Director Peter Eckersley. “Many new tools claim to protect you, but don’t include critical features like end-to-end encryption or secure deletion. This scorecard gives you the facts you need to choose the right technology to send your message.”

Out of the most popular apps to be rated, Apple’s iMessage and FaceTime had the best security score (five out of seven).

Services like AIM, Blackberry Messenger, Secret, and Yahoo Messenger were only able to garner one check mark – for messages being encrypted in transit.

Popular apps like WhatsApp, Snapchat, Skype, and Facebook Messenger only grabbed two checks.

“We’re focused on improving the tools that everyday users need to communicate with friends, family members, and colleagues,” said EFF Staff Attorney Nate Cardozo. “We hope the Secure Messaging Scorecard will start a race-to-the-top, spurring innovation in stronger and more usable cryptography.”

Eckersley told Ars Technica that even a perfect score on the EFF’s scorecard doesn’t mean an app is 100 percent recommended.

“Getting a perfect score here is more the first step than final victory. We still need usability studies, metadata protection, independently commissioned audits, and other measures of security before we try to get the whole network to switch to one of these options,” he said.

He went on to say that “good cryptographic design should not cause significant inconvenience.”

Check out the full report here.


Dropbox Says They Haven’t Been Hacked

According to reports, hundreds of Dropbox usernames and passwords were leaked online as a preview to a larger alleged leak of 7 million accounts.

As The Next Web reports, a thread appeared on reddit pointing to files with the leaked account details, saying, “Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts. To see plenty more, just search on [redacted] for the term Dropbox hack. More to come, keep showing your support.”

Dropbox says it hasn’t been hacked and that the account details in question were obtained from third-party services. The company addressed the situation on its blog:

Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.

In an update to the post, it added:

A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts.

Long story short, it’s probably a good time to reset your passwords across the various online services you use, and to make them all different this time.


‘Shellshock’ Bug Scaring Experts as Much as Bash Heartbleed

It feels like major security vulnerabilities are more common than ever, and there’s a big one freaking out the blogosphere being referred to as “shellshock”. It was discovered by a Red Hat security team in the Bash shell.

Security expert Robert Graham at Errata Security has been blogging about the bug saying that it is “as big as Heartbleed,” and also that it’s twenty years old. He says it’s as big a deal as Heartbleed because it interacts with other software in unexpected ways, and that unknown systems remain unpatched. He writes:

We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.

I’d suggest keeping up with his blog for analysis on the issue, as it appears to be the go-to spot at this point.

Here’s an “everything you need to know about it” post from Troy Hunt, which you should probably also check out if this concerns you.


Study Suggests a Large Majority of Mobile Apps Fail Basic Security Tests

In general, we shouldn’t consider mobile apps particularly secure for the foreseeable future. That is, if Gartner is correct in its latest analysis.

The firm said this week that over 75% of mobile apps will fail basic security tests through 2015. This is not particularly comforting for businesses.

Gartner notes that enterprise employees download from app stores, and use mobile apps that can access enterprise assets or perform business functions, and that the apps have “little to no security assurances”.

“Enterprises that embrace mobile computing and bring your own device (BYOD) strategies are vulnerable to security breaches unless they adopt methods and technologies for mobile application security testing and risk assurance,” said Dionisio Zumerle, principal research analyst at Gartner. “Most enterprises are inexperienced in mobile application security. Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security.”

“Today, more than 90 percent of enterprises use third-party commercial applications for their mobile BYOD strategies, and this is where current major application security testing efforts should be applied,” said Zumerle. “App stores are filled with applications that mostly prove their advertised usefulness. Nevertheless, enterprises and individuals should not use them without paying attention to their security. They should download and use only those applications that have successfully passed security tests conducted by specialized application security testing vendors.”

Gartner looks even further into the future, and says that by 2017, the focus of endpoint breaches will shift to tablets and smartphones. Through that year, it predicts, over 75% of mobile security breaches will be the result of mobile app misconfigurations as opposed to “deeply technical” attacks.


Gmail Promises Security Precautions Regarding Non-Latin Character Support

Last week, Google announced that it started recognizing non-Latin characters in email addresses, opening up the ability for users to send and receive emails in more languages. By doing this, however, it was potentially opening the door to more spam slipping through the cracks courtesy of bad actors using sneaky character combinations.

Google isn’t letting this happen though. The company announced in a blog post that they have taken measures to prevent this type of thing. Mark Risher of the Spam & Abuse Team writes:

Scammers can exploit the fact that ဝ, ૦, and ο look nearly identical to the letter o, and by mixing and matching them, they can hoodwink unsuspecting victims. Can you imagine the risk of clicking “ShဝppingSite” vs. “ShoppingSite” or “MyBank” vs. “MyBɑnk”?

To stay one step ahead of spammers, the Unicode community has identified suspicious combinations of letters that could be misleading, and Gmail will now begin rejecting email with such combinations. We’re using an open standard—the Unicode Consortium’s “Highly Restricted” designation—which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused.

These changes began rolling out on Tuesday. Google says it hopes others in the industry will “follow suit”.
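As an added illustration (not Google’s code), here is a stand-alone Python version of the two checks the post touches on: a mixed-script test modelled on the UTS #39 “Highly Restrictive” level, and a confusable “skeleton” comparison. It assumes the first word of a character’s Unicode name as a stand-in for the real Script property, and uses a constructed four-entry confusables table built from the characters quoted above; it also goes one step past the post by showing that a same-script look-alike such as “MyBɑnk” (Latin alpha) passes the script check and is only caught by the skeleton comparison.

```python
import unicodedata

# Script groups that UTS #39 "Highly Restrictive" allows to mix with Latin.
# Script names here are the first word of the Unicode character name, which
# this example uses as a heuristic stand-in for the real Script property.
ALLOWED_MIXES = (
    {"LATIN", "CJK", "HIRAGANA", "KATAKANA"},   # Japanese
    {"LATIN", "CJK", "BOPOMOFO"},               # Chinese
    {"LATIN", "CJK", "HANGUL"},                 # Korean
)

# Constructed subset of the UTS #39 confusables table: look-alike -> prototype.
# Keys are the characters quoted in the Gmail post; the real table has thousands.
CONFUSABLE_TO_PROTOTYPE = {
    "ဝ": "o",   # Myanmar character that looks like Latin o
    "૦": "o",   # Gujarati digit zero
    "ο": "o",   # Greek small letter omicron
    "ɑ": "a",   # Latin small letter alpha (same script as 'a')
}


def script_of(ch):
    """Heuristic script of a character: the first word of its Unicode name.
    ASCII digits and punctuation count as COMMON and are ignored when mixing."""
    if ch.isascii() and not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"


def scripts_in(label):
    """Set of scripts used by a label, ignoring script-neutral characters."""
    return {script_of(c) for c in label} - {"COMMON"}


def is_highly_restrictive(label):
    """True if the label is single-script or one of the allowed Latin+CJK mixes."""
    scripts = scripts_in(label)
    return len(scripts) <= 1 or any(scripts <= mix for mix in ALLOWED_MIXES)


def skeleton(label):
    """Simplified UTS #39 skeleton: NFD-normalise, then map confusables to their
    prototypes. Two labels with equal skeletons look the same to a human."""
    return "".join(CONFUSABLE_TO_PROTOTYPE.get(c, c)
                   for c in unicodedata.normalize("NFD", label))


def check_label(label, known_names):
    """Reject mixed-script labels outright (the Gmail policy), then flag
    single-script look-alikes of known names that the script check lets through."""
    if not is_highly_restrictive(label):
        return "reject: mixed scripts " + "+".join(sorted(scripts_in(label)))
    for known in known_names:
        if label != known and skeleton(label) == skeleton(known):
            return "flag: confusable with " + known
    return "ok"


if __name__ == "__main__":
    for label in ("ShoppingSite", "ShဝppingSite", "MyBɑnk", "東京Tokyo"):
        print(label, "->", check_label(label, ["ShoppingSite", "MyBank"]))
```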


ClarityRay, An Ad Security Company Acquired By Yahoo

Yahoo has acquired ClarityRay, a company that in the past dealt with getting around ad blockers, but has since focused on ad security and fraud detection.

In a message on its homepage, ClarityRay says:

Our vision has always been making the eco-system safe, compliant and sustainable for consumers, publishers and advertisers. We helped the online advertising industry take a big step towards that direction by identifying, measuring, and solving many of its unseen hurdles inhibiting that. We brought traffic clarity to an amazing roster of clients, with our findings becoming an industry standard.

Joining Yahoo now will allow us to make use of that momentum and take the next steps (or rather, leaps) towards that vision, and we couldn’t be more excited. This once-in-a-lifetime opportunity enables the mass scaling of our technology, impact and ideas to the absolute forefront of our field, while working with an amazing team who shares our passion. We’re proud to call Yahoo ‘home’.

We would like to thank our customers, employees, partners and investors. You’ve made this voyage fulfilling, challenging, successful and fun.

TechCrunch shares this statement from Yahoo:

We’ve been working on building up security capabilities and making Yahoo a safer place for users and partners. Advertising is an essential part of our business here at Yahoo, and we’re committed to getting it right. ClarityRay is a company with deep expertise in ad-malware detection and prevention. The bottom line for Yahoo is that search is going to get better and safer for users, and advertising will become more reliable and profitable for partners.

Terms of the deal were not disclosed.


The Ins and Outs of Social Security Number Scams

It’s a bit of a dichotomy. We’ve been told many times to be careful about giving out our Social Security numbers, but it seems like we’re being asked for all or part of it in almost every business transaction. I once saw a video rental store — back when there were such things — requiring a customer’s SSN before allowing them to rent a video. One guy refused to give it. They told him to get lost.

But why is it such a big deal? Everyone knows that the answer is “identity theft,” but how?

Your Credit Identity

The most common thing you hear about is someone applying for a loan, only to learn that someone else has opened credit cards in their name and had a spending spree. All it takes to do that is your SSN, and maybe a pre-approved credit card offer in some junk mail you’ve thrown away. These problems are solvable, but not without some incredibly inconvenient process.

And this whole scam can be very easy to pull off. Some department stores will have you fill out a one- or two-page form for a credit card application. They key your SSN into the computer and give you credit that can be used in the store right away. A thief can load up on clothing, tools, and electronics, and leave you holding the bill.

Your Employment Identity

The most commonly heard form of this is when employers use stolen Social Security numbers for undocumented workers. Why would this hurt you? At the end of the year, when you file your taxes, your information will not match what the IRS has on file for you. Suddenly, your tax refund is reduced, and there goes the car you were hoping to put a down payment on.

Your Political Identity

There is an unbelievable number of people who subscribe to the conspiracy theory that President Obama is using a stolen Connecticut Social Security Number. There have been three different variations on this, all of which have explanations. The notion has been long disproven, but that doesn’t stop it from spinning around the interwebs.


Security Improvements on Chrome for Windows

Google announced back in November that it would start requiring all Chrome extensions to be hosted in the Chrome Web Store for its Windows stable and beta channels (starting in January). Google announced today that it is now enforcing this.

Extensions will only be able to be installed if they’re hosted on the Chrome Web Store. Previously installed extensions may be automatically disabled, and will have to be re-installed if they become hosted on the Chrome Web Store.

“We’re constantly working to keep Chrome users safe as they browse, with built-in features like Safe Browsing, which blocks many types of malicious websites and downloads,” says Erik Kay, Engineering Director in a post on the Chrome blog. “In the case that malicious software has managed to hijack your settings, we’ve added a “reset browser settings” button, so you can get things back to normal. But since the bad guys continue to come up with new ways to cause our users headaches, we are always taking additional measures.”

“Malware can change how browsers work by silently installing extensions on your machine that do things like inject ads or track your browsing activity,” Kay adds. “If you notice strange ads, broken web pages or sluggish browsing after installing some new software or plugins, you could be affected.”

Hence the changes.

Google says it will continue to support local extension installs during development for developers as well as installs via Enterprise policy. More on that here.

Chrome users on the Windows developer channel and other operating systems are not affected by the changes.


Malware Attacks On Internet Explorer Increasing

Everyone has a favorite Internet browser. If yours happens to be Internet Explorer, you may want to switch to a different one.

Internet Explorer has numerous problems, but one of the worst is the current weakness in its security.

Hackers are taking advantage of this weakness and are creating new attacks that can put malware and viruses on your computer with just one accidental click of your mouse.

The hackers create websites that install the malware on your computer automatically. If you are using Internet Explorer and accidentally click on a wrong link that takes you to one of these websites, your computer could be infected in a matter of seconds.

Malware can slow your computer down, cause popups and use up your storage space. It can also be hard to identify and remove. In some cases, you might not notice the malware, which might not seem so bad until you realize the hackers have used it to steal your identity and access your email, social networks and other important websites.

“I’d say someone taking control of your computer is just the beginning of the worst case scenario,” said Adrian Sanabria, a security expert with 451research.com. “Because then they steal your info, get access to your email, etc.”

Some malware programs allow the hackers to access anything on your computer or Internet network. That means they can find your passwords, look up your credit card numbers and even operate your computer’s webcam to spy on you while you are using your computer or leave it on.

So what can you do to protect yourself from this type of malware?

According to the U.S. Department of Homeland Security, the best thing to do is stop using Internet Explorer completely, at least until the bug has been fixed. You can also disable your Adobe Flash plugin to prevent the malware from automatically downloading.

Microsoft is working to fix the problem but is not sure how long it could take.

What Internet browser do you use?

Image via Wikimedia Commons
