iTWire - Security (feed generated Thu, 02 Jul 2015 02:51:41 +1000)

Bumper bundle of security updates for OS X

Apple has released multiple security updates for its Mac system software, along with a new version of iTunes.

Alongside iOS 8.4, Apple has released security updates for OS X, the Safari web browser, and the QuickTime multimedia software.

OS X Yosemite v10.10.4 and Security Update 2015-005 (for OS X 10.8 Mountain Lion and OS X 10.9 Mavericks), both available from the Mac App Store, address a wide range of security issues.

They include multiple privilege escalation issues, remote attack via AFP, an Apache misconfiguration, multiple PHP issues, multiple examples of kernel memory layout disclosure, multiple memory corruption issues that could be used to execute arbitrary code (including some variously related to fonts, Bluetooth, URL handling, text files, QuickTime, and certain types of signed or encrypted objects), sometimes with system privileges.

QuickTime 7.7.7 for Windows 7 and Vista has also been released to provide the relevant patches.

Back to OS X, changes to the graphics drivers for Nvidia and Intel perform improved bounds checks to address buffer overflow issues that could allow arbitrary code execution with system privileges.

The certificate trust policy has also been updated, the 'Logjam' SSL/TLS issue has been addressed, the locking of EFI flash memory when waking from sleep has been improved (the EFI patches are available separately as Mac EFI Security Update 2015-001 for Mountain Lion and Mavericks), and certain issues around code signing have been rectified.

A Yosemite-specific change addresses a flaw that allowed unsigned kernel extensions to be loaded under certain conditions.

One of the more curious issues concerns Mail. The version included in Yosemite 10.10.0 to 10.10.3 allowed the content of an HTML message to be replaced with an arbitrary web page.

Another concerns Spotlight, where "A command injection vulnerability existed in the handling of filenames of photos added to the local photo library."

Open source components that have been updated but not already mentioned include libtiff, OpenSSL, SQLite and unzip.

All told, more than 75 distinct vulnerabilities are addressed by OS X Yosemite v10.10.4 and Security Update 2015-005.

The latest version of Safari - 8.0.7 - is included in the OS X Yosemite 10.10.4 update. It is also available separately from the Mac App Store, along with Safari 7.1.7 and 6.2.7 for Mavericks and Mountain Lion respectively.

Changes include improved checking to prevent one site accessing another's WebSQL databases, and better protection against cross-site request forgeries and malicious links in embedded PDFs.

This latest set of updates is consistent with Apple's unstated but apparent policy of only releasing security updates for the current version of OS X and its two most recent predecessors.

In related news, Apple has also released iTunes 12.2 with support for the new Apple Music service. It is available from the Mac App Store.

(Stephen Withers) Security Wed, 01 Jul 2015 09:41:57 +1000
Australian organisations slipping on security: Dell

Australian organisations are falling behind their US and European counterparts when it comes to IT security, according to Dell SecureWorks.

"Breach notification laws have been highly effective at forcing organisations to review IT security in countries such as the USA and Europe," said Dell SecureWorks principal consultant for APJ Phillip Simpson.

"Australia is behind these aforementioned countries, when it comes to security, and this is becoming more apparent every day."

Apart from any other considerations, Simpson is concerned that a reputation for slack security will mean the Bad Guys pay more attention to Australia.

"Hackers are like water: they take the path of least resistance. If threat actors are finding information of value in Australia they are going to do what is necessary to take it," he said.

Examples include the theft by Chinese hackers of intellectual property which is then used to manufacture counterfeit products, and the high incidence of Cryptolocker cases. "Australia was ranked third in the globe" for the number of devices encrypted by Cryptolocker, he observed.

Simpson's top six tips are:

  1. Test your environment and know your weaknesses so you can fix them; this includes policies around IT security.
  2. Understand the threats and prepare; be proactive, not reactive.
  3. Understand your access controls and make sure the right people have the appropriate access.
  4. Monitor network traffic.
  5. Have a quality patch management process.
  6. Train your staff and end users so that they are aware of the importance of IT security.
(Stephen Withers) Security Tue, 30 Jun 2015 16:59:24 +1000
HP boosts security product lineup

New products, partnerships and acquisitions have boosted HP's security capability.

"We've had a phenomenal portfolio of capability," HP South Pacific's general manager of software enterprise security products Shane Bellos told iTWire, and new products and partnerships mean the company is even better placed to address IT security challenges facing organisations.

Attention is increasingly being paid to preventing the exfiltration of data, he said. There is a realisation that it is practically impossible to prevent bad guys getting into a system, so stopping them from getting data out is "a key focus for anyone in information technology."

"It's about protecting our assets," he explained. Even if a system is compromised, it is possible to keep the data safe using encryption and other protection technologies.

This extends to SaaS as well as conventional on-premises software. HP's Voltage products provide data-centric encryption "wherever it lives," even in services such as Google Apps and Office 365, Bellos told iTWire.

Application security is also important, he said, and HP's Fortify app-testing tools can scan in-house and commercial applications for weaknesses. Its recently added reputational feeds can warn if an application being scanned calls risky internet services, as well as providing a source of security intelligence about services being considered by customers.

User behaviour analytics is another area receiving growing attention. The idea is to monitor IT assets and watch for user behaviour that doesn't match the role or access rights. When security staff receive reports of anomalous behaviour they can take action to mitigate the problem, and frequently occurring patterns of abnormal behaviour indicate a need to enforce controls or deliver additional training. "Education is still a fundamental," said Bellos.

User behaviour analytics "is a very valuable tool" and the recent release of HP's ArcSight User Behavior Analytics means organisations can apply the technology without requiring their own data scientists, he said.

(Stephen Withers) Security Fri, 26 Jun 2015 08:41:56 +1000
Microsoft – “We won’t spy on users”

With so much happening in time for the launch of Windows 10 on 29 July, it is easy to overlook some other interesting issues.

Microsoft will now encrypt all Bing search traffic by default, providing additional security and discretion for searches. Hackers and advertisers trying to see what you search for will be frustrated. HTTPS stands for Hypertext Transfer Protocol Secure, and most browsers show a small padlock icon when it is in use.

It's great news for users and lousy for search engine optimisation, as web sites will not know what query terms (keywords) were used.

Microsoft says, “Microsoft has a long-history and deep commitment to helping protect our customers’ data and the security of their systems. While this change may impact marketers and webmasters, we believe that providing a more secure search experience for our users is important.”

What this means is that Bing by default will be more secure and that matches CEO Satya Nadella’s new more transparent and open Microsoft. Microsoft has to tread the fine line between pleasing its advertisers and protecting the security and privacy of its users. The company promises that the limited data available to advertisers will not compromise the security of its users.


Google will also encrypt searches, but only if you use its encrypted site – and this feature is not well known.

Unlike Google, Bing gives no rankings boost for encrypted websites. Last year Google’s chairman, Eric Schmidt, declared that the solution to [NSA security] is to encrypt everything. Since then Google has given HTTPS sites a ranking boost.

What this means is that Bing should take a more dominant position in the search engine stakes.

(Ray Shaw) Security Sun, 21 Jun 2015 15:32:17 +1000
Kaspersky secures Department of Prime Minister & Cabinet

Devices used by the Department of Prime Minister & Cabinet are now secured by Kaspersky, under a new contract with the security firm.

Kaspersky has announced it is delivering its security offerings to protect devices used by the department’s staff across Australia.

The PM&C has around 2,500 employees across the country.

Kaspersky says the announcement reflects the “strong confidence” placed in its security solutions, products, and services by a broad cross section of the Australian market.

“Kaspersky Lab is proud to be protecting the Department of the Prime Minister & Cabinet, including its almost 2,500 employees across Australia,” said Kaspersky Lab’s Australia & NZ managing director, Andrew Mamonitis.

“It is testament to the strong confidence key players on a national level have in our robust portfolio of security offerings.”

Mamonitis said that since opening its offices in Australia 6 years ago, Kaspersky has been directly engaging with the local information security and business communities across Australia.

As an example of that engagement, Mamonitis cites Kaspersky’s Chairman and CEO, Eugene Kaspersky, visiting Australia earlier this month for the AusCERT information security conference, as well as for industry and business events across the country. Eugene Kaspersky spoke at a lunch in Sydney attended by iTWire while he was in Australia; Ray Shaw reported on the luncheon address for iTWire.

Mamonitis says Kaspersky Lab's Australia strategy has been geared towards a collaboration with government agencies and delivering to Australia its global cyberthreat intelligence services, including the provision of policy and technological proposals to deal with the cyberthreats to Australia.

“We are and remain at the forefront of the IT security space. Our extensive role in working with international agencies both globally and across our region means we are able to effectively respond to the impact of the global cybersecurity landscape on Australia.

Kaspersky Lab’s local strategy culminated in today’s announcement of securing the Department of the Prime Minister & Cabinet across Australia.

(Peter Dinham) Security Wed, 17 Jun 2015 17:55:36 +1000
AVG launches Centre of Excellence for mobile

Security firm AVG has established a global Centre of Excellence for mobile in the Israeli capital of Tel Aviv.

The new office comprises a 3,200 square metre facility, supporting more than 120 employees working across state-of-the-art mobile innovation, emerging mobile threats research, and Internet of Things technology development.

AVG Israel Country manager Hael Tayeb said Israel has emerged as a “hotbed for mobile innovation, resulting in unparalleled opportunities to partner with innovative start-ups and develop cutting-edge mobile technologies”.

“AVG’s rapidly growing mobile customer base makes this a critical time to build robust, future-proof offerings, supporting the multiple mobile platforms and services that are so popular today.

“The historical success of our investments in this market has laid a strong foundation for the development of our signature AVG Zen platform, growing our global mobile user base, and delivering on our mobile monetisation strategy.”

AVG says Tayeb will lead the program of “mobile momentum” for Israel. An entrepreneur himself, who has founded and run several mobile-oriented start-ups in the Israel market, Tayeb also previously served as vice-president of Conduit’s Mobile Business Unit, and headed up its spin-off, Como, prior to becoming a start-ups advisor.

Tayeb said the development of AVG’s most popular mobile product, AVG AntiVirus for Android, was driven by the acquisition of Israeli start-up, DroidSecurity, and quickly became the first mobile security product to enter the 100-500 million downloads category on the Google Play store.

According to Tayeb, with over 100 million mobile users worldwide today, and growing, AVG is focused on enhancing and innovating on its mobile portfolio through a dedicated program of industry partnerships, top talent recruitment and discerning investment.

On the back of the new office opening, AVG commenced a roadshow in which 15 innovative Israeli start-ups were invited to meet with AVG’s global senior management team, including Todd Simpson, AVG’s Chief Strategy Officer, and Judith Bitterli, AVG’s Chief Marketing Officer, to discuss and debate Israel’s hottest innovations in the mobile market.

(Peter Dinham) Security Wed, 17 Jun 2015 16:56:58 +1000
Protecting against cybercrime costs, but are the measures effective?

Protecting businesses and organisations against increasing threats from cybercrime is a costly business, and now there are concerns that much of the spending on cybersecurity tools may not even be making the infrastructure of those companies secure.

According to an in-depth report released by Juniper and leading economic and cybersecurity experts at the non-profit RAND Corporation, chief information security officers (CISOs) often face a “chaotic and confusing landscape” when deciding the most efficient and cost-effective way to manage the security risks to their business.

Juniper says that most troubling is that the research indicates that many companies are spending increasing amounts on cybersecurity tools, “but are not confident that these investments are making their infrastructure secure”.

And, according to Sherry Ryan, chief information security officer at Juniper, this dynamic is due to a lack of solid calculus that considers “both the cost of security tools and resources, and the potential cost of a breach, which by definition is neither certain nor predictable”.

“The security industry has struggled to understand the dynamics that influence the true cost of security risks to business. Through Juniper Networks’ work with the RAND Corporation, we hope to bring new perspectives and insights to this continuous challenge. What’s clear is that in order for organisations to turn the table on attackers, they need to orient their thinking and investments toward managing risks in addition to threats.”

With RAND’s model projecting the cost to businesses in managing cybersecurity risk set to increase 38% over the next 10 years, Juniper believes that the time is now for organisations to start managing security spending and risk management as a discrete business function.

According to Juniper, just as there are established models that help organisations understand and achieve their strategic marketing or sales goals and objectives, security teams need a way to better understand the economics of managing security risk, the range of variables implicated, and what investments should be made to more efficiently protect

Ryan says Juniper believes that CISOs need a way to better understand the variables that most influence the cost of managing cybersecurity risk holistically, and the different decisions they can make to protect their organisations. To address this need, RAND developed a heuristic economic model that for the first time maps the major factors and decisions that influence the cost of cyber-risk to organisations, as discussed in “The Defender’s Dilemma: Charting a Course Toward Cybersecurity,” the second report of a two-part series.

Juniper Networks believes there are five major factors confirmed by RAND’s model that companies should strongly consider as they evolve their security postures, and here’s what the company says about each of those factors:

• Many Security Tools Have a Half-Life and Lose Value: Attackers are constantly developing countermeasures to new detection systems such as sandboxing or anti-virus technologies. This dynamic ultimately drives up the amount companies must spend on security technologies to maintain the same level of protection. RAND’s model projects that over 10 years the effectiveness of these technologies that face countermeasures falls by 65%. Companies must carefully evaluate the new tools they invest in, choosing those not prone to countermeasures, and focus on improving security management, automation and policy enforcement across the corporate network.

• The Internet of Things (IoT) is at a Crossroads: According to RAND, IoT will have an impact on overall security costs; however, it’s unclear if it will be positive or negative. If security technologies and management are properly applied to IoT, companies could actually see savings in the long run. On the other hand, if companies struggle to apply security controls effectively, RAND’s model suggests that the introduction of IoT would increase the losses that companies experience due to cyber-attacks by 30% over the course of 10 years.

• Investing in the Workforce Leads to Fewer Costs Over Time: Companies can benefit greatly from making people-centric security investments, such as technologies that help automate security management and processes, advanced security training for employees, and hiring additional security staff. According to the RAND model, organisations with very high levels of security diligence are able to curb the costs of managing security risk by 19% in the first year and 28% by the tenth year when compared to organisations with very low diligence.

• There is No One-Size-Fits-All: Companies are likely not taking the optimal economic strategy with their investments, which should vary greatly from company to company based on their size, the type of information that exists and the diligence of security staff. Specifically, RAND found small to medium-sized businesses benefit most from basic tools and policies, while large organisations and high-value targets require investments in a full range of policies and tools given the likelihood that they will be targeted by an advanced attack.

• Eliminating Software Vulnerabilities Leads to Major Cost Reductions: RAND’s model found that one of the most significant security issues that increases the cost to businesses is the number of vulnerabilities in the software and applications being used. RAND’s model found that if the frequency of software vulnerabilities could be reduced by half, the overall cost of cybersecurity to companies would decrease by 25%.

To bring the RAND economic model to life, Juniper Networks is releasing an interactive interpretation of it. This new tool provides businesses with general guidance on where the model suggests they should invest their time and resources across the major areas that they can control in order to reduce the potential costs.

(Peter Dinham) Security Fri, 12 Jun 2015 00:41:11 +1000
CHOICE bawls out politicians over support for Internet filter Bill

Consumer advocacy group CHOICE has delivered a harsh rebuke to the two major political parties for uniting to support the Internet filter Bill, accusing them of opposing ‘online competition’.

Slamming the ‘historic’ decision by the Labor and Liberal parties to support the Internet filter Bill, CHOICE says the move will limit access to international websites that offer consumers a greater range of more affordable products and services.

Now, CHOICE wants the two parties to reverse their decisions to support what it calls the “anti-consumer” Bill.

The consumer group was reacting to today’s report from the Senate’s Legal and Constitutional Affairs Legislation Committee supporting the Federal Government’s plan to introduce an industry-run internet filter by passing the Copyright Amendment (Online Infringement) Bill 2015.

CHOICE claims introduction of the filter will block VPNs, drive up prices and just hurt consumers.

“Today’s decision is an attempt to kill VPNs and entrench the ‘Australia Tax’, driving up the cost of living for ordinary Australians,” says CHOICE Campaigns Manager Erin Turner.

“At its heart, this is about protecting uncompetitive local industries who have failed to provide timely and affordable content and services.

“If this Bill goes ahead it will allow companies to force internet service providers to block access to overseas websites they consider to be infringing their copyright.

“But this isn’t just about stopping access to Pirate Bay - it also covers sites for online tools like VPNs that help Australian consumers pay for legitimate content, for example from US or UK services.”

Turner acknowledges the pressure on the politicians from ‘rights holders’ over the Internet filter, but suggests they have given up the ghost on the issue.

“We know both sides of politics are under a lot of pressure from big rights holders to support this new law and it looks like they have given in.

“Today CHOICE has launched a campaign targeting Opposition MPs and Senators and asking them to reverse their decision to support this anti-consumer Bill.”

CHOICE has also called on Parliament to ensure the Bill, if passed, provides adequate safeguards for the public interest, including:

• Exclusion of websites that merely “facilitate” online copyright infringement;

• Assurance that using a VPN to circumvent a geoblock and access legitimate content does not infringe copyright; and

• Provisions to enable public interest and consumer advocates to effectively take part in injunction proceedings, including in applications to revoke or vary an order.

(Peter Dinham) Security Fri, 12 Jun 2015 00:26:32 +1000
Comms Alliance ups pressure over costs of website blocking measures

The federal government’s planned website blocking regime continues to draw vigorous debate from opponents and supporters of introducing the measures through the proposed copyright online infringement legislation.

The Communications Alliance, which says it continues its “guarded support” for the legislation, has again demanded clarification on the cost implications of the planned website blocking regime.

The alliance was commenting on the release of the report of the inquiry by the Senate Standing Committee on Legal and Constitutional Affairs into the Copyright Amendment (Online Infringement) Bill 2015, which if passed by parliament would usher in the introduction of an Internet filter in Australia.

Alliance CEO John Stanton has called on the Attorney-General, Senator George Brandis, to heed the Parliamentary Committee’s call for the Government to clarify the cost implications of the website blocking regime.

“The Government’s policy proposal, in July 2014, stated categorically that ‘Rights holders would be required to meet any reasonable costs associated with an ISP giving effect to an order (to block a website) ...’,” Stanton said.

“But this core commitment by Government – which is important to minimise the costs on internet consumers – ‘went missing’ when it drafted the legislation.

“The Committee has rightly pointed out that the Government has left cost issues opaque in the legislation and told the Government to clarify that service providers should not have to bear the cost of implementing orders to assist copyright holders.”

The alliance welcomed the recommendation that the effectiveness of the Bill be reviewed after two years of operation, “given the conflicting international evidence as to whether site-blocking can make a material difference to the frequency of online copyright infringement”.

Stanton also welcomed the Committee’s enthusiasm for the creation of a ‘landing page’ at the blocked online location, specifying that the site has been blocked by a court order.

“This is a good and practical step, but the landing page should be hosted and paid for by the relevant rights holder – as happens today when Interpol seeks the blocking of offensive or illegal websites.”

Stanton congratulated the Committee on resisting pressure from rights holders to abandon the “primary purpose” test in the legislation, but supported the Government position as to the requirement for courts to take account of the factors specified in s115A(5) of the Bill when deciding whether to grant an injunction.

“Communications Alliance continues to give guarded support to the legislation but urges Parliament to amend it before passage, to provide greater clarity, promote effectiveness and help avoid unintended costs and consequences for law-abiding Australian internet users.”

(Peter Dinham) Security Fri, 12 Jun 2015 00:15:53 +1000
Cybercrime initiative aimed at solving crimes faster

Motorola is partnering with crime analytics provider Wynyard Group on a big data analysis initiative which it claims will help solve crimes faster and more efficiently.

The joint initiative by Motorola and Wynyard Group has been launched against a backdrop of growing data from video, social media and other sources, which Motorola says is driving public safety agencies to adopt advanced technology that makes data actionable for faster-than-ever crime detection, prevention and resolution.

The initiative will see the integration of next-generation crime analytics to help law enforcement agencies connect disparate data sources such as criminal history, social media networks, property records, field notes and other types of evidence.

The Wynyard Group analytics software helps identify criminal patterns and explore relationships by analysing data in minutes rather than days, freeing up agency resources to investigate leads and solve cases.

And, with the partnership, Motorola says public safety agencies of all sizes will be able to do more with less by upgrading their intelligence and investigative capabilities at a fraction of the cost with the “Software as a Service” (SaaS) solution. Motorola Solutions’ Intelligence-Led Public Safety platform makes it fast and easy for agencies to share data regionally or nationally to help deter crimes that extend across jurisdictions.

“The acquisitions, partnerships and investments Motorola Solutions continues to make this year are significantly strengthening our customers’ ability to prevent, detect and solve crimes with more information at their fingertips than ever before,” said Bob Schassler, executive vice president, Motorola Solutions.

“Motorola Solutions’ Smart Public Safety Solutions and Wynyard Group’s analytics software will help public safety quickly gain actionable intelligence from an increasing volume of available data.”

Schassler said the Wynyard Group software enhances CommandCentral by connecting the dots between multiple databases and evidence libraries to help investigators quickly prevent and solve crime.

(Peter Dinham) Security Thu, 11 Jun 2015 18:40:58 +1000