By Fahmida Y. Rashid

Broken authentication, improperly secured configuration files, and poor certificate management: attackers could have exploited these issues to compromise any Red Hat Enterprise Linux (RHEL) instance on Microsoft Azure.

Ian Duffy, an Irish software engineer with the e-commerce company Zalando, discovered these flaws while building a RHEL machine image compliant with the Department of Defense's Security Technical Implementation Guide (STIG). Microsoft has since fixed the problems, but they offer an object lesson in the hazards of poorly implemented cloud security.

To read this article in full or to leave a comment, please click here

By Serdar Yegulalp

With the PC market tapped out and in a perpetual slump and the cloud market a tough fight for customers, Microsoft's on the prowl for new frontiers.

In that spirit, the company announced last week an effort to build a quantum computer, a combination of exotic hardware and specialized software that, for certain classes of problems, could outperform conventional silicon by orders of magnitude.

An announcement like this would once have been easy to blow off as a science-fiction self-indulgence. But in the last couple of years, quantum computing has become a field of serious study for big-name enterprise IT companies. Here are four big takeaways from Microsoft's plunge into what may prove to be a very deep pool.


By John Ribeiro

San Francisco's Muni transit system has reportedly been hit by ransomware, with the message "You Hacked, ALL Data Encrypted" displayed on computer screens at stations since Friday, according to newspaper reports.

The message said to contact cryptom27 at yandex.com for the key to unlock the data.

Fare payment machines at stations were also displaying "out of service," and San Francisco's Municipal Railway, widely known as Muni, was giving free rides on its light-rail vehicles because it was unable to charge customers, according to the Examiner.


By InfoWorld Security
CSO Editor-in-Chief Joan Goodchild sits down with Kevin O'Brien, founder and CEO of GreatHorn, to discuss ways that security leaders can fend off spear phishing attempts aimed at the executives at their companies.
By Fahmida Y. Rashid

There are two types of open source projects: those with corporate sponsorship and those that fall under the “labor of love” category. Actually, there’s a third variety: projects that get some support but have to keep looking ahead for the next sponsor.

Some open source projects are so widely used that if anything goes wrong, everyone feels the ripple effects. OpenSSL is one such project; when the Heartbleed flaw was discovered in the open source cryptography library, organizations scrambled to identify and fix all their vulnerable networking devices and software. Network Time Protocol (NTP) arguably plays as critical a role in modern computing, if not more; the protocol, and the open source reference implementation maintained by the Network Time Foundation, keeps the clocks on servers and devices synchronized so that they all agree on the time. Yet the fact remains that NTP is woefully underfunded and undersupported.


By Fahmida Y. Rashid

The Network Time Foundation's Network Time Protocol Project has patched multiple denial-of-service vulnerabilities with the release of ntp-4.2.8p9. The previous release of the open source reference implementation, which is used to synchronize computer clocks, was in June.

"NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in DDoS (distributed denial-of-service) attacks," the project maintainers wrote in the security advisory.

NTP is widely deployed, and over the past two years it has repeatedly been abused as a reflection and amplification vector in distributed denial-of-service attacks. An attacker sends small queries, with the source address forged to be the victim's, to servers running NTP; the servers answer with responses as much as 1,000 times the size of the initial query, and all of that traffic lands on the victim. Research from network security company Arbor Networks estimated that 85 percent of volumetric DDoS attacks exceeding 100Gbps were NTP reflection attacks.
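The reflection pattern described above is easy to spot from the reflector's side: a peer that receives far more bytes from the NTP server than it ever sent to it. The following is an added example, not code from the article or from the NTP project, that scores per-peer amplification over constructed flow records (the server address 203.0.113.7, the peer addresses, the byte counts and the 10x threshold are all assumptions made for the illustration).

```python
from collections import defaultdict

# Constructed sample flow records (not from the article), in the shape a flow
# collector might export for UDP traffic at the edge of a network that hosts
# the NTP server 203.0.113.7. Fields: src,sport,dst,dport,packets,bytes.
SAMPLE_FLOWS = """\
198.51.100.20,51234,203.0.113.7,123,1,76
203.0.113.7,123,198.51.100.20,51234,1,76
192.0.2.10,123,203.0.113.7,123,4,304
203.0.113.7,123,192.0.2.10,123,4,304
198.51.100.99,4444,203.0.113.7,123,1,50
203.0.113.7,123,198.51.100.99,4444,100,48200
203.0.113.7,123,198.51.100.77,53,100,48200
"""


def parse_flows(text):
    """Parse the CSV-style flow lines above into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, pkts, nbytes = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "packets": int(pkts),
                      "bytes": int(nbytes)})
    return flows


def amplification_by_peer(flows, server_ip, ntp_port=123):
    """Bytes the server sent to each (ip, port) divided by bytes it received
    from that peer. Ordinary client/server and peer exchanges sit near 1.0;
    a reflection victim shows a large ratio, or inf when the server answered
    a peer from which no request was seen at all."""
    received = defaultdict(int)
    sent = defaultdict(int)
    for f in flows:
        if f["dst"] == server_ip and f["dport"] == ntp_port:
            received[(f["src"], f["sport"])] += f["bytes"]
        elif f["src"] == server_ip and f["sport"] == ntp_port:
            sent[(f["dst"], f["dport"])] += f["bytes"]
    ratios = {}
    for peer in set(received) | set(sent):
        req, resp = received.get(peer, 0), sent.get(peer, 0)
        if req:
            ratios[peer] = resp / req
        else:
            ratios[peer] = float("inf") if resp else 0.0
    return ratios


def suspected_reflection_victims(flows, server_ip, threshold=10.0):
    """Peers that got at least `threshold` times more NTP bytes than they
    sent. The threshold is an assumption for this example; a normal NTP
    exchange is symmetric, so anything well above 1.0 deserves a look."""
    ratios = amplification_by_peer(flows, server_ip)
    return sorted(peer for peer, ratio in ratios.items() if ratio >= threshold)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for peer, ratio in sorted(amplification_by_peer(flows, "203.0.113.7").items()):
        print(peer, "%.1f" % ratio)
    print("suspected victims:", suspected_reflection_victims(flows, "203.0.113.7"))
```

On a server you administer, the direct check is whether the classic amplifier, the mode 7 `monlist` query, still answers: `ntpdc -n -c monlist <server>` should time out rather than return a client list. In ntp.conf, `restrict default kod nomodify notrap nopeer noquery` together with `disable monitor` closes it; spoofed-source filtering at the network edge (BCP 38) is what stops your servers being used against someone else.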


By Roger A. Grimes

The long-awaited SHA-1 deprecation deadline of Jan. 1, 2017, is almost here. At that point, we’ll all be expected to use SHA-2 instead. So the question is: What is your browser going to do when it encounters a SHA-1 signed digital certificate?

We’ll delve into the answers in a minute. But first, let’s review what the move from SHA-1 to SHA-2 is all about.

Getting from SHA-1 to SHA-2

SHA-1 is a cryptographic hash function standardized by NIST, which has since deprecated it for digital signatures. It is used to verify digital content, as well as digital certificates and certificate revocation lists (CRLs). Whenever a PKI certification authority (CA) issues a certificate or CRL, it hashes the content and signs that hash with its private key, so that "consuming" applications and devices can verify the signature and decide whether to trust the data.


By Fahmida Y. Rashid

Despite months of reminders and warnings, more than one-third of websites risk becoming inaccessible in 2017. There is barely a month left before major browsers start blocking websites whose certificates are signed with the SHA-1 hash, but 60 million-plus websites still rely on the deprecated algorithm, according to the latest estimates from security company Venafi.

Starting Jan. 1, Mozilla's Firefox browser will show an "Untrusted Connection" error for sites using a SHA-1 certificate, and Google's Chrome browser will drop all support for SHA-1 and completely block sites using SHA-1 certificates. Microsoft has said its Edge and Internet Explorer browsers will start blocking the sites outright on Feb. 1, 2017.
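What the browsers will be looking at is the signatureAlgorithm field of each certificate in the chain, the OID recording which hash the CA signed with (the signing step described in the SHA-1 article above). The following is an added example, not code from either article or from any browser vendor: a minimal DER walker that pulls that OID out of a certificate, flags the hashes the 2017 deadline rejects, and checks that the outer signatureAlgorithm matches the copy inside tbsCertificate, which RFC 5280 requires. The sample certificates it runs on are constructed in the block (the serial number, dummy signature value and the helper names are assumptions); they carry real-world structure but are not valid, signed certificates.

```python
import ssl

# Signature-algorithm OIDs found in a certificate's signatureAlgorithm field
# (RFC 3279, RFC 4055, RFC 5758). RSASSA-PSS keeps its hash in the parameters
# instead and is reported as unknown by this minimal parser.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
WEAK_HASH_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption",
                        "dsaWithSHA1", "ecdsa-with-SHA1"}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next).
    Only single-byte tags are handled, which is all X.509 uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _alg_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def signature_algorithms(cert_der):
    """Return (outer_oid, inner_oid): Certificate.signatureAlgorithm and
    TBSCertificate.signature. RFC 5280 section 4.1.2.3 says they must match."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = _read_tlv(cert, 0)            # tbsCertificate
    _, outer_alg, _ = _read_tlv(cert, pos)      # signatureAlgorithm
    tag, _, p = _read_tlv(tbs, 0)               # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, p = _read_tlv(tbs, p)             # serialNumber
    _, inner_alg, _ = _read_tlv(tbs, p)         # signature
    return _alg_oid(outer_alg), _alg_oid(inner_alg)


def assess(cert_der):
    """What a browser will see: the signing algorithm, whether its hash is one
    the 2017 deadline rejects, and whether the inner and outer fields agree."""
    outer, inner = signature_algorithms(cert_der)
    name = SIGNATURE_OIDS.get(outer, "unknown(" + outer + ")")
    return {"algorithm": name, "weak_hash": name in WEAK_HASH_SIGNATURES,
            "consistent": outer == inner}


def assess_pem(pem_text):
    """Same check on PEM input, e.g. the string ssl.get_server_certificate() returns."""
    return assess(ssl.PEM_cert_to_DER_cert(pem_text))


# --- Constructed sample input: just enough X.509 structure to exercise the
# --- parser. These are not real certificates; the signature value is dummy.
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_cert(sig_oid, inner_oid=None):
    """Certificate-shaped DER with the given signatureAlgorithm OID; pass a
    different inner_oid to fake an inner/outer mismatch."""
    def alg_id(oid):
        return _der(0x30, _der(0x06, _encode_oid(oid)) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))     # version v3
                     + _der(0x02, b"\x10\x01")           # serialNumber (assumed)
                     + alg_id(inner_oid or sig_oid))     # signature
    sig = _der(0x03, b"\x00" + b"\xAB" * 128)            # dummy BIT STRING
    return _der(0x30, tbs + alg_id(sig_oid) + sig)


SAMPLE_SHA1_PEM = ssl.DER_cert_to_PEM_cert(build_sample_cert("1.2.840.113549.1.1.5"))

if __name__ == "__main__":
    for label, oid in (("SHA-1", "1.2.840.113549.1.1.5"),
                       ("SHA-256", "1.2.840.113549.1.1.11")):
        print(label, assess(build_sample_cert(oid)))
```

To run it against a live site, feed `ssl.get_server_certificate((host, 443))` to `assess_pem`, but remember that the leaf is only one link: an intermediate signed with SHA-1 trips the block just as surely, so walk every certificate the server sends. Self-signed roots are the exception; browsers trust a root by identity rather than by checking its signature, so a SHA-1 signature on a root certificate does not by itself cause the error.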
