2018-06-09T07:41:00-11:00Saturday, June 09, 2018Mohit Kumar
In its years-long efforts to censor the Internet by blocking access to a large number of websites in the country, Russia has now approved a new bill introducing fines for search engines that provide links to banned sites, VPN services, and anonymization tools.
VPNs, or Virtual Private Networks, are third-party services that help users access block banned websites by encrypting users' Internet traffic and routing it through a distant connection, hiding their location data and access sites that are usually restricted or censored by a specific country.
According to the amendments to the Code of Administrative Offenses of the Russian Federation, besides introducing fines for providing links to banned resources, the lower house of Russian parliament, the State Duma, will also impose fines on search engines if they fail to stop issuing links to resources providing up-to-date database of blocked domains upon users request.
According to the bill, individuals who break the law will face fine of 3,000 to 5,000 rubles (approx. $48 to $80), officials will face fines up to 50,000 rubles (approx. $800), and legal entities could be fined 500,000 to 700,000 (nearly $8,019 to $11,227), reports Russian State Duma Government site.
The bill to the Code of Administrative Offenses is associated with the law on anonymizers adopted at the end of the spring session of the State Duma in 2017.
Many Russian citizens use VPNs and other Internet proxy services to access blocked content by routing their traffic through servers outside the country.
However, Russian authorities have begun to crack down on Internet freedoms by tighten controls on online services in recent years, citing concerns about the spread of extremist materials.
As a result, last year, Russian authorities made it mandatory for VPN and anonymizer services operating in the country to register themselves with the state.
However, many VPNs and anonymizers have still not registered themselves, which is why the country has introduced fines for search engines that provide links to banned sites, VPNs, and anonymization tools.
The Russian communications watchdog Roskomnadzor will also provide a Federal State Information System (FGIS) containing an up-to-date list of banned websites and services in the country, and search engines will be required to connect to FGIS within 30 days.
Those who fail to connect to this system will also face fines similar to those detailed above.
Late last month, Roskomnadzor also threatened Apple to face the consequences for not removing secure messaging app Telegram from its App Store and blocking it from sending push notifications to local users who have already downloaded the app.
2018-05-27T21:30:00-11:00Sunday, May 27, 2018Mohit Kumar
German security researchers claim to have found a new practical attack against virtual machines (VMs) protected using AMD's Secure Encrypted Virtualization (SEV) technology that could allow attackers to recover plaintext memory data from guest VMs.
AMD's Secure Encrypted Virtualization (SEV) technology, which comes with EPYC line of processors, is a hardware feature that encrypts the memory of each VM in a way that only the guest itself can access the data, protecting it from other VMs/containers and even from an untrusted hypervisor.
Discovered by researchers from the Fraunhofer Institute for Applied and Integrated Security in Munich, the page-fault side channel attack, dubbed SEVered, takes advantage of lack in the integrity protection of the page-wise encryption of the main memory, allowing a malicious hypervisor to extract the full content of the main memory in plaintext from SEV-encrypted VMs.
Here's the outline of the SEVered attack, as briefed in the paper:
"While the VM’s Guest Virtual Address (GVA) to Guest Physical Address (GPA) translation is controlled by the VM itself and opaque to the HV, the HV remains responsible for the Second Level Address Translation (SLAT), meaning that it maintains the VM’s GPA to Host Physical Address (HPA) mapping in main memory.
"This enables us to change the memory layout of the VM in the HV. We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside."
"We first identify the encrypted pages in memory corresponding to the resource, which the service returns as a response to a specific request. By repeatedly sending requests for the same resource to the service while re-mapping the identified memory pages, we extract all the VM's memory in plaintext."
During their tests, the team was able to extract a test server's entire 2GB memory data, which also included data from another guest VM.
In their experimental setup, the researchers used a with the Linux-based system powered by an AMD Epyc 7251 processor with SEV enabled, running web services—the Apache and Nginx web servers—as well as an SSH server, OpenSSH web server in separate VMs.
As malicious HV, the researchers used the system's Kernel-based Virtual Machine (KVM) and modified it to observe when software within a guest accessed physical RAM.
While Apache and Nginx web servers the extraction of memory data was high (at a speed of 79.4 KB/sec), OpenSSH had a higher response time which reduced the extraction speed to only 41.6 KB/sec.
"Our evaluation shows that SEVered is feasible in practice and that it can be used to extract the entire memory from an SEV-protected VM within a reasonable time," the researchers said. "The results specifically show that critical aspects, such as noise during the identification and the resource stickiness are managed well by SEVered."
The researchers also recommended a few steps AMD could take to isolate the transition process between the host and Guest Physical Address (GPA) to mitigate the SEVered attack.
The best solution is to provide "a full-featured integrity and freshness protection of guest-pages additional to the encryption, as realized in Intel SGX. However, this likely comes with a high silicon cost to protect full VMs compared to SGX enclaves."
However, securely combine the hash of the page’s content with the guest-assigned GPA could be a low-cost, efficient solution, which ensures "pages cannot easily be swapped by changing the GPA to HPA mapping."
The research was carried out by four Fraunhofer AISEC researchers—Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel—which has been published in their paper [PDF] titled, "SEVered: Subverting AMD’s Virtual Machine Encryption."
2018-05-24T05:36:00-11:00Thursday, May 24, 2018Wang Wei
PornHub wants you to keep your porn viewing activities private, and it is ready to help you out with its all-new VPN service.
Yes, you heard that right.
Adult entertainment giant PornHub has launched its very own VPN service today with "free and unlimited bandwidth" to help you keep prying eyes away from your browsing activity.
Dubbed VPNhub, the VPN service by PornHub is available for both mobile as well as desktop platform, including Android, iOS, MacOS, and Windows.
VPN, or Virtual Private Network, allows users to transmit data anonymously, avoids ISP-level website blocking or tracking and keeps your browsing activity private by encrypting your data, even when you are on public Wi-Fi connections.
VPNhub promises never to store, collect, sell, or share your personal information with any third parties for their marketing, advertising or research purposes.
However, in its privacy policy under the heading, "How We Use Your Information," the company says it can sell "aggregate or non-personally identifiable information with non-affiliated third parties for advertising, marketing or research purposes."
Since some government, including that of United Kingdom, are regulating adult content online, launching a VPN service by Pornhub makes sense.
VPNhub is available in countries across the globe except for Burma/Myanmar, Cuba, Iran, North Korea, Sudan, and Syria, due to the ban imposed by the U.S. government.
While mobile users (both iOS and Android) can download and use the VPNhub app for free, desktop users (MacOS and Windows) have to purchase a premium account.
You can also upgrade your free account to a premium subscription for $13 a month or $90 for a full year, which eliminates ads, provides faster connection speeds, and opens up "servers from a wide range of countries."
You can give premium VPNhub a try by using its use 7-day free trial.
Apple is making it easier for its users to download their data the company has collected about them so far.
On Wednesday, Apple just launched a new Data and Privacy website that allows you to download everything that the company knows about you, from Apple ID info, device info, App Store activity, AppleCare history, your online shopping habits to all of your data stored in its iCloud.
A similar feature was recently offered by Facebook, enabling its users to download all of their data, not only what they have posted, but also information like facial recognition and location data, following the Cambridge Analytica scandal.
Apple has currently made this feature only available for people having accounts in European Union (along with Iceland, Liechtenstein, Norway and Switzerland), to comply with the General Data Protection Regulation (GDPR) act, which goes into effect on May 25.
However, Apple is planning to roll out this feature worldwide in the coming months. "We intend to provide these capabilities to customers around the world in the coming months," the company wrote.
The new GDPR act was passed with an aim to completely transform the way companies handle its users' personal data, giving users more control over their data. The act applies to all companies that collect the data of EU people, regardless of where they are based.
The GDPR will replace the British Data Protection Act 1998 from 25 May 2018.
The government has also warned businesses that if they fail to make changes in their policies before Friday, they could face fines of up to £17 Million (more than $22 Million), or 4% of their global turnover—whichever amount is higher.
That's why big companies like Apple have decided to inform their European customers about the new privacy policies.
Here's How to Download Your Data:
You can download all your data with a few simple clicks on the privacy portal.
Select the Get started link under the "Obtain a copy of your data" heading in Manage your data.
You can press 'Select All' to download everything or tick the boxes of the data categories you want to download. iCloud data are provided into a separate list as this data may be large and can take a long time to download.
Apple splits up the data into chunks, which ranges from 1 GB up to a maximum of 25 GB, letting you select your preferred maximum file size. Select a size and hit 'Continue.'
Your download is now in progress, and Apple will send you an email when the files are available to download, which can take up to a week. Your downloaded data is then automatically deleted after 2 weeks.
Here's the List of Data that You can Download:
App Store, iTunes Store, iBooks Store and Apple Music activity
Apple ID account and device information
Apple Online Store and Retail Store activity
AppleCare support history, repair requests and more
Game Center activity
iCloud Bookmarks and Reading List
iCloud Calendars and Reminders
iCloud Contacts
iCloud Notes
Maps Report an Issue
Marketing subscriptions, downloads, and other activity
Other data
iCloud Drive files and documents
iCloud Mail
iCloud Photos
Besides data download feature, Apple is also providing an option of permanently deleting all of your data, which has been made available globally starting today. Once you initiate the data delete option, the company can take up to 7 days to approve the request.
But keep in mind: Once deleted, there is no way you can retrieve your data.
2017-11-27T02:45:00-11:00Monday, January 01, 2018 Exclusive Deals
Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!
2017-11-01T04:54:00-11:00Wednesday, November 01, 2017Mohit Kumar
The Hacker News (THN), the widely-read cybersecurity news source for hackers and technologists, is celebrating its 7th Anniversary today.
This is a huge milestone for THN and our team, but this day really belongs to you—our readers. Without you, we would not be here, and we appreciate you for reading, commenting, and sharing our content every day.
7-years ago today we started this website with an aim to provide a dedicated platform to deliver latest cybersecurity news and threat updates for everyone, including students, enthusiasts, technologists, security researchers and hackers as well.
Times flies when you are having fun!
"Over 6,700 Posts, 33,500 Comments And 293 Million Pageviews"
We have always admitted that we do not cover everything, never did, never could, we just cover things that are important to our readers and impact a broader audience.
So this is the actual difference between The Hacker News and a full-fledged media outlet.
Since November 1, 2010, we have brought you more than 6,700 news articles with 33,500 comments and attracted over 293 million page views.
The Hacker News is so much more than just a blog—we are a community. If you are reading this, you are already part of our family!
The Hacker News has become one of the popular and trusted hacking news channel that attracts more than 10 million monthly readers—all because of readers high enthusiasm.
"Over 2 Million Facebook, 412,000 Twitter, 1.6 Million Google+ Followers And 250,000 Email Subscribers."
When I look back at where The Hacker News started, I am in awe of how far we have come.
Starting a website is always easy, every day thousands of sites launch, but the real challenge is to be consistent, keep it always up-to-date, converting readers into a loyal readership and followers.
Regardless of how frequent you visit our site, whether you are a regular reader or just come occasionally, whether you support our website by sharing articles, or are a silent reader, The Hacker News would not be there if you were not there.
Last year we also launched an exclusive deals store with an aim to offer things that you need to take your potential to the next level.
Packed with great deals at incredibly low prices, our deal store offers everything from online training courses to gear and gadgets, downloadable security products, privacy services and even drones.
What Next?
We are in the process (beta testing) and working hard to fulfil a promise we did to our readers last year of a new platform that will completely transform the way THN reports and engage with infosec community today.
As things are changing so quickly on the Internet, next version (launch is coming soon) of our website will offer much more up-to-date interactive content and opportunities.
This is just the beginning, as there are many many more exciting years ahead!
Once again, our heartiest thanks to all of you and please let us know if you have any feedback for The Hacker News in the comments below.
2017-08-02T07:05:00-11:00Wednesday, August 02, 2017Mohit Kumar
By this time, almost every one of you owns at least one internet-connected device—better known as the "Internet of things"—at your home, but how secure is your device?
We have recently seen Car hacking that could risk anyone's life, Hoverboard hacking, even hacking of a so-called smart Gun and also the widespread hacks of insecure CCTV cameras, routers and other internet-connected home appliances.
But this did not stop vendors from selling unsecured Internet-connected smart devices, and customers are buying them without giving a sh*t about the security of their smart devices.
However, the massive cyber attack on a popular DNS service provider that shut down a large portion of the Internet last year made us all fear about the innocent-looking IoT devices, which surround us every day, but actually, poses a threat to global cyber security.
Not anymore!
A bipartisan group of senators have now introduced a new bill aimed at securing internet-connected devices by setting industry-wide security standards for the government's purchase and use of IoT devices, including computers, routers and security cameras.
The bill would require suppliers that provide wearables, sensors and other web-connected smart devices to the United States government to adhere to some new industry-wide security practices.
The security standards prohibit the suppliers from including hard-coded (unchangeable) usernames and passwords in their devices, which is a primary vector for hackers and malware to break into the devices and hijack them.
Last year's cyber attack on Dyn DNS provider also involved the use of default credentials to break into hundreds of thousands of internet-connected smart devices and then used them to launch distributed denial of service (DDoS) attacks on Dyn, causing a significant outage to a ton of websites such as Twitter, GitHub, PayPal, Amazon, and Netflix for several hours.
The legislation would also require vendors to ensure that their devices are patchable and are free from already known vulnerabilities when sold.
The bill was drafted with input from technology experts at the Atlantic Council and Harvard University.
The lawmakers are trying to "take the lightest touch possible" to address an "obvious market failure" that has left device manufacturers with little incentive to build with security in mind, Sen. Warner told Reuters.
The legislation would direct the White House Office of Management and Budget (OMB) for permission to buy devices if their network-level security requirements are in place.
2017-01-26T19:21:00-11:00Thursday, January 26, 2017Mohit Kumar
The IT threat landscape has changed dramatically over the last three-four years.
With no shortage of threat actors, from hacktivists to nation-states, criminals to terrorists, all of them are now after something new.
It's no more just about stealing your money, credit cards and defacing websites, as now they are after the intellectual property, mass attacks and most importantly, our critical infrastructures.
We have long-discussed nightmare scenarios of cyber attacks against nation's critical infrastructure, but now these scenarios have come to the real world, and we have seen many such incidents in the past years.
The latest example is cyber attacks against Ukrainian power grid. Just two weeks back, Ukraine's national power company Ukrenergo confirmed that electricity outage on 17-18th December last year was caused by a cyber attack.
Such sophisticated cyber attacks have revealed the extent of vulnerabilities in the systems that are operating the most critical sectors in a country.
Around 13 years ago, the Indian government established the Computer Emergency Response Team (CERT-In), and just like CERTs in other nations; it is responsible for collecting and sharing reports on cyber attacks against non-critical systems.
Every minute, we see about half a million attack attempts that are happening in cyberspace.
But, we are living in a dramatically fast changing world and unfortunately, which now includes threats not only against people, places, and information but also against strategic sectors and critical infrastructure of a nation, for which most organizations were never prepared for.
In order to address cybersecurity of critical infrastructure and evolve related practices, policies, and procedures to protect our most critical properties, the government set up a special body in 2014, named NCIIPC.
NCIIPC — National Critical Information Infrastructure Protection Centre — works under the country's technical Intelligence Agency, NTRO and vowed to work with public and private sectors to identify the nation's most critical assets and systems, and help them to create a foolproof firewall around these networks and overall risk management strategies.
Just last week, NCIIPC organized an event to celebrate its third anniversary of its foundation day, and I got an opportunity to attend the event and represent The Hacker News, among others, including — cyber security experts, policymakers, industry leaders, Academia and Government representatives.
The event aimed to provide a platform for all stakeholders of the CII ecosystem to converge, deliberate and formalize action plans for optimizing and improving protection of the vast array of CII deployed across the nation. Here's a brief of last week's main events, in case you've missed them:
The event was inaugurated with the welcome address from Mr. Alok Joshi, Chairman NTRO, who briefly said that the cybersecurity threats are becoming more severe over time.
Attacks are happening now… but not only this, it is constantly changing and, in the case of cyber, the threats are becoming ever more sophisticated and insidious.
And It’s true, everything is under attack… from highly critical infrastructures to medical devices.
Mr. Joshi’s talk was followed by Dr.Arvind Gupta, Deputy National Security Advisor (NSA), Chief guest for the event, who primarily focused his talk on critical issues originated due to a massive number of unreported cyber-attacks.
He also showed support for the need of developing capabilities to strengthen cybersecurity research and development (R&D) community, which must include researchers, industry experts, and academia.
The event also witnessed insightful keynotes including Dr.Gulshan Rai, India’s first National Cyber Security Coordinator and Dr. Sanjay Bahl, Director General CERT-In.
Both officials collaboratively said that NCIIPC is intended to promote collaboration and information sharing between government and industry to facilitate safe, secure and resilient Information Infrastructure for Critical Sectors of the Nation.
Moreover, delegates also discussed the security of Internet of Things -- the next generation critical Infrastructure.
Just as critical infrastructure is essential for everyday living, the rapidly growing "Internet of Things" is changing the way we use technology and helping people live more efficiently.
So, it has been concluded that to prevent our critical assets from sophisticated cyber attacks, we and organizations like NCIIPC, need to work together to identify the list of infrastructures that need special protection and know, who are after them.... waiting for opportunities to harm nation's economy and steal our secrets.
2017-01-24T06:24:00-11:00Tuesday, January 24, 2017Mohit Kumar
2017 is the year of Artificial Intelligence (A.I.), Big Data, Virtual Reality (VR) and Cyber Security with major companies like Google, Facebook, Apple, IBM and Salesforce and technology pioneers like SpaceX founder Elon Musk investing in these hot technologies.
Since everyone seems to be talking about the hottest trend — artificial intelligence and machine learning — broadly, 62 percent of large enterprises will be using AI technologies by 2018, says a report from Narrative Science.
But why AI is considered to be the next big technology? Because it can enhance and change everything about the way we think, interact, manufacture and deliver.
Last year, we saw a significant number of high-profile hacks targeting big organizations, governments, small enterprises, and individuals — What's more worrisome?
It’s going to get worse, and we need help.
No doubt, we, the human, can find vulnerabilities but can not analyze millions of programs with billions of lines of codes at once.
But what if we have an autonomous system that finds and fixes vulnerabilities in computer systems before cyber criminals exploit them, without even any involvement of human?
Cloud-AI System That Interacts With Web Just Like Humans
An Indian startup named Cloudsek, Infosec Risk assessment company, is working in the same direction, which aims at providing intelligence machine learning-based solutions to help organizations identify and tackle online threats in real-time.
The company has developed Cloud-AI technology, an artificial Intelligence system based on a semi-supervised learning model that can navigate and interact with the Internet just like an intelligent human being.
Cloud-AI is designed to learn on its own with an ability to automatically gather information about input boxes, buttons, and navigation links with minimal false positives.
"This is because humans have generated a vast amount of data on how they have interacted with the web," Rahul Sasi, Co-Founder and CTO of CloudSek said in its blog post published today.
"We use this data to train our models to achieve our tasks successfully. This method also helps us complete challenging tasks which otherwise is highly time-consuming for the many reinforcement Models."
Cloud-AI technology powers two of the company's product:
CloudMon – a system that monitors various Internet exposed infrastructures, including Cloud-based Applications and websites, for critical security issues.
x-Vigil – a system that monitors various Internet sources,underground/discussion forums, social media platforms, infiltrated data, along with uncovering a broad range of threats and providing real-time alerts without any manual intervention.
Besides this, the security researchers at Cloudsek are also working to up-skill its Cloud-AI technology with an ability to find new vulnerabilities much more quickly than people behind the keyboard.
Cloud-AI Finds Vulnerabilities Like Artificially Intelligent Hacker
An Insecure direct object reference flaw occurs when any application frequently uses the actual name or key of an object while generating web pages, but doesn't always verify if the user is authorized for the target object.
The issues fixed in LinkedIn include:
Leak of any user's Email ID on LinkedIn
Leak of users email and phone number and resume
Deleting every user's LinkedIn request
Downloading every transcript to videos from Lynda
Downloading every Lynda exercise files without a premium membership
To detect such flaws, all an attacker needs to do is manipulate parameter values. But finding such an easily identifiable security flaw is impossible for an automated tool due to the difficulty in reaching the flawed endpoint, whereas manually doing the process is time-consuming.
"Cloud-AI system had to fill multiple forms and follow valid patterns to reach the vulnerable endpoints. These endpoints often get missed by existing automated tools as well as manual analysis," CloudSek explains.
Artificial Intelligence is good at breaking CAPTCHA codes, but I'm wondering, and even believe that this system might soon gain the ability to beat Google's latest reCAPTCHA system, which is also powered by a sophisticated artificial intelligence system to defend websites against bots.
How AI Technology Shaping the Future of CyberSecurity
Cyber security is among the biggest threats in today's world, and it is a known fact that there are not enough skilled cyber security professionals to tackle growing Internet threats.
The Internet has already been struggling to defend against organized crime, state-sponsored hackers, surveillance and, of course, terrorism – but experts believe AI technology can aid us in protecting sensitive data and critical infrastructure from attackers.
Either its Cloud-AI from CloudSec or OpenAI, backed by Tesla and Space X CEO Elon Musk, every player in this domain wants to build a technology that would eventually create digital intelligence in the way to benefit humanity as a whole.
"In near future, Cloud-AI would be upgraded to assist users while ordering anything on the Internet, as well can perform complex tasks to save precious time." Sasi told The Hacker News
Moreover, with the rise of the Internet of Things (IoT) devices, the cyber-security threats have grown exponentially, so extensive research into prevention and detection schemes of these technologies is strongly being considered globally.
Since AI is a fundamental part of the concept of the Internet of Things, where machines and devices communicate with each other to get the work done, it's only AI and machine learning that will be incredibly useful to defend our network before anyone exploits them.
Last year, Security researchers at MIT also developed a new Artificial Intelligence-based cyber security platform, called 'AI2,' which has the ability to predict, detect, and stop 85% of Cyber Attacks with high accuracy.
Isn't it revolutionary idea for Internet Security?
At the same time, we should not forget that smarter technologies do not come without risks. While AI could provide organizations with a valuable weapon in their arsenal, the risk is that the technology would not fall into wrong hands.
China has long been known for its strict censorship policies, which has already made it difficult for foreign companies to do business in the world's most populous country of more than 1.35 Billion people.
Now, the Chinese government has approved a broad new controversial cybersecurity regulations that would further strengthen the country's censorship regime, making it more difficult for technology companies to operate in the country.
Made public on Monday, the legislation, passed by China's rubber-stamp parliament and set to go into effect in June 2017, aims at combating growing threats like hacking and terrorism, but actually comes with data localization, real-name requirements, and surveillance.
The Cybersecurity Law requires instant messaging services and other internet operators to force users to register with their real names and personal information, which restricts anonymity of a user online.
The proposed law also includes requirements for 'Data Localization' that would force "critical information infrastructure operators" to store its users' data within the country's borders – the same law Russian government imposed on foreign tech companies.
Chinese Human Rights Watch (HRW) is opposing the legislation, saying that the new law doesn't include any precise definition of infrastructure operators, and will further extend government control over an already heavily monitored and censored media.
"The law will effectively put China's Internet companies, and hundreds of millions of Internet users, under greater state control," HRW's China director Sophie Richardson said in a statement over the weekend.
"Despite widespread international concern from corporations and rights advocates for more than a year, Chinese authorities pressed ahead with this restrictive law without making meaningful changes."
Moreover, the new legislation also covers some new requirements for cyber security, forcing companies to provide "technical support" to government agencies for investigations involving national security and crime and to censor contents that are "prohibited."
Although this technical support is not clearly defined in the law, experts believe that authorities could ask companies for encryption backdoors or other surveillance assistance in the name of tech support.
Under this law, companies and network operators should report "security incidents" to the government and inform consumers of data breaches.
Acts that encourages "overthrowing the socialist system," "fabricating or spreading false information to disturb economic order," and inciting "separatism or damage national unity" are categorized as criminal acts under the new law.
Such requirements have raised serious concerns for the users and companies operating in China, where the Internet and online freedom have already heavily censored by the government.
2015-02-15T22:57:00-11:00Sunday, February 15, 2015Mohit Kumar
President Barack Obama signed an executive order on Friday that encourages and promotes sharing of information on cybersecurity threats within the private sector and between the private sector companies and the government agencies as well.
AREAS TO IMPROVE
During his speech at the White House Cybersecurity Summit at Stanford University in California, where many tech leaders and other government officials also assembled, the President highlighted events affecting cybersecurity and the development of the Internet.
The four areas that Obama believes must be improved are listed below:
Development and evolution of the Internet
Cybersecurity
Rights of individuals in regards to the Internet
Cooperation between the Government and private companies
EVERYONE IS VULNERABLE - OBAMA
"The cyber world is sort of the Wild Wild West and to some degree we are asked to be the sheriff," Mr. President told a crowd at the Memorial Auditorium. "When something like Sony happens, people want to know what government can do about it. The technology so often outstrips whatever rules and structures and standards have been put in place."
"Everybody’s online and everybody’s vulnerable," Obama stressed.
White House believes that the primary means of online security shouldn’t depend on passwords, and we must have some new technologies that combine greater security and convenience to the online users. In order to ensures a user’s security online, the technology must move beyond usernames and passwords.
EXECUTIVE ORDER
The Obama ‘Executive order’ is meant to establish a framework in efforts to help businesses and government organizations "prioritize and optimize" their spending, and quickly identify and protect themselves against cyberthreats, carried out by both hackers and foreign nations. The framework will also polish communication across companies and organizations to better manage cyber risks.
"There's only one way to defend America from these cyberthreats, and that is with government and [private] industry working together, sharing appropriate information."
The major companies including Apple, Intel, Bank of America and Pacific Gas & Electric (PG&E) have already committed themselves to the government's new cyberthreat framework.
The executive order added the Department of Homeland Security to the list of government organizations that would be able to approve the sharing of classified information and ensure that proper information is shared between the entities.
CYBERSECURITY FRAMEWORK
Since 2013, the Obama’s administration has been actively working on this issue, when the president signed a previous executive order on Critical Infrastructure Cybersecurity. That, in turn, resulted in the development of the "Cybersecurity Framework."
Obama acknowledged the challenge to protect American citizens from cyber threats, but at the same time protect their right to privacy. He mentioned companies such as Symantec, Intel and Bank of America are going to use the government’s improved Cybersecurity Framework to strengthen their own defenses.
Facebook CEO Mark Zuckerberg, Yahoo CEO Marissa Mayer and Google's Larry Page and Eric Schmidt were all invited to the Stanford event, but won't attend, according to the companies. Apple CEO Tim Cook is making an appearance, talking about people's rights to privacy and security.
ONCE AGAIN ONLINE PRIVACY IS IN QUESTION
Of course, the news is not great for everybody because this new executive order will reduce legal liability for companies that share too much information of its users.
Also, no one can guarantee whether the private sector will be willing to offer this information, as many companies are still reeling from Edward Snowden’s revelations about how the government agencies are using users information to spy on their customers in the US and abroad.
A copy of the executive order has yet to be published on the White House website.
CompTIA, a global provider of vendor-neutral IT certifications, offers a wide range of popular certifications such as A+, Network+, Cloud+, Linux+, and Security+ certifications [...]
2015-01-23T07:38:00-11:00Friday, January 23, 2015Mohit Kumar
Ransomware malware threat has forced somebody for the terrible suicide and once again has marked its history by somebody’s blood. Sad, but it’s True!
Joseph Edwards, a 17-year-old schoolboy from Windsor, Berkshire, hanged himself after receiving a bogus email appeared to be from police claiming that he'd been spotted browsing illegal websites and that a fine of 100 pound needed to be paid in order to stop the police from pursuing him.
The scam email pushed the well-known Police Ransomware onto the boy’s laptop and also downloaded malware that locked up his system once it was opened.
Edwards was an A-level student with Autism, a developmental disability, that likely made him more susceptible to believing the Internet scam mail, supposedly sent from from Cheshire police, was genuine, a coroner heard on Thursday.
Edwards was so upset and depressed by the accusation and the extortionate demand that he hanged himself hours after falling victim to the crucial threat. He was found hanged at his family home in Windsor by his mother Jacqueline Edwards, who told the coroner that he probably didn't understand the implications of his actions.
"He didn't seem to have any worries known to me. I don't think he really understood," Jacqueline Edwards told the coroner. "Joseph was subjected to a scam on the internet, a threatening, fake police link that was asking for money," his mother said in a statement. "He would have taken it literally because of his autism and he didn't want to upset Georgia [his sister] or me."
As far as we all know, a Police ransomware of this type does not encrypt files and usually asks a victim to pay a small fine that last around $200 or €200. It’s normally much easier to remove the threat from infected systems by using dedicated tools specially designed to remove such infections.
According to Detective Sergeant Peter Wall, it will be almost impossible to trace the fraudsters behind the 'crude' email, but believe it may have originated outside the UK.
This is not first time when Ransomware has become deadly reason to take someone’s life. Over a year ago, a Romanian family faced same Police Ransomware threat and the Romanian victim hanged himself and his four-year-old son, scarring that his young son would pay for his mistake and his life would be spend in the moment of delusion.
Ransomware is one of the most blatant and obvious criminal's money making schemes out there, from which Cryptolocker threat had touched the peak, and cyber criminals have developed many Cryptolocker versions (prisonlocker, linkup, icepole, cryptobit) by which you have to safeguard your system.
THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]
