Articles about Information Security


Microsoft and pals re-write arms control pact to save infosec industry

Microsoft and a team of concerned engineers from across the security sector have joined forces to suggest a major re-write of the arms control pact the Wassenaar Arrangement, as they fear the document's terms are a threat to the information security industry. The pitch is the result of brainstorming by the group to redefine …
Darren Pauli, 21 Jul 2016

Governments Googling Google about you more than ever says Google

Google has published its latest “Transparency Report”, the disclosure in which it reveals how many times governments asked it to cough data on users. And this time around there's mixed news. In the “yikes!” column is the fact that governments asked Google for data 40,677 times between July 1 and December 31 of 2015, and asked …
Simon Sharwood, 19 Jul 2016

World's worst exploit kit weaponises white hats' proof of concept code

The new wearer of the crown for World's Worst Exploit Kit is compromising users with exploit code for a dangerous new attack published by a white hat researcher. Neutrino is the new king of for-profit p0wnage packages, a market in which criminals create tools to compromise scores of users through the latest vulnerabilities. …
Darren Pauli, 18 Jul 2016

Symantec, Intel carve out diminishing slice of growing security market

Worldwide security software revenues rose 3.7 per cent to reach $22.1bn in 2015, according to analyst Gartner. Security information and event management (SIEM) remained the fastest-growing sub segment of the cybersecurity biz last year, experiencing 15.8 per cent growth. By contrast, consumer security software recorded a 5.9 …
John Leyden, 14 Jul 2016

Infosec bods NCC walk away from the domain services biz

UK-based infosec consultancy NCC Group is withdrawing from the domain services biz while retaining domain security capability. The tactical switch was announced as NCC reported revenues up 56 per cent to £209.1m in the 12 months to 31 May 2016, compared to £133.7m in its previous financial year. NCC’s adjusted pre-tax profits …
John Leyden, 07 Jul 2016

EU uncorks €1.8bn in cybersecurity investment. Thirsty, UK?

The EU Commission has launched a public-private partnership on cybersecurity that is expected to trigger €1.8bn ($2bn) of investment by 2020. The EU is promising to invest €450m ($502m) in a bid to spur innovation in cybersecurity with the remainder coming from the private sector. Some security commentators reckon the Brexit …
John Leyden, 05 Jul 2016

Hopeless Vic agencies have two years to hit infosec best practice

Government agencies in the Australian state of Victoria will have two years to move from near ground zero to stand up fully-fledged and updated information security, risk, and governance policies. The requirements are a big ask for agencies in the southern state, previously described as in information security turmoil after …
Darren Pauli, 30 Jun 2016

Medicos could be world's best security bypassers, study finds

Medicos are so adept at mitigating security controls that their bypassing exploits have become official policy, a university-backed study has revealed. The work finds that nurses, doctors, and other medical workers will so often bypass information security controls in a bid to administer rapid health care that the shortcuts …
Darren Pauli, 27 Jun 2016

Australia's Defence Department tips AU$12M to seat spies with students

The Department of Defence has tipped A$12 million (£6.1 million, US$9.1 million) into an information security facility to attract new blood by housing signals spooks alongside Australian National University academics. The "unusual" pairing is hoped to attract skilled students into the information security field and the country …
Darren Pauli, 24 Jun 2016

Israeli cybersecurity boom 'sustainable', argues industry’s father

Israel cyber week The "father" of Israel's cybersecurity industry reckons the unprecedented growth in its security startup industry can be sustained. Isaac Ben Israel, who heads the Interdisciplinary Cyber Research Center (ICRC) at Tel Aviv University, estimates there are 400 cybersecurity firms in Israel. Together with more established …
John Leyden, 22 Jun 2016

No watershed: China hacker groups in decline before Xi-Obama deal

The US-China pledge to put an end to state-backed intellectual property theft was made when Middle Kingdom hacking groups had been receding for more than a year, researchers say. Presidents Barack Obama and Xi Jinping agreed September to not "conduct or knowingly support cyber-enabled theft of intellectual property" in a move …
Darren Pauli, 21 Jun 2016

Hack the Pentagon shutters 100 bugs

White hats have found more than 100 vulnerabilities in Pentagon infrastructure under its bug bounty program. Some 1,400 hackers participated in the Hack the Pentagon bug bounty program handing out up to $US14,000 for disclosures of the worst vulnerabilities. US Defense Secretary Ashton Carter told the Defense One conference …
Darren Pauli, 14 Jun 2016

Twitter resets passwords

Twitter has reset an unknown number of accounts following the offer of millions of usernames and passwords for its service for sale on the dark web. Although the social media company continues to insist that its systems were not compromised, in a blog post its Trust & Information Security Officer Michael Coates said the …
Kieren McCarthy, 10 Jun 2016

The rise and rise of Australia's community hacking conferences

Special report In Australia and New Zealand, hackers are doing it for themselves by creating vibrant security conferences that run on their own terms and actively avoid the corporate-speak and fear-mongering that characterises so many vendor-led events. These conferences, or "cons", are booming and showcase security skills that rival the …
Darren Pauli, 06 Jun 2016

Will you get reimbursed if you're a bank fraud victim? Brits think not

Bank customers worldwide are often in the dark about whether or not they’ll be reimbursed for fraudulent transactions. Customers’ understanding of bank terms and conditions is often sketchy, according to an international study by academics. The researchers found that there is significant variation worldwide, and even within …
John Leyden, 06 Jun 2016

The least stressful job in the US? Information security analyst, duh

Everyone knows that being an infosec analyst is a cushy job – but did you know quite how much? Because according to job website CareerCast, it is literally the least stressful job in the country. The company measured 11 stress factors, including the amount of travel, deadlines, competitiveness, physical demands, risk to your …
Kieren McCarthy, 02 Jun 2016

Infosec newbie looking for entry level training? So is SWIFT

International payments clearing-house SWIFT wants extra hands to keep its stable doors closed. In a job ad that inexplicably fails to mention the hundreds of millions of dollars missing, in a variety of currencies because of astonishingly-lax security, it seeks an information security trainee. As previously documented, SWIFT' …

Blighty's National Cyber Security Centre cyber-reveals cyber-blueprints

The UK government has released the prospectus for its National Cyber Security Centre (NCSC), ahead of the launch of the facility this Autumn. The blueprint [PDF] outlines that the NCSC will act as a hub for sharing best practices in security between public and private sectors, and will tackle cyber incident response. As …
John Leyden, 26 May 2016

Insure against a cyberwhat now? How the heck do we crunch those numbers?

The head of a UK industry insurance organisation has called for the government to create a database where companies would be obliged to “record details of cyber attacks”. Insurers are struggling to assess premiums for newly introduced cyber insurance policies in the absence of background info, according to the head of the …
John Leyden, 24 May 2016

ENISA / Europol almost argue against crypto backdoors

While the FBI, in the person of James Comey, continues its campaign to persuade the tech sector that mathematics isn't that big a thing and therefore backdoors are feasible, The European Union Agency for Network and Information Security (ENISA) and Europol have tip-toed around the issue, issuing a joint statement that both …

Europe adopts new cybersecurity rules for key players

The European Council has adopted new cybersecurity rules to make networks and information services across the European Union safer and more secure. The network and information security (NIS) directive [PDF] will require providers of essential services – such as energy, transport, health and finance – and "digital service …
Kieren McCarthy, 18 May 2016

Hackers tear shreds off Verizon's data breach report top 10 bug list

Information security boffins have pilloried Verizon's latest data breach report, suggesting its list of top security vulnerabilities do not represent reality. The 2016 Data Breach Investigations report [PDF] is Verizon's ninth in the series drawing on a wider pool of data including some 100,000 security incidents and 2260 data …
Darren Pauli, 12 May 2016

Defence bankrolls Oz Govt's infosec threat sharing strategy

Budget 2016 The Department of Defence will haemorrhage A$122.2 million and the National Innovation and Science Agenda A$38 million to implement the Federal Government's A$230 Cyber Security Strategy, budget papers reveal. The funding Strategy announced last month was welcomed by many in security circles and seated information security …
Darren Pauli, 04 May 2016

Do you know where your trade secrets are?

Information security (infosec) is no longer a nice-to-have. It is a matter of corporate survival. Even the smallest company can be weakened by the simple loss of a customer list, ruined by the fallout from the loss of protected customer information. There's a lot more to infosec than merely hunkering down behind a firewall. As …
Trevor Pott, 03 May 2016

Azure, la nube segura

Azure has won Spain's highest security certification. Microsoft says its cloud passed the requirements required for the Esquema Nacional de Seguridad. Scoring the certification requires applicants to prove security governance, information security, physical security and personnel security. The certification applies to all …
Simon Sharwood, 03 May 2016

Perth SmartRider public transport cards popped by student researchers

WAHckon University students in the Australian city of Perth have landed in hot water, with one charged by Police, after finding and exploiting severe holes to rewind travel charges incurred using the city's SmartRider public transport smart card. The Murdoch University students reported the flaws to SmartRider operator TransPerth and …
Darren Pauli, 02 May 2016

US govt quietly tweaks rules to let cops, Feds hack computers anywhere, anytime

On Thursday, the US Supreme Court approved a change to Rule 41 of the Federal Rules of Criminal Procedure. It sounds innocuous, but the effects will be felt around the world. Under today's rules, US cops and FBI agents need to know where a computer is before they can get a warrant to directly hack the machine – because they …
Iain Thomson, 29 Apr 2016

Mozilla slings Firefox patches at flaw found by GCHQ's infosec arm

In version 46 of its popular Firefox web browser, Mozilla has patched 10 vulnerabilities, some rated either critical or high severity, that permitted remote code execution. One of the patched high-severity flaws was reported by the Communications-Electronics Security Group (CESG), the information security limb of the UK …
Team Register, 28 Apr 2016

Hackers so far ahead of defenders it's not even a game

Cybercriminals are way ahead of the game against defenders without having to try anything new, according to the latest edition of Verizon's benchmark survey of security breaches. The study shows that miscreants have no need to switch up, because the same old tactics are still working fine. Security defenders are still …
John Leyden, 26 Apr 2016

Lock-hackers crack restricted keys used to secure data centres

Bsides Canberra A group of Melbourne lock-pickers have forged a creative method for popping so-called restricted locks by 3D printing keys found on freely available designs on patent sites. The feat demonstrated at the BSides Canberra security conference last week is a combination of opportunistic ingenuity and lock-picking mastery, and will …
Darren Pauli, 21 Apr 2016

Australia admits to running offensive cyber-ops team

The Australian Government has today launched an information security strategy under which AU$230 million will be spent over four years to improve critical infrastructure defences through private and public sector information sharing, innovation security centres, and by bankrolling support for 5000 security tests for businesses …
Darren Pauli, 21 Apr 2016

Defence in depth: Don't let your firm's security become a boondoggle

Information security (infosec) isn’t a game for amateurs. No one solution will do. Proper information security requires defence in depth: layers of technologies, techniques, best practices and incident response woven together into the tapestry of everyday operations. Unfortunately, hiring professionals is no guarantee that …
Trevor Pott, 15 Apr 2016

Cutting edge security: Expensive kit won't save you

We all want to protect our customer and employee data, but as the threat landscape changes and the publicly disclosed data breaches get increasingly larger, our approach may need to change. What constitutes "state of the art" information security in 2016? It’s tempting to create a listicle of 10 shiny new security tools that …
Danny Bradbury, 13 Apr 2016

Plotting 'mass damage' in Australia? SMBs' crappy login hygiene really helps – hacker

Bsides Sydney hacker Edward Farrell says scores of small and medium businesses in Australia and some Fortune 500 companies are open to attack through running ancient Windows operating systems and unauthenticated servers. The director of Mercury Information Security Services ran tests from the position of an attacker who would plan …
Darren Pauli, 12 Apr 2016

Infected with Petya ransomware? This tool will rescue your data

An anonymous security researcher has published code that can unlock the encryption used by the Petya ransomware that surfaced last month. The ransomware – first spotted hitting German computer users – reboots the infected Windows PC, pretends to run a CHKDSK program while encrypting the hard drive's file system tables, …
Iain Thomson, 12 Apr 2016

Cyberthreat: How to respond...and when

Spotting threats in cyberspace is like star gazing. There are lots of them out there, but telling them apart and working out which ones are about to go supernova takes experience and skill. You don’t want to pour the same resource into protecting yourself against every single perceived threat, because no budget can support …
Danny Bradbury, 23 Mar 2016

New UK cyber security centre to work with Bank of England

The UK's new national cyber centre will collaborate with the Bank of England on new cyber security guidance for financial firms when it opens later this year, the government has said. The Cabinet Office announced that the National Cyber Security Centre (NCSC) will be based in London and start operating in October. It said one …
OUT-LAW.COM, 23 Mar 2016

Cyberthreat: Learning to live with the risk

Cyberthreats are like the common cold or some other infectious virus; eventually you’re going to get sick. It’s a part of life. They’re always there, lurking just around the corner, waiting to make your life that little bit harder. At the same time, you can’t focus entirely on potential risks to your business at the expense of …
Danny Bradbury, 18 Mar 2016

The bill for Home Depot after its sales registers were hacked: $19.5m

Home Depot will pay at least $19.5m in compensation to the 50 million customers hit by hackers who infiltrated the chain's sales tills in 2014. The US home improvement warehouse will create a $13m fund to reimburse shoppers and spend a further $6.5m providing a year's worth of identity protection for those impacted. Those are …
Kieren McCarthy, 17 Mar 2016

Infosec bods pop mobile money crypto by 'sniffing' e-mag radiation

Researchers have broken the encryption schemes used in mobile money transfers by “sniffing” electromagnetic radiation from smartphones. The work, by researchers from the Check Point Institute for Information Security at Tel Aviv University and the University of Adelaide, offers further evidence that TEMPEST-style side channel …
John Leyden, 17 Mar 2016

Is this Romanian man really 'GhostShell'? If so, he risks arrest

Members of the security community are nonplussed by claims that a Romanian hacker “GhostShell” has seemingly risked arrest by doxxing himself in a bid to get a job in information security. The man claiming to be a one-time Anonymous-affiliated hacktivist avoided identification and arrest for four years before apparently outing …
John Leyden, 15 Mar 2016

Hackers turn to angr for automated exploit discovery and patching

Nullcon A team of researchers are battling to trouser the US Defense Advanced Research Projects Agency's US$2m prize to build a system that aims to best human offensive and defensive security personnel at exploitation discovery and patching. The Shellphish team, with hackers in the US, France, China, Brazil, and Senegal, is big in the …
Darren Pauli, 13 Mar 2016

Security market to exceed $170 billion by 2020, analysts say

The information security market will hit US$170 billion (£120 billion, AU$227 billion) by 2020, a growth projection of some US$100 billion (£70 billion, A$134 billion) from current figures according to analyst firms. India-based firm MarketsandMarkets says the 2020 total includes security technologies like data leak prevention …
Darren Pauli, 10 Mar 2016

Jeff Bezos to give forth at US space symposium

Jeff Bezos, founder of Amazon and Blue Origin, will speak at the Space Foundation's 32nd Space Symposium in Colorado Springs on 12 April, sandwiched between appearances by the Air Force Space Command's top man General John E. Hyten, and Deputy Secretary of Defense Robert O Work. The four-day shindig, running from 11-14 April, …
Lester Haines, 09 Mar 2016

Sexism isn't getting better in Silicon Valley, it's getting worse

Analysis In the technology field, many people like to think that they are at the forefront of human development, but it is becoming clear that the industry is failing when it comes to dealing with sexism against women. In January, a survey from Stanford University of women who'd spent at least ten years in the tech industry found that …
Iain Thomson, 09 Mar 2016

What are you doing to spot a breach?

Technology moves quickly, not just in legitimate business, but in the cybercriminal world too. Advanced attack tools are now available on the black market, lowering the barrier to entry for the average online lowlife. They are happy to target large and small organizations alike, and they only have to be lucky once. Security …
Robin Birtstone, 08 Mar 2016

Hack the planet, er, Pentagon: US Dept of Defense puts bounties on bugs

The Pentagon will next month launch the US government's first bug bounty program encouraging hackers to break into its websites in what could lead to a broader invitation to hack state assets for cash. Details on the cash rewards offered under the 'Hack the Pentagon' program have not yet been released. It will use "commercial …
Darren Pauli, 03 Mar 2016

Learn things? DROWN HTTPS flaw proves we don't even test things

In the wake of the DROWN vulnerability, organisations like the Australian Signals Directorate that offer security incident mitigation strategies might consider adding another item to their lists: test your configuration to make sure it's what you expected. The DROWN flaw in HTTPS would not be anything to worry about, except …

Poor recruitment processes are causing the great security talent drought

RSA 2016 It's a refrain at this and past RSA conferences, that companies can't hire enough top-notch talent, but it's addressable if companies hire smartly and applicants learn how to play the game. "Far too many hackers have expectations that are unrealistic," said Tim O'Brien, director of threat research at Palerra – who has been on …
Iain Thomson, 29 Feb 2016

Awoogah – brown alert: OpenSSL preps 'high severity' security fixes

Developers behind the widely used OpenSSL encryption library have warned that they will issue fixes for a mix of bugs next Tuesday (1 March). The patches will land right in the middle of the RSA Conference, infosec marketing's version of the Superbowl. It's understood the bugs are significant (as in, patch as soon as you can …
John Leyden, 25 Feb 2016