Tuesday, December 12, 2017

Is the World Ready for the New Generation of Self-Propagating Ransomware?

Self-propagating threats such as WannaCry and Petya were only the tip of the iceberg. The success hackers enjoyed with WannaCry and Petya makes it quite likely others will try to replicate the tactics used by deploying ransomware as a worm. The propagation mechanisms employed by both ransomware families enabled the threats to spread quickly across an entire computer network. In this article, we will look at how they work and what organizations are doing to prepare themselves for the likelihood of this more pronounced threat.

The post Is the World Ready for the New Generation of Self-Propagating Ransomware? appeared first on Security Boulevard.



from Is the World Ready for the New Generation of Self-Propagating Ransomware?

XKCD, Self-Driving Car Milestones

self_driving_car_milestones.png

via the autonomously sarcastic cerebrum of Randall Munroe at XKCD.


The post XKCD, Self-Driving Car Milestones appeared first on Security Boulevard.



from XKCD, Self-Driving Car Milestones

Tutorial Video: Manage Users and Groups with AD Bridge

Are you interested in learning about how JumpCloud’s AD Bridge functionality can make it easy to manage users and groups? If so, then you should check out our tutorial video...

The post Tutorial Video: Manage Users and Groups with AD Bridge appeared first on JumpCloud.

The post Tutorial Video: Manage Users and Groups with AD Bridge appeared first on Security Boulevard.



from Tutorial Video: Manage Users and Groups with AD Bridge

iOS jailbreaking: still in the building?

Further to an earlier article here - iOS Jailbreaking – on the Way Out… - it seems that commentators at that time might have been over-optimistic.

The post iOS jailbreaking: still in the building? appeared first on Security Boulevard.



from iOS jailbreaking: still in the building?

VERT Threat Alert: December 2017 Patch Tuesday Analysis

Today’s VERT Alert addresses the Microsoft December 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-756 on Wednesday, December 13th. In-The-Wild & Disclosed CVEs This month, no Microsoft vulnerabilities have been publicly disclosed or are being actively exploited. There are, however, a couple of vulnerabilities that are […]… Read More

The post VERT Threat Alert: December 2017 Patch Tuesday Analysis appeared first on The State of Security.

The post VERT Threat Alert: December 2017 Patch Tuesday Analysis appeared first on Security Boulevard.



from VERT Threat Alert: December 2017 Patch Tuesday Analysis

Microsoft Fixes 34 Security Flaws in Windows, Office, IE and Edge

Microsoft’s security patches for December fix 34 vulnerabilities across the company’s products, including in Internet Explorer, Edge, Office and Windows. The largest number of vulnerabilities were fixed in the scripting engine used in the company’s Internet Explorer and Edge browsers. Most of them are memory corruption issues that can result in remote code execution and..

The post Microsoft Fixes 34 Security Flaws in Windows, Office, IE and Edge appeared first on Security Boulevard.



from Microsoft Fixes 34 Security Flaws in Windows, Office, IE and Edge

Contending with Cybersecurity in the Age of AI vs. AI

As cyberdefenders in a war where every battle can mean winner takes all, enterprise IT departments must level the AI playing field. Twenty-five years ago, people in the cybersecurity space weren’t really talking much about artificial intelligence (AI). Back then, the InfoSec conversation almost always started with the premise of “when somebody does this,” or..

The post Contending with Cybersecurity in the Age of AI vs. AI appeared first on Security Boulevard.



from Contending with Cybersecurity in the Age of AI vs. AI

Socratic Authorship

My personal work is the Dynamic Views inside the macOS word processor Author, which is essentially a mind map of your document. What we are discussing at The University of Southampton is how to provide useful computer magic when publishing a document, losing as little of the richness of the process of producing the […]

The post Socratic Authorship appeared first on Security Boulevard.



from Socratic Authorship

Getting Control of Your Cloud: 10 Predictions for 2018

Organizations that use public clouds are adopting an increasingly sophisticated approach to security. While they have become comfortable with their sensitive workloads operating in the cloud over the past few years, they also have gained a better understanding of what’s required to apply security best practices across the entirety of their cloud framework. There is... Read more »

The post Getting Control of Your Cloud: 10 Predictions for 2018 appeared first on Cloud Sentry Blog.

The post Getting Control of Your Cloud: 10 Predictions for 2018 appeared first on Security Boulevard.



from Getting Control of Your Cloud: 10 Predictions for 2018

December Patch Tuesday: Quiet End to the Year

This December Patch Tuesday is considerably lighter than last month’s patch releases. While only three of the fixes were for Windows operating systems, the majority of the vulnerabilities to pay attention to are Browser/Scripting Engine-based. Overall, this month’s updates address 32 unique CVEs, 19 of which are critical, and 24 of which […]

The post December Patch Tuesday: Quiet End to the Year appeared first on Security Boulevard.



from December Patch Tuesday: Quiet End to the Year

Remote Hack of a Boeing 757

Last month, the DHS announced that it was able to remotely hack a Boeing 757:

"We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration," said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.

"[Which] means I didn't have anybody touching the airplane, I didn't have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft." Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft's systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, "you can come to grips pretty quickly where we went" on the aircraft.



from Remote Hack of a Boeing 757

10 Cybersecurity Predictions for 2018

It has been a turbulent year of devastating ransomware attacks (e.g. NotPetya) and gut-wrenching breaches (e.g. Equifax). Undoubtedly, the question on everyone’s mind is, “what’s in store for us in the New Year?”...read more

The post 10 Cybersecurity Predictions for 2018 appeared first on Webroot Threat Blog.

The post 10 Cybersecurity Predictions for 2018 appeared first on Security Boulevard.



from 10 Cybersecurity Predictions for 2018

Spies are watching… on LinkedIn

The young professionals portrayed in the LinkedIn listings are hot, enticing, and fictitious.

The post Spies are watching… on LinkedIn appeared first on Security Boulevard.



from Spies are watching… on LinkedIn

Exchange Online – Are You Ready?

Are you looking to implement a new email system or to migrate from an old version of Exchange to the most current? If so, you may want to look at implementing it in Exchange Online. Exchange Online, not to be confused with Office 365 or Microsoft 365, would be the online version of Exchange hosted…

The post Exchange Online – Are You Ready? appeared first on CCSI.

The post Exchange Online – Are You Ready? appeared first on Security Boulevard.



from Exchange Online – Are You Ready?

Supreme Court and Private (Privacy) Property

The U.S. Supreme Court heard oral arguments Nov. 29 in a case that could radically transform not only privacy law and the way we look at the Fourth Amendment, but also could restructure the way cloud providers, IoT companies, data analytics firms and even your doctor, lawyer and accountant keeps their records. The case is..

The post Supreme Court and Private (Privacy) Property appeared first on Security Boulevard.



from Supreme Court and Private (Privacy) Property

Women in Information Security: Jelena Milosevic

Last time, I had a chat with Kristen Kozinski. She’s an expert on web development security, and she also has a pretty cool website for end user security education called Don’t Click on That. This time, I have a very special interview with Jelena Milosevic. She’s a nurse who has made it her mission to […]… Read More

The post Women in Information Security: Jelena Milosevic appeared first on The State of Security.

The post Women in Information Security: Jelena Milosevic appeared first on Security Boulevard.



from Women in Information Security: Jelena Milosevic

HP leaves accidental keylogger in laptop keyboard driver

HP didn't beat around the bush - when a researcher found a left-over keylogger, the company fessed up and fixed it fast. Result!

The post HP leaves accidental keylogger in laptop keyboard driver appeared first on Security Boulevard.



from HP leaves accidental keylogger in laptop keyboard driver

Breaking and Evading the Local Browser Sandbox (1)

Does 'sandboxing' make the local browser more secure? An overview of browser sandbox exploits and evasion techniques affecting regular browsers.

The post Breaking and Evading the Local Browser Sandbox (1) appeared first on Security Boulevard.



from Breaking and Evading the Local Browser Sandbox (1)

Training Methods: Internal vs. External – What’s Best For You?

Business and organization requirements evolve at a rapid pace and technology has been advancing at an even faster pace. However, the fast pace doesn’t stop companies from re-evaluating their training methods and strategies. In actuality, it may even encourage a need for training. According to Benjamin Franklin, “An investment in knowledge pays the best interest.” […]

The post Training Methods: Internal vs. External – What’s Best For You? appeared first on Phoenix TS.

The post Training Methods: Internal vs. External – What’s Best For You? appeared first on Security Boulevard.



from Training Methods: Internal vs. External – What’s Best For You?

Monday, December 11, 2017

The Joy of Tech®, ‘The Killer App’

2471.gif

Via the stupendous badassery of Nitrozac and Snaggy at The Joy of Tech®.


The post The Joy of Tech®, ‘The Killer App’ appeared first on Security Boulevard.



from The Joy of Tech®, ‘The Killer App’

SaaS System Management

The idea that we’ll all use dumb terminals and connect to the cloud has been parroted by a large number of analysts and so-called experts. These theories are largely...

The post SaaS System Management appeared first on JumpCloud.

The post SaaS System Management appeared first on Security Boulevard.



from SaaS System Management

Mailsploit: using emails to attack mail software

Mailsploit bugs allow attackers to bypass anti-spam protections and, in some cases, run hostile code

The post Mailsploit: using emails to attack mail software appeared first on Security Boulevard.



from Mailsploit: using emails to attack mail software

A week in security (December 04 – December 10)

A compilation of notable security news and blog posts from December 04 to December 10, including Botnets, hacked toys, ransom demands and jailbreaks gone horribly wrong.


The post A week in security (December 04 – December 10) appeared first on Malwarebytes Labs.

The post A week in security (December 04 – December 10) appeared first on Security Boulevard.



from A week in security (December 04 – December 10)

Email Security: 2017 in Review

In 2017, Statista estimated that, globally, people sent about 269 billion emails per day. Email’s staying power continues to showcase its ability to adapt to the ever-changing landscape of personal and business communications. However, as with any good thing, there’s always a chance of corruption. While 2017 brought with it data breaches and privacy issues, [...]

The post Email Security: 2017 in Review appeared first on TechSpective.

The post Email Security: 2017 in Review appeared first on Security Boulevard.



from Email Security: 2017 in Review

DerbyCon 2017, Daniel Brown’s ‘Retail Store POS Penetration Testing’


The post DerbyCon 2017, Daniel Brown’s ‘Retail Store POS Penetration Testing’ appeared first on Security Boulevard.



from DerbyCon 2017, Daniel Brown’s ‘Retail Store POS Penetration Testing’

‘Spider’ ransomware – apparently targeting Bosnia & Herzegovina?

Amit Malik for Netskope: Spider: A New Thread in the Ransomware Web Extract: “Netskope Threat Research labs has detected new ransomware named Spider propagating in a mid-scale campaign. This ongoing campaign, identified on the 10th December, uses decoy Office documents which usually arrive as email attachments. These attachments are auto-synced to the enterprise cloud storage and […]

The post ‘Spider’ ransomware – apparently targeting Bosnia & Herzegovina? appeared first on Security Boulevard.



from ‘Spider’ ransomware – apparently targeting Bosnia & Herzegovina?

Cyber News Rundown: 2017 Year in Review

As 2017 comes to a close, we’re looking back at the 10 most significant (or simply the most devastating) cybersecurity stories of the year. Read through the list below to see which attacks,...read more

The post Cyber News Rundown: 2017 Year in Review appeared first on Webroot Threat Blog.

The post Cyber News Rundown: 2017 Year in Review appeared first on Security Boulevard.



from Cyber News Rundown: 2017 Year in Review

Banking Trojans on Google Play

Lukas Stefanko, for ESET, tells us how Banking malware on Google Play targets Polish banks 

The post Banking Trojans on Google Play appeared first on Security Boulevard.



from Banking Trojans on Google Play

Startup Marketing

You are an enterprise software startup. You are in the security space. Your company is still early, trying to sign its first 10, maybe 40 customers. What should you be doing for marketing? What works? What doesn’t? What approaches yield the biggest return for your investment? These are some questions that I have been pondering […]

The post Startup Marketing appeared first on Security Boulevard.



from Startup Marketing

Surveillance inside the Body

The FDA has approved a pill with an embedded sensor that can report when it is swallowed. The pill transmits information to a wearable patch, which in turn transmits information to a smartphone.



from Surveillance inside the Body

SSD Advisory - Linux Kernel XFRM Privilege Escalation Vulnerability

Vulnerability Summary

The following advisory describes a use-after-free (UAF) vulnerability found in the Linux kernel; an attacker who successfully exploits it can elevate privileges. The vulnerability lies in the Netlink socket subsystem, XFRM. Netlink is used to transfer information between the kernel and user-space processes. It consists of a standard socket-based interface for user-space processes and an internal kernel API for kernel modules.

Credit

An independent security researcher, Mohamed Ghannam, reported this vulnerability to Beyond Security's SSD.

Vendor Response

The vulnerability has been fixed in patch 1137b5e ("ipsec: Fix aborted xfrm policy dump crash").

CVE: CVE-2017-16939

Vulnerability Details

An unprivileged user can change the value of sk->sk_rcvbuf (where sk is a struct sock object) in the Netlink socket subsystem XFRM. The value of sk->sk_rcvbuf can be set within a specific range via setsockopt(SO_RCVBUF). When data is received through recvmsg/recv/read, sk_rcvbuf denotes the size of the receive buffer. The sk_rcvbuf value is the size the kernel allocates for the skb (a struct sk_buff object). skb->truesize is a variable that keeps track of the memory in use; to avoid wasting memory and to simplify management, the kernel can change the size of the skb at runtime. For example, if we allocate a large socket buffer (skb) but receive only a 1-byte packet, the kernel adjusts skb->truesize by calling skb_set_owner_r. Calling skb_set_owner_r modifies sk->sk_rmem_alloc (which refers to the atomic variable sk->sk_backlog.rmem_alloc).

When an XFRM netlink socket is created, the xfrm_dump_policy function is called, and when we close the socket, xfrm_dump_policy_done is called. xfrm_dump_policy_done is called when the cb_running value of the netlink_sock object is true. xfrm_dump_policy_done attempts to clean up the xfrm walk entry managed by the netlink_callback object. When netlink_skb_set_owner_r (like skb_set_owner_r) is called, it updates sk_rmem_alloc.

netlink_dump():

In the code above we can see that when sk->sk_rcvbuf is smaller than sk_rmem_alloc (note that we can control sk->sk_rcvbuf through setsockopt), the check in netlink_dump() fails. When sk->sk_rcvbuf is smaller than sk_rmem_alloc, execution jumps to the end of the function and netlink_dump() returns without cb_running having been set back to false. At that point nlk->cb_running is true, so xfrm_dump_policy_done() will be called. nlk->cb.done points to xfrm_dump_policy_done; notably, this function operates on a doubly linked list, so if the vulnerability is used to make it reference a controlled buffer, arbitrary memory read/write can be achieved.

Proof of Concept

The following code was tested on Ubuntu 17.04.

The post SSD Advisory - Linux Kernel XFRM Privilege Escalation Vulnerability appeared first on Security Boulevard.



from SSD Advisory - Linux Kernel XFRM Privilege Escalation Vulnerability

Smart Cities: Can My City be Hacked?

Our connected devices make life easier on us as individuals, and the conveniences afforded to us by connecting technology to […]

The post Smart Cities: Can My City be Hacked? appeared first on Checkmarx.

The post Smart Cities: Can My City be Hacked? appeared first on Security Boulevard.



from Smart Cities: Can My City be Hacked?

The Top 5 IT Security Trends for 2018

In 2017, the IT community was primarily focused on mitigating external threats, such as cloud hacks and state-sponsored cyberattacks. However, many of this year’s data breaches (notably Equifax and Anthem) were actually the result of insider misuse or human mistakes. These breaches clearly demonstrate that building even the most robust external defense is not sufficient, since employees..

The post The Top 5 IT Security Trends for 2018 appeared first on Security Boulevard.



from The Top 5 IT Security Trends for 2018

Ep. 100 – Sky Robots vs War Apes with Lucky Yates

Good actors make us believe their characters. How hard is this if the actor is part of an animated series? Join us in the hilarious and informative podcast with Lucky Yates. Dec 11, 2017. Got a great […]

The post Ep. 100 – Sky Robots vs War Apes with Lucky Yates appeared first on Security Through Education.

The post Ep. 100 – Sky Robots vs War Apes with Lucky Yates appeared first on Security Boulevard.



from Ep. 100 – Sky Robots vs War Apes with Lucky Yates

The Living Dead: Securing Legacy Industrial Systems

I’ve spent a lot of time in the depths of aging industrial power plants and the control houses of transmission substations. I’ve walked the aisles of countless steel cabinets taking inventory of the gear used to protect and control what’s been described as the most complex system on earth. Within these cabinets can be found […]… Read More

The post The Living Dead: Securing Legacy Industrial Systems appeared first on The State of Security.

The post The Living Dead: Securing Legacy Industrial Systems appeared first on Security Boulevard.



from The Living Dead: Securing Legacy Industrial Systems

10 of the Most Significant Ransomware Attacks of 2017

Ransomware had a good year in 2017. For the first time ever, we saw several “cryptoworm” variants self-propagate across vulnerable workstations around the world. We also witnessed more traditional ransomware families cause remarkable damage to victimized organizations as well as strains that embraced novel tools and techniques. Here are 10 of the most significant ransomware […]… Read More

The post 10 of the Most Significant Ransomware Attacks of 2017 appeared first on The State of Security.

The post 10 of the Most Significant Ransomware Attacks of 2017 appeared first on Security Boulevard.



from 10 of the Most Significant Ransomware Attacks of 2017

What’s the dominant professional network in your country?

Sunday, December 10, 2017

DerbyCon 2017, Dave Mattingly’s ‘Improv Comedy as a Social Engineering Tool’


The post DerbyCon 2017, Dave Mattingly’s ‘Improv Comedy as a Social Engineering Tool’ appeared first on Security Boulevard.



from DerbyCon 2017, Dave Mattingly’s ‘Improv Comedy as a Social Engineering Tool’

MY TAKE: What the Uber hack tells us about fresh attack vectors created by the rise of DevOps

Dissecting the root cause of Uber’s catastrophic data breach is a worthwhile exercise. Diving one level deeper into the scenario that led up to the popular ride-hailing service losing personal data for 50 million passengers and seven million drivers shows us why this particular type of hack is likely to recur many more times in […]

The post MY TAKE: What the Uber hack tells us about fresh attack vectors created by the rise of DevOps appeared first on Security Boulevard.



from MY TAKE: What the Uber hack tells us about fresh attack vectors created by the rise of DevOps

G Suite Directory – Identity and Access Management (IAM)?

As more and more organizations leverage Google services like G Suite and Google Cloud Platform, a common question that arises is whether or not G Suite Directory is an identity...

The post G Suite Directory – Identity and Access Management (IAM)? appeared first on JumpCloud.

The post G Suite Directory – Identity and Access Management (IAM)? appeared first on Security Boulevard.



from G Suite Directory – Identity and Access Management (IAM)?

A Workaround For When Anti-DDoS Also Means Anti-Data

More sites are turning to services like Cloudflare due to just how stupid-easy it is to DDoS a site. Sometimes the DDoS is intentional (malicious). Sometimes it’s because your bot didn’t play nice (stop that, btw). Sadly, at some point, most of us with “vital” sites are going to have to pay protection money to... Continue reading

The post A Workaround For When Anti-DDoS Also Means Anti-Data appeared first on Security Boulevard.



from A Workaround For When Anti-DDoS Also Means Anti-Data

Theories of Everything, Mapped

theories of everything mapped.png

via Quanta Magazine, comes this superb mapping effort, displaying the Theories of Everything. Enjoy!


The post Theories of Everything, Mapped appeared first on Security Boulevard.



from Theories of Everything, Mapped

Saturday, December 9, 2017

GDPR: Right to Erasure and Data Portability

Organizations that collect and process personal data from EU citizens are faced with an advancing deadline to get their procedures in line with the General Data Protection Regulation (GDPR). The...

The post GDPR: Right to Erasure and Data Portability appeared first on JumpCloud.

The post GDPR: Right to Erasure and Data Portability appeared first on Security Boulevard.



from GDPR: Right to Erasure and Data Portability

Kasparov talks with Sophia the robot

When a question confuses her, she squints slightly, a dimple creasing between her eyebrows. Mostly, though, she smiles politely and blinks. Today she wears a black short-sleeve shirt, revealing—just above the top button—a camera lens with a red glow. This is Sophia.

The post Kasparov talks with Sophia the robot appeared first on Security Boulevard.



from Kasparov talks with Sophia the robot

Peggy Mcintosh Dissertation About White Freedom Unpacking Your Hidden Knapsack

Do My Customized Paper College assessment papers are all important to compose and perfectly. Especially for term papers you don’t possess choice but choose them up receive done with it only when satisfied light and portable final product. For undertaking any of your project or task, it is acute to make a scheme of your [...]

The post Peggy Mcintosh Dissertation About White Freedom Unpacking Your Hidden Knapsack appeared first on Security Boulevard.



from Peggy Mcintosh Dissertation About White Freedom Unpacking Your Hidden Knapsack

Cloud Security This Week – December 8, 2017

New from Evident.io: More Insight, Better Control: Evident.io Announces Support for Amazon GuardDuty. In an effort to improve insight and control over AWS environments, Evident.io announced support for Amazon GuardDuty, which will provide more color and context to risks identified by Evident Security Platform (ESP). ESP @ Work: Continuous Security for Continuous Development “ESP... Read more »

The post Cloud Security This Week – December 8, 2017 appeared first on Cloud Sentry Blog.

The post Cloud Security This Week – December 8, 2017 appeared first on Security Boulevard.



from Cloud Security This Week – December 8, 2017

‘Tis the Season for Security Best Practices for Online Retailers: 4 Tips to Keep Your Cloud Safe

Holiday shopping is in full swing, as evidenced by the two giddy customers sitting next to me at Starbucks the other day. One got a camping tent for 30% off, and the other took advantage of free shipping on a massive bucket of cheese popcorn. While I secretly shared their exuberance, especially for the massive... Read more »

The post ‘Tis the Season for Security Best Practices for Online Retailers: 4 Tips to Keep Your Cloud Safe appeared first on Cloud Sentry Blog.

The post ‘Tis the Season for Security Best Practices for Online Retailers: 4 Tips to Keep Your Cloud Safe appeared first on Security Boulevard.



from ‘Tis the Season for Security Best Practices for Online Retailers: 4 Tips to Keep Your Cloud Safe

XKCD, Interferometry

interferometry.png

Via the measurable comedic talent of Randall Munroe at XKCD.


The post XKCD, Interferometry appeared first on Security Boulevard.



from XKCD, Interferometry

Cloud LDAP Solution

The Lightweight Directory Access Protocol (LDAP) is the core authentication protocol leveraged for authenticating virtual user identities in IT organizations. It is the backbone of on-prem identity management solutions like...

The post Cloud LDAP Solution appeared first on JumpCloud.

The post Cloud LDAP Solution appeared first on Security Boulevard.



from Cloud LDAP Solution

Google Chrome Update Focuses on Enterprise Security

Google released Chrome 63 this week and the new version adds several security features aimed at the enterprise, including per-site isolation and permission-based extension blacklisting. Chrome’s process sandboxing mechanism, which was architected into the browser from the beginning, already provides strong security. It isolates the HTML and JavaScript rendering engines into restricted environments where they..

The post Google Chrome Update Focuses on Enterprise Security appeared first on Security Boulevard.



from Google Chrome Update Focuses on Enterprise Security

Mailsploit, Perfect Spoofs and Bypassing DMARC

By now, Mailsploit (www.mailsploit.com) has ruffled the feathers of most in the email security community, and may have even made its way to the ears of many IT admins. While the vulnerability mainly affects email clients, these exploits can effectively bypass DMARC, serving as a thumb-in-the-eye for most email security leaders who have been working… Read more

The post Mailsploit, Perfect Spoofs and Bypassing DMARC appeared first on Vircom | Email Security Experts.

The post Mailsploit, Perfect Spoofs and Bypassing DMARC appeared first on Security Boulevard.



from Mailsploit, Perfect Spoofs and Bypassing DMARC

Eoin Woods’ ‘Secure by Design – The Architect’s Guide to Security Design Principles’


The post Eoin Woods’ ‘Secure by Design – The Architect’s Guide to Security Design Principles’ appeared first on Security Boulevard.



from Eoin Woods’ ‘Secure by Design – The Architect’s Guide to Security Design Principles’

Napoleon: a new version of Blind ransomware

The ransomware previously known as Blind has been spotted recently with a .napoleon extension and a bug fix that means files can no longer be decrypted by victims. In this post, we'll analyze the sample for its structure, behavior, and distribution method.


The post Napoleon: a new version of Blind ransomware appeared first on Malwarebytes Labs.

The post Napoleon: a new version of Blind ransomware appeared first on Security Boulevard.



from Napoleon: a new version of Blind ransomware

Delivering Security Insights with Data Analytics and Visualization

In early December, I gave the keynote at the ACSAC 2017 conference in Orlando, Florida.

In the presentation I look at a number of topics around using big data for security. I start by showing what big data looks like for security, how the history of using security for big data is tightly linked to the progress in big data itself. I talk about machine learning and artificial intelligence and show some of the limits and dangers of how we currently apply machine learning in security and how we can apply data visualization to help analysts better understand data. I then go on to peek a little bit into my magic 8 ball to see how security big data environments might look in the future and finish the presentation with posing a few challenges to the community about security for big data problems.

The post Delivering Security Insights with Data Analytics and Visualization appeared first on Security Boulevard.



from Delivering Security Insights with Data Analytics and Visualization

Friday, December 8, 2017

Overcoming the Language Barrier Key to DevSecOps Success

As DevOps moves to DevSecOps, there is a significant “people” component involved in the shift. Development and security teams both need to overcome their “language barriers” and understand each other’s processes and priorities. The effort is worth it because we know that (1) the consequences of neglecting software security are getting more damaging and (2) embedding security early and often into dev processes gets results. In fact, our 2017 analysis of the applications we scanned this year revealed that DevOps organizations that tested frequently with sandbox scanning (developer-initiated scans early in the dev process) had a 48 percent better fix rate than those doing policy-only scanning (security-initiated scans late in the dev process). In addition, in a May 2017 report, Best Practices: Strategies for Making the Crucial Shift to DevSecOps, Forrester Research notes that “Recent research on high-performing DevOps teams shows they're spending 50% less time in remediating security issues because security teams are continually working within their DevOps teams to build security into their daily work.”

But getting these two teams to understand each other’s “language” is no easy feat. In the same report, Forrester Research explains, “Security has its own array of terminology and acronyms that are foreign to developers, I&O pros, and line-of-business managers. And each of those disciplines speaks its own language that's equally foreign to the security team. As a result, when these teams try to communicate, it's often unproductive, frustrating, and contentious. This language issue sustains isolation with little hope for resolution.” Here are a few tips to start breaking down these barriers and speaking the same language:

Dev: Understand security

As our Director of Developer Engagement, Pete Chestna, recently noted, “Finding a developer trained in cybersecurity is like finding a needle in a haystack.” Overcome this impossible task by creating “security champions” on the dev team. Development managers should identify members of their team who are not necessarily trained in security, but show an interest in the subject. Again, Pete Chestna recommends identifying these champions with questions like, “Do they like to hack or reverse engineer devices, code, and systems? Have they ever participated in a bug bounty program or found a vulnerability? Do they follow security news and thought leaders? Do they participate in hacker culture, watching shows like ‘Mr. Robot’ and attending hackathons?”

Then what do you do with these people? Make them security champions who reduce culture conflict between development and security, help other developers by performing code reviews, and act as the security conscience of the team. They hold feet to the fire to make security a priority during planning and pre-production.

Watch this video to learn more about security champions.

Security: Understand dev

In a DevSecOps environment, developers own the testing of applications in their development environment, fixing flaws to pass policy and continuing to build code. Security, on the other hand, owns setting policies, tracking KPIs and providing security coaching to developers. In addition, security is responsible for providing developers with support in integrating scalable AppSec tools into their SDLC.

In turn, the security function cannot be effective in a DevSecOps world without a thorough grasp of how developers work, the tools they use, the challenges they face and how security fits into this picture.

Bump up your development knowledge by:

Understanding the developer role: Try taking a developer or two to lunch, and have them explain their processes and challenges.

Learning to code: There are numerous free or almost-free software development classes available, such as Coursera and edX.

Experiencing a “day in the life of a developer”: Shadow a developer for a day or part of one to understand their challenges and processes.

Learning about the tools of the trade and how they work – Git, Ansible, etc.: Focus on gaining a high-level understanding of the tools and what they do, rather than details about specific tools, i.e., focus on the “why” not the “what.”

Visiting online developer communities such as StackOverflow or joining development Slack channels: Find out what developers are thinking and talking about. Take it one step further by looking for security-related topics and questions, and contribute to the conversation where you can.

Get more tips and advice on security’s changing role in our new guide, The Security Professional’s Role in a DevSecOps World.

The human side of DevSecOps

In the end, this move to DevSecOps is just as much about people as it is about technology. Learn more about all the factors involved in this changing landscape in Forrester’s Best Practices: Strategies For Making The Crucial Shift To DevSecOps.

The post Overcoming the Language Barrier Key to DevSecOps Success appeared first on Security Boulevard.



from Overcoming the Language Barrier Key to DevSecOps Success

Interesting disguise employed by new Mac malware HiddenLotus

A new piece of Mac malware called HiddenLotus is using a clever new trick to fool users into opening it.


The post Interesting disguise employed by new Mac malware HiddenLotus appeared first on Malwarebytes Labs.

The post Interesting disguise employed by new Mac malware HiddenLotus appeared first on Security Boulevard.



from Interesting disguise employed by new Mac malware HiddenLotus

Phishing embraces HTTPS, hoping you’ll “check for the padlock”

HTTPS is one of security’s great love affairs, but it's not all roses.

The post Phishing embraces HTTPS, hoping you’ll “check for the padlock” appeared first on Security Boulevard.



from Phishing embraces HTTPS, hoping you’ll “check for the padlock”

This Week in Security: a New ‘Type’ of Breach Leaks, and a Galaxy Falls

This week in Security: The Andromeda botnet is taken down via a joint effort from international law enforcement agencies; 31 million people have their personal data exposed by a virtual keyboard vendor; and a new bill introduced by the Senate could impose actual jail time on executives for failing to disclose data breaches.

The post This Week in Security: a New ‘Type’ of Breach Leaks, and a Galaxy Falls appeared first on Security Boulevard.



from This Week in Security: a New ‘Type’ of Breach Leaks, and a Galaxy Falls

German Intelligence Agency: Silicon Valley Potentates Are Anti-Democratic

News via Reuters Staff details a complaint from the German domestic intelligence agency (the interestingly monikered Federal Office for the Protection of the Constitution - Bundesamt für Verfassungsschutz) that Silicon Valley interweb-kingpins (think Facebook, Twitter, et cetera) are anti-democratic...

You be the judge.

The post German Intelligence Agency: Silicon Valley Potentates Are Anti-Democratic appeared first on Security Boulevard.



from German Intelligence Agency: Silicon Valley Potentates Are Anti-Democratic

GDPR & JumpCloud: Mandatory Privacy Impact Assessments

Over the last 20 years, technology has changed dramatically. First and foremost, the internet and how people use the internet has completely transformed. More personal data is being used in...

The post GDPR & JumpCloud: Mandatory Privacy Impact Assessments appeared first on JumpCloud.

The post GDPR & JumpCloud: Mandatory Privacy Impact Assessments appeared first on Security Boulevard.



from GDPR & JumpCloud: Mandatory Privacy Impact Assessments

Is CASP Worth It? Examining the Value of Getting Certified

Today, the world is a global village and digital literacy has made a great contribution to establishing connectivity among organizations from different countries. However, this connectivity must be protected and secured from cybersecurity threats. Internal security of enterprises is also essential. The CompTIA Advanced Security Practitioner (CASP) certification is specifically designed to protect organizations from internal […]

The post Is CASP Worth It? Examining the Value of Getting Certified appeared first on Phoenix TS.

The post Is CASP Worth It? Examining the Value of Getting Certified appeared first on Security Boulevard.



from Is CASP Worth It? Examining the Value of Getting Certified

Predictions for 2018: zero-day exploits leaked from security agencies, next-level ransomware

As 2017 draws to an end, the Bitdefender threat analysis unit is already looking into the upcoming malware developments that will likely emerge in the year to come. Bitdefender experts predict an increase of zero-day exploits leaked from security agencies the world over, and massive changes to the way ransomware operates.

The post Predictions for 2018: zero-day exploits leaked from security agencies, next-level ransomware appeared first on Security Boulevard.



from Predictions for 2018: zero-day exploits leaked from security agencies, next-level ransomware

Friday Squid Blogging: Squid Embryos Coming to Life

Beautiful video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....

The post Friday Squid Blogging: Squid Embryos Coming to Life appeared first on Security Boulevard.



from Friday Squid Blogging: Squid Embryos Coming to Life

Fake BSOD, Fake Tech Support

Tara Seals for Infosecurity Magazine: Tech Support Scam Malware Fakes the Blue Screen of Death “The infamous Blue Screen of Death (BSOD) is one of the most-dreaded sights for Windows users. Adding insult to injury, a new malware is making the rounds that fakes a BSOD, and then tries to swindle victims into paying for tech […]

The post Fake BSOD, Fake Tech Support appeared first on Security Boulevard.



from Fake BSOD, Fake Tech Support


Security Vulnerabilities in Certificate Pinning

New research found that many banks offer certificate pinning as a security feature, but fail to authenticate the hostname. This leaves the systems open to man-in-the-middle attacks.

From the paper:

Abstract: Certificate verification is a crucial stage in the establishment of a TLS connection. A common security flaw in TLS implementations is the lack of certificate hostname verification but, in general, this is easy to detect. In security-sensitive applications, the usage of certificate pinning is on the rise. This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks. Dynamic (black-box) detection of this vulnerability would typically require the tester to own a high security certificate from the same issuer (and often same intermediate CA) as the one used by the app. We present Spinner, a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether the hostname check is correctly done, even in the presence of certificate pinning. We use Spinner to analyse 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps was also vulnerable. These apps have a joint user base of tens of millions of users.

News article.
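The flaw the abstract describes, shown as an added example (not code from the paper or the Spinner tool): a pin-only check accepts any certificate issued by the pinned intermediate, whatever name it carries, while the hardened check also matches the hostname against the certificate's dNSName entries. The `Cert` record, keys and hostnames are constructed stand-ins for a parsed X.509 certificate.

```python
"""Certificate pinning does not substitute for hostname verification.

Constructed model of the post-handshake certificate check an app makes.
Real X.509 parsing is replaced by a small Cert record; the keys and
hostnames are made-up stand-ins, not values from the paper.
"""
import base64
import hashlib
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for a parsed leaf certificate."""
    subject_alt_names: tuple   # dNSName entries of the leaf
    issuer_spki: bytes         # issuing CA's SubjectPublicKeyInfo (constructed)


def spki_pin(spki: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def hostname_matches(host: str, presented: str) -> bool:
    """RFC 6125-style dNSName match with the stricter browser rules:
    a wildcard is only allowed as the whole left-most label, it matches
    exactly one label, and it needs at least two labels to its right."""
    host = host.rstrip(".").lower()
    presented = presented.rstrip(".").lower()
    if "*" not in presented:
        return host == presented
    labels = presented.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in x for x in labels[1:]):
        return False
    host_labels = host.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_in_cert(host: str, cert: Cert) -> bool:
    return any(hostname_matches(host, name) for name in cert.subject_alt_names)


def verify_pin_only(cert: Cert, expected_pin: str) -> bool:
    """The flawed check: the pin is compared against the issuing CA's key,
    so every certificate that CA issued passes, regardless of its name."""
    return spki_pin(cert.issuer_spki) == expected_pin


def verify_pin_and_hostname(cert: Cert, expected_pin: str, host: str) -> bool:
    """Hardened check: the pin AND the hostname must both match."""
    return verify_pin_only(cert, expected_pin) and hostname_in_cert(host, cert)


# Constructed scenario: both certificates chain to the same intermediate CA.
INTERMEDIATE_SPKI = b"constructed intermediate CA public key"
BANK_PIN = spki_pin(INTERMEDIATE_SPKI)

BANK_CERT = Cert(("www.bank.example", "*.bank.example"), INTERMEDIATE_SPKI)
# A certificate legitimately issued by the same CA for an unrelated name;
# the pin-only check cannot tell it apart from the bank's own certificate.
OTHER_CERT = Cert(("unrelated.example",), INTERMEDIATE_SPKI)


def run_scenario(host: str = "www.bank.example") -> dict:
    """Verdict of each check against each certificate for the given host."""
    return {
        "pin_only": {
            "bank": verify_pin_only(BANK_CERT, BANK_PIN),
            "other": verify_pin_only(OTHER_CERT, BANK_PIN),
        },
        "pin_and_hostname": {
            "bank": verify_pin_and_hostname(BANK_CERT, BANK_PIN, host),
            "other": verify_pin_and_hostname(OTHER_CERT, BANK_PIN, host),
        },
    }


def client_context() -> ssl.SSLContext:
    """For a real TLS client the fix is to leave hostname checking on: the
    default context already has check_hostname=True and CERT_REQUIRED.
    Pinning is layered on top of that, never used instead of it."""
    ctx = ssl.create_default_context()
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    print(run_scenario())
```

The pin-only verdicts come out identical for both certificates, which is exactly why a black-box tester needs a certificate from the same issuer to expose the bug, as the abstract notes.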



from Security Vulnerabilities in Certificate Pinning

Thursday, December 7, 2017

Drew Sheneman’s ‘Pay Up Serfs’

The post Drew Sheneman’s ‘Pay Up Serfs’ appeared first on Security Boulevard.



from Drew Sheneman’s ‘Pay Up Serfs’

Prison Data Breach

Did you ever think that a hacker could spring a prisoner out of jail? A hack like this is no longer an imaginary plot for serial movies like “Mr. Robot” or a potential for “Prison Break”. It fell outside of the fictional world turning into a real-life event. According to the recent news, a Michigan […]

The post Prison Data Breach appeared first on ERPScan.

The post Prison Data Breach appeared first on Security Boulevard.



from Prison Data Breach

Healthcare & Web Application Security: A Prescriptive Look at Application-Layer Security Risks

The healthcare sector consists of a wide number of segments: payers, such as insurance companies; providers such as hospitals and doctors; and manufacturers, both pharmaceutical as well as medical device and equipment. Because the industry deals with quality of life issues across the spectrum, access to real-time data, especially sensitive data such as patient records, […]

The post Healthcare & Web Application Security: A Prescriptive Look at Application-Layer Security Risks appeared first on Radware Blog.

The post Healthcare & Web Application Security: A Prescriptive Look at Application-Layer Security Risks appeared first on Security Boulevard.



from Healthcare & Web Application Security: A Prescriptive Look at Application-Layer Security Risks

Predicting Micropolitics, Information Security Implications

Certainly not particularly prescient in the determination of specific attributes of targeted population with the use of real-world data points, yet, still oddly compelling.

The post Predicting Micropolitics, Information Security Implications appeared first on Security Boulevard.



from Predicting Micropolitics, Information Security Implications

How we can stop the New Mafia’s digital footprint from spreading in 2018

Cybercriminals are the New Mafia of today’s world. This new generation of hackers is like traditional Mafia organizations, not just in their professional coordination, but in their ability to intimidate and paralyze victims.


The post How we can stop the New Mafia’s digital footprint from spreading in 2018 appeared first on Malwarebytes Labs.

The post How we can stop the New Mafia’s digital footprint from spreading in 2018 appeared first on Security Boulevard.



from How we can stop the New Mafia’s digital footprint from spreading in 2018

GDPR: Data Protection Officer

The General Data Protection Regulation (GDPR) is harmonizing data protection law across the European Union (EU). When it takes effect on May 25, 2018, EU citizens will gain more control,...

The post GDPR: Data Protection Officer appeared first on JumpCloud.

The post GDPR: Data Protection Officer appeared first on Security Boulevard.



from GDPR: Data Protection Officer

US gov says it can break your encryption without a court order

The encryption battle between the FBI and Apple is all octopus ink, if you go by what the government says.

The post US gov says it can break your encryption without a court order appeared first on Security Boulevard.



from US gov says it can break your encryption without a court order

Active Directory User Login History – Audit all Successful and Failed Logon Attempts

The ability to collect, manage and analyze logs of login events has always been a good source of troubleshooting and diagnostic information. Logons are the one common activity across nearly all attack patterns. They provide one of the clearest indicators of compromise to help protect company data and thwart attacks. The need to provide a … Continued

The post Active Directory User Login History – Audit all Successful and Failed Logon Attempts appeared first on Enterprise Network Security Blog from ISDecisions.

The post Active Directory User Login History – Audit all Successful and Failed Logon Attempts appeared first on Security Boulevard.



from Active Directory User Login History – Audit all Successful and Failed Logon Attempts

Good News from Singapore

The IETF had its 100th meeting the week of November 13. It was held in Singapore. I want to report on two pieces of good news....

The post Good News from Singapore appeared first on Security Boulevard.



from Good News from Singapore

OWASP – The Superhero of AppSec

The security industry needs unbiased sources of information who share best practices with an active membership body who advocates for open standards. In the AppSec world, one of the best is the Open Web Application Security Project (or OWASP). Standards and best practices have to evolve over time. Earlier this year, the OWASP community issued […]

The post OWASP – The Superhero of AppSec appeared first on WhiteHat Security.

The post OWASP – The Superhero of AppSec appeared first on Security Boulevard.



from OWASP – The Superhero of AppSec

Four Common Myths about VPNs

A Virtual Private Network (VPN) is a useful tool that encrypts data before it passes across the public Internet and then decrypts it when it reaches its destination. Rather like shutters on the windows of a house, it shields what goes on inside even though the outside can be seen by everyone in the street. The process, often referred to as tunneling, is particularly useful for businesses whose workers have to use the Internet in public places like coffee shops or airports. It is also helpful for those who want to keep confidential customer information or intellectual property safe from the prying eyes of hackers and spies. In 2017, the U.S. Trump administration overturned regulations preventing ISPs from making money from users’ browser data. At the same time in the UK, the Investigatory Powers Act served to increase government surveillance of Internet activity in response to a heightened threat of terrorism. Both led to a surge in interest in VPNs. A VPN is an established technology that has traditionally been seen as the province of technical specialists. Perhaps because of this, and in spite of VPN services becoming easier to deploy, a number of enduring myths persist.

The post Four Common Myths about VPNs appeared first on Security Boulevard.



from Four Common Myths about VPNs

Wednesday, December 6, 2017

Libertarians are against net neutrality

This post claims to be by a libertarian in support of net neutrality. As a libertarian, I need to debunk this. "Net neutrality" is a case of one-hand clapping, you rarely hear the competing side, and thus, that side may sound attractive. This post is about the other side, from a libertarian point of view.

That post just repeats the common, and wrong, left-wing talking points. I mean, there might be a libertarian case for some broadband regulation, but this isn't it.

This thing they call "net neutrality" is just left-wing politics masquerading as some sort of principle. It's no different than how people claim to be "pro-choice", yet demand forced vaccinations. Or, it's no different than how people claim to believe in "traditional marriage" even while they are on their third "traditional marriage".

Properly defined, "net neutrality" means no discrimination of network traffic. But nobody wants that. A classic example is how most internet connections have faster download speeds than uploads. This discriminates against upload traffic, harming innovation in upload-centric applications like DropBox's cloud backup or BitTorrent's peer-to-peer file transfer. Yet activists never mention this, or other types of network traffic discrimination, because they no more care about "net neutrality" than Trump or Gingrich care about "traditional marriage".

Instead, when people say "net neutrality", they mean "government regulation". It's the same old debate between who is the best steward of consumer interest: the free-market or government.

Specifically, in the current debate, they are referring to the Obama-era FCC "Open Internet" order and reclassification of broadband under "Title II" so they can regulate it. Trump's FCC is putting broadband back to "Title I", which means the FCC can't regulate most of its "Open Internet" order.

Don't be tricked into thinking the "Open Internet" order is anything but intensely political. The premise behind the order is the Democrats' firm belief that it's government who created the Internet, and all innovation, advances, and investment ultimately come from the government. It sees ISPs as inherently deceitful entities who will only serve their own interests, at the expense of consumers, unless the FCC protects consumers.

It says so right in the order itself. It starts with the premise that broadband ISPs are evil, using illegitimate "tactics" to hurt consumers, and continues with similar language throughout the order.

A good contrast to this can be seen in Tim Wu's non-political original paper in 2003 that coined the term "net neutrality". Whereas the FCC sees broadband ISPs as enemies of consumers, Wu saw them as allies. His concern was not that ISPs would do evil things, but that they would do stupid things, such as favoring short-term interests over long-term innovation (such as having faster downloads than uploads).

The political depravity of the FCC's order can be seen in this comment from one of the commissioners who voted for those rules:

FCC Commissioner Jessica Rosenworcel wants to increase the minimum broadband standards far past the new 25Mbps download threshold, up to 100Mbps. "We invented the internet. We can do audacious things if we set big goals, and I think our new threshold, frankly, should be 100Mbps. I think anything short of that shortchanges our children, our future, and our new digital economy," Commissioner Rosenworcel said.

This is indistinguishable from communist rhetoric that credits the Party for everything, as this booklet from North Korea will explain to you.

But what about monopolies? After all, while the free-market may work when there's competition, it breaks down where there are fewer competitors, oligopolies, and monopolies.

There is some truth to this: in individual cities, there's often only a single credible high-speed broadband provider. But this isn't the issue at stake here. The FCC isn't proposing light-handed regulation to keep monopolies in check, but heavy-handed regulation that regulates every last decision.

Advocates of FCC regulation keep pointing out how broadband monopolies can exploit their rent-seeking positions in order to screw the customer. They keep coming up with ever more bizarre and unlikely scenarios of what monopoly power grants the ISPs.

But they never mention the simplest: that broadband monopolies can just charge customers more money. They imagine instead that these companies will pursue a string of outrageous, evil, and less profitable behaviors to exploit their monopoly position.

The FCC's reclassification of broadband under Title II gives it full power to regulate ISPs as utilities, including setting prices. The FCC has stepped back from this, promising it won't go so far as to set prices, that it's only regulating these evil conspiracy theories. This is kind of bizarre: either broadband ISPs are evilly exploiting their monopoly power or they aren't. Why stop at regulating only half the evil?

The answer is that the claim of "monopoly" power is a deception. It starts with overstating how many monopolies there are to begin with. When it issued its 2015 "Open Internet" order the FCC simultaneously redefined what they meant by "broadband", upping the speed from 5-mbps to 25-mbps. That's because while most consumers have multiple choices at 5-mbps, fewer consumers have multiple choices at 25-mbps. It's a dirty political trick to convince you there is more of a problem than there is.

In any case, their rules still apply to the slower broadband providers, and equally apply to the mobile (cell phone) providers. The US has four mobile phone providers (AT&T, Verizon, T-Mobile, and Sprint) and plenty of competition between them. That it's monopolistic power that the FCC cares about here is a lie. As their Open Internet order clearly shows, the fundamental principle that animates the document is that all corporations, monopolies or not, are treacherous and must be regulated.

"But corporations are indeed evil", people argue, "see here's a list of evil things they have done in the past!"

No, those things weren't evil. They were done because they benefited the customers, not as some sort of secret rent seeking behavior.

For example, one of the more common "net neutrality abuses" that people mention is AT&T's blocking of FaceTime. I've debunked this elsewhere on this blog, but the summary is this: there was no network blocking involved (not a "net neutrality" issue), and the FCC analyzed it and decided it was in the best interests of the consumer. It's disingenuous to claim it's an evil that justifies FCC actions when the FCC itself declared it not evil and took no action. It's disingenuous to cite the "net neutrality" principle that all network traffic must be treated equally when, in fact, the network did treat all the traffic equally.

Another frequently cited abuse is Comcast's throttling of BitTorrent. Comcast did this because Netflix users were complaining. Like all streaming video, Netflix backs off to slower speed (and poorer quality) when it experiences congestion. BitTorrent, uniquely among applications, never backs off. As most applications become slower and slower, BitTorrent just speeds up, consuming all available bandwidth. This is especially problematic when there's limited upload bandwidth available. Thus, Comcast throttled BitTorrent during prime time TV viewing hours when the network was already overloaded by Netflix and other streams. BitTorrent users wouldn't mind this throttling, because it often took days to download a big file anyway.

When the FCC took action, Comcast stopped the throttling and imposed bandwidth caps instead. This was a worse solution for everyone. It penalized heavy Netflix viewers, and prevented BitTorrent users from large downloads. Even though BitTorrent users were seen as the victims of this throttling, they'd vastly prefer the throttling over the bandwidth caps.

In both the FaceTime and BitTorrent cases, the issue was "network management". AT&T had no competing video calling service, Comcast had no competing download service. They were only reacting to the fact their networks were overloaded, and did appropriate things to solve the problem.

Mobile carriers still struggle with the "network management" issue. While their networks are fast, they are still of low capacity, and quickly degrade under heavy use. They are looking for tricks in order to reduce usage while giving consumers maximum utility.

The biggest concern is video. It's problematic because it's designed to consume as much bandwidth as it can, throttling itself only when it experiences congestion. This is what you probably want when watching Netflix at the highest possible quality, but it's bad when confronted with mobile bandwidth caps.

With small mobile devices, you don't want as much quality anyway. You want the video degraded to lower quality, and lower bandwidth, all the time.

That's the reasoning behind T-Mobile's offerings. They offer an unlimited video plan in conjunction with the biggest video providers (Netflix, YouTube, etc.). The catch is that when congestion occurs, they'll throttle it to lower quality. In other words, they give their bandwidth to all the other phones in your area first, then give you as much of the leftover bandwidth as you want for video.

While it sounds like T-Mobile is doing something evil, "zero-rating" certain video providers and degrading video quality, the FCC allows this, because they recognize it's in the customer interest.

Mobile providers especially have great interest in more innovation in this area, in order to conserve precious bandwidth, but they are finding it costly. They can't just innovate, but must ask the FCC permission first. And with the new heavy-handed FCC rules, they've become hostile to this innovation. This attitude is highlighted by the statement from the "Open Internet" order:

And consumers must be protected, for example from mobile commercial practices masquerading as “reasonable network management.”

This is a clear declaration that the free market doesn't work and won't correct abuses, and that mobile companies are treacherous and will do evil things without FCC oversight.

Conclusion

Ignoring the rhetoric for the moment, the debate comes down to simple left-wing authoritarianism and libertarian principles. The Obama administration created a regulatory regime under clear Democrat principles, and the Trump administration is rolling it back to more free-market principles. There is no principle at stake here, certainly nothing to do with a technical definition of "net neutrality".

The 2015 "Open Internet" order is not about "treating network traffic neutrally", because it doesn't do that. Instead, it's purely a left-wing document that claims corporations cannot be trusted, must be regulated, and that innovation and prosperity come from the regulators and not the free market.

It's not about monopolistic power. The primary targets of regulation are the mobile broadband providers, where there is plenty of competition, and who have the most "network management" issues. Even if it were just about wired broadband (like Comcast), it's still ignoring the primary ways monopolies profit (raising prices) and instead focuses on bizarre and unlikely ways of rent seeking.

If you are a libertarian who nonetheless believes in this "net neutrality" slogan, you've got to do better than mindlessly repeating the arguments of the left-wing. The term itself, "net neutrality", is just a slogan, varying from person to person, from moment to moment. You have to be more specific. If you truly believe in the "net neutrality" technical principle that all traffic should be treated equally, then you'll want a rewrite of the "Open Internet" order.

In the end, while libertarians may still support some form of broadband regulation, it's impossible to reconcile libertarianism with the 2015 "Open Internet", or the vague things people mean by the slogan "net neutrality".

The post Libertarians are against net neutrality appeared first on Security Boulevard.



from Libertarians are against net neutrality

DoD RMF and Security Risk Management Salaries in 2017

Introduction

As technology continues to innovate and evolve, so do its security risks. A career in security risk management, therefore, involves continuous learning and the ability to stay one step...

The post DoD RMF and Security Risk Management Salaries in 2017 appeared first on Security Boulevard.



from DoD RMF and Security Risk Management Salaries in 2017

Avnet Releases Upgraded TPM v2.0 Pmod for Advanced IIoT Security

Avnet (NYSE: AVT), a leading global technology distributor, today released the next generation Trusted Platform Module (TPM) Security Peripheral Module (Pmod) enabling advanced hardware root of trust platform integrity, remote attestation and cryptographic services for Industrial Internet of Things (IIoT)–enabled devices for applications including factory automation, smart cities, smart grid and health care.

The post Avnet Releases Upgraded TPM v2.0 Pmod for Advanced IIoT Security appeared first on Trusted Computing Group.

The post Avnet Releases Upgraded TPM v2.0 Pmod for Advanced IIoT Security appeared first on Security Boulevard.



from Avnet Releases Upgraded TPM v2.0 Pmod for Advanced IIoT Security

The Joy of Tech®, ‘A New Expression’

Via the stupendous badassery of Nitrozac and Snaggy at The Joy of Tech®.

The post The Joy of Tech®, ‘A New Expression’ appeared first on Security Boulevard.



from The Joy of Tech®, ‘A New Expression’

SaaS Identities

Identities have historically been hosted and secured on-prem. When all of the resources were located on-prem, this worked perfectly. However, with the emergence of cloud and SaaS applications, users needed...

The post SaaS Identities appeared first on JumpCloud.

The post SaaS Identities appeared first on Security Boulevard.



from SaaS Identities