IBM takes action to secure its data

by Ricardo C
New technologies such as cloud services and Apple’s dictation software Siri might help employees to be more productive, but IBM is concerned about the company’s security. According to the article, employees are not aware of the risk that these services pose to the company’s data. Many voice-recognition services like Siri actually transmit the words spoken to them to a database so developers can improve the service; however, this seems to be benign to businesses. Before, companies would manage mobile communications within the company, deciding what got in and out of the company; however, nowadays employees use their own devices to work with the company’s data. Because companies do not have access to a person’s individual devices, IBM requires employees to set up personal devices before accessing IBM’s network so that it can remotely erase a device’s memory if it is lost or stolen. As for cloud computing services, IBM is aware that employees depend on these services to be productive, which is why IBM created its own cloud service called MyMobileHub. IBM also established some guidelines with banned services.

Facebook Launches Antivirus Marketplace With Free Downloads

by Jonathan N
Facebook has decided to team up with antivirus giants like Norton, McAfee, Microsoft, Sophos and Trend Micro to launch an Antivirus Marketplace, which will allow users to download a 6-month free trial of the companies’ software. Facebook is adamant about keeping its users safe no matter if they are searching the web or not. Facebook hosts 901 million users. These users can download free copies of McAfee Internet Security, Norton, Microsoft Security Essentials, Sophos (for Mac users), and Trend Micro Security. The antivirus giants will also contribute posts to Facebook’s security blogs with great tips and information on how to stay safe on the social network. Facebook claims that they have less than 4% of spam on their site compared to emails, which consist of 90% spam.

Cloud Security Problems

by Renee L
In his article “Addressing Cloud Computing Security Issues,” Dimitrios Zissis explains some of the risks when dealing with cloud computing. Despite all of the great features that cloud computing offers, your data may not be safe. Some of the issues involve privacy, especially when numerous parties, devices, and applications are all accessing the cloud. For example, instead of your data being stored on a server that you know, it could be stored on a service provider’s server, which could be located anywhere in the world. Another threat would be the cloud’s infrastructure. The cloud’s architectural design brings many risks because of its security, redundancy, and high availability. In addition, since data travels through a network, network traffic may occur, which could lead to data modification and data interruption.

Security Implementation in Visual Studio

by Jorge R
The topic of my article this week is the security implementation Visual Studio has in place to counter security threats. The author explains that the most common attack on websites is the buffer overflow, which is done by overwriting the buffer storing the return address with a substring of source code. This attack changes the control flow, and the attacker is then given full control over the software. In an attempt to stop these attacks, researchers have designed new defensive techniques to stop hackers. These techniques include boundary checking, source backup, memory access control, address randomization, modification detecting, and instruction scrambling. The GS tool in the Visual Studio C/C++ compiler is a useful tool for developers to write secure software. The problem with using GS is the fact that it only defeats half the problem with buffer overflows. It cannot prevent a called function from manipulating the caller’s frame pointer. With these issues at hand, Microsoft has taken the step to address them and help developers write secure programs. With Visual Studio’s new updates, it has the ability to “protect the caller’s frame pointer from callee’s tampering at no additional cost”. It also has the ability to generate higher security strength while alleviating the denial of service attack by analyzing the indirect function call by the prologue pattern.

Security Company Gets Hacked

by Edwin T
The article I chose for this week is titled “Security Firm Barracuda Networks Embarrassed by Hacker Database Break-in”. Barracuda took down their firewall for maintenance for no more than a few hours before an attacker was able to infiltrate it. According to Barracuda, the attacker discovered an SQL injection flaw in a PHP script used to display customer case studies. The attacker was able to get employee passwords that were encrypted using the MD5 hashing algorithm, which is considered outdated by today’s standards. Jason Reed, director of security and compliance at SystemExperts, states, “Security companies don’t always practice what they preach, leaving themselves vulnerable to attacks like this.” According to the article, the attacker used a blind SQL injection attack, which means “the errors and results from the malicious SQL queries are not displayed directly to the attacker. Instead, the attacker has to write complicated code to expose little bits of the data at a time and then recreate the information.” Barracuda apologized for the incident in the blog post and said it was notifying affected individuals.

Security Testing of Voting Systems

by Edwin T
The peer-reviewed article I chose for this week was about security testing of voting systems. The authors discussed a few vulnerabilities of the DRE, or direct-recording electronic voting machine, and how they can affect election day. The authors found buffer overflows in the DRE system, and by exploiting them it was very easy to completely take it over. Also, the DRE systems do not have the necessary means to detect any malicious software or a change in firmware. If malicious firmware is installed in the DRE system, it can activate on election day and modify a subset of ballots so they seem as if they were for the preferred candidate. There’s the “careful voter” scenario, where the voter will submit his ballot and a review screen will appear with the name of the preferred candidate and not the one the voter voted for. If the voter catches the mistake, the firmware will allow the voter to edit the submission. At this point, the firmware will consider itself found and will not change the ballots for a period of time or number of voters before it starts again. Another of the many scenarios in the article was the “After the Fact Vote”. For this scenario, the voter places his vote normally, then the firmware will print a voided ballot and will re-print the ballot with a vote for the preferred candidate.

Hackers get smarter with JavaScript

by Ermie C
This article is about how security researchers from ESET are detecting new ways that malware is being inserted into websites. This was discovered in a Russian web space and was really found unexpectedly through the use of mouse cursor movement. However, they reveal that this is no longer a regular attack that just makes a program that redirects and installs a program automatically onto a user’s computer; this is actually rogue JS code that installs itself in the head tag of an HTML page. This makes it harder to find. Now that more and more developers are using JS for their websites, it’s becoming a more common thing to learn and manipulate. A hacker’s use of the mouse movement program is to evade the web crawlers that companies use for security to detect malware. The researchers at ESET seem impressed because programmers are getting more “proactive” in changing up their game plan to infect user computers.

Possible AJAX Malware Threats

by Alexander H
Security has always been a major issue for many. Unfortunately, with recent software advancements, it has become even more difficult to maintain computers and secure them against potential threats. According to M86 Security, a Web filtering vendor, recent exploitation attacks have been found using AJAX (Asynchronous JavaScript and XML). “These Web exploitation attacks use AJAX to fragment the payload into small pieces of code that are harder to detect by antivirus programs and intrusion prevent systems” (Constantin). The attack initially begins on the page that contains the harmful piece of JavaScript code that resembles those found on legitimate AJAX-using sites. The piece of code retrieves the payload in multiple chunks and assembles it back together on the client before executing. This technique makes it difficult for security programs to detect the attack due to the exploited vulnerability. Malware authors tend to use AJAX due to its ability to write generic attack pages, which often look like normal pages. It is recommended that users stay away from sites or web resources they are not familiar with to avoid any potential threat.

Another Window for Hackers: QR Codes

by Joshua L
The article I read for this week talks about how susceptible smartphone users who use QR code reader applications are. QR codes are a relatively new technology and they are apparently really easy to make and modify. This poses a problem for mobile phone users because if they scan a code that a hacker designed and stuck over an existing code on an item, they can easily be sent to a URL that is malicious. These codes are very useful, but it seems as though they can create a serious issue if the design is not improved. If the technology becomes more universal and these issues are not handled now, they can really do mass amounts of damage in the future.

Security vs Privacy

by Miguel V
The article I chose for this week is labeled “Cybersecurity bill passes, Obama threatens veto.” This article talks about a controversial cybersecurity bill that was approved late Thursday, even though President Obama is threatening to veto the bill, citing concerns that the bill’s language doesn’t go far enough to protect citizens’ privacy. This article mentions that “companies would be incentivized to voluntarily share information with the government, and the United States could share crucial attack information with companies.” It also mentions that the government’s top cybersecurity advisors widely agree that cyber criminals have the capability to take down the country’s critical financial, energy or communications infrastructure. Cyber attacks are now leveling the playing field, recently attacking Iran in the Stuxnet incident. A worm ordered the centrifuges in an Iranian nuclear facility to spin out of control, ultimately destroying it.