ComputerWorld

ComputerWorldIndependent

5 things DevOps must do to secure containers


Do deepening adoption and broader deployment of container technologies (from the likes of Docker, CoreOS and others) threaten to escalate into the latest skirmish between operations, developers and information security? Certainly, the potential exists to widen the rift, but in fact there is far more common ground than first appearances would suggest. Containerization introduces new infrastructure that operates dynamically and is open in nature, with more potential for cross-container activity. At the same time, it presents an almost unprecedented opportunity to embed security into the software delivery pipeline, rather than grafting on security checks, container monitoring and access-control policy as an afterthought.


WhatsApp reduces spam, despite end-to-end encryption

Can a spam filter work even without reading the content of your messages?

WhatsApp thinks so. Since last April, the messenger app has been successfully fighting spam abuse, even as it’s been using end-to-end encryption.

That encryption means that no one — not even WhatsApp — can read the content of your messages, except for the recipient.

More privacy, however, can raise issues about spam detection. If WhatsApp can’t scan your messages for suspicious content, say for advertisements peddling cheap Viagra, then how can it effectively filter them out?


In treason case, Russia alleges security experts aided U.S.

Two officers of the Russian Federal Security Service (FSB) and a cybercrime investigator from Kaspersky Lab have reportedly been charged with treason for helping U.S. intelligence services.

The arrests of Ruslan Stoyanov, the head of the computer incidents investigation team at Kaspersky, and Sergei Mikhailov, the deputy head of the Information Security Center at the FSB, happened in early December and were reported in the Russian media last week.

Since then, the arrest of a third FSB officer named Dmitry Dokuchayev, who also worked for the agency’s Information Security Center, came to light, and the investigation is said to have targeted even more people.


Cybersecurity and freedom of speech under President Trump

While President Donald Trump decided not to sign an executive order on cybersecurity, which would have required a review of the nation’s cyber vulnerabilities to be done in a mere 60 days, he told reporters, “I will hold my cabinet secretaries and agency heads accountable, totally accountable for the cybersecurity of their organization.”


Mobile security firm offers cash to hackers for their old exploits

Mobile security firm Zimperium has launched an exploit acquisition program that aims to bring undisclosed attack code for already patched vulnerabilities out in the open.

Paying for old exploits might seem like a waste of money, but there are technical and business arguments to justify such an acquisition system and they ultimately have to do with the difference between exploits and vulnerabilities.

A vulnerability is a software defect with potential security implications, while an exploit is the actual code that takes advantage of that bug to achieve a specific malicious goal, often by bypassing other security barriers along the way.

In practice, many vulnerabilities that get reported to vendors are not accompanied by working exploits. Showing that a programming error can lead to memory corruption is typically enough for the vendor to understand its potential implications — for example, arbitrary code execution.


How to make PC security alerts better? Make them twirl, jiggle

Have you ever ignored a security alert on your PC? You’re not the only one.

The warnings are designed to save us from malware infections and hacking risks, but often we’ll neglect them. It could be because we’re too busy or we’ve seen them too many times, and we’ve become conditioned to dismiss them — even the most serious ones, according to Anthony Vance, a professor at Brigham Young University.

Vance has been studying the problem and has found that introducing certain small but noticeable changes can make the alerts more useful, and harder to ignore.

“Our security UI (user interface) needs to be designed to be compatible with the way our brains work,” he said at the USENIX Enigma 2017 conference on Tuesday. “Not against it.”


Trump stresses cybersecurity but postpones executive order

U.S. President Donald Trump called on government agencies to better protect their networks, but he delayed signing an executive order to kick-start a government-wide review of cybersecurity policy.

A draft copy of the order, leaked earlier, would give the Department of Defense and the Department of Homeland Security 60 days to submit a list of recommendations to protect U.S. government and private networks.

Trump had been scheduled to sign the executive order Tuesday but canceled shortly before it was due to happen.


Easy-to-exploit authentication bypass flaw puts Netgear routers at risk

For the past half-year, Netgear has been working on fixing a serious and easy-to-exploit vulnerability in many of its routers. And it’s still not done.

While Netgear has worked to fix the issue, the list of affected router models increased to 30, of which only 20 have firmware fixes available to date. A manual workaround is available for the rest.

The vulnerability was discovered by Simon Kenin, a security researcher at Trustwave, and stems from a faulty password recovery implementation in the firmware of many Netgear routers. It is a variation of an older vulnerability that has been publicly known since 2014, but this new version is actually easier to exploit.
