• Telegram IM app recalibrates policies after Paris attacks

    Pavel Durov, the creator of the popular instant messaging app Telegram, has said that following the Paris terrorist attacks, his company has blocked dozens of accounts associated with the jihadist Islamic State group. As is the case with other technology companies, Telegram is trying to negotiate the balance between privacy and security: the same privacy-enhancing technology which keeps customers’ communication private, also helps terrorists communicate with each other and plot attacks safe from monitoring and surveillance by intelligence agencies and law enforcement.

  • Automated application whitelisting to prevent intrusions, malware

    Automated application whitelisting regulates what software can load onto an organization’s network. It is one of a number of techniques that can help prevent malware infections, and it complements other security technologies that are part of an enterprise’s defense-in-depth resources. The National Institute of Standards and Technology (NIST) has published a guide to deploying automated application whitelisting to help thwart malicious software from gaining access to organizations’ computer systems.

  • DHS S&T-funded technology protects devices from cyberattacks

    In 2011, a small group of university researchers working on securing embedded devices caught the attention of the Department of Homeland Security (DHS) Science and Technology Directorate (S&T). That effort has since evolved into a one-of-a-kind technology — called Symbiote — which Hewlett-Packard (HP) recently licensed from Red Balloon Security, to protect its printers from cyberattacks.

  • Stealing encryption keys on Amazon’s Cloud servers

    Cloud computing is a service that enables companies and organizations to store information and run computer applications without making their own investments in actual computer hardware or employing IT staff. Researchers have demonstrated that RSA encryption keys, which are used by thousands of companies and organizations to protect the data and processes they entrust to cloud-based services, can be obtained using a sophisticated side-channel attack — despite recent efforts by cloud service providers and cryptography software developers to eliminate such vulnerabilities.

  • Amendment to CISA: U.S. courts could pursue foreigners for crimes abroad against other foreigners

    A controversial amendment to an already-controversial cybersecurity bill will allow U.S. courts to pursue, convict, and jail foreign nationals in cases in which these foreigners committed crimes against other foreigners on foreign soil. The amendment to the Cybersecurity Information Sharing Act (CISA) cleared a key Senate hurdle on Thursday. It aims to lower the barrier for prosecuting crimes committed abroad.

  • EFF leads privacy advocates in opposing CISA

    Privacy advocates have intensified their campaign against the Cybersecurity Information Sharing Act (CISA), which the Senate will vote on sometime next week. The Electronic Frontier Foundation (EFF) says it vehemently opposes the bill, as well as amendments which would expand the Computer Fraud and Abuse Act. EFF says that CISA is fundamentally flawed. The bill’s broad immunity clauses, vague definitions, and what EFF describes as “aggressive spying powers” combine to “make the bill a surveillance bill in disguise.”

  • Ruling shows Europe still vexed over NSA spying, leaving U.S. companies in legal limbo

    For over fifteen years, the Data Transfer Pact between the European Union and the United States, more commonly known as Safe Harbor, had ensured that companies with EU operations could transfer online data about their employees and customers back to the United States despite stark differences between U.S. and European privacy law. Earlier this month, U.S. companies operating in Europe got some unwelcome news: Safe Harbor had been ruled invalid. The European court’s ruling has serious implications for these companies’ business models and profitability, leaving many scrambling to find solutions. But it also exposes a fundamental cultural rift between the U.S. and Europe’s conceptions of privacy – one that a new agreement won’t be able to paper over.

  • Cyberthreats, cyberattattacks will only increase over time: Experts

    The increasing dependency of a growing number of organizations on the Internet has served to increase the number of targets for hackers, particularly those organizations that have not given adequate attention to securing their network as they should. Even those networks not connected to the Internet are not immune from penetration by hackers. This is a threat that shows no sign of ever slowing down. More likely it will only increase over time, as cyber-capabilities are developed by more and more entities.

  • Guarding networks from “insider threats”

    Even the best-protected, most sensitive computer networks resemble castles: They have walls to ward off outside threats, but their interiors are full of weak points. This is why the “insider threat” — someone within a system who, out of malice or naiveté puts a system at risk - -is considered one of the most serious risks in the cybersecurity world. “The insider threat is clearly a challenge for organizations, because most countermeasures were developed for external attacks,” says one researcher.

  • Cybersecurity company licenses ORNL’s Data Diode

    Data Diode, developed by ORNL’s researchers, uses a defense-in-depth computer network strategy to create an environment in which an organization’s approved users can work freely inside an enclave of protected data but restricts file transfers outside the network. Lock Data Solutions has licensed a technology from ORNL. The technology is designed to protect a company’s data from internal and external threats.

  • DHS S&T awards $14 million for developing defenses against DDoS attacks

    Typical DDoS attacks are used to render key resources unavailable, such as disrupting an organization’s Web site and temporarily block a consumer’s ability to access the site. A more strategic attack may render a key resource inaccessible during a critical period. The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) the other day announced the award of eight contracts totaling $14 million for research on technologies to defend against DDoS attacks.

  • A first: Anti-fraud system to use existing credit card readers

    From large-scale data breaches such as the 2013 Target case to local schemes that use skimming devices to steal data at the gas pump, credit card fraud is becoming commonplace. Because existing magnetic card readers use plain text to store confidential information, they are vulnerable to an untrusted card reader or skimming device. Analysts estimate that this vulnerability is adding up to $8 billion in incurred losses per year in the United States. For the first time, researchers have developed an inexpensive, secure method to prevent mass credit card fraud using existing magnetic card readers.

  • Improving cybersecurity, reducing online theft

    NIST the other day announced it will award nearly $3.7 million for three pilot projects designed to make online transactions more secure and privacy-enhancing for healthcare, government services, transportation, and the Internet of Things. The three recipients of the National Strategy for Trusted Identities in Cyberspace (NSTIC) grants will pilot solutions aimed at reducing tax refund theft, improving the security of medical information and providing secure online data storage.

  • Strategic alliance to deliver behavioral analysis cybersecurity to market

    Ernst & Young LLP and Los Alamos National Laboratory have formed a strategic alliance to deliver what they describe as some of the most advanced behavioral cybersecurity tools available to the commercial market. The alliance comes at a watershed moment when increasingly sophisticated cyberattacks are inflicting significant economic, social, and even political damage to U.S. organizations. The tools developed by Los Alamos and delivered to the private sector by Ernst & Young LLP can help counter these threats by detecting them before they do deep and lasting damage.

  • Draft guide to help energy companies reduce cyber risk

    DHS reported that 5 percent of the cybersecurity incidents its Industrial Control Systems Cyber Emergency Response Team responded to in fiscal year 2014 were tied to weak authentication. Four percent were tied to abuse of access authority. The National Cybersecurity Center of Excellence (NCCoE) is requesting comments on a draft guide to help energy companies better control who has access to their networked resources, including buildings, equipment, information technology, and industrial control systems.