Internet of Things security will be imperative as wearables, automobiles and more sign on

A mixture of excitement and danger. No, I’m not talking about a theme-park thrill ride, I’m talking about the future of technology as seen by users surveyed for Intel Security’s Safeguarding the Future of Digital America in 2025. Here’s a peek at some of the things people think will happen within the next decade:

  • Two out of three consumers expect to access work data using facial or voice recognition
  • 60 percent of consumers believe cars will drive completely on autopilot
  • Seven out of ten survey participants think we will all have wearable devices by 2025 that actively monitor our health and vital signs.

Along with these advances, though, there are also security risks. For example, nearly half of those surveyed believe their families will be affected by cyberbullies in the next decade, and 68 percent think cybersecurity will remain a serious concern in 2025. If you consider how technology is rapidly connecting to and interacting with our day-to-day lives, it’s easy to see why security will still be a significant issue.



CurrentC is DOA before it’s even launched

CurrentC—a mobile payment system developed by a consortium of major retail chains—has made headlines lately for brazenly blocking Apple Pay transactions. The heat CurrentC faced from that poor strategic move is nothing, though, compared to the trouble the embryonic payment system is in now, thanks to news of a data breach.

CurrentC isn’t even officially launched yet. It's currently pilot testing with a handful of early adopters, and it's projected to be available to the masses sometime in 2015. Merchants Customer Exchange (MCX)—the organization behind CurrentC—confirmed Wednesday that it was the victim of a hack, though, compromising the email addresses of the early adopters.

No financial information was exposed, and attackers did not intercept transaction data, so it could definitely have been worse. Tim Erlin, director of IT risk and security strategy for Tripwire, says, “As long as this incident is constrained to the loss of email addresses, I wouldn’t expect it to be material to their business plans. There are enough big name retailers involved to weather that kind of an incident.”



Report: Many Windows automatic updates are thwarted by user inaction

You can't have good security unless you keep your operating system and applications current, with all of the latest patches and updates. Microsoft makes it easy for Windows users with its automatic updates, and yet a new report finds that many PCs with automatic updates enabled are nevertheless not actually up to date.

The OPSWAT Market Share Analysis of Antivirus & Operating Systems report, released Tuesday, is based on data gathered from users of OPSWAT GEARS security monitoring tools. The information used represents approximately 4,500 users who were surveyed between May 1 and October 1 of 2014.

The primary focus of the study—as the title implies—is to analyze the relative market share of different antivirus solutions by region, or operating system platform. The data that stands out the most in the report, though, is this: Even though 89 percent of the Windows systems surveyed have automatic updates enabled (96 percent among Windows 8.1 devices in the survey), less than 30 percent of them are actually current with all updates and patches.



What you need to know about new zero day that hits most supported Windows versions

Microsoft issued a security advisory this week with details of a zero day vulnerability that affects every supported version of the Windows operating system with the exception of Windows Server 2003. The flaw is very similar to the OLE vulnerability patched earlier this month, which was linked to the Sandworm cyber espionage campaign.

Like the vulnerability in MS14-060, this new flaw is exploited through the use of a malicious Microsoft Office file that contains an OLE object. If successfully exploited, the flaw could allow an attacker to execute malicious code remotely on the vulnerable system, with the rights and privileges of the currently logged in user.

McAfee is credited with helping to identify the new vulnerability while investigating Sandworm. A McAfee blog post explains, “During our investigation, we found that the Microsoft’s official patch is not robust enough. In other words, attackers might still be able to exploit the vulnerability even after the patch is applied. Users who have installed the official patch are still at risk.”



How a USB key drive could remove the hassles from two-factor authentication

We've had enough malware campaigns and data breaches to confirm the need for better data protection online. The Universal 2nd Factor (U2F) standard is a step in the right direction, and the first compatible devices are coming out now.

U2F is an open authentication standard. It was initially developed by Google, but it's now managed by the FIDO (Fast Identity Online) Alliance. The FIDO Alliance also includes household names like Microsoft, Mastercard, Visa, PayPal, Discover, Samsung, and BlackBerry among its members.

Two-factor, or multi-factor, authentication has long been promoted as a more effective security mechanism, but it's a hassle, requiring you to juggle passwords with a second factor such as a texted code or an authentication app. U2F proposes to streamline the process using a U2F-enabled USB or NFC key fob, card, or mobile device alongside traditional authentication methods. All you have to do is use a Web browser with built-in support and native drivers.



POODLE’s bark is bigger than its bite

Google researchers revealed a major flaw in the SSL encryption protocol—SSLv3 to be precise—which has been affectionately named “POODLE.” The vulnerability is more serious than the silly name might suggest, and the news has garnered a lot of attention because of the potentially broad implications. But security experts assure us the sky is not falling.


POODLE is actually an acronym for “Padding Oracle On Downgraded Legacy Encryption.” SSLv3 is rarely used today, but most Web browsers will negotiate a compatible encryption protocol when connecting to a site or server, and are capable of downgrading to SSLv3 if necessary. The POODLE attack relies in part on forcing the target browser to fall back to the legacy protocol, which has inherent weaknesses that can be exploited to allow the attacker to access the encrypted information.



3 simple ways two-factor authentication can protect you when no one else will

It seems like consumer data is compromised in some massive data breach every other week. You should expect the companies you do business with to do everything possible to prevent data breaches and protect your data, but it’s unreasonable to believe it will never happen. It’s up to you to take additional steps to protect your own data, and minimize the potential fallout from a breach as much as you can. One of the best ways to do that is with two-factor authentication.

Dairy Queen and Kmart are just two of the more current examples of major retail chains that have had their point-of-sale systems compromised—resulting in attackers’ capturing sensitive customer data. Target, Home Depot, and UPS have also been victims of recent data breaches. Personal information and credit card data from tens of millions of consumers is now in the hands of criminals, and at risk of being used for fraudulent activity or identity theft.

[Image: two-factor authentication infographic. Credit: Wave Systems Corp.]