Report: Attackers have their sights set on the cloud

Tony Bradley , PCWorld Follow me on Google+

Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.
More by

If you want to catch trout, you have to fish where the trout swim. That same logic applies for cyber criminals—they will focus their efforts wherever there is a fair chance of finding targets to prey on. This is underscored by a new report from Alert Logic that reveals a dramatic rise in cloud-based attacks as more businesses and individuals migrate applications and data to the cloud.

Alert Logic deployed honeypots in the cloud to collect information about emerging malware, identify the sources of attacks, and determine common or unique attack vectors. The results of this research combined with data collected from AlertLogic customers around the world were used to create the Spring 2014 Alert Logic Cloud Security Report.

The report was compiled from 232,364 verified security incidents, identified from more than a billion events observed by Alert Logic between April 1 and Sept. 30, 2013. The data was gathered from more than 2,200 organizations across a variety of industries around the world. Cloud environments account for 80 percent of the data collected, while the remaining 20 percent comes from on-premise datacenters.

Read more »

2

Spam turns 20 and is still going strong

Tony Bradley , PCWorld Follow me on Google+

Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.
More by

We recently passed an Internet milestone: April 12 marked the 20-year anniversary of commercialized spam. But even with two decades and trillions of unsolicited messages behind us, it seems there is still no end in sight.

There were certainly unsolicited messages sent before April 11, 1994, but that's the day two lawyers pitched a green card lottery to the vast Usenet News audience. It’s been mostly downhill since.

You’ve probably been emailed by your fair share of African “royalty” or other foreign nationals seeking your assistance in transferring millions of dollars of wealth to the United States. Perhaps you’ve received email ads for Viagra or unsolicited pitches to for a low-interest mortgage or other loan.

Read more »

4

Twitter app downloads could put users at risk

Tony Bradley , PCWorld Follow me on Google+

Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.
More by

Twitter announced that it is putting its MoPub acquisition to use by enabling Twitter marketers to promote and distribute mobile apps. There is a potential opportunity there, though, for attackers to exploit the system if users become conditioned to download apps from their Twitter feed without thinking.

At face value, the move seems a good one for companies that market through the social media platform. According to a blog post from Twitter, the MoPub Marketplace reaches over a billion unique devices and serves over 130 billion ads within Android and iOS apps every month. Now, MoPub Marketplace advertisers will be able to simultaneously market to 241 million active Twitter users.

apppromo twitter

Malicious apps can take advantage of users conditioned to download apps from Twitter.

Read more »

1

Microsoft takes fight to Google’s home turf with Office Online Apps

Tony Bradley , PCWorld Follow me on Google+

Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.
More by

Microsoft has adopted a new strategy for its Office productivity tools. Rather than holding Office hostage on Windows devices in an effort to attract customers, it will try and make the suite the default productivity choice no matter what platform or device people are using—including Chrome OS and Chromebooks.

When Microsoft rolled out new and improved Office Online apps this week, it also published them in Google’s Chrome Web Store. The Office apps already worked in the Chrome browser and on Chromebooks, but pushing them in the Chrome OS outlet is a much more aggressive attempt to capture the attention of loyal Google users and drive the point that Google Docs isn’t the only available productivity suite.

Some see this turnabout as Microsoft’s admission that Chromebooks are more capable than the “Scroogled” marketing campaign implies. But Microsoft isn’t conceding that Chromebooks are work-worthy. It is merely admitting that the tech landscape has shifted, and it recognizes that it can’t rely on maintaining a virtual monopoly of the desktop OS market to drive Office sales or vice versa. The move is part of a larger strategy that began with Office Mobile for iPhone and Android and the recent addition of Office for iPad.

Read more »

4

Reverse Heartbleed puts your PC and devices at risk of OpenSSL attack

Tony Bradley , PCWorld Follow me on Google+

Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.
More by

The Internet has been abuzz for the last week or so in response to the Heartbleed vulnerability in OpenSSL. While almost all of the attention has centered on patching Web servers and advising users to change their passwords, security researchers have discovered that individual client PCs and devices are also at risk thanks to "Reverse Heartbleed."

Meldium, a cloud identity and access management service, shared details of the Reverse Heartbleed threat in a blog post. An attacker can exploit Heartbleed to expose sensitive data on vulnerable servers, but that's not the only attack possible using this flaw. The "heartbeat" used in the Heartbleed attack can be initiated by either the client or the server, so a malicious server can also send bad heartbeat packets to an OpenSSL client to extract data.

“It’s the popularity and pervasiveness of the OpenSSL library that makes this vulnerability difficult to remediate fully,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “While popular Web applications may be already patched, the myriad of appliances, embedded devices, and network infrastructure that may be vulnerable will take a lot longer to address. You can’t just disable the Internet for maintenance.”

Read more »

2

HP report: 80 percent of app vulnerabilities are really your fault

Tony Bradley , PCWorld Follow me on Google+

Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.
More by

Let's be clear: There is no such thing as an invulnerable application. Some have more critical vulnerabilities than others as we discovered this week with the Heartbleed bug, but any application can be exploited given a dedicated attacker. According to the HP 2013 Cyber Risk Report, though, the application itself is not to blame for most vulnerabilities—you are.

HP compiled data from 2,200 applications scanned by HP Fortify on Demand and reports that 80 percent of the vulnerabilities discovered were not the fault of the application code itself.

“Many vulnerabilities were related to server misconfiguration, improper file settings, sample content, outdated software versions, and other items related to insecure deployment,” the report states.

Read more »

2

Is open source to blame for the Heartbleed bug?

Tony Bradley , PCWorld Follow me on Google+

Tony is principal analyst with the Bradley Strategy Group, providing analysis and insight on tech trends. He is a prolific writer on a range of technology topics, has authored a number of books, and is a frequent speaker at industry events.
More by

By now you've likely heard about the Heartbleed bug, a critical vulnerability that exposes potentially millions of passwords to attack and undermines the very security of the Internet. Because the flaw exists in OpenSSL—which is an open source implementation of SSL encryption—many will question whether the nature of open source development is in some way at fault. I touched based with security experts to get their thoughts. 

Closed vs. Open Source

First, let’s explain the distinction between closed source and open source. Source refers to the source code of a program—the actual text commands that make the application do whatever it does.

Read more »

10