The moving target of IoT security

As the explosive growth of IoT technology continues, businesses, vendors and consumers all have to confront the fact that the world is more connected than ever before, with potentially enormous consequences. The central problem with IoT security is that there is no central problem: IoT is a more complicated stack than traditional IT infrastructure and is far more likely to be assembled from hardware and software of different origins.

Read the Full Article here: >Computer Security News

Google X Is Launching a Cybersecurity Company Called Chronicle

Google’s parent company Alphabet today announced the launch of Chronicle, a new cybersecurity company that aims to give companies a better chance at detecting and fighting off hackers. "Chronicle is graduating out of Alphabet’s X moonshot group and is now a standalone company under the Alphabet umbrella, just like Google," TechCrunch reports. From the report: Stephen Gillett, who joined X from Google Ventures and was previously the COO of Symantec, will be the new company’s CEO. To get started, Chronicle will offer two services: a security intelligence and analytics platform for enterprises, and VirusTotal, the online malware and virus scanner that Google acquired in 2012. Gillett writes that the general idea behind Chronicle is to eliminate a company’s security blind spots and allow businesses to get a better picture of their security posture. "We want to 10x the speed and impact of security teams’ work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find," writes Gillett. "We are building our intelligence and analytics platform to solve this problem." What exactly this new platform will look like remains to be seen, though. Gillett notes that it will run on Alphabet’s infrastructure and use machine learning and advanced search capabilities to help businesses analyze their security data. Chronicle also says that it will offer its services in the cloud so that they can "grow with an organization’s needs and don’t add yet another piece of security software to implement and manage."


Read the Full Article here: >Slashdot: News for nerds, stuff that matters

PCI Council sets security requirements for mobile point of sale solutions

The PCI Security Standards Council has announced a new PCI Security Standard for software-based PIN entry on commercial off-the-shelf (COTS) devices such as smartphones and tablets.

What are we talking about here?

Stores that let customers pay with a payment card usually have a hardware terminal and PIN entry device. But this can be too expensive an option for small merchants in markets that require EMV chip-and-PIN acceptance.

A cheaper option is to get a cost-efficient card reader and connect it to a smartphone or tablet equipped with a secure PIN entry application.

But securing the PIN and account data is of crucial importance, and that’s why the PCI Council has developed this new standard.

The PCI Software-Based PIN Entry (SPoC) Standard

The SPoC Standard actually consists of two documents: the Security Requirements and the Test Requirements.

The former document has already been published, and is aimed at entities developing PIN CVM (cardholder verification method) applications, evaluator labs, assessors and organizations managing and deploying PIN CVM solutions.

The Test Requirements, scheduled to be published next month, provide validation mechanisms for payment security laboratories to evaluate the security of software-based PIN Entry solutions.

Solutions that pass the tests will be listed on the PCI SSC website for merchant use.

Key security principles of the SPoC Standard

There are several:

  • The PIN must be isolated from other account data within the COTS device
  • The PIN and account data must be protected by using a PCI approved Secure Card Reader for PIN (SCRP), which can encrypt and maintain confidentiality of account data
  • The security and integrity of the PIN entry application on the COTS device must be ensured (via software development, good release practices, and software protection against attack).

“For the SPoC Standard, we have introduced the requirement for a back-end monitoring system for additional external security controls such as attestation (to ensure the security mechanisms are intact and operational), detection (to notify when anomalies are present) and response (controls to alert and take action) to address anomalies,” adds PCI SSC Chief Technology Officer Troy Leach.

“More and more businesses are now accepting payments with smartphones, tablets and other COTS devices, especially within the small business community. The PCI SSC Software-Based PIN Entry Solution listing will provide these merchants with a resource for selecting PIN entry solutions that have been evaluated and tested by payment security laboratories, and their customers will benefit by having the best available protection for their payment data.”

Read the Full Article here: >Help Net Security – News

Download: 2018 Cybersecurity Checklist

Today’s attacks are spreading faster, evolving quicker, and evading even the most widely used security solutions. But that doesn’t mean you can’t fight back. Get practical recommendations for preventing and mitigating the latest attacks with this free checklist.

2018 Cybersecurity Checklist

Get actionable suggestions on how to:

  • Prevent compromise in the first place by defending against the most popular attack vectors
  • Mitigate post-exploitation activities like privilege escalation and lateral movement attempts
  • Know when attackers attempt to launch malicious code from memory or make changes to the registry
  • Make it more difficult for attackers to “live off the land” by abusing tools like PowerShell and WMI.

Read the Full Article here: >Help Net Security – News

Massive Health Care Data Breach in Norway

Cybercriminals have stolen a massive trove of Norway’s healthcare data in a recent data breach, which likely impacts more than half of the nation’s population.

An unknown hacker or group of hackers managed to breach the systems of Health South-East Regional Health Authority (RHF) and reportedly stole the personal information and health records of some 2.9 million Norwegians out of the country’s total 5.2 million inhabitants.

Health South-East RHA is a healthcare organisation that manages hospitals in Norway’s southeast region, including Østfold, Akershus, Oslo, Hedmark, Oppland, Buskerud, Vestfold, Telemark, Aust-Agder and Vest-Agder.

Read more at https://thehackernews.com/2018/01/healthcare-data-breach.html

Critical Flaw Hits Popular Windows Apps Built With Electron JS Framework

A critical remote code execution vulnerability has been reported in Electron, a popular web application framework that powers thousands of widely used desktop applications including Skype, Signal, WordPress and Slack.

Electron is an open-source framework that is based on Node.js and Chromium Engine and allows app developers to build cross-platform native desktop applications for Windows, macOS and Linux, without knowledge of programming languages used for each platform.

The vulnerability, tracked as CVE-2018-1000006, affects only those apps that run on Microsoft Windows and register themselves as the default handler for a protocol such as myapp://.

"Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API," Electron says in an advisory published Monday.

The Electron team has also confirmed that applications designed for Apple’s macOS and Linux are not vulnerable to this issue, nor are applications (including Windows ones) that do not register themselves as the default handler for a protocol like myapp://.

The Electron developers have already released new versions of the framework, i.e. 1.8.2-beta.4, 1.7.11 and 1.6.16, to address this critical vulnerability.

"If for some reason you are unable to upgrade your Electron version, you can append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options," the company says.

End users can do nothing about this vulnerability themselves; developers using the Electron framework have to upgrade their applications immediately to protect their user base.

Few details of the remote code execution vulnerability have been disclosed yet, and for security reasons the advisory does not name any of the vulnerable apps (those that make themselves the default protocol handler).

We will update you as soon as any details about the flaw come out.
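As an added example (not code from Electron or from the advisory), the following Node.js snippet models the workaround quoted above: why a trailing "--" stops switch parsing, and a simple audit check for a handler registration's argument list. The command-line parser and the tokens a launched handler receives are simplified assumptions, not Chromium's real behaviour.

```javascript
'use strict';
// Added example, not code from Electron or from the advisory. It models the
// CVE-2018-1000006 workaround: registering the protocol handler with "--" as
// the last argument so that tokens derived from the incoming URL are never
// interpreted as Chromium command-line switches.

// Arguments to hand to app.setAsDefaultProtocolClient(protocol, execPath, args):
// existing args are kept and the "--" end-of-options sentinel is appended last.
function hardenedProtocolClientArgs(existingArgs = []) {
  return [...existingArgs.filter((a) => a !== '--'), '--'];
}

// Audit check for an existing registration: the last argument must be "--".
function registrationIsHardened(args) {
  return args.length > 0 && args[args.length - 1] === '--';
}

// Simplified model of Chromium-style parsing (an assumption, not Chromium's
// parser): "--name[=value]" tokens are switches until a bare "--" is seen,
// after which every remaining token is positional (e.g. the URL to open).
function parseCommandLine(argv) {
  const switches = [];
  const positionals = [];
  let endOfOptions = false;
  for (const tok of argv.slice(1)) {          // argv[0] is the executable
    if (endOfOptions) positionals.push(tok);
    else if (tok === '--') endOfOptions = true;
    else if (tok.startsWith('--')) switches.push(tok);
    else positionals.push(tok);
  }
  return { switches, positionals };
}

// Constructed sample: tokens a handler process receives when a protocol URL is
// dispatched to it. "--example-switch=1" is a placeholder standing in for
// URL-derived content that happens to look like a switch.
const URL_TOKENS = ['myapp://open?id=42', '--example-switch=1'];

function simulateLaunch(registeredArgs) {
  return parseCommandLine(['myapp.exe', ...registeredArgs, ...URL_TOKENS]);
}

// Without the sentinel the second token is parsed as a switch; with it, both
// tokens stay positional and reach the application as plain data.
const before = simulateLaunch([]);
const after = simulateLaunch(hardenedProtocolClientArgs([]));
console.log('switches before:', before.switches, 'after:', after.switches);
```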

Read the Full Article here: >The Hacker News [ THN ]