
Editor's News

Applications will not have to hand over keys to secure communications, as keys are generated on the device. Talking to IT Security Guru, Brian Spector, CEO of CertiVox, said that if it is not physically possible to hand over the keys, then it’s not physically possible for Government to demand access to secure communications. Earlier this week, Prime Minister David Cameron said that he would stop the use of methods of communication that cannot...


Microsoft released nine patches last night, with one rated as critical. After the company announced that it is to not give advance notifications to anyone but premium customers, the announcement came as a surprise to many. Ross Barrett, senior manager of security engineering at Rapid7, said this “marks the start of a new era”. He said: “It seems that Microsoft’s trend towards openness in security has reversed and the company that was formerly doing...


Following on from his proposed national 30 day breach notification law, President Barack Obama has also announced a new cyber security legislative proposal. The President has unveiled the next steps in his plan to defend the nation’s systems, including a new legislative proposal, building on work done in Congress, solving the challenges of information sharing and including revisions to the 2011 legislative proposal on which Congress has yet to take action. The administration’s updated...


Airport parking service Park 'N Fly has notified customers of a compromise of payment card data.   In a statement, Park ‘N Fly confirmed that it has been working “continuously” to understand the nature and scope of the incident, and has engaged third-party data forensics experts to assist with its investigation.   A service that allows customers to reserve spots in advance of travel via an internet-based reservation system, the story was originally revealed in...


The Twitter and YouTube channels of the US Military Central Command have been suspended after they were taken over by hackers affiliated to ISIS. According to the Washington Post, data was released which did not come from Centcom’s server or social media sites and was already publicly available online. However, the hackers had control long enough to post tweets stating “AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK”. The first rogue tweet on Monday was posted...


Google has decided to stop pushing out security updates for the WebView tool within Android to those on Android 4.3, better known as Jelly Bean, or below.   According to Rapid7, the core components of Android smartphones running OS 4.3 or previous will not receive any security updates in 2015, meaning two-thirds of users won’t receive cover from Google.   Rapid7 engineering manager Tod Beardsley said that WebView is to Android, just as Internet Explorer...


The PCI Security Standards Council (SSC) has placed a number of PFI level auditors “in remediation” in what is expected to be a step-up in compliance enforcement for 2015. Andrew Barratt, managing director of Coalfire, told IT Security Guru that two more of the approved forensic investigators (PFIs) have been put in remediation. He said: “It looks like the PCI guys are starting to crack down on some of the shoddy investigation work that has...


Microsoft has pointed the finger at Google for its decision to disclose a flaw before Redmond released a fix. Chris Betz, senior director of Microsoft Trustworthy Computing, has said that the company believes in coordinated vulnerability disclosure, and asks that researchers privately disclose vulnerabilities to software providers, working with them until a fix is made available before sharing any details publicly. In a blog, Betz named Google for its release of a vulnerability...


Microsoft has announced that it is to stop offering an advanced notification service (ANS).   The advanced notifications will now only be offered to “premier customers and current organisations involved in our security programs”, and will no longer be made broadly available through a blog post and web page, according to MSRC senior director Chris Betz.   He said: “ANS has always been optimised for large organisations. However, customer feedback indicates that many of our...


The disclosed API vulnerability in Moonpig is indicative of an area that is poorly documented, insufficiently logged, and routinely overlooked in security testing.   According to Trey Ford, global security strategist at Rapid7, APIs have been an area of concern in the cyber security community for years.   “An internet exposed API (Application Program Interface) is serving requests from the public internet,” he said. “This is further complicated by different developers using and expanding the API...
