Security Port

Contains relevant information that pertains to security related issues and solutions.

A Security Port Blog

Legislating Security
12/31/2015

In the United States, three pieces of legislation set the stage for government and national security agencies to access and use private information stored in electronic media. In the United Kingdom, a bill would make national security access easier. The European Union’s new privacy law is set to replace the 28-nation hodgepodge of privacy and security laws, and that new regime carries draconian fines. The three sets of laws have different emphases and will often make tripartite legal compliance impossible for commercial vendors.

In June 2015, the USA Freedom Act replaced the Patriot Act and blocked bulk surveillance of American phone calls, but did not block communications vendors from collecting telephone metadata. Now, using court-issued warrants or subpoenas (especially in the form of a National Security Letter), government and national security agencies can obtain telephone metadata from the vendors.

A bill called the Email Privacy Act would require law enforcement and government agencies to obtain a warrant (not a subpoena) before forcing an email service provider to produce requested emails. The email owner must be notified within a short timeframe, although in special circumstances, a notification can be delayed. The Email Privacy Act is not yet law.

The third law, known as the Cybersecurity Information Sharing Act (CISA), was buried as part of a 14th rider of a 2,000-page bill. CISA permits private companies to voluntarily hand over customer information to federal agencies, and it protects those companies from lawsuits over privacy violations.

TSA Security Checks
12/30/2015

The Transportation Security Administration is increasing random checks of airport and airline employees who hold badges that enable them to bypass security checkpoints.

The decision follows instances in the past two years in which employees used restricted entrances to smuggle guns and launder money. It is also part of a larger push to increase airport security after the Paris terrorist attacks and the crash of a jet flying between Egypt and Russia, believed to have been brought down by a bomb.

Security Gift?
12/29/2015

A hidden threat may be lurking under your Christmas tree this year. From fitness bands to digital photo frames, some seemingly innocuous presents may harbor flaws that can be exploited by hackers.

Balancing Privacy, Security Amid ISIS Threat
12/09/2015

With the murderous and frightful terrorist attacks in Paris last weekend, once again we are reminded of the need for law enforcement and our international intelligence agencies to have the ability to anticipate and prevent such attacks and to protect us.

We in Washington, D.C., feel special fear this week after the Islamic State in Iraq and Syria specifically declared our nation’s capital as its next target.

The question remains: Can we allow our national and international intelligence agencies and law enforcement officials to use all the tools to intercept communications and anticipate attacks, as they have done in the past, without violating our fundamental privacy rights and civil liberties?

Homeland Security Running Hundreds of Sensitive, Top Secret Databases Vulnerable to Attacks
12/08/2015

Leading the agencies operating unsecured databases was the Coast Guard with 26, followed by the Federal Emergency Management Agency with 25, and Customs and Border Protection with 14.

The Department of Homeland Security headquarters is operating 11, and the Transportation Security Administration is running 10 sensitive or secret systems with expired authorizations.

The audit also found that security patches were missing for computers, Internet browsers, and databases, and weak passwords left the agency's information security vulnerable.

69 percent of users would bypass security controls to win a big deal
12/07/2015

When faced with the chance of clinching a major deal people are willing to throw security controls out of the window.

This is according to research by contextual security company Balabit which asked over 380 European IT executives, CIOs, CISOs, auditors and other IT professionals about their thoughts on IT security and business flexibility.

When asked about their preference if they needed to choose between IT security and business flexibility, 71 percent of respondents said that security should be equally or more important than business flexibility.

But show them the money and things change: when the same people were asked if they would take the risk of a potential security threat in order to achieve the biggest deal of their life, 69 percent of respondents said they would take the risk.

4 Simple Ways to Secure your Internet-connected Car
12/04/2015

Contact a car dealer, or your mechanic, and make sure the car's software is up to date. If you do not have the latest software version, update it immediately. In the future, you'll likely be able to download such updates automatically, but most cars don't offer this option quite yet.

Do not jailbreak the software in your car or on the devices that connect to it. Doing so voids the warranty, and could open the door to hacks.

Do not plug random devices into the car's USB ports or OBD2 diagnostic port. (The latter is located under the dashboard and is used by mechanics to check the engine and other systems on cars built since the late 1990s.) Clemens says you should avoid devices like the dongles supplied by Progressive and other auto insurance companies, which use the Internet to broadcast data on your driving habits.

If you want to use a connected-car device or app, do some research, or ask the manufacturer whether it has been hardened, before using it. If not, think twice about the risks versus benefits.

What The Paris Attacks Have To Do With Your Phone
12/03/2015

Although U.S. or U.K. agencies might require backdoors into various software, apps from other countries — one made in Russia, for example — would not have to abide by those laws. All criminals would have to do to get private, untracked communication is download one of those apps instead. They could also build their own encryption apps themselves.

As for phones or computers that are encrypted, there are ways authorities can get at that data if they really want to — that's one definition of the word hacking, after all.

And even with encryption, communications often leave a cookie-crumb trail that investigators can follow: metadata. While your exact message may be encrypted, they could still see who you are talking to, the date and time of the communication, and even each individual's location.

How to Crowd Source Security
12/02/2015

The best defense is a good offense, as the saying goes, and nowhere is that more true than in enterprise security. Finding vulnerabilities and exploits before hackers do can prevent devastating breaches, data loss, and crippling hits to your operations and your reputation.

Most enterprises use one of two approaches: manual, by which a human tests for potential weaknesses; or automated, in which a vulnerability scanner screens networks for exploit potential. But neither of these approaches is entirely effective on its own.

Chrome Has a Security Flaw
12/01/2015

Since Google launched the Chrome browser in 2008, it has built a reputation for speed and security not found in other browsers. While the gap has narrowed in both those areas thanks to improvements in Firefox, and Microsoft creating the new Edge browser for Windows 10, Chrome still has the edge in hacking contests.

That's one reason hundreds of millions around the world have it installed on their computers and mobile gadgets. Unfortunately, a newly discovered security flaw might put that reputation in jeopardy.

When the Chrome browser visited the webpage, a flaw in the JavaScript system let the page download another app that took over the Android gadget completely. That's scary, but it gets worse.

4 Things To Know About Visa Waivers And Security
11/30/2015

While Congress took steps to pause the Syrian refugee program this week, there is another concern that many say poses a bigger threat of allowing a potential terrorist into the U.S. It is known as the visa waiver program, and it allowed 20 million travelers into the U.S. last year, with much less screening than refugees receive.

Here are four things to know about that program, and the security concerns that have been raised about it:

1. How does it work?

It used to be that if you were a person living abroad and you wanted to see the U.S., you had to first go to an American embassy and get a visa. You would be interviewed by an embassy official who would ask about your background. But since the 1980s, residents of many countries no longer have to go through that process. In fact, 38 nations, including most of Europe, are visa waiver countries.

BlackBerry Could Solve Android Security Issues
11/27/2015

BlackBerry is still around, though, and that is a good thing. At least it is if you are concerned about security and your privacy. BlackBerry has long been among the most secure devices available.

Google and the University of Cambridge recently noted that around 87% of Android devices are vulnerable to attack. Part of the problem is that many Android devices are made by third-party manufacturers, some of whom do not take security as seriously as others.

BlackBerry now has an Android phone, and pretty stringent plans to make sure they're secure. That starts with being diligent, according to BlackBerry's Chief Security Officer, David Kleidermacher.

Airplane security overhaul after Russian crash likely
11/25/2015

The airport that the doomed Russian plane that crashed in Egypt in late October left from has been revealed to have lax security and a history of aviation scares, but security upgrades may extend well beyond it.

Britain's foreign secretary said Sunday airport security in many cities will need to be overhauled if it is confirmed the Russian plane crash in the Sinai was caused by a bomb planted by the Islamic State of Iraq and Syria (ISIS) or someone inspired by the militants.

Foreign Secretary Philip Hammond warned that if those suspicions are true, there needs to be a rethink of security at airports in areas where the extremist group is active.

He told the BBC Sunday that may mean additional costs, it may mean additional delays at airports as people check in.

The Mathematics of Adaptive Security
11/24/2015

Enterprise security teams are charged with maintaining the perfect set of security policies. In their pursuit of the perfect security policy, they are often the department of slow (because the pursuit of perfection takes time). At the same time, to err is human…

As Winston Churchill said, the pursuit of perfection is paralyzing. Even if the perfect security policy is achieved, any application changes, data center changes, migrations, or policy changes erode at that perfection like water flowing over a rock, and eventually a crack will occur. Thanks to virtualization, public cloud, and constant application delivery, the probability of an error getting introduced has never been higher.

With the stakes so high, and jobs on the line, you can bet that every change in security policy is contemplated, scrutinized, re-scrutinized, and planned before finally being executed.

Getting Student Data Security Right—the First Time
11/23/2015

According to a recent survey of public school parents by the Future of Privacy Forum, more than seven in 10 parents are comfortable with a properly protected electronic education record being created for their child as a valuable tool for improving their educational opportunities. Interestingly, almost all are more likely to support collecting and using data in an electronic record—if they know a school or educational service provider is required to ensure proper security.

Cyber Security: How to Protect Your Data Over Wi-Fi
11/20/2015

Because office computers are generally connected to the same network, if a hacker is able to gain access to one machine that shares the network connection, they can potentially, and sometimes quite easily, gain access to all of the machines and information on the network. What this means is that computers on the same Wi-Fi network can potentially have access to any unencrypted information that passes through that network.

What follows are some simple, but critically important steps to take to protect your information.
Have a Guest Network
Change Your Strong Password Often
Use the Right Security Protocol
Physically Secure Your Router
Change The Default Password of Your Router

In the Dark Over Power Grid Security
11/19/2015

When the lights go out, we usually know why: Mother Nature is at it again.

Most of the time we manage to get through it. But what if the power went out in a number of states affecting millions of people for weeks, even months?

The power grid is the system interconnecting North America's supply of electricity. If one area has particularly heavy demand, power from another region can sometimes serve as back-up.

The downside to all this? If a hacker manages to take down an entire grid, a huge portion of the country -- along with parts of Canada -- could go down with it.

The primary reason? Like so much else these days, the grid relies heavily on the Internet.

5 Information Security Trends That Will Dominate 2015
11/18/2015

Cybercriminals are becoming more sophisticated and collaborative with every coming year. To combat the threat in 2015, information security professionals must understand these five trends.

In information security circles, 2014 has been a year of what seems like a never-ending stream of cyberthreats and data breaches, affecting retailers, banks, gaming networks, governments and more.

The calendar year may be drawing to a close, but we can expect the size, severity and complexity of cyber threats to continue increasing, says Steve Durbin, managing director of the Information Security Forum (ISF), a nonprofit association that assesses security and risk management issues on behalf of its members.

Looking ahead to 2015, Durbin says the ISF sees five security trends that will dominate the year.

1. Cybercrime
2. Privacy and Regulation
3. Threats From Third-Party Providers
4. BYOx Trends in the Workplace
5. Engagement With Your People

How Important is Web Security
11/17/2015

The challenges that an organization faces when auditing the security of their website are significant to say the least.

To start off with, it is a tough job trying to find the right people for the job. Web security requires a different set of skills. While there are many who claim that they are proficient in IT Security, they are often only referring to network security, which is a different kind of beast.

A web security auditor needs to keep himself up-to-date with the new web technologies, including updates to HTML, PHP and .NET, new web components that ease development, such as Node.js, updates to CMS and blogging software including WordPress, Drupal and Joomla, and updates to the web servers hosting the web applications.

While new web technology updates are always welcome, since they generally bring in new functionality and ease the development work, they often also include a new set of web threats. In addition to that, vulnerabilities are also often found within the existing components.

Endpoint security trends for 2015: What can we expect?
11/16/2015

Endpoint security is definitely an approach that I favor. Keeping a network secure is an immense challenge that requires constant work and vigilance. Why introduce a client or server to your network before making sure that the device is as security hardened as possible?

In my data center work experience, a very significant percentage of the major network vulnerabilities I have had to fix were caused by the introduction of poorly secured computers. It is a surprisingly common blunder.

Network-based information security attacks have been making the news with increased frequency throughout 2014.

Five ways to Guard your Privacy Against Security Breaches
11/13/2015

This year's IRS breach, in which a multi-step authentication process, including several personal verification questions, was bypassed to access the private information from 100,000 tax accounts, should serve as a clear reminder to take many steps to guard our online privacy. But protection against data breaches such as these requires more than just regularly changing passwords.

When it comes to protecting sensitive business and personal information, including bank accounts, consider the following advice:

~ Treat mobile banking as if it were a credit card.
~ Do not click on that link.
~ Use strong passwords.
~ Know that security questions are not really secure.
~ Monitor your credit on a regular basis.

Physical security: The overlooked domain
11/12/2015

As few as 15 years ago, if you mentioned security to someone in the business world, they would immediately think about alarm systems, badge readers and door locks. Some years back, I visited the Equifax Atlanta data center, entry to which required a retina scan and practically an act of Congress. Today, the focus is on logical security — threat management, breach detection, intrusion prevention, etc. With the threats we face today from all over the world, logical security is very important. Physical security has unfortunately been relegated to the realm of secondary concerns.

Fake Security Certificates: Google Reprimands Symantec Corporation
11/11/2015

When questioned about the same, Symantec said the certificates were only issued for testing purposes by its internal QA team and as such they did not constitute any risk to anybody. This pre-certificate was neither requested nor authorized by Google.

In September, the security firm also fired a number of its employees for errors in issuing certificates.

The Chocolate Factory discovered the rogue cert using its Certificate Transparency project, and it was furious: Google never gave Thawte permission to generate the certificates, and was irked by Symantec's sloppiness.

Following a debacle over misissued certificates, Google published a warning blog post to Symantec, essentially telling the company to step up its game or face further action from the tech giant.

In response, Symantec re-opened the investigation and uncovered an additional 164 test certificates that it issued for 76 domains it did not own and 2,458 certificates issued for domains that had not been registered.

Afghan Security Woes Continue Unabated
11/10/2015

President Obama recently announced a course correction relative to the U.S. troop reduction in Afghanistan. He is now convinced that the woes of the Afghan National Security Forces (ANSF) are far from over. In addition to recommendations from the commanders on the ground, the brazen takeover last month, albeit temporary, of the fifth largest Afghan city, Kunduz, undoubtedly influenced his reversal. There is also the issue of a repeat of what happened in Iraq. Many fault the president's decision to completely withdraw from Iraq as the reason for the emergence of ISIS. While that decision may have played a small role, ISIS was in the making for some time. President Obama does not want a similar situation in Afghanistan. Unlike Iraq, the Afghan government signed the Bilateral Security Agreement last year, making it possible for our troops to be in Afghanistan indefinitely.

One element of the ANSF is the Afghan Local Police (ALP), manned by local militias to defend the villages where they live against encroaching Taliban. This idea was tried in 1989 in Afghanistan and failed.

Implications of Cyber Insurance Policy
11/09/2015

The recent cyber-attack on TalkTalk has reinforced a common perception that cyber-attacks are the work of shadowy figures operating from bedrooms or basements, attempting to mimic the work of James Bond's arch rival, Spectre. The reality -- and a lesser known fact -- is that the majority of attacks (55 percent) involve insiders.

These insider-inspired attacks may not grab the headlines in the same way as attacks by 15 year-olds do -- in fact for obvious reputational reasons, they rarely make the newspapers at all -- but they do give the IT departments of the organizations that have suffered the attack just as big a headache.

So spending time building stronger internal defences would be time well spent. Unfortunately, the results of a survey that my company has just carried out would appear to show that this is not the case and that these IT departments could well be putting their own organizations at considerable risk.

For a growing number of companies, that risk could now have been shared with an insurance company, by taking out a cyber insurance policy.

Israel Model for Success
11/06/2015

Israel's famed 8200 cyber-security military unit is a crucible for the creation of leading-edge cyber security products. That is hardly surprising; there is unlikely to be any country, organization or enterprise that has a larger attack vector than Israel -- be it physical or virtual. And given that the vast majority of young people in Israel need to perform compulsory military service, you have a massive amount of talent coming through the unit. At the other end of that, many 8200 veterans go on to become a part of commercial cyber-security companies.

One company that has come out of the broader Israeli cyber-security space is Dome9. Dome9 is a public cloud security and compliance vendor which is focused on the orchestration of security policies, risk visualization and threat remediation. The company covers a number of different public clouds including Amazon Web Services (AWS), Windows Azure, and IBM Softlayer.

How to Release Vulnerabilities
11/04/2015

Security researchers and vendors have long been locked in a debate over how to disclose security vulnerabilities, and there’s little on which the two sides agree. Apparently this extends even to the question of whether they should meet to hash out their disagreements.

That is the conclusion after a coalition of security vendors, academics, lawyers, and researchers gathered at UC Berkeley on Tuesday to discuss how to improve the sometimes-hostile system for reporting software vulnerabilities.

But the diverse group of participants had a hard time even agreeing on the purpose of the meeting: Was it to draft a charter for best practices in reporting software vulnerabilities? Was it to reform parts of the Digital Millennium Copyright Act and Computer Fraud and Abuse Act to make them less hostile to researchers? Or was it to develop guidelines for companies interested in launching bug bounty programs?

Who Will Step Up To Secure The Internet Of Things?
11/03/2015

The Internet of Things (IoT) presents a significant mix of opportunity and risk. Compared to the connected devices of the past, the gazillions of new IoT devices that are being predicted for our homes, transportation, cities, medical devices and elsewhere represent a unique set of security challenges for both companies and their users.

They also offer a host of new and attractive opportunities for attackers.

To start, IoT devices significantly expand the attack surface. Hackers can easily purchase any IoT device, which will often contain the same security features of other, identical devices already deployed in hundreds or even thousands of homes. Unlike servers or networking equipment, which are usually hacked through remote access points and reside in protected and monitored environments, IoT devices are more accessible to malicious threat actors.

The widespread availability and proliferation of these devices means that once a device is compromised, it is very difficult for a company to flip a switch and update the millions of devices just like it sold around the world. It also means that hackers can use one insecure device to leapfrog their way into broader connected networks, allowing a single device to compromise sensitive data ranging from bank and health information to even access to broader corporate assets as the line between work and home continues to blur.

Three Security Best Practices for the Modern Era
11/02/2015

1. Change All Your Default Passwords on Network Infrastructure
Devices such as routers, switches and Web servers need more secure passwords. Chances are pretty good you have probably missed a few units, and now is the time to review your entire portfolio and make sure that you have not left any default passwords unchanged. This is the easiest way for a cybercriminal to enter your enterprise — and also the easiest way to beef up your security.

Make sure you check oddball network-attached devices such as cameras, printers and specialized equipment. If it has an IP address, it should have a unique password. This needs to be done when you acquire new equipment or make major changes to your infrastructure.

2. Do an Audit of Your Wi-Fi Access Points
There are numerous inexpensive tools that audit access points. The SANS Institute offered information on completing network audits using open-source tools, for example.

Chinese iPhone Users Targeted in latest App Store Security Breach
10/30/2015

Following a major attack on the iTunes App Store last month, security researchers have warned that iPhone and iPad users in China and Taiwan are still at risk from malicious software.

According to Palo Alto Networks' Unit 42 research team, a new malware family, dubbed YiSpecter, can affect both jailbroken and non-jailbroken Apple devices, meaning that all iOS users are potentially vulnerable.


