The FTC’s first Start with Security Conference, directed toward startups and developers, will begin at 10 a.m. PDT Wednesday in San Francisco, and will be webcast, an FTC news release said Tuesday. FTC Chairwoman Edith Ramirez and FTC Western Region Regional Director Tom Dahdouh will open the event, followed by panels on how startups can build a culture of security; how to test and review security applications using automated technology; how to respond to hackers; and how to implement security features like sitewide Secure Sockets Layer, Content Security Policy and multifactor authentication, said the event schedule. FTC Chief Technologist Ashkan Soltani will moderate a "fireside chat" with Accel Partner Arun Mathew on investing in security.
Google released Chrome v 45.0.2454.85 to address multiple vulnerabilities for Linux, Mac and Windows, said a U.S. Computer Emergency Readiness Team alert Tuesday. Exploitation of the vulnerabilities may allow an attacker to take control of an affected system, it said.
The Department of Homeland Security Science and Technology Directorate's fourth technology, a network anomaly-detection tool, has “successfully advanced through the Transition to Practice (TTP) program to the commercial market,” a DHS news release said Tuesday. Known as the PathScan technology, it was developed by Los Alamos National Laboratory, and “quickly detects the movements of hackers once they breach the network and allows operational teams to quickly defend network information,” the agency said. DHS Undersecretary-Science and Technology Reginald Brothers said innovative technology solutions are “key to keeping pace with today’s cyber threats,” and the TTP program bridges the gap between private sector and national labs to help transition lab technology to the commercial market. The technology has been licensed to Ernst & Young, said DHS.
Qualcomm Technologies announced Qualcomm Snapdragon Smart Protect, an app designed to provide real-time, on-device machine learning to detect zero-day malware threats on mobile devices. It will debut on the upcoming Qualcomm Snapdragon 820 processor. Smart Protect also will be the launch vehicle for Qualcomm’s Zeroth technology that works with conventional anti-malware solutions on real-time malware detection, classification and cause analysis using a cognitive computing behavioral engine, the company said Monday. Smart Protect analyzes and identifies new threats before signature updates, Qualcomm said. OEMs and mobile anti-malware app providers can also use Smart Protect’s application programming interface for analysis to receive real-time information on identified threats, it said. With consumers storing an increasing amount of personal information on their devices, data leakage incidents and malware are on the rise, said Asaf Ashkenazi, Qualcomm Technologies director-product management. Qualcomm is able to address the security issues because of its ability to “access lower layers of the software stack and dedicated security hardware to create a device-based, behavioral analysis approach for mobile security,” Ashkenazi said. The technology supports “deep on-device monitoring for nearly instantaneous notifications of detected privacy violations and malicious activity,” he said. Qualcomm is working with OEMs and mobile security providers Avast, AVG and Lookout to make Snapdragon Smart Protect capabilities available within commercial anti-malware apps, the company said. Smart Protect can enable operators to reduce incidents of fraudulent charges and network congestion associated with malware-infected devices, while consumers benefit from better protection of personal data, the company said. The technology has minimal impact on battery life, it said.
Despite the recent breach into infidelity site Ashley Madison (see 1508280041) and subsequent online posting of users’ sensitive information, “hundreds of thousands of new users signed up for the Ashley Madison platform -- including 87,596 women” last week, Ashley Madison parent Avid Life Media said in a news release Monday. As of Aug. 29, the Ashley Madison app is the 14th highest grossing app in the U.S. social networking category in the Apple App Store, it said. About 70 percent of the company’s revenue on any given day is from members making repeat purchases, it said. “Recent media reports predicting the imminent demise of Ashley Madison are greatly exaggerated.” In response to claims there are numerous fake female accounts created on the site to lure men into thinking their odds of having an affair are greater, the company said women sent more than 2.8 million messages within the platform last week, and the ratio of men who communicate with women is 1.2 to 1.
A domain masquerading as an official Electronic Frontier Foundation site has been tricking users into a false sense of trust and has been used in a spear phishing attack, in which emails appear to be from a familiar individual or business, wrote EFF Staff Technologist Cooper Quintin in a blog post Thursday. The domain, ElectronicFrontierFoundation.org, was registered Aug. 4, and it’s suspected of being used in the phishing attacks that began that same day, Quintin said. The domain “seems to be part of a larger campaign, known as ‘Pawn Storm’” that began a little more than a month ago and is thought to be associated with the Russian government, Quintin said. The domain has been reported for abuse, but was still active when Quintin wrote his blog post. As part of the phishing attack, an attacker "sends the target a spear phishing email containing a link to a unique URL on the malicious domain (in this case electronicfrontierfoundation.org)," Quintin said. When the user visits the URL, they are redirected to another unique URL that contains a "Java applet which exploits a vulnerable version of Java," he said. "Once the URL is used and the Java payload is received, the URL is disabled and will no longer deliver malware (presumably to make life harder for malware analysts)," Quintin said. "The attacker, now able to run any code on the user's machine due to the Java exploit, downloads a second payload, which is a binary program to be executed on the target's computer."
Cisco said it completed the purchase of cybersecurity firm OpenDNS. The $635 million deal, announced in late June (see 1506300068), “will advance Cisco's Security Everywhere approach by adding broad visibility, enforcement, and threat intelligence from the OpenDNS cloud-delivered platform,” Cisco said Thursday. The company began integrating OpenDNS’ platforms Thursday via an application programming interface that will allow customers of both companies’ services to immediately benefit from both the OpenDNS Umbrella service and Cisco’s AMP Threat Grid. “By integrating the OpenDNS platform with Cisco's security solutions, customers will receive greater network visibility and threat intelligence for cloud delivered protection against malicious websites and threats,” David Goeckeler, Cisco general manager-Security Business Group, said in a news release. OpenDNS CEO David Ulevitch is now Cisco Security Business Group vice president, Cisco said.
The Department of Defense issued a proposed interim rule on cyber incidents. It would amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a section of the National Defense Authorization Act for FY 2013 and a section of the National Defense Authorization Act for FY 2015, both of which require contractor reporting on network penetrations, said a DOD notice in Wednesday's Federal Register. “This interim rule requires contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor's ability to provide operationally critical support,” the Pentagon said. “Cyber incidents involving classified information on classified contractor systems will continue to be reported in accordance with the National Industrial Security Program Operating Manual.” Comments are due Oct. 26.
Minnesota customers of TerraCom's Lifeline services may be eligible for a year of free credit monitoring due to a data breach at the company, said a Tuesday news release from the Minnesota Department of Commerce and the Minnesota Public Utilities Commission. An investigation after a 2013 data breach found that TerraCom failed to protect consumers' personal information, the release said. The FCC did a similar investigation, finding that TerraCom's vendor stored customers' personal information on unprotected servers that were accessible over the Internet, the release said. The FCC reached a $3.5 million settlement with TerraCom and a related company in July (see 1507090035).
Consumer Watchdog asked the California Department of Motor Vehicles to amend its autonomous vehicle regulation to require police to investigate any crashes of robot cars being tested on public roads, a CW news release said Thursday. “Robot car accident reports are prepared and filed by the company doing the testing,” Consumer Watchdog Privacy Project Director John Simpson wrote in a letter to DMV Director Jean Shiomoto. “Relying solely on the word of the testing company is not adequate to protect the legitimate public interest in ensuring robot cars are tested safely.” The DMV also should require any data and video gathered by a robot car before and during a crash to be provided to the department, CW said. After personally identifying information is redacted, the video and data should be released to the public, it said. CW has been criticizing Google over the safety of autonomous cars (see 1406110040), with the company saying it's open to releasing driverless car accident reports (see 1506030036).