| |
|
|
| |
| Teleconferencing vendors defend product security features |
 |
Teleconferencing vendors say they're trying to strike the right balance between security and usability after security researchers found they could dial in to the conference lines of major companies and manipulate video cameras to spy on boardrooms. H.D. Moore and Mike Tuchen revealed their research for security company Rapid7 on Monday, detailing how easily attackers can secretly spy on boardrooms where conferencing systems have been left open to receive calls from anyone by default.The problem boils down to auto-answer, a feature in products from companies such as Cisco, LifeSize and Polycom that automatically connects incoming video or audio calls. Moore, who is chief security officer at Rapid7, wrote a program to scan for teleconferencing systems in which administrators left this feature enabled, a major security issue.Moore's scan covered about 3 percent of the addressable internet and found 250,000 systems using the H.323 protocol, a specification for audio and video calls. Moore said he found more than 5,000 organizations had left auto-answer enabled in products from vendors including Polycom, Cisco, LifeSize and Sony. Overall, the findings mean up to 150,000 systems across the internet could be vulnerable, according to Rapid7.Once inside a conference room, Rapid7 said that even cheap videoconferencing systems could allow a person to "read a six-digit password from a sticky note over 20 feet away from the camera.""In an otherwise quiet environment, it was possible to clearly hear conversations down the hallway from the video conferencing systems," Moore wrote on Rapid7's blog. "A separate test confirmed the ability to monitor a user's keyboard and accurately capture their password, simply by aiming the camera and using a high-level zoom."But if all of the security features of the various teleconferencing systems were enabled, Moore "couldn't imagine anyone would use the product to make a phone call" due to the complexity, he said in an interview.Companies often set up the systems outside their corporate firewall to make it easier, but that poses security risks. Deploying the systems inside a firewall can be difficult, as teleconferencing systems can use up to 30 different protocols in order to set up a call, which means firewalls have to be adjusted in order to let the calls come through, Moore said. [ Learn More ... ] |
|
| |
| U.S. government online security website hacked |
 |
Hackers under the AntiSec banner appeared to have hacked late Monday the website of OnGuardOnline.gov, the U.S. federal government's online security website, in protest against controversial legislation.In a message on the OnGuardOnline website and on Pastebin, the hackers threatened "a relentless war against the corporate internet", destroying what it said would be "dozens upon dozens" of government and company websites, if the Stop Online Privacy Act (SOPA), Protect IP Act (PIPA) and Anti-Counterfeiting Trade Agreement (ACTA) are passed.It also threatened to dump emails, passwords, bank accounts, and other information from the hacked websites. "We are sitting on hundreds of rooted servers getting ready to drop all your mysql dumps and mail spools," the Anonymous-affiliated hacker group said.OnGuardOnline.gov is a partnership of fourteen federal agencies managed by the U.S. Federal Trade Commission (FTC).FTC could not be immediately reached for comment on the hack of the security website. The website of web defacement archive, Zone-H was also defaced Monday, but it wasn't clear who was responsible.Earlier on Monday a video purported to be from Anonymous asked for people's support to launch a DDoS (distributed denial of service) attack using the Low Orbit Ion Cannon tool on Jan 28 on Facebook. AnonOps, an Anonymous account on Twitter, however said the threat to shut down Facebook was a fake. A similar threat against Facebook was made last year.Anonymous last week claimed responsibility for attacks on some government and company websites including those of Universal Music, the U.S. Department of Justice and the Recording Industry Association of America in retaliation for the government's removal of the Megaupload online storage and file-sharing websites. [ Learn More ... ]
|
|
| |
| How to profit from new domain name rules |
 |
A new era in Web site naming has begun, providing a golden opportunity for savvy IT professionals to go on the offensive with new domains that can capture additional Web traffic and generate new revenue.Under today's rules, names are available in 280 well-known categories, such as .com, .gov or country codes, like .de for Germany. Under the new rules, the Internet Corporation for Assigned Names and Numbers (ICANN) is accepting (between now and April 12) applications for new generic top-level domains (gTLDs), possibly as many as 1,000. Examples of possible new domains are: cities and regions (.paris), domains tied to specific interests (.music) or domains tied to companies and brands (.motorola).New era for Web site names beginsAccording to Jeremiah Johnston, general counsel at domain name re-seller Sedo.com, "Savvy network administrators can demonstrate added value to their company because they know how to have ancillary domain names forward captured traffic to the primary domain name and how to track that traffic. When the company then sees thousands of people coming to these other domains who are then forwarded to pages where they can actually take an action that generates revenue for the company, the company sees the profit in this remarkably underleveraged strategy."Known as a domain name portfolio, this use of a collection of domain names enables the capture of Internet traffic that would not normally make it to the organization’s web site. It is the 21st century version of adding stores in other towns to capture street traffic that doesn’t go near the original site. [ Learn More ... ] |
|
| |
|
|
|
|
