Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak:

  • I'm giving a book talk on Click Here to Kill Everybody at the Ford Foundation in New York City, on September 5, 2018.
  • The Aspen Institute's Cybersecurity & Technology Program is holding a book launch for Click Here to Kill Everybody on September 10, 2018 in Washington, DC.
  • I'm speaking about my book Click Here to Kill Everybody: Security and Survival in a Hyper-connected World at the Harvard Book Store in Cambridge, Massachusetts on September 11, 2018.
  • I'm giving a keynote on supply chain security at Tehama's "De-Risking Your Global Workforce" event in New York City on September 12, 2018.
  • I'll be appearing at an Atlantic event in Washington, DC on September 13, 2018.
  • I'll be speaking at the 2018 TTI/Vanguard Conference in Washington, DC on September 13, 2018.
  • I'm giving a book talk at Fordham Law School in New York City on September 17, 2018.
  • I'm giving an InfoGuard Talk in Zug, Switzerland on September 19, 2018.
  • I'm speaking at the IBM Security Summit in Stockholm on September 20, 2018.
  • I'm giving a talk on "Securing a World of Physically Capable Computers" at the University of Rochester in Rochester, New York on October 5, 2018.
  • I'm keynoting at SpiceWorld in Austin, Texas on October 9, 2018.
  • I'm speaking at Cyber Security Nordic in Helsinki on October 10, 2018.
  • I'm speaking at the Cyber Security Summit in Minneapolis, Minnesota on October 24, 2018.
  • I'm speaking at ISF's 29th Annual World Congress in Las Vegas, Nevada on October 30, 2018.
  • I'm speaking at Kiwicon in Wellington, New Zealand on November 16, 2018.
  • I'm speaking at the Digital Society Conference 2018: Empowering Ecosystems on December 11, 2018.
  • I'm speaking at the Hyperledger Forum in Basel, Switzerland on December 13, 2018.

The list is maintained on this page.


from Schneier on Security https://ift.tt/2C5FdHL

0patch releases micropatch for Windows Task Scheduler zero-day

Earlier this week a security researcher who goes by “SandboxEscaper” published details and a PoC exploit for a zero-day local privilege escalation vulnerability affecting Windows.

Microsoft has, so far, been cagey about when they will push a fix for it. In the meantime, those who don’t want to wait have one other option: implement a temporary micropatch (a tiny security patch that’s implemented in memory, while the software is running).

Get a micropatch

Acros Security, the company behind 0patch, has released a micropatch for the flaw that can be applied to fully updated 64-bit Windows 10 version 1803 and 64-bit Windows Server 2016.

“As far as we know at this point, the vulnerability was confirmed to also be present and exploitable on 32bit Windows 10 and 32bit Windows 7, so it’s safe to assume that at least all Windows versions from Windows 7 and Windows Server 2008 are likely affected. We can quickly port the micropatch to other affected versions but we’ll only do that on request,” noted Mitja Kolsek, the company’s CEO.

The micropatch will be effective even if the exploit is modified, he explained, as it changes the code to close the hole.

Still, he noted, this should be considered only a temporary fix. Microsoft’s update will not only fix this issue in a more informed way, but will also bring fixes for other vulnerabilities.

“When Microsoft makes their official fix available, you simply apply it as you would if you had never heard of 0patch. Applying it will automatically obsolete this micropatch on your computer as the update will replace a vulnerable executable with a fixed one, thereby changing its cryptographic hash. Since our micropatches are associated with specific hashes, this will make the micropatch inapplicable without intervention on either your end or ours,” he explained.

To implement the micropatch, users must download and launch the 0patch Agent installer, create a free 0patch account and register the agent to that account. “You will immediately receive all micropatches including this one, and it will automatically get applied to Task Scheduler,” he added.
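The hash binding Kolsek describes is worth seeing in code: a micropatch is tied to the cryptographic hash of one specific binary, so the moment a vendor update replaces that binary the hash changes and the patch stops applying on its own. The following is an added example, not the 0patch Agent's code; the registry layout, the patch id `MP-EXAMPLE-1` and the module name `vulnerable-service.dll` are constructed assumptions.

```python
"""Hash-bound patch applicability.

Added example, not the 0patch Agent's code: the registry layout, the patch
id and the module name below are constructed assumptions. A micropatch is
bound to the SHA-256 of one specific build, so a vendor update that
replaces that build changes the hash and makes the patch inapplicable
without any action on the user's side.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Micropatch:
    patch_id: str        # hypothetical identifier
    module: str          # file name of the binary the patch targets
    target_sha256: str   # SHA-256 of the exact build the patch was written for
    description: str


def sha256_of_file(path):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def applicable_patches(path, registry):
    """Return the patches whose target hash matches the binary on disk.

    A patch written for another build of the same module is deliberately
    not returned: it modifies code at fixed offsets, so applying it to a
    different build could corrupt the process instead of fixing it.
    """
    digest = sha256_of_file(path)
    name = os.path.basename(path).lower()
    return [p for p in registry
            if p.module.lower() == name and p.target_sha256 == digest]


def build_registry(vulnerable_build):
    """Registry holding one constructed patch, bound to the hash of the
    constructed vulnerable build."""
    return [Micropatch(
        patch_id="MP-EXAMPLE-1",                  # constructed
        module="vulnerable-service.dll",          # constructed
        target_sha256=hashlib.sha256(vulnerable_build).hexdigest(),
        description="closes the hole in the constructed vulnerable build",
    )]


def demo():
    """Simulate the lifecycle: the patch applies to the vulnerable build, then
    the vendor update overwrites the binary and the patch no longer applies.
    Returns (patches applicable before the update, patches applicable after)."""
    vulnerable_build = b"MZ...constructed vulnerable build..."
    fixed_build = b"MZ...constructed fixed build..."
    registry = build_registry(vulnerable_build)
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "vulnerable-service.dll")
        with open(binary, "wb") as f:
            f.write(vulnerable_build)
        before = len(applicable_patches(binary, registry))
        # The official update replaces the executable with a fixed one.
        with open(binary, "wb") as f:
            f.write(fixed_build)
        after = len(applicable_patches(binary, registry))
    return before, after


if __name__ == "__main__":
    print("applicable before/after vendor update:", demo())
```

The same property is what makes a micropatch safe to leave installed: once the official update lands, the registry lookup simply finds nothing to apply, which is the "automatically obsolete" behaviour described above.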

What’s the deal with micropatching?

Creating patches is a long and complex process.

They have to be comprehensive and they have to be ported to all supported software versions. They also have to be extensively tested before being deployed. Finally, they can still result in problems after deployment and the changes may be difficult to revoke.

Creating micropatches is a much quicker and more focused process, and disruption to regular operations is minimized.

With 0patch, Acros Security aims to fix 0-days and unpatched vulnerabilities, and to provide patches for end-of-life and unsupported products, legacy operating systems, vulnerable third-party components and customized software.


from Help Net Security https://ift.tt/2PYwI4a

How lucrative is web-based cryptojacking?

One in 500 of the one million most visited websites (according to Alexa) contains a web-based cryptominer that starts mining as soon as the page is opened in the browser, researchers from the Braunschweig University of Technology have found.

Still, despite not being rare, web-based cryptojacking is not hugely lucrative.

“Based on the configuration of typical desktop computers and statistics about website visits, we estimate the revenue generated by individual miners in the Alexa ranking at a range of a few cents up to 340 USD per day under the current price of the respective cryptocurrencies,” they say.

The rise of cryptojacking

Memory-bound cryptocurrencies like Monero, Bytecoin and Electroneum don’t require dedicated mining rigs – they can be easily and profitably mined on regular computer systems.

But cryptojackers don’t want to use their own computers and pay for the tech and electricity and, since the advent of CoinHive and similar web-based cryptominers, they don’t have to.

These cryptominers work on all major browsers and the mining script can even be injected into web pages on the fly through compromised routers.

Is it worth it?

The revenue of a cryptojacking campaign depends on how aggressively the miner occupies the visitor’s CPU cores. But if the mining is too aggressive, users are bound to notice and put a stop to it (e.g., by leaving the website).

Taking the 10 most profitable sites hosting mining code as an example, the researchers estimated that they generate between 0.53 and 1.51 Monero per day, i.e., between 119 and 340 USD (at the time).

While it’s not much, given that the revenue is achieved without any cost to the miner, this is still a notable profit.

“However, we conclude that current cryptojacking is not as profitable as one might expect and the overall revenue is moderate,” the researchers noted.

How to stop it?

The researchers found that the existing blacklist-based approaches used by web browsers are trivial to evade, and that the lists go out of date quickly.

Instead of static blacklists, they leveraged a set of heuristic indicators for candidate selection and a dedicated performance measurement step for precise miner identification. But, however suitable this approach is, they pointed out that it likely works well only because today’s mining operators don’t anticipate it.

As the only reliable indicator of active mining is prolonged and excessive CPU usage, their advice for browser makers is to implement CPU allotments for tabs.

“As soon as a tab runs out of its quota, the browser could take actions, such as throttling the tab’s scripts or warning the user,” they explained.
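The per-tab CPU allotment the researchers suggest is easy to prototype as a sliding-window budget. The block below is an added example written for this page, not code from the paper or from any browser: the 30-second window, the 12 CPU-second quota, the warn threshold and the two constructed usage series (a page that spikes while loading, and one that keeps a core busy for the whole session) are all assumptions chosen to show the difference between a burst and sustained use.

```python
"""Per-tab CPU allotment as the researchers suggest for browser makers.

Added example, not from the paper or any browser: the window length, the
quota and the CPU samples are constructed assumptions. Each tab gets a
budget of CPU-seconds per sliding window; a tab that burns through its
budget is flagged for throttling, and one approaching it gets a warning.
A legitimate page load spikes briefly and then idles, so it stays within
budget, while a miner keeps the CPU busy for as long as the tab is open.
"""
from collections import defaultdict, deque


class TabCpuBudget:
    """Sliding-window CPU budget per tab (window and quota are assumptions)."""

    def __init__(self, window_s=30, quota_cpu_s=12.0, warn_fraction=0.75):
        self.window_s = window_s
        self.quota = quota_cpu_s
        self.warn_at = warn_fraction * quota_cpu_s
        self.history = defaultdict(deque)   # tab -> deque of (t, cpu_seconds)

    def record(self, tab, t, cpu_fraction):
        """Record one 1-second sample (fraction of a core used) and return
        the action the browser should take right now."""
        q = self.history[tab]
        q.append((t, cpu_fraction))          # a 1 s sample costs cpu_fraction CPU-seconds
        while q and q[0][0] <= t - self.window_s:   # drop samples outside the window
            q.popleft()
        used = sum(c for _, c in q)
        if used > self.quota:
            return "throttle"
        if used > self.warn_at:
            return "warn"
        return "ok"


def constructed_samples(seconds=60):
    """Constructed per-second CPU usage for two tabs: a news page that spikes
    for 3 s while loading and then idles, and a page carrying a miner that
    pins about 90% of a core for the whole session."""
    for t in range(seconds):
        yield ("news", t, 0.9 if t < 3 else 0.05)
        yield ("miner", t, 0.9)


def evaluate(samples=None, budget=None):
    """Run the samples through the budget; return, per tab, the final action
    and the first timestamp at which throttling was triggered."""
    budget = budget or TabCpuBudget()
    report = {}
    for tab, t, cpu in (samples if samples is not None else constructed_samples()):
        action = budget.record(tab, t, cpu)
        entry = report.setdefault(tab, {"action": "ok", "first_throttle": None})
        entry["action"] = action
        if action == "throttle" and entry["first_throttle"] is None:
            entry["first_throttle"] = t
    return report


if __name__ == "__main__":
    for tab, r in evaluate().items():
        print(f"{tab:6s} final={r['action']:8s} first_throttle={r['first_throttle']}")
```

With these constructed numbers the miner tab exceeds its quota 13 seconds in and stays throttled, while the news tab never leaves "ok" because its load burst is small relative to the window. The window length is the real design knob: too short and a heavy but legitimate script (a video decoder, a game) is flagged; too long and a miner that backs off periodically slips under the threshold.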


from Help Net Security https://ift.tt/2wupuwn

New infosec products of the week: August 31, 2018

Moogsoft announces Observe expanding its AIOps platform capabilities

Moogsoft Observe ingests time-series and metrics data in real-time and applies AI to detect incidents at the source of the problem. Observe stores anomalous and contextual data, giving IT teams knowledge to improve their online services and applications while lowering data transport, ingestion, and storage costs.

Inseego launches new IoT cloud solution for Industrial IoT applications

Inseego announced the availability of its all-new, enterprise-grade Inseego IoT Connect solution. The intelligent device-to-cloud management platform optimizes Industrial Internet of Things (IIoT) use cases. Its user-friendly, service provider agnostic design allows IT managers and systems integrators to simplify management of assets across an enterprise.

TP-Link introduces AC2600 Wi-Fi router with enhanced security

TP-Link announced the upcoming launch of the Archer C2700, a next level AC2600 Dual-Band WiFi Router that utilizes Intel technology to provide WiFi at speeds up to 1733Mbps on the 5GHz band and 800Mbps on the 2.4GHz band. TP-Link HomeCare comes with antivirus, parental controls and QoS, helping to protect data and IoT devices from intruders. A security database updates automatically to keep the home safe from the latest cyber threats.

SevOne expands SD-WAN Monitoring Solution by adding support for VMware NSX SD-WAN

Based on the SevOne Data Platform, the SD-WAN Monitoring Solution, released earlier this year, increases operational agility of MSPs offering network services over their networks. The SevOne solution, scheduled for release in calendar Q4, will deliver the visibility into enterprise and service provider networks with dashboards for network operations/engineering, product owners and business executives.


from Help Net Security https://ift.tt/2onFGLA

Wireshark can be crashed via malicious packet trace files

The Wireshark team has plugged three serious vulnerabilities that could allow an unauthenticated, remote attacker to crash vulnerable installations.

According to Cisco researchers, proof-of-concept (PoC) code that demonstrates an exploit of each of the vulnerabilities is publicly available.

About the Wireshark DoS vulnerabilities

Wireshark is the world’s most popular network protocol analyzer. The software is free and open source.

The vulnerabilities – CVE-2018-16056, CVE-2018-16057 and CVE-2018-16058 – affect three components of Wireshark: the Bluetooth Attribute Protocol (ATT) dissector, the Radiotap dissector, and the Audio/Video Distribution Transport Protocol (AVDTP) dissector, respectively.

All three vulnerabilities can be exploited by injecting a malformed packet into a network that the affected application processes, or by convincing a targeted user to open a malicious packet trace file.

“The attacker may use misleading language and instructions to convince a user to open a malicious packet trace file. To inject malformed packets that the Wireshark application may attempt to parse, the attacker may need access to the trusted, internal network where the targeted system resides,” Cisco researchers have noted, and added that this access requirement may reduce the likelihood of a successful exploit.

Wireshark users are urged to upgrade to one of the fixed versions: 2.6.3, 2.4.9, or 2.2.17 (available for download here).

Cisco also advises them to use firewalls and antivirus apps to minimize the potential of inbound and outbound threats, and to allow only trusted users to have network access and trusted systems to access the affected systems.
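Both attack paths above come down to the same thing: a dissector is handed bytes it did not produce and must not trust. The block below is an added example, not Wireshark code and not tied to the three CVEs (the article gives no details of them); it shows the discipline a capture-file reader needs before any dissector sees a byte, namely checking every length the file claims against the snapshot length, the original length and the bytes actually present. The constant `MAX_SNAPLEN` and the constructed sample files are assumptions for this example.

```python
"""Defensive reader for untrusted libpcap capture files.

Added example, not Wireshark code and not tied to the three CVEs above
(their details are not given here). Every length claimed by the file is
checked against the snapshot length, the original length and the bytes
actually present, and an inconsistent file is rejected with a reason
instead of being trusted. MAX_SNAPLEN is a sanity cap chosen for this
example, not Wireshark's limit.
"""
import struct

MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # 0xa1b2c3d4 written by a little-endian host
MAGIC_BE = b"\xa1\xb2\xc3\xd4"   # the same magic written by a big-endian host
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
MAX_SNAPLEN = 262144             # assumption: reject claims beyond 256 KiB per packet


def parse_pcap(data):
    """Return a list of (timestamp, payload) or raise ValueError on the first
    inconsistency. Nothing is sliced before its length has been checked."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated global header")
    if data[:4] == MAGIC_LE:
        end = "<"
    elif data[:4] == MAGIC_BE:
        end = ">"
    else:
        raise ValueError("unknown magic number %s" % data[:4].hex())
    ver_major, ver_minor, _tz, _sigfigs, snaplen, _linktype = struct.unpack(
        end + "HHiIII", data[4:GLOBAL_HEADER_LEN])
    if ver_major != 2:
        raise ValueError("unsupported pcap version %d.%d" % (ver_major, ver_minor))
    if snaplen == 0 or snaplen > MAX_SNAPLEN:
        raise ValueError("implausible snaplen %d" % snaplen)

    packets = []
    off = GLOBAL_HEADER_LEN
    while off < len(data):
        if len(data) - off < RECORD_HEADER_LEN:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            end + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        # The checks a crafted file is most likely to violate.
        if incl_len > snaplen:
            raise ValueError("record at %d claims %d bytes, above snaplen %d"
                             % (off, incl_len, snaplen))
        if incl_len > orig_len:
            raise ValueError("record at %d has incl_len %d > orig_len %d"
                             % (off, incl_len, orig_len))
        if incl_len > len(data) - off:
            raise ValueError("record body at %d runs past end of file" % off)
        if ts_usec >= 1_000_000:
            raise ValueError("record at %d has out-of-range microseconds %d" % (off, ts_usec))
        packets.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return packets


def validate(data):
    """'ok' if the file is internally consistent, otherwise the rejection reason."""
    try:
        parse_pcap(data)
        return "ok"
    except ValueError as exc:
        return "rejected: %s" % exc


def build_pcap(payloads, snaplen=65535, claimed_len=None):
    """Construct a little-endian pcap file for the examples. claimed_len lets
    a sample lie about incl_len the way a crafted file would."""
    header = MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, 1)
    body = b""
    for i, p in enumerate(payloads):
        incl = len(p) if claimed_len is None else claimed_len
        body += struct.pack("<IIII", i, 0, incl, len(p)) + p
    return header + body


# Constructed inputs: a consistent two-packet file, a file whose record
# claims 4 GiB of data, and the consistent file cut short by 10 bytes.
GOOD_PCAP = build_pcap([b"\x00" * 14 + b"\x45\x00", b"\xff" * 60])
BAD_OVERSIZED = build_pcap([b"\x41" * 8], claimed_len=0xFFFFFFFF)
BAD_TRUNCATED = GOOD_PCAP[:-10]

if __name__ == "__main__":
    for name, blob in [("good", GOOD_PCAP), ("oversized", BAD_OVERSIZED),
                       ("truncated", BAD_TRUNCATED)]:
        print(name, "->", validate(blob))
```

The container-level checks are only the first layer; each per-protocol dissector then has to apply the same discipline to the fields inside the payload it is handed, which is where the three fixed dissectors live.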


from Help Net Security https://ift.tt/2NCXtcC

EU telecoms suffered 169 major security incidents in 2017

ENISA, the EU’s agency for network and information security, has released a report on major telecom security incidents that occurred in the EU in 2017.

About the report

Electronic communication providers in the EU have to report significant security incidents to the national telecom regulatory authorities (NRAs) in 28 EU Member States, Norway and Switzerland.

The providers are currently required to report incidents causing disruptions to fixed and mobile telephony, fixed and mobile Internet access, and other services, but will soon also be required to report other security breaches (e.g., confidentiality breaches).

Every year, the NRAs report summaries about the most significant incidents, based on a set of agreed thresholds. ENISA’s report gives an aggregated overview of these summaries.

Key findings

There were 169 major telecom security incidents in 2017. Of these:

  • 62.1% were due to system failures (hardware failures, software bugs or faulty software updates).
  • 18.3% were caused by human errors.
  • 17.2% were caused by natural phenomena.
  • 2.4% were caused by malicious actions (e.g., a DoS attack disrupting the service, cable theft).

Most incidents affect mobile telephony and mobile internet, and these incidents affect, on average, the most users.

In 2017, human error was the root cause category with the most users affected per incident (around 1.2 million user connections on average), and incidents caused by natural phenomena had by far the longest average recovery time (96 hours, vs. 13 hours for human errors and system failures) and the highest number of user hours lost.

These extraordinary results for incidents due to natural phenomena are an exception, the agency says, as they are due to last year’s wildfires. But natural phenomena will continue to be a concern for telecom providers across the EU, with extreme weather becoming more common due to climate change.

Incidents caused by malicious actions are rare. Only a small percentage of reported incidents (2.5% in 2017) was categorized as caused by malicious actions, and this percentage halved compared to the previous year (5.1% in 2016).

How incident reporting helps providers

“The incident reporting that you see in this report is the tip of the iceberg – in a positive sense. The fine-grained incident reporting that happens at a national level is really what is driving supervision,” say Ilias Bakatsis and Marnix Dekker, the authors of the report.

“Incident reports trigger a conversation between the national regulator and the sector, about what causes outages and what can be done to prevent them. Of course, the bulk of the incidents, the daily issues, are often uninteresting: something broke, a software bug, etc. Telecom providers deal with such issues on a daily basis. But sometimes you do see interesting issues pop up. Like for instance the issue with accidental cable cuts by machinery which was reported frequently some years ago. Many EU countries now have platforms and tools that help to avoid such cable cuts, often set up as public-private partnerships.”

Steve Purser, head of the operations department at ENISA, says that the report shows that when you strike the right balance, breach reporting can be very useful, not only for the regulatory authorities and the policy makers but also for the private sector itself.

“Of course the incident reporting in itself does not solve any problems, but it does give a good indication of where effort needs to go in terms of preventing future incidents. One of the major learning points from this report (and previous reports) is that the causes of major outages are rarely malicious but are due to more mundane issues such as poorly written software or incorrect configuration,” he notes.


from Help Net Security https://ift.tt/2LHxmQc

Lenovo and Pivot3 optimize smart city security

Lenovo and Pivot3 announced a strategic partnership to develop, market and sell a new set of edge computing solutions optimized for mission-critical smart city security.

The integrated appliances feature Lenovo Data Center Group (DCG) ThinkSystem servers powered by Pivot3 HCI software.

Much of the smart city market growth is being driven by mission-critical security initiatives which rely on information collated from an array of city sensors and databases combined with video data and analytics including facial recognition, behavioral analysis, license plate recognition and other intelligence.

According to IHS Markit, the global market for security equipment in the city surveillance sector has surpassed $3 billion in 2017 and is expected to grow at an average rate of 14.6 percent through 2021.

Collecting, analyzing, storing and acting on all this information in real-time relies on the latest advances in edge computing.

The Lenovo/Pivot3 solution provides this growing market with resilient, cost effective and easy-to-manage edge computing.

“Together Lenovo and Pivot3 are enabling the next generation of edge computing, where governments and organizations can leverage machine learning and analytics to better protect the people they serve,” said Wilfredo Sotolongo, vice president and general manager of IoT at Lenovo Data Center Group.

“Through this partnership, we provide customers a solution to centrally manage their distributed edge devices – with faster video ingest rates, higher resiliency and smaller, space conscious appliances.”

“We are thrilled to team up with Lenovo, a partner and industry leader that shares our commitment to supporting the evolving data center,” said Bruce Milne, chief marketing officer and general manager, Lenovo Alliance, Pivot3.

“Pivot3 and Lenovo support customers with streamlined service delivery, automation and efficiency. Customers are seeing incredible impact from our HCI solutions that are optimized for mission-critical safe city, IoT and edge computing, and we’re pleased to further expand that impact with Lenovo’s market influence, distribution and accelerated go-to-market strategies.”

Among the growing customer base is the City of Bogotá, Colombia, which needed to refresh its monitoring system of over 1,000 cameras from different vendors.

The City of Bogotá is deploying a Lenovo/Pivot3 edge computing solution to achieve infrastructure efficiency and scale the entire security network into a central control center, out of which at least four visualization locations operated by police will be served.

With this new deployment in edge computing, the City of Bogotá is now able to scale performance requirements as surveillance needs grow.

Following this initial deployment for the City of Bogotá, the suburbs of Bogotá chose the combined Pivot3-Lenovo technology for another 2,000 cameras located across the city’s 18 boroughs.

“With this new scalable edge computing solution, the city’s security team can view any camera, regardless of brand across the city from a single location, which will greatly simplify operations,” said Rafael Padilla, systems integrator, City of Bogotá Safe City Project.

The new Lenovo/Pivot3 solution is currently available and installed in markets across the globe.

Testing is also available at Lenovo’s Innovation Centers, where customers and partners can gain real-time insight into how the IoT solutions can perform within their environments, workloads and data.


from Help Net Security https://ift.tt/2CazsZ4

Vault, QuintessenceLabs and Ziroh Labs to create encryption to secure government data

Vault will collaborate with QuintessenceLabs and Ziroh Labs with the aim of creating a secure and scalable package for enterprise file synchronisation and sharing (EFSS) systems hosted in a secure environment.

Vault and QuintessenceLabs, based in Canberra, were recently awarded a slice of the $3 million 2017–18 Project Fund from AustCyber to advance Australia’s position in innovation and cybersecurity.

The consortium will bring together QuintessenceLabs’ quantum key generation and management with Vault’s ‘protected’ cloud.

Vault is also bringing on board Ziroh Labs’ homomorphic encryption technology, which will be a critical piece of a collaborative solution and will support an always encrypted paradigm.

“Cyber security is a strategic priority for Australia, as much for our national security as our economic prosperity. By supporting cyber security projects led by innovative Australian companies, we are raising the benchmark of capability development in the country and giving the Australian community increased confidence that their information is safe and secure,” said Michelle Price, CEO of AustCyber.

“It’s positive to see the Australian Government investing in the future of technology and cybersecurity by supporting the collaboration of three Australian companies,” said Tony Marceddo, General Manager at Vault.

“It’s critical that we continue to research new ways in which we can protect and secure Australians’ personal data. By combining Ziroh’s homomorphic encryption, QuintessenceLabs’ quantum key generation and Vault’s protected cloud we plan to create a unique solution for the global security landscape.”

Ziroh’s homomorphic encryption secures files while they are at rest, ensuring they are encrypted all the time.

QuintessenceLabs is using quantum key generation to create keys that will secure the homomorphic encrypted files.

Quantum key generation addresses computers’ inability to generate truly random passwords and keys. To add another layer of security, the file is then stored on Vault’s ASD-certified ‘protected’ cloud.

Aninda Sen, Co-founder and VP for ANZ at Ziroh Labs said, “Organisations and individuals are constantly sharing critical information, whether that be a username and password or mobile banking information. In every interaction, protection of people’s data must be a priority. If we can integrate homomorphic encryption, quantum key generation and secure cloud we can guarantee that Government and businesses will have the most secure system available.”

“Through our quantum key generation we are able to create a key that has the highest standards of security possible. Vault, Ziroh Labs and QuintessenceLabs have three outstanding security solutions that work really well on their own. Bringing them together will be a great achievement for the Australian technology sector. We are creating a solution that has three levels of some of the most advanced security solutions available,” said Vikram Sharma, Founder and CEO at QuintessenceLabs.

Through its Projects Fund, AustCyber funds collaborative cyber security projects that address the Industry Knowledge Priorities from its Sector Competitiveness Plan.


from Help Net Security https://ift.tt/2wtwOIK

Moogsoft announces Observe expanding its AIOps platform capabilities

Moogsoft announced the launch of Moogsoft Observe. This technology extends Moogsoft’s core AIOps platform capabilities from centralized analytics outwards to the data source, providing IT teams with visibility and observability of customer-impacting problems wherever they occur.

Moogsoft Observe is the technology that ingests time-series and metrics data in real-time and applies AI to detect incidents at the source of the problem.

Observe stores anomalous and contextual data, giving IT teams knowledge to improve their online services and applications while lowering data transport, ingestion, and storage costs.

Without requiring data lakes or data scientists to operate, Observe can be used by IT generalists including site reliability engineers and DevOps.

“With Observe, we’re advancing the capabilities of AIOps to help IT teams better manage their services and applications in the face of a massive proliferation and decentralization of data,” said Phil Tee, CEO of Moogsoft.

“Unlike other tools, Observe enables IT and DevOps teams to detect problems wherever their customers are, and allows them to identify the root cause for service disruptions sooner without the cost, complexity, and delays of collecting and analyzing all the data in a centralized location.”

Moogsoft Observe is powered by a new suite of algorithms developed for the IT use cases in the world’s enterprise environments.

By ingesting and analyzing data at the source and storing anomalous and contextual data centrally, Observe enables analysis of data but at a lower cost and with reduced latency — reducing the time to detect a problem by up to 60 percent and cutting nearly 90 percent of the storage and communication costs per bit of information.

“In our pure cloud and agile environments, we need a solution that could perform anomaly detection and proactively notify us that something’s wrong — putting people in front of dashboards isn’t an option anymore,” said Eli Chen, CTO of UJET, which beta-tested Observe.

“Moogsoft’s AI-centric approach to the problem and extending it to time-series data analysis with its Observe offering is exactly the right approach to that problem.”

Built for the enterprise, Observe is a single-agent technology that can operate across all environments, including cloud instances, workloads, and containers, as well as on-premises systems and applications.

Observe is an extension of the Moogsoft AIOps platform but can be deployed independently. An early access beta program will be available this November.

Additionally, Moogsoft announced that version 7.0 of the Moogsoft AIOps platform will be available this October.

This release introduces Vertex Entropy and Situation Topology Visualization — two AI-based technologies that help IT teams understand the root cause of any problem through a system topology map.

Together, Vertex Entropy and Situation Topology Visualization provide insights into the root cause of any problem and visibility into the relationships across IT processes, applications, and devices.


from Help Net Security https://ift.tt/2PTqB0T

Thursday, August 30, 2018

The anatomy of fake news: Rise of the bots

Spreading misinformation has become a mainstream topic to the extent that even ‘Twitter bot’ is a well-recognised term that has established itself in the modern lexicon. Whilst the term is well known, it can be argued that the development and inner workings of Twitter bots are less well understood.

Indeed, even identifying accounts that are bots is considerably more difficult, and with good reason, since their objective of appearing to be legitimate interactions requires constant refinement. This continuous innovation by botnet operators is necessary as social media companies get better at identifying automated accounts.

A recent study conducted by Social Safeguard analysed the impact and techniques leveraged by such bots, and in particular looked at bots attributed to Russian disinformation campaigns on Twitter. The concept of bot armies is challenged in the research: of the 320,000 accounts identified, the bots were divided into thematic categories presenting both sides of the story.

These bot battalions were activated wherever insertion or manipulation of a particular message was needed, but perhaps more fascinating is their effectiveness. Assumptions that a particular account would simply flood the conversation are not necessarily true.

Whilst the bots will often take both sides of the story to spur debate, their effectiveness is remarkable. Leveraging a system of amplification nodes, as well as testing messaging (including hashtags) to determine success rates, the botnet operators demonstrate a real understanding of how to manipulate popular opinion on critical issues.

In one example, an account that was only two weeks old, with 279 followers, most of which were bots themselves, began a harassment campaign against an organization. By leveraging a model of amplification, the account had generated 1,500 followers in only four weeks by simply tweeting malicious content about its target. Whilst their activities to manipulate popular opinion have been well documented, a recent campaign shows that cybercriminals can use this expertise to extort companies into paying for protection from such practices.

Ransomware has been criminals’ way of extorting victims by holding data hostage; this new trend demonstrates that reputations are now firmly in their sights. With existing battalions of bots already well versed in manipulating conversations to drive political agendas, it is clear that turning their attention to individual companies represents a very concerning practice.


from Help Net Security https://ift.tt/2PnE13Z

80% of enterprises struggle to protect machine identities

Ninety-six percent of companies believe that effective protection of machine and human identities is equally important to the long-term security and viability of their companies, according to a new study conducted by Forrester Consulting. However, eighty percent of respondents struggle with the delivery of important machine identity protection capabilities.

The study focused on enterprise machine identity protection challenges and included responses from 350 senior IT security professionals who are responsible for their organizations’ identity and access management from the U.S., U.K., Germany, France and Australia.

“It is shocking that so many companies don’t understand the importance of protecting their machine identities,” said Jeff Hudson, CEO of Venafi. “We spend billions of dollars protecting user names and passwords but almost nothing protecting the keys and certificates that machines use to identify and authenticate themselves. The number of machines on enterprise networks is skyrocketing and most organizations haven’t invested in the intelligence or automation necessary to protect these critical security assets. The bad guys know this, and they are targeting them because they are incredibly valuable assets across a wide range of cyber-attacks.”

Nearly half (forty-seven percent) believe protecting machine identities and human identities will be equally important to their organizations over the next 12 to 24 months, while nearly as many (forty-three percent) think machine identity protection will be more important.

Seventy percent admit they are tracking fewer than half of the most common types of machine identities found on their networks. When asked which specific machine identities they track:

  • Just fifty-six percent say cloud platform instance machine identities
  • Only forty-nine percent say mobile device machine identities
  • Only forty-nine percent say physical server machine identities
  • Only twenty-nine percent say SSH keys
  • Only a quarter (twenty-five percent) say machine identities of microservices and containers.

Sixty-one percent say their biggest concern regarding poor machine identity protection management is internal data theft or loss.

Managing user and machine identities and privileged access to business data and applications is an enormous undertaking that has serious security ramifications. Traditionally, the focus for identity and access management (IAM) programs has been people-centric, but recent increases in the number of machines on enterprise networks, shifts in technology and new computing capabilities have created a set of challenges that require increased focus on protecting machine identities.


from Help Net Security https://ift.tt/2wDgXa2

How to Do Laundry If You Are Bad at Laundry

So you’re bad at laundry. Maybe you’ve been able to come home from college every weekend lugging a bag of dirty clothes like Santa, or maybe you never fully recovered from that lipstick-in-the-dryer incident of ‘08. We’re not here to judge. We’re here to help. In this final episode of Lifehacker’s Summer of Adulting series, we go over some laundry basics.

Find out:

  • How to know if something is dirty enough to be washed
  • When to separate whites and brights
  • What water temperature to choose
  • A dryer trick to make your clothes fluffier
  • How to put your clean clothes away so that you maximize closet and drawer space

If you missed our episodes on kitchen essentials, home decorating or emergencies, check them out. Thanks for tuning into the series! And welcome to the real world.


from Lifehacker https://ift.tt/2LGg1Ho

Yahoo woos advertisers with email scanning for targeted ad delivery

While most tech companies that offer free email services are moving away from email scanning as a source of information for advertisers to target users more efficiently, Oath – the Verizon subsidiary that manages AOL and Yahoo and its webmail offerings – plans to continue with the practice.

In fact, as Doug Sharp, Oath’s VP of data, measurements and insights told The Wall Street Journal, the practice “has become one of the company’s most effective methods for improving ad targeting.”

About the email scanning

Oath scans only commercial and promotional emails, he said, and uses the information to profile people by interests and place appropriate cookies on their computers, which then allow advertisers to target users who visit websites owned by Oath (Engadget, HuffPost, TechCrunch, Yahoo! News, etc.).

For example: if users receive in their inbox receipts for Netflix or other streaming services, they will likely be the right target for ads for new movies or shows. Or, if they receive confirmations for airplane tickets they bought, they can be targeted with ads for hotels or other offerings at that destination.

This shouldn’t come as a surprise to AOL Mail and Yahoo Mail users, as Oath noted in its updated privacy policy earlier this year that it will be scanning and analyzing emails, instant messages, attachments, and other communications so that it can “deliver, personalize and develop relevant features, content, advertising and Services.”

The scanning is performed by automated systems, which strip out personally identifying information before humans can look at user data.

It’s good to note that the scanning is not limited to the free email offerings – paying customers’ inboxes are also fair game. But, if they wish to, users can opt out of the scanning.

Privacy controls for legacy Yahoo and AOL products can be found here. Go to Ad Interest Manager > Your Advertising Choices > On Yahoo > choose “Opt Out” for Yahoo and “Opt-Out of interest-based advertising” for AOL.

(By the by, privacy dashboards for Oath’s various digital offerings can be found here.)

Will the choice pay off?

Tech-based privacy scandals have been coming thick and fast in the last couple of years, and tech companies are under increased scrutiny when it comes to protecting user privacy and that of their communications.

Google moved away from email scanning for ad-serving purposes a year ago, as it can collect similar information through Google Search and YouTube.

Oath (and Verizon) are obviously not too worried about getting it wrong, but it remains to be seen whether advertisers will find Oath’s offer enticing.

After all, Yahoo Mail hosts only 200 million accounts, a rather small number when compared to the 1.4 billion Gmail users, and the number of AOL Mail users is smaller still: in 2017, it was apparently around 25 million.


from Help Net Security https://ift.tt/2MAIx2p

Inseego launches new IoT cloud solution for Industrial IoT applications

Inseego announced the availability of its all-new, enterprise-grade Inseego IoT Connect Solution.

The intelligent device-to-cloud management platform optimizes Industrial Internet of Things (IIoT) use cases.

Its user-friendly, service provider agnostic design allows IT managers and systems integrators to simplify management of assets across an enterprise.

Inseego’s recently launched Skyus portfolio, coupled with Inseego IoT Connect and enterprise-level support, creates the all-in-one IIoT solution offering for demanding enterprise use cases including SD-WAN failover environments, digital signage and kiosk connectivity, and utilities infrastructure management.

Inseego IoT Connect: Deep insight, customizable, secure

  • The enterprise-grade platform supports millions of devices, sensors and machines, connecting them with plug-and-play simplicity in an IT and user-friendly interface.
  • Inseego IoT Connect is engineered with the latest intelligence features that are designed for easy integration into both present and future IT/IoT environments, such as customizable dashboards, remote updates from one dashboard, secure configuration management, and customizable alerts.
  • Distributed architecture and edge: Managers have the flexibility to create, deploy and manage IoT in the cloud and at the edge. Elastic distributed architectures may be adjusted as needed.
  • Visibility: Managers enjoy secure end-to-end visibility to a full view of all connections, including connected sensors, across an entire enterprise with customizable permissions.
  • Remote management: Every connected device may be remotely configured – from routing, security and alert settings and more.
  • Simplicity is king: Easy account creation and onboarding, and a simplified overall user experience with a configurable interface.

“We purposefully designed Inseego IoT Connect as a true device-to-cloud solution with the aim of making the lives of IT managers, systems integrators and project managers easier as various industries move toward IoT-centric operations to streamline workflows,” said Ashish Sharma, Executive Vice President, IoT & Mobile Solutions of Inseego.

“Our intelligent cloud-based platform provides real-time visibility into customer operations and use cases, while our Skyus portfolio of IoT devices and gateways delivers best-in-class connectivity at the edge. This creates the most robust combination of IoT devices and software in the industry.”

The Inseego IoT Connect solution packages with Skyus routers and gateways are commercially available now.


from Help Net Security https://ift.tt/2on6HPd

Air Canada confirms mobile app data breach, passport numbers were accessed

Air Canada has suffered a data breach and is forcing a password reset on all 1.7 million users of its mobile app, though apparently only 20,000 of the mobile app accounts were accessed by the attackers.

How did it happen?

“We detected unusual login behaviour with Air Canada’s mobile App between Aug. 22-24, 2018,” the company announced on Wednesday.

“We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data.”

They did not say – and perhaps they still don’t know – whether the breached accounts were accessed by attackers who attempted to reuse previously compromised login credentials found or sold on underground markets, or whether it was the result of a hack of the company’s systems.

In the meantime, they have invalidated the passwords on all mobile app accounts and sent out email alerts to potentially affected users.

(Aircanada.com accounts are not linked to Air Canada mobile app accounts, so those passwords don’t have to be changed.)

What type of information was compromised?

An Air Canada mobile app account contains the user’s name, email address, telephone number, payment card number, as well as additional information the user chose to add to his or her profile: Aeroplan number, passport number, passport expiration date, passport country of issuance and country of residence, NEXUS number, Known Traveler Number, gender, birthdate, and nationality.

The company assured users that the payment card numbers saved to the users’ profile are encrypted and stored in compliance with PCI standards, so they are safe.

But, as Seamus Bellamy sarcastically pointed out, “Oh good: my credit card is totally safe, but all the stuff that can be used to pretend to be me and get more of my money is at risk. What a relief.”

Air Canada says that, according to the Government of Canada’s passport website, the risk of a third party getting a passport in a person’s name is low if they still have their passport, proof of citizenship, and supporting identity documents, and that the Government of Canada “cannot issue a new passport to anyone based on only the information found in a passport.”

It’s likely that other countries have a similarly difficult-to-game process for issuing new passports.

Unfortunately, depending on where you are in the world, the stolen information might be used by fraudsters to set up different types of accounts or obtain other genuine documents (e.g., driving license).

Action Fraud, the UK’s national fraud reporting centre, told the BBC that banks, insurance firms and mobile phone providers do not always require sight of the physical document in order to open accounts.

What to do?

“If you did not receive an email from Air Canada specifically advising you that your Air Canada mobile App account may have been improperly accessed, we are confident your account was unaffected during this period,” the company has stated.

Nevertheless, all Air Canada mobile app users will have to reset their passwords and have been advised to use a “robust” one (i.e., long, complex, unique).

Affected users are urged to regularly review their financial transactions and keep an eye on their credit rating.
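The “unusual login behaviour” Air Canada describes is the kind of signal a login-anomaly rule produces when attackers replay credentials leaked elsewhere against many accounts at once. The following is an added example, not Air Canada’s code or detection logic: it runs a sliding-window rule over constructed authentication log lines and reports any source address that touched at least five distinct accounts within ten minutes, together with the accounts on which it actually succeeded (the ones that need notification and a forced reset). The log format, thresholds and addresses are all assumptions.

```python
"""Flag login-anomaly sources in a constructed authentication log.

Added example (not Air Canada's code). One source address attempting logins
against many distinct accounts in a short window is the footprint that
reuse of previously leaked credentials ("credential stuffing") leaves in
an authentication log; this rule surfaces it and lists the accounts that
were actually entered from that source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO-8601 timestamp, client IP, account, outcome.
# Addresses are documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
2018-08-22T10:00:01Z 203.0.113.5 alice@example.com FAIL
2018-08-22T10:00:02Z 203.0.113.5 bob@example.com FAIL
2018-08-22T10:00:02Z 203.0.113.5 carol@example.com OK
2018-08-22T10:00:03Z 203.0.113.5 dave@example.com FAIL
2018-08-22T10:00:04Z 203.0.113.5 erin@example.com FAIL
2018-08-22T10:00:05Z 203.0.113.5 frank@example.com OK
2018-08-22T10:05:00Z 198.51.100.7 alice@example.com OK
2018-08-22T10:06:00Z 198.51.100.7 alice@example.com OK
2018-08-22T11:00:00Z 192.0.2.9 gina@example.com FAIL
2018-08-22T11:00:30Z 192.0.2.9 gina@example.com OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, success)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: (max_distinct_accounts_in_window, [accounts entered])}
    for every source that tried at least `min_accounts` distinct accounts
    inside any `window`-long span. Thresholds are assumed values."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, account, ok = parse_line(line)
            events[ip].append((ts, account, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        best, start = 0, 0
        # Sliding window: advance `start` until the span fits in `window`,
        # then count distinct accounts inside evs[start:end + 1].
        for end, (ts, _, _) in enumerate(evs):
            while ts - evs[start][0] > window:
                start += 1
            distinct = len({a for _, a, _ in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= min_accounts:
            compromised = sorted({a for _, a, ok in evs if ok})
            flagged[ip] = (best, compromised)
    return flagged


def accounts_to_notify(flagged):
    """Union of accounts successfully entered from any flagged source."""
    return sorted({a for _, accts in flagged.values() for a in accts})


if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_LOG)
    for ip, (n, accts) in hits.items():
        print(f"{ip}: {n} distinct accounts in window; entered {accts}")
    print("notify:", accounts_to_notify(hits))
```

A normal user logging into one account twice (198.51.100.7) or mistyping a password once (192.0.2.9) never trips the rule; only the source that sprayed six accounts in four seconds does, and the output separates the two accounts it actually entered from the four it merely tried, which is the distinction between “reset everyone” and “notify these users”.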


from Help Net Security https://ift.tt/2MYOJ3C

Why pushback on the CCPA is wrong


Since GDPR was implemented on May 25th, 2018, one big question has been lurking in the U.S.: When will the U.S. Federal Government follow suit?

With the spate of breaches over the past year coupled with the implementation of GDPR and the passage of the California Consumer Privacy Act (CCPA) it is clear that momentum is building towards a federal data protection law sooner rather than later. Unfortunately, as we advance toward the much-needed and inevitable federal law, we are seeing the dark influences of big tech and deep pockets begin to creep forward. Tech giants like Facebook, Amazon, and Microsoft are already applying pressure to overturn CCPA and put in place a federal law with more leniency around how personal data is handled at the expense of individuals.

While it is impossible to keep big companies and lobbyists away from bills that will impact them, there are a few absolutely critical elements any data protection law needs in order for it to have any impact:

1. Data protection requirements must be mandatory. There can’t be voluntary guidelines that companies can choose to follow. Rather, there must be minimum best security practices put in place for any company that is collecting or storing personal information.

2. Companies need to be able to justify why they are collecting data. We are currently operating in a world where companies collect all the information they can and then figure out how to use it later. Collecting more data than needed puts unnecessary risk on consumers. Identity data is not needed to understand consumer behavior or track product trends, so if companies are collecting identity data, they should explain why.

3. Meaningful penalties must be associated with PII data breaches. When a company like Equifax or T-Mobile has its consumers’ PII breached the real victims are the consumers, not the company. Consumers face unwanted exposure to identity theft, fraud and embarrassing information being revealed. This can lead to tens of thousands of dollars in costs for individuals, hours of lost time, and social consequences. People should not suffer consequences for corporate misbehavior, while corporations get a pass.

4. People have rights. Individuals always deserve the right to know what information is being collected, why it’s being collected, how it’s being used, and who has access. And, individuals also need the right to have their information deleted without penalty.

5. If we’re not sure, err on the side of caution. Companies have been collecting data functionally without regulation for years and they have been able to prioritize profits over data protection. This can’t happen anymore.

Looking at this list, any company putting profit first will start thinking about the cost and resources involved in implementing a policy that addresses each of these five points and begin to think about ways to narrow down the scope of any such law.

But, in doing so, we would be going down the same concerning series of justifications that got us to this point. If we were to treat PII more securely it would have a short-term impact on a company’s bottom line as resources are invested in complying with the new practices. But, once the initial investment is made, organizations would have re-architected the way they handle data in such a way to both operate successfully and earn customer loyalty.

The one exception to the ‘profitable today and tomorrow’ projection is companies who currently use data in ways customers aren’t aware of, and wouldn’t be happy about. With a transparent data protection law in place, these companies would have to tell consumers how their data is being used so consumers can decide if they are comfortable with it or not. In other words, once a new law is implemented, the market will indicate how comfortable people are with companies collecting their information.

And, in the end, isn’t that what we want?

As the internet becomes increasingly personal, a new class of law protecting PII is absolutely critical. These laws don’t necessarily need to restrict what type of personal data can be collected. Rather, they should require companies to be transparent about what is being collected, how each piece of collected data is used, and who has access to the collected data. And, it should require that PII be treated differently than other types of information, with an elevated level of security built around it. Because let’s face it – PII is the most important type of information.


from Help Net Security https://ift.tt/2NuqHuo

Wednesday, August 29, 2018

Healthcare CISOs: Manage infosec risks and safeguard patient safety

Prominent CISOs from leading health systems and providers throughout the country have come together to establish the Provider Third Party Risk Management Council to develop, recommend and promote a series of practices to manage their information security-related risks in their supply chain and to safeguard patient safety and information.

Provider Third Party Risk Management Council

Members of the Council observed their supply chains are filled with third parties who support the care delivery process and require access to patient information. Properly vetting and monitoring these third parties is a major challenge, and in some cases insurmountable for many organizations who simply don’t have the expertise or resources. Through innovation and industry leadership, the council is developing common vetting and oversight practices that will benefit health systems, hospitals and other providers in the United States and around the world.

“Health systems and other providers need to be more active in assessing and monitoring risks posed by third parties to protect patient information while delivering effective care,” says Taylor Lehmann, CISO of Wellforce, parent organization of a health system that includes Tufts Medical Center and Floating Hospital for Children. “The primary challenge is organizations can engage with vendors of various sizes, maturity and complexity without really knowing whether the vendor should be engaged in the first place based on their beliefs and investment in cybersecurity.”

Lehmann says third parties may have a small number of customers or possibly hundreds or thousands to serve. For third parties, this challenge has resulted in lost time and resources in attempting to comply with each organization’s risk management requirements and ensure efficiency for both parties.

The council is working with the HITRUST CSF and its assurance programs for this initiative to better manage risk. The organizations on the council have each independently decided to require their third-party vendors to become HITRUST CSF Certified within the next 24 months. The HITRUST CSF Certification will serve as their standard for third parties providing services that require access to patient or sensitive information and will be accepted by all the council’s organizations.

Goal of the Provider Third-Party Risk Management Council

The Provider Third Party Risk Management Council recognizes that a more efficient approach to third-party assurance is necessary and strives to improve how the industry approaches assessing, monitoring, and responding to risks posed by third parties. By choosing to adopt a single assessment and certification program, healthcare organizations represented by the council are prioritizing the safety, care, and privacy of their patients by providing clarity and adopting best practices that their vendors can also adopt, while providing vendors the expectation of what it takes to do business with their organizations.

“We believe the healthcare industry as a whole, our organizations and our third parties will benefit from a common set of information security requirements with a standardized assessment and reporting process,” says John Houston, Vice President, Privacy and Information Security & Associate Counsel, UPMC. “We are strongly encouraging other provider organizations to follow suit and adopt these principles.”

The founding member organizations for the Provider Third Party Risk Management Council include:

  • Allegheny Health Network
  • Cleveland Clinic
  • University of Rochester Medical Center
  • UPMC
  • Vanderbilt University Medical Center
  • Wellforce/Tufts University.


from Help Net Security https://ift.tt/2NziDZ5

SnapLogic eXtreme accelerates cloud data lake initiatives

SnapLogic eXtreme extends the company’s Enterprise Integration Cloud platform to eliminate technical barriers associated with creating cloud-based data lakes, equipping businesses with compute power, cost efficiencies, and faster time-to-value.

As companies reach the power limits of on-premise systems and look to the cloud for greater scale, they face cost-prohibitive obstacles to modernizing their data architectures.

The majority of cloud data lake projects are delayed or over-budget, and on average, enterprises are using only half the data they collect or generate.

To help enterprises harness data as an asset, SnapLogic eXtreme allows big data engineers and technical business users alike to process volumes of data without complex code.

“Data-driven insights top every business leader’s priority list, but most data lake projects fail to progress beyond the pilot phase due to technical complexity, high costs, and shortage of talent,” said Vaikom Krishnan, Senior Vice President of Engineering at SnapLogic.

“With SnapLogic eXtreme, we are eliminating the technical and cost barriers to big data services just as we democratized application and data integration with the Enterprise Integration Cloud and Iris AI.”

Following its beta launch in May, SnapLogic eXtreme has demonstrated success with bringing data transformation to enterprise customers.

Using eXtreme, digital systems integrator Agilisium has piloted a project with a pharmaceutical brand where operating expense savings are estimated at as much as 35 percent and Apache Spark pipeline development time is reduced from weeks to hours.

“Effective big data processing and management has long represented a prohibitively expensive pipe dream for our customers. The introduction of SnapLogic eXtreme means we can now help them achieve their data-driven goals, with far fewer resources and at a fraction of the cost,” said Raj Babu, CEO at Agilisium.

“Our early adopter customers are all set to realize potential cost savings, accelerated time to insights, and sustainable competitive advantage.”

SnapLogic eXtreme provides a serverless, cloud-based runtime environment for data transformations.

Benefits include:

  • Managed data architecture in the cloud: Automated, managed cloud-based big data runtime environment includes integration (iPaaS), processing (BDaaS), and data storage. SnapLogic eXtreme is easy to manage.
  • Self-service: A drag-and-drop interface empowers technical business users, or citizen integrators, to save time and eliminate the IT bottleneck.
  • Scale: The SnapLogic platform populates the data lake in the cloud by leveraging 450+ pre-built, intelligent connectors (Snaps) for Hadoop, Kafka, Cassandra, MongoDB, AWS Redshift, and other applications and data stores.
  • Accelerated time-to-value: Move big data to the cloud to generate business value faster.
  • Compatibility: Connect managed Hadoop services like Amazon Elastic MapReduce (EMR), Microsoft Azure HDInsight, and more.

All SnapLogic customers can access eXtreme from their existing Enterprise Integration Cloud platform today.


from Help Net Security https://ift.tt/2wtcBSE

Veeam Intelligent Data Management combines with Cisco HyperFlex to deliver new Availability solution

Veeam Software announced that it has expanded its collaboration with Cisco to deliver Veeam Availability on Cisco HyperFlex – a new data management platform that provides scalability, ease of management, and support for multi-cloud environments through Cisco support services.

As enterprises recognize the need to update legacy data protection solutions to multi-cloud solutions, they look to deliver modern data protection solutions that are reliable, scalable, easy to manage, and support multi-site and multi-cloud environments.

Now they can make this critical transition in one single motion, reducing the complexity of purchase, implementation and support.

“Our partnership with Cisco has only continued to strengthen and expand,” said Peter McKay, Co-CEO and President at Veeam.

“We are Cisco’s ISV Partner of the Year and have had strong market success winning together, and now we are collaborating on this new solution to meet customer demand for even more innovative ways to modernize their data centers. Veeam Availability on Cisco HyperFlex responds to feedback from large enterprise customers and service provider partners who have asked for additional integrated solutions with Cisco. Customers will have the benefit of purchasing from one vendor as this solution will be offered directly from Cisco. We look forward to working closely with the Cisco team to serve large IT environments that are seeking better ways to ensure the resiliency of their IT systems.”

The new solution combines the Veeam Hyper-Availability Platform with Cisco’s Hyperconverged Infrastructure (HCI) solution, HyperFlex, to meet the needs of enterprise IT organizations that are struggling with legacy technologies that cannot scale and are unable to provide the hyper-availability today’s enterprises require.

“As the data protection market evolves to more software defined and scale-out, the need for a scalable Enterprise-ready platform and feature rich software stack is critical to ensure customer success,” said Siva Sivakumar, Sr. Director of Data Center Solutions at Cisco.

“Veeam’s intelligent data management capabilities combined with the industry-leading performance, flexibility and easy deployment of Cisco HyperFlex provide the perfect solution to address this need. Our joint goal is to continue expanding the solution with new capabilities that address modern IT recovery, retention and resiliency requirements.”

This data availability platform provides enterprise IT with a scale-out solution stack that can not only be used as a Veeam repository, but can also run the entire Veeam Availability Platform.

Benefits include:

  • Availability for all workloads — virtual, physical and cloud,
  • Scalability and reduced operational costs,
  • Reduced risk and accelerated time to value,
  • Simplified and optimized deployment: a single Cisco SKU that includes all installed software and right-sized hardware,
  • Single point of acquisition and support from Cisco.

The new Veeam Availability on Cisco HyperFlex will be offered through Cisco and is backed by Cisco Solution Support, which provides support for the entire solution stack, enabling customers to deploy with confidence and peace of mind.

Veeam Availability on Cisco HyperFlex is expected to be generally available in the fourth quarter of 2018.

“In a 451 Research – Voice of the Enterprise: Storage, Budgets and Outlook poll at the end of 2017, we found that the majority of HCI customers want integrated DR/BC and Data Backup capabilities to be part of their next-generation infrastructure. The increasing adoption of scale-out, software defined storage provides an opportunity to redefine and simplify data protection and sets the stage for close partnerships – like this new one between Cisco and Veeam – to deliver HCI systems offering evolved and seamless DR/BC capabilities,” said Steven Hill, Senior Analyst of Storage Technologies at 451 Research.

“We’ve been implementing Veeam software on top of various Cisco hardware for years. So, seeing the two companies working together on a solution stack with Cisco hardware and Veeam software is very exciting. As easy as the Veeam software is to implement for SMBs, larger organizations need additional architecture and deployment services as well as scalability planning following the initial deployment. By further simplifying the acquisition and deployment processes for providing hyper-availability, we’ll be able to focus more of our expertise and service delivery on the strategic capabilities enabled through the Veeam software, which will, of course, also be running on Cisco hardware,” said Raphael Meyerowitz, Vice President, Office of the CTO at Presidio, a Platinum Veeam ProPartner and Veeam Cloud & Service Provider (VCSP) partner.


from Help Net Security https://ift.tt/2onqjCY

NICE launches Proactive Fraudster Exposure solution, driving a leap in identity theft prevention

NICE unveiled a new Proactive Fraudster Exposure capability in its NICE Real-Time Authentication (RTA) solution that empowers contact centers to expand and augment their defense against fraud.

Based on machine learning technology, the new capability allows contact centers to prevent fraud before it happens by identifying fraudsters and blocking them from committing fraud.

This feature allows contact centers to take proactive steps in protecting their consumers by stopping fraud in its tracks immediately upon deployment.

NICE RTA’s new Proactive Fraudster Exposure capability reduces fraud losses by automating the process of exposing new fraudsters and blocking them before they commit wrongdoing.

The machine learning technology that drives the capability scans hundreds of thousands of existing call recordings identifying abnormal caller behavior associated with fraudsters.

The identified suspected fraudsters are then sent for further investigation, added to a watch list of fraudster voiceprints and blocked when calls are made in the future.

The entire process happens automatically, eliminating expensive and time-consuming manual checks.

Miki Migdal, President of NICE Enterprise Product Group said: “This new capability demonstrates once again that our RTA offering remains at the cutting edge of innovative technology. It also reinforces our commitment to helping customers protect their consumers against identity theft together with the tools they need to provide excellent customer experiences. This capability, like many other unique features in our RTA offering, demonstrates NICE’s domain expertise in delivering voice biometrics applications that innovatively meet the specific needs of contact centers.”

NICE Real-Time Authentication (RTA) is a customer authentication solution for contact centers.

Based on voice biometrics combined with a range of additional authentication factors, NICE RTA is used by organizations worldwide to authenticate millions of customers and prevent fraud across multiple channels including live agent calls, IVR and mobile app.


from Help Net Security https://ift.tt/2PfzAbE

Old “Misfortune Cookie” flaw opens medical gateway and devices to attack

A vulnerability in Qualcomm Life Capsule Datacaptor Terminal Server (DTS) can be easily exploited to allow attackers to execute unauthorized code to obtain administrator-level privileges on the device.

The vulnerability was flagged by Elad Luz, Head of Research at CyberMDX, and Qualcomm Life and Capsule Technologies SAS have pushed out firmware that plugs the hole.

About the Capsule’s DTS

Capsule DTS is a medical gateway device used by hospitals to connect their medical devices – usually bedside devices such as monitors, respirators, anesthesia, and infusion pumps – to the network.

Datacaptor has an embedded web management server/interface used for configuration and it uses a software component named “RomPager” from AllegroSoft.

About the vulnerability (CVE-2014-9222)

As it turned out, the RomPager versions (4.01 through 4.34) used by the DTS sport a vulnerability discovered in 2014 by Check Point researchers. “Back then, researchers primarily focused on home routers when searching for affected devices,” the researchers noted.

CVE-2014-9222, a.k.a. “Misfortune Cookie”, allows attackers to write data to an arbitrary address in the device memory by simply sending a specially crafted HTTP cookie to the web management portal.

“This action can be performed with no authentication and the arbitrary write may be used to login without credentials, gain administrator-level privileges on the terminal server, or simply crash them. This may result in harm to the device availability as well as the network connectivity of the serial medical devices connected to it,” they explained.

Patching and mitigation

Qualcomm Life and Capsule Technologies SAS say that the vulnerability does not affect any other Capsule Technologies products and that they have no knowledge of it being exploited in the wild.

ICS-CERT also says that there are no known public exploits that specifically target this vulnerability.

They have released a firmware update to fix this vulnerability on the Single Board version of the DTS (originally released mid-2009) but, due to technical limitations, the Dual Board versions, Capsule Digi Connect ES converted to DTS, and Capsule Digi Connect ES won’t be receiving the update.

But users of those devices can mitigate the risk of exploitation by disabling the embedded webserver. “The webserver is only utilized for configuration during the initial deployment and is not necessary for continued remote support of the device,” they explained.
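Where the embedded webserver cannot be switched off, or while the change is being rolled out, the practical question is whether anything is still talking to that management port and whether the Cookie headers it receives look like a browser’s. The block below is an added example, not code from CyberMDX, Qualcomm Life, Capsule or ICS-CERT: it scores constructed request records captured in front of a gateway’s management interface, treating an oversized Cookie header or one carrying non-printable bytes as high severity and an unrecognised cookie name as a low-severity note. The expected cookie names, the length bound and the sample records are all assumptions; a real deployment would fill the allowlist from what the portal actually issues.

```python
"""Score Cookie headers sent to an embedded device's management port.

Added example (not vendor code). A configuration-only web interface on a
medical gateway normally sees a handful of short, well-formed cookies from
an administrator's browser during initial deployment. Anything else,
notably very long values or raw bytes that no browser would emit, is
worth an alert, and any traffic at all is a sign the webserver was not
disabled as the advisory recommends.
"""
import string

# Constructed sample: (timestamp, client IP, raw Cookie header value) for
# requests seen by a monitoring tap in front of the management port.
# Addresses and cookie contents are made up for illustration.
SAMPLE_REQUESTS = [
    ("2018-08-29T09:00:00Z", "10.1.0.20", "session=abc123"),
    ("2018-08-29T09:00:05Z", "10.1.0.20", ""),
    ("2018-08-29T09:01:10Z", "10.1.0.55", "session=abc123; lang=en"),
    ("2018-08-29T09:02:00Z", "203.0.113.77", "session=" + "A" * 600),
    ("2018-08-29T09:02:01Z", "203.0.113.77", "\x00\xff\x10stuff=1"),
    ("2018-08-29T09:03:00Z", "10.1.0.90", "tracking=xyz"),
]

# Assumptions: names the portal itself sets, and a generous upper bound on
# the Cookie header length a legitimate admin session would ever produce.
EXPECTED_COOKIE_NAMES = {"session", "lang"}
MAX_COOKIE_LEN = 256

# Characters a browser can legitimately place in a Cookie header (printable
# ASCII incl. space; no control characters, no bytes above 0x7f).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
HIGH_SEVERITY = {"oversized", "non-printable bytes"}


def cookie_findings(raw):
    """Return a list of findings for one raw Cookie header value."""
    findings = []
    if len(raw) > MAX_COOKIE_LEN:
        findings.append("oversized")
    if any(ch not in PRINTABLE for ch in raw):
        findings.append("non-printable bytes")
    for part in raw.split(";"):
        part = part.strip()
        if not part:
            continue
        name = part.split("=", 1)[0].strip()
        if name not in EXPECTED_COOKIE_NAMES:
            findings.append(f"unexpected cookie name {name!r}")
    return findings


def scan_requests(requests):
    """Return [(timestamp, client, findings)] for every request with findings."""
    alerts = []
    for ts, client, raw in requests:
        findings = cookie_findings(raw)
        if findings:
            alerts.append((ts, client, findings))
    return alerts


def high_severity_clients(alerts):
    """Clients that sent at least one oversized or non-printable cookie."""
    return sorted({client for _, client, f in alerts if HIGH_SEVERITY & set(f)})


def clients_seen(requests):
    """Every client that reached the management port at all; non-empty after
    the webserver was supposed to be disabled means the mitigation slipped."""
    return sorted({client for _, client, _ in requests})


if __name__ == "__main__":
    found = scan_requests(SAMPLE_REQUESTS)
    for ts, client, findings in found:
        print(ts, client, "; ".join(findings))
    print("high severity:", high_severity_clients(found))
    print("clients on management port:", clients_seen(SAMPLE_REQUESTS))
```

The two admin hosts with short, known cookies produce nothing; the 600-byte value and the header with raw control bytes from 203.0.113.77 are the only high-severity hits, and the unknown `tracking` cookie from 10.1.0.90 is reported at low severity so it can be added to the allowlist if it turns out to be benign. The `clients_seen` list is the simpler check the advisory’s mitigation implies: once the embedded webserver is disabled, it should be empty.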


from Help Net Security https://ift.tt/2MFjQli

Pivot3 launches Intelligent Edge Command and Control solution for severe environments

Pivot3 announced a new hybrid cloud solution to support the infrastructure needs of defense, intelligence and other operations at the “tactical edge.”

Optimized for analytics, virtual desktop infrastructure and IoT use cases, Pivot3’s Intelligent Edge Command and Control solution allows customers with mission-critical requirements to capture, process and act on data immediately in the field.

“Whether you’re navigating uncertainty on the battlefield or facing austere environments, effective tactical operations require an IT solution that can weather any storm without compromising performance and ease of use,” said Jeff Forte, VP of Federal, Pivot3.

“Pivot3’s Intelligent Edge Command and Control solution allows agencies to reimagine their capabilities in the field and achieve new levels of control and data utilization, no matter the environment.”

As defense, intelligence and other agencies deploy more IoT-enabled intelligent devices in the field – from body cameras and sensors to virtual desktops – a solution is required that can withstand the elements of all environments.

Designed for extreme conditions, Pivot3’s Intelligent Edge Command and Control solution is a self-contained computing infrastructure platform that transforms vehicles, ships and planes into micro-datacenters with scalability.

It provides a common platform across tactical and traditional datacenter environments for all workloads, no matter where they live.

With Pivot3, agencies can add compute and capacity as needed to grow with the needs of the mission.

Powered by Pivot3’s Intelligence Engine, the solution provides NVMe flash performance, security, scale and resilience in a space, weight and power (SWaP)-optimized form factor capable of supporting multiple mission-critical workloads.

The Intelligence Engine features automation for “set-and-forget” policy-based management, which enables customers to guarantee performance to critical applications and automate data placement across private and public clouds.

The Intelligent Edge Command and Control solution enables policy-based replication, workload mobility and disaster recovery for complementary cloud services.

“With the Department of Defense placing a greater emphasis on coalition partners in the battle against global terrorism, tactical hyperconvergence and hybrid cloud platforms are becoming vital weapons in the arsenal of the intelligence community,” said Scott Hornsby, principal architect at Trace Systems, a leading provider of telecommunications, networking, cybersecurity and information technology services to the United States Department of Defense, the Intelligence Community and the Department of Homeland Security.

“Pivot3 Intelligent Edge Command and Control is architected to help agencies support a multi-tenant, consolidated and secure platform, and we’re proud to be a partner in helping multiple agencies incorporate this architecture to collaborate and share intelligence in the global fight for freedom.”


from Help Net Security https://ift.tt/2wu64Hi

Indegy raises $18 million Series B round of financing and hires key executives

Indegy announced it has closed an $18 million Series B round of financing led by Liberty Technology Venture Capital with participation from international energy and services firm Centrica plc, O.G. Tech Ventures and existing investors Shlomo Kramer, Magma Venture Partners, Vertex Ventures and Aspect Ventures.

The funds will be used to accelerate growth and expand global go-to-market initiatives for the Indegy industrial cybersecurity suite which helps protect systems used in manufacturing, energy, water, pharmaceuticals, and other infrastructures from cyber attacks.

In conjunction with the financing, Indegy also announced the appointment of two new executives to its management team: Joe Scotto from BAE Systems joins as Chief Marketing Officer and Todd Warwick from Imperva takes over as Vice President of Sales, Americas.

“Recent reports by the DHS and FBI regarding attacks against critical infrastructures have created a greater sense of urgency among industrial organizations to shore up their defenses, and produced a major spike in new business for Indegy,” said Barak Perelman, CEO of Indegy.

“This capital infusion provides the financial resources required to scale up the company and capitalize on this market opportunity. On the management front, the addition of Joe Scotto as CMO and Todd Warwick as VP Sales, Americas, gives us the experienced leadership we need to escalate our growth and market expansion.”

Centrica plc supplies energy and services to over 25 million customer accounts mainly in the UK, Ireland and North America through brands such as British Gas, Direct Energy and Bord Gáis Energy.

The investment from Centrica has been made by the company’s innovations arm, established last year to identify and accelerate new technology and ideas for homes and business.

“With a growing customer portfolio that spans 35 countries, we’re working to bring businesses world-leading energy management solutions that will allow customers to take greater control of their energy,” said Christophe Defert, VP Ventures for Centrica Innovations.

“In an increasingly connected world, we’re looking forward to working with Indegy as we explore ways to deploy distributed energy resources with the optimal security solution.”

Joe Scotto joins Indegy from BAE Systems, where he served as Vice President, Americas Marketing. Previously, Joe held positions with organizations including KPMG, Avaya and Time Warner, where he led Product and Solutions Marketing for their multi-channel global SMB business.

Todd Warwick joins Indegy from Imperva, a global provider of cyber security solutions, where he served as AVP of Sales. He has held sales management positions at Check Point Software and Alcatel-Lucent which was acquired by Nokia in 2016.


from Help Net Security https://ift.tt/2olY0ow

WhatsApp warns that Google Drive backups are not encrypted

Facebook-owned WhatsApp has recently announced that, starting on November 12, 2018, Android users will be able to store their WhatsApp backups on Google Drive without the backup being counted toward Google Drive’s storage quota.


But, the company warns, those backups won’t be encrypted. That means that the chats, photos and videos sent via the app and backed up on Google Drive are accessible to Google, but also to attackers who manage to compromise a user’s Google account.

According to the new agreement, WhatsApp backups that haven’t been updated in more than one year will also be automatically removed from Google Drive storage.

Explicit confirmation

WhatsApp has long allowed people to store their messages in Google Drive, but they counted towards users’ Google Drive storage limit.

Users who take advantage of the option have to have a Google account activated on their phone and Google Play services installed on it.

“You can back up your chats and media to Google Drive, so if you change Android phones or get a new one, your chats and media are transferrable,” the company explains in its FAQ document.

The fact that these backups are not encrypted was already known, but WhatsApp thought it wise to add the confirmation – “Media and messages you back up aren’t protected by WhatsApp end-to-end encryption while in Google Drive.” – to the FAQ and to explicitly point it out as important.

To protect their backups on Google Drive, users are advised to set up a strong (long, complex and unique) password for the account and to take advantage of the two-factor authentication option provided by Google.

WhatsApp implemented message encryption in August 2012 and it had its faults.

In 2016, with the help of Open Whisper Systems, the company integrated the open source, forward secure Signal Protocol for asynchronous messaging systems into the app, and turned end-to-end encryption on by default. Still, flaws in the implementation are occasionally discovered.


from Help Net Security https://ift.tt/2PgSdvF

Vera welcomes Carlos Delatorre as CEO

Vera announced that Carlos Delatorre has been appointed as CEO. Delatorre most recently served as Chief Revenue Officer at MongoDB, where he led the company to achieve 4X growth in less than 4 years, enabling MongoDB to be the first database company to IPO in over two decades.

Ajay Arora, Vera’s co-founder and founding CEO, will transition to serve as Chief Strategy Officer to help Delatorre scale the business, drive corporate strategy and continue to serve on the company’s Board of Directors.

Additionally, today Vera announced a capital investment by BMW i Ventures led by the firm’s partner, Zach Barasz.

“Carlos brings top notch go-to-market knowledge along with strong operational expertise, and I am thrilled to welcome him to the team,” said Arora.

“When it comes to finding your successor, I wanted the transition to be smooth, transparent and exciting for employees and customers. Carlos checked all the right boxes. He understands the compelling value Vera brings to the market, given the current and growing focus on data protection and privacy. I’m confident Vera will continue to innovate to allow organizations to collaborate freely and share information securely.”

“From documents to CAD files, photos to emails, data moves more freely than ever, and Vera’s leading technology allows people and organizations to share all kinds of information, safely,” said Zach Barasz, Partner at BMW i Ventures.

“We believe that Vera is at an important inflection point in its growth curve and with the addition of Carlos, we’re excited to join the journey.”

Prior to his role at MongoDB, Delatorre served several leadership roles including SVP of Sales at DynamicOps, where his team delivered 300% growth, culminating in an acquisition by VMware, in 2013 and BladeLogic, which enjoyed an IPO and was later acquired by BMC.

Delatorre also held leadership roles at ClearSlide, IMlogic, Oblix and Parametric Technology Corporation.

“I’m excited to join Vera at this pivotal point in the company’s evolution,” said Delatorre.

“In a very short period of time, it’s become evident that Vera’s focus on privacy and protecting sensitive data resonates loudly in the marketplace. The company enjoys significant, patented product advantage and has assembled a fantastic team. I’m confident that the ingredients are in place to rapidly expand our customer base and grow the business. The future is bright for Vera!”

Over the past year, Vera has been focused on scaling its data-centric security platform and enhancing users’ ability to access secure files across devices, operating systems and repositories by providing its customers with an agentless experience.

The newly introduced browser-based editing capabilities follow the release of Vera for Mail in November 2017, which introduced the data security platform that protects both email and enterprise content with dynamic encryption and granular control.

An evolution of its Vera for Files offering, Vera for Mail spurred business performance as the company closed the year by announcing GE as Vera’s largest customer win to date.


from Help Net Security https://ift.tt/2LAaPom

Andreessen Horowitz leads $8.5 million investment in Very Good Security

Very Good Security (VGS) announced that it has raised $8.5 million via a Series A funding round led by Andreessen Horowitz.

The funding will allow VGS to further scale its security product, which lets companies collect, secure and exchange data without the risk or liability associated with storing it on their own systems.

By reducing or eliminating data security scope, VGS’ customers can achieve compliance certifications (e.g. PCI, SOC2, EI3PA, HIPAA) and accelerate their time to market. NYCA, Vertex Ventures, Slow Ventures and Max Levchin also participated in the round.

“Data security and compliance shouldn’t hold companies back from getting to market safely and quickly,” said Mahmoud Abdelkader, CEO and co-founder of VGS.

“This investment fuels our mission to securely power the world’s sensitive data and transform data security from a business obstacle into a competitive advantage.”

VGS is built on the premise that you can’t hack what isn’t there, allowing companies to preserve the functionality of their data without having to store that data on their own systems.

VGS instead collects and stores the data in its own secure vaults, freeing customers from the costs and liability of building and maintaining their own compliant security systems.

When customer applications require data, VGS identifies that data in transit and swaps it—in real time—for surrogate values that retain the same functionality of the original data.

Integrating VGS requires no changes to existing products or legacy architecture, and the service starts working instantly.

Because VGS maintains multiple compliances and isolates customers from sensitive data, it enables businesses to achieve regulatory compliance.
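The vault-and-surrogate idea described above, as an added illustrative example (not VGS’s own code): the proxy spots card numbers in an outbound body, swaps each for a format-preserving token that keeps the length, the last four digits and Luhn validity, and only the vault can map a token back. The card number used is the standard test PAN and the request body is constructed.

```python
"""Illustrative tokenization vault; an added example, not VGS's own code.

A real value (a card number here) is swapped for a surrogate of the same shape,
so downstream systems keep working while the real value lives only in the vault.
"""
import re
import secrets


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and number[-1] == luhn_check_digit(number[:-1])


class TokenVault:
    """Holds the token <-> value mapping; nothing outside it ever sees the real value."""

    def __init__(self) -> None:
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._value_to_token:  # deterministic: same input -> same token
            return self._value_to_token[pan]
        tail = pan[-4:]  # last four kept so receipts and support lookups still work
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + tail
            if token != pan and token not in self._token_to_value and luhn_valid(token):
                break  # about 1 in 10 random candidates passes Luhn; the loop is cheap
        self._token_to_value[token] = pan
        self._value_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


CARD_RE = re.compile(r"\b\d{13,19}\b")


def tokenize_in_transit(vault: TokenVault, body: str) -> str:
    """Proxy step: replace every Luhn-valid card number in an outbound body with its token."""
    return CARD_RE.sub(lambda m: vault.tokenize(m.group(0)) if luhn_valid(m.group(0)) else m.group(0), body)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed request body: 4111... is the usual test PAN; the order id is not Luhn-valid
    request = '{"card_number": "4111111111111111", "order_id": "1234567890123456"}'
    print(tokenize_in_transit(vault, request))
```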

“We appreciate VGS’ approach to compliance and security, as it aligns well with our philosophy of protecting cardholder data,” said Venkat Udayasankar, architect for LendUp Card Services.

“Together, we’ve been able to quickly craft a PCI Level 1 solution that fits our business needs. VGS integrations were seamless, fast and easy, allowing us to focus on LendUp’s core business.”

By removing the constraints posed by digital security and compliance, VGS allows customers to scale without having to worry about data breaches, regulatory issues, or service provider security requirements that could slow a company’s growth.

This latest round of funding will allow VGS to scale its own operations as it works to simplify data security for a growing number of companies.

“VGS ensures that businesses and services requiring identification ‘keys’—e.g. credit card or Social Security numbers—for their customers will not have to worry about compliance around the storing of confidential or private data, and frees them from vendor lock-in,” said Alex Rampell, general partner at Andreessen Horowitz.

“We are incredibly excited to partner with Mahmoud and team to build a category-defining enterprise platform.”


from Help Net Security https://ift.tt/2oqmaON

Tool and resources to help small merchants improve payment card data security

Small merchants continue to be a primary target for cybercriminals. According to the Verizon Data Breach Investigations Report, 61% of breached organizations surveyed were small businesses.

These highly targeted businesses often do not have the technical knowledge needed to effectively manage security against these attacks – which is why the PCI Security Standards Council launched updated educational resources and a new tool aimed at helping small business owners protect their customers’ payment card data.


The PCI Data Security Essentials Evaluation Tool was born from the need to create a simpler way for small merchants to evaluate how they are addressing critical security risks for their specific payment environment. This online tool and accompanying evaluation forms provide a preliminary evaluation of a small merchant’s security posture.

“Faced with rapid advancements in payment technologies, small merchants have to first select the right payment acceptance method to meet the needs of their customer and then have confidence that they, or more likely, their payment service provider are doing enough to protect their customer’s information,” said PCI Security Standards Council Chief Technology Officer Troy Leach. “This new evaluation tool provides small businesses with awareness of the most common, critical risks for their environments and the proper resources to address potential threats. Additionally, the PCI Data Security Essentials Resources provide the right questions to ask their payment partners to have a dialogue on payment security. That conversation can only improve a small business owner’s understanding of proper payment security.”

Also launching are updated versions of the PCI Data Security Essentials Resources for Small Merchants. These resources provide easy-to-use information as a starting point for small businesses to understand how to protect themselves and their customers and have been updated to address the current and evolving threats small merchants face.

The PCI Small Merchant Taskforce, a global, cross-industry consortium launched by the Council in 2015, developed these educational materials to help small merchants protect payment card data from potential compromise.

“The PCI Small Merchant Taskforce is a collaborative effort to provide resources to help small merchants secure their payment card data,” said Barclaycard Third Party Risk Manager, Payment Security Product Michael Christodoulides, who’s co-chairing the taskforce. “From global payment security experts, to merchant associations and merchant banks working directly with small businesses, each member of the taskforce brings their own perspective and expertise to help small merchants address threats in an approachable and effective manner.”

These resources are available on PCI SSC’s Merchant Resource Page:

  • Guide to Safe Payments – Simple guidance for understanding the risk to small businesses, security basics to protect against payment data theft, and where to go for help.
  • Common Payment Systems – Real-life visuals to help identify what type of payment system small businesses use, the kinds of risks associated with their system, and actions they can take to protect it.
  • Questions to Ask Your Vendors – A list of the common vendors small businesses rely on and specific questions to ask them to make sure they are protecting customer payment data.
  • Glossary of Payment and Information Security Terms – Easy-to-understand explanations of technical terms used in payment security.
  • PCI Firewall Basics – A one-page infographic on firewall configuration basics.
  • Data Security Essentials Evaluation Tool – An online tool with accompanying evaluation forms which provides a way for merchants to conduct a preliminary evaluation of their security posture.


from Help Net Security https://ift.tt/2NsX3FN

Tuesday, August 28, 2018

Half of Alexa Top 1 Million sites now use HTTPS

Slowly but surely, the Internet is on its way to being 100% encrypted.

According to Scott Helme’s latest analysis of Alexa’s one million most visited websites, 51.8% are actively redirecting to HTTPS. To compare: that percentage was 38.4% only six months ago.


“The growth (…) is unrivaled in any other security mechanism and if you think about the effort required to achieve this, how impressive it is becomes crystal clear,” he pointed out.

Reasons behind wider HTTPS adoption

There has been a sustained push by the likes of Google to “encrypt the web” and at least part of these results is owed to them. The company has made it clear that HTTPS sites will achieve better ranking on Google Search and its Chrome browser was recently made to label all HTTP sites as “Not secure”.

Helme, along with fellow security pro Troy Hunt, also recently launched a website that shows which of the world’s most visited websites still load over an insecure connection and offers resources for going the HTTPS route.

Another thing that made it easier for site administrators to encrypt their sites is the advent of the Let’s Encrypt certificate authority, which offers free security certificates and makes the whole process of getting them and setting them up much easier than it was before.

Let’s Encrypt is currently at the top of the list of certificate issuers that helped all of these sites “go HTTPS”.

Other findings

Helme’s analysis also showed that:

  • The use of HTTP Public Key Pinning (an HTTP header/security mechanism that instructs web clients to associate a specific cryptographic public key with a certain web server) is failing. Part of the reason is that Chrome has removed support for it; another is that HPKP is difficult to deploy perfectly and can be misused by attackers.
  • There has been a marked increase in CSP (Content Security Policy) and HSTS (HTTP Strict Transport Security) use: 40% and 23%, respectively.
  • Security.txt – a file that informs security researchers how to contact the site/company if they want to responsibly disclose vulnerabilities – is gaining popularity.
  • RSA crypto keys are still the most popular choice by far, even though ECDSA (elliptic curve digital signature algorithm) keys are the more secure option.
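The classification behind these findings, as an added example that is not Helme’s crawler: given one site’s response chain, decide whether a plain-HTTP request is actively redirected to HTTPS and which of HSTS, CSP and HPKP the final response sets. The site names, headers and pin value are constructed placeholders; the one-year HSTS threshold is the minimum hstspreload.org asks for.

```python
"""Added example (not Scott Helme's crawler): classify one site from its response chain.
Each hop is (url, status, headers); all crawl data below is constructed.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # minimum HSTS max-age required for the browser preload list

SITE_A = [  # redirects to HTTPS, preload-grade HSTS, CSP present
    ("http://site-a.example/", 301, {"Location": "https://site-a.example/"}),
    ("https://site-a.example/", 200, {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'",
    }),
]
SITE_B = [("http://site-b.example/", 200, {})]  # never leaves HTTP
SITE_C = [  # redirects, but short HSTS and still pinning (placeholder pin value)
    ("http://site-c.example/", 302, {"Location": "https://site-c.example/"}),
    ("https://site-c.example/", 200, {
        "Strict-Transport-Security": "max-age=600",
        "Public-Key-Pins": 'pin-sha256="PLACEHOLDER="; max-age=5184000',
    }),
]


def header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def actively_redirects_to_https(hops):
    """True when a plain-HTTP request is bounced (3xx) to an HTTPS URL that answers 2xx."""
    if not hops or urlsplit(hops[0][0]).scheme != "http":
        return False
    redirected = any(300 <= status < 400 for _, status, _ in hops[:-1])
    url, status, _ = hops[-1]
    return redirected and urlsplit(url).scheme == "https" and 200 <= status < 300


def parse_hsts(value):
    """Return (max_age, flags) from a Strict-Transport-Security header value."""
    max_age, flags = None, set()
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("max-age="):
            max_age = int(part.split("=", 1)[1].strip().strip('"'))
        elif part:
            flags.add(part.lower())
    return max_age, flags


def assess(hops):
    """Summarise which mechanisms the site's final response sets."""
    final_url, _, final_headers = hops[-1]
    report = {"https": actively_redirects_to_https(hops), "hsts": False,
              "hsts_preload_ready": False, "csp": False, "hpkp": False}
    hsts = header(final_headers, "Strict-Transport-Security")
    # RFC 6797: browsers ignore HSTS received over plain HTTP, so only count it on HTTPS
    if hsts and urlsplit(final_url).scheme == "https":
        max_age, flags = parse_hsts(hsts)
        report["hsts"] = True
        report["hsts_preload_ready"] = (max_age is not None and max_age >= ONE_YEAR
                                        and {"includesubdomains", "preload"} <= flags)
    report["csp"] = header(final_headers, "Content-Security-Policy") is not None
    report["hpkp"] = header(final_headers, "Public-Key-Pins") is not None  # deprecated; Chrome dropped it
    return report
```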


from Help Net Security https://ift.tt/2PfwuV8