Monday, September 30, 2019

Assessing risk: Measuring the health of your infosec environment


There is an uncomfortable truth: many organizations are not conducting comprehensive assessments of their information security risk, and those that do often get little value out of the exercise because they simply don’t know how.

Given the massive amounts of data organizations hold, accurately assessing these risks is difficult, and so is determining how best to control them once they are identified. Accurate assessment matters most for businesses in highly regulated industries, which can face stiff penalties for security violations.

Most organizations are subject to some regulation, whether over-arching requirements like PCI DSS for credit card data, GDPR for personal data about individuals in the EU or the CCPA (effective January 2020) for personal data about California residents; certain industries also have their own, such as HIPAA for health care or GLBA for financial services.

Many of these specifically require an organization to perform risk assessments on a periodic basis. But by and large those assessments are done as a tick-the-box compliance exercise focused on the regulated data only. That falls far short of assessing risks to the many other kinds of data organizations hold, and highlights the need to examine information security risks more broadly.

Commonly available frameworks from standards organizations like NIST, ISO and CIS can help an information security team take that broader look. These frameworks provide an excellent starting point for identifying the state of an information security environment’s maturity and the risks that may exist in its current data management processes.

Regardless of the framework you choose, the first step is always to identify the scope of your assessment effort. Start by establishing the context for why you’re undertaking the assessment. Think in terms of Data, People, Process and Technology.

  • For Data, what information are you trying to protect? The scope can be as broad as all of your “crown jewels” or as narrow as credit card numbers only.
  • For People, who are the users of the data? Who should/not have access? Who are we sharing data with? Who should be responsible for safeguarding it?
  • Process is essential, because governance sets the tone at the top. How mature are your processes? Do you have documented SOPs? Do you outsource some IT processes, and if so, do those providers have properly documented policies and procedures? Are your information security policies up to date and relevant?
  • Technology includes characterizing all of the systems to be included. That can be a huge task in and of itself, given the number of data-centric systems in play. What applications are receiving, transmitting, storing or using the data in the scope of the assessment?

Don’t limit this exercise to inputs. Instead, follow the lifecycle of each data element. If you collect a credit card number, trace it through collection, transfer, the users of the data, how it is shared, where it is stored and where and how it is disposed of, noting every application involved at each step. Then record the supporting infrastructure for each application: the underlying operating system and hardware, its location (datacenter, Platform as a Service, under someone’s desk…), the network infrastructure, whether it is publicly reachable and whether it is cloud-based. Because each application may sit on a different network or in a different location, the impact of a given threat will vary with these factors.

Once your framework is established, get clear on what you want out of the risk assessment. Just to tick the box? Something more? You will gather a significant amount of information through this process, so be as direct and truthful about your goals as possible, because the results are going to drive change in your organization.

That underscores the need for information security teams to stay current on mapping organizational data, including what lines of business may share with shadow IT providers, data at rest, and data in motion. Without this insight, your risk assessment will not be meaningful. Done correctly, it will help articulate how current security initiatives are mapped to applicable threats and vulnerabilities.

The next step is to identify threats to which your systems are subject, such as fraud, brute force attacks, phishing, or even physical theft. Keeping a relevant inventory of threats requires significant effort; it’s important to not only identify the relevant threats to your organization and risk appetite, but also to keep reviewing your list as new threats may be created, threats may change, or some may no longer be applicable.

Determining the degree of risk each of those threats poses is where many organizations start to struggle. Degree is subjective, so the challenge is to minimize bias and then work with the business to identify remediation activities. A good approach is to score each risk on impact: think through what the impact of a given threat would look like for your organization, and rate the confidentiality, integrity and availability impacts separately. That further reduces the subjectivity of the exercise.

Also consider likelihood: what is the probability of a threat actually affecting your organization? If your data is located in Florida, for example, the likelihood of a natural disaster such as a hurricane is much higher than in other locations. Likewise, the likelihood of a code injection attack against a web application that is not reachable from the internet is much lower than for one that is.
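The scoring described above, carried through as a worked example. This is added illustration, not code from the original article: it assumes a 1-5 ordinal scale for impact and likelihood, a risk score of (highest C/I/A impact) multiplied by likelihood, and a constructed inventory that follows one data element (a card number) through two lifecycle stages. The asset names, threats, ratings and context rules (internet exposure raises injection likelihood, a Florida location raises hurricane likelihood) are all illustrative assumptions.

```python
"""Risk register example (added here; not part of the original article).

Assumptions: a 1-5 ordinal scale for both impact and likelihood, a risk
score of (highest C/I/A impact) x likelihood, and a constructed inventory
that follows one data element (a card number) through its lifecycle.
Every asset, threat and rating below is illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    stage: str             # lifecycle stage: collect / store / dispose ...
    internet_facing: bool
    location: str          # where it runs, e.g. "datacenter-FL", "PaaS-us-east"


@dataclass(frozen=True)
class Threat:
    name: str
    confidentiality: int   # impact 1-5 on each CIA dimension
    integrity: int
    availability: int
    base_likelihood: int   # 1-5 before any context adjustment


# Constructed inventory: the card number is collected by a public web app
# and stored in an internal database in a Florida datacenter.
CARDHOLDER_DATA_FLOW = [
    Asset("checkout web app", "collect", internet_facing=True, location="PaaS-us-east"),
    Asset("payments DB", "store", internet_facing=False, location="datacenter-FL"),
]

# Constructed threat inventory with per-dimension impact ratings.
THREATS = [
    Threat("web code injection", confidentiality=5, integrity=4, availability=2, base_likelihood=3),
    Threat("hurricane", confidentiality=1, integrity=1, availability=5, base_likelihood=1),
    Threat("phishing", confidentiality=4, integrity=3, availability=2, base_likelihood=4),
]


def _clamp(n: int) -> int:
    return max(1, min(5, n))


def adjust_likelihood(threat: Threat, asset: Asset) -> int:
    """Context rules (assumed): exposure and location change likelihood."""
    likelihood = threat.base_likelihood
    if threat.name == "web code injection":
        likelihood += 2 if asset.internet_facing else -2
    if threat.name == "hurricane" and asset.location.endswith("-FL"):
        likelihood += 2
    return _clamp(likelihood)


def score(threat: Threat, asset: Asset) -> dict:
    """One register row: C/I/A impacts kept separately, plus the combined score."""
    impact = max(threat.confidentiality, threat.integrity, threat.availability)
    likelihood = adjust_likelihood(threat, asset)
    return {"asset": asset.name, "stage": asset.stage, "threat": threat.name,
            "C": threat.confidentiality, "I": threat.integrity, "A": threat.availability,
            "impact": impact, "likelihood": likelihood, "risk": impact * likelihood}


def build_register(assets, threats):
    """Score every threat against every asset and rank highest risk first."""
    rows = [score(t, a) for a in assets for t in threats]
    return sorted(rows, key=lambda r: (-r["risk"], r["asset"], r["threat"]))


if __name__ == "__main__":
    for r in build_register(CARDHOLDER_DATA_FLOW, THREATS):
        print(f'{r["risk"]:>3}  {r["asset"]:<18} {r["stage"]:<8} {r["threat"]}')
```

The same threat lands at very different positions in the register depending on where the data sits: injection tops the list for the internet-facing collection point and drops to the bottom for the internal store, while the hurricane only matters for the Florida datacenter.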

This thorough examination of your assessment scope, potential threats, possible impacts and likelihood of occurrence will yield a list of risks with different ratings. That very useful data will arm information security teams for approaching leadership with an objective view of the organization’s threat footprint, and make the case for why and where investment is needed. The assessment effort will also help information security groups demonstrate their value to their organizations, and fulfill their mission of truly securing data, the crown jewels of the modern enterprise.


from Help Net Security https://ift.tt/2n9n7hq

Managing and monitoring privileged access to cloud ecosystems


Cloud data breaches are on the rise, demonstrating time and again the need for a different approach and strategy when it comes to managing and monitoring privileged access to cloud ecosystems.

Privileged access management (PAM) should:

  • Be risk-aware and intelligent
  • Reduce sprawl of infrastructure, accounts, access and credentials
  • Use continuous identity analytics.

Just-in-time management of privileged accounts

According to Gartner’s 2018 Magic Quadrant for PAM report, by 2022 more than 50% of organizations with PAM implementations will choose just-in-time privileged access over long-term privileged access, which is a significantly higher percentage than today’s (under 25%).

Persistent accounts have been the norm when it comes to providing privileged access to users, applications and services in the IT landscape. But persistent accounts come with an overhead of constant management and maintenance, as well as high risk exposure. In the cloud, this exposure becomes multi-fold due to its elasticity and ephemeral nature.

Minimizing persistent accounts not only reduces the attack surface, but also alleviates audit concerns. Just-in-time account provisioning for privileged access is key to an effective and secure strategy for reducing the sprawl of privileged accounts across cloud systems.

Temporal and granular access assignment with in-session access elevation using roles or IDs

Traditional mechanisms employ separate accounts/IDs for regular vs privileged access. On cloud platforms, especially SaaS (software as a service) applications, this increases user license costs and also adds an overhead to the lifecycle management of additional accounts.

In-session elevation of access works well in the cloud and can be achieved either by elevating a role or permission set for the session or by assigning time-bound access to a privileged account.

Identity analytics must be the central theme of a PAM strategy

Achieving continuous visibility of privileged access on cloud assets is imperative. The inherent challenge in determining a user’s effective access lies in the thousands of native JSON-based policy, permission and role objects that define it. Knowing who has access to what requires continuously collecting, parsing and evaluating those native cloud IAM objects.

Continuous identity analytics provides detailed insight into risky access violations and toxic access combinations. It also serves as an intelligence hub for PAM workflows, making them aware of access risk and providing the triggers for additional checks where needed.
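The "who has access to what" evaluation over native IAM JSON, as a worked example. This is added illustration, not code from the article or from any vendor: it evaluates constructed AWS-style policy documents using the documented IAM rules (nothing is allowed by default, an explicit Deny beats any Allow) and then checks each principal for assumed toxic combinations. The principal names, account ID, policy contents and the two toxic combinations are constructed assumptions; statements that use Condition, NotAction or NotResource are rejected rather than silently mis-evaluated.

```python
"""Identity-analytics example: who-can-do-what over IAM policy JSON.

Added as an illustration; not code from the article or any vendor. Policy
documents, principal names, the account ID and the toxic-combination list are
constructed assumptions. Evaluation follows the documented IAM order: nothing
is allowed by default, and an explicit Deny beats any Allow. Condition,
NotAction and NotResource are rejected rather than silently ignored.
"""
import fnmatch
import json

ACCOUNT = "123456789012"  # constructed account ID

# Constructed policy documents, in the JSON shape a cloud API returns.
PRINCIPAL_POLICIES = {
    "ci-deployer": [
        json.loads("""{
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow",
             "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"],
             "Resource": "arn:aws:lambda:us-east-1:123456789012:function:*"},
            {"Effect": "Allow",
             "Action": "iam:PassRole",
             "Resource": "arn:aws:iam::123456789012:role/*"}
          ]}"""),
    ],
    "analyst": [
        json.loads("""{
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow", "Action": "s3:Get*",
             "Resource": "arn:aws:s3:::reports/*"},
            {"Effect": "Allow", "Action": "iam:AttachUserPolicy",
             "Resource": "*"}
          ]}"""),
        # A second attached document acting as a guardrail: the Deny wins.
        json.loads("""{
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]
        }"""),
    ],
}

UNSUPPORTED = {"Condition", "NotAction", "NotResource", "NotPrincipal"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request.

    IAM wildcards are * and ?; fnmatch handles both (ARNs never contain '[').
    Actions are case-insensitive, resources are not.
    """
    unsupported = stmt.keys() & UNSUPPORTED
    if unsupported:
        raise ValueError(f"unsupported statement keys: {sorted(unsupported)}")
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def is_allowed(policy_docs, action, resource):
    """Evaluate one request against every statement of every attached document."""
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(doc["Statement"]):
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit Deny always wins
            allowed = True
    return allowed


# Toxic combinations (assumed, illustrative): sets of (action, resource) that
# together let a principal escalate. A real catalogue would be far longer.
TOXIC_COMBINATIONS = {
    "lambda privilege escalation via iam:PassRole": [
        ("iam:PassRole", f"arn:aws:iam::{ACCOUNT}:role/admin-role"),
        ("lambda:CreateFunction", f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:x"),
        ("lambda:InvokeFunction", f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:x"),
    ],
    "self-granted admin via iam:AttachUserPolicy": [
        ("iam:AttachUserPolicy", f"arn:aws:iam::{ACCOUNT}:user/self"),
    ],
}


def find_toxic(policy_docs):
    """Names of the toxic combinations a principal's policies fully permit."""
    return sorted(name for name, needs in TOXIC_COMBINATIONS.items()
                  if all(is_allowed(policy_docs, a, r) for a, r in needs))


def analytics_report(principal_policies):
    return {p: find_toxic(docs) for p, docs in principal_policies.items()}


if __name__ == "__main__":
    for principal, findings in analytics_report(PRINCIPAL_POLICIES).items():
        print(principal, findings or "no toxic combinations")
```

Two points the output makes that reading the JSON by eye does not: the deployer's individually reasonable grants combine into an escalation path, and the analyst's over-broad Allow is harmless only because a separate Deny document exists, so removing that guardrail would silently change the answer.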

Risk and governance need to be a part of PAM processes from the start

When implementing PAM solutions, organizations often implement the bare minimum. Rapid time to market and continuous addition of business value are the key objectives of PAM implementations, but integration dependencies on identity governance and administration (IGA) platforms often become the long pole.

Converging IGA and PAM in a single platform addresses these issues in several dimensions. Risk is core to an intelligent IGA platform, and converging it with the PAM platform allows PAM processes to be “risk-aware” and “intelligent”. The risk score can be a multi-dimensional attribute composed of user risk, endpoint risk, infrastructure misconfigurations, and access-plane and control-plane risks. Bringing these parameters and risk models together in one platform allows PAM processes and PAM actors to make better-informed decisions.

With this convergence, privileged identity governance becomes implicit in PAM workflows and processes. Visibility into toxic access combinations, detective and preventive separation of duties, intelligent risk-based access reviews, privileged account ownership and management, and succession management of privileged IDs all become available in the converged platform, and organizations do not have to invest time and effort in integrating or building them.

Identify the conduits/interfaces that could provide privileged access to underlying platforms

Securing privileged access to the cloud requires a different approach than securing a traditional on-premises environment. It requires an understanding of the various conduits or channels through which privileged access can be gained, as well as the challenges in securing each of those conduits.

These range from management portals, workloads, CLIs and APIs to serverless functions, short/long term access keys, instance profiles, service accounts, instance metadata, DevOps tools and continuous integration/continuous deployment (CI/CD) processes. Each of these interfaces consumes/interacts with the underlying cloud services in a different way and therefore requires a distinct and focused strategy for managing and monitoring privileged access.

The key aspect is to identify all possible conduits/channels in an organization’s cloud ecosystem to avoid access leaks.

Implementing identity analytics is an extremely effective way to determine the various privileged access contexts and a good starting point for understanding access exposure in the ecosystem. Integration with the cloud platform’s native security or IAM framework is a must-have for determining access scope, access proliferation, out-of-band access, rogue access and explicit access (broken access inheritance).

Bring DevOps and CI/CD tools under PAM purview

Jenkins, Chef, Puppet, Ansible and similar tools are among the most widely adopted DevOps tools at organizations moving their workloads to the cloud. Some help in managing drift, others in workload orchestration, and most consume native cloud services in the context of a privileged service account. A PAM strategy for the cloud is incomplete unless it also covers DevOps and CI/CD processes.

Managing privileged access should not be confined to native cloud entities – every DevOps and CI/CD tool or process interacting with or consuming cloud services should fall under the purview of privileged access management.

Understanding the organization’s responsibilities under the shared responsibility model

Despite significant efforts by public cloud providers such as Amazon, Microsoft and Google to raise awareness of the shared responsibility model, many organizations still misunderstand it and have made mistakes about where their responsibilities lie. In the context of PAM this matters even more: organizations must be aware of and accept their responsibility for rotating credentials, resetting access keys, time-bound assignment of credentials to privileged accounts, and so on.

To begin with, a responsibility matrix of compliance requirements/objectives for PAM across all cloud computing layers should be mapped between cloud service providers and organizations. The mapping matrix not only helps show a clear delineation of responsibilities, but also sets the right expectations for the organization teams’ roles and responsibilities.

Cloud-architected and available as a service

Managing privileged access in the cloud requires the PAM solution to be resilient and scalable, capable of handling the scale, volume and velocity the cloud demands. Lifting and shifting a traditional PAM solution to the cloud is not the right approach, because the result is hosted in the cloud but not architected for it.

PAM for cloud must be built using native cloud technologies and must be made available as a service – this is key to reducing the infrastructure sprawl and waste of compute resources.

The model also allows rapid deployments, faster upgrades resulting in constant addition to business value, and significant cost savings (infrastructure, operational costs).


from Help Net Security https://ift.tt/2mymDB2

38% of the Fortune 500 do not have a CISO

To uncover whether the world’s leading companies are committed to enhancing their cybersecurity initiatives, Bitglass researched the members of the 2019 Fortune 500 and analyzed public-facing information such as what is available on their websites.


77% of the Fortune 500 make no indication on their websites about who is responsible for their security strategy. Additionally, 52% do not have any language on their websites about how they protect the data of customers and partners (beyond a legally required privacy notice).

The results demonstrate that most organizations lack an authentic, lasting commitment to cybersecurity, with certain industries being less security-conscious than others.

As breaches continue to cost brands millions, incite executive turnover, decrease stock prices, and harm countless stakeholders, it is crucial that organizations appoint relevant leadership and prioritize proper cybersecurity.

Other key findings

  • 38% of the 2019 Fortune 500 do not have a chief information security officer (CISO).
  • Of this 38%, only 16% have another executive that is listed as responsible for cybersecurity strategy, such as a vice president of security.
  • Of the 62% that do have a CISO, only 4% have them listed on their company leadership pages.

Most security-conscious industries in the Fortune 500

  • The transportation industry is the most security-conscious vertical, with 57% of its companies listing an executive as responsible for cybersecurity strategy. The aerospace industry (33%) and the insurance industry (30%) come in second and third, respectively.
  • 89% of organizations in the aerospace industry have information available on their websites about how they are protecting the data of customers and partners. Aerospace is followed by finance (72%) and technology (66%).

Least security-conscious industries in the Fortune 500

  • No hospitality companies list an executive who is responsible for cybersecurity strategy. The manufacturing and telecommunications industries follow closely behind at 8% and 9%, respectively.
  • Within each of the construction, oil and gas, and hospitality industries, only 25% of organizations have information on their websites about how they protect customer and partner data.

“Corporate social responsibility initiatives have made it onto the websites of the Fortune 500, but research has shown that the same level of importance is not being given to publicly demonstrating commitment to cybersecurity initiatives,” said Anurag Kahol, CTO at Bitglass.

“Lax security and its resulting breaches have long-term repercussions for organizations as well as their customers, shareholders, partners, and other stakeholders. Members of the Fortune 500 should be focused just as much on protecting personal data and consumer privacy as they are on other areas of social responsibility.”


from Help Net Security https://ift.tt/2mtu0cR

Email is an open door for malicious actors looking to exploit businesses

Businesses are up against an alarming scale of risk at a time when email is proving an open door for cybercriminals and malicious actors looking to disrupt, exploit and destroy businesses, according to a report from Wire.


The report was developed in collaboration with global poker champion and astrophysicist Liv Boeree. Poker is a game of making calculated, strategic decisions in high-stakes situations, so Boeree draws parallels between the poker table and the business world.

Within the report, she frames cybersecurity risk in terms of odds. Key findings include the odds of falling prey to a cyberattack, the business cost of such an event, and the ‘best bet’ for future-proofing against an attack.

Email and people are the weakest link

In one of its central findings, the report identifies email as a company’s greatest cybersecurity vulnerability: it offers the most significant access point for criminals, who exploit a human fallibility, the inability to spot malicious emails.

Just as with gambling, the outcomes are influenced by people and their judgement. That employees are unable to distinguish malicious emails from safe ones points to the inherent vulnerability of email. Per the report:

  • An employee is three times more likely to infect a colleague with a malicious email than they are to spread the flu to their partner
  • An employee’s chances of spotting a phishing email are as slim as hitting a specific number on the roulette wheel

Relentless risk

‘Odds on a Bad Bet’ goes on to underscore the relentlessness of cyber attacks, which raises the odds of a business falling victim:

  • The chances of your business avoiding a malware attack are as unlikely as pulling the Ace of Spades from a shuffled deck
  • A company has a 50/50 chance of suffering a costly DoS (denial of service) attack — effectively the same chances as a flip of a coin
  • A company is over ten times more likely to suffer a week-long downtime from a ransomware attack than you are to suffer a house fire

Given these odds, failing to future-proof is not a risk business owners should be willing to take. When cyber attacks succeed, the resulting impact has the potential to cause huge damage to the company.

Investigating the likelihood and impact of cyberattacks on a business, the report also considers the following comparison odds:

  • Your business is five times more likely to suffer a debilitating ransomware attack than you are likely to be involved in a car accident
  • The chances of your business suffering a costly ransomware attack are the same as a hurricane hitting Florida next year
  • You’re almost as likely to go out of business due to a cyber-attack as your startup is to fail because it didn’t get the next round of funding

The odds demonstrate the clear necessity of implementing future-proofing measures across the business. There is simply too much at risk not to, and the business benefits of stronger cybersecurity measures are equally clear:

  • The average ROI for future-proofing your business with end-to-end encryption is twice as high as investing in the S&P 500
  • Cyber-security costs are rising so fast that waiting another year to invest in cyber-security is the same as letting ten years’ worth of inflation erode the value of your cash

Cybercrime is not going away

With the stakes so high, and the benefit of investing in preventative measures so apparent, businesses have every reason to play their hand carefully.

“When playing global poker series against the world’s best, it pays to understand the odds to reduce the risk, as any miscalculation could mean losing millions of dollars,” said Liv Boeree, global poker champion and contributor to the report.

“To see businesses fail to put the best cybersecurity measures in place, such as a secure alternative to email, when the return on investment is so clearly beneficial, is the opposite of good risk management. It’s more akin to the behaviour of a delusional problem gambler.”

Wire CEO Morten Brøgger comments: “People’s use and reliance on email is businesses’ greatest security vulnerability. More secure modes of communication and collaboration with end-to-end encryption need to become the standard as email recedes into the past.

“Especially since the average return on investment for such measures is twice that of investing in the S&P 500. Any business that fails to prepare is betting against the house, and the house always wins.”

‘Odds of a Bad Bet’ also features contributions from a number of leading cybersecurity experts, including Edward Whittingham, founder and CEO of The Defence Works.

Whittingham commented on the report’s findings: “Cybercrime continues to plague businesses but it’s a problem that isn’t going anywhere, anytime soon. Emails, in particular, are a huge risk area for business, as they’re the main vehicle through which cybercriminals are attacking business.

“Businesses can dramatically increase their defences by considering what technical measures they have in place, reducing those risk areas – including email usage – and implementing security awareness training for their employees.”


from Help Net Security https://ift.tt/2mxIatC

Employee negligence can be a leading contributor to data breaches

Two thirds (68%) of businesses reported their organization has experienced at least one data breach in the past 12 months, and nearly three in four (69%) of those data breaches involved the loss or theft of paper documents or electronic devices containing sensitive information, according to the Shred-it report conducted by the Ponemon Institute.


According to the report, typical workplace occurrences may be at the root of the problem as 65% of managers are concerned their employees or contractors have printed and left behind a document that could lead to a data breach.

Those fears have been confirmed: seven in 10 (71%) managers have seen or picked up confidential documents left in the printer. This seemingly innocent workplace mistake isn’t the only thing threatening information security; over three in four (77%) managers admit they have accidentally sent an email containing sensitive information to the wrong person.

What’s more, nearly nine in 10 (88%) have received an email containing sensitive information from someone within or outside of their organization they were not intended to receive.

“The report reveals two key factors about information security in North American businesses: employee negligence, intentional or not, can be a leading contributor to data breaches, and businesses should equally consider the needs for cybersecurity and physical information security within their organization,” said Ann Nickolas, Senior VP, Stericycle.

“Although cybersecurity is no doubt an important element of protection, businesses should look to strike a balance between investing in physical security and cybersecurity, as well as integrating better communication with employees on risk factors, to best arm themselves against potential breaches.”

When exploring physical security versus cybersecurity, the report found that less than two in five (39%) managers believe the protection of paper documents is just as important as the protection of electronic records. This may be why more than half (51%) of managers say their organization does not have a process for disposing of paper documents containing sensitive information.

Tech and business managers are not aligned on security responsibilities and protocols

  • A quarter (25%) of technology managers believe that CISOs are most responsible for granting access to paper documents or electronic devices containing sensitive or confidential information, compared to 1% of business managers
  • 22% of business managers believe no one function is most responsible, compared to 16% of technology managers.
  • Sixteen percent of business managers believe the business owner is most responsible, compared to 6% of technology managers.
  • Fewer (32%) tech managers than business managers (42%) believe the protection of paper documents is just as important as the protection of electronic records.
  • Less than half (45%) of tech managers and more than half (53%) of business managers say their organization does not have a process for disposing of paper documents containing sensitive or confidential information after they’re no longer needed.
  • After reviewing paper documents, more tech managers (41%) than business managers (30%) shred the documents, and more business managers (22%) than tech managers (19%) throw the documents in the garbage.

Employees may be gaining access to sensitive or confidential information

Organizations may not be taking all precautions to restrict employees from accessing physical paper documents they should not have access to:

  • Only a third (33%) use physical security to prevent unauthorized access to document storage facilities
  • Nearly two in five (38%) use filing cabinets or locked desks to store these documents
  • Less than a third (31%) enforce a clean desk policy
  • Half (50%) of managers say their organization does not take any of these steps

Three in five (60%) managers agree employees, temporary employees and contractors have access to paper documents that are not pertinent to their role or responsibility.

Managers are also guilty of neglecting sensitive and confidential information

  • More than half (51%) of managers have no process for disposing of paper documents containing sensitive or confidential information after they are no longer needed
  • After reviewing a paper document, more than a fifth (21%) throw the document in the garbage
  • The majority (54%) of managers have been targeted by a phishing email or social engineering scam at work, but only 39% of managers contacted their supervisor

from Help Net Security https://ift.tt/2nYIMJ3

Tolly report: Evaluating the evolution of network traffic analysis technology

Network Traffic Analysis (NTA) has been rapidly evolving to counter the increased sophistication of threats experienced by organizations worldwide. Test methodologies and tools that let security professionals measure how well the products currently on the market perform are not yet widely available.


Awake Security has partnered with the Tolly Group and a current Darktrace customer to develop and execute just such a test and has published a report detailing the methodology and the results.

The test report is focused on the following areas:

  • Details of the test methodology and tools used to evaluate an NTA solution.
  • The accuracy of the solutions at detecting post-exploit malicious behavior.
  • The ratio of accurate and actionable alerts to noisy, generic alerts.
  • An evaluation of the tools provided to validate that alerts are truly malicious.

The results of the report provide a revealing snapshot of how different approaches to the problem of detecting malicious activity deliver different results. Equally important is the examination and presentation of the challenges involved in accurately testing intelligent, self-learning behavioral solutions in the real world.


from Help Net Security https://ift.tt/2n7NQuN

Anomali Altitude automates detection, analysis, and threat response

Anomali, a leader in intelligence-driven cybersecurity solutions, unveiled the Anomali Altitude platform.


The Anomali Altitude platform delivers Anomali Lens, Anomali ThreatStream, and Anomali Match. The integrated product suite allows customers to automate detection, analysis, and response for high-priority external and internal threats.

Anomali Lens

This first-of-its-kind technology allows anyone, from security operations staff to board members, to automatically and immediately know if their organizations are being attacked, who adversaries are, and if the attacks have been successful. With these key security questions answered, users can make effective decisions about how to respond.

With one click, Anomali Lens scans web-based content, detects and highlights all threats identified within, provides easy-to-understand details about the threats, and tells users if any threats are already present in their networks.

Web content Anomali Lens scans includes news, blogs, research, bulletins, SIEM logs, other security logs, IR reports, Twitter and other social networks.

Automated threat bulletins created by Anomali Lens are added to Anomali ThreatStream. These can then be shared across organizations, among trusted circles, and ISACs. Bulletins can be directly integrated into security controls for immediate blocking, detection, and mitigation.

Anomali Lens is supported by advanced natural language processing (NLP) and context-aware detection. Currently deployed as a browser plugin, it will soon be available for mobile devices.

Anomali Match

Anomali Match integrates cyber threat intelligence, MISP data, OSINT, SIEM logs, vulnerability assessment tools, and other big data sources to match billions of IOCs and threats against any that are present in customers’ networks.

By providing automated, retrospective analysis for extended periods, users detect threats and compromises that have been present for short and long durations. Anomali Match replaces Anomali Enterprise and includes all of that solution’s former capabilities. Several new features and benefits include:

  • Enhanced machine learning for DGA – New deep learning capabilities enable 90 percent-plus accuracy for Domain Generation Algorithm (DGA) detection
  • Big data support with Elasticsearch – Integration provides retrospective analysis for high volumes of threat data spanning a year or more
  • Anomali Match analysis dashboard – New visual representations optimize the use of multiple threat feeds
  • Anomali Match stand alone – Automated, direct importation of data from MISP and other sources improves threat scoring and enrichment
  • Anomali Lens – Integration provides immediate confirmation of when threats are present in networks

Anomali ThreatStream

Anomali ThreatStream, the company’s threat intelligence platform (TIP), integrates threat data from a wide range of feeds to create actionable threat intelligence.

Anomali ThreatStream is the foundation for the new Anomali Preferred Partner Program. Six partners that have joined the program are now providing complementary threat feeds. These include Flashpoint, ReversingLabs, DomainTools, Farsight, Intel471, and Sixgill.

“Any business that can find answers hidden in massive volumes of data has a competitive advantage. When it comes to cybersecurity, organizations that can make sense of what billions of cyber threat indicators mean can make decisions that will give them a defensive edge,” said Hugh Njemanze, CEO, Anomali.

“We’ve brought a platform to market that allows customers to harness threat data, information and intelligence to drive effective cybersecurity decisions, a capability that tips the scales in their favor.”

“The most sure-fire way to lose a battle is to go into it without knowing anything about your enemy. Organizations that aren’t using advanced levels of cyber threat intelligence are going to continually fall short in their efforts to defend their networks,” said Richard Stiennon, IT-Harvest chief research analyst and noted cybersecurity author.

“As a pioneer of cyber threat intelligence, Anomali helped take the practice mainstream with its early platform. It is now introducing a new generation of solutions to the market that will allow its customers to effectively leverage adversarial intelligence.”


from Help Net Security https://ift.tt/2o5P6i8

BlackBerry creates BlackBerry Advanced Technology Development Labs

BlackBerry announced the creation of BlackBerry Advanced Technology Development Labs (BlackBerry Labs), a new business unit operating at the forefront of research and development in the cybersecurity space.

Led by CTO Charles Eagan, BlackBerry Labs will include a team of over 120 software developers, architects, researchers, product leads and security experts, each working toward the common goal of identifying, exploring and creating new technologies to ensure BlackBerry is on the cutting edge of security innovation.

The rise of the Internet of Things (IoT) alongside a dynamic threat landscape fosters a climate where organizations have to guard against new threats and breaches at all times.

With a strong focus on data science and machine learning, BlackBerry Labs’ innovation funnel will investigate, incubate and facilitate technologies specifically designed to further the company’s commitment to safety, security and data privacy for its customers.

Initial projects from BlackBerry Labs will focus on machine learning approaches to security in partnership with BlackBerry’s existing Cylance, Enterprise, and QNX business units.

“The establishment of BlackBerry Labs is the latest in a series of strategic moves we’ve taken to ensure our customers are protected across all endpoints and verticals in the new IoT,” said Charles Eagan, BlackBerry CTO.

“Today’s cybersecurity industry is rapidly advancing and BlackBerry Labs will operate as its own business unit solely focused on innovating and developing the technologies of tomorrow that will be necessary for our sustained competitive success, from A to Z; Artificial Intelligence to Zero-Trust environments.

“We believe this highly experienced team will allow us to remain nimble, engaged and, above all else, proactive in our efforts to be the most trusted security software leader in the market.”


from Help Net Security https://ift.tt/2o0zXP3

Red Hat shares rising interest in hybrid cloud in APAC

Red Hat, the world’s leading provider of open source solutions, shared that there is rising interest in hybrid cloud in Asia Pacific (APAC), evident from the increasing number of cloud and managed services providers joining the Red Hat Certified Cloud and Service Providers program in Australia, China, India, Japan, Korea, Singapore, Thailand, The Philippines and Vietnam.

The Red Hat Certified Cloud and Service Provider program includes more than 300 cloud, system integrator and managed service providers in Asia Pacific, along with software developers and hardware manufacturers that use Red Hat products and technologies to host physical and virtual machines, set up private and public cloud environments, and provide managed application and container development services.

Some of the cloud and service providers in APAC that have recently enrolled in the program include:

  • Australia: Bulletproof
  • China: Shanghai DaoCloud Network; Shanghai Yungoal Infotech
  • India: Cyfuture India Pvt. Ltd.; Netlabs Global IT Services Pvt Ltd.; GAVS Technologies, Kaar Technologies; Sensiple Software Solutions
  • Japan: BCC Co, Ltd; i2ts, Inc
  • Korea: Codefarm
  • Singapore: Fujitsu Singapore
  • Thailand: Internet Thailand Public Company Limited
  • The Philippines: Micro-D International
  • Vietnam: Sao Bắc Đẩu Telecom JS

Gartner forecasts that the mature APAC market will spend US$13.6 billion on public cloud services by the end of 2019, up from the US$11.7 billion in 2018. Moreover, 75 percent of organizations worldwide are expected to have deployed a multi-cloud or hybrid cloud model by 2020.

However, as cloud adoption gains interest in APAC, not every organization has the expertise or resources to build and maintain such an environment in-house.

The Red Hat Certified Cloud and Service Provider program can help APAC solution providers fill that gap by offering open, cloud-based technologies that can scale and flexibly meet customers’ evolving business needs.

Certified Cloud and Service Providers can gain access to Red Hat solutions that not only offer a more secure, scalable platform for building public and private clouds, but also empower DevOps to develop, deploy, and manage diverse applications seamlessly.

Such solutions include Red Hat Enterprise Linux, Red Hat OpenShift Container Platform and Red Hat OpenStack Platform. Providers can use them to improve operational efficiency and flexibility, expand their hybrid cloud service offerings, and offer scalable and highly available third-party ISV applications on Red Hat technologies.

Andrew Habgood, senior director, cloud partners, Asia Pacific, Red Hat: “As innovation and agility become essential to succeed in today’s competitive business environment, organizations in Asia Pacific have shown an increased interest in hybrid cloud.

“To help them harness the full value of hybrid cloud, we are committed to empower our partners to offer solutions that provide a solid foundation for cloud-native strategies. Red Hat Certified Cloud and Service Providers are able to deliver high-quality cloud services using the latest open source technologies and innovation.”

Ghassan Zalaf, head of Customer Enablement, Bulletproof: “Red Hat plays a pivotal role in enabling us to support our customers’ interest in multi-cloud. The Red Hat Certified Cloud and Service Provider program empowers us to offer on-demand provisioning across both public and private cloud environments through tools like Red Hat CloudForms.

“Coupling that with the ongoing operational support provided by Red Hat and Rhipe, our regional CCSP distribution partner, we can now more effectively and efficiently address our customers’ changing business needs and deliver a good customer experience.”


from Help Net Security https://ift.tt/2mpAcCD

How to Craft a Perfect Email


There’s a thing kids do when they write letters or essays. They write “Oh, and...” as if the reader were receiving their words in real time. They don’t know how to hide their stream of consciousness from their writing. If you’re writing in a burst of inspiration, you might do it too. Writing your thoughts out is fine. But before you send, you should edit.

All writing is, at some level, a stream of consciousness. But if you respect your recipients’ time, or if you just want to look like you have your shit together, you should always do a quick edit on any email (or memo or document or blog post) over three sentences long.

This is especially important when you’re writing outside your wheelhouse. If you’re writing a high-stakes email, or a speech you’re not used to giving, you’re more likely to become too self-aware, and to nervously put that self-awareness into your writing. You write about the process of writing, whether you know it or not. You define terms that no one needs defined. Your sentences refer to your other sentences. You turn into Perd Hapley from Parks and Rec: “Issue number one is the first issue we’re going to talk about.” “A slogan is a series of words that have a meaning.” “The statement that this reporter has is a question.” Or, worse, you sound like the Bad President.

Go through your message and strip out all the self-reference, the second-guessing, and the redundancy. Again, it’s not a problem that you wrote all that. It’s only a problem if you don’t edit it out. It’s similar to another basic editing tool: Delete the first paragraph, which you probably spent warming up. Delete the last paragraph, which was repetitive or overreaching. Save your readers time and energy.

This is one tactic in the larger strategy of BLUF: Bottom Line Up Front. Other tactics include putting a tl;dr on the top of your message, and providing context for all requests. This blog post from content marketing agency Animalz describes the full strategy, with examples. It takes the nebulous concept of “editing” and gives it purpose and direction: to make an email that convinces people to do what you want.


from Lifehacker https://ift.tt/2misOZM

Should You Consider a No-Penalty CD?


If you know only one thing about certificates of deposit, you probably know that this type of investment has a fixed period. You might put your money into a CD for nine months, a year, two years or more, but no matter which you choose, you won’t be able to access that money until that period ends—that’s the CD’s maturity date. If you need your money sooner, you’ll pay a fee.

CDs have typically been attractive savings tools because they offer slightly higher interest rates for the inconvenience of having your money locked up for the term.

But no-penalty CDs allow you to withdraw your funds at any time during the term, without charging a fee. You might also see these listed as liquid, risk-free, or access CDs. And their interest rates aren’t too different from traditional CDs.

What rates to expect from a no-penalty CD

CD rates right now range between 2.3% on the high end and 0.25% on the very low end for a one-year term. Those returns aren’t exactly thrilling: If you got a 12-month CD with a $500 deposit at 2.25%, you’d earn a whopping $11. But there’s something wonderful to be said about financial predictability, especially when you’re trying to focus on savings.

No-penalty CDs aren’t as flexible as savings accounts—you usually have to withdraw all the money at once and close that CD instead of taking bits and pieces as you need them—and they can be hard to find. Check online-only banking options if your bank or credit union doesn’t offer a no-penalty CD. Ally and Marcus by Goldman Sachs both offer them with interest rates right at 2%, for example, although Ally requires a $25,000 deposit for theirs. Marcus only requires $500 to get started.

If you’re willing to trade a bit of interest for convenience, it’s worth considering for short term savings you want to keep out of sight and mind.

Who should consider a no-penalty CD

If you have a healthy emergency fund and want to keep saving

It’s a good rule of thumb to save 3-6 months of your expenses in case of an emergency, but you don’t need to keep all that cash handy. Aside from having enough money easily accessible to get you through a car breakdown or an unexpected trip to the vet, you may want to keep that savings in a separate savings account that’s not so easy to access. Interest rates have been dropping for high-yield savings accounts, in line with interest rate reductions from the Federal Reserve. But some no-penalty CDs have rates that are at least as good as those savings accounts.

If you’re saving up for something special

The big family reunion in Hawaii isn’t happening for two years, but you know you should start saving now. Or you know you’ll want to buy a new car in the next year or two, but you’re not in a rush because it’s smooth sailing in your current car. Once you save a good chunk of money—many CDs have a minimum deposit amount like $500 or $1,000—you can stick it in a CD and watch it grow (slowly, but surely) for a year. Save up another considerable amount? You can’t continue to add to a CD like you can with a savings account, but you could open another CD.

If your high yield savings account is bumming you out

If you’ve been watching high-yield interest rates dip after the Federal Reserve adjusts rates, you may be considering jumping ship to a better offer. But a no-penalty CD could give you a competitive interest rate while still keeping your cash accessible. Instead of dealing with fluctuating interest rates that can make your return harder to predict, a CD will offer a fixed interest rate for the entire term.


from Lifehacker https://ift.tt/2oChdFQ

This Picture Frame Is Also a Qi Charger, And It's Never Been Cheaper


Qi pads are great, but when they’re not in use, they’re basically just taking up space. Twelve South’s PowerPic, though, hides all of its charging components inside of a regular picture frame, so it’ll add to your room’s decor even when it’s not juicing up your phone.

The 5x7 frame is constructed from New Zealand pine, and comes in black or white, both of which are down to an all-time low $50 on Amazon right now. Bonus points if you change your phone’s wallpaper to blend in with the photo while it charges.



from Lifehacker https://ift.tt/2ozsCGh

How to Help Pets of Military Service Members on Deployment


When a military service member is deployed, that often means finding a long-term boarding situation for their pet—or facing the possibility of surrendering their animal. If you want to help these service members and provide them some comfort while away from home, you can use Dogs on Deployment to volunteer as a temporary foster parent for their pets.

Through its foster network, the organization connects service members with temporary caretakers. (It also helps veterans and spouses of members who are dealing with illness or are pregnant and unable to care for a pet.) According to its website, the organization has helped coordinate fosters for almost 1,800 military service members’ pets.

“We fostered a beautiful dog for a wonderful soldier while he was on deployment,” one user wrote on Facebook regarding her experience as a foster parent. “... We sent regular pictures and updates to her dad so he would know she was well cared for.”

To find available pets in need of a foster parent near you, plug in your zip code and listings should appear; as the organization’s website mentions, if you live near a military base, you’re likely to see a greater number of listings available (in places like San Diego, for example; in New York City, not so much). Otherwise, expand your radius while browsing so you can see all available pets in your state.

Once you’ve found a pet in need, you’ll have to register and create an account as a “DoD Boarder.” From there, you can reach out to the military service member to discuss foster details. If you don’t see any pets in need in your area, you can create an account anyway so that service members can reach out in the future.

Dogs on Deployment also accepts donations for their efforts. These donations will go toward providing pet-related financial assistance for military service members who are not currently deployed, too. And if you haven’t fostered an animal before, be sure to check out our guide so you can prepare as best as possible.


from Lifehacker https://ift.tt/2mVdO4B

Your Joke's Not Funny Anymore



“I serve banquets. I’ve had many middle-aged men say the same exact joke to me when serving their Cream of Chicken with Wild Rice: ‘How do you tame wild rice?’” So says Reddit user Krisperrr, answering the question: “What’s the ‘It didn’t scan, so it must be free hur hur hur’ of your profession?” 

If you’ve ever worked a service job, you cringe in sympathy for Krisperrr, and how they must have to smile at this long-dead joke, a joke that may have been funny in some 1950s rom-com. You can imagine Krisperrr, a consummate professional, pretending to each boring old man that he has had an original thought. It’s time for the old men to stop.

Here are the jokes that Redditors have heard too many times. If you’ve never heard them before, a lot of them will be funny! That’s the thing about jokes. “Why did the chicken cross the road” is an excellent joke, but if you expect anyone over the age of five to laugh at it, they will rightly assume that you have brain worms.

TokenFroKid:

I’m obligated to ask those visiting my work place if they have any weapons to declare.

“Just these guns!” flex

leazypeazy2:

Selling lottery tickets. I’m like, what numbers would you like? Everyone be like “the winning ones.”

Bruh

purplebeeswax:

I’m in ultrasound. We do a hell of a lot more than just scanning pregnant people, but we get a lot of people who ask, “Is it a boy or a girl? HAHAHA” during abdominal and vascular studies.

The-Shaffy:

I work in the Deaf community and people always see the name of the charity I work for and say “Pardon?” then laugh like they’re the funniest person in the world.

Good lord.

See, this one from Redditor brogaant feels funny, but that’s because I don’t have to hear it all day:

Vet tech here. Whenever I take a patient’s temperature: “Aren’t you going to at least buy her dinner first?”

liteultom shows that even your topical jokes are old:

Bike messenger. Every year during the Tour De France: “You’re lost, buddy?” All f*cking day long.

BigDawgWol:

Travel Money Bureau. Every time I’m checking if some notes are legit or not, it’s “They should be fine, I printed them this morning.” Har de har har.

Groovy_Chainsaw:

Mail carrier here. “You can keep the bills!” hur hur hur

Here’s a less-expected one from IT worker BrotherCool:

When you’re sitting at a user’s desk and working on their PC, 99% of the time some asshole co-worker will stop by and say, “Oh, (user who usually sits there)! You’ve changed!”

“Every day of my damn life,” replies ShakCentral.

it5th3m1ckster:

Stripper here. Our version is definitely: “How about I give YOU a lap dance!”

dingleberry85:

Psychologist. “Are you analyzing me now?” The true answer is almost always, I am too apathetic about you to care that much.

Back2Bach:

As a church musician, I’ve heard things like, “How does it feel to have the largest organ in town?”

Pizza deliverers have it hard. sxmanderson says:

If you happen to pass by anyone else at all on your way to the customer, they will say “You can just leave that right here ha ha ha.”

And that’s the best case. Imagine being such a jerk that you’d do this to ginger_whiskers:

Never sure if this was supposed to be funny or just a really stupid scam, but...

Used to deliver pizza. Almost every time I got an order for a public place, someone would jokingly try to claim it. But not just “My pizza! Lolnope who ya looking for?” They’d go through almost the entire transaction. Correct pizza, yep, I pull it out, they ask for cheese and peppers, that’s $21.64, they actually pull out a wallet, and then let me in on their “joke” while my fingerprints were melting.

Then they pile on asking if I have free samples in the car. I no longer work with the public.

No wait, imagine being the kind of dick who made this “joke” to 69schrutebucks:

Cake decorator here: people would come pick up their orders and jokingly tell me I spelled the name on the cake incorrectly. They would watch me get upset with myself and offer to fix it, then tell me they were just kidding.

Really has anyone ever thought for one second before opening their mouth? From WSWOP:

I used to be in the beer industry (selling to supermarkets) and I’d get “you can just load that pallet into my truck” every day.

Now I’m in the elevator industry and about once a week I get “I bet that has its ups and downs.”

OK, not gonna lie, I feel like this one is actually good every time. From d16y8sohc:

Paramedic here, I ALWAYS get the old ladies saying “Oh! My taxi!” Or “You coming back for me later?”

And wowbaggerjules was on the wrong side of the exchange:

I recently went through US Customs and the officer asked me the standard “do you have cash more than $10,000 on you?” question.

I responded: “I wish! HURHURHUR”

Her response: “If I had a penny for everyone who cracked that joke in front of me, I’d have the $10,000 by now.”

...I totally deserved that.

Some dumb jokes cut across all service jobs. Every customer service agent, waitperson, or anyone who has to ask “Can I get you anything else” has heard all your corny answers. “Yeah, a thousand bucks!” Oh you card! Every IT pro, Apple Genius, and repair worker has heard “Guess I get a new one!” Everyone who ever rang up a purchase has heard “Guess it’s free!”

Even CreativeUsernameUser, a teacher, hears “Oh, you can’t find my paper, must mean I get a 100% on it.” At least that one’s coming from actual children.

Next time you’re about to deliver a witticism to someone who’s doing their job—or make a joke about their name, or about their physical appearance or something else they can’t control—ask yourself two things:

  1. Is it conceivable that someone has made this joke before?
  2. If this person doesn’t like your joke, are they at all socially obligated to pretend they did?

If the answer to either is yes, do not make that joke!

It’s not that you’re not allowed to be funny. It’s wonderful to be funny! It’s not wonderful to tell a worn-out joke to someone who can’t give an honest reaction. That’s tedious and a little bullying, and even if they don’t admit it, it makes them like you less. Don’t whine about it. Get some new material.

If you hear the same joke over and over at your job, you probably have a silent retort. A lot of redditors shared theirs. For example, a doctor complained about patients who answer “What’s wrong?” with “You tell me, you’re the doctor!” User1539 suggested this: “Well first off, you’re insufferable.” The Reddit thread has more retorts you can’t say out loud, and some you can.

Krisperrr has their own answer about taming wild rice: “With a very small saddle!”

Quotes have been edited for clarity.


from Lifehacker https://ift.tt/2mhESdL

Social media manipulation as a political tool is spreading


Social media manipulation is getting worse: as more governments use it to manipulate public opinion, it’s becoming a rising threat to democracy, according to a new report from the Oxford Internet Institute.

There’s nothing new about political parties and governments using propaganda, but the new normal includes toxic messaging that’s easy to spread on a global scale with the brawny new tools for targeting and amplification, they said.

According to the University of Oxford’s Computational Propaganda Research Project, the use of algorithms, automation, and big data to shape public opinion – i.e. computational propaganda – is becoming “a pervasive and ubiquitous part of everyday life.”

For its third annual report, the project examined what it calls “cyber troop” activity in 70 countries. Cyber troops is the collective term for government or political party actors that use social media to manipulate public opinion, harass dissidents, attack political opponents or spread polarizing messages meant to divide societies, among other things.

Over the past two years, there’s been a 150% increase in the number of countries using social media to launch manipulation campaigns, the project found.

The use of computational propaganda to shape public attitudes via social media has become mainstream, extending far beyond the actions of a few bad actors. In an information environment characterized by high volumes of information and limited levels of user attention and trust, the tools and techniques of computational propaganda are becoming a common – and arguably essential – part of digital campaigning and public diplomacy.

What accounts for the growth?

Part of the growth can be attributed to observers getting more sophisticated when it comes to identifying and reporting such manipulation campaigns, given digital tools and a more precise vocabulary to describe the cyber troop activity they uncover, the researchers said.

The researchers say that some of the growth also comes from countries new to social media that are experimenting with the tools and techniques of computational propaganda during elections or as a new tool of information control.

Their favorite online platforms

The researchers found evidence that 56 countries are running cyber troop campaigns on Facebook. That makes it once again the No. 1 platform for such activity, the researchers found, due to its market size – it’s one of the world’s largest social network platforms – as well as its reach, with the ability to influence not only target audiences, but also their networks, including close family and friends. Facebook also works well as a propaganda tool due to its dissemination of political news and information, and the ability to form groups and pages.

In response to media inquiries about the report, Facebook said that showing users accurate information is a “major priority” for the company. From a spokesperson:

We’ve developed smarter tools, greater transparency, and stronger partnerships to better identify emerging threats, stop bad actors, and reduce the spread of misinformation on Facebook, Instagram and WhatsApp.

Over the past year, the project has also seen cyber troop activity growing on image- and video-sharing platforms such as Instagram and YouTube, as well as on WhatsApp. The researchers believe that in the next few years, political communications will grow on these visual platforms.

Samantha Bradshaw, one of the report’s authors, told Reuters that on platforms like these, users are seeing fake news that’s delivered in quick, easily digestible hits that don’t strain the brain:

On Instagram and YouTube it’s about the evolving nature of fake news – now there are fewer text-based websites sharing articles and it’s more about video with quick, consumable content.

It’s difficult to police visual content

Bradshaw said that the move to visual content as a propaganda tool will make it tougher for platforms to automatically identify and delete this kind of material. Unfortunately, we can’t rely on users to report even horrific videos, let alone visual content that’s merely misleading or biased.

The Christchurch, New Zealand terrorist attack in March is an example of what type of material can flow freely on social media. Facebook said in a statement that it took 29 minutes and thousands of views before it was finally reported and ultimately removed.

During that time, the video was repeatedly shared and uploaded across even more platforms.

Bradshaw:

It’s easier to automatically analyze words than it is an image. And images are often more powerful than words with more potential to go viral.

Strategies, tools, techniques

Over the past three years, the researchers have been tracking the use of three types of fake accounts used in computational propaganda campaigns: bot, human, and cyborg. Bots, highly automated accounts designed to mimic human behavior online, are often used to amplify narratives or drown out political dissent, they said. They found evidence of bot accounts being used in 50 of the 70 countries they tracked.

They found that humans are behind even more fake accounts, though. Such accounts engage in conversations by posting comments or tweets, or by private messaging people. These accounts were found in 60 out of the 70 countries covered in this year’s report. The third type of fake account, cyborg accounts, is a hybrid that blends automation with human curation.

This year, the project added a fourth type of fake account: hacked or stolen ones. They’re not fake, per se, but high-profile accounts with a wide reach are attractive to hijackers. Such accounts are used strategically to spread pro-government propaganda or to censor freedom of speech by revoking access to the account by its rightful owner, the researchers say.

Some key findings from the report:

  • 87% of countries use human-controlled accounts
  • 80% of countries use bot accounts
  • 11% of countries use cyborg accounts
  • 7% of countries use hacked/stolen accounts
  • 71% of these accounts spread pro-government or pro-party propaganda
  • 89% attack the opposition or mount smear campaigns
  • 34% spread polarizing messages designed to drive divisions within society
  • 75% of countries used disinformation and media manipulation to mislead users
  • 68% of countries use state-sponsored trolling to target political dissidents, the opposition or journalists
  • 73% amplify messages and content by flooding hashtags

As far as communication strategies go, the most common is disinformation or manipulated media – a more nuanced term for what we’ve been referring to as fake news. The report found that in 52 out of the 70 examined countries, cyber propagandists cooked up memes, videos, fake news websites or manipulated media in order to mislead users. In order to target specific communities with the disinformation, they’d buy ads on social media.

Trolling, doxxing and harassment are also a growing problem. In 2018, 27 countries were using state-sponsored trolls to attack political opponents or activists via social media. This year, it’s up to 47 countries.

Other tools of repression include censorship through the mass-reporting of content or accounts.

What to do?

It’s a tough nut to crack. The report doesn’t mention how you might spot, block or ignore manipulation, but it does say that we can’t blame social media for what’s happening. Democracy was starting to fall apart before social media blossomed, the researchers said:

Many of the issues at the heart of computational propaganda – polarization, distrust or the decline of democracy – have existed long before social media and even the Internet itself. The co-option of social media technologies should cause concern for democracies around the world – but so should many of the long-standing challenges facing democratic societies.

For strong democracies to flourish, we need “access to high-quality information and an ability for citizens to come together to debate, discuss, deliberate, empathize, and make concessions,” the researchers assert. In these times, we currently turn to social media to stay current. But are the platforms up to the task?

Are social media platforms really creating a space for public deliberation and democracy? Or are they amplifying content that keeps citizens addicted, disinformed, and angry?

Start them young

While the Oxford University researchers didn’t delve into methods to spot fake news, others are working on it. For example, in June 2019, Google launched an initiative to help train kids to spot fake news.

The lesson plans are designed to keep kids safe and make them better online citizens. They teach how to scrutinize emails and text messages to spot phishers, how to respond to suspicious messages to verify the sender’s identity, and other techniques that help shield people from the mental warfare of cyber troops: how to spot and interact with chatbots, how to use criteria like motive and expertise to establish credibility when evaluating sources, how to spot fake URLs, and how to evaluate headlines.

Google’s initiative – part of its Be Internet Awesome initiative – is part of a broader effort to stop the spread of fake news. Earlier this year, it also released fact-checking tools for journalists to tag stories that debunk misinformation. Mozilla also has its own fake news-fighting effort.

And if the social media platforms and other internet giants can’t work this out, and if all else fails, at least we have mice.


from Naked Security https://ift.tt/2n7zCd0

What's Coming and Going From Netflix the Week of September 30, 2019


Adapted from the comic book of the same name by Dennis Liu and Jason Piperburg, Raising Dion (Friday) is a child-with-superpowers series that stars both Michael B. Jordan and a ton of fun CGI. MBJ also executive produced, so you’re probably going to want to check this one out, especially if you’re still a little weepy over the breakup of the Netflix/Marvel partnership and need some superhero fodder to fill the void.


Arriving This Week

Monday, September 30

  • Gotham: Season 5
  • Mo Gilligan: Momentum — NETFLIX ORIGINAL

Tuesday, October 1

  • Carmen Sandiego: Season 2 — NETFLIX FAMILY
  • Nikki Glaser: Bangin’ — NETFLIX ORIGINAL
  • 93 days
  • A.M.I.
  • Along Came a Spider
  • Bad Boys
  • Bad Boys II
  • Blow
  • Bring It On, Ghost: Season 1
  • Charlie’s Angels
  • Charlie’s Angels: Full Throttle
  • Cheese in the Trap: Season 1
  • Chicago Typewriter: Season 1
  • Crash
  • Exit Wounds
  • Good Burger
  • Harold & Kumar Escape from Guantanamo Bay
  • Honey 2
  • House of the Witch
  • Lagos Real Fake Life
  • Men in Black II
  • Moms at War
  • No Reservations
  • Ocean’s Thirteen
  • Ocean’s Twelve
  • One Direction: This Is Us
  • Payday
  • Rugrats in Paris: The Movie
  • Scream 2
  • Senna
  • Signal: Season 1
  • Sin City
  • Sinister Circle
  • Supergirl
  • Superman Returns
  • Surf’s Up
  • The Bucket List
  • The Flintstones
  • The Flintstones in Viva Rock Vegas
  • The Island
  • The Pursuit of Happyness
  • The Rugrats Movie
  • The Time Traveler’s Wife
  • Tomorrow with You: Season 1
  • Trainspotting
  • Troy
  • Tunnel: Season 1
  • Unaccompanied Minors
  • Walking Out

Wednesday, October 2

Thursday, October 3

Friday, October 4

Saturday, October 5

Leaving This Week

Leaving October 1

  • A.I. Artificial Intelligence
  • All the President’s Men
  • Bonnie and Clyde (1967)
  • Bring It On: In It to Win It
  • Cabaret (1972)
  • Casper
  • Cat on a Hot Tin Roof
  • Charlie and the Chocolate Factory (2005)
  • Cloverfield
  • Deliverance
  • Divine Secrets of the Ya-Ya Sisterhood
  • Empire Records
  • Evolution
  • Forks Over Knives
  • Frances Ha
  • Free State of Jones
  • Get Carter
  • Gremlins
  • Hoosiers
  • Impractical Jokers: Season 1
  • In Bruges
  • Julie & Julia
  • Lakeview Terrace
  • Midsomer Murders: Series 1-19
  • Obsessed
  • Pineapple Express
  • Platoon
  • Quiz Show
  • She’s Out of My League
  • The Dukes of Hazzard
  • The Nightmare
  • The Sisterhood of the Traveling Pants
  • The Sisterhood of the Traveling Pants 2
  • Who’s Afraid of Virginia Woolf?

Leaving October 5


from Lifehacker https://ift.tt/2mhlCx7

Outlook on the web bans a further 38 file types


News for Outlook on the web users who regularly email attachments: Microsoft is about to put another 38 file extensions on its “too risky to receive” blocklist.

Once there – implemented through Outlook’s BlockedFileTypes filter – Outlook for the web recipients will no longer be able to receive attachments using these extensions.

Microsoft already restricts 104 file extensions and, in truth, the 38 added to this list aren’t ones most Outlook for the web users will have need to send often, assuming they’ve heard of some of them at all.

The better-known extensions on the latest list are:

Python: .py, .pyc, .pyo, .pyw, .pyz, .pyzw

PowerShell: .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .psd1, .psdm1, .cdxml, .pssc

Java: .jar, .jnlp

Digital certificates: .cer, .crt, .der

And some less well-known ones:

Windows ClickOnce: .appref-ms

Microsoft Data Access Components (MDAC): .udl

Windows Sandbox: .wsb

Vulnerable legacy applications: .appcontent-ms, .settingcontent-ms, .cnt, .hpj, .website, .webpnp, .mcf, .printerexport, .pl, .theme, .vbp, .xbap, .xll, .xnk, .msu, .diagcab, .grp

The reason for the move is security. Attachments, including ones with obscure extensions, have long been a popular technique for sneaking malware past inbox security checks once widely used extensions such as .docx and .pdf became too obvious.

Outlook’s 142-strong blocklist opens even more clear water between itself and Google, whose current Gmail/G Suite blocklist contains only the following 44 extensions:

.ade, .adp, .apk, .appx, .appxbundle, .bat, .cab, .chm, .cmd, .com, .cpl, .dll, .dmg, .exe, .hta, .ins, .isp, .iso, .jar, .js, .jse, .lib, .lnk, .mde, .msc, .msi, .msix, .msixbundle, .msp, .mst, .nsh, .pif, .ps1, .scr, .sct, .shb, .sys, .vb, .vbe, .vbs, .vxd, .wsc, .wsf, .wsh

The restriction on .js and .jse (JavaScript) files was implemented as recently as February 2017.

Bypassing blocking

What happens if there is a genuine need to receive files with a banned extension?

Assuming the sender and recipient aren’t able to use a different email system, the easiest way is for Office 365, Exchange Server, or Exchange Online admins to allowlist specific extensions.

In a strange anomaly, one file extension not on the blocklist is .ace, a compressed WinRAR file format which earlier this year was discovered to have a 19-year-old flaw (CVE-2018-20250) cybercriminals had started exploiting.

Although not discovered by Microsoft, the company was prominent in warning users about the threat posed by malicious files using this file extension.

It’s true that admins can configure Exchange/Outlook to block this extension, but wouldn’t it have been easier to do it by default?
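The blocklists quoted above, and the admin allowlisting described in this section, come down to a simple policy check on the attachment’s file extension. The following is an added example, not Microsoft’s or Google’s code and not from the original article: it embeds the 38 new Outlook on the web extensions and the 44 Gmail extensions exactly as the article lists them, normalizes a filename the way a gateway check must (lower-casing, stripping any path, and dropping trailing dots and spaces, which Windows discards when the file is saved, so `invoice.pdf.PS1.` still lands as a PowerShell script), and applies a constructed allowlist-overrides-blocklist rule standing in for an admin allowlist. The function names, the allowlist semantics and the sample filenames are this example’s own assumptions.

```python
"""Attachment-extension policy check modelled on the Outlook on the web and
Gmail blocklists quoted in the article (added example; the policy logic and
sample filenames are constructed, not vendor code)."""

# The 38 extensions the article says Outlook on the web is adding
# (the article's list printed .psd1/.psdm1 twice; collapsed here).
OUTLOOK_NEW_BLOCKED = frozenset({
    ".py", ".pyc", ".pyo", ".pyw", ".pyz", ".pyzw",
    ".ps1", ".ps1xml", ".ps2", ".ps2xml", ".psc1", ".psc2",
    ".psd1", ".psdm1", ".cdxml", ".pssc",
    ".jar", ".jnlp",
    ".cer", ".crt", ".der",
    ".appref-ms", ".udl", ".wsb",
    ".appcontent-ms", ".settingcontent-ms", ".cnt", ".hpj", ".website",
    ".webpnp", ".mcf", ".printerexport", ".pl", ".theme", ".vbp", ".xbap",
    ".xll", ".xnk", ".msu", ".diagcab", ".grp",
})

# Gmail's 44-extension blocklist, as quoted in the article.
GMAIL_BLOCKED = frozenset({
    ".ade", ".adp", ".apk", ".appx", ".appxbundle", ".bat", ".cab", ".chm",
    ".cmd", ".com", ".cpl", ".dll", ".dmg", ".exe", ".hta", ".ins", ".isp",
    ".iso", ".jar", ".js", ".jse", ".lib", ".lnk", ".mde", ".msc", ".msi",
    ".msix", ".msixbundle", ".msp", ".mst", ".nsh", ".pif", ".ps1", ".scr",
    ".sct", ".shb", ".sys", ".vb", ".vbe", ".vbs", ".vxd", ".wsc", ".wsf",
    ".wsh",
})


def normalize_extension(filename: str) -> str:
    """Return the effective final extension, lower-cased, or '' if none.

    Trailing dots and spaces are stripped because Windows drops them when the
    file is written, so 'evil.ps1.' is saved as 'evil.ps1'. Only the last
    suffix counts: 'invoice.pdf.py' is a .py file, whatever the name suggests.
    """
    name = filename.rstrip(" .").lower()
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # drop any path part
    dot = base.rfind(".")
    if dot <= 0:  # no dot, or a leading-dot name such as '.bashrc'
        return ""
    return base[dot:]


def evaluate(filename: str, blocked=OUTLOOK_NEW_BLOCKED, allowed=frozenset()) -> str:
    """Constructed policy: an explicit admin allowlist overrides the blocklist.

    Returns 'allowed-by-policy', 'blocked' or 'allowed'.
    """
    ext = normalize_extension(filename)
    if ext in allowed:
        return "allowed-by-policy"
    if ext in blocked:
        return "blocked"
    return "allowed"


def scan(filenames, blocked=OUTLOOK_NEW_BLOCKED, allowed=frozenset()):
    """Evaluate a batch of attachment names; returns [(name, verdict), ...]."""
    return [(name, evaluate(name, blocked, allowed)) for name in filenames]


def gmail_overlap():
    """Extensions Gmail already blocks that are in Outlook's new batch."""
    return sorted(GMAIL_BLOCKED & OUTLOOK_NEW_BLOCKED)


if __name__ == "__main__":
    # Constructed sample attachment names, not from any real mailbox.
    samples = [
        "Quarterly report.docx",
        "invoice.pdf.PS1.",          # double extension plus trailing dot
        "C:\\Users\\me\\deploy.jar",
        "server.cer",
        ".bashrc",
    ]
    # Hypothetical admin allowlist for a team that legitimately exchanges .cer files.
    for name, verdict in scan(samples, allowed={".cer"}):
        print(f"{name!r:40} -> {verdict}")
    print("already blocked by Gmail too:", gmail_overlap())
```

Run it as a script to see the verdicts for the sample names; the `gmail_overlap` helper shows that only .jar and .ps1 of the new Outlook batch were already on Google’s list, which is the gap between the two providers the article points to.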


from Naked Security https://ift.tt/2mRenfH

Supply-Chain Security and Trust

The United States government's continuing disagreement with the Chinese company Huawei underscores a much larger problem with computer technologies in general: We have no choice but to trust them completely, and it's impossible to verify that they're trustworthy. Solving this problem – which is increasingly a national security issue – will require us to both make major policy changes and invent new technologies.

The Huawei problem is simple to explain. The company is based in China and subject to the rules and dictates of the Chinese government. The government could require Huawei to install back doors into the 5G routers it sells abroad, allowing the government to eavesdrop on communications or – even worse – take control of the routers during wartime. Since the United States will rely on those routers for all of its communications, we become vulnerable by building our 5G backbone on Huawei equipment.

It's obvious that we can't trust computer equipment from a country we don't trust, but the problem is much more pervasive than that. The computers and smartphones you use are not built in the United States. Their chips aren't made in the United States. The engineers who design and program them come from over a hundred countries. Thousands of people have the opportunity, acting alone, to slip a back door into the final product.

There's more. Open-source software packages are increasingly targeted by groups installing back doors. Fake apps in the Google Play store illustrate vulnerabilities in our software distribution systems. The NotPetya worm was distributed by a fraudulent update to a popular Ukrainian accounting package, illustrating vulnerabilities in our update systems. Hardware chips can be back-doored at the point of fabrication, even if the design is secure. The National Security Agency exploited the shipping process to subvert Cisco routers intended for the Syrian telephone company. The overall problem is that of supply-chain security, because every part of the supply chain can be attacked.

And while nation-state threats like China and Huawei – or Russia and the antivirus company Kaspersky a couple of years earlier – make the news, many of the vulnerabilities I described above are being exploited by cybercriminals.

Policy solutions involve forcing companies to open their technical details to inspection, including the source code of their products and the designs of their hardware. Huawei and Kaspersky have offered this sort of openness as a way to demonstrate that they are trustworthy. This is not a worthless gesture, and it helps, but it's not nearly enough. Too many back doors can evade this kind of inspection.

Technical solutions fall into two basic categories, both currently beyond our reach. One is to improve the technical inspection processes for products whose designers provide source code and hardware design specifications, and for products that arrive without any transparency information at all. In both cases, we want to verify that the end product is secure and free of back doors. Sometimes we can do this for some classes of back doors: We can inspect source code – this is how a Linux back door was discovered and removed in 2003 – or the hardware design, which becomes a cleverness battle between attacker and defender.

This is an area that needs more research. Today, the advantage goes to the attacker. It's hard to ensure that the hardware and software you examine is the same as what you get, and it's too easy to create back doors that slip past inspection. And while we can find and correct some of these supply-chain attacks, we won't find them all. It's a needle-in-a-haystack problem, except we don't know what a needle looks like. We need technologies, possibly based on artificial intelligence, that can inspect systems more thoroughly and faster than humans can do. We need them quickly.

The other solution is to build a secure system, even though any of its parts can be subverted. This is what the former Deputy Director of National Intelligence Sue Gordon meant in April when she said about 5G, "You have to presume a dirty network." Or more precisely, can we solve this by building trustworthy systems out of untrustworthy parts?

It sounds ridiculous on its face, but the internet itself was a solution to a similar problem: a reliable network built out of unreliable parts. This was the result of decades of research. That research continues today, and it's how we can have highly resilient distributed systems like Google's network even though none of the individual components are particularly good. It's also the philosophy behind much of the cybersecurity industry today: systems watching one another, looking for vulnerabilities and signs of attack.

Security is a lot harder than reliability. We don't even really know how to build secure systems out of secure parts, let alone out of parts and processes that we can't trust and that are almost certainly being subverted by governments and criminals around the world. Current security technologies are nowhere near good enough, though, to defend against these increasingly sophisticated attacks. So while this is an important part of the solution, and something we need to focus research on, it's not going to solve our near-term problems.

At the same time, all of these problems are getting worse as computers and networks become more critical to personal and national security. The value of 5G isn't for you to watch videos faster; it's for things talking to things without bothering you. These things – cars, appliances, power plants, smart cities – increasingly affect the world in a direct physical manner. They're increasingly autonomous, using A.I. and other technologies to make decisions without human intervention. The risk from Chinese back doors into our networks and computers isn't that their government will listen in on our conversations; it's that they'll turn the power off or make all the cars crash into one another.

All of this doesn't leave us with many options for today's supply-chain problems. We still have to presume a dirty network – as well as back-doored computers and phones – and we can clean up only a fraction of the vulnerabilities. Citing the lack of non-Chinese alternatives for some of the communications hardware, already some are calling to abandon attempts to secure 5G from Chinese back doors and work on having secure American or European alternatives for 6G networks. It's not nearly enough to solve the problem, but it's a start.


Perhaps these half-solutions are the best we can do. Live with the problem today, and accelerate research to solve the problem for the future. These are research projects on a par with the internet itself. They need government funding, like the internet itself. And, also like the internet, they're critical to national security.

Critically, these systems must be as secure as we can make them. As former FCC Commissioner Tom Wheeler has explained, there's a lot more to securing 5G than keeping Chinese equipment out of the network. This means we have to give up the fantasy that law enforcement can have back doors to aid criminal investigations without also weakening these systems. The world uses one network, and there can only be one answer: Either everyone gets to spy, or no one gets to spy. And as these systems become more critical to national security, a network secure from all eavesdroppers becomes more important.

This essay previously appeared in the New York Times.


from Schneier on Security https://ift.tt/2oBM715

Ransomware attacks against small towns require collective defense


There is a war hitting small-town America. Hackers are not only on our shores, but they’re in our water districts, in our regional hospitals, and in our 911 emergency systems.

The target du jour of ransomware hackers is small towns and they have gone after them with a vengeance. Last month, the governor of Texas, Greg Abbott, declared a “Level 2 Escalated Response” as 22 of Texas’s cities were hit simultaneously with ransomware attacks, crippling local government functions. This is only declared when local authorities and first responders cannot deal with a disaster on their own and is only one step below a Level 1 Disaster declaration used for wide-area natural disasters.

This isn’t the first time ransomware hackers have gone after small governments, and it won’t be the last. According to security experts, these attacks were coordinated to hit the 22 cities at once, and evidence points to a single attacker. Now, it has been reported that the attack came from a managed service provider shared by the victims. Clearly the hackers are getting more sophisticated and brazen, representing the first wave of more virulent cyberattacks impacting the daily lives of average citizens.

Cybercriminals are targeting cities

Why are hackers suddenly interested in Main Street versus Wall Street? It seems that the criminal cyber-gangs have graduated from the old bank robber principle of going after “where the money is” and are now targeting the perfect combination of insurance coverage and vulnerability. And small government and healthcare entities have just that. They host services critical to everyday life in those areas: court records, real estate transactions, utility bills, and emergency services.

Other targeted services, like 911 phone systems, police, or emergency rooms, sit at the center of the dilemma of whether to pay off the criminals quickly or work to thwart their efforts with technology. Many small government entities lack sophisticated cyber-controls and may not have dedicated IT resources on standby. For others, they rely on local contractors who are on-call for “break-fix” type support but are incapable of responding to sophisticated cyberattacks.

Hackers have figured that out. While individual hauls might not be as large as from other targets, the likelihood of being paid is high, particularly since most of these smaller entities have insurance to pay out in the event of various disasters, including cyber.

Moving forward: Circle the wagons

Early success has drawn the attention of the hacker beehive to small government and healthcare entities, and every expectation is that attacks will intensify before they abate. Now that the vulnerabilities have been exposed, there is no easy fix to this situation. Even if smaller cities had the resources to pay for top security talent, the prospects for onsite support are limited due to employment shortages of security pros. And as long as insurance companies continue paying, the hackers will keep coming to the trough. Small towns are not going to solve this problem on their own.

One of the most promising ideas being circulated is a coordinated, pooled cyber defense fund. Ideally, this would be organized at the state level, but leverage federal funds earmarked for cyber defense. A proposed model would use a centralized workforce operating a shared Security Operations Center (SOC) for the benefit of multiple small towns.

This arrangement would offer a Fortune 500 level of IT security for a small monthly fee, not unlike the flood insurance pools used for hurricane recovery. The federal government’s participation would also come with a law enforcement investigation component that could deter some cyber thieves. Until our small town cyber defenses stop looking like the infamous Maginot Line, cyber thieves will continue to blitzkrieg them with ransomware.


from Help Net Security https://ift.tt/2n2E397

Is the era of social media Likes over?


Cast your mind back to 2014, and you might recall Mark Zuckerberg mulling the public’s desire to have a “dislike” button on Facebook.

During a public Q&A, the CEO presented button semantics as being something like a Marvel comics battle between good and evil, with the Like button presumably being, to his mind, a “force for good”:

There’s something that’s just so simple about the ‘like’ button … but giving people more ways of expressing more emotions would be powerful. We need to figure out the right way to do it so it ends up being a force for good, not a force for bad and demeaning the posts that people are putting out there.

But now, as a mounting body of research points to the number of content Likes – or lack thereof – negatively influencing some users’ self-esteem, it may be time to question whether the Like button might have turned out to be a force for bad.

Recent studies have linked increased depression, poor sleeping habits, and unhealthy body image in children and teens with higher use of social media and digital devices.

To address the mess they’ve made, at this point, Instagram – which a 2017 study found to be the worst social media app for young people’s mental health – and Facebook are taking a serious look at the possibility of doing away with Likes.

In April 2019, Instagram announced that it was running a test in Canada: it was hiding Like counts on some users’ photos and videos as an experiment to try to lessen competitiveness on the platform.

The idea: to make us feel less envious, less ashamed, and more focused on self-expression rather than like we’re vying in a personality competition. It’s all about getting people to focus on the content they share, not the likes, a spokesperson said when news about the test was announced at F8, Facebook’s annual developers conference:

We are testing this because we want your followers to focus on the photos and videos you share, not how many likes they get.

And now, three months later, Facebook itself has begun its own test: it’s removing public visibility of Like, reaction and video view counts from people’s posts and ads across Facebook. The test is only happening in Australia: Facebook told Engadget that it hasn’t decided whether to expand the test to other places in the future. Before it decides what to do next, it wants to see how the Australia test goes, Engadget reports.

While Instagram hasn’t shared the results of its Canada test yet, it can’t have gone all that poorly. In July, it expanded the Like hiding to select users in six additional countries: Australia, Brazil, Ireland, Italy, Japan and New Zealand.

The users selected to be a part of the experiment were presented with a banner notifying them about the test. This is what it says:

We want your followers to focus on what you share, not how many likes your posts get. During this test, only you will be able to see the total number of likes on your posts.

While likes get submerged from public view, they’re still viewable to the users in the test. Instagram shared a sample image with a line below the post that reads “Liked by [user] and others.”

Are these moves signaling an end to the era of social media Likes? If so, will anybody miss them?

Yes. There are influencers who’ve made careers out of posting content that racks up copious Likes. CNN Business points to one such, Sam McAllister: a 23-year-old photographer whose gorgeous photos pull in thousands of Likes. He doesn’t have a huge number of followers, but with well-Liked photos like this aerial view of Venice canals, he’s managed to get paying campaigns for companies such as airline Aer Lingus and an energy drink maker.

The loss of Likes could be a game-changer for talented newcomers who don’t already have big followings. McAllister told CNN Business that it might not work out well for him:

The fact that my posts are massively engaged has paid off for me. My main concern right now is that the number of followers a user has now defaults to be the main metric.

Another group that stands to lose out if Likes die off: companies that make millions by selling fake likes, followers and retweets to celebrities, businesses or anyone who wants to puff themselves up online.

One thing’s for sure: If Likes get to the chopping block, it’s going to be a lot easier to feel for content creators like McAllister. But in the best-case scenario, there will be ample benefits to offset that: less competition, fewer posts removed by users too embarrassed to leave them up in the face of scanty Likes, less ruined self-esteem.

Unfortunately, there are plenty of ways to cyberbully on social media. There are many ways to ruin people’s self esteem besides not Liking their posts. But let’s give credit where credit’s due: the platforms are trying to fix at least one aspect of the tangled milieu they created.

After working so hard to get us addicted to the dopamine hits those Likes have been injecting for lo, these 10 years, it’s the least they can do.

I say thumbs-down on the Like button. Readers, are you with me?


from Naked Security https://ift.tt/2nRQFQi