Monthly archives for October, 2017

Homeland Security orders federal agencies to start encrypting sites, emails

Three-quarters of the federal government uses encryption. Homeland Security says that isn’t enough.

Homeland Security is ordering federal agencies to deploy basic web and email security features in an effort to boost cybersecurity across government.

Up until now, Homeland Security had been pushing businesses and enterprise customers to enable HTTPS web encryption across the board, which helps secure data in transit but also ensures that nobody can alter the contents of the website you’re visiting. The agency has also pushed DMARC, an email validation system used to verify the identity of an email sender, which helps to protect against inbound spoofed emails and phishing attacks.

Now, Homeland Security has set its sights on government agencies, which have for years fallen behind.

The agency has issued a binding operational directive, giving all federal agencies three months to roll out DMARC across their networks. Enabling that email policy will prevent spammers from impersonating federal email addresses to send spoofed email.

The agency is also requiring all federal agencies to employ HTTPS within the next four months.

If you thought the government already had that policy, you’re not wrong.

In 2015, the Obama administration issued a directive that all federal government sites should be HTTPS by default by the end of 2016. More than two years later, about one-quarter of all federal sites still don’t support basic website encryption.

Perhaps ironically, only 70 percent of all Homeland Security domains support HTTPS. Even fewer enforce the encryption by default.

The agency hopes that the remaining non-encrypted sites can get up to speed by early next year.

The order also asks that government agencies use other kinds of encryption, such as STARTTLS, a protocol that sends email over an encrypted channel when it’s available, on their email servers.
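The directive's DMARC requirement only stops spoofing if the published policy is an enforcing one. As an added example (not code from the article or from DHS), the Python below parses constructed `_dmarc.<domain>` TXT records for hypothetical agency domains and flags the cases that still leave a domain spoofable: no record, the wrong record type, `p=none` (monitor only), or a policy applied to only part of the mail.

```python
"""Parse DMARC DNS TXT records and grade them against the spoofing-prevention
goal of the directive (added example, not from the original article).

A DMARC record lives at _dmarc.<domain> as a TXT record of semicolon-separated
tag=value pairs. The 'p' tag is the policy receivers apply to mail that fails
DMARC alignment: 'none' only monitors, 'quarantine' sends it to spam, 'reject'
refuses it. Only the latter two actually stop spoofed mail from being delivered.
The sample records below are constructed for this example, not real lookups.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records (hypothetical domains), keyed by the zone queried.
SAMPLE_TXT: Dict[str, List[str]] = {
    "_dmarc.agency-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example"],
    "_dmarc.agency-b.example": ["v=DMARC1; p=none; rua=mailto:reports@agency-b.example"],
    "_dmarc.agency-c.example": [],                          # no record at all
    "_dmarc.agency-d.example": ["v=DMARC1; p=quarantine; pct=50"],
    "_dmarc.agency-e.example": ["v=spf1 -all"],             # SPF record, not DMARC
}

@dataclass
class DmarcAssessment:
    domain: str
    present: bool
    policy: Optional[str] = None
    pct: int = 100
    rua: Optional[str] = None
    findings: List[str] = field(default_factory=list)

    @property
    def blocks_spoofing(self) -> bool:
        """True only if an enforcing policy applies to all failing mail."""
        return self.present and self.policy in ("quarantine", "reject") and self.pct == 100

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary.

    Tag names are case-insensitive; whitespace around '=' and ';' is tolerated.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain: str, txt_records: List[str]) -> DmarcAssessment:
    """Grade a domain's DMARC posture from the TXT records at _dmarc.<domain>."""
    result = DmarcAssessment(domain=domain, present=False)
    dmarc_records = [r for r in txt_records if parse_dmarc(r).get("v", "").upper() == "DMARC1"]
    if not dmarc_records:
        result.findings.append("no DMARC record: the domain can be spoofed without receivers noticing")
        return result
    if len(dmarc_records) > 1:
        # RFC 7489 tells receivers to discard the policy when several records exist.
        result.findings.append("multiple DMARC records: receivers treat this as no policy")
        return result
    tags = parse_dmarc(dmarc_records[0])
    result.present = True
    result.policy = tags.get("p")
    result.rua = tags.get("rua")
    result.pct = int(tags.get("pct", "100"))
    if result.policy not in ("none", "quarantine", "reject"):
        result.findings.append("missing or invalid 'p' tag: record is not a valid DMARC policy")
    elif result.policy == "none":
        result.findings.append("p=none only reports on spoofed mail; it does not block it")
    elif result.pct < 100:
        result.findings.append(f"pct={result.pct}: policy applies to only part of failing mail")
    if not result.rua:
        result.findings.append("no rua address: nobody receives aggregate reports")
    return result

def audit(zone_data: Dict[str, List[str]]) -> Dict[str, DmarcAssessment]:
    """Assess every _dmarc.* zone in the (constructed) DNS data, keyed by domain."""
    prefix = "_dmarc."
    return {name[len(prefix):]: assess_domain(name[len(prefix):], records)
            for name, records in zone_data.items() if name.startswith(prefix)}
```

Running `audit(SAMPLE_TXT)` against real DNS would only need the TXT lookups swapped in for the constructed dictionary; the grading logic is the same.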

News of the announcement was lauded by one privacy-minded senator, who’s been on a crusade to get federal agencies up to speed on security.

Wyden called today’s move a “good, basic step,” in a statement to ZDNet.

“STARTTLS encryption and anti-phishing technologies like DMARC are two cheap, effective ways to secure email from being intercepted or impersonated by bad guys,” he said. “It’s my hope that other government agencies recognize the clear security benefits of strong encryption, and that private sector companies move quickly to upgrade their own email security.”

Businesses need to think about a public cyber star rating

How secure is your business and its supply chain, and could it stand up to public scrutiny?

Too often when a company does a cyber boo-boo, it will get off pretty lightly by issuing a statement saying how seriously it takes security concerns, that no financial data was stolen in the breach, and that users should change their passwords to be on the safe side.

Security-minded people are likely to make a note of it in the back of their mind, but in general terms, the population moves on soon afterwards with little or no memory of what occurred.

Despite Yahoo finally confessing earlier this month that every single account was exfiltrated in 2013, the demographic and number of users that still rely on Yahoo services is unlikely to have changed.

And as for Equifax, which managed to have the personal data of around half of all Americans involved in a breach, there are very good questions to ask about how a company that failed at its one job — to keep confidential information confidential — is still in business, but perhaps the plethora of class actions will take care of that issue.

But these examples are massive, mainstream news-making breaches, and there are plenty of smaller ones that fly under the radar with little consequence.

While existing obligations such as data breach notification laws may require companies to inform users of their data being lost, in other circumstances, they may not.

Consider Australia’s upcoming data breach notification laws that only require organisations to inform users when they are at “real risk of serious harm”, alongside the case of Domino’s Australia trying to find out how its customer details have been used for spamming.

Is spamming serious enough to warrant a disclosure to customers? And even so, how many people outside of technology circles are going to head to a rival pizza store this weekend based on the ongoing spamming incident?

I would suggest that it is not too many, given the pizza chain has been in a holding pattern for the past two weeks and has suffered previous breaches all over the world in recent years, and is nowadays in a stronger position than ever.

Due to the lack of collective memory over these incidents — and the headlong rush to put microphones, cameras, and internet-connected appliances into our homes under the cover of the smart prefix — a move to remind the everyday consumer of the infosec sins that have gone before, or could be permitted, is needed.

Enter the cyber star rating system — dubbed the Cyber Kangaroo in Australia — which would function like an energy star rating, but for the security of devices and organisations.

In a perfect world, not only would a company’s rating be impacted by its own security, but also those of its suppliers. In the Domino’s case, it appears that the pizza chain’s IT systems are free of guilt, but that working with an insecure supplier is the cause of the data leak.

Regardless of where the fault lies, as far as consumers are concerned, the leak is a result of doing business with Domino’s, and, as such, it should be made to carry the can were a rating system to exist.

A cyber rating would more succinctly explain the difference between the Android and iOS patching processes, for instance, than trying to explain to people how Android updates have to pass from Google to manufacturers and finally to carriers, while iOS updates come directly from Apple. Under a cyber rating system, iOS devices could have five stars, and Androids three or four, and consumers would only need to look at the scoreboard to understand why Pixels get updates quicker than Sony or Huawei phones.

As for the Internet of Things, those devices should be handed a zero rating until capable of being proven otherwise.

It is probably beyond the abilities and funding envelopes of governments to properly oversee such a system, so it is likely to fall onto the private sector, specifically those involved in cyber insurance, which seem to be the catch-all for the further maturation of information security.

The key to this information being effective for the general public is to have it readily accessible, either at the point of purchase or via a portal of some sort. Doing so would force organisations to treat security as a first-order concern, something that is viewable and comparable by potential buyers.

In the same way that a vehicle safety rating or an energy rating label is treated by consumers, companies that fail to give cyber its proper priority, or partner with or source from those that also fail to, should be held accountable in order to let the market perform better.

It’s not perfect, but it would be a vast improvement on what we have now.

Leaked: Facebook security boss says its corporate network is run “like a college campus”

The source of the recording said Facebook’s senior management and executives were apathetic to matters of cybersecurity. Facebook’s security chief said he used one of the remarks “as a figure of speech.”

Facebook’s security chief has told employees that the social media giant needs to improve its internal security practices to be more akin to a defense contractor, according to a leaked recording obtained by ZDNet.

Alex Stamos made the comments to employees at a late-July internal meeting where he argued that the company had not done enough to respond to the growing threats that the company faces, citing both technical challenges and cultural issues at the company.

“The threats that we are facing have increased significantly and the quality of the adversaries that we are facing,” he said. “Both technically and from a cultural perspective I don’t feel like we have caught up with our responsibility.”

“The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost,” he said.

Stamos added: “We have made intentional decisions to give access to data and systems to engineers to make them ‘move fast’ but that creates other issues for us.”

The security chief also said that the company had issued a report on where the company stands from a security perspective, in what he described as a “very painful process.” He said the report will be updated every six months, when the management team are briefed on its contents.

The comments were part of an internal talk to employees during which he discussed the challenges Facebook had with keeping its networks secure, amid a growing danger of state-sponsored actors and advanced persistent threats, which in some cases have near-limitless resources.

For his part, Stamos, when reached, said that he had used the “college campus” line several times internally to describe challenges that the company faces, and used it as a figure of speech.

“My team runs network security for the company, and of course we secure it thoroughly,” he said Thursday.

Stamos denied that the comments were a criticism of the company’s management. “They care a great deal,” he said. “It’s not a criticism of anybody, just a statement of why our team needs to be creative in how we protect our corporate network.”

“Tech companies are famous for providing freedom for engineers to customize their computing environments and to experiment with new tools, frameworks and development processes,” he said. “Allowing for this freedom helps creativity and productivity, but we have to weigh that against the fact that we have become a potential target of advanced threat actors. As a result, we can’t architect our security in the same way a defense contractor can, with extremely limited computing options and no freedom.”

“Keeping the company secure while allowing the culture to blossom is a challenge, but a motivating one that I’m happy to accept,” he said.

In fairness, Stamos isn’t wrong. Facebook likely has more citizen data now than most governments, making the social network as much of a target today as defense contractors were ten years ago.

But while Facebook may not be storing plans for spy planes and autonomous drones, private citizen data is a commodity — the social network has billions of people’s data — and nation states are hungry for it.

Stamos, a staunch security and privacy advocate, joined Facebook in June 2015 after a brief stint at Yahoo as chief information security officer. While Stamos had pushed to build out an offensive security “red team” and spearheaded privacy-focused features for Yahoo’s customers, the company had reportedly taken “a back seat” on security during his tenure, largely attributed to then-chief executive Marissa Mayer’s persistent clashes with Stamos over funding for security features and defense. Stamos left after a little more than a year in the job, reportedly after Mayer’s decision to acquiesce to a top-secret classified order to scan emails of Yahoo customers, which the security team is said to have only discovered when it thought the company had been hacked.

The recording’s source, who has intimate knowledge of Facebook’s security systems and internal processes but did not want to be named, said that the threats that the company faces are “way above [Facebook’s] ability to handle.”

But while the source argued that Stamos has internally pushed for stronger cybersecurity, policies, and processes, executives are too busy lobbying lawmakers and focusing on the company’s vision and products, the source said, citing its “move fast” strategy (which has since been partially retired), and are not listening enough to the company’s security professionals.

Although Facebook has seen its fair share of privacy scandals over the years, it hasn’t yet fallen victim to a data breach like Yahoo, Equifax, LinkedIn and Myspace.

The source indicated that Facebook was likely on borrowed time. It’s a “painful process to get security across to executives,” the source told ZDNet.

Even though the company has so far escaped the “hacked” headlines, its platform is still open to abuse.

Tech companies, including Facebook, are feeling the heat after admitting that Russian adversaries had used the platform to buy ads to influence the 2016 election. Congress is currently investigating the role that Russia had in the election. Several other companies, including Google and Twitter, have also discovered their ads were bought by the Russians in the months running up to the election.

As adversaries get stronger and more capable, security experts argue that it’s only a matter of time before even the bigger companies get hacked, and the odds are almost never in the defender’s favor.

While companies need to defend against every hack and intrusion, the hackers only have to succeed once.


Cloud vulnerabilities are being ignored by the enterprise

RedLock’s latest cloud security report suggests that organizations are failing in the most basic security practices.

The enterprise is still ignoring the most basic security precautions when using cloud services, researchers claim.

On Thursday, RedLock released its annual cloud security report, which suggests that vulnerabilities in the cloud are being outright ignored, with poor database security and key leaks commonplace.

After analyzing customer environments, the cloud security firm said that roughly 38 percent of organizations in the enterprise have user accounts active which have potentially been compromised, and 37 percent of company databases allow inbound connections from the web, which is generally a poor security practice to implement.

In addition, seven percent of these databases are permitting requests from suspicious IP addresses, which suggests they have been compromised.

Throughout their research, the RedLock team discovered at least 250 organizations, many of them far larger than SMEs, that were leaking “access keys and secrets” from their cloud computing environments — a similar scenario to the recent Viacom security debacle.

According to the report, a total of 53 percent of companies which use cloud storage services such as the Amazon Simple Storage Service (Amazon S3) have accidentally exposed these services to the public, 45 percent fall short of CIS (Center for Internet Security) security standards and checks, and 46 percent of these violations are “high severity issues” including network configurations which allow inbound SSH connections from the Internet.

In addition, the enterprise players included in the research failed 48 percent of PCI data security standard checks on average, and 19 percent of failures were critical — such as failing to encrypt databases.

Hundreds of organizations are also leaking credentials through misconfigured services such as Kubernetes and Jenkins, the team claims, and a total of 64 percent of enterprise databases are not encrypted.

The researchers also found Kubernetes administrative consoles deployed on AWS, Microsoft Azure, and the Google Cloud Platform that were not password protected, and in some containers, threat actors were running illegitimate Bitcoin mining operations. This, in turn, has turned legitimate business infrastructure into bots generating revenue fraudulently.

In addition, access keys and secret tokens were discovered within Kubernetes instances that were stored in cleartext, granting attackers the opportunity to compromise critical infrastructure.

In total, 81 percent of companies do not manage host vulnerabilities in the cloud effectively. They may utilize vulnerability scanning tools, but fail to map the data from these tools to create a picture of cloud-specific content and threats, which may open the gates to compromise.

“Host vulnerability data needs to be correlated with host configurations in the cloud that can help identify the business purpose of the host and help prioritize patching,” the team says. “For example, is this host a webserver or a database server? Is it running in production or staging? In addition, the network traffic should be monitored to identify whether the vulnerabilities are actually exploitable.”
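The findings above (databases open to the web, SSH exposed to the Internet, unencrypted databases, public storage buckets) and the prioritisation the quote describes can be expressed as a small audit. The Python below is an added example, not RedLock’s tooling or data: it runs over a constructed inventory with hypothetical resource names and placeholder vulnerability identifiers, and ranks host vulnerabilities by role, environment and exposure rather than by CVSS score alone.

```python
"""Audit a constructed cloud inventory for the misconfigurations the report
calls out, and prioritize host vulnerabilities by business context as the
quoted advice suggests (added example; not RedLock's tooling or data).

The inventory format, resource names and vulnerability identifiers below are
all hypothetical, constructed for this example.
"""
from typing import Dict, List

ANY_IPV4 = "0.0.0.0/0"

# Constructed inventory: security groups, databases, storage buckets and hosts.
INVENTORY = {
    "security_groups": {
        "sg-web": [{"port": 443, "cidr": ANY_IPV4}],
        "sg-admin": [{"port": 22, "cidr": ANY_IPV4}],          # SSH open to the world
        "sg-db": [{"port": 5432, "cidr": ANY_IPV4}],           # database reachable from the web
        "sg-db-private": [{"port": 5432, "cidr": "10.0.0.0/8"}],
    },
    "databases": [
        {"name": "orders-prod", "sg": "sg-db", "encrypted": False, "env": "prod"},
        {"name": "orders-stage", "sg": "sg-db-private", "encrypted": True, "env": "staging"},
    ],
    "buckets": [
        {"name": "public-assets", "public": True, "contains_sensitive": False},
        {"name": "customer-exports", "public": True, "contains_sensitive": True},
    ],
    "hosts": [
        {"name": "web-1", "role": "webserver", "env": "prod", "sg": "sg-web",
         "vulns": [{"id": "VULN-PLACEHOLDER-1", "cvss": 9.8}]},
        {"name": "db-1", "role": "database", "env": "prod", "sg": "sg-db",
         "vulns": [{"id": "VULN-PLACEHOLDER-2", "cvss": 7.5}]},
        {"name": "ci-stage", "role": "jenkins", "env": "staging", "sg": "sg-admin",
         "vulns": [{"id": "VULN-PLACEHOLDER-3", "cvss": 9.8}]},
    ],
}

def internet_exposed_ports(sg_rules: List[Dict]) -> List[int]:
    """Ports a security group opens to the entire IPv4 Internet."""
    return sorted({r["port"] for r in sg_rules if r["cidr"] == ANY_IPV4})

def find_misconfigurations(inv: Dict) -> List[str]:
    """Return one finding per issue, mirroring the categories in the report."""
    findings: List[str] = []
    sgs = inv["security_groups"]
    for name, rules in sgs.items():
        if 22 in internet_exposed_ports(rules):
            findings.append(f"HIGH {name}: inbound SSH allowed from the Internet")
    for db in inv["databases"]:
        if internet_exposed_ports(sgs[db["sg"]]):
            findings.append(f"HIGH {db['name']}: database accepts inbound connections from the web")
        if not db["encrypted"]:
            findings.append(f"CRITICAL {db['name']}: database storage not encrypted")
    for b in inv["buckets"]:
        if b["public"] and b["contains_sensitive"]:
            findings.append(f"HIGH {b['name']}: storage bucket with sensitive data is public")
    return findings

def prioritize_vulns(inv: Dict) -> List[Dict]:
    """Rank host vulnerabilities by CVSS plus business context (role, env, exposure).

    This is the correlation the quote describes: the same CVSS score matters more
    on an Internet-facing production database than on a private staging box.
    The weights are illustrative, not from the report.
    """
    ranked = []
    for host in inv["hosts"]:
        exposed = bool(internet_exposed_ports(inv["security_groups"][host["sg"]]))
        for v in host["vulns"]:
            score = v["cvss"]
            score += 2.0 if host["env"] == "prod" else 0.0
            score += 1.5 if exposed else 0.0
            score += 1.0 if host["role"] == "database" else 0.0
            ranked.append({"host": host["name"], "vuln": v["id"], "priority": round(score, 1)})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)

if __name__ == "__main__":
    for line in find_misconfigurations(INVENTORY):
        print(line)
    for item in prioritize_vulns(INVENTORY):
        print(item)
```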

Awareness of data breaches, patching, and critical security practices may be on the up with the constant stream of security incidents hitting the news, but based on RedLock’s findings, it seems that some areas — such as cloud services — are still not being given the attention they require. Unless the enterprise steps up its game, practices such as storing passwords in cleartext are asking for attackers to strike, and companies will have nothing to blame but themselves in the case of compromise.


Do you own your data and have free rein? The answer in an Internet of things, cloud world may surprise you

The great big data land grab is on, and the Internet of Things is going to make ownership even more complicated. Get ready for a few ownership spats as data becomes the new oil.

On encryption, the UK sets a collision course with Europe

End-to-end encryption is still seen as a danger by British politicians but as a useful protection by Europeans.

Is encryption a threat to law and order, or an essential tool for staying secure online? Two events this week show how much disagreement there still is about it.

First, at a meeting at the Conservative party conference earlier this week the UK’s home secretary Amber Rudd said technology experts had been “patronising” and “sneering” at politicians who try to regulate their industry.

She said: “I don’t need to understand how encryption works to understand how it’s helping — end-to-end encryption — the criminals.” She went on: “I will engage with the security services to find the best way to combat that.”

Her comments are in line with those from Conservative politicians over the past few years, who have regularly made loud noises about limiting access to encryption, and have indeed introduced legislation to limit its usage.

Their argument is that end-to-end encrypted messages, which can only be read by the sender and the recipient, are allowing crooks to plot crimes in a way that police cannot monitor.

And while the government has also said it doesn’t want to ban the use of encryption, or force companies to install ‘backdoors’ that police can use to snoop on conversations, there is no obvious way to weaken end-to-end encryption without breaking it, making this an intriguing clash of mathematics and politics.

The UK’s recent Investigatory Powers Act legislation requires tech companies based in the UK to be able to remove any encryption they use to protect their customers’ communications when asked to by the authorities.

But the law only applies to companies operating out of the UK, and it’s very unclear what effect it will have on the big tech companies based in the US, like Apple or WhatsApp, which use end-to-end encryption to protect the messages sent by their customers.

However, as the UK continues to call for ways to crack down on the use of end-to-end encryption, politicians in Europe are doing exactly the opposite.

Just days after Rudd’s comments, the European Parliament passed a resolution warning that more must be done to prevent cyberattacks and that individuals and businesses remain at risk because of a lack of knowledge and resources.

It called on member states to promote practical security measures such as encryption and warned governments not to “impose any obligation on encryption providers that would result in the weakening or compromising of the security of their networks or services, such as the creation or facilitation of ‘back doors'”.

That’s not all: back in July the European Parliament published a draft of a report on electronic communications which also urged the use of strong encryption.

It said tech companies should make sure they can protect customers’ communications from unauthorised access or alterations, and that the confidentiality is “guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data”.

It goes on: “Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.”

The final version of the document is due later this month and, according to one report, Europe is not likely to water down its stance on encryption.

The increasing use of end-to-end encryption does make it harder for police to monitor plotters, that’s for sure. But they also still have plenty of ways to access communications.

Most smartphones and PCs are far from secure, which means in many cases police will be able to hack into them and access communications before they are scrambled with encryption. In the UK, police and intelligence agencies already have this power.

That seems to be a much more proportionate and targeted way of accessing data than by banning end-to-end encryption and obliging everyone to communicate in a less secure way, leaving them at greater risk of criminals and fraudsters and nation state-backed hackers.

It’s not clear how this issue is going to be resolved: the UK is unlikely to make much headway in limiting the use of encryption while the rest of Europe’s political class is in favour of it.

Data breaches highlight how Social Security number has to be phased out for blockchain, biometrics

The Social Security number shouldn’t be the keys to verifying identity. As data breaches pile up, alternative authentication and identification technology needs to be considered.

Former CEO of Equifax Richard Smith hasn’t gotten much right of late following his former company’s data breach and fumbling of the aftermath. But one thing Smith has correct is that Social Security numbers need to go.

In testimony before the US House of Representatives Committee on Financial Services, Smith was grilled by legislators, but did garner some agreement when he said the following:

We should consider the creation of a public private partnership to begin a dialogue on replacing the Social Security Number as the touchstone for identity verification in this country. It is time to have identity verification procedures that match the technological age in which we live.

Social Security numbers were hatched as a way for US citizens to get benefits. Over time, these nine-digit identifiers became the primary way a person is identified. With Social Security numbers part of the haul from the Equifax data breach, it’s clear that these identifiers are a single point of failure. The Social Security number is the key to the fraud kingdom and perhaps the ultimate example of legacy infrastructure and processes.

White House Cybersecurity Coordinator Rob Joyce said last week that the Social Security identification system is fatally flawed. Speaking at a Washington Post Cybersecurity Summit, he said “every time we use the Social Security number you put it at risk.” Joyce has asked departments and agencies to kick around ideas to move away from Social Security numbers and use more secure identifiers.

What’s unclear is what replaces the Social Security number, which launched in 1936. The Social Security Administration has issued more than 450 million original Social Security numbers.

Matt Devost, Accenture security global cyber defense practice lead, knows how a compromised Social Security number can be a big headache. His Social Security number was compromised 20 years ago.

“The issue we have today is that a Social Security number is kept as a secret to authenticate access and identity,” said Devost. “We need to be moving away from that and add biometrics on top of that or the equivalent of a private wallet with blockchain.”

Devost advocates that the US government move away from Social Security numbers and replace them with biometrics or a blockchain equivalent. This transition would take years, but in the meantime, industries could use more holistic ways to identify a person. The Social Security number can’t be the primary way to access things like credit and health care benefits.

“The Social Security number is not private, but you can verify relationships based on relationships,” Devost said.

Indeed, Affirm, a financial services company led by former PayPal CTO Max Levchin, aims to bring fair pricing and transparency to consumer credit. To approve loans, Affirm does a “soft” credit check and uses home addresses, mobile phone numbers, email addresses, date of birth and the last four digits of your Social Security number to verify identity.

Devost noted that Affirm is an example of how relationships at financial institutions can be used to verify identity. Social identities and scraping known data sources can also verify identity and minimize Social Security numbers.

Other security layers could include personal identification numbers as well as private keys.

One approach to ponder is Estonia’s. The country has created a digital identification system and has courted residents. Some UK businesses see Estonia’s e-residency approach as Brexit insurance.

Estonia has also built an e-residency platform and deployed blockchain technology. The country is also planning a new digital authentication app for Android and iOS called Smart-ID.
While this transition away from Social Security numbers is being hashed out, industries could at least implement two-factor authentication and other security layers. For instance, Devost outlines a scenario where a cybercriminal would try to open a credit account in your name and you’d get an alert in your banking app.

These security layers are easy to implement and use financial institutions and other established accounts to verify a person. “These layered ways would be a great stutter step to something more permanent,” Devost said.

The interim measures will be important, since phasing out Social Security numbers will take decades to implement. A system built today with biometrics or blockchain would be rolled out for U.S. births. The existing population would be grandfathered in. “The new system would roll out as new people are born,” Devost said.


System Requirements

Both OsMonitor Server and Client can work on Windows XP, Windows Server 2003/08/12/2016, Windows 7, Windows 8/8.1, and Windows 10, in both 32-bit and 64-bit editions.

Customer Review

We are now using your monitoring software, OsMonitor. It is great software; we are able to block non-business websites, monitor the activities of our users, the websites they visited, and even take snapshots. The majority of our needs are met by your software.