Biz Blog | LexisNexis®

Original Article Here

Fictional detective Sherlock Holmes is frequently quoted in forums and blogs related to competitive intelligence (CI). After all, he was obsessed with data. In The Boscombe Valley Mystery, for example, Holmes says, “You know my method. It is founded upon the observation of trifles.” He isn’t… Read More

Crisis management is the kind of PR skill where companies learn more from bad examples than good ones. Your department or agency should, therefore, be taking notes concerning United Airlines and the way it handled the forcible removal of a passenger from one of its overbooked flights. We’ve compiled… Read More

Public relations operations are a little different today than in the past, and failing to take the changes into account could harm your agency or department. Skills that were highly relevant only a few years ago could fail you now, and progress in the industry could be tied to your ability to evolve… Read More

The media research you perform as a PR professional has perhaps never been as important as it is today. Getting your message in front of an interested audience is still valuable, but the players on the news landscape are not the same as they have been. The rise of fake news and deliberate misinformation… Read More

When the Academy Awards ceremony takes place, millions tune into the pageantry and excitement of the big night. Of course, as a PR professional, you have your own perspective of Hollywood’s celebration of itself. There are plenty of lessons and useful tactics embedded in the endless campaigns actors… Read More

Below is a guest post from LexisNexis’s Thomas Stoeckle, who heads up the Small Data Forum podcast — a podcast that makes big data less intimidating, more actionable and thus more valuable. Episode 6 of the Small Data Forum podcast continues the discussion from our 2016 year-end edition, which… Read More

“Fake news” – those are the words on the lips of everyone from the president of the United States to other global leaders and citizens around the world. There is confusion about what exactly people mean when they talk about fake news, but it’s indisputable that incorrect information is… Read More

Creating PR campaigns and placing stories that reflect the season or any relevant holiday are tactics pulled right from the public relations playbook. Valentine’s Day provides so many opportunities to connect brands with emotions, and pros shouldn’t let it pass them by. Even when the holiday… Read More

Recently, more than a billion people celebrated the ringing in of the Year of the Rooster, and brands around the world cashed in by promoting their products and services. The geographic reach of Chinese New Year or Spring Festival promotional tie-ins is growing as population spreads, going from China… Read More

Not understanding mistakes often leads to repeating them. This means that one of the most important things public relations departments or agencies can do after a negative story breaks is to carefully go over the event and move forward with a renewed approach to communication. It only takes one slip… Read More

In an already confusing landscape of post-truth and fake news, President Trump’s administration recently added to the quagmire by using the phrase ‘Alternative Facts’. With the public becoming more skeptical by the minute, reputation has never been so valuable nor so easily lost. Building… Read More

When a disaster or bad publicity strikes a company, PR agencies and departments earn their keep. Of course, not every organization will thrive under tough circumstances. These events separate good PR teams that can provide positive return on investment from those that struggle. The media landscape… Read More

With a whole new year stretching out in front of you, it’s time to take stock of what trends and changes your department or company is going to face in the months ahead. The next steps for the Public Relations universe will likely include a few continuing trends from 2016, alongside a few long-gestating… Read More

Every calendar year is full of inspiring successful Public Relations campaigns – and some embarrassing mistakes. While the latter category may be promotions those companies would rather forget, they offer strong educational lessons for the rest of the PR community. Critically looking back Companies… Read More

When you’re working on PR pitches to the media between major events or product launches, you may wish you had a magic spell up your sleeve. Your job is essentially to conjure something valuable – favorable coverage – out of thin air. It’s time to believe in magic. This kind of hype-building… Read More

Coordinating a global PR strategy can sometimes seem like a Sisyphean struggle. When cornerstone ideas of your company’s (or client’s) brand don’t cross international borders, there’s a temptation to either limit your reach or cook up completely different strategies for each territory… Read More

This post was guest written by Brandon Teeple, a junior at Wright State University. The Millennial Generation, those who are born between the early 1980s and early 2000s, have recently become the largest generation in the U.S. They range anywhere from recent high school or college graduates to critical… Read More

The case could certainly be made that no other presidential race in memory or potentially history has received so much media attention—and, let’s face it, felt so much like a reality TV show—as this one. Now that the election is one for the record books, let’s take a look at how… Read More

It’s not enough to only score Public Relations victories when there is a new product to promote or a major news event to link. Keeping excitement for a brand at a simmering level for a long time keeps companies in touch with news providers and the public at large, and there are plenty of actions… Read More

The race is tight, so coloring in the electoral map has proven to be an arduous task. Media monitoring and social media analysis may help to color in some of those states by providing a glimpse into voter sentiment and enthusiasm that polls might not capture. Take a look at a guest blog post brought… Read More

What a difference a year and even a week makes. When we started tracking the presidential election coverage a year and a half ago, we aimed to test a few theories: Higher media coverage would lead to better poll results Social media would play a role in the election Swing states would reign… Read More

The temptation to use Halloween and the entire month of October as a tie-in to new product launches is great for brands, as the season’s themes are wide-ranging, fun and unabashedly commercial. That said, PR firms and departments need to be careful at this time of year. Without a keen and up-to-date… Read More

A new media launch is a PR masterclass. No matter the field you promote in, you can draw inspiration and information from observing how movies, television shows and online media offerings present themselves. With the recent launch of fall TV shows in the U.S., there are plenty of great examples to choose… Read More

Being a PR professional today means bringing news outlets and consumers closer to companies than they’ve ever come before. It’s a social media-powered age wherein people examine the organizations they do business with. This often now means ensuring the company’s values come through loud and… Read More

This post was guest written by Courtney Resnicky, a senior at Wright State University. The battle between who is telling the truth, who is twisting the truth, and who is flat out lying during this Presidential election seems to have become more heated than ever. In both presidential debates we’ve… Read More



Android 'design shortcomings' allow for Cloak and Dagger series of attacks

Original Article Here


A series of “vulnerabilities and design shortcomings” in the Android user interface sets the stage for a new class of attacks called “Cloak and Dagger.”

Discovered by Chenxiong Qian, Simon P. Chung and Wenke Lee of Georgia Tech and Yanick Fratantonio of UC Santa Barbara, the issues stem from two Android app permissions. The first, SYSTEM_ALERT_WINDOW (“draw on top”), lets an app draw overlays above every other app. The second, BIND_ACCESSIBILITY_SERVICE (“a11y”), is a powerful privilege designed to assist users with disabilities: an enabled accessibility service is notified of UI events across the device, can read the view tree of whatever is on screen and can perform actions on the user’s behalf.

Regarding these app rights, there’s good news and bad news. Both tidbits boil down to Google’s design choices.

First, the good news. Google understands the potential security implications of BIND_ACCESSIBILITY_SERVICE, which explains why the researchers found the privilege requested by only 24 of the top 4,455 apps on Google Play.

But the bad news is that Google grants SYSTEM_ALERT_WINDOW automatically, with no prompt, to any app installed from the Play Store. A malicious app can use the overlay it gets for free to lure the user into enabling its accessibility service, and with both capabilities in hand it can conduct a series of attacks including context-aware clickjacking, security PIN stealing and the silent installation of a “God-mode” app holding every permission.


That’s not even the worst part.

An examination of these so-called “Cloak and Dagger” attacks not only demonstrates their practicality but also reveals most users aren’t the wiser that any malicious activity transpired. As the researchers explain in their paper:

“To test the practicality of these attacks, we performed a user study that consisted of asking a user to first interact with our proof-of-concept app, and then login on Facebook (with our test credentials). For this experiment, we simulated the scenario where a user is lured to install this app from the Play Store: thus, SYSTEM_ALERT_WINDOW is already granted, but BIND_ACCESSIBILITY_SERVICE is not. The results of our study are worrisome: even if the malicious app actually performed clickjacking to lure the user to enable the BIND_ACCESSIBILITY_SERVICE permission, silently installed a God-mode app with all permissions enabled, and stole the user’s Facebook (test) credentials, none of the 20 human subjects even suspected they have been attacked. Even more worrisome is that none of the subjects were able to identify anything unusual even when we told them the app they interacted with was malicious and their devices had been compromised.”

Now that we know the full extent of these attacks, what is Google doing to prevent them?

Well, the tech giant has known about the issues since August 2016. Some of the reported vulnerabilities Google has marked “won’t fix”; the remainder are rooted in the design of the Android UI itself and could take a while to address.

According to a statement provided to Softpedia, the company is working on it:

“We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward.”

That’s great… for Android users who receive OS updates on a regular basis. As with other Android security issues, most users don’t get those fixes from their manufacturers until weeks, months or years after release, so that unlucky majority won’t see the “new security protections” built into Android O for quite some time.

While they wait, what Android users can do is go into their device settings and check which apps have “draw on top” access (listed under “Draw over other apps”) and which have an accessibility service switched on (under Accessibility). Not every app that uses these privileges will announce it to you. (Thank Google for that.) For those apps that do show up, think long and hard about whether they need that access before keeping them installed on your device.
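The following is an added example, not code from the article or the researchers: a small POSIX shell script that uses only stock adb commands to report, for every third-party app on an attached device, whether it declares SYSTEM_ALERT_WINDOW in its manifest and whether it has an accessibility service enabled. It reads the declared permission because `dumpsys package` shows manifest requests rather than the appops grant state, and it reads the accessibility *enabled* list because a declared service is inert until the user switches it on. It assumes adb is on PATH with one device attached; when no device is present it runs over the constructed sample output embedded below. The package and service names in those samples are made up.

```shell
#!/bin/sh
# Added example (not from the original article): audit the two capabilities that
# Cloak and Dagger chains, "draw on top" and an enabled accessibility service.
# Assumptions: adb on PATH, one device attached, USB debugging enabled. Without a
# device the script falls back to the constructed sample output below.

# Constructed, abridged sample of `adb shell dumpsys package <pkg>`; real output is
# far longer but carries the same "requested permissions:" section.
SAMPLE_DUMP='Packages:
  Package [com.example.overlay] (3f2a1b9):
    userId=10123
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false'

SAMPLE_DUMP_READER='Packages:
  Package [com.example.reader] (9c01d2e):
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true'

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`:
# a colon-separated list of <package>/<service class>.
SAMPLE_A11Y='com.example.overlay/com.example.overlay.HelperService:com.example.reader/com.example.reader.ReaderService'

# pkg_requests DUMP PERMISSION -> exit 0 if PERMISSION is in the manifest's requested
# permissions. Newer Android appends ": restricted=true" to some entries, so anything
# from the first colon onward is dropped before comparing.
pkg_requests() {
    printf '%s\n' "$1" | awk -v perm="$2" '
        /requested permissions:/ { in_sec = 1; next }
        /:[ \t\r]*$/             { in_sec = 0 }          # next section header ends the list
        in_sec {
            line = $0
            sub(/:.*$/, "", line)
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)
            if (line == perm) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# enabled_a11y_services VALUE -> one enabled <package>/<service> per line.
# `settings get` prints the literal word "null" when nothing is enabled.
enabled_a11y_services() {
    [ "$1" = "null" ] && return 0
    printf '%s\n' "$1" | tr -d '\r' | tr ':' '\n' | sed '/^$/d'
}

# a11y_enabled_for PKG VALUE -> exit 0 if PKG has an accessibility service enabled.
a11y_enabled_for() {
    enabled_a11y_services "$2" | awk -v prefix="$1/" \
        'index($0, prefix) == 1 { hit = 1 } END { exit hit ? 0 : 1 }'
}

# risk_level PKG DUMP VALUE -> prints both | overlay | a11y | none.
# "both" is the Cloak and Dagger precondition; "overlay" alone is the position every
# Play Store app starts from, since SYSTEM_ALERT_WINDOW is granted without a prompt.
risk_level() {
    overlay=no
    a11y=no
    pkg_requests "$2" android.permission.SYSTEM_ALERT_WINDOW && overlay=yes
    a11y_enabled_for "$1" "$3" && a11y=yes
    if [ "$overlay" = yes ] && [ "$a11y" = yes ]; then echo both
    elif [ "$overlay" = yes ]; then echo overlay
    elif [ "$a11y" = yes ]; then echo a11y
    else echo none
    fi
}

report_package() {
    printf '%-45s %s\n' "$1" "$(risk_level "$1" "$2" "$3")"
}

if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    a11y_value=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    for pkg in $(adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://'); do
        report_package "$pkg" "$(adb shell dumpsys package "$pkg")" "$a11y_value"
    done
else
    echo "no device attached; auditing the constructed sample instead"
    report_package com.example.overlay "$SAMPLE_DUMP"        "$SAMPLE_A11Y"
    report_package com.example.reader  "$SAMPLE_DUMP_READER" "$SAMPLE_A11Y"
fi
```

Anything reported as `both` deserves the same scrutiny the article asks for: an app that can draw over the screen and read or act on it has everything the researchers needed. Note that on Android O and later the overlay list and the accessibility settings still exist, but the names of the settings screens differ between vendors, which is one reason a command-line check is handy.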

About the author, David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News, Associate Editor for Tripwire’s “The State of Security” blog, and Contributing Author to Carbonite.

Follow @DMBisson

Interested in being a guest contributor to this site like David Bisson? Check out our contributor guidelines.

Apple developing dedicated AI chip for iPhone, iPad: Report

Original Article Here


Apple is developing a dedicated artificial intelligence chip to offload tasks like speech recognition and facial recognition on its mobile devices, according to Bloomberg.

The chip internally known as Apple Neural Engine could help improve battery life and overall performance, the report said.

Apple is looking to include the chip in both the iPhone and iPad. Apple is said to have begun testing future iPhone prototypes with the chip, but it’s not clear when the dedicated chip could arrive or if it will be included in the next iPhone release this fall.

Apple has been rumored to boost its artificial intelligence offerings to more fiercely compete against Google and Amazon, who have seemingly pulled away in the AI market for the time being. The Apple Neural Engine could be included in future Apple products like self-driving cars or AI-powered glasses.

Apple could discuss its AI plans during WWDC in June, Bloomberg said. Its competitor, Google, introduced new AI offerings in May that extend to phones, connected speakers, and cars.

This isn’t the first time Apple has developed a dedicated chip. Its M-series motion coprocessors have handled sensor data in the iPhone since the iPhone 5S, and the W1 wireless chip sits inside the AirPods that launched alongside the iPhone 7.

Apple has an AR team that is made up of hundreds of engineers working on AR-related features. In March, Bloomberg reported it’s headed by Mike Rockwell, who previously ran the hardware and new technologies groups at Dolby. Rockwell is reporting to Dan Riccio, head of the iPhone and iPad hardware engineering groups.

Apple’s move into AR makes sense. The company has made several large AR-focused acquisitions, including PrimeSense and FlyBy, the maker of AR-camera software. Apple CEO Tim Cook has called AR a better technology than VR and for everyone, not just a niche market.

Hackers De-activating WannaCry Ransomware Kill Switch – Prepare For A New Attack Now! – Komando

Original Article Here

On Friday, May 12, the largest ransomware attack ever recorded began making headlines. What started as a handful of infections in Europe soon spread to more than 200,000 machines worldwide, ultimately affecting Windows computers in over 150 countries, including South Korea, Germany, China, Japan and Britain.

This new strain of ransomware, called WannaCry or WanaCrypt0r 2.0, behaved unlike anything seen before. Early reports blamed an email attachment containing a zipped file, but no such lure was ever confirmed; what made WannaCry so hard to stop was that it behaved as a worm, scanning for other Windows machines that exposed the SMBv1 file-sharing service (TCP port 445) and infecting them with no user interaction at all.

Thankfully, a 22-year-old self-taught programmer named Marcus Hutchins noticed an odd kill switch in the code. By registering the unregistered domain name hard-coded into the malware, Hutchins effectively halted the rapidly spreading ransomworm. That’s because, before doing anything else, WannaCry tried to connect to that domain: if the connection failed, it went on to encrypt files and spread; if the connection succeeded, it shut itself down. Once the domain resolved and answered, new copies of the malware stopped detonating.

Now, however, Hutchins is reporting that traffic on the domain is picking up. And based on the activity, he believes that the hackers are trying to find a workaround to this kill switch by overwhelming the domain name with a DDoS attack.

In a DDoS attack, hackers flood a target with traffic from a huge number of machines at once, typically a “botnet” of internet-connected devices they have infected with malware and can control remotely, until the target can no longer answer legitimate requests. In this case, the target is the kill-switch domain Hutchins registered. Back in October, a DDoS attack against a major DNS provider made many popular websites unreachable for millions of Americans on the East Coast.

Another attack is coming

This news is alarming because the malware does not need to change for the damage to resume: if the kill-switch domain becomes unreachable, the check fails on every newly infected machine and the ransomware component runs. If the attackers succeed, the next wave could be even worse. That’s why, if you haven’t already patched your system to close the hole WannaCry exploited, you need to do it right now! Here are the steps you need to take to fight back against WannaCry and other forms of ransomware:

1. Install Microsoft’s patch and system updates

WannaCry spreads using “EternalBlue,” a leaked exploit for a flaw in Windows’ SMBv1 file-sharing service (CVE-2017-0144). Microsoft fixed the vulnerability in March 2017, two months before the outbreak, in security bulletin MS17-010. We now know that systems running Windows 7 accounted for the vast majority of infections and need to be updated. MS17-010 is the bulletin, not a single download: the KB number of the actual update differs by Windows version, and on Windows 10 it is folded into the monthly cumulative update. The simplest way to get it is to run Windows Update on your PC.

To update Windows 10 follow these steps:

  1. On Windows 10, click Start (Windows logo).
  2. Choose Settings.
  3. Select Update & Security.
  4. Then on the Windows Update section, click on Advanced Options. (Note: the “Windows Update” section is also handy for showing you updates that are currently being downloaded or applied.)
  5. Under Advanced Options, just make sure the drop down box is set to Automatic.

To update Windows 7 follow these steps:

  1. Click the Start menu button.
  2. Click All Programs.
  3. Scroll through the list and click Windows Update. The Windows Update window will open.
  4. Click Check for Updates.
  5. Click Install Updates.

To update other versions of Windows:

Unfortunately, some older versions of Windows are out of support and did not receive MS17-010 in March. The good news is that, because the worm spread so widely, Microsoft took the unusual step of releasing an emergency patch for them as well.

This means that if you are running Windows XP, Windows 8 (not 8.1, which got the regular March update) or Windows Server 2003, you need that separate out-of-band update, which Microsoft published as a manual download.
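As an added example that is not part of the Komando article, the PowerShell script below checks a single Windows host for the MS17-010 update and for whether the SMBv1 server that EternalBlue targets is still enabled. Run it from an elevated PowerShell prompt. The KB numbers are the ones the MS17-010 bulletin lists per Windows version; on Windows 10 they are superseded by later cumulative updates, so a missing KB there is a hint rather than proof, which is why the SMBv1 check carries more weight. The Disable-Smb1Server function is defined but not called, so nothing changes until you choose to run it.

```powershell
# Added example, not from the original article: MS17-010 / SMBv1 audit for one host.
# Assumptions: PowerShell 3.0 or later, run elevated. KB numbers are from the MS17-010
# bulletin; Windows 10 cumulative updates supersede them, so absence there is only a hint.

$Ms17010Kbs = @(
    'KB4012598',               # Vista / Server 2008, and the out-of-band XP / Server 2003 / Windows 8 update
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Hotfix {
    # Returns the MS17-010 KBs installed on this host, or an empty array if none is found.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    return @($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Get-Smb1ServerState {
    # True when the SMBv1 server is enabled. Get-SmbServerConfiguration exists on
    # Windows 8 / Server 2012 and later; older hosts expose the same switch as the
    # LanmanServer\Parameters\SMB1 registry value, where a missing value means enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Disable-Smb1Server {
    # Turning the SMBv1 server off removes the attack surface even on an unpatched host.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'SMB1 registry value set to 0; reboot for the change to take effect.'
    }
}

$found = Test-Ms17010Hotfix
if ($found.Count -gt 0) {
    "MS17-010 update present: $($found -join ', ')"
} else {
    Write-Warning 'No MS17-010 KB found. Run Windows Update, or on Windows 10 confirm a newer cumulative update is installed.'
}

if (Get-Smb1ServerState) {
    Write-Warning 'SMBv1 server is enabled on this host. Run Disable-Smb1Server to turn it off.'
} else {
    'SMBv1 server is disabled.'
}
```

On Windows 7 the registry change needs a reboot; on Windows 8, Server 2012 and later, Set-SmbServerConfiguration applies immediately. Disabling SMBv1 only breaks very old clients and network printers that cannot speak SMBv2, so on a home network it is almost always safe and removes the path WannaCry used even before the patch is installed.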

2. Backup your data

Typically, we’d recommend installing strong antivirus software on your computer. But the truth is that in outbreaks such as this, many antivirus programs fail to catch a brand-new strain until their signatures are updated.

It’s still best if you have an antivirus installed, however, you also need to backup all of the data on each of your devices. This way, if ransomware hits, you’re protected no matter what! Plus, with WannaCry ransomware, experts are saying even if you do pay the ransom there is very little chance you will get your data back which makes backup that much more important.

That’s why we recommend IDrive because it allows you to backup all of your devices to a single account, and all for around $6 per month.

IDrive’s Universal Backup covers all of the operating systems including Windows, Mac OS, iOS, Android and Windows Mobile. Plus, you can take advantage of the social media backup tool, and create a safe archive for the posts, photos and videos you’ve shared on platforms like Instagram and Facebook. And as a Kim Komando listener, you can protect all of your devices at an extremely low cost! Click here to save 50 percent on 1 TB of cloud backup storage. Just be sure to use promo code KIM at checkout!

3. Secure your router

Since the attempts to get around the WannaCry kill switch rely on DDoS botnets, and botnets are built largely out of poorly secured home routers and smart devices, it’s a good time to take a few minutes to secure your home Wi-Fi network.

First, check whether your router is outdated or known to have security issues. Next, update your router’s firmware. Then change your router’s administrator password, and make sure it is not forwarding port 445 (SMB) or any other port you don’t knowingly need to the machines inside your network, since that is exactly the path a worm like WannaCry uses to get in from the internet.

Beyond that, be smart with your other web-connected devices. The steps it takes to secure them vary from product to product, so check each manufacturer’s guidance, but changing default passwords and applying firmware updates are the universal starting point.

What to do if already infected

If your device has already been infected with ransomware like WannaCry, the most important thing to do is disconnect it from the network entirely: unplug the Ethernet cable and turn off Wi-Fi, not just your internet connection. WannaCry spreads from machine to machine over the local network, so a computer that is merely cut off from the internet can still infect every other Windows machine in your home or office.

Next, you should report the incident to the authorities so they can try tracking down the person who is responsible.

Ransomware attacks should be reported to your local FBI field office.

You should also file a complaint with the Internet Crime Complaint Center (IC3), including the following details:

  1. Date of Infection
  2. Ransomware Variant (identified on the ransom page or by the encrypted file extension)
  3. Victim Company Information (industry type, business size, etc.)
  4. How the Infection Occurred (link in email, browsing the internet, etc.)
  5. Requested Ransom Amount
  6. Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
  7. Ransom Amount Paid (if any)
  8. Overall Losses Associated with a Ransomware Infection (including the ransom amount)
  9. Victim Impact Statement

Once you’ve disconnected your computer and reported the attack, it’s important that you do not pay the ransom! Giving in to the hacker’s demands only rewards the behavior and keeps the scam going.

If you’ve taken the steps mentioned above, you can wipe your gadget and restore it to factory settings. This should remove the malware installed on it; it will also delete all your files, which is where your backup comes in. If you’ve backed up your devices with IDrive, you can recover your files, photos and documents onto the wiped (or new) device.

This is why we say backing up your gadgets is so important. Kim Komando listeners can save 50 percent on IDrive with promo code KIM at checkout.


Artificial intelligence and machine learning: How to invest for the enterprise

Original Article Here

Virtually every enterprise software vendor is creating noise in the market about artificial intelligence. Unfortunately, much of that marketing buzz offers little substance and creates confusion for customers about what’s real. Given this FUD, the challenge for business people is deciding where to invest.

Although market confusion is an issue, the underlying reality is that achieving results with AI needs different strategies, skills, and goals than deploying traditional process automation software.

With traditional software like ERP or CRM, for example, managers re-engineer processes like customer service or manufacturing to find repeatable improvements and efficiencies. Although implementation is often complicated, the benefits and risks are well known.

In contrast, investments in AI demand a different kind of analysis than with traditional enterprise software. Not only is AI technology new to most managers, but getting the desired results depends on having sufficiently large and relevant data sets to feed the AI machine.

Because AI can create results that go far beyond process improvement and efficiency, defining investment outcomes and goals can be far more complex than with traditional process automation software.

Making successful investments in AI, therefore, requires experts across a range of disciplines to think in terms of frameworks and models. The activities include:

  • Analyzing the impact on current and future business models
  • Selecting processes and operations in which to invest
  • Examining machine intelligence technology
  • Rigorously applying data science to proposed solutions and outcomes

The skills and activities are significantly different than those needed when buying and implementing traditional enterprise software.

Given the importance, complexity, and risk around AI investment, I invited one of the most experienced AI investors in the world to be a guest on Episode 220 of the CXOTALK series of conversations with innovators.

James Cham is a partner with Bloomberg Beta, a venture capital firm with a strong focus on companies related to machine learning. James and his colleague, Shivon Zillis, created a detailed machine learning market landscape.

I asked James to give enterprise leaders advice on how to invest in AI. During our discussion, Cham addresses points such as:

  • Avoiding significant waste on AI projects that offer little value or benefit
  • Creating a useful economic framework for investing in AI
  • Understanding the shift from being data-centric to model-centric
  • Building, managing and testing model-centric AI applications

You can watch the full conversation and read the complete transcript on the CXOTALK site. You can also download the podcast on iTunes. Below is an edited portion of important points from the discussion.

How should business leaders think about the economic, organizational, and managerial aspects of AI?

We see innovation and advancement on the technical side. And what’s lagging is clear thought and understanding on the economic and managerial side.

I think that the biggest risk for most of us right now around machine intelligence is less that the machines will take over and you will no longer have a job.

The biggest risk is that we as managers will make really bad decisions about where to invest, and we’ll end up wasting billions of dollars on stupid projects that nobody ends up caring about. I think that, in some ways, is the immediate, interesting, obvious question ahead of us for the next 5-10 years. This is still a poorly understood and badly researched part of the question.

For the last couple of years, I’ve been asking various economists: “Tell me what is the right microeconomic framework for thinking about how to invest in machine learning or around AI?”

I think in general, most economists and most business school types are still more focused on the large-scale economic implications. But, those larger scale economic implications don’t matter unless we make good decisions at a micro level.

There were three guys out of the University of Toronto, in their business school, who came up with what I think is the best framework for thinking about machine learning in general. I think that for most organizations, the right way to think about machine learning is to think about the cost of predictions. In the same way that if you were to abstract, at a certain level, computation. The history of computation is about reducing the cost of arithmetic. And, when you make it cheap to add and subtract at a certain level of scale, then you end up with digital cameras and whatnot.

And, if you think about AI or machine intelligence as being different, and think about it as reducing the costs of prediction, then you can apply the same mental framework as in normal economic analysis: “If the cost of prediction goes down, then what are the complements and substitutes to me? And what are the ways that I could change my organization at its core?” That’s the microeconomic way of thinking about it.

It’s fine to have a data-centric organization. But if you have all this data and don’t know what to do with it, it’s useless. It’s good to have better workflows, but if the workflows just generally help you do the same thing over and over again, that’s not that useful.

On the other hand, if you as an IT organization thought about yourself as model-centric, then you would consider all the processes you have inside the organization. Which processes are valuable enough that I would want to make predictions and decisions without people involved on a day-to-day basis?”

Those models are going to pervade the entire enterprise. That’s the exciting part. [However,] the scary part is we have no idea how to build and manage them because these models are different than applications.

Building software is difficult, but at least I have some idea how to QA and test it and deploy it in some consistent way. As a culture, we figured out how to do that. On the other hand, we don’t really understand models. For some of these newer models, we don’t understand how to think about or introspect on them.

We don’t really understand how to test them because, even theoretically, if the model were totally testable, you wouldn’t need a model. And then we don’t know how to deploy them in a consistent way.

Most organizations will need to understand where to build, invest, and manage these models.

What are the most interesting AI use cases that you see right now?

I try very hard as an investor not to get either too visionary or too optimistic about things.

It hits everything from things as mundane as looking through people’s expenses to capture examples of lack of compliance. I’m an investor in this company called AppZen, which does this.

On the one hand, you’d say, “Gosh, James! This is a boring problem! Who cares about this?” I said that to the founder first. But then, the moment they look at how many cases of noncompliance you get in expense reports, it’s tens of millions of dollars!

It’s just like this little problem sitting on the floor that was not practical to deal with before because you’d have to hire lots of people or outsource it, which would be complicated.

But now, the little bots scrape through all the data, so the cost of prediction goes down dramatically. Suddenly, one of those nagging little things you were worried about in the back becomes something in the immediate present to solve.

The hard part is that we don’t know, or we don’t have good ways yet of predicting, how much these models, or these bots, will help the organization. We don’t have good intuition around, “If I go after this problem, maybe I’ll save this much money.”

[But then, we can solve problems we were not even aware of] or thought were unsolvable. That’s the exciting part.

In other words, business people need to gain a better understanding of data?

Yeah, we’re also in this migration from a data world to a model world. The companies that do that best, or figure that out sooner, are going to be the ones that are going to be — imagine all the buzzwords you love, like “agile,” or “dynamic,” or whatever ─ those good things.

The ones that are model-centric, and are smart about being model-centric are going to be the ones that are going to be successful.

Thanks to Christopher Michel for introducing me to James Cham and to my colleague, Lisbeth Shaw, for assistance with this column.

CXOTALK brings you the world’s most innovative business leaders, authors, and analysts for in-depth discussion unavailable anywhere else. Enjoy all our episodes and download the podcast from iTunes and Spreaker.

New Trump Executive Order on Cybersecurity: Just the Beginning

Original Article Here

After campaign promises on cyber, months of tough talk about Internet security plans, plenty of anticipation and a missed 90-day deadline to deliver a cybersecurity report, President Donald Trump signed an Executive Order (EO) on cybersecurity this week.

The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure offers three sections, which Tom Bossert, Trump’s homeland security adviser, said were in priority order:

     Section 1.  Cybersecurity of Federal Networks

     Section 2.  Cybersecurity of Critical Infrastructure

     Section 3.  Cybersecurity for the Nation

News media and overall cyberindustry reaction to the EO have been mostly positive. Here are some headlines:

Reuters: Trump signs order aimed at upgrading government cyber defenses — U.S. President Donald Trump signed an executive order on Thursday to bolster the government’s cybersecurity and protect critical infrastructure from cyberattacks, marking his first significant action to address what he has called a top priority.

Wired: Trump’s Cybersecurity Executive Order Looks … Pretty Good! — There’s not much in there that’s actionable yet — much of it comprises deadlines for recommendations — but analysts appreciate the approach. Cybersecurity community lauds executive order — President Trump’s cybersecurity executive order has earned positive reviews from the cybersecurity community, who see it as a valuable starting point toward strengthening cyberdefenses.

The Washington Post: Trump signs order on cybersecurity that holds agency heads accountable for network attacks The order “is a step forward,” said Ari Schwartz, a former White House and Commerce Department cyberpolicy official who worked on the Commerce guidelines. “It shows that there’s consensus on moving ahead on these issues.”

C|NET: Trump’s cybersecurity order: Out with ‘antiquated systems’ — The executive order aims to improve U.S. systems by protecting federal networks, critical infrastructure and Americans online.

SC Magazine: Mixed response from IT security pros following release of Cybersecurity Executive Order — While some praise the directive for its guidance, others say its guidance falls short.

You can watch the Thursday press briefing on the new EO here.

Cyber Executive Order Details

The EO starts with the clear policy that: “The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises.”  

Next, the findings, which outline inadequate cyberdefenses in federal agencies, also make it clear that the status quo will not be tolerated. An example: “The executive branch has for too long accepted antiquated and difficult–to-defend IT.” Also, “Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.”

More specifically, “Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk. Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order.” 

While a few experts in the field, including former White House cybersecurity coordinator Michael Daniel, called this EO just “a plan for a plan,” these directives call for risk management reports that will be difficult for agencies to complete in three months.

The section on critical infrastructure builds on what was done during the Obama administration. The EO starts with this policy: “It is the policy of the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation’s critical infrastructure (as defined in section 5195c(e) of title 42, United States Code) (critical infrastructure entities), as appropriate.”

The president goes on to outline how that protection effort will be done and who will be involved.

Another report is due in 90 days regarding “appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities.”

Within 240 days, a report is due on our “resilience against botnets and other automated, distributed threats.”  

The electric grid is specifically called out with an “assessment of electricity disruption incident response capabilities.” (That is, are we ready for an attack against the electric grid?) This report is due in 90 days as well.

Finally, another report due in 90 days will address cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks and capabilities, along with recommendations for mitigating these risks.

In the area of “cybersecurity of the nation,” the policy reiterates our priority of an “open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.” There is also the goal of fostering a next-generation workforce that is skilled in cybersecurity.

My Viewpoint

In many ways, this EO lays out the critical agenda for high-priority action items in cyberspace for the next four years. It offers a diverse mix of themes and topics, from critical infrastructure to a cyberworkforce.

I view this as just the beginning for the Trump administration plans for cyberspace. While some may say that the words and deeds prior to this were actually the opening act, most of those statements were not backed up with an executive order with guidance to various groups to get moving.

These reports and other deliverables will be essential building blocks with much more to come. This is a foundational EO on cyber that continues the momentum that was built in the Obama administration, but also adds much more federal agency director accountability. This is a good thing, since every cyberexpert knows that true management buy-in and support is a critical success factor.

I am hearing that there is also more going on behind the scenes right now than this EO reveals. For example, Rudy Giuliani is helping draw up cyber doctrine, DNI says, but details are scarce. I also think the international cooperation piece of this cybersecurity EO is essential. The EO directs:

“Within 45 days of the date of this order, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Secretary of Commerce, and the Secretary of Homeland Security, in coordination with the Attorney General and the Director of the Federal Bureau of Investigation, shall submit reports to the President on their international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation. Within 90 days of the submission of the reports, and in coordination with the agency heads listed in this subsection, and any other agency heads as appropriate, the Secretary of State shall provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, documenting an engagement strategy for international cooperation in cybersecurity.”

Final Thoughts

The importance of this cyberdefense topic was underlined on Friday, when a new global ransomware attack called WannaCry was unleashed that affected over 100 countries and shut down many hospitals and businesses worldwide. This ongoing situation is one of the largest cyberattacks ever.

It was almost as if the response to the president’s cybersecurity EO from global hackers was, “Our life goes on and we don’t really care what you do.” This is our sad, but scary, online reality.

We all need to be reminded that our individual and corporate (cybersecurity industry) actions have a great ability to influence lives all over the planet — both online and offline. A renewed urgency is required in cyberspace, as our online problems are not going away.

The second chapter in Trump’s cybersecurity plan will begin when those reports and action steps are due later this year. Meanwhile, our cyberbattles march on.

The Insider Threat: New Report Highlights Problems, Recommendations and Resources

Original Article Here

Earlier this month, I was in Washington, D.C., presenting at ISC2’s annual CyberSecureGov Conference, which has become a top-notch federal government cybersecurity event. As I was looking through the agenda after my session, one title grabbed my attention: “Mitigating Insider Threats to our Nation’s Critical Infrastructures.”

The presentation, which highlighted new research from The Institute for Critical Infrastructure Technology (ICIT), was groundbreaking in many respects. While the report highlights critical infrastructure sectors, the findings and solutions also apply to state and local governments, and other private-sector companies in numerous ways.

ICIT is a leading cybersecurity think tank that “bridges the gap between the legislative community, federal agencies and critical infrastructure leaders.” They do this with a wide variety of legislative briefs, research reports, events and other materials that offer outstanding insights and action steps. Their extensive list of free legislative briefs and research reports can be found here.

The presenter on insider threats was a respected colleague who I’ve known for several years — Mr. Parham Eftekhari, co-founder and senior fellow at ICIT, who has been working with technology and security leaders in the federal government for more than 15 years.  

Describing the insider threat challenges we face, Mr. Eftekhari said this: “Critical Infrastructure leaders and policy makers are just now beginning to understand the potential for catastrophic digital and cyber-kinetic incidents at the hands of insider threats. As the authors point out, mitigating malicious and non-malicious insiders must be a top priority not only for our government, but for all private-sector organizations. This publication is a powerful asset for any organization looking to build or improve an insider threat mitigation program.”

Insider Threats: A Deep Dive

Starting with definitions, the presentation used a definition by US CERT Common Sense Guide to Mitigating Insider Threats, which states that an insider threat:

  • Has or had authorized access to an organization’s network, system or data
  • Has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity or availability of the organization’s information or information systems

Varieties of insider threats include:

  • Careless or Uninformed Users
    • Undertrained Staff
    • Accident-Prone Employees
    • Negligent Workers
    • Mismanaged Third-Party Contractors
    • Overwhelmed Personnel
  • Malicious Users

While none of these definitions is new or surprising, the real examples shown were much more eye-opening. For example, look at these real screen shots from the deep Web:

(Screenshots shown in the original, with their captions: “Hacker for Hire”; “Self-Proclaimed Insider Threat”; “W2 Database For Sale on Alphabay”; “Disgruntled Employee Solicitation”)

The primary author of the insider threat paper is James Scott, co-founder and senior fellow at ICIT. The new brief is titled: “In 2017, the insider threat epidemic begins.”

On recommendations, Mr. Scott said, “The best protection against insider threat is a basic level of layered security-by-design endpoint protection paired with a combination of solutions that secure data according to its value, according to the principle of least privilege, and according to role-based access controls, as well as other technical controls, and that monitor personnel and users using bleeding-edge artificial intelligence, big data analytics, and solutions that automate cyberhygiene and ensure verifiable accountability trails.”

The solutions offered in the report are vast as well as rather complex. They include nontechnical controls such as:

  • Utilize the Information Security Team
  • Heed the Information Security Team
  • Hire Trusted Personnel
  • Cultivate a Culture of Trust
  • Effectively Communicate
  • Appreciate Personnel
  • Train Personnel to Defend the Organization

Policies, procedures and guidelines:

  • Principles of Least Privilege
  • Limit Access According to Duties
  • Segregate Administrative Duties Based on Roles
  • Address Cybersecurity in SLAs (service level agreements)
  • COTS (commercial-off-the-shelf software)

Technical Controls:

  • Data Encryption
  • Network Segmentation
  • Predictive Artificial Intelligence
  • Security Information and Event Management (SIEM)
  • User and Entity Behavior Analytics (UEBA)
  • Identity and Access Management
  • Data Loss Protection (DLP)
  • User Activity Monitoring

Other resources include the National Insider Threat Task Force (NITTF):

  • Co-Chaired: DNI and U.S. Attorney General
  • Agencies with Classified Networks are Required to Establish Insider Threat Detection and Prevention Programs Aligned with NITTF
  • NITTF Provides Assessments, Training, Assistance, Education

Additional Helpful Resources on Insider Threats

This is not the first time, nor will it be the last that this insider threat topic is brought up in the Lohrmann on Cybersecurity & Infrastructure blog. As a reminder, this topic was even hot back in 2010 when I wrote the blog: “Are you an insider threat?” for CSO Magazine. 

I also wrote my views on Edward Snowden, which haven’t changed much, touching on insider threat topics as well. Yes — some good has come from Snowden, but the ends do not justify the means, in my opinion.

Other good reports and publications on addressing insider threats are available at:

Final Thoughts

Regardless of your views on individuals such as Edward Snowden or interest in national defense issues surrounding insider threats, we all face similar insider threat challenges in our workplaces. The many reports and presentations offered for free by ICIT are an outstanding set of resources that I highly recommend your teams take time to review.

I also want to give a shout-out to the ICIT Annual Forum (June 7 in D.C.).

The insider threat issues within cybersecurity and physical security are increasing worldwide. Small, medium and large-sized organizations need to take immediate action to address this growing challenge. These materials can show you how. 

Find naming rules for Azure resources

Original Article Here

Q. Are the rules for the naming of Azure resources documented?

A. Yes. At all the rules and restrictions for naming of Azure resources are listed. It is a good idea to create a naming convention for your resources that adheres to these rules and restrictions. This avoids deployments failing because of bad naming.
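An added example of what “a naming convention that adheres to the rules” can look like in practice, checked before anything is deployed. This is not code from the original answer; the rules encoded below are my reading of Azure’s published naming restrictions for three resource types at the time of writing and should be verified against the current documentation, and the convention tokens (organisation, environment, workload, region) are an assumption.

```python
"""Validate Azure resource names against per-type rules before deployment.

Added example, not from the original Q&A. The rules are an assumption based on
Azure's published naming restrictions at the time of writing; confirm them
against the current documentation. The naming convention is also assumed.
"""
import re

# Per-type rules (assumed): regex for the allowed form, an optional extra
# predicate for constraints a regex expresses poorly, and a human-readable hint.
RULES = {
    "storage_account": {
        "pattern": r"[a-z0-9]{3,24}",
        "hint": "3-24 characters, lowercase letters and digits only",
    },
    "resource_group": {
        "pattern": r"[A-Za-z0-9_.()\-]{1,90}",
        "extra": lambda n: not n.endswith("."),
        "hint": "1-90 characters: letters, digits, _ . ( ) -; cannot end with a period",
    },
    "key_vault": {
        "pattern": r"[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]",
        "extra": lambda n: "--" not in n,
        "hint": "3-24 characters, start with a letter, end with a letter or digit, "
                "letters/digits/hyphens only, no consecutive hyphens",
    },
}

# Short type suffix appended by the convention (assumed).
TYPE_SUFFIX = {"storage_account": "st", "resource_group": "rg", "key_vault": "kv"}


def build_name(kind, *parts):
    """Compose a name from convention tokens (org, env, workload, region, ...).

    Tokens are lower-cased and joined with hyphens, then the type suffix is
    added. Storage accounts accept no separators, so hyphens are stripped there.
    """
    tokens = [p.strip().lower() for p in parts if p and p.strip()]
    tokens.append(TYPE_SUFFIX[kind])
    name = "-".join(tokens)
    if kind == "storage_account":
        name = re.sub(r"[^a-z0-9]", "", name)
    return name


def validate(kind, name):
    """Return (ok, hint): ok is True when the name satisfies the type's rules;
    hint explains the rule that failed, or is None on success."""
    rule = RULES[kind]
    ok = re.fullmatch(rule["pattern"], name) is not None
    if ok and "extra" in rule:
        ok = rule["extra"](name)
    return (ok, None if ok else rule["hint"])


def check_plan(plan):
    """Validate every (kind, name) pair in a deployment plan; return the failures
    as (kind, name, hint) so they can be fixed before the deployment runs."""
    failures = []
    for kind, name in plan:
        ok, hint = validate(kind, name)
        if not ok:
            failures.append((kind, name, hint))
    return failures


if __name__ == "__main__":
    plan = [
        ("resource_group", build_name("resource_group", "cx", "prod", "bill", "eus")),
        ("storage_account", build_name("storage_account", "cx", "prod", "bill", "eus")),
        ("key_vault", build_name("key_vault", "cx", "prod", "bill", "eus")),
        ("storage_account", "Billing-Data"),  # deliberately bad: uppercase and hyphen
    ]
    for kind, name in plan:
        print(kind, name, validate(kind, name))
    print("failures:", check_plan(plan))
```

Running the validator as a pre-deployment step (for example in the pipeline that renders the templates) turns a failed deployment into a build error with a readable hint, which is the whole point of fixing the convention up front.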

Illinois State University cybersecurity program gets $3M

Original Article Here

Illinois State University is getting a $3 million boost for its new cybersecurity program that’ll start this fall.

The (Bloomington) Pantagraph reports that Bloomington-based State Farm is giving the university the money. Most of it will be used to create an endowed chair position with the rest of it going to program enhancements and renovating space.

ISU President Larry Dietz says the innovative new major can help students succeed in a technology-driven world.

The cybersecurity program was approved by the Illinois Board of Higher Education in December.

Officials say they’ll develop new lab space for the program.

Roughly 21,000 undergraduate and graduate students attend ISU.

Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw

Original Article Here

Microsoft quietly patched a critical vulnerability Wednesday in its Malware Protection Engine. The vulnerability was found May 12 by Google’s Project Zero team, which said an attacker could have crafted an executable that when processed by the Malware Protection Engine’s emulator could enable remote code execution.

Unlike a May 9 emergency patch for what Google researchers called the worst Windows vulnerability in recent memory, this week’s bug was a silent fix, said Project Zero researcher Tavis Ormandy, who privately disclosed it to Microsoft. The previous zero day (CVE-2017-0290) was also in the Microsoft Malware Protection Engine, running in most of Microsoft’s antimalware offerings bundled with Windows.

“MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed,” Ormandy wrote. “Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.”

That exposed the MsMpEng engine to a number of different problems such as giving attackers the ability to carry out various input/output control commands.

“Command 0x0C allows you to parse arbitrary attacker-controlled RegularExpressions to Microsoft GRETA (a library abandoned since the early 2000s)… Command 0x12 allows you to load additional ‘microcode’ that can replace opcodes… Various commands allow you to change execution parameters, set and read scan attributes and UFS metadata. This seems like a privacy leak at least, as an attacker can query the research attributes you set and then retrieve it via scan result,” Ormandy wrote.

Neither Microsoft nor Google returned requests for comment.

“This was potentially an extremely bad vulnerability, but probably not as easy to exploit as Microsoft’s earlier zero day, patched just two weeks ago,” said Udi Yavo, co-founder and CTO of enSilo, in an interview with Threatpost.

The fact the MsMpEng isn’t sandboxed is also notable, said Yavo. He said most Windows applications such as Microsoft Edge browser are sandboxed. That means an adversary targeting Edge would have to exploit a vulnerability in Edge and then escape the sandbox to cause harm. “MsMpEng is not sandboxed, meaning if you can exploit a vulnerability there it’s game over,” Yavo said.

Yavo also notes that while both bugs are tied to the same MsMpEng engine they exploit different aspects of the service. The vulnerability patched Thursday is tied specifically to the way the emulator processes files, whereas the previous vulnerability was tied to the MsMpEng’s JavaScript interpreter.

Ormandy notes another unique aspect of this bug in Microsoft’s Malware Protection Engine. “The emulator’s job is to emulate the client’s CPU. But, oddly Microsoft has given the emulator an extra instruction that allows API calls. It’s unclear why Microsoft creates special instructions for the emulator. If you think that sounds crazy, you’re not alone,” he wrote.

Microsoft did not issue a security advisory regarding this patch, as it did for the previous zero day. Users don’t have to take any action if their security products are set to the default, which will update their engines and definitions automatically.

Kaspersky to US: Check Our Source Code

Original Article Here

Cybersecurity expert Eugene Kaspersky has volunteered to turn over his company’s software source code to allay fears about possible ties with the Russian government, The Australian reported last week. Kaspersky made the offer public at CeBIT Australia.

Some U.S. officials have expressed concerns that Kaspersky Lab might have a close working relationship with the Russian government.

Kaspersky five years ago replaced a number of high-level managers with people who had ties to Russia’s military or intelligence services, Bloomberg reported in 2015.

Some of them reportedly have provided data from the 400 million customers using Kaspersky’s software to Russia’s intelligence agency, the FSB.

Also, Kaspersky himself reportedly visits saunas with Russian officials on a regular basis.

Kaspersky studied at a university backed by the KGB — the precursor of the FSB — in the 1980s, according to reports, and he served as a software engineer with Soviet military intelligence before leaving for the private sector.

The heads of five U.S. intelligence agencies recently expressed suspicions regarding Kaspersky Lab to the U.S. Senate Select Committee on Intelligence, but they “don’t have an option due to political reasons,” Kaspersky suggested on Reddit.

“Recently, inaccurate statement and claims about Kaspersky Lab have circulated in public,” the company said in a statement provided to TechNewsWorld by corporate communications manager Denise Bertrand.

“Eugene never worked for the Russian government,” Kapersky Lab contended. “He grew up in the Soviet Union era when almost every education opportunity was sponsored by the government in some manner.”

The university Kaspersky studied at “was sponsored by four state institutions, one of which was the KGB,” Kaspersky Lab said. He was placed at a Russian Ministry of Defense scientific institute as a software engineer upon graduating, because “it was routine for university faculty to determine students’ post-graduate positions.”

Stirring a Hornet’s Nest

Kaspersky did itself no favors with its all-out pursuit of hackers and malware authors linked to the U.S.

It has uncovered sophisticated malware or spyware connected to U.S. intelligence sources, including Stuxnet, Flame, Shamoon, and The Equation Group.

Kaspersky didn’t seem to look equally hard for state-sponsored malware released by Russia, an acknowledged haven for cybercriminals.

Possibly because of that, and also because of the controversy surrounding Russia’s possible meddling in the U.S. presidential elections, Kaspersky now is under the microscope.

The FBI is looking into Kaspersky’s ties with the Russian government, as is the Senate.

Separately, the NSA and the UK’s GCHQ reportedly have been trying to hack into Kaspersky for years.

Is Kaspersky Targeted Unfairly?

The NSA could be behind the latest scrutiny of Kaspersky Lab and its CEO.

“It’s always dangerous to piss off three-letter agencies,” said Rob Enderle, principal analyst at the Enderle Group.

“Doing so while operating out of Russia would be even more problematic,” he told TechNewsWorld.

“However, the likelihood of Kaspersky maintaining a wall between its work with the FSB and Russian government, and its work with other clients is effectively zero,” said Michael Jude, a program manager at Stratecast/Frost & Sullivan.

Like a John LeCarre Novel

The situation is “like a John LeCarre novel come to life,” said Laura DiDio, principal analyst at ITIC.

“You’re not going to be able to prove absolutely whether or not Kaspersky has ties to the Russian government,” she told TechNewsWorld.

“He has done all he can do — offer to give the U.S. government his source code,” she pointed out.

“The problem isn’t whether Russia built a back door into the Kaspersky code, but that Russia may have copies of the source code,” Jude told TechNewsWorld.

“Regardless of whom Kaspersky turns his code over to, his reputation is shot,” Jude said. “If it’s Russia, the U.S. market is dead; if it’s the U.S., then just about every non-U.S. market is dead.”

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology. Email Richard.

Mastercard upgrades Masterpass platform in Brazil

Original Article Here

Mastercard has brought the second generation of its Masterpass digital payments platform to Brazil.

The latest version of the service includes a more responsive design for mobile devices and the ability to recover passwords via SMS or email.

Other highlights of the Masterpass platform include automatic digital wallet identification – a feature that promises to securely store user payment and shipping info – and a dynamic button that displays the information of the user’s financial institution at the time of payment.

New features also include simpler access to the digital wallet, the user’s password being the only information required to authenticate payments at the end of purchases.

A number of large Brazilian retailers use Masterpass’s digital payments platform, including fast food chain Bob’s, ticket company, as well as furniture and DIY chains Etna and C&C.

British Airways cancels flights after major computer outage – CNET

Original Article Here

Travelers stranded at Heathrow Airport’s Terminal 5 after British Airways canceled flights due to an IT systems failure.

Daniel Leal-Olivas/Getty Images

A huge IT meltdown at British Airways caused the airline to cancel all flights out of London’s Heathrow and Gatwick airports Saturday, during one of Britain’s busiest holiday weekends.

“We are working hard to get our customers who were due to fly today onto the next available flights over the course of the rest of the weekend,” the airline said in an update on its website Saturday afternoon local time, adding that people who can’t get a flight will get a full refund.

The company didn’t respond to a request for more information.

BA said in the update that the “major IT system failure” had also affected its call centers and website. The airline said some flight disruptions might continue into Sunday but that it expects most long-distance flights set to land in London tomorrow to arrive as scheduled.

The company told CBS News there was no evidence of a cyberattack.

It’s not the first time computer problems have caused hassles at BA. In July and September, issues with the airline’s check-in systems caused global delays and long lines.

Other airlines have wrestled with network outages too. In August, Delta passengers were stranded after a power failure knocked out the company’s computer systems. And in July, Southwest Airlines customers were forced to kill time after tech problems delayed flights.

What is an App Service Environment

Original Article Here

Q. What is an App Service Environment?

A. Ordinarily, to deploy Azure App Service solutions, an App Service Plan is created and the app is deployed to it. An App Service can be linked to a virtual network through a point-to-site connection, but the plan itself still runs on shared infrastructure. An App Service Environment (ASE) is a dedicated deployment of App Services that is created within your virtual network, providing network isolation. As a best practice, deploy to an empty subnet to avoid. Using an ASE also enables public-facing services via a VIP, or internal ones via an Internal Load Balancer.

Scaling an App Service Plan

Original Article Here

Q. When I scale an Azure App Service Plan does it impact all applications deployed to it?

A. Yes. An App Service Plan is created which is of a certain type and size. Scale operations are applied at a service plan level. Applications are then deployed to an App Service Plan and multiple applications can be deployed to the same App Service Plan. As the App Service Plan scales all applications scale uniformly with the plan. You cannot independently scale an application, only the plan.

5 Ways To Test Your Computer's Security – Komando

Original Article Here

The moment you log onto the internet, your computer starts its game of Russian Roulette. I know that sounds bleak and frightening, but it’s true. Your personal data stored on the hard drive is a magnet for hackers and cybercriminals, and they will stop at nothing to break into your system.

These attacks are often overt and frightening. Virtual bandits have committed wave after wave of digital crimes. They have extorted untold Bitcoin dollars from regular users desperate to decrypt their files.

Tip in a Tip: Just a few weeks ago, ransomware affected some 200,000 Windows computers all over the world. Click here to learn how to protect yourself from ransomware attacks.

So how do you know if the security you set up on your computer really works?

Hackers use many different methods to invade your computer, so you’ll want to approach the problem from several angles. Think of it like a rancher leaning on the fence to make sure it’s still sturdy. Here are some ways to keep that fence from falling over.

1. Test your settings

The first tool in your arsenal is Microsoft Baseline Security Analyzer. This free tool examines your Windows and Office settings for any potential problems, especially contamination.

First, MBSA will test your user account passwords and let you know if any account has a weak or disabled password, which is easy prey for hackers.

MBSA will also check many of your account settings. Is your computer set up to get automatic updates? Do you have more than one administrator account on the computer? This software will check all of that information for you.

MBSA also has guides to what settings are preferred and why. Just click the “What was scanned” or “Result details” links to read them.

Also, pay attention to your shared folders. MBSA will show you folders set up for sharing. You may have opened up some private folders in the past, so anyone on your network can access files in these folders. Make sure you’re only sharing what you meant to share, and with whom. Click here to learn more about MBSA and download this free tool.

2. Update your browser plugins

I’ve said it before, and I’ll say it again: Keep your browser updated. Only the latest, safest version will help protect you from infections and attacks.

But an up-to-date browser is just the beginning. You need to make sure your browser plug-ins are up to date as well. Just like an old browser, an outdated plug-in leaves your browser and your computer vulnerable.

Open up the browsers on your computer, even the ones that you don’t use, and go to Mozilla’s Plugin checker. It will show you every plug-in installed on the browser and whether it’s up to date. Even though it’s the same company that makes Firefox, the Plugin checker works for Internet Explorer, Chrome, and other browsers.

If you want to remove any plug-ins or toolbars you find, follow the instructions I provide here.

Could the UK be about to break end-to-end encryption? – TechCrunch

Original Article Here

Once again there are indications the UK government intends to use the law to lean on encryption. A report in The Sun this week quoted a Conservative minister saying that should the government be re-elected, which polls suggest it will, it will move quickly to compel social media firms to hand over decrypted data.

The paper quoted an unnamed government minister saying: “The social media companies have been laughing in our faces for too long”, and suggested that all tech companies with more than 10,000 users will face having to significantly adapt their technology to comply with the decryption law.

The relevant Statutory Instrument, to enable UK government agencies to obtain warranted access to decrypted data from communications service providers, currently sitting in draft form, will be voted through parliament within weeks of a new government taking office after the June 8 general election, according to the report.

As is typically the case when strong encryption comes back under political pressure in the modern Internet age, this leaked hint of an impending ‘crack down’ on tech firms came hard on the heels of another terrorist attack in the UK — after a suicide bomber blew himself up at a concert in Manchester on Monday evening. The underlying argument is that intelligence agencies need the power to be able to break encryption to combat terrorism.

Strong encryption, cryptic answers

The problem — as always in this recurring data access vs strong encryption story — is that companies that use end-to-end encryption to safeguard user data are not able to hand over information in a readable form as they do not hold the encryption keys to be able to decrypt it.

So the question remains how can the government compel companies to hand over information they don’t have access to?

Will it do so by outlawing the use of end-to-end encryption? Or by forcing companies to build in backdoors — thereby breaking strong encryption in secret? The latter would arguably be worse since government would be opening app users up to potential security vulnerabilities without letting them know their security is being compromised.

The UK government has been rubbing up against this issue for years. At the back end of last year it passed the Investigatory Powers Act, which threw up questions about the looming legal implications for encrypted communications in the UK — owing to a provision that states communications service providers may be required to “remove electronic protection of data”.

It’s those powers that ministers are apparently intending to draw on to break social media firms’ use of strong encryption.

During the scrutiny process of the IP bill last year, ministers led a merry dance around the implications of the “electronic protection” removal clause for e2e encryption. The best interpretation of this was that the government was trying to frame a law that encouraged tech platforms to eschew the use of strong encryption in order not to risk falling outside the scope of an unclear law.

“He seems to be implying that providers can only provide encryption which can be broken and therefore can’t be end-to-end encryption,” was Lord Strasburger’s assessment of the government response to questions on the topic last July.

No clarity has emerged since then; the legality of e2e encryption in the UK remains as fuzzy as ever. To break or not to break, that is the question?

Arguably, as Strasburger suggested, this is strategic; intentional obfuscation on the part of the UK government — to spread FUD as a strategy to try to discourage use of a technology their intelligence agencies view as a barrier to their work.

But the problem for the government is that use of e2e encryption has been growing in recent years as awareness of both privacy risks and cyber security threats have stepped up, thanks to data breach scandal after data breach scandal, as well as revelations of the extent of government agencies’ surveillance programs following the 2013 Snowden disclosures.

Not holding encryption keys allows tech firms to step outside the controversy related to digital snooping and to bolster the security cred of their services. Yet, as a result, popular services that have championed strong encryption are increasingly finding themselves in the crosshairs of government agencies. Be it the Facebook Messenger app, or Facebook’s WhatsApp messaging platform, or Apple’s iOS and iMessage.

After another terror attack in London in March, UK Home Secretary Amber Rudd was quick to point the finger of blame at social media firms — saying they should not provide “a secret place for terrorists to communicate with each other”, and asserting: “We need to make sure that our intelligence services have the ability to get into situations like encrypted WhatsApp.”

Of course she did not explain how intelligence agencies intended to “get into” encrypted WhatsApp. And that earlier political pressure on encryption morphed into calls for social media firms to be more proactive about removing terrorist content from their public channels. At least publicly. Discussions held vis-a-vis encryption were not made public.

But again, if the latest reporting is to be believed, Rudd is intent on breaking strong encryption after all.

Exceptional access, unacceptable risk 

It’s worth revisiting Keys Under Doormats, the paper written by a group of storied security researchers back in 2015, re-examining the notion of so-called “exceptional access” for security agencies to encryption systems — at a time when debate had also been re-ignited by politicians calling for ‘no safe spaces for terrorists’.

The report examined whether it is “technically and operationally feasible to meet law enforcement’s call for exceptional access without causing large-scale security vulnerabilities” — posing the question of whether it’s possible to build in such exceptional access without creating unacceptable risk?

Their conclusion was clear: exceptional access without unacceptable risk is not possible, they wrote. Nor is it clear it would even be feasible given how the services in question criss-cross international borders.

Here’s one key paragraph from the paper:

Designing exceptional access into today’s information services and applications will give rise to a range of critical security risks. First, major efforts that the industry is making to improve security will be undermined and reversed. Providing access over any period of time to thousands of law enforcement agencies will necessarily increase the risk that intruders will hijack the exceptional access mechanisms. If law enforcement needs to look backwards at encrypted data for one year, then one year’s worth of data will be put at risk. If law enforcement wants to assure itself real time access to communications streams, then intruders will have an easier time getting access in real time, too. This is a trade-off space in which law enforcement cannot be guaranteed access without creating serious risk that criminal intruders will gain the same access. Second, the challenge of guaranteeing access to multiple law enforcement agencies in multiple countries is enormously complex. It is likely to be prohibitively expensive and also an intractable foreign affairs problem.

They further concluded:

From a public policy perspective, there is an argument for giving law enforcement the best possible tools to investigate crime, subject to due process and the rule of law. But a careful scientific analysis of the likely impact of such demands must distinguish what might be desirable from what is technically possible. In this regard, a proposal to regulate encryption and guarantee law enforcement access centrally feels rather like a proposal to require that all airplanes can be controlled from the ground. While this might be desirable in the case of a hijacking or a suicidal pilot, a clear-eyed assessment of how one could design such a capability reveals enormous technical and operational complexity, international scope, large costs, and massive risks — so much so that such proposals, though occasionally made, are not really taken seriously.

One thing the paper did not consider is that much politicking can be primarily intended as a theatre of influence for winning votes from spectators.

And the timing of the latest leaked call for ‘decryption on-demand’ coincides with an imminent UK general election, while also serving to shift potential blame for security failures associated with a terrorist attack that took place during the election campaign off of government agencies — and onto a softer target: overseas tech firms.

As we’ve seen amply in recent times, populist arguments can play very well with an electorate. And characterizing social media companies as the mocking, many-headed pantomime villain of the story transforms complex considerations into a basic emotional attack that might well be aimed at feeding votes back to a governing party intent on re-election.

“…to disclose, where practicable… in an intelligible form”

Returning to UK law, the (still draft) ‘Investigatory Powers (Technical Capability) Regulations 2017‘ is the legal route for placing obligations on comms service providers, under the IP Act, to maintain the necessary technical capabilities to afford government agencies the warranted access on demand that they keep demanding.

Yet exactly what those technical capabilities are remains unclear. (And “vague” technical requirements for exceptional access are also raised as a problem in Keys Under Doormats.)

Among the list of obligations Technical Capability Notices can place on comms service providers is the following non-specific clause:

To provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data, or to permit the person to whom the warrant is addressed to remove such electronic protection.

The document also sets out that decrypted data must be handed over within a day after a CSP has been served a warrant by a government agency, and that CSPs must maintain the capability to intercept simultaneously comms and metadata for up to 1 in 10,000 of their customers.

The technical details of how any encryption perforations could be achieved are evidently intended to remain under wraps. Which means wider data security risks cannot be publicly assessed.

“I suspect that all the vagueness about concrete technical measures is deliberate, because it allows the government to deal with the technical details within a particular technical capability notice, which would be under a gag order, and thus avoid any public scrutiny by the infosec community,” argues Martin Kleppmann, a security researcher at the University of Cambridge who submitted evidence to the parliamentary committees scrutinizing the IP bill last year, and who has blogged about how the law risks increasing cyber crime.

“It’s easy to criticize encryption technologies as providing ‘safe spaces’ for terrorists while forgetting that the exact same technologies are crucial for defence against criminals and hostile powers (not to mention protecting civil liberties),” he adds.

“Intelligence agencies don’t seem to actually want bulk access to encrypted data, but merely want the capability to intercept specific targets. However… if a system allows encryption to be selectively circumvented at the command of an intelligence agency, it’s not really end-to-end encryption in a meaningful sense!”

One possibility for enabling ‘exceptional access’ that has sometimes been suggested is a NOBUS: aka a ‘nobody but us’ backdoor — i.e. a backdoor which is mathematically/computationally impossible to find. However Kleppmann points out that even if the math itself is solid, it merely takes one person with knowledge of the NOBUS to leak it — and then, as he puts it, “all mathematical impossibility goes out of the window”.

“The only way of making a system secure against adversaries who want to harm us is by designing it such that there are no known flaws or backdoors whatsoever, and by fixing it if any flaws are subsequently discovered,” he argues.

Meanwhile, on the vulnerability front, Kleppmann notes that even for users of services with open source components (such as WhatsApp, which uses the respected and independently security reviewed Signal Protocol for its encryption system) there is still a requirement to trust that the company’s servers are doing what they say they are when they hand over keys. That trust could offer a potential route for a government-mandated backdoor to be slipped in.

“With WhatsApp/Signal/iMessage there is the remaining problem that you have to trust their server to give you the correct key for the person you want to communicate with,” he says. “Thus, even if the encryption is perfect, if a government agency can force the server to add the government’s special decryption key to your list of device keys, they can still subvert the security of the system. People are working on improving the transparency of key servers to reduce this problem, but we still have a long way to go.”

“I do believe open source is very helpful here,” he adds. “It’s not a silver bullet, but it makes it more difficult to sneak in a backdoor unnoticed.”
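Kleppmann’s point about the key server is worth seeing in code. The following is an added example, written for this page and not taken from the article, WhatsApp, Signal or iMessage; it models the server as a plain key directory, uses opaque byte strings in place of real public keys and performs no actual encryption. The names KeyDirectory, Client, safety_number and demo are hypothetical. It shows the two client-side checks that exist precisely because the server has to be trusted for key lookup: pinning the key set seen on first use and flagging any later change, and comparing a short fingerprint of the peer’s complete key set out of band (the “safety number” approach). The transparency logs for key servers that Kleppmann mentions are the server-side complement to these checks and are not modelled here.

```python
"""Key-directory substitution and the client-side checks against it.

Added example (not from the article or any messaging app). A messaging
server is modelled as a directory mapping a user to a list of device
public keys. Keys are constructed placeholder byte strings; nothing is
actually encrypted. Hypothetical names: KeyDirectory, Client,
safety_number, demo.
"""
import hashlib


class KeyDirectory:
    """Server-side key directory. Clients must trust that lookup() returns
    only keys the user actually registered; inject_key() models the server
    (or someone able to compel it) breaking that trust."""

    def __init__(self):
        self._keys = {}

    def register(self, user, pubkey):
        self._keys.setdefault(user, []).append(pubkey)

    def lookup(self, user):
        return sorted(self._keys.get(user, []))

    def inject_key(self, user, pubkey):
        # Same storage effect as register(), but without the user's consent.
        self._keys.setdefault(user, []).append(pubkey)


def safety_number(user, keys):
    """Short fingerprint over a user's complete key set. The key owner
    computes it from the devices they actually hold; a peer computes it
    from what the directory served. The two are compared out of band
    (read aloud, scanned), so the directory cannot forge agreement."""
    h = hashlib.sha256(user.encode())
    for k in sorted(keys):
        h.update(b"\x00" + k)
    return h.hexdigest()[:16]


class Client:
    """One user's device. Pins the first key set seen for each peer (trust
    on first use) and reports any later change in that set."""

    def __init__(self, name, directory):
        self.name = name
        self.directory = directory
        self.local_keys = []   # this user's own device keys
        self.pinned = {}       # peer -> tuple of keys first seen

    def add_device(self, pubkey):
        self.local_keys.append(pubkey)
        self.directory.register(self.name, pubkey)

    def own_safety_number(self):
        return safety_number(self.name, self.local_keys)

    def peer_safety_number(self, peer):
        return safety_number(peer, self.directory.lookup(peer))

    def fetch_peer_keys(self, peer):
        """Return the directory's key set for peer plus a status string."""
        keys = tuple(self.directory.lookup(peer))
        if peer not in self.pinned:
            self.pinned[peer] = keys
            return keys, "first-use"
        if keys != self.pinned[peer]:
            new = set(keys) - set(self.pinned[peer])
            return keys, "KEY CHANGE: %d unexpected key(s)" % len(new)
        return keys, "unchanged"


def demo():
    """Alice registers two devices; Bob pins them and the safety numbers
    agree. The directory then adds a third key for Alice that she never
    registered: Bob's client reports a key change and the out-of-band
    safety numbers no longer match."""
    directory = KeyDirectory()
    alice = Client("alice", directory)
    bob = Client("bob", directory)
    alice.add_device(b"alice-phone-key")    # constructed placeholder keys
    alice.add_device(b"alice-laptop-key")

    _, first = bob.fetch_peer_keys("alice")
    before_match = bob.peer_safety_number("alice") == alice.own_safety_number()

    # The server is made to serve an extra "device" for alice.
    directory.inject_key("alice", b"third-party-key")

    _, after = bob.fetch_peer_keys("alice")
    after_match = bob.peer_safety_number("alice") == alice.own_safety_number()
    return {"first": first, "before_match": before_match,
            "after": after, "after_match": after_match}


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-12s %s" % (k, v))
```

Both checks only help if the client surfaces them: a key-change warning that is silently auto-accepted, or a safety number nobody compares, leaves the server as the single point of trust the quote describes.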

Previously, UK government ministers have claimed both that they do not want to ban end-to-end encryption and that they are not demanding backdoors be built into digital services. Although they have also described the rise of e2e encryption as “alarming”.

When interrogated specifically on the e2e question, the former UK Home Secretary (and now UK Prime Minister) said that companies should take “reasonable steps to ensure that they are able to comply with the warrant that has been served on them”.

Yet — and you might be spotting a pattern here — there has been no definition of what those “reasonable steps” might be.

Therefore it remains unclear where the UK’s legal line will be drawn on encryption.

Backdoors and outlaws

If The Sun‘s story is correct, and UK government-ministers-in-waiting are indeed preparing to demand the likes of WhatsApp and Apple hand over decrypted messages then those “reasonable steps” would presumably require an entire reworking of their respective security systems.

And if the companies don’t bow to such demands, what then? Will the UK government move to block access to WhatsApp’s e2e encrypted messaging service? Or ban the iPhone, given that Apple’s iMessage also uses e2e encryption? We just don’t know at this point.

A spokesperson for WhatsApp declined to comment when contacted for a response to this story.

Apple’s press team did not respond to a request for comment either. But the company has a history of strongly defending user privacy — taking to the courts in the US last year to fight the FBI’s demand to weaken iOS security to help facilitate access to a locked iPhone that had been used by a terrorist, for example.

WhatsApp has also had its service blocked multiple times in Brazil after it was taken to court for not handing over decrypted data to law enforcement authorities. Its response? To state in public that it cannot hand over information it does not hold.

However, the legal situation in the UK is different owing to the 2016 IP Act — with its troublesome clause about “removing electronic protection”.

And while there may be fresh moves afoot in the US to introduce a decrypt bill, such legislation has not yet come to pass. Whereas in the UK the relevant law is now framed in such a way that it can be interpreted as requiring CSPs to deliver up decrypted data on warranted demand.

So it’s not apparent that there would be any legal route for Apple to try to fight a decryption order for iMessage — should it be handed one by UK government agencies — given the company has a substantial presence in the UK. (As does Facebook, the parent of WhatsApp.)

“You can’t run a company as an outlaw,” says Danvers Baillieu, former lawyer turned COO for a startup after a stint working for VPN firm, HideMyAss. “If you change the law and it is [a company’s] legal duty to do something they don’t really have a leg to stand on. It’s all very well them saying they’re going to crusade for this and that but they ultimately have to comply with the law.”

“As a VPN provider we obviously told people to get lost the whole time from other countries because we didn’t have a physical presence there and we said we just had to abide by UK law. So we were constantly having services taken down in countries like India and Turkey and other places — because the authorities there would then lean on our local server providers,” he adds.

“But we could get away with it because we weren’t physically there. But the moment you have a physical presence — and the moment we got taken over by a multinational [HMA was acquired by AVG in 2015] we suddenly had to think about these things far more, because suddenly we were part of a multinational with offices in all these countries. And we had to be a lot more sensitive to these things.”

At this point we simply do not know what these multinational tech giants might feel they have to do to their security systems behind closed doors when/if they are being leant on by the full force of UK law — also behind closed doors, as CSPs are forbidden from disclosing the existence of Technical Capability Notices.

And if they’re being leant on to build and test backdoors to afford UK intelligence agencies access to their systems we may never know as there’s no legal route for them to tell their users what’s happening.

Perhaps they’d just remove marketing materials that mention ‘end to end’ encryption from UK versions of their services — and, much like a warrant canary, we’d have to make an inference that a certain service might no longer be trustworthy for UK users from that moment on.

“It would certainly make for some very bad PR, were a company to defy the gag order and make it publicly known,” says Kleppmann. “So maybe in such cases the government would choose not to serve a technical capability notice in the first place, and only rely on cooperation from companies that are happy to cooperate voluntarily. But now we’re really in guesswork territory.”

Meanwhile, plenty of tech services are of course built and maintained by overseas firms or developers with little or no presence in the UK.

Which raises the question of how the government would respond to that workaround for its plan to acquire decrypted data? And whether it would seek to block access to services that offer e2e encryption and cannot be legally compelled to build in backdoors.

A lawyer we spoke to for this story who did not wish to be identified suggested there may be some overseas providers that are willing to “do something” — “if they can find a way to do so, and want the comfort of a legal compulsion”.

For those overseas providers that are adamant they will not remove electronic protection when handed a UK warrant, it’s difficult to say what the government might do. The source suggested they could try blocking access to such services by leaning on other UK-based companies — such as ISPs and multinational app stores.

“We’ve seen in the Digital Economy Act, in the context of overseas porn sites which fail to comply with UK rule, the fall-back position is one of ISP blocking,” they said. “There is also the (seemingly non-binding) approach of having a chat with app store operators and other ‘ancillary service providers’, to encourage them to take action — presumably, removing an app from the store, or the removal of payment services provision from the app/service in question.”

A blocking strategy would be highly unlikely to render it impossible to access all services offering e2e encryption without any government backdoors — so, as ever, the political desire to have an absolute workaround for strong encryption would be doomed to fail. Meanwhile, the cost to mainstream app users of government requiring CSPs to build access exploits into their systems ‘just in case’ would be a greater risk that their communications are hacked, leaked and snooped on.

“I think ultimately the reputable, multinational companies would comply but then you’re always going to have some kid spinning up a service from their bedroom in the middle of nowhere — or you have the latest version of Telegram, or something like that — and then it’s not going to comply. So obviously any sensible criminal or terrorist is not going to use the mainstream ones,” says Baillieu. “Criminals are generally quite dumb about this sort of stuff. But whether that applies to the more motivated terrorists, we just don’t know.”

“I think equally there’s a very good argument to say you should make it hard for these people to do this stuff,” he adds. “They shouldn’t just be able to use the most convenient apps that everyone has on their phone. We should make it difficult for them — and they might slip up… And I think you can make it quite hard for non-compliant apps to get distributed.

“I think a lot of people, probably this week, are feeling a little bit vulnerable. And we have to do something to address this.”

While Baillieu’s view is understandable, given the horror and fear generated by terrorism, it does risk losing sight of the wider, day-to-day risks posed to all users of digital services if governments systematically undermine data security. And we don’t have to look far back in time for an example of the risks.

The WannaCry ransomware, which caused havoc globally earlier this month, including locking out healthcare systems in the UK, utilized an exploit developed by (and leaked from) US intelligence agencies.

So, really, a “clear-eyed assessment” is what’s called for here — despite, and perhaps even because of, the horrors of terrorism.

“These proposals are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm,” is how Keys Under Doormats assessed the “exceptional access” proposals of 2015.

Two years later their assessment would surely be that the risks of seeking to systematically backdoor encryption now are only greater — as more and more systems are being connected and more and more people are dependent on the data they contain.

Yet politicians in positions of power are apparently intent on waging yet another self-defeating crypto war. Where’s the sense in that?

British Airways cancels flights due to 'major IT systems failure'

British Airways has cancelled flights amidst major IT problems.

British Airways has been forced to cancel all flights this afternoon from London airports Heathrow and Gatwick after experiencing a “major IT system failure.”

The airline said that problem is also causing “very severe disruption to our flight operations worldwide”.

It said the terminals at Heathrow and Gatwick have become extremely congested and the airline has cancelled all flights from Heathrow and Gatwick before 6pm UK time today, Saturday 27 May. The IT problems coincide with the start of the half term holidays for a number of schools.

“We are extremely sorry for the inconvenience this is causing our customers and we are working to resolve the situation as quickly as possible,” the company said in a post on Facebook.

On Twitter the company described the problems as a ‘global outage’ and said that it was unable to update its website due to the technical difficulties.

British Airways cancels flights following massive IT crash – UPDATED

British Airways (BA) has cancelled all flights from Heathrow and Gatwick following what it has called a “global system outage”.

Parts of the airline’s website and its travel app are also down at the time of writing.

The carrier tweeted its apologies to customers.

It’s currently unclear what is behind the outage, though according to reports, some ground staff and a pilot at BA initially told passengers that the airline was under attack from hackers.

If it is indeed an attack, it’s possible that it’s linked to the recent WannaCry ransomware outbreak.

Security firms recently told Computing how users should protect themselves from such forms of attack.

Others have suggested that it could simply be a coding glitch.

Bill Curtis, SVP & chief scientist at CAST, said: “Airline computers juggle multiple systems that must interact to control gate, reservations, ticketing and frequent fliers. Each of those pieces may have been written separately by different companies. Even if an airline has backup systems, the software running those likely has the same coding flaw.

“Tracking down a software flaw can be very difficult. It’s like investigating crime; there is a lot of data they’ve got to sift through to figure out what actually happened.”

UPDATE: BA has released a full statement about the crash. A spokesperson at the airline said:

“We have experienced a major IT system failure that is causing very severe disruption to our flight operations worldwide.

“The terminals at Heathrow and Gatwick have become extremely congested and we have cancelled all flights from Heathrow and Gatwick before 6pm UK time today, so please do not come to the airports.

“We will provide more information on Twitter and through airport communication channels as soon as we can for flights due to depart after that time.

“We will be updating the situation via the media regularly throughout the day.

“We are extremely sorry for the inconvenience this is causing our customers and we are working to resolve the situation as quickly as possible.”

Paul’s Security Weekly #515 – Crankin’ Out the Dubs

StarHub buys controlling stake in Accel in cybersecurity boost

StarHub says it plans to acquire a 51 percent stake in Accel Systems & Technologies as part of efforts to boost its cybersecurity offerings.

The all-cash deal, worth S$19.38 million (US$13.99 million), was estimated to close by mid-June, subject to the fulfilment of terms and conditions. The Singapore telco added that the acquisition would enable the company to augment the research and development capabilities of its Cyber Security Centre of Excellence in developing and localising cybersecurity tools.

During the launch of the centre last May, StarHub had inked partnerships with several industry players and local tertiary institutions including Blue Coat, Fortinet, and Republic Polytechnic. The Singapore telco said the Accel acquisition would not impact its existing partnerships in cyber threat monitoring, internet clean pipe, and unified threat management.

It said Singapore-based Accel specialised in security products, consulting, and managed services. Following the merger, the company would operate as an independent subsidiary and retain its existing management team.

StarHub CEO Tan Tong Hai said the acquisition would enable the carrier to offer a “full spectrum” of cybersecurity products and services.

The Singapore telco in October 2016 said it had suffered distributed denial-of-service (DDoS) attacks on its Domain Name Servers (DNS), which it said caused two service outages. This was later found to be inaccurate and the outages were, in fact, the result of a surge in legitimate DNS requests.

Local ICT regulator Infocomm Media Development Authority (IMDA) and cybersecurity lead, Cyber Security Agency of Singapore (CSA), helped investigate the October 2016 incidents and determined the disruptions were due to the inability of StarHub’s DNS servers to handle the high volume of web requests.

Both government agencies said they highlighted areas of improvement in the telco’s home broadband network infrastructure and steps were taken to mitigate further risks, including boosting its home broadband DNS server capacity and enhancing traffic monitoring.

Chipotle: Hackers did to our registers what our burritos did to your colon

Fast food chain cops to POS malware breach

Fast-food chain Chipotle says hackers infected its point of sale terminals to gain access to card data from stores in 47 states and Washington, DC.

The self-described “Mexican Grill” says that the malware was active earlier this year from March 24 to April 18, when it was detected, triggering the company to issue an alert.

“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in its latest summary of the incident.

“There is no indication that other customer information was affected.”

That last sentence is a bit puzzling, as a fraudster who has payment card numbers, dates, and security codes would have little need for any other info.

Chipotle says that while the compromised stores are located in every state save Alaska, Hawaii and South Dakota, not every location was breached. Chipotle’s disclosure page includes a section to check individual stores.

Chipotle recommends that anyone who paid with a card at one of the compromised stores keep a close eye on bank statements and consider having an alert placed to their credit file to catch possible fraud.

The fast food chain is far from alone in falling victim to this type of scam. Hackers have targeted the POS terminals of dozens of retailers, restaurants, and hotel chains with malware payloads that collect and transmit the payment card data of customers, often resulting in the theft of thousands of card numbers. ®

NBlog May 27 – awareness-by-proxy

One of the IoT security issues we explore in June’s awareness module is the use of compromised things as platforms for further attacks – for example not just spying on people but spreading malware or launching exploits against corporate systems and networks, including other things.  
While the preceding brief paragraph hopefully makes perfect sense to those who already have a reasonable understanding or appreciation of IoT security, it won’t resonate with everyone. Although ‘compromise’, ‘platform’, ‘attack’ and ‘exploit’ are ordinary everyday English words, we’re using them here in a particular context with quite specific meanings. The distinction is important in awareness because we are addressing people with varying levels of knowledge and understanding, ranging from next-to-nothing up to expert. It’s fine for them to take away different things from the awareness materials just so long as they all have a reasonable grasp of the same core messages, the learning points. Those form the common ground that we hope will enable and stimulate people to chat about information security matters among themselves, thereby socializing security and ultimately behaving more securely.
One way to tackle the conundrum is to explain ourselves in writing, clarifying precisely what we really mean. That’s entirely appropriate and necessary in some cases … but if over-used the technique quickly becomes tedious*, especially for those towards the high end of the notional expertise scale. Written explanations are a useful means to explain neologisms (newly-coined words) as you see. Written content suits people who enjoy reading, contemplating and learning. It is hard to write about complex topics and nebulous concepts (of which there is no shortage in this field, ‘security awareness’ for instance!), and especially challenging to write clearly for significant segments of the awareness audience who don’t really enjoy or have the time to get into this stuff. After all, that’s the very reason we are into awareness! 
Another approach would be to explain what we really mean in person, interacting with the audiences (whether individually or in groups), empathizing and responding to their body language (such as puzzled looks) as well as addressing their vocalized questions and comments. Face-to-face interaction is a very powerful and effective way to communicate, making it the most valuable awareness-raising technique. However since we can’t personally interact with our customers’ workers on a regular basis, we provide customers with the content and motivation to do it themselves … and that’s where things get really interesting. We’re doing awareness-by-proxy.
Aside from conventional written awareness materials, we find graphics extremely useful because:
  • They are visually appealing, stimulating and engaging, especially for those who don’t enjoy or need a break from reading, or indeed talking (‘death by PowerPoint’ can be an issue for the presenter as well as the audience!);
  • They are universal, unlike English: complex technical documentation can be especially tough going for those who aren’t fluent English speakers;
  • They succinctly express a huge amount of information, not just the literal content but also those ephemeral concepts I mentioned, plus relationships within and beyond the topic area;
  • It is straightforward for us to emphasize important stuff and down-play other aspects through judicious choice of images, sizes, colors, juxtaposition and overlays such as words, boxes, lines and arrows;
  • They prompt the audience to ponder the topic and internalize the points we’ve emphasized (hopefully!);
  • They are interpreted, live in real time, both by the presenter and the audience, putting across the intended learning points at least but there’s plenty of latitude here, far more so than with descriptive text. The particular organizational and social context is often important, such as when someone draws parallels with IoT incidents they have personally experienced.

Here’s an illustrative example (literally!) – an awareness image used as a PowerPoint slide concerning the use of things as attack platforms, jumping off points:
There are just 5 words overlaid on the slide and even they aren’t strictly necessary if the seminar facilitator understands the message, points out the constituent parts and explains their meaning … which I’m not going to do for you now. See what you make of it!
With very few words, the poster images are meant to make people puzzle over the meaning, thinking for themselves and chatting with their colleagues. 
We’re explicitly aiming to catch their imaginations, stimulate contemplation and encourage discussion.
The other awareness materials and activities help fill-in-the-gaps so we don’t feel the need to explain everything on the posters. In fact that kind of spoon-feeding would be counterproductive.
Along similar lines, we use Visio graphics quite a lot, including mind-maps and diagrams, PIGs for instance.
But that’s more than enough words from me for today. Something for you to ponder over the weekend?
* It’s ironic that this blog is so wordy. Sorry. [Note to self: cut the words, boost the graphics! Explore vlogging maybe?]  

TRUMP SCANDAL! No, not that one. Or that one. Or that one. Or that one.

Original Article Here

Hackers target The Donald’s businesses

The FBI and CIA are investigating an attempted hack on the Trump Organization.

According to a report from ABC citing unnamed officials with the intelligence agencies, it is believed someone overseas attempted to breach the President’s international real estate holding company.

The report claims that officials and cybersecurity specialists with both the FBI and CIA met earlier this month with Eric and Donald Trump Jr, who have been running the Trump Organization since their father assumed the Presidency of the United States in January.

The report did not suggest where the hackers may have originated. The Trump Organization has denied any of its data was compromised.

“We absolutely weren’t hacked,” Eric Trump said. “That’s crazy. We weren’t hacked, I can tell you that.”

According to ABC, the meeting took place on May 9th, one day before Trump caused a political firestorm by firing FBI director James Comey in the midst of his investigation into Russian government-backed hackers meddling in the 2016 US election, which saw Trump score a surprise win.

In the months following the election, the FBI and Congress have launched investigations into just how much (if anything) the Trump campaign knew of the Russian meddling.

This is not the first time the Trump Organization has been targeted for cybercrime. First in 2015 and again in 2016, hackers managed to get malware onto the point of sale systems at several Trump hotels.

Those incidents were entirely financial, however, as the attackers were looking to steal the payment card numbers of restaurant customers and hotel guests. This latest incident, given the interest taken by the FBI and CIA, could well have involved a more serious target. ®

The risky ROI on municipal broadband

Original Article Here


What: “Municipal Fiber in the United States: An Empirical Assessment of Financial Performance,” from the University of Pennsylvania’s Law School and the Center for Technology, Innovation and Competition

Why: Municipalities hoping to attract tech-savvy workers and businesses often consider investing in broadband infrastructure, but little evidence exists on the financial viability of such projects. This analysis of specific projects reveals that the risks are substantial, so officials considering a municipal fiber project should carefully assess whether their effort can deliver on its promise.

Findings: Of the 20 municipal fiber projects studied (those that break out the financial results of their broadband operations) over 2010 to 2014, researchers found that 11 generated negative cash flow.

Of the nine cash-flow-positive projects, five have cash flow that is so small that recovering project costs would take far longer (sometimes more than a century) than the 30- to 40-year expected useful life of a fiber network.

Two potential success stories are discussed.  Bristol, Tenn., is on track to recover its project costs within a reasonable life expectancy. The network in Vernon, Calif., generated enough cash flow from 2011 to 2014 to cover its project costs, but it targets primarily business customers, making it an atypical example. In all, seven case studies are presented in which factors for success or failure are discussed.

From the data, the researchers constructed a hypothetical model for the first 14 years of a municipal fiber project and found the time to recover the adjusted project cost per household extends to 125 years.

Acknowledging the small sample size, researchers said their results “should be interpreted with considerable caution.” Yet the results suggest that “the manner in which a municipal fiber project is operated, both in terms of generating revenue and minimizing operating cost, play a more critical role in the success of a municipal fiber project than the upfront capital costs.”

Verbatim: “The simple fact is that financial solvency matters regardless of the presence or absence of other benefits.”

Read the full report here.

About the Author

Susan Miller is executive editor at GCN.


Samba vulnerability brings WannaCry fears to Linux/Unix

Original Article Here

Researchers warn that many Linux and Unix systems contain a Samba vulnerability that could eventually lead to attacks similar to WannaCry or worse, if IT pros don’t remediate quickly.

According to the Samba security advisory, the vulnerability (CVE-2017-7494) affects versions 3.5 (released March 1, 2010) and newer. The Samba vulnerability is remotely exploitable and could allow “a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.”

Nick Bilogorskiy, senior director of threat operations at Cyphort, said although there are no active exploits in the wild, the damage from this Samba vulnerability could be steep.

“Because this vulnerability allows remote code execution, attackers will have full control over a compromised machine, and any payload is possible,” Bilogorskiy told SearchSecurity. “For example, [an attacker could] drop a backdoor, steal data from the system, spy on the user, attack other systems or try to encrypt all data for a ransom.”

Lane Thames, senior security researcher at Tripwire, said exploiting the Samba vulnerability “is a little more difficult than the SMB vulnerability targeted by WannaCry.”

“For example, to exploit CVE-2017-7494 an attacker must find a vulnerable system, then find the path of an appropriate file share on the system, and the attacker must be either authenticated with the vulnerable Samba server or the share must be available to be written to without authentication,” Thames told SearchSecurity. “Regardless, enterprises should move fast to patch this vulnerability and ensure that no unnecessary Samba services are exposed to the internet.”

Samba vulnerability remediation

Research from Rapid7 Labs said attacks on this Samba vulnerability could come over the same port 445 used to access SMB on Windows machines, but port 139 could also expose endpoints to attack. Rapid7 suggested “organizations should review their firewall rules to ensure that SMB/Samba network traffic is not allowed directly from the internet to their assets.”

A patch has been released and the Samba advisory also noted a potential workaround for those who can’t patch right away.  Samba said adding the argument “nt pipe support = no” to the global section of the Samba configuration file will mitigate the threat, but could have the added consequence of disabling “some expected functionality for Windows clients.”
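The two preconditions quoted above (a share the client can write to, ideally one that needs no authentication) and the advisory's workaround are all visible in smb.conf, so a first triage step is to audit the configuration rather than wait for a scanner. The following is an added example, not code from the article, Samba, Rapid7 or Tripwire. It assumes the smb.conf(5) facts that parameter names are case-insensitive with internal whitespace ignored, that "writeable"/"write ok" are synonyms of "writable" and "public" of "guest ok", that "read only" is the inverse of "writable", that share-level parameters in [global] act as defaults for every share, and that the shipped defaults are "read only = yes", "guest ok = no" and "nt pipe support = yes". The two configurations are constructed samples, not real hosts.

```python
"""Audit smb.conf text for the CVE-2017-7494 preconditions: writable shares
(flagging those writable without authentication) and whether the advisory's
"nt pipe support = no" workaround is present in [global]."""
import re

# Synonyms documented in smb.conf(5); keys are compared lower-cased with
# internal whitespace removed, as Samba itself does.
_SYNONYMS = {"writeable": "writable", "writeok": "writable", "public": "guestok"}
_TRUE = {"yes", "true", "1"}


def _normalise(key, value):
    """Return (canonical_key, value); 'read only' is stored as inverted 'writable'."""
    key = re.sub(r"\s+", "", key.strip().lower())
    key = _SYNONYMS.get(key, key)
    value = value.strip().lower()
    if key == "readonly":  # 'read only = yes' means 'writable = no'
        return "writable", ("no" if value in _TRUE else "yes")
    return key, value


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}; the last value of a
    parameter wins, matching Samba's handling of repeated parameters."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # whole-line comments only, per smb.conf(5)
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        k, v = _normalise(key, value)
        sections[current][k] = v
    return sections


def audit(text):
    """Return {"nt_pipe_support_disabled": bool,
               "writable_shares": [(share, anonymous_write), ...]}.
    [global] share-level parameters are applied as defaults for each share."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    workaround = glob.get("ntpipesupport", "yes") not in _TRUE  # default is yes
    writable = []
    for name, params in conf.items():
        if name == "global":
            continue
        eff = {**glob, **params}
        if eff.get("writable", "no") not in _TRUE:  # default: read only = yes
            continue
        anonymous = eff.get("guestok", "no") in _TRUE  # default: guest ok = no
        writable.append((name, anonymous))
    return {"nt_pipe_support_disabled": workaround, "writable_shares": writable}


# Constructed sample: the exploit precondition is met on [public] with no
# authentication at all, and the workaround is absent.
WEAK_CONF = """
[global]
   workgroup = CORP
   server string = file01

[public]
   path = /srv/public
   read only = no
   ; anyone on the network can drop a shared library here
   guest ok = yes

[projects]
   path = /srv/projects
   writeable = yes
   valid users = @staff

[docs]
   path = /srv/docs
   read only = yes
"""

# Constructed sample: workaround applied, anonymous write removed; [projects]
# stays writable for authenticated staff, so patching is still required.
HARDENED_CONF = """
[global]
   workgroup = CORP
   server string = file01
   ; advisory workaround; may disable some expected Windows client functionality
   nt pipe support = no

[public]
   path = /srv/public
   read only = yes
   guest ok = no

[projects]
   path = /srv/projects
   writeable = yes
   valid users = @staff
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

Run against the real file with `audit(open("/etc/samba/smb.conf").read())`. A share reported as anonymous-writable is the worst case the Tripwire quote describes; an authenticated-writable share still satisfies the precondition for any attacker holding valid credentials. The check is a configuration triage only: it does not tell you the installed Samba version, and "map to guest" settings or filesystem permissions can widen or narrow what the configuration implies, so it complements rather than replaces patching.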

Thames said the enterprise space will be “concerned with their file and print server systems running on top of Linux and Unix operating systems that use Samba,” but warned that storage solutions “can also pose a significant risk.”

“Most of these storage devices use embedded Linux and Samba for their file sharing functionalities. Moreover, it is these types of devices that are likely to be the most troublesome for us with this vulnerability,” Thames said. “Enterprise server vendors are moving fast to push out patches to enterprise customers for this Samba vulnerability. However, [network-attached storage] vendors might not move so quickly on this and in some cases they might not even issue patches for this.”

Samba vs WannaCry

Craig Williams, senior technical leader at Cisco Talos, said the comparisons between this Samba vulnerability and WannaCry “are due to the fact that both of these issues affected the same protocol.”

“Samba is basically what [Linux/Unix] systems use to talk to Windows file stores and printers,” Williams told SearchSecurity. “That said, to date we have not seen a worm or even an exploit with a ransomware payload though this could change at any second.”

Bilogorskiy said although WannaCry makes better headlines, the better comparison was to EternalBlue — the SMB vulnerability exploited by WannaCry — because “right now we are dealing with a vulnerability, not malware yet.”

“If a worm is discovered exploiting this Samba vulnerability, then yes, WannaCry comparisons are warranted and there are ways how it may even be worse than WannaCry. WannaCry hit Windows systems, more than 60 days after the patch. Most of them had auto-update enabled and were not vulnerable,” Bilogorskiy said. “Any Samba worm may hit Linux and Unix servers, where most do not have auto-update enabled. In fact some of these Unix systems work for years without any maintenance. Also, unlike workstations, most of them are always on, users never power them off. So [there are] more online unpatched targets for a worm to infect.”           

Video: Follow these tips to protect your network from ransomware

Original Article Here


TippingPoint Threat Intelligence and Zero-Day Coverage – Week of May 22, 2017

Original Article Here

For those of you who follow the National Football League (NFL), do you remember Super Bowl 47? I wasn’t exactly thrilled about the teams that played since I’m not a 49ers or Ravens fan. What was interesting about the game is that it was halted for over half an hour in the third quarter because of a power outage, earning that game the nickname of “Blackout Bowl.” Although it was eventually ruled a power surge issue, there were many, including me, that thought there could have been foul play involved.

There is always potential for a cyberattack against our electrical grid and public safety computer systems – especially during the biggest game of the year!

We have placed an emphasis on threat intelligence for our customers’ supervisory control and data acquisition (SCADA) networks for over a decade. Earlier this week, the Zero Day Initiative (ZDI) presented a session on their extensive analysis of more than 250 security vulnerabilities in SCADA human machine interface (HMI) systems from 2015-2016 at the Positive Hack Days conference in Moscow. Their research efforts, which included vulnerabilities acquired through the ZDI bug bounty program, found that most of these vulnerabilities are in the areas of memory corruption, poor credential management, lack of authentication/authorization and insecure defaults, and code injection bugs, all of which are preventable through secure development practices.

ZDI has released the companion paper that provides the details of what was covered in their presentation. You can access the full report and read commentary from Brian Gorenc here:

Zero-Day Filters

There are 18 new zero-day filters covering three vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Foxit (1)

  • 28323: ZDI-CAN-4816: Zero Day Initiative Vulnerability (Foxit Reader) 

Hewlett Packard Enterprise (2)

  • 28287: ZDI-CAN-4759-4761: Zero Day Initiative Vulnerability (HPE Intelligent Management Center)
  • 28318: ZDI-CAN-4808-4809: Zero Day Initiative Vulnerability (HPE Intelligent Management) 

Trend Micro (15)

  • 28282: HTTPS: Trend Micro InterScan Web Security TestingADKerberos Command Injection (ZDI-17-217)
  • 28293: ZDI-CAN-4645,4649: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28295: ZDI-CAN-4648: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28296: ZDI-CAN-4657,4806: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28297: ZDI-CAN-4658: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28298: ZDI-CAN-4666: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28300: ZDI-CAN-4679: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28301: ZDI-CAN-4691: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28302: ZDI-CAN-4779: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28303: ZDI-CAN-4781: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28310: ZDI-CAN-4782-4783,4787: Zero Day Initiative Vulnerability (Trend Micro Mobile Security)
  • 28311: ZDI-CAN-4786: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28312: ZDI-CAN-4791: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28313: ZDI-CAN-4792-4793,4796: Zero Day Initiative Vulnerability (Trend Micro Mobile Security)
  • 28317: ZDI-CAN-4794: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

Video: Which version of Windows was most affected by WannaCry?

Original Article Here


​Optus, LifeJourney launch online cybersecurity experience for students – ZDNet

Optus, in partnership with LifeJourney International, has launched an online cyber education program for secondary school, TAFE, and university students, aiming to beef up the country’s ability to defend against cyber threats in the future.

The Optus Cyber Security Experience hopes to address the cyber skills shortage in Australia by delivering free online cybersecurity education courses for students, allowing them to experience a day in the life of an Optus cyber expert.


Speaking at the launch in Macquarie Park, Sydney on Tuesday, David Caspari, VP of Optus Business, reiterated the concern of many of his peers that cybersecurity is the number one issue facing businesses not only in Australia but globally.

“Addressing cybersecurity continues to get more complex in the increasingly sophisticated threat landscape; it’s a constant challenge for Australian organisations to keep up with the expertise, capabilities, and resources needed to stay ahead of all these threats,” he said, adding that technology and infrastructure is only one piece of the cybersecurity puzzle.

“Having the right resources to analyse, decipher, and respond to cyber threats is critical and the significant global shortage of cyber in the workforce to meet these needs

“To effectively combat today’s cyber threats, we cannot do it alone. Industry, academia, and government must come together to share knowledge to comprehensively understand our cybersecurity defence in Australia.”

According to LifeJourney, this skills shortfall will amount to 2 million cybersecurity professionals by 2019.

“We can steal each other’s talent, but that’s not what it’s about,” Vaughan Paul, Optus VP of HR, added during the launch. “We have to start at grass roots level. We have to skill up our current workforce and skill-up educators to address the demand that’s out there.”

The Optus Cyber Security Experience provides a career simulation experience for students, and forms part of LifeJourney’s Day of STEM program, which launched in Australia in September last year and now includes a separate Women in STEM initiative.

The experience will see students learning about the types of courses and STEM subjects they need if they are interested in a career in cyber-related fields, including in the finance, education, and healthcare sectors.

The online platform allows students to explore what it is like to have a career in such fields, and will see cyber experts, including Optus’ cyber risk consultant Sophie Brown, act as virtual mentors and share their personal career journeys through the online program.

Moving through the platform, students are introduced to their mentors and are then shown what their usual work day consists of. It then continues to ask questions of the students about the future they see themselves having by allowing them to shortlist their future resume, then being shown the skills they will need to get there.

The program is also supported by Macquarie University, La Trobe University, and Deakin University, which are partnering to connect students with new cyber-related courses and degree pathways in a bid to teach the skills and activities involved in a cyber attack, and the importance of combating the growing volume of cyber threats.

“The cyber skills gap is a critical issue for the nation and education is key to addressing this challenge, if we want to be prepared and internationally competitive,” added David Wilkinson, deputy vice chancellor of Corporate Engagement and Advancement at Macquarie University.

The new partnership will see Barker College on Sydney’s north shore become Australia’s first secondary school to sign up to the cyber experience.

In addition, the program also provides a Cyber Teacher Certification program for teachers to deliver cybersecurity learnings to their students.

Optus Business opened its Advanced Security Operations Centre (ASOC) alongside Trustwave in November, offering managed cybersecurity services to enterprise and government customers.

The ASOC joined Optus and parent company Singtel’s network of security operations centres, aiming to provide customers with access to data analytics, automated incident response, and threat intelligence.

Optus Business also co-invested AU$8 million alongside La Trobe University in Melbourne last October to form a cybersecurity degree that is focused on developing multi-disciplinary courses, research programs, and scholarships for students to study cybersecurity.

The cyber degree followed the AU$10 million co-investment Optus Business made with Macquarie University in May to establish a cybersecurity hub that will provide research, degree programs, executive and business short courses, professional recruiting opportunities, and consultancy services to the private sector and government agencies.

In September, Optus Business added cybersecurity prevention, detection, and monitoring capabilities to its government and enterprise managed security services portfolio, with the solution running on the Palo Alto Networks Next-Generation Security Platform.

Analyzing Cyber Insurance Policies


There’s a really interesting new paper analyzing over 100 different cyber insurance policies. From the abstract:

In this research paper, we seek to answer fundamental questions concerning the current state of the cyber insurance market. Specifically, by collecting over 100 full insurance policies, we examine the composition and variation across three primary components: The coverage and exclusions of first and third party losses which define what is and is not covered; The security application questionnaires which are used to help assess an applicant’s security posture; and the rate schedules which define the algorithms used to compute premiums.

Overall, our research shows a much greater consistency among loss coverage and exclusions of insurance policies than is often assumed. For example, after examining only 5 policies, all coverage topics were identified, while it took only 13 policies to capture all exclusion topics. However, while each policy may include commonly covered losses or exclusions, there was often additional language further describing exceptions, conditions, or limits to the coverage. The application questionnaires provide insights into the security technologies and management practices that are (and are not) examined by carriers. For example, our analysis identified four main topic areas: Organizational, Technical, Policies and Procedures, and Legal and Compliance. Despite these sometimes lengthy questionnaires, however, there still appeared to be relevant gaps. For instance, information about the security posture of third-party service and supply chain providers is notoriously difficult to assess properly (despite numerous breaches occurring from such compromise).

In regard to the rate schedules, we found a surprising variation in the sophistication of the equations and metrics used to price premiums. Many policies examined used a very simple, flat rate pricing (based simply on expected loss), while others incorporated more parameters such as the firm’s asset value (or firm revenue), or standard insurance metrics (e.g. limits, retention, coinsurance), and industry type. More sophisticated policies also included information on specific information security controls and practices as collected from the security questionnaires. By examining these components of insurance contracts, we hope to provide the first-ever insights into how insurance carriers understand and price cyber risks.

Public Workshop – Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis, May 18-19, 2017

The Food and Drug Administration (FDA), in association with the National Science Foundation (NSF) and the Department of Homeland Security, Science and Technology (DHS, S&T), is announcing the following public workshop entitled “Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis.” The purpose of this workshop is to examine opportunities for FDA engagement with new and ongoing research, catalyze collaboration among Health Care and Public Health (HPH) stakeholders to identify regulatory science challenges, discuss innovative strategies to address those challenges, and encourage proactive development of analytical tools, processes, and best practices by the stakeholder community to strengthen medical device cybersecurity.

Date, Time and Location:

This meeting will be held May 18-19, 2017, from 8:00 am to 5:00 pm each day, at the following location:

FDA White Oak Campus
10903 New Hampshire Avenue
Bldg. 31, Room 1503
Silver Spring, MD, 20993

Entrance for workshop participants (non-FDA employees) is through Building 1, where routine security check procedures will be performed.


The workshop will not be webcast, but a transcript and slides from the general session will be available on this website in early June 2017.

Additional Information:

Regulatory Science is defined as the science of developing new tools, standards, and approaches to assess the safety, efficacy, quality, and performance of all FDA-regulated products. At the Center for Devices and Radiological Health (CDRH), regulatory science serves to accelerate improving the safety, effectiveness, performance and quality of medical devices and radiation-emitting products, and to facilitate innovative medical devices into the marketplace. The Regulatory Science Subcommittee of the CDRH Center Science Council assessed and prioritized the regulatory science gaps for medical devices based on input from CDRH Offices. Cybersecurity of medical devices was identified as one of the top ten regulatory science gaps. These new regulatory science tools, technologies, and approaches form the bridge to critical advances in public health.

FDA, NSF and DHS, S&T are therefore seeking input to create a framework to address the cybersecurity regulatory science gaps. The scope and nature of this cybersecurity regulatory science research framework is designed to be broad to foster collaboration across all interested stakeholders. The domain is defined by the intersection of safety and security in the design and evolution of medical devices. The objective of the workshop is to facilitate a discussion on the current state of regulatory science in the field of cybersecurity of medical devices, with a focus on patient safety.

The framework may include collaborative research conducted between federal agencies such as NSF, DHS, S&T, academia, medical device industry, and third party experts and other organizations with input from FDA. The collaborative research may include one or more of the following settings.

(a) Intramural cybersecurity research conducted within FDA;
(b) Extramural cybersecurity research in collaboration with other federal agencies (e.g., DHS, S&T); and
(c) Collaborative long term cybersecurity research conducted among federal agencies, NSF, academia, medical device industry, and third party experts and organizations.

Preliminary Agenda

Day and Time


Day 1 (5/18/2017)  
7:30 am Sign-in
8:00 am General session: Introduction and welcome
8:30 am General session: Keynote talks
10:30 am General session: Break
10:45 am General session: Keynote talks
12:15 pm Lunch Break
1:15 pm General session: Keynote talks
2:15 pm Breakout sessions

Breakout session structure:
Discuss topic – 40 min
Internal group report on findings – 5 min
Discussion – 15 min
Break – 15 min

4:30 pm General session: Next day agenda summary, logistics, etc.
5:00 pm Break for the day
Day 2 (5/19/2017)  
8:30 am General session: Announcements, agenda summary, logistics, etc.
8:45 am Break-out sessions
11:00 am General session: Discuss break-out findings using notes taken during the sessions
12:00 pm Lunch Break
1:00 pm General session: Continued discussion of break-out group findings
2:15 pm Break
2:30 pm General session: Discussion of priorities as recommended by break-out groups, and agreement on key takeaways to be included in the workshop report
4:30 pm General session: Concluding remarks
5:00 pm End of workshop

Potential Topics for Discussion:

The workshop sessions are planned to include a number of short opening plenary talks, followed by multiple simultaneous working sessions organized by broad themes. Attendees are encouraged to participate in at least one working session of their choice, providing unique views, insights, and challenges. Each break-out session discussion may include the following discussion elements:

  1. Immediate cybersecurity challenges and potential solutions to facilitate innovative medical devices into the marketplace;
  2. Cybersecurity regulatory science gaps to which solutions can be developed through additional scientific research; and
  3. Long-term cybersecurity research challenges which may need significant additional basic research.

The following is a list of potential topics that may be discussed during the workshop.

What is the nature of the intersection of security vulnerabilities and patient safety, e.g., are there specific subsections of the security field which are more relevant to safety than others? What tools (e.g. automated tools), could be leveraged to aid in risk assessment?

Are “traditional” security solutions sufficient or adaptable given that medical devices have long lifetimes, are difficult to service, and must maintain consistent and high availability, especially if devices are life-sustaining or life-preserving? How does the fact that many medical devices are low-power and/or embedded systems with limited power, processing, memory, and other resources affect the security functions which can be incorporated into devices?

How can “traditional” solutions be adapted to home environments given that home networks are potentially untrustworthy and uncontrolled, and do not have a dedicated IT staff? Moreover, how might we address the concern that no network availability or quality of service guarantees are available, and there is no option for emergency network repair in case of problems? 

How do we resolve the conflicts that may arise between facility IT and biomedical engineers due to occasionally contradictory goals of the two groups regarding, e.g., device access control, safety, security, and availability?

Is there an accepted methodology for expressing the security threat environment (e.g., on a network) to which a medical device may be exposed? Is there a better way to consistently communicate the characteristics and severity of vulnerabilities in a clinical context (e.g. CVSS-like rubrics)?

How can device security features be communicated to operators and/or regulators in a way that allows reasoning about the coexistence of many devices from different vendors simultaneously, (e.g., on a shared network), allowing reasoning about systems of devices rather than individual units?

Are there any examples/case studies of what to do and/or what not to do that facilities and/or manufacturers have encountered? Potential areas of discussion include network instructions for use, patch management strategies, articulation of baseline deployment needs (MDS2, etc.), manufacturer capacity to distribute updates in a timely manner, etc.

How can biomedical engineers, IT, and device operators set up and provision devices for maximum security and safety? What kind of potentially unexpected issues might manufacturers, HDOs, and even home users/operators encounter “in the wild”?  

Are there any notable experiences regarding adapting security to deal with e.g., physical and cost limitations from facilities and/or manufacturers? Potential areas of discussion include detection, vulnerability management, asset management, patterns and elements of secure architectures, integration challenges, etc.

Additional topics may be submitted at the time of registration using the comments text field.

Registration to Attend the Workshop:

If you wish to attend this Workshop, you must register by 4:00 pm on May 4, 2017. When registering, you must provide the following information (all fields are required):

There is no fee to register for the Workshop, but early registration is recommended because seating is limited. FDA may limit the number of participants from each organization. Registrants will receive confirmation when they have been accepted. If time and space permit, onsite registration on the day of the workshop will be provided beginning at 8 a.m. We will let registrants know if registration closes before the day of the workshop.

If you require special accommodations due to a disability, or need additional information regarding registration, please contact Susan Monahan, Office of Communication and Education, Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Avenue, Bldg. 32, Silver Spring, MD 20993, 301-796-5661,

Transcripts: Please be advised that as soon as a transcript of the plenary session portion of the public workshop is available, it will be accessible at It may be viewed at the Division of Dockets Management. A link to the transcript will also be available on the internet at (Select this workshop from the posted events list.)

For questions regarding workshop content please contact:

Dinesh Patwardhan, Ph.D., Food and Drug Administration, Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Ave, Bldg. 64 rm. 4076, Silver Spring MD 20993, email:

China Hacked South Korea Over Missile Defense

Chinese state-backed hackers have recently targeted South Korean entities involved in deploying a U.S. missile-defense system, says an American cybersecurity firm, despite Beijing’s denial of retaliation against Seoul over the issue. In recent weeks, two cyberespionage groups that the firm linked to Beijing’s military and intelligence agencies have launched a variety of attacks against South Korea’s government, military, defense companies and a big conglomerate, John Hultquist, director of cyberespionage analysis at FireEye Inc., said in an interview. The California-based firm, which counts South Korean agencies as clients, including one that oversees internet security, wouldn’t name the targets.
View full story


Robots in the cloud: How robotics-as-a-service can help your business


Anyone who’s familiar with cloud computing might know about software-as-a-service, infrastructure-as-a-service, and other “as-a-service” delivery models. But they might not be aware of the latest iteration: robotics-as-a-service (RaaS).

RaaS also leverages the cloud, and makes it possible for organizations to integrate robots and embedded devices into the web and cloud computing environments. This capability will become increasingly important as robots become more common in work environments such as warehouses, distribution centers, and stores.

With RaaS, data captured by robots — such as customer preferences or inventory status — can be stored on a cloud-based system and retrieved as needed by human workers. This type of service can provide even more value if a company is operating a fleet of hundreds of robots, each performing a variety of tasks.

The RaaS provider could handle maintenance of the robots as well as integration between the robots and databases used across the enterprise. The advantages of this model, much like with cloud services in general, can include cost savings, easier management and scalability, and greater flexibility.

See also: How a burger-making robot named Flippy could impact fast food jobs (TechRepublic)

Currently the term “robotics-as-a service” is used to describe two separate robotics approaches, said Dan Kara, practice director for robotics at research firm ABI Research.

First there is RaaS as a technical method. Often referred to as “cloud robots,” it includes internet-connected robots using cloud-based, pay-as-you-go computational and data storage resources.

RaaS is also the term applied to business models where robotics systems are rented on a monthly or quarterly basis, often with technical support, real-time monitoring, and other services included.

Technical- and business-oriented RaaS approaches are often combined, Kara said.

The emergence of RaaS reflects the broader move to services-based models in technology.

“The general trend among many technology providers is a long-term migration away from selling products to selling services beyond the usual incremental revenue from support, maintenance and upgrades charges,” Kara said. “Services are recurrent revenue, and are looked on favorably by both technology providers and the investment community. Like the technology sector at large, suppliers of robotics technologies have adopted robotics-as-a-service business models and this trend is accelerating.”

Both users of robotics technologies and robotics suppliers benefit from RaaS business arrangements, Kara said. “Service-oriented solutions are not uncommon in the robotics sector, where the high cost of platforms and risk aversion to new technologies and applications can impede growth,” he said.

In addition, for some types of robotic systems a business model that relies on hardware sales is untenable, even if there are charges for maintenance, upgrades, customization and so on. There are also technical reasons for the RaaS approach, Kara said. For example, the computational resources available for a given robot might be inadequate for the task at hand. In this case, a cloud robotics approach might be suitable.

Robotics companies that employ a RaaS business model typically offer emerging technologies whose value proposition and total cost of ownership are largely unknown, Kara said.

Representative companies employing a RaaS business model include PrecisionHawk (drone-based surveying for agriculture), Knightscope (robots for security and surveillance), Aethon (mobile robots for healthcare logistics), InTouch Health (mobile robotic telepresence), and Liquid Robotics (unmanned underwater vehicles).


Arrest of Russian national in Spain NOT linked to US election hacking

The arrest of Pyotr Levashov, the St Petersburg-based Russian national apprehended in Spain this week, was not linked with the alleged ‘hacking’ of the US election by Russia, but rather with the programmer’s involvement in spamming.

Early reports from newswire Reuters had suggested that one of the reasons why Levashov was arrested was over claims that he was involved in the supposed hacking of the US election. Reuters, though, later rowed back on those claims, although not before they had been repeated in multiple reports on the arrest.

Levashov, according to security blogger Brian Krebs, is better known as ‘Severa’, a hacker moniker used in a number of Russian-language cyber crime online forums, where he was the linchpin connecting virus writers with spammers.

Indeed, Levashov is currently number seven in the Spamhaus list of the Top-10 worst spammers, and the US Department of Justice believes that Levashov has also worked with notorious US spammer Alan Ralsky, convicted of running pump-and-dump spam scams intended to inflate the meagre values of penny stocks in the US.

Krebs claims that Levashov “was responsible for running multiple criminal operations that paid virus writers and spammers to install ‘fake anti-virus’ software,” which mimics genuine anti-virus software, flagging false alerts about infections that can be solved by paying for a full licence for the fake software.

Krebs also links Levashov with the Waledac spam botnet, which used between 70,000 and 90,000 compromised computers to send as many as 1.5 billion spam emails every day. Microsoft took down the network in an operation in 2010.

Krebs is familiar with Levashov from the research he conducted into his book, Spam Nation: The Inside Story of Organized Cybercrime.

“Severa likely made more money renting Waledac and other custom spam botnets to other spammers than blasting out junk email on his own. For $200, vetted users could hire one of his botnets to send one million pieces of spam.

“Junk email campaigns touting auction and employment scams cost $300 per million, and phishing emails designed to separate unwary email users from their usernames and passwords could be blasted out through Severa’s botnet for the bargain price of $500 per million,” claimed Krebs.

And the only connection with so-called ‘election hacking’, suggested Krebs, is with the Russian presidential elections in 2012, where a botnet associated with Levashov sent emails linked to fake news suggesting that opposition candidate Mikhail Prokhorov, running against Vladimir Putin, had come out as gay.

The ease with which Levashov was apprehended by Spanish police at the behest of the US, and the relative impunity with which he has been able to operate at home, once again indicates links between Russian government figures and various forms of cyber crime.


Incident Response as “Hand-to-Hand Combat”

NSA Deputy Director Richard Ledgett described a 2014 Russian cyberattack against the US State Department as “hand-to-hand” combat:

“It was hand-to-hand combat,” said NSA Deputy Director Richard Ledgett, who described the incident at a recent cyber forum, but did not name the nation behind it. The culprit was identified by other current and former officials. Ledgett said the attackers’ thrust-and-parry moves inside the network while defenders were trying to kick them out amounted to “a new level of interaction between a cyber attacker and a defender.”


Fortunately, Ledgett said, the NSA, whose hackers penetrate foreign adversaries’ systems to glean intelligence, was able to spy on the attackers’ tools and tactics. “So we were able to see them teeing up new things to do,” Ledgett said. “That’s a really useful capability to have.”

I think this is the first public admission that we spy on foreign governments’ cyberwarriors for defensive purposes. He’s right: being able to spy on the attackers’ networks and see what they’re doing before they do it is a very useful capability. It’s something that was first exposed by the Snowden documents: that the NSA spies on enemy networks for defensive purposes.

It is interesting that another country first found out about the intrusion, and that they also have offensive capabilities inside Russia’s cyberattack units:

The NSA was alerted to the compromises by a Western intelligence agency. The ally had managed to hack not only the Russians’ computers, but also the surveillance cameras inside their workspace, according to the former officials. They monitored the hackers as they maneuvered inside the U.S. systems and as they walked in and out of the workspace, and were able to see faces, the officials said.

There’s a myth that it’s hard for the US to attribute these sorts of cyberattacks. It used to be, but for the US — and other countries with this kind of intelligence gathering capabilities — attribution is not hard. It’s not fast, which is its own problem, and of course it’s not perfect: but it’s not hard.

Friday Squid Blogging: Squid from Utensils

MarkH • March 25, 2017 8:15 AM

Authoritarian Attitudes Threaten Liberty and Privacy

Note: I was inspired to this by some comments on Bruce’s post about commenting … and judged that this squid-post would be more fitting. I apologize for lack of citations, time and energy being limited. Please pardon my America-centered perspective; the US is the country of my citizenship, has unmatched power to do good or harm abroad, and is in anxious straits.

Note 2: If you are offended by political commentary here, then for Pete’s sake either don’t read the following, or if you do, blame yourself!

1. By authoritarian, I mean an approach to government sacrificing individual liberty in favor of obedience to a strong central power (most often, a single person). Distilling to a few words, whereas enlightenment thinkers tended to favor a government of laws not men, authoritarians believe in government of men not laws — or rather, the Word of the Strong Man is the Law.

2. At least in those parts of the world with cultural traditions associated with Islam and Christianity, authoritarianism is plainly on the rise. Most impressively, it is rapidly gaining popularity in such countries as France and the USA, where (I would have supposed at least) traditions of political culture should have rendered it repugnant.

3. I’ve noticed that many writers have been using the words “autocratic” and “autocracy” in connection with Trump. Fortunately, the US system doesn’t lend itself to autocracy (yet, anyway), as the events of recent days plainly show. No doubt Trump would love to be an autocrat, but he already is — by temperament, predilection, style of leadership and self-concept — an authoritarian.

4. To what extent was Trump elected because of, or in spite of his authoritarian tendencies? We have interesting data on this, which dates back to before the US election. Psychology actually defines a sort of cognitive authoritarianism (preference for an authoritarian order of things), and offers a simple diagnostic which claims to measure it. In pre-election surveys, a high score on this test for authoritarianism was found to be the single best predictor that an individual would support Trump.

5. What I’ve been thinking about lately, is the extent to which Trump supporters in the US have expressed fury in the wake of his victory. They are the sorest winners I have seen! This was brought into focus by a recent meeting with old friends who I suppose consistently vote Republican. Though it was expressed rather mildly (they are very self-contained people), I got a distinct impression that they also were seething with resentment.

It seems that those who admire Trump are really deeply angry that the majority of their fellow citizens who didn’t want him, are not bowing down in adoring obeisance to their Lion-Maned Strong Man. I’ve been around a long time, and never saw this before in the wake of a US election. The essence of democracy is that a great many people don’t get their way a lot of the time, and that as a civil contract we must agree to disagree.

The apparent judgment by Trumpistas that protest (or even disapproval) is just WRONG, is the exact opposite of democratic spirit.

The simplest hypothesis I have found to account for this exceptional phenomenon, is an authoritarian outlook on the part of Trump’s admirers.

So what, if anything, does it all mean?

For those who care to look, the destruction of political rights (and civil rights, which necessarily come along for the ride) by Putin and Erdogan is plainly apparent. Any who care about individual liberty must prefer governments to be administered by those who cherish liberalism (in the classical sense).

Leaders who aspire to comparable heights of authoritarian triumph (Orban and Trump spring to mind) can be expected to wreak similar destruction, if allowed to run riot.

But these individuals are, I fear, only a symptom of the underlying poison: it lies in the populations, and their political cultures.

In my country, bleating acquiescence to the “Patriot Act” and a plainly contrived war of aggression showed the cancer at work more than a decade before the recent election.

Sadly, I don’t have remedies to propose (nor have I yet seen such from others). I write this to focus my thoughts, and perhaps to inspire the interest of others in this dread development.

Holy handsets, Batman! Gresso's take on the Nokia 3310 costs $3,000 – CNET



The people who brought you the $500,000, diamond-encrusted iPhone 7 are back, this time with a more true-to-the-original, titanium version of the darling of this year’s Mobile World Congress, the revamped Nokia 3310.

The new 3310 goes cheap — it’s 49 euros, which, directly converted, is about £40, $50 or AU$70 (or 2 euros if you buy the original on the black market) — in looks as well as price.

Gresso heads in the opposite direction, charging $2,990. It does improve on HMD’s resurrected model, with dual-SIM slots, a marginally higher-resolution camera and presumably a bigger battery given its rating of 722 hours standby and 75 hours talk time.

Its construction, Grade 5 Titanium alloy with a PVD coating, makes it extra durable, too. Gresso says it can withstand a 32-foot drop. Because when a supervillain’s henchman is hanging you out a window you don’t want to worry about your phone.

And unlike the other 3310, this one’s coming to the US soon. You have until May 1 to save your pennies.

Instant messenger Line working on a virtual assistant to topple Alexa – CNET


You may not have heard of it, but Line is one of the world’s biggest messaging apps. Now the Japanese company is getting into the AI game.

Line is teaming up with parent-company Naver, a South Korean search giant, to create an artificial intelligence platform called Clova. The company announced its plans at the Mobile World Congress conference in Barcelona.

Clova, named after an abbreviation of “Cloud Virtual Assistant”, will first launch with its own app and an Amazon Alexa-like smart speaker called Wave. The company says the platform will pack voice and facial recognition, as well as “understand complicated questions and make sophisticated recommendations.”

It’ll hit Japan and South Korea this summer, Line says, and expand internationally afterwards, though no timeline has been specified. Clova won’t just be in Line products though, with Sony Mobile on Clova-integrated products, according to Line.

Developed in the wake of 2011’s disastrous Tohoku earthquake and tsunami, Line is Japan’s biggest messaging app and has over 215 million active users around the world (and over 600 million registered). The company hopes to fill a void created by Amazon’s Alexa, which has popularised speaker-based personal assistants but isn’t yet widely available around the world.

VRP news from Nullcon

Over 800,000 user account details stolen from vulnerable forums running vBulletin

If you’re a member of an online forum, there’s a good chance that the site is running a piece of software called vBulletin.

The relative ease with which it’s possible to get a vBulletin forum up and running in a short period of time has made it a popular choice and made it, in its own words, “the world’s leading community software.”

But don’t make the mistake of thinking that just because a piece of software has been widely adopted that it’s a safe choice. Things get much more complicated when you realise that many vBulletin forums have been launched and then left to their own devices, disregarded by their admins who fail to keep on top of all-important security patches and updates.

This was brought home to me today when I read that a hacking gang claims to have broken into 126 vBulletin forums, and stolen the details of over 800,000 users and forum administrators.

The hack, which is thought to have taken place in the first two months of this year, saw 819,977 user accounts exposed – with details such as users’ email addresses and hashed passwords stolen.

When you consider just how many people make the mistake of reusing the same passwords for multiple sites, you begin to realise just how worrying it is that the data apparently include credentials associated with 219,324 Gmail accounts, 108,777 Yahoo accounts, and 121,507 Hotmail accounts.

You may not particularly care that the forum account you set up to discuss your escapades in the Call of Duty videogame has been compromised, but you surely will if that information leads to – say – your Gmail account being hacked by online criminals.

There has been a long history of poorly-secured vBulletin forums being “popped” by hackers, eager to suck up the credentials and personal information of users.

For example, last year vBulletin-powered chat forums belonging to Valve’s multiplayer fantasy game Dota 2 suffered a data breach, exposing the private information of 1.9 million accounts. A similar fate befell 1.6 million fans of the popular smartphone game Clash of Kings.

In 2015, users of the Epic Games forum found that their account passwords had been compromised, potentially also giving hackers access to members’ usernames, email addresses and dates of birth. The reason? The Epic Games forum was running an out-of-date and vulnerable version of vBulletin.

Similar security breaches previously impacted 1.8 million users of Ubuntu’s online forums, 860,000 users of the MacRumors forum, and – irony of ironies – vBulletin’s own forum.

Frankly, the list goes on and on…

vBulletin has long been targeted by online criminals who have exploited vulnerabilities in its code to trick it into spewing out information about forum users. Hackers have the tools at their fingertips to quickly identify which online forums are vulnerable to known vulnerabilities.

Unless website administrators wake up to the fact that they can no longer disregard the security of online forums, we will carry on hearing stories like this. If they do not keep software like vBulletin updated with the latest security patches, and put defences in place to reduce the risks of systems being breached and data being leaked, then they are putting customers’ privacy and security at risk.

Meanwhile, we regular users of the internet need to take greater care when we create online accounts – never reusing passwords, and taking care over the personal information we share when we register for an internet forum.

Prison for former sysadmin who hacked industrial facility and caused a million dollars worth of damage.

Are you a sysadmin who left your last job under a cloud?

My advice is don’t try and seek revenge by hacking into the company that fired you. You might end up with a lengthy prison sentence.

That’s the fate that has befallen Brian Johnson, who used to work as an IT specialist and system administrator at Georgia-Pacific, one of the world’s largest manufacturers of paper, pulp, tissue, packaging, building materials, and related chemicals.

Johnson, of Baton Rouge, Louisiana, has been sentenced to 34 months in a federal prison after being convicted of hacking into Georgia-Pacific’s paper mill at Port Hudson, Louisiana, to disrupt and damage the industrial facility’s operations.

The sorry story begins with Johnson’s employment being terminated on February 14, 2014, and his being escorted off the premises. That should have been the last time that Johnson had any access to Georgia-Pacific’s network, but despite being fired from his job he remotely accessed the plant’s computer system and sent commands that resulted in “significant damage to Georgia-Pacific and its operations.”

Within two weeks, the FBI were executing a search warrant at Johnson’s home, and noticed a VPN connection to Georgia-Pacific on his computer. Subsequent forensic analysis of Johnson’s computer revealed that it had been used to access the industrial facility’s system on a number of occasions after his dismissal.

For his part, Johnson admitted that he had accessed the plant’s computer system and deliberately transmitted “harmful code and commands”.

Johnson may have been fuming at losing his job, but that rage should never have been allowed to turn into an attack which now means he will be spending almost three years in prison.

In addition, a court has ordered Johnson to pay $1,134,828 in restitution to his former employer, $100 to the US government, and forfeit a variety of computer devices.

US Attorney Walt Green commented on the attack on Georgia-Pacific:

“This case is a powerful reminder of the very real threat and danger that businesses and individuals face from cyberattacks and other cyber-related criminal activity. Thanks to the victim’s quick response and cooperation with our office and the FBI—as well as the excellent work by the prosecutors and law enforcement agents assigned to this matter – we were able to stop Mr. Johnson’s malicious attacks and bring him to justice.”

I’ve warned before of the dangers posed by disgruntled IT staff bent on hacking the computer systems of their former employers.

The attack on Georgia-Pacific should remind all firms of the importance of regularly reviewing who has access to your network, resetting access rights and passwords when a member of staff leaves the company.

It should be impossible for disgruntled former staff to have any window of opportunity to cause damage or steal sensitive corporate information.

It’s not enough to escort someone off the company premises. You also need to consider whether they have access to log into your network remotely, and whether they might have company hardware and data in their possession at home.

Ensure that you have a solid defence in place, and that only employees with the correct authorisation can access confidential or sensitive information and systems. And when those authorised users are no longer authorised, their access rights should be revoked immediately.
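As an added example (not code from the article or from Georgia-Pacific), here is detection logic for the two checks above: reconcile an HR leaver list against directory accounts that are still enabled, and scan VPN authentication logs for any login by an account after its termination date. The log format, account names, addresses and dates are all constructed for the example.

```python
"""Flag remote access by accounts that should already have been revoked.

Added example, not from the original article. The HR export, the
directory listing and the VPN log lines below are all constructed;
the log format is invented and is not any vendor's real format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed HR export: account -> termination timestamp (ISO 8601).
LEAVERS = {
    "bjohnson": "2014-02-14T16:00:00",
    "asmith": "2014-01-31T17:00:00",
}

# Constructed directory snapshot of accounts that are still enabled.
ENABLED_ACCOUNTS = {"bjohnson", "cdoe", "ekim"}

# Constructed VPN authentication log (invented format).
VPN_LOG = """\
2014-02-13 09:12:01 vpn01 AUTH user=bjohnson src=203.0.113.10 result=SUCCESS
2014-02-14 15:30:44 vpn01 AUTH user=bjohnson src=203.0.113.10 result=SUCCESS
2014-02-16 22:05:19 vpn01 AUTH user=bjohnson src=198.51.100.7 result=SUCCESS
2014-02-20 03:41:02 vpn01 AUTH user=bjohnson src=198.51.100.7 result=SUCCESS
2014-02-21 08:00:00 vpn01 AUTH user=asmith src=192.0.2.44 result=FAILURE
2014-02-22 10:15:33 vpn01 AUTH user=cdoe src=192.0.2.9 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ AUTH "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    user: str
    when: datetime
    src: str
    result: str
    days_after_termination: float


def still_enabled_leavers(leavers: dict, enabled: set, as_of: str) -> list:
    """Accounts whose termination date has passed but are still enabled.

    This is the 'review who has access' check: anything returned here is
    a revocation that was missed."""
    cutoff = datetime.fromisoformat(as_of)
    return sorted(
        user for user, term in leavers.items()
        if datetime.fromisoformat(term) <= cutoff and user in enabled
    )


def find_post_termination_access(log_text: str, leavers: dict) -> list:
    """Every VPN auth event for a leaver that occurred after termination.

    Successful events are the damage window; failed events for a revoked
    account still mean someone tried, so both are returned with result."""
    term_dates = {u: datetime.fromisoformat(t) for u, t in leavers.items()}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in term_dates:
            continue  # unparsable line or account not on the leaver list
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        delta = when - term_dates[m["user"]]
        if delta.total_seconds() <= 0:
            continue  # access while still employed is expected
        findings.append(Finding(
            user=m["user"], when=when, src=m["src"], result=m["result"],
            days_after_termination=delta.total_seconds() / 86400,
        ))
    return findings


if __name__ == "__main__":
    print("still enabled:", still_enabled_leavers(LEAVERS, ENABLED_ACCOUNTS,
                                                   "2014-02-28T00:00:00"))
    for f in find_post_termination_access(VPN_LOG, LEAVERS):
        print(f"{f.user} {f.result} from {f.src} at {f.when} "
              f"({f.days_after_termination:.1f} days after termination)")
```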

Ex-NSA Contractor Facing Up to 200 Years in Prison


Harold Thomas Martin spent two decades amassing 50 terabytes of sensitive government data.

The Dodge Challenger SRT Demon is ready for launch – Roadshow


The latest teaser discusses torque multiplication, which will help it leap off the line at the drag strip.

Infocon: green


Microsoft February Patch Tuesday Now Rolled into March Update

Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World


In preparation for her keynote session at AppSec EU 2017 in Belfast, Shannon Lietz continues to explore the integration of DevOps and security. This is a recording of her session at RSAC 2017 in San Francisco.