Channel: security news – Cyber Parse – Cyber Security and Information Security

Why U.S. Government HTTPS-Only Mandate for Federal Sites Is Key

The U.S. government is taking a major step to secure its online assets with a new directive from the White House Office of Management and Budget (OMB) to run HTTPS-Only across all federal Websites. The HTTPS-Only directive, which Federal CIO Tony Scott issued June 8, mandates that all publicly accessible federal Websites be accessible only over a secure HTTPS connection by Dec. 31, 2016. HTTPS is the secured form of HTTP that layers Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption on top of data transport, and it is most commonly visible to end-users as the browser padlock. The Web as we know it today runs largely over plain HTTP, with all data sent in the clear: unencrypted and open to anyone to intercept and read. In the directive, the White House notes that a significant number of federal Websites have already deployed HTTPS, and the goal is to expand that adoption. That said, there is a cost to implementing HTTPS. "The administrative and financial burden of universal HTTPS adoption on all federal Websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time," the directive states. "OMB affirms that tangible benefits to the American public outweigh the cost to the taxpayer." HTTPS isn't just about encrypting data for its own sake; it is also about authenticity. With an HTTPS-secured Website, there is an associated SSL/TLS certificate that validates and affirms the identity and authenticity of a given site. Simply put, when users visit an HTTPS site with a validated certificate, they have a higher degree of assurance that the site they intended to visit is the site they are on. I personally have long been an advocate of Always-On SSL/HTTPS-Only approaches. In fact, I recently did an eSeminar sponsored by Geotrust on whether or not Always-On SSL makes sense for enterprises.
My conclusion is that an Always-On SSL/HTTPS-Only approach is the right thing to do—for many reasons that the U.S. government is now embracing as well. The Web by default is not secure. Basic HTTP Web transport provides no promise or expectation of privacy or authenticity. The promise of HTTPS is an encrypted Web with some form of validated identity for Website authenticity. Google, Facebook and Twitter have all embraced the idea as well; all three sites are already HTTPS-Only. For Google, the embrace of HTTPS-Only also extends to its search index, which, as of August 2014, uses HTTPS as a ranking signal. That is, Google may rank a site that is available over HTTPS higher in the search index than a site that is not HTTPS-Only. In the case of the government mandate, having HTTPS-Only for its sites will create a level of consistency across those sites. Users will come to expect and understand that if they hit a site that claims to be a government site but doesn't have HTTPS (and the associated browser padlock that it brings), the site's authenticity is questionable. "It is critical that federal Websites maintain the highest privacy standards for the users of its online services," Scott wrote in a White House blog post. "With this new action, we are driving faster Internet-wide adoption of HTTPS and promoting better privacy standards for the entire browsing public." I couldn't agree more. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Emails From Your Trusted Suppliers Can Be Very Bad For Business!

By David Parkinson, Strategic Development Manager, UK and Ireland for Wick Hill Woking, Surrey: 10th June 2015 - The term 'Trusted Supplier' says it all. It's a supplier that we have used before, perhaps over a period of time, and one that we trust. Ho...

xMatters Announces Updated Intelligent Communications Solution for Managing and Quickly Resolving IT Incidents

New Technology Addresses Complexity of Dispersed Global Teams and Infrastructures London, UK. - June 10, 2015 - xMatters, inc., a leader in communication-enabled business processes, today introduced innovative new functionality in the most advanced sys...

Syrian Electronic Army Took Aim at U.S. Army Website

The Syrian Electronic Army (SEA), a digital hacking group loosely aligned with the government of Syrian President Bashar al-Assad, is claiming responsibility for an attack against the Army.mil Website operated by the U.S. Army. The attack occurred on June 8 and was a defacement of the site that triggered multiple pop-up messages, including one that stated, "Your commanders admit they are training the people they have sent you to die fighting." The Army site was offline and unavailable briefly on June 8 and has since been fully restored. As of June 10, the Army site is fully operational, and there is no mention whatsoever on the public site that the incident ever took place. Although it's unclear at this time precisely how the attack occurred, there are a number of common attack vectors that the SEA and other attacker groups use to get control of a given domain. One common tactic is some form of Domain Name System (DNS) redirection, in which attackers gain access to a domain registrar and then change the DNS settings so the site points to a different IP address. That's what happened in the Lenovo site defacement earlier this year by the hacker group Lizard Squad. DNS redirection, however, apparently is not the root cause of the attack on the Army site, as far as publicly available records show. A Netcraft search for Army.mil shows that the domain has been at the same IP address since at least August 2014. The SEA itself claimed in a tweet that it somehow got control of the Army site via the Limelight Content Delivery Network (CDN). That claim has not been confirmed by any third-party source, including Limelight, at this time. SEA has been active in recent years going after multiple organizations, including Microsoft's Skype service in 2014, and attacks against media outlets, such as The Washington Post and The New York Times in 2013.
In The New York Times incident, DNS records were the attack vector the SEA used, while the Skype attack allegedly was executed via phished credentials. The simple truth is that there are a lot of different ways the SEA, or any attacker for that matter, could potentially get access to any Website. The U.S. government is now mandating the use of HTTPS-Only across all federal Websites, which is helpful, but there are other elements of Websites that need to be secured. Administrative passwords for content management systems and servers need to be monitored and guarded closely. Third-party resources, including DNS records, need to be protected as well. The watchword for Website security is, and will always be, "continuous vigilance." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Kaspersky Lab’s Own Network Hit by Cyber-Attack

Eugene Kaspersky, founder of Kaspersky Lab, reveals that the Duqu 2.0 nation-state-developed advanced persistent threat was in his company's network for months. Eugene Kaspersky, founder of Kaspersky Lab, is ...

Companies Not Confident They Can Secure Data, Foil Attacks

A new survey finds information-security capabilities are still not well developed and suggests that more mature teams may be less confident. Corporate information-security executives and managers lack confidence in their company's ability to fend off cyber-attacks and protect their customer and business data, according to a survey published on June 9 by security firm RSA. About three-quarters of the 400 companies polled by RSA considered their overall information-security capabilities to be average or below average, the company stated. The survey, which RSA branded as a Cybersecurity Poverty Index, found that about four out of every 10 companies considered their security program to be "functional"—the average rating—rather than "developed" or "advantaged"—the two higher ratings. Business size did not appreciably impact companies' ratings of their capabilities, with 83 percent of large companies and 79 percent of small companies considering their overall security to be "average," "deficient," or "negligent." "Relative to where people think they need to be, they are falling short," Zully Ramzan, CTO for RSA, told eWEEK. "The goal is, over time, to improve the index and have a baseline in place where people can compare their relative maturities." The research used an 18-question survey to gauge whether companies have the capabilities suggested by the Cybersecurity Framework, an effort by the U.S. National Institute of Standards and Technology to create guidelines for cyber-security programs. RSA researchers hoped to measure the relative maturity of information-security programs at a variety of companies and create an overall index to benchmark companies and industries. The five components of an information-security program include identifying threats, protecting information assets, detecting attacks, responding to incidents and recovering from compromises. 
Companies typically were most confident in their ability to protect their networks and data, with a third of respondents rating their ability to defend as "developed" or "advantaged." Organizations were least mature in their ability to respond to incidents, with 72 percent of companies rating their ability to effectively respond as "average" or worse. Yet the survey results are not clearly measuring maturity. Because the poll relies on self-assessment, a corporate manager's confidence in his or her own company's ability to protect the network and data, and catch attackers, is a major factor in responses. Some of the industries thought to be most mature—such as financial firms—have only an average maturity level according to the index. "Ignorance can be bliss when it comes to self assessment," Ramzan said. "Industries that are ahead of their peers tend to think themselves less ahead, because they understand the challenges." Perhaps the most interesting data point is that companies that reported more security incidents were also more likely to have mature information-security capabilities, according to RSA. Of the companies encountering at least 40 incidents in the last year, more than a third had the best two rankings for overall security capabilities. Of those that had 10 or fewer incidents, only 11 percent considered themselves to have mature information-security programs.

Adobe Flash Vulnerabilities, Ransomware on the Rise

In the world of online security, change is a constant as the exploit and malware landscape is continuously evolving, with attackers adapting to evade detection and defenses. Intel Security's McAfee Labs released its May 2015 Threats Report on June 9, d...

Exploit Kits Deliver Big Returns for Hackers

The Trustwave 2015 Global Security Report details the financial success attackers are achieving via exploit kits and how to avoid them. There are a lot of different ways that hackers can attack users and devices, but perhaps the easiest and most lucrative method is via an exploit kit. The new 2015 Trustwave Global Security Report reveals that hackers are getting an estimated 1,425 percent return on investment from exploit kit and ransomware campaigns. The report is based on 574 data compromises that Trustwave investigated. In contrast, Trustwave's 2014 report was based on 691 data compromises. There are a number of reasons why exploit kits are so lucrative for attackers. Karl Sigler, threat intelligence manager at Trustwave, explained that regular patching is a crucial component to preventing exploit kits from putting ransomware on user systems in the first place. "Exploit kits typically look for vulnerabilities in your Web browser or one of the browser's many plug-ins," Sigler told eWEEK. "If you keep your browser and plug-ins patched regularly, you should be immune to most exploit kits." Lack of patching is something that vendors have been highlighting over the years. In February, Hewlett-Packard reported that 44 percent of all breaches could be attributed to already-patched vulnerabilities that were between 2 and 4 years old. In addition to regular patching of system components and applications, antivirus technologies still play a role in limiting the risk of exploit kits and ransomware. Sigler explained that it is post-exploitation when the malware gets placed on the victim's computer. "Anti-malware technologies remain an important security control," he said. "When used as a gateway filter, they can often detect and strip out ransomware before it strikes." Trustwave's analysis also found that 98 percent of the applications it tested had at least one vulnerability in 2014.
Sigler noted that many of the applications scanned by Trustwave are custom Web applications, so the vulnerabilities were new to the client and patches needed to be developed. "In the case of COTS [Common Off-The-Shelf]-type applications, it was often the case of patches that had not been applied as opposed to the vulnerability being known about and then deprioritized," Sigler said. Application vulnerabilities and lack of patching are not the only paths to exploitation that Trustwave discovered. The company found that 56 percent of compromises were a result of weak passwords and weak remote access security. Looking specifically at point-of-sale (PoS) breaches, the number rises dramatically, with 94 percent of breaches attributed to weak passwords and weak remote access security. Looking to the future, Sigler noted that while it's still a little early for 2016 predictions, he believes that there may be an increase in malware-as-a-service models. "We've seen this in the Magnitude Exploit Kit, where rather than charge users, the criminals offer the service for free and take a cut on the back end," Sigler said. "I expect we'll see more of this type of model down the road." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

French Regulators: Google Must Apply ‘Right to Be Forgotten’ Globally

Google’s obligations under the European Union’s "right to be forgotten" mandate apply worldwide, France’s CNIL says. France's main data protection authority, CNIL (Commission Nationale de l'Informatique et des Libertés), has given Google 15 days to start applying the EU's "right to be forgotten" (RTBF) mandate to search results worldwide, or face potential sanctions. In a June 12 statement, CNIL said it has formally asked Google to start delisting links to search results on all of its domains worldwide when the company responds to RTBF requests from EU residents. Currently, Google applies the mandate only to search results that appear within the EU. If Google fails to comply within the specified period, the CNIL would consider imposing a sanction on the company, the data regulator warned. Google did not respond immediately to a request for comment. The RTBF mandate allows EU residents to ask Google and other search engine providers to remove links in search results pointing to articles about them that are inaccurate, incomplete, defamatory or outdated. The mandate stemmed from a lawsuit filed by a resident of Spain who wanted Google to remove links to two articles that he claimed were unfair and defamatory to his character. Google has agreed to abide by the mandate and claims that it has, in fact, accommodated tens of thousands of link-removal requests from EU residents. The company's Transparency Report shows that since the mandate went into effect in May 2014, Google has received more than 269,000 link-removal requests and evaluated close to 1 million URLs for removal. The company said it has acceded to link-removal requests in 58.7 percent of the cases while denying removal requests in the remaining 41.3 percent. Instances where Google has removed links include requests from people accused of serious crimes but later exonerated, from people jailed for petty crimes, or from rape victims.
One major sticking point, though, has been the manner in which Google has applied the mandate so far. The company has argued that RTBF only applies to search results that are visible to people inside the EU when they conduct searches using Google. When the company delists links in response to a RTBF request, it has done so only for links that are visible to users in Europe, while leaving links on its main Google.com domain intact. So while a user in Europe may not see a link to an offending article inside Europe, users in the rest of the world would still see it and be able to click on it. EU data regulators and privacy watchdogs have described the company's position as disingenuous and unhelpful and have been urging Google to apply the mandate in the spirit in which it was intended. Regulators meeting in Brussels last November considered a proposal that would extend Google's privacy obligations under RTBF to domains outside the EU. Recently, a group of 80 academics, law professors and researchers from several leading universities in Europe and the United States sent an open letter asking for more transparency from the company on its processes for agreeing to or rejecting RTBF requests. They have asked Google to provide more context around the quantity and quality of the links it has removed or refused to remove. Google itself has argued that laws like RTBF unfairly force search engine companies to make judgment calls on content posted online by others. It has argued that mandates like this can easily be misused to censor free speech if not applied carefully. In its statement Friday, the CNIL said it has received "hundreds of complaints" from people over Google's refusal to delist links in response to RTBF requests. "Following the assessment of the complaints, the CNIL has requested Google to carry out the delisting of several results," the CNIL said.
"It was expressly requested that the delisting should be effective on whole search engine, irrespective of the extension used (.fr, .uk, .com …)," it said in the statement. Though Google has granted some of the requests, it has only done so with respect to European extensions of the search engine and not when searches are made via Google.com or from other countries. "The CNIL considers that in order to be effective, delisting must be carried out on all extensions of the search engine and that the service provided by Google search constitutes a single processing." The latest French ultimatum adds to Google's woes in Europe. The Competition Office at the European Commission, which is responsible for ensuring fair trade practices in Europe, recently served Google with a formal "statement of objections" over the company's alleged anti-competitive behavior in Europe. Such statements of objections have typically been precursors to formal antitrust charges being filed against companies in Europe.

Rapid7’s IPO Filing Underscores Demand for Security Services

NEWS ANALYSIS: Money continues to flow toward companies like Rapid7, which focuses on penetration testing and recently announced new incident-response services. Security vendor Rapid7's June 11 S-1 filing for an initial public offering (IPO) is yet another indication of the intense demand for security services and the willingness of investors to pour money into security technologies. Rapid7's S-1 filing offers new visibility into the operations of the currently privately held company. In 2014, Rapid7 generated $76.9 million in revenue from its operations, up from only $31 million in 2011, but the company isn't currently profitable and recorded a net loss in 2014 of $32.6 million. Rapid7 aims to raise $80 million in the IPO. Previously, the company received $91 million in financing, including a $30 million Series D round announced in December 2014. The first time I ever actually heard of Rapid7 was back in 2009, when the company acquired the open-source Metasploit penetration-testing framework. HD Moore, the founder of Metasploit, is one of the most well-known and respected researchers working today, and is currently the chief research officer at Rapid7. When Metasploit first moved over to Rapid7, there were no commercial options. Now there are, with multiple editions and commercial support that enable enterprises and security researchers to get one of the most feature-rich penetration-testing platforms ever created. Penetration testing, that is, testing an organization's posture against known security threats and misconfigurations, is a critical exercise for all organizations. In fact, as part of the updated Payment Card Industry Data Security Standard (PCI DSS) 3.1 compliance requirements, organizations are required to have a robust penetration-testing program. The need for penetration testing is likely to help further drive Rapid7's business for years to come.
The other key driver for security revenue growth is the response side, which is an area that Rapid7 only recently entered. On March 3, Rapid7 announced new incident-response services to help organizations be better prepared for and respond to breach incidents. With the seemingly never-ending stream of publicly disclosed data breaches, there is a clear demand and need for incident-response services. It's an area that today is largely dominated by Mandiant, which FireEye acquired for $1 billion in January 2014. The promise of Rapid7 is not just about making money from security technology and services, but rather about helping organizations make attacks more expensive. "Our goal is to say how easy is it for you to be attacked and compromised systematically today and how [you should] make that more difficult and more expensive over time," Rapid7 CEO Corey Thomas told me in December 2014. "It's not a magic pill approach; it is a more managed state of security, but we think it is achievable." Security is not a static state; it's a dynamic, managed state of operations that requires a very sophisticated skill set. That's why Rapid7, and other security companies that will likely follow it, will continue to be a valued commodity for investors. The question for Rapid7, however, is how effective the company will be at differentiating itself and maintaining operational excellence in an increasingly competitive marketplace of security vendors. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

One in four consumers would share their DNA with their bank to secure financial and personal information, Telstra report finds

MONDAY 15 JUNE 2015, LONDON: A new report [1] from Telstra reveals the majority of consumers using mobile banking applications want their mobile devices to instantly recognise them via biometrics, such as fingerprint and voiceprint, instead of having to prove who they are with passwords and usernames. According to Telstra's "Mobile Identity - The Fusion of Financial Services, Mobile and Identity" report, with smartphones now the primary channel used by Gen X and Gen Y to access and manage their finances, expectations around how financial institutions manage mobile identity are being transformed. "For the last six months, we've spoken to consumers and banks all over the world, in an effort to understand how our relationship with our smartphone is affecting our relationship with our financial institutions," said Rocky Scopelliti, Global Industry Executive for Banking, Finance & Insurance, Telstra. "What we uncovered is that when it comes to mobile banking applications, consumers no longer believe in just the safety of passwords and usernames. "Instead, two-thirds of consumers think that using biometrics - such as voice, fingerprint, iris and facial recognition - would be more secure and help reduce the risks of fraud. "In fact, one in four consumers would even consider sharing their DNA with their financial institution, if it meant it would make authentication easier and their financial and personal information more secure," he said. According to the research, while factors such as interest rates and ease of accessing funds used to be the most important considerations when selecting a financial institution, today more than half of consumers cite the security of their finances and personal information as their top priority, together with their institution's reputation for security.

Despite this, the report found that only a third of consumers were 'very satisfied' with their institutions' authentication methods, with one third willing to pay an extra £11 per annum for more sophisticated mobile security measures. "Our research shows consumers are using their mobile banking applications in some really cutting edge ways, so they're expecting much more than ever before from their financial services providers in terms of security, innovation and functionality. "In fact, Gen X and Gen Y have become so dependent on their smartphones to access their financial services, that it's led to a behavioural state we are calling 'no-finapp-phobia' - the fear of being without financial applications," he said. In the UK, Nationwide and NatWest customers are the most satisfied with the identity and authentication methods offered and are, accordingly, the most likely to recommend them. In the US, USAA customers are the most satisfied with the identity and authentication methods offered and are, accordingly, the most likely to recommend them. "With our consumption of financial services intrinsically linked with the mobile device, our mobile identity is the key to unlock trust with our service provider. "For 'no-finapp-phobic' Gen X and Gen Y consumers it's time to create mobile identity solutions that instantly recognise them for who they are," Mr Scopelliti concluded.

For more information on Telstra's Mobile Identity - The Fusion of Financial Services, Mobile and Identity whitepaper click here: http://www.telstraglobal.com/mobile-identity.

Media contact: Cath Harris, +61 477 747 176, media@team.telstra.com

[1] About the research: By invitation, 318 executives from a cross section of financial services business types and roles across Asia Pacific, Europe and America participated in a survey. The research further includes a quantitative study, commissioned by Telstra, of 4,272 Gen X (1965-1979) and Gen Y (1980-1994) consumers of financial services in seven countries: Australia, Singapore, Malaysia, Indonesia, Hong Kong, the United Kingdom and the United States of America. The data set was weighted to be representative of each country's total population. The objective of this research was to understand attitudes towards identity and security between current financial services institutions and their customers. Additionally, we wanted to gauge local consumer perceptions of three mobile-based identity experiences and assess the potential impact of these on current behavioural patterns.

About Telstra: Telstra is the leading telecommunications and information services company in Australia. We provide end-to-end solutions including managed network services, global connectivity, cloud, voice, colocation, conferencing and satellite solutions. We have licenses in Asia, Europe and the US and offer access to over 2,000 PoPs in 230 countries and territories across the globe. Our extended reach means that we can offer customers smarter technology solutions to support sustainable business growth.

Source: RealWire

What General Catalyst VC Steve Herrod Is Investing In

VIDEO: Steve Herrod, managing partner at General Catalyst, discusses how his venture capital firm invests in security and where it's placing its big bets. There is no shortage of venture capital funds flowing ...

OPM Data Breach News Just Keep Getting Worse

NEWS ANALYSIS: The Office of Personnel Management may have suffered more breaches and lost more information than it previously acknowledged. The news about the data breach at the U.S. Office of Personnel Mana...

RiskIQ uncovers ‘app attack’ threat to high street brands

Consumers at risk from malicious mobile apps UK brands don't know about. LONDON, UK, June 16, 2015 - New research from RiskIQ, the Digital Footprint Security company, highlights the risks posed to UK organisations and their customers from unauthorised o...

Harbrick, Producer of Autonomous Vehicle Software Systems, Selects FlexNet Producer Suite for Software Monetisation

Flexera Software solution is critical to enable secure, flexible and reliable licensing, entitlement management and automated updates of Harbrick's Polysync software

Maidenhead, U.K. - June 16, 2015. Harbrick, maker of Polysync software - a universal operating system for Internet-Connected (Internet of Things) autonomous vehicle software systems - has selected Flexera Software's FlexNet Producer Suite as its Software Monetisation solution. FlexNet Producer Suite will provide automated software licensing and entitlement management capabilities, enabling Harbrick to safely, flexibly and reliably license Polysync to its customers and provide 24x7 customer self-service for managing the entire software license lifecycle. The solution consists of FlexNet Licensing for license management, FlexNet Operations Cloud for back-office operations and entitlement management, and FlexNet Connect for automated updates.

"Most application producers don't get how critical licensing and entitlement management is for revenue generation - we weren't going to make that mistake. If you do it right, you can plan for the future - ensuring the flexibility, change and scale that would otherwise be a disruption for the business and potentially anger users," said Josh Hartung, CEO at Harbrick. "Licensing technology is so complex and the environments in which our customers are running their vehicles are evolving so rapidly, it did not make sense for us to waste time developing our own license management solution - we needed the experts. Flexera Software is the clear leader in this space, and they have deep experience helping producers successfully monetise and protect their software applications."

PolySync offers a set of software tools and services that make it easier to build advanced autonomous vehicles. Harbrick founders saw an opportunity to develop Polysync when they realised their customers were spending excessive time and resources building back-end infrastructure software for their Internet-connected, autonomous vehicle systems. As a result, critical resources were being diverted away from core innovation and product development. Polysync was launched to eliminate that inefficiency via a software platform that manufacturers can deploy out-of-the-box to control their device sensors, communications, and control systems. In order to monetise Polysync, Harbrick needed a flexible software licensing and entitlement management system that could scale to accommodate a rapidly growing customer base with a broad spectrum of licensing, entitlement and update requirements.

Harbrick originally built its own patching and encryption tool, but quickly learned that it could not scale to accommodate a connected world with potentially millions of vehicles running local software. So the company sought a third-party Software Monetisation solution that was easy to use, that would meet its evolving needs, enable it to rapidly adapt to changing market requirements and give it credibility in the market.

Harbrick will use FlexNet Producer Suite to offer three tiers of licensing for its Software as a Service (SaaS) products - Polysync Basic, Plus and Pro. The company will also use the Flexera Software solution to offer 30-day "simulator" trials. When a customer requests a trial license from Harbrick, the software "phones home" to the FlexNet Operations Cloud, which issues the trial license. FlexNet Operations Cloud will also enable Harbrick to create a connected, self-service app store marketplace so that after expiration of the trial, customers can easily and seamlessly upgrade to Polysync Basic, Plus or Pro. The system will automatically manage the back-office entitlements, ensuring that Harbrick knows who its customers are, which versions of software they've paid for, and what their specific license rights are.

Security was also a critical factor weighing in favour of selecting Flexera Software's solution. "The need to issue updates is a regular occurrence in the software business - so being able to automatically push out security patches and fixes to our customers is critical," said Hartung. "FlexNet Connect's automated update capabilities will greatly simplify our ability to keep customers up to date on the software they've purchased - even as we grow and scale."

"The Internet of Things is creating enormous untapped revenue opportunities for software vendors and intelligent device manufacturers that are ready and able to harness best-in-class solutions to generate revenue, protect their intellectual property and manage the software licensing lifecycle of their customers," said Mathieu Baissac, Vice President of Product Management at Flexera Software. "We are delighted to welcome Harbrick as a Flexera Software customer and are looking forward to partnering with them as the company stakes a leadership position in the autonomous vehicle systems space. By building FlexNet Producer Suite into its go-to-market strategy, Harbrick will be well equipped to rapidly grow profits and market share, and pounce on new and emerging opportunities as they arise."

Resources: FlexNet Producer Suite is comprised of the following solutions: FlexNet Licensing, FlexNet Operations and FlexNet Connect.

About Flexera Software: Flexera Software helps application producers and enterprises increase application usage and the value they derive from their software. Our next-generation software licensing, compliance and installation solutions are essential to ensure continuous licensing compliance, optimised software investments and to future-proof businesses against the risks and costs of constantly changing technology. Over 80,000 customers turn to Flexera Software as a trusted and neutral source for the knowledge and expertise we have gained as the marketplace leader for over 25 years and for the automation and intelligence designed into our products. For more information, please go to: www.flexerasoftware.com.

About Harbrick: Harbrick is a robotics and engineering firm in beautiful northern Idaho. We are the creators of PolySync, an out-of-box operating system for autonomous vehicles. PolySync is a set of software tools and services that make it easy to build autonomous vehicles. It's like Android or iOS for cars - a massive plug and play ecosystem of sensors, actuators, computing hardware, and third party software. We handle the nuts and bolts like sensor drivers, data management, and fault tolerance while you write apps that make your vehicle do amazing things. Visit us at www.harbrick.com to learn how PolySync can help you.

For more information, contact: Vidushi Patel / Nicola Males, Vanilla PR, prflexera@vanillapr.co.uk, +44 7958474632 / +447976652491

Copyright © 2015 Flexera Software LLC. All other brand and product names mentioned herein may be the trademarks and registered trademarks of their respective owners.

Source: RealWire

Google Launches Bug Bounty for Android Running on Nexus Phones

Google announces it will pay for information on software flaws in the Android operating system, and more detailed reports will earn higher rewards.

Google will pay thousands of dollars to researchers who find and report vulnerabilities in the Android mobile operating system as part of a new bug bounty program announced by the company on June 16. The Android Security Rewards program builds on the format used in the company's well-known bug-hunting initiative for its Chrome Web browser. Software security researchers who find verifiable issues and disclose them by following the company's guidelines can earn up to $38,000 per issue. The program is part of the company's efforts to harden the Android platform, Adrian Ludwig, a lead engineer for Android security at Google, told eWEEK. "We think we are going to be able to raise the quality of all applications on the platform," he said. "We want to make sure that, as researchers are finding these coding issues, they are telling us about them." Rewarding researchers for vulnerabilities is not a new idea. In 1995, Netscape kicked off an initiative to pay programmers for finding bugs in its pioneering Web browser software. In 2002, Verisign iDefense created the first third-party program, offering to pay researchers for information on bugs in popular enterprise software. Now, companies such as HackerOne and Bugcrowd offer third-party services to create and manage vulnerability-reward programs. The Android Security Rewards program will be Google's third bug bounty initiative. The company has two other reward programs and paid out more than $1.5 million last year to researchers. Currently, Google pays for security vulnerabilities found in the Chrome Web browser under its Chrome Reward Program and the occasional Chromium competition. The Google Vulnerability Reward Program (VRP), its second bounty program, pays prize money to researchers who find flaws in the company's Websites, including Google.com, YouTube.com and Blogger.
With its latest bug bounty, the company will increase its payout to flaw finders for more detailed vulnerability submissions. The prizes start at $500 for a moderate issue, $1,000 for a highly severe issue and $2,000 for a vulnerability considered critical. If the researcher also provides a patch, a way to test for the issue, or a workable way of exploiting the flaw, he or she will get more money. Finally, if the researcher can show that the vulnerability can be exploited remotely or break into the TrustZone (a systemwide security approach), additional bonuses will be paid. "The highest [amount] in terms of paying out [for] a single issue—if they provide the bug, and a patch, and a test, and an exploit chain—that adds up to $38,000," Ludwig said. "We want to really give people an incentive to find these issues." Initially, the program will apply only to the latest version of the Android operating system running on Google's own phones, the Nexus 6 and Nexus 9, the company stated. The company will not pay for bugs that merely crash an application or attempt to fool the user into clicking on a dialog box, such as social engineering or tapjacking. In addition, the complexity of exploitation will also be a factor in determining whether an issue qualifies for a bounty, the company said.

Watchful Software Adds Cisco Executive Greg Akers to Board of Directors

Industry luminary brings depth in technology and market expertise to growing industry leader for data-centric security

Medford, NJ, June 16, 2015 - Watchful Software, a leading provider of data-centric information security solutions, today announced the...

Trustwave Weighs In on Self-Detected, SSL/TLS Vulnerabilities

Security specialist Trustwave, in its latest report, provides insights from 574 security incidents the company investigated. Surprisingly, 98 percent of the applications the security specialist scanned had at least one vulnerability. Secure Sockets Lay...

Password Management Service LastPass Gets Hacked

After the data breach of LastPass (which claims no user data was stolen), security experts discuss the merits and the risks of using password managers. Password security vendor LastPass publicly admitted on Ju...

Microsoft’s Azure AD Sniffs Out Leaked User IDs and Passwords

Microsoft's Azure Active Directory Premium now alerts administrators when their users' passwords are being circulated around the dark corners of the Internet.

Microsoft's Azure Active Directory (AD) Premium, the software giant's cloud-based user identity management platform, is on the lookout for leaked credentials that potentially could gain hackers a foothold in their networks and lead to a bigger security headache. David Howell, partner group program manager for the Identity and Security Services division at Microsoft, announced late Monday that his group has rolled out a new reporting option named simply Users with Leaked Credentials. Currently in preview, the feature lists users whose usernames and passwords have somehow slipped out of their grasp. Leaked username and password combos are a major source of aggravation for businesses. "In aggregate, [tens] of millions of credentials are exposed every month," blogged Howell. "Bad actors collect, sell, and share large lists of user account credentials from these breaches." Since folks often reuse the same password across several services, one set of credentials can act as a master key, of sorts. "Because three out of four users re-use credentials across multiple sites, there's a good chance that your users' credentials are in those lists," Howell cautioned. To help businesses avoid spilling their secrets or other valuable information, Microsoft has been trawling the Web for the telltale signs of leaked passwords. "As part of running our consumer and enterprise identity systems, Microsoft discovers account credentials posted publicly and we are making this information available to you so you can protect your enterprise when your users' account credentials are at risk," revealed Howell. With this information in hand, Microsoft is now automatically alerting Azure AD Premium customers of the potential harm that can come to their environments.

"The report surfaces any matches between these leaked credentials list and your tenant," he said. Once clicked, the report displays "the users we've found and when we discovered the leaked credentials," Howell said. To prevent a possible breach, he advises customers to implement multifactor authentication, a feature offered in Azure AD. Companies are increasingly relying on multifactor authentication, which augments user IDs and passwords with an additional verification method, such as a code delivered to a smartphone as an SMS or via an authentication app. In February, Apple extended its two-step authentication process to iMessage and FaceTime after rolling out the feature to iCloud. Microsoft Azure AD has supported multifactor authentication since 2013 by way of the company's Active Authentication mobile app, a phone call or text message. Since then, the company has added the capability to several Office 365 plans. Additional layers of password security help, but Howell also advocates user education. "Make sure your users have read and are following your corporate IT policies," he suggested. Administrators can throw another wrench into hackers' plans by giving passwords an expiration date, forcing users to update their credentials periodically. He noted that "enforced password expiration can reduce the amount of time a leaked credential remains viable," giving intruders a limited window in which to stage an attack.