Channel: security news – Cyber Parse – Cyber Security and Information Security

While the Scare Fell Flat, XcodeGhost Tale Holds Lessons

NEWS ANALYSIS: Security firms jumped on the news of XcodeGhost earlier this month, but the attack affected mostly China and was blunted by Apple's security efforts.

The message started appearing in Chinese developer forums about six months ago: A high-speed download site for Apple's latest Xcode development environment was now available. Because the hefty 3.6GB free software package often slowed downloads in China, many developers took advantage of the link, which sent them to a page that listed all recent versions of Xcode, from 6.0.1 to 7, according to an analysis by network security firm Palo Alto Networks.

Yet the software was not what it seemed: Malicious attackers had embedded a Trojan horse into many of the programs. Any program built with the infected software would collect information on the iOS device on which the app ran and send that information to a command-and-control server. The attack resulted in a large number of infected applications—reportedly more than a thousand—invading the Apple App Store in China. In addition, some internationally popular programs—such as WeChat, which boasts 500 million users—were infected by developers using the compromised Xcode package.

In the end, the attack showed that developers are now seen as a step along the path to targeting hundreds of millions of mobile users, Ryan Olson, director of threat intelligence for Palo Alto Networks, told eWEEK. "I think it should be a wake-up call for developers," he said. "If the eventual goal is to infect users' systems, then developers have become a really important step to getting to that. You have a big target on your back, all of the sudden."

The attack could have been worse. While millions of users likely downloaded infected applications, the software merely could have leaked users' information, and it is unclear whether it did. In addition, when developers patched their programs, and users updated, the malicious code disappeared along with the older version of the apps.

"We have no information to suggest that the malware has been used to do anything malicious or that this exploit would have delivered any personally identifiable information had it been used," Apple said in a statement. "We're not aware of personally identifiable customer data being impacted, and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords."

Trusting the Compiler Is Hard

Yet while XcodeGhost turned out to be a less-than-tangible threat, the attack provided some tangible lessons for consumers, developers and Apple. Developers have to take the security of their tools, both hardware and software, more seriously. "It is definitely a supply-chain issue," said Palo Alto's Olson. "If you can't trust your tools, you cannot trust what you produce."

Compiler malware is not new. The concept dates back at least to a 1974 Air Force security review of the Multics operating system that discussed the possibility of a compiler "trap door" that could "survive even a complete recompilation of the entire system." Ken Thompson, the co-creator of Unix, made the concept even more famous in his 1983 Turing Award acceptance lecture "Reflections on Trusting Trust," when he described a way to insert a backdoor into programs by infecting the popular C compiler. Because the C compiler is compiled by the previous version of the compiler, a properly executed attack would not appear in any source code, but would simply propagate to any program built by the infected C compiler, including the next version of the compiler itself.

"The moral is obvious," Thompson wrote in a 1984 article based on the lecture. "You can't trust code that you did not totally create yourself. … I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader or even hardware microcode."
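The practical lesson of the XcodeGhost story is that a toolchain fetched from a mirror must be checked against something the vendor published out of band before it is installed. The following is an added example, not code from the article or from Apple or Palo Alto Networks: a streaming SHA-256 verifier that pins a downloaded archive to an expected digest. The package contents, file names and the "published" digest are constructed for the demonstration.

```python
"""Download-integrity check for a build toolchain archive.

Added example (not from the article): a developer who fetches a large
package such as Xcode from a mirror refuses to install it unless its
digest matches the value published on the vendor's official channel.
The sample archives and the pinned digest below are constructed here.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-gigabyte archive never
    has to be loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_hex):
    """Return True only if the file's SHA-256 equals the pinned digest.

    The pinned value must come from the vendor's own channel (for example
    the official download page over HTTPS), never from the mirror that
    served the file, otherwise a tampered mirror can publish a matching
    digest for its tampered archive.
    """
    actual = sha256_file(path)
    # Constant-time comparison; not strictly needed for a public digest,
    # but it keeps the habit of never comparing secrets/digests with ==.
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo():
    """Build two constructed 'archives' and check both against one pinned
    digest: the genuine copy passes, a copy with one appended byte fails.
    Returns (genuine_ok, tampered_ok)."""
    genuine = b"constructed stand-in for a toolchain archive\n" * 2000
    tampered = genuine + b"\x00"  # a single extra byte is enough to fail
    with tempfile.TemporaryDirectory() as workdir:
        good_path = os.path.join(workdir, "toolchain.xip")
        bad_path = os.path.join(workdir, "toolchain-from-mirror.xip")
        with open(good_path, "wb") as f:
            f.write(genuine)
        with open(bad_path, "wb") as f:
            f.write(tampered)
        # Stand-in for the digest the vendor would publish out of band.
        pinned_digest = sha256_file(good_path)
        return (verify_download(good_path, pinned_digest),
                verify_download(bad_path, pinned_digest))


if __name__ == "__main__":
    genuine_ok, tampered_ok = demo()
    print("genuine archive verified:", genuine_ok)
    print("tampered archive verified:", tampered_ok)
```

A digest check only tells you the archive is the one the vendor published; it says nothing about whether the vendor's own build is trustworthy, which is exactly the gap Thompson's lecture describes. For Xcode specifically, Apple's signed package can additionally be validated with its code-signing tools (Apple's guidance after XcodeGhost was to run `spctl --assess --verbose /Applications/Xcode.app`), which checks the signature rather than a hash you copied by hand.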

EMV Switch This Week Could Threaten Many Businesses in U.S.

NEWS ANALYSIS: Despite years of warnings, a large percentage of U.S. businesses aren't ready for the switch to EMV cards, and many don't even know about it. The long-awaited credit card liability shift happens...

New DCA Certification awarded to Datum FRN1 Data Centre

FARNBOROUGH, 29 September 2015 – Datum Datacentres, the Farnborough-based provider of ultra-secure, high-resilience co-location data centres, today announced that Datum FRN1* has been approved by the DCA Certification Board as a Fully Operational Class 3 Data Centre.

In the diverse world of data centre provision, the DCA Certification scheme was launched to provide prospective buyers with a range of usable standards for meaningful insight into a data centre's fitness for purpose relating to business role, environmental impact, management culture and reliability. Starting from the recognition that not all organisations have the same requirements and priorities, the independently audited scheme identifies not just a data centre's resilience class but also the physical security of the site, its energy efficiency strategy and operational professionalism. Based on the international data centre standard BS EN 50600, the categorisation is intended to help clients select the appropriate category for their needs.

Receiving the award from Steve Hone, Operations Director of the Data Centre Alliance, Datum Datacentres Managing Director Dominic Phillips today said: "Datum is delighted to be an early participant in the newly launched data centre certification scheme and to be awarded Fully Operational Class 3. From the outset we designed our data centre to provide a robust, resilient and highly secure co-location service, and built on that design with the people, processes and technology to fully support that intention. By helping determine whether the client needs and risk profile will be met by the data centre, the DCA scheme will enable more informed decisions, ensure that the overall operation matches the published intent and will create a better match to support long term partnerships."

Speaking on behalf of the DCA, Steve Hone added: "I am delighted that the DCA Data Centre Certification Accreditation Board has agreed with all the recommendations made by the independent approved auditors, Keysource, to certify and award the Datum Datacentres facility located in Farnborough with a Fully Operational Class 3 Certification. We look forward to the broader adoption of the certification scheme across the industry, providing end-users with a clear verification of a data centre's ability to meet an organisation's business goals and needs."

*FRN1 – Ground Floor Datum Datacentres Ltd Farnborough has been approved as a Fully Operational Class 3 Data Centre

About Datum

Datum provides highly secure and resilient carrier and cloud neutral co-location data centres to enterprises and service providers. As part of the Attenda IT Services group, delivering always-on availability, robust security and enterprise class service is hard wired into our operations. Our data centres are trusted as secure environments for content, data and business critical IT to connect with a neutral choice of networks and cloud service providers.

Datum FRN1 has capacity for more than 1,000 co-location racks within a high security campus in Farnborough, which is fast developing as a strategic London-edge data centre hub. The facility incorporates a pressurised free-air cooling design that delivers enhanced environmental efficiencies and supports high density computing to 30kW per rack as standard. Always-on availability is supported by resilience in both design and operations, underwritten by a 100% uptime SLA with helpdesk and remote hands services which are available 24x365.

www.datum.co.uk

Press Contact:
Lexie Gower
T: 0845 5680123
E: lexie.gower@datum.co.uk

Source: RealWire

ATM malware found in the wild

GreenDispenser malware cuts out the middleman in banking cyber fraud – enables attackers to directly drain banks' cash machines

Thales and Ponemon Institute research reveals failure of PKIs to follow best practices

Commonly observed practices threaten to undermine trust for core enterprise applications

PLANTATION, Fla., September 29, 2015 - Thales, a leader in critical information systems and cybersecurity, announces the publication of its 2015 PKI Global Trends Study. The report, based on independent research by the Ponemon Institute and sponsored by Thales, reveals an increased reliance on public key infrastructures (PKIs) in today's enterprise environment, supporting a growing number of applications. At the same time, however, there is a general lack of clear PKI ownership, as well as a lack of resources and skills to properly support them. Current approaches to PKI are fragmented and do not always incorporate best practices, indicating a need for many organizations to apply increased effort to secure their PKI as an important part of creating a foundation of trust.

More than 1,500 IT and IT security practitioners were surveyed in ten countries: United States, United Kingdom, Germany, France, Australia, Japan, Brazil, Russian Federation, India and Mexico, with the aim of better understanding the use of PKI within organizations.

News facts:

- The most significant challenge organizations face around PKI is the inability of their existing PKIs to support new applications (63 percent of respondents said this).
- Only 11 percent of respondents say there is accountability and responsibility for PKI and the applications that rely upon it.
- A large percentage of respondents said they had no revocation techniques.
- Cloud-based services are the most significant driver for PKI-based application adoption.
- The level of visibility, influence and/or control over the applications that consume certificates managed by their PKI is minimal.
- There is a significantly higher use of weaker security techniques like passwords (53 percent) than there is of strong authentication mechanisms such as Hardware Security Modules (HSMs) (28 percent).
- The top three places where HSMs are deployed to secure PKIs are issuing certificate authorities together with offline and online root certificate authorities.

Dr. Larry Ponemon, chairman and founder of The Ponemon Institute, says: "On average, companies today are using their public key infrastructure (PKI) to support seven different applications. While the results of this study demonstrate some use of best practices, including strong authentication and hardware security modules, they also reveal that lower security options like passwords are still prevalent - which is concerning in light of the increased dependency on PKIs today."

John Grimm, senior director, Thales e-Security, says: "An increasing number of enterprise applications are in need of certificate issuance services, and many older PKIs are not equipped to support them. As organizations undertake a PKI upgrade cycle to support new applications and capabilities, many will look to improve the trust of their PKI by using HSMs to protect private keys for offline root certificate authorities as well as online issuing certificate authorities. Thales has decades of experience providing HSM-based PKI solutions, and runs a dedicated PKI Consulting Service to help businesses design and deploy world-class self-managed PKIs that build trust at the infrastructure level."

Download your copy of the new 2015 PKI Global Trends Study

To learn more about Thales PKI Consulting Services, visit www.thales-esecurity.com/pki-experts

For industry insight and views on the latest key management trends check out our blog www.thales-esecurity.com/blogs

Follow Thales e-Security on Twitter @Thalesesecurity, LinkedIn, Facebook and YouTube

About the Ponemon Institute

The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About Thales e-Security

Thales e-Security is a leading global provider of trusted cryptographic solutions with a 40-year track record of protecting the world's most sensitive applications and information. Thales solutions enhance privacy, trusted identities, and secure payments with certified, high performance encryption and digital signature technology for customers in a wide range of markets including financial services, high technology, manufacturing, and government. Thales e-Security has a worldwide support capability, with regional headquarters in the United States, United Kingdom, and Hong Kong. http://www.thales-esecurity.com/

About Thales

Thales is a global technology leader for the Aerospace, Transport, Defence and Security markets. With 61,000 employees in 56 countries, Thales reported sales of €13 billion in 2014. With over 20,000 engineers and researchers, Thales has a unique capability to design and deploy equipment, systems and services to meet the most complex security requirements. Its unique international footprint allows it to work closely with its customers all over the world.

Positioned as a value-added systems integrator, equipment supplier and service provider, Thales is one of Europe's leading players in the security market. The Group's security teams work with government agencies, local authorities and enterprise customers to develop and deploy integrated, resilient solutions to protect citizens, sensitive data and critical infrastructure. Drawing on its strong cryptographic capabilities, Thales is one of the world leaders in cybersecurity products and solutions for critical state and military infrastructures, satellite networks and industrial and financial companies.

With a presence throughout the entire security chain, Thales offers a comprehensive range of services and solutions ranging from security consulting, intrusion detection and architecture design to system certification, development and through-life management of products and services, and security supervision with Security Operation Centres in France, the United Kingdom and The Netherlands.

Media Contacts:
Dorothée Bonneil
Thales Media Relations - Security
+33 (0)1 57 77 90 89
dorothee.bonneil@thalesgroup.com

Liz Harris
Thales e-Security Media Relations
+44 (0)1223 723612
liz.harris@thales-esecurity.com

Source: RealWire

Rackspace Enters Managed Security Market

Rackspace debuts new Managed Security and Compliance Assistance services that build security into hosting and the cloud.

Rackspace is debuting new Managed Security and Compliance Assistance services today in a bid to help improve its customers' security. "Rackspace has always had a focus on security, but we used to draw a line, where our customers were responsible for implementing security solutions on their own after a certain point," Perry Robinson, vice president and general manager of Managed Security at Rackspace, told eWEEK. "We have strong security around the data center and our operations, but we left it up to customers to protect their own environments."

Robinson said that organizations have been asking for more help in security, which is why Rackspace is now launching the managed security services. The services package together Rackspace's hosting with security.

Jarret Raim, head of Strategy and Operations, Managed Security at Rackspace, explained that from a technology perspective, Rackspace is using a triple stack that includes host- and network-based protection platforms as well as security analytics. A primary goal of the stack is to help reduce the time it takes to detect and then remediate an infection or security breach incident.

Rackspace is partnering with multiple security vendors as part of its triple stack. The Falcon platform from CrowdStrike (which recently closed a Series C round of funding, bringing in $100 million) is being used for the host-based security, Raim said. Log management is done via a partnership with Alert Logic. And on the network side, Rackspace uses tools from several vendors, including LogRhythm and AlienVault. One thing that isn't part of the base managed security package is Web Application Firewall (WAF) technology. That said, Raim noted that Rackspace has additional security components that customers can add to their service as needed.

Distributed denial-of-service (DDoS) protection is another optional capability that Rackspace has available for customers, by way of partnerships with Arbor Networks, Akamai, Incapsula and CloudFlare.

The other new service is Rackspace Compliance Assistance, used to determine and identify when an organization deviates from its baseline. "The technology is real-time monitoring of compliance issues on customer hosts," Raim explained. "So we look to see if a host is in compliance, and if it slides out of compliance we will know in a short timeframe."

The overall goal of the Compliance Assistance service is to help improve the security posture of customers. Raim emphasized that security isn't just about always trying to prevent 100 percent of all attacks. Rather it's also about being able to respond quickly when security incidents do occur. "The Compliance Assistance effort is about making it harder for an attacker to get into an environment in the first place," Raim said. "It's about making it more difficult and costly for an attacker to mount an attack against a business."

While Rackspace is now providing more security capabilities to its customers, one key element that isn't provided is a guarantee that they won't get breached. The idea of security guarantees is a new one and is offered by WhiteHat Security, which will refund a customer if they are hacked and pay up to $500,000 in breach-related costs. Robinson said that Rackspace is not getting into the breach insurance marketplace, though he noted that it will provide its customers with guidance on insurance policies. "We can help to reduce the chance of a cyber-attack, and we can help to respond to an attack more rapidly, but we can't make a commitment to keep bad things from happening altogether," Robinson said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Keeper Brings ‘Zero Knowledge’ Password Manager to the Enterprise

VIDEO: The co-founders of Keeper Security discuss their platform and why when it comes to passwords, the less they know, the better. In the world of security vendors, Keeper Security is somewhat of an anomaly....

Sloppy Remote-Access Trojan Operators Show Up in Internet Scans

Researchers use Internet scans to find hundreds of home computers managing remote-access Trojans, potentially revealing the software operators' IP addresses.

Cyber-criminals who misconfigure their management nodes for commodity remote-access Trojans (RATs)—software used to monitor and control other computers—can be detected by simple Internet scans, possibly revealing the operator's location, according to research published on Sept. 29 by data-analysis firm Recorded Future. The company used the automated scanning service Shodan to search the Internet for default communication ports left open by six different families of Trojans, finding more than 600 likely installations of the RATs in a week, the company stated in its report.

The cyber-criminals and digital Peeping Toms who frequently use commodity remote-access Trojans, and who do not change the default port on the software, have made it easy to identify the systems and their IP addresses, Levi Gundert, vice president of threat intelligence for Recorded Future, told eWEEK. "They are installing these remote-access Trojans, and as soon as they install it, there is an open port on their system that we can scan for," he said. "And when the system responds, it sends a unique text string, so it is highly unlikely that you are looking at a false positive."

While more sophisticated attackers will change the port number or, more likely, host the management console on a remote system, the study shows that some less technical criminals could be identified by law enforcement. Many of the Internet addresses appear to come from residential networks, Gundert said. "A significant portion of RAT operators are installing them at home; it is not every instance, but we see that happens quite a bit," he said.

The study sought out signs of six popular commodity RATs: BlackShades, DarkComet, NetBus, Poison Ivy, XtremeRAT and njRAT. Those remote-access Trojans continue to be popular choices of cyber-criminals, espionage agents and other malicious online actors, Recorded Future said.

By scanning the Internet, businesses and security firms can create a list of Internet addresses that can then be investigated or blocked. Less than a quarter of the IP addresses linked to the software had been previously discovered by security researchers and added to VirusTotal, an online database of malicious code and IP addresses run by Google.

Interestingly, a significant number of RAT management consoles, or clients, are located in the Middle East, the report stated. While attribution remains tricky, operators in Algeria, Syria, the United Arab Emirates and other Middle Eastern nations have little reason to worry about prosecution, Gundert said. "They don't care about the effects of attribution," he said. "There is one host that is running Dark Comet in Syria." XtremeRAT and njRAT are popular in the Middle East, while Poison Ivy has traditionally been used by Chinese cyber-spies. Overall, DarkComet is the most popular RAT, the study found.

Italtel Renews Network Products And Enters Intel® Network Builders Program

Milan, Italy, September 30, 2015 - Italtel, a leading telecommunications company in next generation networks and services and IP communication, today announced it has joined the Intel® Network Builders program as part of an overall project for refactoring its existing network products, including the NetMatch Session Border Controller (SBC), IMS Core Suite, iRPS Routing and Policy Server and Embrace WebRTC solution.

The entry into the program, combined with the refactoring of network products, which included the implementation of Virtualized Network Functions (VNFs), will improve Italtel's proprietary products portfolio and enhance its proposed network solutions. Italtel's collaboration with Intel Network Builders also aims to contribute to accelerating innovation in Software Defined Networking (SDN) and Network Functions Virtualization (NFV) solutions.

Intel Network Builders is an ecosystem of leading solutions providers which provides access to a comprehensive reference architecture library of proven solutions ready for implementation in production environments. It is designed to build and simplify SDN infrastructure, enhance security and improve efficiency in networking, computing and storage.

"We are pleased to be part of this program which will improve our proprietary products portfolio and enhance proposed network solutions," said Federico Descalzo, Vice President and Chief Marketing Technology Officer at Italtel. "The collaboration with the Intel ecosystem means we have access to the best available technologies. This is a great opportunity to accelerate the adoption and deployment of NFV and SDN solutions."

Earlier this year, Italtel supported Vodafone's NFV and SDN strategy, called Telco over Cloud, and its implementation in Vodafone Germany, via a partnership with Cisco, in a large network evolution program.

Italtel's use of VNFs, operating on both the control and user plane, gives an equivalent performance to physical network functions, while newly installed network solutions, based on Voice over LTE, VoWiFi or WebRTC technologies, provide multimedia services which guarantee high throughput, high reliability and security. "Another key focus for us is maintaining agility and flexibility when optimizing NFV/SDN solutions," added Descalzo.

For more information on Italtel and the Intel Network Builders program, please see networkbuilders.intel.com/ecosystem/italtel

***

Italtel

Italtel designs, develops and implements solutions for NGN and NGS; Professional Services dedicated to the design and maintenance of networks; IT System Integration Services; Network Integration and migration activities. Italtel counts among its customers more than 40 of the world's top TLC Operators and SPs. In Italy Italtel is also a reference partner of Enterprises and the Public Sector for the deployment of IP Next-Generation Networks and for the development of multimedia convergent services for their customers. Italtel is present in many countries including France, UK, Spain, Germany, Belgium, Poland, United Arab Emirates, Argentina, Brazil. www.italtel.com.

For more information
Italtel Communications
Laura Borlenghi
Tel: +39 02 4388 5275
Mobile: +39 335 769 4240
E-mail: laura.borlenghi@italtel.it

Source: RealWire

Rampant Employee Use of Cloud Storage Services Placing Business Data at Risk

WinMagic survey reveals businesses struggling to catch up to cloud storage revolution

KEY FINDINGS:

- 65% of employees don't have or don't know the company policy on cloud storage
- 1 in 10 employees who use cloud storage services at least once a week have no confidence in the security of their data saved and accessed from the cloud
- Cloud storage use varies widely - 41% use cloud services at least once a week, whilst 42% never use these services at all
- 1 in 20 employees who use cloud services at least once a week do so despite these services being restricted by their company

London, UK - 30 September 2015 - UK companies are placing themselves at risk of cyberattacks and data breaches as a result of rampant use of cloud storage services and unclear or non-existent corporate policies, according to research released today by WinMagic Inc. The survey, conducted by CensusWide, of 1,000 office workers in organisations of 50 or more employees revealed that widespread, and often unilateral, employee use of cloud storage services could be leaving businesses with poor visibility of where their data is stored, placing potentially confidential data at risk.

WinMagic, a leading full disk encryption software provider, revealed that over 41 percent of employees use cloud storage services at least once a week. Despite this widespread adoption by workers across the UK, just 35 percent of employees used a company sanctioned service, whilst 43 percent were unaware of their employer's policy on the use of these services. In addition, of those that use cloud storage at least once a week, 1 in 10 have no confidence in the security of their data.

Darin Welfare, EMEA VP at WinMagic, said: "This survey highlights the challenge businesses face when managing data security in the cloud. IT teams have had to cede a level of control as employees have greater access to services outside corporate control and this research indicates that IT must take additional steps to protect and control company data in this new technology landscape. The wide range of employee adoption of these services also means an additional layer of complexity when devising corporate policies and education programmes for the use of cloud storage services."

Employees are increasingly accessing work documents and services outside the office, particularly among regular users of cloud storage. The survey revealed 70 percent of employees who use cloud storage at least once a week will also use work equipment at home at least once a week, significantly higher than the UK average of 47 percent.

The WinMagic survey highlights a clear disparity between employee use of cloud services and company IT policy, which suggests that businesses must increase focus on devising clearer security policies and better staff training programmes in order to minimise the risk for the business.

Darin Welfare added: "One of the key steps that any organisation can take to mitigate the risk from the widespread use of unsanctioned cloud services is to ensure that all company data is encrypted before employees have the opportunity to upload to the cloud. In the eventuality that the cloud vendor does not adequately put in place control mechanisms and procedures to ensure security across their infrastructure, sensitive and valuable corporate data is still encrypted and cannot be accessed and understood beyond those who have the right to. This approach provides the company with the assurance that the IT team is in control of the key and management of all company data before any employees turn to cloud storage services."

The survey also revealed:

- Half (50%) of respondents use personal equipment to access work information and services at least once a week
- 47 percent of employees use company-issued equipment at home at least once a week

Darin Welfare concluded: "This survey should serve as a wake-up call for IT teams to focus resources on crafting the stringent security policies, and employee education programmes that will help the business stay secure. It also indicates that this is not something that is only down to employee behaviour. Businesses need better training for all staff on the potential dangers of cloud services. Businesses must catch up with the employee cloud revolution or risk potentially catastrophic data loss."

***ENDS***

Research Methodology

The research was conducted by Censuswide, with 1,000 office workers in companies with 50+ employees aged 16+ between 20.08.15 - 24.08.15. Censuswide abides by and employs members of the Market Research Society, which is based on the ESOMAR principles.

About WinMagic, Inc.

WinMagic provides intelligent key management for everything encryption, with robust, manageable and easy-to-use data security solutions. WinMagic's SecureDoc secures data wherever it is stored, providing enterprise grade data encryption and key management policies across all operating systems. SecureDoc is trusted by thousands of enterprises and government organizations worldwide to minimize business risks and meet privacy and regulatory compliance requirements, while protecting valuable information assets against unauthorised access.

For more information, please visit www.winmagic.com.

WinMagic, SecureDoc, SecureDoc Enterprise Server, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, SecureDoc Media Viewer, SecureDoc Express, SecureDoc for Mac and SecureDoc Central Database are trademarks and registered trademarks of WinMagic Inc., registered in the US and other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2015 WinMagic Inc. All rights reserved.

Source: RealWire

AWS users could have their cryptographic keys stolen thanks to new vulnerability

Researchers used one instance of Amazon EC2 to recover a whole 2048-bit RSA key used by a separate instance

Businesses Feel the Financial Burden of Preparing for the EU’s General Data Protection Regulation (GDPR)

Over two thirds of IT professionals surveyed say they need to invest in new technologies or services to help prepare their business for the impact of GDPR

LONDON, UK - September 30, 2015 - Ipswitch™ released the results of a European survey that polled 300 IT professionals* to see how their businesses were preparing for the new European Union (EU) General Data Protection Regulation (GDPR). The regulation is designed to unify and simplify data protection across 28 EU countries and includes severe penalties for non-compliance of up to two percent of a company's annual global turnover. The GDPR draft has been passed by EU Parliament and is due to become law by the end of 2015. It is expected to impact any organisation which collects, stores, processes and shares personal data on employees, customers or partners.

The Burden of GDPR

Over two thirds (68 per cent) of IT professionals say that keeping up to date with changing data protection regulatory requirements is a financial burden on their business. British businesses feel most strongly about this (77 per cent), compared with 66 per cent in France and 61 per cent in Germany.

69 per cent of IT professionals believe they will need to invest in new technologies and services to help them prepare for the impact of GDPR. 62 per cent think they will need to invest in encryption technologies, 61 per cent in analytic and reporting technologies, 53 per cent plan to invest in perimeter security technologies and 42 per cent in file sharing technologies.

Over half (51 per cent) report that their business has already allocated training budget to help staff understand and comply with GDPR. However, just under a third (30 per cent) have not. Almost one fifth (19 per cent) have no idea whether training budget has been allocated. Businesses in France report the most instances of training budget having been allocated (56 per cent), compared to 49 per cent in Germany and 48 per cent in the United Kingdom.

Exactly half of IT professionals also say they have allocated internal training resource to help staff understand and comply with the new regulation. However, almost one third (32 per cent) have no internal resource allocated for this yet. The United Kingdom is the least prepared here, with 40 per cent having made no provision compared to their German (33 per cent) and French (24 per cent) counterparts.

Awareness of GDPR and Data Use

Whilst over two thirds (69 per cent) of IT professionals acknowledge that GDPR will impact their business, almost one fifth (18 per cent) still have no idea whether changes in the regulation will apply to them. This is despite confirming that they do store and process personal data.

These numbers are however an improvement on awareness of the regulation at this time last year, when a GDPR compliance survey conducted by Ipswitch revealed that more than half (56 per cent) of respondents could not accurately identify what 'GDPR' meant.

Overall, 90 per cent of those surveyed said that their businesses store personal data, 86 per cent process personal data and over a third (40 per cent) share data externally. 62 per cent of those that share personal data use email to do so. A quarter are using portable storage such as USBs or CDs, almost a quarter (22 per cent) use the postal system and 43 per cent use cloud based file sharing websites.

David Juitt, chief security architect at Ipswitch, commented, "It's encouraging to see that there is far greater awareness of the changes than at this time last year. Just over half of businesses are starting to prepare with training courses for staff. However, whilst IT professionals recognise the need to align data protection regulation to keep up with modern data sharing practices and the globalisation of data, it is clear that compliance comes at a price for most. Whilst many are trying to prepare by organising training and assigning resource, there's clearly a very large expectation of a need to invest in technologies including managed file transfer systems like Ipswitch MOVEit™ that meet stringent security and compliance requirements."

The Ipswitch MOVEit™ managed file transfer system helps IT teams support GDPR requirements in the following ways:

Protecting Personally Identifiable Information (PII)
- Support for secure open standard transfer protocols
- End-to-end encryption, guaranteed delivery and non-repudiation
- Automated file management policies

Managing PII
- Automated file exchange
- Managed ad hoc exchange
- Policy based file access and data loss protection (DLP)

Managing System Exposure
- High availability and disaster recovery
- Monitoring and reporting for auditing and forensics
- Trading partner provisioning and management

*The 2015 GDPR Ipswitch survey was conducted by technology research firm Vanson Bourne during July 2015 and polled 300 IT professionals. Survey responses include 100 responses from the UK, 100 responses from France, and 100 responses from Germany.

Resources:
GDPR Survey Summary Report: http://bit.ly/IpswitchGDPRsurveysummaryUK
GDPR Survey Infographic: http://bit.ly/IpswitchGDPRinfographicUK

About Ipswitch
Ipswitch helps solve complex IT problems with simple solutions. The company's software is trusted by millions of people worldwide to monitor networks, applications and servers, and transfer files between systems, business partners and customers. Ipswitch was founded in 1991 and is based in Lexington, Massachusetts with offices throughout the U.S., Europe, Asia and Latin America. For more information, visit www.ipswitch.com. Ipswitch and MOVEit are registered trademarks of Ipswitch, Inc. in the U.S. and other countries. All other trademarks are the property of their respective owners.

Media Contact:
Charlotte Hanson or Jacob Greenwood
TOUCHDOWNPR
Office: +44 (0) 1252 717 040
ipswitch@touchdownpr.com

Source: RealWire

Zylpha’s New Bundling Functionality Slashes The Time Taken To Prepare Electronic Document Bundles For Lawyers

Innovative new functionality incorporated in Zylpha's acclaimed legal document bundling technology, slashes the time taken to prepare bundles. Of particular note is a new Email feature, which Zylpha (www.zylpha.com) believes is a first in the market. T...

Banking Trojan Dyreza morphs to target supply chains

Microsoft Unveils Privacy-Enhancing ExpressRoute for Office 365

Security-conscious organizations can now establish a direct connection to their Office 365 clouds. Office 365 melds Microsoft's productivity software suite with an array of cloud services aimed at improving co...

Apple Unveils OS X 10.11 With Long List of Security Fixes

Apple debuts a new Mac operating system, OS X 10.11, which offers some new features and locks down security.

Apple today released its OS X 10.11 El Capitan desktop operating system, providing users with incremental new features and a long list of security patches. The 10.11 update follows Apple's mobile iOS 9 update that debuted Sept. 16 and includes some of the same security patches.

One such example is in the CFNetwork component, which provides core networking technologies to iOS and OS X. Apple patched CVE-2015-5858, a Web address parsing flaw in handling HSTS (HTTP Strict Transport Security), in iOS 9 nearly two weeks ago and is now rolling the same patch out in OS X 10.11. Another example of an issue fixed first in iOS 9 is CVE-2015-5874, which security researcher John Villamil of the Yahoo Pentest Team reported to Apple. "Processing a maliciously crafted font file may lead to arbitrary code execution," an Apple advisory states. "This issue was addressed through improved input validation."

The last major security update for OS X prior to today was the 10.10.5 update on Aug. 13, which came out the same day as the iOS 8.4.1 security update. Similarly, the OS X 10.10.4 update on June 30 was issued on the same day as the iOS 8.4 update. With those two updates, there were also multiple common patches across shared application libraries used on both the desktop and mobile operating systems.

While there are many common elements across iOS and OS X for security, there are also many unique elements. Among the new patches only in OS X 10.11 is CVE-2015-5836, a fix for a vulnerability in the Apple Online Store Kit. "A malicious application may gain access to a user's keychain items," Apple warned. "This issue was addressed through improved access control list checks." A similar, though technically different, issue was patched in iOS 9 with CVE-2015-5832, a flaw in the iTunes Store component.

Another unique issue patched in OS X 10.11 is CVE-2015-5913, a flaw in the Heimdal Kerberos 5 implementation for security credentials. The flaw was reported to Apple by security researchers working for rival operating system vendor Microsoft. "An attacker may be able to replay Kerberos credentials to the SMB server," Apple advises. "This issue was addressed through additional validation of credentials using a list of recently seen credentials."

OS X 10.11 also is being patched for multiple security vulnerabilities in the IOGraphics stack. Somewhat ironically, the majority of the IOGraphics vulnerabilities were reported to Apple by security researcher Ilja van Sprundel, who works for a security company called IOActive. "Multiple memory corruption issues existed in the kernel," Apple's advisory states. "These issues were addressed through improved memory handling."

Also somewhat ironic is the CVE-2015-3785 patch in OS X 10.11 for a telephony vulnerability that isn't present in iOS 9, even though it relies on a user having both an iPhone and a Mac desktop. Dan Bastone, a security researcher at Gotham Digital Science, first reported the CVE-2015-3785 issue to Apple on May 25. According to Bastone, Apple first patched the CVE-2015-3785 issue with the OS X 10.10.5 update in August, though it was not publicly disclosed at the time. Bastone blogged that there is a bypass for the Apple fix, identified as CVE-2015-5897, which also is patched in the 10.11 update.

"When an OS X system and an iPhone have been properly configured, Continuity allows phone calls and SMS [Short Message Service texts] to be placed and received on OS X and routed through the iPhone using the mobile carrier's network," Bastone blogged.

According to Apple's advisory on CVE-2015-3785, a local attacker can place phone calls without the user's knowledge when using Continuity. "This issue was addressed through improved authorization checks," Apple stated.

The bypass issue identified by Bastone is CVE-2015-5897, which Apple has listed as an Address Book vulnerability. "A local attacker may be able to inject arbitrary code to processes loading the Address Book framework," Apple's advisory states. "This issue was addressed through improved environment variable handling."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Washington Ponders Security, Again, but Its Motives Are Uncertain

NEWS ANALYSIS: Back from vacation, the Senate wades into a series of hearings on security, including bringing back a shelved law that angers privacy advocates. The Senate Armed Services Committee has started a...

U.S.-China Cyber-security Agreement Lacks Teeth, Has Holes

NEWS ANALYSIS: An agreement between the nations not to conduct economic espionage holds promise, but only if adequate sanctions are part of the discussion, security experts say.

When President Xi Jinping arrived in Washington, D.C., last week, the U.S. government had already started threatening to levy sanctions against China for continuing to aid, and in many cases sponsor, domestic hackers in efforts to steal sensitive information from the U.S. government and companies. Yet an 11th-hour agreement between China and the United States promises to put a halt to any government cyber-operations designed to boost domestic industries.

In a joint press conference, President Obama and President Xi pledged that both countries would eschew economic espionage in the future. "Both governments will not be engaged in or knowingly support online theft of intellectual properties," President Xi told assembled press. "And we will explore the formulation of appropriate state, behavior and norms of the cyber-space."

The agreement falls short in many areas, however. For one, both countries are promising only not to conduct economic espionage. Cyber-espionage conducted for national-security reasons remains a legitimate activity. The recent compromises of the U.S. Office of Personnel Management (OPM) and health insurance provider Anthem, both of which could justifiably be considered valid national-security targets, were attributed to Chinese actors, and both remain targets today. For that reason, government agencies and companies will not see any respite because of the agreement. Rather, they will both have to beef up their defenses because attackers have no reason to stop, Dmitri Alperovitch, co-founder and CTO of security services firm CrowdStrike, told eWEEK. "I think with the OPM breach—that's on us," he said. "You cannot blame the Chinese for trying. Our own people have said they would have done the same thing, if they had a chance." As long as the costs are worth the benefits, such attacks will continue, Alperovitch said.

More significantly, the agreement has very little structure, although few details have been provided to the media. The agreement fails to define the boundaries of what constitutes economic, versus national, espionage and fails to discuss penalties for exceeding those boundaries. Without the former, any nation can claim that an attack is for national-security reasons. More importantly, without a framework for sanctions or other policy measures to punish countries that hack other nations, cyber operations will continue to target government agencies and companies, said Jason Healey, a senior fellow with the Cyber Statecraft Initiative at the Atlantic Council, a policy think tank. In a report published in September, the analyst group estimated that burgeoning cyber-crime and cyber-espionage could cost the worldwide economy up to $90 trillion in unrealized benefits.

While the U.S.-China agreement on economic espionage has set the stage for further discussions, it needs stiff penalties to deter each side from crossing the newly drawn lines. Deterrence, in general, requires that the participants worry that they will be caught and that, if they are caught, they will face meaningful punishment. Without those two conditions, deterrence is not possible, Jen Ellis, senior director of community and public affairs for Rapid7, told eWEEK in a recent interview. "So when you look at it in that context, the reality is that deterrence is pretty unlikely to work for cyber," Ellis said. Attributing hacks to specific actors or nations is difficult, and levying punishment when the economies of China and the United States are so intertwined is unpalatable for politicians on both sides, she added.

Scammers use Google AdWords in malvertising campaign

Campaign aims to get unsavvy PC users to pay for unnecessary IT support, or worse still, gather details to carry out identity theft

LogMeIn Offers Identity Management Product for IoT Platform

At its Xperience show, the company rolls out Xively Identity Manager to address the complexity and scale challenges of the Internet of things.

Enterprises looking for ways to identify and manage the growing number of connected devices are finding that traditional identity and access management solutions aren't always a good fit for the Internet of things. LogMeIn is trying to address the issue with the introduction of a new identity manager solution for its Xively Internet of things (IoT) platform. Company officials unveiled Xively Identity Manager Oct. 1, the opening day of Xperience 2015, a two-day IoT conference in Boston hosted by LogMeIn.

Xively Identity Manager offers customers a white-label solution that can be used to onboard and manage new end users of IoT devices, according to officials. Using an API, customers can use the new offering with Web and mobile applications, which the company said are the primary ways people create accounts for their new connected devices.

As part of LogMeIn's IoT platform, the Xively Identity Manager also integrates with the Blueprint feature in the platform. Blueprint was introduced earlier this year and is designed to make it easier for organizations to manage the various roles, permissions and relationships for not only the people in their connected business, but also the devices, partners and applications. Through the integration of Xively Identity Manager and Blueprint, companies will be able to manage the identities and access for employees, customers and applications, as well as connected products and their data, officials said.

LogMeIn is looking to offer enterprises a way of managing devices that can address the security and management challenges that the IoT raises. These range from the sheer number of devices and the multiple users of these devices to the data and applications that run on them, according to Paddy Srinivasan, vice president of products for Xively by LogMeIn.

"To date, most companies building connected products have been stuck between retrofitting enterprise IAM [identity and access management], which is inherently inward facing, using consumer Web options, which means sacrificing control to third parties, or taking a do-it-yourself approach," Srinivasan said in a statement. "Xively Identity Manager is designed specifically for IoT use cases, giving our customers a turnkey option for reducing risk, bolstering security, and accelerating time to market."

Gartner analysts in February said that being able to manage identities and access will be important to the adoption and success of the IoT, but that current IAM solutions are not made to handle the scale and complexity the IoT presents. "Traditional, people-focused IAM systems have been unable to accommodate the propagation of devices and things to give a broad and integrated view for IAM leaders," Ant Allan, research vice president at Gartner, said in a statement at the time. "The 'Identity of Things' requires a new taxonomy for the participants in IAM systems. People, software that makes up systems, applications and services, and devices will all be defined as entities and all entities will have the same requirements to interact."

Gartner defined the Identity of Things, or IDoT, as a "new extension to identity management that encompasses all entity identities, whatever form those entities take. These identities are then used to define relationships among the entities — between a device and a human, a device and another device, a device and an application/service, or (as in traditional IAM) a human and an application/service."

LogMeIn executives noted that identity management and authentication in the IoT is further complicated by the many people who may need access to a single device. For example, a homeowner may buy a connected thermostat, but other people living in the house, representatives from the manufacturer or service technicians may need access at various times. Xively Identity Manager is designed to handle such scenarios, they said. By using the Xively product, businesses can quickly offer an identity solution that can collect data regarding the users of the devices and, in conjunction with Blueprint, map the identities to the devices to enable access control. In addition, customers can manage the full lifecycle of the device for both primary and secondary users, and develop profile graphs of users, officials said.