Channel: security news – Cyber Parse – Cyber Security and Information Security

SafeBreach Simulates Attacks on Customers to Find Security Risks

Attackers use multiple types of tools and techniques to exploit an organization that SafeBreach automates in an effort to determine risk. One way to know if a company is vulnerable to attacks is to try and breach it—safely. That's the goal of SafeBreach, which announced the official launch and general availability of its security platform today. "SafeBreach is all about not waiting for a breach to happen," SafeBreach CEO and co-founder Guy Bejerano told eWEEK. The SafeBreach platform runs what Bejerano referred to as the "hacker playbook," that is, the offensive knowledge of attackers. The hacker playbook includes all manner of techniques and actions, for example, attempting to exfiltrate credit card data, activating malware and trying brute-force password attacks. The SafeBreach platform automates the common techniques hackers use in an attempt to breach an organization and helps defenders identify potential risks. The idea of testing an organization's readiness for an attack is often associated with the security discipline of penetration testing. Itzik Kotler, CTO and co-founder of SafeBreach, emphasized that what his company's platform does is more than a typical penetration test in that it simulates both clients and servers. In a traditional penetration test, a security researcher will attempt to gain external access to an organization or application and has to wait for the systems to react. "What we're doing in our simulation is we're triggering the reaction immediately," Kotler explained to eWEEK. For example, with a brute-force password attack, the SafeBreach system simulation will know how many attempts it takes for the attack to be successful or if it will fail. The goal is to rapidly make a determination of an organization's risk. With a typical penetration test, user behavior is often the weak link that leads to exploitation. 
For example, with a phishing attack, the goal of the hacker is to get the victim to click on a malicious link that leads to some form of malicious Website or attack payload. There is no need to wait to see if the user will click, Kotler said. Instead, the SafeBreach approach is not to care about the user action and see what would happen if the phishing email was clicked and whether the malicious link or Website could infect the targeted user or system, he added. "Let's not wait for the user to actually click the link or open the malware," Kotler said. "Eventually, someone will open the mail and click on the link, so let's simulate this right now and see what happens." While encouraging users not to click on potential phishing emails, organizations have enterprise controls in place that protect users and prevent malware exploitation. The right way to really see if the enterprise controls for attacker protection work is to test them, Kotler said. However, rather than conducting a live penetration test against a production environment, what SafeBreach uses isn't real malware that can harm an organization. Instead, SafeBreach simulates malware activity as well as the client and the security controller, he said. As such, there is no risk to the live production environment. Among the common actions modern hackers take is to use an exploit kit with a collection of known vulnerabilities that a target victim may not have patched. SafeBreach tests the impact of an exploit kit on an organization by simulating both the user that could potentially click on an exploit kit link as well as simulating the actions of the exploit kit command-and-control server, Kotler explained. "In running the simulation, we can see if any security controls are triggered—whether that's an IPS [intrusion prevention system], data loss prevention system or a firewall," Kotler said. "If a security control isn't triggered, then we have identified that there is a risk." 
SafeBreach provides a high-level dashboard that identifies the risks. Clicking into the specific risks, the system provides detail on how SafeBreach was able to exploit a specific part of an IT infrastructure. "Since we're looking at the entire attacker kill chain, from reconnaissance to data exfiltration, it's easier for the security person to patch what matters," Bejerano said. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Why Your Enterprise Must Pay Close Attention to IoT Device Security

NEWS ANALYSIS: It's apparent now that Internet of Things security is laughably bad, but you can prevent your enterprise from being the butt of the joke. The woman on the videoconference screen looked at me in...

Internet of Things Security Problem Just Keeps Getting Bigger

Recent reports about Webcams being readily accessible to anyone using an Internet port-scanning service show why there has been little progress in securing connected devices as we move into 2016. Every year or so, the Internet rediscovers that unsecured webcams are out there, leaking ready-to-watch videos of babies, pets, bank customers and even the offices of the webcam makers. This month, the ability of the Shodan port-scanning service to easily find webcams set off a kerfuffle in the media. Yet, the criticism is missing the point. It’s more worrisome that people are putting devices into their homes and businesses with little concern for the security and privacy implications, security researcher Dan Tentler told eWEEK. Tentler has discussed the lack of security on webcams and other devices connected to the Internet at multiple conferences, and occasionally posts interesting results from Shodan to his Twitter feed. The popularity of the devices and their lack of security is creating a burgeoning problem, he said in an e-mail interview. “It says neither consumers nor vendors care about security, and it’s going to be an amazing amazing apocalypse,” Tentler said. “Sooner or later people will have a dozen things in their homes that are publicly connected, with little to no security and bad guys will find a way to take advantage of that fact with some heavy [consequences].” In a research report presented in May 2014, Tentler found seven Webcam models are currently accessible online, accounting for nearly a million devices. Finding them was not totally straightforward, as he had to fingerprint them using telnet, but it was a simple enough task for any hacker. “With a million plus endpoints, they are an excellent cross section of the type of security you can expect from people that manufacture stuff for public consumption,” he said. Since the number of connected devices is expected to grow quickly, the lack of security will become a greater problem. 
Business strategy firm Frost & Sullivan forecasts that the number of connected devices will reach around 22 billion by 2019, growing by more than 18 percent a year. Connected cars alone will account for 24.0 percent of these devices and wearables will represent 17.1 percent. The expectation is that many of these devices will not be properly secured. Security firms are already seeing the vulnerable devices as a potential market. In November, security firm F-Secure released its Sense smart-device security gateway, which scans traffic for possible malicious code or behavior. Startup Bastille aims to create products and services that will allow companies to detect the myriad of wireless 'things' that enter the workplace. To improve security, both consumers and manufacturers have to take responsibility for the security of the devices, Tentler said. “The security researchers are in the middle, like a marriage counselor, saying, ‘Look, you both have to do stuff. You can't just blame each other and do nothing,’” he said. Device makers need to conduct security audits and stop shipping products with default passwords, Tentler said. The government needs to come down harder on companies that do not adequately secure their devices. Finally, consumers need to understand that connecting a device to the Internet requires them to take responsibility for it. “I don’t care if you’re a plumber or a nun–you don’t buy a thing and connect it to the internet without taking some kind of risk,” he said. “You have to take 60 seconds to understand that risk.”

ScriptRock Rebrands as UpGuard With More Focus on Security

The visibility vendor doubles down on security with a new scoring system to help organizations and insurance companies evaluate and remediate risk. When it comes to understanding the security risks an organization faces, a good place to start is to first understand what technologies are in place. That's the basic premise behind the visibility technology offered by UpGuard, which also now offers a scoring system called Cybersecurity Threat Assessment Report (CSTAR), based on an organization's security posture to help assess risk. UpGuard is the new name for ScriptRock, which originally was not positioned as a security vendor. The basis of the original ScriptRock platform was visibility into servers, network appliances and other technology devices in an organization to analyze packages installed and configuration states, according to Alan Sharp-Paul, co-founder and co-CEO for UpGuard. "What we realized is that by building tools that help companies understand and get visibility into their state, we can also help to mitigate risk and ensure security," Sharp-Paul told eWEEK. "We're not a security company; we call ourselves a digital resilience company, helping companies to understand what they have." Another realization that Sharp-Paul made is that insurance companies are lacking the information they need to make informed decisions about cyber-security risk issues. In Sharp-Paul's view, modern IT security is no longer just about attempting to prevent attacks—it's also about risk mitigation. "The cyber-insurance market today is broken because the actuarial tables for insurance companies don't exist," Sharp-Paul said. "Businesses don't understand their state, and insurance companies don't either." To help both insurance companies and the organizations they insure to properly understand risk, UpGuard is launching CSTAR, which provides a FICO-like score to help assess cyber-security risk. 
The CSTAR score is based on multiple factors, including an internal scan of an organization's technology assets, looking at compliance, configuration and security information. The internal scan is coupled with an external scan of an organization's infrastructure to help create the risk score. Mike Baukes, co-founder and co-CEO of the company, explained that UpGuard's visibility scanning can also assist organizations in understanding the integrity of their IT infrastructure, which can help organizations deal with unplanned and unmanaged change. The internal scan of an organization is not a blind scan, but rather it requires the use of some form of administrative or system credentials to get configuration information from devices. "Passive networking monitoring just on traffic really doesn't give you the configuration insights that you need to understand risk," Baukes told eWEEK. For the external scan, UpGuard is not performing a full external penetration test that looks for vulnerabilities. Rather, Baukes explained that the external scan looks at common elements such as the proper use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) for Web security, the integrity of MX mail records and DNS records for Website domains. Going a step beyond giving organizations visibility and providing a score, UpGuard can also give direction to companies on where and how to remediate risks via integration with popular configuration management tools. "If you come across a problem, not only can you drill down to the exact line or package, but you can generate a Chef, Puppet, Ansible or Microsoft DSC [Desired State Configuration] file to remediate issues," Baukes said. "It's a virtuous cycle of being able to see a problem and then resolve the problem using one of the common configuration tools that are out there." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Google’s Chrome Browser May Soon Mark HTTP Sites Unsafe

Google reportedly plans to introduce a feature in its Chrome browser that warns users when they land on an HTTP site. Google is reportedly getting ready to implement a proposal it made slightly more than a year...

DDoS Targets, Motivations Evolve as Attack Volumes Hit New Peaks

Criminals and rogue gamers have become the main sources of distributed denial-of-service attacks, as the peak attack size reaches 500G bps. Distributed denial-of-service attacks used to be reserved as the not-so-subtle tool of vandals and hacktivists. Increasingly, however, other actors are using DDoS attacks for a variety of ends. Criminals clog networks to demonstrate their capabilities and extort money from companies. Rogue gamers attack rivals to gain advantage in online arenas. In fact, criminal and online gaming- and gambling-related motivations topped the list of suspected reasons for DDoS attacks in 2015. "It definitely points to how this is becoming more of a mainstream tool in hackers' arsenals compared to the past when it was more often done as more of a nuisance or antagonistic way, rather for criminal gain," Gary Sockrider, principal security technologist at Arbor Networks, told eWEEK. The most recent data from Arbor and other companies shows an evolving picture of DDoS attacks. In its 11th Worldwide Infrastructure Security Report, Arbor Networks found that, in addition to changing motivations, the peak bandwidth of the most powerful attacks has increased, attackers are more likely to target specific applications and attacks against voice-over-IP (VOIP) services have increased. The report surveyed IT and security professionals at Internet service providers, enterprises, government agencies and educational institutions on the denial-of-service trends witnessed by their organizations. In a separate analysis, security firm Kaspersky Lab found that while the attacks targeted resources in 69 countries, just three nations—China, South Korea and the United States—accounted for more than 80 percent of all targets. In its latest State of the Internet report, Akamai found that the United Kingdom, China and the United States were the largest sources of attacks. 
"It has been pretty dramatic, over the past year, how popular DDoS has become," said David Fernandez, editor in chief of Akamai's State of the Internet report. Nor is it surprising that peak attack volumes increased in 2015. The largest attack peaked at 500G bps, according to Arbor. And, the longest attack lasted more than 15 days, according to Kaspersky. "The volumetric stuff gets the headlines and big numbers are scary, but it's not the whole story," Sockrider said. "The only time I'm surprised by the big numbers is when they don't get bigger." The average target has to deal with more modest threats. The average attack consumes less than 500M bps and lasts less than 30 minutes, according to Arbor's data. What does the future hold? Here are five trends to watch for in 2016, according to the data.

1. DDoS used for a greater variety of nefarious ends

In 2012, Internet service providers and companies targeted by DDoS attacks believed the largest proportion of attacks could be attributed to political and hacktivist attackers. In Arbor's 2012 Worldwide Infrastructure Security Report, ideological and political motivations accounted for a third of attacks, online gaming-related attacks accounted for 31 percent and vandalism accounted for 27 percent. In the latest report, Arbor found that 42 percent of respondents blamed attacks on criminals trying to demonstrate their capabilities, another 41 percent connected attacks to online gaming and 35 percent to extortion. (Respondents could choose more than one motivation, so they total more than 100 percent.)

NSA Gives Advice on Defending Against Nation-State Attackers

The head of NSA's offensive operations division explained how it uses vulnerabilities and how organizations can defend themselves. Among the cache of documents leaked by U.S. National Security Agency (NSA) whistleblower Edward Snowden were files containing information on the agency's offensive operations, known as Tailored Access Operations (TAO). While Snowden's leaked documents have been a source of information on NSA activities, there is now another, more direct source: the NSA itself. In an eye-opening 30-minute session at the USENIX Enigma conference in San Francisco on Jan. 28, Rob Joyce, chief of NSA's TAO, discussed how advanced persistent threats (APTs) target organizations and what techniques can be used to defend against those attacks. The Enigma session has now been posted to YouTube, enabling anyone with Internet access to watch the NSA explain how to attack and defend against nation-state adversaries. "I'm from Tailored Access Operations, and from that perspective, it is very strange to be up here on a stage," Joyce said. "My talk is to tell you as a nation-state exploiter what you can do to defend yourself to make my life hard." Joyce noted that TAO's efforts include gaining foreign intelligence by way of nation-state exploitation that supports a wide range of missions, from informing U.S. policy makers to protecting war fighters. NSA TAO often has a better understanding of the networks that are targeted for exploitation than the targeted networks' owners have themselves, Joyce said. "If you really want to protect your network, you really have to know your network, you have to know the devices and the security technologies inside it," Joyce said. NSA TAO puts in the time to really understand the networks of targets, better perhaps even than the people that actually designed the network and those tasked with securing the network. 
From an attack methodology, Joyce explained that there is a series of phases that occur when exploiting a target, starting with reconnaissance. After reconnaissance, an attacker looks to get in the door with an initial exploitation of a network. Once in the door, an attacker seeks to establish persistence and will also install tools. The initial point of entry into a target network isn't likely where all the information is kept, which is why once the attacker has persistence and tools in place, the next step is to move laterally within the network. The final phases of an intrusion are to collect and exfiltrate data from the target network. From a defender's perspective, the goal is to disrupt an attacker's progression through the intrusion phases, Joyce explained. One simple recommendation he made is to reduce the potential attack surface by shutting down services that are not actually being used by the organization. "It's not a new or amazingly insightful piece of advice," Joyce said in reference to his suggestion about shutting down unneeded services. He added that people would be surprised to realize all the things that are running on a network, versus the things that they think are supposed to be running on the network. Joyce suggested that organizations run full penetration tests against their own networks to "poke and prod" for potential vulnerabilities, just like an adversary might do. While zero-day vulnerabilities do represent a risk, Joyce commented that they are not the primary attack vector. "On any large network, I will tell you that persistence and focus will get you in and will achieve exploitation without the zero-day [exploits]," Joyce said.

Spotting Insecure Websites Requires More Than Google’s Red X

NEWS ANALYSIS: Google’s plan to flag Websites as insecure depending on whether they support the HTTPS protocol is well intentioned. But it misses the mark in terms of flagging what’s secure and what’s not. As you have probably heard by now, Google is apparently planning to change the way it flags websites according to their perceived security level. To do this, according to media accounts, Google’s Chrome browser will display a red X adjacent to the web address in the browser’s address bar. The existence of this marking is supposed to alert site visitors that the page they’re visiting doesn't have the ability to encrypt their communications. In one sense, this is a nice idea. It’s easier to misdirect a browsing session if the site isn’t encrypted and thus equipped with a security certificate. It’s also easier to intercept your browsing session when you are sending or receiving sensitive information if all you’re using is HTTP. However, it’s important to note that just flagging a site as insecure because it doesn't use encryption is no guarantee of security, nor is it an indication that there’s anything insecure or risky about a site that’s not encrypted. In fact, by sending traffic preferentially to encrypted sites, Google is placing smaller sites and sites run by individuals at a significant disadvantage without any offsetting benefit to Web users. In effect, that red X can be a scarlet letter of shame for websites that have no security lapses other than not supporting HTTPS. What’s worse is that Google is planning to enforce its security plans by demoting sites without HTTPS in their search rankings. Small sites and sites run by individuals may not feel that spending $200 per year to set up a site with Secure Sockets Layer (SSL) is worth the cost or even something they can afford at all. What’s worse is that a site running HTTPS can still be insecure; it can still host malware; and it can still lead to a phishing site. 
The only difference is that you’ll feel warmer and fuzzier while it’s doing it. Still, in many cases insisting on an SSL connection provided by an HTTPS site can be very important. Any site that’s doing ecommerce in any way at all needs a secure connection. If you don’t see the green padlock or the green address bar on your browser, then you don’t want to use it to share anything that includes personal or financial information. I’m not suggesting that using an SSL-enabled website isn’t a good idea, because it is. It’s just that using SSL, which is what you get with an HTTPS page, is no guarantee of security. Likewise, just because you don’t see an indication that a page is secure is no indication that the page is inherently dangerous in any way.

Azzurri maintains government-level security credentials with renewal of Cyber Essentials Plus certification

London, 2nd February 2016: Managed communications services provider Azzurri Communications today announced that it has achieved the Government’s Cyber Essentials Plus accreditation for a second year. This builds on the company’s strong governance policies and focus on company-wide IT infrastructure security, ensuring that the company’s public sector customers are protected from the well-reported dangers posed by cyber-threats. Security has never been more important for public sector organisations, with Chancellor George Osborne recently announcing Government plans to invest £1.9 billion in cyber security over the next five years.

Azzurri achieved reaccreditation of the more advanced Cyber Essentials Plus certification, which means that the security and robustness of the company’s platform and internet facing applications have been independently tested and verified by an external certification body. This involved investigations inside the network, vulnerability scanning, remote access capability and penetration testing.

The Cyber Essentials Scheme was launched by the UK Government in 2014, and recognises the achievement of government-endorsed standards of cyber hygiene which can significantly reduce organisations’ vulnerability. Adherence to the scheme is an essential certification for any public sector ICT supplier.

“It’s another string to our bow to have achieved this accreditation once more, and it gives public sector organisations the guarantee that our security credentials meet Government standards,” said Chris Jagusz, CEO of Azzurri Communications, “Our public sector customers quite rightly consider robust security and cyber-crime detection mechanisms as more than a simple tick in the box. It has become a ‘do or die’ requirement that all their suppliers must demonstrate.”

In the past financial year, Azzurri has retained all its ISO accreditations, including Quality Management (ISO9001) and Security (ISO27001). This, alongside Cyber Essentials Plus means Azzurri can continue to act as a secure and trusted managed communications services provider to public sector organisations. The company is a provider on the government’s G-Cloud 7 framework, a direct-award marketplace that allows public sector organisations to source cloud based IT services. Azzurri also holds accreditations for nine lots on the Network Services Framework (RM1045) for public sector ICT services.

-ENDS-

About Azzurri Communications

Azzurri Communications is transforming UK organisations through technology and managed services. Since 2000, Azzurri has helped its customers to become faster, more connected and more competitive by delivering unrivalled expertise and award-winning services. Azzurri’s flexible services and integrated solutions include unified communications, enterprise mobility and flexible working, networks, contact centres and document solutions.

Today, Azzurri is focused on delivering transformational solutions for mid-market private enterprise and public sector organisations. Azzurri helps securely connect organisations with their people and their customers, in the office, on the move and in the cloud.

For more information contact:
Sarah Walker/Tamsin O’Neill
020 3824 9210
Azzurri@ccgrouppr.com

Source: RealWire

AppSense Announces Record Results for Q2 and First Half of Fiscal 2016

Company Marks Best Quarter in History as Demand for Endpoint Security Solutions Soars

READING, UK, February 2, 2016 – AppSense, the global leader of secure user environment management (UEM), today announced record results for the first half of its fiscal year 2016. New orders in the six months, ended December 31, 2015, grew 20 percent year-over-year marking a record for the company in both total bookings and revenue.

“We want to thank our customers and partners who enabled AppSense to achieve strong growth globally,” said Scott Arnold, President and CEO, AppSense. “Accelerated demand for AppSense solutions that help secure and optimize endpoints has driven record results in 2015 and helped grow our installed base to 9 million seats.”

The company continues to see acceleration in key growth indicators including the number of net new customers, which increased by 230 companies during the first half. Additionally, the number of seven-figure deals rose 5X during the first half, compared to the same period last year.

Sales Strategy Fuelled by the Channel

Among the key contributors to AppSense’s success during the first half of 2016 was continued growth in the channel. A renewed focus on channel partner engagement and enablement has driven an increase in partner-driven sales across every region. In the last six months, 84% of new sales were executed via the channel.

“AppSense continues to demonstrate its channel commitment with impressive programs and incentives that display a channel-first philosophy,” said Ira Silverman CEO, Gotham Technology Group. “This, combined with its industry-leading technology for truly secure user environment management, makes them the go-to vendor for transformational workspace management projects.”

Key Milestones and Achievements

In addition to its financial achievements during the period, AppSense also marked the following milestones during the first half of the fiscal 2016 period:

Reported rapid adoption of the AppSense Application Manager endpoint security solution with half a million security seats added during the company’s H1 fiscal 2016

AppSense’s Scott Arnold was named to the Annual 2015 CRN Top 100 Channel Executives List as a Top Industry Innovator

Delivered a DesktopNow Installation Blueprint for Citrix Workspace Cloud enabling the provisioning of a complete AppSense DesktopNow installation from anywhere

Recognized by 451 Research as “The Missing Link for Virtual Desktops” in a November 2015 Impact Report

“Historically, the desktop virtualization ecosystem has been dominated by session-based computing and VDI in terms of revenue and adoption, yet we expect the management layer to post far superior growth given the importance of these tools in a mobile, any-device environment that requires a strong balance between security and user productivity,” said John Abbott, Distinguished Analyst, 451 Research. “AppSense is leading the charge in this high-growth market with innovative solutions and solid execution.”

About AppSense

AppSense is the leading provider of UEM solutions for the secure endpoint. AppSense user virtualization technology allows IT to secure and simplify workspace control at scale across physical, virtual and cloud-delivered desktops. AppSense Solutions have been deployed by over 3,600 enterprises worldwide to 9 million endpoints. The company is headquartered in Sunnyvale, CA with offices around the world. For more information please visit www.appsense.com.

###

Local UK Media Contact:
Sharon Munday
On Your Case Ltd for AppSense
+44 23 9311 4100
sharon@onyourcase.co.uk

Source: RealWire

Fisher-Price Smart Teddy Bear Latest IoT Toy Under Hacker Scrutiny

The latest device with a security vulnerability is Fisher-Price's Smart Toy, as flaws in the connected Internet of things world continue to mount. When it comes to the emerging Internet of things world, security vulnerabilities can exist almost anywhere, including in a child's teddy bear. Security vendor Rapid7 today disclosed a vulnerability in the Fisher-Price Smart Toy, which could have enabled an attacker to gain access to user information. Rapid7 responsibly disclosed the flaw to Fisher-Price, and the toy vendor has already patched the issue. "The Fisher-Price Smart Toy device is a teddy bear that has an integrated Android 4.4 operating system in it," Tod Beardsley, security research manager at Rapid7, told eWEEK. There are no local security controls on the device, so if someone has physical access to the device, it is possible to get an Android Debug Bridge (ADB) shell to get complete system access, Beardsley said. The lack of local access security, however, is not what concerns Rapid7, since the assumption exists that if someone already has physical access to the device, they probably know the owner. Of greater interest are the remote access vulnerabilities that Rapid7 found that could have enabled someone without physical access to the toy to get personal information. Fisher-Price did not properly secure the Web APIs it uses for the back end of the Smart Toy, potentially giving an attacker access to customer profile information, including name, birthday, gender, language and which toys have been registered. Going a step further, Beardsley said that an attacker could have deleted or modified a child's profile. The core flaw, which is identified as CVE-2015-8269, is an improper authentication handling vulnerability. Beardsley explained that the Web back end for the Smart Toy would let anyone attempting to access the site assert that they were any customer ID. 
Fisher-Price fixed the remote security issues disclosed by Rapid7 in a timely manner, according to Beardsley. Since the disclosed issues are all remote, there is no need for end users to patch the local device. The Fisher-Price Smart Toy vulnerability follows other flaws found in IoT toys in recent months, including issues found in Hello Kitty, VTech and Hello Barbie. What's not immediately clear in the Fisher-Price incident is the number of users who were at risk, as Rapid7 acted in a professionally responsible and legal manner and did not attempt to download or access all user profiles. The Fisher-Price Smart Toy vulnerability helps to further illuminate the issue of IoT device security. In Beardsley's view, the lack of full, proper security isn't a function of malice, but rather one of awareness, which is now starting to improve. In particular, he praised Fisher-Price for its quick response to the issue and for patching the flaw quickly. "No one decides not to do security," Beardsley said. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

U.S., EU Agree on Privacy Shield to Maintain Transatlantic Data Flow

The free flow of petabytes of data transmitted by the largest corporations and private citizens will continue across the Atlantic as the result of a new "safe harbor" agreement reached Feb. 2 between the United States and the European Union to protect data transfers between the two nations. The agreement replaces a 15-year-old pact that the EU's highest court struck down in October 2015 because it failed to protect the data of European citizens from snooping by U.S. intelligence or police authorities. Months of intense negotiations in Brussels, the headquarters of the European Commission, finally yielded results a couple of days past the Jan. 31 deadline. The talks were closely watched by the world's tech community because a failure to reach a timely agreement could conceivably have disrupted or at least complicated transatlantic data transfers. Right now, EU negotiators are pleased that they got the concessions they wanted, which would limit the access to the private data of Europeans by U.S. intelligence agencies. U.S. Commerce Department officials, meanwhile, seemed almost giddy with delight as they discussed the agreement's terms at a press conference, especially since some of the world’s largest corporations including Google, Facebook and Amazon.com were holding their feet to the fire. But there is still a great deal of uncertainty about whether the current informal framework of the draft agreement will hold water long enough to go into effect. U.S. concessions include guarantees, renewed annually, of privacy for the personal information of European citizens. These agreements would include limits on what U.S. companies can do with such data along with restrictions on the interception of data by the U.S. intelligence community as it flows between the two continents.
There are also a number of methods that Europeans can use to contest any attempts to gather data, including judicial redress, ombudsman positions at the U.S. State Department and monitoring by the Commerce Department and the Federal Trade Commission. Unfortunately, there are also some stumbling blocks in the road to a final, signed agreement. The current negotiated framework must be turned into an actual written agreement that is acceptable to both. After the draft agreement is reviewed and revised, it will be turned into final form, which must then be ratified by each of the EU member nations. While the European Commission may think the agreement is solid, that doesn’t really matter. It will eventually be reviewed by European privacy agencies, of which each member nation has one. The EC has no authority over those agencies at all and the privacy agencies can accept or reject the new agreement for their own reasons. Complicating matters are the concepts of privacy in a Europe with fresh memories of world wars, dictatorships, police states, genocide and ethnic cleansing. As a result, the European view of privacy is far more extreme than it is in the U.S.

Rigby Private Equity Opens Up New Office In Austria

Wick Hill and Zycko strengthen Austrian business with new office in Vienna
London, Cirencester and Woking, UK: Rigby Private Equity (RPE) announces the opening of a new office in Vienna, Austria. Specialist value-added distributors Wick Hill and Zycko (both part of RPE) already have business in Austria and this move shows the commitment of both distributors and RPE to strengthen and grow activities in that territory. Paul Eccleston, head of RPE, commented: “Both Wick Hill and Zycko have traded successfully into Austria from Germany in the past and have had many requests from their vendor partners to open an office in Austria itself. We see this as a serious commitment to the territory, with significant opportunities for the value add, capability and services that both companies represent.” The Vienna office will be staffed by a strong team of experienced people who will be supported by the core capabilities of both Wick Hill and Zycko. From day one, the Austrian office will have access to the skills of both companies, which include marketing, product and technical support, consultancy and professional services. David Galton-Fenzi, CEO of Zycko, said: “Having a local resource in Austria will allow us to further improve the focus and level of service we can offer to partners there.” Ian Kilpatrick, chairman Wick Hill Group, said: “With the continued growth of our business in Austria, it was important for us to open the Vienna office to support our partners.” Rigby Private Equity, which is building an EMEA-wide high-value, specialist distribution business, was formed in 2015 to identify established companies with both a great value proposition and plans for strong growth, to invest in these companies and to support the acceleration of their growth plans. In July 2015, RPE made a major investment in leading specialist security value-added distributor Wick Hill and in December 2015 added leading specialist services distributor Zycko.
About Zycko
Established in 1999, Zycko is an international, specialist distributor of innovative IT solutions including data networking, data storage, network monitoring and management, voice and video communications, virtualisation, cloud, and data centre infrastructure. The company focuses on new, best-in-class, innovative technologies, delivering first-class, sophisticated and professional services, accredited training, marketing and business development support to its customers. Through a careful selection of leading-edge strategic partners and technologies, Zycko provides the opportunity for channel customers to differentiate themselves in a crowded market. The company has 15 offices in 13 countries and serves the rest of the world from its UK headquarters. Zycko is part of Rigby Private Equity, a subsidiary of Rigby Group Investments, an independent company within Rigby Group plc.
About Wick Hill
Established in 1976, value added distributor Wick Hill specialises in secure IP infrastructure solutions. The company sources and delivers best-of-breed, easy-to-use solutions through its channel partners, with a portfolio that covers security, performance, access, networking, convergence, storage and hosted solutions. Wick Hill is particularly focused on providing a wide range of value added support for its channel partners. This includes a strong lead generation and conversion programme, technical and consultancy support for reseller partners in every stage of the sales process, and extensive training. Wick Hill Group is part of Rigby Private Equity, a subsidiary of Rigby Group Investments, an independent company within Rigby Group plc. As such, Wick Hill has its headquarters in the UK, an office in Germany and an office in Austria. Wick Hill is also able to offer services to channel partners in thirteen European countries and worldwide, through its association with Zycko, as part of RPE.
About Rigby Private Equity
Rigby Private Equity is the private equity arm of Rigby Group Investments, owned by the Rigby Group plc. Rigby Private Equity was founded in 2015, with significant funding, to build a portfolio of equity investments in leading, high-growth potential companies in the technology sector.
ENDS
For further press information, please contact Annabelle Brown on 01326 318212, email abpublicrelations@btinternet.com. Wick Hill https://www.wickhill.com Zycko http://www.zycko.com
Source: RealWire

Logicalis and HPE Introduce ‘IT Custodian’: Best Practice Service Management to Accelerate Digital IT Operations

Logicalis SMC and HPE combine to accelerate digital transformation via a complete, rapidly deployable big data ITSM solution
London, UK, 03 February 2016 – Logicalis, the international IT solutions and managed services provider, has announced the launch of IT Custodian, a turnkey ITSM solution developed jointly with technology leader Hewlett Packard Enterprise (HPE) and Logicalis’ Service Management Consulting (SMC) business to advance the digital enablement of large organisations. The Logicalis SMC best practice solution utilises core HPE ITSM excellence leveraging HPE Propel technology, and centres on a prebuilt, standard process model that promises fast and successful implementation at a fixed cost. IT Custodian is aligned to the Open Group IT4IT™ framework, and available on-premise or as a cloud service.
“Service Management is more than capable of achieving transformational performance at the speed of digital innovation, but traditional approaches to extending the service desk and embracing ITSM can be difficult to budget and take many months to implement correctly. This is far from ideal at a time when IT departments urgently seek to regain control over IT services and become the ‘internal service provider’ to the business,” explained Martyn Birchall, Director, International Service Management Consulting at Logicalis. “With IT Custodian, instead of losing time adapting ITSM technologies to meet their bespoke needs, organisations can rapidly adopt a best of breed, best practice model relevant to their business challenge, which is based on lessons learned with hundreds of major organisations.” According to recent Logicalis research[1] highlighting the effects of the so-called Shadow IT phenomenon, 31% of CIOs globally are now routinely side-lined when it comes to making IT purchasing decisions. IT Custodian comprehensively addresses these and other governance issues, within a fully-supported framework that leverages ITSM best practice gained from over 17 years of Logicalis Service Management consultancy experience.
“The IT Custodian solution extends the benefits of HPE Service Management technology with a ready to adopt implementation model that includes everything a service-defined enterprise needs for ITSM in a single solution,” said Kevin Leslie, EMEA Director of Service Portfolio Management at HPE. “Enterprise CIOs and line-of-business executives now have a proven, repeatable approach to Service Management that curbs the risks associated with shadow IT and delivers the benefits of a rich, dynamic, multi-source IT environment with full budgetary control and governance.”
For more resources about the Service-Defined Enterprise (SDE), including a forthcoming workshop series for CIOs and IT directors, visit www.uk.logicalis.com/sde.
[1] Logicalis Global CIO Survey 2015 http://www.logicalis.com/knowledge-share/downloads/cioreport-2015-the-shadow-it-phenomenon/logicalis-cio-report-2015/
Ends
About Logicalis
Logicalis is an international IT solutions and managed services provider with a breadth of knowledge and expertise in communications and collaboration; data centre and cloud services; and managed services. Logicalis employs over 4,000 people worldwide, including highly trained service specialists who design, deploy and manage complex IT infrastructures to meet the needs of over 6,500 corporate and public sector customers. To achieve this, Logicalis maintains strong partnerships with technology leaders such as Cisco, HPE, IBM, CA Technologies, NetApp, Microsoft, Oracle, VMware and ServiceNow on an international basis. It has specialised solutions for enterprise and medium-sized companies in vertical markets covering financial services, TMT (telecommunications, media and technology), education, healthcare, retail, government, manufacturing and professional services, helping customers benefit from cutting-edge technologies in a cost-effective way. The Logicalis Group has annualised revenues of over $1.5 billion, from operations in Europe, North America, Latin America and Asia Pacific, and is one of the leading IT and communications solution integrators, specialising in the areas of advanced technologies and services. The Logicalis Group is a division of Datatec Limited, listed on the AIM market of the LSE and the Johannesburg Stock Exchange, with revenues of over $6 billion. For more information, visit www.uk.logicalis.com
Media contact: Jacob Petterson / Greg Halse, Cohesive Communications, +44 (0) 1291 626200, logicalis@wearecohesive.com
Source: RealWire

Google to deep six dodgy download buttons

Google has taken aim at another class of internet scumware: the deceptive download buttons that infest advertising on places like free software directories. “Your computer is out of date!” ads and the like that take the unwary either to adware and/or malware installers - or worse - are in Google's sights. Lucas Ballard, the software engineer who announced the earlier stage of the safe browsing program when the Chocolate Factory started warning users about malware sites last year, says the program aims to eliminate “social engineering ads” in embedded content. He says “embedded content (like ads) on a web page will be considered social engineering when they either:
Pretend to act, or look and feel, like a trusted entity — like your own device or browser, or the website itself.
Try to trick you into doing something you’d only do for a trusted entity — like sharing a password or calling tech support.”
Hence, if you mess with users like this [image], Google's going to flag it like this [image]. Vulture South imagines there will be a lot of free software Website admins scrambling to catch up, once Google starts flagging their sites as dangerous. ®

Microsoft’s malware mitigator refreshed, but even Redmond says it’s no longer needed

Microsoft's enhanced mitigation toolkit (EMET) has been updated with support for Windows 10, but the company says you don't really need to download it any more. The defence tool is Microsoft's way of reinforcing Windows versions from Vista to 8.1. Available since 2009, the tool has introduced the latest mitigation techniques to stymie common attacks including address space layout randomisation and data execution prevention. Version 5.5, released this week, adds official support for Windows 10 (although previous versions did support the operating system). Over time security technologies have been copied from EMET and baked into Windows, alongside many other security improvements, making it a less critical feature than in previous years. "[It] helps enterprises better protect their Windows clients by providing an interface to manage built-in Windows security mitigations while also providing additional features meant to disrupt known attack vectors used by prevalent malware," Microsoft's security wonks say. "Since that time, we have made substantial improvements to the security of the browser and the core OS. "With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10." The latest EMET introduces improved configuration through group policy, the blacklisting of untrusted fonts, better registry writing, and Export Address Table Filtering pseudo-mitigation performance improvements. It also grants Control Flow Guard protection for third party software not yet using once-bypassed exploit protection introduced in Windows 8.1 updates and present in Windows 10. Control Flow Guard is one of the three that Microsoft cites as having made its way from EMET into Windows and injects a check before indirect calls are made in code to ensure that they call known safe locations. If that's not the case, programs are closed.
AppLocker is another Windows security feature from EMET, and helps stop most unauthorised users from executing certain apps within a network. Paired with an enterprise application whitelist like Device Guard, AppLocker can ensure only trusted apps run. EMET may be powerful but, like most other security controls, has previously been bypassed. ®

Go phish your own staff: Dev builds open-source fool-testing tool

Security-oriented programmer Jordan Wright has published a capable and slick open source framework to help businesses defend against phishing attacks. The anti-phishing tool runs on 64- and 32-bit Windows, Mac, and Linux, and allows tech shops to send benign phishing emails to their staff in a bid to track which employees fall for the ruse. Fake phishing is an effective and proven mechanism with companies like PhishMe popping up to help businesses fight the attack vector, which has claimed the likes of Target, Home Depot, RSA, and ICANN. Virtually every attack group in existence relies on tricking staff with the emailed links and attachments. Business email compromise, a subset of phishing that tricks executives into wiring money to attackers, is estimated by the FBI to have cost US$740 million in the US alone since 2013. Go Phish. Twitter is one of the largest companies to go public with its internal phishing campaign, which thanks to company-wide acceptance and mature feedback loops has dramatically reduced its exposure. Good anti-phishing programs should be designed to be seen by staff as fun with rewards for those who evade the traps, and slick and quick educational notes to help those who do. Phishing emails should seem increasingly legitimate as staff become adept at spotting the more obvious mock attacks. “Gophish is a phishing framework that makes the simulation of real-world phishing attacks dead simple,” Wright says, describing the platform as industry-grade phishing training available to all. It allows admins to track campaigns, use templates, and capture credentials inserted into the phishing emails. The platform was written in Go and has been posted to GitHub where it's had more than 300 commits at the time of writing.
It differs from some other anti-phishing platforms in part because it is hosted on premise rather than in the cloud. “There are many commercial offerings that provide phishing simulation/training [but] unfortunately, these are SaaS solutions that require you to hand over your data to someone else,” the Gophish team says. The Simple Phishing Toolkit is another established open source phishing platform along with the more capable and advanced Social-Engineer Toolkit, which includes the ability to send payloads and is well suited for penetration testers. Wright says Gophish is different from those in its ease of use, adding that he hopes to integrate it with the advanced Toolkit in the future. For now his team promises to regularly maintain the software. ®

Winning Underhand C Contest code silently tricks nuke inspectors

The winner of an annual competition to write the best innocent-looking but actually malicious C code has been announced – and it terrifyingly involves hoodwinking nuclear weapons inspectors. On Wednesday, the Underhand C Contest named Linus Åkesson the champion of its 2015 fixture. His prize: $1,000 (£685). Entrants had to write a function that compared two sets of data and returned a 1 if the values matched within a given threshold, or 0 if they are too unlike. The data in question: one set is an array of readings from a device scanning warheads for fissile material, such as plutonium; the other set is an array of readings you'd expect from a real nuclear warhead. Here's the background: Two countries, the Peoples Glorious Democratic Republic of Alice and the Glorious Democratic Peoples Republic of Bob, have agreed to a nuclear disarmament treaty. In practice, this is implemented by nuclear inspectors visiting each country and verifying the presence of fissile material such as Plutonium in a warhead, at which point the warhead can be destroyed. Ideally, the inspectors would subject a warhead to a scan and observe a graph such as a radiogram or a gamma ray spectrum of the object under test, so that they can confirm the warhead contains what it is supposed to contain. But both the PGDRA and the GDPRB are dissatisfied with this approach because the results of these scans contain sensitive information about their nuclear programs and the design of their nuclear weapons. However, each country wants to ensure that the other country is dismantling real nuclear warheads, and not fakes. To this end, the two countries agree to build a fissile material detector with an “information barrier” – essentially a computer program that will take the result of a scan, determine if it matches some reference pattern, and output only a “yes” or “no.” So far, so good. 
You've got to write an algorithm that can turn an external scan of a warhead into a yes (1) or no (0) output: yes, this is a real nuke because it matches the signature of a nuclear warhead; or no, this is a normal warhead because it doesn't match the signature. The underhand part: rig the algorithm so that it fires off false positives in certain circumstances, thus earmarking warheads for destruction even if they are not nukes. The code should return 1 when it should really return 0. It can't be an obviously bad detector, though; throwing lots of non-matching data at the function should return 0 as expected. The reference signature also cannot be changed. What's the point? Well, imagine you're a country with 1,000 nuclear bombs and 100,000 normal warheads, and you've agreed to dismantle 950 of your nukes. You don't really want to do that, so you present, say, 50 nukes and 900 normal warheads for inspection. Thanks to the nobbled match algorithm, all are flagged up as containing sufficient fissile material and are destroyed. Everyone thinks you've disarmed 950 nuclear warheads, when really you've only rid yourself of 50. Some entrants to the 2015 competition relied on the environment of the program: for example, if the computer's clock can be secretly wound back during the test of a weapon, it will trigger a false positive. This requires a little too much tampering for the judges' liking. Åkesson's winning code works by exploiting the fact that on 64-bit x86 and 32-bit ARM systems, a float variable is four bytes in size and a double is eight bytes. In one source file, a header is included that overrides float_t as an eight-byte double, and in another source file, float_t is left as a four-byte float defined by the standard math.h header file. 
This means the match function defined in one source file takes data as an array of eight-byte double-precision floating-point numbers, and passes them to a function defined in the other source file that expects an array of four-byte single-precision floating-point numbers because of the mischievous redefinition of float_t. The result is that the data is interpreted all wrong. Really, only the first half of the input data is scanned, and each eight-byte floating-point number is read as two four-byte numbers. Ultimately, it means a country can present a warhead with a very, very small amount of fissile material inside it along with another harmless compound that triggers the required false positive for a given reference signature. The competition this time round had more than 40 entrants, and was sponsored by the Nuclear Threat Initiative. The contest was supposed to be "a real-world problem in nuclear verification," according to the organizers. "We hope that [this year's challenge] emphasizes the need for care and rigor, not to mention new research, in secure software development for such applications," the judges added. No kidding. ®
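The size mismatch described above, reproduced in one file as an added example for code reviewers (it is not the contest entry and not code from the article). The names caller_float_t, callee_float_t, callee_view, callee_observes and checked_view are hypothetical, the sample readings are constructed, and the element-size check is one possible guard rather than anything the contest or the article prescribes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the two conflicting meanings of float_t. */
typedef double caller_float_t;  /* file A: a header overrides float_t as double */
typedef float  callee_float_t;  /* file B: float_t from math.h stays a float    */

_Static_assert(sizeof(caller_float_t) == 2 * sizeof(callee_float_t),
               "example assumes 8-byte double and 4-byte float");

/* What file B reads when handed file A's array and the element count n.
 * memcpy keeps the reinterpretation well-defined in this one-file demo;
 * across two real source files the same effect comes from the mismatch. */
void callee_view(const caller_float_t *data, size_t n, callee_float_t *out)
{
    memcpy(out, data, n * sizeof *out);
}

/* How many of the caller's n elements the callee's read actually covers. */
size_t caller_elements_covered(size_t n)
{
    return (n * sizeof(callee_float_t)) / sizeof(caller_float_t);
}

/* Returns 1 if changing data[idx] changes anything the callee reads,
 * 0 if the callee never sees that element, -1 on bad arguments. */
int callee_observes(const caller_float_t *data, size_t n, size_t idx)
{
    caller_float_t copy[64];
    callee_float_t before[64], after[64];

    if (n > 64 || idx >= n)
        return -1;
    memcpy(copy, data, n * sizeof *data);
    callee_view(copy, n, before);
    copy[idx] += 1000.0;              /* perturb one reading */
    callee_view(copy, n, after);
    return memcmp(before, after, n * sizeof *before) != 0;
}

/* One possible guard (an assumption of this example): the caller states
 * its element size and the callee refuses to proceed if it differs. */
int checked_view(const void *data, size_t n, size_t elem_size,
                 callee_float_t *out)
{
    if (elem_size != sizeof(callee_float_t))
        return -1;                    /* layouts disagree: do not compare */
    memcpy(out, data, n * sizeof *out);
    return 0;
}
#define CHECKED_VIEW(arr, n, out) \
    checked_view((arr), (n), sizeof((arr)[0]), (out))

int main(void)
{
    /* Constructed sample readings, not real detector data. */
    caller_float_t scan[4] = {1.0, 2.0, 3.0, 4.0};
    callee_float_t seen[4];
    size_t i;

    callee_view(scan, 4, seen);
    for (i = 0; i < 4; i++)
        printf("callee element %zu = %g\n", i, seen[i]);
    printf("caller elements covered: %zu of 4\n", caller_elements_covered(4));
    for (i = 0; i < 4; i++)
        printf("change to scan[%zu] visible to callee: %d\n",
               i, callee_observes(scan, 4, i));
    printf("guarded call with double data: %d\n", CHECKED_VIEW(scan, 4, seen));
    return 0;
}
```
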

Row over GCHQ-built voice algo MIKEY SAKKE rumbles on

GCHQ has defended its controversial MIKEY-SAKKE phone encryption protocol against criticism that it leaves a backdoor into systems that support the technology. The CESG assurance arm of the UK government’s signal intelligence agency has taken the unusual step of publishing a background document and FAQ in defence of the technology, summarised in a statement by a government spokesman. The MIKEY-SAKKE protocol is designed to enable organisations to provide secure communications with end-to-end encryption. Each organisation that uses a MIKEY-SAKKE based product has its own Key Management Server, which allows users to access the system. As our specification makes clear, the Key Management Server does not need to be online for the system to be secure, which makes it much less vulnerable to attack. All the products approved by HMG operate in this way. Organisations using MIKEY-SAKKE do not share a common Key Management Server, so it is totally wrong to suggest there is a secret master key or 'backdoor' that would allow GCHQ or any other third party to access real time or historic conversations. Only the owners of individual systems can access and decrypt conversations, if they want to. At least some independent security experts are sympathetic to the argument that the design of the technology fulfils an explicit requirement for a built-in interception capability. However Dr. Steven Murdoch, research fellow at University College London, whose detailed examination of MIKEY-SAKKE sparked the original controversy remains critical. Dr Arnold Yau, a self-described privacy advocate, who studied for a doctorate in information security at Royal Holloway before becoming a mobile security and cryptography specialist, argues that early reports that MIKEY-SAKKE was back-doored were unfair. “The protocols are meant for government and enterprise deployment, with an explicitly stated requirement for lawful interception,” Yau told El Reg. 
“It's much like companies' ability to read their employee's emails sent through their system, with the difference that emails aren't routinely encrypted.” El Reg understands that MIKEY-SAKKE was primarily designed to support a government requirement for secure communications. Initially designed to fulfil the requirements of the UK emergency services, the technology is positioned as also suitable for businesses who need to meet legal, regulatory and other governance requirements. We put it to Murdoch that if MIKEY-SAKKE is indeed designed for government and enterprise deployments with an explicit requirement for interception then perhaps different standards ought to be applied. Murdoch responded that, even on its own terms, MIKEY-SAKKE has practical shortcomings, particularly against potentially skilled nation state adversaries. Murdoch confessed he was “not expecting such a detailed response” from GCHQ to his research. “The GCHQ response only discusses the security of MIKEY-SAKKE when the system is well designed, properly operated and functioning correctly,” Murdoch explained. “My article instead also dealt with the (likely) scenario that things can go wrong due to accident or malicious behaviour. In these cases an unauthorised third party could gain access to communications and bypass the safety measures GCHQ assured would be present (only to provide time-bounded, single-user keys subject to legal authorisation).”
Scorecard
Backers of MIKEY-SAKKE argue that comparison using the EFF scorecard is “misleading” since the marker is designed when running a rule over consumer services such as Skype, whereas MIKEY-SAKKE is for businesses, where different criteria apply. Murdoch applied EFF developed criteria for assessing the security of encryption protocols, an approach he argues is valid even for systems designed for enterprises and governments rather than the general population.
“I still think the EFF criteria, which require that security be preserved even if the network provider is compromised, are appropriate. Even if the network provider has a legitimate reason to eavesdrop on communications, someone who has compromised the network provider does not.” “The GCHQ response correctly states that other protocols have centralised aspects, but MIKEY-SAKKE is notable for making the centralised aspects difficult to protect and there being severe consequences from any compromise,” he added. Lawful interception (eavesdropping) could have been applied in a more robust manner than that offered by MIKEY-SAKKE, he further argues. Damningly, he describes the robustness of MIKEY-SAKKE as worse than that offered by the infamous Clipper Chip, an abortive US-government backed (and backdoored) crypto scheme of the 1990s. “MIKEY-SAKKE design is a fragile way to achieve the goal of permitting the eavesdropping of communications. The same master key is used for both communication security and for key-escrow purposes. This makes the master key more vulnerable because it must be used for many purposes, including adding of new users and the monthly update of user-keys. “There are circumstances where eavesdropping on calls is appropriate (e.g. some enterprise and government communications) but there are other options available which separate the escrowing from normal encryption. Examples include the current financial industry approach of just recording calls before encryption or after decryption, and the Clipper chip which has a separate escrow key which can be more carefully protected and be subject to legal restrictions,” he added. Murdoch concludes that the “need for permitting eavesdropping on calls in certain circumstances is sufficient justification for the design” of MIKEY-SAKKE, which he maintains is essentially not fit for purpose whether or not it’s eventually used by consumers, something Murdoch reckons remains an open question.
Half-IBAKEd
Murdoch further argues that GCHQ is pushing MIKEY-SAKKE over a rival approach, called MIKEY-IBAKE, on the grounds that the latter was less “snoop friendly”. "There are some hints in the GCHQ submission to the 3GPP committee discussing MIKEY-IBAKE, where they were focussing on MIKEY-SAKKE allowing law enforcement access rather than an enterprise or government getting access to their own staff’s communications," Murdoch explained. "Also of note is the GCHQ were asking the committee to prevent the use of MIKEY-IBAKE, not to permit the use of MIKEY-SAKKE. If GCHQ were content to let companies have free choice over which security protocol they use, why prevent them from using MIKEY-IBAKE if they want?” Yau conceded Murdoch had made some fair and reasonable points. He said the discussion about the protocol would be better focused on the possibility it creates “unsafe deployment”, rather than existence of hidden "backdoors”. “With 3GPP, I wonder why GCHQ how much it would actually help them have MIKEY-SAKKE adopted,” Yau concluded. “My (academic) understanding is that mobile communications (GSM/3G/LTE) are never secured end-to-end to start with, with encryption only applied to the air interface (between cell towers and device). This means they can (and probably are) already eavesdrop on conversations (or data traffic) at the mobile network operator whether legally or illegally.” “If law enforcement agencies wish to decrypt over-the-air traffic, there are already equipment such as Stingray, IMSI (International Mobile Subscriber Identity) catcher, femtocells that are available for that purpose,” he added. If MIKEY-SAKKE was intended as a backdoor then it was a hopelessly cack-handed one, according to Yau. “More generally if they want to insert backdoors into public communication protocol/equipment, they'd probably do it with far more subtlety as demonstrated by the Dual-EC DRBG and the Juniper backdoor,” Yau added in what’s best described as a backhanded compliment. ®

ISPCC Childline and Vodafone Ireland Foundation Announce Major New Partnership

Working to Keep Children Safe by Keeping Them Connected
4th February 2016
ISPCC Childline and the Vodafone Ireland Foundation are delighted to announce a major five year partnership that aims to keep children safe by keeping them connected. The Partnership will:
provide the charity with €2 million in direct funding from the Vodafone Foundation over five years
provide a commitment to covering the call costs for the Childline service for ten years until 2026
update Childline’s technologies and service infrastructure to modernise and broaden out access to the service in line with the changing needs of children
offer additional resources including Vodafone’s Be Strong Online Programme, to support children and parents through some of the issues they face in today’s digital society
leverage and engage Vodafone’s 2000 employees to raise further funds for Childline
In 2014 ISPCC’s unique support service for children and young people responded to almost 500,000 calls and online contacts. Over the last 10 years, Childline has experienced a 75% increase in children seeking support online. Through this new partnership, with Vodafone’s support, the charity will now be in a position to develop a new total communications infrastructure which will improve children’s access to Childline and provide a 24 online digital platform. Vodafone’s Be Strong Online Programme will offer support on issues ranging from bullying to online privacy and can be accessed online and in all retail stores nationwide from Tuesday, February 9th, Safer Internet Day 2016. One in five children in Ireland say that they have been bothered by something online in the last year. The Be Strong online programme will mean that children will now have a range of resources offering support and advice on cyber safety at their fingertips whenever they need it.
Announcing the partnership, Grainia Long, Chief Executive, ISPCC Childline said ‘I’m thrilled that ISPCC Childline will be working with Vodafone to help keep children safe. For every child who reaches us, there are many more who cannot. From today, this partnership will enable us to give every child the connection they need, when and where they need it most.’ Ray Collins, Vodafone Ireland Director of Strategy and Chairman of the Vodafone Ireland Foundation said: “We are delighted to be partnering with Childline and are looking forward to working with them to transform their unique and invaluable service. Life is challenging for young people and children today. Together we want to ensure that when children reach out for help, they can connect with Childline in whatever way they choose, via a call or a text or an instant message. Through the partnership we also plan to work together to build young people’s resilience and awareness online, to help them navigate their world better and cope with issues that confront them with a new confidence.”
The partnership comes with the support of Vodafone’s 2,000 employees, who have pledged to raise additional much needed funds for Childline through a range of fundraising activities over the course of the partnership. See www.vodafone.ie/foundation.
Ends
About Vodafone
Vodafone is one of the world’s largest telecommunications companies and provides a range of services including voice, messaging, data and fixed communications. Vodafone has mobile operations in 26 countries, partners with mobile networks in 57 more, and fixed broadband operations in 17 markets. As of 30 September 2015, Vodafone had 454 million mobile customers and 12.5 million fixed broadband customers. For more information, please visit: www.vodafone.com
Source: RealWire