STE WILLIAMS

Google makes encryption mandatory for sites on 45 Top-Level Domains

Google’s campaign to make HTTPS security ubiquitous has been underscored once again by the news that it is to implement HSTS preload on 45 Top-Level Domains (TLDs) it controls as part of its domain registrar business.

There are several strands to this story, beginning with the little-known fact that Google has since 2015 been a registrar for generic Top-Level Domains such as .ads, .here, .meme, .ing, .rsvp, .fly and .app, to name only a few.

The next is HSTS (HTTP Strict Transport Security), first adopted by Chrome 4 in 2009, which is incorporated into all major browsers.

HSTS is a way for a website to insist that browsers connect to it using the encrypted HTTPS protocol, instead of insecure HTTP. A browser attempting to visit http://nakedsecurity.sophos.com, for example, is forwarded to a URL that uses HTTPS and told to add the site to its list of sites that should always be accessed using HTTPS. From then on the browser will always use HTTPS for that site, no matter what.

The user doesn’t have to do anything, regardless of whether they reached the site through a bookmark, a link, or simply by typing HTTP in the address bar.

The only flaw in this scheme is that browsers can still reach an insecure HTTP URL the first time they connect to a site, opening a small window for attackers to carry out man-in-the-middle, cookie hijacking and encryption downgrade attacks such as the well-publicised POODLE SSLv3 attack discovered by Google researchers in 2014.

HSTS preload solves this by pre-loading a list of HSTS domains into the browser itself, closing that window entirely.

Best of all, this preloading can be applied to entire TLDs, not just domains and sub-domains, which means it becomes automatic for everyone registering any domain name ending in that TLD.

As Google states:

Adding an entire TLD to the HSTS preload list is also more efficient, as it secures all domains under that TLD without the overhead of having to include all those domains individually.

Because HSTS preload lists can take months to update in browsers, setting it by TLD has the added advantage of making HSTS instantaneous for new websites registered under those TLDs.
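To make concrete how a browser combines a preloaded list (which, as described above, can hold bare TLDs such as .app) with policies learned from Strict-Transport-Security response headers, here is an added Python example; it is not code from the original article or from Google or Chromium, and the preload entries and header values are constructed for illustration.

```python
"""Browser-side HSTS decision logic: a static preload list that may contain
bare TLDs plus dynamic entries learned from Strict-Transport-Security headers.
All preload entries and header values here are constructed for illustration."""
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed preload list. Value True = includeSubDomains. A bare TLD entry
# such as "app" only makes sense with includeSubDomains, because no page is
# served from the TLD itself; every name registered under it is covered.
PRELOAD: Dict[str, bool] = {
    "app": True,
    "nakedsecurity.sophos.com": True,
}


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the policy lapses
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[HstsEntry]:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
    Returns None when max-age is missing or malformed; a browser ignores
    such a header rather than guessing."""
    max_age: Optional[int] = None
    include_sub = False
    for directive in value.split(";"):
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        # "preload" and unknown directives are ignored by the browser
    if max_age is None:
        return None
    return HstsEntry(expires=time.time() + max_age, include_subdomains=include_sub)


class HstsPolicy:
    def __init__(self, preload: Dict[str, bool]):
        self.preload = {k.lower(): v for k, v in preload.items()}
        self.dynamic: Dict[str, HstsEntry] = {}

    def observe_response(self, host: str, headers: Dict[str, str], over_https: bool) -> None:
        """Learn a policy from a response. RFC 6797 section 8.1: an STS header
        received over plain HTTP must be ignored, otherwise an on-path attacker
        could plant or clear policies."""
        if not over_https:
            return
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        if value is None:
            return
        entry = parse_sts_header(value)
        if entry is None:
            return
        host = host.lower()
        if entry.expires <= time.time():   # max-age=0 tells the browser to forget the host
            self.dynamic.pop(host, None)
        else:
            self.dynamic[host] = entry

    def must_use_https(self, host: str, now: Optional[float] = None) -> bool:
        """Check the host itself, then each parent domain up to the bare TLD.
        Parent matches count only when that entry has includeSubDomains."""
        now = time.time() if now is None else now
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry and entry.expires > now and (exact or entry.include_subdomains):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL before any network traffic is sent.
        RFC 6797 section 8.3: an explicit port 80 becomes 443; any other
        explicit port is kept. (Userinfo in the URL is dropped here.)"""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.must_use_https(parts.hostname):
            return url
        port = parts.port
        netloc = parts.hostname if port is None else f"{parts.hostname}:{443 if port == 80 else port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

With the constructed list, `HstsPolicy(PRELOAD).rewrite("http://anything.app/")` is upgraded immediately, while `example.com` is only upgraded after a valid header has been seen over HTTPS.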

Google extending HSTS preload to 45 TLDs in the coming months is therefore bigger news than it might sound: millions of new sites registered under each TLD will now have HTTPS enforced (and domain owners will have to configure their websites to work over HTTPS, or they won’t work).

Uptake remains a hurdle: too many sites still don’t bother with HTTPS, something Google has tried to counter with recent initiatives such as Chrome marking non-HTTPS sites as “insecure”, a sort of large-scale shaming campaign.

Another barrier is cost, which explains why Google has backed the Let’s Encrypt certificate authority which offers free certificates (even if it turned out that phishing sites were also availing themselves of this).

In the end, the biggest ally in making HTTPS universal could simply be the changing expectations of web users who have started to grasp the importance of web security for their own well-being.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fVhbEGVApJg/

70% of US Employees Lack Security and Privacy Awareness

Acceptable use of social media and adherence to workplace physical security drops, new survey shows.

The majority of US workers fall short when it comes to strong knowledge of security and privacy best practices, potentially putting their companies at risk of a breach, according to a new report.

The 2017 State of Privacy and Security Awareness Report, which surveyed 1,012 US workers, found that 70% of employees lack a firm grasp of security and privacy. Overall, that’s an improvement from last year, when the number was at 88%.

“I think things, in general, are getting better,” says Tom Pendergast, chief strategist for security, privacy, and compliance for MediaPro, which conducted the study.

The survey results were drawn from 31 questions asked across eight categories of threat vectors. Survey participants were ranked as “risk,” “novice,” or “hero,” depending on the number of incorrect answers they provided.

According to the survey, the percentage of “risk” employees grew to 19% this year from 16% last year, while the ranks of “novice” workers shrank to 51% this year from 72% last year. Employees in the “hero” category reached 30% this year, up from 12% last year.

[Chart: Threat Vectors. Source: MediaPro]

“Both years, ‘risky’ individuals got caught up in two key areas: physical security, and safe remote and mobile computing,” Pendergast says.  

In physical security, over half of the “risky” respondents chose to hold the door open for a stranger, without first checking to see if the individual had the proper identification or access to a secured area, he explained. Additionally, 62.3% of “risky” respondents this year thought it was okay to use a public Wi-Fi network to access company information, which was up from 45% last year.

Acceptable social media use and physical security suffered in this latest MediaPro survey.

The share of respondents willing to take actions on their social media accounts that posed a risk to their companies reached 20% this year, compared to 14% last year. When asked whether they would be willing to post information about their company’s upcoming, as yet undisclosed product release on their social media account, more than 20% of the survey respondents answered affirmatively this year, compared to 7.5% last year.

Pendergast says he wished he knew why security awareness around social media accounts declined this year.

In addition to social media, physical security also took a hit this year. The survey found that nearly a quarter of employees surveyed were willing to take potentially risky actions rather than control access to their company’s facility. For example, 20% of survey respondents indicated they would be willing to hold an office door open if someone asked to enter, even if they lacked proper identification.

The percentage of survey respondents who lacked a firm grasp on physical security grew to 24% this year, compared to 19% last year.

“This is one where everyone knows they need to lock the door to their home at the end of the day, but why not carry this attitude to work?” Pendergast says. “They’re not protecting their company’s front door and that is a little surprising.”

Companies like Microsoft and Boeing, he says, have a corporate culture where employees feel comfortable asking strangers whether they work at the organization if their company badge is not visible.  

The Most Improved

During the year, security and privacy awareness improved for six of the eight threat vectors, according to the report: incident reporting, identifying malware warning signs, preventing phishing, cloud computing, working remotely, and identifying personal information.

“Phishing is always identified as the number one reason for data breaches and malware, but I think we can drive the 8% number lower with education,” Pendergast says. “If there is one thing that is talked about again and again and year after year, [it] is phishing.”

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/vulnerabilities---threats/70--of-us-employees-lack-security-and-privacy-awareness/d/d-id/1330031?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DevOpsSec: A Big Step in Cloud Application Security

Why it’s time for DevOps and security teams to bury the hatchet — and not in each other’s back.

In 2010, when I said, “I think the cloud is our opportunity to get ahead of cyberthreats” at a Washington, DC, speaking event, I literally heard a gasp in the audience. And for the next five years, I was “that guy” on security panel discussions who defended the position — and one of the lone people in the industry who held this view.

In subsequent years, an increasing number of security professionals began joining the ranks of cloud security “believers,” and today I no longer feel isolated at security conferences. My belief that the cloud is a better security option for applications is based on two factors: software orchestration of segmentation, and building a true, verifiable defense-in-depth architecture.

Today, I see a third opportunity that will make the cloud even more secure. It goes by an emerging term that is currently gaining momentum: Dev-Ops-Sec, aka DevOpsSec.

A New Approach
The root of the word, DevOps, refers to the process used by many cloud application developers to automate their workload deployments. As part of the “agile development process,” cloud developers constantly make incremental changes to applications in the cloud, normally in two-week sprints. Merely talking about this process makes security professionals cringe at the thought that every new sprint will inevitably create another application vulnerability that they must identify and protect against.

Quite simply, this is “old think.” According to Gartner, 75% of data center security incidents are caused by lagging application patching, and current dwell time averages for most companies exceed 120 days. Improved collaboration between DevOps and security teams can remedy these two major security challenges.

Software developers have been at odds with security professionals for years. Security teams place stringent compliance and security standards on them, and software developers leverage software libraries to write applications that for the most part have security vulnerabilities already baked into the code. Typically, if you ask developers who the enemy of productivity is, they will say the security team. If you ask members of the security team who the biggest threat is, they will say software developers.

Meeting of the Minds
With the concept of DevOpsSec, a good security and development team can now join hands and sing “Kumbaya” while addressing mutual challenges. In the cloud, cutting-edge DevOps teams no longer update software in production environments. Using continuous delivery and DevOps automation tools, they can build a whole new “production prototype” in their test environment, normally leveraging containerization. 

They are able to apply their updated application code to these servers, conduct load testing, and make sure none of the application functionality is broken. Application patches can be inserted to ensure they’re added to the test environment simultaneously. After all, an Apache, WordPress, or other patch is just another application software change. 

If the test environment checks out, the next step of the DevOps process enables the software development team to change scripts in the automation framework used to replicate new production environments in the virtual data center where the current production environment resides. When ready for “go-live,” the DevOps team takes a 15-minute outage for production and deletes or tears down the current production environment, in literally seconds. 

The automation framework then deploys the new production environment, with application code changes and patches applied in 5 to 10 minutes, depending on the complexity of the application and scaling. The result: a threat actor who compromised the environment just lost her access, and gone is the era of 100-plus days of dwell time! In this paradigm, threat actors have to start the kill-chain process all over. And, if you’re successful (and lucky!), the changes you made with patching or application updates may send attackers back to the drawing board to start all over — forcing them, in some cases, to move on to easier targets.

Bottom line: Security teams need to stop looking at their shoes and join in the agile development process to ensure they apply application patches during the software development process. Software developers need to drink a few more Red Bulls and do their part by conducting static and dynamic application code update tests that ensure changes won’t open up the environment to SQL injections or other OWASP top 10 vulnerabilities.

If we accomplish this, then world hunger and peace are next on the checklist.


Jeff Schilling, a retired U.S. Army colonel, is Armor’s chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibilities include security operation, governance …

Article source: https://www.darkreading.com/cloud/devopssec-a-big-step-in-cloud-application-security/a/d-id/1330019?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Less Than Half of Consumers Take Protective Steps Post-Breach

New data on consumer behavior and identity theft shows most don’t protect themselves after their personal data is compromised.

Fewer than 50% of consumers take basic protective steps after their personal information is stolen, according to a report from CyberScout and the Identity Resource Center (ITRC). Most people don’t know how to resolve the problem of identity theft and are left vulnerable, the report found.

The study polled consumers who had experienced a data breach that exposed their personal data, and explored the different ways consumers reacted to the incident. Eighty percent of the 317 respondents understood a data breach heightened their risk for identity theft and financial harm, but 49.3% were confused about the right steps to take following a breach notification.

More than one-third (38%) say they would contact their bank for support. However, experts note, banks are only obligated to help with bank account or credit card fraud, and not fraud related to Social Security Numbers or other sensitive data. Only 3.8% would turn to their insurance company for help, despite policies covering identity theft and monitoring, and 31.5% would not know where to turn.

The lack of direction is primarily driving feelings of frustration, anger, and anxiety, report 77% of consumers.

Forty-one percent say they would never again do business with a breached company – a problem for organizations with a history of breaches. If customers exposed by the Equifax breach share the same feelings of anxiety and frustration as those in the survey, researchers explain, millions will be vulnerable to identity theft and financial damage.

Read details about the findings here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/less-than-half-of-consumers-take-protective-steps-post-breach/d/d-id/1330032?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How forgetting to renew a domain name cost $3m

GoDaddy does it. Name.com does it. Namecheap does it. Amazon Web Services does it. HostGator does it. The whackily named CrazyDomains.com.au isn’t all that crazy: it does it, too.

They all offer auto-renewal of domain names. In fact, it’s hard to find any registrar that doesn’t.

But perhaps Sorenson Communications found one. Or then again, perhaps employees’ calendars all broke down simultaneously and failed to send reminders that the domain renewal was coming due. However it happened, the Utah-based telco neglected to renew its domain in 2016. So, as these things go, it slipped silently off the internet.

That’s not good for anybody. But it’s particularly not good when you’re the company that brings video relay service (VRS) to deaf, hard of hearing and speech-disabled people. For 3 days, 6 – 8 June 2016, all the users who rely on the telco to place calls—including emergency calls—were out of luck as the company was pushed into a service outage.

How much does the Federal Communications Commission (FCC) dislike Sorenson having inflicted this oh-so-preventable service outage on customers? … an outage that meant the VRS provider was noncompliant with the Communications Act and FCC rules, which require that services be able at all times to handle any type of call normally provided by carriers, including emergency calls on the US 911 line?

The FCC dislikes it $3 million worth. That’s the fine the regulatory agency imposed on Sorenson on Friday.

That $3m breaks down to $2.7 million to reimburse the Telecommunications Relay Services Fund and a $252,000 penalty. Under the terms of the settlement, Sorenson has also agreed to provide enhanced notices to consumers during outages.

It didn’t have to be this way, the FCC said in its announcement of the settlement:

The Commission’s investigation found the outage was preventable.

The FCC has established specific quality requirements for TRS Fund-supported services. These requirements ensure that persons with hearing or speech disabilities are able to stay connected with friends and family, and access critical services such as 911, in a manner similar to persons without hearing or speech disabilities.

Sorenson, if it’s any consolation, you’re not the first. The Dallas Cowboys did it. Microsoft did it. Twice (buh-bye, Hotmail!). Foursquare did it. Ketchup king Heinz did it with a label-design contest, Fundorado.com, that wound up as a porn site.

Hell, even Google did it: some guy bought Google.com for $12 in 2015 and held the keys to the Googleopolis for one glorious minute.

As Naked Security’s Mark Stockley points out, this is a cautionary tale for all of us. The lesson to be learned: don’t lose control of your domain.

But even if you don’t face regulatory pain, if your domain is worth owning, there are other people who’d like to own it too. Even if they don’t want to turn your Glory-Widgets-R-Us dot com into a porn site, there’s money to be made by trying to sell it back to you at a massively inflated price or by setting it up as a phishing site.

Failing to renew is hard.

Almost everyone wants you to renew, not least your registrar. It knows what’s in its best interest and a good registrar will make auto-renewal easy, even default to it, and start to nag you long before your domain is up for grabs; after all, you’re its bread and butter.

If you forget to renew a domain all is not lost. On expiry it will enter a grace period where you can still renew it at no extra cost, and even after that’s over there’s a further redemption period where you can still get it back, if you pay a little bit extra. The periods vary depending on the registrar and the top-level domain (the top-level domain is the last part of the name such as .com or .org) but they typically add up to months of time in which you, and only you, can reanimate your undead domain.

So, register your domain for the longest possible period, make sure auto-renew is switched on and check that your credit card isn’t going to expire. And for pity’s sake, use your calendar. It has all sorts of sophisticated features.

Like, say, reminders.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VTAW1pImz48/

How a Twitter troll was slain

You can see how Xyla Foxlin exudes troll-attracting pheromones.

She’s young, she’s an entrepreneur in the field of robotics, she’s founded a startup (one that enables you to virtually hug a child anywhere in the world via a stuffed animal; imagine how good that will feel to military kids), she’s scored an increasing number of speaking gigs, she’s won awards in robotics, she’s featured in a Microsoft ad

…and, of course, she’s a she. Plus, she’s a she who doesn’t shun feminine dress and who has no problem with the Disney princess aesthetic and dramatic makeup.

As she tells it in a Medium article, Foxlin grew up with sexual harassment. It came from members of the almost all-boy high school robotics team (of which she was the captain) who broke into her bedroom, stripped, dressed up in her bras and underwear, photographed themselves in sexual positions, set up her stuffed animals to hump each other, and paid a freshman to videotape her reaction when they sent her the images.

It came when she worked at a local airport, washing, waxing, fueling and maintaining airplanes in exchange for the flight time she couldn’t afford. What she was told by one pilot when she drove up with the fuel truck: “No f*cking way is some chick fueling my plane.”

And then, of course, there’s the river of bile and spiteful froth known as Twitter – or at least some of the darker corners of it. It’s there, explains Foxlin, that, shortly after starting her Kickstarter campaign this summer, she began to receive typical sexist troll spewings. But there was one account – @anhdochan – that was particularly violent and hateful.

You can see the screen captures that Foxlin saved on her Medium post. They included:

  • The hope that she gets punched in the face one day so she’ll know what it’s like to not be able to rely on her pretty face.
  • Calling Foxlin a “photoshopped self u bimbo”.
  • An accusation that Foxlin is “promoting beauty and brains while girls who don’t have urur plastic, anorexic look are left behind”.
  • A suggestion that Foxlin “do all of us a favor and choke on the next expensive meal you eat, or get raped which ever exec you need to sleep with for $$$”.

Then too, because, as Foxlin says, “a picture’s worth a thousand words,” there was the photo of Foxlin with drawn-in devil’s horns, nipples, and arrows pointing at her breasts, captioned “SUPERCILLUOUS SLUT.”

But it was the threats of violence that forced Foxlin to try to put a stop to the hateful campaign.

Foxlin told Business Insider that at first, she did what Twitter suggests with regards to online abuse: she reported the tweets to Twitter via the company’s automated harassment reporting tool.

Nothing happened.

That, unfortunately, is a story told by far too many people who’ve been abused on Twitter.

You might recall that in February, Twitter had announced that it was giving people more ways to report targeted harassment, including taking steps to identify the whack-a-moles who get suspended only to go off and open new accounts.

In July, Ed Ho, general manager of Twitter’s consumer product and engineering department, said that thanks to these changes, Twitter’s new systems had removed twice the number of repeat offender accounts – the whack-a-moles – over the preceding four months.

And yet. So many “and yet’s.”

Last month, it emerged that a bug in Twitter meant that all a blocked account had to do to keep abusing somebody was to create an additional, dummy account, toggle over to it to view the messages of whoever blocked them, compose a reply, toggle back to their main account, and then hit reply to engage with that person’s tweets anew.

Of course, besides that bug, simply blocking somebody doesn’t stop them from making violent threats. It doesn’t keep a victim safe if they’re oblivious to those threats. Foxlin is a case in point: she said she needed to know what the abusive account was saying, for her own safety. The troll had moved from insults to rape threats, then to eventually doxing her. The troll tweeted out her address in response to Twitter users looking for sex, telling them Foxlin was in the sex industry.

The harassing account appears to have been set up expressly to torment Foxlin, given that it was devoid of any other content. Her friends also reported the account, after which the account became private: in other words, you’d have to follow the account to see its posts.

Twitter cleared it as OK, after which the @anhdochan account went right back to being public.

As far as Twitter blocking repeat offender accounts goes, one commenter on our coverage of that announcement said they couldn’t see any improvement:

They recently suspended my account 2 days after I reported another user who was breaking their TOS by using 2 accounts to gang up and harass people (and used both accounts to mass DM me 70+ times in an hour).

Twitter’s internal numbers painted a far rosier picture than many of its users reported. That point was strongly underscored by a report from BuzzFeed, also posted in July, about how Twitter is still slow to respond to incidents of abuse unless they go viral or involve reporters or celebrities.

Basically, when it comes to getting Twitter to pay attention to its own rules against abuse, it pays to know somebody. Otherwise, far too often, troll targets are left staring at streams of sewage in their Twitter feeds.

No surprise here: Foxlin says she got rid of her troll by contacting a friend who’s an engineer at Twitter. Yup: she knew somebody. That, plus a subpoena, helped to identify the abuser, who turned out to be a fellow robotics student that Foxlin had helped to mentor. Her abuser was a woman.

When confronted with evidence, the woman confessed and wrote a lengthy apology to Foxlin, who hasn’t yet decided if she’s going to press charges.

Thankfully, many more women in tech believe in sticking together. Foxlin was aided by one such: a contact at Twitter whom she met through a supportive network for women in technology, the National Center for Women in Information Technology (NCWIT) – a group she urged others to support.

It’s wonderful that Foxlin had help at Twitter. But that’s no help at all for those of us who don’t personally know somebody who works at the historically troll-saturated platform.

It took Foxlin two months, she says, to track down the troll and get her account suspended. What she thinks of Twitter support:

Twitter support was a bot.

In other words, it was a grueling process of getting a real, live person to actually review the harassment and to take action.

Twitter, we know you’re trying. You tell us that all the time. You’re always coming out with new ways to deal with trolls, and you’re proud to show off numbers that show it’s working.

But what happened to Xyla Foxlin shouldn’t happen to anyone.

Do more. Do better. Drop the bot response. Do human. Whatever it takes, do human.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yPSpwS-uRjc/

MH370 final report: Aussies still don’t know where it crashed or why

Australian air authorities have published their final report into the MH370 mystery, concluding that they’re no wiser about what happened or why than when the Malaysian Airlines flight vanished three years ago.

Australia’s Transportation Safety Board (ATSB) took a leading role in the investigation at the invitation of Malaysian authorities after the airliner disappeared. It is thought to have crashed into the sea a few thousand miles off Australia’s north-west coast.

The ATSB published its 440-page final report into the MH370 disappearance today.

In spite of more than a dozen nations sending ships, aircraft and submarines to scour the Indian Ocean, the Boeing 777 has never been found. Analysis of some debris that was located and identified as being from MH370 narrowed the search zone considerably, in relative terms.

“This analysis complements the findings of the First Principles Review and identifies an area of less than 25,000km2 which has the highest likelihood of containing MH370,” said the ATSB report. Australia suspended its search in January 2017.

While the captain of MH370, 53-year-old Zaharie Ahmad Shah, did some odd things on his home flight simulator in the month before MH370 vanished – including flying a simulated Boeing 777 from Kuala Lumpur on a southerly course into the empty skies over the southern Indian Ocean – the ATSB said “the simulated aircraft track was not consistent with the aircraft tracks modelled using the MH370 satellite communications metadata.”

Aircraft parts were later washed up on various East African nations’ coastlines. These parts, including items from wings and tailplanes, were later positively identified as coming from MH370.

During the search a Chinese vessel, Haixun 01, reported receiving underwater pulses on a frequency of 37.5MHz. British warship HMS Echo, an underwater survey ship, was unable to pick these up despite racing to the scene to corroborate them. Echo’s own hydrophones had picked up similar pulses a couple of days earlier in a different location but had discounted them as an anomaly of the ship’s own sonar gear.

Various analyses have suggested that searchers were looking in the wrong place for MH370’s fuselage, which would contain the all-important flight data recorder. Original theories were based on the notion that MH370’s crew ditched the aircraft in a controlled fashion, rather than the aircraft simply running out of fuel and crashing.

“The reasons for the loss of MH370 cannot be established with certainty until the aircraft is found. It is almost inconceivable and certainly societally unacceptable in the modern aviation era with 10 million passengers boarding commercial aircraft every day, for a large commercial aircraft to be missing and for the world not to know with certainty what became of the aircraft and those on board,” said the ATSB in a statement. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/03/mh370_atsb_final_report/

Schrems busts Privacy Shield wide open

Privacy activist and student Max Schrems has hailed an Irish Court decision today to refer cross-Atlantic data flows back to the European Court of Justice – all over again.

Schrems sparked the original litigation which led to the Court throwing out the “Safe Harbor” legal framework that governed flows of European citizens’ data to third party countries (judgement here).

After US Congress agreed to expand the scope of data surveillance, and Edward Snowden revealed the extent of bulk data collection via the PRISM programme, the Court felt it couldn’t guarantee citizens’ data would remain private. As we explained, “US companies that export data are fundamentally illegal in Europe.”

In place of Safe Harbour, Standard Contractual Clauses were resurrected as a fallback as part of an ad hoc fix dubbed “Privacy Shield”.

Both Facebook and Schrems challenged this new framework in Ireland (Facebook’s European HQ) for different reasons. Schrems argued that the “self certification” protection wasn’t protection at all.

In a 150-page judgement in DPC v Facebook at the High Court in Dublin today, Justice Costello bounced the issue up to the CJEU.

Why send it up?

Facebook and the US government had argued that electronic surveillance in the US was consistent (it doesn’t have to be identical) with European legal safeguards, as it was overseen by FISA (Foreign Intelligence Surveillance Act) courts. 2015’s FREEDOM Act also outlawed bulk surveillance, the US argued. It did admit that intercepts made under a US Presidential Executive Order (EO 12333) – which authorises the tapping of undersea cables – “are not governed by statute, are not subject to judicial review” and have no limits on data collected on foreign citizens. No evidence of data collection under EOs was presented.

The Judge however concluded that data collected under PRISM and Upstream, two Snowden revelations, showed evidence of “mass indiscriminate processing of data by the United States government agencies, whether this is described as mass or targeted surveillance.”

The Judge therefore agreed that the Data Protection Commissioner had raised “well founded concerns” about whether there is an effective remedy for European citizens under US law.

The introduction of the Privacy Shield Ombudsperson mechanism in the Privacy Shield decision does not eliminate those well-founded concerns. A decision of the CJEU is required to determine whether it amounts to a remedy satisfying the requirements of Article 47.

In his reaction, Schrems issued a video explanation and a written one (pdf):

“I welcome the judgement by the Irish High Court. It is important that a neutral Court outside of the US has summarized the facts on US surveillance in a judgement, after diving through more than 45.000 pages of documents in a five week hearing. Facebook seems to have lost in every argument they were making,” Schrems wrote.

An important judgement? You bet.

“It paves the way for the European courts to again potentially invalidate the legality of a very commonly used data transfer mechanism under EU law,” said Brian Johnston of law firm Bristows.

“Standard Contractual Clauses are relied on by 88 per cent of EU companies transferring data outside the EU; the implications are potentially even more significant than in 2015 and the end of Safe Harbor.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/03/schrems_busts_privacy_shield_wide_open/

Un-Delled SonicWall beefs up firewall to wrestle ransomware

SonicWall has updated its product range with an eye on ransomware and mesh networking.

The privately owned network security vendor last week released six security products and services designed to accelerate speed thresholds across wired, wireless and mobile networks. In particular, the portfolio will include a high speed firewall, a cloud analytics service, and a series of wireless access points.

The NSA 2650 firewall enables threat prevention over 2.5 Gbps Ethernet wired and 802.11ac Wave 2 wireless networks. The device offers TLS/SSL decryption and inspection. The box works alongside the SonicWall Capture ATP service, a cloud-based, multi-engine sandbox designed to discover and stop unknown, zero-day attacks, such as ransomware.

The formerly Dell-owned security firm was spun out as a standalone business last November in a $2.4 billion software business disposal that also resulted in the sale of Quest Software and other businesses. SonicWall president and chief exec Bill Conner told El Reg that Dell remains its largest reseller.

The CEO added that the firm has added 5,000 new networking resellers to its roster since last November’s split from Dell, with many of the new intake coming aboard because they are now happy to work with an independent SonicWall, as opposed to a Dell subsidiary.

The 30 year cyber-security veteran, and one-time chief of Silent Circle, said fighting ransomware is the company’s new strong suit (and front and centre in its marketing).

SonicWall Capture Advanced Threat Protection Service, a cloud-based subscription service available with SonicWall firewalls, is designed to quarantine threats at the gateway. It uses multi-layer sandboxing, including full system emulation and virtualization techniques, to analyse code that acts suspiciously.

SonicWall aims to block malware at the firewall

SonicWall focuses on catering to the needs of small and medium size businesses. Conner said the company already has a million installed firewalls and will now push them to SonicOS 6.5, an upgrade that plugs into a cloud-based breach detection platform.

Vikram Phatak, chief exec of network and security kit testing firm NSS Labs, said SonicWall was revamping its product line to meet the needs of bigger enterprises outside its traditional SME customer base.

“The SonicWALL product revamp sends a clear message to the market of the company’s priorities and intent,” Phatak told The Register. “SonicWALL has largely remediated the technical debt accumulated under Dell, plus expanded the reach of their technology portfolio so that it is appealing to medium and large enterprises, in addition to their traditional SMB customer base.”

Conner explained that SonicWall’s product development roadmap features a push towards virtualisation, which he explained would align its security products to industry trends such as a “software defined endpoint” and mesh networking.

SonicWall was founded 25 years ago by brothers Sreekanth and Sudhakar Ravi. The company initially sold Ethernet cards and other networking gear before diversifying into firewall and virtual private networking appliances, which became the mainstay of its business. These days the firm is also big in UTMs (Unified Threat Management) and email anti-spam filtering appliances. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/03/sonicwall_product_revamp/

Bitcoin’s soft and vulnerable underbelly

How can you lose playing the cryptocurrency investment game? Let us count the ways.

Yes it’s obvious, or should be, that simply investing in Bitcoin or its hundreds of crypto colleagues can be a wild ride. You can make money fast, but you can also lose it fast. Any sober financial adviser will tell you only to play with money you can afford to lose.

But there are ways beyond the fluctuating value of a currency that you can lose as well, and with no prospects of your investment bouncing back. Cryptocurrency exchanges are websites where such currencies are bought, sold and stored. For Bitcoin and its ilk they’re a soft and vulnerable underbelly.

Bitcoin owners can spend, sell, trade, donate or otherwise use their bitcoins with little fear of the strong cryptography behind it being cracked. It’s as close to bulletproof as you’ll get – so long as you keep your private keys private.

If you upload your private keys to an exchange to make trading easier then your keys are at the mercy of that site’s security.

Websites can be hacked and keys can be stolen. And there is no Federal Deposit Insurance Corporation (FDIC) to protect your assets – the exchanges are not backed by any governments or central banks.

Besides that, they are run by people who may or may not be trustworthy and who are not regulated. They might be as clever as Satoshi. They might not. They might be crooked. They might be incompetent. Their sites might be insecure. All that can add up to serious subtraction – as in the loss of millions.

One victim is Dan Wasyluk, who served as the opening anecdote in a Reuters story last week about the risks of cryptocurrencies, which began by noting that he had, “discovered the hard way that trading cryptocurrencies such as Bitcoin happens in an online Wild West where sheriffs are largely absent.”

In Wasyluk’s case, about three years ago he and some colleagues took bitcoins they had raised for a tech venture and parked them in escrow with a company running an exchange called Moolah. Months later the exchange collapsed. The former CEO, Ryan Kennedy, who created the exchange under the name Alex Green, is awaiting trial in Britain after pleading not guilty to fraud and money-laundering charges.

The group’s loss of 750 bitcoins was estimated at about $3 million, and Wasyluk, probably correctly, doesn’t think he’ll get any of it back, given that Kennedy is currently serving jail time on a rape conviction.

Wasyluk is not an outlier. Given the underground nature of the entire cryptocurrency structure, it should be no surprise that Reuters found that the exchanges, “have become magnets for fraud and mires of technological dysfunction … posing an underappreciated risk to anyone who trades digital coins.”

As David L. Yermack, chairman of the finance department at New York University’s Stern School of Business, put it to Reuters, “If you’re a consumer, there’s nothing to protect you.”

That has been made painfully clear a number of times – Reuters reported that there have been, “at least three-dozen heists of cryptocurrency exchanges since 2011,” and that more than 980,000 bitcoins have been stolen, which would have a value today of about $4b.

One of the most prominent was Japan-based Mt. Gox, which Naked Security’s Paul Ducklin called the “Big Daddy of Bitcoin exchanges.” As he put it, in 2014, “it made a, ‘So sorry, they seem to have vanished,’ announcement about a whopping 650,000 bitcoins, worth approximately $800 each at the time.”

Claims approved by a bankruptcy trustee are more than $400m, but three years later, nearly 25,000 Mt. Gox customers are still waiting and hoping for some kind of reimbursement.

And a year ago in August, hackers breached an authentication system at a Hong Kong exchange called Bitfinex and stole an estimated $72m in Bitcoin – an amount second only to Mt. Gox. Investors did eventually get partial reimbursement, but took what Coindesk described as, “a 36% haircut.”

There are plenty more stories like that. Tyler Moore, assistant professor of cybersecurity at the University of Tulsa’s Tandy School of Computer Science, who has researched the vulnerability of Bitcoin exchanges, told Fortune that from 2009, when Bitcoin was created, through March 2015, 33% of all operational Bitcoin exchanges were hacked.

This doesn’t seem to be putting people off cryptocurrency trading, though – there are now an estimated 900 different types in existence. Its fundamental selling points – that it circumvents the conventional money system and promises anonymity – are pretty compelling.

Add to that the spikes in value – a bitcoin was worth barely more than $1,000 at the beginning of the year and is currently at $4,350. But cryptocurrencies are also vulnerable to “flash crashes” – sudden, precipitous drops in value. As Reuters reported:

On May 7, traders on a U.S. exchange called Kraken lost more than $5 million when it came under attack and couldn’t be accessed, according to a class-action lawsuit filed in Florida. During the incident, the suit alleges, the exchange’s price of a cryptocurrency called ether fell more than 70 percent and the traders’ leveraged positions were liquidated. They received no compensation.

And those damages weren’t even from theft.

It has long been said that it doesn’t matter how secure your organization, personal information or assets are if you connect them to third parties that are less secure. So take note: exchanges are third parties.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/peCyyPMnZ6w/