STE WILLIAMS

JPMorgan Breach: New Witness Delays Trial Of Bitcoin Exchange Suspects

Trial proceedings of pastor Trevon Gross and Yuri Lebedev have been delayed; jury selection will take place Feb. 14.

Trial proceedings of two defendants in a bitcoin exchange case related to the JPMorgan Chase hack were delayed, and jury selection was pushed to Feb. 14, after prosecutors produced a new witness in the case, Reuters reports. Philip Burgess, who was an investor in the credit union of which defendant Trevon Gross was chairman, claimed to have incriminating information.

After much deliberation over the concern that Gross and Burgess shared the same law firm, U.S. District Judge Alison Nathan said prosecutors could not produce Burgess in court and decided to resume the proceedings today.

Gross, who is a pastor, along with Yuri Lebedev and seven others, has been charged in connection with the 2014 JPMorgan data breach of over 83 million accounts. Gross and Lebedev are not accused of hacking, but of being associated with Coin.mx, the illegal exchange used to convert stolen money into bitcoin. Gross is charged with accepting $150,000 in bribes to allow hackers to use the credit union for their illegal transactions.

Read Reuters for details.


Article source: http://www.darkreading.com/jpmorgan-breach-new-witness-delays-trial-of-bitcoin-exchange-suspects-/d/d-id/1328137?_mc=RSS_DR_EDT

Why Identity Has Become A Top Concern For CSOs

Seven of the world’s top security leaders share their fears and challenges around the critical new role of identity in the fight against cyber adversaries.

Ubiquitous mobility and cloud-based computing are a double-edged sword. While they have transformed the way companies do business, the myriad benefits they provide are being undermined by the lack of security and the regard for risks surrounding identity. One of the reasons for this state of affairs may be that identity is still under the purview of CIOs, not CSOs.


Much of my thinking on these topics is derived from the many discussions I’ve had with leading CIOs, CISOs, and CSOs, who view identity as ground zero in the fight against cyber adversaries. I was convinced others could benefit from the wisdom they had imparted to me, which is why I set out to capture the ideas, experiences, and best practices of some of the industry’s leading security practitioners in my first book, Borderless Behavior Analytics.

A Proactive Approach Is Lacking

The core problem, as I see it, is that most security leaders are not attacking the evolving security landscape through proactive planning and change management. Instead, they are stuck in a reactive mode. It is not hard to understand why: the user profile is 24×7, global, instantaneous, and rich in consumer-driven IT.

I also asked the security leaders to consider how the explosion of digital data — primarily created by mobility and cloud adoptions — is challenging human analysis capabilities. The security perimeter has blurred and, for all intents and purposes, has simply faded away.

Everyone is on the Internet, all the time, and generating staggering volumes of activity. At the same time, most employees have a low awareness of the access and activity risks involved in their Internet usage. This is producing undefined gray areas of risk that declarative defenses cannot address. Traditional perimeter defense mechanisms lack awareness of these access and activity risks.

Identity as an Attack Surface

Data no longer resides behind firewalls; that singular control point of protection is gone. Instead, there is a much more complex, hybrid IT security challenge of on-premises environments being connected to multiple cloud applications and multiple mobile devices.

A popular quote among security pundits is: “There are only two kinds of companies. Those that were hacked and those that don’t yet know they were hacked.” Nowadays, attacks against businesses are likely to be very stealthy and targeted, and based around identity vulnerabilities.

Highly skilled individuals — sometimes IT professionals with a vast knowledge of the most effective ways to attack companies’ vulnerabilities — carry out these attacks. These people move quietly and methodically within organizations, sometimes for years rather than months, acquiring the knowledge they need for their assaults.

At the root of most current threats is the misuse and compromise of identity, which give attackers access to the keys of the kingdom. Identity is now the critical access risk and threat plane.

What Keeps CSOs Up at Night

When asked to view security through the lens of identity, here are the most vexing issues that seven of the world’s top CSOs came up with.

The security impact and challenges imposed by cloud and mobility on protecting hybrid, land, and sea operational environments. —Gary Eppinger, CISO of Carnival Corporation

Account compromise and misuse, insider threats, and how to implement a “resilient defense” model that makes it difficult for attackers to exfiltrate data once an environment has been compromised. —Jerry Archer, CSO of a major financial services company

The fact that existing security defenses were built to protect an enterprise architecture that no longer exists, and where the industry needs to go with machine learning and context from big data. —Joe Sullivan, CSO of Uber

The need for a new approach that places identity and access at the core of security to protect digital and physical assets. —Teri Takai, former CIO of the Department of Defense (DoD) and current adviser for the Center for Digital Government

Understanding the levers behind security innovation and why defenses advance in such small increments. —Robert Rodriguez, Chairman and Founder of the Security Innovation Network (SINET)

How to apply machine learning to behavior analytics across a variety of use cases. —Leslie K. Lambert, former CISO of Juniper Networks and Sun Microsystems

Uncovering the limitations of human processing, and developing technology alternatives for finding and responding to risks and unknown threats. —Gary Harbison, CISO of Monsanto

Hopefully, putting all these insights in one place and sharing them with the industry will help spur greater awareness, dialogue and innovation around the role of identity in cybersecurity.

Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an …

Article source: http://www.darkreading.com/threat-intelligence/why-identity-has-become-a-top-concern-for-csos/a/d-id/1328132?_mc=RSS_DR_EDT

Darkness & Hope On Display At RSA Conference Keynotes

Attendees start morning with John Lithgow telling them ‘Look at how your light shines together.’

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/careers-and-people/darkness-and-hope-on-display-at-rsa-conference-keynotes-/d/d-id/1328147?_mc=RSS_DR_EDT

Valentine’s day: what’s your secret technology crush?

Valentine’s day is traditionally a time when you can act on your secret crushes and let them know how you feel about them.

Anyone who cares about security and technology has an app or a platform or a programming language or something that might not be very cool or very glamorous but which they love, trust and rely on. So this year we’ve decided to ask Naked Security writers what their secret crushes are.

Mark Stockley, our web technologies guru, has had a long, slightly dysfunctional love-hate relationship with Perl. He says:

My secret tech crush is Perl.

It’s not for looks, mind. In a bad light Perl looks like the contents of the unix tool chain after a heavy fall down some stairs.

It’s not because Perl loves me and nobody else either. When I first met Perl (in its prime in the late 90s), it had caught everyone’s eye and was living it up at the heart of things on seemingly every server and every website.

And it’s not because Perl was nice to me, either. Back then, we didn’t have well lit safe spaces like Stackoverflow to get to know a programming language that had caught our eye. We had to use usenet and meeting Perl meant risking the piranha-infested waters of comp.lang.misc.perl, a usenet group so fierce and elitist that suitors with questions were publicly eviscerated for sport.

Perl is complex… difficult… moody, even. On the rare occasions that things go well, working with Perl can be like painting with oils or dancing with Darcey Bussell. But when they aren’t (and they frequently aren’t) it can feel like wrestling socks on to an octopus.

In fact there are a hundred reasons to choose something else, but for me there is no doubt that it’s Perl. For all its faults it was my gateway drug, the red pill that led me to late night Slackware installs, unfathomable man pages and scratching my head for two weeks as I looked in the wrong place for Apache’s ‘it works!’ page.

Here at Naked Security, we’re upfront about our love for password managers and multifactor authentication. But Naked Security stalwart Lisa Vaas fell out of love with hers recently. She says:

I don’t know if you’d call this a secret crush. The feelings I have for my password manager are more along the lines of master-sub, with a dash of Stockholm syndrome. The strength of the bondage came clear recently when I lost my phone during a trip. Got off the Metro, but somehow, the phone did not.

After a good deal of hand-wringing and fruitless searching, I gave up and ordered a replacement phone courtesy of my insurance company. That’s when the fun really began.

The lost phone had my multifactor authentication (MFA) app on it, Google Authenticator, and without it, I couldn’t get into any email accounts. The “lost password” hoops Google made me jump through were recursive and failed every time.

Using a friend’s laptop, I tried to reach my password manager vendor (LastPass) to help me out. I could get one toe into LastPass, given that I’ve memorized that one password, but losing my Google Authenticator app on the phone meant that I couldn’t verify my login with the second factor: the one-time use password Authenticator produces.

Turns out that LastPass has no phones. None. OK, so I’ll write to customer support, I thought. Explain the situation, see what they can do to ascertain I’m not a hacker trying to hijack my account. Automatic LastPass responses kept telling me I’d get a faster response if I upgraded to premium, and I kept wailing that I am a premium user. Days later, I finally got a response: we’ll send you the instructions to download a new Authenticator instance, they said. To your email address on file. … which I couldn’t get into.

I’ll stop there. Suffice it to say that I was rather impressed with the locks and chains set up around my accounts by MFA and that crazy, frustrating password manager. One lesson I learned quite well, after about a week of writhing in those bonds: I need to set up a safe word. What does that extended metaphor translate into? Well, I’m not going to give it away, but let’s just say that it’s along the lines of writing down a password. … and then locking that physical token safely (hopefully!) away, not putting it on a sticky note on my monitor!

Sometimes the old loves are the best, and Naked Security writer Maria Varmazis remains devoted to Notepad++. She tells us:

As someone who dabbles in code but primarily writes for a living, my indispensable but slightly-unsexy tool is a text editor. For my PCs, I’m a Notepad++ fiend. For my Macs, I’m devoted to SublimeText. (Linux text editing is a sore subject in my household. I cling to emacs, which I picked up in college, while my husband is a vi die-hard. Somehow we’re still married.)

The simplicity of these editors is what makes them so beautiful and so useful. When you just want to write without distraction or frill, there’s nothing better than opening a simple text editor and getting to work. Text editors let me type without worrying about font and format, or being interrupted by grammatical suggestions – and when you’re on deadline, interruption-free writing is precisely what you need. Once I’ve written what I need and start editing, the built-in line numbering and contextual highlighting many of these text editors come with (handy for folks who are deep in code all day) make my life a lot easier as well.

Perhaps my devotion to these humble text editors comes from habit: back in the 90s when so many of my peers and I were learning rudimentary HTML, we went to work with just Notepad. I still remember the humble “Made with Notepad” buttons some of us would put on our sites as our nerdy badge of honor. Notepad was still my editor of choice in the years following when working on professional website development, Dreamweaver and others be damned.

I know a text editor isn’t the first thing people think of when they need to write, but if you find it hard to get started and the thought of firing up Word makes your blood run cold, open a text editor instead. They provide minimal distractions and render no judgments so you may write freely. And for that, they will always have my devotion.

Google may be dominant on the search scene, but not everyone is comfortable with the amount of data it scavenges about users. So Danny Bradbury, our man in British Columbia, tells us why he’s quietly in love with DuckDuckGo:

Google is great at delivering the results you want, in an attractive style. Half the time, thanks to voice search and Google Assistant, you don’t even have to type anything. But I don’t like searching for things using a tool run by a company that makes money by selling my data, especially when my work causes me to search for a lot of strange things. Evidence suggests that while Google enables users to switch off the search history that it shows them, it’s still collecting a lot behind the scenes. DuckDuckGo isn’t as polished as Google, but I’m becoming increasingly paranoid about giving my data to large companies, especially given the political uncertainties facing us over the next few years. Perhaps I’m not the only one, given that DuckDuckGo racked up 4bn searches last year.

Love is wide-ranging, and it’s not just software and applications that Naked Security writers are secretly in love with. Freelancer Bill Camarda has been faithful to a much-loved headset for many years. He tells us:

I’m jaded. I’ve been disappointed too often. My idea of lovable tech is something that just works, doesn’t demand a lot, didn’t cost a lot, and stays out of my way the rest of the time. That’d be my old Logitech ClearChat Comfort USB Headset H390.

I mean, this is seriously mature technology. Introduced a decade ago this coming August, you can still buy one new at Amazon. Where you’re informed that it’ll “Elevate the Power of Windows Vista”. Hey marketers, I love the thing, but please: nothing could do that.

Here’s what it does do: whatever I plug it into – Windows 7, 8.x, 10, Mac – it goes right to work. No waiting for drivers to fail install. Never crashes the system. Good sound. Good mic that’s easy to adjust (and moves neatly up out of the way when I’m only listening.) Handy mute button. Well-made USB cable. Fairly if not perfectly comfy adjustable padded earphones, for today’s endless Hangouts, Skype videocalls, et al. Not sexy: stable, reliable, there for me. If that’s not love, what is?

Meanwhile, Naked Security freelancer John E Dunn also has a hardware love: it’s the privacy- and security-focused Blackphone. He says:

From the femtosecond I first saw version 1 in 2014, I’ve wanted one. If they ever get around to making Men in Black 4, this is the smartphone they’d use. But how to justify paying nearly £600 for an uneventful Android smartphone? One answer is that in an age obsessed with features and looks, the Blackphone strips away all that nonsense and just does the important thing – privacy – well.

Granted, a lot of people think that privacy is another ‘feature’ but a lot of people are wrong. Security and privacy is the future of everything, the destiny of the world. Finding all of this in a slim black device that can trace its software lineage back to the genesis of popular encryption with Phil Zimmermann’s PGP just adds to its desirability. It’s old but new with it.

And what about me? I’ve only been editing Naked Security for a few months, but I’ve been writing about technology and security for many years, and so I’ve had plenty of time to fall in love with any number of flighty suitors. But the technology I still love, even though it’s almost as old and uncool as Donny Osmond (who I saw performing in London earlier this month; I still love him, too) is Windows Phone.

I’ve been using Windows devices since back when it was known as Windows CE, and I’ve only – reluctantly – moved to Android after smashing the screen of my beloved Nokia Lumia 1520 and discovering it would cost £250 to fix (I’m now rocking a Pixel XL).

I love Windows Phone for its elegant design language: instead of dozens of multicoloured icons splattered across several pages there’s a homescreen of tiles displaying all the information you need at a glance. On my homescreen I could see how many emails were waiting for me, if I’d missed any calls, which of my key contacts had tried to reach me, if I had any Twitter mentions or DMs, when my next train was, and so on.

I also love that it remains a pretty secure platform: there’s been almost no malware spotted in the wild. And finally, while other manufacturers made Windows Phones, the Lumia range had (and to some, still has) the very best cameras a cellphone could sport: the 1020’s camera, amazing in its day, is still one to beat.

What’s your secret technology crush? We’d love to hear about your first and current loves.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/uAtPkVu3Ffo/

Border guards force US citizen to unlock his NASA-owned work phone

Sidd Bikkannavar, an engineer with NASA, flew out of the US on January 15, when Barack Obama was still the president.

He flew back on January 30, a week into the administration of Donald Trump and four days after the issuance of an executive order restricting travel from seven predominantly Muslim countries.

Judging by what Bikkannavar told The Verge, he also flew back into a whole new experience at the airport, where he claims to have been detained by US Customs and Border Patrol (CBP) and pressured to hand over his NASA-issued phone and the PIN to get into it – even though it could have contained sensitive information relating to his employment at the space agency.

Should this have happened? Bikkannavar is, after all, a natural-born US citizen. He’s also enrolled in the CBP’s Global Entry program, which allows expedited clearance for pre-approved, low-risk travelers upon arrival in the US.

Perhaps the timing of his detention had nothing to do with who was sitting in the Oval Office or the “extreme vetting” of foreigners that Trump has vowed. We only know his side of the story, since the CBP isn’t in the habit of putting out press releases about whatever possibly reasonable suspicions they might have about a traveler that would lead agents to detain that traveler.

In other words, this might not have been news at all a month ago. It could have been some random CBP detention and search of a phone. But in the current political climate the story feels much more weighty.

His Facebook update about the incident had been shared more than 2,000 times as of the Verge’s writeup. A tweet from a friend who shared Bikkannavar’s experience was also shared more than 9,000 times as of Monday evening.

At any rate, according to Bikkannavar’s account, this is what happened.

He arrived in Houston early Tuesday morning on January 31. After his passport was scanned, he was detained by CBP, who escorted him to a back room and told him to wait. A handful of other people were in the room.

After 40 minutes, an officer called his name, then led Bikkannavar into an interview room, where he explained that the CBP needed to search his possessions to ensure he wasn’t bringing anything dangerous into the country.

The officer presented Bikkannavar with a document titled “Inspection of Electronic Devices” and explained that CBP had authority to search his phone.

Bikkannavar didn’t want to hand over the phone. It is, technically, the property of NASA. He even showed the officer the JPL barcode on the back of phone.

I was cautiously telling him I wasn’t allowed to give it out, because I didn’t want to seem like I was not cooperating. I told him I’m not really allowed to give the passcode; I have to protect access.

The CBP wasn’t dissuaded. The officer insisted the CBP had the authority to search the device.

Bikkannavar wasn’t allowed to leave until he gave CBP his passcode. The document the officer gave to Bikkannavar had listed a series of consequences for failure to offer information that would allow CBP to copy the contents of the device, and Bikkannavar had no interest in exploring those consequences, he said.

It mentioned detention and seizure.

Ultimately, he handed over the phone and passcode. The officer left with the device and returned after 30 minutes.

Eventually, Bikkannavar was given back his phone. He immediately turned it off, since he knew he’d have to hand it over to the Jet Propulsion Lab (JPL) IT department, which would check what data had been copied and whatever might have been installed on the phone.

The JPL was none too happy about the incident. As it is, NASA employees are obligated to protect all work-related information.

Did the US government have the authority to search his phone?

There’s no clear answer, according to Orin S Kerr, a research professor of law at George Washington University. Writing in the Washington Post, Kerr said that courts have disagreed on what the standard is for computer searches at the border. In some, but not all, cases, the courts have decided that CBP requires reasonable suspicion to use a Cellebrite Physical Analyzer to search a phone’s contents.

What’s also unclear is whether the CBP had the authority to compel Bikkannavar to give up his passcode… or whether he could be detained until he did. From Kerr’s article:

Imagine the agents said, “If you want to go home today, tell us your passcode and we’ll release you right away. Otherwise, you’re going to be here a while.”

Does that put so much pressure on a person that it coerces him or her to disclose the passcode? I’m skeptical of that, given the pretty high bar of the voluntariness cases. But it’s an argument.

What would/should YOU do?

Besides slicing and dicing the legal nuances of the case, there’s the question of how to protect yourself from being forced to divulge your most personal details – or even the work-related information on your phone that you’re obligated to protect – in such a situation.

Wired recently published a guide to getting past customs with your digital privacy intact, and it’s well worth a read.

One thing to note is there’s no silver bullet. For example, if you set up two-factor authentication on your phone so that your online accounts require a temporary passcode that’s texted to you, then remove your SIM card (perhaps mailing it to your destination) so that you can’t get at the SMS messages, you might plead inability to unlock with the CBP.

But just how well will that go over with the agents? As Wired notes, it could easily spike their suspicions and lead to lengthy detention and intense grilling.

If you have suggestions on how to avoid having your privacy invaded at the border, and how to do it without unintentionally baiting the border guards, please do share in the comments section below.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/63ASqBYaxUY/

RSA 2017: SophosLabs report examines Top 10 Android malware

This is the second in a four-part series about SophosLabs’ 2017 malware forecast, released this week at RSA Conference in San Francisco. Part 1 looked at malware targeting Linux and Internet-of-things (IoT) devices. Today’s instalment is about malware designed for Android devices.

When security experts recently raised concern about President Trump using an outdated Samsung Galaxy phone for his tweeting, there was a good reason.

Samsung Galaxy devices have traditionally used the Android operating system, and attackers are constantly targeting Android with malware, including ransomware.

SophosLabs examined a lot of Android malware in the last year, and the details are outlined in the 2017 malware forecast released Monday.

SophosLabs analysis systems processed more than 8.5m suspicious Android applications in 2016. More than half of them were either malware or potentially unwanted applications (PUA), including poorly behaved adware.

The highest malware count of the last five years

The APK packages analyzed in 2016 were the most of the last five years, as was the amount of malicious content discovered. The count has increased each year since 2012:

[Chart: Android APK packages analyzed and malicious content discovered, 2012 to 2016]

When the lab reviewed the top 10 malware families targeting Android, Andr/PornClk is the biggest, accounting for more than 20% of the cases reviewed in 2016. Andr/CNSMS, an SMS sender with Chinese origins, was the second largest (13% of cases), followed by Andr/DroidRT, an Android rootkit (10%), and Andr/SmsSend (8%). The top 10 are broken down in this pie chart:

[Pie chart: top 10 Android malware families of 2016]

From the end of 2015 to March 2016, SophosLabs saw a sharp increase in PornClk malware. There was a quick drop for a time, but activity picked back up and steadily rose in the last eight months of the year.

PornClk makes money through advertisements and membership registrations. It takes advantage of root privilege and requests administrative access on the device. It then:

  • Downloads additional APKs
  • Creates shortcuts on home screens
  • Collects sensitive information such as device IDs, phone numbers and models, Android versions and Geo IPs.

Snapshot: Andr/Ransom-I

One ransomware specimen SophosLabs examined was Andr/Ransom-I. The map below shows the geographical cases of infection for this sample. Concentrations of infection were greatest in Europe and North America. One percent of the cases we reviewed and protected customers against were of this malware family.

To trick users, Andr/Ransom-I pretends to be an update for the operating system and such applications as Adobe Flash and Adult Player.

Ransomware is an old topic in information security circles. Attackers have been hijacking computers and holding files hostage for years now, typically demanding that ransom be paid in bitcoins. SophosLabs did not see a surge in ransomware in 2016, but cases of it remained steady. We continue to see a lack of public awareness on the subject, and reports of cases where the victim is paying the ransom are increasing.

Just last month, for example, Los Angeles Valley College (LAVC) paid a public record of $28,000 (£22,500) in Bitcoins to extortionists after ransomware encrypted hundreds of thousands of files held on its servers.

Therefore, any ransomware that lands in the lab will be subjected to scrutiny.

Coming tomorrow: Attackers target MacOS with ransomware


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZUDs0tIcxe0/

Twitter stumbles on safety feature as users push back

Twitter has been revising its safety and security as we reported last week – but it’s had a bit of a false start for its “lists” function. An amendment it put forward only yesterday has hastily been withdrawn.

The list function means that any user can add any other user to a list of people – so you might (and who could blame you) add every contributor to Naked Security to a list called “Security Gurus”, or “Illuminati”, or anything else that takes your fancy. Other people can subscribe to the list and also follow us en masse.

Then yesterday Twitter decided to refine the function: “We want you to get notifications that matter,” it said on its own network. “Starting today, you won’t get notified when you are added to a list.”

If there had been enough characters left it could have added “…and stopping tomorrow”, as the backlash has forced the company to change its mind almost immediately. Some of the tweets in response to the announcement included:

And most crucially:

The idea that people might be targeted and added to lists without their knowledge appears not to have occurred to Twitter, which issued a hasty retraction.

However, this needn’t be exclusively a bad thing for the company. Consider for a moment how many other tech organisations have been known to zap an idea this quickly because the user community doesn’t want it – the answer is “very few”.

Meanwhile it remains impossible for Twitter members to remove themselves from lists on which they don’t particularly want to appear. That, arguably, is a bigger problem.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DypQOslPDso/

UK website data insecurity worries: Users in bits over car break-up emails

Popular car parts website PartsGateway.co.uk is dangerously insecure, a veteran UK security consultant warns.

The warning from Paul Moore comes in the midst of ongoing social media complaints (example here) by customers who say they have received phishing mails containing personal addresses and phone numbers. One of the users said the phishing email had been sent to an address they had provided only to PartsGateway. Dodgy emails appeared in the guise of legitimate-looking order confirmations.

El Reg learned of the issue as the result of a tip-off from a concerned reader. The free-to-consumers web-based service had yet to respond to repeated requests for comment at the time of publication. We’ll update if we hear more.

We did note a tweet from Parts Gateway’s Twitter account to one user that claimed its tech team was investigating the spam, however:

Users faced with a similar lack of feedback have flagged up concerns with data privacy watchdogs at the ICO.

Paul Moore said he has identified a number of security shortcomings with the site, including a reliance on plain-text passwords and a lack of TLS encryption.

“With an 11-year-old version of Apache, a seven-year-old version of PHP, no security headers whatsoever, weak TLS and no meaningful authentication, it was only a matter of time before Partsgateway became a statistic,” Moore told El Reg.

PartsGateway says it allows UK motorists to hunt down the best deals on genuine new or used car and van parts. Customers can compare new and used car part prices from more than 180 car-breakers at no cost to themselves. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/14/uk_car_parts_website_insecure_worries/

Roses are red, you’re over the moon, ‘cos you work in infosec, and you’re retiring soon

The UK’s aging cybersecurity workforce is approaching a “retirement cliff edge,” according to a new survey.

Only six per cent of UK companies are recruiting graduates, while 66 per cent already have a cybersecurity skills shortage due to being unable to find qualified personnel, according to a poll by cybersecurity professionals’ association (ISC)2.

Much of the workforce is edging towards retirement, with only 12 per cent of the UK workforce under 35 and 53 per cent over 45 years old, it is claimed.

Enterprises have brought this problem on themselves by refusing to hire and train inexperienced recruits. Only 10 per cent of UK respondents say that demand for new hires is greatest at entry level, and 93 per cent say previous cybersecurity experience is an important factor in their hiring decisions.

The lack of cybersecurity workers is causing a dramatic spike in wages, with the more experienced people commanding annual salaries of more than £87,000. The skills shortage is inflating salaries, as more businesses compete for scarce talented resources, according to (ISC)2.

Dr Adrian Davis, managing director, EMEA at (ISC)2, said: “A continuing industry refusal to hire people without previous experience, and a failure to hire university graduates, means Britain is approaching a security skills ‘cliff edge’ due to the perfect storm of an ageing cyber workforce going into retirement and long-term failure to recruit from the younger generation.”

“We need to see more emphasis on recruiting millennials and on training talent in-house rather than companies expecting to buy it off-the-shelf,” he added. This means that smaller businesses, in particular, face a dilemma because they are unable to afford the personnel required to protect them from cybersecurity threats. Only a quarter (23 per cent) of UK cyber professionals work for companies with fewer than 500 employees.

The findings come from the (ISC)2 Global Information Security Workforce Study, which involved a worldwide survey of 19,000 info security professionals across banks, governments and multinationals.

Almost half the UK organizations quizzed said that their shortage of security workers is already having an impact on customers and security breaches.

The skills shortfall means that many UK businesses are ill-prepared for the EU General Data Protection Regulation (GDPR), which will impose a mandatory 48-hour window for disclosing data breaches from May 2018 onwards. A quarter (22 per cent) of UK respondents currently predict that their companies would take more than eight days to repair the damage if their systems or data were compromised by hackers – far longer than the legally required window for publicly reporting breaches.

The global shortfall of cybersecurity workers will reach 1.8 million in the next five years, apparently. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/14/uk_cyber_skills_gap_survey/

SaaS-y security outfit CrowdStrike falls out of love with test lab

SaaS-y endpoint protection outfit CrowdStrike has failed in an attempt to prevent publication of a review detailing its software’s qualities.

CrowdStrike makes “Falcon”, a platform that combines an agent running on endpoints with a cloudy analytical engine to spot and squash malware and other nasties.

Falcon made the list of endpoint security products that testing outfit NSS Labs decided it would include in a roundup it intends to release this week. But when CrowdStrike got wind of its inclusion, it took issue and headed off to court.

As the decision (PDF) of the United States District Court For The District Of Delaware explains, CrowdStrike authorised NSS to test Falcon but the two fell into a dispute about the nature of the tests the lab conducted.

NSS tried to conduct new tests to CrowdStrike’s satisfaction, but appears to have failed because during a third round of tests CrowdStrike got narky about NSS’ decision to include Falcon in a public test.

Off to court they went, where the Judge was asked to consider whether NSS had breached its contract with CrowdStrike (no) or breached a contract CrowdStrike had with a third party called “Constellation” (again, no).

CrowdStrike’s third argument was that releasing the review would amount to NSS misappropriating trade secrets that had been revealed to it during testing. That argument failed because the court felt NSS’ black box tests kept those secrets safe, and that a review would not divulge them.

Which left a final test of whether publishing the review would cause “Irreparable Harm” to CrowdStrike’s reputation, which the software company contended would be the result of NSS’ inevitably-inaccurate assessment of its wares. Again the court felt the argument could not stand, as the test NSS sought to reveal was a public test and not the private work it did for CrowdStrike.

Indeed, the decision says that even if NSS got it wrong, it would suffer more harm than CrowdStrike because “NSS would be enjoined from disclosing likely true and legitimately obtained data, undermining a critical aspect of NSS’s presence in the marketplace.” CrowdStrike, the decision argues, can easily contest NSS’ work by releasing its own data.

All of which will make life interesting at the RSA Conference in San Francisco on Tuesday morning US time, where NSS plans to release its research.

Grab some popcorn! ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/14/crowdstrike_falcon_vs_nss/