STE WILLIAMS

Microsoft breathes a tiny bit of life back into XP

TEOTWAWKI! (The end of the world as we know it.) Don’t get too excited.

Windows XP will still officially fall off the edge of the world in April 2014 when Microsoft ends support.

Strictly speaking, of course, once you have applied the April 2014 Patch Tuesday updates to your XP computers, you’ll be no less secure than usual for another month.

But when 13 May 2014 rolls around, being the second Tuesday in May, all other versions of Windows will get patches, and you won’t.

The bad news about that is that many of the vulnerabilities that can be exploited in recent versions of Windows are also present in – indeed, were probably inherited from – the Windows XP codebase.

As a result, cybercriminals may be able to work backwards from information that has been innocently disclosed about bugs in Windows 7 and 8 – bugs that no longer matter very much once they’ve been spotted and patched – and to use that information to help them attack XP computers.

Why not keep XP going?

“Why then,” you might ask, “doesn’t Microsoft simply retrofit all the new security features from Windows Vista, 7 and 8 into XP, and keep churning out the patches?”

Part of the answer is that it would be a big economic burden to Microsoft, which can hardly be said to have a moral imperative to keep on sinking time and money into an operating system for which most users paid less than $100, and from which many users have already extracted ten years of life.

But the most important part of the answer is that continuing to patch XP would be like trying to cross a technological chasm for Microsoft.

Many of the deep internal changes that Microsoft made in its more recent operating system versions were put there precisely to create a better security substructure than XP – in other words, to bring a touch of software revolution in order to bypass the crevasses that evolution alone wouldn’t be able to cross.

Starting again

Some of us who want to get rid of XP have made it clear that we just aren’t going to make it by April (or May, if we allow ourselves that bonus final month).

Microsoft has therefore caved in just a bit, and announced that it will still provide updates to its various anti-virus tools on XP after the deadline.

Let’s be clear: no new security updates, no non-security hotfixes, no free or paid assisted support options, and no online technical content updates from Microsoft.

But Microsoft Security Essentials on XP, and various other Microsoft antimalware tools, will keep ticking over: support will continue until 14 July 2015. (Yes, that’s a Patch Tuesday – the latest day of the month it can happen.)

Note. Sophos Endpoint Security and Control (SESC) will officially support Windows XP Service Packs 2 and 3 until at least 30 September 2015. SESC will support Windows Server 2003 until at least 31 Jan 2017. (Our support knowledgebase has a complete platform support list.)

Does this mean I can postpone the inevitable?

Is this a signal from Microsoft, or, for that matter, from Sophos, that it’s perfectly OK to keep using XP past the deadline?

No!

There are some good reasons (and plenty of bad ones) why you might need to keep XP alive, but if you do so then there are various steps you should take to reduce the risk of having weak spots in your network.

For some practical advice on the subject, why not listen to our informative podcast, The End of XP?

As mentioned above, if you are a Sophos customer then your legacy XP computers will be covered by Sophos Anti-Virus until late 2015 (early 2017 for your 2003 servers).

That means you can use Sophos’s Application Control features, allowing you not only to regulate malware, but also to prevent the use of software that might put your already-risky XP computers even further into harm’s way.

That way you can keep those old XP lathe controllers alive, for example, while making sure they are used only to run the lathes, and not used “off shift” for tasks such as browsing, reading PDFs or watching cat videos!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/eI8X2-mgkaw/

Oracle and Java, Apple and the FTC, Google and privacy

Cybercrooks slide fingers into TELLIES+FRIDGES, spam splurge ensues

Miscreants have launched an Internet of Things-based cyberattack involving household “smart” appliances.

The global spam distribution campaign involved more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets.


Items such as home-networking routers, connected multi-media centres, televisions and at least one refrigerator were reportedly compromised and used as a platform to launch attacks.

Cloud security firm Proofpoint reckons the attack spewed out waves of malicious emails, in bursts sent three times per day, targeting computer users worldwide between 23 December and 6 January.

Many of these malicious emails pushed phishing scams designed to trick recipients into visiting cybercrook-controlled websites and hand over their online banking login credentials.

More than 25 per cent of the email volume was sent by things that were not conventional laptops, desktop computers or mobile devices. No more than 10 emails were initiated from any single IP address, making the attack more difficult to block.

Misconfiguration and the use of default passwords left the devices completely exposed on public networks, available for takeover and misuse by spam distributing cybercrooks. Security shortcomings turned smart appliances into “thingbots” open to abuse by criminal hackers, according to Proofpoint.

The security firm reckons that what might be the first proven Internet of Things-based cyberattack represents the shape of things to come as more and more devices are connected to the net. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/17/internet_of_things_spambot_network/

Those NSA ‘reforms’ in full: El Reg translates US Prez Obama’s pledges

Analysis On Friday, President Obama gave his long-awaited speech on plans to reform the activities of the US intelligence services and how they monitor the rest of the world.

You can watch the entire speech here, but words are tricky things – never more so than when national security is involved. As such we’ve taken a transcript of the president’s words and, given what we know about today’s mass surveillance operations, tried to work out what was actually said. Prez Obama’s speech is presented below in bold, with our annotations throughout.

First, a history lesson from the President

At the dawn of our Republic, a small, secret surveillance committee born out of “The Sons of Liberty” was established in Boston. And the group’s members included Paul Revere. At night, they would patrol the streets, reporting back any signs that the British were preparing raids against America’s early Patriots.

It’s fair to say that if the British had the capabilities of the NSA today, there wouldn’t have been an American revolution and the citizens of the North American continent would be sipping warm beer and spelling color with a ‘u’ along with the rest of British society.


The British wouldn’t have needed to monitor content of the letters sent by Paul Revere and others, just tracked his movements, examined the metadata of his associates, and then swooped. Revere and others would have been up a tree with a hemp necktie for carrying out acts of terrorism against a national government, since these “Sons of Liberty” weren’t above violence when it came to furthering their aims.

U.S. intelligence agencies were anchored in a system of checks and balances – with oversight from elected leaders, and protections for ordinary citizens. Meanwhile, totalitarian states like East Germany offered a cautionary tale of what could happen when vast, unchecked surveillance turned citizens into informers, and persecuted people for what they said in the privacy of their own homes.

The US has always had some checks and balances, to be sure. Whether or not they have always been followed, however, is another question entirely (see the history of J. Edgar Hoover for more details). If they had been, it’s probable that Obama’s Friday schedule would not have included this speech.

The Stasi example is also an unfortunate one to pick. The reports that the US was spying on not only its European friends, but also on the private phone lines of other governments’ leaders, led to accusations that the NSA had taken a leaf out of the Stasi’s playbook – and is doing a much more thorough job of it than the East Germans ever did.

How we got here

The horror of September 11th brought all these issues to the fore. Across the political spectrum, Americans recognized that we had to adapt to a world in which a bomb could be built in a basement, and our electric grid could be shut down by operators an ocean away. We were shaken by the signs we had missed leading up to the attacks – how the hijackers had made phone calls to known extremists and traveled to suspicious places. So we demanded that our intelligence community improve its capabilities, and that law enforcement change practices to focus more on preventing attacks before they happen than prosecuting terrorists after an attack.

The intelligence community did receive a drubbing in the wake of the attacks on September 11, 2001, and there were serious failings, although elected politicians should also shoulder a fair measure of blame.

But the 9/11 Commission and others have pointed out that the information to detect the attacks was out there – the problem was that the intelligence agencies weren’t sharing that data with each other. Since then, it seems, little has changed: two amateur teenagers were able to pull off the Boston Marathon bombing last year despite the massive collection facilities of the NSA.

Relationships with foreign intelligence services have expanded, and our capacity to repel cyber-attacks have been strengthened. And taken together, these efforts have prevented multiple attacks and saved innocent lives – not just here in the United States, but around the globe.

Intelligence certainly has saved lives, but the mass-monitoring program instituted hasn’t had that much success.

When the Snowden scandal broke, General Keith Alexander claimed that more than 50 attacks had been stopped by his agency, in the US and overseas. This number has been steadily reduced as the months have progressed, and a detailed report from the nonprofit think tank New America Foundation found 17 plots had been stopped, and only one by the US spying on its own citizens.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/18/that_obama_nsa_reform_speech_with_el_reg_annotations/

NSA sweeps up hundreds of millions of text messages daily

The National Security Agency (NSA) collects hundreds of millions of text messages from around the world every day, according to the latest revelations from Edward Snowden.

Channel 4 and the Guardian newspaper report that NSA spies collect and store around 200 million messages per day for the purposes of extracting metadata including location data, credit card information and contacts.

The Guardian reports that the documents also reveal that British spies were given access to the collected metadata, but not the actual content, of text messages sent to and from British citizens.

According to GCHQ documents, the program, codenamed Dishfire, collects “pretty much everything it can” as opposed to merely collecting communications data from current surveillance targets.

The secret program has been in operation from at least May 2008 and, by April 2011, was intercepting 194 million text messages per day. While that number may sound huge, it is only a drop in the ocean when you consider that Paul Lee, head of telecoms research at Deloitte, predicts that 50 billion such messages will be sent every day across the globe in 2014.

A leaked top secret presentation, dubbed “Content Extraction Enhancements For Target Analytics. SMS Text Messages: A Goldmine to Exploit”, gives us some idea as to the type of information being collected around the world each day.

For example, Dishfire collected data on over 6 million changes of SIM card, 5,314 instances of travel plans and over 800,000 financial transactions, including bank activity, credit card payments made to individuals and phone to phone money transfers. Dishfire even recorded the geocoordinates for 76,000 sent messages.

Documents shown in the Guardian report suggest that US phone numbers are removed from the database in accordance with US law but others, including those based in the UK, are retained.

To read the content of a message GCHQ requires a warrant, but it is allowed to search for “events” data relating to UK numbers – that is, who is contacting who and when it is happening.

It can also go back and access historical messages sent by and to a valid target, before the target was known to the authorities, once a warrant has been obtained. The Guardian quotes a GCHQ memo:

In contrast to [most] GCHQ equivalents, DISHFIRE contains a large volume of unselected SMS traffic. This makes it particularly useful for the development of new targets, since it is possible to examine the content of messages sent months or even years before the target was known to be of interest.

A separate GCHQ memo highlights the breadth of Dishfire by asking security analysts to limit their searching to 1,800 phone numbers at a time.

There was no immediate reaction to these revelations from the NSA but a GCHQ statement said:

All of GCHQ’s work is carried out in accordance with the strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate and that there is rigorous oversight.

Speaking to Channel 4 news Stephen Deadman, group privacy officer and head of legal for security, privacy and content standards at Vodafone group, commented:

What you’re describing sounds concerning to us because the regime that we are required to comply with is very clear and we will only disclose information to governments where we are legally compelled to do so, won’t go beyond the law and comply with due process.

We’re going to be contacting the Government and are going to be challenging them on this. From our perspective, the law is there to protect our customers and it doesn’t sound as if that is what is necessarily happening.

The former Interception Commissioner, Sir Swinton Thomas, said that the practice was “a worry,” before going on to tell Channel 4 news:

Certainly in my time I would take the view that it’s not open to our intelligence services to obtain or certainly to use communications or data which would not have been lawful in this country.

It’s not dissimilar to the question: Do you use material which you may have reason to believe has been obtained by torture? It’s a different area of course, but the concept is very similar.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OG6JUm5GwXg/

Obama reveals tiny NSA reforms … aka reforming your view of the NSA

President Obama has today outlined his plans to tweak the rules under which US intelligence services monitor their own population and citizens of countries around the world.

“As the nation that developed the Internet, the world expects us to ensure that the digital revolution works as a tool for individual empowerment rather than government control,” he said during a White House briefing.

“Having faced down the totalitarian dangers of fascism and communism, the world expects us to stand up for the principle that every person has the right to think and write and form relationships freely – because individual freedom is the wellspring of human progress.”

Obama announced that today’s system of collecting metadata on all US phone calls under Section 215 of the Patriot Act will be changed at some point this year. Rather than having the government hold this vast repository of data, this will either be left to the phone companies or handed off to an unnamed third party for storage, Obama said.

In addition, starting immediately, intelligence analysts will no longer be able to search the phone records without obtaining a court order, and will only be able to conduct “two-hop” searches – ie: of a specific phone number, to whom that number connected, and whatever numbers that second connection went on to communicate with – rather than the current “three-hops” system.

The secret Foreign Intelligence Surveillance Court that makes these decisions on who to investigate will also be reformed to allow greater congressional oversight. In addition, the government will appoint a panel of non-government “advocates” who will “provide an independent voice in significant cases” being heard by the court.

The use of national security letters, which are used to extract information from companies and stop them from disclosing they have done so, is also being reviewed. Obama said that these would no longer be open-ended gagging orders and companies would be able to disclose their use after a limited time – unless there’s a real government need for secrecy.

When it comes to the controversial section 702 of the FISA Amendments Act, which allows the surveillance of US citizens’ communications with foreigners, Obama said he has asked the Attorney General and the Director of National Intelligence to look at ways of strengthening privacy protections for US citizens.

If you’re not a terrorist, you have nothing to worry about, duh

As for the rest of the world Obama said that ordinary citizens (and their leaders) should not be worried that the US is spying on their communications, and he was instructing that such monitoring only be carried out for the purposes of “counterintelligence, counterterrorism, counter-proliferation, force protection for our troops and our allies, and combatting trans-national crime.”

US intelligence services will continue to gather information on the intentions of other governments, Obama said, adding that this was in line with the practices of any other government in the world. But he is appointing a member of the State Department to liaise with foreign governments and reassure them about US intentions and surveillance practices.

“The leaders of our close friends and allies deserve to know that if I want to know what they think about an issue, I’ll pick up the phone and call them, rather than turning to surveillance,” he explained.

“In other words, just as we balance security and privacy at home, our global leadership demands that we balance our security requirements against our need to maintain the trust and cooperation among people and leaders around the world.”

Obama emphasized this was the start of the reform process and he would be appointing a senior White House official to oversee the changes. Obama said he would also be happy to work with Congress to adapt US intelligence protocols further and was starting a separate, more general, review of big data and privacy.

“It’s embarrassing for a head of state to go on like that for 45 minutes and say almost nothing,” a newly bearded Julian Assange told CNN in an interview from his Ecuadorian embassy hideout in London. “What we see is kicking the ball off into the Congressional grass, kicking it off into panels of lawyers that he will appoint and instruct to report back at some stage in the future.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/17/obama_promises_limited_reforms_of_nsa_powers_against_ordinary_americans/

10 Free Or Low-Cost Network Discovery And Mapping Tools

Jailed terrorist gets extra time for refusing to divulge USB stick password

A British man already in jail for terrorist activity was given another four months for refusing to give police the password to a memory stick that they couldn’t crack.

According to The Register, Judge Richard Marks QC sentenced Syed Hussain, 22, from Luton, for refusing to give up his password, contrary to section 53 of the Regulation of Investigatory Powers Act 2000 (RIPA), the UK’s wiretapping law.

The encrypted memory stick had been seized from Hussain’s home during an April 2012 counter-terrorism operation.

Hussain and three other men were jailed in 2012 after they admitted to discussing an attack on a local Territorial Army base headquarters.

They had planned to send a homemade bomb to their targeted site via a remote controlled toy car, but the men were arrested before the attack could be carried out.

Hussain’s lawyers insisted that he couldn’t remember the password to the memory stick, citing stress as the cause of his memory lapse.

He kept up the “I forgot because I’m so stressed” argument for 11 months.

During that time, police called in experts from GCHQ, the government’s intelligence agency, but even they couldn’t get at the stick’s contents.

So police and prosecutors set a deadline: they gave Hussain until last January to cough up the password.

Then, 11 months after the deadline came and went, police told the convicted man’s lawyers that they’d launched a fresh investigation: this one into alleged credit card fraud by Hussain.

That seemed to jolt Hussain’s memory. Within days, he handed over the password.

It was “$ur4ht4ub4h8”, which the Register reports is a play on words relating to a chapter of the Koran.

When police used the password to unlock the contents of the memory stick, they found it held information relevant to the investigation into alleged fraud, but nothing relating to terrorism or national security.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kjN08PzY2DQ/

KPMG cuts its funding for UK.gov’s Cyber Security Challenge

KPMG is cutting back on its sponsorship of the UK government-backed Cyber Security Challenge after concluding the puzzle-based focus of the competition is failing to attract the right kind of potential recruits into the infosec profession.

Senior security staff at the professional services firm told Computing that it was scaling back – but not withdrawing – its involvement and sponsorship of the Cyber Security Challenge in favour of other programmes that the firm reckons are a better fit for its recruitment efforts, including working more closely with universities.


“We’ve drawn down our involvement this year, sadly we didn’t see the CVs coming through and the sponsorship is quite expensive – we are a business,” Martin Jordan, UK head of cyber security at KPMG, told the magazine. “We still sponsor it, but there are a lot of other programmes going on.”

KPMG is not looking to recruit “hacker-wannabes” but rather “very bright people that we can train,” according to Jordan.

Stephen Bonner, a partner in KPMG’s infosec practice, added that the challenge tended to emphasise puzzle solving rather than collaborating as part of a team on a project, a different skill set that is more suited to solving real world information security problems.

“Rarely in our career do we have a time-limited challenge with no conferring, it is slightly artificial and [caters for] the type of person who can perform well on their own under pressure, which is a desirable skill but not essential. Most of our problems are over a long period of time, about influencing others – not a puzzle,” Bonner explained.

Bonner credits the challenge with helping to build awareness about infosec as a profession and acknowledged it’s not the role of the Cyber Security Challenge to act as a recruitment agency. But he suggested more research on helping to close the skills gap would be preferable to business as usual for the CSC.

“I don’t think it was ever CSC’s role to find all of the candidates, they weren’t a recruitment agency. What we are yet to see is good economic research into what is causing a cyber-skills shortage and what interventions will make a difference, but it is unlikely that a series of competitions would be the most powerful [way of making a difference],” he explained, adding that CSC should focus more of its efforts on improving school computing syllabuses.

The Cyber Security Challenge’s main aim is to bring more talented people into the cyber security profession, according to the organisation itself, and a recent promo video. The Challenge started in 2010 with three competitions and has since expanded to a set of 20 exercises intended to reflect the broad range of skills required in the cyber security profession.

The challenge is funded by the UK government and private sector firms including BT, Sophos, HP, QinetiQ and others.

In response to queries from El Reg, Stephanie Daman, chief exec of the Cyber Security Challenge, issued a strong defence of the programme, which she argued goes beyond serving as a tool for recruitment.

“Stephen [Bonner] is right to state that we are not a recruitment agency and therefore our success cannot be measured by the number of CVs that just one of our 70 or more sponsors has received,” Daman said. “The fact is many of our backers have welcomed new recruits as a result of their participation in the Challenge, but this is really a by-product of our core objective which is raising awareness of cyber security career opportunities amongst people who have the right potential.”

“Examples of direct employment as a result of Challenge participation are only the tip of the iceberg in terms of the impact we are having. Many more candidates are enrolling in their first cyber security training programmes and university courses, gaining entry to industry events and meeting with key employers in order to improve their knowledge of, and suitability for, job opportunities in the coming years,” she added.

Daman acknowledged KPMG had a point in arguing that awareness about cyber security as a career needs to be involved in both schools and universities.

“We also agree with Stephen on the importance of tackling this issue in the classroom which is why this year the Challenge launched a pilot schools initiative,” Daman said. “This has already seen classes of students in over 550 secondary schools up and down the country learning about the industry and beginning to develop code-breaking and cryptography skills. Its success has meant the Cabinet Office have backed the programme for another year, incorporating it officially as part of the UK Cyber Security strategy.”

Computer forensics firm Guidance Software has trained 50,000 cyber investigators; Sam Maccherola, EMEA managing director of Guidance Software, said there’s a growing need for suitably qualified cyber security staffers.

“There is a growing demand for professionals who can apply investigative skills to the new threat landscape, which is moving towards a climate of highly targeted state sponsored attacks and cyber espionage,” Maccherola commented. “Training and recruitment will play a vital role in bolstering our defences against cyber attacks in the future.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/17/kpmg_csc/