STE WILLIAMS


Intel ditches McAfee brand: ‘THANK GOD’ shouts McAfee the man


CES 2014 Intel has announced plans to phase out the infamous McAfee anti-virus brand over the next year in favour of a new Intel Security brand.

The re-branding will begin immediately, but the transition will take up to a year before it is complete with the introduction of new versions of security software products from the technology giant. The shield – which represents the core values of security and protection – will remain and McAfee will continue to operate as a wholly owned subsidiary of Intel, albeit under the Intel Security umbrella.


Brian Krzanich, chief exec of Intel, announced the branding change during a presentation at CES 2014, the consumer technology conference taking place in Las Vegas this week.

Krzanich also debuted Intel Edison, a new computer in an SD card form factor with built-in wireless and support for multiple operating systems, along with wearable technology and combined Windows/Android systems. Yet the confirmation of a rumoured decision to ditch the McAfee brand has provoked the strongest reactions in the tech world.

John McAfee, the maverick tech businessman who founded McAfee Associates back in 1987, but has had nothing to do with the firm since leaving in 1994, long before Intel’s $7.6bn acquisition in August 2010, reacted with unbounded enthusiasm to news of the name change.

Intel first floated plans to drop the McAfee brand last month, a development John reacted to with glee.

“Thank God. I will no longer have 2 apologise for the @McAfee software,” he said in a Twitter update at the time.

McAfee (the man) then told the BBC yesterday that he was elated about Intel dropping his name from its security products. “I am now everlastingly grateful to Intel for freeing me from this terrible association with the worst software on the planet,” McAfee (the man) said. “These are not my words, but the words of millions of irate users.”

“My elation at Intel’s decision is beyond words,” he added.

McAfee (the man) has been trenchant and consistent in his criticism of software that bore his name. Last year the self-described “eccentric millionaire” released a video of himself featuring strippers, snorting “bath salts” (hey, that’s what the labels on the white containers in the video say – Vulture Central’s backroom gremlins) and playing up to the worst excesses of his reputation by “uninstalling” the firm’s anti-virus software with a handgun. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/07/intel_ditches_mcafee_brand/

3 Themes For Implementing PCI DSS 3.0 For SMBs

2013 was not only a year of multiple major breaches exposing cardholder data (CHD) but also the year in which the Payment Card Industry Security Standards Council (PCI SSC) released the next major revision of the Payment Card Industry Data Security Standard, version 3.0. The PCI DSS v3.0 changes are largely aimed at misinterpretations and misapplications of requirements meant to reduce the risk of such attacks. There are some “evolving requirements” (read: new requirements) in this version, but mostly version 3.0 addresses a general lack of awareness and appropriate implementation of existing requirements. Small and medium businesses implementing PCI DSS typically do not require a Qualified Security Assessor (QSA) and either implement these requirements on their own or with the help of a security consultant. This series of posts is aimed at those planning their 2014 PCI DSS strategy and covers three distinct and important themes found in PCI DSS 3.0.

PCI DSS 3.0 for SMBs Theme 1: Scope
The cardholder data environment (CDE) comprises a) all system components that store, process, or transmit CHD, b) any component that is directly connected to those systems, and c) any component that supports those systems. Element a) of that definition is well understood, but proper segmentation of connected systems (element b) is often overlooked, and supporting systems such as update servers and authentication services (element c) have been erroneously left out of scope in many SMB PCI DSS scoping diagrams.

The result of an inaccurate PCI DSS scope is the misapplication of requirements, a non-compliant business, and a more vulnerable environment. Such misapplication of requirements is widespread, and the PCI SSC has specifically strengthened its guidance and requirements to address it. The following revisions to PCI DSS address the CHD scope issue:

Current Network Diagram – Really! [Requirement 1.1.2 – Clarification; Requirement 1.1.3 – New] The Council went out of its way to explain that not only do you need a current network diagram with all connections to CHD but also one that identifies all connections between the cardholder data environment (CDE) and all other networks. This is an important exercise in determining the scope of your CDE and the applicability of PCI DSS requirements to your network components.

Inventory of System Components [Requirement 2.4 – New; Requirement 11.1.1 – New] There is a new requirement to maintain a formal inventory of the system components within the CDE. Its purpose is to ensure that configuration standards are applied to every CDE component. In many SMBs the inventory can be built alongside the network diagram; in more complex environments an automated inventory process is advisable. Another new requirement states that organizations must maintain an inventory of authorized wireless access points, including the business justification for each.

Penetration Testing – Verify Proper Segmentation [Requirement 11.3 – New; Requirement 11.3.4 – New] There is a new requirement for a penetration testing methodology that (among other things) includes the testing of the segmentation and scope-reduction controls. Furthermore, a specific new requirement was created for annual penetration testing to verify that segmentation methods are operational and effective in isolating CDE system components from those components deemed out-of-scope.
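As an added illustration (example code written for this page, not from the article or from Lantego Security), the following Python script takes a small constructed inventory of the kind a network diagram yields, derives which components fall into the CDE under the three-part definition above, and then checks a constructed nmap -oG scan, run from a segment you consider out of scope, for CDE hosts that still answer, which is the segmentation test Requirement 11.3.4 calls for. The host names, segments, firewall policy and scan lines are all made up, and treating "directly connected" as "same segment or a permitted firewall flow" is this example's simplification of the Council's wording.

```python
"""Added example (not from the Dark Reading article or its author): derive
the PCI DSS scope from a network diagram and check a segmentation scan
against it. Every host, network and scan line below is constructed for
illustration; the 'same segment or permitted flow' reading of "directly
connected" is this example's simplification, not the Council's wording."""
import re

# Constructed inventory (Req. 2.4), as you would lift it off the network
# diagram (Req. 1.1.2/1.1.3): which segment each box sits on, whether it
# handles CHD, and which CDE systems it provides a service to (auth,
# patching, logging) even though it never touches card data itself.
COMPONENTS = {
    "pos-01":      {"net": "pos-lan",  "chd": True,  "supports": []},
    "pos-02":      {"net": "pos-lan",  "chd": True,  "supports": []},
    "pay-gw":      {"net": "pay-dmz",  "chd": True,  "supports": []},
    "back-office": {"net": "pos-lan",  "chd": False, "supports": []},  # same VLAN as the tills
    "ad-dc":       {"net": "corp-lan", "chd": False, "supports": ["pos-01", "pos-02"]},
    "wsus":        {"net": "corp-lan", "chd": False, "supports": ["pos-01", "pos-02", "pay-gw"]},
    "hr-file":     {"net": "corp-lan", "chd": False, "supports": []},
    "guest-wifi":  {"net": "guest",    "chd": False, "supports": []},
}

# Constructed firewall policy: (source segment, destination segment) pairs
# that may initiate connections. Anything not listed is meant to be blocked.
ALLOWED_FLOWS = {("pos-lan", "pay-dmz")}


def in_scope(components, flows):
    """Map each in-scope component to the clause of the CDE definition that
    pulls it in: a) handles CHD, b) directly connected, c) supporting."""
    scope = {n: "a) stores, processes or transmits CHD"
             for n, c in components.items() if c["chd"]}
    cde_nets = {components[n]["net"] for n in scope}
    for n, c in components.items():
        if n in scope:
            continue
        if c["net"] in cde_nets:
            scope[n] = "b) shares a network segment with a CHD system"
        elif any((c["net"], net) in flows for net in cde_nets):
            scope[n] = "b) has a permitted connection into the CDE"
    for n, c in components.items():
        if n not in scope and any(t in scope for t in c["supports"]):
            scope[n] = "c) provides a service to CDE systems"
    return scope


# nmap -oG "Ports:" entries look like 22/open/tcp//ssh///; keep port, state, proto.
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")


def parse_grepable(text):
    """Parse nmap grepable (-oG) output into {host: [(port, state, proto)]}."""
    found = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        head, ports = line.split("Ports:", 1)
        _, ip, label = head.split()[:3]
        host = label.strip("()") or ip
        found.setdefault(host, []).extend(
            (int(p), state, proto) for p, state, proto in _PORT_RE.findall(ports))
    return found


def segmentation_failures(scan, scope):
    """For a scan run FROM an out-of-scope segment, return the in-scope hosts
    that answered on any port: each one is a hole in the segmentation that
    Req. 11.3.4 asks you to test for."""
    return {h: [p for p, s, _ in ports if s == "open"]
            for h, ports in scan.items()
            if h in scope and any(s == "open" for _, s, _ in ports)}


# Constructed sample: what a tester on the guest network might get back.
SCAN_FROM_GUEST = """\
# Nmap 6.40 scan (constructed sample) as: nmap -oG - -p 22,443,3389 10.10.1.0/24
Host: 10.10.1.11 (pos-01)\tPorts: 22/filtered/tcp//ssh///, 443/filtered/tcp//https///, 3389/filtered/tcp//ms-wbt-server///
Host: 10.10.1.12 (pos-02)\tPorts: 22/filtered/tcp//ssh///, 443/filtered/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 10.10.1.50 (back-office)\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///
"""

if __name__ == "__main__":
    scope = in_scope(COMPONENTS, ALLOWED_FLOWS)
    for name, why in sorted(scope.items()):
        print(f"{name:12} in scope: {why}")
    for host, ports in segmentation_failures(parse_grepable(SCAN_FROM_GUEST), scope).items():
        print(f"SEGMENTATION FAILURE: {host} reachable from guest on {ports}")
```

Run as-is it lists six in-scope components (the HR file server and the guest network stay out) and two segmentation failures in the sample scan. For a real assessment, replace the scan constant with nmap -oG output taken from each segment you treat as out of scope, and bear in mind that "filtered" on the three ports tested is not proof of isolation: the check only covers the ports you actually scanned.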

Determine and Reduce your Scope Now.
The PCI DSS v3.0 standards are now in effect and organizations have until the end of the year to become compliant. Organizations have adequate time to address these new requirements but determining the proper scope of the CDE (and taking steps to reduce it) is the first step.

Doug Landoll is CEO of Lantego Security, a firm specializing in assisting organizations with information security compliance (HIPAA, PCI, FISMA), and can be reached at [email protected].

Article source: http://www.darkreading.com/smb/3-themes-for-implementing-pci-dss-30-for/240165147

Researcher Uncovers Backdoor In DSL Routers

A researcher has discovered what he describes as a “backdoor” in DSL routers that could enable attackers to gain administrative access.

In a post on the GitHub site, researcher Eloi Vanderbeken offers a proof of concept showing how he was able to crack his own Linksys DSL router and gain administrative access to a home network without authentication. Subsequent posts indicate that the proof of concept would also work on routers made by other vendors.

The backdoor was found through scans of a little-known port, 32764/TCP, which is now being scanned more broadly, according to the Internet Storm Center (ISC).

“We do see a lot of probes for port 32764/TCP,” says ISC’s Johannes Ullrich in an online post. “At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network.

“Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs [on Jan. 2],” ISC’s post says.


Article source: http://www.darkreading.com/perimeter/researcher-uncovers-backdoor-in-dsl-rout/240165180

Palo Alto Networks Announces First Acquisition

Santa Clara, Calif., Jan 6, 2014 – Palo Alto Networks (NYSE: PANW), today announced it has acquired Morta Security, a Silicon Valley-based cybersecurity company operating in stealth mode since 2012. Financial terms of the acquisition were not disclosed.

The acquisition of Morta Security further cements Palo Alto Networks as the leading provider of next-generation enterprise security. Palo Alto Networks offerings uniquely provide enterprises the ability to safely enable applications and rapidly detect and prevent threats, especially those that use an increasingly sophisticated array of tactics to compromise networks and gain access to valuable intellectual property.

Morta Security brings to Palo Alto Networks a team experienced at protecting national infrastructure as well as technologies that enhance the proven detection and prevention capabilities of the Palo Alto Networks WildFire™ offering, which is already used by more than 2,400 customers.

QUOTES

“The Morta team brings additional valuable threat intelligence experience and capabilities to Palo Alto Networks,” said Mark McLaughlin, President and CEO of Palo Alto Networks. “The company’s technology developments align well with our highly integrated, automated and scalable platform approach and their contributions will translate into additive threat detection and prevention benefits for our customers.”

“Palo Alto Networks has a successful history of disrupting the network security landscape with its unique offerings,” said Raj Shah, CEO of Morta Security. “The Morta team is excited to work with the clear leaders in this space and we look forward to joining the company and contributing to future highly innovative technology leadership.”

Advanced Threats Demand Automated and Scalable Approach

Today’s sophisticated attacks increasingly rely on a combination of tactics and threat vectors to penetrate an organization and often remain undetected for extended periods of time while inflicting long-term damage. Most organizations still rely on legacy point technologies that address only specific types of attacks, or phases of the attack. Because of the singular nature of these technologies, they are ill-equipped to detect and prevent today’s advanced cyber attacks. And, when they are finally discovered, they typically require significant human incident response efforts. As the volume and sophistication of these attacks continues to grow, throwing more point products and human capital at the challenge is too costly and cumbersome for most organizations.

To address these challenges, a new approach is required: One that begins with positive security controls to reduce the attack surface; inspects all traffic, ports, and protocols to block all known threats; rapidly detects unknown threats through analysis and correlation of abnormal behavior; then automatically employs new signatures and policies back to the front line to ensure previously unknown threats are known to all and blocked. This approach can reduce the number of threats that penetrate an organization and greatly reduce the need for costly human remediation.

Palo Alto Networks is pioneering the development of this kind of automated approach; it starts with the firewall as the core enforcement vehicle within the network and is complemented by advanced detection services to increase overall efficacy. With its security platform, Palo Alto Networks builds greater visibility upstream combined with strong prevention mechanisms of both known and unknown threats. The Morta team’s cybersecurity expertise and technologies will fit seamlessly into this approach by adding capabilities that can expedite the detection of new attack variations.

To learn more about the Palo Alto Networks security platform and WildFire offering, visit: https://paloaltonetworks.com/products/features/apt-prevention.html.

ABOUT PALO ALTO NETWORKS

Palo Alto Networks is leading a new era in cybersecurity by protecting thousands of enterprise, government, and service provider networks from cyber threats. Unlike fragmented legacy products, our security platform safely enables business operations and delivers protection based on what matters most in today’s dynamic computing environments: applications, users, and content. Find out more at www.paloaltonetworks.com.

Article source: http://www.darkreading.com/management/palo-alto-networks-announces-first-acqui/240165181

“Followup phish” targets possible victims of last month’s JP Morgan Chase card breach

Here’s a brief reminder of how cybercriminals use real security disasters to cause follow-up disasters of their own.

You’ll probably remember that we wrote, almost exactly a month ago, about a data breach at JP Morgan Chase.

About 450,000 of the 25,000,000 users of Chase’s UCARD debit card product had their card data stolen.

That put just under 2% of cardholders in the hot seat, which was bad enough, but left the other 98% in a sort of data security limbo.

Was there a problem or not?

Would Chase’s investigations lead to further action or not?

Would they get a warning some time down the track, like many users did in the wake of Adobe’s giant breach last year?

With this in mind, we weren’t surprised, here at Naked Security, to receive what you might call a “Chase Followup Phish,” looking like this:

Dear Chase Paymentech User,

During one of our regular verification procedures we’ve encountered a problem caused by the recent database breach. Please, take a time to complete the following information on your profile to end our identity verification process. Otherwise your access to Chase Paymentech services will be stopped.

To verify information now, please follow the link:
[CLICK HERE]

The phish isn’t terribly sophisticated, as it dumps you at a merchant page, not at a UCARD page.

(Merchants are Chase customers who process payments; UCARD customers are Chase product users who hold a benefit payments card to make purchases.)

Nevertheless, the phish passes casual visual muster, because the HTML, stylesheet and imagery are all ripped off from Chase’s own servers:

Actual merchants shouldn’t be fooled, because Chase’s official merchant login pages look quite different to the phish.

They also ask for different information, and use HTTPS with a certificate officially issued to Chase Paymentech:
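The tell described above, a page whose stylesheet and images are pulled from the brand's own servers while the credentials go to the phisher, can be checked mechanically. The following Python heuristic is an added example (not code from Naked Security or from Chase): it parses a page, records where its assets load from and where its forms post to, and flags a password form whose branding is borrowed from a domain that the form does not post to. The two HTML documents are constructed for illustration, the domain names are placeholders, and the "last two labels" rule for the registrable domain is a simplification a real tool would replace with the Public Suffix List.

```python
"""Added example, not from the Naked Security post: flag a login page that
borrows its look from one site but sends the credentials somewhere else.
The HTML samples are constructed; the domain names are placeholders; the
'last two labels' domain rule is a simplification (use the Public Suffix
List in a real tool)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _PageOrigins(HTMLParser):
    """Collect where forms post to, where assets load from, and whether
    the page asks for a password at all."""

    def __init__(self):
        super().__init__()
        self.form_targets, self.asset_hosts, self.asks_password = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_targets.append(a.get("action") or "")
        elif tag in ("img", "script") and a.get("src"):
            self.asset_hosts.append(urlparse(a["src"]).hostname or "")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "") and a.get("href"):
            self.asset_hosts.append(urlparse(a["href"]).hostname or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.asks_password = True


def registrable(host):
    """Crude registrable domain: the last two labels (assumption, see above)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def assess_login_page(html, page_url):
    """Return findings for a page fetched from page_url. It is flagged when it
    collects a password, its branding assets come from a domain other than
    the page's own, and the form posts anywhere other than that brand's
    domain (a relative action posts back to the page's own host)."""
    p = _PageOrigins()
    p.feed(html)
    page_dom = registrable(urlparse(page_url).hostname or "")
    asset_doms = {registrable(h) for h in p.asset_hosts if h}
    form_doms = {registrable(urlparse(t).hostname or "") or page_dom for t in p.form_targets}
    borrowed = asset_doms - {page_dom}
    return {
        "https": urlparse(page_url).scheme == "https",
        "asks_password": p.asks_password,
        "page_domain": page_dom,
        "borrowed_asset_domains": sorted(borrowed),
        "form_domains": sorted(form_doms),
        "suspicious": p.asks_password and bool(borrowed) and not form_doms <= borrowed,
    }


# Constructed look-alike: the brand's own stylesheet and logo, credentials to the phisher.
PHISH_HTML = """<html><head>
<link rel="stylesheet" href="https://www.chase.com/content/site.css"></head><body>
<img src="https://www.chase.com/content/logo.png">
<form action="/verify.php" method="post">
<input name="user"><input type="password" name="pass"><input type="submit"></form>
</body></html>"""

# Constructed legitimate page: everything, including the form, on the brand's own domain.
LEGIT_HTML = """<html><head>
<link rel="stylesheet" href="https://www.chasepaymentech.com/static/site.css"></head><body>
<form action="https://secure.chasepaymentech.com/login" method="post">
<input name="user"><input type="password" name="pass"><input type="submit"></form>
</body></html>"""

if __name__ == "__main__":
    print(assess_login_page(PHISH_HTML, "http://account-review.example/chase/"))
    print(assess_login_page(LEGIT_HTML, "https://secure.chasepaymentech.com/login"))
```

The heuristic will misfire on legitimate sites that serve assets from a separate CDN domain, so treat it as a triage signal next to the points the post makes (the URL you arrived from, the presence of HTTPS, and whose name is on the certificate), not as a verdict.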

Bear in mind that even – perhaps especially! – a bank that has suffered a security lapse won’t email you with a clickable link that takes you to a login page.

That’s to force you to log in under your own steam, where the link you use is not controlled by some outsider who just sent you an email.

So whenever you receive an email link that does go to a login page, like this one, you can immediately be certain it is bogus.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/m4iSb3HXF9k/

App to manage Android app permissions


The app has been created in response to the poor control that Android natively offers over app permissions. As Facebook users have noted over the last few weeks, for example, the Facebook Android app is now demanding access to SMS / MMS, calendar events, and WiFi control.
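You do not need a third-party app to see what an installed app has asked for: `adb shell dumpsys package <package>` prints the manifest's requested permissions and which were granted. As an added example (written for this page, not code from The Register or SnoopWall), the Python below parses that output and flags the categories the article mentions. The dumpsys text is a constructed sample in the layout `dumpsys package` uses, the package name is a placeholder, and the grouping of permissions into categories is this example's own; the permission identifiers themselves are real AOSP names.

```python
"""Added example, not from the Register article or SnoopWall: list what an
installed Android app asked for, from `adb shell dumpsys package <pkg>`,
and flag the categories the article mentions. The dumpsys text is a
constructed sample; the package name is a placeholder."""
import re

# Permission names are real AOSP identifiers; the grouping is this example's.
WATCHLIST = {
    "SMS/MMS":      {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                     "android.permission.SEND_SMS", "android.permission.RECEIVE_MMS"},
    "calendar":     {"android.permission.READ_CALENDAR", "android.permission.WRITE_CALENDAR"},
    "WiFi control": {"android.permission.CHANGE_WIFI_STATE"},
    "location":     {"android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts":     {"android.permission.READ_CONTACTS"},
}


def parse_dumpsys_package(text):
    """Return {package: {"requested": [...], "granted": [...]}} from dumpsys
    output. 'requested permissions:' is what the manifest asks for;
    'install permissions:' is what was granted at install time."""
    pkgs, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            current = pkgs.setdefault(m.group(1), {"requested": [], "granted": []})
            section = None
        elif current is None:
            continue
        elif line == "requested permissions:":
            section = "requested"
        elif line == "install permissions:":
            section = "granted"
        elif line.endswith(":"):  # any other subsection header ends the list
            section = None
        elif section == "requested" and line.startswith("android."):
            current["requested"].append(line)
        elif section == "granted" and line.startswith("android."):
            name, _, flags = line.partition(":")
            if "granted=true" in flags:
                current["granted"].append(name)
    return pkgs


def flag_sensitive(requested, watchlist=WATCHLIST):
    """Map each watchlist category to the requested permissions that hit it."""
    asked = set(requested)
    return {cat: sorted(asked & perms) for cat, perms in watchlist.items() if asked & perms}


# Constructed sample (not real dumpsys output from any device or app).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.social] (4a1b2c3):
    userId=10087 gids=[3003]
    versionCode=3000 targetSdk=19
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_MMS
      android.permission.READ_CALENDAR
      android.permission.CHANGE_WIFI_STATE
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.RECEIVE_MMS: granted=true
      android.permission.READ_CALENDAR: granted=true
      android.permission.CHANGE_WIFI_STATE: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true
    User 0:  installed=true
"""

if __name__ == "__main__":
    for pkg, perms in parse_dumpsys_package(SAMPLE_DUMPSYS).items():
        print(pkg)
        for category, hits in flag_sensitive(perms["requested"]).items():
            print(f"  {category}: {', '.join(hits)}")
```

On a real device pipe `adb shell dumpsys package com.example.app` into `parse_dumpsys_package`; on the Android releases current at the time of the article every requested permission is granted at install, which is why the "granted" list in the sample mirrors the "requested" one.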

SnoopWall is one of the growing class of permission management apps, a segment that’s attracted growing interest ever since Google’s bungled on-then-off release of App Ops in December.


That misstep prompted a furious response from the Electronic Frontier Foundation, which pointed out that many apps simply don’t need the permissions they request (citing the case of a flashlight app that was slapped down by the FTC in December).

Described by the company as “counterveillance anti-spyware software for consumers”, SnoopWall is designed to block eavesdropping, protect the camera, microphone, GPS, Bluetooth, NFC, WiFi and “other high-risk data ports”.

Too much information: Facebook’s permission requests, posted to Twitter by @jturner_ibrs.

Users can also manage which ports are available to individual apps. “This privacy and security feature lets users disable the ability of individual apps to access sensitive, personally identifiable information such as geographic location and address book data,” the company says.

The app is now available for download from Google Play, here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/07/app_to_manage_android_app_permissions/


Watch out! Facebook is NOT closing in March – please don’t spread the hoax!

It’s the first calendar quarter of the year.

With February and March on the visible horizon, we’re seeing the annual reappearance of “Facebook is closing” hoaxes.

The hoaxes look something like this:

Dear Facebook members, Facebook is supposed to be closing down March 15th because it is becoming very overpopulated. There have been many members complaining that Facebook is becoming very slow. Records show that there are many active Facebook members and also many new members. We will be sending this message around to see if members are active or not. If you are active please send to 15 other users using copy+paste to show that you are still active. Those who do not send this message within 2 weeks will be deleted without hesitation to make more space. Send this message to all of your friends to show that you are still active and you will not be deleted. Founder of Facebook. Remember to send this to 15 other people so your account wont be deleted.

It certainly sounds unlikely, doesn’t it?

Facebook closing down because it has too many members?

Facebook trying to reduce traffic by kicking off members who do nothing (and who thus produce no traffic), yet keeping members who participate in a chain letter that produces only a giant flurry of wasted traffic?

Mark Zuckerberg, who was born, bred and educated as an Anglophone American, writing in such stilted English?

And the reason it sounds unlikely is because it is unlikely, and it’s unlikely because it’s a pile of garbage.

Invitations to participate in chain letters should always be avoided, because getting involved is almost like joining in a DDoS attack: you’re generating loads of wasteful traffic, and actively urging others to do the same.

The problem with chain letters is that if they succeed, their distribution grows exponentially, at least for a while.

To see why, let’s do the arithmetic.

We’ll assume perfect propagation, where each recipient sends the message to 15 brand new recipients. (That’s admittedly very unlikely, but we’re looking at the principle here.)

In other words, by participating you become part of the problem, not part of the solution.

Other popular “Facebook closure” memes in previous years have warned you about Facebook closing from 29-31 February, a hoax that is rather more obvious (at least in non-leap years, when February has only 28 days), but still seems to attract plenty of interest.

Frictionlessness

One of the problems with modern social networking is the concept of frictionlessness, which is a measure of how easy it is to interact with the system.

This is one of the reasons that Facebook and other online services like Twitter are happy for you to be logged in all the time: the buttons they provide for liking, sharing, retweeting, endorsing, approving, and so on, work with a single click if you are logged in.

If you make a habit of logging out of Facebook, Twitter and other services when you are not actively engaged with them, you will add a tiny bit of hassle to your digital life.

But you will stop yourself being sucked into hoaxes, scams, bait-and-switches, and much more, if you are logged out more than you are logged in.

That’s because an ill-considered or an unexpected click on a social networking button will bring up a “You need to login” dialog whenever you are logged out.

This gives you a second chance to consider if you really intended the action you just performed, as well as keeping you safe from malicious behaviour such as clickjacking.

Clickjacking is visual trickery that makes you think you are clicking on something of your own choice, but behind the scenes you are clicking – and thus endorsing – something else entirely, such as a Like.
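Logging out is the user's defence against clickjacking; the site's defence is to refuse to be framed at all, since the trick depends on loading the real Like button inside an attacker's page. As an added example (written for this page, not code from Naked Security or from any social network), the Python function below grades a response's anti-framing headers, preferring the Content-Security-Policy frame-ancestors directive and falling back to X-Frame-Options, and shows a weak header set next to a hardened one. The header sets are constructed for illustration.

```python
"""Added example, not from the Naked Security post: grade a response's
anti-framing headers (the site-side defence against clickjacking).
The header sets are constructed for illustration."""


def framing_protection(headers):
    """Describe whether a response can be framed by a third-party page.
    headers: dict of response header name -> value, matched case-insensitively.
    Browsers that support CSP frame-ancestors ignore X-Frame-Options when
    both are present, so the CSP directive is checked first."""
    h = {k.lower(): v for k, v in headers.items()}
    result = {"framable_by_third_party": True, "mechanism": None, "note": ""}

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            result["mechanism"] = "CSP frame-ancestors"
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                result["note"] = "frame-ancestors allows any origin"
            else:  # 'none', 'self' or an explicit allow-list of hosts
                result["framable_by_third_party"] = False
            return result

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        result.update(framable_by_third_party=False, mechanism="X-Frame-Options")
    elif xfo.startswith("ALLOW-FROM"):
        result.update(mechanism="X-Frame-Options",
                      note="ALLOW-FROM is not honoured by all browsers; use frame-ancestors")
    elif xfo:
        result["note"] = f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers"
    else:
        result["note"] = "no anti-framing header; add frame-ancestors 'none' or X-Frame-Options DENY"
    return result


# Constructed header sets: a weak response beside a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html", "Set-Cookie": "session=abc; Path=/"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",  # fallback for browsers without CSP level 2
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, framing_protection(hdrs))
```

A page that legitimately needs to be embedded by a partner lists that partner explicitly in frame-ancestors rather than opening it to everyone; a Like button that must work inside other sites is the one case where the embedding origin cannot be locked down, which is exactly why the user-side habit of staying logged out matters.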

Stray clicks, fallacious likes and bogus tweets are all easy to propagate when you stay logged in to social networking services as a matter of routine.

Further information

If you’re in any doubt as to how this can contribute to the problem, sucking in yet more victims, take a look at this Bait-And-Switch video, where we look at how fake Tweets can put other people in harm’s way:

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mB37buwDX1A/

Should we care if over a million schoolkids have been fingerprinted?

A study released last week by privacy campaigners Big Brother Watch (BBW) claims that as many as 1.28 million schoolchildren in the UK may have had their fingerprints taken by their school authorities last year.

It also estimates that over 30% of schools did not obtain permission before taking fingerprints, prior to new regulations that came into force in late 2013 requiring parental consent.

The report’s findings have been picked up by national media and seem to be having the desired effect of drawing attention to the use of biometrics in UK schools, with the expected hand-wringing about the gradual erosion of privacy.

The use of biometrics in schools is not a new thing. Mainly relying on fingerprint reading, biometric systems have been used to record attendance, charge for catering and manage library use since at least 2001 in the UK, with early instances recorded in the late nineties in the US.

There were similar stories back then too, with civil rights campaigners highlighting the numbers being fingerprinted and the lack of proper consent.

The issue has popped up repeatedly since, with another pressure group, the now-defunct LeaveThemKidsAlone, claiming a figure of 2 million fingerprinted children in 2009.

The BBW study seems to have a rather more credible scientific basis, but still relies on a fair amount of extrapolation to reach the 1.28 million figure. Using Freedom of Information requests, they surveyed over 2,500 schools, but received responses from only 1,255. Of these, 499 admitted to using biometrics, affecting over 500,000 pupils.

These figures were then extended to cover all UK schools assuming the same ratios, to give a potential figure of 866,000 affected children for the 2012-2013 school year.

As the report was released a third of the way through the following school year, the report’s authors assume an increase in biometric use from 25% to 30% of schools, and this combined with annual overall growth figures for schools produces the 1.28 million estimate.

While many of these assumptions and extrapolations seem reasonable, they do leave the report open to accusations of hype.

The numbers themselves and even their accuracy are perhaps not so important though. Even the most pedantic of quibblers would find it difficult to deny that biometric use in schools has been growing steadily over the last decade or so, and looks likely to become the norm within the next few years.

But just because it is becoming more popular, does it mean it’s a good thing?

For the schools it certainly seems to have benefits. Everyone needs to cut costs these days, and biometric systems are apparently more efficient and cheaper to operate than old-fashioned methods based on cash, ID cards or pen-and-paper records.

But under new consent rules which came into force in September 2013, schools will have to give pupils the option to refuse to take part in biometric schemes, and even if they are up for it, written parental consent will be required for all under-18s.

According to the BBW figures measured prior to the introduction of the new rules, 31% of schools were not obtaining any kind of consent before enrolling pupils in their biometric systems.

So lower-tech methods will have to remain available to cater to the refuseniks, which will doubtless take a chunk out of those savings.

Alongside the cost issue, some schools have pointed out the social value of the schemes, as they mean children receiving state support for meals etc. are not explicitly marked out from their peers, although it seems likely there would be other ways of achieving this.

The other side of the argument is dominated by the privacy and civil liberties angle. BBW argues that if we start indoctrinating our kids to the idea that their identity should be open to tracking and monitoring at all times, we risk reducing our society to an Orwellian nightmare of supervision and control.

Going to school should not mean kids are taught they have no privacy, especially at a time when we are sharing more data about ourselves than ever before. Fingerprinting them and tracking what they do might save some admin work but the risk is pupils think it is normal to be tracked like this all the time. Schools need to be transparent about what data is being collected and how it is used.

It won’t be long, it seems, before we’re all being identified by the barcodes tattooed on our foreheads at birth.

The use of automated systems to identify people doing different things also opens up opportunities to cross-match that data to provide deep tracking of our activities and behaviours, the sort of stuff that both advertisers and government snoops adore.

At the moment all data held by schools should be kept strictly private and destroyed when pupils leave, but given the history of schools getting into bed with fast food chains and controversial religions, many fear that selling on data to the Facebooks and Googles of the future may only be a few more credit crunches away.

The other potential issue is the security of data, which is pretty likely to be at risk from time to time, given the record of educational establishments when it comes to keeping data private and reliable.

In some cases it’s even the kids themselves who bypass security.

Biometrics remains a fairly new field, with the process of defining standard techniques still under way and even expensive implementations of fingerprinting fairly easily subverted. So even if these methods should be used, there are questions over whether they can be used accurately and reliably, yet.

Given all these concerns, it seems there are some strong reasons to worry about the trend of schools adopting biometrics, above and beyond the instinctive antipathy many of us have for identity tracking.

Despite this gut reaction, I can see value in simplifying authentication in schools, as in all settings. But it’s something that needs to be done with care, precision and, above all, openness. We need to know exactly what’s being tracked, how and why, what data is stored, who it’s shared with and how it’s secured, and much more besides.

Any time the way we operate our societies changes significantly, we need to analyse and debate all aspects of the change to ensure we’re going the right way. With incremental advancements in technology, there’s a danger those changes will happen slowly over time, without us noticing what might be happening.

So it’s good to see BBW and their ilk calling us on our possible ignorance of what’s been going on around us for the last decade.

Perhaps eventually people will start to take notice, and start really thinking about what privacy risks are worth taking in the name of cut costs and improved efficiency.


Images of fingerprints and hand courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CUavlT8uoBs/