STE WILLIAMS

Post-BT crypto guru Schneier gets new gig at startup


Famed cryptographer and security guru Bruce Schneier has moved on from his seven years at BT. Just one month later, he has accepted the role of CTO at incident response startup Co3 Systems.

Schneier left BT last month following a seven-year association with the telco giant by mutual consent. Both parties were keen to stress that the working relationship had come to its natural end, dismissing suggestions that Schneier’s recent criticism of the NSA’s dragnet surveillance programmes had precipitated his departure.


Co3 Systems makes co-ordination software for incident response. Schneier had previously served on Co3 Systems’ advisory board and by joining the firm full time he will be reunited in a working partnership with people he worked with at Counterpane Internet Security prior to the security services firm’s purchase by BT in October 2006. John Bruce, Co3’s chief exec, formerly served as executive vice president of marketing at Counterpane.

“I’m pretty excited about this,” Schneier told El Reg in an email. “It’s good to be back at a startup. Plus, John Bruce and I worked together at Counterpane, so we both know exactly what we’re getting ourselves into.

“Remember protection, detection, and response?  Counterpane was about the second.  Co3 is about the third.  It’s something we should have done at Counterpane, and probably would have had BT not purchased us in 2006,” he added.

More details about the move can be found in a post on Schneier’s personal blog here.

In a statement, Co3 Systems said Schneier’s role in the startup “will be to inform and guide Co3’s technology and business strategy, evangelizing the ‘responsive security’ model that he has advocated for many years.”

Schneier’s a busy guy. As well as writing numerous books on information security and cryptography over the past few years, Schneier also currently serves as a fellow at the Berkman Center for Internet and Society at Harvard Law School; is a program fellow at the New America Foundation’s Open Technology Institute; a board member of the Electronic Frontier Foundation; and an Advisory Board Member of the Electronic Privacy Information Center. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/06/schneier_joins_startup/

Steam and Origin gamers knocked offline by SEPARATE DDoS attacks


Valve’s online gaming platform Steam and Electronic Arts’ Origin were hit by separate DDoS attacks over the weekend.

An assault by a crew calling themselves DerpTrolling left EA Origin’s online systems intermittently unavailable for around 24 hours while a separate attack knocked Steam offline for around an hour on Friday.


DerpTrolling (https://twitter.com/DerpTrolling) has form in this area, previously knocking systems used by multiplayer game League of Legends offline. Both attacks seem to be motivated more by mischief-making than anything else, although DerpTrolling does express a dislike of the use of digital rights management by online gaming forums in its Twitter feed and this may (at least in part) explain its motives.

Paul Vlissidis, technical director at NCC Group, commented: “This attack has again shown that those with the intent can successfully identify those parts of a system which cannot be protected by a CDN or forms of caching.

“The use of smart geographic routing coupled with linearly scalable systems in the cloud can dampen the effects of a DDoS but are by no means a guarantee. System architects, developers, quality assurance teams and cyber security teams should be factoring in the risk of such distributed attacks in their design and implementations, as well as testing on a regular basis to identify choke points.

“These could be bandwidth, computing resource or single points of critical or computational expensive processing which may be more susceptible,” he added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/06/online_gaming_ddos_spate/

NexQloud To Bolster Cloud Privacy and DDoS Protection With Perfect Forward Secrecy And SSL Modes

CAMPBELL, Calif., Jan. 6, 2014 /PRNewswire/ — NexQloud (http://www.nexqloud.com) announced today upcoming features for its DDoS Mitigation and Uptime Management platform, designed to increase cloud data privacy. Powered by the industry’s first Human ID engine, NexQloud simplifies SSL and grants perfect forward secrecy to its users.

SSL is the de-facto solution for encrypting traffic that contains confidential information. However, the implementation of this solution often exhausts at least tenfold the processing power required by normal server requests. As a result, DDoS attacks against SSL traffic are extremely effective due to the asymmetric resource consumption on servers. NexQloud resolves this vulnerability by integrating its Human ID engine to effectively mitigate DDoS attacks and bolster cloud privacy.

NexQloud’s Human Identification engine transforms SSL Renegotiation protection, dramatically simplifying the complex setup. SSL handshake requests are identified by the Human ID engine, which allows only human requests to process.

Humans flooding the system with SSL handshake requests within a short time frame are flagged as troublemakers, and automatically ejected from the system.

Security is a top priority in an ever-increasingly scrutinized world. NexQloud stores encryption keys at a secured server, detached from the mainframe. All data is protected by NexQloud’s advanced infrastructure. Advanced technologies such as Perfect Forward Secrecy and multiple SSL modes grant users flexibility in addressing their concern for data privacy.

Perfect Forward Secrecy Implementation

Amidst NSA and data privacy controversies, NexQloud ensures data remains safe from prying eyes with its Perfect Forward Secrecy (PFS) feature. During each SSL session, a new ephemeral key will be generated, so even under worst-case scenarios, a compromised key will not break the confidentiality of SSL traffic.

This advanced encryption ensures data going through NexQloud is protected and encrypted, even if traffic data and the private key have been collected by an adversary. With Perfect Forward Secrecy, NexQloud users will experience unparalleled security for their data privacy needs.

Multiple HTTPS/SSL Modes

NexQloud offers three SSL modes for advanced security protection and performance acceleration.

1. SSL Offloading

SSL traffic will be decrypted at the NexQloud-end, and traffic returned to web servers will be sent in clear-text format. SSL offloading relieves web servers of the processing burden of encrypting and/or decrypting traffic sent via SSL, improving server performance dramatically.

2. SSL Bridging

SSL traffic will be decrypted at the NexQloud-end and is re-encrypted when sent back to web servers. If there are security concerns about unencrypted traffic traversing the Internet, SSL Bridging will be the top choice for advanced protection.

3. SSL Forwarding

SSL traffic will be forwarded to web servers directly. Provision of an SSL key is not necessary and no traffic will be decrypted. Some advanced features will not be available.
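
The three modes correspond to standard reverse-proxy TLS configurations, and the difference that matters for security is where plaintext exists and who holds the private key. The HAProxy fragment below is an added illustration, not NexQloud's configuration or code; the choice of HAProxy, the addresses, ports, hostname and file paths are all assumptions.

```haproxy
global
    # Only ephemeral (ECDHE) key exchange is offered to clients, so a later
    # leak of the certificate's private key does not expose recorded sessions.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1. SSL offloading: TLS ends at the proxy, origin receives clear text.
#    The proxy holds the site's private key. The proxy-to-origin hop is
#    unencrypted, so it must stay on a trusted private network.
frontend fe_offload
    mode http
    bind :443 ssl crt /etc/haproxy/certs/site.pem        # hypothetical path
    default_backend be_offload

backend be_offload
    mode http
    server web1 192.0.2.10:80 check                      # plain HTTP to origin

# 2. SSL bridging: TLS ends at the proxy and a second TLS session is opened
#    to the origin. The proxy still sees plaintext and holds the key, but the
#    proxy-to-origin hop is encrypted and the origin certificate is verified.
frontend fe_bridge
    mode http
    bind :8443 ssl crt /etc/haproxy/certs/site.pem       # hypothetical path
    default_backend be_bridge

backend be_bridge
    mode http
    server web1 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/ca/origin-ca.pem sni str(www.example.com) check

# 3. SSL forwarding (passthrough): the proxy relays TCP bytes unchanged.
#    No key is provisioned on the proxy and nothing is decrypted, which is
#    why HTTP-aware features (header inspection, caching, per-URL rules)
#    are unavailable in this mode.
frontend fe_forward
    mode tcp
    bind :9443
    default_backend be_forward

backend be_forward
    mode tcp
    server web1 192.0.2.10:443 check
```

In the forwarding case the cipher restriction in `global` has no effect on client sessions, because the handshake is completed by the origin server; forward secrecy then depends on the origin's own cipher configuration.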

NexQloud’s revolutionary service is completely free of charge for the duration of the Prerelease Program. The service will be available to the general public in early 2014, offering both subscription and token-based pricing models. Sign up now and be amongst the first to experience the future of uptime management!

About NexQloud

NexQloud is the world’s newest and most innovative DDoS mitigation and uptime management platform. Powered by the world’s first Human Identification engine, NexQloud offers fully automated protection with no software or hardware changes required. In addition to comprehensive volumetric DDoS mitigation, NexQloud champions the “Identifying the Human” approach, effectively addressing critical flaws in traditional mitigation systems. Botnet requests are automatically denied, ensuring only humans get through. Human users with malicious intent are automatically rejected upon detection, while other users are queued before a flash crowd forms and slows down the website.

Article source: http://www.darkreading.com/management/nexqloud-to-bolster-cloud-privacy-and-dd/240165142

Milton Security Introduces Secure WiFi Small Business Bundle

FULLERTON, Calif., Jan. 6, 2014 /PRNewswire/ — Milton Security Group, Inc, a privately held network security provider, announces the Milton Secure WiFi Small Business Bundle.

“We saw that small businesses needed an all-in-one solution for adding secure WiFi, so we came up with the idea of the Small Business Bundle,” CEO Jim McMurry explained. “With our Edge Adaptive NAC product line, BYOD is our strong suit for security. Turning that into a drop-in product was something we felt would provide tremendous value for our customers.”

Included in the Secure WiFi Small Business Bundle are the following:

— 3 Ubiquiti Access Points, set up in a mesh to provide the widest possible coverage.

— A PoE switch to provide power and network connection to each AP.

— A Milton Edge 7200Exi Adaptive Network Access Box to continuously monitor and control security on your network.

The entire bundle comes preconfigured with a simple setup to make it very easy to install and begin using immediately.

The Milton Secure WiFi Small Business Bundle is priced as a leased capability or as a purchasable product.

The Leased Option runs $450 per month and includes the following:

— 365 days of hardware warranty

— Unlimited Support Incidents

— Unlimited OS Updates

— Advanced Ship on hardware replacements

The Purchasable Option runs $2999.99 and includes the following:

— 90 days of hardware warranty (upgradable to 1 Year)

— 1 Support Incident (additional incidents are available)

— 1 OS Update

— 7 Day turnaround on hardware support

“Whether you are adding guest WiFi to your coffee shop or opening the doors for your corporate BYOD capability, our solution can keep your network secure without creating a management nightmare,” said McMurry.

If you are interested in finding out more about the Milton Secure WiFi Small Business Bundle or have any questions, please contact Charles Fladger at [email protected] or Evan Tremper at [email protected]. You can also call us at 714-515-4011.

For more information:

Milton Security Group

http://goo.gl/yO7pmb

About Milton Security Group, Inc:

Milton Security Group, Inc. is the Bring Your Own Device enabler for your organization. Our product lineup enables granular control over all devices on your network. Milton Security Group, Inc. offers the first low-cost adaptive endpoint and network access control suite of products. Founded in 2007, Milton Security Group has enabled organizations, from Federal and State Agencies, Cities and Counties, Public and Private Universities, Hospitals, and Small and Mid-size corporations, to protect their internal network systems and endpoints.

Article source: http://www.darkreading.com/mobile/milton-security-introduces-secure-wifi-s/240165143

3 Themes for Implementing PCI DSS 3.0 for SMBs

2013 was not only a year of multiple major breaches exposing cardholder data (CHD) but also a year in which the Payment Card Industry Security Standards Council (PCI SSC) released the next major revision to the Payment Card Industry Data Security Standard: Version 3.0. PCI DSS v3.0 changes are largely aimed at misinterpretations and misapplications of requirements meant to reduce the risk of such attacks. There are some “evolving requirements” (read: new requirements) in this new version, but mostly version 3.0 addresses a general lack of awareness and appropriate implementation of existing requirements. Small and medium businesses implementing PCI DSS typically do not require a Qualified Security Assessor (QSA) and implement these requirements either on their own or with the help of a security consultant. This series of blogs is aimed at those planning their 2014 PCI DSS strategy with 3 distinct and important themes found in PCI DSS 3.0.

PCI DSS 3.0 for SMBs Theme 1: Scope
The cardholder data environment (CDE) comprises all system components that a) store, process, or transmit CHD, b) any component that is directly attached to those systems, or c) any component that supports those systems. Element “a)” of the above definition has been well understood but proper segmentation of connected systems is often overlooked (element “b)”) and supporting systems such as update servers and authentication support have been erroneously left out of the PCI DSS scope in many SMB PCI DSS scoping diagrams.

The result of an inaccurate PCI DSS scope is the misapplication of requirements, a non-compliant business, and a more susceptible environment. Understanding that such misapplication of requirements is widespread, the PCI SSC specifically strengthened the guidance and requirements to address this. The following revisions to PCI DSS address the CHD scope issue:

Current Network Diagram – Really! [Requirement 1.1.2 – Clarification; Requirement 1.1.3 – New] The Council went out of its way to explain that not only do you need a current network diagram with all connections to CHD but also one that identifies all connections between the cardholder data environment (CDE) and all other networks. This is an important exercise in determining the scope of your CDE and the applicability of PCI DSS requirements to your network components.

Inventory of System Components [Requirement 2.4 – New; Requirement 11.1.1 – New] There is a new requirement to maintain a formal inventory of the system components within the CDE. The reason for this requirement is to ensure that configuration standards are applied to all CDE components. In many SMBs the inventory process can be worked in with the network diagram development; in more complex systems an automated inventory process would be advisable. Another new requirement states that organizations must maintain an inventory of authorized wireless access points (including the business justification).

Penetration Testing – Verify Proper Segmentation [Requirement 11.3 – New; Requirement 11.3.4 – New] There is a new requirement for a penetration testing methodology that (among other things) includes the testing of the segmentation and scope-reduction controls. Furthermore, a specific new requirement was created for annual penetration testing to verify that segmentation methods are operational and effective in isolating CDE system components from those components deemed out-of-scope.

Determine and Reduce your Scope Now.
The PCI DSS v3.0 standards are now in effect and organizations have until the end of the year to become compliant. Organizations have adequate time to address these new requirements but determining the proper scope of the CDE (and taking steps to reduce it) is the first step.

Doug Landoll is the CEO of Lantego Security, a firm specializing in assisting organizations with information security compliance (HIPAA, PCI, FISMA), and can be reached at [email protected].

Article source: http://www.darkreading.com/smb/3-themes-for-implementing-pci-dss-30-for/240165147

Yahoo Ads Hack Spreads Malware

Yahoo.com visitors received an unexpected surprise beginning on New Year’s Eve: advertisements that targeted their systems with malware.

The malicious advertising campaign was first spotted on Friday by Dutch information security consulting firm Fox-IT, which immediately warned Yahoo. Fox-IT said in a blog post that the attack advertisements — which were being served by ads.yahoo.com — used iFrames to hide malicious scripts. If a user clicked on the advertisement, they were redirected to a site that hosted the “Magnitude” exploit kit, which then attempted to exploit any Java vulnerabilities present on their system to install malware.

“The attackers are clearly financially motivated and seem to offer services to other actors,” said Fox-IT, noting that the exploit kit behind the attacks dropped six different types of malware, including the Zeus banking Trojan, Dorkbot, and a click-fraud Trojan. The greatest number of users targeted by the malicious advertisements were in Romania (24%), the United Kingdom (23%), and France (20%), according to Fox-IT.


Article source: http://www.darkreading.com/attacks-breaches/yahoo-ads-hack-spreads-malware/240165154

Microsoft Shares BYOD Best Practices For Enterprise Workers

REDMOND, Wash., Jan. 6, 2014 /PRNewswire/ — Microsoft Corp. today is releasing best practices for enterprise workers who are considering using their personal technology device for work and play. This business trend, known as Bring Your Own Device (BYOD), continues to grow as more devices enter the marketplace giving consumers a variety of choice in terms of functionality and application for work and home.

According to Gartner Research, globally, eighty-eight percent of executives report employees use their personal computing technologies for business purposes today, while only sixty-two percent of executives say they now have, or are planning to have, a BYOD program for smartphones and tablets. This gap could create challenges for the IT department for organizations that aren’t equipped with the right policies to ensure unwanted botnets or spyware don’t enter the enterprise.

The following infographic (http://photos.prnewswire.com/prnh/20140106/CL40788-INFO) depicts a scenario of an enterprise worker who has just received a new tablet during the holidays and the potential security risks that can result if proper protocols are not taken as the device gets introduced to the workplace.

“The BYOD trend offers numerous benefits to users, including reduced costs, and the ability for enterprise workers to work with their preferred technology,” said Don Morrison, Director, U.S. Anti-Piracy for Microsoft Corp. “That said, BYOD does blur the lines between enterprise and personal computing, and can create security risks for businesses and the workers, so it’s important to have best practices in place.”

Guidance from Microsoft includes:

— Procure only genuine apps and software from reputable sources

— Don’t lend your device to others and run the risk of compromising its integrity

— Make sure you’re safe online and protecting your privacy by visiting: www.microsoft.com/security

Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.

Article source: http://www.darkreading.com/mobile/microsoft-shares-byod-best-practices-for/240165155

SnoopWall For Android App Now Available

LAS VEGAS, NV and NASHUA, NH – January 7, 2014 – As more than 152,000 attendees gather this week for CES 2014, there’s good news for consumers concerned about ensuring personal privacy as they use smartphones, tablets and other mobile devices.

SnoopWall (http://www.snoopwall.com), the world’s first counterveillance security software company, today announced its SnoopWall for Android App is now available as a free download from the Google Play Store at http://bit.ly/SnoopWallGooglePlay.

SnoopWall is a first-of-its-kind counterveillance anti-spyware software to protect consumers, families and businesses from cyber-security threats and privacy invasions of their personal computers and mobile devices. SnoopWall uniquely blocks eavesdropping in real-time, protects your webcam, microphone, GPS, Bluetooth, NFC, Wi-Fi and other high risk data ports, automatically. Uniquely, there are no updates necessary for SnoopWall to stop new Zero-Day Malware and Advanced Persistent Threats (APTs).

A well-publicized December 12, 2013 article from the Electronic Frontier Foundation [1] described a “massive privacy problem” [1] caused by Google’s removal of its App Ops feature that gave Android users fine-grained control over App permissions. In this article, the EFF’s Peter Eckersley described the disappearance of App Ops as “alarming news for Android users,” suggesting that Google’s move forces users “to choose between either privacy or security on the Android devices, but not both.”

SnoopWall addresses the Google privacy problem through easy to use Apps Permissions controls that let users manage which permissions to give or deny to each Application on their Google Android device. This privacy and security feature lets users disable the ability of individual Apps to access sensitive, personally identifiable information such as geographic location and address book data.

Previewed at the world-renowned DEMO conference in October, SnoopWall for Android is the company’s first product. Additional products providing privacy for computers, phones and other mobile devices running on the Apple iOS and Microsoft Windows platforms are in development.

SnoopWall for Android Features and Benefits:

Quick and easy to install – deploys on device in 30 seconds or less

Compatible with Google Android platforms, phones, devices and tablets

Finds out what every Application is doing, which are spying on you, and helps maintain personal privacy through easy Apps Permissions controls.

Alerts users of existing harmful and potentially harmful programs and Apps

Protection against spying, snooping and stealing for Android devices

Blocks cyber intrusion with revolutionary spyware blocking technology

Protects all high-risk data ports (webcam, microphone, GPS, wireless, Bluetooth, etc.) from the latest, most dangerous malware

Understand risks with real-time privacy meter

Frees up memory and extends battery life

“We’re thrilled to launch SnoopWall for Android – proudly made in the USA,” said Gary S. Miliefsky, President of SnoopWall and a founding member of the U.S. Department of Homeland Security. “From recent news of the FTC crackdown on one of the most popular flashlight Android Apps to widespread public dissatisfaction with Google’s App privacy limitations; and from advertisers spying on consumers to the cyber snoop who illicitly gained remote access to Miss Teen USA’s webcam and attempted to cyber-extort her — it’s time we took control of these devices to reclaim our privacy!”

Threats to Mobile Security

A research paper on “Cyber Security and Mobile Threats” clearly defines the need: “Smartphones are becoming a vehicle to provide an efficient and convenient way to access, find and share information; however… this…has caused an increase in cyber attacks … Presently, 96% of smartphones do not have pre-installed security software. This lack in security is an opportunity for malicious cyber attackers to hack into the various devices that are popular (i.e. Android, iPhone and Blackberry).” [2]

Android Privacy in Peril

Android users are particularly vulnerable to privacy threats, as recent research reveals:

“Of the top 100 Android apps, 56 accessed device ID, contact lists and/or location data.” [3]

60% of infected mobile devices are Android smartphones, with the number of Android malware samples increasing by 72% in Q3 over Q2 2013. [4]

SnoopWall: Reclaim Your Privacy

While “end-point” security products such as anti-virus and firewall software provide a degree of protection, cyber crooks and snoops can easily access smartphones and mobile devices through open data ports and nasty new malware/spyware hidden in “trusted” Apps.

SnoopWall’s revolutionary anti-spyware software flags and prevents cyber security threats and also functions as a “port authority”: detecting and blocking remote control, spying and eavesdropping through attempted intrusions into cameras, webcams, microphones, GPS, USB, and other ports of entry on computers, smartphones, tablets, and other mobile devices.

SnoopWall’s patent-pending “counterveillance” technology provides Data Leakage Prevention (DLP), threat prevention privacy assurance, Apps Permissions management, and policy-based granular controls (via API/SDK) through offerings that will appeal to consumers, enterprises and governments, and those that serve them.

About SnoopWall

SnoopWall is the world’s first counterveillance software company focused on helping consumers and enterprises protect their privacy on all of their computing devices including smartphones, tablets, and laptops. SnoopWall augments endpoint security (antivirus, firewall, intrusion prevention) through patent-pending technology that detects and blocks all remote control, eavesdropping and spying, while preventing data leakage and increasing device battery life/performance. SnoopWall’s software is proudly made in the U.S.A. Visit snoopwall.com and follow us on Twitter: @SnoopWallSecure.

Article source: http://www.darkreading.com/mobile/snoopwall-for-android-app-now-available/240165156

Online games services Steam and Origin fall as gamers ring in New Year DDoS-ing

The gaming world has been just about squashed flat before, during and after New Year’s Eve, with multiple distributed denial-of-service (DDoS) attacks.

According to the Guardian, two Twitter users, @chFtheCat and @LARCENY_, have claimed responsibility for attacking the digital gaming service Steam, which was down for over an hour on Friday.

Battle.net, the login system used by World of Warcraft and other games produced by Blizzard, was hit by a similar attack, the news outlet reported.

A parallel set of attacks, launched by an entity that calls itself @DerpTrolling and which defines itself as a group of hackers, involved the DDoSing of scores of gaming servers in the days leading up to Friday’s separate attack on Steam, et al.

According to #DramaAlert [YouTube video] – a channel that covers “all the drama” in the gaming world – the gaming servers that were knocked offline included World of Tanks, RuneScape, Battlefield 3 and 4, EverQuest and EverQuest2, Club Penguin, Fifa Soccer 13 and 14, League of Legends, Minecraft, the Sony Playstation Network, Electronic Arts (EA), and even North Korea’s state-run news agency, kcna.kp.

@chFtheCat said in one tweet that the reason s/he/they “hit Steam off” is because @DerpTrolling hit off servers for the EA game service Origin.

The Guardian reports that Origin was on-again, off-again for a period of almost 24 hours as a result of that attack.

The proposed motivations for the Steam attacks are all over the map, with the purported hackers chirping back and forth about more attacks to come and being too broke to afford more botnets to run the attacks.

PlayStation.net reports that for its part, DerpTrolling tweeted about deciding to follow PhantomL0rd, a popular streamer on the Twitch gamer community, and to crash every game he was in.

GameInformer.com reports that PhantomL0rd, whose real name is James Vargas, egged on the DDoSers during the assaults on League of Legends, Dota 2, and other games.

GameInformer’s Mike Futter writes:

At one point, Varga is egging on the DDoSers. ‘I’ll put it this way,’ he says. ‘If my team is winning, we’ll keep going. If my team starts to lose, Derp Bros, take this s*** down!’ When DerpTrolling accepts the deal, Varga begins laughing loudly.

An entity identifying itself as DerpTrolling engaged in a conversation with #DramaAlert in which he/she/they said that the group simply attacks sites based on requests from people who tweet suggested targets.

In other words, it’s all just a game, and it’s all for the lulz.

I have a smidgen of pity for the gamers who were deprived of fun and pleaded with the assault squads to knock it off, “for the love of humanity”, but only a smidgen, given the blizzard and frozen pipes I’m dealing with in the real world.

Gamers, are you back up and running? Did this spur you to do something else with your time, like maybe shovel an elderly neighbor out from a blizzard?

Is there a game where you get to shovel out elderly neighbors from blizzards and unfreeze frozen pipes?

I want to play that one!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Nr9ZMKycLCQ/

Monday review