STE WILLIAMS

RDP BlueKeep exploit shows why you really, really need to patch

About six weeks ago Microsoft took the highly unusual step of including a patch for operating systems it no longer supports in its May Patch Tuesday output.

It’s something the software juggernaut has only ever felt the need to do on a handful of occasions, so when it does happen it can be taken as a sign that something very serious indeed is going on. In this case, the something serious was CVE-2019-0708, an RDP vulnerability that would soon become better known as BlueKeep.

RDP (the Remote Desktop Protocol) is what allows people to control Windows machines via a full graphical user interface, over the internet. The millions of internet-connected machines running RDP include everything from cloud-hosted servers to Windows desktops used by remote workers, and each one is a potential gateway into an organisation’s internal network.

The ‘wormable’ BlueKeep vulnerability, announced by Microsoft with the release of patches to protect against it, could theoretically be used to run attackers’ code on every one of those machines, without a username and password.

The only sliver of hope that came with May’s patches was that CVE-2019-0708 was difficult to exploit. That difficulty created a window of time for organisations to patch against BlueKeep before crooks figured out how to abuse it. There was even the outside chance that it would prove too difficult to reverse engineer.

It was a hope that didn’t last long.

Since CVE-2019-0708 became public, a small number of organisations and security researchers have credibly claimed the ability to successfully exploit it.

Among their number is Sophos, who today revealed the existence of its own CVE-2019-0708 exploit PoC (Proof-of-Concept).

The PoC, described by BlueKeep namer and ‘megathread’ keeper Kevin Beaumont as ‘incredible’, was created by the SophosLabs Offensive Security team.

The code is obviously too dangerous to be released publicly, so SophosLabs has recorded a video showing the fileless exploit being used to gain full control of a remote system without authentication.

The PoC will help Sophos learn about how CVE-2019-0708 might be exploited by criminals.

So, why release proof of the proof-of-concept?

We hope this video convinces individuals and organizations who still haven’t patched that the BlueKeep vulnerability is a serious threat.

You can read more about the SophosLabs BlueKeep exploit on our sister site Sophos News. Do it after you’ve patched.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lWXRTB-8YaY/

Don’t tell Alice and Bob: Security maven Bruce Schneier is leaving IBM

Infosec veteran Bruce Schneier has said he’ll step down as a “special advisor” to IBM’s security business to, in part, focus his time on teaching the next generation of security pros.

Schneier said he also wanted to focus on work with nonprofit projects including Tor and the Electronic Frontier Foundation (EFF), where he is a board member.

The cryptographer, formerly BT’s chief security technology officer, has been writing about security since 1998 and has produced more than a dozen books, as well as hundreds of articles, essays and academic papers.

Schneier started working at IBM in 2016 after Big Blue snapped up his startup, Resilient Systems (previously called Co3), where he served as CTO, for a rumoured $100m.

Resilient developed an incident-response platform, which was eventually integrated with IBM’s Security Event and Incident Management (SEIM) system, called QRadar.

The partnership started well enough. “Everything I’ve seen so far indicates that this will be a good home for me. They know what they’re getting, and they’re still keeping me on. I have no intention of changing what I write about or speak about – or to whom,” Schneier said at the time.

Three years later, he’s tossed his blue IBM blazer. For comparison, Schneier spent seven years as the CTO of another startup, Counterpane Internet Security. When Counterpane was acquired by BT, he spent another seven years as its security expert.

Schneier describes himself as a public-interest technologist – which points to one of the potential reasons he might not continue working for a global corporation past his contract obligations.

“I will continue to write and speak, and do the occasional consulting job,” he said of his future plans. “I will continue to teach at the Harvard Kennedy School. I will continue to serve on boards for organizations I believe in: EFF, Access Now, Tor, EPIC, Verified Voting. And I will increasingly be an advocate for public-interest technology.”

We’ll finish this post with a quote from the website SchneierFacts, which compares him to Chuck Norris: “Bruce Schneier only smiles when he finds an unbreakable cryptosystem. Of course, Bruce Schneier never smiles.”

As Schneier himself has said: any person can invent a security system so clever that he or she can’t imagine a way of breaking it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/01/dont_tell_alice_and_bob_security_guru_schneier_is_leaving_ibm/

Consumer Data, Upcoming Elections Are at Risk, Black Hat Survey Says

Newly published ‘2019 Black Hat USA Attendee Survey’ recommends users stay off social media and remain wary of products that promise to solve security problems.

Black Hat today will publish its annual survey of some of the industry’s most experienced security professionals. Its message to consumers: Look out.

In a survey of 345 top security professionals from a wide variety of industries, Black Hat found cybersecurity experts have serious concerns about vulnerabilities and threats affecting end users. Their concerns range from privacy issues in social media, to vulnerabilities in consumer authentication methods, to the potential hacking of upcoming US elections.

In fact, most of the respondents to the “2019 Black Hat USA Attendee Survey” believe that most consumers’ data is already available to criminals and corporations that wish to misuse it. While they did offer some advice about how individuals might better protect their data and their identities, most security pros say that users should assume their information has already been compromised and do what they can to limit the damage.

Similarly, security experts widely believe that elections, critical infrastructure, and enterprise data are increasingly at risk of cyberattack, and that government and industry must do more to protect them.

Ninety percent of security pros say that no matter how careful individuals are, it’s likely that their data is available to criminals right now. Only 30% believe it will be possible for consumers to protect their privacy and identities in the future.

Interestingly, it isn’t hackers that worry security pros most. Ninety percent of survey respondents believe consumer privacy is more seriously threatened by legitimate “data sharing” among corporations than by potential attacks by hackers.

Three-quarters (75%) of cybersecurity experts also say that using any social network is a bad idea. Seventy percent say that posting anything to “public” on Facebook is a high-risk activity.

Only 25% of security professionals believe that consumer identity protection services are effective; 31% rank them as ineffective. Only 32% say that credit monitoring services are effective; 22% say they are ineffective.

While much of the survey focuses on threats to consumers, the “Black Hat USA Attendee Survey” also offers some warnings about forthcoming US elections. Almost two-thirds of cybersecurity experts (63%) say it is likely that hacking of voting machines will affect the next US election. The same percentage believes Russian cyber initiatives will have a significant impact on the 2020 US presidential election.

Similarly, security pros are concerned about potential threats to essential services in the US. More than three-quarters of respondents (77%) believe that a successful cyberattack on US critical infrastructure will occur in the next two years, up from 69% in 2018. Only 21% believe the US government and private industry are prepared to respond.

Concerns about enterprise cybersecurity also remain high. Nearly two-thirds of respondents (65%) believe they will have to respond to a major security breach in their own organization in the coming year, up from 59% in 2018. Most respondents do not believe they have the staffing or budget to defend adequately against current and emerging threats.

Security professionals also cast doubt on the products and technologies they are currently using to protect enterprise data. In the survey, respondents rated most enterprise security technologies as ineffective. Only six technologies were cited as effective by a majority of respondents.

Four in 10 security professionals consider themselves “burned out,” according to the survey. A majority (54%) say the level of anxiety, depression, and addiction is higher among security pros than it is among the general US population.

The full survey is available here

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech’s online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one …

Article source: https://www.darkreading.com/consumer-data-upcoming-elections-are-at-risk-black-hat-survey-says/d/d-id/1335089?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Building the Future Through Security Internships

Akamai University, a 12-week internship program, was built from the ground up with the goal of promoting the student not the company.

The search for stellar cybersecurity job candidates is always an adventure — but much less so since we opened the doors at Akamai University, our 12-week summer student internship program.

We’re looking for candidates who can demonstrate several different skills, proficiencies, and talents both on and off their resume. In addition, we look for traits that lead to long term success in the department and industry in general. For example, one important trait is a sense of urgency: people who know when to take action when action is the most important thing to take. This skill counteracts the “impostor syndrome” that plagues our industry. By that I mean the situation that arises when you need someone to do something, and that someone is the only choice, and thus becomes the best choice.

The next trait we seek in a candidate is demonstrated ability and understanding of responsibility and independence. In the security industry, job duties often require sending relatively junior staff in to fix problems involving people many years their senior. We need staff who can take responsibility and act on their own under those circumstances.

Individuals who make it through screening get offers to join the program as an intern to a specific infosec manager. They work with their manager to select an appropriate project, which can range from creating a new process for security review, to analyzing key management processes using formal methods, or studying how to destroy data on solid state drives or writing security policy.

Sometimes, interns will build tools or new functionality that is used by the security team, or a proof of concept for a larger project. Interns work with their manager before they start their internship to pick a project with the goal of putting them in the spotlight so that by the end of the 12 weeks, they have a glowing list of achievements on their resume.

Intro into the Real World of Security

Outside of specific project work, managers will also make a list of activities that interns need to be exposed to, such as sitting in on an incident or product launch review, a severe vulnerabilities discussion, a compliance assessment, and/or a customer audit. Each activity starts with a discussion with the intern that offers context for what they’re about to experience or witness. It’s followed by a post-project question-and-answer period which provides insight into the operations of the department and frequently spawns deeper work or side projects, as well as broadening an intern’s understanding of the professional world.

Students will leave the program with an understanding of the security industry and with a solid set of relationships. While the intern is doing professional work, it’s important to us that we show them the breadth of the security industry, including parts they may not have been aware of. The goal is to have fleshed-out, planned project work, but also to give the interns broad exposure to the operations and interests of the security department.

This secondary goal around relationship building exposes senior staff to the interns, so management can get to know them, their work, and how they approach their work. Working next to someone every day, watching how they integrate with the team and the company gives us a very clear view of how someone would work out as full-time staff. Consequently, the intern program is our best pipeline for new talent. Likewise, this process allows the intern to get a better view of Akamai, and what it’s like to take on a career here.

Solving the Cyber Talent Shortage

Successful interns who graduate from Akamai University leave the program with a job offer, and those who haven’t finished school yet leave with an offer to return the following summer, or get a job offer when they graduate. In a similar vein, my Architect Studio team, which develops security researchers (and others) into security architects, came out of a concept to support one of my first interns and turn him into full-time staff. That student became a security architect at Akamai. More recently, we’ve hired interns into researcher, data science, and compliance positions.

The summer isn’t all grinding work. We also make sure to include interns in fun activities of their team and the wider department: weekly game nights and team lunches, usually some fun local activity like a boat trip in Fort Lauderdale or an escape room in Cambridge.

Most interns enjoy their work and time with Akamai and appreciate the knowledge they gain from their projects and the security industry in general. For those who don’t end up coming to Akamai full time, an internship here can be a solid launching point into a professional or academic career.

This summer, we’re looking forward to hosting interns working on projects including improving DNS, botnet tracking, writing policy on vulnerability management, or defining risk. We typically start hiring for the following year in September and October; interested candidates can apply through job postings on the Akamai.com careers page.

Kathryn T. Kun directs the Adversarial Resilience group at Akamai, where one of the main aspects of her work is aligning with human realities in order to get to better security practices. Kathryn draws upon her industrial background in chemical engineering and automated …

Article source: https://www.darkreading.com/careers-and-people/building-the-future-through-security-internships/a/d-id/1335038?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Truth About Your Software Supply Chain

Open source components help developers innovate faster, but they sometimes come at a high price.

Developers in enterprise environments — and at commercial software companies, for that matter — have learned that to deliver features swiftly, it’s much more expedient not to reinvent the wheel with certain chunks of code. And so they increasingly build their software by mixing and matching open source software components within their code base to minimize their development time to coding the components that truly add value and differentiation to their applications.

This reliance on open source components greatly speeds up innovation but often comes at a high price: Many of these components available for download contain dangerous vulnerabilities. Some companies are better than others in establishing policies about how and when developers can use them, as well as at actively managing the components to track for flaws. The latest research shows that those that do it well can minimize the risks introduced by these components into their software while maximizing the gains.

“For organizations who tame their software supply chains through better supplier choices, component selection, and use of automation, the rewards are impressive,” says Wayne Jackson, CEO of Sonatype, which last week released its “2019 State of the Software Supply Chain Report.” This study, along with two others released in the past two months, paints a good picture of open source component risks and how organizations are mitigating them.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/application-security/the-truth-about-your-software-supply-chain/d/d-id/1335067?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ransomware Hits Georgia Court System

The court’s IT department is meeting with external agencies to determine the scope and severity of the cyberattack.

News reports have confirmed the Georgia court system has been struck with a ransomware attack, which has resulted in at least part of its digital information systems being taken offline.

An investigation is now underway; it remains unclear how many systems were compromised. Bruce Shaw, spokesman for the Administrative Office of the Courts, confirmed the attack and reported that not all court systems have been affected. As a precaution, the network was taken offline and the IT department is working with external parties to determine the attack’s extent.

This isn’t Georgia’s first foray into ransomware investigations. Back in March 2018, computer systems of the City of Atlanta were hit with a ransomware campaign that significantly disrupted government operations and caused millions of dollars in losses. In that case, Atlanta refused to pay the $50,000 ransom and is paying millions more to recover from the incident.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/document.asp?doc_id=1335099&_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Crave that Instagram verified badge? Don’t fall for this login-stealing scam

There’s nothing quite like the cachet of that elusive “verified” blue check mark from Instagram.

How you get one is somewhat mysterious, as Forbes’s Tom Ward has found out: it’s not always enough to be famous and have a ton of followers, and it’s not always enough to get a digital agency to submit a request for you.

But here’s one sure-fire way not to get that little blue check – that will instead lead to your account credentials getting stolen: scammers are promising to get you a “verified” badge, but when Instagram users fall for the “apply now” come-on, their login credentials are being phished away.

The scam was spotted by security researchers with Sucuri. One of the researchers, Luke Leal, said in a post last week that they recently came across a page that was spoofing a real Instagram Verification submission page.

Verily, do not click that verification come-on

The researchers said that after clicking on the Apply Now button, the page threw up a series of phishing forms that were hosted on the phishing domain instagramforbusiness[.]info. Then, the forms asked victims for their Instagram login information: it instructed its intended victims to confirm their email addresses, as well as their passwords.

After the phishing page got the credentials, they were emailed to the scammers, enabling hackers to take over their victims’ accounts – thus adding to the pile of hijacked accounts that just keeps growing.

Leal notes that Instagram has ways to sniff out suspicious account logins. If it finds such, it responds by locking down an account with a ‘Suspicious Login Attempt’ warning.

There are ways for attackers to get around that, though, Leal said. Hackers just need one of two things: access to the phone number used to register the account (if applicable, since Instagram doesn’t require a phone number for signup) or access to the email address associated with the profile.

That’s why the phishing page goes after accounts’ associated emails, he said: having the victim’s email enables attackers to reset and verify ownership of the phished Instagram account if the ‘Suspicious Login Attempt’ warning gets triggered.

Don’t let the blue checkmark bedazzle you

Keep in mind that Instagram accounts are a hot commodity these days. With so many crooks hacking accounts away, holding them for ransom or selling them on the dark web, it pays to cast a hairy eyeball on any Instagram-related notice you get, particularly one that asks for your login.

Sucuri notes that there were some clear signs that this page, which has since been reported and removed, was malicious:

  • The domain name is clearly not instagram.com.
  • A lack of HTTPS results in insecure warnings in visitors’ browsers. Big-brand companies like Instagram typically use HTTPS on their websites, especially if they handle login information and other sensitive information.
  • Instagram will never ask for a linked email account’s password as confirmation. It will use the standard method of sending an email with a verification link for you to click.

Another good reason to turn on 2FA

Bear in mind that even if you fall for one of these phishing scams and enter your credentials, you could still be safe – if, that is, you’ve chosen to set up two-factor authentication (2FA) via SMS or an authenticator app. 2FA makes it far more difficult for crooks to wrestle your account away.

2FA can be set up on Instagram by going to your profile and selecting the hamburger icon. Then choose Settings > Privacy and security > Two-factor authentication and follow the instructions on the page.

If there’s a risk that your account has been compromised, you should immediately change your account password, turn on 2FA, and double check to make sure that the email address and phone number associated with the account haven’t been changed.

If you’ve used the same password for Instagram on other online accounts, you should immediately change those, as well.

Make sure you use a unique, strong password for each account – something that password managers can help you with.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/td03HeLcv_0/

White House mulls just banning strong end-to-end crypto. Plus: More bad stuff in infosec land

Roundup As June turns over to July, here are some additional bits of security news besides our regular infosec coverage.

Trump officials mull: Why not just ban strong encryption?

Haven’t we done this before? The White House is said to be weighing a plan to force US tech giants, software and hardware makers, and other companies to deploy only encryption, in particular end-to-end cryptography, that can be cracked by American law enforcement, or ban it outright.

A report by Politico claims Trump administration officials met this month and kicked around the idea of asking Congress to pass legislation that would effectively ban the use of strong end-to-end encryption – as used in Apple’s iMessage, Facebook’s WhatsApp, and Signal as well as other apps and protocols.

This threat reemerges despite repeated warnings from cryptographers and security professionals that any plan to weaken encryption would be a disaster – it weakens people’s electronic security against criminals, hackers, and foreign agents, for one thing – and trying to ban it outright would have major consequences for data security.

Excel Power Query could pose a security risk

Bug-hunters have found yet another way Microsoft Office documents could be used to sneak malware onto the PCs of careless users.

This time, it is researchers with Mimecast who have uncovered a vulnerability in the way Excel spreadsheets use a feature called Power Query. It turns out that when a document uses Power Query to pull data from another source (such as an external database), it does not do much in the way of checking or sanitizing that data.

By putting attack code into a data source and then calling it with Power Query, an attacker could tell the spreadsheet to download and run malicious code of their choosing. That poisoned file could then be sent out via spear-phishing or spam attacks to infect machines.

“The feature gives such rich controls that it can be used to fingerprint a sandbox or a victim’s machine even before delivering any payloads,” says Mimecast.

“The attacker has potential pre-payload and pre-exploitation controls and could deliver a malicious payload to the victim while also making the file appear harmless to a sandbox or other security solutions.”

Florida town hit with ransomware (again), agrees to make payout (again)

No, this is not a repeat from last week’s roundup. Another city in Florida has been hit by ransomware and has opted to pay the demands rather than go through the arduous process of wiping and restoring all of their locked machines.

Lake City Mayor Stephen Witt told a local news station that his office made the “tough call” to cough up the $460,000 demanded by hackers after talking to the insurance company and learning that all but $10,000 of the ransom would be covered.

While the FBI discourages people from paying ransomware demands, in this case Witt perhaps saved his city a significant amount of money by meeting the demands rather than undergoing a prolonged restoration effort. Remember, even if everything is safely backed up offline, wiping and restoring at scale, as well as preventing reinfection, is not something that can be done on a whim by a small IT department. It is a tough call.

As Ryan Weeks, CIO for security company Datto, pointed out, things only stand to get worse before they get better with ransomware.

“2019 has seen a resurgence in ransomware attacks, as they have become more profitable for hackers with average demands often in the six-figure range,” Weeks said in a statement to The Register.

“In fact, 92 per cent of managed service providers expect attacks will continue at current or worsening rates and 42 percent predict that ransomware attacks will significantly increase.”

VLC could mean “virus loading code” for your PC if you don’t get these updates

Anyone who runs the VLC media player software will want to be sure they have the most recent version, thanks to an extensive list of patched vulnerabilities.

The 3.0.7.1 update fixes two dozen different buffer overflow, integer overflow, use-after-free, and other serious security flaws that could potentially allow an attacker to get malware onto the machine of unsuspecting users who open poisoned video files.

Brave boasts support for Yubikey with iOS

Good news for iStuff owners that have opted to run the Brave browser: the Safari alternative now supports Yubikey on iOS. This means that Brave users on iPhone and iPad will now be able to use the Yubikey hardware with websites supporting U2F and WebAuthn.

“With Brave’s support for Yubico’s upcoming YubiKey 5Ci devices, with both a USB-C and Lightning connector on a single device, you will soon be able to use the same robust security key across multiple devices, including iPhones and iPads,” Brave said.

“This allows for the removal of less safe login methods and greatly reduces the risk of phishing on protected accounts, no matter what device you’re logging in from.”

What’s Upguard? Oh, just another breach. What’s up with you, guard?

Since repetition seems to be a theme in this week’s news, why not have another instance of a company leaving its data sitting out on the internet in an unprotected storage bucket?

This time, it was the web crawlers at Upguard who found a trio of poorly configured AWS S3 buckets left set to public access by data management company Attunity. The exposed cache, totaling 750GB, includes email backups and internal files.

“Backups of employees’ OneDrive accounts were also present and spanned the wide range of information that employees need to perform their jobs: email correspondence, system passwords, sales and marketing contact information, project specifications, and more,” Upguard noted.

Non-Google Googlers at Chronicle now Googlers

One of the companies under Google’s Alphabet umbrella is coming back home to the chocolate factory. Chronicle, a cloud security outfit spun out as an “other bet” and headed up by former Oracle bigwig Thomas Kurian, will now be part of the Google Cloud brand.

“Our security offerings address important requirements customers have to protect their infrastructure and mission critical application workloads in the cloud,” Kurian says, “to protect their data; to protect their users; and to give them transparency and auditability of their workloads running in Google Cloud.”

In brief… There’s a new strain of macOS malware, OSX/Linker, that attempts to exploit a Gatekeeper bug to infect Macs. And it’s possible for rogue mobile phone masts to send out emergency alerts via 4G/LTE: the full research is here. There are insufficient checks between cell towers and handsets, so pirate masts can broadcast alerts in the US, and probably Europe and elsewhere, to nearby devices. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/01/security_roundup_280619/

Yuge U-turn: Prez Trump walks back on Huawei ban… at least the tech sector seems to think so

President Donald Trump said he plans to revoke the ban, or, er, grant some licences to American companies supplying components and services to Chinese telecoms giant Huawei.

Speaking after meeting the Chinese president, Xi Jinping, Trump said: “American companies that make product, that’s very complex by the way, highly scientific… I’ve agreed to allow them to continue to sell that product.”

Beyond that Trumpian word salad, it is not clear precisely what has happened. White House economic adviser Larry Kudlow told Fox News that Huawei would remain on the entity list – where it was placed in May and which means that US firms must apply for special permission to sell to it – but US companies could sell it chips and services which could be found on “general markets”.

The Semiconductor Industry Association (SIA) released the following statement:

The progress made today by President Trump and President Xi in Osaka is good news for the semiconductor industry, the overall tech sector, and the world’s two largest economies. We are encouraged the talks are restarting and additional tariffs are on hold and we look forward to getting more detail on the president’s remarks on Huawei.

The relaxing of rules around granting American businesses licences to trade with the Chinese firm is unlikely to go unopposed. Several US senators including Florida man Marco Rubio have said they will try to bring forward legislation to reinstate a total ban.

Based on what Kudlow told the press, Huawei will remain on the US Entity List, where it was placed on the grounds of “national security” in May. Although later in May tech firms were given an almost immediate US reprieve on Huawei sanctions through a 90-day temporary general licence that elapses in August, many had already been making tweaks to their supply chains and froze relations with the Chinese firm in anticipation, among them Micron, WD and Intel.

Republican Rubio said the U-turn was a catastrophic mistake, adding: “It will destroy the credibility of [Trump’s] administration’s warnings about the threat posed by the company, no one will ever again take them seriously.”

Without even paying lip service to the security angle, Democrat Charles Schumer said Huawei was “one of the few potent levers we have to make China play fair on trade”.

The effective ban on selling software, hardware and services to Huawei sent shockwaves through the chip industry around the world as well as hitting Google, which was to be prevented from offering certain services like access to its app store. Huawei founder Ren Zhengfei said last month the ban would knock $30bn from revenues over the next two years as the company worked to replace its reliance on US suppliers.

Ren’s daughter, Meng Wanzhou, remains under arrest in Canada awaiting extradition to the US and Trump said her position was not discussed with the Chinese government. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/01/trump_reverses_huawei_ban/

Worried about hacker-infested waters? Fret not. Sophos Security SOS Week will come to the rescue this month

Promo Get up to speed with everything you need to know about keeping yourself and your business safe on the web, social media, and the cloud, without having to leave your desk, during the Sophos Security SOS Week from 8-12 July.

Five top experts from the UK software and hardware security company will share their advice and expertise on an essential range of cybersecurity topics, all wrapped up in a series of 40-minute podcast interviews with Sophos Naked Security writer and senior technologist Paul Ducklin.

Here’s a taster of what’s on the agenda:

Phishing and privacy: protecting your online persona

Every time you reveal a piece of information about yourself, you could be helping crooks sidestep your defences, guess your passwords, and blend in unnoticed with your digital life or your company’s network. Sophos security expert James Burchell can explain how to avoid the pitfalls in clear and entertaining language.

Let social media be your friend

Services such as Twitter, Facebook, Instagram, and Snapchat are great for building your brand, enhancing your business, or just talking to friends. However, these sites are also an easy way to accidentally reveal more information about yourself than you would otherwise wish. Join website cybersecurity specialist Mark Stockley to learn how to keep both your business and your family safe on social media.

Don’t be a victim on the web

From apps in the cloud to the online services you offer, you need to keep the bad stuff out and the good stuff in, making sure your users are not hindered while the crooks don’t get round your security measures. Sales engineer Benedict Jones knows firsthand how hard criminals try to get at your own and your customers’ data. Learn how to stop them in their tracks.

How to love the cloud

Embracing the cloud is great: someone else looks after your servers and provides you with all the apps you need. But there are security worries, too: who else is in the server room? Were the latest patches actually applied? Who’s been fiddling with the configuration files? Security expert and keen honeypot researcher Matt Boddy has the answers.

The tricks and traps of modern malware

Learn from the knowledgeable and passionate Fraser Howard of SophosLabs on how to deal with multi-stage, multi-pronged malware attacks. Don’t miss this important episode.

As a bonus, the company is giving away a zip jacket and a pair of Sophos socks to five lucky attendees with every podcast.

All the details you need are right here.

Sponsored by Sophos.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/01/sophos_sos_week_podcasts/