STE WILLIAMS

Russia Regularly Spoofs Regional GPS

The nation is a pioneer in spoofing and blocking satellite navigation signals, causing more than 9,800 incidents in the past three years, according to an analysis of navigational data.

A large-scale analysis of global positioning data has discovered widespread Russian spoofing over the past three years of the global navigation satellite system (GNSS) used by ships and autonomous vehicle systems to find their positions and safely chart courses, according to a new report.

The report, published by the Center for Advanced Defense Studies (C4ADS), a nonprofit intelligence firm focused on worldwide security issues, found at least 9,883 instances of spoofing near sensitive areas in Russia and Crimea, and during times when high-ranking officials, such as President Vladimir Putin, were present. In addition, the data showed that spoofing regularly occurred near Khmeimim Airbase in Syria during Russian operations there.

The findings underscore the dangers of relying on global positioning data, such as that provided by the global positioning system and similar technology across the globe, because the service can be disrupted or co-opted to deliver false data, says one author of the C4ADS report, who asked not to be named because of the sensitivity of the topic.

“Having Russia exemplify the operational use of these technologies in a defensive and power-projecting capacity could serve as a guideline for illicit nonstate actors who are looking to profit off these vulnerabilities in GNSS systems,” the author says. “Or it could also be used as a guideline for other nation-states to conduct these operations.” 

The attacks highlight the vulnerability of satellite navigation systems and show that their disruption is far more widespread than originally thought. For at least a decade, a smattering of media reports has covered ships near Russia running into navigational difficulties; crews found, for example, that their navigation systems placed the vessel at an airport. Such spoofing appears designed to ground drones rather than to confuse ships: many consumer drones carry geofencing that refuses to fly near airports, so a receiver that believes it is at an airport will not take off.

In 2011, Iran reportedly used GPS spoofing to capture a US drone. And in 2013, researchers at the University of Texas at Austin built a device for less than $1,000 that spoofed the position of a ship and caused it to change course.

“The ship actually turned, and we could all feel it, but the chart display and the crew saw only a straight line,” said Todd Humphreys, assistant professor of the department of aerospace engineering and engineering mechanics, at the time.

The C4ADS report is based on a year-long analysis of marine-vessel location data provided through the Automatic Identification System (AIS). The analysts found 9,883 instances of GNSS spoofing affecting more than 1,300 vessels since February 2016. While the analysis did not explicitly focus on the activities of the Russian Federation, the trend quickly became clear once the C4ADS analysts began their work.

“As we went along with the research project and found these large cases of GNSS spoofing and disruption in Russia, Crimea, and Syria, it was hard to ignore what the common thread there was,” the author says.

The analysts identified several trends in the ways that GNSS, which encompasses all satellite-based positioning systems, was being attacked. Many of the victims of spoofing near Russia found their locations reported as a single Russian airport; in other cases, especially near Crimea, two or more other airports served as the false locations.

The researchers also found significant activity around military and security areas. Overall, the spoofing appears indiscriminate: it did not target specific ships, drones, or receivers, but every device in a specific area.
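How such spoofing shows up in AIS data can be illustrated with a small detector. The following is an added example, not code from C4ADS or Dark Reading: it looks for the two signatures the report describes, a vessel whose consecutive position reports imply an impossible speed, and positions that land on a known spoof site (here a placeholder coordinate, not one of the airports named in the report), over a handful of constructed position reports. Going slightly beyond the text, it also counts how many distinct vessels report the same site, which is what makes an area-wide spoof stand out from a single faulty receiver.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

# Placeholder spoof destination. The report found vessels reported at airports;
# this coordinate is a constructed stand-in, not a location from C4ADS.
SPOOF_SITES = {"placeholder-airport": (44.900, 38.400)}


@dataclass(frozen=True)
class Report:
    mmsi: int          # vessel identifier carried in AIS messages
    ts: datetime
    lat: float
    lon: float


def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = radians(lat1), radians(lat2)
    dp = radians(lat2 - lat1)
    dl = radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))


def implied_speed_kn(a, b):
    """Speed in knots a vessel would need to get from report a to report b."""
    hours = (b.ts - a.ts).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf")
    return distance_nm(a.lat, a.lon, b.lat, b.lon) / hours


def nearest_site(lat, lon, sites, radius_nm):
    """Name of the spoof site within radius_nm of (lat, lon), or None."""
    for name, (slat, slon) in sites.items():
        if distance_nm(lat, lon, slat, slon) <= radius_nm:
            return name
    return None


def flag_spoofing(reports, sites=SPOOF_SITES, max_speed_kn=60.0, site_radius_nm=1.0):
    """
    Return {mmsi: [reasons]} for vessels whose track is physically implausible
    (implied speed above max_speed_kn between consecutive reports) or whose
    reported position lands on a known spoof site. Unflagged vessels are absent.
    """
    by_vessel = defaultdict(list)
    for r in reports:
        by_vessel[r.mmsi].append(r)
    flagged = defaultdict(list)
    for mmsi, track in by_vessel.items():
        track.sort(key=lambda r: r.ts)
        for prev, cur in zip(track, track[1:]):
            v = implied_speed_kn(prev, cur)
            if v > max_speed_kn:
                flagged[mmsi].append(f"jump {v:.0f} kn at {cur.ts:%H:%M}")
        for r in track:
            site = nearest_site(r.lat, r.lon, sites, site_radius_nm)
            if site:
                flagged[mmsi].append(f"at {site} at {r.ts:%H:%M}")
                break  # one site note per vessel is enough
    return dict(flagged)


def vessels_at_site(reports, site, sites=SPOOF_SITES, radius_nm=1.0):
    """Distinct vessels that reported a position on the given spoof site."""
    slat, slon = sites[site]
    return {r.mmsi for r in reports if distance_nm(r.lat, r.lon, slat, slon) <= radius_nm}


# Constructed sample: two vessels under way at roughly 12 kn; one of them is
# then "moved" onto the placeholder airport, where a third vessel also appears.
T0 = datetime(2019, 3, 1, 12, 0)
SAMPLE = [
    Report(111, T0, 44.500, 37.800),
    Report(111, T0 + timedelta(minutes=10), 44.500, 37.847),  # about 2 nm east
    Report(111, T0 + timedelta(minutes=20), 44.900, 38.400),  # lands on the airport
    Report(111, T0 + timedelta(minutes=30), 44.900, 38.400),
    Report(222, T0, 44.300, 37.500),
    Report(222, T0 + timedelta(minutes=10), 44.300, 37.547),
    Report(222, T0 + timedelta(minutes=20), 44.300, 37.594),
    Report(333, T0 + timedelta(minutes=20), 44.901, 38.401),  # also on the airport
]

if __name__ == "__main__":
    for mmsi, reasons in flag_spoofing(SAMPLE).items():
        print(mmsi, reasons)
    print("vessels on site:", sorted(vessels_at_site(SAMPLE, "placeholder-airport")))
```

The 60 kn ceiling is generous for merchant shipping and is there to avoid flagging ordinary AIS jitter; a real deployment would tune it per vessel class and feed the flagged tracks to an analyst, since a single bad report can also come from a faulty transponder rather than a spoofer.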

C4ADS hopes that the research will cause private technology firms and navigation-system manufacturers to prepare for such attacks in the future and develop countermeasures. The low cost of GPS spoofing equipment — less than $350, according to C4ADS — could lead to regular denial-of-service and spoofing attacks against civilian targets, the firm said. 

“The Russian Federation has a comparative advantage in the targeted use and development of GNSS spoofing capabilities,” C4ADS states. “However, the low cost, commercial availability, and ease of deployment of these technologies will empower not only states, but also insurgents, terrorists and criminals in a wide range of destabilizing state-sponsored and non-state illicit networks.” 

Moreover, the analyst firm likely detected only a fraction of the activity and impact of GNSS spoofing, the report states. Recent news reports suggest that independent groups are already developing their own capabilities. Just this month, at least seven car manufacturers at the Geneva Motor Show found their navigation systems showing the wrong position and time.

“These technologies could be a blueprint for other actors or nation-states to conduct these activities,” C4ADS’s author says.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/risk/russia-regularly-spoofs-regional-gps/d/d-id/1334262?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple patches 51 security flaws

Apple yesterday released updates across a range of its products, including macOS, which goes to 10.14.4 and iOS, which is now at version 12.2.

WebKit and beyond

In terms of numbers, the system component with the most entries in the update list is Apple’s browser core, known as WebKit, which gets fixes for 13 vulnerabilities with CVE numbers.

Most of these are a predictable mixture of cross-site scripting (CVE-2019-8551), breaking out of the sandbox (CVE-2019-8562), and things that break web cross-site origin security (CVE-2019-8515).

There’s also the snoopy-sounding CVE-2019-6222, by means of which:

A website may be able to access the microphone without the microphone use indicator being shown.

Echoing this is CVE-2019-8554, through which a website could track a user’s motion and orientation data.

This is similar in theme to a flaw in the ReplayKit API, CVE-2019-8566, which could allow apps to record from a device’s microphone without the user realising.

Most users probably understand that devices can be used to track their web visits and behaviour. That security flaws in devices might extend this to their conversations or physical movement sounds much spookier.

A final highlight of iOS 12.2 is CVE-2019-8553, an old-school flaw in GeoServices (device geo-location) that Apple said could give attackers a path to compromise without the need for a browser:

Clicking a malicious SMS link may lead to arbitrary code execution.

KeySteal

The news for macOS Mojave users, among 38 patches, is that 10.14.4 (along with Security Update 2019-002 for High Sierra and Sierra) addresses the KeySteal flaw, a bug that 18-year-old German researcher Linus Henze announced in early February but initially declined to disclose to Apple.

Similar to a previous flaw called keychainStealer, this could have allowed a malicious app to drain passwords out of Apple’s Keychain password manager.

Initially Henze said he was going to keep the flaw to himself as a protest over the fact that Apple doesn’t reward researchers with bounties for macOS vulnerabilities.

Some days later, he relented and decided to send the bug details to Apple anyway.

FaceTime

Sure enough, FaceTime gets another of its regular fixes in the form of CVE-2019-8550, described by Apple as follows:

A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing.

At least this is relatively minor compared to February’s fix for CVE-2019-6223, the FaceTime eavesdropping vulnerability that caused considerable panic at the time.

What to do?

To check that you’re up to date – and to jump the queue and get the updates right away if you haven’t been offered them yet:

  • On an iPhone, go to Settings > General > Software Update.
  • On a Mac, go to the Apple menu, choose About This Mac and click [Software Update…].

That’s it.
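The version check above can also be scripted, which helps when auditing more than one device. The following is an added example, not from Naked Security or Apple: it compares a macOS or iOS version string against the versions that carry these fixes, and it treats High Sierra and Sierra separately, because on those systems the fixes arrive as Security Update 2019-002 without a change of product version. `platform.mac_ver()` is the standard-library call that reads the running macOS version; it returns an empty string on other operating systems.

```python
import platform

# Versions that carry the fixes discussed above, per Apple's release notes
MACOS_MOJAVE_FIXED = (10, 14, 4)
IOS_FIXED = (12, 2)


def parse_version(text):
    """'10.14.4' -> (10, 14, 4). Rejects anything that is not dotted integers."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"not a dotted numeric version: {text!r}")
        parts.append(int(piece))
    return tuple(parts)


def at_least(version_text, minimum):
    """
    Component-wise comparison padded with zeros, so '10.14.10' is newer than
    '10.14.4' and '12.2' equals '12.2.0' (string comparison gets both wrong).
    """
    v = parse_version(version_text)
    m = tuple(minimum)
    width = max(len(v), len(m))
    v += (0,) * (width - len(v))
    m += (0,) * (width - len(m))
    return v >= m


def macos_status(version_text=None):
    """
    True  -> Mojave 10.14.4 or later: fixes present
    False -> Mojave older than 10.14.4: update needed
    None  -> not a Mac, or not Mojave. High Sierra and Sierra get the fixes as
             Security Update 2019-002, which does not change the product
             version, so for them the installed-update history has to be
             checked instead of the version number.
    """
    text = version_text if version_text is not None else platform.mac_ver()[0]
    if not text:
        return None
    v = parse_version(text)
    if v[:2] != (10, 14):
        return None
    return at_least(text, MACOS_MOJAVE_FIXED)


def ios_needs_update(version_text):
    """True if an iOS version string is older than 12.2."""
    return not at_least(version_text, IOS_FIXED)


if __name__ == "__main__":
    # Constructed inputs; on a Mac, macos_status() with no argument reads the live version.
    for sample in ("10.14.3", "10.14.4", "10.13.6"):
        print(sample, macos_status(sample))
    print("running host:", macos_status())
```

A None result is the case worth noticing in a fleet report: a High Sierra or Sierra machine that is fully patched and one that is not report the same product version, so the check has to move to the update history rather than stopping at the version string.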

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Q0FOxrPE7qI/

DXC Security exec: Yes, I’d have thought we’d spend more on certs and laptop kit for staff, too

Exclusive A senior exec within DXC Technology’s global security practice has acknowledged his staff’s “puzzlement” at the company’s reluctance to fund examinations for infosec certifications.

Dean Clemons, global SCC services leader at DXC’s Offering division who reports to Mark Hughes, jumped on a conference call with staff on 19 March to inform them there will be no let-up on the expense purge: $60m worth of costs are to be squeezed out of the Security division in fiscal 2020, starting 1 April. He also fielded questions from staff on the wider impact of cost reductions on buying new work kit and on keeping up their qualifications.

Company insiders estimate some 400 heads will roll in the Security business unit during the course of the coming financial year, equating to 8 per cent of the 5,000-strong workforce employed in it.

In a Security, Consulting, Interrogation and Compliance Town Hall meeting, attended by thousands of people in the division – and The Register – Clemons began by reading a disclaimer that “will keep me out of trouble with Work Councils if I misspeak here because a lot of this is fluid. [There are] a lot of dynamics around performance ratings, business alignment, business success or aspirational success.”

He said CEO Mike Lawrie and CFO Paul Saleh had decided the Offering division – one of three in DXC, the others being Build and Deliver – needs to jettison $200m worth of costs.

“We (Security) are the largest group, you can imagine we have a big chunk of that, and our cost takeout intent or objective here is $60m of cost takeout for the Security Offering Group. To do that there will be a lot of structural changes,” said Clemons.

I know I said cost-cutting was over, but…

This was a bit of a climbdown for the exec, who admitted that during one of the previous town hall sessions he had told Security personnel he thought much of the cost-cutting actions were done.

“I was simply wrong,” he said. “I didn’t have the view for FY20, nor what the Wall Street analysts were expecting from us for market share. If you are tracking our market share, I think the market share is up slightly but the price of share has gone up fairly consistently now. The analysts see that we are making the right moves in their mind for the business.”

Wall Street seemingly loves businesses cutting costs to maximise profits.

A general reorg at DXC Security has already taken place, with one source telling us it was “precipitated primarily by a thinning of middle management”, and juggling people into different spots. More sweeping changes are on the cards to reach that $60m target.

“What’s weird is that the emphasis is all on cost reduction. We hardly ever hear any talk about increasing revenue, but maybe they beat the sales folks with a stick,” said one of our legions of DXC insiders.

Staff in the Security division told us the performance review is under way – staff get told of their scores on 31 March – and all the talk of cutting costs cast those discussions in a certain light.

Many employees have not had pay rises for three to four years, either at CSC, HPE ES, or since those companies merged and started trading at DXC in April 2017, sources claimed.

On the conference call, Clemons highlighted four priorities for DXC Security in the soon-to-start financial year: the first is to create “Integrated Solutions” rather than operating in silos, a structure that is “not resonating with the market”.

Others include moving from a “practice specific” setup to one based around “broader industry verticals”, plans to “re-emphasise” the areas of Security that are more profitable (no details on this yet), and a bigger push around Platform DXC, a methodology for how services are delivered.

Clemons said DXC Security is a “great business to be in” and “very dynamic”. He then launched into tub-thumping rhetoric designed to rouse the troops and make everyone feel in control of their own destiny.

“We make decisions on lower-cost centres,” he said. “We make decisions on the labour pyramid index, who we hire consistent with our org structure and objectives. We make decisions on who to submit for promotion because of their ability to handle more responsibility. We control the message to the accounts and the clients, that is all on us. Our success is dependent on ourselves and I find that exciting.”

Redundancy fears

Clemons further added he was aware of the “elephant in the room” – the “sense of vulnerability” staff feel due to the planned redundancies.

“And I get it’s an elephant in the room because we are seeing some of the labour war-room activity around cost takeout; it is a little unsettling. It is a little nerve-wracking in part because we’ve been doing this Q over Q since the end of Q2 now,” said Clemons.

“Remember I joined this organisation in August, so literally every day since I’ve been here, we’ve been in some activity around the sense of this elephant in the room of cost takeout.”

The advice he gave to staff to counter this nervousness? “Just keep on jobbing,” he said.

“We know if we stop and we are reluctant to explore, innovate, then we are dead in this business. If one is not changing and grows intolerant of the dynamic then we are dead. We just won’t survive in this innovative world, so here is my answer: just keep on jobbing.

“Even if you are impacted months down the road, you will know in your heart of hearts that it wasn’t for want of jobbing: keep working hard, innovate, bring solutions, bring recommendations, how do we improve our business.”

Three-quarters of the way into the hour-long conference call, Clemons started to field questions from staff, one of the early ones specifically on training for consultants as it relates to professional qualifications and security certifications.

He admitted DXC had been “really slow” to get its act together by forcing staff to seek “RTA (Request for Travel Authorisation) support” for conferences and to attend exams.

“I think we have the language specific for RTA [to] exams and certifications, now we have that more clear but it isn’t as robust as some of our competitors. Some of our competitors are grandly – even if it is a secondary or tertiary certification, they will pay for it outright. I think DXC, we recognise the importance of it and we encourage self study.

“I found it surprising in that we were not paying carte blanche for certs that are fundamental to our business – CISSP, CISM, ISO 27000. We are revisiting that.”

Clemons said more investment was being funnelled into security certs around IoT and the cloud “to look after the priorities”.

“But I fully recognise the puzzlement of people in our business cocking their head sideways and going ‘What the heck?’, because our competitors do it much more grandly than we do. My view, and I’m an old guy, most of you can tell, so we’ve got to do better there,” he added.

Training? We’ve heard of it…

Historically, both CSC and HPE paid for workers to attain and maintain certs – including CISSP and CISM.

“The trend over the past few years has been on offloading those expenses to employees,” said a person familiar with the setup at DXC. “The whole situation is not clear – I hear some people are paying out-of-pocket, and others have managed to get it through the expense systems.”

He claimed that with the exception of training from the DXC University (aka Skillsport), “paid training is virtually impossible to obtain, and employees are expected to upgrade skills on their own time”.

Staff at DXC’s Security practice are ill-equipped in other ways too, it seems, judging by a question on the conference call that centred on laptop refreshes.

“We cannot do this more poorly,” said Clemons.

He told how Peter Usherwood, director of security consultancy for the UK, Ireland, India and the Middle East, had requested a new laptop because his model is five years old, doesn’t run newer apps and has “latency in it”.

“What I would say is don’t wait. Keep raising those [purchase orders],” said Clemons. “There is some delay, some hesitation, but in the end game, people end up with the right equipment. It might take longer than it used to. Those of you who were in HPE and CSC, there was a different strategy. Cost takeout and cost awareness does add interesting behaviour for things like that but don’t stop doing it, just keep pushing them. And Peter, I approved yours yesterday.”

The process to get a new PC at DXC is to file a request via the ServiceNow platform, which needs to be signed off by a line manager or Clemons himself, otherwise the request is immediately rejected.

CSC, years before it merged to become one-half of DXC, halted its regular refresh cycles, a source claimed. Some staff are still being upgraded to Windows 10, we also heard.

Most Security staff are not given work mobiles or printers, and some “employees gave up” on DXC’s internal procurement department and “use their own PC”, a DXCer said.

“DXC has no idea where confidential customer information is stored,” our contact claimed.

It is understandable why some folk within DXC’s ranks are disillusioned with senior management. One told us: “It’s all about stock prices. Spend on marketing, send execs to the RSA show and keep putting lipstick on the pig, while gutting delivery to cover for lack of revenue.

“Employees and customers suffer. Executives put more money in their pockets. The sad part is that this could be an awesome company. There are still some bright, hardworking people left. But not for long.”

DXC continues to struggle to offset declines in its legacy outsourcing business with newer revenue streams, including cloud and application services.

The company started out with 170,000 employees in April 2017 but at last count, several months ago, this was down to 130,000. This included the departure of a great many former HPE execs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/26/dxc_security_spending/

Asus: Yo dawg, we hear a million of you got pwned by a software update. So we got you an update for the update

Asus has released an update for its software update utility to rid about a million of its notebooks of a spyware-laden software update pushed to victims by its software update system.

And breathe in.

The Taiwanese PC giant on Tuesday published a fresh, clean version of Live Update, a tool bundled with Asus computers that keeps firmware, drivers and BIOS up to date. Users should download and install it. Between June and November last year, during a cyber-espionage campaign dubbed ShadowHammer, someone broke into Asus’s software update servers and hid a backdoor in a copy of Live Update.

When about a million Asus laptops checked in automatically for software updates, they downloaded from Asus’s systems the dodgy copy of Live Update, which was cryptographically signed using Asus’s security certificate, and had the same file length as a previous legit version, so everything looked above board, and then installed it. In effect, these machines were inadvertently fetching spyware over the internet from Asus’s servers, and running it. The compromised utility was designed to snoop on roughly 600 targets, identified by network MAC addresses hardcoded in the binary. Thus hundreds of thousands of Asus notebooks got a dormant backdoor in a compromised download of Live Update, and a few hundred were actively spied on.

The hijacked utility was discovered in January by Kaspersky Lab, and came to light this week. You can use this online tool to check if your machine was actively hijacked, based on your MAC address.
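To make the MAC-address trigger concrete, here is an added example (not Asus’s, Kaspersky’s, or The Register’s code) of the check such a trigger performs and of how a defender can reproduce it offline, which is what the online checker does. Kaspersky reported that the implant carried hashes of the target MAC addresses rather than the addresses themselves; the exact canonical form that was hashed, the use of MD5 over lowercase colon-separated text, and the two target MACs in the list below are assumptions of this example, not values from the real implant.

```python
import hashlib
import re
import uuid

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def normalize_mac(mac):
    """Canonical 'aa:bb:cc:dd:ee:ff' form; raises ValueError on malformed input."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"malformed MAC: {mac!r}")
    return m


def mac_hash(mac):
    """
    Hash of the canonical MAC text. MD5 over this exact string is an assumption
    of this example; the point is that the binary never has to carry the
    plaintext target list.
    """
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


def build_target_list(macs):
    """What an attacker would embed: hashes only, as a constant-time-lookup set."""
    return frozenset(mac_hash(m) for m in macs)


def matching_adapters(host_macs, target_hashes):
    """
    Adapters on this host whose hash appears in the target list. Malformed
    entries (e.g. 'none' for a virtual adapter) are skipped, not fatal, because
    a scan that aborts on the first odd adapter would miss a real hit later.
    """
    hits = []
    for mac in host_macs:
        try:
            h = mac_hash(mac)
        except ValueError:
            continue
        if h in target_hashes:
            hits.append(normalize_mac(mac))
    return hits


def local_macs():
    """
    Best-effort MAC of the primary adapter via uuid.getnode(). A real scan must
    enumerate every adapter (Ethernet and Wi-Fi), since the implant matched any.
    """
    node = uuid.getnode()
    return [":".join(f"{(node >> (8 * i)) & 0xff:02x}" for i in reversed(range(6)))]


# Constructed target list: made-up MACs, not the ShadowHammer list.
TARGET_MACS_CONSTRUCTED = ["00:11:22:33:44:55", "66-77-88-99-AA-BB"]
TARGETS = build_target_list(TARGET_MACS_CONSTRUCTED)

if __name__ == "__main__":
    # Constructed host adapters: one benign, one on the list, one virtual.
    sample_host = ["AA:BB:CC:DD:EE:FF", "00:11:22:33:44:55", "none"]
    print("would have been activated on:", matching_adapters(sample_host, TARGETS))
    print("this machine:", matching_adapters(local_macs(), TARGETS))
```

Run it against every adapter on the machine rather than the single address `uuid.getnode()` returns. For the real list, use the Kaspersky or Asus tools mentioned above; the constructed list here only exercises the logic, and a miss against it says nothing about whether a given notebook was among the roughly 600 targets.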

Now Asus has emitted a non-spyware-riddled version of Live Update for people to install on its notebooks, which includes extra security features to hopefully detect any future tampering.

“Asus Live Update is a proprietary tool supplied with Asus notebook computers to ensure that the system always benefits from the latest drivers and firmware from Asus. A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group,” Asus said today in a statement.

“Asus customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.

“Asus has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism.

“At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.”

Asus also said it had created a scanning tool [.zip file] to let customers check if their PC is among those afflicted. Presumably that download is malware free.

Symantec also confirmed its antivirus tools, like Kaspersky’s, had detected the backdoored Live Update on its customers’ systems. Kaspersky is due to publish a full report into the shenanigans.

From the wording of Asus’s statement, the PC maker seems most concerned about tampering with downloads while they are in transit, in effect thwarting man-in-the-middle attacks. Yet Kaspersky claimed the backdoored utility was hosted on Asus’s own update server, meaning the code was nobbled at the source rather than on the wire, and a valid Asus signature on the file says nothing about that. Asus’s efforts to prevent man-in-the-middle fiddling are all well and good, as long as the PC slinger has also sufficiently shored up the security of its download servers, so updates can’t be poisoned again.

Also, Asus implied in its statement that ShadowHammer was carried out by an unnamed nation’s spies against a particular organization or entity rather than random netizens. It described the intrusion as the work of an advanced persistent threat, which it defined thus:

Advanced Persistent Threat (APT) attacks are national-level attacks usually initiated by a couple of specific countries, targeting certain international organizations or entities instead of consumers.

The fact that network adapter MAC addresses were baked into the backdoored Live Update build suggests the snoops behind ShadowHammer were well aware of the internal operations of their target.

Tim Erlin, veep of product management and strategy for security house Tripwire, noted that Asus did not answer many of the questions netizens will have about the attack, and how they should deal with it.

“While Asus may have released a fix, if you’ve already been compromised that might not be enough. Affected users need to find out whether the attackers have actually targeted them, and then they need to assess the extent of the compromise,” Erlin told The Register.

“This attack leveraged a very broad platform, the Asus updates, but then strategically targeted a small set of those initially compromised for further attack. The fix from Asus doesn’t help us understand who was targeted and why.”

This supply-chain infiltration should not put you off installing security updates from manufacturers and software makers. The advice from experts is keep those automatic patches coming, as these sorts of attacks are extremely rare, though not unheard of, while exploits that hit known vulnerabilities, for which fixes are available, never go away. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/26/asus_live_update_patch/

87% of Cloud Pros Say Visibility Masks Security

The majority of cloud IT professionals find a direct link between network visibility and business value, new data shows.

Most (84%) businesses increased their cloud-based workloads in 2018, but lack of visibility into those workloads could compromise security and business value, cloud experts report. Only 13% of companies surveyed reported the same level of public cloud usage as the previous year.

These findings come from “The State of Cloud Monitoring,” a new report released today by Keysight, which polled 300-plus IT professionals who handle public and private cloud deployments in global organizations across 15 countries. Nearly seven out of 10 respondents said public cloud monitoring is more difficult than monitoring data centers and private cloud environments, and less than 20% said their organizations can properly monitor public cloud environments.

The lack of visibility is masking security threats, according to 87% of respondents. It also leads to a variety of application and network performance issues, including the inability to deliver against service agreements. Most (95%) pros said visibility problems led to an application or network performance issue, and 99% reported they notice a direct link between network visibility and business value.

What problems does this lack of visibility cause? Delays with troubleshooting application performance issues (48%) were most common, followed by delays in troubleshooting network performance issues (40%), an application outage (38%), and the inability to monitor performance of workloads in the cloud (31%), which tied with network outage (31%).

Article source: https://www.darkreading.com/analytics/87--of-cloud-pros-say-visibility-masks-security/d/d-id/1334236?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Under Attack: Over Half of SMBs Breached Last Year

Many small and midsize businesses work faster and harder than large enterprises, but they’re just as vulnerable to cybercrime.

Today, every company, large or small, that does business online is prey for cybercriminals. Unfortunately, the smaller ones (with fewer than 250 employees) and midmarket firms (250 to 499 employees) are often the first to be hit. Moreover, they can serve as springboards for larger hacking campaigns. The bad guys see small/midmarket businesses as low-hanging fruit because they typically have only basic security precautions in place and lack the sort of in-house staff equipped to deal with serious IT threats.

According to Cisco’s “Small and Mighty” Cybersecurity Special Report — drawing on data gathered from 1,816 respondents across 26 countries — more than half (53%) of midmarket companies suffered a security breach in 2018.

As outlined in the survey’s report, respondents worry most about targeted attacks against employees (think phishing), advanced persistent threats (such as new types of malware), and distributed denial-of-service attacks (which flood a company’s servers with so much traffic that they crash).

Cloud Adoption Requires Cloud-Based Defense Strategies
Because they are such attractive targets — and especially since they usually lack knowledgeable IT staff or dedicated network security personnel — smaller businesses need to be extra vigilant and find creative ways to detect and mitigate online skullduggery, and perhaps even more so than their larger counterparts.

In response to these security challenges, many companies are choosing to take advantage of cloud-based security solutions that cost less than the human alternatives. The use of cloud services among smaller businesses is increasing every year. According to Cisco, 55% of these businesses said in 2014 that some of their networks were hosted in the cloud; in 2017, that rose to 70%.

Clearly, rather than doing it themselves, smaller businesses are turning to hired IT guns to provide corporate cybersecurity. According to the survey, 57% use outside advice and consulting; 54% outsource incident response; and 51% employ external firms to monitor security. Not a bad idea in light of the global shortage of cybersecurity talent.

40% of Respondents Taken Offline for More Than Eight Hours
Most of today’s small/midmarket businesses understand that the more complex their product and vendor environment is, the greater their responsibilities. For example, 77% of midmarket businesses say they had trouble setting up alerts. Consequently, only 54% of alerts are investigated, leaving 46% unexamined. Not every unattended alert signals damage, but the ones that do can be catastrophic.

Cisco’s Benchmark Study found that in 2018, 40% of respondents at smaller companies (250 to 499 employees) had eight hours or more of downtime attributable to a major security breach. The research suggests the same occurred in the bigger organizations in the study (500 or more employees). The key difference is that larger firms tend to be better off than their smaller counterparts after an attack because they have more resources to devote to response and recovery. Also, 39% of respondents experienced a severe breach in at least half of their systems. Smaller-scale companies are less likely to have many different locations or business departments, and their critical systems are usually more interconnected.

Recovering from a Cyberattack Can Be Difficult and Costly
Twenty-nine percent of midmarket companies say breaches cost them less than $100,000. A further 20% estimate that breaches cost between $1 million and just under $2.5 million, a number that would probably put an unprepared small/midmarket firm out of business for good.

The Better Business Bureau (BBB) did a recent study to show how much smaller businesses can struggle after a major cyberattack. The BBB asked North American small business owners “How long could your business remain profitable if you permanently lost access to essential data?” A mere one-third (35%) replied that they could stay profitable for more than three months. Over half of them said their financial well would run dry in less than a month.

Security Has Reached the Boardroom
The upside is that cybersecurity is now a common topic of boardroom discussion. Ninety-two percent of midmarket businesses now have a senior person in charge of security in one way or another, as noted in Cisco’s report. A respectable 42% of them have installed a CISO, and another 24% have hired a chief security officer.

Another positive note is that a solid majority (91%) of midmarket firms test their incident response plans at least once a year by running drills. Still, an incident response plan limits the damage once an attacker is already inside; it does not keep attackers out, and they seem to be getting smarter and using more sophisticated tooling every day.

To keep pace with the bad guys, small/midmarket businesses must continue to improve their cybersecurity and acknowledge that even smaller changes are better than no changes at all. The online threat landscape is wide-ranging and always changing, and the targets of attack are increasing in number. In response, security technologies and strategies have to evolve the same way.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across …

Article source: https://www.darkreading.com/attacks-breaches/under-attack-over-half-of-smbs-breached-last-year/a/d-id/1334239?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

10 Movies All Security Pros Should Watch

Don’t expect to read about any of the classics, like ‘War Games’ or ‘Sneakers,’ which have appeared on so many lists before. Rather, we’ve broadened our horizons with this great mix of documentaries, hacker movies, and flicks based on short stories.

Image Source: Adobe Stock- metamorworks

Some may wonder why the computer press makes such a big fuss about hacker movies. Naysayers describe them as old-hat — a formulaic blend of computing and hacking done by societal misfits peppered in with sex, violence, shady and diabolical villains, and an occasional car chase that ends in a fiery explosion. 

That may be true — it is Hollywood, after all — but key people in the industry say hacker movies are important for security people to watch. We agree, which is why we set out to put together such a list.

“These movies are important — and fun to watch — for IT pros who need to keep their networks secure because they mostly get it right and highlight the risks of cybersecurity in a way that communicates to C-level execs,” says Stu Sjouwerman, founder and CEO of security awareness company KnowBe4.

The better hacker movies are really quite realistic, adds Chenxi Wang, founder and general partner at Rain Capital.

“As a hacker, some of the movies have a lot of inside information — jokes that you’d find interesting even if it was a bad movie otherwise,” she says. “The normal public may miss those insider references, but people like us in the trade find it really interesting. Mr. Robot, for instance, had two real hackers consult for the series, so many things are realistic, including using real IP addresses, using real exploit code — things that only people in the trade would pick up.”

And Jeremiah Grossman, CEO at Bit Discovery, says movies such as Snowden can help security pros keep up with important current events. While we selected the documentary about Edward Snowden for our list, there’s no stopping you if you want to see the 2016 biopic directed by Oliver Stone.

“Snowden is a story about the most important and pivotal governmental whistleblower story in modern times — a story that includes computer security, personal privacy, data security, government surveillance, public policy, and national security,” Grossman says. “The ethos of the story is not only compelling but valuable to understand as a working professional in the security field.”

In compiling our list, we combined the opinions of Sjouwerman, Wang, and Grossman, as well as Dark Reading’s staff. All of the writeups have links to the trailers, so if you haven’t seen some of these movies, check them out and let us know what you think.

Let us know your own picks in the Comments section below.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/analytics/10-movies-all-security-pros-should-watch/d/d-id/1334199?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Data Privacy Manifestos: Competitive Advantage or the Start of Something Bigger?

Facebook is the latest company to weigh in with a corporate manifesto focused on privacy. Though it’s a welcome trend, only time will tell how many follow through.

Facebook CEO Mark Zuckerberg became the latest tech leader to release a corporate manifesto focused on digital privacy and the future of the Internet. In a blog post, Zuckerberg outlined his company’s pivot to becoming a “privacy-focused messaging and social network platform.”

After years of data breaches, data mining, and nonconsensual data sharing, technologist manifestos suggest the future of the Internet. Tech giants see the regulatory writing on the wall. Pessimists may see these manifestos as a preemptive strategy, while optimists may point to a cultural shift within the tech industry. Either way, technologist manifestos show the growing prioritization of privacy, which is disrupting business models, branding, and product road maps across the tech industry. While the first step is acceptance, action is required to drive the business and reputational benefits of privacy.

Since late 2017, public opinion has shifted significantly in favor of greater regulation for tech giants. Many point to the Cambridge Analytica data-sharing scandal as the tipping point, but the shift was already underway by the time the public learned about it. Between November 2017 and February 2018, a 15-point shift in favor of data privacy regulation occurred equally across both political parties. Privacy now ranks as the most important social issue for Americans.

These shifts reflect the beginning of a groundswell that led to a year of testimony by Google, Facebook, and Twitter, as well as victims of high-profile breaches, which continued earlier this month, with Marriott and Equifax executives testifying to a Senate subcommittee. As public opinion has changed and executives found themselves interrogated for their own personally identifiable information during testimonies, it became clear that privacy was a competitive advantage for tech companies.

With its manifesto, Facebook joins the ranks of other tech giants in embracing privacy as a competitive advantage. Last year, Microsoft declared its commitment to the EU’s General Data Protection Regulation, extending the privacy rights not just to EU citizens but to its consumers across the globe. This was in sharp contrast to Google and Facebook’s decentralized approach to the regulation, with unequal privacy applications. In November, Apple CEO Tim Cook’s keynote address in Brussels chastised the data industrial complex and reiterated Apple’s commitment to strong privacy laws. He leveraged this platform to distinguish Apple from the tech giants that monetize personal data. And just last month, Cisco advocated for US federal data privacy regulation, and similarly criticized the monetization of personal data.

In each of these manifestos, privacy serves as a business differentiator and is especially aimed at competitors without explicitly mentioning them. The Facebook manifesto is no different. Zuckerberg never mentions Facebook’s ad-based business model and instead takes a stance against working in countries with poor human rights and privacy records. He acknowledges the global diffusion of data localization legislation that requires data stored within sovereign boundaries and often contains a government access component. By refusing to adhere to those policies, Facebook signals that it’s willing to lose market access if it means weakening privacy and security. Following the manifesto’s playbook to distinguish itself from competitors, Facebook punches at both Apple and Google through the secure data storage promise. Apple has been forced to host data and even encryption keys in China to maintain market access, while Google’s Project Dragonfly was working on a Chinese search engine and was revealed only after information about it was leaked. Facebook, which currently does not have a presence in China, can use data storage as a competitive advantage.

Facebook’s manifesto isn’t just pushing back against data localization laws but also the growing global encryption debate. End-to-end encryption across all messaging platforms is a core feature of the manifesto. With frequent reference to replicating this privacy-supporting feature of WhatsApp, Zuckerberg takes a strong stand against countries like Australia, which recently passed a bill requiring access to encrypted data, as well as India, which is currently debating legislation that would require messaging traceability that would ostensibly break encryption.

Facebook is also flipping the Chinese business model on its head. Zuckerberg’s vision includes not just creating a privacy-based platform for messaging and social networks but also aspires for the company to be a one-stop shop for finances, health, and more. By the end of the post, it appears Zuckerberg is attempting to build an American WeChat — the Chinese app that dominates that market but is also linked to the government and often offers personal data when requested from the government.

Looking ahead, we should expect to see more tech manifestos. So far, corporate executives have produced the majority of them. Given the prominence of the FAANGs, it’s likely that Google, Netflix, or Amazon may be next in this trend toward privacy-branding manifestos. But it would be short-sighted to assume only executives produce manifestos; labor also has a voice. Google has already had to contend with one employee manifesto, an open letter protesting Dragonfly, protests against working for the Pentagon, and an employee walkout over gender inequity and the handling of sexual harassment claims. Meanwhile, Microsoft employees sent their executives an open letter demanding the company cancel a $480 million contract with the US Department of Defense.

These manifestos are tightly connected and indicate the significant inflection point affecting the future of the Internet and privacy as a fundamental right. Manifestos alone are great for messaging, but now is the time for action. Too much is at stake to simply give lip service to privacy as a branding exercise. Expect more organizations to see the competitive advantage in pursuing privacy-preserving business models while being forced to decide between market access and privacy as the two conflict with authoritarian legislation. Those that truly follow through on their privacy pledges will be the great disruptors and innovators of this century.


Dr. Andrea Little Limbago is the chief social scientist at Virtru, a data privacy and encryption software company, where she specializes in the intersection of technology, cybersecurity, and policy. She previously taught in academia before joining the Department of Defense, …

Article source: https://www.darkreading.com/vulnerabilities---threats/data-privacy-manifestos-competitive-advantage-or-the-start-of-something-bigger/a/d-id/1334242?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Family tracking app spilled pics, names and real-time location data

A journalist/researcher team has managed to get a highly sensitive database taken down after the mobile app vendor responsible for it failed to acknowledge the problem. The Family Locator app was publishing the real-time location data of 238,000 users for anyone to see.

The app tracks the real-time location of anyone registered on it, enabling families to figure out where their children are, for example. It contains features including geofencing, to tell you when family members reach and leave pre-defined locations.

The app’s FollowMe feature allows you to get up-to-date status on all family members. Did little Johnny reach school? Did mum make it to work ok? And so on. It sounds like a way to ensure that your family is safe, but this app did precisely the opposite.

An insecure MongoDB database, hosted in the cloud, stored real-time, unencrypted location data about all registered members. The instance was reachable from the internet with no authentication, so anyone who found it via a search engine like Shodan could see not only each user’s real-time location, but also their profile photo, name, email address, and password. Attackers could also see the names of the places that were geofenced for each account.
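The failure described above is a deployment mistake rather than a MongoDB bug: a mongod listening on a public interface with authorization switched off answers any query from anyone. The configuration below is an added example, not React Apps’ actual configuration or anything from the article; it shows the exposed setting beside a hardened mongod.conf. The file path and the TLS certificate path are assumptions for illustration. Note that Shodan indexes the MongoDB handshake, so an instance in the first state is typically discovered within hours of going online.

```yaml
# /etc/mongod.conf (assumed path) -- added example, not the app vendor's real config.

# --- EXPOSED: the pattern behind this kind of leak ---------------------------
# net:
#   port: 27017
#   bindIp: 0.0.0.0          # listens on every interface, including the public one
# security: {}               # authorization not enabled: every client is trusted
#
# With the settings above, `mongosh --host <public-ip>` connects and can run
# db.adminCommand({listDatabases: 1}) and dump every collection without a password.

# --- HARDENED ------------------------------------------------------------------
net:
  port: 27017
  # Only accept connections from the loopback interface and the private
  # address of the application server. Never 0.0.0.0 for a database.
  bindIp: 127.0.0.1,10.0.1.5        # 10.0.1.5 is an assumed private app-server address
  tls:
    mode: requireTLS                 # encrypt location data in transit as well
    certificateKeyFile: /etc/ssl/mongod.pem   # assumed path to the server cert+key

security:
  # Require every client to authenticate and be granted a role. An admin user
  # must be created (via the localhost exception) BEFORE this is turned on,
  # otherwise you lock yourself out as well.
  authorization: enabled

# Application users should get the narrowest built-in role that works,
# e.g. readWrite on the app database only, never root or clusterAdmin.
```

To verify the fix from outside the network, run `mongosh --host <public-ip> --eval 'db.adminCommand({listDatabases: 1})'`: an exposed instance returns the database list, a hardened one either refuses the TCP connection (bindIp) or returns an Unauthorized error (authorization). Enabling authentication also does nothing about the passwords themselves; credentials stored alongside user profiles must be hashed with a slow, salted algorithm such as bcrypt or Argon2, so that a copy of the database does not hand an attacker every account in plaintext.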

This means that anyone checking out this family safety database could easily see what your 13-year-old daughter looked like, where she lives, where she goes to school, and the route she takes to get there every morning.

Sanyam Jain, a researcher for the GDI Foundation, found the database and reported it to TechCrunch. The Foundation is a nonprofit organization whose volunteers identify and report risks found online.

The app is operated by React Apps Pty, which says on its website that it is based in Melbourne, Australia. It lists no contact information and has a privacy-cloaked WHOIS address.

TechCrunch purchased its business records and tried to contact its owner, Sandip Mann Singh. It also tried the company’s feedback form but got no reply either way.

TechCrunch’s Zack Whittaker did more than just report this. Given the sensitive nature of the case, he worked to get it taken down. He contacted Microsoft, which was hosting the offending MongoDB instance, and had it taken offline.

Applause goes to the GDI Foundation and to Whittaker for following this through to its conclusion.

Not every such story ends well, though, and it’s not the only case where people who publish sensitive data online don’t respond. In some cases, it isn’t even clear who left the databases there in the first place.

We’ve reached the point where it’s possible for a company to gather large amounts of data from trusting users and then put them at immense risk through negligence or incompetence.

This incident could have gone another way entirely. This journalist/researcher team may not have been able to get the database taken down. Jain may never have found it at all. Someone might have stumbled across the database before Jain did and stolen enough information to begin targeting victims.

How do we ensure developers and administrators behave responsibly with customers’ data?

Jain has his own thoughts on this:

What are yours?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FK1OGJfEnPU/

Tech giants back bill that privacy advocates claim is toothless

Washington state is on the road to passing a privacy bill that tech giants think is great and that the American Civil Liberties Union (ACLU) thinks is toothless.

Shankar Narayan, director of the Washington ACLU’s Technology and Liberty Project, clashed with the bill’s sponsor, Washington State Senator Reuven Carlyle, on Thursday during a panel discussion that featured privacy and antitrust experts.

That panel was hosted by the Seattle media organization Crosscut. As Crosscut reports, Carlyle has said that his proposed bill, which will address how companies collect and share internet users’ data, borrows best practices from the privacy bills we now have: the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA).

The proposed bill recently cleared the Washington State Senate and is now being considered in the State House.

A global, de facto standard?

In January, the bill’s backer, Sen. Carlyle, said the law is designed to take best practices for collecting and sharing users’ data “from around the world.”

The proposed law could have repercussions that spread far beyond the state. Microsoft President Brad Smith – who’s recently been calling for laws about the use of facial recognition and stumping for this Washington bill – recently said that he believes the law could become a de facto standard globally, given that it would rule tech giants such as Microsoft and Amazon, which are both based in Washington.

But beyond that, the Washington law would also affect companies that aren’t based in the state: any company that does business in Washington and that either processes the data of 100,000 or more consumers or derives half its revenue from the sale of personal data. Insurance Journal quoted Smith in a February article:

If it passes, it takes an important and much needed step to be a regulatory foundation for facial recognition technology and create a model that can be considered by other states and countries.

Or then again, it could be a step backwards

Privacy advocates disagree: Washington’s proposed bill would, in fact, be a step backwards from the CCPA or GDPR and wouldn’t go nearly as far when it comes to protecting consumers, they say.

“Nobody wants data privacy for consumers more than we do,” Narayan said during the panel last week. However, he added that this bill won’t get us there and is just masquerading as one that would.

At the heart of the disagreement is whether consumers will, in fact, be able to delete their data under the new law, or whether the law would present companies with myriad ways to wriggle out from that requirement, as Narayan points out:

The company can continue to use my data because there’s so many exemptions and loopholes. They can just find one and override my consent.

Carlyle, sitting next to him, accused the ACLU of having the “luxury” to “make perfect be the enemy of the good,” adding:

I live in the world of making meaningful steps forward.

Narayan’s response:

I also live in the real world. Perhaps as a brown person, I live in a realer world, in some ways, in terms of the impact of face surveillance. We would take a step forward on both data privacy and face surveillance but Microsoft and other tech companies have had, undoubtedly, an outsized influence on this conversation just because they have a lot more lobbyists.

Narayan’s reference to being a “brown person” may relate to studies that have found that black faces are disproportionately targeted by facial recognition technology. The algorithms themselves have been found to be less accurate at identifying black faces, particularly those of black women.

It’s because of such research findings that New York City in December 2017 passed a bill to study biases in the algorithms used by the city for public services.

The ACLU knows first-hand how prone to error the technology is: it’s tested Amazon Rekognition, the company’s facial recognition technology, which is used by police in Orlando, Florida, and found that it falsely matched 28 members of Congress with mugshots.

Microsoft lawyer begs to differ

In response to Narayan’s comments, Julie Brill, Microsoft’s general counsel for privacy and regulatory affairs, said the bill is “a meaningful and important step in the right direction.”

Today, there is an urgent need for new, comprehensive privacy laws that provide strong protections for consumers within a framework that enables innovation to thrive.

Is the fox setting up the henhouse-guarding legal framework?

Carlyle said that he takes exception to Narayan’s charge that the bill has been “designed and written in a corporate environment” – a response to Narayan’s saying that tech giants are backing “watered down” state-level regulation so that they can eventually…

…go to the feds and say, ‘look, this patchwork of laws isn’t working. Let’s enact something even weaker.’

The ACLU had thrown its support behind a separate privacy bill in the state earlier in this legislative session. It would have called for stronger data regulations and a ban on facial recognition technology until it could be vetted for bias against people of color and other historically marginalized groups. Narayan said:

Unfortunately, Microsoft came and lobbied against that bill while supporting an enabling approach that will end us up with a face surveillance infrastructure in a lot of public places.

As goes the state, so goes the country: In February, the US House and Senate were debating a new, nationwide data privacy law. Privacy rights advocates complained that the debate was similarly near-monopolized by corporations, leaving consumers and groups such as the Electronic Frontier Foundation (EFF) out of the conversation.

From the EFF’s India McKinney and Katharine Trendacosta:

Last year, the US Senate held a hearing about consumer privacy without a single voice for actual consumers. At the time, we were promised more hearings with more diverse voices. And while a hearing a month later with consumer advocates did seem to be a step forward, this week’s two hearings – only mostly full of witnesses from tech companies – make us worried about a step back.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/E5ihhAW2EC8/