STE WILLIAMS

Facebook Plans Makeover as Privacy-Focused Network

CEO Mark Zuckerberg published a lengthy post detailing the company’s shift from open platform to privacy-focused communications.

Facebook chief executive Mark Zuckerberg thinks the future of communication is in private, encrypted services, and he’s adjusting the company’s historically open platform to reflect it.

For the past 15 years, Facebook and Instagram have been geared toward public sharing. Now, their leader says he anticipates future versions of Messenger and WhatsApp will be the primary ways people communicate on the network, and both will be built with end-to-end encryption. He also plans to build more ways for people and businesses to communicate privately.

“I believe a privacy-focused communications platform will become even more important than today’s open platforms,” Zuckerberg wrote in a lengthy Facebook post on the news. He noted that private messaging, ephemeral stories, and small groups are “by far” the fastest growing areas of online communication. While public networks will continue to be important, he acknowledged an opportunity to create a simpler platform primarily focused on privacy.

Zuckerberg outlined different ways Facebook could buckle down on privacy through feature changes; for example, private interactions and encryption. He said messages could be deleted after a month or year by default, with the option for users to set time limits on expiration. He also admitted it makes sense to limit the amount of time Facebook stores messaging metadata – and that an important part of the solution is to “collect less personal data in the first place.”

He anticipated industry watchers would react to his news with skepticism: “I understand that many people don’t think Facebook can or would even want to build this kind of privacy focused platform,” he noted, admitting that the company doesn’t have a reputation for building privacy-oriented services and has always been focused on tools for open sharing.

The post reflects efforts by Facebook to readjust following a turbulent few years under the spotlight, which has caused many users to distrust the social networks’ use of their data and led to several legal battles. It remains to be seen whether these promises will become reality.


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/facebook-plans-makeover-as-privacy-focused-network/d/d-id/1334094?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

eSentire: Boost Security with Managed Detection & Orchestrated Response

By integrating endpoint security with network security, end-users can reduce their risk and greatly improve their overall security, says Ashley Fidler of eSentire. For managed detection to deliver an orchestrated response, they must tap a reliable framework for decision-making and management, she adds.

Article source: https://www.darkreading.com/esentire-boost-security-with-managed-detection-and-orchestrated-response/v/d-id/1334087?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Raytheon IIS Seizes the Moment with Cybersecurity as a Service

Tapping the flexibility and reach of the cloud makes good sense for customers, according to Jon Check, senior director, cyber protection solutions for Raytheon Intelligence, Information and Services. Cybersecurity as a Service (CYaaS) ensures both data resilience and cyber resilience by integrating analytics and automation features into the mix.

Article source: https://www.darkreading.com/raytheon-iis-seizes-the-moment-with-cybersecurity-as-a-service-/v/d-id/1334097?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Regular User Awareness Training Still the Best Security Tactic

Email continues to be the largest area of exposure for most organizations, and phishing emails lead the charge, according to Stu Sjouwerman, founder and CEO of KnowBe4. And while AI and machine learning can make a difference, these same tools are used by the bad guys, Sjouwerman adds. Regular, monthly trainings help reduce phishing click rates.

Article source: https://www.darkreading.com/regular-user-awareness-training-still-the-best-security-tactic/v/d-id/1334098?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

4 Ways At-Work Apps Are Vulnerable to Attack

Collaboration applications make users and IT teams more efficient. But they come with an added cost: security.

They haven’t completely replaced phone calls or email, but communication and collaboration apps are becoming increasingly popular. For workers today, who are in and out of the office, working on the go, with multiple team members, it’s all about convenience and ease of use. Many rely on Slack, Google Hangouts, Box, SharePoint, and other applications to communicate, share files, and collaborate on projects to get their work done in the most efficient manner possible.

For IT teams, there’s an added bonus: Collaboration apps are meant to be easier to manage than local servers. The brand responsible for the app takes care of outages or any other disruption; it ensures that communications are backed up and that the system is secured from data loss. Since the brand specializes in its tool, it will have the resources to ensure that things run smoothly and safely.

That’s the promise, at least — but the reality is different. A study we conducted in 2018 with 500 enterprise IT decision-makers, managerial level and above, who are involved in cybersecurity efforts in medium and large enterprises revealed that two-thirds of responding companies have been attacked via collaboration tools in the last 12 months, and three-quarters believe the sophistication of such attacks is increasing. Here are some reasons why such tools may be more of a burden than a boon security-wise:

Phishing is a favorite. Attackers have already had great success using phishing techniques. According to the 2017 Verizon data breach report, as many as 95% of security breaches have their origins in socially engineered phishing attacks. Collaboration-tool phishing attacks are takeoffs on the “classic” email scam; rather than send a malicious URL via email, attackers can instead send it through messaging services. The message could come from an insider threat, a third party, or stolen credentials. Interactions via messaging are typically very quick and immediately trusted, meaning users may be less likely to think twice before clicking.

Email and notifications. When you’re out of the office, common corporate courtesy dictates that you let people know that you’re not available to meet with them — and for that, there is the out-of-office auto-reply, in which you inform people who sent you messages (via email or collaboration app) that you’re away. The problem, of course, is that the auto-reply is sent in response to all messages that an inbox gets — and if that response is received by a thief, you could be tipping him off that it’s open season on your house.

You can’t see them? Doesn’t mean they aren’t there. Besides messages with “poison links,” hackers have had great success in sending their malware to victims via files and documents emailed directly to victims’ mailboxes. With a bit of social engineering, hackers can get their prey to open the document, thus unleashing the malware. Advanced hacking techniques enable bad actors to hide malware in macros or scripts of the poisoned document — places that antivirus and other security systems cannot penetrate. Once the document is opened and uploaded to the collaboration platform, the malware can easily spread to anyone else who accesses that document.

For example, if the malware comes in the form of a keylogger, the malware will attach itself to individual users’ systems when they access the shared document. If they access it from inside the organization, the keylogger will be able to collect and send back to the hackers each user’s corporate login. If one of those logins belongs to an administrator, it’s just a matter of time before the hackers get their hands on anything and everything.

Who said that? With the credentials to a collaboration account in hand — obtained perhaps by tricking a member of the group into giving up their name and password — hackers could perpetrate all sorts of mayhem by posing as an employee. (Typically, all it takes is a message from “tech support” saying they need the information.) Then, using the private messaging component of a collaboration app, a skilled hacker could pump a member of the group for information about a contract, event, or other important data. When coupled with the techniques that hackers use to attack organizations via collaboration platforms, the result is a one-two punch that enables them to do what they want, when they want.

Collaboration tools clearly provide great benefits for organizations — but they also provide hackers with a path to compromising IT systems. It’s unlikely that companies will give up on collaboration tools, which have opened a whole new window on productivity for both employees and organizations.

What to do? In any human exchange, caution is always warranted — especially if it’s done electronically. Before opening a document or a link, employees must ensure that they are not walking into a hacker-laid trap. Context can be important here; documents and links that seem out of character for a project should raise suspicions, and teams should work out a code that will indicate that a communication they receive is a legitimate one (i.e., a naming convention for files, using Google shortcuts for all links, etc.).

And, of course, organizations should implement defensive systems for situations where hackers do get through, despite the caution employees exercise. Collaboration tools are definitely a blessing for modern business — and the task today is to ensure that they don’t turn out to be a curse as well, sentencing companies to an eternity in hacker hell.


Yoram Salinger is the CEO of Perception Point, leading the company’s growth, strategy and management. He previously served as the CEO of Redbend and Netgame, as well as the COO of Algorithm Research, where he headed marketing and sales for Europe and the Far East.

Article source: https://www.darkreading.com/application-security/4-ways-at-work-apps-are-vulnerable-to-attack/a/d-id/1334022?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Schneier: Don’t expect Uncle Sam to guard your web privacy – it’s Europe riding to the rescue

RSA Conference: If you’re looking to the US government to save your electronic privacy, don’t hold your breath: Europe looks to be the real hero in this fight.

That’s according to, well, quite a few of you, we reckon, but also crypto-guru Bruce Schneier, who was speaking at 2019’s RSA Conference in San Francisco on Wednesday. He warned the audience that there was no way Uncle Sam was going to risk upsetting homegrown data-slurping cash-cows like Facebook with any meaningful regulation or safeguards on the sharing of personal information. Europe, meanwhile, was leading the march on data harvesters, he said.

“The EU is the regulatory superpower on the planet,” Schneier told The Register. “We won’t be regulating surveillance capitalism in the US, it’s too profitable. If you want that done, then look to the EU.”

Because the EU is such a large market, the laws it introduces have a knock-on effect for folks worldwide. Many companies have implemented the union’s GDPR privacy protections for all customers, rather than attempt to work out who is covered and who isn’t.

While GDPR has its faults, he said, it was at least a move in the right direction. In America, certain states, such as California and Massachusetts, are setting up, or have set up, similarly strict privacy and data-protection laws, which was encouraging – but there is a looming danger, he warned. A nationwide federal online privacy law could run roughshod over individual states’ attempts to guard people’s private info from misuse.

“The biggest danger to privacy will be a mediocre federal law that preempts state laws,” Schneier said. “We need to watch for that.”

Baffled

The reason for this American impasse, Schneier said, was that politicians stateside don’t have a clue about the internet, and how it works and can be abused. He reminded us of the recent Facebook hearings in Congress during which most legislators seemed baffled by the very technology they were supposed to be investigating.

Schneier said Silicon Valley hasn’t done enough to educate our political classes about the latest platforms and ways of doing things online – though, the tech goliaths are more than happy to put in plenty of lobbying dollars and hours to get their own way with legislation.

The infosec expert suggested there was a need for public-interest technologists: people who know a thing or six about technology who can work with policy makers, independently on behalf of netizens, to inform legislators’ decisions without big corporations sticking their oars and checkbooks in.

We’ve faced this before, he claimed, with the legal profession. Fifty years ago, very few lawyers did pro-bono consumer legal cases, but now 20 per cent of Harvard law graduates apply for such work, and there are many lawyers who take big pay cuts to litigate in this area. In other words, if some lawyers can put the public interest ahead of their personal bank accounts for a bit, so can tech experts.


And it shouldn’t be left to public-spirited eggheads. The big names of Silicon Valley could, and should, put forward advisers, too, who have their users’ interests at heart rather than their bosses’, he said. Google’s 20 per cent policy, whereby staff get a day a week to work on their own projects, would be ideal for this, and other technology companies could follow suit for some of their employees.

Such a move may also give technology workforces a better ethical grounding. Schneier cited the internal protests at Google over the development of weaponized AI as an example of some of tech land’s engineers waking up to the ethical consequences of their work.

One snag in all of this, we reckon, is that tech companies fielding employees to advise policy makers may just look like intensified lobbying in the eyes of the outside world. And also, the conflict of interest is a non-starter: you can’t be on Oracle, Facebook or Microsoft’s payroll, say, while dishing out information and recommendations on regulating your employer.

However, Schneier is confident techies are waking up to the damage they are potentially causing, and that may lead to some rebelling or persuading some executives to change course.

“Everything we do has a moral dimension, and we need to accept and engage with it,” he said. “It’s hard in security because every tool we build has a dual use and can do bad things in the wrong hands. We aren’t responsible for every single use, but we are responsible for the world we create with our technologies.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/07/policy_technology_schneier/

TalkTalk kept my email account active for 8 years after I left – now it’s spamming my mates

TalkTalk has refused to delete a former customer’s email address which was taken over by spammers – because the unfortunate person cancelled their contract eight years ago.

The customer, Joanne, was contacted by her friends after they started receiving spam from an old email address of hers. After digging out the account details, she found that she was able to log in – suggesting that her password had been brute-forced by the spammers.

While she was able to log in, the webmail interface provided by TalkTalk did not allow her to change her password. To do that, the user has to log into the separate TalkTalk account portal, which is not possible for someone who is no longer a customer.

A Reg-reading friend of Joanne’s, Daniel Gibbs, then had a look at her account. He told us that once the spammers had cracked the account password and harvested the contents of the address book, they began “sending out emails to the harvested email addresses – in this case the emails look more genuine than usual as the emails contain the subject line from a previous conversation. The emails contain a URL disguised as a hyperlink to a .pdf or .img file”.

In emails seen by The Register, TalkTalk refused to take any action unless Joanne posted two separate proofs of her identity to TalkTalk’s Salford HQ.

“Unfortunately we can not act on your query as you no longer have an account with TalkTalk,” a customer service advisor said in an email to her. “Please contact your services provider so that they will help to investigate on your issue or request for a IT to look into this issue to come up with a resolution.” [sic]

Gibbs commented: “Personally I would not be prepared to send two forms of ID to a company which has no current formal relationship or contract with me, and additionally has a track record of being catastrophically inept in protecting the data of its customers.”

The Register has passed full details of Joanne’s case to TalkTalk. The ISP acknowledged receipt but has not yet sent us a statement about why it refused to delete her account when she asked it to. Nor has it explained why an account that had been inactive for eight years wasn’t deleted after the customer walked away.

Gaining access to a legitimate email account is a valued thing for spammers, and sending attachments to recent email conversations is one convincing method of getting past anti-phishing awareness training (“Do you know this sender? Have you interacted with them before?”). In this case it was pure luck that Joanne’s account had been inactive for eight years and that recipients of the booby-trapped attachments knew instantly something was amiss.

The standard advice is never to open unsolicited attachments unless you know the sender and are expecting their email. Verifying that someone really has just sent you a file titled compromising-pics-of-the-boss.pdf takes mere seconds in this day and age.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/07/talktalk_8_yr_old_email_account_still_active/

Contrast Security Boosts App Security with Self-Protecting Software

Vulnerability rates in application software remain as high as they were 15 years ago, according to Jeff Williams, CTO of Contrast Security. But by injecting intelligent agents into code, application software gets instrumented with thousands of smart, agile sensors that detect and correct vulnerabilities before deployment and protect apps in operation.

Article source: https://www.darkreading.com/contrast-security-boosts-app-security-with-self-protecting-software/v/d-id/1334095?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Code42: Data Loss Protection is the New DLP

Data loss protection helps companies get more proactive than data loss prevention and will help customers in an era of Big Data, says Vijay Ramanathan of Code42. Data loss protection helps with both time to awareness and time to response; its reliance on automation also means greater volumes of data can be managed.

Article source: https://www.darkreading.com/endpoint/code42-data-loss-protection-is-the-new-dlp/v/d-id/1334084?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

AT&T Cybersecurity Ensures Companies SOAR with Security Strategy

SOAR, or Security Orchestration, Automation and Response, helps customers ensure the sanctity of their infrastructure, data and end-users, according to Sanjay Ramnath, vice president, product marketing, of AT&T Cybersecurity. Integrating analytics, automation and threat intelligence helps customers eliminate the seams where the bad guys get in.

Article source: https://www.darkreading.com/atandt-cybersecurity-ensures-companies-soar-with-security-strategy/v/d-id/1334096?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple