STE WILLIAMS

JPMorgan doesn’t trust YouTube to keep its ads out of sketchy channels

Last March, Google found itself apologizing to many of its YouTube advertisers.

It was apologizing to their backs. They were running for the hills. Brands such as Marks & Spencer, McDonald’s, L’Oreal, Audi, Tesco and the BBC pulled ads that had wound up running alongside videos from rape apologists, anti-Semites, hate preachers and IS extremists.

The most recent YouTube ad scandal landed in November, when an investigation by the BBC found that a glitch in YouTube’s tool for tracking obscene comments on kids’ videos meant the tool hadn’t been working right for over a year. Meanwhile, an investigation by The Times found that YouTube ads were funding the habits of perverts.

Google’s response: sorry, we’ll do better!

Eight months later, the response from the advertisers: You’re not doing enough, and you’re not doing it fast enough.

Speaking at London’s Advertising Week Europe in March, Google’s European chief Matt Brittin said that the company was looking to give advertisers easier control over where their ads appear, that 98% of flagged YouTube content was being examined within 24 hours, and that it could, and would, do even better. However, observers noted that Brittin didn’t say anything about devoting staff to proactively seek out inappropriate content instead of just jumping on it after users had already seen and flagged it.

Since then, Google has announced other fixes, such as restricting ads only to creators and channels with 10,000 views and hiring larger numbers of people to monitor unsuitable videos, among others.

Sorry, that doesn’t cut it, say some advertisers, including JPMorgan Chase. The bank pulled its ads in March, got sick and tired of waiting for Google to fix the mess, and finally said, Forget it: we’ll fix this ourselves.

The result, as reported by Business Insider UK, is a proprietary algorithm the bank built that’s designed to select allowlisted, “safe” channels to run ads on.

Out of more than 5 million YouTube channels, JPMorgan Chase winnowed the list down to 3,000 YouTube channels on which it can countenance having its ads appear.

The bank’s algorithm plugs into YouTube’s application programming interface (API) to select safe channels. It was built by the company’s internal programmers and media-buying teams.

As Business Insider describes it, there are 17 layers or filters involved.

One of the filters, for example, looks at the total video count on a channel, which automatically sifts out channels with one-off viral videos. The bank also looks at channels’ subscriber counts, the general topics channels focus on, language, and even the comments on different channels’ videos.

The allowlisting began in March, when JPMorgan Chase culled the pre-approved list of sites to run ads on from 400,000 down to 5,000. Currently, it reportedly runs ads on 10,000.

The bank started working on the YouTube algorithm in August and rolled it out in October. And, it’s claiming a success rate of 99.9%. JPMorgan is still conducting manual checks on those channels and tweaking the tool to ensure it’s foolproof.

Business Insider quotes Aaron Smolick, executive director of paid-media analytics and optimization at JPMorgan Chase, who said that Google’s method of monetizing YouTube may work fine for Google, but it isn’t working for his company:

The attention of protecting a brand has to fall on the actual people within the brand itself.

That’s a proactive approach to dealing with Google’s YouTube mess. But some advertisers have chosen instead to get off YouTube and stay off until Google manages to keep their ads away from content promoting terrorism and hate.

It hasn’t happened yet. Speaking at Business Insider’s IGNITION Conference in November, AT&T chief brand officer Fiona Carter confirmed that the company still hasn’t returned to YouTube. Other advertisers keeping their distance include Priceline, Kimberly-Clark, Squarespace and Casper, according to data from ad analytics platform MediaRadar cited by Business Insider.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Jb3YV_O-_wU/

Microsoft could soon be “password free”

As each New Year rolls by, someone somewhere usually predicts the death of passwords as a trend for the coming months.

Every year so far, they’ve been proved wrong – somehow passwords cling on despite an exhausting list of maladies, mostly to do with how easy they are to forget, steal and misuse.

The moral would seem to be never to listen to predictions about passwords. However, post-Christmas comments by Microsoft chief information security officer Bret Arsenault offer a small but tantalising sign that the password age might finally be nearing its end.

The evidence is usage figures for Windows Hello, the company’s technology for authenticating Windows users using facial recognition.

Arsenault said that Hello, launched in 2015 as part of Windows 10, was now the default way for the company’s 125,000 employees to log into computers.

The majority of Microsoft employees already log in to their computers using Windows Hello for Business instead of passwords. Very soon we expect all of our employees will be able to go completely password free.

No surprise that Microsoft might champion its own security technology, but Arsenault goes on to make an argument for replacing passwords that will strike a chord among professionals who manage credentials.

For several decades, the industry has focused on securing devices […] but it’s not enough. We should also be focused on securing individuals. We can enhance your experience and security by letting you become the password.

Whatever one thinks of Windows Hello, or biometrics in general, his observation sounds fair.

Passwords were created for a world of devices and systems, not one in which the need to verify a person’s identity in real time using something more substantial than a string of characters has become pressing.

One view is that multi-factor authentication (MFA) does this without the need to abolish passwords completely, but the counter argument is that leaving passwords in place is unnecessary, complicated and needlessly insecure.

Better the clean break with the past. As Microsoft says in its Hello marketing spiel – “you are the password.”

A caution is that while facial ID systems abolish passwords – unique data hopefully known only to the user – they don’t abolish the fact that discrete data must ultimately underpin this.

In the case of Hello, that’s biometric data, which has to be stored somewhere, which Microsoft recently made clear should be inside a Trusted Platform Module (TPM) chip.

As November’s scare over Infineon TPMs reminded us, these are not invulnerable. Changing a compromised password is hard enough but doing the same for a lost face, finger or voice print might be impossible.

Nor, ironically, has Hello itself been immune from security worries, such as the recent research that found that it could be spoofed by nothing more complicated than a specially-made infra-red photograph of the account holder.

Ironically, the research served to underline how hard it would be to defeat Hello under real-world conditions.

Getting hold of a high-definition IR photograph of an account holder wouldn’t be trivial, while some of the technical weaknesses revealed by the attack were connected to the immaturity of the camera hardware Hello needs for facial recognition (some don’t support Hello’s advanced anti-spoofing).

It could be the cost and maturity of facial recognition cameras that presents the biggest barrier to Hello, not a reluctance to let go of passwords.

As Microsoft notes:

Already, roughly 70 percent of Windows 10 users with biometric-enabled devices are choosing Windows Hello over traditional passwords.

Which perhaps begs the question of why 30% of users who’ve invested in a camera aren’t using it with Hello.

Perhaps what will unshackle users from passwords will be a patchwork of biometric systems (see Apple’s Face ID as a leading contender), of which Hello will only be one. However much security this claims to add, it won’t necessarily be simpler or cheaper for users.

Will anyone miss passwords when they eventually disappear? That seems unlikely, but at that probably far off moment there will be plenty of people feeling very nostalgic for the simpler world they served.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0E38lxs7l6c/

Dell EMC patches 3 zero-days in Data Protection Suite

Three vulns in Dell EMC’s Data Protection Suite product that can combine to fully compromise a virtual appliance have been patched by the vendor.

Security consultancy Digital Defense Inc, which sniffed them out, said Dell EMC Avamar Server, NetWorker Virtual Edition and the Integrated Data Protection Appliance had a common component in Avamar Installation Manager (AVI). It’s AVI that is affected by the three bugs.

Digital Defense said the three vulnerabilities included:

  1. An Authentication Bypass in SecurityService;
  2. An Authenticated Arbitrary File Access in UserInputService; and
  3. An Authenticated File Upload in UserInputService.

The researchers said that logging in to the Avamar service involved user authentication performed via a POST request that included a username, password, and wsUrl parameter. Digital Defense explained that the wsUrl parameter could be an arbitrary URL, to which the Avamar server would send an authentication SOAP request containing the user-provided username and password. If the Avamar server received a successful SOAP response, it would return a valid session ID. An attacker exploiting the vuln would therefore not need any specific knowledge about the targeted Avamar server to generate the successful SOAP response: a generic, validly formed SOAP response would work for multiple Avamar servers.
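The flaw described above, reduced to a runnable sketch (an added example, not Avamar or Digital Defense code): the vulnerable handler lets the request name the endpoint that vouches for it, while the hardened one takes the endpoint from server configuration and reports any mismatch. AUTH_ENDPOINT, soap_authenticate and the login_* functions are hypothetical, and the SOAP call is simulated.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical configuration: the only authentication backend this server trusts.
AUTH_ENDPOINT = "https://127.0.0.1:9443/services/auth"

# Constructed credential store standing in for the real authentication service.
_USERS = {"admin": "correct horse battery staple"}


def soap_authenticate(url, username, password):
    """Simulated outbound SOAP authentication call; True means a 'success' reply.

    The trusted endpoint checks credentials. Any other URL models a responder
    chosen by the caller, which returns a well-formed success to everything.
    """
    if url == AUTH_ENDPOINT:
        expected = _USERS.get(username)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
    return True


def login_vulnerable(form):
    """Behaviour the article describes: the request picks who vouches for it."""
    if soap_authenticate(form["wsUrl"], form["username"], form["password"]):
        return secrets.token_hex(16)  # session ID
    return None


def _same_endpoint(candidate, trusted):
    """Compare parsed scheme, host, port and path rather than raw strings."""
    try:
        a, b = urlsplit(candidate), urlsplit(trusted)
        return (a.scheme, a.hostname, a.port, a.path) == (
            b.scheme, b.hostname, b.port, b.path)
    except ValueError:  # malformed URL or out-of-range port
        return False


def login_hardened(form):
    """Return (session_id, log_message); the endpoint comes from configuration."""
    supplied = form.get("wsUrl")
    if supplied is not None and not _same_endpoint(supplied, AUTH_ENDPOINT):
        # Worth alerting on: a legitimate client never needs a different endpoint.
        return None, "login rejected: wsUrl %r is not the configured endpoint" % supplied
    if soap_authenticate(AUTH_ENDPOINT, form["username"], form["password"]):
        return secrets.token_hex(16), None
    return None, "login rejected: bad credentials for %r" % form["username"]


# Constructed requests: one naming a caller-chosen endpoint, one legitimate.
FORGED = {"username": "admin", "password": "x",
          "wsUrl": "https://responder.example/auth"}
LEGIT = {"username": "admin", "password": "correct horse battery staple",
         "wsUrl": AUTH_ENDPOINT}

if __name__ == "__main__":
    print("vulnerable, forged:", login_vulnerable(FORGED) is not None)
    print("hardened, forged:  ", login_hardened(FORGED))
    print("hardened, legit:   ", login_hardened(LEGIT)[0] is not None)
```

The log message returned by the hardened handler doubles as a detection signal: any login request carrying an endpoint other than the configured one is worth an alert.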

All three vulnerabilities could be combined to fully compromise the virtual appliance by modifying the sshd_config file to allow root login, uploading a new authorized_keys file for root, and a web shell to restart the SSH service. The web shell could also run commands with the same privileges as the “admin” user, the researchers said.

The weaknesses are referred to as an authentication bypass vulnerability (CVE-2017-15548), an arbitrary file upload vuln (CVE-2017-15549), and a path traversal vuln (CVE-2017-15550).

Dell’s security advisory is here (ESA-2018-001, but requires Dell EMC Online Support credentials).

Mike Cotton, vice president of engineering at Digital Defense, said Dell EMC had worked with his firm to “identify additional product versions impacted and collaborated to resolve and verify the fixes for the security issues”.

A Dell spokesperson sent us a statement:

“Dell EMC is aware of the identified vulnerabilities; we’ve prepared security fixes to address them and alerted our customers.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/05/dell_data_protection_suite_patched/

New Adware Discovered in 22 Apps in Google Play

The ‘LightsOut’ adware is found in flashlight and utility apps, which have been downloaded between 1.5 million and 7.5 million times.

New adware dubbed “LightsOut” is making the rounds in Google Play, hiding in 22 flashlight and utility apps that have been downloaded up to 7.5 million times, reports Check Point Research, which made the discovery.

LightsOut embeds its malicious script into flashlight and utility apps that appear legitimate. It then hides its icon when the app is launched, making it difficult for the user to remove the adware.

Although the malicious app offers users a control panel and checkbox to disable additional services, such as displaying ads, LightsOut can override users’ efforts. As a result, the persistent ads do not appear related to the control panel and checkboxes, reports Check Point.

Any Wi-Fi connection, a locked screen, a cell phone call that ends, or a charger plugged into a device can trigger the LightsOut adware, according to Check Point.

Read more about LightsOut here.


Article source: https://www.darkreading.com/threat-intelligence/new-adware-discovered-in-22-apps-in-google-play/d/d-id/1330750?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Children at ‘significant’ social media risk

Slime.

It’s the most beautiful, satisfying, relaxing thing I’ve ever seen, and it proves that children are geniuses, because they’re smart enough to make it and smart enough to watch online slime videos.

Says 11-year-old Alina:

If you’re like really stressed or something and you watch a really satisfying slime video it makes you like calmer.

So that’s one of many plus sides of how kids – the under-13 crowd – are using social media. They say it takes their minds off things, too: “If you’re in a bad mood at home you go on social media and you laugh and then you feel better,” says 10-year-old Kam.

But according to a Children’s Commissioner report that looked at social media use among 8- to 12-year-olds, children aren’t getting enough guidance to cope with the emotional demands that social media puts on them.

For instance, many children interviewed for the report were over-dependent on “likes” and comments for social validation, according to researchers. They spoke to 32 children in eight focus groups, each including two friendship pairs, grouped by age and gender. The report says that the friendship pairing was done to enable the children to “open up with more confidence during the research, and to allow for insight around peer dynamics and other social factors to emerge more naturally.”

These are some of the things the kids said about getting social validation from social media:

If I got 150 likes, I’d be like, ‘that’s pretty cool, it means they like you’.

I just edit my photos to make sure I look nice.

My mum takes pictures of me on Snapchat… I don’t like it when your friends and family take a picture of you when you don’t want them to.

I saw a pretty girl and everything she has I want, my aim is to be like her.

Speaking to the BBC, the Children’s Commissioner for England, Anne Longfield, called on schools and parents to prep children emotionally for what she called the “significant risks” of social media as they move schools and meet new classmates, many of whom have their own phones.

As it is, pretty much everything kids are doing on social media has pluses and negatives. Take, for example, when kids follow their family members. The report cited these positives given by the children they interviewed:

  • I learn what to do and what not to do on social media from my older siblings
  • I can see what my family are doing on my parent’s social media

…and these negatives:

  • I see things that weren’t meant for me to see
  • I don’t understand why my parents need to take pictures of me
  • I worry about how my siblings use social media
  • I don’t feel I have any control over photos when my parents post them/I can’t ask my parents to take them down

The stress starts with older kids, Ms. Longfield told the BBC:

It’s really when they hit secondary school that all of these things come together.

They find themselves chasing likes, chasing validation, being very anxious about their appearance online and offline and feeling that they can’t disconnect – because that will be seen as socially damaging.

She suggested compulsory digital literacy and online resilience lessons for year six and seven pupils (10 – 12 year olds), to teach them about the “emotional side of social media”. She also suggests that parents should help kids to “navigate the emotional rollercoaster” of the negative aspects of social media.

The BBC also spoke with Matthew Reed, chief executive of the Children’s Society, who urged parents to have “open conversations” with their kids about the sites and apps they use:

This can include looking through their ‘friends’ lists together and finding out how their child knows different people.

Check their privacy settings and get children to think about what information and photos they are comfortable with others having access to.

On the plus side, the report found that staying safe online was a priority for the younger children – age 8 to 11 – the researchers interviewed.

Most of the children had strict rules about what they can and cannot share online, which seemed to be a strong reflection of the safety messages they receive from their parents and schools. In this context, ‘safety’ was understood as protecting oneself from strangers, online predators, cyber-bullying and ‘bad’ things people share, such as swearing or violence.

Of central importance was the need to ensure they do not reveal any personal identifiable information, such as where they live or where they go to school, through the images or content they share. Many talked about specific strategies they use to protect themselves, such as never revealing their school uniform or never showing their house number in photos. Some also said they are always careful to make sure the background in their photos doesn’t easily give away what their home looks like.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Dbh3TYxwS-c/

Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

Analysis Intel has borne the brunt of the damage from the revelation of two novel attack techniques, dubbed Meltdown and Spectre, that affect the majority of modern CPUs in various ways.

The chipmaker’s stock price is down, and it’s being eyed for possible securities litigation, following reports CEO Brian Krzanich sold the bulk of his Intel shares after the biz had been made aware of the flaws.

In its defense, Intel has said other chip designers are also affected. The Meltdown vulnerability, a side-channel attack that allows user applications to read kernel memory, is known to affect Intel processors (and the Arm Cortex-A75 that is yet to ship). The other vulnerability, Spectre, has been demonstrated on Intel Ivy Bridge, Haswell and Skylake processors, AMD Ryzen CPUs, and several ARM-based Samsung and Qualcomm system-on-chips used for mobile phones.

But Spectre will be harder to mitigate than Meltdown because the most effective fix is redesigned computing hardware.

“We are currently not aware of effective countermeasures that will eliminate the root cause of Spectre, short of hardware redesign,” said Daniel Genkin, one of the authors of the Spectre research paper and postdoctoral fellow in computer science in the University of Pennsylvania and the University of Maryland, in the US, in an email to The Register.

CERT, in its January 3 vulnerability note for one of the two Spectre CVEs, said the solution is to replace CPU hardware, noting, “Underlying vulnerability is caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware.” That passage was deleted from a subsequent revision of the vulnerability notification.

Coincidentally, Intel on Thursday declared it has developed and is in the process of issuing patches to its manufacturing partners that render its hardware “immune from both exploits” – meaning both Meltdown and Spectre.

Bullshit. While it has Meltdown covered, Chipzilla only has half of Spectre in its sights. The patches and firmware available now for Intel processors are:

  • Operating system updates for Linux, Windows and macOS, that separate kernel and user spaces, and kill the Meltdown vulnerability. On Linux, this fix is known as Kernel Page Table Isolation, aka KPTI.
  • On pre-Skylake CPUs, kernel countermeasures – and on Skylake and later, a combination of microcode updates and kernel countermeasures known as Indirect Branch Restricted Speculation, aka IBRS – to kill Spectre Variant 2 attacks that steal data from kernels and hypervisors.
  • That leaves Spectre Variant 1 attacks, in which rogue software can spy on applications, unpatched. It’s a good thing this variant is difficult to exploit in practice.

Intel is in denial. It insisted the vulnerabilities identified do not reflect flaws in its chips. “These new exploits leverage data about the proper operation of processing techniques common to modern computing platforms, potentially compromising security even though a system is operating exactly as it is designed to,” the company said.

Thus, we’re asked to believe that Intel and its peers are racing to fix products that are in perfect working order and functioning as designed, even as the security researchers who developed these attacks contend hardware will need to be redesigned to cover all bases.

For what it’s worth, Intel and AMD CPUs, and selected Arm cores, are vulnerable to Spectre Variant 1 attacks. Intel and said Arm cores are vulnerable to Spectre Variant 2. Only Intel CPUs and one Arm core – the yet-to-ship Cortex-A75 – are vulnerable to Meltdown.

Oh, and Apple’s Arm-compatible CPUs are affected by Meltdown and Spectre, too, but we’ll get to that later.


Patches to address Meltdown have already started to appear for the aforementioned operating systems, and they come with a performance hit, one that varies with the computational workload and hardware in question.

Linux kernel supremo Linus Torvalds has suggested a five per cent slowdown should be typical; Willy Tarreau, CTO of HAProxy and a Linux kernel contributor, has reported a 17 per cent slowdown; worst-case scenarios have been as high as 30 per cent.

Amazon Web Services confirmed to The Register that its deployment of the Meltdown mitigation has been noticed by AWS customers, though it stressed the impact on virtual machine performance isn’t particularly significant.

Your mileage may vary

On Thursday, Matt Linton, senior security engineer at Google, and technical program manager Pat Parseghian, expanded on previously published vulnerability info with another blog post.

Responding to concerns about slowdowns arising from KPTI, they said, “Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”

The Register asked Google whether it could quantify the performance hit it has seen on its systems, but has not yet received a reply.

In any event, dealing with Spectre is likely to slow computing operations further, beyond the Meltdown tax. And Spectre is everywhere: laptop and desktop computers, servers in data centers, and smartphones. It can affect web applications and virtual machines.

To reduce idle time, most modern chips speculate about future instructions while processing present ones, a process known as speculative execution. If they guess right, they save time; and if they guess wrong, they just toss errant predictions and are not worse off than if they’d just sat idle awaiting the next instruction.

Taken together, the right and wrong guesses still process data faster than just waiting around for every instruction to be executed in a serial fashion, one after another.

Spectre attacks dupe the processor into making guesses about future instructions that wouldn’t otherwise be allowed, and thereby can gain access to privileged information within the kernel address space, or data in other running processes.

Basically, those designing affected processors didn’t anticipate this scenario. They built a fence around their execution engines, and were satisfied with their security and privacy protection – until Google Project Zero researchers, and other experts, brought a ladder to the party and broke their security model.

Two Spectre attacks have been demonstrated: a bounds check bypass, aka Spectre Variant 1, and branch target injection, aka Spectre Variant 2, both of which the Project Zero researchers have explained in more detail than most would care to consider.

Fixing the bounds check bypass attack requires analysis and recompilation of vulnerable code; the branch target injection attack can be dealt with via a CPU microcode update, such as Intel’s IBRS microcode, or through a software patch like “retpoline” to the operating system kernel, the hypervisor, and applications.

In other words: to protect yourself from Spectre Variant 1 attacks, you need to rebuild your applications with countermeasures. These defense mechanisms are not generally available yet. To protect yourself from Spectre Variant 2 attacks, you have to use a kernel with countermeasures, and if you’re on a Skylake or newer core, a microcode update, too. That microcode is yet to ship. It’s not particularly clear, through all the noise and spin this week, which kernels have been built and released with countermeasures, if any. A disassembly of the latest Windows releases suggests Microsoft is, for one, on the case.

It’s not a straightforward process. It’s messy, and Chipzilla is trying to simplify the situation to impress investors and right its share price. Yes, Meltdown is under control. Spectre not so much, and it’s going to take a little while longer to straighten out. That’s time Intel can’t afford.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/05/spectre_flaws_explained/

Cisco to release patches for Meltdown, Spectre CPU vulns, just in case

Cisco is the latest company to prepare patches to tackle the serious security vulnerabilities affecting the majority of CPUs, Meltdown and Spectre.

Cybersecurity group CERT has warned companies that the only way to protect themselves from the flaw was to rip out and replace their processors. It has since backtracked on that advice, saying patches or repairs should do the job instead.

Outfits to have released patches so far include Amazon, Microsoft, Linux and Apple.

In a statement, Cisco noted that in order to exploit any of these vulnerabilities, an attacker must be able to run crafted code on an affected device. “The majority of Cisco products are closed systems, which do not allow customers to run custom code on the device,” it said.


However, it added that the underlying CPU and OS combination in some products could leave them vulnerable.

“Only Cisco devices that are found to allow the customer to execute their customized code side-by-side with the Cisco code on the same microprocessor are considered vulnerable.

“A Cisco product that may be deployed as a virtual machine or a container, even while not being directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable.

“Cisco recommends customers harden their virtual environment and to ensure that all security updates are installed.”

As such, Switchzilla said it will release software updates that address this vulnerability.

The business is investigating a network application, service and acceleration product; a series of routers and switches; and a number of unified computing servers, although it said no Cisco product is known to be vulnerable. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/05/cisco_releases_meltdown_patch/

F**CKWIT – the video!

By popular demand, we went live on Facebook to discuss the F**CKWIT, aka KAISER, aka KPTI, aka Meltdown, aka Spectre, aka The Intel Bug. (By the way, AMD just confirmed that two of the three published vulnerabilities can be made to work on AMD chips as well.)

Here’s a video to help you decide what to do next…



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bqx2dh5Y4us/

Microsoft patches Windows to cool off Intel’s Meltdown – wait, antivirus? Slow your roll

Microsoft has released updates for Windows to block attempts by hackers and malware to exploit the Meltdown vulnerability in Intel x86-64 processors – but you will want to check your antivirus software before applying the fixes.

The Redmond giant issued the out-of-band update late yesterday for Windows 10 version 1709.

While the documentation for the fix does not name Chipzilla’s CPU-level vulnerability specifically, a Microsoft spokesman told El Reg it will hopefully protect Windows users from Meltdown exploits, and more patches are in the works. Meltdown is a design flaw in Intel’s processors going back to at least 2011 that allows normal user programs to read passwords, keys and other secrets from the operating system’s protected kernel memory area. To prevent this from happening, the kernel has to be moved into a separate virtual address space from user processes.

The software giant is also deploying updates to its Azure cloud service to protect customers from attack. AMD and other non-Intel processors on the market are not affected by Meltdown.

Before rushing to install the patch, however, users and admins should note one important issue: the fix may not yet be compatible with your antivirus software.

Microsoft noted that, unless a registry key is updated by the antivirus package, installing the security patch can result in a blue screen of death (BSoD). For that reason, Microsoft said it has set the update to only apply when the registry key has been changed. In other words, antivirus tools must set the key when they are confirmed to be compatible with the operating system update. The patch introduces a significant change to the design of Windows’ internal memory management, and this is probably tripping up anti-malware tools, which dig into and rely on low levels of the system.

Some AV vendors have already issued updates to change the key, and allow the fix to be applied without causing any cockups, while others have an update in the works to be released this week or early next week. The malware hunters expected the Windows patches to be released next week, and were caught out when Microsoft brought its patches forward after Meltdown exploit code emerged on the web.

Among the vendors who have already been reported to have updates are Symantec, F-Secure, Avast, and Microsoft’s own Windows Defender platform.

Users and admins who are comfortable editing Registry keys themselves can manually perform the task by setting the following:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"
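A fleet check for the compatibility value above, as an added example rather than Microsoft's or the article's code: it classifies hosts from captured reg query output so that machines whose antivirus has not set the value, and which will therefore not be offered the update, stand out. The host names and sample outputs are constructed.

```python
import re

# Subkey and value name from the article's registry snippet.
SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
VALUE_NAME = "cadca5fe-87d3-4b96-b7fb-a231484277cc"

# A value line in reg query output: indent, name, type, then the data.
_VALUE_LINE = re.compile(
    r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*?)\s*$")


def compat_status(reg_query_output):
    """Classify one host from captured reg query text for SUBKEY.

    ready       value present, REG_DWORD, data 0: the update will be offered
    missing     key or value absent: antivirus has not declared compatibility
    wrong-type  value present but not REG_DWORD
    wrong-data  REG_DWORD present but non-zero or unparsable
    """
    for line in reg_query_output.splitlines():
        m = _VALUE_LINE.match(line)
        if m is None or m["name"].lower() != VALUE_NAME:
            continue
        if m["type"] != "REG_DWORD":
            return "wrong-type"
        try:
            return "ready" if int(m["data"], 16) == 0 else "wrong-data"
        except ValueError:
            return "wrong-data"
    return "missing"


def fleet_report(outputs):
    """Map {host: reg query text} to {status: sorted list of hosts}."""
    report = {}
    for host, text in outputs.items():
        report.setdefault(compat_status(text), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


_KEY_LINE = "\r\nHKEY_LOCAL_MACHINE\\" + SUBKEY + "\r\n"

# Constructed sample output from four hypothetical hosts.
SAMPLE = {
    "ws-01": _KEY_LINE + "    " + VALUE_NAME + "    REG_DWORD    0x0\r\n\r\n",
    "ws-02": "ERROR: The system was unable to find the specified "
             "registry key or value.\r\n",
    "ws-03": _KEY_LINE + "    " + VALUE_NAME + "    REG_SZ    0\r\n\r\n",
    "ws-04": _KEY_LINE + "    " + VALUE_NAME.upper() + "    REG_DWORD    0x1\r\n\r\n",
}

if __name__ == "__main__":
    for status, hosts in sorted(fleet_report(SAMPLE).items()):
        print(status, hosts)
```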

Also, people installing the Windows Server patches should ensure they are enabled, too. They are disabled by default due to the potential performance hit involved. Casual desktop users and gamers shouldn’t notice any difference, although servers running non-CPU-bound intensive workloads – such as anything that hammers disk storage, the network or just makes a lot of system calls – will suffer to some degree with the Meltdown patch applied. Your mileage may vary.

Elsewhere, Red Hat said it has also kicked out a patch for all three of the CVE listings (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) associated with the Spectre and Meltdown bugs. The vendor notes that the patch applies to versions of the kernel in releases as far back as RHEL 5. Red Hat’s OpenStack and Virtualization releases will also get the fix. Check with your favorite Linux distro for similar updates. Apple has quietly patched the Meltdown bug in High Sierra aka 10.13.3. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/04/microsoft_windows_patch_meltdown/

Uber’s Biggest Mistake: It Wasn’t Paying Ransom

Rather than scrambling to deal with attacks after the fact, companies need to focus on improving detection capabilities with tools that help them work within data laws, not outside of them.

Uber has discovered that when it rains, it really pours. Since Bloomberg broke the news that the ride-hailing giant had suffered a massive breach of more than 57 million customer and driver records, it has been hit with three lawsuits and five independent investigations from the attorneys general of New York, Missouri, Massachusetts, Connecticut, and Illinois. And that’s not to mention increased scrutiny of its practices by the Federal Trade Commission (FTC).

So far, media coverage has focused on Uber’s decision to pay the attackers $100,000 in return for restoring the deleted data and the company’s yearlong concealment of the incident. Some industry pundits have suggested this type of response to attacks is helping fuel cybercrime. But focusing on the sensational aspects of the story alone obscures a much bigger, industry-wide mistake: the failure of companies to accept responsibility for keeping data safe because of a management perception that cyberattacks “happen to someone else.”

Follow the Data
Paying for stolen data to be returned is not necessarily bad. In fact, it is not dissimilar to what many firms do to outsmart criminals; they purchase the latest malware in order to identify its exploits and defend against them. Incurring a cost to secure the data was a vital part of Uber’s damage control strategy.

That said, allowing the damage to occur at all was where the company went wrong. Because data flow was not accurately monitored, attackers went unnoticed while they stole millions of customer names, email addresses, and phone numbers, as well as the details for half a million US drivers.

The theft highlights the importance of robust and fast detection in limiting the damage caused by attackers. Research that Cyber adAPT commissioned with Aberdeen Group shows that rapid attack detection can limit the business impact of breaches by 70% on average. With better detection procedures, Uber could have limited the flow of data to attackers, notified regulators faster, and avoided a substantial media storm.

Ignoring Data Responsibility
The harm done to Uber’s reputation by this breach is significant, but it is a particularly bitter pill for the company to swallow, considering its existing data security record.

In 2014, the company faced two data disasters. First, cybercriminals exposed the names and licenses of 100,000 drivers. Then the company acknowledged the existence of a software tool called “God View,” which enabled employees to track customer locations in real time. Following these incidents three years ago, Uber entered discussions with the FTC and only reached an agreement in August 2017, stating that the company must submit to third-party audits every 24 months for the next two decades.

Even though Uber had already been censured about poor data management, it did not learn from its mistakes. Instead, it has taken the same route as many companies: assuming data breaches are something that happen to other businesses and that there is no immediate need to strengthen data protection measures.

In reality, online attacks are not isolated events, and attackers can target anyone, sometimes more than once. As digital transformation makes data essential to business and leisure, everyone — from the man on the street, to global businesses — is becoming a cybercrime target. For those who hold valuable insight, there is therefore an unavoidable responsibility to keep it secure.

This brings us to a key question: What can Uber and other companies do to own their responsibility while standing up against cybercrime? The answer involves adopting a detection and prevention-focused approach to security — one that takes the complicated nature of modern connectivity into account.

Completing the Protection Puzzle
Traditional network boundaries are changing. No longer confined to the office, employees can access company systems from anywhere using a variety of technologies from laptops and mobile to Internet of Things (IoT) devices. Consequently, networks are more flexible, but also more fragmented. This means that there is greater potential for attackers to find loopholes. To defend data, businesses must mitigate threats by constantly assessing every device on their network and deploying tools that can pinpoint and remove any suspicious activity.

Of course, establishing total control of systems is not a simple task — especially for large corporations with 40 million monthly customers such as Uber. But by deploying a continually risk-aware methodology, companies can ensure they are prepared for inevitable cyber challenges and demonstrate to their customers that they can be trusted with sensitive data. Indeed, if the statement issued by Uber spokeswoman Molly Spaeth is anything to go by, this is exactly the direction the company plans to move in: “We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to regain the trust of consumers,” she said in a statement.

Whether it is too late for Uber to save its reputation remains to be seen. The company has made definitive changes, such as firing chief security officer Joe Sullivan and hiring Matt Olsen, former general counsel at the National Security Agency. However, more than fresh leadership is required to restore its data credentials. As the myriad of legal suits leveled at Uber indicates, failing to take responsibility for data security has its consequences. Rather than scrambling to deal with attacks after the fact, Uber needs to focus on improving its detection and neutralization abilities — adopting tools that will help it work within data laws, not outside of them.

As President and CEO of security firm Cyber adAPT, Kirsten Bay leverages more than 25 years of experience of risk intelligence, information management, and policy expertise. Her career has seen her sit on a US congressional committee; assist in developing policies for the …

Article source: https://www.darkreading.com/endpoint/ubers-biggest-mistake-it-wasnt-paying-ransom/a/d-id/1330736?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple