STE WILLIAMS

Infoblox Introduces DNS Appliance That Can Protect Itself

Infoblox Inc. (NYSE:BLOX), the automated network control company, today introduced the Infoblox Advanced DNS Protection solution, the first Domain Name System (DNS) appliance with integrated defenses against Distributed Denial of Service (DDoS) attacks, cache poisoning, malformed queries, tunneling and other DNS security threats. By building defense directly into a fortified DNS server, the Infoblox solution can deliver protection that is stronger, more intelligent and more comprehensive than what is possible today with separate external security solutions.

DNS is the address book for every destination on the Internet, translating domain names such as “infoblox.com” into IP addresses such as 54.235.223.101. Businesses, government agencies and other organizations can’t function without fast and accurate DNS service for both incoming and outgoing traffic. Because DNS must be open to everyone on the Internet, DNS servers are a tempting target for cyber-criminals, “hacktivists” and other malicious groups. Traditional approaches to network security don’t emphasize protection of this critical infrastructure, which may leave DNS vulnerable to internal and external attacks.

DDoS attacks, which seek to knock sites offline with a flood of malicious traffic, have been an especially fast-growing threat. “DDoS challenges have spiked for enterprises in 2013,” noted Lawrence Orans of the research firm Gartner in a recent report.* “Gartner estimates that its DDoS inquiry level quadrupled from September 2012 through September 2013. An increase of higher-volume and application-based DDoS attacks on corporate networks will force Chief Information Security Officers (CISOs) and security teams to find new, proactive solutions for reducing downtime.”

The security features of Infoblox Advanced DNS Protection provide multiple levels of defense, including:

Unique threat detection and mitigation. Infoblox Advanced DNS Protection intelligently analyzes incoming DNS queries and is able to distinguish between legitimate traffic from real users and malicious traffic generated by a DNS DDoS attack. Armed with this information, the Infoblox appliance then drops the DDoS traffic and only responds to the legitimate queries. This can keep a business online and functioning during a DDoS attack, unlike conventional response rate limiting which slows down all traffic by simply placing a cap on DNS query responses.

Centralized visibility. Enterprises and service providers can spot anomalous DNS traffic across all Infoblox Advanced DNS Protection appliances on their networks through a single console, allowing for early detection that makes it possible to organize a more effective defense. This is beneficial because DDoS attacks often target multiple DNS servers, start slowly and aren’t detected until they reach a catastrophic level.

Ongoing protection against evolving threats. An automatic update service regularly sends new rules to the Infoblox Advanced DNS Protection appliance, enabling it to protect against evolving threats as they are identified – much faster than the weeks that can elapse while waiting for traditional security patches and updates.

Infoblox Advanced DNS Protection defends against a wide range of DNS threats, including cache poisoning, which inserts rogue IP addresses into a DNS cache; malformed DNS queries, which can crash a DNS server; and tunneling, which can be used to smuggle out stolen data.

“Security is better when it’s built in, not bolted on,” said Steve Nye, executive vice president of product strategy and corporate development at Infoblox. “By intelligently integrating security directly into a DNS appliance, Infoblox Advanced DNS Protection delivers a depth of defense against DNS attacks that is far more robust and insightful than relying on a jumble of separate devices and services.”

Telecommunications and Internet service providers can be especially vulnerable to DNS threats, because an attack on their DNS infrastructure could disrupt connectivity for all their customers, leading to potential loss of revenue and reputation. Infoblox Advanced DNS Protection offers a range of appliances, including high-capacity models purpose-built for carrier-grade performance, making it possible to spot DNS DDoS attacks and other threats before service is significantly compromised. Service providers often have greater needs than other businesses to receive timely updates against new threats and to continually adjust their security posture – both made easier with Infoblox Advanced DNS Protection.

Pricing and Availability

The Infoblox Advanced DNS Protection solution – consisting of the Infoblox Advanced Appliance and the Infoblox Advanced DNS Protection Service – is expected to be available in January 2014. Pricing information is available immediately from Infoblox sales representatives and channel partners.

About Infoblox

Infoblox (NYSE:BLOX) delivers Automated Network Control solutions, the fundamental technology that connects end users, devices and networks. These solutions enable approximately 6,900 enterprises and service providers to transform, secure and scale complex networks. Infoblox helps take the burden of complex network control out of human hands, reduce costs, and increase security, accuracy and uptime. Infoblox (www.infoblox.com) is headquartered in Santa Clara, California, and has operations in 25 countries.

Article source: http://www.darkreading.com/management/infoblox-introduces-dns-appliance-that-c/240164579

Best Practices For Reducing Traffic Fraud Risk Unveiled By IAB

NEW YORK, NY (December 5, 2013) — Fraudulent traffic has reached critical levels across the digital advertising ecosystem, and in response the Interactive Advertising Bureau (IAB) and its Traffic of Good Intent Task Force have released “Best Practices – Traffic Fraud: Reducing Risk to Exposure” to meet this challenge. Entering the public comment phase today, the best practices explain how robotic traffic (aka “bots”) can infiltrate legitimate publisher inventory. Accordingly, it provides premium publishers and networks, as well as buyers, with specific recommendations.

“The companies that participate in the digital advertising supply chain have been struggling with how to handle criminal enterprises intent on gaming the system,” said Steve Sullivan, Vice President, Advertising Technology, IAB. “These fraudsters are diluting the value of all legitimate inventory while simultaneously diminishing the integrity of the entire digital marketing industry. The introduction of these best practices is a first step in reducing the marketplace repercussions of these illegal activities.”

“When only a handful of companies act to reduce fraud, the criminals win. We need to band together to effectively put a stop to the destruction of our industry at the hands of racketeers,” said John Battelle, Founder and Chairman, Federated Media, and co-Chair of the IAB Traffic of Good Intent Task Force. “Even the most scrupulous publishers and networks can be hit with non-intentional traffic propagated by criminals. If we want to truly address the problem, it is incumbent upon all stakeholders to embrace uniform levels of vigilance.”

In tandem with release of the best practices for public comment, IAB is also publishing “Digital Simplified: Understanding Traffic Fraud,” an educational backgrounder on how digital advertising fraud takes place and why industry leaders should take action to eradicate this criminal activity.

“One of the challenges of dealing with traffic fraud is its inherent complexity,” said Tom Phillips, CEO of Dstillery and co-Chair of the IAB Traffic of Good Intent Task Force. “There’s no magic bullet for eliminating fraudulent traffic, because there’s no single method by which criminals exploit the digital advertising system. We’ve prepared this overview of the issue and a set of best practices to start the industry on a path to root out these corrupt practices.”

For a full copy of “Best Practices – Traffic Fraud: Reducing Risk to Exposure,” and to view “Digital Simplified: Understanding Traffic Fraud,” go to iab.net/trafficofgoodintent.

The public comment period for the best practices is open until January 10, 2013. Please submit any feedback to Steve Sullivan at [email protected] prior to the deadline.

About the IAB

The Interactive Advertising Bureau (IAB) is comprised of more than 500 leading media and technology companies that are responsible for selling 86% of online advertising in the United States. On behalf of its members, the IAB is dedicated to the growth of the interactive advertising marketplace, of interactive’s share of total marketing spend, and of its members’ share of total marketing spend. The IAB educates marketers, agencies, media companies and the wider business community about the value of interactive advertising. Working with its member companies, the IAB evaluates and recommends standards and practices and fields critical research on interactive advertising. Founded in 1996, the IAB is headquartered in New York City with a Public Policy office in Washington, D.C. For more information, please visit iab.net.

Article source: http://www.darkreading.com/end-user/best-practices-for-reducing-traffic-frau/240164581

DARPA Crowdsources Bug-Spotting Games

Want to keep the Department of Defense’s computers secure? Then play a game.

That’s the pitch from Defense Advanced Research Projects Agency (DARPA), which is testing whether free online games can be used to help spot code flaws. “We’re seeing if we can take really hard math problems and map them onto interesting, attractive puzzle games that online players will solve for fun,” DARPA program manager Drew Dean said in a statement. “By leveraging players’ intelligence and ingenuity on a broad scale, we hope to reduce security analysts’ workloads and fundamentally improve the availability of formal verification.”

The effort — dubbed the Crowd Sourced Formal Verification (CSFV) program — is initially offering five different game titles, all of which are playable via a dedicated Verigames.com portal. The games aren’t first-person shooters or action-adventure games, but rather puzzle games that contain mathematical models. “Solving the games provides mathematical proofs that can verify the absence of flaws or bugs,” reads the Verigames site FAQ.

Read the full article here.


Article source: http://www.darkreading.com/applications/darpa-crowdsources-bug-spotting-games/240164587

Microsoft’s anti-NSA encryption pledge raises questions

Microsoft logo courtesy of Shutterstock

Early on in NSA-gate, Microsoft was looking at a laundry list of headlines concerning its collusion with US intelligence operations.

One example is the headline of The Guardian’s public-relations-cringe-worthy coverage: “Microsoft handed the NSA access to encrypted messages” with the bulleted subheads below:

  • Secret files show scale of Silicon Valley co-operation on Prism
  • Outlook.com encryption unlocked even before official launch
  • Skype worked to enable Prism collection of video calls
  • Company says it is legally compelled to comply

So last Wednesday, Microsoft pledged to encrypt just about everything, enhance code transparency, and bolster legal protection for customers’ data.

Brad Smith, Microsoft General Counsel & Executive Vice President, Legal & Corporate Affairs, wrote in the posting that government snooping potentially now constitutes an “advanced persistent threat”, on par with sophisticated malware and cyber attacks.

He said that Microsoft is “especially alarmed” at the notion that governments are trying to get around online security:

Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data. In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry.

If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an “advanced persistent threat,” alongside sophisticated malware and cyber attacks.

In light of the allegations, Microsoft announced that it’s decided to push three things: expanding encryption across its services, reinforcing legal protection for customers’ data, and enhancing software code transparency so customers can rest easy in the knowledge that their products do not contain back doors.

On the encryption front, it plans to strengthen lockdown of customer data across its networks and services, including Outlook.com, Office 365, SkyDrive and Windows Azure.

Specifically, it said:

  • Content moving between customers and Microsoft will be encrypted by default.
  • All of the company’s “key” platform, productivity and communications services will encrypt customer content as it moves between its data centers.
  • Microsoft will use what it calls “best-in-class” industry cryptography to protect these channels, including Perfect Forward Secrecy (which Google has been using with Gmail and Google Docs since 2011; Twitter’s been using it since November), and 2048-bit key lengths.
  • All of this will be in place by the end of 2014, and Microsoft says much of it is effective already. To wit: “Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, and most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between our data centers.”
  • Microsoft will also encrypt customer content that it stores. In some cases, such as third-party services developed to run on Windows Azure, the choice will be left up to developers, but Microsoft will offer the tools to allow them to get it done.
  • The company says it’s also working with other companies across the industry to ensure that data traveling between services – from one email provider to another, for instance – is protected.

As pointed out by Electronic Frontier Foundation’s Kurt Opsahl, the absence of Skype from Microsoft’s list of encryption promises is a notable omission.

An excerpt from an email he sent to TechCrunch:

I agree that Skype’s absence here is extremely interesting and concerning. … Microsoft, as the owner of Skype, has totally failed to be transparent about this and it’s not surprising that users and security experts come to believe that it has something to hide.

A Microsoft spokesperson told TechCrunch that Skype isn’t excluded, per se; it just wasn’t mentioned because Microsoft didn’t feel the need to mention all products.

As The Center for Democracy and Technology’s Joe Hall explained to TechCrunch’s Gregory Ferenstein, real transparency from Microsoft means nothing less than independent review from people with recognised security chops who’ve vetted Skype’s cryptographic methods and implementation:

I think Microsoft must be very transparent to make encryption in Skype meaningful. … That means detailing the way Skype works technically, and demonstrating that independent review from folks respected by the security community have examined Skype’s cryptographic methods and implementation and said good things about it. Hopefully then anointing it as robustly ‘end-to-end.’ (Meaning only the parties at the ends of the conversation have access to the communication).

Ferenstein asked Microsoft about this type of independent review, but the spokesperson declined to address the issue.

As it now stands, Silent Circle offers encrypted voice, in addition to video, text and file transfer.

But at a starting price of $9.95/month, it can’t compete with Microsoft’s free Skype service, unless you put a price on the assurances of privacy you get from encrypted end-to-end calling.

As far as Microsoft’s pledge to get transparent with its code, the Free Software Foundation (FSF), for one, questioned the logic of trusting the Very Not Free Software maker.

From a statement made by FSF executive director John Sullivan following Microsoft’s announcement:

Microsoft has made renewed security promises before. In the end, these promises are meaningless. Proprietary software like Windows is fundamentally insecure not because of Microsoft’s privacy policies but because its code is hidden from the very users whose interests it is supposed to secure. A lock on your own house to which you do not have the master key is not a security system, it is a jail.

If the NSA revelations have taught us anything, it is that journalists, governments, schools, advocacy organizations, companies, and individuals, must be using operating systems whose code can be reviewed and modified without Microsoft or any other third party’s blessing. When we don’t have that, back doors and privacy violations are inevitable.

These are just some of the voices questioning Microsoft’s recent anti-NSA stance.

Microsoft’s announcement on Wednesday is, of course, public relations gold, surely meant to put a bandage on the company’s NSA-headline-savaged hide.

But the move to encryption and openness still sounds like it’s also a rational reaction to public outrage.

Maybe the public should keep up the outrage.

Maybe if enough people scream about the government’s trampling on the privacy of innocent people, more companies will embrace customer data privacy and defend it as fiercely as if corporate lives depended on it.

Microsoft logo courtesy of IVY PHOTOS / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hhieHvX0xDs/

President Obama to propose "self-restraint" on NSA

Obama image courtesy of Filip Fuxa / Shutterstock

Without going into detail, US President Barack Obama has said that he’ll propose “some self-restraint” to the National Security Agency (NSA) in order to rein in rampant snooping.

In an interview with Chris Matthews recorded for MSNBC’s “Hardball” on Thursday, Obama defended the intelligence agency, saying that it’s keeping its nose clean at home, at least:

The NSA actually does a very good job about not engaging in domestic surveillance, not reading people’s emails, not listening to the contents of their phone calls. Outside of our borders, the NSA’s more aggressive. It’s not constrained by laws.

The president pointed to an outside panel that he set up to look into how the government was collecting surveillance data in the big-data era.

In the fall, he said that the Feds were undergoing a complete review of how US intelligence operates outside of the country.

The findings are due to Obama by 15 December.

But he’s already set to rein in the NSA, he says (if self-restraint can actually be considered a curb of powers, that is):

I’ll be proposing some self-restraint on the NSA and to initiate some reforms to give people more confidence. … [given that US persons] rightly are sensitive to needs to preserve their privacy and to maintain internet freedom, and so am I.

The Hardball interview came on the heels of last Wednesday’s revelations that the NSA is tracking hundreds of millions of mobile phone locations worldwide, feeding a massive database full of people’s location and relationship data at the rate of nearly 5 billion records every day.

During the interview, Obama asserted that “we do have people who are trying to hurt us,” but added that with oversight from Congress and from the Foreign Intelligence Surveillance Court (FISC), which oversees requests for data from intelligence agencies, security needs can be balanced with privacy rights.

Many now view that balance as completely askew. Is there any self-restraint the president can propose to the NSA that will redress it? Any limits or increased oversight?

Kevin Bankston, policy director of the New America Foundation’s Open Technology Institute as well as a privacy and digital-rights lawyer and advocate, thinks not.

As he told US News, there’s little short of an end to the NSA’s bulk data collection that could fix this mess:

Rather than allowing the NSA to engage in mass surveillance to collect everyone’s data and then decide who to target, the president should ensure that the NSA engages only in targeted surveillance; that is, first, deciding who to target and then collecting only their data.

True leadership in this moment would be for President Obama to say to the American people and to the rest of the world, ‘I am putting an end to the NSA’s bulk collection programs, because it is contrary to the American way to treat every person who uses the telephone or the internet like a terrorism suspect.’

In the meantime, a number of proposals aiming to increase transparency and oversight of the NSA have been put forward by members of Congress, including the Freedom Act in the House and Senate, which would end bulk data collection.

Do any of these proposals – legislation that attempts to curb the NSA’s data collection and/or propose new oversight, whatever self-restraint Obama proposes – stand a chance when it comes to reining in surveillance run amok?

Or would it require a full stop to bulk data collection? Do you think that intelligence operators are even capable of stopping the use of the powerful analytics tools they’ve created?

Is the lid off of this Pandora’s box for good, to the detriment of privacy?

Your thoughts are welcome in the comments section below.

Image of Obama courtesy of Filip Fuxa / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-E5zvcbtDaE/

Serious Security: Google finds fake but trusted SSL certificates for its domains, made in France

Google announced over the weekend that it recently came across a bunch of fake SSL certificates for some of its own domains.

The bogus certificates were apparently vouched for by the certificate authority of DG Trésor, the French Treasury.

The Treasury’s own authorisation certificate was, in turn, vouched for by IGC/A, the grandly-named Infrastructure de Gestion de la Confiance de l’Administration, or Public Service Infrastructure Trust Management.

Certificates issued by the IGC/A officially identify the Certificate Authorities of the French public service. They also attest to the quality management practices of public keys used by those authorities. They are awarded after an audit and may be revoked for poor practices.

The chain of trust

Generally speaking, your browser uses a chain of digital signatures from certificate authorities (CAs) to decide if a secure web site is what it claims to be.

We’ve explained this before, during a similar fiasco caused by a Turkish CA, but we shall take another look now, because it’s important.

If you visit the MySophos website, for example, which uses HTTPS, your browser will take you straight there, trusting that the site really is Sophos’s, and displaying a padlock and the words Sophos Ltd. (GB) to denote the company that operates it:

We can click on Sophos Ltd. (GB) to find out more:

If we dig a bit deeper into the certificate, we can extract the information from which your browser derives that identifying name, as well as the websites that this certificate is authorised to vouch for:

   Owner: 
      CN=www.sophos.com 
      O=Sophos Ltd. 
      STREET=The Pentagon 
      L=Abingdon
      ST=Oxfordshire
      C=GB 
       
   Subject Alternative Names: 
      DNSName: www.sophos.com
      DNSName: partnerportal.sophos.com
      DNSName: secure2.sophos.com
      DNSName: forms.sophos.com
      DNSName: www.astaro.com
      DNSName: my.astaro.com
      DNSName: myutm.sophos.com
      DNSName: sophos.com

→ We used the Firefox [Export…] button, shown above, to save the certificate in PEM format as sop.pem. Then we used the Java utility keytool -printcert -file sop.pem to dump it in human-readable form. The command openssl x509 -in sop.pem -text would have worked nicely, too.

Of course, anyone can create a public key that says it’s from Sophos, so your browser needs some corroboration:

The chain of trust for this certificate says that it was vouched for (digitally signed) by the GlobalSign Extended Validation CA – G2 key, and that this key, in turn, was signed with the GlobalSign Root CA – R2 root key.

And the GlobalSign Root CA – R2 key is explicitly trusted by Firefox itself:

In short, your browser quietly and automatically trusts any HTTPS certificate signed by a CA key (that is signed by a CA key, and so on) that is signed by a CA key that is on your browser’s list of trusted keys.

The final signatory is called the root CA, and the others, unsurprisingly, are called intermediate CAs.

You can add your own trusted CA keys, or simply rely on the built-in list of root CAs that ships with your browser or operating system.

For what it’s worth, the average pre-configured list of trusted root CAs is surprisingly long.

Firefox’s, for example, contains several hundred:

Even though that leaves attackers lots of room for abuse, the need to chain back to a trusted root CA causes problems if you want to do truly comprehensive web filtering (or what you might call surveillance these days) at your company’s network gateway.

To decrypt and scan inside HTTPS traffic, you need to mount what is effectively a Man in The Middle (MiTM) attack: your gateway connects to the requested HTTPS website, fetches the content, decrypts and scans it, and then re-encrypts it before sending it to the user’s browser.

Of course, this means that the web page is no longer signed by the original site’s HTTPS certificate, but by the gateway’s imposter certificate instead, and this – in most cases – pops up a warning message that the user would riskily need to ignore.

Now, your gateway can easily mock up a certificate with the right server name in it, which suppresses any “wrong server name” warnings, but it is much harder to get the mocked-up certificate to be trusted by every user’s browser.

Right and wrong ways to do MiTM

The right way to do it is to create your own CA certificate, e.g. Example.Com Web Scanning Gateway CA, and to add it as a trusted root CA to every operating system and browser on your network.

But that can take a lot of effort, and creates ongoing support friction with visitors and BYOD (Bring Your Own Device) computers.

An easier way, but a highly dubious one, is to persuade a CA – one with a certificate that all your browsers already trust – to sign you a certificate that your gateway scanner can use to mock up digitally signed communications with any domain it likes.

That’s what happened here, it seems.

The goal was indeed surveillance inside a French government department, though apparently not for secret and undisclosed purposes but rather as a useful, perhaps even laudable, effort to improve security.

But you can imagine what can – and in this case did – go wrong.

If any of the temporary, mocked-up certificates should be lost, hacked or stolen, the crooks have an immediate way to masquerade as the web server named in the certificate.

And if the special-purpose intermediate CA certificate itself should be stolen, the crooks can mint themselves a globally-trusted HTTPS identity for any web domain they like.

But companies that sign HTTPS certificates that will be trusted by the world aren’t supposed to do so automatically or in bulk, since they are supposed to be vouching for the identity of the company on whose behalf they are signing.

Clearly, a web filtering gateway doesn’t do that (it is merely trying to suppress inconvenient SSL warnings), so it shouldn’t be trusted with an intermediate certificate, and that, quite simply, is that.

What to do

If you are setting out to do content filtering, and you are determined to scan your users’ HTTPS traffic, don’t try to cheat by finding a CA that will mint you an intermediate certificate for the purpose.

Do the right thing: mint your own root CA and make your own company’s browsers trust it, so that if there is a certificate leak from your company, it doesn’t affect the rest of the world as well.

If you are a CA, don’t mint intermediate certificates for content scanning, even if the customer promises to use a secure hardware module to store and manage the keys.

Do the right thing: turn down the money and tell the customer to do it correctly.
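The chain-of-trust walk and the right and wrong gateway designs above, as an added example that is not Sophos’s or Google’s code: Go’s standard crypto/x509 builds a throwaway public root, a content-scanning gateway intermediate under it, a private company root, and a mocked-up server certificate under each, then verifies the mocked-up certificates exactly the way a browser does. Every CA name, key and host name in it is constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // running serial number for the constructed certificates

// mkCert generates a P-256 key and a certificate for cn. With parent nil the
// certificate is self-signed (a root); otherwise parentKey signs it, the way a
// root signs an intermediate CA or an intermediate signs a server certificate.
func mkCert(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // demo only: a failed key generation is not recoverable here
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns, // the Subject Alternative Names it vouches for
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// trusted asks the question a browser asks: does leaf chain, through the
// optional intermediate, back to a root in roots, and does it cover host?
func trusted(leaf, inter *x509.Certificate, roots *x509.CertPool, host string) bool {
	opts := x509.VerifyOptions{DNSName: host, Roots: roots}
	if inter != nil {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(inter)
	}
	_, err := leaf.Verify(opts)
	return err == nil
}

// Outcome records whether each constructed chain is accepted.
type Outcome struct {
	PublicIntermediate bool // gateway leaf minted under a publicly trusted root
	WrongHost          bool // same leaf presented for a host its SANs do not cover
	PrivateRootInside  bool // gateway leaf under the company's own root, seen inside
	PrivateRootOutside bool // the same leaf seen by a browser that lacks that root
}

// RunScenarios builds both gateway designs and verifies each mocked-up server
// certificate for www.example.com (a constructed host name) as a browser would.
func RunScenarios() Outcome {
	var out Outcome
	// Wrong way: a public root signs an intermediate for a content-scanning gateway.
	pubRoot, pubKey := mkCert("Example Public Root CA", true, nil, nil, nil)
	gwCA, gwKey := mkCert("Example Content Scanning Gateway CA", true, nil, pubRoot, pubKey)
	leaf, _ := mkCert("www.example.com", false, []string{"www.example.com"}, gwCA, gwKey)
	world := x509.NewCertPool() // stands in for the root list shipped with every browser
	world.AddCert(pubRoot)
	out.PublicIntermediate = trusted(leaf, gwCA, world, "www.example.com")
	out.WrongHost = trusted(leaf, gwCA, world, "mail.example.com")

	// Right way: a private root that only the company's own browsers install.
	privRoot, privKey := mkCert("Example.Com Web Scanning Gateway CA", true, nil, nil, nil)
	privLeaf, _ := mkCert("www.example.com", false, []string{"www.example.com"}, privRoot, privKey)
	company := x509.NewCertPool()
	company.AddCert(privRoot)
	out.PrivateRootInside = trusted(privLeaf, nil, company, "www.example.com")
	out.PrivateRootOutside = trusted(privLeaf, nil, world, "www.example.com") // leak stays local
	return out
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

The first scenario is the one the article describes: once a gateway intermediate hangs off a publicly trusted root, its mocked-up certificates verify in every browser in the world, so a leak of that intermediate is a global problem; with the private root, the same leak only affects machines that chose to install it.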

If you are responsible for SSL certificates at your company, you might also like to take a look at Google’s proposals for Certificate Transparency (explained in simple terms at the end of this article).

It won’t solve the problem of rogue SSL certificates, no matter how keenly Google may want it to, but it does provide a cryptographically-sound and public list of known certificates.

If nothing else, you can interrogate this list from time to time to look for certificates with your name on, but that you didn’t create yourself.

That would be a tell-tale sign either of one-off content-filtering “mock certificates” that have escaped, or of someone malevolently trying to spoof, phish or spy on your website or its visitors.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/l4sAlUj3HUw/

Are contractors the weak link in your security chain?

Weak link image courtesy of Shutterstock

A few weeks ago, the US Department of Defense issued a press release announcing new rules for the private-sector firms it deals with. Contractors will be required to maintain “established information security standards”, and report breaches that result in data loss.

The story was covered by Reuters and a few other press outlets, with minimal fanfare.

So far so unsurprising, you might say. We’d expect arms dealers and other firms involved in the defense industry to maintain good security practices.

It would be a bit of an eye-opener to hear our governments saying to banks, “Please keep your cash in vaults, not plastic bags.” Or saying, “Hey hospitals, when you have blood-stained waste, don’t leave it lying around the cafeteria, dispose of it safely.”

The odd thing here is not that the DoD has set these rules, but that it’s had to do so now. In 2013.

Not, say, 20 years ago when people were starting to use computers to create, store and share sensitive information of the sort that defense firms routinely deal with.

Not, perhaps, five years ago when state-sponsored hacking and online industrial espionage started becoming big news. But now, long after the requirement for cyber security became, you might think, fairly obvious to everybody.

Admittedly, the new rules mainly cover “unclassified controlled technical information” and networks that hold such data. Presumably anything considered “classified” will already be covered by much stricter regulation. But still, the unclassified stuff could well be pretty sensitive.

Defense firms are a treasure-trove for hackers. For a start, there’s an insane amount of money involved – on the same day as the rules were announced, the Pentagon granted a $5.3 billion contract, while a day that saw $109 million worth of deals done can be called “slow”.

There are also a lot of secrets, both technical information of the sort targeted by nation-state-sponsored or industrial espionage hackers, and politically-sensitive data like the hoard harvested by Mr Snowden.

Everyone should be taking at least industry standard precautions

So they should expect their networks to be the target of attacks, and secure them appropriately. If you’re a small firm that doesn’t hold much valuable technical or financial information, you should be taking “industry standard” precautions just in case. If you’re dealing in valuable technology and handling large amounts of money, you should perhaps be going several steps further than this.

And you should have been doing so for years. Ideally, in fact, from before you connected your first computer to the internet.

The problem here seems to exemplify the way security has been applied to the computer world, not as a basic first step integral to how everything else works, but as an optional add-on.

The Windows systems most of us are using may have a lot of security features these days, but for the most part they’re tacked on to the original design.

Linux, Unix and Mac OS platforms are seen by many as inherently more secure, and they may have a more ground-up attitude to security, but many aspects of this are still dependent on circumstances and need to be properly applied, something which seems to come far down the priority list in many organisations.

“Get it working” comes first, “get it working securely” only later on.

How do we expect our contractors, visitors and supply chain to behave?

I’m sure the DoD has been maintaining strict cybersecurity internally for a long time now. The worry is that it’s only now that it has demanded similar precautions from the firms it outsources work to.

Everyone we do business with, share data with, outsource operations to, sell things to or buy things from forms a part of our own security chain. A breach at any point in the chain can have an impact on the privacy and integrity of our data.

So we should demand the same levels of security from all of them that we expect to maintain ourselves. Security should be part of any negotiation for new business, any contract that we enter into, ensuring that those we deal with are doing things right and not putting us at risk through their own sloppiness.

This applies to individuals as well as firms. We should be considering the security of the websites we give our information to, be they online businesses or banks, government portals or social tools and networks. We should be giving this consideration the weight it deserves. “Is it safe?” should be only a fraction below “Does it do what I need?” in our mental processes.

We should be demanding more openness from third parties too. Everyone should be required to confirm their conformity with security best practices, and rapidly inform the world of any incident which may have jeopardised the security of data they hold.

If we can all get it into our heads that security is a basic requirement, not an optional extra, maybe we’ll all live safer and happier lives.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/IcoRhmN2MoQ/

Oi, Obama. Rein your spooks in, demands web giants’ alliance


Eight web heavyweights have banded together to call on the US and other governments to rein in indiscriminate surveillance by state security agencies.

AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo are asking for a general reform of government surveillance laws and practices because the “balance in many countries has tipped too far in favour of the state and away from the rights of the individual”.


The tech firms said that their efforts to improve encryption and push back against overly broad snooping requests are not enough by themselves – and the US needs to take the lead in reforming surveillance practices.

In an open letter to US President Barack Obama and US Congress, the Reform Government Surveillance Coalition called for changes so that “surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight”.

The tech firms’ statement is couched in the high principles of protecting individual rights and freedoms in the wake of revelations about dragnet surveillance programmes by the US and UK, exposed by former NSA sysadmin Edward Snowden.

It doesn’t mention an issue closer to these US firms’ balance sheets – revelations about snooping are making it far harder for companies based in the country to sell cloud-based services to enterprises and (to a lesser extent) consumers. Telecoms firms are conspicuous by their absence as signatories to the lobbying effort.

On a more positive note, Microsoft and Google have put aside their differences – remember Redmond is in the middle of an aggressive sledging “Scroogled” campaign to “raise awareness” of the various ways Google uses people’s personal data to make money – to jointly call for a cap on government snooping. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/09/reform_gov_surveillance_tech_alliance/

Microsoft Teams With Law Enforcement, Disrupts ZeroAccess Botnet

Microsoft’s Digital Crimes Unit last week said it has joined with the FBI and Europol to disrupt the ZeroAccess botnet, also known as Sirefef.

ZeroAccess, which targets all major search engines and browsers, has infected nearly 2 million computers all over the world and cost online advertisers upward of $2.7 million each month, Microsoft says in a blog about the botnet.

“ZeroAccess is responsible for hijacking search results and directing people to potentially dangerous websites that could install malware onto their computer, steal their personal information or fraudulently charge businesses for online advertisement clicks,” the blog states. “ZeroAccess also commits click fraud.”

Microsoft calls ZeroAccess “one of the most robust and durable botnets in operation today,” infecting most computers via drive-by downloads from popular websites or via fake software licenses.

The software giant has attempted to take down several botnets in the past two years, but some of them have regenerated and are delivering malware again. For this reason, Microsoft no longer uses the term “takedown” in its anti-botnet initiatives.

“Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet,” the blog states. “However, we do expect this legal and technical action will significantly disrupt the botnet’s operation by disrupting the cybercriminals’ business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims’ computers from committing the fraudulent schemes.”

Microsoft says it is informing users whose computers have been infected. The malware contains tools to prevent its removal, so the software giant is offering instructions on how to remediate the problem.


Article source: http://www.darkreading.com/end-user/microsoft-teams-with-law-enforcement-dis/240164539

iSPY: Apple Stores switch on iBeacon phone sniff spy system


Apple has switched on its controversial iBeacon snooping system across 254 US stores.

The fruity firm’s iSpy network allows Apple to watch fanbois as they walk around an Apple store and then send them various messages depending on where they are in the shop.


This might come in handy when visiting an Apple store, for instance, which is offering the latest iStuff. Glance in its direction or wander past and your iPhone will suddenly spring to life, filled with messages about products you haven’t bought yet.

Apple’s iBeacon transmitters use Bluetooth to work out customers’ location, because GPS doesn’t work as well indoors. This functionality was quietly snuck into iOS 7.

To take part all you need to do is download the Apple Store app and agree to let it track your location.

Apple claimed iBeacon offers “a whole new level of micro-location awareness, such as trail markers in a park, exhibits in a museum, or product displays in stores”.

What that really means is that whenever you visit somewhere armed with iBeacon transmitters, your iPhone will bombard you with unwanted messages.

Luckily, there’s a way to avoid the all-seeing eye of Cupertino: just switch off location services and you can go about your shopping trip without being surveilled.

According to AP, the flagship store on Fifth Avenue, New York City, was first to switch on its system on Friday and by this point every fruity outlet will have gone live. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/09/ispy_on_your_little_buys_apples/