STE WILLIAMS

Centrify’s Unified Identity Solution Secures Access To Enterprise Social Media Shared Accounts

SUNNYVALE, Calif. — Nov. 19, 2013 — Centrify Corporation, the leader in Unified Identity Services across data center, cloud and mobile, today announced that its Centrify User Suite, SaaS Edition (“Centrify for SaaS”) solution uniquely protects enterprises’ shared accounts, including social media accounts such as Twitter, from internal threats and unauthorized access, including access from users who have left the organization.

Today’s organizations are often forced to leverage shared access to social accounts on behalf of the company or brand. Losing control of these social accounts can be costly, embarrassing and can damage reputations. Common access control problems occur when employees share passwords with unauthorized users, are no longer authorized to access the accounts themselves, or leave the organization and take the shared username and password with them. The Centrify for SaaS Identity-as-a-Service (IDaaS) solution provides robust Active Directory- and/or cloud-based access and application management across any cloud application, including shared enterprise accounts for social media sites. Additionally, with built-in administrative views and reports that give instant views of which employees have access to shared social media accounts, Centrify for SaaS enables organizations for the first time to centralize control over access to cloud applications in the workplace.

For example, Centrify for SaaS vaults the passwords for social accounts so users never know or need to use the social app’s password. When an approved user needs to log in to one of these social accounts, they simply log in to the Centrify portal as themselves and click on the shared account. At no time do users have access to the shared password, and an IT administrator can even define when users are allowed to access the app, from what location, and can ask them for additional factors of authentication. When the employee leaves the organization or their role in the enterprise changes, administered access in Active Directory or Centrify’s cloud user service simply turns off shared account access as well.

“While key logger trojans and hacker groups do pose a real threat to enterprise accounts, organizations often forget about protecting themselves against the casual or malicious internal threat,” said Corey Williams, Centrify senior director of product management. “Not addressing the internal threat leaves organizations exposed to unauthorized internal access or malicious Twitter posts from casual, disgruntled or ex-employees who still have access to the organization’s social accounts. With Centrify, organizations can easily centralize all their social accounts and access without having to share passwords.”

With Centrify for SaaS, organizations solve password problems and secure the devices that are accessing cloud and mobile apps. End users benefit from Centrify’s Single Sign-on (SSO) and self-service features that let them locate, lock or wipe their mobile devices, as well as reset their Microsoft Active Directory passwords. IT benefits from Centrify’s easy-to-deploy, cloud-based service that delivers centralized access control and visibility to SaaS app usage and integrated mobile application management with seamless integration to Active Directory or Centrify’s cloud user service. Centrify for SaaS decreases the cost of managing SaaS apps and mobile devices while at the same time improving security and compliance, as well as user adoption, satisfaction and productivity.

About Centrify

Centrify provides Unified Identity Services across the data center, cloud and mobile that results in one single login for users and one unified identity infrastructure for IT. Centrify’s solutions reduce costs and increase agility and security by leveraging an organization’s existing identity infrastructure to enable centralized authentication, access control, privilege management, policy enforcement and compliance. Centrify customers typically reduce their costs associated with identity lifecycle management and compliance by more than 50%. With more than 5,000 customers worldwide, including approximately half of the Fortune 50 and more than 60 Federal agencies, Centrify is deployed on more than one million server, application and mobile device resources on premise and in the cloud. For more information about Centrify and its solutions, call (408) 542-7500, or visit http://www.centrify.com/.

Article source: http://www.darkreading.com/management/centrifys-unified-identity-solution-secu/240164206

Spam from an anti-virus company claiming to be a security patch? It’s Zbot/Zeus malware…

Julie Yeates of SophosLabs (thanks Julie!) alerted us earlier today to a spam campaign that seemed to originate from a whole raft of different security and anti-virus companies.

The messages have a variety of subject lines, such as:

Windows Defender: Important System Update - 
  requires immediate action

AVG Anti-Virus Free Edition: Important System Update - 
  requires immediate action

AVG Internet Security 2012: Important System Update - 
  requires immediate action

Kaspersky Anti-Virus: Important System Update - 
  requires immediate action

Microsoft Security Essentials: Important System Update - 
  requires immediate action

The emails are all very similar, claiming to include an important security update to deal with “the new malware circulating over the net”.

The product name in the subject line (and in the body) varies from email to email, but the bulk of the content stays the same:

Important System Update – requires immediate action

It’s highly important to install this security update due to the new malware circulating over the net. To complete the action please double click on the system patch KB923029 in the attachment. The installation will run in the silent mode. Please pay attention to this matter and inform us in case there is a problem.

The email doesn’t explicitly mention the CryptoLocker ransomware that locks your files and tries to sell them back to you.

But there is little doubt that many recipients, having heard of the ongoing saga of CryptoLocker, will be more inclined than usual to read on.

It’s all a pack of lies, of course.

There is no “system patch KB923029,” and even if there were, neither Microsoft nor any other reputable company would send out security updates as email attachments.

Also, if you are a native speaker of English, you should spot a number of niggling errors of usage and grammar in the text of the email.

→ The fact that an email is grammatically flawless, in English or any other language, is not an indicator of legitimacy. But language blunders in English, in an email purporting to come from the New York office of a legitimate software company, are a strong indicator of bogosity. If the crooks can’t even be both to trying rite and spel decent, you may as well use their linguistic sloppiness against them.

The ZIP file contains an EXE (a program file); that program file is one of the many variants of the Zbot malware, also known as Zeus, that we see on a regular basis.

You’re expected to open the ZIP and run the program inside, which has a name like this:

HOTFIX_patch_KB_00000...many digits...56925.exe

There’s nothing wrong with having an EXE inside a ZIP file.

But a ZIP that contains only an EXE, and that was delivered by email, is just as suspicious as a plain EXE that arrives as an attachment.
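As an added illustration of that last point (example code written for this page, not Sophos’s own tooling or detection logic), here is the kind of small check a mail gateway or triage script can apply to a ZIP attachment: it classifies the archive by whether every file inside is executable, judging by extension and by the PE `MZ` header so that a renamed EXE is still caught. The archives it inspects are built in memory; the member name `HOTFIX_patch_KB_000056925.exe` is made up in the style of the attachment described above and is not the real sample.

```python
import io
import zipfile
from typing import Iterable, Tuple

# Extensions Windows will run directly when the user double-clicks them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta"}


def _looks_executable(info: zipfile.ZipInfo, head: bytes) -> bool:
    """True if a ZIP member is executable by extension or by content.

    The final extension is compared case-insensitively, and the first two
    bytes are checked for the PE/MZ magic, so "invoice.pdf" that is really
    an EXE is still flagged.
    """
    name = info.filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return ext in EXECUTABLE_EXTS or head.startswith(b"MZ")


def classify_zip_attachment(data: bytes) -> str:
    """Classify a ZIP attachment by what its file members are.

    Returns one of:
      "not-a-zip"         data is not a readable ZIP archive
      "empty"             no file members at all
      "only-executables"  every file member is executable: treat as a bare EXE
      "mixed"             executables alongside other files
      "no-executables"    nothing executable found
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "not-a-zip"
    with zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        if not members:
            return "empty"
        flags = []
        for m in members:
            with zf.open(m) as fh:
                head = fh.read(2)   # only the magic bytes, never the whole body
            flags.append(_looks_executable(m, head))
    if all(flags):
        return "only-executables"
    if any(flags):
        return "mixed"
    return "no-executables"


def build_sample_zip(files: Iterable[Tuple[str, bytes]]) -> bytes:
    """Constructed test data: build an in-memory ZIP from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real malware: a fake PE stub under a made-up
# "hotfix" name, the same stub renamed to look like a PDF, and a benign archive.
FAKE_PE_STUB = b"MZ" + b"\x00" * 62
SAMPLE_PATCH_ZIP = build_sample_zip([("HOTFIX_patch_KB_000056925.exe", FAKE_PE_STUB)])
SAMPLE_RENAMED_ZIP = build_sample_zip([("invoice.pdf", FAKE_PE_STUB)])
SAMPLE_DOC_ZIP = build_sample_zip([("readme.txt", b"hello"), ("notes.txt", b"world")])

if __name__ == "__main__":
    for label, blob in [("patch", SAMPLE_PATCH_ZIP),
                        ("renamed", SAMPLE_RENAMED_ZIP),
                        ("docs", SAMPLE_DOC_ZIP)]:
        print(f"{label}: {classify_zip_attachment(blob)}")
```

Run it directly to see the three verdicts. `only-executables` is the case the text above says deserves exactly the same suspicion as a bare EXE in your inbox; `mixed` is worth a look too, since a decoy document beside the payload is a common variation.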

If you do run it, the EXE installs itself into:

C:\Documents and Settings\%USER%\Application Data

with a random filename, and adds itself to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that it gets launched every time you reboot or logon.
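To turn that persistence description into something you can check for, here is an added Python example (not from the article or from Sophos): it parses `HKCU\...\Run` command lines, expands environment variables, and flags any autorun whose executable lives under a user-writable profile directory such as Application Data, which is where the text above says this Zbot variant installs itself. The environment and the Run entries are constructed sample data for an XP-era profile; the value names `Kuqeno` and `updater` and their paths are invented. `read_hkcu_run()` reads the live key through the standard `winreg` module and only works on Windows; everything else runs anywhere.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Profile directories an ordinary user can write to.  A randomly named binary
# dropped here and registered under HKCU\...\Run is the pattern described above.
USER_WRITABLE_DIRS = ("%APPDATA%", "%LOCALAPPDATA%", "%TEMP%", "%USERPROFILE%")

_ENV_REF = re.compile(r"%([^%]+)%")


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references from the given mapping, case-insensitively.

    Unknown variables are left untouched so a path is never silently shortened.
    """
    lower = {k.lower(): v for k, v in env.items()}
    return _ENV_REF.sub(lambda m: lower.get(m.group(1).lower(), m.group(0)), path)


def image_path_from_command(command: str) -> str:
    """Pull the executable path out of a Run-key command line.

    A quoted path is taken verbatim.  An unquoted path containing spaces is
    rebuilt token by token until the prefix ends in an executable extension,
    which mirrors how CreateProcess resolves unquoted paths with spaces.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith((".exe", ".com", ".scr", ".bat", ".cmd")):
            return candidate
    return tokens[0] if tokens else ""


def suspicious_run_entries(entries: List[Tuple[str, str]],
                           env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value name, normalised image path) for every Run entry whose
    executable lives under a user-writable profile directory."""
    roots = [ntpath.normcase(expand_env(d, env)) for d in USER_WRITABLE_DIRS]
    hits = []
    for name, command in entries:
        image = ntpath.normcase(expand_env(image_path_from_command(command), env))
        if any(image.startswith(root + "\\") for root in roots):
            hits.append((name, image))
    return hits


def read_hkcu_run() -> List[Tuple[str, str]]:
    """Read the live HKCU Run key (Windows only, via the standard winreg module)."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:          # raised once the values are exhausted
                break
            entries.append((name, str(value)))
            index += 1
    return entries


# Constructed sample data (not from a real infection): an XP-era profile like
# the one in the article, two benign autoruns, and two Zbot-style entries.
SAMPLE_ENV = {
    "USERPROFILE": r"C:\Documents and Settings\alice",
    "APPDATA": r"C:\Documents and Settings\alice\Application Data",
    "LOCALAPPDATA": r"C:\Documents and Settings\alice\Local Settings\Application Data",
    "TEMP": r"C:\Documents and Settings\alice\Local Settings\Temp",
}
SAMPLE_RUN_ENTRIES = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Adobe Reader Speed Launcher",
     r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"'),
    ("Kuqeno", r'"C:\Documents and Settings\alice\Application Data\Kuqeno\ybapo.exe"'),
    ("updater", r"%APPDATA%\qwxz.exe /silent"),
]

if __name__ == "__main__":
    for name, image in suspicious_run_entries(SAMPLE_RUN_ENTRIES, SAMPLE_ENV):
        print(f"suspicious autorun {name!r} -> {image}")
```

On a Windows box you would feed `read_hkcu_run()` and `dict(os.environ)` into `suspicious_run_entries()` instead of the sample data. Treat a hit as a lead, not a verdict: some legitimate per-user updaters also live under AppData, so the combination of a user-writable location with a meaningless random filename is the signal worth chasing.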

We shouldn’t need to remind you, but we’ll do so in case you want to remind someone else:

  • Don’t open email attachments you weren’t expecting.
  • Don’t believe emails that claim to be sending you a security patch – by email.
  • Don’t ignore clues such as poor grammar or spelling in emails that claim to be official.
  • Don’t neglect to keep your software patches up to date – but never by email.

Note. Sophos Anti-Virus on Windows detects this malware proactively (and very likely a high percentage of related variants still to appear) as HPMal/Zbot-C. Sophos on non-Windows platforms, including gateway products, detects the malware’s various components as Troj/Agent-AEWF and Troj/Agent-AEWG. Sophos web and email filters proactively quarantine attacks of this sort by identifying the ZIP file as suspicious.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tlodfOiTSmY/

New Snowden docs reveal secret deal that let NSA spy on innocent Britons

In 2007 the UK gave the go-ahead to the US’s National Security Agency (NSA) to snoop on innocent Britons not suspected of any wrongdoing, new documents from NSA whistleblower Edward Snowden show.

In a joint investigation, The Guardian and Britain’s Channel 4 News report that the two documents are the “first proof in black and white” that the UK let the NSA sweep up, analyse and store the phone, internet and email records of friends of friends of friends who are targets of surveillance interest.

That reach illustrates the NSA’s so-called “pattern of life” or “contact chaining” analysis, which allows the agency to look up to three “hops” away from the primary target, as The Guardian’s James Ball describes it.

The Guardian has posted an interactive calculator to illustrate how these three degrees of separation can start with one primary target and lead to enormous networks of people.

For example, a typical Facebook user has 190 friends, which, three hops away, could pull more than 5 million people into the NSA’s data coffers.

Thus, a person doesn’t need to actually talk to terror suspects for his or her communications to be analysed.
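The three-hop rule is, mechanically, a bounded breadth-first search over a contact graph. The following Python is an added illustration written for this page, not anything from the leaked documents or from The Guardian’s calculator: it chains outward from a target one hop at a time over a constructed set of call records (every identifier is invented), and it also computes the “everyone has f contacts, none shared” upper bound from which figures like the 190-friend example are derived.

```python
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

Graph = Dict[str, Set[str]]


def build_contact_graph(records: Iterable[Tuple[str, str]]) -> Graph:
    """Build an undirected contact graph from (party A, party B) records."""
    graph: Graph = {}
    for a, b in records:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def contact_chain(graph: Graph, target: str, max_hops: int) -> List[Set[str]]:
    """Breadth-first contact chaining.

    Returns a list indexed by hop count: result[0] == {target}, result[1] is
    everyone in direct contact with the target, result[2] their contacts, and
    so on up to max_hops.  Each identifier is placed at its shortest distance
    only, so the per-hop sets are disjoint.
    """
    rings: List[Set[str]] = [{target}]
    seen = {target}
    frontier = deque([target])
    for _hop in range(max_hops):
        next_ring: Set[str] = set()
        for _i in range(len(frontier)):
            node = frontier.popleft()
            for contact in graph.get(node, ()):
                if contact not in seen:
                    seen.add(contact)
                    next_ring.add(contact)
                    frontier.append(contact)
        rings.append(next_ring)
    return rings


def swept_up(graph: Graph, target: str, max_hops: int) -> Set[str]:
    """Everyone other than the target within max_hops contacts of them."""
    return set().union(*contact_chain(graph, target, max_hops)[1:])


def hop_bound(contacts_per_person: int, hops: int) -> int:
    """Upper bound on people within `hops` when everyone has the same number
    of contacts and no two people share one: f + f(f-1) + f(f-1)^2 + ..."""
    f = contacts_per_person
    return sum(f * (f - 1) ** (h - 1) for h in range(1, hops + 1))


# Constructed sample: call records for a small community.  None of these
# identifiers refer to real people.
SAMPLE_RECORDS = [
    ("target", "alice"), ("target", "bob"),
    ("alice", "carol"), ("bob", "dave"),
    ("carol", "erin"), ("dave", "frank"),
    ("erin", "grace"),            # grace is four hops out: beyond the rule
    ("heidi", "ivan"),            # never in contact with the target's network
]
SAMPLE_GRAPH = build_contact_graph(SAMPLE_RECORDS)

if __name__ == "__main__":
    for hop, ring in enumerate(contact_chain(SAMPLE_GRAPH, "target", 3)):
        print(f"hop {hop}: {sorted(ring)}")
    print(f"190 contacts each, 3 hops, no overlap: {hop_bound(190, 3):,} people")
```

Real contact graphs overlap heavily, so the bound overstates the reach; the point of the example is that even on a toy graph the third ring contains people who have never spoken to the target, and the bound shows how quickly the numbers grow when the rings are wide.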

Channel 4 writes that an unconfirmed assumption holds that Britain gained the reciprocal right to use data collected on US residents in the 2007 agreement.

One NSA memo from 2007, which the Guardian published on Wednesday, describes an agreement that allowed the NSA to “unmask” and hold on to personal data about Britons that had previously been off-limits under what’s known as the Five-Eyes intelligence-sharing alliance, which also includes Australia, New Zealand and Canada.

Under that formerly secret treaty – which had its roots in the 1941 Atlantic Charter and was only revealed to the public in 2005 – it had been generally understood that each member country’s citizens were protected from surveillance by the other alliance members.

The rules changed in 2007.

The 2007 NSA memo, titled “Collection, Processing and Dissemination of Allied Communications”, says that Britons’ mobile phone and fax numbers, emails and IP addresses collected in surveillance dragnets are being stored in databases and can be made available to other members of the US intelligence and military community.

Prior to that, the data was stripped out of NSA databases in accordance with agreed-upon rules between the UK and the US.

The UK Liaison Office, which is operated by GCHQ, signed off on the document, though it’s unclear whether it discussed the rule change before granting its approval.

The agreement didn’t remove the need for a warrant before the NSA looked at the content of Britons’ communications.

But it did authorize NSA agents in these new ways:

  • “Are authorized to unmask UK contact identifiers resulting from incidental collection.”
  • “May utilize the UK contact identifiers in Sigint development contact chaining analysis.”
  • “May retain unminimized UK contact identifiers incidentally collected under this authority within content and metadata stores and provided to follow-on USSS (US Sigint System) applications.”

The newly revealed documents show that regardless of the British government’s say-so, the US was planning to spy on Britain “unilaterally” and without its knowledge.

As Channel 4 News reports, that intention is made clear in a paragraph of a separate, draft memo dated 2005.

One passage is marked “NOFORN”, which indicates “not even for British eyes.”

It states that the Five-Eyes agreement “has evolved to include a common understanding that both governments will not target each other’s citizens/persons”.

But, the draft memo goes on, governments “reserved the right” to conduct intelligence operations against each other’s citizens “when it is in the best interests of each nation”.

“Therefore,” the draft memo continues, “under certain circumstances, it may be advisable and allowable to target second party persons and second party communications systems unilaterally, when it is in the best interests of the US and necessary for US national security.”

UK readers, are you surprised by any of this? Or is it just another brick in the surveillance wall?

Let us know your thoughts in the comments section below.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zJfTUbJJK6g/

"Catch me if you can", alleged burglar posts on Facebook

Police in the US state of Texas were trying to hunt down two men they thought might have been behind thefts from 17 cars in one community on Sunday.

Police in Rosenberg, Texas said that Damian and Rolando Lozano were behind the crimes.

They managed to apprehend Damian Lozano, but Rolando remained at large.

So the police took to their Facebook page, posting Rolando Lozano’s picture to see if the public could help track him down.

Vehicle break-ins FB post

The wanted man himself replied.

Rolando taunt on Facebook

f*** all yall hoes, im innocent, catch me if u can muthasuckas

Stop me if you’ve heard this one before.

Oh, wait, you have heard this one before, at least if you read about the burglars who notified the Brooklyn police about their crime spree via Facebook status updates, or the burglar who opened up a stolen laptop and uploaded his picture onto his victim’s Facebook account.

Those crooks found out that police know how to use social media.

Mr. Lozano discovered that too, within 15 minutes.

Or, as police responded to his “catch me if u can” invitation, “Request granted”!

The post in its entirety:

RPD FB post

Request Granted – SHARE THIS POST

Not 15 minutes after Rolando Lozano “taunted” law enforcement and the community as a whole, on our own Facebook site, your Rosenberg Police Officers (detectives and patrol alike) located Rolando hiding out at a family member’s home, where he was Captured.

Rolando is one of two alleged suspects in the Seaborne Meadow’s Burglary of Motor Vehicles case, where at least ### 17 ### of your vehicles were burglarized.

Both brothers, Damian and Rolando are now behind bars. And… in a bizarre twist, the resident of the home he was hiding out in, also had a warrant.

This is just another example on how Policing With Us, Works!!!

They even posted a photo of the event:

RPD FB photo

According to comments left by the police department, they may have nabbed Lozano as quickly as 5 minutes after he posted.

Did the police have such stunningly fast computer forensics on hand that they managed to track down their man within 5 minutes of his post?

Nope. According to a followup post, Rosenberg Police said that it was tips from the community that helped them to trace him to a relative’s house.

There are so many things to like about this story.

First, it doesn’t involve a mob ganging up on an accused person who is, of course, innocent until proved guilty. Instead, the community took their input to where they should in such cases: the police department.

Second, Rosenberg Police have the best Facebook page I’ve ever seen for a government outfit.

They’re such a cheery bunch, one fan complained that she was nearly overwhelmed with the urge to step out of her car, in traffic, to high-five the driver of a police vehicle.

The “official” police response:

Give us a high five next time…just warn the officer as you are running up to them like a crazy woman…lol

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8JwP-XJSokQ/

FTC fights the cybercrooks who put CryptoLocker to shame

Take this test!

Put a name to the clear and present cybercrime danger that:

  1. Deliberately preys on users who are less well informed or prepared than average.
  2. Messes around with your data.
  3. Blackmails you into paying about $300.
  4. Makes you wonder if the crooks will be back, and if so, when?

You might be thinking, “CryptoLocker,” but I’m talking about crookery that is in many ways much worse: fake support call scams.

Throughout the English speaking world, including at least the USA, Canada, UK, South Africa, Australia and New Zealand, innocent people, minding their own business, are being plagued by these callous callers.

Fortunately, the call scammers have stuck to a standard formula, which makes it easy (for now) to advise your friends and family on what to look out for; unfortunately, this consistency tells us they’re still making money without an awful lot of effort.

How the scam works

You’re probably aware of how it goes, but I’ll review it here:

1. You get a call out of the blue. Usually it seems to come from a local phone number, so if you’re in Sydney, Australia, your phone will show a number like +61.2.8xxx.xxxx; if you’re in Oxford, you’ll probably see +44.1865.xxx.xxx; and so on.

2. The caller will tell you – or almost tell you – he’s from Microsoft. Or Dell. Or McAfee. Or, for that matter, Sophos. Maybe because some lawyer said it would make a difference, he probably won’t state outright he’s an employee of Sophos, or McAfee, or whomever, but will use weasel words like “I’m working with XYZ support.”

3. He’ll tell you your computer has a virus, and you need help. He may be cajoling, or sympathetic, or stern, or even downright threatening. However he chooses to behave, one thing is for sure: there isn’t much that will make him take “No” for an answer.

→ Saying you had a Mac, or that you didn’t have a computer at all, used to shut these guys up. But even that isn’t guaranteed. The only thing that really works is to hang up immediately. Don’t argue. Don’t rant and rave. Hang up, right away, without saying a single word. Mr Miyagi’s Karate Kid defence: “Best way to avoid punch – no be there.”

4. He’ll get you to open the Windows Event Viewer.

5. He’ll find an innocent error message with a nice, loud warning triangle or a bright red X, and tell you that’s because you’re infected.

6. He’ll get you to give him remote access to your PC, using a legitimate remote support service. Because you can see what he’s up to, it being a legitimate “dual control” remote access service, you might feel slightly less uneasy about letting an unknown outsider in.

→ You can expect any sympathy to evaporate about now, and for the tenor of the call to become much more threatening. After all, if you did have a virus, you probably would be causing hassles for other internet users: spamming them, for example, or racking up bogus connections to their web server. So the fake call scammers exploit this to leave you wondering if you might end up in trouble – with the authorities, with your ISP, with the imaginary company you might inadvertently be attacking – and use your concern to intimidate you into what comes next.

7. He’ll rummage around in a visually interesting but technically pointless way for a while, and then claim to have fixed a security problem you didn’t have.

8. And then he’ll take $300 off you, in return for nothing.

→ Worse than nothing, in fact. At best, he’s tricked you into believing you are more secure than before, which is false. At worst, for all you know, he’s stolen data, planted new malware for some repeat business, or simply messed up something through ineptitude.

Almost all of these calls seem to come out of India – a sort of alternative call centre business that seems to be bringing plenty of money into that country’s economy.

But these callers, and the businesses that employ them, are not exactly a good advert for India as an outsourcing centre: they are demanding money by threatening you; they’re charging you for a service you didn’t need, and that in any case they didn’t actually provide; and they typically seem quite unrepentant about it.

They don’t care for Do Not Call registers; they may call over and over again (I have met people who get pestered repeatedly with these phone calls at home, and are powerless to make them stop); and in many cases, they seem to have a fair idea who you are from their cold-calling database, wherever or however they might have acquired it.

You have every right to be worried about this: a cold caller who cares nothing for regulations in your country, who has called you several times before, who doesn’t like to take “No” for an answer, who is rude and intimidating, and whose aim is to extort $300 out of you by telling you a giant pack of lies…and as far as you can tell, he knows where you live.

So, what can be done, apart from the swift-and-silent hangup I mentioned above?

Well, the United States Federal Trade Commission (FTC) is trying, and has just achieved a modest success against one such scammer:

It looks as though Mr Pasari folded early, leaving his fellow defendants to the ongoing wrath of the FTC.

Agreeing to pay technically doesn’t make him guilty, but it will cost him $14,369, agreed as the amount he made out of the scams.

How big is the rest of this business?

The FTC has at least six matters on the boil right now, and I suggest you take a few minutes to browse through the open cases.

The FTC has, in my opinion, put together some excellent summaries of how the scams unfold, with a dispassionate and objective explanation of why these guys really do charge for absolutely nothing.

By the way, one of the FTC’s complaints alleges that the perpetrators were able to spend more than $1,000,000 in two years on Google AdWords to bring up their phone number when potential victims searched for terms such as “McAfee Customer Support,” “Avast phone number,” and “Norton Support.”

So these guys do indeed also seem to be making lots of money for absolutely nothing.

Don’t let your friends and family fall victim

Here’s what you can do to protect your own friends and family from intimidation and exploitation by these scammers:

  • Make sure they are aware that they should not feel any obligation to accept computer support they didn’t request.
  • Encourage them to hang up silently and swiftly.
  • Offer to help them find a local computer support service if ever they really need one.

Remember that every $300 someone you know puts into the coffers of these bogus givers of support is $300 that is effectively stolen from your local economy.

Say no, and the podcast embedded in the original article offers some advice on how.

Worse than CryptoLocker?

Maybe not, but you can certainly make the case that this scam is as bad.

(For $300, the CryptoLocker guys actually do seem to sell you your data back. I’m not calling that “honour among thieves,” but the call scammers charge you the same money for absolutely nothing.)

What do you think? Let us know in the comments!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jvGh3W9PrSo/

LG: You can stop hiding from your scary SPY TELLY quite soon now


South Korean electronics giant LG has confirmed that some of its smart TVs have been logging their owners’ viewing habits without their permission and has promised a patch.

Hull, UK–based developer Jason Huntley, aka “DoctorBeet,” was first to notice the spying behavior when he analyzed network traffic coming from his LG TV and found that it transmitted the names of TV channels and media files he was watching, even when a data-collection feature was supposedly disabled.


On Thursday, a second blogger tried to replicate Huntley’s results and found that his own set was also transmitting the names of media files hosted on his local network.

It’s a good thing no one’s intercepting everyone’s internet traffic, right?

LG has since investigated the matter and has now issued a statement essentially admitting that all of these findings are true – although it doesn’t see them in quite the same light as LG smart TV owners are likely to.

The statement, which was obtained by security researcher Graham Cluley, begins with the usual assurances that LG values its customers’ privacy and that it is always aiming to improve its smart TV experience. It then goes on to acknowledge that some LG TVs do transmit data about what the viewer is watching, even when that feature is turned off, but it hastens to add that no one should take this personally.

“Information such as channel, TV platform, broadcast source, etc. that is collected by certain LG Smart TVs is not personal but viewing information,” the statement explains. The information is collected, it says, in order to provide “more relevant advertisements and to offer recommendations to viewers based on what other LG Smart TV owners are watching.”

And the part about the TV scouring the local network in search of media files? That’s true, too, LG says – the behavior was implemented for an upcoming feature – but it shouldn’t worry anyone, either.

“This feature … was never fully implemented and no personal data was ever collected or retained,” LG’s statement says.

LG says it is working on a firmware update for the affected TVs that will stop the transmission of viewing information when that feature is disabled and also remove the network-scanning feature. No date for the patch was given, but LG says it is being prepared “for immediate rollout.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/22/lg_tv_spying_statement/

Stolen CREDIT CARD details? Nah… crooks desire your PRIVATES


Prices on underground cybercrime marketplaces are dropping, with credit card details now in less demand than the personal data of individuals, according to a new study.

And even personal details and bank account credentials are getting cheaper to buy on underground hacker markets, according to a study by Dell SecureWorks’ director of malware research Joe Stewart and independent researcher David Shear.


Compromised US Visa and MasterCard credit card details can be bought for as little as $4, a price that doubles for stolen card details from the UK, Australia or Canada. A US credit card’s information, as contained on the magnetic stripe on the reverse side of a card (Track 1 and 2 Data) fetches $12. But a similar card dump, where the holder is based in either the EU or Asia, can be sold for $28.

Complete card details along with the corresponding VBV (Verified by Visa) password command a price of $17-$25 (for cards issued in the UK, Australia, Canada, the EU and Asia).

A complete personal dossier on a US individual (featuring full name, address, phone numbers, email addresses with passwords, date of birth, SSN and, in some cases, bank account information) would cost $25. Such dossiers – called Fullz in underground forums – would fetch $30-$40 for an intended victim from the UK, Australia, Canada, the EU or Asia. Just the date of birth for the same individual might be sold for $15-$25.

Prices are dropping. Two years ago Fullz fetched a price of between $40 to $60, depending on a victim’s country of residence.

“There is no shortage of stolen credit cards, personal identities, also known as Fullz, and individual social security numbers for sale,” the researchers note.

“However, the hackers have come to realise that merely having a credit card number and corresponding CVV code (Card Verification Value–the 3 or 4 digit number on one’s credit or debit card) is not always enough to meet the security protocols of some retailers.”

Miscreants are also able to buy the login and password for a bank account holding $70,000 to $150,000 for $300 or less. The preferred payment method for the many and varied services for sale through cybercrime bazaars has switched to either Bitcoin or Western Union money transfers.

Underground hacking forums also sell malware and hacking services as well as credit card and personal details. Batches of 1,000 infected computers can be bought for $20, with bulk discount bringing the price of 10,000 infected PCs down to $160.

“Once scammers buy the malware-infected computers, they can do anything they want with the machines,” Stewart and Shear explain. “They can harvest them for financial credentials, infect them with ransomware so as to extort money from their owners, or use them to form a spam botnet to send out malicious spam on behalf of other scammers.”

Stewart and Shear found that there was a variety of Remote Access Trojans (RATs) for sale ranging from $50 to $250. Most of the RATs were sold with a program to make it Fully Undetectable (FUD) to security software. Sometimes this feature cost an additional $20. Trojan buyers could also pay to have someone set up a command and control server and possibly infect a target for an additional $20 to $50.

For more advanced hackers, the Sweet Orange Exploit Kit – a tool for distributing malware through drive-by download attacks from compromised websites – can be rented through underground forums for around $450 per week or $1,800 per month.

The hacking of a website can be commissioned at a price of between $100 to $300, depending on the reputation of the hacker. An ad for one hacker-for-hire noticed by the researchers said he would not take commissions to hack into either government or military websites.

A Distributed Denial of Service (DDoS) attack against a targeted website would cost $100 a day, according to the researchers. All of the hackers providing the DDoS attacks guaranteed that the target website would be knocked offline.

“The types of hacker services and stolen data for sale on the hacker underground have changed dramatically in the past several years,” Stewart and Shear conclude. “The only noticeable difference is the drop in price for online bank account credentials and the drop in price for Fullz or personal credentials.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/22/cybercrime_market_prices/

Berners-Lee: ‘Growing tide of surveillance’ is destroying the internet


Tim Berners-Lee has warned that snooping spooks are destroying the free spirit of the internet.

He said a “growing tide of surveillance and censorship” was drowning the democratic nature of the web.


Sir Tim was speaking at the launch of the World Wide Web Foundation’s annual web index report, which analyses the web’s “contribution to development and human rights globally”.

Sweden comes top, followed by Norway, with the UK in third place and the US in fourth.

“One of the most encouraging findings of this year’s web index is how the web and social media are increasingly spurring people to organise, take action and try to expose wrongdoing in every region of the world,” he said.

“But some governments are threatened by this, and a growing tide of surveillance and censorship now threatens the future of democracy.”

The report found that “moderate to extensive blocking or filtering of politically sensitive content” took place in more than 30 percent of nations during the past year.

It also found that “legal limits on government snooping online urgently need review”. Some 94% of countries in the Web Index do not meet “best practice standards for checks and balances on government interception of electronic communications”.

Berners-Lee recently said NSA surveillance was “appalling and foolish”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/22/bernerslee_spooks_risk_destroying_the_internet/

Bug bounty upstart thinks there’s BIG MONEY in crowdtesting

Security startup CrowdCurity is marketing a cloud-based platform that allows businesses to set up and run their own bug bounty and security testing programmes.

Bug bounty programmes have become fairly commonplace across the IT industry over recent years. The schemes reward researchers for reporting flaws to vendors, rather than hawking them through exploit brokers or vulnerability marketplaces.
Google’s bug bounties are probably the best known in the industry but many other vendors including Facebook and (most recently) Microsoft have launched comparable programmes. An extensive (but perhaps not exhaustive) list can be found here.

Jakob Storm, co-founder of CrowdCurity, told El Reg that despite these many schemes there was still an extensive market left unaddressed. He added that firms already running bug bounty programmes could benefit from outsourcing the day-to-day administration of the programme to CrowdCurity.

“Some vendors have already launched bug bounty programmes but compared with the total market this is a very small fraction,” Storm explained via email. “Apart from this we have been in contact with some companies already doing their own bug bounty programmes, and for many of them it is a pain to: 1) set up the programme with terms etc, 2) pay the testers (these can come from all over the world), 3) attract enough testers (this is mainly for the smaller businesses), and 4) manage the incoming reports.”

The Danish start-up is effectively offering a crowd-based penetration testing service. CrowdCurity’s service offers to take care of payments to the testers, using Bitcoins and PayPal. Around 400 testers have already signed up to CrowdCurity’s scheme, a figure Storm said is growing. “We have a built-in bug management system where it is easy to get an overview of what has been reported and what [received] feedback,” he added.

Storm named Bugcrowd and Synack as CrowdCurity’s most obvious competitors. “They however seem to target larger companies and have a slightly different approach, offering more on the consultancy side,” he explained.

Storm acknowledged our point that some businesses would want to keep very tight control over knowledge of vulnerabilities in their platform and would therefore be loth to hand over the management of a bug bounty scheme to a third-party cloud-based service. However he argued that such companies are typically either “not very confident about their security level” or outfits such as banks charged with handling sensitive data.

“We have made some features that make it possible for companies to keep tight control – to an extent,” Storm explained. “Companies can run their programmes in a test/staging environment, so it will not affect the live processes, and they can choose to do a ‘soft launch’, where only one to three selected security testers are allowed access.”

“This will make it more controlled and even if there are many vulnerabilities they will come in at a lower pace and fewer will know about them. But the test will not be as in-depth as one where the whole crowd has access,” he added.

Banks should not shy away from vulnerability reward programmes just because of the nature of their business, Storm argued.

“Banks or similar should be careful, but the fact is they already are exposed. They can then choose to hope that they will find all vulnerabilities in-house or they can choose to also run a programme with high rewards, to make sure that IF a vulnerability is found, people have an incentive to report it instead of exploiting it,” Storm said.

CrowdCurity’s current client roster includes Bitcoin exchanges, which “fit the bill of companies with a lot to lose”, and Bitcoin and merchant intermediaries. Apart from Bitcoin businesses, “we see a potential in targeting established startups, small and medium sized businesses who find it too expensive to hire pentest/security consultants by the hour and want the benefits of running a bug bounty programme, but who do not have the resources like Google and Facebook to handle it in-house,” Storm explained.

Other early clients include software-as-a-service firms within HR, logistics and CRM.

More details of how the scheme works can be found in a FAQ and video available on CrowdCurity’s site here.

Businesses only pay out for the vulnerabilities they approve, with rewards largely pitched in the $100-$1,000 bracket. CrowdCurity takes a 20 per cent service fee for each reward. This sort of incentive is not going to attract elite testers but it might well be of interest to Reg readers, who not infrequently tell us about cross-site scripting and SQL injection flaws on websites.

Whether they get a reward or not would, of course, depend on whether the site involved is signed up to CrowdCurity’s scheme. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/22/crowdsource_bug_bounty_scheme/

Financial Services Industry Proposes Security Controls For Third-Party, Open-Source Software

The financial services industry has come up with a proposed strategy for deploying third-party software, including open source, and services securely in financial institutions.

Members of a working group of the FS-ISAC (Financial Services Information Sharing and Analysis Center) this week proposed three basic security controls for ensuring the security of third-party software used by financial services firms: a vendor-focused Building Security In Maturity Model (BSIMM) assessment; binary static analysis; and policy management for open source software libraries and components.

“What we’re doing here is adding some controls that are based on knowledge [larger financial institutions] have obtained in software security maturity … and adding those to third party software governance,” says Jim Routh, CISO at Aetna, and a member of the FS-ISAC Product Services Committee who worked on the proposed controls.

The growing threats to Web-based applications and emerging mobile apps were factors in the development of the software security requirements for third-party software used in the financial services industry, he says. And vulnerabilities and weaknesses in third-party software and open-source software have increasingly become a concern for enterprises adopting those elements into their applications and systems.

“Software security controls are an integral part of building high quality software,” the FS-ISAC’s “Appropriate Software Security Control Types for Third Party Service and Product Providers” white paper says. A working group made up of executives from Fidelity, Morgan Stanley, Goldman Sachs, Capital One, Thomson Reuters and Citi, worked on the controls.

[While there is certainly room for improvement, the software vendor and financial services communities are making a steadily improving progression in maturing their software security practices. See Software Security Maturity Plods Along.]

Aetna’s Routh says the Vendor BSIMM, vBSIMM, is basically a subset of BSIMM, a study of actual secure software development programs at companies that lets other companies measure their own efforts against those of their counterparts. vBSIMM is a way to measure the maturity of software security at vendors selling to the financial industry. “This is a better indicator of risk,” Routh says.

Scanning binary code in software provides a vulnerability density score for a particular version of software at a specific point in time, Routh says. Software firms selling to the financial services industry would therefore, for example, have their binary code scanned by HP Fortify or Veracode, both of which provide that type of software vulnerability scanning.

“The results of the scans would be shared with the financial industry,” Routh says. “Today, the model is the financial [firms] paying for that,” but Veracode, for instance, has a program that in the future would shift that cost to the vendors, he says.

Third-party software and services vendors would then share the cost of one assessment for multiple financial services clients, he says. The same goes for vBSIMM: “If I am a software vendor and do a BSIMM assessment, that same assessment is shared with many of my clients.”

The open-source policy management control, meanwhile, helps financial industry firms ensure their developers are using the newest versions of open-source software, as well as more reliable and resilient libraries.

“Today, 80 to 90% of custom development uses open-source libraries to build an application,” Routh says. “And 26% of the most commonly downloaded open-source libraries are riddled with high-risk vulnerabilities.”

Policies would enforce using reliable sources for open-source software and ensuring that only the most current versions are used.

Still, the FS-ISAC won’t be enforcing the recommended security policies for third-party software and services. “The working group is saying this has been a problem for some time and there are no easy answers or quick fixes. But these controls should be considered to be adding to third-party [software] governance,” Routh says.

“We’re looking at standardizing on a set of controls that improve risk management across the [financial services] industry, and also make it easier on vendors at the same time,” he says.

The FS-ISAC working group’s white paper, “Appropriate Software Security Control Types for Third Party Service and Product Providers,” is available here (PDF) for download.

Article source: http://www.darkreading.com/vulnerability/financial-services-industry-proposes-sec/240164193