STE WILLIAMS

KnowBe4 Says Lack Of Security Training Equals Serious Legal Liability

(Tampa Bay, FL) November 18, 2013–Cybercrime has been branded the number one threat to United States security–although the number of cybercrime victims declined in 2013, the cost per victim has increased 50%, bringing the global total to a staggering $113 billion (1). As the costs of data breaches continue to skyrocket–and businesses expose themselves to potential class-action lawsuits on behalf of third parties–Internet security awareness training firm KnowBe4 (http://www.knowbe4.com/) warns small and medium-sized enterprises (SMEs) to effectively arm themselves against cyber-attacks before litigation ensues; KnowBe4 says that security awareness training triples the chances of an organization being able to decrease its phishing problems.

Recent studies show that over the past four years, cybercrime costs have climbed by an average of 78%, while the time required to recover from a breach has increased 130%:

● In the United States alone, the annual cybercrime cost seen by the 60 businesses studied ranged from $1.3 million to more than $58 million and averaged $11.6 million per company–an increase of $2.6 million from 2012.

● The average cost of cleaning up after a single successful attack was $1 million (2).

But the costs of correcting data breaches are no longer the only cause for concern–the legal consequences, such as class-action lawsuits on behalf of third parties affected by such cyberattacks, are a growing worry of business owners. Businesses–specifically those that guard individuals’ personal information, such as banks and data brokers–have become a likely target for consequential litigation in the aftermath of security breaches.

Case in Point:

Identity thieves posed as customers to steal more than 160,000 consumer records from data broker ChoicePoint. After the information theft was publicly announced, ChoicePoint paid out some $45 million as a result of the breach, and in the process effectively created a new source of liability for organizations nationwide (3).

Stu Sjouwerman, founder of KnowBe4, maintains that businesses can effectively bypass the financial burden of data breaches by implementing Internet security awareness training (http://www.knowbe4.com/) designed to teach employees to recognize and avoid potential “hack-attacks.”

“Antivirus software cannot keep up with the sophisticated tactics of professional hackers, and should not be depended upon as a reliable means of defense,” Sjouwerman said. “Internet security training has proven to work by lessening the chances of a successful cyberattack.”

Sjouwerman says that the best defense is to think like a hacker, as phishing and social engineering tactics become increasingly sophisticated and difficult to detect. KnowBe4 collaborated with Kevin Mitnick, once known as the “World’s Most Wanted Hacker,” to develop Kevin Mitnick Security Awareness Training (http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/), a product designed to help organizations defend against even the most advanced network security breaches.

But even as cybercriminals constantly refine their techniques, KnowBe4 recently announced that an upgraded Kevin Mitnick Security Awareness Training program is in the beginning stages, and will be unveiled in 2014. The program is interactive and web-based, with case studies, live demonstration videos and short tests.

Sjouwerman’s authority was confirmed by a study conducted by Osterman Research, which specializes in conducting market research for IT and technology-based companies. Sjouwerman classified five types of security awareness training that organizations commonly implement:

1. The Do-Nothing Approach: The organization conducts no security awareness training.

2. The Breakroom Approach: Employees are gathered during lunches or meetings and are told what to look out for in emails, web surfing, etc.

3. The Monthly Security Video Approach: Employees are shown short videos that explain how to keep the organization safe and secure.

4. The Phishing Test Approach: Certain employees are pre-selected and are sent simulated phishing attacks; IT determines whether they fell prey to the attack; and those employees receive remedial training.

5. The Human Firewall Approach: Everyone in the organization is tested; the percentage of employees who are prone to phishing attacks is determined; and then everyone is trained on major attack vectors. Simulated phishing attacks are sent to all employees on a regular basis.

The research found that KnowBe4’s security awareness training (http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/) program, categorized as a “human firewall approach,” not only increased confidence in employee capability to distinguish phishing attempts and malware, but also nearly tripled the chances of an organization decreasing its phishing problem.

KnowBe4’s client base is comprised of over 300 customers, 42% of whom are banks and credit unions, and all of whom have successfully reduced the rate of employees clicking on spear-phishing links by up to 80% or more.

For more information about KnowBe4 and its services, contact KnowBe4 online at www.knowbe4.com.

About Stu Sjouwerman and KnowBe4:

Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Security Awareness Training to small and medium-sized enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced security awareness training. He and his colleagues work with companies in many different industries, including highly-regulated fields such as healthcare, finance and insurance. Sjouwerman is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.

Article source: http://www.darkreading.com/management/knowbe4-says-lack-of-security-training-e/240164043

VASCO Provides SDK For Application Developers Looking For 360 Degree Security

OAKBROOK TERRACE, Ill., and ZURICH, Nov. 18, 2013 — VASCO Data Security International, Inc. (Nasdaq: VDSI) (www.vasco.com), a leading software security company specializing in authentication products and services, today launches its DIGIPASS for Application Perimeter Protection SDK (DIGIPASS for APPS), a software development kit providing application developers with a cross-platform programming environment to secure their (mobile) applications.

DIGIPASS for APPS offers a comprehensive set of features giving application developers all necessary building blocks to secure their application at every level. The solution allows native integration of strong authentication with one-time passwords and e-signatures ensuring a secure login or transaction signing process.

Additionally, DIGIPASS for APPS offers unique features to secure the environment in which the application resides, such as jailbreak and rootkit detection and geolocation. The software development kit also provides a secure channel to ensure end-to-end encryption of business-critical data where relying on mainstream technologies like HTTPS may not be enough. The secure channel offered by DIGIPASS for APPS can encrypt virtually anything, such as text, photos or QR codes.

Furthermore, DIGIPASS for APPS enables application developers to streamline and manage the entire provisioning, deployment and lifecycle process, offering several options for end-user activation and device-binding features that link a user to a specific device. The solution also provides for end users to use multiple devices for one application with a single license.

Highlights of DIGIPASS for APPS include:

● native integration of strong authentication (one-time passwords and e-signatures) into applications

● extended set of provisioning options

● patented CrontoSign technology, supporting an extended list of QR codes and barcodes

● support for geolocalized OTPs and e-signatures

● jailbreak and rootkit detection

● device binding

● secure storage

● out-of-band login support

● multi-device capabilities

● available for the most common programming environments, including iOS, BlackBerry (including the latest BlackBerry 10 versions), Android, Windows Phone, Java and Windows, with comprehensive programming samples

● fully customizable, overcoming GUI issues

● requires no cryptographic skills, reducing integration effort

“The mobile ecosystem is a rapidly growing platform for delivering a wide variety of services, including applications that demand high levels of security such as finance and e-commerce platforms,” says Jan Valcke, President and COO of VASCO Data Security. “DIGIPASS for APPS allows application developers to protect the entire application, be it banking or commercial applications, in a single software development kit. As such, the solution offers valuable and unique resources for application developers looking for 360-degree security.”

VASCO will demonstrate its SDK and mobile solutions at Cartes on November 19, 20 and 21 in the Paris-Nord Villepinte Exhibition Center (hall 4, booth no. J 027).

More information on DIGIPASS for APPS can be found on VASCO’s website:

www.vasco.com/DIGIPASS_for_APPS

About VASCO

VASCO is a leading supplier of strong authentication and e-signature solutions and services specializing in Internet security applications and transactions. VASCO has positioned itself as a global software company for Internet security serving a customer base of approximately 10,000 companies in more than 100 countries, including approximately 1,700 international financial institutions. VASCO’s prime markets are the financial sector, enterprise security, e-commerce and e-government.

Article source: http://www.darkreading.com/mobile/vasco-provides-sdk-for-application-devel/240164045

Doomsday Prepping Your Business

I don’t watch much television, but I’ve stumbled a few times upon a popular show called “Doomsday Preppers.” If you are unfamiliar with it, it is a reality show where people explain how they think the world will fall into chaos and their corresponding preparation efforts will ensure their survival.

Every time I watch, I have the same thought: “If real disaster strikes, these people are going to die.”

It’s not that they haven’t given serious thought to a number of problems or are not serious in their preparations. My issue is they all seem to make two mistakes I commonly see many businesses make.

First, both become so focused on only one or two specific risks that they create an inflexible plan that only works if the disaster occurs EXACTLY as they envisioned it.

And second, in convincing themselves how ingenious their preparations have been, they ignore or dismiss many other significant risks because they, well, feel “prepared.” They have sold themselves on the idea that they are prepared.

For example, even after Hurricane Katrina flooded New Orleans, many coastal New Yorkers still had generators set up in their basements years later when Hurricane Sandy arrived there.

Let’s look at this from a survivalist viewpoint and then from a business point of view. Consider a man living in a typical metropolitan area. Among his many supplies, this man has stockpiled one hundred thousand rounds of ammunition to defend his family and food from desperate, starving refugees (or zombies).

In reality, long before he has the opportunity to use much of his ammunition, he’ll have run out of fresh water. Once his stockpile is depleted, he will be forced to leave the city, likely on foot. Unfortunately, his bunker is not portable, and in order to acquire something as fundamental as drinking water, he has rendered his entire fortress pointless.

Many business organizations are like the preppers on this show. They focus on selected risks, ignore greater risks, and forget to have their solutions designed for adaptability.

I see organizations that have significant physical defenses — electronic locks, cameras, expensive firewalls, and maybe even armed guards at the door — yet a single employee with a thumb drive can walk out the door with enough information to steal (and sell) thousands of their clients’ IDs. And the company will never know it happened.

We have even seen businesses take compliance and security to such extremes that it creates new risks. If your organization requires users to learn new passwords every sixty days that resemble “Ry#394Wee9,” then your organization ignored one crucial part of security: the human component.

IT departments that use this tactic essentially force all employees to write their passwords on Post-It notes and put them all over their desks. It may have felt secure to someone in IT who thought only about computers and not people, but the result is an incredibly vulnerable company. Too much focus on selected risks.

Can you prepare for every possible risk, threat, or disaster? Of course not. Even if you could, it would not make financial sense. Likewise, should you simply give up, and adopt the opinion that it is impossible to ever be truly secure and compliant? No, there is still incredible value in reasonable security and compliance plans and actions.

What you must do is be sure your plans for security, disaster response, and compliance are all adaptable. Have the basics covered, check and update them regularly, and then be sure your plans focus on responding quickly to problems, not merely on anticipating the few problems you were able to dream up.

Glenn S. Phillips does not own a zombie assault vehicle. He is the president of Forte’ Incorporated, where he works with business leaders who have finally realized they need to understand the hidden risks awaiting them. Glenn is the author of the book Nerd-to-English, and you can find him on Twitter at @NerdToEnglish.

Article source: http://www.darkreading.com/compliance/doomsday-prepping-your-business/240164046

BeyondTrust Launches BeyondSaaS

San Diego, CA, November 18, 2013 – BeyondTrust, the security industry’s only provider of Context-Aware Security Intelligence, today announced the release of BeyondSaaS, an easy-to-use, cost-effective cloud-based vulnerability assessment scanning solution. This new offering enables customers to achieve PCI DSS compliance by scanning externally facing webpages and IP addresses for vulnerabilities. BeyondSaaS simplifies the entire vulnerability management process by allowing an organization to rapidly assess public-facing assets and manage all of the job scheduling, reporting and results using the latest web browser technology.

“Dynamic IT environments coupled with increasingly sophisticated attack methods make it imperative that organizations have the ability to look at IT assets outside the protection of their firewalls,” said Brad Hibbert, executive vice president of product strategy and operations at BeyondTrust. “BeyondSaaS provides a unique perspective of assets as they appear on the Internet and as attackers may view them from any browser, tablet, or smartphone.”

BeyondSaaS is highly cost-effective requiring no hardware or software, as assessments are made completely from the cloud on a scheduled or ad-hoc basis. With this new offering, customers no longer need to use expensive and complex third party scanners that produce overwhelming results. BeyondSaaS comes fully configured with the industry’s most respected and validated security scanner, the Retina Network Security Scanner, to help efficiently identify IT exposures and prioritize remediation company-wide. BeyondSaaS is immediately available for purchase. For more information, please visit: http://go.beyondtrust.com/beyondsaas?src=prs

“With the release of BeyondSaaS, BeyondTrust is providing a trusted hands-free approach to vulnerability management and regulatory compliance with a higher degree of accuracy and a lower annual cost,” said Kevin Baker, principal at Innovative Management LLC.

BeyondSaaS is designed to meet the stringent external scanning requirements of PCI, SOX, GLBA, and other regulatory compliance initiatives. The new offering is fully automated and enables organizations to achieve PCI DSS compliance with complete vulnerability assessment and web application scanning. While providing automated PCI compliance of external devices and assets, BeyondSaaS also enables automated asset discovery to ensure accurate PCI scoping and reporting in the proper format for PCI DSS submission with merchants.

BeyondSaaS features also include:

● Integrated Microsoft Live authentication

● Web application assessment

● Vulnerability assessment

● Management from any tablet or mobile device

● Simplified whitelisting of scan engines in the cloud

● Unlimited assessments per asset

BeyondTrust CTO Marc Maiffret and Senior Director of Program Management Morey Haber will host two public webcasts on Thursday, November 21st to showcase the BeyondSaaS technology through a live demo and answer questions from the audience.

To register for the webcast on Thursday, November 21st at 2pm GMT/9am ET, please visit: https://www1.gotomeeting.com/register/728636960

To register for the webcast on Thursday, November 21st at 1pm ET/10am PT, please visit: https://www1.gotomeeting.com/register/514363329

Article source: http://www.darkreading.com/privacy/beyondtrust-launches-beyondsaas/240164048

Apple’s iOS 7.0.4 fixes a “too easy to buy stuff” security flaw

If you’re an avid iDevice user, you’ve probably already received Apple’s fourth bug-fix release of iOS 7, unsurprisingly named 7.0.4.

At an average of one update every two weeks since iOS 7 launched in September 2013, you might view this as a sign that Apple’s code quality has gone down, following the argument that more vulnerabilities needing patching must mean worse code.

We often hear this argument trotted out against other software vendors, with a count of known vulnerabilities used as an inverse measure of security.

On the other hand, you might view it as a sign that Apple is becoming more responsive to security issues by pushing out updates quickly, rather than waiting to bundle multiple fixes into a single patch.

Obviously, well-written software without security holes will never need updates, and will therefore rack up zero patches.

But it doesn’t work the other way around.

You can’t make poorly-written software secure by neglecting, or even refusing, to publish patches for it, so a low patch count can’t be used as a quality metric on its own.

And don’t forget that exploit-finding is now worth money, sometimes big money, so vulnerability counts are likely to rise, all other things – including software quality – being equal.

A lot of the coverage for the iOS 7.0.4 update has focused on a non-security bug fix in FaceTime, but there’s also an officially-listed security patch:

App and In-App purchases may be completed with insufficient authorization.

Description: A signed-in user may be able to complete a transaction without providing a password when prompted. This issue was addressed by additional enforcement of purchase authorization.

As far as we can tell, this flaw doesn’t mean that you can buy stuff on someone else’s dime without knowing their password.

But it could allow purchases on your device to be approved unexpectedly (or unscrupulously), so it’s good to have it fixed.

Many users probably already have the update, or will want to grab it promptly.

The only users left in uncertainty here are those who are hoping to jailbreak their iOS 7 devices some time in the future.

The irony, of course, is that jailbreaking relies on experts finding an exploitable vulnerability that can be used to liberate your iPhone or iPad from Apple’s strict lockdown.

Word on the street seems to be that a jailbreak for iOS 7 is likely soon, and will probably work against versions up to iOS 7.0.3.

But Apple might quietly have found the same hole that the jailbreakers are working away at, and have fixed it in iOS 7.0.4.

Once you upgrade, you can’t – or you’re not supposed to be able to – downgrade, which is Apple’s way of stopping you jailbreaking newer iOSes by reverting to the buggy ways of older versions.

Some hackers are saying “not to worry,” because the changes in 7.0.4 are minor enough that they shouldn’t make any difference to the current progress towards iOS 7 “freedom.”

Until they’re sure iOS 7.0.4 is jailbreak-safe, though, some avid jailbreakers are likely to wait.

It’s a pity that Apple won’t embrace the jailbreaking community: Naked Security readers certainly seem to think they should.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XF_5TSVHAxQ/

New York Times hackers linked to Japan Ichitaro attacks


Security experts have uncovered attacks exploiting a zero-day vulnerability in Japan’s most popular word processing software, bearing all the hallmarks of a Chinese group blamed for last year’s New York Times hack.

Ichitaro developer, JustSystems, announced a remote code execution vulnerability in multiple versions of the software last week.


Symantec has claimed, in a blog post, that it had already detected attacks in the wild attempting to exploit this vulnerability, which could lead to the execution of arbitrary code on a victim’s machine.

These attacks feature the same backdoor, identified as Backdoor.Vidgrab, that was spotted in an attack exploiting the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893). Redmond patched that up last month.

Symantec continued:

It is reasonable to assume that the same malware group, or another group with close connections, is behind the attacks that utilised the Internet Explorer and Ichitaro vulnerabilities. Backdoor.Vidgrab is known to be used to target the Asia-Pacific region with government sectors being the primary targets according to TrendMicro. Symantec telemetries do not dispute this claim.

In the attacks spotted by Symantec, malware is hidden in an email attachment, as per a classic advanced persistent threat campaign, but is slightly unusual in that the content is a spoof marketing email from a popular Japanese e-commerce site, with the attachment taking the form of a virtual flyer.

A variant of the Trojan.Mdropper seen in the Ichitaro attacks was spotted by Symantec back in June. It attempts to download malware from a server associated with APT12, a Chinese cyber-crime group pegged by Mandiant for attacks on the New York Times last year.

Symantec has a couple of theories about the Ichitaro attacks:

The attackers, possibly belonging to the APT12 group who may have also developed Backdoor.Vidgrab, are persistently targeting similar, if not the identical, targets by attempting to exploit Ichitaro. The attackers may also be using the targets as guinea pigs to test if the exploit code works properly. The attack may also be a precursor: the attackers could have run the tests in order to find effective email contents and subject lines, for example, that are enticing enough to lure targets into opening the malicious attachment.

JustSystems has released a patch for the remote code execution vulnerability, which Ichitaro users are urged to apply. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/18/new_york_times_hackers_linked_to_japan_ichitaro_attacks/

Infosec bods scorn card-swiping Coin over security fears


All-in-one digital payments start-up Coin has issued a robust defence of its technology following criticism from an infosec firm.

Coin offers a single combined credit/debit/loyalty/store card that’s paired with a user’s mobile phone. The Coin app requires that you take a picture of the front and back of the card, type in your card details, and then swipe the card (using a reader it provides) to ensure the card’s encoded magnetic stripe data matches the card details provided.


It is not possible to complete these steps unless you are in physical possession of a card – see video below for an explanation of how the technology works.

However, security researchers at IOActive fear the technology inadvertently creates new avenues for abuse, in particular by opening the door to more potent skimming attacks.

Wim Remes, managing consultant for IOActive, explained: “Coin seems like an interesting idea, presented as a technology that simplifies how we use cards with magnetic stripes today. In essence, however, it also offers itself as a personal skimming device. From the information currently available about Coin, most of the security features that the inventors have implemented appear to be opt-in. Beyond a Bluetooth connection with a mobile phone it is to be assumed there are no further authentication features in the technology.”

“At first glance there are abundant possibilities for abuse. For example, a person that gets temporary access to your Coin device would be capable of recording magnetic stripe data from all the cards stored on it. Most cards currently get skimmed in retail environments and it is not too difficult to track down where a card got compromised. With Coin, however, a user could present a debit card that will get correctly charged while the credit card can be skimmed after the attacker has pushed the Coin button to select another card. You give an attacker your entire wallet, without any controls, instead of a single card,” he added.

In response to El Reg’s query, Coin acknowledged skimming was still an issue but maintained its technology was actually less at risk from skimming than conventional mag-stripe cards.

“A Coin is less susceptible to some card skimming techniques that take a picture of the card as it is swiped since Coin does not display the full card details on the front or back of the device,” said the company. “A Coin is no less susceptible than your current cards to other forms of skimming that capture data encoded in the magnetic stripe as the card is swiped. Also, you can only add cards that you own to your Coin.”

Remes contended that any technology based on magnetic stripes was no longer suitable for credit or debit cards and that technology based on the harder-to-clone Chip and PIN technology was preferable.

“At best, the technology seems fit for low-value reward cards but definitely not for credit or debit cards. The fact of the matter is that in a world where card fraud is still running rampant, we should focus on the adoption of EMV [Europay, MasterCard and Visa] technology rather than making the use of magnetic stripe cards easier,” he concluded.

For now at least, Coin only works with magnetic-stripe-only cards. Chip and PIN (EMV smart cards) has been standard in Europe since 2005, but the technology has only just been introduced in the US and is not expected to be the de facto standard for point-of-sale retail terminal transactions until October 2015. The technology was also recently introduced in the Asia-Pacific region.

This means that Coin is attempting to address a market for technology that’s only really useful in the US, and perhaps only over a small time period at that; measurable in months rather than years.

Coin’s card-swiping tech, which costs $100 and is only initially available in the US, will only ship in summer 2014.

In an FAQ, Coin said it plans to adapt its technology to support EMV smart cards.

Coin is currently designed for the U.S. market and does not support Chip and PIN (EMV), however, future generations of the device will include EMV.

Coin promo video

IOActive is far from the only security firm to raise a quizzical eyebrow at Coin, with others focusing on the digital certificate and cryptography used on its websites and other factors. Coin contends it has all these bases covered.

Maintaining the integrity of your Coin’s data is critical to your peace of mind. That’s why our servers, mobile apps and the Coin itself use 128-bit or 256-bit encryption for all storage and communication (http and bluetooth). Additionally Coin can alert you in the event that you leave it somewhere.

In the event that your Coin loses contact with your phone for a period of time that you configure in the Coin mobile app, it will automatically deactivate itself. Your Coin account is password protected and the mobile app requires that you type in your password before you can access sensitive card details.

Currently you cannot lock your Coin, but you don’t have to. Coin will automatically deactivate if it loses contact with your phone for a period of time that you configure in the Coin mobile app.

Mike Davis, principal research scientist for IOActive, has mixed feelings about Coin’s use of radio connection technology.

“The use of BLE (Bluetooth Low Energy) is technologically the perfect choice for Coin, as the company can use super thin and flexible lithium polymer batteries, and eInk displays enabling users to get years of battery life out of a device,” Davis explained. “And that’s even before broaching the subject of inductive charging.”

“Security-wise there are a few issues,” Davis warned. “While the BLE specification does include encryption, few, if any devices have implemented it yet. Additionally, BLE has known issues when it comes to secure pairing and the only secure method ‘Out of Band’ may not be a realistic option for a product like Coin,” he added.

Coin submitted its technology for certification under the PCI DSS payment industry regulatory standard. A device such as a Coin is seen as similar to a payment card in a consumer’s wallet so the PCI Security Standards Council’s separate certification for payment applications (PA-DSS) is not applicable to Coin. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/18/coin_scorned/

TrueCrypt audit project founder: ‘We’ve set our sights high’


Interview: A TrueCrypt audit project has uncovered a well of technical support with its plans to publicly audit the widely used disk and file encryption utility for the first time.

TrueCrypt is a widely used utility that encrypts and decrypts entire drives, partitions or files within a virtual disk. The tool can also hide volumes of data on discs.


The TrueCrypt audit project raised enough money to pay for a professional review of the software within days of its launch. The Register recently caught up with one of the two founders of the project – Kenneth White, principal scientist at biotechnology firm Social Scientific – to find out more about where the project goes from here.

The Reg: You’ve achieved your early funding goals but will carry on accepting donations because there’s much more you’d like to do, such as the bug bounty?

Kenneth White: On IndieGoGo, you have to set a funding time range, so the 60 days was arbitrary, and, at the time we thought $25,000 was a pretty ambitious stretch goal. It turns out we hit that target in the first four days of the campaign.

But yes, we’ve set our sights high in terms of what we would like to accomplish. We have formed a technical advisory panel and are discussing different strategies to make best use of our funding, perhaps a combination of professional security engineering analysis, academic review and public research.

We are also in talks with a couple of non-profits who have offered to co-sponsor the work, but several details [need] to be worked out.

The Reg: Are there any historic precedents for your project? Do you think the same idea could be applied to evaluating other security packages? I understand that you want to do TrueCrypt first but am wondering if this type of kick-starter idea might be applied to other security projects, by yourself or others, in future?

White: The closest with TrueCrypt was the 2008 review by engineers working with privacy-cd.org.

But more broadly, the best model we have seen – and [one which we] hold as our standard – is the recent public review (PDF) of SecureDrop by the University of Washington CS Engineering Department, along with Bruce Schneier and Jacob Applebaum.

The Reg: A security researcher has compiled TrueCrypt 7.1a for Win32 and matched the official binaries. Xavier de Carné de Carnavalet, a master’s student in information systems security at Concordia University, Canada, claims he achieved what few others have managed so far. I know confirming the Win executable matches the source code was one of your goals. So does Xavier’s work satisfy this or is further confirmation needed? Is Xavier affiliated with yourselves?

White: It’s a necessary first step, and we were impressed by Xavier’s work. He’s not affiliated, but has offered to help. He’s a very talented engineer, and very humble.

The Reg: What does the future hold?

White: With the recent NIST recall and subsequent third party review of their entire “body of existing cryptographic work”, I suspect there will be many more stories to come. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/18/truecrypt_audit_founder_qanda/

Modeling Users And Monitoring Credentials Prevents Breaches

Legitimate user credentials are the digital lifeblood of attackers looking to compromise a network. With valid credentials, attackers can infiltrate a target network, elevate their privileges to gain access to more sensitive data, and take control of critical systems.

To combat attackers’ ability to use stolen credentials, companies need to model the behavior of every user–especially those people, such as system administrators, with access to privileged accounts. Using that baseline, businesses can detect whether the use of a credential falls outside of what is typical or allowed by policy, says Philip Lieberman, president of Lieberman Software, a privileged-account management provider.

“You have to look at, not only what a person can do and who they are, but to look at their behavior and whether that behavior has become risky,” Lieberman says. “Then, you can respond to a high risk score by shutting down the account, if the behavior of the user is becoming anomalous.”

At the Cloud Security Alliance (CSA) Congress in December, Lieberman and industry experts will discuss how authentication can be used to better secure cloud services and network infrastructure from attack. The fundamental problem is that few companies have a good idea of how many privileged-user credentials are in existence, where they are stored and whether an account is still necessary for business, he says.

Companies typically have three or four privileged accounts per employee, most of which are not monitored or managed by the business, according to a recent survey by CyberArk, a privileged-account security firm. Finding those accounts and monitoring their access is critical to heading off insider attacks and more persistent external attackers, says John Worrall, chief marketing officer for CyberArk.

“The advanced threat from the outside really goes south for [companies] once the attackers compromise an insider’s privileged credential,” he says. “So you really want to have real-time monitoring of behaviors, then you can build these profiles of what is expected.”

Similar to financial firms tracking credit-card usage, monitoring behavior allows companies to determine whether an employee’s account exhibits irregular behavior. Logging in from a different country, outside of work hours or to several accounts in one session, are all likely signs of compromise, Worrall says.
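The baseline-and-score approach Lieberman and Worrall describe, as an added example that is not code from the article or from either vendor: it builds a per-user profile from constructed login events, then scores a new session on the three signals named above (new country, outside work hours, several accounts in one session) and maps a high score to the response Lieberman mentions. The work-hours window, the weights and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login events: (user, ISO timestamp, country, account used).
# Illustrative values only; not data from the article.
BASELINE = [
    ("alice", "2013-11-04T09:12:00", "US", "alice"),
    ("alice", "2013-11-05T10:30:00", "US", "alice"),
    ("alice", "2013-11-06T14:05:00", "US", "alice-admin"),
    ("alice", "2013-11-07T16:45:00", "US", "alice"),
]
NORMAL_SESSION = [("alice", "2013-11-18T09:30:00", "US", "alice")]
SUSPICIOUS_SESSION = [
    ("alice", "2013-11-18T03:10:00", "RO", "alice"),
    ("alice", "2013-11-18T03:14:00", "RO", "alice-admin"),
    ("alice", "2013-11-18T03:20:00", "RO", "svc-backup"),
]

WORK_HOURS = range(7, 20)  # assumed policy: 07:00-19:59 local time


def build_profiles(events):
    """Per-user baseline: the countries and accounts seen in normal use."""
    profiles = defaultdict(lambda: {"countries": set(), "accounts": set()})
    for user, _ts, country, account in events:
        profiles[user]["countries"].add(country)
        profiles[user]["accounts"].add(account)
    return profiles


def score_session(profile, session):
    """Score one user's session against their profile; return (score, reasons).
    Weights are assumed for illustration."""
    score, reasons = 0, []
    if not {e[2] for e in session} <= profile["countries"]:
        score += 3
        reasons.append("login from country not in baseline")
    if any(datetime.fromisoformat(e[1]).hour not in WORK_HOURS for e in session):
        score += 2
        reasons.append("login outside work hours")
    if len({e[3] for e in session}) > 1:
        score += 2
        reasons.append("several accounts used in one session")
    return score, reasons


def respond(score, threshold=4):
    """Map a risk score to an action (threshold is an assumption)."""
    return "disable account and alert" if score >= threshold else "allow"
```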


In addition, companies should look at their password policy and work to limit privileged access, says Lieberman. A single user should not be logged into their privileged account while doing day-to-day work. Rather, they should have to elevate privilege only when necessary. Taking that approach limits the exposure of that particular user and the account credential, he says.

“This is a matter of behavior, not a matter of technology,” he says. “We have to spend a lot of time on training the behavior of our customers, to operate their business in a sane way that gives them some resiliency.”

Companies also need to survey their usage of privileged accounts, searching for default passwords, backdoor accounts, accounts for workers no longer employed by the company, and accounts that are rarely, or never, used.
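A privileged-account survey of the kind just described, as an added example that is not code from the article or from any vendor named in it: it runs over a constructed inventory and flags each of the four conditions (default password, no accountable owner, departed owner, never or rarely used). The default-password list, staff roster, account records and the 90-day staleness window are all constructed assumptions.

```python
import hashlib
from datetime import date


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed vendor-default list, current staff roster and account inventory.
# Illustrative values only; the inventory stores an unsalted SHA-256 for brevity.
DEFAULT_PASSWORDS = {sha256(p) for p in ("changeme", "admin", "password")}
CURRENT_STAFF = {"alice", "bob"}
ACCOUNTS = [
    {"name": "alice-admin", "owner": "alice", "pw_hash": sha256("c0rrect-h0rse-b4ttery"), "last_login": "2013-11-15"},
    {"name": "bob-admin",   "owner": "bob",   "pw_hash": sha256("changeme"),              "last_login": "2013-11-10"},
    {"name": "carol-admin", "owner": "carol", "pw_hash": sha256("x7!Qp9#zL"),             "last_login": "2013-06-01"},
    {"name": "svc-legacy",  "owner": None,    "pw_hash": sha256("admin"),                 "last_login": None},
]


def audit(accounts, staff, defaults, today, stale_days=90):
    """Return {account name: [issues]} for every account that needs attention."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct["pw_hash"] in defaults:
            issues.append("default password")
        if acct["owner"] is None:
            issues.append("no accountable owner (possible backdoor)")
        elif acct["owner"] not in staff:
            issues.append("owner no longer employed")
        if acct["last_login"] is None:
            issues.append("never used")
        elif (today - date.fromisoformat(acct["last_login"])).days > stale_days:
            issues.append("rarely used")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS, CURRENT_STAFF, DEFAULT_PASSWORDS, date(2013, 11, 18)).items():
        print(f"{name}: {', '.join(issues)}")
```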

Companies also can work with their authentication provider to use the most appropriate type of security for privileged accounts. Mobile authentication provider Nok Nok Labs can query a mobile device and attempt to use the strongest possible type of authentication, a technique that helps secure the cloud service from attackers, says Brendon Wilson, director of product management for Nok Nok Labs.

“There is a bunch of advanced capabilities on mobile devices–increasingly secure chips and secure elements–all of these things can be used to make the authentication piece stronger, whether for an enterprise, a consumer business, or a Web service,” he says.

Yet companies cannot just rely on strong authentication to keep out attackers. They have to assume the attackers are already inside their perimeters, says Lieberman of Lieberman Software.

“If you wake up every day knowing that someone is in your systems, and you shouldn’t stop looking for them, then I think you have a pretty good chance of preventing a breach,” he says.


Article source: http://www.darkreading.com/monitoring/modeling-users-and-monitoring-credential/240164024

Startup Firm Attacks Mobile Security Problem With Network-Based Offering

A startup company today launched a range of new services that attack the enterprise mobile security problem where it lives: in the network.

Mojave Networks, an emerging player in the mobile security space, launched new services, a new name, and a new round of funding on Monday. The company is delivering a cloud-based service that requires no equipment on the enterprise premises and can be set up via the Mojave website in about 10 minutes, according to the firm.

“The problem with most of the solutions that are out there is they do security at the device level, not at the network level,” says Garrett Larsson, co-founder and CEO of Mojave Networks. “We’re offering a service that can secure all the devices at the enterprise level — we can also tell you how people are using their devices, what cloud services they are using, take inventory of the devices that connect to your network, and wipe them clean if they are lost or stolen.”

Originally introduced as Clutch Mobile in August of 2012, Mojave Networks has received $5 million in funding from Bessemer Venture Partners and changed its name in a more aggressive go-to-market strategy.

Mojave’s new services include Web and network security, data loss prevention, mobile application security and access control, and mobile usage reporting and analytics.

A network-based solution could make it easier for enterprises to solve the bring-your-own-device (BYOD) problem, in which employees and contractors bring an increasingly diverse array of devices that must access sensitive corporate data, Larsson says.

“The device-level approach doesn’t work well in BYOD, because there are so many devices and each one has its own approach to security,” Larsson says. “We’re handling it on a network level and we can enable it on a wide range of devices, so if a user downloads malware or goes to a phishing site, we can respond more quickly.”

A network-based approach may also help enterprises respond to more sophisticated attacks that begin at the mobile device, Larsson says. “We can see when mobile malware is being downloaded, and we can see when employees might be uploading data to non-company email addresses,” he says.

Mojave’s approach will work better than the current base of mobile device management (MDM) products, predicted David Cowan, Bessemer partner and founder of VeriSign and Good Technology, who recently joined the Mojave Networks board.

“MDM really stands for Malware-infected Device Management, because you can’t run robust security clients on a smartphone,” Cowan says. “We [Bessemer] spent a year evaluating cloud-based approaches to securing corporate and BYOD smartphones, and found Mojave’s team and technology is best positioned to meet the exploding demand for enterprise-grade mobile security.”


Article source: http://www.darkreading.com/services/startup-firm-attacks-mobile-security-pro/240164031