STE WILLIAMS

Warrantless GPS tracking of vehicles is unconstitutional, US court rules

Attaching a GPS to a car without a search warrant is unconstitutional, the US Court of Appeals for the Third Circuit ruled on Tuesday.

The decision comes as a victory for the privacy groups that filed an amicus brief in November 2012, asking that the court consider whether law enforcement agents should have to obtain a warrant based on probable cause before attaching a GPS tracker to a car and tracking its movements.

The case involves a GPS tracker that police attached to a car belonging to Harry Katzin.

Police suspected that Katzin, along with his brothers Mark and Michael Katzin, had robbed a number of Rite Aid pharmacies in the US state of New Jersey in 2009 and 2010.

All three brothers had criminal histories that included burglary and theft. In addition, Harry had been found crouching beside some bushes outside of a Rite Aid that reported suspicious activity.

Police knew where he parked his van, the court papers say.

In the early hours of a mid-December morning, they went to the street in Philadelphia, and without going before a judge to get a warrant, they attached a so-called “slap-on” GPS tracker to Harry Katzin’s van.

The trackers are called slap-on because they magnetically attach to a vehicle, are battery-operated, and require no electronic connection to a car.

Police used the GPS tracker to follow the Katzins when they traveled to another Rite Aid, where they were arrested.

The case revolved around the Fourth Amendment to the US Constitution, which prohibits unreasonable searches.

The American Civil Liberties Union (ACLU) had argued in its amicus brief that warrants are essential in such cases because, as the Supreme Court has written, they provide “the detached scrutiny of a neutral magistrate, which is a more reliable safeguard against improper searches than the hurried judgment of a law enforcement officer engaged in the often competitive enterprise of ferreting out crime.”

The ACLU said that the safeguard of a warrant is particularly important with GPS tracking, which is “cheap, convenient, difficult to detect, and highly intrusive.”

The ACLU went on:

Because cost and effort will not deter excessive and unjustified use of GPS tracking, it is essential that courts impose strict requirements before Americans are subject to this powerful technology.

And we have most certainly been subjected to this powerful technology.

Courts are grappling with the intersection between GPS, drones, mobile phone data, and the Fourth Amendment.

One such case, United States v. Graham, involved police having amassed an astonishing 221 days’ worth of cell phone records, all retrieved without a warrant.

In another case, United States v. Jones, the US Supreme Court held last year that GPS tracking by attaching a device to a vehicle constituted a search under the Fourth Amendment.

That case didn’t address whether warrants were reasonable and thus lawful under the Fourth Amendment, the court of appeals said on Tuesday.

Given that the police acted unconstitutionally in the case of Katzin, the court said, all evidence collected by the police via GPS tracker will be suppressed.

The government had argued that it’s tough to establish the probable cause needed for a warrant without using information such as GPS data to back it up.

Harry Katzin was found crouching in some bushes. A search showed he was equipped with electrical tools, gloves, and ski masks.

What do you think, is that not enough to establish probable cause? Did police really need to track his van without a warrant?

Legal experts, I’d love to get your input in the comments section below.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PrYCvn5i9Ns/

SailPoint, Identity Team For Mobile Device Security Efforts

AUSTIN, October 23, 2013 – Usage of mobile devices in the workplace is expanding security and compliance risk as today’s workers increasingly perform more of their jobs using devices of their choice. To help organizations better address these bring-your-own-device (BYOD) challenges, SailPoint today announced the integration of its award-winning identity and access management (IAM) solution, IdentityIQ™, with mobile device management (MDM) solutions from the industry’s top providers, including AirWatch Enterprise Mobile Management, Good Secure Mobility Solution and MobileIron Advanced Mobile Management. The integration will enable companies to gain end-to-end visibility and control of user access across mobile, cloud, and on-premises resources, while realizing significant operational efficiencies in how they govern, enforce policy, and grant, change and remove mobile access.

“There are real benefits to enabling a mobile workforce, but employees can do a lot of damage from mobile devices – whether intentionally or not – if their access privileges to enterprise IT resources are not managed correctly,” said Kevin Cunningham, president and founder of SailPoint. “In order to address the security risks of BYOD, organizations must focus on controlling user access to sensitive applications, regardless of where or how those applications are accessed. By integrating MDM with IAM, organizations can now centrally manage user access privileges across datacenter, cloud and mobile applications, ensuring all access conforms to security and compliance policies.”

The integration between SailPoint IdentityIQ and leading MDM solutions enables enterprises to seamlessly manage mobile devices in the context of enterprise identity and access processes and controls. MDM solutions enable the remote management of mobile devices, performing tasks such as encrypting data on devices, controlling application downloads, ensuring devices are free of malware, and selectively wiping content on devices when needed. By linking MDM capabilities with corporate IAM policies and processes for authentication, user onboarding and offboarding, policy enforcement and compliance and audit reporting, the integrated solution gives security teams the centralized visibility and control they need to better protect corporate assets – no matter where or how the access occurs.

SailPoint’s integration with leading MDM solutions allows organizations to extend IAM policies and controls to personal mobile devices, ensuring they are managed according to corporate and regulatory standards. The combined solution enables proactive governance and automates user account provisioning activities by:

  • Allowing managers to review workers’ mobile applications and access rights as part of regular access certifications;
  • Automating detection and remediation of policy violations on mobile devices;
  • Automating granting user access to mobile applications based on new employee onboarding policy and workflow;
  • Automatically revoking access privileges and wiping corporate applications from mobile devices upon employee termination; and
  • Installing and configuring the SailPoint Mobile Application on individual devices to enable single sign-on for native mobile applications.

About SailPoint

As the fastest-growing, independent identity and access management (IAM) provider, SailPoint helps hundreds of the world’s largest organizations securely and effectively deliver and manage user access from any device to data and applications residing in the datacenter, on mobile devices, and in the cloud. The company’s innovative product portfolio offers customers an integrated set of core services including identity governance, provisioning, and access management delivered on-premises or from the cloud (IAM-as-a-service). For more information about SailPoint, please visit www.sailpoint.com.

Article source: http://www.darkreading.com/mobile/sailpoint-identity-team-for-mobile-devic/240163058

Prolexic Releases Q3 Global Attack Report

HOLLYWOOD, FL – (October 23, 2013) – Prolexic Technologies, the global leader in Distributed Denial of Service (DDoS) protection services, today reported that DDoS perpetrators changed tactics in Q3 2013 to boost attack sizes and hide their identities. This observation is one of many key findings found in the company’s Q3 2013 Global DDoS Attack Report, which was published today, and can be downloaded from www.prolexic.com/attackreports.

“This quarter, the major concern is that reflection attacks are accelerating dramatically, increasing 265% over Q3 2012 and up 70% over Q2,” said Stuart Scholly, president of Prolexic. “The bottom line is that DDoS attackers have found an easier, more efficient way to launch high bandwidth attacks with smaller botnets and that’s concerning.”

Attackers are flocking to so-called distributed reflection denial of service (DrDoS) attacks as they provide the benefit of obscuring the source of the attack (anonymity), while enabling the bandwidth of intermediary victims to be used, often unknowingly, to multiply the size of the attack (amplification). In DrDoS attacks, there are always two victims, the intended target and the intermediary.

Prolexic’s latest report reveals that the total number of attacks against its clients in Q3 2013 remained high and represented the highest total for one quarter. This occurrence illustrates a consistently heightened level of DDoS activity around the world over the last six months. Of note, more than 62% of Q3 DDoS attacks originated from China, far surpassing all other countries. Findings are based on data gathered from attacks launched during the quarter against Prolexic’s global client base.

For the quarter, peak bandwidth averaged 3.06 Gbps and peak packets-per-second (pps) averaged 4.22 Mpps. The largest attack Prolexic mitigated during Q3 was directed at a European media company, peaking at 120 Gbps.

Summary highlights from Prolexic’s Q3 2013 Global DDoS Attack Report

Compared to Q2 2013

1.58 percent increase in total DDOS attacks

6% decrease in application layer (Layer 7) attacks

4% increase in infrastructure (Layer 3 & 4) attacks

44% decrease in the average attack duration: 21.33 hours vs. 38 hours

Compared to Q3 2012

58% increase in total DDOS attacks

101% increase in application layer (Layer 7) attacks

48% increase in infrastructure (Layer 3 & 4) attacks

12.3 percent increase in the average attack duration: 21.33 hours vs. 19 hours

Analysis and emerging trends

Prolexic data for Q3 2013 shows a 70% increase in reflection attacks (DNS and CHARGEN) over the previous quarter and a 265% increase over the same quarter last year. This rise in DrDoS attacks should come as no surprise, as attack methods that inflict high damage with low effort will always be popular.

“DrDoS attacks don’t require as many bots because the amplification factor is so large,” explained Scholly. “Because less outbound bot traffic is needed, the botnet can be much smaller. This makes it easier for these botnets to fly under the radar unless you know what to look for.”

Prolexic has closely monitored DrDoS attacks for the last 12 months and has correctly forecasted their increasing popularity, as discussed in a series of four white papers on this resurfacing attack methodology.

“Q3 data also shows that infrastructure attacks maintained their share of total attacks, but within this group there was a big jump in UDP attacks and a corresponding drop in SYN attacks,” said Scholly. “Combined with the rise in reflection attacks, this quarter showed a significant shift in attack methodologies that all businesses should be aware of.”

Prolexic’s latest attack report includes a detailed analysis of the trend toward reflection attacks, DrDoS reflection services within the underground marketplace. The analysis examines DrDoS attack methods, tools and services – specifically CHARGEN attacks being integrated into the DDoS threatscape – and provides steps for remediating CHARGEN attacks.

A complimentary copy of Prolexic’s Q3 2013 Global DDoS Attack Report is available as a free PDF download from www.prolexic.com/attackreports. Prolexic’s Q4 2013 report will be released early in the first quarter of 2014.

About Prolexic

Prolexic is the world’s largest, most trusted Distributed Denial of Service (DDoS) mitigation provider. Able to absorb the largest and most complex attacks ever launched, Prolexic restores mission-critical Internet-facing infrastructures for global enterprises and government agencies within minutes. Ten of the world’s largest banks and the leading companies in e-Commerce, SaaS, payment processing, travel/hospitality, gaming, energy and other at-risk industries rely on Prolexic to protect their businesses. Founded in 2003 as the world’s first in-the-cloud DDoS mitigation platform, Prolexic is headquartered in Hollywood, Florida, and has scrubbing centers located in the Americas, Europe and Asia. To learn more about how Prolexic can stop DDoS attacks and protect your business, please visit www.prolexic.com, follow us on LinkedIn, Facebook, Google+, YouTube, and @Prolexic on Twitter.

Article source: http://www.darkreading.com/attacks-breaches/prolexic-releases-q3-global-attack-repor/240163037

Bromium Announces $40M Series C Funding

CUPERTINO, Calif. – October 23, 2013 – Bromium, Inc., a pioneer in trustworthy computing, today announced it has raised $40M in an oversubscribed Series C funding round led by new investor Meritech Capital Partners, with participation from existing investors Andreessen Horowitz, Ignition Partners, Highland Capital Partners, and Intel Capital. The new funding will be used for continued product development and to accelerate sales in North America, EMEA, Japan and APAC.

“Bromium is privileged to be working with a group of investors who are committed to building a company that is transforming cyber-security – without relying on ineffective, legacy detection-centric techniques,” said Gaurav Banga, co-founder and CEO of Bromium. “Demand for our flagship vSentry and LAVA products continues to grow. We have doubled revenue each quarter this year and now plan to accelerate our international expansion and strengthen our development team.”

Rob Ward, managing director at Meritech Capital, led the Meritech investment and will represent his firm on the Bromium board. Ward, who led Meritech’s successful investments in Fortinet (FTNT), Imperva (IMPV) and Proofpoint (PFPT) commented, “Rapid adoption of cloud computing, mobility and consumerization leave enterprises more vulnerable than ever, at a time when cyber-crime is at an all-time high. Bromium is uniquely positioned to transform enterprise security. Its technology is revolutionary – as profoundly important for security as virtualization was for the data center. It adds durable protection against advanced malware to every end point, and provides unparalleled insights into malware intent. We are very impressed with Bromium’s success in the marketplace, and are thrilled to join the team.”

Bromium vSentry uses Intel CPU and chipset features to hardware-isolate tasks that access the Web, attachments and files that might contain malware, protecting the desktop by design. Commenting on Intel Capital’s investment, Rick Echevarria, VP, PC Client Group and GM, Intel Business Client Platform Division said, “Intel platforms uniquely offer customers hardware security features that can transform enterprise security. Bromium, as a valuable Intel partner, takes advantage of these features, and their success demonstrates the value of hardware-based security in defeating advanced malware.”

Supporting Resources

Follow Bromium on the Web at:

www.bromium.com

blogs.bromium.com

Twitter (@bromium)

About Bromium

Bromium is re-inventing enterprise security with its powerful new technology, micro-virtualization, which was designed to protect businesses from advanced malware, while simultaneously empowering users and delivering unmatched threat intelligence to IT. Unlike traditional security methods, which rely on complex and ineffective detection techniques, Bromium protects against malware from the Web, email or USB devices, by automatically isolating each user-task at the endpoint in a hardware-isolated micro-VM, preventing theft or damage to any enterprise resource. Bromium’s technological innovations have earned the company numerous industry awards including being named as a CNBC Disruptor and a Gartner Cool Vendor for 2013. Bromium counts a rapidly growing set of Fortune 500 companies and government agencies as customers, including NYSE, BlackRock, and ADP.

Article source: http://www.darkreading.com/applications/bromium-announces-40m-series-c-funding/240163059

Alert Logic Cloud Security Report Warns Energy Sector Of Threats

HOUSTON, Oct. 23, 2013 /PRNewswire/ — Alert Logic, the leading provider of Security-as-a-Service solutions for the cloud, today released its State of Cloud Security Bulletin on Information Security in the Energy Sector. The bulletin, based on a six-month study period of customer data, examines the rise of cyber attacks targeting the energy sector–an industry thought to be particularly at risk due to the highly confidential and proprietary information they possess, as well as the prevalence of BYOD (Bring Your Own Device) and contractor access.


“The energy sector is a big part of the global economy and therefore has extremely high-stakes security risks compared to other industries,” said Stephen Coty, director, security research with Alert Logic. “Daily survival of the population and businesses alike depend on the availability of energy resources, making energy companies a prime target for hackers. This Security Bulletin calls out the specific threats to energy companies and provides recommendations for fine tuning existing information security defenses.”

The Security Bulletin found that, when compared to Alert Logic’s overall customer set, the energy sector is at an elevated risk of brute force and malware/botnet attacks:

67 percent of energy companies experienced brute force attacks, versus 34% of entire customer set. Attackers look for opportunistic points of vulnerability in networks housing confidential business information. Breaches of geophysical data, in particular, are intended to damage or destroy the data used in energy resource exploration. Brute force attacks are also used to steal a company’s intellectual property for the purpose of industrial espionage.

61 percent of energy companies experienced malware/botnet infiltration attacks, versus 13% of entire customer set. These attacks seek access to physical infrastructure systems that control pipelines and other key energy plant operations. Alert Logic found that technologies such as SCADA (Supervisory Control And Data Acquisition) systems are vulnerable to hacking, while the emerging business practices of BYOD (bring your own device) and BYOA (bring your own applications) in the workplace can be carriers of viruses and other malware.

“Unlike an attack on an e-Commerce site or SaaS application provider, a malware infiltration attack on an energy company could grow to catastrophic proportions if hackers were able to block or flood the oil and gas pipeline infrastructure,” Coty said. “This industry doesn’t see the typical web application attacks. It experiences a greater magnitude of security threats that could have global repercussions for years to come.”

To help companies meet the specific security challenges of the energy sector, The Security Bulletin includes guidance for effectively defending against brute force attacks and malware/botnet threats. Recommendations include enhancing existing security strategy with multi-layer security practices, monitoring and defensive technologies to identify and stop cyber-attacks, as well as raising security awareness among employees.

A free download of the Alert Logic State of Cloud Security Bulletin: Information Security in the Energy Sector is available at www.alertlogic.com/csr.


About Alert Logic

Alert Logic, the leading provider of Security-as-a-Service solutions for the cloud, provides solutions to secure the application and infrastructure stack. By integrating advanced security tools with 24x7 Security Operations Center expertise, customers can defend against security threats and address compliance mandates. By leveraging an “as-a-Service” delivery model, Alert Logic solutions include day-to-day management of security infrastructure, security experts translating complex data into actionable insight, and flexible deployment options to address customer security needs in any computing environment. Built from the ground up to address the unique challenges of public and private cloud environments, Alert Logic partners with over half of the largest cloud and hosting service providers to provide Security-as-a-Service solutions for business application deployments for over 2,300 enterprises. Alert Logic is based in Houston, Texas, and was founded in 2002. For more information, please visit www.alertlogic.com.

Article source: http://www.darkreading.com/vulnerability/alert-logic-cloud-security-report-warns/240163039

Malwarebytes Growth Validates Need For Zero-Day Protection

SAN JOSE, Calif. – Oct. 24, 2013 – It has been one year since Malwarebytes, the leader in advanced anti-malware protection and remediation, announced the launch of Malwarebytes Enterprise Edition (MEE). Since the launch, Malwarebytes has experienced strong business results with 52% growth year-over-year and continues to make strategic investments in the enterprise. Most recently, Malwarebytes released an updated version of MEE that provides an assortment of new features and enhancements for enterprise customers.

“We have been making great progress since the launch of MEE, and this is just the start. Over the next year we’ll be releasing a new enterprise product, and there will be tremendous opportunities within our growing channel program,” said Marcin Kleczynski, CEO of Malwarebytes. “We’re carving out a new space in endpoint security by offering a solution that protects enterprises from zero-day malware incidents that AVs struggle to detect.”

Twelve-month business highlights include the following:

Adoption of MEE in Medium to Large Enterprises – The University of Alabama, NextGen, a healthcare software company, and a growing portfolio of Fortune 1000 companies adopted Malwarebytes Enterprise Edition as their anti-malware of choice in the past year.

Acquisition of ZeroVulnerabilityLabs – Malwarebytes acquired ZeroVulnerabilityLabs (ZVL), the creator of the zero-day-threat protection app ExploitShield, which protects against download attacks originating from commercial exploit kits. The acquisition complements and expands Malwarebytes’ industry-leading anti-malware suite, and the company has plans to integrate its patent-pending anti-exploit technology into Malwarebytes Enterprise Edition.

Employee Growth & New Corporate Headquarters – To accommodate the 70% hiring growth in 2012, and 93% hiring growth year-to-date, Malwarebytes moved into its new corporate headquarters in downtown San Jose.

Entrepreneurial Award from Frost & Sullivan – Malwarebytes was recognized by Frost & Sullivan as the 2012 North American Entrepreneurial Company of the Year in Endpoint Security.

North America Channel Program Expansion – Malwarebytes continued the expansion of its North America channel program with the appointment of Dave Allison to the Senior Director of Channel Sales position. Formerly Vice President of North America Channel Sales for Kaspersky Lab, Allison will spearhead Malwarebytes’ efforts to promote its business editions, including Malwarebytes Enterprise Edition.

To learn more about Malwarebytes’ enterprise offerings, visit www.malwarebytes.org/business/enterprise.

About Malwarebytes

Malwarebytes provides software designed to protect consumers and businesses against malicious threats that consistently escape detection by other antivirus solutions. Malwarebytes Anti-Malware Pro, the company’s flagship product, employs a highly advanced behavior-based detection engine that has removed over five billion malicious threats from computers worldwide. Founded in 2008, the self-funded company is headquartered in California, operates offices in Europe, and employs a global team of researchers and experts. For more information, please visit us at www.malwarebytes.org.

Article source: http://www.darkreading.com/endpoint/malwarebytes-growth-validates-need-for-z/240163061

OS X Mavericks

Apple’s OS X 10.9, better known as Mavericks, is officially out.

The burning question for OS X fans everywhere, of course, is, “Should I or shouldn’t I?”

The positive spin is that the $29 fee Apple has charged for previous OS X “dot releases” has vanished.

Just like the uplift from Windows 8 to Windows 8.1, shifting from Mountain Lion (OS X 10.8) to Mavericks is free.

The negative spin is that since this is a dot release, there might just be more to go wrong than in a point release – just like happened in the uplift from Windows 8 RT to Windows 8.1 RT, which caused trouble for some early adopters.

→ In my vocabulary, a major release would be OS X to OS XI, a dot release something like 10.8.5 to 10.9, and a point release 10.8.4 to 10.8.5.

Will Mavericks go wrong if you install it right away?

Industry veteran and former Naked Security colleague Graham Cluley, for example, is dead keen on staying away – so much so that he’s even retweeted himself (I didn’t know you were allowed to do that) to tell us so.

Graham still seems to think it needs beta testing.

Digital lifestyle site Lifehacker also warns you to stay clear, saying without giving data that Mavericks “suffers from a speed decrease” (you or I would probably just have written that it was slower), and calling it “imperfect.”

Mind you, the site also says, with doubly ironic orotundity, that “you should have no trouble work under the new OS without trouble.”

I’d love to tell you that Graham is just being a scaredy-cat and Lifehacker merely stirring, but I can’t – and not for want of trying.

It’s just that at 5.29GB, over a mobile network, I’m still waiting for the Mavericks installer to download itself.

There is one thing that neither Graham nor Lifehacker took into account, however, and that’s the fact that Mavericks (the first OS X release not named after a type of cat) is a security upgrade, too.

OS X 10.9 as a security update

In fact, the list of security fixes is, to me, the most interesting part of 10.9.

If you’re looking for Remote Code Execution vulnerabilities, or RCEs, you won’t be disappointed – you’ll find several.

There’s a fix for dealing with “a format string vulnerability [that] existed in Screen Sharing Server’s handling of the VNC username.” (CVE-2013-5188.)

There’s a patch for curl, the web download utility, apparently sorting out multiple vulnerabilities including some that could lead to RCE. (CVE-2013-0249 and CVE-2013-1944.)

And there’s even a fix for an RCE hole in the kernel itself, caused by incorrect bounds checking, which implies that there was an exploitable buffer overflow. (CVE-2013-3954.)

But there are other important operational fixes, notably for security features that gave a false sense of security, because even when turned on, they didn’t always work.

Here are some examples:

  • The OS X application firewall had a bug so that applications to which you thought you’d blocked network traffic might nevertheless receive it.
  • Apple’s application sandbox could be bypassed by software that it was supposed to have locked down.
  • Safari’s Reset function didn’t always clear your session cookies, which could leave you logged in to sites you wouldn’t expect.
  • The display’s lock screen didn’t always stop window contents from appearing on top of it.
  • The lock screen sometimes didn’t activate after the interval you had chosen.
  • You could sometimes return from hibernation mode without needing a password.
  • Random numbers weren’t always random. (Or, to quote Apple’s own delightful oxymoron, “under unusual circumstances, some random numbers may be predictable.”)
  • The Mail app would sometimes detect that secure password exchange was possible when configuring a connection, but then fail to use it.
  • The “Require an administrator password to access system preferences with lock icons” setting wasn’t always honoured.

Mavericks also includes a brand new release of Safari, version 7, that includes a raft of security fixes published to pre-Mavericks users as Safari 6.1.

In short, it sounds to me as though Mavericks is probably an update you do want to get, though I can’t put my hand on my heart yet and say, “She’ll be right.”

I’m still waiting for that 5.29GB to turn up.

While that’s happening, I’m sorting out my backups – always a good idea anyway – and installing the 50MB Safari 6.1 update on my Mountain Lion system.

And, I hasten to add, I’m getting ready to make a copy of the Install OS X Mavericks.app package out of the /Applications folder as soon as the download finishes, so I never need to download it again.

If you’re an Apple fan, where do you sit on Mavericks?

Keen on new features, and willing to wait for 10.9.1?

Or keen on security and ready to update right away?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cuz_XleY5MM/

Chrome for the slurp-weary: Cookie-binning Aviator browser arrives


Security developers have released a stripped-down privacy-friendly browser, Aviator, based on the open source browser core Chromium as used by Google Chrome.

WhiteHat Security’s Aviator browser has built-in functionality designed to block ads and tracking by default. In addition, Flash and Java are click-to-play, a configuration that WhiteHat argues greatly reduces the risk of drive-by downloads, which are a common method for malware distribution.


Each tab is sandboxed to help prevent one program from making changes to others, or to a computing environment. In addition, Aviator always operates in private mode. The technology strips out referring URLs across domains to protect its users’ privacy. The default search engine for the new browser is DuckDuckGo, the privacy-friendly web search tool.

WhiteHat has been carrying out in-house tests of the browser, prior to releasing a Mac OS X version to the public this week.

In a blog post, WhiteHat Security’s director of product management Robert Hansen argues that major vendors (such as Google, Mozilla and Microsoft) could all enhance their browsers’ privacy protection features. But, he says, they are reluctant to make these changes because it would hurt their market share and business model to introduce built-in ad blocking, for example.

“Not a single browser vendor offers ad blocking, instead relying on optional third-party plugins, because this breaks their business model and how they make money,” said Hansen. “Current incentives between the user and browser vendor are misaligned. People simply aren’t safe online when their browser vendor profits from ads.”

He continued: “WhiteHat Security has no interest or stake in the online advertising industry, so we can offer a browser free of ulterior motives. What you see is what you get. We aren’t interested in tracking you or your browsing history, or in letting anyone else have that information either.”

A more detailed explanation of how WhiteHat Aviator differs from its older sibling, Google Chrome, can be found here courtesy of WhiteHat.

“Because the BSD license of Chromium allows us, we made many very particular changes to the code and configuration to enhance security and privacy,” says the company’s marketing bumpf. These changes extend to disabling third-party cookies and other functions that supposedly resolve navigation errors or predict URLs – functions which leak data to Google, as the post by Jeremiah Grossman, WhiteHat Security’s CTO, explains.

Browser configurations always involve a trade-off between privacy and convenience. WhiteHat Aviator has gone for the strictest privacy option. While this would be welcomed by the most privacy-conscious, it’s not for everyone because, for example, it would make sites that use cookies hard to use.

Early reactions to the release of the browser software were mostly positive, apart from some quibbles from security researchers about why Aviator isn’t open source or released as a configuration guide, rather than as a software build.

WhiteHat Aviator, with only a Mac OS X version currently available, can be downloaded here (48MB). ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/23/privacyconscious_aviator_browser/

UK.gov open to hiring EX-CON hackers for cyber reserves


The UK army of cyber reservists is open to the idea of hiring convicted hackers into its ranks.

The new head of the Joint Cyber Reserve Unit, Lieutenant Colonel Michael White, told BBC Newsnight that applicants would be assessed on their skills and capabilities, rather than personality traits or past histories.


Asked whether he would be open to hiring criminally convicted hackers who had the right skills, he responded positively. “If they could get through the security process, if they had the capability that we would like, and if the vetting authority was happy, then why not,” Lieutenant Colonel White said.

At the launch of the Joint Cyber Reserve Unit, Defence Secretary Philip Hammond said that simply building defences was not enough and that “Britain would build a dedicated ability to counterattack and if necessary to strike in cyberspace”. The armed forces as a whole did not have an “absolute bar” on recruiting former criminals. Hammond said that “former hackers would be assessed on a case-by-case basis,” The Independent reports.

David Emm, senior security researcher at Kaspersky Lab, said that the openness to hiring hackers into the ranks of what is a kind of geek version of the Territorial Army might address a short-term skills shortage, but that hiring people who had proved themselves to be “motivated by money and misplaced ideals” was a risky strategy at best. Emm emphasised the importance of training up a next generation of cyber fighters, starting in schools.

“The news that the UK Cyber Defence Unit is considering hiring convicted hackers has caused many people to voice their concerns about the ethical and security implications of employing those with a criminal past to protect the country’s most sensitive information. Those who have previously worked for the ‘dark side’ of the code-breaking fraternity are often motivated by money and misplaced ideals, and therefore expecting them to switch sides, and remain there is unrealistic.”

Emm added: “However, this development does highlight the problem of a skills shortage and the lack of talent outside the criminal community to tackle serious cyber-attacks facing the country. This is why it is so important to encourage the next generation to study, and become expert on, security-related issues so they can be the ones to fight sophisticated cyber-threats in the future.

“The government has recognised this and it is why it wants to make significant changes to the Computing element of the new National Curriculum: a move away from simply using the technology to understanding how it works.”

“As attempts to undermine governments and attack national infrastructure increasingly move online, it is imperative that the National defences are prepared to face these attacks head on, employing people with the necessary skills to block them.”

However, hackers are often anti-establishment and have an antipathy towards the authorities that’s only growing because of the Snowden controversy. They may not have any desire to work for the government. Asked whether he’d be interested in preventing threats to national security, former LulzSec member Mustafa Al-Bassam (Tflow) told the BBC Newsnight team he wouldn’t be keen on such a job.

“For me that would be in poor taste,” Al-Bassam said. “I can understand the need for a government to protect itself… but when you go ahead and stamp on people’s civil liberties as we’ve seen with all the stories about mass surveillance we’ve seen in the past year then you can rest assured that you’re going to repel tonnes of people.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/23/hacker_wanted_uk_cyber_reserve_squad/

Using Risk Assessment To Prioritize Security Tasks And Processes

[The following is excerpted from “Using Risk Assessment to Prioritize Security Tasks and Processes,” a new report posted this week on Dark Reading’s Risk Management Tech Center.]

Information security practitioners are in an increasingly difficult position in most enterprises for several reasons. For one thing, changes in how enterprises adopt, deploy and use technology have raised the complexity bar for the environments that practitioners are charged with defending.

For example, virtualization, cloud and mobile technologies have expanded the footprint of technology in the enterprise — and along with it the security practitioner’s scope of responsibility. At the same time, the number of compromise methods is increasing: Attackers have become more sophisticated, there are more of them, and they espouse a variety of motivations.

Given all of this, it’s clear why the remit of security practitioners is more challenging than it used to be. But despite the rise in environmental complexity, spending is relatively stagnant. For example, the most recent Global State of Information Security Survey from PricewaterhouseCoopers shows that fewer than half of the organizations surveyed expect information security budgets to increase. This is why prioritization is so important in a security context — not only does security investment need to stretch further, there’s less room for error when the stretching occurs.

This question of prioritization then becomes one of the key elements (not to mention benefits) of formalized risk management techniques. For organizations that aren’t using formalized risk management methods, prioritization is an acutely felt pain point.

But even for organizations that have employed these techniques, technical prioritization often requires further analysis in order for them to be effectively put into practice. In other words, risk management efforts performed at a high level might fail to take into account the specifics of the technical environment, leaving room for interpretation or further prioritization down the line.

In any case, the art of prioritization can help enterprises master the science of security. In this Dark Reading report, we recommend how to adapt elements of risk management that address prioritization in mitigation efforts for use at the technical level. This technique isn’t always easy — and organizations must have some prerequisites in place in order to leverage it fully — but it is a necessity for security to perform optimally. It’s no longer possible to defend everything equally, so focusing on specific, strategic areas of concern is a must.

At a high level, the risk management process can be thought of as iterative, encompassing a number of key steps. These include:

• Identify: The process of determining the possible risks that a given organization might have

• Assess: Determining the degree to which the organization is susceptible

• Mitigate: The process of treating risks — for example, by avoiding, remediating, transferring or accepting the risk (that is, determining that the risk cannot be practically or practicably offset)

• Monitor: Keeping track of the risk over time to ensure that it doesn’t increase, to determine if it’s exploited and to inform future decision-making if it’s obviated.

To learn more about the process of risk assessment — and how to translate the results into a prioritized action list — download the free report.


Article source: http://www.darkreading.com/monitoring/using-risk-assessment-to-prioritize-secu/240163019