STE WILLIAMS

California gives teenagers an ‘eraser button’ to delete their web mistakes

Legislators in California are working to give teens more control over content they have posted on the web by giving them the ability to push the reset button on their social media profiles.

California Governor, Jerry Brown, received a letter from the CEO of Common Sense Media, James P Steyer, in which it states:

Children and teens often self-reveal before they self-reflect and may post sensitive personal information about themselves – and about others – without realizing the consequences.

Now a unanimously passed Senate Bill will guarantee privacy rights for minors in California as well as an ‘eraser button’ which will allow them to delete their faux pas. This new bill will make the West Coast state the first in the US to require websites to allow under-18s to remove their own content from the site, as well as to make it clear how to do so.

The law does have some limitations though – it only covers content posted by the child making the removal request and so does not cover anything that their friends or family may have uploaded about them. The bill also only requires removal of information from public websites and not from servers.

California’s governor has yet to take a stance on the bill but, as reported in The New York Times, he has until mid-October to sign it, after which it will become law even without his signature. The new law would have an effective start date of January 1, 2015.

The law, designed to protect kids from bullying and embarrassment, also considers the potential harm to future educational or job prospects. This is timely considering how companies are increasingly likely to use the web to run background checks on prospective new employees.

In April this year, a survey by CareerBuilder discovered that 1 in 3 employers reject applicants based on unsavory social media posts. The kind of information that led to their decision included embarrassing photos, evidence of drink or drug use, and lack of good communication skills – i.e. just the type of profile many teens are presenting to the world.

Whether California’s new ‘eraser button’ will help kids bury their indiscretions and avoid having their youthful past determine their adult futures is debatable and Senate Bill 568 is not universally approved of. There is concern that it could lead to other States passing their own laws, thereby leading to a situation whereby website operators would have to navigate a multitude of legislation in order to serve content that may be consumed by minors.

In a letter to lawmakers the non-profit group, the Center for Democracy and Technology, who lobby for internet freedoms said,

We are principally concerned that this legal uncertainty for website operators will discourage them from developing content and services tailored to younger users, and will lead popular sites and services that may appeal to minors to prohibit minors from using their services.

And then there is the question of how a website operator would know they were serving content to a minor and in what state? Presumably that would involve asking for a site visitor’s age and location – someone better hold onto the privacy advocates’ collars!



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lUqgMfzpczk/

Twitter button problem causes "torrent download" confusion

A few Naked Security readers recently said, “When I read your articles, sometimes a torrent download window pops up. Is this dangerous? Should I be concerned?”

“Torrents” are files shared via the BitTorrent peer-to-peer file sharing system, and they are often associated with piracy and dodginess, so those are pretty reasonable questions.

And Naked Security’s own downloads (e.g. technical reports and podcasts) are served up using HTTP, not BitTorrent, making the questions doubly pertinent.

As far as we’re aware, this was a mistake by Twitter.

It was confusing, and mildly alarming, but there was nothing dangerous – just a file served up in the wrong way.

Here’s what seems to have happened.

Usually, our articles have a little “Tweet” button that you can click on to retweet them.

The Tweet button itself comprises an HTML file with the name widgets/tweet_button.html, and when your browser requests that file, Twitter is supposed to send it back directly.

The file includes some JavaScript to deal with the retweeting, some stylesheet formatting data, and an embedded image containing the Twitter birds:

When the HTML file is loaded into a browser, it combines the abovementioned elements to generate a clickable button like this:

Twitter’s mistake appears to have been that its servers sometimes returned a “torrent” link to the HTML file, instead of the file itself.

This caused your browser to pop up a download window instead of displaying the “Tweet” button.

If you had a Torrent downloader installed and had let it go ahead, then the HTML file you were expecting would have been fetched, with the JavaScript, stylesheet and image data inside.

I don’t recommend trusting unexpected torrent downloads, but that is what would have happened: uselessly, of course, and incorrectly, but harmlessly.

But why a “torrent” link, all of a sudden?

As far as we can tell, Twitter uses BitTorrent to distribute files between the servers in its content delivery network, from where they are supposed to go out as regular files.

It seems that for a short while, Twitter very occasionally served up the “torrent” flavour of the file by mistake, not the HTML one.
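A defender-side check for the failure described above, as an added example that is not Naked Security's or Twitter's code: it inspects the body of a fetched widget resource and reports whether it is an HTML document or a BitTorrent metainfo (.torrent) file, trusting the bytes over the Content-Type header, because a mislabelled response is exactly the failure mode at issue. The sample responses and the tracker URL are constructed.

```python
"""Classify a fetched third-party widget response as HTML, a .torrent
metainfo file, or unknown.  Added example for this article, not code from
Twitter or Naked Security.  Sample data below is constructed."""

HTML_HINTS = (b"<!doctype html", b"<html", b"<script", b"<body")


def bdecode(data: bytes, pos: int = 0):
    """Minimal bencode decoder (the encoding used by .torrent files).
    Returns (value, next_position); raises ValueError on malformed input."""
    if pos >= len(data):
        raise ValueError("truncated bencode")
    c = data[pos:pos + 1]
    if c == b"i":                       # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                       # list: l<items>e
        pos += 1
        items = []
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                       # dict: d<key><value>...e
        pos += 1
        result = {}
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            if not isinstance(key, bytes):
                raise ValueError("dict key must be a byte string")
            result[key], pos = bdecode(data, pos)
        return result, pos + 1
    if c.isdigit():                     # byte string: <length>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode at offset {pos}")


def is_torrent_metainfo(body: bytes) -> bool:
    """True if the whole body is a bencoded dict carrying an 'info' dict and
    an 'announce' tracker URL, the minimum a BitTorrent client needs."""
    try:
        value, end = bdecode(body)
    except (ValueError, IndexError):
        return False
    return (end == len(body) and isinstance(value, dict)
            and isinstance(value.get(b"info"), dict) and b"announce" in value)


def classify_widget_response(headers: dict, body: bytes) -> str:
    """Return 'torrent', 'html' or 'unknown'.  The body decides; the
    Content-Type header is only reported, never trusted on its own."""
    if is_torrent_metainfo(body):
        return "torrent"
    head = body[:512].lower()
    if any(hint in head for hint in HTML_HINTS):
        return "html"
    return "unknown"


# Constructed samples: a normal Tweet-button response, and a .torrent that
# merely points at the same widgets/tweet_button.html file.
GOOD = ({"Content-Type": "text/html; charset=utf-8"},
        b"<!DOCTYPE html><html><head><style>.btn{}</style></head>"
        b"<body><script>/* retweet logic */</script></body></html>")
BAD = ({"Content-Type": "application/x-bittorrent"},
       b"d8:announce31:http://tracker.example/announce4:infod6:lengthi4096e"
       b"4:name25:widgets/tweet_button.html12:piece lengthi16384e6:pieces20:"
       + b"\x00" * 20 + b"ee")

if __name__ == "__main__":
    for label, (hdrs, body) in (("good", GOOD), ("bad", BAD)):
        print(label, hdrs.get("Content-Type"), "->", classify_widget_response(hdrs, body))
```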

Lots of websites were affected, not just Naked Security.

As I said above, this download behaviour was incorrect, and useless (though harmless); but as some of our readers found out, it was also somewhere between annoying and alarming.

Twitter has apparently fixed the problem now; we’ve also removed the “Tweet” button from our article pages for the time being.

Our apologies for any confusion.

We hope this article assuages any concerns.

Yours,

The Naked Security Crew

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NpUVPeKP-0Y/

Facebook wants to auto-fill your credit card details

On Monday night, a very hush-hush Facebook tiptoed into testing an “Autofill with Facebook” feature – autofill your credit card information, that is – that it will begin rolling out to some users this week, according to The Verge.

According to sources familiar with the company’s plans, the new payments product will allow online shoppers to make purchases on mobile apps using their Facebook login, AllThingsD reports.

Wait, you say – Facebook has my credit card information? Where did it get it from? The NSA?

No, no, no, Facebook doesn’t have your credit card details. As far as I know. Yet. Unless you’ve already given it to them, that is, to buy e-sheep or whatever on FarmVille or some such Facebook app, you crazy e-farming nut, you.

If you have given Facebook your credit card information, you’ll be able to buy things on partnering e-commerce mobile apps without having to enter your billing information – instead, you’ll be able to use your Facebook account to fill it in for you.

Facebook told The Verge that Facebook Login will not be required for Autofill to pop up, but that users will need to be logged into the Facebook app on their device and have their card already on file with the network in order to see it.

AllThingsD says that Facebook has been testing the payment feature with “a handful” of retail partners. Only a small group of users now have the feature enabled and can only use the new “Autofill with Facebook” through apps from two pilot partners: clothing retailer Jack Threads and photo printer Mosaic.

Facebook will reportedly scale up the service as it continues testing and as it signs on more retail partners.

Is Facebook looking to replace PayPal or to compete with its payment services brethren – Google Wallet, Amazon, ProPay, Square, or startups such as Braintree, Stripe and Klarna?

Sucharita Mulpuru, a retail analyst at Forrester Research, told AllThingsD that it sure sounds that way.

Facebook might be playing coy, but for what it’s worth, it told AllThingsD that no, no, that’s crazy, given how tight its relationship is with PayPal. For now, it’s focused on simplifying checkout, with a setup that will still allow partnering commerce companies to still work with whatever payment processor they like.

After all, as all the payment services providers well know, entering payment information on our dinky little devices is a bit of a pain.

As its name suggests, the feature appears to simply fill information into existing forms, rather than completely taking over the process of checkout.

But would anyone actually trust Facebook with their financial information?

No, Mulpuru told AllThingsD:

Nobody trusts social networks with their financial information, and they are certainly not going to trust Facebook. … Maybe they have a few million people that have bought something on things like FarmVille, but that does not a network make.

A commenter on the Verge story, Tuan X, pointed out that it’s not appropriate to freak out, given that the PayPal-ish, Google Wallet-esque service is opt-in:

Well, the plus with all of these services is that everything is an option! Sometimes people get out of hand and think Facebook or whomever is trying to steal their life identity when they, 91.3% of the time, don’t have any info that they haven’t given them themselves.

Thank you for the reminder, Tuan X, but I’m instead opting for full, adrenalin-overdose, skin-tingling freakout on this one.

If this stays opt-in, then fine. Go forth, Facebook, and feast upon the valuable in$ight you and your advertisers will undoubtedly glean from the types of products and services your users buy off of Facebook.

But Facebook has never shown much taste for opt-in. We see that repeatedly.

The most recent example is a proposed privacy policy change that would rubber-stamp the use of teenagers’ names, images and personal information to endorse products in advertisements, with Facebook declaring that it’s going to deem teens’ presence on Facebook as meaning that their parents or legal guardians have agreed that commercial use of their tots is all fine and dandy.

Will Facebook someday require us to hand over credit card information to get or maintain our accounts?

It sounds far-fetched. Maybe that’s a paranoid idea.

Maybe the only thing we have to look forward to, at least in the near future, is the prospect of Facebook handling part of the mobile payment process.

What could possibly go wrong?

Please share your rants, screams of terror and maniacal laughter in the comments section below.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-t-0t0HQllU/

Siri offers the latest backdoor into your iPhone

We really didn’t want to write another Apple iOS 7 story.

With two lockscreen holes and a fingerprint sensor that can be fooled with woodglue, we thought we’d given diehard iPhone fans a horse that was already dangerously high enough for them not to get down from. [I think you have mixed more than a metaphor there, Ed.]

For example, we chose not to cover the fact that the New York Police Department were handing out flyers over the weekend advising residents of the Big Apple to take Even Bigger Apple’s advice, and to upgrade to iOS 7 as soon as possible for security reasons.

We weren’t entirely sure that we agreed with New York’s Finest there, not least because we’d already gone so far as to suggest that you might want to consider sticking at iOS 6.1.3 until the lockscreen holes were fixed.

But we didn’t want to enter a public wrangle with a concept we agree with strongly in principle.

Cybersecurity is important to and for everybody, not only for privacy reasons, but also as an aspect of crime prevention, so it is great to see beat cops trying to get people interested in it.

However, as you’ve no doubt noticed, this is another Apple iOS 7 story, and it’s yet another tale of woe at the lockscreen.

All about Siri

With Naked Security readers saying to us, “Ha! Did you hear about Siri?”, we could hardly let this one go.

We’ve written before about Siri, Apple’s voice control system.

Firstly, we covered Siri because Apple avoided the limitations of the voice-processing power of your handset by uploading your mumblings to its own servers, doing the processing in some stadium-sized data centre somewhere.

The company also retained both your audio data and transcripts of what you said “for a period of time” so that Apple could “generally improve” its products and services.

IBM famously banned Siri precisely because it didn’t want unspecified transcripts of employees’ musings lying around at Apple, and with all the recent fuss about internet surveillance, that may have been a prescient move.

Secondly, we covered Siri because of lockscreen problems, where locking crooks out of the keyboard and the touch interface didn’t stop them asking your phone to bypass its own security.

Seems like déjà vu all over again.

There’s a video going around, for example, from a company called Cenzic, apparently showing Siri blocking a Facebook post with a feminine-sounding equivalent of HAL’s infamous “I’m sorry, Dave, I’m afraid I can’t do that” from 2001: A Space Odyssey.

But immediately afterwards, following some modest Home button “hacking” (a feat that seems to be no more complex than holding the Home button down for a while), Siri complies politely and quickly with an almost identical request.

And a Naked Security commentator suggests:

Industry reaction has been interesting, with one publication actually using the words “access is limited,” as though there were little cause for concern, before confirming that the “limitations” apparently don’t prevent you sending email, or posting to the user’s social networks.

Oh, and you can call anywhere, just as you can with the “emergency call” hole.

What to do?

There’s a workaround: disallow Siri from the lockscreen, by heading to Settings|General|Passcode Lock and turning off Allow access when locked for Siri. (Why, oh why, is that not the default?)

You could go one step further, of course, and follow IBM’s lead by turning off Siri altogether.

There are some things that HAL’s smooth-sounding stepsister just doesn’t need to hear.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/M_ihZI-nYbs/

Dodgy ‘iMessage for Android’ app deep-sixed by Google


Google has yanked an app that purported to give Android users the ability to use iMessage.

As is discussed by Jay Freeman here, there was a catch in the app. It didn’t “make iMessage run on Android”, but rather sent data off for pre-processing to a server in China.

And that meant users were being asked to submit their Apple ID and password to a third party – a no-no from any point of view (The Register would guess it’s a good idea for anyone that tried the application to run a password reset immediately).

As Freeman writes, the “sub-optimal” operation of the app went like this: “Every packet from Apple is forwarded to 222.77.191.206, which then sends back exactly what data to send to Apple (along with extra packets that I presume tell the client what’s happening so it can update its UI). Likewise, if the client wants to send a message, it first talks to the third-party server, which returns what needs to be sent to Apple. The data is re-encrypted as part of this process, but its size is deterministically unaffected.”

To convince the Apple iMessage servers it was legit, the app apparently disguised itself as a Mac Mini, as noted by developer Alan Bell on Twitter:

Bell also noted that a chunk of the APK file is obfuscated, while another Twitter user, developer Steve Troughton-Smith, asserted that the app also had the ability to background-download APK files.

Whether the app’s behaviours were clumsy or a deliberate attempt to harvest user credentials, it violated Google Play’s policies and has been dumped. The putative developer’s Website, huluwa.org, is also offline at the time of publication. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/24/dodgy_imessage_for_android_app_deepsixed_by_google/

The Big Data Is The New Normal

I get a lot of questions on big data. What is it? How are people using it? How do you secure it? How do I leverage it? I’ve been on the phone with three different journalists in the past couple of weeks talking about what security analytics with big data really means. Be it journalists, security professionals, IT, or management, big data is relatively new to the mainstream practitioner, so the questions are not particularly surprising.

What is surprising is just about every new database installation or project I hear about sits atop a big data foundation. The projects focus on data, looking at new ways to mine data for interesting information. From retail-buying trends, to weather analysis, to security intelligence, these platforms are the direction the market is heading. And it’s because you can Hadoop. Cassandra. Mongo. Whatever. And it’s developer-driven — not IT or DBA or security. Developers and information architects specify the data management engine during their design phase. They are in the driver’s seat. They are the new “buying center” for database security products.

Since the bulk of the questions I get are now focused on big data, I am going to begin shifting coverage a bit to cover more big data topics and trends. And I’ll spend some time addressing the questions I am getting about security and uses for big data. Yes, I will continue coverage of interesting relational security as I get questions or new trends develop, but because most of you are asking about big data, I’m going to rebalance coverage accordingly.

And to kick it off, today I want to address a specific, critical point: Big data is all about databases. But rather than a “relational” database, which has a small number of defining characteristics, these databases come in lots of different configurations, each assembled to address a specific use case. Calling this trend “big data” is even a disservice to the movement that is under way. The size of the data set is about the least interesting aspect of these platforms. It’s time to stop thinking about big data as big data and start looking at these platforms as the next logical step in data management.

What we call “big data” is really a building-block approach to databases. Rather than the prepackaged relational systems we have grown accustomed to during the past two decades, we now assemble different pieces (data management, data storage, orchestration, etc.) together in order to fit specific requirements. These platforms, in dozens of different flavors, have more than proved their worth and no longer need to escape the shadow of relational platforms. It’s time to simply think of big data as modular databases.

The key here is that these databases are fully customizable to meet different needs. Developers for the past decade have been starting with relational and then stripping it of unneeded parts and tweaking it to get it to work the way they want it. Part of MySQL’s appeal in the development community was the ability to change some parts to suit the use case, but it was still kludgy. With big data it’s pretty much game on for pure customization. Storage model, data model, task management, data access, and orchestration are all variable. Want a different query engine? No problem, you can run SQL and non-SQL queries on the same data. It’s just how you bundle it. Hadoop and Cassandra come with “stock” groupings of features, but most developers I speak with “roll-their-own” infrastructure to suit their use case.

But just as importantly, they work! This is not a fad. These platforms are not going away. It is not always easy to describe what these modular databases look like, as they are as variable as the applications that use them, but they have a set of common characteristics. And one of those characteristics, as of this writing, is the lack of security. I’ll be going into a lot more detail in the coming weeks. Till then, call them modular databases or database 3.0 or whatever — just understand that “NoSQL” and “Big Data” fail to capture what’s going on.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading.

Article source: http://www.darkreading.com/database/the-big-data-is-the-new-normal/240161775

General Dynamics Fidelis Cybersecurity Solutions Increases Real-Time Malware Prevention With Unique Application Of YARA Technology

WALTHAM, Mass. – General Dynamics Fidelis Cybersecurity Solutions today announced its flagship network security solution, Fidelis XPS, now includes a new application of YARA technology, a rule-based malware identification and classification tool, that will increase the real-time prevention of malware attacks by analyzing threats in network traffic. Arming customers with another innovative method to detect malicious traffic as it flows on the network, the continued enhancements to Fidelis XPS help customers reduce remediation costs by blocking malware before it enters the enterprise.

“The addition of YARA will help customers’ network teams analyze threats on their network in a more proactive and comprehensive way,” said Tom Lyons, vice president of product management at General Dynamics Fidelis Cybersecurity Solutions. “This extends our customers’ protection beyond the standard application of scanning suspicious files after they have entered the enterprise.”

Fidelis XPS leverages YARA’s capabilities of classifying detected malware and scanning static objects in a file system after they have already entered the network, to extend and support its prevention efforts to scan network sessions in progress. With organizations placing an increased focus on blocking as much malware as possible before it enters the network, this collaboration makes advanced threat defense an active component of network defense. In doing so, the costs and downtime associated with remediation after a threat has been detected can be drastically reduced.

“Relying on remediation may not only be cost-prohibitive, but eventually it will slow down or even stall business operations,” said Wendy Nather, research director at the 451 Group, who recently published a report on the malware threat detection capabilities of Fidelis XPS. “Enterprises and government agencies can’t afford to take a reactive approach to network defense. In order to effectively combat threats, they have to be able to see more and stop more of the malicious traffic.”

In addition, Fidelis XPS can augment YARA rules with situational awareness, applying context to the content. The open, non-proprietary nature of YARA allows security analysts to share these rules and learn from their colleagues, continually refining the intelligence of the security community.

Built on General Dynamics Fidelis Cybersecurity Solutions’ patented Deep Session Inspection platform, Fidelis XPS is an industry leading network security appliance that delivers network visibility, analysis and control over all ports and all channels in real-time, to defend against advanced threats and prevent the possibility of a data breach on multi-gigabit-speed networks. Deployed as a context-aware network appliance, Fidelis XPS gives global enterprises and government agencies the ability to see, study and stop advanced threats during all phases of the threat lifecycle. The solution recently earned an overall breach detection rating of 98.4 percent in an independent test conducted by NSS Labs, an information research and advisory company specializing in IT product testing.

General Dynamics Fidelis Cybersecurity Solutions offers a comprehensive portfolio of products, services and expertise to combat today’s sophisticated advanced threats and prevent data breaches. Our commercial enterprise and government customers around the globe can face advanced threats with confidence through use of our Network Defense and Forensics Services, delivered by a team of security professionals with decades of hands-on experience, and our award-winning Fidelis XPS Advanced Threat Defense products, which provide visibility and control over the entire threat life cycle. To learn more about General Dynamics Fidelis Cybersecurity Solutions, please visit www.fidelissecurity.com.

Article source: http://www.darkreading.com/vulnerability/general-dynamics-fidelis-cybersecurity-s/240161738

Why A Hardware Root Of Trust Matters For Mobile

As the IT industry grapples with the security implications of mobile devices, some experts believe that one of the most important first steps it can take is to stop getting caught up in irrelevancies.

“We are lost in a conversation of mobile versus PC or phones versus tablets or whatever else, but that’s not what’s important,” says Steven Sprague, CEO of Wave Systems, explaining that the really important piece is, “How are we going to manage multiple tenant trusted devices, and what are the basic foundation principles for that? Then you’ve got to stick to your guns. I don’t care if they have the slickest marketing program under the sun — we’ve got to continue putting on our glasses and calling out when the emperor has no clothes.”

And one of the most important duds that mobile is missing, according to Sprague, is a standards-based hardware root of trust. Together with Dave Challener, security architect for Johns Hopkins University Applied Physics Laboratory and Dan Griffin, president of JW Secure, Sprague discussed the deficiencies of mobile device technology in a panel earlier this month at the first annual Trusted Computing Conference in Orlando. The running theme in their discussion was the enterprise relinquishment of on-device control.

“Mobile is a step backward from a couple of perspectives,” says Griffin, explaining that, first and foremost, the major mobile device vendors have not baked enough security features into their operating systems or provided the kind of development platforms that encourage developers to build security into their applications. “Finally, the carriers and the implementers of these operating systems are super-nervous about providing system-level access to the device, but you can’t do antivirus or other security without system-level access. So we’re just in this weird state right now where, OK, we have all this fun stuff we could do to make a PC really locked down — you just can’t do that on a mobile device.”

Challener views the state of things even more dimly.

“You look at mobile devices, and you see that you don’t control the network, you don’t control the hardware, you can’t select hardware subsystems that are in it, you don’t get to control when firmware is updated, you don’t get to select the OS, and the app selection in an app store is uncontrolled,” he says. “Boy, if I were an IT guy, I would be panicking.”

However, mobile has done one very good thing for IT security and that is bringing the discussion squarely back around to the importance of device security.

“A device-centric view of the network is really useful,” Sprague says. “The enterprise has been trying to ignore the device because devices are complicated and messy. And so we have control in the network, and hope and prayer in the device.”

But control is the key word in device security; as things stand, there’s no real control on the mobile device whether it is owned by the employee or the enterprise. Take MDM, for example.

“You don’t buy mobile device control software, you buy mobile device management software,” he says.

One of the biggest impediments today is the fact that at the hardware level the device is either controlled by the carrier or the vendor itself. This is most visibly seen in the transition from iPhone to iPad as Apple got out of its single-carrier relationship with AT&T.

“As a carrier, AT&T controlled the iPhone with absolute power. They could shut it off at will, terminate service, and change the OS,” Sprague says. “The brilliant maneuver by Apple was to take control of the initial hardware root of identity of the subscriber.”

Nowadays, the only way to get full use out of the iPad is through that connection with iTunes, with Apple having ultimate control over the device and the ability to shut down its functionality remotely.

“The reason why a standards-based, independent hardware root of trust is important is that it allows someone else to take control of the device before the carrier,” he says. “If you look at almost every use case and application out there, this is the fundamental capability that’s being requested, even if it is being requested in a language that is not as clear as that.”

Unfortunately, the real difficulty is convincing carriers or vendors to loosen their grip on control. It is an issue of leverage, and Sprague believes only one entity is capable of wresting control away for the betterment of the industry.

“The only way we can wrestle control back from Verizon is through a requirement placed on the environment by a player strong enough to do that,” he says. “The only player — emphasis on the word only — is the U.S. federal space.”


Article source: http://www.darkreading.com/mobile/why-a-hardware-root-of-trust-matters-for/240161739

Spikes Launches AirGap Enterprise To Eliminate Malware Pandemic From Entering The Enterprise

SARATOGA, Calif., September 24, 2013 — Spikes, Inc., a leading cyber security company, today announced its launch and the general availability of AirGap™ Enterprise, an anti-malware browsing system compatible with Windows and Mac OS that is purpose-built for extreme security, user-intuitive manageability and sustained high performance for the SMB-to-enterprise markets.

Cyber security is a top three business concern for executives in the United States and worldwide, according to Lloyd’s of London’s 2013 Risk Index Report. “Over 90% of undetected malware comes through the browser, and enterprises employing the best cyber security practices to date are still being hacked daily, often with catastrophic results,” states Branden Spikes, CEO of Spikes and former CIO of PayPal and SpaceX. “We’ve taken a radically different approach to web browsing by developing a highly scalable, enterprise-level client-server application that places the browser outside the firewall rather than on the user’s computer (endpoint), then having it interact with the web browser remotely, providing endpoint immunity to malware attacking through the browser.”

Spikes’ AirGap Enterprise resides in the network DMZ rather than on end user devices, interposing an “air gap” between the internet and the client applications accessing the web. This true hardware separation stops all malware outside the network firewall, prevents web applications from executing within the enterprise network, and ensures that employee computers remain untouched by malware attacks.

AirGap Enterprise was designed for network integration flexibility, easy management, unparalleled security and sustained high performance under the most demanding user requirements. The client browser deploys easily and requires no prerequisite software, while the server runs on hardened, high performance hypervisor Spikes Appliances that offer 11 layers of protection. Spikes Appliances, delivered as physical or virtual appliances, scale linearly and provide automatic load balancing and failover. These, in turn, can be deployed on a user’s network (a private cloud), on a Spikes network (a public cloud), or on a combination of the two (a hybrid cloud). Further, deploying the easily scalable AirGap Enterprise onto endpoints totally eliminates the risk from client malware attacks while increasing endpoint performance, since the entire workload is offloaded to the Spikes Appliance(s) or to the cloud, freeing up precious resources on the client device.

“The Spikes approach is pioneering and provides the IT team with a single point of control for corporate browsing, making it far easier for IT to ensure that individuals – intentionally or inadvertently – don’t provide an opening for malware to penetrate the corporate firewall. Beyond that, management now has a single point of control to enforce those parts of corporate governance that address concerns related to Internet traffic,” adds Mike Karp, VP and Principal Analyst at Ptak Associates.

“The continuing growth of malware and the ongoing global initiatives to improve cyber security best practices affirm the need for our AirGap Enterprise. Spikes has made the hacker’s easiest target, the web browser, one of the most impenetrable,” concludes Spikes. “We will continue to drive innovation while further establishing our technological leadership in providing the best-in-class cyber security solutions to our continually growing clientele.”

About Spikes

Spikes, Inc., founded by former PayPal and SpaceX CIO Branden Spikes, solves the biggest security threat facing enterprise today: browser malware. Employees get hacked by simply visiting infected websites, even legitimate sites, that open a door into a company’s networks. Spikes provides the only effective protection from attacks through the browser while still providing a high quality user experience.

The Spikes AirGap™ Enterprise is available for Windows and Mac OS in the current release. Browse fearlessly. For more information, visit www.spikes.com.

Article source: http://www.darkreading.com/end-user/spikes-launches-airgap-enterprise-to-eli/240161777