STE WILLIAMS

Malwarebytes Buys Binisoft for Firewall Management

Vendor plans to integrate Binisoft’s Windows Firewall Control into the Malwarebytes endpoint protection platform.

Malwarebytes is acquiring Binisoft, a privately held Romanian company, to strengthen its endpoint protection platform. Binisoft is behind Windows Firewall Control, designed to improve firewall management, and USB Flash Drives Control, which regulates the use of USB drives.

Windows Firewall Control extends Windows Firewall functionality with added management features and rules. Users can choose from security profiles that range from no firewall filtering to denying all inbound and outbound connections. Admins or users can enable or block app access, disable or change rules from the current rule set, or merge or create duplicate rules. The tool manages the native firewall in Windows 7, 8, 8.1, 10, Server 2012, and Server 2016.

Binisoft’s tech will enable Malwarebytes to offer a platform that won’t require admins to manage their firewall through Group Policy Objects or other Microsoft systems, says Malwarebytes CEO Marcin Kleczynski.

This acquisition follows Malwarebytes’ recent purchases of Saferbytes, an Italian startup with antimalware and cloud antivirus technologies, and AdwCleaner, an adware cleaner and removal tool. Binisoft will retain its current name alongside Malwarebytes branding.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/malwarebytes-buys-binisoft-for-firewall-management/d/d-id/1331896?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A Data Protection Officer’s Guide to the Post-GDPR Deadline Reality

The EU’s General Data Protection Regulation deadline is here — now what? These four tips can help guide your next steps.

Part 3 of our DPO’s Guide to the GDPR Galaxy series.

GDPR doomsday has arrived. While many organizations may be tempted to breathe a sigh of relief, this is not a virtual “pencils down, turn in the test” moment. It’s the opposite. The EU’s General Data Protection Regulation is still evolving, and your privacy program must be capable of evolving with it. These four tips will ensure that you maintain a steady compliance strategy moving forward.

1. Think GDPR and beyond. Organizations must build a “privacy-by-design” approach and ensure their privacy and security programs encompass more than GDPR. This includes determining how to balance other regulations and standards you may already have in place, such as PCI DSS and HIPAA, with GDPR because this is just the tip of the privacy iceberg. A concern over privacy, much like that of security 15–20 years ago, is now mainstream, and it will only grow in importance.

The mission to do right by your customers continues on as it did before GDPR — and always will. For those organizations that have all their controls in place, it is time to “rinse and repeat.”

If you have not completed the requirements of the GDPR, you should continue to move ahead without cutting corners to rush the process. Let’s be clear: your program will never be in a final stage, because you should always be looking for ways to improve it and move it to the next level.

2. Know how to respond to DSARs. One unknown for all of us is the volume of data subject access requests (DSARs) that our organizations will be processing. Data subject rights are detailed in GDPR articles 12–23. Under this law, you must provide customers and contacts with an easy way to exercise their rights. Additionally, the law states you must respond to a DSAR within one month. In cases where the request is complex or there are many requests from an individual, you are allowed to request a two-month extension. You must also inform the user that additional time is needed. If the controller (the natural or legal authority that, either alone or jointly, determines the purposes and means of processing personal data) finds the request to be “manifestly unfounded or excessive, in particular because of their repetitive character,” it may charge a reasonable fee or refuse to act on the request.

If a controller refuses a request, it must be able to show that the request is indeed manifestly unfounded or excessive, as outlined in GDPR article 12. However, what exactly qualifies as an “unfounded or excessive subject access request” is still unclear under GDPR, and so we will need to wait for guidance by the EU on how to enforce this moving forward. If you serve as your organization’s processor and a data subject (that is, a customer of a controller you are working with) contacts you to exercise a right, be sure to direct that person to the controller. Consider creating a DSAR portal where EU customers or individuals are able to request to exercise their data subject rights. Do not forget this includes individuals who receive sales and marketing material as well as employees located in the EU. The portal should be easy to find and navigate.

3. Implement and refine your vendor management program. Another area to consider is your vendor management program. Be sure you are flowing down your GDPR obligations to vendors who handle EU citizen data. You do not want to suffer financial consequences because of a vendor’s lack of compliance. It’s also a good idea to document your reviews and to follow up with vendors that are still working toward compliance, so that consistent lines of communication are established.

Under GDPR, your organization will be held more accountable than ever for the data flowing across your systems, so it is critical to pinpoint the various partners and vendors that have access to it as well.

4. Maintain an updated data inventory. Last, but certainly not least, it is imperative that your organization update its data inventory and data flows and be ready to map new flows as they develop. This means understanding where and how all of your data is being distributed across the organization including, but not limited to, your systems, documents, services, and applications. Continue to ensure that privacy and security are a part of your design process, because you can’t have true privacy without a strong security foundation. Be sure to keep your employees trained and aware of GDPR and other privacy laws and regulations. Keep your risk management program up to date and perform privacy impact assessments and data protection impact assessments when warranted.

And remember, reach out to your peers, keep up with your own ongoing training, and breathe! The GDPR journey is a winding path, not a dead end, so there’s still time to act.


Jen Brown is Sumo Logic’s compliance and data protection officer (DPO) and is responsible for leading compliance, risk, and privacy efforts for the company, including GDPR, PCI DSS, ISO 27001, HIPAA, SOC2, and FedRAMP, as well as several other regulations. Prior to Sumo …

Article source: https://www.darkreading.com/cloud/a-data-protection-officers-guide-to-the-post-gdpr-deadline-reality/a/d-id/1331885?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Privacy Survey Says: Americans Don’t Want to Sell Their Data

A new survey shows the extent to which Americans are reluctant to sell their personal information for any price.

A new study says that many of the assumptions corporations have been making about consumers and their privacy are seriously flawed. And in the new dawn of GDPR, those bad assumptions could have serious consequences.

The study, conducted by digital communications firm Syzygy, surveyed 3,000 adults in the US, UK, and Germany. Asked whether they would sell their private data to a company — even a favored brand — 55% of Americans say that they would not, no matter the price offered.

One of the major surprises in the data came from the question of whether consumers would trade private information for a smoother or more personal online experience. While it is an article of faith for many online companies and services that consumers are happy to make this trade, only 21% of Americans are willing to do so.

For those who are willing to sell their data to companies, $150 is the median price they would accept. And when it comes to ongoing monitoring of online activity, 33% say they would be willing to let Google watch them Web-surf — in exchange for $25 a month.

For more, read here.


Article source: https://www.darkreading.com/endpoint/privacy/privacy-survey-says-americans-dont-want-to-sell-their-data/d/d-id/1331895?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

GDPR, WHOIS & the Impact on Merchant Risk Security Monitoring

The EU’s General Data Protection Regulation will make it harder for law enforcement, forensic investigators, and others to track down everything from credit card fraud to child porn rings.

On May 25, the rock is set to meet the hard place — and what happens when the two clash is anyone’s guess. That’s the date that the EU’s GDPR goes into effect — and when WHOIS, the domain information lookup service, may be forced to stop publishing data about the owners of websites that are owned or associated with persons in the European Union. As a result, law enforcement, forensic investigators, and others seeking to track down bad actors such as money launderers, hackers, and child pornographers will no longer be able to rely on what has been a default tool for such investigations.

The General Data Protection Regulation (GDPR) is the European Union’s grand plan to preserve the privacy of individuals and businesses in Europe. An evolution of the Union’s original 1995 Data Protection Directive adopted at a time when the Internet was in its infancy, the GDPR aims to ensure that privacy remains intact, despite new technologies.

Those technology changes include the emergence of big data, artificial intelligence, and machine learning — technologies that make it much easier to identify individuals or entities. Even if the data is anonymized, the enormous number of data points available makes identifying those individuals or entities a relatively simple matter. A prominent rule in GDPR is that data associated with EU “natural persons,” or data that passes through EU-based servers, is subject to enhanced privacy rules.

What does this have to do with WHOIS? Simply, WHOIS — via its controlling organization called Internet Corporation for Assigned Names and Numbers (ICANN) — publishes identification data for registered domain owners. If ICANN wants to do business with the EU, its “natural persons,” or entities that store data on servers accessed from the EU, it can no longer do so without making major changes.

The problem here is that cybersecurity and anti-cybercrime organizations have built much of their investigation models on WHOIS data. There are many other paid services, as well as customized tools based on WHOIS data, that enable organizations to track down criminals, or even shut down their operations.

For example, an email address used in two seemingly unrelated domains can give insights into hidden connections and underlying transactions. Tools using information from the WHOIS database have been used to successfully track down everything from credit card fraud to child porn rings. Based on the current interpretation of how the GDPR privacy rules are to be applied, the services that allow law enforcement and security personnel to stop spam, malware, credit card fraud, child porn, and a host of other illegal activities will no longer be readily available.

ICANN is currently trying to work out a solution that will comply with GDPR regulations yet still enable it to provide information, especially for cybersecurity purposes (as it has for at least a year). Some ideas have been proposed, but so far an acceptable solution to both sides has not been developed. A proposed timeline sees ICANN coming up with a potential GDPR-approved solution in May 2019 — a year after the rules go into effect.

Whatever the solution, one thing is clear: organizations that depend on access to WHOIS data will have major challenges that will require either extensive bureaucracy or court orders and subpoenas to track down identity information on bad actors.

If using registration information is out of bounds, companies will have to dig deeper to track down hackers and cyber thieves. One way they can do that is via comprehensive, big data–based analysis of relationships of all websites to prevent sophisticated cybercrime, such as electronic money laundering or transaction laundering. Transaction laundering occurs when an undisclosed business uses an approved merchant’s payment credentials to process payments for another undisclosed store selling unknown products and services.

This advanced online fraud scheme takes advantage of legitimate payment ecosystems by funneling unknown e-commerce transactions through legitimate merchant accounts. Valid websites act as payment processing storefronts for criminal enterprises selling firearms, illicit drugs, child pornography, and other illegal goods.

For merchants worried about credit card fraud and transaction laundering, a big data analysis system has the ability to detect hidden connections across online entities. The same tactics could apply to spam attacks, ransomware attacks, or any other unwanted activity. Comprehensive and continuous monitoring of big data can lead to insights on the identification and activities of bad actors hiding behind the scenes.

The inevitable changes to WHOIS expose the real issue for companies that have relied on its service for so many decades. Although WHOIS has become a trusted online resource, it is not and has not been a complete, dynamic force fighting the ever-evolving world of cybercrime. The usefulness of WHOIS as a data source was already being called into question by the increased use of masking services and by incomplete or fake registration data. If cybercriminals are leveraging advanced technology, shouldn’t we be doing the same to stop them?

These affected industries are now faced with the responsibility to share intelligence and pursue comprehensive solutions that keep pace with advanced technology while remaining compliant with newly enforced regulations.

For law enforcement and those concerned with the prevention of cyber fraud, understanding the WHOIS versus GDPR issue is crucial. These organizations will need to find new tools and practices that can replace or enhance the service WHOIS once provided.


Ron Teicher is the CEO and founder of EverCompliant. Ron has served as a CEO of EverCompliant since its inception. Before founding EverCompliant, Ron led the compliance initiatives at Sanctum and Watchfire (acquired by IBM). Watchfire’s compliance product won SC Magazine’s …

Article source: https://www.darkreading.com/cloud/gdpr-whois-and-the-impact-on-merchant-risk-security-monitoring/a/d-id/1331874?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

VPNFilter router malware – what to do? [VIDEO]

Malware of the week is a router nasty known as VPNFilter.

In jargon words, VPNFilter is an IoT botnet that has apparently shown up on at least 500,000 consumer and small business routers.

But that single sentence raises a lot of issues! What’s an “IoT botnet”? Is that worse than regular malware? How does this differ from a Windows or Mac attack? Am I at risk? How do I tell if I’m infected? What if my ISP supplied my router and I can’t change it? What else are the crooks up to in the big bad world of router malware?

We went on Facebook Live to answer the big VPNFilter question, “What to do?”



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EkAfASAcLBU/

FBI admits to inflating number of crime-related devices it can’t crack

Investigators can’t get into 7,775 devices, FBI Director Christopher Wray repeatedly claimed in 2017, using the scary statistic to argue for encryption backdoors.

He made the same “this is letting the crooks go dark” argument over and over, including on 7 December, when he testified before the House Judiciary Committee. At that time, he said that selective encryption access is possible without jeopardizing everybody’s device encryption. The need for it is beyond urgent, he said: it’s vital to protect innocent citizens from criminals and terrorists who are using encrypted devices to “go dark.”

Nah, the FBI has now admitted. On Tuesday, The Washington Post reported that the FBI has admitted that the 7,800 number is a “grossly inflated” figment of FBI imagination, or what the FBI is saying is a miscount. It’s more like 1,200… maybe 2,000… honestly, the bureau isn’t really sure how many uncrackables it’s dealing with.

According to The Post, FBI officials say that they first became aware of the miscount about a month ago and still haven’t come up with an accurate count of how many encrypted phones they received as part of criminal investigations last year.

The Post quoted numbers from people who are familiar with the work: last week, they put an internal estimate of the correct number of locked phones at 1,200. Officials anticipate that number to change as they launch a new audit, which could take weeks to complete.

The FBI issued this statement on Tuesday:

The FBI’s initial assessment is that programming errors resulted in significant over-counting of mobile devices reported.

How did the number blow up? The bureau blamed the inaccuracy on the use of three distinct databases, which led to repeated counting of the same phones. People familiar with the work said that when the methodology was tested in April 2016, the tests didn’t reveal the flaw.

OK, so we tripled the number, the FBI said. But that doesn’t mean that “Going Dark” isn’t a “serious problem” for law enforcement. From its statement:

Going Dark remains a serious problem for the FBI, as well as other federal, state, local and international law enforcement partners… The FBI will continue pursuing a solution that ensures law enforcement can access evidence of criminal activity with appropriate legal authority.

How seriously should we take the FBI’s sloppiness with numbers? One way of looking at it is that this attention to an exaggerated number is a cheap shot at the cops. After all, the percentage of devices that are encrypted will increase toward 100%. So if we argue against the FBI now, on the grounds that the number is exaggerated, we’ll inevitably be wrong as the FBI’s exaggeration approaches reality.

Another way to approach the inflated number is that the FBI has been using it as a central core of the Department of Justice’s obvious push for backdoors. It’s part of the argument for why baking backdoors into encryption is necessary. But with the news about the number’s inaccuracy comes the realization that the FBI/DOJ’s argument for backdoors is being pushed forward without much care for whether one of its central tenets is in fact true.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xSJvD9Oy2L4/

London’s Met Police: We won’t use facial recognition at Notting Hill Carnival

London cops will not use controversial and inaccurate facial recognition technology at this year’s Notting Hill Carnival – in a departure from the trend over the previous two years.

The Metropolitan Police have been using the technology since the 2016 carnival, which takes place on the August bank holiday weekend, despite intense pressure from campaigners and politicians.


The force was expected to roll out the real-time face-spotting spycams for a third time at the event this year, especially as it is ostensibly trialling the tech and is understood to be planning seven more deployments this year.

However, the Met confirmed to The Register that it will not be using facial recognition technology at this year’s event.

The news comes after a damning report published last week by campaign group Big Brother Watch, which found that the kit used by the Met police had a 98 per cent false positive rate.

Moreover, the group’s Freedom of Information responses show that the force has only correctly identified two people using the kit – neither of whom was a criminal.

There have also been concerns raised, by campaigners and politicians, about the lack of a clear and enforceable legal framework for the use of the technology.

The Met declined to give a reason for the decision not to use the tech at this year’s carnival, but confirmed that the broader trial of the tech was continuing, with an evaluation due to take place at the end of the year.

That gives the force a very tight timeline to fit in the further seven tests it is understood to have committed to performing, as well as to start the assessment process.

Silkie Carlo, director of Big Brother Watch, welcomed the Met’s decision not to use the tech at this year’s event – but warned fellow campaigners not to be complacent.

“We are delighted that the Met has seen common sense and will not be targeting Notting Hill Carnival with facial recognition again this year,” she said.

“However, we are troubled by the force’s plans to dramatically increase use of facial recognition over the next six months.”

Sian Berry, Green AM in the Greater London Assembly and member of the GLA oversight committee – which has launched its own attacks on the kit, pushing London Mayor Sadiq Khan to ensure greater engagement, transparency and oversight – echoed these concerns.

“It is a positive step,” she told The Register. “But there’s still no legal framework to use it – they should abandon the trial and wait for a legal basis, and even then only use it if they can find a way to do so without intruding on civil liberties.”

Meanwhile, the Met has declined to reveal when it plans to use the technology again, saying that it doesn’t list the occasions “far in advance” for “operational reasons”.

But this tactic – which can see just weeks between the announcement that the tech will be used and the event itself – has been criticised by campaigners like Big Brother Watch that argue it obstructs meaningful debate.


It also fails to give the public sufficient notice about the deployment of an intrusive technology, which in some cases might dissuade them from attending the event – particularly if it is to be used at a protest.

Berry said that it was important that, whatever happened with the trial, the police continued to give notice to the public – so they could decide whether to attend – and urged more, not less, transparency in the face of public pressure.

Concerns about the use of the technology come from all sides of the political spectrum, with an event held in Parliament last week seeing Labour, Lib Dem and Green MPs and peers lining up to slam both the technology – which some studies suggest could be biased – and the lack of independent oversight and regulation from the government.

The lack of legal frameworks has also drawn criticism from the commissioners overseeing biometrics and the use of surveillance cameras in the UK.

The government’s long-awaited biometrics strategy – which is due to land next month – is expected to tackle some of these issues, while the London Mayor Sadiq Khan has said that the Met’s use of the kit had been referred to the London Policing Ethics Panel and is on the group’s 2017-18 work plan.


However, campaigners see these measures as cold comfort, given that forces across the UK continue to use a technology that has so far achieved little in the way of successes for the police.

“Public outcry, shocking inaccuracy statistics, and the absence of appropriate legal power have not deterred the Met from forcing this authoritarian surveillance tool on an unsuspecting public,” said Carlo.

“This sets a dangerous precedent. Big Brother Watch will continue to fight against the surveillance of innocent people and to protect the public’s civil liberties.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/24/met_police_wont_use_facial_recognition_tech_at_notting_hill_this_year/

More Than Half of Users Reuse Passwords

Users are terrible at passwords and the problem is only getting worse, according to an expansive study of more than 100 million passwords and their owners.

Most security experts agree that passwords are a poor security mechanism. What’s even worse: We’re really bad at passwords. That’s the conclusion of a study that looked at 28.8 million users and their 61.5 million passwords in 107 services over 8 years.

The password study by researchers at Virginia Tech found that slightly more than half of all users reused passwords, or used slight modifications of passwords, across a range of accounts. Password reuse, considered a major “no-no” by security experts, is regarded as a major factor in easy-to-hack user authentication schemes.

The news actually gets worse from that bad beginning. The passwords in use were so weak that more than 16 million password pairs (30% of the modified passwords and all the reused passwords) can be cracked within just 10 guesses. And there’s worse to come: accounts dealing with sensitive data, from financial records to email, were more likely to receive repeated and reused passwords than less critical sites.

Researchers at Dashlane took anonymized data from the set used by the Virginia Tech team and looked for trends and patterns in the bad passwords. They found evidence of trends, patterns, brands and romance in the password store, all of which make passwords easier for criminals to predict and crack.

Perhaps unsurprisingly, the names of popular sports teams (which rise and fall according to their on-field results) and consumer brands find their way into passwords. The researchers were a bit more surprised by the pervasiveness of “keyboard walking” in forming passwords.

Don’t let your fingers walk

Keyboard walking occurs when a user lets their fingers walk across a row of keys on the keyboard. “asdfg”, “qwerty”, and “12345” are all examples of keyboard walking. In each case, the resulting string is an easily guessed password.

Users slightly less lazy (or slightly more security savvy) move to variations on keyboard walking, including “1q2w3e4r” and “[email protected]”. The notable thing about most of these walking passwords is that they can be typed with the fingers of the left hand only — and typed without ever moving the hand or shifting the fingers. That tendency limits the combinations and makes the passwords subject to relatively easy brute force cracking.
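To show how a password policy can catch the walking patterns described above, here is an added example (not code from the article or from the Dashlane or Virginia Tech reports it cites). It assumes a US QWERTY layout and a minimum run of four adjacent keys, and goes slightly beyond the text by also catching reversed walks and shifted-symbol variants such as “!q@w#e$r”.

```python
"""Keyboard-walk detection for a password-policy check (added example).

Flags substrings formed by physically adjacent keys on a US QWERTY layout,
covering the patterns named in the article ("asdfg", "qwerty", "12345",
"1q2w3e4r") plus their reversed and shifted forms.
"""
from __future__ import annotations

# Assumption: US QWERTY, unshifted keys, number row down to the bottom row.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Shifted number-row symbols map back to the key that produces them, so
# "!q@w#e$r" is treated the same as "1q2w3e4r".
SHIFT_MAP = dict(zip("!@#$%^&*()", "1234567890"))


def _build_adjacency() -> dict[str, set[str]]:
    """Map each key to its physical neighbours.

    Same-row neighbours are the keys to the left and right.  Because the
    rows are staggered, the key at (row r, column c) sits below columns c
    and c+1 of row r-1 (for example 'a' sits under 'q' and 'w').  Links are
    added in both directions so reversed walks are caught as well.
    """
    adj: dict[str, set[str]] = {}

    def link(a: str, b: str) -> None:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)

    for r, row in enumerate(QWERTY_ROWS):
        for c, key in enumerate(row):
            adj.setdefault(key, set())
            if c + 1 < len(row):
                link(key, row[c + 1])
            if r > 0:
                above = QWERTY_ROWS[r - 1]
                for cc in (c, c + 1):
                    if cc < len(above):
                        link(key, above[cc])
    return adj


ADJACENT = _build_adjacency()


def _normalize(ch: str) -> str:
    """Lower-case and fold shifted symbols onto their base key."""
    ch = ch.lower()
    return SHIFT_MAP.get(ch, ch)


def walk_segments(password: str, min_run: int = 4) -> list[str]:
    """Return every maximal substring in which each character is a keyboard
    neighbour of the previous one and which is at least `min_run` keys long.
    A repeated character breaks a run, so "aaaa" is not a walk.
    """
    segments: list[str] = []
    start = 0
    for i in range(1, len(password) + 1):
        if i < len(password):
            prev, cur = _normalize(password[i - 1]), _normalize(password[i])
            if cur != prev and cur in ADJACENT.get(prev, ()):
                continue  # still walking, extend the current run
        if i - start >= min_run:
            segments.append(password[start:i])
        start = i
    return segments


def longest_walk(password: str) -> int:
    """Length of the longest keyboard walk in `password` (0 for empty)."""
    return max((len(s) for s in walk_segments(password, min_run=1)), default=0)


def check_password(password: str, min_run: int = 4) -> tuple[bool, str]:
    """Accept or reject with a reason.  This is one check among the several
    a real policy (length, breach lists, reuse) would apply."""
    segments = walk_segments(password, min_run)
    if segments:
        return False, "contains keyboard walk(s): " + ", ".join(segments)
    return True, f"no keyboard walk of {min_run} or more keys"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real password set.
    for candidate in ["qwerty123", "1q2w3e4r-horse", "!q@w#e$r", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate))
```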

According to a study by Visa, one of the reasons we’re so bad at passwords is that we hate them. A lot. According to the Visa study, only about 1/3 of users follow the recommended practice of having a unique password for each online account. Almost two-thirds say that they have multiple passwords but share some passwords among accounts, while only about 7% admit to having a single password for every account they use.

The consequences of complex passwords

In a keynote session at last week’s CNP Conference, Jamie Uppenberg, director of digital products at Discover Global Network, said that the goal for online authentication and transactions, including those with passwords, is simple: “You want the purchase to be as forgettable as possible, as delightful as possible. Authentication is key and not many people are doing it well.”

Remembering and typing unique strong passwords makes for a high-friction transaction, and in the context of purchases, high friction is not forgettable.

At the same conference, Scott Adams, a CNP fraud and risk expert, said that an unintended consequence of requiring passwords that go beyond the easily remembered (and cracked) may be more fraud. “Provide the payment methods/features your customers want. If you don’t, fraudsters will.”

Adding to the tools fraudsters are able to employ are the huge stores of compromised login credentials stolen and shared among criminals in the last few years. “The Next Domino To Fall: Empirical Analysis of User Passwords across Online Services”, by Chun Wang, Steve T.K. Jan, Hang Hu, Douglas Bossart, and Gang Wang of Virginia Tech, contains this surprising pair of facts: “More than 70% of the users with reused passwords are still reusing the leaked passwords 1 year after the initial leakage. 40% of users are still reusing the same passwords leaked 3 years ago.”

Beyond bad passwords

Moving beyond passwords for user authentication remains a technological and economic challenge, though users say that they’re ready for the shift. According to the Visa study, roughly 3/4 of consumers say that they’re interested in using fingerprints for authentication, with roughly half of consumers identifying a move past passwords as the chief benefit of biometric identification technology.

Until biometric authentication becomes more widespread, best-practice suggestions for consumers are still important. In the conclusion to its report, Dashlane provides a list that contains no surprises for anyone in the security industry:

  • Use a unique password for every online account
  • Generate passwords that exceed the minimum of 8 characters
  • Create passwords with a mix of case-sensitive letters, numbers, and special symbols
  • Avoid using passwords that contain common phrases, slang, places, or names
  • Use a password manager to help generate, store, and manage your passwords
  • Never use an unsecured Wi-Fi connection


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/endpoint/authentication/more-than-half-of-users-reuse-passwords/d/d-id/1331892?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Advanced VPNFilter malware menacing routers worldwide

A newly-disclosed malware infection has compromised more than 500,000 home and small office routers and NAS boxes.

Researchers with Cisco Talos say the malware, dubbed VPNFilter, has been spreading around the globe, but appears to primarily be largely targeting machines in the Ukraine.


“Both the scale and the capability of this operation are concerning,” Talos writes in its alert.

“Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. While the list may not be complete, the known devices affected by VPNFilter are Linksys, MikroTik, Netgear and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.”

Talos says that in addition to being able to listen in on traffic and steal website credentials, the malware can listen in on Modbus SCADA device traffic (for things like industrial controllers). The malware also has destructive capabilities that would allow the attacker to damage or outright brick the infected device if they so desire.

Researchers do not yet know precisely how the malware is infecting so many machines, but Talos notes that all of the infected device models were known to have publicly available exploits.

While attributing the source of the malware won’t be easy (state-backed attacks are notoriously hard to pinpoint these days), Talos notes that the pattern of attack indicates the malware is part of a state-backed effort to create a versatile and effective botnet or data-harvesting campaign, and shows the hallmarks of previous Eastern European malware efforts.

“In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine,” Talos noted.

“While this isn’t definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country.”

Just to be safe, Talos is recommending that owners and administrators of home or small office routers reset the devices and restore to factory default in order to clear potential malware.

The security house is also reaching out to the handful of affected vendors in an effort to help develop a permanent fix and get firmware patches out to customers.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/23/vpnfilter_malware_menacing_routers_worldwide/

The Good & Bad News about Blockchain Security

Blockchain technology promises many things. But to succeed, it must offer users a better plan against hackers.

In a year of whiplash news cycles, bombshell stories, and incredible front-page scoops, one story — the blockchain and its potential world-shattering influence — has continuously dominated the news.

But blockchain technology — the endless link of cryptography-secured records that gave us Bitcoin but whose potential for other uses is limitless — is as controversial as it is conspicuous. Those who believe in the power of blockchain will take their worship to a near-religious level, while those who remain skeptical (or simply confused) by the complicated technology will tell you that it’s all hype. It’s a house of cards destined to fall, they’ll say, or they’ll tell you hackers will soon seize control of the entire system and leave us all penniless and destitute.

But here’s the thing: both sides are right, and also wrong. That’s because blockchain, in its current use, is incredibly restrictive. But if it can adapt and evolve as demand and interest grows, it could truly change the world.

What Is Blockchain?
First, a primer. Blockchain is, at its core, a method for humans to conduct secure, verified, and recorded transactions online without the use of a middle party. Bitcoin, in which money can be passed between online users without the presence of a bank or holdings company to verify and handle the transfer, is the most well-known type of blockchain.

It’s always been believed that when it comes to important transactions, such as casting a vote in an election or paying for the cost of goods, we need a dominant central authority to manage the transaction in order to verify that it was indeed carried out, and also that the process is secure and protected. The bank confirms that the money is, indeed, in the account. The elections commissions confirm that the votes are, indeed, accurately cast and counted.

But using a form of math called cryptography, blockchain has created a workaround. Cryptography ensures that records can’t be counterfeited or changed, and when you use blockchain to send money, track digital assets, or even share intellectual property, the entire community of blockchain users helps verify and secure the transaction, making it difficult for an outside party like a hacker to corrupt the system.

What Needs to Change?
In its current form, blockchain is very restrictive. Its proponents say that in 10 years we might use blockchain to pay our taxes. They declare that it will free up citizens to send money and aid to friends and family around the world, to build online businesses from the comfort of their home computers, and to free citizens from the financial grip of big banks and corporations who eat up their profits and don’t share the wealth down the food chain.

That may all be true, but not in its current form. Right now, blockchain touts itself as being fully anonymous — no one online knows who you are or where you’re located when you jump into the chain. It’s democracy in its purest, most unadulterated form.

But anonymity, even in the darkest corners of the Web, is never 100% guaranteed. If you make transactions online, those transactions can be traced and followed, and eventually they will lead, just like a trail of crumbs, to your true and honest identity. It may take some digging, but one should understand that, when joining blockchain, our identity might not be fully obscured.

So, first and foremost, for blockchain to survive and thrive in the future, its users need to accept this reality.

No Silver Bullet
Much of blockchain’s popularity comes from its reputation as an infallible currency. But there’s an old adage that applies here: if it seems too good to be true, it probably is. Blockchain uses public-key encryption schemes, which are quite hard to crack.

But just because the front door of blockchain is protected doesn’t mean the back doors and garage are secure. Endpoint vulnerabilities — insecure key storage, or an insecure platform — could easily lead to exposure. A more distant potential threat is quantum computing. Theoretically, popular public-key algorithms can be efficiently broken down by quantum computers (see Shor’s algorithm). If and when this becomes a reality, the underlying technology needs to change. There is also the looming possibility of “consensus” failure, when a significant number of participants team up against other members, especially considering the hostile geopolitical climate and locations of many mining farms. And let’s not forget that blockchain technology is tangled and complex, meaning hidden vulnerabilities in code can lead to catastrophe.

Who Is the Watchdog?
Blockchain, meet stumbling block: in a perfect, utopian world, watchdogs who provide central authority and regulation wouldn’t be necessary. And the liberation from the need for the middleman, and his controlling, profit-cutting, and potential corruption, is of course what makes blockchain appealing.

But all systems have a weakness, and all weaknesses are eventually exposed. Cryptocurrency funding is the Wild West — ICOs, or the initial coin offerings that bring funds to each new cryptocurrency venture — are totally unregulated. So, when the day comes that hackers take advantage of blockchain, the vacuum created by lack of a central authority will be deafening. In the case of loss or theft, central authorities are a lifeline. Who here hasn’t had a fraudulent transaction on their credit card fixed by a simple phone call to the bank? If you have a credit card, you don’t need to worry about theft. Should the worst happen, your money will be safely returned.

With blockchain, there is no such safety net. Blockchain, in order to survive, must find a way to remain democratic and open while still providing its users with some sort of security plan in place for the day that hackers take advantage of the system.

Blockchain offers great potential. To make it real, the next great innovation should pass three key hurdles: regulation, usability for the masses and unique use cases that can be fulfilled only through this technology. The world is waiting.

Michael is CTO of CyberGuild Ventures, a VC and venture builder dedicated to developing standout Israeli cybersecurity startups.
Michael has 30 years of industry experience transforming vision into marketable technology products for global enterprises and startups. During …

Article source: https://www.darkreading.com/endpoint/the-good-and-bad-news-about-blockchain-security/a/d-id/1331872?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple