Monthly Archives: June 2014

Microsoft stops email notification services

Redmond says that Canada’s new spam law is to blame.

On Friday, Microsoft told security notification subscribers that the service would halt operations on July 1.

From the email:

As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following:

  • Security bulletin advance notifications
  • Security bulletin summaries
  • New security advisories and bulletins
  • Major and minor revisions to security advisories and bulletins

In order to stay up-to-date on things, Microsoft encouraged subscribers to use their RSS service, which offers the same information.

The closure notifications came suddenly, causing confusion among some subscribers. However, Microsoft says the change is due to a new law in Canada, which goes into effect on the same day.

Canada’s anti-spam law would require organizations to obtain consent for bulk email lists, requiring customers or prospective customers to complete an explicit opt-in process, else the company could face a $10M CAD fine for sending mass notifications.

It isn’t clear why Microsoft has suddenly altered the 12-year-old notification system. In 2002, the email lists were created as a way to coordinate Patch Tuesday updates and keep IT professionals in the loop about security-related alerts. Under the new anti-spam laws, Microsoft would be exempt from the fines.

Microsoft would be exempt from such a penalty, because the law offers protection for those who maintain lists for “…warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased…”

Until July 13, Microsoft will register those who opt-in to their mailing lists for a drawing that promises a $500 CDN Microsoft gift voucher.

The promotion is only open to legal residents of Canada.


Via: csoonline

Google begins complying with European takedown requests

Google has begun removing search results in response to takedown requests from European citizens.

In May, the European Court of Justice (ECJ) upheld the right to be forgotten by ordering Google to remove search links to a 15-year-old newspaper article about a Spanish man’s bankruptcy.

The court ruled that an individual could demand that “irrelevant or outdated” information be deleted from results and that Europeans could seek redress from the courts if firms such as Google fail to respond.

Google is likely to be the company most affected by the ruling because it is the dominant search engine in Europe with 93% of the market, according to StatCounter global statistics.

By comparison, Microsoft’s Bing has only 2.4% of the European search market, and Yahoo has 1.7%.

The landmark ruling forced Google to introduce an online application form after it was inundated with more than 41,000 requests within four days of the ruling, reports The

“This week we’re starting to take action on removals requests that we’ve received,” a Google spokesman said.

“This is a new process for us. Each request has to be assessed individually and we are working as quickly as possible to get through the queue.”

Google would not say how many individuals’ search histories have been changed, or how many web pages have been affected.

Google searches in Europe that involve people’s names include the notice: “Some results may have been removed under data protection law in Europe”, and a link to a page explaining the ECJ’s ruling.

However, searches made on US-based do not include the same warning because the ECJ ruling applies only in Europe, reports The

Shortly after the ruling, Google executive chairman Eric Schmidt told the firm’s annual shareholder meeting that the case was a collision between a right to be forgotten and a right to know.

“From Google’s perspective, that’s a balance,” he said. “Google believes – having looked at the decision, which is binding – that the balance that was struck was wrong.”

But outgoing European Commission vice-president Viviane Reding said the ruling confirmed the need to bring data protection rules up to date.

“This is exactly what the data protection reform is about – making sure that those who do business in Europe respect European laws, and empowering citizens to take the necessary actions to manage their data,” she said in a posting on her Facebook page.


Via: computerweekly

German government terminates Verizon contract over NSA snooping fears

The German government is to end a contract for internet services with US-based telecoms firm Verizon over concerns of snooping by the US National Security Agency (NSA).

The decision highlights the impact controversial US government surveillance programmes are making on US technology firms.

Verizon has provided internet services to a number of German government departments and the current contract was due to run until 2015, reported the BBC.

Earlier this month, Germany announced an investigation into allegations by whistleblower Edward Snowden, that US spy agencies bugged chancellor Angela Merkel’s phone.

Verizon had not been implicated, but the allegations have put pressure on US technology firms doing business in Europe.

“There are indications that Verizon is legally required to provide certain things to the NSA, and that’s one of the reasons the co-operation with Verizon won’t continue,” said German interior ministry spokesman Tobias Plate.

“Furthermore, the ties revealed between foreign intelligence agencies and firms in the wake of the US National Security Agency affair, show that the German government needs a very high level of security for its critical networks,” he said.

In response to the German government’s decision, Verizon Germany’s managing director Detlef Eppig said in a statement: “Verizon Germany is a German company and we comply with German law.”

Transparency efforts

In an attempt to head off the impact of the Snowden revelations, Verizon published a transparency report in January 2014 outlining the number of law enforcement requests for customer information.

According to the report, Verizon received no demands from the US government for data stored in other countries during 2013.

Through the company’s policy blog, Verizon also attempted to dispel “persistent myths and questions” about the US government’s ability to access customer data stored in cloud servers outside the US.

“Our view on the matter is simple: the US government cannot compel us to produce our customers’ data stored in data centers outside the US and, if it attempts to do so, we would challenge that attempt in court,” the company said.

The blog post concludes by saying: “Whatever interpretations others may apply to US law, we want our position on the matter to be clear: there should be no concern about the US government compelling Verizon to disclose data our customers store in Verizon datacentres outside the US.”

Facebook’s legal fight

Facebook, in a similar attempt to distance itself from US government snooping, this week published a blog detailing the social networking firm’s efforts to fight bulk search warrants in court.

“Since last summer, we’ve been fighting hard against a set of sweeping search warrants issued by a court in New York that demanded we turn over nearly all data from the accounts of 381 people who use our service, including photos, private messages and other information,” said Chris Sonderby, Facebook deputy general counsel.

“This unprecedented request is by far the largest we’ve ever received—by a magnitude of more than ten—and we have argued that it was unconstitutional from the start.”

Sonderby said US government gag orders had prevented Facebook from discussing this case and notifying any of the affected people until now.

He said Facebook had complied with the order only after losing a “forceful” legal challenge.

Sonderby said Facebook is continuing its efforts to invalidate these “sweeping warrants” and to force the government to return the data it has seized and retained.

“We recognise that law enforcement needs to investigate potential crimes, but we believe all government data requests must be narrowly tailored, proportionate to the case and subject to strict judicial oversight,” he said.

Germany has led European opposition to privacy infringement by US technology firms, with its strict privacy laws presenting challenges to US firms such as Google and Facebook.

Germany has also proposed building European networks to enable citizens to avoid relying on US firms.


Via: computerweekly

Google trumps Microsoft’s 1TB of storage with unlimited space

For an extra $5 per month per user, Google Apps for Business customers get unlimited storage space and the Apps Vault service.

Google answered Microsoft’s boost of cloud storage space by announcing it would give customers of its Google Apps for Business an unlimited amount of storage for an additional $5 per month per user.

Sundar Pichai, the Google executive who oversees Android, Chrome and Google Apps — and who led the keynote at the company’s I/O developers conference Wednesday — announced the unlimited storage for Google Drive for Work more than two hours into the long presentation.

Google Drive for Work has been the name for the cloud-based storage service linked to Google Apps for Business, the search company’s online application suite. Previously, Google included 30GB of storage for each user — Google Apps for Business runs $5 per user per month, or $50 annually — and charged an additional $5 per user per month for Google Apps Vault, an archiving, document preservation and e-discovery add-on.

Vault did not add more storage to each user’s allowance; instead, companies had to pay for the additional space. An extra 1TB ran $9.99 per month per user.

On Wednesday, Google maintained the price of Vault, but threw in unlimited storage as a bonus. For a total of $10 per user per month, business customers receive Apps for Business, Vault and unlimited storage.

Companies that have been paying for all of Apps for Business, Vault and an extra terabyte will thus halve their monthly bills and get a boost to unlimited storage in the bargain. Customers that have not bought Vault, but have purchased a terabyte, will pay 33% less under the new deal.

One caveat is that plans sold to customers with fewer than five users will be capped at 1TB per user.

Organizations that stick with the basic $5-per-user-per-month Google Apps for Business plan will continue to receive 30GB of storage gratis.

The Mountain View, Calif.-based company’s move came just two days after rival Microsoft — the two have long been locked in an enterprise productivity battle — announced it was boosting the free storage allotment for Office 365 users to 1TB.

Office 365 is Microsoft’s “rent not own” software subscription plan that features the latest versions of the applications in Office 2013 (Windows) and Office for Mac 2011 (OS X).

Google’s Apps for Business website has been changed to reflect the addition of unlimited storage. Current customers can upgrade via their administrative console.


Via: computerworld

Google Launches Drive For Work With Unlimited Storage For $10/Month

At its I/O developer conference today, Google didn’t just launch a completely revamped version of Drive. It also launched Drive for Work, a new version of Drive and Google apps for businesses that comes with a number of extra security features. The one feature most users will notice first, however, is that Drive for Work doesn’t have any storage limitations.

If you’ve followed along, this doesn’t come as a major shock. Google already reduced the price of Drive storage drastically earlier this year. As Google Drive’s director of product management Scott Johnston told me earlier this week, IT departments shouldn’t have to think about storage anymore, but as many services moved to the cloud, storage pricing was somehow left behind.

Now, with a $10/month/seat Drive for Work subscription, users won’t have to worry about that anymore. To clearly show that Google is serious about this, the team has also raised the maximum file size for uploads to 5 terabytes. Nobody in their right mind is going to upload a 5 terabyte file to Drive anytime soon, but if you feel like testing it out, be Google’s guest.

The regular Google Apps for Business account is still available for $5/month/seat, too, and users on those accounts will also get access to the new web interface and updated mobile apps.

While unlimited storage is the most eye-catching feature of Drive for Work, though, it also comes with a number of other tools that businesses have been asking for. Just like the current $10 Apps for Business plan, Drive for Work includes support for Google Apps Vault, for example, which allows companies to retain files and emails for compliance reasons.

The new subscription also gives companies access to the Drive’s audit features so they can track who accesses which documents and where they are shared. In addition, Google has launched an Audit API so that companies can create their own dashboards based on this data.

Drive for Work, Google tells me, also offers enterprise-grade security and compliance, including an SSAE 16 / ISAE 3402 Type II, SOC 2-audit, ISO 27001 certification, and adherence to the Safe Harbor Privacy Principles, and it can support industry-specific requirements like HIPAA.

In a similar vein, Drive for Work also allows businesses to set more fine-grained access controls and lets them turn certain Drive features like sync on or off for different business groups (in case you don’t want your legal team to be able to sync files, for example).

As Johnston told me, companies of all sizes have been asking Google for these features. While tools like Vault may seem most useful for larger corporations, many small- and medium-sized businesses have been asking for many of these features, too — not necessarily because they need them now, but because they want to know that those tools will be there as they grow.


Via: techcrunch

Most ISPs don’t deliver on their advertised broadband speeds

Verizon DSL fared the worst in an FCC study.

The majority of ISPs aren’t providing customers with the broadband speeds they’re paying for, according to the most comprehensive report on the issue to date by the Federal Communications Commission (FCC).

The FCC’s latest State of U.S. Broadband report shows that major ISPs deliver less than their advertised speeds to a majority of customers.

The report focused on four ISP technologies — DSL, cable, fiber and satellite – and examined offerings from 14 of the largest broadband providers, which collectively account for well over 80% of U.S. residential broadband connections, the FCC said.

Of the major broadband providers — Verizon, Time Warner, AT&T and Cox – Verizon DSL fared the worst.

Percent of advertised to actual download performance by provider. (Chart: FCC).

Average peak period download speeds per ISP varied from a high of 139% of advertised speed (ViaSat/Exede) to a low of 83% of advertised speed (Verizon DSL). During peak hours, the study found upload speeds decreased on average by 3.9%, reflecting the added traffic on the broadband lanes.

With the exception of Verizon DSL, CenturyLink, Frontier DSL and Windstream, all other ISPs met 90% of advertised performance or better, on average, during peak periods. “Notably, these four [slower] ISPs use DSL technology,” the study stated.

During peak hours, cable-based services on average delivered 102% of advertised speeds and fiber services delivered 113% of those advertised speeds. Satellite delivered 138% of advertised speeds, the FCC said in its report.

Average peak burst download and upload speeds as a percentage of sustained speed by provider. (Chart: FCC).

“Consumers deserve to get what they pay for,” FCC Chairman Tom Wheeler said in the report. “While it’s encouraging to see that in the past these reports have encouraged providers to improve their services, I’m concerned that some providers are failing to deliver consistent speeds to consumers that are commensurate to their advertised speeds. As a result, I’ve directed FCC staff to write to the underperforming companies to ask why this happened and what they will do to solve this.”

The FCC study noted that consumer Internet traffic is asymmetric, meaning more people download content than upload it. So, most service providers typically have far higher download than upload rates.

The FCC noted that Verizon offers upload rates as high as 35 Mbps and Frontier offers 25 Mbps, more than twice that of the next ISP.

“With the exception of these two service providers, no other provider in the study offers rates that are higher than 10 Mbps,” the FCC stated in their report. “Several cable companies (Comcast and Cox) doubled their maximum upload rates this year from approximately 5 Mbps to 10 Mbps.”


Via: computerworld

When leadership gets on board for Security

Why has the Board of Directors suddenly gotten on board with the importance of cybersecurity? For years, security was a four-letter word that meant ‘spend lots of money and get nothing in return’. Suddenly this seemed to be changing. But why?

A couple of months ago I had a deep discussion with a number of CSOs about why the Board of Directors has suddenly gotten on board with the importance of cybersecurity. For years, security was a four-letter word that meant ‘spend lots of money and get nothing in return’. Suddenly this seemed to be changing. But why?

In the middle of this deep discussion, lubricated with plenty of wine, scotch and red meat, someone said, “my CEO came back from Davos this year with a whole new sense of urgency around cybersecurity.” Another CSO noted that her CEO had returned from Davos the year before having “found religion”. What they were referring to is the annual meeting of the World Economic Forum held each winter in Davos, Switzerland. It’s a gathering of leaders, both political and business, who come together to discuss and tackle some of the world’s most pressing issues. Apparently, something was up at Davos, so I decided to take a look.

In 2012, these leaders decided that cybersecurity was a critical-enough economic issue that it needed to be addressed because of the significant risk it poses to the global economy. In that year they created the Partnering for Cyber Resilience Initiative. This Initiative was to investigate the issue and report back the following year. In 2013, in addition to agreeing that the greatest risk facing cyber comes from mobile devices, they also agreed that cybersecurity needs to be a regular item on the agenda of the Board of Directors. As they put it, “Cybersecurity must be hard-wired into (the) management practice throughout the organization – like brushing your teeth”. It was at this point in my research that everything began to get clear.

Fast forward to January of 2014, this year’s meeting in Davos. The WEF, in partnership with McKinsey & Co., issued their report “Risk and Responsibility in a Hyperconnected World”. In addition to outlining the challenges posed by cybersecurity and a proposed framework for addressing the challenges, it projects that by 2020, the total economic cost of ineffective security will top $3 trillion globally. This is a number that is getting everyone’s attention because it looks not only at direct losses, but also at unrealized value creation as businesses and individuals avoid “digitization” – or the adoption of technology.

The Partnership for Cyber Resilience is headed in the right direction, and is achieving things I didn’t think were possible – getting the attention of senior management. But…not every company or board pays attention to what’s happening at Davos, and that’s unfortunate. If your leadership needs a little “push” in understanding the importance of cybersecurity, please share the WEF/McKinsey report with them.


Via: csoonline

If you lose your key staff, are you prepared to maintain security?

Leaders need to assess and prepare for the security impact of key people leaving the organization while making it better for those who stay.

The LinkedIn alerts announcing connections with new positions seem to come more frequently. Perhaps my anecdotal experience matches a recent headline proclaiming that nearly two-thirds of IT staff is actively looking — and preparing — to find a new job in the next two years.

The challenge of a headline designed for attention is figuring out how much is wishful thinking versus those with a foot already out the door. In my experience, situations like this never work quite as expected (for anyone).

Headlines aside, it poses an important — and commonly overlooked — question:

“Are you prepared to lose more than half your staff?”

Considering three types of people in your organization

Whether driven by external circumstances, a poor fit, or something else, as a leader, pay attention to three categories of people:

  • Happy and plan to stay
  • Want to leave, but may not for a variety of reasons
  • Will leave (or in the process of leaving)

Awareness of these categories and the tendency for people to move through them during their careers guides action. It’s not a suggestion to scrutinize and score the team (lest it cause more problems). Instead, this is an opportunity to assess the environment and get a sense of how things are going for the people who work there.

Are you creating an environment where people want to stay?

When considering the potential of someone to stay or go, place emphasis on understanding the context they work in. The environment contributes greatly – often reported more than salary – to whether someone stays or leaves.

Does your environment:

  • Reward people for their contributions, creating a reason to stay and a pathway for the future?
  • Give people a voice, let them use it, listen, and then act on what was learned?
  • Offer training and support necessary for career advancement — as well as for backup and resilience?

“What if we train them and they leave?” asks a manager.

“What if we don’t, and they stay?” replies the leader.

  • It’s important to keep engaged, productive team members happy. By creating a culture that listens and provides for the growth of your people, they’re more likely to stay. And if they leave, perhaps they part on better terms.
  • More broadly, however, it makes it easier to attract new people to the team when the time comes.


Preparing for the loss of key personnel

  • All-too-often, companies don’t fully appreciate the role someone played until they are gone.
  • Start by assessing key positions and roles. The trick is gaining clarity of roles, responsibilities, and influence without creating more problems. Push past politics and the desire for everyone to be essential to truly understand where a departure would create a lapse in security or hardship for the team.
  • When key roles are identified, explore how the work is done. Pay attention to the knowledge and experience taken for granted. Consider the role automation and training play in improving the functioning of the team, reducing reliance on single people, and building more resilience into the team.
  • Initially, it might make sense to keep this as a quiet mental exercise. Depending on your current environment, undertaking an exercise like this may be misconstrued and create more tension and problems instead of improving the situation.

Start with a conversation

  • People are already talking about leaving – or those who might. That makes it a great conversation with your team – and your colleagues. Talk about the security implications of losing key people. Ask them for suggestions and allow individuals the responsibility of documenting, training, and improving the process.
  • You may find that candid discussions lead to a stronger team and better security. And if someone leaves, at least you’ll be better prepared.
  • What steps are you taking to maintain security in the event your staff leaves?


Via: csoonline

Maybe it really does matter who the CISO reports to

The debate over CISO reporting structure reared its head again in the wake of Target’s hiring of former GM CISO Brad Maiorino.

Target’s recent appointment of Brad Maiorino was received with great fanfare this past week, an indication that Target was willing to bring in the “big guns” to address security in the wake of last Fall’s massive data breach at the big box retailer. But the disclosure that the position will report to Target’s CIO has rekindled the debate about what the most effective reporting structure should be for the CISO to deliver better overall security.

In last week’s ‘SANS Newsbites’ newsletter, Stephen Northcutt, Shawn Henry and John Pescatore debated the wisdom of this reporting structure with Northcutt and Henry arguing that it diminishes the effectiveness of the CISO. Pescatore, on the other hand, claimed, “there is zero real-world correlation that security goes up – or down (when the CISO reports to the CIO)”. While I agree with John that the relationship between the CISO and his/her boss is critically important to the CISO’s success, I am compelled to point out that there actually is empirical data supporting the argument that having the CISO reporting outside of the CIO’s office does improve the organization’s security when measured against downtime and financial losses.

This finding comes from the 2014 Global State of Information Security Survey, conducted each year, for more than a decade, by PwC, CSO and CIO magazine. I’ve not previously called-out this data because I thought this argument had been put-to-bed…apparently I was wrong. So here it is:

  • with more than 9,000 respondents from around the globe, the survey found that those organizations in which the CISO reported to the CIO experienced 14% more downtime due to cyber security incidents than those organizations in which the CISO reported to the CEO
  • and, when the CISO reported to the CIO, financial losses were 46% higher than when the CISO reported to the CEO. In fact, having the CISO report to almost any position in senior management other than the CIO (Board of Directors, CFO, etc.), reduced financial losses from cyber incidents

I also examined the findings from the 2013 survey and found the same basic conclusion: reporting to the CEO or the Board of Directors, instead of the CIO, significantly reduces downtime and financial losses resulting from cyber security incidents.

I’ve always believed that not every organization is the same and that no one model will work everywhere. However, there’s a lot to be said for having IT security leadership report to the top of the house, but not to the CIO: the reduction in conflict of interest between the CIO’s objectives and the CISO’s objectives, the ability to escalate issues to the top of the house, as well as the opportunity it provides for security to influence corporate leadership. It’s critical that the CISO and the CIO work together towards the common goal of aligning security with the business objectives and risk appetite of the organization, but it’s clearly best done when they are peers with an equal voice in the discussion.


Via: csoonline

How to avoid having your cloud-hosted business destroyed by hackers

Experts outline steps to avoid a fate like Code Spaces.

The demise of Code Spaces, a code-hosting service that had its customer data deleted by extortionists, is an example of the dire consequences from inadequate cloud security.

The criminals destroyed the service, run by Wayne, N.J.-based AbleBots, after gaining access to the control panel Code Spaces used to manage its infrastructure on Amazon Elastic Compute Cloud (EC2).

With that powerful tool in hand, the hackers deleted most of the service’s data, backups, machine configurations and offsite backups. The ruinous security breach, which occurred this week, followed the attackers’ unsuccessful attempt to extort money.

Technical details of the attack are unclear, but experts say the assault is a reminder of what can happen when cloud-based environments and assets are not adequately secured.

Protective measures could include meticulous backup and disaster recovery plans and solid access control tools, particularly those that would apply tough restrictions on privileged access, experts say.

Also, Code Spaces should not have had so much so easily accessible from one control panel.

“They were naive to a number of basic security precautions and best practices,” Adrian Sanabria, senior security analyst for 451 Research, said. “They put all their eggs in one basket.”

The company is unlikely to ever recover, because no one would trust them with their code again, Sanabria said. “Literally with a few clicks, the company was done.”

Among the specific actions CSOs can take to avoid a similar fate when using a cloud service provider is to enforce two-factor authentication for logins to critical infrastructure, Tod Beardsley, Metasploit engineering manager at Rapid7, said. In addition, privileged access should be limited only to those people who need it.

“Aside from that, having a locally controlled backup of any irreplaceable intellectual property is a must, and an in-house plan for service interruptions,” Beardsley said.

Rapid7 interviews the CSOs of the cloud organizations it uses to determine their incident response readiness, Beardsley said.

“Ultimately, you do have to trust these cloud service providers in their responses, but you can get a good sense of their security preparedness just by talking to them,” he said. “If the prospective cloud services provider is vague or evasive about what protections and recovery procedures they have in place already, it’d be worthwhile to look at alternatives.”

Ruihai Fang, senior analyst for IT security consultancy Bishop Fox, had a few other recommendations for CSOs:

  • Don’t hardcode credentials or access keys anywhere.
  • Enforce a key rotation every 90 days, which is what Amazon recommends.
  • Take the extra time to properly set up identity and access management (IAM) permissions on the Amazon EC2 accounts and on access keys. “Avoid using the default IAM permission provided by Amazon,” Fang says.
  • Develop a strong password policy. The default setting for passwords should be at least 10 characters.
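The recommendations above (two-factor logins, no hardcoded keys, 90-day rotation, a 10-character password minimum) can be checked mechanically. The following is an added example, not code from the article or from Amazon: it audits a constructed sample laid out like an IAM credential report, and the sample rows, the audit date, the finding codes and the function names are all assumptions.

```python
import csv
import io
import re
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90     # rotation interval quoted in the article
MIN_PASSWORD_LENGTH = 10  # password minimum quoted in the article
AUDIT_DATE = datetime(2014, 6, 30, tzinfo=timezone.utc)  # assumed "today"

# Constructed sample using a subset of the IAM credential report columns.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,true,true,true,2014-05-20T09:00:00+00:00,false,N/A
bob,true,false,true,2013-11-02T14:30:00+00:00,false,N/A
deploy-bot,false,false,true,2014-06-01T00:00:00+00:00,true,2014-01-15T00:00:00+00:00
carol,true,true,false,2012-08-08T08:00:00+00:00,false,N/A
"""

# Long-term IAM access key IDs start with "AKIA" followed by 16 characters.
ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def audit_credential_report(report_csv, now=AUDIT_DATE):
    """Return (user, code, detail) findings for missing MFA and stale keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Two-factor authentication for every account that can log in.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "NO_MFA", "console password without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # an inactive key cannot authenticate
            rotated = row[f"access_key_{slot}_last_rotated"]
            if rotated == "N/A":
                # Active key with no rotation date: age unknown, so flag it.
                findings.append((user, f"STALE_KEY_{slot}", "no rotation date"))
                continue
            age = (now - datetime.fromisoformat(rotated)).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append((user, f"STALE_KEY_{slot}", f"{age} days old"))
    return findings


def audit_password_policy(policy):
    """policy: dict with MinimumPasswordLength, or None if no policy is set."""
    if policy is None:
        return ["NO_PASSWORD_POLICY"]
    if policy.get("MinimumPasswordLength", 0) < MIN_PASSWORD_LENGTH:
        return ["PASSWORD_TOO_SHORT"]
    return []


def find_hardcoded_key_ids(text):
    """Return (line_number, key_id) for each access key ID found in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        hits.extend((number, m.group()) for m in ACCESS_KEY_ID.finditer(line))
    return hits


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
    print(audit_password_policy({"MinimumPasswordLength": 8}))
    # AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
    print(find_hardcoded_key_ids('region = "us-east-1"\nkey = "AKIAIOSFODNN7EXAMPLE"\n'))
```

An inactive key, however old, is not reported here (carol's row); deleting such keys is a separate housekeeping decision.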


Via: csoonline