Monthly Archives: March 2015

One Small Step For Unbundling, One Big Leap For HBO

This week HBO finally announced the arrival of HBO Now, a streaming over-the-top access pass to HBO content for $14.99 a month.

It will debut exclusively on the Apple TV for a three-month period (the first of which will be free to new users) and then expand to other platforms.

And after years of anticipation, debate and scrutiny, the process of unbundling the cable package has finally begun in a real way. The service takes HBO out from under the thumb of cable providers, such as Time Warner Cable and Comcast, and puts it squarely in the hands of consumers, whether or not they pay for 200 other channels.

Media companies have been fighting this transition away from cable for a long time. When Aereo provided over-the-top monthly access to live television through a rentable antenna, broadcasters such as 21st Century Fox, NBC, ABC and Fox joined together to drain the company dry of resources through long, and ultimately fatal, legal battles.

But as companies like Time Warner Cable and Comcast start to lose pay-TV subscribers as they grow in broadband customers, the argument that these media networks are making for the bundle is dwindling.

HBO Go. Now. First.

HBO is in a unique position to go over-the-top. For one, it holds some of the most in-demand and profitable content available on television. Customers have not only proven that they will pay $15 a month for access to their content, but in some cases will pay ~$100 on top of that just for access at all, as was required until the announcement of HBO Now.

HBO has also been testing the virality of standalone HBO for years now with HBO Go. One of the main obstacles in over-the-top content for a media company is that cable providers are not only distributing their content, but they are providing customer service, as well as built-in marketing. A cable package inherently provides access to channels customers may have yet to discover, not to mention cross-channel campaigns advertising new television programming and upgrade promotions for new tiers of service.

HBO doesn’t want to sacrifice cable as a built-in marketing tool for its own content, but it has also seen the power of the password at work.

HBO CEO Richard Plepler said in an interview in January 2014 that he saw the sharing of HBO Go passwords as a marketing tool.

https://youtu.be/NLNNL98uFXM

Plepler: To us, it’s a terrific marketing vehicle for the next generation of viewers, and to us, it is actually not material at all to business growth.

BuzzFeed: So the strategy is you ignore it now, with the hopes that they’ll subscribe later…

Plepler: It’s not that we’re ignoring it, and we’re looking at different ways to affect password sharing. I’m simply telling you: it’s not a fundamental problem, and the externality of it is that it presents the brand to more and more people, and gives them an opportunity hopefully to become addicted to it. What we’re in the business of doing is building addicts, of building video addicts. The way we do that is by exposing our product, our brand, our shows, to more and more people.

They’ve been watching the way that passwords travel across the country, from household to household, from device to device. They see what it means for one paying subscriber to spread HBO to their social graph. Netflix has data around the same form of word-of-mouth marketing, with its offering of multiple user profiles for each account.

And though HBO can’t necessarily provide customer service or billing to HBO Now customers, distribution partners like Apple and potentially Amazon could help fill in the missing pieces with HBO offering them a cut similar to the one they pay cable providers.

Which is why Plepler is encouraging broadband providers to join the fold and offer HBO Now over the top to broadband-only subscribers.

Vocabulary Check

It is now slightly inaccurate to just call a company like Comcast or Time Warner Cable a “multichannel video programming distributor.” That’s the industry name for what they do, but it’s also a misnomer, considering how much of their business is now being driven by broadband.

After all, 2013 was the first year that there were more broadband subscribers than pay-TV subscribers. For two years now, both Time Warner Cable and Comcast have lost pay-TV subscribers* but have grown in the number of broadband subscriptions they sell.

But fret not, you pitiful soul that feels any ounce of compassion toward an ISP. This isn’t a bad thing for “broadband providers,” as they’ll henceforth be known.

With video content pouring into Apple TVs, Rokus, smart TVs, tablets, smartphones and laptops, the demand for broadband service only goes up. Sure, some broadband providers also own media properties that themselves benefit from the cable package, the way that Comcast’s media properties do.

But broadband providers without any media properties (such as Time Warner Cable) would benefit from The Great Unbundling. So would smaller local broadband/cable providers who can’t keep up with the increasing price of television content rights.

And though some broadband providers own different media properties (and don’t underestimate just how complex this web is), one truth remains the same: These guys own the pipes. Netflix, HBO Go or regular cable television wouldn’t be possible were it not for the large capital investment made by cable providers who now oversee access to the Internet.

In an interview with Re/Code’s Peter Kafka, Plepler makes his argument to broadband providers:

This is not binary. This is multilateral. Nobody is doing us any favors launching an HBO Now over-the-top product in their broadband-only services but instead choosing to enhance their own business. So we’re trying to make the logical argument that this is an additive proposition. And I think reasonable businessmen and women will see that as true.

You’ve got gold in the hills. We’re turbocharged for you to grow your business. Why wouldn’t you join us? Now — if you think we’re going to get stuck at the door and not be able to have maximum flexibility in growing our brand — that, I’m afraid, is not a tenable proposition either.

Not Alone

HBO isn’t the only media property looking to deliver on-demand streaming content to its customers.

Viacom also announced that it would be offering a standalone streaming service for Nickelodeon, where the company has seen a slight hit in viewership due to competition from kids’ streaming services on Netflix and Amazon. And we can’t forget YouTube for Kids.

Viacom is in an interesting position as it holds on to excellent programming in relatively niche categories, such as Music and Comedy. This is important because in the long term, if media properties are forced (through cable cutting) to unbundle and sell over-the-top, the piece that they will no longer be able to provide is breadth. Right now, you can watch almost anything on television, from a show about a dog trainer to an entire channel dedicated to infomercials to 24-hour weather.

This is made possible through the bundle. Media companies can afford to make more TV, despite how expensive it is, based on the price they can charge for their most-demanded content. Through the marketing channel of the cable providers, they can grow their own brands. It works, except for the part where consumers are paying for things that they don’t care about watching.

This puts all the more pressure on a company like Viacom, which depends so greatly on the cable provider, to begin building its brand through other distribution partners. Cable channels like MTV and Nickelodeon have brand recognition strong enough to enter the over-the-top market early in order to test against obstacles like pricing, marketing, advertising and customer service.

These shifts in the landscape are slow, but you can see hints of what to expect from what is already available. WatchESPN, the media streaming service attached to a cable subscription, is currently allowing some password sharing in the same way that HBO Go did. YouTube is renting out content. DISH Network is pushing its ‘any device, anywhere’ Sling service. It’s happening.

New Leaders

Netflix ended 2014 with more than 39 million U.S. subscribers. For some perspective, Comcast ended 2014 with more than 22 million cable TV subscribers.

Through brute force, Netflix has forced another option into the market that offers loads of content all at once, on any device, without any advertisements. Not without its sacrifices, the Netflix model has proven the consumer love for on-demand content, binge-able seasons, and multi-platform convenience. And as a major player in content distribution, Netflix has forged its own path in media creation with properties like Orange Is The New Black and House of Cards, among others.

Meanwhile, Amazon is focusing on solving problems of the future by integrating consumer choice in a new, more cost-effective way. Since as early as 2012, Amazon Studios has been developing sets of series pilots, waiting to gauge consumer interest and demand before following through on completing development of the season.

And let’s not forget Hulu, which, to some degree, is massaging out the problem of advertising in a new, unbundled world. With advertising comprising the majority of media network revenue, Hulu’s method of offering customizable (and thus more targeted) ads is an interesting potential compromise between consumers and media companies.

To Improve Is To Change

To perfect is to change often.

That’s something the media industry has done a lot of. From radio to broadcast to cable to broadband, we’ve seen mergers and acquisitions and spin outs and buyouts. It’s a slow change, but it’s always happening.

As cable providers continue to lose video subscribers and transform into broadband companies, providing us with the growing amount of connectivity we need to consume this media, we, as consumers, enter into a balancing act.

With the launch of HBO Now, HBO is teetering between two demographics. Like TechCrunch parent company Aol, which makes a significant portion of its revenue through dial-up, HBO still has a huge base of subscribers who pay the extra $15 to receive that service on top of their usual cable.

These people (we can assume that the majority of them are from older demographics) watch TV the same way that they always have, perhaps recording a few of their favorite shows to skip through commercials. But we can also assume that they enjoy turning on the Cooking Channel, or CNN, or the Weather Channel, all of which took less of a hit in 2014 than ESPN, which we can assume caters to both an older and a younger demographic.

No one can afford to make this shift in one fell swoop; rather, we’ll continue to watch traditional cable providers, media networks, new distributors (such as Netflix, Amazon and Apple) and advertisers test and evolve as they balance our demand.

We are the test. Each click. Each download of Watch ABC or Fox Now or WatchESPN. Each password shared. Each cable bill paid.


Via: techcrunch

PCI requirement to test security systems a compliance weak point for orgs

In Verizon’s 2015 PCI Compliance Report, one requirement within the Payment Card Industry Data Security Standard (PCI DSS) stood out as a weak spot for businesses. Among the 12 requirements specified in the Standard, Requirement 11 – which states that organizations should regularly test security systems and processes – was the only area where compliance dropped between 2013 and 2014.

Verizon’s report, published Thursday (PDF), showed that compliance with the remaining PCI DSS requirements improved for enterprises, particularly for authenticating access to cardholder data (Requirement 8).

Over the time period, for instance, the percentage of companies compliant with Requirement 11 at their interim assessment fell from 40 percent to 33 percent, the report said. In contrast, the remaining requirements charted an average rise in compliance of 18 percent across the board.

Within Requirement 11 (PDF), the testing procedures that companies most often failed, and most often used a compensating control for, were those that “validate the detection and identification of all authorized and unauthorized wireless access points on a quarterly basis” (under Requirement 11.1) and those that deploy change-detection mechanisms such as file integrity monitoring (under Requirement 11.5), the report said.
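As an added illustration of the change-detection control Requirement 11.5 asks for (this is not code from Verizon, the PCI SSC or the report), the following Python script builds a hash baseline of a directory tree and reports what a later scan finds added, removed or modified. The directory layout, the files and the changes the demo simulates are all constructed for the example.

```python
"""Baseline-and-compare file integrity monitoring (FIM), the change-detection
control PCI DSS Requirement 11.5 asks for. Added illustration; the directory
layout and files below are constructed for the demo."""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Record content hash, size and permission bits of every regular file under root.
    Symlinks are skipped so a link pointing outside the tree cannot be monitored by proxy."""
    root_path = Path(root)
    baseline = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        info = path.stat()
        baseline[path.relative_to(root_path).as_posix()] = {
            "sha256": _sha256(path),
            "size": info.st_size,
            "mode": stat.S_IMODE(info.st_mode),
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; a permission-only change counts as modified, not just content."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, path) -> None:
    # In production the baseline lives somewhere the monitored host cannot rewrite it.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Build a constructed tree, snapshot it, then change it the way a later scan would see."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        monitored = root / "pos"                       # the tree under FIM
        (monitored / "etc").mkdir(parents=True)
        (monitored / "bin").mkdir()
        (monitored / "etc" / "pos.conf").write_text("db=cardholder\n")       # constructed
        (monitored / "etc" / "old.conf").write_text("retired\n")              # constructed
        (monitored / "bin" / "agent").write_bytes(b"\x7fELF-placeholder")     # constructed
        store = root / "baseline.json"                 # kept outside the monitored tree
        save_baseline(build_baseline(monitored), store)

        # The scheduled scan later sees one config edited, one file gone, one unexpected binary.
        (monitored / "etc" / "pos.conf").write_text("db=cardholder\ndebug=true\n")
        (monitored / "etc" / "old.conf").unlink()
        (monitored / "bin" / "extra.bin").write_bytes(b"unexpected")
        return compare(load_baseline(store), build_baseline(monitored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the assessment is the ongoing comparison, not the one-off snapshot: the baseline has to be refreshed through change control and stored where a compromised host cannot overwrite it, and the scan has to run on a schedule and alert, or it is exactly the kind of control that decays between assessments.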

As a Qualified Standard Assessor (QSA) certified by the PCI Security Standards Council to audit companies for PCI DSS compliance, Verizon found that 14 percent of companies used a compensating control within Requirement 11. According to a PCI DSS reference guide, compensating controls can be considered when an entity “cannot meet a requirement as explicitly stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation” of the controls.

For the 2015 report, Verizon based its findings on quantitative data collected by its QSAs who performed PCI DSS compliance assessments between 2012 and 2014. In addition, “[the] data was augmented by analysis of forensic investigation reports by our security practice, the authors of the Verizon Data Breach Investigations Report (DBIR),” the company said of its methodology.

In an interview, Andi Baritchi, global managing principal of PCI Consulting Services at Verizon, said that a lack of sustainability within organizations likely drove the compliance dip for Requirement 11. But, the trend was “pervasive throughout the whole report,” he noted.

“Lack of sustainability is a major theme,” said Baritchi, who co-authored the compliance report. “Too many companies treat compliance as a once-a-year activity.”

A major takeaway from the report, for instance, was that less than a third (only 28.6 percent) of companies were still fully compliant less than a year after successful validation, the report said.

“There are a number of possible reasons for this,” the report continued. “First, it’s very easy to fall out of compliance if you don’t have robust procedures in place for managing and maintaining it. And second, a compliance assessment can only ever be a snapshot. All it in fact proves is that the company was able to demonstrate compliance at that moment, for the selected sample of sites, devices and systems checked.”

Verizon advised companies to implement a “robust framework with security policies, procedures, and testing mechanisms” to improve continuous compliance.

In a statement, Stephen Orfei, general manager of the PCI Security Standards Council, spoke to the report’s focus on building sustainable security into business operations.

“Often an organization’s approach to PCI security is to focus on passing the annual compliance assessment,” Orfei said. “But this is just the start of a vigilant, proactive security program. Only a combination of people, process and technology, and a focus on making security a ‘business-as-usual’ practice will help thwart these constant threats.”


Via: scmagazine

Clinton emails unencrypted for 3 months, AP sues State for access

On the same day that a Venafi TrustNet blog revealed that former Secretary of State Hillary Clinton’s email went unencrypted for three months, The Hill reported that the Associated Press (AP) was filing a suit against the State Department to obtain the release of Clinton’s emails.

The AP has been frustrated by the department’s failure to fully respond to Freedom of Information Act (FOIA) requests regarding the email and other documents.

Clinton has said she used a private email service set up for former President Bill Clinton out of convenience and noted that her email hadn’t been breached. After conducting a digital certificate analysis for clintonemail.com, Venafi found that during the first three months of Clinton’s term “access to the server was not encrypted or authenticated with a digital certificate.”

Encryption for smartphones, browsers and tablets, enabled in 2009, is valid “through at least 2018.”


Via: scmagazine

Self-deleting malware targets home routers to gather information

Researchers with Trend Micro have analyzed malware that first connects to home routers and scans for connected devices, and then sends the information it gathers to a command-and-control (C&C) server before deleting itself without a trace.

The malware was detected by Trend Micro as TROJ_VICEPASS.A, or VICEPASS, and it has been observed infecting users that navigate to malicious websites hosting a purported Adobe Flash update, according to a Monday post by Kenney Lu, of Trend Micro.

Once downloaded and executed, the malware uses a predefined list of usernames and passwords to attempt to connect to the home router, Lu wrote. Some of the usernames include admin, D-Link, guest, root and user, and some of the passwords include 12345678, admin, password and qwerty.

“This malware appears to be used primarily for intelligence gathering,” Lu told SCMagazine.com in a Tuesday email correspondence. “Specifically, it enumerates as many connected devices as possible, attempts to connect to them and returns a list of results to the command-and-control server.”

When connected to the home router, the malware scans for devices using various strings in its search, including dlink, d-link, laserjet, apache, cisco, gigaset, asus, apple, iphone, ipad, logitech, samsung, and xbox, Lu wrote in the post.

Lu said that the malware “will affect every device in the target network. If it finds any of these vendors’ devices, the devices will be given a specific vendor name, [and] other devices will be marked as ‘unknown’.”

The search results are encrypted using Base64 and a self-made encryption method, and are sent to the C&C using HTTP protocol, Lu wrote in the post, explaining that the malware will then delete itself and remove any trace of its existence.

In the post, Lu suggested that attackers could be using VICEPASS for reconnaissance for bigger campaigns. He wrote that the information gleaned from the malware could also be stored and used for future cross-site request forgery (CSRF) attacks.

To protect against these types of threats, Lu suggested using strong passwords, not clicking on links in emails, and updating software from official websites.


Via: scmagazine

Microsoft tries, again, to plug Stuxnet attack path

More than four years ago, Microsoft released a patch to mitigate a Stuxnet attack leveraging USB drives – but this month’s Patch Tuesday update marks another attempt by the company to rectify the security issue.

On Tuesday, HP published a blog post on Microsoft’s first “failed” Stuxnet fix, MS10-046, the same day the tech giant released MS15-020, a critical patch that would thwart similar exploitation.

HP explained that the initial infection vector for Stuxnet was a USB drive “that took advantage of a vulnerability in the Windows operating system that allowed simply browsing to a directory to run arbitrary code.” The Stuxnet worm, discovered in 2010, was designed to target Siemens SCADA systems as a means of undermining Iran’s nuclear program.

In the new patch, the issue was assigned the ID CVE-2015-0096 and described by Microsoft as a DLL planting remote code execution vulnerability.


Via: scmagazine

Apple issues update for OS X and Apple TV

Apple issued an update for OS X and Apple TV earlier this week to address various vulnerabilities, including the FREAK flaw.

OS X Mavericks, Mountain Lion and Yosemite all received updates, Apple posted on its support page. The company’s security update patched one iCloud Keychain vulnerability that could have allowed an attacker with a privileged network position to execute arbitrary code.

A separately addressed type confusion issue in IOSurface’s handling of serialized objects could have allowed a malicious application to execute arbitrary code with system privileges. It was addressed through additional type checking.

For its Apple TV update, Apple also patched a vulnerability that could have allowed a malicious application to create folders in trusted locations in the file system. The issue was in the developer disk mounting logic, which resulted in invalid disk image folders not being deleted.


Via: scmagazine

Microsoft SHA-2 Advisory Causing ‘Infinite Loop’ Issues

Problems with a security update issued this week by Microsoft have surfaced on a number of technology forums.

Windows users say Microsoft Security Advisory 303929, which adds SHA-2 code-signing and verification support for Windows 7 client machines and Windows Server 2008 R2 boxes, is causing computers to enter into an infinite loop.


A request for comment from Microsoft was not returned in time for publication. It is not clear whether or when Microsoft will pull the update back for repairs as it has with other faulty patches.

“After installation the PC reboots, but during the boot-up configuration of the patch it fails and Windows starts, reverting the configuration and reboots,” said one poster on a Microsoft-sponsored Windows forum. “And then it starts all over again a couple of times until it eventually boots into Windows.”

Nine others on that one forum posted a reply noting the same problem almost verbatim.

Tuesday’s update notes that it supersedes another similar update from October and addressed issues that customers had with that installation, Microsoft said. Windows 8, 8.1, RT, RT 8.1, Windows Server 2012 and Windows Server 2012 R2 already have SHA-2 support built in. Windows Server 2003, Vista and Windows Server 2008 will not receive similar support, Microsoft said.

The SHA-1 algorithm has long been considered weak, obsolete and dangerous to deploy, with collision attacks against it expected to become practical by 2018. Microsoft itself formally recommended two years ago that developers stop using SHA-1 and deprecate other weak crypto such as RC4. By January, Microsoft developers will no longer be allowed to use SHA-1 in code signing or developer certs.

Browser makers such as Mozilla and Google have also shunned the use of SHA-1. Mozilla, last September, formally asked Certificate Authorities and websites to upgrade certificates to SHA-256, SHA-384 or SHA-512, all exponentially stronger mathematically than SHA-1, and announced that SHA-1 should not be trusted after Jan. 1, 2017.

Google, meanwhile, began phasing out SHA-1 in its Chrome browser last November with Chrome 40. Since then, Chrome no longer fully trusts sites whose certificate chains use SHA-1 and whose validity extends beyond Jan. 1, 2017. Sites with SHA-1 certificates extending beyond that date are still trusted, but Chrome notes that they have “minor errors.” Starting with Chrome 40, sites whose certificate chains include SHA-1 and extend beyond Jan. 1, 2017 are marked with a blank white sheet, the current visual display for “neutral, lacking security.” Chrome 41 will treat such sites as “affirmatively insecure,” a state indicated by a padlock with a red X on top of it and a red strike through the HTTPS text.


Via: threatpost

Serious bug in Dropbox SDK for Android disclosed by IBM

A serious vulnerability in the Dropbox software development kit (SDK) for Android should be patched immediately, as it can allow an attacker to connect a vulnerable app on a victim’s device to their own Dropbox account for data exfiltration.

IBM’s X-Force Application Security Research Team discovered the vulnerability (CVE-2014-8889), and also developed a working proof-of-concept exploit [video], dubbed DroppedIn, which allows for a targeted app to be linked with an attacker-managed Dropbox account.

IBM described two attack scenarios, a local attack and a remote (drive-by) attack, and noted in a Wednesday blog post detailing the vulnerability that both would fail if the Dropbox app is installed on the targeted device.

The author of the post, Roee Hay, X-Force Application Security Research Team leader, explained that the vulnerability “lets adversaries insert an arbitrary access token into the Dropbox SDK, completely bypassing the nonce protection.”

In the remote attack, IBM demonstrated how a saboteur could cause the Dropbox SDK within a targeted app to leak the nonce (arbitrary number used in an authentication protocol) to an attacker-operated server, using an HTTP redirect, Hay wrote.

IBM disclosed the vulnerability months ago to Dropbox, which immediately set out to rectify the issue. In a Tuesday interview with SCMagazine.com, Caleb Barlow, vice president of IBM Security, said that Dropbox patched the bug in record time – four days to be exact – and worked with app developers using the SDK to make sure they were secured against the threat.

“During the handshake between the third-party application and Dropbox, what was missing was a set of parameters that ensures that the [data] could not be captured and pointed at the attacker’s Dropbox account,” Barlow said of the vulnerability. “Effectively, what we are doing [in the POC] is swapping the token that links the app to your Dropbox account, with the attacker’s Dropbox account.”
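To make the missing binding concrete, here is an added, deliberately generic illustration (not the Dropbox SDK’s code; the class names, the callback shape and the token strings are assumed) of a link-completion handler that stores whatever token it receives, next to one that only accepts a token carrying the single-use nonce it issued, plus the origin check that keeps the nonce from being handed to an arbitrary redirect target.

```python
"""Nonce binding in an app-to-account linking callback. Added illustration of the
bug class described above; class names, flow and token values are assumed and are
not the Dropbox SDK's code."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed, fixed callback origin that the hardened linker will hand its nonce to.
TRUSTED_CALLBACK_HOST = "auth.example.invalid"


class VulnerableLinker:
    """Issues a nonce when linking starts but never checks it when linking finishes."""

    def __init__(self):
        self.pending_nonce = None
        self.linked_token = None

    def start_link(self) -> str:
        self.pending_nonce = secrets.token_urlsafe(16)
        return self.pending_nonce

    def finish_link(self, callback: dict) -> bool:
        # Defect: whoever can reach this callback can plant an access token, so the
        # app ends up bound to whichever account that token belongs to.
        self.linked_token = callback["access_token"]
        return True


class HardenedLinker(VulnerableLinker):
    """Accepts a token only if the callback carries the nonce this instance issued, once."""

    def finish_link(self, callback: dict) -> bool:
        expected = self.pending_nonce
        self.pending_nonce = None            # single use, whether or not the check passes
        if expected is None:
            return False                     # no linking in progress, nothing to complete
        presented = str(callback.get("nonce", ""))
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            return False                     # token not tied to our request: drop it
        self.linked_token = callback["access_token"]
        return True


def is_trusted_callback(url: str) -> bool:
    """Only release the nonce to the fixed HTTPS callback origin; a redirect that lands
    anywhere else is refused, which is what closes the nonce-leak half of the bug."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == TRUSTED_CALLBACK_HOST


def demo() -> tuple:
    """Returns (vulnerable accepts planted token, hardened rejects it, hardened accepts genuine)."""
    planted = {"access_token": "PLANTED-TOKEN-placeholder"}            # constructed, no nonce
    v = VulnerableLinker()
    v.start_link()
    vulnerable_accepts = v.finish_link(planted)

    h = HardenedLinker()
    h.start_link()
    hardened_rejects = (not h.finish_link(planted)) and h.linked_token is None

    h2 = HardenedLinker()
    nonce = h2.start_link()
    genuine = {"access_token": "GENUINE-TOKEN-placeholder", "nonce": nonce}  # constructed
    hardened_accepts = h2.finish_link(genuine)
    return vulnerable_accepts, hardened_rejects, hardened_accepts


if __name__ == "__main__":
    print(demo())
```

The two halves belong together: checking the nonce is worthless if the SDK will send that nonce to any URL a redirect names, and restricting the callback origin is not enough on its own if the completion handler never compares what comes back with what it issued.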

In his blog post, IBM’s Hay said that Dropbox SDK for Android Version 1.6.2 and later addresses the vulnerability.

“Developers are strongly encouraged to update their SDK to the latest version. In order to avoid exploitation of slowly updating apps, end users should update their apps to the latest versions and install the Dropbox app, which makes exploitation impossible,” Hay wrote.

On Wednesday, Dropbox published a post on its developer blog about the bug, describing it as a “minor security vulnerability” that had long been patched.

The company reiterated that, in order to be vulnerable to attack, a user would have to use an affected (vulnerable) app on their Android device, not have the Dropbox for Android app installed, and “visit a malicious page with their Android web browser targeting that app, or have a malicious app installed on their phone.” Dropbox continued: “An attacker could then link their Dropbox account to a vulnerable third-party app on the victim’s device. This would then allow the attacker to capture new data a user saved to Dropbox via the vulnerable app.”

The company later added that the bug can’t give attackers access to any existing files in a user’s account, and that “users with the Dropbox app installed on their devices were never vulnerable.”

“There are no reports or evidence to indicate the vulnerability was ever used to access user data,” Dropbox said.

IBM published a white paper that provides more details on the vulnerability and the DroppedIn exploit.


Via: scmagazine

White House reveals $100M in grants to train tech workers

With a looming shortage of skilled tech workers threatening U.S. “leadership in global innovation,” President Obama said the White House will pony up $100 million in grants to train and educate coders, programmers and other tech pros.

“We’ve got this incredible set of opportunities, but we’ve got to have the workers for us to take advantage of it,” Obama said in remarks to the National League of Cities conference in Washington.

Under the TechHire program, 21 regions and cities, including Detroit and Los Angeles, will work together to accelerate training programs, particularly for potential workers with disabilities and individuals who don’t speak fluent English. The regions will be competing for the $100 million in grants.

Tech companies like Microsoft, Linkedin and Cisco, along with coding schools, will support the training efforts.


Via: scmagazine

Point-of-Sale Vendor NEXTEP Probes Breach

NEXTEP Systems, a Troy, Mich.-based vendor of point-of-sale solutions for restaurants, corporate cafeterias, casinos, airports and other food service venues, was recently notified by law enforcement that some of its customer locations have been compromised in a potentially wide-ranging credit card breach.

The acknowledgement came in response to reports by sources in the financial industry who spotted a pattern of fraud on credit cards all recently used at one of NEXTEP’s biggest customers: Zoup, a chain of some 75 soup eateries spread across the northern half of the United States and Canada.

Last week, KrebsOnSecurity reached out to Zoup after hearing from financial industry sources about fraud patterns indicating some sort of card compromise at many Zoup locations. Zoup CEO Eric Ersher referred calls to NEXTEP, saying that NEXTEP was recently informed of a security issue with its point-of-sale devices. Ersher said Zoup runs NEXTEP’s point-of-sale devices across its entire chain of stores.

In an emailed statement, NEXTEP President Tommy Woycik confirmed Ersher’s account, but emphasized that the company does not believe all of its customers are impacted.

“NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised,” Woycik wrote. “NEXTEP immediately launched an investigation in cooperation with law enforcement and data security experts we retained to determine the root cause and remediate the issue. We do know that this is NOT affecting all NEXTEP customers, and we have been working with our customers to ensure that any issues are addressed. This remains an ongoing investigation with law enforcement. At this stage, we are not certain of the extent of the breach, and are working around the clock to ensure a complete resolution.”

A breach at a point-of-sale vendor can impact a large number of organizations, and historically the chief victims of POS vendor breaches have been food service establishments. Last year, a pattern of credit card fraud at hundreds of Jimmy Johns sandwich shops across the country was traced back to security weaknesses that fraudsters were exploiting in point-of-sale systems produced by POS vendor Signature Systems Inc. Signature later disclosed that the breach also impacted at least 100 other independent restaurants that use its products.

Earlier this year, Denver-based point-of-sale vendor Advanced Restaurant Management Applications (ARMA) disclosed that malware attacks on its POS devices exposed credit and debit cards for a number of its clients’ customers in Colorado, many of them restaurants.

Another point-of-sale vendor breach uncovered last year by KrebsOnSecurity — that of C&K Systems — lasted 18 months and resulted in card fraud for customers of some 330 Goodwill locations nationwide.

It’s unclear what’s behind the NEXTEP breach, but if previous such breaches are any indicator, the incident may have involved stolen credentials used to remotely administer affected point-of-sale systems. In June 2014, POS vendor Information Systems & Supplies Inc. notified (PDF) customers that a breach of its Log-Me-In account exposed credit card data of stores that used its systems for nearly two months last year.

With remote access to point-of-sale devices, crooks can then upload card-stealing malicious software to the POS terminals. The stolen card data is quite valuable — typically selling for anywhere from $20 to $100 per card on underground cybercrime stores. Crooks can encode the stolen card data onto anything with a magnetic stripe and use the counterfeit cards to buy high-dollar merchandise at big box stores.

It seems quite likely that we’ll hear about additional breaches at POS vendors in the weeks ahead. KrebsOnSecurity is currently in the process of tracking down the common thread behind what appear to be breached POS vendors tied to three different major cities around the country.


Via: krebsonsecurity