Monthly Archives: February 2016

Cisco fires off recall on fire prone switches

IE5000 industrial Ethernet devices have a short that could spark combustion.

Cisco is recalling Ethernet switches that pose a potential fire hazard because of damage to the source wiring that can cause a short. The company issued a field notice last week on the situation, which affects its IE5000 industrial Ethernet switches.

From the field notice:

Potential damage to the source wiring can cause a short to the metal enclosure/barrier. This could lead to a potential electrical and/or fire safety hazard for the end user.

The issue was observed in a single device that had not yet been shipped and not at a customer site, Cisco says. A switch was discovered to have a short in a damaged power harness cable during a manufacturing test.

Upon discovery, Cisco initiated a hardware upgrade program to replace any impacted units. Affected devices can be identified through serial number validation, and from version IDs and deviation labels on the top and bottom of the switch or from the Device Manager screen.

Cisco has already determined that IE5000 switches with version ID V02 and deviation label #D517262 are not affected by the short.

Via: networkworld

Grab 2GB extra for Google Drive by taking Security Checkup by Feb. 11 (TODAY)

Google is giving users who complete its Security Checkup an extra 2GB of Google Drive storage. Here’s how you can take advantage of it.

Google recently announced that it’s rewarding users who complete its Security Checkup with 2GB of extra Drive storage. The Security Checkup is essentially a formal walkthrough of your Google account settings and, if completed by February 11, will earn you some extra space in Drive.

The announcement was made on February 9, in honor of Safer Internet Day. In its official blog post, Google described the day as a “moment for technology companies, nonprofit organizations, security firms, and people around the world to focus on online safety, together.”

To access the Security Checkup, you can go through your My Account page, or you can click here to go straight to the assessment.

You’ll first be asked to enter or verify a recovery email address, security question, and phone number for your account. You can skip this section, but it must be completed if you want the 2GB reward.

Next, you will need to verify the devices you use to access your Google account. If all looks well, click “Looks good.” If you don’t recognize a device, however, click “Something looks wrong” and you will be prompted to change your password.

Finally, you will be prompted to check your account permissions. These are simply the third-party apps that you have allowed to access your Google account information. If you no longer wish to allow certain apps access, click the “Remove” button for that particular app.

If you’re using two-step authentication, you will have to review those settings as well. When you’re all finished, click “Done” and you will receive a message that says “Nicely done, you’re all set.” Now, you can continue on to your account settings if you wish.

Remember, if you are using Google Apps with single sign-on then you’ll probably need to sign in again to access the checkup. And, depending on your account type and recent events, you may be prompted to check a few more settings, or settings of a different type. For example, one Google Apps for Work user we spoke with had the following prompts:

  • Check your recent security events
  • Check your connected devices
  • Disable access for less secure apps
  • Check your account permissions

Another user we spoke with checked all three of his Google accounts, including a Google Apps enterprise account, and they all only prompted him to check two settings. It should also be noted that the free storage doesn’t seem to show up right away as, even hours after completing the checkup, my personal account storage limit hasn’t changed.

Incentive aside, the Security Checkup is probably in your best interest anyway, especially if you’re an enterprise user. One IT manager that we spoke with said it was a “good reminder” to check your stuff and make sure that everything is in order.

SolarWinds “Head Geek” Leon Adato concurred. He said, “I would, and have, strongly recommended that end users go through the Google security check. If an end user has already set up some security options, such as 2-factor authentication, then the check takes all of three minutes and simply walks them through verifying the devices, accounts and applications that have access to their Google accounts. Even without the 2 gigabyte incentive, this is a very helpful process. It also gets users thinking about application security in general and how their other apps and accounts may or may not be secure.”

The free storage space on Drive was only one aspect of the blog post Google put up for Safer Internet Day. The second key point it addressed was its Safer Email Transparency Report and how Google has taken steps to warn Gmail users about messages sent without Transport Layer Security (TLS) encryption. If you receive a message with a broken lock icon in the upper right hand corner, it is not encrypted. If there is a question mark in the same spot, its encryption couldn’t be verified.

Google also noted its Google Play policies that reject bad applications to protect users from phishing, and said that it conducts scans of devices with its Safe Browsing feature to look for other potential problems. Interested users can find more of Google’s suggested mobile security tips here.

Additionally, the blog post stated that Google is taking more aggressive measures to combat botnets and bad advertising practices, and Google will be partnering with Medium to host a virtual roundtable on the future of security.

The 3 big takeaways for readers

  1. Google’s Security Checkup is a solid thing to do anyway, but if you do it by February 11 (TODAY) you can earn a little extra Drive space. And who doesn’t need more storage?
  2. Gmail users should note that Google has updated Gmail to warn users if a message wasn’t encrypted, or its encryption couldn’t be verified. Look for a broken lock icon to represent unencrypted messages and a question mark for messages with unverified encryption.
  3. Google and Medium will be hosting a security roundtable where IT professionals can follow conversations on the major cybersecurity issues affecting us today. So, if you want to go deeper on the current state of cybersecurity, check it out.

Via: techrepublic

House Bill Could Block State, Local Bills that Seek to Undermine Mobile Encryption

A new bill introduced to the House of Representatives could kill state and local bills that seek to undermine smartphones’ encryption measures.

On Wednesday, U.S. Representatives Ted Lieu (D-California) and Blake Farenthold (R-Texas) introduced the “Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016”, or the “ENCRYPT Act”.

The bill in its entirety reads as follows:

A State or political subdivision of a State may not mandate or request that a manufacturer, developer, seller, or provider of covered products or services—

(1) design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency or instrumentality of a State, a political subdivision of a State, or the United States; or

(2) have the ability to decrypt or otherwise render intelligible information that is encrypted or otherwise rendered unintelligible using its product or service.

Lieu and Farenthold’s proposed legislation comes just a few weeks after state bills emerged in New York state and California that would ban the sale of smartphones with strong encryption measures.

If passed in time, the ENCRYPT Act could potentially block those bills from being enacted into law.

In a phone interview with Ars Technica on Tuesday, Lieu explained that recent events in part motivated him to sponsor the legislation:

“It’s very clear to me that the people who are asking for a backdoor encryption key do not understand the technology,” he said. “You cannot have a backdoor key for the FBI. Either hackers will find that key or the FBI will let it get stolen. As you saw, the [Department of Justice] just got hacked. The [Office of Personnel Management] got hacked multiple times. If our federal government cannot keep 20 million extremely sensitive security records, I don’t see how our government can keep encryption keys safe.”

The bill has largely received praise from privacy advocates, though some feel that its language could go further in establishing the importance of encryption on smartphones.

The proposed legislation will need to pass in both the House of Representatives and the U.S. Senate as well as receive the signature of the President in order to be enacted into law.

Via: tripwire

Obama to Appoint First Federal Chief Information Security Officer

The Obama administration has announced its intention to appoint the United States’ first ever federal chief information security officer (CISO).

On Tuesday, the President is expected to roll out a budget of $19 billion for federal information security spending. That budget, which marks a 35 percent increase over last year’s allotment of $14 billion, will create a presidential commission on information security as well as the nation’s first federal CISO position.

“That’s a key role that many private-sector companies have long implemented and it’s good practice for the federal government,” Federal CIO Tony Scott said ahead of the president’s budget rollout, as quoted in Federal Times.

Danny Yadron of The Guardian observes that the creation of a federal CISO is a long-overdue move by the Obama administration. He argues that in the absence of this position, the federal government has at times struggled to respond to a number of high-profile attacks and breaches, including the hack against the Office of Personnel Management (2014), the State Department email system attack (2014), and a breach of DOJ employees’ information just recently.

The role, which the Obama administration hopes to fill within the next few months, will be housed in the Office of Management and Budget at the White House and will coordinate information security across federal agencies. Those efforts will be augmented by the forthcoming budget’s creation of an “Information Technology Modernization Fund”, a $3.1 billion allotment which can help to upgrade the systems that interconnect various federal agencies, reports The Hill.

The CISO will also be in charge of improving government workers’ overall security awareness. Such attempts at security hygiene will hopefully communicate to them the importance of regular patch implementation and the dangers of social engineering, thereby helping to prevent a repeat of events such as the recent DOJ breach, in which an employee gave the attacker a valid login token.

Via: tripwire

Secure Software Development

San Francisco is hosting a major software development festival roughly 10 days before RSA’s 2016 security conference rolls into the city.

Whether you are a new software developer or a seasoned architect, how can you build security into your development process?

Listen to Tripwire’s latest Security Slice podcast and hear Tim Erlin, Tyler Reguly and Craig Young discuss why developer trust can undermine software security, the importance of fuzz testing and the most common software development security mistakes.


Via: tripwire

Departments Of Homeland Security And Justice Hacked

While it is basically never good news to wake up and find out one’s federal government has been successfully hacked, it seems much worse when the two departments hacked are in charge of protecting the citizenry from things like cybercrime and terrorism. But that is the story Americans are waking up to today (Feb. 9), as news is breaking that both the Department of Justice and the Department of Homeland Security have suffered a data breach.

The latest attack has seen a cyberattacker make it out the digital door with the information of thousands of employees at the two departments. The good news, such as it is, is that only employee data was nabbed; no other sensitive information seems to have been stolen.

According to reports from internal officials, the bulk of the data seems to have been drawn from government directories, which include employees’ email addresses, phone numbers and job titles.

The story first seems to have come to light when tech news site Motherboard reported on Sunday that it had been approached by a hacker claiming to have gotten his hands on employee information on about 20,000 people at the FBI and 9,000 at the Department of Homeland Security.

The hacker noted the intention was to embarrass federal agencies into improving cybersecurity operations. He released his data yesterday afternoon.

Officials at the Justice Department and the Department of Homeland Security said they were examining the breach.

“There is no indication at this time that there is any breach of personally identifiable information,” said Peter Carr, a spokesman for the Justice Department. Marsha Catron, a Homeland Security spokeswoman, echoed that statement.

Investigators are also trying to figure out if there is a connection between this breach and an attack last fall that released the email addresses of Jeh Johnson, the Homeland Security secretary, and John O. Brennan, the CIA director. That hacker group expressed pro-Palestinian positions, as does this newest hacker.

The new breach does not appear to have resulted from an attack using an outside computer to penetrate the system. Instead, officials said, they believe that the intruder impersonated a government employee and used that information to get into other parts of the system.

A much bigger intrusion that targeted the Office of Personnel Management exposed security clearance dossiers and sensitive information for nearly 22 million Americans. Chinese hackers were thought to have been behind the attack, which was much more sweeping than officials initially acknowledged publicly last year.

Via: pymnts

Oracle posts Java patch for bug that could result in ‘complete compromise’ of Windows machines

Oracle recommends users ensure they’re running the latest version of Java to avoid the bug.

Oracle has issued a security patch to close a Java vulnerability which if left unchecked could lead to ‘complete compromise’ of Microsoft Windows systems.

The security loophole is named CVE-2016-0603 and the bug fix has been released to address a vulnerability which can be exploited when Java version 6, 7, or 8 is installed on a Windows platform. The weakness is remotely exploitable, allowing attackers to compromise a network without the need for usernames or passwords.

However, in order to exploit the security bug, an attacker would need to trick the user into visiting a malicious website and downloading infected files to their machine before Java 6, 7, or 8 is installed.

But while this would be difficult to achieve, a successful exploitation of the vulnerability could result in “complete compromise” of a user’s system, warned a post on the Oracle Software Security Assurance Blog about the patch.

Given that the risk of compromise only exists during the initial installation process, Oracle has assured users that those who are already using an existing version of Java aren’t vulnerable to CVE-2016-0603.

Nonetheless, the company warns that “users who have downloaded any old version of Java prior to 6u113, 7u97, or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later”.

The security patch is cumulative, and therefore any system it’s installed on also receives all existing fixes from previous Critical Patch Updates and Security Alerts.

As part of the security alert, Oracle warns users to check that they’re running the latest version of Java Standard Edition (SE) and that older versions have been completely removed from the system.
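The alert gives concrete thresholds (installers older than 6u113, 7u97 or 8u73 should be discarded), so a practical follow-up is an inventory check. The script below is an added example, not Oracle's code or anything from the ZDNet article: it flags stale downloaded installers by file name and reports whether `java -version` output from a set of hosts is below the fixed update level. The Oracle installer naming pattern (`jre-8u72-windows-x64.exe`) and the sample file names and version strings are constructed here for illustration. Note, as the article says, that already installed runtimes are not affected by the installer bug itself; the runtime check only serves the separate "run the latest version" advice.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum update level per Java family carrying the CVE-2016-0603 installer
# fix, as stated in Oracle's alert: 6u113, 7u97, 8u73.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Oracle-style installer names, e.g. jre-8u72-windows-x64.exe or
# jdk-7u80-windows-i586.exe (assumed naming pattern, not from the article).
_INSTALLER_RE = re.compile(r"^(?:jre|jdk)-(\d+)u(\d+)-", re.IGNORECASE)

# First line of `java -version` for Java 6/7/8, e.g. java version "1.8.0_72"
_RUNTIME_RE = re.compile(r'version "1\.(\d+)\.\d+_(\d+)"')


def parse_installer_name(name: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from an installer file name, or None if it is not one."""
    m = _INSTALLER_RE.match(name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def parse_runtime_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) parsed from `java -version` output, or None."""
    m = _RUNTIME_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_fixed(family: int, update: int) -> Optional[bool]:
    """True if at or above the fixed level, False if below, None if the family is not in the alert."""
    minimum = FIXED_UPDATE.get(family)
    if minimum is None:
        return None
    return update >= minimum


def stale_installers(names: List[str]) -> List[str]:
    """Installer file names that predate the fixed level and should be discarded."""
    return [n for n in names
            if (p := parse_installer_name(n)) is not None and is_fixed(*p) is False]


def runtime_report(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status string for collected `java -version` output."""
    report: Dict[str, str] = {}
    for host, text in outputs.items():
        parsed = parse_runtime_version(text)
        if parsed is None:
            report[host] = "unparsed"
            continue
        status = is_fixed(*parsed)
        if status is None:
            report[host] = "family not covered by alert"
        else:
            report[host] = "ok" if status else "below fixed level"
    return report


# Constructed sample data: a downloads folder listing and per-host version output.
SAMPLE_DOWNLOADS = [
    "jre-8u72-windows-x64.exe",    # below 8u73 -> discard
    "jre-8u73-windows-x64.exe",    # fixed level
    "jdk-7u80-windows-i586.exe",   # below 7u97 -> discard
    "jre-6u113-windows-i586.exe",  # fixed level
    "jre-8u74-windows-x64.exe",    # newer than fixed level
    "notes.txt",                   # not an installer, ignored
]
SAMPLE_VERSION_OUTPUT = {
    "host-a": 'java version "1.8.0_72"\nJava(TM) SE Runtime Environment (build 1.8.0_72-b15)\n',
    "host-b": 'java version "1.7.0_97"\nJava(TM) SE Runtime Environment (build 1.7.0_97-b02)\n',
    "host-c": 'openjdk version "1.8.0_66"\nOpenJDK Runtime Environment\n',
}

if __name__ == "__main__":
    for name in stale_installers(SAMPLE_DOWNLOADS):
        print(f"discard old installer: {name}")
    for host, status in runtime_report(SAMPLE_VERSION_OUTPUT).items():
        print(f"{host}: {status}")
```

To use it on real data, replace `SAMPLE_DOWNLOADS` with an `os.listdir()` of the downloads folder and feed `runtime_report` the captured output of `java -version` from each host.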

Via: zdnet

Now You Can Swipe For An On-Demand Notary, Too

On-demand services have taken off, much to the delight of pretty much everyone who uses them.

Now we can add notary services to the list of conveniences we can call up with a tap on our iPhones thanks to Notarize, a months-old startup with offices in Alexandria, Va., and in Boston. It offers a 24-hour service that enables people in all 50 states to have their documents notarized remotely. [Yay.]

If you’ve experienced the ridiculousness of having to track down a notary, this may all sound too good to be true. And it would have been until very recently. But in 2011, Virginia passed a bill allowing documents to be notarized remotely, using audio-video technology.

Founder and CEO Pat Kinsel discovered this law soon after learning, while on vacation, that a brokerage couldn’t accept a document that he’d given to a notary who lost track of it.

Kinsel — who cofounded an earlier company called Spindle that sold to Twitter and who is today also a venture partner with Polaris Partners — says that out of his own “intellectual curiosity, I started researching this in my spare time.”

One of the things Kinsel learned? That there’s a $30 billion potential market opportunity to chase, given that an estimated one billion documents get notarized annually in the U.S. (Many of these are done for free, we should mention, but Notarize is charging $25 per document for its ease of use.)

As an investor in the Boston-based on-demand alcohol delivery company Drizly — which has apparently done quite a bit of verification work to ensure its drivers are at least 21 years old — Kinsel also knew there existed powerful ways of verifying IDs that would comply with the law.

Thus was born Notarize, which is available as an iOS application alone (right now) and that functions like a traditional notary, but moves the entire process online.

Clients verify they are who they say with a government issued photo ID that Notarize authenticates using computer imaging technology and some kind of software-based forensic analysis. The person is then connected with a commissioned Virginia Electronic Notary Public agent via live video call. (Notarize has 24 agents at the ready as of this writing.) The agent then completes the process using digital tools, after which the client can print and deliver the notarized document or send it electronically to whomever is waiting on it.

The company isn’t saying how much it collects versus gives to its agents.

Notarize isn’t the first to take advantage of that Virginia law, either, though Kinsel argues convincingly that it’s the first to “do it in earnest.” (Do a search and not much turns up.)

Kinsel also thinks there’s plenty of low-hanging fruit to go after as the company tests out its concept, including search traffic, which he estimates is a $100 million addressable opportunity alone.

Investors seem very prepared to gamble on the idea, in any case. Notarize has raised $2.4 million in seed funding led by Polaris Partners. Other participants in the round include the Detroit-based seed-stage firm Ludlow Ventures and individual investors.

Via: techcrunch

Google Announces Initiative to Protect Users Against Social Engineering Ads

Google announced on Wednesday plans to expand its Safe Browsing initiative aimed to protect users against social engineering attacks, such as deceptive online ads that install unwanted software or reveal personal information.

The Mountain View, California-based company said in a blog post it will begin to target embedded content on a web page that it considers social engineering. For example, ads that either:

  • Pretend to act, or look and feel, like a trusted entity – like a user’s device, or the website itself
  • Try to trick users into doing something they would only do for a trusted entity – like sharing a password or calling tech support.

When Internet users visit a site with such deceptive content, Google Safe Browsing may warn users and offer the option to automatically report details of possible security incidents to Google.

“You may have encountered social engineering in a deceptive download button, or an image ad that falsely claims your system is out of date,” explained Lucas Ballard, a senior staff engineer on the Safe Browsing Team.

The misleading buttons or ads are often not distinguishable from the rest of the page, says Ballard, as they appear like they will produce legitimate content that relates to the site.

“This image claims that your software is out-of-date to trick [users] into clicking ‘update’,” says Google of one example.

“Our fight against unwanted software and social engineering is just beginning,” Ballard added. “We’ll continue to improve Google’s Safe Browsing protection to help more people stay safe online.”

The Safe Browsing technology is used by Google’s own Chrome browser, as well as Apple’s Safari and Mozilla’s Firefox browsers – protecting an estimated one billion people from potentially unsafe sites.

For webmasters whose sites have been flagged for social engineering content, Google suggests troubleshooting with Search Console and visiting its Social Engineering Help page.

Via: tripwire

Security negligence goes to court

The number of people whose data was breached in 2015 exceeded that of the previous year. How do we plan to regulate these cases?

Many referred to 2014 as the “Year of the Breach.” Yet, the number of people whose data was breached in 2015 exceeded that of the previous year. The U.S. Government’s Office of Personnel Management, CVS and T-Mobile are just a few of the larger-scale victims. And the bad news is that there is no end in sight, anywhere. We can be sure that these attacks will continue in all shapes, sizes and categories. No one is immune.

How do we plan to regulate these cases? What should organizations be compelled to do in order to protect the sensitive information they store? And what should be the expected consequences when these organizations do not go far enough to protect consumer data?

Two cases currently in the headlines could help us understand how compliance regulations and policing of security negligence will evolve over the coming year.

The Federal Trade Commission will aggressively pursue its cybersecurity authority

Having already scored a major victory in the federal Third Circuit against Wyndham Corporation in August 2015, the Federal Trade Commission (FTC) recently faced its first setback. In November, a complaint the FTC filed against LabMD criticizing its lax cybersecurity practices was dismissed by the FTC’s chief administrative law judge. When the court’s decision became public, some stories began touting the dismissal as a major setback, but that assessment may be premature.

The Wyndham decision supported the FTC’s ability to broadly institute cybersecurity requirements pursuant to the agency’s authority to prevent “unfair or deceptive practices.” The LabMD case did nothing to change that ability. The complaint in LabMD was dismissed due to the FTC’s inability to sustain its burden of proof because its key witness had a serious conflict of interest. The administrative judge never ruled that the FTC was unable to bring the action against LabMD; the organization just failed to prove it.

The FTC has already announced it is appealing the judge’s dismissal. In the 100-year history of the FTC, it has never lost an appeal to the Board of Commissioners. Should the dismissal of the complaint be overturned by the Board, the case could continue through the “regular” court system. (Incidentally, Wyndham recently reached a settlement with the FTC.)

New European Union privacy rules rattle industries worldwide

In October 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor agreement that had existed for 15 years between the EU and the U.S. in its decision entitled Schrems v. Data Protection Commissioner. News reports estimate about 4,500 businesses have been affected. The agreement had allowed American companies to annually self-certify to the U.S. Department of Commerce that they were in compliance with the data privacy requirements in the 28 Member States that comprise the EU.

A new agreement is under negotiation, but both sides are struggling to find an acceptable middle ground. Meanwhile, the European Commission has announced that if a satisfactory agreement is not in place by the end of January, each Member State’s Data Privacy Commissioner will consider initiating “coordinated enforcement actions” to mandate compliance.

In the meantime, the European Commission, in conjunction with the European Parliament and Council, has finally drafted the long-awaited General Data Protection Regulation. It would supersede the current Data Protection Directive of 1995. The Directive is only an advisory set of rules, which has caused each of the 28 EU Member States to draft its own version of privacy laws.

Under the newly proposed regulations, however, there would be only one set of rules applicable to all 28 states. There will also be a newly-created “right to be forgotten” and “right to portability” giving every EU citizen the right to move and remove her or his data. A breach notification requirement will require victims be contacted as “soon as possible” but no later than 72 hours after discovery of the breach.

Based on how these cases evolve, the results could have significant repercussions for how organizations are required to store and move data, both at a domestic and international level.

Via: csoonline