Monthly Archives: March 2016

5 Best Practices for Reducing Third-Party Security Risks

Vendors and other third-party partners have caused some big data breaches. Here is how to keep it from happening to you.

With security breaches now a regular fixture in the news, it’s an increasing cause for concern that many — including major breaches at Target and Goodwill — are caused not by attacks on the companies themselves, but by breaches at third-party vendors.

PWC’s 2015 U.S. State of Cybercrime Survey found that 62 percent of companies evaluate the security risks of third-party vendors, 57 percent do so for contractors, and 42 percent consider supplier risks. Only 23 percent don’t evaluate third-party security at all.

In general, Veracode co-founder and CTO Chris Wysopal said, enterprises are determining that a significant portion of their risk is coming externally and they’re demanding more from vendors as a result.

“I’ve seen a change happen where in the beginning, the vendors would say, ‘No, we’re secure, trust us. We don’t have to show you our security process, we don’t have to show you the results of testing,’ to today we’re seeing vendors having to provide assurances to their customers about their security programs,” Wysopal said.

Here are five steps you can take to help reduce security threats coming from your relationships with third-party vendors.

Audit Yourself

Joe Schorr, director of advanced security solutions at Bomgar, said the first step should be to focus on yourself: Get a better understanding of which vendors have access to your system, where they’re connecting and what they’re doing. “A lot of the third-party access seems to be kind of ‘fire and forget.’ ‘We decided to outsource this function, so let’s nail up the VPN, get these guys in, get them working’ — and then people tend to walk away from it,” Schorr said.

Instead, take the time to reassess everything that’s currently in place, including access you may have set up a while ago. “Go back, do a good internal audit of who’s accessing what at the very least, and then get a little bit deeper: why are they accessing that, who gave them that, who’s the internal sponsor for this activity?” Schorr said. “Start peeling that onion a little bit.”

Look at everyone who has privileged access — especially, Schorr said, anyone who has over-privileged access.

“That janitorial service, if all they’re doing is logging in to talk to accounts receivable and make sure they get paid every two weeks as a contractor, why do they have access to the same type of vendor portal that your third-party development team is logging in through to get to an application database?” he said. “Don’t treat vendors as one big blanket entity.”

Audit Your Vendors

Schorr previously led BT’s Ethical Hacking Team, and he said a few of the big banks his team worked with gave BT an extremely onerous security audit once a year. “They didn’t just audit themselves to see who was logging in. They said, ‘BT, do you guys meet the criteria on these five tabs on this extensive spreadsheet? Prove to us you’re doing all these different things,’” he said.

Those requirements, he said, were likely more strict than the banks’ own internal policies and procedures. “That obviously is not always practical and there are business considerations, but I tell clients all the time, ‘Look, you’re the customer. You should have a little bit more say in what’s going on.’”

At a basic level, that can mean asking questions of everyone who connects to your systems. “You can start off low-level, like, ‘Here’s a self-service questionnaire: how do you do these different things?’ And then all the way to, ‘Are you audited quarterly? Do you do code reviews on applications that touch our applications?’” Schorr suggested.

Any vendor should be capable of providing you with that kind of information, Wysopal said. “If they say, ‘No, we don’t do that,’ or ‘We don’t share results on our internal security,’ they probably do, and they’re just trying to make you go away,” he said. “One of the things we’ve learned is that if you push hard enough, they say, ‘Yeah, you’re right. We have had a third party audit, and we can show you the results.’”

Audit Again (and Again)

Too many companies, Schorr said, examine these issues, both internally and externally, once in detail — but fail to follow up on a regular basis.

“Even when they do it right, they tend to leave those activities in the dust and just hope they’re good for another 11 months and three weeks until they launch that audit again,” he said. “The most effective thing I’ve seen is to do it quarterly.”

It can be tough to do more than that, Schorr said, but for crucial assets, it’s worth taking the time to do a quarterly assessment. “If you’re trying to guard that Kentucky Fried Chicken recipe at the core of your information security network, then at least every three months, you should be checking in with people that have access to it, internally and externally,” he said.
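The two audit steps above (know which vendor accounts exist, who sponsors them and whether their privilege matches the job, then re-check on a quarterly cycle) are easy to turn into a repeatable check once the access register is written down. The following is an added example, not code from the article or from Bomgar or Veracode; the register rows, the role-to-access policy and the 91-day review interval are constructed assumptions for illustration.

```python
"""Audit a third-party access register for the issues the article raises:
accounts with no internal sponsor, accounts whose access exceeds what
their role needs, and accounts not reviewed within the last quarter.
Added example; register format and policy table are assumptions."""
from datetime import date, timedelta

# Constructed sample register: one row per vendor service account.
REGISTER = [
    {"vendor": "janitorial-co", "account": "svc_janitor", "role": "invoicing",
     "access": "vendor_portal_full", "sponsor": "", "last_review": "2015-02-10"},
    {"vendor": "dev-shop-ltd", "account": "svc_devshop", "role": "app_dev",
     "access": "vendor_portal_full", "sponsor": "j.doe", "last_review": "2016-02-01"},
    {"vendor": "hvac-inc", "account": "svc_hvac", "role": "bms_maintenance",
     "access": "bms_only", "sponsor": "k.lee", "last_review": "2015-11-20"},
]

# Assumed policy: the single access level each vendor role legitimately needs.
ROLE_MAX_ACCESS = {
    "invoicing": "ar_portal",            # talk to accounts receivable only
    "app_dev": "vendor_portal_full",     # reaches the application database
    "bms_maintenance": "bms_only",       # building management system only
}

REVIEW_INTERVAL = timedelta(days=91)     # quarterly, as the article recommends


def audit_register(register, today_iso, role_max_access=ROLE_MAX_ACCESS,
                   review_interval=REVIEW_INTERVAL):
    """Return {account: [findings]} for every account that needs attention.

    Accounts with no findings are omitted, so an empty dict means the
    register is clean for the given date."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for row in register:
        issues = []
        if not row["sponsor"]:
            issues.append("no internal sponsor")
        allowed = role_max_access.get(row["role"])
        if allowed is None:
            issues.append(f"unknown role {row['role']!r}")
        elif row["access"] != allowed:
            issues.append(f"over-privileged: has {row['access']}, role needs {allowed}")
        last = date.fromisoformat(row["last_review"])
        overdue = today - last - review_interval
        if overdue.days > 0:
            issues.append(f"review overdue by {overdue.days} days")
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_register(REGISTER, "2016-03-15").items():
        print(account)
        for issue in issues:
            print("  -", issue)
```

Run on the constructed register as of 2016-03-15, the janitorial account is flagged three times (no sponsor, portal access far beyond an invoicing role, review more than a year stale), the HVAC account only for a review that slipped past the quarter, and the development shop not at all. Feeding the same function your real register each quarter gives the "audit again" step a concrete, diffable output.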

Leverage Encryption and Other Technologies

Ultimately, Schorr said, you need to control the access itself, control the assets and control the accounts that touch those assets. “There are perfectly good, mature technologies out there that meet all those needs,” he said. “The trick is putting them where they need to be, identifying exactly where that point of ingress is and exactly what they’re trying to touch on the inside.”

Every company, Schorr said, has something that somebody wants to steal.

“I call it the three Ps: Property, something that’s Profitable or something that’s Personal,” he said. “When you need to protect that, you should probably be talking about encryption. I’m not a fan of encrypting everything on network — I think that’s crazy — but the stuff that keeps you awake at night that you’re trying to protect, that’s the stuff for which you should be looking at some kind of an encryption scheme.”

In general, Wysopal said it’s best to ensure that whatever technologies you’re using for internal security are also applied to vendors with privileged access.

“If you’ve implemented two-factor authentication for remote access to your company, why aren’t you implementing two-factor authentication with all the services you’re using that also have access to your company’s data?” he said. “Try to keep parity with what you already thought was a good idea to do to yourself.”

If possible, Schorr said, it’s best to monitor all sensitive connections on an ongoing basis.

“The ability to record what’s going on and watch over someone’s shoulder while they’re working in your environment is really, really big and an emerging tool for people defending networks,” he said. From an attacker’s perspective, accessing a company’s network through a third-party vendor’s VPN connection, only to discover that the company is recording whatever their third parties are doing can be pretty scary — and an effective deterrent.

Get It in Writing

However you decide to secure your connection with a given vendor, Schorr said, get it in writing. “Make it contractual, put some teeth behind it because that’s really the only thing that people understand,” he said. “Companies are starting to fall into litigation from missing things on audits — and when companies are getting breached, they’re starting to look at their security companies and vendors, and starting to point fingers, because it’s costing money.”

Getting lawyers involved can be a good move. “I’m no more of a fan of litigation than anybody else, but sometimes the only thing that people listen to is a carrot and a stick — and sometimes you need the stick,” Schorr said.

Contracts do not need to be complex, he said. “It can be something as simple as ‘Here’s what your system should look like to connect to us, you’re going to have to go through this special connection we’ve set up, you’re going to be recorded while you’re doing all of that, and here’s our recourse if something bad happens and we find out it came through you,’” Schorr said. “That may be just enough to get people to take the extra couple of steps to do some basic security stuff on their end.”

Via: esecurityplanet

UK businesses fail at security awareness

UK organizations are putting their reputation, customer trust and competitive advantage at greater risk by failing to provide their staff with effective security awareness and capability to defend against cyber-attacks.

Research into organizations’ approach to information security awareness by Axelos reveals that most are underestimating the “human factor” of employee behavior in corporate cyber risk. The finding is a cause for concern as UK Government research found that 75% of large organizations suffered staff-related security breaches in 2015, with 50% of the worst breaches caused by human error.

Research showed that only a minority of executives responsible for information security training in organizations with more than 500 employees believe their cyber security training is very effective. While four in 10 (42%) say their training is very effective at providing general awareness of information security risks, only just over a quarter (28%) say their efforts are very effective at changing behavior in relation to information security.

For ensuring compliance with regulatory requirements, 37% rate their training as very effective though only a third (33%) rate it very effective in reducing exposure to the risk of information security breaches. A similar minority (32%) are very confident that the training is relevant to staff, despite almost all respondents (99%) citing security awareness as important to minimize the risk of security breaches.

When asked how many staff had completed their information security awareness program, respondents in a quarter of organizations said that no more than 50% of staff had done so.

“There is an incredibly high number of security incidents that are caused by, or involve, human error. No person or organization is infallible and employees will always be a weak link in an organization’s security chain. A common problem is that organizations can think it’s important to only educate those at the top of the management tree, but this is a dangerous approach. Indeed, we are increasingly hearing stories of cybercriminals looking for a gateway to the network by targeting employees lower down the ladder, quite often via spear phishing. The fact is, every employee who has access to the corporate network is a target, and with hackers using increasingly devious techniques, it only takes one download or one click of the mouse for someone to put the entire company at risk,” Ross Brewer, VP and MD of EMEA, LogRhythm told Help Net Security.

“Imagine how customers would respond if told that ‘we’re fairly confident that your precious information is safe from attack’. Equally, reporting to a board of directors that the level of confidence in the organization’s information security awareness is only “fair” would be given short shrift. If UK company boards are not asking those responsible about the current effectiveness of their awareness learning among their people and what is being done to improve their cyber resilience, then they should be,” according to Nick Wilding, head of cyber resilience best practice at Axelos.

Via: helpnetsecurity

Advantages of Agile Work Strategies For Companies

We’ve read over 4,000 studies, reports, and articles about Agile work and here are what we’ve found to be the most common advantages for the companies that establish such programs. The following pros and cons of work-from-home programs aren’t just our views; they’re the outcomes from a wide range of studies. Visit the Research: Pros & Cons page for additional information about how individuals and communities can benefit from telecommuting as well.

• Improves employee satisfaction

– People are sick of the rat-race, eager to take control of their lives, and desperate to find a balance between work and life.
– Two-thirds of people want to work from home.
– 36% would choose it over a pay raise.
– A poll of 1,500 technology professionals revealed that 37% would take a pay cut of 10% if they could work from home.
– Gen Y’ers are more difficult to recruit (as reported by 56% of hiring managers) and to retain (as reported by 64% of hiring managers), but they are particularly attracted to flexible work arrangements (rating among benefits as an 8 on a 10 scale for impact on overall job satisfaction).
– 80% of employees consider telework a job perk.

• Reduces attrition

– Losing a valued employee can cost an employer $10,000 to $30,000.
– Recruiting and training a new hire costs thousands.
– 14% of Americans have changed jobs to shorten the commute.
– 46% of companies that allow telework say it has reduced attrition.
– 95% of employers say telework has a high impact on employee retention.
– Almost half of employees feel their commute is getting worse; 70% of them feel their employers should take the lead in helping them solve the problem.
– 92% of employees are concerned with the high cost of fuel and 80% of them specifically cite the cost of commuting to work. 73% feel their employers should take the lead in helping them reduce their commuting costs.
– Two-thirds of employees would take another job to ease the commute.

• Reduces unscheduled absences

– 78% of employees who call in sick, really aren’t. They do so because of family issues, personal needs, and stress.
– Unscheduled absences cost employers $1,800/employee/year; that adds up to $300 billion/year for U.S. companies.
– According to the American Management Association, organizations that implemented a telework program realized a 63% reduction in unscheduled absences.
– Teleworkers typically continue to work when they’re sick (without infecting others).
– Teleworkers return to work more quickly following surgery or medical issues.
– Flexible hours allow teleworkers to run errands or schedule appointments without losing a full day.

• Increases productivity

– Best Buy, British Telecom, Dow Chemical, and many others show that teleworkers are 35-40% more productive.
– Businesses lose $600 billion a year in workplace distractions.
– Over two-thirds of employers report increased productivity among their telecommuters.
– Sun Microsystems’ experience suggests that employees spend 60% of the commuting time they save performing work for the company.
– AT&T workers work five more hours at home than their office workers.
– JD Edwards teleworkers are 20-25% more productive than their office counterparts.
– American Express workers produced 43% more than their office based counterparts.
– Compaq increased productivity 15-45%.

• Saves employers money

– Nearly six out of ten employers identify cost savings as a significant benefit to telecommuting.
– Alpine Access Remote Agents close 30% more sales than traditional agents the year before. Customer complaints decreased by 90%. And turnover decreased by 88%.
– IBM slashed real estate costs by $50 million.
– McKesson saves $2 million a year.
– Nortel estimates that they save $100,000 per employee they don’t have to relocate.
– Average real estate savings with full-time telework is $10,000/employee/year.
– Partial telework can offer real estate savings by instituting an office hoteling program.
– Dow Chemical and Nortel save over 30% on non-real estate costs.
– Sun Microsystems saves $68 million a year in real estate costs.
– Offers inexpensive compliance with ADA for disabled workers.
– Saves brick and mortar costs in industries where regulations or needs require local workers (e.g. healthcare, e-tail).

• Equalizes personalities and reduces potential for discrimination

– Hiring sight unseen, as some all-virtual employers do, greatly reduces the potential for discrimination.
– It ensures that people are judged by what they do versus what they look like.
– Communications via focus groups, instant messaging, and the like equalizes personalities. No longer is the loudest voice the one that’s heard.

• Cuts down on wasted meetings

– Asynchronous communications allow people to communicate more efficiently.
– Web-based meetings are better-planned and more apt to stay on message.

• Increases employee empowerment

– Remote work forces people to be more independent and self-directed.

• Increases collaboration

– Once telework technologies are in place, employees and contractors can work together without regard to logistics. This substantially increases collaboration options.

• Provides new employment opportunities for the un- and under-employed

– Eighteen million Americans with some college education aren’t working.
– More than 12% of the working-age population are disabled (16 million). A full three-quarters of unemployed workers with disabilities cite discrimination in the workplace and lack of transportation as major factors that prevent them from working.
– 24 million Americans work part-time.
– Only 75% of women, still the traditional primary caregivers age twenty-five to fifty-four, participate in the labor force (compared to 90% of men). Almost a quarter of women work part-time (16.5 million), compared to 10% of men.

• Expands the talent pool

– Over 40% of employers are feeling the labor pinch; that will worsen as Boomers retire.
– Reduces geographic boundaries.
– Provides access to disabled workers.
– Offers an alternative that would have otherwise kept parents and senior caregivers out of the workforce.
– Offers geographic, socioeconomic, and cultural diversity that would not otherwise be possible.
– Over 70% of employees report that the ability to telecommute will be somewhat to extremely important in choosing their next job.

• Slows the brain-drain due to retiring Boomers

– 75% of retirees want to continue to work – but they want the flexibility to enjoy their retirement.
– 36% of retirees say the ability to work part-time rather than full-time, or to work from home would have encouraged them to keep working – even if it didn’t provide health benefits or meant a temporarily reduced pension.
– 38% of surveyed retirees indicated that being able to work seasonally or on an independent contractor basis would have encouraged them to delay retirement.
– 71% of retired workers who later decided to go back to work, originally retired because of a desire for more flexibility than their job offered.

• Reduces staffing redundancies and offers quick scale-up and scale-down options

– Having access to a flexible at-home workforce allows call centers, airlines, and others to add and reduce staff quickly as needed.
– The need to overstaff ‘just in case’ is greatly reduced.
– 24/7 worldwide coverage is easier to staff with home-based help.

• Environmentally friendly policies are good for companies

– Sun Microsystems reported that its 24,000 U.S. employees participating in the Open Work Program avoided producing 32,000 metric tons of CO2 last year by driving less often to and from work.
– Office equipment energy consumption rate is twice that of home office equipment energy consumption.
– 70% of employees report they would see their companies in a more favorable light if they helped them reduce their carbon emissions.
– 24% of employees say they’d take a pay cut of up to 10% to help the environment.

• Reduces traffic jams

– If traffic continues to grow at the current pace, over the next couple of decades drivers in Atlanta, Baltimore, Chicago, Denver, Las Vegas, Miami, Minneapolis/St. Paul, Portland, San Francisco-Oakland, Seattle-Tacoma, and Washington, D.C. will be sitting in daily traffic jams worse than the infamous traffic jams that plague Los Angeles eight hours a day.
– As a result, commutes will take almost twice as long and you’ll have to leave even earlier to allow for traffic jams if you have to arrive someplace at a specific time, producing a further reduction to our national productivity.
– Traffic jams rob the U.S. economy of $78 billion/year in productivity.
– Traffic jams idle away almost three billion gallons of gas and accounts for 26 million extra tons of greenhouse gases.
– Every 1% reduction in vehicles yields a three-fold decrease in congestion.

• Prevents traffic accidents

– Half-time telework, for the portion of the population that holds telework-compatible jobs and wants to work from home, would save more than 1,600 lives, prevent almost 99,000 injuries, and save over $12 billion a year in direct and indirect costs associated with traffic accidents.

• Takes the pressure off our crumbling transportation infrastructure

– New roads are being built to meet needs of ten to twenty years ago. Less than 6% of our cities’ roads have kept pace with demand over the past decade.
– By 2025 we’ll need another 104,000 additional lane miles – that will cost $530 billion.

• Ensures continuity of operations in the event of a disaster

– Federal workers are required to telework to the maximum extent possible for this reason.
– Bird flu, terrorism, roadway problems, and weather-related disasters are all drivers.
– Three-quarters of teleworkers say they could continue to work in the event of a disaster compared with just 28% of non-teleworkers.

• Improves performance measurement systems

– Drucker, Six Sigma, and management experts agree that goal setting and performance measurement is key to successful management.
– For telework to work, employees must be measured by what they do, not where or how they do it.

• Offers access to grants and financial incentives

– A number of states, including Virginia, Georgia, and Oregon offer financial incentives for businesses to adopt telework. Other states including Arizona, Vermont, Washington, and Connecticut offer free training to encourage companies to give it a try.

The Obstacles To Work At Home and Telecommuting Programs

• Management mistrust

– 75% of managers say they trust their employee, but a third say they’d like to be able to see them, just to be sure.
– Company culture must embrace the concept at all levels; sweatshop and typing pool mentality has to be abandoned.
– From Peter Drucker’s introduction of Management-By-Objectives in the mid-1950’s, to Six Sigma which was popularized by General Electric’s Jack Welch in the 1990’s, setting and measuring goals has long been held as the key to good management.

• It’s not for everyone

– For some, social needs must be addressed. Telephone, email, instant messaging are a solution for some. Innovative solutions such as virtual outings, online games, and even Second Life have proven successful as well. Occasional telework is also a solution.
– Telecommuters must be self-directed.
– They should be comfortable with technology or arrangements should be made for remote tech support.
– They should have a defined home office space.
– Home-based employees need to understand that telecommuting is not a suitable replacement for daycare unless they can schedule work hours around their children’s needs.

• Career fears from ‘out of sight, out of mind’ mentality

– Some employees cite career fears as a reason not to telecommute. Successful teleworking programs overcome the ‘out of sight, out of mind’ issue with performance-based measurement systems, productivity versus presenteeism attitudes. Teleworkers who maintain regular communications (telephone, email, instant chat, even the occasional face-to-face meeting) with traditional co-workers and managers find career impact is not an issue.

• Co-worker jealousy

– Employees need to understand why they were or were not chosen for telework.
– Employees should see telework as a benefit that is earned, not given.
– Standards of selection should be uniform.

• Security issues

– Almost 93% of managers involved in the IRS pilot telework program believe there is no problem with data security.
– Security issues are easy to solve, but must be addressed.
– 90% of those charged with security in large organizations feel that home-based workers are not a security concern. In fact, they are more concerned with the occasional work that is taken out of the office by traditional employees who lack the training, tools, and technologies that teleworkers receive.
– Security training should be provided for all employees.

• IT infrastructure changes may be necessary

– Teleworkers need access to company systems, software, and data.
– Infrastructure changes that support telework improve efficiency for office and traveling employees as well.
– Companies need to address remote technical support issues. Off-the-shelf solutions exist.

• Collaboration concerns

– Some managers feel that distance inhibits collaboration. They need the ‘energy in the room’ when a crisis occurs.

• Double-taxation

– Some cities, notably New York, impose taxes on home-based workers whether they work in the city or not. A Connecticut resident who works at home for a New York company owes taxes to both states.

• Employment law and OSHA concerns

– A few recent accidents in the homes of teleworkers have raised concerns about employer liability.
– The inability to monitor employee overtime is also an issue.

• Local zoning issues

– Some communities and homeowner associations prohibit home offices.

Via: globalworkplaceanalytics

Wells Fargo looks to eye-scan security


Starting this summer, San Francisco banking giant Wells Fargo will let corporate clients sign in to the bank’s commercial banking app using either an eye scan or a face- and voice-recognition system. (Wells Fargo)

Eye scanners have long been the stuff of sci-fi and action flicks, safeguarding everything from classified data to secret lairs.

Soon, though, they’ll be used in the real world to protect something more mundane: your bank account. Or, more precisely, your company’s much larger one.

Starting this summer, San Francisco banking giant Wells Fargo & Co. will let corporate clients sign in to the bank’s commercial banking app using either an eye scan or a face- and voice-recognition system.

It’s the latest step in a broader push by banks and other institutions to do away with passwords, PINs and other information that can be stolen or forgotten, and replace them with biometrics — unique physical characteristics that, for now at least, are difficult to forge.

“User names and passwords are basically 15 years old. They’re at the end of their useful life,” said Secil Watson, who oversees online and mobile applications for Wells Fargo commercial banking. “Something needs to take their place.”

Fingerprint identification is becoming commonplace thanks to the addition of scanners on phones from Apple, Samsung and others. Big banks, including Bank of America and JPMorgan Chase, already let non-business customers sign into their mobile banking apps with their fingerprints, a feature that Wells Fargo will roll out soon.

But other biometric markers — such as the sound of your voice, the shape of your face and the appearance of your eyes — are considered more secure and thus preferable for multimillion-dollar accounts.

That’s because fingerprint-authentication technology built into mobile phones allows a user to authorize more than one fingerprint for that phone, such as a family member’s. That’s not possible with the other biometric markers.

The most sophisticated eye scanners, such as those used by government security agencies, peer into the eye to look at the blood vessels on the retina. The system Wells Fargo will roll out in a few months uses a smartphone’s front-facing camera to look at the pattern of blood vessels in the whites of the eyes, a pattern that doesn’t change and is unique like a fingerprint.

Initially conceived by a University of Missouri professor as a military tool, the system was developed by EyeVerify, a Kansas City, Mo., start-up that Wells Fargo invested in two years ago. Its Eyeprint ID system is already used by a few smaller financial institutions, including a Utah credit union and a subsidiary of Toronto’s Scotiabank.

To sign in, a customer opens the app and selects the eye-scan option, then lines up the phone’s camera so the eyes are centered in a box on the screen. The customer is then directed to look to the side, exposing the blood vessels on one side of the eye.

The whole process takes just a few seconds — longer than it needs to take. “An early prototype was faster, but customers thought it was too fast and that nothing was happening,” Watson said.

To use the bank’s alternative face- and voice-recognition system, developed by two other firms, customers line up their face in a box on their phone’s screen, then read a series of numbers that pops up on the screen.

The two biometric systems replace a cumbersome process now required of corporate clients who log into the Wells Fargo app. They not only need a user name, password and corporate ID number, but a code from a security token — a device that spits out a six- or eight-digit number every few minutes that is synced with a bank server.

David Miller, the treasurer of Hunt Cos., a real estate investment firm and Wells Fargo customer, carries around more than a dozen of the keychain-size tokens — at least one for each bank his company works with.

“When I go on vacation, I take them with me,” he said. “I don’t feel comfortable not having them on me.”

Last year, Miller was one of a handful of Wells Fargo clients who tried out the biometric sign-in. One day, he was at his doctor’s office when he got an email asking him to approve a $10-million wire transfer before the close of business.

It was nearly 5 p.m., and Miller said he didn’t have time to run to his car to retrieve his security token. So he signed in with the face- and voice-recognition system and approved the transaction.

“These things are extremely time sensitive,” Miller said.

Shirley Inscoe, a senior analyst at finance-industry consulting firm Aite Group, said Miller isn’t the only corporate executive who hates dealing with security tokens.

“Hard tokens are a pain in the neck,” Inscoe said. “What banks are doing is a reaction to what their customers want.”

Watson said Wells Fargo has been looking at biometric systems for six or seven years, initially studying voice-authentication programs that could identify customers ringing up call centers.

But over the last few years, mobile devices have improved, with microphones and cameras powerful enough to support biometric sign-in systems. Corporate clients also began conducting more financial transactions on their phones, which weren’t designed for them.

“You’re holding two devices at once, you’re entering all those numbers. On mobile, the experience was much clunkier,” she said.

The eye-scan system has a few limitations. It works if you wear glasses or contacts, but not if you have a glass eye. It might be thrown off if the users can’t stand still — say if they’re in a moving vehicle — or if there’s not enough light.

However, it will work even if your eyes are bloodshot.

“We are hangover compatible,” said Toby Rush, EyeVerify’s chief executive.

Via: latimes

Keybase Introduces End-To-End Encrypted File Sharing Service

There’s promising news for individuals and organizations that deal in confidential data. Keybase, the service for sending encrypted messages, has begun to offer a file-sharing feature that is powered by end-to-end encryption, making it considerably more secure than Dropbox or other mainstream file-sharing options.

The feature has initially rolled out to a selection of Keybase users, who can create either public folders or private folders accessible only to the people they invite. All files appear as plaintext, aside from images, as demonstrated in this sample page.

Because the folders are end-to-end encrypted, their contents are not readable by Keybase’s server. (Dropbox and others have been accused of posing security risks in this area.) Instead, private folders are streamed on demand to users who have been granted access to them.


Perhaps most interestingly, the team is preparing to add a feature that would enable Keybase users to securely share files with others who do not (yet) use the service.

“You’ll be able to throw data into “/keybase/private/jonrussell,pal@twitter”, even if that Twitter user hasn’t joined Keybase yet. Your app will encrypt just for you and then awake and rekey in the background when that Twitter user joins and announces a key,” the company explained on its blog.

Initially, all early users have been given 10GB of storage to get started. There’s no plan to expand that but Keybase said it will probably introduce paid plans to increase that allocation for those who want it.

That said, the company — which raised a $10.8 million Series A round last year — admits that it doesn’t have a monetization model in place just yet. Things may still be up in the air on that front, but Keybase has pledged to remain ad-free and free for regular users, while it said it will never sell its users’ data.

“We’re not trying to make money,” the company further explained. “We’re testing a product right now, and we’d like to bring public keys to the masses.”

This is a fascinating new service — bonus information nugget: keys are hashed into the blockchain for security — which could have real value for anyone wanting to transfer information confidentially online, be they whistleblowers, media informants, or individuals or organizations in possession of highly sensitive data.

You can check out the Keybase blog post for more technical details and information about how to get on to the beta. Be warned though, you may need to wait on an invite — that’s assuming that you’ve managed to get an invite to the main Keybase service already.

Via: techcrunch

How to Hack a Computer from 100 Meters by Hijacking its Wireless Mouse or Keyboard

No matter how secure you think your computer might be, something malicious can always happen. A computer is an open book to anyone with the right tools and talent.

A group of security researchers proved as much by hacking into a computer with no Internet connection and no Bluetooth devices.

Yes, it is possible for attackers to hack your computer through non-Bluetooth devices such as your wireless mouse and keyboard and install malware or a rootkit onto your machine.

That innocent-looking tiny dongle plugged into your USB port to transmit data between your wireless mouse and the computer is not as innocent as it pretends to be.

What’s the Vulnerability?

Security researchers from the Internet of Things security firm Bastille have warned that wireless keyboards and mice from seven popular manufacturers, including Logitech, Dell, Microsoft, HP and Lenovo, are vulnerable to so-called MouseJack attacks, leaving billions of computers exposed to hackers.

The flaw actually resides in the way these wireless mice and their corresponding radio receivers handle encryption.

The connection between the tiny dongle and the mouse is not encrypted; thus, the dongle would accept any seemingly valid command.

How to Hijack a Wireless Mouse and Hack a Computer?

Wireless mice and keyboards communicate via radio frequency with a USB dongle inserted into the PC. The dongle then sends packets to the PC so that it registers the mouse clicks or keystrokes.

Most wireless keyboard manufacturers encrypt traffic between the keyboard and the dongle in an effort to prevent spoofing or hijacking of the device. However, the mice tested by Bastille did not encrypt their communications to the dongle, allowing an attacker to spoof a mouse and install malware on a victim’s PC.

Using a long-range radio dongle costing around $15-$30 and a few lines of code, a malicious hacker within 100 meters of your computer could intercept the radio signal between the dongle plugged into your computer and your mouse.

The hacker can, therefore, send packets that generate keystrokes instead of mouse clicks, allowing the hacker to direct your computer to a malicious server or website in mere seconds.

During their tests, researchers were able to generate 1000 words/minute over the wireless connection and install a malicious Rootkit in about 10 seconds. They tested several mice from Logitech, Lenovo, and Dell that operate over 2.4GHz wireless communications.
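The acceptance logic the researchers describe, modelled in Python as an added example (this is not Bastille's code; the frame layout, the pairing key and the HMAC tag are constructed assumptions, not any vendor's air protocol): the first dongle class accepts any frame addressed to it, which is the flaw, while the second requires a tag under a key shared at pairing time plus a strictly increasing counter, which is the minimum a patched design has to provide.

```python
import hmac
import hashlib
from dataclasses import dataclass


# Constructed, simplified frame model for illustration only; real 2.4GHz mouse and
# keyboard air formats differ, and nothing here reproduces a vendor protocol.
@dataclass
class Frame:
    address: bytes          # receiver address the dongle listens on
    kind: str               # "mouse" or "keyboard"
    payload: bytes          # movement/button data or key codes
    counter: int = 0        # increases monotonically per paired device
    tag: bytes = b""        # authentication tag (absent in the flawed design)


def frame_mac(key: bytes, frame: Frame) -> bytes:
    """Tag over everything the dongle acts on, so a forged or altered frame fails."""
    msg = frame.address + frame.kind.encode() + frame.counter.to_bytes(4, "big") + frame.payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class UnauthenticatedDongle:
    """Model of the flawed behaviour: any frame addressed to the dongle is accepted,
    including keyboard frames from a transmitter that was never paired."""
    def __init__(self, address: bytes):
        self.address = address
        self.accepted = []

    def receive(self, frame: Frame) -> bool:
        if frame.address != self.address:
            return False
        self.accepted.append((frame.kind, frame.payload))
        return True


class AuthenticatedDongle:
    """Hardened model: frames must carry a valid tag under the key established at
    pairing time, and the counter must strictly increase so replays are dropped."""
    def __init__(self, address: bytes, pairing_key: bytes):
        self.address = address
        self.key = pairing_key
        self.last_counter = -1
        self.accepted = []

    def receive(self, frame: Frame) -> bool:
        if frame.address != self.address:
            return False
        if not hmac.compare_digest(frame_mac(self.key, frame), frame.tag):
            return False          # forged or tampered frame
        if frame.counter <= self.last_counter:
            return False          # replayed frame
        self.last_counter = frame.counter
        self.accepted.append((frame.kind, frame.payload))
        return True


def paired_frame(key: bytes, address: bytes, counter: int, kind: str, payload: bytes) -> Frame:
    """What a legitimately paired device sends: the tag is computed with the shared key."""
    f = Frame(address, kind, payload, counter)
    f.tag = frame_mac(key, f)
    return f


def demo() -> dict:
    """Feed both dongle models the same traffic and report what each one accepts."""
    addr = bytes.fromhex("a1b2c3d4e5")                                  # constructed
    key = hashlib.sha256(b"constructed pairing secret").digest()        # constructed
    legit = paired_frame(key, addr, 1, "mouse", b"\x00\x01\x00")
    # A transmitter that only learned the address can build this frame but has no key.
    injected = Frame(addr, "keyboard", b"\x04\x05\x06", counter=2)

    weak = UnauthenticatedDongle(addr)
    strong = AuthenticatedDongle(addr, key)
    return {
        "weak_accepts_injection": weak.receive(injected),
        "strong_accepts_legit": strong.receive(legit),
        "strong_accepts_injection": strong.receive(injected),
        "strong_accepts_replay": strong.receive(legit),
        "weak_keyboard_frames": sum(1 for k, _ in weak.accepted if k == "keyboard"),
    }


if __name__ == "__main__":
    print(demo())
```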

Who Is Affected?

The following is the list of the wireless keyboard and mouse manufacturers whose non-Bluetooth wireless devices are affected by the MouseJack flaws:

  • Logitech
  • Dell
  • HP
  • Lenovo
  • Microsoft
  • Gigabyte
  • AmazonBasics

Billions of PC users with wireless dongles from any of the above manufacturers are at risk from the MouseJack flaw. Even Apple Macintosh and Linux users could be vulnerable to the attack.

Bluetooth mice are a separate category and are not affected by this security issue.

Many Wireless Devices will Never Receive any Patch

The researchers have already reported the security issue to all the seven manufacturers, but as of today, only Logitech has released a firmware update that blocks MouseJack attacks.

However, many cheaper mice do not have updatable firmware, so they will remain vulnerable indefinitely, which could be a major issue in business environments where peripherals are often used for several years before being replaced.

Although Lenovo, HP, Amazon, and Gigabyte did not comment, a Dell spokesperson advised the users of the KM714 keyboard and mouse combo to get the Logitech firmware patch via Dell Tech Support and the KM632 Combo users to replace their devices.

Here’s the list of affected devices, so if you are using one of them, it might be time to check for updates, and if not available, replace your existing peripheral.

For more in-depth knowledge, you can refer to this white paper explaining the technical details.

Via: thehackernews

Wi-Fi hotspot blocking persists despite FCC crackdown

An examination of complaints to the FCC finds consumer suspicions about big-name hotels even after large fines for Wi-Fi hotspot blocking were issued.

The FCC has slapped hotels and other organizations with nearly $2.1 million in fines since the fall of 2014 for blocking patrons’ portable Wi-Fi hotspots in the name of IT security, or more likely, to gouge customers for Internet service. But Network World‘s examination of more than a year’s worth of consumer complaints to the FCC about Wi-Fi jamming shows that not all venue operators are getting the message (see infographic below).

Indeed, more than half of the 50-plus complaints whose contents we pored through following a Freedom of Information Act (FOIA) request to the FCC came within the few months after the FCC’s initial action on this matter, a $600,000 fine on Marriott in October of 2014. Another two dozen complaints trickled in to the FCC in 2015 – a year that began with the FCC serving stern notice that Wi-Fi blocking is prohibited and ended with the agency dishing out a $718,000 fine to big electrical contracting company M.C. Dean for blocking consumers’ Wi-Fi connections and a $25,000 fine to Hilton Worldwide for “apparent obstruction of an investigation” into whether Hilton blocked consumers’ Wi-Fi devices. The spectrum used by Wi-Fi is unlicensed, and therefore available for broad use.

Complainants’ identities were redacted by the FCC Consumer & Governmental Affairs Bureau in the documents delivered to us via the FOIA request, and just because a complaint or comment was filed does not mean that an FCC violation occurred. However, the complaints as a whole do paint a picture of a problem that is both widespread geographically and in terms of where suspected Wi-Fi hotspot blocking has taken place. No doubt others have experienced Wi-Fi blocking with personal hotspot devices supplied by the likes of AT&T or Verizon and didn’t complain to the FCC because they didn’t feel like it, didn’t realize there was an FCC consumer complaint site and hotline, or didn’t even know they were being stymied.

Big name hospitality outfits, from Sheraton to Motel 6, were named, with one person describing a Motel 6 Wi-Fi network in Denver as acting “like a virus… [It] would not remain disconnected” and allow the patron to use his or her hotspot.

A handful of Marriott locations were fingered by consumers well after the FCC levied its fine. One consumer argued that Marriott blocking personal Wi-Fi hotspots is an infringement on freedom of speech, as “forcing me to use their system allows them to block me from sites (say Hilton’s website) that they don’t like.”

Casinos, airports and lesser-known organizations were also complained about, with several people critical of Boingo at airports. One complaint even suggested a big retailer was blocking customer Wi-Fi so as to force them onto a store network that would allow patrons’ movements and search engine inquiries to be tracked.

Requests for comment to Sheraton, Motel 6, a WiFi Coalition supposedly addressing WiFi blocking for the International Association of Venue Managers, and the American Gaming Association went unanswered. Marriott CIO Bruce Hoffmeister has communicated on the WiFi blocking subject by way of canned press statements. For this article, a Marriott spokesman shared the following statement:

“As we have stated, we do not block Wi-Fi signals at any hotel we manage for any reason. The policy across our managed hotels forbids blocking under any circumstances, and the capability within the networks to block is disabled. As with most wireless technologies, WiFi is not 100% reliable and at times people may assume that WiFi connectivity issues at any hotel — whether ours or not — are due to the hotel engaging in blocking. This is not the case. To reiterate, Marriott does not block WiFi signals.”

The hospitality and convention industries have been made well aware that Wi-Fi blocking is not allowed (here’s a warning issued by one hotel lawyer). It remains to be seen whether Wi-Fi blocking will receive any continued attention at hospitality/lodging industry conventions, such as this June’s big Hospitality Industry Technology Exposition & Conference, which hasn’t yet posted its agenda. However, HITEC does highlight on its site a 2015 Lodging Technology Implementation report finding that guest Wi-Fi is the top in-room technology that hospitality-industry survey respondents said was worth investing in.

Wi-Fi Hotspot Device Blocking Complaints

Given that the hospitality industry’s blocking antics extend from Wi-Fi hotspot devices to press inquiries, we went directly to the consumers, by way of the FOIA request to the FCC. Perusing the consumer complaints makes for illuminating reading, even though some of the comments are only a sentence or two long; most include identifying information about the venue in question. (Some 200 of the 250 or so total complaints included in the FOIA request package related more to other aspects of Wi-Fi blocking, largely having to do with dissatisfaction with ISPs’ promises; all of the documents are embedded at the end of this article.) Complaints were collected via online forms as well as via a telephone hotline, and it’s clear that many of the objections were the products of an increasingly tech-savvy public.



Widening Wi-Fi blocking by the numbers

Eight of the complaints at non-Marriott hotels made reference to the FCC’s Marriott case, which clearly raised awareness of the Wi-Fi jamming practice.

“I believe that the Hilton Hotel in Phoenix is preventing wireless access by any wireless networks other than the for-pay wireless network they provide, as Marriott Hotels had been found guilty of doing,” wrote a person from Napa, Calif., in late October of 2014.

“The ruling today with regard to Marriott blocking wi-fi reminded me of an issue I had a few months ago while staying at [a hotel] in Oakland,” wrote one person from Modesto, Calif., in early October 2014. “My hot spot was blocked and every attempt to surf pushed me to the hotel’s page… There are undoubtedly numerous hotels which do this, so the message that it is illegal needs to be more widely circulated.”

The FCC attempted to do exactly that with its January 2015 Enforcement Advisory: “The Enforcement Bureau has seen a disturbing trend in which hotels and other commercial establishments block wireless consumers from using their own personal Wi-Fi hot spots on the commercial establishment’s premises. As a result, the Bureau is protecting consumers by aggressively investigating and acting against such unlawful intentional interference.” It is a bit surprising, though, that the FCC is unwilling to go on record with any sort of update on that effort to re-emphasize the point.

One person grumbled about getting blocked at a casino/resort/spa in Las Vegas: “On Friday I was in the convention center. A hotel employee asked how the convention was going. I said fine except my cell phone internet would not work. The employee said that’s because the convention center blocks wifi signals. I asked why they do that? The employee said because wifi in the convention center is a paid service…”

Another cited Smart City for jamming Wi-Fi signals at the Orange County Convention Center in Orlando, and in fact, this very Internet service provider was fined $750K last summer by the FCC for blocking people’s Wi-Fi to encourage them to pay for service at five sites, including one in Orlando. “I contacted Smart City and they denied any wrongdoing, but we were able to collect the attached router logs indicating deauthentication was taking place,” a person from San Francisco wrote.
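As an added example, not part of the Network World article, here is a small detector for the kind of “router logs indicating deauthentication” that complainant collected: it flags any claimed sender that emits a burst of deauthentication frames inside a short sliding window and counts frames aimed at the broadcast address. The log line format, the thresholds and the sample traffic are constructed assumptions; adapt LOG_RE to what your own access point or hotspot actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format used for this example (assumption): one frame event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<type>\w+) "
    r"src=(?P<src>[0-9a-f:]{17}) dst=(?P<dst>[0-9a-f:]{17})(?: reason=(?P<reason>\d+))?$"
)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_line(line: str):
    """Return a dict for a well-formed event line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def deauth_bursts(lines, window_seconds: int = 10, threshold: int = 5) -> dict:
    """Map each claimed sender to the peak number of deauth/disassoc frames it sent
    inside any sliding window of `window_seconds`, keeping only senders above
    `threshold`. A blocker spoofs the src address, so this identifies the address
    being impersonated (usually the victim's own hotspot), not the true transmitter;
    the burst rate is the signal, since a real AP deauthenticates rarely."""
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["type"] not in ("deauth", "disassoc"):
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peak[rec["src"]] = max(peak.get(rec["src"], 0), len(q))
    return peak


def broadcast_deauths(lines) -> int:
    """Count deauth frames aimed at every client at once; a normal AP rarely does this."""
    return sum(
        1 for rec in map(parse_line, lines)
        if rec and rec["type"] == "deauth" and rec["dst"] == BROADCAST
    )


# Constructed sample: one routine deauth from the hotspot when a client leaves, then a
# burst of 12 broadcast deauths in 12 seconds claiming to come from the hotspot's own
# address, then a lone straggler twenty seconds later.
HOTSPOT = "0a:0b:0c:0d:0e:0f"
SAMPLE_LOG = [
    "2015-06-12 14:03:20 assoc src=00:11:22:33:44:55 dst=0a:0b:0c:0d:0e:0f",
    "2015-06-12 14:03:21 deauth src=0a:0b:0c:0d:0e:0f dst=00:11:22:33:44:55 reason=3",
] + [
    f"2015-06-12 14:05:{s:02d} deauth src={HOTSPOT} dst={BROADCAST} reason=7"
    for s in range(12)
] + [f"2015-06-12 14:05:30 deauth src={HOTSPOT} dst={BROADCAST} reason=7"]


if __name__ == "__main__":
    print(deauth_bursts(SAMPLE_LOG), broadcast_deauths(SAMPLE_LOG))
```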

Still another, attempting to use a Verizon Jetpack Mi-Fi 4510L hotspot device, wrote of a Four Seasons hotel in Florida whose tech team “denied blocking wifi, but also said they only support Four Seasons network. Suggested I call Verizon to troubleshoot – unable to troubleshoot because IP address for hotspot is blocked by the hotel.” The hotel offered free low-speed Internet access or a daily paid service.

The FCC refuses to comment on any ongoing WiFi blocking investigations or whether hotels and other organizations seem to have cleaned up their acts since the agency issued its warning at the start of 2015. But an FCC spokesman does say that the agency’s Enforcement Bureau investigations into WiFi blocking stem both from consumer complaints as well as from other tips. “Thoroughly investigating potential violations of the law, including following up on consumer complaints, is a core function of the agency,” he says.

Some IT professionals at organizations outside of hospitality (such as universities) wish the FCC would elaborate on its concerns. They remain wary about what they can and can’t do in terms of managing and securing wireless networks using de-authentication and other tools supplied by WLAN vendors like Aruba, Cisco, Ruckus and Xirrus (see “Wi-Fi blocking debate far from over”).

Behind The Wi-Fi Hotspot Blocking Scenes

The blocking of Wi-Fi hotspots at hotels and convention centers is naturally much more complicated than what you can glean from consumer complaints, says technology marketing veteran Andy Abramson, author of the VoIPWatch blog and a victim of Wi-Fi blocking himself. He tells of one Las Vegas venue – since fined — that was threatening to escort people out of the building if they were caught using a third-party connection.

“They weren’t blocking using technology, they were blocking by intimidation,” he says.

The real backstory to much of this, Abramson says, is that venues typically have contracts with third-party providers written by attorneys whose expertise lies in real estate or commercial dealings rather than telecom/networking specifically. These deals guarantee exclusivity for broadband providers, and include promises for union electricians, etc., but don’t account for the major technology changes we’ve seen in wireless and beyond. They also can prevent companies from installing technology such as distributed antenna systems (DAS) that could help deliver LTE or 4G broadband services to venues, he said.

The end result has been that venues and their partners have looked to cover their costs by offering pricey Internet access — and thus, “the Mi-Fi market was born,” Abramson says. There are promising changes taking place, especially at newer venues where better and more flexible wireless setups are being installed, but he says to date “it’s all been about ignorance to technology advancements or about milking the customer for as long as possible using older, slower technology so the investment is paid back and profits made.”

So yes, consumers have had plenty to complain about.

Consumer complaints about WiFi hotspot blocking to the FCC (Oct 2014-Dec 2015)


Via: networkworld

Rosen Hotels & Resorts discloses data breach

Malware on the payment network exposed credit card details.

Orlando-based Rosen Hotels and Resorts Inc. (RH&R) disclosed a data breach last week that impacted an unknown number of guest credit cards. The upscale hospitality provider says that the cards were compromised by malware on the payment network.

The hotel first learned of the problem after it started to receive unconfirmed reports on February 3 of patterns of unauthorized charges on cards shortly after guests had used them during their stay. An investigation of the matter, which involved an outside security firm, discovered malware on the payment network.

The malware, RH&R explained, “searched for data read from the magnetic stripe of payment cards as it was routed through the affected systems.”

“In some instances the malware identified payment card data that included cardholder name, card number, expiration date, and internal verification code. In other instances the malware only found payment card data that did not include cardholder name. No other customer information was involved,” the statement added.
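The check a defender runs over a memory capture or application log to confirm that stripe data of this kind is not sitting in cleartext, written in Python as an added example (this is not RH&R's or its investigators' tooling; the patterns, the sample buffer and the 4111... test PAN are constructed). It reports Luhn-valid track 1 and track 2 records with their offsets and keeps only the BIN and last four digits in its output.

```python
import re

# Magnetic-stripe layouts per ISO/IEC 7813: track 1 reads %B<PAN>^<NAME>^<YYMM>...?
# and track 2 reads ;<PAN>=<YYMM>...?. The patterns below are constructed for this
# example and deliberately loose; the Luhn and expiry checks remove the false positives.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})[^?]{0,60}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; a random digit run fails it nine times in ten."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_expiry(yymm: str) -> bool:
    return yymm.isdigit() and 1 <= int(yymm[2:]) <= 12


def redact(pan: str) -> str:
    """Keep BIN and last four, as a PCI-style report would; never write the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Scan a byte buffer (a log file, a core dump, a packet capture) for cleartext
    track data and return redacted findings with offsets for follow-up."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan, exp = m.group(1).decode(), m.group(3).decode()
        if luhn_ok(pan) and plausible_expiry(exp):
            findings.append({"track": 1, "offset": m.start(), "pan": redact(pan),
                             "has_name": True, "expiry": exp})
    for m in TRACK2_RE.finditer(buf):
        pan, exp = m.group(1).decode(), m.group(2).decode()
        if luhn_ok(pan) and plausible_expiry(exp):
            findings.append({"track": 2, "offset": m.start(), "pan": redact(pan),
                             "has_name": False, "expiry": exp})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample buffer: a genuine-looking track 1 and track 2 record (using the
# well-known 4111... test PAN), a record with a bad Luhn digit, and one with an
# impossible expiry month. Only the first two should be reported.
SAMPLE = (
    b"POS debug: swipe ok\n"
    b"%B4111111111111111^DOE/JANE^18121011234567?\n"
    b";4111111111111111=18121011234567?\n"
    b";4111111111111112=1812101?\n"          # Luhn failure: not a real PAN
    b";4111111111111111=1813101?\n"          # month 13: not an expiry date
    b"POS debug: done\n"
)


if __name__ == "__main__":
    for finding in find_track_data(SAMPLE):
        print(finding)
```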

The breach could impact any card used at RH&R properties between September 2, 2014 and February 18, 2016. Where possible, the hotel will be contacting guests directly if their personal information was exposed along with the card data, but only if there is current contact information on file.

Everyone else is being encouraged to monitor their card statements, and report any suspicious transactions. RH&R is working with card brands and banks to identify the affected cards in order to increase monitoring.

Via: csoonline

Cox Communications Investigates Data Breach Affecting 40K Employees

The names, email addresses, phone numbers and other information that hackers purport relate to some 40,000 Cox Communications employees have turned up on a Dark Web marketplace.

“Selling 40k personal details of cox employs [sic],” reads the listing on The Real Deal Market.

After Vice’s Motherboard subsidiary obtained a sample of the data for verification, it found that the names seemed to match real employee names (according to LinkedIn data), and in some cases, publicly available web addresses. The outlet also sent the sample to the cable company, after which Cox was quick to respond—but stopped short of confirming that a breach had, in fact, happened.

“Cox Communications is aware of this matter and the business-related information to which it relates,” Todd Smith, a Cox Communications spokesperson, said in a statement to media. “We’re taking this very seriously and have engaged a third-party forensic team to conduct a comprehensive investigation and are actively working with law enforcement. Cox’s commitment to privacy and data security is a top priority for the company.”

The sample also included some internal information that could be used for phishing, like the name of the employees’ managers, physical addresses for Cox’s offices where the employees work, and the last date of log-in.

This is not the first breach that the company has faced. Last November, Cox was fined $595,000 by the FCC for failing to report a data breach involving customer data the previous year. In that case, teenage hacking gang Lizard Squad tricked a customer service employee into giving away personal information on about 60 customers.

“While the company has moved more swiftly to address the current situation than it did in 2014, clearly Cox has more work to do with its privacy and data security protocols,” said Adam Levin, chairman and founder of IDT911. “If you are an impacted employee, and it appears that any of your credit or financial accounts have been tampered with, close the accounts immediately to prevent thieves from accessing any more information.”

Regarding the phishing threat, he added, “Do not click on any links in emails you receive or provide any personal information to someone who contacts you either online or by phone because it could be a phishing, spearphishing or vishing attack. Also, check to see if any financial services firm or insurance company with which you have a relationship offers a program to help you navigate this process.”

Via: infosecurity-magazine

Wendy’s data breach among worst, chief of credit-union group says

The data breach at some Wendy’s restaurants might be a whopper.

That’s what Dan Berger, president of the National Association of Federal Credit Unions, told Brian Krebs, the author of the widely followed blog Krebs on Security.

“This is what we’ve heard from three different credit union CEOs in Ohio now: It’s more concentrated and the amounts hitting compromised debit accounts are much higher than what they were hit with after Home Depot or Target,” Berger said this week.

“It seems to have been the work of a sophisticated group, in terms of the timing and the accounts they targeted. They were targeting and draining debit accounts with lots of money in them.”

Berger did not respond to a request for comment Thursday. Wendy’s also declined to comment on the data breach other than to say its investigation was ongoing and some malware was found at some locations.

Wendy’s has not identified the locations where the breaches occurred, when they occurred, how many were involved, or the dollar amounts of the transactions. Wendy’s, which is based in Dublin, has more than 6,000 stores worldwide, the vast majority of them in North America and owned by franchisees.

The lack of communication has frustrated at least one financial institution trying to diagnose the issue.

“We don’t know how large or small the problem is,” said Gretchen Bartholomew, director of operations for Columbus-based Kemba Financial Credit Union. “Wendy’s is not providing that information fast enough, which is typical in these breaches.”

Fraud on debit-card transactions in February at Kemba was up 34 percent on a dollar basis from January, she said. The credit union, which has 84,000 members primarily in central Ohio, can’t be certain that the breach at Wendy’s is behind the increase because of a lack of information.

“It has increased, but can I truly attribute that to Wendy’s? Probably a good portion of it is,” she said.

One analyst warned that if the breach hurts enough customers it could dent Wendy’s reputation and sales, similar to Chipotle’s food safety concerns last year.

“I think it depends right now on whether customers are impacted and how much that runs through social media,” said John Gordon, a restaurant analyst and principal of Pacific Management Consulting Group. “It could hurt them. Anytime something like this happens to a big, big retailer, it’s material.”

The scope of the breach remains unknown, though Berger shared with Krebs the opinion of one credit union CEO, who asked to remain anonymous. That person told Berger “that his or her credit union might face ‘5 to 10 times the loss’ it faced after the Target and Home Depot breaches,” according to a press release from the National Association of Federal Credit Unions.

Target settled with financial institutions late last year for $39.4 million related to fraudulent charges made in the wake of its 2013 breach.

The breach at Wendy’s would be the latest in what has been a string of data breaches at merchants across the country. Other restaurants such as Jimmy Johns and P.F. Chang’s, both in 2014, have reported similar issues.

The Home Depot breach affected 56 million credit and debit cards in 2014; the Target breach affected about 40 million debit and credit cards.

Consumers generally are protected from any losses because of breaches like these, but they will have to go through the hassle of getting a new card and updating accounts where automatic payments are made by credit card.

“It’s unsettling for consumers to not know if their card has been compromised, and under current law retailers do not have to share which cards could have been compromised until their investigation is complete, sometimes taking months,” said Paul Mercer, president of the Ohio Credit Union League.

“Retailers do not face the same strict data security standards that financial institutions are subject to, and major merchant data breaches expose credit unions and other financial institutions to significant monetary costs and reputational risk. Credit unions cover the costs of fraud, blocking transactions, reissuing cards, increasing staffing at call centers and monitoring consumer accounts.”

Banks and credit unions have begun to issue new credit and debit cards containing computer chips — a small metallic square on the front of the card — that make them harder to counterfeit and are supposed to protect against fraud, but the rollout has been slow and some retailers have not installed the equipment in their stores that will read the cards.

In cases where retailers have not deployed the equipment to read the new cards, the retailer absorbs the losses tied to fraudulent transactions.

Via: dispatch