Monthly Archives: June 2016

Google launches Springboard, an AI-powered assistant for its enterprise customers

Google has unwrapped two significant announcements for its enterprise customers, the most notable of which is the rollout of Springboard, a new digital assistant to help enterprise companies that make use of Google’s services for business.

Springboard, which has been in testing with “a small set of customers,” is a little like Google Now for enterprise workers. That’s to say that it offers a single search interface which utilizes artificial intelligence to surface information within a user’s suite of Google products — such as Google Drive, Gmail, Calendar, Google Docs and more. That’s important because, according to Prabhakar Raghavan, VP of Engineering for Google Apps, “the average knowledge worker [currently] spends the equivalent of one full day a week searching for and gathering information.”

Beyond search, Springboard also provides “useful and actionable information and recommendations” to users throughout their work day.

The second side of today’s news is a new design for Google Sites, a product that acts like an information portal for housing internal company information like quarterly reports or newsletters. Now, when designing a Google Site, users have drag-and-drop editing and real-time collaboration, creation features that have become standard in other services like Google Docs and Google Sheets.

Finally, in terms of presentation, Google Sites has been revamped so that the content fits to any kind of screen, be it a smartphone, laptop or 30-inch monitor.

These changes are rolling out to early adopter programs that existing Google Apps for Work customers can join — the Springboard program is here and Google Sites program is here — while the search giant has teased that it has “a lot more in store” for both services.

Via: techcrunch

Apple unbundles its native apps like Mail, Maps, Music and more, puts them in the App Store

Apple has made a big change to its suite of native applications for iOS devices, like Mail, Stocks, Compass, Calculator, Watch, Weather and others: it’s now making these available as standalone downloads in the iTunes App Store. What that means for end users of iOS devices is that the majority of the stock apps that come pre-installed can be removed. This puts users in more control of their devices.

Yes: you can now remove the Stocks app from your iPhone, among others.

Previously, Apple’s apps were only updated when the company issued an iOS update. That slowed Apple’s ability to add new features, fix bugs, address security issues, or make other changes. This has been a massive headache for Apple’s internal development teams.

However, not all of Apple’s apps have been subject to this limitation. The company already made many of its apps available as standalone downloads, including iTunes U, iMovie, the Apple Store app, and those in the iWork suite (Pages, Keynote, Numbers.)

Now it’s adding the following to that list: Podcasts, Maps, Compass, Tips, Calculator, Watch, Voice Memos, Contacts, Stocks, Weather, iCloud Drive, Calendar, Mail, Music, Reminders, Videos, FaceTime, Notes, Find My iPhone, Find My Friends, Music, and its new Home app.

By making these apps available in the App Store, Apple could begin to release updates to the apps at a faster pace, if it chose to do so. However, we understand from sources familiar with the matter that the main reason Apple decided to unbundle apps is so users could delete apps from their devices. Apple at this time doesn’t have plans to update its apps at a faster pace.

Apple quietly published these apps to its iTunes website. Product Hunt spotted the Mail app in iTunes thanks to a tweet from Owen Williams, leading to speculation that Apple’s other apps will be made available through the App Store, as well.

As it turned out, they were.

This news was not announced during the WWDC keynote on Monday morning, nor in Apple’s iOS 10 press release. We’ll know more after the iOS 10 beta is installed.


After installing iOS 10’s first beta build, we found that users are able to remove Maps, Videos, Watch, Reminders, Contacts, Weather, Podcasts, FaceTime, Calculator, iCloud Drive, Voice Memos, Tips, Mail, Compass, Stocks, Calendar, Music, and Find Friends.

Apps that remain include Health, Activity, Clock (why???), News, Find iPhone, Messages, Photos, Wallet, Phone, Camera, Safari and Settings. The Game Center app is not available in this first beta.

Not all the apps have been published to iTunes, but this page on the Apple website shows which will be available on the App Store in the future.

Note: This article was updated with more information as it became available. Originally we stated that the apps being available in iTunes could lead to a faster release schedule. While that’s now technically possible, we understand Apple doesn’t currently intend to speed up the update schedule. We also were able to test app removal on the iOS 10 beta, and updated to note which apps could now be removed.

Via: techcrunch

The circle is complete: Minecraft is getting a deathmatch mode

Minecraft, a game that skyrocketed to unprecedented levels of popularity among all ages because of its open-ended gameplay, infinite worlds, and limitless possibilities for creation and collaboration, is getting an official deathmatch mode.

Is this it? Is this Minecraft’s shark jump (or pig jump, or squid jump) moment? Oh, of course not. But it is a reminder that the gratifyingly long honeymoon period of discovery and scrappy underdog status is long past — Minecraft is no longer a buggy, funky, open secret among gamers and kids and modders — it’s a global platform owned by Microsoft and ripe for banality.

Players in Battle matches use randomly generated resources found in chests placed in specially designed PVP maps and combat one another in a free for all death match until the final victor is determined. The fun’s not all over after you are defeated though, as fallen players can spectate the combat among remaining players in the match by freely flying around each arena as a bat.

Now, to be fair, it’s probably super fun. And mods have existed to make this possible for quite a while now. Combat in Minecraft is just basic and silly enough that these matches are going to be more chaos and nonsense than serious competition. But this approach is so committee-approved! “Minecraft is popular – Call of Duty is popular – how can we combine them?”

PvP maps, randomized loadouts, spectator mode — these aren’t ideas, they’re bullet points. How long before we get in-game currency to buy diamond swords or flying pig mounts? Minecraft throve on the uniqueness of every world and its open-ended gameplay. Shouldn’t it be a priority to maintain that spirit as it expands and adds genres?

Why isn’t there a team battle mode where players have limited time and resources to build a fortress and send armies of creepers and skeletons against one another? Why not see who can delve the deepest and collect the most diamonds and obsidian in a randomly-generated cave system tweaked for maximum danger? Why not have players work together to build a stronghold and score them on defense against waves of Endermen and savage pigs?

Instead, like every other multiplayer game since Spacewar, we get a small stage on which players try to kill each other. Like I said, it’ll probably be fun, but the prognosis is bad for the legacy of creativity Mojang established over the years before being acquired. And I would be remiss if I didn’t ask why this update is for consoles only!

Let’s just hope the same doesn’t happen to Dwarf Fortress.

Via: techcrunch

Apple iOS 10 “Memories” turns old photos into editable mini-movies

Apple is taking on TimeHop, Facebook On This Day and Google Photos Assistant all at once with its new iOS 10 feature Memories that’s a tab inside Photos. Using local, on-device facial recognition and AI detection of what’s in your images, it can combine photos and videos into themed mini-movies complete with transitions and a soundtrack.

The company debuted the new feature onstage at WWDC today alongside iOS 10 and a slew of other announcements.

While TimeHop and On This Day focus on what happened on this specific date and then just lay out the old media, Apple is trying to make something more evergreen and sharable. It can recognize and bundle together photos that feature certain people, or scenes like hiking or the beach.

But at the same time, it’s trading on privacy, highlighting that all the processing happens on your device so your photos or facial recognition data aren’t sent back to Apple’s servers.

The demo of the Memories movies was impressive. The feature automatically cobbled together some photos and video clips into a happy-go-lucky family skiing video. But you can also adjust settings to select different themes like chill, gentle, or uplifting, and a short, medium, or long length. One change to the “epic” theme, and the clip became a Michael Bay-esque action movie trailer.

Apple is hoping to make iOS Photos more than just a generic media management app. If people feel like their old photos and videos become more valuable on iOS, they might be less likely to switch to Android.

Via: techcrunch

Minecraft takes a big step towards becoming a fully cross-platform game

Minecraft, one of the most playable games of all time, is about to become all the more collaborative after it took a major step towards becoming a fully cross-platform title.

Mojang, the company behind the game which Microsoft acquired for $2.5 billion in 2014, took the floor at E3 to announce its first move to unite gamers across different operating systems.

A new update — dubbed “the friendly update” — now enables gamers on mobile (Android, iOS and Gear VR) and Windows 10 to play together through Minecraft Realms, which are essentially private, invite-only worlds for users.

The cross-platform support requires an Xbox Live account, but there won’t be support for the Xbox One console until later this year. (There’s no word on PC or Mac for now.) Prior to this development, gamers could play together only if they were all on mobile (Android or iOS), or on Windows 10, or on Xbox, but no variations of those platforms.

Another important tidbit for Minecraft’s 100 million-plus gamers: Realms can now be accessed even when the host — who pays the $8 monthly subscription fee — isn’t online. That provides more gaming possibilities and options.

While the cross-platform support is partial and it applies to Realms only, it is a telling step towards the Minecraft of the future: players connected across all platforms.

There’s one more thing, something more immediate for the Minecraft faithful, and that’s the introduction of “add-ons”.

Minecraft has thrived with a community of loyalists who have edited the game themselves to create different characters and worlds from the original. With a little new software you can have a Star Wars-themed Minecraft, live in a Frozen world, customize it with security agents, and many other hundreds of alternatives.

Now, Mojang itself is getting into the customization game.

The initial add-ons enable city-style building blocks or plastic blocks, while Mojang showed off some very cool customizations that turn the evil mobs of Minecraft into aliens, complete with a UFO base. The company isn’t saying too much more about add-ons for now, but it did tease that there will be more news in September when it hosts its annual Minecon event.

This week’s news follows a busy slate of Minecraft announcements of late, which have included plans to launch in China, a beta release of Minecraft Education, the use of real-world AI in Minecraft, and more.

Via: techcrunch

Apple announces iOS 10

What a surprise. Apple just unveiled iOS 10 at its annual developer conference. The tenth major iteration of the operating system for iPhones and iPads comes with a bunch of new features, some small and some bigger — Apple is releasing a public beta next month. “It is the biggest iOS release ever for our users,” said Craig Federighi. Here’s what’s new.

Apple redesigned the lock screen with iOS 10. With “Raise to Wake” you can see your lock screen without touching your phone. Your phone wakes up. This move was needed as Touch ID had become so fast with the iPhone 6s that you wouldn’t see your notifications on your lock screen.

Now, you can also preview notifications with 3D touch. You deep press on a notification and it loads a tiny window with your message conversation for example. Third-party apps like Uber can take advantage of that as well. You deep press on the Uber notification and you can see where your car is right now.

On your lock screen, you can swipe right to launch the camera, and swipe left to see your widgets, directly on the lock screen. If you swipe from the top or the bottom, you get the notification center and control center as usual.

The notification center is completely redesigned as well and looks more like the notification screen on your Apple Watch. Control center is now made out of two panes. When you swipe right, you can see another control center with your music player only. And it looks like Apple could expand the control center with more panes in the future.

3D Touch shortcuts on the home screen are much more useful now as apps can put live information directly in the 3D Touch popup. Similarly, you can deep press on a widget in the Today View to see this baby version of your apps.

Siri is also receiving a big upgrade with third-party integrations. Federighi showcased WeChat in Siri. You can ask Siri to send a WeChat, and Siri opens the same kind of tiny version of your app to send a message to the right person. There are many other use cases — calling a ride in Uber or Lyft, starting a workout in Runtastic and Runkeeper, paying back your friends in Number26 or Venmo, calling using Skype or Viber.

Siri suggests answers in Messages now too, like your current location or contact information. And it looks like the keyboard is getting more powerful with multilingual support, finally.

iOS 10 uses deep learning locally on the iPhone to do face recognition. It lets you build albums based on your family members and friends. iOS now also detects objects in your photos, like water, a mountain, etc. You can now search for “mountains” and find all your mountain photos.

It looks like the Photos app is getting a huge upgrade and now looks more like Google Photos. The big difference, obviously, is that Apple handles everything on your device and doesn’t collect data about you. Photos build memories from a vacation together with a good-looking cover photo. You can jump from memory to memory. iOS 10 also puts together videos with a soundtrack. You can make these videos shorter, change the mood, etc. macOS will also get these features in the Photos app.

Maps is also receiving a big update with Proactive suggestions. Maps knows when you’re going to work, for instance, and can suggest that you enter the itinerary to your work. Talking about turn-by-turn directions, Apple has redesigned this screen to make it more useful. Finally, Apple is opening Apple Maps to third-party developers. For instance, Foursquare could build an extension for Apple Maps. Uber could let you book a ride from Uber — all of this without leaving Maps.

Apple Music has been completely redesigned from the ground up. The Connect tab is gone, but Connect is still available. The Now Playing screen is new. It looks more like Rdio to be honest. It seems much less cluttered. When you open up the Music app, you start with your library tab. If you scroll down, you see new music added to your Apple Music account.

In the Now Playing screen, you can scroll down and see the lyrics. At the top of For You, there’s a Discovery Mix. This is like Discover Weekly on Spotify. Then you see the good-old curated playlists, and then Connect. This For You screen still feels very cluttered. The Radio tab features Beats 1, featured shows with on-demand streaming.

HomeKit is receiving a big upgrade as well. With a new Home app, you can control all your connected devices. And if you want, you can add HomeKit devices right in your control center, so you can control your lights from the control center. The Apple TV can serve as a secured point for remote access for your home. The Home app also works on the iPad, which lets you turn an iPad into a control screen for your home.

Let’s talk about the Phone app. iOS 10 will transcribe your voicemail messages. With Phone app extensions, you can use VoIP apps with the native Phone interface. And when someone calls you on Skype, your phone is going to ring just like a normal phone call. Extensions can also flag spam calls. Once again, Apple is adding extensions to one of the core features in iOS.

Finally, Messages is receiving a huge upgrade, starting with rich previews. If you send a YouTube link, you can play the video directly from the Messages app. If you open the camera, Apple now uses a mixed live camera and photo picker screen to save you a step. Emojis are three times bigger and Messages will suggest emojis based on what you type. You can also tap on words to replace them with emojis — Messages highlights words to replace once you launch the emoji keyboard. Now, everyone can become an emoji wizard!

Apple is also adding bubble effects to add more context to your messages. Handwriting bubbles, popping bubbles, tiny bubbles, etc. And if that’s not enough, you can add feedback to individual messages — like emojis in Slack. And you can send full screen effects, like a firework that fills up the entire screen. This feels like too much. Messages is trying to be Snapchat and Messenger at the same time, adding too many options for text messaging.

But that’s not all for Messages. Apple is also adding Messages apps. Third-party developers can build extensions for Messages, much like extensions for Facebook Messenger. For instance, an app can let you add stickers to photos, order food directly from Messages, etc.

There are many other little features that Apple didn’t mention during the presentation. iOS 10 is now available for developers. The public beta starts next month, and the company is expected to release iOS 10 in September.

Via: techcrunch

Visa moves to streamline chip-card processing certifications

After retailer complaints and lawsuits, Visa confronts ‘nasty situation.’

After months of frustrating delays for U.S. merchants that have been required to roll out payment systems that can accept new, more secure computer chip credit and debit cards, Visa has announced a series of remedies.

The steps include streamlining Visa’s testing requirements and simplifying the terminal certification process. Visa said it would also add resources and technical expertise to cut deployment times in half.

Many retailers complained that it has taken several months to get a sign-off from banks, card companies and their processing partners that the new equipment they have installed is ready to be used. The certifications apply not only to the terminals in stores but also to the back-end systems used to authorize and certify payments.

Visa conceded in a statement from a spokeswoman that even though the conversion from magnetic stripe cards to chip cards has progressed since last year, “some merchants have reported delays in getting chip-enabled point-of-sale solutions through the testing process.”

The solutions were mildly welcomed by retailers and analysts, but were seen as too little too late.

“These delays have been a major concern of retailers and they are the cause of significant unwarranted costs,” said Mallory Duncan, general counsel of the National Retail Federation, which represents 18,000 U.S. retailers, including some major chains. “This Visa news is good to hear, but for many of our members it is too little, too late.”

Duncan said it is uncertain whether other card companies and banks will embrace Visa’s approach. “It’s a nasty situation now, and others in the industry are saying Main Street merchants are facing their demise as a consequence of the way the [card] networks and banks have handled” the chip card conversion.

Duncan said retailers have been held hostage by a liability shift imposed by banks last October that required them to update their terminals and systems to support chip cards or the stores would bear the cost of fraudulent purchases. Since October, many retailers have seen big increases in the “chargebacks” they owe to banks for fraudulent purchases, even as they wait for certifications of equipment they have installed.

Major retailers like Walmart prepared their in-store systems for chip cards well in advance of the liability shift, but many mid-size and smaller retailers faced a backlog in testing and certifications.

The result has been that many shoppers don’t know how to pay for purchases at various retailers, either relying on the older magnetic stripe card or the chip card. Further complicating matters is whether retailers require customers to use a PIN or a signature to authorize a payment.

“The biggest consumer issue today is the inconsistency of the checkout experience,” said Jordan McKee, an analyst at 451 Research. “Shoppers are simply unsure if they should be swiping or dipping their card from merchant to merchant. It’s a terrible experience and one that is causing widespread frustration and confusion.”

Visa’s moves should help in making progress toward the newer terminals, McKee said. But “Visa’s announcement begs the question, why wasn’t this done from the start?”

MasterCard and other card companies did not immediately respond to a request for comment on Visa’s moves. McKee said he expects other players in the payment ecosystem will begin to “extend olive branches to merchants.”

Visa included in its remedies on Thursday a change to its chargeback policies. Visa said it would block counterfeit fraud chargebacks under $25, since these smaller chargebacks “generate a great deal of work and expense for merchants.”

In addition, banks will be limited to charging back 10 fraudulent transactions per customer account and will assume liability for fraudulent transactions thereafter. These changes take effect July 22 and will remain in effect until April 2018.

Duncan said the new limits on chargebacks will be small, however. “The new limits are so high as to have a marginal effect,” he said. “If you say not more than 10 chargebacks can occur from one customer account, that is still a huge hit on a merchant.”

In the past, even two chargebacks per account would have been the normal, accepted limit, but if a single chargeback averages $100, that could reach $1,000 per customer, Duncan noted.

Some retailers seemed surprised by Visa’s announcement, and it wasn’t clear what precipitated it since retailers have been complaining of certification delays since at least last September.

McKee said that recent chip card lawsuits filed by Walmart and Home Depot may have played a role in Visa’s timing and “have shown the industry that retailers are not taking this chip-card transition lightly.” While the lawsuits are not directly related to certification delays, they have bearing, McKee said.

Walmart sued Visa in New York State Supreme Court on May 10 for not requiring shoppers to type in a PIN when using a chip-ready debit card.

In a separate lawsuit filed June 13 in U.S. District Court in Atlanta, Home Depot also raised the PIN issue against both Visa and MasterCard.

As recently as April, the EMV Migration Forum, which represents 170 banks, merchants and card companies, said the chip-card conversion process was causing consumer confusion and delays at checkouts.

Randy Vanderhoof, director of the forum, said Visa was “showing some flexibility” in addressing delays in merchant chip-card migrations. “This will provide some welcome relief to merchants struggling with the costs of migration in terms of both equipment and certification as well as dealing with chargebacks.”

In a statement, Visa called the U.S. migration to chip technology “a significant undertaking” but said 300 million chip cards are in the market with 1.2 million merchant locations accepting the cards. An average of 23,000 new merchant locations are chip-ready each week, Visa said.

There are about 12 million payment terminals in the U.S., and the EMV Migration Forum recently said up to 7 million have chip-enabled terminals in place, with only 1.2 million of those terminals certified for accepting chip cards.

Via: computerworld

How Microsoft will put LinkedIn to work in Office

There are a number of ways that Microsoft plans to take advantage of its $26.2 billion LinkedIn acquisition, ranging from data-gathering to getting a foothold in social to plans for re-imagining the recruitment and talent management businesses and more. But one of the more straightforward integration opportunities between the two companies is LinkedIn’s integration with Microsoft Office.

In its presentation, Microsoft explained how it could use LinkedIn’s data in familiar programs, like Outlook, Skype, or Office applications like Word, Excel and PowerPoint, for example.

The company says that today, there’s not a single source for data on individual professionals — it’s scattered around and often out-of-date.

By integrating professional profile data into Office 365, email and other communication apps, users would be more inclined to keep that information up-to-date as it would be more visible to friends, colleagues and others. And on the flip side, these integrations would make that data more easily accessible to anyone who wanted to know more about a professional’s background or experience.

LinkedIn has a sizable network of over 433 million users, but Office’s footprint is much bigger. Microsoft says there are more than 1.2 billion Office users today. LinkedIn becoming a part of Office would massively increase its data’s visibility.

Of course, LinkedIn itself once had the idea that its data could be valuable to email users and help enhance productivity. In 2012, it bought the Gmail plugin Rapportive for $15 million, which allowed Gmail users to access a sidebar that would show the profile and other social networking updates for the person you’re corresponding with. Unfortunately, the company soon squandered customers’ love for that product, by ripping out functionality that made the service useful and popular in the first place, including its integrations with other social networks.

Another issue with Rapportive as well as its newer competitors that stepped in to fill the void is that it’s something of a hack. You’re installing an extension into your web browser that changes what your Gmail inbox looks like and what information it displays when loaded in tab. That’s a “geekier” solution than much of the mainstream is interested in, and doesn’t address the fact that many users today get their email by way of mobile phones, not just desktop web interfaces.

But with LinkedIn becoming a part of Microsoft, that profile data can become natively integrated into Microsoft’s Office products and other communications apps. Those apps could then share their data back with LinkedIn, too.

As Microsoft CEO Satya Nadella explained in an email to employees, by integrating LinkedIn’s network in Office 365 and Dynamics, the company will be able to enable new experiences like “a LinkedIn newsfeed that serves up articles based on the project you are working on and Office suggesting an expert to connect with via LinkedIn to help with a task you’re trying to complete.”

In other words, LinkedIn’s newsfeed, which today is still a hit-or-miss experience, can become highly personalized as it will know what you’re currently working on, including what meetings you have planned and what projects are underway, Microsoft’s presentation indicates.

And as you head into those meetings, Microsoft’s digital assistant Cortana will be able to quickly give you background on who you’re about to sit down with, as she’ll have their LinkedIn resumes on file.

This, Nadella says, will increase user engagement and the company’s subscription business, and open the door for targeted advertising.

It’s both clever and creepy to think about your work projects and meetings becoming fodder for ad targeting in the future. Hopefully there will be some opt-out mechanisms that respect user and data privacy. (Knowing how employees spend their time and who they work with, will also help to inform LinkedIn’s recruiting products.)

Finally, Microsoft says that LinkedIn Learning (based on LinkedIn’s acquisition of last year for $1.5 billion), will also be integrated into Office. That means users who want to learn how to perform advanced tasks could sign up for courses without having to leave Office and hunt around the web for an e-learning course – it could be smartly suggested right inside their document as part of the “help” information.

Though outside of Office, Microsoft Dynamics CRM will also play a large role, as it’s integrated with LinkedIn’s Sales Navigator.

“Over the past decade we have moved Office from a set of productivity tools to a cloud service across any platform and device. This deal is the next step forward for Office 365 and Dynamics as they connect to the world’s largest and most valuable professional network,” Nadella says.

Via: techcrunch

411 Million Photos Available to FBI via Facial Recognition System

The FBI can draw on upwards of 411 million photos as part of a facial recognition system to identify potential criminal suspects.

The Government Accountability Office (GAO) explains in a report (PDF) that a facial recognition service, which is known as the Next Generation Identification-Interstate Photo System (NGI-IPS), became fully operational in April 2015 after three years of testing.

Law enforcement can use the service to search a database of 30 million photos to support criminal investigations, such as by allowing police officers to submit a photo from a surveillance tape. The service will then return a list of between two and 50 possible matching candidate photos depending on the user’s specifications.

The report also states the FBI operates Facial Analysis, Comparison and Evaluation (FACE), an internal unit which can access NGI-IPS and other databases owned by the Department of Defense, the Department of State, and 16 individual states for facial recognition purposes.

A total of 411 million photos are available to FACE through third-party databases.

Between August 2011 and December 2015, FACE placed 214,920 face recognition search requests. 118,490 of those were processed by the NGI-IPS.

In its report, the GAO raises several concerns with the FBI’s system. It notes that many of the third-party sources on which the Bureau relies for its searches have never been audited, an oversight which could lead to a scenario where “potentially innocent individuals identified could be brought in for questioning.”

The GAO also accuses the FBI of failing to update its privacy report until four years after the program expanded and of failing to test the detection rate for smaller candidate sizes.

Per the report:

“Although the FBI has tested the detection rate for a candidate list of 50 photos, NGI-IPS users are able to request smaller candidate lists — specifically between 2 and 50 photos. FBI officials stated that they do not know, and have not tested, the detection rate for other candidate list sizes. According to these officials, a smaller candidate list would likely lower the detection rate because a smaller candidate list may not contain a likely match that would be present in a larger candidate list. According to a Texas Department of Safety official responsible for coordinating with the FBI on the state’s NGI-IPS searches, Texas law enforcement officials request different candidate list sizes when submitting search requests, sometimes less than 50 photos. According to the FBI Information Technology Life Cycle Management Directive, testing needs to confirm the system meets all user requirements. Because the accuracy of NGI-IPS’s face recognition searches when returning fewer than 50 photos in a candidate list is unknown, the FBI is limited in understanding whether the results are accurate enough to meet NGI-IPS users’ needs.”

The GAO has asked the FBI to conduct tests on the service to determine its accuracy, hold annual reviews of the NGI service, and audit each database used by the FACE system.

News of this facial recognition system follows on the heels of the discovery that the FBI was collaborating with scientists at NIST to develop functional tattoo recognition technology.

Via: tripwire

Keep your critical systems safe

Critical infrastructure runs your organization. It creates and delivers products and services. It is also used to collect and process customer information during operations. If these systems are compromised, operations fail and revenue is at risk.

Much appears in blogs, articles, and news reports about the security challenges facing critical infrastructure. Critical infrastructure is usually defined as energy and water processing and delivery systems. It goes beyond this, however, and is not government’s responsibility in most cases.

In this article, we define critical infrastructure in terms of what systems are required for the continued operation of a business. Our definition also includes high-risk processes involving intellectual property or customer identities. Examples include payment card processing systems, patient health delivery systems (such as operating room equipment), systems on the manufacturing floor, and supply chain distribution systems.

Also in this category are control systems used by your vendors to manage HVAC and other facility management services. Most organizations have not yet taken appropriate steps to protect critical infrastructure, including segmentation, protection, and detection controls.

The challenges

Figure A displays a flat network with both administrative and critical infrastructures on the same network. No separation exists between critical systems and admin systems. Information flows to and from critical systems with little or no control. Finally, users of critical systems have access to the Internet and remote attackers can potentially see these systems during scanning and enumeration steps.

Figure A: Flat Network

The Solutions


Let’s start with fixing one of the biggest risks in our Figure A sample organization. The network is not segmented. Ask Target how this worked for them. They will tell you they wish they had segmented their production network from their vendor support network.

Segmentation is also important for any business accepting payment cards for products and services. PCI DSS stipulates that payment card processing should be separate from Internet access and from networks where Internet access is allowed. The PCI Council also advises placing payment card systems on their own isolated segment to streamline compliance assessments.

Finally, no manufacturing or other critical operations management systems should be part of the administrative network. If this is not possible, these management systems should at least be blocked from Internet access.

Figure B depicts a segmented network. A layer 3 core switch separates the admin (highlighted in yellow) and critical systems (highlighted in red) into two VLANs. A VLAN access control list prevents traffic from flowing to the critical systems from the admin VLAN. Further, Internet access is only allowed for admin VLAN systems. Internet access is blocked for critical system users. No critical system user should be able to use the Internet… period.

Figure B: VLAN Segmentation

In addition to blocking Internet traffic, all information created on the critical system VLAN is pushed to explicitly allowed business management systems. No traffic is allowed to pass the other way.
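The flow rules described for Figure B can be written down as probes and checked against an access list before it is deployed. The following is an added example, not part of the original article; the addresses, host names, and ACL entries are constructed, and each probe models who may initiate a connection.

```python
import ipaddress

# Constructed addressing plan (assumption; the article gives no addresses).
ADMIN_HOST = "10.10.0.20"       # ordinary admin VLAN workstation
SINK_HOST = "10.10.0.50"        # explicitly allowed business management system
CRITICAL_HOST = "10.20.0.5"     # system on the critical VLAN
INTERNET_HOST = "203.0.113.10"  # documentation address standing in for the Internet

# Policy from the article as connection-initiation probes: (src, dst, expected).
POLICY = [
    (ADMIN_HOST, CRITICAL_HOST, "deny"),     # admin VLAN must not reach critical systems
    (SINK_HOST, CRITICAL_HOST, "deny"),      # nothing passes back the other way
    (CRITICAL_HOST, INTERNET_HOST, "deny"),  # no Internet for critical systems
    (CRITICAL_HOST, ADMIN_HOST, "deny"),     # only explicitly allowed systems receive data
    (CRITICAL_HOST, SINK_HOST, "permit"),    # critical data is pushed to the allowed system
    (ADMIN_HOST, INTERNET_HOST, "permit"),   # admin VLAN keeps Internet access
]

def decide(acl, src, dst):
    """Return the action of the first rule matching src -> dst (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def audit(acl):
    """List every policy probe whose ACL decision differs from the expected one."""
    return [(src, dst, want) for src, dst, want in POLICY
            if decide(acl, src, dst) != want]

# Constructed ACLs, first match wins: (action, source network, destination network).
FLAT_ACL = [("permit", "0.0.0.0/0", "0.0.0.0/0")]  # Figure A: no separation at all
SEGMENTED_ACL = [
    ("permit", "10.20.0.0/24", "10.10.0.50/32"),  # critical -> allowed system only
    ("deny",   "10.20.0.0/24", "0.0.0.0/0"),      # critical -> anything else, incl. Internet
    ("deny",   "0.0.0.0/0",    "10.20.0.0/24"),   # nothing initiates into the critical VLAN
    ("permit", "10.10.0.0/24", "0.0.0.0/0"),      # admin VLAN -> Internet
]

if __name__ == "__main__":
    for name, acl in (("flat", FLAT_ACL), ("segmented", SEGMENTED_ACL)):
        print(name, audit(acl) or "policy holds")
```

The flat rule set fails all four deny probes, while the segmented one satisfies every probe. Rule order matters: moving the admin permit to the top would not break these probes, but moving the critical-to-anything deny above the first permit would block the reporting flow.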

Air gaps are sometimes used to achieve this separation, but air gaps are not appropriate in many cases. For example, payment card or manufacturing systems must report information to admin systems. This requires movement of large amounts of information. Use of mobile storage for this, as we see next, is a security issue all by itself.

Mobile Storage Restrictions

As always, security must be applied to harden the critical systems. We start by disallowing use of mobile storage, as shown in Figure C. These devices are commonly used to trick a user into installing malware or to access devices once the attacker gains physical access.

Figure C: Mobile Storage

Under no circumstances should we allow use of mobile storage on critical systems for anything other than system maintenance. This includes shutting down the use of CD/DVD drives. Both are possible via GPO settings and the use of third-party security apps.

Logical and Administrative Controls

Although not shown in Figure D, system hardening via software configuration begins by shutting down unused ports and services as well as removing all applications not needed for day-to-day operations management.

Figure D: Endpoint Security Layers

In addition to disabling mobile storage, we also block users from installing or running unapproved applications. This is easily done on Windows systems with AppLocker or software restriction policies. In either case, we only allow installation and execution of whitelisted applications. We also remove the ability of any non-administrator account to install applications on the critical management user devices.

We allow no one to operate critical systems with unrestricted user accounts. Enforcement of least privilege is always important. This is enforceable with authentication and authorization processes. AppLocker rules can also be applied by user or group to work toward role-based access control.
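A whitelist only protects a critical system if its rules are enforced and no rule quietly allows everything. The following added example (not from the original article) audits an AppLocker policy in its XML export layout for those two failure modes; both sample policies and the `path_rule` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ADMINS_SID = "S-1-5-32-544"   # BUILTIN\Administrators (well-known SID)
REQUIRED = ("Exe", "Msi")     # execution and installation must both be enforced

def audit_policy(xml_text):
    """Return findings that defeat allowlisting in an AppLocker policy export."""
    root = ET.fromstring(xml_text)
    findings = []
    modes = {rc.get("Type"): rc.get("EnforcementMode")
             for rc in root.iter("RuleCollection")}
    for kind in REQUIRED:
        if modes.get(kind) != "Enabled":  # missing, NotConfigured or AuditOnly
            findings.append(f"{kind}: not enforced (mode={modes.get(kind)})")
    for rc in root.iter("RuleCollection"):
        for rule in rc.iter("FilePathRule"):
            paths = [c.get("Path") for c in rule.iter("FilePathCondition")]
            sid = rule.get("UserOrGroupSid")
            if rule.get("Action") == "Allow" and sid != ADMINS_SID and "*" in paths:
                findings.append(f"{rc.get('Type')}: rule '{rule.get('Name')}' "
                                f"allows every path for {sid}")
    return findings

def path_rule(name, sid, path):
    """Build one constructed FilePathRule element (Id is a placeholder GUID)."""
    return (f'<FilePathRule Id="00000000-0000-0000-0000-000000000000" Name="{name}" '
            f'Description="" UserOrGroupSid="{sid}" Action="Allow"><Conditions>'
            f'<FilePathCondition Path="{path}"/></Conditions></FilePathRule>')

# Constructed policies; S-1-1-0 is the well-known Everyone SID.
WEAK_POLICY = (
    '<AppLockerPolicy Version="1"><RuleCollection Type="Exe" EnforcementMode="AuditOnly">'
    + path_rule("Allow everything", "S-1-1-0", "*")
    + '</RuleCollection></AppLockerPolicy>')
HARDENED_POLICY = (
    '<AppLockerPolicy Version="1"><RuleCollection Type="Exe" EnforcementMode="Enabled">'
    + path_rule("Program Files", "S-1-1-0", r"%PROGRAMFILES%\*")
    + path_rule("Admins, all files", ADMINS_SID, "*")
    + '</RuleCollection><RuleCollection Type="Msi" EnforcementMode="Enabled">'
    + path_rule("Windows Installer cache", "S-1-1-0", r"%WINDIR%\Installer\*")
    + '</RuleCollection></AppLockerPolicy>')

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy) or "no findings")
```

The weak policy yields three findings: Exe rules are audit-only, there is no Msi collection at all, and one rule allows every path for Everyone. The hardened policy scopes the unrestricted rule to the Administrators group and returns none.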

Next, the old standbys of antimalware, firewall, and host-based IPS fill the remaining prevention gaps. They also begin the threat analysis process. Threat analysis involves log aggregation, correlation, and threat intelligence. It requires us to look for the inevitable breach and manage it quickly.

Finally, patch, patch, patch… and patch.

The Final Word

Most of the controls listed in this article have been best practices for years, and many organizations use them. However, project-specific risk assessments might miss or ignore the dangers when placing critical systems on existing network segments. Configuration documentation specific to critical systems might not exist, resulting in use of common business device build documentation. Further, policies addressing critical systems are often missing from the security program. Secure configuration and management of critical systems requires relevant policies, procedures dedicated to building and managing critical systems, and a trained IT staff.

Via: csoonline