Monthly Archives: May 2017

What is an online troll?

You’ve probably heard about online trolls – but what are they? And what do you need to know about them?

Digital bullies

Online trolls are most similar to the playground bullies you would have encountered at school. These people deliberately provoke arguments and fights on social media and forums, often by saying the most grossly insensitive and offensive things.

Often these people are perfectly normal and polite when met “in real life”; but when protected by the anonymity of the Internet, they can be incredibly aggressive. Often they will make sexist, racist or homophobic jokes to stir up an argument.

Sometimes online trolls will target specific people, like the family of Madeleine McCann, making unfounded (and untrue) accusations of murder, abuse and other crimes. Others will seek to humiliate their victims, tricking them into sharing sensitive personal information that they then publish online.

How to deal with online trolls

The goal of a troll is to engage their victims in an online argument – so the most effective way to deal with them is to ignore them. This may be harder than it sounds, particularly when someone has said something to make you angry.

Rather than engaging, your best bet is to simply block the troll to prevent them seeing or commenting on your posts. Use the links below to learn how to block someone:

Some people try to communicate directly with their trolls, hoping that they can talk their way out of trouble. Unfortunately these people cannot usually be reasoned with – they are looking to start a fight after all. In the long term, it is far easier (and more effective) to simply block the troll and move on with your life.

If you do continue to interact with trolls, there are a few ways to keep yourself a little safer:

Never, ever share personal information

The troll probably already has some of your background information, but giving them any more is providing them with ammunition to attack you with. They may use those details to blackmail you, or to humiliate you in public.

Never accept files from people you don’t know

Some trolls try to infect their victims’ computers with malware that lets them steal personal data. Never open email attachments or files sent over social media by people you don’t know or weren’t expecting, or you may end up installing malware.

You should also ensure that you have a comprehensive anti-malware application installed on your PC and smartphone to stop anything sneaking through your defences.

Report crimes to the relevant authorities

If you block someone on a social media platform for trolling, you should also report them to the site’s moderators. Hopefully your report will see the troll banned, protecting other people from becoming a victim too.

Where the troll has made threats to kill, or physically harm you, the incident should be reported to your local police using their non-emergency contact number.

 

via:   pandasecurity

Hulu’s new Live TV app hits the app stores

The new app for Hulu’s just-announced live TV service has now hit the app stores. Instead of offering the ability to upgrade to the live TV offering within Hulu’s existing app, the company has instead rolled out a new app, called “Hulu with Live TV.” The app features Hulu’s revamped user interface which is arriving alongside the launch of the live TV service, which could be partly why the company made the decision to release it as a separate product. However, not all Hulu users will be able to experience the new interface at this time, the company says.

The new Hulu app is available on the iOS App Store and on Google Play. On iOS it is a second, separate app; on Android the existing app has been updated to the new interface.

While all subscribers to live TV will automatically get the new interface, it hasn’t made its way over to all those who haven’t upgraded. Meanwhile, the new interface will also roll out through the existing Hulu app on Xbox One, Apple TV (4th gen.), and Android mobile devices. (Hulu Live TV will also work with Chromecast.)

If you download the new live TV app, you can delete your old Hulu app as all the on-demand programming will be available in Hulu with Live TV.

The upgraded user interface was specifically designed to combine Hulu’s existing on-demand library and its new live TV content under one roof, blurring the distinction between what’s on now and what’s available to watch at any time.

The new Live TV app offers a number of personalization tools, including the ability to set up your own user profile, then pick your favorite TV shows, movies and even news channels. And the more you watch, the more Hulu will tailor its recommendations to your interests, the company claims.

In addition, sports fans will be able to track their favorite pro and college teams from leagues including NFL, NBA, NCAA, MLB, MLS, and NHL in Hulu’s new app, and then choose to record those games live, if they’re in a market where the game is streaming. This is a different way of thinking about TV – instead of having to know the channel to tune into to watch, you just follow your favorites.

The Kids mode will also carry over to the new app, which is where parents will find a curated selection of Hulu’s kid-friendly programming. In this mode, the ability to search or browse the other Hulu content is blocked.

 

As an existing Hulu on-demand subscriber, you’re walked through a new onboarding experience after launching the Live TV app which offers the option to import your WatchList and then prompts you to tell Hulu more about your interests – like Sci-Fi, British Comedy, Crime & Justice, Late Night, Documentaries, Action & Adventure, Nostalgic Romance, News & Headlines, Celeb Reality, and more.

The app then asks you to add specific movies and TV shows to its “My Stuff” section before completing the setup process.

The new Hulu with Live TV app is available now on iOS and Android, in their respective app stores.


via:  techcrunch

How Penetration Tests Protect Your Retail Business

Retail arguably processes more financial transactions than any other industry, and it also accounts for 8% of all data breaches. Working in, or buying from, such a risk-dense environment can feel nerve-racking. But with the right security measures in place, and an awareness of others’ breaches and of current best practice, you can breathe a little easier.

In general, new vulnerabilities are being found faster than they are being remediated. So what are you doing to protect your business and customers? Encouraging customers to pay in cash each time they enter your store is not the way to secure your business. Every organization subject to PCI DSS is required to penetration-test its systems at least once a year. This is an industry mandate, but it is also a sound discipline that holds companies accountable for their security practices: a penetration test identifies the ways in which an attacker could exploit your network before an attacker actually does.

Why You Have to Pen-Test Your Environment

Requirement 11 of PCI DSS states plainly that every entity must regularly test its security systems and processes. Attackers are constantly discovering the vulnerabilities in your network, so consistently testing your security controls matters more than ever in this changing landscape. Let’s look a little more closely at the PCI DSS requirements that concern penetration testing by focusing on two sub-requirements.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. ASVs are not required to perform internal scans.

Beyond the penetration test itself, vulnerability scans of both your internal environment and your external-facing networks must be run not just once, but at least quarterly. At first this may seem a nuisance, since it is a task that recurs throughout the year. That feeling should be fleeting: knowing your security posture consistently across the year gives far more peace of mind than a single annual snapshot. Vulnerability scans not only help you identify and prioritize the risks in your network, they are also a measuring stick for showing your board or executive team the progress and value of your security team.

11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification, including network-layer and application-layer penetration tests.

An annual test is easy to schedule. What is harder is remembering to test again after every significant change (and after any incident), instead of assuming you are untouchable. Penetration testing lets you mimic an attack by a bad actor in a controlled way, producing insight for your organization instead of damage. Your vulnerability scans show you which vulnerabilities exist in your network and, ideally, which ones your team should patch first; penetration testing then checks whether those vulnerabilities are actually exploitable and whether a patch or mitigation really closed them. By attempting to exploit the weak spots safely, just as a bad actor would, you evaluate how your network holds up in practice.

How Pen-Testing Protects You and Your Customers

Pen-testing gives you a clearer picture of what your environment looks like and how to remediate your vulnerabilities strategically. The goal is to get, or stay, ahead of bad actors by thinking like them. Routinely evaluating the security of your IT infrastructure with vulnerability scans and penetration tests keeps you aware of how well your environment is holding up against current threats.

Ensuring your network is protected also helps you in the long term. Doing your due diligence by pen-testing your organization allows you to meet the PCI DSS requirements and avoid fines. If your organization were breached, you could also face downtime while your team works to remediate the situation, and in the worst case you would be dealing with lasting damage to how others perceive your business. Penetration testing can head these issues off by showing your team where to patch and how serious each vulnerability would be if it were exploited.

If you skip your pen-tests, or fail to act on what they uncover in a timely fashion, you could be in more trouble than you thought. Yes, we encourage you to pen-test to meet regulatory mandates, but also to use it as a means to protect yourself, your vendors and your customers.

 

via:  coresecurity

Warning! Don’t Click that Google Docs Link You Just Received in Your Email

Did someone just share a random Google Doc with you?

First of all: do not click on that Google Doc link you might have just received in your email. Delete it immediately, even if it is from someone you know.

I, my colleagues at The Hacker News, and even people all around the Internet, especially journalists, are receiving a very convincing OAuth phishing email, which says that the person [sender] “has shared a document on Google Docs with you.”

Once you click the link, you are redirected to a page which says that “Google Docs” would like to read, send and delete emails, as well as access your contacts, and asks for your permission to “allow” access.

If you allow that access, the attackers immediately gain permission to manage your Gmail account, with access to all your emails and contacts, without ever needing your Gmail password.

But how? The “Google Docs” app that requests these permissions is not Google’s. It is a fake, malicious OAuth application created and controlled by the attacker, which merely reuses the name.

You should know that real Google Docs invitation links simply open the document; they never ask you to grant an application access to your Gmail account.
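Added example, not code from The Hacker News: a small Python checker that tells a genuine docs.google.com document link apart from an OAuth consent request at Google’s accounts.google.com authorization endpoint, lists the scopes the request asks for, and flags the mailbox-plus-contacts combination that let this campaign spread itself. The scope strings are Google’s real ones; the sample URL, its client_id and its redirect_uri are constructed placeholders, not the real campaign’s values.

```python
"""Tell a genuine Google Docs share link apart from an OAuth consent request,
and rate the permissions a consent request asks for (added illustration)."""
from urllib.parse import urlparse, parse_qs

# Google's OAuth 2.0 authorization endpoint (real host and path prefix).
CONSENT_HOST = "accounts.google.com"
CONSENT_PATH_PREFIX = "/o/oauth2/"

# Real Google scope strings and what granting each one hands to the app.
MAILBOX_SCOPES = {
    "https://mail.google.com/": "full mailbox control (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.modify": "read, send and organise mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as you",
}
CONTACT_SCOPES = {
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

# Constructed sample of the kind of link the campaign used: client_id and
# redirect_uri are placeholders, not the real attacker's values.
SAMPLE_PHISH_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https://example.invalid/callback"
    "&response_type=code"
    "&scope=https://mail.google.com/+https://www.googleapis.com/auth/contacts"
)
SAMPLE_DOC_URL = "https://docs.google.com/document/d/abc123/edit"  # constructed


def link_kind(url):
    """'document' for a docs.google.com document link, 'consent' for an OAuth
    authorization request carrying a scope parameter, otherwise 'other'."""
    p = urlparse(url)
    if p.hostname == "docs.google.com" and p.path.startswith("/document/"):
        return "document"
    if (p.hostname == CONSENT_HOST and p.path.startswith(CONSENT_PATH_PREFIX)
            and "scope" in parse_qs(p.query)):
        return "consent"
    return "other"


def assess_link(url):
    """Return {'kind', 'scopes', 'findings'}; findings are human-readable warnings."""
    kind = link_kind(url)
    if kind != "consent":
        return {"kind": kind, "scopes": [], "findings": []}
    q = parse_qs(urlparse(url).query)
    # scope is one space-separated string; parse_qs already turned '+' into ' '
    scopes = [s for raw in q.get("scope", []) for s in raw.split()]
    findings = []
    mail = [s for s in scopes if s in MAILBOX_SCOPES]
    contacts = [s for s in scopes if s in CONTACT_SCOPES]
    for s in mail:
        findings.append(f"mailbox scope {s}: {MAILBOX_SCOPES[s]}")
    for s in contacts:
        findings.append(f"contacts scope {s}: {CONTACT_SCOPES[s]}")
    if mail and contacts:
        findings.append("WORMABLE: app could read your address book and send "
                        "mail as you to everyone in it")
    # A consent screen for a Google-owned product never needs to hand the
    # authorization code to a third-party host.
    redirect_host = urlparse(q.get("redirect_uri", [""])[0]).hostname or ""
    if (redirect_host and redirect_host != "google.com"
            and not redirect_host.endswith(".google.com")):
        findings.append(f"redirect_uri leaves Google: {redirect_host}")
    return {"kind": kind, "scopes": scopes, "findings": findings}


if __name__ == "__main__":
    for url in (SAMPLE_DOC_URL, SAMPLE_PHISH_URL):
        print(url.split("?")[0], "->", assess_link(url))
```

The heuristic is deliberately simple: a share link opens a document and asks for nothing, whereas a consent request names a client_id, a redirect_uri and a scope list, and it is the combination of a full-mailbox scope with a contacts scope that turns a single click into a self-propagating worm.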

Anything Linked to Compromised Gmail Accounts is at Risk

Once the app controlled by the attacker receives permission to manage your email, it automatically sends the same Google Docs phishing email to everyone in your contact list, on your behalf.

Since personal and business email accounts are commonly used as the recovery email for many other online accounts, the attackers could potentially take control of those accounts too, including Apple, Facebook and Twitter.

In short, anything linked to a compromised Gmail account is potentially at risk. Two-factor authentication does not help here either: the attacker never signs in with your password, but holds an OAuth token you granted, and that token is honoured without a second factor until it is revoked.

 
Meanwhile, Google has also started blacklisting the malicious apps being used in the active phishing campaign.

“We are investigating a phishing email that appears as Google Docs. We encourage you to not click through & report as phishing within Gmail,” Google tweeted.

This Google Docs phishing scheme is spreading incredibly quickly, hitting employees at multiple organizations and media outlets that use Google for email, as well as thousands of individual Gmail users who are reporting the same scam at the same time.

 
If you have already clicked the phishing link and granted permissions, you can revoke the fraudulent “Google Docs” app’s access from your Google account. Here is how:

  1. Go to your Gmail accounts permissions settings at https://myaccount.google.com and Sign-in.
  2. Go to Security and Connected Apps.
  3. Search for “Google Docs” from the list of connected apps and Remove it. It’s not the real Google Docs.


Update: Google Docs Phishing Scam Hits Nearly One Million Users

Google said that the Google Docs phishing campaign affected “fewer than 0.1%” of Gmail users, which means nearly one million people were affected by it, handing over their email access to attackers.

 

via:  thehackernews

4 critical security challenges facing IoT

Security and privacy are critical issues facing the development of the internet of things. These 4 challenges are key to making IoT safer.

The internet of things (IoT) has finally arrived in 2017, and companies like Google and Amazon are racing to become the hub of this revolutionary concept. Over the years there have been multiple predictions that there will be at least tens of billions of connected devices by 2020, and even objects as mundane as baby monitors or tires could become part of this interconnected world.

But every device that is connected adds to the privacy and security concerns surrounding the Internet of Things. These concerns range from hackers stealing our data, or even threatening our lives, to how easily corporations can uncover private data we carelessly give them. The IoT’s progress will not be stopped anytime soon, so here are some of the biggest issues that consumers and businesses need to consider before using these connected devices.

More devices, more problems

The fundamental security weakness of the Internet of Things is that it increases the number of devices behind your network’s firewall. Ten years ago, most of us had to only worry about protecting our computers. Five years ago, we had to worry about protecting our smartphones as well. Now we have to worry about protecting our car, our home appliances, our wearables, and many other IoT devices.

Because so many devices can be hacked, hackers can accomplish more. You may have heard how hackers could remotely take control of a car and accelerate or brake it. But hackers could also use seemingly unimportant devices like a baby monitor or a thermostat to uncover private information, or simply to ruin your day. The point is that we have to think about what a hacker could do with a device if they can break through its security.

Updates, updates, updates

As the Internet of Things becomes reality, we have to worry about protecting more devices. But even if you start taking security seriously, the tech companies which make these new devices are too cavalier about the risks. And one problem is that companies do not update their devices enough or at all. This means that an IoT device which was safe when you first bought it can become unsafe as hackers discover new vulnerabilities.

Computers used to have this problem, but automatic and easier updates have helped alleviate this problem. But as CSO points out, companies pressured to get their devices out quickly end up compromising on security. Even if they may offer firmware upgrades for a time, they often stop when they focus on constructing the next device, leaving customers with slightly outdated hardware that can become a security risk.

Protecting your data from corporations

Hackers are scary, but they are far from the only threat to the Internet of Things. The corporations that create and distribute interconnected devices could also use those devices to obtain personal data, which becomes especially sensitive when the device is used for payments.

For example, consider how BP and other companies are distributing Fitbits to their employees so that they can track their health and thus get lower health insurance premiums. Even if we ignore the worrying idea of workers’ health being monitored by corporations around the clock, there is the question of what corporations can do with the data they have gathered. Some companies like RadioShack have attempted to send or even sell gathered data to other companies, which raises issues regarding our individual privacy rights.

For now, the best protection consumers have is to actually read any agreement they sign when receiving a device, and to find out what the vendor’s policies are on keeping data safe and on sharing it. This may mean refusing to use certain IoT devices, but a device may simply not be worth the privacy trade-off.

Lazy consumers

Computers have automatic updates partly because most users are too lazy to perform even the basic steps needed to keep their computer safe. And when you consider that protecting the myriad IoT devices will be even harder than a single computer, this problem will get even worse.

While tech companies and the government are taking the IoT security threat more seriously, the first line of defense in your home is you. This means taking the time to think about how IoT devices could be used against you as well as going over their security features. For example, an IoT device from a smaller, less established company may be cheaper or have other attractive features. But if that smaller company folds, then there is no one around to patch its vulnerabilities.

IoT boasts opportunity, but the security risks cannot be ignored whether it is from hackers or corporations. Above all else, the best remedy is to consider the potential risks of installing connected devices and doing your research.

 

via:  cio

Extending Security to the Cloud

The world of IT is moving to the cloud. Market data varies, but estimates of cloud usage show that approximately 20-25% of overall computing workloads operate in public cloud environments today, with that number expected to grow to 50% over the next 5-10 years (Goldman Sachs forecast).

Organizations are starting to operate in a hybrid environment that includes both public cloud and private cloud, as well as virtualization. For most organizations, this will require security controls that can serve this complete infrastructure.

Just as perimeter defense alone isn’t enough to protect your corporate networks, workloads in the cloud aren’t secure by default. The AWS Shared Responsibility Model is very clear about this.

Shared Security Model. Credit: Amazon Web Services.

AWS takes care of the underlying infrastructure but its customers are still responsible for the security, compliance and operational controls of their data and apps in the cloud. This means foundational controls like secure configurations, vulnerability management and log management are just as important in the cloud as they are on-premises.

If you are planning on moving workloads from on-premises into the cloud, you may face a few challenges since controls may not work the same way in both environments.

Cloud infrastructures are different from their on-premises counterparts. If your security and compliance controls were designed for on-premises environments, don’t assume they will work correctly in the cloud. For example, controls may lack support for cloud-oriented tech like Amazon Linux or Docker containers. Conversely, don’t assume that controls built for the cloud will work well or at all in on-premises environments.

If your controls don’t support both types of environments, you may end up deploying multiple controls for multiple environments. Dealing with multiple controls for environments is time-consuming in terms of deployment, administration and reporting. In addition, gaps in monitoring can occur if the data is not consistently collected and centralized across all infrastructure.

Another challenge is the dynamic nature of elastic computing environments where elastic assets come online and go offline to scale up and down to meet demand. Your security controls will need to match that demand as cloud assets are rapidly created and destroyed. Otherwise, gaps in visibility and errors can occur as hosts appear and disappear.

One example of overcoming this challenge comes from two large financial services organizations that sought to minimize the time between receiving fresh machine images and pushing them out to their service providers. Both organizations implemented controls that automatically baseline each image as soon as it is received. Subsequent changes are detected in real time, closing the window of exposure and maintaining continuous compliance with all prevailing policies.

The ability to rapidly deploy images, even if only for a couple of hours, enabled their application developers to take full advantage of the unprecedented flexibility of the cloud through con­tinuous protection and the permanent audit trail.
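As an added example of the image-baselining approach described above (an illustration written for this page, not the two organizations’ actual tooling): hash every file in a tree to produce a baseline, then diff a later snapshot to report what was added, removed or modified. The file tree is constructed in a temporary directory and the drift is simulated; the paths and contents are made up.

```python
"""Baseline a file tree and detect later drift (added, removed, modified files).
Added illustration of integrity baselining, not a vendor's product code."""
import hashlib
import os
import tempfile


def build_baseline(root):
    """Return {relative_path: sha256_hex} for every regular file under root.
    Symlinks are skipped so a link cannot masquerade as its target."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline[os.path.relpath(full, root)] = digest.hexdigest()
    return baseline


def diff_baselines(old, new):
    """Compare two baselines; return sorted lists of added, removed and
    modified relative paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline a pretend image, tamper with it, and
    report the drift. All paths and contents are made up for the example."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "etc", "sshd_config"), "PermitRootLogin no\n")
        _write(os.path.join(root, "etc", "hosts"), "127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        # Simulated drift: a hardening setting weakened, a file removed,
        # and an unexpected cron job dropped in.
        _write(os.path.join(root, "etc", "sshd_config"), "PermitRootLogin yes\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        _write(os.path.join(root, "etc", "cron.d", "unexpected"), "* * * * * root /tmp/x\n")
        return diff_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline would be taken once per image at intake and stored outside the instance, with the comparison re-run on a schedule or on file-change events; the point is that a new host is compared against a known-good manifest from the moment it appears rather than weeks later at audit time.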

In other words, make sure that your foundational controls support the polices, operating systems, platforms and technologies you use across your complete infrastructure.

Consider a toolset that can:

  • Monitor both on- and off-premises environments
  • Apply the same robust controls across on-premises and cloud networks, with a unified management and reporting environment
  • Dynamically on-board and off-board nodes to ensure continuous coverage in elastic environments
  • Support cloud policies and platforms in addition to the policies and platforms you use on-premises
  • Assess DevOps and cloud-oriented technologies like Docker containers
  • Deploy easily with pre-hardened machine images for your environments of choice (e.g. AWS, Azure, VMware)

In summary, you may need to protect both on- and off-premises environments in the foreseeable future. But not all solutions work equally well between on-premises and the cloud, so don’t assume that what worked on premises will work in the cloud.

 

via:  tripwire

Microsoft Boosts Safety with Windows Defender Security Center

The latest update to Microsoft’s Windows 10 operating system features a number of changes to its built-in security protection. Rolling out in phases since April 11, the Creators Update adds a new dashboard display for Windows Defender, introduces dynamic locking capabilities and also offers new privacy controls.

However, Microsoft is also cautioning users who have not yet received the update automatically to avoid downloading the new OS manually. That’s because the company continues to work on hammering out problems the Creators Update can create on some devices.

New Dashboard Display for Security Options

One of the new safety features arriving with the Creators Update is the Windows Defender Security Center.

“The Windows Defender Security Center offers a single dashboard display so you can control your security options from one place — everything from anti-virus, network, and firewall protection; to assessing your device performance and health; to security controls for your apps and browser; to family safety options,” Windows Blog editor-in-chief Mollie Ruiz-Hopper noted last month in an overview about the Creators Update.

Enterprise users with the Windows Defender Advanced Threat Protection service also have new capabilities for tracking security threats via the Windows Security Center, Ruiz-Hopper said. The security portal now uses the Microsoft Intelligent Security Graph to link to Office 365 Advanced Threat Protection, enabling IT administrators to “easily follow an attack across endpoints and email in a seamless and integrated way.”

Users of Windows Hello, Microsoft’s biometric security system, can also use a paired device to automatically lock PCs or tablets when they walk away. The dynamic lock feature works with paired smartphones, fitness wearables and other devices.

Update Caution for Older Devices

Microsoft is rolling out the Creators Update in phases, starting with newer devices first, to avoid potential problems the new operating system could cause for older machines, according to John Cable, director of program management for Windows servicing and delivery. As it becomes aware of such issues, the company might deploy blocks that automatically prevent the update from installing on devices with known issues, he said in a blog post last week.

“It’s important to note that when customers use the Software Download Site to manually install the Creators Update they bypass many of these blocks,” Cable said. “Therefore, we continue to recommend (unless you’re an advanced user who is prepared to work through some issues) that you wait until the Windows 10 Creators Update is automatically offered to you.”

Such blocks will be removed after an issue has been resolved, he added. When that occurs, users who had been affected by the blocks will be prompted to update their privacy settings before the Creators Update is installed.

Meanwhile, Windows Insiders who are testing even newer versions of the operating system should be alert to other known security issues, Windows and Devices Group software engineer Dona Sarkar said in a blog post Friday. These include a problem on some PCs that prevents a security reset and a glitch that keeps Windows Defender from opening upon double-clicking the Windows Defender icon.

 

via:  enterprise-security-today

Can Hack But Not Shoot? FBI May Ease Entry for Cyber Agents

Aspiring federal agents who can hack a computer with ease but can’t shoot their way out of a paper bag could soon find the FBI to be more welcoming.

In a series of recent speeches, FBI Director James Comey has hinted the bureau may adjust its hiring requirements to attract top-notch cyber recruits, the better to compete with private sector companies who can lure the sharpest technical minds with huge salary offers.

He’s floated the idea of scrapping a requirement that agents who leave the FBI but want to return after two years must re-enroll in the bureau’s storied but arduous Quantico, Virginia, training academy. He’s also lamented, half-jokingly, that otherwise qualified applicants may be discouraged from applying because of a fondness for marijuana.

And he’s suggested the FBI may need to build its own university to groom cyber talent and questioned whether every member of a cyber squad actually needs to be a gun-carrying agent.

“Our minds are open to all of these things because we are seeking a talent — talent in a pool that is increasingly small. So, you’re going to see us experiment with a number of different approaches to this,” Comey said last week at a gathering of the Intelligence National Security Alliance.

The rethinking on recruitment comes as the FBI confronts increasingly complex cyber challenges, including crippling state-sponsored attacks, and as it’s racing to develop more sophisticated techniques for combating internet-based threats.

The FBI, for instance, has struggled in recent years to break into the encrypted cellphones of criminal suspects, and last year it went to court against Apple after agents could not access a locked iPhone used by a mass shooter in San Bernardino, California.

Though an unidentified third-party vendor ultimately came forward with a tool to open the phone, law enforcement officials remain concerned about electronic terrorism recruitment that occurs through encrypted channels and out of sight of investigators.

Even crimes that investigators have tackled for decades, like child pornography, have grown more complicated as suspects trade images through secret internet networks that shield their locations and identities. The Justice Department has been developing ways through bulk hacking to uncover the users’ locations, though defendants have repeatedly — and with some success — challenged the use of that tactic.

“The world’s not coming back. The old school stuff that I did 20, 30 years ago in the State Police and the FBI, all those crimes nowadays have a major cyber component to it,” said Robert Anderson, a retired FBI executive assistant director who oversaw cyber investigations.

Given the increasing emphasis on computer crime, the bureau has struggled to find prospective cyber agents who check all the conventional boxes for successful agents, Comey says.

“We will find people of integrity who are really smart, who know cyber — and can’t do a pushup. Or we’ll find people, maybe they can do a pushup, they’re smart and they can do cyber — but they want to smoke weed on the way to the interview,” the FBI director has said.

Comey’s floated different possible solutions, but he’s returned several times to the idea of waiving the requirement that people who want to return to the FBI after two years outside the bureau re-enroll in Quantico.

“Our people leave, go to the private sector, discover it’s a soulless, empty way to live — and then they realize, ‘My life is empty, I need moral content in my work,'” Comey said, light-heartedly and to laughter, in a recent speech at the University of Texas at Austin.

He added: “I gave the creds for the second time to a 42-year-old cyber agent, and I said, ‘So, how was Quantico?’ He said, ‘It was a nightmare, it was a nightmare.’ And so we’re trying to figure out, are there ways we should approach this differently to recognize the challenge we have in attracting talent.”

Comey made headlines on the topic in 2014 when, in response to a question, he said that a prospective candidate who had previously smoked marijuana should go ahead and apply anyway. FBI rules disqualify applicants who have smoked marijuana within the last three years, and there’s been no sign that that will change.

He was chastised days later at a Senate Judiciary Committee hearing by then-Sen. Jeff Sessions, now the United States attorney general and Comey’s boss, about whether he understood that those comments could “be interpreted as one more example of leadership in America dismissing the seriousness of marijuana use.”

Comey replied that he had tried to be “both serious and funny” and was merely remarking on the FBI’s challenges in developing a cyber workforce at a time when “more and more” young people were trying marijuana. He pronounced himself “absolutely dead-set against using marijuana” and noted that he had not said that he would change the FBI’s policy.

Anderson said, “Anything new in the government is like getting your wisdom teeth pulled out. Anything new takes a while for the culture of the FBI to adjust to it.”

He added, “If the strategic vision is to create a mecca for cyber, we’re going to have to change.”

 

via:  enterprise-security-today