Monthly Archives: December 2017

Google’s New Earbuds Translate Dozens Of Languages In Real Time

We know we’ve gotten excited about translating technology in the past and have already made comparisons to the Babel Fish from The Hitchhikers Guide to the Galaxy. However, Google’s upcoming Pixel Buds are yet another step in the direction of complete universal understanding AND they don’t require sticking anything living into your ear canals.

 

image

Google’s latest cell phone accessory innovation will be able to translate 40 languages with the assistance of the already useful Google Translate software. The advancement this time around is that they’ll be able to do it in real time. Jump to about 1:15 in the video below to see them in action.

 

 

A recent Google Blog post explains that the Pixel Buds will be “like you’ve got your own personal translator with you everywhere you go” and although the process isn’t as instantaneous as its Hitchhikers counterpart, it’s pretty damn close. Users need only activate the Pixel Buds and make a request like “Help me speak Italian.” and the phone and earbuds will get to work. As you talk, your Pixel 2’s speaker (you’ll need a Pixel or Pixel 2 for now) will translate your speech to the language of your choice and—as someone responds in the chosen language—the buds will pump audio of the translation back into your dear ol’ monolingual ear holes.

The Pixel Buds are due out November of 2017 and are currently available for pre-order for $159 which isn’t too bad for such a handy piece of tech. Considering you’re likely to spend at least $649 on the new Pixel 2, why not go all out, right? (pretending to have lots of money is fun, isn’t it?)

 

Now we will have to see how they compare to the Pilot Translating Earpiece.

image

 

 

 

What do you think about the new Pixel Buds? Are we headed down a road where Babel Fish won’t ever be needed in interstellar travel? What other sort of future tech do you want in your phone?

 

via:  nerdist

Amazon acquires connected camera and doorbell startup Blink

Amazon has acquired Blink (via Slashgear), a startup founded in 2014 that builds connected Wi-Fi home security cameras, as well as a new video doorbell introduced earlier this week. The company got its start via a crowdfunding campaign that raised over $1 million for its totally wireless home monitoring system.

Amazon has already made forays into connected home video cameras and even home entry products, including its Cloud Cam and Amazon Key offering for remotely enabling access to your home for delivery people dropping off packages.

What Blink brings to the table is expertise in building connected, wireless home monitoring and security tech that also operates completely wire-free requiring no complicated installation and running on simple, readily available replaceable batteries.

Blink’s Doorbell, for instanced, operates on two AA batteries and should last for about two years of regular use on those. That’s a lot better than rival Ring’s wireless doorbell in terms of battery life – and it costs less, too, at just $99 per unit, with many similar features including motion detection, two-way audio, waterproofing and night vision.

Amazon is clearly interested in owning more of the connected home space, after having tremendous success in the bourgeoning market via products like its Alexa smart speaker. This should have rivals including Ring and Alphabet-owned Nest worried, since between its own offerings and now Blink’s, it has a lot to offer consumers in terms of cost and convenience benefits.

 

via:  techcrunch

Data Breach Potentially Struck Tallahassee Utility Customers

A data breach at a payment processor might have compromised the personal and financial information of some Tallahassee utility customers.

Tallahassee Treasurer Clerk Jim Cooke is warning that a breach at TIO Networks, a company used by Florida’s capital to help people pay their bills, might have affected an untold number of utility customers in the area. He estimates that about 10 percent of local utility customers use remote locations to pay their bills. Even so, it’s difficult to hone in on who exactly might be victims of the incident.

As he told WCTV Eyewitness News:

For the vast majority of city utility customers, they would be unaffected. Unless a customer received a letter directly from TIO Networks, then they don’t have anything to be worried about. [Those who might be affected] would be persons who made a payment, by check at a remote location such as a convenience store or a credit union.

Anyone who submitted payment in this manner between 2008 and 2017 could be affected.

News of the breach first emerged in mid-November when PayPal Holdings, Inc. decided to temporarily suspend operations of TIO Networks. After acquiring the company in July 2017, the American company that offers online payment solutions decided to take TIO Networks offline after identifying the potential compromise of 1.6 million customers’ information. That data includes customers’ names, addresses, and banking information.

The incident affected TIO Networks but not PayPal, as its network remains separate from that of its acquisitions.

TIO Networks has apologized for the breach and is working to make amends:

We sincerely regret this incident and are working hard to protect you and your personal information. In addition to suspending its services, TIO contacted the appropriate law enforcement and other authorities, and has brought in outside cybersecurity experts to investigate.

We are also providing you with one year of complimentary identity protection that includes credit monitoring, identity theft insurance, and assistance with combating identity theft and fraud should any be detected.

While the company continues its investigation of the incident, Tallahassee utility customers should monitor their financial accounts for any signs of identity theft or credit card fraud. If they notice anything suspicious, they should inform the relevant authorities. Additionally, they should consider setting up account notifications for their bank and credit card accounts as well as placing security freezes on their credit reports at each of the four main credit bureaus.

Residents of Tallahassee who are looking to pay their utility bills can still do so at the Frenchtown Renaissance Center, online, or via a dedicated mobile app.

 

via:  tripwire

Xage emerges from stealth with a blockchain-based IoT security solution

Getting the myriad of devices involved in the industrial internet of things provisioned and communicating with one another in a secure way will be one of the great technological challenges facing companies in the coming years. Xage (prounounced Zage) emerged from stealth today with a blockchain-based security solution that could help simplify this.

The company also announced that Duncan Greatwood has joined the company as CEO. Greatwood is an experienced entrepreneur, who sold Topsy to Apple in 2013 and PostPath to Cisco in 2008. These exits have given him the freedom to pick and choose the projects he wants to work on, and he liked what he saw at Xage from a technology perspective.

“This is an area where a wave of change is sweeping through the industry. Security is a foundational element of this innovation,” Greatwood told TechCrunch.

He said that Xage is building a security fabric for IoT, which takes blockchain and synthesizes it with other capabilities to create a secure environment for devices to operate. If the blockchain is at its core a trust mechanism, then it can give companies confidence that their IoT devices can’t be compromised. Xage thinks that the blockchain is the perfect solution to this problem.

They do this by building a trusted network of people, machines and applications on the blockchain, which creates an irrefutable connection among these different entities and prevents anyone who has not been given explicit permission from gaining access.

“The blockchain is operating like a distributed, redundant tamper-proof data store. It connects with policies pushed from the cloud or configured locally. The [security] fabric enables the devices and AI and people to communicate with each other and controls the flow of information,” he explained.

Greatwood says this is helping solve a huge IoT security challenge because of the tremendous risk that’s inherent when everything can talk to everything. “Any to any communication at the edge with many devices is the worst case scenario for security because you are creating the maximum attack surface,” he said.

But, he says, Xage’s blockchain approach flips that because the more participation you have, the more secure it’s going to be. “The more participants you have, the more security you have, the more redundancy you have, the harder it is to attack the system and break the consensus the blockchain is there to establish,” he said.

What ends up getting deployed is a security fabric, a set of gateways and client devices on the industrial edge that form the blockchain among themselves,” he said. “ The company is working with IBM on the Hyperledger Fabric project to build their blockchain along with some of the Ethereum technology.

The product is generally available today. The company is located in Palo Alto and currently has 20 employees. Among their early customers are ABB and Itron, which is using the technology to provision smart electricity meters.

 

via:  techcrunch

Data Breach Exposes 300K RootsWeb Users’ Login Credentials

A data breach has exposed the login credentials belonging to 300,000 users of RootsWeb, a service owned and sponsored by Ancestry.com.

On 4 December 2017, someone posted a file containing the usernames and plaintext passwords of 300,000 users to a hacker forum. An analysis of the dump, which was still available for download as of 27 December 2017, suggests the hackers infiltrated the domain rsl[dot]rootsweb[dot]ancestry[dot]com. They then stole the information from a server maintained by Ancestry.com for RootsWeb, a free online genealogical community which allows members to participate in mailing lists and message boards.

As reported by HackRead, independent security researcher Troy Hunt ultimately found the data dump. His investigation indicates that the breach occurred in 2015 and that Ancestry.com was unaware of the incident at the time. So he reached out to the for-profit genealogy company and gave them the file.

image

Ancestry.com’s information security team subsequently reviewed the file and determined that the information contained therein was legitimate. Tony Blackham, CISO of the service, explains more of what the security personnel found:

Though the file contained 300,000 email/usernames and passwords, through our analysis we were able to determine that only approximately 55,000 of these were used both on RootsWeb and one of the Ancestry sites, and the vast majority of those were from free trial or currently unused accounts. Additionally, we found that about 7,000 of those password and email address combinations matched credentials for active Ancestry customers. As part of our investigation, our team also uncovered other usernames that were present on the RootsWeb server that, though not on the file shared with us, we reasonably believe could have been exposed externally. We are taking the additional step of informing those users as well.

We believe the intrusion was limited to the RootsWeb surname list, where someone was able to create the file of older RootsWeb usernames and passwords as a direct result of how part of this open community was set up, an issue we are working to rectify.

Blackham goes on to note that he has no reason to believe any Ancestry systems were compromised. He also reassured those affected by the breach that sensitive information including their financial data and Social Security Numbers are safe.

In response to the breach, Ancestry.com has temporarily taken RootsWeb offline while it works to make sure all user data is “safe and preserved.” It’s also locked all 55,000 Ancestry.com users affected by the RootsWeb breach and notified them of the incident. Those users must change their passwords if they wish to regain access to their accounts.

Those affected by the breach can use these experts’ advice to create a strong, unique password for their Ancestry.com profile and other web profiles.

Meanwhile, the genealogical service has said it will continue to work with regulators and law enforcement to investigate the breach and minimize its impact.

 

via:  tripwire

4 ways CISOs can improve security operations, increase ROI

Organizations will spend more on security operations, but CISOs need metrics to demonstrate ROI.

Overall, security operations are quite difficult, many organizations complain about too many manual processes, too many disconnected point tools, and a real shortage of the right skills. These issues can lead to lengthy incident detection and response cycles or worse yet, damaging data breaches. Just ask Equifax.

A recent ESG survey of 412 cybersecurity and IT professionals about their organization’s security analytics and operations found organizations know they have problems and are willing to address them. For example, 33% say their spending on security operations will increase significantly, while another 49% indicate that their security operations spending will increase somewhat.

While security operations spending will increase, it’s worth noting that 30% of cybersecurity professionals say that their biggest security operations challenge is the total cost of ownership. What does this mean? CISOs are willingly spending millions of dollars on security operations but getting marginal security efficacy and poor operational efficiency.

How CISOs can improve security operations

As the ESG data points out, business executives are more than willing to throw money at security operations problems, but they will demand that CISOs present them with all types of metrics demonstrating that increased investment is actually leading to improved results, such as improving the time needed for incident detection and response.

Bolstering these metrics won’t be easy, but based upon ESG research, CISOs can make progress by doing the following:

  • Creating a SOAPA integration plan. Leading CISOs are actively consolidating security technologies, eliminating vendors, and building a security operations and analytics platform architecture to unify detection and response tools across a common architecture.
  • Pushing for process automation and orchestration. Even well-resourced security teams can’t keep up with the scale and complexity of today’s threat landscape. Progressive organizations are using automation and orchestration for use cases such as investigations, threat hunting, and automated remediation to accelerate processes.
  • Unifying security and IT operations teams. Too often these teams have different goals and compensation, and they use diverse sets of tools in pursuit of their organizational mission. CIOs and CISOs are getting together to tear down walls between these groups, while SOAPA enables disparate groups to share data, prioritize tasks, and automate remediation actions.
  • Adopting advanced analytics. Amidst all of the industry hype, true innovation is happening in areas such as artificial intelligence and machine learning. CISOs should carefully research these technologies, determine which analytics tools fit their organization’s skills and strength, and embrace pilot projects.

As CISOs move forward with these initiatives, they should continually determine how to measure and report incremental and ongoing advancement they achieve with risk management, security efficacy, and operational efficiency. Successful CISOs will be the ones who can demonstrate and communicate real and honest progress anytime they are asked to do so. 

 

via:  csoonline

Edward Snowden’s new app turns any Android phone into a surveillance system

NSA Whistleblower Edward Snowden is among the backers of a new surveillance app that helps guard against computer hijackings.

Haven is an open source app that will run on any Android phone, particularly inexpensive and older devices. It operates like a surveillance system, using the device’s camera, audio recording capability and even accelerometer to detect movement and notify a user. The idea is that, even with the best encryption in the world, a device is vulnerability to physical, in-person tampering — also known as “evil maid” because literally a hotel maid could access it.

The app was developed by The Guardian Project, Freedom Of The Press and Snowden to offer eyes and ears to prevent, or at least increase awareness, of whether a device has been tampered with.

So, for example, you’d set up a burner Android device in a hotel safe alongside your laptop. Haven could then be set to broadcast any audio or movement, basically if anyone opened the safe it will snap a photo, record audio and detect motion. Alerts can be sent via SMS, Signal or to a Tor-based website.

 

 

Writing for The Intercept, Micah Lee, a member of Freedom Of The Press who help set up and test the app, admitted that the app does have some shortcomings — such as maintaining constant internet access for notifications, preventing battery drain and false positives — but it offers something new for those who would welcome the peace of mind from additional surveillance. While beyond helping keep hardware secure, it could also have other uses.

“Haven can also be used as a cheap home or office security system to detect break-ins or vandalism while you’re away, positioning the phone to send you photographs when someone walks within range. Or you can use it to monitor for wildlife in rural areas, or to capture evidence of human rights violations and disappearances,” Lee wrote.

Or even something more festive…

image

Haven can be downloaded via Google Play and open source Android app store F-Droid.

Snowden, who remains exiled in Russia, previously helped develop an iPhone case that detects when a device is transmitting data that can put users at risk of detection, and he’s been very vocal about services that he believes are problematic for privacy. He previously advised that people get rid of Dropbox and avoid using Google and Facebook and has spoken at length on why data collection is “the central problem of the future.”

 

via:  techcrunch

Goldman Sachs to set up cryptocurrency trading desk

Launch marks significant Wall Street acceptance of Bitcoin and other cryptocurrencies.

Cryptocurrencies such as Bitcoin have received major backing from one of the world’s biggest banking giants after reports emerged that Goldman Sachs is planning to set up a trading desk to do business with digital currencies.

According to Bloomberg, the bank has given itself until June to prepare everything and get the business running, with security and asset holding among the major issues to be considered.

It is currently forming a team in New York, and once it starts trading, it will be the first large Wall Street firm to actually do that. It still hasn’t come to a decision as to where it will house the desk, but it is being speculated that it could operate “within the fixed-income, currencies and commodities unit’s systematic trading functions”.

“In response to client interest in digital currencies, we are exploring how best to serve them,” Michael DuVally, a spokesman, said in a statement.

And at the same time, the majority of cryptocurrencies have lost quite a lot of value. Bitcoin, which hit $20,000 mid-December, has fallen to $13,000 just a week later, with some analysts thinking it might gp down even further to $11,000.

Ether, the second-largest cryptocurrency, has lost around $200 in value, dropping from an all-time high of $880 down to $680, also within a week.

 

via:  itproportal

New Year’s resolutions for CISOs

Security leaders must move closer to the business, improve staff productivity and modernize security technology infrastructure.

Most people have a few New Year’s resolutions — lose some weight, exercise more, spend more time with the family, etc. Based upon ESG research and many discussions with cybersecurity professionals, here’s a list of New Year’s resolutions for enterprise CISOs:

  1. Lead the effort to make cybersecurity part of the organizational culture. ESG/ISSA research indicates that 24 percent of organizations claim that business managers still don’t understand or support the right level of cybersecurity. In 2018, CISOs must alter this cybersecurity ignorance and apathy. How?
    Make a concerted effort to gain the CEOs support. Establish regular communications with all line-of-business managers. Work to better quantify risk in ways that business managers can understand and act upon. Get involved with business process initiatives before software developers begin writing code.  Push HR for more hands-on training. Walk the floor and meet employees on a regular basis.
    CISOs must push as hard as they can in 2018. Those who make a difference can have a personal impact on risk mitigation across the organization. Those who fail should be ready to seek other employment in 2019.
  2. Invest more time and resources in the cybersecurity staff. Based on the ESG/ISSA research report The Life and Times of Cybersecurity Professionals, we know that the cybersecurity team is overwhelmed, understaffed, and not getting the right level of training to keep up with their skills. We also know that 49 percent are solicited to take a new job at least once per week, so they are as good as gone if they aren’t treated fairly.
    To alleviate these issues, CISOs must do all they can to keep the cybersecurity staff productive, intellectually challenged and happy. That means investing in training, mentoring programs and career development. To recruit new talent, CISOs should also strive to make their organization a cybersecurity center of excellence. This includes establishing a cybersecurity culture, working with professional organizations, getting the organization more involved with the cybersecurity research and making sure the staff is stimulated at all times.
  3. Look for opportunities to employ advanced threat prevention. One way to bolster productivity is by decreasing the attack surface wherever possible with new types of advanced threat prevention technologies, such as next-generation endpoint security software, micro-segmentation, secure DNS services, threat intelligence gateways, etc. (Note: See the blog post I wrote on advanced threat prevention.) Advanced threat prevention can lower the volume of security noise, enabling the infosec staff to focus on high priorities and find more time for strategic planning and skills development.
  4. Move security technology toward integration and advanced intelligence. CISOs should focus on rationalizing, consolidating and integrating security technologies in 2018 with the goal of building a security operations and analytics platform architecture (SOAPA) that can collect, normalize, process, analyze and act upon the growing amount of security telemetry.
    At the same time, organizations should research, test, pilot and deploy selective security tools offering artificial intelligence. Based upon ESG research, CISOs can get the biggest bang for their buck by applying machine learning algorithms to existing security tools such as endpoint security software, network security analytics, threat intelligence platforms and DLP. This can help improve security efficacy of installed technologies without adding complex new projects.
  5. Make a commitment to automate and orchestrate manual processes.In cybersecurity, whatever can be automated should be automated. This includes gathering data, analyzing suspicious files and applying simple remediation rules to block malicious activities. The caveat here is best summarized by a quote attributed to Bill Gates: “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.”
    In other words, CISOs should assess processes and strive for process improvement, or they will end up automating/orchestrating a broken process and negate potential benefits.

Finally, CISOs should take a portfolio management approach toward cybersecurity by finding areas that can be simplified by cloud alternatives (as opposed to on-premise technologies) or completely outsourcing tasks to MSSPs or SaaS security providers. 

I’ve written in the past about the CISO triad: security efficacy, operational efficiency, and business enablement. These resolutions are intended to align with and enhance these objectives and could help promote a happy cybersecurity new year in 2018.

 

via:  csoonlin

The cybersecurity skills shortage acts as a root cause for security events

New research from ESG and ISSA reveals that a lack of training, inadequate cybersecurity staffing, and business apathy contribute to security events.

ESG recently published a new research report titled, The Life and Times of Cybersecurity Professionals, with its research partner, the Information Systems Security Association (ISSA).

The research looks closely at the ramifications of the cybersecurity skills shortage — beyond the obvious conclusion that there are more cybersecurity jobs than people with the right skills and background to fill these jobs.

As part of this research project, ESG and ISSA wanted to understand whether the cybersecurity skills shortage is a contributing factor to the constant wave of security events experienced by large and small organizations.

To that end, 343 cybersecurity professionals (and mostly ISSA members) were asked if their organizations had experienced a security incident over the past two years (i.e. system compromise, malware incident, DDoS attack, targeted attack, data breach, etc.). More than half (53 percent) admitted that their organization had experienced at least one security incident since 2015. It is also noteworthy that 34 percent responded with “don’t know/prefer not to say,” so the percentage of organizations experiencing a security incident is likely much higher.

4 factors contributing to cybersecurity incidents

Those survey respondents confessing to a security incident were then asked to identify the factors that contributed to these events. The data reveals that:

  • 31 percent say a lack of training for non-technical employees. This indicates that employees are probably opening rogue attachments, clicking on malicious links, and falling for social engineering scams, leading to system compromises and data breaches. Clearly, firms are not dedicating the people or financial resources necessary to provide ample cybersecurity training and are suffering the consequences. 
  • 22 percent say the cybersecurity team is not large enough for the size of their organization. Boom, direct hit. In an earlier blog post, I revealed some data about the implications of the cybersecurity skills shortage, including an increasing workload on staffers and a myopic focus on emergency response at the expense of planning and strategy. The data also exposes that the skills shortage leads directly to more security incidents, which lead to business disruption, negative publicity and data breaches. 
  • 20 percent say business and executive management tend to treat cybersecurity as a low priority. The lack of suitable business oversight on cybersecurity was a consistent theme throughout the ESG/ISSA research. It remains true that business executives are overlooking their fiduciary (and moral) cybersecurity responsibilities. Based upon this data, we can anticipate some massive GDPR fines in the second half of 2018.
  • 18 percent say the existing cybersecurity team can’t keep up with the workload. Another direct hit — the workload is too big, and the staff is too small.

Breach detection, proactive threat hunting, and incident response tend to be people-intensive processes dependent upon advanced skills, so it’s logical to assume the cybersecurity skills shortage would have a profound impact here. The ESG/ISSA research proves there is a strong correlation here, so it’s safe to say that organizations with lots of open cybersecurity requisitions can expect a lot of malicious activity on the network.

How to handle cybersecurity requirements when short-staffed

Can anything be done? Yes. CISOs should assume they’ll be short-staffed and therefore address cybersecurity requirements by doing these things:

  1. Proceed toward advanced prevention. CISOs should go the extra mile to decrease the attack surface by using technologies such as micro-segmentation, identity-based access controls (i.e. zero-trust networking), threat intelligence gateways, and secure DNS services. 
  2. Automate processes. Cybersecurity pros should assess current processes and look for ways to automate things such as data collection, event lifecycle management, and process workflow.
  3. Add intelligent solutions. All organizations should be investigating, evaluating, and deploying security solutions based upon artificial intelligence (AI). While this technology is in its genesis, it can be applied to accelerate threat detection and ease the burden on the SOC team. 
  4. Get help. CISOs must honestly assess whether they have the staff level and skills to keep up with requirements. Those who find themselves lacking should throw in the towel and find managed service and SaaS providers that can bridge this gap.

Note that the ESG/ISSA report is available for free download here.

 

via:  csoonline