Monthly Archives: February 2018

Google launches a lightweight ‘Gmail Go’ app for Android

Google has made a notable addition to its line of “Go” edition apps, the lightweight apps designed primarily for emerging markets, with the launch of Gmail Go. The app, like others in the Go line, takes up less storage space on users’ smartphones and makes better use of mobile data than the regular version of Gmail.

The app also offers standard Gmail features like multiple account support, conversation view, attachments, and push notifications for new messages. It also prioritizes messages from friends and family first, while categorizing promotional and social emails in separate tabs, as Gmail does.

But like other Go apps, Gmail Go doesn’t consume as much storage space on the device.

In fact, according to numerous reports, Gmail Go clocked in at a 9.51 MB download, and takes up roughly 25 MB of space on a device, compared with Gmail’s 20.66 MB download, and 47 MB storage space.

Google has not made a formal announcement about Gmail Go’s launch, but several sites have spotted its availability on the Google Play store this week. We’ve asked Google for more information about the app’s feature set and what exactly Go does to reduce the burden on low-end smartphones. The company declined to comment.

Some early adopters have pointed out that scrolling on Gmail Go is a much choppier experience than on the standard Gmail. It also syncs fewer days of emails and attachments to use less bandwidth.

But overall, there are not many noticeable differences between Gmail and Gmail Go, in terms of feature set.

That’s not always the case with the Go-branded apps. YouTube Go, for example, has several unique features, like the ability to download videos for offline viewing and to share videos with friends nearby. In Gmail Go’s case, however, the app has only been designed to meet the size and memory requirements of Android Go.

But we have learned why Google didn’t announce Gmail Go: the app is not going to be available to all users. Instead, Gmail Go will only be available from the Play Store, for update purposes, on devices that already have it pre-installed. For now, that means only Android O Go edition devices will have the ability to use the app.

If those users prefer, they can choose to install the regular Gmail app, too, and use both side-by-side.

Gmail Go is joining a growing list of Go edition apps, including YouTube Go, Files Go, Google Go, Google Maps Go and Google Assistant Go.

via:  techcrunch

Twitch launches always-on chat rooms for channels

Game streaming site Twitch is debuting an always-on chat room feature it’s simply calling “Rooms.” The addition was first announced at its developer event TwitchCon back in October, and was expected to launch before year-end. That timing shifted a bit, but the feature went live on Thursday across both web and mobile for Twitch users worldwide.

Rooms are custom chat spaces available from the channel page itself, and anyone can set them up on their own account. They’re found in the header of the Stream Chat on the creator’s channel, which is where Rooms can be created or joined.

Starting now, channel owners have the option to create a “Room” for a specific group of users, like their channel’s subscribers, moderators or followers, or others with a shared interest, such as spoilers. That latter use case is a topic that would make sense to hide from the publicly accessible main group chat.

But Rooms can also be used by groups who might otherwise have dominated the main Stream Chat with unrelated messages, memes or private jokes, or for any other topic of the creator’s choosing, whether related to gaming or not. More importantly, they allow the channel’s community to stay connected and chat even when the creator isn’t streaming.

At launch, creators can only host 3 Rooms, Twitch says.

To start a Room, the creator clicks the new “Rooms” menu in the Stream Chat, followed by “Create a Room.” They then give the Room a name and assign chat permissions. Moderators and Subscribers are set categories, so they’re automatically added to any Subscriber or Moderator Room. If the Room is set to be open to Everyone, viewers can choose to opt in if they want to participate.

Moderator chats are always private but creators can choose to allow all viewers to preview their Subscriber chat Room, even if they can’t participate. This setting is available upon Room creation, via a toggle switch.

The launch follows other changes on Twitch in recent days, including new features to highlight a channel’s top fans and a notable update to Twitch’s community policies to crack down on hate speech, harassment and sexual content. Rooms could potentially help with those goals to some extent, as they allow people to move their back-and-forth messages out of the main chat to a sub-chat where their posts are less visible, or even invisible, to the general viewing audience. That doesn’t mean Twitch will tolerate hateful content in the sub-chats, but it could help by hiding posts that might otherwise have been misinterpreted by casual viewers who didn’t understand the context.

Twitch says the feature was something that was designed based on requests from the community, and will continue to be iterated on throughout the year.

Rooms will be rolling out starting the 15th.

via:  techcrunch

New iOS Bug Crashes Apple Devices, Blocks Access to Apps and iMessages

A new bug in certain versions of Apple’s operating system can cause iPhones, Macs and even Apple Watches to crash, blocking access to iMessages and other popular apps.

As reported by Italian blog Mobile World, the bug affects devices running iOS 11 when a character from an Indian language (Telugu) is received or simply typed in a text field.

“If the character is displayed within an application (WhatsApp, Twitter, etc.), the app in question will crash and will continue to close each time you try to start it,” warned Giuseppe Trippodi of Mobile World.

Other third-party apps, including Facebook Messenger, Gmail and Outlook for iOS, also become disabled when a message containing the symbol is received.

“The situation gets worse if someone sends you the symbol and iOS tries to show it in a notification. In this case, the entire [iOS] Springboard will be blocked,” said Trippodi.

According to Mobile World, the bug was also successfully reproduced on the latest versions of watchOS and macOS, immediately crashing apps like Messages, Safari, Notes and the App Store.

Fortunately, the beta version of iOS 11.3 already appears to resolve the issue.

The flaw was reported to Apple earlier this week, but the tech giant has yet to respond with a statement.

Tom Warren (@tomwarren), 6:00 AM, Feb 15, 2018: “Another iOS bug is crashing iPhones and disabling access to iMessage” https://www.theverge.com/2018/2/15/17015654/apple-iphone-crash-ios-11-bug-imessage

This isn’t the first time Apple users have been inconvenienced by a major software bug. In 2016, a similar bug caused iOS devices to freeze when attempting to play a specific video in Safari.

More recently, just a few weeks ago, another bug in iOS 11 forced devices to restart repeatedly after 12:15 am. The bug was triggered by third-party apps using recurring local notifications, such as reminders.

via:  tripwire

What Are You Doing to Keep Your AWS S3 Data Private?

Leaky AWS S3 buckets have been spilling confidential information onto the public internet for years, and now anonymous hackers have created a search engine to make finding those exposed secrets even easier.

New on the scene is “BuckHacker.” The name is a portmanteau, stemming from the fact that it allows the hacking of “buckets,” which is the name for containers of data within Amazon Web Services Simple Storage Service (S3).

It is a tool designed to allow easy searching of information publicly available in AWS S3: a Google search just for S3, where up to seven percent of buckets contain public data, according to recent research.

Although previous tools and techniques have been published for finding accidental S3 exposures, BuckHacker is notable for making the process simple, which leads us to our titular question: what are you doing today to keep the confidential data stored in your AWS S3 account private?

If you don’t have a firm answer to the question, there’s a good chance you could find yourself in the headlines as another data dump is discovered.

AWS S3 access control configuration is incredibly complex, and accidental public exposure is all too easy to allow. Every change to access control lists (ACLs) or the bucket policy can cause previously private data to become public. We went into deep detail on the complex nature of S3 access control in a previous post on preventing AWS storage breaches.

The perfect storm is created when configuration complexity is met with tools like BuckHacker, which make it easy for even non-technical attackers to find the leaks in your buckets.

What should you be doing about it? At a minimum, you must evaluate every ACL and bucket policy that affects access to your S3 storage, and do so continually, because any later change can re-expose data that was private at the last review.

Use the principle of least privilege and do not over-grant access. A common mistake is granting access to the “Any Authenticated AWS User” group, which is effectively public: it gives access to every AWS account in the world, not just those in your own organization.

You should also continuously check for the public notification icon within the S3 dashboard, as this notification can alert you to an accidental exposure.

However, be warned: although the S3 dashboard analyzes the access control mechanisms and attempts to display a notification when your buckets or objects are public, our testing has shown that the S3 public access notification is not always accurate.
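As an added example (it is neither the Tripwire tool described below nor AWS code), here is a small Python checker that applies the two checks above to the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return for a bucket: a grant to either global group in the ACL, or an Allow statement with a wildcard Principal in the policy. The sample ACL and policy are constructed; the bucket name, account ID and VPC ID in them are hypothetical.

```python
import json

# Group URIs that S3 uses for its two global pseudo-groups. A grant to either
# one is public: AuthenticatedUsers means any AWS account in the world, not
# just the accounts in your own organization.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}

# Constructed sample ACL in the shape returned by `aws s3api get-bucket-acl`
# (hypothetical canonical user ID and grants, not from any real bucket).
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

# Constructed sample bucket policy, as `aws s3api get-bucket-policy` returns
# it (a JSON string). Effect Allow + Principal "*" + no Condition is public.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}},
    ],
})


def acl_public_grants(acl):
    """Return [(group_name, permission)] for every grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (including the list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return Allow statements whose Principal is a wildcard.

    Statements that carry a Condition are still reported but marked
    conditional: a condition such as aws:SourceVpc may restrict access, so
    a human reviews it rather than the script declaring it safe or public.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({"Sid": stmt.get("Sid"), "Action": actions,
                         "Conditional": "Condition" in stmt})
    return findings


def assess_bucket(name, acl, policy=None):
    """Combine ACL and policy findings into one verdict for a bucket."""
    report = {
        "bucket": name,
        "acl_public": acl_public_grants(acl),
        "policy_public": policy_public_statements(policy) if policy else [],
    }
    # Any global-group grant, or an unconditional wildcard Allow, means public.
    report["public"] = bool(report["acl_public"]) or any(
        not f["Conditional"] for f in report["policy_public"])
    return report


if __name__ == "__main__":
    print(json.dumps(assess_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

Feed it the real output of those two commands for each bucket (the policy command returns the document as a JSON string under the “Policy” key) and run it on a schedule, so that a later ACL or policy change shows up as a new finding rather than waiting for the dashboard icon. Objects carry their own ACLs and can be public inside a bucket that is not, so the same grant check belongs on `get-object-acl` output as well. For the definitive test the article describes further down, an unauthenticated `curl -I https://<bucket>.s3.amazonaws.com/<key>` that returns 200 instead of 403 confirms exposure independently of any policy analysis.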

A tool like the Tripwire Enterprise Cloud Management Assessor can be used to automatically assess your AWS S3 buckets and objects to determine if they are exposed for anonymous access and even report on objects that have become newly exposed as might happen with an accidental access policy change.

The Cloud Management Assessor will scan each of the buckets and objects you have stored in Amazon S3 to retrieve metadata, file contents, policy and access control information. It will also monitor each of these gathered values for changes.

For a definitive test, the Cloud Management Assessor can even perform HTTP requests against each object in your S3 account to ensure you have complete knowledge of what is exposed and what isn’t.

We are unlikely to stop seeing AWS S3 data leaks anytime soon, especially with ever greater cloud adoption and tools like BuckHacker to exploit misconfigurations. AWS S3 access control is complex, and you must continuously evaluate the exposure of your private data in order to avoid becoming BuckHacked.

via:  tripwire

New Microsoft dashboard shows PCs at risk from Meltdown-Spectre

  • Microsoft has updated its Windows Analytics service to give IT pros an overview of how well protected their IT estate is against the Spectre and Meltdown security vulnerabilities.
  • A dashboard details which firmware, operating system, and AV compatibility updates are installed, disabled or need to be put in place.

Mitigating the Meltdown and Spectre security vulnerabilities has turned into a major headache for IT admins.

New patches to offset the risk from these flaws have introduced problems of their own, causing computers to slow down, reboot randomly or stop booting altogether, which in turn has resulted in fresh updates to disable the earlier problematic fixes.

The difficulty is that the Meltdown and Spectre security vulnerabilities are potentially too serious for any IT admin to ignore. Meltdown and Spectre are vulnerabilities in modern chip design that could allow attackers to bypass system protections on nearly every recent PC, server and smartphone, allowing hackers to read sensitive information, such as passwords, from memory.

To help IT pros navigate the minefield of working out which Meltdown and Spectre patches they should and shouldn’t install on Windows machines, Microsoft has updated its Windows Analytics service.

The updated Windows Analytics dashboard, shown below, will break down which Meltdown and Spectre patches have been installed across an IT estate, in a Windows group or on an individual machine. The overview details which firmware, operating system and AV compatibility updates are installed, disabled or need to be put in place.


The Windows Analytics service dashboard.

Image: Microsoft

The service is available on Education, Enterprise and Pro editions of supported desktop versions of Windows: Windows 7 with Service Pack 1, Windows 8.1, and Windows 10, and requires an Azure Active Directory account to set up.

Microsoft also announced it has rolled the latest operating system and firmware updates to mitigate against Spectre and Meltdown-related attacks into its February Patch Tuesday update.

While Microsoft released an out-of-band update earlier this month to disable Intel’s buggy Spectre-related firmware update, this emergency patch is not included in the February bundle.

The fixes in the Patch Tuesday update will be automatically installed on most Windows PCs but will need to be manually enabled on Windows servers.

Intel has also updated its guidance on which systems are safe to apply its microcode updates to mitigate variant 2 of the Spectre vulnerability, broadening its advice to cover older Intel processors.

via:  techrepublic

Who Is Responsible for Your Cloud Security?

The cloud is a tremendous convenience for enterprises. Running a data center is expensive – doing so not only requires buying a lot of servers, cable and networking appliances but also electricity, labor costs, cooling and physical space.

Services like Amazon’s AWS, Microsoft’s Azure, Oracle’s Cloud and Google’s Cloud Platform give businesses the benefits of having a data center without the expensive overhead and related hassles. Imagine how much more expensive it would be to launch a Software as a Service (SaaS) product if the backend had to be established without the help of third-party cloud services.

Cloud services and the internet offer tremendous cost savings, efficiency and functionality. Unfortunately, putting your data on the internet exposes it to greater cybersecurity risks. It’s certainly possible to security-harden cloud services to make them a lot less vulnerable to cyber attack.

But when Amazon or Google owns the infrastructure and your enterprise owns the data, who is responsible for keeping your cloud services secure?

WHAT ARE WE PROTECTING IN THE CLOUD?

The Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) framework defines the following as essential IT resources:

  • People
  • Information
  • Applications
  • Infrastructure

A cloud provider, such as Azure or AWS, typically provides infrastructure as a service (IaaS) and platform as a service (PaaS). The infrastructure is the physical components: computers, networks and networking appliances. The platform is all of that plus middleware components, such as databases. If the application you’re running is yours, the SaaS layer is your responsibility.

THE SHARED CLOUD SECURITY MODEL

Amazon’s AWS is a leader in cloud services. AWS’ initiatives help to set trends in the cloud services industry. AWS features what Amazon calls a Shared Responsibility Model.

Here’s what they say on the official AWS policy site:

AWS responsibility ‘Security of the Cloud’- AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

Customer responsibility ‘Security in the Cloud’– Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), and Amazon S3 are categorized as Infrastructure as a Service (IaaS) and, as such, require the customer to perform all of the necessary security configuration and management tasks. If a customer deploys an Amazon EC2 instance, they are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.

So, in a nutshell, AWS will make sure that only authorized parties have physical access to their data centers. AWS will keep the pertinent network security appliances running, such as IPS devices, IDS devices and firewalls. They also monitor logs for security alerts and address any related issues of the security of the network itself.

If there’s a vulnerability in your code (which doesn’t belong to Amazon) and a cyber attacker exploits it, that’s on you.

AWS will let you know if there’s a security incident and will address the infrastructure related issues for you. Software-related compliance and incident matters are your responsibility as the customer who owns the product which is running in AWS’ cloud. Access management pertaining to your application is up to you to protect.

WHAT’S NEXT TO HELP YOU SECURE YOUR CLOUD ENVIRONMENT?

You’re responsible for the security of your software in the cloud, but you don’t have to do it alone. Securing your applications is a lot of work; it’s a 24/7 job!

You should consider deploying a third-party cloud security solution. Configuration management, vulnerability management and log management can be better handled with the help of a company that has specific expertise with these security services. Don’t try this at home, kids!

I also strongly recommend that you download Tripwire’s free whitepaper on Securing AWS Cloud Management Configurations, especially if you’re considering AWS as your cloud provider.

via:  tripwire

Best Practices in Healthcare Information Security

Some of the most common phrases that come out of information security professionals’ mouths include: “Well, that did not work” and “The project fell apart, and I don’t know what I could have done better.”

The pain of not knowing what security best practices your team can/should implement can cost the company time and money. It could also end up affecting the customer and making the business liable for damages that take years to pay off.

When it comes to healthcare information security, there are tons of ways of doing business. No matter what you implement, some of the results just do not come out the way you expected. So the question is: “What are the top best practices in healthcare information security?”

HERE ARE SOME ANSWERS.

Technical Perspective:

Train, train and train some more. Ensuring your staff is up-to-date on the latest threats out there is a great way to make everyone “eyes and ears” for the company. Empower them with information security education to let them know they have skin in the game, as well.

Domain Access:

Not everyone needs domain access. It does not matter if a person has a high title or several initials after their name; that doesn’t mean they should have domain access. Furthermore, handing the keys to the kingdom to the CEO or another executive is an even worse idea: it only makes the target on their back bigger.

BYOD:

If the company allows BYOD, then ensure that some sort of MDM solution is in place that containerizes the session when an employee accesses PHI and/or any PII. An area to watch in the MDM space is developer mode: if it is left enabled on the device, it can render null and void the controls an MDM tool provides, so make sure it is disabled.

AV:

Do not only do “security” by checkboxes. Make sure all AV installations actually work, are up-to-date, and contain the correct configurations.

Change management and tracking are needed:

It does not matter how small or big the company is; change management is needed, even if it lives in an Excel spreadsheet. The smaller the firm is, the more it needs that record to figure out where to roll back to. For bigger companies, one would hope there is enough tracking, monitoring, and checks and balances in place that change management is effectively integrated and fully adopted.

CULTURAL PERSPECTIVE

Remove All Ego:

Time and time again, there are experts in the industry that think they know it all. But at the end of the day, you are going to have to work with others and play nice. So remove your ego, get that chip off your shoulder, and provide value to the project, organization and/or job duty.

Security Domains Are There for a Reason:

No matter how you label or name them, security domains are there for a reason; adhere to them. Respect and understand them as a baseline minimum. You might not have to like them, but they are there for a reason.

Be as Transparent as You Can Be:

Granted, there are just some areas of information security where you cannot disclose information. However, if everyone knows what everyone is doing and how they are doing it, then the business can move along a lot faster and smoother. In recent projects, I have seen staff members hoarding information in the belief that it would mean job security. That is the wrong approach. Allow your team and/or business to know the status of a project and/or the business; doing so will sow the seeds of trust and respect.

Small or Big, Know your Medical Regulations, Rules and Laws:

Know your line of business, and furthermore, know the law that your line of business is going to be held to. The law is the law, so know it and the regulations, rules and guidelines.

When adopting some of these recommendations, please take into consideration your business and your business needs.

via:  tripwire

New PoS Malware Ex-filtrates Credit Card Details via DNS Server

Researchers have identified a new strain of point-of-sale (PoS) malware that impersonates a LogMeIn service pack to steal credit card data via a DNS server.

According to security firm Forcepoint, the malware, dubbed “UDPoS,” is unusual in that it generates a large amount of UDP-based DNS traffic to exfiltrate magnetic stripe payment card details.

“Nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications; however, DNS is still often treated differently, providing a golden opportunity to leak data,” explained Forcepoint in a detailed blog post.
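The defensive counterpart of that observation, as an added example that is neither Forcepoint’s code nor any part of UDPoS: a Python heuristic run over a constructed log of (client, query name) pairs such as a resolver or DNS sensor would yield. The article does not describe how UDPoS encodes card data in its queries, so this flags the shape the technique leaves behind rather than a particular encoding: one client sending many long, high-entropy, never-repeated subdomains under a single domain. The client IPs, the hostnames and the exfil-example.test domain are all constructed.

```python
import math
from collections import defaultdict

# Constructed sample of (client_ip, queried_name) pairs. Client 10.0.0.5
# resolves ordinary hostnames; client 10.0.0.7 sends 32 hex characters per
# query, split into two labels, under one domain, which is how data tends to
# look when it leaves through DNS (the real UDPoS encoding is not known here).
_HEX = "0123456789abcdef"
SAMPLE_QUERIES = [("10.0.0.5", f"host{i}.example.com") for i in range(12)]
SAMPLE_QUERIES += [
    ("10.0.0.7", f"{_HEX[i:] + _HEX[:i]}.{_HEX[i:] + _HEX[:i]}.exfil-example.test")
    for i in range(12)
]


def shannon_entropy(text):
    """Bits per character; exactly 4.0 for a string that uses 16 symbols evenly."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Last two labels. A public-suffix list is needed for co.uk-style suffixes."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_encoded(qname, min_len=24, min_entropy=3.0):
    """True when the subdomain part is long and high-entropy, i.e. data, not a hostname."""
    labels = qname.rstrip(".").lower().split(".")
    payload = "".join(labels[:-2])
    return len(payload) >= min_len and shannon_entropy(payload) >= min_entropy


def detect_dns_exfil(queries, min_queries=10, min_encoded_ratio=0.8, min_unique_ratio=0.9):
    """Flag (client, base domain) pairs whose queries are mostly unique,
    encoded-looking names. Many distinct subdomains that are never reused is
    the signature of data leaving via DNS, whatever encoding the malware uses."""
    stats = defaultdict(lambda: {"total": 0, "encoded": 0, "names": set()})
    for client, qname in queries:
        s = stats[(client, base_domain(qname))]
        s["total"] += 1
        s["names"].add(qname.lower())
        if looks_encoded(qname):
            s["encoded"] += 1
    alerts = []
    for (client, domain), s in stats.items():
        if (s["total"] >= min_queries
                and s["encoded"] / s["total"] >= min_encoded_ratio
                and len(s["names"]) / s["total"] >= min_unique_ratio):
            alerts.append({"client": client, "domain": domain,
                           "queries": s["total"], "encoded": s["encoded"]})
    return sorted(alerts, key=lambda a: (a["client"], a["domain"]))


if __name__ == "__main__":
    for alert in detect_dns_exfil(SAMPLE_QUERIES):
        print(alert)
```

Tune the thresholds against a baseline of your own resolver logs before alerting on them: some antivirus reputation lookups and CDNs also produce long, encoded-looking names, so treat a hit as a lead to pivot on (which process on that host made the queries, and does the domain resolve to anything a PoS terminal should talk to) rather than a verdict. The point the quote above makes is the operational one: this only works if DNS traffic is logged at all, and on PoS segments it very often is not.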

Security researchers noted that, as of this writing, detection rates for the malware’s monitor component are still very low, adding that “visibility is always an issue with non-traditional malware.”

“Samples which do not target standard endpoints or servers can quite easily be missed because of the lack of focus on protecting these sorts of systems,” the researchers added.

Luke Somerville, head of special investigations at Forcepoint, told Dark Reading that the company has found no evidence showing UDPoS is currently being leveraged by cybercriminals.

Nonetheless, when Forcepoint analyzed the threat, one of the command and control servers communicating with the malware was active and responsive, which may suggest that the authors were at least prepared to deploy it in the wild.

LogMeIn issued an alert this week, warning users of the phishing scam:

This link, file or executable is not provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You will never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.

As always, users are advised to follow standard best practices to safeguard their accounts against phishing and social engineering, such as using two-factor authentication, setting strong passwords and remaining vigilant of suspicious activity.

via:  tripwire

Amazon said to launch delivery service to compete with UPS and FedEx

Amazon is gearing up to compete directly with UPS and FedEx, according to a new Wall Street Journal report. The so-called “Shipping with Amazon” program will be an end-to-end shipping solution, with pickups from businesses and shipments made to consumers, per the report.

The timeframe for rollout is soon, too: Amazon is said to be readying the service for its first launch in LA in the “coming weeks,” starting, not surprisingly, with companies that sell stuff via its website. After its initial launch in LA, Amazon will look to expand it out to other cities, possibly as soon as later this year, the WSJ says.

Of course it makes sense that Amazon would extend its service to third-party merchants working on its ecommerce platform, but the report goes further, saying Amazon would eventually like to offer shipping services to basically any other business, too – with the goal of undercutting both UPS and FedEx on rates.

This should not be surprising to anyone following Amazon’s moves on the logistics front – the retail giant has its own fleet of cargo jets, its own warehouses, its own last-mile contract couriers and can even act as an ocean shipping agent, just like both FedEx and UPS. It’s been reported for a while now that Amazon would eventually compete directly with its longstanding delivery partners.

Neither UPS nor FedEx seems especially taken aback by this, based on their non-comment comments in the WSJ report. For now, at least, Amazon will still have to rely on its shipping partners to make things work.

via:  techcrunch

New credit card skimmer worked in plain sight at Aldi stores

Police in Lower Pottsgrove, Pennsylvania have spotted a group of thieves placing fully camouflaged skimmers on top of card terminals in Aldi stores. The skimmers, which the gang placed in plain sight of surveillance cameras, look exactly like the original terminals but store the debit card numbers and PINs of unsuspecting shoppers.

“While Aldi payment terminals in the United States are capable of accepting more secure chip-based card transactions,” writes security researcher Brian Krebs. “The company has yet to enable chip payments (although it does accept mobile contactless payment methods such as Apple Pay and Google Pay). This is important because these overlay skimmers are designed to steal card data stored on the magnetic stripe when customers swipe their cards.”

Interestingly, commenters reported that many Aldi stores have terminals that support chipped EMV cards but would often tape over the slots and ask customers to swipe instead.

“The Aldi stores near me got chip readers early last year with Apple Pay and everything enabled. After ~5 months they taped over the card insertion slot and now require customers to swipe again,” wrote one commenter. “I asked one of the managers and he said corporate required them to switch back because ‘swipes are faster.’”

I love these stories primarily because point of sale terminals are widely unguarded and offer the best of security theatre – you think you’re safe because they look like the egg sacs of some armored beast but, with a quick addition of a skimmer, you create something that is deeply unsafe. That this skimmer ended up at a town of just 12,000 souls is particularly poignant.

via:  techcrunch