Monthly Archives: September 2013

Should employees be punished for sloppy cyber security?

Assume that it’s time for Bob’s performance review.

Bob’s boss says he’s a great addition to the team. Easy to work with!

And the sales numbers? Hot mama, Bob’s smokin’! Mr. Bob surely has worked himself toward a big, fat raise!

Or not. Bob would have gotten a raise, that is, but he got fooled by a phishing email and unwittingly invited the bad guys in through the front door, torpedoing Widget Industries Ltd’s multimillion-dollar investment in security systems.

Fiction! But can you imagine if this were really the way employees were assessed? They answer a phishing scam email, they trigger a major security breach, and then they’re held accountable?

This is an approach that big companies might actually think of adopting, according to Dave Clemente, a research associate in the field of security who works at Chatham House, a London-based think tank on international affairs.

Speaking to Business Reporter, Clemente suggested that reprimands, at the very least, might help companies whose employees undo millions of dollars of security expenditures by doing something as simple as opening a bad email:

Even if it’s innocent, you can spend millions on firewalls and one of your employees can undo that by opening a dodgy email. … One idea would be to encourage employees to be more careful. You could have a system where, if you open two or three of them [phishing emails], you get a reprimand.

I think people would comply, particularly if your behavior regarding cyber security was linked to your annual assessment.

Of course, beyond the misdeeds of Bob and his ilk are the security disasters that companies manage to bring down a bit more systematically onto their own heads, particularly when jumping on the bandwagon for new trends and technologies without first figuring out the security implications, Clemente says:

For bigger companies, one problem is efficiency drives which push companies into insecure behavior, like moving into the cloud or doing BYOD [Bring Your Own Device] before you realize the security implications, because everyone else is doing it. It’s done as a reaction to what other people are doing and done without being integrated into the company’s technology strategy.

Moving data to the cloud can be particularly tempting to small firms with limited resources who struggle with the burden of dealing with cyberthreats, Clemente noted.

It’s not such a bad idea, given that cloud services can have a decent amount of security, he said, but the downside is that small businesses lose control over data stored in someone else’s hands.

If we move toward holding employees accountable for goofy clicking, should C-level types likewise be held accountable for security fiascos that erupt out of their jumping on technology bandwagons such as BYOD and cloud services?

Call me a liberal weenie, but I’d suggest that decent training might produce better effects than whipping employees.

It all reminds me of a July 2012 article by Immunity Inc. CEO Dave Aitel in which he discussed whether security training might be futile.

Aitel said at the time that in spite of a conscientious approach to security training, his clients still have, on average, a click-through rate for client-side attacks of at least 5 to 10 percent.

Even the training software his clients use has “glaring flaws,” he said, including SQL injection and cross-site scripting – the two most common vulnerabilities in OWASP’s Top 10 list of application security risks.

What’s the answer? Reprimands? Performance assessments that take people to task for security snafus?

I’d say no. I’d suggest that better training might be the way to go.

After all, there are scads of training success stories, many of them posted in reply to Aitel’s PCWorld article.

What do you think? Should we put scam-clicking employees in stocks and toss tuna sandwiches at them, or is there a better way to improve security?

Via: sophos

Apple blings up new iMac with latest Intel chips, next-gen Wi-Fi

Apple has unleashed an update of its all-in-one iMac line, which will now come with boosted Wi-Fi and a beefed-up Haswell processor.

The iMac is the technological equivalent of the onesie – all-in-one babygros beloved of Bieber and other nubile young boybadours.

It contains all the Apple goodness in one package, meaning fanbois can disappear into the iMatrix without having to plug a big ugly monitor into a bigger, uglier box.

The latest iMac comes with speedy 802.11ac Wi-Fi and new Intel Haswell processors, which are designed with power conservation in mind and have doubled the battery life of the latest model of the Macbook Air. They are unlikely to have the same effect on the new iMac because – wait for it – there’s no battery.

The newbie iMac prices range from £1,149 for the 21.5-incher with a quad-core, 2.7GHz i5 processor with Iris Pro graphics offering “unprecedented levels of integrated graphics performance”. Although this computer is badboy enough for most tasks, for an extra £150, Apple’s 21.5-incher will swap pout the integrated graphics for advanced Nvidia GeForce 700 graphics and a 2.9GHz i5.

The 27-inch model should make anyone used to a teeny-tiny 11-inch Macbook Air feel totally inadequate. The model – which will set you back a not-inconsiderable £1,599 – comes with a 3.2GHz quad-core Intel Core i5, NVIDIA GeForce GT 755M and 1GB video memory. For a hefty £1,749, Apple will give you a 27-incher with a 3.4GHz i5, GeForce GTX 775M and 2GB of video memory.

All of the iMacs come with 8GB of memory and a 1TB fusion drive, which combines hard disk with superfast flash for the best of both storage worlds.

“iMac continues to be the example that proves how beautiful, fast and fun a desktop computer can be,” said Philip Schiller, Apple’s senior vice president of Worldwide Marketing. “Inside its ultra-thin aluminum enclosure, the new iMac has the latest Intel processors, faster graphics, next generation 802.11ac Wi-Fi and faster PCIe flash storage.”

Via: theregister

Teen privacy “eviscerated” by planned Facebook changes

A coalition of US groups that advocate for teenagers is crying foul over proposed changes to Facebook policy that would rubber-stamp the use of teenagers’ names, images and personal information to endorse products in advertisements.

The coalition, which includes over 20 public health, media, youth, and consumer advocacy groups, sent a letter to the Federal Trade Commission (FTC) on 17 September asking that the government take a closer look at how the proposed changes will expose teenagers to the same “problematic data collection and sophisticated ad-targeted practices that adults currently face.”

The changes to Facebook’s Statement of Rights and Responsibilities will give the site permission to use, for commercial purposes, the name, profile picture, actions, and other information of all of its nearly 1.2 billion user base, including teens.

The group also objects to new language, directed at 13-17 year-old users, that says that if you’re a teenager, and you’re on the site, Facebook assumes it has consent from your parent or legal guardians to use your information.

The proposed language:

If you are under the age of eighteen (18), or under any other applicable age of majority, you represent that at least one of your parents or legal guardians has also agreed to the terms of this section (and the use of your name, profile picture, content, and information) on your behalf.

Joy Spencer, who runs the Center for Digital Democracy’s digital marketing and youth project, said parents, for one, should be worried about the proposed privacy policy changes:

These new changes should raise alarms among parents and any groups concerned about the welfare of teens using Facebook. By giving itself permission to use the name, profile picture and other content of teens as it sees fit for commercial purposes, Facebook will bring to bear the full weight of a very powerful marketing apparatus to teen social networks.

The coalition for teens is just the latest to join in the hue and cry over the proposed privacy policy changes.

On 4 September, the top six privacy organisations in the US – the Electronic Privacy Information Center, Center for Digital Democracy, Consumer Watchdog, Patient Privacy Rights, U.S. PIRG, and the Privacy Rights Clearinghouse – sent a joint letter to politicians and regulators asking that some of Facebook’s proposed changes be blocked.

Facebook had issued the proposed changes as part of an agreement that was made in settlement of a class-action lawsuit.

However, the changes would actually weaken the privacy policy’s wording, this earlier letter claims, and would violate a 2011 privacy settlement with the FTC.

Furthermore, the amended language regarding teens “eviscerates” limits on commercial exploitation of the images and names of young Facebook users, the letter states.

It reads:

The amended language involving teens – far from getting affirmative express consent from a responsible adult – attempts to “deem” that teenagers “represent” that a parent, who has been given no notice, have consented to give up teens’ private information. This is contrary to the Order and FTC’s recognition that teens are a sensitive group, owed extra privacy protections.

Facebook was supposed to update its policy two weeks ago but has delayed the decision following the six consumer watchdog groups’ petition of the FTC to block the changes.

In an emailed statement to the LA Times, Facebook said that it put on the brakes in order to get this thing right:

We want to get this right and are taking the time to review feedback, respond to any concerns, and clarify the explanations of our practices. We routinely discuss policy updates with the FTC and are confident that our policies are fully compliant with our agreement.

In my opinion, Facebook won’t get it right until it embraces the radical notion of opt-in as opposed to making users continually jump through hoops to opt out of having their personal information used in ever new ways.

As far as deemed consent goes, it’s ludicrous to presume that teens on Facebook are a) there with their parents’ blessing and b) that that presumed blessing somehow includes letting their child’s likeness be plastered onto every money-generating shill that Facebook advertisers can cook up.

The proposed changes predate last week’s truly awful incident, when a Facebook advertiser got hold of two images of a gang-rape and suicide victim and used them in dating ads.

That dating company has since gone offline, its Facebook account has been shuttered, and Facebook has apologized.

The proposed changes go beyond teens’ images, of course, to encompass all their personal data, including their posted activities. Do we really think that the online history of children should be fair game for Facebook, when even adults leave often breathtakingly embarrassing, not to mention career-threatening, trails?

As far as images in particular go, perhaps the case I mention is only tangentially related to the proposed privacy policy changes. Maybe it just comes to mind because it tastelessly featured images of a teen who met a horrific fate.

Maybe it comes to mind because the images of children, to my mind, should be considered too precious to play games with, or perhaps even to generate profits from.

Via: nakedsecurity

Six Windows 7 security vulnerabilities you don’t know about

Windows 7 is Microsoft’s most secure desktop operating system. But although it stands up well to common security checks, the new OS also comes with its own set of security issues. These weaknesses are both technical flaws and operational concerns.

Before migrating to Windows 7, consider these six security vulnerabilities that are often ignored or forgotten:

1. If you’re not running Windows 7 Ultimate or Enterprise editions, then you don’t have access to BitLocker drive-encryption . If this is the case, to protect your systems, you should purchase a drive-encryption product from a third-party vendor like CREDANT, Symantec or WinMagic.

2. You will hit many stumbling blocks if BitLocker is your enterprise drive encryption technology, including the need for manual deployment, lack of audit logging and more. Furthermore, make sure to consider all of your other systems — Windows XP, Mac OS, Linux, etc. — as they’ll need their own drive encryption.

3. Windows 7 systems that are not properly protected are as easy to break into as Windows systems from 10 years ago. “Hope” is not a good strategy when it comes to having computers lost or stolen.

4. If you’ve deployed DirectAccess — Windows 7 and Windows Server 2008 R2’s VPN alternative — then you have to tighten the user restrictions on locking screens. All it takes for someone to gain “direct access” into your network is a careless user leaving his system unattended for a brief moment in a public place. Once a thief walks off with a wide-open laptop, all he has to do is keep the keyboard/mouse active to prevent a screensaver from starting and locking him out. Everything else is fair game.

5. Newer isn’t necessarily better or more secure, and the decision to migrate to Windows 7 on this assumption alone will disappoint. More than 20 security updates have been installed to my Windows 7 system this year. While only a few of these threats are easily-exploited with free tools such as Metasploit, the risk remains.

6. Your desktop security standards documentation needs to be upgraded to incorporate the Windows 7 changes. The Center for Internet Security’s Microsoft Windows 7 Benchmarks are a good place to start. Just remember to do this before your next security assessment or audit.

Moving to Windows 7 won’t suddenly make your life as a network administrator any easier and it won’t suddenly reduce business risks. The security issues remain, and if anything, managing a more complex OS makes managing desktop security more complex.

Via: techtarget

FBI warns “Beta Bot” malware can kill your anti-virus programs, steal data

Beta Bot targets financial institutions, e-commerce sites, online payment platforms to steal data, financial information.

The FBI sent out a warning about an uptick in the use of malware known as Beta Bot that can steal sensitive data such as log-in credentials and financial information.

The FBI says Beta Bot blocks computer users’ access to security websites and disables anti-virus programs, leaving computers vulnerable to compromise. Cyber criminals aiming Beta Bot at financial institutions, e-commerce sites, online payment platforms, and social networking.

From the FBI: “Beta Bot infection vectors include an illegitimate but official looking Microsoft Windows message box named “User Account Control” that requests a user’s permission to allow the “Windows Command Processor” to modify the user’s computer settings. If the user complies with the request, the hackers are able to infiltrate data from the computer. Beta Bot is also spread via USB thumb drives or online via Skype, where it redirects the user to compromised websites.

Although Beta Box masquerades as the “User Account Control” message box, it is also able to perform modifications to a user’s computer. If the above pop-up message or a similar prompt appears on your computer and you did not request it or are not making modifications to your system’s configuration, do not authorize “Windows Command Processor” to make any changes.”

The FBI recommends running a full system scan with up-to-date anti-virus software on the infected computer. If Beta Bot blocks access to security sites, download the latest anti-virus updates or a whole new anti-virus program onto an uninfected computer, save it to a USB drive and load and run it on the infected computer. It is advisable to subsequently re-format the USB drive to remove any traces of the malware, the FBI stated.

RSA’s Limor Kessem, Cybercrime and Online Fraud Communications Specialist, wrote about Beta Bot in May saying:  “It appears that a much anticipated event has finally transpired in the cybercrime arena, with the release and active sale of a new commercially-available Trojan family that has begun around January this year, circulating under the name Beta Bot. RSA researchers have recently come across samples of this user-mode rootkit, analyzing its behind-the-scenes infrastructure. Beta Bot actually started out as an HTTP bot and not a banking Trojan, but it has since evolved, donned a trigger list, and was repurposed for financial fraud that includes targets such as banks, ecommerce and even Bitcoin wallets.

According to research performed by RSA it was inferred that Beta Bot (alias: Troj/Neurevt-A) is not the creation of an amateur. The malware is a persistent Ring-3 rootkit with layers of anti-security protection (such as not executing within virtual machines, thus avoiding sandboxes), AV-disabling features, and even a DNS redirecting scheme to isolate bots from security-themed online resources, including RSA’s official website.”

Via: networkworld

FAA will let you use electronic devices during airplane takeoff and landing soon

A panel is reportedly meeting this week to pass new regulations permitting limited use of electronic devices during air travel.

The Federal Aviation Administration (FAA) is convening this week to make sweeping changes to a long-debated ban on the use of electronic devices on airplanes during takeoff and landing, the New York Times reports.

An advisory panel is gathering this week, where they are expected to agree to permit the use of electronic devices to access content stored on electronic devices, such as e-books, music, podcasts, and videos, anonymous members of the panel told the Times. The ban on using Wi-Fi, email, messaging, and making phone calls will remain intact.

The FAA is expected to make the announcement at the end of this month, and will likely put the new rules into place next year, according to the Times.

The announcement would be welcome news to frequent flyers, who have endured a long game of cat and mouse with flight attendants who are oddly talented at spotting an active device. The FAA would join the ranks of many air travel systems in Europe and elsewhere, which have introduced technological solutions to allow in-flight use of electronic devices.

For more information on the history and justification behind the ban, feel free to browse this surpisingly long Wikipedia page titled “Mobile phones on aircraft.

Via: networkworld

5 reasons you can Skip the iPhone 5s

The release of a brand-new iPhone is an event that would make Thorstein Veblen roll in his gilded, flashy, conspicuous grave. The 5s is a very nice phone, but it contains no features that will immediately change your life, or make your work experience that much more efficient, or enhance your social status beyond that temporary, “Wow, so that’s what a gold one looks like; can I try the fingerprint sensor?” If you need a new phone, then by all means, the 5s is a wonder of engineering and design and you should get one. But it’s not worth spending more than a few hundred dollars on. Here’s why.

1. iOS 7 is half the wow. I know that the new operating system has gotten mixed reviews, but when you’ve mastered its learning curve, I think you’ll conclude, as I have, that the software’s flexibility is its biggest asset. In the past, most complaints about iOS interfaces have centered around their turgidity. A rooted Android phone is still more customizable, but iOS 7 is a lot more customizable than previous iOS versions, and it’s also probably as customizable as any user will need. The out-of-beta Siri really is better, too, and I actually find myself using it. The ad-blocking and tracking-awareness features are useful and comforting in an age of mass surveillance.

2. No effective battery improvement. I know Apple brags that the 5s has a longer battery life, but benchmark testing and use by the experts suggest that the features you are most likely to use if you get a new phone tend to cancel out the extra juice you’d get if the same battery were installed in an old phone. Battery life really is a reason to spend money on a phone, and I don’t think there’s enough of it in the 5s.

3. The 5c is a better buy. Forget about the “it’s plastic, so it’s cheaper” thing. Just buy a tougher case if it bothers you. Beyond that, the 5c is Apple’s Coke Zero/Diet Coke. It is pretty much EXACTLY the same as an iPhone 5, except it’s a little faster, a battery charge lasts a little longer, and the front camera has been improved. If cost is an issue, you’re not missing much.

4. You can play games faster and take better pictures with the 5s, but unless your job or life depend upon those two activities and you’ve been living under a rock for the past three years, you’ve already got a phone that does those things rather well. If you’re a nightlife selfie photographer, then you’ll probably get a kick out of the 5s’s photography enhancements, but why you’d switch from your Lumia 1020 is unclear. Also, if you’re a game-player primarily, you’re probably waiting for the next update to the iPad Mini series.

5. You can’t be a clutz with the 5s. It’s apparently more fragile than previous iPhones. The regular iPhone 5 is hardier than the Samsung Galaxy S4. It’s also a more survivable platform than its newer cousins.

Via: theweek

New iPhones less durable than iPhone 5 – tests show

As Apple Inc. pitches its newest smartphones, users may find something lacking compared with last year’s model: They could break more easily.

SquareTrade, a provider of protection plans for gadgets, tested five smartphones, including Apple’s new iPhones, to see if they could withstand drops, dunks and other common hazards. Its finding: The latest models aren’t as durable as last year’s iPhone 5.

SquareTrade says the biggest loser, however, was Samsung’s Galaxy S4, which failed to work after being submerged in water and being dropped 5 feet off the ground.

The phone that withstood SquareTrade’s torture test best was Google Inc.’s Moto X.

Apple started selling two new iPhones on Friday. The iPhone 5S sports a fingerprint sensor, a better camera and a faster processor. A less expensive version, the iPhone 5C, offers consumers a wider choice of colors and has a better front-facing camera than the iPhone 5.

With every upgrade Apple has made, the latest model has usually been more durable than the previous one, based on drop tests SquareTrade has done over the past few years, Shay said. But that wasn’t the case this time.

SquareTrade reviewed each device based on eight factors, including the materials of the device’s front and back panels, its size and its weight. It also tested the device’s ability to withstand drops from 5 feet and being dunked in water for 10 seconds. SquareTrade says it uses robots to do the testing to ensure consistency.

SquareTrade rates phones on a scale of 1 to 10, with a higher number reflecting a higher risk of the device breaking. All five phones tested were considered to have a medium risk of breakage, but where they fell on the scale differed.

The Galaxy S4 scored 7, the worst of the five tested. The S4 ended up not functioning, with its screen coming half off, according to a video released by SquareTrade.

The iPhone 5S, made of aluminum and glass, scored 5.5, while the 5C, with a plastic housing, had a 6 rating. Both were worse than the 5 rating scored by iPhone 5.

In particular, Shay noted that the iPhone 5C was more damaged when it was dropped than the iPhone 5. And the iPhone 5S also failed a slide test. It slid off of a table when it was pushed, unlike the other devices tested. By comparison, the iPhone 5C slid a little over 3 feet, while the iPhone 5 slid just over 2 feet.

The Moto X had a rating of 4.5, surviving the tests with only the slightest dent. Shay noted that the phone’s innovative rounded back molded to the shape of a user’s hand makes it easier for the consumer to grip.

Video of SquareTrade tests:

Via: whas11

Meet Human, A Beautiful Fitness Tracking App To Help You Effortlessly Stay Healthy

Human is a newcomer in the crowded fitness space, but its take is different. Instead of being a stat-heavy activity app like RunKeeper or a life tracker gadget like Withings, Fitbit or Jawbone, Human is a passive iOS app designed to help you stay healthy. The goal is to move for 30 minutes every day, and to keep up with this simple habit. The company calls it the ‘Daily 30′. As it is extremely simple, keeping up with Human is easier than with competitive fitness systems.

“The basic premise of the app is very simple. Human tracks all of your activity and we put the focus on how many minutes you moved today and how many minutes you need to move,” co-founder and CEO Renato Valdés Olmos told me in a phone interview. “Each day of the week that you reach your Daily 30, we send out a push notifications,” he continued.

The startup chose to develop a very simple app to appeal to a mass audience, with an emphasis on design. The UI looks great with an ever-changing background picture. Everything is animated, making you want to open the app every time you receive the Daily 30 notification. But the most interesting aspect of Human is the technology behind it.

Along with Moves, it is one of the first fitness app to use passive location tracking. You set it up once and forget about it. Then, it calculates your speed with your location and your activity with the accelerometer. But when you launch Human, it doesn’t show you a timeline of your activities.

The most interesting aspect of Human is the technology behind it

“Showing the user a chronological timeline of your daily activity is great for the first few days. But after a few days, the magic wears out,” Valdés Olmos said.

That’s why the app’s depth is hidden behind the big minute count. If you tap on it, you’re taken to the activity timeline. And if you tap on an activity, you will see a map, the duration, distance and average speed. You can share this on Twitter and Facebook as well. In other words, Human automatically tracks your activities like RunKeeper — but you don’t have to remember to launch the app.

Over time, the team plans to use all this personal data to improve your daily habits. For example, you can tell the app where your office, your home and your gym are. The service can then build up the basic pattern for user behaviors.

“The goal is to send a notification that says ‘get off the subway two stops early and you’ll be on time to work,'” Valdés Olmos said. When it comes to privacy, he was quick to reassure me. “We want to be a different type of company when it comes to data collection,” he said. Users can export and delete everything with a single tap.

The startup hasn’t closed its seed round yet, but multiple angels are already committed to invest hundreds of thousands of dollars in total. The app is available to iOS, but an Android version is coming soon. “We want to get as many people as possible to do the Daily 30,” Valdés Olmos said.


Via: techcrunch

Amazon Launches A Home Automation Store Featuring Smart Locks, Sensors, Thermostats & More

Amid a bevy of Amazon-related announcements surrounding Kindle – some intentional (the arrival of Kindle MatchBook), some not (news of an updated Kindle Paperwhite leaked a bit early) – Amazon has also quietly launched a new storefront focused on Home Automation products, including things like programmable thermostats, smart locks, sensors, video monitors, and more.

The new website aims to centralize the now numerous options involving smart home hardware and services under one roof, organizing products into broad, high-level categories, like “Energy Management,” “Entertainment,” and “Monitoring,” which you can then further drill down into via sub-categories like “Lightbulbs” or “security cameras,” “televisions” or “alarms,” and so on.

Additionally, Amazon’s Home Automation store is set up to be newbie-friendly with introductory guides to a variety of product categories like door locks, thermostats, and controllers, for example. There’s even a special section of the storefront that breaks out the “new and innovative” products from companies like Kwikset, Wimoto, SmartThings, and others.

In a rotating banner on the site’s homepage, Kevo, Nexia and Dropcam products are currently given special attention.

The automated house and digitally-controllable objects have long been a part of various “home of the future” visions, but is has only been more recently that we’ve begun to see a surge of devices with more mainstream appeal. Earlier home automation products meant complicated setups and larger investments on the part of consumers, but new products have shown that doesn’t always have to be the case. Plus, these devices themselves can add value to the home – not only financial in terms of saving money through smart management of electricity, for instance, but also in the look-and-feel of the home itself.

For example, the Nest thermostat showed that home automation hardware can include good design and aesthetic appeal. And Lockitron’s door locks are sleek and modern. Meanwhile things like Dropcam’s video monitoring solution for the home demonstrated that home automation didn’t have to involve a huge setup cost or complexity.

The ubiquity of cheaper broadband access, mini computers in the form of smartphones to control our devices, and lowered development and materials costs through crowd-funding and even more receptive VC audiences, have combined to help push the home automation movement forward as of late.

Today, tons of internet-of-things companies are finding support via crowd-funding like Piper, CanaryUbe, Beddit, Keen HomeAlmond+, or KISI to name a few TechCrunch has covered. And how many smart locks are out there now? A lot. (See, e.g., Lockitron, Poly-ControlAugust, Goji, Schlage, or Kevo, to name just a few.) Even the big guys like Microsoft, Google and AT&T have been trying their hand in this market, to varying results. Now, Amazon wants in on that action, too, it seems.

You can check out the new Home Automation Store here on

Via: techcrunch