Monthly Archives: November 2015

Solving The Persistent Security Threats For The Internet Of Things

The rapid expansion of the Internet of Things (IoT) and the security issues created in its wake have quickly captured the attention of governmental and regional bodies and consumers.

According to a survey by Auth0, more than 50 percent of consumers and 90 percent of developers are skeptical about IoT security.

The security problem — and, just as important, the security risks that consumers perceive in internet-connected devices — represents a real threat to the hundreds of millions of dollars companies are pouring into connected devices of all stripes.

And with the technology still in its infancy, defining a finite framework for its security is a challenging task.

“The Internet of Things is a complex idea and organism, constantly evolving to both its own needs and the needs of consumers. As such, to provide hard and fast security rules would be similar to knowing the workings of a biological creature,” wrote Jen Martinson, editor-in-chief of Secure Thoughts.

Taking lessons from past experiences, the tech community is scrambling to plug the leaks before the situation spins out of control, and many startups and established companies in the tech industry are using this window of opportunity to mitigate the threats and decide the fate of this fast-growing phenomenon.

From solutions for connectivity threats to data protection and the quarantine of potentially compromised devices, startups and tech giants are developing solutions for the problem areas in IoT security.

Dealing with network connectivity threats

The always-connected nature of IoT devices makes them especially vulnerable to breaches from outside attackers or from compromised devices sharing the same network.

Surveys show that there’s a general negligence when it comes to securing communications protocols and many IoT devices are still suffering from the famous HeartBleed vulnerability — which could allow hackers to stage man-in-the-middle attacks and steal sensitive information such as passwords.

Since engineers who build IoT devices aren’t necessarily network security experts, it’s only natural that they leave security gaps behind.

Patrick Foxhoven, CTO of Emerging Technologies at ZScaler, explains, “More often than not, IoT devices are developed by companies with a different mindset – they think about user experience before security or compliance. These devices increase the attack surface of a network, and IT needs to put a plan in place to secure them.”

The results from the Auth0 survey indicate that many developers ship their products while feeling pressured to rush an application to the market. Under such circumstances, they normally overlook security concerns and stick to being feature complete on their products.

Therefore if there was some way to abstract and outsource IoT device connection into readymade packages, a lot of the security issues that are being faced by this fledgling technology could be overcome.

This is the idea behind GENBAND’s new product, Kandy Communications Platform-as-a-Service (CPaaS).

According to Paul Pluschkell, who runs the project, Kandy “provides multiple layers of security that are important to IoT applications.” As Pluschkell explains, Kandy uses a combination of secure protocols and encryption technologies, including HTTPS and Secure Real-Time Protocol (SRTP), to provide data privacy, end-to-end encryption, and advance authentication mechanisms in order to ensure device integrity.

GENBAND offers its Kandy platform through simple and flexible APIs and wrappers, which allows systems to communicate without compromising or accessing each other’s underlying data and structure.

On-device data protection

Physical and on-board security is something that is generally neglected in respect with IoT devices. This can become the source of serious security headaches given that a wide range of these devices are often left unguarded in the open and attackers can gain direct access to data stored on devices.

But sensitivity varies for different devices. “A lot of innovation and development comes down to context,” says Martinson “Weather data doesn’t need to be protected, but someone’s GPS coordinates should be.” And device data context changes over time. “When our toasters eventually adapt to take biometric readings for optimal toasting efficiency,” she says, “security measures will form to protect that information.”

The most obvious solution to on-device protection is the encryption of data, an approach that is being endorsed by more and more vendors, including Apple and Microsoft, which are implementing default disk encryption on their new mobile operating systems.

Smaller vendors are also grasping on the idea of on-device encryption and including it as an out-of-box feature of their products. Sports Performance Tracking, a manufacturer of GPS performance trackers for contact sports, employs heavy encryption on all data kept on its devices.

Other companies such as Finnish VPN company Tosibox are providing versatile encryption solutions that add an encrypted control layer to remote data access mechanisms in order to improve file access security on devices that are lacking such features.

Device isolation

Without isolation, IoT devices allow attackers to move laterally across a network after they gain an entry point. This way, hackers infiltrate one device and start probing the entire system until they find the real prize, e.g. a database or repository that contains sensitive customer or business data.

“If one ‘thing’ is attacked,” says Foxhoven, “it can bring down the network and compromise the business.”

This issue is being tackled by companies like Luma, a WiFi home router shipped earlier this month by a tech startup with the same name. Aside from being a normal WiFi router, Luma is equipped with an Intrusion Detection System (IDS) that monitors traffic in your home IoT networks and looks for signs of infection or communications with a command-and-control (C&C) server. This can help in identifying and isolating compromised devices before they become conduits to breach other devices.

Describing Luma, Paul Judge, who cofounded the company, says, “We look at outbound traffic and do vulnerability scanning of all devices on the network: is the connected fridge talking to your cameras? The [networked] doorknob to your new light bulbs?”

F-Secure is taking a different approach by introducing the Sense security monitor, a device that sits between the home router and connected devices and scans all incoming and outgoing traffic for abnormal behavioral patterns, malware and phishing attacks.

According to Samu Konttinen, the company’s executive vice president, both the device and its cloud infrastructure “are not hackable.” F-Secure hopes that with Sense, consumers will never have to buy another security solution again, a goal the company wishes to achieve with the backing of 27 years of experience in the security industry.

F-Secure has many other IoT security items on its agenda is an idea called “device reputation,” a system that is supposed to scan all devices within a network and give owners indication of where they are lacking in security.

What else needs to be done?

Great strides have been taken, but we’re still very far from saying that we have the IoT security dilemma under control.

For one thing, updating mechanisms on IoT devices have become a sort of Rubik’s cube problem. Too many IoT device vendors have intentionally forgone including a means to patch and update their firmware, fearing that doing so will open up security holes to be exploited by hackers.

Others that do bake updating interfaces and features into their devices fail in implementing a secure delivery mechanism, effectively leaving openings for hackers to install and execute arbitrary code on IoT devices. Combined with poor network security, this kind of vulnerability can lead to remote hijacking of connected devices.

Another complicated issue is the huge amount of data being collected by manufacturers and stored on cloud servers. These servers are very attractive targets for hackers, and failure to secure these repositories can lead to the theft of company secrets and consumer information.

Martinson suggests user-end encryption, a method that is fast becoming popular as big data storages are increasingly being attacked by large-scale hacks. This way, even if the data vault is breached, the user data will remain safe and unusable. “The best way to not worry about cloud security breaches,” Martinson says, “is to make a server breach irrelevant.” But since vendors are one of the main beneficiaries of cloud-stored data, and they use the data for ad and sales-improvement purposes, whether they will actually opt for such a procedure remains in a “cloud” of doubt.

What the future of IoT withholds

At the chaotic pace that it is growing, the IoT industry will surely reveal great many surprises in the future months and years. The combined efforts and determination of the tech community can help us to enjoy the good surprises and avoid the bad ones.

Via: techcrunch

Windows 10 Update Reset After Privacy Settings Glitch

Thanksgiving week, glitches in a recent update to Microsoft’s Windows 10 operating system probably have users wondering if the new OS isn’t a turkey. Microsoft said yesterday that it removed a previous update from the Internet earlier in the week because of a problem that reset some users’ privacy settings when installed.

That update had been released November 12. The company restored access to the update after pulling it because of the privacy bug. A problem with the update reset settings on some devices made it easier for advertisers to track users across various applications, and also made user data more vulnerable to other devices with wireless Bluetooth connections — even if they weren’t linked to the users’ PCs, tablets or smartphones.

Bad Default

Also this week, Microsoft pulled down the Media Creation Tool installer for its latest Windows 10 build (version 1511) in the face of user complaints. Users said that in some cases the latest version of Windows 10 actually uninstalls user-installed software without the user’s permission.

However, the Windows 10 media creation tool, which allows Windows users to download installation files for clean installations and upgrades, once again allows anyone to obtain build 10586, which contains a full installation package and includes the November update.

Normally in updates, Windows Setup is supposed to migrate user settings to the new installation. But in the November 12 update, the commands for four settings — let apps use my advertising ID; turn on SmartScreen Filter for Web content; let apps run in the background; and sync with devices — were for some reason omitted and reset to their default values.

Mystery Bug

“Recently we learned of an issue that could have impacted an extremely small number of people who had already installed Windows 10 and applied the November update,” Microsoft said in a statement. “Once these customers installed the November update, a few of their settings preferences may have inadvertently not been retained.”

For those users, Microsoft said it will restore their settings over the next few days, although it didn’t say how it would do that. The company added that this won’t affect future installs of the November update, which is available now.

The company didn’t say what triggered the bug in the first place. The November 12 update affected users with fresh versions of Windows 10. Users who upgraded from Windows 7 or 8 to Windows 10 were not affected by this update.

Users who had downloaded the update can update their settings, which should clear out the existing bugs and issues found in the defective update. The restored update now contains eight security updates and several other minor bug fixes from the previous update.

Via: enterprise-security-today

Security Experts Warn of ‘Highly Sophisticated’ ModPOS Malware

As the holiday shopping season swings into high gear, a cybersecurity firm is warning of a “highly sophisticated” malware framework that could pose a threat to U.S. retailers using point-of-sale (POS) systems. Called ModPOS (for “modular POS”), the malware has been seen in the wild as far back as 2012, and was observed actively targeting businesses throughout 2014.

The Texas-based cybersecurity firm iSight Partners released a detailed report on ModPOS and has already briefed “numerous” retailers about the potential threat. The company said its experts are also working with the Retail Cyber Intelligence Sharing Center to help member businesses watch for and defend against the malware platform.

ModPOS is not only difficult to detect, but can be configured to target multiple and specific parts of retailers’ POS systems. Based on some IP addresses observed as they reverse-engineered the platform, iSight researchers believe the malware might have ties to Eastern Europe.

‘Most Sophisticated’ POS Malware to Date

ModPOS was “the most sophisticated point-of-sale (POS) malware we have seen to date,” Stephen Ward, iSight’s senior director of marketing, said a blog post. “In a nutshell, this is not your daddy’s run-of-the-mill cybercrime malware.”

With its complex and sophisticated code base, ModPOS can slip undetected past many types of modern security systems, Ward said. Its modular nature also provides multiple attack routes, with keylogger, POS scraper and uploader/downloader modules that make it possible to target unique aspects of retailers’ POS systems.

ModPOS also features custom plugins and other specialized functions, Ward noted. “Given its sophistication, it has taken our malware analysis ninjas a substantial amount of time to reverse-engineer the software,” he said.

Even Smart-Card Systems Vulnerable

The ModPOS injected shellcode appears to be written in C and features a very large number of functions, according to an intelligence report prepared by iSight researchers. The services injection, for example, has nearly 600 functions, while the typical shellcode has just 0 to five.

One module of ModPOS has been seen capturing credit-card track data out of POS systems’ memories, indicating “possible targeting of any sector that uses POS systems, including retail, food services, hospitality and healthcare.”

Even retailers with more advanced POS systems using EMV smart card (also called chip-and-PIN) technology can be vulnerable to ModPOS, according to iSight. If the POS system isn’t configured to support end-to-end encryption and encrypted data in memory, ModPOS — as well as other malware that uses RAM scraping techniques — can still enable access to customers’ payment card data, Ward said. That data can then be reused for online purchases where the physical presence of a payment card isn’t needed.

In its most recent Data Breach Investigations Report, Verizon found that retailers across 61 different countries on average experienced more than 800 malware attacks a week in 2015. Attacks are also becoming increasingly sophisticated, with some 70 percent using a combination of techniques, according to the report.

Via: enterprise-security-today

Holy Smoke! New Raspberry Pi Zero Costs Just $5…

The Raspberry Pi Foundation has upped the ante when it comes to low cost single board computers, announcing a new addition to its family of microprocessors today, called Pi Zero. And it costs…  just $5. (£4 in the U.K.)

Or it should cost $5, albeit you may have to shop around the various Pi resellers to get it for that baseline price. And international buyers in certain regions may find they’re still paying a premium. But the Foundation’s intention is for the Pi Zero to retail for just five bucks.

“We really hope this is going to get those last few people in the door and involved in computer programming,” says Pi co-founder Eben Upton in a video (embedded below) announcing the Pi Zero.

So who is the Pi Zero for? Makers building connected devices and robotics projects are likely to be first in line in the queue here. Albeit, at $5 it’s pretty much an impulse purchase… (Indeed, the Pi Zero is being given away free on the cover of the Foundation’s MagPi magazine.)

“We believe it will be particularly useful for people looking to do robotics or IoT projects — very small and low power, but able to drive a display and keyboard when you want to do debug,” Upton tells TechCrunch.

The next cheapest Pi in the family is the Model A+ which costs $20. While this fall a Raspberry Pi rival/clone, called Orange Pi, also popped up, retailing for $15 so there’s no doubt that low cost computers are getting increasingly affordable.

Whether $5 is the floor for a single board computer remains to be seen — Upton suggests this is as low as things can go for the foreseeable future at least. And there’s no doubt $5 is an incredible price for a fully fledged computer which will run applications like Minecraft Pi and the Scratch visual programming language.

So what does a $5 Pi get you, hardware wise? A 1Ghz core chip — in fact the same chip that was used in the original Raspberry Pi but upclocked to run a bit faster — and 512MB of RAM, plus on the ports front: a micro-SD card slot, a mini-HDMI and two micro-USB ports.

The full specs run-down is as follows:

  • A Broadcom BCM2835 application processor
  • 1GHz ARM11 core (40% faster than Raspberry Pi 1)
  • 512MB of LPDDR2 SDRAM
  • A micro-SD card slot
  • A mini-HDMI socket for 1080p60 video output
  • Micro-USB sockets for data and power
  • An unpopulated 40-pin GPIO header
  • Identical pinout to Model A+/B+/2B
  • An unpopulated composite video header

What don’t you get? There’s no Ethernet or on-board Wi-Fi but clearly costs needed to be kept down somehow. And the micro-USB port can be used for plugging in a Wi-Fi dongle to get it connected.

Using smaller sockets, keeping the components on one side of the board and having a very small form factor (the board is just 65mm x 30mm x 5mm) are other ways the board designers have shaved costs. That and economies of scale — having manufactured millions of Pi over the past several years. Plus of course the Pi Foundation is a not-for-profit.

“A combination of economies of scale, continued reduction in component costs, and a fanatical attention to detail in the design (this is the first board designed by Mike Stimson, who joined us at the start of the year, and it’s a great start),” is how Upton explains the low price-tag on the Pi Zero.

“Every component on the board has been made to justify its existence,” he adds.

The Foundation recently merged with after school kids’ coding organization Code Club with a mission to get a Code Club set up in “every community in the world”. That goal sounded insanely ambitious when I spoke to them earlier this month. But now, with a $5 computer to support their educational mission, it seems rather more attainable.

Asked whether he sees the Pi Zero gaining traction in emerging markets, Upton notes it has a composite TV output, adding: “So there’s potential for someone in the developing world who’s just bought an old TV to upgrade it into a computer using a Zero.”

Check this video out:

via: techcrunch

Older Workers Seeking Options for Reducing Hours on the Job

Roberton Williams’ plan was to retire on his government pension and take a part-time job to make up the difference in salary. It didn’t quite work out that way.

Williams, 68, did retire but then started another full-time job with the Tax Policy Center, a Washington think tank.

“The plan was to work full time just until I got my feet wet,” Williams said. “But, I ended up working full time for the next nine years.”

He’s far from an aberration. Many aging baby boomers are caught between a desire to work less and a labor market that just isn’t ready to let them go.

According to the Bureau of Labor Statistics, 17.7 percent of people 65 and older are still working in some capacity, compared with 11.7 percent in 1995.

Of course, part of this increase could be due to a growing fear felt by many Americans about financial insecurity during retirement. Survey data has shown that fears about outliving one’s savings are factoring into retirement planning. That is even prompting 34 percent of workers age 60-plus to say they plan on working until they die, or are too sick to work, according to a recent Wells Fargo survey.

Some workers just want a gradual transition, whether for financial reasons or just to keep working jobs where they can still contribute and help train the next generation.

Slightly more than 40 percent of U.S. workers hope to cut back hours or transition to a less demanding position before retirement, according to a 2015 report from the Transamerica Center for Retirement Studies.

One option offered by a small number of employers is “phased retirement,” which allows retiring workers to go part time while also mentoring their incoming replacement, providing for a smoother transition. The Society for Human Resource Management puts the number at 8 percent.

In other cases, employers are eschewing formal arrangements in favor of short-term contracts.

“One thing we see is that employers are increasingly able to tap into a more flexible labor market, rather than going through formal HR structures,” says Jean Setzfand, AARP’s senior vice president of programs. “So having hard-and-fast rules for this can be difficult.”

For federal workers, Congress passed legislation in 2012 creating a phased-retirement program, and the Office of Personnel Management, or OPM, formalized the rules last year.

To date, OPM has only finalized 16 applications for phased retirement from workers at the Library of Congress, NASA, the Broadcasting Board of Governors and the Energy Department. It expects to soon receive 12 more from the Smithsonian Institution_that’s from a federal workforce where 45 percent of employees are aged 50 or over.

OPM has stressed that it is up to individual federal agencies to decide when and if they will offer a phased-retirement option to their employees.

Tancred Lidderdale, 62, is one of the initial 16 who chose phased retirement. He works for the Energy Department as an economic forecaster, applying highly complex mathematical models to oil and gas markets. He’s had an integral part in building these models over the past two decades.

“I know our agency would miss me,” Lidderdale said. “They knew I was thinking about retirement and mentioned this option as a way to help pass on what I know before I leave.”

Lidderdale will work part time for the next two years. But, after nearly three years of waiting, many other federal workers are wondering if the program will even arrive in time for them.

“We have people with over 35 years of experience waiting to retire here, and it’s a shame that many of them could walk out the door without the ability to pass that knowledge,” says David Maxwell, 64. Maxwell is an air quality specialist with the Bureau of Land Management. Maxwell says if the bureau does offer the program, he’d be interested.

In a statement BLM says the Interior Department recently issued guidance and “expects to complete a draft phased-retirement policy by the spring of 2016.”

One explanation for the ongoing delays is that agreements must first be struck between management and labor unions. Email and phone requests for comment to AFGE, the largest federal labor union, were not returned.

There are also just basic difficulties of scale. How do you offer the same option to all workers when not all jobs are created equal?

“A lot of these people who would qualify for phased retirement are senior staff and managers,” Jessica Klement, legislative director for the National Association of Retired Federal Employees, said. “How do you allow someone who is managing a department to take two days off per week?”

Klement says union members are calling asking when phased retirement will come to their agency. “I just don’t think there is a strong desire from federal agencies to do this,” she said.

In the private sector, some older workers looking to spend less time in the office are simply leaving one job for another.

Sally Korth, 65, has spent almost 40 years in the health care industry, first as an emergency room nurse and later as an executive overseeing the transition to electronic medical records for large corporate accounts.

“I was working 60-70 hours per week, and one Christmas I was spending some time with my kids and grandchildren, and I just thought, ‘What am I doing?'”

So, Korth took a new job, for significantly less pay, and recently scaled back her hours to four days per week. “That extra day off is huge,” she says.

As for Roberton Williams, he hopes to cut back to four days a week next year and then finally retire at 70, “whether I like it or not.”

Via: enterprise-security-today

Microsoft Unveils Operations Center To Fight Cyber Threats

CEO Satya Nadella revealed Microsoft’s plans to enhance enterprise security and help its customers have stronger protection for what he referred to as the “mobile-first, cloud-first world.”

Addressing the Microsoft Government Cloud Forum in Washington, D.C., Nadella said that Microsoft already invests $1 billion in security research and development each year, but despite that the company is creating a new Cyber Defense Operations Center. Nadella said that center will be a state-of-the-art facility that contains a staff of security response experts charged with detecting and responding to cyber threats in real time.

It’s all part of what Nadella called Microsoft’s new approach to security: being hyper-vigilant while addressing the cybersecurity problems it and other companies routinely face, including malware, phishing attacks and accidental data loss.

Eyes on the Cloud

The new center will work around the clock, and Microsoft said it will have direct access to thousands of security specialists across the company and elsewhere to monitor security threats. Nadella didn’t say when the center, which will run out of Microsoft headquarters in Redmond, Wash., wiil open.

Meanwhile, Bret Arsenault, Microsoft’s chief information security officer, took to the company’s blog to point out that while there will always be new threats, new attacks and new technologies, companies can take action now to address security concerns and improve their security.

“It is critical for companies to strengthen their core security hygiene (across things like monitoring, antivirus, patch and operating systems), adopt modern platforms and comprehensive identity, security and management solutions, and leverage features offered within cloud services,” Arsenault said.

Security Investment

Microsoft has hinted recently that it intends to invest heavily in cybersecurity. Last week, the company acquired Israel-based Secure Islands for $150 million, its third Israeli cybersecurity acquisition in 2015. Earlier this year, Nadella said that creating an intelligent cloud platform would be one of Microsoft’s key investment areas in the future. A significant part of that investment will presumably include more scrutiny given to security issues.

“We live in a world where the attacks can come from anywhere, the attackers themselves are much more sophisticated,” Nadella told the audience at the Microsoft Government Cloud Forum. He also said that Microsoft is developing a new approach to how it detects and responds to security threats, keeping an eye on areas including data centers, sensors and software-as-a-service applications.

During his keynote, Nadella talked about how innovations in Windows 10, Office 365, Microsoft Azure, and Microsoft Enterprise Mobility Suite work together with partner products to deliver an agile security platform.

For instance, to protect against password-related attacks, Windows 10’s Microsoft Passport and Windows Hello use strong biometrics and new virtualization technology to eliminate the need for passwords, while the operating system’s Credential Guard protects attacks in which hackers use one account to gain access to the credentials of another user. And Azure Active Directory simplifies password and identity management by federating identities across business and consumer services to make signing into multiple services more secure.

Via: enterprise-security-today

Ford’s Sync Connect App Lets You Start Your Car Remotely

Building on a connected-car technology it first introduced in 2007, Ford has launched an app that will let users remotely lock, unlock, start or locate their vehicles using their smartphones (pictured). The new Sync Connect feature will even allow car owners to, for example, schedule their vehicles to start up at 7:50 a.m. so the interiors are warm and comfortable when they get in to drive to work at 8 a.m.

Ford made the announcement during today’s kickoff of the LA Auto Show and Connected Car Expo. The company said it will first bring the new Sync Connect capabilities to the 2017 Ford Escape SUV.

This summer, Ford updated its connected-car technology with Sync 3, which appears in the 2016 Ford Escape and Fiesta. Sync systems are currently in more than 12 million Ford vehicles around the world.

Two-Step Authentication for Security

“The technology helps you seamlessly integrate your vehicle into your lifestyle,” said Don Butler, executive director of Ford Connected Vehicle and Services, in a statement. “Get locked out? Cold outside? Forget where you parked? No problem. Just use your smartphone.”

The Sync Connect app, which works through a modem built into the vehicle, also allows users to check on the status of some systems, such as tire pressure and fuel, and oil and battery levels. The app uses two-step authentication for security, and requires a user to confirm the system’s setup through a touchscreen in the car.

Other features enabled through Sync include voice activation for smartphones, conversational voice recognition, Siri Eyes-Free support for Apple iPhones and an on-board graphical interface. Ford also provides Sync-equipped vehicle owners with five years of free support for Sync services, including subscription-free emergency calling.

More Autonomous Car Technologies

Ford’s 2017 Escape SUV will also come with a variety of other new technologies, including a lane-keeping alert to warn drivers when their vehicles begin drifting into other traffic lanes, enhanced assistance for parallel or perpendicular parking and a system for monitoring driver alertness.

In addition, a built-in Auto Start-Stop feature in the new Escape will sense when a vehicle is sitting idle and automatically turn off the engine to conserve fuel. The system, which automatically restarts the engine when the driver releases the brake pedal, reduces fuel consumption by 4 percent to 6 percent, according to Ford.

This is the third year the Connected Car Expo has been held in conjunction with the LA Auto Show. The 2015 expo will feature more tha 40 exhibitors, including Volvo, which is showcasing its autonomous vehicle technology; Quanergy Systems, which is announcing the 2016 availability of a new, under-$1,000 solid-state light detection and ranging sensor for self-driving cars; and Hyundai, which plans to unveil an augmented-reality technology it will bring to some of its vehicles later this year.

During today’s kickoff, automotive supplier Faurecia also presented new research into how autonomous vehicles will affect people’s behavior. It noted, for example, that vehicle occupants who no longer need to concentrate on driving have a greater risk of developing motion sickness. The company said it is working to develop solutions to mitigate or avoid such risks.

Via: enterprise-security-today

When Outsiders Become Insiders: Compromised Credentials are a Significant Threat to Sensitive Database Content

Far more cybersecurity focus should be redirected inward if modern enterprises want to seriously address today’s most nefarious threats, according to the database security professionals at DB Networks. Specifically, enterprises need to understand the tremendous value of compromised credentials and that it’s the stealing of those credentials that is the goal of most initial cyber attacks. Once credentials are compromised, an extremely large attack surface is opened up. Security analysts concur that insider threats are on the rise and the time is now to focus on these risks.

“There’s a strong consensus within the cybersecurity industry that the insider threat is quickly becoming the most dangerous threat,” said Brett Helm, Chairman and CEO of DB Networks. “Credentials are the keys to the digital kingdom, as many firms who have ended up on the wrong side of a cyberattack can attest. Unfortunately, security practices are typically behind the curve in this regard. What’s needed now is a sea change shift in how enterprises think about the insider threat and compromised credentials specifically.”

Cybersecurity firm Mandiant has reported that 100% of its most recent incident responses have dealt with some form of insider threat. A Verizon study, meanwhile, revealed that 95% of security breaches involved harvesting credentials and then using those credentials to log into web applications to steal personal data. Even more troubling from the point of view of enterprises is that insider threats generally leave more damage in their wake, not to mention the tarnished public image when a company loses sensitive customer data to cyber thieves.

A common misconception about insider threats is they require a “rogue” employee or even simply a careless employee to download malware or click on a website that opens the network to outsiders. In fact, insider threats as a whole are far more complicated and varied, which makes planning for and responding to them a significant challenge. Outside attackers have numerous tools at their disposal to steal employee credentials. With those credentials in hand, the outsider essentially becomes an insider. While training programs must naturally be geared to making employees aware of such dangers, training alone can’t mitigate the vast majority of insider threats.

Preventing insider threats against data center assets begins with a database assessment — an organization cannot protect assets of which it is unaware. The next step is to develop a clear picture of normal network activity behavior such that suspicious behavior can be identified. Intelligent monitoring can immediately detect unusual activity indicative of compromised credentials so that the situation can be mitigated before valuable data is compromised.

“Organizations seeking cutting-edge security must begin to turn their attention away from simply guarding the perimeter fences,” concluded Helm. “At this point the most pernicious threats are already on the inside. Security staff must treat administrative credentials like the golden tickets they are, implementing systems that immediately identify compromised credentials.”

Via: enterprise-security-today

Google Search Now Surfaces App-Only Content, Streams Apps From The Cloud When Not Installed On Your Phone

Google is making a big change in terms of its ability to surface the content found in mobile applications through Google search: it’s no longer requiring that apps have matching web content in order to be indexed through Google’s search engine. In addition, when Google finds in-app content that points to a mobile app you don’t already have installed on your smartphone, it will offer you the option to “stream” the app instead.

That doesn’t mean it will point you to some functional mobile web version of the app – “streamed” apps are actually running on virtual machines on Google’s cloud platform, and respond to your taps and touches similar to how native applications do.

This new streaming option and the improved version of app indexing is rolling out now, but is only currently enabled for a handful of launch partners, including Hotel Tonight, Weather, Chimani, Gormey, My Horoscope, Visual Anatomy Free, Useful Knots, Daily Horoscope, and New York Subway.

The debut partners were chosen after expressing interest in testing out the new Google’s app-only indexing functionality when it was previously announced at Google’s developer conference, Google I/O.

Google has actually been indexing the content of mobile applications for two years now, as a move against the search giant’s potential obsolescence as the world of computing increasingly shifted off the desktop and to take place inside native applications running on consumers’ phones. Since its launch, Google has expanded its ability to surface “deep links” (links that point to pages inside an app) from beyond a small set of early adopters on Android and now indexes applications across both major mobile platforms, iOS and Android.

Thousands of apps have already been indexed – meaning their content can appear as a Google search result. Today, Google has 100 billion links within apps indexed, the company says. It also points users to apps they can install on their smartphones and tablets when it finds relevant content related to your search query inside mobile applications.

Why Indexing App-Only Content Matters

But one of the challenges with the way the app indexing process worked in the past is that it required a mobile app developer to have matching web content that mirrors what’s inside their app. That meant mobile app developers would have to have a full-fledged website as well.

“In the U.S., it’s more often the case that content is both on the web and in an app mainly because the U.S. market evolved from being a desktop Internet market and then migrated over to mobile,” explains Rajan Patel, the director leading the app indexing team inside Google. That means apps like Facebook, Twitter, Airbnb, and others already have reasonable mobile web experiences.

“But there are some apps – even in the U.S. – that have app-only content,” he adds.

For example, a national parks application called Chimani, one of the debut partners for the new initiative contains information not found on the web as does an app for the New York Subways system.

“We want users to be able to have access to this content, regardless of whether it’s available on the web or in an app,” says Patel.

To make this possible, developers only have to implement Google’s app indexing API, as before, which helps Google to understand what a page is about and how often it’s used. It has also scaled its ranking algorithm to incorporate app content. (Google had actually been ranking in-app content prior to this, but now it no longer requires apps to have related websites.)

Being able to find and surface content tucked and hidden away inside apps is of crucial importance to a company whose ad business relies on people turning its search engine to find information they need, and click into advertisements related to those queries. Without being able to index the “web of apps,” so to speak, Google’s prominence could fade and its ad business could flounder.

Streaming Apps From The Cloud

But at the same time as Google is figuring out how to find content inside of mobile applications, it’s also testing out a means to surface that content even when users don’t have apps installed – something that, if successful, could potentially be bad for app developers’ own businesses.

After all, if their app’s most valuable information is just a Google search away, what motive would a user have to actually install their app on their phone? Users would have to decide if they plan on using the app frequently enough that having the native counterpart would be an advantage. Or the app would have to offer something Google couldn’t provide, like offline access to content perhaps.

Above: App Streamed by Google (beta)

The ability to “stream” virtual versions of the mobile applications comes from technology Google secretly acquired in 2014, from a startup called Agawi. The company had been developing a means of streaming mobile apps over the web, which included playing mobile games within ad units.

Several former Agawi employees worked alongside Google’s app indexing team in rolling out the new app streaming feature, says Patel, which is the first time Google has launched a consumer-facing version of this streaming technology.

For end users, the way the streaming process works is fairly simple.

A user clicks on a blue link in Google’s search results, and if they don’t have the app installed they see an option to click a link to run the streamed version.

“The app loads in a virtual machine on Google’s cloud platform, and the client – the Google app that runs on your phone – sends up the touch interactions to the cloud machine. And that cloud machine executes those touch interactions, renders the app and sends the pixels back down to the client,” explains Patel.

Initially, users will have to be in the Google application on their phone for this to work, being running Android Lollipop or higher, and have a Wi-Fi connection, as app streaming requires a good internet connection. It’s only live in the U.S. for now, as well.

Google also describes the streaming option as more of an experiment for the time being, and is looking to see how users respond before committing to a worldwide rollout or an expansion to iOS. However, its plans for indexing in-app content without matching websites will continue to progress. Links that launch apps will be supported in any browser that supports deep linking technology, including Google Chrome.

Via: techcrunch

Google And ASUS Launch The $85 Chromebit, A Chrome OS Desktop On An HDMI Stick

Earlier this year, Google and ASUS announced the Chromebit — a full Chrome OS-based computer on an HDMI stick. The two companies are officially launching this new way of using Chrome OS on any screen with an HDMI port.

The $85 Chromebit is a 75 gram (or 2.6 ounces) stick that you can plug into any HDMI port — whether that’s a regular computer screen or that large TV in your living room. It comes with 16GB of onboard storage (in the form of relatively cheap and slow eMMC storage) and 2GB of RAM.

In many ways, it’s a larger, bulkier version of the old Chromecast stick. Just like that device, it comes with a dedicated charger, but unlike the Chromecast, it also features a USB port. The Rockchip-based Chromebit comes in “Cacao Black” and “Tangerine Orange,” but overall, it’s a pretty unassuming device that’s mostly meant to disappear behind your screen anyway (hence why I’m not sure why there is an orange version).

While most people will likely want to use a Bluetooth mouse and keyboard to connect to the Chromebit, the USB port allows you to plug in wired peripherals as well (and with a USB hub, you could even plug in multiple devices).

Because it’s a full Chrome OS machine, you can pretty much run any web app on it. It’ll let you play movies and TV shows from Google Play, Netflix or Hulu, just like any other Chrome OS device, for example.

You could probably use the Chromebit as a somewhat cumbersome media center in your living room if you wanted to, but it’s really at home in a school, enterprise, or maybe call center. As long as the work only involves web apps (or maybe a remote connection to a more fully-featured machine), the Chromebit is up for the job and can turn any screen into a usable desktop. It’s also an option if you want to turn any modern screen into a single-app kiosk in a hotel or store, for example.

Google provided me with a review unit, and in the short time I had to test the device, it performed quite well. Don’t expect blazing performance from the quad-core Rockchip SoC that powers the device, but it’s perfectly usable.

In the U.S., the Chromebit will be available at Amazon, Fry’s and Newegg (interestingly, Google’s usual Chrome OS partner Best Buy isn’t part of this initial list of vendors). It’ll also be available in Australia, Canada, Denmark, Finland, Japan, New Zealand, Norway, Spain, Sweden, Taiwan and the UK.

Google for Work and Education customers can also opt to add the new single-app kiosk mode option for $24 per user and year, available through CDW in the U.S. and Canada.

Via: techcrunch