Monthly Archives: December 2015


“Prediction is very difficult,” the Nobel Prize-winning physicist Niels Bohr once said, “especially about the future.”

Security depends on the ability to make reliable predictions using what we know about the past to model the future.

There are some predictions that you can make pretty reliably. People are going to get drunk on New Year’s Eve. There will probably be a line for Star Wars. Your next phone will be faster than your last one.

And based on the past, there’s one prediction for 2016 that our Chief Research Officer Mikko Hyppönen feels confident enough to make with 100 percent confidence.

“The Olympics in Rio will be targeted,” he told us. “This is not a possibility; it’s a certainty. It’s going to happen.”

How does he know this for sure?

“Network systems of all Olympic Games have been targeted since the 1994 Winter Olympics in Lillehammer.”

What will the attacks look like? That’s where the uncertainty comes in.

“Some of the attackers will be interested in just disrupting the games with DDoS and defacements and so,” he said. “Some of them want to make money with fake ticket shops and credit card phishing.”

The advice our Sean Sullivan gave in 2012 as the London Olympics were approaching still holds: “…be wary of Olympic (and any other current event) themed e-mails.”

Could there be a larger attack on actual infrastructure given that we know that’s a goal of groups like ISIS?

“Islamic State is the first extremist group with a credible cyber offensive capability,” Mikko said. “None of the terrorist groups before have had such specialists in their ranks. Nevertheless, they aren’t yet at the level to do cyber terror attacks. They mostly use the net to organize themselves: to communicate, to spread propaganda and to recruit.”

While they’d like to take down power grids, so far the exploits have been mostly limited to stealing Twitter passwords.

Via: f-secure

12 Days of HaXmas: Rapid7 Gives to You… Free Professional Media Training (Pear Tree Not Included)

Posted by jenellis in Information Security on Dec 25, 2015 9:03:41 AM

From our friends at Rapid 7.

Ho ho ho, Merry HaXmas! For those of you new to this series, every year we mark the 12 days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year we’re kicking the series off with something not altogether hackery, but it’s a gift, see, so very appropriate for the season.

For the past couple of years, I’ve provided free media training at various security conferences, often as part of an I Am The Cavalry track, and often with the assistance of a reporter. Big thank yous and lots of adoration for SantaJen’s helpers: Steve Ragan – my most frequent partner in crime – Paul Roberts, and Jim Finkle. In the spirit of giving that is synonymous with HaXmas, the purpose of this blog is to make that training freely available to anyone that’s interested.

Why are we doing this?

It’s pretty simple really: I believe security professionals have important information to share, which can help individuals and organizations understand how they are at risk, and what they need to do to protect themselves. You could say that’s a gift, and I reckon it’s pretty valuable.

The media can be a fantastic way of disseminating information broadly, and the good thing is that a lot of publications have dedicated security reporters these days. Unfortunately that doesn’t mean it’s all smooth sailing.

The challenge comes in the details. Security pros are typically dealing with a pretty complex and nuanced subject matter. Media is driven by attention-grabbing headlines and a need to feed the attention-spans and limited knowledge of readers. As a reporter, you have to cater to people with a range of familiarity, understanding, and interest in the subject matter, even if you write for a specialist security title. There can be a vast distance between the deep technical knowledge of a security pro, and the will-my-editor-like-it need of reporters, and that provides much opportunity for misunderstanding, misreporting, or oversharing.

NB: One thing I want to flag here is that my media training isn’t about an adversarial relationship between spokesperson and reporter; it’s about optimizing the engagement for a better result all the way around. We don’t train people on this because we believe reporters are evilly conspiring against us. In fact, part of the reason I try to train with a reporter is to help build a greater understanding of their world, including their motivations, pressures and challenges. The training does talk about how to navigate certain reporter “techniques,” but often these actions arise unintentionally, or for valid reasons (e.g. a reporter going quiet on a call to catch up with their notes). You won’t always encounter these techniques anyway, but if you do (and regardless of why they are used), you are better off knowing how to handle them.

So in a nutshell, the media training I deliver is designed to help security pros share the information they have in as impactful, non-FUDy, and helpful way as possible. My goal is that we’ll get better at making security relevant beyond our echo chamber, and in turn we’ll help people understand it and protect themselves.

Oh, and it probably doesn’t hurt that getting good at briefing press helps our industry, and helps you as an individual build your career.

So what am I actually giving you?

Having received several requests for my slides, I created a deck designed for people to “self-teach,” which you can download here. And yes, people have been known to pay me to media train their spokespeople, so this is free professional training, as promised in the title.

The presentation is licensed for use under the Creative Commons BY 4.0 license, so you can feel free to share it. If you end up using it to build an amazing career as a media trainer, I’d appreciate a cut of your newfound riches.

[If you feel that this is not hackery enough to be considered an appropriate gift for HaXmas, you can think of it as me teaching you how to “hack the media for fame and profit,” which is the title I sometimes present under at cons.]

Via: rapid7

The Freelancer Generation: Why Startups And Enterprises Need To Pay Attention

Gone are the days of the 40-hour work week that kept us at work eight hours a day (I find that most startup founders or business owners in Silicon Valley work 50-60 hours a week).

Freelancing is becoming the accepted norm of the startup world. As more startups are starting to use the millions of freelancers, it’s driving more and more people to join the freelancer generation.

Regardless if you’re a startup or enterprise, it’s in your best interest to pay attention to the freelance movement if you want to succeed in this new economy.

The Freelancer Generation Is Booming

Recent research states there are more than 53 million (almost 54 million) freelancers in the U.S.; it’s quickly becoming one of the largest workforces. Indeed, more than one-third of all U.S. workers have partaken in freelance work in the past year. Compared to the previous year, that’s more than 700,000 new freelancers.

It’s also predicted that by 2020, contingent work (freelancing jobs) will become the dominant form of labor, making up to 50 percent of the labor force. Another interesting stat is that 43 percent of freelancers are Millennials. That’s important to know, because 1 in 3 American workers today are Millennials.

This is in part due to: advances in technology that allow increased remote work; an increasing digital economy; a growing part-time workforce; and labor force gains and losses.

Furthermore, people have realized they can thrive financially as freelancers, enjoy the flexible schedules that can create a favorable work-life balance and easily promote their services to potential clients.

Business owners soon may not have many other options when looking for top talent, as a majority of the workforce will be freelancers in the very near future. This is factoring in all the freelancers who have a full-time job and are working on the side (this is how I found my last technical business partner, which worked out well for us both).

Freelancers Are Politically Active

Freelancers are typically satisfied with their decision to leave behind the 40-hour work week. However, that doesn’t mean they don’t still face challenges that many traditional workers may take for granted.

For example, freelancers don’t have access to traditional programs like 401ks. They also must pay out-of-pocket for insurance and deal with high taxes for being self-employed. Because of this, freelancers are urging politicians to make a change — primarily income and insurance stability. Why wouldn’t they, if they are becoming such a large percentage of the American workforce?

It would be one thing for freelancers to demand a change and do nothing about it. The fact is, however, that freelancers are voicing their concerns to politicians. Of the almost 54 million freelancers in the country, an astounding 86 percent have claimed that they’re going to vote in the 2016 general election.

To put that into perspective, that figure is higher than the amount of voters who helped Ronald Reagan and Bill Clinton sweep their presidential elections. Additionally, 62 percent of freelancers would vote for a candidate who supports the interests of freelancers.

Whether it’s through changes in government regulations or staying competitive, businesses of all sizes need to be aware of the concerns facing freelancers and provide programs that address these challenges. It’s an important issue for most freelancers, and they’re actively making sure that these changes are implemented.

Freelancers Bring A Lot To The Table

For business owners like myself, especially startups, freelancers offer a wide range of benefits that most full-time employees don’t. For starters, freelancers understand the everyday tasks and challenges that business owners face. They’re at least somewhat familiar with everything from bookkeeping, billing, branding, marketing and engaging an audience on social media. Because freelancers are their own bosses, they’re completely aware of these tasks and how important they are for the success of a business.

Unlike a recent graduate who probably has never had to be concerned with paying taxes, sending invoices or building and maintaining a brand, it is almost a guarantee that freelancers already have this type of experience.

A freelancer may be able to assist you in these areas as you’re launching your business. Even if you’re established, at least they are cognizant and respectful of these duties. For example, they won’t harm your brand by going on a social media tangent that offends your customers.

Another perk of hiring freelancers is that they are experts in their respective fields. They have years of experience, a portfolio and referrals to back up their work. Even if they are young (which many are), they still are the best at what they do. Instead of just looking at a resume, you can dissect real-world examples of their work prior to bringing them on board.

Whether it’s a copywriter, graphic designer, CPA, customer service rep or social media strategist, freelancers are seasoned pros within their niche and are ready to dive into the projects that you assign them. Best of all? You can search for the best talent from anywhere in the world, thanks to technology that allows freelancers to work remotely.

Finally, freelancers can help reduce costs. No matter the size of your business, the bottom line is always a concern. Freelancers can be a more affordable option than hiring a full-time employee. Remember, most freelancers work from home; you don’t have to train them; they’ll generally accept projects cheaper than salaried employees; and you don’t have to worry about taxes or retirement plans.

I’ve been able to successfully launch and grow my personal business with freelancers. I also like using freelancers because you pay for metrics that are measured. You want a blog post written for your company? You pay for the job or amount of words. If you need a programming job done (as I have in the past), you can get a quote based on the project and know you’re not going to spend more. It helps me get the best person in the world for that job and only pay for what I need, without committing full-time resources to it.

Via: techcrunch

Valve Still Hasn’t Told Steam Users About The Christmas Fiasco

Several days after Steam’s Christmas fiasco, we still don’t know exactly what happened. We don’t know how many people were affected, how much personal information leaked, or if some friendly Team Fortress players saw our addresses and plan to stop by our homes for an impromptu New Year’s celebration.

We don’t know any of this because Valve, carrying on a grand tradition of opacity, has refused to go into specifics about the fiasco last week, when Steam users across the country logged into the digital store to find that they’d somehow accessed other people’s accounts. It was a creepy, unsettling event for many PC gamers, and although there have been few reports of unauthorized purchases, Steam did expose enough personal information to fuel all sorts of social engineering. For nearly an hour, anyone with a Steam account could see random users’ e-mail addresses, phone numbers, and buying histories as well as the last four digits of their credit card numbers, which would be more than enough to steal someone’s Netflix account.

Yet other than a short statement sent to Kotaku and other press outlets last week—“This issue has since been resolved”—Valve hasn’t said a thing. They haven’t commented on how many people were affected. They haven’t contacted the Steam users whose information was exposed. Most alarmingly, they haven’t informed their 125+ million users—some of whom, sadly, do not read Kotaku—that this happened at all.

This is standard practice for Valve, of course. Their customer support has been horrendous for a long time, and their modus operandi has always been to say as little as possible, no matter how much faith they lose. And oh, they’ve lost faith. On the front page of r/steam right now, for example: “We shouldn’t be okay with the fact that Valve still haven’t apologized for the cache server fiasco.”

For the past few days, several people have contacted Kotaku about what happened to Steam. Some were worried that they’d been exposed and didn’t know about it; others suspected that the false charges on their PayPal accounts were a result of this disaster. There’s been no evidence linking the Steam Winter Fail to unauthorized payments, but even if there was, would anyone know about it?

One Steam user, who asked not to be identified in this story, found out on Christmas that other people had accessed his account. People had seen his name, his address, his phone number, his buying history. And when he contacted Steam support, they didn’t have a single useful thing to say.

Read the full ticket:


It’s infuriating, frankly. Infuriating that some Steam users won’t know this happened; infuriating that others might never know whether or not they were exposed; infuriating that Valve’s customer service is still so useless and uninformative.

Most of all, it’s infuriating that Valve thinks this is okay, that they can just fire off a press statement and let the crisis blow over without even telling customers that the last four digits of their credit cards may have been inadvertently shown to the world. How can such a smart company, one that’s made such stellar, polished games and dominated the PC gaming landscape for nearly a decade now, be so stupid?

Via: kotaku

Big Brother management

Farewell performance reviews, hello data systems.

In 2016 the job of management will be taken away from managers. For the salt-of-the-earth middle manager, it will be the most painful year on record. The manager’s three main functions—checking up on people, chivvying them and judging how they are doing—will either be deemed no longer necessary or will be given to machines to do instead. It will be the year in which the organization, which has professed itself to be flat every year since the mid-1980s, actually becomes so.

The new shedding of managers is going to be a departure from the steady delayering that has taken place over the past 30 years. That has been driven by cost, by technology and by a professed distaste for hierarchy.

This time delayering is not going to be about money—and yet it is going to be far more brutal than anything that has gone before. The manager’s rationale will be judged and in the main found wanting: it will be dismissed as slow, bureaucratic and fallible.

The most visible sign of the new world will be the end of the annual career appraisal. In 2016 office employees will no longer have to submit themselves to the cumbersome process in which they set a dozen meaningless goals and were rated on obscure things like “displays pro-active inclusivity”. No longer will anyone have to endure annual discussions of how they are doing—with the inevitable demotivation and disillusionment that follows. The whole bureaucratic, backward-looking charade will be over.

The end started half way through 2015 when Deloitte and then Accenture announced that they were getting rid of their performance review. Deloitte let slip that it spent an unconscionable 2m hours a year to produce yearly reports for its 65,000 people—making it among the biggest corporate wastes of time ever invented. In 2016 the vast bulk of other companies will follow and scrap their own equally hated systems.

The demise of the performance review is part of a bigger aversion to the old style of managerial bureaucracy. Existing systems will be replaced by new ones built on more fashionable qualities: speed and transparency. Companies will stop fussing about inputs (how people do things) and focus only on outputs (what they produce). They will be obsessed with data, losing all interest in anything that can’t be measured. Every employee will be monitored every second; every keystroke and click will be tracked and analyzed. Some companies will go further and get white-collar workers to wear sensors that track all movements and measure their tone of voice and the number of steps they take. Whatever they get up to, they will be watched by Big Brother.

Not only will there be little room left for the line manager, human resources (HR) will have less to do. HR has justified its existence by dreaming up increasingly tiresome initiatives for managers to implement. In the new world there will be a few HR gurus who understand how to gather and manipulate data; the rest will no longer be needed.

In some ways the future will be brighter. Less time will be wasted. It is possible that offices will become less political. There will be no point in sucking up to X just because you know that he is going to be appraising you.

Other things will be better too. With fewer managers there will be less need for pointless management training. In 2016 we will no longer be forced to go to country-house hotels to ask ourselves if we were an animal, which one would it be? The soft side of management—the emotional intelligence that all managers have spent the past decade telling everyone they possess—is going to be out of fashion. Empathy can’t be easily measured, so we are going to hear less about it.

Mentors v machines

In this brasher new world much will be lost. In time we will start to miss fallible managers. While it is true that they dither, cover their backs, show favoritism and are subject to the full range of human weaknesses, at best their very humanity can serve a purpose. A manager can comfort and protect, provide structure and protect the weak. With this comfort layer removed, those who are deemed not to be performing will be cast out with no one to stick up for them.

More alarmingly, without the line manager there will be no one to teach young hires how to behave, no one whose behavior novices can copy. Instead they will have to make it up as they go along.

Worst of all there is no sign that Big Brother will make better judgments about human employees than its human predecessors. Humans did an indifferent job, but at least when individual managers did an egregiously bad one they usually got fired. Firing systems will be a lot harder.

Via: theworldin

Comcast now offering 1Gbps speeds across DOCSIS 3.1

Comcast has connected the first commercial DOCSIS 3.1 service to a customer in Philadelphia, providing speeds of up to 1Gbps.

Making good on its promise in January to offer 1Gbps speeds across its hybrid fibre-coaxial (HFC) network in 2015, Comcast has announced that it has installed the world’s first commercial Data Over Cable Service Interface Specification (DOCSIS) 3.1 modem for a customer in Philadelphia.

DOCSIS 3.1 supersedes the current DOCSIS 3.0 technology, allowing far faster speeds by freeing up around 50 percent capacity on the cable through more efficient transmission of data over the available spectrum.

“At a home in the Philadelphia area, we took the next important step forward in delivering gigabit-speed broadband over our hybrid fiber-coaxial network,” Comcast executive vice president and CTO Tony Werner said in a blog post.

“The test used the standard cable connections that we have in homes across the country. All we needed was a new modem, a software upgrade to the device that serves that neighborhood, and a few good engineers.”

Comcast added that it will continue undertaking real-world tests of the technology by activating several more “test homes” in Pennsylvania, Northern California, and Atlanta, Georgia, over the next few months. It will begin delivering DOCSIS 3.1 services offering 1Gbps speeds to customers across the United States before the end of 2016.

“The beauty of DOCSIS 3.1 is that it is backwards compatible, so no digging up streets or backyards,” Werner added.

“This technology, when combined with the extensive upgrades we have already completed on our advanced hybrid fiber-coaxial network, will provide more gigabit choices for our customers.”

A Q&A on DOCSIS 3.1, published nine months ago on the website of Malcolm Turnbull, then Australian Communications Minister and now Prime Minister, said the technology would be coming to the National Broadband Network (NBN) HFC network by 2017.

“We plan to run DOCSIS 3.1 trials in 2016 and we plan to have DOCSIS 3.1 services commercially available in 2017,” Turnbull wrote.

“Bringing DOCSIS 3.1 on board is the cherry on the cake that will give us even more capacity and really make sure that there is plenty of bandwidth for everyone on the network to have a great experience.”

The wide-scale rollout of NBN HFC was approved by the Australian Competition and Consumer Commission (ACCC) in June, with a revised AU$11 billion deal allowing NBN to take ownership of Telstra’s HFC and copper assets and Optus’ HFC network.

The new deal came about as a result of NBN moving away from Labor’s full fibre-to-the-premises (FttP) rollout following the Coalition’s election at the end of 2013 to the present so-called multi-technology mix (MTM), which proposes to cover 20 percent of the population with FttP; 38 percent with fibre-to-the-node (FttN) and fibre-to-the-basement (FttB); 34 percent with HFC; 5 percent with fixed wireless; and 3 percent with satellite services.

On Monday, Telstra and NBN announced they had entered a memorandum of understanding for a “significant contract” to manage the design, engineering, procuring, and construction of NBN’s HFC network, which will include Telstra updating HFC to DOCSIS 3.1 technology in order to deliver end users speeds of up to 1Gbps.

Telstra is also set to prepare exchange locations and planning and design prior to and during the contract’s negotiation. Telstra has already been continually building out its HFC network despite its impending transfer of ownership to NBN.

Last month, however, a leaked draft from NBN revealed that Optus’ HFC network is “not fully fit for purpose”, with 470,000 premises in the footprint needing to be overbuilt by either Telstra HFC or fibre services.

The leaked document, called HFC Plan B: Overbuilding Optus, dated November 2015, states that the necessary work of overbuilding Optus’ HFC network with FttN, FttB, or fibre to the distribution point (FttdP) will lead to a peak funding increase of between AU$150 million and AU$375 million, with NBN to miss its FY17 ready-for-service target by 300,000 premises, and its FY18 target by 333,000.

“Overbuilding the Optus HFC network with either Telstra HFC or FttX could deliver higher probability of success given the current state of the network [and] significant operational simplicity,” the document says.

“Optus network is not fully fit for purpose. Optus nodes are oversubscribed compared with Telstra, and will require node splits. Existing Optus CMTS don’t have sufficient capacity to support NBN services. Noise (ingress) [is] causing interference and degrading end users speeds.”

HFC will connect 4 million Australian premises in total, with 3.6 million of these coming from the old Telstra HFC network. The network will also be extended and infilled, with the Optus network likely to be infilled and overbuilt in the remaining 400,000 premises.

NBN is currently conducting a 4,500-premises HFC trial in Redcliffe, Queensland, and said it has not found any “unexpected” technical issues with the Optus network.

The HFC network will be launched by June 2016, and completed along with the rest of the NBN by 2020.

Via: zdnet

Hyatt Hotels Investigates Malware Found on Payment Processing Systems

Hyatt Hotels has launched an investigation after discovering malicious activity on its payment processing systems.

Stephanie Sheppard, a spokeswoman for Hyatt, announced the investigation in an email to Hyatt guests on Wednesday:

“Hyatt Hotels Corporation (NYSE: H) today announced that it recently identified malware on computers that operate the payment processing systems for Hyatt-managed locations,” the email begins.

The attack against the company, which owns 627 properties in 52 countries, was originally discovered on November 30th.

No information is provided in the email on whether the persons behind the attack succeeded in stealing payment card details, how long Hyatt believes its payment processing systems were infected with malware, how many of its locations were affected, how many customers might have had their information compromised, or what types of other data might have been exposed.

The message sent out by Sheppard instead sheds some light on what Hyatt is doing to keep customers safe and provides some guidelines on what previous guests of the hotel chain can do to protect themselves against fraud.

According to the email, Hyatt launched an investigation and “engaged leading third-party cyber security experts” as soon as the malicious activity was discovered. It has also taken steps to bolster the security of its payment processing systems, so that “customers can feel confident using payment cards at Hyatt hotels worldwide.”

All updates regarding the investigation, which is currently ongoing, will be posted publicly; Hyatt’s guests should check frequently for new developments.

In the meantime, the hotel chain recommends that all customers review their payment card statements and report any unauthorized activity to the card issuers.

Hyatt joins a number of other hotel chains, including Starwood Hotels and Resorts, Hilton Hotels, and the hotel chain owned by Donald Trump, that discovered malicious activity on their payment processing systems in 2015.

Via: tripwire

Google Maps For iOS Now Shows You When Stores Are Busiest, Plus Gas Prices

Just in time for your last-minute holiday shopping plans, Google has rolled out an updated version of its Google Maps iOS application, which will now show you when stores are the busiest. Armed with this information, you can better plan when to visit the location in question in order to avoid the crowds. The feature is available not only for retail stores, but for any business where customers are generally curious about the store’s “rush hours.” That means it extends to places like coffee shops, restaurants, grocery stores, gyms and other points of interest.

Additionally, the app is now showing gas prices when you search for nearby gas stations.

Google first began tracking businesses’ “popular” times in July, when it introduced the feature within Google Search. At that time, if you searched for a business on Google, it would offer a chart indicating when the store or other establishment became more crowded, using the anonymized data it gathers from users of the Google Maps application. The feature was expanded to the Android version of Google Maps this September, but had not yet arrived on iOS until now.

Meanwhile, the gas-price tracking is another new addition that was also available on Android first. This October, Google announced a new feature that would allow Maps users to add a stop along a route – like, say, a gas station or coffee shop – which the app would then direct you to before your final destination.

When this feature arrived, it also included support for seeing gas prices when you chose to include a gas station as your additional stop.

While arguably a minor feature update – Google didn’t even bother putting out an official announcement about the iOS changes – it’s the sort of thing that helps Google Maps better compete with its rival Apple Maps on iOS devices, where it doesn’t have the benefit of being as deeply integrated into the mobile operating system.

Today, it’s not enough for mapping applications to offer just maps and directions. Extra information like prices, photos, hours, busy times and more can help push mobile consumers to use one application over another.

To help it gather more data about businesses, Google also expanded its “Local Guides” program this November, allowing any Maps user to help correct business listing errors or offer up additional business details by answering a series of questions that appear as pop-ups in the app, like “is it quiet here?” or “is the place family-friendly?”

This program also now includes questions that ask about how busy a store is – basically, another window on top of the anonymized data Google is already collecting.

The updated version of the Google Maps app is live now on the iTunes App Store.

Via: techcrunch

Google Starts Testing Password-Free Logins Using Your Phone

Passwords — especially weak ones or those used across multiple systems — can create all kinds of vulnerabilities and security headaches for people and businesses. That’s why Google is now testing an alternative way for users to log into its services.

The test was brought to light yesterday when reddit user rp1226 posted documents and screenshots from Google’s experiment on the Android subreddit.

The system being tested works like this: after entering an e-mail address on Google’s login page on a computer, the user’s phone receives a notification asking whether they are trying to log in. Upon answering “Yes,” the user is then prompted on the phone to indicate which number is displayed on the computer’s sign-in page; choosing the right number automatically logs the person in.
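The flow described above, simulated end to end as an added example (this is not Google’s code, and the details below are assumptions: the phone prompt offers three candidate numbers, a challenge expires after two minutes, and each challenge accepts exactly one answer). The server is the only party that knows which number is correct; the push to the phone carries only the candidates, so a user who taps “Yes” without reading the computer screen still has to guess.

```python
"""Password-free login with number matching: server, computer page, phone."""
import secrets
import time
from dataclasses import dataclass

CHOICES = 3          # candidates shown on the phone (assumption)
TTL_SECONDS = 120    # challenge lifetime in seconds (assumption)
_rng = secrets.SystemRandom()


@dataclass
class Challenge:
    account: str
    expected: int      # number displayed on the computer's sign-in page
    choices: tuple     # candidates pushed to the phone, correct one included
    created: float     # creation time, epoch seconds


class LoginServer:
    def __init__(self):
        self._pending = {}   # challenge id -> Challenge

    def start_login(self, account, now=None):
        """Step 1: the computer submits an e-mail address.

        Returns (challenge_id, number_to_display_on_computer)."""
        now = time.time() if now is None else now
        expected = secrets.randbelow(100)
        # Decoys are distinct from the expected number and from each other,
        # so the phone always shows CHOICES different values.
        pool = [n for n in range(100) if n != expected]
        choices = _rng.sample(pool, CHOICES - 1) + [expected]
        _rng.shuffle(choices)
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = Challenge(account, expected, tuple(choices), now)
        return cid, expected

    def push_prompt(self, cid):
        """Step 2: the notification the phone receives. The correct number
        is not marked; only the server knows it."""
        ch = self._pending.get(cid)
        if ch is None:
            return None
        return {"question": f"Are you trying to sign in as {ch.account}?",
                "choices": ch.choices}

    def answer(self, cid, approved, picked, now=None):
        """Step 3: the phone's response. Returns True only if the user
        approved AND picked the number shown on the computer, within TTL.
        The challenge is consumed on any answer, so it cannot be retried."""
        now = time.time() if now is None else now
        ch = self._pending.pop(cid, None)
        if ch is None or now - ch.created > TTL_SECONDS:
            return False
        return bool(approved) and picked == ch.expected


def blind_approval_rate(trials=2000):
    """Share of challenges that a user who taps 'Yes' and a random number
    without looking at the computer would unintentionally approve.
    With CHOICES candidates this converges on 1/CHOICES."""
    srv = LoginServer()
    hits = 0
    for _ in range(trials):
        cid, _shown = srv.start_login("user@example.com")   # constructed account
        choices = srv.push_prompt(cid)["choices"]
        if srv.answer(cid, True, _rng.choice(choices)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    server = LoginServer()
    cid, shown = server.start_login("user@example.com")
    print("computer page shows:", shown)
    print("phone receives:", server.push_prompt(cid))
    print("login succeeded:", server.answer(cid, True, shown))
    print("blind-approval rate:", blind_approval_rate())
```

The single-use and expiry checks are what turn a stray push approval into a bounded risk rather than a standing session; the blind-approval rate shows how much the number-matching step buys over a plain yes/no prompt.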

Growing Use of 2FA

Google’s experimental login system works much like the Account Key method launched by Yahoo in October. Available on iOS and Android devices, the Account Key login option for the mobile Mail app is “more secure than a traditional password,” according to Yahoo.

Many tech companies are looking for alternatives to old-school passwords that can be easily guessed, stolen or hacked. Another strategy being used to improve security is two-factor authentication (2FA), which requires users signing in by computer to verify their identities via second devices, usually smartphones.

For example, Amazon last month introduced a two-step verification process in private beta. Viewed as a way to add an extra layer of security for users, two-factor authentication has also been available for some time for users of Google Gmail and Microsoft Outlook, among others. Google did not respond to our request for more information about its password-free login test.

Password Pain on Help Desks

While many in the tech community have been predicting — and agitating for — an end to traditional passwords (Microsoft CEO Bill Gates made such a forecast at the RSA Security conference way back in 2004), passwords are still widely used. In fact, a report by TechNavio in June indicated that the global market for password management was likely to grow by 16.33 percent through 2019.

At the same time, momentum is growing for password-free alternatives. Last week, for instance, the adaptive authentication company SecureAuth released the results of a survey that found 66 percent of cybersecurity professionals were exploring password alternatives.

A full 91 percent of those surveyed agreed that “the traditional password will not exist in ten years,” SecureAuth said. Passwords also create a drain on help desks, with more than a third of respondents noting that employees regularly ask for help with forgotten passwords.

“This survey very clearly indicates there is an appetite for multi-factor authentication solutions beyond the traditional password,” said SecureAuth CEO Craig Lund in a statement.

Another survey by Ping Identity this month found that users are often careless about the security of their passwords.

“Employees are doing some things really well to keep data secure, like creating unique and difficult-to-guess passwords, but are then reusing passwords across personal and work accounts or sharing them with family or colleagues,” said Ping Identity CEO Andre Durand. “No matter how good employees’ intentions are, this behavior poses a real security threat.”

Via: enterprise-security-today

Hackers plan to ruin Christmas for gamers again

What’s green and enjoys whisking Christmas toys away?

There’s always the Grinch.

Last year, of course, it was the heart-of-a-seasick-crocodile Lizard Squad hackers who ruined gamers’ Christmas by launching Distributed Denial of Service (DDoS) attacks against PlayStation Network and Xbox Live.

This year, the green uglies are a new hacking group that’s threatening to take down the two gaming networks for a week during Christmas.

The DDoSers call themselves Phantom Group (@PhantomSquad) and are blaming the victims – the targeted companies – as did Lizard Squad last year.

Two of the messages coming out of that now-suspended Twitter account:

We will take down servers on christmas

I get asked a lot on why we do this? Why do we take down PSN and Xbox Live? Because cyber security does not exist.

If it sounds like the Ghost of Lizards past, you recall last Christmas correctly.

A man speaking for the hackers last year told Sky News that the Christmas attack was done “to raise awareness” and “to amuse ourselves” and that it was all Microsoft and Sony’s fault:

They [Microsoft and Sony] should have more than enough funding to be able to protect against these attacks.

The Phantom Squad claims that it’s not affiliated with Lizard Squad.

On Tuesday, the hackers claimed responsibility for knocking Reddit offline.

Today . What should it be tomorrow

Reddit confirmed that something was up, saying that its databases were coming “under extreme load” – an issue that could have been caused by a DDoS attack.

According to The Hacker News, neither Microsoft nor Sony confirmed the DDoS attacks, but Microsoft, at least, acknowledged issues with Xbox Live when Phantom Squad claimed responsibility for knocking it offline on Saturday.

In short, it seems that the group isn’t bluffing.

It could pull the plug on gamers who might not even be able to play their new Christmas games offline, given that many gifted games will attempt to update before first run, while new consoles will need to be updated before they’ll play a game.

Phantom Squad might not think it has affiliation with Lizard Squad, but it shares the same garlic-laced soul of its predecessors.

Sooner or later, its members may well look forward to sharing a similar fate: namely, getting arrested.

Via: sophos