Monthly Archives: April 2018

Risk Assessment and Identifying Vulnerabilities in Your PKI Management

Cyber security is a field both deep and broad with a large number of complicated facets. As no one can be an expert in all things, it can sometimes be difficult even for experienced security professionals to know where vulnerabilities are in the system.

That’s where risk assessments come in; they can help you identify problems that need to be addressed. The problem is that risk assessment tools aren’t always straightforward or easy to use.

That’s why we’ve put together this guide to help simplify the process for you. Using four basic questions, you can quickly identify if there’s cause for serious concern regarding your PKI management. While this guide won’t be comprehensive, it will certainly help you begin the risk management process for your system’s security.

1. How Do You Manage Keys and Certificates?

A business’s PKI may start with a single key and a handful of certificates, but it won’t end there. As the company grows, so will its online presence, and a larger digital footprint requires more certificates to secure. Depending on the size of the website, a company can quickly accumulate 10,000 certificates or more.

That’s a lot of information to keep track of, and how you track it makes a big difference. There are usually two approaches: you’re either using unsophisticated tactics like tracking it yourself in a spreadsheet or trusting your CA to do it, or you’re using a trustworthy third-party solution. If your solution is the former, you’re making a big PKI management mistake.

2. Who Requests Keys and Certificates?

This question is like playing golf: the fewer the better. Ideally, your PKI management will be centralized and under the jurisdiction of a single department. The more departments that are authorized to request keys and certificates from a CA, the more difficult your PKI will be to manage, and the more likely you are to experience problems with self-issued certificates.

3. How Often Do You Rotate Keys and Certificates?

Most professionals who know enough about PKI to request a certificate know that they should be rotated. The problem is that they’re not usually rotated often enough, and few are aware that they should be rotating keys. Best practice is to change both in less than six months. If you’re hanging on to either for longer than a year, you need to reevaluate your PKI policies.

4. Do You Automate?

Humans are prone to error, and the more we interact with something, the more likely we are to produce one of those errors. Automating the requesting, tracking, and renewal of certificates and keys cuts down on human error, which is why the practice is so strongly recommended.

If you’re not automating any part of your PKI management, you should be on the lookout for issues and vulnerabilities caused by negligence or ignorance.
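Questions 1 through 4 above are the kind of checks a certificate inventory can answer mechanically. The following script is an added example, not code from the original article or from any vendor: it runs a six-month / one-year rotation policy over a constructed inventory of certificate records, recovers key age from the earliest certificate issued for each public-key fingerprint (so a certificate that was renewed on the same key pair still shows the key as unrotated), flags certificates close to expiry, and lists how many departments are requesting certificates. Every host, department, date, fingerprint and the 30-day expiry lead time are constructed assumptions.

```python
"""Certificate and key inventory check.

Added example (not from the article): each record describes one certificate
the organisation tracks, which department requested it, when it was issued
and expires, and a fingerprint of the public key it carries. All hosts,
departments, dates and fingerprints are constructed.
"""
from datetime import date, timedelta

# Policy thresholds taken from the article's question 3.
ROTATE_AFTER = timedelta(days=180)     # "change both in less than six months"
VIOLATION_AFTER = timedelta(days=365)  # "longer than a year ... reevaluate"
EXPIRY_WARNING = timedelta(days=30)    # constructed renewal lead time
TODAY = date(2018, 4, 30)              # constructed assessment date

# Constructed inventory. The two shop.example.test certificates share "k-cc33":
# the certificate was renewed, but the key pair underneath it never changed.
INVENTORY = [
    {"host": "www.example.test",  "dept": "infra", "not_before": date(2018, 3, 1),
     "not_after": date(2019, 3, 1),   "key_fp": "k-aa11"},
    {"host": "api.example.test",  "dept": "infra", "not_before": date(2017, 2, 1),
     "not_after": date(2018, 5, 15),  "key_fp": "k-bb22"},
    {"host": "shop.example.test", "dept": "sales", "not_before": date(2016, 9, 1),
     "not_after": date(2017, 9, 1),   "key_fp": "k-cc33"},
    {"host": "shop.example.test", "dept": "sales", "not_before": date(2017, 9, 1),
     "not_after": date(2018, 9, 1),   "key_fp": "k-cc33"},
    {"host": "mail.example.test", "dept": "it",    "not_before": date(2018, 4, 10),
     "not_after": date(2018, 10, 10), "key_fp": "k-dd44"},
]


def key_first_seen(inventory):
    """Earliest issue date per public-key fingerprint, expired certs included.

    A key is at least as old as the first certificate issued for it, so this
    catches keys that survived one or more certificate renewals.
    """
    first = {}
    for rec in inventory:
        fp = rec["key_fp"]
        if fp not in first or rec["not_before"] < first[fp]:
            first[fp] = rec["not_before"]
    return first


def age_code(age, kind):
    """Map an age to a policy finding code, or None when within policy."""
    if age > VIOLATION_AFTER:
        return f"{kind}-violation"
    if age > ROTATE_AFTER:
        return f"{kind}-overdue"
    return None


def assess(inventory, today=TODAY):
    """Return (host, finding) pairs for every certificate still in service."""
    first_seen = key_first_seen(inventory)
    findings = []
    for rec in inventory:
        if rec["not_after"] < today:
            continue  # expired: out of service, but it still dated its key above
        for code in (age_code(today - rec["not_before"], "cert"),
                     age_code(today - first_seen[rec["key_fp"]], "key")):
            if code:
                findings.append((rec["host"], code))
        if rec["not_after"] - today <= EXPIRY_WARNING:
            findings.append((rec["host"], "expiring-soon"))
    return findings


def requesting_departments(inventory):
    """Distinct departments that requested certificates (question 2: fewer is better)."""
    return sorted({rec["dept"] for rec in inventory})


if __name__ == "__main__":
    print("requesting departments:", ", ".join(requesting_departments(INVENTORY)))
    for host, finding in assess(INVENTORY):
        print(f"{host:20} {finding}")
```

On the constructed data, api.example.test is flagged for both certificate and key age and for imminent expiry, while shop.example.test shows the subtler case the article warns about: its current certificate is only a few months overdue, but the key it carries dates from the previous certificate and has not been rotated in well over a year. Running a check like this on a schedule is the minimum automation question 4 asks for.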

If any of these questions gave you pause, then you need to take a closer look at your PKI management. A more thorough risk assessment by industry experts will help you pinpoint issues that need to be addressed. Get started today and ensure the security of your company.



via:  tripwire

PCI Council Loses $600K in Revenue, PO Population on the Decline

Last year I released a blog post and a GitHub repository with some code to calculate how much money the PCI Council brings in annually, with an estimation of lifetime revenue. There are some MAJOR assumptions in there that can swing the revenue in either direction. And, of course, there are already new programs that the Council will happily charge for that have been released since my initial commit (3DS Assessors, 25 of those with each individual consultant paying $1,400 per exam). I’ll work on that soon.

I was meeting with some industry people this week and thought I’d check up on the old numbers to give the package a refresh. As it turns out, the number of Participating Organizations is on the decline. Seven months ago there were over 950. As of today, there are 791.

That represents a 17% decline over the last seven months, or $600,000 of annual revenue.

Some other changes of note:

  • PFI companies down 18% from 22 to 18.
  • QSA companies up 3.5% from 368 to 381.
  • QIR companies up 30% from 346 to 450.
  • ASV companies down 10% from 112 to 101.

Once we get more details on the number of 3DS consultants, I can update that part of the program fees as well.



via:  brandenwilliams

You Can Use A VPN To Unlock Regional Content on the Amazon Fire Stick

Amazon Fire Stick is a major competitor to Google Chromecast and Roku, with Amazon diving ever deeper into the digital content creation pool. There is so much to watch on Amazon alone, and using the Fire Stick you can access all other streaming services.

Of course, the content you have access to depends on where you are in the world. If you’re not in the US, you may have a seriously limited content library, especially on Amazon. And, if you’re using an Amazon Fire Stick, having limited access is incredibly frustrating.

However, you can get past the restrictions with the right Fire Stick VPN. ExpressVPN is generally considered one of the best, and it will get you access to all streaming services, bypassing their VPN blocks.

But before you commit to subscribing to a VPN, what content is Amazon creating that makes it such an important player in the streaming industry?

The Man In The High Castle

Based on Philip K Dick’s novel of the same name, Amazon’s The Man In The High Castle is one of the most ambitious and challenging series on television. It imagines a world in which the Allies lost World War 2. The United States is split into Nazi America, the Japanese Pacific States, and a Neutral Zone between them. Authoritarian rule is as strong as ever, with rebellions brutally put down before they have the chance to make an impact.

The series focuses on characters from all sides of the political spectrum, all facing the dilemma of how to best act in accordance with the reality they’re given and their principles and ideals. There’s also the spectre of nuclear destruction looming large, with the future of the world uncertain to say the least.

Two seasons have aired so far, with the third expected later this year.

American Gods

American Gods is another one of the most ambitious shows on TV at the moment, with its genre- and mind-bending, sacrilegious storylines and themes portrayed with excellence by magnificent cinematography, acting, and unreliable narration. Based on Neil Gaiman’s novel of the same name, American Gods is a beloved American story that holds a nostalgic place in its readers’ hearts. The original Amazon series is exceeding everyone’s expectations in bringing that to the screen.

Transparent

Transparent may be in trouble, considering the actor playing the character at the center of all its storylines has left the show after allegations of sexual assault surfaced. But regardless of Jeffrey Tambor’s indiscretions, the four seasons of Transparent that have already aired have had a significant cultural impact. Transparent tells the story of a family coming to terms with their patriarch’s coming out as transgender (the titular Trans Parent). The first season was released not long before Caitlyn Jenner came out as transgender, and both played a huge part in increasing the dialogue around the “T” in the LGBT community. Transgender was a word fraught with negative connotations and misunderstandings, and Amazon’s first original series really helped turn the narrative around. A 5th season, without Jeffrey Tambor, is set to be released in 2019.


via:  404techsupport

New Gmail Confidential Mode Lets Businesses Set Expiration Dates for Emails

Google has introduced a new confidential Gmail mode that allows businesses to set expiration dates for emails containing sensitive information.

On 25 April, the Menlo Park tech giant announced a series of updates to its G Suite apps for its more than four million paying business users. Gmail confidential mode was among those newly introduced features.

David Thacker, VP of product management at G Suite, explained that Gmail confidential mode enables qualifying users to set expiration dates for email messages containing sensitive data. He noted that it also allows users to revoke previously sent messages and require recipients to authenticate themselves via text message if they wish to view an email.

As part of those protections, Google took even greater steps to limit the number of people who can access an email. Thacker elaborated on these measures in a blog post:

Built-in Information Rights Management (IRM) controls also allow you to remove the option to forward, copy, download or print messages. This helps reduce the risk of confidential information being accidentally shared with the wrong people.

Google revealed its intention to roll out the new confidential mode to consumer Gmail users and some G Suite users first before making the features more broadly available at a later date.

Additionally, the company unveiled that it had redesigned its email security warnings to do a better job of protecting employees against potentially risky emails.

Google’s security warnings with a bigger and bolder design.

These security updates followed one month after Google introduced a series of protections designed to defend users against phishing-related threats including business email compromise (BEC) scams. The tech giant crafted those measures to warn users of suspicious emails or send them automatically to the junk folder.

Users can protect themselves against BEC scams and other email-related threats by familiarizing themselves with some of the most common types of phishing attacks. Here’s an article to help them get started. At the same time, companies should deploy email filtering solutions to protect their workforce against risky messages.



via:  tripwire

Privacy Breach Exposes 1,200 School Employees’ Partial Social Security Numbers

A privacy breach at a school district in New Jersey exposed portions of 1,200 employees’ Social Security Numbers.

The breach occurred at Irvington Public Schools on 16 April when an “unknown source” sent out an email to an undetermined number of recipients. The email contained the names of current and former employees of the Irvington, New Jersey school district. It also included segments of their Social Security Numbers with some digits replaced by asterisks and dashes.

Superintendent Neely Hackett said she doesn’t know how many people ultimately received the email, which used the subject line “IBOE gave out your SS number.” (IBOE is short for “Irvington Board of Education.”) As she told

At this time, I do not know the exact number of people who received the email. To the best of my knowledge, the email was distributed to Irvington staff members using the district email address.

She went on to explain that the district, which enrolls approximately 7,000 students, “regrets this unfortunate disclosure” and intends to notify any former employees whom the breach might have affected.

Tracy Bowers, public safety director for Irvington, said detectives are currently investigating the incident to learn more about how the breach occurred.

As of this writing, it’s unclear how the unknown individual acquired the partial Social Security Numbers of more than a thousand school staff members and gained access to the school’s district email address. What is clear, however, is the need for schools everywhere to implement security measures that can help shield sensitive data from external attackers and malicious insiders. Specifically, they should consider using encryption, access controls and some of the other 20 critical security controls developed by the Center for Internet Security (CIS).


via:  tripwire

Upcoming Windows Defender feature will tell you when security fails

Microsoft is planning a new feature for Windows Defender that will continually check for system integrity, informing users if any secure part of the operating system has been compromised.

  • An upcoming feature of Windows Defender, called runtime attestation, will be able to detect the most minute signs of security compromise, all the way down to the kernel level.
  • Runtime attestation hasn’t been given a release date, but the basic features necessary to operate it will be released with the next version of Windows 10.

A feature added to the latest test build of Windows 10 is making Windows Defender a next-level security tool that can detect changes anywhere in a system, all the way down to kernel changes.

Called Windows Defender System Guard runtime attestation, the new security feature is designed to protect against system tampering that Windows Defender may otherwise miss.

Runtime attestation is designed to improve antivirus software detection, detect changes caused by rootkits, kernel tampering, and other exploits, ensure security of sensitive transactions, and ensure conditional access systems are secure.

Microsoft plans to roll out the building blocks for runtime attestation in the next version of Windows 10, but a full implementation may take some time, starting with APIs that allow Windows Defender to talk to sensitive system processes.

How runtime attestation protects Windows computers

Runtime attestation is complicated, but at its most basic level it’s simply Windows Defender having the capability to inspect and attest to the integrity of the lowest level of a Windows system.

Defender and the Windows components whose integrity it attests communicate through an API that relays data to Defender, which inspects it for changes. If none are found, Defender attests to the integrity of that component; if changes are found, an error code is returned and the user is notified.

Runtime attestation has to be secure and encrypted to prevent an attacker from altering reports, which Microsoft has accounted for by using a virtualization-based security enclave to construct a secure kernel that the main Windows kernel can’t tamper with.

All of the attestation is done by the secure kernel, the end result of which is security validation that an attacker or malware in the Windows kernel can’t alter.

Microsoft gives an example where “an app could ask Windows Defender System Guard to measure the security of the system from the hardware-backed enclave and return a report. The details in this report can be used by the app to decide whether it performs a sensitive financial transaction or display personal information.”
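The pattern described above (an isolated secure kernel measures components, signs a report, and an application decides on a sensitive action only after verifying that report) can be modelled in a few dozen lines. The following is an added illustration, not Microsoft’s implementation or any Windows API: the component names, byte images and “golden” measurements are constructed, and the report is authenticated with an HMAC under a key that only the enclave and the verifying side hold, a simplification of the asymmetric signature a real attestation scheme would use. It shows the three failure modes a verifier must distinguish: a tampered component, a report edited by code outside the enclave, and a replayed report.

```python
"""Toy model of runtime attestation: measure, sign inside an enclave, verify.

Added example (not Microsoft's code or API). The HMAC report key stands in for
the enclave's signing key; the normal kernel never sees it. All component
images and names are constructed.
"""
import hashlib
import hmac
import json
import secrets

# Constructed: byte images of two components as they were at boot time.
CLEAN_COMPONENTS = {
    "ntoskrnl_text": b"constructed kernel code image",
    "driver_table": b"constructed table of loaded drivers",
}
# Golden measurements recorded when the system was known-good.
GOLDEN = {n: hashlib.sha256(b).hexdigest() for n, b in CLEAN_COMPONENTS.items()}
REPORT_KEY = b"constructed-enclave-report-key"  # lives only inside the enclave


class SecureKernel:
    """Stands in for the virtualization-based security enclave."""

    def __init__(self, report_key, golden):
        self._key = report_key
        self._golden = golden

    def attest(self, components, nonce):
        """Measure the supplied components and return a signed report bound to nonce."""
        measurements = {n: hashlib.sha256(b).hexdigest() for n, b in components.items()}
        status = {n: "ok" if m == self._golden.get(n) else "tampered"
                  for n, m in measurements.items()}
        body = {"nonce": nonce.hex(), "measurements": measurements, "status": status}
        return {"body": body, "sig": self._sign(body)}

    def _sign(self, body):
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()


def verify_report(report, report_key, nonce):
    """Relying-party check: authenticity first, then freshness, then contents."""
    payload = json.dumps(report["body"], sort_keys=True).encode()
    expected = hmac.new(report_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["sig"]):
        return False, "signature mismatch: report altered outside the enclave"
    if report["body"]["nonce"] != nonce.hex():
        return False, "nonce mismatch: replayed or stale report"
    bad = [n for n, s in report["body"]["status"].items() if s != "ok"]
    if bad:
        return False, "integrity failure in: " + ", ".join(bad)
    return True, "all measured components match their boot-time values"


def decide(components, tamper_report=None):
    """App flow: request a fresh report, verify it, return (allowed, reason)."""
    nonce = secrets.token_bytes(16)
    report = SecureKernel(REPORT_KEY, GOLDEN).attest(components, nonce)
    if tamper_report:
        tamper_report(report)  # simulates the normal kernel editing the report in transit
    return verify_report(report, REPORT_KEY, nonce)


def scenario_clean():
    return decide(CLEAN_COMPONENTS)


def scenario_rootkit():
    # A rootkit changed the driver table after boot; the enclave sees the new hash.
    patched = dict(CLEAN_COMPONENTS, driver_table=b"constructed table with a hidden driver")
    return decide(patched)


def scenario_forged_report():
    patched = dict(CLEAN_COMPONENTS, driver_table=b"constructed table with a hidden driver")

    def whitewash(report):
        report["body"]["status"]["driver_table"] = "ok"  # no key, so the MAC no longer matches

    return decide(patched, tamper_report=whitewash)


def scenario_replayed_report():
    # An old, genuinely signed report is presented against a new challenge nonce.
    stale = SecureKernel(REPORT_KEY, GOLDEN).attest(CLEAN_COMPONENTS, secrets.token_bytes(16))
    return verify_report(stale, REPORT_KEY, secrets.token_bytes(16))


if __name__ == "__main__":
    for name, fn in [("clean", scenario_clean), ("rootkit", scenario_rootkit),
                     ("forged report", scenario_forged_report),
                     ("replayed report", scenario_replayed_report)]:
        allowed, reason = fn()
        print(f"{name:16} allowed={allowed}  {reason}")
```

The ordering inside `verify_report` is the design point: the signature is checked before anything in the body is trusted, the nonce is checked so a good report from an earlier moment cannot stand in for the current state, and only then does the application read the per-component status and decide whether to proceed with the sensitive operation.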

The end goal of runtime attestation is to create a security system that can detect the most minute of symptoms, Microsoft said. “The idea is to continually elevate defense across the entire Windows 10 security stack, thereby pushing attackers into a corner where system changes affecting security posture are detectable.”

Don’t expect to see all the features of secure attestation in the next build of Windows 10—it will likely be some time until it is a full Windows feature. Microsoft hasn’t given a timeline outside of the release of groundwork elements due out soon.



via:  techrepublic

Doctors at RSA simulate emergency overdose caused by hacked medical pump

There’s a famous axiom about doctors making unusual medical diagnoses when a more commonplace explanation is more likely: “When you hear hoofbeats, think of horses, not zebras.”

But what if it’s a unicorn?

What if it’s something doctors are not trained to look for at all – like the hacking of a medicine pump, causing it to administer an overdose to a patient?

Dr. Kim Kwai (left) tries to solve a medical mystery caused by a medical device hack, as her medical team performs CPR on the dummy patient.



RSA 2018 drove this point home with a riveting medical emergency simulation, designed to test a doctor’s quick thinking and diagnosis skills in a worst-case scenario situation. Not surprisingly, it took precious minutes before the doctor realized that a malfunctioning pump was the cause of the crisis.

The demonstration was just a snippet of a series of simulations that debuted in Arizona at last year’s inaugural CyberMed Summit, organized by the Atlantic Council and two College of Medicine – Phoenix graduates with a hacker background — Drs. Jeff Tully and Christian Dameff. Tully and Dameff hosted Thursday’s RSA session, alongside Josh Corman, an innovation fellow at the Atlantic Council, and founder of I Am the Cavalry, a grassroots public safety organization specializing in computer and device security.

“We said, ‘You know, guys, nothing’s gonna change unless somebody dies first,’” said Corman, also a CSO with computer software company PTC. “So we did what any good self-respecting hackers would do: we killed people… in a simulation of course.”

Dameff, an emergency physician and clinical informatics fellow at the University of California San Diego, described the process further, noting “we have mannequins that can cry or can bleed that you can do impromptu surgery on in an effort to train our physicians to be able to handle the most complicated difficult cases with these technologies…”

The physician being tested in this case was University of California, Davis, toxicologist Dr. Kim Kwai, who was not provided any details in advance about the fictional patient, his medical issue, or the big surprise waiting for her – a stealthy exploit of a connected hospital IoT device.

Kwai’s patient was a fictional 60-year-old man played by Beau Woods, a cyber safety innovation fellow with the Atlantic Council, and a leader with The Cavalry. Woods complained of experiencing chest pains for about a week, and presented with atrial fibrillation, or a rapid heartbeat.

After asking the patient a series of questions, she ordered her medical team – who was in on the “game” – to administer an IV drip of Cardizem, a calcium channel blocker that treats afib and related ailments.

The patient’s chest x-ray and bloodwork looked good, but soon after he complained of increasing lightheadedness, he lost consciousness as his heart stopped beating. At this point, Woods was replaced with a dummy, as Kwai’s medical team performed CPR on the patient.

At first, Kwai was confounded as to why the patient experienced cardiac arrest – until Tully, an anesthesiologist and pediatrician at the University of California, Davis, pointed out a strange anomaly: the entire bag of Cardizem had already been emptied.

Only then did the light bulb go off. Dr. Kwai immediately diagnosed the issue as a calcium channel blocker overdose and quickly ordered the pharmacy to provide insulin to counteract the effects.

The patient was saved. But in a real-life situation, perhaps no one would have noticed the empty medicine bag until it was too late.

“Can we switch out that pump?” said Kwai, realizing something had gone wrong with the equipment. Indeed, the pump was compromised, said Dameff, adding that the exploit in this case reflected the findings of researcher Billy Rios, who in 2014 discovered multiple vulnerabilities in the LifeCare PCA drug infusion pump sold by Hospira.

“Being alerted that the entire bag was empty kind of made me think of a pump malfunction, maybe,” said Kwai following the simulation, admitting that “I have never really thought to look at the bag. In fact, I was not looking at the bag.”

Kwai said that moving forward she would now be more cognizant of how patient lives depend on the integrity of connected medical devices. “It would be devastating to the entire health care system if things were hacked,” she said.


via:  scmagazine

Startup ecosystem report: China is rising while the US is waning

Startups are a gamble, but it’s possible to better understand why some thrive and many more die by looking at the ecosystems in which they operate. Such is the mission of eight-year-old Startup Genome, composed of a group of researchers and entrepreneurs who, every year, interview thousands of founders and investors around the world to get a better handle on what’s changing in the regions where they operate, and what remains stubbornly the same.

The larger objective is to figure out how to help more startups succeed, and the outfit — which this year surveyed 10,000 founders with the help of partners like Crunchbase and Dealroom — produced some data that should perhaps concern those in the U.S. To wit, China looks positioned to overtake U.S. dominance when it comes to numerous tech sectors. Consider: In 2014, just 14 percent of so-called unicorns were based in China. From the start of last year through today, that percentage has shot up to 35 percent, while in the U.S., the number of homegrown unicorns has fallen from 61 percent to 41 percent of the overall global number.

You could argue that investors are simply assigning China-based startups overly lofty valuations, as happened here in the U.S., and we partly believe that to be true. But China is also clearly “in it to win it,” based on a look at patents, with four times as many AI-related applications and three times as many crypto- and blockchain-related patents registered in China last year. With so much of the tech industry now focused on deep tech, it’s worth noting. In fact, though we loathed the January Financial Times column penned by famed VC Michael Moritz, who suggested U.S. companies follow China’s lead, his underlying call to arms was probably, gulp, prescient in its own way.

What else should startups know? According to Startup Genome’s findings, in addition to the rise of AI, blockchain and robotics manufacturing, there are clearly declining sub-sectors, too, including, least surprisingly, adtech, which has seen a roughly 35 percent drop in funding over the last five years. No doubt that ties directly to the growing dominance of Facebook and Google, which accounted for 73 percent of all U.S. digital advertising last year, according to the equity research firm Pivotal.

That doesn’t mean adtech startups are cooked, note the study’s authors. Rather, declining sub-sectors are often “mature” but can be revived by new technologies. In this case, while funding for adtech has dropped, virtual reality and augmented reality could well inject some new growth into the industry at some point. Maybe.

Either way, to us, the most interesting facets of this report — and it really is worth poring over — are the connections it’s able to make by talking with so many people around the world. It addresses, for example, how Stockholm, a relatively small startup ecosystem, is able to produce sizable startups at a meaningful rate, versus Chicago, whose ecosystem is ostensibly three times bigger. (The answer: Stockholm’s startup founders are apparently better connected to the world’s top seven ecosystems.)

Also quite interesting is the report’s findings about women founders, who build more relationships with regional founders and are more locally connected than their male counterparts — except with investors. That’s bad news for both women founders and investors, as local connectedness is associated with better startup performance.

To read the report in full, click over here. You have to fork over your email address, but with 240 pages filled with fascinating nuggets and other useful information, you’ll likely find it worth it.


via:  techcrunch

Walmart launches Check Out With Me for on-the-spot checkouts in hundreds of US stores

Walmart announced it’s beginning to test new technology that arms store staff with mobile devices for checking out customers from the floor. The devices will first be put into use in Walmart’s “Lawn & Garden Centers” in more than 350 U.S. stores, where there’s the most need for a mobile checkout experience like this.

Before, customers shopping for items like mulch, soil or flowers may have had to go inside the physical store to pay for their Lawn & Garden purchases, which was often challenging due to the size and weight of these items. Now, they’ll be able to pay on the spot with store staff’s help.

The new service, which Walmart is calling “Check Out With Me,” involves store employees wearing a small carrying case equipped with a Bluetooth receipt printer. Their cellular device works as the barcode scanner and the credit card swiper for the transactions.

Staff assist customers by scanning large items — like bags of mulch — while they’re still on the shelf, so customers don’t have to load heavy carts and push them through the store or to one of the Lawn & Garden Center’s fixed checkout stations. They can just carry them straight to their car parked nearby.

The service will help Walmart with its sales that take place outside the Lawn & Garden Center, too.

“During the summer, we also sell a lot of items like mulch, live plants and potting soil outside of the store — similar to Home Depot or Lowe’s,” a spokesperson said. “This new option allows people to pay for those items on the spot versus paying in the store then going outside to load the items.”

The retailer says it’s not hiring additional staff for Check Out With Me, but will use existing employees for the service.



This isn’t the first time Walmart has used mobile technology to speed up checkouts. The company also offers Walmart Pay for in-store checkout, which involves scanning a barcode on customers’ phones to pay at the register. And its Sam’s Club warehouse club offers Scan & Go, which lets customers skip the checkout line by scanning items as they shop, then showing their e-receipt at the door on their way out.

Upgrades that make checkout quicker are especially important to retailers today in light of increased competition from Amazon, which has now established a physical presence through Whole Foods, its own bookstores and its new Amazon Go stores.

In the latter, customers don’t have to check out at all — cameras, AI systems and sensor technology let them simply grab items and leave. The idea is to offer a faster way for consumers to buy items, while also tying their day-to-day purchases to their Amazon account to get a more holistic view of the shoppers’ habits. Other companies are offering similar systems for other retailers, like AiFi, IMAGR and Standard Cognition. And Walmart has been said to be testing checkout-free technology, as well.

In the meantime, Check Out With Me is available in more than 350 U.S. stores, starting today. That’s a small subset of Walmart’s 4,700 U.S. stores, but the company considers the rollout a “test” for the time being.


via:  techcrunch

AT&T CEO says a new $15-per-month, sports-free streaming service is launching in a few weeks

AT&T CEO Randall Stephenson revealed on Thursday the carrier’s plans to launch another live TV service called “AT&T Watch,” which would offer a cheap, $15-per-month bundle of channels for customers, and be provided to AT&T Unlimited Wireless subscribers for free. At this price point, the service would be one of the lowest on the market — less than Sling TV’s entry-level, $20-per-month package, and just a bit less than Philo’s low-cost, sports-free offering, priced at $16 per month.

Stephenson, who’s in court defending the proposed $85 billion merger with Time Warner against antitrust claims, announced the service on the witness stand. He held up the soon-to-arrive AT&T Watch as a rebuttal of sorts to the Justice Department’s point about the company’s continually climbing prices for its DirecTV satellite service, according to a report from Variety.

The Justice Department is concerned that if the merger goes through, AT&T will then raise prices on Time Warner’s Turner networks, like TNT, TBS and CNN in a way that would hurt other pay TV providers.

Few other details were offered regarding AT&T Watch beyond its price point, which is low because it, like Philo, will be a sports-free offering.

But AT&T’s advantage over competitors is the distribution provided by its AT&T Wireless business. Although its existing streaming service DirecTV Now is one of the newest on the market, it has already reached No. 2 in terms of subscribers, trailing only Sling TV.

Beyond its lack of sports, the channel lineup for AT&T Watch was not discussed, nor was an exact launch date.

Stephenson said the company hoped to launch it in the next few weeks.


via:  techcrunch