Digital Guardian for Data Loss Prevention: Product overview

Digital Guardian, which was known as Verdasys until 2014, offers several data loss prevention products. Originally focused on technologies for stopping data loss from insider threats, Digital Guardian has expanded its DLP product lineup to address external threats as well.

The company’s original product is Digital Guardian for Data Loss Prevention (DLP), an endpoint DLP product. In addition, Digital Guardian acquired Code Green Networks in October 2015, adding Code Green Networks’ TrueDLP suite of products, Network Data Loss Prevention, Cloud Data Loss Prevention and Discovery Data Loss Prevention, to its lineup. Used together, Digital Guardian’s four DLP products cover data in use, data in transit, data at rest and sensitive data held in cloud services.

Digital Guardian for Data Loss Prevention

The Digital Guardian for Data Loss Prevention product provides context-aware DLP inspection of data at rest and data in use on Windows, Mac OS X and Linux desktops and laptops. It also monitors and controls removable devices, such as USB flash drives and removable media attached to protected endpoints, so that only authorized devices can be used and only approved files can be copied or moved to them. Security managers can also set organization-wide policies that block, allow or automatically encrypt sensitive data depending on the action being taken, such as attaching a file to an email or uploading it to a cloud service.

One of the key features included in Digital Guardian for Data Loss Prevention is automated data classification: the product is designed to tag and classify data upon installation, sorting out personally identifiable information, healthcare data, PCI DSS cardholder data and more. In addition, Digital Guardian’s DLP software can cover up to 250,000 employees with a single management server.

Digital Guardian Network Data Loss Prevention

The Digital Guardian Network Data Loss Prevention product inspects three kinds of outbound traffic for sensitive content: email, HTTP/HTTPS/FTP sessions, and all other packets. An onboard Message Transfer Agent examines each email message’s content, source, destination, attachments and subject before it leaves the organization. HTTP, HTTPS and FTP inspection relies on a web proxy acting as an ICAP client, which hands each request to the Network DLP appliance’s ICAP service so that every outbound session over those protocols can be inspected; for HTTPS this only works where the proxy terminates TLS, since the appliance inspects the decrypted HTTP payload, not the ciphertext. Packet monitoring covers the remainder: all other outbound packets, regardless of protocol or destination port, are inspected before they leave the organization.

Digital Guardian Cloud Data Protection

The Digital Guardian Cloud Data Protection product provides monitoring and control for all data exchanges with cloud-based resources involving desktops and laptops as well as iOS and Android mobile devices. Supported cloud services include Accellion, Box, Citrix ShareFile and Egnyte. The cloud DLP product scans all files uploaded to cloud storage for confidential or regulated data and remediates it based on policies.

Digital Guardian for Data Discovery

Digital Guardian for Data Discovery performs network and local scans of at-rest files to identify sensitive information found in servers and other data center assets. It also offers an agent that can be used to scan desktops, laptops and servers at remote offices. Once sensitive data is detected, Discovery DLP can handle the file containing that data based on policy. Common responses include deleting a file, moving a file to a vault — optionally leaving a notification in place of the relocated file — generating an alert or triggering a custom script.
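The tagging described for the endpoint product (PII, healthcare, PCI data) and the policy responses described for the discovery product (delete, move to a vault with a notification left behind, alert, custom script) are two halves of one loop. The following is an added, stand-alone sketch of that loop; it is not Digital Guardian’s code, and the detector patterns, the policy table, the vault location and the sample files are all assumptions made for the example.

```python
"""Added example: a minimal content classifier with DLP policy actions.

This is not Digital Guardian code. It sketches what an endpoint or
discovery agent does: scan a file's text for regulated data, tag it
(PII, PHI, PCI), then apply a policy action (allow, alert, or move the
file to a vault and leave a notification stub in its place). The
detector patterns, policy table and sample files are assumptions made
for the example.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Constructed detectors. Real products ship far richer pattern sets and
# context checks; these are enough to show the flow.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")          # candidate PANs, Luhn-checked below
MRN_RE = re.compile(r"\bMRN[:# ]\s*\d{6,10}\b", re.IGNORECASE)

# Constructed policy: tag -> action. The most restrictive action wins.
POLICY = {"PCI": "vault", "PHI": "vault", "PII": "alert"}
ORDER = ["vault", "alert", "allow"]                        # most to least restrictive


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of classification tags found in text."""
    tags = set()
    if SSN_RE.search(text):
        tags.add("PII")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            tags.add("PCI")
            break
    if MRN_RE.search(text):
        tags.add("PHI")
    return tags


def decide(tags: set) -> str:
    """Map a tag set to a single policy action."""
    actions = [POLICY.get(t, "allow") for t in tags] or ["allow"]
    return min(actions, key=ORDER.index)


def enforce(path: Path, vault: Path) -> dict:
    """Scan one file, apply the policy and return an audit record."""
    tags = classify(path.read_text(errors="replace"))
    action = decide(tags)
    record = {"file": str(path), "tags": sorted(tags), "action": action}
    if action == "vault":
        vault.mkdir(parents=True, exist_ok=True)
        dest = vault / path.name
        shutil.move(str(path), str(dest))
        # Stub left in place of the relocated file, as the discovery
        # product's "notification" option does.
        path.write_text(
            f"This file contained {', '.join(sorted(tags))} data and was moved "
            f"to {dest} by DLP policy. Contact security to request access.\n"
        )
        record["moved_to"] = str(dest)
    return record


def demo() -> list:
    """Run the scanner over constructed sample files in a fresh temp dir."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "invoice.txt": "Card on file: 4111 1111 1111 1111 exp 12/27",  # Luhn-valid test PAN
        "notes.txt": "Patient MRN: 00123456 seen for follow-up",
        "hr.txt": "Employee SSN 123-45-6789 (constructed)",
        "readme.txt": "Nothing sensitive here. Order id 1234567890123 .",  # 13 digits, fails Luhn
    }
    for name, text in samples.items():
        (root / name).write_text(text)
    return [enforce(root / name, root / "vault") for name in samples]


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The Luhn check is what keeps a 13-digit order number from being tagged as a card number; without a validity check of that kind, a pattern-only scanner generates the false positives that make administrators loosen policies. The stub written in place of the vaulted file is the piece users actually see, so it names the classification and where to ask for the file rather than silently deleting it.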

Summary

Digital Guardian DLP products cover several enterprise IT areas, including endpoint devices, networks and cloud services. The suite also includes a data discovery component designed to help companies identify and audit potentially unsecured data within the IT environment. Together the products cover data in use on endpoints, data in transit on networks, data at rest, and cloud and mobile data. Digital Guardian’s products are designed to meet the needs of large enterprises as well as small and medium-sized businesses.

Customers can access the Digital Guardian Support Portal for 24/7 technical support, FAQs, tutorials and other information. Digital Guardian also offers free product trials. Companies interested in Digital Guardian for Data Loss Prevention and other DLP products should contact the vendor for pricing and licensing information.

Next Steps

Part one of this series looks at the basics of data loss prevention products

Part two examines the business case for DLP products

Part three explores usage scenarios for DLP products

Part four focuses on procuring DLP products

Part five offers insight on selecting the right DLP product

Part six compares the best DLP products on the market

This was last published in November 2016

–News collected and synced by Info Security Solution Kolkata,

Fake online news still rattling cages, from Facebook to Google to China

Post-election, the ripples from fake online news continue to rock boats, from Google to Facebook to China and beyond.

The way to tackle the problem, as far as China’s concerned, seems to be to track down those who post fake news and rumors, and then “reward and punish” them – whatever that means.

According to Reuters, Chinese political and business leaders speaking at the World Internet Conference last week used the spread of fake news, along with activists’ ability to organize online, as signs that cyberspace has become treacherous and needs to be controlled.

Ren Xianling, second in command at the Cyberspace Administration of China (CAC), said that the country should begin using identification systems to track down people who post false news and rumors.

It’s one more step on the road to a more restricted internet: one that China’s already walking and one that extends even beyond its infamous Great Firewall of censorship.

Earlier this month, the country adopted a controversial cybersecurity law, set to go into effect in June 2017, that has companies fearing that they’ll have to surrender intellectual property or open backdoors in their products in order to operate in China.

Meanwhile, over at Facebook, employees have reportedly gone rogue, forming an unofficial task force to study fake news.

According to BuzzFeed, the renegades have already disagreed with CEO Mark Zuckerberg, who called it “a pretty crazy idea” to think that fake news on Facebook influenced the outcome.

He’s since dialed it back, saying that this is an issue that Facebook has “always taken seriously”.

Over the weekend, Zuck took to his personal Facebook page to post seven projects launched to tweak the site and polish the algorithms that pushed fiction to the top of Trending, where it’s been masquerading as real news.

They are:

  • Stronger detection in the systems that spot misinformation, so users don’t have to flag it themselves.
  • Much easier user reporting.
  • Third-party verification by fact-checking organizations.
  • Possible warnings on stories flagged by those fact-checkers or the Facebook community.
  • Raising the bar for what stories appear in “related articles” in the News Feed.
  • Cutting off the money flow. “A lot of misinformation is driven by financially motivated spam. We’re looking into disrupting the economics with ads policies like the one we announced earlier this week, and better ad farm detection,” Zuckerberg said.
  • More input from news professionals, to better understand their fact-checking systems.

As the media has been covering in minute detail post-election, it’s been suggested that such fake news swayed voters, who shocked much of the world by voting for Donald Trump in the US presidential election.

If we bounce on over to Google, another heavyweight in the news dissemination machinery, we find that it’s reportedly planning to remove its “In the news” section from the top of desktop search results in coming weeks.

Google got dragged into the fake news mess last week, when its search engine was prominently displaying a bogus report about Donald Trump having won the popular vote.

One of the top results for the In the news section when visitors searched for “final election count” was a blog, 70 News, that falsely claimed Trump had won the popular vote by a margin of almost 700,000.

He didn’t. As of Tuesday, votes were still being counted, but Hillary Clinton’s lead of 1.7 million votes was still growing.

Business Insider spoke to a source familiar with Google’s plans who said that it will replace the In the news section with a carousel of top stories, similar to what it now features on mobile.

The plan was in the works for some time before the 70 News piece got featured.

The removal of the word “news” will, hopefully, help visitors distinguish between Google’s human-vetted Google News product and the results of its Google Search engine, which don’t get assessed on the basis of whether they’re true or not – just whether they’re newsy.

However, Google has made clear that it’s not interested in serving up nonsense. Last week, Google CEO Sundar Pichai had this to say on the matter:

From our perspective, there should just be no situation where fake news gets distributed, so we are all for doing better here.

To put some bite into that bark, Google said it would starve out fake-news sites, banning them from its ad network and all that revenue. Facebook did the same.

In his post, Zuckerberg stressed that this is complex stuff, technically and philosophically. Facebook doesn’t want to suppress people’s voices, so that means it errs on the side of letting people share what they want whenever possible. The more people share, the more the ad revenue flows, and it doesn’t matter to ad revenue what people share, be it divine inspiration or drivel.

But over at Princeton University, four college students last week showed that as far as the technical part of the equation goes, it might not be quite that hard after all.

The Washington Post reports that the four spent 36 hours at a hackathon, coming out the other end with a rudimentary tool to block fake news sites.

They’re busy with class work and a little overwhelmed with an outpouring of interest. Want to have a spin with their Chrome extension? Here you go: they open-sourced it.

As the fake-news saga keeps spinning, bear in mind that we can influence this, too. If we see something that we consider fake and comment on it, that’s a +1 as far as the algorithms are concerned.

Did you share it with friends so you can all laugh at how dumb the post was? That’s another +1. All your friends who chimed in? +1, +1, +1, +1. Instead, just ignore it; starve fake news until it shrivels out of our feeds.

It’s the final countdown for SHA-1 SSL certificates

It’s been dying for a while, and now we’re in the final days of what was once one of the most widespread types of SSL certificates: those signed with SHA-1. We now have timelines from Apple, Microsoft, Google and Mozilla for when their browsers will stop trusting websites that still use SHA-1 SSL certificates. For those cheering the demise of this much-maligned algorithm, the news is good, as the end is quite near:

  • Google Chrome: At the end of January next year, with the release of version 56, Chrome will stop trusting any SHA-1 SSL certificate and will provide a security warning.
  • Mozilla Firefox: With the release of Firefox 51 in January, the browser will show an “untrusted connection” error warning for any site still using SHA-1.
  • Apple Safari: We do not have exact dates on when Apple will officially stop trusting SHA-1 certificates. The latest release notes for MacOS urge sites to drop SHA-1 as soon as possible, and websites loaded in the Sierra version already do not show the green padlock that indicates a trusted site.
  • Microsoft Internet Explorer and Edge: Starting on February 14, websites still using SHA-1 will get a rather unpleasant Valentine’s Day gift: the browsers will not load their pages by default, though users can still opt to continue to the website after seeing a warning message.

It should be noted in many of these cases, manually installed or self-signed certificates will still be supported.

This deprecation has been a long time coming. For quite a while, almost all websites used SHA-1-signed certificates for their SSL/TLS deployments. Unfortunately, while it was ubiquitous, SHA-1 was also showing its age. The weakness that matters for certificates is collision resistance: an attacker who can produce two different inputs with the same SHA-1 digest can have a CA sign a harmless certificate and transplant that signature onto a malicious one, and collision attacks on SHA-1 have been improving since 2005. SHA-1’s raw speed is a separate problem when it is used to hash passwords: websites that stored users’ passwords as unsalted SHA-1 hashes were offering them up to attackers quite readily, since, as previously covered on Naked Security, a password-cracking server can run through every plausible password candidate hashed with SHA-1 in about an hour.

Because of its widespread use and speed, sites that hashed passwords with plain SHA-1 rather than a deliberately slow password hash have been a tempting target for password crackers. As a result, SHA-1 sat at the heart of several high-profile breaches, including LinkedIn and LivingSocial.
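To make the password-hashing half of that concrete, here is an added example (not from the article or from Naked Security) that runs a dictionary attack against a constructed table of unsalted SHA-1 password hashes and then against the same passwords stored with a salted, iterated hash. The wordlist, the user table and the iteration counts are constructed for the example; everything used is in Python’s standard library, so it runs offline.

```python
"""Added example, not from the article: why unsalted SHA-1 password
hashes fall to a dictionary attack at once, and what salting plus an
iterated hash changes. The wordlist, the user table and the iteration
counts are constructed for the example; hashlib and hmac are standard
library, so it runs offline.
"""
import hashlib
import hmac
import os
import time

# Constructed wordlist and a constructed "leaked" table of unsalted
# SHA-1 password hashes, in the style of the 2012 LinkedIn dump.
WORDLIST = ["password", "123456", "letmein", "qwerty", "linkedin", "Summer2016!"]
LEAKED_SHA1 = {
    "alice": hashlib.sha1(b"letmein").hexdigest(),
    "bob": hashlib.sha1(b"Summer2016!").hexdigest(),
    "carol": hashlib.sha1(b"correct horse battery staple").hexdigest(),  # not in WORDLIST
}


def crack_unsalted_sha1(table: dict, words: list) -> dict:
    """Hash each candidate once, then look up every user's stored hash.
    With no salt, one pass over the wordlist attacks all accounts at once."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in words}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def store_salted(password: str, iterations: int = 100_000) -> tuple:
    """Salted, iterated storage with PBKDF2-HMAC-SHA256. The random salt is
    per user; the iteration count sets the attacker's per-guess cost."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_salted(password: str, record: tuple) -> bool:
    """Constant-time comparison of a candidate against a stored record."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_salted(records: dict, words: list) -> dict:
    """The same dictionary attack against salted records: every candidate
    has to be rehashed for every user, at the full iteration cost."""
    found = {}
    for user, record in records.items():
        for w in words:
            if verify_salted(w, record):
                found[user] = w
                break
    return found


def guesses_needed(users: int, words: int, salted: bool) -> int:
    """Hash evaluations for one full dictionary pass over `users` accounts."""
    return users * words if salted else words


def sha1_rate(seconds: float = 0.2) -> int:
    """Rough single-core SHA-1 guesses per second in a pure Python loop
    (dedicated GPU crackers are several orders of magnitude faster)."""
    n, deadline = 0, time.perf_counter() + seconds
    data = b"Summer2016!"
    while time.perf_counter() < deadline:
        hashlib.sha1(data).digest()
        n += 1
    return int(n / seconds)


if __name__ == "__main__":
    print("unsalted SHA-1:", crack_unsalted_sha1(LEAKED_SHA1, WORDLIST))
    salted = {u: store_salted(p, 20_000) for u, p in [("alice", "letmein"), ("bob", "Summer2016!")]}
    print("salted PBKDF2:", crack_salted(salted, WORDLIST))
    print("guesses for 10k users x 1M words, unsalted:", guesses_needed(10_000, 1_000_000, False),
          "salted:", guesses_needed(10_000, 1_000_000, True))
    print("SHA-1 guesses/s here:", sha1_rate())
```

Both attacks recover the weak passwords; the difference is cost. Against the unsalted table one pass over the wordlist cracks every account, while the salted, iterated store forces one full PBKDF2 computation per user per guess, and the iteration count can be raised as hardware gets faster. Note that this is the password-storage weakness; the certificate deprecation above is about collision resistance, which salting does nothing for.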

This is despite the fact that websites still using SHA-1 based SSL had a number of high-profile warnings to make the switch – including the Heartbleed vulnerability, which forced many sites using SSL to deploy new certificates as a matter of course.

That’s why there have been countless calls for SHA-1 to be dropped from use as far back as 2005. In 2012, NIST updated its security guideline in Special Publication 800-57, recommending the deprecation of SHA-1 as a standard. And in 2014, when Google stated it would actively penalize websites still using SHA-1 for SSL after 2016, people who hadn’t gotten the message yet started to sit up and take notice.

And with the end of 2016 upon us, the deadline is very real. Thankfully it looks like most websites have taken the deprecation seriously: Mozilla estimates that less than 1% of websites are still using SHA-1 SSL certificates today, though others estimate that as much as a third of the web still does. Whatever the figure, their days are numbered.

ClickClickClick , every click you take, we’ll be watching you

I had to leave the site ClickClickClick. It wasn’t too happy about it.

I turned the audio on, as ClickClickClick told me to do, so I can still hear the site begging me not to go.

Are you still there? You haven’t been around for quite some time now. I’m thinking, do you still like me?

The running audio commentary on my clicks, mouse movements and activity/inactivity is made in a jaunty Dutch accent – the site was created by Dutch media company VPRO and the Amsterdam-based interactive design company Studio Moniker.

It’s a simple site – a white screen with a big green button labelled “Button” in the middle – and it has a simple mission: to observe and comment on everything that visitors do on the site, in great detail, and to thereby remind visitors about just how closely our online behavior is monitored.

As a cyber wolf would have said to a cyber Little Red Riding Hood, all the better to profile and target-market at you, my dear!

Wait… is ClickClickClick sniffling? Is it crying?

Subject! Stay focused! …inactive… waiting possibly for something to happen? Come on, subject. You were being so great. Do something. Moving around a lot now. Curious and energetic. Interesting.

Studio Moniker designer Roel Wouters told news.com that ClickClickClick was designed to remind people about the serious themes of big data and privacy.

Fellow designer Luna Maurer said that her own experience with target marketing came into play:

I am actually quite internet-aware, but I am still very often surprised that after I watched something on a website, a second later I get instantly personalized ads.

There’s nothing unique about ClickClickClick’s tracking. The only thing that’s unique is that it’s upfront about it, letting us see the granularity of that tracking in an ongoing log that streams on-screen with notations including where on the screen you moved, whether you zigzagged or moved straight, how many pixels, how long you were inactive and the like.

No, there’s nothing new about any of it: capturing the X and Y coordinates of the cursor on a page is a simple task in JavaScript, and it has been for a very long time.

Back in 2013, Facebook was mulling silently tracking users’ cursor movements to see which ads we like. Some reacted to the possibility by swearing off Facebook entirely.

It’s not just Facebook, though: any site can do it. It’s very easy.

It’s the job of user interface designers to understand how people interact with web interfaces. Their job is to figure out where users have problems and how to improve their overall experience.

Collecting user behavior on sites enables those designers to work on issues such as where and why users drop off at a checkout page on an e-commerce site, for example.

They do it through mouse tracking, heat maps, click tracking, or eye tracking, among other techniques.
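The browser half of this kind of tracking is a few lines of JavaScript: a mousemove listener that posts (timestamp, x, y) triples to the site. What ClickClickClick makes visible is the other half, the summary the receiving side builds from that stream. The following is an added example of that receiving half, not ClickClickClick’s or Studio Moniker’s code; the event stream is constructed and the idle and turn thresholds are assumptions.

```python
"""Added example, not ClickClickClick's or Studio Moniker's code: the
summary a tracking endpoint can compute from the raw cursor events a page
sends it. The browser half is a mousemove listener that posts
(timestamp, x, y) triples; this is the receiving half, run over a
constructed event stream. The idle and turn thresholds are assumptions.
"""
import math

# Constructed event stream: (milliseconds since page load, x, y).
EVENTS = [
    (0, 100, 100), (50, 140, 102), (100, 180, 101), (150, 220, 103),    # straight run right
    (200, 200, 140), (250, 230, 180), (300, 190, 220), (350, 240, 260),  # zig-zag
    (12_350, 240, 262),                                                   # back after 12 s idle
    (12_400, 300, 262),
]


def summarize(events: list, idle_ms: int = 5000, turn_rad: float = math.pi / 3) -> dict:
    """Pixels travelled, sharp direction changes, idle gaps longer than
    idle_ms, and a crude straight/zigzag verdict for the stream."""
    if len(events) < 2:
        return {"pixels": 0.0, "turns": 0, "idle_gaps": [], "style": "none"}
    pixels, turns, idle_gaps, prev_angle = 0.0, 0, [], None
    for (t0, x0, y0), (t1, x1, y1) in zip(events, events[1:]):
        dx, dy = x1 - x0, y1 - y0
        pixels += math.hypot(dx, dy)
        if t1 - t0 >= idle_ms:
            idle_gaps.append(t1 - t0)
            prev_angle = None            # the first move after a pause is not a "turn"
            continue
        if dx == 0 and dy == 0:
            continue
        angle = math.atan2(dy, dx)
        if prev_angle is not None:
            # smallest difference between the two headings, folded into [0, pi]
            delta = abs((angle - prev_angle + math.pi) % (2 * math.pi) - math.pi)
            if delta > turn_rad:
                turns += 1
        prev_angle = angle
    segments = len(events) - 1
    style = "zigzag" if turns >= max(2, segments // 3) else "straight"
    return {"pixels": round(pixels, 1), "turns": turns, "idle_gaps": idle_gaps, "style": style}


def narrate(summary: dict) -> str:
    """ClickClickClick-style running commentary built from the summary."""
    parts = []
    if summary["idle_gaps"]:
        parts.append(f"subject has been gone for {max(summary['idle_gaps']) // 1000} seconds")
    parts.append(f"moved {summary['pixels']:.0f} pixels")
    if summary["style"] == "zigzag":
        parts.append("moving around a lot, curious and energetic")
    elif summary["style"] == "straight":
        parts.append("moving in straight lines, focused")
    return "; ".join(parts)


if __name__ == "__main__":
    s = summarize(EVENTS)
    print(s)
    print(narrate(s))
```

Nothing here needs a cookie, a login or any identifier beyond the session that delivered the events, which is the point the site is making: the behavioural profile comes for free with the page, and the only thing unusual about ClickClickClick is that it reads the profile back to you.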

Unusual behavior… Subject has been gone for 10 minutes… Very slow. Boring like hell.

If the thought is offputting, what’s the answer? Swearing off Facebook, or smart pages by witty Dutch programmers, isn’t going to stop you being tracked minutely online. And unlike ClickClickClick, you won’t know when it’s happening.

So you either have to put up with it, stop using the web or use something like NoScript – an extension that blocks JavaScript, Java, Flash, Silverlight, and other “active” content by default in Firefox – to block the execution of scripts that you’re unsure of.

Subject seems unsatisfied… hmmm… is subject thinking about Facebook or something?

No, you funny Dutch psychotherapist cyber bloodhound, I’m not thinking about Facebook. I’m thinking of all the other stunts sites can pull using JavaScript – like this one, where JavaScript was being used to slip files in quietly and automatically, like a drive-by download.

Subject possibly neglects social obligations. A loner? [yawn].

A loner? Possibly! But still open to being chatted up, and educated, by a site like ClickClickClick!

If you want to avoid the more nefarious, less charming uses of JavaScript, the Sophos XG Firewall is 100% free for home use, including email scanning, web filtering, intrusion prevention, a VPN and much more.

NY DA wants to turn back the clock on smartphone encryption

The Manhattan District Attorney’s Office released an updated report denouncing smartphone encryption, but experts said the data was willfully misleading.

Cyrus Vance, Jr., district attorney for New York County, released version 2.0 of the Report on Smartphone Encryption and Public Safety. According to the report, the Manhattan DA’s Office has “423 Apple iPhones and iPads lawfully seized since October 2014 [that] remain inaccessible due to default device encryption.” Vance said the number of inaccessible devices has been on the rise.

“While the Manhattan District Attorney’s Office has been locked out of approximately 34% of all Apple devices lawfully recovered since October 2014, that number jumped to approximately 42% of those recovered in the past three months,” the report said. “With over 96% of all smartphones worldwide operated by either Apple or Google, and as devices compatible with operating systems that predate default device encryption are becoming outdated, this trend is poised to continue.”

Experts said there was important context information omitted from this portion of the report, notably how many total cases the Manhattan DA’s Office handled over that time period in order to understand the proportion of cases influenced by inaccessible mobile devices.

Rebecca Herold, CEO of Privacy Professor, said given the population and the amount of crime in the New York area, 423 inaccessible devices collected over two years “seems very low.”

“Plus, for those 400 devices, how many were they able to get metadata, logs from associated cloud services, and other data from that did help with their investigation?” Herold asked. “They should have provided those insights to support a balanced report.”

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said the report also didn’t mention the number of people protected by smartphone encryption.

“It’s safe to estimate that the number of people protected from threat actors by iOS security is by far greater than the 400 devices in question by the Manhattan DA,” Arsene said. “Encryption technologies have caused more good than harm when it comes to protecting privacy.”

Matthew Gardiner, cybersecurity strategist at Mimecast, said “Apple sells approximately 50 million iPhones every quarter, and has sold approximately 1 billion since the beginning of time. Increasing the vulnerability of the vast majority of those users to open up 400 phones is not a reasonable tradeoff.”

The report said “approximately 10% of the impenetrable devices pertain to homicide or attempted murder cases and 9% to sex crimes,” and Arsene said these distinctions were important.

“While 400 devices might not seem like a large number, it all depends to whom those devices belong to and whether or not those individuals were involved in activities endangering national security,” Arsene told SearchSecurity. “However, it’s entirely possible that incriminating evidence involving terrorist or criminal activities could probably be procured from other sources, rather than relying on a single phone as a single point conviction.”

Surveillance and privacy

The report discussed the potential other sources for gathering investigative data, but argued against the idea that we live in a “golden age of surveillance.”

“The other sources of information may be incomplete, or unavailable to law enforcement,” the report read. “They generally do not give as complete a picture of criminal liability, or as complete access to evidence relevant to a criminal investigation or prosecution, as would a mobile device.”

Additionally, the report said the end-to-end encryption being added to communication apps like Facebook Messenger and WhatsApp “show that far from it being a “golden age” for law enforcement, today’s criminals have means of communication that are more secure from law enforcement’s scrutiny than criminals had ever dared hope.”

Experts pointed out this argument ignored two major sources of data available to investigators faced with smartphone encryption: metadata and cloud backups. Apple has admitted to providing law enforcement with metadata and iCloud backup data when presented with a valid warrant.

Arsene said there was no way to know if there was iCloud data associated with the devices in question obtained by the Manhattan DA’s Office, but he stressed that metadata can be valuable.

“Metadata is at the core of modern day information collection technologies as it removes any personally identifiable information about the individual from the picture, and focuses on his behavior, without infringing on his right to privacy,” Arsene said.

Herold said strong encryption was not only available in the U.S. and “if a terrorist or criminal is bent on keeping their communications with others strongly protected, they have many options available elsewhere throughout the world they can use.” Additionally, Herold said the constant argument for weakened encryption or backdoors has ultimately limited law enforcement from getting metadata for investigations.

“Requiring U.S. technology companies to build backdoors into encryption will result in criminals and terrorists using encryption tools from other countries, will only hurt U.S. businesses by driving all consumers to other countries for such technologies and will not lead to measurably any more capabilities for their investigation purposes,” Herold said. “In fact, investigators will now have less data, because those non-U.S. technology companies will not cooperate with U.S. investigators on cases where they could have gotten a lot of metadata, logs and other useful data beyond the encrypted data from a U.S.-based tech company, such as Apple or any other tech business they seem focused on ruling over.”

The Manhattan DA’s Office declined to comment on this story.

Getting around smartphone encryption

According to the report, the Manhattan DA’s Office “advocates enactment of a federal law that would require smartphone manufacturers and software designers whose software is used in smartphones to retain the ability to extract the information on the smartphones, if and when the manufacturer or designer receives a search warrant for that information. The proposed legislation would restore the status quo before Apple’s iOS 8, and would be no different conceptually than legislation that requires products to be safe, buildings to be constructed with exits and egresses that satisfy specific requirements, and roads to have maximum speed limits.”

The “status quo” refers to the time before iOS 8 when full device encryption was not the default for Apple products. The report asserts “the actual benefits of iOS 8’s default device encryption [has] not been demonstrated by Apple” and “default device encryption does not meaningfully increase smartphone users’ protection from unauthorized hackers.”

Experts widely disagreed with this assessment, and Herold pointed out the report referenced a decision in The Netherlands that contradicted the argument of the Manhattan DA’s Office.

In the list of actions from other countries the report pointed out that “in January 2016, the Dutch government announced that it would not require technology companies to share encrypted communications with security agencies.”

The link in the footnote quoted the Dutch Ministry of Security and Justice saying that allowing law enforcers to access protected data would make digital systems vulnerable to “criminals, terrorists and foreign intelligence services,” and added “this would have undesirable consequences for the security of information stored and communicated and the integrity of [information and communication technology] systems, which are increasingly of importance for the functioning of the society.”

Herold said, “That point summarizes the heart of the issue well: we need strong encryption for the peaceful and privacy-respecting functioning of our modern, digital society.”

The report reiterated the various security claims Apple made about iOS 7 in 2012. Specifically, it said that before iOS 8 Apple maintained the ability to aid law enforcement with investigations, and that “Apple’s method of data extraction before iOS 8 was never compromised.”

Arsene said Apple’s advancement of iOS security was “not necessarily aimed at hindering law enforcement efforts, but at offering users more privacy and security features with the purpose of adding value to Apple’s products.”

“Good enough security has never been best practice, especially since the digitalization of services and infrastructures has brought forward new attack methods and threats. Security is all about constantly developing and placing more barriers between you and the attacker, increasing the cost of attack and making it difficult for someone to gain access to your data,” Arsene said. “Cybercriminals are more creative than we’d like to think and relying on outdated or deliberately vulnerable technologies to protect and secure our data is not just bad practice, but also shortsighted.”

Ultimately, the report said there was “an urgent need for federal legislation that would compel software and hardware companies that design or build mobile devices or operating systems to make such devices amenable to appropriate searches,” but said all current attempts, including the Burr-Feinstein bill, were inadequate. Because of this, the Manhattan DA’s Office has proposed legislation that “would require those who design operating systems to do so in a way that would permit law enforcement agents with a search warrant to gain access to the mobile devices.”

Herold said “it is misleading, at best, to vilify the use of strong encryption,” and said the Manhattan DA’s Office is asking for a smartphone encryption backdoor, just without using the word “backdoor.”

“Law enforcement has got to stop propagating the false narrative of encryption being all bad. They must balance the effect of encryption to also point out the significantly larger amount of good this effective technology tool does than any harm that they always seem to focus upon,” Herold said. “Overall their report is not balanced, and is skewed to promoting fear, uncertainty and doubt within the public in an effort to get their way, and to in effect get access to everyone in the U.S.’s digital selves. If people cannot be compelled to speak in person, then they should not be compelled to have their digital voices revealed either.”

Next Steps

Learn more about how encryption legislation could affect enterprise.

Find out why experts say lawmakers don’t understand encryption backdoors.

Get info on whether the feds needed Apple’s help to bypass smartphone encryption.

Should healthcare organizations follow the NIST guidelines for HIPAA?

I recently read that HIPAA regulations require organizations to follow NIST guidelines and standards. Is this true?…

How does HIPAA incorporate NIST guidelines? Should healthcare organizations follow NIST guidelines regardless?

Although HIPAA does not directly require that covered entities follow NIST guidelines and standards, it references many of them as strong practices. NIST guidelines provide technical information and advice to organizations trying to meet common security objectives that overlap with those of HIPAA. NIST publications can therefore be valuable resources for organizations that must comply with HIPAA, helping them better understand their HIPAA obligations and how to meet them.

In particular, NIST offers its Special Publication 800-66, a document of over 50 pages entitled “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.” Describing each HIPAA requirement in turn, this guide provides details on the administrative and technical safeguards that a HIPAA covered entity can put in place for compliance.

As NIST indicates, SP 800-66 was prepared for use by government agencies, and may be used by nongovernment organizations on a voluntary basis. The document contains a disclaimer stating that it is intended for federal organizations, and that it is not intended to be, nor should it be, construed or relied on as legal advice for any other organization or person. In other words, HIPAA is still the law. The NIST publication is a helpful guide, but is one interpretation of the law, not the law itself. Consequently, it cannot be used as legal validation of a position or actions undertaken to comply with HIPAA.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)


This was last published in November 2016



–News collected and synced by Info Security Solution Kolkata,

Leaks discovered containing info from State Farm, U.S. military, others

The leaks highlight the challenges of securing customer data, as many small to mid-sized enterprises allow third-party consultants wide-scale access to cust


Security researchers disclosed a series of leaky databases on Monday that the researchers said includes data from State Farm, Sheet Metal Workers Union, Anchor Loans, and the U.S. military.

The leaks, disclosed by a research team at MacKeeper, highlight the challenges of securing customer data as small to mid-sized enterprises allow third-party consultants wide-scale access to customer data. Three of the leaking databases were discovered by MacKeeper security researcher Chris Vickery. According to a MacKeeper blog post, the insecure databases discovered by Vickery included Sheet Metal Workers Union, Goldberg Miller & Rubin, and the military consultant Venturist Inc.

Goldberg Miller & Rubin, a Philadelphia-headquartered law firm, was leaking approximately 3,000 detailed files that contained State Farm customer data, the post stated.

SC Media contacted the law firm on Monday to confirm the report, but the law firm’s director of operations and marketing was unable to comment by press time.

Venturist Inc., a military consultant that was founded by Col. John Warden, provides strategic advice to the U.S. military. According to Vickery’s blog post, an unauthenticated publicly exposed database contained data related to the U.S. Army, Navy, and Air Force Special Forces.

In a separate blog post, MacKeeper researchers disclosed an unsecured database that contained records of transaction details, investor communication logs, and client logins and passwords of the lending company Anchor Loans. The database included social security numbers, passwords, e-mail addresses, driver’s license numbers, financial details, salary and bank statements of loan applicants and the applicants’ spouses.

MacKeeper spokesman Jeremiah Fowler told SC Media that the database was unencrypted and publicly available to anyone with internet access. “Once you have that information, you can even apply for a securitized loan,” he told SC Media.

The capabilities of security researchers are “dwarfed by that of hackers,” according to Alex Holden, chief information security officer at Hold Security. “If something has been found by researchers, there is a good chance that it has already been found by hackers and used ten times over,” he told SC Media.


Symantec acquires identity protection firm LifeLock for $2.3B

Symantec made its first major acquisition of the Blue Coat Systems era with a $2.3 billion acquisition of identity protection firm LifeLock.

The Symantec-LifeLock deal is expected to close in the first quarter of 2017; the antivirus software maker paid $24 a share for LifeLock, which is approximately 16 percent higher than LifeLock’s closing stock price of $20.75. Rumors of the acquisition emerged last week with Bloomberg News reporting that Symantec, along with investment firms Permira and TPG Capital, were interested in bidding on LifeLock.

The LifeLock purchase comes just a few months after a major shakeup at Symantec. The security software giant purchased web and cloud security firm Blue Coat Systems for $4.65 billion in June; Blue Coat CEO Greg Clark was named as Symantec’s chief executive, filling the void left by former CEO Michael Brown, who resigned from Symantec in April.

However, the acquisition of LifeLock is a departure from Symantec’s recent efforts to chart a new course beyond its legacy antivirus and consumer-focused businesses and focus on new opportunities in cloud security. Following the Blue Coat acquisition, Symantec outlined its “cloud generation” vision, which was carried over from Blue Coat’s own strategy to increase its cloud security offerings and combine them with existing web and networking technology.

But in Symantec’s second quarter 2017 earnings call earlier this month, Clark stated that although the consumer security business had been in decline, he felt there was still room to grow.

“We believe the market opportunity for protecting consumers is larger than what our current consumer products address today,” Clark said. “As we move to further penetrate these opportunities, we expect the Consumer Security business to improve its growth trajectory as we move beyond the PC.”

In a conference call Monday, Clark said LifeLock’s technology will complement Symantec’s Norton consumer products and expand the scope of consumer security offerings.

“Consumers pay between 2x and 3x more for identity protection than they pay for endpoint malware protection,” he said. “With this acquisition Symantec accelerates its Consumer Business’ return to growth by offering a digital safety platform to protect information, devices, networks and identities of consumers.”

LifeLock, which was founded in 2005, has established itself as one of the leading companies in the consumer identity protection market, but the company ran afoul of the U.S. Federal Trade Commission over the years. In 2010, the company paid $12 million to settle claims that it used false claims to promote its identity theft protection services. Under the 2010 settlement, LifeLock agreed to refrain from making deceptive marketing claims and promised to “take more stringent measures to safeguard the personal information they collect from customers,” according to the FTC.

However, in 2015 LifeLock was forced to pay an additional $100 million to settle FTC contempt charges after the agency found that LifeLock had violated aspects of the 2010 settlement. Specifically, the FTC said LifeLock “failed to establish and maintain a comprehensive information security program to protect users’ sensitive personal information including their social security, credit card and bank account numbers.” In addition, the FTC found that LifeLock continued to engage in false advertising claims and failed to abide by the 2010 settlement’s recordkeeping requirements. 



Android backdoor discovered in firmware for budget devices

Budget Android devices were found harboring another cybersecurity risk, this time with an Android backdoor that could allow an attacker to gain root access.

Researchers at AnubisNetworks said the flaw, located in the firmware from Chinese company Ragentek Group, could affect as many as three million devices and allow for man-in-the-middle attacks. Although the issue affects a similar set of low-cost hardware, including smartphones from BLU, and the vulnerability is related to the over-the-air (OTA) update mechanism in firmware built by a Chinese company, AnubisNetworks said this Android backdoor is unrelated to the spyware found last week. According to AnubisNetworks, this flaw “appears to be an insecure implementation of an OTA mechanism for device updates associated to the software company, Ragentek Group, in China.”

“All transactions from the binary to the third-party endpoint occur over an unencrypted channel, which not only exposes user-specific information during these communications, but would allow an adversary to issue commands supported by the protocol,” researchers wrote in a blog post. “One of these commands allows for the execution of system commands. This issue affected devices out of the box.”

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, told SearchSecurity the Android backdoor should not be underestimated.

“Considering that a man-in-the-middle attack could potentially alter the firmware of an Android device, potentially enabling him to gain unfettered root access, this is a pretty bad hiccup,” Arsene said. “Not relying on code-signing to authenticate legitimate apps, not encrypting over-the-air communication, and hardcoding unregistered domains are a full recipe for security failure.”

AnubisNetworks said it “observed over 2.8 million distinct devices, across roughly 55 reported device models” but there could be more smartphone models affected. One device, the BLU Studio G, could be purchased in retail stores in the U.S., but most other vulnerable devices came from manufacturers targeting developing regions outside of the U.S.

Arsene said recent events should make enterprises considering budget devices think about the security implications.

“While most enterprises usually opt for mid-range or high-end devices for employees, recent findings regarding budget phones should probably have companies on their toes,” Arsene said. “Not because they could also be using some of these devices, but because of the nature of the vulnerability and the lack of control when it comes to fully managing Android devices. In light of recent events regarding budget phones, it seems that users worried about security should probably think twice when going for really low budget devices.”



Alternative social network Ello in plaintext password glitch

Back in March 2014, an alternative social network called ello.co went live, claiming to offer an online hangout where users were just that: users, not click-generators.

There was no real-name policy, either: a working email address was all you needed to sign up, so you could be jemima3329 just as easily as you could be Your Name Here.

Of course, it’s hard for an upstart social network to get much traction in a world where the behemoths already have tens, hundreds or even thousands of millions of existing users.

In social media, as in many public-facing endeavours, nothing breeds success like success, so those who have already succeeded have a huge advantage.

Nevertheless, Ello seems to have carved itself a social networking niche, with privacy and anonymity probably more important than many mainstream networks, given the often NSFW content it contains.

That’s why users took to Twitter over the weekend to express their surprise that when they logged in from here…


…they would sometimes end up at a web page like this:

Usernames and plaintext passwords were there in the URL for anyone to see.

Actually, to be fair, not just anyone could see them, because the site uses HTTPS, and encrypted web traffic scrambles the URLs you visit as well as your requests and replies.

Nevertheless, passwords and other personally identifiable information should never be included in URLs, for two simple reasons:

  • There’s no need for it, because it’s just as easy to transmit sensitive data in the body of a web form submission instead.
  • URLs often end up saved in many more places than you might like, such as browser histories and server logs.

In a plain, old-school HTML page, we’re talking about the difference between a form like this…

…and this:

If you just write <form>, you get the equivalent of <form method="GET">, which tells your browser to package the data into the URL itself, like this:

http://example.com/login.html?name=anon&pass=passW0RD

If you deliberately say <form method="POST"> instead, then your browser will make an HTTP POST request, effectively an upload with the form data in the body of the request itself, where it won’t end up in your browser’s history by mistake:

POST /login.html HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

name=anon&pass=passW0RD

Until this morning, Ello’s login form looked much like the first example above: no method was specified because the form’s submit was handled by JavaScript rather than directly by the browser.

Most of the time, the submit in Ello’s forms worked just fine, generating a pair of HTTPS requests like this:

Your username and password were packaged as a JSON (JavaScript Object Notation) data structure in the POST request:

But for reasons that the company hasn’t yet figured out, the JavaScript needed to make the submit behave correctly would occasionally fail to run in time.

That left you with a form that was submitted directly by your browser, with your username and password appended to the URL, as depicted above.

When you’re programming, take care to say what you mean, and watch out for defaults that could kick in and deliver the opposite of what you expect.

Ello’s immediate workaround was to insert method="POST" tags into its authentication forms, as you can see here:

Ello also told us that:

  • Passwords are stored in salted, hashed and stretched form, as recommended here on Naked Security. (The company uses the bcrypt algorithm with a work factor of 10.)
  • URLs are checked for content that looks like password parameters before they are logged, and anything that looks like password data is blanked out first.
  • All traffic to its servers and from its servers to the relevant database backends uses TLS (web encryption).

Clearing your browser history should be enough to get rid of any local copies of your password that may have ended up on disk.

If you’re still worried, we suggest you change your password, too.
