Wednesday, September 20, 2017


Our purpose is to provide the right information to our readers. For obvious reasons, our information journey will of course be ever changing, but from the outset we plan on the following: Break down and communicate knowledge relating to Cyber Crime, Cyber Security, Information Security and Computer Security. Use Risk Management practices to help in translating the technical aspects of the Risks, Threats and Vulnerabilities into business language. Communicate the appropriate Controls necessary to reduce the Impact and Probability. We will do this by: Identifying, collating and providing relevant information. Highlighting relevant News articles. Investigating trends and providing Analysis. Providing How-to tips and tricks to reduce the Threats and Vulnerabilities. Offering Products and Solutions designed to mitigate or defend against the risks. ------ Joe Woods, Editor and CTO

Security professionals warn against relying on cyber insurance

Security professionals have warned businesses not to rely on cyber insurance in the face of increased cyber attacks. The warning comes after the head of the largest Lloyd’s of London insurer, Stephen Catlin, said cyber attacks are now so dangerous to global businesses that governments should step in to cover the risks. The founder of insurer Catlin Group said cyber security presented the biggest, most systemic risk he has come across in all of the 42 years he has worked in insurance, according to the Financial Times. “Our balance sheets are not large enough to pay for that,” Catlin told the Insurance Insider London 2015 conference. Analysts said Catlin’s comments underscore the reservations that insurers have about underwriting cyber security risks. He pointed out that cyber risks are difficult to model and vulnerability in widely-used software or internet architecture can bring down systems globally. Catlin said governments have already had to establish state-backed schemes to provide terrorism cover, such as Pool Re in the UK, but he said cyber security presented an even bigger threat than terrorism. Fujitsu enterprise and cyber security solutions architect for the UK and Ireland Rob Lay said businesses should not rely on insurance as a way of protecting themselves from an attack. “While insurance may help mitigate some of the financial impact of a security incident or breach, the reputational impact and the impact to the business operation cannot be mitigated with insurance in the same way,” he said. Lay said that businesses should instead aim to be smart with their approach and consider the people, process and technology elements when it comes to responding to the threats they face. “By taking this risk-based approach, businesses can ensure that they are dealing with the largest and most dangerous issues first,” he said.
Lay said a recent Fujitsu study on digital enablement showed that for the 12% of UK consumers who said they never use digital services, security was a top concern. Arbor Networks director of solutions architects Darren Anstee said the costs around successful cyber attacks can be very considerable, especially where customer personal or credit information is involved. “Unfortunately, given the value of this information, in many cases this is what attackers are after,” he said. According to research from the Economist Intelligence Unit, sponsored by Arbor Networks, the demand for insurance products which insure against losses due to cyber attacks is growing strongly. “However, market penetration is still relatively low,” said Anstee. “In this year’s Arbor Worldwide Infrastructure Security Survey, only 6% of non-service provider respondents indicated that they had contracted with an insurance provider for assistance in this area, and for service providers it was even lower at 2%,” he said. Anstee said that as the costs around successful cyber attacks – and thus the business risks – become more widely appreciated, organisations will hopefully invest to raise their security posture. “However, defending organisations from today’s threats is not all about technology, there needs to be at least as much focus on the people, processes and workflows that are involved,” he said. Anstee said incident responders need to be able to identify, prioritise and investigate threats as efficiently as possible, and they need access to threat intelligence and tools that facilitate this process.

Ultra Electronics AEP Offers BACS Payments SaaS Solution on G-Cloud 6...

Ultra Electronics AEP announces its PayGate™ Online secure payments processing service is now available to public sector organisations via the government's Digital Marketplace. Public sector organisations can now purchase AEP's innovative secure online payments processing service, PayGate™ Online, with advantageous Software as a Service (SaaS) pricing, after AEP announced that the company has been accepted onto the UK government's G-Cloud 6 Framework. The framework has been created to save public sector organisations and suppliers' time and money when embarking on IT programmes involving procurement. G-Cloud is different from other frameworks as it allows public sector organisations to pay for services as they use them, rather than being tied to inflexible, long-term contracts. AEP's BACS approved PayGate Online is a cloud-based payments service which allows the user to safely and securely submit payments and transaction data for BACS Direct Credit, Faster Payments and Direct Debit, all via a dedicated web portal. PayGate Online is fully RTI compliant, easy to use, encrypts data in transit, has built in checks to detect errors and is backed by a UK support desk, with over 30 years customer support. Nick Newman, Payments Business Manager at AEP, commented: "PayGate Online is a simple alternative to installed software solutions and outsourcing to BACS and payroll bureaux. AEP is the only BACS Approved Software supplier to also develop and manufacture its own Hardware Security Module (HSM), PayGate HSM, providing the highest level of security available for payment transactions". # ENDS #
About Ultra Electronics AEP: AEP provides trusted security everywhere, developing high-assurance security and communication technologies and automated payment solutions, securing data regardless of device, environment or location, tested and accredited to industry security standards, including FIPS, Common Criteria and CAPS. Trusted by businesses, governments and the defence sector, its extensive portfolio of products and solutions protect the integrity of very sensitive data and are extremely reliable, survivable and resilient. AEP is a business unit of Ultra Electronics, an internationally successful defence & aerospace, security & cyber, transport and energy company with a long, consistent track record of development and growth. Ultra businesses constantly innovate to create solutions to customer requirements that are different from, and better than, those of its competitors. For more information, please visit www.ultra-aep.com. Enquiries: John Bailey, Marketing Manager, 01628 642600. PayGate is a trademark of Ultra Electronics Limited. Source: RealWire

GCHQ snooping ruling does not go far enough, says Open Rights...

The recent ruling that mass surveillance of UK citizens' internet communications by the UK intelligence services was unlawful until the end of 2014 does not go far enough, according to Open Rights Group. The Investigatory Powers Tribunal (IPT) ruled that UK intelligence agency GCHQ had breached the Human Rights Act by using intelligence on UK residents from the US National Security Agency (NSA). The IPT found the secret intelligence sharing between the UK and the US was unlawful prior to December 2014 because the policies governing these arrangements were secret. These policies were made public in December 2014 during a case brought by Privacy International, Bytes for All, Liberty and Amnesty International. The IPT judgement rules that GCHQ was in breach of Article 8 of the Human Rights Act, which governs the right to a private and family life, as well as Article 10, which covers the right to freedom of expression. However, in an earlier ruling, the IPT held that access by GCHQ to NSA data was lawful from December 2014 onwards, because the case itself had rendered some of the secret policies more transparent. That ruling now faces further legal challenges from human rights groups. Open Rights Group said that while it welcomes the ruling on 6 February 2015 as the first time the IPT has found the UK’s intelligence services to be in breach of human rights law, the finding relates to historic practices only. The IPT has already said it believes intelligence sharing is currently lawful, since the disclosure of the secret policies during the IPT proceedings. In the same December 2014 judgment, the IPT also found that GCHQ’s Tempora programme of mass surveillance was in accordance with the law. Open Rights Group legal director Elizabeth Knight said the ruling was a welcome first step. "It shows that secret policies are not an acceptable basis for highly intrusive intelligence sharing practices. However, the IPT has not gone far enough,” she said.
“These flimsy policies are not enough to comply with the requirements of human rights law, even now they are public. And GCHQ’s own Tempora programme of mass interception is clearly both unlawful and disproportionate. “We hope the European Court of Human Rights will go further than the IPT and find that mass surveillance breaches our human right to privacy.” Open Rights Group has an application pending at the European Court of Human Rights, which challenges both intelligence sharing and GCHQ’s Tempora programme based on non-specific, blanket warrants. The case, brought along with Big Brother Watch, English PEN and German computer scientist and writer Constanze Kurz, has been on hold awaiting the outcome of the IPT case. The case is expected to go ahead soon, now the IPT has given its ruling. Similar European court cases are planned by Amnesty International, Privacy International, and Bytes for All.

California lawmaker proposes warrant requirement for digital data access

"Californians recognize the risk to their privacy," Sen. Mark Leno tells Ars.

Dealer pleads guilty to selling drugs on the Silk Road

Ohio man was arrested in 2012 while picking up package of drugs from post office.

The hitman scam: Dread Pirate Roberts’ bizarre murder-for-hire attempts

On the darkweb, no one is who they seem.

Poor Reliability Threatens to Slow EMV Card Adoption in U.S.

NEWS ANALYSIS: A trial of EMV chip cards reveals an unacceptably high rate of failures that could compromise their adoption at U.S. retail outlets. One of the store managers at a Walmart store in Fairfax, Va., stood next to me as we watched a sales transaction fail—again. This was the third time I'd tried to pay for a phone charger using a debit card equipped with an EMV chip, and for the third time it failed. Each time the message on the screen of the point of sale (POS) terminal said the same thing, "Cancelled." Next I slid my American Express card into the EMV slot on the terminal, and the sale went as it should have to complete the purchase of the charger I needed to replace the one that I'd left on a United Airlines 777 a few days before as I returned from Germany. My EMV troubles actually started while on my Germany visit. A few days before my Walmart visit, I had to visit a T-Mobile store in Hannover, Germany, to replace a cell phone that had, in technical terms, "died." My EMV-equipped MasterCard had not been able to complete the purchase, although the error message was different from the one I experienced in my local Walmart (perhaps because it was in German instead of English). Again, I was able to use an alternate card. This turned out to be a harbinger of future behavior as the chip and PIN card the bank had told me so confidently would work in Europe didn't actually work. A second test in Germany came at the Frankfurt airport when my newly acquired EMV-equipped card failed in its critical mission of helping me obtain a particularly interesting single malt Scotch whiskey at the duty-free store. This time instead of saying it was canceled, the POS terminal just said the chip was invalid. Fortunately, I'd taken several chip cards along on the trip to Hannover, so I had a backup that did work.
But by the time I'd reached the Walmart to purchase the phone charger, I'd had occasion to try to use six different EMV-equipped cards, of which two failed to function as they should have. Both of the failed cards were of the chip and PIN variety. Once I'd returned to the U.S., I called the banks about the problems with their respective cards, and in both cases the customer service representatives seemed unsurprised. One said that he'd experienced this problem before. "This is what happens when the chip is defective," he'd explained while ordering a replacement card for me. At the other bank, the response was similar when the agent said he'd send the replacement even before I'd finished describing the failure. While I don't have any numbers to prove it since the banks aren't sharing information about failure rates or related problems, it was clear from the response of the support staff that my experience wasn't rare or unusual. During this time I heard from others via social media of similar problems at other stores. A friend of my daughter was having trouble using her chip card anywhere that accepted the card.

Google Study Shows Users Fail to Understand Security Warnings

Researchers found ways to improve Internet users' adherence to advice, but users still demonstrated they don't understand what is at stake. Few users who encounter an alert through their browser actually read or understand the suggested advice but can be guided to take corrective action, according to a study by Google and University of Pennsylvania researchers, who hope to find ways to fix the problems. In a study to be presented in April, the group of nine researchers found that the use of graphics to promote the most secure course of action, known as opinionated design, dramatically increased the number of users who follow a recommended course of action. Yet, despite that success, relatively few users understand warning text that describes the threat or what data could be at risk. “Comprehension rates remain lower than desired for all of the SSL warning texts that we tested,” the researchers stated. “This is disappointing, as we view comprehension as more important than adherence.” The Secure Sockets Layer (SSL) is the foundation of much of the security on the Web and the Internet. SSL is the most popular way to encrypt network communications and is used to secure traffic to and from Web servers and between email servers and clients. The standard continues to evolve, with a more modern version known as the Transport Layer Security (TLS) protocol. Google has focused on securing SSL as part of its continuing development of the Chrome browser. In September, for example, the company decided to phase out the acceptance of SSL certificates based on a cryptographic protocol known as SHA-1. Because many users assume SSL warnings are false alarms, Google researchers have studied what causes SSL errors, finding that they are not just caused by man-in-the-middle attacks and bad Web coding, but by many factors. Some issues are simple errors, such as incorrect certificates or an incorrectly set clock on the client systems.
Other issues are not errors, but infrastructure that does not play by the SSL rules, such as captive portals or networks that intercept SSL requests, a typical network design within primary and secondary schools. Finally, a minority are attacks, from serious malware to Internet service providers attempting to add advertisements onto Websites. The ideal SSL warning should allow users to understand the source of the threat, what data is at risk and whether the alert could be due to misconfiguration or a false positive, according to a Jan. 30 presentation by Adrienne Porter Felt of the Chrome security team. The researchers adopted visual cues, such as a red lock and a yellow background, to try to increase the proportion of users who follow the browser’s advice. Called opinionated design, the technique increased the proportion of users who followed the warning to 61 percent in real-world testing, compared with 37 percent for warnings in the prior version of the software. Yet, reducing the complexity of the language accompanying the warnings failed to markedly increase comprehension of the threats. The researchers used simpler sixth-grade-level language, rather than the eleventh-grade language of previous warnings, to describe a specific risk and added an illustration of a red lock. The researchers were clearly frustrated by the results. “Why do all warnings—including ours—fail?” the paper’s authors asked. “Although we tried to follow best practices, we faced tradeoffs between contradictory advice. Our choices may not have been optimal. This suggests a need for more research into the relative importance of brevity, specificity and non-technicality in security warnings.”

Sites featuring terrorism or child pornography to be blocked in France

ISPs will have to block questionable content within 24 hours of notice.

Alleged swatting prankster “Famed God” arrested in Las Vegas

Teen's computers point to swatting incidents nationwide, authorities said.

Right to Be Forgotten on Web Applies Only Within EU, Panel...

A Google-commissioned group said the directive's objectives can be met without taking it global, but some privacy advocates beg to differ. A Google-appointed group of advisors said the company has little reason to implement the European Union's right to be forgotten mandate on a global basis. In a 44-page document released Feb. 6, the eight-member panel of academicians, rights advocates and legal experts held that Google could meet the objectives of the mandate by limiting its requirements to European-directed search services. The right to be forgotten directive basically gives individuals in the EU the right to ask Google to remove links in its search engine results in certain situations. Google has maintained that it can fulfill the requirements of the directive by removing links in search engine results in the EU but not elsewhere. The advisory panel today sided with that viewpoint. "There is a competing interest on the part of users outside of Europe to access information via a name-based search in accordance with the laws of their country, which may be in conflict with the [requirements of the EU directive]," the panel said in its report. "There is also a competing interest on the part of users within Europe to access versions of search other than their own," the report noted.  The council supports the objectives of the right to be forgotten directive. But, "given concerns of proportionality and practical effectiveness, it concludes that removal from nationally directed versions of Google's search services within the EU is the appropriate means to implement the ruling at this stage." The panel's recommendations are not binding on anybody in any way and merely reflect the independent opinion of a group of people selected by Google to advise it on the best way to implement the EU directive. But it is sure to infuriate data protection authorities in the EU as well as privacy advocates who support the notion of a "right to forget" on the Internet. 
The EU right to be forgotten decision stems from a lawsuit filed by an individual in Spain who wanted Google to remove links in its search results to two articles that he claimed were defamatory to his character. In May 2014, the Court of Justice for the European Union held that individuals in the EU indeed had the right to ask search engine companies like Google to remove links to articles that were inaccurate, outdated or contained incomplete information about them. In arriving at its decision, however, the court left it up to Google to decide how it would implement the directive. Google has expressed its willingness to comply with the court's order but has said it will remove disputed search links only on Google search domains directed at users inside the EU. The company has resisted removing the links from its main Google.com domain. So a user in France searching on Google.fr for instance would not see links that might have been delisted at an individual's request in that country. But those same links would remain available on search engine results if the user went to Google.com instead. Google has insisted that it wants to be respectful of the privacy concerns that prompted the right to be forgotten mandate. It has argued that the directive puts it in the awkward and unsustainable position of having to evaluate the merits of thousands of link removal requests on a case-by-case basis. In acting upon such requests, Google has said it has to find a way to balance legitimate individual privacy requirements in Europe with laws pertaining to free speech, expression and the right to know in other countries. Over the past few months, EU regulators and Google have tussled over how the right to be forgotten law should be implemented. EU authorities have maintained that it makes little sense for Google to remove links from its European search results if they remain available via its main Google.com domain.
Marc Rotenberg, president of the Electronic Privacy Information Center, slammed the Google advisory council's reasoning Friday. "They got it wrong. Google's position makes no sense," he said. "The fact that a panel selected by Google selected an outcome that is favorable to Google is more evidence that these decisions should not be left to the search giant," he said, pointing to statistics showing growing support for the right to be forgotten worldwide. Already 61 percent of Americans favor the right to be forgotten on the Internet and efforts similar to the EU directive are already under way in Japan, Canada and Mexico, he said. Danny O'Brien, international director at the Electronic Frontier Foundation, said the dispute surfaces several complex issues that are going to be very hard to resolve. "This is a situation where neither of these players has the moral or legal authority to make these decisions," O'Brien said. Neither Google nor data protection authorities are equipped to decide what content should or should not be discoverable on the Internet, he said. "The real decisions will have to come from the court. But that is not going to happen unless someone challenges these takedown requests in court."

Lawmakers want US Congress to be able to (finally) deliberate online

"Recent advances in technology would make a virtual Congress possible."