Thursday, August 24, 2017

Oxagile to Attend Learning Technologies Conference in London

Oxagile, a leading provider of bespoke web and mobile application development services, will attend the Learning Technologies conference on 1-2 February, 2017 in Olympia, London. By attending Europe's largest L&D exhibition, Oxagile plans to build new partnerships and reinforce its position as a premier vendor of custom EdTech solutions designed for Fortune 500 companies, educational establishments, as well as midsize businesses and start-ups around the world. Considering its expertise in e-Learning software development and customisation, the company... Source: RealWire

Meet Riffle, the next generation of anonymity that beats Tor

Onion routing for the next generation Next week, boffins will unveil a new anonymous internet tool that they say is both faster and more reliable against attack than Tor, while still keeping online use impenetrable to spies. Dubbed Riffle, the new system was developed by MIT and the École Polytechnique Fédérale de Lausanne in Switzerland.
It uses the same onion encryption as Tor, wrapping each message in layers of encryption so that every relay can strip only its own layer. Riffle [PDF] also relays messages through a chain of servers, but arranges them as a mixnet: each server shuffles the batch of messages it relays before passing it on, so an observer watching the links cannot match a message entering a server with one leaving it.

But the special sauce in Riffle is that it toughens up the network against those seeking to track users. Such attacks are a big concern for Tor users, especially since last year researchers at Carnegie Mellon University apparently found a way to deanonymize sections of the Tor network by running a series of malicious relays under their control.

The research team got a reported $1m bounty from the Feds for that research – but Riffle could render the technique moot. "Riffle uses a technique called a verifiable shuffle.

Because of the onion encryption, the messages that each server forwards look nothing like the ones it receives; it has peeled off a layer of encryption," MIT explained. "But the encryption can be done in such a way that the server can generate a mathematical proof that the messages it sends are valid manipulations of the ones it receives.
Verifying the proof does require checking it against copies of the messages the server received.
So with Riffle, users send their initial messages to not just the first server in the mixnet but all of them, simultaneously.
Servers can then independently check for tampering." It's a very secure system, but also one that's very resource-intensive.
So Riffle uses authenticated encryption, with each server's layer checked as the message passes through, so that as long as one of the routing servers remains uncompromised, any tampering by the others is caught and the message stays protected. "The idea of mixnets has been around for a long time, but unfortunately it's always relied on public-key cryptography and on public-key techniques, and that's been expensive," says Jonathan Katz, director of the Maryland Cybersecurity Center and a professor of computer science at the University of Maryland. "One of the contributions of this paper is that they showed how to use more efficient symmetric-key techniques to accomplish the same thing.

They do one expensive shuffle using known protocols, but then they bootstrap off of that to enable many subsequent shufflings." As a result, the system is both strong and efficient.

The development team says it takes a tenth of the resources to send large files as other anonymizing services and provides much better protection against active and passive monitoring. Riffle will be released at next week's Privacy Enhancing Technologies Symposium in Germany.
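The layered symmetric-key idea described above, as an added teaching model that is not Riffle's own protocol or code. It assumes the expensive one-time setup has already happened, that is, each client shares a symmetric key with every server. Each hop strips its own authenticated-encryption layer and shuffles the batch; a server that alters a message is caught by the next honest hop because that hop's authentication tag no longer verifies. Only the Python standard library is used, so encrypt-then-MAC over an HMAC-SHA256 keystream stands in for a real AEAD such as AES-GCM; the server keys and sample messages are constructed for the example.

```python
"""Onion-layered authenticated encryption through a chain of mix servers.

Added teaching model of the principle described above, not Riffle's own
protocol or code. It assumes the expensive one-time setup (each client
already shares a symmetric key with every server) has happened. Each hop
strips its AEAD layer and shuffles the batch; a server that alters a
message is caught by the next honest hop because that hop's tag no longer
verifies. Standard library only: encrypt-then-MAC over an HMAC-SHA256
keystream stands in for a real AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os
import random
from typing import List, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the shared server key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with tag = HMAC(mac_key, nonce || ciphertext)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; raise ValueError on any modification."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch: message altered in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def onion_wrap(server_keys: List[bytes], message: bytes) -> bytes:
    """Client side: innermost layer for the last server, outermost for the first."""
    blob = message
    for key in reversed(server_keys):
        blob = aead_seal(key, blob)
    return blob


def mix_server(key: bytes, batch: List[bytes], rng: random.Random) -> List[bytes]:
    """Honest hop: peel one layer off every message, then shuffle the batch."""
    peeled = [aead_open(key, blob) for blob in batch]
    rng.shuffle(peeled)
    return peeled


def malicious_server(key: bytes, batch: List[bytes], rng: random.Random) -> List[bytes]:
    """Dishonest hop: peels correctly, then flips a byte of one outgoing message."""
    peeled = mix_server(key, batch, rng)
    damaged = bytearray(peeled[0])
    damaged[-1] ^= 0x01          # lands inside the next layer's ciphertext/tag
    peeled[0] = bytes(damaged)
    return peeled


def run_round(server_keys: List[bytes], messages: List[bytes],
              dishonest_index: Optional[int] = None, seed: int = 0
              ) -> Tuple[List[bytes], Optional[int]]:
    """Push a batch through the chain.

    Returns (delivered plaintexts, index of the server that detected tampering
    or None). With no dishonest server the output is a permutation of the
    inputs; with one, the very next honest hop rejects the batch.
    """
    rng = random.Random(seed)
    batch = [onion_wrap(server_keys, m) for m in messages]
    for i, key in enumerate(server_keys):
        hop = malicious_server if i == dishonest_index else mix_server
        try:
            batch = hop(key, batch, rng)
        except ValueError:
            return [], i
    return batch, None


if __name__ == "__main__":
    keys = [os.urandom(32) for _ in range(3)]       # one shared key per server
    msgs = [b"alpha", b"bravo", b"charlie"]          # constructed sample traffic
    print(run_round(keys, msgs))
    print(run_round(keys, msgs, dishonest_index=0))
```

Two caveats a practitioner should keep in mind with this model. First, detection here relies on a downstream layer: a dishonest last server has nobody left to verify its output, which is why Riffle's "one honest server suffices" guarantee needs more than plain layered authentication. Second, shuffling only hides correspondence if messages are indistinguishable by size, so a real deployment pads every message to a fixed length before wrapping.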

Apple needs silver bullet to slay App Store's escaped undead –...

Zombies should be exorcised from gadgets they infect Online software bazaars – such as Apple's App Store and Google Play – need to claim responsibility for "dead applications" and notify people when their programs have been revoked or removed, a study by security firm Appthority recommends. “Dead apps” are those that have been removed from an app store, but remain on devices – if they're not good enough or are harmful for new downloaders, they're probably not good enough for those already running them, to put it bluntly.

Dodgy apps on Google Play have been an issue for years, but over the past six months or so the issue has also cropped up on the official Apple App Store. The iGiant's walled garden was once considered a safe haven of calm. However, the unwelcome arrival of six major iOS security vulnerabilities and exploits in the past seven months has, for some, changed that perception right around. Threats such as Quicksand, JSPatch, XcodeGhost, AceDeceiver, YouMi and MobiSage have shaken assumptions and made mobile security a more important issue for enterprises and casual App Store users alike. More than 960 apps infected with JSPatch were found on enterprise customer devices, Appthority reports. When these evil programs are found and thrown out of stores, they should be thrown out of devices, too, it's recommended. The mobile security firm further argues that Google's Verify Apps feature addresses malware, but it can't stop all malicious code from running, especially since security patching on the platform is somewhat lagging.

Infosec 2014: Act now, but no new EU data protection law...

Expect new European Union (EU) data protection law to be enacted in 2017 at the earliest, said David Smith, deputy commissioner at the Information Commissioner’s Office. “But, get your house in order now under the current law, to ensure you are ready for the coming changes, because the principles are not very different,” Smith told attendees of Infosecurity Europe 2014 in London. By acting now, UK businesses can ensure they will not face huge challenges in future, said Smith. Giving an update on the process of issuing new laws, based on the draft EU Data Protection Regulation, he said there had been some progress in the past year, but it had been at a “snail’s pace”. Smith said that, while the European Parliament had agreed on a version of the proposed regulation, members of the European Council were still working on theirs. “Optimists hope that the European Council will reach agreement on the matter by June 2014,” said Smith.

Enacting final text

The next step in the process is to hammer out a final text, agreed by the European Parliament, the European Council and the European Commission (EC), which proposed the original draft in 2012. Smith does not expect the tripartite negotiations to get underway before December 2014, which means the legislation is likely to be passed in 2015, followed by a two-year period of preparation for enactment. “In this time the data protection laws in the EU member states will have to be replaced with the new EU laws and each data protection authority will need to prepare for a new way of working,” said Smith. “The ICO will also have a big job to prepare guidance for UK companies on what they should prioritise to ensure they can comply with the new laws once they are enacted.” Smith said the current data protection directive took five years to get turned into law, which suggests it will take at least another two years before the proposed regulation reaches completion.

Start preparation now

But he emphasised that there is no need to wait, and UK businesses should start preparing now, according to the “direction of travel” of the proposed legislation. The top priority should be around the principle of obtaining explicit consent from people to gather and use their personal data, he told Computer Weekly. “Businesses that plan to collect information that will require explicit consent must ensure that, in all their processes, it is very clear what data is being collected and for what purpose,” said Smith. “It is important that the consent to collect data and use it for a specific purpose is prominent and not tucked away somewhere in a user agreement.”

Data breach notification

The next priority for UK businesses is to ensure they have a system in place for dealing with data breaches, and this should include processes for notifying anyone affected by a breach. Data breach notification is likely to become compulsory for all companies in the EU, so UK companies should look at what processes they have in place, said Smith. “If a company does not yet have any data breach notification process, they are lagging behind and risk incurring penalties if they are not ready by the time the new laws are enacted,” he said.

Culture of privacy

The third priority is to create a company culture where privacy is taken into account in every business activity and new processes are designed with privacy in mind. “Businesses should think about things like necessary data retention periods because, if privacy is not part of the design from the start, it is typically much more difficult to fix in response to complaints,” said Smith. The approach to retention is not expected to change. Organisations should ensure that personal data is not retained any longer than necessary for the purpose it was originally collected. For future data analysis purposes, only anonymised or pseudonymised data should be used, said Smith. “Businesses should not rush products and services to market without thorough testing, and they should listen to their privacy advisors before giving into pressures from the marketing department,” he said.

Balancing enforcement and guidance

Looking to the future, Smith expressed the hope that the final version of the revised data protection regulation is not highly prescriptive, nor too focused on enforcement. “There are different cultures and legal traditions in Europe, so hopefully there will be enough wriggle room for each member state to allow for local sensitivities,” he said. If there is too much focus on enforcement, the ICO is concerned that its educational and guidance activities may have to be curtailed. The ICO recently published a code of practice on privacy impact assessments and plans to publish guidelines about online security soon, to pass on learning from the mistakes of others. Smith said the ICO hopes that, under the new regulation, the UK will be able to make “sensible laws” that will not place “unnecessary burdens” on businesses.

Powers to chase the 'crooks'

The ICO is hoping for additional powers that will enable it to go after the “charlatans” and “crooked individuals” who “never pay up” and simply re-open for business under a new name, he said. “The ICO is no longer a ‘toothless tiger’ and we have used our new powers to good effect, but more imaginative powers are needed such as the ability to impose periods of mandatory audits,” he said. Smith said he believes the controversial Safe Harbour agreement does have a future, but only with tighter data protection assurances after it is revised in line with an EC review. “One of the biggest problems is the element of self-attestation because, in its current form, the system provides no way of checking or verifying that companies are abiding by the rules,” said Smith. The EC has submitted proposals for improvements to the Safe Harbour agreement. He said the US is working on those and a response is expected soon.

Patent-licensing company loses its $30M verdict against Sprint

Prism Technologies saw through three jury trials against big cell carriers.

Spread honeypots over your defense plan

I love honeypots.
I’ve even written a book about them.

Any time you set up a fake system that nothing and no one should try to connect to, you cull invaluable information that any security defender will find useful. I’m still surprised that honeypots aren’t part of every organization’s security strategy. My guess is that’s because you don’t have a lot to choose from in honeypot emulation software. My personal favorite is KFSensor, which has a host of excellent features and is continually updated over time. Why bother with honeypots? Well, when fine-tuned, a honeypot is incredibly low noise and high value.

That’s exactly the opposite of every other computer security defense tool.

For example, firewall logs fill up with tens of thousands of dropped-packet events every day, most of which have nothing to do with maliciousness.

And the malicious actors? Good luck finding them in the logs.

The sweet benefits of honeypots

The work you invest in a honeypot takes place up front: You spend a little time filtering out the normal broadcast traffic and legitimate connection attempts (from your antivirus updating programs, patch management tools, and so on).

But once that’s done -- which usually takes two hours to two days -- any other connection attempt is, by definition, malicious. A honeypot is absolutely the best way to catch an intruder who has bypassed all other defenses.
If you assume that your defenses are either currently breached or could easily be breached, then you need the early-warning system offered by a honeypot. Your honeypots sit there waiting for any unexpected connection attempt.
I’ve tracked a lot of hackers, and one fact almost always stands out: They search and move around a network once they gain access.

Few hackers know which systems are or aren’t honeypots, so they move around, and when they simply “touch” the honeypot, you got ‘em. Case in point: One of the most common attack methods is the pass-the-hash (PtH) attack, where the attacker obtains the password hash of an elevated account and uses that hash, without ever cracking it, to authenticate to other systems across the network.

They move laterally with ease, usually without detection.

But establish one or more honeypots as fake Web servers, database servers, or application servers, and you’ll even be able to detect an advanced persistent threat (APT). Honeypots are also great at detecting insider threats, where someone who has legitimate logon credentials attempts unauthorized actions.
In this scenario, it’s important that as few people as possible know about your honeypots.

Give the project a code name that the project team uses whenever discussing the topic. You don’t want the word "honeypot" floating around in email or commonly known by your staff and other co-workers.

Even other members of the computer security defense and the incident response teams should simply be told that you have “intrusion sensors.” Honeypots are also great at detecting previously undetected malware.

Today, some malware starts looking around the network once it breaches your defenses. Often it will try a multitude of common passwords against every network file share it can find. Make sure your honeypot contains NetBIOS or regular file shares to detect connection attempts.

The best place for a honeypot

In the early days, people often placed honeypots on the Internet or in the DMZ, but today, you’d get a swarm of unauthorized connections that would be impossible to sort through.
If you can’t investigate every honeypot hit, then you’ve designed your honeypot wrong. That’s why you should set up your honeypots internally, as a last warning. Look at how and where past attacks succeeded.

Create threat models from past attacks and try to estimate future attacks.

Determine where you have gaps in your current detection methodology and install honeypots to cover those gaps. In general, I always recommend that honeypots mimic one or more Web servers, database servers, file servers, or application servers.
I like low-interaction honeypots, which have a minimum of advertised services, because they are extremely easy to set up and monitor. For example, you could set up Microsoft Internet Information Services (IIS) with only the built-in default website/page. When attackers connect to it, they will probably blow it off as a website that was never set up and move on.

But now you have an unauthorized connection attempt (it’s a fake system, no one should be trying to connect) and you can add an originating IP address to your incident response analysis. A lot of defenders want to set up high-interaction honeypots, which contain real-looking content, to see if they can ascertain the intent and primary target of the hacker.

These honeypots take 20 to 50 times the effort to set up and maintain, and they come with all sorts of risks not present in a system that has almost nothing beyond a default advertised port/service.

Install a honeypot

As I already mentioned, I use KFSensor for emulated honeypots.

There are a multitude of open source honeypot projects, many of which are more flexible than KFSensor and can emulate more actions. However, they are often hard to configure and maintain, and many people end up abandoning the honeypot initiative. I’m a big fan of using real operating systems and devices as honeypots. When working with a real operating system, here are my basic steps (I don’t care if you use physical or virtual machine software):

1. Install a brand-new OS or use an image that you already use for production systems
2. Install, configure, and patch the system as you would a normal production system
3. Install all the normal software as you would on a production system
4. Enable pervasive event logging, capturing every event possible
5. Enable packet capturing using port mirroring, for out-of-band capture and analysis
6. Looking at the logs, fine-tune out all legitimate connection attempts
7. Test attack scenarios you identified in your threat modeling
8. Send alerts when high-risk events are noted
9. Respond to every alert
10. Modify as needed

How do I attract hackers?

Build it, and they will come. If you’ve registered the honeypot systems in DNS, correctly configured the threat modeling, made them look as ordinary as possible, and placed them around your high-value assets, you’ve done a lot to encourage malicious intruders to connect to honeypot systems.
In my career, I’ve never set up a honeypot that did not detect malicious activity within days of implementation. If you’ve done everything correctly and still get no detection attempts, great! It means you have a high-value, low-noise, detection tool in your computer security arsenal. You’ll also have peace of mind that if badness gets in your network, your early-warning system will be ready.
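The up-front tuning and the "anything else is malicious" rule from the article, as an added example that is not the author's code and not KFSensor. It models step 6 of the setup (tune out legitimate connection attempts) and what happens afterwards: broadcast chatter and the handful of management systems that legitimately touch every host (AV updater, patch server) are allowlisted once, every remaining connection to the honeypot becomes an alert, and sources that touch more than one faked service are flagged as the searching-around behaviour the article describes. The log line format, the addresses and the sample lines are constructed for this example and do not come from any real product.

```python
"""Honeypot hit triage: tune out the known-legitimate noise, alert on the rest.

Added example; not code from the article and not KFSensor. It models the
up-front filtering described above: broadcast chatter and the handful of
management systems that legitimately touch every host (AV updater, patch
server) are allowlisted once, and every remaining connection to a box that
nothing should talk to is treated as an incident. The log format, addresses
and the sample lines are constructed for this example.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed line format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> [free-text note]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<note>.*))?$"
)

# What the honeypot pretends to be on each advertised port.
SERVICE_NAMES = {80: "http", 139: "netbios-ssn", 445: "smb", 1433: "mssql", 3389: "rdp"}

# UDP chatter every subnet member sees: NetBIOS name/datagram service, SSDP, mDNS.
BROADCAST_PORTS = {137, 138, 1900, 5353}


class HoneypotTriage:
    def __init__(self, allowed_sources):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_sources]
        self.alerts = []
        self.suppressed = Counter()
        self.unparsed = []
        self.ports_by_source = defaultdict(set)

    def _is_allowed(self, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.allowed)

    def ingest(self, line: str):
        """Return an alert dict for a hit that survives tuning, else None."""
        m = LOG_RE.match(line.strip())
        if not m:
            self.unparsed.append(line)       # never drop silently; review these too
            return None
        src, dport = m["src"], int(m["dport"])
        if m["proto"] == "udp" and (dport in BROADCAST_PORTS or m["dst"].endswith(".255")):
            self.suppressed["broadcast"] += 1
            return None
        if self._is_allowed(src):
            self.suppressed["allowlisted"] += 1
            return None
        alert = {
            "ts": m["ts"],
            "src": src,
            "dport": dport,
            "service": SERVICE_NAMES.get(dport, "unknown"),
            "note": m["note"] or "",
        }
        self.alerts.append(alert)
        self.ports_by_source[src].add(dport)
        return alert

    def lateral_movement_suspects(self, min_services: int = 2):
        """Sources that probed more than one faked service: the searching-around
        behaviour the article attributes to intruders and network-aware malware."""
        return sorted(s for s, ports in self.ports_by_source.items()
                      if len(ports) >= min_services)


def triage(log_text: str, allowed_sources) -> HoneypotTriage:
    t = HoneypotTriage(allowed_sources)
    for line in log_text.splitlines():
        if line.strip():
            t.ingest(line)
    return t


# Constructed sample: one day on a honeypot at 10.0.5.40 pretending to be a file/app server.
SAMPLE_LOG = """\
2017-08-24T09:01:12 udp 10.0.5.23:137 -> 10.0.5.255:137 netbios name query
2017-08-24T09:02:40 tcp 10.0.1.10:49211 -> 10.0.5.40:445 av-updater push
2017-08-24T09:03:05 tcp 10.0.1.11:51000 -> 10.0.5.40:80 patch agent check-in
2017-08-24T09:15:31 tcp 10.0.7.88:50514 -> 10.0.5.40:445 SMB session setup user=svc_backup
2017-08-24T09:15:33 tcp 10.0.7.88:50515 -> 10.0.5.40:1433
2017-08-24T09:15:39 tcp 10.0.7.88:50516 -> 10.0.5.40:3389
2017-08-24T09:20:02 tcp 10.0.9.5:44001 -> 10.0.5.40:80 GET / HTTP/1.1
"""

# Addresses learned during the tuning period: the AV console and the patch server.
KNOWN_GOOD = ["10.0.1.10/32", "10.0.1.11/32"]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, KNOWN_GOOD)
    for a in result.alerts:
        print(f"ALERT {a['ts']} {a['src']} -> {a['service']}/{a['dport']} {a['note']}")
    print("suspects:", result.lateral_movement_suspects())
    print("suppressed:", dict(result.suppressed))
```

Keep the allowlist short and keyed to exact hosts, not whole subnets: the moment a /16 goes in, an attacker who has compromised a workstation in that range can touch the honeypot without being seen, which defeats the whole point. Lines that fail to parse are kept rather than discarded, because a format change in the logging is itself something you want to notice.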

Review: Tableau takes self-service BI to new heights

Since I reviewed Tableau, Qlik Sense, and Microsoft Power BI in 2015, Tableau and Microsoft have solidified their leadership in the business intelligence (BI) market: Tableau with intuitive interactive exploration, Microsoft with low price and Office i...

Volkswagen details what top management knew leading up to emissions revelations

In a public statement on Wednesday evening, Volkswagen AG said that its top executives had been briefed on issues relating to the diesel emissions scandal prior to the time that the Environmental Protection Agency (EPA) issued the company a Notice of Violation last fall.
Still, the company maintains that its CEO may not have understood the gravity of the situation. VW Group has previously been cagey about whether top executives knew that engineers had been installing illegal defeat devices in diesel vehicles. (The term “defeat device” here refers to lines of code in the engine management software.) So-called defeat devices suppress the car’s emissions control system when it’s being driven normally, allowing the system to work when the car is being tested in a lab.

This setup resulted in diesel Volkswagens, Audis, and Porsches releasing many times the allowed limit of NOx emissions every time the car got on the road. If top executives knew about the defeat devices, they could face additional lawsuits from shareholders on top of the billions in fines that the EPA and the Department of Justice have sued VW Group for.

The company also must account for the cost to fix or buy back the affected cars. Volkswagen’s defense VW Group’s public statement on Wednesday included a defense that the company submitted to a German district court the day before.

The document comes from a shareholder lawsuit that claims VW did not inform investors that it was facing issues that would eventually send the company’s stock into a nosedive.
VW Group said it wanted to make its defense statement public "to correct the selective and incomplete publication of documents in the media about the diesel matter and to avoid having partial excerpts of its statement of defense published in the media.” The statement said that the diesel issue began in 2005 when VW decided to "start a major diesel campaign in the United States” to sell cars that were already quite popular in Europe.

But as the US standards for NOx emissions are much stricter than those in Europe, VW engineers "at levels below the Group's Management Board in the powertrain development division” decided to modify “a small number of an approximate total 15,000 individual algorithms” within the engine management software. The earliest vehicles discovered to have a defeat device came to the market in 2009. The company says that in May 2014, the California Air Resources Board (CARB) learned of a study that showed there were discrepancies between lab tests of a Volkswagen model's diesel emissions and the car's on-road results.
VW says it looked into it, and in December 2014 the company offered a voluntary recall to Volkswagen diesel owners to update the software. CARB has asserted that this recall did not change the discrepancy between emissions in the lab and emissions on the road for the diesel vehicles. VW’s defense statement goes on to say that then-CEO Martin Winterkorn received two memos regarding the discrepancies between lab and on-road emissions—one on May 23, 2014 and one on November 14, 2014. Regarding the May correspondence, Volkswagen wrote, “Whether and to which extent Mr. Winterkorn took notice of this memo at that time is not documented.” VW offers that Winterkorn might not have considered the diesel issue important at the time because "Emission deviations between test bench and road operation exist at all automobile manufacturers and are by no means automatically attributable to violations of regulations.

For global automobile manufacturers, service measures and recall campaigns are nothing out of the ordinary.” VW said that CARB came back to the company asserting that the voluntary fix the company offered in December didn’t actually correct the issue.

At that point, VW said, the company’s product safety division “established a diesel task force” in the summer of 2015 and hired an American law firm "to advise Volkswagen with regard to questions related to the American emissions law.” On July 27, 2015, according to VW, some employees brought up the diesel issue at a meeting attended by Winterkorn and VW’s chief of passenger cars Herbert Diess. “It is not clear whether the participants understood already at this point in time that the change in the software violated US environmental regulations,” VW wrote. "Mr. Winterkorn asked for further clarification of the issue.” The company asserts that its Management Board did not realize that the software update constituted an illegal defeat device until August 2015, a month before the EPA issued a Notice of Violation to the company.

The company went on to say that even at that point, it wasn’t afraid that the defeat device would cause a scandal because no other manufacturer had been punished dramatically in the past.

As VW’s statement says: Volkswagen was advised that in the past, defeat device violations under US environmental law by other car manufacturers had been sanctioned with settlement payments that were not especially high for a company the size of Volkswagen.

Even the highest US fine by then, which amounted to USD 100 million and was imposed in 2014, was at the lower end of the statutory range of fines.

This case affected about 1.1 million vehicles, which corresponded to a fine of not more than approximately USD 91 per passenger vehicle. In light of this recommendation, it was expected that the diesel matter could be resolved with the US authorities by disclosing the software modification, agreeing on appropriate measures to restore vehicle compliance with the law and the payments of potential fines in line with prior US settlements. VW seems to have dramatically underestimated how seriously the EPA would take the violations and how angry the American public would be about the deception.

But it’s not wrong that many other companies had been discovered using defeat devices in the past, whether they were hardware- or software-based devices.
VW had even been in this situation before in 1973, when it agreed to pay $120,000 to the EPA.
It didn’t even have to admit wrongdoing then. VW’s statement on Wednesday went to extremes to deny any wrongdoing on the part of management, a position that the company has held throughout the months since the defeat device scandal was made public.

But admitting that Winterkorn might or might not have seen correspondence alerting him to an issue with defeat devices is a turnaround from February, when The New York Times reported that internal e-mails showed that Winterkorn knew there was something off about the emissions control systems in diesel vehicles.

The Times wrote that VW had received an e-mail from former VW executive Bernd Gottweiss in May 2014, who warned "that regulators might accuse the carmaker of using a so-called defeat device.” In February, company officials with knowledge of the matter told The New York Times that the e-mail from Gottweiss didn't constitute a true alert that something was wrong.
Instead, the retired executive was simply using dramatic language to "get the attention of top management." VW Group has not yet been able to reach an agreement with the EPA to fix the nearly 600,000 affected vehicles.

Current VW CEO Matthias Müller said earlier this week that negotiations with the EPA would resume today.

Mobile Phones at Risk From Carrier Backdoor Flaw: Black Hat

Software used by carriers to help set up phones is found to have security vulnerabilities. Hidden within hundreds of millions of mobile phones around the world is control software used by carriers to help set up devices and features. According to new research set to be presented at the Black Hat USA security conference this week in Las Vegas by researchers working at Accuvant, the carrier control software itself has security vulnerabilities in it that could be exposing the world's mobile phone users to risk. Carriers embed mobile device management (MDM)-type software into most mobile devices, Matthew Solnik, research scientist at Accuvant, told eWEEK. Carriers typically include features that enable them to configure phones for their network and can also be used to push firmware, over-the-air (OTA) updates, Solnik said. Other features that can be part of the carrier MDM software could enable remote lock, device wiping, diagnostics and resetting. The software could also potentially limit a device's ability to use camera, GPS or WiFi. Accuvant's research found that at least 70 percent of the carriers it looked at use the same back-end carrier system with the same software, which also has a few nontrivial vulnerabilities. "The authentication that is in use is insecure as it is using a public device identifier, such as IMEI (International Mobile Station Equipment Identity), as a critical point to get the client's password," Solnik said. Solnik said that using IMEI, researchers can potentially pre-calculate and determine the passwords for mobile devices. Going a step further, Accuvant's researcher found that in the places where the carrier back end employs Secure Sockets Layer (SSL) encryption, the hostnames are not being properly validated. Solnik said that it's possible for an attacker to perform a man-in-the-middle attack, intercepting traffic with the ability for the attacker to impersonate the carrier. 
The attack would require the hacker to have a cellular base station and proximity to the end-user device that varies based on the power of the base station. With the right equipment, an attacker could take control of a carrier's MDM software and get full control over a user device, Solnik said. Even if a user has his or her lock screen on, the carrier MDM attack found by Accuvant could still be used. "If the phone is on and is connected to a carrier network, the use of a lock screen does not have impact," Solnik said. "We can actually affect the lock screen itself." In terms of impact, Solnik said nearly all smartphones in the market are at risk, including iOS and Android phones, though the risk does vary based on carrier. "For Apple iOS, this is only on a single carrier," Solnik said. "So iOS is the least affected of the bunch." Solnik said that for users who purchased a mobile device that was not locked to a specific carrier, there is most likely a much lower chance the carrier MDM client is installed. "If you bought a phone from a carrier and it has subsequently been unlocked and it still runs the carrier software, it is likely still vulnerable," he said.

Disclosure

Accuvant has been working diligently to properly disclose its findings to service providers to mitigate the risk. Ryan Smith, vice president of research and chief scientist at Accuvant, told eWEEK that the mobile phone industry is extremely fragmented and there are perhaps 15 vendors that can work together to put software onto a device. "All of the vendors we've spoken with have been incredibly helpful; they all want to get their customers patched," Smith said. There are a pair of primary software vendors that need to patch their software for the vulnerabilities, Smith said. He noted that once those vendors produce a patch, it needs to get distributed to the cellular baseband manufacturers and the carriers. From there, the actual handset vendors have to implement the code.
"It's a huge spinning wheel, and we've been overwhelmed by the response and how well it is being coordinated," Smith said. Additionally, even though Accuvant will be discussing the cellular phone risks, the company is not releasing any exploit tools at Black Hat to take advantage of the cellular vulnerabilities. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
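The two weaknesses Solnik describes, a client credential derived from the public IMEI and TLS without hostname validation, each beside its hardened counterpart, as an added example. This is not the carrier client's code, which the article does not show: the derivation function is a hypothetical stand-in (a hash of the IMEI) chosen only to make the precomputation point, the IMEI values are made up, and the challenge-response design is the editor's, not the vendors' fix. The TLS contexts use Python's standard `ssl` module exactly as it exists.

```python
"""Carrier control-software weaknesses of the kind described above, each beside
its hardened counterpart.

Added example; not the carrier client's code, which the article does not
show. The credential derivation is a hypothetical stand-in (hash of the IMEI)
chosen only to make the precomputation point, and the IMEIs are made up.
Two points: (1) a credential derived solely from a public identifier can be
computed in bulk by anyone who can collect identifiers; (2) a TLS client
that skips chain and hostname validation accepts whatever certificate a rogue
base station presents, which is what makes the man-in-the-middle possible.
"""
import hashlib
import hmac
import os
import ssl
from typing import Dict, Optional


# --- weak: password is a pure function of a public identifier ---------------
def password_from_imei(imei: str) -> str:
    """Hypothetical derivation: only public input, so no secret protects it."""
    return hashlib.sha256(imei.encode()).hexdigest()[:16]


def offline_precompute(imeis) -> Dict[str, str]:
    """Attacker side: harvest IMEIs (visible over the air), derive every password
    in advance, no contact with the carrier back end required."""
    return {imei: password_from_imei(imei) for imei in imeis}


# --- hardened: per-device random secret plus challenge-response -------------
def provision_device_secret() -> bytes:
    """Issued at enrolment and stored against the device record; the IMEI then
    serves only as a lookup key, never as key material."""
    return os.urandom(32)


def make_challenge() -> bytes:
    return os.urandom(16)


def client_response(device_secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()


def server_verifies(device_secret: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(client_response(device_secret, challenge), response)


# --- TLS: hostname validation off versus on ---------------------------------
def insecure_tls_context() -> ssl.SSLContext:
    """Encrypted but unauthenticated: any certificate, for any name, is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify the chain to a trusted CA and require the server name to match."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """The check to run against any client context before shipping it."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    imeis = ["356938035643809", "490154203237518"]       # made-up identifiers
    table = offline_precompute(imeis)
    print("precomputed:", table)
    secret, ch = provision_device_secret(), make_challenge()
    print("good device accepted:", server_verifies(secret, ch, client_response(secret, ch)))
    print("imposter accepted:", server_verifies(secret, ch, client_response(os.urandom(32), ch)))
    print("insecure ctx hardened?", context_is_hardened(insecure_tls_context()))
    print("secure ctx hardened?", context_is_hardened(secure_tls_context()))
```

The pairing matters more than either half: a properly validated TLS session does nothing for a password an attacker already has, and an unguessable secret does nothing if the client will hand it to any server with a certificate. For the OTA case specifically, pinning the carrier's CA (the `ca_bundle` argument) closes the gap left when the device must trust whatever public CA a rogue base station operator can buy from.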

Millennials dissatisfied with online data security, study shows

Millennials, generation Y or digital natives are losing trust in the digital economy in the face of increasing reports of data breaches, a survey has revealed.

Fewer than 5% of UK and US 16- to 35-year-olds believe their digital identity is completely protected by effective safeguards, according to the survey commissioned by security firm Intercede. Analysts say this unease about ineffective security practices serves as a stark warning to businesses and government departments that provide online services and products.

The survey indicates a general concern about existing safeguards such as the use of easily hackable – but widely used – password-based authentication methods. A quarter of the more than 2,000 consumers polled said they access more than 20 password-protected websites, applications or devices in the course of a year. However, 45% claimed they only change passwords when they have to, and only 6% believe their data is completely secure based on the password policy they apply.

When asked about the impact of an increasingly digitally connected world, such as the increased use of mobile devices, on their digital privacy, nearly 70% believe the risk will increase. More disturbingly, 54% felt the failure of companies and governments to adequately protect identities and data will result in public distrust of goods and services. A further 44% believe there will be an eventual decline in data sharing and 36% predict demands for action.

Almost 12% of respondents cited a decline in economic stability as a potential consequence of businesses and government failing to better protect consumers’ online identities, while 9% cited domestic instability and 6% cited international political instability as alternative outcomes.

“Millennials have been digitally spoon-fed since birth, yet a general malaise is brewing among this demographic in terms of how safe their online data really is,” said Lubna Dajani, a communications technology expert.

“Millennials understand their personal information is a form of currency they need to part with to access online services, yet they participate in this ‘digital trade-off’ in the belief that more can be done to protect their privacy,” she said.

According to Dajani, digital natives want more control over who should be able to access their information. “Businesses and governments should urgently review current security protocols or else risk the potential to drive innovation and growth,” she said.

Intercede chief executive Richard Parris said it is time for organisations to stop “playing fast and loose” with people’s identity and data, which are the most important assets in a digital economy.

“There seems to have been a collective consensus that under 35s will accept sub-standard security in exchange for online service, but this clearly isn’t the case. The humble password should be consigned to the dusty digital archives where it belongs,” he said.

To restore trust, Parris believes smart companies need to look to stronger authentication techniques to ensure the future of digital commerce and information exchange, as well as their own competitive edge.

Huawei denies government influence and calls for cyber security standards

China-based telecoms supplier Huawei has reiterated denials of government influence and called for common international cyber security standards.

Huawei has now issued a cyber security white paper, which it says is designed to inform on-going discussions on how the global industry can address cyber security challenges. The company has struggled to make gains in the US market because of continual questions of links with the Chinese government.

But in the foreword to the white paper, Huawei deputy board chairman Ken Hu said: “We can confirm that we have never received any instructions or requests from any government or their agencies to change our positions, policies, procedures, hardware, software or employment practices or anything else, other than suggestions to improve our end-to-end cyber security capability.”

The white paper goes on to discuss how to make cyber security a part of a company’s DNA and calls for common international cyber security standards to be agreed upon and implemented globally.

The white paper includes an overview of the approach Huawei takes to the design, build and deployment of technology that involves cyber security considerations. This includes the company’s overarching strategy and governance structure, its day-to-day processes and standards, staff management, R&D, security verification, third-party supplier management, manufacturing, delivery and traceability. According to the white paper, Huawei’s mantra has always been: assume nothing, believe no-one and check everything.

“At Huawei, when we consider security, we do not just consider addressing yesterday's problems, or even the problems we experience today, rather, we focus equally on laying down the foundations for securing tomorrow's world, a world that is dramatically different to what it is today,” said John Suffolk, Global Cyber Security Officer of Huawei.

“It is with an eye to the future that we recognise and embrace the need for international industry standards for cyber security,” he said.

According to Suffolk, a former UK government CIO, as ICT becomes more central to business operations, cyber security challenges in the industry need to be addressed jointly by the global community. The publication of Huawei’s white paper is part of Huawei’s efforts to contribute to this increasingly important issue, he said.

“Our most modest hope is that this white paper serves as a catalyst for broader, collaborative and rationally informed public-private dialogue to meet common cyber security goals and objectives,” said Suffolk.

Speaking at the Seoul Conference on Cyberspace 2013 on 17 October, he said the more that governments, enterprises and technology vendors can detail common standards, understand their purpose and the positive difference they make, and commit to their effective adoption through buyers using their buying power, the more the world will begin to see a difference.

“This is not about solving every problem, but it is about having a common agreement about what problems we are trying to solve and how they should be solved,” he said.

Suffolk concluded his remarks by saying, “Huawei will continue to work with governments, customers and other stakeholders to meet their cyber security assurance requirements in an open, collaborative and transparent way. We believe it is only by working together internationally, as vendors, customers and policy and law makers, will we make a substantial difference in addressing the global cyber security challenge.”

At the same conference, UK foreign secretary William Hague said that despite progress in areas such as capacity building to help all states tackle challenges in cyberspace, there is still no agreement on international ‘rules of the road’ or a set of standards on behaviour.

Hague also called for an open and borderless internet to spur economic growth, and international collaboration to ensure that the internet is not only secure, but remains an engine for progress the world over. “At a time of such global economic uncertainty, making the wrong choice would have profound consequences for the future,” he said.


BT, GCHQ and NCA set challenge to find UK cyber defenders

BT, government intelligence agency GCHQ and the new National Crime Agency (NCA) are to join forces to test the cream of the UK’s amateur cyber security talent to find the next generation of cyber defenders.

Experts from each organisation are to work together to design the final of this year’s Cyber Security Challenge UK, set to take place in March 2014.

Stephanie Daman, CEO, Cyber Security Challenge UK, said: “To have such a diverse and high-profile combination of organisations working together to test the next generation of cyber security professionals suggests the final is going to be our most exciting yet.”

The final will test the skills of the UK’s most talented amateur cyber defenders in a two-day competition to find the latest UK cyber security champion. Finalists will need to use technical, interpersonal and decision-making skills in a simulated work environment to solve the sort of problems cyber security professionals encounter every day.

Some 42 finalists have been identified during 10 months of virtual and face-to-face competitions, including the UK’s first civilian cyber security training camps held across England and Scotland in September 2013. However, some places in the final are still open to any UK national not currently working as a cyber security professional. To qualify, candidates must register with the challenge and prove their talent by playing one or more of the upcoming virtual qualifier competitions.

The Cyber Security Challenge UK began in 2010 as three competitions run by a small group of supporters from industry, government and academia to address the shortage of UK cyber security practitioners. Now in its fourth year, the challenge has grown its range of competitions to represent the variety of skills demanded in the profession and is backed by over 75 sponsors.

BT’s cyber director Bob Nowill said the Cyber Security Challenge and similar initiatives are key to encouraging people to develop their cyber skills and build a career in an interesting area of security.

Jonathan Hoyle, GCHQ's director general for government and industry cyber security, said competitors include a mix of self-taught talent who bring an unconventional and innovative approach to the challenges. “That innovation is really important to the UK in tackling cyber threats today and in the future,” he said.

Prizes for the competition include year-long placements at GCHQ to gain experience in fighting cyber crime. With the sponsors’ support the challenge has handed out more than £200,000 of career-enabling prizes to over 100 of the UK’s leading amateur cyber defenders, some of whom have moved into the profession.

Lee Miles, deputy head of the NCA, said the competition provided a unique opportunity to bring together some of the UK’s most talented amateurs in cyber security. “These sorts of initiatives are vital for attracting talented people to consider careers in security and in law enforcement,” he said.
