Tuesday, August 22, 2017

Former NSA Analyst Leads Synack in Securing Enterprise Applications

VIDEO: Jay Kaplan, CEO of Synack, explains how some lessons learned while working at the NSA have helped to structure his security startup. Jay Kaplan worked for the U.S. National Security Agency (NSA) for nearly ...

Chinese government launches man-in-middle attack against iCloud

Targeting new iPhone users to capture user credentials, monitors find.

Google rolling out new anti-piracy search algorithm

"We’ve now refined the signal in ways we expect to visibly affect the rankings."

Ferrari hit with lawsuit for taking over Facebook fan page

With social media mavens, some brands waver between collaboration and conflict.

Comcast’s net neutrality commitments aren’t good enough, senator says

Sen. Leahy asks Comcast to swear off fast lanes even after NBC deal expires.

Facebook Reinforces Password Security

Any given week, I find myself writing about yet another security breach in which usernames and passwords are at risk. The risk isn't always limited to just the breached site either, as there are multiple examples of breaches in one location leading to attacks in another. It's a situation that Facebook understands well, and it is now taking proactive measures to defend its own users.

One example of a breach with collateral damage is the Google exploit of 5 million accounts back in September. Google claimed that its servers were not in fact breached, but another third-party site was, which led to the leak. Google had to reset 100,000 user accounts as a result. The popular WordPress.com blogging platform also had to reset 100,000 user passwords in the wake of the Google account leak. WordPress users apparently had reused passwords. Last week, online file sharing service Dropbox had a similar incident, with hackers alleging a breach that Dropbox denied. Again, the likely root cause of the breach was a third-party site, combined with password reuse by users.

More often than not, attackers will dump their breached password lists online (typically to Pastebin), making it easy for anyone to scan and use. While those password lists can potentially be used to exploit users, Facebook is using those online user credential dumps to secure its users. "We built a system dedicated to further securing people's Facebook accounts by actively looking for these public postings, analyzing them, and then notifying people when we discover that their credentials have shown up elsewhere on the Internet," Facebook Security Engineer Chris Long wrote in a Facebook note.

That sure seems like an obvious idea to me. Rather than wait for bad things to happen to its users, Facebook is taking a proactive stance with this password effort. If Facebook does as promised, users could be protected from data breaches that they aren't even aware of.
Given the volume of password breaches that are reported and Facebook's massive user base, the task of correlating breached credentials with valid Facebook users is nontrivial. What Facebook has done is create an automated system that checks leaked credentials against its own internal user databases. Facebook doesn't store its own users' passwords in some form of clear text format, but rather uses a hashing algorithm. "Since Facebook stores passwords securely as hashes, we can't simply compare a password directly to the database," Long wrote. "We need to hash it first and compare the hashes."

As is the case with Google, Facebook has a particular responsibility for its user credentials that goes beyond just access to facebook.com. Both Google and Facebook access credentials can also be used to log onto other sites and services. By re-emphasizing its focus on username/password security here, Facebook is making a wider case for the use of its Facebook Login technology that is used to securely access other sites. After all, if users know and trust that Facebook is going that extra mile to help them secure their access information, they just might be more likely to use Facebook Login in the first place.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
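The check Long describes, hashing each leaked password before comparing it with the stored hash, as an added example that is not Facebook's code. Facebook's storage format is not public; the per-user salt, PBKDF2-SHA256 and the "email:password" dump layout are assumptions, and the user records and dump are constructed sample data.

```python
"""Match a public credential dump against salted password hashes and list
the accounts whose owners should be notified (added example, assumed design)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; a real deployment tunes this


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash for one password under its per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(email: str, password: str) -> dict:
    """Build a constructed user record; only salt and hash are ever stored."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample user database, keyed by lower-cased email.
USERS = {
    u["email"]: u
    for u in (
        make_user("alice@example.com", "hunter2"),
        make_user("bob@example.com", "correct-horse-battery"),
        make_user("carol@example.com", "s3cret:with:colons"),
    )
}

# Constructed sample paste: one correct reuse, one wrong guess, one account
# not on this site, one malformed line, and a password containing colons.
CONSTRUCTED_DUMP = """\
alice@example.com:hunter2
bob@example.com:wrongguess
nobody@example.com:whatever
not a credential line
carol@example.com:s3cret:with:colons
"""


def parse_dump(text: str) -> list:
    """Parse 'email:password' lines; split only once so passwords keep ':'."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds.append((email.strip().lower(), password))
    return creds


def credential_matches(user: dict, leaked_password: str) -> bool:
    """Hash the leaked password with the user's salt and compare in constant time."""
    candidate = hash_password(leaked_password, user["salt"])
    return hmac.compare_digest(candidate, user["hash"])


def find_exposed_accounts(users: dict, dump_text: str) -> list:
    """Return sorted emails whose stored hash matches a leaked password."""
    exposed = set()
    for email, password in parse_dump(dump_text):
        user = users.get(email)
        if user is not None and credential_matches(user, password):
            exposed.add(email)
    return sorted(exposed)


if __name__ == "__main__":
    for email in find_exposed_accounts(USERS, CONSTRUCTED_DUMP):
        print(f"notify {email}: password seen in a public dump, force a reset")
```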

IBM operating income falls by 18% as it offloads semiconductor unit

IBM reported lower-than-expected earnings for the third quarter of 2014, with its revenue of $22.4bn down by 4% from the same period in 2013 – missing market estimates of $23.37bn. Its pre-tax income from continuing operations decreased by 12% to $4.4bn. The tech giant reported an 18% fall in its operating net income for the period and saw revenues tumble across its software, hardware and services segments. The company blamed an “unprecedented change of pace in the industry” and a slowdown in customers’ IT purchases for the drop in income.

IBM chairman, president and chief executive officer Ginni Rometty said the company is disappointed with its performance, but is continuing to adjust its strategy. “While we did not produce the results we expected to achieve, we again performed well in our strategic growth areas – cloud, data and analytics, security, social and mobile – where we continue to shift our business. We will accelerate this transformation,” she said.

IBM’s cloud revenue was up by more than 50% year-on-year and its cloud-delivered-as-a-service segment was up by 80%. Revenues from its business analytics division increased by 8%, while its security division revenue was up by 20%.

But its hardware revenues plunged in the third quarter. Revenue from its systems-and-technology segment was down by 15%, ending in a pre-tax loss of $99m. Within this, revenue from Power Systems was down by 12%, revenue from System z mainframe server products decreased by 35%, and revenue from the storage business was down by 6%.

In a bid to turn around the company's fortunes, IBM is steering itself to become a services company and has offloaded its x86 server business to Lenovo and is divesting its semiconductor operations. The divestment will help the company focus on research and development for its cloud and services assets. For instance, the company is planning to invest $1.2bn to build 15 datacentres in Europe to propel its cloud services.
“We are executing on a clear strategy that is moving IBM to higher value, and we've taken significant actions to exit non-strategic elements of the business,” Rometty said. “We will continue to make the investments and the changes necessary to manage our business for the long term.”

Among other divisions, its services revenues for the third quarter of 2014 remained flat, while software revenues were down by 2% to $5.7bn. Revenues from IBM’s key middleware products – which include WebSphere, Information Management, Tivoli, Workforce Solutions and Rational products – were $3.7bn, down by 1% from the third quarter of 2013.

Offloading semiconductor operations

While filing its earnings report, IBM confirmed it is offloading its semiconductor business and manufacturing operations to GlobalFoundries. According to a Wall Street Journal report, IBM will pay the manufacturer $1.5bn to take the chip operations off its hands. IBM’s chip-making unit reportedly loses as much as $1.5bn a year, and its revenue – which accounted for just 2% of IBM’s revenue in 2013 – fell by 17% in the first half of 2014, according to a company filing. The deal with GlobalFoundries will close in 2015.

According to analysts, selling less profitable parts of the business, such as the chip-making unit, will help IBM in achieving the goal of increasing margins as revenue growth slows. They also said that to remain competitive IBM would have had to spend billions of dollars to keep its semiconductor plants up to date with newer chip technology.

UK convicts man over manga sex images of children

Sex imagery of children can be illegal even if it's a drawing.

Security Think Tank: Seven strategies for limiting cloud data leakage

Smartphones, tablets and phablets are just too easy to use, with most – if not all – offering to back up data to the cloud as either a default option or via a single click. One of the potential issues is that the security of the supplier’s cloud cannot be guaranteed, and it must be remembered that availability is just as much a part of security as confidentiality and integrity. So, what can be done to stop potentially sensitive company data being exported to these supplier clouds?

One approach is to just ignore that the problem exists, while another is the simple – and I suspect anticipated – answer of having guards at company premises remove all personal smartphones, tablets, memory sticks and so on from all staff and visitors, and furthermore making the IT department ensure any company PC or laptop is heavily locked down to remove the possibility of a cloud connection. But neither of these approaches does a reasonable job of mitigating the risks of data exfiltration while allowing flexible use of new technologies and ways of doing business.

Potential practical solutions will depend on a company’s policies. For example, the answer may differ if an organisation insists on company-supplied IT only (including company-selected technologies and devices), or if it employs a buy-your-own-device policy (where any device, or one of a limited selection, is supported).
Some of the things that can be done and would apply in most scenarios include the following:

- Staff education
- Management education
- Regular reinforcement of the education given
- Well-thought-out formal acceptable-use policies (AUPs) that are published, made easily accessible and formally tied into staff contracts
- Effective staff disciplinary procedures for breaking the AUPs, and enforcement of them
- Well-written standards, templates and work practices for setting up devices and central services
- Where possible, network/system controls put in place to monitor and/or control what files can be downloaded, what they can be downloaded to and when. As a minimum, audit logs need to be maintained to identify who did what and when to a file.

Peter Wenham is a committee member of the BCS, The Chartered Institute for IT security forum strategic panel and director of information assurance consultancy Trusted Management.

This was first published in October 2014

European online transactions under cyber attack, says payment council

European merchants need to pay more attention to securing electronic payments, warns the Payment Card Industry Security Standards Council (PCI SSC). This was one of the key messages at the recent Annual European Community Meeting in Berlin, Germany of the PCI SSC, which administers the industry’s data security standard (PCI DSS).

“Cyber criminals have intensified the attack on US merchants as they move to the more secure Chip and PIN system based on the EMV standard already widely used in Europe,” said Jeremy King, European director of the PCI SSC. “However, this does not mean that European merchants can relax because cyber criminals are targeting online transactions where the EMV standard still offers little protection,” he told Computer Weekly.

Europe’s Chip and PIN adoption has slashed card-present fraud, but card-not-present fraud continues unabated, particularly affecting online transactions used in e-commerce. “Cyber criminals only need to steal a few key pieces of information to enable them to carry out this kind of fraud, and they are proving to be successful at it in Europe,” said King. “The critical pieces of information, such as the card holder’s name and the card expiry date, are still easily available to attackers, even in an EMV message,” he said.

This means European merchants still need to pay attention to security and ensure appropriate security education and awareness training at all levels, he said, from the shop floor to the board of directors. “Lack of understanding about the importance of strong passwords on all transaction systems, point of sale devices, routers and firewalls is still a big problem in Europe,” said King. “Organisations also need to be sure they are changing the default passwords in the systems and equipment they are using,” he said. Underlining this problem, an annual security survey by Trustwave has revealed that for the past three years one of the most common passwords used by organisations is “password1”.
“Using poor or default passwords is making it very easy for criminals to find a way in to payment systems by either looking them up or simply guessing them,” said King. Organisations should educate all staff to replace weak or default passwords with stronger pass phrases, he said, that are easy to use, and yet provide much greater security.

The PCI SSC has called for merchants to become more security aware and understand that they are likely to be breached and therefore need a good incident response plan. “Many organisations still lack an incident response plan, and even where they do have one set up, they are unlikely to have tested it,” said King. The PCI SSC recommends all organisations set up an incident response plan and test it regularly to ensure that, when they are breached, the intrusion can be contained quickly and the damage minimised. “Incident response plans, which require training and planning, are also critical to enabling organisations, and merchants in particular, to recover quickly from attacks and resume business,” said King.

The PCI SSC provides support to merchant organisations through training programmes that are aimed at all levels in an organisation to promote understanding of key areas of cyber security, he said. In the coming months, the PCI SSC plans to work with banks in Europe and the US to find ways of improving security, particularly for small merchants that lack the resources of larger organisations. “We are looking at ways to make security as easy as possible by building more security into the payment services they are using to reduce the burden on the merchants,” said King. “Chip and PIN took away a lot of card-present fraud, so now we have to come up with a similar process for the e-commerce space where payment providers handle payments securely,” he said.
The PCI SSC is working with banks to draw up a list of reasonably priced, good third-party payment providers that are secure and comply with the PCI data security standard (PCI DSS). “This approach means the merchant is no longer seeing the card data because all that is being handled by payment service providers who are experts in the field,” said King. “Instead of trying to tackle e-commerce payments all on their own, merchants will be able to go for help to the financial institution that they bank with, and the acquiring banks will be responsible for ensuring a consistent service to all merchants,” he said.

Following consultation with acquiring banks, the PCI SSC plans to publish guidance for banks on how to provide services that reduce what merchants have to do to ensure secure online transactions. Although the initiative is aimed at helping small merchants, organisations of all sizes will benefit from services that automatically include a high level of security for transactions.

King said the European community meeting in Berlin also featured discussions around new technologies such as mobile commerce. “There is a lot of interest in using mobile commerce in the merchant environment to accept payments, and we have been very busy in that regard,” he said. The PCI SSC is working closely with all stakeholders, he said, to find ways of making mobile payments as secure as possible, and evaluating card readers and PIN pads that plug into mobile phones. “We see a lot of challenges as well as opportunities associated with mobile commerce, which will be another hot topic for the council in the coming year,” said King. In the meantime, he said the PCI SSC has updated its guidance for merchants looking to accept mobile payments and its guidance on the topic for developers, both of which are available in the online documents library.

Florida court: Come back with a warrant to track suspects via...

Florida Supreme Court says drug suspect did not "voluntarily" give up location.

Swann select Intamac to develop innovative Cloud Video Recording service for...

Intamac, a pioneer of the "Internet of Things" and an already trusted partner of some of the world's biggest brands, has been selected by Swann Communications to develop an innovative Cloud Video Recording solution, leveraging the Internet to deliver new features and functionality around some of their existing and new products. Headquartered in Melbourne, Australia but with offices across the world, Swann is already the number one global brand for DIY surveillance, and the new partnership will take what is already a successful video surveillance product and further improve it by adding enhanced Internet connectivity and new features and functions.

The new advanced solution - called SwannOne - provides Swann's customers with an improved and interactive video recording experience, connecting wireless, self-install cameras over Wi-Fi to Intamac's ensoCloud platform for 24/7 video recording and storage. The SwannOne SoundView camera supports HD video streaming and night vision, along with motion and sound detection. The end user will be able to view recorded and real-time video via feature-rich interfaces on the web, smartphone or tablet.

Swann selected Intamac for this high-profile project because of its ability to deliver an advanced video recording solution, using Swann's existing products and combining them with Intamac's range of software and service solutions, called enso. In particular, Intamac's ensoAgent™ and ensoVideoAgent™ embedded device software turns Swann's wireless cameras and DVRs into 'smart' devices, whilst the ensoCloud™ platform provides the storage for the 24/7 recording.

David Perez, CEO of Intamac, comments: "The partnership between a successful specialist in hardware manufacture and an expert in the development of software and IoT solutions for OEMs offers enormous synergy. The outcome of this collaboration will be a truly innovative, market-leading product and service."

Geoff Wanless, CTO of Swann, comments: "SwannOne is a game changer for Swann and we sought a partner that was the international leader in this space. We are thankful we chose Intamac and we are excited about the direction we are taking together."

About Intamac

Intamac, a pioneer of the Internet of Things, provides a complete solution for OEMs, Service Providers and others, enabling them to connect products and devices to the Internet so that they can offer value-added service features to their customers, gain powerful insight into the performance and function of their products, and manage and control them remotely.

Contact: Sean Meagher, Intamac Systems, +44 870 111 7234, enquiries@intamac.com
For more information see www.intamac.com

About Swann

Swann is a global leader in consumer electronics, specializing in security monitoring and connected home solutions for consumers through retail channels. The company's products are innovative yet cost effective and mainly for do-it-yourself users in home, office and small-to-medium retail environments. Swann was founded in 1987 and now has offices in the USA, Canada, Australia, the UK, China, Hong Kong and Russia with distribution and retail partners around the globe.

Contact: Geoff Wanless, Swann, +61 3 8412 4600, geoffw@swann.com
For more information see www.swannone.com

Source: RealWire