
Tag: Due Diligence

Natural Power expands due diligence team in North America

Dr Christine Bordonaro has been appointed to the role of Principal Engineer on the due diligence team at Natural Power in North America and will be supporting the due diligence activities for both wind and solar. Christine Bordonaro brings 20 years of i...

CentralNic appoints a Group Corporate Development Director

CentralNic hires experienced M&A professional Sarah Ryan

London, 9th May 2017: CentralNic is pleased to announce that its senior management team has been further strengthened by the addition of Sarah Ryan.
Sarah, a highly experienced Mergers and Acquisitions professional, joins CentralNic as Group Corporate Development Director. Sarah was formerly Director of International M&A for LexisNexis and Thomson Financial.
In these roles, she led transaction due diligence and structured complex deal terms globally.

These included deals in the Middle... Source: RealWire

Uber’s Levandowski really doesn’t want to talk about any Waymo documents

Showing a privilege log “would violate... the right against self-incrimination.”

Cognosec enters exclusive agreement to acquire UK-based A-tek Distribution Limited

Cognosec AB (publ) (“Cognosec” or “The Company”), (Nasdaq: COGS), a leading supplier of cyber security solutions with operations in Europe, Africa and the Middle East, has signed an exclusive agreement with A-tek Distribution, a UK-based company specialising in the sale and digital distribution via innovative portal technologies of cyber security solutions, products and services.

The acquisition is in line with Cognosec’s strategy to expand business areas to cover the sale and distribution of software technologies over the internet.

This press release includes inside information of Cognosec AB (publ) (“Cognosec” or “The Company”) that has been subject to postponement of disclosure.

The disclosure of inside information was postponed on December 8, 2016 under Article 17 (4) of Regulation (EU) No 596/2014 (Market Abuse Regulation).

Cognosec AB today announces the signing of Heads of Terms of Agreement pursuant to the acquisition of A-tek Distribution, which is expected to close in Q1, 2017 subject to legal, financial and technology due diligence exercises.

A-tek Distribution was founded in 2009, and is a United Kingdom registered company.

The transaction will include the acquisition of 100% of outstanding shares for a consideration of approximately €275,000[1] comprised of €44,000 cash and €231,000 Cognosec AB new issue shares.

The transaction will be completed by Cognosec AB subsidiary, Credence Security.

There will be no other impact on Cognosec AB’s balance sheet.

A-tek Distribution is a specialist Digital Software Distribution Business, distributing cyber security solutions by portal and established by pioneers of digital software distribution who between them, possess over 85 man years of digital software distribution.

A-tek is positioned as a New Age Distribution Business, enabling global access to the vast SME markets with Pay-as-you-Use and Software-as-a-Service cyber security solutions.

The technology platform provides significant scalability and global advantages through innovative distribution methodologies.

A-tek Distribution recorded revenues of EUR 101 510[2] in FY2016 and EBITDA of EUR 48 560[2].

The acquisition of A-tek improves Cognosec’s competitive advantage for both vendors and customers alike.

This addition also expands Credence Security’s current product portfolio to incorporate cyber security solutions for secure operation centers, network operation centers, datacenters, mobile platforms, virtualised environments as well as providing critical fraud prevention solutions into the technology, media, telecommunications, financial and public sectors.

Commenting on the acquisition of the business by Cognosec AB, Robert Hall, A-tek Distribution’s Co-founder, says that - “It will allow the Company to fast track the overview above, whilst working together with a globally recognised provider of cyber security excellence to secure additional distribution agreements giving our current and future partners tremendous platforms for future growth, productivity and profitability."

Robert Brown, CEO of Cognosec AB commented – “We are delighted to broaden and deepen our business in line with our strategies through the acquisition of A-tek, a highly respected and experienced team.

Through A-tek, Cognosec will be extending its customer base with the addition of web-based digital distribution portals covering existing and new segments of this growing market.

Cognosec recognises the expansion of distribution of cyber security software through innovative portal solutions providing products and services with a strong emphasis on the SME markets as our strategic focus."

[1] The transaction will complete in GBP, so the approximation is for the GBP:EUR exchange rate taken at mid-market on 23rd January 2017, 1 GBP = 1.158 EUR.
[2] A-tek Distribution Limited uses GBP as its reporting currency. The approximation is for the GBP:EUR exchange rate taken at mid-market on 23rd January 2017, 1 GBP = 1.158 EUR.

Certified Adviser
Mangold Fondkommission AB is the Company’s Certified Adviser.
Telephone: +46 (0)8 5030 1550
E-mail: info@mangold.se

FOR FURTHER INFORMATION, PLEASE CONTACT:
Magnus Stuart
IR-contact, Cognosec AB
Email: magnus.stuart@cognosec.com

Aidan Murphy / Matthew Watkins
PR contacts, Finn Partners
Email: Cognosec@FinnPartners.com
Call: +44 (0)20 3217 7060

This information is information that Cognosec AB is obliged to make public, pursuant to the EU Market Abuse Regulation.

The information was submitted for publication, through the agency of the contact person set out above, on 24th January, 2017, at 15.00 CET.

ABOUT COGNOSEC
Cognosec AB (publ) (Nasdaq: COGS) is engaged in the provision of cyber security solutions and conducts its operations through the Swedish parent company and through subsidiaries in South Africa, UK, Kenya, and the United Arab Emirates.

The Group delivers services and technology licences to enhance clients’ protection against unwanted intrusion and to prevent various forms of information theft.

The parent company is domiciled in Stockholm, Sweden.

Cognosec employs 110 people and had revenues of EUR 16.8 million in 2015. Please visit www.cognosec.se for more information.

The essential guide to anti-malware tools

It's a sad fact of life in IT nowadays that some form of preparation for dealing with malware is part and parcel of what systems and network administrators must do.

This goes above and beyond normal due diligence in warding off malware. It includes a proper appreciation of the work and risks involved in handling malware infections, and acquiring a toolkit of repair and cleanup tools to complement the protective measures involved in exercising due diligence. It should also include at least two forms of insurance – one literal, the other metaphorical – that can help avert or cover an organization against costs and liabilities that malware could otherwise force it to incur.

Due diligence to defend against malware

When it comes to exercising due diligence to fend off or protect against malware, four elements are necessarily involved:

Monitoring for threats and vulnerabilities in an IT infrastructure: This involves the consumption and analysis of relevant intelligence about threats and vulnerabilities, and acting on warnings, workarounds and other mitigation techniques to reduce related risks.

How—and why—you should use a VPN any time you hop on...

One of the most important skills any computer user should have is the ability to use a virtual private network (VPN) to protect their privacy.

A VPN is typically a paid service that keeps your web browsing secure and private over public Wi-Fi hotspots.
VPNs can also get past regional restrictions for video- and music-streaming sites and help you evade government censorship restrictions—though that last one is especially tricky.

The best way to think of a VPN is as a secure tunnel between your PC and the destinations you visit on the internet. Your PC connects to a VPN server, which can be located in the United States or a foreign country like the United Kingdom, France, Sweden, or Thailand. Your web traffic then passes back and forth through that server.

The end result: As far as most websites are concerned, you’re browsing from that server’s geographical location, not your computer’s location. We’ll get to the implications of a VPN’s location in a moment, but first, let’s get back to our secure tunnel example. Once you’re connected to the VPN and are “inside the tunnel,” it becomes very difficult for anyone else to spy on your web-browsing activity.

The only people who will know what you’re up to are you, the VPN provider (usually an HTTPS connection can mitigate this), and the website you’re visiting.

Image caption: A VPN is like a secure tunnel for your web traffic.

When you’re on public Wi-Fi at an airport or café, that means hackers will have a harder time stealing your login credentials or redirecting your PC to a phony banking site. Your Internet service provider (ISP), or anyone else trying to spy on you, will also have a near impossible time figuring out which websites you’re visiting. On top of all that, you get the benefits of spoofing your location. If you’re in Los Angeles, for example, and the VPN server is in the U.K., it will look to most websites as though you’re browsing from there, not southern California. This is why many regionally restricted websites and online services such as BBC’s iPlayer or Sling TV can be fooled by a VPN.

I say “most” services because some, most notably Netflix, are fighting against VPN (ab)use to prevent people from getting access to, say, the American version of Netflix when they’re really in Australia. For the most part, however, if you’re visiting Belgium and connect to a U.S. VPN server, you should get access to most American sites and services just as if you were sitting at a Starbucks in Chicago.

What a VPN can’t do

While VPNs are an important tool, they are far from foolproof. Let’s say you live in an oppressive country and want to evade censorship in order to access the unrestricted web.

A VPN would have limited use. If you’re trying to evade government restrictions and access sites like Facebook and Twitter, a VPN might be useful. Even then, you’d have to be somewhat dependent on the government’s willingness to look the other way. Anything more serious than that, such as mission-critical anonymity, is far more difficult to achieve—even with a VPN. Privacy against passive surveillance? No problem. Protection against an active and hostile government? Probably not.

Image caption: A VPN service provider such as HideMyAss can protect your privacy by ensuring your internet connection is encrypted.

The problem with anonymity is there are so many issues to consider—most of which are beyond the scope of this article. Has the government surreptitiously installed malware on your PC in order to monitor your activity, for example? Does the VPN you want to use have any issues with data leakage or weak encryption that could expose your web browsing? How much information does your VPN provider log about your activity, and would that information be accessible to the government? Are you using an anonymous identity online on a PC that you never use in conjunction with your actual identity? Anonymity online is a very difficult goal to achieve. If, however, you are trying to remain private from prying eyes or evade NSA-style bulk data collection as a matter of principle, a reputable VPN will probably be good enough.

Beyond surveillance, a VPN also won’t do much to keep advertisers from tracking you online. Remember that the website you visit is aware of what you do on its site, and that applies equally to advertisers serving ads on that site. To prevent online tracking by advertisers and websites you’ll still need browser add-ons like Ghostery, Privacy Badger, and HTTPS Everywhere.

How to choose a VPN provider

There was a time when using a VPN required users to know about the built-in VPN client for Windows or universal open-source solutions such as OpenVPN. Nowadays, however, nearly every VPN provider has its own one-click client that gets you up and running in seconds.

There are usually mobile apps as well to keep your Android or iOS device secure over public Wi-Fi. Of course, that brings up another problem. Since there are so many services to choose from, how can you tell which ones are worth using, and what are the criteria to judge them by? First, let’s get the big question out of the way.

The bad news for anyone used to free services is that it pays to pay when it comes to a VPN.

There are tons of free options from reputable companies, but these are usually a poor substitute for the paid options.

Free services usually allow a limited amount of bandwidth usage per month or offer a slower service.

TunnelBear, for example, offers just 500MB of free bandwidth per month, while CyberGhost offers a free service that is significantly slower than its paid service.

Image caption: Everybody loves free services, but when you want to use a VPN, the free version usually isn’t the best deal.

Then there are the free VPNs that use an ad-supported model, which in my experience usually aren’t worth using at all. Plus, free VPNs are usually anything but; in lieu of payment they may be harvesting your data (in anonymized form, of course) and selling it as “marketing insights” to advertisers. The good news is VPNs aren’t expensive. You can usually pay as little as $5 a month (billed annually or in blocks of several months) for VPN coverage.

We won’t get into specific VPN service recommendations in this article; instead, here are some issues to consider when shopping around for a VPN provider.

First, what kind of logging does your VPN provider do? In other words, what information do they keep about your VPN sessions and how long is it kept? Are they recording the IP addresses you use, the websites you visit, the amount of bandwidth used, or any other key details? All VPNs have to do some kind of logging, but there are VPNs that collect as little data as possible and others that aren’t so minimalist. On top of that, some services discard their logs in a matter of hours or days while other companies hold onto them for months at a time. How much privacy you expect from your VPN-based browsing will greatly influence how long you can stand having your provider maintain your activity logs—and what those logs contain.

Image caption: TunnelBear is one of the author’s favorite VPNs, but there are many good choices on the market.

Second, what are the acceptable terms of use for your VPN provider? Thanks to the popularity of VPNs with torrent users, permissible activity on specific VPNs can vary. Some companies disallow torrents completely, some are totally fine with them, while others won’t stop torrents but officially disallow them. We aren’t here to advise pirates, but anyone looking to use a VPN should understand what is and is not okay to do on their provider’s network.

Finally, does the VPN provider offer its own application that you can download and install? Unless you’re a power user who wants to mess with OpenVPN, a customized VPN program is really the way to go. It’s simple to use and doesn’t require any great technical knowledge or the need to adjust any significant settings.

Using a VPN

You’ve done your due diligence, checked out your VPN’s logging policies, and found a service with a great price and a customized application. Now, for the easy part: connecting to the VPN. Here’s a look at a few examples of VPN desktop applications.

TunnelBear, which is currently my VPN of choice, has a very simple interface—if a little skeuomorphic. With TunnelBear, all you need to do is select the country you want to be virtually present in, click the dial to the “on” position, and wait for a connection-confirmation message. SaferVPN works similarly.

From the left-hand side you select the country you’d like to use—the more common choices such as the U.S., Germany, and the U.K. are at the top. Once that’s done, hit the big Connect button and wait once again for the confirmation message.

Image caption: With SaferVPN, all you need to do is choose the country you wish to have a virtual presence in.

HMA Pro is a VPN I’ll be reviewing in the next few days. This interface is slightly more complicated, but it’s far from difficult to understand. If you want to select your desired virtual location, click the Location mode tab, click on the location name, and then choose your preferred location from the list. Once that’s done, click the slider button that says Disconnected. Once it flips to Connected, you’re ready to roll.

There are numerous VPN services out there, and they all have different interfaces; but they are all similar enough that if you can successfully use one, you’ll be able to use the others. That’s all there is to using a VPN. The hard part is figuring out which service to use. Once that’s done, connecting to a VPN for added privacy or to stream your favorite TV shows while abroad is just a click away.

This story, "How—and why—you should use a VPN any time you hop on the internet" was originally published by TechHive.

At trial, Zuckerberg is “highly confident” Oculus built its own technology

Image caption: Facebook CEO Mark Zuckerberg wanders past oblivious people in Samsung Gear VR headsets in a photo that is not from this trial.

In what he said was his first time testifying in a courtroom, Facebook CEO Mark Zuckerberg said he was "highly confident that Oculus products are built on Oculus technology." The testimony came during a trial in which ZeniMax Media, parent company of Bethesda Softworks and Id Software, alleges that Doom co-creator John Carmack stole trade secrets and destroyed evidence when he took VR technology developed as a ZeniMax employee over to Oculus when he became its Chief Technology Officer in 2013. Zuckerberg rebutted that idea flatly on the stand, saying, "the idea that Oculus products are based on someone else’s technology is just wrong" (as reported by The New York Times).

In his testimony, Zuckerberg hinted that ZeniMax was simply looking to latch on to Oculus' success in the wake of the company's $2 billion acquisition by Facebook in 2014. "It is pretty common when you announce a big deal or do something that all kinds of people just kind of come out of the woodwork and claim that they just own some portion of the deal," Zuckerberg said (as reported by The New York Times' Mike Isaac in this tweet). "Like most people in the court, I’ve never even heard of ZeniMax before. I know that our legal team would look into this and examine, but they aren’t going to take a lot of my time on something they don’t think is credible."

Based on reports from journalists in the audience at the Dallas trial, ZeniMax lawyers tried to press the case that Facebook didn't do enough due diligence to detect any alleged IP theft between Oculus and ZeniMax before purchasing the VR company for $2 billion in 2014. To support that argument, ZeniMax presented into evidence a text message to Zuckerberg from Amin Zoufounoun, Facebook's vice president of corporate development, saying that "there are things [Oculus] told us that are simply not true." In response, Zuckerberg texted back that he should "keep pushing forward until we have something we can sign on a moment’s notice, then we can figure out how long we wait for diligence," according to a courtroom report from Gizmodo's William Turton.

On the stand, Zuckerberg also confirmed ZeniMax's incredulous assertion that Facebook's "plan was to begin legal diligence on Friday and sign the deal on Monday." In a followup, Zuckerberg suggested that Oculus was a smaller company at the time and didn't need as much time for due diligence as other large Facebook acquisitions, such as WhatsApp. ZeniMax's lawyers established that Zuckerberg was not aware of an earlier non-disclosure agreement outlining the collaboration between Carmack and Oculus founder Palmer Luckey until 2016, when he was told about it by lawyers involved in the case.

The prosecution presented other evidence to show how eager Facebook was to get in on VR through an Oculus acquisition. "I wanted to just give him all my money on the spot," venture capitalist and Facebook board member Marc Andreessen reportedly said of John Carmack in introducing Zuckerberg to the idea of an Oculus purchase. After seeing Oculus' technology in action, Zuckerberg wrote in an e-mail that the company was "miles ahead" of the competition.

ZeniMax also tried to make some legal hay of Facebook's longstanding motto "move fast and break things," suggesting that Facebook may have "broken" some things in quickly signing the Oculus deal. Zuckerberg joked that the motto has changed and that Facebook now tries to "move fast and build stable infrastructure" (a modification Facebook has publicized at least since 2014).

Aside from the questions about IP ownership, Zuckerberg also revealed in the trial that in addition to the $2 billion purchase price, Facebook had to spend an additional $700 million to retain key Oculus team members and another $300 million in deliverable milestone bonuses. In a statement provided to the press, Oculus said, "We're disappointed that another company is using wasteful litigation to attempt to take credit for technology that it did not have the vision, expertise, or patience to build."

IT Professionals Hold Little Back in Reaction to Yahoo Breach

One statement shows the main problem web services like Yahoo's face on a 24/7 basis: Credibility in safeguarding personal information is of utmost importance.

For a company that really could use some good news for a change, Yahoo has had another pretty rough week. The pioneering search and web services provider, whose home page starts more browser sessions than anybody in the world, revealed Dec. 14 that new security issues had impacted the personal data of more than 1 billion of its users.

This is thought to be the largest and most widespread theft of personal information in the brief history of the internet. The breach is different and twice as large as the hack Yahoo admitted to suffering last September, one the company said happened in 2014--and was at the time the largest breach in the world. So much for world records.

The newly disclosed security intrusion from Dec. 14 apparently took place in 2013 and involved a substantial amount of personal information, including passwords and the answers to security questions. Yahoo is trying to harden all its systems and requiring all its users to change passwords, and it is automatically invalidating the security questions.

Former User: 'Went Over to My Gmail Account'

In a typical reaction, a Yahoo user interviewed on the street Dec. 14 on Bay Area television news simply said: "How does the Yahoo breach affect me? Simple. I just went to my Yahoo account, closed it and went over to my Gmail account."

That in one statement shows the main problem web services like Yahoo's face on a 24/7 basis: Credibility in safeguarding personal information.

To be fair, this could happen to anybody, and it does on a regular basis; the public just doesn't become aware of all the breaches.

Yahoo had agreed earlier this year to sell its core businesses to Verizon Communications for $4.8 billion. Verizon said that it might seek to renegotiate the terms of the transaction after the first hacking was discovered. It's not known how the Dec. 14 hack attack will affect the purchase, which is still in process. No matter what, this news isn't going to help Yahoo's side of the negotiation.

As one might expect, eWEEK was inundated with reactions from IT folks far and wide after the news broke two days ago. The self-serving, "I told you so" statements were easily remedied by the delete button. Others are legitimate observations based on industry experience and perspective--information from which Yahoo and others can learn. We include some of the more cogent ones here.

Jason Rose, Senior Vice President at customer identity management provider Gigya: "The biggest casualty is consumer's loss of trust in Yahoo, which will, ultimately, erode the company's value for pending acquirer Verizon. Trust is earned in drips and lost in buckets. In the online world, customers need to share their identity: email addresses, personal preferences, credit card numbers, etc., in order to connect with the businesses that provide them goods and services. If customers can't rely on a business to protect that data, then trust is lost. In other words, identity is the currency of trust."

James Maude, Senior Software Engineer, Avecto: "One in six people globally have now had their data breached thanks to Yahoo. With a breach on such an unprecedented scale, users should be concerned about how a behemoth of the internet failed to notice this for such a long period of time. This is especially concerning as recent reports have shown that around this time Yahoo was busy undermining its own security by installing backdoors in their own infrastructure for government agencies. There is the worrying possibility that this undisclosed backdoor served as cover for the data breaches, as employees deliberately ignored or hid these back channels.

"Initial reports suggest that the attackers manipulated cookies, which are normally used to authenticate or track users; however, in this case the attackers changed them to bypass logins without requiring a password. Using this technique, attackers could have logged into accounts at will and monitored them for great lengths of time. With such negligence, questions must be asked as to what was going on at Yahoo to allow this to happen."

Craig A. Newman, head of Privacy & Data Security Practice, Patterson Belknap LLP: "Not only is this a big deal in the context of the proposed sale to Verizon, but it raises obvious questions about Yahoo's overall data security protocols, particularly if 1 billion accounts were hacked more than 3 years ago and we're just finding out about it now. Surely, it ups the stakes in the proposed deal and gives Verizon a lot more leverage either to renegotiate the purchase price or walk from the deal. While it also underscores the importance of cybersecurity due diligence in an M&A transaction and its direct link to valuation, it begs the broader question of reputational risk and what this is really going to cost in terms of litigation and regulatory investigations."

Code Reuse a Peril for Secure Software Development

The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It’s a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and by some repositories taking a hands-off approach with the code they host. This scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability.

The real-world consequences have been demonstrated in the past few years with the Heartbleed vulnerability in OpenSSL, Shellshock in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the San Francisco Municipal Transportation Agency. These are three instances where developers reused libraries and frameworks that contained unpatched flaws in production applications.

Security researchers at Veracode estimate that 97 percent of the Java applications it tested included at least one component with at least one known software vulnerability. “The problem isn’t limited to Java and isn’t just tied to obscure projects,” said Tim Jarrett, senior director of security at Veracode. “Pick your programming language.” Gartner, meanwhile, estimates that by 2020, 99 percent of vulnerabilities exploited will be ones known by security and IT professionals for at least one year.

Code Reuse Saves Time, Invites Bugs

According to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. On the other, insecure code is used by a developer who doesn’t exercise due diligence on the software libraries used in their project.

“They’ve heard the warnings and know the dangers, but for many developers open source and third-party components can be a double-edged sword – saving time but opening the door to bugs,” said Derek Weeks, vice president and DevOps advocate at Sonatype. In an analysis of 25,000 applications, Sonatype found that seven percent of components had at least one security defect tied to the use of an insecure software component.

Repositories GitHub, Bitbucket, Python Package Index and NuGet Gallery are essential tools helping developers find pre-existing code that adds functionality to their software projects without having to reinvent the wheel. Java application developers, for example, rely on pre-existing frameworks to handle encryption, visual elements and libraries for handling data. “Software is no longer written from scratch,” Weeks said. “No matter how new and unique the application, 80 percent of the code used in a software application relies on third-party libraries or components.”

He said enterprises are more reliant on the software supply chain than ever before. But he says many of the go-to open-source repositories that make up that supply chain are not vetted libraries of reliable code. Rather, they are warehouses with a varying percentage of outdated projects with security issues. According to an analysis of Sonatype’s own Central Repository in 2015, developers had made 31 billion download requests of open source and third-party software components, compared to 17 billion requests the year before. And when Sonatype analyzed its own code library, it found 6.1 percent of code downloaded from its Central Repository had a known security defect. Weeks says Sonatype is doing better than other repositories that offer no tools, no guidance and no red flags to prevent developers from using frameworks with faulty code. “There is no Good Housekeeping Seal of Approval for third-party code.”

“Faulty code can easily spawn more problems down the road for developers,” said Stephen Breen, a principal consultant at NTT Com Security. “Even when development teams have the best intentions, it’s easy for developers working under tight deadlines to not properly vet the third-party code used in their software.” Breen said when insecure code is unknowingly used to build a component within a software program, problems snowball when that component is used inside other larger components.

One example of vulnerable third-party code reused repeatedly is a deserialization flaw in Apache Commons Collections (commons-collections-3.2.1.jar) – first reported in 2015 and patched in November of the same year.

Source: Veracode

Breen found there are still 1,300 instances of the old vulnerable version of Commons Collections lurking inside Java applications using Spring and Hibernate libraries and hosted across multiple open source code repositories. “The developer knows they are picking Spring or Hibernate for their development project. They don’t take it to the next level and realize they are also getting Commons Collections,” Breen said. “That Commons Collections library is then used by thousands more projects.” According to Veracode, Apache Commons Collections is the sixth-most common component used in Java applications. It found that unpatched versions of the software were in 25 percent of 300,000 Java applications scanned.

Even more challenging for developers is updating those applications that are using the vulnerable version of libraries and frameworks after the flaws have been patched. “Think of it like a faulty airbag. Carmakers used those faulty airbags in millions of vehicles. Now it’s the carmaker on the hook to fix the problem, not the airbag maker,” Weeks said.

Leaky Apps, Bad Crypto, Injection Flaws Galore

Veracode said the Apache Commons Collections example is the tip of the iceberg. When Veracode examined vulnerabilities tied to insecure code, it found application information leakage, where user or application data can be leveraged by an attacker, is the most prevalent type of vulnerability, accounting for 72 percent of third-party code flaws. Second are cryptographic issues, representing 65 percent of vulnerabilities. That was followed by Carriage Return Line Feed (CRLF) injection flaws and cross-site scripting bugs.

Source: Veracode

Compounding the problem is an increased dependency on open-source components used in a wide variety of software products. The federal government is typical. It has an open-source-first policy, as do many private companies. Relying on third-party libraries shortens development time and can improve the safety and quality of software projects, Weeks said. “Not only does code reuse save time but it also allows developers to be more innovative as they focus on creating new functionality and not writing encryption libraries from scratch,” Weeks said. Done correctly, code reuse is a developer’s godsend, he said.

For those reasons, security experts say it’s time for the industry to stop and consider where code originates. Sonatype, which markets and sells code verification services, promotes the idea of documenting software’s supply chain with what it calls a “software bill of materials.” That way developers can better scrutinize open-source frameworks before and after they are used, making it easier to update those applications that are using vulnerable old versions of libraries. Sonatype said it found one in 16 components it analyzed had a vulnerability that was previously documented, verified and with additional information available on the Internet. “I can’t imagine any other industry where it’s okay that one in 16 parts have known defects.” The problem is that among developers there is a mix of denial and ignorance at play. “Developers choose component parts, not security,” Weeks said. It should be the other way around.

“If we are aware of malicious or bad libraries or code, of course we want to warn our users,” said Logan Abbott, president of SourceForge, a software and code repository. “We scan binaries for vulnerabilities, but we don’t police any of the code we host.”

Repositories Say: ‘We’re Just the Host’

Repositories contacted by Threatpost say their platforms are a resource for developers akin to cloud storage services that allow people to store and share content publicly or privately. They don’t tell users what they can and cannot host with their service. They say rooting out bugs in software should be on the shoulders of developers – not repositories. Writing good vulnerability-free code starts at getting good code from healthy repositories with engaged users.

“We think of ourselves as the Home Depot of repositories,” said Rahul Chhabria, product manager for Atlassian Bitbucket. “We provide the tools, material and platform to get the job done right.” Chhabria said Bitbucket offers a range of tools to help sniff out bad or insecure components, such as the third-party tool SourceClear for scanning dependency chains. It also offers Bitbucket Pipelines, which allows for cloud-based team development of software projects and simplifies peer review.

GitHub is one of the largest repositories; it hosts 49 million public and private projects for its 18 million users. It does not scan or red-flag insecure code hosted on its platform, according to Shawn Davenport, VP of security at GitHub. Instead developers can use third-party tools such as Gemnasium, Brakeman and Code Climate for static and dependency analysis. “There is a lot of hidden risk out there in projects,” Davenport said. “We do our best to make sure our developers know what tools are available to them to vet their own code.” He estimates a minority of GitHub developers take advantage of software scanning and auditing tools.
“Unfortunately security isn’t a developers first priority.” Other repositories told Threatpost they intentionally take a hands-off approach and say expecting them to police their own software isn’t feasible, not part of their mission and nothing they plan to do. They point out, flawed or not, developers want access to all code – even older components. “An implementation of a library in one framework might not be a security risk at all,” Breen said. He points out developers often temporarily revert to those old libraries as stopgaps should an updated version break a project. Automated Scanning to the Rescue? One attempt at nipping the problem at the bud is the used of automated security vulnerability and configuration scanning for open source components. By 2019, more than 70 percent of enterprise DevOps initiatives will incorporate automated scanning, according to Gartner. Today only 10 percent of packages are scanned. The Node.js Foundation, an industry consortium designed to promote the Node.js platform, relies on a more community-based approach via the Node.js Security Project. The goal is to provide developers a process for discovering and disclosing security vulnerabilities found in the Node.js module ecosystem. According to Node.js the approach is a hybrid solution that consists of a database of vulnerabilities and a community communication channel for vetting and disclosing vulnerable code. “It’s not a story about security professionals solving the problem, it’s about how we empower development with the right information about the (software) parts they are consuming,” Weeks said. “In this case, the heart of the solution lies with development, and therefore requires a new approach and different thinking.”
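The point Breen makes above, that a team picks Spring or Hibernate and gets Commons Collections without ever choosing it, is exactly what a "software bill of materials" check is meant to surface. The script below is an added example written for this page; it is not code from the article, from Sonatype, Veracode, SourceClear or any other tool named there. It parses the text layout that `mvn dependency:tree -Dverbose` prints (the sample tree is constructed, and the framework versions in it are illustrative placeholders; only commons-collections 3.2.1 is the version the article names), then reports every dependency path that ends in a flagged artifact and which direct dependency dragged it in. The flag list is a hand-maintained stand-in for a real vulnerability database.

```python
"""Flag a known-vulnerable library that arrives as a transitive dependency.

Added example, not from the Threatpost article or any vendor tool it names.
Parses `mvn dependency:tree -Dverbose` text (constructed sample below) and
reports every path through which a flagged artifact is pulled in, so the
team can see that picking Spring or Hibernate also means picking up
Commons Collections.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of `mvn dependency:tree -Dverbose`.
# Framework versions are illustrative placeholders; commons-collections
# 3.2.1 is the version named in the article. The "omitted for duplicate"
# form is how verbose mode shows a second path to the same artifact.
SAMPLE_TREE = r"""
[INFO] com.example:shop-web:war:1.0.0
[INFO] +- org.springframework:spring-context:jar:4.2.0.RELEASE:compile
[INFO] |  +- org.springframework:spring-core:jar:4.2.0.RELEASE:compile
[INFO] |  \- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] +- org.hibernate:hibernate-core:jar:4.3.0.Final:compile
[INFO] |  \- (commons-collections:commons-collections:jar:3.2.1:compile - omitted for duplicate)
[INFO] \- junit:junit:jar:4.12:test
"""

# (group, artifact) -> versions to flag. Hand-maintained placeholder for a
# vulnerability database; only the article's example is listed.
FLAGGED_VERSIONS = {
    ("commons-collections", "commons-collections"): {"3.2.1"},
}

# One tree line: "[INFO] " + zero or more 3-char tree segments ("+- ", "|  ",
# "\- ", "   ") + optional "(" + group:artifact:type:version[...].
LINE_RE = re.compile(
    r"^\[INFO\] (?P<tree>(?:[-|+\\ ]{3})*)\(?"
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>[\w.-]+):(?P<version>[\w.-]+)"
)


@dataclass(frozen=True)
class Finding:
    group: str
    artifact: str
    version: str
    path: tuple  # coordinates from the project root down to the flagged artifact


def _coord(m):
    return f"{m['group']}:{m['artifact']}:{m['version']}"


def find_flagged(tree_text, flagged=FLAGGED_VERSIONS):
    """Walk the tree text and return a Finding for every flagged occurrence."""
    findings = []
    stack = []  # stack[d] is the coordinate at depth d on the current branch
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # separators, blank lines, build status lines
        depth = len(m["tree"]) // 3
        del stack[depth:]  # we have left the subtree of the previous sibling
        stack.append(_coord(m))
        if m["version"] in flagged.get((m["group"], m["artifact"]), ()):
            findings.append(Finding(m["group"], m["artifact"], m["version"], tuple(stack)))
    return findings


def pulled_in_via(findings):
    """Map each flagged coordinate to the direct dependencies that drag it in."""
    via = {}
    for f in findings:
        # path[0] is the project itself; path[1] is the direct dependency
        direct = f.path[1] if len(f.path) > 1 else f.path[0]
        via.setdefault(f"{f.group}:{f.artifact}:{f.version}", set()).add(direct)
    return {coord: sorted(parents) for coord, parents in via.items()}


if __name__ == "__main__":
    results = find_flagged(SAMPLE_TREE)
    for f in results:
        print(" -> ".join(f.path))
    for coord, parents in pulled_in_via(results).items():
        print(f"{coord} is pulled in by: {', '.join(parents)}")
```

On the sample tree this reports two paths to commons-collections 3.2.1, one through spring-context and one through hibernate-core, which is the information a team needs to decide whether bumping the framework, pinning the transitive version, or both, is the right fix. Feed it the real output of `mvn dependency:tree -Dverbose` and swap the flag list for a vulnerability feed to turn it into a build-time gate.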

Ugh! Is that your security budget? *Sucks teeth and shakes head*

Gartner report says size can be misleading

Organisations spend an average of 5.6 per cent of their overall IT budget on IT security and risk management, according to analyst Gartner. IT security spending ranges from approximately 1 per cent to 13 per cent of the IT budget.

Gartner warns that simply looking at the size of security spending - even in comparison to other firms in the same sector - is potentially misleading. "Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practicing due diligence in security and related programmes," explained Rob McMillan, research director at Gartner. "But general comparisons to generic industry averages don't tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable.” “Alternatively, you may be spending appropriately but have a different risk appetite from your peers,” he added. According to Gartner, the majority of organisations will continue to misuse average IT security spending figures as a measure of security program maturity, at least in the short to medium term.

Business requirements and risk tolerance need to be brought into the equation when evaluating whether or not an organisation has set its security budget at the right level, Gartner advises. Security features are being incorporated into hardware, software, activities or initiatives not specifically dedicated to security.

And staff who have a security role often have other duties. Gartner's experience is that many organisations simply do not know their security budget. “This is partly because few cost accounting systems break out security as a separate line item, and many security-relevant processes are carried out by staff who are not devoted full-time to security, making it impossible to accurately account for security personnel,” according to Gartner. “In most instances, the chief information security officer (CISO) does not have insight into security spending throughout the enterprise.” Deciding what to spend that budget on is a different and even trickier proposition.
Security spending is generally split among hardware, software, services (outsourcing and consulting) and personnel. According to Gartner, secure organisations can sometimes spend less than average on security as a percentage of the IT budget.

The lowest-spending organisations fall into two divergent camps: insecure organisations that underspend, and secure organisations that have implemented best practices for IT operations and security that reduce overall IT complexity. Gartner reckons that enterprises should be spending between 4 and 7 per cent of their IT budgets on IT security: lower in the range if they have mature systems, higher if they are wide open and at risk.

This represents the budget under the control and responsibility of the CISO, and not the "real" or total budget. Gartner clients can read more in the report, Identifying the Real Information Security Budget.

Judge forces Coinbase to hand over years’ worth of user data...

On Wednesday, a federal judge in San Francisco approved a request made earlier this month by the Internal Revenue Service to force Coinbase, a popular online Bitcoin wallet service, to hand over years of data that would reveal the identities of all of its active United States-based users. The IRS is concerned that some of Coinbase’s customers may have used its service to circumvent or mitigate tax liability.

Federal investigators say they need Coinbase's records to be able to identify some Bitcoin wallets and to check against tax records to make sure Coinbase's users are paying any and all proper taxes on their Bitcoin-related income. In a two-page court order, US Magistrate Judge Jacqueline Scott Corley agreed that the IRS can serve the San Francisco-based company with a form that would require disclosure of essentially all personal data of all Coinbase users who conducted a transaction between 2013 and 2015. (Full disclosure: such records would include this reporter, who briefly possessed a small amount of bitcoins in 2014 and sold them as part of our Arscoin story.)

The IRS will now require Coinbase to provide, among other information:

Account/wallet/vault registration records for each account/wallet/vault owned or controlled by the user during the period stated above including, but not limited to, complete user profile, history of changes to user profile from account inception, complete user preferences, complete user security settings and history (including confirmed devices and account activity), complete user payment methods, and any other information related to the funding sources for the account/wallet/vault, regardless of date.

Any other records of Know-Your-Customer due diligence performed with respect to the user not included in paragraph 1, above.

David Farmer, a Coinbase spokesman, told Ars that the company plans to fight the order in court.

The government's request so far has been ex parte, or one-sided—Coinbase has not been formally invited to court to challenge the IRS. “We are aware of, and expected, the Court’s ex parte order today,” the company said in a statement provided by Farmer on Wednesday afternoon. “We look forward to opposing the DOJ’s request in court after Coinbase is served with a subpoena. As we previously stated, we remain concerned with our US customers’ legitimate privacy rights in the face of the government’s sweeping request.”

A case management conference has been scheduled for February 16, 2017 at 1:30pm PT.

UKCloud supports customer due diligence with Cloud Security Alliance ‘STAR’ declaration

Assured cloud services provider also adopts Cloud Security Alliance CAIQ framework

LONDON – November 17th 2016 – UKCloud, the easy to adopt, easy to use and easy to leave assured cloud services company, today announced that it has achieved Level 1 certification against the Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR), a comprehensive assertion of the security of a cloud service provider.


The CSA STAR programme records compliance levels against a comprehensive framework of cloud-based security control objectives, which allows cloud service providers from around the world to assess and communicate their security posture to potential customers. Being listed as a CSA STAR provider on the programme’s publicly accessible Registry adds an even greater level of transparency to UKCloud’s industry leading security capabilities.

UKCloud has an unparalleled heritage of achieving the highest levels of independent validation of its security controls. In addition to industry standards such as ISO27001, UKCloud was amongst the very few to achieve and retain Pan Government Accreditation by the UK Government’s National Cyber Security Centre (NCSC) at the highest level available to cloud providers, and is approved as a service provider on both the Public Services Network (PSN) and the NHS National Network (N3). UKCloud provides a wealth of assurance information to its customers through independent evidence of its accreditations, certifications and detailed descriptions about the security characteristics of each of its cloud services.

“In an increasingly competitive marketplace, we have found that some of our UK public sector customers are now referring to additional governance frameworks when assessing the suitability of their cloud providers,” said John Godwin, Director of Compliance and IA at UKCloud.

“UKCloud has always been able to demonstrate the security credentials of our cloud services through formal accreditations, such as NCSC Pan Government Accreditation, compliance with standards such as ISO27001 and ISO27018, and by co-operating with our public sector customers as they undertake their own due diligence activities. As such, we are pleased to adopt and populate the Cloud Security Alliance CAIQ (Consensus Assessments Initiative Questionnaire) framework, so that we can more easily support those customers who may choose to use this as part of their formal assessment programme. UKCloud’s completed response, which is publicly available to download via CSA STAR, has already been used as the basis for a successful customer assessment of our cloud services.”

UKCloud is the industry’s most highly accredited and certified cloud service provider. It provides a full range of secure network connectivity options to meet its UK public sector customers’ requirements; furthermore, its multiple UK data centres ensure that customer data is never subject to foreign data privacy issues.

UKCloud’s assured cloud services are specifically designed to meet the needs of the UK public sector, delivering UK sovereign solutions, with genuine and flexible pay-by-the-hour consumption models.

For more information regarding UKCloud’s CSA certification, please visit: https://cloudsecurityalliance.org/star-registrant/ukcloud-ltd/

- ends -

About UKCloud
UKCloud is dedicated to the UK Public Sector. We provide assured, agile and value-based true public cloud that enables our customers to deliver enhanced performance through technology.

We’re focused on cloud. Delivering a true cloud platform that is scalable, flexible, assured and cost-effective.

We’re open. You are never locked in. Using industry standards and open source software we enable flexibility and choice across multiple cloud solutions.

Dedicated to the UK Public Sector. Our business is designed specifically to serve and understand the needs of public sector organisations.

We develop communities. We bring together communities of users that are able to share datasets, reuse code, test ideas and solve problems.

Customer engagement. We will only be successful if our customers are successful. We embody this in the promise: Easy to adopt. Easy to use. Easy to leave.

Additional information about UKCloud can be found at www.ukcloud.com or by following us on Twitter at @ukcloudltd

UKCloud. The power behind public sector technology.

Media Contacts
Caitlin Mullally/Charlotte Martin
Finn Partners
+44 (0)20 3217 7060
UKCloudteam@finnpartners.com