Tag: peer-to-peer

Cybercriminals prefer to chat over Skype

Law enforcement and government officials don’t like encrypted peer-to-peer chat platforms such as WhatsApp and Jabber because it is harder to eavesdrop on what cybercriminals are planning.

But according to a recent study of global cybercriminal operations, the bulk of criminal discussions don’t happen over encrypted chat.
Skype is the preferred mode of communication among cybercrime gangs worldwide. Skype, owned by Microsoft and widely used by consumers and enterprises, doesn’t encrypt messaging end-to-end the way the secure messaging apps do.

But it is still popular among cybercrime gangs around the world, FlashPoint analysts found in a study of communications platforms used by financially motivated cybercriminals.

Cybercriminals Mostly Prefer Skype Messaging

But cybercrime gangs worldwide are increasingly using encrypted peer-to-peer chat platforms for their communications outside online underground forums, new study finds.

Vigilante botnet infects IoT devices before blackhats can hijack them

Hajime battles with Mirai for control over the Internet of poorly secured things.

Merriam Webster updates tech word list—and you will believe which ones...

Includes "net neutrality" and "EpiPen"; still on the sidelines about how to say "GIF."

25% off ARRIS SURFboard SB6190 DOCSIS 3.0 Cable Modem – Deal...

The SURFboard SB6190 is the first Gigabit+ cable modem available in retail, and is compatible with major US Cable Internet Providers like Xfinity by Comcast, Time Warner, Cox, Brighthouse and many others, so you can ditch their cable modem (along with their rental fee) and regain control.
It harnesses the power of DOCSIS 3.0 technology to bond up to thirty two downstream channels and eight upstream channels--providing you advanced multimedia services with data rates up to 1.4 Gbps download and 131 Mbps upload depending on your Cable Internet provider service.

That makes streaming HD Video, gaming, shopping, downloading, working, high-quality voice and video conferencing, and peer-to-peer networking applications far more realistic, faster, and efficient than ever before.
It averages 4.5 out of 5 stars on Amazon from over 4,100 people (read reviews).
Its typical list price of $149.99 has been reduced 25% to $111.99.
See it now on Amazon.

Researchers Find Security Flaws in IoT Cameras From Sony, Others

Security researchers discover significant vulnerabilities in two separate lines of surveillance video cameras that could allow them to be hacked or made part of an internet of things botnet, researchers say.

Two security researchers working separately are warning consumers and enterprises that network-connected video cameras from different manufacturers may not be secure, after researchers found vulnerabilities and backdoor code in the devices that could allow attackers to create internet-of-things botnets or spy on the users.

In a research note published on Dec. 6, security firm SEC Consult stated that 80 models of cameras sold under the Sony brand have a backdoor that could allow attackers to take complete control of the devices.
In a separate study published the same day, researchers for security firm Cybereason detailed their discovery of two zero-day vulnerabilities in white-box video cameras sold under various brand names on sites such as Amazon and eBay.

Hundreds of thousands of devices connected directly to the Internet are vulnerable, and even more may be accessible through a peer-to-peer service, Amit Serper, principal security researcher with Cybereason, told eWEEK.

“In about six hours, we came up with two zero-days that allow us to get the password for the camera, no matter how complex it was,” he said. “I’ve reversed engineered hundreds of these types of devices, and this is the worst that I’ve ever seen.”

Serper and Cybereason have attempted to contact the manufacturer, but have not had any luck and there is no fix for the camera.

Cybereason recommends that users dispose of the devices instead of continuing to use them. The discoveries are the latest evidence highlighting the lack of security in connected devices.
Security researchers have warned the makers of internet-of-things devices that security has to be a greater priority. Numerous studies have found vulnerabilities in popular network-connected consumer devices that could leak information or, in the worst case, allow an attacker to take control of the devices.

The state of IoT security, however, has taken on much greater meaning recently, after massive denial-of-service attacks that have emanated from botnets comprised of connected devices.
In September, security researcher and journalist Brian Krebs was the target of a massive denial-of-service attack produced by a program, named Mirai, which had infected a large number of digital video recorders and home routers.
In October, a similar attack disrupted domain-service provider Dyn and major internet services, such as Twitter and GitHub.

The backdoor in Sony’s video cameras took the form of a hard-coded password for the root—or super-user—account on the devices.

“We believe that this backdoor was introduced by Sony developers on purpose—maybe as a way to debug the device during development or factory functional testing—and not an ‘unauthorized third party’ like in other cases, (such as) the Juniper ScreenOS Backdoor,” SEC Consult stated in its research note.

“We have asked Sony some questions regarding the nature of the backdoor, intended purpose, when it was introduced and how it was fixed, but they did not answer.”

SEC Consult notified Sony of the issues, and the company has released updated firmware for the affected models, the security firm stated.

Sources: Crowdstrike Hires Former Tanium Exec As Head Of Worldwide Sales

As the battle for the endpoint security market heats up, Crowdstrike has landed former Tanium top sales executive Mike Carpenter as its new head of worldwide sales, sources told CRN.

Carpenter left Tanium in September, where he had been president of global sales and field operations since February 2014.
Sources said Carpenter is now being brought in to lead worldwide sales and that an announcement about the move could come as soon as next Monday.

Carpenter did not respond to requests for comment from CRN. His LinkedIn profile currently says "president – to be announced soon."

Crowdstrike declined to comment when reached by CRN.

Carpenter has a long history in the security market; prior to Tanium, he served as president of the Americas for Intel Security.

During his 12-year stint at the company, then McAfee, he worked with Crowdstrike CEO George Kurtz, who was worldwide chief technology officer and executive vice president before leaving and starting Crowdstrike in 2012. Kurtz did not respond to direct requests for comment about the executive addition.

The move is the latest example of rapidly accelerating competition in the endpoint security market, where both Tanium and Crowdstrike play.

Tanium's peer-to-peer technology lets organizations continuously scan all endpoints in a network to detect vulnerabilities and unmanaged devices, technology which is critical as companies look to ramp up the security and management of endpoint devices.

Crowdstrike focuses on the endpoint detection and response market and is one of the leading players in that space.

It is also the latest piece of news coming out of Tanium, which has been red-hot in the security space but has had multiple reports of buyout offers, including rejected bids from Palo Alto Networks and VMware, and seen multiple top-level executive departures, including Carpenter and multiple other top executives in recent months.

Crowdstrike, for its part, was recently ranked as one of the fastest-growing companies in the country by Deloitte.
It has been expanding its executive team over the past few months, adding Jerry Dixon as chief information security officer and Rod Murchison as vice president of product management in October.
It also added Brian Brouillette as vice president of customer success in August. 

Researchers Show Even 'Smart' Light Bulbs Are Threatened on IoT

A team of academic researchers find a way to infect Internet of Things devices—in this case, smart light bulbs—to enable them to spread malicious code to other devices.

A team of academic researchers demonstrated how even the simplest Internet of Things devices could be used to spread malicious code when they exploited a vulnerability in a popular smart light bulb to infect other devices.

In a draft research paper, researchers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada outlined their method of wresting control of Philips Hue smart lights from a home-automation network and then remotely updating the devices with malicious code.

With just 15,000 randomly distributed smart lights in an urban area, a network worm could spread in a chain reaction throughout an entire city, the researchers concluded using a type of analysis known as percolation theory.

“The attack can start by plugging in a single infected bulb anywhere in the city and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack,” the researchers said.

Network-connected devices—from smart light bulbs to programmable thermostats to wireless video cameras—are the basic building blocks of the Internet of Things. An increasing number of devices are already connected to controllers and Internet-connected hubs, with as many as 50 billion expected to be in use by 2020. While some smart-device manufacturers have made security a priority, most have focused on getting their products to market, leaving the potential for significant vulnerabilities that could affect the products and their users.

Unsecured webcams, for example, can allow attackers to see into consumers’ homes.
And in September and October botnets using millions of IoT devices knocked many target websites off the Internet, including security journalist Brian Krebs and domain-name service Dyn.

Unless more manufacturers and users consider the threats of the technology they are using every day, the risk of a major incident will only rise, the researchers said.

“Without giving it much thought, we are going to populate our homes, offices, and neighborhoods with a dense network of billions of tiny transmitters and receivers that have ad-hoc networking capabilities,” they wrote in the paper.

“These IoT devices can directly talk to each other, creating a new unintended communication medium that completely bypasses the traditional forms of communication such as telephony and the internet.”

Philips had taken steps to secure the lights from hackers, including encrypting data and refusing to reset a connection unless a ZigBee controller is in close proximity to the bulb.

However, the ZigBee chip used by Philips, and made by Atmel, had a major bug in its proximity test, the researchers found. As a result, a controller within 400 meters can initiate the factory reset procedure. The researchers tested the attack on lights distributed around their university campus, taking control of the Hue smart bulbs.

The equipment needed to conduct the factory reset could be mounted on a drone for a remote attack, a technique known as war-flying.

The attack could easily be undone, except that the researchers also reverse engineered older bulbs to extract the encryption key used to secure firmware updates.
Using that key, they created new software to overwrite the code that manages the bulbs to spread to other bulbs.

“A single infected lamp with a modified firmware, which is plugged-in anywhere in the city, can start an explosive chain reaction in which each lamp will infect and replace the firmware in all its neighbors within a range of up to a few hundred meters,” the researchers wrote.

Unlike previous worms, the attack does not require any internet access or communications, relying on the ZigBee protocol to send the malicious code among the bulbs in a peer-to-peer network. A city the size of Paris, about 105 square kilometers, could be infected if 15,000 lights were installed in a random distribution across the urban area, the researchers calculated.

“Since the Philips Hue smart lights are very popular in Europe and especially in affluent areas such as Paris, there is a very good chance that this threshold had in fact been exceeded, and thus the city is already vulnerable to massive infections via the ZigBee chain reaction described in this paper,” they wrote.

17 essential tools to protect your online identity, privacy

Make no mistake: Professional and state-sponsored cybercriminals are trying to compromise your identity -- either at home, to steal your money; or at work, to steal your employer’s money, sensitive data, or intellectual property. Most users know the basics of computer privacy and safety when using the internet, including running HTTPS and two-factor authentication whenever possible, and checking haveibeenpwned.com to verify whether their email addresses or user names and passwords have been compromised by a known attack. But these days, computer users should go well beyond tightening their social media account settings.

The security elite run a variety of programs, tools, and specialized hardware to ensure their privacy and security is as strong as it can be. Here, we take a look at this set of tools, beginning with those that provide the broadest security coverage down to each specific application for a particular purpose. Use any, or all, of these tools to protect your privacy and have the best computer security possible.

Everything starts with a secure device

Good computer security starts with a verified secure device, including safe hardware and a verified and intended boot experience.
If either can be manipulated, there is no way higher-level applications can be trusted, no matter how bulletproof their code.

Enter the Trusted Computing Group.
Supported by the likes of IBM, Intel, Microsoft, and others, TCG has been instrumental in the creation of open, standard-based secure computing devices and boot pathways, the most popular of which are the Trusted Platform Module (TPM) chip and self-encrypting hard drives. Your secure computing experience begins with TPM.

TPM. The TPM chip provides secure cryptographic functions and storage.
It stores trusted measurements and private keys of higher-level processes, enabling encryption keys to be stored in the most secure manner possible for general-purpose computers. With TPM, computers can verify their own boot processes, from the firmware level up.

Almost all PC manufacturers offer models with TPM chips.
If your privacy is paramount, you’ll want to ensure the device you use has an enabled TPM chip.

UEFI. Unified Extensible Firmware Interface is an open standards firmware specification that replaces the far less secure BIOS firmware chips. When enabled, UEFI 2.3.1 and later allow device manufacturers to “lock” in the device’s originating firmware instructions; any future updates must be signed and validated in order to update the firmware.

BIOS, on the other hand, can be corrupted with a minimum number of malicious bytes to “brick” the system and make it unusable until sent back to the manufacturer. Without UEFI, sophisticated malicious code can be installed to bypass all your OS’s security protections. Unfortunately, there is no way to convert from BIOS to UEFI, if that’s what you have.

Secure operating system boot. Your operating system will need self-checking processes to ensure its intended boot process hasn’t been compromised. UEFI-enabled systems (v.2.3.1 and later) can use UEFI’s Secure Boot process to begin a trusted boot process. Non-UEFI systems may have a similar feature, but it’s important to understand that if the underlying hardware and firmware do not have the necessary self-checking routines built in, upper-level operating system checks cannot be trusted as much.

Secure storage. Any device you use should have secure, default, encrypted storage, for both its primary storage and any removable media storage devices it allows. Local encryption makes it significantly harder for physical attacks to read your personal data. Many of today’s hard drives are self-encrypting, and many OS vendors (including Apple and Microsoft) have software-based drive encryption. Many portable devices offer full-device encryption out of the box. You should not use a device and/or OS that does not enable default storage encryption.

Two-factor authentication. Two-factor authentication is fast becoming a must in today’s world, where passwords are stolen by the hundreds of millions annually. Whenever possible, use and require 2FA for websites storing your personal information or email.
If your computing device supports 2FA, turn it on there. When 2FA is required, it ensures an attacker can’t simply guess or steal your password. (Note that using a single biometric factor, such as a fingerprint, is not even close to being as secure as 2FA.
It’s the second factor that gives the strength.) 2FA ensures that an attacker cannot phish you out of your logon credentials as easily as they could if you were using a password alone.
Even if they get your password or PIN, they will still have to get the second logon factor: biometric trait, USB device, cellphone, smart card, device, TPM chip, and so on.
It has been done, but is significantly more challenging. Be aware, though, that if an attacker gains total access to the database that authenticates your 2FA logon, they will have the super admin access necessary to access your data without your 2FA credentials.

Logon account lockout. Every device you use should lock itself when a certain number of bad logons have been attempted.

The number isn’t important.
Any value between 5 and 101 is reasonable enough to keep an attacker from guessing your password or PIN. However, lower values mean that unintentional logons might end up locking you out of your device.

Remote find. Device loss or theft is one of the most common means of data compromise. Most of today’s devices (or OSes) come with a feature, often not enabled by default, to find a lost or stolen device. Real-life stories abound in which people have been able to find their devices, often at a thief’s location, by using remote-find software. Of course, no one should confront a thief.
Always get law enforcement involved.

Remote wipe. If you can’t find a lost or stolen device, the next best thing is to remotely wipe all personal data. Not all vendors offer remote wipe, but many, including Apple and Microsoft, do. When activated, the device, which is hopefully already encrypted and protected against unauthorized logons, will either wipe all private data when a certain number of incorrect logons are entered or when instructed to do so upon the next connection to the internet (after being instructed to wipe itself by you).

All of the above provide a foundation for an overall secure computing experience. Without firmware, boot, and storage encryption protection mechanisms, a truly secure computing experience cannot be ensured.

But that’s only the start.

True privacy requires a secure network

The most paranoid computer security practitioners want every network connection they use to be secured.
And it all starts with a VPN.

Secure VPN. Most of us are familiar with VPNs, from connecting remotely to our work networks.
Corporate VPNs provide secure connectivity from your offsite remote location to the company network, but often offer no or limited protection to any other network location. Many hardware devices and software programs allow you to use a secure VPN no matter where you connect. With these boxes or programs, your network connection is encrypted from your device to your destination, as far as possible.
The best VPNs hide your originating information and/or randomly tunnel your connection among many other participating devices, making it harder for eavesdroppers to determine your identity or location.

Tor is the most used, free, secure VPN service available today. Using a Tor-enabled browser, all of your network traffic is routed over randomly selected intermediate nodes, encrypting as much of the traffic as possible.
Tens of millions of people rely on Tor to provide a reasonable level of privacy and security.
But Tor has many well-known weaknesses, ones that other secure VPN solutions, such as MIT’s Riffle or Freenet, are attempting to solve. Most of these attempts, however, are more theoretical than deployed (for example, Riffle) or require opt-in, exclusionary participation to be more secure (such as Freenet).
Freenet, for example, will only connect to other participating Freenet nodes (when in “darknet” mode) that you know of in advance. You can’t connect to other people and sites outside of Freenet when in this mode.

Anonymity services. Anonymity services, which may or may not provide VPN as well, are an intermediate proxy that completes a network request on behalf of the user.

The user submits his or her connection attempt or browser connection to the anonymity site, which completes the query, obtains the result, and passes it back to the user.
Anyone eavesdropping on the destination connection would be more likely to be stopped from tracking beyond the anonymity site, which hides the originator’s information.
There are loads of anonymity services available on the web.

Some anonymity sites store your information, and some of these have been compromised or forced by law enforcement to provide user information. Your best bet for privacy is to choose an anonymity site, like Anonymizer, that doesn’t store your information for longer than the current request.
Another popular, commercial secure VPN service is HideMyAss.

Anonymity hardware. Some people have attempted to make Tor and Tor-based anonymity easier using specially configured hardware. My favorite is Anonabox (model: anbM6-Pro), which is a portable, Wi-Fi-enabled VPN and Tor router.
Instead of having to configure Tor on your computer/device, you can simply use Anonabox instead.

Secure VPNs, anonymity services, and anonymity hardware can enhance your privacy greatly by securing your network connections.

But one big note of caution: No device or service offering security and anonymity has proved to be 100 percent secure.
Determined adversaries and unlimited resources can probably eavesdrop on your communications and determine your identity.
Everyone who uses a secure VPN, anonymity services, or anonymity hardware should communicate with the knowledge that any day their private communications could become public.

Secure applications are a must as well

With a secure device and secure connections, security experts use the most (reasonable) secure applications they can find. Here’s a rundown of some of your best bets for protecting your privacy.

Secure browsing. Tor leads the way for secure, almost end-to-end Internet browsing. When you can’t use Tor or a Tor-like VPN, make sure the browser you use has been set to its most secure settings. You want to prevent unauthorized code (and sometimes legitimate code) from executing without your being aware.
If you have Java, uninstall it (if not using it) or make sure critical security patches are applied.

Most browsers now offer “private browsing” modes. Microsoft calls this feature InPrivate; Chrome, Incognito.
These modes erase or do not store browsing history locally and are useful in preventing local, unauthorized forensic investigations from being as fruitful.

Use HTTPS for all internet searches (and connections to any website), especially in public locations.
Enable your browser’s Do Not Track features.
Additional software can prevent your browser experience from being tracked, including browser extensions Adblock Plus, Ghostery, Privacy Badger, or DoNotTrackPlus.
Some popular sites try to detect these extensions and block your use of their sites unless you disable them while on their sites.

Secure email. The original “killer app” for the internet, email is well-known for violating users’ privacy.

The internet’s original open standard for securing email, S/MIME, is being less used all the time.
S/MIME requires each participating user to exchange public encryption keys with other users.
This requirement has proved overly daunting for less savvy users of the internet.

These days most corporations that require end-to-end email encryption use commercial email services or appliances that allow secure email to be sent via HTTPS-enabled sites. Most commercial users of these services or devices say they are easy to implement and work with, but can sometimes be very expensive.

On the personal side there are dozens of secure email offerings.
The most popular (and widely used in many businesses) is Hushmail. With Hushmail, you either use the Hushmail website to send and receive secure email or install and use a Hushmail email client program (available for desktops and some mobile devices). You can use your own, original email address, which gets proxied through Hushmail’s proxy services, or obtain a Hushmail email address, a cheaper solution. Hushmail is one among dozens of secure email providers currently available.

Secure chat. Most OS- and device-provided chat programs do not offer strong security and privacy.
For strong end-to-end security you need to install an additional chat program. Luckily, there are dozens of chat programs, both free and commercial, that claim to offer greater security.
Some require installation of a client app; others offer website services. Most require all parties to communicate with the same program or use the same website (or at least the same chat protocol and protection). Common secure chat programs include ChatCrypt, ChatSecure, and Cryptocat. Most secure chat clients have the same basic features, so pick the one that enables you to communicate with the broadest set of people you need to securely chat with.

Secure payments. Most payment systems are required to store lots of information about you and your purchases, and they are usually required to provide payment or payer details when asked by law enforcement.

Even if they aren’t required to provide detailed data to the police or governments, many payment databases are compromised each year by malicious hackers.

Most users wishing for greater payment anonymity on the internet are turning to online cryptocurrencies, such as bitcoin. Users must first buy bitcoins, usually via traditional online payment methods, and must go through bitcoin exchanges to get their bitcoin value back out into traditional currencies.
Each exchange into and out of bitcoin typically takes a small payment fee.

Of course, the privacy and anonymity of virtual currencies comes with real risk.
They are usually not considered legal currency and may not be provided the same protections under law as “real” currencies.
They may also have incredible price volatility, with the value of your holdings potentially jumping or declining by huge margins in a single day.
It’s also possible that a single crypto attack could result in permanent, unrecoverable loss. Hackers have been successful in stealing millions of dollars in bitcoins, and sometimes those thefts are not reimbursed by the compromised holders.

As for credit cards, you can buy and use temporary online (or physical) credit cards. Most credit card agencies offer temporary cards, often at slightly high fee rates, which can be used for a temporary set period of time or even one-time use.
If a website gets compromised, exposing your temporary credit card, you won’t be at a loss because you’ll never use it again.

Secure file transfers. Probably the only class of applications that offer more alternatives than secure email is secure file transfer.
Any program using SSH or SCP allows encrypted and secure file sharing, and there are dozens, if not hundreds, of commercial offerings.

Users who wish to securely share files while also preserving their anonymity have a myriad of choices. One of the most popular commercial services is BTGuard.
It provides file anonymity services over BitTorrent, a very popular peer-to-peer file sharing protocol.

Anything Phil Zimmermann creates. Phil Zimmermann, creator of Pretty Good Privacy (PGP), cares deeply about privacy. He was willing to risk being arrested, imprisoned, and even potentially facing the U.S. death penalty because he strongly believed that everyone on the planet deserved good privacy tools. Every good and experienced computer security person I know and trust uses PGP.

To work with PGP, each participant creates their own private/public key pair and shares their public key with other participants for securely sending files, emails, or other content. Symantec bought and has supported PGP commercially since 2010, but dozens of open source versions are available and trusted, including OpenPGP.
If you don’t have PGP, get it, install it, and use it.

Zimmermann, who was also behind Hushmail, is a co-founder of Silent Circle, which offers secure solutions for a range of technologies.
It even offers the Blackphone, which was designed from the ground up to be the most secure, generally accessible cellphone ever.
There have been some hacks of the Blackphone, but it still is the cellphone that prizes privacy and security above all other features -- at least as much as one can and still sell the product to the general population.

Whatever Phil Zimmermann creates or promotes can be assured to be well thought out, delivering privacy and security in spades.

Don’t let banks fool you, the blockchain really does have other...

Gov.UK missing out on the real value? We're shocked, we tell you...
Shocked!

Analysis: It is a truth universally acknowledged that executives in the financial sector are capable of making the most exciting innovations boring, and in this respect their approach to the blockchain has been exemplary.

During 2008's financial crash, a nine-page paper titled Bitcoin: A Peer-to-Peer Electronic Cash System was published to the cryptography and policy mailing list at metzdowd. The paper, attributed to Satoshi Nakamoto, offered cypherpunks and anarcho-capitalists a chance to realise their fantasy of a decentralised digital money; in practice, fiat currency backed not by government but by cryptography and collective consent.

You know this story: it was going to change the world, and then it wasn't, and around the time bankers realised it wasn't going to change anything they struck upon the notion of getting it to work for them - though with very little idea how.

According to Gartner's hype-cycle, this sets blockchain technology near the peak of inflated expectations at the moment, ahead of 4D printing (What? - Ed) but behind virtual reality.

Speaking to The Register, fintech consultant Diana Biggs said it seemed "pretty evident that blockchain is very hyped at the moment" and noted a "marked change" from even two years ago, "when no financial institution or professional services firm would speak about it openly."

A lot of the discussion (or hype) in the space is also quite surface level, outside of specialist circles, which I would attribute to a number of factors, including the early stage of the technology, the complexity and a lack of understanding [about the technology itself.]

Late last week, almost eight years after the Bitcoin paper's publication, Rupert Scofield admitted to The Register over a breakfast briefing in Soho that he really didn't understand what the blockchain was, nor its relationship to Bitcoin, but he believed it was important for fintech companies to look into it.
Scofield, the president of Finca International — a microfinance business which seeks to make small loans to businesses in the developing world — is not the first person to be as bewildered at what the business case for the blockchain is as he was excited one could be found.

Blockbuster cool

Earlier this year, even Blighty's Chief Scientist could be caught advocating that a GDS-built blockchain in the UK could help Her Majesty's Government “collect taxes, deliver benefits, issue passports, record land registries, assure the supply chain of goods and generally ensure the integrity of government records and services.” Sir Mark Walport's 88-page report made little mention of how this would actually be of greater business value for the cited use-cases than a simple transactional database.

Even Scofield's notion of using the blockchain for Finca's “back room” would be obviously better handled by MySQL – something the CEO acknowledged. Yet the hype regarding the blockchain remains. Earlier this year, London-based fintech company GovCoin Systems partnered with Barclays, RWE npower and University College London to trial blockchain tech for the Department for Work and Pensions (DWP).

This trial was subsequently slammed by the Open Data Institute, although it did so on privacy grounds.

Painfully slow and expensive? We must have it

A more pointed criticism, however, may be the unsuitability of the blockchain to store or process payments at all, because it is very slow and very expensive.
In recording every Bitcoin transaction that has ever occurred, forever, it is meeting the business necessity of establishing trust and user belief in that digital currency. The blockchain prevents double-spending in digital currencies by ensuring that everyone knows where every Bitcoin is all of the time.

Transactions of Bitcoin take place by updating the blockchain so everyone knows that the Bitcoin in question is located somewhere new, with cryptographic hash values computed to validate its location. While this novel method of preventing double-spending has been applauded, the protocol regarding the distribution of information along the blockchain also limits transactions to seven per second.

Compared with the thousands of transactions per second conducted by the payments company VISA, this is crippling quality for. Suggestions for increasing the speed of Bitcoin transactions are regular subjects of debate in the Bitcoin community, but there may always be a critical limit to the speed of transactions as a product of the blockchain's trust requirements.

As there is no need to require so much trust from the DWP or any other government department, these transaction limits may be improved — but when trust isn't an issue, the business value of a distributed ledger also seems to evaporate.

A statement emailed to The Register after Friday's breakfast briefing with Finca, and attributed to Scofield, accepted that “the financial sector has not properly come to terms with the opportunities that blockchain might present to businesses, and financial institutions need to put a lot more energy into bringing in experts who can make sense of the business case in a rational and sensible way.”

A blockchain advisor at Secure Trading, Mustafa Al-Bassam, who is also a doctoral researcher at UCL, told The Register that “sometimes industry receives investment because investors are excited by the buzzwords, despite the fact that blockchain might be incompatible with what they want".

Al-Bassam added, “There is a large amount of interesting innovation happening in industry with blockchain and smart contract technology.

“For instance, some companies have been looking at smart contracts for financial instruments such as loans, or using a blockchain for inter-bank settlement. These use cases could be more economically efficient than traditional approaches by removing administration costs or middlemen that take a fee.

“Apart from financial use cases of this technology, there are also use cases for internet security,” he said. “For example, the transparency property of distributed ledgers makes it quite useful for certificate transparency to make rogue certificates easily detectable.”

Not that this has stopped the big corporations from having a go, with Microsoft offering a blockchain-as-a-service product on Azure, and IBM open-sourcing its own blockchain code earlier this year too.

Earlier this year, Gartner fellow Ray Valdes told The Register that 2016 was “the year of pointless blockchain projects.” He added that IBM and Microsoft's blockchain-as-a-service efforts were confusing and missed the business-case yet again.

Centralised blockchain hubs defeated the trust problem that the blockchain was invented to solve. Valdes said it was futile trying to pick winners in today's saturated blockchain hypezone because the zone was at a stage similar to that of the web in 1995, back when the first wave of innovators started to build services and win millions of customers.

Potential use-cases exist, as Al-Bassam noted, but they don't seem to be on the market yet.

Biggs told The Register that her personal opinion was that "there is exciting potential for this technology, but perhaps not in the ways most people think. And ultimately, new or old technology, it will all come down to business processes, policy and regulation to define what changes and benefits we will get out of this."

She added: "In terms of a new underlying protocol, that will also depend on consensus and adoption, and to a much greater extent than in the early days of the internet as we are today more cognisant of the enormity of the potential impact of such technologies and thus more committed to trying to get it right." ®

Fortinet Expands Security Fabric With New Technology Partner Program, SIEM Integrations

As part of building an integrated security strategy, Fortinet is extending its Security Fabric ecosystem with the launch of a new Fabric-Ready Partner Program for third-party vendor integration, the company said Monday. The new Partner Program opens up the Security Fabric ecosystem to validated third-party vendors, with peer-to-peer integration and commitments to ongoing interoperability and go to market.

The first batch of partners includes a cross-section of endpoint, cloud, SIEM, management and vulnerability vendors, including Brocade, Carbon Black, Centrify, Nozomi Networks, Palerra, Pulse Secure, Qualys, Tufin, UBIqube, VeriSign, WhiteHat Security and Ziften. For integration beyond the selective Fabric-Ready set of partners, Fortinet also said it is extending its FortiSIEM solution, which it acquired in June as AccelOps and has since rebranded, with support for multivendor security solutions.

Mark Miller, partner at M&S Technologies, a Dallas-based Fortinet partner, said he is “excited” about the launch, saying the new open ecosystem will allow him to better pair the Fortinet offerings with his other vendor lines and create enhanced security solutions for customers. “It will be a more strategic security sale for me, the partner,” Miller said.

In particular, Miller said opening the Security Fabric ecosystem to more third-party partners will help his company sell more complex solutions with faster deployment rates, which he said he expects will help boost his professional services business. “I think there’s a lot of opportunity for us. I think it shows the maturity of the company and the maturity of their product line. We’re pretty excited about it,” Miller said. “It seems like a great step forward.”

The launch builds on a strategy at Fortinet, which it calls the Security Fabric, to provide an integrated security architecture and internal segmentation capabilities for customers. With this launch, that integrated architecture is extended to whatever third-party vendors the customer has in its environment, or the partner has in its portfolio, John Maddison, senior vice president of products and solutions, said. “It provides some guidance for partners for when they are proposing the solution or the partners. The goal is to get customers to think longer term about their security solutions, instead of buying point solutions that don’t talk to each other,” Maddison said.

Researcher pops locks on keylogger, finds admin’s email inbox

Hawkeye plucked

Trustwave researcher Rodel Mendrez has gained access to the inbox of the criminal behind a commercial keylogger used to attack industries including finance, cloud services, logistics, foreign trade, and government. Mendrez's reverse engineering effort found credentials buried within the Hawkeye keylogger that lead through redirection to the author's inbox.

Attackers behind Hawkeye were siphoning from compromised machines browser, email, and FTP credentials, and system data including installed firewalls, operating system information, and IP address data. Mendrez found the criminals were using compromised email addresses to forward emails on to their real Gmail account as they may have been aware of vulnerabilities in their keylogger.

"To protect their own email credentials, they've hijacked a compromised email account as the initial receiver that eventually forward emails to the attacker's own email address," Mendrez says in a description of the reverse engineering process. "Naturally, I checked out these email inboxes.

"They appear to be email accounts on compromised systems … emails sent [here] are rerouted automatically to the attacker's Gmail account."

Mendrez has informed the owners of compromised email addresses which are being used to forward on pilfered data. The $35 keylogger was advertised on a now dead site hawkeyeproducts.com.

A cached copy reveals admins promoted it as taking "operating system monitoring to the next level" by recording keystrokes and 'recovering and stealing' saved passwords in browsers that "may have been forgotten". It sported USB and peer-to-peer spreading capabilities, plundering of modern browsers and messaging clients, and compatibility with all versions of Windows. The site even sported glowing customer 'reviews' and support from a "qualified team".

Intelligence firm iSIGHT Partners in June last year confirmed HawkEye had stolen credentials from organisations in the targeted industries which also include foreign trade, retail, and science and technology. At the time of analysis iSight researcher Randi Eitzman said Hawkeye was focused on plundering targets in India, with Italy, the US, and Turkey taking an equal hit. A dozen other countries including Britain and Australia were also targeted. It said the malware and others like it would continue to be a threat to organisations. ®