
Tag: Secure Electronic Transactions

Non-US encryption is 'theoretical,' claims CIA chief in backdoor debate

No choice but to use American gear, grins spymaster

CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses. And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use US-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical." Thus, the choice is American-built-and-backdoored or nothing, apparently. The spymaster made the remarks at a congressional hearing on Thursday after Senator Ron Wyden (D-OR) questioned the CIA's support for weakening cryptography to allow g-men to peek at people's private communications and data. Brennan said this was needed to counter the ability of terrorists to coordinate their actions using encrypted communications.

The director denied that forcing American companies to backdoor their security systems would cause any commercial problems. "US companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them," Brennan said. "So although you are right that there's the theoretical ability of foreign companies to have those encryption capabilities available to others, I do believe that this country and its private sector are integral to addressing these issues." We don't think the CIA man has been paying attention, to put it generously.

A study in February found there are 865 encryption products in use around the world supplied by developers in 55 countries.

About a third of these packages came from the US, with Germany, the UK and Canada the next biggest suppliers. Nevertheless, Brennan is right that the bulk of commercial encryption products in use by enterprises are supplied by American firms.

The word he missed is "now." If US firms are mandated to install backdoors, sales of encryption products are going to change very quickly. Very few overseas companies are going to buy a broken encryption system that can be read by US intelligence, and a fair few US companies aren't going to be wild about doing so either.

"It is clearly inaccurate to say that foreign encryption is a 'theoretical' capability," said Senator Wyden. "Requiring companies to build backdoors in their products to weaken strong encryption will put the personal safety of Americans at risk at a dangerous time and – I want to make this clear – I will fight such a policy with everything I have." Interestingly, Brennan didn't mention legislation proposed by Senators Richard Burr (R‑NC) and Dianne Feinstein (D‑CA) which would mandate backdoors.

The proposed bill has little support, and Brennan instead spoke supportively of a bill introduced by Senators Mark Warner (D-VA) and House Committee on Homeland Security Chairman Michael McCaul (R-TX), which would set up a congressional committee to explore the encryption issue. Not that we should be worried about the CIA snooping, Brennan said.
In the last three weeks, the CIA has appointed a privacy and civil liberties officer as a full member of senior staff.

The person will review all CIA activities to ensure they are legal, Brennan said. So that's all right then.

ID Specialist OneLogin Acquires Password Manager Portadi

Portadi's machine-learning IP will automate onboard credentialing for all of the apps used in the organization, saving employees and IT a lot of time. Even though passwords are targeted for elimination by new-gen security companies, there are still ple...

“Guccifer” leak of DNC Trump research has a Russian’s fingerprints on...

We still don't know who he is or whether he works for the Russian government, but one thing is for sure: Guccifer 2.0—the nom de guerre of the person claiming he hacked the Democratic National Committee and published hundreds of pages that appeared to prove it—left behind fingerprints implicating a Russian-speaking person with a nostalgia for the country's lost Soviet era.

Exhibit A in the case is this document created and later edited in the ubiquitous Microsoft Word format. Metadata left inside the file shows it was last edited by someone using the computer name "Феликс Эдмундович." That means the computer was configured to use the Russian language and that it was connected to a Russian-language keyboard. More intriguing still, "Феликс Эдмундович" is the colloquial name that translates to Felix Dzerzhinsky, the 19th Century Russian statesman who is best known for founding the Soviet secret police. (The metadata also shows that the purported DNC strategy memo was originally created by someone named Warren Flood, which happens to be the name of a LinkedIn user claiming to provide strategy and data analytics services to Democratic candidates.)

Exhibit B is this opposition research document on Donald Trump, the presumptive Republican presidential nominee.

Exhibit B is also written in Word.
Several of the Web links in it are broken and contain the error message "Error! Hyperlink reference not valid." But in a PDF-formatted copy of the same document published by Gawker a few hours before Guccifer 2.0's post went live, the error messages with roughly the same meaning appear in Russian.

The image on the left, with an error message in Russian, shows the document as it appeared on Gawker. The image on the right shows it as it was published directly by Guccifer 2.0.

The most likely explanation is that the Russian error messages are an artifact left behind when the leaker converted the Word document into a PDF.

That kind of conversion would be expected if the leaker's PC was set up to use Russian. The other piece of evidence is more circumstantial, but it still strengthens the case that the person publishing the documents intentionally or unintentionally left Russian—or at least Eastern European—fingerprints on the leak.
It's the use of ")))" in the accompanying blog post.

That's a common way people in Eastern Europe and Russia denote a smiley in text.

The grammar in the post strongly suggests that English is not the writer's native language, although in fairness, there's nothing indicating that the writer's mother tongue is Russian or even Eastern European. All three pieces of evidence were teased out of the documents and noted on Twitter by an independent security researcher who goes by the handle PwnAllTheThings.

The theory is also consistent with everything previously published by CrowdStrike, the security firm the DNC hired to investigate its suspicions that its servers had been breached.

CrowdStrike researchers said they quickly determined that the servers had been infiltrated by two separate Russian hacking groups.
In response to Wednesday's leak, CrowdStrike raised the possibility that the leak was part of a Russian Intelligence disinformation campaign.

Company officials declined to comment on Thursday for this post. "There's also the fact that the hacker is publishing documents at all, which rules out lots of nation-states," the PwnAllTheThings researcher told Ars in a private message. "China, for example, would happily spy on the DNC to try and get the Trump oppo [opposition] research to support their foreign policy objectives, but they wouldn't publish the documents to influence the election."

A pretty big deal

Dave Aitel, CEO of Immunity Security, a firm that provides advanced hacking tools to security professionals, agreed with the researcher's theory. "I think his analysis is very believable when you look at what CrowdStrike is saying and when you look at what other people are not saying," Aitel told Ars. "You don't have the FBI or DHS coming out and saying: 'Hey we don't think it's Russia.' If it is Russia, a nation state, it's a pretty big deal. Otherwise the FBI would say: 'We're conducting an investigation.' But they're not saying that." Of course, it's still possible that the Russian fingerprints were left intentionally by someone who has no connection to Russia, or by a Russian-speaking person with no connection to the Russian government, or any number of other scenarios.

The abundance of plausible competing theories underscores just how hard it is to accurately attribute attacks online and how perilous it is to reach summary conclusions. Readers are once again advised to keep an open mind, and that means recognizing that Wednesday's leak by Guccifer 2.0 is merely consistent with what CrowdStrike has reported. On its own, the leak neither impeaches the veracity of the report nor does it prove it.
If the government of Russia or any other country is using hacking in an attempt to influence the outcome of a US presidential election, that's an extremely serious development.

But given the house of mirrors surrounding this entire episode, the evidence should be thoroughly investigated before anyone reaches that conclusion.

Kill Flash now. Or patch these 36 vulnerabilities. Your choice

One bug being exploited right now in the wild

Adobe has released an update for Flash that addresses three dozen CVE-listed vulnerabilities. The update includes a fix for the CVE-2016-4171 remote code execution vulnerability that is right now being exploited in the wild to install malware on victims' computers. Adobe is recommending that users running Flash for Windows, macOS, Linux, and ChromeOS update the plugin as quickly as possible, giving the update the "Priority 1" ranking, a designation reserved for flaws that are, according to Adobe, "being targeted, or which have a higher risk of being targeted." Adobe credited security researchers at Cisco Talos, Google Project Zero, FireEye, Microsoft Vulnerability Research, Tencent PC Manager, Kaspersky, Pangu Lab, and Qihoo 360 Codesafe Team with reporting the 36 flaws. For Windows, macOS and ChromeOS (as well as the Chrome browser), the updated version will be 22.0.0.192.

The latest version of Flash Player for Linux is 11.2.202.626 and Flash Player Extended Support will get version 18.0.0.360. The update comes just days after Adobe posted its June security update to address vulnerabilities in Flash as well as Cold Fusion, Creative Cloud, and Brackets. The release also comes as more software makers are opting to exclude Flash from their browsers.

Apple said Safari will be disabling Flash by default, joining the ranks of Google Chrome in opting for HTML5 content rather than Flash code, due to the large volume of security flaws present in the widespread browser plugin. Both of the Flash-less versions of Chrome and Safari are due to be released under general availability later this year. You should set your browser to run Flash content only when you specifically allow it – so-called click-to-run – to prevent drive-by exploitation of these flaws.

Supreme Court revives $2M fees dispute in copyright case over resold...

On Thursday, the Supreme Court provided nuanced guidance to lower courts in determining whether the prevailing party in a copyright lawsuit should be awarded attorney fees.

The decision by the unanimous eight-member court revives a $2 million fee dispute in one of the court's most important copyright cases in the digital era. The issue is significant because attorneys fees play a huge role in US litigation, and they are among the top considerations of whether a lawsuit would be brought or even defended. The case the justices decided Thursday (PDF) concerns the fallout from Kirtsaeng v. Wiley, the court's 2013 decision involving the rights of those who buy copyrighted works.
In that closely watched case, the justices had ruled that the first-sale doctrine allowed a US university student to buy textbooks overseas and resell them on eBay while undercutting textbook publisher John Wiley & Sons.

The publisher sued on copyright infringement allegations and lost in a case in which the justices certified the reselling rights of those who buy copyrighted works.

At the same time, the ruling put companies on notice that they don't have unlimited control of their products once they hit the stream of commerce. The attorneys for the plaintiff in the case, Supap Kirtsaeng, were denied the $2 million in attorneys fees they had sought litigating and winning the case.

The lower courts sided with John Wiley & Sons on that issue. Kirtsaeng appealed that fee issue to the justices.

The high court accepted the petition in January and ruled on the dispute Thursday. As the Supreme Court puts it, the lower courts gave "substantial weight" to the “objective reasonableness” of Wiley’s infringement claim. Writing for the court, Justice Elena Kagan summed up the lower court's rationale in denying fees in this case: In explanation of that approach, the court stated that "the imposition of a fee award against a copyright holder with an objectively reasonable"—although unsuccessful—"litigation position will generally not promote the purposes of the Copyright Act." An appeals court upheld that ruling, which the high court set aside Thursday.

The decision doesn't mean Kirtsaeng's counsel will ultimately get their fees, but it means the justices want the lower courts to change the way they consider awarding fees to prevailing parties in copyright lawsuits.

As it turned out, courts across the country were all over the map concerning fees, and the Supreme Court wants an end to that disparity. According to Kagan:

Section 505 of the Copyright Act provides that a district court “may... award a reasonable attorney’s fee to the prevailing party.” 17 U.S.C. §505. The question presented here is whether a court, in exercising that authority, should give substantial weight to the objective reasonableness of the losing party’s position. The answer, as both decisions below held, is yes—the court should. But the court must also give due consideration to all other circumstances relevant to granting fees; and it retains discretion, in light of those factors, to make an award even when the losing party advanced a reasonable claim or defense. Because we are not certain that the lower courts here understood the full scope of that discretion, we return the case for further consideration of the prevailing party’s fee application.

For Kirtsaeng, the decision means the lower courts will have to re-examine his fee request.

But Kagan was careful to note that "we do not at all intimate" that the lower courts "should reach a different conclusion than it already has." In Kirtsaeng's petition (PDF) to the justices, his lawyers maintained that winning legal fees was a crapshoot in copyright cases.

For its part, John Wiley & Sons maintained (PDF) that it should not have to pay fees, because it claimed it brought a reasonable lawsuit over a complex issue.
In its view, a ruling against the textbook publisher could discourage the filing of legitimate copyright cases.

FamilyTime Premium (for Android)

There's a certain mindset implied by the features offered by traditional parental control applications.

The kids might accidentally or deliberately visit inappropriate websites, so we'll block access to those.

They might get on the Internet for too long, or at the wrong time, so we'll set limits.

But in the background, there's the idea that the kids will be using a PC.

Tokyo-based FamilyTime recognizes that many modern kids stick strictly to mobile devices, and FamilyTime Premium (for Android) focuses on monitoring and protecting the modern mobile kid.
It's got a lot of potential, but there's definitely some work to do. FamilyTime pricing plans are based on the number of devices covered.

A one-device license goes for $27 per year, while $35 per year gets you a two-device license. Or you could go all out and spend $69 per year for a five-device license. You can apply your licenses either to the Android edition, reviewed here, or to FamilyTime Premium (for iPhone). Note that the feature set is very different on the two platforms.
If you're planning to use FamilyTime on iOS devices too, be sure to read that review. Compared with some of its competitors, this product is a bit pricey. Qustodio Parental Control has a similar five-device limit, but its yearly subscription is just $44.95.

For $89.99 per year, ContentWatch Net Nanny 7 lets you define up to 10 child profiles and protect an unlimited number of PC, Mac, iOS, and Android devices.

And a $49.99 subscription to Norton Family Parental Control (for Android) doesn't impose any limits at all. Note, too, that FamilyTime assumes each child has exactly one device. Most of the competing products let you define a child profile and associate it with multiple devices.

Getting Started With FamilyTime

You can install the FamilyTime Dashboard parental app on any number of Android or iOS devices.

For this review, I naturally used the Android version, installed on a Nexus 9. You can also log in to the dashboard from any browser; the experience is almost exactly the same regardless of the platform. Mobicip (for Android) also has an app for parents. With ESET Parental Control (for Android) and Norton, the same app serves parent and child, depending on who logs in. When you launch the app, you're prompted to sign in or sign up.

After you sign up, you get a verification code in your email.

Enter that and you're good to go. Well, almost. Keep your eye out for a second email that includes your temporary password. You'll probably want to change that right away. Next, you'll add a profile for each child you want to monitor, up to the number of licenses you purchased. You enter the child's name, date of birth, relationship (son or daughter), and time zone.

That's it; there's no other configuration at this time. The parental app links to some very clear instructions for installing the child app on your child's devices and connecting them to your account.

For an Android device, you download and install the APK file directly from FamilyTime.
I installed it on a Samsung Galaxy Tab 3 for testing. If you maintain good security practices, you'll find that you can't install the app at first, because it comes from an unknown source.

FamilyTime offers an easy link to change that setting. Naturally you'll want to change it back after installation. Like most Android parental control apps, FamilyTime requires Device Administrator permission for some of its features.
If the child disables this setting, the product won't be fully functional, but that's par for the course. To make the final connection between the child app and your account, you go back to the parental dashboard and find the activation code for the child profile.

Enter that in the child app and you're good to go.

Child Dashboard

As noted, FamilyTime focuses on safety issues for the modern child.

The two big features found in the child app are Pick Me and SOS.
In the iOS version, Pick Me is called PickMeUp. Did you forget to pick up little Sally after Tae Kwon Do practice? She can remind you easily with a simple tap to the Pick Me button. You receive an alert in the parental dashboard, including the child's location. You can tap one of two buttons, OK, Coming or Sorry, I Can't.

The notification itself doesn't include the precise location, but when you open it in the parental app you can see it on a map. Tapping SOS likewise sends the parent a notification. On the child's device, the app advises staying calm and staying put.

The only response here is "Got it, on my way!" This is similar to Qustodio's panic button feature, which emails a notification to as many as four trusted contacts. There's one more option, Family Talk, but it's not ready yet.

And the child probably won't have much interest in viewing profile information.

That's it for the child app.

Places and Geofencing

In the old-school parental control mode, the child's location went without saying—sitting in front of the family computer.

FamilyTime uses Wi-Fi geolocation and GPS to keep close track of just where your child goes.

Familoop also offers geofencing, Norton and Qustodio track location without geofencing, and Net Nanny and Mobicip eschew location-tracking entirely. If you wish, you can define any number of geofences, and get notification when the child enters or leaves one of these areas.

Familoop lets you define a place for geofencing by tapping in the center of the area and dragging until the circle is big enough.

FamilyTime's way is a bit different. Rather than tapping to define the center, you move the map until the stationary pointer is in the right place.

And rather than freely defining the circle size, you choose 150M, 300M, 500M, or 1KM.

But the end result is much the same.
Interestingly, the iOS version does let you tap to define the center of a geofenced area. When the child crosses into or out of one of your defined places, you get a notification. You can also just check the location history from time to time.

Do note that notifications only occur at the moment your child crosses a boundary.
If the child's device is Wi-Fi only, you won't necessarily get a notification.

Familoop doesn't have this limitation; in testing, logging in from a Wi-Fi connection within a geofenced zone did trigger a Familoop notification.

Time Restrictions

When I tapped Access Control, I didn't immediately know what to do.
It asked me to set a device passcode, with an unusual set of controls.
Sure, the expected numeric keypad was present, but it also showed a second group of controls with six punctuation marks, Pause, Wait, and an oversized capital N.

Tech support explained that these additional buttons aren't really supposed to be there, and that they only show up on the large screen of a tablet.
I hope the company fixes this quickly. I entered a simple passcode just so I could get past that screen. Here I learned that access control really means control of time periods during which the child gets no Internet access.

By default it includes Bedtime, Dinner time, and Homework. You can adjust the start and end times for these, define which days of the week they're active, and optionally add your own no-Internet times. Note that the iOS edition doesn't have these time scheduling features, though they're planned for a future edition. On a more ad hoc basis, you can go back to the parental app's main page and simply click Lock Phone for any profile associated with an Android device.

FamilyTime's lockscreen takes over, advising the child to do something else for a while.
SOS and Pick Me Up are still available, never fear.

But unlocking the device requires that passcode that you defined, not the child's regular one. You can also unlock the phone remotely through the dashboard.

Circle With Disney has a similar feature, the option to pause the Internet for one child, or for the whole household.

App Blocker

Like Norton, Qustodio, and most competing products, FamilyTime can block the use of apps you consider inappropriate. However, using this feature is pretty awkward. To get started, you tap App Blocker in settings, then click the + button to add blocked apps.

This brings up a ridiculously long list of apps, way more than I could believe were installed on the Galaxy Tab.

A handful are listed as Important, things like the Play Store, Phone, and Chrome.
Settings and Bluetooth are identified as System, suggesting you shouldn't mess around. All the rest of the apps appear in a super-long list.
It's not in alpha order, and there's no way to search for a specific app.
Scrolling carefully, I counted more than 200 apps in the list. Worse, in testing the list repeatedly became unresponsive, triggering a warning message from Android. My contact said the company is aware of the problem and is working on a database of apps that shouldn't show up in this list. When I did manage to add some blacklisted apps, the feature worked as promised.
It notified the child that house rules don't permit use of the app, and it sent a notification to the parental app.

Contact Watchlist

Some parental control systems take detailed control over your children's communications. Norton Family Parental Control (for Android), for example, can block some contacts, allow others, and monitor unknowns.

Alas, Norton's iOS edition lacks that feature. FamilyTime doesn't attempt to block contacts, or to capture conversations.

The contact list is a watchlist, not a blacklist.
If your child does call or text a contact on the watchlist, you should receive a notification.

Email contact isn't tracked, so I couldn't see this feature in action on my Android tablet.

FamilyTime's iOS edition doesn't log calls, but it captures the child's entire Contacts list.

Log and Notifications

In the parental app, you can define rules for just how this child's activity should be tracked.

There are six tracking toggles, all enabled by default: Call History, Contacts, Location History, Bookmarks, Web History, and Installed Apps. Only Contacts and Geo Location appear in settings for a child's iOS device. Note that while FamilyTime tracks Web activity, at present it does not make any attempt to filter undesirable sites.

The company does plan to add content filtering. You definitely don't want to disable notifications for the SOS and Pick Me Up notifications mentioned above.

But you can choose whether or not you want three other types of notification.

FamilyTime tracks your child's location history, so you might not necessarily want geofencing notifications. You can also choose whether or not to receive notification when the child tries to launch a blacklisted app, or calls a watchlisted contact.

Limited Reports

Tapping Reports on a child's profile gets you a somewhat confusing welter of choices.
Initially, it just shows the history of where your child has been. Places History is a separate list of geofencing events, times when your child entered or left a defined geofence area. To get at the other reports, you tap the hamburger menu at top left.
In addition to Places History and Location History, you can view Call History and Web History.

All of the Android devices I have for testing are tablets, not phones, so I couldn't see call history.

And, strangely, the Web History page only showed pages visited last November. Other items on the menu aren't precisely reports. Rather, they duplicate choices from Settings.

Tapping Contacts gets you the same list you'd see if you were aiming to edit the contact watchlist, and you can edit it here too. Looking closely, you can see that watched contacts have a blue icon, unwatched contacts, a grey one.

Tapping the icon changes its status. In the same fashion, the Installed Apps item under Reports displays the same interminable list of apps, each with an open padlock icon if it's allowed, locked padlock if it's locked. Here, too, you tap the icon to toggle its state.
I don't see any point in these duplicate user interface elements.

A Different Approach

I've had parents tell me, "Why should I filter Internet content? My kids watch Game of Thrones, for Pete's sake!" It's a valid point.
In the mobile era, parental monitoring includes keeping track of where kids are more than what they're viewing, and responding to calls for help, not notifications that Billy's looking at naughty pictures again.

FamilyTime Premium (for Android) clearly supports this new approach. Note that content filtering is in the works for the iPhone edition, awaiting review by Apple. FamilyTime is also quite visibly a work in progress.
If you page through the list of features, you'll find quite a few that are marked as coming soon.

And in testing, I found that a number of features didn't work quite right. When FamilyTime has had a chance to work out the kinks and add those not-yet-present features, it could be pretty impressive.

For now, though, Norton Family Parental Control remains our Editors' Choice for Android parental control.


FamilyTime Premium (for iPhone)

In order to do its job, a parental control utility needs to have low-level access to network and operating system functions.

Apple's tight control over what iOS apps can do makes life tough for parental control vendors.

FamilyTime Premium (for iPhone)...

Zylpha’s Latest Bundling System Adds Easy Integration With SharePoint & E-Discovery...

Press Release Zylpha (www.zylpha.com), the UK’s leading legal technology innovator has announced the latest version of its bundling technology, which reduces the time taken to create document bundles from hours to minutes. Pride of place amongst a host of new features included is a new SharePoint integration.

This has been designed specifically to recognise and work with the different ways that SharePoint can be set up between legal practices. This latest version also now includes extensive import and export functionality for Microsoft Excel.

This is especially useful where users seek to combine Zylpha bundles with eDiscovery platforms. A range of enhanced data accessibility options has also been incorporated.

This includes icon based file management that enables users to identify file issues easily, including password protection or outstanding file requirements that need attention. Commenting on the new version Nigel Spicer, Zylpha’s Head of Development noted, “To a great degree our development is driven by our success across an ever broader range of bundling requirements.
In this case, we have recognized and met the demand from SharePoint and E-Discovery users.

This user-led evolution of features and functionality works extremely well, as it continuously expands the appeal of our software to a greater variety of organisations. We are confident, therefore, that this latest version will be greeted with exceptionally strong demand both from traditional practice sectors and key in-house operations such as local authority legal services teams.”

Ends

About Zylpha (www.zylpha.com)

Headquartered in Southampton, Zylpha is an innovative specialist offering tools for the legal profession including: secure electronic document production and delivery; court bundling; integration with the MOJ Portal; and links to agencies for AML and identity verification. The company, which was founded by Tim Long, its CEO, has won widespread acclaim in both the legal and local government sectors for its systems that transform secure communications for court and case management bundles.

For more information, please contact:

Tim Long, Zylpha Ltd. T: 01962 658881 M: 07917 301496 t.long@zylpha.com www.zylpha.com

Or Leigh Richards, The Right Image. T: 0844 / 561 7586 M: 07758 372527 leigh.richards@therightimage.co.uk www.therightimage.co.uk

Pentagon Bug Bounty Contest Uncovers at Least 100 Vulnerabilities

More than 1,400 hackers signed up to hammer at the U.S. Department of Defense's computer systems in search of security flaws during a 24-day pilot program.

The U.S. Department of Defense finally revealed how its systems fared in a $150,000 bug-finding contest, where vetted hackers were given rewards for finding significant vulnerabilities. On June 10, Defense Secretary Ash Carter told attendees at the Defense One Tech Summit that more than 1,400 security specialists applied to take part in the "Hack the Pentagon" program. Hackers that passed background checks and then participated in the contest found more than 100 security flaws, he said.

"It's again exceeded all of our expectations," Carter said in the published text of his speech. "They're helping us to be more secure at a fraction of the cost, and in a way that enlists the brilliance of the white hatters" rather than waiting to learn the lessons of the black hatters, Carter said in his published comments.

The 24-day Hack the Pentagon program, managed by bug-bounty program management firm HackerOne, ended on May 12, according to the Department of Defense. The U.S. military agency set aside $150,000 for the program, including bounties, which HackerOne was scheduled to pay out by June 10. The Pentagon quickly added more researchers to its program. Less than halfway into the program, 500 researchers had signed up—a number that quickly grew to 1,400, a spokesperson for HackerOne said. The company declined to specify how much prize money had been paid out in the contest. HackerOne declined to immediately provide more information on the severity and types of vulnerabilities, but promised to deliver more details later this week. The company did say that the Department of Defense's openness about the effort contributed greatly to its popularity.

"The Pentagon was incredibly transparent by publicly announcing this pilot program," Marten Mickos, CEO of HackerOne, said in an e-mail interview. "Most pilots happen behind closed doors when they first launch. This transparency directly contributed to their success. They were able to recruit more hackers and therefore found more vulnerabilities."

HackerOne did not reveal the average number of bugs typically found during such a program, but Mickos' comments—and those of Secretary Carter—suggested that the hackers did well in discovering 100 security issues.

While the Pentagon made its bug bounty program public, most companies and organizations continue to keep their programs private. Nearly 63 percent of the programs managed by bug-bounty management firm Bugcrowd have involved private contracts, according to the company's State of the Bug Bounty 2016 report.

While bug bounties started out small—the average payout in 2014 was $201—they have risen quickly, increasing to $295 in 2015 and to $506 in the first quarter of 2016. A survey of customers conducted as part of the report found that the primary reasons that companies use bug-bounty programs are to benefit from the diversity of creative testing methods, to only pay for positive results and to tap into a large volume of testers.

The Department of Defense has argued that such programs are a way to make good on the Cyber National Action Plan, a strategy document announced Feb. 9. The document mandates that the government prioritize immediate actions that improve the nation’s network defenses.

Cybereason Aims to Block Ransomware Attacks

Cybereason is playing a new role in attack prevention by expanding upon its detection and analysis technology to block ransomware attacks.

Security vendor Cybereason is expanding its detection and analysis technology with an update that enables organizations to block threats.

Cybereason has enhanced its ability to find, analyze and block ransomware attacks, which have been growing this year. Cybereason has raised $90.5 million to date, including a $59 million Series C funding round in October 2015, to help develop its technology and build its market share.

"So far, Cybereason has been focused very strongly on detection and response, the ability to find hackers, whether they are using malware or not," Yonatan Striem Amit, CTO of Cybereason, told eWEEK. "With today's release, we are entering the prevention space, so not only can we detect known and unknown threats, we can also proactively block them."

Blocking attacks can take different technology approaches in an organization, with many making use of network-based technologies such as intrusion-prevention systems or firewall policies, but that's not what Cybereason is doing.

According to Amit, Cybereason's blocking technology stops threats at the endpoint level. "We use our own endpoint technology to block malicious execution on devices, without relying on any type of third-party network technology," Amit said. "Having the blocking technology on the endpoint is critical to actually understand what is happening." The endpoint technology is what Amit referred to as a "silent sensor," that is, a small-footprint piece of software.

In Amit's view, the endpoint is the source of truth in an organization for having the right context on what malware is attempting to do. Relying on an endpoint agent, however, also means there may be unmanaged devices on a network that do not have the agent installed.

Amit doesn't see that as a problem for Cybereason. He noted that, for example, if a piece of ransomware infects an unmanaged device, the ransomware will often attempt to expand and encrypt a network share, or another device on the network.

Cybereason has the ability to detect what goes on in an environment and to observe the behavioral aspects of software that is running, Amit said. When it comes to detecting and blocking ransomware, Amit emphasized that a signature-based approach will not suffice, as threats are always evolving. While there are known indicators of compromise (IOCs) for ransomware, there are also behavioral aspects that Cybereason tracks.

The company tracks approximately 25 ransomware families, and each has different signatures and actions that are easily modified by attackers and change regularly. While Cybereason also sees exploit kit-based attacks against its customers, basic macro malware as well as phishing attacks are also common, though zero-day vulnerabilities can also be a risk, Amit said.

With its new update, Cybereason is also expanding its sensor technology to Linux servers.

Amit explained that his company started with Windows and Apple Mac systems for the sensors, but has seen an increasing need to deploy on Linux as well.

The new Linux sensor is initially being targeted at Red Hat Enterprise Linux, with support for Debian Linux-based systems set to come in the near future.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.


Facebook 'Spam King' Gets 2.5 Years

Sanford Wallace compromised 500K Facebook accounts and sent more than 27 million spam messages. The Las Vegas man who admitted to sending tens of millions of spam messages on Facebook was sentenced yesterday to 30 months in prison, the Department of ...

Admins in outcry as Microsoft fix borks Group Policy

After Patch Tuesday comes Facepalm Wednesday

Microsoft's most recent security update is causing problems with Windows Group Policy settings. Users on Reddit and Microsoft support forums are reporting that after the MS16-072 update was installed, changes were made in Group Policy object (GPO) settings that left previously hidden drives and devices accessible. "I installed Windows patches last night and this morning found out that there were a number of issues with my GPOs," writes one admin. "Example: desktop image would not show up; A, B, C and D drives that were meant to be hidden from users are now showing up." Other users report printers and drive maps becoming inaccessible and security group settings no longer applying. The users report that uninstalling the MS16-072 update from PCs and servers remedies the problem, though at the expense of leaving the underlying security vulnerability open.

Admins can also opt not to deploy the update through WSUS controls. The CVE-2016-3223 flaw, described in MS16-072, allows an attacker with local network access to set up a man-in-the-middle attack to read data being passed between the target machine and the domain controller. Microsoft has rated the bulletin as an "important" priority for all supported versions of Windows. The bulletin was one of 16 posted by Microsoft yesterday as part of its monthly update schedule. MS16-072 was one of 11 bulletins rated "important," behind five "critical" bulletins. El Reg has asked Microsoft for comment on the matter but has yet to hear back from Redmond at the time of publication.