Sunday, November 19, 2017

Tag: technology

Law enforcement finds and charges a 28-year-old man in connection with the 2014 hack of celebrity Apple iCloud accounts.

The U.S. Department of Justice has issued charges against another individual in the September 2014 hack of Apple iCloud and Google Gmail accounts owned by Hollywood celebrities. In a statement issued July 1, the DOJ named 28-year-old Edward Majerczyk as one of the hackers involved in the so-called "Celebgate" breach, gaining unauthorized access to more than 300 Apple iCloud and Gmail accounts. The DOJ stated that Majerczyk signed a plea agreement, issuing a guilty plea on the charge of a felony violation of the Computer Fraud and Abuse Act (CFAA) on one count of unauthorized access to a protected computer to obtain information.

According to the plea agreement, Majerczyk executed a phishing campaign to trick users into giving up their usernames and passwords from Nov. 23, 2013, until August 2014. Once Majerczyk obtained the usernames and passwords, he was able to gain access to private pictures and videos located in the victims' accounts.

News of the Celebgate hacks first publicly emerged in September 2014. "Hacking of online accounts to steal personal information is not merely an intrusion of an individual's privacy but is a serious violation of federal law," United States Attorney Eileen M. Decker said in a statement.

Majerczyk isn't the first individual to be charged in connection with the Celebgate hacks. In March, the DOJ announced that it had charged 36-year-old Ryan Collins for his actions in the Celebgate hack. The DOJ claimed that Collins had gained access to at least 50 iCloud and Gmail accounts. In contrast, Majerczyk was able to gain access to more than 300 Apple iCloud and Gmail accounts.

Security experts contacted by eWEEK were not surprised that an additional hacker has been found and charged in connection with the Celebgate hack. "During digital investigations it's really common to find more than one actor on breached systems," Marcus Carey, CTO and founder of vThreat, told eWEEK.

It's possible that even more people could be involved in Celebgate. Carey said it is common for people to share details of how they were able to hack things. He said he wouldn't be surprised if multiple people posted details on Internet forums or discovered the hack independently.

There is also the possibility that the Celebgate attack was an organized effort by a group of people. "We often observe cyber-criminals working in groups, so it is absolutely foreseeable that there could be more individuals involved in this crime," Rob Sadowski, director of Technology Solutions at RSA, the security division of EMC, told eWEEK.

While the Celebgate hack didn't involve an application code vulnerability, the attackers were able to exploit a number of human and technical weaknesses to trick users. According to Ann Barron-DiCamillo, CTO of Strategic Cyber Ventures, user education is an important element in mitigating security risks. In Majerczyk's plea, he admits to tricking users by appearing to be an Internet service provider (ISP) asking users to log into a fake page. Barron-DiCamillo said most ISPs don't send emails requesting users to click a link to update their username/password.

"Username and passwords are too easily compromised via this method or others," Barron-DiCamillo told eWEEK. "If multifactor authentication was used, this attack would not have been successful."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
A critical vulnerability that was recently found in the low-level firmware of Lenovo ThinkPad systems also reportedly exists in products from other vendors, including HP and Gigabyte Technology. An exploit for the vulnerability was published last week ...
Hawkeye plucked

Trustwave researcher Rodel Mendrez has gained access to the inbox of the criminal behind a commercial keylogger used to attack industries including finance, cloud services, logistics, foreign trade, and government. Mendrez's reverse engineering effort found credentials buried within the Hawkeye keylogger that lead, through redirection, to the author's inbox.

Attackers behind Hawkeye were siphoning from compromised machines browser, email, and FTP credentials, and system data including installed firewalls, operating system information, and IP address data.

Mendrez found the criminals were using compromised email addresses to forward emails on to their real Gmail account, as they may have been aware of vulnerabilities in their keylogger. "To protect their own email credentials, they've hijacked a compromised email account as the initial receiver that eventually forwards emails to the attacker's own email address," Mendrez says in a description of the reverse engineering process. "Naturally, I checked out these email inboxes. They appear to be email accounts on compromised systems … emails sent [here] are rerouted automatically to the attacker's Gmail account."

Mendrez has informed the owners of the compromised email accounts that are being used to forward on pilfered data. The $35 keylogger was advertised on a now dead site, hawkeyeproducts.com.

A cached copy reveals admins promoted it as taking "operating system monitoring to the next level" by recording keystrokes and 'recovering and stealing' saved passwords in browsers that "may have been forgotten".

(Image: Hawkeye screen capture)

It sported USB and peer-to-peer spreading capabilities, plundering of modern browsers and messaging clients, and compatibility with all versions of Windows. The site even sported glowing customer 'reviews' and support from a "qualified team".

Intelligence firm iSIGHT Partners in June last year confirmed HawkEye had stolen credentials from organisations in the targeted industries, which also include foreign trade, retail, and science and technology. At the time of analysis, iSIGHT researcher Randi Eitzman said Hawkeye was focused on plundering targets in India, with Italy, the US, and Turkey taking an equal hit. A dozen other countries including Britain and Australia were also targeted. It said the malware and others like it would continue to be a threat to organisations.
Today BioConnect announces the successful deployment of its BioConnect Identity Platform and Suprema biometric hardware for access control at Netwise Hosting Ltd, a leading provider of data centre colocation in London, UK.

BioConnect provides identity solutions, with a special focus on data centre colocation customers.

BioConnect offers a unique approach which removes the need to manage point-to-point integrations as it couples Suprema biometric readers with over 20 of the leading access control system providers. Netwise Hosting’s primary focus and fundamental values are speed, security, and stability as they deliver enterprise-level hosted environments to a wide and varied customer-base, working closely with clients all around the world.

As Netwise Hosting looked to expand their offering with the development of an additional 11,000 sq. ft. data centre in London, they chose BioConnect to fulfil their security requirements and to identify a more fully-featured access control system that checked all the boxes.

They saw BioConnect as a leader, with its understanding of specific data centre colocation customers’ needs – shared spaces of sensitive data require assurance of identity throughout the facility, and to be most effective, a standardized way of deploying biometrics coupled with enterprise-level support is needed. “BioConnect really set themselves apart from the competition when it comes to support; they have a small team of highly experienced individuals who know the product and the associated software inside out,” says Matthew Butt, Netwise Hosting Ltd., Managing Director. “We really cannot recommend this aspect of their offering highly enough!” Netwise compared their previous vendor installations and decided on the following requirements: they needed a solution that would allow them to incorporate a clearer view of identity with a multi-authentication biometric solution that would seamlessly integrate into Paxton Net2.

The main driver, in addition to finding the correct physical product, was to avoid having duplicate systems and information for access control. Suprema biometric devices provided and supported by the BioConnect team now cover all high-security ingress and egress locations throughout the data centre facility.

These readers provide the highest level of identity authenticity and provide flexibility in indoor/outdoor placement and multifactor authentication with card and fingerprint support.

The BioConnect Identity Platform incorporates an advanced plugin architecture to connect directly into Netwise Hosting’s preferred access control software, Paxton Net2.

Therefore, in addition to finding the correct physical product, Netwise was able to avoid having duplicate systems and information for access control between their biometric and non-biometric devices running on Paxton Net2. The addition of the BioConnect Identity Platform meant that Netwise didn’t have to make a tradeoff between software and hardware that would meet their needs – they now have their preferred access control system and multi-authentication biometrics in one single interface for the creation, removal and administration of all users and access zones. “We chose BioConnect for several reasons, primarily the ability to integrate their system seamlessly with Paxton Net2, but closely followed up by their feature set and quality of the readers themselves,” said Matthew Butt, Managing Director. “The almost immediate availability of the product – coupled with their excellent support – meant they really did stand out from the competition.”

To read the full case study on this deployment, visit www.bioconnect.com/case-studies

Visit BioConnect and Suprema June 21-23 during this month’s IFSEC conference at ExCel London, UK in Stand E1400.

About BioConnect

BioConnect is on a Quest – for Rightful Identity. Why? To empower people to use their unique biometric credentials (their Rightful Identity) in their everyday lives – delivering greater security, assurance and convenience along the way.

BioConnect revolutionized the physical access control market with its industry-first identity platform that enables the integration of biometric technology with the industry’s leading access control solutions.

And as a representative of the world leader in biometrics and security, Suprema, BioConnect provides and supports the implementation of the top-rated biometric hardware devices (finger, face, card and PIN) and IP access control solutions in select markets. Learn more at http://www.bioconnect.com/.

About Netwise Hosting Ltd.

The Netwise Hosting team take great pride in their ability to offer truly high-end services, without the excessive and restrictive barriers that regularly force businesses out to countryside data centres - many miles from the nearest major business and trading hubs.

Access to London data centre space is no longer reserved for firms with enormous IT budgets.
SMEs can at last rub shoulders with much larger businesses, deploying their online services from a facility they can really boast about - all managed by a company with core values in line with their own.

For more information, visit http://www.netwisehosting.co.uk/.
Secure Cloudlink eliminates the need for passwords, safeguarding organisations from cyber attack, security breaches, support costs and software license abuse

A new, patented cloud services brokerage (CSB) solution providing secure identity management and cloud services distribution has been launched, designed specifically to eliminate the need for passwords. The solution from British cloud security software company Secure Cloudlink Ltd – Secure Cloudlink – supports three-factor, SSO (single sign-on) and biometric user authentication but, unlike other solutions in the market, does not store, send or replicate any user credentials outside of an organisation’s directory service. Secure Cloudlink acts as a secure, centralised user authentication application that manages all users’ access rights to all authorised applications without the need to create and manage internal domains.

Brian Keats, CEO, Secure Cloudlink Ltd, stated: “Passwords are quickly evolving into an untenable means of authentication because of their fundamental security vulnerabilities.

That evolution is being accelerated by the dramatic shift to mobile computing and the ever-rising tide of data breaches. We identified the need for a fundamentally new way of anonymous authentication bypassing the vulnerabilities that exist because of the inherent properties of passwords being human-accessible shared secrets.” “It’s impossible to use the same password everywhere because different sites insist on different password formats.

Even if it were possible, it wouldn’t be sensible.
So we tend to use many different passwords and then forget which password to use for what, so resort to using similar passwords and never changing them, or to writing them down.

Either way, security is compromised.” According to Gartner in its report ‘Design IT Self Service for the Business Consumer’ “password resets account for as much as 40 per cent of IT service desk contact value.”[1] Designed from the ground up with security in mind Secure Cloudlink’s Cloud Services Brokerage platform overcomes identity security issues associated with passwords by the inclusion of a unique and patented token passing technology.

This advanced authentication method requires no user credentials to be stored separately or outside of the directory service, dramatically reducing the risk of a cyber breach and the costs associated with password reminders. “This usability problem has got worse in recent years through the ubiquity of smaller keyboards such as those on mobile devices, more complex requirements for “password strength” at many sites, and the introduction of one-time-passcodes as a second factor “secret” that forces the users to type not one, but two passcodes every time they authenticate,” continued Brian. “Although some organisations are investing in technology to automate password resets to reduce the number of calls, user credentials still persist, exposing the organisation to the threat of cyber attack.

At SCL our approach is to eliminate the passwords and streamline the granting of access to applications, IT resources and on-line services.” Secure Cloudlink is the only platform that anonymises user identities over the web for secure access to cloud services.
Its unique technology never requires access or stores user security credentials when connecting internal users, customers and suppliers to web-based applications. The use of Federated Security authentication, also means that network users can enjoy seamless and secure access to multiple cloud services without even appearing to have left the corporate network. With a secure single-sign-on Secure Cloudlink reduces IT service desk time managing multiple passwords by deploying users with a single, secure access point for access to their applications via their desktop, tablet or mobile. Users can be provisioned access both at single and group level, and with a bulk upload facility.

Furthermore, Secure Cloudlink provides an environment that allows centralised management access to employees, contractors, suppliers and customers without creating new domains and user accounts in an existing directory. The company has already sold the Secure Cloudlink solution to a number of customers across a diverse range of markets including government, SaaS providers, and financial institutions.
It is a highly applicable solution for any organisation looking to provide simple, secure yet password-free user access to cloud and on-premise applications and services.

[1] Gartner, Design IT Self Service for the Business Consumer, February 19, 2014, Gartner Foundational July 6, 2015

-ENDS-

NOTES TO EDITORS

About Secure Cloudlink

Secure Cloudlink – no passwords

Secure Cloudlink is a patented cloud services brokerage (CSB) solution providing both secure identity management and cloud services distribution which uniquely eliminates the use of passwords. Unlike other user authentication solutions, Secure Cloudlink does not store, transmit or replicate user credentials ‘behind the scenes’, removing the security risks, frustrations, system and cost overheads associated with issuing and maintaining passwords. Including biometric user interfaces, multi-factor authentication and single sign-on (SSO) capabilities, Secure Cloudlink is a highly cost-competitive, secure, and centrally managed access solution to on-premise and SaaS applications including financial services, Microsoft Office 365 and Mimecast. For further information please go to http://www.securecloudlink.com/

Contacts
Rob Gaskin
Secure Cloudlink Ltd
T: +44 (0)1372 888 660
E: rob.gaskin@securecloudlink.com

Beau Bass/Nick Bird (media enquiries)
Spreckley
Tel: 0044 (0)207 388 9988
Email: securecloudlink@spreckley.co.uk
Commissioned by Nok Nok Labs, the White Paper evaluates key privacy implications of processing biometric data, comparing the benefits and risks of on-device and on-server matching for biometric authentication

London, UK – May 12, 2016 – Nok Nok Labs, an innovator in modern authentication and a founding member of the FIDO (Fast IDentity Online) Alliance, today published a White Paper from PwC Legal comparing key privacy implications of on-device and on-server matching of biometric data.

(Image: Phillip Dunkelberger, President & CEO of Nok Nok Labs)

For organisations considering biometrics as they move away from reliance on usernames and passwords, the report highlights why device-side matching of biometric data is a compelling approach to satisfy key privacy requirements on cross-border personal data transfers, as well as providing the benefits of individual choice and control around such personal data. Biometric data is considered to be sensitive personal data and some jurisdictions have already specifically referenced it in privacy guidance and legislation.

This paper emphasises key privacy considerations, sets out the implications of processing biometric data in the EU, Switzerland, Canada, USA and the Asia-Pacific region, and touches on best practice recommendations in these jurisdictions. “Biometric authentication and verification can be one of the most secure ways to control access to restricted systems and information,” said Stewart Room, partner at PwC Legal. “Unlike authentication based on traditional passwords, authentication through biometric data is easier to use in practice, and can be far more secure. “However, this is a double-edged sword, because biometric data is extremely sensitive due to its uniqueness and how intrinsic it is to a specific individual.

Additional efforts must be made to keep this data secure including choosing a proper compliance system and infrastructure, training staff how to handle it and protecting it from unauthorised access or disclosure.”

Other key findings in the White Paper include:

- Freely given, informed user consent is required before processing biometric data in almost every jurisdiction covered in the White Paper
- With centralised storage of biometric data, the potential for large-scale loss of data is significantly increased
- On-device authentication will generally avoid international cross-border biometric data transfer implications. Conversely, on-server authentication for a global network of biometric users results in international transfers of data; transfer of personal data, including biometric data, out of a jurisdiction is generally restricted

“Biometrics are a compelling way to improve mobile application usability and avoid the security pitfalls of username/passwords, but significant privacy concerns come into play,” said Phillip Dunkelberger, President & CEO of Nok Nok Labs. “With biometrics, it is crucial to understand the difference between on-device and on-server matching, as the difference between the two approaches significantly affects the risk and exposure of data in a breach.

The on-device approach, as used by Nok Nok Labs technology, ensures optimal privacy for biometric information.” The full report can be found here: https://go.noknok.com/PwCLegal-Biometric-WP.html.

About PwC Legal

At PwC Legal we combine legal advice with the expertise of professionals in Tax, Accounting and HRS to provide our clients with commercial solutions to the most complex business issues. We're a network of 2,500 legal experts in over 85 countries committed to delivering an exceptional service to clients and experience for our people.

The white paper has been prepared by PwC Legal LLP upon request by Nok Nok Labs, Inc, and does not constitute legal advice.

About Nok Nok Labs

Nok Nok Labs provides organisations with the ability to bring a unified approach to deploy easy to use and secure authentication infrastructure to their mobile and web applications, using standards-based solutions that include support for FIDO and other specifications.

The Nok Nok S3 Authentication Suite enables organisations to accelerate revenues, reduce fraud, and strengthen security and privacy. Nok Nok Labs is a founding member of the FIDO Alliance with industry leading customers and partners that include NTT DOCOMO, PayPal, Alipay, Samsung and Lenovo.

For more information, visit www.noknok.com. Nok Nok Labs, Nok Nok and NNL are all trademarks of Nok Nok Labs, Inc.

FIDO is a trademark of the Fast IDentity Online (FIDO) Alliance.
Media contacts for Nok Nok Labs
Lindsey Challis or Gemma White
Nok Nok Labs team at Finn Partners
+44 020 3217 7060
NNL@finnpartners.com

Tom Rice
Nok Nok Labs team at Merritt Group
+1 703-856-2218
NNLPR@merrittgrp.com
- Reducing operating costs through accurate sizing at point of sale -

eCommerce experts and service provider Tryzens has entered into an exclusive partnership with personalised size guide provider What’sMySize.

The move means Tryzens will be responsible for managing and supporting the product and systems behind What’sMySize’s innovative solution.

Tryzens will offer the sizing guide solution to the market at large and more specifically for their eCommerce customers, as a built-in extra to their Acceleration Service for Demandware, Hybris and Magento platforms. Shoppers use the What’sMySize function located on the product pages of a retailer’s website, to input their measurements.

Thereafter, they are provided with the right clothing and/or shoe sizes for that retailer. With a variance of 1-2 inches between clothing brands, consumers are often surprised by discrepancies in sizing. Whilst they may be a size 10 with one retailer, they could be an 8 or a 12 with another, theoretically similar brand. What’sMySize helps online consumers significantly reduce their need to order multiple sizes and return products by ensuring the right size is purchased every time.

This in turn, has beneficial implications for retailers looking to reduce their operational costs. “With a return rate for online retail fashion and apparel purchases ranging between 20% to 50%, retailers are losing money when they don’t need to” says Kavita Kapoor, CEO, What’sMySize. “There’s unnecessary expense in the end to end experience from direct delivery costs through to stock management and wastage. Just by checking your measurements on Whatsmysize.com a consumer can see that their recommended clothing size can vary significantly between brands.
In partnering with Tryzens we are able to enhance the online experience; building consumer confidence that they’re buying the right size, which in turn increases loyalty and trust in a Brand.” Tryzens is supporting the What’sMySize product roadmap for new and existing clients, by including the sizing function as an additional extra to their popular Acceleration Service.

This will allow Tryzens to provide their clients with the tools to reduce their returns from the outset. What’sMySize’s easy to use integration function allows each retailer to install the What’sMySize service directly onto their website. “What’sMySize is a really innovative platform for the eCommerce retail fashion/apparel market and we are proud to be in an exclusive partnership with this great team,” says Andy Burton, CEO, Tryzens. “We passionately believe in delivering business outcomes for our clients and not just being a traditional SI.

As such, it is important that everything we do either helps our clients reduce operating costs or increase their sales, and ideally both! With the financial, operational and customer experience ‘costs’ associated with a high rate of return, there is plenty of opportunity to help our clients set the benchmark for Generation Consumer’s customer experience, and this partnership will directly address a key industry and consumer issue. We can now integrate this service into our existing eCommerce portfolio and assist our customers in achieving a direct improvement in their operating costs and margins.” What’sMySize has already been proven to decrease retailer return rates.

During a recent study of a UK high street retailer, returns were reduced by 25% over a period of 70 days when the What’sMySize technology was implemented.

NOTES TO EDITORS

About Tryzens

Since 2004, Tryzens has been trusted by retail’s biggest names as an independent expert to plan, implement and maintain eCommerce systems and to optimise retail performance through systems & services. Tryzens enables its clients to leverage efficient, effective and reliable retail solutions that carry the promise of a positive and unified experience that in turn delights their customers, builds loyalty and drives growth. From concept to outcome, Tryzens offers a range of services to support our clients throughout their multi-channel development, whether starting in-store or online.

www.tryzens.com

About What’sMySize

What’sMySize is a fitting room in your sitting room.

Translating your measurements into the correct clothing size for all your favourite brands. No more confusing multi brand size charts, just a single What’sMySize profile that works across multiple retailers. We pride ourselves on being the easiest sizing solution for retailers to implement and with our proven success at reducing size related return rates we delight retailers and consumers alike. What’sMySize was created by ex Figleaves.com technologists as a side project.

The clever tech they crafted won the prestigious Innovate UK Award (previously known as the Digital Britain Technology Strategy Board). What’sMySize has been actively resizing Britain since 2013, when it was officially incorporated. Led by co-founders Kavita Kapoor and Tammy Learn, the technology continues to work with fashion labels from around the world to take the mystery out of online sizing.

Editorial contacts
Nick Ringrow / Paul Moore
Spreckley Partners
T: 020 7388 9988
E: ringrow@spreckley.co.uk
Stick a memory card in Sugarlock and all your videos appear organized by date. The user interface on the TV is clean and simple, and you navigate using your phone as a remote (via an app). Video previews play when you select a clip, and a simple tap...
Making sense of the wealth of information sources in an enterprise can be challenging. BigPanda offers a SaaS model for helping enterprises understand IT incidents.

Startup BigPanda emerged from stealth mode on Oct. 28, complete with funding and a cloud-based software-as-a-service (SaaS) model for helping enterprises understand IT incidents. BigPanda has raised $7 million in a Series A round of funding, which included the participation of Mayfield and Sequoia Capital. Including seed funding, the company has raised a total of $8.5 million to date.

The basic promise behind BigPanda is to help organizations with the deluge of incident logs and data that is generated in a modern enterprise, so that the information can be correlated and understood to help fix problems and improve efficiency. The idea of collecting events and logs and trying to make sense of them is sometimes the domain of security information and event management (SIEM) software, but that's not quite what BigPanda is aiming to deliver.

Assaf Resnick, CEO of BigPanda, told eWEEK that a SIEM is somewhat parallel to what his company does. "We help IT teams make sense of the large volume of IT events that are happening across their production environment," Resnick said. "It's similar to what SIEM providers enable for security events, but we are focused on another market, IT incident management."

That said, BigPanda can also consume security alerts from a wide range of security monitoring tools, Resnick said. That enables IT teams to see security events and issues alongside performance issues that are occurring throughout their production environments.

Part of BigPanda's feature set is a clustering capability that enables users to map out all the different relationships between their enterprise systems. "We aggregate and normalize alerts from leading monitoring systems, such as New Relic, Nagios and Splunk, as well as home-built monitoring solutions," Resnick said. Then, by leveraging clustering and machine learning algorithms that BigPanda has developed, the technology is able to map out the topological and statistical relationships between alerts to determine relationships and commonality.

Going a step further, understanding alerts is important, but so is the ability to act on alerts. To that end, there is an integration in BigPanda with deployment and configuration management systems, including support for Chef, Puppet, Ansible, Jenkins and Capistrano. The system is also extensible via BigPanda's API. "We also connect to ITSM [IT service management] and ticketing tools such as ServiceNow, Remedy, JIRA and Zendesk," Resnick said.

The BigPanda technology includes some open-source elements around the front-end infrastructure, though Resnick commented that the core of the offering, including everything the company does around automation and data science, is entirely proprietary. From a deployment perspective, BigPanda is a SaaS solution that enables enterprises to consume the service from the cloud. BigPanda's cloud provider back-end is Amazon Web Services.

Now that BigPanda is out of stealth, the focus is on growing the company and the technology. "The next step for the company is to grow the sales and marketing team and to continue to focus on technology innovation around expanding the use of our algorithmic platform to automate other additional areas of incident management," Resnick said.

While the name BigPanda might seem somehow connected to the term "big data," Resnick said that there is not much behind the name. "We were looking for a name that would stand out and that we could have fun with," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
The Payment Card Industry Security Standards Council (PCI SSC) has published a guide to help organisations better educate employees on information security. Specifically, the guide aims to help organisations educate staff on protecting sensitive payment-card data, which is increasingly being targeted by cyber criminals. The best practices guide was developed in response to breach reports continually highlighting the critical role employee security understanding and awareness plays in identifying, protecting against and mitigating data compromise. The PCI SSC administers the Payment Card Industry’s Data Security Standard (PCI DSS). PCI DSS compliance is necessary for any organisation that handles customer payment card data and specifies how that information must be held and protected. Requirement 12.6 of the most recent version of the PCI DSS highlights the necessity for organisations to have a security awareness programme in place to educate personnel on the importance of protecting sensitive payment information and how to do so securely. Developed by retailers, banks and technology providers of a PCI Special Interest Group (SIG), the guide is designed to help organisations of all sizes, budgets and industries to achieve this goal. PCI SIGs are initiatives selected and developed by the PCI community that provide additional guidance and clarifications, or improvements, to the PCI standards and supporting programmes. Recommendations for security awareness programmes According to the PCI SSC, the guide provides detailed recommendations for developing, implementing and maintaining a security awareness programme that supports PCI DSS requirements. The guide focuses on the key areas of assembling a security awareness team, developing appropriate security awareness content and creating a security awareness checklist. 
The guide also includes a sample mapping of PCI DSS requirements to different roles, materials and metrics, for documenting how PCI DSS requirements could be incorporated into a training programme, as well as a checklist for recording how a security programme is being managed. The Best Practices for Implementing a Security Awareness Programme guide is available for download on the PCI SSC website. PCI SSC chief technology officer Troy Leach said businesses and employees are exposed to threats every day that can put sensitive information at risk – whether it be Poodle, Shellshock or the latest variant of malware. “PCI Standards emphasise the importance of people, process and technology when it comes to protecting payment information. “This guidance can help businesses focus on the ‘people’ part of the equation and build a greater culture of security awareness and vigilance across their organisations,” he said. Leach noted that as with all PCI SSC information supplements, the guidance provided in the most recent guide does not supersede or replace any PCI DSS requirements.
PCI DSS version 3.0
Merchants around the world who process payment card information are gearing up for version 3.0 of the PCI DSS, which becomes mandatory for PCI compliance from 1 January 2015. PCI SSC European director Jeremy King said most merchants have had a look at the latest requirements since the release of version 3.0 and, with it becoming mandatory in January, they are now asking for clarifications. As part of the clarification process, the PCI SSC has updated the guidance document for the self-assessment questionnaire that must be completed by all merchants applying for PCI DSS compliance certification, he told Computer Weekly. “Version 3.0 puts a greater focus on trying to improve the security of third-party service providers, because it is in data transfers between merchants and third parties where we are seeing a lot of the compromises and breaches occurring,” said King.
“We now expect merchants to start looking to their third-party providers to be PCI DSS-compliant in their own right, or at least understand the requirements and have appropriate measures in place for securing the data that comes to them,” he said.
Increased focus on data segmentation
Version 3.0 of PCI DSS also puts more focus on data segmentation in response to data breach investigators finding that cardholder data is often scattered throughout databases. “Version 3.0 requires more proof that cardholder data is restricted to the areas that merchants say it is, and that it is adequately protected,” said King. “We plan to do much more thorough testing of network segmentations to ensure the exact whereabouts of all card data is known,” he added. King believes merchants are now a lot more comfortable with the updated requirements and are ready to make the transition at the start of 2015. “But we still need to focus on awareness – which is still not strong enough across all data security – and not just payment-card data security,” he said.
When it comes to all things cyber there is a tendency to always look for a technology solution. Yet although technology is an essential part of any cyber solution, it is people using technology and many other skills who deliver genuine cyber resilience. The reality is that lots of different types of people and skills are required to ‘ride the wave of chaos’ that cyber threats create in what is perhaps the most complex and dynamic ‘market’ in the world. So, first, what is cyber resilience; second, what skills and people are needed; and third, how do we develop people and teams? Cyber resilience is the capability of an organisation (public or private) to have the agility to be proactive, responsive, robust, flexible and adaptive to cyber threats and attacks. In an era of ‘industrial’ levels of cyber crime, thieves and other attackers will find the combination of attack characteristics (vectors, payloads, behaviours and effects) to circumvent any security capabilities that are in place, to achieve their aim. To be resilient requires a genuine ‘board room to server room’ approach. This includes organisations strategically accepting a level of risk and proactively managing it, supported by a diverse and practised team. This team, stretching across all business functions and often including external stakeholders, needs to be able to communicate, collaborate, and establish mutual trust and shared understanding, to develop the agility required for cyber resilience against complex, dynamic and uncertain attacks by criminals and others. But who are the people and what skills are needed to develop cyber resilience? The answer goes well beyond the traditional and important pool of academic and certified personal qualifications. These are important skills, but they have a high cost of entry and can lead to a narrow focus on encouraging a particular type of person, whilst perhaps discouraging people outside the IT area from engaging with and understanding the issues and risks.
It deceives organisations into thinking this is a technology problem and solution – it isn’t. But a narrow focus on these ‘black arts’ skills can also lead to a very narrow recruitment pool and career path with few opportunities to grow and bring value beyond cyber security. So widening the talent pool, and engaging the wider organisation in developing cyber resilience, requires a change of approach. In particular, it requires an education and training programme which can be opened up to apprentices and which draws people in from other disciplines, who understand the business and can communicate effectively the risks and consequences of different attacks. This broadening of the team’s skills and backgrounds should increasingly enable organisations to ‘think thief’ and ‘join the dots’ when considering different cyber attacks. This change of approach needs to move from traditional paper-based and didactic learning to more individual experiential learning – learning through reflection on doing – and cooperative learning, where problems are solved through collaboration, using the collective resources and skills. This can bring together software and network engineers, data analysts, business operations, corporate communications, business continuity, crisis management, psychology, security and other disciplines, in a similar way to how those exploiting business intelligence and big data often fuse teams from different disciplines, going beyond contextual analytics to really exploit them. This approach can encourage and identify those people who are constrained only by their imagination and their ‘chutzpah’ to try it; these are the type of people who can social engineer their way to achieving their chosen effect, or understand how others may.
With these multi-skilled teams drawing expertise from across the technical and business teams of an organisation, a more agile (software) manifesto type approach of iterative development of cyber resilience can be achieved. This can range from identifying vulnerabilities to developing incident response plans across all business functions, so that when an attack occurs the consequences can be effectively managed whilst the diagnosis and remediation are taking place. The reality is that every organisation will be attacked; the best way to manage this risk is to develop organisational cyber resilience. This requires new approaches to widening and rapidly developing the talent pool at its centre. Richard Preece is a director of cyber training specialist cybX
Pirate Bay co-founder Gottfrid Svartholm Warg faces up to six years in jail after being convicted of hacking computers in Denmark. A Danish court found Warg and his co-defendant guilty of breaking into computers owned by technology services firm CSC and downloading police and social security files from government servers. The court heard that Warg and his accomplice, who was granted anonymity by the court, hacked into servers CSC was hosting. Investigators found the initial intrusion took place in February 2012, giving the hackers access to sensitive information for about six months. Once inside the computer network, the pair accessed police email accounts and the European border control database, and downloaded millions of social security numbers belonging to Danish citizens. Warg is to be sentenced on 31 October 2014, but his co-defendant was released after conviction because he had already served 17 months in pre-trial detention. Defence lawyers claimed Warg’s computer was hijacked by an unnamed hacker, but the court found it was "unlikely" other people were responsible, reports the BBC. The court ruled that the CSC servers had been hacked in a "systematic and organised” way, according to Danish reports. “The court has taken into account that the accused Warg did not want to reveal any more details about the identity of the persons indicated by him as having the ability to remotely control his computers, nor explain how the remote control could have taken place,” the judge said. The conviction is Warg’s third in the past five years. In 2009, he was convicted of copyright breach along with the three other co-founders of the Pirate Bay file-sharing site – Fredrik Neij, Peter Sunde and Carl Lundstroem. However, Warg went on the run in an attempt to avoid going to jail. Although Neij, Sunde and Lundstroem had to pay almost $7m in damages to content owners, their one-year jail terms were reduced to between four and 10 months after an appeal in 2010.
In September 2013, Warg was deported from Cambodia to Sweden to serve his sentence of a year in jail after being arrested under an international warrant. In a separate case in 2013, Warg was sentenced to two years in a Swedish jail for hacking into a bank's computers through IT services firm Logica, but the sentence was reduced to one year on appeal. In November 2013, he was deported from Sweden to Denmark to face charges in the latest CSC hacking case. The Pirate Bay was launched in 2003 to provide links to music and film files stored on users' computers. Its founders defended their website by claiming that no copyrighted material was stored on its servers and no exchange of files actually takes place there. In February 2012, the UK High Court ruled that the site illegally encourages users to infringe music copyright and ordered major UK broadband providers to block access to the site in a case brought by the British Phonographic Industry (BPI). According to the BPI, illegal copies of films, books and music made available on file-sharing sites destroy creative industry jobs and discourage investment in new talent.