#Google sued by employee for confidentiality policies that 'muzzle' staff

 A product manager at Google has sued the company over its allegedly illegal confidentiality rules, which, among other things, prohibit employees from speaking even internally about illegal conduct and dangerous product defects for fear that such statements may be used in lawsuits or sought by the government.

 The alleged policies, which are said to violate California laws, restrict employees' right to speak, work or whistle-blow, and include restrictions on speaking to the government, attorneys or the press about wrongdoing at Google or even “speaking to spouse or friends about whether they think their boss could do a better job,” according to a complaint filed Tuesday in the Superior Court of California for the city and county of San Francisco.

 “The policies prohibit Googlers from using or disclosing all of the skills, knowledge, acquaintances, and overall experience at Google when working for a new employer," according to the complaint, which alleges that the company’s confidentiality policies are contrary to the California Labor Code, public policy and the interests of the state.

 Google’s Global Investigation Team “also relies on ‘volunteers’ to report other employees who might have disclosed any information” about the company, according to the complaint, which paints a picture that is in sharp contrast to the glowing image one usually gets about Google's workplace culture and perks.

 Under a program called Stopleaks, Google asks employees to report on “strange things” around them such as anyone asking detailed questions about an employee’s project or job, according to the complaint. Employees are also said to be banned from writing creative fiction such as “a novel about someone working at a tech company in Silicon Valley,” without Google’s approving the book idea and the final draft.

 The policies are said to be be intended to control Google’s former and current employees, limit competition, infringe on constitutional rights and block the reporting of misconduct. The complaint goes on to state that the case does not concern Google’s trade secrets, consumer privacy or information that should not be disclosed under the law, but reflects the company’s use of confidentiality and other policies for illegal and improper purposes.

 In the lawsuit, first reported by The Information, the employee who has filed anonymously as John Doe, claims that Brian Katz, Google’s director of global investigations, intelligence and protective services, had falsely informed some 65,000 Google employees that the plaintiff was terminated for leaking information to the press, without naming him. Katz and Google used him as scapegoat to ensure that other employees continued to fall in line with the company’s confidentiality polices, according to the complaint, which asks that the employee should not be asked “to self-publish” his name.

 Google could not be immediately reached for comment on the lawsuit after business hours. The company was quoted by some news outlets as saying in a statement that its "employee confidentiality requirements are designed to protect proprietary business information, while not preventing employees from disclosing information about terms and conditions of employment, or workplace concerns."

 In September, the employee had complained to the Labor Workforce and Development Agency, after which Google made an amendment in which it “purported to broaden Googler’s right to discuss pay, hours or other terms of employment and to communicate with government agencies regarding violations of the law,” according to the complaint.

 Employees were not informed of the amendment and other policies were not changed, and “in fact, Google’s actual policies and practices remained unchanged,” it added.

 The employee has asked the California court for penalties for each of the 12 alleged violations under the Private Attorneys General Act on behalf of himself, the state of California and other Google employees.

Computerworld.com



Genesis mining promo code: CZL5k6

#SuperMario Run breaks records with 40 million downloads in its first 4 days

 Nintendo has confirmed what we all knew was likely – Super Mario Run got a lot of downloads at launch. The company says that the app was downloaded over 40 million times during its first four days on the App Store, which breaks records for Apple’s mobile software shop. Previous third-party estimates suggested the new game was on track to topple Pokémon Go’s previous early performance and approach the 40 million mark, but this official number confirms it.

 In a press release issued by Nintendo, the company says that in addition to its top ranking in the “free” chart of the App Store in 140 different global markets (of the 150 where it’s available), it’s also now in the top 10 ranking for best grossing games in 100 different markets.

 Apple SVP of Marketing Phil Schiller is quoted in the release, confirming that the game broke a record for App Store downloads during its initial few day of availability. Nintendo closes the record announcement with a note that it believes its achieving its goal of growing the group of customers who are familiar with its IP even further.


 The release also notes that Nintendo is making it easier to enjoy all modes as much as possible following the initial purchase, and a recent feature update indeed now allows you to run head-to-head with friends without using tickets, which are normally required for the Toad Rally.

Techcrunch.com

Genesis mining promo code: CZL5k6

#Security Predictions – 2017

 Each year organizations from around the world start looking at the new year and try to make predictions on what will occur. The security industry is no different. Our WhiteHat team has gathered their thoughts on predictions for 2017 and new vulnerabilities or trends that might emerge in 2017. I hope you find their predictions a great way to kickstart 2017 planning and start implanting some thoughts on how to protect your applications in the coming years as threats continue to increase. We are a small security community with pretty much the entire world trying to attack our applications. I’m proud and honored to start the conversation about how we can fight back and protect our assets and our customers.

We’ll start out with my prediction.

 Every year around this time people start asking me what I think the cyber security trends for the next year are going to be. What new vulnerabilities are going to come out? Is IoT going to be hacked in a major way? Will self-driving cars start smashing into each other because they’re connected to the Internet? All are valid questions and any of them could occur next year. However, I unfortunately predict a somewhat bleaker and kind of boring thing will happen… Nothing will change. Companies will continue to get breached because of simple vulnerabilities. We have seen year after year that vulnerabilities we knew about at the turn of the century continue to be exploited leading to massive data breaches that effect both companies, and their users. Cross site scripting and SQL injection continue to be found on site after site after site. Here at WhiteHat, we still find cross site scripting on about 50% of all sites we asses. SQL injection which leads to database breaches still occurs on about 6% of all sites. It’s staggering that we haven’t learned from the past and continue to introduce these easily exploitable vulnerabilities.

 As a security community, we need to do a better job. We need to start training all developers on secure coding from day one. Universities need to start teaching secure coding to all computer science majors. The security teams need to share their knowledge with the developers and the rest of the company. We need to tear down the walls that so often pop up between the different organizations. Only then can we start to make forward progress on stopping the bad guys. 

 Ok, enough of my predictions and recommendations.  On to the predictions of some of the team here at WhiteHat…

Marc Druzin, Product Management

(Reference: http://spectrum.ieee.org/cars-that-think/transportation/systems/its-now-temporarily-legal-to-hack-your-own-car)

Cars are a key target for hackers

There will be a lot more surfaced vulnerabilities in cars next year. You can bet as soon as newer models come out with more auto-driving/steering and logically, interconnected features, the hack-a-thon will be on.

Antoine Baisy, Threat Research Center

• Cars are a key target for hackers
• There will be a published hack for Google Home or the Amazon Echo

So, when I gazed into my crystal ball located conveniently on my desk, two major events appeared in the mist. One is another remote hack on self-driving cars which will continue to hammer home that they need to be properly secured before they are released to the masses. The other is a published hack for either the Google Home or the Amazon Echo. The Echo has been out for two years and it’s been solid so far. However, with the Google Home emerging, the always-on microphones in people’s homes are a serious concern for the general consumer. I’ll trust both Google and Amazon to patch the hacks before they are published, but I do think both devices have a target on them in the hacking community. If you believe crystal balls that is.

Brian Williams, Threat Research Center

DDoS attacks like Mirai will continue.

DDoS attacks are likely to become a big problem.

The record-breaking Mirai botnet, and the subsequent release of its source code, was some of the biggest security news that we saw this year. The malware first reared its head back in September, when it was used to deliver a record-breaking DDoS attack on Brian Krebs’ security blog. Mirai exploits default passwords on Internet of Things devices, such as routers, security cameras, and DVRs in order to gain control of them. Thousands of devices are infected at once, and then used to deliver a massive barrage of requests to a target victim, unloading up to 700 gigabits of data per second. Directly following the attack on Brian Krebs’ blog, the source code for Mirai was released to the public.

On October 21, Mirai was used to take down the DNS provider, Dyn. By targeting Internet infrastructure, attackers were able to deny service to a large number of websites for most of the day, including Twitter, Amazon, Tumblr, Reddit, Spotify, Netflix, and GitHub.

Since the source code of Mirai is easily obtained, I expect that DDoS attacks of this nature will continue.

Jeannie Warner, Security Manager

The social and political unrest around the world will encourage a dramatic rise in Hactivism.

I foresee the return of Anonymous, cranking up U.S. operations to unheard-of new levels. We’re all used to www.whitehouse.gov and www.cia.gov being constantly attacked, defaced, and taken offline. With all of the anger and frustration of the 2016 U.S. elections, we’re going to see a lot more attacking, DDoS, and exposure attacks of many media outlets, right- and left- leaning special interest groups, and definitely the FBI. Anonymous already stands with Standing Rock and the protests there.  There will likely be a lot more attacks on big oil, as well as state-level sheriff and police supporting these kinds of activities. The gloves seem to be off on the topic of fair play. Google and Facebook are both declaring they are working at eliminating the fake news issues that plagued social media over the last 12 months. What will come of it remains to be seen, but I predict there will be a lot of focus on new natural language processing technology examining ad filters and URL processing as part of web applications.

New guidelines will emerge from organizations such as NIST requiring that application security vendors partner with device manufacturers and testing labs to deliver secure IoT systems.   

The Internet of Things is growing daily, with smart devices and controlling applications at the core of every business from Healthcare to smart cars and smart buildings. It’s essential to protect smart anything from attackers attempting to exploit their vulnerabilities – and I’m expecting/hoping to see a shift from the term “security” to “safety”, as well as an increase in legislation mandating increased rigor of testing. In the same way manufacturing safety testing via the American National Standards Institute controls new releases in devices, I think that the National Institute of Standards and Technology’s SP 800 or a similar body will form guidelines for a comprehensive security assurance through the integration of dynamic application scanning technology and rigorous device controls testing. Commonalities in all IoT systems include controls for tracking and sensing interfaces, combined with web- or mobile-enabled control applications which combine to expand the borders of the security ecosystem. New guidelines will (ideally) force more application security vendors to partner with device control testing labs to support manufacturing earlier in the development process, helping the innovative organizations to manage risk by identifying vulnerabilities early in development, continue to monitor challenges during testing, and help release more secure products.

Dan Lacey, Threat Research Center

Nothing will change.

Attackers will continue to discover and exploit zero-days. Companies large and small will continue to lose data and money to the usual attacks, often because they didn’t take basic security precautions. Individuals will continue to lose money in the usual ways, often because they lack basic knowledge of Internet safety. Manufacturers will continue to produce Internet-connected devices with no security, or easily by-passable security, enabling attackers to hijack them. Someone might pass laws mandating that new Internet of Things devices have security, but those laws will be unenforceable and impossible to apply retroactively.

No one will deploy a better authentication system than passwords.

The government will continue to press for increased surveillance including backdoors.

Whitehatsec.com

Genesis mining promo code: CZL5k6

#Nexus 4 expiration delayed with CyanogenMod 14.1 Nougat

 Market analysts would say that the average turnover rate for most smartphones is two years, which is exactly how long most contracts last anyway. That is true even for Google’s Nexus devices. In that sense, the Nexus 4, launched way back in 2012, is way past its due date. But for those still with a perfectly serviceable unit, news of its death has been largely exaggerated. Especially now that there’s a CyanogenMod 14.1 nightly image for it, bringing the nutty goodness of Nougat to the phone.




To be clear, this is far from being a “stable” version of Android 7.0 Nougat for the Nexus 4, though CyanogenMod itself has done away with such labels for its rolling releases. The nightly builds, which are cooked, well, nightly, come with no guarantee of stability, which may change daily. But those who own a Nexus 4 hungry from some new dessert, they will most likely take what they can.

The biggest question will be whether it will be worth it for owners to risk running CM 14.1 nightly on their smartphone. The Nexus 4 definitely doesn’t have the hardware to support many of the features introduced in Android 7.0 and the upcoming 7.1. At the very least, the device’s aging hardware might not be able to handle much of those features in the first place. Still, as far as having the latest Android version is concerned, it is one of the only paths available for those who want to live on the cutting edge.

There is, however, no guarantee that the nightly builds will continue ad infinitum. Unlike Cyanogen OS, CyanogenMod development and support for devices is a purely volunteer-based work of love and enthusiasm. Should maintainers for the Nexus 4 branch meet an insurmountable problem, they are likely to drop work on it. Or wait for Android O.

Slashgear.com

Genesis mining promo code: CZL5k6

Redesigned #BMW i3 Electric Vehicle With Longer Range Tipped For 2017

BMW is reportedly cooking up a new i3 electric vehicle for 2017, increasing the car's range and updating its design.

Electric vehicles continue to gain momentum, but BMW hasn't been very successful in this segment of the auto market so far. While the automaker has been offering i3 electric vehicles for a few years now, it hasn't seen stellar demand.

Nevertheless, a neat redesign and a longer range could give the small electric vehicle just the boost it needs to become more successful.

BMW i3 Makeover

German publication Welt am Sonntag reports (via Reuters) that the BMW i3 model planned for next year will have both its front and rear ends redesigned. No images leaked just yet to offer a glimpse of the makeover, so it remains unclear for now just how the next BMW i3 will look like.

Increased Range

The publication further reveals that BMW will pack new battery technology into its next-generation i3, enabling the electric vehicle to have a longer range. The current BMW i3 can go for 114 miles on a full charge, but the range can be increased up to 180 miles via a "Range Extender."

Welt am Sonntag doesn't specify how long the new range will be, but it does note that it would be an increase of less than 50 percent. This means that the BMW i3 coming next year will still offer a mile range below 200 miles.

That's well below the range of other electric vehicles such as Tesla's Model S, but BMW's electric vehicles are more affordable than Tesla's. The Tesla Model S with a P100D battery, for instance, can run up to 300 miles on a single charge, but it starts at around $134,000 before incentives. The current BMW i3 with Range Extender, meanwhile, costs $47,450 (not including destination and other fees).

BMW Autonomous Vehicle Plans

The German publication also asked Klaus Fröhlich, BMW's head of Research & Development (R&D), about the automaker's plans for self-driving vehicles. Fröhlich said that BMW wanted to see a common standard for autonomous vehicles across the auto industry so that it could use the same systems and number of sensors.

As a reminder, BMW already teamed up with Intel and Mobileye earlier this year to create an open platform for autonomous vehicles by 2021. Mobileye also worked with Tesla on the carmaker's Autopilot system, but the two companies parted ways back in September.

It remains to be seen what BMW will offer next, but it may also look to score more partnerships to expand its offers. Fiat, for instance, partnered with Amazon to sell cars online, albeit the option is available only in Italy for now.

Techtimes.com

Genesis mining promo code: CZL5k6

#Gartner: Artificial intelligence, algorithms and smart software at the heart of big network changes

Gartner says CIOs will participate in the building of a new digital platform with intelligence at the center.

Artificial intelligence, machine learning and advanced algorithms are at the heart of an emerging digital world.

That was one of the chiefs components of Gartner’s Peter Sondergaard, senior vice president and global head of Research opening remarks at today’s Gartner Symposium/ITxpo show in Orlando.


“CIOs will participate in the building of a new digital platform with intelligence at the center,” Sondergaard said told a crowd of more than 8,000 CIOs and IT leaders. “The new competitive differentiator is understanding the customer’s intent through advanced algorithms and artificial intelligence. Creating new experiences that solve problems customers didn’t realize they had.”

Gartner says “advanced machine learning algorithms are composed of many technologies (such as deep learning, neural networks and natural-language processing), used in unsupervised and supervised learning, that operate guided by lessons from existing information.”

Advanced machine learning not only enables a smart machine to understand concepts in the environment, but enables it to learn. Through machine learning, a smart machine can change its future behavior. For example, by analyzing vast databases of medical case histories, "learning" machines can reveal previously unknown insights in treatment effectiveness. This area is evolving quickly, and organizations must assess how they can apply these technologies to gain competitive advantage, Gartner said last Fall in presenting trends for 2016.

Gartner says artificial intelligence “is technology that appears to emulate human performance typically by learning, coming to its own conclusions, appearing to understand complex content, engaging in natural dialogs with people, enhancing human cognitive performance (also known as cognitive computing) or replacing people on execution of nonroutine tasks. Applications include autonomous vehicles, automatic speech recognition and generation and detecting novel concepts and abstractions (useful for detecting potential new risks and aiding humans quickly understand very large bodies of ever changing information).”


“We are building machines that learn from experience and produce outcomes their designers did not explicitly envision. Systems that can experience and adapt to the world via the data they collect,” Sondergaard said. “Machine learning and artificial intelligence move at the speed of data, not at the speed of code releases. Information is the new code base.”

A few other salient points from Gartner’s opening session:
Gartner forecasts worldwide IT spending to total $3.4 trillion in 2016, a 0.3% decline from last year. In 2017, global IT spending is projected to grow 2.9% and reach $3.5 trillion. Analysts said this growth will be driven by the software and IT services segments. Worldwide spending on software is projected to grow 7.2%, and IT services 4.8%. Software and IT services will be key to the development of the civilization infrastructure.
Real-time analytics will outpace traditional analytics by a factor of three by 2020 to become 30% of the market.
“Machine learning and artificial intelligence move at the speed of data, not at the speed of code releases. Information is the new code base.”

Networkworld.com

Genesis mining promo code: get your 3% with: CZL5k6 

Firms Are in Denial About the #EU 's Coming Privacy Law, Survey Suggests. #GDPR

Survey says: what privacy law?

The world’s toughest privacy law will go into force in Europe 18 months from now, and so far, the strategy of many IT professionals appears to be “pretend it’s not happening.” That’s the takeaway from a survey published today by Dell that suggests most firms are unprepared for the EU’s General Data Protection Regulations.

This collection of laws (known as #GDPR) passed earlier this year, and will introduce a spate of stiff compliance measures and eye-watering penalties for companies that don’t take a series of steps to manage data. For instance, firms will have to:

• Hire a data protection officer
• Introduce “privacy by design” to their workflow
• Get explicit consent to use a wide variety of data
• Increase opt-out and data portability options

If they don’t comply, companies face a maximum fine of 20 million euros or 4% of total revenue—whichever is greater.

According to the Dell survey, which polled 821 IT professionals across the globe, 80% said they knew little or nothing about the GDPR, while 97% said their companies didn’t have a plan in place to implement the new law.

According to Michael Tweddle, a Dell executive, the survey also suggested that the IT crowd felt most confident about being able to comply with impending rules related to email security, but much less so when it came to those related to document access. (Under the GDPR, companies will have to create procedures that limit who can access shared files hosted on platforms like Dropbox or SharePoint.)

The lack of readiness described in the survey could be an ominous sign for companies, especially those outside the EU that do business with European citizens, given the recent assertiveness of privacy regulators on the continent.

Firms will, presumably, start paying more attention as the GDPR implementation date of May 2018 draws closer. And it’s a safe bet corporate legal departments are tuning into the rules, even if the operation crowd is not (law firm Allen & Overy has a good briefing here).

Finally, it will be curious to see if politicians in Europe, where the economy is still limping, will decide to flinch and water down or defer the regulations if compliance costs prove too high.

Fortune.com

#G7 FUNDAMENTAL ELEMENTS OF #CYBERSECURITY FOR THE FINANCIAL SECTOR

 Increasing in sophistication, frequency, and persistence, cyber risks are growing more dangerous and diverse, threatening to disrupt our interconnected global financial systems and the institutions that operate and support those systems. To address these risks, the below nonbinding, high-level fundamental elements are designed for financial sector private and public entities to tailor to their specific operational and threat landscape, role in the sector, and legal and regulatory requirements.

The elements serve as the building blocks upon which an entity can design and implement its cybersecurity strategy and operating framework, informed by its approach to risk management and culture. The elements also provide steps in a dynamic process through which the entity can systematically re-evaluate its cybersecurity strategy and framework as the operational and threat environment evolves. Public authorities within and across jurisdictions can use the elements as well to guide their public policy, regulatory, and supervisory efforts. Working together, informed by these elements, private and public entities and public authorities can help bolster the overall cybersecurity and resiliency of the international financial system.

Element 1: Cybersecurity Strategy and Framework.

 Establish and maintain a cybersecurity strategy and framework tailored to specific cyber risks and appropriately informed by international, national, and industry standards and guidelines.The purpose of a cybersecurity strategy and framework is to specify how to identify, manage,and reduce cyber risks effectively in an integrated and comprehensive manner. Entities in the financial sector should establish cybersecurity strategies and frameworks tailored to their nature, size, complexity, risk profile, and culture. Informed by the cyber threat and vulnerability landscape, a jurisdiction can also establish sector-wide cybersecurity strategies and frameworks that outline how cooperation occurs between entities and public authorities in the financial sector, with sectors upon which the financial sector depends, and with other relevant jurisdictions.

Element 2: Governance.

 Define and facilitate performance of roles and responsibilities for personnel implementing,
managing, and overseeing the effectiveness of the cybersecurity strategy and framework to
ensure accountability; and provide adequate resources, appropriate authority, and access to the governing authority (e.g., board of directors or senior officials at public authorities).Effective governance structures reinforce accountability by articulating clear responsibilities and lines of reporting and escalation. Effective governance also mediates competing objectives and fosters communication among operating units, information technology, risk, and controlrelated activities. Consistent with their missions and strategies, boards of directors (or similar oversight bodies for public entities or authorities) should establish the cyber risk tolerance for their entities and oversee the design, implementation, and effectiveness of related cybersecurity programs.

Element 3: Risk and Control Assessment.

 Identify functions, activities, products, and services—including interconnections, dependencies,and third parties—prioritize their relative importance, and assess their respective cyber risks.
Identify and implement controls—including systems, policies, procedures, and training—to
protect against and manage those risks within the tolerance set by the governing authority.Ideally as part of an enterprise risk management program, entities should evaluate the inherentcyber risk (or the risk absent any compensating controls) presented by the people, processes,technology, and underlying data that support each identified function, activity, product, and service. Entities should then identify and assess the existence and effectiveness of controls to protect against the identified risk to arrive at the residual cyber risk. Protection mechanisms can include avoiding or eliminating risk by not engaging in an identified activity. They can also include mitigating the risk through controls or sharing or transferring the risk. In addition to evaluating an entity’s own cyber risks from its functions, activities, products, and services, risk and control assessments should consider as appropriate any cyber risks the entity presents to others and the financial sector as a whole. Public authorities should map critical economic functions in their financial systems as part of their risk and control assessments to identify single points of failure and concentration risk. The sector’s critical economic functions range from deposit taking, lending, and payments to trading, clearing, settlement, and custody.

Element 4: Monitoring.

 Establish systematic monitoring processes to rapidly detect cyber incidents and periodically
evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises.Effective monitoring helps entities adhere to established risk tolerances and timely enhance or remediate weaknesses in existing controls. Testing and auditing protocols provide essential assurance mechanisms for entities and public authorities alike. Depending on the nature of an entity and its cyber risk profile and control environment, the testing and auditing functions should be appropriately independent from the personnel responsible for implementing and managing the cybersecurity program. Through examinations, on-site and other supervisory mechanisms, comparative analysis of entities’ testing results, and joint public-private exercises, public authorities can better understand sector-wide cyber threats and vulnerabilities, as well as individual entities’ relative risk profiles and capabilities.

Element 5: Response.

Timely (a) assess the nature, scope, and impact of a cyber incident; (b) contain the incident and mitigate its impact; (c) notify internal and external stakeholders (such as law enforcement, regulators, and other public authorities, as well as shareholders, third-party service providers, and customers as appropriate); and (d) coordinate joint response activities as needed.As part of their risk and control assessments, entities should implement incident response policies and other controls to facilitate effective incident response. Among other things, these controls should clearly address decision-making responsibilities, define escalation procedures,and establish processes for communicating with internal and external stakeholders. Exercising protocols within and among entities and public authorities contributes to more effective responses. Exercising also enables entities and public authorities to identify how potential 3decisions could affect each other’s ability to maintain critical and other functions, services, and activities.

Element 6: Recovery. 

 Resume operations responsibly, while allowing for continued remediation, including by (a)
eliminating harmful remnants of the incident; (b) restoring systems and data to normal and
confirming normal state; (c) identifying and mitigating all vulnerabilities that were exploited;
(d) remediating vulnerabilities to prevent similar incidents; and (e) communicating appropriately internally and externally.Once operational stability and integrity are assured, prompt and effective recovery of operations should be based on prioritization of critical economic and other functions and in accordance with objectives set by the relevant public authorities. Maintaining trust and confidence in the financial sector significantly improves when entities and public authorities have the ability to mutually assist each other in the resumption and recovery of critical functions, processes, and activities. Therefore, before an incident occurs, establishing and testing contingency plans for essential activities and key processes, such as funding, can contribute to a faster and more effective recovery.

Element 7: Information Sharing. 

 Engage in the timely sharing of reliable, actionable cybersecurity information with internal and external stakeholders (including entities and public authorities within and outside the financial sector) on threats, vulnerabilities, incidents, and responses to enhance defenses, limit damage,increase situational awareness, and broaden learning.Sharing technical information, such as threat indicators or details on how vulnerabilities were exploited, allows entities to remain up-to-date in their defenses and learn about emerging methods used by attackers. Sharing broader insights among entities, between entities and public authorities, and among public authorities deepens collective understanding of how attackers may
exploit sector-wide vulnerabilities that could potentially disrupt critical economic functions and endanger financial stability. Given its importance, entities and public authorities should identify and address impediments to information sharing.Element 8: Continuous Learning.Review the cybersecurity strategy and framework regularly and when events warrant—including its governance, risk and control assessment, monitoring, response, recovery, and information sharing components—to address changes in cyber risks, allocate resources, identify and remediate gaps, and incorporate lessons learned.Cyber threats and vulnerabilities evolve rapidly, as do best practices and technical standards to address them. The composition of the financial sector also changes over time, as new types of entities, products, and services emerge, and third-party service providers are increasingly relied
upon. Entity-specific, as well as sector-wide, cybersecurity strategies and frameworks need
periodic review and update to adapt to changes in the threat and control environment, enhance user awareness, and to effectively deploy resources. Other sectors, such as energy and telecommunications, present external dependencies; therefore, entities and public authorities should consider developments in these sectors as part of any review process. 

Ec.europa.eu

Think changing your #Yahoo password is enough? Think again…

With the recent announcement of more than 500 million accounts impacted by a security breach, many Yahoo users have been changing their passwords. After all, that’s the official guidance. However, as ZDI’s Simon Zuckerbraun points out, a new password isn’t enough.

If you have a Yahoo account, chances are you’ve seen a notification that your account information has been stolen by attackers. You aren’t alone. According to public reports, more than half a billion accounts were impacted during a security breach in 2014. While it’s not known why it took Yahoo over 18 months to inform people, the notification from Yahoo CISO Bob Lord included the recommendation to change your password. While this is sound advice and a good first step, Zero Day Initiative (ZDI) researcher Simon Zuckerbraun found this step alone isn’t enough to protect your account.

Change your password. This should still be your first step. It should always be your first reaction after an account compromise. If you reused the compromised Yahoo password with other online services, you’ll need to change it there as well. Have trouble remembering different passwords? Try a password manager like the Trend Micro™ Password Manager. Set up two-factor authentication (2FA) or use Yahoo’s Account Key. This will make it more difficult for attackers to access your information even if your password is compromised. Just don’t expect 2FA to reset your iPhone Mail app settings. You still need to go through the website to remove a device. Review your devices and activity. Understanding which devices access your account is key to finding unusual or unauthorized activity. You should specifically look for connected apps listed on the “Recent Activity” tab, as well as check the “Account Security” tab for active application passwords.

Like many others, Simon received a notification that his account was included in the breach. Like many others, Simon logged in to his account and changed his password. He then opened his iPhone Mail application since he had configured the app to use his Yahoo account. He expected to be prompted for his new password and was more than a little surprised when he found it was not necessary. Even though he had changed the password associated with his Yahoo account, the phone was still connected.

Upon investigating, it became clear that Yahoo had issued a permanent credential to the device. This credential does not expire and is not revoked when the password changes. In other words, if someone already obtained access to your account and configured the iOS Mail app to use it, they would still have access to the account even after the password changes. What’s worse is that you would likely not even realize someone still has access to your email.

This presents a couple of different problems. First, steps beyond changing your password are not being clearly communicated from Yahoo. This could lead to a situation where millions believe they are protected even though they aren’t. Additionally, even if you are security conscious like Simon and want to review your activity and devices, it’s not easy to find. Associated devices aren’t listed under the “Account Security” tab at all. As shown in Figure 1 (below), the “Account Security” tab has no mention of associated devices.

Figure 1 – Yahoo Security Tab

 The setting actually exists under the “Recent Activity” tab (Figure 2). Here you are able to see which applications are connected to your account with an option to remove them. It’s also interesting to see the apps and devices are just listed by product name – in this case “iOS” – and the date authorized. It’s up to the user to figure out what is legitimate and what’s not.

Figure 2 – Yahoo Recent Activity Tab

Looking at the phone settings (Figure 3) is of little help. Looking at the setting shows there is no option via the app to change the password. This is likely by design. When you set up your mail account on the device, it gets permanently credentialed until the credential is revoked through the server.

Figure 3 – iPhone Mail Settings

While it’s unfortunate Yahoo’s official advice for securing a hacked Yahoo account makes no mention of checking for or removing associated apps and devices, it definitely should be on your list. In fact, your list should look something like this:

The steps users take after a breach notification often determine whether further account damage occurs. It’s unknown if the attackers will be able to decrypt stolen passwords or how they intend to use other leaked data. Regardless, if you change your password and review the associated devices, you’re less likely to be impacted. By understanding all the actions needed, you can exert some control over your account’s security.











blog.trendmicro.com

Genesis mining promo code: CZL5k6

#FBI Official Explains What To Do In A #Ransomware Attack

Feds say even basic information can advance the agency's investigation.

Businesses or consumers hit by ransomware should refuse to pay the ransom and immediately contact the FBI or file a complaint on www.ic3.gov, the federal government’s website for filing and sharing information about cybercrime, an FBI official said today.

Will Bales, supervisory special agent for the FBI’s Cyber Division, said any information, whether it’s a Bitcoin wallet address, transaction data, the hashtag of the malware, or any email correspondence, can help advance an FBI ransomware investigation.

“People have to remember that ransomware does not affect just one person or one business,” Bales said. “It will more than likely move on and affect somebody else. And for those who pay the ransom, it only encourages them to extort the next person.”

Bales was part of a panel discussion on ransomware today at the kickoff of the Federal Trade Commission’s Fall Technology Series held at the Constitution Center in Washington, DC.

FTC Chairwoman Edith Ramirez started the afternoon conference by underscoring how the threat of ransomware has increased in the past year.

Ramirez cited Justice Department data that said there have been 4,000 ransomware attacks daily since January 1, 2016 alone – a quadrupling of such attacks in just a year. In addition, PhishMe research found that 93% of phishing emails now contain some variant of ransomware.

“Ransomware attackers can access extremely sensitive personal information such as medical data, financial account numbers, and the contents of private communications, some of which may be sold on the dark web,” Ramirez said. “We are eager to expand our understanding of this growing threat … and for nearly a decade we’ve worked with other agencies and have provided guidance to consumers and businesses on how to best protect their computers and networks.”

The FTC Chairwoman also said the agency will be active in pressing cases against the attackers, pointing out that the agency has made at least 60 enforcement actions around companies not protecting consumer data. She said not protecting against ransomware may violate federal law.

The FBI’s Bales said the government has been making progress on prosecuting ransomware cases, but would give no real specifics other than to say they have been successful in working with other law enforcement agencies around the world in taking down the infrastructure of some of the ransomware criminals.

Bales indicated that there would be more news of success stories in the upcoming months.

Darkreading.com

Genesis mining promo code: get your 3% with: CZL5k6