Hong Kong cops open £700k cyber security centre


The Hong Kong government has thrown HK$9 million (£730,000) at a new Cyber Security Centre in a bid to tackle the growing threat to critical infrastructure in the Special Administrative Region of China.

Police commissioner Tsang Wai-hung said at the opening ceremony last Friday that the 27-man centre would be staffed by officers from the small Technology Crime Division and heralded it as the first step towards working more closely with public and private sector organisations.


Original news article at https://news.hitb.org/ on December 10, 2012 at 02:59PM

Over Half Of Chief Information Officers Fail To Test Cloud Vendors’ Security Systems & Procedures


Cybersecurity tops CIOs’ concerns, with 84% of CIOs stating that they are either concerned or very concerned about the risks associated with IT security breaches. Yet while security issues remain the biggest concern that CIOs have about migrating their technology functions to the cloud, less than half (45%) test cloud vendors’ security systems and procedures.


Original news article at https://news.hitb.org/ on December 10, 2012 at 02:56PM

DLP: Discover First or Monitor First?

Should I DISCOVER where sensitive/regulated data resides in my environment OR DETECT when it is being leaked? Storage DLP first or network DLP first? Data-at-rest (DAR) first or Data-in-motion (DIM) first? What is more important, knowing WHAT can be stolen and from where OR WHAT is being sent out today?

Sorry, but “IT DEPENDS.” As many tough questions in life, this one has no single right answer. Successful data protection projects, whether for regulated data or corporate secrets, often start from a discovery sweep of an internal network. Looking for PANs, SSNs, known secret documents, customer records or whatever else allows the DLP conversation to start and the “lay of the data land” to become more clear. At the same time, they also often start from observing sensitive and regulated data flows out of your environment via email, FTP, web uploads, etc. This helps jumpstart the DLP discourse and creates a sobering realization of “Whaaaat!? This is going on RIGHT NOW!!?” Both are common and reasonable.

So, why discover first?

  • Learn the extent of sprawl of a particular type of data
  • Assess the complexity of the upcoming data protection effort
  • Gather ammunition for identifying and then engaging the data owners
  • Learn what to include in monitoring policies next

Why monitor first?

  • Observe (and, then, hopefully, stop) the most blatant and obvious leaks
  • Assess the priority of needed data protection efforts based on ongoing data movement
  • Easily get a taste of content-aware DLP technology without too much hard work (!)
  • Learn what to include in discover scans next

As a side note, few organizations would venture into “enforce first” as you need to know BEFORE you can act. Control comes after visibility (and, by the way, in some domain it never really comes…). One can discover first and then reduce, secure, monitor and protect what is discovered. One can also monitor first and then evolve to reduce the exposure. A sole exception I’ve seen is about enforcing something trivial like ‘block all USB access on endpoints’ which is hardly at the core of content-aware DLP.

Finally, if you’d absolutely push me to the wall and make me give a simple answer to a complex question, then go do network monitoring first… mostly because it is easier (= the most similar to netsec technologies) and often produces nasty (and thus deeply motivating) surprises.

P.S. this discussion does not remove the requirement to understand what you are trying to do with DLP and with data security in general. The real FIRST action is always ‘think’, not ‘buy’ or ‘deploy’. Don’t get those ideas :-)
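The two starting points above, a discovery sweep over data at rest and a monitor over data in motion, share the same core: a content classifier. The block below is an added example (not Gartner’s or any DLP vendor’s code) that builds one small classifier for PANs (with a Luhn check) and US SSNs and runs it both ways over constructed sample files and outbound messages; the paths, addresses and numbers are all made up for the demo, and reports are masked so the DLP output does not itself become a leak.

```python
"""Minimal content-aware DLP classifier used two ways: a discovery sweep over
data at rest and a monitor over outbound messages. Added example; the
sample files and messages below are constructed, not real data."""
import re
from typing import Dict, List

# Candidate card numbers: 13-19 digits with optional single space/dash separators.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in dashed form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; removes most false positives from order ids and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card numbers found in text, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> List[str]:
    return SSN_RE.findall(text)


def mask(value: str) -> str:
    """Keep only the last four characters so the report is not a second copy of the secret."""
    return "*" * (len(value) - 4) + value[-4:]


def classify(text: str) -> Dict[str, List[str]]:
    """Map each data type to the (masked) matches; empty dict means nothing regulated."""
    found = {"pan": [mask(p) for p in find_pans(text)],
             "ssn": [mask(s) for s in find_ssns(text)]}
    return {kind: hits for kind, hits in found.items() if hits}


# ---- discover first: sweep data at rest ----
def discover(files: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Return only the paths that hold regulated data, with what was found there."""
    report = {}
    for path, content in files.items():
        findings = classify(content)
        if findings:
            report[path] = findings
    return report


# ---- monitor first: inspect data in motion ----
def monitor(messages: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag outbound messages (mail, upload, ...) whose body carries regulated data."""
    alerts = []
    for msg in messages:
        findings = classify(msg["body"])
        if findings:
            alerts.append({"to": msg["to"], "channel": msg["channel"], "findings": findings})
    return alerts


# Constructed sample corpus: a file share snapshot and a few outbound messages.
SAMPLE_FILES = {
    "finance/q3-refunds.csv": "customer,card\nA. Smith,4111 1111 1111 1111\nB. Jones,4111111111111112\n",
    "hr/onboarding.txt": "New hire record. SSN: 123-45-6789. Start date 2012-12-10.\n",
    "eng/readme.md": "Build id 1234567890123 passed. Call 555-0100 with questions.\n",
}
SAMPLE_MESSAGES = [
    {"to": "vendor@example.org", "channel": "smtp",
     "body": "Hi, please refund card 4111 1111 1111 1111 for order 8823"},
    {"to": "team@example.com", "channel": "https-upload",
     "body": "Build 1234567890123 passed all tests"},
]

if __name__ == "__main__":
    print("discover:", discover(SAMPLE_FILES))
    print("monitor:", monitor(SAMPLE_MESSAGES))
```

The same `classify` function drives both modes, which is the practical point: whichever you start with, the policies you learn (which formats, which exclusions) carry straight over to the other. Real deployments add many more detectors and a public allowlist of known test numbers; the Luhn check alone already drops the build id in the sample, which a bare digit regex would have flagged.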



Original news article at https://blogs.gartner.com/anton-chuvakin on December 07, 2012 at 10:15PM

New Accounting System Hack Could Cause ‘Mayhem’

Attacks against massive and proprietary enterprise accounting systems, in particular financial software such as SAP and Oracle, have been few and far between. That changed at this week’s Black Hat Abu Dhabi conference where a pair of researchers presented proof-of-concept code that could change the dynamic of the financially motivated attack landscape.



Original news article at https://threatpost.com/en_us/frontpage on December 07, 2012 at 09:03PM

MaskMe: create disposable email addresses on the fly

When you register a new account on a website or service you are usually asked to provide it with an email address. You may receive a verification email after the registration, or it may be used to send you notifications or make sure you are a unique user and not the same guy who has created a dozen accounts already on the site.

You can enter your main email address whenever you do that, but that increases the chance that you will be swarmed with spam in the future as some services will sell your information to the highest bidder to make money. A secondary email address for that purpose, or a disposable address that gets created on the fly, is the second option that you have. The benefit here is that you protect your main email address to keep it as spam free as possible.

MaskMe is an extension for the Google Chrome browser that helps you create masked emails, that is, unique random email addresses that have no affiliation with you, whenever you need them. While you may still use your main email address when signing up on some sites, you get the option to create a new masked email address instead at other times.


MaskMe displays a popup below the email field on registration pages that gives you the option to register using your main email address, which you select when you create a MaskMe account after installation, or a unique address that is randomly generated on the fly.

The random email address forwards all emails to your main email address until you block the process in the management console. That’s actually a great way of dealing with it, as you get options to switch between forward and block there as often as you want. You may want to keep forwarding enabled, for instance, until you receive the verification message. Once you have, you can switch to block so that no mails get forwarded to your main email address anymore. Should the need arise to receive emails again, for instance when you have lost your account password and need to reset your account, you simply enable forwarding again.


You can create custom email addresses on the MaskMe account page as well, which is useful if you need to register in third-party programs, for instance, where the automatic generation does not work for obvious reasons.

You may want to check out the service’s settings after installation to make sure everything is set in order. The program can generate strong passwords for you for instance and will also check if the password you have entered during registration may not be strong enough. If you do not need that reminder, for instance if you are using a password manager that does that for you, you can disable that feature in the settings.

The program keeps track of your privacy while you are online, and displays what it records in a privacy timeline on your account page. It basically helps you keep track of where and when you have shared personal information on the Internet. A paid upgrade is available that adds masked phone numbers and mobile access for $5 a month.



Original news article at https://www.ghacks.net on December 09, 2012 at 12:42AM

Top Security Predictions for 2013

WatchGuard Reveals Top Security Predictions for 2013 — Cyber Attacks Resulting in Human Death, Android Pick-Pocketing Attempts and Rise in Browser-Infecting Malware All Forecasted Next Year. SEATTLE, December 5, 2012 — WatchGuard Technologies, a global leader in manageable business security solutions, has revealed its annual security predictions …


Original news article at https://www.topix.com/tech/computer-security on December 08, 2012 at 03:42AM

Monitor your wireless network against intruders

There are a couple of things you can do to protect your wireless network against freeloaders and intruders. Probably the best thing right now is to make sure it is protected by the security protocol that offers the best protection, which is usually WPA2 at the moment. You also need to make sure that the key is long enough that it can’t be easily guessed (your cat’s name) or brute forced.

There are a couple of other things that you can do, for instance position the router in a way that reception is bad or not available at all when you are not in the apartment or house. There is also wifi blocking wallpaper and paint available, but that is usually something that companies may want to do.

Another effective option is to monitor your wireless network for new connections. SoftPerfect WiFi Guard is a free program for the Windows operating system that can aid you with that. The program monitors all wireless connections which it displays in the main window.


Here you find information about the IP address used by the devices, the MAC address, the name, and additional information. The listing provides you with information about all connections, so that you can easily distinguish your own devices from devices that someone else may be using to connect to your wireless network. The program scans the network automatically from time to time and provides you with the means to run manual scans whenever you want to. Devices are pinged automatically which helps you detect systems behind firewalls or other security that blocks ping requests.

Since it is not really practicable to have the window open 24/7, it ships with a notification system in place that informs you whenever unknown devices connect to the wireless network.

The program is dead easy to use and a great option if you are using wireless connections to connect to the Internet, especially if you suspect someone else taking advantage of your wireless setup.
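The core of what such a monitor does is a diff between each scan and a list of devices you have already vetted, plus a memory of what was already reported so the alert fires once rather than on every rescan. The block below is an added example written for this digest, not SoftPerfect’s code; the known-device list and the three scan snapshots are constructed, and the MAC addresses, names and IPs are made up.

```python
"""Allowlist-based rogue-device detection over periodic wireless scans.
Added example with constructed scan data; not the WiFi Guard program's code."""
from typing import Dict, List, Set

# Devices the owner has vetted, keyed by MAC address (constructed values).
KNOWN_DEVICES: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "family laptop",
    "aa:bb:cc:00:00:02": "phone",
    "aa:bb:cc:00:00:03": "printer",
}


def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-00-00-01' or 'aa:bb:cc:00:00:01' and compare one canonical form."""
    return mac.strip().lower().replace("-", ":")


def diff_scan(known: Dict[str, str], previous: Set[str], current: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Split one scan into unknown devices, newly seen known devices and devices that left."""
    seen_now = {normalize_mac(d["mac"]) for d in current}
    result = {"unknown": [], "returned": [], "gone": []}
    for dev in current:
        mac = normalize_mac(dev["mac"])
        if mac not in known:
            result["unknown"].append(dev)
        elif mac not in previous:
            result["returned"].append(dev)
    for mac in previous - seen_now:
        result["gone"].append({"mac": mac, "name": known.get(mac, "?")})
    return result


def run_monitor(known: Dict[str, str], scans: List[List[Dict[str, str]]]) -> List[str]:
    """Replay scans in order and return the alerts a notification system would raise.
    An unknown device is reported when it first appears, and again only if it
    disappears and comes back, so a lingering intruder does not spam you every scan."""
    alerts: List[str] = []
    previous: Set[str] = set()
    already_reported: Set[str] = set()
    for index, scan in enumerate(scans, start=1):
        delta = diff_scan(known, previous, scan)
        for dev in delta["unknown"]:
            mac = normalize_mac(dev["mac"])
            if mac not in already_reported:
                alerts.append(f"scan {index}: unknown device {mac} ({dev.get('name') or 'no name'}) at {dev['ip']}")
                already_reported.add(mac)
        for gone in delta["gone"]:
            already_reported.discard(gone["mac"])  # allow a fresh alert if it returns later
        previous = {normalize_mac(d["mac"]) for d in scan}
    return alerts


# Constructed scan snapshots, as a scanner might return them a few minutes apart.
SCANS = [
    [{"ip": "192.168.1.10", "mac": "AA-BB-CC-00-00-01", "name": "laptop"},
     {"ip": "192.168.1.11", "mac": "aa:bb:cc:00:00:02", "name": "phone"}],
    [{"ip": "192.168.1.10", "mac": "aa:bb:cc:00:00:01", "name": "laptop"},
     {"ip": "192.168.1.11", "mac": "aa:bb:cc:00:00:02", "name": "phone"},
     {"ip": "192.168.1.77", "mac": "de:ad:be:ef:00:01", "name": ""}],
    [{"ip": "192.168.1.10", "mac": "aa:bb:cc:00:00:01", "name": "laptop"},
     {"ip": "192.168.1.77", "mac": "de:ad:be:ef:00:01", "name": ""}],
]

if __name__ == "__main__":
    for line in run_monitor(KNOWN_DEVICES, SCANS):
        print(line)
```

Two caveats worth keeping in mind when relying on a tool like this: a MAC address is an identifier, not a credential, so the allowlist is a detection aid rather than an access control (the encryption key and WPA2 remain the control), and a device that blocks probes may still show up only through the router’s own client table, which a host-based scanner cannot always see.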


Original news article at https://www.ghacks.net on December 05, 2012 at 04:45PM

Want Microsoft’s Imagine Cup Grant? Combine Devices, Sensors And The Cloud

Microsoft’s Imagine Cup rewards student innovators with thousands of dollars worth of prizes, the chance to network with other entrepreneurs and valuable experience. But to develop those skills into a viable business can require additional funding, and Microsoft’s Imagine Cup Grant winners, announced Tuesday, now have that.

Team Graphmasters of Germany walked away with $100,000 in cash, which the company will use to develop a navigation system using Windows Phone and Microsoft’s cloud technology, Windows Azure. Team Stethocloud placed second, walking away with a $50,000 prize for its mobile-hybrid stethoscope that can be used to detect childhood pneumonia via the cloud.

See the similarities? The company is funding startups that combine a client sensor, like a phone, with the combined knowledge of the cloud. In fact, every team that Microsoft funded combined a Windows Phone with Windows Azure.

According to a Microsoft representative, each team was judged based on four criteria:

  1. Project impact and viability (40%), including whether or not the solution would be technically and economically viable.
  2. Team quality and motivation (30%), concerning how the team is structured, and how capable it appears to be to overcome obstacles.
  3. Solution design (20%), or how novel the solution is.
  4. Defining the problem (10%), or how broad the problem that the team is solving actually is.

Imagine Cup Grants are a three-year, $3 million competitive grants program that provides opportunity for young people by helping them realize their vision of bringing their technology enabled projects to life, according to Microsoft. Grant recipients receive funding, access to resources and support to help them create a business or nonprofit organization. The Imagine Cup Grants are part of Microsoft YouthSpark, a global initiative that aims to create opportunities for 300 million youth in more than 100 countries during the next three years.

Graphmasters: Solving Traffic Problems, Collaboratively

According to Christian Brueggemann, who is involved in the technical development of the algorithms behind Team Graphmasters, the company began life as an academic project, natch, which competed in the Imagine Cup about four years ago.

The company’s first product – originally dubbed “Greenway” and now known as “Nunav” – uses a combination of cloud services and devices not to route drivers to their destination via the shortest, most optimized route, but to send them along a variety of paths to minimize total congestion. That, in turn, can cut the amount of time all drivers spend idling in traffic, reducing congestion and the greenhouse gases produced by wasted fuel. In a hypothetical example, one car can produce 2.5 tons of carbon dioxide per year – enough that a forest of 200 trees would be needed to consume it all. In total, the CO2 output from the world’s cars would require a forest the size of Australia.


Rival navigation systems, according to Brueggemann, are reactive: a driver’s GPS device encounters a traffic jam, reports it, is rerouted, possibly encounters another traffic jam, and the process repeats itself. What Nunav attempts to do, he said, was to proactively assign drivers to side streets, so that every driver wasn’t trying to fit through the same high-speed bottlenecks. (It’s worth noting that Graphmasters’ examples focused on cities, where a number of relatively equal alternative routes present themselves.)

“A reactive system routes drivers around traffic jams that already exist, and when the traffic jam exists, you already have the problem,” Brueggemann said.

All Nunav needs is about 1% of the cars on the road to communicate and respond to create a detailed traffic overview, and about 10% of the GPS infrastructure. “The strategy we’re making is to get our service into the navigation systems already in the market, because once we do that it will be very easy to get 10% of users,” Brueggemann said. That doesn’t necessarily mean only Windows Phones, but all GPS devices.

And what’s the business model? It’s a new one: Nunav charges for the accelerated route. Yes, it’s only $.10 or so, which Graphmasters promises will be made up for by reduced stress.

Stethocloud And Winsenga

The same strategy – the cloud plus a device – drove the introduction of Stethocloud, a nifty app developed by four students from Australia. The team created a digital stethoscope that could be plugged into the audio jack of a smartphone. The goal is to help diagnose and treat pneumonia. 


After a user enters some basic information about the child, such as the date of birth, the app asks the parent or doctor to hold the stethoscope up to eight points on the child’s chest, “listening” and then uploading the sound file to the cloud. An algorithm then determines whether or not the child has pneumonia, and advises a course of treatment.

That same approach was used to develop Winsenga, which combines a high-performance microphone placed within a Pinard horn, rural Africa’s answer to the stethoscope. Without access to ultrasound machines, doctors and nurses have to rely on their own ears to determine if a fetus is alive, and what problems there might be. The app listens to the heartbeat, diagnoses any problems and issues an alert if needed.


Team Vivid from Egypt and Team QuadSquad from Ukraine each won $50,000 to form companies that can access healthcare records from mobile devices, as well as help disabled individuals speak more effectively.

The message here is clear: Microsoft is looking for developers focused on using devices as a local sensor and tapping into the cloud for specialized intelligence and additional computing horsepower. Whether it’s Microsoft technology talking to Microsoft services, or something like Symbian talking to an Amazon Web Services hosted application running within Amazon’s cloud, the company sees the combination of local sensors and back-end intelligence as a powerful trend it wants to encourage.


Original news article at https://readwrite.com on December 05, 2012 at 06:30PM

5 tips to stay safe on the Internet

Why is it that many computer users do not take better care of their systems security-wise? I think the main reason is that security does not matter for as long as you are not attacked or encounter situations where you need better security. When that happens, it is often too late, and while many Internet users learn from this, it is still fair to say that security is something that many users ignore for the most part.

Many may have an antivirus solution installed because all the magazines and sites tell them that this is important, but it usually does not go further than this.

I’d like to present to you 5 tips that help you stay safe on the Internet. Some recommend software programs or browser extensions, while others explain key security concepts that you can use to make sure you are safe. Feel free to add your own recommendations in the comment section below.

1. Updates

I’m not telling you to install antivirus solution A or B, or that you need a bi-directional firewall, or need to scan your system from time to time with a rootkit scanner. No, the most important tip is to keep your system up to date. This includes Windows Updates that get released on the second Tuesday of every month. Make sure you install them when they are released, and not days, weeks or months later (unless you know what you are doing).

But updating does not end there. You also need to make sure that your programs are up to date, especially those that you use to connect to the Internet, web browsers for instance, but also programs that may embed plugins into those browsers, like Adobe with its Flash Player.

Some programs come with options to install updates automatically, while others require you to download and install updates by yourself.

I recommend to activate automatic updates in Windows and in your browser of choice. It is also useful to stay on top of Flash and Java updates, and updates for other browser plugins you are using.

To find out which you are using, enter about:plugins in Firefox or Opera, and chrome://plugins/ in Google Chrome. For Microsoft’s Internet Explorer, it is complicated. You need to open the Windows Registry Editor and look under the following keys:

  1. HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
  2. HKLM\Software\Microsoft\Internet Explorer\Toolbar
  3. HKLM\Software\Microsoft\Internet Explorer\Extensions


Some web browsers inform you if plugins need updating. You can visit Mozilla’s Plug-in Check site to test if plugins in your browser need updating. Note that this may not work in all browsers.

2. Know Internet addresses

Sounds easy, but it is something that most users do not pay attention to. The Internet address, or website address or URL, determines the site you are connected to. What you need to understand is that https is better than http, and that finance related sites, like your bank’s website, payment processors and the payment section of shopping sites, need to display https in front. You also need to make it a habit to check the web address.


You can also click on the icon in front to get additional information in your browser.

Link checking is important. This is done by hovering your mouse cursor over a link to read the web address it links to. Browsers and other programs usually display link destinations then, which you should make use of to make sure a link leads to the correct destination and not a phishing or fake site.

If you are unsure, enter the address manually instead in your browser or contact the support of the site to find out if the mail is legit or not.
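What a person does when hovering over a link (read the scheme, read the host, compare it with the site they expect) can be written down as a check, which is handy when you want to vet the links in a received message before clicking any of them. The block below is an added example for this digest, not code from the article; it uses only the standard library, and every URL in the sample list is constructed under the reserved `.test` top-level domain.

```python
"""Vet link targets the way the article tells readers to by hand: check the
scheme, the host, credentials hidden in the URL and whether the visible text
names a different site than the real destination. Added example; all sample
links are constructed under the reserved .test TLD."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Naive on purpose: a production check should
    consult the public suffix list so that e.g. bank.co.uk is handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def host_of(text: str) -> Optional[str]:
    """Host named by a piece of text if it looks like a URL, else None."""
    parts = urlsplit(text.strip())
    return parts.hostname.lower() if parts.scheme and parts.hostname else None


def inspect_link(href: str, expected_domain: str, visible_text: str = "") -> Dict[str, object]:
    """Return the host the link really goes to and a list of reasons not to trust it."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    findings: List[str] = []
    if parts.scheme != "https":
        findings.append("not https")
    if parts.username or parts.password:
        findings.append("credentials embedded in the URL")
    if registrable_domain(host) != expected:
        findings.append(f"host {host!r} is not {expected!r}")
        if expected in host:
            findings.append("expected site name appears inside a different domain")
    shown = host_of(visible_text)
    if shown and shown != host:
        findings.append(f"visible text names {shown!r} but the link goes to {host!r}")
    return {"host": host, "ok": not findings, "findings": findings}


def check_links(links: List[Dict[str, str]], expected_domain: str) -> List[Dict[str, object]]:
    """Inspect every (text, href) pair from a message; returns one result per link."""
    results = []
    for link in links:
        result = inspect_link(link["href"], expected_domain, link.get("text", ""))
        result["href"] = link["href"]
        results.append(result)
    return results


# Constructed links, as they might be extracted from a message that claims to be
# from example-bank.test. Only the first one actually goes where it should.
SAMPLE_LINKS = [
    {"text": "Log in", "href": "https://www.example-bank.test/login"},
    {"text": "https://www.example-bank.test/verify",
     "href": "http://example-bank.test.login-check.test/verify"},
    {"text": "Account page", "href": "https://user:pw@example-bank.test/account"},
]

if __name__ == "__main__":
    for r in check_links(SAMPLE_LINKS, "example-bank.test"):
        status = "OK " if r["ok"] else "BAD"
        print(status, r["href"], "; ".join(r["findings"]))
```

The second sample link is the case the article warns about: the visible text looks right and the expected name even appears in the host, but the registrable domain is something else entirely. Note that `urlsplit` does not validate the URL, so an address typed by hand into the browser, as the article recommends, remains the simplest way to be sure.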

3. Pick secure unique passwords

A password like Dallas or 123456 is easy to remember, but what you need to consider is that it is also easily guessable. You need to select secure unique passwords whenever you sign up for a service.

Secure means that it needs to have a decent length, 12 to 16 characters is a good start, and that it is diverse, meaning that you mix letters, numbers and special characters if allowed by the site. Since it is quite difficult to remember passwords like V34cy_dsf23$s23, especially if you have dozens or more of those, it is advised to use a password manager. You can use an online password manager like LastPass for that, or a desktop password manager like the excellent KeePass.


These programs not only save your passwords and usernames, they also include password generators which simplify the creation of secure passwords.

Unique, on the other hand, means that you should not use the same password on more than one site. The only exception that I’d make here is if the account is not personal, e.g. you have signed up for a site to watch videos there but have not entered any personally identifiable information.

Do not write those passwords down physically, save them in unencrypted form on the computer, or tell them to anyone you know or do not know.
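The two properties the section asks for, secure and unique, can both be checked mechanically, and a generator should guarantee the first rather than hope for it: a random 16-character string will occasionally contain no digit at all. The block below is an added example (not KeePass’s or LastPass’s code) that generates passwords meeting the stated policy from the operating system’s cryptographic randomness, validates any password against it, and finds reuse across a vault; the vault contents and the short common-password list are constructed for the demo, where a real check would use a large leaked-password list.

```python
"""Password policy from the article (length 12-16+, mixed character classes,
unique per site) as code. Added example with constructed sample data."""
import secrets
import string
from typing import Dict, List

# A real deployment checks against a large breached-password list; this is a stand-in.
COMMON_PASSWORDS = {"123456", "password", "dallas", "qwerty", "letmein"}


def password_problems(pw: str, min_length: int = 12, require_symbol: bool = True) -> List[str]:
    """Return every way pw falls short of the policy; an empty list means it passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if require_symbol and not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


def generate_password(length: int = 16, allow_symbols: bool = True) -> str:
    """Draw from the OS CSPRNG (secrets, not random) and reject draws that miss a class,
    so every character position stays uniformly random and the policy still holds."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    alphabet = string.ascii_letters + string.digits
    if allow_symbols:
        alphabet += string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate, min_length=length, require_symbol=allow_symbols):
            return candidate


def reused_passwords(vault: Dict[str, str]) -> List[List[str]]:
    """Groups of sites that share one password, sorted, so the user knows what to rotate."""
    by_password: Dict[str, List[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


# Constructed vault: three sites, two of them sharing a weak password.
SAMPLE_VAULT = {
    "mail.example.test": "Dallas",
    "shop.example.test": "Dallas",
    "bank.example.test": "V34cy_dsf23$s23",
}

if __name__ == "__main__":
    print("generated:", generate_password())
    for site, pw in SAMPLE_VAULT.items():
        print(site, password_problems(pw) or "ok")
    print("reused on:", reused_passwords(SAMPLE_VAULT))
```

The rejection loop is the part worth copying: fixing one character of each class at a known position and shuffling is a common shortcut, but rejection sampling keeps the whole string uniformly random over the strings that satisfy the policy, and for 16 characters it rarely needs more than a couple of draws.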

4. Use disposable mail / a second mail account

You do not and should not sign up for all services with your main account. One option that often makes sense is to create a second email account and use that account exclusively for sign ups on sites that are not overly important to you. While you might want to sign up with your real email address on your University’s student site, you should prefer a secondary address for social networking sites, news sites, blogs, gaming sites and more or less all other sites on the Internet.

Why? This is more of a “we sell your email address and profile information” kind of thing than it is a potential security hazard. Still, if you do not want to be swarmed by spam, use a secondary address or a disposable email.

Disposable email addresses basically let you create email addresses on the fly that have a limited lifespan. The idea is to sign up using one, get the confirmation email, click on the link, and never use that email address again. Pretty handy huh?

They are not useful for all types of sign ups though. Anyone with knowledge of the email address you signed up with can for instance request a password reset for your account. The email goes directly to the disposable email provider where anyone with knowledge can access it and reset your password. When that happens, it is usually only a matter of time until your account gets hijacked.

In short: they are very good when you need to sign up to a site to access contents. As soon as you reveal personal information, it is better to use a secondary email account for sign up.

5. Use common sense

A Nigerian prince wants to give you 10% of his 10 billion dollar stash but requests that you send him money first so that he can make the transfer? A woman you have never heard of before emails you and claims that she wants to have sex with you? An Iraq war veteran stumbled upon a ton of gold and needs logistics to transport it out of the country?

Those email messages and a lot more like them are common. Spammers try hard to get you on the hook. Even if you would not fall for those examples, there are others that you may. Examples of this are information about a package that a service like UPS tried to deliver but could not, a casino that is offering you free spins, or someone who claims to have made millions with a simple Internet site (and wants to sell that secret to you for $10).

A rule of thumb is that you should not open attachments of emails where the sender is not known to you. I do not open emails from businesses that I do not have a relationship with.

But common sense is also important when you are browsing the web. Congratulations, you are the 1,000th visitor, you have won an Apple iPad. Bogus messages are all around you, and it is best to ignore them all instead of falling prey to people who just want your data so that they can sell it to the highest bidder.

Common sense should probably have been number one on the list.

Closing Words

Anything that I missed that you’d like to add? Leave a comment below, I’d love to read your suggestions.


Original news article at https://www.ghacks.net on December 05, 2012 at 09:10PM