If you’re one of the tiny contingent still using Windows 10 Mobile, 10 December 2019 is probably a day you’ve been dreading for nearly a year.
As announced by Microsoft in January 2019, it’s the end of life date for version 1709 of the OS, which means that November’s Build 15254.597 (KB4522811) was its last ever software update and therefore its last set of security patches.
After this date, users are on their own, warming themselves in the fading heat of a dying star which began life with some fanfare what seems like a long time ago but was in fact only 2015.
It’s a death that’s been well-rehearsed by Microsoft – Windows 10 Mobile version 1703 users reached this end-of-life moment earlier this year, on 11 June.
From what we can tell, no new Windows 10 Mobile devices were released after early 2016, which means affected devices running version 1709 will be among the following models:
- Microsoft Lumia 550
- Microsoft Lumia 650
- Microsoft Lumia 950/950 XL
- HP Elite x3 (Verizon, Telstra)
- Wileyfox Pro
- Alcatel IDOL 4S
- Alcatel IDOL 4S Pro
- Alcatel OneTouch Fierce XL
- Softbank 503LV
- VAIO Phone Biz
- MouseComputer MADOSMA Q601
- Trinity NuAns Neo
Bad news too for anyone still running the unsupported (as of 11 July 2017) Windows Phone 8.1, which sees the end of its app store support on 16 December 2019. No feature updates, no security fixes and now no software of any kind.
Build 15254.597 fixes some Intel chip issues plus a small pile of other flaws Microsoft doesn’t identify in detail, some of which were included in previous updates:
- Intel Processor Machine Check Error vulnerability (CVE-2018-12207).
- Protections against the Intel Transactional Synchronization Extensions (TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135).
- Security fixes for Microsoft Scripting Engine, Internet Explorer, Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Input and Composition, Microsoft Edge, Windows Fundamentals, Windows Cryptography, Windows Virtualization, Windows Linux, Windows Kernel, Windows Datacenter Networking, Windows Peripherals, and the Microsoft JET Database Engine.
Safe to say, if you run this OS, you’ll want the update, which should happen automatically.
Ironically, not many Microsoft employees will download this update because it seems that not many people inside Microsoft use Windows 10 Mobile. That includes figurehead Bill Gates himself, who in 2017 admitted he used an unspecified Android smartphone.
Phrases like ‘end of an era’ are easy to throw around but this does feel like one. Microsoft’s dream of a Windows for mobile devices is finally past tense.
The post Windows 10 Mobile receives its last security patches – Naked Security appeared first on National Cyber Security.
View full post on National Cyber Security
Source: National Cyber Security – Produced By Gregory Evans In nearly every security environment, competing priorities are a constant battleground. Here’s how to keep the focus on what’s important. When I sit down to write an article, I encounter any number of distractions. Each distraction seems to want nothing more than to keep me from […] View full post on AmIHackerProof.com
ESG research recently completed a new research project focused on security analytics and operations. As part of this project, ESG surveyed 406 IT and security professionals working at midmarket and enterprise organizations in North America across all industries. Based on the research results, we came to the following conclusions:
Security analytics and operations continue to grow more difficult.
Nearly two-thirds (63%) of survey respondents claim that security analytics and operations are more difficult today than they were two years ago. This increasing difficulty is being driven by external changes and internal challenges. From an external perspective, 41% of security pros say that security analytics and operations are more difficult now due to rapid evolution in the threat landscape, and 30% claim that things are more difficult because of the growing attack surface.
Security teams have no choice but to keep up with these dynamic external trends. On the internal side, 35% of respondents report that security analytics and operations are more difficult today because they collect more security data than they did two years ago, 34% say that the volume of security alerts has increased over the past two years, and 29% complain that it is difficult to keep up with the volume and complexity of security operations tasks. Security analytics/operations progress depends upon addressing all these external and internal issues.
The security data pipeline dilemma: More data, more problems.
Just under one-third (32%) of organizations collect substantially more data to support cybersecurity analytics and operations today than they did two years ago, while 44% collect somewhat more security data. Furthermore, 52% of organizations retain this data online for longer periods of time than they did in the past. The volume of real-time and historical security data creates massive data repositories that are costly and difficult to manage. Security analysts commonly offer a complaint worthy of Yogi Berra: “We have so much security data that we can’t find anything we’re looking for.”
Traditional on-premises SIEM is an incomplete solution.
A full 70% of organizations continue to anchor their security analytics and operations with security information and event management (SIEM) systems. Despite this central role, security operations center (SOC) teams now surround the SIEM with additional tools for threat detection/response, investigations/query, threat intelligence analysis, and process automation/orchestration. This raises the question: If SIEM is essential to security analytics and operations, why do organizations need so many tools?
The research reveals that while SIEM is good at discovering known threats and generating security and compliance reports, it’s not well suited for detecting unknown threats or other security operations use cases. What’s more, 23% of security pros say that SIEM platforms require lots of personnel training and experience, and 21% believe that SIEM requires constant tuning and operational overhead to be useful. SIEM isn’t going away, but it needs help.
Staffing and skills shortages remain ubiquitous.
Three-quarters of survey respondents agree that the cybersecurity skills shortage has affected security analytics and operations at their organizations. Can’t CISOs simply hire their way out of this situation? It’s not that easy: 70% of security pros say that it is extremely difficult or somewhat difficult to recruit and hire SOC personnel. Organizations are addressing the skills gap by turning to managed services. Seventy-four percent of organizations use managed security services (for security analytics and operations) today, and 90% plan on increasing their use of managed security services in the future. When it comes to the SOC, it seems that no one can go it alone anymore.
Security analytics and operations technologies are migrating to the public cloud.
In the past, CISOs preferred the hands-on control of on-premises security analytics and operations technology, but this is no longer true. The research indicates that 41% of organizations prefer cloud-based security analytics and operations technologies while another 17% are willing to look at cloud-based security analytics and operations technology options on a case-by-case basis.
Why move to the cloud? The most obvious reason is to avoid the cost and complexity of an on-premises security analytics and operations infrastructure (i.e., deployment and ongoing operations of data collectors/processors, load balancers, servers, storage devices, etc.). Interestingly, some progressive organizations believe that scalable, burstable cloud-based processing and storage resources can provide analytics opportunities they simply can’t achieve with homegrown on-premises efforts. This is particularly true with the application of machine learning algorithms on massive security data sets.
Based upon this research, ESG has four recommendations for CISOs and security professionals:
- CISOs must address SOC deficiencies with long-term and comprehensive strategies that can improve security efficacy, bolster operational efficiency, and support business objectives. Tactical tweaks won’t do.
- Large organizations should understand that security analytics and operations is a big data application. This demands that security teams have appropriate data management skills so they can build and operate security data pipelines at scale.
- CISOs must plan for cloud migration so they can create a security operations and analytics platform architecture (SOAPA) that helps them prevent, detect, and respond to security incidents across hybrid IT infrastructure. “Lift-and-shift” should be viewed as a starting, not an ending, point.
- To address the scale and scope of security operations along with the ongoing cybersecurity skills shortage, SOC managers must lean on artificial intelligence, security process automation, and managed services moving forward. Once again, CISOs need a detailed plan on how these elements will augment the SOC staff, supplement and improve SOC processes, and better safeguard critical business assets.
Jon Oltsik is an ESG senior principal analyst, an ESG fellow, and the founder of the firm’s cybersecurity service. With over 30 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help …
There’s a serious debate on reforming Section 230 of the Communications Decency Act. I am in the process of figuring out what I believe, and this is more a place to put resources and listen to people’s comments.
The EFF has written extensively on why it is so important and dismantling it will be catastrophic for the Internet. Danielle Citron disagrees. (There’s also this law journal article by Citron and Ben Wittes.) Sarah Jeong’s op-ed. Another op-ed. Another paper.
Here are good news articles.
Reading all of this, I am reminded of this decade-old quote by Dan Geer. He’s addressing Internet service providers:
Hello, Uncle Sam here.
You can charge whatever you like based on the contents of what you are carrying, but you are responsible for that content if it is illegal; inspecting brings with it a responsibility for what you learn.
You can enjoy common carrier protections at all times, but you can neither inspect nor act on the contents of what you are carrying and can only charge for carriage itself. Bits are bits.
Choose wisely. No refunds or exchanges at this window.
We can revise this choice for the social-media age:
Hi Facebook/Twitter/YouTube/everyone else:
You can build a communications based on inspecting user content and presenting it as you want, but that business model also conveys responsibility for that content.
You can be a communications service and enjoy the protections of CDA 230, in which case you cannot inspect or control the content you deliver.
Facebook would be an example of the former. WhatsApp would be an example of the latter.
I am honestly undecided about all of this. I want CDA230 to protect things like the commenting section of this blog. But I don’t think it should protect dating apps when they are used as a conduit for abuse. And I really don’t want society to pay the cost for all the externalities inherent in Facebook’s business model.
*** This is a Security Bloggers Network syndicated blog from Schneier on Security authored by Bruce Schneier. Read the original post at: https://www.schneier.com/blog/archives/2019/12/reforming_cda_2.html
The post #cybersecurity | #hackerspace | Reforming CDA 230 – Security Boulevard appeared first on National Cyber Security.
#nationalcybersecuritymonth | Alex Pickering, BBC Studios’ Content Security Chief Named as New Chair by CDSA Board of Directors
Source: National Cyber Security – Produced By Gregory Evans The global entertainment industry’s advocate for content security, content protection and information security, the Content Delivery & Security Association (CDSA), has named BBC Studios’ Content Security Director, Alex Pickering as its new Chairman. Pickering will direct the strategy for the Association’s mission of providing global community engagement around […] View full post on AmIHackerProof.com
Source: National Cyber Security – Produced By Gregory Evans A list of 26 MSSP mergers, acquisitions, buyouts & investments involving managed security services providers (MSSPs), Managed Detection & Response (MDR) & more. by Joe Panettieri • Dec 4, 2019 This blog offers an ongoing list of managed security services provider (MSSP) mergers and acquisitions that […] View full post on AmIHackerProof.com
Source: National Cyber Security – Produced By Gregory Evans Underestimating the security changes that need to accompany a shift to the cloud could be fatal to a business. Here’s why. The cloud has changed a lot about the way we conduct business, but one of the most significant shifts has been in the realm of […] View full post on AmIHackerProof.com
#nationalcybersecuritymonth | How to Really ‘Own IT’ for National Cybersecurity Awareness Month – Homeland Security Today
National Cybersecurity Awareness Month (NCSAM) is in its 16th year. The theme for 2019 – Own IT. Secure IT. Protect IT. – is focused on encouraging personal accountability and proactive behavior in security best practices and digital privacy. Considering that individually we are picking up our smartphones an average of 77 times a day and spending nearly 12 hours a day in front of a screen, the digital lines between work and personal lives are all but gone. With nearly every facet of our lives impacted by what we do online, NCSAM calls to action this year include:
- Own IT. If you are reading this, you are using a digital device. Whether you own the device or not, we are all responsible for how we use them – from the data they store and transmit to the information we post online about ourselves and others, or share with other third parties. We are all responsible for our digital footprints, including the data apps collect and transmit from these devices.
- Secure IT. If you own it, you must secure it, from strong credentials (unique usernames, passwords/passphrases, and multifactor authentication) to physical access. This includes securing computers, laptops, tablets, smartphones, apps, and website logins.
- Protect IT. If you own it, you must protect it with security updates and safe browsing practices. Stored information, including personal and customer/consumer data that you gather from others, must also be protected. Every organization has a duty to safeguard the confidentiality, integrity, and availability of data obtained from other persons.
Struggle with Passwords Continues
After all of these years, we are still terrible at creating and managing passwords. Year after year the most commonly used (and breached) passwords still include – you got it – ‘password’ and ‘12345678.’ Variations like ‘p@$$w0rd’ are not any better as they contain common substitutions such as ‘@’ for ‘a,’ etc. Given these shortcomings, password hygiene is a leading topic any time of year, but as National Cybersecurity Awareness Month continues it is a good time for another reminder for organizations to do better at helping employees improve password management.
It is no secret that passwords alone are not the best method to safeguard our digital assets, especially weak passwords. Password security firm LastPass recently published its 3rd Annual Global Password Security Report, which highlights how employees’ continued poor password habits weaken the overall organizational security posture. To effect positive password changes, it is up to organizations to take action to improve password hygiene. Read on for three simple and effective low-cost and no-cost solutions companies and their employees should apply today to start improving overall security and reduce the risk posed by stolen passwords.
Longer Passwords Take Longer to Crack
Enforcing the use of longer passwords or passphrases can go a long way. Depending on computing power (and other factors), it could take approximately 23 seconds to crack ‘football1’ (or similar) vs. over 10,000 centuries to crack ‘R73&nebp@98backyard45’ or ‘tHe!weatheriscoLd67outside?’. In addition to making passwords longer, not reusing them across multiple sites and services cannot be overstated. Even if a password is stolen, if it is only used for a single site or service, cyber thieves can only potentially compromise that single account, not the entire kingdom.
Passwords Aren’t Perfect, but MFA Could Save the Day
Adding multifactor authentication (MFA) is another quick win. MFA does not guarantee an account will not be compromised, but it does significantly reduce that likelihood. Authenticator apps like Duo, Authy, and Google Authenticator provide low-cost, no-cost, hassle-free options to add an additional layer of security to the authentication process. This extra step reduces the risk a malicious attacker would be able to successfully log in and compromise valuable accounts, even with a stolen password.
The “Problem” with Password Managers
Password managers store passwords and create strong (and long) passwords so you do not have to – what’s wrong with that? Skeptical about password managers? Password managers don’t have to be perfect, they just have to be better than not having one, says cybersecurity expert Troy Hunt (founder of haveibeenpwned). Other quips by Troy: The only secure password is the one you can’t remember, and when accounts are “hacked” due to poor passwords, victims must share the blame. There are several reputable password managers to choose from, but if you are looking for “go here, do this” for picking a “good” one, check out Troy’s post on why he partnered with 1Password. On a final note, the aforementioned LastPass Global Security Report found that password manager adoption increases when it is convenient. If employees can access and use password managers from their smartphone or other device of their choice, they are more likely to use it. So, what IS the “problem” with password managers? They simply are not used enough.
Cybersecurity Awareness All Year
While October is designated NCSAM, cybersecurity awareness is far from a once-a-year activity. NCSAM materials provide proactive awareness content to use throughout the year. So, while you are sipping that long-awaited (or 100th) pumpkin spice latte, review NCSAM materials for tips, resources, webinars, and workshops. In addition, it is not too late to demonstrate your cybersecurity awareness commitment by becoming an NCSAM Champion. Some of the best NCSAM Champions come from the information-sharing community – WaterISAC, Research & Education Networks ISAC (REN-ISAC), Information Technology ISAC (IT-ISAC), Retail & Hospitality ISAC (RH-ISAC), National Council of ISACs (NCI), Faith-Based ISAO (FB-ISAO), InfraGardNCR, and InfraGard Los Angeles – and they are ensuring organizations and consumers have the resources to stay safer and more secure online. Follow #BeCyberSmart and #CyberAware on social media for great security awareness tips from the NCSAM Champions and others.
Finally, NCSAM is a great time to bolster or jump-start your cybersecurity awareness program. Interested in a ready-made program to plug into your organization? The Cyber Readiness Institute (CRI) may have just the program! Founded by the CEOs of Mastercard, Microsoft, the Center for Global Enterprise, and PSP Partners, CRI’s Cyber Readiness Program is a no-cost, practical, step-by-step guide to help small- and medium-sized enterprises become cyber ready. Completing the program will help make your organization safer, more secure, and stronger in the face of cyber threats.
Techies are used to worrying about the longevity of their data storage. Hard drive heads used to have a nasty habit of crashing before laptops introduced software to protect them from drops and power surges. ‘Data rot‘ can damage your DVD storage, and magnetic tape can suffer as its substrates and binders degrade.
But what about the firmware, which contains the instructions for reading and writing from the media in the first place? That’s now an issue too, thanks to HPE. It had to recall some of its solid-state drives (SSDs) last week after it found that they were inadvertently programmed to fail.
The company released a critical firmware patch for its serial-attached SCSI (SAS) SSDs, after revealing that they would permanently fail by default after 32,768 hours of operation. That’s right: assuming they’re left on all the time, three years, 270 days, and eight hours after you write your first bit to one of these drives, your records and the disk itself will become unrecoverable.
The company explained the problem in an advisory, adding that an unnamed SSD vendor tipped it off about the issue. These drives crop up in a range of HPE products. If you’re a HPE ProLiant, Synergy, Apollo, JBOD D3xxx, D6xxx, D8xxx, MSA, StoreVirtual 4335, or StoreVirtual 3200 user and you’re using a version of the HP firmware before HPD8, you’re affected.
You might hope that a RAID configuration would save you. RAID disk implementations (other than RAID 0, which focuses on speed) mirror data for redundancy purposes, meaning that you can recover your data if disks in your system go down. However, as HPE points out in its advisory:
SSDs which were put into service at the same time will likely fail nearly simultaneously.
Unless you replaced some SSDs in your RAID box, they’ve probably all been operating for the same amount of time. RAID doesn’t help you if all your disks die at once.
This bug affects 20 SSD model numbers, and to date, HPE has only patched eight of them. The remaining 12 won’t get patched until the week beginning 9 December 2019. So if you bought those disks a few years ago and haven’t got around to backing them up yet, you might want to get on that.
HPE explains that you can also use its Smart Storage Administrator to calculate your total drive power-on hours and find out how close to data doomsday your drive is. Here’s a PDF telling you how to do that.
Unfortunately, HPE didn’t include the same kind of warning that Mission Impossible protagonist Jim Phelps got at the beginning of every episode: “This tape will self destruct in five seconds”.
But then, 117,964,800 seconds is a little harder to scan. In any case, your mission, should you choose to accept it, is to back those records up.
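To turn the power-on-hours figure into a backup priority list, the following added example (not code from HPE or from the original article) ranks unpatched drives by hours left before the 32,768-hour mark and flags arrays whose drives would fail close together. The inventory is constructed sample data, and the script assumes firmware versions follow an ordered `HPD<number>` naming and that drives stay powered on continuously.

```python
from datetime import datetime, timedelta

FAILURE_HOURS = 32_768   # power-on hours at which affected drives fail, per the advisory
FIXED_FIRMWARE = 8       # "HPD8": firmware before this version is affected

# Constructed sample inventory: (array, bay, firmware, power-on hours).
# In practice the hours come from a tool such as Smart Storage Administrator.
SAMPLE_INVENTORY = [
    ("array-A", "bay-1", "HPD5", 31_900),
    ("array-A", "bay-2", "HPD5", 31_898),
    ("array-A", "bay-3", "HPD8", 31_899),   # already patched
    ("array-B", "bay-1", "HPD6", 12_000),
    ("array-B", "bay-2", "HPD6", 30_500),   # replaced at a different time
]


def firmware_number(version):
    """Parse 'HPD5' -> 5. Assumes ordered HPD<number> version names."""
    prefix, digits = version[:3].upper(), version[3:]
    if prefix != "HPD" or not digits.isdigit():
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return int(digits)


def hours_remaining(power_on_hours):
    """Hours of operation left before the failure threshold (never negative)."""
    return max(0, FAILURE_HOURS - power_on_hours)


def triage(inventory, now, window_hours=72):
    """Return (unpatched drives sorted soonest-failure-first,
    arrays where two or more unpatched drives fail within window_hours)."""
    at_risk = []
    for array, bay, firmware, poh in inventory:
        if firmware_number(firmware) >= FIXED_FIRMWARE:
            continue  # patched firmware, not affected
        left = hours_remaining(poh)
        at_risk.append({
            "array": array,
            "bay": bay,
            "hours_left": left,
            # Projected date assumes the drive is never powered off.
            "fails_by": now + timedelta(hours=left),
        })
    at_risk.sort(key=lambda d: d["hours_left"])

    by_array = {}
    for drive in at_risk:
        by_array.setdefault(drive["array"], []).append(drive["hours_left"])
    clustered = sorted(
        array for array, lefts in by_array.items()
        if any(b - a <= window_hours for a, b in zip(lefts, lefts[1:]))
    )
    return at_risk, clustered


if __name__ == "__main__":
    drives, clustered = triage(SAMPLE_INVENTORY, datetime(2019, 12, 1))
    for d in drives:
        print(f'{d["array"]} {d["bay"]}: {d["hours_left"]} h left, '
              f'fails by {d["fails_by"]:%Y-%m-%d %H:%M}')
    print("arrays with near-simultaneous failures:", clustered)
```

Arrays in the second list are the ones where RAID redundancy offers no protection, so they belong at the top of the backup and patch queue.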
The post HPE warns of impending SSD disk doom – Naked Security appeared first on National Cyber Security.
Source: National Cyber Security – Produced By Gregory Evans MONROE, La. (KNOE) – Gov. John Bel Edwards declared a state of emergency following a cyber-attack on Nov. 18. An apparent “ransomware” virus infected 1,500 of the state’s 30,000 computers last week. This […] View full post on AmIHackerProof.com