The biggest challenge in security? Human nature

WIRED

They say that, on the internet, nobody knows you're a dog1.


Technology is making it easier to trust strangers2


Or, at least, they used to. As memes go, that image macro of a pup propped up with its paws on a keyboard, masquerading nominally as human, sits somewhere on the Venn diagram between "twee", "nostalgic" and "things from the internet your kids don't remember and will judge you for". The 1993 New Yorker cartoonist originally responsible for the gag, Peter Steiner, couldn't possibly have guessed how hot-button an issue anonymity and trust online would become: bored script-kiddies, organised crime gangs and multi-billion-dollar government agencies sprouted, flowered and burst like cyber-spores onto an unsuspecting internet, targeting everyone and their nan (especially the nans) with schemes designed to exploit trust. The more we rely on devices for the day-to-day running of our lives, the lower we dangle like fruit for criminals.

"Folks who have been tasked with cybersecurity have been, for the past few decades, building defences using a model of isolation," says Allison Miller, product manager in security and privacy at Google. "But what's happening with technology today, particularly consumer technology, is that we are becoming interconnected... People have become the new target. As opposed to, for example, all attackers focusing on getting into sensitive enterprises to get their corporate data, there's a lot of bad behaviour that ends up getting focused on users."

Miller and the Google security team are building the tools that gently (or in some cases, urgently) steer users safely away from sites that might have been designed or compromised to install malware or phish for personal data. Perhaps the most readily familiar example of the team's work is the joltingly all-red Chrome warning screen: the page a user is diverted to should they stray, unwittingly, into dangerous territory. It's an example of why internet users need unseen security teams working on their behalf: as online attack vectors become more numerous and more sophisticated, the average user can't keep up.


And that's a problem that doesn't just apply to individuals: while the enormous, household-name internet companies can afford to throw diamond after gold brick at protecting their data (even then, not always successfully), smaller companies rely just as heavily on consumer trust, and have to decide how much budget to allocate to it from comparatively thimble-sized pots.

"That's the question of the ages: how do you determine how much to invest in security?" says Miller, of the line between protection and paranoia for smaller companies. "And that is not something I can answer simply... It's worth it to sit down and figure out what is most valuable to you, what you have that might be most valuable to folks who would do ill or might potentially take advantage of you.


"The complexity rises as you go from being an individual to being an organisation, but unfortunately... I think large enterprises are in the best position to find experts who will help them identify what's at risk and how to protect it."

Whatever their size, companies that misjudge the allocation of resources for security (or are just unlucky) stand to lose more than just client information and money. Data dumps of user info, as any former Ashley Madison3 member might tell you, also cost companies a second digital currency: trust.

Human nature doesn't scale up well to the company that, through bad luck or negligence, is ultimately responsible for your credit card details ending up on a mile-long list of account numbers and sort codes swapping back and forth on the dark web. We trust companies like we trust friends: you get screwed over once, and it's an uphill battle to win you back.

"Institutional trust was not designed for the digital age," says Rachel Botsman, author of What's Mine is Yours and the upcoming Who Can You Trust?, on how trust translates into the digital world. "If you think of risk mechanisms, whether that be the way we think about government, or regulation, or insurance contracts, they were all designed during the industrial revolution and haven't really evolved that much. So when we talk about institutions rebuilding trust, there is this belief that we can go back to this institutional era of trust that was very opaque, very top-down and very decentralised."

The interim solution is already here, albeit in nascent form: trust scores. Ebay, Amazon, Airbnb and TripAdvisor already rely on them. In lieu of knowing a stranger in person, we trust a combination of star ratings, reviews and numbers. The mass decentralisation of the internet forces us not to trust a single stranger, but an aggregate of them: a web of dozens, hundreds or thousands of strangers.

As it is now with the auctioning of celebrity autographs or the buying of an impregnable sub-£20 pop-up tent, so it will be with banks, public institutions, maybe even governments. "I think these rate and review systems are inevitable, and I think these will be the tools that we use to assess trustworthiness," Botsman says. "I'm not saying that should be the goal. Trust is highly contextual.


"If the goal is to increase trustworthiness, whether that's a corporation or an individual, you've basically got two ways of doing that. The old way was through legislation and regulation, which led to more standards and more compliance. I'm not saying that's going to go away. But the other option is: how do you provide information that empowers individuals to assess trustworthiness themselves? And that's what I think we're in the very, very early stages of figuring out."

All of which neatly covers two extremes on a spectrum.

If you're a one-person business, a consultant or freelance-anything, your trust score will be on your CV right below your name. At the other end: if you're a million-or-billion-pound enterprise and slip up, there's no cushion like cash. The question is: what about the people in the middle? Where is the room for experimentation, failure and progress if the internet's web of strangers turns against your company in its first week?

"I think that small businesses are in an interesting spot, because they don't necessarily have the investment or the technical expertise of an enterprise, but they have to think like an organisation," says Miller. "They have to think in a different way to individuals, and to me: that's where the biggest gap or question mark in cybersecurity is today."

Want to know more about the cyber threats of the future? WIRED Security 2017 returns to London on September 28 to discuss the latest innovations, trends and threats in enterprise cyber defence, security intelligence and cybersecurity. Join us at King's Place by booking your tickets today4.

References

  1. nobody knows you're a dog (www.google.co.uk)
  2. Technology is making it easier to trust strangers (www.wired.co.uk)
  3. Ashley Madison (www.wired.co.uk)
  4. booking your tickets today (www.eventbrite.co.uk)

Carbon Black denies its IT security guard system oozes customer secrets

Security firms are, understandably, quite sensitive about claims that their products are insecure, so accusations of this sort tend to cause a kerfuffle.

On Wednesday, security consultancy DirectDefense published a blog post1 claiming endpoint security vendor Carbon Black's Cb Response protection software would, once installed for a customer, spew sensitive data to third parties. This allegedly included customers' AWS, Azure and Google Compute private keys, internal usernames and passwords, proprietary internal applications, and two-factor authentication secrets.

Jim Broome, president of DirectDefense, said the problem stems from the way Cb Response patrols corporate file systems and transmits data out to third-party malware scanners to check whether files are legit or infected with nasties. If the Cb Response installation doesn't recognize a document or executable, it can punt it out to multiple scanners to see if they have come across the binaries before, and whether they're safe or need quarantining.

“This means that files uploaded by Cb Response customers first go to Carbon Black (or their local Carbon Black server instance), but then are immediately forwarded to a cloud-based multiscanner, where they are dutifully spread to anyone that wants them and is willing to pay,” he explained.

“Welcome to the world’s largest pay-for-play data exfiltration botnet.”

Broome said that his team had discovered this flow of data while working for a client last year, and has since found multiple organizations using the Cb Response system. He said his team went public with its findings to warn people without informing the vendor, and put out a press release2 to highlight the supposed danger.

However, Carbon Black has fired back with a blog post of its own, claiming DirectDefense got its facts wrong. It's not a bug causing the data emissions, it's a feature.

Bug? Feature?

“This is an optional feature, turned off by default, to allow customers to share information with external sources for additional ability to detect threats,” said3 Michael Viscuso, cofounder of Carbon Black.

"In Cb Response, there is an optional, customer-controlled configuration (disabled by default) that allows the uploading of binaries (executables) to VirusTotal for additional threat analysis.

This option can be enabled by a customer, on a per-sensor-group basis. When enabled, executable files will be uploaded to VirusTotal, a public repository and scanning service owned by Google."

He pointed out that even with the information-sharing feature turned on, users can customize exactly what data is sent out of the network. There's also a popup warning page telling admins that they are sending data outside the company network. He also notes that DirectDefense could have contacted Carbon Black about this before creating a big fuss, and the company would have explained the behaviour.

A spokeswoman for DirectDefense told The Register that they didn't tip off Carbon Black about the issue because the firm didn't consider the data transmission a vulnerability, instead describing it in the original blog as "a function of how the tool is architected".
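The practical point both sides skate past: a hash lookup against a multiscanner discloses only a digest, while a full upload discloses the file contents to the scanner and to whoever it shares samples with, so the upload toggle is a disclosure decision rather than a detection tweak. The script below is an added illustration of the gate an operator would want in front of any such upload; it is not Carbon Black, Cb Response or VirusTotal code, and the sample "files", the fake AWS key ID and the pattern list are constructed for the example.

```python
"""Pre-submission gate for a "send unknown files to a cloud multiscanner"
feature.  Illustrative code, not any vendor's: it decides, per file,
whether a hash lookup and/or a full content upload may leave the network.
"""
import hashlib
import re

# Material that should never leave the network inside a scanner
# submission.  Well-known formats; the list is illustrative, not exhaustive.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(
        rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        rb"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "totp_secret_uri": re.compile(rb"otpauth://totp/"),
}


def find_secrets(data: bytes) -> list[str]:
    """Return the names of every secret pattern present in data."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(data)]


def sha256_hex(data: bytes) -> str:
    """Digest used for a lookup-only query; reveals nothing about content."""
    return hashlib.sha256(data).hexdigest()


def submission_plan(name: str, data: bytes, upload_enabled: bool) -> dict:
    """Decide what may leave the network for one unknown file.

    - A hash lookup is always permitted (only the digest is disclosed).
    - A full upload is permitted only if the operator enabled uploads AND
      the file contains nothing that looks like a credential.
    """
    hits = find_secrets(data)
    return {
        "file": name,
        "sha256": sha256_hex(data),
        "hash_lookup": True,
        "upload": upload_enabled and not hits,
        "blocked_by": hits,
    }


# Constructed sample "files".  The AKIA... value is AWS's documented
# placeholder key ID, not a real credential.
SAMPLES = {
    "deploy.sh": b"#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "id_rsa": (b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n"
               b"-----END RSA PRIVATE KEY-----\n"),
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 64,
}


def audit(upload_enabled: bool = True) -> list[dict]:
    """Run the gate over every sample with the given upload setting."""
    return [submission_plan(n, d, upload_enabled) for n, d in SAMPLES.items()]


if __name__ == "__main__":
    for plan in audit():
        print(plan)
```

With uploads enabled, the shell script and the private key are held back to a hash-only lookup while the opaque executable is cleared for upload; with uploads disabled (the shipped default the vendor describes) nothing but digests leaves. The regexes are a cheap first filter, not proof of absence: compiled binaries with embedded credentials, which is the case DirectDefense describes, need the same treatment, and a content-blind hash lookup is the safer default for anything not known to be free of secrets.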

“Yes, we’ve seen this feature setting in the product and in the manual that stated this is off by default,” the firm said in a followup blog post4.

“However, the recommendations or messaging from Carbon Black’s professional services team during the course of installing the product is to turn this feature on to help accelerate the analysis of the file scans.”

So DirectDefense decided to "educate users" about the issue, albeit in somewhat alarmist terms.

Education, or a PR stunt that backfired? You decide.


References

  1. blog post (www.directdefense.com)
  2. press release (www.businesswire.com)
  3. said (www.carbonblack.com)
  4. blog post (www.directdefense.com)
  5. M3: Machine Learning & AI conference brought to you by The Register (go.theregister.com)