
According to a survey of CIOs, security spending is increasing at double the rate of overall investment. 75% of individuals use only three or four passwords across all their accounts. Passwords are not always secure. Windows 10 introduces an alternative to passwords with Microsoft Passport and Windows Hello.
Stay on the offense against cybercrime by protecting yourself with Windows 10.
All the latest information in Windows 10 here.


The National Security Agency (NSA) has set a date to purge phone records collected during its bulk surveillance program.
"Analytic access" to the five years' worth of records will end on 29 November, and they'll be destroyed three months later, it said in a statement released on Monday.
There are two reasons for the three-month lag:
1. The bulk telephony metadata has to be preserved until civil litigation regarding the program is resolved or until courts relieve NSA of such obligations. From the statement:
As soon as possible, NSA will destroy the Section 215 bulk telephony metadata upon expiration of its litigation preservation obligations.
2. Also, "solely for data integrity purposes" to verify the records produced under the new, targeted production authorized by the USA Freedom Act, the NSA will allow technical personnel to access the historical metadata for those additional three months.
For a while there, it didn't look like the NSA would ever let go of its death grip on the records.
"Plus ça change, plus c'est la même chose, well, at least for 180 days," US Foreign Intelligence Surveillance Court (FISC) Judge Michael W. Mosman wrote last month, as he jauntily granted a six-month extension to the agency's bulk collection of phone metadata.
Earlier in June, there had been a standoff on Capitol Hill around the renewal of lapsed spying provisions of the Patriot Act: a standoff that was resolved with the passage of the Freedom Act, which resurrected the three spying-centric Patriot Act provisions that presidential candidate Senator Rand Paul single-handedly forced into retirement when those provisions expired at midnight on 1 June.
The FISC rationalized the six-month extension by saying that the enactment of the Freedom Act allowed for some "transition period" under which the NSA could continue its bulk data collection.
On the 29 November deadline, NSA analysts will be able to request restricted phone metadata from phone companies on an as-needed basis.
The statement put out by the government on Monday said that at the same time, access to previously collected records will cease.
As far as the NSA's legal obligation to preserve the data for ongoing litigation goes, the government didn't specify which cases it was referring to.
Such litigation likely includes cases brought by the Electronic Frontier Foundation that have claimed that the bulk-surveillance program was unconstitutional and not statutorily authorized.
by Lisa Vaas
Source: https://nakedsecurity.sophos.com/2015/07/29/nsa-sets-date-for-purge-of-surveillance-phone-records/
Posted by Lisa Vaas on July 20, 2015
Ashley Madison users, you are "cheating dirtbags" in the judgmental eyes of whoever attacked the adulterers' dating site, and, with no sympathy forthcoming from the culprits, your personal details are in danger of being published, if they haven't already.
The attackers claim that the personal, intimate data they've breached includes all customer records: secret sexual fantasies, nude photos, conversations, credit card transactions, real names and addresses, plus the dating site company's employee documents and emails.
Security journalist Brian Krebs broke the story on Sunday, and the company confirmed the breach.
Krebs published an image showing the attackers' lengthy manifesto, which was published alongside data stolen from Avid Life Media (ALM): the Toronto firm that owns Ashley Madison as well as the related hookup sites Cougar Life and Established Men.
The attackers call themselves the Impact Team, and it sounds like unmasking the site's users is merely fallout, given that they're after nothing less than the shutdown of Ashley Madison.
They say they'll keep leaking information on a daily basis until ALM shuts down both Ashley Madison and Established Men.
From the manifesto:
Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.
The other websites may stay online.
That means they're leaving alone the ALM site Cougar Life that connects older women with younger men.
In their view, only men use Ashley Madison:
Too bad for those men, they're cheating dirtbags and deserve no such discretion. Too bad for ALM, you promised secrecy but didn’t deliver.
This assumption about gender is incorrect, but the point is moot: a female friend of mine who formerly used Ashley Madison tells me that, being a woman, she never had to pay, and she had the smarts to fictionalize all her user information:
Being a woman, [I] never had to pay so all data was erroneous. ... even separate email, [birthdays]. ... now [partner's name] on the other hand...
According to the Impact Team's manifesto, this is comeuppance for ALM having "promised secrecy" that it didn't deliver.
The attackers accuse ALM of hoodwinking users when it comes to a "full-delete" feature that Ashley Madison sells, promising "removal of site usage history and personally identifiable information from the site."
As Ars Technica reported in August 2014, Ashley Madison was charging £15 (about $20 then and about $23 now) to delete a user's data from its system.
The promise to scrub users' purchase details - including real name and address - was hollow, Impact Team claims:
Full Delete netted ALM $1.7mm in revenue in 2014. It's also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.
For its part, ALM has published a statement on AshleyMadison.com denying those accusations - the full-delete feature works just as advertised, the company said - and announced that full-delete is now offered free of charge to all members:
Contrary to current media reports, and based on accusations posted online by a cyber criminal, the "paid-delete" option offered by AshleyMadison.com does in fact remove all information related to a member's profile and communications activity. The process involves a hard-delete of a requesting user's profile, including the removal of posted pictures and all messages sent to other system users' email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback.
As our customers' privacy is of the utmost concern to us, we are now offering our full-delete option free to any member, in light of today's news.
It's not clear how much stolen data has been published, though Krebs reports that it looks like a relatively small percentage of user account data.
Nor do we know precisely what details that data included.
Krebs writes that the published samples, at least, appear to include information on the site's 37 million users, company financial data such as salary figures, and even maps of the company's internal network.
On Monday morning, ALM announced that it had already used copyright infringement takedown requests to have "all personally identifiable information about our users" deleted from the unnamed websites where it was published.
That doesn't let users off the hook, unfortunately, given that the thieves can simply repost the stolen data elsewhere.
The Ashley Madison breach comes fast on the heels of a data breach in May of AdultFriendFinder - a similar site promising "discreet" hookups.
In the AdultFriendFinder breach about 3.9 million people had their private data, including personal emails, sexual orientation and whether they were looking to cheat on their partners, exposed on the Dark Web.
In another statement, ALM claimed there was nothing it could have done better to prevent the attack: "no company's online assets are safe from cyber-vandalism," despite having the "latest privacy and security technologies."
Impact Team agreed, apologizing to ALM's security head:
Our one apology is to Mark Steele (Director of Security). You did everything you could, but nothing you could have done could have stopped this.

Salting and hashing

Many questions remain unanswered, including how ALM stored users' passwords: were they properly salted and hashed, for example?
Hashes are the best way to handle passwords because you can create a hash from a password, but you can't recreate a password from a hash.
Properly stored passwords are combined with a set of extra characters, called a salt, and then hashed over and over again, many thousands of times (the salt is unique for each user and prevents any two users with the same password getting the same hash).
An attacker who makes off with a database full of hashes can't decrypt them; instead they have to crack them one by one with brute force and guesswork.

Did ALM store CVVs?

Another unanswered question: was ALM storing credit card security codes - also known as CVVs, CVV2, CID, or CSC - along with account information?
Let's hope not, given that it's a big no-no. Payment card regulations known as PCI-DSS specifically forbid the storage of a card's security code or any "track data" contained in the magnetic stripe on the back of a credit card.

Choose a strong, unique password

The attack on Ashley Madison is only the latest example of why it's imperative that we all choose strong, unique passwords - one site, one password.
It's bad enough that Impact Team is forcing users to suffer along with the company it's displeased with.
But once your password is out there it's trivial for crooks to try it on dozens of other popular sites to see if it works on those too.
Don't make it so easy for them.
Instead, cook up a good, unique password for every online account, and do it now.
Source: https://nakedsecurity.sophos.com/2015/07/20/cheating-site-ashley-madison-breached-by-hackers-threatening-to-expose-users/


The ABCs of cloud security

By Thomas Hansen, Vice President of Worldwide SMB, Microsoft
Small businesses are adopting cloud services at a rapid pace – be it for payroll, accounting, work from anywhere, collaboration, storage or email needs. And it’s understandable that many still have questions about how safe the cloud is or how cloud providers actually take care of their data. However, the cloud is actually the single safest place for small businesses to keep their sensitive data.
Some may think this is a bold statement, but the reality is small businesses might find themselves at greater risk if they run their businesses on outdated technology or keep all their sensitive information in a server in the back room or in a laptop. And with Windows 10 on the horizon, we’re actively addressing modern security threats with advancements to strengthen identity protection, information protection and threat resistance.
No doubt cloud security is a huge topic. For this post, I’d like to focus on three things that help keep your data secure.

A is for Access

In one sense, security is simple: it’s about controlling access.
You want to provide your employees, partners and other authorized parties access to the files they need, while ensuring that unauthorized parties can’t get to them. And just because your business may be classified as small, it doesn’t mean it’s not a target for hackers. In fact, some smaller companies are actually more vulnerable to attack because criminals know these businesses don’t take substantial preventative measures. One of the benefits of working with vendors like Microsoft is that we invest in security and take preventative measures, so you don’t have to worry about it. Dedicated teams track how security threats and attacks change over time, so we can evolve our approach too.
For example, when data moves from your computer into the Microsoft cloud, it’s encrypted. This means that even if it was somehow intercepted, it can’t be accessed by anyone who doesn’t also have the encryption key specific to that file.
We put these processes in place so you don’t have to worry about the security of your data. Instead, you can focus on tasks more critical to the success of your business.
Once your file arrives on the cloud drive, it’s stored on one of thousands of servers in a secure, state-of-the-art facility. The only people who have physical access to the servers holding your data are those doing occasional maintenance on them — and they have no way of knowing whose data is on which disk. This actually provides a huge security advantage over hosting your data on on-premises servers, which are probably exposed to hundreds of people on a monthly basis – your employees, visitors to your office, etc.

B is for Better (Encryption)

Encryption is just one of the ways we make life tough for malicious hackers. Just as the military constantly hones its skills through drilling and training, we’re constantly testing and updating our protections. We maintain a “blue team” dedicated to continually improving the security of our products and services. And to make sure those defenses are up to standard, we employ a “red team” of hired hackers who use the latest techniques to try and penetrate our cloud environments. When a potential security issue is spotted, the blue team moves to resolve it as quickly as possible, so attackers don’t have a chance to exploit it.

C is for Control

C could also be for “Customer,” because the truth is that security begins with you and your employees. As a cloud provider, there are many things we have control over that help keep your data safe. But there are many things that only you have control over, and a secure cloud environment depends on small businesses using best practices for security with their employees and vendors. For example:
• Use strong passwords, change them often, and use unique passwords for different applications. This way, in the event that one account gets compromised, your other applications are safe. Also, with the new Windows 10 feature Windows Hello, we’re taking control and security one step further by allowing instant access to your devices through biometric authentication – using your face, iris or fingerprint to unlock your devices.
• Make sure that your file permissions are set up so that the right people see the right data, require strong passwords within your organization and vet your employees and partners for any potential security concerns.
In addition, when you move your business to a Microsoft cloud solution, you control who in your organization can access data, right down to the file level. We enable automatic data loss prevention services that make sure your employees are in compliance with your organization’s privacy policies before they send files out, but control over which files they can see in the first place is in your hands.
The cloud introduced a new era in IT security, where all of us – from technology providers and policy makers to business owners and employees – have a role to play. I encourage you to take advantage of everything the cloud has to offer your business and to make smart choices to protect your business.
Source: http://blogs.microsoft.com/work/2015/07/07/the-abcs-of-cloud-security/
If you’re one of the millions of users of a Samsung Galaxy phone, you might be a potential target for a malicious hacker.
A report released on 6/17/15 by NowSecure, a security firm located in Chicago, found that a glitch in Swift, the keyboard software used by default on all Samsung Galaxy devices, could allow a remote attacker to compromise your phone.
This particular bug makes the phone vulnerable to what is known as a “man in the middle” attack. The Swift software consistently sends requests to a server, checking for updates. To someone with the right knowhow, though, it’s possible to impersonate Swift’s server and send through software that can be used to gain control of the device.
The main problem with this vulnerability is that there’s no real solution. The Swift keyboard is so integrated into Samsung’s software that it cannot be removed or disabled — even if it is switched out with a different keyboard app. Steering clear of unsecured Wi-Fi networks will make you less likely to be targeted, but it won’t render you invulnerable.
Swift runs with elevated permissions, giving it pretty much free rein around the phone. This means that a hacker that worms his way into it can also access the Galaxy’s microphone and camera, track the user’s location or listen to their calls. They can even install apps.
NowSecure claims to have made Samsung and Google’s Android team aware of this vulnerability in late 2014, and Samsung reportedly has made a patch available to network providers. It’s not clear, though, whether providers have pushed out the patch to users yet. Many networks have a record of being notoriously slow to push through updates and security patches, and NowSecure’s tests found a number of Galaxy phones on different carriers were still vulnerable as of Tuesday.
If you’re of a more technical bent, you may be interested in seeing the details of NowSecure’s report on their blog. If you’re of a less technical bent, you might want to check with your carrier and try to avoid insecure Wi-Fi networks.
Article by: Andrew Lumby, MSN


On Wednesday, June 17th Managed Solution Business Development Managers, Sean McMahon and Tina Rountree attended the AITP June Chapter Meeting. The event featured a prestigious moderator and panel of industry experts from Gartner, Intuit, Qualcomm, Siege Secure & SoCal Privacy Consultants discussing Cloud vs. On-Premise Security.
Peter Coffee, VP of Strategic Research at Salesforce, once said, "The battle is over, and the cloud has won.” However, there are many others who disagree. Over 60% of surveys show companies have not moved to the cloud because of security and privacy concerns. Are these concerns still valid? Have cloud vendors addressed security concerns adequately? These questions were addressed and discussed in detail by the distinguished panel of security experts at last night's event.

AITP June Chapter Meeting Featured Speakers:

• Matt Stamper, VP of Managed Services redIT, Moderator
• Paul Boulanger, Vice President SoCal Privacy Consultants
• F. Christian Byrnes, Managing Vice President Gartner Research
• Joshua Davis, Senior Director of Information Security & Risk Management Qualcomm
• Richard McElroy, Chief Information Security Officer Siege Secure
• Erik Naugle, Director of Cloud Strategy Intuit
On Saturday, June 20th AITP San Diego partners with GeekGirl for TechCon 2015, a full day event for women and men from 8-88 to learn how to code, hear industry thought leaders and meet some new tech friends.
Snapchat is hugely popular with teens and young adults as a way to send short-lived photo and video messages, but it hasn't won many fans in the security business.
In the past couple of years, Snapchat has run into trouble with the US Federal Trade Commission for its deceptive marketing practices, and was blasted by security researchers for really poor security of users' account information.
More recently, however, Snapchat has picked up its security game in a big way - notably, since April 2014 when it hired a new director of information security, ex-Googler Jad Boutros, who says he is building a "culture of security" at the company.
On Monday, Snapchat released version 9.9.0 of the app for Android and iOS, with an optional new security feature called Login Verification that helps prevent unauthorized account access.
This kind of extra protection is especially relevant now that Snapchat is offering additional services such as Snapcash, to help prevent a thief from logging in as you and sending money from your account to another Snapchat account.
Once enabled, Login Verification requires users to enter a one-time code when logging in from a new device (in addition to their password).
This type of verification, also known as two-factor authentication (or for Apple accounts, two-step verification) makes it doubly hard for an imposter to access your account.
Because the verification code is sent via SMS text message to the phone number linked to the account, a snoop would need to have access to your phone as well as knowing your username and password combination to log in as you.
You can also use the Login Verification setting to verify additional devices, or to request a Recovery Code you can enter for logging in from an unverified device in case of a lost or stolen phone.
If you want to use Snapchat on, for example, your iPhone and your iPad, or manage your account online from your Mac, you can verify all of those devices - but a thief with your username and password signing in from another device wouldn't be able to log in without a verification code.
And if you're worried about someone else getting access from one of your verified devices, you can also "forget" previously verified devices from the Login Verification setting.
Source: https://nakedsecurity.sophos.com/2015/06/11/snapchat-steps-up-its-security-with-login-verification/

Cisco Live

Cisco Live is Cisco's premier education and training destination for IT professionals worldwide - June 7 - 11, 2015 San Diego, CA

Be amazed and transform your outlook, your career, and your potential with 5 days of education, training, and more!
  • Get inspired about your future
  • Hear industry innovators discuss how technology is changing how we work, live, play and learn
  • Learn from the experts about how the Internet of Everything (IoE) is connecting people, process, data and things
  • Learn what jobs are being created in the future IoE economy and how to help improve the world with IoE skills
  • Learn how to best prepare to be a future innovator
  • Attend the exhibit hall that houses over 200 partners and vendors
  • Hear from special guest speakers about the new IT careers
The Cisco Live 2015 San Diego broadcast is free to view and will be featured here June 8–11.
College students in the San Diego area are invited to Cisco Live for a special day of learning and mentorship. Registration is FREE.
About Cisco Live
Cisco Live is Cisco’s premier education and training destination for IT professionals worldwide. We offer unparalleled opportunities to increase your knowledge of Cisco products and solutions via in-person events, live webcasts, and on-demand learning opportunities.
Date: Cisco Live 2015, June 7 – 11
Location: San Diego Convention Center, 111 W Harbor Drive, San Diego, CA 92101
