Intel CEO Updates Industry on Recent Security Issues – Watch Brian Krzanich CES Keynote

At the Consumer Electronics Show in Las Vegas, Intel CEO Brian Krzanich provided an update on important security issues currently facing Intel customers. He focused specifically on a recent security research study.

“Today is a day when we all come together to celebrate the lifeblood of our amazing industry – and that’s really about innovation. But before we start, I want to take a moment to thank the industry for coming together for another purpose – to address the recent security research findings reported as “Meltdown” and “Spectre.”
“The collaboration among so many companies to address this industry-wide issue across several different processor architectures has been truly remarkable. Security is job number one for Intel and our industry. So, the primary focus of our decisions and our discussions have been to keep our customer’s data safe.

“As of now, we have not received any information that these exploits have been used to obtain customer data. And we are working tirelessly on these issues to ensure it stays that way. The best thing you can do to make sure your data remains safe is to apply any updates from your operating system vendor and system manufacturer as soon as they become available.

“For our processors, products introduced in the past five years, Intel expects to issue updates for more than 90 percent of them within a week and the remaining by the end of January. We believe the performance impact of these updates is highly workload-dependent. As a result, we expect some workloads may have a larger impact than others, so we will continue working with the industry to minimize the impact on those workloads over time.

“When we come together like this, there are endless possibilities. And I’d like to share some of those possibilities now with you. So, if you’ll indulge me, I’d love nothing more than to simply put my phone away and take this evening to truly celebrate innovation with you.”


The post Intel CEO Updates Industry on Recent Security Issues – Watch Brian Krzanich CES Keynote appeared first on WebProNews.

Read more here:: Security Pro News


Google Chrome 63 Set to Ramp Up Security with Site Isolation


Google’s campaign to convince more businesses to turn away from Microsoft’s Windows 10 Edge and onto its side has intensified with the release of Chrome 63. Google is confident that its new security feature, site isolation, will have more companies migrating to them.

Better Security with Site Isolation

Chrome’s new security feature will enable enterprise admins to configure the browser to render content for each page in its own dedicated process, keeping it isolated from other pages. The feature can also be customized so only specific webpages on a preset list will be kept separate.

Site isolation is designed to stop malicious attacks that take advantage of vulnerabilities during the renderer process. The security measure kicks in during rendering because this is usually the point at which dangerous code is run in order to steal key data and information.

How to Enable Google Chrome’s Site Isolation Security Feature. #chrome #security #new

— downloadsourcenet (@downloadsourcEN) December 11, 2017

In a statement, Google explained that keeping each page isolated provides stronger security. The company also suggests that this feature is best used for pages that require a log-in and carry sensitive content. Google also emphasized that this new security feature will result in significant memory usage on computers. Using site isolation can lead to a memory use increase of about 10 to 20 percent.

TLS 1.3 Rollout

Chrome 63 will also introduce TLS 1.3 for Gmail. The Transport Layer Security feature is a protocol that permits more secure communication on the internet. Google explained that the previous version, which became the standard protocol way back in 2008, was in serious need of a revamp. TLS 1.3 is reportedly swifter and more secure.

A Look at the Improvements That TLS 1.3 Brings

— Quentin ADAM (@waxzce) December 8, 2017

A larger rollout is set to be scheduled next year and while users are not expected to feel or see any major impact, Google warned administrators that not all systems will be interoperable with the new protocol. System admins are advised to check the company’s feedback forum for more information.

The post Google Chrome 63 Set to Ramp Up Security with Site Isolation appeared first on SecurityProNews.


Security Challenges to Consider Before Adopting a Hybrid Cloud Strategy


Cloud computing has brought numerous benefits to companies. However, putting all data on the public cloud is something that a lot of IT admins are concerned about. This is why a number of businesses have opted to utilize a hybrid cloud environment. This allows them to store some data in the public cloud and others in an on-site cloud storage.

However, the hybrid cloud isn’t perfect. There are several security problems that companies should watch out for. Here are five security issues to keep in mind:

Inadequate Data Redundancy

Cloud storage service providers commit a substantial amount of resources to ensure the infrastructure is accessible and open whenever end users need it. Unfortunately, problems will inevitably arise. Some well-publicized outages, like those involving Amazon Web Services and Microsoft Azure, have underlined the risk of running applications using just one data center. Cloud architects need redundancy across data centers to lessen the impact of such outages.

This lack of redundancy can end up being a major security risk to a company’s hybrid cloud, particularly if redundant data is not distributed across various data storage centers. Cloud architects can work around this by implementing redundancy via numerous data centers from one provider, using several public cloud providers or a hybrid cloud.

Data Compliance

Maintaining and showing data compliance can be more challenging with a hybrid cloud. Aside from having to ensure that the public cloud provider and the hybrid cloud you’re using are in compliance, you also have to prove that the means of coordination between the two is also compliant.

Poorly Assembled SLAs

Public cloud providers work hard to ensure that they meet all the conditions listed in their service level agreement (SLA). Businesses should also make sure that their private cloud can also live up to the same expectation. Otherwise, the company might need to develop SLAs based on the outlook of the lower of the two clouds, which could be your private cloud.

It’s best to gather data on your private cloud’s availability and performance under pragmatic conditions. Watch out for possible issues with integrating private and public clouds that could hinder service. For instance, if a vital business driver for the private cloud is storing confidential and sensitive data on-site, then your SLA should reflect the limitations to which the company can utilize the public cloud for certain services.

Risk Management

From a business point of view, information security revolves around risk management. Cloud computing, especially in hybrid clouds, entails the use of new application programming interfaces (APIs), demands advanced network configurations, and pushes the boundaries of a conventional system administrator’s abilities and knowledge.

Unfortunately, these factors can lead to new types of threats. While cloud computing is just as secure as internal infrastructures, the hybrid cloud has a more complex system that IT admins have limited experience in handling, and this can create problems.

As with any technology, problems do arise. Luckily, several traditional IT and security vendors are already working on improving their products in order to support hybrid cloud issues. There are also third parties that can deliver niche tools to bolster particular security configurations.


The post Security Challenges to Consider Before Adopting a Hybrid Cloud Strategy appeared first on SecurityProNews.


Cybersecurity expert Symantec is looking to cut down on its data center costs


Cybersecurity expert Symantec is looking to cut down on its data center costs by moving some of its workload to Microsoft Azure. The deal between the two companies, which was revealed on Monday, would see Symantec delivering its Norton product line to its customers from Azure.

Microsoft announced that Symantec has already moved “105 critical consumer digital safety capabilities” to its data centers to provide support for services like advanced threat protection, reputation scoring, and security telemetry. The security firm is also utilizing Azure to keep track of its financial, security and operational metrics.

However, this extensive cloud migration will take time and extensive planning before it’s finalized. Moving the selected apps and data to Microsoft’s cloud servers will take about 18 months from its commencement last year to its expected completion in March 2018.

The world’s largest #security software provider @Symantec trusts #Azure to deliver @NortonOnline consumer security:

— Microsoft Azure (@Azure) October 16, 2017

This isn’t the first time that Microsoft and Symantec have worked together though. But this latest collaboration comes on the heels of Symantec’s view to adopt hybrid cloud policies to enhance performance and agility while lowering their operating costs.

Sheila Jordan, Symantec’s CIO and senior vice president, said that the cloud is crucial in their strategy to streamline operations, accelerate innovation and protect and empower their customers. She also added that Microsoft has been a reliable partner in ensuring their strategy’s success.

The Mountain View-based security software company’s decision to have Microsoft’s cloud facilities host its line of consumer security products is not only a major win for Azure but also a clear affirmation of the company’s data security capacities.

Symantec’s current plans will undoubtedly assist Microsoft and its partners to sell the cloud to large enterprises. A lot of companies are still laboring under the assumption that the cloud is less secure than in-house data centers. But having two major enterprises like Microsoft and Symantec standardizing their workloads on Azure would give other businesses the confidence to shift their own data and software over to the cloud.

Public cloud facilities like Azure or Amazon Web Services are composed of a large set of computer servers, networking apparatus and storage systems which are rented out to companies that do not want to run or expand their data centers. This is particularly useful to businesses with uneven workloads.

A lot of big companies, like Salesforce and Infor have already taken advantage of the cloud’s capabilities for about two years now. Hopefully, many more companies will follow them into the cloud.


The post Cybersecurity expert Symantec is looking to cut down on its data center costs appeared first on SecurityProNews.


Google Security Team Releases “Project Wycheproof”

“We’re excited to announce the release of Project Wycheproof, a set of security tests that check cryptographic software libraries for known weaknesses,” stated Daniel Bleichenbacher, Security Engineer and Thai Duong, Security Engineer, aka Cyber Overlord at Google, on the Google Security Blog.

“We’ve developed over 80 test cases which have uncovered more than 40 security bugs (some tests or bugs are not open sourced today, as they are being fixed by vendors),” they noted. “For example, we found that we could recover the private key of widely-used DSA and ECDHC implementations. We also provide ready-to-use tools to check Java Cryptography Architecture providers such as Bouncy Castle and the default providers in OpenJDK.”

Read the full blog post here…

The main motivation for the project is to have an achievable goal. That’s why we’ve named it after the Mount Wycheproof, the smallest mountain in the world. The smaller the mountain the easier it is to climb it!

In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long. Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades’ worth of academic literature. We recognize that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means.

These observations have prompted us to develop Project Wycheproof, a collection of unit tests that detect known weaknesses or check for expected behaviors of some cryptographic algorithm. Our cryptographers have surveyed the literature and implemented most known attacks. As a result, Project Wycheproof provides tests for most cryptographic algorithms, including RSA, elliptic curve crypto, and authenticated encryption.

Our first set of tests are written in Java, because Java has a common cryptographic interface. This allowed us to test multiple providers with a single test suite. While this interface is somewhat low level, and should not be used directly, we still apply a “defense in depth” argument and expect that the implementations are as robust as possible. For example, we consider weak default values to be a significant security flaw. We are converting as many tests into sets of test vectors to simplify porting the tests to other languages.

While we are committed to develop as many tests as possible and external contributions are welcome — if you want to contribute, please read CONTRIBUTING before sending us pull requests — Project Wycheproof is by no means complete. Passing the tests does not imply that the library is secure, it just means that it is not vulnerable to the attacks that Project Wycheproof tries to detect. Cryptographers constantly discover new weaknesses in cryptographic protocols. Nevertheless, with Project Wycheproof developers and users now can check their libraries against a large number of known attacks without having to sift through hundreds of academic papers or become cryptographers themselves.

For more information about the tests and what you can do with them, please visit our homepage on GitHub.
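The test-vector approach described in the post above, shown as an added example that is not taken from the Google blog post or from Project Wycheproof's own code: a small runner checks two MAC verifiers against vectors that each state the expected outcome. The key, message, vector layout and the names `verify_weak`, `verify_strict` and `run_vectors` are all constructed for this illustration.

```python
import hashlib
import hmac

# Constructed sample inputs (not from any real test suite).
KEY = bytes(range(32))
MSG = b"sample message for vector-driven MAC tests"
GOOD_TAG = hmac.new(KEY, MSG, hashlib.sha256).digest()


def flip_bit(data, index):
    """Return a copy of data with the lowest bit of byte `index` flipped."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


# Each vector names the input and the outcome a correct verifier must give.
VECTORS = [
    {"tcId": 1, "comment": "correct tag", "tag": GOOD_TAG, "result": "valid"},
    {"tcId": 2, "comment": "first byte modified", "tag": flip_bit(GOOD_TAG, 0), "result": "invalid"},
    {"tcId": 3, "comment": "last byte modified", "tag": flip_bit(GOOD_TAG, 31), "result": "invalid"},
    {"tcId": 4, "comment": "tag truncated to 4 bytes", "tag": GOOD_TAG[:4], "result": "invalid"},
    {"tcId": 5, "comment": "empty tag", "tag": b"", "result": "invalid"},
    {"tcId": 6, "comment": "extra byte appended", "tag": GOOD_TAG + b"\x00", "result": "invalid"},
]


def verify_weak(key, msg, tag):
    """Flawed verifier: compares only as many bytes as the caller supplied,
    so a shortened tag is checked against a shortened expected value."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return expected[:len(tag)] == tag


def verify_strict(key, msg, tag):
    """Hardened verifier: full-length tag required, constant-time compare."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return len(tag) == len(expected) and hmac.compare_digest(expected, tag)


def run_vectors(verify, vectors=VECTORS):
    """Run every vector against `verify` and return the tcIds that disagree
    with the expected result. An exception is treated as a rejection."""
    failures = []
    for vector in vectors:
        try:
            accepted = bool(verify(KEY, MSG, vector["tag"]))
        except Exception:
            accepted = False
        if accepted != (vector["result"] == "valid"):
            failures.append(vector["tcId"])
    return failures


if __name__ == "__main__":
    for name, fn in (("verify_weak", verify_weak), ("verify_strict", verify_strict)):
        failed = run_vectors(fn)
        status = "PASS" if not failed else "FAIL on tcId " + ", ".join(map(str, failed))
        print(f"{name}: {status}")
```

As the post says of the real suite, an empty failure list only shows that the verifier is not affected by the weaknesses these particular vectors encode.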

The post Google Security Team Releases “Project Wycheproof” appeared first on SecurityProNews.


DDoS Attack Kills Krebs Security Site

One of the largest Distributed Denial of Service (DDoS) attacks ever seen on the internet has caused Akamai to dump a site it hosted. The DDoS attack was apparently in retaliation for journalist Brian Krebs’ recent article about vDOS, which is allegedly a cyberattack service. According to BI, following Krebs’ reporting two Israeli men were arrested and the site was taken down.

One Twitter post noted the irony in a security expert having his site taken down because of a DDoS attack. “Brian Krebs, the man who gives cybercriminals nightmares, has been hit with a Godzilla-sized DDoS attack,” noted cybercrime researcher, blogger and speaker, Graham Cluley, “Sad news, hope he’s back soon.”

The Attack Was Huge

Holy moly. Prolexic reports my site was just hit with the largest DDOS the internet has ever seen. 665 Gbps. Site’s still up. #FAIL

— briankrebs (@briankrebs) September 21, 2016

Before his site was taken down, Krebs posted about the attack on his website, saying that it was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. “The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed.”

It’s looking likely that KrebsOnSecurity will be offline for a while. Akamai’s kicking me off their network tonight.

— briankrebs (@briankrebs) September 22, 2016

Later Akamai did take down the site and Krebs was understanding:

Before everyone beats up on Akamai/Prolexic too much, they were providing me service pro bono. So, as I said, I don’t fault them at all.

— briankrebs (@briankrebs) September 23, 2016

“The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second,” writes Krebs. “Additional analysis on the attack traffic suggests the assault was closer to 620 Gbps in size, but in any case this is many orders of magnitude more traffic than is typically needed to knock most sites offline.”

Krebs said that Martin McKeay, Akamai’s senior security advocate, told him that this was the largest attack that they had seen. Earlier this year they clocked an attack at 363 Gbps, but there was a major difference: This attack was launched by a “very large” botnet of hacked devices, where typical DDoS attacks use the common amplifying technique that bulks up a small attack into a large one.

Krebs’ last tweets about the attack:

So long everyone. It’s been real.

— briankrebs (@briankrebs) September 22, 2016

there’s no place like

— briankrebs (@briankrebs) September 23, 2016

The post DDoS Attack Kills Krebs Security Site appeared first on SecurityProNews.


Google: Cloud Computing More Secure Than Any On-Premise Solution

Google recently conducted a roundtable of in-house experts discussing how Google uniquely provides a secure platform for businesses to store their data online. Google experts tell the story of how Google invented innovative technology allowing them to keep their customers’ information and data safe from digital intruders.

“Information security has become such a hot topic,” stated Eran Feigenbaum, Director of Security for Google Apps. “With the increase in cybercrime, the trends in privacy, the changes in regulations, it’s something that businesses can’t ignore. Enterprises all over the world are concerned about security.”

Companies around the world are rapidly moving toward cloud computing spurred on by the success of Amazon’s AWS platform. Google has been working hard to catch up especially in regards to large enterprise companies that require an extreme level of security.

“The move of businesses to cloud computing has really increased,” said Feigenbaum. “Companies see the benefits of lower cost, but also the ability to innovate faster for users to collaborate. But one of the big areas of hesitation is security, right? Companies are not comfortable putting their own data into the cloud.”

Should Companies be Concerned About Cloud Security?

“I think we’re seeing a real sea change right now with respect to people understanding that the cloud is more secure than on any on-premise solution,” says Suzanne Frey, Director of Security, Privacy, and Trust at Google. “If you just think about it, mathematically, you’ve got all these different on-premise solutions and individual teams trying to do the right thing.”

Frey says that Google is extremely focused on putting their best talent and expertise on making sure that the Google Cloud solution is secure. “If you take a look at our customer base, we have some of the world’s largest banks. We have some of the most stringent government customers. We’re FedRAMP certified here in the US, and the fact that we can solve for security for all of those customers is a great testimony to our capabilities,” she adds.

She sees Google as different than other cloud providers. “In addition, we solve for something special,” said Frey. “In talking to our customers, it’s our ability to innovate and to bring new ideas to bear that help enable them to be competitive, productive, and truly novel, and focus on the things that matter to them. That’s part of our really special secret sauce.”

Frey adds, “I often say to people, at Google, security comes in two forms, it’s both traditional cybersecurity, but it’s also security against technological stagnation.”

Innovation Vs. Security

Can a cloud provider be too secure at the expense of innovation? “Actually, I like the observation about being too focused on security to the exclusion of innovation,” says Adrian Ludwig, Director of Android Security, in reply to Frey’s observation. “I hadn’t seen that phrased that way. But I think one of the changes that we’ve seen in the mobile space over the last few years is companies have focused first and foremost on innovation–Android being a great example of that– but we’ve tied it to a security model that is how people actually consume applications and services.”

“So we thought about the web and sandboxing model that was used on the web, and we incorporated that in the way we built application sandboxing,” Ludwig added. “I think a consequence of that is cloud services are becoming more and more important. Most applications that are built for Android, or that are built for mobile, regardless of your mobile platform, are really cloud-based. So I think those two are tied together, because both of them, we’re thinking about innovation first and foremost, and the security has sort of unlocked that innovation.”

The Cloud Has Security Advantages

“We have a complex set of systems that we’re dealing with today and they get more and more complex over time,” said Tim Willis, Technical Manager of Chrome Security. “We also have adversaries with increasing levels of sophistication. So you’ve got that on one side and on the other side, we’ve got IT managers having to defend their networks. The problem with defense is you need to defend everything incredibly well. Attackers only need to find one hole into your network.”

Willis adds, “I think that’s where an advantage of moving to the cloud is that you have dedicated teams with robust experience. Some of the people who I work with wrote my textbooks in university and it’s one of those things that I get to work with these experts and that’s all they do. They focus on security, and that’s one of the huge benefits, in my point of view, of moving to the cloud.”

Safety of the Data that’s Not at Google

Do cloud providers have a responsibility for data safety when the data leaves the cloud?

“Safe Browsing would be a good example of something that we can do at very, very large scale, where we actually believe that the right approach is make the entire internet safer,” says Stephan Somogyi, a Product Manager in Google’s Security and Privacy Engineering Team. “So we build systems that hunt around and find malware and find phishing and then we go and report this.

“An individual consumer can benefit from this, because their web browser will let them know,” adds Somogyi. “In a cloud environment, enterprises can take advantage of this data as well and keep themselves protected. We take this approach through a number of different areas– certificate transparency being another example– where we’re taking a look at the internet as a whole and finding ways to keep it safe at scale.”

Google Cloud Security Innovations Moving the Needle

“For the longest time, we have been talking about sort of two-factor authentication is critically important for most organizations to implement,” said Frey. “Many customers use Google Authenticator and other apps like that to generate a one-time passcode, and those are great. They’re certainly better than nothing, right? However, a hardware-based security key is just quantum leaps ahead in terms of they’re not hackable and they really do protect our customers from phishing in a way that, basically, the one-time passwords do not.”

“One of those (not so glamorous) things is encryption for me,” said Willis. “It may not seem incredibly innovative, but we’re working really hard to make sure that all of our traffic is encrypted at rest and at transit. One example where we’re being open with that is our HTTPS Transparency Report. Now, you can go to that site and you can see our progress towards our goal of 100% encryption in transit through all of our products.”

“Again, another example would be working with TLS 1.3,” added Willis. “That’s the next generation of Transport Layer Security. Now, it may not sound glamorous, but we’re not only helping to implement that, we’re helping author the next version. That shows that we’re in the mix and we know what technologies are around the corner.”

Willis explained that a practical application of that would be Progressive Web Apps. “These are low friction web applications, which are designed to help increase engagement and have an app-like experience for customers and businesses,” he said. “We’ve seen studies how that increases engagement, and it’s fantastic, it’s easy across the board.”

“Why am I talking about it?” asks Willis. “TLS is actually a hard requirement for those apps. So it’s one of these things where not only are we innovating, we’re making sure that security is baked in from the get-go. I think that’s one huge advantage of Google.”

“There’s a couple of elements about that that are interesting to me,” said Ludwig. “One of them is it’s not so much that the security itself is innovative, it’s about using an innovative product to make security available.”

Ludwig says that what they did early on with Android is thinking about the platform stack. “We were like, OK, you need to have a verified boot, and you need to have encryption, and you need to have sandboxing,” he said. “Those are all sort of, I think at this point, almost commodities for an operating system. But one of the things that Google brought to bear was security services. It’s going to be a cloud-connected device and we’re going to make all of those services available, by default, on all of the devices.”

“We started thinking about, how do you bind services into the operating system itself? We added things like SafetyNet and Verify Apps, where there are effectively hooks in the operating system where we can make sure that we’re adding security dynamically over time. And so we can innovate in security even more quickly than we can innovate in the operating system itself,” added Ludwig.

Interestingly, Ludwig says that most people don’t even realize this about the Google Cloud. “But that’s OK, because they’re safer and they’re happier as a result of it.”

The post Google: Cloud Computing More Secure Than Any On-Premise Solution appeared first on SecurityProNews.


Google Sees Its Cloud Platform as Most Secure

Neal Mueller, Security and Networking lead for Google Cloud, recently was interviewed about security and other important aspects of using the Google Cloud Platform to host websites, online retailers and other data intensive applications.

Should I move our online applications to the cloud and is it secure?

We get that question less and less these days. There are big advantages to moving to the cloud. You get to have all of the scale that you want immediately when you want it. You don’t pay for it when you don’t use it. And you don’t have to worry about the maintenance of the underlying machines. The advantages are so big, in fact, that we seldom get the question of, should I move to the cloud? More often, the question that we get is, how can I move to the cloud safely?

Where does Google’s responsibility for security begin?

It’s simple. Google’s responsibility is to control the underlying infrastructure. Your responsibility is to secure the data on top.

Why use Google as a cloud provider?

One of the reasons that we talk about a lot is that Google is the right cloud provider for you because we’ve got over 500 security engineers. These are 500 people that are foremost in their fields. They’ve been in peer-reviewed journals, they’re experts at security.

Let me give you an example of just one team within the 500. It’s called Project Zero. These are forward-facing engineers whose job it is to discover 0-Days, that is, new vulnerabilities, never before seen or disclosed. They discovered Heartbleed, which affects anybody with a browser. It’s a TLS vulnerability. They discovered rowhammer, which affects anybody that has a computer with RAM and they discovered 15 of the last 21 KVM vulnerabilities, which is really important to Google because we use KVM as our chosen hypervisor technology. All of these vulnerabilities, as soon as we discover them, we immediately disclose them so that the world is a safer place thanks to the work of Project Zero.

Can you tell us more about this?

Let’s talk about the word provenance. It’s a word in English that means come from. It’s a fundamental tenet of how we think of secure systems. We don’t just buy hardware that’s off the shelf. We return to first principles, figure out what functionality we need from the hardware and which ones we don’t, because functionality that’s included in the hardware off the shelf might introduce vulnerabilities that we don’t want. This leads us in many cases to custom-build secure systems. So we have custom-built ASICs, custom-built servers, custom-built racks, custom-built storage arrays inside custom-built data centers. All of this leads to a much more secure data center.

Infrastructure security, doesn’t that go beyond hardware?

Sure. It extends to the people inside that data center, too. These are full-time, badged Googlers that have submitted to a background check and have an array of physical security to make their job easier. We’re talking about stuff that you’ve seen in “Mission Impossible”– biometrics, lasers, vehicle barriers, bollards. All of this is custom-built, also, to make the data center more secure.

So is this unique to just Google?

Yeah, it’s unique to Google, but not for long. Part of being Google is giving back to your community. So as part of the Open Compute Project, just last week with Facebook, we released our design for a 48-volt rack. This is a very high-density, highly efficient, highly green rack. And although Google is the only one that can build it, now that everybody has the designs, everybody can build data centers as efficient.

What other cool stuff is Google Cloud doing?

What’s next? So with 500 security engineers on staff, there’s a lot that’s up next. But let me tell you about just two things that spring to mind. The first one is BeyondCorp. Here, we have separated ourself from the traditional enterprise security model. Traditional enterprise security has a hard firewall to guard the perimeter. However, we’ve seen what happens with recent breaches– what happens when an adversary gets inside that perimeter. He has relatively unfettered access to the resources inside the internet. What Google does is device authentication which allows our applications to be accessible by the internet, but be just as secure as if they were only accessible by the intranet. We believe that this makes our public cloud more secure.

What’s the second initiative?

On Google Cloud Platform, data at rest is encrypted by default. This is a real differentiator for us. We believe it’s good practice and good business. We’ve seen what happens when adversaries get a hold of breached PII and we think that encryption by default is a good preventative measure against that.

The post Google Sees Its Cloud Platform as Most Secure appeared first on SecurityProNews.


Adblocking Goes Mobile

Some quick facts from the PageFair 2016 Mobile Adblocking Report:

  • At least 419 million people (22% of the world’s 1.9bn smartphone users) are blocking ads on the mobile web.
  • Both mobile web and in-app ads can now be blocked.
  • As of March 2016 an estimated 408 million people are actively using mobile adblocking browsers (i.e., a mobile browser that blocks ads by default).
  • As of March 2016 there are 159 million users of mobile adblocking browsers in China, 122 million in India, and 38 million in Indonesia.
  • As of March 2016 in Europe and North America there were 14 million monthly active users of mobile adblocking browsers.
  • A further 4.9 million content blocking and in-app adblocking apps were downloaded from the app stores in Europe and North America since September 2014.

“Although consumer adoption of mobile level ad blockers is lower than the desktop market, Juniper Research believes that adoption is set to witness a sizable increase,” said Juniper Research analyst Sam Barker. “Drivers of this include Apple’s inclusion of ad blocking compatibility with Safari and increasing consumer awareness.”

He adds that, much like desktop browsers, mobile ad blockers are not able to block all types of advertising:

  • Internet Search and Display Adverts will be blocked; however, like the desktop space, native adverts are not able to be blocked.
  • Video Display Adverts are able to be blocked, except if the video is channelled through a mobile application.
  • The possibility of blocking in-app advertising has been explored; however, when speaking to players in the market, many feel the practice to be morally unethical or the technical challenges too costly.

“In comparison to the desktop space, the mobile ad blocking market is still fairly nascent,” said Barker. “Since the announcement from Apple in September 2015 that iOS’s native browser would be able to support ad blocking applications, there has been a rise in the number of users adopting the technology.”

The Bad News is AdBlock-Plus is Not Alone

IAB President Randall Rothenberg noted that for-profit adblockers have become the “darlings of the venture capital industry and angel investors” and include otherwise mainstream advertising technology and publishing companies.

There’s Shine, an Israeli startup that sells adblocking software for mobile phone networks so that they can block ads at the network level. Shine is backed by Horizons Ventures which backed Spotify and Facebook.

Then there’s Brave, which was launched by former Mozilla CEO Brendan Eich. Rothenberg says that “his business model not only strips advertisements from publishers’ pages – it replaces them with his own for-profit ads.”

“The ad-block profiteers are building for-profit companies whose business models are premised on impeding the movement of commercial, political, and public-service communication between and among producers and consumers,” says Rothenberg. “They offer to lift their toll gates for those wealthy enough to pay them off, or who submit to their demands that they constrict their freedom of speech to fit the shackles of their revenue schemes.”

The post Adblocking Goes Mobile appeared first on SecurityProNews.


Hard Rock Finds Card Scraping Malware on its Payment System

The Hard Rock Hotel & Casino in Las Vegas discovered a major breach of its credit card processing data, with card scraping malware placed on its payment-card system. Cardholders who purchased anything at Hard Rock Las Vegas, including its restaurant and retail outlets, between October 27, 2015 and March 21, 2016 could have been affected. The Las Vegas party resort, popular with celebrities, first noticed irregularities in May.

The Hard Rock described the data that was taken:

“The investigation identified signs of unauthorized access to the resort’s payment card environment. Further investigation revealed the presence of card scraping malware that was designed to target payment card data as the data was routed through the resort’s payment card system. In some instances the program identified payment card data that included cardholder name, card number, expiration date, and internal verification code. In other instances the program only found payment card data that did not include cardholder name. No other customer information was involved.”

“Once again, we see another hotel being breached by what is suspected to be malware that was placed on a payment-card system,” stated John Christly, who is a Cybersecurity Evangelist at Netsurion. “Customers like this need to understand that they are in a digital war with the hackers that want this type of data.” Christly bluntly calls this “a war that is being won, in many instances, by these hackers and that absolutely needs to change.”

Zach Forsyth, Director of Product Strategy at Comodo, tells us why hospitality organizations are targeted by hackers:

“Hospitality organizations are ideal targets for the cybercriminal today because they handle highly valuable personal and financial information—the proverbial goldmine for the cyberthief. Large, well-known chains are even more susceptible targets due to the sheer volume of data that they store and share.

Unfortunately, many of these companies have antiquated IT security technology in place, which is an easy workaround for the hackers. It’s a harsh reality that the technology some organizations use today is as effective as installing a home security system that alerts you to a break-in after the robbers have already stolen everything, vandalized the house and left. By then, it’s too late. The focus for IT departments needs to be on protection, not detection, and installing modern secure Web gateways and advanced endpoint protection solutions that can stop malware and cyberattacks from compromising data and negatively impacting their businesses and customers.”

“We advise our customers that any business, regardless of size, that processes payment data or offers free Wi-Fi to guests, is a lucrative breach target, but it’s still no secret that large brand name companies like Hard Rock are unfortunate targets for hackers—enticing them with large quantities of valuable information such as credit card data for patrons, sensitive employee data for staff, and sometimes even medical data used by in-house care facilities,” added Christly. “Many recent breaches have involved malware that, once installed, works to steal sensitive data.”

“There’s no silver bullet strategy to defend against every threat. However, a strong line of defense is making sure that data doesn’t leave the network without the admin’s knowledge and if data is sent out, it only goes to verified Internet addresses. This is where having a relationship with a managed security provider can help, since it is very difficult to defend against the emerging threats of today’s cybersecurity world on your own.”

According to the Wall Street Journal, “In the past year, Hyatt Hotels Inc., Starwood Hotels & Resorts Worldwide Inc. and Hilton Worldwide Holdings Inc. all reported data breaches of their credit and debit-card processing systems.”

The post Hard Rock Finds Card Scraping Malware on its Payment System appeared first on SecurityProNews.
