Category Archives: Internet Security
EARN IT Act threatens end-to-end encryption – Naked Security
While were all distracted by stockpiling latex gloves and toilet paper, theres a bill tiptoeing through the US Congress that could inflict the backdoor virus that law enforcement agencies have been trying to inflict on encryption for years.
At least, thats the interpretation of digital rights advocates who say that the proposed EARN IT Act could harm free speech and data security.
Sophos is in that camp. For years, Naked Security and Sophos have said #nobackdoors, agreeing with the Information Technology Industry Council that Weakening security with the aim of advancing security simply does not make sense.
The first public hearing on the proposed legislation took place on Wednesday. You can view the 2+ hours of testimony here.
Called the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act), the bill would require tech companies to meet safety requirements for children online before obtaining immunity from lawsuits. You can read the discussion draft here.
To kill that immunity, the bill would undercut Section 230 of the Communications Decency Act (CDA) from certain apps and companies so that they could be held responsible for user-uploaded content. Section 230, considered the most important law protecting free speech online, states that websites arent liable for user-submitted content.
Heres how the Electronic Frontier Foundation (EFF) frames the importance of Section 230:
Section 230 enforces the common-sense principle that if you say something illegal online, you should be the one held responsible, not the website or platform where you said it (with some important exceptions).
EARN IT is a bipartisan effort, having been introduced by Republican Lindsey Graham, Democrat Richard Blumenthal and other legislators whove used the specter of online child exploitation to argue for the weakening of encryption. This comes as no surprise: in December 2019, while grilling Facebook and Apple, Graham and other senators threatened to regulate encryption unless the companies give law enforcement access to encrypted user data, pointing to child abuse as one reason.
What Graham threatened at the time:
Youre going to find a way to do this or were going to go do it for you. Were not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion.
One of the problems of the EARN IT bill: the proposed legislation offers no meaningful solutions to the problem of child exploitation, as the EFF says:
It doesnt help organizations that support victims. It doesnt equip law enforcement agencies with resources to investigate claims of child exploitation or training in how to use online platforms to catch perpetrators. Rather, the bills authors have shrewdly used defending children as the pretense for an attack on our free speech and security online.
If passed, the legislation will create a National Commission on Online Child Sexual Exploitation Prevention tasked with developing best practices for owners of Internet platforms to prevent, reduce, and respond to child exploitation online. But, as the EFF maintains, Best practices would essentially translate into legal requirements:
If a platform failed to adhere to them, it would lose essential legal protections for free speech.
The best practices approach came after pushback over the bills predicted effects on privacy and free speech pushback that caused its authors to roll out the new structure. The best practices would be subject to approval or veto by the Attorney General (currently William Barr, whos issued a public call for backdoors), the Secretary of Homeland Security (ditto), and the Chair of the Federal Trade Commission (FTC).
The bill doesnt explicitly mention encryption. It doesnt have to: policy experts say that the guidelines set up by the proposed legislation would require companies to provide lawful access: a phrase that could well encompass backdoors.
CNET talked to Lindsey Barrett, a staff attorney at Georgetown Laws Institute for Public Representation Communications and Technology Clinic who said that the way that the bill is structured is a clear indication that its meant to target encryption:
When youre talking about a bill that is structured for the attorney general to give his opinion and have decisive influence over what the best practices are, it does not take a rocket scientist to concur that this is designed to target encryption.
If the bill passes, the choice for tech companies comes down to either weakening their own encryption and endangering the privacy and security of all their users, or foregoing Section 230 protections and potentially facing liability in a wave of lawsuits.
Kate Ruane, a senior legislative counsel for the American Civil Liberties Union, had this to say to CNET:
The removal of Section 230 liability essentially makes the best practices a requirement. The cost of doing business without those immunities is too high.
Tellingly, one of the bills lead sponsors, Sen. Richard Blumenthal, told the Washington Post that hes unwilling to include a measure that would stipulate that encryption is off-limits in the proposed commissions guidelines. This is what he told the newspaper:
I doubt I am the best qualified person to decide what best practices should be. Better-qualified people to make these decisions will be represented on the commission. So, to ban or require one best practice or another [beforehand] I just think leads us down a very perilous road.
The EARN IT Act joins an ongoing string of legal assaults against the CDAs Section 230. Most recently, in January 2019, the US Supreme Court refused to consider a case against defamatory reviews on Yelp.
Weve also seen actions taken against Section 230-protected sites such as those dedicated to revenge porn, for one.
In March 2018, we also saw the passage of H.R. 1865, the Fight Online Sex Trafficking Act (FOSTA) bill, which makes online prostitution ads a federal crime and which amended Section 230.
In response to the overwhelming vote to pass the bill it sailed through on a 97-2 vote, over the protests of free-speech advocates, constitutional law experts and sex trafficking victims Craigslist shut down its personals section.
Besides the proposed bill containing no tools to actually stop online child abuse, it would actually make it much harder to prosecute pedophiles, according to an analysis from The Center for Internet and Society at Stanford Law School. As explained by Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity, as it now stands, online providers proactively, and voluntarily, scan for child abuse images by comparing their hash values to known abusive content.
Apple does it with iCloud content, Facebook has used hashing to stop millions of nude childrens images, and Google released a free artificial intelligence tool to help stamp out abusive material, among other voluntary efforts by major online platforms.
The key word is voluntarily, Pfefferkorn says. Those platforms are all private companies, as opposed to government agencies, which are required by Fourth Amendment protections against unreasonable search to get warrants before they search our digital content, including our email, chat discussions, and cloud storage.
The reason that private companies like Facebook can, and do, do exactly that is that they are not the government, theyre private actors, so the Fourth Amendment doesnt apply to them.
Turning the private companies that provide those communications into agents of the state would, ironically, result in courts suppression of evidence of the child sexual exploitation crimes targeted by the bill, she said.
That means the EARN IT Act would backfire for its core purpose, while violating the constitutional rights of online service providers and users alike.
Besides the EFF, the EARN IT bill is facing opposition from civil rights groups that include the American Civil Liberties Union and Americans for Prosperity, Access Now, Mozilla, the Center for Democracy & Technology, Fight for the Future, the Wikimedia Foundation, the Surveillance Technology Oversight Project, the Consumer Technology Association, the Internet Association, and the Computer & Communications Industry Association.
Earlier this month, Sen. Ron Wyden, who introduced the CDAs Section 230, said in a statement that the disastrous legislation is a Trojan horse that will give President Trump and Attorney General Barr the power to control online speech and require government access to every aspect of Americans lives.
Read my full statement on the disastrous EARN IT Act, which will give Bill Barr and Donald Trump more control over twitter.com/i/web/status/1
Wydens statement didnt specifically mention encryption, but his office told Ars Technica that when [the senator] discusses weakening security and requiring government access to every aspect of Americans lives, that is referring to encryption.
Continued here:
EARN IT Act threatens end-to-end encryption - Naked Security
The EARN IT Bill Is the Government’s Plan to Scan Every Message Online – EFF
Imagine an Internet where the law required every message sent to be read by government-approved scanning software. Companies that handle such messages wouldnt be allowed to securely encrypt them, or theyd lose legal protections that allow them to operate.
Take Action
Stop the Graham-Blumenthal Attack on Encryption
Thats what the Senate Judiciary Committee has proposed and hopes to pass into law. The so-called EARN IT bill, sponsored by Senators Lindsay Graham (R-GA) and Richard Blumenthal (D-CT), will strip Section 230 protections away from any website that doesnt follow a list of best practices, meaning those sites can be sued into bankruptcy. The best practices list will be created by a government commission, headed by Attorney General Barr, who has made it very clear he would like to ban encryption, and guarantee law enforcement legal access to any digital message.
The EARN IT bill had its first hearing today, and its supporters strategy is clear. Because they didnt put the word encryption in the bill, theyre going to insist it doesnt affect encryption.
This bill says nothing about encryption, co-sponsor Sen. Blumenthal said at todays hearing. Have you found a word in this bill about encryption? he asked one witness.
Its true that the bills authors avoided using that word. But they did propose legislation that enables an all-out assault on encryption. It would create a 19-person commission thats completely controlled by the Attorney General and law enforcement agencies. And, at the hearing, a Vice-President at the National Center for Missing and Exploited Children (NCMEC) made it clear [PDF] what he wants the best practices to be. NCMEC believes online services should be made to screen their messages for material that NCMEC considers abusive; use screening technology approved by NCMEC and law enforcement; report what they find in the messages to NCMEC; and be held legally responsible for the content of messages sent by others.
You cant have an Internet where messages are screened en masse, and also have end-to-end encryption any more than you can create backdoors that can only be used by the good guys. The two are mutually exclusive. Concepts like client-side scanning arent a clever route around this; such scanning is just another way to break end-to-end encryption. Either the message remains private to everyone but its recipients, or its available to others.
The 19-person draft commission isnt any better than the 15-person commission envisioned in an early draft of the bill. Its completely dominated by law enforcement and allied groups like NCMEC. Not only will those groups have a majority of votes on the commission, but the bill gives Attorney General Barr the power to veto or approve the list of best practices. Even if other commission members do disagree with law enforcement, Barrs veto power will put him in a position to strongarm them.
The Commission wont be a body that seriously considers policy; it will be a vehicle for creating a law enforcement wish list. Barr has made clear, over and over again, that breaking encryption is at the top of that wish list. Once its broken, authoritarian regimes around the world will rejoice, as they have the ability to add their own types of mandatory scanning, not just for child sexual abuse material but for self-expression that those governments want to suppress.
The privacy and security of all users will suffer if U.S. law enforcement is able to achieve its dream of breaking encryption. Senators should reject the EARN IT bill.
Take Action
Stop the Graham-Blumenthal Attack on Encryption
Follow this link:
The EARN IT Bill Is the Government's Plan to Scan Every Message Online - EFF
Apples WWDC 2020 is on in a purely digital way – Pickr
Apple wont be assembling people in a room while coronavirus is an issue, but it will run its Worldwide Developers Conference in the online world.
The COVID-19 coronavirus is killing events and sporting events regularly, including mass gatherings, but it wont stop those who go online.
In the online world, theres no risk of catching a physical virus. While you still want to have some form of internet security on your computer to protect you from the nasties, you can talk and shake digital hands with anyone you meet without the fear of catching something, making online gatherings a thing of the now, especially while were being told real events wont happen for similar reasons.
To that end, Apple will be holding its typically in-person Worldwide Developers Conference WWDC online this year in June, instead of at a hall in San Jose.
The approach keeps the show going into its 31st year, and will allow developers from across the world, as well as consumers in general, the chance to check out whats new from Apple across iOS, iPadOS, macOS, watchOS, tvOS, and likely bits and pieces of Apple hardware that could be announced.
Apple hasnt said exactly how this will happen, though the company has said that WWDC 2020 will take on an entirely new online format, so were hoping for more than just a webcam. Its worth noting that back in the day, Apple created not just QuickTime for video, but QuickTime VR for 360 degree video, which was the forerunner to how virtual reality videos are created today in the niche that plays them. QuickTime VR hasnt been active for quite some time, but its possible that Apple is working on something a little more innovative than a mere web conference, and we could be seeing that in use in the online WWDC 2020 environment.
We are delivering WWDC 2020 this June in an innovative way to millions of developers around the world, bringing the entire developer community together with a new experience, said Phil Schiller, Senior Vice President of Worldwide Marketing at Apple.
The current health situation has required that we create a new WWDC 2020 format that delivers a full program with an online keynote and sessions, offering a great learning experience for our entire developer community, all around the world, he said. We will be sharing all of the details in the weeks ahead.
Based on this, if youre an Apple developer, you need not make travel plans for WWDC in June for a change, and should be able to experience some of those changes in an online way from the comfort of your own home.
See the article here:
Apples WWDC 2020 is on in a purely digital way - Pickr
The pitfalls of being an influencer: What parents should know and do – We Live Security
Does your child dream of becoming a YouTube or Instagram celebrity? The influencer lifestyle is not as picture-perfect as it may seem.
The rise of the internet has led to the rise of the social media influencer, altering the aspirations of children around the world. A recent survey of 2,000 parents of 11 to 16-year-olds shows that doctors (18%) are still number one on the dream job list, but they are closely followed by social media influencers (17%) and, more specifically, YouTubers (14%).
Being an online celebrity might look glamorous, but what are the risks? The digital world can hide a range of dangers, and its important that both children and their parents are aware of the threats.
Many young influencers, who base their self-worth on the likes and shares they receive, struggle if the interest of the online crowd fades. Basing self-esteem on public acknowledgement from strangers at an early age is risky this is especially true considering that feedback on the internet can often be even more aggressive as anonymity is heightened and the commentator can hide behind their screen.
Any person in the social media limelight will inevitably have to face online hate. Comment sections flooded with hateful messages are an emotional drag while actual threats are frightening for anyone, no matter their age.
Parents can help their children by moderating comments and reporting inappropriate behavior to administrators, but this is not feasible when large numbers of people are involved.
Kim Kardashian is one of the most influential figures on social media someone who likes to post and share everything from her private life. During one of her visits to Paris this backfired in the worst possible way when she was robbed at gun point, with criminals stealing jewelry worth US$8 million. It later came to light that the heist was organized based simply on following Kims whereabouts on social media posts. This example of oversharing should be a warning to anyone, especially to young influencers who will do almost anything to please their followers.
Parental guidance at the start a childs digital life is essential. It helps set healthy boundaries between public and private life on social media. Remember anything posted online will stay there forever.
Nowadays we spend so much time in the digital world that we often feel like its the real world, and so young children tend to overlook the simple fact that followers are not real friends. Anonymous online crowds will not be there when they need a break from the latest social media craze or be their confidant in difficult times. Real friends and family cannot be replaced and should not be neglected in favor of a digital life.
To learn more about dangers faced by children online as well as about how not only technology can help, head over to the to the Safer Kids Online platform.
See the original post here:
The pitfalls of being an influencer: What parents should know and do - We Live Security
25 tips for navigating the internet today – Alton Telegraph
25 tips for navigating the internet today
The internet continues to become more complex, and the changing social norms and constant scam threats can exhaust even canny users. Stacker compiled a list of 25 tips you can use each day to stay safe, avoid scams, and keep your personal information personalalong with some security specifics and search tips. The best tips from public agencies and portals like USA.gov, the U.S. Department of Homeland Security, Grants.gov, the U.S. Food & Drug Administration, and the FBIwere combined;the...
25 tips for navigating the internet today
The internet continues to become more complex, and the changing social norms and constant scam threats can exhaust even canny users. Stacker compiled a list of 25 tips
Photo: LinkedIn Sales Navigator // Unsplash
25 tips for navigating the internet today
The internet continues to become more complex, and the changing social norms and constant scam threats can exhaust even canny users. Stacker compiled a list of 25 tips you can use each day to stay safe, avoid scams, and keep your personal information personalalong with some security specifics and search tips. The best tips from public agencies and portals like USA.gov, the U.S. Department of Homeland Security, Grants.gov, the U.S. Food & Drug Administration, and the FBIwere combined;the...
25 tips for navigating the internet today
The internet continues to become more complex, and the changing social norms and constant scam threats can exhaust even canny users. Stacker compiled a list of 25 tips
25 tips for navigating the internet today
This slideshow goes through security and safety tips, as well as some best practices for staying happy and connected online. Its compiled from public agencies and portals like USA.gov, the U.S. Department of Homeland Security, Grants.gov, the U.S. Food & Drug Administration, and the FBI.
This article was first published on theStacker.com
Visit link:
25 tips for navigating the internet today - Alton Telegraph
Interos Raises $17.5M from Venrock and Kleiner Perkins to Grow Third-Party Risk Management Platform – GlobeNewswire
ARLINGTON, Va., March 12, 2020 (GLOBE NEWSWIRE) -- Interos, the first and only multi-tier, multi-factor third-party risk management platform, today announced it has raised $17.5 million in a Series B funding round to accelerate data science and engineering growth, expand personnel and boost sales to drive commercial momentum for its leading risk management platform.
The funding comes after Interos tripled its headcount, increased annual recurring revenue by 700% and hiked SaaS subscription bookings by 693% in 2019. With the funding, Interos expects to capitalize on last years growth and more than double its personnel in 2020, hiring more staff to augment its proprietary software, which exposes critical risks in the global supply chain for leading private and public sector customers.
The round was led by first-time investor Venrock with participation from Kleiner Perkins.
After a strong 2019, this funding shows Interos has already secured major support in 2020 from the worlds most successful investors, said Jennifer Bisceglie, CEO and founder of Interos. Like our customers, investors see the value of the Interos platform, which is critical for global businesses in 2020. From events like the coronavirus to political unrest, companies need a platform that exposes risks and identifies how events affect suppliers around the world the moment they happen.
The latest funding underscores Interos strong 2019 and positions the company as a leader in third-party risk management. Risk leaders use the Interos platform to accelerate due diligence, eliminate environment, social and governance (ESG) risk and ensure the resilience of the worlds most complex supply chains.
Interos is one of the most compelling big data and AI companies Ive come across in the last decade, said Nick Beim, Venrock partner. Over the last 20 years, global supply chains have grown so rapidly and with so much opacity that most companies dont know who theyre working with or who theyre dependent on. Theres so much data to gather to fully understand those risks, and Interos helps companies address these urgent, strategic issues with a brand new set of capabilities.
Interos also recently added Phil Venables, a widely sought-after cybersecurity and risk expert to its board of directors. Venables distinguished career includes previously serving as Goldman Sachs first Chief Information Security Officer and Head of Technology Risk, and as its Chief Operational Risk Officer. Prior to his work at Goldman Sachs, Venables was the Chief Information Security Officer at Deutsche Bank. Venables serves on the Executive Committee of the U.S. Financial Services Sector Coordinating Council for Critical Infrastructure Protection, is co-chair of the Board of Sheltered Harbor, and is a member of the boards of the Center for Internet Security and the NYU Tandon School of Engineering. He is also an advisor to the cybersecurity efforts of the U.S. National Research Council and the Institute for Defense Analyses.
Interos has worked with the U.S. Department of Defense, NASA and Department of Energy critical infrastructure. Interos uses machine learning to build and maintain the worlds largest knowledge graph of over 50 million relationships to discover and monitor the entirety of a supplier ecosystem. Each month, Interos ingests over 85,000 information feeds, processing over 250 million risks a month. Interos instantly visualizes the most complex multi-tier relationships, updating and alerting to changes in risk along five factors: financial, operations, governance, geographic and cyber.
"In todays interconnected world, Interos is bringing clarity to the muddled, confusing nature of supplier relationships, said Ted Schlein, partner at Kleiner Perkins. By automating due diligence, leveraging sophisticated technology and exposing vital risks, Interos shines a light on an otherwise opaque global supply chain.
About InterosInteros protects customers brand and operations from risk in their extended supply chains and business relationships. The first AI-powered platform for eliminating multi-tier, multi-factor risk from 3rd, 4th to Nth tier parties, Interos automates discovery, detection, and response to financial, governance, geographic, cyber and operational risk. Designed by experts and leveraging the companys 15 years of experience in managing risk in the worlds most complicated supply chains, Interos provides real-time risk management for Fortune 500 brands in manufacturing, financial services, and aerospace and defense.
For more information, visit http://www.interos.ai.
Contact
Highwire Public Relationsinteros@highwirepr.com
Read more from the original source:
Interos Raises $17.5M from Venrock and Kleiner Perkins to Grow Third-Party Risk Management Platform - GlobeNewswire
Why Are Internet Security Standards Badly Deployed and What to Do About It? – CircleID
In 2019 under the aegis of the Internet Governance Forum, a pilot project was conducted into the causes of and solutions for the, in general, slow deployment of internet security standards. Standards that on mass deployment make the Internet and all its users safer, indiscriminately, immediately.
The report
Recently the report 'Setting the standard. For a more Secure and Trustworthy Internet. The Identification of Pressure Points in Society to Speed up Internet Standards Deployment', was published on the IGF website. Information was gathered by means of an international survey, breakout sessions at the IGF, dozens of interviews with stakeholders and desk research. It focused on two questions: 1) What are the reasons for slow deployment? and; 2) What are solutions to speed up deployment? This showed that underneath all other provided reasons lies a collective action problem. To break out of this state of inertia, 6 recommendations, 25 identified pressure points in society, and 7 action plans are presented including identified stakeholders who have to be(come) involved to have a chance at success in speeding up deployment.
Six standards
The project took six standards as examples to start the discussion, three internet standards by the official definition, DNSSEC, RPKI and bcp38 and three not: OWASP top 10, ISO 27001 and the Safe Software Alliance principles. For ease of writing and reading, all are called internet standards within this context.
Causes
Many participants agreed on the main cause for the slow uptake: the lack of a business case. If there is no demand, in general, there's no offer. Research showed that there are underlying causes. The report shows that there is a lack of pressure on decision-makers; from the sides that matter. As far it was able to ascertain and no one pointing to another conclusion, there is no(t enough) pressure from laws/regulation, media, or consumer organisations. As one of the interviewees stated: "No one cares if you deploy and no one cares if you don't."
Additionally, the overwhelming majority of consumers are not willing to pay for security measures, while/because of not understanding the implications of insecurity. The entrepreneurs willing to deploy, face a negative business case, or operate in a niche market.
Another important conclusion is that it is not (just) technically proficient employees deciding on deployment of the standards. Yet, outreach from the technical community is often aimed at these people. Unfortunately, not reaching the level of success needed to make the Internet safer, as they do not decide on deployment. This calls for different aims and for a change of narrative. It is the owners, board members, financial officers who need convincing. That may take pressure from other stakeholders to achieve change.
Governments have not taken internet standards into law (ISO 27001 is a voluntary exception), as is the preferred situation of nearly all we've spoken to. At the same time most of the efforts of governments (agencies) but also e.g., banks concerning cybersecurity are aimed at the only stakeholder with limited power where deployment of standards is concerned: the consumer or "user" as the internet industry prefers to call its customers. In other words, there are no carrots and no sticks of any kind, making it far worse than having no business case.
Collective Action Problem
All this results in a collective action problem, where there is no demand and no incentive to change behaviour and deploy the Internet standards. Usually, it is the government that society looks towards for solutions. In many sectors, this is completely normal and accepted behaviour. Health, (air)traffic , agriculture, etc., etc.. A question in need of an answer is, what makes the Internet so different and justifies the absence of governments, while the market cannot solve the enormous security challenges facing it? Perhaps it becomes necessary to look at the problem as a (digital) health issue. What perspectives does that provide to act upon?
This report does not answer these questions. It searched for potential solutions and pressure points in society that can contribute to breaking up the collective action problem. A few examples are presented below.
Recommendations
The six recommendations are an accumulation of advice provided. Although there is a near consensus among participants that action is needed, there is no consensus on the precise way forward. The first five were tested in the breakout sessions (number 6 came out of the sessions) at the IGF and are seen as sensible.
1. 'Create a business case for the deployment of internet standards.'2. 'To deploy internet standards successfully, they need to be incorporated by reference into law or legally binding regulations, including a designated regulator.'3. 'To deploy internet standards successfully requires building security by design/default into products and services.'4. 'All stakeholders should collaborate on coherent strategies for multilingual awareness-raising of internet standards and their effect on internet security.'5. 'Internet standards and architecture must become part of education curricula.'6. 'Standardisation processes are advised to include a consultation phase with government and industry policy makers and civil society experts.'
The paradox this report bares is that a large proportion of the participants see legislation as the only option to force the industry into deploying, yet no one wants it. As legislation is seen as the least desirable option, this comes with a moral obligation to step up on all others. No legislation can and may not equal non-deployment. Hence the pressure on those having to deploy needs to be created elsewhere. The report mentions 25 options, from parliamentarians addressing the issue to industry, to consumer organisations testing ICT services and products, from regulation to media publications.
Next steps
Where deployment of standards is concerned, a government can take on a few roles. Standards could be demanded by them through procurement. Standards could be demanded on the basis of duties to care. A question in need of an answer is what regulators can achieve on the basis of current laws, whether telecommunication, privacy, consumer, etc.. When all else fails, the government is the legislator, but even then, cooperation is of utmost importance.
Mistrust of governments is one of the reasons mentioned why the technical community remains more or less aloof from other stakeholders that could play a role in making deployment happen. It is of the greatest importance that these others understand what internet standards are, why they exist, how they are made, and what the importance of deployment is for a more secure internet. To ensure that the future measures are the right ones, interaction is key. Hence the reason this report invites IETF en ISOC to participate actively in the next phase and assist in the creation of a change of narrative and the direction of outreach, to prevent legislation where possible. Their role lies in leading the other stakeholders forward and to make plausible deniability of not having heard of Internet standards in need of deployment impossible at the highest levels of industry and society at that. Why? The decision to deploy seldom is a technical decision but a financial one, an investment (without return). This calls for a different approach and narrative.
All this translates into seven actions that you can find in the report. To massively deploy internet standards is and will be a herculean task involving many stakeholders with different and most likely competing interests. Deep down, however, all stakeholders around the globe have the same interest: not to be hacked, not to have compromised or lost data, not to lose money, etc.. This is a starting point. And, when all is said and done, all will have to pay for security. That goes without saying.
Conclusion: a no-brainer
Ideally, this report is not the end but a beginning. To start work on deployment by enacting the recommendations and gather the stakeholders in the action groups. The IGF is a neutral platform where all involved are equal. The first and most difficult steps can be conducted here before the results are taken outside of the IGF to be implemented. All with one aim: to make deployment of security raising standards a no-brainer for all involved.
You can find my report on the IGF website: https://www.intgovforum.org/multilingual/content/implementing-internet-standards-and-protocols-for-a-safer-internet
See the original post:
Why Are Internet Security Standards Badly Deployed and What to Do About It? - CircleID
The Internet of Things is a security nightmare reveals latest real-world analysis: unencrypted traffic, network crossover, vulnerable OSes – The…
No less than 98 per cent of traffic sent by internet-of-things (IoT) devices is unencrypted, exposing huge quantities of personal and confidential data to potential attackers, fresh analysis has revealed.
Whats more, most networks mix IoT devices with more traditional IT assets like laptops, desktops and mobile devices, exposing those networks to malware from both ends: a vulnerable IoT device can infect PCs; and an unpatched laptop could give an attacker access to IoT devices - and vast quantities of saleable data.
Those are the big conclusions from a real-world test of 1.2 million IoT devices across thousands of physical locations in the United States, carried out by Palo Alto Networks.
The company also focused in on the healthcare industry and found a truly alarming security situation: no less than 83 per cent of medical imaging devices run on unsupported operating systems; a massive 56 per cent jump from two years ago because of the end of support for Windows 7.
That leaves hospitals vulnerable to attacks that can disrupt care or expose sensitive medical information, the report notes. In addition, 72 per cent of healthcare VLANs mix IoT and traditional assets, so the potential for hackers to access personal health data is a ticking time bomb.
The researchers estimate that more than half - 57 per cent - of IoT devices are currently vulnerable to medium or high-severity attacks, making them an obvious target for hackers. We found that, while the vulnerability of IoT devices make them easy targets, they are most often used as a stepping stone for lateral movement to attack other systems on the network, the report noted. Furthermore, we found password-related attacks continue to be prevalent on IoT devices due to weak manufacturer-set passwords and poor password security practices.
In short, the poor IoT security that people have been warning about for years now risks compromising larger networks because they are being attached to the same network; and thanks to a failure to upgrade imaging equipment to newer operating systems, hackers also have an extra route in networks where they could gather vast amounts of data from unencrypted IoT devices. A double-whammy in other words.
There is a small amount of good news: Californias new IoT law (SB-327) that requires a different password for every device - rather than manufacturer defaults - came into effect at the start of the year and is expected to cut down on easy hacks.
While that is an improvement, as we previously noted the law only deals with the lowest hanging fruit and did not include things like secure software updates which are, over time, a greater security risk - as those running Windows 7 are likely to find out over the next few years. Even a law requiring manufacturers to periodically prompt users to upgrade their software could have a massively positive security impact.
Laws requiring encryption would also be a huge help. As would a data-minimization law that requires companies to only request and store data that is needed for the functioning of their products. As would some kind of compulsory two-factor authentication.
The fear is that lawmakers will take their focus off terrible IoT security now that they passed a law eliminating default passwords. As far as we are aware, that appears to be playing out with no new security legislation working its way through the corridors of power.
The report also has some interesting observations about specific security risks and OS use. Were witnessing a shift away from attackers primary motivation of running botnets to conduct DDoS attacks via IoT devices to malware spreading across the network via worm-like features, enabling attackers to run malicious code to conduct a large variety of new attacks, the authors noted.
As for the operating systems that critical hospital equipment is using: 56 per cent are on now-unsupported Windows 7 and a vaguely terrifying 11 per cent are still using WinXP. Seven per cent are running unsupported Linux or Unix; with just two per cent using supported Linux.
The report has several pieces of advice to limit exposure to IoT related threats. First up, find out whether you have IoT devices on your network and if so, segment them across VLANs. Then patch, patch, patch - especially easy things like printers. And lastly, switch to active monitoring so you find out faster if something is going on.
Sponsored: Quit your addiction to storage
The Internet Avoided a Minor Disaster Last Week – WIRED
The impact of pulling those certificates would be swift and severe. Once browsers like Chrome and Firefox found them missing, they would flash warnings to any visitors that the sites werent safe. Some browsers would block access altogether. A not insignificant chunk of the internet would effectively be taken out of commission. All because of this one small flaw in one niche corner of the Lets Encrypt operation.
Within two minutes of confirming the bug, the Lets Encrypt team stopped issuing any new certificates in a bid to stanch the bleeding. A little over two hours after that, they fixed the bug itself. And then they let everyone know what was coming.
We cant contact everybody, so we started contacting the largest subscribers, telling them about the situation, getting them as informed as possible, says Aas. And then we worked with them to get them to replace their certificates as quickly as possible.
Once a site operator renewed a certificate, Lets Encrypt could safely revoke the old one. No harm would befall the site. Which sounds like a simple enough solutionbut nothings simple at this kind of scale.
Bigger organizations had an easier time fixing the problem, because they generally have the resources to monitor any signs of trouble that surface and the tools to automate the renewal process. If youve got a dozen or two dozen servers or something, thats some poor sleepy-eyed soul in the middle of the night at a keyboard, says MongoDBs White. We reissued a little over 15,000 certificates [for clients], and we did it in a few hours. There was some work involved, but it wasnt catastrophic. We had measures in place to be able to rotate quickly.
Smaller sites got a big assist from the Electronic Frontier Foundation, which operates Certbot, a free software tool that automatically adds Lets Encrypt certificates to sites and renews them every 60 days. In the last two months alone, Certbot has generated certificates for 19.2 million unique sites. Fortunately we had anticipated the need to check revoked certificates for renewal in 2015, says EFF engineering director Max Hunter. Because Let's Encrypt communicated the issue early, and the code path for the query was already in place, our work was relatively straightforward. By Tuesday a team from EFF, along with volunteers in Paris and Finland, had updated Certbot to renew any revoked certificates.
Meanwhile, Lets Encrypt sent an email to every address it had on file. It created a searchable database of every affected domain so that hosting companies could see if they needed to act. We marked those certificates as expired in our internal system, and then our normal automated processes kicked in to generate and deploy new certificates, says Justin Samuel, CEO of Less Bits, a startup that operates hosting company ServerPilot.
On Tuesday night, 30 minutes before the deadline, Lets Encrypt made another announcement. Of the 3 million potentially impacted sites, 1.7 million had managed to renew their certificates, an astonishing number given the short window of time. No other CA comes close to making large-scale cert reissuing not only feasible but also fast, says Samuel.
That success also emboldened Aas to make a difficult call. Lets Encrypt would let the remaining certificates slide. We made the decision that instead of breaking more than a million websites, potentially, we just arent going to revoke them by the deadline, says Aas. We think its the right decision for the health of the internet.
It was the internet equivalent of a call from the governor minutes before midnight. Lets Encrypt will continue to revoke certificates if it can confirm that the sites have renewed them, but otherwise it is content to leave them be in their slightly broken form. The security risk is small, Aas says, and since Lets Encrypt certificates are only viable for 90 days to begin with, any stragglers will have washed out of the ecosystem by summertime at the latest.
If anything, this just reinforces that they are one of the most transparent, modern certificate authorities in the world, says MongoDBs White, who points to previous certificate snafus that for-profit companies like Symantec have badly mishandled. Its easy to armchair quarterback. But I think if people are overly critical thats misplaced.
The intricacies of internet infrastructure are generally ignored until something goes terrible wrong. This time, though, its useful to reflect on what went right. For once, the story is that nothing broke.
More Great WIRED Stories
See the original post:
The Internet Avoided a Minor Disaster Last Week - WIRED
How The Internet Of Things Can Transform Workplace Safety | Baird Capital | Security News – SecurityInformed
As New York City hip hop group Non Phixion boldly proclaimed in their 2002 debut album: The Future Is Now. From drone fleets and autonomous transportation systems to smart homes with computer-controlled lighting, heating, media and security systems, a new group of highly-automated technologies is gripping the popular imagination. These technologies known collectively as the Internet of Things (IoT) form advanced ecosystems of interrelated devices with the capacity to monitor, detect, communicate and act on the real world independently of human intervention. Promising to fulfill all of our wildest technological dreams and needs, the IoT age has arrived and it looks like its here to stay.
While the consumer applications of IoT tend to receive the most attention, one area that is seeing strong growth in the uptake of IoT devices is workplace safety. Workplace safety costs businesses billions every year, and industries with especially hazardous working environments Construction, Oil & Gas, Mining, Utilities, Rail, etc. are beginning to adopt IoT technology to help minimize risk and address preventable threats. Before exploring these IoT solutions, however, let us first consider some of the key threats faced by workers in these industries.
Construction is one of the worlds most dangerous occupations, accounting for 1 in 5 worker deaths in the US and incurring tens of thousands of short- and long-term injuries each year. In construction, the major risk is falling from a height, which accounts of 26 per cent of fatal injuries in the workplace. Additional risks come from being struck by vehicles and heavy moving objects, proximity to overhead/underground high voltage power lines, confined spaces, high noise environments, and exposure to dust and fumes.
In underground mining operations, hazards include respiratory health problems
In Mining & Quarrying, sustained overexertion is the most common threat to workplace safety, accounting for 24 per cent of nonfatal injuries. In surface mining operations, specifically, the leading hazards come from geological instability (i.e. falling rocks), blast debris and collisions with large and heavy plant equipment. In underground mining operations, hazards include respiratory health problems (e.g. Black Lung), explosions and gas leaks (particularly in coal mines), heat stress, confined spaces and ionising radiation.
Other industries are often faced with some combination of the above, or similar, threats. In the Rail sector, for instance, there is high risk from collisions with vehicles, objects and machinery and vulnerability to electric shock. In Utilities, the number one risk is slips, trips and falls, accounting for 30 per cent of Lost Workday Injuries (LWIs) in 2016. And in Oil & Gas extraction, exposure to flammable gas, chemical emissions and oxygen-deficient atmospheres creates vulnerability to explosions and chemical poisoning.
What, then, is being done to tackle these threats? In a high-tech world, many safety measures currently in use hardhats, earplugs, gloves, gas masks, guardrails, harnesses, protective goggles and high visibility clothing appear decidedly primitive. Therefore, whilst these measures are still useful in minimizing risk, companies have started to integrate IoT technologies to enhance their application. These technologies bring together real-time analytics, machine learning, advanced sensors and embedded systems to offer a number of key functionalities:
Wearable technology is used to monitor a workers physiological state in real-time. Japanese wearable tech company Mitsufuji is active in this space, creating smart clothes woven from silver-metallised fibres that collect a range of data about its wearer, including heart rate and body temperature. Other examples include wristbands with bio-sensors to accurately measure stress levels and glasses that detect eye movements to identify fatigue and periods of micro-sleep.
Sensors used to measure temperature, radiation, gas leaks, carbon monoxide and other harmful chemicals can automatically alert workers to unsafe external conditions. Additionally, visual imaging software can map 3D representations of a workers environment, facilitating effective two-way communication between supervisors and personnel in the field, and remote guidance technologies provide live assistance to workers caught in serious danger (e.g. guide a miner trapped in a tunnel to the best way out).
Augmented Reality (AR) technologies offer new ways to support decision making in the field by providing holographic representations of physical equipment, while Virtual Reality (VR) technologies offer immersive situational training without the risks associated with real-life procedures. These technologies also offer up valuable behavioral data, which can be used to gauge a workers risk tolerance level and tendency to respond to danger.
Proximity detection systems utilize wearable sensors to monitor workers location, map their movements, and alert them to nearby hazards. One example of this are radio-frequency identification (RFIDs), which can measure a workers proximity to moving equipment and alert them to possible collisions and near misses. Another piece of kit is the smart helmet, which can immediately detect an accident, determine the workers location and send an alert containing coordinates to a safety control centre. The centre is able to make video and audio contact and communicate with the worker until help arrives.
Exoskeletons can assist with heavy lifting and the prevention of musculoskeletal disorders (MSDs) by analyzing worker movements and providing the necessary support. The Chairless Chair, for example, used by factory floor workers, fixes around the back and legs to provide support whenever the worker sits or crouches. Exoskeletons are also used to monitor worker movements, identifying repetitive movements and sustained periods of overexertion.
IoT innovations are helping to improve workplace safety on multiple fronts
Taken together, these IoT innovations are helping to improve workplace safety on multiple fronts. Firstly, they are preventative. By closely monitoring ones environment both internal and external IoT technologies can pre-empt and alert workers to potential dangers. Secondly, they are responsive. In the case of an accident, IoT technologies can alert supervisors and help coordinate a quick and effective response. Thirdly, they are informative. By accumulating and analyzing rich pools of data, IoT technologies can help optimize work in the field and find improved ways to limit risk.
While IoT certainly cannot eliminate all risk from the workplace it cannot prevent rocks falling in quarries, explosions on oil rigs or gas leaks in mines it can go a long way to make these environments safer and better places to work. Because when it comes down to it, workplace safety is certainly no accident!
Read the original here:
How The Internet Of Things Can Transform Workplace Safety | Baird Capital | Security News - SecurityInformed