Do you know what you were doing 3736 days ago?

We do! (To be clear, lest that sound creepy, we know what we were doing, not what you were doing.)

Admittedly, we didnt remember all on our own we needed the inexorable memory of the internet to help us recall what happened on 22 October 2009.

That was the official release date of Windows 7, so we armed ourselves with a fresh-out-of-the-box copy (remember boxed software?) and tried a bunch of new viruses against it.

Simply put, we took the next 10 Windows malware samples that showed up for analysis at SophosLabs, checked that they ran on the previous versions of Windows and then threw them at the all-new Windows 7.

The good news is that three of the 10 samples didnt work on Windows 7; the bad news is that seven did.

You cant really blame Microsoft for that, as much as you might like to, given that everyone expected existing software to work out of the box with the new version, despite numerous security improvements.

That was a decade ago 10 years and nearly 3 months, to be precise.

Today marks the other end of the Windows 7 story the very end of the other end, in fact.

Its the first Patch Tuesday of 2020 and once todays Windows 7 updates are shipped

thats that.

So long, and thanks for all the fish.

There wont be any more routine Windows 7 updates, as there havent been for Windows XP since Tuesday, 08 April 2014.

The problem is that new malware samples, together with new vulnerabilities and exploits, are likely to work on old Windows 7 systems in much the same way, back in 2009, that most old malware worked just fine on new Windows 7 systems.

Even if the crooks stop looking for new vulnerabilities in Windows 7 and focus only on Windows 10, theres a fair chance that any bugs they find wont be truly new, and will have been inherited in code that was originally written for older versions of Windows.

Bugs arent always found quickly, and may lie low for years without being spotted even in open source software that anyone can download and inspect at their leisure.

Those latent bugs may eventually be discovered, weaponised (to use one of the security industrys less appealing jargon terms) and exploited by crooks, to everyones unfortunate surprise.

The infamous Heartbleed flaw in OpenSSL was there for about two years before it became front-page news. In 2012, the Unix security utility sudo fixed a privilege escalation bug that had been introduced in 2007. OpenSSH patched a bug in 2018 that had sat undiscovered in the code since about 2000.

Windows 10 is significantly more secure against exploitation by hackers than Windows 7 ever was, and retrofitting those new security features into Windows 7 is just not practicable.

For example, there are numerous breaking changes in Windows 10 that deliberately alter the way things worked in Windows 7 (or remove components entirely) because theyre no longer considered secure enough.

For that reason, going forwards by upgrading can be considered both a necessary and a desirable step.

At the same time, not going forwards will leave you more and more exposed to security holes because any vulnerabilities that get uncovered will be publicly known, yet unpatched forever.

For better or for worse, the modern process of bug hunting and disclosure generally involves responsibly reporting flaws, ideally including a proof of concept that shows the vendor how the bug works in real life as a way of confirming its importance.

Then, once patches are out, its now considered not only reasonable but also important to publish a detailed expos of the flaw and how to exploit it.

As crazy as that sounds, the idea is that were more likely to write secure software in future if we can readily learn from the mistakes of the past, on the grounds that those who cannot remember history are condemned to repeat it.

The downside of the full disclosure of exploits, however, is that those disclosures are sometimes attack instructions in perpetuity against systems whose owners havent patched, cant patch, or wont patch.

Depending on whom you ask, youll see figures suggesting that somewhere between 25% and 33% (thats one-fourth to one-third) of desktop computers are still running Windows 7.

So, please dont delay do it today!

Read more here:
Windows 7 computers will no longer be patched after today - Naked Security

Fraud Prevention and Online Authentication Report 2019/2020

The Paypers interviewed Jordan Blake, BehavioSec VP of Products, on the potential of behavioural biometrics and how to best use this deep authentication technology

How does BehavioSec develop the potential of behavioural biometrics and how do your customers leverage this technology?

In 2008, BehavioSec launched with a mission: to apply the nascent area of machine learning to behavioural biometrics the concept of leveraging someones behaviour to positively identify them. Today, our companys software platform protects billions of transactions across mobile apps and Websites by studying users typing patterns, touch screen gestures and even the way they hold their devices to discern authentic users behaviour from criminals, bots, or malware used to commit fraud, hijack accounts, or steal data. Customers leverage our platform in two primary ways: They use it to drastically reduce the number of legitimate end-users who are unnecessarily targeted by existing, noisy authentication signals. When an organisation isnt able to establish that an end-user is authentic, that user may be inconvenienced in a number of ways such as by having to answer obscure security questions, respond to CAPTCHAs, deal with heavy-handed password measures and may be subject to account lockouts and long phone calls to customer service. Organisations that utilise BehavioSec can significantly reduce reliance on such unfriendly safety measures.

Our platform is also leveraged to reduce fraud and the costs associated with it. Fraudsters find myriad ways to scam their way into users accounts, whether it be leveraging a shared password found in a data breach, targeting thousands of accounts with a login bot, performing a sophisticated SIM swap attack or even coaching a user over the phone (i.e. a voice-phishing or vishing attack). Regardless of the tactics used, our technology profiles authentic user behaviour in such a way that a fraudster, even with the keys to the proverbial kingdom, simply cannot replicate it.

By bringing BehavioSec into the mainstream market, our efforts are influencing the standards and norms in the industry, bringing about changes that help reduce the amount of financial loss that organisations incur every year due to cyber theft and fraud. In the fight to protect consumers from ever resourceful fraudsters and cybercriminals, behavioural biometrics offers significant advantages over other authentication technologies. We turn users into securitys strongest link by helping them stop attacks by just being themselves.

Could you thoroughly explain how continuous authentication works?

A consistent, individual signature marks the essence of human movement and touch every movement you make is influenced by personal style/preferences, speed, pressure, and dexterity. This also applies in the digital world. No one else can replicate exactly how we physically interact with our devices. BehavioSecs platform plays off this, continuously monitoring, and authenticating users based on their unique physical behaviours, throughout each session, not just once at login.

Powered by this unique application of behavioural biometrics, our companys platform integrates with websites and apps to analyse user behaviour in real time, enabling organisations to block or flag suspect transactions.

This anti-fraud protection surpasses one-time authentication measures like passwords and thumbprints by enabling organisations to invisibly and unobtrusively authenticate users by validating their personal mannerisms.

In which way is behavioural biometrics relevant in the PSD2s SCA context?

The PSD2 mandates that payment service providers must ensure Strong Customer Authentication (SCA), which comprises at least two factors from three different categories knowledge (e.g. password), possession (e.g. smartphone), and inherence (e.g. unique attributes of an individuals behaviour, like patterns in how users hold their mobile devices and interface with websites and browsers). Behavioural biometrics is an ideal technology for PSD2 compliance because it combines inherence with traditional login credentials, offering dramatically enhanced defences from account hijacking and fraud. Every customer and business handling online payments face mounting threats of fraud and abuse because login credentials are widely breached, and it is trivial for bots and other malicious programs to impersonate account holders names and devices. Behavioural biometrics breaks this cycle by giving institutions and payment companies the ability to block login attempts that deviate from known users behaviours.

There are several challenges for behavioural biometrics application related to privacy, impersonation attack (spoofing), and even error rates. How does your company meet these challenges to make this technology work at its best?

Privacy can be very well managed with this technology. For example, we do not gather or use any end user biometric data, nor are we interested in capturing PII like credentials. We provide the software platform that our customer organisations around the world then administer in their operations to protect their services and consumers.

Additionally, another benefit of our platform is the accuracy and low error rates. The platform has proven itself to yield low false positive alerts and delivers detailed information for real-time fraud detection and forensic purposes. Our customers discover measurable cost savings from lower fraud incidences, coupled with fewer customer support calls and false positive issues associated with traditional authentication tools across billions of transactions and millions of users.

What other developments do you have in the pipeline for 2020?

Our goal is to enable customers to mitigate risk and further link security and trust to their brands. We have ongoing product updates being introduced that further strengthen BehavioSecs platform and break the otherwise chronic password breach cycle.

About Jordan Blake

Jordans role as BehavioSecs VP of Products drives the vision and growth of cyber safety solutions while in addition to ensuring quality and client satisfaction. His 20-year career in product management, internet security, cyber security, and cyber safety solutions makes him the best choice to lead the product division. Jordan has held many Product Management roles with global industry leaders like IBM, and Symantec.

About BehavioSec

Founded in 2008 out of groundbreaking academic research, BehavioSecs technology allows companies to continuously verify digital identities with superior precision, in real-time. BehavioSec is the only enterprise-grade vendor used in global deployments safeguarding billions of transactions. BehavioSec investors include Forgepoint Capital, Cisco, ABN AMRO, Conor Ventures and Octopus Ventures.

See original here:
Interview with Jordan Blake on the potential of behavioural biometrics - The Paypers

Zacks Investment Research cut shares of Cyren (NASDAQ:CYRN) from a strong-buy rating to a hold rating in a report published on Tuesday morning, Zacks.com reports.

According to Zacks, Cyren Ltd. provides messaging, antivirus and Web security solutions. The Companys messaging solutions include anti-spam, Outbound Spam Protection for service providers, Zero-Hour virus outbreak protection and GlobalView Mail Reputation services, as well as Command Antivirus and GlobalView URL Filtering services. It offers its solutions to network and security vendors offering content security gateways, unified threat management solutions, network routers and appliances, anti-virus solutions and to service providers, such as software-as-a-service vendors, Web hosting providers and Internet service providers. Cyren Ltd., formerly known as Commtouch Software Ltd., is headquartered in Herzliya, Israel.

Cyren stock opened at $1.28 on Tuesday. The stock has a market capitalization of $75.93 million, a PE ratio of -4.13 and a beta of 0.28. Cyren has a twelve month low of $1.11 and a twelve month high of $2.79. The company has a quick ratio of 0.90, a current ratio of 0.90 and a debt-to-equity ratio of 0.49. The company has a 50 day moving average of $1.31 and a 200-day moving average of $1.54.

Cyren (NASDAQ:CYRN) last released its quarterly earnings results on Wednesday, November 13th. The technology company reported ($0.06) earnings per share for the quarter, beating the Thomson Reuters consensus estimate of ($0.07) by $0.01. The company had revenue of $9.50 million during the quarter, compared to analysts expectations of $9.80 million. Cyren had a negative net margin of 47.56% and a negative return on equity of 68.95%. Equities analysts anticipate that Cyren will post -0.3 EPS for the current fiscal year.

Several institutional investors have recently added to or reduced their stakes in CYRN. BlackRock Inc. acquired a new position in shares of Cyren in the second quarter valued at approximately $25,000. Renaissance Technologies LLC raised its position in Cyren by 1.0% during the second quarter. Renaissance Technologies LLC now owns 648,763 shares of the technology companys stock worth $1,122,000 after acquiring an additional 6,130 shares in the last quarter. Finally, White Pine Capital LLC raised its position in Cyren by 33.2% during the second quarter. White Pine Capital LLC now owns 689,480 shares of the technology companys stock worth $1,193,000 after acquiring an additional 171,680 shares in the last quarter. Institutional investors own 52.06% of the companys stock.

About Cyren

CYREN Ltd., together with its subsidiaries, provides information security solutions for protecting Web, email, and mobile transactions worldwide. The company operates Cyren Cloud Security, a SaaS security platform, which provides Internet security services, including Web Security that provides the enforcement of Web policy and state-of-the-art threat protection for business users; DNS Security, which allows businesses to protect employees at headquarters, visitors in remote offices, customers at retail stores, or students on a campus; Email Security, a cloud-based secure email gateway; and Cloud Sandboxing that protects businesses against breaches and data loss from threats.

Read More: Derivative

Get a free copy of the Zacks research report on Cyren (CYRN)

For more information about research offerings from Zacks Investment Research, visit Zacks.com

Receive News & Ratings for Cyren Daily - Enter your email address below to receive a concise daily summary of the latest news and analysts' ratings for Cyren and related companies with MarketBeat.com's FREE daily email newsletter.

The rest is here:
Cyren (NASDAQ:CYRN) Stock Rating Lowered by Zacks Investment Research - Riverton Roll

There are a lot of password managers out there. In this article, you can find out why you should use them, how to use them, and what do they provide you with.

The dependency on online services is increasing day by day. Thus a large amount of confidential data like credit card numbers, bank account details, and account passwords are being stored on servers, always under the risk of getting stolen in a data breach incident. The Internet and online business for people are becoming inevitable in todays world, and because of that, online security is in high demand. People tend to keep passwords that are easy to remember, and this is what hackers take advantage of.

Passwords containing names, phone numbers, etc. are often easily guessable or can be cracked easily with a word list. A secure password must contain arbitrary numbers, characters, and special characters and must be at least eight characters long. Brute forcing these passwords would seem infeasible if they are long enough, containing arbitrary characters and numbers. Keeping secure, non-guessable passwords should be the highest priority when creating an online account, keeping in mind the consequences of not doing so. Using arbitrary passwords is the safest way to secure an online account.

Password managers are not a new concept. They have been in existence for more than a decade now. Password managers usually come as a bundle with three key features:

Some password managers implement a local database to store all the passwords while some use remote encrypted online stores. For example, Keeper Password Manager & Digital Vault has that kind of feature. It also provides users with dark web protection, secured cloud vault & encrypted chat services for the ultimate protection for your business and personal use. You can find more specific information about Keeper Password Manager & Digital Vault here. These password managers are accessible through web applications or mobile applications. Apart from these, hardware devices can also be used as password managers.

Using password managers that use a single master password to encrypt all your account passwords, so that it can provide you with better cybersecurity and information requires a central authority that stores the encrypted data on a server. Retrieving these passwords from the server requires an active Internet connection. To tackle this, the password managers tend to store the encrypted vault on the users device. If the device is stolen/lost, or if the master password is not strong enough, all the data may be compromised.

Storing private data on central servers may often produce a feeling of mistrust since there is always a chance of data getting breached. Even though hardware password managers are secure, it involves carrying the hardware device everywhere. If the device is lost, as no online backups are kept, all the password data is lost. Some password managers are local-storage-based but use a web interface to interact with the user. A small flaw in the algorithm design may break the complete system. Also, one has to ensure that the data from the server is synced with multiple instances of the app on various platforms like mobile, computers, smartwatches, and so on. If they are not in sync, a newly added password to the vault may not be accessible from a different or new device. A personal device on which the password manager app is stored is always needed to access the passwords.

The master password generator algorithm is an algorithm that doesnt store passwords anywhere. The setup starts with the user selecting a master password. Then, the user enters the website for which he/she wants a password. Afterward, the user selects the type of password numeric, alphanumeric, character only, or a passphrase. The algorithm generates a new, secure, and unique password for the website. The user then sets this generated password as the password for the site. This algorithm ensures that every time you enter the master password and the website name correctly, it will produce the same password as generated initially.

Thus, passwords are created on-the-fly. The only inconvenience involved in this method is changing the existing insecure website passwords to these newly generated passwords, which is to be done just once. After the initial setup phase, the algorithm will always create the desired password, provided that the master password, website name, and password type are the same. This algorithm does not restrict itself to generating arbitrary passwords. It can also create PINs or even passphrases.

A passphrase is a set of unpredictable but meaningful words used together as a password. They are easy to remember due to the usage of common words, and the master password uniquely produces them. The major advantage of this password manager is that there is no way of breaching any data. Also, there is no way for the attacker to know whether his/her guess of the master password is correct or not since the master password algorithm will always have a unique set of passwords associated with the master password. The algorithm can be implemented as a web, mobile, or a standalone desktop application, with the same algorithm implemented on all platforms.

The algorithm can be deployed as a complete password manager application, running cross-platform. An extension to this can be to the creation of a browser plugin/extension that can be used to auto-fill passwords on websites. The password generation algorithm is not restricted to a particular programming language. The accessibility of the password manager is crucial, and hence it should be implementable on a variety of platforms, which includes websites, phone applications, and desktop applications. It may also be possible to create a stand-alone hardware device that will have a biometric sensor, USB HID (human interface device) capability, and buttons for site selection.

Such a device could be attached to any device that accepts USB keyboards, and the generated passwords can then be entered without a driver. However, requirements for such hardware to existing are algorithms that can produce a hash based on fingerprint minutiae that must be studied and carefully applied. Such a hardware device will be cost-effective to construct, would work for any person (no storage and no vendor lock-in), and on any device which accepts USB HID keyboard input. If device manufacturers deem fit, all upcoming devices can implement this functionality by default, virtually eliminating the need ever to remember passwords or use weak ones.

Photo credit: The feature image has been done by Jezael Melgoza. The photo of the USB dongle has been taken by Sara Kurfe. The picture woman in black was prepared by Donny Jiang. The photo womens blue denim jeans was done by Joshua Gandara.Source: Sophie Anderson (Safety Detectives) / Alison Grace Johansen (NortonLifeLock) / Merriam-WebsterEditorial notice: This article has been made possible by site supporters.

Link:
Password Managers: What Are They & How to Use Them? - TechAcute