For the Next Election, Don’t Recount the Vote. Encrypt It

Let’s be honest: The 2016 election wasn’t a sterling display of American democracy. Its problems extended beyond Russian hackers and trolls trying to thumb the scale, and the winner’s baseless, ongoing claims of voter fraud. For computer scientist Ben Adida, the most troubling part came afterward, when voting security experts and Green Party candidate Jill Stein called for a recount of the vote in three thin-margin swing states, raised millions of dollars to do it—and still mostly failed.

While Stein successfully triggered a Wisconsin recount, federal judges in Pennsylvania and Michigan put an early stop to her efforts. In the latter case, a judge ruled that Stein had “not presented evidence of tampering or mistake” in the electronic voting machines. It was a vexing catch-22, says Adida, an engineer and applied cryptographer at the education startup Clever. If the Michigan vote was tainted, the paper backup ballots Stein wanted to recount were the evidence that could prove it. But Stein didn’t have any evidence to justify looking at the evidence.

“Recounts don’t actually happen, because if you can’t bring a shred of evidence to the table that something went wrong, you sound like a lunatic,” Adida says. “That’s what 2016 proves. We need to build a voting system that inherently provides that evidence in case something goes wrong.”

Encrypt the Vote

At the Enigma security conference next week in Oakland, Adida will make the case for a decade-old voting system that provides that inherent evidence, what Adida and other voting security experts call “end-to-end verification.” Since 2007, thousands of people, including organizations like the Association for Computing Machinery and Greenpeace, have used Adida’s election software, called Helios, to solve that core problem. Helios encrypts every vote, and then publishes an online list of encrypted results by voter in a form that allows anyone, from an election-monitoring organization to individual voters themselves, to check the results.

“The whole idea that paper ballots are going to save us is well-intentioned but flawed,” says Adida. “I think we can do better. We can provide true end-to-end proof that an election works.”

Now that same system will be put into practice for the first time in actual government: A voting scheme, known as STAR-Vote—for Secure, Transparent, Auditable, and Reliable—uses a similar cryptographic system to Helios, but with real, physical voting machines and ballots. One Texas county is even set to implement it before the 2020 presidential election.

“STAR-Vote allows the general public to verify the vote themselves,” says Dana DeBeauvoir, the county clerk of Travis County, Texas, which includes the city of Austin. “We’re trying to build a better mousetrap and share it with everyone else.”

How It Works

Here’s the clever—and somewhat convoluted—way the end-to-end verified voting system works: Registered voters input their vote on a touchscreen machine. When they’re done, the machine prints their ballot with their choices, along with a “receipt” at the bottom that they can take home. That input machine also encrypts the results, shares the encrypted vote data with all the other voting machines at the polling place, and also enters it into a database of all the encrypted votes that will be published online at the end of the election day. Then voters feed their printed ballot into a ballot box with a scanner that reads a barcode on the ballot and confirms to the network that the vote has been cast.

After the votes are published, anyone can use a tracking number on their receipt to look up their vote online and confirm that it was registered. But crucially, no one can see who voted for whom. Not even the voter can decrypt their own vote; if they could prove who they voted for, they might be coerced or paid to vote for a certain candidate.

In fact, thanks to some mathematical sleight-of-hand known as “homomorphic encryption,” not even the election officials counting up the results can decrypt any individual votes. Homomorphic encryption allows simple arithmetic to be performed on encrypted data without decrypting it. So the encrypted votes can be added up and published online to produce an encrypted, public total tally that remains accurate without ever exposing anyone’s vote. Election officials decrypt only that final result, and even they can only do so when a certain number of overseers combine their secret passwords. After the results are decrypted and declared, anyone can re-encrypt them to check that they match the online encrypted tally, to prevent the officials from colluding to falsify the count.

That somewhat mind-bending process still leaves another question: How can voters check that the STAR-Vote machine not only registered their encrypted vote, but registered the correct vote rather than slyly switching it? To solve that problem, the system offers voters one more feature it calls a “challenge.” When the vote is encrypted and declared to the other voting machines—but before the voter scans it and puts it in the ballot box—the voter can choose to challenge it instead of confirming it, essentially declaring the ballot to have been a test of the system. If a ballot is challenged, it’s not counted, and the machine where the voter input their choice uses a special key that only it possesses to decrypt the encrypted vote it just declared to reveal who that challenged vote was for; it’s then shared with the local network and the public database. (The voter, meanwhile, starts over and votes again.)

Thanks to some proven cryptographic math, there’s no way for the computer to believably decrypt the ballot without revealing which candidate it was about to register a vote for. So if the machine’s answer in the public database doesn’t match the voter’s choices, the voter can look up the challenged vote, spot the mismatch and report the machine’s fraudulent behavior. That makes any attempt at tampering with voting machines highly risky. “Before the voter has even left the voting place you have all the information you need to catch the machine cheating in its electronic representation of your ballot,” says Dan Wallach, a cryptographer at Rice University and one of STAR-Vote’s inventors.
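The homomorphic tally and the challenge described above, as an added example that is not Helios or STAR-Vote code: a toy election using exponential ElGamal (additively homomorphic) over a small safe-prime group, with the decryption key split across trustees so that every one of them must contribute a partial decryption, a public re-check of the declared tally against the encrypted totals, and a challenged ballot that the machine must open so the voter can see what it actually encrypted. One assumption differs from the article’s wording: the challenged ballot is opened by revealing the encryption randomness (the Benaloh challenge) rather than with a per-machine key; threshold sharing, zero-knowledge proofs and a real-size group are left out.

```python
"""Toy verifiable tally in the style of Helios / STAR-Vote (added example,
not the projects' code). The group size is far too small for real use."""
import math
import secrets

def _is_prime(n):
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))

def _safe_prime(start):
    """Smallest q >= start such that q and p = 2q + 1 are both prime."""
    q = start
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1, q

P, Q = _safe_prime(1 << 20)   # deterministic, so every run uses the same group
G = 4                          # a square mod P, hence of prime order Q

def keygen(n_trustees):
    """Each trustee keeps a share x_i; the election key is y = g^(sum x_i).
    Every trustee must take part to decrypt (n-of-n; real systems use t-of-n)."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n_trustees)]
    public_key = 1
    for x in shares:
        public_key = public_key * pow(G, x, P) % P
    return public_key, shares

def encrypt(public_key, m, r=None):
    """Exponential ElGamal: m (0 or 1 per candidate) becomes (g^r, g^m * y^r).
    Returns the ciphertext and the randomness r, which the machine must keep."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(G, m, P) * pow(public_key, r, P) % P), r

def add(c, d):
    """Homomorphic addition: multiplying ciphertexts adds the plaintexts."""
    return (c[0] * d[0] % P, c[1] * d[1] % P)

def partial_decrypt(share, c):
    """A trustee's contribution: c1^x_i. The product over all trustees is c1^x."""
    return pow(c[0], share, P)

def combine(c, partials, max_count):
    """Strip y^r from the encrypted total, then brute-force the small exponent."""
    blind = 1
    for d in partials:
        blind = blind * d % P
    g_m = c[1] * pow(blind, -1, P) % P
    for m in range(max_count + 1):
        if pow(G, m, P) == g_m:
            return m
    raise ValueError("tally outside the expected range")

def verify_result(c, partials, tally):
    """Public re-check of a declared tally: g^tally * prod(partials) must be c2."""
    blind = 1
    for d in partials:
        blind = blind * d % P
    return pow(G, tally, P) * blind % P == c[1]

def check_opening(public_key, published, voter_choice, claimed_m, revealed_r):
    """Voter's check on a challenged (spoiled) ballot: the machine reveals
    (m, r); m must be what the voter chose AND must re-encrypt, with that r,
    to the ciphertext the machine already published. A swapped vote fails
    one test or the other, whichever story the machine tells."""
    return (claimed_m == voter_choice
            and encrypt(public_key, claimed_m, revealed_r)[0] == published)

def run_election(votes, candidates, n_trustees=3):
    """votes: chosen candidate per ballot. Returns (tally, all_checks_passed)."""
    public_key, shares = keygen(n_trustees)
    totals = {cand: (1, 1) for cand in candidates}   # encryption of 0 with r = 0
    for choice in votes:
        # One ciphertext per candidate, so nobody can tell which entry holds the 1.
        for cand in candidates:
            ct, _ = encrypt(public_key, 1 if cand == choice else 0)
            totals[cand] = add(totals[cand], ct)
    tally, ok = {}, True
    for cand in candidates:
        partials = [partial_decrypt(x, totals[cand]) for x in shares]
        tally[cand] = combine(totals[cand], partials, len(votes))
        ok = ok and verify_result(totals[cand], partials, tally[cand])
    return tally, ok

if __name__ == "__main__":
    # Constructed sample ballots, not real election data.
    print(run_election(["alice", "bob", "alice", "carol"], ["alice", "bob", "carol"]))
```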

Baking in the Evidence

All of those cryptographic checks aren’t meant to replace paper ballot backups, which would still serve as the ultimate record in any recount, Wallach and Adida say. But with STAR-Vote, the hints of tampering that trigger that recount would be far easier to spot. And just as importantly, says Travis County Clerk Dana DeBeauvoir, all that cryptographic complexity remains hidden from any voter who doesn’t want to deal with it. “It has to be something that mom and pop can operate,” she says.

Next month, Travis County, which has about 720,000 registered voters, will reveal the results of a request for proposals it issued last year for tech firms to code and build its STAR-Vote machines. DeBeauvoir hopes to put the system to use for the first time in local elections in 2019, so that any bugs will be worked out before the 2020 presidential election. She says she expects the system to cost between $8 and $12 million to develop, but argues that’s still less in the long run than licensing the currently available, less-verifiable systems.

Supporters hope that if it catches on, STAR-Vote could serve as a key reassurance for the American electoral system, and save millions of dollars spent on wasted paper recounts. Rather than lawsuits, sore-loser accusations, and expensive audits, the audit would be baked into the system. “Instead of having to seek the evidence, the system would provide evidence of correct operation by virtue of the process of voting itself,” says Adida. Imagined voter fraud and Russian trolls aside, that might actually be a system all Americans can trust.

Source: Wired – For the Next Election, Don’t Recount the Vote. Encrypt It

Business failing to learn lessons of past cyber attacks, report shows

Business and other organisations are failing to learn the lessons of past cyber attacks, the latest Verizon Data Breach Investigations Report (DBIR) reveals.

The analysis of 2,260 breaches and more than 100,000 incidents at 67 organisations in 82 countries shows that organisations are still failing to address basic issues and well-known attack methods.

“This year’s study underlines that things are not getting better,” said Laurance Dine, managing principal of investigative response at Verizon Enterprise Solutions.

“We continue to see the same kind of attacks exploiting the same vulnerabilities because many organisations still lack basic defences,” he told Computer Weekly.

The 2016 DBIR shows, for example, that nearly two-thirds of confirmed data breaches involved using weak, default or stolen passwords.

The report also shows that most attacks exploit known vulnerabilities that organisations have never patched, despite patches being available for months – or even years – with the top 10 known vulnerabilities accounting for 85% of successful exploits.

“User security awareness continues to be overlooked as organisations fail to understand that they need to make their employees the first line of defence,” said Dine.

“Organisations should be investing in training to help employees know what they should and shouldn’t be doing, and to be aware of the risks so they can alert security teams if they spot anything suspicious,” he said.

For this reason, Dine said it is important for organisations to have the processes in place that make it easy for employees to report security issues.

Phishing attacks

Phishing is one area where increased user awareness could help, said Dine, especially as the use of fraudulent emails to steal credentials or spread malware increased dramatically in the past year.

“If we could reduce phishing through user awareness training, we could probably reduce a lot of the other stuff as well because many of the attacks start with a simple phishing email,” said Dine.

The study shows that 30% of phishing messages were opened – up from 23% in the 2015 report – and 12% clicked on malicious attachments or links that installed malware.

In previous years, phishing was a leading attack pattern for cyber espionage, but now features in most cyber attacks.

According to Verizon researchers, this technique is amazingly effective and offers attackers a number of advantages, such as a very quick time to compromise and the ability to target specific individuals and organisations.

Human error cause of most attacks

Underlining the importance of user awareness and the human element of security, the report shows that human error accounts for the largest proportion of security incidents, with 26% of these errors involving sending sensitive information to the wrong person.

Source: computerweekly.com – Business failing to learn lessons of past cyber attacks, report shows

IoT to play a part in more than a quarter of cyber attacks by 2020, says Gartner

More than 25% of cyber attacks will involve the internet of things (IoT) by 2020, according to technology research firm Gartner.

And yet, researchers claimed IoT would account for less than 10% of IT security budgets and, as a result, security suppliers would have little incentive to provide usable IoT security features.

They also said the decentralised approach to early IoT implementations in organisations would result in too little focus on security.

Suppliers will focus too much on spotting vulnerabilities and exploits, rather than segmentation and other long-term means that better protect IoT, according to Gartner.

“The effort of securing IoT is expected to focus more and more on the management, analytics and provisioning of devices and their data,” said Gartner research director Ruggero Contu.

“IoT business scenarios will require a delivery mechanism that can also grow and keep pace with requirements in monitoring, detection, access control and other security needs,” he added.

According to Contu, the future of cloud-based security services is, in part, linked with the future of the IoT.

“The IoT’s fundamental strength in scale and presence will not be fully realised without cloud-based security services to deliver an acceptable level of operation for many organisations in a cost-effective manner,” he said.

Gartner predicted that by 2020, at least half of all IoT implementations would use some form of cloud-based security service.

Although overall spending will initially be moderate, Gartner predicted that IoT security market spending would increase at a faster rate after 2020, as improved skills, organisational change and more scalable service options improved execution.

Gartner predicted global spending on IoT security would reach $348m in 2016 – just 23.7% up compared with 2015 – $433.95m in 2017 and $547m in 2018.

“The market for IoT security products is currently small, but it is growing as both consumers and businesses start using connected devices in ever greater numbers,” said Contu.

“Gartner forecasts that 6.4 billion connected things will be in use worldwide in 2016, up by 30% from 2015, and will reach 11.4 billion units by 2018. However, considerable variation exists among different industry sectors as a result of different levels of prioritisation and security awareness,” he said.

Source: computerweekly.com – IoT to play a part in more than a quarter of cyber attacks by 2020

The link between third-party vendor support and the cloud

Rebecca Wettemann is the vice president of research at Nucleus Research and leads the quantitative research team. Nucleus Research provides case-based technology research with a focus on value, measurement and data. The company assesses the ROI for technology and has investigated and published 600 ROI case studies. Wettemann specializes in enterprise applications, customer relationship management, enterprise resource planning and cloud. She spoke with SearchOracle about the ROI for cloud adoption and third-party vendor support.

Can you tell me what the typical return on investment is for cloud and third-party vendor support?

Rebecca Wettemann: Cloud delivers 1.7 times the return on investment of on premises. It’s interesting because, intuitively, we think it’s because cloud is cheaper and that’s certainly partially true. But the bigger top line benefit is that I can make changes, upgrades, get more value from my cloud application over time without the cost, pain and suffering, and disruption associated with upgrading a traditional on-premises application.

Today, a lot of ERP customers are a couple of upgrades behind. Staying current, particularly if you’ve made a lot of customizations, is extremely expensive, extremely risky, extremely disruptive. Going through an upgrade can cost maybe half a million dollars. It’s not unusual. So customers stay behind, and that’s when they start to look at third-party support as an option. Support from the vendor is expensive, and, as I get further behind, I get less attention from the vendor and less support that is really focused on what my needs and particular challenges might be because they’re focusing their resources on the customers who are upgrading and staying current.

Are companies that are already using cloud likely to be more or less interested in third-party vendor support?

Wettemann: Someone who is already on the cloud is likely to be less interested in third-party support because cloud vendors tend to recognize that they have to win that contract again every year or two. So they’re in there delivering additional value, delivering upgrades, delivering enhancements and providing support because they know that the barriers to switching are a lot lower for cloud applications. What we do see is companies taking their core ERP or core critical applications like Siebel where they are a few generations behind and [saying], “I’m going to put this on third-party support.” This is either because I already have a plan to implement a whole new version of what I have in a couple of years and I want to save money in order to do that, or because there are other areas of innovation in cloud that I want to take advantage of and I can put the money toward that. I can cut my maintenance bill in half by going to third-party support and use that money to invest in cloud innovation.

What we’re seeing with customers is not a lot that are saying, “Okay, I’m going to move from PeopleSoft to ERP cloud.” It’s a very small population. What we are seeing is people saying, “You know what, PeopleSoft is mission-critical for us. We don’t want to disrupt it right now. We want to watch the road map for ERP cloud and see where it’s going. But we want to get a Taleo subscription, so we can manage talent management, or we want to invest in something on the CRM side in Sales Cloud or Marketing Cloud that’s attractive to us.” So they’re looking at taking advantage of the investment Oracle has made in cloud in different areas of the organization, which is where putting the PeopleSoft portion — to use that example — on third-party support saves them a ton of money. Our research and talking to Rimini customers finds that they get as good if not better support as they get from the vendor.

This is definitely something we’re seeing as we talk to customers about how to fund new projects. IT budgets are not flat, but not growing at a tremendous rate. And what they’re looking at is: “How can I cut out this big portion of expenditure, which for many firms can be high six figures? How do I cut that out? Or cut it in half and use that to fund cloud innovation?” So, if I look at my overall ongoing IT budget, a significant portion of that is license fees. Anything I cut from there becomes, without needing more budget, funds to invest in cloud.

Is this what you see people doing?

Wettemann: We’re definitely seeing folks say, “Yes, I need to do more with my IT budget.” This is a great way to keep systems that I’m not ready to move to cloud yet on a much more cost-effective basis so I can divert my resources elsewhere.

When Oracle customers move to the cloud, do they remain with Oracle or start using other vendors’ products?

Wettemann: I would say it’s a combination.

What factors influence that decision?

Wettemann: How much they’re an Oracle shop, certainly. Specific business needs that they’re looking for, whether it’s supply chain, CRM, HCM or another — Marketing Cloud is a great example. But they’re looking at what are the competing solutions in the cloud marketplace and how does Oracle stack up.

Is now a good time for making big decisions?

Wettemann: Yeah, absolutely. And it can also be a matter of not necessarily wanting to put all of their eggs in one basket. Because, remember, with cloud I don’t have to have the level of developer skill or DBA [database administrator] skill that I do to support an on-premises application. So, I don’t have to decide that I’ve got to have two or three Oracle DBAs that I know I’m going to be able to retain to make sure they keep my application running and everything works. I don’t have to do that with cloud, so I have more flexibility.

Source: searchoracle.techtarget.com – The link between third-party vendor support and the cloud

How current industry mega trends tangibly affect the EUC industry. Part 4: Security

This is the fourth (and final) article in a series detailing several industry “mega” trends that I see in EUC today. The first article was about Hyper-Convergence, the second was about Application Management (Layering), and the most recent was about Cloud.

In this article I want to discuss another trend, ‘Security’, and how it will have an impact on our industry today and tomorrow for the bulk of our use cases across the world.

Boring and Invisible – Yet Important

Security is a difficult subject. If there’s too much of it then it is annoying, but if there is too little then bad things happen. Let’s face it: traditionally our End User Computing industry has had relatively little to do with security (*ducks*). I mean, outside of the virus scanners on PCs it really was not a big part of our [EUC] life. Of course there are the brave souls who dare to run antivirus on shared hosted desktop platforms or even hypervisors, but for the most part the job of security was left for the ‘firewall guy’. Well, you and the firewall guy need to have lunch together (often) because the world is changing rapidly.

Omni-Connected

One important factor is that the Enterprise IT world is becoming more and more connected. Where the firewall used to be the boundary of the Enterprise perimeter, this is no longer strictly the case. Think about it: with the ever increasing consumption of cloud services / SaaS applications in enterprises a larger portion of the stuff that IT is tasked to protect moves out of their network.

Don’t take my word for it. The segment called CASBs (Cloud Access Security Brokers) focuses exactly on this problem and has been exploding (in a good way) recently. Next to CASBs, there’s also the segment of more ‘traditional’ security vendors, which have all been trying to grow beyond firewalls for a while now. Much of this revolves around the fact that all malware or other malicious ‘stuff’ in your network has one thing in common: at one point or another this malicious content will attempt to communicate outside of your network – either to phone home, spread, talk to other ‘members,’ or whatever. That’s where the prime detection possibility is and that is where a lot of the new focus will be.

Cybercrime

Another important factor is the rise of Cybercrime. Cybercrime is growing fast and getting more and more organized, not only for purely monetary reasons but also for political and religious ones. Whatever the reason, the effect was already witnessed in 2015: an unprecedented amount of high profile attacks have occurred and the year is not over yet (plus a lot of hacks are going on right now that have not been discovered yet, I am sure). Hacks ranged from high-profile financial services firms to prisoner records. Ransomware and Cryptoware are no longer just a problem for individual users. Companies are being targeted more and more, which is costing enterprises a ton of money. This survey showed that the average annual cost incurred by affected enterprises globally now stands at $7.7 million.

Cybercrime budgets are also one of the few budget categories that are increasing. For example, in 2016 the Cybercrime (CDM) budget for the US government alone is $14 billion. In a similar fashion, the UK plans to double its cybercrime budget over the next 5 years. Finally, an additional important accelerator will be that legislation, especially in EMEA, will become even stricter in terms of who is held liable when a hack occurs. The simple fact is that a lot of organizations are not well equipped (yet) to deal with this new world, and that’s why we will see security have a big impact on End User Computing in 2016.

Security at the EUC vendors

When it comes to security, I think there are a couple of types of vendors in our End User Computing market that you will see creating or expanding their offerings. For the EUC Big 3, Microsoft kind of already made the first move when they acquired Adallom for $320M in September. I say “kind of” because while you may not directly work with this technology, you probably will indirectly. Security is also part of the bigger VMware proposition – it’s actually one of the five imperatives the CEO has for the company. I have not seen a specific security product (capability) from the EUC group at VMware, but I am sure we will in the next year (NSX is an example that is very close to VMware EUC already). As for Citrix, it would be no surprise to me if Citrix jumps on the security bandwagon as well (outside of the classic security benefits that ‘centralized computing offers,’ which aren’t unique to their products). Still, I have seen no major initiatives there yet, which kind of makes sense since they are rationalizing their product portfolio.

Another category is the User Environment Management (UEM) vendors. Two that come to mind for me are AppSense and RES Software. They’ve had some security capabilities in their products for a while now, and seem to be adding to them a lot more as time goes on (a trend that I think will continue).

I also think there’s great potential here for the more traditional End User Computing monitoring and analytics products to help their customers with these problems. That is actually quite important to realize – to be able to protect and secure the workspace you need to have detailed insights into that workspace. Since most of the workspace today is still Windows based, the current End User Computing monitoring and analytics products are in a great position to start providing these security services. Lakeside Software, for example, recently added a specific security capability in their SysTrack product, and I am confident we will see some more security related developments from the End User Computing monitoring and analytics vendors in the next year.

Source: BrianMadden.com – How current industry mega trends tangibly affect the EUC industry. Part 4: Security, by Michel Roth

EU-US Privacy Shield: Can written assurances adequately protect EU data from US snoops?

Privacy campaigners have been quick to question whether Safe Harbour’s replacement will be looked on favourably by the European Court of Justice.

Safe Harbour’s successor, the EU-US Privacy Shield, has been weighed up and found wanting by privacy campaigners, who fear the proposed data-transfer agreement may not stand up to legal scrutiny by the European Court of Justice (CJEU).

The European Commission (EC) has been working with US lawmakers to develop a replacement for the Safe Harbour transatlantic data-transfer agreement since it was ruled invalid by the CJEU in October 2015.
The result of these discussions is the EU-US Privacy Shield, which is expected to come into force in three months’ time, the EC said.

For that to happen, the agreement’s content has to pass muster with the Article 29 Working Party, an affiliation of the data protection authorities of all 28 EU member states.

The working party has given the EC and the US until the end of February 2016 to provide a complete breakdown of how the Privacy Shield will work, and stated formally that anyone attempting to use Safe Harbour to transfer data back to the US is now breaking the law.

It also warned organisations using alternative data-transfer mechanisms – including standard contractual clauses and binding corporate rules – that permission to use these could be revoked by the end of February.

Apart from a new name, a logo and some lofty declarations about how the EU-US Privacy Shield is a “significant improvement” on Safe Harbour, only scant details about how it will work were outlined at the launch of the new-look data-transfer regime on 2 February.

These include the fact that the agreement will be subject to annual reviews – unlike Safe Harbour – and be supported by the work of a “functionally independent” ombudsman for European citizens who fear their data has been accessed unlawfully by US authorities.

Safe Harbour 2 and its shortcomings

Given how short on detail the announcement was, many industry watchers have described it as a ruse by the EC and the US to buy more time to flesh out the details of the Safe Harbour alternative, as the Article 29 Working Party initially gave the pair until 31 January to do so.

Frank Jennings, a partner specialising in cloud and technology commercial contracts at legal firm Wallace, told Computer Weekly he shares this view.

“The main driver over the timing of the announcement was the enforcement deadline set by the Article 29 Working Party,” he said. “This has bought some time while the detail is finalised.

“The European Commission has to prepare a draft adequacy decision for consideration by the Article 29 Working Party and the US still needs to set up the monitoring mechanisms and an ombudsman.”

During the 2 February press conference, Andrus Ansip, EC vice-president in charge of the Digital Single Market, promised European citizens that the EU-US Privacy Shield would protect them from “indiscriminate mass surveillance” by the US government.

He said the EC has received “written assurances” from the US government to this effect, but concerns about how watertight these penned declarations are likely to be are already starting to mount up.

A history of Safe Harbour

The Safe Harbour agreement was the legal mechanism previously used by thousands of US companies to transfer data belonging to European citizens to the US, before it was struck down by the CJEU last October following a legal challenge by Austrian legal student Max Schrems.

The CJEU backed Schrems’ assertion that Safe Harbour did not adequately protect the data of European citizens from the mass surveillance activities of the US government, which, in turn, were uncovered by NSA whistleblower Edward Snowden in 2013.

In this context, the problem that many people have with the EU-US Privacy Shield’s “written assurances” is whether or not these would be considered “adequate protection” from the US government’s mass surveillance activities.

Former EC vice-president Viviane Reding, who previously spearheaded a review of Safe Harbour in response to Snowden’s 2013 revelations, has already aired concerns about the shape its replacement is taking.

“The new text is disappointing,” she said. “The commitment to limit mass surveillance of EU citizens is ensured only by a written letter from US authorities.

“Is this sufficient to limit oversight and prevent generalised access to the data of EU citizens? I have serious doubts if this commitment will withstand a possible new examination by the European Court of Justice.”

Alexander Hanff, CEO of civil liberties advisory group Think Privacy, shares Reding’s misgivings, saying that although the US government’s Foreign Intelligence Surveillance Act (FISA) remains in place, these penned declarations are “not worth the paper they are written on”.

FISA is a piece of federal legislation that allows the US government to covertly keep tabs on people suspected of spying on the US for overseas governments or intelligence agencies, as long as the Foreign Intelligence Surveillance Court (FISC) gives it permission to do so.

“We are supposed to believe that the very same agencies and the very same political machine that has been spying on the world’s digital communications for over a decade will now suddenly stop spying on Europeans because the European Commission has asked them to?” said Hanff. “It is preposterous to even suggest such a thing, let alone do so with a straight face.

“It doesn’t matter how many ‘assurances’ the US gives the EC, the very fact that the FISC exists and issues secret orders under FISA renders them into nothing but fantasy.”

Hanff has already written to the Article 29 Working Party outlining his concerns about the Privacy Shield’s reliance on written assurances over mass surveillance. He calls on the working party not to “entertain the notion that such an agreement is either legally secure or honest”.

He then signs off by asking Isabelle Falque-Pierrotin, chair of the Article 29 Working Party, to make sure the existence of FISA and FISC are communicated to other members of the party, along with the risk they pose to ensuring that the EU-US Privacy Shield can make good on its promise of protecting citizens from snooping.

“We simply must not allow a lie (for this Privacy Shield is exactly that) to replace a lie (which Safe Harbour was) in order to maintain the status quo and pander to the economic interests of the US technology sector,” Hanff wrote.

“The deal is bad for EU citizens and it is bad for the EU economy. It must not be accepted.”

Written assurances vs legal protections

Max Schrems released a statement following the EU-US Privacy Shield announcement, also focusing on whether a written declaration would be enough to satisfy the CJEU.

“A couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance,” said Schrems.

“We don’t know the exact legal structure yet, but this could amount to disregarding the CJEU’s judgment. The court has clearly stated that the US has to ‘ensure’ proper protection by means of ‘domestic law or international commitments’.”

However, Daniel Hedley, an associate at legal firm Thomas Eggar, said that until the full details of EU-US Privacy Shield are made public, it is difficult to decide exactly how the CJEU will view the finished article.

“The CJEU’s judgment was based in large part on a finding that the US did not provide equivalent protections in law,” Hedley told Computer Weekly. “So I think we can at least say that the Privacy Shield’s legal status and enforceability are going to be critical to its success or failure.

“That is, whether or not these ‘written assurances’ provided by the US government amount to real binding rights and obligations giving European equivalent data rights, and whether the proposed enforcement mechanisms have real teeth. At the moment, with the information we have, we just can’t tell if that is the case or not.”

Until the EU and US lawmakers present the EU-US Privacy Shield proposition in full to the Article 29 Working Party at the end of February, it is difficult to say with any degree of certainty whether the CJEU would uphold any legal challenges against it, said Hedley.

And, it seems, there will be no shortage of candidates willing to put it to the test once the full details are known.

“I am not sure if this system will stand the test before the Court of Justice,” Schrems said, in his post-announcement statement. “There will clearly be people who will challenge this; depending on the final text, I may well be one of them.”

Source: CIO.com - EU-US Privacy Shield: Can written assurances adequately protect EU data from US snoops? by Caroline Donnelly

Google releases Mobile Application Management for iOS devices

Google has announced that its Mobile Application Management (MAM) solution for Google for Work environments is now available for iOS devices. A new Google Device Policy app for iOS allows users of Google Apps for Business, Education and Government to enroll their iOS devices in their organization’s policies. Enrolled devices get streamlined access to device approval requests and internal Wi-Fi networks, single sign-on across Google Apps such as Gmail, Drive and Docs, and the ability to install iOS apps that the organization has whitelisted in a managed device profile.

Google Apps administrators will be able to use the Google Admin console to whitelist any free app found in the iOS App Store, so that a list of approved apps can be easily discovered and downloaded by their organization’s users without having to scour the App Store or recall specific app names from an orientation session or employee handbook. Apps installed through the Google Device Policy app are also governed by the organizational policies and can be removed from a user’s device when they are no longer whitelisted, or when a device is remotely wiped by an admin, ensuring that corporate information is not retained on personal devices when a user leaves the organization.

Source: ilounge.com - Google releases Mobile Application Management for iOS devices by Jesse Hollington

UK tops global cyber crime hit list

UK-based criminals were the second highest originators of cyber crime attacks after the US in the second quarter, according to ThreatMetrix.

The UK is the top target for cyber criminals, with UK businesses targeted more frequently than their US counterparts, a study has revealed.

Apart from local threats, criminals in Nigeria, Germany, the US and Mexico lead the way in attacking the UK, according to a study published by security firm ThreatMetrix.

But UK-based criminals were the second highest originators of cyber crime attacks after the US, according to the study, which is based on more than a billion transactions monitored each month by the firm’s Digital Identity Network.

The study shows that online commerce worldwide has been particularly badly hit by cyber crime. Fraudulent attacks rose 20% in the second quarter of 2015, during which ThreatMetrix blocked 36 million fraud attempts estimated to be worth £2bn.

Account creation fraud was the highest risk, accounting for nearly 7% of transactions blocked by ThreatMetrix, while account login risk was lower at 3%. But ThreatMetrix said that, because there are many times more login transactions processed, this represents a significant account takeover or hijacking risk.

The study also found that cyber criminals targeting financial institutions are particularly focused on online lenders. Attacks spiked significantly in the second quarter and focused mainly on new account originations and payment disbursements.

Online lending is a rapid growth industry because it provides an easier way for the unbanked and underbanked to gain access to loans in a matter of days – making it a top target for cyber criminals.

According to ThreatMetrix, major UK peer-to-peer lender, Zopa, has issued £829m in loans since it started ten years ago.

“Online lending is a hotbed for fraud because it is a less secure channel designed for the unbanked and underbanked population, an attractive target for attackers,” said Stephen Moody, European solutions director at ThreatMetrix.

“The more businesses and consumers turn to the digital space to store and manage their financial information, the greater the opportunity for fraudsters, and ensuring digital identities are effectively protected should be high priority for everyone,” he said.

Cyber crime is a well organised global phenomenon, said ThreatMetrix, with criminals fast adopting new technologies and tactics to attack businesses.

With sophisticated technology and strong knowledge-sharing across organised crime rings, nation states and decentralised cyber gangs, the security firm said these cyber criminals continue to attack traditional and non-traditional sources of consumer data to stitch together identities that can be exploited.

Criminals hiding in the noise

Mobile now makes up one third of all transactions analysed by ThreatMetrix and is the biggest emerging opportunity and risk for businesses and financial institutions trying to deliver frictionless experiences to their customers, the company said.

“The more mobile transactions you have, the more opportunities will arise for fraudsters to conduct spoofing attacks or identity theft, by increasingly impersonating other devices to facilitate attacks,” said Moody.

“With consumers constantly on the go, they prefer iPhones over iPads after work and at the weekends – people’s digital behaviour is changing and this provides new opportunities for fraudsters to hide in the noise,” he said.

While UK-based e-commerce sites also experienced a spike in fraud attacks in the second quarter, attacks on financial services remained steady and attacks on the media industry saw a fall compared with the first three months of 2015.

However, attacks on the media industry are still fairly high, accounting for 11.4% of transactions blocked – more than double the rate in the US. According to ThreatMetrix, media sites are often targeted as testing sites for stolen credentials.

Source: computerweekly.com - UK tops global cyber crime hit list by Warwick Ashford

Alleged airplane hack creates more questions than answers

As details emerge about a security researcher’s alleged hack — and subsequent denial — of an airplane, more questions are being asked than answers given.

News of a security researcher penetrating an airplane’s network has dominated the news for the past few days, but the reality of the situation is muddled.

An application for a search warrant filed by FBI Special Agent Mark Hurley on April 17, which was obtained and published online last Friday by Canadian news outlet APTN National News, alleges the devices seized from Chris Roberts, a security researcher with One World Labs, contain evidence that he successfully commandeered the network of an in-flight airplane he was riding on. Roberts has not been charged with any crime at this time.

In a previous interview, Roberts told Wired he caused a plane to climb in a virtual environment, but insisted he did not interfere with the operations of a plane in flight. Roberts also told Wired he accessed in-flight networks approximately 15 times during various flights only to “explore” and “observe data traffic crossing them.”

While the FBI affidavit mentions the virtual environment, it also states Roberts admitted to controlling a plane in flight. During conversations with the FBI, the warrant application reads, Roberts said he had “exploited vulnerabilities with [in-flight entertainment, or IFE] systems on an in-flight aircraft” 15 to 20 times from 2011 to 2014.

According to the warrant application, Roberts gained access to the network through the Seat Electronic Box installed under passenger seats on airplanes; he was able to remove the SEB cover by “wiggling and squeezing” the box. He then used an Ethernet cable with a “modified connector” to connect his laptop to the IFE system.

The affidavit states Roberts then connected to other systems and overwrote code on the airplane’s Thrust Management Computer to successfully command the system and issue a “CLB,” or climb command, which “thereby caused one of the airplanes to climb, resulting in a lateral or sideways movement of the plane.”

Many news articles over the past few days, however, may have been a bit too aggressive in their conclusions, especially as what is contained in the warrant has not been proven in a court of law. The FBI believes Roberts hacked a plane, yet Roberts denies it.

Before the weekend was over, many security researchers were questioning what really happened. Expert Graham Cluley argued the very real possibility that nothing at all had happened. He wrote in his blog, “Wired isn’t saying that Chris Roberts claimed to have hijacked and meddled with a plane’s flight, instead, they’re saying that the FBI’s search warrant claims that Roberts told them that he had done that.”

While the affidavit does not state which flight Roberts allegedly controlled, Roberts maintains he did not penetrate the IFE system of the April 15 flight during which he tweeted his now infamous “joke”:

The same day, Roberts was questioned by the FBI and had his computer equipment seized.

Though Roberts denies any wrongdoing on this flight, the FBI search warrant application claims the SEB installed near Roberts “showed signs of tampering” and was “open approximately ½ inch and one of the retaining screws was not seated and was exposed.”

Not only are questions arising about what happened during the supposed airline hack, but also whether it is even possible to connect to mission-critical airplane systems through in-flight entertainment.

Law enforcement sources told ABC News there is no evidence a hacker could gain control of an airline network as Roberts described. Federal sources also told ABC News it is extremely unlikely someone could hack into an in-flight plane’s control system.

“Nobody can take control of the airplane right now,” ABC News aviation consultant and former Marine Corps pilot Steven Ganyard said. “At this point, we don’t have any reason to suggest that somebody can take over the airplane and fly it into a mountainside.”

United Airlines spokesperson Rohsaan Johnson also refuted Roberts’ claims, telling The Associated Press, “We are confident our flight control systems could not be accessed through techniques he described.” (United Airlines has since released details of a bug bounty program to incentivize researchers to disclose vulnerabilities to the company directly.)

The U.S. Government Accountability Office released a report last month claiming that modern communications make aircraft more vulnerable to attack, but many have also refuted this claim. Dr. Phil Polstra, a qualified pilot and professor of digital forensics at Bloomsburg University, said the report contained “erroneous information” and was “deceptive.”

“It’s certainly possible,” security expert and frequent critic of air travel security Bruce Schneier said, “but in the scheme of internet risks I worry about, it’s not very high.”

While Roberts has not yet denied completing any airplane hacks, he did discuss the inaccuracies of the affidavit with Wired.

“That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing, which, obviously, I can’t say anything about,” he said. “It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others.”

Roberts also told Forbes today that “typically all maintenance and system software issued [or] procured from manufacturers is for monitoring only, not influencing.” Roberts offered no further details.

Roberts has also taken to Twitter to defend himself, alluding to conversations that were held “in confidence,” information that “needs to be said and will come out,” and “a lot” of things being taken “out of context.”

Roberts still maintains all his actions have been in the name of aircraft security.

Source: searchsecurity.techtarget.com - Alleged airplane hack creates more questions than answers

Cisco 2015 Annual Security Report

Understand how attackers are taking advantage of gaps between defenders’ intent and their actions in order to conceal malicious activity and evade detection.

New Threat Intelligence and Trend Analysis

Despite advances by the security industry, criminals continue to evolve their approaches to break through security defenses. Attackers are realizing that bigger and bolder is not always better. The Cisco 2015 Annual Security Report reveals shifts in attack techniques, emerging vulnerabilities, and the state of enterprise security preparedness.

Download the report at: Cisco 2015 Annual Security Report