Tag Archives: Listen

When will mobile voting be ready?


This week’s Risk & Repeat podcast examines the rise of mobile voting apps and the concerns security experts have raised about the risks of deploying the technology for elections.

This week’s Risk & Repeat podcast looks at the prospect of mobile voting apps being deployed for U.S. elections in the near future.

The COVID-19 pandemic has raised concerns about in-person voting at potentially crowded polls with long lines. But despite those concerns, various security experts as well as mobile voting advocates say the technology won’t be ready for widespread deployment in elections any time soon. Critics of the technology argue the mobile apps aren’t secure enough to ensure the integrity of votes, while advocates say there isn’t enough funding or infrastructure to support a large rollout of the technology.

In this episode, SearchSecurity editors Rob Wright and Alex Culafi discuss the challenges facing mobile and internet voting options, the friction between voting system vendors and the security research community, and the potential of these systems in future elections.


Introducing more privacy transparency for our commercial cloud customers

At Microsoft, we listen to our customers and strive to address their questions and feedback, because one of our foundational principles is to help our customers succeed. Today Microsoft is announcing an update to the privacy provisions in the Microsoft Online Services Terms (OST) in our commercial cloud contracts that stems from additional feedback we’ve heard from our customers.

Our updated OST will reflect contractual changes we have developed with one of our public sector customers, the Dutch Ministry of Justice and Security (Dutch MoJ). The changes we are making will provide more transparency for our customers over data processing in the Microsoft cloud.

Microsoft is currently the only major cloud provider to offer such terms in the European Economic Area (EEA) and beyond.

We are also announcing that we will offer the new contractual terms to all our commercial customers – public sector and private sector, large enterprises and small and medium businesses – globally. At Microsoft we consider privacy a fundamental right, and we believe stronger privacy protections through greater transparency and accountability should benefit our customers everywhere.

Clarifying Microsoft’s responsibilities for cloud services under the OST update

In anticipation of the General Data Protection Regulation (GDPR), Microsoft designed most of its enterprise services as services where we are a data processor for our customers, taking the necessary steps to comply with the new data protection laws in Europe. At a basic level, this means Microsoft collects and uses personal data from its enterprise services to provide the online services requested by our customers and for the purposes instructed by our customers. As a processor, Microsoft ensures the integrity and safety of customer data, but that data itself is owned, managed and controlled by the customer.

Through the OST update we are announcing today we will increase our data protection responsibilities for a subset of processing that Microsoft engages in when we provide enterprise services. In the OST update, we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune. This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combatting cyberattacks on any Microsoft product or service; and complying with our legal obligations.

The change to assert Microsoft as the controller for this specific set of data uses will serve our customers by providing further clarity about how we use data, and about our commitment to be accountable under GDPR to ensure that the data is handled in a compliant way.

Meanwhile, Microsoft will remain the data processor for providing the services, improving and addressing bugs or other issues related to the service, ensuring security of the services, and keeping the services up to date.

As noted above, the updated OST reflects the contractual changes we developed with the Dutch MoJ. The only substantive differences in the updated terms relate to customer-specific changes requested by the Dutch MoJ, which had to be adapted for the broader global customer base.

The work to provide our updated OST has already begun. We anticipate being able to offer the new contract provisions to all public sector and enterprise customers globally at the beginning of 2020.

Working with our customers to strengthen privacy

Before and after GDPR became law in the EU, Microsoft has taken steps to ensure that we protect the privacy of all who use our products and services. We continue to work on behalf of customers to remain aligned with the evolving legal interpretations of GDPR. For example, customer feedback from the Dutch MoJ and others has led to the global roll out of a number of new privacy tools across our major services, specific changes to Office 365 ProPlus as well as increased transparency regarding use of diagnostic data.

We remain committed to listening closely to our customers’ needs and concerns regarding privacy. Whenever customer questions arise, we stand ready to focus our engineering, legal and business resources on implementing measures that our customers require. At Microsoft, this is part of our mission to empower every individual and organization on the planet to achieve more.

This post is also available in Dutch, French and German.

Author: Microsoft News Center

Inside the GAO’s Equifax breach report


In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the Government Accountability Office’s report on the Equifax breach and the questions it raises.

The U.S. Government Accountability Office offered a detailed postmortem on the 2017 Equifax data breach, including new details about what led to the incident.

The Equifax breach report revealed that threat actors began scanning the credit rating agency’s systems for an Apache Struts vulnerability just two days after the vulnerability was publicly disclosed.

And while the Apache Struts bug enabled the attackers to gain a foothold in Equifax’s network, the Government Accountability Office (GAO) report shows the vulnerability was just one of many missteps that contributed to the breach. Those errors include missing 9,000 database queries made by the threat actors in search of valuable data, failing to catch data exfiltration because of a misconfiguration, and an outdated recipient list of system administrators who should have been notified of the Apache Struts flaw.

In addition, the Equifax breach report describes how U.S. government agencies were unclear about which — if any — federal agency was coordinating the response effort; the U.S. Department of Homeland Security offered assistance, but Equifax turned it down. Several agencies, including the IRS, U.S. Postal Service and Social Security Administration, used Equifax’s identity verification services at the time of the breach.

What were the biggest lessons learned from the Equifax data breach report? What did the GAO investigation miss? Should companies like Equifax that handle massive amounts of personal data be subject to greater government oversight? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

Are the Meltdown and Spectre flaws overhyped?


In this week’s Risk & Repeat podcast, SearchSecurity editors discuss whether or not Meltdown and Spectre deserved to be nominated for the Pwnie Awards’ Most Overhyped Bug.

Were the Meltdown and Spectre flaws as bad as some claimed? That question was raised by the Pwnie Awards at Black Hat 2018 earlier this month.

While the Meltdown and Spectre flaws were nominated for the Most Innovative Research and Best Privilege Escalation Bug awards, the flaws were also nominated for the Most Overhyped Bug award. According to the Pwnie Awards, the “hype train jumped the tracks a bit” with the reaction to Meltdown and Spectre.

While the Most Overhyped Bug award eventually went to another vulnerability, the Pwnie nomination illustrated the ongoing debate over the seriousness of Meltdown and Spectre. While some experts at Black Hat argued the flaws opened up a dangerous new avenue of attacks, others said Meltdown and Spectre aren’t nearly as threatening as other recent bugs.

Were the Meltdown and Spectre flaws overhyped by some media outlets and security researchers? How dangerous can the flaws be if there’s no evidence they’ve been successfully exploited in the wild? Have we seen the worst of Meltdown and Spectre or are more variants coming? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

Meltdown and Spectre disclosure in review


In this week’s Risk & Repeat podcast, SearchSecurity editors discuss new insights — and questions — regarding the coordinated disclosure effort for Meltdown and Spectre.

Black Hat USA 2018 offered new insights into the Meltdown and Spectre disclosure process and raised questions about how such coordinated vulnerability disclosure efforts should be handled.

A Black Hat panel discussion provided a behind-the-scenes look at the process from the perspective of Microsoft, Google and Red Hat representatives.

During the discussion, the panelists revealed a number of stumbling blocks that posed problems for not only Intel, AMD and ARM, but the security response teams at various stakeholder companies, as well. For example, because of a miscommunication, Google wasn’t officially informed about the vulnerabilities until 45 days after they were first reported to the chipmakers.

The panelists also discussed the challenge of deciding which stakeholders to include in the Meltdown and Spectre disclosure and response process and when to include those parties.

How could the coordinated vulnerability disclosure process have been handled better? Should the pre-disclosure response and mitigation effort have included more people or fewer? How could Google have been left out of the loop for so long? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions on the Meltdown and Spectre disclosure and more in this episode of the Risk & Repeat podcast.

The evolution of music: how the cloud helps reward artists and record labels

From vinyl records to cassette tapes, CDs, MP3 players and streaming services, the way we listen to music has rapidly evolved over the years.

As more and more people turn to the conveniences of streaming music, it’s easy to forget the challenges faced when making sure that artists and labels are fairly compensated.

Everyone talks about digital transformation providing companies with a competitive edge. For music rights organisations, however, adopting a digital culture isn’t a choice. It’s a matter of survival.

This was the situation facing the Canadian Musical Reproduction Rights Agency (CMRRA), a music licensing organisation which represents the majority of music publishers and music copyright owners in Canada.

In 2011, the CMRRA along with the rest of the music copyright industry faced drastic changes to its business model. Streaming services such as Spotify and Apple Music were dramatically increasing the number of transactions from tens of thousands to hundreds of millions, while the revenue per transaction decreased to small fractions of a cent.

In this new digital-first world, a file containing hundreds of millions of transactions can generate royalty payments of €100,000. In the pre-digital world, for comparison, this would have generated millions of Euros instead.

To help its transformation, CMRRA needed a robust and secure solution which would help with the increased number of transactions in a cost-effective way, while allowing it to continue to distribute royalties to artists and other rights holders. The company began its journey by turning to Spanish Point – a Microsoft Gold Partner in Ireland.

Hitting play on transformation
Spanish Point had already digitised the process for the Irish Music Rights Organisation (IMRO), but it wasn’t just a case of dealing with increased transaction volumes, as Spanish Point CEO Donal Cullen explains: “There is also the problem of matching millions of music streaming transactions with poor metadata against a database of millions of songs.”

“Many copyright organisations have failed to cope with this increase in data volumes, meaning the songs and recordings have not been licensed or correctly identified. The license income that should have been paid to songwriters and music publishers has remained with streaming companies. The streaming services and other entertainment platforms do want to pay the artists, it’s just a question of finding a practical way of doing it.”

The solution developed by Spanish Point saw CMRRA move its operations to the cloud, enabling it to cope with these challenges and generate more income for its members. Using Microsoft’s advanced features, Spanish Point provided a more agile and responsive service at a lower cost than a traditional on-premises or hosted provider.

“In the past, if a song was played on a radio station it was broadcast to thousands of listeners,” Cullen explains. “Now you have people using their smartphone in cars to stream music. Services like Spotify and YouTube are sending data to rights organisations on each individual stream. That has increased the volume of data by three or four orders of magnitude.”

“It is not unusual for files to contain 200 million transactions. The rights organisations now must identify each song from quite poor metadata and find the artists to pay royalties to. There is simply no way they could do that without a cloud solution. Even four or five years ago it would have been beyond our reach. It has enabled us to help customers like CMRRA improve their data processing performance by a factor of 40.”

Moving to the cloud solved the problems of scale, flexibility and financial viability. “Before the cloud, organisations would invest in computing power to meet peak demand,” Cullen notes. “That meant the payroll system had to be able to meet very high demand on one or two days each month while it would be barely used for the rest of the time. In the cloud you pay for what you use as you need it. Also, Microsoft’s cloud autoscales to meet the size of files and that’s directly related to how much we and our customers are going to get paid.”

Microsoft Ireland commercial director Aisling Curtis believes the challenge faced by the music rights industry demonstrates the enormous power of digital culture. “This is a great example of digital disruption and how a digital transformation approach can be used to solve issues across an entire industry”, she says.

“It’s not just something for large companies or enterprise-sized organisations to be concerned about. Organisations of every size can adopt a digital culture to innovate and gain competitive advantage. Spanish Point has done a fantastic job for CMRRA using the Microsoft platform and has created a new solution which is applicable to the whole music rights industry.”

Cloud with benefits
As a result of its transformation, CMRRA has dramatically increased its revenue and reduced its members’ annual subscription fees from 10.5 per cent to six per cent. It has also opened up numerous new opportunities for the company.

“They are now going to licence mechanical works in the US,” says Cullen. “They were restricted to Canada up until now, but they have become a lot cheaper than their US competitors because of the Microsoft cloud solution.”

For the future, Spanish Point is planning to use Microsoft’s AI technology to further enhance its solution. Currently, the company is moving into the US market and is also working with customers in Spain and Turkey with this solution.

“Microsoft has worked closely with Spanish Point on a number of digital transformation projects over the years,” says Aisling Curtis. “Spanish Point is a very innovative firm. It explores new frontiers with Microsoft products and platforms which enables its customers to access new business opportunities and gain competitive advantage. This is a very tangible example of how digital culture and transformation is allowing an Irish company to solve a worldwide issue for customers. It is a defining example of the impact of digital culture.”

DHS warns of power grid cyberattacks


In this week’s Risk & Repeat podcast, SearchSecurity editors discuss a new warning from the Department of Homeland Security regarding Russian hackers targeting the U.S. power grid.

The Department of Homeland Security has renewed its concerns over potential power grid cyberattacks.

DHS officials held a briefing this week to discuss the threat of Russian hackers targeting utility companies and industrial control systems in an apparent effort to compromise and potentially cripple U.S. critical infrastructure, according to a report from The Wall Street Journal. The report also claimed the hackers, who were linked to the Russian threat group Dragonfly, last year gained access to the control rooms of U.S. electric companies during an extensive hacking campaign.

While the government has issued warnings about active threats to ICS and critical infrastructure before, the DHS briefing marks the first time the agency has publicly discussed the extent of the power grid cyberattacks. Government officials said the Dragonfly campaign is likely continuing.

What effect will DHS’ briefing have on critical infrastructure security? Is the government’s assessment of the ICS threats accurate? Why did DHS decide to make this information public now? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

Closing the gender gap at cybersecurity conferences


In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the under-representation of women at cybersecurity conferences and how it affects the infosec industry.

This week’s Risk & Repeat podcast looks at the lack of women at cybersecurity conferences and explores what can be done to improve those numbers, as well as to increase diversity as a whole in the infosec industry.

Earlier this year, RSA Conference came under fire for having just one woman keynote speaker among nearly two dozen keynote spots. The criticism led members of the infosec community to form a new event, dubbed Our Security Advocates, or OuRSA. And while cybersecurity conferences such as Black Hat 2018 will prominently feature women infosec professionals as keynote speakers, there is still a significant gender gap at cybersecurity conferences.

Why aren’t more women speaking at industry events? How can organizations increase the number of women attending and participating in these events? Is the lack of women at cybersecurity conferences a symptom of the larger gender gap in infosec or a contributor to it? SearchSecurity editors Rob Wright and Maddie Bacon discuss those questions and more in this episode of the Risk & Repeat podcast.

U.S. government eyes offensive cyberattacks


In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the risks of the U.S. Cyber Command engaging in offensive cyberattacks against foreign adversaries.

The prospect of the U.S. government using offensive cyberattacks against foreign adversaries appears to be gaining steam.

According to the New York Times, the Pentagon approved a policy that empowers the U.S. Cyber Command to initiate constant offensive cyberattacks designed to disrupt foreign networks. The Times report details a vision statement from military leadership that calls for cyber activities that are “short of war” to retaliate against hacking campaigns from adversarial nation states. The Pentagon’s new strategy for the U.S. Cyber Command, which has traditionally led the nation’s cyber defensive efforts, comes in the wake of many recent high-profile cyberattacks attributed to the governments of Russia, North Korea and Iran.

The concept of “hacking back” against cyber adversaries has gained momentum in both the private sector as well as the government. Some cybersecurity experts, however, have warned that the risks and unintended consequences of offensive cyberattacks can put private enterprises in the crosshairs of nation-state hackers.

What are the implications of the U.S. Cyber Command turning its attention to offensive hacking? What activities would be considered short of cyberwarfare? Could the Pentagon’s policy lead to an escalation of cyberattacks? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

More trouble for federal cybersecurity


In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the recent federal cybersecurity report, which found the majority of agencies have significant security gaps.

The latest government report on the state of federal cybersecurity brought more bad news for Washington, D.C.

The Federal Cybersecurity Risk Determination Report and Action Plan, which was commissioned by the Office of Management and Budget and the Department of Homeland Security, found the vast majority of government agencies have significant gaps in their security postures. Specifically, the report found that 59 of 96 agencies are considered to be at risk, while 12 agencies are at high risk.

Key issues, according to the report, included ineffective and outdated identity and access management processes, a lack of communication between security operations centers, and a lack of accountability for agency leadership. The report also found that just 16% of agencies have deployed encryption for data at rest.

How serious are the federal cybersecurity report’s findings? What steps should be taken to improve the situation? What are the primary causes of the poor state of security in Washington? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.