IT experts exchange container security tips and caveats

Real-world container security requires users to dig in to the finer points of container, host, Kubernetes and application configurations.


BOSTON — Blue-chip IT shops have established production container orchestration deployments. Now, the question is how to make them fully secure within large, multi-tenant infrastructures.

For starters, users must change default settings in both Docker and Kubernetes to close potential security loopholes. For example, the Docker daemon's socket, docker.sock, when mounted into a container without proper tools to control its usage, can be used by an attacker to reach the host operating system and then back-end databases to exfiltrate data. Similarly, the Kubernetes API's default settings could let a malicious pod reach the host operating system.

“Containers also have the same problem as any other VM: They can talk to each other via an internal network,” said Jason Patterson, application security architect at NCR Corp., an Atlanta-based maker of financial transaction systems for online banking and retailers, in a presentation at the DevSecCon security conference held here this week. “That means that one misconfiguration can compromise pretty much all the containers in the environment.”

Container security configuration settings are critical

NCR uses Red Hat’s OpenShift, which restricts the Kubernetes API settings out of the box, but OpenShift users must set up security context constraints, Patterson said.

[Figure] Heroku's Etienne Stalmans presents on container security at DevSecCon.

In general, it’s best to constrain a user’s permissions and each container’s capabilities as tightly as possible and, ideally, configure container images to whitelist only the calls and actions they’re authorized to perform — but this is still uncommon, he added.

It’s possible to limit what a container root user can do outside the container or the host on which the container runs, said Etienne Stalmans, senior security engineer at Heroku, based in San Francisco, in a separate DevSecCon presentation. To do this, container administrators can adjust settings in seccomp, an application sandboxing mechanism in the Linux kernel, and configure application permissions or capabilities.

“That still makes them a privileged user, but not outside the container,” Stalmans said. “Overall, it’s best to drop all capabilities for all container users, and then add them back in as required.”

Some highly sensitive applications require isolation provided by a hypervisor to remove any possibility that an attacker can gain host access. Vendors such as Intel, Google and Microsoft offer modified hypervisors specifically tuned for container isolation.

DevSecCon presenters also touched on tools that can be used to minimize the attack surface of container and host operating systems.

Beeline, which sells workforce management and vendor management software, uses an Oracle tool called Smith that strips out unneeded OS functions. “That shrank our Docker image sizes from as much as 65 MB to 800 KB to 2 MB,” said Jason Looney, enterprise architect at Beeline, based in Jacksonville, Fla.

Container security experts weigh host vs. API vulnerabilities


Most of the best-known techniques in container security restrict attackers’ access to hosts and other back-end systems from a compromised container instance. But prevention of unauthorized access to APIs is critical, too, as attackers in recent high-profile attacks on AWS-based systems targeted vulnerable APIs, rather than hosts, said Sam Bisbee, chief security officer of Boston-based IT security software vendor Threat Stack, in a DevSecCon presentation.

Attackers don’t necessarily look for large amounts of data, Bisbee added. “Your security policy must cover the whole infrastructure, not just important data,” he said.

Kubernetes version 1.8 improved API security with a switch from attribute-based access control to role-based access control (RBAC). And most installers and providers of Kubernetes, including cloud container services, now enable RBAC for Kubernetes API access by default. But users should go further, with configuration settings that prevent untrusted pods from talking to the Kubernetes API, Stalmans said.

“There is some discussion [in the Kubernetes community] to make that the default setting,” he said. It’s also possible to do this programmatically from container networking utilities, such as Calico, Istio and Weave. But “that means we’re back to firewall rules” until a new default is decided, he said.
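One way to check a pod manifest for the weak settings described above (a mounted docker.sock, undropped capabilities, a missing seccomp profile, root containers, and an auto-mounted service account token that hands the pod Kubernetes API credentials), as an added example in Python that is not from the article or any of the presenters. The two pod specs are constructed, and the check assumes the manifest has already been parsed into a dict (for example from YAML).

```python
"""Check a parsed Kubernetes Pod manifest for the container hardening points
discussed at DevSecCon: a mounted Docker daemon socket, privileged containers,
capabilities that were not dropped, a missing seccomp profile, root users and
an auto-mounted service account token that lets the pod authenticate to the
API server. The manifest is assumed to be a dict from a YAML/JSON parser."""
from typing import Any, Dict, List

DOCKER_SOCKET = "/var/run/docker.sock"


def check_pod_spec(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    spec = pod.get("spec", {})

    # docker.sock mounted from the host: anything that can write to that socket
    # can ask the Docker daemon to start a container with the host filesystem.
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath", {}).get("path", "")
        if host_path.rstrip("/") == DOCKER_SOCKET:
            findings.append(f"volume '{vol.get('name')}' mounts the Docker daemon socket {host_path}")

    # The default (True) mounts an API token into every container; a pod that
    # does not need the Kubernetes API should not carry credentials for it.
    # Network reachability of the API server is a NetworkPolicy matter, not checked here.
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token is auto-mounted; the pod carries Kubernetes API credentials")

    pod_sc = spec.get("securityContext", {})
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext", {})

        if sc.get("privileged", False):
            findings.append(f"container '{name}' runs privileged")

        # "Drop all capabilities, then add back what is required": the drop list must contain ALL.
        caps = sc.get("capabilities", {})
        dropped = {c.upper() for c in caps.get("drop", [])}
        if "ALL" not in dropped:
            findings.append(f"container '{name}' does not drop all capabilities")

        # Defaults to true; without it a non-root process can gain privileges via setuid binaries.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"container '{name}' allows privilege escalation")

        # runAsNonRoot may be set at pod or container level; the container setting wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"container '{name}' may run as root")

        # seccomp restricts the syscalls the container may make; Unconfined is as bad as none.
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile"))
        if not seccomp or seccomp.get("type") == "Unconfined":
            findings.append(f"container '{name}' has no seccomp profile")

    return findings


# Constructed sample: a pod that mounts docker.sock and runs privileged with defaults.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ci-runner"},
    "spec": {
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "runner", "image": "example/runner:1.0",
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed sample: the same workload with the hardening the presenters describe.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "example/web:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                # Drop everything, then add back only what binding port 80 needs.
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(check_pod_spec(pod))} finding(s)")
        for finding in check_pod_spec(pod):
            print("  -", finding)
```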


PagerDuty incident response tools loop in business stakeholders


The scope of PagerDuty incident response tools widened this week, with the addition of two products that give business stakeholders visibility into incident response.

PagerDuty Visibility offers corporate managers a view into ongoing incidents as IT mobilizes to address them. This access helps business units react effectively to external customer concerns about the incidents, and it frees up IT first responders to address the incident, rather than update business stakeholders on the situation.

“As part of the triage team, we want to take care of the business side. But we don’t want them coming into our conference bridge asking for an update when we could be spending that time on triage,” said Ben Hwang, cloud automation leader at GE Digital, General Electric’s software engineering division, which uses PagerDuty and helped test PagerDuty Visibility in its alpha and beta stages. “PagerDuty Visibility is better than the internal tools we’ve been using, and our IT organization has been waiting for it to launch.”

Another product released this week, PagerDuty Analytics, is a counterpart to Visibility that offers business managers a long-term view of incident response trends in cost and average time to resolution. Hwang said this product also appeals to him, but would require wider adoption of PagerDuty across more GE Digital teams to be truly effective. Many of these teams are in flux while GE plans to spin them off.

These products are part of a trend in IT incident response that fits into broader shifts in corporate thinking around IT service management. Atlassian adjusted its incident response tools this month with the acquisition of OpsGenie and the launch of Jira Ops, which also offers visibility into ongoing incidents for business stakeholders. Splunk also expanded its incident response offerings with the acquisition of VictorOps in June 2018.

IT shops want PagerDuty incident response flexibility

PagerDuty users are intrigued by the company’s additional incident response tools, but they said the core triage product also needs work to keep pace with complex organizational structures that arise from microservices architectures.

At SPS Commerce, for example, PagerDuty should notify database teams when an incident affects certain apps with database dependencies, but the company also wants to track those incidents according to the service they’re part of, said Andy Domeier, director of technology operations at the communications network for supply chain and logistics businesses in Minneapolis.


However, today, PagerDuty incident response notifies all members of a particular application or service team even if it only must route the notification to the database staff.

“Right now, we rely on our team in India to route notifications to the database team,” Domeier said. “We’d like to be able to override escalation policies for certain integrations so that they’re still associated with a certain application, but only go to the database team.”

PagerDuty Visibility and Analytics look interesting, but until that more basic notification-routing issue is solved, SPS will struggle to adopt those capabilities, Domeier said.

“We provided early feedback for PagerDuty Visibility, and it has a lot of great potential,” he said. “But we pulled out of the beta because of the issues with service alignment.”

GE Digital’s Hwang said he’s had a similar problem with escalation policies and alignment with distributed teams. But he added that PagerDuty Visibility offers more flexibility with escalation policies, which he hopes will also find its way into other PagerDuty products.

That is the plan. PagerDuty Visibility introduces business services and a service dependence hierarchy, which will eventually be added to the core platform for alerting and escalation, a PagerDuty spokesperson said in an email.

PagerDuty has also repackaged its products, which were previously offered as one platform, into three major product tiers:

  • PagerDuty Platform Team is for single teams within larger organizations.
  • PagerDuty Business is for multiple teams, and it also includes more advanced scalability, high availability and security features.
  • PagerDuty Enterprise bundles in products that are now add-ons for the lower tiers, including Modern Incident Response, Event Intelligence and PagerDuty Visibility.

PagerDuty Analytics is a separate add-on for all levels.

Modern Incident Response, which provides visibility into ongoing incidents, overlaps somewhat with PagerDuty Visibility. And Event Intelligence, which uses analytics to offer triage recommendations, overlaps with PagerDuty Analytics.

The chief differences between these tools are their target audiences, PagerDuty officials said. Modern Incident Response and Event Intelligence are aimed at incident response teams that handle triage, while Visibility and Analytics are meant for business stakeholders within the wider organization.

Bing helps you learn more about the news in less time

Being an informed consumer of the news is more challenging today than it used to be. We live in a busy world where dozens of headlines compete for our attention every day. On top of that, it’s difficult to know if you’re getting all sides of a story or just leaning into an echo chamber, and it can feel like a full-time job to seek out various points of view.

At Bing, we want to empower users to get an overview of the news in less time. That’s why we built the Bing spotlight that provides overviews of news topics that you can see right in the Bing search results when you search for major developing news stories.

Spotlight shows users the latest headlines, a rundown of how the story has developed over time, and relevant social media posts from people around the web. Spotlight also shows diverse perspectives on a given topic so users can quickly get a well-rounded view on the topic before deciding what they want to go deeper on and read by clicking on any of the articles.

Spotlight is currently available on Bing desktop and mobile web in the US.


Users’ trust in the news we present is of the utmost importance to Bing, and we’re committed to providing a well-rounded view of news from diverse, quality sources.

To start, Bing monitors millions of queries and news articles every day and identifies impactful stories that evolve over a period of weeks or months. We look at various user signals such as queries and browser logs, and document signals from publishers such as how many publishers cover a story, their angles, and how prominently they feature the story on their site. For controversial topics, in the Perspectives module, we show different viewpoints from high-quality sources. For a source to be considered high quality, it must meet the Bing News PubHub Guidelines, which is a set of criteria that favors originality, readability, newsworthiness, and transparency. Top caliber news providers identify sources and authors, give attribution and demonstrate sound journalistic practices such as accurate labeling of opinion and commentary. Behind the scenes, we leverage our deep learning algorithms and web graphs of hundreds of millions of web sites in the Bing index to identify top sources for national news, per category, query, or article. Our goal is to provide broader context for impactful stories, from politics to business to major disasters, and much more.

To try the new experience, search for major news topics like self-driving cars on Bing.com, or find the latest spotlights on the Bing.com homepage carousel.

Providing different perspectives in our spotlight experience is part of a broader effort to help our users be more informed with various perspectives on a range of topics, from news to common health questions. We’re working hard to expand the range of topics covered by this approach, including expanding the numbers of topics spotlight covers, to help you become more informed in less time and effort. We hope you’re as excited about these updates as we are!

ICS security fails the Black Hat test

The news at Black Hat 2018 wasn’t great when it came to industrial control systems. But while numerous sessions added up to sweeping condemnation of ICS security, there was at least the occasional saving grace that some vendors will correct some problems — at least some of the time. Still, the apparent lack of a security-conscious culture within these organizations means they’ll only fix the minimum, leaving similar products with the same underlying hardware, firmware and fatal bugs untouched and unsecured.

Speaking in a session, called “Breaking the IIoT: Hacking Industrial Control Gateways,” Thomas Roth, security researcher and founder of Leveldown Security, an embedded and ICS security consulting and research company based in Esslingen, Germany, walked through the security faults of a series of five gateway devices he’d found at prices he could afford on eBay. He wanted to look at commonly deployed, relatively current devices — things you find in the real world.

“If you go out on the network and start scanning, you’ll find thousands of these devices. In fact, you’ll find entire network ranges that are used almost exclusively for these devices,” he said.

“Often, they use static IP addresses with no VPN protection.” One device he looked at had a proprietary protocol for its wireless communications. But if you could break it — and he did — you had access to every one of those devices in the field, because the network addressing architecture was flat and unsegmented.

The first device he looked at was typical of his various experiments, tackling a Moxa W2150A which connects ICS devices to wireless networks via an Ethernet port on the device side and a wireless interface on the other side. In between the two interfaces is an easily opened case that reveals a circuit board with pads for connecting to a debugging port. Roth discovered, in a common theme across many of the devices discussed at the conference, the port was a serial terminal connection that booted directly to a root shell in Linux.

“This is a design decision, not a bug,” Roth said. But he noted that if you have the device and you can access a root shell, then as you are writing exploits, you can debug them directly on the device, “which is a pretty nice situation to be in.”

Roth noted the firmware for the device was available on the internet from the Moxa website, but it was encrypted. At first, this seemed like a dead end. But in looking at earlier firmware versions, he noticed one of the upgrades included adding the feature of encrypting the firmware.

This led him to an unencrypted update version, which included a package called “upgrade_firmware.” This, in turn, led to a function called “firmware_decrypt” — a function name that gave the audience a chuckle — which gave him plaintext access to the current version of the software. The decryption key was, needless to say, included in the upgrade code.

Roth raised an issue that hasn’t been much discussed in ICS security: supply chain security issues caused by the wide prevalence of openly accessible terminal access ports on devices. You can change the firmware, he said, write the changed version back to the device, return it to your distributor without mentioning the change, “and they will happily resell it to someone else.” In fact, he knows this because he conducted an experiment and was sold a device with firmware he had previously rewritten.

Roth discussed four more devices in some detail, with two of them still in the process of disclosure, “and there are a lot of fun issues.”

Beyond Roth’s pathway strewn with pwned gateways, there were other such sessions, including ones that found significant vulnerabilities in medical devices, cellular gateways, smart city infrastructure and satellite communications.

Jonathan Butts, CEO of security consultancy QED Secure Solutions, located in Coppell, Texas, noted in a press conference at the event that dealing with vendors around ICS security disclosure had been particularly frustrating. In the case of a pacemaker made by Medtronic, a protracted process leading to the company deciding that changes in the product weren’t necessary led Butts and co-speaker Billy Rios, founder of WhiteScope LLC, a cybersecurity company based in Half Moon Bay, Calif., to demonstrate their attack live and let the audience judge for themselves.

“To be honest,” Butts said, “after about the one-and-a-half-year mark, and you see stuff like [Medtronic’s response], you get fed up.”

ICS security: Protection? Not

While it’s theoretically possible to protect at least the devices that aren’t implanted in human bodies by placing the ICS equivalents of a firewall at strategic network junction points, a session by Airbus security evaluators Julien Lenoir and Benoit Camredon showed a widely deployed ICS firewall made by Belden could be remotely exploited.

The Tofino Xenon device is typically situated between the IP-based control network and local ICS assets that use Modbus, EtherNet/IP or OPC protocols. Interestingly, the device itself doesn’t have an IP address; it is essentially invisible to ordinary interrogation on the network.

A custom protocol allows a Windows machine running a configurator to discover and then send configuration data to a Xenon device. The configurator knows the addresses of protected ICS devices and knows the Xenon is somewhere between the configurator and the devices. The Xenon knows to watch for packets that carry a specific payload and recognizes them as packets from a configurator.

The two researchers were able to reverse-engineer the protocol enough to understand the arrangement that was used for encryption keys. The configurator discovers devices using a common key and then generates two additional keys that are unique to the particular pairing of that configurator and that specific firewall. All of these keys could be extracted from the discovery session, and then the keys unique to the device were used to establish a connection with the device.

“We were able to get a root shell,” Lenoir told the audience, heralding the familiar theme that almost all ICS devices are actually outdated Linux kernels. “Once everything was running as root, now the appliance was no longer a black box, but was instead a Linux kernel.”

From here, they settled on an attack model that used the devices’ ability to be updated from files on a USB stick. Camredon explained the updates comprised two files, both encrypted. “One is an update script, and one is a data file that is an image, including an image of the kernel.”

It turned out that all configurators and all Tofino Xenon devices used the same key for decrypting the update files. Because they had access to root on the Xenon, they were able to extract this key, at which point they further discovered there were no checks in the update script to ensure the data file hadn’t been tampered with since it was created.

Thus, a breached Xenon could be modified in whatever way the attackers wanted, an image of that system made, and the image could be encrypted and included in an update package without the separate installation script detecting the change.

The Xenon has been updated to correct these problems since the researchers disclosed their findings. So, in theory, the firewall is back in business. One problem Roth noted, though, is these systems often come in dozens of variants, with different names and model numbers.

“If you report a bug to some of these vendors,” Roth said, “the vulnerability gets fixed, but then there are 10 different devices which run the same firmware, and they are left completely unpatched.”

Roth suggested this was a clear indication of the lack of security culture at many ICS vendors.

“It’s like exploiting in the ’90s,” he concluded. “We have no integrity protections on any of these devices.”

At another moment, he made a sweeping generalization: “Everything runs as root; everything runs on outdated Linux kernels; everything runs on outdated web servers. If any of these components fails, you have root permission.”

News roundup: Manage employee resource groups and more

This week’s news roundup features a tool to manage employee resource groups, a roadmap for a wellness coaching technology program and an AI-powered platform to match employees with the right insurance options.

Ready, set, engage

Espresa, which makes a platform for automating employee programs, has added new features that can track and manage employee resource groups.

Employee resource groups, which are organically formed clubs of people with shared enthusiasms, are increasingly popular in U.S. corporations. A 2016 study by Bentley University indicated 90% of Fortune 500 companies have employee resource groups, and 8.5% of American employees participate in at least one.

At a time when employee retention has become more critical, thanks to a very tight labor market, employee resource groups can help employee engagement. But the grassroots nature of the efforts makes it hard for both employees and HR departments to track and manage them.

In many companies today, employee resource groups are managed with a cobbled-together collection of wiki pages, Google Docs and Evite invitations, said Raghavan Menon, CTO of Espresa, based in Palo Alto, Calif. And HR departments often have no idea what’s going on, when it’s happening or who is in charge.

“Today, nothing allows the employer or company to actually promote [employee resource groups] and then decentralize them to allow employees to manage and run the groups with light oversight from HR,” Menon explained.

Espresa’s new features give HR departments a web-based way to keep track of the employee resource groups, while giving the employees a matching mobile app to help them run the efforts.

“When employees are running things, they’re not going to use it if it’s an old-style enterprise app,” he said. “They want consumer-grade user experience on a mobile app.”

With Espresa, HR staff can also measure employee resource groups’ success factors, including participation and volunteer activity levels. That information can then be used to make decisions about company funding or a rewards program, Menon said.

An alternate health coach

Is it possible to help an employee with a chronic condition feel supported and empowered to make lifestyle changes using high-tech health coaching and wearable health technology? According to John Moore, M.D., medical director at San Francisco-based Fitbit, the answer is yes.

During World Congress’ 10th annual Virtual Health Care Summit in Boston, Moore outlined a health coaching roadmap designed to help HR departments and employers meet workers where they are.

“Hey, we know the healthcare experience can be really tough, and it’s hard to manage with other priorities,” he said. “We know you have a life.”

Using a health coach, wearables or a mobile phone — and possibly even looping in family and friends — an employee with a health condition is walked through the steps of setting micro-goals over a two-week period. Reminders, support and encouragement are delivered via a wearable or a phone and can include a real or virtual coach, or even a family intervention, if necessary.

The idea, Moore stressed, is to enable an HR wellness benefits program to give ownership of lifestyle changes back to the employee, while at the same time making the goals sufficiently small to be doable.

“This is different than [typical] health coaching in the workplace,” he said. “This is going to be a much richer interaction on a daily basis. And because it’s facilitated by technology, it’s more scalable and more cost-effective. We’ll be able to collect information that spans from blood pressure, to weight, to steps, to glucose activity and sleep data to get the whole picture of the individual so they can understand themselves better.”

This is an in-the-works offering from Fitbit, and it will not be limited to just the Fitbit-brand device. This platform will be based on technology Fitbit acquired from Twine in February 2018. Moore outlined a vision of interoperability that could include everything, from the pharmacy to a glucose meter to, eventually, an electronic health record system. This could work in tandem with a company’s on-site or near-site health clinic and expand from there, he said.

“Technology can help break down barriers that have existed in traditional healthcare. Right now, interactions are so widely spaced, you can’t put coaches in the office every day or every week. There needs to be a way to leverage technology,” he said. “We can’t just give people an app with an AI chatbot and expect it to magically help them. The human element is still a very important piece, and we can use technology to make that human superhuman.”

HR on the go

StaffConnect has released version 2.2 of its mobile engagement platform, which includes new options for customers to create portals for easier access to payroll, training and other HR information and forms. The StaffConnect service can be used by workers in the office and by what the company calls “nondesk employees,” or NDEs.

The company’s 2018 Employee Engagement Survey showed more than one-third of companies have at least 50% of their workforce as NDEs and highlighted the challenges of keeping all employees equally informed and engaged. The survey indicated the vast majority of companies continue to use either email (almost 80%) or an intranet (almost 49%) to communicate with employees, while just 2% of companies reach out via mobile devices.

The company is also now offering a REST API to make it easier to integrate its platform into existing HR services, and it added custom branding and increased quiz feature options to boost customization.

StaffConnect’s new version also offers additional security options and features, including GDPR compliance and protection for data at rest.

Researchers discover Android apps spying on users’ screens

The good news, according to academic researchers, is that your phone most likely isn’t secretly listening to your conversations. The bad news is that fears of Android apps spying on users aren’t totally unfounded.

Computer science researchers at Northeastern University in Boston conducted a massive study of 17,260 Android apps from the Google Play store, as well as third-party marketplaces AppChina, Mi.com and Anzhi. The study, which was published this week in a research paper titled “Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications,” found no evidence that apps were secretly enabling device microphones to record and exfiltrate audio data. However, the research team did find evidence of “several” Android apps spying on users by recording video and images of users’ screens.

“Our study reveals several alarming privacy risks in the Android app ecosystem, including apps that over-provision their media permissions and apps that share image and video data with other parties in unexpected ways, without user knowledge or consent,” the researchers wrote. “We also identify a previously unreported privacy risk that arises from third-party libraries that record and upload screenshots and videos of the screen without informing the user and without requiring any permissions.”

The research team, which used a combination of static and dynamic code analysis, didn’t specify the number of Android apps found spying on users, but the paper did say it was “few” compared to the total number of apps reviewed. “On the one hand, this is good news: a very large fraction of apps are not abusing the ability to record media,” the researchers wrote. “On the other hand, it could also indicate that our analysis missed other cases of media leaks.”

The Northeastern University team cited several examples of popular apps that engaged in unauthorized recording of users’ screens, including GoPuff, a food delivery app. The researchers discovered the app sent captured video via the internet to a domain belonging to web analytics firm Appsee, and that the video recording could include personally identifiable information such as ZIP codes. The researchers said that Appsee’s software required no permissions to record the video and did not issue notifications to users.

The researchers noted that GoPuff was notified of the issue and has since removed the Appsee SDK from its iOS and Android apps and revised its privacy policy, which previously did not disclose any recording or exfiltration of video. The researchers also notified Google, which, according to the paper, said it “took the appropriate actions.” Google Play’s privacy policy requires that app developers disclose to users how their data is collected, shared and used.

Northeastern University’s “Panoptispy” research comes as Google has increased its efforts to curb potential Android app spying. The company previewed the security features of Android P, the newest version of the mobile OS, at the Google I/O conference in May. Android P will only grant access to device sensors such as microphones and cameras to apps in the foreground, preventing potentially harmful apps from running covertly in the background and using sensors to spy on users. However, that particular feature wouldn’t prevent apps like GoPuff from performing unauthorized video exfiltration: the screen recording the researchers described happens while the app is in the foreground and, as they noted, requires no permission at all.
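The two findings above, over-provisioned media permissions and screen recording by a third-party library that needs no permission, can be triaged statically before any dynamic analysis. The script below is an added illustration, not code from the Panoptispy paper or its authors: the manifest, the decompiled class list and the SDK package prefix `com.example.sessionreplay` are constructed for the example, and the `uses_media_at_runtime` flag stands in for what dynamic analysis would observe.

```python
"""Static triage for media-permission over-provisioning and permissionless
screen-recording SDKs in an Android app.

Added example; not code from the Panoptispy study. The manifest, class list
and SDK prefix list are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MEDIA_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}
# Assumed package prefixes of screen-recording analytics SDKs (illustrative,
# not a vendor-published value).
SCREEN_RECORDING_SDK_PREFIXES = ("com.example.sessionreplay.",)

# Constructed manifest: an app that declares both media permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.delivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application/>
</manifest>
"""

# Constructed class list, as a decompiler would enumerate it from the dex.
SAMPLE_CLASSES = [
    "com.example.delivery.MainActivity",
    "com.example.delivery.checkout.CheckoutFragment",
    "com.example.sessionreplay.ScreenRecorder",
    "com.example.sessionreplay.Uploader",
]


def declared_permissions(manifest_xml):
    """All <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        e.attrib.get(f"{{{ANDROID_NS}}}name", "")
        for e in root.iter("uses-permission")
    }


def media_permissions(manifest_xml):
    return sorted(declared_permissions(manifest_xml) & MEDIA_PERMISSIONS)


def screen_recording_sdks(class_names):
    """Classes that match an assumed screen-recording SDK package prefix."""
    return sorted(
        c for c in class_names if c.startswith(SCREEN_RECORDING_SDK_PREFIXES)
    )


def triage(manifest_xml, class_names, uses_media_at_runtime):
    """uses_media_at_runtime: whether dynamic analysis saw the app actually
    open the camera or microphone. Media permissions that are declared but
    never exercised are over-provisioned."""
    findings = []
    perms = media_permissions(manifest_xml)
    if perms and not uses_media_at_runtime:
        findings.append(("over_provisioned_media_permissions", perms))
    sdks = screen_recording_sdks(class_names)
    if sdks:
        # Capturing the app's own views needs no Android permission, so this
        # only shows up in the code, never in the manifest.
        findings.append(("permissionless_screen_recording_sdk", sdks))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_MANIFEST, SAMPLE_CLASSES, False):
        print(kind, detail)
```

The manifest check alone is not enough, which is the study's point: the screen-capture finding comes from the class list, not from any permission, so a review that stops at the manifest would miss it.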

In other news

  • A former employee of NSO Group Technologies, an Israeli company that specializes in spyware and iPhone hacking tools, has reportedly landed in hot water. According to an indictment, Israeli authorities claim an unnamed NSO employee stole the company’s Pegasus spyware product and tried to sell it for $50 million in cryptocurrency. According to reports, the indictment states the disgruntled employee began working for NSO last year as a senior programmer and was granted access to the company’s source code. The indictment also claims the employee posed as a hacker and tried to sell the Pegasus code to other hackers on the dark web; one potential buyer notified NSO of the matter, which investigated the individual with the assistance of law enforcement.
  • Computer scientists from the University of California, Irvine, published research regarding a new attack technique they call “Thermanator,” which records thermal residue on keyboard keys to determine users’ passwords and other sensitive information such as PINs. According to the researchers, a midrange thermal imaging camera could allow threat actors to observe and record keystrokes. “Results show that entire sets of key-presses can be recovered by non-expert users as late as 30 seconds after initial password entry, while partial sets can be recovered as late as 1 minute after entry,” the research paper states. While attackers would need to have a clear view of a target’s keyboard, the researchers say the Thermanator attack shows that “using external keyboards to enter (already much-maligned) passwords is even less secure than previously recognized.”
  • A newly discovered update of malware descended from an old Trojan is now equipped with a downloader that can decide whether to mine cryptocurrencies or encrypt files for ransom on victim systems. Kaspersky Lab researchers Egor Vasilenko and Orkhan Mamedov wrote that the new version of the malware, which is related to the Rakhni family of ransomware that Kaspersky Lab uncovered in 2013, checks system attributes before downloading its malicious payload, specifically looking at whether there is a folder named %AppData%\Bitcoin. If the folder is present, then the downloader selects the ransomware cryptor; “If the folder doesn’t exist and the machine has more than two logical processors, the miner will be downloaded. If there’s no folder and just one logical processor, the downloader jumps to its worm component,” to continue propagating the malware locally, the researchers wrote. The cryptomining malware mines for the Monero, Monero Original and Dashcoin cryptocurrencies.

Vision + Execution: Microsoft named a leader again in Gartner MQ for Access Management

Howdy folks,

Some great news to share with you today! For the second year in a row, Gartner has positioned Microsoft in the Leaders Quadrant in the 2018 Magic Quadrant for Access Management, Worldwide, based on our completeness of vision and ability to execute in the access management market. Find out why in a complimentary copy of the report here.


According to Gartner, Leaders show evidence of strong execution for anticipated requirements related to technology, methodology, or means of delivery. Leaders also show evidence of how access management plays a role in a collection of related or adjacent product offerings.

Furthest in Vision in Leaders Quadrant

Microsoft is positioned the furthest in completeness of Vision in the Leaders Quadrant, for the second straight year. We believe our jump up in Execution also illustrates how important it is for us to execute on a strategy that can help organizations where they are at today and prepare them for the identity needs of tomorrow.

At Microsoft, we champion conditional access policies and threat protection for identities as critical capabilities for a world-class identity and access management solution. As part of a rich ecosystem with Windows 10, Office 365 and EMS, we’ve worked hard to integrate security policies across products to give you visibility and control over the full user experience. We’ve also taken in the insights and feedback from our customers this year to improve the experience and make it even easier to get all your identities in one place. We are committed to providing innovative and comprehensive identity and access management solutions for your employees, partners, and customers.

We could not have continued to be a leader in this space without the input and support from our customers and partners – thank you!

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Important note:

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

News roundup: TriNet software targets professional services

The theme of this news roundup is specialization: professional services HR, an effort to pull together a comprehensive benefits plan and a payroll offering aimed at the gig economy.

The debut of TriNet software for professional services HR is an effort to provide a platform for small and medium-sized businesses that caters to specific HR needs. TriNet Professional Services “is a bundle more relevant to what a small consulting company owner or an ad agency owner or any type of business depending on people to deliver a service would need,” explained Jimmy Franzone, senior vice president of strategy at TriNet, based in San Leandro, Calif. The new product joins other vertical TriNet software aimed at technology, nonprofits, life sciences and financial services.

In thinking about what the issues are around professional services HR, Franzone said the company bundled in a lot of applications that are ancillary in some other products, but should be important to this demographic. Expense management, performance management, application tracking and a variety of payroll-related tasks are at the core of the professional services package, Franzone said, because they are areas busy consultants, certified public accountants or lawyers would want to easily access.

TriNet’s heavy investment in its mobile application should also work nicely for those looking for professional services HR, Franzone said. “Mobile is a huge driver from the client side, especially in professional services,” he said. “We’re finding, in some ways, the professional services HR [market] is more mobile-enabled than tech or financial services firm employees who are always at a desk. Consulting firms and ad agencies are working outside of their desks. The need to be able to access data is critical to what they do.”

The new TriNet software is supported by a client services team that specializes in professional services HR, Franzone said. “They understand how those businesses work, what questions to ask, and what the trials and tribulations are.”

BenefitsPlace: All employee options on one platform

BenefitsPlace, a new platform from Benefitfocus, has a lofty goal: “We want to unify the entire benefits industry on one platform,” said Tom Dugan, vice president of product management at Benefitfocus, based in Charleston, S.C.

“We want the platform to show carriers’ insurance, life products and critical illness plans, as well as the emergent benefits that are focused on noninsurance products, like ID theft protection and concierge healthcare,” he continued. “We want to onboard all types of sellers’ products to make it easy for brokers to evaluate those sellers’ products and for employers to evaluate and make choices.”

BenefitsPlace won’t just offer the choices, Dugan stressed, but it will also present information around the offerings, so employers and consumers can make informed decisions about their benefits.

The average Benefitfocus customer offers 15 different benefits, and 20% of its clients offer 20 or more, Dugan said. So, the choices can be overwhelming to both employers and employees.

“We want to remove friction from the process,” he said. “We want to help people really understand what’s available, and it’s only getting more difficult when new products come in. We want to help consumers navigate those choices.”

An easier small-business payday process?

In the gig economy, small businesses can struggle with the prospect of payday happening potentially daily. Intuit’s QuickBooks just announced new payroll software options to help small businesses more easily deal with short-term employees who expect to be paid the day they work.

Contractor Direct Deposit brings “drop in the bank account” payment options to small businesses and syncs up with QuickBooks, so everything is streamlined at tax time. Same Day Direct Deposit is a new option in QuickBooks Full Service Payroll, and it’s an alternate way to pay contractors or freelancers more quickly and stay on top of expenses.

All of the Xbox E3 2018 Briefing Videos – Xbox Wire

Yesterday’s Xbox E3 2018 Briefing featured a ton of big news, from our announcements of new studios joining the Microsoft Studios family to the reveal of the next chapter in the Halo saga. There was something for everyone in the briefing too, including first looks at hardcore shooters like Metro: Exodus and Battlefield V, family-friendly titles like Ori and the Will of the Wisps and Kingdom Hearts 3, and indie gems like Session and Tunic. Did you miss out on the action? If so, we’ve got you covered with trailers and demos galore. Take a look below or watch the entire briefing above!

  • Halo Infinite
  • Ori and the Will of the Wisps
  • Crackdown 3
  • Sea of Thieves – Cursed Sails and Forsaken Shores
  • Forza Horizon 4
  • Cyberpunk 2077 Trailer
  • PlayerUnknown’s Battlegrounds
  • Gears 5 – Cinematic Announce Trailer
  • Gears 5 – Announce Trailer
  • Fallout 76
  • Tunic
  • Devil May Cry 5
  • Session
  • Gears POP!
  • Xbox Game Pass Catalog Preview
  • ID@Xbox Games Montage
  • Battletoads Announce Trailer
  • Hyper Universe
  • Xbox One X Enhanced Games
  • Xbox One E3 2018 Montage
  • Cuphead DLC Announce
  • Captain Spirit Announce
  • Jump Force Announce
  • Just Cause 4 Announce
  • Shadow of the Tomb Raider
  • Tales of Vesperia: Remastered
  • We Happy Few Story Trailer
  • NieR: Automata Become As Gods Edition
  • Metro Exodus Gameplay Trailer
  • Kingdom Hearts III Frozen Trailer
  • The Division 2 Gameplay Demo
  • Dying Light 2 Gameplay Demo
  • Dying Light 2 Announce Trailer
  • Battlefield 5 Single Player Teaser

Federal cybersecurity report says nearly 75% of agencies at risk

The latest federal cybersecurity report holds little good news regarding the security posture of government agencies, and experts are not surprised by the findings.

The Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) developed the report in accordance with President Donald Trump’s cybersecurity executive order issued last year. The report acknowledged the difficulties agencies face in terms of budgeting, maintaining legacy systems and hiring in the face of the cybersecurity skills gap, and it identified 71 of 96 agencies as being either “at risk or high risk.”

“OMB and DHS also found that federal agencies are not equipped to determine how threat actors seek to gain access to their information. The risk assessments show that the lack of threat information results in ineffective allocations of agencies’ limited cyber resources,” OMB and DHS wrote in the report. “This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact federal cybersecurity.”

The federal cybersecurity report tested the agencies involved under 76 metrics and identified four major areas of improvement: increasing threat awareness, standardizing IT capabilities, consolidating security operations centers (SOCs), and improving leadership and accountability.

Greg Touhill, president of Cyxtera Federal Group, based in Coral Gables, Fla., and former CISO for the United States, said the report was an “accurate characterization of the current state of cyber risk and a reflection of the improvements made over the last five years in treating cybersecurity as a risk management issue, rather than just a technology problem.”

“I am concerned that the deletions of and vacancies in key senior cyber leadership positions [are] sending the wrong message about how important cybersecurity is to the government workforce, commercial and international partners, and potential cyber adversaries,” Touhill wrote via email. “As national prosperity and national security are dependent on a strong cybersecurity program that delivers results that are effective, efficient and secure, I believe cybersecurity ought to be at the top of the agenda, and we need experienced cyber leaders sitting at the table to help guide the right decisions.”

Agencies at risk

The federal cybersecurity report said many agencies lack situational awareness and noted this has been a long-standing issue in the U.S. government.

“For the better part of the past decade, OMB, the Government Accountability Office, and agency [inspectors general] have found that agencies’ enterprise risk management programs do not effectively identify, assess, and prioritize actions to mitigate cybersecurity risks in the context of other enterprise risks,” OMB wrote. “In fact, situational awareness is so limited that federal agencies could not identify the method of attack, or attack vector, in 11,802 of the 30,899 cyber incidents (38%) that led to the compromise of information or system functionality in [fiscal year] 2016.”

Sherban Naum, senior vice president of corporate strategy and technology at Bromium, based in Cupertino, Calif., said improving information sharing might not “address the protection component.”

“Sharing information in real time of an active and fully identified attack is critical. However, more information alone won’t help if there is no contextual basis to understand what was attacked, what vulnerability was leveraged, the attacker’s intent and impact to the enterprise,” Naum said. “I wonder what systems are in place or are needed to process the real-time threat data to then automatically protect the rest of the federal space.”

Not all of the news was bad. OMB noted that 93% of users in the agencies studied use multifactor authentication in the form of personal identity verification cards. However, the report said this was only the beginning, as “agencies have not matured their access management capabilities” for modern mobile use.

“One of the most significant security concerns that results from the current decentralized and fragmented IT landscape is ineffective identity, credential, and access management processes,” OMB wrote. “Fundamentally, any organization must have a clear understanding of the people, assets, and data on its networks.”

The federal cybersecurity report acknowledged the number of high-profile data leaks and breaches across government systems in recent years and said the situation there is not improving.

“Federal agencies do not have the visibility into their networks to effectively detect data exfiltration attempts and respond to cybersecurity incidents. The risk assessment process revealed that 73 percent of agency programs are either at risk or high risk in this critical area,” OMB wrote. “Specific metrics related to data loss prevention and exfiltration demonstrate even greater problems, with only 40 percent of agencies reporting the ability to detect the encrypted exfiltration of information at government-wide target levels. Only 27 percent of agencies report that they have the ability to detect and investigate attempts to access large volumes of data, and even fewer agencies report testing these capabilities annually.”

Additionally, only 16% of agencies have properly implemented encryption on data at rest.

Suggested improvements

The federal cybersecurity report had suggestions for improving many of the poor security findings, including consolidating email systems, creating standard software configurations and a shared marketplace for software, and improving threat intelligence sharing across SOCs. However, many of the suggestions related directly to following National Institute of Standards and Technology (NIST) Cybersecurity Framework guidelines, the Cyber Threat Framework developed by the Office of the Director of National Intelligence, or DHS’ Continuous Diagnostics and Mitigation (CDM) program.

Katherine Gronberg, vice president of government affairs at ForeScout Technologies, based in San Jose, Calif., said the focus of CDM is on real-time visibility.

“For example, knowing you have 238 deployed surveillance cameras found to have a particular vulnerability is a good example of visibility. Knowing that one or more of those cameras is communicating with high-value IT assets outside of its segment is further visibility, and then seeing that a camera is communicating externally with a known, malicious command-and-control IP address is the type of visibility that helps decision-making,” Gronberg wrote via email. “CDM intends to give agencies this level of real-time domain awareness in addition to securing data. It’s worth noting that many agencies are now moving to Phase 3 of CDM, which is about taking action on the problems that are discovered.”
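The visibility tiers Gronberg describes, together with the report’s own gaps (detecting encrypted exfiltration and attempts to access large volumes of data), can be expressed as a few checks over flow records and an asset inventory. The script below is an added example, not code from OMB, DHS, the CDM program or ForeScout; the inventory, flow records, command-and-control blocklist, vulnerability tag and byte threshold are constructed for illustration.

```python
"""Flow-record triage over a constructed asset inventory.

Added example, not code from OMB, DHS, CDM or any vendor. It walks the
tiers described in the text: which assets carry a known vulnerability, which
of those reach high-value assets in another segment, which contact a known
C2 address, and which sources push unusually large volumes out of the
network (the only signal left when exfiltration is encrypted).
"""
from collections import defaultdict

# Constructed inventory: name -> (segment, value tier, vulnerability tags)
INVENTORY = {
    "cam-01": ("iot", "low", ["CAM-FW-2017"]),
    "cam-02": ("iot", "low", ["CAM-FW-2017"]),
    "cam-03": ("iot", "low", []),
    "hr-db": ("data", "high", []),
    "ws-17": ("users", "medium", []),
}
ASSET_BY_IP = {
    "10.1.0.11": "cam-01", "10.1.0.12": "cam-02", "10.1.0.13": "cam-03",
    "10.2.0.5": "hr-db", "10.3.0.17": "ws-17",
}
KNOWN_C2 = {"203.0.113.7"}          # constructed blocklist (TEST-NET-3 address)
EXFIL_BYTES_THRESHOLD = 50_000_000  # assumed per-source outbound limit per window

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("10.1.0.11", "10.2.0.5", 1433, 2_048),           # camera -> HR database
    ("10.1.0.12", "203.0.113.7", 443, 9_000),         # camera -> known C2
    ("10.1.0.13", "10.1.0.1", 123, 90),               # camera -> local NTP, benign
    ("10.3.0.17", "198.51.100.20", 443, 61_000_000),  # workstation, large outbound TLS
    ("10.3.0.17", "10.2.0.5", 1433, 4_096),           # workstation -> HR database
]


def _is_internal(ip):
    return ip.startswith("10.")


def vulnerable_assets(tag):
    """Tier 1: inventory knowledge. Which devices carry a given vulnerability?"""
    return sorted(name for name, (_, _, vulns) in INVENTORY.items() if tag in vulns)


def cross_segment_to_high_value(flows):
    """Tier 2: vulnerable devices reaching high-value assets outside their segment."""
    hits = []
    for src, dst, port, _ in flows:
        s, d = ASSET_BY_IP.get(src), ASSET_BY_IP.get(dst)
        if not s or not d:
            continue  # unknown endpoint; visibility gap, not a finding here
        s_seg, _, s_vulns = INVENTORY[s]
        d_seg, d_tier, _ = INVENTORY[d]
        if s_vulns and s_seg != d_seg and d_tier == "high":
            hits.append((s, d, port))
    return hits


def c2_contacts(flows):
    """Tier 3: any asset talking to a known command-and-control address."""
    return sorted({(ASSET_BY_IP.get(src, src), dst)
                   for src, dst, _, _ in flows if dst in KNOWN_C2})


def large_outbound(flows, threshold=EXFIL_BYTES_THRESHOLD):
    """Per-source outbound bytes to external addresses at or above threshold.
    Encrypted traffic cannot be inspected for content, so volume is the signal."""
    totals = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if _is_internal(src) and not _is_internal(dst):
            totals[ASSET_BY_IP.get(src, src)] += nbytes
    return sorted((name, b) for name, b in totals.items() if b >= threshold)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_assets("CAM-FW-2017"))
    print("cross-segment to high value:", cross_segment_to_high_value(FLOWS))
    print("C2 contacts:", c2_contacts(FLOWS))
    print("large outbound:", large_outbound(FLOWS))
```

Each function depends on the one before it being answerable: without the inventory there is no segment or tier to compare, and without flow collection there is nothing to compare against the C2 list or the volume threshold, which is the sense in which the report ties its detection failures back to a lack of situational awareness.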

Katie Lewin, federal director for the Cloud Security Alliance, said “standardization is an effective tool to get the best value from resources,” especially given that many risks faced by government agencies are due to the continued use of legacy systems.

“Standardized, professionally managed cloud systems will significantly help reduce risks and eliminate several threat vectors,” Lewin wrote via email. “If agencies adopt DHS’s Continuous Diagnostics and Mitigation process, they will not have to develop and reinvent custom programs. However, as with all standards, there needs to be some flexibility. Agencies should be able to modify a standard approach within defined limits. Failure to involve agencies in developing a common approach and in defining the boundaries of flexibility will result in limited acceptance and adoption of the common approach.”

Gary McGraw, vice president of security technology at Synopsys Inc., based in Mountain View, Calif., said focusing on standards may not hold much improvement.

“The NIST Framework has lots of very basic advice and is very useful. It would be a step in the right direction. However, it is important to keep in mind that standards generally reflect the bare minimum,” McGraw said. “Organizations that view security solely as a compliance requirement generally fall short, compared to others that treat it as a core or enabling component of their operations.”

Michael Magrath, director of global regulations and standards at OneSpan, said, “Improving resource allocations is crucial to improving our federal cyberdefenses.”

“With $5.7 billion in projected spending across federal civilian agencies, some agencies may cry poor. The report notes that email consolidation can save millions of dollars each year, and unless agencies have improved efficiencies like email consolidation, have implemented electronic signatures and migrated to the cloud, there remains an opportunity to reallocate funds to better protect their systems,” Magrath said. “The report also notes that agencies are operating multiple versions of the same software. This adds unnecessary expense, and as more and more agencies migrate to the cloud, efficiencies and cost reductions should follow, enabling agencies to reallocate budget and IT resources to other areas.”