- IT -

Last update 20.09.2017 20:11:46


Security Gaps Remain as OT, IT Converge
14.5.2018 securityweek IT 

The accelerating digitization of business, driven by compelling commercial arguments, is driving the integration of new information technology (IT) networks with older operational technology (OT) networks. This is introducing new security risks to old technology and old technology practices -- and where the OT is driving a critical manufacturing plant, the new risk is from nation-state actors as well as traditional cyber criminals.

The good news is that many organizations understand the risks and are actively engaged in mitigating those risks. The bad news is the risk mitigation process is far from complete.

Network and content security firm Fortinet commissioned Forrester Consulting to survey the state of converging IT / OT network security. In an associated blog, Fortinet's senior director of product marketing, Peter Newton, explains the cultural difference between IT and OT security: "IT teams have a tendency to just want to throw security technology at the network and call it good. But these networks can be very different, and what works well in one environment can have devastating consequences in the other. For example, an error that opens a port on a switch can have a very different result from one that opens a valve on a boiler."

In January 2018, Forrester queried 429 global decision-makers responsible for the security of their organization’s critical infrastructure from a range of different industries, asking about their IT / OT convergence (PDF) and the security challenges being faced. The result suggests that awareness is high, and steps are in progress (SCADA / ICS security spending is planned to increase by 77%) -- but there is much yet to be done (45% of respondents do not use privileged account management (PAM) for their administrators).

The last issue is particularly relevant given the extent to which converged networks are being opened to third-party suppliers. Sixty-four percent of the companies surveyed provide either complete or high-level access to their SCADA / ICS, including to outsourced suppliers, business partners and government agencies. This seems to be changing, with respondents taking steps to reduce the number of vendors used to provide security functions for IPS, NAC and IoT.

"The number of organizations that now rely on a single vendor to provide a full range of outsourced solutions has jumped from 38% to 47% between 2016 and 2018," comments John Maddison, Fortinet's SVP products and solutions, in a separate blog post.

Coupled with the lack of a PAM solution, the report highlights that 45% of the respondents do not use role-based access control, which provides openings for insider threats. Indeed, internal hackers are considered a greater threat (77% of respondents are extremely or very concerned) than external hackers (70%). The greatest concern is reserved for malware at 77%, with leakage of sensitive or confidential data at 70%.

The security threat is not hypothetical. While there have already been several highly-publicized incidents (such as the Ukraine power outages in December 2015, and the U.S. water utility incident in March 2016), the majority of respondents have also experienced a breach. Fifty-six percent of organizations using SCADA / ICS reported a breach in the past year, and only 11% indicated they have never been breached.

SCADA / ICS breaches can have serious consequences. "Sixty-three percent of organizations say the safety of their employees was highly or critically impacted by a SCADA / ICS security breach," notes the report. "Another 58% report major impacts to their organization’s financial stability, and 63% note a serious drag on their ability to operate at a sufficient level."

Solutions to the growing SCADA / ICS risk exist, but require a new approach beyond the traditional IT security approach. IT and OT teams speak different languages for security, comments Newton. Existing OT systems may be running on an obsolete operating system on hardware that is ten or more years old. "But that may be because it only has one job," he explains: "for example, monitoring a thermostat and then throwing a switch when it reaches a critical temperature. That doesn’t require the latest technology, and if it is doing the job it was designed to do, then there is no reason to change it. But because so many of these systems run on proprietary software and use delicate instrumentation, even something as benign as scanning a device for malware can cause it to malfunction."

Solutions do exist, but must be chosen with care. "When considering a security vendor for their SCADA / ICS environments," suggests Newton, "the ability to meet compliance standards and provide end-to-end solutions, along with a reputation for reliability are the most important attributes [the respondents] look for. These organizations are looking for solutions from a variety of vendors, from systems integrators to security manufacturers."

Symantec Stock Plunges After Firm Announces Internal Probe
10.5.2018 securityweek IT

Symantec announced its fourth quarter and full year financial results on Thursday and while its revenue has increased, the cybersecurity firm’s stock dropped roughly 20% after it revealed that an internal investigation will likely delay its annual report to the U.S. Securities and Exchange Commission (SEC).

Symantec reported a Q4 GAAP revenue of $1.22 billion, which represents a 10% year-over-year increase, and $1.23 billion in non-GAAP revenue, an increase of 5% year-over-year.

As for the full fiscal year ended on March 30, GAAP revenue increased by 21% year-over-year to $4.84 billion, while non-GAAP revenue went up 19% to nearly $5 billion. The company said it had a cash flow of $950 million from operating activities for the fiscal year 2018.

Despite strong financial results, Symantec stock dropped from over $29 to less than $24 in after-hours trading after the company announced the launch of an internal investigation by the Audit Committee of the Board of Directors.

Few details have been made public by the company, but the probe was apparently triggered by concerns raised by a former employee.

“The Audit Committee has retained independent counsel and other advisors to assist it in its investigation. The Company has voluntarily contacted the Securities and Exchange Commission to advise it that an internal investigation is underway, and the Audit Committee intends to provide additional information to the SEC as the investigation proceeds. The investigation is in its early stages and the Company cannot predict the duration or outcome of the investigation,” Symantec said.

The security firm believes it’s unlikely that it will be able to file its annual 10-K report with the SEC in a timely manner due to the investigation.

In response to news of the internal probe, investor rights law firm Rosen Law Firm announced the preparation of a class action to recover losses suffered by Symantec investors. Rosen says it’s investigating allegations that Symantec “may have issued materially misleading business information to the investing public.”

Cyber Insurance Startup At-Bay Raises $13 Million
10.5.2018 securityweek IT

Cyber insurance firm At-Bay announced this week that it has raised $13 million in Series A funding, which brings the company’s total funding to $19 million.

The Mountain View, Calif-based company emerged from stealth in November 2017 with a mission to shake up the status quo in cyber insurance.

At-Bay brings a new model of security cooperation between insured and insurer to reduce risk and exposure to both parties.

"We will be collecting data and using researchers to push the limits of our understanding of risk," Rotem Iram, CEO and founder of At-Bay, previously told SecurityWeek. "As we do that, we will be improving the quality of our product. Product quality is depressed today because insurance companies do not really understand the cybersecurity risk.”

The Series A funding round was co-led by Keith Rabois of Khosla Ventures, Yoni Cheifetz of Lightspeed, and Shlomo Kramer.

"Cyber insurance is one of the fastest growing and complex markets, yet the incumbents are still currently relying on standardized checklists and irrelevant actuarial data to model risk. At-Bay is focusing on customized and real-time risk modeling and risk reduction for its customers which unlocks superior pricing and coverage options for them," said Keith Rabois, general investment partner at Khosla Ventures.

The company said the new round of financing will help accelerate development of its proactive cyber security monitoring service and roll out its insurance products.

Protego Labs Raises $2 Million in Seed Funding
10.5.2018 securityweek IT

Serverless application security firm Protego Labs announced Wednesday that it has raised $2 million seed funding from a group of investors led by Ron Gula of Gula Tech Adventures, Glilot Capital Partners, and the MetroSITE Group of security industry pioneers, including former RSA CTO, Tim Belcher.

The serverless approach -- where the server being used is managed by a cloud provider rather than the application owner -- offers great advantages in speed, simplicity and cost-savings. Gula believes it is a transformative step in leveraging the full potential of the public cloud.

"But," he adds, "it also presents a host of new threats and security challenges that traditional application security cannot handle. Protego offers a security solution designed specifically with serverless in mind, putting it at the forefront of this major technology shift."

Protego summarizes the security problem in a blog published in March 2018. "Not owning the platform means not being able to leverage the platform for security in ways you might have in the past. You’re at the mercy of whatever security mechanisms the cloud provider puts in place for you, and those rarely provide the level and granularity of protection you’d like."

The Protego platform operates by continuously scanning the serverless infrastructure, including functions, logs, and databases. It uses machine-based analysis and deep learning algorithms to build a model of normal behavior to find threats by anomaly detection as they initiate and begin to propagate. It does this in real time allowing the minimal effective protection dose in the right place -- maximizing security while minimizing costs.

Protego has offices in Baltimore, MD, and Israel. It was founded by Tsion (TJ) Gonen, Hillel Solow, Shali Mor, Itay Harush and Benny Zemmour. In January 2018 it won the Startup Competition for the most innovative cyber initiative at the Cybertech Tel Aviv 2018 Conference.

SafeBreach Raises $15 Million in Series B Funding
8.5.2018 securityweek IT

Attack simulation platform provider SafeBreach on Tuesday announced that it raised $15 million in a Series B funding round, bringing the total raised by the company to date to $34 million.

The latest funding round was led by Draper Nexus with participation from PayPal and existing investors Sequoia Capital, Deutsche Telekom Capital Partners, and HPE Pathfinder.

SafeBreach told SecurityWeek that the funding will be used for continued product innovation, further expansion of marketing and sales, and to support the company’s growing global customer base.

The firm has announced record growth, claiming that bookings increased over 470 percent year-over-year with expanded traction in the Fortune 100 sector.

SafeBreach’s Breach and Attack Simulation platform allows organizations to test their defenses against more than 3,400 breach methods.

Along with the new funding, SafeBreach announced on Tuesday a series of new capabilities for its platform. These include the addition of simulations based on US-CERT alerts and the MITRE ATT&CK framework, and integration with Visa Threat Intelligence for creating breach methods specific to the payment industry.

Organizations using SafeBreach’s platform now enable their security teams to prioritize and drill down into simulation results.

“Organizations can use the Risk Trends, Kill Chain Explorer and simulation analysis dashboards available on the platform, integrate with existing security operations workflows via SafeBreach partnership with industry leading SIEM providers such as Splunk and Arcsight, or utilize existing Business Intelligence tools such as Tableau and Kibana to target critical areas of focus and vastly reduce alert fatigue,” SafeBreach said.

Another new capability added to the SafeBreach platform is designed to accelerate remediation efforts through integration with various third-party solutions, including the Jira and ServiceNow ticketing systems, and the Phantom and Demisto automation and orchestration platforms.

LookingGlass Acquires Threat Intelligence Platform From Goldman Sachs
7.5.2018 securityweek IT

Goldman Sachs Becomes a Strategic Investor in LookingGlass Cyber Solutions

Threat intelligence solutions firm LookingGlass Cyber Solutions has acquired a threat intelligence platform developed by investment banking giant Goldman Sachs.

Called Sentinel, the platform was built by Goldman Sachs engineers and served as the firm’s in-house Security Information and Event Management (SIEM) to manage cyber threat intelligence.

Goldman Sachs had previously used Sentinel only internally, but the platform will now be further developed and sold by LookingGlass to the broader financial services industry and others.

Per the terms of the deal, Goldman Sachs is receiving equity in LookingGlass and a revenue share for Sentinel product sales, a LookingGlass spokesperson told SecurityWeek.

LookingGlass, which has raised more than $100 million in funding, said it will incorporate the platform into its portfolio of threat intelligence-focused solutions.

“The financial services industry has traditionally led other sectors in building or buying cybersecurity tools to safeguard the corporate and customer information within their networks,” said Chris Coleman, CEO at LookingGlass. “The Sentinel platform is a leading example of a financial services company building an elegant solution to meet its unique needs and developing it into an industry-leading technology. As we worked with Goldman Sachs in discussing threats and intelligence-powered security operations, it quickly became apparent that acquiring Sentinel was a natural way to meaningfully advance the state of technology and help protect the wider financial services industry as well as other sectors facing greater cyber risk stakes.”

“Our engineers built Sentinel with the goal of developing a platform that spans the entire threat lifecycle and we have seen great success in its application and adoption by our threat intelligence, incident response, and security operations teams at Goldman Sachs,” Andy Ozment, Goldman Sachs’ Chief Information Security Officer and an overseer on the LookingGlass board of directors, said in a statement.

As part of the transaction, Rana Yared, Managing Director in the Principal Strategic Investments (PSI) group at Goldman Sachs, will be joining LookingGlass’ board of directors.

The Sentinel product acquisition is not the first by Arlington, VA-based LookingGlass.

In December 2015, LookingGlass acquired open-source threat intelligence firm Cyveillance for $35 million in cash. The company acquired botnet monitoring firm Kleissner and Associates in July 2015, and Deep Packet Processing (DPP) platform provider CloudShield in February 2015.

Google announces the open-source Asylo framework for confidential computing
5.5.2018 securityaffairs IT

Last week, Google announced the release of an open-source framework and an SDK dubbed ‘Asylo’ that allows developers to build applications targeting trusted execution environments.
The Asylo framework makes it easy to protect the confidentiality and integrity of applications and data in an isolated, confidential computing environment.

The framework leverages trusted execution environments (TEEs), which implement specialized execution environments, so-called “enclaves,” to mitigate the risk of compromise by a malicious insider or an unauthorized third party.

“While cloud infrastructures offer numerous security controls, some enterprises want additional verifiable isolation for their most sensitive workloads—capabilities which have become known as confidential computing.” reads the announcement published by Google.

“Today we’re excited to announce Asylo (Greek for “safe place”), a new open-source framework that makes it easier to protect the confidentiality and integrity of applications and data in a confidential computing environment.”

The Asylo framework allows developers to verify the integrity of code running in enclaves and to protect sensitive communications through the encryption.

Previously, developing and running applications in a trusted execution environment required specialized skills and tools, and in some cases the implementations were tied to specific hardware. Asylo aims to overcome these limitations.

“Asylo makes TEEs much more broadly accessible to the developer community, across a range of hardware—both on-premises and in the cloud.” continues Google.

The Asylo framework allows developers to create portable applications that can run on various software and hardware.


Google also provides a Docker image via Google Container Registry that includes all of the dependencies needed to run a container anywhere.

This flexibility allows developers to take advantage of various hardware architectures with TEE support without modifying their source code, making applications very quick to port.

Google believes Asylo will soon also allow developers to run existing applications in TEEs. Google expects the process to be very simple: developers would just need to copy their apps into the Asylo container, choose the backend and rebuild them.

To start using Asylo, developers need to download the sources and pre-built container image from Google Container Registry.

“Be sure to check out the samples in the container, expand on them, or use them as a guide when building your own Asylo apps from scratch.” suggests Google.

“Check out our quick-start guide, read the documentation, and join our mailing list to take part in the discussion. We look forward to hearing from you on GitHub!”

Microsoft Makes Hyper-V Debugging Symbols Public
4.5.2018 securityweek IT


In an attempt to improve Hyper-V technology, which Microsoft considers central to the security of its cloud services, the software giant has released Hyper-V debugging symbols to the public.

Microsoft is now offering access to most Hyper-V-related symbols through the public symbol servers, starting with symbols for Windows Server 2016 with an installed April 2018 cumulative update.

“We would like to share with the security community that we have now released debugging symbols for many of the core components in Hyper-V, with some exceptions such as the hypervisor where we would like to avoid our customers taking a dependency on undocumented hypercalls for instance,” Microsoft announced.

This move, the company says, should prove handy for partners building solutions leveraging Hyper-V, for developers attempting to debug specific issues, and to security researchers to better analyze Hyper-V’s implementation and report any vulnerabilities as part of the Microsoft Hyper-V Bounty Program.

Microsoft is offering consistent rewards for vulnerabilities discovered in the Hyper-V client running on Windows 10 (latest builds of the Windows Insider Preview slow ring) and Windows Server 2016 (latest available version).

The highest payouts reach $250,000 for eligible Critical Remote Code Execution bugs in Hypervisor and Host Kernel. Microsoft is also willing to pay up to $20,000 for issues discovered in Remotefx, Legacy Network Adapter (Generation 1) and Fibre Channel Adapter.

At this year’s Pwn2Own hacking competition, Microsoft was willing to pay up to $150,000 for vulnerabilities in the Hyper-V client, the highest rewards offered at the event.

Developers and security researchers interested in learning more on Microsoft’s Hyper-V Bounty Program should head to this TechNet article.

The list of components that now have debugging symbols made public was published by the Microsoft Virtualization team in a blog post last week.

The set is likely to be updated as the company decides to make more symbols public: “With newer releases, we are evaluating whether we can make even more symbols available,” Microsoft’s Lars Iwer notes.

A limited set of virtualization-related symbols that haven’t been released as of now includes storvsp.pdb, vhdparser.pdb, passthroughparser.pdb, hvax64.pdb, hvix64.pdb, and hvloader.pdb.

Google Launches "Asylo" Framework for Confidential Computing
4.5.2018 securityweek IT

Google this week announced the release of an open-source framework and software development kit (SDK) that allows developers to build applications targeting trusted execution environments.

Dubbed Asylo (Greek for “safe place”), the new framework should make it easier to protect the confidentiality and integrity of applications and data in isolated, confidential computing environments.

Aimed at defending against attacks targeting underlying layers of the stack (operating system, hypervisor, drivers, and firmware), trusted execution environments (TEEs) offer specialized execution environments called “enclaves” and can mitigate the risk of compromise by an unauthorized third-party.

The newly announced Asylo framework “includes features and services for encrypting sensitive communications and verifying the integrity of code running in enclaves, which help protect data and applications,” Google says.

Until now, specialized knowledge and tools were required for creating and running applications in a TEE, and implementations have been tied to specific hardware environments. With Asylo, TEEs become more broadly accessible to the developer community, allowing for the creation of applications that target various on-premises and cloud hardware.

With the Asylo framework, developers can easily build applications and make them portable, thus ensuring they can be deployed on various software and hardware backends. Google also provides a Docker image via Google Container Registry, offering all of the dependencies needed to run a container anywhere.

Because of this increased flexibility, developers can leverage hardware architectures with TEE support without having to modify their source code. Developers can quickly port their applications across different enclave backends (laptop, workstation, a virtual machine in an on-premises server, or an instance in the cloud).

“We are exploring future backends based on AMD Secure Encryption Virtualization (SEV) technology, Intel Software Guard Extensions (Intel SGX), and other industry-leading hardware technologies that could support the same rebuild-and-run portability,” Google says.

Asylo also provides increased ease-of-use, enabling apps to leverage the security properties of TEEs without requiring developers to learn a completely new programming model.

On top of that, the framework is open-source, meaning that it makes confidential computing technology available to everyone.

Now offering an SDK and tools to help developers build portable enclave applications, Asylo will soon also allow them to run existing applications in an enclave. For that, developers would simply need to copy their apps into the Asylo container, specify the backend and rebuild them.

To get started with Asylo, developers just need to download the sources and pre-built container image from Google Container Registry. The container includes samples that developers can analyze to start building their code. A quick-start guide and documentation were also published. Asylo is also available on GitHub.

Ex-NSA Director's IronNet Raises $78 Million
4.5.2018 securityweek IT

IronNet Cybersecurity, a company founded by former NSA director Gen. Keith Alexander, announced on Wednesday that it has raised $78 million in a Series B funding round.

The latest funding round, which brings the total amount of money secured by the firm to over $110 million, was led by new investor C5 Capital, with participation from existing investors ForgePoint Capital and Kleiner Perkins.

IronNet plans on using the newly obtained funds to accelerate its efforts to advance the adoption of its products in the financial and healthcare sectors, and expand internationally in Europe, Asia and the Middle East.

The company announced that its IronDome collective defense system is currently used by nearly a half-dozen energy sector providers covering operating subsidiaries across more than two dozen states. The product provides automated and real-time sharing of threat data and analysis between participating energy companies.

IronNet’s IronDefense platform offers behavioral threat detection, visibility, and risk prioritization capabilities. The company says this product is currently used by organizations in the financial and energy sectors, including a major custodian bank, a prominent hedge fund, and various energy companies.

“This investment represents a clear endorsement of our core technology and strategy for defending nations and industries around the world,” said Gen. Alexander, who was also the founding commander of the U.S. Cyber Command. “We look forward to working closely with our new investors joining us in this funding round to continue to rapidly innovate and expand our efforts in this critically important national security arena.”

Regulus Cyber Aims to Secure Cars, Robots With $6.3 Million Funding
4.5.2018 securityweek IT

Regulus Cyber emerged from stealth mode this week with $6.3 million in funding and a solution designed to protect sensors, communications and data in autonomous cars and trucks, robots and drones.

Israel-based Regulus raised $1.2 million in seed funding and $5.1 million in Series A funding from Sierra Ventures, Canaan Partners Israel, Technion and F2 Capital.

The company, led by CEO Yonatan Zur and CTO Yoav Zangvil, offers a solution, named Pyramid, that aims to provide security and mission reliability for the various sensors used by autonomous vehicles, drones and robots, including GPS, cameras, lidar and radar.

Malicious or accidental interference with these sensors can have serious consequences – in the case of drones, for instance, hackers can make them fly off course and obtain the potentially sensitive data they collect.

Regulus’ solutions include both software and hardware designed to protect these sensors. The hardware provided by the firm typically weighs less than 2 ounces (50 grams).

For example, Pyramid CSM is a hardware module that can be connected to flight and robot controllers in order to protect command and control communications and mission data.


The Pyramid GPS SP device is designed to protect ships, cars and drones against GPS spoofing attacks.

Another module of the Pyramid suite is Pyramid RFM, which allows drones and robots to map radio frequencies (RF) in a certain area, helping their operators get a better understanding of their ability to operate in that location.

Finally, the Pyramid SVS (Sensor Validation System) should help protect the sensors in cars, robots and drones against smart physical hacks, which can be conducted more easily compared to remote attacks. Pyramid SVS combines external, independent sensors in an effort to identify and mitigate threats.

Pyramid SVS is expected to become available only next year, but the other modules should be released sometime in 2018, Regulus says on its website.

The company says it has already partnered with OEMs, tier 1 vendors, high-tech companies and government agencies in the automotive, aviation and telecoms sectors.

Mobile Phone Maker Settles With FTC Over Data Collection
4.5.2018 securityweek IT

Mobile phone maker BLU Products this week reached a settlement with the Federal Trade Commission (FTC) over allegations that software in its devices collected users’ personal information.

In November 2016, security firm Kryptowire revealed that a backdoor in various Android phone models sold in the United States, including BLU devices, sent personally identifiable information (PII) to third-party servers without informing users of the practice or asking for their consent.

The backdoor activities were performed via Shanghai ADUPS Technology Co. Ltd’s Firmware Over-The-Air (FOTA) update software system. Collected sensitive data included text messages, contact lists, call history (including full telephone numbers), the International Mobile Subscriber Identity (IMSI), and the International Mobile Equipment Identity (IMEI).

In July 2017, during a Black Hat presentation, Kryptowire revealed that the pre‐installed system apps from ADUPS could be used to target only “specific users and text messages matching remotely-defined keywords.”

Soon after, Amazon suspended sales of BLU phones citing security and privacy concerns. The retailer, however, resumed the sales only one week later.

At the time, BLU issued an official statement saying it hadn’t been aware of ADUPS’ practices and that it decided to replace the OTA application on future devices with Google's GOTA. Older devices, however, remained stuck with the ADUPS software.

Now, the FTC says a settlement was reached over allegations that BLU Products allowed ADUPS to “collect detailed personal information about consumers, such as text message contents and real-time location information, without their knowledge or consent despite promises by the company that it would keep such information secure and private.”

In its complaint (PDF), the FTC claims that BLU and its co-owner and President Samuel Ohev-Zion misled consumers by falsely saying that the third-party collection of data from BLU devices was limited to information needed to perform requested services. Furthermore, the Commission alleges that BLU falsely claimed it implemented the appropriate procedures to protect the personal information of users.

“As part of the settlement, BLU must implement a comprehensive data security program to help prevent unauthorized access of consumers’ personal information and address security risks related to BLU phones,” the FTC says.

The FTC complaint also alleges that the phone maker failed to implement the necessary mechanisms to oversee the security practices of its service providers. The company also failed to “perform appropriate due diligence of service providers,” failed to come up with written data security procedures regarding service providers, and failed to assess the privacy and security risks of third-party software installed on BLU devices.

This is what led to ADUPS collecting sensitive user data via BLU devices without consumers’ knowledge and consent, even though ADUPS did not need to perform the data collection as part of the contracted services. Moreover, the FTC claims, the ADUPS software preinstalled on BLU devices included common security vulnerabilities that could allow attackers to take over the smartphones.

“After reports about the unexpected collection and sharing by ADUPS became public in November 2016, BLU issued a statement informing consumers that ADUPS had updated its software and had stopped its unexpected data collection practices. Despite this, the FTC alleges that BLU continued to allow ADUPS to operate on its older devices without adequate oversight,” the Commission says.

Under the proposed settlement, BLU and Ohev-Zion are “prohibited from misrepresenting the extent to which they protect the privacy and security of personal information and must implement and maintain a comprehensive security program that addresses security risks associated with new and existing mobile devices and protects consumer information.”

Furthermore, BLU’s security program will be assessed by a third party every two years for 20 years. The mobile phone manufacturer will also be subject to record-keeping and compliance monitoring requirements.

Slack Releases Open Source Secure Development Lifecycle Tool
1.5.2018 securityweek IT

Team collaboration solutions provider Slack last week announced that one of the secure development lifecycle (SDL) tools used internally by the company has been released as open source.

The tool, named goSDL, is a PHP-based web application designed to give developers and project managers a list of questions and checklists that should help them improve the security of new software and features. It is meant to be used in the middle or near the end of a project.

After providing some general information about their project, developers using goSDL are instructed to answer some questions for an initial risk assessment. Among other things, developers are asked if they believe the involvement of the security team is necessary, and if their code adds new authentication features or changes existing security controls.

Once the initial assessment has been completed, goSDL requires developers to provide information about the components they are using, including web technologies, programming languages, and parsers. New components can be easily added to the questionnaire via JSON plugins.

Based on the responses provided in the previous phases, goSDL then generates security checklists that are relevant to the project. For tracking purposes, two JIRA tickets are created – one for the developer and one for the security team, so that each can track its own part of the review.
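The workflow just described (an initial risk assessment, a declaration of the components in use via JSON plugins, and a checklist tailored from both) is easy to illustrate in code. The following is an added example written for this page, not goSDL's own code or plugin format; the question names, plugin schema and checklist wording are constructed for illustration, and goSDL itself is a PHP application with its own schema on GitHub.

```python
"""Tailored security checklist generator, modelled on the goSDL workflow.

Illustrative only: the plugin schema, question names and checklist text are
constructed for this example and are NOT goSDL's own format.
"""
import json

# Constructed plugin definitions: one JSON document per component, each listing
# the checklist items that become relevant when a project uses that component.
PLUGIN_JSON = [
    json.dumps({"component": "web-framework", "items": [
        "Enable CSRF protection on all state-changing endpoints",
        "Set Content-Security-Policy and other security headers"]}),
    json.dumps({"component": "sql-database", "items": [
        "Use parameterised queries; never build SQL by string concatenation",
        "Grant the application account least-privilege database roles"]}),
    json.dumps({"component": "xml-parser", "items": [
        "Disable external entity resolution (XXE) in the parser configuration"]}),
]

# Constructed checklist items keyed to the initial risk-assessment answers.
RISK_ITEMS = {
    "adds_authentication": [
        "Store credentials with a memory-hard password hash (e.g. Argon2 or bcrypt)",
        "Rate-limit and log failed authentication attempts"],
    "changes_security_controls": [
        "Document the old and new control and get sign-off from the security team"],
    "handles_pii": [
        "Classify the data and confirm retention and deletion requirements"],
}


def load_plugins(plugin_docs):
    """Parse JSON plugin documents into {component: [items]}, rejecting malformed ones."""
    plugins = {}
    for doc in plugin_docs:
        data = json.loads(doc)
        if not isinstance(data.get("component"), str) or not isinstance(data.get("items"), list):
            raise ValueError("plugin must have a 'component' string and an 'items' list")
        plugins[data["component"]] = [str(item) for item in data["items"]]
    return plugins


def needs_security_review(answers):
    """Decide from the risk answers whether the security team must be involved."""
    return bool(answers.get("wants_security_team")
                or answers.get("adds_authentication")
                or answers.get("changes_security_controls"))


def build_checklist(answers, components, plugins):
    """Return the tailored checklist: risk-driven items first, then component items.

    Components with no plugin are reported separately so that nothing is
    silently skipped; only items relevant to the declared project are emitted.
    """
    items = []
    for question, checklist in RISK_ITEMS.items():
        if answers.get(question):
            items.extend(checklist)
    unknown = []
    for comp in components:
        if comp in plugins:
            items.extend(plugins[comp])
        else:
            unknown.append(comp)
    items = list(dict.fromkeys(items))  # de-duplicate, preserving order
    return {
        "review_required": needs_security_review(answers),
        "items": items,
        "unknown_components": unknown,
    }


if __name__ == "__main__":
    loaded = load_plugins(PLUGIN_JSON)
    answers = {"adds_authentication": True}           # constructed risk-assessment answers
    components = ["web-framework", "sql-database", "redis"]  # "redis" has no plugin here
    print(json.dumps(build_checklist(answers, components, loaded), indent=2))
```

Each of the two ticket owners in the text would receive the same `items` list; the `unknown_components` field is the part worth watching in practice, since a component nobody has written a plugin for is exactly the one whose risks go unreviewed.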

“The tool tailors the checklist to the developers’ specific needs, without providing unnecessary unrelated security requirements. Security experts can establish custom security guidance and requirements as checklist items for all developers,” Slack said. “This checklist is used as a guide and reference for building secure software. This encourages a security mindset among developers when working on a project and can be used to easily track the completion of security goals for that project.”

goSDL can be used with Atlassian’s Jira Enterprise issue tracker and the Trello project management application. The goSDL source code, along with usage instructions, can be found on GitHub.

“By open-sourcing goSDL, we hope to enable other growing organizations to scale their security. We also hope to learn from their experience; we welcome contributions to the tool, its modules, and its checklists, and are excited to see what pull requests will come in!” said Max Feldman of the Slack Product Security team.

Google Ramps Up Gmail Privacy Controls in Major Update
26.4.2018 securityweek IT

Google on Wednesday ramped up privacy controls in a Gmail overhaul, aiming first at businesses that use its suite of workplace tools hosted in the internet cloud.

The "all new" Gmail is available to the more than four million businesses that pay for G Suite services.

People who use the email service personally for free can opt in by making the choice in settings, vice president of product management David Thacker said in a blog post.

Revamped Gmail has "a brand new look on the web, advanced security features, new applications of Google's artificial intelligence and even more integrations with other G Suite apps," according to Thacker.

A confidential mode added to Gmail promises to let people sending messages set expiration dates and block them from being forwarded, copied, downloaded or printed.

Messages can be revoked after being sent, Thacker said.

Senders of mail can also require that a code delivered by text message be entered before an email can be viewed, in an added layer of security.

"Because you can require additional authentication via text message to view an email, it's also possible to protect data even if a recipient's email account has been hijacked while the message is active," Thacker said.

Confidential mode will begin to roll out to personal Gmail users and a limited number of G Suite customers in coming weeks, according to Google.

Artificial intelligence is being put to work in new Gmail features including "nudging" people to tend to neglected messages and automated reply suggestions along the lines of those added to a mobile version of the email service last year.

"Gmail can also recommend when to unsubscribe from mailing lists," Thacker said.

"Using intelligence, unsubscribe suggestions appear based on cues like how many emails you get from a sender and how many of them you actually read."

Google and rival technology titans such as Apple, Amazon, and Microsoft have followed people into the internet cloud with services, digital content, and software hosted online at data centers but accessed from the gamut of devices.

$35 Million Penalty for Not Telling Investors of Yahoo Hack
25.4.2018 securityweek IT

US securities regulators on Tuesday announced that Altaba will pay a $35 million penalty for not telling them hackers had stolen Yahoo's "crown jewels."

The 2014 breach blamed on Russian hackers affected hundreds of millions of Yahoo accounts, with stolen 'crown jewel' data including usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions, according to the Securities and Exchange Commission.

While Yahoo discovered the data breach quickly, it remained mum about it until more than two years later when it was being acquired by telecom giant Verizon Communications, the SEC case maintained.

"Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach," SEC San Francisco regional office director Jina Choi said in a release.

"Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors."

Although Yahoo is no longer an independent company -- its financial holdings are in a separate company now called Altaba -- Verizon has continued to operate the Yahoo brand, including its email service and a variety of news and entertainment websites.

Verizon's Oath subsidiary includes the Yahoo internet operations along with those of another former internet star, AOL.

In addition to the 2014 breach, a hack the previous year affected all three billion Yahoo user accounts, according to findings disclosed by Verizon after the acquisition.

The US Justice Department charged two Russian intelligence operatives and a pair of hackers over one of the attacks, which had apparent twin goals of espionage and financial gain.

Yahoo, which was once one of the leading internet firms, sold its main online operations to Verizon last year in a deal valued at $4.48 billion.

The purchase price was cut following revelations of the two major data breaches at Yahoo.

Clear Scope for Conflict Between Privacy Laws
24.4.18 securityweek IT

The Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, was enacted into U.S. federal law on March 23, 2018. It had been attached, at page 2212 of 2232 pages, to the omnibus spending bill, and allows law enforcement to demand access to data of concern wherever in the world that data is stored.

The General Data Protection Regulation, or GDPR, becomes European Law on May 25, 2018. It restricts companies that operate in Europe or process EU citizen data from transferring that data to third parties.

On the surface, there is clear scope for conflict between these two laws; but as always, it is more complex than that. The two key elements are, for CLOUD, section 2713; and for GDPR, article 48.

Section 2713 reads, "A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information relating to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside the United States."

Article 48 of GDPR states, "Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter."

It gets complicated because CLOUD specifically allows for 'international agreements', but not mutual legal assistance treaties (MLATs), which it does not mention at all. Indeed, the U.S. government has always complained that MLATs are too complex and slow to be of any value to a fast-moving investigation. The potential for conflict between CLOUD and GDPR consequently hinges on whether the U.S. and the EU sign an international agreement that satisfies both parties.

Opinions vary. While a UK - U.S. agreement already exists, the UK is leaving the EU. David Flint, senior partner at the MacRoberts law firm, comments, "In the new GDPR world and indeed a post Brexit world, it remains to be seen the extent to which other governments are able and willing to give up the privacy and human rights of their citizens on the altar of data sharing."

Other opinions are more optimistic that CLOUD will operate without disturbance from GDPR.

Dr Brian Bandey, a Doctor of Law specializing in international cyber laws, told SecurityWeek, "I believe it is generally accepted that the CLOUD Act... would meet the requirements of the GDPR’s Article 48. This addresses foreign (including U.S.) investigations and prohibits the transfer or disclosure of personal data unless pursuant to an MLAT or other international agreement. One possible resolution would be for the U.S. to enter into an agreement with the EU or for the EU to agree that the U.S. investigations and subsequent transfers or disclosures in compliance with the CLOUD Act procedures do not conflict with Article 48."

Alexander Hanff, a respected privacy expert and advocate, believes that CLOUD "completely undermines MLATs. MLATs are the correct instruments for this purpose, and if MLATs are proving too burdensome, that should be addressed directly -- circumventing MLATs is not the right answer." However, he points out that the European Commission (EC) seems to be coming into line with the U.S. by proposing something very similar to CLOUD, but for the European Union.

Last week, the EC issued a statement proposing new rules to make it easier and faster for police and judicial authorities to obtain electronic evidence. It states, "This will allow a judicial authority in one Member State to request electronic evidence (such as emails, text or messages in apps) directly from a service provider offering services in the Union and established or represented in another Member State, regardless of the location of data, which will be obliged to respond within 10 days, and within 6 hours in cases of emergency (as compared to 120 days for the existing European Investigation Order or 10 months for a Mutual Legal Assistance procedure)."

This is similar to the effect of CLOUD: European law enforcement will be able to demand access to data from U.S. companies operating in the EU. On this wording, that would include, for example, Microsoft or Facebook user data belonging to a U.S. citizen and stored on servers in the U.S. It too, but more explicitly than CLOUD, denigrates the effectiveness of MLATs. Under these circumstances, it is unlikely that there will be any difficulty in the EC and the U.S. coming to an international agreement for mutual access to data of interest to law enforcement.

The implication is that U.S. companies have nothing to worry about over CLOUD and GDPR. Provided they adhere to the basic demands of GDPR, they will be able to turn EU data over to the FBI without concern over GDPR. But again, it's not that simple. The greatest danger from CLOUD to trans-Atlantic privacy relations is only indirectly related to GDPR -- it is the effect of CLOUD on the Privacy Shield.

Privacy Shield is the agreement between the EU and the U.S. that allows U.S. companies to 'export' European PII -- which is a fundamental aspect of doing business with the EU. Privacy Shield replaces an earlier agreement (Safe Harbor) that was struck down by the European Court as being unconstitutional. That court also specifically told the national regulators that they could not be bound by an EC 'adequacy' ruling. In effect, while they will be guided by the EC, they do not simply have to accept that the Privacy Shield is 'adequate' to comply with EU law and the constitution.

Privacy Shield is being challenged, including by the same activist (Max Schrems) who ultimately took down Safe Harbor.

Hanff comments, "Whether or not CLOUD Act will interfere with Privacy Shield remains to be seen. Obviously there are concerns, but Privacy Shield has its own issues and will soon be challenged by EU regulators in the courts as well as being included in the case from the Irish High Court on Standard Contractual Clauses currently before the Court of Justice of the European Union. It is likely Privacy Shield will fall in that judgment."

The relevance of the CLOUD Act to Privacy Shield is similar to the relevance of PRISM to Safe Harbor -- its very existence could be cited as further proof that Privacy Shield is inadequate.

"I would argue," continues Hanff, "that it is already impossible for EU citizens to access and enforce their rights under Privacy Shield anyway, so CLOUD Act is just one more stack in that house of cards -- a house which is built on the 'swamp' and will inevitably fall."

"From the perspective of U.S. companies," he added, "they are stuck in a catch-22 situation; they cannot ignore legal requests from their own countries but in doing so they will not be able to respect the rights of EU citizens or arguably comply with EU law."

With good will between the U.S. administration and the European Commission, law enforcement access to overseas cloud data can be aligned. In both cases there are likely to be constitutional challenges and any arrangements will ultimately need to be ratified by the courts. But even before then, the very basis of trans-Atlantic trade may fail if the Privacy Shield is struck down by the European Courts.

CLOUD makes the Privacy Shield waters even muddier. "Is this the final nail in the Privacy Shield coffin?" asks lawyer David Flint. "Time will tell."

U.S. Energy Department Offers $25 Million for Cybersecurity Tech
16.4.2018 securityweek  IT

The United States Department of Energy (DOE) on Monday announced that it’s prepared to award up to $25 million for the research and development of technologies designed to protect the country’s energy infrastructure against cyber threats.

The funding opportunity announcement (FOA) comes from the Office of Electricity Delivery and Energy Reliability’s Cybersecurity for Energy Delivery Systems (CEDS) program and it seeks applications for researching, developing and demonstrating novel approaches to improving cyber-resilient energy delivery systems.

Specifically, the offer is for projects focusing on designing a cyber-resilient architecture for the electric and oil and natural gas (ONG) subsectors, security for the ONG environment, secure communications, secure cloud-based technologies in operational technology (OT) networks, and enhancing security in the energy sector.

Applicants must not only conduct research and develop the products, but also demonstrate them in an actual facility. Proposals, which must be submitted by June 18, must also include a strategy for transitioning from existing systems, either by commercializing the new solution or by making it open source.

“This FOA builds on DOE’s efforts with the private sector toward improving the security of the Nation's critical energy infrastructure, and reducing the risk of a cyber incident that could disrupt energy delivery,” the DOE said. “It will expand the development and adoption of energy technologies that will help ensure a more secure, resilient, and reliable electricity system.”

As of last year, the DOE said it had invested more than $270 million since 2010 in cybersecurity research, development and demonstration projects led by members of the industry, universities and the agency’s own National Laboratories.

In September 2017, the Energy Department announced its intention to invest $50 million in the research and development of tools and technologies that would make the country’s energy infrastructure more resilient and secure, including more than $20 million in cybersecurity.

Earlier this year, the DOE announced the creation of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) to help the organization efficiently coordinate preparedness and response to both manmade and natural threats.

Energy facilities in the United States and the Energy Department itself have often been targeted by malicious hackers in past years, although the attacks have not been as damaging as the ones that hit Iran, Saudi Arabia and Ukraine.

McAfee Expands Cloud Security Program
16.4.2018 securityweek  IT

At RSA Conference 2018 at San Francisco, CA, McAfee has announced two additions to its cloud security program, and published a new analysis of the corporate adoption of cloud services. The new services are centered on securing containers in the cloud, and adding consistent security to third-party cloud services. The analysis, Navigating a Cloudy Sky, surveyed 1,400 IT decision makers around the world, and interviewed several C-level executives.

Key findings from the survey (PDF) are that cloud adoption is continuing to grow, but the cloud-first strategy has slowed. Ninety-seven percent of organizations now use cloud services (either public, private, or both; up from 93% one year ago); but the adoption of a cloud first strategy has dropped from 82% last year to 65% this year.

It isn't immediately clear why the cloud first strategy has slowed, but it could partly be down to uncertainty about the EU's General Data Protection Regulation (GDPR) coming into effect in May 2018. While fewer than 10% of organizations expect to decrease their cloud investments because of GDPR, there are marked differences in the expected increases. Forty-nine percent of firms expect to increase their investment in private and hybrid cloud; but only 37% expect to increase investment in the public cloud (where they are likely to have less control of and visibility into their data).

A disparity between the growing use of containers and serverless computing in the cloud, and the secure use of those technologies is also apparent from the survey. Eighty percent of those surveyed are using or experimenting with these technologies, while only 66% have a security strategy for containers, and 65% have a security strategy for serverless computing.

McAfee is addressing this gap with its announcement that container security support will be included in its Cloud Workload Security (CWS) v5.1, which will be available before the end of Q2 2018.

"As enterprises turn to the cloud to transform themselves into a digital business and develop compelling experiences for their customers, they often overlook the security challenges involved in adopting a multi-cloud or hybrid-cloud environment," said Rajiv Gupta, SVP of the cloud security business unit. "McAfee Cloud Workload Security enables organizations to secure cloud workloads and containers across AWS, Azure, VMware, and their private cloud, addressing key security, compliance and governance requirements so that they can accelerate their business in the cloud."

This version will discover new Docker containers within five minutes of their deployment. It allows administrators to quarantine concerning workloads or containers using micro- and nano-segmentation with a single click, isolating threats and inhibiting their spread. It also offers enhanced threat monitoring and detection with AWS GuardDuty alerts available within the CWS dashboard; and includes policy compliance assessments to PCI, SOX, HIPAA and more to enable simple remediation.

McAfee has also, and separately, announced the McAfee CASB Connect Program. This is designed to allow customers to apply the same set of security policies across all their cloud applications. It is, says McAfee, the industry's first self-serve framework and accompanying program that enables any cloud service provider or partner to rapidly build lightweight API connectors to McAfee® Skyhigh Security Cloud within days, without writing a single line of code.

This works only if the cloud service is included in the 'McAfee CASB Connect Catalog'. Right now, there are just 12 entries in this catalog (out of some 20,000 different cloud services); but they include heavyweights such as O365, Box, Salesforce, Slack and Dropbox.

Gopi Krishna Boyinapalli, a senior product manager with McAfee's CASB, explains the problem being addressed in an associated blog: "Organizations not only need to enforce appropriate security controls for different cloud services, they also require a central control point to enforce the same set of security policies across their SaaS, PaaS, and IaaS deployments. In fact, Gartner predicts that, through 2020, 95% of cloud security failures will be the customer's fault. This has caused enterprises to look for ways to enforce additional security controls on their cloud solutions beyond what a cloud service provider offers natively."

Clearly, the Connect Catalog will need to expand before it is of serious value to the McAfee customer; but we can expect the company to react to customer requests for the inclusion of new cloud services, just as we can expect new and small, perhaps niche, cloud providers to seek inclusion to become more attractive to the existing McAfee cloud customer base.

In time, it should benefit both cloud service providers and cloud service consumers. The providers can minimize the cost and complexity of customizing their security controls to meet the data and security requirements of different customers; while consumers can more easily and rapidly adopt new cloud services without having to extend their security and compliance policies to every new service.

"One of the core tenets of our vision," explains Rajiv Gupta, SVP of the McAfee cloud security business unit, "is to make cloud the most secure environment for businesses. The McAfee CASB Connect Program framework enables every cloud service in the catalog to easily conform to the security needs of enterprises, thus minimizing the security barriers that hinder cloud adoption and allowing enterprises to confidently adopt cloud services to accelerate their business."

McAfee's cloud security business unit combines McAfee with the Skyhigh cloud access security broker that it acquired in January 2018. McAfee itself was spun out of Intel in April 2017. Intel had acquired McAfee for $7.68 billion in 2010.

Enterprise App Security Firm Onapsis Raises $31 Million
14.4.2018 securityweek IT

Application security firm Onapsis has raised $31 million through a Series C funding round led by new investor LLR Partners, the company announced Friday, bringing the total amount raised to $62 million.

Onapsis, which helps companies protect ERP systems and applications such as SAP and Oracle, says the funding will help support sales and marketing efforts as it expands in the application security market, and also support product development, threat research and scaling its channel and partner programs.

With more than 180 employees globally, the company says it currently has more than 200 Fortune 2000 companies as customers, and has achieved record year-over-year growth for five consecutive years.

Existing institutional investors .406 Ventures, Evolution Equity Partners and Arsenal Venture Partners, as well as David Stienes, Partner at LLR Partners, also participated in the funding round.

“Onapsis is helping to solve a multi-billion-dollar security and compliance problem, which is now becoming even more widespread with complex digital transformation and ERP cloud migration projects on almost all board room agendas. We are excited to partner with the Onapsis team and leverage our experience and expertise in cybersecurity to help them execute their vision,” said David Stienes, Partner at LLR Partners.

OPAQ Networks Raises $22.5 Million in Series B Funding
13.4.2018 securityweek IT

Northern Virginia-based network security cloud company OPAQ Networks on Wednesday announced that it has secured $22.5 million in a Series B funding round, bringing the total raised by the firm to date to $43.5 million.

The funding round was led by venture capital firm Greenspring Associates, with participation from previous investors Columbia Capital and Harmony Partners. Hunter Somerville, partner at Greenspring Associates, will join OPAQ’s board of directors.

The newly obtained funds will be used to accelerate growth and finance the company’s go-to-market initiatives for delivering its solutions to midsize enterprises.

“OPAQ Networks has redefined the security-as-a-service market. Its demonstrated progress to date and strategic acquisitions place the company in a position of real market leadership,” said Somerville. “OPAQ Networks joins an existing and prior portfolio of cyber security company investments like Proofpoint and Cloudflare. I look forward to working with the veteran security management team at OPAQ to continue to capitalize on this large and rapidly growing market opportunity.”

OPAQ’s cloud platform provides a fully encrypted private network backbone, along with continuous monitoring, firewall, compliance reporting, DDoS mitigation, microsegmentation, and automated security management capabilities. These capabilities, provided by third parties and OPAQ’s own technology, are managed from a centralized dashboard.

Last year, OPAQ acquired Drawbridge Networks for $10 million and last month it bought business intelligence firm FourV Systems for an undisclosed sum.

Palo Alto Networks Acquires Incident Response Firm Secdo
12.4.2018 securityweek IT

Palo Alto Networks this week announced that it has entered a definitive agreement to acquire Israel-based incident response firm Secdo. Financial terms of the deal have not been disclosed, but some reports say Palo Alto is prepared to pay $100 million.

According to Palo Alto Networks, endpoint detection and response (EDR) capabilities obtained as a result of the Secdo acquisition will be used to improve the Palo Alto Networks Traps endpoint protection product and the Application Framework.

Secdo’s collection and visualization system will feed rich data to Palo Alto’s Logging Service in order to give applications running on the Application Framework greater precision, the companies said.

Secdo has raised a total of $11 million since it was founded in 2014 by security experts from Israel’s famous 8200 intelligence unit.

Israeli media claims to have learned from sources close to Secdo that Palo Alto Networks has agreed to pay $100 million, mostly in cash.

“We believe security operations teams need the most advanced and consistent approach to endpoint security. With Secdo’s EDR capabilities as part of our platform, we will accelerate our ability to detect and prevent successful cyberattacks across cloud, endpoint, and the network,” said Mark McLaughlin, chairman and CEO of Palo Alto Networks.

Palo Alto Networks expects to complete the acquisition in the third fiscal quarter.

Carbon Black Prepares for $100 Million IPO
12.4.2018 securityweek IT

Endpoint security solutions provider Carbon Black this week announced that it has filed an S-1 registration statement with the U.S. Securities and Exchange Commission (SEC) for a proposed initial public offering (IPO) of its common stock.

Waltham, Massachusetts-based Carbon Black says it’s looking to raise $100 million in the IPO. The company’s stock will be traded on NASDAQ under the ticker symbol CBLK.

Rumors of a Carbon Black IPO have been circulating for years, with some reports saying that the company filed confidentially for an IPO back in 2016.

Carbon Black has raised more than $191 million in over a dozen funding rounds since it was founded in 2002. The company was initially called Bit9, but in 2016, two years after a merger with Carbon Black, it became Carbon Black. The list of Carbon Black acquisitions includes Objective Logistics, VisiTrend, and Confer Technologies.

In its SEC filing, Carbon Black says it has more than 3,700 global customers, including some of the world’s largest security-focused government agencies and enterprises. These customers are served by more than 900 employees.

The company says it has experienced strong revenue growth in the past years, increasing from $70.6 million in 2015 to $116.2 million in 2016 and $162 million in 2017. However, losses have also increased, from $38.7 million in 2015 to $55.8 million in 2017, which the company has blamed on its continued investment in growth.

Carbon Black’s endpoint security solutions include application control, endpoint detection and response (EDR), and next-generation antivirus capabilities. Competitors named by the company in its SEC filing are McAfee, Symantec, Cisco, FireEye, Palo Alto Networks, Cylance, CrowdStrike, and Tanium.

The first cybersecurity firm to go public in 2018 was Zscaler, which started with an IPO price of $16 per share and closed the first day of trading at $33 per share. The company was hoping to raise $110 million, but ended up making nearly double that amount. The company’s stock currently trades at roughly $28.

Another cybersecurity company that went public recently is ForeScout Technologies, which raised $116 million in October in its IPO.

Financial experts have named several firms that could file for an IPO this year, including Illumio, Cloudflare, Tanium, AlienVault, Centrify and ForgeRock.

Czech Antivirus Targets London's Biggest Tech Float
12.4.2018 securityweek IT

Czech antivirus software maker Avast announced Thursday that it will float on the London stock market next month in the British capital's biggest ever technology IPO.

"Avast ... today announces that it intends to proceed with an initial public offering" in London, it said in a statement, adding that it was expected to occur in early May.

Prague-based Avast, one of the world's biggest online security software companies, will seek to float at least 25 percent of its share capital.

The IPO could value it at $4.0 billion (3.2 billion euros), according to the Financial Times.

"Over the past thirty years, Avast has grown from a visionary start-up to the number one consumer cybersecurity company," said Avast chief executive Vincent Steckler.

"This transformation of our company has happened because of the dramatic increase in the number and types of threats around the world which are a growing concern to people, and Avast's ability to stay ahead of the bad guys with new and evolving technologies and products."

The group is well positioned to take advantage of an expanding consumer cybersecurity market, which Steckler said was forecast to grow 10 percent annually and reach $21 billion by 2021.

Avast is 46-percent owned by its founders, while investment company CVC has a 29-percent stake.

The group, which has more than 435 million users around the world, has a workforce of 1,700 people and generated sales of $653 million in 2017. Avast purchased Dutch rival AVG Technologies in 2016.

Container Security Firm StackRox Raises $25 Million
12.4.2018 securityweek IT

Container security firm StackRox announced this week that it has secured $25 million in a Series B funding round, bringing the total raised to date by the company to more than $39 million.

The funding round was led by Redpoint Ventures with participation from previous investors Sequoia Capital and Amplify Partners. The new funds will be used to accelerate product development and support expanded go-to-market programs, which includes hiring new marketing and sales executives.

TJ Cooley, who served in senior positions at Tanium, VMware and Citrix, has joined StackRox as vice president of sales. Michelle McLean, who previously held senior marketing roles at ScaleArc, Silver Spring Networks, ConSentry Networks, Peribit Networks, and Trapeze Networks, has been named the company's first vice president of marketing.

Based in Mountain View, California, StackRox provides solutions that help enterprises secure cloud-native applications running on container technologies such as Docker and Kubernetes. The company’s flagship product, StackRox Detect and Respond, is designed to monitor activities at runtime, identify attack tactics, and neutralize threats. Improved performance and detection capabilities have now been added to the solution, the startup said.

Next week at the RSA Conference, the company will announce the general availability of its second product, Prevent, which helps minimize the attack surface, centralize governance, and prioritize risks.

StackRox says it works with a number of research and government organizations in an effort to understand threats to containers. The company claims its customers include government agencies and Global 2000 firms in the finance, tech and media sectors, including the DHS and City National Bank.

Companies specializing in securing containers have raised significant amounts of money in the past few years. Aqua Security has raised a total of $38 million, Twistlock secured $30 million, NeuVector raised $7 million, Capsule8 raised $8.5 million, and Tigera received $23 million.

Karamba Security Raises $10 Million for Inorganic Growth
11.4.2018 securityweek IT

Karamba Security, a firm that specializes in cybersecurity solutions for autonomous and connected cars, on Tuesday announced that it has raised another $10 million, bringing the total raised to date to $27 million.

The latest funding round was led by Silicon Valley-based venture debt firm Western Technology Investment (WTI), which claims to have provided more than $5 billion of growth capital to companies in the past 38 years.

Karamba plans on using the newly obtained funds for inorganic growth, specifically to acquire companies and technology that will help accelerate the progress of its portfolio. The money will also be used to address the growing demand for its products, the firm said.

“Our ongoing operations are well funded from the previous $17 million raised last year. This new funding provides a line of capital we can use as needed for inorganic growth to expand Karamba's solutions suite across the rapidly evolving automotive landscape,” said Karamba CEO Ami Dotan.

Since its launch in April 2016, Karamba Security says it has engaged with 17 automotive OEMs and tier-1 suppliers to help them secure their products. The company’s technology has been integrated with ARM, Intel, PowerPC, and Infineon chips, along with QNX, Linux and various RTOS and AUTOSAR platforms on the operating system level.

Apple Plans to Replace Intel Chips in Macs with its Custom Designed CPUs
8.4.2018 thehackernews IT

In a major blow to Intel, Apple is reportedly planning to use its custom-designed ARM chips in Mac computers starting as early as 2020, ultimately replacing the Intel processors running on its desktop and laptop hardware.
The company makes its own A-series custom chips for iPhones, iPads and other iThings, while the Mac devices use Intel x64 silicon. Now according to a report from Bloomberg, Apple plans to replace Intel's Mac chips with its own homegrown CPUs.

The report says Apple executives have a project, codenamed "Kalamata," that designs desktop-grade Arm-compatible processors, along with a macOS port, allowing the company to craft a uniform architecture across all of its product lines.
The report also says this changeover would be part of a "multi-step transition" to make iOS devices and Macs "work more similarly and seamlessly together," helping Apple's plan (project codename 'Marzipan') to bring iOS apps to Mac for software cross-compatibility.
The changeover likely comes in the wake of recent high-profile security issues around Intel chip architecture and chips from other manufacturers. It is similar to the approach Apple has taken in the past by switching to PowerPC architecture in 1991 and to Intel in 2006.
With the changeover, Apple would not have to share 5% of its annual revenue with Intel and pay for exclusive deals to offer high-end processors first to its customers, and competitors would not be able to copy innovations so easily.
Switching to its own chips would also allow the company to control its own hardware roadmap better, and offer better performance to its users.

Bloomberg also notes that the revised Mac Pro laptops arriving next year will include an Apple-developed chip, and other Mac laptops will also receive Apple-developed chips this year.
Soon after the Bloomberg report was published, Intel’s stock price took a hit and dropped by 9.2 percent, the biggest intraday drop in over two years. Shares were down 6.07 percent at $48.92 at the time of writing.
Rumors of Apple ditching Intel and switching to its own custom silicon have been circulating for a decade. Last September, a report also claimed Apple was looking to cut back on its reliance on Intel, but nothing of that sort happened.
Neither Apple nor Intel has yet responded to the report.

RSA to Acquire Behavioral Analytics Firm Fortscale
7.4.2018 securityweek IT

RSA on Thursday announced that it has entered an agreement to acquire Fortscale, a company that provides behavioral analytics solutions. Financial terms of the deal have not been disclosed.

Fortscale’s technology is designed to identify threats using a combination of predictive, big data analytics and machine learning. It automatically identifies deviations from normal behavior and warns security teams of potential risks, such as shared user credentials, remote access anomalies, and abuse of privileged user accounts.

As a result of the acquisition, RSA wants to provide customers new user and entity behavioral analytics (UEBA) capabilities through its NetWitness Platform.

“RSA NetWitness UEBA directly addresses and overcomes obstacles that standalone solutions have encountered due to their high cost and high touch requirements,” said Idan Tendler, CEO and co-founder of Fortscale. “RSA NetWitness UEBA requires minimal customization and no manual tuning. It is designed to detect unknown threats and to address malicious behavior in which exploits have received elevated permissions.”

Since its launch in 2013, Fortscale has raised a total of $23 million, including $7 million roughly one year ago.

RSA also announced a new version of its NetWitness Platform. Version 11.1 includes not only UEBA Essentials, but also Endpoint Insights, which helps organizations manage endpoints, and Dynamic Log Visibility, which uses dynamic parsing technology to provide instant access to log data.

Later this month, RSA will also make available NetWitness Orchestrator, a product powered by Demisto that should make it easier for security teams to investigate incidents. The NetWitness Orchestrator suggests analyst assignments, enhances playbooks, and identifies the best course of action for investigations, RSA said.

WAF Security Startup Threat X Raises $8.2 Million
5.4.2018 securityweek IT

Cybersecurity startup Threat X, which offers cloud-based web application firewall (WAF) solutions, today announced that it has closed an $8.2 million Series A funding round.

The Denver, Colorado-based company says the new funding will be used to fuel growth and support adoption of its WAF technology and managed security services.

The company explains that its SaaS-based solution “employs kill-chain based, progressive profiling to identify and neutralize threats."

“Our goal is to help organizations protect their applications with a SaaS based web application firewall that provides a holistic view of every attack, the techniques being utilized, and target vulnerabilities,” Bret Settle, Founder and CEO of Threat X, said. “Our behavioral profiling and correlation engine analyzes each attack and eliminates false positives by grading risk level and progress throughout the ‘kill-chain’. Our customers can also leverage our deep analytics and expert security team for greater threat intelligence and visibility into preventative measures.”

The funding round was co-led by Grotech Ventures and Access Venture Partners.

Project Kalamata – Apple will replace Intel processors in Macs with its custom designed chips
3.4.2018 securityaffairs IT

In the wake of the discovery of severe flaws in Intel chips, the so-called Meltdown and Spectre vulnerabilities, Apple announced it plans to use custom-designed ARM chips in Mac computers starting as early as 2020.
The move aims to replace the Intel processors running on its desktop and laptop systems, as the company has already done with its own A-series custom chips used in iPhones and iPads.

“Apple Inc. is planning to use its own chips in Mac computers beginning as early as 2020, replacing processors from Intel Corp., according to people familiar with the plans.” states a report published by Bloomberg.

“The initiative, code named Kalamata, is still in the early developmental stages, but comes as part of a larger strategy to make all of Apple’s devices — including Macs, iPhones, and iPads — work more similarly and seamlessly together, said the people, who asked not to be identified discussing private information.”
According to Bloomberg, Apple’s initiative, codenamed ‘Kalamata’, was launched with the primary goal of having a uniform architecture across all of its products.

According to Bloomberg, the move is part of a larger initiative internally dubbed Marzipan to make Macs work more like iPhones and make iOS apps interoperable on Apple devices.

Currently, Apple shares 5% of its annual revenue with Intel and pays for exclusive deals to offer new processors to its customers first; the changeover would allow the company to improve the performance of its systems and keep its projects secret.

According to Bloomberg, the new models of Mac Pro laptops arriving next year will include a chip designed by Apple. After the publication of the Bloomberg report, Intel’s stock price took a hit and dropped by 9.2 percent.

“Apple plans to add that chip to a new version of its Mac Pro, to be released by next year, and new Mac laptops this year, according to a person familiar with the matter.” added Bloomberg.

“Intel shares dropped as much as 9.2 percent, the biggest intraday drop in more than two years, on the news. They were down 6.4 percent at $48.75 at 3:30 p.m. in New York.”

Neither company, Apple nor Intel, has yet commented on the Bloomberg report.

VMware Acquires Threat Detection and Response Firm E8 Security
31.3.2018 securityweek IT

VMware announced this week that it has acquired threat detection and response company E8 Security, whose technology will be used to improve the Workspace ONE digital workspace platform. This is the third acquisition made by VMware in less than two months.

California-based E8 Security emerged from stealth mode in March 2015 and it has raised a total of nearly $22 million – more than $23 million if you count seed funding.

E8 Security has developed a platform that helps organizations detect malicious activity by monitoring user and device behavior. The product also improves incident response by providing the data needed to analyze threats.

VMware plans on using E8 Security’s technology to improve its Workspace ONE product, specifically a recently announced intelligence feature that provides actionable information and recommendations, and automation for remediation tasks.

“By adding E8 Security’s user and entity behavior analytics capabilities to insights from VMware Workspace ONE Intelligence, our customers will be able to streamline management, remediation, and automation to improve the employee experience and the security of their digital workspace,” explained Sumit Dhawan, senior vice president and general manager of VMware’s End-User Computing (EUC) business.

VMware announced in February the acquisition of CloudCoreo, a Seattle-based cloud security startup launched less than two years ago. The company has created a product that allows organizations to identify public cloud risks and continuously monitor cloud infrastructure to ensure that applications and data are safe.

The virtualization giant plans on using the CloudCoreo technology and team to help customers secure their applications in the cloud.

Also in February, VMware announced its intent to buy CloudVelox, a company that specializes in providing workload mobility between the data center and public clouds. CloudVelox’s solutions also include data, system and application security capabilities.

Financial terms have not been disclosed for these recent acquisitions.

Under Armour Says 150 Million Affected in Data Breach
30.3.2018 securityweek IT

Sports gear maker Under Armour said Thursday its fitness application was hacked in a data breach affecting some 150 million user accounts.

The Baltimore, Maryland-based company said it had contacted law enforcement and outside consultants after learning of the breach.

Under Armour said it learned on March 25 of the breach of its MyFitnessPal application, which enables users to track activity and calorie intake using a smartphone.

It said an unauthorized party obtained usernames, email addresses, and "hashed" passwords, which are harder for a hacker to recover than plaintext ones.

The hack did not affect social security numbers, driver's licenses or credit card data, according to the company.

"The company's investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue," a statement said.

Users were being notified by email and messaging to update settings to protect account information.

The attack is the latest affecting companies with large user bases such as Yahoo, retailer Target and credit reporting agency Equifax.

Virsec Raises $24 Million in Series B Funding
21.3.2018 securityweek IT

Virsec, a cybersecurity company that protects applications from various attacks, today announced that it has closed a $24 million Series B funding round led by tech investment firm BlueIO.

This latest funding round brings the total amount raised to-date by the company to $32 million. The company previously raised $1 million in seed funding and $7 million in a Series A funding round.

Virsec explains that its technology can protect applications by protecting processes in memory and pinpointing attacks in real-time, within any application. In more detail, the company explains that its Trusted Execution technology “maps acceptable application execution, and instantly detects deviations caused by attacks.”

“The battleground has shifted in cybersecurity and the industry is not keeping up,” said Atiq Raza, CEO of San Jose, California-based Virsec. “With our deep understanding of process memory, control flow, and application context, we have developed a revolutionary solution that stops attacks in their tracks, where businesses are most vulnerable – within applications and processes.”

Additional investors participating in the round include Artiman Ventures, Amity Ventures, Raj Singh, and Boston Seed Capital.

Fraud Prevention Firm Sift Science Raises $53 Million
21.3.2018 securityweek IT

Fraud prevention and risk management solutions provider Sift Science today announced that it has closed a $53 million Series D funding round, bringing the total raised to date by the company to $107 million.

The latest funding round was led by New York-based growth equity firm Stripes Group, with participation from SPINS, Remitly, Flatiron Health, Udemy, GrubHub, and previous investors Union Square Ventures, Insight Venture Partners, and Spark Capital.

Sift Science plans on using the newly acquired funds to expand its global footprint in the fraud detection and prevention market, which is estimated to reach roughly $42 billion by 2022.

Sift’s Digital Trust Platform relies on machine learning to protect businesses against fraud and abuse, including payment fraud, fake accounts, account hijacking, and abusive user-generated content.

The platform uses data from thousands of websites and apps to identify fraud patterns based on connections between users, behaviors, locations, devices and more. Sift says its customers include Airbnb, Twitter, Twilio, Shutterstock, Yelp, Wayfair and Jet.

“We believe Sift is uniquely positioned to leverage its best-in-class software platform and data network to fundamentally reshape the way businesses and consumers interact online – with more confidence, transparency and security. We are thrilled to be partnering with Sift as it accelerates its already exceptional growth trajectory,” said Ron Shah, partner at Stripes Group.

Uber Self-Driving Car struck and killed a woman in Tempe, Arizona
21.3.2018 securityaffairs IT
An Uber self-driving car has struck and killed a woman pedestrian in Tempe, Arizona. The incident raises questions about the safety and security of this kind of vehicle.
This is a sad page in the story of technology's evolution.

The news was confirmed by the company; this is the first incident of this type.

Our hearts go out to the victim’s family. We’re fully cooperating with @TempePolice and local authorities as they investigate this incident.

— Uber Comms (@Uber_Comms) March 19, 2018

According to the media, the accident occurred while the car, a Volvo XC90 SUV, was in the self-driving mode.

“Tempe police are investigating a deadly crash involving a self-driving Uber vehicle overnight. The Uber vehicle was reportedly headed northbound when a woman walking outside of the crosswalk was struck.” states the TV station ABC15.

“Tempe Police says the vehicle was in autonomous mode at the time of the crash and the vehicle operator, 44-year-old Rafaela Vasquez, was also behind the wheel. No passengers were in the vehicle at the time. “

The victim, Elaine Herzberg (49), was struck by the Uber self-driving car while she was crossing the street outside of a crosswalk.

The woman was transported to the hospital, where she died.


The company immediately suspended its service, and all of its self-driving cars in the US will be halted. Below is the message sent by the Uber CEO.

Some incredibly sad news out of Arizona. We’re thinking of the victim’s family as we work with local law enforcement to understand what happened. https://t.co/cwTCVJjEuz

— dara khosrowshahi (@dkhos) March 19, 2018

Uber launched the self-driving program in 2015; since then its vehicles have been operating in many US cities, including Phoenix, Pittsburgh, San Francisco, and Toronto.

The tests in Tempe, Arizona started in February 2017.

The National Transportation Safety Board announced an investigation and sent a team to the place of the accident.

NTSB sending team to investigate Uber crash in Tempe, Arizona. More to come.

— NTSB_Newsroom (@NTSB_Newsroom) March 19, 2018

The company suspended its self-driving program and withdrew all autonomous cars from US roads.

Even if this was an accident, we cannot forget the safety and security aspects of automotive systems. Are we really ready to put self-driving cars on the road?

When such vehicles crowd our cities, the risks will be high and the cybersecurity aspects will be crucial.

California Bill Seeks to Adopt Strict Net Neutrality Despite FCC Ruling
19.3.2018 securityweek IT

As Americans wait to see whether net neutrality can gain enough support among lawmakers to invoke disapproval via the Congressional Review Act, individual states are not waiting -- several are working on state laws to maintain net neutrality within their own borders.

In December 2017, under the chairmanship of Ajit Pai, the FCC voted 3-2 to remove net neutrality protections by rolling back its earlier Obama-era classification of ISPs as telecommunications service providers (and therefore under FCC purview) to the common carriers as they had been previously classified. This has now happened. It simply means that existing FCC rules can no longer be applied to ISPs because they are not telecommunications services. This ruling won't come into effect until April 23; that is, 60 days after publication of the ruling in the Federal Register.

In the meantime, California has now joined the number of states attempting to preserve local net neutrality regardless of federal preferences. California state senator Scott Wiener has introduced SB 822, a comprehensive proposal that would prevent ISPs from blocking websites, throttling users' services or introducing paid priority services within California. In some ways this new bill imposes even stricter net neutrality than that being dismantled by the FCC, by, for example, imposing conditions on the practice of 'zero rating'.

Coincidentally, the communications regulator in the UK, OFCOM, this month announced investigations into service providers Vodafone and Three. Vodafone operates a zero rating option called Vodafone Passes. "Our Passes allow customers to access their favorite content without fear of running out of data or attracting out-of-bundle charges," says a Vodafone statement. "They are open to any content provider of video, music, chat and social. Twenty-two content providers have signed up so far, ensuring Vodafone customers can enjoy the widest selection of worry-free access to content across the industry."

Opponents of net neutrality claim this is good for the consumer, effectively providing free bandwidth to the user. Proponents suggest it can starve new and smaller websites of the visitors they need.

In the U.S., AT&T offers a sponsored data program that is similarly zero rated on data usage. It seems, however, that the only services actually zero rated are owned by AT&T -- such as DirecTV. This gives DirecTV a huge advantage over rival services such as Hulu and Sling, since potential customers are more likely to use the service that has a zero data cost to them.

This is the whole net neutrality argument writ small. Large, established organizations can afford to starve new innovative organizations of internet traffic by paying a premium to the service providers; and will always -- in a completely free market -- be able to buy more of the available bandwidth.

Knock-on concerns are that in order to guarantee bandwidth availability to the large premium-paying customers, it might be necessary to rein back availability to ordinary users -- and in order to encourage those ordinary users to pay more for their bandwidth, there will be a temptation for providers to throttle what is already available.

The difficulty in policing net neutrality is that lawmakers recognize that some lee-way for 'throttling' (in the form of traffic management) will always be necessary. Europe's net neutrality laws require that any such traffic management must be 'transparent, non-discriminatory and proportionate'.

OFCOM has promised an update of its investigation into Vodafone in June, and it's not possible to predict the outcome. Vodafone claims that its Passes service does not generate any bandwidth throttling, and indeed guarantees full service to the consumer. This may be true with just 22 signed up content providers; but may not necessarily be true with 200 signed up content providers.

In California, Senator Wiener's proposal solves this problem, not by banning zero-rating outright, but by allowing it only for whole classes of content provider. In the AT&T example, AT&T could continue to zero-rate DirecTV only if it also zero-rates all similar content providers including Hulu and Sling.

Without doubt, SB 822 is one of the strongest net neutrality bills yet seen; and it will undoubtedly be disliked by the ISPs. Jamie Davies, writing in Telecoms.com, considers net neutrality to be a heavy-handed approach to bandwidth problems. "The telcos have to be given the opportunity to make money," he writes. "If the telcos are making less money, they are spending less on tackling the increased consumption of data. This is a net loss in the long-run and we do not think this is a nuance of the argument which has been considered by Wiener and his army of preachers."

SB 822 may never happen. It may not be necessary if the Congressional Review Act can be used to overturn the FCC decision; or it may fail to get enough votes in California. Ironically, however, the FCC won't be able to stop it. Back in December, the FCC barred states from adopting their own net neutrality rules -- however, it will not be able to enforce its own rule.

"While the FCC's 2017 Order explicitly bans states from adopting their own net neutrality laws," writes Barbara van Schewick, Professor of Law at Stanford Law School, "that preemption is invalid. According to case law, an agency that does not have the power to regulate does not have the power to preempt. That means the FCC can only prevent the states from adopting net neutrality protections if the FCC has authority to adopt net neutrality protections itself."

Palo Alto Networks to Acquire CIA-Backed Cloud Security Firm Evident.io for $300 Million
15.3.2018 securityweek IT

Network security firm Palo Alto Networks (NYSE: PANW) on Wednesday said that it has agreed to acquire cloud security and compliance firm Evident.io for $300 million in cash.

Palo Alto Networks currently has several security offerings that cater to cloud environments, including its VM-Series virtualized next-generation firewalls, API-based security for public cloud services infrastructure, and Traps for host-based security.

Pleasanton, Calif.-based Evident.io’s flagship Evident Security Platform (ESP) helps customers reduce cloud security risk by minimizing the attack surface and improving overall security posture. ESP can continuously monitor AWS and Microsoft Azure deployments, identify and assess security risks, provide security teams with remediation guidance, along with providing security auditing and compliance reporting by analyzing configurations of services and account settings against security and compliance controls.

“Once integrated with the Palo Alto Networks cloud security offering, customers will be able to use a single approach to continuous monitoring, comprehensive storage security, and compliance validation and reporting,” explained Tim Prendergast, CEO & Co-Founder of Evident.io.

Evident.io is backed by Bain Capital Ventures, True Ventures, Venrock, Google Ventures, and In-Q-Tel, the not-for-profit venture capital arm of the CIA.

The acquisition is expected to close during Palo Alto Networks fiscal third quarter, subject to satisfaction of customary closing conditions.

Evident.io's co-founders, Tim Prendergast and Justin Lundy, will join Palo Alto Networks.

Cyber-Attack Prevention Firm Solebit Raises $11 Million
14.3.2018 securityweek IT

Tel Aviv-based cyber-attack prevention firm Solebit Labs, currently establishing new global headquarters in Silicon Valley, has announced completion of an $11 million Series A funding round led by ClearSky Security.

Solebit was founded in 2014 by Boris Vaynberg, Meni Farjon, and Yossi Sara -- all of whom graduated from Israel's IDF technology units. The funding announced today will be used to accelerate adoption and deployment of the SoleGATE Security Platform from the new headquarters in Silicon Valley.

SoleGATE is an attack prevention system that can be used as a replacement or alternative to traditional endpoint protection systems. Such systems typically rely on either malware signatures or malware behavioral analysis engines -- with or without the benefit of machine learning AI algorithms -- to detect malware; and both of these approaches can be evaded by zero-day fileless attacks.

SoleGATE is an attack prevention system that uses neither signatures nor behavioral analysis to detect malicious code before it enters the network. Instead, it creates a logical 'no code zone' that inspects every data stream for executable code, no matter how encrypted or hidden. By inspecting every data stream, malicious code has nowhere to hide, and cannot evade detection. Solebit claims that it has a false positive rate of less than 0.002%.

“Attackers still possess the edge, particularly in zero-day attacks, despite considerable security investment,” said Vaynberg, CEO of Solebit. “DvC (Solebit's patent-pending inspection engine) assumes that there is no legitimate reason for executable code to be present in any data file. DvC also accurately identifies and blocks malicious active content using advanced flow analysis, de-obfuscation techniques and deep content evaluation, to reveal threat intent within any data file covering machine, operating system and application levels, thereby rendering such sandbox-evading malware harmless to the enterprise.”

SoleGATE is a virtual appliance that can analyze data streams at high speed. For large companies, "SoleGATE supports both vertical and horizontal scaling," Vaynberg told SecurityWeek. "Each SoleGATE virtual appliance can scan many files concurrently (based on number of CPU cores dedicated to the virtual appliance) and customers can use multiple SoleGATE instances working in Active-Active mode."

The technology is closer in concept to Content Disarm and Reconstruct (CDR) solutions than it is to standard malware detection products -- but still has fundamental differences. "The SoleGATE DvC engine analyzes the binary content of each scanned file and reaches a conclusive verdict regarding the file, whether it is malicious or not. It covers a wide range of file formats, does not change anything in the scanned file and, of course, there is no effect on user experience," explained Vaynberg.

"CDR, however, is reconstructing the file, assuming that reconstruction will remove any malicious payload. This technology is generally limited in the number of supported file formats, and it can affect user experience since it is actually altering the file the user receives."

SoleGATE does not create signatures for files or malicious behavior -- all data streams are inspected as if never before seen. Nor does it share or export any data from the customer's environment -- eliminating, for example, the sequence of events that triggered Kaspersky Labs' issues with the US government. In that instance, it is thought that files exported from an NSA contractor's home computer for Kaspersky malware analysis somehow alerted Russian intelligence services to the presence and location of those sensitive files; which were later obtained by hacking the contractor's computer.

SoleGATE does, however, provide IoCs to the customer, "in order," said Vaynberg, "to leverage the customer's entire security stack based on SoleGATE's unique detection." He added, "SoleGATE also supports malicious links detection and prevention. It provides customers with prevention against links that lead to malicious web pages or malicious files to be downloaded from the web. A phishing web page that seeks to socially engineer user credentials will be supported later."

"Solebit provides the most effective, real-time, and accurate cyber-attack prevention platform that is incredibly simple to use, integrate and manage,” said Peter Kuper, Managing Director, ClearSky Security. “As organizations struggle to better manage risk against unknown threats, Solebit is ideally positioned to be a trusted partner to both enterprise and large-scale security vendors as they contend with ever increasingly sophisticated attackers."

Trump Blocks Broadcom's Bid to Buy Qualcomm
13.3.2018 securityweek IT

US President Donald Trump blocked Monday an unsolicited bid by Singapore-based Broadcom to take over smartphone chipmaker Qualcomm, citing national security concerns.

Trump issued an order barring the proposed mega-acquisition, saying there is credible evidence such a deal "threatens to impair the national security of the United States," according to a White House statement.

The order came despite Broadcom's assurances that it would complete its move to the United States by early April, ahead of a planned Qualcomm shareholder vote on the $117 billion deal -- a redomiciling that, in Broadcom's view, rendered any national security concerns moot.

"Broadcom strongly disagrees that its proposed acquisition of Qualcomm raises any national security concerns," the company said, adding that it was reviewing the order.


The Treasury Department said in a letter over the weekend that Broadcom had violated a Committee on Foreign Investment in the United States order on three separate occasions by failing to give advance notice before taking actions such as filing takeover-related securities filings in the United States.

A CFIUS investigation of the proposed acquisition so far has "confirmed" national security concerns earlier identified by US officials, according to the letter.

Trump ordered Broadcom and Qualcomm to "immediately and permanently abandon the proposed takeover."

The rival chip giants were told to notify CFIUS in writing that all aspects of the order had been followed.

"This deal was a bad idea from the start," said analyst Patrick Moorhead of Moor Insights and Strategy.

Broadcom shares closed the trading day up 3.5 percent at $262.84 and gained slightly more in after-market trades.

Qualcomm shares sank 4.4 percent to $60.04 in after-market trades.

- Battling boards -

Qualcomm has been maneuvering for weeks to rebuff Broadcom's unwanted advances, and had asked CFIUS to look into national security implications of a merger.

Concern over China's potential influence, and rising US protectionist sentiment, hangs over an effort by California-based Qualcomm to repel a Singaporean firm's hostile takeover bid.

Qualcomm rejected multiple Broadcom offers during weeks of parries and thrusts between the two firms since the proposed deal emerged in November.

The company, which makes most of the world's microprocessors for smartphones, postponed until April 5 an annual shareholders' meeting after secretly requesting a national security review of Broadcom's bid.

CFIUS noted that a Broadcom-Qualcomm merger could weaken Qualcomm's leadership in the field.

This would likely help Chinese competitors such as telecommunications firm Huawei, particularly in the emerging field of 5G wireless networking, where a stronger China could present a national security issue.

While they are rival chip companies, Broadcom and Qualcomm are very different in their approaches to the market, according to Moorhead.

Qualcomm is known for mobile chip innovations that set industry standards, for example in new superfast 5G wireless connection technology, the analyst noted.

Broadcom, meanwhile, is adept at taking intellectual property developed by others and making products from it at low cost, he said; Moorhead refers to such companies as "implementors."

Moorhead likened the idea of merging the companies to mixing oil and water.

- Mobile military -

CFIUS likely had China concerns, possibly over Broadcom's relationships with entities there, or over the fact that the only company other than Qualcomm investing heavily in long-term mobile chip research is China-based Huawei, the analyst speculated.

Along with self-driving cars, drones and robots relying on blazingly fast wireless data connections, such networks will also be relied on by the military.

"I'm a technology analyst, not a military analyst, but it makes sense to me that troops will be wirelessly connected in the air, on the water and on the ground," Moorhead said.

"There will be drones and robots."

Broadcom's initial offer was tinged by politics, coming just after the company's chief executive, Hock Tan, appeared at the White House with Trump to announce plans to move the firm back to the United States from Singapore.

Because Broadcom is based in the Southeast Asian financial hub essentially for tax purposes, the US government's "case is terribly misinformed" regarding a purchase of Qualcomm, said Stacy Rasgon, an analyst at market research firm Bernstein.

"I get the concerns about China taking our intellectual property etc... but I think they are misplaced in this specific case," Rasgon told AFP in an earlier interview.

Behavioral Biometrics Firm BioCatch Raises $30 Million
12.3.2018 securityweek IT

New York and Tel Aviv-based behavioral biometric authentication firm BioCatch has raised $30 million in new growth financing led by Maverick Ventures, and including American Express Ventures, NexStar Partners, Kreos Capital, CreditEase, OurCrowd, JANVEST Capital and other existing investors.

"We have raised $17 million over several angel and seed rounds," CEO Howard Edelstein told SecurityWeek. "This is our first growth round, bringing the total raised to $47M."

BioCatch was founded in Tel Aviv in 2011 by Avi Turgeman, Benny Rosenbaum, and Uri Rivner. Turgeman is an alumnus of the IDF Unit 8200 intelligence service, having spent six years as head of innovation in the unit. In this role, he studied how criminals -- or for him at that time, terrorists -- moved around the internet. It was the skills learned at this time that inspired the founding of BioCatch.

The company provides behavioral biometric authentication for both in-house corporate use, and new user online account creation. In normal corporate use, the service provides continuous authentication by first generating a legitimate user profile (it takes just a few minutes) and then continuously authenticating the user's biometric behavioral patterns against that profile. Most current access control systems only authenticate the user at log-on -- meaning that anyone could continue the session once it has commenced.

While this approach works for normal in-house corporate use, it doesn't prevent New Account Fraud where remote fraudsters create new accounts with online services such as banking and retail, using stolen or forged identities -- in this case there is no existing user profile to authenticate against.

New Account Fraud is frequently attempted following major PII data breaches, such as the IRS and Anthem Health breaches in 2015, and the Equifax breach in 2017. Criminals collate and compile stolen details to either impersonate a genuine person or create a fictitious character in order to generate a new fraudulent account with a bank or retail organization.

With no legitimate user profile available, BioCatch monitors the actual online account generation behavior and compares it with both typical legitimate and typical criminal user behavior. This is where Turgeman's Unit 8200 training in tracking criminals and terrorists comes in: it turns out that there are significant measurable differences between criminal and legitimate usage patterns.

For example, criminal users tend to show a greater familiarity and facility with the account application form, while genuine users are more comfortable with their own personal details (full name, DoB, address, etc). Similarly, criminal users tend to display more advanced keyboard skills than legitimate users -- for example, the use of ALT-Tab is common to criminals but used by only 13% of the general population.

BioCatch monitors the entire account generation process examining usage parameters in three main categories: application fluency, computer skill level, and data familiarity. By the time the form is complete, BioCatch is able to say with great accuracy whether the application is likely to be genuine or fraudulent.
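As an added illustration of the three indicator families described above (it is not BioCatch code, and the concrete features, thresholds and sample sessions are made-up assumptions), the following Python script turns a raw stream of form-interaction events into a handful of indicators and a pass/review verdict. The scorer never reads the identity data that was submitted, only how it was entered, which is what makes the approach usable when there is no existing profile to compare against:

```python
"""Toy behavioral scorer for a new-account application form.

Added illustration only: this is not BioCatch code. The three indicator
families (application fluency, computer-skill level, data familiarity)
follow the article; the concrete features, weights and thresholds are
made-up assumptions, as are the two sample sessions at the bottom.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List

# Fields holding the applicant's own personal details (assumption).
PERSONAL_FIELDS = {"full_name", "dob", "address", "ssn"}

# Thresholds are illustrative assumptions, not calibrated values.
FAST_HESITATION_MS = 500   # focus -> first input faster than this looks rehearsed
FAST_TYPING_MS = 120       # mean inter-key gap below this = advanced typist
CORRECTION_RATE = 0.15     # backspaces per typed char inside personal fields
REVIEW_THRESHOLD = 0.6


@dataclass(frozen=True)
class Event:
    t_ms: int          # session-relative timestamp
    kind: str          # focus | key | backspace | paste | alt_tab
    field: str = ""    # form field; "" for window-level events such as alt_tab


def features(events: List[Event]) -> Dict[str, float]:
    """Extract one number per behavioural indicator from a raw event stream."""
    ev = sorted(events, key=lambda e: e.t_ms)

    # Application fluency: pause between focusing a field and starting to fill
    # it, and whether the user backtracks to a field already visited.
    hesitations, focused = [], []
    for i, e in enumerate(ev):
        if e.kind != "focus":
            continue
        focused.append(e.field)
        first_input = next((x for x in ev[i + 1:]
                            if x.field == e.field and x.kind in ("key", "paste")), None)
        if first_input is not None:
            hesitations.append(first_input.t_ms - e.t_ms)
    backtracks = len(focused) - len(set(focused))

    # Computer-skill level: keyboard shortcuts and raw typing speed.
    shortcuts = sum(e.kind in ("alt_tab", "paste") for e in ev)
    keys = [e for e in ev if e.kind == "key"]
    gaps = [b.t_ms - a.t_ms for a, b in zip(keys, keys[1:]) if a.field == b.field]

    # Data familiarity: corrections and pasting inside the applicant's own details.
    personal = [e for e in ev if e.field in PERSONAL_FIELDS]
    typed_chars = sum(e.kind == "key" for e in personal)
    corrections = sum(e.kind == "backspace" for e in personal)

    return {
        "mean_hesitation_ms": mean(hesitations) if hesitations else 0.0,
        "backtracks": backtracks,
        "shortcuts": shortcuts,
        "ms_per_key": mean(gaps) if gaps else 0.0,
        "personal_correction_rate": corrections / max(typed_chars, 1),
        "personal_pastes": sum(e.kind == "paste" for e in personal),
    }


def score(events: List[Event]) -> Dict[str, object]:
    """Turn the indicators into a 0..1 fraud score and a pass/review verdict."""
    f = features(events)
    flags = {
        "rehearsed_form_navigation": f["mean_hesitation_ms"] < FAST_HESITATION_MS and f["backtracks"] == 0,
        "advanced_keyboard_use": f["shortcuts"] >= 2,
        "fast_typist": 0 < f["ms_per_key"] < FAST_TYPING_MS,
        "unfamiliar_with_own_details": f["personal_correction_rate"] > CORRECTION_RATE,
        "personal_details_pasted": f["personal_pastes"] > 0,
    }
    s = sum(flags.values()) / len(flags)
    return {"score": s, "verdict": "review" if s >= REVIEW_THRESHOLD else "pass",
            "flags": [k for k, v in flags.items() if v], "features": f}


def typed(field: str, start: int, n: int, gap: int, backspaces: int = 0) -> List[Event]:
    """Helper for the constructed samples: a burst of keystrokes in one field."""
    out = [Event(start + i * gap, "key", field) for i in range(n)]
    out += [Event(start + (n + i) * gap, "backspace", field) for i in range(backspaces)]
    return out


# Constructed sample: applicant typing their own details, pausing to read each
# field, going back once to fix their name.
GENUINE = (
    [Event(0, "focus", "full_name")] + typed("full_name", 1200, 8, 150)
    + [Event(4000, "focus", "dob")] + typed("dob", 5100, 8, 160)
    + [Event(8000, "focus", "email")] + typed("email", 9500, 10, 170, backspaces=1)
    + [Event(12000, "focus", "full_name")] + typed("full_name", 12800, 2, 150)
)

# Constructed sample: operator who knows the form, switches windows to a crib
# sheet, pastes the date of birth and mistypes the SSN.
FRAUD = (
    [Event(0, "focus", "full_name")] + typed("full_name", 250, 8, 90)
    + [Event(1300, "alt_tab")]
    + [Event(1500, "focus", "dob"), Event(1700, "paste", "dob")]
    + [Event(1900, "alt_tab")]
    + [Event(2100, "focus", "ssn")] + typed("ssn", 2300, 9, 90, backspaces=3)
    + [Event(3500, "focus", "email")] + typed("email", 3700, 10, 90)
)

if __name__ == "__main__":
    for name, session in (("genuine", GENUINE), ("fraud", FRAUD)):
        r = score(session)
        print(f"{name}: score={r['score']:.2f} verdict={r['verdict']} flags={r['flags']}")
```

The scoring here is deliberately coarse (five binary flags, equal weight); the article's product reportedly weighs thousands of parameters. What the toy does preserve is the separation of concerns: indicators are computed per category, the categories are combined into one risk score, and the verdict is a threshold on that score that a fraud team can tune.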

This also works with banking malware and existing customers. "For example," Edelstein told SecurityWeek, "a CFO was logged in to his online corporate bank and was working on a series of payables. He was in his office using his standard machine (ie, right location and right device). When he went to confirm the total amount of the payments, which came to $1.6M, he got an alert that the session was blocked, and he had to call the Call Center."

While he had been attempting the transactions, a remote access attack was changing all the routing numbers and account numbers in the background. "The BioCatch system detected this based on various behavioral anomalies that were happening in the session," continued Edelstein, "and sent an alert in real time to the bank and stopped the transaction from going through."

"BioCatch's robust behavioral analytics platform is helping companies identify and stop fraudulent activity without sacrificing the user experience for legitimate customers," said Harshul Sanghi, Managing Partner of Amex Ventures, the strategic investment group within American Express. "The demand for organizations to strike that balance will only increase as digital engagement with their customers grows, and cyber threats become more sophisticated. We're excited to support BioCatch as it works to expand its capabilities and help organizations, including American Express, address this critical need."

BioCatch proactively collects and analyzes more than 2,000 parameters to generate user profiles and model different types of genuine and malicious behavior. The platform can address a wide range of threats at login and beyond by identifying malware, robotic activity, social engineering (phishing, etc.) and other cyber threats, which is a differentiator from traditional fraud approaches and other behavioral biometrics providers. The company monitors more than 5 billion transactions per month and generates real-time alerts when behavioral anomalies are detected.

The technology is supported by more than 50 patents that are either granted or pending.

Web App Security Firm Netsparker Raises $40 Million
8.3.2018 securityweek IT

Web application scanner company Netsparker announced on Thursday that it has raised $40 million from San Francisco-based growth and private equity firm Turn/River.

Netsparker was founded by Ferruh Mavituna, Peter Edgeler and Mark Lane in London, England in 2009, with Mavituna's working proof-of-concept for a new approach to finding web vulnerabilities without false positives. This involves first locating the vulnerability and then exploiting it to provide proof: it combines the related but different concepts of vulnerability scanning and penetration testing to eliminate false positives. The first commercial version of the product was launched in 2010.
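The distinction between finding a candidate and proving it can be shown in a few lines of Python. This is an added example, not Netsparker's code; the three functions standing in for web endpoints are constructed so that it runs offline, and in a real scanner each would be an HTTP round trip. The heuristic phase asks only whether the input is echoed back; the proof phase injects a uniquely named element and asks an HTML parser whether it came back as an element:

```python
"""Proof-based scanning, illustrated: flag a candidate, then prove it.

Added example, not Netsparker code. The three 'endpoints' below are local
stand-ins for a web application (constructed, so the script runs offline);
in a real scanner each would be an HTTP request/response pair.
"""
import html
import re
import secrets
from html.parser import HTMLParser
from typing import Callable, Dict, List

Endpoint = Callable[[str], str]   # maps the q parameter to the response body


def search_unsafe(q: str) -> str:
    return f"<h1>Results for {q}</h1>"                  # reflects raw input


def search_escaped(q: str) -> str:
    return f"<h1>Results for {html.escape(q)}</h1>"     # the correct fix


def search_blacklist(q: str) -> str:
    # Common mistake: strips <script> tags and nothing else.
    return f"<h1>Results for {re.sub(r'(?i)</?script[^>]*>', '', q)}</h1>"


def heuristic_candidate(ep: Endpoint) -> bool:
    """Phase 1, what a naive scanner reports: is the input echoed at all?"""
    token = secrets.token_hex(4)
    return token in ep(token)


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def prove_html_injection(ep: Endpoint) -> Dict[str, object]:
    """Phase 2: inject a uniquely named element and check that an HTML parser
    treats it as an element. Only then is the finding reported as confirmed."""
    token = "zz" + secrets.token_hex(4)        # tag names must start with a letter
    body = ep(f"<{token}>")
    parser = _TagCollector()
    parser.feed(body)
    return {"candidate": token in body,        # text echoed (possibly encoded)
            "confirmed": token in parser.tags}  # echoed as live markup


def scan(endpoints: Dict[str, Endpoint]) -> Dict[str, Dict[str, object]]:
    """Run both phases against every endpoint and return the per-endpoint verdicts."""
    results = {}
    for name, ep in endpoints.items():
        r = prove_html_injection(ep)
        r["heuristic_flagged"] = heuristic_candidate(ep)
        results[name] = r
    return results


if __name__ == "__main__":
    for name, r in scan({"unsafe": search_unsafe, "escaped": search_escaped,
                         "blacklist": search_blacklist}).items():
        print(f"{name:10s} heuristic={r['heuristic_flagged']} confirmed={r['confirmed']}")
```

The escaped endpoint is the false positive the heuristic reports and the proof discards. The blacklist endpoint is the opposite case: a fixed `<script>` payload would be stripped and a signature-style check would report nothing, while a neutral canary tag proves the page still renders attacker-supplied markup. The canary is random per request so that a cached or previously poisoned page cannot produce a stale "proof".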

Now with offices in London, Austin TX, and Turkey, Netsparker will use the new funding for further product development, sales growth and new marketing initiatives.

“Netsparker’s solution combines unique Proof-Based Scanning Technology with enterprise workflow tools, making it the only scalable web security solution on the market," comments Mavituna, now CEO at Netsparker. "With overwhelming market demand for this solution in the face of increasing security and compliance regulations, such as Europe’s GDPR, Netsparker aims to become the de facto solution for enterprises that need to secure thousands of web applications at scale.

"Turn/River Capital’s expertise in growing similar companies," he continued, "such as website security platform Sucuri, makes them a perfect match for this market expansion."

"Netsparker’s industry-leading vulnerability detection rates have won over a rapidly expanding, loyal base of thousands of enterprises that trust Netsparker with a mission-critical part of their security," added Dominic Ang, Turn/River Capital's founder and Managing Partner.

In January 2018, test results of independent researcher and analyst Shay Chen's Web Application Vulnerability Scanner Evaluation Project (WAVSEP) were published. "Netsparker was the only scanner that identified all the vulnerabilities and one of two that did not report any false positives," announced Netsparker.

Qualcomm Requests National Security Review of Broadcom Bid
7.3.2018 securityweek  IT

US chipmaker Qualcomm postponed its annual shareholders' meeting after secretly requesting a national security review of Broadcom's bid to take over the company, the Singapore-based Broadcom announced Monday.

Qualcomm shareholders were due to meet Tuesday, but Broadcom said it was informed Sunday night that Qualcomm filed a voluntary request on January 29 for US regulators to investigate the deal, and was ordered to postpone the meeting for 30 days.

"It should be clear to everyone that this is part of an unprecedented effort by Qualcomm to disenfranchise its own stockholders," Broadcom said in a statement.

Qualcomm fired back accusing Broadcom of trying to mislead shareholders and 'trivialize' US regulatory and national security issues.

"Broadcom's dismissive rhetoric notwithstanding, this is a very serious matter for both Qualcomm and Broadcom," the US chipmaker said.

The Committee on Foreign Investment in the United States (CFIUS) can review any acquisition by a foreign corporation of a US firm that may have an impact on national security, and can recommend the president block the deal. CFIUS has blocked some transactions, but frequently foreign companies withdraw once it appears a transaction will be prohibited.

CFIUS issued an order to Qualcomm for the shareholder meeting to be delayed for 30 days to allow time to fully investigate the proposed acquisition by Broadcom, according to the US Treasury Department.

Broadcom said it will fully cooperate with the review, but rejected any national security concerns since it is a US-controlled company, and is in the process of relocating its headquarters back to the United States.

- Board battle -

If finalized, the Broadcom-Qualcomm tie-up, estimated at $117 billion, would be the largest merger in a sector awash with consolidation amid the development of technologies for autonomous vehicles and 5G mobile services.

Qualcomm has repeatedly rejected multiple Broadcom offers that it says undervalue the company.

Shareholders at Qualcomm's annual meeting were to vote whether to replace six of the California company's 11 board members with candidates backed by Broadcom, essentially endorsing the merger deal.

Weeks of thrust and parry, along with tactical public statements, have left the companies' boards at odds over the unsolicited offer.

Qualcomm, which is the dominant maker of microprocessors for smartphones, says it has a bright future on its own, especially amid a transition to fifth-generation (5G) wireless communications networks.

The Qualcomm board has also expressed concern that any deal with Broadcom could be delayed or blocked by antitrust regulators around the world.

Broadcom has urged Qualcomm shareholders to elect all six of its nominees to the board, sending "a clear signal" supporting the takeover bid which would provide a handsome gain to shareholders of the US firm.

"This was a blatant, desperate act by Qualcomm to entrench its incumbent board of directors and prevent its own stockholders from voting for Broadcom's independent director nominees," Broadcom said of the delaying development.

- Coveted chip technology -

CFIUS last year opposed the takeover of US semiconductor manufacturer Lattice by a Chinese state group backed by a US investment fund, and President Donald Trump then blocked the deal.

In the semiconductor sector, the committee -- whose deliberations are secret -- in 2016 recommended that then-President Barack Obama oppose a deal between the German group Aixtron and Chinese fund Grand Chip because there was a US subsidiary of the German group.

Broadcom's initial offer already was tinged by politics, coming as it did the day after a White House meeting between Trump and Broadcom CEO Hock Tan, who promised to repatriate the company's headquarters.

Any tie-up of the two giants could reshape the fast-evolving sector of chips for smartphones and connected devices. But it would have to pass regulatory muster in several countries.

Analyst Patrick Moorhead of Moor Insights & Strategy questioned the wisdom of Broadcom buying Qualcomm.

The rival chip companies are very different in their approaches to the market, Moorhead said, comparing the tie-up to mixing "oil and water."

Qualcomm is known for mobile chip innovations that set industry standards, for example in new superfast 5G wireless connection technology, the analyst noted.

Broadcom, meanwhile, is adept at using intellectual property developed by others and making products at low cost; Moorhead refers to such companies as "implementers."

Qualcomm, one of Apple's main suppliers, is currently engaged in the acquisition of the Dutch group NXP and has indicated the operation will proceed regardless of the outcome of discussions with Broadcom.

Broadcom shares lost 1.5 percent by the close of trading in New York, while Qualcomm fell 1.1 percent.

Industrial Cybersecurity Firm CyberX Raises $18 Million
27.2.2018 securityweek IT

Industrial cybersecurity startup CyberX announced today that it has raised $18 million in a Series B funding round, bringing the total amount received to date by the company to $30 million.

The latest funding round was led by Norwest Venture Partners, which also invested in FireEye and Symantec-acquired Fireglass, with participation from previous investors Glilot Capital Partners, Flint Capital, ff Venture Capital, and OurCrowd.

CyberX says it plans on using the additional funding to continue its expansion in Europe and the United States, drive international growth, and expand its product development, research, and threat intelligence teams.

Founded in 2013 by military cyber experts Nir Giller and Omer Schneider, CyberX offers a platform that continuously monitors networks and collects data to help detect potentially malicious activity. The company also recently unveiled simulation technology designed to help predict breach and attack vectors.

CyberX says its product has been used by Global 2000 organizations across the energy and utilities, chemical, oil and gas, manufacturing, and other critical infrastructure sectors.

“There is a growing need in many enterprises to connect their IIoT and ICS networks to corporate IT networks for performance, monitoring, and manageability reasons. This trend creates a new security risk which requires a modern, IIoT-optimized, security solution.” said Dror Nahumi, general partner at Norwest Venture Partners. “We are extremely impressed with CyberX’s solution and its successful adoption with top-tier enterprise customers across multiple verticals.”

“We’re proud that our team has delivered a series of industry-firsts, including the first anomaly detection platform to incorporate ICS-specific threat intelligence, risk and vulnerability assessments, and automated threat modeling, as well as native integration with SOC tools,” said Giller. “By providing SOC teams with deeper visibility into Operational Technology (OT) assets, behaviors, and threats, we’re helping organizations implement a unified approach across IT and OT security and remove silos between IT and OT -- thereby improving their combined IT/OT risk posture.”

CyberX previously raised $20,000 in 2013, $2 million in 2014, and another $9 million in 2016, which, along with some add-on investments to the Series A round brought the total raised so far to $30 million. The company noted that its latest funding is the largest B round to date in industrial cybersecurity.

Splunk to Acquire Security Orchestration Firm Phantom for $350 Million
27.2.2018 securityweek IT

Machine data solutions firm Splunk said on Tuesday that it has agreed to acquire Phantom Cyber, a provider of Security Orchestration, Automation and Response (SOAR) solutions.

Under the terms of the agreement, Splunk will pay approximately $350 million in cash and stock to acquire Palo Alto, Calif.-based Phantom.

Phantom, which has raised more than $23 million in funding, has developed a community-powered security automation and orchestration platform that currently has more than 200 “apps” which integrate with various security products. These apps are available for a wide range of security tools from partners including Cisco, McAfee, Palo Alto Networks, RSA Security, Symantec, Splunk, HPE, IBM and others.

By combining technologies from both companies, Splunk says that IT teams will be able to leverage automation capabilities to “help solve automation challenges in a widening range of use cases, including Artificial Intelligence for IT Operations (AIOps).”

Following the acquisition, Phantom founder and CEO Oliver Friedrichs will report to Haiyan Song, senior vice president and general manager of security markets at Splunk.

The acquisition is expected to close during the first half of 2018, subject to customary closing conditions and regulatory reviews.

“The majority of purchase price consideration will be paid from cash on our balance sheet. Total equity consideration plus Phantom employee retention incentives will result in less than one percent total dilution from this transaction,” said Dave Conte, chief financial officer, Splunk.

Investors in Phantom include iconic Silicon Valley VC firm Kleiner Perkins, TechOperators Venture Capital, Blackstone, Foundation Capital, In-Q-Tel, Rein Capital, Zach Nelson, and John W. Thompson.

Hacker Detection Firm Vectra Networks Raises $36 Million
21.2.2018 securityweek IT

Vectra Networks, a cybersecurity firm that helps customers detect “in-progress” cyberattacks, today announced that it has closed a $36 million Series D funding round, bringing the total amount raised to date by the company to $123 million.

The company said the investment would be used to expand sales and marketing, fuel product development of its Cognito threat hunting platform, and open a new research-and-development (R&D) center in Dublin, Ireland.

Vectra describes its flagship Cognito platform as a solution that “performs non-stop, automated threat hunting with always-learning behavioral models to quickly and efficiently find hidden and unknown attackers before they do damage.”


The Series D funding round was led by growth equity fund Atlantic Bridge, with the Ireland Strategic Investment Fund (ISIF) and Nissho Electronics Corp. Returning investors Khosla Ventures, Accel Partners, IA Ventures, AME Cloud Ventures, DAG Ventures and Wipro Ventures also participated in the funding.

“This is an exciting investment for ISIF that promises significant economic impact for Ireland,” said Fergal McAleavey, head of private equity at ISIF. “It is encouraging to see Ireland leverage its emerging expertise in artificial intelligence by attracting businesses such as Vectra that are on the leading edge of technology. With cybersecurity becoming critical for all organizations, we are confident Vectra will deliver a strong economic return on our investment while creating high-value R&D employment here in Ireland.”

The new Dublin facility is expected to add up to 100 jobs in Ireland over the next five years, the company said.

Vectra also has R&D facilities in San Jose, Calif., Austin, Texas and Cambridge, Mass.

Oracle to Acquire Cloud Security Firm Zenedge
17.2.2018 securityweek IT

Oracle said Thursday that it has agreed to acquire cloud security firm Zenedge for an undisclosed sum.

Zenedge offers a suite of services to protect systems deployed in the cloud, on-premise or in hybrid hosting environments, with solutions including a Web Application Firewall (WAF), Distributed Denial of Service (DDoS) protection, and products to secure applications, networks, databases and APIs from attacks. Additionally, the company provides outsourced security monitoring and attack mitigation services.

Powered by artificial intelligence (AI), Zenedge's products and 24/7 virtual Security Operations Center (SOC) defend over 800,000 web properties and networks globally.

Oracle says the acquisition of Zenedge expands Oracle Cloud Infrastructure and Oracle's Domain Name System (DNS) capabilities, adding application and network protection that augments existing Oracle security services and partnerships.

“The combination with Zenedge equips Oracle Cloud Infrastructure with integrated, next-generation network and infrastructure security, to address modern security threats,” said Don Johnson, Senior Vice President of Product Development, Oracle.

According to Crunchbase, Zenedge has raised approximately $13.7 million in funding.

In September 2016, Oracle announced its acquisition of Cloud Access Security Broker (CASB) firm Palerra for an undisclosed sum, followed by an acquisition of Web traffic management firm Dyn in late 2016.

Financial Regulator's Algorithm Compliance Concerns Are Relevant to All Businesses
16.2.2018 securityweek IT 

The UK's financial regulator, the Financial Conduct Authority (FCA), issued a report Monday warning financial companies that it would be looking closely at so-called 'algo trading': "Algorithmic Trading Compliance in Wholesale Markets" (PDF).

Algo (or algorithmic) trading is the use of computer algorithms to buy or sell stock automatically and at speed if certain market conditions are met. The danger is that rapid trading by computers can change the market causing more buying or selling before human traders can intervene and correct the situation. Such algo trading has been blamed as partly responsible for this month's Wall Street sell-off that led to a 4% fall in Standard & Poor's 500-stock index last Monday -- the worst decline since August 2011.

David Murray, Corvil's chief marketing and business development officer, explains the problem. "It takes a person 300-400 milliseconds (thousandths of a second) to blink, and computers can execute a trade in 30-40 microseconds (millionths of a second) -- so it is clear that the new reality of time in an algorithmic world mandates new oversight and controls."

In its new report, compiled in the months preceding last week's Wall Street sell-off, the FCA warns, "In the absence of appropriate systems and controls, the increased speed and complexity of financial markets can turn otherwise manageable errors into extreme events with potentially wide-spread implications." Because of this, it adds, "We will continue to assess whether firms have taken sufficient steps to reduce risks arising from algorithmic trading."

Five key compliance areas are highlighted by the FCA: a full understanding and management of algorithms across the business; robust development and testing processes for algorithms; pre and post trade risk controls; an effective governance and oversight framework; and the ability to monitor for potential conduct issues and thereby reduce market abuse risks.

This isn't just about automated trading with the potential to wobble global financial markets -- it is also about localized and criminal abuse of algorithms. In November 2017, the FCA fined Paul Axel Walter -- subsequently known as 'algo-baiter' -- £60,090 for market abuse via algorithms. Walter was a senior bond trader, working at Bank of America Merrill Lynch (BAML). In 2014, he entered bids into the system that reflected the opposite of his intention. The algorithms reacted to his bids allowing him to subsequently enter his true bids into a market that he had manipulated.

But the issues go beyond just financial trading. "Similar conditions exist not only across global financial markets," explains Murray. "There are similar risks for other algorithmic businesses and use of artificial intelligence."

With the digitization and computer-based automation of all industry, the problems currently highlighted in the financial sector will become an issue for businesses generally. Actions will be triggered, and carried out, by unseen algorithms hidden within systems. It already happens within security products, where decisions can be made without anyone really understanding how or why they were reached. At the same time, outsiders will be able to manipulate the algorithms by feeding them false information, much as Walter manipulated the trading algorithms.

The FCA's five principles for algo compliance are applicable far beyond just financial institutions. Compliance officers and security teams will need to understand their use of algorithms within machine learning and artificial intelligence systems to remain within compliance and defeat both internal and external malicious actors. Key, perhaps, is the second principle: robust development and testing processes. This is particularly relevant where a business develops its own algorithms -- as is common in the financial industry -- rather than relying, blindly, on externally developed algorithms.

Algorithm development is subject to the same pressures as any other software development -- the need to get it complete and operational as quickly as possible. The FCA warns against development procedures that focus on operational effectiveness without considering other issues. An example outside of finance could be automated customer or user profiling without considering the impact of the General Data Protection Regulation (GDPR). Article 22 states, "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."

The FCA's advice is good for all software development: "a culture of open communication between different business units, while having a clear separation of roles and independent reviews... by having a separate team that verifies and checks the output and quality of code."

As the algorithms get more complex, they get more difficult to control. "There's often a tradeoff between model or algorithm performance and complexity," explains Endgame's technical director of data science, Hyrum Anderson, "with higher performing models often requiring more model mass. Examples include: more trees in random forest or gradient boosting models, more layers in convolutional neural networks, etc. As a design principle, experienced machine learning researchers try to utilize the principle of Occam's razor -- when many models have similar performance, choose the simpler one."

But he also warns that while simplicity aids in human understanding and verification, and prevents models from making extreme predictions, it also potentially creates the best conditions for adversaries to fool them. While DevOps may be good for software development, DevSecOps would be better for algorithm development to ensure the most secure and reliable outcome.
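Anderson's point about simple models can be made concrete. For a linear scorer, the smallest input change that flips the verdict has a closed form: move against the weight vector w by a distance of |f(x)| / ||w||, so an adversary who knows, or has estimated, the weights needs no search at all. The Python below is an added example, not from the article or from Endgame; the fraud scorer, its weights and the sample transaction are constructed. The `controllable` argument restricts the perturbation to features the attacker can actually change, since the unconstrained minimum may land on an impossible value of a binary feature:

```python
"""Closed-form evasion of a linear scorer.

Added example, not from the article or from Endgame. The scorer, its
weights and the sample transaction are constructed assumptions; the
point is that for a linear model the minimal flipping perturbation is
computable directly from the weights.
"""
from math import sqrt
from typing import Dict, Iterable, Optional

# Constructed linear fraud scorer over three standardised features (assumption).
WEIGHTS = {"amount_z": 1.2, "new_payee": 0.8, "night_login": 0.5}
BIAS = -1.0          # score > 0 => transaction flagged


def score(x: Dict[str, float]) -> float:
    """f(x) = b + w . x"""
    return BIAS + sum(WEIGHTS[k] * x[k] for k in WEIGHTS)


def minimal_evasion(x: Dict[str, float], controllable: Optional[Iterable[str]] = None,
                    margin: float = 1e-6) -> Dict[str, float]:
    """Return the closest point (in L2, over the controllable features) with
    score just below zero. Along -w the score falls at rate ||w_c||^2 per unit
    step, so step = (f(x) + margin) / ||w_c||^2 lands exactly at -margin."""
    ctl = list(controllable or WEIGHTS)
    f = score(x)
    if f <= 0:
        return dict(x)                      # already passes; nothing to do
    norm_sq = sum(WEIGHTS[k] ** 2 for k in ctl)
    step = (f + margin) / norm_sq
    y = dict(x)
    for k in ctl:
        y[k] = x[k] - step * WEIGHTS[k]     # largest weights get moved the most
    return y


def l2(a: Dict[str, float], b: Dict[str, float]) -> float:
    return sqrt(sum((a[k] - b[k]) ** 2 for k in a))


if __name__ == "__main__":
    # Constructed transaction: large amount, new payee, logged in at night.
    x = {"amount_z": 1.5, "new_payee": 1.0, "night_login": 1.0}
    y = minimal_evasion(x)                          # unconstrained: moves every feature
    z = minimal_evasion(x, controllable=["amount_z"])  # realistic: only the amount moves
    print(f"original  score={score(x):.3f}")
    print(f"L2-minimal score={score(y):.6f} distance={l2(x, y):.3f} point={y}")
    print(f"amount-only score={score(z):.6f} amount_z={z['amount_z']:.3f}")
```

The unconstrained answer moves `new_payee` to a fractional value, which an attacker cannot do; the constrained answer shows the number that matters operationally, namely how far the transaction amount must be lowered before the rule stops firing. A model with interactions or a non-linear margin has no such one-line answer, which is the other side of the simplicity trade-off the paragraph describes.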

Another of the FCA's five principles is also relevant to compliance and security teams beyond just the financial industry: the ability to monitor for potential conduct issues. Two aspects of this requirement are particularly relevant: network monitoring for signs of abuse or misuse; and algorithm testing standards and procedures.

The first will become increasingly challenging. Security teams already monitor their networks for anomalous events; but they use algorithms to do so. As algorithmic automation spreads throughout industry, security teams will need ways of monitoring even the algorithms they use to monitor the rest of the business. They will need to detect malicious external actors attempting to subvert the algorithms, and insiders attempting to manipulate them. This is particularly concerning in the financial sector, where entire markets, and potentially national economies, could be manipulated for criminal gain, or individual company share prices manipulated in sophisticated versions of pump and dump schemes.
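The Walter case described earlier and the monitoring requirement above can be joined in a detection rule. The Python below is an added example, not an FCA or exchange tool and not derived from the case file: it reads a constructed order-event log and flags orders that were placed, never filled and cancelled within a short window while the same trader executed a much smaller trade on the opposite side. The log format, the window and the size ratio are assumptions:

```python
"""Detecting the 'algo-baiting' pattern in an order-event log.

Added example; it is not an FCA tool and not drawn from the Walter case file.
The pattern it looks for is the one the article describes: orders placed on
one side that are cancelled unfilled shortly afterwards, bracketing a real
execution on the opposite side by the same trader. Log format, sample lines,
window and size ratio are all constructed assumptions.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List

WINDOW_MS = 2000       # a bait order is cancelled within this long of being placed
MIN_BAIT_RATIO = 3.0   # bait quantity must be at least this multiple of the real fill

# Constructed sample log: one instrument, two traders. T1 shows the pattern;
# T2 is an ordinary two-sided quote where one side fills and the other rests.
SAMPLE_LOG = """ts_ms,trader,order_id,side,qty,price,action
1000,T1,o1,BUY,500,99.90,NEW
1200,T1,o2,BUY,500,99.91,NEW
1500,T1,o3,SELL,100,99.95,NEW
1700,T1,o3,SELL,100,99.95,FILL
1900,T1,o1,BUY,500,99.90,CANCEL
1950,T1,o2,BUY,500,99.91,CANCEL
3000,T2,o4,BUY,200,99.92,NEW
3100,T2,o5,SELL,200,99.93,NEW
4500,T2,o4,BUY,200,99.92,FILL
9000,T2,o5,SELL,200,99.93,CANCEL
"""


def parse(log_text: str) -> List[dict]:
    """Read the CSV log, type the numeric columns and return events in time order."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for r in rows:
        r["ts_ms"], r["qty"], r["price"] = int(r["ts_ms"]), int(r["qty"]), float(r["price"])
    return sorted(rows, key=lambda r: r["ts_ms"])


def detect_baiting(events: List[dict], window_ms: int = WINDOW_MS,
                   min_ratio: float = MIN_BAIT_RATIO) -> List[dict]:
    """One alert per unfilled, quickly cancelled order that brackets an
    opposite-side fill by the same trader and dwarfs that fill in size."""
    orders: Dict[str, dict] = {}
    fills = defaultdict(list)          # trader -> [(ts, side, qty)]
    for e in events:
        if e["action"] == "NEW":
            orders[e["order_id"]] = {"trader": e["trader"], "side": e["side"], "qty": e["qty"],
                                     "new_ts": e["ts_ms"], "cancel_ts": None, "filled": 0}
            continue
        o = orders.get(e["order_id"])
        if o is None:                  # fill/cancel for an order we never saw placed
            continue
        if e["action"] == "FILL":
            o["filled"] += e["qty"]
            fills[e["trader"]].append((e["ts_ms"], e["side"], e["qty"]))
        elif e["action"] == "CANCEL":
            o["cancel_ts"] = e["ts_ms"]

    alerts = []
    for oid, o in orders.items():
        if o["cancel_ts"] is None or o["filled"] > 0:
            continue                   # only orders that never traded can be bait
        lag = o["cancel_ts"] - o["new_ts"]
        if lag > window_ms:
            continue                   # rested too long to look like bait
        for ts, side, qty in fills[o["trader"]]:
            if (side != o["side"] and o["new_ts"] <= ts <= o["cancel_ts"] + window_ms
                    and o["qty"] >= min_ratio * qty):
                alerts.append({"trader": o["trader"], "bait_order": oid, "bait_side": o["side"],
                               "bait_qty": o["qty"], "real_side": side, "real_qty": qty,
                               "cancel_lag_ms": lag})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_baiting(parse(SAMPLE_LOG)):
        print(alert)
```

A rule like this belongs in the post-trade surveillance layer, where the trader's own fills are visible; a pure network-capture view would have to reconstruct the same NEW/FILL/CANCEL events from the venue protocol first. Legitimate market making produces cancelled orders all day, so the two thresholds (how quickly the order was pulled, and how much larger it was than the real trade) are what keep the rule from drowning in noise, and both need tuning per instrument.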

Corvil's Murray summarizes the problem. "To operate in today’s machine time environments and enable rapid, secure, compliant time to market, businesses require process controls as well as layered technology oversight to assure precision and accuracy of time stamping to establish sequencing, continuous capture of all electronic business activity, real-time analysis of transactions, and anomaly detection for cyber and abuse surveillance."

Testing the veracity of algorithms will also be a problem. The third-party anti-malware testing industry is struggling to find methods of adequately and objectively testing algo-based endpoint protection systems. As companies begin to develop their own algorithms for their own automation purposes, testing will likely fall on the very people who developed the algorithms. Objectivity may be impossible, and testing may not be effective.

The FCA's algorithmic trading compliance report should be a clarion call for all businesses. The new and emerging world of artificial intelligence -- that is, algorithms -- promises huge benefits for industry in increased speeds and lower costs; just as it does in the financial markets. But whether industry generally has fully examined the security and compliance issues that algorithms bring with them is a separate but urgent question. Algorithmic Trading Compliance in Wholesale Markets is a good starting point.

Zerodium Offers $45,000 for Linux 0-Days
9.2.2018 securityweek  IT
Hackers willing to find unpatched vulnerabilities in the Linux operating system and report them to exploit acquisition firm Zerodium can earn up to $45,000 for their findings, the company announced on Thursday.

The company has long been acquiring vulnerabilities in Linux as part of its normal payouts program, but it would normally pay only up to $30,000 for Local Privilege Escalation flaws in the operating system. Until March 31, 2018, however, such flaws can earn hackers up to 50% more, Zerodium said on Twitter.

Zerodium's tweet, posted Feb 8, 2018: "Got a Linux LPE? Working with default installations of Ubuntu, Debian, CentOS/RHEL/Fedora? We are increasing our payouts to $45,000 per #0day exploit until March 31st, 2018. To submit, please check: https://zerodium.com/submit.html"

Zerodium claims that hackers who submit valid zero-day vulnerabilities in products of interest would receive payment for their efforts within a week after the initial submission.

The exploit acquisition firm is targeting vulnerabilities in the most commonly used Linux distributions and interested hackers can head over to its website to learn specific information on what is considered an eligible submission.

The payments promised for Linux vulnerabilities, however, aren’t the highest the company offers.

On desktop platforms, remote code execution flaws in Windows can earn the reporting hacker up to $300,000. Those who discover unpatched vulnerabilities in mobile operating systems can make up to $1,500,000, if the bug affects Apple’s iOS platform.

In fact, Zerodium is already known to have paid a group of hackers $1 million for a zero-day in iOS.

In August 2017, Zerodium announced it was prepared to pay up to $500,000 for unpatched vulnerabilities in popular instant messaging and email applications. The offer remains active in its current program.

In September last year, the company announced it was willing to pay up to $1 million for zero-day flaws in the Tor Browser. The “bounty” program ended in December 2017, but Zerodium wouldn’t provide information on the results of the operation.

Once in the possession of vulnerabilities it considers of interest, the company sells them to its customers as part of the Zerodium Zero-Day Research Feed. The company also says it analyzes, aggregates, and documents the acquired security intelligence before offering it, along with protective measures and security recommendations, to its clients.

U.S. Announces Takedown of Global Cyber Theft Ring
8.2.2018 securityweek  IT
The US Justice Department announced indictments Wednesday for 36 people accused of running a transnational ring stealing and selling credit card and personal identity data, causing $530 million in losses.

Thirteen members of the "Infraud Organization" were arrested in the United States, Australia, Britain, France, Italy, Kosovo and Serbia, it said.

Created in Ukraine in 2010 by Svyatoslav Bondarenko, Infraud was a key hub for card fraud, touting itself with the motto "In Fraud We Trust."

It was "the premier one-stop shop for cybercriminals worldwide," said Deputy Assistant Attorney General David Rybicki.

Members could buy and sell card and personal data used to buy goods online, defrauding the card owners, card issuers and vendors.

Infraud operated automated vending sites to make it easy for someone to buy card and identity data from them. It had 10,901 approved "members" registered to buy and sell with them in early 2017, and maintained a rating and feedback system for members.

The senior administrators continuously screened the products and services of vendors "to ensure quality products," said the indictment.

The group operated moderated web forums to share advice among customers, and operated an "escrow" service for payments in digital currencies like Bitcoin, the Justice Department said.

"As alleged in the indictment, Infraud operated like a business to facilitate cyberfraud on a global scale," said Acting Assistant Attorney General John Cronan.

The network of indicted Infraud leaders included people from the United States, France, Britain, Egypt, Pakistan, Kosovo, Serbia, Bangladesh, Canada and Australia.

Bondarenko remains at large, but the number two figure in the organization, Russian co-founder Sergey Medvedev has been arrested, according to US officials.

Proofpoint to Acquire Security Awareness Training Firm Wombat Security for $225 Million
7.2.2018 securityweek IT
Cybersecurity firm Proofpoint on Tuesday announced that it has agreed to acquire Wombat Security Technologies for $225 million in cash.

Wombat, which helps companies educate employees on the dangers of phishing attacks and how to avoid them, grew out of a research project at Carnegie Mellon University in 2008.

The purchase of Wombat is the second acquisition north of $100 million by Proofpoint in recent months. Proofpoint also acquired messaging security firm Cloudmark in November 2017 for $110 million in cash.

Best known for its email security offerings, Proofpoint says the acquisition will help its customers use data from active phishing campaigns for simulations.

The company explains that by integrating Wombat’s technology with Proofpoint’s threat detection and intelligence, enterprises will have insights into their employees’ vulnerability to the real phishing attacks that strike every day.

“Because threat actors target employees as the weakest link, companies need to continuously train employees and arm them with real-time threat data,” said Gary Steele, Proofpoint CEO. “The acquisition of Wombat gives us greater ability to help protect our customers from today’s people-centric cyberattacks, as cybercriminals look for new ways to exploit the human factor. We are thrilled to welcome Wombat’s employees to the Proofpoint team.”

The integrated solution will become part of Proofpoint's advanced email solution suite, and is scheduled to be available in the first half of 2018.

The agreement is subject to customary closing conditions and is expected to close in the first quarter of 2018, Proofpoint said.

Following the acquisition, Proofpoint expects Wombat will increase its 2018 revenue range by $30 – $32 million, and increase the free cash flow range by $2 million for the year.

Booz Allen Hamilton Awarded $621 Million DHS Cyber Contract
5.2.2018 securityweek IT
Technology consulting firm Booz Allen has been awarded a $621 million contract by the Department of Homeland Security (DHS) to support the government-wide Continuous Diagnostics and Mitigation (CDM) Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) Program.

Created to help defend Federal IT networks from cyber threats, the CDM program was designed to provide continuous monitoring sensors (tools), diagnosis, mitigation tools, dashboards, and Continuous Monitoring as a Service (CMaaS).

The program is the result of the executive order from President Barack Obama which requires the DHS to ensure unclassified government networks are scanned constantly for threats, defended from attacks, and regularly audited to be compliant with computer security rules.

For more than two years, Booz Allen says that it has helped 13 Federal Agencies deploy cybersecurity tools to protect four million computers through DHS CDM efforts.

According to Booz Allen, the new contract will extend across the three current and possible future CDM Phases and is part of the larger DEFEND Program, which has a total value of up to $3.4 billion.

McLean, Virginia-based Booz Allen has more than 24,000 employees globally, and annual revenue of approximately $5.8 billion.

It's Time For Machine Learning to Prove Its Own Hype
2.2.2018 securityweek IT

Machine Learning is a Black Box that is Poorly Understood

2017 was the year in which 'machine learning' became the new buzzword -- almost to the extent that no new product could be deemed new if it didn't include machine learning.

Although the technology has been used in cybersecurity for a decade or more, machine learning is now touted as the solution rather than part of the solution.

But doubts have emerged. Machine learning is a black box that is poorly understood; and security practitioners like to know exactly what it is they are buying and using.

The problem, according to Hyrum Anderson, technical director of data science at Endgame (a vendor that employs machine learning in its own endpoint protection product), is that users don't know how it works and therefore cannot properly evaluate it. To make matters worse, machine learning vendors do not really understand what their own products do -- or at least, how they come to the conclusions they reach -- and therefore cannot explain the product to the satisfaction of many security professionals.

The result, Anderson suggests in a blog post this week, is "growing veiled skepticism, caveated celebration, and muted enthusiasm."

It's not that machine learning doesn't work -- it clearly does. But nobody really understands how it reaches its decisions.

Anderson quotes Ali Rahimi. "He compared some trends, particularly in deep learning, to the medieval practice of Alchemy. 'Alchemy ‘worked’,' Ali admitted. 'Alchemists invented metallurgy, ways to dye textiles, our modern glass-making processes, and medications. Then again, Alchemists also believed they could cure diseases with leeches, and turn base metals into gold'."

"If the physicist’s mantra is Feynman’s 'What I cannot create, I do not understand'," he continues, "then the infosec data scientist should adopt, 'What cannot be understood, should be deployed with care.' Implied, but not spoken, is 'if at all'."

This problem of not understanding how a conclusion is reached could become much worse if a possible interpretation of Article 22 of the EU's General Data Protection Regulation (GDPR) is enforced to its full potential. This states, "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."

This should not directly affect machine-learning malware detection because data subjects are not directly involved, but could have implications for other applications used by both IT and security departments.

GDPR's Recital 71 clarifies the requirement. It adds, "In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision."

Right now, suggests Anderson, this would be largely impossible. "The point is that although some models may reach impressive predictive performance, it may not be clear what information in the data directly determine the decisions. Ironically, machine learning is such that even with full access to the source code and data, it may still be very difficult to determine 'why' a model made a particular decision."

A partial solution for infosec practitioners would come from the increased involvement of the machine learning industry with third party testing. This would at least enable the practitioners to understand how effective the algorithms are, even if not how they work. Although some machine-learning, so-called next-gen, endpoint protection vendors have been slow and reluctant to embrace third-party testing, Endgame is not one of them.

"Fortunately," writes Anderson, "there are technique-agnostic methods to compare solutions. We have previously argued that AV can be compared apples-to-apples to ML by comparing both false positive and true positive rates, for example, whereas 'accuracy' is wholly inadequate and may hide all manner of sins... In the endpoint security space, vendors are beginning to offer holistic breach tests rather than AV-only tests, which help customers value a broader protection landscape."
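Anderson's point that "accuracy" can hide all manner of sins is easiest to see on a benign-heavy population, which is what an endpoint fleet looks like. The following Python is an added example, not code from Endgame or from the blog post: it builds a constructed, class-imbalanced evaluation set (1% malware, scores drawn from Beta distributions rather than any real detector), shows that a detector which flags nothing still reaches 99% accuracy with a true-positive rate of zero, and implements the apples-to-apples comparison Anderson describes, reporting TPR at a fixed false-positive budget.

```python
import random


def make_eval_set(n_benign=9900, n_malware=100, seed=7):
    """Constructed evaluation set of (label, detector score) pairs.
    Benign scores are drawn low and malware scores high from Beta
    distributions; nothing here is real telemetry."""
    rng = random.Random(seed)
    benign = [(0, rng.betavariate(2, 8)) for _ in range(n_benign)]
    malware = [(1, rng.betavariate(8, 2)) for _ in range(n_malware)]
    return benign + malware


def metrics(labelled, threshold):
    """Accuracy, true-positive rate and false-positive rate when every
    sample with score > threshold is flagged as malicious."""
    tp = fp = fn = tn = 0
    for label, score in labelled:
        flagged = score > threshold
        if label and flagged:
            tp += 1
        elif label:
            fn += 1
        elif flagged:
            fp += 1
        else:
            tn += 1
    return {
        "accuracy": (tp + tn) / (tp + tn + fp + fn),
        "tpr": tp / (tp + fn) if tp + fn else 0.0,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
        "threshold": threshold,
    }


def do_nothing_detector(labelled):
    """A 'detector' that never flags anything. On a 1%-malware population it
    scores 99% accuracy, which says nothing about protection."""
    return metrics(labelled, threshold=float("inf"))


def tpr_at_fpr(labelled, fpr_budget):
    """The comparison point that does not hide sins: the most lenient
    threshold whose FPR stays within budget, and the TPR it buys. The
    threshold is the (k+1)-th highest benign score, so at most k benign
    samples sit strictly above it."""
    benign = sorted((s for label, s in labelled if label == 0), reverse=True)
    k = min(int(fpr_budget * len(benign)), len(benign) - 1)
    return metrics(labelled, benign[k])


if __name__ == "__main__":
    data = make_eval_set()
    print("flag nothing:", do_nothing_detector(data))
    for budget in (0.001, 0.01):
        print(f"TPR at FPR<={budget}:", tpr_at_fpr(data, budget))
```

Comparing two products means running both over the same samples and reading TPR off at the same FPR budget; a vendor who quotes accuracy alone on an imbalanced set is quoting the base rate.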

But ultimately, it is the lack of visibility into the working of machine learning and AI algorithms that must change. "My call for 2018," says Anderson, "is to continue to address what is still particularly needed in ML infosec research: more cross-pollination between academia and industry, more open community engagement from security vendors, and more open datasets for reproducible research. By doing this, we’ll continue to move ML in infosec from the dark arts of Alchemy to rigorous Science."

Endgame was founded in 2008 by Chris Rouland and other executives who previously worked with the CIA and Internet Security Systems. It originally discovered and sold 0-day vulnerabilities, but shifted away from this around 2014. Under current CEO Nate Fick's leadership, it has grown its commercial offering using more than $100 million in funding, including a $23 million Series B funding round in March 2013 followed by a $30 million Series C round in November 2014.

Google Adds Custom Roles Feature to Cloud IAM
1.2.2018 securityweek IT
The Identity & Access Management (IAM) service in the Google Cloud Platform (GCP) now includes a feature that allows users to assign custom roles for finer-grained security.

The custom roles feature was first announced back in October when the beta version was introduced. The tech giant announced on Wednesday that nearly all permissions can now be customized.

Granting users excessive privileges to services, applications and data can introduce serious security risks, which is why it’s crucial for administrators to ensure that users only have the permissions needed to perform their jobs.

Customers of Google’s cloud platform now have full control over more than 1,200 public permissions, providing them fine-grained access control for enforcing the principle of least privilege. The principle of least privilege is a concept that promotes minimal user profile privileges based on job necessities.

In the case of GCP, administrators can rely on the IAM service to assign a predefined role to users - for example, allow them to view or modify data stored in the cloud. However, these predefined roles are sometimes not enough for implementing the principle of least privilege.

Custom roles, on the other hand, can be used to remix permissions across all services to ensure that users do not receive privileges other than ones required to do their job.

“Consider a tool that needs access to multiple GCP services to inventory Cloud Storage buckets, BigQuery tables and Cloud Spanner databases. Enumerating data doesn’t require privileges to decrypt that data. While predefined roles to view an entire project may grant .query,.decrypt and .get as a set, custom roles make it possible to grant .get permission on its own,” Google’s Rohit Khare and Pradeep Madhavarapu explained in a blog post.

Except for certain permissions that are only supported in predefined roles, all permissions are now customizable. A list of all supported permissions has been made available and users can keep track of changes via a central change log.

In the future, Google wants to further enhance its IAM service, including by using research from the company’s Forseti open source initiative to help explain why a specific permission has been granted or denied.

Tenable, Cylance Disclose Revenue Metrics
30.1.2018 securityweek IT
Cybersecurity solutions providers Tenable and Cylance this week shared financial metrics for 2017, with both privately-held companies showing strong revenue growth.

Cylance reported revenue of more than $100 million last year, which the company says represents a year-over-year growth of 177 percent.

The company’s AI-powered endpoint protection and threat detection solutions are used by over 3,800 enterprises, including 87 percent of Fortune 500 firms. Cylance’s customers include The Gap, Dell, Panasonic, Noble Energy, the National Hockey League Players Association, United Service Organizations (USO), and Partners In Health.

Cylance has raised more than $170 million in funding, including $20 million in February 2014, $42 million in June 2015, and $100 million in June 2016.

When announcing its financial results, Cylance highlighted that its growth rate and the time it took the company to reach $100 million in annual revenue surpassed other cybersecurity firms, including Palo Alto Networks, FireEye, Symantec and CyberArk.

Tenable announced record billings of more than $250 million in 2017, which it says represents a 45 percent growth. The company has attributed this success to strong performance in North America, Europe and Asia. The fourth quarter of 2017 was the seventh consecutive quarter of greater than 40 percent year-over-year billings growth.

As for revenue, Tenable reported $189 million for the 12-month period that ended on December 31, 2017, which represents over 50 percent growth.

Tenable, makers of vulnerability scanners and software solutions that help find network security gaps, has more than 24,000 customers across 160 countries. The list includes more than 50 percent of Fortune 500 companies, over 20 percent of Global 2000 firms, and the ten largest tech companies in the U.S.

Tenable recently announced a partnership with Siemens that aims to provide asset discovery and vulnerability management solutions for industrial networks.

Tenable has raised more than $300 million, including $250 million in November 2015 and $50 million in September 2012.

RELX Group to Acquire Fraud Fighting Firm ThreatMetrix for $815 Million
30.1.2018 securityweek IT

RELX Group, a provider of B2B information and analytics services, announced on Monday that it has agreed to acquire fraud detection firm ThreatMetrix for £580 million (approximately $815 million) in cash.

Founded in 2005, San Jose, Calif.-based ThreatMetrix’s technology analyzes connections among devices, locations, identity information and threat intelligence, and combines the data with behavioral analytics to identify high-risk transactions in real time.

“ThreatMetrix has built the largest digital identity network that can determine when an individual’s credentials are being used by cybercriminals in real time, which enables businesses to better understand the global footprint of stolen identities,” Alisdair Faulkner, chief products officer at ThreatMetrix, said in 2015 when the company launched its ThreatMetrix Digital Identity Network.

The company says the network currently analyzes more than 100 million transactions per day across 35,000 websites from 5,000 customers.

According to a report published by ThreatMetrix in mid-2017, the United States was the world's primary target for cyber fraud attacks, and Europe has emerged as the major source of attacks, now accounting for 50% more attacks than the US. The report also found that growth in attacks was outpacing the growth of transactions; and that in a 90-day period, 130 million fraud attacks were detected.

According to the company, ThreatMetrix will become part of Risk & Business Analytics, which under the LexisNexis Risk Solutions brand addresses fraud and authentication challenges by "applying advanced analytics to physical identity attributes, including identity credentials, addresses and asset ownership."

LexisNexis Risk Solutions has an existing partnership with ThreatMetrix, as ThreatMetrix’s device intelligence solutions are already integrated into its Risk Defense Platform.

“Further integration of ThreatMetrix’s capabilities in device, email and social intelligence will build a more complete picture of risk in today’s global, mobile digital economy, providing both physical and digital identity solutions,” the company said.

ThreatMetrix has raised more than $90 million in funding, including $20 million in Series E funding in March 2014, $30 million in growth funding from Silicon Valley Bank in October 2016, and $12.1 million in 2010.

The transaction is expected to close during the first half of 2018.

EU Antitrust Regulators Fine Qualcomm $1.2 Billion Over Apple Deal
26.1.2018 thehackernews IT

The European Commission has levied a fine of €997 Million, approximately $1.2 Billion, against U.S. chipmaker Qualcomm Inc. for violating antitrust laws in a series of deals with Apple by "abusing its market dominance in LTE baseband chipsets."
According to the European Union (EU), Qualcomm paid Apple billions of dollars to make the iPhone-maker exclusively use its 4G chips in all its iPhones and iPads, reducing competition from other competing manufacturers in the LTE baseband chip industry like Intel.
The European Commission launched an investigation in 2015, which revealed that Qualcomm abused its market dominance in LTE baseband chipsets and struck a deal with Apple in 2011, which meant the iPhone maker would have to repay Qualcomm if it decided to use a rival's chipsets until the end of 2016, hurting innovation in the chip sector.
"This meant that no rival could effectively challenge Qualcomm in this market, no matter how good their products were. This is illegal under EU antitrust rules and why we have taken today's decision," EU competition commissioner Margrethe Vestager said in a press statement.
Apple received payments from Qualcomm for approximately 5 years between 2011 and 2016. The company still uses Qualcomm components in its iPhones and iPads, but it began using Intel LTE modems in its iPhone 7 and 7 Plus devices after the agreement ended.
The fine imposed on the chip maker is hefty, but won't hurt Qualcomm's bottom line significantly as it represents 4.9 percent of the company's turnover in 2017, according to the EU's antitrust commission.
Qualcomm said it 'strongly disagrees' with the European Commission's decision and will 'immediately appeal' it at the General Court of the European Union. The company also believes its agreement with Apple does not violate European Union competition law.
"We are confident this agreement did not violate EU competition rules or adversely affect market competition or European consumers," Qualcomm General Counsel Don Rosenberg said in a statement. "We have a strong case for judicial review, and we will immediately commence that process."
The fine is not Qualcomm's only battle: it is also fighting Apple over chip royalties and simultaneously fending off a $100 billion hostile takeover bid from rival chipmaker Broadcom, which it rejected last November as one that 'dramatically undervalued' the company.

Former Yahoo CISO Bob Lord Joins DNC
26.1.2018 securityweek IT

Former Yahoo chief information security officer Bob Lord has been appointed chief security officer at the Democratic National Committee (DNC), the formal governing body for the United States Democratic Party.

The announcement was made on Thursday and Lord has already told his Twitter followers that he is looking to hire.

“Very honored to be able to work with [DNC CTO Raffi Krikorian], [DNC Chairman Tom Perez], and the rest of the amazing team at the DNC,” Lord said on Twitter.

Lord is the DNC’s first CSO. His hiring comes after the organization was the target of cyberattacks in the months leading up to the 2016 presidential election in the United States. Security firms and intelligence agencies attributed the attacks to threat groups previously linked to the Russian government.

Before joining the DNC, Lord was Yahoo’s CISO for nearly two years. While at the tech firm, he led the investigations into the massive data breaches suffered by the company in 2013 and 2014. He was lured by Yahoo after the company’s former security chief, Alex Stamos, joined Facebook as CSO.

A veteran with more than 20 years of experience in cybersecurity, Lord has held leadership positions at AOL, Red Hat, Twitter and Rapid7.

Intel Tests Performance Impact of CPU Patches on Data Centers
18.1.2018 securityweek IT
Intel Patches for Meltdown and Spectre Cause More Frequent Reboots

Intel on Wednesday shared information on the performance impact of the Meltdown and Spectre patches on data centers, and the company told customers that systems with several types of processors may experience more frequent reboots after firmware updates are installed.

Performance impact on data centers

Roughly one week ago, Intel informed customers that the mitigations for the recently disclosed CPU flaws should have a negligible performance impact for operations typically conducted on home and business PCs. The company reported seeing performance penalties ranging from 2-14% on these types of systems.

Intel has also conducted some performance tests on data centers and the initial results show that, as expected, impact depends on the type of workload and the configuration of the system.

Tests conducted on Intel Xeon Scalable (Skylake) systems showed that impact on integer and floating point throughput, Linpack, STREAM, server-side Java, and energy efficiency, which are typical for enterprise and cloud customers, was 0-2%.

In the case of online transaction processing (OLTP), Intel saw a performance impact of roughly 4%. The company is in the process of conducting more tests and believes the results will depend on system configuration and other factors.

In the case of FlexibleIO, which simulates various I/O workloads, throughput performance decreased by 18% when the CPU was stressed, but there was no impact when CPU usage was low.

Intel saw the most significant performance penalties during Storage Performance Development Kit (SPDK) tests, specifically using iSCSI, reaching 25% when only a single core was used. However, there was no impact on performance when SPDK vHost was used.

Microsoft, AWS, Red Hat and others have also shared information on the impact of the Spectre and Meltdown mitigations on performance.

Intel has released firmware updates for 90% of the CPUs released in the last five years. While the company claims that the updates are effective at mitigating the Spectre and Meltdown attacks, users have reported seeing more frequent reboots after applying patches.

Intel initially said only systems running Broadwell and Haswell CPUs experienced more frequent reboots, but similar behavior has also been reported on Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms.

“We have reproduced these issues internally and are making progress toward identifying the root cause. In parallel, we will be providing beta microcode to vendors for validation by next week,” said Navin Shenoy, executive vice president and general manager of Intel’s Data Center Group.

Many affected vendors, including system manufacturers, have already released patches and workarounds for the Spectre and Meltdown vulnerabilities, but installing them has been known to cause serious problems.

Microsoft’s initial patches prevented systems with some AMD processors from booting, and Canonical’s Meltdown fix broke some devices running Ubuntu. Industrial control systems (ICS) vendors have warned customers that the patches for the CPU vulnerabilities should be thoroughly tested before being installed in order to prevent any disruptions.
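Before and after a microcode or OS update lands, the state a practitioner actually wants is whether each CPU flaw is now reported as mitigated and which microcode revision the processor is running, since the Spectre v2 mitigations the article discusses depend on the firmware being present. The Python below is an added example, not Intel's or any vendor's tooling: it parses the per-flaw files Linux 4.15+ exposes under /sys/devices/system/cpu/vulnerabilities and the microcode line of /proc/cpuinfo. The sample contents embedded here are constructed to look like a patched Skylake server and are not measurements from any host; the file formats themselves are the kernel's.

```python
import os
import re

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample contents (values made up for the example).
SAMPLE_VULNERABILITIES = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n",
}
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Intel(R) Xeon(R) Platinum 8180 CPU @ 2.50GHz\n"
    "microcode\t: 0x2000043\n"
    "flags\t\t: fpu vme de pse spec_ctrl\n"
)


def parse_vulnerabilities(entries):
    """Map each vulnerabilities/<name> text to (state, detail). The kernel
    writes one of 'Not affected', 'Vulnerable[: detail]' or
    'Mitigation: detail'; anything else is reported as unknown."""
    status = {}
    for name, text in entries.items():
        text = text.strip()
        if text.startswith("Mitigation:"):
            status[name] = ("mitigated", text.split(":", 1)[1].strip())
        elif text == "Not affected":
            status[name] = ("not_affected", "")
        elif text.startswith("Vulnerable"):
            detail = text.split(":", 1)[1].strip() if ":" in text else ""
            status[name] = ("vulnerable", detail)
        else:
            status[name] = ("unknown", text)
    return status


def microcode_revision(cpuinfo_text):
    """Microcode revision from /proc/cpuinfo, to be compared against the
    revision the vendor's guidance lists for this CPU model."""
    m = re.search(r"^microcode\s*:\s*(0x[0-9A-Fa-f]+)", cpuinfo_text, re.MULTILINE)
    return int(m.group(1), 16) if m else None


def unmitigated(status):
    """Flaws still open on this host, sorted for stable reporting."""
    return sorted(name for name, (state, _) in status.items()
                  if state in ("vulnerable", "unknown"))


def read_live_host():
    """Read the real files on a Linux host; returns None where the sysfs
    directory does not exist (older kernel or non-Linux)."""
    if not os.path.isdir(VULN_DIR):
        return None
    entries = {}
    for name in os.listdir(VULN_DIR):
        with open(os.path.join(VULN_DIR, name)) as fh:
            entries[name] = fh.read()
    with open("/proc/cpuinfo") as fh:
        cpuinfo = fh.read()
    return parse_vulnerabilities(entries), microcode_revision(cpuinfo)


if __name__ == "__main__":
    live = read_live_host()
    status, rev = live if live else (parse_vulnerabilities(SAMPLE_VULNERABILITIES),
                                     microcode_revision(SAMPLE_CPUINFO))
    print("microcode revision:", hex(rev) if rev is not None else "unknown")
    for name, (state, detail) in sorted(status.items()):
        print(f"{name:12s} {state:12s} {detail}")
    print("still open:", unmitigated(status) or "none")
```

Run it on a fleet before rolling the firmware update and again after: a host whose spectre_v2 line still says "Vulnerable" after the OS patch is one where the microcode never arrived, or was pulled back by the vendor because of the reboot problem described above.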

Threat Intelligence Tech Firm Anomali Raises $40 Million
18.1.2018 securityweek IT
Anomali, a security technology firm that offers a SaaS-based threat intelligence platform, today announced that it has raised $40 million in series D funding.

The additional funding brings the total amount raised to-date by the company to $96 million.

Anomali Logo

According to the company, the investment will help accelerate its growth globally and continue product development.

Formerly known as ThreatStream, the company rebranded itself as Anomali in February 2016.

Headquartered in Redwood City, Calif., the company is led by ArcSight co-founder Hugh Njemanze, who took the role as CEO in July 2014. Njemanze co-founded ArcSight in May 2000 and led product development, information technology deployment and product research leading up to HP’s acquisition of ArcSight for $1.75 billion in 2010.

The Series D round was led by Lumia Capital, with Deutsche Telekom Capital Partners (DTCP), Telstra and Sozo Ventures also participating in the round along with returning investors GV, General Catalyst, IVP and Paladin Capital Group.

Game of Drones – Researchers devised a technique to detect drone surveillance
17.1.2018 securityaffairs IT

A group of Israeli researchers at Ben Gurion University have built a proof-of-concept system that can tell whether a drone is being used to spy on a given target.
Drones have created a new threat to people’s privacy. Anyone with a camera-equipped drone can potentially violate our privacy by streaming a subject in his or her private space over an encrypted first person view (FPV) channel.

Experts suggested many methods to detect nearby drones, but they all suffer from the same shortcoming: they cannot identify exactly what is being captured, and therefore they fail to distinguish between the legitimate use of a drone (for example, to use a drone to film a selfie from the air) and illegitimate use that invades someone’s privacy (when the same operator uses the drone to stream the view into the window of his neighbor’s apartment), a distinction that in some cases depends on the orientation of the drone’s video camera rather than on the drone’s location.

A group of Israeli researchers at Ben Gurion University in Beer Sheva (Ben Nassi, Raz Ben-Netanel, Adi Shamir, Yuval Elovici) have built a proof-of-concept system against surveillance operated with spying drones that is able to determine whether a certain person or object is under drone surveillance.

The system first generates a recognizable pattern on whatever subject someone might want to protect from aerial surveillance; the researchers then intercept the drone’s radio signals and scan the encrypted video stream it sends back to the operator for the signature of that pattern.

“In this paper, we shatter the commonly held belief that the use of encryption to secure an FPV channel prevents an interceptor from extracting the POI that is being streamed. We show methods that leverage physical stimuli to detect whether the drone’s camera is directed towards a target in real time,” wrote the researchers.

“We investigate the influence of changing pixels on the FPV channel (in a lab setup). Based on our observations we demonstrate how an interceptor can perform a side-channel attack to detect whether a target is being streamed by analyzing the encrypted FPV channel that is transmitted from a real drone (DJI Mavic) in two use cases: when the target is a private house and when the target is a subject.”

The experts leverage the “delta frames” technique: instead of encoding video as a series of raw images, the video is compressed into a series of changes from the previous image. A video stream of a still object therefore contains fewer bytes of data than a stream of an object in motion or of an image that continuously changes color.

That compression behaviour can reveal key information about the content of the video to someone intercepting the stream, and it does so even when the data is encrypted: encryption hides the pixels, not how many bytes each frame occupies.

In their tests, the Ben Gurion researchers used a “smart film” to toggle the opacity of several panes of a house’s windows. Flying a DJI Mavic quadcopter to spy on the house, they demonstrated that the technique was able to detect the panes switching from opaque to transparent and back again. A parabolic antenna and a laptop were used to intercept the drone’s radio signals sent back to the operator and to search for the pattern in the encrypted data stream, revealing whether the UAV was being used for aerial surveillance of the house.


“In another test, they put blinking LED lights on a test subject’s shirt, and then were able to pull out the binary code for “SOS” from an encrypted video focused on the person, showing that they could even potentially “watermark” a drone’s video feed to prove that it spied on a specific person or building.” reported Wired.

Nassi confirmed that the technique works at ranges where it is very difficult to spot a surveillance drone in the sky: the researchers tested it from a range of about 150 feet, and the range is scalable by using a more powerful antenna.
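The delta-frame side channel and the watermarking idea above can be reproduced in a small simulation. The following is an added example, not code from the researchers or from the article: it models only the size of each encrypted frame (which is all an interceptor can see), makes frame size grow with the number of changed pixels, and checks whether the sizes track a known on/off stimulus (the Morse code for SOS, as in the LED test). The byte counts, noise level and threshold are assumed values chosen for illustration. It also shows the mitigation a defender would want: padding every frame to a constant size removes the correlation entirely.

```python
"""Simulation of the delta-frame bitrate side channel and a padding mitigation.

Constructed example: only frame *sizes* are modelled, because that is all an
interceptor sees on an encrypted FPV channel. Parameter values are assumptions.
"""
import math
import random


def morse_sos():
    """Per-frame on/off stimulus: the Morse code for "SOS" (dot = 1 frame lit,
    dash = 3 frames lit, one dark frame between symbols, two between letters)."""
    dot, dash, letter_gap = [1, 0], [1, 1, 1, 0], [0, 0]
    s, o = dot * 3, dash * 3
    return s + letter_gap + o + letter_gap + s


def encode_stream(stimulus, in_view, base=1500, per_change=4000, noise=200, seed=7):
    """Simulated size in bytes of each encrypted delta frame.

    When the stimulus is in the camera's view, frames in which the panes or LEDs
    switch contain many changed pixels and so are much larger; when the camera
    points elsewhere, frame sizes vary only with unrelated scene motion
    (modelled as noise that is independent of the stimulus).
    """
    rng = random.Random(seed)
    sizes = []
    for lit in stimulus:
        if in_view:
            sizes.append(base + per_change * lit + rng.randint(-noise, noise))
        else:
            sizes.append(base + rng.randint(0, per_change))
    return sizes


def correlation(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 if either is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / math.sqrt(vx * vy)


def stimulus_present(sizes, stimulus, threshold=0.8):
    """True when the encrypted frame sizes track the known stimulus pattern."""
    return correlation(sizes, stimulus) >= threshold


def pad_frames(sizes, frame_size=8000):
    """Mitigation: pad every encrypted frame to a fixed size so that the number
    of changed pixels no longer shows in the ciphertext length."""
    if max(sizes) > frame_size:
        raise ValueError("frame_size must be at least the largest frame")
    return [frame_size] * len(sizes)


if __name__ == "__main__":
    pattern = morse_sos()
    print("camera on target :", round(correlation(encode_stream(pattern, True), pattern), 3))
    print("camera elsewhere :", round(correlation(encode_stream(pattern, False), pattern), 3))
    print("padded frames    :", round(correlation(pad_frames(encode_stream(pattern, True)), pattern), 3))
```

With the camera on the target the correlation is close to 1; with it pointed elsewhere it stays near 0; and once frames are padded to a constant length the series is flat and the correlation is exactly 0, which is why constant-bitrate or padded encoding, not encryption alone, is the countermeasure to this class of leak.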

Spectre/Meltdown patches had a significant impact on SolarWinds’s AWS infrastructure
17.1.2018 securityaffairs IT

Analysis conducted by SolarWinds of the performance impact of the Spectre/Meltdown patches on its own Amazon Web Services infrastructure revealed serious performance degradation.
SolarWinds, a vendor of IT management and monitoring software, analyzed the performance impact of the Meltdown and Spectre security patches on its own Amazon Web Services infrastructure.

The results are disconcerting: the company graphically represented the performance of “a Python worker service tier” on paravirtualized (PV) AWS instances.

The CPU usage jumped up to roughly 25% just after Amazon restarted the PV instance used by the company.

“As you can see from the following chart taken from a Python worker service tier, when we rebooted our PV instances on Dec 20th ahead of the maintenance date, we saw CPU jumps of roughly 25%.” states the analysis published by SolarWinds.

The company also monitored the performance of its EC2 instances noticing a degradation while Amazon was rolling out the Meltdown patches.

“AWS was able to live patch HVM instances with the Meltdown mitigation patches without requiring instance reboots. From what we observed, these patches started rolling out about Jan 4th, 00:00 UTC in us-east-1 and completed around 20:00 UTC for EC2 HVM instances in us-east-1. ” continues the analysis.

“CPU bumps like this were noticeable across several different service tiers:”

In summary, the packet rate dropped by up to 40% on its Kafka cluster, while CPU utilization spiked by around 25 percent on Cassandra.

The deployment of the patches also had some positive effects: CPU utilization rates later decreased, as the company noted in an update issued on Jan 12, 2018.

“As of 10:00 UTC this morning we are noticing a step reduction in CPU usage across our instances. It is unclear if there are additional patches being rolled out, but CPU levels appear to be returning to pre-HVM patch levels.” states the firm.

Mike Heffner
New EC2 hot patches for Meltdown/Spectre rolling out? Previous CPU bumps appear to be dropping off starting after 10:00 UTC this morning.

3:06 PM - Jan 12, 2018

BlackBerry Launches Security Product for Automotive, Other Industries
17.1.2018 securityweek IT

BlackBerry announced on Monday the launch of Jarvis, a new cybersecurity service designed to help companies in the automotive and other sectors find vulnerabilities in their software.

Jarvis has been described by BlackBerry as a cloud-based static binary code analysis software-as-a-service (SaaS) product. The tool is currently used by automakers, including Britain’s largest car maker, Jaguar Land Rover, but BlackBerry says it is ideal for other types of organizations as well, including in the healthcare, aerospace, defense, and industrial automation sectors.

Modern cars use hundreds of software components, including many provided by third-party vendors across several tiers. While this approach has some advantages, it also increases the chances of vulnerabilities making it into the software somewhere along the supply chain.

Jarvis aims to address this issue by scanning code and offering actionable information within minutes. In addition to finding vulnerabilities, the service also helps ensure compliance with various standards.

BlackBerry claims the new product performs tasks that would require a large number of experts and a lot of time, which should help companies save money. The tool can be integrated with existing development tools and APIs.

“Connected and autonomous vehicles require some of the most complex software ever developed, creating a significant challenge for automakers who must ensure the code complies with industry and manufacturer-specific standards while simultaneously battle-hardening a very large and tempting attack surface for cybercriminals,” said John Chen, executive chairman and CEO of BlackBerry.

“Jarvis is a game-changer for OEMs because for the first time they have a complete, consistent, and near real-time view into the security posture of a vehicle's entire code base along with the insights and deep learning needed to predict and fix vulnerabilities, ensure compliance, and remain a step ahead of bad actors,” Chen added.

Jarvis is an online tool that can be used by companies as a pay-as-you-go service. The product can be customized for each organization’s needs and their specific supply chain, allowing them to scan code at every stage of the development process.

FireEye Acquires Big Data Firm X15 Software
17.1.2018 securityweek IT

Cyber threat protection firm FireEye said on Friday that it has acquired privately held big data platform provider X15 Software in a deal valued at roughly $20 million.

Under the terms of the acquisition, which closed on Jan. 11, FireEye agreed to pay approximately $15 million in equity and $5 million in cash to acquire Sunnyvale, Calif.-based X15.

FireEye says that X15’s technology will “add significant data management capabilities and provide customers with an open platform for integrating machine-generated data that can easily incorporate new security technologies and big data sources to adapt to the evolving threat environment.”

Shortly after acquiring security orchestration firm Invotas in February of 2016, FireEye made a push into orchestration and automation with the launch of its Security Orchestrator offering, designed to help eliminate repetitive manual processes, reduce process errors, and automate the correct response between different security controls. In late 2016, the company unveiled Helix, a platform designed to help customers efficiently integrate and automate security operations functions.

“Organizations today are overwhelmed by alerts, the number of tools required to manage their security operations, and the challenge of unifying access to the large volumes of data that matter,” John Laliberte, senior vice president of engineering at FireEye, said in a statement. “X15 Software technology will accelerate our strategy of delivering an innovative, next-gen security platform.”

FireEye claims that the integration of X15 Software’s technology will help FireEye’s security operations platform address the challenges of collecting, querying and analyzing large volumes of machine-generated data in real-time and manage security data from on-premise, hybrid and cloud environments.

X15 Software was founded in 2013 and currently employs approximately 20 employees.

Security Operations Firm Arctic Wolf Raises $16 Million
11.1.2018 securityweek IT
Arctic Wolf Networks, a Sunnyvale, Calif.-based company that offers outsourced security operations center (SOC) services, announced on Wednesday that it has raised $16 million in new funding.

According to the company, the new injection of cash will help support overall business growth, and fuel sales and marketing, product development and strategic alliance initiatives.

With security operations teams overwhelmed by the sheer volume of vulnerabilities across the enterprise, they are falling behind in efforts to remediate them. According to a mid-2017 report published by EMA, seventy-four per cent of security teams admit they are overwhelmed by the volume of maintenance work required.

This is a problem that Arctic Wolf aims to help with. The company offers a turnkey “SOC-as-a-Service” that includes what the company calls a “Concierge Security Engineer” (CSE), a single point of contact for a customer and an extension of the customer’s internal security team.

“Security operations centers are an essential element of modern cybersecurity, and every company needs one,” said Brian NeSmith, CEO and co-founder of Arctic Wolf. “We are transforming how companies look at cybersecurity from a product-centric view to one focused on proactive detection and response. The new funding allows us to invest in key areas of the business and maintain our extraordinary growth trajectory.”

The funding round was led by Sonae Investment Management with participation from Lightspeed Venture Partners, Redpoint Ventures and Knollwood Investment Advisory.

Endgame Lands $1 Million Contract From U.S. Navy
11.1.2018 securityweek IT
Endgame, an Arlington, VA-based supplier of advanced endpoint protection software, has been awarded a $1 million contract by the U.S. Fleet Cyber Command/U.S. Tenth Fleet. The purpose of the contract is to protect more than 500,000 computers and ships' hull, mechanical and electrical systems, weapons and navigation systems, aviation systems, and the technology controlling physical devices on bases and facilities.

"Endgame is honored to enter this partnership with the U.S. Navy," said Nate Fick, Endgame CEO and U.S. military combat veteran. "The Navy is widely known as being on the cutting-edge of cybersecurity defenses, and we were happy to exceed their protection requirements during this competitive process. Safeguarding the most targeted organizations across the Department of Defense is an important part of our mission, and we look forward to continuing it with the Navy."

Fleet Cyber Command is the central cyber authority for the entire U.S. Navy, serving (in its own words), "to direct Navy cyberspace operations globally to deter and defeat aggression and to ensure freedom of action to achieve military objectives in and through cyberspace."

Specifically, the contract is for the acquisition of the Endgame Hunt Team Platform with 10,000 sensors, plus maintenance and support.

Endgame credits the contract to its existing history in protecting both federal government and the U.S. military, and its ability to protect against targeted attack techniques and technologies outlined in the MITRE ATT&CK Matrix. In 2016 it was awarded an $18.8 million contract by the U.S. Air Force.

The Navy's contract justification and approval document is more specific: "Delivered as a single agent, replacing the functions of AV, NGAV, IR, EDR, and exploit prevention agents, Endgame stops all targeted attacks and their components." It scans for vulnerabilities, compares against current STIG checklists, and conducts "if-then scenarios with secondary and tertiary effects (also known as a blast radius)..."

The STIG checklist is a NIST Windows 10 Security Technical Implementation Guide designed to improve the security of Department of Defense information systems. Endgame automatically maps the network against the STIG checklist to evaluate the network's security posture.

While stressing that FLTCYBER will continue to monitor the evolution of EDR, EPP and Next Gen AV technologies that could compete with Endgame in the future, it found that no other single technology currently provides all of its requirements. While combinations of other products could provide much of its required functionality, some requirements could still only be found in Endgame.

Of particular note is Endgame's ability to calculate the "blast radius" on a compromised box. Applied to cybersecurity, the blast radius is the potential effect on the overall network from a compromise. Network segmentation can, for example, limit the blast radius. Endgame's ability to apply 'what-if' scenarios can help security teams determine whether their network configuration is able to contain a potential compromise.
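The "blast radius" and "what-if" ideas described here can be illustrated with a small reachability model. The following is an added example and is not Endgame's implementation or the Navy's requirement; it assumes a hypothetical inventory of hosts in named network segments and a set of segment-to-segment flows the firewall allows (hosts within one segment are treated as mutually reachable). The blast radius of a compromised host is every host in any segment reachable from its own, and a what-if scenario is the same computation with a proposed rule change applied.

```python
"""Blast-radius what-if model over a segmented network (constructed example)."""
from collections import deque

# Hypothetical inventory: host -> network segment.
HOSTS = {
    "ws-01": "users", "ws-02": "users",
    "app-01": "apps",
    "db-01": "data",
    "jump-01": "mgmt",
    "plc-01": "ot",
}
SEGMENTS = sorted(set(HOSTS.values()))

# A flat network: every segment may reach every other one.
FLAT_FLOWS = {(a, b) for a in SEGMENTS for b in SEGMENTS if a != b}

# Segmented: users reach apps, apps reach data, only management reaches OT.
SEGMENTED_FLOWS = {
    ("users", "apps"), ("apps", "data"),
    ("mgmt", "users"), ("mgmt", "apps"), ("mgmt", "data"), ("mgmt", "ot"),
}


def reachable_segments(flows, start):
    """Segments an intruder could pivot into from `start`, following allowed
    flows transitively (breadth-first search over the segment graph)."""
    seen, queue = {start}, deque([start])
    while queue:
        seg = queue.popleft()
        for src, dst in flows:
            if src == seg and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def blast_radius(hosts, flows, compromised):
    """Hosts exposed if `compromised` is taken over: everything in any segment
    reachable from its own (hosts in one segment are assumed mutually reachable)."""
    segs = reachable_segments(flows, hosts[compromised])
    return sorted(h for h, s in hosts.items() if s in segs)


def what_if_remove(hosts, flows, compromised, flow):
    """Blast radius after a proposed change: dropping one allowed flow."""
    return blast_radius(hosts, flows - {flow}, compromised)


if __name__ == "__main__":
    print("flat network, ws-01 compromised     :", blast_radius(HOSTS, FLAT_FLOWS, "ws-01"))
    print("segmented, ws-01 compromised        :", blast_radius(HOSTS, SEGMENTED_FLOWS, "ws-01"))
    print("segmented, drop apps->data, ws-01   :",
          what_if_remove(HOSTS, SEGMENTED_FLOWS, "ws-01", ("apps", "data")))
    print("segmented, jump-01 compromised      :", blast_radius(HOSTS, SEGMENTED_FLOWS, "jump-01"))
```

The comparison makes the containment argument concrete: on the flat network a single workstation compromise exposes every host, segmentation cuts that to the user, application and data tiers, and the what-if run shows that one additional rule change keeps the database out of reach. It also shows where the risk concentrates: the management jump host reaches everything, so it deserves the strongest controls.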

"No other product has been found by the FLTCYBER team at this time that can perform the blast radius function of Endgame," the Navy explained. "This has been identified as a key requirement by FLTCYBER."

Endgame was founded in 2008 by Chris Rouland and other executives who previously worked with the CIA and Internet Security Systems. It originally discovered and sold 0-day vulnerabilities, but shifted away from this around 2014. Under Fick's leadership it has grown its commercial offering using a $23 million Series B funding round in March 2013 followed by a $30 million Series C round in November 2014.

AT&T Backs Away From Deal to Supply China Made Huawei Phones
11.1.2018 securityweek IT
AT&T has reportedly walked away from a deal to provide U.S. customers with new mobile phones made by Chinese technology giant Huawei.

Based in Shenzhen, China, Huawei announced in December 2017 that it would be supplying smartphones via U.S. carriers this year; and it was widely expected that a deal would be announced during the CES Huawei Keynote speech in Las Vegas on Tuesday.

But just one day earlier, The Wall Street Journal reported that AT&T had backed out of the deal under political pressure. Members of the U.S. Senate and House intelligence committees had apparently written to the FCC on 20 December, 2017, noting concerns over "Chinese espionage in general, and Huawei's role in that espionage in particular."

It is assumed that this led to political pressure on AT&T to abandon the deal; and it is believed that Verizon is under pressure not to conclude a similar deal with Huawei later in the year. Huawei has been a persona non grata in U.S. official channels since a 2012 Congressional Report raised concerns over possible state-sponsored espionage delivered via Huawei communications equipment.

Huawei has always denied any involvement with the Chinese government; and the U.S. is almost alone in 'banning' (effectively, if not legally) Huawei equipment. Similar concerns in the UK government have to a large extent been mitigated by the ability to examine hardware and reverse engineer software under GCHQ overview at a location called The Cell in Banbury, near Oxford.

There is little official comment about what happened this week. It seems from the Tuesday comments of Huawei's consumer business unit CEO Richard Yu that Huawei blames AT&T for the breakdown of the deal. "It's a big loss for consumers," he told his audience, "because they don't have the best choice for devices."

Although entering the market late, Huawei is already the world's third largest supplier of smartphones, behind only Samsung and Apple. Access to the huge American market, where by far the majority of phones are provided by the carriers, will now be seriously limited. It is worth noting that there is no legal ban on Huawei phones, and the Chinese company will still sell them to American consumers through online outlets such as Amazon.

There are some similarities with the US government ban on Russia's Kaspersky Lab products. In both cases, concern has been raised over historical ties with the founders' respective governments. Eugene Kaspersky, founder and CEO of Kaspersky Lab, was educated at a KGB-sponsored school and served in the Russian military as a software engineer; while Ren Zhengfei, founder and president of Huawei Technologies Co, is an ex-People's Liberation Army officer. There is concern that both companies could retain covert relations with their respective governments.

There is, however, one very big difference. With Kaspersky Lab, the ban is on its use by federal agencies. With Huawei, the ban is effectively on anyone seeking to acquire Huawei hardware via a phone-and-data-plan from a carrier; that is, the Huawei ban excludes general consumers -- who could pose no national security risk -- from acquiring these phones in the most popular manner.

This in turn has raised some concerns that the pressure on AT&T is more economic and perhaps geopolitical than it is national security. Could it be additional political pressure on China to be more proactive against North Korea? Or could it be a visible manifestation of 'America First' and President Trump's demand that China balance bilateral trade between the two countries?

Either way, it is unlikely to be good for U.S./China relations.

The South China Morning Post today quoted He Weiwen, a former business counselor at the Chinese consulate in New York. "Investment cooperation between China and the U.S. will be squeezed," he said. "China should contemplate countermeasures."

However, at this stage it is only conjecture (however well-informed) that this is a U.S. political move -- without further details it could be an AT&T business decision.

"This might be because there is something preinstalled on the phones that AT&T doesn't agree with; for example, preinstalled software, certificate authority certificates and other things that might yield some kind of data gathering capabilities and/or control either directly or indirectly," noted F-Secure's principal security consultant Tom Van de Wiele. "It might be that Huawei is putting its foot down on the application eco-system and its rules."

He also pointed out further non-political issues that could have scuppered the deal. "The phone might be too 'open' in that it easily allows you to unlock it and switch telcos, away from AT&T -- and that's still a huge thing in the U.S."

Similarly, there are potential security issues with any phone, possibly heightened by Huawei phones using Huawei proprietary chips. "As Android devices come in a multitude of deployments -- it's easier for overly 'curious' features to get included without being noticed," F-Secure's security adviser Sean Sullivan told SecurityWeek. "There have been several cases in which vendors screwed up and included things such as Baidu components in European deployments."

But he added, "These were budget phones; you get the quality that you pay for. In the case of Huawei -- too many eyes are/would be auditing its devices -- it's doubtful that anything deliberate would be done via an AT&T phone." Sullivan is not convinced that the AT&T deal has been shelved for purely security concerns.

This is the second China deal to have been prevented in the last few days. Last week the U.S. Committee on Foreign Investment rejected Chinese firm Ant Financial's takeover bid for U.S.-based money transfer firm MoneyGram -- again citing national security concerns.

Inside McAfee's Acquisition of Skyhigh Networks
5.1.2018 securityweek IT
McAfee Completes Acquisition of Skyhigh Networks

On Jan. 3, McAfee completed the acquisition of Skyhigh Networks that was announced in November 2017. McAfee itself was spun out of Intel in April 2017 with the express purpose of becoming one of the world's largest pure play cybersecurity firms. The purchase of Skyhigh, a cloud access security broker (CASB), now allows McAfee to offer an integrated security solution from endpoint across networks and into the cloud.

"Today's news marks a new milestone for the future of our company in cloud," said Chris Young, McAfee's CEO. "With two industry leaders meeting under one company, we will make cybersecurity an enabler to the transformative power of our digital age. We are focused on securing customers from their devices to the cloud."

SecurityWeek talked to McAfee SVP and CTO Steve Grobman to understand the mechanics and purpose of this new, expanded, McAfee. "McAfee's strategy," he said, "is all about security from the device to the cloud, and supporting organizational defense with all the information that comes from both of those places. McAfee currently has a very strong set of technologies on the endpoint, on the devices -- but what the Skyhigh acquisition does is provide a very powerful control point in the cloud for a wide range of cloud security use cases."

He believes there are three exciting aspects to this purchase: being able to offer greater cloud visibility and control under the McAfee umbrella; the improved threat detection that will come from seeing both cloud and on-premise threats in context; and the continuing growth potential of CASBs in their own right.

The Skyhigh solution offers three primary aspects to cloud security: visibility into the cloud; control over interaction with the cloud; and greater awareness of and solutions to the threats inherent in moving into public cloud. "At the highest level," he said, "a big part of the cloud problem is just awareness of what Shadow IT services an organization is using. More often than not, people are not using shadow IT because they are malicious, but rather because they have found a more efficient way for them to get their job done.

"Skyhigh," he continued, "can identify the use of Shadow IT so that an organization can determine whether it's an approved and sanctioned use of cloud capabilities, and take appropriate action." This is useful. Employees can sometimes find a better solution to their work requirements than is currently available from the IT department. Simply banning Shadow IT probably would not work, but would certainly have a negative effect on employee initiative and productivity. Knowing what is being used allows the security team to analyze the risk and determine whether and to what extent a newly used cloud application should be allowed within the enterprise.

The second aspect, he continued, "is about controlling and managing access, content and methodologies for cloud services. That's either through proxies or through native cloud APIs that provide better visibility into the way that users are accessing these services." He gave the example of moving from on-prem Exchange to cloud Office 365, where the organization will need to ensure that sensitive information isn't flowing to places it shouldn't.

"The organization might want to have different policies for what users can do when they access the cloud based on different access scenarios. For example, if employees are using a managed corporate laptop, they might have unrestricted access to O365 where they can download documents with the full versions of Word or Excel. But if they are accessing their account through their personal phone there might be a policy setting that would restrict them to only using the web interface; or requiring that if they download a document, it is wrapped in an enterprise or digital rights management control. Being able to control how the cloud is used makes it possible to minimize risk."

The third element is in identifying and solving the new risks that come with moving to the cloud. "When organizations move to the cloud, they need to be aware of all sorts of new risks that a CASB solution is able to monitor, detect and alert on," he said. He gave AWS S3 misconfigurations as an example. "There have been numerous data breaches recently involving the misconfiguration of access controls in public cloud storage. Users have inadvertently given world read access to an Amazon S3 bucket, giving anyone access to what should be protected data." Examples include the exposure of tens of thousands of potentially sensitive government files disclosed in June 2017; the personal details of 198 million American voters also disclosed in June 2017; and millions of Dow Jones customer details exposed in July 2017.
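The S3 misconfiguration Grobman describes is the kind of check a CASB or an in-house audit script performs. The following is an added example, not Skyhigh or McAfee code: it inspects a bucket policy and a bucket ACL in the document shapes returned by the S3 GetBucketPolicy and GetBucketAcl APIs and reports grants that make the bucket world-readable (an anonymous `Principal` of `*`, or an ACL grant to the AllUsers / AuthenticatedUsers groups). Fetching the documents from AWS (for example with boto3) is assumed to happen outside the script; the policy, ACL and account ID below are constructed samples.

```python
"""Offline check for world-readable S3 bucket configuration (constructed example).

Works on policy and ACL documents in the shape returned by the S3 GetBucketPolicy
and GetBucketAcl APIs; fetching them (e.g. with boto3) is left to the caller.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, unauthenticated."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_findings(policy_json):
    """Allow statements that grant read actions to anyone. Statements carrying a
    Condition are reported separately: the condition may narrow the grant
    (e.g. to a source IP range) and needs a human look."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        sid = st.get("Sid", f"statement[{i}]")
        kind = "public-read (conditional)" if st.get("Condition") else "public-read"
        findings.append(f"policy {sid}: {kind}")
    return findings


def public_acl_findings(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for g in acl.get("Grants", []):
        uri = g.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            who = "AllUsers" if uri == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"acl: {g.get('Permission')} granted to {who}")
    return findings


def audit_bucket(policy_json, acl):
    """All public-access findings for one bucket (empty list means none found)."""
    return public_policy_findings(policy_json) + public_acl_findings(acl)


# Constructed sample documents (account ID and bucket name are placeholders).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                          "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                           "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for name, pol, acl in [("leaky", PUBLIC_POLICY, PUBLIC_ACL),
                           ("locked-down", PRIVATE_POLICY, PRIVATE_ACL)]:
        print(name, audit_bucket(pol, acl) or ["no public access found"])
```

The check deliberately looks at both mechanisms, because a bucket can be exposed by either one: a policy with an anonymous principal, or a legacy ACL grant to a global group, and a private policy does nothing to undo a public ACL.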

What really excites Grobman about the Skyhigh acquisition is the ability to combine and integrate visibility into cloud threats with McAfee's existing visibility into on-premise threats.

"A large part of threat detection today is not in identifying a threat from just one event, but understanding threats from multiple events chained together," Grobman said. "In order to do this effectively, you need to have visibility into events from many different sources, including both the cloud and on-prem corporate devices. This is one reason why the Skyhigh acquisition makes a lot of sense for McAfee -- it is the aggregation of looking at the information coming from both the cloud computing element of the organization as well as traditional computing resources. When you put these together you can identify a lot of threats that would be difficult to detect individually."

Now the acquisition is complete, Grobman explained that Skyhigh will largely exist as its own division within McAfee. "Rajiv Gupta, the founder and CEO of Skyhigh, will join McAfee CEO Chris Young's staff and drive the product line as its own business unit. There are a few exceptions related to back office functions, like finance and HR," he added, "but for the most part, the initial approach is for Skyhigh to be its own business unit."

The definitive roadmap for things like branding are still being investigated. For the moment, the official McAfee announcement describes Skyhigh as "now part of the new cloud security business unit, led by Rajiv Gupta, former Skyhigh Networks chief executive officer."

"What we're concentrating on," said Grobman, "is really building on the synergies that Skyhigh will bring to our environment; taking McAfee's world class protection technology and integrating that into Skyhigh -- being able to look at event data from both cloud sources and traditional computing and have those work together in order to give our customers a better ability to detect threats within their infrastructure. So although the Skyhigh business will be a separate business unit within McAfee, there will be lots of work to maximize the value of the solution the system can bring to both existing and new customers."

And that, of course, is another offering from the acquisition. The CASB market is still a rapidly growing and emerging area. "There are still many customers that have yet to deploy a CASB solution," said Grobman. "We are very much looking forward to the opportunity to present this technology solution -- especially in the context of McAfee's other technology -- to organizations that are not yet McAfee customers."

FCC Just Killed Net Neutrality—What Does This Mean? What Next?
17.12.2017 thehackernews  IT
Net neutrality is DEAD—3 out of 5 federal regulators voted Thursday to hand control of the future of the Internet to cable and telecommunication companies, giving them powers to speed up service for websites they favor or slow down others.
As proposed this summer, the US Federal Communications Commission (FCC) has rolled back Net Neutrality rules that require Internet Service Providers (ISPs) to treat all services and websites on the Internet equally and prohibit them from blocking sites or charging for higher-quality service.
This action repeals the FCC's 2015 Open Internet Order decision taken during the Obama administration.
What is Net Neutrality and Why Is It Important?
Net Neutrality is simply Internet Freedom—Free, Fast and Open Internet for all.
In other words, Net Neutrality is the principle that governs ISPs to give consumers access to all and every content on an equal basis, treating all Internet traffic equally.
Today, if there's something that makes everyone across the world 'Equal,' it is the Internet.
Equality over the Internet means that all ISPs have to treat major websites like Facebook and Google in the same way as someone's local shop website, and that the wealthiest man in the world has the same rights to access the Internet as the poorest.
This is what "Net Neutrality" aims at.
Here's Why the FCC Repeals Net Neutrality Rules
The FCC Chairman for the Trump administration, Ajit Pai, who has openly expressed his views against net neutrality, was previously quoted as saying that Net Neutrality was "a mistake."
Pai has previously argued that the 2015 regulations had discouraged internet providers from investing in their networks, as well as slowed the expansion of internet access.
On Thursday, the FCC's two Democrats voted against the decision to repeal Net Neutrality, and the three Republican members, including Chairman Pai, Commissioner Brendan Carr, and Commissioner Mike O'Rielly, voted to overturn the protections put in place in 2015.
Here's what all the three Republicans said in their remarks about their decision to repeal Net Neutrality:
"Prior to the FCC's 2015 decision, consumers and innovators alike benefitted from a free and open internet. This is not because the government imposed utility-style regulation. It didn't. This is not because the FCC had a rule regulating internet conduct. It had none. Instead through Republican and Democratic administrations alike, including the first six years of the Obama administration, the FCC abided by a 20-year bipartisan consensus that the government should not control or heavily regulate internet access," said Commissioner Carr.
"I sincerely doubt that legitimate businesses are willing to subject themselves to a PR nightmare for attempting to engage in blocking, throttling, or improper discrimination. It is simply not worth the reputational cost and potential loss of business," said Commissioner O'Rielly.
"How does a company decide to restrict someone's accounts or block their tweets because it thinks their views are inflammatory or wrong? How does a company decide to demonetize videos from political advocates without any notice?...You don't have any insight into any of these decisions, and neither do I, but these are very real actual threats to an open internet," said Chairman Pai.
Here's How the Internet & Tech Firms Reacted
The response from the tech industry was swift and loud and predictable. The industry isn't happy with what is turning out to be the Trump administration's biggest regulatory move yet.
"We are incredibly disappointed that the FCC voted this morning – along partisan lines – to remove protections for the open internet. This is the result of broken processes, broken politics, and broken policies. As we have said over and over, we'll keep fighting for the open internet, and hope that politicians decide to protect their constituents rather than increase the power of ISPs," Mozilla said in a statement.
"Today's decision from the Federal Communications Commission to end net neutrality is disappointing and harmful. An open internet is critical for new ideas and economic opportunity – and internet providers shouldn't be able to decide what people can see online or charge more for certain websites," said Sheryl Sandberg, Chief Operating Officer of Facebook.
"We're disappointed in the decision to gut #NetNeutrality protections that ushered in an unprecedented era of innovation, creativity & civic engagement. This is the beginning of a longer legal battle. Netflix stands w/ innovators, large & small, to oppose this misguided FCC order," Netflix tweeted.
Obviously, Internet providers are more likely to strike valuable deals with large, established services and websites than relatively unknown companies or startups, which will be hit hardest by the repeal.
With no surprise, ISPs including Comcast, Verizon, and AT&T have welcomed the new rules, saying they will not block or throttle any legal content but may engage in paid prioritization.
Since the commission will take a few weeks to make final adjustments to the new rules, you will not see any potential change right away.
What Next? Can Net Neutrality Be Saved?
Obviously, you cannot do anything overnight to repeal the decision.
Reportedly, attorney generals from across the country and consumer advocacy groups are considering suing the FCC in an attempt to reverse Thursday's repeal of net neutrality rules.
To overturn the FCC's order, critics and internet activists are also going to push for Congress to step in and pass a resolution of disapproval using the Congressional Review Act.
"This fight isn't over. With our allies and our users, we will turn to Congress and the courts to fix the broken policies," Mozilla said.
"We're ready to work with members of Congress and others to help make the internet free and open for everyone," Sheryl Sandberg said.
"We will continue our fight to defend the open Internet and reverse this misguided decision," Twitter said.
The FCC's repeal of net neutrality will take effect 60 days after publication in the Federal Register, which doesn't happen immediately and could take six weeks or even more after the FCC vote.
Once it becomes law, the repeal will return everything to the state it was in before 2015.