Posts tagged Security

Run WordPress SEO by Yoast on your website? You need to update it
Graham Cluley Security News
WordPress SEO by Yoast has over one million active users, running it on their self-hosted WordPress sites to boost their appearance in search engine results. And, as we all know, the higher you appear in search engines, the more traffic you will get.

View full post on SEO – Google News

SearchCap: SEO Fears, Google Security Flags & Doodles

Below is what happened in search today, as reported on Search Engine Land and from other places across the web.

The post SearchCap: SEO Fears, Google Security Flags & Doodles appeared first on Search Engine Land.

View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

Google Says They May Flag Broken Security Certificates In The Search Results

Google may flag sites that have broken security certificates in the search results. They may also boost the ranking benefit on login pages, to prevent phishing attempts.

The post Google Says They May Flag Broken Security Certificates In The Search Results appeared first on Search Engine Land.

View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

Google Says About Half Of Security Certificates Are Broken On The Web

Google may flag sites that have broken security certificates in the search results. They may also boost the ranking benefit on login pages, to prevent phishing attempts.

The post Google Says About Half Of Security Certificates Are Broken On The Web appeared first on Search Engine Land.

View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

How Blackphone Turned A Security Fail Into A Win

Last year, privacy-focused Blackphone got a dubious distinction: It became known as the locked-down phone that supposedly got hacked in just 5 minutes.

Things have changed. Now, it’s a whole mobile product line geared for companies (and perhaps paranoid individuals), a brand-new acquisition for encryption services firm Silent Call, and a multi-million dollar enterprise with nearly $750 million in device sales.

The group introduced its latest devices this week at Mobile World Congress—the Blackphone 2 smartphone and its first tablet, currently dubbed Blackphone+. But what was really on display was the company’s uncanny knack for turning a well-publicized security flub into a win.

Meet Blackphone 2 And Blackphone+

As far as upgrades go, the 5.5-inch Blackphone 2 looks like a decent successor to last year’s original 4.7-inch Blackphone.

Like most second-generation phones, version 2 offers several hardware improvements, including a faster 64-bit 8-core processor, more memory (3GB), a bigger battery and a larger display. The phone also ties into Citrix’s Mobile Device Management, so IT departments can manage employees’ company-supplied or BYO (“bring your own”) phones. Blackphone 2 is priced at $630 (unlocked) and slated for a July release. It will be joined this fall by the company’s first tablet, the 7-inch Blackphone+.

The original Blackphone (left) and Blackphone 2 exhibition unit (right)

Both run Blackphone’s PrivatOS software, a variation on Android designed as an extra layer of protection between users and the big, bad outside world. When apps unnecessarily ask for personal data, like contacts or location, Blackphone can intercept the request, blocking or obscuring it. The software can even fool the app into thinking the user granted access, even if he or she didn’t.

“You can take an Android device, you can root it, introduce [similar] features, and after months, you can have something like Blackphone,” said Javier Agüera, Blackphone’s founder and now a chief scientist at Silent Call. “Or you can have an out-of-the-box device, with everything set up by security specialists, that’s enterprise ready and configured the way you need it.”

PrivatOS boasts a new virtualization feature called “Spaces,” which offers separate “work” and “personal” modes, the ability to add profiles and an app store vetted by Blackphone. The technology’s encryption protocols also keep keys on the device itself, not on some unknown remote server. The phone’s price includes two years of security services: protection against unsafe WiFi networks, private browsing, and secure cloud file storage.

That sounds like a lot of protection; at least, it’s more than most users are accustomed to getting. It all goes back to Blackphone’s mission: The company wants to safeguard people. It seems sincere—even though a hacker actually did manage to breach those walls last year.

Turning Hackers Into BFs

PrivatOS running on last year’s model

At hacking convention DefCon last year, CTO Jon “Justin” Sawyer of Applied Cybersecurity LLC told Blackphone that he managed to get past its security to root its device. What’s more, he tweeted the exploit, which landed on BlackBerry sites and other tech blogs.

Sawyer found a couple of weak spots in the software, including a hole in the remote wipe feature that let the security expert access the device and grant himself system privileges. He was able to give himself access to core parts of the phone. But what gets less attention, the execs said, is that the company had already patched the hole.

Sawyer essentially attacked an old, outdated version of the software. Even so, the incident and publicity could have humiliated Blackphone right out of the market. It didn’t. Instead, the company is milking it. 

The team thanked Sawyer for the discovery and sent him a bottle of wine. Then it enlisted others to scope out any other vulnerabilities. 

According to Vic Hyder, Silent Call’s chief strategy officer, Blackphone recently launched a bug bounty program to reward people for finding security glitches, with payouts starting at $128 and rising with the severity of the bug. (Bounties are fairly common in the tech industry; even big companies like Facebook, Google and Microsoft offer rewards to bug hunters.)

“[It] makes them part of the solution, instead of part of the problem,” Hyder said. “It brings everybody in as a participant.” Even Sawyer, now a friend of Blackphone, helps out by looking for other vulnerabilities. The company publishes all of its source code, to help make it easier for people to find holes.

So far, Hyder estimates that the company has paid out about $15,000 to $20,000 in bounties.

Throwing Shade

“Nothing is hack-proof,” admits Daniel Ford, chief security officer.

However, he says his company can help guard against certain types of attacks. “Targeted attacks are completely different than mass surveillance,” he said. There’s little Blackphone or anyone can do against the former, such as last year’s breach at Sony Pictures—which may have been a specific retaliation for The Interview, a comedy that poked fun at North Korea.

Sony’s “The Interview” made fun of North Korea’s regime, which may have been responsible for hacking the movie studio. 

Ultimately, if a hacker wants your data badly enough—whether it’s a criminal or an NSA agent—he or she has innumerable tools that can help get it. No platform can hold up against that, he explained.

But when it comes to broader mass surveillance, Ford said Blackphone can step in and offer more protection. “This is where our commitment is: If there is a vulnerability that was disclosed publicly, we will fix it in less than 72 hours,” he said. “We have done so every time. That is our goal … the last time, it took only 6 hours.”

“Samsung had two critical vulnerabilities that were released two weeks ago,” he added, calling out one of his archrivals in the enterprise market, albeit for a vulnerability in its TV business. Still, he couldn’t resist poking at Samsung’s overall attitude toward security: “They have not even started to address it,” he said.

Photos by Adriana Lee for ReadWrite

View full post on ReadWrite

Why An Open-Source Pro Sees His Next Act In Security

Security is boring—at least until you don’t have it anymore. Then it becomes exciting for all the wrong reasons. 

In our increasingly interconnected world, it’s also painfully difficult. How do you secure connections to internal devices and external services that you do not and, indeed, cannot own? For enterprises trying to lock down sensitive corporate data in a world awash in personal devices and cloud computing, it’s an exercise in futility. 

Maybe. Maybe not.

Zack Urlocker

Zack Urlocker was just named COO of Duo Security, a Benchmark and Google Ventures-backed security company that aims to make two-factor authentication omnipresent and painless. Is this Urlocker’s next unicorn? After all, as SVP of products and marketing at MySQL, he helped to drive a $1 billion sale to Sun. Later, he went on to run operations at pre-IPO Zendesk (now worth $2 billion).

Urlocker clearly knows how to build unicorns, but is security ripe for a unicorn-sized exit? 

To better understand the allure of security to Urlocker, I caught up with him to discuss the shift from databases and help desk software to security.

Security Is Big For All The Wrong Reasons

Security has been a big market for a long time, but for all the wrong reasons. And while we like to think of security as someone else’s problem (at least, until our own data is pilfered), a Ponemon study shows that we all bear the costs:

Source: Ponemon

And while malicious criminal attacks account for 42% of data breaches, human error comes in second place (30%). Lost devices or other errors in human judgment open up corporations to all sorts of security problems. 

Making It Easy

The problem for most people, however, is that securing their devices and, hence, their data, can be a pain. Often we won’t bother until we’re forced to do so.

I remember when I first implemented two-factor authentication. My IT team had been pushing me to do it for nearly a year, and I kept resisting because I didn’t want the bother. It didn’t help that some things (like calendars) were shared with other family members on their devices. The thought of having to constantly update the passwords on their devices, and not merely mine, seemed to not be worth the effort.

That is, until my daughter’s Gmail account was hacked.

In this case, the hacker goaded me as I madly tried to get ahead of him to change her passwords. He used the Gmail account to get into her Facebook and other accounts, and used all of them to send vile messages to her and her friends. As I tried to stop him, he IM’d me to laugh at my efforts. It was frightening.

It was the wake-up call I needed, and I implemented two-factor authentication for myself and my family immediately afterward. We haven’t had a problem since (though I wish I could keep my credit card numbers from getting stolen every few months.) 

Since that time, two-factor authentication has become increasingly easy, thanks to companies like Duo Security, which Facebook, Box, Palantir, Yelp, Whatsapp, Etsy, and over 5,000 other companies use to provide simple security to hundreds of millions of users. In fact, Duo has developed solutions that secure 80% of the ISPs globally. 

As Urlocker told me, 

Duo makes strong security easy to buy, easy to use and easy to roll into production. Usually security means making things hard for people. With a SaaS solution, it’s easy to deploy. You can get Duo Security up and running in 15 minutes, or a few days for major rollouts, compared to weeks or months with traditional solutions. And it works, too!

That ease of use is essential. I’m a reasonably savvy technologist. No one in my family is. For them to be comfortable with two-factor authentication, it has to be as simple as typing in a password. (Or, in this case, a code sent to them via SMS.)

Learning From Open Source

So how did Urlocker get here from open source land? Duo, so far as I know, isn’t offering its software free over the Internet and charging for support. What can open source teach us about security?

Security, it turns out, has an equally open community, sharing both code and insights into how to secure code. 

Importantly, as he told me, it’s critical to “know how bad guys operate and where the vulnerabilities hide,” not to mention “how customers behave.” The best open source software makes difficult processes easy for developers. Duo is trying to accomplish the same thing for security. 

Which means not foisting silly security policies on users (i.e., forcing them to change passwords every 90 days to equally obscure and hard-to-remember passwords). Duo provides multiple ways for users to authenticate, but the one I like best sends a push notification to my phone and lets me simply approve or deny the login.

As the thinking goes, anyone can get my password. But getting my password and my mobile device? That’s hard.

Not surprisingly, then, Urlocker finds that certain SaaS categories, like Zendesk, Box, New Relic, HubSpot and Duo Security, “definitely operate at a similar scale” to open-source software, “but with much better conversion rates than we ever had in open source!”

That’s good for Duo, of course, but also for corporate security. Which makes it easier to sleep at night, even if the hackers never do.

Photo by Tim RT

View full post on ReadWrite

How A Linux “Ghost” Spooked The Security World

A vulnerability in a widely used component of many Linux distributions could allow remote attackers to take control of a system. Researchers at Qualys have dubbed it Ghost since it can be triggered by the “gethost” functions in Linux.

See also: How To Protect Yourself Against The Internet “Poodle” Attack

The vulnerability can be found in the GNU C Library, known as glibc for short. Without glibc, a Linux system couldn’t function. The flaw is in __nss_hostname_digits_dots(), a glibc function that’s invoked by the gethostbyname() and gethostbyname2() function calls. An attacker able to reach either function could take remote control of the entire Linux system.

A series of misfortunes has helped Ghost slip through the cracks. First of all, the bug had already been identified and fixed back on May 21, 2013, as Qualys CTO Wolfgang Kandek writes. However, at the time it was seen only as a flaw, not a threat, and no further patching was done:

“Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example.”

Secondly, since Ghost affects a code library that’s integral to the Linux system, patching it is no simple fix. Patching the GNU C Library means that the core services linked against it, or the entire affected server, will have to be restarted. Companies will have to schedule that downtime, which means affected servers could stay vulnerable for some time longer.

With all the world’s Linux distributions to choose from, it’s unlikely your homebrew Linux server is anywhere near high risk. And now that Red Hat, Debian, Ubuntu and Novell have all issued patches, Linux server operators have the resources to stay in the clear.

Photo by Jon Feinstein

View full post on ReadWrite

Obama To Propose National Data Security Policy

If your credit card or personal data is compromised, it should be the law for companies to let you know. On Monday, President Obama will call for legislation to make it happen.

The Personal Data Notification and Protection Act would ensure that American companies quickly and succinctly inform customers about data breaches according to an established national standard for dealing with just that. The President will call for companies to inform consumers within a deadline of 30 days, White House officials said Sunday.

See also: Box And Dropbox Are Going To War Over Corporate Data Security

The President’s speech, which is scheduled for Monday at the Federal Trade Commission, will also propose the Student Data Privacy Act, which would prevent technology companies from selling the data they collect from schools as teachers increasingly utilize laptops, tablets, and software for their curriculums.

Currently, an uneven range of state laws is in place to protect people from technological data breaches and privacy overreach, something the President is expected to say is insufficient where a consistent national standard could address citizens’ concerns.

“As cybersecurity threats and identity theft continue to rise, recent polls show that nine in 10 Americans feel they have in some way lost control of their personal information—and that can lead to less interaction with technology, less innovation and a less productive economy,” said a White House briefing document on the proposed legislation.

Photo via Everett Collection / Shutterstock

View full post on ReadWrite

UK Is Ready For Apple Pay, But Security Remains A Concern

Apple Pay is set to travel across the pond to the United Kingdom in the first half of 2015. However, the Telegraph reports that one of the UK’s biggest banks is concerned about “the amount of personal and financial information Apple wants to collect about its customers.”

The bank’s objection goes against Apple executive Eddy Cue’s insistence that “we are not in the business of collecting your data,” as he announced at the keynote in September. Cue explained that during and after an Apple Pay transaction, “Apple doesn’t know what you bought, where you bought it, or how much you paid for it.”

Of course, it wouldn’t be the first time Apple has given reason for users to be concerned about security. In September, a major photo theft revealed vulnerabilities in Apple’s iCloud security.

See also: Apple To Increase iCloud Security Following Celebrity Photo Theft

The UK bank may be stalling, but the Telegraph reports that sources say “no major bank will want to miss out on Apple Pay,” given the amount of success it has had in the United States. Even if consumers still have cold feet, companies certainly do not. As of mid-December, Apple Pay supported 90% of U.S. credit cards in terms of purchase volume.

Screenshot of Apple Pay via September Apple keynote

View full post on ReadWrite

Copyright © 1992-2015, DC2NET All rights reserved