source: wired.com

Five years ago, the Department of Defense set dozens of security hygiene goals. A new report finds that it has abandoned or lost track of most of them.

THE UNITED STATES federal government isn’t known for robust cybersecurity. Even the Department of Defense has its share of known vulnerabilities. Now a new report from the Government Accountability Office is highlighting systemic shortcomings in the Pentagon’s efforts to prioritize cybersecurity at every level and making seven recommendations for shoring up DoD’s digital defenses.

The report isn’t a checklist of what DoD should be doing to improve cybersecurity awareness in the abstract. Instead, GAO looked at three DoD-designed initiatives to see whether the Pentagon is following through on its own goals. In a majority of cases, DoD has not completed the cybersecurity training and awareness tasks it set out to. The status of various efforts is simply unknown because no one has tracked their progress. While an assessment of “cybersecurity hygiene” like this doesn’t directly analyze a network’s hardware and software vulnerabilities, it does underscore the need for people who use digital systems to interact with them in secure ways. Especially when those people work on national defense.

“It’s everyone’s responsibility to understand their part in cybersecurity, but how do you convince everyone to follow the rules they’re supposed to follow and do it consistently enough?” says Joseph Kirschbaum, a director in GAO’s defense capabilities and management team who oversaw the report. “You’re never going to be able to eliminate all the threats, but you can manage them sufficiently, and a lot of DoD’s strategies and plans are good. Our concern is whether they’re doggedly pursuing it enough so they’re able to do the risk management.”

Continue reading “THE PENTAGON HASN’T FIXED BASIC CYBERSECURITY BLIND SPOTS”

source: fastcompany.com

We’re four weeks into the massive time-out forced on us by coronavirus. Many of us have spent much of that time trying to get used to the radical lifestyle change the virus has brought. But we’re also beginning to think about the end of the crisis, and what the world will look like afterward.

So it’s a good time to round up some opinions about how the pandemic might change how we think about various aspects of life and work. We asked some executives, venture capitalists, and analysts for thoughts on the specific changes they expected to see in their worlds.

Naturally, many of them tended to see the aftermath of the COVID-19 crisis in optimistic terms, at least when it comes to their own products, ideas, and causes. And at least some of them are probably right. But the general themes in their comments add up to a preview of what might be ahead for tech companies and consumers once the virus is no longer the biggest news story in the world.

The responses below have been edited for publication.

WORKING FROM HOME BECOMES THE NEW NORMAL

Matthew Prince, CEO of Cloudflare
The pandemic has resulted in what is effectively the largest “work from home” experiment ever conducted in human history . . . We’re seeing the effect on the internet, in terms of traffic patterns that are shifting. People are accessing more educational resources online for their kids; finding unconventional ways to connect with coworkers, friends, and family; and employers are being more flexible in how they respond to employee needs through more dynamic, cloud-based technology. I think we’ll see these shifts last well beyond the immediate fallout of the COVID-19 outbreak.

Jared Spataro, corporate vice president, Microsoft 365
This time will go down as a turning point for the way people work and learn. We have a time machine as China navigates its return back to work—and we’re not seeing usage of Microsoft Teams dip. People are carrying what they learned and experienced from remote work back to their “new normal.” We’re learning so much about sustained remote work during this time.

“Remote hiring of technical talent will become the norm.” (Vivek Ravisankar, HackerRank)

Jeff Richards, partner at the venture capital firm GGV Capital
I travel over 200,000 miles per year for work. Now that doing board meetings, interviews, and other mission-critical meetings via video chat has been normalized, will I reduce my travel? I don’t know, but I definitely think it’s a behavior shift that will stick. In the past, if you joined via video, you were thought of as “mailing it in.” Now it’s become an accepted form of participation. Net/net, I still think we’ll see corporate travel [come back], as nothing is better than an in-person meeting with a customer or exec hire candidate. But for routine meetings, I think we are going to see a lot more video. I also think Zoom has crossed the Rubicon from “corporate” to “consumer” as everyone in my family age 5-75 now knows how to use it. That’s a game-changer.

Tim Bajarin, principal analyst at Creative Strategies
We talked to CIOs recently, and they told us that they are becoming more comfortable with at least some of their staff working from home. Two CIOs even quantified it by saying they might consider letting as much as 25% of their staff work from home. That would mean fewer people in the office, and in turn, possibly less demand for office space. I believe that this could signal the death of open space work environments. The experience with COVID-19 will for years make people more aware of working in shoulder-to-shoulder open offices where it is easy for viruses to spread.

Continue reading “ALL THE THINGS COVID-19 WILL CHANGE FOREVER…”

source: forbes.com

Video-conferencing startup models recovery plan on a Microsoft push years ago to boost Windows security

The COVID-19 crisis has given video conferencing app Zoom a huge surge in users, but it’s also highlighted multiple security and privacy issues. Amid reports of Zoom bombers and videos of chats available online, the firm is now feeling the harsh repercussions of that rapid growth.

This week, schools in New York City were banned from using Zoom for remote teaching, while Google no longer allows employees to use the app on their work-sanctioned laptops.

It’s led to rivals trying to cash in on Zoom’s misfortunes, with Microsoft promoting the secure credentials of its Teams video calling, and Google publishing a blog pushing its Google Meet video conferencing service.

It is no surprise that people are worried about Zoom’s security, but I have to say the company’s response has so far been impressive. It’s not trying to hide security issues, and it has been fixing problems for Mac and Windows users very quickly.

Continue reading “ZOOM HIRES SECURITY HEAVYWEIGHTS TO FIX FLAWS”

source: fastcompany.com

By making encryption free and easy, Let’s Encrypt solved one of the web’s biggest problems. Its secret? A maniacal focus on automation and efficiency.

Let’s Encrypt issued its one billionth digital certificate a few weeks ago. Run by the nonprofit Internet Security Research Group (ISRG), the service provides these certificates to websites for free, allowing your browser to create a secure and validated connection to a server that’s effectively impenetrable to snooping. The pandemic hasn’t halted the group’s progress: It says it’s now issued over 1,080,000,000 certificates.

That Let’s Encrypt doesn’t charge for this service is a big deal. A digital certificate for a website—also useful for email servers and other client/server systems—used to cost hundreds of dollars a year for a basic version and even more for a more comprehensive one. For smaller sites, that cost alone was a barrier.

While the price had dropped significantly before Let’s Encrypt began issuing its certificates at no cost in 2015, and some commercial issuers had offered free certificates on a limited basis, encrypting a site was no trivial matter. It required technical expertise and the ability to puzzle through command-line configurations. (Though I’ve been running websites since 1994, renewing and installing certificates had remained one of my bugbears before Let’s Encrypt.)

Let’s Encrypt didn’t set out to launch a price war and thereby destroy an existing marketplace. By making encryption free and simple, the organization has been a large part of an industrywide shift to encrypt all web browsing that has doubled the number of secure sites from 40 to 80 percent of all sites since 2016.

As executive director and cofounder of ISRG Josh Aas says, the organization wants everyone to be able to “go out and participate fully in the web without having to pay hundreds of dollars to do something.” Setting the cost at zero benefits each site’s users and the internet as a whole.

Google tracks opt-in information from Chrome browser users about the type of connections they make. It shows that secure connections rose from 39 percent (Windows) and 43 percent (Mac) in early 2015 to 88 and 93 percent respectively on April 11, 2020. One source indicates that Let’s Encrypt now supplies 30 percent of all website digital certificates. Two hundred million websites now use its certificates, the organization says.

This dramatic increase in web encryption protects people from some unwanted commercial tracking and snooping by malicious parties and government actors alike. It took Let’s Encrypt as a catalyst to put it within the reach of every website.

BLOCKING UNPRECEDENTED SNOOPING

After the revelation of the scope and nature of wide-scale, routine data collection by U.S. national security agencies added to the already-known and suspected habits of other democracies and repressive countries, tech firms shifted heavily into encrypting connections everywhere they could. That meant more encryption between data centers run by the same company (as Google added starting in 2013), encryption of data at rest stored on servers, and browser makers calling users’ attention to unprotected web sessions.

Continue reading “HOW A NONPROFIT YOU’VE NEVER HEARD OF MADE THE WEB SAFER FOR EVERYONE”

source: defenseone.com

New guidance recommends immediate contract modifications to allow some contractors to remain at home during the COVID-19 pandemic.

The Office of the Director of National Intelligence issued guidance this week directing the intelligence community to allow some contractor personnel to remain home in a “ready state” during the novel coronavirus outbreak.

The guidance calls for “immediate implementation” of Section 3610 of the Coronavirus Aid, Relief, and Economic Security Act, the $2 trillion stimulus package President Trump signed in late March.

Section 3610 authorizes federal agencies to modify contracts when contractors are unable to access authorized work sites or unable to work remotely due to COVID-19.

“ODNI strongly encourages IC agencies to make full use of the flexibility provided by this act, and in other existing contracting tools, to enable contract personnel to stay home in a ‘ready state’ during the national effort to mitigate the spread of the COVID-19 pandemic,” ODNI said in a statement Thursday.

The guidance follows calls from lawmakers for the Trump administration to address concerns over how coronavirus spread affects national security contractors. These contractors face unique challenges due to the sensitivity of their missions, and many are unable to work.

In the guidance, ODNI said it will “support agency decisions” to slip acquisition and development milestones as agencies limit staffing during pandemic mitigation. In addition, the guidance addresses how contractors should submit requests for equitable readjustment, and sets reimbursement levels at 40 hours per week per employee.

source: defenseone.com


The U.S. Justice Department and other federal agencies on Thursday called on the Federal Communications Commission (FCC) to revoke China Telecom (Americas) Corp’s (0728.HK) authorization to provide international telecommunications services to and from the United States.

China Telecom is the U.S. subsidiary of a People’s Republic of China (PRC) state-owned telecommunications company. Last year, two U.S. senators asked the FCC to review approvals of China Telecom and China Unicom (0762.HK) to operate in the United States.

The FCC last May voted unanimously to deny another state-owned Chinese telecommunications company, China Mobile Ltd (0941.HK), the right to provide services in the United States, citing risks that the Chinese government could use the approval to conduct espionage against the U.S. government. It said then that it was “looking” at the licenses of China Telecom and China Unicom.

China Telecom (Americas) rejected the allegations and said it has “been extremely cooperative and transparent with regulators.”

“In many instances, we have gone beyond what has been requested to demonstrate how our business operates and serves our customers following the highest international standards,” the company said in a statement. “We look forward to sharing additional details to support our position and addressing any concerns.”

China’s foreign ministry said on Friday that Beijing is “firmly opposed” to any action by the United States against China Telecom.

“We urge the United States to respect market economy principles, to cease its mistaken practices of generalizing national security and politicizing economic issues, and to cease unjustifiable oppression of Chinese companies,” Foreign ministry spokesman Zhao Lijian told reporters during a daily briefing.


Continue reading “U.S. AGENCIES BACK REVOKING ABILITY OF CHINA TELECOM TO OPERATE IN U.S.”

source: securityweek.com

The hovering drone emits a mechanical buzz reminiscent of a wasp and shouts down instructions in a tinny voice.

“Attention! You are in a prohibited area. Get out immediately,” commands the drone, about the size of a loaf of bread.

A heat sensor takes the offender’s temperature and sends the information to a drone operator, who stares at a thermal map on his hand-held screen — shining orange and purple blobs.

“Violations of the regulations result in administrative and criminal penalties,” the drone says.

Italy’s coronavirus epicentre in the northern province of Bergamo, in Lombardy region, has had enough of people spreading COVID-19.

Continue reading “DRONES TAKE ITALIANS’ TEMPERATURE AND ISSUE FINES”

source: darkreading.com

Tests on the fingerprint scanners of Apple, Microsoft, and Samsung devices reveal it’s possible to bypass authentication with a cheap 3D printer.

Researchers armed with a $2,000 budget and 13 smartphones, laptops, and other devices found it’s possible to bypass fingerprint authentication with duplicate prints made on a cheap 3D printer. Their tests yielded around an 80% success rate on average; however, the attack isn’t easy.

Fingerprint scanners made their way into the mainstream around 2013, when Apple introduced TouchID in the iPhone 5. Biometric authentication has been made available on several kinds of devices: laptops, smartphones, padlocks, USB drives. Even though hackers were able to bypass TouchID shortly after its release, fingerprint authentication is generally considered a more secure means of authentication than the password for most people, on most types of devices.

Scanner technology has evolved to include three types of sensors: optical, capacitive, and ultrasonic. Each of these sensors reacts differently depending on the materials and collection techniques. The most common type is capacitive, which uses the body’s natural electrical current to read prints. Optical sensors use light to scan the print’s image. Ultrasonic sensors, the newest type and commonly used for on-screen sensors, use an ultrasonic pulse to bounce off the finger; the echo is read by the fingerprint sensor. This type of sensor proved the easiest to bypass.

Continue reading “RESEARCHERS FOOL BIOMETRIC SCANNERS WITH 3D-PRINTED FINGERPRINTS”