We ain’t surprised, but it is quite a shocking and naked fact when you consider it. The naming and resulting shaming happens in the HPE Cyber Risk Report 2016, which HPE said “identifies the top security threats plaguing enterprises”.

Enterprises, it seems, have myriad problems, of which Microsoft is just one.

“In 2015, we saw attackers infiltrate networks at an alarming rate, leading to some of the largest data breaches to date, but now is not the time to take the foot off the gas and put the enterprise on lockdown,” said Sue Barsamian, senior vice president and general manager for security products at HPE.

“We must learn from these incidents, understand and monitor the risk environment, and build security into the fabric of the organisation to better mitigate known and unknown threats, which will enable companies to fearlessly innovate and accelerate business growth.”

Microsoft earned its place in the enterprise nightmare probably because of its ubiquity. Applications, malware and vulnerabilities are a real problem, and it is Windows that provides the platform for this havoc.

“Software vulnerability exploitation continues to be a primary vector for attack, with mobile exploits gaining traction. Similar to 2014, the top 10 vulnerabilities exploited in 2015 were more than one-year-old, with 68 percent being three years old or more,” explained the report.

“In 2015, Microsoft Windows represented the most targeted software platform, with 42 percent of the top 20 discovered exploits directed at Microsoft platforms and applications.”

It is not all bad news for Redmond, as the Google-operated Android is also put forward as a professional pain in the butt. So is iOS, before Apple users get any ideas.

“Malware has evolved from being simply disruptive to a revenue-generating activity for attackers. While the overall number of newly discovered malware samples declined 3.6 percent year over year, the attack targets shifted notably in line with evolving enterprise trends and focused heavily on monetisation,” added the firm.

“As the number of connected mobile devices expands, malware is diversifying to target the most popular mobile operating platforms. The number of Android threats, malware and potentially unwanted applications have grown to more than 10,000 new threats discovered daily, reaching a total year-over-year increase of 153 percent.

“Apple iOS represented the greatest growth rate with a malware sample increase of more than 230 percent.”

Courtesy-TheInq

The Android fork, which adds conventional desktop features such as a taskbar, start menu and support for multiple windows, has been a huge hit, overshadowing the implementation of Android revealed in Google’s recent high-end tablet the Pixel C.

The initial build, as ever, is designed to fish for bugs and aid developers. A beta will follow in the coming weeks. The Alpha doesn’t contain Google Mobile Services apps such as the Play store and Gmail, but the finished version will. In the meantime, users can sideload the gApps package or go to the Amazon Web Store.

There may also be problems with some video codecs, but we’re told this is a licensing issue which will be resolved in the final version too. In the meantime, the first release is perfectly useable.

Compatibility with most Android apps is instant, but the user community can ‘upvote’ their favourites on the Remix OS site to flag what’s working best in each category.

The company has already released a small desktop machine of its own, called the Remix Mini, the world’s first fully functioning Android PC, priced at just $70 after a successful Kickstarter campaign. It has also developed a 2-in-1 ultrabook, the Remix Ultra, and has licensed Remix OS to several Far East tablet manufacturers.

In this new move, the company has teamed up with Android-x86, a group that has been working on an executable version of Android for computers since 2009, to launch a Remix OS installer which will allow existing hardware to become Remix OS powered, or as a partition on a dual-boot machine.

A third option is to store the OS on a USB stick, meaning that you can make any computer your own. This technique has already been popular through the Keepod programme which offers Android on a stick to countries without access to high-speed computers.

The advantages of Remix OS to the developing world are significant. Bench tests have shown that Remix OS works significantly faster than Windows, which will potentially breathe new life into older machines and make modern machines run at previously impossible speeds.

Remix OS was designed by three ex-Google engineers and includes access to the full Google Apps suite and the Google Play store.

David Ko, co-founder of Jide Technology, said: “Today’s public release of Remix OS, based on Android-x86, is something that we’ve been working towards since we founded Jide Technology in 2014.

“All of us are driven by the goal of making computing a more accessible experience, and this free, public release allows us to do this. We believe Remix OS is the natural evolution of Android and we’re proud to be at the forefront of this change.”

The public Alpha will be available to download from Jide and android-x86 from 12 January, and a beta update is expected swiftly afterwards. The INQUIRER has been using a Remix Mini for over a month now, and a full review of the operating system is coming soon.

Courtesy-TheInq

This is the second bout of attacks from the group of technology tearaways, according to Motherboard, which reports on the Clapper problem and its connection to a group known as Crackas With Attitude.

A member of the group, a young chap called Cracka, told Motherboard that access to a range of Clapper accounts had been seized, and that Clapper and the CIA haven’t a clue what’s going on.

“I’m pretty sure they don’t even know they’ve been hacked. You asked why I did it. I just wanted the gov to know people aren’t fucking around, people know what they’re doing and people don’t agree #FreePalestine,” he said.

The claims were supported by the Office of the Director of National Intelligence, which confirmed that something has happened and that the authorities are looking into it.

“We’re aware of the matter and we reported it to the appropriate authorities,” said spokesman Brian Hale, before going mute.

Cracka, representing himself on Twitter as @dickreject, is less quiet. He has tweeted a number of confirmatory and celebratory messages that are not particularly flattering about the CIA and its abilities.

This is the group’s second bite at the CIA cherry. The teenagers walked into the personal email account of CIA director John Brennan last year and had a good look around. Some of the impact of this was washed away when it was discovered that Brennan used an AOL account for his communications.

“A hacker, who describes himself as an American high school student, has breached the CIA boss’s AOL email account and found a host of sensitive government files that one assumes a government official shouldn’t be sending to his personal email address,” said security comment kingpin Graham Cluley at the time.

“I’m not sure what’s more embarrassing. Being hacked or having an AOL email account.”

Courtesy-TheInq

Since August, the group has been engaged in an attack campaign focused on defense contractors, according to security researchers from Kaspersky Lab.

During this operation, the group has used a new version of a backdoor program called AZZY and a new set of data-stealing modules. One of those modules monitors for USB storage devices plugged into the computer and steals files from them based on rules defined by the attackers.

The Kaspersky Lab researchers believe that this module’s goal is to defeat so-called network air gaps, network segments where sensitive data is stored and which are not connected to the Internet to limit their risk of compromise.

However, it’s fairly common for employees in organizations that use such network isolation policies to move data from air-gapped computers to their workstations using USB thumb drives.

Pawn Storm joins other sophisticated cyberespionage groups, like Equation and Flame, that are known to have used malware designed to defeat network air gaps.

“Over the last year, the Sofacy group has increased its activity almost tenfold when compared to previous years, becoming one of the most prolific, agile and dynamic threat actors in the arena,” the Kaspersky researchers said in a blog post. “This activity spiked in July 2015, when the group dropped two completely new exploits, an Office and Java zero-day.”

Source- http://www.thegurureview.net/aroundnet-category/pawn-storm-hacking-group-develops-new-tools-for-cyberespionage.html

It has taken Amazon some time to fall into line on this. Two-factor authentication has become increasingly popular and common in the past couple of years, and it is perhaps overdue for a firm that deals so heavily in trade.

Amazon is treating it like it’s new, and is offering to hold punters’ hands as they embrace the security provision.

“Amazon Two-Step Verification adds an additional layer of security to your account. Instead of simply entering your password, Two-Step Verification requires you to enter a unique security code in addition to your password during sign in,” the firm said.

The way that the code is served depends on the user, who can choose to get the extra prompt in one of three ways. They may not appeal to those who do not like to over-share, but they will require a personal phone number.

As is frequently the case, Amazon will offer to send supplementary log-in information to a phone via text message or voice call, and even through a special authenticating app.

It’s an option, and you do not have to enable it. Amazon said that users could select trusted sign-on computers that spare them from the mobile phone contact.

“Afterward, that computer or device will only ask for your password when you sign in,” explained the Amazon introduction, helpfully.

There are a number of other outfits that offer the two-factor system and you might be advised to take their trade and do your business through them. Apple, Microsoft, Google, Twitter, Dropbox, Facebook and many others offer the feature.

A website called TwoFactorAuth will let you check your standing and the position of your providers.

Source- http://www.thegurureview.net/technology-2/amazon-finally-goes-two-factor.html

Redmond had earlier said that Windows would block SHA-1 signed TLS (Transport Layer Security) certificates from January 1, 2017, but is now mulling moving up the date to June.

There have been concerns about the algorithm’s security as researchers have proven that a forged digital certificate that has the same SHA-1 hash as a legitimate one can be created. Users can then be tricked into interacting with a spoofed site in what is called a hash collision.

In October, a team of cryptoanalysts warned that the SHA-1 standard should be withdrawn as the cost of breaking the encryption had dropped faster than expected to US$75,000 to $120,000 in 2015 using freely available cloud computing.

Programme manager for Microsoft Edge Kyle Pflug wrote in his blog that Redmond will coordinate with other browser vendors to evaluate the impact of this timeline based on telemetry and current projections for feasibility of SHA-1 collisions.

Mozilla said in October that in view of recent attacks it was considering a cut-off of July 1, 2016 to start rejecting all SHA-1 SSL certificates, regardless of when they were issued, ahead of an earlier scheduled date of January 1, 2017.

Courtesy- http://www.thegurureview.net/computing-category/microsoft-to-block-sha-1-hashing.html

But they are being resisted by the banking industry, which sees no need to invest further in PIN technology, already used with debit cards, resulting in halting adoption and widespread confusion.

A small band of retailers with the clout to call the shots on their branded credit cards is leading the charge. Target Corp is moving ahead with a chip-and-PIN rollout, and Wal-Mart Stores Inc plans to do the same.

But Wal-Mart said it faces obstacles because its credit card partner, Synchrony Financial, is not yet able to handle PINs on credit cards. Synchrony declined comment.

Broadly, U.S. banks are unprepared or resisting the change.

The impasse comes after many consumers got their hands on new credit cards embedded with so-called EMV chips in advance of an Oct. 1 deadline that required retailers to accept chip cards or be liable for fraud losses. EMV stands for EuroPay, MasterCard and Visa.

But only about a third of merchants are actually using the chip technology, according to analyst estimates. The number may not pick up until early next year, if at all, because the retail industry typically halts upgrades during the crucial holiday shopping season.

“PIN issuance will remain a niche,” said Julie Conroy, credit-card analyst with Aite Group.

Banks favor using chip cards verified by old-school signatures, even though chip-and-PIN usage has led to lower fraud over the decade they have been used in Europe and elsewhere.

“The PIN is definitely a must,” said Lance James, chief scientist with cyber intelligence firm Flashpoint. “It’s one extra step that provides true two-factor authentication.”

But bankers say PINs provide little benefit beyond the advantage of using chips in combating the estimated $7 billion-plus in annual U.S. card fraud.

EMV chips thwart criminals who use stolen data to create counterfeit cards, a category that Aite estimates accounts for 37 percent of that fraud. Banks say that PINs only provide additional fraud protection when criminals seek to use lost or stolen cards, a situation that Aite estimates accounts for only 14 percent of fraud.

Banking groups say there are better approaches than PINs for verifying customers and have asked retailers to embrace tokenization and encryption to prevent theft of credit card numbers.

“PIN is a static data element that would not have a meaningful impact on overall payments fraud,” said Electronic Payments Coalition spokesman Sam Fabens.

Courtesy-http://www.thegurureview.net/aroundnet-category/confusion-continues-to-reign-with-u-s-chip-pin.html

We say reportedly as we have not been able to contact Hilton ourselves and can rely only on reports. They are pretty solid reports, however, and they concern a problem at the company that happened between 21 April and 27 July.

Brian Krebs, of KrebsOnSecurity, started this off with a report about a payment card breach. Krebs said that he had heard about the breach from various sources, and that Visa – the card provider – has mailed potentially affected parties with a warning, and the news that it is the fault of a bricks and mortar company.

Visa did not name the company, but affected parties, or banks to be more precise, have uttered it to Krebs. Its name is Hilton.

“Sources at five different banks say they have now determined that the common point-of-purchase for cards included in that alert had only one commonality: they were all were used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts,” he wrote.

“It remains unclear how many Hilton properties may be affected by this apparent breach. Several sources in the financial industry told KrebsOnSecurity that the incident may date back to November 2014, and may still be ongoing.”

Krebs has a statement from the Hilton organisation in which the firm defended its security practices, and revealed that it is aware of the potential problem and is looking into it. This is a common theme among the breached, and should soon become part of mission statements.

“Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” said the company in the statement to Krebs.

“We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.”

We have asked Visa and Hilton for their comments.

Source-http://www.thegurureview.net/computing-category/was-the-hilton-hotel-chain-hacked-in-april.html