
Cyber Security Elements by NSS

News

11 Nov

Dropbox usernames and passwords were leaked online this week. It’s the latest in a string of recent data breaches involving compromises of third-party websites that take advantage of password re-use to get at users’ accounts on multiple services. In 2014 alone, millions have had their private information and passwords compromised, leading to what some are calling data breach “fatigue.” Dropbox was quick to respond, denying a breach on their end while urging their users to enable tighter password security measures. Dropbox’s response was refreshing when compared to that of other major brands, such as Home Depot, which chose to communicate very little with the public, distributing only a few carefully crafted press releases.

As businesses learn to navigate their way through crisis management in the digital age, there are solutions that can mitigate risk, greatly saving these companies both dollar value and reputation value. Sophos offers a complete suite of solutions to ensure your customers’ data is safe and secure. A major component of this is our SafeGuard Encryption solution. Simply put, encryption adds the crucial layer of security in situations where a customer’s data is breached. Even if a bad guy gets hold of a user’s data, it’s utterly useless when encrypted, whether that data is at rest or in motion (e.g., being uploaded to or downloaded from the cloud).

Although this breach was not due to a compromise of Dropbox itself, are you confident that your important files are safe when stored in the public cloud? In the case of cloud storage services, of which Dropbox is one of many, encryption prevents any breach, regardless of who caused it, from resulting in the loss or exposure of data. Using an encryption solution where the keys and control mechanisms are stored far from the potential points of compromise means you can control how data is stored, and manage who has access.

Learn more about SafeGuard Encryption

Sophos SafeGuard Encryption solves the major challenge of managing encryption across multiple platforms, devices, and cloud environments. Users and IT staff can share data safely between Windows, Mac and mobile devices – securing data wherever it lives and wherever it is sent. For more information about SafeGuard Encryption, get our free whitepaper Managing BitLocker With SafeGuard Enterprise (registration required).


Or download our Encryption Buyers Guide to learn more about how to choose the best encryption solution for your needs. You can also read interesting articles about SafeGuard Encryption, here and here.  

Read the original article, here.

9 Nov

Sophos announced additions to its range of SG Series firewall/UTM appliances, WiFi access points, and the availability of Sophos iView, a new dedicated virtual reporting appliance. By extending its Network Security portfolio with new entry-level and enterprise class appliances, Sophos now provides businesses of any size and the channel partners that serve them with the flexibility to consolidate their security with a complete proven solution set.

Sophos SG Series Appliances 

In April 2014 Sophos released the first of its new generation of network security appliances, the Sophos SG Series. Today, Sophos announced six additional firewall appliances, meaning that Sophos customers and partners can now choose from 12 SG Series models. As with the existing models, each uses the latest Intel multi-core technology to provide optimal performance. The new appliances include four desktop models ideal for small office deployments and two new 2U models that utilize the fastest Intel Chips and deliver extensive redundancy and customization features. Further desktop models will be available later in the year with integrated wireless connectivity, including two which support the 802.11ac standard.


Sophos iView

The release of the Sophos iView virtual appliance addresses what a recent Sophos survey on Spiceworks of SMB IT managers identified as their most significant frustration with existing firewalls from any vendor – insufficient reporting. This was the number one complaint with 35 percent of respondents saying they’d like greater reporting options. With over 1,000 built-in reports, including regulatory compliance reports, Sophos iView will give IT managers the extra depth they need. Users can also build their own custom reports and dashboards, focusing on problem areas or users on their network. Available as a virtual appliance only, Sophos iView supports VMware, Hyper-V, Citrix, and KVM virtual environments.

As a dedicated reporting appliance, Sophos iView can offload reporting duties and provide a range of added capabilities such as:

  • Compliance reporting for industry standard regulations such as HIPAA, PCI, SOX, and GLBA
  • Consolidated reporting across multiple UTM firewalls for a complete view of all network traffic from a single console
  • Long-term persistent log management and storage for security and backup with convenient access for audits or forensics
  • Licensing that is based on storage requirements, with the entry level vSI-Light including 100GB of storage and the vSI-Unlimited



Wireless Access Points

In addition to the SG Series and iView appliances, Sophos also announced the AP 100, the first in a new generation of wireless access points that support the latest 802.11ac protocols, and an entry level access point, the AP 15. As with previous Sophos wireless access points, the new AP 15 and AP 100 models can be managed directly from the Sophos SG Series appliances, meaning the wireless network is tightly integrated with the firewall protection.



You can read the original article here.

7 Nov

Sophos announced that it has acquired cloud-based security firm Mojave Networks of San Mateo, Calif. This acquisition will strengthen Sophos cloud-managed and appliance-based security solutions. To Sophos Cloud, an integrated cloud-managed security offering, Mojave will add a rich cloud-based web security solution. And to Sophos’ line of network security hardware it will enable hybrid deployment options (SaaS and non-SaaS) to meet diverse web security needs. An increasingly mobile workforce and an explosion of mobile devices have created a serious challenge for IT. To safeguard valuable corporate data and to secure roaming devices, Mojave’s innovative security platform provides an effective cloud-based network security solution that is easy to deploy and manage. It will allow Sophos customers to benefit by providing:

  • A cloud-based web filtering engine enabling full protection for web interactions without requiring additional on-site technology
  • Near instantaneous protection from emerging threats by supplying real-time threat intelligence from the cloud
  • A simple and intuitive management experience designed for small and mid-market enterprises or pragmatic enterprises of any size
  • A zero-compromise approach to security across Windows, Mac, iOS, and Android devices, delivering context-awareness, visibility and seamless protection whether they are on or off the corporate network

“Mojave Networks is a young innovative company that has built a leading platform right at the intersection of three cutting-edge areas of security: cloud, web security, and mobile,” said Kris Hagerman, CEO, Sophos. “We’re dedicated to delivering security that is both powerful and comprehensive, but also simple. By integrating Mojave Networks’ technology into Sophos Cloud, we’re extending our leadership position and enhancing an offering that is already one of the fastest growing products in Sophos’ history.”

“We are proud of the work we’ve done at Mojave to pioneer a cloud-based approach to mobile and web security that offers unrivaled protection from malicious threats, security for mobile workers, and uniform policies across platforms,” said Garrett Larsson, CEO of Mojave Networks. “As part of Sophos we can continue to pursue our vision of comprehensive security for a mobile workforce at an accelerated pace, as we take full advantage of the rapid growth of Sophos Cloud, Sophos’ world-class community of more than 15,000 partners, and Sophos’ global presence. We’re excited to join such an innovative and disruptive leader in the IT security space.”

Mojave Networks

Sophos plans to integrate Mojave Networks’ technology into its fast-growing Sophos Cloud product line in early 2015 and then later in 2015 into appliance-based network security solutions. This will allow Sophos partners to offer their customers an integrated security platform that brings together best-of-breed PC, Mac, mobile, and network protection abilities through a single cloud-based console. This represents another leap forward in delivering comprehensive protection to organizations seeking enterprise-class security without enterprise-class complexity.

You can read the original article here.

6 Nov

InfoCom World Congress is the largest event on digital technologies in SE Europe, attracting more than 3,500 delegates per year. For many years it has recorded and captured the course taken by, and the convergence happening in, the Technology, Informatics, Telecommunications & Media sectors. The 16th InfoCom World, titled «Techonomy: Time for Synergies!», will take place on October 21, 2014 at the Divani Caravel Hotel. This year’s conference takes place at a time when special emphasis is placed on technology, business strategies and synergies, which are now unanimously recognized as a driver for growth.

NSS could not be absent and is one of the sponsors of the conference. Come and chat with us!


3 Nov

A lot has changed since 1995, the last time a major European law was passed on the subject of data protection (the Data Protection Directive 95/46/EC). For example, mobile devices are ubiquitous, and it’s not unusual to carry two or even three at a time. Meanwhile, sensitive company data is moving outside the safety of the traditional corporate security perimeter. Employees email documents to themselves, access data from personal smartphones and tablets, and store data in the cloud. Major data breaches are commonplace today, putting customers at risk of identity theft and financial loss, and businesses at risk of losing customer and investor loyalty. European businesses are not prepared to meet regulatory requirements outlined in the EU Data Protection Regulation, due to be enacted by the EU parliament in 2015. That’s the story told by a survey of 1,500 office workers in the UK, France and Germany, conducted by Sophos. Although a large majority of poll respondents (84%) agree that stricter data protection requirements are needed, most lack confidence that their employers are compliant (77%), and many do not know what type of data protection their companies currently have in place.

During a roundtable discussion about the survey, our security experts talked about the current state of data protection and how the new requirements might impact businesses. Anthony Merry, director of product management in the data protection group at Sophos, said companies have to get a better understanding of not just what regulations require, but what data protection actually is. “Many of the companies I talk to still do not understand what data protection is, why businesses need to do it and why it is important, and that needs to change,” he said, according to ComputerWeekly.

Some of the proposed changes to the EU Data Protection Directive include huge fines for non-compliant companies in the event of a data breach — as much as 5% of global turnover, or €100m, whichever is higher. Compared to relatively lax data protection laws in the United States, such punitive laws could be seen as harmful to businesses.

However, if companies are encrypting their data — on disks, mobile devices, storage drives, and in the cloud — they don’t have to worry as much. “If data is encrypted, even if IT systems are breached, companies will not be liable under the law,” Anthony said. Unfortunately, businesses in the countries we surveyed have a long way to go to complete data protection. According to our survey, only 62% of UK companies are encrypting laptops, along with 36% in France and 56% in Germany. Encryption of mobile devices is even farther behind: 41% in the UK, compared to 21% in France and 32% in Germany.


Learn more about data protection

Sophos SafeGuard Encryption solves the major challenge of managing encryption across multiple platforms, devices, and cloud environments. Users and IT staff can share data safely between Windows, Mac and mobile devices – securing data wherever it lives and wherever it is sent. For more information about SafeGuard Encryption, get our free whitepaper Managing BitLocker With SafeGuard Enterprise (registration required). Or download our Encryption Buyers Guide to learn more about how to choose the best encryption solution for your needs.

31 Jan

a conference featuring prominent Chief Executives representing mobile operators, device manufacturers, technology providers, vendors and content owners from across the world.

Ipoque participates at industry tradeshows and conferences around the world. If you are interested in viewing a full demonstration of Ipoque’s products and solutions, join us at GSMA Mobile World Congress 2013.

25 – 28 February 2013
Fira Gran Via, Barcelona
Booth #6E126 – Hall 6

For more information click here

15 Jan

coverage of your Jacarta solution by using Vibration Sensors with Adjustable sensitivity and Airflow Sensors to ensure you know of AC problems.

Generally, interSeptor systems have been designed for ease of installation and use. Multiple temperature/humidity sensors are provided out of the box so that individual rack and room monitoring can begin immediately, along with many other sensors essential for your environmental monitoring needs. Alternative cable lengths are available for all Jacarta Go-Probe sensors if required.

For more information about Jacarta sensors, click here

15 Jan

The email reads:

    Hello,
    A Secure Document was sent to you by your financial institute using Google Docs.
    Follow the link below to visit Google Docs webpage to view your Document
    Follow Here. The Document is said to be important.
    Regards.
    Happy Emailing,
    The Gmail Team

Phishing emails aren’t exactly rare, but this one caught my eye. In addition to being a somewhat plausible lure, it is an equal opportunity exploit. If you click the link you are presented with a phishing page hosted in Thailand. The page not only asks for your Google credentials, it also suggests it will accept Yahoo!, Outlook.com, Hotmail, AOL, Comcast, Verizon, 163.com or any other email account.


Of course, filling out this form can only end in tears. Your details are sent off to the compromised servers for whatever purposes these thieves desire. You might think, “So what? My Gmail isn’t full of secrets that will destroy my nation/life/career.” You would likely be wrong, because your email is the key to unlocking much of your online identity. Forget your banking password? No worries, they will email you a password reset link. Does your company utilize cloud services? Your email account is likely key to accessing these systems. Phishing is an amazingly successful technique. Just ask the Syrian Electronic Army, who with little technical talent have been able to compromise some of the most powerful media organizations in the world. As an IT administrator, these are opportunities to educate your staff on the risks.


This might not be the most convincing of the phishes that are out there, but it is a useful tool to educate your staff. Many organizations are using Google and other cloud service providers to provide critical IT services. At first glance this could be very believable. What do I do to avoid being a victim? I create shortcuts in my browser for all sensitive services. If I need to access my email, bank or other online service, I don’t click the link; I click the favourite.

You can read the original article, here.

15 Jan

Keenan brings more than 20 years of sales and sales management experience to Sophos, including 13 years with SonicWALL, where he most recently built a new sales organization for mid-market accounts and developed the division’s channel strategy. As vice president of North America Sales, Keenan grew the business by fostering key relationships with the company’s channel partners.

“John Keenan is widely respected by the security channel, and I am thrilled to welcome him to Sophos. He brings a proven track record of success in the security space and has winning experience in leading channel and sales teams,” said Michael Valentine, senior vice president of sales for Sophos. “Every day, the Sophos team is working hard to be the preferred vendor in security for the channel and customers. Our products, our people and our partner programs continue to gain industry accolades. In bringing John aboard, we have an ideal leader for continued growth in our North American business.”

“I am excited to join Sophos; the company’s value proposition of ‘security made simple’ clearly resonates with customers and the channel,” said Keenan. “The company’s relentless focus on empowering the channel, a best-in-class portfolio of endpoint, mobile, server and network solutions, and the opportunity to contribute to Mike Valentine’s winning team made my decision to join Sophos an easy one.”


15 Jan

This joint solution provides a highly efficient, scalable and effective network-based platform for service providers and enterprise networks. In turn, they can deliver increased levels of security to their consumer, business and internal customers without any need for end-device software or new network elements. Utilizing DNS, a lightweight, multi-network, multi-end device protocol, this solution is available for both fixed (xDSL, Cable, NBN) and wireless networks offering protection for PCs, tablets, smartphones, wireless dongles, games consoles, and any IP-enabled device.

“Sophos provides threat intelligence feeds to our network, gateway and endpoint security products. Our partnership with Nominum extends this intelligence to the DNS level, offering security in the core operations of the network,” said Stuart Fisher, Managing Director, Sophos APAC. “SophosLabs identifies more than 30,000 new malicious URLs daily. By adding intelligence from the DNS into the equation, the joint Nominum–Sophos solution offers maximum protection for all network users.”

“Both our companies are highly committed to making the Internet a safer, more secure place for users. Considering the value this partnership will bring into our core markets such as Australia, New Zealand, Singapore, ASEAN, China and India, we anticipate we will see a high level of adoption.”

“By joining our partner ecosystem, Sophos and Nominum can provide increased protection to Internet users across multiple platforms,” said Brian McElroy, Vice President of Business Development, Nominum. “A joint Nominum-Sophos security solution offers near real-time (zero day) in-network protection, like the Interpol-fed Nominum Content Blocking solution deployed in Australian carrier networks, which protects Internet users from child sexual exploitation content. Adding this new policy and protection in-network from malicious threats makes great sense.”


15 Jan

Bolstered Channel Team
Sophos has recently strengthened its channel team with the appointments of Kendra Krause, Americas channel chief and Karen Delaney, Australia & New Zealand channel chief.

Prior to Sophos, Krause served most recently as Fortinet’s Channel Sales and Operations vice president. She previously served in channel sales and marketing roles at SonicWall, WatchGuard and CDW. Delaney spearheaded channel strategies at IBM, Acer and Dell/SonicWALL. Since joining the company, she has played an integral part in bringing Distribution Central and Connector Systems onboard as Sophos’ first distribution partners in Australia and New Zealand.

Channel Honors
Sophos has received considerable recognition for both its channel team and channel program. Included among this year’s honors:

  • CRN UK’s Channel Sales & Marketing Award—The Sophos Partner Program was declared “best in the UK”. This award recognizes and rewards the achievements of those individuals and teams responsible for making the UK IT channel so successful.
  • CRN’s 2013 Top Women of the Channel—Several Sophos’ channel leaders were among the honorees: Kendra Krause, vice president of Americas channel sales, Amy Gelpey, senior channel marketing manager, and Regina Vignone, director of sales.
  • CRN’s Power 100 Most Powerful Women of the Channel—Kendra Krause was among the elite list of executives recognized for their channel achievements.
  • CRN’s 2013 5-Star Partner Rating—The 5-Star Partner Program rating recognizes an elite subset of Partner Program Guide vendors that give solution providers the best partnering elements in their channel programs.
  • CDW—Sophos was named Sapphire Partner of the Year for 2012; Sophos was one of CDW’s fastest-growing partners of the year.

Key Channel Recognition for Sophos UTM
The company was also highlighted in the 2013 CRN Annual Report Card (ARC). This prestigious study is considered the definitive benchmark for measuring excellence in the IT Channel community and recognizes the top-rated vendor partners in the industry. Sophos was given the highest honors for product innovation in the Network Security Appliances category for its unified threat management (UTM) solution, Sophos UTM. Winners were announced live at an awards reception on Tuesday, August 20, 2013, at the XChange 2013 event in Washington, D.C.

“At Sophos, every year is the year of the partner, but this year in particular has truly demonstrated our ‘channel-first’ commitment—from hosting the largest partner conferences in our history to a game-changing new MSP program, our focus is our channel,” said Mike Valentine, senior vice president, worldwide sales, Sophos. “We offer partners the most complete IT security value proposition—proven and award-winning security solutions that are simple to use, combined with the industry’s most powerful channel program. And with an aggressive roadmap that features an impressive array of offerings, we’re very excited about delivering partners even more value in the coming months to help them grow.”

To learn more about the Sophos Partner Program, please click here or visit http://www.sophos.com/en-us/partners.aspx.

15 Jan

Increased migration to virtual servers and the ever-growing threat of attack on critical data are presenting new challenges to IT professionals, as they look to maintain high performance and density of servers, without compromising on security. Sophos Server Protection addresses these challenges by integrating agentless antivirus for vShield and full antivirus clients for Windows, Linux, Mac and UNIX into one centrally managed product.

“Servers need the best protection against malware, but managing that protection while maintaining server performance across a diverse environment has inevitably increased complexity and demands on time,” said John Shaw, vice president of product management, Sophos. “We’ve delivered on what matters – server performance and security. Sophos Server Protection provides a single, easy to use management console to assign policies, view alerts and generate reports across platforms. Even licensing, often the bane of IT professionals, is straightforward: one server, one license, any platform.”

Standalone and virtual systems use fewer resources with Sophos Server Protection than with conventional antivirus products. Agentless scanning via vShield Endpoint prevents scan and update storms, automatically protecting every Windows virtual machine on the host through a centralized virtual security appliance. Systems without vShield benefit from a full featured client optimized for performance. Advanced features, including HIPS, application control, and device control, are also included for select platforms.

Sophos Server Protection supports a broad range of server and virtualization platforms, including Windows, Linux, UNIX, Mac, Hyper-V, vSphere/ESX/ESXi and XenServer. It provides proven protection against known and unknown threats, supported by real-time communication with SophosLabs. The Windows client offers additional layers of security, including HIPS, application control and patch assessment.

“Sophos Server Protection is server security made simple, because at Sophos we believe good security shouldn’t have to require the undivided attention of the IT team to make it work. Sophos Server Protection secures your business’s critical assets, without sacrificing performance or adding unnecessary complexity,” concluded Shaw.

Sophos Server Protection will be showcased at VMworld, which takes place in San Francisco between August 25 and 29. Sophos is a VMware Elite Technology Alliance Partner.

You can read the original article here.

15 Jan

One risk is that attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders. The problem is, of course, that once patches stop being provided for newly-discovered vulnerabilities, any problems that are found for more recent versions may well be backwards-compatible with XP. As details of these issues will be widely publicised, for very good reasons, there’s bound to be plenty of research going on into which ones can be used to penetrate the systems of anyone still clinging on to XP. Indeed, some people have already speculated that the bad guys will soon be stockpiling newly-found bugs until after the patch deadline, building up an arsenal of woes to unleash on those too lazy, poor, or stuck in their ways to upgrade.

Once the April 2014 deadline has passed, the world of Windows XP will be a perpetual zero-day, with no hope of relief from danger. It’s clearly in Microsoft’s interest to spread maximum fear, to squeeze as much revenue as they can out of Windows users who will have to pay to step up to Windows 7 or 8. But their warnings do carry considerable weight. In operating system terms, XP is pretty ancient, having been released in 2001 and reaching the end of its standard support phase back in 2009. When the five-year extended support phase ends the platform will have very nearly reached its teens. It remains remarkably popular though, with the best available stats putting it on anywhere from 13 to 30% of systems browsing the web – well overtaken by Windows 7 nowadays, but still streets ahead of Windows 8. Its stability, simplicity and familiarity will make it hard to dislodge from a huge residual user base.

This has led to some speculation that Microsoft might relent and extend the support period further, but this seems unlikely. As Rains also points out in his blog piece, even with regular patching, the security provisions in XP just don’t cut it any more, leaving its users open to all sorts of dangers they would be immune from out-of-the-box with less creaky platforms.

You can read the original article here.

15 Jan

An equally alarming industry statistic: users not running the most recent version of Android (more than 90 percent of active users) are vulnerable to known exploits, resulting in a more than 600 percent increase in Android malware infections.
To keep up with and prevent these risks, Sophos has introduced the latest version of its free Android security app, Sophos Mobile Security 3.0, its full-featured mobile security and anti-virus application.

What’s New in Sophos Mobile Security 3.0

  • Application protection: Protects the start of selected applications with a password, meaning you can let others use your phone without risking your corporate data security. You can protect your settings or Google Play app and any other mobile application.
  • Faster Scanning: Significantly improves scan speed by leveraging the power of multi-core phones
  • Web Protection (now included in free version): Blocks access to malicious or phishing websites, so you can access the Internet worry-free

“If Android malware risks weren’t enough, Android device loss and theft are an enormous issue, especially considering that more than 100 cell phones are lost or stolen every minute just in the US alone,” said Thomas Lippert, senior product manager, mobile, Sophos. “Mobile malware leads to data loss and unexpected cost issues, while actual device loss and theft leads to potentially much worse. Either way, it’s imperative for users to ensure their devices are protected. And we’re providing this protection—for free.”

Sophos Mobile Security is offered for free in Google Play: https://play.google.com/store/apps/details?id=com.sophos.smsec. Optionally, Sophos Mobile Security can integrate into the company’s flagship mobile device management and security solution, Sophos Mobile Control, providing full central management and integration into the compliance enforcement engine. For more information about Sophos’ mobile offerings, please visit: http://www.sophos.com/en-us/products/mobile.aspx.

15 Jan

Sophos currently offers an optimized AMI that is compatible with AWS cloud services. With this new hourly-based model, customers are able to take advantage of the many scaling, redundancy and elasticity features offered by AWS. Put simply, this approach lets customers access and securely defend their cloud resources with a solution optimized for the AWS environment.

“With AWS Marketplace, businesses can find, buy and deploy software that is optimized for Amazon EC2, allowing them to focus on delivering business results faster and at a lower cost,” said Sajai Krishnan, GM, AWS Marketplace. “We’re excited to add the Sophos UTM to AWS Marketplace, as we believe its new on-demand hourly pricing allows customers to utilize this advanced network security solution with the elasticity and ease-of-use they want in the cloud.”

“As a long-standing security provider, we know about the many benefits that Amazon Web Services provides, especially to SMBs that have adopted the cloud,” said Angelo Comazzetto, Senior Product Manager, Sophos. “We pride ourselves on developing complete security offerings that are simple to use, and with this offering, companies can better defend their cloud security resources with layers of security provided by Sophos UTM. We are excited to enable this unique offering in the AWS Marketplace.”

For additional information on Sophos’ UTM offerings, please click here.

15 Jan

But those signals were not authentic, and the ship was not on course. The signals were in fact being sent from the White Rose’s upper deck by University of Texas/Cockrell School of Engineering graduate students Jahshan Bhatti and Ken Pesyna. A team from the school had been invited aboard while the White Rose sailed from Monaco to Rhodes, Greece, on the Mediterranean Sea. Using a blue box about the size of a briefcase, the duo spoofed the ship’s GPS signals, sending counterfeit signals that slowly, subtly overpowered the authentic GPS signals until the ship ultimately came under their control.

If this sounds familiar, it’s because students from this engineering school did the same thing to a drone last year. In May 2012, the engineering students tried out their $1,000 spoofer, which they had cobbled together in response to a dare from the US Department of Homeland Security (DHS). Under the direction of Assistant Professor Todd Humphreys, who is now working for the Department of Aerospace Engineering and Engineering Mechanics, the students last spring managed to hack and hijack a drone with what Humphreys at the time said was the most advanced spoofing device ever.


Both the drone and yacht hijackings were designed to shed light on the perils of navigation attacks, serving as evidence that spoofing is a serious threat to marine vessels and other forms of transportation. In plain English, that means that hackers can send drones smashing, say, into our skulls.

After the students had gained control of the ship’s navigation system, the team planned to coerce the ship onto a new course with subtle maneuvers that positioned the yacht a few degrees off its original course. When the ship’s navigation system detected the location discrepancy, the crew corrected the course – at least, they thought they did. In reality, their course corrections were setting the ship slightly off its course line. Watch a video about the attack here.
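The mechanics described above, a slowly growing position bias that turns the crew's own course corrections into the attacker's steering, can be reproduced in a few lines, and the same model shows the cross-check a navigator would want. The following is an added example, not code from the original article or from the University of Texas team; the ship, autopilot gains, spoofer ramp rate and alert threshold are all constructed assumptions. A track-keeping autopilot steers against the GPS-reported cross-track error; from t=60 s the spoofer ramps a bias into the fix at 0.5 m/s; dead reckoning from the gyrocompass and speed log, which the spoofer does not control, is restarted from each fix and compared with the GPS every window.

```python
"""Slow-pull GPS spoofing against a track-keeping autopilot, with a dead-reckoning cross-check.

Added example (not from the article, not the UT Austin team's code). Constructed scenario:
the planned track is the x axis (metres); the autopilot keeps the GPS-reported cross-track
error (y) at zero. Once the spoofer ramps a bias into the fix, the real ship walks off the
track while the bridge display keeps showing it on course.
"""
import math

SPEED = 10.0                    # m/s from the speed log (assumed)
DT = 1.0                        # seconds per simulation step
K_XTE = 0.01                    # autopilot gain: radians of heading per metre of reported error (assumed)
MAX_HEADING = math.radians(30)  # autopilot never steers more than this off the track bearing
WINDOW = 300                    # seconds between restarting dead reckoning from the GPS fix
THRESH = 50.0                   # metres of GPS vs dead-reckoning disagreement per window (assumed)


def spoof_bias(t, ramp_start=60, rate=0.5):
    """Cross-track bias (m) the spoofer adds to the reported fix; grows slowly after ramp_start."""
    return max(0.0, t - ramp_start) * rate


def simulate(steps=600, spoofed=True):
    """Run the scenario; return the true end state, what GPS claims, the heading and alert times."""
    x = y = 0.0        # true position
    heading = 0.0      # true heading in radians, 0 = along the track
    dr_y = 0.0         # dead-reckoning estimate of y from gyrocompass + speed log only
    alerts, alerted = [], False
    for t in range(steps):
        gps_y = y + (spoof_bias(t) if spoofed else 0.0)   # the fix the crew sees
        if t % WINDOW == 0:
            dr_y, alerted = gps_y, False                    # restart dead reckoning from the last fix
        # Cross-check: within one window, GPS and dead reckoning must agree.
        # The spoofer controls the fix, not the compass or the speed log.
        if abs(gps_y - dr_y) > THRESH and not alerted:
            alerts.append(t)
            alerted = True
        # Autopilot steers against the *reported* cross-track error.
        heading = max(-MAX_HEADING, min(MAX_HEADING, -K_XTE * gps_y))
        dx, dy = SPEED * DT * math.cos(heading), SPEED * DT * math.sin(heading)
        x, y, dr_y = x + dx, y + dy, dr_y + dy
    return {
        "true_y": y,
        "gps_y": y + (spoof_bias(steps) if spoofed else 0.0),
        "heading_deg": math.degrees(heading),
        "alerts": alerts,
    }


if __name__ == "__main__":
    for spoofed in (False, True):
        r = simulate(spoofed=spoofed)
        print(f"spoofed={spoofed}: GPS shows {r['gps_y']:+.1f} m off track, "
              f"truly {r['true_y']:+.1f} m off, heading {r['heading_deg']:+.2f} deg, "
              f"alerts at t={r['alerts']}")
```

After ten minutes the display reports the ship about five metres off track while it is really more than 250 metres off, and the gyrocompass shows a steady three-degree offset from the track bearing that the GPS cannot explain. Either independent sensor exposes the attack; the lesson is that a receiver's position output alone is not a trustworthy input to steering, and real detectors also watch signal-level clues such as received power and carrier-to-noise ratio, which change when counterfeit signals overpower the authentic ones.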

You can read the original article, here.

15

Jan

Instead of just reinstalling your favourite apps and starting afresh, your new device will know how to get online straight away, how to get into your Twitter account, and how many Angry Birds levels you haven’t conquered yet. Clearly, Google keeps a raft of configuration data on your behalf, because if you have the option enabled and then decide to turn it off you get this dialog: So how risky is this option? It’s not risky in the sense, for example, of the recent flaw in the Tumblr app on iOS. There, Tumblr forgot to secure the actual transmission of personally identifiable information (PII), such as your password.

That meant that crooks at a coffee shop, for example, might easily be able to sniff out and extract your Tumblr password. The Android issue is more subtle: the data is encrypted in transit, and Google (for all we know) probably stores it encrypted at the other end. But it’s not encrypted in the sense of being inaccessible to anyone except you. That’s obvious because you can recover your data from Google even after you’ve wiped (or lost) your device, or changed your Google account password. In other words, Google can unilaterally recover the plaintext of your Wi-Fi passwords, precisely so it can return those passwords to you quickly and conveniently even if you forget your device password and have to start over. That’s just the sort of convenience which many users will trade against security. So, let’s say some Three Letter Agency were to use some prismatic technique to acquire those Wi-Fi passwords from Google. Is that likely? If so, would it be bad? I have to say that it probably would be, if only because the list of Wi-Fi networks and passwords on your device is most likely much more extensive than just your own network in your own home.


You’d effectively be helping to build a list of passwords to go with the already-existing and extensive maps of Wi-Fi access points built up over years, both by Google and others. You probably don’t want to help anyone, friend or foe, to do that. The solution is to encrypt everything “for your eyes only” before you back it up anywhere, especially into the cloud. And the problem with that is it’s not quite as convenient, not least because there’s no password-free way to recover that backed-up data, for example if you forget your password. That’s the dilemma we all face. Are you prepared to accept a digital equivalent of locking your keys in the car forever (for example if you forget your full-disk encryption password and didn’t save the recovery key)? Or would you prefer to have what amounts to a backdoor to your own, or worse still, to other people’s, personal information? What do you think?
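What “for your eyes only” looks like in practice, and why it carries exactly the locked-keys risk described above, is easiest to see in code. The following is an added example, not part of the original article and not Google's backup code; the settings, the key-slot layout and the cipher are all constructed. A random data key seals the backup; that data key is wrapped twice, once under a key derived from the user's passphrase and once under a random recovery key to be written down offline, in the same spirit as a full-disk-encryption recovery key. The server only ever holds the sealed blob, so it cannot hand the plaintext back on its own, and a user who loses both the passphrase and the recovery key has lost the backup.

```python
"""Client-side ('for your eyes only') backup with a passphrase slot and a recovery-key slot.

Added example, not from the original article and not Google's code. Everything here is
constructed. HMAC-SHA256 in counter mode plus an HMAC tag (encrypt-then-MAC) is used only to
stay inside the standard library; real code should use AES-GCM or ChaCha20-Poly1305 from a
vetted library, and scrypt or Argon2 rather than PBKDF2 for the passphrase slot.
"""
import base64
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 200_000   # assumed work factor for the passphrase-derived key

# Constructed sample of what a phone might back up (not real credentials).
SAMPLE_SETTINGS = {
    "wifi": [{"ssid": "HomeNet", "psk": "correct horse battery staple"},
             {"ssid": "OfficeGuest", "psk": "guest-2014"}],
    "apps": ["twitter", "angrybirds"],
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; raise on wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def make_backup(settings: dict, passphrase: str):
    """Return (blob safe to upload, recovery key the user must store offline)."""
    data_key = os.urandom(32)        # seals the payload
    recovery_key = os.urandom(32)    # second unlock path, like a disk-encryption recovery key
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    b64 = lambda b: base64.b64encode(b).decode()
    blob = {
        "salt": b64(salt),
        "slot_passphrase": b64(seal(kek, data_key)),
        "slot_recovery": b64(seal(recovery_key, data_key)),
        "payload": b64(seal(data_key, json.dumps(settings, sort_keys=True).encode())),
    }
    return blob, recovery_key


def restore(blob: dict, passphrase: str = None, recovery_key: bytes = None) -> dict:
    """Try whichever secrets the user still has; fail closed when none opens a slot."""
    b64d = base64.b64decode
    attempts = []
    if passphrase is not None:
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b64d(blob["salt"]), PBKDF2_ROUNDS)
        attempts.append(("slot_passphrase", kek))
    if recovery_key is not None:
        attempts.append(("slot_recovery", recovery_key))
    for slot, key in attempts:
        try:
            data_key = unseal(key, b64d(blob[slot]))
        except ValueError:
            continue                      # wrong secret for this slot, try the next
        return json.loads(unseal(data_key, b64d(blob["payload"])))
    raise ValueError("no usable unlock secret: this backup is unrecoverable")


if __name__ == "__main__":
    blob, recovery_key = make_backup(SAMPLE_SETTINGS, "my-device-passphrase")
    print("upload this:", blob)
    print("write this down and keep it offline:", recovery_key.hex())
    print(restore(blob, passphrase="my-device-passphrase") == SAMPLE_SETTINGS)
```

Changing the passphrase means re-wrapping only the small passphrase slot, not re-encrypting the payload, and the provider can rotate or lose nothing that would let it recover the plaintext. The cost is the one the article names: there is no "forgot my password" path that does not go through the recovery key.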

You can read the original article, here.

15

Jan

Likewise, the three countries that took their place in the top flight all came up from the 13-24 range. And, just like in your favourite football league, the majority of the high-flyers stayed put at the top. But is it so surprising that the USA is the Man United of the SPAMMIERSHIP, “winning” as often as not, or that China and India are often found near the top? With more than a billion people each and a thirstily-increasing demand for internet access in both countries, where else would you expect to see China and India except in the Dirty Dozen?

Welcome, then, to the SophosLabs SPAMMIERSHIP League Table:

And with more than 300 million people and the lion’s share of the world’s internet connectivity, where else would you expect to see the USA than leading the pack outright? What, then, if we scale the scores up or down in proportion to each country’s population? Now things get interesting, because a rather different story emerges:


Half of the volume-based culprits are gone, and countries that would usually fly under the radar when measured on spamming volume alone – like Luxembourg and Singapore – suddenly burst onto the scene. Don’t be surprised. This doesn’t mean that usually law-abiding Singapore has turned into a seething swamp of spam-related cybercriminality. Remember that although the Dirty Dozen denotes the extent to which a country’s computers are used for delivering spam, it doesn’t tell us where the spammers themselves are located.

That’s because most spam is sent indirectly these days, especially if it is overtly malevolent, such as:

  • Phishing emails. These try to lure you into entering passwords into mock-ups of a real site such as your bank or your webmail account.
  • Malware links. These urge you to click links that put you directly in harm’s way by taking your browser to hacked websites.
  • Malware deliveries. These use false pretences, such as fake invoices, to trick you into opening infected attachments.
  • Identity theft. These invite you to reply with personally identifiable information, often by claiming to offer work from home opportunities.
  • Investment scams. These talk up investment plans that are at best unregulated and at worst completely fraudulent.
  • Advance fee fraud. These promise wealth or romance, but there are all sorts of fees, bribes and payments to hand over first.

If the crooks behind this sort of cybercrime were to use their own computers, they’d never be able to send the volume of spam they’d like. Also, using their own computers would lead law enforcement to their digital doorsteps. Instead, cybercriminals rely heavily on bots, also known as zombies: innocent users’ computers that are infected with malware that regularly calls home to download instructions on what to do next. Those instructions may say something such as “here is a boilerplate email message, and here is a list of email addresses – send a copy to everyone on it.”

So, if your country is in the Dirty Dozen, it almost certainly has a much-higher-than-average number of unprotected computers that are actively infected with malware. And if a cybercriminal can secretly tell your computer to send spam to 1000 people you’ve never heard of – leaving you to argue with your ISP about why you shouldn’t be thrown offline for antisocial behaviour – then ask yourself this: “What else could he get up to on my account?”

In short, the SPAMMIERSHIP League Tables are meant as a light-hearted way of reminding us all of one very serious aspect of computer security: namely that if you put yourself in harm’s way, you’ll probably end up harming lots of other people, too. In other words, getting serious about computer security is the easiest sort of altruism: by protecting yourself, you help to protect everyone else at the same time.
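A bot doing what the paragraph above describes leaves a simple trace on the network it lives in: a workstation that has no business delivering mail to the internet starts opening port-25 connections to many different mail servers. The following detection script is an added example, not code from the original article or from SophosLabs; the log format (one outbound connection per line, `TIMESTAMP src=IP dst=IP dport=PORT`), the sample records, the assumed internal range and the relay allow-list are all constructed.

```python
"""Flag internal hosts that deliver mail direct-to-MX instead of through the relay.

Added example, not from the original article or SophosLabs. Log format and data are
constructed. Only the designated relay (assumed 10.0.0.2) should speak SMTP to the
internet; any other host talking to several external mail servers on tcp/25 is
behaving like a spam bot.
"""
import re
from collections import defaultdict

RELAYS = {"10.0.0.2"}   # hosts permitted to deliver mail directly to the internet (assumed)
THRESHOLD = 5           # distinct external SMTP peers before a host is flagged (assumed)

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+) dst=(?P<dst>\d+\.\d+\.\d+\.\d+) dport=(?P<dport>\d+)$"
)

# Constructed sample: the relay delivering normally, one workstation sending direct-to-MX
# to eight different mail servers (some more than once), one clean workstation that submits
# mail via the relay and browses the web, and one malformed line that must be skipped.
SAMPLE_FLOWS = "\n".join(
    [f"2014-01-15T10:00:{i:02d}Z src=10.0.0.2 dst=198.51.100.{i} dport=25" for i in range(1, 13)]
    + [f"2014-01-15T10:01:{i:02d}Z src=10.0.0.12 dst=203.0.113.{i} dport=25" for i in range(1, 9)]
    + [f"2014-01-15T10:01:{i:02d}Z src=10.0.0.12 dst=203.0.113.1 dport=25" for i in range(9, 12)]
    + ["2014-01-15T10:02:00Z src=10.0.0.15 dst=10.0.0.2 dport=25",
       "2014-01-15T10:02:01Z src=10.0.0.15 dst=192.0.2.80 dport=443",
       "this line is not a flow record and must be skipped"]
)


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")        # assumed internal address range


def parse_flows(text: str):
    """Yield (src, dst, dport) for each well-formed record; silently drop the rest."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def find_spam_bots(text: str, relays=RELAYS, threshold=THRESHOLD) -> dict:
    """Return {host: distinct external SMTP peers} for non-relay hosts at or above threshold."""
    peers = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if dport == 25 and is_internal(src) and not is_internal(dst):
            peers[src].add(dst)          # repeat connections to one MX count once
    return {src: len(mx) for src, mx in peers.items()
            if src not in relays and len(mx) >= threshold}


if __name__ == "__main__":
    for host, n in find_spam_bots(SAMPLE_FLOWS).items():
        print(f"ALERT {host}: direct-to-MX SMTP to {n} distinct mail servers; "
              f"likely bot-sent spam, check for malware and block tcp/25 egress")
```

Counting distinct destinations rather than connections keeps a host that retries one server from tripping the rule, and excluding the relay by allow-list rather than by volume means a newly infected workstation is caught even when the relay is busier. The same per-source aggregation over small, regular connections to a single external host is the starting point for spotting the "calling home" half of the behaviour.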

You can read the original article, here.

15

Jan

One of Negobot’s creators, Dr. Carlos Laorden, told the BBC that past chat bots have tended to be too predictable: “Their behaviour and interest in a conversation are flat, which is a problem when attempting to detect untrustworthy targets like paedophiles.” The most innovative aspect of Negobot may be a key differentiator that makes it appear more lifelike: namely, the incorporation of the advanced decision-making strategies used in game theory. In a paper about their creation, the researchers describe how they’ve taught the robot to consider a conversation itself as a game.

For example, the bot identifies the best strategies to achieve its goal in what its programmers have taught it to understand as a competitive game. Negobot’s goal is to collect the information that can help to determine if a subject involved in a conversation has paedophile tendencies, all the while maintaining a convincing, kid-like prattle, sprinkled with slang and misspellings, so the subject doesn’t get suspicious. Negobot keeps track of its conversations with all users, both for future reference and to keep a record that could be sent to the authorities if, in fact, the subject is determined to be a paedophile.

The conversation starts out neutral. The bot gives off only brief, trivial information, including name, age, gender and hometown. If the subject wants to keep talking, the bot may talk about favourite films, music, drugs, or family issues, but it doesn’t get explicit until sex comes into the conversation. The bot provides more personal information at higher levels, and it doesn’t shy away from sexual content. The Negobot will try to string along conversationalists who want to leave, with tactics such as asking for help with family, bullying or other typical adolescent problems. If the subject is sick of the conversation and uses less polite language to try to leave, the bot acts like a victim – a youngster nobody pays attention to and who just wants affection from somebody. From there, if the subject has stopped talking to the bot, the bot tries to exchange sex for affection. Is this starting to sound uncomfortably like entrapment?

That’s exactly what gets some experts worried. John Carr, a UK government adviser on child protection, told the BBC that overburdened police could be aided by the technology, but the software could well cross the line and entice people to do things they otherwise might not: “Undercover operations are extremely resource-intensive and delicate things to do. It’s absolutely vital that you don’t cross a line into entrapment which will foil any potential prosecution.” The BBC reports that Negobot has been field-tested on Google chat and could be translated into other languages. Its researchers admit that Negobot has limitations – it doesn’t, for example, understand irony.

Still, it sounds like a promising start to address the alarming rate of child sexual abuse on the internet. Hopefully, the researchers will keep it reined in so as to avoid entrapment – a morally questionable road that could, as Carr pointed out, ruin the chances for prosecutorial success. What do you think? Are you comfortable with the premise, or does the chance of entrapment sour the concept for you?

You can read the original article, here.

15

Jan

She writes: “I personally notified the very first bounty recipient via email today that his submission for the Internet Explorer 11 Preview Bug Bounty is confirmed and validated. (Translation: He’s getting paid.)”

She hasn’t yet named names or put a price tag on the first recipient. In fact, there are already multiple researchers who’ll be receiving bounty payouts. MSRC plans to hook up those researchers who want to be publicly recognized for their contributions on an acknowledgement page on its bounty web site. “Stay tuned, as it will come soon”, Moussouris says.

What Microsoft can share at this point are these two key results:

  • They’re getting more submissions, earlier. Microsoft has received more vulnerability reports in the first two weeks of its bounty programs than it typically would in an average month. It shows that the strategy for getting more vulnerability reports earlier in the release cycle is working, it says.
  • They’re attracting new researchers. Researchers who’ve rarely, or even never, reported directly to Microsoft are now choosing to talk directly to the company. Microsoft interprets that as proof that its strategy to hear from people it usually doesn’t hear from is bearing fruit.

As Moussouris explains it, Microsoft was canny in how it chose to approach the vulnerability market. There’s the black market, where zero-day bugs fetch the highest prices. Then there’s the gray market, where bug-hunting mercenaries make a mint selling information about exploit techniques and unpatched vulnerabilities to corporations and nation states. Microsoft didn’t go there. Instead, it focused on the white market: the place where buyers are after vulnerability information for defensive use, whether it’s vendors themselves (via bounty programs) or a broker who uses the vulnerabilities for their own protection services or threat reports. Moussouris says that three years ago, white-hat bug hunters were passing up cash on the white market and were instead mostly coming to Microsoft directly. That changed over the past few years. Microsoft has witnessed researchers increasingly holding bugs back to see what the going rate might reach on the various markets, typically after Microsoft has released code to manufacturing. The way Microsoft figures it, it’s identified a gap in the market that its new bounty program is filling: namely, in the pre-release, or beta, period.

Moussouris writes: “It’s not about offering the most money, but rather about putting attractive bounties out at times where there are few buyers (if any)… Trying to be the highest bidder is a checkers move, and we’re playing chess”.

There is data out there that bolsters Moussouris’ contention that strategically structured, well-timed bounty programs are a good investment. A study recently released by the University of California, Berkeley reports that paying bounties to independent security researchers is a better investment than hiring employees to do it. For example, Google has paid out about $580,000 over three years for 501 Chrome bugs, and Mozilla has paid out about $570,000 over the same period for 190 Firefox bugs. Compare that with just one full-time salaried security researcher digging through code, at, say, $100,000 per year, and the savings can be huge.


You can read the original article, here.