September, 2014

‘Bash’ bug could let hackers attack through a light bulb

September 25, 2014: 12:54 PM ET


dangerous light bulbs

Say hello to the bash bug, a lesson in why Internet-connected devices are inherently unsafe.

Computer security researchers have discovered a flaw in the way many devices communicate over the Internet. At its most basic, it lets someone hack every device in your house, business or government building — via something as simple as your “smart” light bulb.

With this flaw, criminals can potentially break computers or steal private and government information.

The problem extends to lots of Internet-connected computers located anywhere — from shops to hospitals to schools.

It’s worse if you’re one of those tech-embracing types who buys Internet-connected “smart” appliances. But keep in mind, that includes a rapidly growing number of businesses and governments that use smart devices — like cameras — within their internal networks.

Why fear the bash bug? Because it’s so pervasive.

According to open source software company Red Hat, it affects any device that uses the operating system Linux — which includes everything from calculators to cars. But it also affects Apple Macs and some Windows and IBM machines. Google said no Android machines are susceptible.

In a public warning, Red Hat researchers classified the severity of the bug as “catastrophic.”

Not every connected device is vulnerable. But it’s difficult for the average person to figure out if, for instance, their home security camera is at risk. And it’s unlikely that companies and public institutions are updating every single computer in the back room.

The problem is new, but hackers have already been caught trying to exploit the flaw to set up botnets — hijacking vast numbers of computers. They can then use these slave armies of devices to spread malware or attack websites.

If this bug turns out to be anything like the Heartbleed bug discovered earlier this year, we might not see damage for months. And when we do, it could be disastrous.

In the case of Heartbleed, hackers eventually broke into a hospital network and stole 4.5 million patient records — including Social Security numbers.

Norwegian cybersecurity consultant Per Thorsheim noted that the bug will become old news — but people will still be vulnerable.

“In a few days everything will be forgotten, and the hackers will feast on [this] for years to come,” Thorsheim said.

The only solution for the bash bug? If and when a patch becomes available, update every device you have. But that’s not likely to happen: companies don’t often update their fleets of devices, and customers rarely pay attention to that sort of thing.

Security experts say IT departments are now examining their computer systems to see whether hackers have already exploited this flaw. The problem? They’ll have to look a long way back: this flaw has been around for as long as 20 years.

“We just don’t know how far this goes,” said Chris Wysopal, co-founder of app security firm Veracode.

Here’s how the bash bug works, as explained by cybersecurity expert Robert Graham.

The problem stems from a flaw in bash, a type of computer program called a shell. A shell translates commands from you to a device’s operating system. Think of it as an efficient middleman.

Lots of Internet-connected devices use the bash shell to run commands, like “turn on” and “turn off.” Generally, a device that hands incoming requests to a bash shell also passes along extra information sent with the request, like what browser or device you’re using.

And that’s where the problem lies. If a hacker slips bad code into this extra data, bash runs it as a command, letting them sneak past a device’s safeguards.

A “smart,” Internet-connected light bulb then suddenly becomes a launchpad to hack everything else behind your network firewall, Graham said. That could be your home computer, or a retailer’s payment terminals, or a government office’s sensitive database of information.

“This is the problem with the ‘Internet of Things.’ We’re putting all these things on the Internet without any expectation of actually patching them in the future,” Graham said.
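The mechanism described above, seen from the defender’s side: an added example (not from the article or from Robert Graham) that scans web-server access log lines for the bash function-definition prefix that injected data of this kind has to start with, which is what IT departments looking back through old logs would search for. It assumes the Apache/nginx “combined” log format; the log lines are constructed samples using documentation IP ranges.

```python
"""Scan web access logs for the bash bug (Shellshock) request signature.

Added example, not from the CNN article. The bad code travels in request
headers that a CGI-capable web server copies into environment variables for
bash, so the tell-tale is a bash function definition, "() {", appearing where
a browser string or referer belongs.
"""
import re
from typing import Dict, List

# Apache/nginx "combined" log format is an assumption; adjust LOG_RE for others.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# The function-definition prefix every such payload must begin with; the
# whitespace is optional, so "(){" and "( ) {" are caught as well.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
192.0.2.44 - - [25/Sep/2014:10:02:13 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { :; }; echo referer-probe" "curl/7.30.0"
203.0.113.5 - - [25/Sep/2014:10:03:00 +0000] "GET /about HTTP/1.1" 200 777 "http://example.com/ (search)" "Mozilla/5.0 (Windows NT 6.1)"
"""


def is_shellshock_probe(value: str) -> bool:
    """True if a header value carries the bash function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per suspicious header field, in log order.

    Only the fields the combined format records (Referer, User-Agent) are
    visible here; a payload in Cookie, Host or a custom header would need a
    full request capture, so a clean result is not proof that nobody tried.
    """
    hits: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            # A line the parser cannot read is skipped; in practice, log it
            # separately, since malformed lines can hide what was sent.
            continue
        for field in ("referer", "user_agent"):
            if is_shellshock_probe(m.group(field)):
                hits.append({
                    "line": str(lineno),
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "field": field,
                    "value": m.group(field),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} [{hit['ts']}] "
              f"{hit['field']} = {hit['value']!r}")
```

Run it against a real access log by passing the file contents to scan_log; a hit means a probe was sent, not that it succeeded, so the next step is to confirm whether bash on that host was patched at the time.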

The bug was discovered by Stéphane Chazelas, a French IT manager working for a software maker in Scotland.

Deeper Learning: A Common Denominator for Stem Initiatives

Source: Re/Code

The U.S. added 209,000 jobs in July, the Labor Department unveiled early this month. Coming as it did on the heels of a strong economic rebound in the April-June quarter, you’d think the announcement would be cause to celebrate. But don’t pop the champagne cork just yet.

Yes, job growth is up. But the unemployment rate (6.2 percent) remains stalled. Despite the availability of 4.7 million jobs (according to the June 2014 U.S. Job Openings and Labor Turnover report), 9.7 million people in America still can’t find work. In that gap lies the problem, and it’s a big one.

Job openings are staying open because there are not enough qualified applicants to fill them. If our nation is to stay on the leading edge of the global economy, the single greatest determining factor will be how quickly and effectively we close this skilled workforce gap.

Business and civic leaders rightly look to education for solutions. Technology companies in particular have poured resources into initiatives to drive students to the STE(A)M fields of science, technology, engineering, art and math. But beyond these and other subjects, we must find common-denominator skills that all employees should have, regardless of the industry. Otherwise, we will never translate our myriad corporate initiatives into a scalable solution. Focusing on core academic subjects and relying on assessments that primarily measure recall rather than understanding have yet to yield the caliber of graduates we need — and at the scale we require — to bring our workforce to 21st century standards.

This is why an increasing number of industry leaders are paying attention to a highly promising approach called Deeper Learning.

Deeper Learning focuses on a range of knowledge and skills that include mastery of core academic content, critical thinking and problem solving, collaboration, effective communication, self-directed learning, and acquisition of an “academic mindset” or belief in oneself, that schoolwork is relevant, and that learning will pay off. These skills need to be developed across all subjects, from science and math to English and art. These are precisely the same skills that Fortune 500 companies say they value most highly in employees. What company wouldn’t want a cadre of problem-solving team players with strong interpersonal skills?

Students who are taught with the Deeper Learning approach master academic content — history, language arts, math and science — through hands-on experiences where they apply their learning to real-world situations. In this way, they also get an early lesson in transferring skills — another valuable asset in today’s workforce.

At Swanson Middle School in Arlington, Virginia, eighth graders are using professional, cloud-based design software donated by my company, Autodesk, to design and 3-D print an assistive device to enable a disabled member of their community to better communicate using a touchscreen computer. If these students are already designing devices like this in the eighth grade, imagine what they’ll be able to create down the road. Yet, if they aren’t learning how to collaborate, think critically, communicate effectively and work independently across all their subjects, even their advanced design experience may not be enough to make them successful and engaged employees.

Right now, schools like Swanson are the exception. What will it take to bring Deeper Learning to public schools nationwide?

Leaders across the education, business and civic sectors must work together to create policies that put the focus on how students learn, and on acquiring skills that will be relevant to the rigorous demands of the 21st century economy.

As Winston Churchill once observed, “The empires of the future will be empires of the mind.” These words ring as true today as they did when he spoke them 70 years ago. Our nation is facing a global battle for talent. It is a battle that, if lost, will lower our standing as an economic powerhouse and innovation leader. If we win, we will continue to be the country that builds game-changing industries around ideas that have yet to be imagined. Such empires spring from the cultivation of a child’s mind.

Tom Joseph is senior director of worldwide education at Autodesk Inc.
Reach him @Autodesk

What to Do If You’ve Been Hacked (And How to Prevent It)

Source: Re/Code

The recent celebrity hacking incident and Home Depot data breach may have you worried about your online security, and rightly so. As we bring more aspects of our lives online — social, shopping, banking, storage — the risks of cyber crime increase. But there are ways you can better protect yourself.

In this guide, I’ll outline some steps you can take to safeguard your various Web accounts and devices. The recommendations come from several Internet security experts I spoke with, including Laura Iwan, senior vice president of programs at the Center for Internet Security; Sean Sullivan, security adviser at F-Secure (an antivirus and online security solution provider); and Timo Hirvonen, senior researcher at F-Secure. There are also tips on how to detect if you’ve been hacked and what to do about it.

De-fense! De-fense!

There are numerous precautions that you can take in order to protect yourself from hackers. One of the easiest and most simple ways is to create strong, unique passwords for every one of your accounts. Yet most people don’t.

While it’s tempting to use something like your child’s name and birthday because it’s easier to remember, creating a password with a random mix of uppercase and lowercase letters, numbers and characters will be harder to crack.

There are password apps like LastPass and 1Password that can help you with this by generating strong passcodes for each of your accounts. Plus, they’ll keep track of them all. When choosing such a program, Iwan recommends that you look for one that uses an industry-accepted standard for encryption like Advanced Encryption Standard, or AES, and one that stores your passwords locally on your computer, rather than in the cloud.

Another safety measure you should take is to enable two-factor authentication when available. Two-factor authentication requires a user to provide an extra form of identification beyond just a login ID and password. This may be a special PIN code that’s sent to your phone, a physical token like a key fob, or your fingerprint.

Two-factor authentication isn’t impervious to attacks, but it does add an extra layer of protection. Many popular Web services, including Gmail, Microsoft, Apple, Twitter, Facebook and Dropbox, offer two-factor authentication, so take the extra few minutes to turn it on.

Be suspicious of emails asking for personal information. A lot of hackers use a method called “phishing” that aims to gather sensitive data from you by sending an email that looks like it’s from a legitimate entity like your bank or credit card company. Some signs of a scam might be requests for immediate action, spelling and grammar mistakes, and suspicious links. Do not respond to these. Instead, call up the institution that supposedly sent the email and confirm if it’s legit or alert them to the issue.

Also, it should go without saying, but in general, don’t click on suspicious links or browse unsafe websites. Only install applications that come from trusted, well-known sources. And be sure that the operating system and apps on your computers and mobile devices are updated with the latest versions and patches.

Here are some more specific tips for different Internet activities:

Email and social accounts

  • Think twice about what you post to your social networks, and monitor what others are posting about you. There’s a chance that hackers might use your social profile pages to gather personal information about you, and try to guess your password or answers to your secret question.
  • Related to that, check your account’s privacy settings to make sure you’re only sharing information with your friends, and not with the public.
  • Sullivan also recommends creating separate email addresses for your personal communication and everything else. For example, you might use a throwaway email address for news websites that make you register with a user name and password, or for retailers who want to send you coupons.

Cloud accounts

  • If you back up your files to the cloud, remember that even though you delete them on your computer or mobile device, they’re still stored in your cloud account. To completely delete the file, you’ll also need to remove it from your backup cloud account.

Online transactions

  • Don’t use public computers or public Wi-Fi networks to make any transactions. The machines might contain malicious software that can collect your credit card information, and criminals could also be monitoring public Wi-Fi networks for similar information.

Web browsing

  • Don’t respond to pop-up windows.
  • Secure your home Wi-Fi network using WPA2 with AES encryption settings.
  • Set your Web browser to auto-update to ensure that you’re running the most current version.

Know the signs

How do you know if you’ve been hacked? There may be some obvious signs. For example, you may start getting emails from your friends saying they received a strange message from your email address. Or your bank or credit card company might call you about some suspicious activity on your account. If you installed a mobile app with malware on your smartphone, you might find some unauthorized charges on your phone bill.

There are other, more subtle indicators. You may find new toolbars installed on your Web browser, or new software on your computer. Your computer may also start behaving strangely or slow to a crawl.

These are all signs that you might have been hacked.

I’ve been hacked. Now what?

If you have been hacked, the first thing you should do is reset your passwords. Iwan recommends starting with your email account, followed by your financial and other critical accounts. This is because password resets for all your other accounts are typically sent to your email.

If you’re locked out of your account or blocked from accessing it, many Web services have steps in place so you can get back in. For example, Facebook has a system where you can use a trusted source like a friend to take back your account. Search each service’s help section for specific instructions.

Speaking of friends, you should let your contacts know that you’ve been hacked, and report the issue to the site. Also, run a scan of your computer or mobile device using a trusted and up-to-date antivirus program.

In the case of identity theft, order a copy of your credit reports, and file an initial fraud alert with the three major credit bureaus: Equifax, Experian and TransUnion. Contact your local police and report the identity theft, and request new cards from your bank and credit card companies. You should also continue to monitor your monthly statements for any more unusual activity.

Unfortunately, there’s no way to completely eliminate the risk of hack attacks and other cyber crimes. But by taking some safeguards and arming yourself with the knowledge of what actions to take in the event of an attack, you can help better protect yourself and minimize damage.

Ten Things You Didn’t Know Google Now Could Do

Source: Re/Code

Apple’s Siri is not the only mobile virtual assistant in town. There’s Google Now for Android devices, Cortana for Microsoft’s Windows Phone and plenty of third-party “artificial intelligence” apps that try to make your mobile calendar or contact lists smarter.

The most formidable of these Siri competitors is Google Now. But even for Android power users, it can feel a bit nebulous.

Unlike Siri, which only runs on iOS, Google Now runs on a variety of devices, and might work differently across different smartphones and operating systems. And while Siri has a dedicated button, Google Now runs as a kind of intelligent layer under other applications on the phone. In other words, even when you’re not saying “Okay, Google,” Google Now will still cue up info for you.

It’s also tightly integrated into Google Search — in fact, Google Now exists within the Google Search app, which can make things even more confusing.

So, as a follow-up to Bonnie Cha’s Re/code column about Siri a couple weeks ago, this column is a series of tips and tricks that might help users understand and fully utilize Google Now.*


First, the basics

Google Now is free. It runs on any smartphone running Android 4.1 or later (and on some other devices, which I’ll explain below). If your phone doesn’t have Google Now preinstalled, you can set it up by downloading the Google Search app to your phone.

This is where you can “access” Google Now, although once you’ve opted in, Google Now will also show you alerts and reminders without your opening the app. It can also be accessed via voice control from your phone’s home screen. If you simply say, “Okay, Google,” the app launches. On some hardware, like Google’s own Nexus 5, you can also swipe left from the home screen and see your Google Now data, but this is only on certain phones. (On the Samsung Galaxy S5 that I’ve been using, a swipe from the left brings me to a Samsung-made Flipboard-like app instead.)

In many ways, Google Now works similarly to Siri. For the uninitiated: You can dictate texts and emails, ask for driving directions, have it read you your daily schedule, book reservations for some restaurants, and search for facts and trivia.

Okay, Google. Now for the fun stuff.

Google Now hasn’t solved traffic yet, but …

… it is supposed to help you with your commute. Once Google Now has figured out where you live and where you work — and it does this automatically, based on your daily habits — it will regularly show you an information “card” that estimates your commute based on time of day and location. You can make this even more precise by telling the app whether you normally get around by car, bike, walking or train.

To do this, go into Google Now, scroll all the way to the bottom of your cards, and tap the magic wand. Then, in the Customize menu, select “Everything else,” and there you’ll see an option to tell Google how you usually get around. It will begin to calculate your commute based on this information. Unfortunately, though, there’s no way to select more than one, if you happen to use multiple methods of transport.

Of course I’m always this put-together after a red-eye

Google Now is also supposed to help you look like an informed traveler, not the frazzled flier who says to a cabbie, “Um … hold on … let me check my email … I’ve got the address right here,” when you need to get to your hotel. Google Now pulls reservation information from your Gmail and from Airbnb, provided that you’re logged into that app, and it will show you a reservation card when you land at your destination. I haven’t been able to test this one yet — my reporting trip to Belize was somehow not approved — but, in theory, this should make traveling a little bit easier.

Listen up, sports fans

Love the Boston Red Sox? Or the San Jose Sharks? Or (my favorite basketball team) the Duke Blue Devils? You can tell Google Now which teams are your favorites, and it will push you news stories and real-time updates during games. To do this, go to the same customizable menu you used in tip No. 2 and tap on “Sports.” From there, you can set your teams.

Now you have no excuse for not picking up the milk

Like Siri, Google Now lets you set quick reminders for things. You can simply say, “Okay, Google … set a reminder for” whatever it is. But you can also attach a location to this reminder. So, when I said, “Okay, Google … remind me to pick up coffee filters next time I’m at Safeway,” the reminder popped up when I was in the vicinity of the grocery store. Bonus tip: Once you’ve picked up said groceries, you can use Google Now to set a timer while you’re cooking, by simply saying, “Okay, Google … set a timer for 20 minutes,” or however long you’d like it to be.

Drop a pin? That’s so 2011.

Google Now knows where you’ve parked your car. Try to let that creepy feeling roll off your back for a minute, while I explain how this works. Google Now uses your smartphone’s accelerometer to get a read on when you’ve been driving, when you’ve stopped driving, and when you’ve started walking, and from that, it determines your approximate parking spot. Still a little creeped out? It’s understandable. But this might be useful for people who often forget where they’ve parked.

Have I shown you all 76 of my vacation photos yet?

If you have auto-backup turned on for photos in your Google+ account, then the photos you take on your smartphone will be automatically uploaded to G+, and can be pulled up through Google Now based on geolocation. So if you say, “Okay, Google … show me my pictures from Paris,” Google Now is supposed to pull up all of your photos from that location. In order for this to work, you have to say “my photos” — otherwise it will show you Web photos of Paris.

In my experience, however, this didn’t work so well. I took a handful of photos in downtown San Francisco last week, which were auto-uploaded to G+, and when I asked Google Now to show me my photos from San Francisco, it told me there were no matching photos. Google says there could be technical quirks that might cause it to not work, and that the company is working to improve this feature.

“And then?”

While virtual-assistant software is getting smarter and smarter, most of the time you have to talk, well, like a robot in order for the app to understand what you’re saying. With Google Now, you can actually build on top of your searches to ask shorter, more natural-sounding subsequent questions. So, for example, I said to my Galaxy S5 smartphone, “Okay, Google … how tall is Michael Jordan?” And Google Now told me, “Michael Jordan is six feet six inches tall.” Next, I simply said, “Okay, Google … what about LeBron?” and the app told me that LeBron James is six feet eight inches tall. Next, I said, “Who does he play for?” and it told me the Cleveland Cavaliers.

Spreading the Google Now love

Google Now isn’t just for Android devices. It also runs on iOS through the downloadable Google Search app. The major caveat here, of course, is that it’s not nearly as powerful on iOS as it is on Android devices. For instance, Google Now on iOS won’t let you pull up contacts and call, text or email using voice commands.

“No, I meant tentacles …”

Google Now can also act as your translator. If you say something like “Okay, Google … How do I say in Spanish, ‘I need a doctor’?” the app will dictate the translation for you. This dictation feature works with most Latin-based languages — but not all languages. In fact, I tried translating something from English to Hungarian to communicate with the Google spokeswoman for Google Now, and the app gave me a text-based result, but didn’t read the phrase aloud for me.

Bonus tip: And you thought you’d never have to hear this song again

As with Siri, there are some “Easter eggs” in Google Now. Try asking it, “What does the fox say?” or saying, “Up, up, down, down, left, right, left, right,” and you’ll get some fun responses. However, when you ask Google Now if it will marry you, or if it thinks you’re sexy, the responses come in the form of Google search results.

* Almost forgot about the asterisk, didn’t you? As with most of these types of software applications, it’s a give-and-take — meaning, you’ll have to give up your data if you want the full Google Now experience. When you go to activate Google Now on your Android phone, or you download the Google Search app for iPhone, the app will tell you that it needs to use and store your location for traffic alerts, directions and more, and use your synced calendars, Gmail, Chrome and other Google data to send you reminders and other suggestions. In other words, Google’s got a lot on you, and the data-sharing-averse will likely not want to opt in.

The Government Attack on the Internet

Source: Re/Code

Former FCC Commissioner Robert McDowell recently wrote that “the Internet is the greatest deregulatory success story of all time.” It has remained free of intrusive government controls, facilitating the rapid development of entrepreneurial and innovative companies. Many of these firms started small before generating massive valuations, such as the likes of Facebook, Twitter, and recently BuzzFeed. These are some of the big names, but there are tens of thousands of others, like our members’ startups and firms, who have used the Internet to innovate, grow, compete and transform their industries.

However, the Internet is under attack by government. This unjustified regulation would cause irreversible damage to investment and U.S. leadership on innovation.

Small businesses and entrepreneurs routinely harness the power of the Internet to successfully run their operations — from connecting to consumers and suppliers; to mobile apps and cloud software that help them manage their finances and workforce; to accessing capital through lending and investment platforms. The Internet has fostered a collaborative and dynamic environment, and more people have the opportunity to become successful entrepreneurs because of the tools and opportunity it provides.

If the Federal Communications Commission (FCC) succumbs to the small but vocal few calling for utility-style regulation of broadband networks, much of what we are experiencing today will dramatically change, and not for the better. The FCC is considering wrapping archaic telephone rules around high-speed broadband. These rules are designed for the long-gone domestic telephone oligopoly of the 1930s. In regulatory speak, broadband may be reclassified as a Title II telecommunications service, which means that onerous rules and red tape would interfere with existing competition among high-speed broadband providers.

Under these rules, the government could micromanage common business decisions of companies large and small, like managing Internet traffic or determining the various prices for speeds and services consumers could choose from. Imagine how quickly the dynamism of the Internet would disintegrate if Washington bureaucrats were allowed to intrude in these technically complex and market-driven areas.

Internet service providers (ISPs) have invested more than a trillion dollars into maintaining the privately owned networks that serve as the central infrastructure of the Internet. But with unwarranted government interference potentially coming into play, these businesses will have significantly less incentive to make large-scale investments. In Europe, for example, where utility-style regulation of the Internet has been in place for decades, investment per household is $300 less than in the U.S.

At the local level, regional and medium-sized ISPs have invested in rural areas and small towns to extend access to remote communities — a critical undertaking for economic development and job creation in these areas. Perhaps that is why even the smaller ISPs engaged in rural expansion have expressed grave concerns about the FCC’s upcoming regulatory decision. These ISPs assert that a heavy-handed regulatory approach is unnecessary, and could add additional costs and burden to their operations. For smaller ISPs, their survival is at stake.

The online marketplace has grown organically, and has prospered without government interference. The marketplace is competitive, meaning consumers unhappy with the actions of one company can move to another. A competitive broadband market ensures that customers can access the content they desire at the speed and price that is right for them. That will remain the case as long as the FCC maintains a “light-touch” regulatory framework. This cautious approach to regulation has been in place since President Bill Clinton’s FCC argued that “classifying Internet access services as telecommunications services could have significant consequences for the global development of the Internet.” This remains true today.

A survey for the Small Business & Entrepreneurship Council’s Center for Regulatory Solutions found that the public is overwhelmingly concerned about intrusive government regulation. For example, 70 percent believe that regulation “mostly hurts” the economy, with 84 percent saying that “too many special interests” drive a process that is out of touch, and does not consider real-world impact. Clearly, without any market failure to point to as rationalization to regulate the Internet, the FCC feels the need to act at the behest of a vocal minority. Too much is at stake to let agitators ruin the Internet for everyone else.

Especially now, government policies must protect the investment and innovation that have been vital to the Internet’s development, which remains vital to the modern entrepreneurial ecosystem. With the economy still in a weak state, small businesses and entrepreneurs need a cautious government, not an activist one. The FCC can take heed by rejecting Title II regulations.

Karen Kerrigan is the president and CEO of the Small Business & Entrepreneurship Council (SBE Council). Reach her @KarenKerrigan.

VArmour Comes Out of Stealth With Plan to Secure Data Centers

Source: Re/Code

Barely a day goes by without a news report about a hacker attack, or the revelation of a new security vulnerability to worry about. The rise in computer breaches has sparked a new generation of startups that are thinking about security in new ways and enticing investment.

Today, vArmour, a Mountain View, Calif.-based company whose ability to attract venture capital funding we noted last month, is coming out of stealth mode. Its plan is to offer companies ways to secure their data centers against some of the new tactics that attackers use to sneak in.

While computers have evolved, the ways in which they are secured largely have not. More than half of the computing workload in a modern corporation makes use of so-called virtual machines, which use software to allow one physical computer to act like many. Most of the servers on the Internet, in fact, make use of virtualization, a backbone technology of cloud computing.

And while virtualization has done wonders for computing efficiency and flexibility, it has also created weaknesses that an attacker could exploit and that can also hide the attack itself. On average, attackers are spending more than 240 days perusing a target’s network looking for the juicier files to take before being detected.

VArmour founder and CEO Tim Eades represents a new school of thought in computer security circles that can be best summed up like this: Determined hackers are going to get in, one way or another, so it’s better to catch them in the act and silently study their techniques and learn how they got in. We saw this in the attack against the New York Times disclosed last year.

“The thing that’s not being understood with all these breaches are sometimes the most basic questions: Where did the attackers get in? How did they navigate to it? Where is patient zero?” he said. “If you can’t tell me exactly where they came in, then you can’t shut the door.”

Eades says data centers are suffering from what he calls “invisible east-west traffic.” When virtual machines talk to each other, in the parlance of data center nerds, they’re talking “east to west,” as opposed to the “north to south” traffic that enters or leaves the data center through its perimeter. The names come from the way network diagrams are drawn: servers, storage and networking gear stacked on top of each other, with the outside world at the top. (Up-down equals north-south, get it?)

Once a hacker gets inside a network, more than 80 percent of attacks on data centers, Eades says, take place in that “east to west” territory. They get inside and start sniffing around, hopping from one virtual machine to another, looking for the good stuff to take. Most security products date back to the days before virtualization and so are focused on “north-south” traffic crossing the perimeter, essentially guarding the gate. Trouble is, those tools are busy looking for trouble outside, while the attack is likely happening right behind their backs.

“It’s one thing to shut the gate, but quite another if you don’t know what side of the gate the bad guys are on,” Eades said.

The answer, according to Eades, is to create small virtual machines that can be deployed anywhere in the data center. He calls them sensors. “When the sensors see something suspicious, they can actually do something about it,” he said. “They can stop it, they can move it. But most of our customers don’t want to stop it right away. They want to observe the attack as it happens and see what the perpetrators are up to.”

Putting software sensors throughout the network puts the protection where it’s needed most: Right next to a company’s critical data. Think of the sensors as bodyguards watching over anything on a network — including the traffic between virtual machines — sounding a silent alarm if anything suspicious is going on.
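An added illustration of the east-west blind spot described above, not code from vArmour or from the Re/code article: a small flow-log analysis that classifies each connection as north-south or east-west, counts how much of the traffic a perimeter-only sensor would never see, and flags an internal host that starts fanning out to many internal peers on administrative ports, the pattern of an attacker hopping from one virtual machine to the next. The address plan (10.0.0.0/8 as the data center), the admin-port list and the flow records are constructed assumptions for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed address plan for this example: every host in 10.0.0.0/8 is a data-center VM.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
# Ports an attacker pivoting between machines reaches for; an application tier
# talking to its database does not spray these across many peers.
ADMIN_PORTS = {22, 135, 139, 445, 3389, 5985}

# Constructed flow records (timestamp, src, dst, dst_port). 203.0.113.5 and
# 198.51.100.7 are outside clients; 10.1.0.10 is a web VM that is later compromised
# and starts probing the database tier; 10.9.0.1 is a monitoring host polling SNMP.
FLOWS = [
    (1000, "203.0.113.5", "10.1.0.10", 443),
    (1001, "10.1.0.10", "10.2.0.20", 3306),
    (1002, "198.51.100.7", "10.1.0.10", 443),
    (1003, "10.1.0.10", "10.2.0.20", 3306),
    (1100, "10.9.0.1", "10.2.0.20", 161),
    (1101, "10.9.0.1", "10.2.0.21", 161),
    (1102, "10.9.0.1", "10.2.0.22", 161),
    (1103, "10.9.0.1", "10.2.0.23", 161),
    (1104, "10.9.0.1", "10.2.0.24", 161),
    (1105, "10.9.0.1", "10.2.0.25", 161),
    (1200, "10.1.0.10", "10.2.0.21", 445),
    (1201, "10.1.0.10", "10.2.0.22", 445),
    (1202, "10.1.0.10", "10.2.0.23", 22),
    (1203, "10.1.0.10", "10.2.0.24", 445),
    (1204, "10.1.0.10", "10.2.0.25", 3389),
]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def direction(src, dst):
    """North-south crosses the perimeter; east-west stays between internal hosts."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"

def split_by_direction(flows):
    """Count flows per direction: the east-west share is invisible to a perimeter sensor."""
    counts = defaultdict(int)
    for _, src, dst, _ in flows:
        counts[direction(src, dst)] += 1
    return dict(counts)

def find_pivots(flows, window=300, min_peers=5, min_admin_peers=3):
    """Flag internal sources that, within `window` seconds, reach at least
    `min_peers` distinct internal peers, `min_admin_peers` of them on admin ports.
    Returns {src: (window_start_ts, peers, admin_peers)} for the first window
    that trips the thresholds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if direction(src, dst) == "east-west":
            by_src[src].append((ts, dst, dport))
    alerts = {}
    for src, events in by_src.items():
        win = deque()
        for ts, dst, dport in events:
            win.append((ts, dst, dport))
            while win[0][0] < ts - window:          # slide the window forward
                win.popleft()
            peers = {d for _, d, _ in win}
            admin_peers = {d for _, d, p in win if p in ADMIN_PORTS}
            if len(peers) >= min_peers and len(admin_peers) >= min_admin_peers:
                alerts[src] = (win[0][0], frozenset(peers), frozenset(admin_peers))
                break
    return alerts

if __name__ == "__main__":
    print(split_by_direction(FLOWS))
    for src, (start, peers, admin) in find_pivots(FLOWS).items():
        print(f"{src}: from t={start} reached {len(peers)} peers, {len(admin)} on admin ports")
```

Only two of the fifteen flows cross the perimeter, which is all a north-south sensor would inspect. The monitoring host reaches six peers but only on UDP 161, so the admin-port condition keeps it out of the alert list; the compromised web VM trips the thresholds once it has touched four database-tier hosts on SMB, SSH and RDP. Thresholds like these are a starting point; in a real deployment they would be tuned per tier against the normal east-west baseline.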

It makes sense in a world that is shifting its computing resources toward the cloud. And so vArmour charges like a cloud vendor: Customers pay for what they use. “The model has to change. In the old ‘up to’ model, you pay for 100 percent of something, even if you’re only using, say, 37 percent of that something.” That allows customers the flexibility to use more sensors when they’re under attack, and throttle back down later. “The legacy security companies are going to have a hard time adjusting to that,” he said.

VArmour last month closed a $21 million C round led by Columbus Nova Technology Partners, Citi Ventures and Work-Bench Ventures, and also disclosed a $15 million B round led by Menlo Ventures which it closed late last year. It has raised a combined $42 million. Eades sold his last security company, Silver Tail Systems, to RSA, the security unit of tech giant EMC. The deal was said at the time to value Silver Tail in the neighborhood of $300 million.

FBI’s New Facial Recognition System May Cover a Third of Americans

Jason Mick (Blog) – September 16, 2014 4:14 PM
Law-abiding citizens may be dragged into criminal investigations due to the database’s alarmingly high levels of false positives

Continuing the slow creep towards the ubiquitous “Big Brother” style surveillance of George Orwell’s 1984, the U.S. Federal Bureau of Investigation (FBI) revealed on Monday that its Next Generation Identification (NGI) system had achieved “full operational capability”.

I. Fully Operational

The new effort ties together multiple sources of biometric information — most notably mugshots for facial recognition and fingerprints.  The FBI brags in a press release:

As part of NGI’s full operational capability, the NGI team is introducing two new services: Rap Back and the Interstate Photo System (IPS). Rap Back is a functionality that enables authorized entities the ability to receive ongoing status notifications of any criminal history reported on individuals holding positions of trust, such as school teachers. Law enforcement agencies, probation and parole offices, and other criminal justice entities will also greatly improve their effectiveness by being advised of subsequent criminal activity of persons under investigation or supervision. The IPS facial recognition service will provide the nation’s law enforcement community with an investigative tool that provides an image-searching capability of photographs associated with criminal identities. This effort is a significant step forward for the criminal justice community in utilizing biometrics as an investigative enabler.

It’s taken the FBI over half a decade to construct its system.  Work on the NGI began in 2006, with a Phase I pilot version launching in early 2011.  In announcing the project, the FBI wrote:

Next Generation Identification is not… A tool to expand the categories of individuals from whom the fingerprints and biometric data may be collected, nor will it change existing legal authorities. It doesn’t threaten individual privacy. As required with any federal system, the FBI is doing Privacy Impact Assessments on what information will be collected, how it will be shared, how it will be accessed, and how the data will be securely stored…all in an effort to protect privacy.

The NGI was an expensive project costing taxpayers billions, much of which went to a variety of high profile contractors, including International Business Machines, Corp. (IBM), BAE Systems plc. (LON:BA), and Lockheed Martin Corp. (LMT).  The lucrative payday for military-espionage corporate special interests might be justified, but the question is whether this program is a more limited effort aimed at criminals, or whether it might be the next coming of the U.S. National Security Agency‘s (NSA) Orwellian PRISM program.

FBI NGI architecture
The NGI’s backend is driven by IBM supercomputers.

Some aspects of the NGI are certainly praiseworthy and draw little controversy.  For example, it has reduced the time to process high priority criminal ten-fingerprint submissions from 2 hours down to 10 minutes — an order of magnitude speedup.

FBI next-gen fingerprinting
The NGI is paired with the agency’s next-generation fingerprinting technologies.

The FBI’s full legacy criminal fingerprint database has as many as 100 million fingerprints in it.  But only roughly 2 million are stored in this special high-speed database, designed to identify “dangerous” suspects, such as known terrorism affiliates, sex offenders, and fugitives.


The database may also be expanded to include palmprints, an emerging form of biometrics.  However, as with the high-priority database, the palm database would likely be reserved for select groups of suspects.

II. Poor Quality Images of Criminals May Lead to False Flagging of Law-Abiding Citizens

The more contentious aspects of the next generation biometrics criminal database are the facial recognition and advanced biometrics bits.  In addition to facial images, the FBI is also reportedly storing images of iris and identifying marks (scars and tattoos) to help identify persons of interest, both law-abiding and otherwise.

It’s hard to deny that there may be some benefits to the FBI’s increased ability to identify faces.  The FBI’s database of roughly 100 million fingerprints and its large collection of criminals’ DNA has offered key breaks in many cases over the years.

But groups such as the Electronic Frontier Foundation (EFF) are already voicing concern over a number of aspects of the NGI’s facial recognition components.  One concern is that while most of the database’s photos are of current and former criminals, a small but increasing minority of its images is of law-abiding citizens.  As these two collections (criminal suspects and citizens with clean records) are run through the same identification algorithms, it raises the prospect of innocent citizens being unnecessarily implicated in criminal investigations.

Writes the EFF:

NGI will allow law enforcement at all levels to search non-criminal and criminal face records at the same time. This means you could become a suspect in a criminal case merely because you applied for a job that required you to submit a photo with your background check.

While mistaken identification is of course a common problem in a non-digital context, the NGI could greatly increase it by offering up faulty tools.  But how are the tools faulty and who’s to blame?  The answer arguably lies in the states.

FBI NGI detection
The size of the database in records has skyrocketed, but poor data quality may lead to false positives.

So far twenty-six states — a little over half the states in the Union — have signed on to participate in the facial recognition program. The other states haven’t — likely fearing civil liberty issues.  The FBI set forth a series of guidelines to participating states, but it basically got its images in whatever form the state deemed fit.

A hint at how bad the data quality may be comes in the “Face Report Card”, which the FBI published in a special more in-depth effort with the state of Oregon.

In this publication, it reports that Oregon provided it with 14,408 photos over the review period in 2011.  Of these, most were deemed unacceptable for a variety of reasons.  First, the photos were of too low a resolution.  The program requests that images be at least 0.75 megapixels (less than a smartphone photo).  But most of the photos submitted by the state of Oregon were even lower resolution than that — perhaps VGA quality images.  Further, many were deemed problematic due to non-ideal lighting, background, and interference.

It’s unclear just how many of the NGI’s images are these kinds of poor quality shots.  In 2012 the database housed 13.6 million images of 7 to 8 million individuals.  By 2013 the database grew to 15 million images and by 2015 it’s expected to further expand to 52 million facial images.  The latest metrics indicate that on a daily basis roughly 55,000 new facial images are added to the database and “tens of thousands” of searches are conducted by the FBI and the “18,000 law enforcement agencies and other authorized criminal justice partners” (mostly state, local, and tribal police) on the growing database of images.

III. Civilian Contractors are in for a Headache

A particularly glaring concern is that many of the best images may actually come from non-criminals.  The FBI says it expects to have 46 million criminal images by 2015, but also 4.3 million “civilian” images — pictures of law-abiding citizens.

FBI NGI by states
Roughly half of states are giving the FBI’s facial recognition efforts a helping hand. [Image Source: EFF]

Technically the FBI appears to be keeping its promise of not expanding biometrics to new groups, as the “civilian” images largely come from groups like federal employees or contractors who already were required to submit fingerprints to the government.  But what is concerning is that in some cases the high-quality face shots of these law-abiding citizens may be compared to millions of low quality images of criminals.  Such a system might almost be guaranteed to create false positives.

But the FBI tries to obfuscate the issue with double-speak saying in effect that the system doesn’t make determinations so it can’t have false positives.  The EFF describes:

Because the system is designed to provide a ranked list of candidates, the FBI states NGI never actually makes a “positive identification,” and “therefore, there is no false positive rate.” In fact, the FBI only ensures that “the candidate will be returned in the top 50 candidates” 85 percent of the time “when the true candidate exists in the gallery.” It is unclear what happens when the “true candidate” does not exist in the gallery—does NGI still return possible matches? Could those people then be subject to criminal investigation for no other reason than that a computer thought their face was mathematically similar to a suspect’s? This doesn’t seem to matter much to the FBI—the Bureau notes that because “this is an investigative search and caveats will be prevalent on the return detailing that the [non-FBI] agency is responsible for determining the identity of the subject, there should be NO legal issues.”

The question becomes: if the tool only places the true candidate somewhere in its top 50 results 85 percent of the time, and is at its worst accuracy-wise when it comes to criminal photos (which reviews indicated were unacceptably low quality for a variety of reasons), is the database going to violate due process by leading to the harassment of law-abiding citizens?

The EFF doesn’t have a very favorable view of the tool, writing:

Even though FBI claims that its ranked candidate list prevents the problem of false positives (someone being falsely identified), this is not the case. A system that only purports to provide the true candidate in the top 50 candidates 85 percent of the time will return a lot of images of the wrong people.

Is the database more trouble than it’s worth?
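A constructed simulation of what a ranked-list search actually does, added here and not taken from the EFF or the FBI: a one-to-many search returns the k closest gallery templates no matter how poor the best match is, so every search surfaces k-1 people who are not the subject on a hit and k on a miss, and a probe whose subject is not enrolled at all still comes back with k candidates. The “templates” are random 16-dimensional vectors with added noise, an assumption standing in for real face embeddings; the hit rate it produces is a property of this toy data, not of NGI.

```python
import random

DIM = 16  # toy template size; real face embeddings are far larger

def make_templates(n, rng):
    """Constructed stand-ins for enrolled face templates: one random vector each."""
    return [[rng.gauss(0.0, 1.0) for _ in range(DIM)] for _ in range(n)]

def distance(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def rank_candidates(probe, gallery, k):
    """One-to-many search: indices of the k closest gallery entries.
    There is no 'no match' answer; the k slots are always filled."""
    order = sorted(range(len(gallery)), key=lambda i: distance(probe, gallery[i]))
    return order[:k]

def run_searches(gallery, probes, k):
    """probes: (template, true_index) pairs, true_index None when the subject
    is not enrolled. Returns (hit, wrong_candidates) per search."""
    results = []
    for template, true_idx in probes:
        candidates = rank_candidates(template, gallery, k)
        hit = true_idx is not None and true_idx in candidates
        results.append((hit, len(candidates) - (1 if hit else 0)))
    return results

def summarize(results, enrolled_probes):
    """Rank-k hit rate over enrolled probes, plus the total number of returned
    people who were not the subject of their search."""
    hits = sum(1 for hit, _ in results if hit)
    rate = hits / enrolled_probes if enrolled_probes else 0.0
    return rate, sum(wrong for _, wrong in results)

def simulate(gallery_size=1000, enrolled=100, unenrolled=50, k=50, noise=1.2, seed=1):
    rng = random.Random(seed)
    gallery = make_templates(gallery_size, rng)
    probes = []
    # Enrolled subjects searched with a noisy copy of their template (a poor photo).
    for idx in rng.sample(range(gallery_size), enrolled):
        probes.append(([x + rng.gauss(0.0, noise) for x in gallery[idx]], idx))
    # Subjects who are not in the gallery at all.
    for template in make_templates(unenrolled, rng):
        probes.append((template, None))
    return summarize(run_searches(gallery, probes, k), enrolled)

if __name__ == "__main__":
    rate, wrong = simulate()
    print(f"rank-50 hit rate {rate:.2f}; non-matching people returned: {wrong}")
```

Whatever the hit rate comes out to, the second number is always (enrolled + unenrolled) × k minus the hits: the ranked list never returns fewer than k names, so the search volume the article quotes (“tens of thousands” a day) translates directly into a count of people handed to investigators who are not the person being sought.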

IV. What the FBI Isn’t Telling Us

That question grows tougher to answer amid accusations that the FBI is not being forthright about how many civilian records are in its dataset.  If the EFF is correct it is very possible that you may be in the search space, even if you’ve never applied for credentials at a federal agency or done other work-related background screenings that would place you in the FBI’s data set.

The first place you might find yourself is in the vaguely defined categories in the FBI set itself.

Close to a million additional facial images of law-abiding civilians could also be in the database by 2015, under the “Special Population Cognizant” (SPC) (750,000 images) and “New Repositories” (215,000 images) categories.  The FBI has been vague about exactly who falls under these groups, but a 2007-era agency document [PDF] unearthed by the EFF seems to indicate that the SPC group will be used as an arbitrary grab-bag which federal partner agencies can use to create groups of civilian or criminal images they feel are relevant to their investigations.  For example, a federal agency might include civilian pictures from their contractors’ keycards as part of their submission.

Because of these poorly defined groups the percentage of non-criminal (civilian) images in the database could be as high as 10 percent or as low as 8 percent — in the set the FBI is acknowledging, at least.  Either way, some may be surprised to find themselves in the database and potentially unnecessarily ensnared in FBI investigations due to erroneous matches.

But there’s more.  There’s a second set you may belong to.  And this set may be much bigger.

The EFF also warns that the contractor responsible for the facial recognition algorithm — MorphoTrust (formerly L-1 Identity Solutions) — may also effectively search other large federal and state databases in addition to those detailed by the FBI.  MorphoTrust is responsible for the driver’s license databases at 35 of the 50 state Departments of Motor Vehicles (DMVs).  It also provides a facial recognition database for the U.S. Department of Defense (DoD) and yet another database to the U.S. State Department.  The State Department database is the largest officially disclosed government facial recognition database in the world, with 244 million images of over 100 million people.

NGI datasets

It is known that [PDF] the DoD shares its facial recognition data with the FBI and it is not believed that this is included in the 52 million image total.  Similar sharing may occur with the state DMVs and with the State Department.  The EFF complains:

The FBI failed to release records discussing whether MorphoTrust uses a standard (likely proprietary) algorithm for its face templates. If it does, it is quite possible that the face templates at each of these disparate agencies could be shared across agencies—raising again the issue that the photograph you thought you were taking just to get a passport or driver’s license is then searched every time the government is investigating a crime. The FBI seems to be leaning in this direction: an FBI employee email notes that the “best requirements for sending an image in the FR system” include “obtain[ing] DMV version of photo whenever possible.”

In other words, the database of faces used by the FBI may only be the tip of the iceberg, a criminal subset of the greater search space.  The true searchable dataset of faces may be primarily civilians, which raises serious questions why the FBI is accessing that data — or if it’s not accessing it, why it isn’t making that clear to the public.


There’s strong evidence that the NGI is tied to the U.S. Department of Homeland Security‘s (DHS) BOSS project, whose goal is to be able to publicly identify every American in public via facial recognition.

And due process issues aside, this influx of civilian records would seemingly make the job of picking out criminals in the already poor state-submitted photo database even harder.

V. Database May Cover Over 100 Million Americans

It’s possible these datasets are not searchable by the FBI, but the lack of transparency, at the bare minimum, is glaring.  The FBI was supposed to conduct regular “Privacy Impact Assessments” to discuss and brainstorm solutions to such issues.  But its last Privacy Impact Assessment was filed in 2008 — more than half a decade ago.  As a result of this blackout, it’s unclear what exactly the FBI’s “fully operational” database truly represents.

FBI NGI bigger and better
Bigger, as in “Big Brother”?

The EFF states that the worst-case scenario may indeed not be too far off the mark.  Its initial investigation indicates that as many as 100 million-plus civilians — a third of law-abiding Americans — may have their facial images stored in the database, assigned a searchable “Universal Control Number” just like photos of criminals.  The EFF writes:

EFF received these records in response to our Freedom of Information Act lawsuit for information on Next Generation Identification (NGI)—the FBI’s massive biometric database that may hold records on as much as one third of the U.S. population. The facial recognition component of this database poses real threats to privacy for all Americans.

But threat or no threat, Americans have little recourse unless they can convince the courts that the program is unconstitutional (good luck with that) or, more likely, convince Congress to more clearly and narrowly define its scope.  At present Congress has failed to adopt any sort of legislation restricting what kinds of civilian biometrics can be collected and whether those biometrics can be searched in a criminal investigation.

Boston bomber
The FBI tried to use facial recognition to ID the Boston bombing suspects, but the system failed.  Will it be more useful for harassing the populace? [Image Source: FBI/Salon]

As a result, if you are an American, you might find yourself pulled in for questioning by police in the near future simply because your photo looked vaguely like a blurry VGA photo of a known criminal.  And as the number of such innocent mistakes grows, so too does the potential for abuse, as law enforcement receives a convenient excuse to pull in and harass whoever they want, be it a political rival or an ex-lover.

Moreover, your taxpayer money will be spent on these mistakes — be they innocent or malicious.  You may ultimately be paying taxes to falsely implicate yourself in a criminal investigation.  It’s easy to see why the EFF believes that it’s cause for concern.
Sources: FBI [press release], EFF [press release]

Cognizant to Buy Trizetto to Boost Health Care Business

Source: Re/Code

Cognizant Technology Solutions struck its biggest deal on Monday, acquiring health-care IT services provider TriZetto for $2.7 billion to beef up its slowing health-care business.

Shares of the company, which is buying TriZetto from London-based private equity firm Apax Partners, were down almost one percent in late trading.

Cognizant’s health-care business, which accounted for about 26 percent of total revenue in 2013, has declined in the last three quarters.

The company provides services such as claims processing, billing and call center operations to insurers, hospitals and some state-run health-care exchanges set up under President Barack Obama’s Affordable Care Act, also known as Obamacare.

TriZetto provides information technology services, including care management and the administration of benefits. The company said it reaches 245,000 health-care providers, representing more than half of the insured population in the United States.

Englewood, Colo.-based TriZetto is the latest U.S. health-care IT services provider to be acquired as payers and providers of health-care seek new ways to cut costs.

“Health care is undergoing structural shifts due to reform, cost pressure and shifting responsibilities between payers and providers,” Cognizant CEO Francisco D’Souza said in a statement. “This creates a significant growth opportunity, which TriZetto will help us capture.”

The company in August forecast its slowest full-year sales growth in its 20-year history.

Cognizant, whose rivals include Tata Consultancy Services and Infosys, said it expected revenue synergies of $1.5 billion over the next five years from the deal.

The company said the deal would immediately add to adjusted profit on closing, expected in the quarter ending December.

Apax Partners, which acquired TriZetto in 2008, was exploring a sale of the company, sources told Reuters in August.

TriZetto had 12-month earnings before interest, tax, depreciation and amortization of more than $190 million as of June 30, one of the sources had then said.

Cognizant said on Monday it would fund the deal through a combination of cash and debt and had secured $1 billion in financing.

The deal comes after private equity firms Silver Lake Partners and BC Partners sold health insurance claims processor MultiPlan for $4.4 billion in March to a consortium led by Maurice “Hank” Greenberg’s buyout firm Starr Investment Holdings.

Credit Suisse, UBS Securities LLC and Centerview Partners advised Cognizant, while J.P.Morgan Securities and Goldman Sachs & Co advised TriZetto.

(Reporting by Soham Chatterjee in Bangalore; Editing by Saumyadeb Chakrabarty and Sriraj Kalluvila)

SNMP DDoS Scans Spoof Google Public DNS Server

Source: Threatpost

The SANS Internet Storm Center this afternoon reported SNMP scans spoofed from Google’s public recursive DNS server seeking to overwhelm vulnerable routers and other devices that support the protocol with DDoS traffic.

“The traffic is spoofed, and claims to come from Google’s DNS server. The attack is however not an attack against Google. It is likely an attack against misconfigured gateways,” said Johannes Ullrich, dean of research of the SANS Technology Institute and head of the Internet Storm Center.

Ullrich said the ISC is still investigating the scale of the possible attacks, but said the few packets that have been submitted target default passwords used by SNMP. In an update posted last night, Ullrich said the scans are sequential, indicating someone is conducting an Internet-wide scan looking for vulnerable routers and devices that accept certain SNMP commands.

“The attack uses the default ‘read/write’ community string of ‘private.’ SNMP uses this string as a password, and ‘private’ is a common default,” Ullrich said. “For read-only access, the common default is ‘public.’”

Ullrich explained that the attack tries to change two configuration variables in the affected device: it sets the TTL (Time To Live) variable to 1, which he said prevents any future traffic from leaving the gateway, and it sets the Forwarding variable to 2, which turns forwarding off. (In standard MIB-II terms these are ipDefaultTTL and ipForwarding, where a value of 2 means not-forwarding.) Vulnerable configurations, Ullrich said, are likely not common.

“If this works, it would amount to a [DDoS] against the network used by the vulnerable router,” Ullrich said. “This could also just be a troll checking ‘what is happening if I send this?’”

Large-scale DDoS attacks rely on amplification or reflection techniques to amp up the amount of traffic directed at a target. DNS reflection attacks are a time-tested means of taking down networks with hackers taking advantage of the millions of open DNS resolvers on the Internet to get up to 100 to 1 amplification rates for every byte sent out. Earlier this year, home routers were targeted in DNS-based amplification attacks; more than five million were used during February alone as the starting point for DDoS attacks.

Also earlier this year, hackers found a soft spot in Network Time Protocol (NTP) servers that sync time for servers across the Internet. NTP-based DDoS attacks, some reaching 400 Gbps, were keeping critical services offline. However, a concerted patching effort has kept these attacks at bay and in June, NSFocus reported that of the 430,000 vulnerable NTP servers found in February, all but 17,000 had been patched.

Experts, however, warned that SNMP-based DDoS attacks could be the next major area of concern. Matthew Prince, CEO of CloudFlare, said in February that SNMP attacks could dwarf DNS and NTP.

“If you think NTP is bad, just wait for what’s next. SNMP has a theoretical 650x amplification factor,” Prince said. “We’ve already begun to see evidence attackers have begun to experiment with using it as a DDoS vector. Buckle up.”

SANS’ Ullrich, meanwhile, said he’s continuing to research this attack, and admins should be on the lookout for packets from the source IP, which is Google’s DNS server, with a target UDP port of 161.

“Just like other UDP based protocols (DNS and NTP), SNMP has some queries that lead to large responses and it can be used as an amplifier that way,” Ullrich said.
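As an added example, not code from the ISC or Threatpost: a Python decoder for SNMPv1/v2c datagrams and a check that applies the indicators Ullrich describes to a single UDP packet, namely a source address belonging to Google Public DNS (8.8.8.8 or 8.8.4.4, which never originate SNMP), destination port 161, a SetRequest carrying a default community string, and writes that set ipForwarding (1.3.6.1.2.1.4.1.0) to 2 and ipDefaultTTL (1.3.6.1.2.1.4.2.0) to 1. The sample datagram is constructed here with a small BER encoder so the check runs offline; it matches the article’s description of the packets but is not one of the packets submitted to the ISC.

```python
# Minimal BER/SNMP helpers for SNMPv1 and v2c (no SNMPv3 support).
SET_REQUEST = 0xA3
IP_FORWARDING = "1.3.6.1.2.1.4.1.0"    # MIB-II ipForwarding: 1 = forwarding, 2 = not
IP_DEFAULT_TTL = "1.3.6.1.2.1.4.2.0"   # MIB-II ipDefaultTTL
DEFAULT_COMMUNITIES = {"public", "private"}
GOOGLE_PUBLIC_DNS = {"8.8.8.8", "8.8.4.4"}
SNMP_PORT = 161

def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the BER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                         # base-128 digits, continuation bit 0x80
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def _decode_int(body):
    return int.from_bytes(body, "big", signed=True)

def parse_snmp(payload):
    """Decode an SNMPv1/v2c message into version, community, PDU type and varbinds."""
    _, msg, _ = _read_tlv(payload, 0)
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_type, pdu, _ = _read_tlv(msg, pos)
    _, request_id, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)             # error-status
    _, _, pos = _read_tlv(pdu, pos)             # error-index
    _, vb_list, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vb_list):
        _, vb, pos = _read_tlv(vb_list, pos)
        _, oid, vpos = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, vpos)
        varbinds.append((_decode_oid(oid), _decode_int(val) if vtag == 0x02 else val))
    return {"version": _decode_int(version), "community": community.decode("latin-1"),
            "pdu_type": pdu_type, "request_id": _decode_int(request_id), "varbinds": varbinds}

def assess_datagram(src_ip, dst_port, payload):
    """Apply the indicators from the ISC report to one UDP datagram."""
    if dst_port != SNMP_PORT:
        return []
    msg, findings = parse_snmp(payload), []
    if src_ip in GOOGLE_PUBLIC_DNS:
        findings.append("spoofed-source")      # a recursive resolver never sends SNMP
    if msg["community"] in DEFAULT_COMMUNITIES:
        findings.append("default-community")
    if msg["pdu_type"] == SET_REQUEST:
        findings.append("set-request")
        for oid, value in msg["varbinds"]:
            if oid == IP_FORWARDING and value == 2:
                findings.append("disable-forwarding")
            if oid == IP_DEFAULT_TTL and value == 1:
                findings.append("ttl-1")
    return findings

# Encoder used only to build the constructed sample (short-form lengths suffice).
def _tlv(tag, body):
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _encode_int(value):
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)

def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def build_set_request(community, assignments, request_id=1, version=1):
    """Build an SNMPv2c (version=1) SetRequest; assignments are (oid, int) pairs."""
    varbinds = b"".join(_tlv(0x30, _tlv(0x06, _encode_oid(o)) + _tlv(0x02, _encode_int(v)))
                        for o, v in assignments)
    pdu = (_tlv(0x02, _encode_int(request_id)) + _tlv(0x02, b"\x00")
           + _tlv(0x02, b"\x00") + _tlv(0x30, varbinds))
    return _tlv(0x30, _tlv(0x02, _encode_int(version))
                + _tlv(0x04, community.encode()) + _tlv(SET_REQUEST, pdu))

# Constructed sample: the write the ISC described, as if spoofed from Google's resolver.
SAMPLE = build_set_request("private", [(IP_FORWARDING, 2), (IP_DEFAULT_TTL, 1)])

if __name__ == "__main__":
    print(parse_snmp(SAMPLE))
    print(assess_datagram("8.8.8.8", 161, SAMPLE))
```

The decoder deliberately stops at the varbind list and does not validate types beyond INTEGER, which is all this scan needs; a production sensor would also confirm that the device in question actually accepted the write (an SNMP GetResponse with error-status 0) before raising the severity.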

Hack Canon Printers – Play Doom!

Source: Slashdot

Security researcher Michael Jordon has hacked a Canon Pixma printer to run Doom. He did so by reverse engineering the firmware encryption and uploading modified firmware via the update interface. From the BBC: “Like many modern printers, Canon’s Pixma range can be accessed via the net, so owners can check the device’s status. However, Mr Jordon, who works for Context Information Security, found Canon had done a poor job of securing this method of interrogating the device. ‘The web interface has no user name or password on it,’ he said. That meant anyone could look at the status of any device once they found it, he said. A check via the Shodan search engine suggests there are thousands of potentially vulnerable Pixma printers already discoverable online. There is no evidence that anyone is attacking printers via the route Mr Jordon found.”