Hacking and data breaches have been in the public mindset for a long time. But as more technology is integrated into our daily lives and the workplace, you and your firm have become even more susceptible to a hack – highlighting the importance of cybersecurity, an industry Arizona is on the frontline of shaping. You’ve probably seen the splashy headlines about data breaches hitting big names like Banner Health, Chick-fil-A, Equifax, Target, the U.S. Postal Service, Sony, Yahoo! and the list goes on. Like many other people, you might have brushed off those headlines or yawned, thinking you’re glad not to have to manage those damage control teams. But in this growing world of cybercrime and technology, it’s no longer a matter of if you’ll be playing damage control after a data breach at your firm, it’s a matter of when. “Small and medium-sized businesses are drastically underestimating the risk by just thinking, ‘They’re not interested in me,’” says Michael Cocanower, founder and president of Phoenix-based itSynergy. “In fact, hackers are very interested in you. They realize, ‘I can spend six months hacking into Target, or I can spend this afternoon hacking into your 20-person company and make $10,000 off that.’” Cybercrime has cost businesses, individuals, governments and the world game-changing amounts of money. Cost of cybercrime Cybersecurity Ventures, a research and market intelligence firm, reports the cost of cybercrime will grow from $3 trillion in 2015 to $6 trillion by 2021. United Kingdom-based research firm Juniper Research predicts cybercrime will cost businesses alone more than $2 trillion by 2019. However you cut it, cybersecurity will only get more serious and more important as time moves on. Many businesses are unprepared, with 87 percent of small businesses reporting that they do not have a formal written Internet security policy, according to the National Cyber Security Alliance. Also, The National Cyber Security Alliance reports that 60 percent of small companies are unable to stay in business six months after a cyberattack. Cocanower says business owners need to be much more aware of cybercrime and the importance of having their cybersecurity systems up to snuff. There are a variety of ways hackers can infiltrate your business and you need to be aware of them, Cocanower says. Phishing scams and downloading malware or viruses are probably the most common and known. But you could also be compromised by inputting your password on a website you think is real, using open Wi-Fi, the list of risks goes on. Nothing Web-connected is safe either. Your smart phone, watch, car and Web-connected toaster oven are just the newest items susceptible to attack. Sure, you can download the latest anti-virus software, hire a skilled cybersecurity team (if you can find people who are qualified and available) and do 100 different things to keep your company secure, but that’s still not enough. Why? “The weakest link in any system is the human being,” Cocanower says.
WASHINGTON (Reuters) – The Trump administration on Wednesday told U.S. government agencies to remove Kaspersky Lab products from their networks, saying it was concerned the Moscow-based cyber security firm was vulnerable to Kremlin influence and that using its anti-virus software could jeopardize national security.
The decision represents a sharp response to what U.S. intelligence agencies have described as a national security threat posed by Russia in cyberspace, following an election year marred by allegations that Moscow weaponized the internet in an attempt to influence its outcome.
In a statement, Kaspersky Lab rejected the allegations, as it has done repeatedly in recent months, and said its critics were misinterpreting Russian data-sharing laws that only applied to communications services.
“No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions,” the company said.
The Department of Homeland Security (DHS) issued a directive to federal agencies ordering them to identify Kaspersky products on their information systems within 30 days and begin to discontinue their use within 90 days.
The order applies only to civilian government agencies and not the Pentagon, but U.S. intelligence leaders said earlier this year that Kaspersky was already generally not allowed on military networks.
In a statement accompanying its directive, DHS said it was “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”
It continued: “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
The department said it would provide Kaspersky with the opportunity to submit a written response to address the allegations. The agency said other entities claiming commercial interests affected by the directive could also submit information
Kaspersky Lab has repeatedly denied that it has ties to any government and said it would not help a government with cyber espionage.
However, the company has not been able to shake off the allegations. Last week, Best Buy Co (BBY.N), the No.1 U.S. electronics retailer, said it was pulling Kaspersky Lab’s cyber security products from its shelves and website.
Rob Joyce, the White House cyber security coordinator, said Wednesday at the Billington CyberSecurity Summit that the Trump administration made a “risk-based decision” to order Kaspersky Lab’s products removed from federal agencies.
Asked by Reuters whether there was a smoking gun showing Kaspersky Lab had provided intelligence to the Russian government, Joyce replied: ”As we evaluated the technology, we decided it was a risk we couldn’t accept.”
Some cyber security experts have warned that blacklisting Kaspersky Lab could prompt a retaliation from Russian President Vladimir Putin. Joyce said those concerns were a factor but that a “tough decision” ultimately had to be made to protect government systems.
The direct financial impact of the decision will likely be minimal for Kaspersky Lab, one of the world’s leading anti-virus software companies, which was founded in 1997 and now counts over 400 million global customers.
Federal contracting databases reviewed by Reuters show only a few hundred thousand dollars in purchases from Kaspersky, and an employee told Reuters in July the company’s federal government revenue was “miniscule.”
But Kaspersky also sells to federal contractors and third-party software companies that incorporate its technology in their products, so its technology may be more widely used in government than it appears from the contracting databases, U.S. officials say.
The decision by the Trump administration came as the U.S. Senate was planning to vote as soon as this week on a defense policy spending bill that includes language that would ban Kaspersky Lab products from being used by U.S. government agencies.
Democratic U.S. Senator Jeanne Shaheen, who had led efforts in Congress to crack down on Kaspersky Lab, applauded the Trump administration’s announcement.
“The strong ties between Kaspersky Lab and the Kremlin are alarming and well-documented,” Shaheen said, adding that she expected Congress to act soon to reinforce the decision by passing legislation.
Also on Wednesday, Democratic Senator Amy Klobuchar wrote to DHS asking whether the agency used Kaspersky products in relation to any critical infrastructure, such as election equipment, banks or energy suppliers, and if it knew whether any voting systems used the company’s software.
Eugene Kaspersky, the company’s co-founder and chief executive, attended a KGB school, and the company has acknowledged doing work for the Russian intelligence agency known as the FSB. But he has adamantly denied charges his company conducts espionage on behalf of the Russian government.
Reporting by Dustin Volz, additional reporting by Doina Chiacu and Jim Finkle; Editing by Jonathan Oatis and Cynthia Osterman
Rivetz.com is a company that I have been following very closely for several years now.
Rivetz believes that online services are significantly enhanced when a device can be trusted to be what it says it is and to execute instructions exactly as asked. Building upon a decade of industry investment in trusted computing, Rivetz is offering a platform that delivers on this goal.
A service provider generally has confidence in its servers. They are under administrative control and usually protected physically. However, nearly all services are delivered to users through devices the service provider knows very little about and over which it rarely exerts any control.
Rivetz changes this. Through the use of Trusted Execution technology we are able to provide a service provider with an oasis of trust in the unknown world of consumer devices. Basic capabilities such as “sign this”, or “decrypt this” are executed outside the murky world of the main OS. Keys can be generated and applied without ever being exposed in memory and can be attested to through a chain of endorsements traced back to the device manufacturer.
When you can trust a device not to lie or leak secrets, you can form a much more reliable and simpler relationship with the device. It makes life easier and safer for the user and service provider alike.
Rivetz is all about trust in devices. We believe that a reliable relationship with a device can make for a much safer, easier and stronger relationship with an end user.
To achieve this, first and foremost you need to know with confidence that a device is the same device it was before. You also need to be sure that a device won’t leak its secrets when asked to do something sensitive, like a decryption or signing.
Our device code runs in the Trusted Execution Environment (TEE) available in many modern devices. The TEE is a hardware environment that runs small applets outside the main OS. This protects sensitive code and data from malware or snooping with purpose-built hardware governed by an ecosystem of endorsements, beginning with the device manufacturer.
Rivetz enrolls a device and equips it with a service provider’s keys. Our API’s enable secure execution of a number of sensitive device-side transactions, including:
- Get a reliable and anonymous device id – On request, Rivetz will generate a signing key for a device. The public key is hashed into a string that can be used to identify and communicate with a device. The private key remains locked in the hardware and can only be applied on behalf of the SP that requested the ID.
- Get a device to sign something – The private key of the device identity can be used to sign things proving that this device was involved. The signing ceremony is executed in secure hardware such that the key is never exposed to normal processing environment of the device.
- Get a device to encrypt something – An encryption key can be generated on request and applied to any blob of data. Encryption/Decryption is triggered locally and takes place within the secure execution environment so as to protect the key.
- Create a Bitcoin account – The device can be asked to generate a new Bitcoin account using the RNG built into the Trusted Execution Environment.
- Sign a Bitcoin transaction – The device can apply it’s private Bitcoin account key to sign a transaction and then return it to the service provider
- Secure Confirmation – (coming soon) Newer TEE environments support trusted display and input in addition to trusted execution. Trusted display enables a simple confirmation message, such as “confirm transaction amount”, to be presented to an end user.
- Join Devices to share and backup identities – Most users have a couple of devices. Rivetz allows those devices to be bound into a ring so they can interchangeably present themselves to a service provider on behalf of the user.
Rivetz is a toolbox for riveting the online world to the hardware we use to get online. By providing this basic set of features we hope services across the web from wallets to content apps can provide a simpler and safer experience.
A Service Provider calls Rivetz to create hardware keys in a device. Different types of keys are available depending on the purpose, such as for crypto-coins or data encryption.
Riveted keys are governed by simple usage rules established during creation. For example, a key may require that usage requests are signed by the Service Provider that created the key, or that the user confirms access through the Trusted User Interface.
A Rivet will only respond to an instruction from a Service Provider that has been “paired” with the device. Rivetz.net conducts the pairing ceremony as it is able to confirm the integrity and identity of both device and service provider. When a device is paired it acquires the public key of the service provider, while the service provider gets a uniquely generated identity and public key for the device.
While Rivetz supports local calls, ideally all instructions are signed by the Service Provider. This protects a device key from being applied by a rogue application. The _Rivetz Library is used by all components to prepare and sign device instructions and interpret instruction results.
There is a class of apps that benefit greatly from strong assurance of their origin and opaque separation from the execution of other apps. This is known as a Trusted Execution Environment or TEE.
Unlike an app running on the primary OS and memory stack, an app running in a TEE has access to cryptographic primitives that can be exercised without snooping by the OS. On certain platforms, it also has direct access to user input and display to ensure a private interaction with the operator of the device.
While the technology has been pursued for well over a decade, it is only recently that devices with support for a TEE have become available. Intel began delivery of commercial solutions in 2011 and Trustonic, an ARM joint venture, launched in 2013.
Deploying an applet into a TEE is akin to delivering a dedicated hardware device. Execution and data are cryptographically isolated from any other function of the host.
While most applications of Trusted Execution technology have been concerned with enterprise security or DRM, Rivetz instead provides an applet that is focused on the needs of common web services. Crypto currencies such as Bitcoin have highlighted the need for consumer key security.
There have been a number of high-profile hacks recently, evidently demonstrating that hiding and using secrest on the Internet is still really difficult. From the $5 million in bitcoin lost at Bitstamp to the Sony hack, it is clear that a new approach to the problem is required. Recently, I was at CES, and the IoT is moving along at breakneck speed, with barely and afterthought for cyber security. All of the things end up controlled by a smartphone or PC. The integrity of the connection from your computing device to your house, car or medical equipment will need the same peer-to-peer security that bitcoin requires. So how should we all be approaching the problem? All private keys should be protected by tamper-resistant hardware — a device, not the operating system. Smart cards or USB tokens are great solutions, but the embedded trusted execution environment provides the built-in solution we all desire. It also provides the tamper-resistant security to match that of a SIM module, but it is not controlled by the carrier. In addition to access, the instruction sent to a cloud service or another device should be encrypted (for privacy) and signed (for integrity), assuring that the intended action is not corrupted. This critical step is mostly overlooked on today’s systems. Protecting the instruction assures that the intended action is actually what happens. Instructions are critical interactions between the client and the cloud. Rivetz leverages the trusted execution environment to assure the formation of the highest quality instructions. Trusted user input and output is by far the hardest piece of the puzzle. This is where an uncorrupted presentation of the intended transaction to the user and the proper collection of the user’s consent is executed. Secure display in combination with a secure PIN or secure biometrics is ultimately required to be fully effective. The technology to do this is just now being integrated but is not available on most platforms. Intel has been at the forefront of trusted display for a number of years. Rivetz is now demonstrating the trusted user interface on Intel and on some Samsung Galaxy Note 4 phablets released in December.
Continue Reading: Cyber Security and Blockchain – AlleyWatch
BRIVAS LABS brings advancements to revolutionize USER identity in the privacy ecosystem. Identity management is vital in our new cyber and BRIVAS PHALANX v 1.0 solves the user identity problem leveraging existing thru augmented authentication with real-time + contextual biometric encryption. Biometrics are increasingly used as a way to verify a person’s identity. As organizations become more security-conscious, biometric-based solutions are set to grow in terms of usage and importance as ability to accurately capture and compute increase. Given the growing global security threats, governments around the world have long known that the biometric elements of identity verification increase security, augment accountability, and provide risk and liability mitigation. BRIVAS is a computer vision and machine learning specialist dealing in biometric fusion and contextual, real time verification on smartphone technology. Our digital needs require a continuous search for a cost-effective means of reducing fraud and gaining accurate USER information. BRIVAS accomplishes this with GPU and CLOUD processing at an extremely affordable and scalable approach. BRIVAS is able to pattern the events leading up to an authentication, then qualify a real-time, singular event data structure actually encrypted with our proprietary biometric facial verification technology.
The human face plays an important role in our social interaction, conveying people’s identity and now in BRIVAS’ man & machine binding qualities. Using identity as a key to security, coupled with trusted computing adds greater accuracy to the entire security system. As compared with other biometrics systems using fingerprint/palmprint and iris, face recognition has distinct advantages because of its non-contact process which leverages our streaming methods to detect liveness, intent to authenticate, 3D verification, and real-time contextual existence. Beyond authentication and verification, we hold patent pending on a unique method to generate secret encryption/decryption keys tied specifically to the unique architecture of an individual’s unique facial structure to generate keys. BRIVAS’ contextual face recognition process has a highly diverse range of applications, extending from crime fighting, border control, to access control for sensitive areas and (limited access control) that blend to a smart, elastic format to provide greater accuracy and assurances while keeping cost in mind Right now, we are implementing our solution in the electronic medical records industry for a one-touch release of people’s medical records. We would market to EMR/health technology companies who sell to Healthcare providers. we would be using the EMR/Health technology companies as a strategic partner channel to go after the Accountable Care Organizations, mid-sized and small hospitals and independent physician/clinics. To summarize, BRIVAS IDENTITY’ technology is the future and companies are quickly responding to the ease of use as well as the many different uses for it.