Is Arizona becoming a leader and innovator in cybersecurity? | AZ Big Media

Hacking and data breaches have been in the public mindset for a long time. But as more technology is integrated into our daily lives and the workplace, you and your firm have become even more susceptible to a hack – highlighting the importance of cybersecurity, an industry Arizona is on the frontline of shaping.

You’ve probably seen the splashy headlines about data breaches hitting big names like Banner Health, Chick-fil-A, Equifax, Target, the U.S. Postal Service, Sony, Yahoo! and the list goes on. Like many other people, you might have brushed off those headlines or yawned, thinking you’re glad not to have to manage those damage control teams. But in this growing world of cybercrime and technology, it’s no longer a matter of if you’ll be playing damage control after a data breach at your firm, it’s a matter of when.

“Small and medium-sized businesses are drastically underestimating the risk by just thinking, ‘They’re not interested in me,’” says Michael Cocanower, founder and president of Phoenix-based itSynergy. “In fact, hackers are very interested in you. They realize, ‘I can spend six months hacking into Target, or I can spend this afternoon hacking into your 20-person company and make $10,000 off that.’”

Cybercrime has cost businesses, individuals, governments and the world game-changing amounts of money.

Cost of cybercrime

Cybersecurity Ventures, a research and market intelligence firm, reports the cost of cybercrime will grow from $3 trillion in 2015 to $6 trillion by 2021. United Kingdom-based research firm Juniper Research predicts cybercrime will cost businesses alone more than $2 trillion by 2019. However you cut it, cybersecurity will only get more serious and more important as time moves on.

Many businesses are unprepared, with 87 percent of small businesses reporting that they do not have a formal written Internet security policy, according to the National Cyber Security Alliance. Also, the National Cyber Security Alliance reports that 60 percent of small companies are unable to stay in business six months after a cyberattack.

Cocanower says business owners need to be much more aware of cybercrime and the importance of having their cybersecurity systems up to snuff. There are a variety of ways hackers can infiltrate your business and you need to be aware of them, Cocanower says. Phishing scams and downloading malware or viruses are probably the most common and known. But you could also be compromised by inputting your password on a website you think is real or by using open Wi-Fi; the list of risks goes on. Nothing Web-connected is safe either. Your smart phone, watch, car and Web-connected toaster oven are just the newest items susceptible to attack.

Sure, you can download the latest anti-virus software, hire a skilled cybersecurity team (if you can find people who are qualified and available) and do 100 different things to keep your company secure, but that’s still not enough. Why? “The weakest link in any system is the human being,” Cocanower says.

Source: Is Arizona becoming a leader and innovator in cybersecurity? | AZ Big Media


Trump administration orders purge of Kaspersky products from U.S. government

WASHINGTON (Reuters) – The Trump administration on Wednesday told U.S. government agencies to remove Kaspersky Lab products from their networks, saying it was concerned the Moscow-based cyber security firm was vulnerable to Kremlin influence and that using its anti-virus software could jeopardize national security.

The decision represents a sharp response to what U.S. intelligence agencies have described as a national security threat posed by Russia in cyberspace, following an election year marred by allegations that Moscow weaponized the internet in an attempt to influence its outcome.

In a statement, Kaspersky Lab rejected the allegations, as it has done repeatedly in recent months, and said its critics were misinterpreting Russian data-sharing laws that only applied to communications services.

“No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions,” the company said.

The Department of Homeland Security (DHS) issued a directive to federal agencies ordering them to identify Kaspersky products on their information systems within 30 days and begin to discontinue their use within 90 days.

The order applies only to civilian government agencies and not the Pentagon, but U.S. intelligence leaders said earlier this year that Kaspersky was already generally not allowed on military networks.

In a statement accompanying its directive, DHS said it was “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”

It continued: “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

The department said it would provide Kaspersky with the opportunity to submit a written response to address the allegations. The agency said other entities claiming commercial interests affected by the directive could also submit information.

Kaspersky Lab has repeatedly denied that it has ties to any government and said it would not help a government with cyber espionage.

However, the company has not been able to shake off the allegations. Last week, Best Buy Co (BBY.N), the No.1 U.S. electronics retailer, said it was pulling Kaspersky Lab’s cyber security products from its shelves and website.

‘TOUGH DECISION’

Rob Joyce, the White House cyber security coordinator, said Wednesday at the Billington CyberSecurity Summit that the Trump administration made a “risk-based decision” to order Kaspersky Lab’s products removed from federal agencies.

Asked by Reuters whether there was a smoking gun showing Kaspersky Lab had provided intelligence to the Russian government, Joyce replied: “As we evaluated the technology, we decided it was a risk we couldn’t accept.”

Some cyber security experts have warned that blacklisting Kaspersky Lab could prompt a retaliation from Russian President Vladimir Putin. Joyce said those concerns were a factor but that a “tough decision” ultimately had to be made to protect government systems.

The direct financial impact of the decision will likely be minimal for Kaspersky Lab, one of the world’s leading anti-virus software companies, which was founded in 1997 and now counts over 400 million global customers.

Federal contracting databases reviewed by Reuters show only a few hundred thousand dollars in purchases from Kaspersky, and an employee told Reuters in July the company’s federal government revenue was “minuscule.”

But Kaspersky also sells to federal contractors and third-party software companies that incorporate its technology in their products, so its technology may be more widely used in government than it appears from the contracting databases, U.S. officials say.

The decision by the Trump administration came as the U.S. Senate was planning to vote as soon as this week on a defense policy spending bill that includes language that would ban Kaspersky Lab products from being used by U.S. government agencies.

Democratic U.S. Senator Jeanne Shaheen, who had led efforts in Congress to crack down on Kaspersky Lab, applauded the Trump administration’s announcement.

“The strong ties between Kaspersky Lab and the Kremlin are alarming and well-documented,” Shaheen said, adding that she expected Congress to act soon to reinforce the decision by passing legislation.

Also on Wednesday, Democratic Senator Amy Klobuchar wrote to DHS asking whether the agency used Kaspersky products in relation to any critical infrastructure, such as election equipment, banks or energy suppliers, and if it knew whether any voting systems used the company’s software.

Eugene Kaspersky, the company’s co-founder and chief executive, attended a KGB school, and the company has acknowledged doing work for the Russian intelligence agency known as the FSB. But he has adamantly denied charges his company conducts espionage on behalf of the Russian government.

Reporting by Dustin Volz, additional reporting by Doina Chiacu and Jim Finkle; Editing by Jonathan Oatis and Cynthia Osterman


Source: Trump administration orders purge of Kaspersky products from U.S. government

myGeoTracking Teams with Rivetz to Provide State of the Art Device Security for Mobile Field Employees – Blockchain News

myGeoTracking and Rivetz combination to ensure better mobile device and data security, and an enhanced user experience for Healthcare, Transportation, and other field service workers

Abaqus, Inc., provider of the myGeoTracking cloud-hosted mobile workforce management and transportation logistics platform, today announced it has teamed with Rivetz International to integrate the advanced Rivetz mobile security solution into its platform. Abaqus customers will benefit from hardware protected authentication and encryption capabilities for mobile security that will enable next generation solutions for field operations in industries such as healthcare, utilities and emergency responders.

“We continually strive to provide our customers with the best tools in the market to protect their data and create a great user experience,” said Shailendra Jain, CEO of Abaqus, Inc. “The Rivetz solution provides us with the advanced cybersecurity capabilities we need to meet our customer demands in industries requiring sensitive data collection in the field including healthcare, utilities and first responders.”

Rivetz’s state-of-the-art decentralized security harnesses the Trusted Execution Environment (TEE) and blockchain to protect users’ mobile data and privacy. It’s like a hidden vault (already embedded in most phones) that no OS or software can eavesdrop on. Rivetz Blockchain provides the secure recording of compliance and integrity data.

“Cybersecurity and mobile data protection is an ongoing challenge for all companies,” said Steven Sprague, Founder and CEO of Rivetz. “We are excited to help Abaqus leverage next generation cybersecurity technology to meet and exceed their customers’ expectations going forward.”

Richard Kastelein is the Founder, Publisher and Editor in Chief of industry leading online publication, Blockchain News, partner of token design and ICO architecture company Cryptoassets Design Group and co-founder and director at education company Blockchain Partners.

As a prominent keynote presenter, Kastelein has spoken on Blockchain at events in Gdansk, Beijing, Venice, Nanchang, Shanghai, Amsterdam, Minsk, Dubai, Antwerp, Eindhoven, Bucharest, Munich, Nairobi, Tel Aviv, Manchester, Brussels, Barcelona, San Meteo etc, where he helped spread the cause for Blockchain technology and cryptocurrency and, consequently, has built a notable network in the scene.


Source: myGeoTracking Teams with Rivetz to Provide State of the Art Device Security for Mobile Field Employees – Blockchain News

Rivetz.com offers built-in Hardware Security

Rivetz.com is a company that I have been following very closely for several years now.

Rivetz believes that online services are significantly enhanced when a device can be trusted to be what it says it is and to execute instructions exactly as asked. Building upon a decade of industry investment in trusted computing, Rivetz is offering a platform that delivers on this goal.

A service provider generally has confidence in its servers. They are under administrative control and usually protected physically. However, nearly all services are delivered to users through devices the service provider knows very little about and over which it rarely exerts any control.

Rivetz changes this. Through the use of Trusted Execution technology we are able to provide a service provider with an oasis of trust in the unknown world of consumer devices. Basic capabilities such as “sign this”, or “decrypt this” are executed outside the murky world of the main OS. Keys can be generated and applied without ever being exposed in memory and can be attested to through a chain of endorsements traced back to the device manufacturer.

When you can trust a device not to lie or leak secrets, you can form a much more reliable and simpler relationship with the device. It makes life easier and safer for the user and service provider alike.

What Can I Do with Rivetz?

Rivetz is all about trust in devices. We believe that a reliable relationship with a device can make for a much safer, easier and stronger relationship with an end user.

To achieve this, first and foremost you need to know with confidence that a device is the same device it was before. You also need to be sure that a device won’t leak its secrets when asked to do something sensitive, like a decryption or signing.

Our device code runs in the Trusted Execution Environment (TEE) available in many modern devices. The TEE is a hardware environment that runs small applets outside the main OS. This protects sensitive code and data from malware or snooping with purpose-built hardware governed by an ecosystem of endorsements, beginning with the device manufacturer.

Rivetz enrolls a device and equips it with a service provider’s keys. Our APIs enable secure execution of a number of sensitive device-side transactions, including:

  • Get a reliable and anonymous device id – On request, Rivetz will generate a signing key for a device. The public key is hashed into a string that can be used to identify and communicate with a device. The private key remains locked in the hardware and can only be applied on behalf of the SP that requested the ID.
  • Get a device to sign something – The private key of the device identity can be used to sign things proving that this device was involved. The signing ceremony is executed in secure hardware such that the key is never exposed to the normal processing environment of the device.
  • Get a device to encrypt something – An encryption key can be generated on request and applied to any blob of data. Encryption/Decryption is triggered locally and takes place within the secure execution environment so as to protect the key.
  • Create a Bitcoin account – The device can be asked to generate a new Bitcoin account using the RNG built into the Trusted Execution Environment.
  • Sign a Bitcoin transaction – The device can apply its private Bitcoin account key to sign a transaction and then return it to the service provider.
  • Secure Confirmation – (coming soon) Newer TEE environments support trusted display and input in addition to trusted execution. Trusted display enables a simple confirmation message, such as “confirm transaction amount”, to be presented to an end user.
  • Join Devices to share and backup identities – Most users have a couple of devices. Rivetz allows those devices to be bound into a ring so they can interchangeably present themselves to a service provider on behalf of the user.

Rivetz is a toolbox for riveting the online world to the hardware we use to get online. By providing this basic set of features we hope services across the web from wallets to content apps can provide a simpler and safer experience.

How does it work?

A Service Provider calls Rivetz to create hardware keys in a device. Different types of keys are available depending on the purpose, such as for crypto-coins or data encryption.

Riveted keys are governed by simple usage rules established during creation. For example, a key may require that usage requests are signed by the Service Provider that created the key, or that the user confirms access through the Trusted User Interface.

A Rivet will only respond to an instruction from a Service Provider that has been “paired” with the device. Rivetz.net conducts the pairing ceremony as it is able to confirm the integrity and identity of both device and service provider. When a device is paired it acquires the public key of the service provider, while the service provider gets a uniquely generated identity and public key for the device.

While Rivetz supports local calls, ideally all instructions are signed by the Service Provider. This protects a device key from being applied by a rogue application. The Rivetz Library is used by all components to prepare and sign device instructions and interpret instruction results.
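The pairing and signed-instruction check described above can be modelled in a few lines. This is an added illustration, not Rivetz code or its API: the `Party` type, its methods, the use of Ed25519 and SHA-256, and the sample names and payload are all assumptions made for the sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Party is a hypothetical key holder: a device applet or a service provider (SP).
type Party struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey           // models the key that stays in hardware
	paired map[string]ed25519.PublicKey // device side: SP name -> SP public key
}

func NewParty(name string) *Party {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, Pub: pub, priv: priv, paired: map[string]ed25519.PublicKey{}}
}

// ID hashes the public key into a string identifier for the device.
func (p *Party) ID() string {
	sum := sha256.Sum256(p.Pub)
	return hex.EncodeToString(sum[:])
}

// Pair models the outcome of the pairing ceremony: the device learns the SP key.
func (p *Party) Pair(sp *Party) { p.paired[sp.Name] = sp.Pub }

// Sign produces a signature with the party's private key.
func (p *Party) Sign(msg []byte) []byte { return ed25519.Sign(p.priv, msg) }

// Execute is the device-side check: the device key is applied to payload only
// when the instruction carries a valid signature from a paired service provider.
func (p *Party) Execute(spName string, payload, spSig []byte) ([]byte, error) {
	spPub, ok := p.paired[spName]
	if !ok {
		return nil, errors.New("service provider not paired")
	}
	if !ed25519.Verify(spPub, payload, spSig) {
		return nil, errors.New("instruction not signed by paired service provider")
	}
	return p.Sign(payload), nil
}

func main() {
	dev, sp, rogue := NewParty("device"), NewParty("wallet-sp"), NewParty("rogue-app")
	dev.Pair(sp)
	payload := []byte("sign: transfer #1") // constructed sample instruction
	_, err := dev.Execute(sp.Name, payload, rogue.Sign(payload))
	fmt.Println("device id:", dev.ID()[:16], "| rogue instruction:", err)
	sig, err := dev.Execute(sp.Name, payload, sp.Sign(payload))
	fmt.Println("paired SP accepted:", err == nil && ed25519.Verify(dev.Pub, payload, sig))
}
```

A real deployment would also bind each instruction to a nonce or counter so a captured, validly signed instruction cannot be replayed; the sketch leaves that out to keep the pairing check in focus.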

Trusted Execution Environment

There is a class of apps that benefit greatly from strong assurance of their origin and opaque separation from the execution of other apps. This is known as a Trusted Execution Environment or TEE.

Unlike an app running on the primary OS and memory stack, an app running in a TEE has access to cryptographic primitives that can be exercised without snooping by the OS. On certain platforms, it also has direct access to user input and display to ensure a private interaction with the operator of the device.

While the technology has been pursued for well over a decade, it is only recently that devices with support for a TEE have become available. Intel began delivery of commercial solutions in 2011 and Trustonic, an ARM joint venture, launched in 2013.

Deploying an applet into a TEE is akin to delivering a dedicated hardware device. Execution and data are cryptographically isolated from any other function of the host.

Rivetz and the TEE

While most applications of Trusted Execution technology have been concerned with enterprise security or DRM, Rivetz instead provides an applet that is focused on the needs of common web services. Crypto currencies such as Bitcoin have highlighted the need for consumer key security.

TV Manufacturer Vizio Spies On Customers Using Advanced Big Data Analytics

US TV manufacturer Vizio’s underhanded Big Data dealing may have just cost it $2.2 million but I think it is something we can unfortunately expect to see a lot more of.

The FTC this week announced that viewing data of individual households was monitored through a built-in spy device which used image recognition technology. Once every second, software in the Vizio TVs would read pixel data from a segment of the screen. This was sent home and compared against a database of film, television and advertising content to determine what was being watched.

The FTC has revealed that Vizio went further than this – matching data on what was being watched with IP addresses, and selling it, along with third party demographic data, to businesses and organizations with a need for audience measurement.

This week we heard that Vizio paid $2.2 million to settle the FTC complaint, agreed to stop collecting viewing data in this way, and to delete the data it had already collected from its servers. That might seem like a comparatively low figure, but this may be, as Vizio point out in their statement, because personally identifiable information wasn’t transmitted.

Source: Shocking: Smart TV Manufacturer Vizio Spies On Customers Using Advanced Big Data Analytics

Wendy’s says over 1,000 locations affected by credit card breach

Fast food chain Wendy’s announced in February that it was looking into a possible security breach. The franchise followed up in May confirming it found malware on its point-of-sale systems that was being used to nab credit card info. Stolen details were said to include credit or debit card number, expiration date, cardholder verification value, and service code from less than 300 locations. Last month, the company provided an update that the investigation revealed the breach could be much worse due to a second cyberattack.

Wendy’s gave another update on the situation this week, disclosing that over 1,000 locations had systems where the malware was installed. The company says that the malware has been disabled at all of the locations where it was discovered to be installed. Wendy’s explained that the breach likely originated from franchisees’ remote access credentials being compromised, giving the culprits the ability to install the software needed to swipe details from credit and debit card transactions. The investigation is still in progress, so more details could be on the way. “We will continue to work diligently with our investigative team to apply what we have learned from these incidents and further strengthen our data security measures,” said president and CEO Todd Penegor.

For now, Wendy’s has posted a list of affected locations. If you made a purchase at one of those, the company is offering a year of fraud protection and identity restoration free of charge. Of course, it’s a good idea to take a glance at your recent statements even if your local restaurant isn’t on the list.

Source: Wendy’s says over 1,000 locations affected by credit card breach