Security Software & Equipment Store

Friday, December 18, 2015

The Electronic Frontier Foundation's Coders' Rights Project

The Coders' Rights Project builds on EFF's longstanding work protecting researchers through education, legal defense, amicus briefs, and involvement in the community with the goal of promoting innovation and safeguarding the rights of curious tinkerers and hackers on the digital frontier.
They also provide policy advice to decision-making officials who are considering new computer crime legislation and treaties.

Reverse Engineering: People have always explored and modified the technologies in their lives, whether crystal radios, automobiles, or computer software. Reverse engineering is one expression of this tinkering impulse. Unfortunately, legal regulation of reverse engineering can impact the Freedom to Tinker in a variety of ways. This FAQ gives some information that may help coders reduce their legal risk.

Vulnerability Reporting: Discovering security flaws is only half the battle – the next step is reporting the findings such that users can protect themselves and vendors can repair their products. Many outlets exist for publicly reporting vulnerabilities, including mailing lists supported by universities and by the government. Unfortunately, however, researchers using these public reporting mechanisms have received legal threats from vendors and government agencies seeking to stop publication of vulnerability information or “proof of concept” code demonstrating the flaw. The Vulnerability Reporting FAQ gives information that may help security researchers reduce their legal risk when reporting vulnerabilities.

Grey Hat Guide: A computer security researcher who has inadvertently violated the law during the course of her investigation faces a dilemma when thinking about whether to notify a company about a problem she discovered in one of the company’s products. By reporting the security flaw, the researcher reveals that she may have committed unlawful activity, which might invite a lawsuit or criminal investigation. On the other hand, withholding information means a potentially serious security flaw may go unremedied.

Do these coder rights withstand the need for consumer security? Send us your thoughts here at the Cloud and Cyber Security Center.

Thursday, December 17, 2015

What is the New Normal for Cyber Terrorism? Is This Acceptable?

With recent news stories involving serious attacks on Sony and its PlayStation Network, Microsoft’s Xbox Live network, alongside other high profile attacks on the Tor project and North Korea’s Websites, has cyber-terrorism become a very real and dangerous reality for enterprises to battle alongside other threats? Let’s start from the beginning.
What is the difference between cyber-terrorism, vandalism, or even war? Looking back to the 90s and early 2000s, websites were commonly defaced just to satisfy an attacker’s ego. Just like graffiti, this is a great example of vandalism. A more recent example of this sort of attack was the defacement of the Twitter home page – a textbook example of vandalism.

If you consider malware like Stuxnet, discovered in June 2010 and nicknamed the “world’s first digital weapon”, things change drastically. Stuxnet had moved beyond the virtual world and was capable of causing physical destruction to computer equipment and possible large-scale destruction – or cyber-war.

However, cyber-terrorism seems to have found a different niche where the destruction or disruption of service isn’t a military or state target, but that of a commercial entity or service – the businesses, services, or information that you and I oftentimes depend upon. In the case of the Sony attack, which saw the release of confidential data of employees and their families in November 2014, there are many potential suspects. Sony’s potential and current customers are likely to question purchasing Sony products, which could have a devastating long-term impact on the company.

Share your comments with us here at the Cloud and Cyber Security Center.

Wednesday, December 16, 2015

Security Best Practices for Cloud Users

First-time cloud users can be most at risk, simply because of unfamiliarity with the new environment and the added burden of having to grapple with a new way of managing users, data and security. Here are five security must-do’s before taking the plunge:

1. Know the cloudy areas. There are three main segments in any cloud deployment - the cloud vendor, network service provider and enterprise. Given that the cloud should be treated like an extension of the enterprise data centre, the question to ask is therefore: can a common set of security services and policies be applied across the three segments? What are the security gaps?

2. New apps, new fortifications. Ready to move an application into the cloud? Before you do, consider adding new fortifications to the existing security measures you have built around your application’s authentication and log-in processes. To fortify the access to your cloud application, you should have a granular data access scheme. You can do so by tying access privileges to roles, company positions and projects. This will add an additional layer of protection when attackers steal your staff’s login credentials.

3. Embrace encryption. Data encryption is one of your biggest security allies in the cloud, and it should be non-negotiable when it comes to file transfers and emails. While it may not prevent hacking attempts or data theft, it can protect your business and save an organization from incurring hefty regulatory fines when the dreaded event happens. Ask your cloud vendor about their data encryption schemes. Find out how it encrypts data that is at rest, in use, and on the move. To understand what data should be encrypted, it helps to get a handle on where they reside - whether in your cloud vendor’s servers, the servers of third-party companies, employee laptops, office PCs or USB drives.

4. Wrestling with the virtual. Moving into the cloud lets businesses reap the benefits of virtualization, but a virtualized environment can present challenges to data protection. The main issue has to do with managing the security and traffic in the realm of multi-tenancy and virtual machines. Physical security appliances are typically not designed to handle the data that is in the cloud. This is where virtual security appliances come in - to secure traffic as it flows from virtual machine to virtual machine. Such appliances are built to handle the complexities of running multiple instances of applications, or multi-tenancy.

5. Don’t be in the dark about shadow IT. There is no shortage of anecdotes and reports out there that point to how the unauthorised use of applications and cloud services, or shadow IT, is on the rise among businesses. The uncontrolled nature of this poses a security threat and governance challenge. Your new cloud application will be at risk because of this. Consider the simple scenario in which your employees use their smartphones to open a file on their device. It is likely that the phone will make a copy of the file, which could then be sent to an unapproved online storage destination when the phone does its routine automatic backup.

Which cloud security best practices do you recommend? Share your inputs with the Cloud and Cyber Security Center.

Tuesday, December 15, 2015

Data Breaches Large and Small Affect Millions of Users

Cyber crime or computer crime can be divided into two categories: the first comprises crimes that target computers directly such as viruses, attacks and malware; the second focuses on online crime that uses computer networks or devices as means to perform fraud and identity theft through social engineering as well as cyber bullying, cyber stalking and cyber warfare.
Companies in the United States experience an annual loss of greater than $25m USD due to cyber crime, with the majority of these losses stemming from malicious code and DoS attacks. Data breaches and their consequences have also had profound effects on consumers, with personal information and credit details being stolen. The largest on-line data breach compromised more than 130 million user accounts. Online brands with the highest possibility of being targeted by phishing attacks include online payment provider Paypal and online auction house eBay, as well as numerous online service providers that require personal identification as well as payment information.

With the ubiquity of the internet, increased online usage and the spread of social network usage throughout all age groups, cyber bullying and cyber stalking have become increasingly common, especially among teenagers. Cyber bullying is defined as the harming or harassing of other people in a deliberate, repeated, and hostile manner, including cyber dating abuse within relationships.

Will this brand of cyber crime continue to expand in 2016? Share your comments with the Cloud and Cyber Security Center. Graph provided by Statistica.

Thursday, December 10, 2015

Government Measures to Combat Cyber Threats to National Infrastructure

Cyberspace touches nearly every part of our daily lives. It's the broadband networks beneath us and the wireless signals around us, the local networks in our schools and hospitals and businesses, and the massive grids that power our nation. It's the classified military and intelligence networks that keep us safe, and the World Wide Web that has made us more interconnected than at any time in human history. 
We must secure our cyberspace to ensure that we can continue to grow the nation’s economy and protect our way of life. The government must work collaboratively with critical infrastructure owners and operators to protect our nation’s most sensitive infrastructure from cybersecurity threats. Specifically, we are working with industry to increase the sharing of actionable threat information and warnings between the private sector and the U.S. Government and to spread industry-led cybersecurity standards and best practices to the most vulnerable critical infrastructure companies and assets.

Because cyberspace crosses every international boundary, we must engage with our international partners. We will work to create incentives for, and build consensus around, an international environment where states recognize the value of an open, interoperable, secure, and reliable cyberspace. We will oppose efforts to restrict internet freedoms, eliminate the multi-stakeholder approach to internet governance, or impose political and bureaucratic layers unable to keep up with the speed of technological change. An open, transparent, secure, and stable cyberspace is critical to the success of the global economy.

Do these counter-measures go far enough to protect our national infrastructure? Share your comments with the Cloud and Cyber Security Center.

Wednesday, December 9, 2015

Cloud Standards Customer Council - Emerging Cloud Security Standards

The current landscape for information security standards specifically targeted for cloud computing environments is best characterized as immature but emerging. This space is still very much in its infancy stage but there are several standards initiatives that have recently been started that plan to deliver formal specifications in the 2014/2015 time frame. 
In the interim, there are a number of general IT security standards that are applicable to cloud computing environments that customers should be aware of and insist that their cloud service providers support. When finalized, the cloud-specific security standards will provide more detailed guidance and recommendations for both cloud service customers and cloud service providers.

As customers transition their applications and data to use cloud computing, it is critically important that the level of security provided in the cloud environment is equal to or better than the security provided by their traditional IT environment. Failure to ensure appropriate security protection could ultimately result in higher costs and potential loss of business, thus eliminating any of the potential benefits of cloud computing. This report focuses primarily on information security requirements for public cloud deployment, since this model introduces the most challenging information security concerns for cloud service customers.

Which cloud standards will have the greatest impact on the future of cloud security? Share your comments here at the Cloud and Cyber Security Center.


Tuesday, December 8, 2015

Fortinet named 2015 Frost & Sullivan Network Security Vendor of the Year

Fortinet® has received the 2015 Frost & Sullivan New Zealand Network Security Vendor of the Year Award. The Award acknowledges the NZ team's dedication to customers and recognises Fortinet’s outstanding performance throughout 2014.
The award was presented on Thursday, 15 October at the Frost & Sullivan Asia Pacific ICT Awards banquet held at the Conrad Centennial in Singapore.

“New Zealand businesses are confronting the fact that cyber attacks have increased significantly in the last few years,” says Andrew Milory, Vice President, ICT Practice, Asia Pacific for Frost & Sullivan. “A major challenge is that a large portion of New Zealand businesses are not prepared for these cyber attacks. Coupled with that, many organisations in the country have encouraged employees to bring their own devices to work to increase productivity and employee satisfaction.

“However,” he continues, “these trends have also introduced more threats into business networks, which in turn has caused more challenges for these businesses to secure their network infrastructure as well as their commercially-sensitive digital assets. Fortinet has leveraged cutting-edge network security technologies to address these challenges and become a market leader in New Zealand.

“Fortinet has continued to increase its market share by securing contracts and partnering with major organisations in New Zealand. Consequently, the company showed strong financial performance with 24% growth in year-on-year revenue.”

Send us your picks for Cloud and Cyber Security “Vendor of the Year - 2015” to the Cloud and Cyber Security Center.


Monday, December 7, 2015

Countermeasures to Prevent and Mitigate Against ISIS Cyber Attacks

Hacker collective Anonymous posted a video Saturday on YouTube in which it declared a cyber war on ISIS. In the nearly two-and-a-half-minute video, a person wearing the group’s signature Guy Fawkes mask read a statement in French promising that the hacktivist organization would attack ISIS in cyberspace with the ultimate goal of weakening the terrorist organization. “Expect massive cyber attacks,” the person said. “War is declared. Get prepared. Anonymous from all over the world will hunt you down. You should know that we will find you and we will not let you go.”

ISIS has claimed responsibility for the horrific attacks that killed nearly 140 people and left hundreds more injured on Friday. The attacks prompted the French government to go on the offensive against the group. Prime Minister Manuel Valls confirmed on Monday that French authorities had conducted more than 150 raids and completed a bombing campaign against suspected ISIS encampments in Syria. Anonymous, however, has its own plans. And history has shown that it is not one to be taken lightly.

Which pro-active countermeasures should governments and corporations take to prevent ISIS cyber attacks? Send us your recommendations here at the Cloud and Cyber Security Center.

Friday, December 4, 2015

Mitigation Tactics for Evolving Cyber Crimes - How to Keep Your Business Secure?

Advances in IT security are continuing to cause headaches for today’s cyber criminals, yet as a new breed of increasingly savvy hackers emerges, exposure to a variety of threats remains a fact of life for most organizations across the globe. Without appropriate security measures in place, companies are facing the risk of data breaches, loss of employee productivity, damage to brand reputation and non-compliance, leading to potentially severe fines.

Malware is constantly evolving, with millions of forms of malware being released every year. In fact, McAfee catalogs over 100,000 new malware samples a day (69 per minute). With that, successful cyber-attacks have risen 20 percent year on year, with the average cost of cybercrime standing at over $7m a year.

Increasingly, threats faced by enterprises are coming from the inside as well as the outside. Recent headlines have been dominated by stories of data theft driven by maverick insiders. Details of the most high-profile event, the notorious breach by Edward Snowden at the NSA, continue to emerge over a year later. With research commissioned by the UK BIS finding that 84% of data breach incidents are caused by staff, business leaders must be prepared for the risks associated with insiders gaining access to corporate information.

Predictions:

1) McAfee: “In the spy vs. spy world of cybercrime and cyberwarfare, criminal gangs and state actors will deploy new stealth attacks that will be harder than ever to identify and stop.” McAfee Labs 2014.

2) Gartner: “We are in one of those periods that occurs every five years or so, where the attackers find new levels of vulnerabilities to exploit, and the threats get ahead of the standard level of protection.” Gartner, Strategies for Dealing with Advanced Targeted Attacks.

Which mitigation tactics have been most effective in your organization? Share your thoughts - without disclosing confidential details - with the Cloud and Cyber Security Center.


Thursday, December 3, 2015

Gemalto Offers New Data Protection for the Cloud

Cloud and Virtualization gives you agility and efficiency to instantly roll out new services and expand your infrastructure. But the lack of physical control, or defined entrance and egress points, brings a whole host of cloud security issues – data co-mingling, privileged user abuse, snapshots and backups, data deletion, data leakage, geographic regulatory requirements, cloud super-admins, and many more.

Fortunately, experts agree that encryption is the unifying cloud security control, allowing you to protect, control and comply. Gemalto's proven encryption and enterprise key management solutions turn any cloud environment into a trusted and compliant environment by solving the critical challenges of data governance, control, and ownership - no matter where you store your data.

Snapshots and backups are taken daily, or even hourly, and automatically stored in the cloud. Do you know where they’ve been stored, or who can move and copy them? Can you trace unauthorized copying of data?

Virtualization and cloud computing require cooperation between security, storage, server, application, and cloud security admins – all with access to your most sensitive data. With this number of people, the risks of failing an audit, or an admin going rogue, grow exponentially.

In minutes, a disgruntled employee can load an entire virtual machine onto a thumb drive. Virtual data is easily lost or exposed as it moves between VMs or in the cloud. Can you prove that authorized users are accessing your data within their defined policies? Can you block access to compromised information?

Share your comments with the Cloud and Cyber Security Center.
- See more at: http://www.safenet-inc.com/data-protection/virtualization-cloud-security/#sthash.B8vrlfue.dpuf

Wednesday, December 2, 2015

On-line Shoppers Brace for Cyber Theft During the Christmas Retail Season

As millions of Americans are steeling themselves for the holiday shopping season, cybersecurity researchers are warning about a stealthy malware aimed at stealing credit card and debit card numbers from retailers. Cybersecurity firm iSight Partners on Tuesday revealed research about the malware, dubbed ModPOS, which the company says is largely undetectable by current antivirus scans.
The firm declined to name specific victims of the threat, but it said its investigation uncovered infections at "national retailers." The revelation comes as the retail industry is reeling from a wave of breaches uncovered since Target was hit during the 2013 holiday season.

"It's the most sophisticated point-of-sale malware we've seen to date," said Maria Noboa, an iSight senior threat analyst. Instead of being just one piece of software, it's a complex framework of multiple modules and plug-ins. Those parts combine to collect a lot of detailed information about a company, including payment information and personal log-in credentials of executives.

One way the companies try to limit their exposure is using more advanced forms of encryption to protect consumer data. With one method, known as point-to-point encryption, a consumer's payment card data is unlocked only after it reaches the payment processor.

Which other measures can consumers and Etailers alike take to prevent on-line theft? Share your comments at the Cloud and Cyber Security Center.

Tuesday, December 1, 2015

We Survived Cyber Monday Security Threats - So What is Next?

With Cyber Monday behind us many people still wonder if it is safe to buy online during end-of-the-year sales events. Of course it is safe in the sense that you won't be pushed, hit, or crushed by other customers who also want to get their hands on the big deals.
But is your credit or debit card information safe when you shop online? If you take a few basic precautions, you can enjoy the big discounts and not worry about getting into trouble.

Historically, November and December are the months with the most online transactions, and are therefore the months in which cyber-criminals are the most active. The common threats still lurking on the Internet for eCommerce shoppers include Phishing, Weak Passwords, Malware and Social Media Scams, Transactions Made Over Public Computers and Shopping at Unsecure Web Sites.

So which threats have you encountered, avoided and can advise other users to avoid during the Christmas shopping season? Share your comments with the Cloud and Cyber Security Center or shop at the Home and Computer Security Superstore: www.homecomputersecuritysuperstore