ping! zine issue 80 - one, two, three hacks—you’re out!

Uploaded by ping-zine-web-hosting-magazine, 23-Jul-2016

ping! zine web hosting mag

ONE, TWO, THREE HACKS—YOU’RE OUT

FIVE WAYS TO CATCH A HACKER

PROTESTS OR PROFITEERING: THE HACK REMAINS THE SAME

THE FINANCIAL INDUSTRY’S BIGGEST THREAT

WWW.PINGZINE.COM

PINGZINE TABLE OF CONTENTS

PING! ZINE 080

IN THIS ISSUE...

FIVE PLACES TO NEVER USE A BANK OR CREDIT CARD ... 9

FIVE WAYS TO CATCH A HACKER ... 10

ONE, TWO, THREE HACKS—YOU’RE OUT! FOUR LESSONS ALL COMPANIES CAN LEARN FROM BASEBALL’S ASTROS HACKING SCANDAL ... 12

IS YOUR COMPANY’S MOBILE APP PUTTING YOUR CUSTOMERS AT RISK FOR FRAUD? ... 16

PROTESTS OR PROFITEERING - THE HACK REMAINS THE SAME ... 18

THE FINANCIAL INDUSTRY’S BIGGEST THREAT ... 20

CITIZENS DEMAND ‘UBER’ PRIVACY ... 24

INTEL AND MICRON PRODUCE BREAKTHROUGH MEMORY TECHNOLOGY ... 26

DON’T MISS AN ISSUE! SUBSCRIBE NOW: WWW.PINGZINE.COM/SUBSCRIBE. DIGITAL EDITIONS...FREE!

PINGZINE OUR TEAM

Ping! Zine Web Hosting Magazine © 2015, Ping! Zine Web Hosting Magazine, Published and Copyrighted 2015 by PINGZINE, LLC, P.O. Box 516, Denham Springs, LA 70726. All rights reserved.

Permission to reproduce part or all of this issue must be secured in writing from the publisher. Complimentary subscriptions are at the discretion of the publisher and may be cancelled or modified at any time. Unsolicited submissions are welcome. We assume no liability for loss of or damage to submissions. We assume no liability for the content of this issue; all points and ideas are strictly those of the writers involved and not those of the publisher, publishing company, printing company or editors.

EXECUTIVE STAFF

Publisher Keith Duncan

Production Manager Lois Clark-Mayer

Marketing Director Zachary McClung

Executive Editor Dave Young

Senior Online Editor Robert Lang

EDITORIAL STAFF

Technical Editor Frank Feingold

Associate Editor Peter Burns

Headlines Editor Derek Vaughan

CONTRIBUTING WRITERS

Shaun Murphy

SRV Network, Inc

James Pooley

Gary Miliefsky

Stephen Coty

Deborah Galea

ADDRESS

Ping! Zine, LLC

Post Office Box 516

Denham Springs, LA 70726

OUR SPONSORS

BLACK LOTUS ... 2

WEB HOST DIRECTORY ... 5

1&1 INTERNET ... 7

RACKMOUNTS ETC ... 14

HOSTINGCON ... 21

TIER.NET ... 26

KAJE ... 27

HOST4YOURSELF ... 28

1&1 CLOUD SERVER – NEXT GENERATION (1and1.com)

TRY IT FOR 1 MONTH - FREE! Then starting at $9.99 per month*

1 TRIAL: TRY FOR 30 DAYS | 1 MONTH: FLEXIBLE PAYMENT OPTIONS | 1 CALL: SPEAK WITH AN EXPERT 24/7

DOMAINS | MAIL | HOSTING | eCOMMERCE | SERVERS

EASY TO USE – READY TO GO. The new 1&1 Cloud Server offers all the advantages of dedicated hardware performance combined with the flexibility of the cloud!

FLEXIBLE & AFFORDABLE
■ Customized configuration: SSD, RAM and CPU can be adjusted independently, flexibly and precisely
■ NEW: Pre-configured packages available
■ Transparent costs: billing by the minute; a clearly structured cost overview enables efficient planning and management
■ No minimum contract term

EASY & SECURE
■ 1&1 Cloud Panel: innovative, user-friendly interface with smart administration
■ Security: built-in firewall to protect your server from online threats
■ Backups and snapshots to prevent accidental data loss
■ High-performance 1&1 Data Centers are among the safest in the US

ALL-INCLUSIVE
■ Best performance: unlimited traffic; premium SSD with the highest performance
■ Private networks, professional API, load balancers, firewalls and more, all easy to configure
■ Ready-to-use applications including WordPress, Drupal™ and Magento®
■ Powered by Intel® Xeon® Processor E5-2683 V3 (35M Cache, 2.00 GHz)

1 (877) 461-2631

* 1&1 Cloud Server is available free for one month, after which the regular price of $9.99/month applies. No setup fee is required. Visit 1and1.com for full offer details, terms and conditions. Intel, the Intel Logo, Intel Inside, the Intel Inside logo, Intel. Experience What‘s Inside are trademarks of Intel Corporation in the U.S. and/or other countries. 1&1 and the 1&1 logo are trademarks of 1&1 Internet; all other trademarks are property of their respective owners. ©2015 1&1 Internet. All rights reserved.

5 Places to Never Use a Bank or Credit Card

PINGZINE BITS & BYTES

According to ConsumerCredit.com, 80% of consumers use their debit cards for everyday purchases like gas, meals and groceries instead of cash. While a card is more convenient to simply swipe through a machine versus counting out change and worrying if you have enough cash on hand to make a purchase, it is not always the safest way to pay. Cash cannot be traced to a bank account or to other personal financial information like a bank or credit card can. Privacy and security expert Shaun Murphy, founder of Private Giant, has identified five places consumers should never use their bank or credit card in order to help prevent their identity from being stolen and to protect their personal information.

1.) Online shopping sites that are not secure. Before you enter your credit or bank card information, look for the padlock icon in the browser’s address bar without any warning overlay; it means the connection is encrypted with HTTPS and the site’s certificate checked out. A padlock with a warning or strike-through, or no padlock at all, means it is not. (The print edition shows the icons at this point; they are not reproduced in this text.) Some sites, Amazon included, will not show you a lock icon until you log in to your account or begin the checkout process. This means anyone on the same network, or anywhere on the path between you and the site, can see what you are shopping for while you are browsing.

2.) Hidden / out of view terminals. A hidden terminal could be as simple as the gas pump furthest away from the center or an unattended station for automatic checkouts at the grocery store. These are sweet targets for credit card skimming devices that can sit there for months without anyone noticing.

3.) Cell phone charging stations. While it may sound convenient to swipe your card to charge your phone when the battery is nearly dead, think again. Besides being ripe for credit card skimming or nefarious storage of card information, these devices can also dump the information from your cell phone over the USB data lines while it charges! This attack method even has a cool name: juice jacking.

4.) Apps (desktop or mobile) that ask you for your credit card information outside of the normal app store. Chances are this is not a legitimate application, especially if it is threatening you (“you have a virus, please deposit $10...” or “I’ve encrypted all of your files and I’ll unlock them for a price”).

5.) Services that claim to be free or to offer a free trial but still need you to input a credit card before you can start using them. It is almost guaranteed that the service is either going to scam you or sign you up for some paid service that will be impossible to cancel.

Now, if you are wondering how exactly you are supposed to pay for the services you need in situations like those listed above there are a few options. One of the easiest is to use your bank or credit card to buy one-time use/reloadable cards that do not have ties to your personal information. Just make sure when you are checking out at the store that you go to a clerk, not a self-checkout lane.

By: Shaun Murphy, CEO Private Giant

FIVE Ways to Catch a Hacker

Tech Expert Explains How To Nab A Hacker

Data breaches are disturbingly common these days. Luckily, the authorities have many resources at their disposal when it comes to catching these criminals.

Tech expert Karl Volkman explains, “Federal authorities are getting very close to catching the criminals who were behind the infamous JP Morgan Chase hacking last year. When it comes to huge cases such as this, there is a big opportunity to really make an example of these hackers, and that is exactly what the authorities have in mind. Small-time hackers will see that even the most proficient and expert hackers are not able to escape unscathed, so it will certainly be a lesson for everyone.”

Here are the top five ways to catch a hacker, according to Volkman:

1. Be observant. “The best offense is a good defense,” says Volkman. “To that end, observation is key. Look out for certain things such as whether or not your hard drive activity has recently increased. This could be a sign of an online intruder.”

2. Know the clues. “Look in your temp folder. Are there numerous new files in there? Is your computer suddenly running slower than normal? These are not good signs.”

3. Don’t ignore repeat evidence. “If you continually have someone from the same IP address trying to get past your firewall, then you know that there is something hugely awry.”

4. Be proactive. “When you think you are being hacked, you should watch and wait in case the attack occurs again. Try to have some network monitoring software in place. Take note of the time and day of the hacks if possible.”

5. Contact the police. “Don’t sit and wait too long. Get the police involved right away and take measures to protect all of your personal data. It’s always better to be safe than sorry.”

About SRV Network, Inc.: SRV Network, Inc. is a Microsoft Gold Certified partner that offers a variety of IT services, including flexible service packages that meet any client requirement, from as-needed technical help to intensive, regular on-site work. They work with all technology platforms and have broad expertise in a wide variety of technology solutions. They specialize in Network Design and Implementation, Network Maintenance and Monitoring, Disaster Recovery and Prevention and IP Telephony.
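Volkman’s third and fourth points (repeat attempts from the same address, and noting the time and day) are what log-based detection automates. The following Python script is an added example, not part of the article or of SRV Network’s material. It runs over a few constructed syslog lines (an iptables drop rule logged with an assumed `[IPTABLES DROP]` prefix, plus sshd authentication failures) and reports every source address that generates at least `threshold` events inside a sliding time window; the log format, prefix, threshold and window are assumptions to adjust to your own firewall. One caveat a practitioner would add: a source IP in a log is evidence to act on, not an identity. It may be a NAT gateway, a proxy or a compromised third-party host, so the output is a lead for blocking and investigation rather than attribution.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). The first block is a
# port scan dropped by the firewall, the second an SSH password-guessing run,
# the third a host that tries only twice, hours apart.
SAMPLE_LOG = """\
Jul 20 03:14:01 gw kernel: [IPTABLES DROP] IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=22
Jul 20 03:14:03 gw kernel: [IPTABLES DROP] IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=23
Jul 20 03:14:05 gw kernel: [IPTABLES DROP] IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=3389
Jul 20 03:14:09 gw kernel: [IPTABLES DROP] IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=445
Jul 20 03:14:12 gw kernel: [IPTABLES DROP] IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=8080
Jul 20 03:15:40 gw sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51522 ssh2
Jul 20 03:15:44 gw sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51523 ssh2
Jul 20 03:15:49 gw sshd[2203]: Failed password for root from 198.51.100.23 port 51530 ssh2
Jul 20 03:15:53 gw sshd[2205]: Failed password for root from 198.51.100.23 port 51531 ssh2
Jul 20 03:15:58 gw sshd[2207]: Failed password for root from 198.51.100.23 port 51532 ssh2
Jul 20 03:16:02 gw sshd[2209]: Failed password for root from 198.51.100.23 port 51533 ssh2
Jul 20 09:02:11 gw kernel: [IPTABLES DROP] IN=eth0 SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP DPT=22
Jul 20 11:47:30 gw kernel: [IPTABLES DROP] IN=eth0 SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP DPT=22
Jul 20 11:50:02 gw sshd[3301]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2
"""

SYSLOG_TS = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) ")
# "[IPTABLES DROP]" is the --log-prefix assumed for the firewall's drop rule.
FW_DROP = re.compile(r"\[IPTABLES DROP\].*?SRC=(\d+\.\d+\.\d+\.\d+).*?DPT=(\d+)")
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def parse_line(line, year=2015):
    """Return (timestamp, source_ip, detail) for a firewall drop or an SSH
    failure, None for lines we do not care about. Syslog carries no year,
    so the caller supplies it."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)} {int(m.group(2)):02d} {m.group(3)}",
                           "%Y %b %d %H:%M:%S")
    d = FW_DROP.search(line)
    if d:
        return ts, d.group(1), f"drop dpt={d.group(2)}"
    s = SSH_FAIL.search(line)
    if s:
        return ts, s.group(2), f"ssh-fail user={s.group(1)}"
    return None


def repeat_offenders(log_text, threshold=5, window=timedelta(minutes=10)):
    """Group events by source IP and flag every source that produced at least
    `threshold` events within any `window`-long interval. Timestamps are kept
    so the time and day of the activity can be reported."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, detail = parsed
            by_ip[ip].append((ts, detail))

    offenders = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = {
                    "count": len(events),
                    "first": events[0][0],
                    "last": events[-1][0],
                    "details": sorted({d for _, d in events}),
                }
                break
    return offenders


if __name__ == "__main__":
    for ip, info in repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} events, {info['first']} .. {info['last']}")
        for d in info["details"]:
            print("   ", d)
```

The host that knocked twice hours apart is deliberately left out of the default report; lower `threshold` or widen `window` to catch slow scans, at the cost of more false positives from legitimate retries.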

One, Two, Three Hacks—You’re Out! Four Lessons All Companies Can Learn from Baseball’s Astros Hacking Scandal

Most of us assume that corporate espionage and digital theft of trade secrets rarely occur outside of technology, retail, and finance. But as the recent hacking of the Houston Astros’ internal computer network—allegedly by St. Louis Cardinals employees—proves, every company in every industry is vulnerable.

As cybersecurity breaches become increasingly common, says James Pooley, companies need to take steps to protect their information assets. If it can happen in baseball, it can happen anywhere.

“Clearly, just hitting the ball well isn’t enough: Competition these days is all about information—who has it and who can get it,” says Pooley, author of Secrets: Managing Information Assets in the Age of Cyberespionage (Verus Press, 2015, ISBN: 978-0-9963910-0-9, $24.97). “We’ll be hearing about stories like this more frequently as we expand our use of technology and hackers get more sophisticated.”

Having recently completed a five-year term as deputy director general at the World Intellectual Property Organization in Geneva, where he was responsible for management of the international patent system (PCT), Pooley is an expert in the fields of intellectual property, trade secrets, and data security. Secrets, which thoroughly explains how to recognize and mitigate the risk of information loss in today’s electronic business landscape, is a must-have guide for executives and managers, knowledge workers, consultants, security professionals, entrepreneurs, investors, lawyers, and accountants—anyone and everyone who works with information.

Here, Pooley spotlights four questions to consider if you’re serious about protecting your company’s secrets from being hacked:

What information do you have that could give your competition an edge? Don’t underestimate the value of your company’s information. Cyberhacking isn’t just a threat for big organizations with complicated technology. In the hands of the competition, a wide variety of information about your company’s products, processes, strategies, and client base can be used against you.

“The Astros’ database contained private statistics, scouting reports, and information about players,” Pooley comments. “Most companies collect and store similar data about their performance, strategies, customers, and employees. The competition would love to know all this, and sometimes people step over ethical and legal lines to get it. Remember, in order to protect your information assets, you must first know what you have.”

What are you doing about your passwords? In the Astros’ case, it appears that the hackers were able to access the team’s internal network simply by trying some passwords that had been used by a former manager of the Cardinals before he went to the Astros.

“In our personal lives, we often reuse the same passwords because they’re hard to remember,” Pooley acknowledges. “But in business, you can’t afford that kind of convenience. Especially if you rely only on passwords to protect information, you need to change them frequently—and especially after key personnel leave your company. Use very ‘strong’ combinations of characters. And if possible, consider adding extra layers of protection, like call-back requirements or biometrics such as fingerprints.”
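The Astros intrusion turned on a credential that was still valid after the person who knew it had changed employers. The following Python sketch is an added example, not part of Pooley’s book or of the article; it shows the two controls that make that scenario fail. A password-history check rejects any password the account has used before (the candidate is re-derived with each stored salt and compared in constant time, so no plaintext is ever kept), and an offboarding step disables the leaver’s own account and lists the shared accounts whose password they were issued, so those can be rotated at once. The `CredentialStore` class, the PBKDF2 parameters and the account names are assumptions for illustration; a real deployment does this in the directory or identity provider. Note that current guidance (NIST SP 800-63B, for example) favors rotating credentials on events such as a departure or a suspected compromise, together with blocking reused and known-breached passwords, over rotation on a calendar.

```python
import hashlib
import hmac
import os

# PBKDF2 parameters are assumptions for the example; tune to your hardware.
HASH_NAME = "sha256"
ITERATIONS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)


def new_entry(password: str):
    """Fresh random salt per stored hash, so two stores of the same password differ."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


def matches(password: str, entry) -> bool:
    salt, digest = entry
    # Constant-time compare: no timing leak about how many bytes matched.
    return hmac.compare_digest(derive(password, salt), digest)


class CredentialStore:
    """Hypothetical in-memory store used only for this illustration."""

    def __init__(self, history_depth: int = 5):
        self.history_depth = history_depth
        self.current = {}         # user -> (salt, digest)
        self.history = {}         # user -> [(salt, digest), ...], newest first
        self.disabled = set()
        self.shared_holders = {}  # shared account -> set of users given its password

    def set_password(self, user: str, password: str) -> bool:
        """Return False if `password` equals the user's current password or any
        of the last `history_depth` ones; otherwise rotate and store it."""
        if user in self.disabled:
            return False
        previous = list(self.history.get(user, []))
        if user in self.current:
            previous.append(self.current[user])
        if any(matches(password, entry) for entry in previous):
            return False
        if user in self.current:
            hist = self.history.setdefault(user, [])
            hist.insert(0, self.current[user])
            del hist[self.history_depth:]
        self.current[user] = new_entry(password)
        return True

    def verify(self, user: str, password: str) -> bool:
        if user in self.disabled or user not in self.current:
            return False
        return matches(password, self.current[user])

    def grant_shared(self, account: str, user: str) -> None:
        """Record that `user` was given the password of shared `account`."""
        self.shared_holders.setdefault(account, set()).add(user)

    def offboard(self, user: str) -> list:
        """Disable the leaver and return every shared account whose password
        they could still know: each one must be rotated now, not later."""
        self.disabled.add(user)
        return sorted(acct for acct, holders in self.shared_holders.items()
                      if user in holders)


if __name__ == "__main__":
    store = CredentialStore(history_depth=3)
    store.set_password("analyst", "Tr0ub4dor&3")
    print("reuse accepted?", store.set_password("analyst", "Tr0ub4dor&3"))  # False
    print("new accepted?", store.set_password("analyst", "correct horse battery staple"))  # True
    store.grant_shared("scouting-db", "analyst")
    store.grant_shared("scouting-db", "coach")
    store.grant_shared("travel-portal", "coach")
    print("rotate on departure:", store.offboard("analyst"))  # ['scouting-db']
    print("leaver can log in?", store.verify("analyst", "correct horse battery staple"))  # False
```

The shared-account bookkeeping is the part most organisations lack: without a record of who was ever given a service or database password, the only safe answer on a departure is to rotate all of them.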

What procedures are in place to prevent employees from taking valuable information with them when they leave? When employees leave your company, you reclaim their keys, laptops, and ID cards—but do you worry about the knowledge they carry in their heads? Companies need to mitigate the risk from the “insider threat,” since most information is lost this way.

“Even when you have the right contracts in place and have done all appropriate training, you should conduct a thorough exit interview, learning as much as you can about the employee’s next job and emphasizing the importance of your secret information and your determination to protect your rights,” Pooley advises.

Do you educate employees about your trade secrets? Employees don’t naturally think about information security, and the Facebook generation in particular has been raised on the idea that sharing is good and information is free. Again, behavior that is generally acceptable in employees’ private lives can cause serious problems in a business context. That’s why employers must proactively educate their people about corporate hygiene.

“Good training is the best (and most cost-effective) way to avoid problems and make sure employees stay within the bounds of what’s legal, ethical, and safe,” Pooley shares. “The best training is continuous, careful, upbeat, and professional, and does not rely on threats. While stories of information breaches—like the Astros hacking scandal—provide good case studies, be sure to also highlight your company’s own initiatives, especially actions by individual employees, that may have helped avoid a problem.”

“As the Astros’ misfortune has demonstrated, no industry or organization can consider its information assets safe,” Pooley concludes. “While it is impossible to guard against all information leaks, companies do have the power to strongly mitigate the risk of being hacked. What steps does your organization need to take to plug holes in its defense system?”

About the Author: James Pooley is the author of Secrets: Managing Information Assets in the Age of Cyberespionage. He provides international strategic and management advice in patent and trade secret matters, performs pre-litigation investigation and analysis, acts as a neutral and special master, and consults on information security programs.

Mr. Pooley recently completed a five-year term as deputy director general at the World Intellectual Property Organization in Geneva, where he was responsible for management of the international patent system (PCT). Before his service at WIPO, Mr. Pooley was a successful trial lawyer in Silicon Valley for over 35 years, representing clients in patent, trade secret, and technology litigation. He has also taught trade secret law at the University of California, Berkeley, and has served as president of the American Intellectual Property Law Association and of the National Inventors Hall of Fame.

Mr. Pooley is an author or coauthor of several major works in the IP field, including his treatise Trade Secrets (Law Journal Press) and the Patent Case Management Judicial Guide (Federal Judicial Center). He graduated from Columbia University Law School as a Harlan Fiske Stone Scholar in 1973 and holds a bachelor of arts, with honors, from Lafayette College.

About the Book: Secrets: Managing Information Assets in the Age of Cyberespionage (Verus Press, 2015, ISBN: 978-0-9963910-0-9, $24.97) will be available June 30, 2015, at bookstores nationwide and on Amazon.

Is Your Company’s Mobile App Putting Your Customers At Risk For Fraud?

Mobile apps are becoming big business for businesses. Many bank customers now check their account balances or transfer funds through an app on their cell phones. Savvy retail shoppers can use a favorite store’s apps to learn about discounts, access coupons and find daily deals.

“The apps for financial institutions and retailers are getting greater use and that can be wonderful for business,” says Gary Miliefsky, CEO of SnoopWall (www.snoopwall.com), a company that specializes in cyber security.

But as with so many things in the cyber world, caveats are connected. Even as companies provide additional services through those apps, they may be putting their customers at risk for fraud.

“Most companies don’t realize just how vulnerable their apps are and what the potential is for leaking their customers’ personal information,” Miliefsky says. “And when that happens, it’s bad for business.”

He suggests a few reasons why most companies need better protection for their mobile apps:

• New forms of mobile malware are being widely deployed in the major app stores and can eavesdrop on a customer through a company’s app. “These new forms of malware are undetected by anti-virus engines and are able to circumvent encryption, authentication and tokenization,” Miliefsky continues. “That makes it easy for cyber criminals to exploit the personal information of a company’s customers and commit fraud.”

• The PCI Data Security Standard requires merchants to protect cardholder data. Likewise, mobile-commerce providers must protect any payment card information, whether it is printed, processed, transmitted or stored. “Even though a customer has the breach on their mobile device, the retailer is responsible because it was their app that allowed the eavesdropping,” Miliefsky says. “A breach of credit-card information potentially could result in fines for the retailer.”

• The FDIC requires banks that are providing an ATM-like online or mobile-banking experience to protect access to the confidential records of the consumer, the consumer’s bank account information, user name and password credentials, and bill payment and check-deposit services. Just like with retailers, it doesn’t matter that the breach happened on the customer’s mobile device, Miliefsky says. The bank’s app caused the problem because it allowed the eavesdropping, so “the risk and the responsibility is the bank’s, not the consumer’s,” he says. And, as in the case with retailers, banks could face fines for a breach.

“Businesses have become great at creating useful apps that their customers eventually feel they can’t live without,” Miliefsky says. “But the failure to secure that app is going to come back to haunt the business over the long haul.”

Protests or Profiteering - The Hack Remains the Same

Hacktivism has been around since the Cult of the Dead Cow in the 80s; only the names have changed. Where we once heard about the Chaos Computer Club and the Legion of Doom, we now have high-profile examples like Anonymous, AntiSec, and LulzSec. The two eras do not compare: 35 years ago it was mostly demonstrations and denials of service. Now, attacks are exponentially more intrusive and destructive.

With this escalation in damages comes a new name. “Cyber terrorism” is a term that the media has been using quite frequently. There have been countless articles on Cyber Caliphate, Cyber Berkut, and “cyber freedom fighters” fighting for the rights of freedom and free information around the world. Is changing “hacktivism” to “terrorism” the media’s way of upping the ante on hacking? What is the difference between hacktivism and cyber terrorism? They both seek out the same targets. They have a singular purpose, in its simplest definition: to cause damage to an entity, organization or group. So what sets these two categories of hackers apart? Is the answer in their motivation? Is one viewed as “good” while the other is “bad”? Or is it simply in the eye of the beholder?

ANONYMOUS is a loose association of activist networks with an informal, decentralized structure and no central leadership. Beginning in 2003 on the bulletin board 4chan, Anonymous began to recruit and train young people interested in hacking for a cause. Throughout the years, they have run cyber attacks, mostly DDoS (Distributed Denial of Service), against the financial, healthcare, education, religious, oil, gas and energy sectors. They have also earned a spot on the distinguished list of attackers who have targeted Sony in the past. Anonymous has really changed the nature of protesting, and in 2013 Time magazine called them one of the 100 most influential people in the world.

Supporters have called the group “freedom fighters” and even compared them to a digital Robin Hood. Others consider them cyber terrorists. In the public’s eye, it depends on their motivation, following and targets. The bottom line: This could either be a case of malicious activity masked by political motivation, or pure malicious activity.

By Stephen Coty, chief security evangelist, Alert Logic

CYBER BERKUT, a modern group of hacktivists, takes its name from the special police force “Berkut,” formed in the early 1990s. The pro-Russian group made a name for itself by conducting DDoS attacks against the Ukrainian government and Western corporate websites conducting business in the region. The group has also been known to penetrate companies and retrieve sensitive data, which it posts on public-facing paste sites or on its non-English website, which includes a section called “BerkutLeaks.”

Cyber Berkut was most recently credited with hacking attacks against the Chancellor of the German Government, NATO and Polish websites, as well as the Ukrainian Ministry of Defence. The group has been compared to Anonymous based on its methods of protest and political targets. Viewed as passionate about its targets, Cyber Berkut has a clear agenda that it aims to accomplish. However, the group’s ideology in no way diminishes the amount of intended damage that might be inflicted on potential victims.

CYBER CALIPHATE, a hacker group claiming association with the terrorist group ISIS, has attacked many different government and private industry entities in that group’s name. Cyber Caliphate is responsible for multiple website defacements and data breaches. The group has hacked various websites and social media accounts, including those of military spouses, US military command, Malaysia Airlines, Newsweek and more.

Cyber Caliphate has proven itself efficient and hungry for media attention. This raises the question: Does Cyber Caliphate believe in its stated cause, or is this just opportunistic hacking under the guise of a cause for media attention? What if the group is just looking for fame and fortune? What if the group is not a group at all, but the work of one or two people collaborating with different contributors for specific targets?

MOTIVE DOESN’T MATTER

Is this cyber terrorism, hacktivism or just another set of hackers trying to get famous by jumping on the media’s hot topic of the month? We can wax poetic about standing up for a cause, but the fact remains that attacks are attacks, whether they are motivated by politics, fortune, or fame. And the key to fighting back is threat intelligence. Threat intelligence gathering is key to keeping up with the actions of these groups and their potential targets. Staying ahead of future attacks requires a proper investment in intelligence groups that have the tools, people and processes to deliver up-to-date intelligence. Information sharing among intelligence groups from different industries and countries helps expedite the reverse engineering of malicious code and the building of the signature content and correlation logic that is deployed to our security technologies, so that by the time an attack is launched globally, defences have been created and detection logic has been integrated.

The Financial Industry’s Biggest Threat

Nearly half of financial services respondents (46%) cited cyber risk as the single biggest threat to the financial industry, and 80% listed it as one of the top five risks, according to a recent study from the Depository Trust & Clearing Corporation (DTCC). Cyber risk was listed far ahead of other concerns such as geopolitical risk, the impact of new regulations, and the US economic slowdown.

With all the data breaches and cyber attacks that the financial sector has suffered recently, it is no surprise that cyber security is now seen as the top concern. Last year, the JP Morgan Chase breach compromised account information for 83 million households and small businesses. Earlier this year, Kaspersky Lab uncovered a cyber attack on more than 100 banks across 30 countries that resulted in financial losses of up to one billion dollars. According to the report Threats to the Financial Sector from consultancy firm PwC, 39% of the financial services respondents had been hit by cyber attacks in 2014, compared to 17% from other industries.

Many of these attacks, including the cyber attacks that Kaspersky discovered, start with spear phishing. The attackers gain entry by sending a targeted email to selected individuals with a malicious link or attachment. In the banking hack that Kaspersky uncovered, the email attachment was a malicious Microsoft Word document that exploited a vulnerability in unpatched versions of Word. Once the attachment was opened, the attackers were able to obtain access to the system and proceed in stealth to analyze, monitor and ultimately steal large sums from the banks they infiltrated.

Financial organizations are an especially attractive target for cyber criminals, not only for stealing money but also for obtaining sensitive customer data that can be sold for copious amounts on the black market. Such data is also expensive to lose: according to the Ponemon Institute, a breach costs the affected US organization an average of $217 per compromised record. What should financial organizations be doing to protect themselves against these data breaches?

Improve Threat Detection

Financial organizations need to improve their ability to detect malware threats, both known and unknown. Many companies only use one or two antivirus engines. With the sheer number of new malware samples released each day, this will not provide sufficient protection. Combining the detection algorithms and heuristics of different engines raises the chance of catching threats, including zero-day and targeted attacks, because each engine has different blind spots. Multi-scanning with multiple anti-malware engines should be applied to all data workflows of the organization, including email, servers, clients, browsing, portable media and file transfer. (continued...)

NETWORK • LEARN • GROW

HostingCon Europe, SEPT 22-23, 2015, AMSTERDAM, NETHERLANDS: THE PREMIER INDUSTRY CONFERENCE AND TRADE SHOW FOR HOSTING AND CLOUD PROVIDERS. EUROPE.HOSTINGCON.COM. REGISTER NOW AND SAVE WITH EARLY BIRD RATES!

Tier.Net Hosting: Shared, Reseller, VPS, Cloud, Dedicated, Colo, Advanced. LIMITED TIME ONLY: Xeon E3-1230 V3 Dedicated Server (4 cores / 8 threads), 16GB RAM, 2TB SATA Caviar Black HDD, 5TB premium bandwidth included, 100% uptime money-back guarantee, 24/7/365 industry-leading support, 5 IPv4 IPs included, unlimited IPv6. sales@tier.net

About the author: Deborah Galea, product manager, OPSWAT (www.opswat.com). Deborah Galea heads OPSWAT’s product marketing for the Metascan and Metadefender product suite, and is dedicated to identifying solutions to help companies of all sizes ensure a secure data workflow. Prior to joining OPSWAT, she was co-founder and COO of Red Earth Software. Red Earth Software specialized in the development of email management software to help companies ensure proper usage of their corporate email systems.

Improve Threat Prevention

In the event that a threat is not detected by anti-virus engines, there are a number of additional precautions that can be taken to prevent infection by undetected malware. Data sanitization (also called content disarm and reconstruction) rebuilds a file or converts it to a different format, stripping the active content in which threats are typically embedded, such as macros, scripts, embedded objects and exploit-triggering structures. For instance, in the attack that Kaspersky uncovered, the spear phishing email included a malicious Word document. If data sanitization had been applied, the Word document could have been rendered harmless before it was delivered to the recipient.

File type and email attachment control can also help keep malicious files from circumventing filters: limit the types of attachments that are allowed in, and verify the actual file format from its content (its header or magic bytes) rather than trusting the extension or the declared MIME type, so that an executable renamed to .pdf is intercepted as a spoofed file.

Ensuring that devices and endpoints are up to date with the latest patches and anti-virus updates decreases the chance that malware is able to infect a computer. In the financial breach that Kaspersky discovered, only the Word installations that were not up to date were vulnerable to the malware in the email attachment. To monitor devices properly, financial institutions need a central monitoring system that can detect unpatched and compromised machines.
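The attachment-control step comes down to trusting what the bytes say rather than what the filename says. The following Python function is an added example, not OPSWAT’s code and not part of the article; it identifies an attachment’s real format from its leading magic bytes (and, for Office Open XML, from the archive’s contents, since a .docx is a ZIP file), compares that with the claimed extension, and rejects disallowed types, unrecognised content, spoofed files such as an executable renamed to .pdf, and Office documents that carry a VBA project. The signature table, the allow-list and the sample files are constructed for the example; the sample Office documents are minimal ZIP archives built in memory, not real documents.

```python
import io
import os
import zipfile

# Leading-byte signatures for the container formats an attachment filter
# usually has to tell apart. OOXML (.docx/.xlsx/.pptx) is a ZIP archive, so it
# shares the ZIP signature and is told apart by the entries inside.
SIGNATURES = {
    "pdf": b"%PDF-",
    "ole2": bytes.fromhex("D0CF11E0A1B11AE1"),   # legacy .doc/.xls/.ppt
    "zip": b"PK\x03\x04",
    "exe": b"MZ",                                 # Windows PE / DOS executable
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
}

# Which detected formats are legitimate for each claimed extension.
EXTENSION_FORMATS = {
    ".pdf": {"pdf"}, ".doc": {"ole2"}, ".xls": {"ole2"},
    ".docx": {"ooxml"}, ".xlsx": {"ooxml"}, ".pptx": {"ooxml"},
    ".zip": {"zip"}, ".png": {"png"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
}

# Example allow-list: legacy binary Office formats and archives are not accepted.
DEFAULT_ALLOWED = frozenset({".pdf", ".docx", ".xlsx", ".pptx", ".png", ".jpg", ".jpeg"})


def detect_format(data: bytes) -> str:
    """Classify content by magic bytes; look inside ZIPs to recognise OOXML
    and to flag a VBA project (macros) inside an Office document."""
    for name, magic in SIGNATURES.items():
        if not data.startswith(magic):
            continue
        if name != "zip":
            return name
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if "[Content_Types].xml" not in names:
            return "zip"
        if any(n.endswith("vbaProject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml"
    return "unknown"


def check_attachment(filename: str, data: bytes, allowed=DEFAULT_ALLOWED):
    """Return ("accept", format) or ("reject", reason)."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in allowed:
        return "reject", f"extension {ext or '(none)'} not allowed"
    fmt = detect_format(data)
    if fmt in ("unknown", "zip-corrupt"):
        return "reject", f"unrecognised content ({fmt})"
    if fmt not in EXTENSION_FORMATS.get(ext, set()):
        return "reject", f"content is {fmt}, filename claims {ext}"
    return "accept", fmt


def make_ooxml(with_macro: bool = False) -> bytes:
    """Build a minimal constructed OOXML-like archive in memory (not a real
    Word file, just enough structure for the classifier)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def make_plain_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()


# Constructed samples: (filename, bytes).
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n%constructed sample\n"),
    ("report.docx", make_ooxml()),
    ("report_macro.docx", make_ooxml(with_macro=True)),
    ("update.pdf", b"MZ" + b"\x90" * 62),            # executable renamed to .pdf
    ("archive.docx", make_plain_zip()),              # plain zip claiming to be Word
    ("old.doc", bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 8),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        verdict, why = check_attachment(name, data)
        print(f"{name:20} {verdict:7} {why}")
```

A production filter would go further (parse the PDF and OOXML structure rather than the first bytes only, and hand anything that passes to the multi-engine scan and sanitization described above), but the extension-versus-content comparison is the check that stops the cheapest spoofing tricks outright.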

Keeping Data Secure

Sensitive information must be segregated and encrypted. When sensitive data must be shared externally, a secure file transfer system must be used to ensure confidentiality and prevent data theft. In high security environments, networks containing sensitive data are even entirely disconnected from the Internet and other networks, in so-called ‘air-gapped networks’. Limited connectivity is possible using a cross-domain solution or a data diode, hardware that physically permits traffic in one direction only, from the lower security network into the higher security network. The secure network can then still receive the data it needs (signature updates, patches, feeds), but nothing on it can send data back out, so an attacker who gains a foothold inside has no channel through which to exfiltrate. Such measures do not make a compromise impossible, but they greatly limit what a successful attacker can take.

OPSWAT provides a number of solutions to help organizations improve their security and defenses against cyber attacks, including multi anti-malware scanner Metascan, along with Policy Patrol Security for Exchange (email security for Exchange Server), Policy Patrol Secure File Transfer (secure file transfer solution), Metadefender (portable media security) and Gears (device monitoring).


The world is waking up. Riots in France. Over Uber, you ask? Yes, the app you conveniently downloaded on your smartphone to help you get a ride from where you are to where you want to go, usually at a lower cost than a taxi and more convenient in some cities than hailing a cab, is also a brilliant piece of SPYWARE.

Yes, let’s call it what it is. Just review the permissions it asks for on the Google Play store.

Uber app by Uber Technologies Inc., Version 3.55.0, can access:

• Identity – add or remove accounts; find accounts on the device; read your own contact card.

• Contacts – read your contacts.

• Location – find your approximate location (network-based); or precise location (GPS and network-based).

• SMS – receive text messages (SMS).

• Phone – directly call phone numbers.

• Photos/Media/Files – read the contents of your USB storage; modify or delete the contents of your USB storage.

• Camera – take pictures and videos.

• Wi-Fi connection information – view Wi-Fi connections.

• Device ID & call information – read phone status and identity.

• Other – receive data from the Internet; modify system settings; use accounts on the device; view network connections; full network access; control vibration; prevent device from sleeping; read Google service configuration.

In addition, without knowing in detail what’s in them, updates to Uber may automatically add more capabilities within each group.
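As an added example (not Uber's code or manifest, and not SnoopWall's), here is a permission-creep check in the spirit of that last point: it diffs the permissions declared by two constructed manifest versions and flags additions that land in a group the user already approved. The permission-to-group mapping is a constructed, partial one.

```python
# Added example (not Uber's manifest, not SnoopWall code): diff the
# <uses-permission> entries of two app versions and flag additions that
# fall inside a permission group the user already approved, the case a
# group-based update model can grant without a fresh prompt.
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
# Constructed, partial permission -> Play Store group mapping, covering
# groups the article lists; unmapped names are reported for manual review.
GROUPS = {
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.CAMERA": "Camera",
    "android.permission.RECORD_AUDIO": "Microphone",
}

def permissions(manifest_xml: str) -> set:
    """Names declared by <uses-permission> elements in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME) for e in root.iter("uses-permission")}

def permission_creep(old_xml: str, new_xml: str) -> dict:
    old, new = permissions(old_xml), permissions(new_xml)
    granted = {GROUPS[p] for p in old if p in GROUPS}  # groups already approved
    report = {"silent": [], "prompt": [], "review": [], "removed": sorted(old - new)}
    for p in sorted(new - old):
        group = GROUPS.get(p)
        if group is None:
            report["review"].append(p)            # unknown group: inspect by hand
        elif group in granted:
            report["silent"].append((p, group))   # same group: granted on update
        else:
            report["prompt"].append((p, group))   # new group: user is asked
    return report

# Constructed manifests standing in for two releases of the same app
OLD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
# Release 2 upgrades coarse to fine location and adds the microphone
NEW = OLD.replace("ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION").replace(
    "</manifest>",
    '  <uses-permission android:name="android.permission.RECORD_AUDIO"/>\n</manifest>')
```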

Citizens Demand ‘Uber’ Privacy

By Gary S. Miliefsky, CEO, SnoopWall Inc.


Now, I would agree the riots in France were mostly over UberPop, their French app with more than 400,000 downloads in the country, stealing business away from the taxi industry in violation of French law. But it’s also been reported that the French are upset with Uber’s data collection and privacy policies.

Like most “growing too fast to think straight” companies, Uber joins the ranks of Google, Facebook and Twitter in wanting to know everything they can about everyone.

It’s a growing trend where the marketing vice president of these companies convinces the CEO that “consumer analytics” is where it’s at. Collecting as much information about everyone is just going to make the product better, they say.

Without concern for our privacy, they collect and mine data without us knowing when, how or why. Ultimately, these companies feel that if we the people (or in this case “sheeple”) are willing to go along with the pack and just give away our right to privacy for convenience, well, shame on us, not them. It should be the other way around.

Slowly, there is an awakening. It’s happening now in France, all over Uber. It’s happening in New York City, all over Uber. What did Uber do in NYC to spark this rebellion? Uber has been using data mining to attempt to rally public sentiment against the proposed cap on Uber’s drivers in New York. They actually send unsolicited political text messages to those in the geolocation of NYC trying to rally support.

Creepy. Very creepy. This is the tip of the iceberg of what Uber can do because of all the data it has collected. Remember last year, when Uber NYC executive Josh Mohrer tracked technology reporter Johana Bhuiyan on two occasions using a feature known as “God View”? What a great internal name for the SPYWARE dashboard of Uber.

God View is available to all employees at the car-sharing service and allows them to see customer activity, such as where a person wants to be picked up.

Marketing VP and developers at Uber, what were you thinking? Shame on you for building a SPYWARE network instead of a private car service.

Maybe this is the beginning of a pivotal moment – when consumers start to question companies with God Views that collect data on them that violates their privacy. Maybe soon people will demand a PRIVACY ride service and even be willing to pay a slight premium per ride so that their personally identifiable information (PII) won’t be gobbled up into a corporate database that is never secure enough against the next hacker attack, and that’s managed by companies with staff willing to use that data in ways consumers would never have approved.

Uber, get out of our contacts list. Stop tracking us. Anonymize and encrypt your “God View” system and rename it to what it is – Consumer SPYWARE Dashboard. Your marketing VP needs to read “1984” by George Orwell and realize that “we the people” are no longer willing to become a product in your database.

Do a great job. Offer a great service. Don’t steal our privacy or creep on us anymore.

About Gary S. Miliefsky

Gary S. Miliefsky is the CEO of SnoopWall Inc. and inventor of the company’s novel Counterveillance technology. He has been extremely active in the INFOSEC arena, most recently as the Editor of Cyber Defense Magazine, and was a frequent contributor to Hakin9 Magazine. He also founded NetClarity Inc., an internal intrusion defense company, based on a patented technology he invented. He is a member of ISC2.org, a CISSP®, and a member of the Advisory Board of the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. He also advised the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace. Miliefsky is a Founding Member of the U.S. Department of Homeland Security (http://www.DHS.gov), serves on the advisory board of MITRE on the CVE Program (http://CVE.mitre.org) and is a founding Board member of the National Information Security Group (http://www.NAISG.org). Email him at: [email protected].


Intel and Micron Produce Breakthrough Memory Technology

Intel and Micron begin production on new class of non-volatile memory, creating the first new memory category in more than 25 years.

Intel Corporation and Micron Technology, Inc. unveiled 3D XPoint™ technology, a non-volatile memory that has the potential to revolutionize any device, application or service that benefits from fast access to large sets of data. Now in production, 3D XPoint technology is a major breakthrough in memory process technology and the first new memory category since the introduction of NAND flash in 1989.

The explosion of connected devices and digital services is generating massive amounts of new data. To make this data useful, it must be stored and analyzed very quickly, creating challenges for service providers and system builders who must balance cost, power and performance trade-offs when they design memory and storage solutions. 3D XPoint technology combines the performance, density, power, non-volatility and cost advantages of all available memory technologies on the market today. The technology is up to 1,000 times faster and has up to 1,000 times greater endurance than NAND, and is 10 times denser than conventional memory.

“For decades, the industry has searched for ways to reduce the lag time between the processor and data to allow much faster analysis,” said Rob Crooke, senior vice president and general manager of Intel’s Non-Volatile Memory Solutions Group. “This new class of non-volatile memory achieves this goal and brings game-changing performance to memory and storage solutions.”

“One of the most significant hurdles in modern computing is the time it takes the processor to reach data on long-term storage,” said Mark Adams, president of Micron. “This new class of non-volatile memory is a revolutionary technology that allows for quick access to enormous data sets and enables entirely new applications.”

As the digital world quickly grows – from 4.4 zettabytes of digital data created in 2013 to an expected 44 zettabytes by 2020 – 3D XPoint technology can turn this immense amount of data into valuable information in nanoseconds. For example, retailers may use 3D XPoint technology to more quickly identify fraud detection patterns in financial transactions; healthcare researchers could process and analyze larger data sets in real time, accelerating complex tasks such as genetic analysis and disease tracking. The performance benefits of 3D XPoint technology could also enhance the PC experience, allowing consumers to enjoy faster interactive social media and collaboration as well as more immersive gaming experiences. The non-volatile nature of the technology also makes it a great choice for a variety of low-latency storage applications, since data is not erased when the device is powered off.

New Recipe, Architecture for Breakthrough Memory Technology

Following more than a decade of research and development, 3D XPoint technology was built from the ground up to address the need for non-volatile, high-performance, high-endurance and high-capacity storage and memory at an affordable cost. It ushers in a new class of non-volatile memory that significantly reduces latencies, allowing much more data to be stored close to the processor and accessed at speeds previously impossible for non-volatile storage. The innovative, transistor-less cross point architecture creates a three-dimensional checkerboard where memory cells sit at the intersection of word lines and bit lines, allowing the cells to be addressed individually. As a result, data can be written and read in small sizes, leading to faster and more efficient read/write processes.

PINGZINE BITS & BYTES
