This is our first look at Windows 10’s completely redesigned Start menu

Windows 10 could eliminate two major online security headaches

Windows 10 New Security Features

We’ve seen a bunch of hugely promising new features that Microsoft has added to Windows 10 via its Technical Preview but this might be the most important one yet. ZDNet’s Ed Bott gives us a detailed rundown of the new two-factor authentication system that Microsoft is implementing with Windows 10 and he says it has the potential to effectively cripple phishing attacks and password database breaches, which are two of the most popular tactics hackers use to gain unauthorized access to our online accounts.

LEARN MORE: Everything we know about Windows 10

By now you’re probably familiar with two-factor authentication, which typically involves sending you a separate access code via either email or SMS that you enter in after you’ve entered in your password onto a website. This technique prevents hackers from using your password to access your online accounts unless they have access to either your email account or your cell phone as well since that would be the only way for them to get the proper code to enter into the website.

Now, Bott explains that Microsoft has plans to bring this extra layer of security to its entire computing platform.

“The feature… will allow the owner of a Windows 10 device (PC, tablet, or phone) to enroll that device as trusted for the purposes of authentication,” writes Bott. “In combination with a PIN or biometric proof, such as a fingerprint, the user will be able to sign in to any supported mobile service… If that PIN is stolen in a database breach or phishing attack, the thief will be unable to access any services, because the hardware part of the two-factor authentication requirement isn’t present. Likewise, a stolen device without the necessary PIN will be useless.”

Bott’s full explanation for how this new feature will work is worth reading and can be found at the source link below.

SymantecVoice: How To Hire The Best IT Security Team For Your Business

SymantecVoice: How To Hire The Best IT Security Team For Your Business

By Robert Shaker II, COO, Cyber Security Group, Symantec

There is an emerging need for cybersecurity expertise across the board, but finding the right security professional is not an easy task. This is especially the case when you are looking for experienced staff with technical security expertise that covers a wide range of business security priorities. Here are some considerations to keep in mind for finding an IT security manager and building a skilled team to fit your business needs.

Finding an IT Security Manager

The process of building a cybersecurity team starts with finding the right IT security manager to lead it. Here are the three key factors you should be looking for when hiring an IT security manager:

1. Professional Experience

The number one thing to look for is someone with experience in information security–but not necessarily in your specific industry. Hiring a manager from another industry could provide you with a different approach to security that could significantly improve your overall posture against attacks. Education alone doesn’t make a good security manager; having hands-on experience means that your lead will have knowledge of how to deal with problems when they arise and how to provide the leadership that the team needs.

While experience is central, a successful IT security manager doesn’t necessarily have to be a security expert. If you want or need to hire someone who doesn’t have a security background, look for diverse IT experience. A candidate that has experience working on different teams will have a good grasp of the challenges that each one faces and be able to manage those in relation to security needs.

2. Culture Fit

It’s important to find a candidate who fits the culture of your company and your workforce. Ensuring that this person has the same mission and values of the company and the team they are leading (or the team you want them to build) is critical to their overall success and the success of the company’s security program.

3. Business Understanding

A security manager must also understand how the business operates and not just think of security for security’s sake. Being able to see what’s important to the business and how it operates will make a manager better equipped to deploy the right kinds of security technology and protections. While the role of the Chief Information Security Officer is to see the business through a security lens, a security manager should see security through a business lens.

Building a Team

With a security manager in place, it’s time to start building a skilled support staff. Here are 10 tips for managers looking to hire experienced security professionals:

  1. Evaluate your team by looking at resumes and talking to each member individually. Whether you are starting from scratch or taking over an existing security team, it’s important that you take the time to individually assess each of your team members to identify strengths and skills gaps.
  2. Ask employees if they know people who can help. As you look to fill in gaps and expand your team, the best resource you have is your current workforce. Using their network can save hiring time and be good for the culture of the team by bringing together people who already have strong relationships.
  3. Find the right recruiter. Be sure to find a recruiter that understands your needs to help you find the best people and avoid wasted time and money.
  4. Create a social network and then leverage it. You can get a lot of leads by having a social presence on networks like LinkedIn. Take some time to also actively search these networks for candidates that fit your desired profile.
  5. Ask the questions that you want the answers to. Don’t simply rely on stock interview questions. Ask questions that are direct and relevant to the central aspects of the role.
  6. Always ask for a writing sample. Whether writing is a key part of the role or not, effective written communication skills are always important.
  7. Do a hands-on interview. If a new hire will be working on a security technology that is unique, hold a technical interview to make sure they have the practical skill level required.
  8. Find a cultural fit. Try to select someone that is a good fit culturally for your team and your company.
  9. Learn something about the person that’s not work related. Once you find a candidate to hire, you’ll be spending many long hours together. It’s never too early to start building a strong relationship.
  10. Allocate enough time to the hiring process. Expect for the process of finding and hiring the right person to take at least 60 days. If possible, give yourself three to six months lead time to complete the hiring process.

Finding the best candidate for the job can be challenging and it takes time. Again, if you find someone that has the right background, culture and understands your business and security, but doesn’t have the exact experience in your field it may be worth giving them a chance; the benefits to your business could be manifold.

A woman walks past the Check Point Software Technologies Ltd. logo at the company's offices in Tel Aviv

Check Point third-quarter profit beats estimates, raises 2014 forecast

TEL AVIV (Reuters) – Network security provider Check Point Software Technologies reported quarterly profit that topped expectations and raised its full-year forecast on strong demand for its threat prevention and other software subscriptions.

Check Point earned 93 cents a share excluding one-time items

in the third quarter, up from 85 cents a year earlier. Revenue

grew 8 percent to $370.4 million, the Israeli-based company said on Thursday.

Check Point, a leader in the corporate fight against cyber crime and computer viruses, was forecast to have earned 91 cents a share on revenue of $367.1 million, according to Thomson Reuters I/B/E/S.

“Cyber security demand has become a top priority in today’s IT landscape and Check Point is at the right place at the right time to benefit from these trends,” said FBR Capital Markets managing director Daniel Ives, who rates Check Point “outperform”.

“While tech stalwarts such as IBM, Oracle, SAP, and EMC are seeing IT spending headwinds, pure play security vendors such as Check Point are seeing the benefits of a shifting landscape … towards next generation cyber security platforms.”

Check Point’s shares were up 3.9 percent to $70 in pre-market Nasdaq trading.

Revenue from its software blades – modular software building blocks bought on an annual subscription basis – was especially strong, with growth of 22 percent.

“There is still demand for security around the world and this is the main reason for our growth,” Chief Executive Officer Gil Shwed told a news conference, noting the biggest driver was the company’s threat prevention blade.

This is in line with a trend in the industry as cyber security providers focus on detecting and preventing attacks before they penetrate organizations rather than just protecting gateways as in the past.

“There are more attacks; they are more violent and more sophisticated,” Shwed said.

He forecast fourth-quarter revenue of $395 million to $430 million and earnings per share excluding one-time items of 99 cents to $1.09. Analysts on average estimated revenue of $410 million and EPS of $1.03.

Shwed also raised his full-year forecast to revenue of $1.47-$1.505 billion from a previous estimate of $1.45-$1.5 billion, and adjusted EPS of $3.64-$3.74 from $3.50-$3.70.

Check Point, which has nearly $3.7 billion in cash, is seeking to use some of its funds for mergers and acquisitions.

The company also expects to benefit from a strengthening dollar against the shekel, if the trend continues.

(Reporting by Tova Cohen; Editing by Steven Scheer)

Here’s how to make sure your iCloud data is safe from hackers

Here’s how to make sure your iCloud data is safe from hackers

iCloud Phishing Attack

After reports emerged from China detailing a sophisticated iCloud phishing attack, Apple has posted instructions on its support pages to help users figure out whether they’re actually on the real iCloud page, or on a fake page meant to steal iCloud credentials from unsuspecting victims. Additionally, Reuters reports, Apple CEO Tim Cook on Wednesday met with China’s vice premier Ma Kai to discuss personal data security.

FROM EARLIER: Apple falls victim to an iCloud attack from the Chinese government, servers not affected

According to Greatfire’s initial report, a Chinese firewall had blocked all connections to, directing the traffic instead to a dummy site that mimicked Apple’s login page for the service. The same group later told Reuters that Apple rerouted traffic on Tuesday in an effort to circumvent the hack.

“Apple is deeply committed to protecting our customers’ privacy and security,” Apple wrote on its support pages. “We’re aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously. These attacks don’t compromise iCloud servers, and they don’t impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser.”

Apple continued, “The iCloud website is protected with a digital certificate. If users get an invalid certificate warning in their browser while visiting, they should pay attention to the warning and not proceed. Users should never enter their Apple ID or password into a website that presents a certificate warning. To verify that they are connected to the authentic iCloud website, users can check the contents of the digital certificate as shown below for Safari, Chrome, and Firefox—each of which provides both certificate information and warnings.”

On the same page, instructions on how to spot fake Apple pages trying to obtain login credentials from unsuspecting users have also been posted — the full document, complete with images, is available at the source link.

Meanwhile, the Chinese government has strongly refuted the claim that it’s involved in this particular data collection scheme.

Cook and Ma Kai spoke about the “protection of users’ information,” but also about “strengthening cooperation and in information and communication fields,” according to the report.

Twitter changes: 20 hits and misses from the social network's history

Twitter changes: 20 hits and misses from the social network’s history

Grump’s Internet Law dictates that whenever a large social network like Facebook or Twitter changes its design or adds a major new feature, people kick up a stink online claiming it’s going to ruin the service.

Sometimes, they’re right, and the company executes a quick u-turn. Sometimes, the new feature flops and is retired at a later point. But quite often, the new feature beds in nicely, and becomes an important part of the social network.

Later today, Twitter will be making its latest announcements at its Flight conference, reportedly including a new app development platform called Fabric. The implications for Twitter users are sure to spark debate among its always-vocal community.

It’s a good point to look back at some of Twitter’s past changes and the impact they had on the social network and the people that use it.

Here are 20 of the changes that helped make Twitter what it is today, usually for the better, although occasionally – if only in the short term – for the worse.

Twitter verified accounts.

Twitter verified accounts.

Verified accounts (June 2009)

Many celebrities caught on to Twitter early in its life, but it was 2009 before their status was recognised with the now-familiar blue ‘Verified’ tick. It was a good move for those well-known individuals (plus companies and public agencies) to protect against impersonation.

That said, Twitter has occasionally been caught out by imposters who manage to get verified – most recently a Morrissey account that fooled Twitter and media outlets alike.

Hyperlinked hashtags (July 2009)

Hashtags weren’t actually Twitter’s invention, but the company caught on to the way people were using them to group tweets around specific events and topics. In July 2009, it made hashtags automatically hyperlinked, so that people could click on a hashtag to see other tweets using it.

Over time, that small feature has become increasingly important to Twitter: for example in its dealings with the television industry, as it tries to persuade broadcasters that it can be their “synchronised social soundtrack”.

Twitter lists.

Twitter lists.

Twitter lists (October 2009)

When Twitter revealed its Lists feature, it pitched them as a way to “curate” lists of interesting Twitter accounts either privately or publicly: “You could create a list of the funniest Twitter accounts of all time, athletes, local businesses, friends, or any compilation that makes sense,” explained the company at the time.

For power users, Twitter Lists have been a useful feature, especially if you follow hundreds of accounts and are prepared to take the time to divide them into separate lists. However, it’s not quite caught on yet for mainstream users, even though recommending good Lists to newcomers might be a way to make Twitter less intimidating when they first sign up.

Retweet buttons (November 2009)

In 2014, some people think it’s rude to manually re-post someone’s tweet with an RT at the start, rather than just tapping the retweet button. So it might be strange to think that once, all retweets were done in this way.

But in 2009, Twitter started rolling out its retweet button, initially to a “very small percentage of accounts”, suggesting that it “makes forwarding a particularly interesting tweet to all your followers very easy”. Since then, it’s become a familiar part of the service.

Promoted tweets (April 2010)

In the first half of 2014, Twitter made $503m from advertising. Back in 2010, though, the company was only just starting along the road to making money. Promoted Tweets was its long-anticipated advertising platform, with brands paying to have their tweets shown at the top of search results pages.

It wasn’t until the following year that Twitter started putting promoted tweets into people’s main streams, and it has since launched other kinds of ad too: Promoted Accounts and Promoted Trends for example. Thus far, Twitter appears to have walked the line well between making money and not annoying users.

@EarlyBird (July 2010)

This is one of the Twitter experiments that many people have forgotten. @EarlyBird was a new form of Twitter ad, but also an account that people could follow, tweeting out exclusive offers from advertising partners.

The first was a buy-one-get-one-free offer for tickets to Disney’s The Sorcerer’s Apprentice film, while the second was a deal to get a cheap TV set from US retailer Target. A few months later, @EarlyBird was shut down with then-COO Dick Costolo saying Twitter had “tremendous early success with it, but it needs to be reworked or rethought”. Or, indeed, shelved for good.

Twitter's first official mobile app.

Twitter’s first official mobile app.

Official mobile apps (2010)

A fun piece of mobile trivia for you: BlackBerry was actually first to get an official Twitter app in April 2010, thanks to a partnership between Research In Motion and Twitter. But the same month, the company signified its intentions by buying popular iPhone app Tweetie, rebranding it as Twitter in May – by which point there was also an official Android app.

Twitter’s move into mobile apps was controversial at the time and since, due to restrictions placed on other developers making their own Twitter apps. Yet predictions that Twitter would squeeze them out of the market proved wrong: some fell by the wayside, but TweetBot, Echofon and others are still around in 2014.

#NewTwitter (2011-12)

Twitter has gone through several redesigns in its history, with #NewTwitter being one of the most protracted: unveiled in September 2010, it rolled out to users over the next year, initially as a voluntary upgrade, before ultimately being a forced change for the last few refuseniks.

The key change here – again, one that feels to many Twitter users in 2014 like it’s always been there – was a two-pane design, with videos and photos now viewable within Twitter. It also introduced features like related content and mini-profiles.

It laid more foundations for the Twitter that we know in 2014. The rollout was completed in August 2011.

The Quick Bar – or

The Quick Bar – or “DickBar” (left) – wasn’t #winning. Photograph: PR

#DickBar (March 2011)

Hands up if you remember the #DickBar? Or, as it was officially known, the Quick Bar – Costolo was the inspiration for the nickname, coined by influential tech blogger John Gruber as “Dick-Bar”.

It was a storm in a teacup in March 2011, with users protesting loudly at the addition of a floating bar at the top of the tweet stream in Twitter’s iPhone app, showing trending topics – including promoted ones. It was annoying and intrusive, not least because it couldn’t be turned off.

Well, it could be… by Twitter. At the end of March, Twitter removed the feature. “After testing a feature and evaluating its merits, if we learn it doesn’t improve the user experience or serve our mission, we’ll remove that feature,” explained the company.

Downloadable archives (December 2012)

There were ways to dig back into your Twitter archives before this change, but Twitter’s launch of the ability to download all your past tweets made it a lot easier. It started rolling out to users at the end of 2012, providing tools to rewind the clock and view tweets by month, and search the archives.

This was the sort of new feature that power users loved – not least because it helped them boast about how long they’d been using Twitter – but it didn’t have a noticeable impact on newer users of the service.

Vine (January 2013)

Twitter’s move into shortform-video sharing started in October 2012, when it bought a fledgling mobile startup called Vine, which hadn’t launched its app yet. A few months later, it went live: a way to shoot and share six-second looping videos, leaked a day in advance when Costolo – now CEO – posted a Vine of someone cooking a steak tartare (above).

Vine has since gone from strength to strength, with versions for Android and Windows Phone, more video-editing features, and the addition of “loop counts” to show how popular individual clips are. By August 2014, more than 100m people a month were watching Vine videos, looping clips more than 1bn times a day.

Vine has also spawned its own subculture of “Viners” in areas including music, comedy and art, with some of its stars going on to find success in the mainstream media: from musicians like Shawn Mendes signing major-label deals and having chart hits to comedians like Dapper Laughs going on tour and bagging TV shows.

Twitter #Music (April 2013)

If Vine has been a big hit, Twitter #Music was a high-profile flop. It was the result of another acquisition – music startup Next Big Sound – and was pitched by Twitter as “a way to surface songs people are tweeting about” and thus help people discover new artists and music.

It launched as a website and iOS app, but by October that year rumours were already flying of its imminent demise, as it didn’t catch on. By April 2014, it was toast. But Twitter #Music did lay the groundwork for Twitter to do more around music since then – for example, its recent partnerships with SoundCloud and iTunes to play songs within people’s timelines.

Conversation chronology (August 2013)

Twitter’s “thin blue line” feature was controversial when introduced, due to the way it messed with the traditional reverse-chronological timeline of tweets. Now, in an effort to make conversations more “easy to follow”, up to three tweets would be shown in sequence, linked by a blue line.

As is often the way of these things, over time, the feature settled in to Twitter’s interface, and the complaints died down.

Emergency alerts (September 2013)

People have been turning to social networks in times of emergency – from natural disasters to terrorist attacks – for years. Twitter (and Facebook for that matter) have been figuring out what they can do beyond ensuring their services stay online at such times.

Twitter Alerts was Twitter’s strategy: “a new feature that brings us one step closer to helping users get important and accurate information from credible organizations during emergencies, natural disasters or moments when other communications services aren’t accessible”.

It involved signing up for alerts from specific accounts, initially in the US, Japan and Korea although it has since expanded elsewhere. An example of a new feature that draws praise rather than complaints – even if its effectiveness can’t be tested until an emergency happens.

In-stream mobile media (October 2013)

Photos and videos have been a prominent part of Twitter ever since the #NewTwitter redesign, but an update to Twitter’s iOS and Android apps in October 2013 did spark more debate, due to the way it showed “previews” of photos and Vine videos within the stream itself.

Would this result in people spamming Twitter with endless photos and videos, making it more of a chore to scroll down the timeline? As it happened, no. Although as and when Twitter introduces mobile video ads – especially if they play automatically like those on Facebook – this issue may raise its head again.

Blocking policy changes (December 2013)

In the last year, there has been growing discussion of Twitter’s responsibilities to protect users facing abuse and harassment on its service. Its decision in December 2013 to change the way its “blocking” system worked was a notable own goal, in that respect.

The change meant that blocking someone else on Twitter would not prevent them from following you and seeing your tweets. After an uproar accusing Twitter of making life easier for trolls, the company changed its mind.

“We never want to introduce features at the cost of users feeling less safe,” wrote Twitter’s Michael Sippey in a blog post. “Moving forward, we will continue to explore features designed to protect users from abuse and prevent retaliation.”

Twitter's new profile design.

Twitter’s new profile design. Photograph: PR

New profile design (April 2014)

Twitter’s latest design change revolved around your profile page, with a larger photo, customisable header and the ability to pin a tweet to the top of the page. A resemblance to Facebook sparked plenty of comment online, but since it rolled out to all users, unrest has been muted.

Mute button for mobile apps (May 2014)

The ability to “mute” people and/or hashtags has been very popular in third-party Twitter apps like Tweetbot, but it took Twitter until May 2014 to get in on the silencing action, with a mute feature for its iPhone and Android apps.

“Muting a user on Twitter means their Tweets and Retweets will no longer be visible in your home timeline, and you will no longer receive push or SMS notifications from that user,” explained the company.

The key point: they wouldn’t know they had been muted. A way to quietly unfollow boring, negative and/or over-spammy accounts without having to actually unfollow them. A boon, and not just for socially-awkward, conflict-averse British people. Although especially for us.

Starting today, you can share and view animated GIFs on, Android and iPhone.

— Twitter Support (@Support) June 18, 2014

Animated GIFs (June 2014)

A sign of the times, this: the ability to share and view animated GIFs on Twitter’s website, Android and iPhone apps. Rather than spark complaints, it generated more conversations along the lines of “What, you can’t already share animated GIFs on Twitter?”

Cats, Taylor Swift, Superwholock and Beyoncé were the real beneficiaries, of course.

Inserting tweets in your timeline (October 2014)

Twitter’s most recent change before today has also been one of its most controversial: inserting tweets into your timeline from accounts that you don’t follow.

“There are times when you might miss out on tweets we think you’d enjoy,” explained Twitter earlier this month. “To help you keep up with what’s happening, we’ve been testing ways to include these tweets in your timeline — ones we think you’ll find interesting or entertaining.”

There has been a vocal backlash from experienced Twitter users, who fear it’s the first step towards more Facebook-style curation of their timelines: not just adding tweets in, but taking others away without their knowledge. For now, that’s not officially on the cards though.

Stephen Fry on Twitter: ‘People expect online services to be free’

This article originally appeared on

CenturyLinkVoice: The 3 Biggest Cybersecurity Threats of 2014 -- And How The Federal Government Plans Stop Them

CenturyLinkVoice: The 3 Biggest Cybersecurity Threats of 2014 — And How The Federal Government Plans Stop Them

The cyber attack on JP Morgan Chase that compromised the personal information of 76 million households is just the latest in a slew of security breaches that have plagued some of the nation’s most trusted institutions. Indeed, the number and scope of cyber attacks and threats looming today can seem overwhelming, but some are more dangerous than others. Let’s take a look at three of the biggest cyber threats, ​as identified by the Information Security Forum (ISF):

1. BYOD trend in the workplace. BYOD, or “bring your own device,” can no longer be thought of as a fad; it is quickly becoming the new reality. As this trend grows, all businesses are potentially at risk, as Steve Durbin, Global VP of the ISF, explains. “These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.”

2. Data privacy in the cloud. Not all clouds are built alike; some are more vulnerable than others, and organizations of all kinds need to ensure that the cloud providers they work with are up to snuff. If they are not, then the adverse consequences can be huge. As JP Morgan Chase and many other organizations have learned, the inadvertent release or exposure of their customers’ personally identifiable information (PII) can have huge negative impacts on both their reputation and their bottom line.

3. Cyber crime. In the 19th century, the criminals du jour were renegade bank robbers. In the 21st century, it’s cyber criminals. Durbin writes, “Cyber space is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks.”

What’s more, these threats are fluid, and they are evolving every day. As a result, organizations need security systems that will evolve at the same pace.

Protection against the biggest cyber risks?

It’s one thing to know what the biggest cyber risks are; it’s quite another to be able to protect against them. Many companies are finding themselves overwhelmed with the task of fighting threats that are growing in number and sophistication every day.

Fortunately one port in this cyber storm is the federal government. In an effort to protect key players in the nation’s economic infrastructure, the feds have rolled out a program called Enhanced Cybersecurity Services (ECS), which has been designed to aid key stakeholders in the private sector, as well as state and local governments, in fighting cyber crime.

First, some background: The monumental task of helping government agencies and critical infrastructure organizations fight cybercrime falls to U.S. Department of Homeland Security (DHS). DHS has a presidentially-mandated mission to protect the nation’s critical infrastructure against cyber attacks, which are quickly emerging as one of our biggest threats to national security.

Many critical infrastructure organizations do not fall under the exclusive purview of the federal government—many are in the private sector or are under the control of state and local governments. Enter ECS, which is designed to protect the 16 critical infrastructure sectors that make up the backbone of the U.S. economy—key sectors like state and local governments, energy, health care, food and water, the defense industrial base, and public transportation.

Essentially, ECS can provide key support to resource-strapped businesses and local governments, helping them up their cybersecurity game. CenturyLink is currently one of only two DHS-approved commercial service providers of ECS.

How ECS works

Data is critical when it comes to cybersecurity, and the more an organization knows about potential threats, the easier it can protect against them. The mission of ECS it to help protect America’s critical infrastructure from advanced cyber threats by sharing government-furnished information with commercial service providers that then share it with their ECS customers.

It works like this: DHS engages with agencies across the federal government to gather information about cyber threats. Then, DHS shares the information and detailed threat indicators with approved ECS providers, which then integrate that data with their own threat indicators to create significantly more robust cyber security protection than what is available in the commercial marketplace.

For example, ECS customers, which must be approved by DHS, receive network-based inbound email filtering that neutralizes dangerous email strings or attachments, and prevents harmful code from becoming embedded into the ECS customer’s IT infrastructure. They also receive Domain Name System (DNS) protections, which prevent users from accessing malicious websites and stop infected machines from establishing command-and-control links to external entities.

A layered approach

Advanced cyber threats are constantly evolving. As a result, protecting critical infrastructure requires a layered, dynamic approach that’s constantly evolving as well to confront and stop new technologies and threats.

There is no silver bullet when it comes to cyber security, ECS included. However, ECS is an enhancement that organizations can use in tandem with standard security protocols they should already have in place. The exclusive information they receive from DHS lets ECS providers see things that others can’t, and helps them defend our nation’s critical infrastructure against those threats.

Considering the dangers of quickly evolving malware and the recent rampage of data breaches, it just makes sense to explore whether ECS can help you improve your company’s cybersecurity protection.

People talk in front of a Baidu's company logo at Baidu's headquarters in Beijing

China’s Baidu, Ping An invest in Israeli VC fund Carmel

TEL AVIV (Reuters) – Israeli venture capital firm Carmel Ventures said on Wednesday it raised $194 million for its Carmel Ventures IV fund with participation from new strategic investors in Asia that include Chinese Internet search engine Baidu.

The new fund, like its predecessor funds, will invest in early-stage technology companies in enterprise software, data center infrastructure, big data, cyber security, financial technology, digital media and consumer applications.

Carmel has already made investments out of the new fund in the increasingly popular quiz technology provider PlayBuzz, LuckyFish Games and three other companies.

The fund was raised with equity commitments from global institutional investors that include a significant number of return investors as well as new investors.

“Carmel offers us reliable access to Israeli innovation and we look forward to partnering with them,” Daniel Tu, chief innovation officer at financial services group Ping An, one of the new Asian investors in Carmel, said.

China’s role in Israel has been growing fast as it offers a large market and source of funding at a time of growing calls, especially in Europe, for a boycott of Israel over its failure to make peace with the Palestinians.

Carmel Ventures, part of Israeli private equity group Viola, manages over $800 million of capital and is invested in 35 active companies.

(Reporting by Tova Cohen; Editing by Jeffrey Heller)

US Probes Medical Devices For Cybersecurity Flaws

US Probes Medical Devices For Cybersecurity Flaws


The U.S. Department of Homeland Security, or DHS, is conducting an investigation to study the susceptibility of medical devices and hospital equipment to cybercrime, a report said Wednesday, citing a senior official who revealed that the investigation is based on about two dozen cases of possible cybersecurity flaws.

The devices that are being inspected by the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, include an infusion pump from Hospira and implantable heart devices from Medtronic and St Jude Medical, Reuters reported. Although there have been no reported instances of hackers using these devices to attack patients, the U.S. government is concerned that hackers may try to access the products remotely.

After gaining control remotely, hackers can instruct an infusion pump to overdose a patient with drugs, or force a heart implant device to deliver a deadly jolt of electricity, Reuters reported, citing the sources.

“These are the things that shows like ‘Homeland’ are built from,” the DHS official told Reuters, referring to the American political thriller television series in which a fictional vice president of the U.S. is assassinated by hacking into his pacemaker.

“It isn’t out of the realm of the possible to cause severe injury or death,” the official said, adding that the agency is working with manufacturers to detect and fix software vulnerabilities that could help hackers access confidential data and control medical devices.

The latest probe comes after the U.S. Food and Drug Administration, or FDA, recently announced guidelines for manufacturers and health care providers to increase security in medical devices.

“The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too,” William Maisel, chief scientist at the FDA’s Center for Devices and Radiological Health, told Reuters, without commenting on the DHS probe.

Ransomware takes malware from bad to worse

Ransomware takes malware from bad to worse

Targeted email attacks (called spear phishing) with harmful links or attachments containing malware are an ever-increasing threat. These attacks are part social networking and part sophisticated technical effort to penetrate companies’ defense systems. Traditional security deployments, in many cases, aren’t prepared for these kinds of attacks.

The weakest link of any network is the user. But it’s not always their fault. If a person receives an email from a real co-worker with a link, how can that person know the link will send them to a zero-day threat or that the attachment is a CryptoLocker attack?

[ Build and deploy an effective line of defense against corporate intruders with InfoWorld's Encryption Deep Dive PDF expert guide. Download it today! | Stay up to date on the latest security developments with InfoWorld's Security newsletter. ]

After you train your users, they will have a good amount of fear and how-to ideas in mind, but over time they will forget or get sloppy — and it takes only one or two clicks to pull CryptoLocker or similar threats into your environment. CryptoLocker is especially insidious malware because it encrypts all files — documents, databases, photos, and so on — with military-grade encryption unless you pay a ransom. Also, there is only one key to decrypt — and the attacker is holding and asking money for it. Overall, ransomware is getting smarter.

You need to look at putting protections in place that checks links and scans email for malware as standard.

It’s easy enough to scan email as it comes in and look for known viruses and such. What’s hard is thwarting the kinds of sophisticated attacks where truly devastating tools like CryptoLocker are used: Someone sends a link that, at the time it comes through, points to a legitimate and safe server. But later, that link is switched by the attacker on the server side to a harmful location. There is typically no recheck in place when a user clicks a link in their email.

There should be — and there can be.

You need email protection that covers the full lifecycle of a message, for as long as that message exists and there is a link to be clicked, when clicked the system will ensure the URL is still pointing to a safe location.

Tools for lifecycle malware detection carry different names, including targeted threat protection (TTP), targeted attack protection (TAP), and click-time link scanning. Whatever you call it, you want it in place.

You also want to scan all your systems and data stores to see if anything has already snuck through and is lurking to cause damage later. You have plenty of tools to do that, such as Malwarebytes Antio-Malware, which is what I use.

What happens if you are infected by ransomware? You have two options:

  • Pay the ransom and get back to work
  • Restore from backup, assuming it wasn’t infected too
  • The problem with paying the ransom is that you tell the bad guys, “If this happens again, I will pay you,” so you go on the list of repeat targets, likely for a higher ransom amount. Certainly, if you don’t have secured backups of your data, you need to start making them.

    When all is said and done, three items are necessary to protect your organization from modern-day phishing attacks:

  • Solid training for users
  • Solid security technology with the latest in targeted threat protection
  • A budget for ransoms or a usable backup of data (in case the training and security systems don’t work)
  • Don’t put it off any longer!

    U.S. government probes medical devices for possible cyber flaws

    U.S. government probes medical devices for possible cyber flaws

    The U.S. Department of Homeland Security is investigating about two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment that officials fear could be exploited by hackers, a senior official at the agency told Reuters.

    The products under review by the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, include an infusion pump from Hospira Inc and implantable heart devices from Medtronic Inc and St Jude Medical Inc, according to other people familiar with the cases, who asked not to be identified because the probes are confidential.

    These people said they do not know of any instances of hackers attacking patients through these devices, so the cyber threat should not be overstated. Still, the agency is concerned that malicious actors may try to gain control of the devices remotely and create problems, such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity, the sources said.

    The senior DHS official said the agency is working with manufacturers to identify and repair software coding bugs and other vulnerabilities that hackers can potentially use to expose confidential data or attack hospital equipment. He declined to name the companies.

    “These are the things that shows like ‘Homeland’ are built from,” said the official, referring to the U.S. television spy drama in which the fictional vice president of the United States is killed by a cyber attack on his pacemaker.

    “It isn’t out of the realm of the possible to cause severe injury or death,” said the official, who did not want to be identified due to the sensitive nature of his work.

    Hospira, Medtronic and St Jude Medical declined to comment on the DHS investigations. All three companies said they take cybersecurity seriously and have made changes to improve product safety, but declined to give details.

    ICS-CERT’s mandate is to help protect critical U.S. infrastructure from cyber threats, whether they are introduced through human error, virus infections, or through attacks by criminals or extremists.

    According to the senior DHS official, the agency started examining healthcare equipment about two years ago, when cybersecurity researchers were becoming more interested in medical devices that increasingly contained computer chips, software, wireless technology and Internet connectivity, making them more susceptible to hacking.

    The U.S. Food and Drug Administration, which regulates the sale of medical devices, recently released guidelines for manufacturers and healthcare providers to better secure medical devices and is holding its first public conference on the topic this week.

    “The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too,” said William Maisel, chief scientist at the FDA’s Center for Devices and Radiological Health. He declined to comment on the DHS reviews.

    The senior DHS official said the two dozen cases currently under investigation cover a wide range of equipment, including medical imaging equipment and hospital networking systems. A DHS review does not imply the government thinks a company has done anything wrong – it means the agency is looking into a suspected vulnerability to try to help rectify it.

    One of the cases involves an alleged vulnerability in a type of infusion pump, a piece of hospital equipment that delivers medication directly into a patient’s bloodstream. Private cybersecurity researcher Billy Rios said he discovered the alleged bug but declined to identify the manufacturer of the pump. Two people familiar with his research said the manufacturer was Hospira.

    Rios said he wrote a program that could remotely force multiple pumps to dose patients with potentially lethal amounts of drugs. He submitted his analysis to the DHS.

    “This is a issue that is going to be extremely difficult to patch,” said Rios, a former Marine platoon commander who has worked for several Silicon Valley technology firms and recently founded security startup Laconicly.

    Reuters was not able to independently review his research or identify the type of pump Rios studied from Hospira’s line, which includes multiple models.

    Hospira spokeswoman Tareta Adams, while declining to comment on specifics, said the company is working to improve the security of its products.

    “Hospira has implemented software adjustments, distributed customer communications and made a commitment to evaluate other changes going forward, while ensuring we are not adversely impacting the ability of our devices to meet hospital and patient needs, and maintain compliance with FDA product requirements,” Adams said in the statement.

    Hospital security officers say there is increasing awareness about cyber threats, and medical centers around the country have been shoring up networks to better defend against hackers.

    At the University of Texas MD Anderson Cancer Center, all medical devices will soon need to be tested to make sure they meet security standards before they can be put on the hospital’s network, according to Lessley Stoltenberg, the center’s chief information security officer.

    “I’m pretty concerned,” said Stoltenberg. “Coming out of the block, medical devices don’t really have security built into them.”

    The DHS is also reviewing suspected vulnerabilities in implantable heart devices from Medtronic and St Jude Medical, according to two people familiar with the matter.

    They said the probe was based in part on research by Barnaby Jack, a well-known hacker who died in July 2013. Jack had said he could hack into wireless communications systems that link implanted pacemakers and defibrillators with bedside monitors.

    Medtronic spokeswoman Marie Yarroll said in an email that the company has “made changes to enhance the security” of its implantable cardiac devices, but declined to give specifics “in the interest of patient safety.”

    St. Jude Medical spokeswoman Candace Steele Flippin also declined to discuss specific products but said the company has “an ongoing program to perform extensive security testing on our medical devices and networked equipment. If a risk is identified, we will issue patches for any known issues.”

    Experts said it is important that security vulnerabilities in medical devices are exposed so manufacturers can fix them, but many said there was no need for patients to panic.

    “It’s very easy to sort of sensationalize these problems,” said Kevin Fu, who runs the Archimedes Research Center for Medical Device Security at the University of Michigan.

    Still, worries about cybersecurity have made some individuals wary of medical devices with wireless and Internet connections.

    In 2007, then-U.S. Vice President Dick Cheney ordered some of the wireless features to be disabled on his defibrillator due to security concerns. When asked if he would recommend other patients do the same, Cheney said not necessarily.

    “You’ve got to look at all eventualities and do whatever you have to safeguard the capabilities of the individual,” Cheney told Reuters on Tuesday. “In terms of how it would affect others, I think the president and vice president are in relatively unique circumstances.”

    Cyber researcher Jay Radcliffe used to be among the hundreds of thousands of diabetics relying on computerized insulin pumps. He said he stopped using his Medtronic pump after he found that he could hack into its wireless communications system and potentially dump fatal doses of insulin into his body.

    “I don’t feel safe wearing these devices,” said Radcliffe, who works for Rapid7, a security software maker. “It’s better for me to stick myself with a needle.”

    Medtronic said it has made security improvements to its insulin pumps, though the company declined to give specifics.

    George Grunberger, who has led the insulin pump management task force of the American Association of Clinical Endocrynologists, said he believes the benefits of pumps far outweigh any cyber risks, so he would not advise patients to follow Radcliffe’s example.

    © Muscat Press and Publishing House SAOC 2014 Provided by SyndiGate Media Inc. (